
Example 26 with SecurityManager

Use of org.exist.security.SecurityManager in the project exist by eXist-db.

Class FindGroupFunction, method eval.

@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    final DBBroker broker = getContext().getBroker();
    final Subject currentUser = broker.getCurrentSubject();
    // Every variant except the one named by qnGetUserGroups requires an authenticated (non-guest) caller;
    // the get-user-groups variant applies its own DBA-or-self check further down.
    if (!isCalledAs(qnGetUserGroups.getLocalPart()) && currentUser.getName().equals(SecurityManager.GUEST_USER)) {
        throw new XPathException(this, "You must be an authenticated user");
    }
    final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
    final Sequence result;
    if (isCalledAs(qnGetUserPrimaryGroup.getLocalPart())) {
        final String username = args[0].getStringValue();
        final Account account = securityManager.getAccount(username);
        // getAccount() returns null for an unknown user; fail with an XPathException rather than a NullPointerException
        if (account == null) {
            throw new XPathException(this, "No such user: " + username);
        }
        result = new StringValue(account.getPrimaryGroup());
    } else if (isCalledAs(qnGroupExists.getLocalPart())) {
        final String groupName = args[0].getStringValue();
        result = BooleanValue.valueOf(securityManager.hasGroup(groupName));
    } else {
        final List<String> groupNames;
        if (isCalledAs(qnListGroups.getLocalPart())) {
            groupNames = securityManager.findAllGroupNames();
        } else if (isCalledAs(qnFindGroupsByGroupname.getLocalPart())) {
            final String startsWith = args[0].getStringValue();
            groupNames = securityManager.findGroupnamesWhereGroupnameStarts(startsWith);
        } else if (isCalledAs(qnFindGroupsWhereGroupnameContains.getLocalPart())) {
            final String fragment = args[0].getStringValue();
            groupNames = securityManager.findGroupnamesWhereGroupnameContains(fragment);
        } else if (isCalledAs(qnGetUserGroups.getLocalPart())) {
            final String username = args[0].getStringValue();
            // Only a DBA may list another user's groups; everyone else may only enquire about themselves
            if (!currentUser.hasDbaRole() && !currentUser.getName().equals(username)) {
                throw new XPathException(this, "You must be a DBA or enquiring about your own user account!");
            }
            final Account user = securityManager.getAccount(username);
            // A DBA may ask about a user that does not exist; report it instead of dereferencing null
            if (user == null) {
                throw new XPathException(this, "No such user: " + username);
            }
            groupNames = Arrays.asList(user.getGroups());
        } else {
            throw new XPathException(this, "Unknown function");
        }
        // order a-z
        Collections.sort(groupNames);
        result = new ValueSequence();
        for (final String groupName : groupNames) {
            result.add(new StringValue(groupName));
        }
    }
    return result;
}
Also used: Account (org.exist.security.Account), DBBroker (org.exist.storage.DBBroker), SecurityManager (org.exist.security.SecurityManager), XPathException (org.exist.xquery.XPathException), List (java.util.List), Subject (org.exist.security.Subject)

Example 27 with SecurityManager

Use of org.exist.security.SecurityManager in the project exist by eXist-db.

Class GetPrincipalMetadataFunction, method eval.

