Example 11 with GroupAider
use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.
the class RpcConnection method addGroup.
@Override
public boolean addGroup(final String name, final Map<String, String> metadata) throws EXistException, PermissionDeniedException {
final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
if (!manager.hasGroup(name)) {
if (!manager.hasAdminPrivileges(user)) {
throw new PermissionDeniedException("Not allowed to create group");
}
final Group role = new GroupAider(name);
for (final Map.Entry<String, String> m : metadata.entrySet()) {
if (AXSchemaType.valueOfNamespace(m.getKey()) != null) {
role.setMetadataValue(AXSchemaType.valueOfNamespace(m.getKey()), m.getValue());
} else if (EXistSchemaType.valueOfNamespace(m.getKey()) != null) {
role.setMetadataValue(EXistSchemaType.valueOfNamespace(m.getKey()), m.getValue());
}
}
withDb((broker, transaction) -> manager.addGroup(broker, role));
return true;
}
return false;
}
Also used :
Group(org.exist.security.Group)
SecurityManager(org.exist.security.SecurityManager)
PermissionDeniedException(org.exist.security.PermissionDeniedException)
GroupAider(org.exist.security.internal.aider.GroupAider)
LockedDocumentMap(org.exist.storage.lock.LockedDocumentMap)
Example 12 with GroupAider
use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.
the class XMLDBAuthenticateTest method beforeClass.
@Before
public void beforeClass() throws XMLDBException {
final Collection root = DatabaseManager.getCollection("xmldb:exist://localhost:" + existWebServer.getPort() + "/xmlrpc/db", TestUtils.ADMIN_DB_USER, TestUtils.ADMIN_DB_PWD);
final UserManagementService ums = (UserManagementService) root.getService("UserManagementService", "1.0");
final GroupAider group1 = new GroupAider(USER1_UID);
ums.addGroup(group1);
final UserAider user1 = new UserAider(USER1_UID, group1);
user1.setPassword(USER1_PWD);
ums.addAccount(user1);
}
Also used :
Collection(org.xmldb.api.base.Collection)
UserManagementService(org.exist.xmldb.UserManagementService)
GroupAider(org.exist.security.internal.aider.GroupAider)
UserAider(org.exist.security.internal.aider.UserAider)
Before(org.junit.Before)
Example 13 with GroupAider
use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.
the class GroupManagementFunction method eval.
@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
final SecurityManager securityManager = context.getBroker().getBrokerPool().getSecurityManager();
final Subject currentSubject = context.getBroker().getCurrentSubject();
try {
final String groupName = args[0].itemAt(0).getStringValue();
if (isCalledAs(qnCreateGroup.getLocalPart())) {
if (securityManager.hasGroup(groupName)) {
throw new XPathException(this, "The group with name " + groupName + " already exists.");
}
if (!currentSubject.hasDbaRole()) {
throw new XPathException(this, "Only DBA users may create a user group.");
}
final Group group = new GroupAider(groupName);
group.addManager(currentSubject);
if (getSignature().getArgumentCount() == 3) {
// set group managers
final List<Account> groupManagers = getGroupManagers(securityManager, args[1]);
group.addManagers(groupManagers);
}
// set metadata
if (getSignature().getArgumentCount() >= 2) {
group.setMetadataValue(EXistSchemaType.DESCRIPTION, args[getSignature().getArgumentCount() - 1].toString());
}
securityManager.addGroup(context.getBroker(), group);
} else if (isCalledAs(qnRemoveGroup.getLocalPart())) {
if (!securityManager.hasGroup(groupName)) {
throw new XPathException(this, "The group with name " + groupName + " does not exist.");
}
final Group successorGroup;
if (getArgumentCount() == 2) {
final String successorGroupName = args[1].itemAt(0).getStringValue();
if (!currentSubject.hasGroup(successorGroupName)) {
throw new PermissionDeniedException("You must be a member of the group for which permissions should be inherited by");
}
successorGroup = securityManager.getGroup(successorGroupName);
} else {
successorGroup = securityManager.getGroup("guest");
}
try {
securityManager.deleteGroup(groupName);
} catch (final EXistException ee) {
throw new XPathException(this, ee);
}
} else {
throw new XPathException(this, "Unknown function call: " + getSignature());
}
return Sequence.EMPTY_SEQUENCE;
} catch (final PermissionDeniedException | EXistException pde) {
throw new XPathException(this, pde);
}
}
Also used :
SecurityManager(org.exist.security.SecurityManager)
XPathException(org.exist.xquery.XPathException)
EXistException(org.exist.EXistException)
GroupAider(org.exist.security.internal.aider.GroupAider)
Example 14 with GroupAider
use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.
the class AccountManagementFunction method eval.
