/** * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEditor(Session) */ public AccessControlEditor getEditor(Session session) { checkInitialized(); return new ACLEditor(session, this, allowUnknownPrincipals); }
/** * * @param nodePath the node path * @return the new node * @throws RepositoryException if an error occurs */ private NodeImpl createAclNode(String nodePath) throws RepositoryException { NodeImpl protectedNode = getNode(nodePath); if (!protectedNode.isNodeType(NT_REP_ACCESS_CONTROLLABLE)) { protectedNode.addMixin(NT_REP_ACCESS_CONTROLLABLE); } return addNode(protectedNode, N_POLICY, NT_REP_ACL); }
/** * @see AccessControlEditor#removePolicy(String,AccessControlPolicy) */ public synchronized void removePolicy(String nodePath, AccessControlPolicy policy) throws AccessControlException, RepositoryException { checkProtectsNode(nodePath); checkValidPolicy(nodePath, policy); NodeImpl aclNode = getAclNode(nodePath); if (aclNode != null) { removeItem(aclNode); } else { throw new AccessControlException("No policy to remove at " + nodePath); } }
/** * @see AccessControlEditor#getPolicies(String) */ public AccessControlPolicy[] getPolicies(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException { checkProtectsNode(nodePath); NodeImpl aclNode = getAclNode(nodePath); if (aclNode == null) { return new AccessControlPolicy[0]; } else { return new AccessControlPolicy[] {getACL(aclNode, nodePath)}; } }
/** * Returns the rep:Policy node below the Node identified at the given * path or <code>null</code> if the node is not mix:AccessControllable * or if no policy node exists. * * @param nodePath the node path * @return node or <code>null</code> * @throws PathNotFoundException if not found * @throws RepositoryException if an error occurs */ private NodeImpl getAclNode(String nodePath) throws PathNotFoundException, RepositoryException { NodeImpl controlledNode; if (nodePath == null) { controlledNode = (NodeImpl) session.getRootNode(); } else { controlledNode = getNode(nodePath); } return getAclNode(controlledNode, nodePath); }
checkProtectsNode(nodePath); checkValidPolicy(nodePath, policy); NodeImpl aclNode = getAclNode(nodePath); if (aclNode != null) { removeItem(aceNode); aclNode = (nodePath == null) ? createRepoAclNode() : createAclNode(nodePath); AccessControlEntryImpl ace = (AccessControlEntryImpl) entry; Name nodeName = getUniqueNodeName(aclNode, ace.isAllow() ? "allow" : "deny"); Name ntName = (ace.isAllow()) ? NT_REP_GRANT_ACE : NT_REP_DENY_ACE; ValueFactory vf = session.getValueFactory(); NodeImpl aceNode = addNode(aclNode, nodeName, ntName); setProperty(aceNode, P_PRINCIPAL_NAME, vf.createValue(principalName)); Value[] names = getPrivilegeNames(pvlgs, vf); setProperty(aceNode, P_PRIVILEGES, names); for (Name restrName : restrNames) { Value value = ace.getRestriction(restrName); setProperty(aceNode, restrName, value); markModified(((NodeImpl)aclNode.getParent()));
checkProtectsNode(nodePath); aclName = N_REPO_POLICY; } else { controlledNode = getNode(nodePath); mixin = session.getJCRName(NT_REP_ACCESS_CONTROLLABLE); aclName = N_POLICY; NodeImpl aclNode = getAclNode(controlledNode, nodePath); if (aclNode == null) {
/** * Adds ACE so that everyone can read access control. This allows Jackrabbit's default collectAcls to work without * change. Otherwise, you have to be an admin to call acMgr.getEffectivePolicies. */ protected void updateRootAcl( SessionImpl systemSession, ACLEditor editor ) throws RepositoryException { String rootPath = session.getRootNode().getPath(); AccessControlPolicy[] acls = editor.getPolicies( rootPath ); if ( acls.length > 0 ) { PrincipalManager pMgr = systemSession.getPrincipalManager(); AccessControlManager acMgr = session.getAccessControlManager(); Principal everyone = pMgr.getEveryone(); Privilege[] privs = new Privilege[] { acMgr.privilegeFromName( Privilege.JCR_READ ), acMgr.privilegeFromName( Privilege.JCR_READ_ACCESS_CONTROL ) }; AccessControlList acList = (AccessControlList) acls[0]; AccessControlEntry[] acEntries = acList.getAccessControlEntries(); for ( AccessControlEntry acEntry : acEntries ) { if ( acEntry.getPrincipal().equals( everyone ) ) { acList.removeAccessControlEntry( acEntry ); } } acList.addAccessControlEntry( everyone, privs ); editor.setPolicy( rootPath, acList ); session.save(); } }
