Example 11 with GroupAider

Use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.

From the class RpcConnection, method addGroup:

@Override
public boolean addGroup(final String name, final Map<String, String> metadata) throws EXistException, PermissionDeniedException {
    final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
    if (!manager.hasGroup(name)) {
        if (!manager.hasAdminPrivileges(user)) {
            throw new PermissionDeniedException("Not allowed to create group");
        }
        final Group role = new GroupAider(name);
        for (final Map.Entry<String, String> m : metadata.entrySet()) {
            if (AXSchemaType.valueOfNamespace(m.getKey()) != null) {
                role.setMetadataValue(AXSchemaType.valueOfNamespace(m.getKey()), m.getValue());
            } else if (EXistSchemaType.valueOfNamespace(m.getKey()) != null) {
                role.setMetadataValue(EXistSchemaType.valueOfNamespace(m.getKey()), m.getValue());
            }
        }
        withDb((broker, transaction) -> manager.addGroup(broker, role));
        return true;
    }
    return false;
}
Also used : Group(org.exist.security.Group) SecurityManager(org.exist.security.SecurityManager) PermissionDeniedException(org.exist.security.PermissionDeniedException) GroupAider(org.exist.security.internal.aider.GroupAider) LockedDocumentMap(org.exist.storage.lock.LockedDocumentMap)

Example 12 with GroupAider

Use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.

From the class XMLDBAuthenticateTest, method beforeClass:

@Before
public void beforeClass() throws XMLDBException {
    final Collection root = DatabaseManager.getCollection("xmldb:exist://localhost:" + existWebServer.getPort() + "/xmlrpc/db", TestUtils.ADMIN_DB_USER, TestUtils.ADMIN_DB_PWD);
    final UserManagementService ums = (UserManagementService) root.getService("UserManagementService", "1.0");
    final GroupAider group1 = new GroupAider(USER1_UID);
    ums.addGroup(group1);
    final UserAider user1 = new UserAider(USER1_UID, group1);
    user1.setPassword(USER1_PWD);
    ums.addAccount(user1);
}
Also used : Collection(org.xmldb.api.base.Collection) UserManagementService(org.exist.xmldb.UserManagementService) GroupAider(org.exist.security.internal.aider.GroupAider) UserAider(org.exist.security.internal.aider.UserAider) Before(org.junit.Before)

Example 13 with GroupAider

Use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.

From the class GroupManagementFunction, method eval:

@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    final SecurityManager securityManager = context.getBroker().getBrokerPool().getSecurityManager();
    final Subject currentSubject = context.getBroker().getCurrentSubject();
    try {
        final String groupName = args[0].itemAt(0).getStringValue();
        if (isCalledAs(qnCreateGroup.getLocalPart())) {
            if (securityManager.hasGroup(groupName)) {
                throw new XPathException(this, "The group with name " + groupName + " already exists.");
            }
            if (!currentSubject.hasDbaRole()) {
                throw new XPathException(this, "Only DBA users may create a user group.");
            }
            final Group group = new GroupAider(groupName);
            group.addManager(currentSubject);
            if (getSignature().getArgumentCount() == 3) {
                // set group managers
                final List<Account> groupManagers = getGroupManagers(securityManager, args[1]);
                group.addManagers(groupManagers);
            }
            // set metadata
            if (getSignature().getArgumentCount() >= 2) {
                group.setMetadataValue(EXistSchemaType.DESCRIPTION, args[getSignature().getArgumentCount() - 1].toString());
            }
            securityManager.addGroup(context.getBroker(), group);
        } else if (isCalledAs(qnRemoveGroup.getLocalPart())) {
            if (!securityManager.hasGroup(groupName)) {
                throw new XPathException(this, "The group with name " + groupName + " does not exist.");
            }
            // successor group is resolved below but not passed on to deleteGroup
            final Group successorGroup;
            if (getArgumentCount() == 2) {
                final String successorGroupName = args[1].itemAt(0).getStringValue();
                if (!currentSubject.hasGroup(successorGroupName)) {
                    throw new PermissionDeniedException("You must be a member of the group for which permissions should be inherited by");
                }
                successorGroup = securityManager.getGroup(successorGroupName);
            } else {
                successorGroup = securityManager.getGroup("guest");
            }
            try {
                securityManager.deleteGroup(groupName);
            } catch (final EXistException ee) {
                throw new XPathException(this, ee);
            }
        } else {
            throw new XPathException(this, "Unknown function call: " + getSignature());
        }
        return Sequence.EMPTY_SEQUENCE;
    } catch (final PermissionDeniedException | EXistException pde) {
        throw new XPathException(this, pde);
    }
}
Also used : SecurityManager(org.exist.security.SecurityManager) XPathException(org.exist.xquery.XPathException) EXistException(org.exist.EXistException) GroupAider(org.exist.security.internal.aider.GroupAider)

