Example 1 with PrivilegeSet
use of org.bedework.access.PrivilegeSet in project bw-calendar-engine by Bedework.
the class CalSvc method getCal.
/* Currently this gets a local calintf only. Later we need to use a par to
* get calintf from a table.
*/
Calintf getCal() throws CalFacadeException {
if (cali != null) {
return cali;
}
final long start = System.currentTimeMillis();
try {
final long beforeGetIntf = System.currentTimeMillis() - start;
cali = CalintfFactory.getIntf(CalintfFactory.hibernateClass);
final long afterGetIntf = System.currentTimeMillis() - start;
cali.open(pars.getWebMode(), pars.getForRestore(), // Just for the user interactions
pars.getIndexRebuild());
postNotification(SysEvent.makeTimedEvent("Login: about to obtain calintf", beforeGetIntf));
postNotification(SysEvent.makeTimedEvent("Login: calintf obtained", afterGetIntf));
postNotification(SysEvent.makeTimedEvent("Login: intf opened", System.currentTimeMillis() - start));
cali.beginTransaction();
postNotification(SysEvent.makeTimedEvent("Login: transaction started", System.currentTimeMillis() - start));
String runAsUser = pars.getUser();
if (pars.getCalSuite() != null) {
final BwCalSuite cs = cali.getCalSuite(pars.getCalSuite());
if (cs == null) {
error("******************************************************");
error("Unable to fetch calendar suite " + pars.getCalSuite());
error("Is the database correctly initialised?");
error("******************************************************");
throw new CalFacadeException(CalFacadeException.unknownCalsuite, pars.getCalSuite());
}
getCalSuitesHandler().set(new BwCalSuiteWrapper(cs));
/* For administrative use we use the account of the admin group the user
* is a direct member of
*
* For public clients we use the calendar suite owning group.
*/
if (!pars.getPublicAdmin()) {
runAsUser = cs.getGroup().getOwnerHref();
}
}
postNotification(SysEvent.makeTimedEvent("Login: before get dirs", System.currentTimeMillis() - start));
final Directories dir = getDirectories();
/* Get ourselves a user object */
String authenticatedUser = pars.getAuthUser();
if (authenticatedUser != null) {
final String sv = authenticatedUser;
if (dir.isPrincipal(authenticatedUser)) {
authenticatedUser = dir.accountFromPrincipal(authenticatedUser);
}
if (authenticatedUser == null) {
error("Failed with Authenticated user " + sv);
return null;
}
if (authenticatedUser.endsWith("/")) {
getLogger().warn("Authenticated user " + authenticatedUser + " ends with \"/\"");
}
}
postNotification(SysEvent.makeTimedEvent("Login: before user fetch", System.currentTimeMillis() - start));
// synchronized (synchlock) {
final Users users = (Users) getUsersHandler();
if (runAsUser == null) {
runAsUser = authenticatedUser;
}
BwPrincipal currentPrincipal;
final BwPrincipal authPrincipal;
PrivilegeSet maxAllowedPrivs = null;
boolean subscriptionsOnly = getSystemProperties().getUserSubscriptionsOnly();
boolean userMapHit = false;
boolean addingUser = false;
boolean addingRunAsUser = false;
if (pars.getForRestore()) {
authenticated = true;
currentPrincipal = dir.caladdrToPrincipal(pars.getAuthUser());
authPrincipal = currentPrincipal;
subscriptionsOnly = false;
} else if (authenticatedUser == null) {
authenticated = false;
// Unauthenticated use
currentPrincipal = unauthUsers.get(runAsUser);
if (currentPrincipal == null) {
currentPrincipal = users.getUser(runAsUser);
} else {
userMapHit = true;
}
if (currentPrincipal == null) {
// XXX Should we set this one up?
