Search in sources :

Example 96 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project sling by apache.

the class AbstractGetAclServlet method internalGetAcl.

@SuppressWarnings("unchecked")
protected JsonObject internalGetAcl(Session jcrSession, String resourcePath) throws RepositoryException {
    if (jcrSession == null) {
        throw new RepositoryException("JCR Session not found");
    }
    Item item = jcrSession.getItem(resourcePath);
    if (item != null) {
        resourcePath = item.getPath();
    } else {
        throw new ResourceNotFoundException("Resource is not a JCR Node");
    }
    // Calculate a map of privileges to all the aggregate privileges it is contained in.
    // Use for fast lookup during the mergePrivilegeSets calls below.
    AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(jcrSession);
    Map<Privilege, Set<Privilege>> privilegeToAncestorMap = new HashMap<Privilege, Set<Privilege>>();
    Privilege[] supportedPrivileges = accessControlManager.getSupportedPrivileges(item.getPath());
    for (Privilege privilege : supportedPrivileges) {
        if (privilege.isAggregate()) {
            Privilege[] ap = privilege.getAggregatePrivileges();
            for (Privilege privilege2 : ap) {
                Set<Privilege> set = privilegeToAncestorMap.get(privilege2);
                if (set == null) {
                    set = new HashSet<Privilege>();
                    privilegeToAncestorMap.put(privilege2, set);
                }
                set.add(privilege);
            }
        }
    }
    AccessControlEntry[] declaredAccessControlEntries = getAccessControlEntries(jcrSession, resourcePath);
    Map<String, Map<String, Object>> aclMap = new LinkedHashMap<String, Map<String, Object>>();
    int sequence = 0;
    for (AccessControlEntry ace : declaredAccessControlEntries) {
        Principal principal = ace.getPrincipal();
        Map<String, Object> map = aclMap.get(principal.getName());
        if (map == null) {
            map = new LinkedHashMap<String, Object>();
            aclMap.put(principal.getName(), map);
            map.put("order", sequence++);
        }
    }
    //evaluate these in reverse order so the most entries with highest specificity are last
    for (int i = declaredAccessControlEntries.length - 1; i >= 0; i--) {
        AccessControlEntry ace = declaredAccessControlEntries[i];
        Principal principal = ace.getPrincipal();
        Map<String, Object> map = aclMap.get(principal.getName());
        Set<Privilege> grantedSet = (Set<Privilege>) map.get("granted");
        if (grantedSet == null) {
            grantedSet = new LinkedHashSet<Privilege>();
            map.put("granted", grantedSet);
        }
        Set<Privilege> deniedSet = (Set<Privilege>) map.get("denied");
        if (deniedSet == null) {
            deniedSet = new LinkedHashSet<Privilege>();
            map.put("denied", deniedSet);
        }
        boolean allow = AccessControlUtil.isAllow(ace);
        if (allow) {
            Privilege[] privileges = ace.getPrivileges();
            for (Privilege privilege : privileges) {
                mergePrivilegeSets(privilege, privilegeToAncestorMap, grantedSet, deniedSet);
            }
        } else {
            Privilege[] privileges = ace.getPrivileges();
            for (Privilege privilege : privileges) {
                mergePrivilegeSets(privilege, privilegeToAncestorMap, deniedSet, grantedSet);
            }
        }
    }
    List<JsonObject> aclList = new ArrayList<>();
    Set<Entry<String, Map<String, Object>>> entrySet = aclMap.entrySet();
    for (Entry<String, Map<String, Object>> entry : entrySet) {
        String principalName = entry.getKey();
        Map<String, Object> value = entry.getValue();
        JsonObjectBuilder aceObject = Json.createObjectBuilder();
        aceObject.add("principal", principalName);
        Set<Privilege> grantedSet = (Set<Privilege>) value.get("granted");
        if (grantedSet != null && !grantedSet.isEmpty()) {
            JsonArrayBuilder arrayBuilder = Json.createArrayBuilder();
            for (Privilege v : grantedSet) {
                arrayBuilder.add(v.getName());
            }
            aceObject.add("granted", arrayBuilder);
        }
        Set<Privilege> deniedSet = (Set<Privilege>) value.get("denied");
        if (deniedSet != null && !deniedSet.isEmpty()) {
            JsonArrayBuilder arrayBuilder = Json.createArrayBuilder();
            for (Privilege v : deniedSet) {
                arrayBuilder.add(v.getName());
            }
            aceObject.add("denied", arrayBuilder);
        }
        aceObject.add("order", (Integer) value.get("order"));
        aclList.add(aceObject.build());
    }
    JsonObjectBuilder jsonAclMap = Json.createObjectBuilder();
    for (Map.Entry<String, Map<String, Object>> entry : aclMap.entrySet()) {
        JsonObjectBuilder builder = Json.createObjectBuilder();
        for (Map.Entry<String, Object> inner : entry.getValue().entrySet()) {
            addTo(builder, inner.getKey(), inner.getValue());
        }
        jsonAclMap.add(entry.getKey(), builder);
    }
    for (JsonObject jsonObj : aclList) {
        jsonAclMap.add(jsonObj.getString("principal"), jsonObj);
    }
    return jsonAclMap.build();
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet) Set(java.util.Set) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) ArrayList(java.util.ArrayList) JsonObject(javax.json.JsonObject) LinkedHashMap(java.util.LinkedHashMap) Item(javax.jcr.Item) AccessControlEntry(javax.jcr.security.AccessControlEntry) Entry(java.util.Map.Entry) JsonArrayBuilder(javax.json.JsonArrayBuilder) ResourceNotFoundException(org.apache.sling.api.resource.ResourceNotFoundException) JsonObjectBuilder(javax.json.JsonObjectBuilder) AccessControlEntry(javax.jcr.security.AccessControlEntry) RepositoryException(javax.jcr.RepositoryException) JsonObject(javax.json.JsonObject) Privilege(javax.jcr.security.Privilege) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) Map(java.util.Map) Principal(java.security.Principal)

Example 97 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project sling by apache.

the class ResourceResolverTest method removeAce.

