/**
 * Decides whether the given entry is relevant for this filter.
 *
 * <p>An entry is accepted when its principal passes the principal-name filter
 * (no filter set, or the name is contained in it) and either the entry carries
 * no glob restriction or its restriction matches the path returned by
 * {@code getPath()}.
 *
 * <p>NOTE(review): when the restriction cannot be evaluated the failure is
 * logged and the entry is reported as non-matching, whether it is an allow or
 * a deny entry. If callers drop non-matching entries, a deny entry lost this
 * way could leave the effective permissions broader than the stored policy;
 * confirm that this is acceptable or let the evaluation fail instead.
 *
 * @param entry the access control entry to test
 * @return {@code true} if the entry applies, {@code false} if it is filtered
 *         out or the match could not be determined
 */
private boolean matches(Entry entry) {
    boolean principalAccepted =
            principalNames == null || principalNames.contains(entry.getPrincipalName());
    if (!principalAccepted) {
        // the entry's principal is not covered by this filter -> ignore
        return false;
    }

    if (!entry.hasRestrictions()) {
        // no glob restriction: the entry applies because it is either defined
        // on the node or inherited.
        return true;
    }

    // glob restriction present: the target path decides.
    try {
        return entry.matches(getPath());
    } catch (RepositoryException e) {
        log.error("Cannot determine ACE match.", e);
        return false;
    }
}
/**
 * Creates an entry from already resolved values.
 *
 * <p>The restriction pattern is always computed from {@code path} and
 * {@code globValue}; the entry counts as restricted only when a glob value
 * was supplied.
 *
 * <p>NOTE(review): {@code privilegeBits} is stored by reference, not copied.
 * Confirm that callers hand in an instance that is not modified afterwards,
 * otherwise the privileges of this entry could change after construction.
 *
 * @param id            id stored for this entry
 * @param principalName name of the principal the entry applies to
 * @param isGroupEntry  whether the principal is a group
 * @param privilegeBits privileges granted or denied by the entry
 * @param allow         {@code true} for an allow entry, {@code false} for deny
 * @param path          path passed to {@code calculatePattern}
 * @param globValue     glob restriction, or {@code null} if there is none
 * @throws RepositoryException if the pattern cannot be calculated
 */
private Entry(NodeId id, String principalName, boolean isGroupEntry,
              PrivilegeBits privilegeBits, boolean allow, String path,
              Value globValue) throws RepositoryException {
    // state taken over as given
    this.id = id;
    this.principalName = principalName;
    this.isGroupEntry = isGroupEntry;
    this.privilegeBits = privilegeBits;
    this.isAllow = allow;

    // state derived from the restriction
    this.pattern = calculatePattern(path, globValue);
    this.hasRestrictions = globValue != null;
}
PrivilegeBits entryBits = ace.getPrivilegeBits(); boolean isLocal = isExistingNode && ace.isLocal(nodeId); boolean matchesParent = (!isLocal && ace.matches(parentPath)); if (matchesParent) { if (ace.isAllow()) { parentAllowBits.addDifference(entryBits, parentDenyBits); } else { if (ace.isAllow()) { allowBits.addDifference(entryBits, denyBits); int permissions = PrivilegeRegistry.calculatePermissions(allowBits, parentAllowBits, true, isAcItem);
/**
 * Checks {@code Entry.isLocal}: the single entry read from the policy node
 * must be local to the test root node and to no other node id.
 */
public void testIsLocal() throws NotExecutableException, RepositoryException {
    acl = getPolicy(acMgr, testPath, testUser.getPrincipal());
    modifyPrivileges(testPath, Privilege.JCR_READ, true);

    String policyPath = acl.getPath() + "/rep:policy";
    NodeImpl aclNode = (NodeImpl) superuser.getNode(policyPath);
    List<Entry> entries = Entry.readEntries(aclNode, testRootNode.getPath());
    assertFalse(entries.isEmpty());
    assertEquals(1, entries.size());

    Entry entry = entries.get(0);

    // the entry is expected to be reported as local for the test root node's id
    NodeId rootId = ((NodeImpl) testRootNode).getNodeId();
    assertTrue(entry.isLocal(rootId));

