use of org.exist.security.internal.aider.ACEAider in project exist by eXist-db.
the class FnDocSecurityTest method setup.
/**
 * Sets up the database like:
 *
 * /db/all.xml system:dba rwxrwxrwx
 * /db/system-only.xml system:dba rwx------
 *
 * /db/fnDocSecurityTest1 system:dba rwxr-xr--
 * /db/fnDocSecurityTest1/child1 system:dba rwxrwxrwx
 * /db/fnDocSecurityTest1/child1/doc1.xml system:dba rwxrwxrwx
 *
 * /db/fnDocSecurityTest2 system:dba rwxr-xr-x+ (acl=[DENIED USER docTestUser1 "r-x"])
 * /db/fnDocSecurityTest2/child2 system:dba rwxrwxrwx
 * /db/fnDocSecurityTest2/child2/doc2.xml system:dba rwxrwxrwx
 *
 * Creates a new user: docTestUser1
 *
 * Everything is created as the system subject inside a single transaction, so all
 * objects end up owned by system:dba and the fixture is either complete or absent.
 */
@BeforeClass
public static void setup() throws EXistException, PermissionDeniedException, SyntaxException, IOException, SAXException, LockException {
    final BrokerPool brokerPool = server.getBrokerPool();
    final SecurityManager sm = brokerPool.getSecurityManager();

    // run as the system subject
    try (final DBBroker sysBroker = brokerPool.get(Optional.of(sm.getSystemSubject()));
         final Txn txn = brokerPool.getTransactionManager().beginTransaction()) {

        createUser(sm, sysBroker, TEST_USER_1);

        // /db/all.xml (world readable) and /db/system-only.xml (owner only)
        createDocument(sysBroker, txn, ROOT_COLLECTION, TEST_DOC_NAME_ALL, "<hello/>", "rwxrwxrwx");
        createDocument(sysBroker, txn, ROOT_COLLECTION, TEST_DOC_NAME_SYSTEM_ONLY, "<hello/>", "rwx------");

        // /db/fnDocSecurityTest1/...: access is restricted purely by the parent's mode bits
        // ("other" has no execute bit, so it cannot traverse the collection)
        createCollection(sysBroker, txn, TEST_COLLECTION_1, "rwxr-xr--");
        createCollection(sysBroker, txn, TEST_SUB_COLLECTION_1, "rwxrwxrwx");
        createDocument(sysBroker, txn, TEST_SUB_COLLECTION_1, TEST_DOC_NAME_1, "<hello/>", "rwxrwxrwx");

        // /db/fnDocSecurityTest2/...: the parent's mode would let "other" traverse it, but an
        // explicit ACE denies r-x to the test user, so the ACL must win over the mode bits
        final ACEAider denyTestUser1 = new ACEAider(
                ACLPermission.ACE_ACCESS_TYPE.DENIED,
                ACLPermission.ACE_TARGET.USER,
                TEST_USER_1,
                SimpleACLPermission.aceSimpleSymbolicModeToInt("r-x"));
        createCollection(sysBroker, txn, TEST_COLLECTION_2, "rwxr-xr-x", denyTestUser1);
        createCollection(sysBroker, txn, TEST_SUB_COLLECTION_2, "rwxrwxrwx");
        createDocument(sysBroker, txn, TEST_SUB_COLLECTION_2, TEST_DOC_NAME_2, "<hello/>", "rwxrwxrwx");

        txn.commit();
    }
}
use of org.exist.security.internal.aider.ACEAider in project exist by eXist-db.
the class PermissionFactory method chmod_impl.
/**
 * Changes the mode bits and/or the ACL of {@code permission} in place, enforcing chmod-style rules.
 * <p>
 * As far as the visible checks go, the rules mirror POSIX chmod(2):
 * <ul>
 *   <li>only a DBA or the owner of the resource may change its mode or ACL;</li>
 *   <li>a non-DBA whose subject is not in the resource's group has the set-group-ID bit stripped
 *       from the requested mode.</li>
 * </ul>
 * The authorisation check runs before anything is mutated, and only when the requested mode or
 * ACL actually differs from the current one; a request for the mode/ACL that is already set is
 * therefore accepted from any subject as a no-op.
 *
 * @param broker     supplies the current (effective) subject of the operation
 * @param permission the permission to modify; must be an {@link ACLPermission} when {@code acl}
 *                   is present and differs from the current ACL (see the cast below)
 * @param mode       optional new mode: left = symbolic mode string, right = integer mode
 * @param acl        optional complete ACE list that replaces the existing ACL
 * @throws IllegalArgumentException  if neither {@code mode} nor {@code acl} is present
 * @throws PermissionDeniedException if the current subject may not change the permission, or the
 *                                   symbolic mode cannot be parsed
 */
private static void chmod_impl(final DBBroker broker, final Permission permission, final Optional<Either<String, Integer>> mode, final Optional<List<ACEAider>> acl) throws PermissionDeniedException {
    if ((!mode.isPresent()) && !acl.isPresent()) {
        throw new IllegalArgumentException("Either mode or acl must be provided");
    }
    try {
        // Work out whether the request would change anything at all, before any authorisation
        // check: a no-op is allowed for everybody, a real change only for DBA/owner (below).
        final boolean changeMode;
        if (mode.isPresent()) {
            if (mode.get().isLeft()) {
                // Symbolic mode: resolve it to mode bits by applying it to a throw-away permission
                // (initial mode 0) owned by the effective user, then compare with the current bits.
                // NOTE(review): a relative symbolic mode (e.g. one that only adds or removes bits)
                // is resolved against 0 here rather than against the current mode, so this may
                // report a change where none would result - confirm that is intended. It can only
                // make the DBA/owner check below stricter, never skip it.
                final Subject effectiveUser = broker.getCurrentSubject();
                final Permission other = new UnixStylePermission(broker.getBrokerPool().getSecurityManager(), effectiveUser.getId(), effectiveUser.getDefaultGroup().getId(), 0);
                other.setMode(mode.get().left().get());
                changeMode = permission.getMode() != other.getMode();
            } else {
                // Integer mode: direct comparison with the current bits.
                changeMode = permission.getMode() != mode.get().right().get();
            }
        } else {
            changeMode = false;
        }
        // An ACL request only counts as a change when the desired ACE list differs from the current ACL.
        final boolean changeAcl = acl.map(desiredAces -> !aclEquals(permission, desiredAces)).orElse(false);
        /*
         * To change the permission bits of a file, the effective user ID of the process must be
         * equal to the owner ID of the file, or the process must have superuser permissions.
         * The same rule is applied to ACL changes here.
         */
        if ((changeMode || changeAcl) && (!permission.isCurrentSubjectDBA()) && !permission.isCurrentSubjectOwner()) {
            throw new PermissionDeniedException("Only a DBA or the resources owner can change the mode of a resource.");
        }
        // change the mode
        if (changeMode) {
            final boolean matchedGroup = permission.isCurrentSubjectInGroup();
            if (permission.isCurrentSubjectDBA() || matchedGroup) {
                // DBA, or owner who is also in the resource's group: apply the mode as requested.
                if (mode.get().isLeft()) {
                    permission.setMode(mode.get().left().get());
                } else {
                    permission.setMode(mode.get().right().get());
                }
            } else {
                /*
                 * If the group ID of the file does not equal either the effective group ID of the
                 * process or one of the process's supplementary group IDs and if the process does
                 * not have superuser privileges, then the set-group-ID bit is automatically turned off.
                 * This prevents a user from creating a set-group-ID file owned by a group that the
                 * user doesn't belong to.
                 */
                if (mode.get().isLeft()) {
                    permission.setMode(removeSetGid(mode.get().left().get()));
                } else {
                    permission.setMode(removeSetGid(mode.get().right().get()));
                }
            }
        }
        // change the acl
        if (changeAcl) {
            // NOTE(review): this cast throws ClassCastException if the permission is not
            // ACL-capable; whether aclEquals() already returns true for such permissions
            // (making changeAcl false) is not visible here - confirm.
            final ACLPermission aclPermission = (ACLPermission) permission;
            // The desired list is authoritative: drop every existing ACE, then add the requested
            // ones in the order given.
            aclPermission.clear();
            for (final ACEAider ace : acl.get()) {
                aclPermission.addACE(ace.getAccessType(), ace.getTarget(), ace.getWho(), ace.getMode());
            }
        }
    } catch (final SyntaxException se) {
        // A malformed symbolic mode surfaces as PermissionDeniedException; the cause is preserved.
        throw new PermissionDeniedException("Unrecognised mode syntax: " + se.getMessage(), se);
    }
}
use of org.exist.security.internal.aider.ACEAider in project exist by eXist-db.
the class RemoteUserManagementService method getSubCollectionPermissions.
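/**
 * Returns the permissions of the sub-collection {@code name} of {@code cParent}.
 * <p>
 * The parent's locally cached sub-collection permissions are consulted first; only on a cache
 * miss ({@code null}) is the {@code getSubCollectionPermissions} remote call made, and its
 * {@code owner}/{@code group}/{@code permissions}/{@code acl} entries are assembled into a
 * {@link Permission}.
 *
 * @param cParent the parent collection; must be a {@link RemoteCollection}
 * @param name    the name of the sub-collection
 * @return the sub-collection's permissions
 * @throws XMLDBException with {@code INVALID_COLLECTION} if this service is not bound to a
 *                        collection, or {@code PERMISSION_DENIED} if the server rejects the lookup
 */
@Override
public Permission getSubCollectionPermissions(final Collection cParent, final String name) throws XMLDBException {
    if (collection == null) {
        throw new XMLDBException(ErrorCodes.INVALID_COLLECTION, "collection is null");
    }
    final RemoteCollection parent = (RemoteCollection) cParent;
    Permission perm;
    try {
        perm = parent.getSubCollectionPermissions(name);
        if (perm == null) {
            final List<Object> params = new ArrayList<>(2);
            params.add(parent.getPath());
            params.add(name);
            // Wildcard-typed view rather than a raw Map: the remote response is untyped, so each
            // value is still cast explicitly below, but the raw-type warning is gone.
            final Map<?, ?> result = (Map<?, ?>) collection.execute("getSubCollectionPermissions", params);
            final String owner = (String) result.get("owner");
            final String group = (String) result.get("group");
            final int mode = (Integer) result.get("permissions");
            final Stream<ACEAider> aces = extractAces(result.get("acl"));
            perm = getPermission(owner, group, mode, aces);
        }
    } catch (final PermissionDeniedException pde) {
        // Translate to the XML:DB API exception, keeping the cause.
        throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, pde.getMessage(), pde);
    }
    return perm;
}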
use of org.exist.security.internal.aider.ACEAider in project exist by eXist-db.
the class RemoteUserManagementService method getSubResourcePermissions.
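/**
 * Returns the permissions of the resource {@code name} stored in {@code cParent}.
 * <p>
 * The parent's locally cached permissions are consulted first; only on a cache miss
 * ({@code null}) is the {@code getSubResourcePermissions} remote call made, and its
 * {@code owner}/{@code group}/{@code permissions}/{@code acl} entries are assembled into a
 * {@link Permission}.
 *
 * @param cParent the collection holding the resource; must be a {@link RemoteCollection}
 * @param name    the name of the resource
 * @return the resource's permissions
 * @throws XMLDBException with {@code INVALID_RESOURCE} if this service is not bound to a
 *                        collection, or {@code PERMISSION_DENIED} if the server rejects the lookup
 */
@Override
public Permission getSubResourcePermissions(final Collection cParent, final String name) throws XMLDBException {
    if (collection == null) {
        throw new XMLDBException(ErrorCodes.INVALID_RESOURCE, "collection is null");
    }
    final RemoteCollection parent = (RemoteCollection) cParent;
    Permission perm;
    try {
        // NOTE(review): this consults the parent's cached *sub-collection* permissions although
        // name denotes a resource. On a miss (null) it falls through to the remote lookup, so the
        // effect is at most a wrong cache hit when a sub-collection shares the resource's name -
        // confirm whether a resource-specific cache lookup was intended here.
        perm = parent.getSubCollectionPermissions(name);
        if (perm == null) {
            final List<Object> params = new ArrayList<>(2);
            params.add(parent.getPath());
            params.add(name);
            // Wildcard-typed view rather than a raw Map: the remote response is untyped, so each
            // value is still cast explicitly below, but the raw-type warning is gone.
            final Map<?, ?> result = (Map<?, ?>) collection.execute("getSubResourcePermissions", params);
            final String owner = (String) result.get("owner");
            final String group = (String) result.get("group");
            final int mode = (Integer) result.get("permissions");
            final Stream<ACEAider> aces = extractAces(result.get("acl"));
            perm = getPermission(owner, group, mode, aces);
        }
    } catch (final PermissionDeniedException pde) {
        // Translate to the XML:DB API exception, keeping the cause.
        throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, pde.getMessage(), pde);
    }
    return perm;
}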
use of org.exist.security.internal.aider.ACEAider in project exist by eXist-db.
the class RemoteUserManagementService method getACEs.
/**
 * Copies every ACE of an ACL-capable permission into transferable {@link ACEAider} values,
 * preserving the ACE order.
 *
 * @param perm a permission that is an {@link ACLPermission}; any other implementation fails
 *             the cast with a {@code ClassCastException}
 * @return a new mutable list of the ACEs, empty when the ACL has no entries
 */
private List<ACEAider> getACEs(final Permission perm) {
    final ACLPermission acl = (ACLPermission) perm;
    final List<ACEAider> result = new ArrayList<>();
    int idx = 0;
    while (idx < acl.getACECount()) {
        final ACEAider entry = new ACEAider(
                acl.getACEAccessType(idx),
                acl.getACETarget(idx),
                acl.getACEWho(idx),
                acl.getACEMode(idx));
        result.add(entry);
        idx++;
    }
    return result;
}