@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
final DBBroker broker = getContext().getBroker();
final Subject currentUser = broker.getCurrentSubject();
final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
final String username = args[0].getStringValue();
try {
if (isCalledAs(qnRemoveAccount.getLocalPart())) {
/* remove account */
if (!currentUser.hasDbaRole()) {
throw new XPathException(this, "Only a DBA user may remove accounts.");
}
if (!securityManager.hasAccount(username)) {
throw new XPathException(this, "The user account with username " + username + " does not exist.");
}
if (currentUser.getName().equals(username)) {
throw new XPathException(this, "You cannot remove yourself i.e. the currently logged in user.");
}
securityManager.deleteAccount(username);
} else {
final String password = args[1].getStringValue();
if (isCalledAs(qnPasswd.getLocalPart()) || isCalledAs(qnPasswdHash.getLocalPart())) {
if (!(currentUser.getName().equals(username) || currentUser.hasDbaRole())) {
throw new XPathException(this, "You may only change your own password, unless you are a DBA.");
}
final Account account = securityManager.getAccount(username);
if (isCalledAs(qnPasswdHash.getLocalPart())) {
account.setCredential(new Password(account, Password.DEFAULT_ALGORITHM, password));
} else {
account.setPassword(password);
}
securityManager.updateAccount(account);
} else if (isCalledAs(qnCreateAccount.getLocalPart())) {
/* create account */
if (!currentUser.hasDbaRole()) {
throw new XPathException(this, "You must be a DBA to create a User Account.");
}
if (securityManager.hasAccount(username)) {
throw new XPathException(this, "The user account with username " + username + " already exists.");
}
final Account user = new UserAider(username);
user.setPassword(password);
if (getSignature().getArgumentCount() >= 5) {
// set metadata values if present
user.setMetadataValue(AXSchemaType.FULLNAME, args[getSignature().getArgumentCount() - 2].toString());
user.setMetadataValue(EXistSchemaType.DESCRIPTION, args[getSignature().getArgumentCount() - 1].toString());
}
final String[] subGroups;
if (getSignature().getArgumentCount() == 3 || getSignature().getArgumentCount() == 5) {
// create the personal group
final Group group = new GroupAider(username);
group.setMetadataValue(EXistSchemaType.DESCRIPTION, "Personal group for " + username);
group.addManager(currentUser);
securityManager.addGroup(broker, group);
// add the personal group as the primary group
user.addGroup(username);
subGroups = getGroups(args[2]);
} else {
// add the primary group as the primary group
final String primaryGroup = args[2].getStringValue();
if (primaryGroup == null || primaryGroup.isEmpty()) {
throw new XPathException(this, "You must specify a primary group for the user.");
}
user.addGroup(primaryGroup);
subGroups = getGroups(args[3]);
}
for (String subGroup : subGroups) {
user.addGroup(subGroup);
}
// create the account
securityManager.addAccount(user);
// if we created a personal group, then add the new account as a manager of their personal group
if (getSignature().getArgumentCount() == 3 || getSignature().getArgumentCount() == 5) {
final Group group = securityManager.getGroup(username);
group.addManager(securityManager.getAccount(username));
securityManager.updateGroup(group);
}
} else {
throw new XPathException(this, "Unknown function call: " + getSignature());
}
}
} catch (final PermissionDeniedException | EXistException pde) {
throw new XPathException(this, pde);
}
return Sequence.EMPTY_SEQUENCE;
}
Also used :
SecurityManager(org.exist.security.SecurityManager)
EXistException(org.exist.EXistException)
DBBroker(org.exist.storage.DBBroker)
UserAider(org.exist.security.internal.aider.UserAider)
GroupAider(org.exist.security.internal.aider.GroupAider)
Password(org.exist.security.internal.Password)
Example 15 with GroupAider
use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.
the class XMLDBSecurityTest method setup.
// TODO need tests for
// 4) CopyingCollections to dests where permission is denied!
// 5) What about move Document, move Collection?
