Search in sources :

Example 51 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class AsUser method eval.

@Override
public Sequence eval(final Sequence contextSequence, final Item contextItem) throws XPathException {
    logger.debug("Entering the " + SystemModule.PREFIX + ":as-user XQuery function");
    final DBBroker broker = context.getBroker();
    final Sequence usernameResult = getArgument(0).eval(contextSequence, contextItem);
    if (usernameResult.isEmpty()) {
        final XPathException exception = new XPathException(this, "No user specified");
        logger.error("No user specified, throwing an exception!", exception);
        throw exception;
    }
    final Sequence password = getArgument(1).eval(contextSequence, contextItem);
    final String username = usernameResult.getStringValue();
    final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
    Subject user;
    try {
        user = sm.authenticate(username, password.getStringValue());
    } catch (final AuthenticationException e) {
        final XPathException exception = new XPathException(this, "Authentication failed", e);
        logger.error("Authentication failed for [{}] because of [{}].", username, e.getMessage(), exception);
        throw exception;
    }
    logger.info("Setting the effective user to: [{}]", username);
    try {
        broker.pushSubject(user);
        return getArgument(2).eval(contextSequence, contextItem);
    } finally {
        broker.popSubject();
        logger.info("Returned the effective user to: [{}]", broker.getCurrentSubject());
    }
}
Also used : DBBroker(org.exist.storage.DBBroker) SecurityManager(org.exist.security.SecurityManager) AuthenticationException(org.exist.security.AuthenticationException) Sequence(org.exist.xquery.value.Sequence) Subject(org.exist.security.Subject)

Example 52 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class DocumentImplTest method isSameNode_sameDoc.

@Test
public void isSameNode_sameDoc() {
    final BrokerPool mockBrokerPool = EasyMock.createMock(BrokerPool.class);
    final Database mockDatabase = EasyMock.createMock(Database.class);
    final DBBroker mockBroker = EasyMock.createMock(DBBroker.class);
    final Subject mockCurrentSubject = EasyMock.createMock(Subject.class);
    final Group mockCurrentSubjectGroup = EasyMock.createMock(Group.class);
    final SecurityManager mockSecurityManager = EasyMock.createMock(SecurityManager.class);
    // expectations
    expect(mockBrokerPool.getSecurityManager()).andReturn(mockSecurityManager);
    expect(mockSecurityManager.getDatabase()).andReturn(mockDatabase);
    expect(mockDatabase.getActiveBroker()).andReturn(mockBroker);
    expect(mockBroker.getCurrentSubject()).andReturn(mockCurrentSubject);
    expect(mockCurrentSubject.getUserMask()).andReturn(Permission.DEFAULT_UMASK);
    expect(mockCurrentSubject.getId()).andReturn(RealmImpl.SYSTEM_ACCOUNT_ID);
    expect(mockCurrentSubject.getDefaultGroup()).andReturn(mockCurrentSubjectGroup);
    expect(mockCurrentSubjectGroup.getId()).andReturn(RealmImpl.DBA_GROUP_ID);
    replay(mockBrokerPool, mockDatabase, mockBroker, mockCurrentSubject, mockCurrentSubjectGroup, mockSecurityManager);
    // test setup
    final DocumentImpl doc = new DocumentImpl(mockBrokerPool, 99);
    assertTrue(doc.isSameNode(doc));
    verify(mockBrokerPool, mockDatabase, mockBroker, mockCurrentSubject, mockCurrentSubjectGroup, mockSecurityManager);
}
Also used : DBBroker(org.exist.storage.DBBroker) SecurityManager(org.exist.security.SecurityManager) Database(org.exist.Database) BrokerPool(org.exist.storage.BrokerPool) Test(org.junit.Test)

Example 53 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class DocumentImplTest method copyOf_updates_metadata_created_and_lastModified.

