Search in sources :

Example 6 with RepositoryFileAce

use of org.pentaho.platform.api.repository2.unified.RepositoryFileAce in project pentaho-platform by pentaho.

the class JcrAclNodeHelper method getAclFor.

/**
 * {@inheritDoc}
 */
@Override
public RepositoryFileAcl getAclFor(final RepositoryFile repositoryFile) {
    if (repositoryFile == null) {
        return null;
    }
    // Obtain a reference to ACL node as "system", guaranteed access
    final RepositoryFile aclNode = getAclNode(repositoryFile);
    // Removed redundant call to getAclNode via BISERVER-12780
    if (aclNode == null) {
        return null;
    }
    RepositoryFileAcl acl;
    try {
        acl = unifiedRepository.getAcl(aclNode.getId());
    } catch (Exception e) {
        return null;
    }
    RepositoryFileAcl.Builder aclBuilder = new RepositoryFileAcl.Builder(acl.getId(), acl.getOwner().getName(), RepositoryFileSid.Type.ROLE);
    aclBuilder.aces(acl.getAces());
    // add the Administrator role
    if (canAdminister()) {
        String adminRoleName = PentahoSystem.get(String.class, "singleTenantAdminAuthorityName", PentahoSessionHolder.getSession());
        RepositoryFileAce adminGroup = new RepositoryFileAce(new RepositoryFileSid(adminRoleName, RepositoryFileSid.Type.ROLE), RepositoryFilePermission.ALL);
        aclBuilder.ace(adminGroup);
    }
    return aclBuilder.build();
}
Also used : RepositoryFileSid(org.pentaho.platform.api.repository2.unified.RepositoryFileSid) RepositoryFileAce(org.pentaho.platform.api.repository2.unified.RepositoryFileAce) RepositoryFile(org.pentaho.platform.api.repository2.unified.RepositoryFile) RepositoryFileAcl(org.pentaho.platform.api.repository2.unified.RepositoryFileAcl)

Example 7 with RepositoryFileAce

use of org.pentaho.platform.api.repository2.unified.RepositoryFileAce in project pentaho-platform by pentaho.

the class JcrRepositoryFileAclDao method toAce.

protected RepositoryFileAce toAce(final Session session, final AccessControlEntry acEntry) throws RepositoryException {
    Principal principal = acEntry.getPrincipal();
    RepositoryFileSid sid = null;
    String name = principal.getName();
    DefaultPermissionConversionHelper permissionConversionHelper = new DefaultPermissionConversionHelper(session);
    if (principal instanceof Group) {
        sid = new RepositoryFileSid(JcrTenantUtils.getRoleNameUtils().getPrincipleName(name), RepositoryFileSid.Type.ROLE);
    } else {
        sid = new RepositoryFileSid(JcrTenantUtils.getUserNameUtils().getPrincipleName(name), RepositoryFileSid.Type.USER);
    }
    // $NON-NLS-1$
    logger.debug(String.format("principal class [%s]", principal.getClass().getName()));
    Privilege[] privileges = acEntry.getPrivileges();
    return new RepositoryFileAce(sid, permissionConversionHelper.privilegesToPentahoPermissions(session, privileges));
}
Also used : Group(java.security.acl.Group) RepositoryFileSid(org.pentaho.platform.api.repository2.unified.RepositoryFileSid) RepositoryFileAce(org.pentaho.platform.api.repository2.unified.RepositoryFileAce) Privilege(javax.jcr.security.Privilege) SpringSecurityRolePrincipal(org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityRolePrincipal) SpringSecurityUserPrincipal(org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityUserPrincipal) Principal(java.security.Principal)

Example 8 with RepositoryFileAce

use of org.pentaho.platform.api.repository2.unified.RepositoryFileAce in project pentaho-platform by pentaho.

the class JcrRepositoryFileAclDao method internalUpdateAcl.

