
Example 16 with JackrabbitAccessControlManager

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlManager in project jackrabbit-oak by apache.

the class L4_EffectivePoliciesTest method testSessionGetEffectivePoliciesByPrincipal.

/**
 * Exercise: query the effective policies for {@code testPrincipal} through the
 * access control manager of the test session.
 *
 * <p>Setup creates two policies as superuser: one at {@code testRoot} that grants
 * the test principal {@code Privilege.JCR_READ} and
 * {@code Privilege.JCR_READ_ACCESS_CONTROL}, and one at {@code childPath} bound to
 * the everyone principal. The expected array length is intentionally left as the
 * placeholder {@code -1}; filling it in and explaining it is the exercise.
 */
public void testSessionGetEffectivePoliciesByPrincipal() throws Exception {
    Privilege[] readAndReadAc = AccessControlUtils.privilegesFromNames(
            acMgr, Privilege.JCR_READ, Privilege.JCR_READ_ACCESS_CONTROL);
    setupPolicy(testRoot, readAndReadAc, testPrincipal);
    // The second policy names the everyone principal, not testPrincipal.
    setupPolicy(childPath, testPrivileges, EveryonePrincipal.getInstance());
    superuser.save();

    // NOTE(review): presumably a non-superuser session, so the lookup below is
    // subject to that session's own permissions; confirm against getTestSession().
    testSession = getTestSession();
    JackrabbitAccessControlManager sessionAcMgr =
            (JackrabbitAccessControlManager) testSession.getAccessControlManager();
    AccessControlPolicy[] effectivePolicies =
            sessionAcMgr.getEffectivePolicies(Collections.singleton(testPrincipal));

    // EXERCISE
    int expectedLength = -1;
    assertEquals(expectedLength, effectivePolicies.length);
    // EXERCISE : explain the result
}
Also used : JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) Privilege(javax.jcr.security.Privilege)

Example 17 with JackrabbitAccessControlManager

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlManager in project jackrabbit by apache.

the class AccessControlImporter method addACE.

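/**
 * Turns one imported ACE node into an access control entry and adds it to an ACL.
 *
 * <p>The node type decides between allow and deny. The principal name and the
 * privileges are read from their dedicated properties; every other property is
 * treated as a restriction. In principal-based mode the entry is added to the
 * first {@link JackrabbitAccessControlList} found for the principal and that
 * policy is written back through the access control manager. Otherwise the entry
 * is added to the {@code acl} field.
 *
 * @param childInfo the imported node describing the ACE
 * @param propInfos the imported properties of that node
 * @throws ConstraintViolationException if the node type is not an ACE type, the
 *         principal name or privileges are missing or malformed, a restriction
 *         cannot be applied, or no suitable policy exists
 * @throws RepositoryException if reading values or editing the policy fails
 */
private void addACE(NodeInfo childInfo, List<PropInfo> propInfos) throws RepositoryException, UnsupportedRepositoryOperationException {
    // node type may only be rep:GrantACE or rep:DenyACE
    Name ntName = childInfo.getNodeTypeName();
    if (!ACE_NODETYPES.contains(ntName)) {
        throw new ConstraintViolationException("Cannot handle childInfo " + childInfo + "; expected a valid, applicable rep:ACE node definition.");
    }
    checkIdMixins(childInfo);
    boolean isAllow = AccessControlConstants.NT_REP_GRANT_ACE.equals(ntName);
    Principal principal = null;
    Privilege[] privileges = null;
    Map<String, TextValue> restrictions = new HashMap<String, TextValue>();
    for (PropInfo pInfo : propInfos) {
        Name name = pInfo.getName();
        if (AccessControlConstants.P_PRINCIPAL_NAME.equals(name)) {
            Value[] values = pInfo.getValues(PropertyType.STRING, resolver);
            if (values == null || values.length != 1) {
                // say what was wrong instead of throwing with an empty message
                throw new ConstraintViolationException("Cannot handle childInfo " + childInfo + "; expected exactly one principal name value.");
            }
            String pName = values[0].getString();
            principal = session.getPrincipalManager().getPrincipal(pName);
            if (principal == null) {
                if (importBehavior == ImportBehavior.BEST_EFFORT) {
                    // create "fake" principal that is always accepted in ACLTemplate.checkValidEntry()
                    // NOTE(review): the entry is then stored for a name that resolves to no
                    // principal today; presumably it starts to apply if a principal with
                    // that name is created later. Confirm before using BEST_EFFORT on
                    // import content that is not fully trusted.
                    principal = new UnknownPrincipal(pName);
                } else {
                    // create "fake" principal. this is checked again in ACLTemplate.checkValidEntry()
                    principal = new PrincipalImpl(pName);
                }
            }
        } else if (AccessControlConstants.P_PRIVILEGES.equals(name)) {
            Value[] values = pInfo.getValues(PropertyType.NAME, resolver);
            if (values == null) {
                // same null guard as the principal-name branch; avoids an NPE on values.length
                throw new ConstraintViolationException("Cannot handle childInfo " + childInfo + "; privileges property has no values.");
            }
            privileges = new Privilege[values.length];
            for (int i = 0; i < values.length; i++) {
                privileges[i] = acMgr.privilegeFromName(values[i].getString());
            }
        } else {
            // anything that is neither principal name nor privileges is a restriction candidate
            TextValue[] txtVls = pInfo.getTextValues();
            for (TextValue txtV : txtVls) {
                restrictions.put(resolver.getJCRName(name), txtV);
            }
        }
    }
    if (principal == null || privileges == null) {
        // An ACE without a principal or without privileges cannot be applied; fail here
        // with a descriptive error instead of handing null to the access control API.
        throw new ConstraintViolationException("Cannot handle childInfo " + childInfo + "; principal name and privileges are both required.");
    }
    if (principalbased) {
        // try to access policies
        List<AccessControlPolicy> policies = new ArrayList<AccessControlPolicy>();
        if (acMgr instanceof JackrabbitAccessControlManager) {
            JackrabbitAccessControlManager jacMgr = (JackrabbitAccessControlManager) acMgr;
            // existing policies first, then those that could still be applied
            policies.addAll(Arrays.asList(jacMgr.getPolicies(principal)));
            policies.addAll(Arrays.asList(jacMgr.getApplicablePolicies(principal)));
        }
        for (AccessControlPolicy policy : policies) {
            if (policy instanceof JackrabbitAccessControlList) {
                JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policy;
                Map<String, Value> restr = new HashMap<String, Value>();
                for (String restName : acl.getRestrictionNames()) {
                    TextValue txtVal = restrictions.remove(restName);
                    if (txtVal != null) {
                        restr.put(restName, txtVal.getValue(acl.getRestrictionType(restName), resolver));
                    }
                }
                // Reject the ACE when a restriction is left over: dropping it silently
                // would store an entry broader than the imported one.
                if (!restrictions.isEmpty()) {
                    throw new ConstraintViolationException("ACE childInfo contained restrictions that could not be applied.");
                }
                acl.addEntry(principal, privileges, isAllow, restr);
                acMgr.setPolicy(acl.getPath(), acl);
                return;
            }
        }
    } else {
        Map<String, Value> restr = new HashMap<String, Value>();
        for (String restName : acl.getRestrictionNames()) {
            TextValue txtVal = restrictions.remove(restName);
            if (txtVal != null) {
                restr.put(restName, txtVal.getValue(acl.getRestrictionType(restName), resolver));
            }
        }
        // Same rule as above: unsupported restrictions fail the import of this ACE.
        if (!restrictions.isEmpty()) {
            throw new ConstraintViolationException("ACE childInfo contained restrictions that could not be applied.");
        }
        acl.addEntry(principal, privileges, isAllow, restr);
        return;
    }
    // could not apply the ACE. No suitable ACL found.
    throw new ConstraintViolationException("Cannot handle childInfo " + childInfo + "; No policy found to apply the ACE.");
}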
Also used : JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Name(org.apache.jackrabbit.spi.Name) UnknownPrincipal(org.apache.jackrabbit.core.security.principal.UnknownPrincipal) Value(javax.jcr.Value) ConstraintViolationException(javax.jcr.nodetype.ConstraintViolationException) Privilege(javax.jcr.security.Privilege) UnknownPrincipal(org.apache.jackrabbit.core.security.principal.UnknownPrincipal) Principal(java.security.Principal) PrincipalImpl(org.apache.jackrabbit.core.security.principal.PrincipalImpl)

Example 18 with JackrabbitAccessControlManager

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlManager in project jackrabbit by apache.

the class EvaluationUtil method isExecutable.

/**
 * Tells whether an {@code ACLTemplate} can be obtained for at least one principal
 * of the session's subject.
 *
 * <p>For each principal the applicable policies are checked first, then the
 * existing ones. A {@link RepositoryException} raised for one principal is
 * swallowed and the next principal is tried, so {@code false} can mean "no such
 * policy" as well as "the lookup failed" (for example for lack of permission).
 *
 * @param s     session whose subject supplies the principals
 * @param acMgr access control manager to query
 * @return {@code true} as soon as one {@code ACLTemplate} is found, else {@code false}
 */
static boolean isExecutable(SessionImpl s, AccessControlManager acMgr) {
    if (!(acMgr instanceof JackrabbitAccessControlManager)) {
        // principal-based lookups are not available on this manager
        return false;
    }
    JackrabbitAccessControlManager jrAcMgr = (JackrabbitAccessControlManager) acMgr;
    for (Principal subjectPrincipal : s.getSubject().getPrincipals()) {
        try {
            for (AccessControlPolicy candidate : jrAcMgr.getApplicablePolicies(subjectPrincipal)) {
                if (candidate instanceof ACLTemplate) {
                    return true;
                }
            }
            for (AccessControlPolicy candidate : jrAcMgr.getPolicies(subjectPrincipal)) {
                if (candidate instanceof ACLTemplate) {
                    return true;
                }
            }
        } catch (RepositoryException e) {
            // ignore: a failed lookup for this principal is treated like "nothing found"
        }
    }
    return false;
}
Also used : JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) RepositoryException(javax.jcr.RepositoryException) Principal(java.security.Principal)

Example 19 with JackrabbitAccessControlManager

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlManager in project jackrabbit by apache.

the class EvaluationUtil method getPolicy.

/**
 * Returns the first {@code ACLTemplate} available for the given principal.
 *
 * <p>Applicable policies are searched before existing ones. {@code path} is only
 * checked for {@code null}; the lookup itself is keyed on the principal.
 *
 * @param acM       access control manager to query
 * @param path      must be non-null for the lookup to be attempted
 * @param principal principal whose policies are searched
 * @return the first {@code ACLTemplate} found
 * @throws NotExecutableException if the manager is not a
 *         {@link JackrabbitAccessControlManager}, {@code path} is {@code null},
 *         or no {@code ACLTemplate} exists for the principal
 * @throws RepositoryException if a policy lookup fails
 */
static JackrabbitAccessControlList getPolicy(AccessControlManager acM, String path, Principal principal) throws RepositoryException, AccessDeniedException, NotExecutableException {
    if (path == null || !(acM instanceof JackrabbitAccessControlManager)) {
        throw new NotExecutableException();
    }
    JackrabbitAccessControlManager jrAcMgr = (JackrabbitAccessControlManager) acM;

    // first choice: a policy that can still be applied for the principal
    for (AccessControlPolicy candidate : jrAcMgr.getApplicablePolicies(principal)) {
        if (candidate instanceof ACLTemplate) {
            return (ACLTemplate) candidate;
        }
    }
    // fallback: a policy that is already in place
    for (AccessControlPolicy candidate : jrAcMgr.getPolicies(principal)) {
        if (candidate instanceof ACLTemplate) {
            return (ACLTemplate) candidate;
        }
    }
    throw new NotExecutableException();
}
Also used : JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException)

Example 20 with JackrabbitAccessControlManager

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlManager in project jackrabbit-oak by apache.

the class CompositeAccessControlManager method getEffectivePolicies.

/**
 * Collects the effective policies for the given principals from every delegate
 * access control manager and returns them as one array.
 *
 * <p>Results are appended in delegate order and are not de-duplicated. Delegates
 * that are not a {@link JackrabbitAccessControlManager} are skipped, so the
 * result only reflects the delegates that support this principal-based lookup.
 *
 * @param principals principals whose effective policies are requested
 * @return the concatenated effective policies of all supporting delegates
 * @throws RepositoryException if a delegate lookup fails
 */
@Override
public AccessControlPolicy[] getEffectivePolicies(Set<Principal> principals) throws RepositoryException {
    ImmutableList.Builder<AccessControlPolicy> collected = ImmutableList.builder();
    for (AccessControlManager delegate : acMgrs) {
        if (!(delegate instanceof JackrabbitAccessControlManager)) {
            // this delegate contributes nothing to the principal-based result
            continue;
        }
        JackrabbitAccessControlManager jrDelegate = (JackrabbitAccessControlManager) delegate;
        collected.add(jrDelegate.getEffectivePolicies(principals));
    }
    List<AccessControlPolicy> merged = collected.build();
    return merged.toArray(new AccessControlPolicy[merged.size()]);
}
Also used : AbstractAccessControlManager(org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager) AccessControlManager(javax.jcr.security.AccessControlManager) JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) ImmutableList(com.google.common.collect.ImmutableList)
