Example 1 with PrivilegeBits
use of org.apache.jackrabbit.core.security.authorization.PrivilegeBits in project jackrabbit by apache.
the class ACLTemplateTest method testMultipleEntryEffect2.
public void testMultipleEntryEffect2() throws RepositoryException, NotExecutableException {
Privilege repwrite = getAccessControlManager(superuser).privilegeFromName(PrivilegeRegistry.REP_WRITE);
JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
pt.addAccessControlEntry(testPrincipal, new Privilege[] { repwrite });
// add deny entry for mod_props
Privilege modProperties = getAccessControlManager(superuser).privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES);
assertTrue(pt.addEntry(testPrincipal, new Privilege[] { modProperties }, false, null));
// net-effect: 2 entries with the allow entry being adjusted
assertTrue(pt.size() == 2);
AccessControlEntry[] entries = pt.getAccessControlEntries();
for (AccessControlEntry entry1 : entries) {
ACLTemplate.Entry entry = (ACLTemplate.Entry) entry1;
PrivilegeBits privs = entry.getPrivilegeBits();
if (entry.isAllow()) {
Privilege[] result = privilegesFromNames(new String[] { Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_NODE_TYPE_MANAGEMENT, Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_REMOVE_NODE });
PrivilegeBits bits = privilegeMgr.getBits(result);
assertEquals(privs, bits);
} else {
assertEquals(privs, privilegeMgr.getBits(modProperties));
}
}
}
Also used :
JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)
AccessControlEntry(javax.jcr.security.AccessControlEntry)
JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)
AccessControlEntry(javax.jcr.security.AccessControlEntry)
PrivilegeBits(org.apache.jackrabbit.core.security.authorization.PrivilegeBits)
Privilege(javax.jcr.security.Privilege)
JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)
Example 2 with PrivilegeBits
use of org.apache.jackrabbit.core.security.authorization.PrivilegeBits in project jackrabbit by apache.
the class CompiledPermissionsImpl method buildResult.
private Result buildResult(NodeImpl node, boolean isExistingNode, boolean isAcItem, EntryFilterImpl filter) throws RepositoryException {
// retrieve all ACEs at path or at the direct ancestor of path that
// apply for the principal names.
NodeImpl n = ACLProvider.getNode(node, isAcItem);
Iterator<Entry> entries = entryCollector.collectEntries(n, filter).iterator();
/*
Calculate privileges and permissions:
Since the ACEs only define privileges on a node and do not allow
to add additional restrictions, the permissions can be determined
without taking the given target name or target item into account.
*/
int allows = Permission.NONE;
int denies = Permission.NONE;
PrivilegeBits allowBits = PrivilegeBits.getInstance();
PrivilegeBits denyBits = PrivilegeBits.getInstance();
PrivilegeBits parentAllowBits = PrivilegeBits.getInstance();
PrivilegeBits parentDenyBits = PrivilegeBits.getInstance();
String parentPath = Text.getRelativeParent(filter.getPath(), 1);
NodeId nodeId = (node == null) ? null : node.getNodeId();
while (entries.hasNext()) {
Entry ace = entries.next();
/*
Determine if the ACE also takes effect on the parent:
Some permissions (e.g. add-node or removal) must be determined
from privileges defined for the parent.
A 'local' entry defined on the target node never effects the
parent. For inherited ACEs determine if the ACE matches the
parent path.
