/**
 * Wraps the given policy node in a fresh {@link ACLTemplate}.
 *
 * @param aclNode the node holding the access control policy
 * @param path    the absolute path of the access-controlled node the list belongs to
 * @return the access control list read from {@code aclNode}
 * @throws RepositoryException if an error occurs
 */
ACLTemplate getACL(NodeImpl aclNode, String path) throws RepositoryException {
    // allowUnknownPrincipals is an editor-level setting; presumably it controls whether entries
    // naming principals unknown to the principal manager are tolerated when reading — confirm in ACLTemplate.
    final ACLTemplate list = new ACLTemplate(aclNode, path, allowUnknownPrincipals);
    return list;
}
/**
 * Check if the specified policy can be set/removed from this editor.
 * <p>
 * Only an {@link ACLTemplate} is accepted, and only when the path it was created for
 * is the same as {@code nodePath}. This keeps a list from being applied to, or removed
 * from, a node other than the one it belongs to.
 *
 * @param nodePath the node path
 * @param policy   the policy
 * @throws AccessControlException if not allowed
 */
private static void checkValidPolicy(String nodePath, AccessControlPolicy policy) throws AccessControlException {
    if (!(policy instanceof ACLTemplate)) {
        // instanceof is false for null as well, so a null policy is rejected here too
        throw new AccessControlException("Attempt to set/remove invalid policy " + policy);
    }
    final ACLTemplate acl = (ACLTemplate) policy;
    final String aclPath = acl.getPath();
    final boolean pathMatches;
    if (nodePath == null) {
        pathMatches = (aclPath == null);
    } else {
        pathMatches = nodePath.equals(aclPath);
    }
    if (!pathMatches) {
        throw new AccessControlException("Policy " + policy + " cannot be applied/removed from the node at " + nodePath);
    }
}
/**
 * Validates the requested entry and, if acceptable, adds it to this list.
 * <p>
 * The only known restriction is:
 * <pre>
 * rep:glob (optional) value-type: STRING
 * </pre>
 *
 * @return whatever {@code internalAdd} reports for the new entry
 * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(Principal, Privilege[], boolean, Map)
 */
public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow, Map<String, Value> restrictions)
        throws AccessControlException, RepositoryException {
    // Validation runs before any entry object exists, so an invalid combination never reaches the list.
    checkValidEntry(principal, privileges, isAllow, restrictions);
    return internalAdd(createEntry(principal, privileges, isAllow, restrictions));
}
/**
 * Converts every entry of {@code acl} into a {@link PentahoEntry} bound to the node the list lives on.
 *
 * @param acl the access control list to convert; may be {@code null}
 * @return the converted entries, or an empty list when {@code acl} is null or has no entries
 * @throws RepositoryException if the node at {@code acl.getPath()} cannot be resolved
 */
private List<PentahoEntry> buildPentahoEntries( ACLTemplate acl ) throws RepositoryException {
    final List<PentahoEntry> result = new ArrayList<PentahoEntry>();
    final boolean hasEntries = acl != null && acl.getEntries() != null && !acl.getEntries().isEmpty();
    if ( !hasEntries ) {
        return result;
    }
    final String aclPath = acl.getPath();
    // The list only knows its path; the node id PentahoEntry needs comes from resolving that path.