currentPrincipal = BwPrincipal.makeUserPrincipal();
}
currentPrincipal.setUnauthenticated(true);
if (!userMapHit) {
unauthUsers.put(runAsUser, currentPrincipal);
}
authPrincipal = currentPrincipal;
maxAllowedPrivs = PrivilegeSet.readOnlyPrivileges;
} else {
authenticated = true;
currentPrincipal = unauthUsers.get(authenticatedUser);
if (currentPrincipal == null) {
currentPrincipal = users.getUser(authenticatedUser);
} else {
userMapHit = true;
}
if (currentPrincipal == null) {
/* Add the user to the database. Presumably this is first logon
*/
getLogger().debug("Add new user " + authenticatedUser);
/*
currentPrincipal = addUser(authenticatedUser);
if (currentPrincipal == null) {
error("Failed to find user after adding: " + authenticatedUser);
}
*/
currentPrincipal = getFakeUser(authenticatedUser);
addingUser = true;
}
authPrincipal = currentPrincipal;
if (authenticatedUser.equals(runAsUser)) {
getLogger().debug("Authenticated user " + authenticatedUser + " logged on");
} else {
currentPrincipal = unauthUsers.get(runAsUser);
if (currentPrincipal == null) {
currentPrincipal = users.getUser(runAsUser);
} else {
userMapHit = true;
}
if (currentPrincipal == null) {
// throw new CalFacadeException("User " + runAsUser + " does not exist.");
/* Add the user to the database. Presumably this is first logon
*/
getLogger().debug("Add new run-as-user " + runAsUser);
// currentPrincipal = addUser(runAsUser);
currentPrincipal = getFakeUser(runAsUser);
addingRunAsUser = true;
}
getLogger().debug("Authenticated user " + authenticatedUser + " logged on - running as " + runAsUser);
}
if (!userMapHit && (currentPrincipal != null)) {
currentPrincipal.setGroups(dir.getAllGroups(currentPrincipal));
authUsers.put(currentPrincipal.getAccount(), currentPrincipal);
}
postNotification(SysEvent.makeTimedEvent("Login: after get Groups", System.currentTimeMillis() - start));
if (pars.getService()) {
subscriptionsOnly = false;
} else {
final BwPrincipalInfo bwpi = dir.getDirInfo(currentPrincipal);
currentPrincipal.setPrincipalInfo(bwpi);
if (pars.getPublicAdmin() || (bwpi != null && bwpi.getHasFullAccess())) {
subscriptionsOnly = false;
}
postNotification(SysEvent.makeTimedEvent("Login: got Dirinfo", System.currentTimeMillis() - start));
}
}
principalInfo = new SvciPrincipalInfo(this, currentPrincipal, authPrincipal, maxAllowedPrivs, subscriptionsOnly);
cali.init(pars.getLogId(), configs, principalInfo, null, pars.getPublicAdmin(), pars.getPublicSubmission(), pars.getSessionsless(), pars.getDontKill());
if (addingUser) {
// Do the real work of setting up user
addUser(authenticatedUser);
}
if (addingRunAsUser) {
// Do the real work of setting up user
addUser(runAsUser);
}
if (!currentPrincipal.getUnauthenticated()) {
if (pars.getService()) {
postNotification(SysEvent.makePrincipalEvent(SysEvent.SysCode.SERVICE_USER_LOGIN, currentPrincipal, System.currentTimeMillis() - start));
} else if (!creating) {
users.logon(currentPrincipal);
postNotification(SysEvent.makePrincipalEvent(SysEvent.SysCode.USER_LOGIN, currentPrincipal, System.currentTimeMillis() - start));
}
} else {
// If we have a runAsUser it's a public client. Pretend we authenticated
// WHY? currentPrincipal.setUnauthenticated(runAsUser == null);
}
if (pars.getPublicAdmin() || pars.isGuest()) {
if (debug) {
trace("PublicAdmin: " + pars.getPublicAdmin() + " user: " + runAsUser);
}
/* We may be running as a different user. The preferences we want to see
* are those of the user we are running as - i.e. the 'run.as' user
* not those of the authenticated user.
