Example 26 with Account

Use of org.exist.security.Account in the project exist by eXist-db.

From the class RemoteUserManagementService, method lockResource.

@Override
public void lockResource(final Resource res, final User u) throws XMLDBException {
    final Account account = new UserAider(u.getName());
    lockResource(res, account);
}
Also used: Account (org.exist.security.Account), UserAider (org.exist.security.internal.aider.UserAider)

Example 27 with Account

Use of org.exist.security.Account in the project exist by eXist-db.

From the class RpcConnection, method updateAccount.

/**
 * Added by {Marco.Tampucci, Massimo.Martinelli} @isti.cnr.it
 *
 * modified by Chris Tomlinson based on above updateAccount - it appears
 * that this code can rely on the SecurityManager to enforce policy about
 * whether user is or is not permitted to update the Account with name.
 *
 * This is called via RemoteUserManagementService.removeGroup(Account,
 * String)
 *
 * @param name username to update
 * @param groups a list of groups
 * @param rgroup the user will be removed from this group
 * @return true, if the action succeeded
 */
public boolean updateAccount(final String name, final List<String> groups, final String rgroup) {
    try {
        return withDb((broker, transaction) -> {
            final SecurityManager manager = broker.getBrokerPool().getSecurityManager();
            final Account u = manager.getAccount(name);
            for (final String g : groups) {
                if (g.equals(rgroup)) {
                    u.remGroup(g);
                }
            }
            return manager.updateAccount(u);
        });
    } catch (final EXistException | PermissionDeniedException ex) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("removeGroup encountered error", ex);
        }
        return false;
    }
}
Also used: Account (org.exist.security.Account), SecurityManager (org.exist.security.SecurityManager), PermissionDeniedException (org.exist.security.PermissionDeniedException), EXistException (org.exist.EXistException)

Example 28 with Account

Use of org.exist.security.Account in the project exist by eXist-db.

From the class FindGroupFunction, method eval.

@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    final DBBroker broker = getContext().getBroker();
    final Subject currentUser = broker.getCurrentSubject();
    if (!isCalledAs(qnGetUserGroups.getLocalPart()) && currentUser.getName().equals(SecurityManager.GUEST_USER)) {
        throw new XPathException(this, "You must be an authenticated user");
    }
    final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
    final Sequence result;
    if (isCalledAs(qnGetUserPrimaryGroup.getLocalPart())) {
        final String username = args[0].getStringValue();
        result = new StringValue(securityManager.getAccount(username).getPrimaryGroup());
    } else if (isCalledAs(qnGroupExists.getLocalPart())) {
        final String groupName = args[0].getStringValue();
        result = BooleanValue.valueOf(securityManager.hasGroup(groupName));
    } else {
        final List<String> groupNames;
        if (isCalledAs(qnListGroups.getLocalPart())) {
            groupNames = securityManager.findAllGroupNames();
        } else if (isCalledAs(qnFindGroupsByGroupname.getLocalPart())) {
            final String startsWith = args[0].getStringValue();
            groupNames = securityManager.findGroupnamesWhereGroupnameStarts(startsWith);
        } else if (isCalledAs(qnFindGroupsWhereGroupnameContains.getLocalPart())) {
            final String fragment = args[0].getStringValue();
            groupNames = securityManager.findGroupnamesWhereGroupnameContains(fragment);
        } else if (isCalledAs(qnGetUserGroups.getLocalPart())) {
            final String username = args[0].getStringValue();
            if (!currentUser.hasDbaRole() && !currentUser.getName().equals(username)) {
                throw new XPathException(this, "You must be a DBA or enquiring about your own user account!");
            }
            final Account user = securityManager.getAccount(username);
            groupNames = Arrays.asList(user.getGroups());
        } else {
            throw new XPathException(this, "Unknown function");
        }
        // order a-z
        Collections.sort(groupNames);
        result = new ValueSequence();
        for (final String groupName : groupNames) {
            result.add(new StringValue(groupName));
        }
    }
    return result;
}
Also used: Account (org.exist.security.Account), DBBroker (org.exist.storage.DBBroker), SecurityManager (org.exist.security.SecurityManager), XPathException (org.exist.xquery.XPathException), List (java.util.List), Subject (org.exist.security.Subject)

Example 29 with Account

Use of org.exist.security.Account in the project exist by eXist-db.

From the class AccountStatusFunction, method eval.

