CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder() .connectString(connectString) .retryPolicy(new ExponentialBackoffRetry(retryInitialWaitMs, maxRetryCount)) .connectionTimeoutMs(connectionTimeoutMs) .sessionTimeoutMs(sessionTimeoutMs); /* * If authorization information is available, those will be added to the client. NOTE: These auth info are * for access control, therefore no authentication will happen when the client is being started. These * info will only be required whenever a client is accessing an already create ZNode. For another client of * another node to make use of a ZNode created by this node, it should also provide the same auth info. */ if (zkUsername != null && zkPassword != null) { String authenticationString = zkUsername + ":" + zkPassword; builder.authorization("digest", authenticationString.getBytes()) .aclProvider(new ACLProvider() { @Override public List<ACL> getDefaultAcl() { return ZooDefs.Ids.CREATOR_ALL_ACL; } @Override public List<ACL> getAclForPath(String path) { return ZooDefs.Ids.CREATOR_ALL_ACL; } }); } CuratorFramework client = builder.build();
checkInitialized(); if (absPath == null) { targetNode = (NodeImpl) session.getRootNode(); if (isRepoAccessControlled(targetNode)) { if (permissions.grants(targetNode.getPrimaryPath(), Permission.READ_AC)) { acls.add(getACL(targetNode, N_REPO_POLICY, null)); } else { throw new AccessDeniedException("Access denied at " + targetNode.getPath()); NodeImpl node = getNode(targetNode, isAcItem(targetNode)); collectAcls(node, permissions, acls);
/** * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#init(Session, Map) */ @Override public void init(Session systemSession, Map configuration) throws RepositoryException { super.init(systemSession, configuration); allowUnknownPrincipals = "true".equals(configuration.get(PARAM_ALLOW_UNKNOWN_PRINCIPALS)); // make sure the workspace of the given systemSession has a // minimal protection on the root node. NodeImpl root = (NodeImpl) session.getRootNode(); rootNodeId = root.getNodeId(); ACLEditor systemEditor = new ACLEditor(session, this, allowUnknownPrincipals); // TODO: replace by configurable default policy (see JCR-2331) boolean initializedWithDefaults = !configuration.containsKey(PARAM_OMIT_DEFAULT_PERMISSIONS); if (initializedWithDefaults && !isAccessControlled(root)) { initRootACL(session, systemEditor); } entryCollector = createEntryCollector(session); }
/** * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#compilePermissions(Set) */ public CompiledPermissions compilePermissions(Set<Principal> principals) throws RepositoryException { checkInitialized(); if (isAdminOrSystem(principals)) { return getAdminPermissions(); } else if (isReadOnly(principals)) { return getReadOnlyPermissions(); } else { return new CompiledPermissionsImpl(principals, session, entryCollector, this, true); } }
/** * Returns the rep:Policy node below the given Node or <code>null</code> * if the node is not mix:AccessControllable or if no policy node exists. * * @param controlledNode the controlled node * @param nodePath * @return node or <code>null</code> * @throws RepositoryException if an error occurs */ private NodeImpl getAclNode(NodeImpl controlledNode, String nodePath) throws RepositoryException { NodeImpl aclNode = null; if (nodePath == null) { if (ACLProvider.isRepoAccessControlled(controlledNode)) { aclNode = controlledNode.getNode(N_REPO_POLICY); } } else { if (ACLProvider.isAccessControlled(controlledNode)) { aclNode = controlledNode.getNode(N_POLICY); } } return aclNode; }
NodeImpl accessControlledNode = (NodeImpl) aclNode.getParent(); if (N_POLICY.equals(aclName) && isAccessControlled(accessControlledNode)) { if (permissions.canRead(aclNode.getPrimaryPath(), aclNode.getNodeId())) { acls.add(getACL(accessControlledNode, N_POLICY, accessControlledNode.getPath())); } else { throw new AccessDeniedException("Access denied at " + Text.getRelativeParent(aclNode.getPath(), 1)); } else if (N_REPO_POLICY.equals(aclName) && isRepoAccessControlled(accessControlledNode)) { if (permissions.canRead(aclNode.getPrimaryPath(), aclNode.getNodeId())) { acls.add(getACL(accessControlledNode, N_REPO_POLICY, null)); } else { throw new AccessDeniedException("Access denied at " + Text.getRelativeParent(aclNode.getPath(), 1));
/** * Recursively collects all ACLs that are effective on the specified node. * * @param node the Node to collect the ACLs for, which must NOT be part of the * structure defined by mix:AccessControllable. * @param permissions * @param acls List used to collect the effective acls. * @throws RepositoryException if an error occurs */ private void collectAcls(NodeImpl node, CompiledPermissions permissions, List<AccessControlList> acls) throws RepositoryException { // if the given node is access-controlled, construct a new ACL and add // it to the list if (isAccessControlled(node)) { if (permissions.grants(node.getPrimaryPath(), Permission.READ_AC)) { acls.add(getACL(node, N_POLICY, node.getPath())); } else { throw new AccessDeniedException("Access denied at " + node.getPath()); } } // then, recursively look for access controlled parents up the hierarchy. if (!rootNodeId.equals(node.getId())) { NodeImpl parentNode = (NodeImpl) node.getParent(); collectAcls(parentNode, permissions, acls); } }