    // an unrelated, freshly generated id must never be reported as local
    assertFalse(entry.isLocal(NodeId.randomId()));
}
/**
 * Verifies that a glob restriction given under its expanded name is resolved
 * and applied when the entry is read back from the policy node.
 */
public void testRestrictions() throws RepositoryException, NotExecutableException {
    // restriction keyed by the expanded name of the glob property
    Map<String, Value> restrictions = new HashMap<String, Value>();
    Value glob = superuser.getValueFactory().createValue("*/test");
    restrictions.put(ACLTemplate.P_GLOB.toString(), glob);

    acl = getPolicy(acMgr, testPath, testUser.getPrincipal());
    Privilege[] all = new Privilege[] {acMgr.privilegeFromName(Privilege.JCR_ALL)};
    acl.addEntry(testUser.getPrincipal(), all, true, restrictions);
    acMgr.setPolicy(testPath, acl);
    superuser.save();

    // candidate path -> whether the restricted entry is expected to match it
    String aclPath = acl.getPath();
    Map<String, Boolean> toMatch = new HashMap<String, Boolean>();
    toMatch.put(aclPath, false);
    toMatch.put(aclPath + "test", false);
    toMatch.put(aclPath + "/test", true);
    toMatch.put(aclPath + "/something/test", true);
    // Expected to match as well: the leading '*' is not anchored at a path
    // separator, so the entry also covers paths that merely share the
    // access-controlled node's path as a string prefix. Keep this in mind
    // when reviewing policies that use such globs.
    toMatch.put(aclPath + "de/test", true);

    NodeImpl aclNode = (NodeImpl) superuser.getNode(aclPath + "/rep:policy");
    List<Entry> entries = Entry.readEntries(aclNode, testRootNode.getPath());
    assertTrue(!entries.isEmpty());
    assertEquals(1, entries.size());

    Entry entry = entries.get(0);
    for (Map.Entry<String, Boolean> expectation : toMatch.entrySet()) {
        String candidate = expectation.getKey();
        boolean expected = expectation.getValue().booleanValue();
        assertEquals("Path to match : " + candidate, expected, entry.matches(candidate));
    }
}
} // closes the enclosing test class; its header lies outside this excerpt
if (ace.getPrivilegeBits().includesRead()) { canRead = ace.isAllow(); break;
/**
 * Retrieves the access control entries defined for the given node.
 *
 * <p>If the node is not access controlled the returned {@code Entries} wraps
 * an empty list; otherwise it wraps whatever {@code Entry.readEntries} reads
 * from the node's policy child.
 *
 * @param node the node whose entries are collected
 * @return an {@code Entries} object built from the entry list and the id of
 *         the node's parent
 * @throws RepositoryException if the policy node or the entries cannot be read
 */
protected Entries getEntries(NodeImpl node) throws RepositoryException {
    if (!ACLProvider.isAccessControlled(node)) {
        // not access controlled: nothing is defined on this node
        List<Entry> none = Collections.emptyList();
        return new Entries(none, node.getParentId());
    }

    // collect the aces stored below the node's policy child
    NodeImpl policyNode = node.getNode(N_POLICY);
    List<Entry> defined = Entry.readEntries(policyNode, node.getPath());
    return new Entries(defined, node.getParentId());
}
Entry ace = new Entry(nodeId, principalName, isGroupEntry, privilegeMgr.getBits(privNames), isAllow, path, globValue); entries.add(ace); } catch (RepositoryException e) {
PrivilegeBits entryBits = ace.getPrivilegeBits(); boolean isLocal = isExistingNode && ace.isLocal(nodeId); boolean matchesParent = (!isLocal && ace.matches(parentPath)); if (matchesParent) { if (ace.isAllow()) { parentAllowBits.addDifference(entryBits, parentDenyBits); } else { if (ace.isAllow()) { allowBits.addDifference(entryBits, denyBits); int permissions = PrivilegeRegistry.calculatePermissions(allowBits, parentAllowBits, true, isAcItem);
if (ace.getPrivilegeBits().includesRead()) { canRead = ace.isAllow(); break;
/**
 * Retrieves the access control entries defined for the given node.
 *
 * <p>If the node is not access controlled the returned {@code Entries} wraps
 * an empty list; otherwise it wraps whatever {@code Entry.readEntries} reads
 * from the node's policy child.
 *
 * @param node the node whose entries are collected
 * @return an {@code Entries} object built from the entry list and the id of
 *         the node's parent
 * @throws RepositoryException if the policy node or the entries cannot be read
 */
protected Entries getEntries(NodeImpl node) throws RepositoryException {
    if (!ACLProvider.isAccessControlled(node)) {
        // not access controlled: nothing is defined on this node
        List<Entry> none = Collections.emptyList();
        return new Entries(none, node.getParentId());
    }