    final NodeImpl aclNode = (NodeImpl) systemSession.getNode( aclPath );
    for ( AccessControlEntry ace : acl.getEntries() ) {
        result.add( buildPentahoEntry( aclNode.getNodeId(), aclPath, ace ) );
    }
    return result;
}
NodeImpl ancestorNode = (NodeImpl) systemSession.getNode( ancestorAcl.getPath() ); PentahoEntries fullEntriesIncludingMagicACEs = this.getEntries( ancestorNode ); AccessControlEntry[] ancestorACEs = ancestorAcl.getEntries().toArray( new AccessControlEntry[] {} ); for ( AccessControlEntry ace : ancestorACEs ) { PentahoEntry pe = buildPentahoEntry( ancestorNode.getNodeId(), ancestorAcl.getPath(), ace ); if ( entry.equals( pe ) ) { ancestorAcl.removeAccessControlEntry( ace ); List<AccessControlEntry> entries = new LinkedList<AccessControlEntry>( ancestorAcl.getEntries() ); for ( AccessControlEntry ace : entries ) { ancestorAcl.removeAccessControlEntry( ace ); if ( !ancestorAcl.addAccessControlEntry( entry.isGroupEntry() ? new MagicGroup( entry.getPrincipalName() ) : new MagicPrincipal( entry.getPrincipalName() ), privs.toArray( new Privilege[privs.size()] ) ) ) {
acl = new ACLTemplate( currentNode.getNode( N_POLICY ), currentNode.getPath(), false /* allowUnknownPrincipals */ ); acl = new ACLTemplate( currentNode.getNode( N_POLICY ), currentNode.getPath(), false /* allowUnknownPrincipals */ ); systemSession.getAccessControlManager().privilegeFromName( Privilege.JCR_REMOVE_CHILD_NODES ); for ( AccessControlEntry entry : acl.getEntries() ) { if ( !acl.addAccessControlEntry( entry.getPrincipal(), new Privilege[] { removeNodePrivilege } ) ) { if ( firstAccessControlledNode.isSame( currentNode ) && !rootID.equals( currentNode.getNodeId() ) ) { NodeImpl ancestorNode = findNonInheritingNode( (NodeImpl) currentNode.getParent() ); ancestorAcl = new ACLTemplate( ancestorNode.getNode( N_POLICY ), ancestorNode.getPath(), false /* allowUnknownPrincipals */ );
/**
 * Creates an ACE that gives full access ({@code jcr:all}) to the owner.
 * <p>
 * The entry is added to the supplied in-memory list only; modifications to this ACL are not persisted.
 * If the owner can no longer be resolved by the principal manager, no entry is added and the
 * situation is logged at debug level.
 *
 * @param owner the owner's name as stored on the node
 * @param acl   the in-memory list to extend
 * @throws RepositoryException if the privilege lookup or entry creation fails
 */
protected void addOwnerAce( final String owner, final ACLTemplate acl ) throws RepositoryException {
    final Principal ownerPrincipal = systemSession.getPrincipalManager().getPrincipal( owner );
    if ( ownerPrincipal == null ) {
        // if the Principal doesn't exist anymore, then there's no reason to add an ACE for it
        if ( log.isDebugEnabled() ) {
            log.debug( "PrincipalManager cannot find owner=" + owner ); //$NON-NLS-1$
        }
        return;
    }
    final String tenantedName = JcrTenantUtils.getTenantedUser( ownerPrincipal.getName() );
    // Group owners become a MagicGroup, every other owner a MagicPrincipal.
    final Principal magicPrincipal = ( ownerPrincipal instanceof Group )
        ? new MagicGroup( tenantedName )
        : new MagicPrincipal( tenantedName );
    // unfortunately, we need the ACLTemplate because it alone can create ACEs that can be cast successfully
    // later; changes never persisted
    final Privilege all = systemSession.getAccessControlManager().privilegeFromName( "jcr:all" ); //$NON-NLS-1$
    acl.addAccessControlEntry( magicPrincipal, new Privilege[] { all } );
}
/**
 * Adds {@code privileges} for {@code principal} to the policy at {@code path}, applies it and saves the session.
 *
 * @param path       path of the access-controlled node
 * @param principal  principal the entry is for
 * @param privileges privileges the entry covers
 * @param isAllow    {@code true} for an allow entry, {@code false} for a deny entry
 * @return the policy that was applied
 * @throws NotExecutableException propagated from {@code getPolicy}
 * @throws RepositoryException    on repository errors
 */
private ACLTemplate modifyPrivileges(String path, Principal principal, Privilege[] privileges, boolean isAllow)
        throws NotExecutableException, RepositoryException {
    final ACLTemplate policy = getPolicy(acMgr, path, principal);
    policy.addEntry(principal, privileges, isAllow);
    // The change only takes effect once the policy is set on the manager and the session is saved.
    acMgr.setPolicy(policy.getPath(), policy);
    superuser.save();
    return policy;
}
/**
 * Delegates entry creation to the wrapped {@code acl}, passing the restrictions through unchanged.