/** * Find the ancestor (maybe the node itself) that is access-controlled. */ protected NodeImpl findAccessControlledNode( final NodeImpl node ) throws RepositoryException { NodeImpl currentNode = node; // skip all nodes that are not access-controlled; might eventually hit root which is always access-controlled while ( !ACLProvider.isAccessControlled( currentNode ) ) { currentNode = (NodeImpl) currentNode.getParent(); } return currentNode; }
if (ACLProvider.isRepoAccessControlled(root)) { NodeImpl aclNode = root.getNode(N_REPO_POLICY); filterEntries(filter, Entry.readEntries(aclNode, null), userAces, groupAces);
NodeImpl n = ACLProvider.getNode(node, isAcItem); Iterator<Entry> entries = entryCollector.collectEntries(n, filter).iterator();
/** * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#canAccessRoot(Set) */ public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException { checkInitialized(); if (isAdminOrSystem(principals)) { return true; } else { CompiledPermissions cp = new CompiledPermissionsImpl(principals, session, entryCollector, this, false); try { return cp.canRead(null, rootNodeId); } finally { cp.close(); } } }
/** * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEditor(Session) */ public AccessControlEditor getEditor(Session session) { checkInitialized(); return new ACLEditor(session, this, allowUnknownPrincipals); }
/** * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#compilePermissions(Set) */ public CompiledPermissions compilePermissions(Set<Principal> principals) throws RepositoryException { checkInitialized(); if (isAdminOrSystem(principals)) { return getAdminPermissions(); } else if (isReadOnly(principals)) { return getReadOnlyPermissions(); } else { return new CompiledPermissionsImpl(principals, session, entryCollector, this, true); } }
NodeImpl accessControlledNode = (NodeImpl) aclNode.getParent(); if (N_POLICY.equals(aclName) && isAccessControlled(accessControlledNode)) { if (permissions.canRead(aclNode.getPrimaryPath(), aclNode.getNodeId())) { acls.add(getACL(accessControlledNode, N_POLICY, accessControlledNode.getPath())); } else { throw new AccessDeniedException("Access denied at " + Text.getRelativeParent(aclNode.getPath(), 1)); } else if (N_REPO_POLICY.equals(aclName) && isRepoAccessControlled(accessControlledNode)) { if (permissions.canRead(aclNode.getPrimaryPath(), aclNode.getNodeId())) { acls.add(getACL(accessControlledNode, N_REPO_POLICY, null)); } else { throw new AccessDeniedException("Access denied at " + Text.getRelativeParent(aclNode.getPath(), 1));
/** * Returns the rep:Policy node below the given Node or <code>null</code> * if the node is not mix:AccessControllable or if no policy node exists. * * @param controlledNode the controlled node * @param nodePath * @return node or <code>null</code> * @throws RepositoryException if an error occurs */ private NodeImpl getAclNode(NodeImpl controlledNode, String nodePath) throws RepositoryException { NodeImpl aclNode = null; if (nodePath == null) { if (ACLProvider.isRepoAccessControlled(controlledNode)) { aclNode = controlledNode.getNode(N_REPO_POLICY); } } else { if (ACLProvider.isAccessControlled(controlledNode)) { aclNode = controlledNode.getNode(N_POLICY); } } return aclNode; }
/** * Recursively collects all ACLs that are effective on the specified node. * * @param node the Node to collect the ACLs for, which must NOT be part of the * structure defined by mix:AccessControllable. * @param permissions * @param acls List used to collect the effective acls. * @throws RepositoryException if an error occurs */ private void collectAcls(NodeImpl node, CompiledPermissions permissions, List<AccessControlList> acls) throws RepositoryException { // if the given node is access-controlled, construct a new ACL and add // it to the list if (isAccessControlled(node)) { if (permissions.grants(node.getPrimaryPath(), Permission.READ_AC)) { acls.add(getACL(node, N_POLICY, node.getPath())); } else { throw new AccessDeniedException("Access denied at " + node.getPath()); } } // then, recursively look for access controlled parents up the hierarchy. if (!rootNodeId.equals(node.getId())) { NodeImpl parentNode = (NodeImpl) node.getParent(); collectAcls(parentNode, permissions, acls); } }
/** * Evaluates if the given node is access controlled and holds a non-empty rep:policy child node. * * @param n The node to test. * @return true if the specified node is access controlled and holds a non-empty policy child node. * @throws RepositoryException If an error occurs. */ private static boolean hasEntries( NodeImpl n ) throws RepositoryException { if ( ACLProvider.isAccessControlled( n ) ) { NodeImpl aclNode = n.getNode( N_POLICY ); return aclNode.hasNodes(); } // no ACL defined here return false; }
if (ACLProvider.isRepoAccessControlled(root)) { NodeImpl aclNode = root.getNode(N_REPO_POLICY); filterEntries(filter, Entry.readEntries(aclNode, null), userAces, groupAces);
NodeImpl n = ACLProvider.getNode(node, isAcItem); Iterator<Entry> entries = entryCollector.collectEntries(n, filter).iterator();
/** * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#canAccessRoot(Set) */ public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException { checkInitialized(); if (isAdminOrSystem(principals)) { return true; } else { CompiledPermissions cp = new CompiledPermissionsImpl(principals, session, entryCollector, this, false); try { return cp.canRead(null, rootNodeId); } finally { cp.close(); } } }