use of javax.jcr.security.AccessControlManager in project sling by apache.
the class AbstractGetAclServlet method internalGetAcl.
@SuppressWarnings("unchecked")
protected JsonObject internalGetAcl(Session jcrSession, String resourcePath) throws RepositoryException {
if (jcrSession == null) {
throw new RepositoryException("JCR Session not found");
}
Item item = jcrSession.getItem(resourcePath);
if (item != null) {
resourcePath = item.getPath();
} else {
throw new ResourceNotFoundException("Resource is not a JCR Node");
}
// Calculate a map of privileges to all the aggregate privileges it is contained in.
// Use for fast lookup during the mergePrivilegeSets calls below.
AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(jcrSession);
Map<Privilege, Set<Privilege>> privilegeToAncestorMap = new HashMap<Privilege, Set<Privilege>>();
Privilege[] supportedPrivileges = accessControlManager.getSupportedPrivileges(item.getPath());
for (Privilege privilege : supportedPrivileges) {
if (privilege.isAggregate()) {
Privilege[] ap = privilege.getAggregatePrivileges();
for (Privilege privilege2 : ap) {
Set<Privilege> set = privilegeToAncestorMap.get(privilege2);
if (set == null) {
set = new HashSet<Privilege>();
privilegeToAncestorMap.put(privilege2, set);
}
set.add(privilege);
}
}
}
AccessControlEntry[] declaredAccessControlEntries = getAccessControlEntries(jcrSession, resourcePath);
Map<String, Map<String, Object>> aclMap = new LinkedHashMap<String, Map<String, Object>>();
int sequence = 0;
for (AccessControlEntry ace : declaredAccessControlEntries) {
Principal principal = ace.getPrincipal();
Map<String, Object> map = aclMap.get(principal.getName());
if (map == null) {
map = new LinkedHashMap<String, Object>();
aclMap.put(principal.getName(), map);
map.put("order", sequence++);
}
}
//evaluate these in reverse order so the most entries with highest specificity are last
for (int i = declaredAccessControlEntries.length - 1; i >= 0; i--) {
AccessControlEntry ace = declaredAccessControlEntries[i];
Principal principal = ace.getPrincipal();
Map<String, Object> map = aclMap.get(principal.getName());
Set<Privilege> grantedSet = (Set<Privilege>) map.get("granted");
if (grantedSet == null) {
grantedSet = new LinkedHashSet<Privilege>();
map.put("granted", grantedSet);
}
Set<Privilege> deniedSet = (Set<Privilege>) map.get("denied");
if (deniedSet == null) {
deniedSet = new LinkedHashSet<Privilege>();
map.put("denied", deniedSet);
}
boolean allow = AccessControlUtil.isAllow(ace);
if (allow) {
Privilege[] privileges = ace.getPrivileges();
for (Privilege privilege : privileges) {
mergePrivilegeSets(privilege, privilegeToAncestorMap, grantedSet, deniedSet);
}
} else {
Privilege[] privileges = ace.getPrivileges();
for (Privilege privilege : privileges) {
mergePrivilegeSets(privilege, privilegeToAncestorMap, deniedSet, grantedSet);
}
}
}
List<JsonObject> aclList = new ArrayList<>();
Set<Entry<String, Map<String, Object>>> entrySet = aclMap.entrySet();
for (Entry<String, Map<String, Object>> entry : entrySet) {
String principalName = entry.getKey();
Map<String, Object> value = entry.getValue();
JsonObjectBuilder aceObject = Json.createObjectBuilder();
aceObject.add("principal", principalName);
Set<Privilege> grantedSet = (Set<Privilege>) value.get("granted");
if (grantedSet != null && !grantedSet.isEmpty()) {
JsonArrayBuilder arrayBuilder = Json.createArrayBuilder();
for (Privilege v : grantedSet) {
arrayBuilder.add(v.getName());
}
aceObject.add("granted", arrayBuilder);
}
Set<Privilege> deniedSet = (Set<Privilege>) value.get("denied");
if (deniedSet != null && !deniedSet.isEmpty()) {
JsonArrayBuilder arrayBuilder = Json.createArrayBuilder();
for (Privilege v : deniedSet) {
arrayBuilder.add(v.getName());
}
aceObject.add("denied", arrayBuilder);
}
aceObject.add("order", (Integer) value.get("order"));
aclList.add(aceObject.build());
}
JsonObjectBuilder jsonAclMap = Json.createObjectBuilder();
for (Map.Entry<String, Map<String, Object>> entry : aclMap.entrySet()) {
JsonObjectBuilder builder = Json.createObjectBuilder();
for (Map.Entry<String, Object> inner : entry.getValue().entrySet()) {
addTo(builder, inner.getKey(), inner.getValue());
}
jsonAclMap.add(entry.getKey(), builder);
}
for (JsonObject jsonObj : aclList) {
jsonAclMap.add(jsonObj.getString("principal"), jsonObj);
}
return jsonAclMap.build();
}
use of javax.jcr.security.AccessControlManager in project sling by apache.
