
Example 76 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

the class ACLTest method testInvalidRestrictionType.

/**
 * Verifies that {@code addEntry} refuses a restriction whose value has the wrong type.
 *
 * The provider is constructed with ("restr", Type.NAME, false) while the value handed to
 * {@code addEntry} is created from a boolean, so the call is expected to end in an
 * {@link AccessControlException}.
 */
@Test
public void testInvalidRestrictionType() throws Exception {
    // NOTE(review): presumably this declares a restriction "restr" of type NAME; the meaning
    // of the trailing boolean flag is not visible here - confirm against TestRestrictionProvider.
    RestrictionProvider nameTypedProvider = new TestRestrictionProvider("restr", Type.NAME, false);
    JackrabbitAccessControlList list = createACL(TEST_PATH, new ArrayList(), namePathMapper, nameTypedProvider);
    try {
        // A boolean value deliberately mismatches the Type.NAME given to the provider.
        Value booleanValue = getValueFactory().createValue(true);
        list.addEntry(testPrincipal, testPrivileges, false, Collections.<String, Value>singletonMap("restr", booleanValue));
        fail("Invalid restriction type.");
    } catch (AccessControlException e) {
        // restriction value of the wrong type was rejected -> success
    }
}
Also used : RestrictionProvider(org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider) AbstractRestrictionProvider(org.apache.jackrabbit.oak.spi.security.authorization.restriction.AbstractRestrictionProvider) ArrayList(java.util.ArrayList) AccessControlException(javax.jcr.security.AccessControlException) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)

Example 77 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit by apache.

the class AccessControlUtils method getAccessControlList.

/**
 * Looks up a modifiable {@code JackrabbitAccessControlList} for the given path by
 * consulting {@link AccessControlManager#getApplicablePolicies(String)} first and
 * {@link AccessControlManager#getPolicies(String)} second.<br>
 *
 * The first {@code JackrabbitAccessControlList} found is returned; remaining
 * policies are not inspected.<br>
 *
 * Editing the returned list does not change access control on its own: the policy
 * must be {@link AccessControlManager#setPolicy(String,
 * javax.jcr.security.AccessControlPolicy) reapplied} and the changes must be saved
 * before the AC modifications take effect.
 *
 * @param accessControlManager The {@code AccessControlManager} .
 * @param absPath The absolute path of the target node.
 * @return A modifiable access control list, or {@code null} if neither lookup
 * yields one; callers have to handle the {@code null} case explicitly.
 * @throws RepositoryException If an error occurs.
 */
public static JackrabbitAccessControlList getAccessControlList(AccessControlManager accessControlManager, String absPath) throws RepositoryException {
    // First choice: a policy that is applicable at absPath (a new ACL).
    for (AccessControlPolicyIterator applicable = accessControlManager.getApplicablePolicies(absPath); applicable.hasNext(); ) {
        AccessControlPolicy candidate = applicable.nextAccessControlPolicy();
        if (candidate instanceof JackrabbitAccessControlList) {
            return (JackrabbitAccessControlList) candidate;
        }
    }
    // Second choice: an ACL that has already been set at absPath.
    AccessControlPolicy[] existing = accessControlManager.getPolicies(absPath);
    for (int i = 0; i < existing.length; i++) {
        if (existing[i] instanceof JackrabbitAccessControlList) {
            return (JackrabbitAccessControlList) existing[i];
        }
    }
    // Neither lookup produced a JackrabbitAccessControlList.
    return null;
}
Also used : AccessControlPolicy(javax.jcr.security.AccessControlPolicy) AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)

Example 78 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

the class AccessControlImporter method getACL.

/**
 * Resolves the access control list that the given tree represents and empties it.
 *
 * A list is resolved only when the tree is not the root, is of node type
 * {@code NT_REP_ACL}, and is either named {@code REP_POLICY} (list looked up by the
 * parent's path) or named {@code REP_REPO_POLICY} directly below the root (list
 * looked up with a {@code null} path).
 *
 * Every entry already present in the resolved list is removed before it is returned.
 * NOTE(review): presumably the caller then adds the entries it reads, so the result
 * replaces rather than merges with the previous entries - confirm against the caller.
 *
 * @param tree the tree to inspect.
 * @return the emptied access control list, or {@code null} if the tree does not
 * match either case or no list could be obtained.
 * @throws RepositoryException if resolving or clearing the list fails.
 */
@CheckForNull
private JackrabbitAccessControlList getACL(Tree tree) throws RepositoryException {
    String name = tree.getName();
    if (tree.isRoot()) {
        return null;
    }

    Tree parentTree = tree.getParent();
    JackrabbitAccessControlList target;
    if (AccessControlConstants.REP_POLICY.equals(name) && ntMgr.isNodeType(tree, AccessControlConstants.NT_REP_ACL)) {
        // node-level policy: keyed by the path of the access controlled parent
        target = getACL(parentTree.getPath());
    } else if (AccessControlConstants.REP_REPO_POLICY.equals(name) && ntMgr.isNodeType(tree, AccessControlConstants.NT_REP_ACL) && parentTree.isRoot()) {
        // repository-level policy: only accepted directly below the root, keyed by null
        target = getACL((String) null);
    } else {
        return null;
    }

    if (target == null) {
        return null;
    }
    // drop whatever entries the list currently holds
    AccessControlEntry[] current = target.getAccessControlEntries();
    for (int i = 0; i < current.length; i++) {
        target.removeAccessControlEntry(current[i]);
    }
    return target;
}
Also used : Tree(org.apache.jackrabbit.oak.api.Tree) AccessControlEntry(javax.jcr.security.AccessControlEntry) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) CheckForNull(javax.annotation.CheckForNull)

Example 79 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

the class AccessControlManagerImpl method getEffectivePolicies.