* /
BwCalSuiteWrapper suite = getCalSuitesHandler().get();
BwPrincipal user;
if (suite != null) {
// Use this user
user = users.getPrincipal(suite.getGroup().getOwnerHref());
} else if (runAsUser == null) {
// Unauthenticated CalDAV for example?
user = currentPrincipal;
} else {
// No calendar suite set up
// XXX This is messy
if (runAsUser.startsWith("/")) {
user = users.getPrincipal(runAsUser);
} else {
user = users.getUser(runAsUser);
}
}
if (!user.equals(principalInfo.getPrincipal())) {
user.setGroups(getDirectories().getAllGroups(user));
user.setPrincipalInfo(getDirectories().getDirInfo(user));
((SvciPrincipalInfo)principalInfo).setPrincipal(user);
}
*/
}
return cali;
// }
} catch (final CalFacadeException cfe) {
error(cfe);
throw cfe;
} catch (final Throwable t) {
error(t);
throw new CalFacadeException(t);
} finally {
if (cali != null) {
cali.endTransaction();
cali.close();
// cali.flushAll();
}
}
}
Also used :
BwCalSuite(org.bedework.calfacade.svc.BwCalSuite)
PrivilegeSet(org.bedework.access.PrivilegeSet)
BwString(org.bedework.calfacade.BwString)
BwCalSuiteWrapper(org.bedework.calfacade.svc.wrappers.BwCalSuiteWrapper)
CalFacadeException(org.bedework.calfacade.exc.CalFacadeException)
Directories(org.bedework.calfacade.ifs.Directories)
BwPrincipal(org.bedework.calfacade.BwPrincipal)
BwPrincipalInfo(org.bedework.calfacade.BwPrincipalInfo)
Example 2 with PrivilegeSet
use of org.bedework.access.PrivilegeSet in project bw-calendar-engine by Bedework.
the class AccessUtil method checkAccess.
@Override
public CurrentAccess checkAccess(final BwShareableDbentity<?> ent, final int desiredAccess, final boolean alwaysReturnResult) throws CalFacadeException {
if (ent == null) {
return null;
}
if (ent instanceof CalendarWrapper) {
final CalendarWrapper col = (CalendarWrapper) ent;
final CurrentAccess ca = col.getCurrentAccess(desiredAccess);
if (ca != null) {
if (debug) {
debug("Access " + desiredAccess + " already checked for " + cb.getPrincipal().getPrincipalRef() + " and allowed=" + ca.getAccessAllowed());
}
if (!ca.getAccessAllowed() && !alwaysReturnResult) {
throw new CalFacadeAccessException();
}
return ca;
}
}
if (debug) {
final String cname = ent.getClass().getName();
final String ident;
if (ent instanceof BwCalendar) {
ident = ((BwCalendar) ent).getPath();
} else {
ident = String.valueOf(ent.getId());
}
debug("Check access by " + cb.getPrincipal().getPrincipalRef() + " for object " + cname.substring(cname.lastIndexOf(".") + 1) + " ident=" + ident + " desiredAccess = " + desiredAccess);
}
try {
final long startTime = System.currentTimeMillis();
CurrentAccess ca = null;
final AccessPrincipal owner = cb.getPrincipal(ent.getOwnerHref());
if (debug) {
debug("After getPrincipal - took: " + (System.currentTimeMillis() - startTime));
}
if (owner == null) {
error("Principal(owner) " + ent.getOwnerHref() + " does not exist");
if (!alwaysReturnResult) {
throw new CalFacadeAccessException();
}
return new CurrentAccess(false);
}
PrivilegeSet maxPrivs = null;
char[] aclChars = null;
if (ent instanceof BwCalendar) {
final BwCalendar cal = (BwCalendar) ent;
final String path = cal.getPath();
/* I think this was wrong. For superuser we want to see the real
* access but they are going to be allowed access whatever.