 *
 * @param principal    the principal
 * @param privileges   the privileges
 * @param isAllow      whether this is an allow entry
 * @param restrictions restrictions for the entry
 * @return the entry created by the wrapped list
 * @throws RepositoryException if the wrapped list cannot create the entry
 */
@Override
protected JackrabbitAccessControlEntry createEntry(Principal principal, Privilege[] privileges, boolean isAllow,
                                                   Map<String, Value> restrictions) throws RepositoryException {
    final JackrabbitAccessControlEntry entry = acl.createEntry(principal, privileges, isAllow, restrictions);
    return entry;
}
/**
 * Builds a mocked system session whose root node carries a single policy with a single entry,
 * and injects that session into a fresh {@code PentahoACLProvider}.
 *
 * @throws Exception if mock setup fails
 */
@Before
public void setup() throws Exception {
  // collaborators
  systemSession = Mockito.mock( SessionImpl.class );
  rootNode = Mockito.mock( NodeImpl.class );
  pMgr = Mockito.mock( PrincipalManager.class );
  acMgr = Mockito.mock( AccessControlManager.class );
  editor = Mockito.mock( ACLEditor.class );
  // policy data
  acList = Mockito.mock( ACLTemplate.class );
  aclEntry = Mockito.mock( ACLTemplate.Entry.class );
  everyone = Mockito.mock( Principal.class );
  jcrReadAccessControlPriv = Mockito.mock( Privilege.class );

  // session wiring
  when( systemSession.getRootNode() ).thenReturn( rootNode );
  when( systemSession.getPrincipalManager() ).thenReturn( pMgr );
  when( systemSession.getAccessControlManager() ).thenReturn( acMgr );
  when( rootNode.getPath() ).thenReturn( rootPath );
  when( pMgr.getEveryone() ).thenReturn( everyone );
  when( acMgr.privilegeFromName( Privilege.JCR_READ_ACCESS_CONTROL ) ).thenReturn( jcrReadAccessControlPriv );

  // the root node exposes exactly one policy holding exactly one entry
  final AccessControlPolicy[] policies = new AccessControlPolicy[] { acList };
  when( editor.getPolicies( rootPath ) ).thenReturn( policies );
  final AccessControlEntry[] entries = new AccessControlEntry[] { aclEntry };
  when( acList.getAccessControlEntries() ).thenReturn( entries );

  provider = new PentahoACLProvider();
  // the provider reads the session from a private field, so it is injected reflectively
  Whitebox.setInternalState( provider, "session", systemSession );
}
private synchronized boolean internalAdd(Entry entry) throws RepositoryException { Principal principal = entry.getPrincipal(); List<Entry> entriesPerPrincipal = internalGetEntries(principal); if (entriesPerPrincipal.isEmpty()) { if (equalRestriction(entry, e)) { if (entry.isAllow() == e.isAllow()) {
log.debug("... Privilege.ALL for administrators."); Privilege[] privs = new Privilege[]{acMgr.privilegeFromName(Privilege.JCR_ALL)}; acl.addAccessControlEntry(administrators, privs); } else { log.info("Administrators principal group is missing -> omitting initialization of default permissions."); log.debug("... Privilege.READ for everyone."); Privilege[] privs = new Privilege[]{acMgr.privilegeFromName(Privilege.JCR_READ)}; acl.addAccessControlEntry(everyone, privs);
/**
 * Delegates entry creation to the wrapped {@code acl} with no restrictions.
 *
 * @param principal  the principal
 * @param privileges the privileges
 * @param isAllow    whether this is an allow entry
 * @return the entry created by the wrapped list
 * @throws RepositoryException if the wrapped list cannot create the entry
 */
@Override
protected JackrabbitAccessControlEntry createEntry(Principal principal, Privilege[] privileges, boolean isAllow)
        throws RepositoryException {
    // An empty restriction map is the "no restrictions" form of the four-argument overload.
    final JackrabbitAccessControlEntry entry =
            acl.createEntry(principal, privileges, isAllow, Collections.<String, Value>emptyMap());
    return entry;
}
AccessControlEntry[] entries = ((ACLTemplate) policy).getAccessControlEntries(); for (AccessControlEntry entry : entries) { AccessControlEntryImpl ace = (AccessControlEntryImpl) entry;
private synchronized boolean internalAdd(Entry entry) throws RepositoryException { Principal principal = entry.getPrincipal(); List<Entry> entriesPerPrincipal = internalGetEntries(principal); if (entriesPerPrincipal.isEmpty()) { if (equalRestriction(entry, e)) { if (entry.isAllow() == e.isAllow()) {
/**
 * Wraps the given policy node in a fresh {@link ACLTemplate}.
