Example 26 with Account
use of org.exist.security.Account in project exist by eXist-db.
the class RemoteUserManagementService method lockResource.
@Override
public void lockResource(final Resource res, final User u) throws XMLDBException {
final Account account = new UserAider(u.getName());
lockResource(res, account);
}Example 27 with Account
use of org.exist.security.Account in project exist by eXist-db.
the class RpcConnection method updateAccount.
/**
* Added by {Marco.Tampucci, Massimo.Martinelli} @isti.cnr.it
*
* modified by Chris Tomlinson based on above updateAccount - it appears
* that this code can rely on the SecurityManager to enforce policy about
* whether user is or is not permitted to update the Account with name.
*
* This is called via RemoteUserManagementService.removeGroup(Account,
* String)
*
* @param name username to update
* @param groups a list of groups
* @param rgroup the user will be removed from this group
* @return true, if the action succeeded
*/
public boolean updateAccount(final String name, final List<String> groups, final String rgroup) {
try {
return withDb((broker, transaction) -> {
final SecurityManager manager = broker.getBrokerPool().getSecurityManager();
final Account u = manager.getAccount(name);
for (final String g : groups) {
if (g.equals(rgroup)) {
u.remGroup(g);
}
}
return manager.updateAccount(u);
});
} catch (final EXistException | PermissionDeniedException ex) {
if (LOG.isDebugEnabled()) {
LOG.debug("removeGroup encountered error", ex);
}
return false;
}
}
Also used :
Account(org.exist.security.Account)
SecurityManager(org.exist.security.SecurityManager)
PermissionDeniedException(org.exist.security.PermissionDeniedException)
EXistException(org.exist.EXistException)
Example 28 with Account
use of org.exist.security.Account in project exist by eXist-db.
the class FindGroupFunction method eval.
@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
final DBBroker broker = getContext().getBroker();
final Subject currentUser = broker.getCurrentSubject();
if (!isCalledAs(qnGetUserGroups.getLocalPart()) && currentUser.getName().equals(SecurityManager.GUEST_USER)) {
throw new XPathException(this, "You must be an authenticated user");
}
final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
final Sequence result;
if (isCalledAs(qnGetUserPrimaryGroup.getLocalPart())) {
final String username = args[0].getStringValue();
result = new StringValue(securityManager.getAccount(username).getPrimaryGroup());
} else if (isCalledAs(qnGroupExists.getLocalPart())) {
final String groupName = args[0].getStringValue();
result = BooleanValue.valueOf(securityManager.hasGroup(groupName));
} else {
final List<String> groupNames;
if (isCalledAs(qnListGroups.getLocalPart())) {
groupNames = securityManager.findAllGroupNames();
} else if (isCalledAs(qnFindGroupsByGroupname.getLocalPart())) {
final String startsWith = args[0].getStringValue();
groupNames = securityManager.findGroupnamesWhereGroupnameStarts(startsWith);
} else if (isCalledAs(qnFindGroupsWhereGroupnameContains.getLocalPart())) {
final String fragment = args[0].getStringValue();
groupNames = securityManager.findGroupnamesWhereGroupnameContains(fragment);
} else if (isCalledAs(qnGetUserGroups.getLocalPart())) {
final String username = args[0].getStringValue();
if (!currentUser.hasDbaRole() && !currentUser.getName().equals(username)) {
throw new XPathException(this, "You must be a DBA or enquiring about your own user account!");
}
final Account user = securityManager.getAccount(username);
groupNames = Arrays.asList(user.getGroups());
} else {
throw new XPathException(this, "Unknown function");
}
// order a-z
Collections.sort(groupNames);
result = new ValueSequence();
for (final String groupName : groupNames) {
result.add(new StringValue(groupName));
}
}
return result;
}
Also used :
Account(org.exist.security.Account)
DBBroker(org.exist.storage.DBBroker)
SecurityManager(org.exist.security.SecurityManager)
XPathException(org.exist.xquery.XPathException)
List(java.util.List)
Subject(org.exist.security.Subject)
Example 29 with Account
use of org.exist.security.Account in project exist by eXist-db.
the class AccountStatusFunction method eval.
