use of org.pentaho.platform.api.repository2.unified.RepositoryFileAce in project pentaho-platform by pentaho.
the class JcrAclNodeHelper method getAclFor.
/**
 * {@inheritDoc}
 *
 * <p>Resolves the ACL node that backs {@code repositoryFile}, reads that node's ACL through
 * {@code unifiedRepository}, and returns a rebuilt copy of it. When {@code canAdminister()} is
 * true, the copy additionally carries an ACE granting {@link RepositoryFilePermission#ALL} to the
 * role configured under {@code singleTenantAdminAuthorityName}. Nothing is written back to the
 * repository here; the extra ACE exists only on the returned object.
 *
 * <p>NOTE(review): every exception raised by the ACL read is swallowed and reported as
 * {@code null}, the same value returned when the file has no ACL node. Callers therefore cannot
 * tell "lookup failed" from "no ACL defined"; confirm that no caller treats {@code null} as
 * "access allowed", and consider logging the exception so failed lookups are visible.
 *
 * @param repositoryFile file whose ACL is wanted; may be {@code null}
 * @return the rebuilt ACL, or {@code null} when {@code repositoryFile} is {@code null}, when no
 *         ACL node is found, or when reading the ACL throws
 */
@Override
public RepositoryFileAcl getAclFor(final RepositoryFile repositoryFile) {
  // Obtain a reference to the ACL node as "system", guaranteed access.
  // (A redundant second getAclNode call was removed via BISERVER-12780.)
  final RepositoryFile aclNode = (repositoryFile == null) ? null : getAclNode(repositoryFile);
  if (aclNode == null) {
    return null;
  }

  final RepositoryFileAcl storedAcl;
  try {
    storedAcl = unifiedRepository.getAcl(aclNode.getId());
  } catch (Exception e) {
    // Deliberately broad: any failure is collapsed into "no ACL" (see NOTE(review) above).
    return null;
  }

  // NOTE(review): the owner sid is rebuilt as Type.ROLE whatever type the stored owner has;
  // confirm that this is intended for ACL nodes.
  final RepositoryFileAcl.Builder copy =
      new RepositoryFileAcl.Builder(storedAcl.getId(), storedAcl.getOwner().getName(), RepositoryFileSid.Type.ROLE);
  copy.aces(storedAcl.getAces());

  if (!canAdminister()) {
    return copy.build();
  }

  // Administrators always see a full-control entry for the admin role on the returned ACL.
  final String adminRoleName =
      PentahoSystem.get(String.class, "singleTenantAdminAuthorityName", PentahoSessionHolder.getSession());
  final RepositoryFileSid adminRoleSid = new RepositoryFileSid(adminRoleName, RepositoryFileSid.Type.ROLE);
  copy.ace(new RepositoryFileAce(adminRoleSid, RepositoryFilePermission.ALL));
  return copy.build();
}
use of org.pentaho.platform.api.repository2.unified.RepositoryFileAce in project pentaho-platform by pentaho.
the class JcrRepositoryFileAclDao method toAce.
/**
 * Converts a JCR access control entry into a Pentaho {@link RepositoryFileAce}.
 *
 * <p>A principal that is a {@code Group} becomes a {@code ROLE} sid and any other principal
 * becomes a {@code USER} sid. In both cases the principal's name is first passed through the
 * matching {@code getPrincipleName} helper of {@code JcrTenantUtils}. The entry's privileges are
 * translated with a {@link DefaultPermissionConversionHelper} bound to {@code session}.
 *
 * @param session JCR session handed to the permission conversion helper
 * @param acEntry entry to convert
 * @return the equivalent Pentaho ACE
 * @throws RepositoryException declared for the JCR calls made here
 */
protected RepositoryFileAce toAce(final Session session, final AccessControlEntry acEntry) throws RepositoryException {
  final Principal jcrPrincipal = acEntry.getPrincipal();
  final String rawName = jcrPrincipal.getName();
  final DefaultPermissionConversionHelper converter = new DefaultPermissionConversionHelper(session);

  // The sid type follows the principal kind; each kind has its own name utility.
  final RepositoryFileSid sid = (jcrPrincipal instanceof Group)
      ? new RepositoryFileSid(JcrTenantUtils.getRoleNameUtils().getPrincipleName(rawName), RepositoryFileSid.Type.ROLE)
      : new RepositoryFileSid(JcrTenantUtils.getUserNameUtils().getPrincipleName(rawName), RepositoryFileSid.Type.USER);

