Examples with AccessPermission org.alfresco.service.cmr.security.AccessPermission used on opensource projects

Example 41 with AccessPermission

use of org.alfresco.service.cmr.security.AccessPermission in project alfresco-repository by Alfresco.

the class CMISConnector method getACL.

public Acl getACL(NodeRef nodeRef, boolean onlyBasicPermissions) {
    AccessControlListImpl result = new AccessControlListImpl();
    // get the permissions and sort them
    ArrayList<AccessPermission> ordered = new ArrayList<AccessPermission>(permissionService.getAllSetPermissions(nodeRef));
    Collections.sort(ordered, new AccessPermissionComparator());
    // remove denied permissions and create OpenCMIS objects
    Map<String, Map<Boolean, AccessControlEntryImpl>> aceMap = new HashMap<String, Map<Boolean, AccessControlEntryImpl>>();
    for (AccessPermission entry : ordered) {
        if (entry.getAccessStatus() == AccessStatus.ALLOWED) {
            // add allowed entries
            Map<Boolean, AccessControlEntryImpl> directAce = aceMap.get(entry.getAuthority());
            if (directAce == null) {
                directAce = new HashMap<Boolean, AccessControlEntryImpl>();
                aceMap.put(entry.getAuthority(), directAce);
            }
            AccessControlEntryImpl ace = directAce.get(entry.isSetDirectly());
            if (ace == null) {
                ace = new AccessControlEntryImpl();
                ace.setPrincipal(new AccessControlPrincipalDataImpl(entry.getAuthority()));
                ace.setPermissions(new ArrayList<String>());
                ace.setDirect(entry.isSetDirectly());
                directAce.put(entry.isSetDirectly(), ace);
            }
            ace.getPermissions().add(entry.getPermission());
        } else if (entry.getAccessStatus() == AccessStatus.DENIED) {
            // remove denied entries
            Map<Boolean, AccessControlEntryImpl> directAce = aceMap.get(entry.getAuthority());
            if (directAce != null) {
                for (AccessControlEntryImpl ace : directAce.values()) {
                    ace.getPermissions().remove(entry.getPermission());
                }
            }
        }
    }
    // adjust permissions, add CMIS permissions and add ACEs to ACL
    List<Ace> aces = new ArrayList<Ace>();
    result.setAces(aces);
    for (Map<Boolean, AccessControlEntryImpl> bothAces : aceMap.values()) {
        // get, translate and set direct ACE
        AccessControlEntryImpl directAce = bothAces.get(true);
        if ((directAce != null) && (!directAce.getPermissions().isEmpty())) {
            List<String> permissions = translatePermissionsToCMIS(directAce.getPermissions(), onlyBasicPermissions);
            if (permissions != null && !permissions.isEmpty()) {
                // tck doesn't like empty permissions list
                directAce.setPermissions(permissions);
                aces.add(directAce);
            }
        }
        // get, translate, remove duplicate permissions and set indirect ACE
        AccessControlEntryImpl indirectAce = bothAces.get(false);
        if ((indirectAce != null) && (!indirectAce.getPermissions().isEmpty())) {
            List<String> permissions = translatePermissionsToCMIS(indirectAce.getPermissions(), onlyBasicPermissions);
            indirectAce.setPermissions(permissions);
            // remove permissions that are already set in the direct ACE
            if ((directAce != null) && (!directAce.getPermissions().isEmpty())) {
                indirectAce.getPermissions().removeAll(directAce.getPermissions());
            }
            if (!indirectAce.getPermissions().isEmpty()) {
                // tck doesn't like empty permissions list
                aces.add(indirectAce);
            }
        }
    }
    result.setExact(!onlyBasicPermissions);
    return result;
}

Example 42 with AccessPermission

use of org.alfresco.service.cmr.security.AccessPermission in project alfresco-repository by Alfresco.

the class CopyServiceImplTest method testCopyUserPermissions.

