
Example 46 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

Class SetPrincipalMetadataFunction, method eval().

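/**
 * Sets a metadata attribute on an account or a group, depending on which function
 * name this instance was called as ({@code qnSetAccountMetadata} or
 * {@code qnSetGroupMetadata}).
 *
 * <p>Authorization, in order:
 * <ul>
 *   <li>the guest user is rejected outright;</li>
 *   <li>account metadata may be set by a DBA, or by a user on their own account;</li>
 *   <li>group metadata may be set by a DBA or by a manager of that group, and only for a
 *       namespace listed in {@code GetPrincipalMetadataFunction.GROUP_METADATA_KEYS}.</li>
 * </ul>
 *
 * @param args {@code args[0]} principal name, {@code args[1]} metadata attribute namespace,
 *             {@code args[2]} the value to store
 * @param contextSequence unused
 * @return the empty sequence
 * @throws XPathException if the caller is not permitted, the principal does not exist, the
 *         group metadata key is not valid, or the function name is unknown
 */
@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    final DBBroker broker = getContext().getBroker();
    final Subject currentUser = broker.getCurrentSubject();
    if (currentUser.getName().equals(SecurityManager.GUEST_USER)) {
        throw new XPathException(this, "You must be an authenticated user");
    }
    final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
    final String strPrincipal = args[0].getStringValue();
    final String metadataAttributeNamespace = args[1].getStringValue();
    final String value = args[2].getStringValue();

    final Principal principal;
    if (isCalledAs(qnSetAccountMetadata.getLocalPart())) {
        // Authorization is decided on the caller's identity alone, before any lookup, so a
        // non-DBA cannot use this function to probe for other account names.
        if (!currentUser.hasDbaRole() && !currentUser.getUsername().equals(strPrincipal)) {
            throw new XPathException(this, new PermissionDeniedException("You must have suitable access rights to modify the users metadata."));
        }
        final Principal account = securityManager.getAccount(strPrincipal);
        if (account == null) {
            // Previously an unknown username reached setAccountMetadata with a null principal.
            throw new XPathException(this, "The user account with username " + strPrincipal + " does not exist.");
        }
        // NOTE(review): unlike the group branch, the namespace is not validated here against
        // a key whitelist; presumably setAccountMetadata does so - confirm.
        principal = account;
    } else if (isCalledAs(qnSetGroupMetadata.getLocalPart())) {
        // Only a whitelisted namespace may be stored on a group.
        boolean valid = false;
        for (final SchemaType groupMetadataKey : GetPrincipalMetadataFunction.GROUP_METADATA_KEYS) {
            if (groupMetadataKey.getNamespace().equals(metadataAttributeNamespace)) {
                valid = true;
                break;
            }
        }
        if (!valid) {
            throw new XPathException(this, "The metadata attribute key '" + metadataAttributeNamespace + "' is not valid on a group.");
        }
        final Group group = securityManager.getGroup(strPrincipal);
        if (group == null) {
            // Previously an unknown group name dereferenced null in group.isManager(...).
            throw new XPathException(this, "The user group with name " + strPrincipal + " does not exist.");
        }
        if (!currentUser.hasDbaRole() && !group.isManager(currentUser)) {
            throw new XPathException(this, new PermissionDeniedException("You must have suitable access rights to modify the groups metadata."));
        }
        principal = group;
    } else {
        throw new XPathException(this, "Unknown function");
    }
    setAccountMetadata(securityManager, principal, metadataAttributeNamespace, value);
    return Sequence.EMPTY_SEQUENCE;
}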

Example 47 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

Class AccountManagementFunction, method eval().

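/**
 * Implements the account-management functions {@code remove-account}, {@code passwd},
 * {@code passwd-hash} and {@code create-account}, dispatching on the name this instance
 * was called as.
 *
 * <p>Authorization:
 * <ul>
 *   <li>remove-account and create-account require the DBA role;</li>
 *   <li>passwd / passwd-hash may be used by a DBA for any account, or by a user for their
 *       own account.</li>
 * </ul>
 *
 * @param args {@code args[0]} is always the username; {@code args[1]} the password (for
 *             passwd-hash, the credential material to store); for create-account the
 *             remaining arguments are the group(s) and an optional full name and description
 * @param contextSequence unused
 * @return the empty sequence
 * @throws XPathException on an authorization failure, a missing or duplicate account, an
 *         unknown function name, or any security-manager error (wrapped)
 */
@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    final DBBroker broker = getContext().getBroker();
    final Subject currentUser = broker.getCurrentSubject();
    final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
    final String username = args[0].getStringValue();
    try {
        if (isCalledAs(qnRemoveAccount.getLocalPart())) {
            doRemoveAccount(securityManager, currentUser, username);
        } else {
            // Every remaining function takes the password as its second argument. It is a
            // secret: never include it in an error message or log line.
            final String password = args[1].getStringValue();
            if (isCalledAs(qnPasswd.getLocalPart()) || isCalledAs(qnPasswdHash.getLocalPart())) {
                doSetPassword(securityManager, currentUser, username, password);
            } else if (isCalledAs(qnCreateAccount.getLocalPart())) {
                doCreateAccount(broker, securityManager, currentUser, args, username, password);
            } else {
                throw new XPathException(this, "Unknown function call: " + getSignature());
            }
        }
    } catch (final PermissionDeniedException | EXistException pde) {
        throw new XPathException(this, pde);
    }
    return Sequence.EMPTY_SEQUENCE;
}

/** Deletes {@code username}. DBA only; a DBA may not delete the account they are logged in as. */
private void doRemoveAccount(final SecurityManager securityManager, final Subject currentUser, final String username) throws XPathException, PermissionDeniedException, EXistException {
    // The role check precedes the existence check, so a non-DBA learns nothing about
    // which usernames exist.
    if (!currentUser.hasDbaRole()) {
        throw new XPathException(this, "Only a DBA user may remove accounts.");
    }
    if (!securityManager.hasAccount(username)) {
        throw new XPathException(this, "The user account with username " + username + " does not exist.");
    }
    if (currentUser.getName().equals(username)) {
        throw new XPathException(this, "You cannot remove yourself i.e. the currently logged in user.");
    }
    securityManager.deleteAccount(username);
}

/**
 * Changes the credential of {@code username}. A DBA may change any account; any other
 * caller only their own.
 */
private void doSetPassword(final SecurityManager securityManager, final Subject currentUser, final String username, final String password) throws XPathException, PermissionDeniedException, EXistException {
    if (!(currentUser.getName().equals(username) || currentUser.hasDbaRole())) {
        throw new XPathException(this, "You may only change your own password, unless you are a DBA.");
    }
    // The lookup previously had no guard and failed with a NullPointerException for an
    // unknown username (a DBA passing a typo, for instance).
    if (!securityManager.hasAccount(username)) {
        throw new XPathException(this, "The user account with username " + username + " does not exist.");
    }
    final Account account = securityManager.getAccount(username);
    if (isCalledAs(qnPasswdHash.getLocalPart())) {
        // passwd-hash builds the credential directly from the caller-supplied value using
        // Password.DEFAULT_ALGORITHM; presumably the value is an already-computed hash,
        // so no password-policy check can apply here - confirm against Password.
        account.setCredential(new Password(account, Password.DEFAULT_ALGORITHM, password));
    } else {
        account.setPassword(password);
    }
    securityManager.updateAccount(account);
}

/**
 * Creates {@code username} with the given password and group memberships. DBA only.
 *
 * <p>The function has several arities, distinguished by {@code getSignature().getArgumentCount()}:
 * with 3 or 5 arguments a personal group named after the user is created and made the primary
 * group, and {@code args[2]} lists additional groups; otherwise {@code args[2]} is the primary
 * group and {@code args[3]} the additional groups. With 5 or more arguments the last two are
 * the full name and description.
 */
private void doCreateAccount(final DBBroker broker, final SecurityManager securityManager, final Subject currentUser, final Sequence[] args, final String username, final String password) throws XPathException, PermissionDeniedException, EXistException {
    if (!currentUser.hasDbaRole()) {
        throw new XPathException(this, "You must be a DBA to create a User Account.");
    }
    if (securityManager.hasAccount(username)) {
        throw new XPathException(this, "The user account with username " + username + " already exists.");
    }
    final int argCount = getSignature().getArgumentCount();
    final boolean personalGroup = argCount == 3 || argCount == 5;

    final Account user = new UserAider(username);
    user.setPassword(password);
    if (argCount >= 5) {
        // Optional metadata always occupies the last two argument positions.
        // NOTE(review): these use Sequence.toString() where every other argument uses
        // getStringValue(); left unchanged because the two may differ for non-singleton input.
        user.setMetadataValue(AXSchemaType.FULLNAME, args[argCount - 2].toString());
        user.setMetadataValue(EXistSchemaType.DESCRIPTION, args[argCount - 1].toString());
    }

    final String[] subGroups;
    if (personalGroup) {
        // The personal group is created first, with the creating DBA as its manager; the new
        // account is added as a second manager once it exists (below). There is no transaction
        // spanning the two operations, so if addAccount fails this group is left behind.
        final Group group = new GroupAider(username);
        group.setMetadataValue(EXistSchemaType.DESCRIPTION, "Personal group for " + username);
        group.addManager(currentUser);
        securityManager.addGroup(broker, group);
        // The personal group becomes the primary group.
        user.addGroup(username);
        subGroups = getGroups(args[2]);
    } else {
        final String primaryGroup = args[2].getStringValue();
        if (primaryGroup == null || primaryGroup.isEmpty()) {
            throw new XPathException(this, "You must specify a primary group for the user.");
        }
        user.addGroup(primaryGroup);
        subGroups = getGroups(args[3]);
    }
    for (final String subGroup : subGroups) {
        user.addGroup(subGroup);
    }
    securityManager.addAccount(user);
    if (personalGroup) {
        // Now that the account exists, make it a manager of its own personal group.
        final Group group = securityManager.getGroup(username);
        group.addManager(securityManager.getAccount(username));
        securityManager.updateGroup(group);
    }
}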

Example 48 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

Class GroupMembershipFunction, method eval().

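/**
 * Implements the group-membership functions: {@code is-dba}, set-primary-group,
 * add/remove-group-member, get-group-members, add/remove-group-manager and
 * get-group-managers, dispatching on the name this instance was called as.
 *
 * <p>Authorization: is-dba and get-group-members are open to any caller; every other
 * function requires the caller to be a DBA or a manager of the target group.
 *
 * @param args for is-dba the username; for set-primary-group the username then the group
 *             name; otherwise the group name followed, where applicable, by the usernames
 *             to add or remove
 * @param contextSequence unused
 * @return a boolean for is-dba, a sequence of usernames for the get-* functions, otherwise
 *         the empty sequence
 * @throws XPathException if a named account or group does not exist, the caller is not
 *         permitted, the function name is unknown, or the security manager reports an error
 */
@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    Sequence result = Sequence.EMPTY_SEQUENCE;
    final DBBroker broker = getContext().getBroker();
    final Subject currentUser = broker.getCurrentSubject();
    final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
    try {
        if (isCalledAs(qnIsDba.getLocalPart())) {
            final String username = args[0].getStringValue();
            if (!securityManager.hasAccount(username)) {
                throw new XPathException(this, "The user account with username " + username + " does not exist.");
            }
            final Account account = securityManager.getAccount(username);
            result = BooleanValue.valueOf(securityManager.hasAdminPrivileges(account));
        } else if (isCalledAs(qnSetPrimaryGroup.getLocalPart())) {
            final String username = args[0].getStringValue();
            final String groupName = args[1].getStringValue();
            if (!securityManager.hasAccount(username)) {
                throw new XPathException(this, "The user account with username " + username + " does not exist.");
            }
            if (!securityManager.hasGroup(groupName)) {
                throw new XPathException(this, "The user group with name " + groupName + " does not exist.");
            }
            final Group group = securityManager.getGroup(groupName);
            // The original condition also tested !isCalledAs(get-group-members), copied from
            // the branch below; inside this branch that clause is always true, so it is dropped.
            if (!(group.isManager(currentUser) || currentUser.hasDbaRole())) {
                throw new XPathException(this, "Only a Group Manager or DBA may modify the group or retrieve sensitive group information.");
            }
            // NOTE(review): authorization is checked against the target group only, so a
            // manager of that group can re-point any account's primary group at it. Whether
            // setPrimaryGroup also requires (or grants) membership is not visible here - confirm.
            final Account account = securityManager.getAccount(username);
            account.setPrimaryGroup(group);
            securityManager.updateAccount(account);
        } else {
            final String groupName = args[0].getStringValue();
            if (!securityManager.hasGroup(groupName)) {
                throw new XPathException(this, "The user group with name " + groupName + " does not exist.");
            }
            final Group group = securityManager.getGroup(groupName);
            // get-group-members is deliberately readable by any authenticated caller; the
            // manager list and all mutations are restricted to group managers and DBAs.
            if (!isCalledAs(qnGetGroupMembers.getLocalPart()) && (!(group.isManager(currentUser) || currentUser.hasDbaRole()))) {
                throw new XPathException(this, "Only a Group Manager or DBA may modify the group or retrieve sensitive group information.");
            }
            if (isCalledAs(qnAddGroupMember.getLocalPart())) {
                final List<Account> users = getUsers(securityManager, args[1]);
                addGroupMembers(securityManager, group, users);
            } else if (isCalledAs(qnRemoveGroupMember.getLocalPart())) {
                final List<Account> users = getUsers(securityManager, args[1]);
                removeGroupMembers(securityManager, group, users);
            } else if (isCalledAs(qnGetGroupMembers.getLocalPart())) {
                final List<String> groupMembers = securityManager.findAllGroupMembers(groupName);
                final ValueSequence seq = new ValueSequence();
                for (final String groupMember : groupMembers) {
                    seq.add(new StringValue(groupMember));
                }
                result = seq;
            } else if (isCalledAs(qnAddGroupManager.getLocalPart())) {
                final List<Account> users = getUsers(securityManager, args[1]);
                addGroupManagers(securityManager, group, users);
            } else if (isCalledAs(qnRemoveGroupManager.getLocalPart())) {
                final List<Account> users = getUsers(securityManager, args[1]);
                removeGroupManagers(securityManager, group, users);
            } else if (isCalledAs(qnGetGroupManagers.getLocalPart())) {
                final ValueSequence seq = new ValueSequence();
                for (final Account groupManager : group.getManagers()) {
                    seq.add(new StringValue(groupManager.getName()));
                }
                result = seq;
            } else {
                throw new XPathException(this, "Unknown function call: " + getSignature());
            }
        }
    } catch (final PermissionDeniedException | EXistException pde) {
        throw new XPathException(this, pde);
    }
    return result;
}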

Example 49 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

Class UMaskFunction, method getUMask().

/**
 * Reads the umask of the named account and wraps it as an XQuery integer.
 *
 * <p>No authorization check is made here; the caller decides whether the current subject may
 * read this value. {@code getAccount} is dereferenced without a null guard, so an unknown
 * username would fail here - presumably the caller verifies existence first; confirm.
 *
 * @param broker the broker whose pool supplies the security manager
 * @param username the account whose umask is read
 * @return the account's umask
 */
private IntegerValue getUMask(final DBBroker broker, final String username) {
    final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
    return new IntegerValue(sm.getAccount(username).getUserMask());
}

Example 50 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

Class UMaskFunction, method setUMask().

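/**
 * Sets the umask of {@code username}'s account. Permitted to a DBA for any account, or to a
 * user for their own account. The authorization decision is made before any lookup, so a
 * non-DBA cannot use this function to probe for other usernames.
 *
 * @param broker the broker whose pool supplies the security manager
 * @param currentUser the calling subject
 * @param username the account whose umask is changed
 * @param umask the new mask; range validation, if any, is left to {@code Account.setUserMask}
 *              (not visible here - confirm)
 * @throws XPathException if the caller is not permitted, the account does not exist, or the
 *         security manager rejects the update
 */
private void setUMask(final DBBroker broker, final Subject currentUser, final String username, final int umask) throws XPathException {
    if (!currentUser.hasDbaRole() && !currentUser.getUsername().equals(username)) {
        throw new XPathException(this, new PermissionDeniedException("You must have suitable access rights to set the users umask."));
    }
    final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
    final Account account = securityManager.getAccount(username);
    if (account == null) {
        // Previously a NullPointerException on setUserMask for an unknown username.
        throw new XPathException(this, "The user account with username " + username + " does not exist.");
    }
    account.setUserMask(umask);
    try {
        securityManager.updateAccount(account);
    } catch (final PermissionDeniedException | EXistException pde) {
        throw new XPathException(this, pde);
    }
}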
