Examples with ACE org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE used on opensource projects

Example 16 with ACE

use of org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE in project jackrabbit-oak by apache.

the class AccessControlManagerImpl method createACL.

@CheckForNull
private JackrabbitAccessControlList createACL(@Nullable String oakPath, @Nonnull Tree accessControlledTree, boolean isEffectivePolicy, @CheckForNull Predicate<ACE> predicate) throws RepositoryException {
    JackrabbitAccessControlList acl = null;
    String aclName = Util.getAclName(oakPath);
    if (accessControlledTree.exists() && Util.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
        Tree aclTree = accessControlledTree.getChild(aclName);
        if (aclTree.exists()) {
            List<ACE> entries = new ArrayList<ACE>();
            for (Tree child : aclTree.getChildren()) {
                if (Util.isACE(child, ntMgr)) {
                    ACE ace = createACE(oakPath, child, restrictionProvider);
                    if (predicate == null || predicate.apply(ace)) {
                        entries.add(ace);
                    }
                }
            }
            if (isEffectivePolicy) {
                acl = new ImmutableACL(oakPath, entries, restrictionProvider, getNamePathMapper());
            } else {
                acl = new NodeACL(oakPath, entries);
            }
        }
    }
    return acl;
}

Example 17 with ACE

use of org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE in project jackrabbit-oak by apache.

the class AccessControlManagerImpl method removePolicy.

@Override
public void removePolicy(@Nullable String absPath, @Nonnull AccessControlPolicy policy) throws RepositoryException {
    String oakPath = getOakPath(absPath);
    Util.checkValidPolicy(oakPath, policy);
    if (policy instanceof PrincipalACL) {
        PrincipalACL principalAcl = (PrincipalACL) policy;
        for (ACE ace : principalAcl.getEntries()) {
            String path = getNodePath(ace);
            Tree tree = getTree(path, Permissions.MODIFY_ACCESS_CONTROL, true);
            Tree aclTree = getAclTree(path, tree);
            if (aclTree == null) {
                throw new AccessControlException("Unable to retrieve policy node at " + path);
            }
            Iterator<Tree> children = aclTree.getChildren().iterator();
            while (children.hasNext()) {
                Tree child = children.next();
                if (ace.equals(createACE(path, child, principalAcl.rProvider))) {
                    child.remove();
                }
            }
            if (!aclTree.getChildren().iterator().hasNext()) {
                aclTree.remove();
            }
        }
    } else {
        Tree tree = getTree(oakPath, Permissions.MODIFY_ACCESS_CONTROL, true);
        Tree aclTree = getAclTree(oakPath, tree);
        if (aclTree != null) {
            aclTree.remove();
        } else {
            throw new AccessControlException("No policy to remove at " + absPath);
        }
    }
}

Example 18 with ACE

use of org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE in project jackrabbit-oak by apache.

the class AccessControlManagerImpl method createPrincipalACL.

@Nullable
private JackrabbitAccessControlList createPrincipalACL(@Nullable String oakPath, @Nonnull Principal principal) throws RepositoryException {
    Root root = getRoot();
    Result aceResult = searchAces(Collections.<Principal>singleton(principal), root);
    RestrictionProvider restrProvider = new PrincipalRestrictionProvider(restrictionProvider);
    List<ACE> entries = new ArrayList<ACE>();
    for (ResultRow row : aceResult.getRows()) {
        Tree aceTree = root.getTree(row.getPath());
        if (Util.isACE(aceTree, ntMgr)) {
            String aclPath = Text.getRelativeParent(aceTree.getPath(), 1);
            String path;
            if (aclPath.endsWith(REP_REPO_POLICY)) {
                path = null;
            } else {
                path = Text.getRelativeParent(aclPath, 1);
            }
            entries.add(createACE(path, aceTree, restrProvider));
        }
    }
    if (entries.isEmpty()) {
        // nothing found
        return null;
    } else {
        return new PrincipalACL(oakPath, principal, entries, restrProvider);
    }
}

Example 19 with ACE

use of org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE in project jackrabbit-oak by apache.

the class ACL method internalAddEntry.

private boolean internalAddEntry(@Nonnull ACE entry) throws RepositoryException {
    final Principal principal = entry.getPrincipal();
    List<ACE> subList = Lists.newArrayList(Iterables.filter(entries, new Predicate<ACE>() {