*/
PrivilegeBits entryBits = ace.getPrivilegeBits();
boolean isLocal = isExistingNode && ace.isLocal(nodeId);
boolean matchesParent = (!isLocal && ace.matches(parentPath));
if (matchesParent) {
if (ace.isAllow()) {
parentAllowBits.addDifference(entryBits, parentDenyBits);
} else {
parentDenyBits.addDifference(entryBits, parentAllowBits);
}
}
if (ace.isAllow()) {
allowBits.addDifference(entryBits, denyBits);
int permissions = PrivilegeRegistry.calculatePermissions(allowBits, parentAllowBits, true, isAcItem);
allows |= Permission.diff(permissions, denies);
} else {
denyBits.addDifference(entryBits, allowBits);
int permissions = PrivilegeRegistry.calculatePermissions(denyBits, parentDenyBits, false, isAcItem);
denies |= Permission.diff(permissions, allows);
}
}
return new Result(allows, denies, allowBits, denyBits);
}
Also used :
NodeImpl(org.apache.jackrabbit.core.NodeImpl)
NodeId(org.apache.jackrabbit.core.id.NodeId)
PrivilegeBits(org.apache.jackrabbit.core.security.authorization.PrivilegeBits)
Example 3 with PrivilegeBits
use of org.apache.jackrabbit.core.security.authorization.PrivilegeBits in project jackrabbit by apache.
the class ACLTemplate method internalAdd.
private synchronized boolean internalAdd(Entry entry) throws RepositoryException {
Principal principal = entry.getPrincipal();
List<Entry> entriesPerPrincipal = internalGetEntries(principal);
if (entriesPerPrincipal.isEmpty()) {
// simple case: just add the new entry at the end of the list.
entries.add(entry);
return true;
} else {
if (entriesPerPrincipal.contains(entry)) {
// the same entry is already contained -> no modification
return false;
}
// check if need to adjust existing entries
int updateIndex = -1;
Entry complementEntry = null;
for (Entry e : entriesPerPrincipal) {
if (equalRestriction(entry, e)) {
if (entry.isAllow() == e.isAllow()) {
// need to update an existing entry
if (e.getPrivilegeBits().includes(entry.getPrivilegeBits())) {
// in the existing entry -> not modified
return false;
}
// remember the index of the existing entry to be updated later on.
updateIndex = entries.indexOf(e);
// remove the existing entry and create a new one that
// includes both the new privileges and the existing ones.
entries.remove(e);
PrivilegeBits mergedBits = PrivilegeBits.getInstance(e.getPrivilegeBits());
mergedBits.add(entry.getPrivilegeBits());
// omit validation check.
entry = new Entry(entry, mergedBits, entry.isAllow());
} else {
complementEntry = e;
}
}
}
// denied/granted.
if (complementEntry != null) {
PrivilegeBits complPrivs = complementEntry.getPrivilegeBits();
PrivilegeBits diff = PrivilegeBits.getInstance(complPrivs);
diff.diff(entry.getPrivilegeBits());
if (diff.isEmpty()) {
// remove the complement entry as the new entry covers
// all privileges granted by the existing entry.
entries.remove(complementEntry);
updateIndex--;
} else if (!diff.equals(complPrivs)) {
// replace the existing entry having the privileges adjusted
int index = entries.indexOf(complementEntry);
entries.remove(complementEntry);
// combine set of new builtin and custom privileges
// and create a new entry.
Entry tmpl = new Entry(entry, diff, !entry.isAllow());
entries.add(index, tmpl);
}
/* else: does not need to be modified.*/
}
// to this method at the end.
if (updateIndex < 0) {
entries.add(entry);
} else {
entries.add(updateIndex, entry);
}
return true;
}
}
Also used :
AccessControlEntry(javax.jcr.security.AccessControlEntry)
PrivilegeBits(org.apache.jackrabbit.core.security.authorization.PrivilegeBits)
UnknownPrincipal(org.apache.jackrabbit.core.security.principal.UnknownPrincipal)
Principal(java.security.Principal)
Aggregations
PrivilegeBits (org.apache.jackrabbit.core.security.authorization.PrivilegeBits)3
AccessControlEntry (javax.jcr.security.AccessControlEntry)2
Principal (java.security.Principal)1
Privilege (javax.jcr.security.Privilege)1
JackrabbitAccessControlEntry (org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)1
JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)1
NodeImpl (org.apache.jackrabbit.core.NodeImpl)1
NodeId (org.apache.jackrabbit.core.id.NodeId)1
UnknownPrincipal (org.apache.jackrabbit.core.security.principal.UnknownPrincipal)1