@Test
public void copyOf_updates_metadata_created_and_lastModified() throws PermissionDeniedException {
    BrokerPool mockBrokerPool = EasyMock.createMock(BrokerPool.class);
    Database mockDatabase = EasyMock.createMock(Database.class);
    DBBroker mockBroker = EasyMock.createMock(DBBroker.class);
    Subject mockCurrentSubject = EasyMock.createMock(Subject.class);
    Group mockCurrentSubjectGroup = EasyMock.createMock(Group.class);
    SecurityManager mockSecurityManager = EasyMock.createMock(SecurityManager.class);
    // test values
    final long otherCreated = System.currentTimeMillis() - 2000;
    final long otherLastModified = System.currentTimeMillis() - 1000;
    // expectations
    expect(mockBrokerPool.getSecurityManager()).andReturn(mockSecurityManager).times(2);
    expect(mockSecurityManager.getDatabase()).andReturn(mockDatabase).times(2);
    expect(mockDatabase.getActiveBroker()).andReturn(mockBroker).times(2);
    expect(mockBroker.getCurrentSubject()).andReturn(mockCurrentSubject).times(2);
    expect(mockCurrentSubject.getUserMask()).andReturn(Permission.DEFAULT_UMASK).times(2);
    expect(mockCurrentSubject.getId()).andReturn(RealmImpl.SYSTEM_ACCOUNT_ID).times(2);
    expect(mockCurrentSubject.getDefaultGroup()).andReturn(mockCurrentSubjectGroup).times(2);
    expect(mockCurrentSubjectGroup.getId()).andReturn(RealmImpl.DBA_GROUP_ID).times(2);
    replay(mockBrokerPool, mockDatabase, mockBroker, mockCurrentSubject, mockCurrentSubjectGroup, mockSecurityManager);
    // test setup
    DocumentImpl doc = new DocumentImpl(mockBrokerPool, 888);
    DocumentImpl other = new DocumentImpl(mockBrokerPool, 999);
    // actions
    doc.copyOf(mockBroker, other, (DocumentImpl) null);
    verify(mockBrokerPool, mockDatabase, mockBroker, mockCurrentSubject, mockCurrentSubjectGroup, mockSecurityManager);
    // assertions
    assertThat(otherCreated, new LessThan(doc.getCreated()));
    assertThat(otherLastModified, new LessThan(doc.getLastModified()));
}
Also used : DBBroker(org.exist.storage.DBBroker) SecurityManager(org.exist.security.SecurityManager) Database(org.exist.Database) BrokerPool(org.exist.storage.BrokerPool) Test(org.junit.Test)

Example 54 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class ConfigurationDocumentTrigger method processPrincipal.