if (userRootPath.equals(path)) {
ca = new CurrentAccess();
if (getSuperUser()) {
ca.privileges = PrivilegeSet.makeDefaultOwnerPrivileges();
} else {
ca.privileges = PrivilegeSet.makeDefaultNonOwnerPrivileges();
}
} else if (path.equals(userHomePathPrefix + account)){
// Accessing user home directory
if (getSuperUser()) {
ca = new CurrentAccess();
ca.privileges = PrivilegeSet.makeDefaultOwnerPrivileges();
} else {
// Set the maximumn access
maxPrivs = PrivilegeSet.userHomeMaxPrivileges;
}
}
*/
if (!cb.getSuperUser()) {
if (cb.getUserHomePath().equals(path)) {
ca = new CurrentAccess();
ca = Acl.defaultNonOwnerAccess;
} else if (path.equals(Util.buildPath(colPathEndsWithSlash, cb.getUserHomePath(), "/", owner.getAccount()))) {
// Accessing user home directory
// Set the maximumn access
maxPrivs = PrivilegeSet.userHomeMaxPrivileges;
}
}
}
if (maxPrivs == null) {
maxPrivs = cb.getMaximumAllowedPrivs();
} else if (cb.getMaximumAllowedPrivs() != null) {
maxPrivs = PrivilegeSet.filterPrivileges(maxPrivs, cb.getMaximumAllowedPrivs());
}
if (ca == null) {
/* Not special. getAclChars provides merged access for the current
* entity.
*/
aclChars = getAclChars(ent);
if (aclChars == null) {
error("Unable to fetch aclchars for " + ent);
if (!alwaysReturnResult) {
throw new CalFacadeAccessException();
}
return new CurrentAccess(false);
}
if (debug) {
debug("aclChars = " + new String(aclChars));
}
if (desiredAccess == privAny) {
ca = access.checkAny(cb, cb.getPrincipal(), owner, aclChars, maxPrivs);
} else if (desiredAccess == privRead) {
ca = access.checkRead(cb, cb.getPrincipal(), owner, aclChars, maxPrivs);
} else if (desiredAccess == privWrite) {
ca = access.checkReadWrite(cb, cb.getPrincipal(), owner, aclChars, maxPrivs);
} else {
ca = access.evaluateAccess(cb, cb.getPrincipal(), owner, desiredAccess, aclChars, maxPrivs);
}
}
if ((cb.getPrincipal() != null) && cb.getSuperUser()) {
/* Override rather than just create a readable access as code further
* up expects a valid filled in object.
*/
if (debug && !ca.getAccessAllowed()) {
debug("Override for superuser");
}
ca = Acl.forceAccessAllowed(ca);
}
if (ent instanceof CalendarWrapper) {
final CalendarWrapper col = (CalendarWrapper) ent;
col.setCurrentAccess(ca, desiredAccess);
}
if (debug) {
debug("access allowed: " + ca.getAccessAllowed());
}
if (!ca.getAccessAllowed() && !alwaysReturnResult) {
throw new CalFacadeAccessException();
}
return ca;
} catch (final CalFacadeException cfe) {
throw cfe;
} catch (final Throwable t) {
throw new CalFacadeException(t);
}
}
Also used :
PrivilegeSet(org.bedework.access.PrivilegeSet)
CurrentAccess(org.bedework.access.Acl.CurrentAccess)
CalendarWrapper(org.bedework.calfacade.wrappers.CalendarWrapper)
BwCalendar(org.bedework.calfacade.BwCalendar)
CalFacadeAccessException(org.bedework.calfacade.exc.CalFacadeAccessException)
AccessPrincipal(org.bedework.access.AccessPrincipal)
CalFacadeException(org.bedework.calfacade.exc.CalFacadeException)
Aggregations
PrivilegeSet (org.bedework.access.PrivilegeSet)2
CalFacadeException (org.bedework.calfacade.exc.CalFacadeException)2
AccessPrincipal (org.bedework.access.AccessPrincipal)1
CurrentAccess (org.bedework.access.Acl.CurrentAccess)1
BwCalendar (org.bedework.calfacade.BwCalendar)1
BwPrincipal (org.bedework.calfacade.BwPrincipal)1
BwPrincipalInfo (org.bedework.calfacade.BwPrincipalInfo)1
BwString (org.bedework.calfacade.BwString)1
CalFacadeAccessException (org.bedework.calfacade.exc.CalFacadeAccessException)1
Directories (org.bedework.calfacade.ifs.Directories)1
BwCalSuite (org.bedework.calfacade.svc.BwCalSuite)1
BwCalSuiteWrapper (org.bedework.calfacade.svc.wrappers.BwCalSuiteWrapper)1
CalendarWrapper (org.bedework.calfacade.wrappers.CalendarWrapper)1
