Example 11 with Group

use of org.exist.security.Group in project exist by eXist-db.

the class RpcConnection method getGroup.

@Override
public Map<String, Object> getGroup(final String name) throws EXistException, PermissionDeniedException {
    return withDb((broker, transaction) -> {
        final SecurityManager securityManager = factory.getBrokerPool().getSecurityManager();
        final Group group = securityManager.getGroup(name);
        if (group != null) {
            final Map<String, Object> map = new HashMap<>();
            map.put("id", group.getId());
            map.put("realmId", group.getRealmId());
            map.put("name", name);
            final List<Account> groupManagers = group.getManagers();
            final List<String> managers = new ArrayList<>(groupManagers.size());
            for (final Account groupManager : groupManagers) {
                managers.add(groupManager.getName());
            }
            map.put("managers", managers);
            final Map<String, String> metadata = new HashMap<>();
            for (final SchemaType key : group.getMetadataKeys()) {
                metadata.put(key.getNamespace(), group.getMetadataValue(key));
            }
            map.put("metadata", metadata);
            return map;
        }
        return null;
    });
}
Also used : Group(org.exist.security.Group) Account(org.exist.security.Account) SecurityManager(org.exist.security.SecurityManager) EXistSchemaType(org.exist.security.EXistSchemaType) SchemaType(org.exist.security.SchemaType) AXSchemaType(org.exist.security.AXSchemaType)

Example 12 with Group

use of org.exist.security.Group in project exist by eXist-db.

the class RpcConnection method setUserPrimaryGroup.

@Override
public boolean setUserPrimaryGroup(final String username, final String groupName) throws EXistException, PermissionDeniedException {
    final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
    if (!manager.hasGroup(groupName)) {
        throw new EXistException("Group '" + groupName + "' does not exist!");
    }
    if (!manager.hasAdminPrivileges(user)) {
        throw new PermissionDeniedException("Not allowed to modify user");
    }
    withDb((broker, transaction) -> {
        final Account account = manager.getAccount(username);
        final Group group = manager.getGroup(groupName);
        account.setPrimaryGroup(group);
        manager.updateAccount(account);
        return null;
    });
    return true;
}
Also used : Account(org.exist.security.Account) Group(org.exist.security.Group) SecurityManager(org.exist.security.SecurityManager) PermissionDeniedException(org.exist.security.PermissionDeniedException) EXistException(org.exist.EXistException)

Example 13 with Group

use of org.exist.security.Group in project exist by eXist-db.

the class RpcConnection method addGroup.

@Override
public boolean addGroup(final String name, final Map<String, String> metadata) throws EXistException, PermissionDeniedException {
    final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
    if (!manager.hasGroup(name)) {
        if (!manager.hasAdminPrivileges(user)) {
            throw new PermissionDeniedException("Not allowed to create group");
        }
        final Group role = new GroupAider(name);
        for (final Map.Entry<String, String> m : metadata.entrySet()) {
            if (AXSchemaType.valueOfNamespace(m.getKey()) != null) {
                role.setMetadataValue(AXSchemaType.valueOfNamespace(m.getKey()), m.getValue());
            } else if (EXistSchemaType.valueOfNamespace(m.getKey()) != null) {
                role.setMetadataValue(EXistSchemaType.valueOfNamespace(m.getKey()), m.getValue());
            }
        }
        withDb((broker, transaction) -> manager.addGroup(broker, role));
        return true;
    }
    return false;
}
Also used : Group(org.exist.security.Group) SecurityManager(org.exist.security.SecurityManager) PermissionDeniedException(org.exist.security.PermissionDeniedException) GroupAider(org.exist.security.internal.aider.GroupAider) LockedDocumentMap(org.exist.storage.lock.LockedDocumentMap)
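In setUserPrimaryGroup above, manager.hasGroup(groupName) runs before manager.hasAdminPrivileges(user), and in addGroup the admin check is only reached when the group does not already exist, so a caller without admin privileges can tell existing group names from non-existing ones by which exception (or return value) it receives. setUserPrimaryGroup also uses the result of manager.getAccount(username) without a null check. The following is an added example, not eXist's code, showing the same operation with the authorization check first and both lookups null-checked. It assumes the SecurityManager methods exactly as they appear in the examples above, types the caller as Subject (the page does not show the type of RpcConnection's user field), and leaves out the withDb transaction wrapper.

```java
import org.exist.EXistException;
import org.exist.security.Account;
import org.exist.security.Group;
import org.exist.security.PermissionDeniedException;
import org.exist.security.SecurityManager;
import org.exist.security.Subject;

// Added example, not eXist's code: the same operation as setUserPrimaryGroup, but with
// the authorization check first so that an unprivileged caller learns nothing about
// which groups or accounts exist, and with the account and group lookups null-checked.
public final class PrimaryGroupUpdater {

    private final SecurityManager manager;
    private final Subject caller;   // assumption: the RPC caller, like RpcConnection's `user` field

    public PrimaryGroupUpdater(final SecurityManager manager, final Subject caller) {
        this.manager = manager;
        this.caller = caller;
    }

    public boolean setUserPrimaryGroup(final String username, final String groupName)
            throws EXistException, PermissionDeniedException {
        // 1) authorization before any lookup: a non-admin always gets the same exception,
        //    whatever the group or user name was
        if (!manager.hasAdminPrivileges(caller)) {
            throw new PermissionDeniedException("Not allowed to modify user");
        }
        // 2) existence checks only once the caller is known to be an admin
        final Account account = manager.getAccount(username);
        if (account == null) {          // unknown user: report it instead of a NullPointerException
            throw new EXistException("Account '" + username + "' does not exist!");
        }
        final Group group = manager.getGroup(groupName);
        if (group == null) {            // one lookup replaces hasGroup() followed by getGroup()
            throw new EXistException("Group '" + groupName + "' does not exist!");
        }
        account.setPrimaryGroup(group);
        // updateAccount returns a boolean (see refreshAccountFromLdap below); the original
        // discards it and returns true unconditionally
        return manager.updateAccount(account);
    }
}
```

The ordering matters because the two checks throw different exception types with different messages: whichever check runs first is the one an unauthenticated or unprivileged caller can probe.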

Example 14 with Group

use of org.exist.security.Group in project exist by eXist-db.

the class LDAPRealm method getGroupMembershipForLdapUser.

private List<Group> getGroupMembershipForLdapUser(final LdapContext ctx, final DBBroker broker, final SearchResult ldapUser) throws NamingException {
    final List<Group> memberOf_groups = new ArrayList<>();
    final LDAPSearchContext search = ensureContextFactory().getSearch();
    final String userDistinguishedName = (String) ldapUser.getAttributes().get(search.getSearchAccount().getSearchAttribute(LDAPSearchAttributeKey.DN)).get();
    final List<String> memberOf_groupNames = findGroupnamesForUserDistinguishedName(ctx, userDistinguishedName);
    for (final String memberOf_groupName : memberOf_groupNames) {
        memberOf_groups.add(getGroup(ctx, broker, memberOf_groupName));
    }
    // TODO expand to a general method that rewrites the useraider based on the realTransformation
    if (ensureContextFactory().getTransformationContext() != null) {
        final List<String> additionalGroupNames = ensureContextFactory().getTransformationContext().getAdditionalGroups();
        if (additionalGroupNames != null) {
            for (final String additionalGroupName : additionalGroupNames) {
                final Group additionalGroup = getSecurityManager().getGroup(additionalGroupName);
                if (additionalGroup != null) {
                    memberOf_groups.add(additionalGroup);
                }
            }
        }
    }
    return memberOf_groups;
}
Also used : Group(org.exist.security.Group) ArrayList(java.util.ArrayList)
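getGroupMembershipForLdapUser reads the user's DN from an LDAP attribute and passes it to findGroupnamesForUserDistinguishedName, which the page does not show. A DN read back from the directory can contain characters that are special in LDAP search filters ('(', ')', '*', '\'), so a lookup of this kind should not build its filter by string concatenation. The following is an added example, not eXist's code, of one way to write such a lookup: the DN goes through JNDI's filterArgs ({0}), which escapes filter metacharacters, and only the attribute names are concatenated, on the assumption that they come from configuration the way LDAPSearchContext supplies them. The search base, group object class and attribute names are parameters of the example, not values taken from the project.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;

// Added example, not eXist's code: resolve the names of the groups that list a user's DN
// as a member, with the DN passed as a filter argument instead of concatenated.
public final class LdapGroupLookup {

    /**
     * Returns the values of nameAttribute for every entry of groupObjectClass under
     * searchBase whose memberAttribute contains userDn.
     *
     * Assumption: searchBase, groupObjectClass, memberAttribute and nameAttribute come
     * from the realm's configuration, not from the user or the directory entry.
     */
    public static List<String> groupNamesForMember(final LdapContext ctx, final String searchBase,
            final String groupObjectClass, final String memberAttribute, final String nameAttribute,
            final String userDn) throws NamingException {

        final SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] { nameAttribute });

        // {0} is substituted by JNDI with the RFC 4515 escaped form of userDn, so a DN such as
        // "CN=Smith\, John (Ext),OU=Users,DC=example,DC=org" cannot alter the filter structure.
        final String filter = "(&(objectClass=" + groupObjectClass + ")(" + memberAttribute + "={0}))";

        final List<String> names = new ArrayList<>();
        final NamingEnumeration<SearchResult> results =
                ctx.search(searchBase, filter, new Object[] { userDn }, controls);
        try {
            while (results.hasMore()) {
                final Attribute name = results.next().getAttributes().get(nameAttribute);
                if (name != null) {
                    names.add((String) name.get());
                }
            }
        } finally {
            results.close();
        }
        return names;
    }
}
```

If the directory is Active Directory and searchBase spans referrals, hasMore() may throw PartialResultException; handling that is a configuration question (Context.REFERRAL) rather than part of the escaping point shown here.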

Example 15 with Group

use of org.exist.security.Group in project exist by eXist-db.

the class LDAPRealm method refreshAccountFromLdap.

public Account refreshAccountFromLdap(final Account account) throws PermissionDeniedException, AuthenticationException {
    final int UPDATE_NONE = 0;
    final int UPDATE_GROUP = 1;
    final int UPDATE_METADATA = 2;
    final Subject invokingUser = getSecurityManager().getCurrentSubject();
    if (!invokingUser.hasDbaRole() && invokingUser.getId() != account.getId()) {
        throw new PermissionDeniedException("You do not have permission to modify the account");
    }
    LdapContext ctx = null;
    try {
        ctx = getContext(invokingUser);
        final SearchResult ldapUser = findAccountByAccountName(ctx, account.getName());
        if (ldapUser == null) {
            throw new AuthenticationException(AuthenticationException.ACCOUNT_NOT_FOUND, "Could not find the account in the LDAP");
        }
        return executeAsSystemUser(ctx, (ctx2, broker) -> {
            int update = UPDATE_NONE;
            // 1) get the ldap group membership
            final List<Group> memberOf_groups = getGroupMembershipForLdapUser(ctx2, broker, ldapUser);
            // 2) get the ldap primary group
            final String primaryGroup = findGroupBySID(ctx2, getPrimaryGroupSID(ldapUser));
            // append the ldap primaryGroup to the head of the ldap group list, and compare
            // to the account group list
            memberOf_groups.add(0, getGroup(ctx2, broker, primaryGroup));
            final String[] accountGroups = account.getGroups();
            if (!accountGroups[0].equals(ensureCase(primaryGroup))) {
                update |= UPDATE_GROUP;
            } else {
                if (accountGroups.length != memberOf_groups.size()) {
                    update |= UPDATE_GROUP;
                } else {
                    for (final String accountGroup : accountGroups) {
                        boolean found = false;
                        for (final Group memberOf_group : memberOf_groups) {
                            if (accountGroup.equals(ensureCase(memberOf_group.getName()))) {
                                found = true;
                                break;
                            }
                        }
                        if (!found) {
                            update |= UPDATE_GROUP;
                            break;
                        }
                    }
                }
            }
            // 3) check metadata
            final List<SimpleEntry<AXSchemaType, String>> ldapMetadatas = getMetadataForLdapUser(ldapUser);
            final Set<SchemaType> accountMetadataKeys = account.getMetadataKeys();
            if (accountMetadataKeys.size() != ldapMetadatas.size()) {
                update |= UPDATE_METADATA;
            } else {
                for (SchemaType accountMetadataKey : accountMetadataKeys) {
                    final String accountMetadataValue = account.getMetadataValue(accountMetadataKey);
                    boolean found = false;
                    for (SimpleEntry<AXSchemaType, String> ldapMetadata : ldapMetadatas) {
                        if (accountMetadataKey.equals(ldapMetadata.getKey()) && accountMetadataValue.equals(ldapMetadata.getValue())) {
                            found = true;
                            break;
                        }
                    }
                    if (!found) {
                        update |= UPDATE_METADATA;
                        break;
                    }
                }
            }
            // update the groups?
            if ((update & UPDATE_GROUP) == UPDATE_GROUP) {
                try {
                    final Field fld = account.getClass().getSuperclass().getDeclaredField("groups");
                    fld.setAccessible(true);
                    fld.set(account, memberOf_groups);
                } catch (final NoSuchFieldException | IllegalAccessException nsfe) {
                    throw new EXistException(nsfe.getMessage(), nsfe);
                }
            }
            // update the metdata?
            if ((update & UPDATE_METADATA) == UPDATE_METADATA) {
                account.clearMetadata();
                for (final SimpleEntry<AXSchemaType, String> ldapMetadata : ldapMetadatas) {
                    account.setMetadataValue(ldapMetadata.getKey(), ldapMetadata.getValue());
                }
            }
            if (update != UPDATE_NONE) {
                final boolean updated = getSecurityManager().updateAccount(account);
                if (!updated) {
                    LOG.error("Could not update account");
                }
            }
            return account;
        });
    } catch (final NamingException | EXistException ne) {
        throw new AuthenticationException(AuthenticationException.UNNOWN_EXCEPTION, ne.getMessage(), ne);
    } finally {
        LdapUtils.closeContext(ctx);
    }
}
Also used : Group(org.exist.security.Group) AuthenticationException(org.exist.security.AuthenticationException) SimpleEntry(java.util.AbstractMap.SimpleEntry) SearchResult(javax.naming.directory.SearchResult) EXistException(org.exist.EXistException) Subject(org.exist.security.Subject) SchemaType(org.exist.security.SchemaType) AXSchemaType(org.exist.security.AXSchemaType) Field(java.lang.reflect.Field) PermissionDeniedException(org.exist.security.PermissionDeniedException) NamingException(javax.naming.NamingException) LdapContext(javax.naming.ldap.LdapContext) AXSchemaType(org.exist.security.AXSchemaType)
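refreshAccountFromLdap above compares the account's stored groups and metadata with what LDAP currently reports and sets bits in `update` accordingly. Two details are worth noting before reusing that logic: accountGroups[0] throws ArrayIndexOutOfBoundsException if the stored account has no groups, and accountMetadataValue.equals(...) throws NullPointerException if a stored metadata value is null. Separately, the group update is written with reflection into the private groups field of the account's superclass (AbstractAccount), which bypasses the Account API and depends on that field name staying the same. The following is an added example, not eXist's code, of the same drift check on plain strings with those edge cases handled. It assumes ensureCase folds names to lower case (the page shows the call but not its body) and represents metadata as a Map rather than the page's SchemaType entries.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example, not eXist's code: decide whether an account's stored groups and metadata
// have drifted from LDAP, using the same UPDATE_* bit flags as refreshAccountFromLdap.
public final class AccountDrift {

    static final int UPDATE_NONE = 0;
    static final int UPDATE_GROUP = 1;
    static final int UPDATE_METADATA = 2;

    // Assumption: ensureCase lower-cases group names; the page does not show its body.
    static String ensureCase(final String s) {
        return s == null ? null : s.toLowerCase(Locale.ROOT);
    }

    /** Stored groups (primary first) vs. the LDAP primary group followed by LDAP membership. */
    static boolean groupsDiffer(final String[] stored, final String ldapPrimary, final List<String> ldapMembers) {
        if (stored == null || stored.length == 0) {
            return true;                       // nothing on record: refresh instead of indexing stored[0]
        }
        if (!stored[0].equals(ensureCase(ldapPrimary))) {
            return true;                       // the primary group must be first
        }
        final Set<String> expected = new LinkedHashSet<>();
        expected.add(ensureCase(ldapPrimary));
        for (final String g : ldapMembers) {
            expected.add(ensureCase(g));
        }
        // set equality tolerates duplicates and reordering among the secondary groups,
        // which the original's size check plus linear scan does not
        return !new LinkedHashSet<>(Arrays.asList(stored)).equals(expected);
    }

    /** Stored metadata vs. LDAP metadata; a null stored value counts as a mismatch, not an NPE. */
    static boolean metadataDiffer(final Map<String, String> stored, final Map<String, String> ldap) {
        if (stored.size() != ldap.size()) {
            return true;
        }
        for (final Map.Entry<String, String> e : stored.entrySet()) {
            final String ldapValue = ldap.get(e.getKey());
            if (ldapValue == null || !ldapValue.equals(e.getValue())) {
                return true;
            }
        }
        return false;
    }

    static int updatesNeeded(final String[] storedGroups, final String ldapPrimary, final List<String> ldapMembers,
                             final Map<String, String> storedMeta, final Map<String, String> ldapMeta) {
        int update = UPDATE_NONE;
        if (groupsDiffer(storedGroups, ldapPrimary, ldapMembers)) {
            update |= UPDATE_GROUP;
        }
        if (metadataDiffer(storedMeta, ldapMeta)) {
            update |= UPDATE_METADATA;
        }
        return update;
    }

    public static void main(final String[] args) {
        // constructed sample: primary group unchanged, LDAP reports one extra group, metadata identical
        final String[] stored = { "domain users", "developers" };
        final Map<String, String> meta = Collections.singletonMap("email", "a@example.org");
        final int update = updatesNeeded(stored, "Domain Users",
                Arrays.asList("Developers", "Auditors"), meta, meta);
        System.out.println(update == UPDATE_GROUP ? "groups need refresh" : "unexpected flags: " + update);
    }
}
```

Applying the group change through the account's own group methods rather than a reflective field write keeps whatever checks those methods perform (the page's Account API is not shown in full, so no call is suggested here) and removes the dependency on the superclass's private field name.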

Aggregations

Group (org.exist.security.Group): 23
Account (org.exist.security.Account): 9
PermissionDeniedException (org.exist.security.PermissionDeniedException): 9
AuthenticationException (org.exist.security.AuthenticationException): 6
SecurityManager (org.exist.security.SecurityManager): 6
XMLDBException (org.xmldb.api.base.XMLDBException): 6
EXistException (org.exist.EXistException): 5
NamingException (javax.naming.NamingException): 4
AXSchemaType (org.exist.security.AXSchemaType): 4
SchemaType (org.exist.security.SchemaType): 4
GroupAider (org.exist.security.internal.aider.GroupAider): 4
IOException (java.io.IOException): 2
ArrayList (java.util.ArrayList): 2
SearchResult (javax.naming.directory.SearchResult): 2
LdapContext (javax.naming.ldap.LdapContext): 2
XMLStreamException (javax.xml.stream.XMLStreamException): 2
ConfigurationException (org.exist.config.ConfigurationException): 2
AbstractAccount (org.exist.security.AbstractAccount): 2
Permission (org.exist.security.Permission): 2
Subject (org.exist.security.Subject): 2