use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.
the class RpcConnection method addGroup.
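/**
 * Creates the group {@code name} with the supplied metadata, unless a group of that name
 * already exists.
 *
 * @param name     name of the group to create
 * @param metadata metadata entries keyed by schema namespace; keys that resolve to neither an
 *                 {@link AXSchemaType} nor an {@link EXistSchemaType} are ignored; {@code null}
 *                 is treated as empty
 * @return {@code true} if the group was created, {@code false} if it already existed
 * @throws PermissionDeniedException if the calling user lacks admin privileges
 * @throws EXistException if the database operation fails
 */
@Override
public boolean addGroup(final String name, final Map<String, String> metadata) throws EXistException, PermissionDeniedException {
    final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
    // NOTE(review): the existence check runs before the privilege check, so a caller without
    // admin privileges can tell existing group names (false) from unknown ones (exception).
    // Kept as-is because callers rely on the boolean; reorder if that distinction matters.
    if (manager.hasGroup(name)) {
        return false;
    }
    if (!manager.hasAdminPrivileges(user)) {
        throw new PermissionDeniedException("Not allowed to create group");
    }
    final Group role = new GroupAider(name);
    if (metadata != null) {
        for (final Map.Entry<String, String> entry : metadata.entrySet()) {
            // resolve the namespace key once; unknown namespaces are silently skipped
            final AXSchemaType axType = AXSchemaType.valueOfNamespace(entry.getKey());
            if (axType != null) {
                role.setMetadataValue(axType, entry.getValue());
                continue;
            }
            final EXistSchemaType existType = EXistSchemaType.valueOfNamespace(entry.getKey());
            if (existType != null) {
                role.setMetadataValue(existType, entry.getValue());
            }
        }
    }
    withDb((broker, transaction) -> manager.addGroup(broker, role));
    return true;
}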
use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.
the class XMLDBAuthenticateTest method beforeClass.
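/**
 * JUnit {@code @Before} fixture (despite its name it runs before every test): connects to
 * {@code /db} over XML-RPC as the admin user and creates the group and account the tests use.
 *
 * @throws XMLDBException if the collection cannot be opened or the group/account cannot be created
 */
@Before
public void beforeClass() throws XMLDBException {
    final Collection root = DatabaseManager.getCollection("xmldb:exist://localhost:" + existWebServer.getPort() + "/xmlrpc/db", TestUtils.ADMIN_DB_USER, TestUtils.ADMIN_DB_PWD);
    try {
        final UserManagementService ums = (UserManagementService) root.getService("UserManagementService", "1.0");
        // the account's primary group is a group of the same name
        final GroupAider group1 = new GroupAider(USER1_UID);
        ums.addGroup(group1);
        final UserAider user1 = new UserAider(USER1_UID, group1);
        user1.setPassword(USER1_PWD);
        ums.addAccount(user1);
    } finally {
        // release the XML:DB collection handle even if the setup calls fail
        root.close();
    }
}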
use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.
the class GroupManagementFunction method eval.
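/**
 * Entry point for the group-management XQuery functions: dispatches on the name the function
 * was called as ({@code qnCreateGroup} or {@code qnRemoveGroup}).
 *
 * @param args            {@code args[0]} is the group name; the remaining arguments depend on
 *                        the matched signature
 * @param contextSequence unused
 * @return the empty sequence
 * @throws XPathException on an unknown function name, a failed precondition, or when the
 *                        security manager reports a permission or database error
 */
@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    final SecurityManager securityManager = context.getBroker().getBrokerPool().getSecurityManager();
    final Subject currentSubject = context.getBroker().getCurrentSubject();
    try {
        final String groupName = args[0].itemAt(0).getStringValue();
        if (isCalledAs(qnCreateGroup.getLocalPart())) {
            evalCreateGroup(securityManager, currentSubject, groupName, args);
        } else if (isCalledAs(qnRemoveGroup.getLocalPart())) {
            evalRemoveGroup(securityManager, currentSubject, groupName, args);
        } else {
            throw new XPathException(this, "Unknown function call: " + getSignature());
        }
        return Sequence.EMPTY_SEQUENCE;
    } catch (final PermissionDeniedException | EXistException pde) {
        // both are wrapped so the XQuery caller sees a single error type
        throw new XPathException(this, pde);
    }
}

/**
 * Creates {@code groupName}, managed by the caller plus any explicitly listed managers, with
 * an optional description. Only a DBA may create groups.
 */
private void evalCreateGroup(final SecurityManager securityManager, final Subject currentSubject,
        final String groupName, final Sequence[] args)
        throws XPathException, PermissionDeniedException, EXistException {
    if (securityManager.hasGroup(groupName)) {
        throw new XPathException(this, "The group with name " + groupName + " already exists.");
    }
    if (!currentSubject.hasDbaRole()) {
        throw new XPathException(this, "Only DBA users may create a user group.");
    }
    final int argCount = getSignature().getArgumentCount();
    final Group group = new GroupAider(groupName);
    // the creator always manages the new group
    group.addManager(currentSubject);
    if (argCount == 3) {
        // the 3-argument form carries an explicit manager list in args[1]
        final List<Account> groupManagers = getGroupManagers(securityManager, args[1]);
        group.addManagers(groupManagers);
    }
    if (argCount >= 2) {
        // the description is always the last argument
        // NOTE(review): uses Sequence.toString() rather than getStringValue() — confirm it yields plain text
        group.setMetadataValue(EXistSchemaType.DESCRIPTION, args[argCount - 1].toString());
    }
    securityManager.addGroup(context.getBroker(), group);
}

/**
 * Removes {@code groupName}. The optional second argument names a successor group the caller
 * must belong to; "guest" is the default.
 */
private void evalRemoveGroup(final SecurityManager securityManager, final Subject currentSubject,
        final String groupName, final Sequence[] args)
        throws XPathException, PermissionDeniedException, EXistException {
    if (!securityManager.hasGroup(groupName)) {
        throw new XPathException(this, "The group with name " + groupName + " does not exist.");
    }
    final Group successorGroup;
    if (getArgumentCount() == 2) {
        final String successorGroupName = args[1].itemAt(0).getStringValue();
        if (!currentSubject.hasGroup(successorGroupName)) {
            throw new PermissionDeniedException("You must be a member of the group for which permissions should be inherited by");
        }
        successorGroup = securityManager.getGroup(successorGroupName);
    } else {
        successorGroup = securityManager.getGroup("guest");
    }
    // TODO(review): successorGroup is resolved (and the membership check above enforced) but is
    // never handed to deleteGroup, so no permission inheritance happens here — confirm whether
    // SecurityManager.deleteGroup is expected to take it.
    securityManager.deleteGroup(groupName);
}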
use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.
the class AccountManagementFunction method eval.
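/**
 * Entry point for the account-management XQuery functions: dispatches on the name the
 * function was called as ({@code qnRemoveAccount}, {@code qnPasswd}, {@code qnPasswdHash}
 * or {@code qnCreateAccount}).
 *
 * @param args            {@code args[0]} is the username; {@code args[1]} is the password for
 *                        every function except account removal; the remaining arguments
 *                        depend on the matched signature
 * @param contextSequence unused
 * @return the empty sequence
 * @throws XPathException on an unknown function name, a failed precondition, or when the
 *                        security manager reports a permission or database error
 */
@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    final DBBroker broker = getContext().getBroker();
    final Subject currentUser = broker.getCurrentSubject();
    final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
    final String username = args[0].getStringValue();
    try {
        if (isCalledAs(qnRemoveAccount.getLocalPart())) {
            evalRemoveAccount(securityManager, currentUser, username);
        } else {
            // every remaining function carries the password as its second argument
            final String password = args[1].getStringValue();
            if (isCalledAs(qnPasswd.getLocalPart()) || isCalledAs(qnPasswdHash.getLocalPart())) {
                evalChangePassword(securityManager, currentUser, username, password);
            } else if (isCalledAs(qnCreateAccount.getLocalPart())) {
                evalCreateAccount(broker, securityManager, currentUser, username, password, args);
            } else {
                throw new XPathException(this, "Unknown function call: " + getSignature());
            }
        }
    } catch (final PermissionDeniedException | EXistException pde) {
        // both are wrapped so the XQuery caller sees a single error type
        throw new XPathException(this, pde);
    }
    return Sequence.EMPTY_SEQUENCE;
}

/** Removes an existing account; only a DBA may do so, and never for the calling user itself. */
private void evalRemoveAccount(final SecurityManager securityManager, final Subject currentUser, final String username)
        throws XPathException, PermissionDeniedException, EXistException {
    if (!currentUser.hasDbaRole()) {
        throw new XPathException(this, "Only a DBA user may remove accounts.");
    }
    if (!securityManager.hasAccount(username)) {
        throw new XPathException(this, "The user account with username " + username + " does not exist.");
    }
    if (currentUser.getName().equals(username)) {
        throw new XPathException(this, "You cannot remove yourself i.e. the currently logged in user.");
    }
    securityManager.deleteAccount(username);
}

/** Sets a new password; the passwd-hash variant hands the value to the Password credential as-is. */
private void evalChangePassword(final SecurityManager securityManager, final Subject currentUser,
        final String username, final String password)
        throws XPathException, PermissionDeniedException, EXistException {
    // a user may change only their own password; a DBA may change anyone's
    if (!(currentUser.getName().equals(username) || currentUser.hasDbaRole())) {
        throw new XPathException(this, "You may only change your own password, unless you are a DBA.");
    }
    final Account account = securityManager.getAccount(username);
    if (account == null) {
        // NOTE(review): assumes getAccount returns null for unknown names — confirm; without
        // this guard an unknown username would surface as a NullPointerException
        throw new XPathException(this, "The user account with username " + username + " does not exist.");
    }
    if (isCalledAs(qnPasswdHash.getLocalPart())) {
        // presumably an already-hashed value (function name); it is passed straight to the credential
        account.setCredential(new Password(account, Password.DEFAULT_ALGORITHM, password));
    } else {
        account.setPassword(password);
    }
    securityManager.updateAccount(account);
}

/** Creates an account and, for the 3- and 5-argument signatures, a personal group of the same name. */
private void evalCreateAccount(final DBBroker broker, final SecurityManager securityManager, final Subject currentUser,
        final String username, final String password, final Sequence[] args)
        throws XPathException, PermissionDeniedException, EXistException {
    if (!currentUser.hasDbaRole()) {
        throw new XPathException(this, "You must be a DBA to create a User Account.");
    }
    if (securityManager.hasAccount(username)) {
        throw new XPathException(this, "The user account with username " + username + " already exists.");
    }
    final int argCount = getSignature().getArgumentCount();
    // signatures without an explicit primary group get a personal group named after the user
    final boolean createPersonalGroup = argCount == 3 || argCount == 5;

    final Account user = new UserAider(username);
    user.setPassword(password);
    if (argCount >= 5) {
        // full name and description are always the last two arguments
        // NOTE(review): uses Sequence.toString() rather than getStringValue() — confirm it yields plain text
        user.setMetadataValue(AXSchemaType.FULLNAME, args[argCount - 2].toString());
        user.setMetadataValue(EXistSchemaType.DESCRIPTION, args[argCount - 1].toString());
    }

    final String[] subGroups;
    if (createPersonalGroup) {
        final Group group = new GroupAider(username);
        group.setMetadataValue(EXistSchemaType.DESCRIPTION, "Personal group for " + username);
        group.addManager(currentUser);
        // NOTE(review): the group is persisted before the account; if addAccount below fails,
        // the personal group is left behind
        securityManager.addGroup(broker, group);
        // the personal group becomes the primary group
        user.addGroup(username);
        subGroups = getGroups(args[2]);
    } else {
        final String primaryGroup = args[2].getStringValue();
        if (primaryGroup == null || primaryGroup.isEmpty()) {
            throw new XPathException(this, "You must specify a primary group for the user.");
        }
        user.addGroup(primaryGroup);
        subGroups = getGroups(args[3]);
    }
    for (final String subGroup : subGroups) {
        user.addGroup(subGroup);
    }

    securityManager.addAccount(user);
    if (createPersonalGroup) {
        // the account now exists, so it can be made a manager of its own personal group
        final Group group = securityManager.getGroup(username);
        group.addManager(securityManager.getAccount(username));
        securityManager.updateGroup(group);
    }
}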
use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.
the class XMLDBSecurityTest method setup.
// TODO need tests for
// 4) Copying Collections to destinations where permission is denied!
// 5) What about move Document, move Collection?
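/**
 * Per-test fixture, run as the database admin:
 * 1) Sets '/db' to rwxr-xr-x (0755)
 * 2) Removes any leftover accounts 'test1', 'test2', 'test3' and group 'users'
 * 3) Adds the Group 'users'
 * 4) Adds the User 'test1' with password 'test1' and sets their primary group to 'users'
 * 5) Creates the group 'extusers' and adds 'test1' to it
 * 6) Adds the User 'test2' with password 'test2' and sets their primary group to 'users'
 * 7) Creates the group 'test2-only' and adds 'test2' to it
 * 8) Adds the User 'test3' with password 'test3' and sets their primary group to 'guest'
 * 9) Creates the Collection '/db/securityTest1' owned by 'test1':'users' with permissions rwxrwx--- (0770)
 * 10) Creates the XML resource '/db/securityTest1/test.xml' (as 'test1') with permissions rwxrwx--- (0770)
 * 11) Creates the Binary resource '/db/securityTest1/test.bin' (as 'test1') with permissions rwxrwx--- (0770)
 * 12) Creates the Collection '/db/securityTest2' owned by 'test1':'users' with permissions rwxrwxr-x (0775)
 * 13) Creates the Collection '/db/securityTest3' owned by 'test3':'users' with permissions rwxrwxrwx (0777)
 * 14) Creates the Collection '/db/securityTest1/sub1' (as 'test1') owned by 'test1':'users' with permissions rwxrwxrwx (0777)
 *
 * @throws XMLDBException if any of the XML:DB calls fails
 */
@Before
public void setup() throws XMLDBException {
    final Collection root = DatabaseManager.getCollection(getBaseUri() + "/db", TestUtils.ADMIN_DB_USER, TestUtils.ADMIN_DB_PWD);
    final UserManagementService rootUms = umsOf(root);
    // ensure /db is always 755
    rootUms.chmod("rwxr-xr-x");
    // start from a clean slate: drop the accounts and the shared group left by an earlier run
    removeAccounts(rootUms, new String[] { "test1", "test2", "test3" });
    removeGroups(rootUms, new String[] { "users" });

    final Group users = new GroupAider("exist", "users");
    rootUms.addGroup(users);
    addTestAccount(rootUms, "test1", "test1", users);
    final Group extUsers = new GroupAider("exist", "extusers");
    rootUms.addGroup(extUsers);
    rootUms.addAccountToGroup("test1", "extusers");
    addTestAccount(rootUms, "test2", "test2", users);
    final Group test2Only = new GroupAider("exist", "test2-only");
    rootUms.addGroup(test2Only);
    rootUms.addAccountToGroup("test2", "test2-only");
    addTestAccount(rootUms, "test3", "test3", rootUms.getGroup("guest"));

    // /db/securityTest1 owned by test1:users, rwx for user and group, none for world
    final Collection test1ColAsAdmin = cmsOf(root).createCollection("securityTest1");
    final UserManagementService test1Ums = umsOf(test1ColAsAdmin);
    final Account test1 = test1Ums.getAccount("test1");
    test1Ums.chown(test1, "users");
    test1Ums.chmod(0770);

    // the resources are stored through a test1 login; the admin-scoped service of the same
    // collection (test1Ums) is then used to set their mode
    final Collection test1ColAsTest1 = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    Resource resource = test1ColAsTest1.createResource("test.xml", XMLResource.RESOURCE_TYPE);
    resource.setContent("<test/>");
    test1ColAsTest1.storeResource(resource);
    test1Ums.chmod(resource, 0770);
    resource = test1ColAsTest1.createResource("test.bin", BinaryResource.RESOURCE_TYPE);
    // explicit charset: String.getBytes() without one depends on the platform default
    resource.setContent("binary-test".getBytes(java.nio.charset.StandardCharsets.UTF_8));
    test1ColAsTest1.storeResource(resource);
    test1Ums.chmod(resource, 0770);

    // /db/securityTest2 owned by test1:users, rwx for user and group, r-x for world
    final Collection test2Col = cmsOf(root).createCollection("securityTest2");
    final UserManagementService test2Ums = umsOf(test2Col);
    test2Ums.chown(test1, "users");
    test2Ums.chmod(0775);

    // /db/securityTest3 owned by test3, full permissions for all
    final Collection test3Col = cmsOf(root).createCollection("securityTest3");
    final UserManagementService test3Ums = umsOf(test3Col);
    final Account test3 = test3Ums.getAccount("test3");
    // NOTE(review): the group is 'users' although test3's primary group is 'guest' — confirm
    // which one the tests depending on this collection expect
    test3Ums.chown(test3, "users");
    test3Ums.chmod(0777);

    // /db/securityTest1/sub1 created through the test1 login, owned by test1:users, full permissions for all
    final Collection sub1 = cmsOf(test1ColAsTest1).createCollection("sub1");
    final UserManagementService sub1Ums = umsOf(sub1);
    sub1Ums.chown(test1, "users");
    sub1Ums.chmod(0777);
}

/** Looks up the UserManagementService of {@code col}. */
private static UserManagementService umsOf(final Collection col) throws XMLDBException {
    return (UserManagementService) col.getService("UserManagementService", "1.0");
}

/** Looks up the CollectionManagementService of {@code col}. */
private static CollectionManagementService cmsOf(final Collection col) throws XMLDBException {
    return (CollectionManagementService) col.getService("CollectionManagementService", "1.0");
}

/** Creates account {@code name} with {@code password} and {@code primaryGroup} through {@code ums}. */
private static void addTestAccount(final UserManagementService ums, final String name, final String password,
        final Group primaryGroup) throws XMLDBException {
    final UserAider user = new UserAider(name, primaryGroup);
    user.setPassword(password);
    ums.addAccount(user);
}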