@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
final DBBroker broker = getContext().getBroker();
final Subject currentUser = broker.getCurrentSubject();
final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
final String username = args[0].getStringValue();
if (isCalledAs(qnIsAccountEnabled.getLocalPart())) {
if (!currentUser.hasDbaRole() && !currentUser.getName().equals(username)) {
throw new XPathException("You must be a DBA or be enquiring about your own account!");
}
final Account account = securityManager.getAccount(username);
return (account == null) ? BooleanValue.FALSE : new BooleanValue(account.isEnabled());
} else if (isCalledAs(qnSetAccountEnabled.getLocalPart())) {
if (!currentUser.hasDbaRole()) {
throw new XPathException("You must be a DBA to change the status of an account!");
}
final boolean enable = args[1].effectiveBooleanValue();
final Account account = securityManager.getAccount(username);
account.setEnabled(enable);
try {
account.save(broker);
return Sequence.EMPTY_SEQUENCE;
} catch (final ConfigurationException | PermissionDeniedException ce) {
throw new XPathException(ce.getMessage(), ce);
}
} else {
throw new XPathException("Unknown function");
}
}
Also used :
Account(org.exist.security.Account)
DBBroker(org.exist.storage.DBBroker)
SecurityManager(org.exist.security.SecurityManager)
XPathException(org.exist.xquery.XPathException)
BooleanValue(org.exist.xquery.value.BooleanValue)
Subject(org.exist.security.Subject)
Example 30 with Account
use of org.exist.security.Account in project exist by eXist-db.
the class SecurityManagerImpl method processParameter.
@Override
public void processParameter(final DBBroker broker, final DocumentImpl document) throws ConfigurationException {
XmldbURI uri = document.getCollection().getURI();
final boolean isRemoved = uri.endsWith(SecurityManager.REMOVED_COLLECTION_URI);
if (isRemoved) {
uri = uri.removeLastSegment();
}
final boolean isAccount = uri.endsWith(SecurityManager.ACCOUNTS_COLLECTION_URI);
final boolean isGroup = uri.endsWith(SecurityManager.GROUPS_COLLECTION_URI);
if (isAccount || isGroup) {
uri = uri.removeLastSegment();
final String realmId = uri.lastSegment().toString();
final AbstractRealm realm = (AbstractRealm) findRealmForRealmId(realmId);
final Configuration conf = Configurator.parse(broker.getBrokerPool(), document);
Integer id = -1;
if (isRemoved) {
id = conf.getPropertyInteger("id");
}
final String name = conf.getProperty("name");
if (isAccount) {
if (isRemoved && id > 2 && !hasUser(id)) {
final AccountImpl account = new AccountImpl(realm, conf);
account.removed = true;
registerAccount(account);
} else if (name != null) {
if (realm.hasAccount(name)) {
final Integer oldId = saving.get(document.getURI());
final Integer newId = conf.getPropertyInteger("id");
if (!newId.equals(oldId)) {
final Account current = realm.getAccount(name);
try (final ManagedLock<ReadWriteLock> lock = ManagedLock.acquire(accountLocks.getLock(current), LockMode.WRITE_LOCK)) {
usersById.write(principalDb -> {
principalDb.remove(oldId);
principalDb.put(newId, current);
});
}
}
} else {
final Account account = new AccountImpl(realm, conf);
if (account.getGroups().length == 0) {
try {
account.setPrimaryGroup(realm.getGroup(SecurityManager.UNKNOWN_GROUP));
LOG.warn("Account '{}' has no groups, but every account must have at least 1 group. Assigned group: " + SecurityManager.UNKNOWN_GROUP, account.getName());
} catch (final PermissionDeniedException e) {
throw new ConfigurationException("Account has no group, unable to default to " + SecurityManager.UNKNOWN_GROUP + ": " + e.getMessage(), e);
}
}
registerAccount(account);
realm.registerAccount(account);
}
} else {
// this can't be! log any way
LOG.error("Account '{}' already exists in realm: '{}', but received notification that a new one was created.", name, realmId);
}
} else if (isGroup) {
if (isRemoved && id > 2 && !hasGroup(id)) {
final GroupImpl group = new GroupImpl(realm, conf);
group.removed = true;
registerGroup(group);
