use of org.apache.jackrabbit.core.NodeImpl in project pentaho-platform by pentaho.
the class PentahoCompiledPermissionsImpl method buildResult.
/**
 * Folds the access control entries collected for {@code node} into a single allow/deny result.
 *
 * <p>Entries are consumed in the order the entry collector returns them. Each entry updates the
 * allow or deny privilege bits, and the permission masks are recomputed after every entry.</p>
 *
 * @param node           target node; a {@code null} value is tolerated when the node id is derived
 * @param isExistingNode whether the target exists; only then can an entry count as local
 * @param isAcItem       passed to {@code ACLProvider.getNode} and to the permission calculation
 * @param filter         entry filter; its path is also used to derive the parent path
 * @return a {@code Result} built from the accumulated allow/deny permissions and privilege bits
 * @throws RepositoryException declared by the repository calls made here
 */
private Result buildResult(NodeImpl node, boolean isExistingNode, boolean isAcItem, EntryFilterImpl filter) throws RepositoryException {
    // retrieve all ACEs at path or at the direct ancestor of path that
    // apply for the principal names.
    NodeImpl n = ACLProvider.getNode(node, isAcItem);
    // NOTE(review): the raw Iterator hides the element type from the compiler; the loop below
    // relies on every element being either a PentahoEntry or an Entry.
    Iterator entries = entryCollector.collectEntries(n, filter).iterator();
    /*
     * Calculate privileges and permissions: Since the ACEs only define privileges on a node and do not allow to
     * add additional restrictions, the permissions can be determined without taking the given target name or
     * target item into account.
     */
    int allows = Permission.NONE;
    int denies = Permission.NONE;
    PrivilegeBits allowBits = PrivilegeBits.getInstance();
    PrivilegeBits denyBits = PrivilegeBits.getInstance();
    PrivilegeBits parentAllowBits = PrivilegeBits.getInstance();
    PrivilegeBits parentDenyBits = PrivilegeBits.getInstance();
    String parentPath = Text.getRelativeParent(filter.getPath(), 1);
    // a null node yields a null id; isLocal(nodeId) is then only reached when isExistingNode is true
    NodeId nodeId = (node == null) ? null : node.getNodeId();
    while (entries.hasNext()) {
        Object ace = entries.next();
        /*
         * Determine if the ACE also takes effect on the parent: Some permissions (e.g. add-node or removal) must be
         * determined from privileges defined for the parent. A 'local' entry defined on the target node never
         * affects the parent. For inherited ACEs determine if the ACE matches the parent path.
         */
        PrivilegeBits entryBits = null;
        boolean isLocal = false;
        boolean matchesParent = false;
        boolean isAllow = false;
        if (ace instanceof PentahoEntry) {
            entryBits = (((PentahoEntry) ace).getPrivilegeBits());
            isLocal = isExistingNode && ((PentahoEntry) ace).isLocal(nodeId);
            matchesParent = (!isLocal && ((PentahoEntry) ace).matches(parentPath));
            isAllow = ((PentahoEntry) ace).isAllow();
        } else {
            // NOTE(review): unconditional cast; any element that is neither PentahoEntry nor Entry
            // ends the evaluation with a ClassCastException rather than a RepositoryException.
            entryBits = ((Entry) ace).getPrivilegeBits();
            isLocal = isExistingNode && ((Entry) ace).isLocal(nodeId);
            matchesParent = (!isLocal && ((Entry) ace).matches(parentPath));
            isAllow = ((Entry) ace).isAllow();
        }
        // check specific case: "Inherit permissions" may have been unchecked, and node operation permissions may
        // have been granted directly to the item ( thus not requiring having those permissions defined for the parent )
        // Short-circuit: the two node checks run only for local entries.
        boolean isLocalAndDoesNotInheritPermissions = isLocal && isValidPentahoNode(node) && !isEntriesInheriting(node);
        if (matchesParent || isLocalAndDoesNotInheritPermissions) {
            // Parent-level bits. addDifference presumably adds only the bits of entryBits that the
            // opposite set does not already hold, so an earlier entry wins over a later one:
            // confirm against PrivilegeBits. The outcome therefore depends on the collector's order.
            if (isAllow) {
                parentAllowBits.addDifference(entryBits, parentDenyBits);
            } else {
                parentDenyBits.addDifference(entryBits, parentAllowBits);
            }
        }
        // Node-level bits, followed by a recomputation of the permission mask. Permission.diff is
        // given the opposite mask, presumably so that a permission already decided one way is not
        // also recorded the other way (verify against Permission.diff).
        if (isAllow) {
            allowBits.addDifference(entryBits, denyBits);
            int permissions = PrivilegeRegistry.calculatePermissions(allowBits, parentAllowBits, true, isAcItem);
            allows |= Permission.diff(permissions, denies);
        } else {
            denyBits.addDifference(entryBits, allowBits);
            int permissions = PrivilegeRegistry.calculatePermissions(denyBits, parentDenyBits, false, isAcItem);
            denies |= Permission.diff(permissions, allows);
        }
    }
    return new Result(allows, denies, allowBits, denyBits);
}
use of org.apache.jackrabbit.core.NodeImpl in project pentaho-platform by pentaho.
the class PentahoEntryCollector method getRelevantAncestorAces.
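/**
 * Selects (and modifies) ACEs containing JCR_ADD_CHILD_NODES or JCR_REMOVE_CHILD_NODES privileges from the given
 * ACL.
 *
 * <p>Modifications to this ACL are not persisted. ACEs must be created in the given ACL because the path embedded in
 * the given ACL plays into authorization decisions using parentPrivs.</p>
 *
 * @param ancestorAcl ACL of an ancestor node; it is edited in place. {@code null} yields an empty list.
 * @return the entries that {@code buildPentahoEntries} derives from the edited ACL
 * @throws RepositoryException   declared by the repository and access control calls made here
 * @throws IllegalStateException if a reduced entry cannot be added back to the ACL
 */
@SuppressWarnings("unchecked")
protected List<PentahoEntry> getRelevantAncestorAces(final ACLTemplate ancestorAcl) throws RepositoryException {
    if (ancestorAcl == null) {
        return Collections.emptyList();
    }
    NodeImpl ancestorNode = (NodeImpl) systemSession.getNode(ancestorAcl.getPath());
    PentahoEntries fullEntriesIncludingMagicACEs = this.getEntries(ancestorNode);
    JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) systemSession.getAccessControlManager();
    PrivilegeManagerImpl privMrg = (PrivilegeManagerImpl) (((JackrabbitWorkspace) systemSession.getWorkspace()).getPrivilegeManager());
    // The only two privileges that are kept on ancestor entries.
    Privilege addChildNodesPrivilege = acMgr.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES);
    PrivilegeBits addChildNodesPrivilegeBits = privMrg.getBits(addChildNodesPrivilege);
    Privilege removeChildNodesPrivilege = acMgr.privilegeFromName(Privilege.JCR_REMOVE_CHILD_NODES);
    PrivilegeBits removeChildNodesPrivilegeBits = privMrg.getBits(removeChildNodesPrivilege);
    for (PentahoEntry entry : (List<PentahoEntry>) fullEntriesIncludingMagicACEs.getACEs()) {
        List<Privilege> privs = new ArrayList<Privilege>(2);
        if (entry.getPrivilegeBits().includes(addChildNodesPrivilegeBits)) {
            privs.add(addChildNodesPrivilege);
        }
        if (entry.getPrivilegeBits().includes(removeChildNodesPrivilegeBits)) {
            privs.add(removeChildNodesPrivilege);
        }
        // remove all physical entries from the ACL. MagicAces will not be present in the ACL Entries, so we check
        // before trying to remove. The array is a snapshot, so removal does not disturb the iteration.
        AccessControlEntry[] ancestorACEs = ancestorAcl.getEntries().toArray(new AccessControlEntry[0]);
        for (AccessControlEntry ace : ancestorACEs) {
            PentahoEntry pe = buildPentahoEntry(ancestorNode.getNodeId(), ancestorAcl.getPath(), ace);
            if (entry.equals(pe)) {
                ancestorAcl.removeAccessControlEntry(ace);
            }
        }
        // addAccessControlEntry will silently fail to add a new ACE if perms already exist
        if (!privs.isEmpty()) {
            // create new ACE with same principal but only privs relevant to child operations
            // clone to new list to allow concurrent modification
            // NOTE(review): entries are matched by principal name only; confirm that a user and a
            // group can never share a name, otherwise both would be dropped here.
            List<AccessControlEntry> entries = new LinkedList<AccessControlEntry>(ancestorAcl.getEntries());
            for (AccessControlEntry ace : entries) {
                if (ace.getPrincipal().getName().equals(entry.getPrincipalName())) {
                    ancestorAcl.removeAccessControlEntry(ace);
                }
            }
            if (!ancestorAcl.addAccessControlEntry(entry.isGroupEntry() ? new MagicGroup(entry.getPrincipalName()) : new MagicPrincipal(entry.getPrincipalName()), privs.toArray(new Privilege[privs.size()]))) {
                // Fail closed: the ACL has already been edited above, so a rejected add must stop the
                // evaluation instead of continuing with an ACL that lacks the reduced entry. The
                // message names the principal and path so the failure can be traced.
                throw new IllegalStateException("Unable to add child-node privileges for principal '"
                    + entry.getPrincipalName() + "' to ACL at " + ancestorAcl.getPath());
            }
        }
    }
    return buildPentahoEntries(ancestorAcl);
}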
use of org.apache.jackrabbit.core.NodeImpl in project pentaho-platform by pentaho.
the class CachingPentahoEntryCollector method getNextID.
/**
 * Walks up from {@code node} until an access controlled ancestor is found.
 *
 * <p>An ancestor qualifies when its id is already a key of the cache or when {@code hasEntries}
 * reports entries for it. The walk ends at the root.</p>
 *
 * @param node The target node for which the cache needs to be updated.
 * @return The NodeId of the next access controlled ancestor in the hierarchy, or {@code null}
 *         when there is none
 */
private NodeId getNextID(NodeImpl node) throws RepositoryException {
    NodeImpl cursor = node;
    NodeId ancestorId = null;
    while (ancestorId == null && !isRootId(cursor.getNodeId())) {
        NodeId candidateId = cursor.getParentId();
        // The cache is consulted first; the parent node is loaded only on a cache miss.
        boolean accessControlled = getCache().containsKey(candidateId);
        NodeImpl parentNode = null;
        if (!accessControlled) {
            parentNode = (NodeImpl) cursor.getParent();
            accessControlled = hasEntries(parentNode);
        }
        if (accessControlled) {
            ancestorId = candidateId;
        } else {
            // nothing defined on this ancestor, continue one level up
            cursor = parentNode;
        }
    }
    return ancestorId;
}
use of org.apache.jackrabbit.core.NodeImpl in project jackrabbit by apache.
the class TraversingNodeResolver method collectNodes.
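/**
 * Walks {@code itr} depth-first and stores every node resolved by {@code getMatchingNode} in
 * {@code matchingNodes}, keyed by identifier.
 *
 * <p>A positive {@code maxSize} is enforced as a bound on the number of map entries this call
 * adds, including those added by nested calls. The budget is derived from the growth of the
 * map, because a decrement of the by-value {@code maxSize} parameter inside a nested call is
 * not visible to the caller and would let sibling subtrees each consume the full limit.</p>
 *
 * <p>For a non-positive {@code maxSize} the previous behaviour is kept: matches among the nodes
 * of {@code itr} are stored and no child nodes are visited.
 * NOTE(review): confirm what callers intend by a non-positive limit.</p>
 *
 * @param value         value handed to {@code getMatchingNode}
 * @param relPath       relative path handed to {@code getMatchingNode}
 * @param predicate     authorizable type predicate handed to {@code getMatchingNode}
 * @param itr           nodes to inspect at this level
 * @param matchingNodes result map, modified in place
 * @param exact         exact-match flag handed to {@code getMatchingNode}
 * @param maxSize       maximum number of entries to add when positive
 */
private void collectNodes(String value, String relPath, AuthorizableTypePredicate predicate, NodeIterator itr, Map<String, Node> matchingNodes, boolean exact, long maxSize) {
    final boolean bounded = maxSize > 0;
    final int sizeAtEntry = matchingNodes.size();
    while (itr.hasNext()) {
        // Budget left for this call, measured on the shared map so nested additions count.
        long remaining = maxSize - (matchingNodes.size() - sizeAtEntry);
        if (bounded && remaining <= 0) {
            // limit reached: stop walking instead of scanning the rest of the subtree
            break;
        }
        NodeImpl node = (NodeImpl) itr.nextNode();
        try {
            Node authNode = getMatchingNode(node, predicate, relPath, value, exact);
            if (authNode != null) {
                matchingNodes.put(authNode.getIdentifier(), authNode);
            } else if (node.hasNodes() && remaining > 0) {
                collectNodes(value, relPath, predicate, node.getNodes(), matchingNodes, exact, remaining);
            }
        } catch (RepositoryException e) {
            // best effort: a node that cannot be read is skipped and the walk continues
            log.warn("Internal error while accessing node", e);
        }
    }
}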
use of org.apache.jackrabbit.core.NodeImpl in project jackrabbit by apache.
the class UserImporter method start.
// ---------------------------------------------< ProtectedNodeImporter >---
/**
 * Accepts a protected parent only if its primary node type is rep:members and an Authorizable
 * can be resolved from the first ancestor that is not itself a rep:members node.
 *
 * @param protectedParent the protected node the import is about to enter
 * @return {@code true} if a membership import was started for the resolved Authorizable,
 *         {@code false} otherwise
 * @see ProtectedNodeImporter#start(org.apache.jackrabbit.core.NodeImpl)
 */
public boolean start(NodeImpl protectedParent) throws RepositoryException {
    final String membersTypeName = resolver.getJCRName(UserConstants.NT_REP_MEMBERS);
    if (!membersTypeName.equals(protectedParent.getPrimaryNodeType().getName())) {
        return false;
    }
    // Climb out of the rep:members subtree; the walk also ends at depth 0.
    NodeImpl candidate = protectedParent;
    while (candidate.getDepth() != 0 && membersTypeName.equals(candidate.getPrimaryNodeType().getName())) {
        candidate = (NodeImpl) candidate.getParent();
    }
    final Authorizable owner = userManager.getAuthorizable(candidate);
    if (owner != null) {
        currentMembership = new Membership(owner.getID());
        return true;
    }
    log.debug("Cannot handle protected node " + protectedParent + ". It nor one of its parents represent a valid Authorizable.");
    return false;
}