Example 14 with GroupAider

Use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.

From the class AccountManagementFunction, method eval:

@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    final DBBroker broker = getContext().getBroker();
    final Subject currentUser = broker.getCurrentSubject();
    final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
    final String username = args[0].getStringValue();
    try {
        if (isCalledAs(qnRemoveAccount.getLocalPart())) {
            /* remove account */
            if (!currentUser.hasDbaRole()) {
                throw new XPathException(this, "Only a DBA user may remove accounts.");
            }
            if (!securityManager.hasAccount(username)) {
                throw new XPathException(this, "The user account with username " + username + " does not exist.");
            }
            if (currentUser.getName().equals(username)) {
                throw new XPathException(this, "You cannot remove yourself i.e. the currently logged in user.");
            }
            securityManager.deleteAccount(username);
        } else {
            final String password = args[1].getStringValue();
            if (isCalledAs(qnPasswd.getLocalPart()) || isCalledAs(qnPasswdHash.getLocalPart())) {
                if (!(currentUser.getName().equals(username) || currentUser.hasDbaRole())) {
                    throw new XPathException(this, "You may only change your own password, unless you are a DBA.");
                }
                final Account account = securityManager.getAccount(username);
                if (isCalledAs(qnPasswdHash.getLocalPart())) {
                    account.setCredential(new Password(account, Password.DEFAULT_ALGORITHM, password));
                } else {
                    account.setPassword(password);
                }
                securityManager.updateAccount(account);
            } else if (isCalledAs(qnCreateAccount.getLocalPart())) {
                /* create account */
                if (!currentUser.hasDbaRole()) {
                    throw new XPathException(this, "You must be a DBA to create a User Account.");
                }
                if (securityManager.hasAccount(username)) {
                    throw new XPathException(this, "The user account with username " + username + " already exists.");
                }
                final Account user = new UserAider(username);
                user.setPassword(password);
                if (getSignature().getArgumentCount() >= 5) {
                    // set metadata values if present
                    user.setMetadataValue(AXSchemaType.FULLNAME, args[getSignature().getArgumentCount() - 2].toString());
                    user.setMetadataValue(EXistSchemaType.DESCRIPTION, args[getSignature().getArgumentCount() - 1].toString());
                }
                final String[] subGroups;
                if (getSignature().getArgumentCount() == 3 || getSignature().getArgumentCount() == 5) {
                    // create the personal group
                    final Group group = new GroupAider(username);
                    group.setMetadataValue(EXistSchemaType.DESCRIPTION, "Personal group for " + username);
                    group.addManager(currentUser);
                    securityManager.addGroup(broker, group);
                    // add the personal group as the primary group
                    user.addGroup(username);
                    subGroups = getGroups(args[2]);
                } else {
                    // use the caller-specified group as the primary group
                    final String primaryGroup = args[2].getStringValue();
                    if (primaryGroup == null || primaryGroup.isEmpty()) {
                        throw new XPathException(this, "You must specify a primary group for the user.");
                    }
                    user.addGroup(primaryGroup);
                    subGroups = getGroups(args[3]);
                }
                for (String subGroup : subGroups) {
                    user.addGroup(subGroup);
                }
                // create the account
                securityManager.addAccount(user);
                // if we created a personal group, then add the new account as a manager of their personal group
                if (getSignature().getArgumentCount() == 3 || getSignature().getArgumentCount() == 5) {
                    final Group group = securityManager.getGroup(username);
                    group.addManager(securityManager.getAccount(username));
                    securityManager.updateGroup(group);
                }
            } else {
                throw new XPathException(this, "Unknown function call: " + getSignature());
            }
        }
    } catch (final PermissionDeniedException | EXistException pde) {
        throw new XPathException(this, pde);
    }
    return Sequence.EMPTY_SEQUENCE;
}
Also used : SecurityManager(org.exist.security.SecurityManager) EXistException(org.exist.EXistException) DBBroker(org.exist.storage.DBBroker) UserAider(org.exist.security.internal.aider.UserAider) GroupAider(org.exist.security.internal.aider.GroupAider) Password(org.exist.security.internal.Password)