} else if (name != null && !realm.hasGroup(name)) {
final GroupImpl group = new GroupImpl(realm, conf);
registerGroup(group);
realm.registerGroup(group);
} else {
// this can't be! log any way
LOG.error("Group '{}' already exists in realm: '{}', but received notification that a new one was created.", name, realmId);
}
}
saving.remove(document.getURI());
}
}
Also used :
LockMode(org.exist.storage.lock.Lock.LockMode)
Txn(org.exist.storage.txn.Txn)
BrokerPool(org.exist.storage.BrokerPool)
ConfigurationException(org.exist.config.ConfigurationException)
BiFunction(java.util.function.BiFunction)
JobDescription(org.exist.scheduler.JobDescription)
PermissionDeniedException(org.exist.security.PermissionDeniedException)
ConcurrentValueWrapper(org.exist.util.ConcurrentValueWrapper)
Configuration(org.exist.config.Configuration)
Configurator(org.exist.config.Configurator)
Map(java.util.Map)
SchemaType(org.exist.security.SchemaType)
Collection(org.exist.collections.Collection)
ReadWriteLock(java.util.concurrent.locks.ReadWriteLock)
JobExecutionContext(org.quartz.JobExecutionContext)
Int2ObjectOpenHashMap(it.unimi.dsi.fastutil.ints.Int2ObjectOpenHashMap)
AbstractRealm(org.exist.security.AbstractRealm)
AuthenticationException(org.exist.security.AuthenticationException)
GroupAider(org.exist.security.internal.aider.GroupAider)
Session(org.exist.security.Session)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
AtomicLazyVal(com.evolvedbinary.j8fu.lazy.AtomicLazyVal)
Collectors(java.util.stream.Collectors)
SecurityManager(org.exist.security.SecurityManager)
List(java.util.List)
Logger(org.apache.logging.log4j.Logger)
Principal(org.exist.security.Principal)
ManagedLock(org.exist.storage.lock.ManagedLock)
JobDataMap(org.quartz.JobDataMap)
Realm(org.exist.security.realm.Realm)
WeakLazyStripes(org.exist.util.WeakLazyStripes)
ThreadSafe(net.jcip.annotations.ThreadSafe)
HashMap(java.util.HashMap)
ReentrantReadWriteLock(java.util.concurrent.locks.ReentrantReadWriteLock)
ArrayList(java.util.ArrayList)
Account(org.exist.security.Account)
Subject(org.exist.security.Subject)
BrokerPoolServiceException(org.exist.storage.BrokerPoolServiceException)
XmldbURI(org.exist.xmldb.XmldbURI)
SimpleTrigger(org.quartz.SimpleTrigger)
DocumentImpl(org.exist.dom.persistent.DocumentImpl)
EXistException(org.exist.EXistException)
Permission(org.exist.security.Permission)
Database(org.exist.Database)
Properties(java.util.Properties)
Group(org.exist.security.Group)
BrokerPoolService(org.exist.storage.BrokerPoolService)
org.exist.config.annotation(org.exist.config.annotation)
DBBroker(org.exist.storage.DBBroker)
Int2ObjectMap(it.unimi.dsi.fastutil.ints.Int2ObjectMap)
LogManager(org.apache.logging.log4j.LogManager)
Account(org.exist.security.Account)
Configuration(org.exist.config.Configuration)
AbstractRealm(org.exist.security.AbstractRealm)
ManagedLock(org.exist.storage.lock.ManagedLock)
ConfigurationException(org.exist.config.ConfigurationException)
PermissionDeniedException(org.exist.security.PermissionDeniedException)
XmldbURI(org.exist.xmldb.XmldbURI)
Aggregations
Account (org.exist.security.Account)60
PermissionDeniedException (org.exist.security.PermissionDeniedException)18
SecurityManager (org.exist.security.SecurityManager)17
EXistException (org.exist.EXistException)12
XMLDBException (org.xmldb.api.base.XMLDBException)11
Group (org.exist.security.Group)10
Collection (org.xmldb.api.base.Collection)10
AuthenticationException (org.exist.security.AuthenticationException)9
DBBroker (org.exist.storage.DBBroker)9
AbstractAccount (org.exist.security.AbstractAccount)7
CollectionManagementService (org.xmldb.api.modules.CollectionManagementService)7
Txn (org.exist.storage.txn.Txn)6
DocumentImpl (org.exist.dom.persistent.DocumentImpl)5
Subject (org.exist.security.Subject)5
UserAider (org.exist.security.internal.aider.UserAider)5
UserManagementService (org.exist.xmldb.UserManagementService)5
Permission (org.exist.security.Permission)4
XPathException (org.exist.xquery.XPathException)4
Before (org.junit.Before)4
Test (org.junit.Test)4
