use of org.apache.jackrabbit.spi.Name in project jackrabbit by apache.
the class HoldImpl method createFromValue.
static HoldImpl createFromValue(Value val, NodeId nodeId, NameResolver resolver) throws RepositoryException {
String str = val.getString();
Name name = NAME_FACTORY.create(str.substring(2));
boolean isDeep = str.startsWith(DEEP);
return new HoldImpl(name, isDeep, nodeId, resolver);
}
use of org.apache.jackrabbit.spi.Name in project jackrabbit by apache.
the class ACLProvider method getEffectivePolicies.
/**
* @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEffectivePolicies(java.util.Set, CompiledPermissions)
*/
public AccessControlPolicy[] getEffectivePolicies(Set<Principal> principals, CompiledPermissions permissions) throws RepositoryException {
String propName = ISO9075.encode(session.getJCRName(P_PRINCIPAL_NAME));
StringBuilder stmt = new StringBuilder("/jcr:root");
stmt.append("//element(*,");
stmt.append(session.getJCRName(NT_REP_ACE));
stmt.append(")[");
int i = 0;
for (Principal principal : principals) {
if (i > 0) {
stmt.append(" or ");
}
stmt.append("@");
stmt.append(propName);
stmt.append("='");
stmt.append(principal.getName().replaceAll("'", "''"));
stmt.append("'");
i++;
}
stmt.append("]");
QueryResult result;
try {
QueryManager qm = session.getWorkspace().getQueryManager();
Query q = qm.createQuery(stmt.toString(), Query.XPATH);
result = q.execute();
} catch (RepositoryException e) {
log.error("Unexpected error while searching effective policies. {}", e.getMessage());
throw new UnsupportedOperationException("Retrieve effective policies for set of principals not supported.", e);
}
Set<AccessControlPolicy> acls = new LinkedHashSet<AccessControlPolicy>();
for (NodeIterator it = result.getNodes(); it.hasNext(); ) {
NodeImpl aclNode = (NodeImpl) it.nextNode().getParent();
Name aclName = aclNode.getQName();
NodeImpl accessControlledNode = (NodeImpl) aclNode.getParent();
if (N_POLICY.equals(aclName) && isAccessControlled(accessControlledNode)) {
if (permissions.canRead(aclNode.getPrimaryPath(), aclNode.getNodeId())) {
acls.add(getACL(accessControlledNode, N_POLICY, accessControlledNode.getPath()));
} else {
throw new AccessDeniedException("Access denied at " + Text.getRelativeParent(aclNode.getPath(), 1));
}
} else if (N_REPO_POLICY.equals(aclName) && isRepoAccessControlled(accessControlledNode)) {
if (permissions.canRead(aclNode.getPrimaryPath(), aclNode.getNodeId())) {
acls.add(getACL(accessControlledNode, N_REPO_POLICY, null));
} else {
throw new AccessDeniedException("Access denied at " + Text.getRelativeParent(aclNode.getPath(), 1));
}
}
// else: not a regular policy node -> ignore.
}
return acls.toArray(new AccessControlPolicy[acls.size()]);
}
use of org.apache.jackrabbit.spi.Name in project jackrabbit by apache.
the class TokenProvider method createToken.
/**
* Create a separate token node underneath a dedicated token store within
* the user home node. That token node contains the hashed token, the
* expiration time and additional mandatory attributes that will be verified
* during login.
*
* @param userId The identifier of the user for which a new token should
* be created.
* @param attributes The attributes associated with the new token.
* @return A new {@code TokenInfo} or {@code null} if the token could not
* be created.
