Examples with AclMetadata org.pentaho.platform.repository2.unified.jcr.IAclMetadataStrategy.AclMetadata used on opensource projects

Example 1 with AclMetadata

use of org.pentaho.platform.repository2.unified.jcr.IAclMetadataStrategy.AclMetadata in project pentaho-platform by pentaho.

the class JcrRepositoryFileAclDao method internalUpdateAcl.

protected RepositoryFileAcl internalUpdateAcl(final Session session, final PentahoJcrConstants pentahoJcrConstants, final Serializable fileId, final RepositoryFileAcl acl) throws RepositoryException {
    if (isKioskEnabled()) {
        // $NON-NLS-1$
        throw new RuntimeException(Messages.getInstance().getString("JcrRepositoryFileDao.ERROR_0006_ACCESS_DENIED"));
    }
    DefaultPermissionConversionHelper permissionConversionHelper = new DefaultPermissionConversionHelper(session);
    Node node = session.getNodeByIdentifier(fileId.toString());
    if (node == null) {
        throw new RepositoryException(Messages.getInstance().getString("JackrabbitRepositoryFileAclDao.ERROR_0001_NODE_NOT_FOUND", // $NON-NLS-1$
        fileId.toString()));
    }
    String absPath = node.getPath();
    AccessControlManager acMgr = session.getAccessControlManager();
    AccessControlList acList = getAccessControlList(acMgr, absPath);
    // clear all entries
    AccessControlEntry[] acEntries = acList.getAccessControlEntries();
    for (int i = 0; i < acEntries.length; i++) {
        acList.removeAccessControlEntry(acEntries[i]);
    }
    JcrRepositoryFileAclUtils.setAclMetadata(session, absPath, acList, new AclMetadata(acl.getOwner().getName(), acl.isEntriesInheriting()));
    // add entries to now empty list but only if not inheriting; force user to start with clean slate
    boolean adminPrincipalExist = false;
    ITenant principalTenant = null;
    if (!acl.isEntriesInheriting()) {
        for (RepositoryFileAce ace : acl.getAces()) {
            Principal principal = null;
            if (RepositoryFileSid.Type.ROLE == ace.getSid().getType()) {
                String principalName = JcrTenantUtils.getRoleNameUtils().getPrincipleName(ace.getSid().getName());
                if (tenantAdminAuthorityName.equals(principalName)) {
                    adminPrincipalExist = true;
                }
                principal = new SpringSecurityRolePrincipal(JcrTenantUtils.getTenantedRole(ace.getSid().getName()));
            } else {
                principal = new SpringSecurityUserPrincipal(JcrTenantUtils.getTenantedUser(ace.getSid().getName()));
            }
            acList.addAccessControlEntry(principal, permissionConversionHelper.pentahoPermissionsToPrivileges(session, ace.getPermissions()));
        }
        if (!adminPrincipalExist) {
            if (acl.getAces() != null && acl.getAces().size() > 0) {
                principalTenant = JcrTenantUtils.getRoleNameUtils().getTenant(acl.getAces().get(0).getSid().getName());
            }
            if (principalTenant == null || principalTenant.getId() == null) {
                principalTenant = JcrTenantUtils.getTenant();
            }
            List<RepositoryFilePermission> permissionList = new ArrayList<RepositoryFilePermission>();
            permissionList.add(RepositoryFilePermission.ALL);
            Principal adminPrincipal = new SpringSecurityRolePrincipal(JcrTenantUtils.getRoleNameUtils().getPrincipleId(principalTenant, tenantAdminAuthorityName));
            acList.addAccessControlEntry(adminPrincipal, permissionConversionHelper.pentahoPermissionsToPrivileges(session, EnumSet.copyOf(permissionList)));
        }
    }
    acMgr.setPolicy(absPath, acList);
    session.save();
    return getAcl(fileId);
}

Example 2 with AclMetadata

use of org.pentaho.platform.repository2.unified.jcr.IAclMetadataStrategy.AclMetadata in project pentaho-platform by pentaho.

the class PentahoEntryCollector method getEntries.