/**
 * Collects the access control lists that contain entries for the given principals.
 *
 * The principals are checked with {@code Util.checkValidPrincipals} before anything is
 * queried. Each row returned by {@code searchAces} is mapped back to its access
 * controlled tree; rows whose ACL name is empty or whose tree does not exist are
 * skipped and only reported at debug level. One list is built per distinct path, with
 * {@code isEffectivePolicy} set to {@code true} and an {@code AcePredicate} on the principals.
 *
 * The result is ordered by the comparator below: a list with a {@code null} path sorts
 * first, then lists by ascending path depth, then by path string.
 *
 * @param principals the principals to look up.
 * @return the matching policies, possibly an empty array.
 * @throws RepositoryException if validation, the query or list creation fails.
 */
@Nonnull
@Override
public AccessControlPolicy[] getEffectivePolicies(@Nonnull Set<Principal> principals) throws RepositoryException {
    Util.checkValidPrincipals(principals, principalManager);
    Root latestRoot = getLatestRoot();
    Result matchingAces = searchAces(principals, latestRoot);

    // NOTE(review): two unequal lists that both have a null path compare as -1 in either
    // order; the per-path bookkeeping in the loop below appears to rule that case out - confirm.
    Comparator<JackrabbitAccessControlList> byDepthThenPath = new Comparator<JackrabbitAccessControlList>() {

        @Override
        public int compare(JackrabbitAccessControlList list1, JackrabbitAccessControlList list2) {
            if (list1.equals(list2)) {
                return 0;
            }
            String left = list1.getPath();
            String right = list2.getPath();
            if (left == null) {
                return -1;
            }
            if (right == null) {
                return 1;
            }
            int leftDepth = PathUtils.getDepth(left);
            int rightDepth = PathUtils.getDepth(right);
            if (leftDepth != rightDepth) {
                return Ints.compare(leftDepth, rightDepth);
            }
            return left.compareTo(right);
        }
    };
    Set<JackrabbitAccessControlList> effective = Sets.newTreeSet(byDepthThenPath);

    // paths for which a list has already been added, so each path is handled once
    Set<String> handledPaths = Sets.newHashSet();
    for (ResultRow row : matchingAces.getRows()) {
        String acePath = row.getPath();
        // the ACL node is the entry's parent, the access controlled tree its grandparent
        String aclName = Text.getName(Text.getRelativeParent(acePath, 1));
        Tree accessControlledTree = latestRoot.getTree(Text.getRelativeParent(acePath, 2));
        if (aclName.isEmpty() || !accessControlledTree.exists()) {
            log.debug("Isolated access control entry -> ignore query result at " + acePath);
            continue;
        }
        // the repository-level policy is keyed by a null path
        String path = REP_REPO_POLICY.equals(aclName) ? null : accessControlledTree.getPath();
        if (!handledPaths.contains(path)) {
            JackrabbitAccessControlList policy = createACL(path, accessControlledTree, true, new AcePredicate(principals));
            if (policy != null) {
                effective.add(policy);
                handledPaths.add(path);
            }
        }
    }
    return effective.toArray(new AccessControlPolicy[effective.size()]);
}
Also used : ResultRow(org.apache.jackrabbit.oak.api.ResultRow) Root(org.apache.jackrabbit.oak.api.Root) Tree(org.apache.jackrabbit.oak.api.Tree) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Result(org.apache.jackrabbit.oak.api.Result) Nonnull(javax.annotation.Nonnull)

Example 80 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

the class AccessControlManagerImpl method createACL.

/**
 * Builds the access control list stored below an access controlled tree.
 *
 * A list is produced only if the tree exists, {@code Util.isAccessControlled} accepts it
 * and the child named by {@code Util.getAclName(oakPath)} exists. Children of that ACL
 * tree that pass {@code Util.isACE} are turned into entries; when a predicate is given,
 * only entries it accepts are kept.
 *
 * @param oakPath the path the list belongs to; may be {@code null}.
 * @param accessControlledTree the tree that carries the ACL child.
 * @param isEffectivePolicy {@code true} to return an {@code ImmutableACL},
 * {@code false} to return a {@code NodeACL}.
 * @param predicate optional filter on the entries; {@code null} keeps all of them.
 * @return the list, or {@code null} if the preconditions above are not met.
 * @throws RepositoryException if reading the entries fails.
 */
@CheckForNull
private JackrabbitAccessControlList createACL(@Nullable String oakPath, @Nonnull Tree accessControlledTree, boolean isEffectivePolicy, @CheckForNull Predicate<ACE> predicate) throws RepositoryException {
    String aclName = Util.getAclName(oakPath);
    if (!accessControlledTree.exists() || !Util.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
        return null;
    }
    Tree aclTree = accessControlledTree.getChild(aclName);
    if (!aclTree.exists()) {
        return null;
    }

    List<ACE> collected = new ArrayList<ACE>();
    for (Tree child : aclTree.getChildren()) {
        if (!Util.isACE(child, ntMgr)) {
            // not an access control entry: leave it out of the list
            continue;
        }
        ACE ace = createACE(oakPath, child, restrictionProvider);
        boolean accepted = (predicate == null) || predicate.apply(ace);
        if (accepted) {
            collected.add(ace);
        }
    }

    if (isEffectivePolicy) {
        return new ImmutableACL(oakPath, collected, restrictionProvider, getNamePathMapper());
    }
    return new NodeACL(oakPath, collected);
}
Also used : ACE(org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE) ArrayList(java.util.ArrayList) Tree(org.apache.jackrabbit.oak.api.Tree) ImmutableACL(org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) CheckForNull(javax.annotation.CheckForNull)