@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    Sequence result = Sequence.EMPTY_SEQUENCE;
    final DBBroker broker = getContext().getBroker();
    final Subject currentUser = broker.getCurrentSubject();
    if (args.length == 0) {
        // Zero-argument variants enumerate the known metadata keys; no principal is involved, so no access check is needed
        if (isCalledAs(qnGetAccountMetadataKeys.getLocalPart())) {
            result = getAllAccountMetadataKeys();
        } else if (isCalledAs(qnGetGroupMetadataKeys.getLocalPart())) {
            result = getAllGroupMetadataKeys();
        } else {
            throw new XPathException("Unknown function");
        }
    } else {
        final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
        final String strPrincipal = args[0].getStringValue();
        final Principal principal;
        if (isCalledAs(qnGetAccountMetadataKeys.getLocalPart()) || isCalledAs(qnGetAccountMetadata.getLocalPart())) {
            // Account metadata: a DBA may read any account, other callers only their own
            if (!currentUser.hasDbaRole() && !currentUser.getUsername().equals(strPrincipal)) {
                throw new XPathException("You must be a DBA to retrieve metadata about other users, otherwise you may only retrieve metadata about yourself.");
            }
            principal = securityManager.getAccount(strPrincipal);
        } else if (isCalledAs(qnGetGroupMetadataKeys.getLocalPart()) || isCalledAs(qnGetGroupMetadata.getLocalPart())) {
            // Group metadata: a DBA may read any group, other callers only groups they belong to
            if (!currentUser.hasDbaRole() && !currentUser.hasGroup(strPrincipal)) {
                throw new XPathException("You must be a DBA to retrieve metadata about other groups, otherwise you may only retrieve metadata about groups you are a member of.");
            }
            principal = securityManager.getGroup(strPrincipal);
        } else {
            throw new XPathException("Unknown function");
        }
        // Unknown principals yield an empty sequence rather than an error
        if (principal == null) {
            result = Sequence.EMPTY_SEQUENCE;
        } else {
            if (isCalledAs(qnGetAccountMetadataKeys.getLocalPart()) || isCalledAs(qnGetGroupMetadataKeys.getLocalPart())) {
                result = getPrincipalMetadataKeys(principal);
            } else if (isCalledAs(qnGetAccountMetadata.getLocalPart()) || isCalledAs(qnGetGroupMetadata.getLocalPart())) {
                final String metadataAttributeNamespace = args[1].getStringValue();
                result = getPrincipalMetadata(principal, metadataAttributeNamespace);
            } else {
                throw new XPathException("Unknown function");
            }
        }
    }
    return result;
}
Also used: DBBroker (org.exist.storage.DBBroker), SecurityManager (org.exist.security.SecurityManager), XPathException (org.exist.xquery.XPathException), ValueSequence (org.exist.xquery.value.ValueSequence), Sequence (org.exist.xquery.value.Sequence), Subject (org.exist.security.Subject), Principal (org.exist.security.Principal)

Example 28 with SecurityManager

Use of org.exist.security.SecurityManager in the project exist by eXist-db.

Class AccountStatusFunction, method eval.

@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    final DBBroker broker = getContext().getBroker();
    final Subject currentUser = broker.getCurrentSubject();
    final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
    final String username = args[0].getStringValue();
    if (isCalledAs(qnIsAccountEnabled.getLocalPart())) {
        // Read access: a DBA may query any account, other callers only their own
        if (!currentUser.hasDbaRole() && !currentUser.getName().equals(username)) {
            throw new XPathException("You must be a DBA or be enquiring about your own account!");
        }
        final Account account = securityManager.getAccount(username);
        // An unknown account is reported as disabled rather than as an error
        return (account == null) ? BooleanValue.FALSE : new BooleanValue(account.isEnabled());
    } else if (isCalledAs(qnSetAccountEnabled.getLocalPart())) {
        // Write access: enabling or disabling an account is restricted to DBAs
        if (!currentUser.hasDbaRole()) {
            throw new XPathException("You must be a DBA to change the status of an account!");
        }
        final boolean enable = args[1].effectiveBooleanValue();
        final Account account = securityManager.getAccount(username);
        // getAccount() returns null for an unknown user; fail explicitly rather than with a NullPointerException
        if (account == null) {
            throw new XPathException("No such user: " + username);
        }
        account.setEnabled(enable);
        try {
            // Persist the change; the security manager enforces its own permission checks on save
            account.save(broker);
            return Sequence.EMPTY_SEQUENCE;
        } catch (final ConfigurationException | PermissionDeniedException ce) {
            throw new XPathException(ce.getMessage(), ce);
        }
    } else {
        throw new XPathException("Unknown function");
    }
}
Also used: Account (org.exist.security.Account), DBBroker (org.exist.storage.DBBroker), SecurityManager (org.exist.security.SecurityManager), XPathException (org.exist.xquery.XPathException), BooleanValue (org.exist.xquery.value.BooleanValue), Subject (org.exist.security.Subject)

Example 29 with SecurityManager

Use of org.exist.security.SecurityManager in the project exist by eXist-db.

