Search in sources :

Example 1 with PrivilegeBits

use of org.apache.jackrabbit.core.security.authorization.PrivilegeBits in project jackrabbit by apache.

the class ACLTemplateTest method testMultipleEntryEffect2.

public void testMultipleEntryEffect2() throws RepositoryException, NotExecutableException {
    Privilege repwrite = getAccessControlManager(superuser).privilegeFromName(PrivilegeRegistry.REP_WRITE);
    JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
    pt.addAccessControlEntry(testPrincipal, new Privilege[] { repwrite });
    // add deny entry for mod_props
    Privilege modProperties = getAccessControlManager(superuser).privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES);
    assertTrue(pt.addEntry(testPrincipal, new Privilege[] { modProperties }, false, null));
    // net-effect: 2 entries with the allow entry being adjusted
    assertTrue(pt.size() == 2);
    AccessControlEntry[] entries = pt.getAccessControlEntries();
    for (AccessControlEntry entry1 : entries) {
        ACLTemplate.Entry entry = (ACLTemplate.Entry) entry1;
        PrivilegeBits privs = entry.getPrivilegeBits();
        if (entry.isAllow()) {
            Privilege[] result = privilegesFromNames(new String[] { Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_NODE_TYPE_MANAGEMENT, Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_REMOVE_NODE });
            PrivilegeBits bits = privilegeMgr.getBits(result);
            assertEquals(privs, bits);
        } else {
            assertEquals(privs, privilegeMgr.getBits(modProperties));
        }
    }
}
Also used : JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry) AccessControlEntry(javax.jcr.security.AccessControlEntry) JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry) AccessControlEntry(javax.jcr.security.AccessControlEntry) PrivilegeBits(org.apache.jackrabbit.core.security.authorization.PrivilegeBits) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)

Example 2 with PrivilegeBits

use of org.apache.jackrabbit.core.security.authorization.PrivilegeBits in project jackrabbit by apache.

the class CompiledPermissionsImpl method buildResult.

private Result buildResult(NodeImpl node, boolean isExistingNode, boolean isAcItem, EntryFilterImpl filter) throws RepositoryException {
    // retrieve all ACEs at path or at the direct ancestor of path that
    // apply for the principal names.
    NodeImpl n = ACLProvider.getNode(node, isAcItem);
    Iterator<Entry> entries = entryCollector.collectEntries(n, filter).iterator();
    /*
        Calculate privileges and permissions:
        Since the ACEs only define privileges on a node and do not allow
        to add additional restrictions, the permissions can be determined
        without taking the given target name or target item into account.
        */
    int allows = Permission.NONE;
    int denies = Permission.NONE;
    PrivilegeBits allowBits = PrivilegeBits.getInstance();
    PrivilegeBits denyBits = PrivilegeBits.getInstance();
    PrivilegeBits parentAllowBits = PrivilegeBits.getInstance();
    PrivilegeBits parentDenyBits = PrivilegeBits.getInstance();
    String parentPath = Text.getRelativeParent(filter.getPath(), 1);
    NodeId nodeId = (node == null) ? null : node.getNodeId();
    while (entries.hasNext()) {
        Entry ace = entries.next();
        /*
            Determine if the ACE also takes effect on the parent:
            Some permissions (e.g. add-node or removal) must be determined
            from privileges defined for the parent.
            A 'local' entry defined on the target node never effects the
            parent. For inherited ACEs determine if the ACE matches the
            parent path.
            */
        PrivilegeBits entryBits = ace.getPrivilegeBits();
        boolean isLocal = isExistingNode && ace.isLocal(nodeId);
        boolean matchesParent = (!isLocal && ace.matches(parentPath));
        if (matchesParent) {
            if (ace.isAllow()) {
                parentAllowBits.addDifference(entryBits, parentDenyBits);
            } else {
                parentDenyBits.addDifference(entryBits, parentAllowBits);
            }
        }
        if (ace.isAllow()) {
            allowBits.addDifference(entryBits, denyBits);
            int permissions = PrivilegeRegistry.calculatePermissions(allowBits, parentAllowBits, true, isAcItem);
            allows |= Permission.diff(permissions, denies);
        } else {
            denyBits.addDifference(entryBits, allowBits);
            int permissions = PrivilegeRegistry.calculatePermissions(denyBits, parentDenyBits, false, isAcItem);
            denies |= Permission.diff(permissions, allows);
        }
    }
    return new Result(allows, denies, allowBits, denyBits);
}
Also used : NodeImpl(org.apache.jackrabbit.core.NodeImpl) NodeId(org.apache.jackrabbit.core.id.NodeId) PrivilegeBits(org.apache.jackrabbit.core.security.authorization.PrivilegeBits)

