use of org.exist.security.SecurityManager in project exist by eXist-db.
the class AsUser method eval.
@Override
public Sequence eval(final Sequence contextSequence, final Item contextItem) throws XPathException {
logger.debug("Entering the " + SystemModule.PREFIX + ":as-user XQuery function");
final DBBroker broker = context.getBroker();
final Sequence usernameResult = getArgument(0).eval(contextSequence, contextItem);
if (usernameResult.isEmpty()) {
final XPathException exception = new XPathException(this, "No user specified");
logger.error("No user specified, throwing an exception!", exception);
throw exception;
}
final Sequence password = getArgument(1).eval(contextSequence, contextItem);
final String username = usernameResult.getStringValue();
final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
Subject user;
try {
user = sm.authenticate(username, password.getStringValue());
} catch (final AuthenticationException e) {
final XPathException exception = new XPathException(this, "Authentication failed", e);
logger.error("Authentication failed for [{}] because of [{}].", username, e.getMessage(), exception);
throw exception;
}
logger.info("Setting the effective user to: [{}]", username);
try {
broker.pushSubject(user);
return getArgument(2).eval(contextSequence, contextItem);
} finally {
broker.popSubject();
logger.info("Returned the effective user to: [{}]", broker.getCurrentSubject());
}
}
use of org.exist.security.SecurityManager in project exist by eXist-db.
the class DocumentImplTest method isSameNode_sameDoc.
@Test
public void isSameNode_sameDoc() {
final BrokerPool mockBrokerPool = EasyMock.createMock(BrokerPool.class);
final Database mockDatabase = EasyMock.createMock(Database.class);
final DBBroker mockBroker = EasyMock.createMock(DBBroker.class);
final Subject mockCurrentSubject = EasyMock.createMock(Subject.class);
final Group mockCurrentSubjectGroup = EasyMock.createMock(Group.class);
final SecurityManager mockSecurityManager = EasyMock.createMock(SecurityManager.class);
// expectations
expect(mockBrokerPool.getSecurityManager()).andReturn(mockSecurityManager);
expect(mockSecurityManager.getDatabase()).andReturn(mockDatabase);
expect(mockDatabase.getActiveBroker()).andReturn(mockBroker);
expect(mockBroker.getCurrentSubject()).andReturn(mockCurrentSubject);
expect(mockCurrentSubject.getUserMask()).andReturn(Permission.DEFAULT_UMASK);
expect(mockCurrentSubject.getId()).andReturn(RealmImpl.SYSTEM_ACCOUNT_ID);
expect(mockCurrentSubject.getDefaultGroup()).andReturn(mockCurrentSubjectGroup);
expect(mockCurrentSubjectGroup.getId()).andReturn(RealmImpl.DBA_GROUP_ID);
replay(mockBrokerPool, mockDatabase, mockBroker, mockCurrentSubject, mockCurrentSubjectGroup, mockSecurityManager);
// test setup
final DocumentImpl doc = new DocumentImpl(mockBrokerPool, 99);
assertTrue(doc.isSameNode(doc));
verify(mockBrokerPool, mockDatabase, mockBroker, mockCurrentSubject, mockCurrentSubjectGroup, mockSecurityManager);
}
use of org.exist.security.SecurityManager in project exist by eXist-db.
the class DocumentImplTest method copyOf_updates_metadata_created_and_lastModified.
@Test
public void copyOf_updates_metadata_created_and_lastModified() throws PermissionDeniedException {
BrokerPool mockBrokerPool = EasyMock.createMock(BrokerPool.class);
Database mockDatabase = EasyMock.createMock(Database.class);
DBBroker mockBroker = EasyMock.createMock(DBBroker.class);
Subject mockCurrentSubject = EasyMock.createMock(Subject.class);
Group mockCurrentSubjectGroup = EasyMock.createMock(Group.class);
SecurityManager mockSecurityManager = EasyMock.createMock(SecurityManager.class);
// test values
final long otherCreated = System.currentTimeMillis() - 2000;
final long otherLastModified = System.currentTimeMillis() - 1000;
// expectations
expect(mockBrokerPool.getSecurityManager()).andReturn(mockSecurityManager).times(2);
expect(mockSecurityManager.getDatabase()).andReturn(mockDatabase).times(2);
expect(mockDatabase.getActiveBroker()).andReturn(mockBroker).times(2);
expect(mockBroker.getCurrentSubject()).andReturn(mockCurrentSubject).times(2);
expect(mockCurrentSubject.getUserMask()).andReturn(Permission.DEFAULT_UMASK).times(2);
expect(mockCurrentSubject.getId()).andReturn(RealmImpl.SYSTEM_ACCOUNT_ID).times(2);
expect(mockCurrentSubject.getDefaultGroup()).andReturn(mockCurrentSubjectGroup).times(2);
expect(mockCurrentSubjectGroup.getId()).andReturn(RealmImpl.DBA_GROUP_ID).times(2);
replay(mockBrokerPool, mockDatabase, mockBroker, mockCurrentSubject, mockCurrentSubjectGroup, mockSecurityManager);
// test setup
DocumentImpl doc = new DocumentImpl(mockBrokerPool, 888);
DocumentImpl other = new DocumentImpl(mockBrokerPool, 999);
// actions
doc.copyOf(mockBroker, other, (DocumentImpl) null);
verify(mockBrokerPool, mockDatabase, mockBroker, mockCurrentSubject, mockCurrentSubjectGroup, mockSecurityManager);
// assertions
assertThat(otherCreated, new LessThan(doc.getCreated()));
assertThat(otherLastModified, new LessThan(doc.getLastModified()));
}
use of org.exist.security.SecurityManager in project exist by eXist-db.