Example 15 with GroupAider

Use of org.exist.security.internal.aider.GroupAider in project exist by eXist-db.

From the class XMLDBSecurityTest, method setup:

// TODO need tests for
// 4) CopyingCollections to dests where permission is denied!
// 5) What about move Document, move Collection?
/**
 * 1) Sets '/db' to rwxr-xr-x (0755)
 * 2) Adds the Group 'users'
 * 3) Adds the User 'test1' with password 'test1' and sets their primary group to 'users'
 * 4) Creates the group 'extusers' and adds 'test1' to it
 * 5) Adds the User 'test2' with password 'test2' and sets their primary group to 'users'
 * 6) Creates the group 'test2-only' and adds 'test2' to it
 * 7) Adds the User 'test3' with password 'test3' and sets their primary group to 'guest'
 * 8) Creates the Collection '/db/securityTest1' owned by 'test1':'users' with permissions rwxrwx--- (0770)
 * 9) Creates the XML resource '/db/securityTest1/test.xml' owned by 'test1':'users' with permissions rwxrwx--- (0770)
 * 10) Creates the Binary resource '/db/securityTest1/test.bin' owned by 'test1':'users' with permissions rwxrwx--- (0770)
 * 11) Creates the Collection '/db/securityTest2' owned by 'test1':'users' with permissions rwxrwxr-x (0775)
 * 12) Creates the Collection '/db/securityTest3' owned by 'test3':'guest' with permissions rwxrwxrwx (0777)
 */
@Before
public void setup() throws XMLDBException {
    final Collection root = DatabaseManager.getCollection(getBaseUri() + "/db", TestUtils.ADMIN_DB_USER, TestUtils.ADMIN_DB_PWD);
    UserManagementService ums = (UserManagementService) root.getService("UserManagementService", "1.0");
    // ensure /db is always 755
    ums.chmod("rwxr-xr-x");
    // remove accounts 'test1', 'test2' and 'test3'
    removeAccounts(ums, new String[] { "test1", "test2", "test3" });
    // remove group 'users'
    removeGroups(ums, new String[] { "users" });
    final Group group = new GroupAider("exist", "users");
    ums.addGroup(group);
    UserAider user = new UserAider("test1", group);
    user.setPassword("test1");
    ums.addAccount(user);
    final Group extGroup = new GroupAider("exist", "extusers");
    ums.addGroup(extGroup);
    ums.addAccountToGroup("test1", "extusers");
    user = new UserAider("test2", group);
    user.setPassword("test2");
    ums.addAccount(user);
    final Group test2OnlyGroup = new GroupAider("exist", "test2-only");
    ums.addGroup(test2OnlyGroup);
    ums.addAccountToGroup("test2", "test2-only");
    user = new UserAider("test3", ums.getGroup("guest"));
    user.setPassword("test3");
    ums.addAccount(user);
    // create a collection /db/securityTest1 as owned by "test1:users" and mode 0770
    CollectionManagementService cms = (CollectionManagementService) root.getService("CollectionManagementService", "1.0");
    Collection test = cms.createCollection("securityTest1");
    ums = (UserManagementService) test.getService("UserManagementService", "1.0");
    // change ownership to test1
    final Account test1 = ums.getAccount("test1");
    ums.chown(test1, "users");
    // full permissions for user and group, none for world
    ums.chmod(0770);
    test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    // create a resource /db/securityTest1/test.xml owned by "test1:users" and mode 0770
