
Example 1 with UnmodifiableAccessControlList

Use of org.apache.jackrabbit.core.security.authorization.UnmodifiableAccessControlList in the Apache Jackrabbit project.

Class ACLProvider, method getEffectivePolicies.

/**
 * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions)
 */
public AccessControlPolicy[] getEffectivePolicies(Path absPath, CompiledPermissions permissions) throws ItemNotFoundException, RepositoryException {
    if (absPath == null) {
        // TODO: JCR-2774
        log.warn("TODO: JCR-2774 - Repository level permissions.");
        return new AccessControlPolicy[0];
    }
    String jcrPath = session.getJCRPath(absPath);
    String pName = ISO9075.encode(session.getJCRName(ACLTemplate.P_NODE_PATH));
    int ancestorCnt = absPath.getAncestorCount();
    // search all ACEs whose rep:nodePath property equals the specified
    // absPath or any of its ancestors
    StringBuilder stmt = new StringBuilder("/jcr:root");
    stmt.append(acRoot.getPath());
    stmt.append("//element(*,");
    stmt.append(session.getJCRName(NT_REP_ACE));
    stmt.append(")[");
    for (int i = 0; i <= ancestorCnt; i++) {
        String path = Text.getRelativeParent(jcrPath, i);
        if (i > 0) {
            stmt.append(" or ");
        }
        stmt.append("@");
        stmt.append(pName);
        stmt.append("='");
        stmt.append(path.replaceAll("'", "''"));
        stmt.append("'");
    }
    stmt.append("]");
    QueryResult result;
    try {
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query q = qm.createQuery(stmt.toString(), Query.XPATH);
        result = q.execute();
    } catch (RepositoryException e) {
        log.error("Unexpected error while searching effective policies. {}", e.getMessage());
        throw new UnsupportedOperationException("Retrieve effective policies at absPath '" + jcrPath + "' not supported.", e);
    }
    /**
     * Loop over query results and verify that
     * - the corresponding ACE really takes effect on the specified absPath.
     * - the corresponding ACL can be read by the editing session.
     */
    Set<AccessControlPolicy> acls = new LinkedHashSet<AccessControlPolicy>();
    for (NodeIterator it = result.getNodes(); it.hasNext(); ) {
        Node aceNode = it.nextNode();
        String accessControlledNodePath = Text.getRelativeParent(aceNode.getPath(), 2);
        Path acPath = session.getQPath(accessControlledNodePath);
        AccessControlPolicy[] policies = editor.getPolicies(accessControlledNodePath);
        if (policies.length > 0) {
            ACLTemplate acl = (ACLTemplate) policies[0];
            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                ACLTemplate.Entry entry = (ACLTemplate.Entry) ace;
                if (entry.matches(jcrPath)) {
                    if (permissions.grants(acPath, Permission.READ_AC)) {
                        acls.add(new UnmodifiableAccessControlList(acl));
                        break;
                    } else {
                        throw new AccessDeniedException("Access denied at " + accessControlledNodePath);
                    }
                }
            }
        }
    }
    return acls.toArray(new AccessControlPolicy[acls.size()]);
}
Also used: LinkedHashSet (java.util.LinkedHashSet), NodeIterator (javax.jcr.NodeIterator), Path (org.apache.jackrabbit.spi.Path), AccessControlPolicy (javax.jcr.security.AccessControlPolicy), AccessDeniedException (javax.jcr.AccessDeniedException), Query (javax.jcr.query.Query), Node (javax.jcr.Node), AccessControlEntry (javax.jcr.security.AccessControlEntry), RepositoryException (javax.jcr.RepositoryException), QueryResult (javax.jcr.query.QueryResult), QueryManager (javax.jcr.query.QueryManager), UnmodifiableAccessControlList (org.apache.jackrabbit.core.security.authorization.UnmodifiableAccessControlList)

Example 2 with UnmodifiableAccessControlList

Use of org.apache.jackrabbit.core.security.authorization.UnmodifiableAccessControlList in the Apache Jackrabbit project.

Class ACLProvider, method getACL.

private AccessControlList getACL(NodeImpl accessControlledNode, Name policyName, String path) throws RepositoryException {
    // collect the aces of that node.
    NodeImpl aclNode = accessControlledNode.getNode(policyName);
    AccessControlList acl = new ACLTemplate(aclNode, path, allowUnknownPrincipals);
    return new UnmodifiableAccessControlList(acl);
}
Also used: AccessControlList (javax.jcr.security.AccessControlList), UnmodifiableAccessControlList (org.apache.jackrabbit.core.security.authorization.UnmodifiableAccessControlList), NodeImpl (org.apache.jackrabbit.core.NodeImpl)
