
Example 1 with SpringSecurityRolePrincipal

use of org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityRolePrincipal in project pentaho-platform by pentaho.

the class JcrRepositoryFileAclDao method internalUpdateAcl.

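/**
 * Replaces the JCR access control list of the node identified by {@code fileId} with the entries
 * described by {@code acl}, persists it and returns the ACL as re-read from the repository.
 *
 * <p>
 * Every existing entry is removed first and the ACL metadata (owner name and the
 * entries-inheriting flag) is rewritten. Explicit entries are written only when
 * {@code acl.isEntriesInheriting()} is {@code false}; an inheriting ACL is stored empty so the
 * effective permissions come from the ancestors.
 * </p>
 *
 * <p>
 * For a non-inheriting ACL the tenant administrator role always keeps
 * {@link RepositoryFilePermission#ALL} on the node: when the caller supplies no ACE whose role
 * name is {@code tenantAdminAuthorityName}, one is appended. The tenant for that role is taken
 * from the first caller-supplied ACE and falls back to the current session tenant.
 * </p>
 *
 * @param session             JCR session used to read and write the policy
 * @param pentahoJcrConstants not used by this method; kept for signature compatibility
 * @param fileId              JCR node identifier of the file whose ACL is replaced
 * @param acl                 desired ACL; its owner must be non-null
 * @return the ACL as stored after {@code session.save()}
 * @throws RepositoryException if the node cannot be found or the policy cannot be written
 * @throws RuntimeException    if kiosk mode is enabled (all ACL changes are denied)
 */
protected RepositoryFileAcl internalUpdateAcl(final Session session, final PentahoJcrConstants pentahoJcrConstants, final Serializable fileId, final RepositoryFileAcl acl) throws RepositoryException {
    if (isKioskEnabled()) {
        // $NON-NLS-1$
        throw new RuntimeException(Messages.getInstance().getString("JcrRepositoryFileDao.ERROR_0006_ACCESS_DENIED"));
    }
    DefaultPermissionConversionHelper permissionConversionHelper = new DefaultPermissionConversionHelper(session);
    Node node = session.getNodeByIdentifier(fileId.toString());
    if (node == null) {
        throw new RepositoryException(Messages.getInstance().getString("JackrabbitRepositoryFileAclDao.ERROR_0001_NODE_NOT_FOUND", // $NON-NLS-1$
        fileId.toString()));
    }
    String absPath = node.getPath();
    AccessControlManager acMgr = session.getAccessControlManager();
    AccessControlList acList = getAccessControlList(acMgr, absPath);
    // Clean slate: drop every existing entry (the metadata entry is rewritten below) so a stale
    // grant cannot survive an update.
    for (AccessControlEntry existing : acList.getAccessControlEntries()) {
        acList.removeAccessControlEntry(existing);
    }
    // NOTE(review): acl.getOwner() is dereferenced without a null check; a null owner throws NPE here.
    JcrRepositoryFileAclUtils.setAclMetadata(session, absPath, acList, new AclMetadata(acl.getOwner().getName(), acl.isEntriesInheriting()));
    // Entries are only written for a non-inheriting ACL; force the caller to start from an empty list.
    if (!acl.isEntriesInheriting()) {
        // The original iterated acl.getAces() before testing it for null; treat null as "no entries".
        List<RepositoryFileAce> aces = acl.getAces();
        boolean adminPrincipalExist = false;
        if (aces != null) {
            for (RepositoryFileAce ace : aces) {
                Principal principal;
                if (RepositoryFileSid.Type.ROLE == ace.getSid().getType()) {
                    String principalName = JcrTenantUtils.getRoleNameUtils().getPrincipleName(ace.getSid().getName());
                    if (tenantAdminAuthorityName.equals(principalName)) {
                        adminPrincipalExist = true;
                    }
                    principal = new SpringSecurityRolePrincipal(JcrTenantUtils.getTenantedRole(ace.getSid().getName()));
                } else {
                    principal = new SpringSecurityUserPrincipal(JcrTenantUtils.getTenantedUser(ace.getSid().getName()));
                }
                acList.addAccessControlEntry(principal, permissionConversionHelper.pentahoPermissionsToPrivileges(session, ace.getPermissions()));
            }
        }
        if (!adminPrincipalExist) {
            // The tenant admin role must never be locked out of a file. The tenant is derived from
            // the first caller-supplied ACE and falls back to the session tenant.
            // NOTE(review): the ACE names are caller-controlled, so the tenant of the forced admin
            // grant is too; confirm that callers are validated against the current tenant upstream.
            ITenant principalTenant = null;
            if (aces != null && !aces.isEmpty()) {
                principalTenant = JcrTenantUtils.getRoleNameUtils().getTenant(aces.get(0).getSid().getName());
            }
            if (principalTenant == null || principalTenant.getId() == null) {
                principalTenant = JcrTenantUtils.getTenant();
            }
            Principal adminPrincipal = new SpringSecurityRolePrincipal(JcrTenantUtils.getRoleNameUtils().getPrincipleId(principalTenant, tenantAdminAuthorityName));
            acList.addAccessControlEntry(adminPrincipal, permissionConversionHelper.pentahoPermissionsToPrivileges(session, EnumSet.of(RepositoryFilePermission.ALL)));
        }
    }
    acMgr.setPolicy(absPath, acList);
    session.save();
    return getAcl(fileId);
}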

Example 2 with SpringSecurityRolePrincipal

use of org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityRolePrincipal in project pentaho-platform by pentaho.

the class JcrRepositoryFileAclDao method toAcl.

/**
 * Builds the repository-level ACL view of the node identified by {@code id} from its JCR access
 * control list.
 *
 * <p>
 * The ACL metadata pseudo-entry is stripped, the owner (when recorded) is exposed as a USER sid,
 * and any entry granted to the tenant administrator role is filtered out, so the administrator
 * grant the repository enforces on non-inheriting ACLs is not surfaced to API callers.
 * </p>
 *
 * @throws RepositoryException if no node with {@code id} exists or the policy cannot be read
 */
private RepositoryFileAcl toAcl(final Session session, final PentahoJcrConstants pentahoJcrConstants, final Serializable id) throws RepositoryException {
    final Node node = session.getNodeByIdentifier(id.toString());
    if (node == null) {
        throw new RepositoryException(Messages.getInstance().getString("JackrabbitRepositoryFileAclDao.ERROR_0001_NODE_NOT_FOUND", // $NON-NLS-1$
        id.toString()));
    }
    final String absPath = node.getPath();
    final AccessControlList acList = getAccessControlList(session.getAccessControlManager(), absPath);
    // The metadata records only an owner name, so the owner is always reported as a USER sid
    // (the original notes this "only has UI impact").
    final String ownerName = getOwner(session, absPath, acList);
    final RepositoryFileSid ownerSid = ownerName == null ? null : new RepositoryFileSid(JcrTenantUtils.getUserNameUtils().getPrincipleName(ownerName), RepositoryFileSid.Type.USER);
    final RepositoryFileAcl.Builder builder = new RepositoryFileAcl.Builder(id, ownerSid);
    builder.entriesInheriting(isEntriesInheriting(session, absPath, acList));
    // The tenant admin ACE is an implementation detail of the repository and is hidden from the API view.
    final SpringSecurityRolePrincipal tenantAdmin = new SpringSecurityRolePrincipal(JcrTenantUtils.getTenantedRole(tenantAdminAuthorityName));
    for (AccessControlEntry entry : JcrRepositoryFileAclUtils.removeAclMetadata(Arrays.asList(acList.getAccessControlEntries()))) {
        if (entry.getPrincipal().equals(tenantAdmin)) {
            continue;
        }
        builder.ace(toAce(session, entry));
    }
    return builder.build();
}

Example 3 with SpringSecurityRolePrincipal

use of org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityRolePrincipal in project pentaho-platform by pentaho.

the class JcrRepositoryFileAclDao method getEffectiveAces.

// ~ Methods
// =========================================================================================================
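/**
 * {@inheritDoc}
 *
 * <p>
 * Walks the effective access control policies of the node (leaf to root, as returned by
 * {@code AccessControlManager.getEffectivePolicies}) and returns the entries of the first policy
 * whose ACL metadata says it does not inherit; when every policy inherits, the entries of the last
 * (root) policy are returned. The ACL metadata pseudo-entry and any entry granted to the tenant
 * administrator role are removed from the result.
 * </p>
 *
 * <p>
 * When {@code forceEntriesInheriting} is {@code true} the lookup starts at the parent node, i.e.
 * it answers "what would this node's ACEs be if it inherited". The root node has no parent and
 * is evaluated as is.
 * </p>
 */
@SuppressWarnings("unchecked")
public List<RepositoryFileAce> getEffectiveAces(final Serializable id, final boolean forceEntriesInheriting) {
    return (List<RepositoryFileAce>) jcrTemplate.execute(new JcrCallback() {

        public Object doInJcr(final Session session) throws RepositoryException, IOException {
            Node node = session.getNodeByIdentifier(id.toString());
            if (node == null) {
                throw new RepositoryException(Messages.getInstance().getString("JackrabbitRepositoryFileAclDao.ERROR_0001_NODE_NOT_FOUND", // $NON-NLS-1$
                id.toString()));
            }
            // Consult the parent's effective policy when forced. Per the JCR API, getParent() on
            // the root node throws ItemNotFoundException instead of returning null, so the
            // original "getParent() != null" test never guarded the root; test the depth instead.
            if (forceEntriesInheriting && node.getDepth() > 0) {
                node = node.getParent();
            }
            String absPath = node.getPath();
            AccessControlPolicy[] acPolicies = session.getAccessControlManager().getEffectivePolicies(absPath);
            // logic assumes policies are ordered from leaf to root
            for (AccessControlPolicy policy : acPolicies) {
                Assert.isTrue(policy instanceof AccessControlList);
                AccessControlList acList = ((AccessControlList) policy);
                if (!isEntriesInheriting(session, absPath, acList)) {
                    return collectNonAdminAces(session, acList);
                }
            }
            // none are entriesInheriting=false so root aces are the effective aces
            // NOTE(review): assumes at least one effective policy exists; an empty array throws
            // ArrayIndexOutOfBoundsException here, exactly as the original did.
            return collectNonAdminAces(session, (AccessControlList) acPolicies[acPolicies.length - 1]);
        }
    });
}

/**
 * Converts the entries of {@code acList} to {@link RepositoryFileAce}s, dropping the ACL metadata
 * pseudo-entry and any entry granted to the tenant administrator role (that grant is enforced by
 * the repository itself and is not part of the user-visible ACL).
 */
private List<RepositoryFileAce> collectNonAdminAces(final Session session, final AccessControlList acList) throws RepositoryException, IOException {
    SpringSecurityRolePrincipal tenantAdmin = new SpringSecurityRolePrincipal(JcrTenantUtils.getTenantedRole(tenantAdminAuthorityName));
    List<RepositoryFileAce> aces = new ArrayList<RepositoryFileAce>();
    List<AccessControlEntry> cleanedAcEntries = JcrRepositoryFileAclUtils.removeAclMetadata(Arrays.asList(acList.getAccessControlEntries()));
    for (AccessControlEntry acEntry : cleanedAcEntries) {
        if (!acEntry.getPrincipal().equals(tenantAdmin)) {
            aces.add(toAce(session, acEntry));
        }
    }
    return aces;
}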

Example 4 with SpringSecurityRolePrincipal

use of org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityRolePrincipal in project pentaho-platform by pentaho.

the class JcrRepositoryFileAclUtils method internalUpdateAcl.

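/**
 * Replaces the JCR ACL of the node identified by {@code fileId} with the entries of {@code acl},
 * persists it and returns the ACL as re-read from the repository.
 *
 * <p>
 * All existing entries are removed first and the ACL metadata (owner name, entries-inheriting
 * flag) is rewritten. Explicit entries are added only for a non-inheriting ACL; an inheriting ACL
 * is stored empty so the effective permissions come from the ancestors.
 * </p>
 *
 * <p>
 * Unlike {@code JcrRepositoryFileAclDao.internalUpdateAcl}, this utility does not append a
 * tenant-administrator entry when the caller omits one. A caller that relies on the administrator
 * always retaining access to the node must include that ACE itself.
 * </p>
 *
 * @param session             JCR session used to read and write the policy
 * @param pentahoJcrConstants passed through to {@code getAcl}
 * @param fileId              JCR node identifier of the file whose ACL is replaced
 * @param acl                 desired ACL; its owner must be non-null
 * @return the ACL as stored after {@code session.save()}
 * @throws RepositoryException if the node does not exist or the policy cannot be written
 */
private static RepositoryFileAcl internalUpdateAcl(final Session session, final PentahoJcrConstants pentahoJcrConstants, final Serializable fileId, final RepositoryFileAcl acl) throws RepositoryException {
    Node node = session.getNodeByIdentifier(fileId.toString());
    if (node == null) {
        // $NON-NLS-1$
        throw new RepositoryException("Node not found");
    }
    String absPath = node.getPath();
    AccessControlManager acMgr = session.getAccessControlManager();
    AccessControlList acList = getAccessControlList(acMgr, absPath);
    // Clean slate: remove every existing entry so a stale grant cannot survive the update.
    for (AccessControlEntry existing : acList.getAccessControlEntries()) {
        acList.removeAccessControlEntry(existing);
    }
    // NOTE(review): acl.getOwner() is dereferenced without a null check, as in the original.
    JcrRepositoryFileAclUtils.setAclMetadata(session, absPath, acList, new AclMetadata(acl.getOwner().getName(), acl.isEntriesInheriting()));
    // Entries are only written for a non-inheriting ACL; force the caller to start from an empty list.
    if (!acl.isEntriesInheriting()) {
        // One conversion helper for the whole update (the original re-created it for every ACE).
        IPermissionConversionHelper permissionConversionHelper = new DefaultPermissionConversionHelper(session);
        // A null ACE list is treated as "no explicit entries" instead of a NullPointerException.
        if (acl.getAces() != null) {
            for (RepositoryFileAce ace : acl.getAces()) {
                Principal principal;
                if (RepositoryFileSid.Type.ROLE == ace.getSid().getType()) {
                    principal = new SpringSecurityRolePrincipal(JcrTenantUtils.getTenantedRole(ace.getSid().getName()));
                } else {
                    principal = new SpringSecurityUserPrincipal(JcrTenantUtils.getTenantedUser(ace.getSid().getName()));
                }
                acList.addAccessControlEntry(principal, permissionConversionHelper.pentahoPermissionsToPrivileges(session, ace.getPermissions()));
            }
        }
    }
    acMgr.setPolicy(absPath, acList);
    session.save();
    return getAcl(session, pentahoJcrConstants, fileId);
}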

Example 5 with SpringSecurityRolePrincipal

use of org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityRolePrincipal in project pentaho-platform by pentaho.

the class TestPrincipalProvider method getGroupMembership.

/**
 * {@inheritDoc}
 *
 * <p>
 * Called from {@code AbstractLoginModule.getPrincipals()}
 * </p>
 *
 * <p>
 * Group resolution, in order: the statically configured {@code roleAssignments} for the principal
 * name, {@code EveryonePrincipal} for every principal, the admin role for an
 * {@code AdminPrincipal}, and for a {@code UserPrincipal} either the roles held by
 * {@code userRoleDao} (when one is configured) or a hard-coded table keyed on user-name prefix.
 * {@code EveryonePrincipal} and {@code AclMetadataPrincipal} are members of nothing.
 * </p>
 *
 * <p>
 * This is a test fixture: the prefix table grants TenantAdmin / SysAdmin purely from the user
 * name and must never be wired into a real deployment.
 * </p>
 */
@Override
public PrincipalIterator getGroupMembership(Principal principal) {
    if (principal instanceof EveryonePrincipal || principal instanceof AclMetadataPrincipal) {
        return PrincipalIteratorAdapter.EMPTY;
    }
    final String name = principal.getName();
    final Set<Principal> groups;
    if (roleAssignments.containsKey(name)) {
        groups = new HashSet<Principal>(roleAssignments.get(name));
    } else {
        groups = new HashSet<Principal>();
    }
    groups.add(EveryonePrincipal.getInstance());
    if (principal instanceof AdminPrincipal) {
        groups.add(adminRolePrincipal);
    } else if (principal instanceof UserPrincipal) {
        if (userRoleDao != null) {
            try {
                addRolePrincipals(groups, userRoleDao.getUserRoles(null, name));
            } catch (Exception firstAttempt) {
                // Single blind retry, preserved from the original; the first failure is discarded.
                // NOTE(review): a second failure propagates unchanged - consider logging firstAttempt.
                addRolePrincipals(groups, userRoleDao.getUserRoles(null, name));
            }
        } else if (name != null) {
            // Test-only fixture: roles are assigned from the user-name prefix alone.
            if (name.startsWith("admin") || name.startsWith("suzy") || name.startsWith("tiffany")) {
                ITenant tenant = tenantedUserNameUtils.getTenant(name);
                groups.add(new SpringSecurityRolePrincipal(tenantedRoleNameUtils.getPrincipleId(tenant, "Authenticated")));
            }
            if (name.startsWith("admin")) {
                ITenant tenant = tenantedUserNameUtils.getTenant(name);
                groups.add(new SpringSecurityRolePrincipal(tenantedRoleNameUtils.getPrincipleId(tenant, "TenantAdmin")));
            }
            if (name.startsWith("super")) {
                ITenant tenant = tenantedUserNameUtils.getTenant(name);
                groups.add(new SpringSecurityRolePrincipal(tenantedRoleNameUtils.getPrincipleId(tenant, "SysAdmin")));
            }
        }
    }
    return new PrincipalIteratorAdapter(groups);
}

/**
 * Adds one {@link SpringSecurityRolePrincipal} per role to {@code groups}, named from the role's
 * tenant and role name via {@code tenantedRoleNameUtils}.
 */
private void addRolePrincipals(final Set<Principal> groups, final List<IPentahoRole> roles) {
    for (IPentahoRole role : roles) {
        groups.add(new SpringSecurityRolePrincipal(tenantedRoleNameUtils.getPrincipleId(role.getTenant(), role.getName())));
    }
}