*/
private TokenInfo createToken(User user, Map<String, ?> attributes) throws RepositoryException {
String error = "Failed to create login token. ";
NodeImpl tokenParent = getTokenParent(user);
if (tokenParent != null) {
try {
ValueFactory vf = session.getValueFactory();
long creationTime = new Date().getTime();
Calendar creation = GregorianCalendar.getInstance();
creation.setTimeInMillis(creationTime);
Name tokenName = session.getQName(Text.replace(ISO8601.format(creation), ":", "."));
NodeImpl tokenNode = super.addNode(tokenParent, tokenName, session.getQName(TOKEN_NT_NAME), NodeId.randomId());
String key = generateKey(8);
String token = new StringBuilder(tokenNode.getId().toString()).append(DELIM).append(key).toString();
String keyHash = PasswordUtility.buildPasswordHash(getKeyValue(key, user.getID()));
setProperty(tokenNode, session.getQName(TOKEN_ATTRIBUTE_KEY), vf.createValue(keyHash));
setProperty(tokenNode, session.getQName(TOKEN_ATTRIBUTE_EXPIRY), createExpirationValue(creationTime, session));
for (String name : attributes.keySet()) {
if (!RESERVED_ATTRIBUTES.contains(name)) {
String attr = attributes.get(name).toString();
setProperty(tokenNode, session.getQName(name), vf.createValue(attr));
}
}
session.save();
return new TokenInfoImpl(tokenNode, token, user.getID());
} catch (NoSuchAlgorithmException e) {
// error while generating login token
log.error(error, e);
} catch (UnsupportedEncodingException e) {
// error while generating login token
log.error(error, e);
} catch (AccessDeniedException e) {
log.warn(error, e);
}
} else {
log.warn("Unable to get/create token store for user {}", user.getID());
}
return null;
}
use of org.apache.jackrabbit.spi.Name in project jackrabbit by apache.
the class AccessControlEntryImpl method getRestrictionNames.
/**
* @see org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry#getRestrictionNames()
*/
public String[] getRestrictionNames() throws NamespaceException {
String[] restrNames = new String[restrictions.size()];
int i = 0;
for (Name n : restrictions.keySet()) {
restrNames[i] = getResolver().getJCRName(n);
i++;
}
return restrNames;
}
use of org.apache.jackrabbit.spi.Name in project jackrabbit by apache.
the class PrivilegeManagerImpl method registerPrivilege.
/**
* Register a new custom privilege with the specified characteristics.
* <p>
* The current implementation has the following limitations and constraints:
*
* <ul>
* <li>the name may not be in use by another privilege</li>
* <li>the namespace URI must be a valid, registered namespace excluding
* those namespaces marked as being reserved</li>
* <li>an aggregate custom privilege is valid if all declared aggregate
* names can be resolved to registered privileges and if there exists
* no registered privilege with the same aggregated privileges.</li>
* </ul>
* <p>
* <strong>Please note</strong><br>
* Custom privilege(s) will not be enforced for any kind of repository
* operations. Those are exclusively covered by the built-in privileges.
* This also implies that the {@link Permission}s are not affected by
* custom privileges.
* <p>
* Applications making use of the custom privilege(s) are in charge of
* asserting whether the privileges are granted/denied according to their
* application specific needs.
*
* @param privilegeName The name of the new custom privilege.
* @param isAbstract Boolean flag indicating if the privilege is abstract.
* @param declaredAggregateNames An array of privilege names referring to
* registered privileges being aggregated by this new custom privilege.
* In case of a non aggregate privilege an empty array should be passed.
* @return the new privilege.
* @throws AccessDeniedException If the session this manager has been created
* lacks rep:privilegeManagement privilege.
* @throws RepositoryException If the privilege could not be registered due
* to constraint violations or if persisting the custom privilege fails.
* @see PrivilegeManager#registerPrivilege(String, boolean, String[])
*/
public Privilege registerPrivilege(String privilegeName, boolean isAbstract, String[] declaredAggregateNames) throws AccessDeniedException, RepositoryException {
if (resolver instanceof SessionImpl) {
SessionImpl sImpl = (SessionImpl) resolver;
sImpl.getAccessManager().checkRepositoryPermission(Permission.PRIVILEGE_MNGMT);
} else {
// cannot evaluate
throw new AccessDeniedException("Registering privileges is not allowed for the editing session.");
}
Name name = resolver.getQName(privilegeName);
Set<Name> daNames;
if (declaredAggregateNames == null || declaredAggregateNames.length == 0) {
daNames = Collections.emptySet();
} else {
daNames = new HashSet<Name>(declaredAggregateNames.length);
for (String declaredAggregateName : declaredAggregateNames) {
daNames.add(resolver.getQName(declaredAggregateName));
}
}
registry.registerDefinition(name, isAbstract, daNames);
return getPrivilege(privilegeName);
}
Aggregations