@Before public void setup() throws Exception { systemSession = Mockito.mock( SessionImpl.class ); rootNode = Mockito.mock( NodeImpl.class ); pMgr = Mockito.mock( PrincipalManager.class ); editor = Mockito.mock( ACLEditor.class ); acList = Mockito.mock( ACLTemplate.class ); acMgr = Mockito.mock( AccessControlManager.class ); everyone = Mockito.mock( Principal.class ); aclEntry = Mockito.mock( ACLTemplate.Entry.class ); jcrReadAccessControlPriv = Mockito.mock( Privilege.class ); when( systemSession.getRootNode() ).thenReturn( rootNode ); when( systemSession.getPrincipalManager() ).thenReturn( pMgr ); when( systemSession.getAccessControlManager() ).thenReturn( acMgr ); when( rootNode.getPath() ).thenReturn( rootPath ); when( pMgr.getEveryone() ).thenReturn( everyone ); when( acMgr.privilegeFromName( Privilege.JCR_READ_ACCESS_CONTROL ) ).thenReturn( jcrReadAccessControlPriv ); final AccessControlPolicy[] acls = new AccessControlPolicy[]{acList}; when( editor.getPolicies( rootPath ) ).thenReturn( acls ); final AccessControlEntry[] acEntries = new AccessControlEntry[]{ aclEntry }; when( acList.getAccessControlEntries() ).thenReturn( acEntries ); provider = new PentahoACLProvider(); Whitebox.setInternalState( provider, "session", systemSession ); }
/** * * @return the new acl node used to store repository level privileges. * @throws RepositoryException if an error occurs */ private NodeImpl createRepoAclNode() throws RepositoryException { NodeImpl root = (NodeImpl) session.getRootNode(); if (!root.isNodeType(NT_REP_REPO_ACCESS_CONTROLLABLE)) { root.addMixin(NT_REP_REPO_ACCESS_CONTROLLABLE); } return addNode(root, N_REPO_POLICY, NT_REP_ACL); }
/** * Check if the Node identified by <code>nodePath</code> is itself part of ACL * defining content. It this case setting or modifying an AC-policy is * obviously not possible. * * @param nodePath the node path * @throws AccessControlException If the given nodePath identifies a Node that * represents a ACL or ACE item. * @throws RepositoryException */ private void checkProtectsNode(String nodePath) throws RepositoryException { if (nodePath != null) { NodeImpl node = getNode(nodePath); if (utils.isAcItem(node)) { throw new AccessControlException("Node " + nodePath + " defines ACL or ACE itself."); } } }
checkProtectsNode(nodePath); checkValidPolicy(nodePath, policy); NodeImpl aclNode = getAclNode(nodePath); if (aclNode != null) { removeItem(aceNode); aclNode = (nodePath == null) ? createRepoAclNode() : createAclNode(nodePath); AccessControlEntryImpl ace = (AccessControlEntryImpl) entry; Name nodeName = getUniqueNodeName(aclNode, ace.isAllow() ? "allow" : "deny"); Name ntName = (ace.isAllow()) ? NT_REP_GRANT_ACE : NT_REP_DENY_ACE; ValueFactory vf = session.getValueFactory(); NodeImpl aceNode = addNode(aclNode, nodeName, ntName); setProperty(aceNode, P_PRINCIPAL_NAME, vf.createValue(principalName)); Value[] names = getPrivilegeNames(pvlgs, vf); setProperty(aceNode, P_PRIVILEGES, names); for (Name restrName : restrNames) { Value value = ace.getRestriction(restrName); setProperty(aceNode, restrName, value); markModified(((NodeImpl)aclNode.getParent()));
/** * @see AccessControlEditor#getPolicies(String) */ public AccessControlPolicy[] getPolicies(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException { checkProtectsNode(nodePath); NodeImpl aclNode = getAclNode(nodePath); if (aclNode == null) { return new AccessControlPolicy[0]; } else { return new AccessControlPolicy[] {getACL(aclNode, nodePath)}; } }