// ---------- internal
private void removeAce(Session adminSession, Principal principal, String absPath) throws Exception {
    AccessControlManager accessControlManager = adminSession.getAccessControlManager();
    AccessControlPolicy[] policies = accessControlManager.getPolicies(absPath);
    for (AccessControlPolicy plc : policies) {
        if (plc instanceof AccessControlList) {
            boolean modified = false;
            AccessControlList acl = ((AccessControlList) plc);
            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                if (principal.equals(ace.getPrincipal())) {
                    acl.removeAccessControlEntry(ace);
                    modified = true;
                }
            }
            if (modified) {
                accessControlManager.setPolicy(absPath, acl);
            }
        }
    }
    if (adminSession.hasPendingChanges()) {
        adminSession.save();
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlList(javax.jcr.security.AccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) AccessControlEntry(javax.jcr.security.AccessControlEntry)

Example 98 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project sling by apache.

the class PrivilegeDistributionRequestAuthorizationStrategy method checkPermissionForAdd.

private void checkPermissionForAdd(Session session, String[] paths) throws RepositoryException, DistributionException {
    AccessControlManager acMgr = session.getAccessControlManager();
    Privilege[] privileges = new Privilege[] { acMgr.privilegeFromName(jcrPrivilege), acMgr.privilegeFromName(Privilege.JCR_READ) };
    for (String path : paths) {
        if (!acMgr.hasPrivileges(path, privileges)) {
            throw new DistributionException("Not enough privileges");
        }
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) DistributionException(org.apache.sling.distribution.common.DistributionException) Privilege(javax.jcr.security.Privilege)

Example 99 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project sling by apache.

the class PrivilegeDistributionRequestAuthorizationStrategy method checkPermissionForDelete.

private void checkPermissionForDelete(Session session, String[] paths) throws RepositoryException, DistributionException {
    AccessControlManager acMgr = session.getAccessControlManager();
    Privilege[] privileges = new Privilege[] { acMgr.privilegeFromName(jcrPrivilege), acMgr.privilegeFromName(Privilege.JCR_REMOVE_NODE) };
    for (String path : paths) {
        String closestParentPath = getClosestParent(session, path);
        if (closestParentPath == null || !acMgr.hasPrivileges(closestParentPath, privileges)) {
            throw new DistributionException("Not enough privileges");
        }
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) DistributionException(org.apache.sling.distribution.common.DistributionException) Privilege(javax.jcr.security.Privilege)

Example 100 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project sling by apache.

the class PrivilegeDistributionRequestAuthorizationStrategyTest method testNoPermissionOnDelete.

@Test(expected = DistributionException.class)
public void testNoPermissionOnDelete() throws Exception {
    String jcrPrivilege = "somePermission";
    PrivilegeDistributionRequestAuthorizationStrategy strategy = new PrivilegeDistributionRequestAuthorizationStrategy(jcrPrivilege);
    DistributionRequest distributionRequest = mock(DistributionRequest.class);
    ResourceResolver resourceResolver = mock(ResourceResolver.class);
    Session session = mock(Session.class);
    AccessControlManager acm = mock(AccessControlManager.class);
    Privilege privilege = mock(Privilege.class);
    when(acm.privilegeFromName(jcrPrivilege)).thenReturn(privilege);
    when(session.getAccessControlManager()).thenReturn(acm);
    when(resourceResolver.adaptTo(Session.class)).thenReturn(session);
    String[] paths = new String[] { "/foo" };
    for (String path : paths) {
        when(acm.hasPrivileges(path, new Privilege[] { privilege })).thenReturn(false);
        when(session.nodeExists(path)).thenReturn(true);
    }
    when(distributionRequest.getPaths()).thenReturn(paths);
    when(distributionRequest.getRequestType()).thenReturn(DistributionRequestType.DELETE);
    strategy.checkPermission(resourceResolver, distributionRequest);
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) DistributionRequest(org.apache.sling.distribution.DistributionRequest) ResourceResolver(org.apache.sling.api.resource.ResourceResolver) Privilege(javax.jcr.security.Privilege) Session(javax.jcr.Session) Test(org.junit.Test)

Aggregations

AccessControlManager (javax.jcr.security.AccessControlManager)192 Privilege (javax.jcr.security.Privilege)82 JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)77 AccessControlPolicy (javax.jcr.security.AccessControlPolicy)62 Session (javax.jcr.Session)47 Test (org.junit.Test)45 AccessControlEntry (javax.jcr.security.AccessControlEntry)39 Node (javax.jcr.Node)33 AccessControlList (javax.jcr.security.AccessControlList)32 JackrabbitAccessControlManager (org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)32 AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest)23 Principal (java.security.Principal)22 Value (javax.jcr.Value)17 HashMap (java.util.HashMap)14 JackrabbitAccessControlEntry (org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)14 Group (org.apache.jackrabbit.api.security.user.Group)14 ValueFactory (javax.jcr.ValueFactory)13 AccessControlPolicyIterator (javax.jcr.security.AccessControlPolicyIterator)13 NodeImpl (org.apache.jackrabbit.core.NodeImpl)13 NodeUtil (org.apache.jackrabbit.oak.util.NodeUtil)12