protected RepositoryFileAcl internalUpdateAcl(final Session session, final PentahoJcrConstants pentahoJcrConstants, final Serializable fileId, final RepositoryFileAcl acl) throws RepositoryException {
    if (isKioskEnabled()) {
        // $NON-NLS-1$
        throw new RuntimeException(Messages.getInstance().getString("JcrRepositoryFileDao.ERROR_0006_ACCESS_DENIED"));
    }
    DefaultPermissionConversionHelper permissionConversionHelper = new DefaultPermissionConversionHelper(session);
    Node node = session.getNodeByIdentifier(fileId.toString());
    if (node == null) {
        throw new RepositoryException(Messages.getInstance().getString("JackrabbitRepositoryFileAclDao.ERROR_0001_NODE_NOT_FOUND", // $NON-NLS-1$
        fileId.toString()));
    }
    String absPath = node.getPath();
    AccessControlManager acMgr = session.getAccessControlManager();
    AccessControlList acList = getAccessControlList(acMgr, absPath);
    // clear all entries
    AccessControlEntry[] acEntries = acList.getAccessControlEntries();
    for (int i = 0; i < acEntries.length; i++) {
        acList.removeAccessControlEntry(acEntries[i]);
    }
    JcrRepositoryFileAclUtils.setAclMetadata(session, absPath, acList, new AclMetadata(acl.getOwner().getName(), acl.isEntriesInheriting()));
    // add entries to now empty list but only if not inheriting; force user to start with clean slate
    boolean adminPrincipalExist = false;
    ITenant principalTenant = null;
    if (!acl.isEntriesInheriting()) {
        for (RepositoryFileAce ace : acl.getAces()) {
            Principal principal = null;
            if (RepositoryFileSid.Type.ROLE == ace.getSid().getType()) {
                String principalName = JcrTenantUtils.getRoleNameUtils().getPrincipleName(ace.getSid().getName());
                if (tenantAdminAuthorityName.equals(principalName)) {
                    adminPrincipalExist = true;
                }
                principal = new SpringSecurityRolePrincipal(JcrTenantUtils.getTenantedRole(ace.getSid().getName()));
            } else {
                principal = new SpringSecurityUserPrincipal(JcrTenantUtils.getTenantedUser(ace.getSid().getName()));
            }
            acList.addAccessControlEntry(principal, permissionConversionHelper.pentahoPermissionsToPrivileges(session, ace.getPermissions()));
        }
        if (!adminPrincipalExist) {
            if (acl.getAces() != null && acl.getAces().size() > 0) {
                principalTenant = JcrTenantUtils.getRoleNameUtils().getTenant(acl.getAces().get(0).getSid().getName());
            }
            if (principalTenant == null || principalTenant.getId() == null) {
                principalTenant = JcrTenantUtils.getTenant();
            }
            List<RepositoryFilePermission> permissionList = new ArrayList<RepositoryFilePermission>();
            permissionList.add(RepositoryFilePermission.ALL);
            Principal adminPrincipal = new SpringSecurityRolePrincipal(JcrTenantUtils.getRoleNameUtils().getPrincipleId(principalTenant, tenantAdminAuthorityName));
            acList.addAccessControlEntry(adminPrincipal, permissionConversionHelper.pentahoPermissionsToPrivileges(session, EnumSet.copyOf(permissionList)));
        }
    }
    acMgr.setPolicy(absPath, acList);
    session.save();
    return getAcl(fileId);
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlList(javax.jcr.security.AccessControlList) RepositoryFileAce(org.pentaho.platform.api.repository2.unified.RepositoryFileAce) Node(javax.jcr.Node) AclMetadata(org.pentaho.platform.repository2.unified.jcr.IAclMetadataStrategy.AclMetadata) ArrayList(java.util.ArrayList) AccessControlEntry(javax.jcr.security.AccessControlEntry) RepositoryException(javax.jcr.RepositoryException) ITenant(org.pentaho.platform.api.mt.ITenant) SpringSecurityRolePrincipal(org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityRolePrincipal) RepositoryFilePermission(org.pentaho.platform.api.repository2.unified.RepositoryFilePermission) SpringSecurityRolePrincipal(org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityRolePrincipal) SpringSecurityUserPrincipal(org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityUserPrincipal) Principal(java.security.Principal) SpringSecurityUserPrincipal(org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityUserPrincipal)

Example 9 with RepositoryFileAce

use of org.pentaho.platform.api.repository2.unified.RepositoryFileAce in project pentaho-platform by pentaho.

the class JcrRepositoryFileAclUtils method toAce.

private static RepositoryFileAce toAce(final Session session, final AccessControlEntry acEntry) throws RepositoryException {
    Principal principal = acEntry.getPrincipal();
    RepositoryFileSid sid = null;
    if (principal instanceof Group) {
        sid = new RepositoryFileSid(principal.getName(), RepositoryFileSid.Type.ROLE);
    } else {
        sid = new RepositoryFileSid(principal.getName(), RepositoryFileSid.Type.USER);
    }
    Privilege[] privileges = acEntry.getPrivileges();
    IPermissionConversionHelper permissionConversionHelper = new DefaultPermissionConversionHelper(session);
    return new RepositoryFileAce(sid, permissionConversionHelper.privilegesToPentahoPermissions(session, privileges));
}
Also used : Group(org.apache.jackrabbit.api.security.user.Group) RepositoryFileSid(org.pentaho.platform.api.repository2.unified.RepositoryFileSid) RepositoryFileAce(org.pentaho.platform.api.repository2.unified.RepositoryFileAce) IPermissionConversionHelper(org.pentaho.platform.repository2.unified.jcr.JcrRepositoryFileAclDao.IPermissionConversionHelper) Privilege(javax.jcr.security.Privilege) SpringSecurityRolePrincipal(org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityRolePrincipal) SpringSecurityUserPrincipal(org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityUserPrincipal) Principal(java.security.Principal)

Example 10 with RepositoryFileAce

use of org.pentaho.platform.api.repository2.unified.RepositoryFileAce in project pentaho-platform by pentaho.

the class DefaultUnifiedRepositoryAuthorizationIT method testGetEffectiveAces.