/**
 * When configuring a Principal (Account or Group) we need to
 * make sure of two things:
 *
 * 1) If the principal uses an old style id, i.e. before ACL Permissions
 * were introduced then we have to modernise this id
 *
 * 2) If the principal uses a name or id which already exists in
 * the database then we must avoid conflicts
 */
private void processPrincipal(final PrincipalType principalType) throws SAXException {
    final SAXEvent firstEvent = deferred.peek();
    if (!(firstEvent instanceof StartElement)) {
        throw new SAXException("Unbalanced SAX Events");
    }
    final StartElement start = ((StartElement) firstEvent);
    if (start.namespaceURI == null || !start.namespaceURI.equals(Configuration.NS) || !start.localName.equals(principalType.getElementName())) {
        throw new SAXException("First element does not match ending '" + principalType.getElementName() + "' element");
    }
    final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
    // if needed, update old style id to new style id
    final AttributesImpl attrs = new AttributesImpl(migrateIdAttribute(sm, start.attributes, principalType));
    // check if there is a name collision, i.e. another principal with the same name
    final String principalName = findName();
    // first check if the account or group exists before trying to retrieve it
    // otherwise the LDAP realm will create a new user, leading to an endless loop
    final boolean principalExists = principalName != null && principalType.hasPrincipal(sm, principalName);
    Principal existingPrincipleByName = null;
    if (principalExists) {
        existingPrincipleByName = principalType.getPrincipal(sm, principalName);
    }
    final int newId;
    if (existingPrincipleByName != null) {
        // use id of existing principal which has the same name
        newId = existingPrincipleByName.getId();
    } else {
        // check if there is an id collision, i.e. another principal with the same id
        final Integer id = Integer.valueOf(attrs.getValue(ID_ATTR));
        final boolean principalIdExists = principalType.hasPrincipal(sm, id);
        Principal existingPrincipalById = null;
        if (principalIdExists) {
            existingPrincipalById = principalType.getPrincipal(sm, id);
        }
        if (existingPrincipalById != null) {
            // pre-allocate a new id, so as not to collide with the existing principal
            if (isValidating()) {
                try {
                    principalType.preAllocateId(sm, preAllocatedId);
                } catch (final PermissionDeniedException | EXistException e) {
                    throw new SAXException("Unable to pre-allocate principle id for " + principalType.getElementName() + ": " + principalName, e);
                }
            }
            newId = preAllocatedId.getId();
            if (!isValidating()) {
                preAllocatedId.clear();
            }
        } else {
            // use the provided id as it is currently unallocated
            newId = id;
        }
    }
    // update attributes of the principal in deferred
    attrs.setValue(attrs.getIndex(ID_ATTR), String.valueOf(newId));
    final StartElement prevPrincipalStart = (StartElement) deferred.poll();
    deferred.addFirst(new StartElement(prevPrincipalStart.namespaceURI, prevPrincipalStart.localName, prevPrincipalStart.qname, attrs));
}
Also used : SecurityManager(org.exist.security.SecurityManager) EXistException(org.exist.EXistException) SAXException(org.xml.sax.SAXException) StartElement(org.exist.util.sax.event.contenthandler.StartElement) AttributesImpl(org.xml.sax.helpers.AttributesImpl) SAXEvent(org.exist.util.sax.event.SAXEvent)

Example 55 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class DatabaseImpl method getUser.

/**
 * @param user
 * @param pool
 * @return the User object corresponding to the username in <code>user</code>
 * @throws XMLDBException
 */
private Subject getUser(String user, String password, final BrokerPool pool) throws XMLDBException {
    try {
        if (user == null) {
            user = SecurityManager.GUEST_USER;
            password = SecurityManager.GUEST_USER;
        }
        final SecurityManager securityManager = pool.getSecurityManager();
        return securityManager.authenticate(user, password);
    } catch (final AuthenticationException e) {
        throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, e.getMessage(), e);
    }
}
Also used : SecurityManager(org.exist.security.SecurityManager) AuthenticationException(org.exist.security.AuthenticationException) XMLDBException(org.xmldb.api.base.XMLDBException)

Aggregations

SecurityManager (org.exist.security.SecurityManager)68 DBBroker (org.exist.storage.DBBroker)22 Txn (org.exist.storage.txn.Txn)16 Account (org.exist.security.Account)15 BrokerPool (org.exist.storage.BrokerPool)15 Subject (org.exist.security.Subject)12 EXistException (org.exist.EXistException)11 PermissionDeniedException (org.exist.security.PermissionDeniedException)9 XPathException (org.exist.xquery.XPathException)9 AuthenticationException (org.exist.security.AuthenticationException)8 GroupAider (org.exist.security.internal.aider.GroupAider)6 Collection (org.exist.collections.Collection)5 Group (org.exist.security.Group)5 Database (org.exist.Database)4 UserAider (org.exist.security.internal.aider.UserAider)4 LockedDocumentMap (org.exist.storage.lock.LockedDocumentMap)4 Test (org.junit.Test)4 java.util (java.util)2 List (java.util.List)2 HttpSession (javax.servlet.http.HttpSession)2