/**
 * Creates some content as one user, then as another checks:
 *  * If you don't have read permissions to the source you can't copy
 *  * If you don't have write permissions to the target you can't copy
 *  * If you do, you can copy just fine
 */
public void testCopyUserPermissions() throws Exception {
    String nodeTitle = "Test Title String";
    // Create a node under the source
    permissionService.setPermission(sourceNodeRef, USER_1, PermissionService.EDITOR, true);
    permissionService.setPermission(targetNodeRef, USER_1, PermissionService.CONTRIBUTOR, true);
    permissionService.setPermission(targetNodeRef, USER_2, PermissionService.CONTRIBUTOR, true);
    AuthenticationUtil.setFullyAuthenticatedUser(USER_1);
    NodeRef toCopy = nodeService.createNode(sourceNodeRef, ContentModel.ASSOC_CONTAINS, QName.createQName("content"), ContentModel.TYPE_CONTENT).getChildRef();
    nodeService.setProperty(toCopy, ContentModel.PROP_TITLE, nodeTitle);
    // Check we can't copy it
    AuthenticationUtil.setFullyAuthenticatedUser(USER_2);
    try {
        copyService.copy(toCopy, targetNodeRef, ContentModel.ASSOC_CONTAINS, QName.createQName("NewCopy"));
    } catch (AccessDeniedException e) {
    }
    // Allow the read, but the destination won't accept it
    authenticationComponent.setSystemUserAsCurrentUser();
    permissionService.setPermission(sourceNodeRef, USER_2, PermissionService.CONTRIBUTOR, true);
    permissionService.setPermission(targetNodeRef, USER_2, PermissionService.CONTRIBUTOR, false);
    AuthenticationUtil.setFullyAuthenticatedUser(USER_2);
    try {
        copyService.copy(toCopy, targetNodeRef, ContentModel.ASSOC_CONTAINS, QName.createQName("NewCopy"));
    } catch (AccessDeniedException e) {
    }
    // Now allow on the destination, should go through
    authenticationComponent.setSystemUserAsCurrentUser();
    permissionService.setPermission(targetNodeRef, USER_2, PermissionService.CONTRIBUTOR, true);
    AuthenticationUtil.setFullyAuthenticatedUser(USER_2);
    NodeRef copied = copyService.copy(toCopy, targetNodeRef, ContentModel.ASSOC_CONTAINS, QName.createQName("NewCopy"));
    // Check it got there
    assertEquals(true, nodeService.exists(copied));
    assertEquals(nodeTitle, ((MLText) nodeService.getProperty(copied, ContentModel.PROP_TITLE)).getDefaultValue());
    // Check the owners
    // (The new node should be owned by the person who did the copy)
    assertEquals(USER_1, nodeService.getProperty(toCopy, ContentModel.PROP_CREATOR));
    assertEquals(USER_1, nodeService.getProperty(toCopy, ContentModel.PROP_MODIFIER));
    assertEquals(USER_2, nodeService.getProperty(copied, ContentModel.PROP_CREATOR));
    assertEquals(USER_2, nodeService.getProperty(copied, ContentModel.PROP_MODIFIER));
    // Check the permissions on the source and target
    // On the source, 1 is editor, 2 is contributor
    Set<AccessPermission> perms = permissionService.getAllSetPermissions(toCopy);
    boolean done1 = false;
    boolean done2 = false;
    for (AccessPermission perm : perms) {
        if (perm.getAuthority().equals(USER_1)) {
            done1 = true;
            assertEquals(PermissionService.EDITOR, perm.getPermission());
        }
        if (perm.getAuthority().equals(USER_2)) {
            done2 = true;
            assertEquals(PermissionService.CONTRIBUTOR, perm.getPermission());
        }
    }
    assertEquals(true, done1);
    assertEquals(true, done2);
    // On the target, will have inherited from the folder, so both are contributors
    perms = permissionService.getAllSetPermissions(copied);
    done1 = false;
    done2 = false;
    for (AccessPermission perm : perms) {
        if (perm.getAuthority().equals(USER_1)) {
            done1 = true;
            assertEquals(PermissionService.CONTRIBUTOR, perm.getPermission());
        }
        if (perm.getAuthority().equals(USER_2)) {
            done2 = true;
            assertEquals(PermissionService.CONTRIBUTOR, perm.getPermission());
        }
    }
    assertEquals(true, done1);
    assertEquals(true, done2);
    // User 2 should be able to edit the new node
    // User 1 should be able to edit the old node
    // They shouldn't be allowed to edit each others
    String titleToFailToSet = "Set Title";
    String description = "Set Description";
    AuthenticationUtil.setFullyAuthenticatedUser(USER_1);
    try {
        publicNodeService.setProperty(copied, ContentModel.PROP_TITLE, titleToFailToSet);
        fail("User 1 should no longer have write permissions");
    } catch (AccessDeniedException e) {
    }
    AuthenticationUtil.setFullyAuthenticatedUser(USER_2);
    publicNodeService.setProperty(copied, ContentModel.PROP_DESCRIPTION, description);
    assertEquals(nodeTitle, ((MLText) nodeService.getProperty(copied, ContentModel.PROP_TITLE)).getDefaultValue());
    assertEquals(description, ((MLText) nodeService.getProperty(copied, ContentModel.PROP_DESCRIPTION)).getDefaultValue());
}