        @Override
        public boolean apply(@Nullable ACE ace) {
            return (ace != null) && ace.getPrincipal().getName().equals(principal.getName());
        }
    }));
    boolean addEntry = true;
    for (ACE existing : subList) {
        PrivilegeBits existingBits = PrivilegeBits.getInstance(existing.getPrivilegeBits());
        PrivilegeBits entryBits = entry.getPrivilegeBits();
        if (entry.getRestrictions().equals(existing.getRestrictions())) {
            if (entry.isAllow() == existing.isAllow()) {
                if (existingBits.includes(entryBits)) {
                    // no changes
                    return false;
                } else {
                    // merge existing and new ace
                    existingBits.add(entryBits);
                    int index = entries.indexOf(existing);
                    entries.remove(existing);
                    entries.add(index, createACE(existing, existingBits));
                    addEntry = false;
                }
            } else {
                // existing is complementary entry -> clean up redundant
                // privileges defined by the existing entry
                PrivilegeBits updated = PrivilegeBits.getInstance(existingBits).diff(entryBits);
                if (updated.isEmpty()) {
                    // remove the existing entry as the new entry covers all privileges
                    entries.remove(existing);
                } else if (!updated.includes(existingBits)) {
                    // replace the existing entry having it's privileges adjusted
                    int index = entries.indexOf(existing);
                    entries.remove(existing);
                    entries.add(index, createACE(existing, updated));
                }
            /* else: no collision that requires adjusting the existing entry.*/
            }
        }
    }
    // finally add the new entry at the end of the list
    if (addEntry) {
        entries.add(entry);
    }
    return true;
}

Example 20 with ACE

use of org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE in project jackrabbit-oak by apache.

the class AccessControlManagerImpl method setPrincipalBasedAcl.

private void setPrincipalBasedAcl(PrincipalACL principalAcl) throws RepositoryException {
    AccessControlPolicy[] plcs = getPolicies(principalAcl.principal);
    PrincipalACL existing = (plcs.length == 0) ? null : (PrincipalACL) plcs[0];
    List<ACE> toAdd = Lists.newArrayList(principalAcl.getEntries());
    List<ACE> toRemove = Collections.emptyList();
    if (existing != null) {
        toAdd.removeAll(existing.getEntries());
        toRemove = existing.getEntries();
        toRemove.removeAll(principalAcl.getEntries());
    }
    // add new entries
    for (ACE ace : toAdd) {
        String path = getNodePath(ace);
        Tree tree = getTree(path, Permissions.MODIFY_ACCESS_CONTROL, true);
        ACL acl = (ACL) createACL(path, tree, false);
        if (acl == null) {
            acl = new NodeACL(path);
        }
        // calculate single and mv restriction and drop the rep:nodePath restriction
        // present with the principal-based-entries.
        Map<String, Value> restrictions = new HashMap();
        Map<String, Value[]> mvRestrictions = new HashMap();
        for (Restriction r : ace.getRestrictions()) {
            String name = r.getDefinition().getName();
            if (REP_NODE_PATH.equals(name)) {
                continue;
            }
            if (r.getDefinition().getRequiredType().isArray()) {
                mvRestrictions.put(name, ace.getRestrictions(name));
            } else {
                restrictions.put(name, ace.getRestriction(name));
            }
        }
        acl.addEntry(ace.getPrincipal(), ace.getPrivileges(), ace.isAllow(), restrictions, mvRestrictions);
        setNodeBasedAcl(path, tree, acl);
    }
    // remove entries that are not longer present in the acl to write
    for (ACE ace : toRemove) {
        String path = getNodePath(ace);
        Tree tree = getTree(path, Permissions.MODIFY_ACCESS_CONTROL, true);
        ACL acl = (ACL) createACL(path, tree, false);
        if (acl != null) {
            // remove rep:nodePath restriction before removing the entry from
            // the node-based policy (see above for adding entries without
            // this special restriction).
            Set<Restriction> rstr = Sets.newHashSet(ace.getRestrictions());
            Iterator<Restriction> it = rstr.iterator();
            while (it.hasNext()) {
                Restriction r = it.next();
                if (REP_NODE_PATH.equals(r.getDefinition().getName())) {
                    it.remove();
                }
            }
            acl.removeAccessControlEntry(new Entry(ace.getPrincipal(), ace.getPrivilegeBits(), ace.isAllow(), rstr, getNamePathMapper()));
            setNodeBasedAcl(path, tree, acl);
        } else {
            log.debug("Missing ACL at {}; cannot remove entry {}", path, ace);
        }
    }
}