
Example 11 with Impersonation

Use of org.apache.jackrabbit.api.security.user.Impersonation in the project jackrabbit-oak by apache.

From the class UserImportBestEffortTest, method testImportImpersonationBestEffort.

@Test
public void testImportImpersonationBestEffort() throws Exception {
    // System-view export of an authorizable folder holding two users:
    // "t" lists "g" under rep:impersonators, "g" has no impersonators itself.
    String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<sv:node sv:name=\"uFolder\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">"
            + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:AuthorizableFolder</sv:value></sv:property>"
            + "<sv:node sv:name=\"t\">"
            + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:User</sv:value></sv:property>"
            + "   <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>e358efa4-89f5-3062-b10d-d7316b65649e</sv:value></sv:property>"
            + "   <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>t</sv:value></sv:property>"
            + "   <sv:property sv:name=\"rep:impersonators\" sv:type=\"String\"><sv:value>g</sv:value></sv:property>"
            + "</sv:node>"
            + "<sv:node sv:name=\"g\">"
            + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:User</sv:value></sv:property>"
            + "   <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>b2f5ff47-4366-31b6-a533-d8dc3614845d</sv:value></sv:property>"
            + "   <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>g</sv:value></sv:property>"
            + "</sv:node>"
            + "</sv:node>";
    doImport(getTargetPath(), xml);
    // both users must exist after the import
    Authorizable impersonated = getUserManager().getAuthorizable("t");
    assertNotNull(impersonated);
    Authorizable impersonator = getUserManager().getAuthorizable("g");
    assertNotNull(impersonator);
    // a subject carrying only g's principal must be allowed to impersonate t
    Subject impersonatorSubject = new Subject();
    impersonatorSubject.getPrincipals().add(impersonator.getPrincipal());
    Impersonation impersonation = ((User) impersonated).getImpersonation();
    assertTrue(impersonation.allows(impersonatorSubject));
}

Example 12 with Impersonation

Use of org.apache.jackrabbit.api.security.user.Impersonation in the project jackrabbit-oak by apache.

From the class UserImportTest, method testImportImpersonation.

@Test
public void testImportImpersonation() throws Exception {
    // Folder "uFolder" with users "t" and "g"; "t" grants impersonation to "g"
    // through its rep:impersonators property.
    String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<sv:node sv:name=\"uFolder\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">"
            + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:AuthorizableFolder</sv:value></sv:property>"
            + "<sv:node sv:name=\"t\">"
            + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:User</sv:value></sv:property>"
            + "   <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>e358efa4-89f5-3062-b10d-d7316b65649e</sv:value></sv:property>"
            + "   <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>t</sv:value></sv:property>"
            + "   <sv:property sv:name=\"rep:impersonators\" sv:type=\"String\"><sv:value>g</sv:value></sv:property>"
            + "</sv:node>"
            + "<sv:node sv:name=\"g\">"
            + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:User</sv:value></sv:property>"
            + "   <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>b2f5ff47-4366-31b6-a533-d8dc3614845d</sv:value></sv:property>"
            + "   <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>g</sv:value></sv:property>"
            + "</sv:node>"
            + "</sv:node>";
    doImport(getTargetPath(), xml);
    Authorizable userT = getUserManager().getAuthorizable("t");
    assertNotNull(userT);
    Authorizable userG = getUserManager().getAuthorizable("g");
    assertNotNull(userG);
    // build a subject that holds nothing but g's principal ...
    Subject subjectG = new Subject();
    subjectG.getPrincipals().add(userG.getPrincipal());
    // ... and verify t's impersonation accepts it
    Impersonation impersonationOfT = ((User) userT).getImpersonation();
    assertTrue(impersonationOfT.allows(subjectG));
}

Example 13 with Impersonation

Use of org.apache.jackrabbit.api.security.user.Impersonation in the project jackrabbit by apache.

From the class UserImporter, method processReferences.

/**
 * Applies the group-membership and impersonation references collected
 * during the import to the target authorizables.
 * <p>
 * For a {@code Membership} reference the group's declared members are
 * replaced by the imported member set: declared members that are not
 * listed in the import are removed, listed members that are not yet
 * declared are added. Members whose node cannot be resolved are reported
 * through {@code handleFailure}; under {@code ImportBehavior.BESTEFFORT}
 * their ids are nevertheless written to {@code rep:members} as weak
 * references.
 * <p>
 * For an {@code Impersonators} reference the user's impersonators are
 * replaced by the imported principal names in the same add/revoke fashion.
 * There is no best-effort handling for this branch.
 * <p>
 * Auto-save of the user manager is switched off for the duration of the
 * call and switched back on in the {@code finally} block if
 * {@code resetAutoSave} is set. References are removed from the reference
 * tracker only after all of them were processed; if an exception escapes
 * the loop, none of them is removed.
 *
 * @throws IllegalStateException if the importer has not been initialized
 *         ({@code initialized} is {@code false})
 * @throws RepositoryException if a referenced group id does not denote a
 *         group, a referenced user id does not denote a user, or the
 *         repository fails while members or impersonators are adjusted
 * @see org.apache.jackrabbit.core.xml.ProtectedPropertyImporter#processReferences()
 */
public void processReferences() throws RepositoryException {
    if (!initialized) {
        throw new IllegalStateException("Not initialized");
    }
    // make sure the user manager is not in auto-save mode while the
    // references are applied; the original setting is restored in 'finally'
    if (userManager.isAutoSave()) {
        userManager.autoSave(false);
    }
    try {
        // references consumed in this run; they are removed from the tracker
        // in one go after the loop completed
        List<Object> processed = new ArrayList<Object>();
        for (Iterator<Object> it = referenceTracker.getProcessedReferences(); it.hasNext(); ) {
            Object reference = it.next();
            if (reference instanceof Membership) {
                // --- group membership: the imported member set replaces the
                // group's declared members ---
                Authorizable a = userManager.getAuthorizable(((Membership) reference).groupId);
                if (a == null || !a.isGroup()) {
                    throw new RepositoryException(((Membership) reference).groupId + " does not represent a valid group.");
                }
                final Group gr = (Group) a;
                // 1. collect members to add and to remove: every declared
                // member starts out as a removal candidate (keyed by ID) and
                // is struck from the map when it reappears in the import.
                Map<String, Authorizable> toRemove = new HashMap<String, Authorizable>();
                for (Iterator<Authorizable> declMembers = gr.getDeclaredMembers(); declMembers.hasNext(); ) {
                    Authorizable dm = declMembers.next();
                    toRemove.put(dm.getID(), dm);
                }
                List<Authorizable> toAdd = new ArrayList<Authorizable>();
                final List<Membership.Member> nonExisting = new ArrayList<Membership.Member>();
                for (Membership.Member member : ((Membership) reference).members) {
                    // the member's node id may have been remapped by the
                    // reference tracker during import; use the mapping if present
                    NodeId remapped = referenceTracker.getMappedId(member.id);
                    NodeId id = (remapped == null) ? member.id : remapped;
                    Authorizable authorz = null;
                    try {
                        NodeImpl n = ((SessionImpl) session).getNodeById(id);
                        authorz = userManager.getAuthorizable(n);
                    } catch (RepositoryException e) {
                    // intentionally swallowed: no such node or failed to
                    // retrieve the authorizable; authorz stays null and the
                    // failure is reported via handleFailure below.
                    }
                    if (authorz != null) {
                        if (toRemove.remove(authorz.getID()) == null) {
                            toAdd.add(authorz);
                        }
                    // else: already a declared member, no need to remove from rep:members
                    } else {
                        handleFailure("New member of " + gr + ": No such authorizable (NodeID = " + id + ")");
                        if (importBehavior == ImportBehavior.BESTEFFORT) {
                            // keep the unresolved member so its id can still be
                            // written to rep:members below
                            log.info("ImportBehavior.BESTEFFORT: Remember non-existing member for processing.");
                            nonExisting.add(member);
                        }
                    }
                }
                // 2. adjust members of the group; a false return from the
                // API is reported but does not abort the import
                for (Authorizable m : toRemove.values()) {
                    if (!gr.removeMember(m)) {
                        handleFailure("Failed remove existing member (" + m + ") from " + gr);
                    }
                }
                for (Authorizable m : toAdd) {
                    if (!gr.addMember(m)) {
                        handleFailure("Failed add member (" + m + ") to " + gr);
                    }
                }
                // handling non-existing members in case of best-effort: the
                // unresolved ids are stored as weak references as they are.
                // NOTE(review): nothing here checks that these ids belong to
                // authorizables, so dangling entries end up in rep:members —
                // confirm this is the intended BESTEFFORT semantics.
                if (!nonExisting.isEmpty()) {
                    log.info("ImportBehavior.BESTEFFORT: Found " + nonExisting.size() + " entries of rep:members pointing to non-existing authorizables. Adding to rep:members.");
                    final NodeImpl groupNode = ((AuthorizableImpl) gr).getNode();
                    if (userManager.hasMemberSplitSize()) {
                        // members are kept in a rep:members node tree; writing
                        // it goes through the user manager's protected operation
                        userManager.performProtectedOperation((SessionImpl) session, new SessionWriteOperation<Object>() {

                            // returns null; the operation result is not used
                            public Boolean perform(SessionContext context) throws RepositoryException {
                                NodeImpl nMembers = (groupNode.hasNode(UserConstants.N_MEMBERS) ? groupNode.getNode(UserConstants.N_MEMBERS) : groupNode.addNode(UserConstants.N_MEMBERS, UserConstants.NT_REP_MEMBERS, null));
                                // Create N_MEMBERS node structure for holding member references
                                for (Membership.Member member : nonExisting) {
                                    PropertySequence properties = GroupImpl.getPropertySequence(nMembers, userManager);
                                    String propName = member.name;
                                    if (propName == null) {
                                        // entries without a name cannot be keyed in the sequence
                                        log.debug("Ignoring unnamed user with id {}", member.id);
                                        continue;
                                    }
                                    if (properties.hasItem(propName)) {
                                        // an existing entry of the same name is replaced
                                        log.debug("Overwriting authorizable {} which is already member of {}.", propName, gr);
                                        properties.removeProperty(propName);
                                    }
                                    Value newMember = session.getValueFactory().createValue(member.id.toString(), PropertyType.WEAKREFERENCE);
                                    properties.addProperty(propName, newMember);
                                }
                                return null;
                            }
                        });
                    } else {
                        // Create P_MEMBERS for holding member references
                        // build list of valid members set before ....
                        List<Value> memberValues = new ArrayList<Value>();
                        if (groupNode.hasProperty(UserConstants.P_MEMBERS)) {
                            Value[] vls = groupNode.getProperty(UserConstants.P_MEMBERS).getValues();
                            memberValues.addAll(Arrays.asList(vls));
                        }
                        // ... and the non-Existing ones.
                        for (Membership.Member member : nonExisting) {
                            memberValues.add(session.getValueFactory().createValue(member.id.toString(), PropertyType.WEAKREFERENCE));
                        }
                        // and use implementation specific method to set the
                        // value of rep:members properties which was not possible
                        // through the API
                        userManager.setProtectedProperty(groupNode, UserConstants.P_MEMBERS, memberValues.toArray(new Value[memberValues.size()]), PropertyType.WEAKREFERENCE);
                    }
                }
                processed.add(reference);
            } else if (reference instanceof Impersonators) {
                // --- impersonation: the imported principal names replace the
                // user's current impersonators ---
                Authorizable a = userManager.getAuthorizable(((Impersonators) reference).userId);
                if (a == null || a.isGroup()) {
                    throw new RepositoryException(((Impersonators) reference).userId + " does not represent a valid user.");
                }
                Impersonation imp = ((User) a).getImpersonation();
                // 1. collect principals to add and to remove: current
                // impersonators are removal candidates keyed by principal name
                Map<String, Principal> toRemove = new HashMap<String, Principal>();
                for (PrincipalIterator pit = imp.getImpersonators(); pit.hasNext(); ) {
                    Principal princ = pit.nextPrincipal();
                    toRemove.put(princ.getName(), princ);
                }
                List<Principal> toAdd = new ArrayList<Principal>();
                Value[] vs = ((Impersonators) reference).values;
                for (Value v : vs) {
                    String princName = v.getString();
                    if (toRemove.remove(princName) == null) {
                        // add it to the list of new impersonators to be added.
                        // NOTE(review): the name is taken verbatim from the
                        // imported rep:impersonators value and wrapped in a
                        // PrincipalImpl; this method does not verify that such
                        // a principal exists or that it denotes a user rather
                        // than a group — confirm that grantImpersonation below
                        // performs that validation.
                        toAdd.add(new PrincipalImpl(princName));
                    }
                // else: already an impersonator, no need to revoke impersonation for the given principal.
                }
                // 2. adjust set of impersonators; a false return is reported
                // through handleFailure but does not abort the import
                for (Principal princ : toRemove.values()) {
                    if (!imp.revokeImpersonation(princ)) {
                        handleFailure("Failed to revoke impersonation for " + princ.getName() + " on " + a);
                    }
                }
                for (Principal princ : toAdd) {
                    if (!imp.grantImpersonation(princ)) {
                        handleFailure("Failed to grant impersonation for " + princ.getName() + " on " + a);
                    }
                }
                // NOTE: no best effort handling so far. (TODO) Unlike the
                // membership branch, unresolvable entries are only surfaced
                // through the return values checked above.
                processed.add(reference);
            }
        }
        // successfully processed this entry of the reference tracker
        // -> remove from the reference tracker.
        referenceTracker.removeReferences(processed);
    } finally {
        // restore the user manager's auto-save setting to the original state.
        // NOTE(review): resetAutoSave is not set by the autoSave(false) call at
        // the top of this method; it has to be set elsewhere (presumably when
        // the importer is initialized), otherwise auto-save stays off after
        // the import — confirm.
        if (resetAutoSave) {
            userManager.autoSave(true);
        }
    }
}

Example 14 with Impersonation

Use of org.apache.jackrabbit.api.security.user.Impersonation in the project jackrabbit by apache.

From the class UserImporterTest, method testImportImpersonation.

public void testImportImpersonation() throws IOException, RepositoryException, SAXException, NotExecutableException {
    // System-view export of an authorizable folder with users "t" and "g",
    // where "t" names "g" in rep:impersonators.
    String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<sv:node sv:name=\"uFolder\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">"
            + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:AuthorizableFolder</sv:value></sv:property>"
            + "<sv:node sv:name=\"t\">"
            + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:User</sv:value></sv:property>"
            + "   <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>e358efa4-89f5-3062-b10d-d7316b65649e</sv:value></sv:property>"
            + "   <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>t</sv:value></sv:property>"
            + "   <sv:property sv:name=\"rep:impersonators\" sv:type=\"String\"><sv:value>g</sv:value></sv:property>"
            + "</sv:node>"
            + "<sv:node sv:name=\"g\">"
            + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:User</sv:value></sv:property>"
            + "   <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>b2f5ff47-4366-31b6-a533-d8dc3614845d</sv:value></sv:property>"
            + "   <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>g</sv:value></sv:property>"
            + "</sv:node>"
            + "</sv:node>";
    // import below the users root of the session's user manager
    NodeImpl usersRoot = (NodeImpl) sImpl.getNode(umgr.getUsersPath());
    try {
        doImport(usersRoot, xml);
        Authorizable impersonated = umgr.getAuthorizable("t");
        assertNotNull(impersonated);
        Authorizable impersonator = umgr.getAuthorizable("g");
        assertNotNull(impersonator);
        // a subject holding only g's principal must be accepted by t
        Subject impersonatorSubject = new Subject();
        impersonatorSubject.getPrincipals().add(impersonator.getPrincipal());
        Impersonation impersonation = ((User) impersonated).getImpersonation();
        assertTrue(impersonation.allows(impersonatorSubject));
    } finally {
        // drop the unsaved import so it does not leak into other tests
        sImpl.refresh(false);
    }
}

Example 15 with Impersonation

Use of org.apache.jackrabbit.api.security.user.Impersonation in the project jackrabbit by apache.

From the class UserAdministratorTest, method testModifyImpersonationOfUser.

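/**
 * Verifies that the administrating session ({@code otherSession}) can grant
 * and revoke impersonation, both on a user it creates itself and on the
 * pre-existing user {@code uID}.
 * <p>
 * Any impersonation granted on the pre-existing user is revoked in a
 * {@code finally} block, so a failing assertion cannot leave
 * {@code otherP} as an impersonator of that user for subsequent tests.
 *
 * @throws RepositoryException on repository errors
 * @throws NotExecutableException if {@code otherP} can already impersonate
 *         the {@code uID} user, in which case the test is not meaningful
 */
public void testModifyImpersonationOfUser() throws RepositoryException, NotExecutableException {
    UserManager umgr = getUserManager(otherSession);
    Principal otherP = umgr.getAuthorizable(otherUID).getPrincipal();
    // 1. modify impersonation of a user created by the other session
    User created = null;
    try {
        Principal p = getTestPrincipal();
        created = umgr.createUser(p.getName(), buildPassword(p));
        save(otherSession);
        Impersonation impers = created.getImpersonation();
        assertFalse(impers.allows(buildSubject(otherP)));
        assertTrue(impers.grantImpersonation(otherP));
        save(otherSession);
        assertTrue(impers.allows(buildSubject(otherP)));
    } finally {
        // the impersonation granted above is removed together with the user
        if (created != null) {
            created.remove();
            save(otherSession);
        }
    }
    // 2. modify impersonation of another, pre-existing user
    User existing = (User) umgr.getAuthorizable(uID);
    Impersonation existingImpers = existing.getImpersonation();
    if (existingImpers.allows(buildSubject(otherP))) {
        throw new NotExecutableException("Cannot execute test. OtherP can already impersonate UID-user.");
    }
    try {
        // ... modifying the impersonators of another user must succeed
        assertTrue(existingImpers.grantImpersonation(otherP));
        save(otherSession);
        assertTrue(existingImpers.allows(buildSubject(otherP)));
    } finally {
        // revoke unconditionally: a failed assertion above must not leave
        // otherP as an impersonator of the uID user
        existingImpers.revokeImpersonation(otherP);
        save(otherSession);
    }
}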
