Examples with SecurityManager org.exist.security.SecurityManager used on opensource projects

Example 51 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class AsUser method eval.

@Override
public Sequence eval(final Sequence contextSequence, final Item contextItem) throws XPathException {
    logger.debug("Entering the " + SystemModule.PREFIX + ":as-user XQuery function");
    final DBBroker broker = context.getBroker();
    final Sequence usernameResult = getArgument(0).eval(contextSequence, contextItem);
    if (usernameResult.isEmpty()) {
        final XPathException exception = new XPathException(this, "No user specified");
        logger.error("No user specified, throwing an exception!", exception);
        throw exception;
    }
    final Sequence password = getArgument(1).eval(contextSequence, contextItem);
    final String username = usernameResult.getStringValue();
    final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
    Subject user;
    try {
        user = sm.authenticate(username, password.getStringValue());
    } catch (final AuthenticationException e) {
        final XPathException exception = new XPathException(this, "Authentication failed", e);
        logger.error("Authentication failed for [{}] because of [{}].", username, e.getMessage(), exception);
        throw exception;
    }
    logger.info("Setting the effective user to: [{}]", username);
    try {
        broker.pushSubject(user);
        return getArgument(2).eval(contextSequence, contextItem);
    } finally {
        broker.popSubject();
        logger.info("Returned the effective user to: [{}]", broker.getCurrentSubject());
    }
}

Example 52 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class DocumentImplTest method isSameNode_sameDoc.

@Test
public void isSameNode_sameDoc() {
    final BrokerPool mockBrokerPool = EasyMock.createMock(BrokerPool.class);
    final Database mockDatabase = EasyMock.createMock(Database.class);
    final DBBroker mockBroker = EasyMock.createMock(DBBroker.class);
    final Subject mockCurrentSubject = EasyMock.createMock(Subject.class);
    final Group mockCurrentSubjectGroup = EasyMock.createMock(Group.class);
    final SecurityManager mockSecurityManager = EasyMock.createMock(SecurityManager.class);
    // expectations
    expect(mockBrokerPool.getSecurityManager()).andReturn(mockSecurityManager);
    expect(mockSecurityManager.getDatabase()).andReturn(mockDatabase);
    expect(mockDatabase.getActiveBroker()).andReturn(mockBroker);
    expect(mockBroker.getCurrentSubject()).andReturn(mockCurrentSubject);
    expect(mockCurrentSubject.getUserMask()).andReturn(Permission.DEFAULT_UMASK);
    expect(mockCurrentSubject.getId()).andReturn(RealmImpl.SYSTEM_ACCOUNT_ID);
    expect(mockCurrentSubject.getDefaultGroup()).andReturn(mockCurrentSubjectGroup);
    expect(mockCurrentSubjectGroup.getId()).andReturn(RealmImpl.DBA_GROUP_ID);
    replay(mockBrokerPool, mockDatabase, mockBroker, mockCurrentSubject, mockCurrentSubjectGroup, mockSecurityManager);
    // test setup
    final DocumentImpl doc = new DocumentImpl(mockBrokerPool, 99);
    assertTrue(doc.isSameNode(doc));
    verify(mockBrokerPool, mockDatabase, mockBroker, mockCurrentSubject, mockCurrentSubjectGroup, mockSecurityManager);
}

Example 53 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class DocumentImplTest method copyOf_updates_metadata_created_and_lastModified.

@Test
public void copyOf_updates_metadata_created_and_lastModified() throws PermissionDeniedException {
    BrokerPool mockBrokerPool = EasyMock.createMock(BrokerPool.class);
    Database mockDatabase = EasyMock.createMock(Database.class);
    DBBroker mockBroker = EasyMock.createMock(DBBroker.class);
    Subject mockCurrentSubject = EasyMock.createMock(Subject.class);
    Group mockCurrentSubjectGroup = EasyMock.createMock(Group.class);
    SecurityManager mockSecurityManager = EasyMock.createMock(SecurityManager.class);
    // test values
    final long otherCreated = System.currentTimeMillis() - 2000;
    final long otherLastModified = System.currentTimeMillis() - 1000;
    // expectations
    expect(mockBrokerPool.getSecurityManager()).andReturn(mockSecurityManager).times(2);
    expect(mockSecurityManager.getDatabase()).andReturn(mockDatabase).times(2);
    expect(mockDatabase.getActiveBroker()).andReturn(mockBroker).times(2);
    expect(mockBroker.getCurrentSubject()).andReturn(mockCurrentSubject).times(2);
    expect(mockCurrentSubject.getUserMask()).andReturn(Permission.DEFAULT_UMASK).times(2);
    expect(mockCurrentSubject.getId()).andReturn(RealmImpl.SYSTEM_ACCOUNT_ID).times(2);
    expect(mockCurrentSubject.getDefaultGroup()).andReturn(mockCurrentSubjectGroup).times(2);
    expect(mockCurrentSubjectGroup.getId()).andReturn(RealmImpl.DBA_GROUP_ID).times(2);
    replay(mockBrokerPool, mockDatabase, mockBroker, mockCurrentSubject, mockCurrentSubjectGroup, mockSecurityManager);
    // test setup
    DocumentImpl doc = new DocumentImpl(mockBrokerPool, 888);
    DocumentImpl other = new DocumentImpl(mockBrokerPool, 999);
    // actions
    doc.copyOf(mockBroker, other, (DocumentImpl) null);
    verify(mockBrokerPool, mockDatabase, mockBroker, mockCurrentSubject, mockCurrentSubjectGroup, mockSecurityManager);
    // assertions
    assertThat(otherCreated, new LessThan(doc.getCreated()));
    assertThat(otherLastModified, new LessThan(doc.getLastModified()));
}