 *
 * @param aclNode the node holding the access control policy
 * @param path    the absolute path of the access-controlled node the list belongs to
 * @return the access control list read from {@code aclNode}
 * @throws RepositoryException if an error occurs
 */
ACLTemplate getACL(NodeImpl aclNode, String path) throws RepositoryException {
    // allowUnknownPrincipals is an editor-level setting; presumably it controls whether entries
    // naming principals unknown to the principal manager are tolerated when reading — confirm in ACLTemplate.
    final ACLTemplate list = new ACLTemplate(aclNode, path, allowUnknownPrincipals);
    return list;
}
log.debug("... Privilege.ALL for administrators."); Privilege[] privs = new Privilege[]{acMgr.privilegeFromName(Privilege.JCR_ALL)}; acl.addAccessControlEntry(administrators, privs); } else { log.info("Administrators principal group is missing -> omitting initialization of default permissions."); log.debug("... Privilege.READ for everyone."); Privilege[] privs = new Privilege[]{acMgr.privilegeFromName(Privilege.JCR_READ)}; acl.addAccessControlEntry(everyone, privs);
/**
 * Check if the specified policy can be set/removed from this editor.
 * <p>
 * Only an {@link ACLTemplate} is accepted, and only when the path it was created for
 * is the same as {@code nodePath}. This keeps a list from being applied to, or removed
 * from, a node other than the one it belongs to.
 *
 * @param nodePath the node path
 * @param policy   the policy
 * @throws AccessControlException if not allowed
 */
private static void checkValidPolicy(String nodePath, AccessControlPolicy policy) throws AccessControlException {
    if (!(policy instanceof ACLTemplate)) {
        // instanceof is false for null as well, so a null policy is rejected here too
        throw new AccessControlException("Attempt to set/remove invalid policy " + policy);
    }
    final ACLTemplate acl = (ACLTemplate) policy;
    final String aclPath = acl.getPath();
    final boolean pathMatches;
    if (nodePath == null) {
        pathMatches = (aclPath == null);
    } else {
        pathMatches = nodePath.equals(aclPath);
    }
    if (!pathMatches) {
        throw new AccessControlException("Policy " + policy + " cannot be applied/removed from the node at " + nodePath);
    }
}
/**
 * Validates the requested entry and, if acceptable, adds it to this list.
 * <p>
 * The only known restriction is:
 * <pre>
 * rep:glob (optional) value-type: STRING
 * </pre>
 *
 * @return whatever {@code internalAdd} reports for the new entry
 * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(Principal, Privilege[], boolean, Map)
 */
public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow, Map<String, Value> restrictions)
        throws AccessControlException, RepositoryException {
    // Validation runs before any entry object exists, so an invalid combination never reaches the list.
    checkValidEntry(principal, privileges, isAllow, restrictions);
    return internalAdd(createEntry(principal, privileges, isAllow, restrictions));
}
/**
 * Derives a new entry from {@code base} with different privileges / allow flag.
 * <p>
 * Only entries produced by an {@link ACLTemplate} can be used as a base; any other
 * entry type makes the test not executable.
 *
 * @param base       the entry to derive from
 * @param privileges the privileges for the new entry
 * @param isAllow    whether the new entry is an allow entry
 * @return the derived entry
 * @throws RepositoryException    if the wrapped list cannot create the entry
 * @throws NotExecutableException if {@code base} is not an {@code ACLTemplate.Entry}
 */
@Override
protected JackrabbitAccessControlEntry createEntryFromBase(JackrabbitAccessControlEntry base, Privilege[] privileges,
                                                           boolean isAllow) throws RepositoryException, NotExecutableException {
    if (!(base instanceof ACLTemplate.Entry)) {
        throw new NotExecutableException();
    }
    final ACLTemplate.Entry baseEntry = (ACLTemplate.Entry) base;
    return acl.createEntry(baseEntry, privileges, isAllow);
}