Example 43 with AccessPermission

use of org.alfresco.service.cmr.security.AccessPermission in project alfresco-repository by Alfresco.

the class SiteServiceImplMoreTest method deleteSiteAndRestoreEnsuringSiteGroupsAreRecovered.

/**
 * This test ensures that when sites are deleted (moved to the trashcan) and then restored, that the 4 role-based groups are
 * restored correctly and that any users who were members of those groups are made members once more.
 *
 * @see SiteServiceImpl#deleteSite(String)
 * @see SiteServiceImpl#onRestoreNode(org.alfresco.service.cmr.repository.ChildAssociationRef)
 */
@Test
public void deleteSiteAndRestoreEnsuringSiteGroupsAreRecovered() throws Exception {
    // Implementation note: as of Alfresco 4.2, authorities cannot be archived and are always hard-deleted.
    // Therefore, on site restore, the SiteService *recreates* the deleted groups associated with the restored site.
    // Having recreated them, it then needs to add any old members (users, TODO what about groups?) into those newly created site groups.
    // It does this by writing the site members and their roles onto a property on the st:site node in the archive & reading them on restore.
    // Choose a site name that will link back to this test case...
    final String siteShortName = testName.getMethodName();
    log.debug("Creating test site called: " + siteShortName);
    // ...and create the site
    final TestSiteAndMemberInfo testSiteAndMemberInfo = perMethodTestSites.createTestSiteWithUserPerRole(siteShortName, "sitePreset", SiteVisibility.PUBLIC, AuthenticationUtil.getAdminUserName());
    // Now get the various site-related data that we want to examine after deletion & restoration
    final TestData testData = TRANSACTION_HELPER.doInTransaction(new RetryingTransactionCallback<TestData>() {