/**
 * Returns an {@code Entries} for the given node. This is where most of the customization lives.
 */
@Override
protected PentahoEntries getEntries(final NodeImpl node) throws RepositoryException {
    // find nearest node with an ACL that is not inheriting ACEs
    NodeImpl currentNode = node;
    ACLTemplate acl;
    // if we do hit the root, then you get jcr:read for everyone which is acceptable
    if (currentNode.getPath().startsWith("/jcr:system/jcr:versionStorage")) {
        // $NON-NLS-1$
        currentNode = getVersionable(currentNode);
    }
    // find first access-controlled node
    currentNode = findAccessControlledNode(currentNode);
    acl = new ACLTemplate(currentNode.getNode(N_POLICY), currentNode.getPath(), false);
    // owner comes from the first access-controlled node
    String owner = null;
    AclMetadata aclMetadata = JcrRepositoryFileAclUtils.getAclMetadata(systemSession, currentNode.getPath(), acl);
    if (aclMetadata != null) {
        owner = aclMetadata.getOwner();
    }
    // find the ACL
    NodeImpl firstAccessControlledNode = currentNode;
    currentNode = findNonInheritingNode(currentNode);
    acl = new ACLTemplate(currentNode.getNode(N_POLICY), currentNode.getPath(), false);
    // permissions. This needs to transform to become addChild removeChild
    if (!currentNode.isSame(node)) {
        Privilege removeNodePrivilege = systemSession.getAccessControlManager().privilegeFromName(Privilege.JCR_REMOVE_NODE);
        Privilege removeChildNodesPrivilege = systemSession.getAccessControlManager().privilegeFromName(Privilege.JCR_REMOVE_CHILD_NODES);
        for (AccessControlEntry entry : acl.getEntries()) {
            Privilege[] expandedPrivileges = JcrRepositoryFileAclUtils.expandPrivileges(entry.getPrivileges(), false);
            if (ArrayUtils.contains(expandedPrivileges, removeChildNodesPrivilege) && !ArrayUtils.contains(expandedPrivileges, removeNodePrivilege)) {
                if (!acl.addAccessControlEntry(entry.getPrincipal(), new Privilege[] { removeNodePrivilege })) {
                    // two
                    throw new RuntimeException();
                }
                break;
            }
        }
    }
    // find first ancestor that is not inheriting; its ACEs will be used if the ACL is not inheriting
    ACLTemplate ancestorAcl = null;
    if (firstAccessControlledNode.isSame(currentNode) && !rootID.equals(currentNode.getNodeId())) {
        NodeImpl ancestorNode = findNonInheritingNode((NodeImpl) currentNode.getParent());
        ancestorAcl = new ACLTemplate(ancestorNode.getNode(N_POLICY), ancestorNode.getPath(), false);
    }
    return new PentahoEntries(getAcesIncludingMagicAces(currentNode.getPath(), owner, ancestorAcl, acl), null);
}

Example 3 with AclMetadata

use of org.pentaho.platform.repository2.unified.jcr.IAclMetadataStrategy.AclMetadata in project pentaho-platform by pentaho.

the class PentahoEntryCollector method findNonInheritingNode.

/**
 * Find the ancestor (maybe the node itself) that is not inheriting ACEs.
 */
protected NodeImpl findNonInheritingNode(final NodeImpl node) throws RepositoryException {
    NodeImpl currentNode = node;
    ACLTemplate acl;
    while (true) {
        currentNode = findAccessControlledNode(currentNode);
        NodeImpl aclNode = currentNode.getNode(N_POLICY);
        String path = aclNode != null ? aclNode.getParent().getPath() : null;
        acl = new ACLTemplate(aclNode, path, false);
        // skip all nodes that are inheriting
        AclMetadata aclMetadata = JcrRepositoryFileAclUtils.getAclMetadata(systemSession, currentNode.getPath(), acl);
        if (aclMetadata != null && aclMetadata.isEntriesInheriting()) {
            currentNode = (NodeImpl) currentNode.getParent();
            continue;
        }
        break;
    }
    return currentNode;
}

Example 4 with AclMetadata

use of org.pentaho.platform.repository2.unified.jcr.IAclMetadataStrategy.AclMetadata in project pentaho-platform by pentaho.

the class JcrRepositoryFileAclUtils method internalUpdateAcl.

private static RepositoryFileAcl internalUpdateAcl(final Session session, final PentahoJcrConstants pentahoJcrConstants, final Serializable fileId, final RepositoryFileAcl acl) throws RepositoryException {
    Node node = session.getNodeByIdentifier(fileId.toString());
    if (node == null) {
        // $NON-NLS-1$
        throw new RepositoryException("Node not found");
    }
    String absPath = node.getPath();
    AccessControlManager acMgr = session.getAccessControlManager();
    AccessControlList acList = getAccessControlList(acMgr, absPath);
    // clear all entries
    AccessControlEntry[] acEntries = acList.getAccessControlEntries();
    for (int i = 0; i < acEntries.length; i++) {
        acList.removeAccessControlEntry(acEntries[i]);
    }
    JcrRepositoryFileAclUtils.setAclMetadata(session, absPath, acList, new AclMetadata(acl.getOwner().getName(), acl.isEntriesInheriting()));
    // add entries to now empty list but only if not inheriting; force user to start with clean slate
    if (!acl.isEntriesInheriting()) {
        for (RepositoryFileAce ace : acl.getAces()) {
            Principal principal = null;
            if (RepositoryFileSid.Type.ROLE == ace.getSid().getType()) {
                principal = new SpringSecurityRolePrincipal(JcrTenantUtils.getTenantedRole(ace.getSid().getName()));
            } else {
                principal = new SpringSecurityUserPrincipal(JcrTenantUtils.getTenantedUser(ace.getSid().getName()));
            }
            IPermissionConversionHelper permissionConversionHelper = new DefaultPermissionConversionHelper(session);
            acList.addAccessControlEntry(principal, permissionConversionHelper.pentahoPermissionsToPrivileges(session, ace.getPermissions()));
        }
    }
    acMgr.setPolicy(absPath, acList);
    session.save();
    return getAcl(session, pentahoJcrConstants, fileId);
}