Example 3 with PrivilegeBits

use of org.apache.jackrabbit.core.security.authorization.PrivilegeBits in project jackrabbit by apache.

the class ACLTemplate method internalAdd.

private synchronized boolean internalAdd(Entry entry) throws RepositoryException {
    Principal principal = entry.getPrincipal();
    List<Entry> entriesPerPrincipal = internalGetEntries(principal);
    if (entriesPerPrincipal.isEmpty()) {
        // simple case: just add the new entry at the end of the list.
        entries.add(entry);
        return true;
    } else {
        if (entriesPerPrincipal.contains(entry)) {
            // the same entry is already contained -> no modification
            return false;
        }
        // check if need to adjust existing entries
        int updateIndex = -1;
        Entry complementEntry = null;
        for (Entry e : entriesPerPrincipal) {
            if (equalRestriction(entry, e)) {
                if (entry.isAllow() == e.isAllow()) {
                    // need to update an existing entry
                    if (e.getPrivilegeBits().includes(entry.getPrivilegeBits())) {
                        // in the existing entry -> not modified
                        return false;
                    }
                    // remember the index of the existing entry to be updated later on.
                    updateIndex = entries.indexOf(e);
                    // remove the existing entry and create a new one that
                    // includes both the new privileges and the existing ones.
                    entries.remove(e);
                    PrivilegeBits mergedBits = PrivilegeBits.getInstance(e.getPrivilegeBits());
                    mergedBits.add(entry.getPrivilegeBits());
                    // omit validation check.
                    entry = new Entry(entry, mergedBits, entry.isAllow());
                } else {
                    complementEntry = e;
                }
            }
        }
        // denied/granted.
        if (complementEntry != null) {
            PrivilegeBits complPrivs = complementEntry.getPrivilegeBits();
            PrivilegeBits diff = PrivilegeBits.getInstance(complPrivs);
            diff.diff(entry.getPrivilegeBits());
            if (diff.isEmpty()) {
                // remove the complement entry as the new entry covers
                // all privileges granted by the existing entry.
                entries.remove(complementEntry);
                updateIndex--;
            } else if (!diff.equals(complPrivs)) {
                // replace the existing entry having the privileges adjusted
                int index = entries.indexOf(complementEntry);
                entries.remove(complementEntry);
                // combine set of new builtin and custom privileges
                // and create a new entry.
                Entry tmpl = new Entry(entry, diff, !entry.isAllow());
                entries.add(index, tmpl);
            }
        /* else: does not need to be modified.*/
        }
        // to this method at the end.
        if (updateIndex < 0) {
            entries.add(entry);
        } else {
            entries.add(updateIndex, entry);
        }
        return true;
    }
}
Also used : AccessControlEntry(javax.jcr.security.AccessControlEntry) PrivilegeBits(org.apache.jackrabbit.core.security.authorization.PrivilegeBits) UnknownPrincipal(org.apache.jackrabbit.core.security.principal.UnknownPrincipal) Principal(java.security.Principal)

Aggregations

PrivilegeBits (org.apache.jackrabbit.core.security.authorization.PrivilegeBits)3 AccessControlEntry (javax.jcr.security.AccessControlEntry)2 Principal (java.security.Principal)1 Privilege (javax.jcr.security.Privilege)1 JackrabbitAccessControlEntry (org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)1 JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)1 NodeImpl (org.apache.jackrabbit.core.NodeImpl)1 NodeId (org.apache.jackrabbit.core.id.NodeId)1 UnknownPrincipal (org.apache.jackrabbit.core.security.principal.UnknownPrincipal)1