    // collect the aces stored below the node's policy child
    NodeImpl policyNode = node.getNode(N_POLICY);
    List<Entry> defined = Entry.readEntries(policyNode, node.getPath());
    return new Entries(defined, node.getParentId());
}
Entry ace = new Entry(nodeId, principalName, isGroupEntry, privilegeMgr.getBits(privNames), isAllow, path, globValue); entries.add(ace); } catch (RepositoryException e) {
// Read the entry's state through the Entry accessors; each access down-casts ace.
// NOTE(review): the casts throw ClassCastException for any other type. Presumably
// a type check outside this excerpt guards this branch; confirm.
entryBits = ( (Entry) ace ).getPrivilegeBits();
// local only if the node exists and the entry reports itself as local to nodeId
isLocal = isExistingNode && ( (Entry) ace ).isLocal( nodeId );
// a non-local entry is additionally tested against the parent path
matchesParent = ( !isLocal && ( (Entry) ace ).matches( parentPath ) );
isAllow = ( (Entry) ace ).isAllow();
/**
 * Decides whether the given entry is relevant for this filter.
 *
 * <p>An entry is accepted when its principal passes the principal-name filter
 * (no filter set, or the name is contained in it) and either the entry carries
 * no glob restriction or its restriction matches the path returned by
 * {@code getPath()}.
 *
 * <p>NOTE(review): when the restriction cannot be evaluated the failure is
 * logged and the entry is reported as non-matching, whether it is an allow or
 * a deny entry. If callers drop non-matching entries, a deny entry lost this
 * way could leave the effective permissions broader than the stored policy;
 * confirm that this is acceptable or let the evaluation fail instead.
 *
 * @param entry the access control entry to test
 * @return {@code true} if the entry applies, {@code false} if it is filtered
 *         out or the match could not be determined
 */
private boolean matches(Entry entry) {
    boolean principalAccepted =
            principalNames == null || principalNames.contains(entry.getPrincipalName());
    if (!principalAccepted) {
        // the entry's principal is not covered by this filter -> ignore
        return false;
    }

    if (!entry.hasRestrictions()) {
        // no glob restriction: the entry applies because it is either defined
        // on the node or inherited.
        return true;
    }

    // glob restriction present: the target path decides.
    try {
        return entry.matches(getPath());
    } catch (RepositoryException e) {
        log.error("Cannot determine ACE match.", e);
        return false;
    }
}
// Copy the privileges and the allow/deny flag out of the entry.
// NOTE(review): both reads down-cast entry to Entry and throw ClassCastException
// for any other type. Presumably a type check outside this excerpt selects this
// branch; confirm.
privilegeBits = ( (Entry) entry ).getPrivilegeBits();
isAllow = ( (Entry) entry ).isAllow();
if (ACLProvider.isRepoAccessControlled(root)) { NodeImpl aclNode = root.getNode(N_REPO_POLICY); filterEntries(filter, Entry.readEntries(aclNode, null), userAces, groupAces);
/**
 * Creates an entry from already resolved values.
 *
 * <p>The restriction pattern is always computed from {@code path} and
 * {@code globValue}; the entry counts as restricted only when a glob value
 * was supplied.
 *
 * <p>NOTE(review): {@code privilegeBits} is stored by reference, not copied.
 * Confirm that callers hand in an instance that is not modified afterwards,
 * otherwise the privileges of this entry could change after construction.
 *
 * @param id            id stored for this entry
 * @param principalName name of the principal the entry applies to
 * @param isGroupEntry  whether the principal is a group
 * @param privilegeBits privileges granted or denied by the entry
 * @param allow         {@code true} for an allow entry, {@code false} for deny
 * @param path          path passed to {@code calculatePattern}
 * @param globValue     glob restriction, or {@code null} if there is none
 * @throws RepositoryException if the pattern cannot be calculated
 */
private Entry(NodeId id, String principalName, boolean isGroupEntry,
              PrivilegeBits privilegeBits, boolean allow, String path,
              Value globValue) throws RepositoryException {
    // state taken over as given
    this.id = id;
    this.principalName = principalName;
    this.isGroupEntry = isGroupEntry;
    this.privilegeBits = privilegeBits;
    this.isAllow = allow;

    // state derived from the restriction
    this.pattern = calculatePattern(path, globValue);
    this.hasRestrictions = globValue != null;
}
if (ACLProvider.isRepoAccessControlled(root)) { NodeImpl aclNode = root.getNode(N_REPO_POLICY); filterEntries(filter, Entry.readEntries(aclNode, null), userAces, groupAces);
filterEntries( filter, PentahoEntry.readEntries( aclNode, path ), userAces, groupAces ); } else { filterEntries( filter, Entry.readEntries( aclNode, path ), userAces, groupAces );