/**
* @see AccessManager#canRead(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.id.ItemId)
*/
public boolean canRead(Path itemPath, ItemId itemId) throws RepositoryException {
checkInitialized();
if (compiledPermissions.canReadAll()) {
return true;
} else {
return compiledPermissions.canRead(itemPath, itemId);
}
}
/**
* @see
* org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEffectivePolicies(java.util.Set,
* CompiledPermissions)
*/
public AccessControlPolicy[] getEffectivePolicies(
Set<Principal> principals, CompiledPermissions permissions) throws RepositoryException {
String propName = ISO9075.encode(session.getJCRName(P_PRINCIPAL_NAME));
StringBuilder stmt = new StringBuilder("/jcr:root");
stmt.append("//element(*,");
stmt.append(session.getJCRName(NT_REP_ACE));
stmt.append(")[");
int i = 0;
for (Principal principal : principals) {
if (i > 0) {
stmt.append(" or ");
}
stmt.append("@");
stmt.append(propName);
stmt.append("='");
stmt.append(principal.getName().replaceAll("'", "''"));
stmt.append("'");
i++;
}
stmt.append("]");
QueryResult result;
try {
QueryManager qm = session.getWorkspace().getQueryManager();
Query q = qm.createQuery(stmt.toString(), Query.XPATH);
result = q.execute();
} catch (RepositoryException e) {
log.error("Unexpected error while searching effective policies.", e.getMessage());
throw new UnsupportedOperationException(
"Retrieve effective policies for set of principals not supported.", e);
}
Set<AccessControlPolicy> acls = new LinkedHashSet<AccessControlPolicy>();
for (NodeIterator it = result.getNodes(); it.hasNext(); ) {
NodeImpl aclNode = (NodeImpl) it.nextNode().getParent();
Name aclName = aclNode.getQName();
NodeImpl accessControlledNode = (NodeImpl) aclNode.getParent();
if (N_POLICY.equals(aclName) && isAccessControlled(accessControlledNode)) {
if (permissions.canRead(aclNode.getPrimaryPath(), aclNode.getNodeId())) {
acls.add(getACL(accessControlledNode, N_POLICY, accessControlledNode.getPath()));
} else {
throw new AccessDeniedException(
"Access denied at " + Text.getRelativeParent(aclNode.getPath(), 1));
}
} else if (N_REPO_POLICY.equals(aclName) && isRepoAccessControlled(accessControlledNode)) {
if (permissions.canRead(aclNode.getPrimaryPath(), aclNode.getNodeId())) {
acls.add(getACL(accessControlledNode, N_REPO_POLICY, null));
} else {
throw new AccessDeniedException(
"Access denied at " + Text.getRelativeParent(aclNode.getPath(), 1));
}
} // else: not a regular policy node -> ignore.
}
return acls.toArray(new AccessControlPolicy[acls.size()]);
}
/**
* @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#canAccessRoot(Set)
*/
public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException {
checkInitialized();
if (isAdminOrSystem(principals)) {
return true;
} else {
CompiledPermissions cp =
new CompiledPermissionsImpl(principals, session, entryCollector, this, false);
try {
return cp.canRead(null, rootNodeId);
} finally {
cp.close();
}
}
}
/**
* @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#getPrivileges(String,
* Set)
*/
public Privilege[] getPrivileges(String absPath, Set<Principal> principals)
throws PathNotFoundException, RepositoryException {
checkInitialized();
checkValidNodePath(absPath);
checkPermission(absPath, Permission.READ_AC);
CompiledPermissions perms = acProvider.compilePermissions(principals);
try {
Set<Privilege> privs = perms.getPrivilegeSet(getPath(absPath));
return privs.toArray(new Privilege[privs.size()]);
} finally {
perms.close();
}
}
/**
* Overridden to:
*
* <ul>
* <li>Use custom {@code CompiledPermissions}.
* </ul>
*
* @see PentahoCompiledPermissionsImpl
*/
@Override
public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException {
checkInitialized();
if (isAdminOrSystem(principals)) {
return true;
} else {
CompiledPermissions cp = getCompiledPermissions(principals);
try {
return cp.canRead(null, getRootNodeId());
} finally {
cp.close();
}
}
}
/**
* @see
* org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions)
*/
public AccessControlPolicy[] getEffectivePolicies(Path absPath, CompiledPermissions permissions)
throws ItemNotFoundException, RepositoryException {
checkInitialized();
NodeImpl targetNode;
List<AccessControlList> acls = new ArrayList<AccessControlList>();
if (absPath == null) {
targetNode = (NodeImpl) session.getRootNode();
if (isRepoAccessControlled(targetNode)) {
if (permissions.grants(targetNode.getPrimaryPath(), Permission.READ_AC)) {
acls.add(getACL(targetNode, N_REPO_POLICY, null));
} else {
throw new AccessDeniedException("Access denied at " + targetNode.getPath());
}
}
} else {
targetNode = (NodeImpl) session.getNode(session.getJCRPath(absPath));
NodeImpl node = getNode(targetNode, isAcItem(targetNode));
// collect all ACLs effective at node
collectAcls(node, permissions, acls);
}
// if no effective ACLs are present -> add a default, empty acl.