        public TestData execute() throws Throwable {
            Map<QName, Serializable> properties = new HashMap<QName, Serializable>();
            properties.put(ContentModel.PROP_NAME, "testcontent");
            properties.put(ContentModel.PROP_DESCRIPTION, "content - test doc for test");
            ChildAssociationRef testDoc = NODE_SERVICE.createNode(testSiteAndMemberInfo.doclib, ContentModel.ASSOC_CONTAINS, QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, "testcontent"), ContentModel.TYPE_CONTENT, properties);
            NodeRef testDocNodeRef = testDoc.getChildRef();
            // change all groups to have the permissions from a contributor
            PERMISSION_SERVICE.deletePermissions(testDocNodeRef);
            PERMISSION_SERVICE.setInheritParentPermissions(testDocNodeRef, false);
            assertTrue("Permissions should be cleared", PERMISSION_SERVICE.getAllSetPermissions(testDocNodeRef).isEmpty());
            Set<String> permissions = PERMISSION_SERVICE.getSettablePermissions(SiteModel.TYPE_SITE);
            for (String permission : permissions) {
                String siteRoleGroup = SITE_SERVICE.getSiteRoleGroup(siteShortName, permission);
                PERMISSION_SERVICE.setPermission(testDocNodeRef, siteRoleGroup, "SiteContributor", true);
            }
            final Map<String, String> userNameToRoleMap = new HashMap<String, String>();
            // Which users are members of which groups?
            for (String role : SITE_SERVICE.getSiteRoles()) {
                // putAll here shouldn't overwrite any keys in the above map as each authority should only have one role in a site.
                userNameToRoleMap.putAll(SITE_SERVICE.listMembers(siteShortName, null, role, 0, true));
            }
            // Some sanity checking before we delete the site
            final String siteContributorGroup = SITE_SERVICE.getSiteRoleGroup(siteShortName, "SiteContributor");
            assertTrue("Site contributor user was not in site contributors group", AUTHORITY_SERVICE.getContainedAuthorities(AuthorityType.USER, siteContributorGroup, true).contains(testSiteAndMemberInfo.siteContributor));
            assertEquals("Site contributor user did not have expected Contributor role", SiteModel.SITE_CONTRIBUTOR, userNameToRoleMap.get(testSiteAndMemberInfo.siteContributor));
            log.debug("About to delete site.");
            SITE_SERVICE.deleteSite(siteShortName);
            log.debug("Site deleted.");
            return new TestData(userNameToRoleMap, testDocNodeRef);
        }
    });
    TRANSACTION_HELPER.doInTransaction(new RetryingTransactionCallback<Void>() {

        public Void execute() throws Throwable {
            assertThatArchivedNodeExists(testSiteAndMemberInfo.siteInfo.getNodeRef(), "Site node not found in archive.");
            // At this point we might assert that the groups associated with the site were gone, but that's an implementation detail really.
            log.debug("About to restore site node from archive");
            final NodeRef archivedSiteNode = NODE_ARCHIVE_SERVICE.getArchivedNode(testSiteAndMemberInfo.siteInfo.getNodeRef());
            RestoreNodeReport report = NODE_ARCHIVE_SERVICE.restoreArchivedNode(archivedSiteNode);
            // ...which should work
            assertEquals("Failed to restore site from archive", RestoreStatus.SUCCESS, report.getStatus());
            log.debug("Successfully restored site from arhive.");
            return null;
        }
    });
    final Map<String, String> associatedGroups = TRANSACTION_HELPER.doInTransaction(new RetryingTransactionCallback<Map<String, String>>() {

        public Map<String, String> execute() throws Throwable {
            // The site itself should have been restored, of course...
            assertTrue("The site noderef was not restored as expected", NODE_SERVICE.exists(testSiteAndMemberInfo.siteInfo.getNodeRef()));
            // But the group authority nodes should be restored (recreated) as well.
            for (String role : SITE_SERVICE.getSiteRoles()) {
                final String siteGroup = SITE_SERVICE.getSiteRoleGroup(siteShortName, role);
                assertTrue("Site group for role " + role + " did not exist after site restoration", AUTHORITY_SERVICE.authorityExists(siteGroup));
            }
            log.debug(SITE_SERVICE.listMembers(siteShortName, null, null, 0, true).size() + " members...");
            for (Map.Entry<String, String> entry : SITE_SERVICE.listMembers(siteShortName, null, null, 0, true).entrySet()) {
                log.debug(entry);
            }
            // And finally, the original members of the site should have been given the same membership that they had before.
            for (Map.Entry<String, String> entry : testData.userNameToRoleMap.entrySet()) {
                assertEquals("Unexpected role for site user: " + entry.getKey(), entry.getValue(), SITE_SERVICE.getMembersRole(siteShortName, entry.getKey()));
            }
            // When the site is restored custom permissions on contents should be also restored
            Set<AccessPermission> accessPermissions = PERMISSION_SERVICE.getAllSetPermissions(testData.testDocNodeRef);
            Map<String, String> associatedGroups = new HashMap<String, String>();
            for (AccessPermission access : accessPermissions) {
                associatedGroups.put(access.getAuthority(), access.getPermission());
            }
            Set<String> permissions = PERMISSION_SERVICE.getSettablePermissions(SiteModel.TYPE_SITE);
            for (String permission : permissions) {
                String siteRoleGroup = SITE_SERVICE.getSiteRoleGroup(siteShortName, permission);
                assertTrue("all groups should have the permissions from a contributor on test content", "SiteContributor".equals(associatedGroups.get(siteRoleGroup)));
            }
            return associatedGroups;
        }
    });
    TRANSACTION_HELPER.doInTransaction(new RetryingTransactionCallback<Void>() {