@Test
public void testGetEffectiveAces() throws Exception {
    loginAsSysTenantAdmin();
    ITenant tenantAcme = tenantManager.createTenant(systemTenant, TENANT_ID_ACME, tenantAdminRoleName, tenantAuthenticatedRoleName, ANONYMOUS_ROLE_NAME);
    userRoleDao.createUser(tenantAcme, USERNAME_ADMIN, PASSWORD, "", new String[] { tenantAdminRoleName });
    login(USERNAME_ADMIN, tenantAcme, new String[] { tenantAdminRoleName, tenantAuthenticatedRoleName });
    userRoleDao.createUser(tenantAcme, USERNAME_SUZY, PASSWORD, "", null);
    userRoleDao.createUser(tenantAcme, USERNAME_TIFFANY, PASSWORD, "", null);
    defaultBackingRepositoryLifecycleManager.newTenant();
    login(USERNAME_SUZY, tenantAcme, new String[] { tenantAuthenticatedRoleName });
    RepositoryFile acmePublicFolder = repo.getFile(ClientRepositoryPaths.getUserHomeFolderPath(PentahoSessionHolder.getSession().getName()));
    List<RepositoryFileAce> expectedEffectiveAces1 = repo.getEffectiveAces(acmePublicFolder.getId());
    RepositoryFile newFolder = new RepositoryFile.Builder("test").folder(true).versioned(true).build();
    newFolder = repo.createFolder(acmePublicFolder.getId(), newFolder, null);
    assertEquals(expectedEffectiveAces1, repo.getEffectiveAces(newFolder.getId()));
    RepositoryFileAcl acl = repo.getAcl(newFolder.getId());
    RepositoryFileAcl newAcl = new RepositoryFileAcl.Builder(acl).entriesInheriting(false).ace(new RepositoryFileSid(userNameUtils.getPrincipleId(tenantAcme, USERNAME_SUZY)), RepositoryFilePermission.ALL).ace(new RepositoryFileSid(userNameUtils.getPrincipleId(tenantAcme, USERNAME_TIFFANY)), RepositoryFilePermission.READ).build();
    repo.updateAcl(newAcl);
    List<RepositoryFileAce> expectedEffectiveAces2 = new ArrayList<RepositoryFileAce>();
    expectedEffectiveAces2.add(new RepositoryFileAce(new RepositoryFileSid(USERNAME_SUZY), EnumSet.of(RepositoryFilePermission.ALL)));
    expectedEffectiveAces2.add(new RepositoryFileAce(new RepositoryFileSid(USERNAME_TIFFANY), EnumSet.of(RepositoryFilePermission.READ)));
    assertEquals(expectedEffectiveAces2, repo.getEffectiveAces(newFolder.getId()));
    assertEquals(expectedEffectiveAces2, repo.getEffectiveAces(newFolder.getId(), false));
    assertEquals(expectedEffectiveAces1, repo.getEffectiveAces(newFolder.getId(), true));
}
Also used : RepositoryFileSid(org.pentaho.platform.api.repository2.unified.RepositoryFileSid) ITenant(org.pentaho.platform.api.mt.ITenant) RepositoryFileAce(org.pentaho.platform.api.repository2.unified.RepositoryFileAce) ArrayList(java.util.ArrayList) RepositoryFile(org.pentaho.platform.api.repository2.unified.RepositoryFile) RepositoryFileAcl(org.pentaho.platform.api.repository2.unified.RepositoryFileAcl) Test(org.junit.Test)

Aggregations

RepositoryFileAce (org.pentaho.platform.api.repository2.unified.RepositoryFileAce)19 RepositoryFileAcl (org.pentaho.platform.api.repository2.unified.RepositoryFileAcl)11 RepositoryFileSid (org.pentaho.platform.api.repository2.unified.RepositoryFileSid)9 ArrayList (java.util.ArrayList)7 Test (org.junit.Test)5 ITenant (org.pentaho.platform.api.mt.ITenant)5 RepositoryFile (org.pentaho.platform.api.repository2.unified.RepositoryFile)5 RepositoryFilePermission (org.pentaho.platform.api.repository2.unified.RepositoryFilePermission)5 SpringSecurityRolePrincipal (org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityRolePrincipal)5 Principal (java.security.Principal)4 SpringSecurityUserPrincipal (org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityUserPrincipal)4 Node (javax.jcr.Node)3 RepositoryException (javax.jcr.RepositoryException)3 AccessControlEntry (javax.jcr.security.AccessControlEntry)3 AccessControlList (javax.jcr.security.AccessControlList)3 AccessControlManager (javax.jcr.security.AccessControlManager)2 Privilege (javax.jcr.security.Privilege)2 EntityAcl (org.pentaho.platform.plugin.services.importexport.exportManifest.bindings.EntityAcl)2 AclMetadata (org.pentaho.platform.repository2.unified.jcr.IAclMetadataStrategy.AclMetadata)2 IPermissionConversionHelper (org.pentaho.platform.repository2.unified.jcr.JcrRepositoryFileAclDao.IPermissionConversionHelper)2