if (acls.isEmpty()) {
// no access control information can be retrieved for the specified
// node, since neither the node nor any of its parents is access
// controlled. TODO: there should be a default policy in this case (see JCR-2331)
log.warn(
"No access controlled node present in item hierarchy starting from "
+ targetNode.getPath());
}
return acls.toArray(new AccessControlList[acls.size()]);
}
/** @see javax.jcr.security.AccessControlManager#getPrivileges(String) */
public Privilege[] getPrivileges(String absPath)
throws PathNotFoundException, RepositoryException {
checkInitialized();
checkValidNodePath(absPath);
Set<Privilege> privs = compiledPermissions.getPrivilegeSet(getPath(absPath));
return privs.toArray(new Privilege[privs.size()]);
}
/** @see AccessManager#isGranted(Path, int) */
public boolean isGranted(Path absPath, int permissions) throws RepositoryException {
checkInitialized();
if (!absPath.isAbsolute()) {
throw new RepositoryException("Absolute path expected");
}
return compiledPermissions.grants(absPath, permissions);
}
/** @see AccessManager#isGranted(ItemId, int) */
public boolean isGranted(ItemId id, int actions)
throws ItemNotFoundException, RepositoryException {
checkInitialized();
if (actions == READ && compiledPermissions.canReadAll()) {
return true;
} else {
int perm = 0;
if ((actions & READ) == READ) {
perm |= Permission.READ;
}
if ((actions & WRITE) == WRITE) {
if (id.denotesNode()) {
// TODO: check again if correct
perm |= Permission.SET_PROPERTY;
perm |= Permission.ADD_NODE;
} else {
perm |= Permission.SET_PROPERTY;
}
}
if ((actions & REMOVE) == REMOVE) {
perm |= (id.denotesNode()) ? Permission.REMOVE_NODE : Permission.REMOVE_PROPERTY;
}
Path path = hierMgr.getPath(id);
return isGranted(path, perm);
}
}
/** @see AccessManager#checkRepositoryPermission(int) */
public void checkRepositoryPermission(int permissions)
throws AccessDeniedException, RepositoryException {
checkInitialized();
if (!compiledPermissions.grants(null, permissions)) {
throw new AccessDeniedException("Access denied.");
}
}
/** @see AbstractAccessControlManager#checkPermission(String,int) */
@Override
protected void checkPermission(String absPath, int permission)
throws AccessDeniedException, RepositoryException {
checkValidNodePath(absPath);
Path p = getPath(absPath);
if (!compiledPermissions.grants(p, permission)) {
throw new AccessDeniedException("Access denied at " + absPath);
}
}
/**
* @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#hasPrivileges(String,
* Set, Privilege[])
*/
public boolean hasPrivileges(String absPath, Set<Principal> principals, Privilege[] privileges)
throws PathNotFoundException, RepositoryException {
checkInitialized();
checkValidNodePath(absPath);
checkPermission(absPath, Permission.READ_AC);
if (privileges == null || privileges.length == 0) {
// null or empty privilege array -> return true
log.debug("No privileges passed -> allowed.");
return true;
} else {
Path p = getPath(absPath);
CompiledPermissions perms = acProvider.compilePermissions(principals);
try {
return perms.hasPrivileges(p, privileges);
} finally {
perms.close();
}
}
}
/** @see AccessManager#close() */
public void close() throws Exception {
if (!initialized) {
throw new IllegalStateException("Manager is not initialized.");
}
initialized = false;
compiledPermissions.close();
hierMgr = null;
acProvider = null;
editor = null;
wspAccess = null;
}
/** @see javax.jcr.security.AccessControlManager#hasPrivileges(String, Privilege[]) */
public boolean hasPrivileges(String absPath, Privilege[] privileges)
throws PathNotFoundException, RepositoryException {
checkInitialized();
checkValidNodePath(absPath);
if (privileges == null || privileges.length == 0) {
// null or empty privilege array -> return true
log.debug("No privileges passed -> allowed.");
return true;
} else {
Path p = getPath(absPath);
return compiledPermissions.hasPrivileges(p, privileges);
}
}
/**
* Recursively collects all ACLs that are effective on the specified node.
*
* @param node the Node to collect the ACLs for, which must NOT be part of the structure defined
* by mix:AccessControllable.
* @param permissions
* @param acls List used to collect the effective acls.
* @throws RepositoryException if an error occurs
*/
private void collectAcls(
NodeImpl node, CompiledPermissions permissions, List<AccessControlList> acls)
throws RepositoryException {
// if the given node is access-controlled, construct a new ACL and add
// it to the list
if (isAccessControlled(node)) {
if (permissions.grants(node.getPrimaryPath(), Permission.READ_AC)) {
acls.add(getACL(node, N_POLICY, node.getPath()));
} else {
throw new AccessDeniedException("Access denied at " + node.getPath());
}
}
// then, recursively look for access controlled parents up the hierarchy.
if (!rootNodeId.equals(node.getId())) {
NodeImpl parentNode = (NodeImpl) node.getParent();
collectAcls(parentNode, permissions, acls);
}
}