/**
* 1) Sets '/db' to rwxr-xr-x (0755)
* 2) Adds the Group 'users'
* 3) Adds the User 'test1' with password 'test1' and set's their primary group to 'users'
* 4) Creates the group 'extusers' and adds 'test1' to it
* 5) Adds the User 'test2' with password 'test2' and set's their primary group to 'users'
* 6) Creates the group 'test2-only` and adds 'test2' to it
* 7) Adds the User 'test3' with password 'test3' and set's their primary group to 'guest'
* 8) Creates the Collection '/db/securityTest1' owned by 'test1':'users' with permissions rwxrwx--- (0770)
* 9) Creates the XML resource '/db/securityTest1/test.xml' owned by 'test1':'users' with permissions rwxrwx--- (0770)
* 10) Creates the Binary resource '/db/securityTest1/test.bin' owned by 'test1':'users' with permissions rwxrwx--- (0770)
* 11) Creates the Collection '/db/securityTest2' owned by 'test1':'users' with permissions rwxrwxr-x (0775)
* 12) Creates the Collection '/db/securityTest3' owned by 'test3':'guest' with permissions rwxrwxrwx (0777)
*/
@Before
public void setup() throws XMLDBException {
final Collection root = DatabaseManager.getCollection(getBaseUri() + "/db", TestUtils.ADMIN_DB_USER, TestUtils.ADMIN_DB_PWD);
UserManagementService ums = (UserManagementService) root.getService("UserManagementService", "1.0");
// ensure /db is always 755
ums.chmod("rwxr-xr-x");
// remove accounts 'test1', 'test2' and 'test3'
removeAccounts(ums, new String[] { "test1", "test2", "test3" });
// remove group 'users'
removeGroups(ums, new String[] { "users" });
final Group group = new GroupAider("exist", "users");
ums.addGroup(group);
UserAider user = new UserAider("test1", group);
user.setPassword("test1");
ums.addAccount(user);
final Group extGroup = new GroupAider("exist", "extusers");
ums.addGroup(extGroup);
ums.addAccountToGroup("test1", "extusers");
user = new UserAider("test2", group);
user.setPassword("test2");
ums.addAccount(user);
final Group test2OnlyGroup = new GroupAider("exist", "test2-only");
ums.addGroup(test2OnlyGroup);
ums.addAccountToGroup("test2", "test2-only");
user = new UserAider("test3", ums.getGroup("guest"));
user.setPassword("test3");
ums.addAccount(user);
// create a collection /db/securityTest1 as owned by "test1:users" and mode 0770
CollectionManagementService cms = (CollectionManagementService) root.getService("CollectionManagementService", "1.0");
Collection test = cms.createCollection("securityTest1");
ums = (UserManagementService) test.getService("UserManagementService", "1.0");
// change ownership to test1
final Account test1 = ums.getAccount("test1");
ums.chown(test1, "users");
// full permissions for user and group, none for world
ums.chmod(0770);
test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
// create a resource /db/securityTest1/test.xml owned by "test1:users" and mode 0770
Resource resource = test.createResource("test.xml", XMLResource.RESOURCE_TYPE);
resource.setContent("<test/>");
test.storeResource(resource);
ums.chmod(resource, 0770);
resource = test.createResource("test.bin", BinaryResource.RESOURCE_TYPE);
resource.setContent("binary-test".getBytes());
test.storeResource(resource);
ums.chmod(resource, 0770);
// create a collection /db/securityTest2 as user "test1"
cms = (CollectionManagementService) root.getService("CollectionManagementService", "1.0");
Collection testCol2 = cms.createCollection("securityTest2");
ums = (UserManagementService) testCol2.getService("UserManagementService", "1.0");
// change ownership to test1
ums.chown(test1, "users");
// full permissions for user and group, none for world
ums.chmod(0775);
// create a collection /db/securityTest3 as user "test3"
cms = (CollectionManagementService) root.getService("CollectionManagementService", "1.0");
Collection testCol3 = cms.createCollection("securityTest3");
ums = (UserManagementService) testCol3.getService("UserManagementService", "1.0");
// change ownership to test3
final Account test3 = ums.getAccount("test3");
ums.chown(test3, "users");
// full permissions for all
ums.chmod(0777);
// create a sub-collection /db/securityTest1/sub1 as user "test1"
cms = (CollectionManagementService) test.getService("CollectionManagementService", "1.0");
Collection sub1 = cms.createCollection("sub1");
ums = (UserManagementService) sub1.getService("UserManagementService", "1.0");
// change ownership to test1
ums.chown(test1, "users");
// full permissions for all
ums.chmod(0777);
}
Also used :
EXistCollectionManagementService(org.exist.xmldb.EXistCollectionManagementService)
CollectionManagementService(org.xmldb.api.modules.CollectionManagementService)
BinaryResource(org.xmldb.api.modules.BinaryResource)
XMLResource(org.xmldb.api.modules.XMLResource)
Resource(org.xmldb.api.base.Resource)
Collection(org.xmldb.api.base.Collection)
UserManagementService(org.exist.xmldb.UserManagementService)
GroupAider(org.exist.security.internal.aider.GroupAider)
UserAider(org.exist.security.internal.aider.UserAider)
Before(org.junit.Before)
Aggregations
GroupAider (org.exist.security.internal.aider.GroupAider)23
UserAider (org.exist.security.internal.aider.UserAider)15
UserManagementService (org.exist.xmldb.UserManagementService)8
XMLDBException (org.xmldb.api.base.XMLDBException)7
SecurityManager (org.exist.security.SecurityManager)6
DBBroker (org.exist.storage.DBBroker)5
EXistException (org.exist.EXistException)4
PermissionDeniedException (org.exist.security.PermissionDeniedException)4
Test (org.junit.Test)4
Collection (org.exist.collections.Collection)3
Group (org.exist.security.Group)3
BrokerPool (org.exist.storage.BrokerPool)3
Txn (org.exist.storage.txn.Txn)3
IOException (java.io.IOException)2
LockedDocumentMap (org.exist.storage.lock.LockedDocumentMap)2
Before (org.junit.Before)2
Collection (org.xmldb.api.base.Collection)2
Either (com.evolvedbinary.j8fu.Either)1
BufferedInputStream (java.io.BufferedInputStream)1
InputStream (java.io.InputStream)1
