use of org.alfresco.repo.security.permissions.AccessControlListProperties in project alfresco-repository by Alfresco.
the class PermissionServiceImpl method hasPermission.
/**
 * Checks whether the current run-as authentication holds {@code permIn} on {@code passedNodeRef}.
 * <p>
 * Decision order, as implemented below: a {@code null} node reference or a node that does not
 * exist is ALLOWED (there is nothing to protect); a {@code null} permission is DENIED; no run-as
 * user is DENIED; the system user is ALLOWED. For nodes whose ACL type is set and is not
 * {@link ACLType#OLD} the check is delegated to {@code hasPermission(Long, PermissionContext,
 * PermissionReference)} on the ACL id; otherwise the legacy {@link NodeTest} evaluation runs and
 * its result is memoised in {@code accessCache}.
 *
 * @param passedNodeRef node to check; a version-store node is first mapped back to the live node
 *                      it was versioned from
 * @param permIn        permission to check; {@code OLD_ALL_PERMISSIONS_REFERENCE} is mapped to the
 *                      current "all permissions" reference
 * @return {@link AccessStatus#ALLOWED} or {@link AccessStatus#DENIED}, never {@code null}
 */
@Override
@Extend(traitAPI = PermissionServiceTrait.class, extensionAPI = PermissionServiceExtension.class)
public AccessStatus hasPermission(NodeRef passedNodeRef, final PermissionReference permIn) {
    // A null node reference has nothing to protect - so we allow it
    if (passedNodeRef == null) {
        return AccessStatus.ALLOWED;
    }
    // If the permission is null we deny
    if (permIn == null) {
        return AccessStatus.DENIED;
    }
    // Note: if we're directly accessing a frozen state (version) node (ie. in the 'version' store) we need to check permissions for the versioned node (ie. in the 'live' store)
    if (isVersionNodeRef(passedNodeRef)) {
        passedNodeRef = convertVersionNodeRefToVersionedNodeRef(VersionUtil.convertNodeRef(passedNodeRef));
    }
    // Allow permissions for nodes that do not exist (the null check also covers a version node
    // that could not be mapped to a live node above)
    if (passedNodeRef == null || !nodeService.exists(passedNodeRef)) {
        return AccessStatus.ALLOWED;
    }
    // Tenant-qualified reference used for every lookup below
    final NodeRef nodeRef = tenantService.getName(passedNodeRef);
    // Map the legacy "all permissions" reference onto the current one
    final PermissionReference perm;
    if (permIn.equals(OLD_ALL_PERMISSIONS_REFERENCE)) {
        perm = getAllPermissionReference();
    } else {
        perm = permIn;
    }
    // No run-as user means there is no authentication context to evaluate: deny
    if (AuthenticationUtil.getRunAsUser() == null) {
        return AccessStatus.DENIED;
    }
    // The system user bypasses all permission checks
    if (AuthenticationUtil.isRunAsUserTheSystemUser()) {
        return AccessStatus.ALLOWED;
    }
    // New ACLs: any ACL type other than OLD is evaluated against the ACL id, with the node's
    // type, aspects and the dynamic authorities computed for this node/permission as context
    AccessControlListProperties properties = permissionsDaoComponent.getAccessControlListProperties(nodeRef);
    if ((properties != null) && (properties.getAclType() != null) && (properties.getAclType() != ACLType.OLD)) {
        QName typeQname = nodeService.getType(nodeRef);
        Set<QName> aspectQNames = nodeService.getAspects(nodeRef);
        PermissionContext context = new PermissionContext(typeQname);
        context.getAspects().addAll(aspectQNames);
        Authentication auth = AuthenticationUtil.getRunAsAuthentication();
        if (auth != null) {
            String user = AuthenticationUtil.getRunAsUser();
            // Dynamic authorities are granted to the run-as user for this node/permission only
            for (String dynamicAuthority : getDynamicAuthorities(auth, nodeRef, perm)) {
                context.addDynamicAuthorityAssignment(user, dynamicAuthority);
            }
        }
        return hasPermission(properties.getId(), context, perm);
    }
    // Legacy (OLD ACL) path follows.
    // Get the current authentications
    // Use the smart authentication cache to improve permissions performance
    Authentication auth = AuthenticationUtil.getRunAsAuthentication();
    final Set<String> authorisations = getAuthorisations(auth, nodeRef, perm);
    // If the node does not support the given permission there is no point
    // doing the test. The model lookup runs as the system user (presumably so that the lookup
    // itself is not subject to permission checks - confirm).
    Set<PermissionReference> available = AuthenticationUtil.runAs(new RunAsWork<Set<PermissionReference>>() {
        public Set<PermissionReference> doWork() throws Exception {
            return modelDAO.getAllPermissions(nodeRef);
        }
    }, AuthenticationUtil.getSystemUserName());
    // NOTE(review): the returned set is mutated in place; assumes modelDAO hands back a fresh,
    // mutable set rather than a shared or unmodifiable one - confirm
    available.add(getAllPermissionReference());
    available.add(OLD_ALL_PERMISSIONS_REFERENCE);
    // The cache key covers the authorisation set, node and permission, so a change in the
    // caller's authorities yields a different cache entry
    final Serializable key = generateKey(authorisations, nodeRef, perm, CacheType.HAS_PERMISSION);
    if (!(available.contains(perm))) {
        // Permission is not applicable to this node: deny and remember the denial
        accessCache.put(key, AccessStatus.DENIED);
        return AccessStatus.DENIED;
    }
    // NOTE(review): looks unreachable - the same check already returned ALLOWED above, assuming
    // runAs restores the caller's run-as user; confirm before removing
    if (AuthenticationUtil.isRunAsUserTheSystemUser()) {
        return AccessStatus.ALLOWED;
    }
    // Evaluate as the system user (presumably so the type/aspect/path lookups below are not
    // themselves permission-checked - confirm); the authorisations tested are the ones captured
    // above for the real caller
    return AuthenticationUtil.runAs(new RunAsWork<AccessStatus>() {
        public AccessStatus doWork() throws Exception {
            // Cached decision for this (authorisations, node, permission) key, if any
            AccessStatus status = accessCache.get(key);
            if (status != null) {
                return status;
            }
            //
            // TODO: Dynamic permissions via evaluators
            //
            /*
             * Does the current authentication have the supplied permission on the given node.
             */
            QName typeQname = nodeService.getType(nodeRef);
            Set<QName> aspectQNames = nodeService.getAspects(nodeRef);
            NodeTest nt = new NodeTest(perm, typeQname, aspectQNames);
            boolean result = nt.evaluate(authorisations, nodeRef);
            // Debug trace of the decision, naming the run-as user and the node path
            if (log.isDebugEnabled()) {
                log.debug("Permission <" + perm + "> is " + (result ? "allowed" : "denied") + " for " + AuthenticationUtil.getRunAsUser() + " on node " + nodeService.getPath(nodeRef));
            }
            // Remember the decision under the same key checked above
            status = result ? AccessStatus.ALLOWED : AccessStatus.DENIED;
            accessCache.put(key, status);
            return status;
        }
    }, AuthenticationUtil.getSystemUserName());
}
use of org.alfresco.repo.security.permissions.AccessControlListProperties in project alfresco-repository by Alfresco.
the class SOLRDAOTest method testInheritedAclIndexing.
/**
* MNT-11107: during User Home creation Shared Acl is created that is inherited from Acl
* which is assigned to User Home folder node. This Shared Acl is not assigned to any node.
* However, solrDAO should be able to find it so that it can be indexed.
*/
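public void testInheritedAclIndexing() throws Exception {
    final String USER_MNT11107 = "TestUserMNT11107";
    // Set-up runs inside the try so the tidy-up below always executes, even if user creation fails
    try {
        // Create the user (and therefore its User Home folder) in its own transaction and return
        // the id of the ACL that the User Home folder's ACL inherits from.
        Long sharedAclId = transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback<Long>() {
            @Override
            public Long execute() throws Throwable {
                // Start from a clean slate in case an earlier run left the user behind
                if (authenticationService.authenticationExists(USER_MNT11107)) {
                    authenticationService.deleteAuthentication(USER_MNT11107);
                }
                if (personService.personExists(USER_MNT11107)) {
                    personService.deletePerson(USER_MNT11107);
                }
                authenticationService.createAuthentication(USER_MNT11107, "PWD".toCharArray());
                PropertyMap personProperties = new PropertyMap();
                personProperties.put(ContentModel.PROP_USERNAME, USER_MNT11107);
                personProperties.put(ContentModel.PROP_AUTHORITY_DISPLAY_NAME, "title" + USER_MNT11107);
                personProperties.put(ContentModel.PROP_FIRSTNAME, "firstName");
                personProperties.put(ContentModel.PROP_LASTNAME, "lastName");
                personProperties.put(ContentModel.PROP_EMAIL, USER_MNT11107 + "@example.com");
                personProperties.put(ContentModel.PROP_JOBTITLE, "jobTitle");
                NodeRef person = personService.createPerson(personProperties);
                NodeRef testUserHomeFolder = (NodeRef) nodeService.getProperty(person, ContentModel.PROP_HOMEFOLDER);
                assertNotNull("testUserHomeFolder is null", testUserHomeFolder);
                Long aclIdForUserHomeFolder = nodeService.getNodeAclId(testUserHomeFolder);
                return aclDaoComponent.getInheritedAccessControlList(aclIdForUserHomeFolder);
            }
        });
        assertNotNull("Acl for User Home folder should have inherited Acl", sharedAclId);
        AccessControlListProperties aclProps = aclDaoComponent.getAccessControlListProperties(sharedAclId);
        // Expected value first so a failure reads "expected:<SHARED> but was:<...>"
        assertEquals("Inherited Acl should be of SHARED type", ACLType.SHARED, aclProps.getAclType());
        assertTrue("Acl should inherit", aclProps.getInherits());
        assertNotNull("AclChangeSet for inherited Acl should not be NULL", aclProps.getAclChangeSetId());
        // The shared ACL is not assigned to any node; it must still be reachable via its change set
        List<Long> aclChangeSetIds = new ArrayList<Long>();
        aclChangeSetIds.add(aclProps.getAclChangeSetId());
        List<Acl> acls = solrDAO.getAcls(aclChangeSetIds, null, 1000);
        assertTrue("Shared Acl should be found by solrDAO so that it can be indexed", containsAclId(acls, sharedAclId));
    } finally {
        transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback<Void>() {
            @Override
            public Void execute() throws Throwable {
                // Tidy up as the system user; guard each delete so a partially failed set-up
                // does not mask the original failure with a "not found" error
                authenticationComponent.setSystemUserAsCurrentUser();
                if (authenticationService.authenticationExists(USER_MNT11107)) {
                    authenticationService.deleteAuthentication(USER_MNT11107);
                }
                if (personService.personExists(USER_MNT11107)) {
                    personService.deletePerson(USER_MNT11107);
                }
                return null;
            }
        });
    }
}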
use of org.alfresco.repo.security.permissions.AccessControlListProperties in project alfresco-repository by Alfresco.
the class AclDaoComponentTest method testOldDoesNotCow.
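/**
 * Verifies that an ACL of type {@link ACLType#OLD} is modified in place rather than copied on
 * write: adding an entry keeps the same ACL id and version, leaves {@code inherits=true}, keeps
 * the ACL marked latest and unversioned, and results in exactly the one new entry.
 *
 * @throws Exception if the transaction boundary cannot be committed or restarted
 */
public void testOldDoesNotCow() throws Exception {
    SimpleAccessControlListProperties properties = new SimpleAccessControlListProperties();
    properties.setAclType(ACLType.OLD);
    properties.setVersioned(false);
    Long id = aclDaoComponent.createAccessControlList(properties).getId();

    // Freshly created ACL. Expected value first so JUnit failure messages read correctly.
    AccessControlListProperties aclProps = aclDaoComponent.getAccessControlListProperties(id);
    assertEquals(ACLType.OLD, aclProps.getAclType());
    assertEquals(Long.valueOf(1L), aclProps.getAclVersion());
    assertEquals(Boolean.TRUE, aclProps.getInherits());

    // Commit and open a new transaction so the write below happens against a persisted ACL
    testTX.commit();
    testTX = transactionService.getUserTransaction();
    testTX.begin();
    AccessControlListProperties aclPropsBefore = aclDaoComponent.getAccessControlListProperties(id);
    assertEquals(ACLType.OLD, aclPropsBefore.getAclType());
    assertEquals(Long.valueOf(1L), aclPropsBefore.getAclVersion());
    assertEquals(Boolean.TRUE, aclPropsBefore.getInherits());

    SimpleAccessControlEntry ace1 = new SimpleAccessControlEntry();
    ace1.setAccessStatus(AccessStatus.ALLOWED);
    ace1.setAceType(ACEType.ALL);
    ace1.setAuthority("andy");
    ace1.setPermission(new SimplePermissionReference(QName.createQName("uri", "local"), "Read"));
    ace1.setPosition(null);
    List<AclChange> changes = aclDaoComponent.setAccessControlEntry(id, ace1);
    assertEquals(1, changes.size());
    AclChange change = changes.get(0);
    // No copy-on-write: the ACL id before and after the change is the one we created
    assertEquals(id, change.getBefore());
    assertEquals(change.getBefore(), change.getAfter());

    aclPropsBefore = aclDaoComponent.getAccessControlListProperties(change.getBefore());
    assertEquals(ACLType.OLD, aclPropsBefore.getAclType());
    assertEquals(Long.valueOf(1L), aclPropsBefore.getAclVersion());
    assertEquals(Boolean.TRUE, aclPropsBefore.getInherits());
    assertEquals(Boolean.TRUE, aclPropsBefore.isLatest());
    assertEquals(Boolean.FALSE, aclPropsBefore.isVersioned());
    assertEquals(1, aclDaoComponent.getAccessControlList(change.getBefore()).getEntries().size());
    assertTrue(hasAce(aclDaoComponent.getAccessControlList(change.getBefore()).getEntries(), ace1, 0));
}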
use of org.alfresco.repo.security.permissions.AccessControlListProperties in project alfresco-repository by Alfresco.
the class AclDaoComponentTest method testCreateDefault.
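/**
 * Verifies the properties of an ACL created with the no-argument factory: type
 * {@link ACLType#DEFINING}, version 1, {@code inherits=true} and not versioned.
 */
public void testCreateDefault() {
    // Create default ACL (type=DEFINING, inherits=true, versioned=false)
    Long id = aclDaoComponent.createAccessControlList();
    AccessControlListProperties aclProps = aclDaoComponent.getAccessControlListProperties(id);
    // Expected value first so JUnit failure messages read correctly
    assertEquals(ACLType.DEFINING, aclProps.getAclType());
    assertEquals(Long.valueOf(1L), aclProps.getAclVersion());
    assertEquals(Boolean.TRUE, aclProps.getInherits());
    assertEquals(Boolean.FALSE, aclProps.isVersioned());
}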
use of org.alfresco.repo.security.permissions.AccessControlListProperties in project alfresco-repository by Alfresco.
the class AclDaoComponentTest method testFixed.
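/**
 * Verifies an ACL created with type {@link ACLType#FIXED}: the returned properties report type
 * FIXED, version 1 and {@code inherits=true}; re-reading the properties by id yields an equal
 * object; and the ACL's inherited ACL is itself.
 */
public void testFixed() {
    SimpleAccessControlListProperties properties = new SimpleAccessControlListProperties();
    properties.setAclType(ACLType.FIXED);
    properties.setVersioned(true);
    AccessControlListProperties aclProps = aclDaoComponent.createAccessControlList(properties);
    Long id = aclProps.getId();
    // Expected value first so JUnit failure messages read correctly
    assertEquals(ACLType.FIXED, aclProps.getAclType());
    assertEquals(Long.valueOf(1L), aclProps.getAclVersion());
    assertEquals(Boolean.TRUE, aclProps.getInherits());
    // The properties handed back on creation must match what a fresh lookup returns
    assertEquals(aclProps, aclDaoComponent.getAccessControlListProperties(id));
    // A FIXED ACL resolves to itself as its inherited ACL
    assertEquals(id, aclDaoComponent.getInheritedAccessControlList(id));
}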