Example 54 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class ConfigurationDocumentTrigger method processPrincipal.

/**
 * When configuring a Principal (Account or Group) we need to
 * make sure of two things:
 *
 * 1) If the principal uses an old style id, i.e. before ACL Permissions
 * were introduced then we have to modernise this id
 *
 * 2) If the principal uses a name or id which already exists in
 * the database then we must avoid conflicts
 */
private void processPrincipal(final PrincipalType principalType) throws SAXException {
    final SAXEvent firstEvent = deferred.peek();
    if (!(firstEvent instanceof StartElement)) {
        throw new SAXException("Unbalanced SAX Events");
    }
    final StartElement start = ((StartElement) firstEvent);
    if (start.namespaceURI == null || !start.namespaceURI.equals(Configuration.NS) || !start.localName.equals(principalType.getElementName())) {
        throw new SAXException("First element does not match ending '" + principalType.getElementName() + "' element");
    }
    final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
    // if needed, update old style id to new style id
    final AttributesImpl attrs = new AttributesImpl(migrateIdAttribute(sm, start.attributes, principalType));
    // check if there is a name collision, i.e. another principal with the same name
    final String principalName = findName();
    // first check if the account or group exists before trying to retrieve it
    // otherwise the LDAP realm will create a new user, leading to an endless loop
    final boolean principalExists = principalName != null && principalType.hasPrincipal(sm, principalName);
    Principal existingPrincipleByName = null;
    if (principalExists) {
        existingPrincipleByName = principalType.getPrincipal(sm, principalName);
    }
    final int newId;
    if (existingPrincipleByName != null) {
        // use id of existing principal which has the same name
        newId = existingPrincipleByName.getId();
    } else {
        // check if there is an id collision, i.e. another principal with the same id
        final Integer id = Integer.valueOf(attrs.getValue(ID_ATTR));
        final boolean principalIdExists = principalType.hasPrincipal(sm, id);
        Principal existingPrincipalById = null;
        if (principalIdExists) {
            existingPrincipalById = principalType.getPrincipal(sm, id);
        }
        if (existingPrincipalById != null) {
            // pre-allocate a new id, so as not to collide with the existing principal
            if (isValidating()) {
                try {
                    principalType.preAllocateId(sm, preAllocatedId);
                } catch (final PermissionDeniedException | EXistException e) {
                    throw new SAXException("Unable to pre-allocate principle id for " + principalType.getElementName() + ": " + principalName, e);
                }
            }
            newId = preAllocatedId.getId();
            if (!isValidating()) {
                preAllocatedId.clear();
            }
        } else {
            // use the provided id as it is currently unallocated
            newId = id;
        }
    }
    // update attributes of the principal in deferred
    attrs.setValue(attrs.getIndex(ID_ATTR), String.valueOf(newId));
    final StartElement prevPrincipalStart = (StartElement) deferred.poll();
    deferred.addFirst(new StartElement(prevPrincipalStart.namespaceURI, prevPrincipalStart.localName, prevPrincipalStart.qname, attrs));
}

Example 55 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class DatabaseImpl method getUser.

/**
 * @param user
 * @param pool
 * @return the User object corresponding to the username in <code>user</code>
 * @throws XMLDBException
 */
private Subject getUser(String user, String password, final BrokerPool pool) throws XMLDBException {
    try {
        if (user == null) {
            user = SecurityManager.GUEST_USER;
            password = SecurityManager.GUEST_USER;
        }
        final SecurityManager securityManager = pool.getSecurityManager();
        return securityManager.authenticate(user, password);
    } catch (final AuthenticationException e) {
        throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, e.getMessage(), e);
    }
}