the class ResourceResolverTest method removeAce.
// ---------- internal
private void removeAce(Session adminSession, Principal principal, String absPath) throws Exception {
AccessControlManager accessControlManager = adminSession.getAccessControlManager();
AccessControlPolicy[] policies = accessControlManager.getPolicies(absPath);
for (AccessControlPolicy plc : policies) {
if (plc instanceof AccessControlList) {
boolean modified = false;
AccessControlList acl = ((AccessControlList) plc);
for (AccessControlEntry ace : acl.getAccessControlEntries()) {
if (principal.equals(ace.getPrincipal())) {
acl.removeAccessControlEntry(ace);
modified = true;
}
}
if (modified) {
accessControlManager.setPolicy(absPath, acl);
}
}
}
if (adminSession.hasPendingChanges()) {
adminSession.save();
}
}
use of javax.jcr.security.AccessControlManager in project sling by apache.
the class PrivilegeDistributionRequestAuthorizationStrategy method checkPermissionForAdd.
private void checkPermissionForAdd(Session session, String[] paths) throws RepositoryException, DistributionException {
AccessControlManager acMgr = session.getAccessControlManager();
Privilege[] privileges = new Privilege[] { acMgr.privilegeFromName(jcrPrivilege), acMgr.privilegeFromName(Privilege.JCR_READ) };
for (String path : paths) {
if (!acMgr.hasPrivileges(path, privileges)) {
throw new DistributionException("Not enough privileges");
}
}
}
use of javax.jcr.security.AccessControlManager in project sling by apache.
the class PrivilegeDistributionRequestAuthorizationStrategy method checkPermissionForDelete.
private void checkPermissionForDelete(Session session, String[] paths) throws RepositoryException, DistributionException {
AccessControlManager acMgr = session.getAccessControlManager();
Privilege[] privileges = new Privilege[] { acMgr.privilegeFromName(jcrPrivilege), acMgr.privilegeFromName(Privilege.JCR_REMOVE_NODE) };
for (String path : paths) {
String closestParentPath = getClosestParent(session, path);
if (closestParentPath == null || !acMgr.hasPrivileges(closestParentPath, privileges)) {
throw new DistributionException("Not enough privileges");
}
}
}
use of javax.jcr.security.AccessControlManager in project sling by apache.
the class PrivilegeDistributionRequestAuthorizationStrategyTest method testNoPermissionOnDelete.
@Test(expected = DistributionException.class)
public void testNoPermissionOnDelete() throws Exception {
String jcrPrivilege = "somePermission";
PrivilegeDistributionRequestAuthorizationStrategy strategy = new PrivilegeDistributionRequestAuthorizationStrategy(jcrPrivilege);
DistributionRequest distributionRequest = mock(DistributionRequest.class);
ResourceResolver resourceResolver = mock(ResourceResolver.class);
Session session = mock(Session.class);
AccessControlManager acm = mock(AccessControlManager.class);
Privilege privilege = mock(Privilege.class);
when(acm.privilegeFromName(jcrPrivilege)).thenReturn(privilege);
when(session.getAccessControlManager()).thenReturn(acm);
when(resourceResolver.adaptTo(Session.class)).thenReturn(session);
String[] paths = new String[] { "/foo" };
for (String path : paths) {
when(acm.hasPrivileges(path, new Privilege[] { privilege })).thenReturn(false);
when(session.nodeExists(path)).thenReturn(true);
}
when(distributionRequest.getPaths()).thenReturn(paths);
when(distributionRequest.getRequestType()).thenReturn(DistributionRequestType.DELETE);
strategy.checkPermission(resourceResolver, distributionRequest);
}
Aggregations