the class ConfigurationDocumentTrigger method processPrincipal.
/**
* When configuring a Principal (Account or Group) we need to
* make sure of two things:
*
* 1) If the principal uses an old style id, i.e. before ACL Permissions
* were introduced then we have to modernise this id
*
* 2) If the principal uses a name or id which already exists in
* the database then we must avoid conflicts
*/
private void processPrincipal(final PrincipalType principalType) throws SAXException {
final SAXEvent firstEvent = deferred.peek();
if (!(firstEvent instanceof StartElement)) {
throw new SAXException("Unbalanced SAX Events");
}
final StartElement start = ((StartElement) firstEvent);
if (start.namespaceURI == null || !start.namespaceURI.equals(Configuration.NS) || !start.localName.equals(principalType.getElementName())) {
throw new SAXException("First element does not match ending '" + principalType.getElementName() + "' element");
}
final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
// if needed, update old style id to new style id
final AttributesImpl attrs = new AttributesImpl(migrateIdAttribute(sm, start.attributes, principalType));
// check if there is a name collision, i.e. another principal with the same name
final String principalName = findName();
// first check if the account or group exists before trying to retrieve it
// otherwise the LDAP realm will create a new user, leading to an endless loop
final boolean principalExists = principalName != null && principalType.hasPrincipal(sm, principalName);
Principal existingPrincipleByName = null;
if (principalExists) {
existingPrincipleByName = principalType.getPrincipal(sm, principalName);
}
final int newId;
if (existingPrincipleByName != null) {
// use id of existing principal which has the same name
newId = existingPrincipleByName.getId();
} else {
// check if there is an id collision, i.e. another principal with the same id
final Integer id = Integer.valueOf(attrs.getValue(ID_ATTR));
final boolean principalIdExists = principalType.hasPrincipal(sm, id);
Principal existingPrincipalById = null;
if (principalIdExists) {
existingPrincipalById = principalType.getPrincipal(sm, id);
}
if (existingPrincipalById != null) {
// pre-allocate a new id, so as not to collide with the existing principal
if (isValidating()) {
try {
principalType.preAllocateId(sm, preAllocatedId);
} catch (final PermissionDeniedException | EXistException e) {
throw new SAXException("Unable to pre-allocate principle id for " + principalType.getElementName() + ": " + principalName, e);
}
}
newId = preAllocatedId.getId();
if (!isValidating()) {
preAllocatedId.clear();
}
} else {
// use the provided id as it is currently unallocated
newId = id;
}
}
// update attributes of the principal in deferred
attrs.setValue(attrs.getIndex(ID_ATTR), String.valueOf(newId));
final StartElement prevPrincipalStart = (StartElement) deferred.poll();
deferred.addFirst(new StartElement(prevPrincipalStart.namespaceURI, prevPrincipalStart.localName, prevPrincipalStart.qname, attrs));
}
use of org.exist.security.SecurityManager in project exist by eXist-db.
the class DatabaseImpl method getUser.
/**
* @param user
* @param pool
* @return the User object corresponding to the username in <code>user</code>
* @throws XMLDBException
*/
private Subject getUser(String user, String password, final BrokerPool pool) throws XMLDBException {
try {
if (user == null) {
user = SecurityManager.GUEST_USER;
password = SecurityManager.GUEST_USER;
}
final SecurityManager securityManager = pool.getSecurityManager();
return securityManager.authenticate(user, password);
} catch (final AuthenticationException e) {
throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, e.getMessage(), e);
}
}
Aggregations