
Example 16 with ACEAider

use of org.exist.security.internal.aider.ACEAider in project exist by eXist-db.

Method setup of the class FnDocSecurityTest.

/**
 * Builds the fixture for the fn:doc security tests. Everything is created as the system user
 * inside one transaction, producing this layout:
 *
 *  /db/all.xml                              system:dba rwxrwxrwx
 *  /db/system-only.xml                      system:dba rwx------
 *
 *  /db/fnDocSecurityTest1                   system:dba rwxr-xr--
 *  /db/fnDocSecurityTest1/child1            system:dba rwxrwxrwx
 *  /db/fnDocSecurityTest1/child1/doc1.xml   system:dba rwxrwxrwx
 *
 *  /db/fnDocSecurityTest2                   system:dba rwxr-xr-x+ (acl=[DENIED USER docTestUser1 "r-x"])
 *  /db/fnDocSecurityTest2/child2            system:dba rwxrwxrwx
 *  /db/fnDocSecurityTest2/child2/doc2.xml   system:dba rwxrwxrwx
 *
 * The user docTestUser1 is created first, because the DENIED ACE on fnDocSecurityTest2 refers to it.
 */
@BeforeClass
public static void setup() throws EXistException, PermissionDeniedException, SyntaxException, IOException, SAXException, LockException {
    final BrokerPool brokerPool = server.getBrokerPool();
    final SecurityManager sm = brokerPool.getSecurityManager();
    final String content = "<hello/>";
    final String allAccess = "rwxrwxrwx";
    // Both the broker and the transaction are released by try-with-resources.
    try (final DBBroker broker = brokerPool.get(Optional.of(sm.getSystemSubject()));
        final Txn txn = brokerPool.getTransactionManager().beginTransaction()) {
        createUser(sm, broker, TEST_USER_1);

        // /db/all.xml and /db/system-only.xml
        createDocument(broker, txn, ROOT_COLLECTION, TEST_DOC_NAME_ALL, content, allAccess);
        createDocument(broker, txn, ROOT_COLLECTION, TEST_DOC_NAME_SYSTEM_ONLY, content, "rwx------");

        // /db/fnDocSecurityTest1 tree: the top-level collection gives 'other' read but no execute.
        createCollection(broker, txn, TEST_COLLECTION_1, "rwxr-xr--");
        createCollection(broker, txn, TEST_SUB_COLLECTION_1, allAccess);
        createDocument(broker, txn, TEST_SUB_COLLECTION_1, TEST_DOC_NAME_1, content, allAccess);

        // /db/fnDocSecurityTest2 tree: the mode bits allow 'other' r-x, but an ACE denies r-x to TEST_USER_1.
        final ACEAider denyUser1 = new ACEAider(ACLPermission.ACE_ACCESS_TYPE.DENIED, ACLPermission.ACE_TARGET.USER, TEST_USER_1, SimpleACLPermission.aceSimpleSymbolicModeToInt("r-x"));
        createCollection(broker, txn, TEST_COLLECTION_2, "rwxr-xr-x", denyUser1);
        createCollection(broker, txn, TEST_SUB_COLLECTION_2, allAccess);
        createDocument(broker, txn, TEST_SUB_COLLECTION_2, TEST_DOC_NAME_2, content, allAccess);

        txn.commit();
    }
}
Also used : DBBroker(org.exist.storage.DBBroker) ACEAider(org.exist.security.internal.aider.ACEAider) Txn(org.exist.storage.txn.Txn) BrokerPool(org.exist.storage.BrokerPool) BeforeClass(org.junit.BeforeClass)

Example 17 with ACEAider

use of org.exist.security.internal.aider.ACEAider in project exist by eXist-db.

Method chmod_impl of the class PermissionFactory.

/**
 * Applies a mode change and/or an ACL change to {@code permission} on behalf of the broker's
 * current subject.
 *
 * The order of the steps matters: the requested state is first compared with the current state,
 * the authorisation check runs only when something would actually change, and the permission
 * object is mutated last. Keep that order when editing.
 *
 * @param broker     the broker whose current subject is the acting user
 * @param permission the permission to modify; cast to {@link ACLPermission} when an ACL change is applied
 * @param mode       the desired mode, either a symbolic string (left) or an integer mode (right);
 *                   empty to leave the mode unchanged
 * @param acl        the desired list of ACEs, replacing the existing ACL; empty to leave the ACL unchanged
 * @throws PermissionDeniedException if a change is requested and the current subject is neither a DBA
 *                                   nor the owner, or if a {@code SyntaxException} is raised while
 *                                   parsing the symbolic mode
 * @throws IllegalArgumentException  if neither {@code mode} nor {@code acl} is present
 */
private static void chmod_impl(final DBBroker broker, final Permission permission, final Optional<Either<String, Integer>> mode, final Optional<List<ACEAider>> acl) throws PermissionDeniedException {
    if ((!mode.isPresent()) && !acl.isPresent()) {
        throw new IllegalArgumentException("Either mode or acl must be provided");
    }
    try {
        // Does the requested mode differ from the current one? A symbolic mode is first resolved
        // against a scratch permission (mode 0, owned by the effective user) so that the result can
        // be compared numerically with the current mode.
        final boolean changeMode;
        if (mode.isPresent()) {
            if (mode.get().isLeft()) {
                final Subject effectiveUser = broker.getCurrentSubject();
                final Permission other = new UnixStylePermission(broker.getBrokerPool().getSecurityManager(), effectiveUser.getId(), effectiveUser.getDefaultGroup().getId(), 0);
                other.setMode(mode.get().left().get());
                changeMode = permission.getMode() != other.getMode();
            } else {
                changeMode = permission.getMode() != mode.get().right().get();
            }
        } else {
            changeMode = false;
        }
        // Does the requested ACL differ from the current one? (aclEquals is a sibling helper.)
        final boolean changeAcl = acl.map(desiredAces -> !aclEquals(permission, desiredAces)).orElse(false);
        /*
                To change the permission bits of a file, the effective user ID of the process must be equal to the owner ID
                of the file, or the process must have superuser permissions.

                This check runs before any mutation. A request that changes nothing is let through
                regardless of who makes it.
            */
        if ((changeMode || changeAcl) && (!permission.isCurrentSubjectDBA()) && !permission.isCurrentSubjectOwner()) {
            throw new PermissionDeniedException("Only a DBA or the resources owner can change the mode of a resource.");
        }
        // change the mode
        if (changeMode) {
            final boolean matchedGroup = permission.isCurrentSubjectInGroup();
            // A DBA, or a subject that is a member of the resource's group, may set the mode exactly as given.
            if (permission.isCurrentSubjectDBA() || matchedGroup) {
                if (mode.get().isLeft()) {
                    permission.setMode(mode.get().left().get());
                } else {
                    permission.setMode(mode.get().right().get());
                }
            } else {
                /*
                    If the group ID of the file does not equal either the effective group ID of the process or one of
                    the process’s supplementary group IDs and if the process does not have superuser privileges,
                    then the set-group-ID bit is automatically turned off.
                    This prevents a user from creating a set-group-ID file owned by a group that the user doesn’t
                    belong to.
                */
                if (mode.get().isLeft()) {
                    permission.setMode(removeSetGid(mode.get().left().get()));
                } else {
                    permission.setMode(removeSetGid(mode.get().right().get()));
                }
            }
        }
        // change the acl: the existing ACEs are cleared and the desired ones added in list order.
        if (changeAcl) {
            // NOTE(review): the cast assumes that any permission reaching here with an ACL request
            // is an ACLPermission — confirm at the call sites.
            final ACLPermission aclPermission = (ACLPermission) permission;
            aclPermission.clear();
            for (final ACEAider ace : acl.get()) {
                aclPermission.addACE(ace.getAccessType(), ace.getTarget(), ace.getWho(), ace.getMode());
            }
        }
    } catch (final SyntaxException se) {
        // An unparsable symbolic mode is reported as a permission problem, with the cause preserved.
        throw new PermissionDeniedException("Unrecognised mode syntax: " + se.getMessage(), se);
    }
}
Also used : ACEAider(org.exist.security.internal.aider.ACEAider) LockMode(org.exist.storage.lock.Lock.LockMode) Txn(org.exist.storage.txn.Txn) LockedDocument(org.exist.dom.persistent.LockedDocument) BrokerPool(org.exist.storage.BrokerPool) IOException(java.io.IOException) SIMPLE_SYMBOLIC_MODE_PATTERN(org.exist.security.AbstractUnixStylePermission.SIMPLE_SYMBOLIC_MODE_PATTERN) UNIX_SYMBOLIC_MODE_PATTERN(org.exist.security.AbstractUnixStylePermission.UNIX_SYMBOLIC_MODE_PATTERN) Either(com.evolvedbinary.j8fu.Either) List(java.util.List) Matcher(java.util.regex.Matcher) Logger(org.apache.logging.log4j.Logger) POSIX_CHOWN_RESTRICTED_PROPERTY(org.exist.storage.DBBroker.POSIX_CHOWN_RESTRICTED_PROPERTY) DBBroker(org.exist.storage.DBBroker) Collection(org.exist.collections.Collection) SyntaxException(org.exist.util.SyntaxException) XmldbURI(org.exist.xmldb.XmldbURI) Optional(java.util.Optional) DocumentImpl(org.exist.dom.persistent.DocumentImpl) Pattern(java.util.regex.Pattern) ConsumerE(com.evolvedbinary.j8fu.function.ConsumerE) LogManager(org.apache.logging.log4j.LogManager) XPathException(org.exist.xquery.XPathException) Permission(org.exist.security.Permission) SyntaxException(org.exist.util.SyntaxException) ACEAider(org.exist.security.internal.aider.ACEAider) Permission(org.exist.security.Permission)

Example 18 with ACEAider

use of org.exist.security.internal.aider.ACEAider in project exist by eXist-db.

Method getSubCollectionPermissions of the class RemoteUserManagementService.

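/**
 * Returns the permissions of the sub-collection {@code name} of {@code cParent}.
 *
 * The permissions cached on the parent are used when available; otherwise the
 * {@code getSubCollectionPermissions} remote call is made and its result map
 * (keys {@code owner}, {@code group}, {@code permissions}, {@code acl}) is converted
 * into a {@link Permission}.
 *
 * @param cParent the parent collection; must be a {@code RemoteCollection}
 * @param name    the name of the sub-collection
 * @return the permissions of the sub-collection
 * @throws XMLDBException with {@code INVALID_COLLECTION} if this service has no collection,
 *                        or with {@code PERMISSION_DENIED} if the lookup is refused
 */
@Override
public Permission getSubCollectionPermissions(final Collection cParent, final String name) throws XMLDBException {
    if (collection == null) {
        throw new XMLDBException(ErrorCodes.INVALID_COLLECTION, "collection is null");
    }
    final RemoteCollection parent = (RemoteCollection) cParent;
    try {
        // Prefer what the parent already knows; only round-trip to the server on a miss.
        final Permission cached = parent.getSubCollectionPermissions(name);
        if (cached != null) {
            return cached;
        }
        final List<Object> params = new ArrayList<>(2);
        params.add(parent.getPath());
        params.add(name);
        // Wildcard map instead of a raw type: the values are cast individually below.
        final Map<?, ?> result = (Map<?, ?>) collection.execute("getSubCollectionPermissions", params);
        final String owner = (String) result.get("owner");
        final String group = (String) result.get("group");
        final int mode = (Integer) result.get("permissions");
        final Stream<ACEAider> aces = extractAces(result.get("acl"));
        return getPermission(owner, group, mode, aces);
    } catch (final PermissionDeniedException pde) {
        throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, pde.getMessage(), pde);
    }
}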
Also used : ACEAider(org.exist.security.internal.aider.ACEAider) ACLPermission(org.exist.security.ACLPermission) Permission(org.exist.security.Permission) XMLDBException(org.xmldb.api.base.XMLDBException) PermissionDeniedException(org.exist.security.PermissionDeniedException)

Example 19 with ACEAider

use of org.exist.security.internal.aider.ACEAider in project exist by eXist-db.

Method getSubResourcePermissions of the class RemoteUserManagementService.

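/**
 * Returns the permissions of the resource {@code name} stored in {@code cParent}.
 *
 * The permissions cached on the parent are used when available; otherwise the
 * {@code getSubResourcePermissions} remote call is made and its result map
 * (keys {@code owner}, {@code group}, {@code permissions}, {@code acl}) is converted
 * into a {@link Permission}.
 *
 * @param cParent the parent collection; must be a {@code RemoteCollection}
 * @param name    the name of the resource
 * @return the permissions of the resource
 * @throws XMLDBException with {@code INVALID_RESOURCE} if this service has no collection,
 *                        or with {@code PERMISSION_DENIED} if the lookup is refused
 */
@Override
public Permission getSubResourcePermissions(final Collection cParent, final String name) throws XMLDBException {
    if (collection == null) {
        throw new XMLDBException(ErrorCodes.INVALID_RESOURCE, "collection is null");
    }
    final RemoteCollection parent = (RemoteCollection) cParent;
    try {
        // NOTE(review): the cache lookup asks the parent for a *sub-collection* of this name while
        // the remote call below asks for a *resource*; if the parent keeps a resource-specific
        // cache, that is the one to consult here. Confirm against RemoteCollection.
        final Permission cached = parent.getSubCollectionPermissions(name);
        if (cached != null) {
            return cached;
        }
        final List<Object> params = new ArrayList<>(2);
        params.add(parent.getPath());
        params.add(name);
        // Wildcard map instead of a raw type: the values are cast individually below.
        final Map<?, ?> result = (Map<?, ?>) collection.execute("getSubResourcePermissions", params);
        final String owner = (String) result.get("owner");
        final String group = (String) result.get("group");
        final int mode = (Integer) result.get("permissions");
        final Stream<ACEAider> aces = extractAces(result.get("acl"));
        return getPermission(owner, group, mode, aces);
    } catch (final PermissionDeniedException pde) {
        throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, pde.getMessage(), pde);
    }
}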
Also used : ACEAider(org.exist.security.internal.aider.ACEAider) ACLPermission(org.exist.security.ACLPermission) Permission(org.exist.security.Permission) XMLDBException(org.xmldb.api.base.XMLDBException) PermissionDeniedException(org.exist.security.PermissionDeniedException)

Example 20 with ACEAider

use of org.exist.security.internal.aider.ACEAider in project exist by eXist-db.

Method getACEs of the class RemoteUserManagementService.

/**
 * Copies every ACE of {@code perm} into a list of {@link ACEAider} values, in ACL order.
 *
 * @param perm the permission to read; must be an {@link ACLPermission}
 * @return a new, mutable list holding one ACEAider per ACE (empty when the ACL is empty)
 */
private List<ACEAider> getACEs(final Permission perm) {
    final ACLPermission aclPerm = (ACLPermission) perm;
    final List<ACEAider> copies = new ArrayList<>();
    int idx = 0;
    while (idx < aclPerm.getACECount()) {
        final ACEAider copy = new ACEAider(aclPerm.getACEAccessType(idx), aclPerm.getACETarget(idx), aclPerm.getACEWho(idx), aclPerm.getACEMode(idx));
        copies.add(copy);
        idx++;
    }
    return copies;
}
Also used : ACLPermission(org.exist.security.ACLPermission) ACEAider(org.exist.security.internal.aider.ACEAider)

Aggregations

ACEAider (org.exist.security.internal.aider.ACEAider)23 PermissionDeniedException (org.exist.security.PermissionDeniedException)8 XMLDBException (org.xmldb.api.base.XMLDBException)8 ACLPermission (org.exist.security.ACLPermission)7 Permission (org.exist.security.Permission)7 ArrayList (java.util.ArrayList)5 Map (java.util.Map)3 Collection (org.exist.collections.Collection)3 BrokerPool (org.exist.storage.BrokerPool)3 DBBroker (org.exist.storage.DBBroker)3 Txn (org.exist.storage.txn.Txn)3 ACE_ACCESS_TYPE (org.exist.security.ACLPermission.ACE_ACCESS_TYPE)2 ACE_TARGET (org.exist.security.ACLPermission.ACE_TARGET)2 BeforeClass (org.junit.BeforeClass)2 Collection (org.xmldb.api.base.Collection)2 Either (com.evolvedbinary.j8fu.Either)1 ConsumerE (com.evolvedbinary.j8fu.function.ConsumerE)1 IOException (java.io.IOException)1 URISyntaxException (java.net.URISyntaxException)1 List (java.util.List)1