  // Only the principal's class name is logged, not its name.
  logger.debug(String.format("principal class [%s]", jcrPrincipal.getClass().getName())); // $NON-NLS-1$

  final Privilege[] granted = acEntry.getPrivileges();
  return new RepositoryFileAce(sid, converter.privilegesToPentahoPermissions(session, granted));
}
use of org.pentaho.platform.api.repository2.unified.RepositoryFileAce in project pentaho-platform by pentaho.
the class JcrRepositoryFileAclDao method internalUpdateAcl.
/**
 * Replaces the access control list of the node identified by {@code fileId} with the entries of
 * {@code acl}, saves the session and returns the ACL as re-read through {@code getAcl(fileId)}.
 *
 * <p>Steps, in order: reject the call in kiosk mode; remove every existing entry from the node's
 * access control list; store the owner name and the inheriting flag as ACL metadata; if the ACL
 * is not inheriting, add one entry per supplied ACE and, unless one of the supplied ROLE entries
 * already names {@code tenantAdminAuthorityName}, add a full-control entry for the tenant admin
 * role; finally set the policy and save. When the ACL is inheriting, no entries are written.
 *
 * <p>NOTE(review): apart from the kiosk check, no permission check on the caller is visible in
 * this method; presumably the JCR session or the calling layer enforces it. Verify against the
 * callers.
 *
 * @param session JCR session used for all reads and writes
 * @param pentahoJcrConstants not used in this method body
 * @param fileId identifier of the node whose ACL is replaced
 * @param acl the new ACL (owner, inheriting flag and ACEs)
 * @return the ACL as returned by {@code getAcl(fileId)} after the save
 * @throws RepositoryException from the JCR calls, or when the node lookup yields {@code null}
 * @throws RuntimeException when kiosk mode is enabled
 */
protected RepositoryFileAcl internalUpdateAcl(final Session session, final PentahoJcrConstants pentahoJcrConstants,
    final Serializable fileId, final RepositoryFileAcl acl) throws RepositoryException {
  if (isKioskEnabled()) {
    throw new RuntimeException(
        Messages.getInstance().getString("JcrRepositoryFileDao.ERROR_0006_ACCESS_DENIED")); // $NON-NLS-1$
  }

  final DefaultPermissionConversionHelper converter = new DefaultPermissionConversionHelper(session);

  // NOTE(review): JCR specifies ItemNotFoundException for an unknown identifier rather than a
  // null return, so this guard is presumably purely defensive.
  final Node target = session.getNodeByIdentifier(fileId.toString());
  if (target == null) {
    throw new RepositoryException(Messages.getInstance().getString(
        "JackrabbitRepositoryFileAclDao.ERROR_0001_NODE_NOT_FOUND", fileId.toString())); // $NON-NLS-1$
  }

  final String nodePath = target.getPath();
  final AccessControlManager acMgr = session.getAccessControlManager();
  final AccessControlList policy = getAccessControlList(acMgr, nodePath);

  // Start from an empty list: drop every entry currently on the node.
  for (AccessControlEntry stale : policy.getAccessControlEntries()) {
    policy.removeAccessControlEntry(stale);
  }

  JcrRepositoryFileAclUtils.setAclMetadata(session, nodePath, policy,
      new AclMetadata(acl.getOwner().getName(), acl.isEntriesInheriting()));

  // Entries are only written for a non-inheriting ACL; an inheriting one keeps the empty list.
  if (!acl.isEntriesInheriting()) {
    boolean adminAlreadyListed = false;

    // NOTE(review): getAces() is iterated here without a null check, although the branch below
    // does test it for null; a null list would fail in this loop first.
    for (RepositoryFileAce ace : acl.getAces()) {
      final RepositoryFileSid sid = ace.getSid();
      final Principal principal;
      if (RepositoryFileSid.Type.ROLE == sid.getType()) {
        final String bareRoleName = JcrTenantUtils.getRoleNameUtils().getPrincipleName(sid.getName());
        adminAlreadyListed |= tenantAdminAuthorityName.equals(bareRoleName);
        principal = new SpringSecurityRolePrincipal(JcrTenantUtils.getTenantedRole(sid.getName()));
      } else {
        principal = new SpringSecurityUserPrincipal(JcrTenantUtils.getTenantedUser(sid.getName()));
      }
      policy.addAccessControlEntry(principal, converter.pentahoPermissionsToPrivileges(session, ace.getPermissions()));
    }

    if (!adminAlreadyListed) {
      // The tenant admin role always keeps full control over a non-inheriting ACL.
      // NOTE(review): the tenant is parsed from the name of the first supplied ACE (with the
      // role-name utility, whatever that ACE's sid type is), i.e. from the ACL passed in.
      // Confirm the ACL is validated upstream so this implicit full-control entry always lands
      // on the intended tenant's admin role.
      ITenant adminTenant = null;
      if (acl.getAces() != null && !acl.getAces().isEmpty()) {
        adminTenant = JcrTenantUtils.getRoleNameUtils().getTenant(acl.getAces().get(0).getSid().getName());
      }
      if (adminTenant == null || adminTenant.getId() == null) {
        adminTenant = JcrTenantUtils.getTenant();
      }
      final Principal adminPrincipal = new SpringSecurityRolePrincipal(
          JcrTenantUtils.getRoleNameUtils().getPrincipleId(adminTenant, tenantAdminAuthorityName));
      policy.addAccessControlEntry(adminPrincipal,
          converter.pentahoPermissionsToPrivileges(session, EnumSet.of(RepositoryFilePermission.ALL)));
    }
  }