checkProtectsNode(nodePath); aclName = N_REPO_POLICY; } else { controlledNode = getNode(nodePath); mixin = session.getJCRName(NT_REP_ACCESS_CONTROLLABLE); aclName = N_POLICY; NodeImpl aclNode = getAclNode(controlledNode, nodePath); if (aclNode == null) {
/** * Returns the rep:Policy node below the Node identified at the given * path or <code>null</code> if the node is not mix:AccessControllable * or if no policy node exists. * * @param nodePath the node path * @return node or <code>null</code> * @throws PathNotFoundException if not found * @throws RepositoryException if an error occurs */ private NodeImpl getAclNode(String nodePath) throws PathNotFoundException, RepositoryException { NodeImpl controlledNode; if (nodePath == null) { controlledNode = (NodeImpl) session.getRootNode(); } else { controlledNode = getNode(nodePath); } return getAclNode(controlledNode, nodePath); }
/** * Returns true if the root acl needs updating (if the JCR_READ_ACCESS_CONTROL privilege is missing from the * 'everyone' principle) and false otherwise. */ protected boolean requireRootAclUpdate( ACLEditor editor ) throws RepositoryException { final String rootPath = session.getRootNode().getPath(); final AccessControlPolicy[] acls = editor.getPolicies( rootPath ); if ( acls != null && acls.length > 0 ) { final PrincipalManager pMgr = session.getPrincipalManager(); final AccessControlManager acMgr = session.getAccessControlManager(); final Privilege jcrReadAccessControlPriv = acMgr.privilegeFromName( Privilege.JCR_READ_ACCESS_CONTROL ); final Principal everyone = pMgr.getEveryone(); final AccessControlList acList = (AccessControlList) acls[0]; final AccessControlEntry[] acEntries = acList.getAccessControlEntries(); if ( acEntries != null ) { for ( AccessControlEntry acEntry : acEntries ) { if ( acEntry.getPrincipal() != null && acEntry.getPrincipal().equals( everyone ) && acEntry.getPrivileges() != null ) { return !Arrays.asList( acEntry.getPrivileges() ).contains( jcrReadAccessControlPriv ); } } } } return true; }
/** * * @return the new acl node used to store repository level privileges. * @throws RepositoryException if an error occurs */ private NodeImpl createRepoAclNode() throws RepositoryException { NodeImpl root = (NodeImpl) session.getRootNode(); if (!root.isNodeType(NT_REP_REPO_ACCESS_CONTROLLABLE)) { root.addMixin(NT_REP_REPO_ACCESS_CONTROLLABLE); } return addNode(root, N_REPO_POLICY, NT_REP_ACL); }
/** * Check if the Node identified by <code>nodePath</code> is itself part of ACL * defining content. It this case setting or modifying an AC-policy is * obviously not possible. * * @param nodePath the node path * @throws AccessControlException If the given nodePath identifies a Node that * represents a ACL or ACE item. * @throws RepositoryException */ private void checkProtectsNode(String nodePath) throws RepositoryException { if (nodePath != null) { NodeImpl node = getNode(nodePath); if (utils.isAcItem(node)) { throw new AccessControlException("Node " + nodePath + " defines ACL or ACE itself."); } } }
/** * @see AccessControlEditor#removePolicy(String,AccessControlPolicy) */ public synchronized void removePolicy(String nodePath, AccessControlPolicy policy) throws AccessControlException, RepositoryException { checkProtectsNode(nodePath); checkValidPolicy(nodePath, policy); NodeImpl aclNode = getAclNode(nodePath); if (aclNode != null) { removeItem(aclNode); } else { throw new AccessControlException("No policy to remove at " + nodePath); } }
/** * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEditor(Session) */ public AccessControlEditor getEditor(Session session) { checkInitialized(); return new ACLEditor(session, this, allowUnknownPrincipals); }