
Example 61 with Authorizable

use of org.apache.jackrabbit.api.security.user.Authorizable in project jackrabbit by apache.

the class UserImporter method start.

// ---------------------------------------------< ProtectedNodeImporter >---
/**
 * Takes over a protected rep:Members node on behalf of the group that owns it.
 *
 * The node is accepted only if its primary type is rep:Members and walking up
 * through the (possibly nested) rep:Members structure ends at a node that the
 * user manager resolves to an {@link Authorizable}. The membership being
 * imported is then tracked in {@code currentMembership} under that
 * authorizable's id.
 *
 * @param protectedParent the protected node the importer is asked to handle
 * @return {@code true} if this importer handles the node, {@code false} if it is
 *         not a rep:Members node or no authorizable is found at or above it
 * @throws RepositoryException on repository access errors
 * @see ProtectedNodeImporter#start(org.apache.jackrabbit.core.NodeImpl)
 */
public boolean start(NodeImpl protectedParent) throws RepositoryException {
    String repMembers = resolver.getJCRName(UserConstants.NT_REP_MEMBERS);
    if (!repMembers.equals(protectedParent.getPrimaryNodeType().getName())) {
        // not a rep:Members node -> nothing for this importer to do
        return false;
    }

    // climb out of the rep:Members structure until a node of another type
    // (or the root) is reached; that node is the candidate group node
    NodeImpl candidate = protectedParent;
    while (candidate.getDepth() != 0 && repMembers.equals(candidate.getPrimaryNodeType().getName())) {
        candidate = (NodeImpl) candidate.getParent();
    }

    Authorizable owner = userManager.getAuthorizable(candidate);
    if (owner == null) {
        log.debug("Cannot handle protected node " + protectedParent + ". It nor one of its parents represent a valid Authorizable.");
        return false;
    }
    currentMembership = new Membership(owner.getID());
    return true;
}

Example 62 with Authorizable

use of org.apache.jackrabbit.api.security.user.Authorizable in project jackrabbit by apache.

the class UserImporter method handlePropInfo.

// -----------------------------------------< ProtectedPropertyImporter >---
/**
 * Handles the protected properties that make up an imported user or group
 * (rep:principalName, rep:password, rep:impersonators, rep:disabled and
 * rep:members) and returns {@code false} for anything else so the caller can
 * fall back to its default handling.
 *
 * The parent node must resolve to an {@link Authorizable} through the user
 * manager, which restricts imports to the configured users/groups hierarchy.
 * Each property is accepted only if its definition matches the expectations
 * for that property (single- vs. multi-valued, declaring node type). The
 * principal name, password and disabled flag are applied immediately;
 * rep:members and rep:impersonators are only recorded with the reference
 * tracker and resolved after the whole import, since their targets may not
 * exist yet.
 *
 * Auto-save on the user manager is switched off before the property is
 * written. NOTE(review): the {@code resetAutoSave} flag consulted in the
 * finally block is not assigned anywhere in this method; the restore
 * presumably relies on it being set during initialisation -- confirm,
 * otherwise auto-save stays disabled after this call.
 *
 * @param parent the user/group node the protected property belongs to
 * @param protectedPropInfo the protected property being imported
 * @param def the property definition reported for it
 * @return {@code true} if the property was handled here, {@code false} otherwise
 * @throws IllegalStateException if the importer has not been initialised
 * @throws RepositoryException on repository access errors
 * @see ProtectedPropertyImporter#handlePropInfo(org.apache.jackrabbit.core.NodeImpl, org.apache.jackrabbit.core.xml.PropInfo, org.apache.jackrabbit.spi.QPropertyDefinition)
 */
public boolean handlePropInfo(NodeImpl parent, PropInfo protectedPropInfo, QPropertyDefinition def) throws RepositoryException {
    if (!initialized) {
        throw new IllegalStateException("Not initialized");
    }
    /* importer can only handle protected properties below user/group
       nodes that are properly stored underneath the configured users/groups
       hierarchies (see {@link UserManagerImpl#getAuthorizable(NodeImpl)}.
       this prevents from importing user/group nodes somewhere in the
       content hierarchy which isn't possible when creating user/groups
       using the corresponding API calls {@link UserManager#createUser} or
       {@link UserManager#createGroup} respectively. */
    Authorizable a = userManager.getAuthorizable(parent);
    if (a == null) {
        log.warn("Cannot handle protected PropInfo " + protectedPropInfo + ". Node " + parent + " doesn't represent a valid Authorizable.");
        return false;
    }
    // make sure the user manager is not in auto-save mode while the protected
    // properties are written; the finally block below restores the mode
    if (userManager.isAutoSave()) {
        userManager.autoSave(false);
    }
    try {
        Name propName = protectedPropInfo.getName();
        if (UserConstants.P_PRINCIPAL_NAME.equals(propName)) {
            // protected rep:principalName property defined by rep:Authorizable.
            if (def.isMultiple() || !UserConstants.NT_REP_AUTHORIZABLE.equals(def.getDeclaringNodeType())) {
                // some other unexpected property definition -> cannot handle
                log.warn("Unexpected definition for property rep:principalName");
                return false;
            }
            // NOTE(review): the first value is indexed unconditionally; an
            // imported property element without values would throw
            // ArrayIndexOutOfBoundsException here (same for rep:password and
            // rep:disabled below).
            Value v = protectedPropInfo.getValues(PropertyType.STRING, resolver)[0];
            String princName = v.getString();
            // the user manager is expected to reject a principal name already
            // used by another authorizable (see UserManagerImpl#setPrincipal)
            userManager.setPrincipal(parent, new PrincipalImpl(princName));
            /*
             Execute authorizable actions for a NEW group as this is the
             same place in the userManager#createGroup that the actions
             are called.
             In case of a NEW user the actions are executed if the password
             has been imported before (it was remembered in currentPw).
             */
            if (parent.isNew()) {
                if (a.isGroup()) {
                    userManager.onCreate((Group) a);
                } else if (currentPw.containsKey(a.getID())) {
                    userManager.onCreate((User) a, currentPw.remove(a.getID()));
                }
            }
            return true;
        } else if (UserConstants.P_PASSWORD.equals(propName)) {
            if (a.isGroup()) {
                log.warn("Expected parent node of type rep:User.");
                return false;
            }
            // minimal validation of the passed definition
            if (def.isMultiple() || !UserConstants.NT_REP_USER.equals(def.getDeclaringNodeType())) {
                // some other unexpected property definition -> cannot handle
                log.warn("Unexpected definition for property rep:password");
                return false;
            }
            Value v = protectedPropInfo.getValues(PropertyType.STRING, resolver)[0];
            String pw = v.getString();
            // the third argument is presumably the force-hash flag of
            // UserManagerImpl#setPassword, i.e. an imported (already hashed)
            // value is stored as-is -- confirm against that method
            userManager.setPassword(parent, pw, false);
            /*
             Execute authorizable actions for a NEW user at this point after
             having set the password if the principal name has already been
             processed, otherwise postpone it.
             */
            if (parent.isNew()) {
                if (parent.hasProperty(UserConstants.P_PRINCIPAL_NAME)) {
                    userManager.onCreate((User) a, pw);
                } else {
                    // principal name not yet available -> remember the pw;
                    // only one pending password is kept at a time and it is
                    // consumed when rep:principalName is handled above
                    currentPw.clear();
                    currentPw.put(a.getID(), pw);
                }
            }
            return true;
        } else if (UserConstants.P_IMPERSONATORS.equals(propName)) {
            if (a.isGroup()) {
                // unexpected parent type -> cannot handle
                log.warn("Expected parent node of type rep:User.");
                return false;
            }
            // minimal validation of the passed definition
            if (!def.isMultiple() || !UserConstants.MIX_REP_IMPERSONATABLE.equals(def.getDeclaringNodeType())) {
                // some other unexpected property definition -> cannot handle
                log.warn("Unexpected definition for property rep:impersonators");
                return false;
            }
            // since impersonators may be imported later on, postpone processing
            // to the end (handled when the reference tracker's entries are
            // processed).
            Value[] vs = protectedPropInfo.getValues(PropertyType.STRING, resolver);
            referenceTracker.processedReference(new Impersonators(a.getID(), vs));
            return true;
        } else if (UserConstants.P_DISABLED.equals(propName)) {
            if (a.isGroup()) {
                log.warn("Expected parent node of type rep:User.");
                return false;
            }
            // minimal validation of the passed definition
            if (def.isMultiple() || !UserConstants.NT_REP_USER.equals(def.getDeclaringNodeType())) {
                // some other unexpected property definition -> cannot handle
                log.warn("Unexpected definition for property rep:disabled");
                return false;
            }
            // the single string value is passed on as the disable reason
            Value v = protectedPropInfo.getValues(PropertyType.STRING, resolver)[0];
            ((User) a).disable(v.getString());
            return true;
        } else if (UserConstants.P_MEMBERS.equals(propName)) {
            if (!a.isGroup()) {
                // unexpected parent type -> cannot handle
                log.warn("Expected parent node of type rep:Group.");
                return false;
            }
            // minimal validation of the passed definition
            if (!def.isMultiple() || !UserConstants.NT_REP_GROUP.equals(def.getDeclaringNodeType())) {
                // some other unexpected property definition -> cannot handle
                log.warn("Unexpected definition for property rep:members");
                return false;
            }
            // since group-members are references to user/groups that potentially
            // are to be imported later on -> postpone processing to the end
            // (handled when the reference tracker's entries are processed).
            Membership membership = new Membership(a.getID());
            for (Value v : protectedPropInfo.getValues(PropertyType.WEAKREFERENCE, resolver)) {
                membership.addMember(new NodeId(v.getString()));
            }
            referenceTracker.processedReference(membership);
            return true;
        }
        return false;
    } finally {
        // reset the auto-save mode of the user manager in order to restore
        // the original state.
        if (resetAutoSave) {
            userManager.autoSave(true);
        }
    }
}

Example 63 with Authorizable

use of org.apache.jackrabbit.api.security.user.Authorizable in project jackrabbit by apache.

the class XPathQueryEvaluator method eval.

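/**
 * Renders the state of {@code builder} into an XPath query, executes it and
 * returns the matching authorizables.
 *
 * A bound (cursor) and an offset are mutually exclusive: when both are given
 * the offset is dropped. A bound is only usable together with a sort column,
 * because it is expressed as an extra condition on that column. When the query
 * is not scoped to a group, offset and limit are pushed down into the JCR
 * query; when it is, membership has to be filtered after execution and the
 * limit is applied to the filtered iterator instead.
 *
 * Fix: the warning for a bound without sort order used a {@code {}} placeholder
 * but passed no argument, so the bound value was never logged.
 *
 * @return an iterator over the matching authorizables; empty if the builder's
 *         max count is 0
 * @throws RepositoryException if the query cannot be created or executed
 */
public Iterator<Authorizable> eval() throws RepositoryException {
    xPath.append("//element(*,").append(getNtName(builder.getSelector())).append(')');

    Value bound = builder.getBound();
    long offset = builder.getOffset();
    if (bound != null && offset > 0) {
        // bound and offset cannot be combined; the bound wins
        log.warn("Found bound {} and offset {} in limit. Discarding offset.", bound, offset);
        offset = 0;
    }

    Condition condition = builder.getCondition();
    String sortCol = builder.getSortProperty();
    Direction sortDir = builder.getSortDirection();
    if (bound != null) {
        if (sortCol == null) {
            // pass the bound so the placeholder is actually filled
            log.warn("Ignoring bound {} since no sort order is specified", bound);
        } else {
            // the bound becomes a condition on the sort column, using the
            // collation that matches the sort direction
            Condition boundCondition = builder.property(sortCol, getCollation(sortDir), bound);
            condition = condition == null ? boundCondition : builder.and(condition, boundCondition);
        }
    }

    if (condition != null) {
        xPath.append('[');
        // the condition visitor writes the predicate into xPath
        condition.accept(this);
        xPath.append(']');
    }

    if (sortCol != null) {
        boolean ignoreCase = builder.getSortIgnoreCase();
        // NOTE(review): sortCol is appended verbatim and is not escaped here;
        // it must be a property name under the caller's control, never taken
        // from untrusted input.
        // NOTE(review): fn:lower-case() is applied when ignoreCase is false,
        // which reads inverted relative to the flag's name -- confirm against
        // QueryBuilder#setSortOrder before changing; behaviour kept as-is.
        xPath.append(" order by ")
                .append(ignoreCase ? "" : "fn:lower-case(")
                .append(sortCol)
                .append(ignoreCase ? " " : ") ")
                .append(sortDir.getDirection());
    }

    QueryManager queryManager = session.getWorkspace().getQueryManager();
    Query query = queryManager.createQuery(xPath.toString(), Query.XPATH);

    long maxCount = builder.getMaxCount();
    if (maxCount == 0) {
        return Iterators.empty();
    }

    if (builder.getGroupName() == null) {
        // not scoped to a group: offset and limit can be applied by the query
        if (offset > 0) {
            query.setOffset(offset);
        }
        if (maxCount > 0) {
            query.setLimit(maxCount);
        }
        return toAuthorizables(execute(query));
    }

    // scoped to a group: membership is filtered after execution, so offset and
    // limit have to be applied to the filtered iterator here (inefficient!)
    Iterator<Authorizable> result = toAuthorizables(execute(query));
    Iterator<Authorizable> filtered = filter(result, builder.getGroupName(), builder.isDeclaredMembersOnly());
    return BoundedIterator.create(offset, maxCount, filtered);
}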

Example 64 with Authorizable

use of org.apache.jackrabbit.api.security.user.Authorizable in project jackrabbit by apache.

the class UserManagerImpl method setPrincipal.

//--------------------------------------------------------------------------
/**
 * Assigns the given principal to a freshly created user/group node by writing
 * its name into rep:principalName.
 *
 * The order of the checks matters: the principal is validated first, then a
 * collision with another authorizable is ruled out, and only then is the node
 * required to be new and not yet carrying rep:principalName. The collision
 * check is what keeps two authorizables from sharing one principal name.
 *
 * @param node The new user/group node.
 * @param principal A valid non-null principal.
 * @throws AuthorizableExistsException If there is already another user/group
 * with the same principal name.
 * @throws RepositoryException If the node is not new, already has a
 * rep:principalName, or another error occurs.
 */
void setPrincipal(NodeImpl node, Principal principal) throws AuthorizableExistsException, RepositoryException {
    boolean isGroup = node.isNodeType(NT_REP_GROUP);
    checkValidPrincipal(principal, isGroup);

    /* Look for *another* authorizable carrying the same principal. Re-importing
       an existing authorizable recreates the very same user/group node while the
       lookup still finds the persisted one; comparing node identity (isSame)
       keeps that case from being reported as a collision. */
    Authorizable collision = getAuthorizable(principal);
    boolean otherNodeHasPrincipal = collision != null
            && !((AuthorizableImpl) collision).getNode().isSame(node);
    if (otherNodeHasPrincipal) {
        throw new AuthorizableExistsException("Authorizable for '" + principal.getName() + "' already exists: ");
    }

    // rep:principalName is write-once and only allowed on a not yet persisted node
    boolean principalAlreadySet = !node.isNew() || node.hasProperty(P_PRINCIPAL_NAME);
    if (principalAlreadySet) {
        throw new RepositoryException("rep:principalName can only be set once on a new node.");
    }

    setProperty(node, P_PRINCIPAL_NAME, getValue(principal.getName()), true);
}

Example 65 with Authorizable

use of org.apache.jackrabbit.api.security.user.Authorizable in project jackrabbit-oak by apache.

the class PrincipalProviderAutoMembershipTest method testGetGroupPrincipals.

/**
 * The group principals reported for USER_ID must contain the auto-membership
 * group's principal and equal the expected set exactly.
 */
@Test
public void testGetGroupPrincipals() throws Exception {
    Set<Principal> expectedGroups = getExpectedGroupPrincipals(USER_ID);
    Authorizable member = getUserManager(root).getAuthorizable(USER_ID);
    // java.security.acl.Group is deprecated in newer JDKs; the element type
    // is dictated by principalProvider.getGroupMembership's return type
    Set<java.security.acl.Group> actualGroups = principalProvider.getGroupMembership(member.getPrincipal());
    boolean containsAutoGroup = actualGroups.contains(autoMembershipGroup.getPrincipal());
    assertTrue(containsAutoGroup);
    assertEquals(expectedGroups, actualGroups);
}
