


Class AccountManagementFunction, method eval().

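/**
 * Implements the account-management functions of this module, dispatching on the name
 * the function was called as: remove-account, passwd, passwd-hash and create-account.
 * <p>
 * Authorisation is checked against the broker's current subject before anything is
 * changed: only a DBA may remove or create accounts, a user may never remove their own
 * account, and a password may be changed only by the account owner or by a DBA.
 *
 * @param args            function arguments; {@code args[0]} is always the username and
 *                        {@code args[1]} the password for every variant except
 *                        remove-account; create-account additionally takes the group
 *                        arguments and, when five or more arguments are supplied, the full
 *                        name and description as the last two arguments
 * @param contextSequence the XQuery context sequence (not used)
 * @return {@link Sequence#EMPTY_SEQUENCE}
 * @throws XPathException if the caller is not authorised, the account does not exist
 *                        (or already exists, for create-account), a required primary group
 *                        is missing, the function name is unknown, or the security manager
 *                        throws a {@code PermissionDeniedException} or {@code EXistException}
 */
@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
    final DBBroker broker = getContext().getBroker();
    final Subject currentUser = broker.getCurrentSubject();
    final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
    final String username = args[0].getStringValue();
    try {
        if (isCalledAs(qnRemoveAccount.getLocalPart())) {
            /* remove account */
            if (!currentUser.hasDbaRole()) {
                throw new XPathException(this, "Only a DBA user may remove accounts.");
            }
            if (!securityManager.hasAccount(username)) {
                throw new XPathException(this, "The user account with username " + username + " does not exist.");
            }
            if (currentUser.getName().equals(username)) {
                throw new XPathException(this, "You cannot remove yourself i.e. the currently logged in user.");
            }
            securityManager.deleteAccount(username);
        } else {
            final String password = args[1].getStringValue();
            if (isCalledAs(qnPasswd.getLocalPart()) || isCalledAs(qnPasswdHash.getLocalPart())) {
                /* change password / set password hash */
                // authorisation is checked first so that a non-DBA probing another username
                // gets the same error whether or not that account exists
                if (!(currentUser.getName().equals(username) || currentUser.hasDbaRole())) {
                    throw new XPathException(this, "You may only change your own password, unless you are a DBA.");
                }
                // a DBA may name any account; an unknown one must be reported as an XPath error
                // rather than surfacing as a NullPointerException from the null lookup below
                if (!securityManager.hasAccount(username)) {
                    throw new XPathException(this, "The user account with username " + username + " does not exist.");
                }
                final Account account = securityManager.getAccount(username);
                if (isCalledAs(qnPasswdHash.getLocalPart())) {
                    // passwd-hash receives an already-hashed credential and stores it as-is
                    account.setCredential(new Password(account, Password.DEFAULT_ALGORITHM, password));
                } else {
                    account.setPassword(password);
                }
                securityManager.updateAccount(account);
            } else if (isCalledAs(qnCreateAccount.getLocalPart())) {
                /* create account */
                if (!currentUser.hasDbaRole()) {
                    throw new XPathException(this, "You must be a DBA to create a User Account.");
                }
                if (securityManager.hasAccount(username)) {
                    throw new XPathException(this, "The user account with username " + username + " already exists.");
                }
                final Account user = new UserAider(username);
                user.setPassword(password);
                if (getSignature().getArgumentCount() >= 5) {
                    // set metadata values if present: full name and description are always the
                    // last two arguments of the longer signatures
                    // NOTE(review): these use toString() where the rest of the method uses
                    // getStringValue() — confirm toString() yields the plain string value here
                    user.setMetadataValue(AXSchemaType.FULLNAME, args[getSignature().getArgumentCount() - 2].toString());
                    user.setMetadataValue(EXistSchemaType.DESCRIPTION, args[getSignature().getArgumentCount() - 1].toString());
                }
                final String[] subGroups;
                if (getSignature().getArgumentCount() == 3 || getSignature().getArgumentCount() == 5) {
                    // 3- and 5-argument forms: create a personal group named after the user,
                    // managed by the caller, and make it the primary group
                    final Group group = new GroupAider(username);
                    group.setMetadataValue(EXistSchemaType.DESCRIPTION, "Personal group for " + username);
                    group.addManager(currentUser);
                    securityManager.addGroup(broker, group);
                    // add the personal group as the primary group
                    user.addGroup(username);
                    subGroups = getGroups(args[2]);
                } else {
                    // 4- and 6-argument forms: the caller names an existing primary group
                    final String primaryGroup = args[2].getStringValue();
                    if (primaryGroup == null || primaryGroup.isEmpty()) {
                        throw new XPathException(this, "You must specify a primary group for the user.");
                    }
                    user.addGroup(primaryGroup);
                    subGroups = getGroups(args[3]);
                }
                for (final String subGroup : subGroups) {
                    user.addGroup(subGroup);
                }
                // create the account
                // NOTE(review): the personal group above was already persisted; if addAccount
                // fails the group remains — confirm whether that is acceptable or needs cleanup
                securityManager.addAccount(user);
                // if we created a personal group, then add the new account as a manager of their personal group
                if (getSignature().getArgumentCount() == 3 || getSignature().getArgumentCount() == 5) {
                    final Group group = securityManager.getGroup(username);
                    group.addManager(securityManager.getAccount(username));
                    securityManager.updateGroup(group);
                }
            } else {
                throw new XPathException(this, "Unknown function call: " + getSignature());
            }
        }
    } catch (final PermissionDeniedException | EXistException pde) {
        // wrap with the cause preserved so the XQuery caller sees the original reason
        throw new XPathException(this, pde);
    }
    return Sequence.EMPTY_SEQUENCE;
}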



Class XMLDBSecurityTest, method setup().

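// TODO need tests for
// 4) CopyingCollections to dests where permission is denied!
// 5) What about move Document, move Collection?
/**
 * Rebuilds the security fixture before every test, as the admin user:
 * 1) Sets '/db' to rwxr-xr-x (0755)
 * 2) Removes any leftover accounts 'test1', 'test2', 'test3' and the group 'users'
 * 3) Adds the Group 'users'
 * 4) Adds the User 'test1' with password 'test1' and sets their primary group to 'users'
 * 5) Creates the group 'extusers' and adds 'test1' to it
 * 6) Adds the User 'test2' with password 'test2' and sets their primary group to 'users'
 * 7) Creates the group 'test2-only' and adds 'test2' to it
 * 8) Adds the User 'test3' with password 'test3' and sets their primary group to 'guest'
 * 9) Creates the Collection '/db/securityTest1' owned by 'test1':'users' with permissions rwxrwx--- (0770)
 * 10) Creates the XML resource '/db/securityTest1/test.xml' owned by 'test1':'users' with permissions rwxrwx--- (0770)
 * 11) Creates the Binary resource '/db/securityTest1/test.bin' owned by 'test1':'users' with permissions rwxrwx--- (0770)
 * 12) Creates the Collection '/db/securityTest2' owned by 'test1':'users' with permissions rwxrwxr-x (0775)
 * 13) Creates the Collection '/db/securityTest3' owned by 'test3':'users' with permissions rwxrwxrwx (0777)
 *     (NOTE(review): an earlier description said 'test3':'guest', but the code sets the group to 'users' — confirm which is intended)
 * 14) Creates the sub-Collection '/db/securityTest1/sub1' owned by 'test1':'users' with permissions rwxrwxrwx (0777)
 *
 * @throws XMLDBException if any XML:DB operation against the test database fails
 */
@Before
public void setup() throws XMLDBException {
    final Collection root = DatabaseManager.getCollection(getBaseUri() + "/db", TestUtils.ADMIN_DB_USER, TestUtils.ADMIN_DB_PWD);
    UserManagementService ums = (UserManagementService) root.getService("UserManagementService", "1.0");
    // ensure /db is always 755
    ums.chmod("rwxr-xr-x");
    // remove accounts 'test1', 'test2' and 'test3'
    removeAccounts(ums, new String[] { "test1", "test2", "test3" });
    // remove group 'users'
    removeGroups(ums, new String[] { "users" });
    final Group group = new GroupAider("exist", "users");
    ums.addGroup(group);
    UserAider user = new UserAider("test1", group);
    user.setPassword("test1");
    ums.addAccount(user);
    final Group extGroup = new GroupAider("exist", "extusers");
    ums.addGroup(extGroup);
    ums.addAccountToGroup("test1", "extusers");
    user = new UserAider("test2", group);
    user.setPassword("test2");
    ums.addAccount(user);
    final Group test2OnlyGroup = new GroupAider("exist", "test2-only");
    ums.addGroup(test2OnlyGroup);
    ums.addAccountToGroup("test2", "test2-only");
    user = new UserAider("test3", ums.getGroup("guest"));
    user.setPassword("test3");
    ums.addAccount(user);
    // create a collection /db/securityTest1 as owned by "test1:users" and mode 0770
    CollectionManagementService cms = (CollectionManagementService) root.getService("CollectionManagementService", "1.0");
    Collection test = cms.createCollection("securityTest1");
    ums = (UserManagementService) test.getService("UserManagementService", "1.0");
    // change ownership to test1
    final Account test1 = ums.getAccount("test1");
    ums.chown(test1, "users");
    // full permissions for user and group, none for world
    ums.chmod(0770);
    // re-open the collection as test1 so the resources below are created by that user
    test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    // create a resource /db/securityTest1/test.xml owned by "test1:users" and mode 0770
    Resource resource = test.createResource("test.xml", XMLResource.RESOURCE_TYPE);
    resource.setContent("<test/>");
    test.storeResource(resource);
    ums.chmod(resource, 0770);
    resource = test.createResource("test.bin", BinaryResource.RESOURCE_TYPE);
    // encode explicitly: the no-arg getBytes() depends on the platform default charset
    resource.setContent("binary-test".getBytes(java.nio.charset.StandardCharsets.UTF_8));
    test.storeResource(resource);
    ums.chmod(resource, 0770);
    // create a collection /db/securityTest2 as user "test1"
    cms = (CollectionManagementService) root.getService("CollectionManagementService", "1.0");
    Collection testCol2 = cms.createCollection("securityTest2");
    ums = (UserManagementService) testCol2.getService("UserManagementService", "1.0");
    // change ownership to test1
    ums.chown(test1, "users");
    // full permissions for user and group, read/execute for world
    ums.chmod(0775);
    // create a collection /db/securityTest3 as user "test3"
    cms = (CollectionManagementService) root.getService("CollectionManagementService", "1.0");
    Collection testCol3 = cms.createCollection("securityTest3");
    ums = (UserManagementService) testCol3.getService("UserManagementService", "1.0");
    // change ownership to test3
    final Account test3 = ums.getAccount("test3");
    ums.chown(test3, "users");
    // full permissions for all
    ums.chmod(0777);
    // create a sub-collection /db/securityTest1/sub1 as user "test1"
    cms = (CollectionManagementService) test.getService("CollectionManagementService", "1.0");
    Collection sub1 = cms.createCollection("sub1");
    ums = (UserManagementService) sub1.getService("UserManagementService", "1.0");
    // change ownership to test1
    ums.chown(test1, "users");
    // full permissions for all
    ums.chmod(0777);
}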



Class UserDialog, method createUser().

// GEN-LAST:event_btnCreateActionPerformed
/**
 * Creates the account described by the dialog's fields. The steps are: work out the
 * primary group, optionally create a personal group named after the user, create the
 * account with its metadata, password, enabled flag, umask and group memberships, and
 * finally make the new user a manager of their own personal group. Any failure is shown
 * to the user in an error dialog and aborts the remaining steps.
 */
protected void createUser() {
    final String username = txtUsername.getText();
    final boolean wantsPersonalGroup = cbPersonalGroup.isSelected();
    // 0 - determine the primary group
    final GroupAider primaryGroup;
    if (getPrimaryGroup() != null) {
        primaryGroup = new GroupAider(getPrimaryGroup());
    } else if (wantsPersonalGroup) {
        primaryGroup = new GroupAider(username);
    } else {
        // fall back to the first group the user is a member of
        final String firstGroup = memberOfGroupsModel.firstElement();
        if (firstGroup == null) {
            JOptionPane.showMessageDialog(this, "Could not determine primary group for user '" + username + "'. User must create personal group or belong to at least one existing group", "Create User Error", JOptionPane.ERROR_MESSAGE);
            return;
        }
        primaryGroup = new GroupAider(firstGroup);
    }
    // 1 - create the personal group, if requested
    GroupAider personalGroup = null;
    if (wantsPersonalGroup) {
        personalGroup = new GroupAider(username);
        personalGroup.setMetadataValue(EXistSchemaType.DESCRIPTION, "Personal group for " + username);
        try {
            getUserManagementService().addGroup(personalGroup);
        } catch (final XMLDBException xmldbe) {
            JOptionPane.showMessageDialog(this, "Could not create personal group '" + username + "': " + xmldbe.getMessage(), "Create User Error", JOptionPane.ERROR_MESSAGE);
            return;
        }
    }
    // 2 - build and create the user
    final UserAider newUser = new UserAider(username);
    newUser.setMetadataValue(AXSchemaType.FULLNAME, txtFullName.getText());
    newUser.setMetadataValue(EXistSchemaType.DESCRIPTION, txtDescription.getText());
    // NOTE(review): if txtPassword is a JPasswordField, getPassword() (char[]) is the
    // preferred accessor over getText() — confirm the field type
    newUser.setPassword(txtPassword.getText());
    newUser.setEnabled(!cbDisabled.isSelected());
    newUser.setUserMask(UmaskSpinnerModel.octalUmaskToInt((String) spnUmask.getValue()));
    // the personal group (if any) goes first, then every group selected in the dialog
    if (wantsPersonalGroup) {
        newUser.addGroup(username);
    }
    for (final Iterator<String> groups = memberOfGroupsModel.iterator(); groups.hasNext(); ) {
        newUser.addGroup(groups.next());
    }
    try {
        newUser.setPrimaryGroup(primaryGroup);
    } catch (final PermissionDeniedException pde) {
        JOptionPane.showMessageDialog(this, "Could not set primary group '" + getPrimaryGroup() + "' of user '" + username + "': " + pde.getMessage(), "Create User Error", JOptionPane.ERROR_MESSAGE);
        return;
    }
    try {
        getUserManagementService().addAccount(newUser);
    } catch (final XMLDBException xmldbe) {
        JOptionPane.showMessageDialog(this, "Could not create user '" + username + "': " + xmldbe.getMessage(), "Create User Error", JOptionPane.ERROR_MESSAGE);
        return;
    }
    // 3 - if a personal group was created, make the new user its manager
    if (wantsPersonalGroup) {
        try {
            personalGroup.addManager(newUser);
            getUserManagementService().updateGroup(personalGroup);
        } catch (final XMLDBException | PermissionDeniedException xmldbe) {
            JOptionPane.showMessageDialog(this, "Could not set user '" + username + "' as manager of personal group '" + username + "': " + xmldbe.getMessage(), "Create User Error", JOptionPane.ERROR_MESSAGE);
            return;
        }
    }
}



Class AbstractSecurityManagerRoundtripTest, method checkGroupManagerStability().

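/**
 * Verifies that a group's manager list is persisted across a server restart: a user with a
 * personal group is made the sole manager of a second group, the server is restarted, and
 * the group is re-read and expected to still list exactly that user as manager.
 * <p>
 * The fixture is removed in a best-effort {@code finally} block so that a failed assertion
 * does not leave the test user or groups behind.
 *
 * @throws XMLDBException            if an XML:DB operation fails
 * @throws PermissionDeniedException if the test user is not permitted to perform an operation
 * @throws IOException               if restarting the server fails
 */
@Test
public void checkGroupManagerStability() throws XMLDBException, PermissionDeniedException, IOException {
    UserManagementService ums = (UserManagementService) getRoot().getService("UserManagementService", "1.0");
    final String commonGroupName = "commonGroup";
    Group commonGroup = new GroupAider(commonGroupName);
    final String userName = "testUserA";
    final Group userGroup = new GroupAider(userName);
    // set users primary group as personal group
    final Account userAccount = new UserAider(userName, userGroup);
    try {
        // create a user with personal group
        ums.addGroup(userGroup);
        ums.addAccount(userAccount);
        // add user1 as a manager of common group
        ums.addGroup(commonGroup);
        commonGroup.addManager(userAccount);
        ums.updateGroup(commonGroup);
        // ---- restart the server ----
        restartServer();
        // ----------------------------
        // the old service handle belongs to the stopped instance; fetch a fresh one
        ums = (UserManagementService) getRoot().getService("UserManagementService", "1.0");
        // get the common group
        commonGroup = ums.getGroup(commonGroupName);
        assertNotNull(commonGroup);
        // assert that user1 is still a manager of the common group
        final List<Account> commonGroupManagers = commonGroup.getManagers();
        assertNotNull(commonGroupManagers);
        assertEquals(1, commonGroupManagers.size());
        // expected value first, so a failure message reads correctly
        assertEquals(userName, commonGroupManagers.get(0).getName());
    } finally {
        // best-effort cleanup: each removal is independent, so a failure in one must neither
        // skip the others nor mask an assertion failure from the try block
        try {
            ums.removeGroup(commonGroup);
        } catch (final Exception ignored) {
            // group may not exist if an earlier step failed
        }
        try {
            ums.removeAccount(userAccount);
        } catch (final Exception ignored) {
            // account may not exist if an earlier step failed
        }
        try {
            ums.removeGroup(userGroup);
        } catch (final Exception ignored) {
            // group may not exist if an earlier step failed
        }
    }
}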



Class AbstractSecurityManagerRoundtripTest, method checkPrimaryGroupRemainsDBA().

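/**
 * Verifies that a user's primary (default) group survives a server restart: a user is
 * created with the DBA group as primary group and two further groups added afterwards;
 * after the restart the default group must still be the DBA group and the group list must
 * be exactly [DBA, testGroup1, testGroup2] in that order.
 * <p>
 * Cleanup in {@code finally} removes whatever fixture objects still exist.
 *
 * @throws XMLDBException                 if an XML:DB operation fails
 * @throws PermissionDeniedException      if an operation is not permitted
 * @throws EXistException                 if the database reports an error
 * @throws IOException                    if restarting the server fails
 * @throws DatabaseConfigurationException if the database cannot be reconfigured on restart
 */
@Test
public void checkPrimaryGroupRemainsDBA() throws XMLDBException, PermissionDeniedException, EXistException, IOException, DatabaseConfigurationException {
    UserManagementService ums = (UserManagementService) getRoot().getService("UserManagementService", "1.0");
    final String group1Name = "testGroup1";
    final String group2Name = "testGroup2";
    final String userName = "testUser";
    final Group group1 = new GroupAider(group1Name);
    final Group group2 = new GroupAider(group2Name);
    // set users primary group as DBA
    Account user = new UserAider(userName, ums.getGroup(SecurityManager.DBA_GROUP));
    try {
        ums.addGroup(group1);
        ums.addGroup(group2);
        ums.addAccount(user);
        // the account must be resolvable immediately after creation; previously the result
        // of this lookup was discarded, so a null here went unnoticed
        assertNotNull(ums.getAccount(userName));
        user.addGroup(group1);
        user.addGroup(group2);
        ums.updateAccount(user);
        // ---- restart the server ----
        restartServer();
        // ----------------------------
        // the old service handle belongs to the stopped instance; fetch a fresh one
        ums = (UserManagementService) getRoot().getService("UserManagementService", "1.0");
        user = ums.getAccount(userName);
        assertNotNull(user);
        final Group defaultGroup = user.getDefaultGroup();
        assertNotNull(defaultGroup);
        assertEquals(SecurityManager.DBA_GROUP, defaultGroup.getName());
        // group order matters: the primary group is expected to stay first
        final String[] groups = user.getGroups();
        assertNotNull(groups);
        assertEquals(3, groups.length);
        assertEquals(SecurityManager.DBA_GROUP, groups[0]);
        assertEquals(group1Name, groups[1]);
        assertEquals(group2Name, groups[2]);
    } finally {
        // cleanup: only remove what actually exists, in account-then-groups order
        final Account u1 = ums.getAccount(userName);
        if (u1 != null) {
            ums.removeAccount(u1);
        }
        final Group g1 = ums.getGroup(group1Name);
        if (g1 != null) {
            ums.removeGroup(g1);
        }
        final Group g2 = ums.getGroup(group2Name);
        if (g2 != null) {
            ums.removeGroup(g2);
        }
    }
}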