    Resource resource = test.createResource("test.xml", XMLResource.RESOURCE_TYPE);
    resource.setContent("<test/>");
    test.storeResource(resource);
    ums.chmod(resource, 0770);
    resource = test.createResource("test.bin", BinaryResource.RESOURCE_TYPE);
    resource.setContent("binary-test".getBytes());
    test.storeResource(resource);
    ums.chmod(resource, 0770);
    // create a collection /db/securityTest2 as user "test1"
    cms = (CollectionManagementService) root.getService("CollectionManagementService", "1.0");
    Collection testCol2 = cms.createCollection("securityTest2");
    ums = (UserManagementService) testCol2.getService("UserManagementService", "1.0");
    // change ownership to test1
    ums.chown(test1, "users");
    // full permissions for user and group, none for world
    ums.chmod(0775);
    // create a collection /db/securityTest3 as user "test3"
    cms = (CollectionManagementService) root.getService("CollectionManagementService", "1.0");
    Collection testCol3 = cms.createCollection("securityTest3");
    ums = (UserManagementService) testCol3.getService("UserManagementService", "1.0");
    // change ownership to test3
    final Account test3 = ums.getAccount("test3");
    ums.chown(test3, "users");
    // full permissions for all
    ums.chmod(0777);
    // create a sub-collection /db/securityTest1/sub1 as user "test1"
    cms = (CollectionManagementService) test.getService("CollectionManagementService", "1.0");
    Collection sub1 = cms.createCollection("sub1");
    ums = (UserManagementService) sub1.getService("UserManagementService", "1.0");
    // change ownership to test1
    ums.chown(test1, "users");
    // full permissions for all
    ums.chmod(0777);
}
Also used : EXistCollectionManagementService(org.exist.xmldb.EXistCollectionManagementService) CollectionManagementService(org.xmldb.api.modules.CollectionManagementService) BinaryResource(org.xmldb.api.modules.BinaryResource) XMLResource(org.xmldb.api.modules.XMLResource) Resource(org.xmldb.api.base.Resource) Collection(org.xmldb.api.base.Collection) UserManagementService(org.exist.xmldb.UserManagementService) GroupAider(org.exist.security.internal.aider.GroupAider) UserAider(org.exist.security.internal.aider.UserAider) Before(org.junit.Before)

Aggregations

GroupAider (org.exist.security.internal.aider.GroupAider)23 UserAider (org.exist.security.internal.aider.UserAider)15 UserManagementService (org.exist.xmldb.UserManagementService)8 XMLDBException (org.xmldb.api.base.XMLDBException)7 SecurityManager (org.exist.security.SecurityManager)6 DBBroker (org.exist.storage.DBBroker)5 EXistException (org.exist.EXistException)4 PermissionDeniedException (org.exist.security.PermissionDeniedException)4 Test (org.junit.Test)4 Collection (org.exist.collections.Collection)3 Group (org.exist.security.Group)3 BrokerPool (org.exist.storage.BrokerPool)3 Txn (org.exist.storage.txn.Txn)3 IOException (java.io.IOException)2 LockedDocumentMap (org.exist.storage.lock.LockedDocumentMap)2 Before (org.junit.Before)2 Collection (org.xmldb.api.base.Collection)2 Either (com.evolvedbinary.j8fu.Either)1 BufferedInputStream (java.io.BufferedInputStream)1 InputStream (java.io.InputStream)1