        public Void execute() throws Throwable {
            log.debug("About to delete site completely.");
            SITE_SERVICE.deleteSite(siteShortName);
            for (String authority : associatedGroups.keySet()) {
                assertTrue("Associated groups should remain after site delete", AUTHORITY_SERVICE.authorityExists(authority));
            }
            return null;
        }
    });
    TRANSACTION_HELPER.doInTransaction(new RetryingTransactionCallback<Void>() {

        public Void execute() throws Throwable {
            log.debug("About to purge site from trashcan.");
            // get archive node reference
            String storePath = "archive://SpacesStore";
            StoreRef storeRef = new StoreRef(storePath);
            NodeRef archivedNodeRef = new NodeRef(storeRef, testSiteAndMemberInfo.siteInfo.getNodeRef().getId());
            NODE_ARCHIVE_SERVICE.purgeArchivedNode(archivedNodeRef);
            for (String authority : associatedGroups.keySet()) {
                assertTrue("Associated groups should be deleted on site purge", !AUTHORITY_SERVICE.authorityExists(authority));
            }
            return null;
        }
    });
}

Example 44 with AccessPermission

use of org.alfresco.service.cmr.security.AccessPermission in project alfresco-repository by Alfresco.

the class VirtualPermissionServiceExtensionTest method assertUniqueAccessPermission.

/**
 * Asserts that the permission with the given name uniquely found in the
 * given permission entries list has the given access status for the given
 * authority.
 *
 * @param permissionName
 * @param accessStatus
 * @param authority
 * @param permissionEntries
 */
protected void assertUniqueAccessPermission(String permissionName, AccessStatus accessStatus, String authority, Set<AccessPermission> accessPermissions) {
    Map<String, List<AccessPermission>> apByName = mapAccessPermissionsByName(accessPermissions);
    assertNotNull("Not null permission " + permissionName + " expected.", apByName.get(permissionName));
    List<AccessPermission> oneAccessPermission = apByName.get(permissionName);
    assertEquals("Expected single AccessPermission but found " + oneAccessPermission, 1, oneAccessPermission.size());
    AccessPermission permission = apByName.get(permissionName).get(0);
    assertEquals(accessStatus, permission.getAccessStatus());
    assertEquals(authority, permission.getAuthority());
}

Example 45 with AccessPermission

use of org.alfresco.service.cmr.security.AccessPermission in project alfresco-repository by Alfresco.

the class VirtualPermissionServiceExtensionTest method mapAccessPermissionsByName.

private Map<String, List<AccessPermission>> mapAccessPermissionsByName(Set<AccessPermission> accessPermissions) {
    Map<String, List<AccessPermission>> nameMap = new HashMap<>();
    for (AccessPermission accessPermission : accessPermissions) {
        String name = accessPermission.getPermission();
        List<AccessPermission> permissions = (List<AccessPermission>) nameMap.get(name);
        if (permissions == null) {
            permissions = new ArrayList<>();
            nameMap.put(name, permissions);
        }
        permissions.add(accessPermission);
    }
    return nameMap;
}