Use of org.pentaho.platform.security.policy.rolebased.IRoleAuthorizationPolicyRoleBindingDao in project pentaho-platform by pentaho.
Class PentahoEntryCollector, method getAcesIncludingMagicAces.
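/**
 * Extracts ACEs including magic ACEs. Magic ACEs are added for (1) the owner, (2) as a result of magic ACE
 * definitions, and (3) as a result of ancestor ACL contributions.
 *
 * <p>Modifications to these ACLs are not persisted.</p>
 *
 * <p>When there is no current Pentaho session, or its id is {@code null} or blank, an empty list is returned
 * and {@code acl} is left untouched.</p>
 *
 * @param path path that is compared against the substituted magic ACE definition paths
 * @param owner owner handed to {@code addOwnerAce}; when {@code null} no owner ACE is added
 * @param ancestorAcl ACL handed to {@code getRelevantAncestorAces}
 * @param acl ACL template that receives the owner and magic ACEs in memory
 * @return the entries built from {@code acl}, followed by the relevant entries of {@code ancestorAcl}
 * @throws RepositoryException declared for the repository helpers called from this method
 */
@SuppressWarnings("unchecked")
protected List<PentahoEntry> getAcesIncludingMagicAces(final String path, final String owner,
    final ACLTemplate ancestorAcl, final ACLTemplate acl) throws RepositoryException {
  // Without an identifiable session there is no user to attach magic ACEs to, so nothing is returned.
  if (PentahoSessionHolder.getSession() == null || PentahoSessionHolder.getSession().getId() == null
      || PentahoSessionHolder.getSession().getId().trim().equals("")) { //$NON-NLS-1$
    if (log.isDebugEnabled()) {
      log.debug("no PentahoSession so no magic ACEs"); //$NON-NLS-1$
    }
    return Collections.emptyList();
  }

  if (owner != null) {
    addOwnerAce(owner, acl);
  }

  IRoleAuthorizationPolicyRoleBindingDao roleBindingDao = null;
  try {
    roleBindingDao = PentahoSystem.getObjectFactory().get(IRoleAuthorizationPolicyRoleBindingDao.class,
        "roleAuthorizationPolicyRoleBindingDaoTarget", PentahoSessionHolder.getSession());
  } catch (ObjectFactoryException e) {
    // Report through the class logger rather than stderr so a failed lookup shows up in the platform logs.
    // NOTE(review): roleBindingDao stays null on this path and is still handed to isAllowed(); confirm that
    // isAllowed() denies when the DAO is null, so a lookup failure can never end in a magic ACE being added.
    log.error("unable to obtain roleAuthorizationPolicyRoleBindingDaoTarget for magic ACE evaluation", e); //$NON-NLS-1$
  }

  final ITenant tenant = JcrTenantUtils.getTenant();
  for (final MagicAceDefinition def : getMagicAceDefinitions()) {
    // The definition paths are MessageFormat patterns; argument {0} is the tenant root folder.
    final String tenantRoot = tenant.getRootFolderAbsolutePath();
    final String substitutedPath = MessageFormat.format(def.path, tenantRoot);

    boolean match = false;
    if (isAllowed(roleBindingDao, def.logicalRole)) {
      if (def.applyToTarget) {
        match = path.equals(substitutedPath);
      }
      if (!match && def.applyToChildren) {
        // The trailing "/" keeps a sibling that merely shares a name prefix from matching.
        match = path.startsWith(substitutedPath + "/");
        // check to see if we should exclude the match due to the exclude list
        if (match && def.exceptChildren != null) {
          for (final String childPath : def.exceptChildren) {
            final String substitutedChildPath = MessageFormat.format(childPath, tenantRoot);
            if (path.startsWith(substitutedChildPath + "/")) {
              match = false;
              break;
            }
          }
        }
      }
      if (!match && def.applyToAncestors) {
        // Matches when the definition path lies below the requested path.
        match = substitutedPath.startsWith(path + "/");
      }
    }

    if (match) {
      // The magic ACE is issued to the tenanted form of the current session's user name.
      final Principal principal =
          new MagicPrincipal(JcrTenantUtils.getTenantedUser(PentahoSessionHolder.getSession().getName()));
      // unfortunately, we need the ACLTemplate because it alone can create ACEs that can be cast
      // successfully later; changes are never persisted
      acl.addAccessControlEntry(principal, def.privileges);
    }
  }

  @SuppressWarnings("rawtypes")
  List acEntries = new ArrayList();
  // leaf ACEs go first so ACL metadata ACE stays first
  acEntries.addAll(buildPentahoEntries(acl));
  acEntries.addAll(getRelevantAncestorAces(ancestorAcl));
  return acEntries;
}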