  acMgr.setPolicy(nodePath, policy);
  session.save();
  return getAcl(fileId);
}
use of org.pentaho.platform.api.repository2.unified.RepositoryFileAce in project pentaho-platform by pentaho.
the class JcrRepositoryFileAclUtils method toAce.
/**
 * Converts a JCR access control entry into a Pentaho {@link RepositoryFileAce}.
 *
 * <p>A {@code Group} principal yields a {@code ROLE} sid, anything else a {@code USER} sid. The
 * sid name is the principal's name exactly as returned by {@code getName()}; no name conversion
 * is applied in this method.
 *
 * @param session JCR session handed to the permission conversion helper
 * @param acEntry entry to convert
 * @return the equivalent Pentaho ACE
 * @throws RepositoryException declared for the JCR calls made here
 */
private static RepositoryFileAce toAce(final Session session, final AccessControlEntry acEntry) throws RepositoryException {
  final Principal jcrPrincipal = acEntry.getPrincipal();

  final RepositoryFileSid.Type sidType;
  if (jcrPrincipal instanceof Group) {
    sidType = RepositoryFileSid.Type.ROLE;
  } else {
    sidType = RepositoryFileSid.Type.USER;
  }
  final RepositoryFileSid sid = new RepositoryFileSid(jcrPrincipal.getName(), sidType);

  final Privilege[] granted = acEntry.getPrivileges();
  final IPermissionConversionHelper converter = new DefaultPermissionConversionHelper(session);
  return new RepositoryFileAce(sid, converter.privilegesToPentahoPermissions(session, granted));
}
use of org.pentaho.platform.api.repository2.unified.RepositoryFileAce in project pentaho-platform by pentaho.
the class DefaultUnifiedRepositoryAuthorizationIT method testGetEffectiveAces.
/**
 * Checks {@code getEffectiveAces} on a folder before and after it receives its own ACL.
 *
 * <p>A new folder under suzy's home folder must first report the same effective ACEs as that
 * home folder. After its ACL is replaced by a non-inheriting one (suzy: ALL, tiffany: READ), the
 * one-argument call and the call with {@code false} must report exactly those two ACEs, while
 * the call with {@code true} must again report the home folder's ACEs.
 */
@Test
public void testGetEffectiveAces() throws Exception {
  // Provision the tenant, its admin and two plain users.
  loginAsSysTenantAdmin();
  final ITenant acme = tenantManager.createTenant(systemTenant, TENANT_ID_ACME, tenantAdminRoleName,
      tenantAuthenticatedRoleName, ANONYMOUS_ROLE_NAME);
  userRoleDao.createUser(acme, USERNAME_ADMIN, PASSWORD, "", new String[] { tenantAdminRoleName });
  login(USERNAME_ADMIN, acme, new String[] { tenantAdminRoleName, tenantAuthenticatedRoleName });
  userRoleDao.createUser(acme, USERNAME_SUZY, PASSWORD, "", null);
  userRoleDao.createUser(acme, USERNAME_TIFFANY, PASSWORD, "", null);
  defaultBackingRepositoryLifecycleManager.newTenant();

  // From here on act as suzy, who holds only the authenticated role.
  login(USERNAME_SUZY, acme, new String[] { tenantAuthenticatedRoleName });
  final RepositoryFile homeFolder =
      repo.getFile(ClientRepositoryPaths.getUserHomeFolderPath(PentahoSessionHolder.getSession().getName()));
  final List<RepositoryFileAce> inheritedAces = repo.getEffectiveAces(homeFolder.getId());

  // A freshly created child folder reports the same effective ACEs as its parent.
  final RepositoryFile folderSpec = new RepositoryFile.Builder("test").folder(true).versioned(true).build();
  final RepositoryFile createdFolder = repo.createFolder(homeFolder.getId(), folderSpec, null);
  assertEquals(inheritedAces, repo.getEffectiveAces(createdFolder.getId()));

  // Give the folder its own, non-inheriting ACL.
  final RepositoryFileAcl currentAcl = repo.getAcl(createdFolder.getId());
  final RepositoryFileAcl explicitAcl = new RepositoryFileAcl.Builder(currentAcl)
      .entriesInheriting(false)
      .ace(new RepositoryFileSid(userNameUtils.getPrincipleId(acme, USERNAME_SUZY)), RepositoryFilePermission.ALL)
      .ace(new RepositoryFileSid(userNameUtils.getPrincipleId(acme, USERNAME_TIFFANY)), RepositoryFilePermission.READ)
      .build();
  repo.updateAcl(explicitAcl);

  final List<RepositoryFileAce> explicitAces = new ArrayList<RepositoryFileAce>();
  explicitAces.add(new RepositoryFileAce(new RepositoryFileSid(USERNAME_SUZY), EnumSet.of(RepositoryFilePermission.ALL)));
  explicitAces.add(new RepositoryFileAce(new RepositoryFileSid(USERNAME_TIFFANY), EnumSet.of(RepositoryFilePermission.READ)));

  assertEquals(explicitAces, repo.getEffectiveAces(createdFolder.getId()));
  assertEquals(explicitAces, repo.getEffectiveAces(createdFolder.getId(), false));
  // With the flag set to true the parent's ACEs are expected instead of the folder's own.
  assertEquals(inheritedAces, repo.getEffectiveAces(createdFolder.getId(), true));
}