Class SetCurrentUser, method eval.

@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    // get the username and password parameters
    final String userName = args[0].getStringValue();
    final String passwd = args[1].getStringValue();
    // try and validate the user and password
    final SecurityManager security = context.getBroker().getBrokerPool().getSecurityManager();
    final Subject user;
    try {
        user = security.authenticate(userName, passwd);
    } catch (final AuthenticationException e) {
        // Failed logins are logged (username only, never the password) and reported to the caller as false()
        logger.warn("Could not validate user {} [{}]", userName, e.getMessage());
        return BooleanValue.FALSE;
    }
    // switch the user of the current broker
    switchUser(user);
    // validated user, store in session
    final SessionWrapper session = SessionFunction.getValidOrCreateSession(this, context, Optional.ofNullable(context.getHttpContext()).map(XQueryContext.HttpContext::getSession));
    session.setAttribute("user", userName);
    // The cleartext password is kept as a session attribute so later requests can re-authenticate;
    // anything with access to session storage can therefore read it, so treat that store as sensitive
    session.setAttribute("password", new StringValue(passwd));
    return BooleanValue.TRUE;
}
Also used: SecurityManager (org.exist.security.SecurityManager), AuthenticationException (org.exist.security.AuthenticationException), StringValue (org.exist.xquery.value.StringValue), Subject (org.exist.security.Subject), SessionWrapper (org.exist.http.servlets.SessionWrapper)

Example 30 with SecurityManager

Use of org.exist.security.SecurityManager in the project exist by eXist-db.

Class CopyResourceTest, method cleanupDb.

@AfterClass
public static void cleanupDb() throws EXistException, PermissionDeniedException, IOException, TriggerException {
    final BrokerPool pool = existWebServer.getBrokerPool();
    final SecurityManager sm = pool.getSecurityManager();
    // Test teardown runs as the system subject so it can delete the users, group and collection created for the test;
    // the broker and transaction are both closed by try-with-resources, rolling back if commit() is never reached
    try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
        final Txn transaction = pool.getTransactionManager().beginTransaction()) {
        removeUser(sm, USER2_NAME);
        removeUser(sm, USER1_NAME);
        removeGroup(sm, GROUP1_NAME);
        removeCollection(broker, transaction, TEST_COLLECTION_URI);
        transaction.commit();
    }
}
Also used: SecurityManager (org.exist.security.SecurityManager), Txn (org.exist.storage.txn.Txn)

Aggregations (class, with number of usages)

SecurityManager (org.exist.security.SecurityManager): 68
DBBroker (org.exist.storage.DBBroker): 22
Txn (org.exist.storage.txn.Txn): 16
Account (org.exist.security.Account): 15
BrokerPool (org.exist.storage.BrokerPool): 15
Subject (org.exist.security.Subject): 12
EXistException (org.exist.EXistException): 11
PermissionDeniedException (org.exist.security.PermissionDeniedException): 9
XPathException (org.exist.xquery.XPathException): 9
AuthenticationException (org.exist.security.AuthenticationException): 8
GroupAider (org.exist.security.internal.aider.GroupAider): 6
Collection (org.exist.collections.Collection): 5
Group (org.exist.security.Group): 5
Database (org.exist.Database): 4
UserAider (org.exist.security.internal.aider.UserAider): 4
LockedDocumentMap (org.exist.storage.lock.LockedDocumentMap): 4
Test (org.junit.Test): 4
java.util (java.util): 2
List (java.util.List): 2
HttpSession (javax.servlet.http.HttpSession): 2