@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    final DBBroker broker = getContext().getBroker();
    final Subject currentUser = broker.getCurrentSubject();
    final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
    final String username = args[0].getStringValue();
    if (isCalledAs(qnIsAccountEnabled.getLocalPart())) {
        if (!currentUser.hasDbaRole() && !currentUser.getName().equals(username)) {
            throw new XPathException("You must be a DBA or be enquiring about your own account!");
        }
        final Account account = securityManager.getAccount(username);
        return (account == null) ? BooleanValue.FALSE : new BooleanValue(account.isEnabled());
    } else if (isCalledAs(qnSetAccountEnabled.getLocalPart())) {
        if (!currentUser.hasDbaRole()) {
            throw new XPathException("You must be a DBA to change the status of an account!");
        }
        final boolean enable = args[1].effectiveBooleanValue();
        final Account account = securityManager.getAccount(username);
        account.setEnabled(enable);
        try {
            account.save(broker);
            return Sequence.EMPTY_SEQUENCE;
        } catch (final ConfigurationException | PermissionDeniedException ce) {
            throw new XPathException(ce.getMessage(), ce);
        }
    } else {
        throw new XPathException("Unknown function");
    }
}
Also used: Account (org.exist.security.Account), DBBroker (org.exist.storage.DBBroker), SecurityManager (org.exist.security.SecurityManager), XPathException (org.exist.xquery.XPathException), BooleanValue (org.exist.xquery.value.BooleanValue), Subject (org.exist.security.Subject)

Example 30 with Account

Use of org.exist.security.Account in the project exist by eXist-db.

From the class SecurityManagerImpl, method processParameter.

@Override
public void processParameter(final DBBroker broker, final DocumentImpl document) throws ConfigurationException {
    XmldbURI uri = document.getCollection().getURI();
    final boolean isRemoved = uri.endsWith(SecurityManager.REMOVED_COLLECTION_URI);
    if (isRemoved) {
        uri = uri.removeLastSegment();
    }
    final boolean isAccount = uri.endsWith(SecurityManager.ACCOUNTS_COLLECTION_URI);
    final boolean isGroup = uri.endsWith(SecurityManager.GROUPS_COLLECTION_URI);
    if (isAccount || isGroup) {
        uri = uri.removeLastSegment();
        final String realmId = uri.lastSegment().toString();
        final AbstractRealm realm = (AbstractRealm) findRealmForRealmId(realmId);
        final Configuration conf = Configurator.parse(broker.getBrokerPool(), document);
        Integer id = -1;
        if (isRemoved) {
            id = conf.getPropertyInteger("id");
        }
        final String name = conf.getProperty("name");
        if (isAccount) {
            if (isRemoved && id > 2 && !hasUser(id)) {
                final AccountImpl account = new AccountImpl(realm, conf);
                account.removed = true;
                registerAccount(account);
            } else if (name != null) {
                if (realm.hasAccount(name)) {
                    final Integer oldId = saving.get(document.getURI());
                    final Integer newId = conf.getPropertyInteger("id");
                    if (!newId.equals(oldId)) {
                        final Account current = realm.getAccount(name);
                        try (final ManagedLock<ReadWriteLock> lock = ManagedLock.acquire(accountLocks.getLock(current), LockMode.WRITE_LOCK)) {
                            usersById.write(principalDb -> {
                                principalDb.remove(oldId);
                                principalDb.put(newId, current);
                            });
                        }
                    }
                } else {
                    final Account account = new AccountImpl(realm, conf);
                    if (account.getGroups().length == 0) {
                        try {
                            account.setPrimaryGroup(realm.getGroup(SecurityManager.UNKNOWN_GROUP));
                            LOG.warn("Account '{}' has no groups, but every account must have at least 1 group. Assigned group: " + SecurityManager.UNKNOWN_GROUP, account.getName());
                        } catch (final PermissionDeniedException e) {
                            throw new ConfigurationException("Account has no group, unable to default to " + SecurityManager.UNKNOWN_GROUP + ": " + e.getMessage(), e);
                        }
                    }
                    registerAccount(account);
                    realm.registerAccount(account);
                }
            } else {
                // this can't be! log any way
                LOG.error("Account '{}' already exists in realm: '{}', but received notification that a new one was created.", name, realmId);
            }
        } else if (isGroup) {
            if (isRemoved && id > 2 && !hasGroup(id)) {
                final GroupImpl group = new GroupImpl(realm, conf);
                group.removed = true;
                registerGroup(group);
            } else if (name != null && !realm.hasGroup(name)) {
                final GroupImpl group = new GroupImpl(realm, conf);
                registerGroup(group);
                realm.registerGroup(group);
            } else {
                // this can't be! log any way
                LOG.error("Group '{}' already exists in realm: '{}', but received notification that a new one was created.", name, realmId);
            }
        }
        saving.remove(document.getURI());
    }
}