@Override
public void addGroup(final Group group) throws XMLDBException {
final SecurityManager manager = pool.getSecurityManager();
if (!manager.hasAdminPrivileges(user)) {
throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, " you are not allowed to add role");
}
if (manager.hasGroup(group.getName())) {
throw new XMLDBException(ErrorCodes.VENDOR_ERROR, "group '" + group.getName() + "' exists");
}
try {
executeWithBroker(
new BrokerOperation<Void>() {
@Override
public Void withBroker(DBBroker broker)
throws XMLDBException, LockException, PermissionDeniedException, IOException,
EXistException, TriggerException {
manager.addGroup(group);
return null;
}
});
} catch (final Exception e) {
throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, e.getMessage(), e);
}
}
@Override
public void setUserPrimaryGroup(final String username, final String groupName)
throws XMLDBException {
final SecurityManager manager = pool.getSecurityManager();
if (!manager.hasGroup(groupName)) {
throw new XMLDBException(
ErrorCodes.PERMISSION_DENIED, "Group '" + groupName + "' does not exist!");
}
if (!manager.hasAdminPrivileges(user)) {
throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, "Not allowed to modify user");
}
try {
executeWithBroker(
new BrokerOperation<Void>() {
@Override
public Void withBroker(final DBBroker broker)
throws XMLDBException, LockException, PermissionDeniedException, IOException,
EXistException, TriggerException {
final Account account = manager.getAccount(username);
final Group group = manager.getGroup(groupName);
account.setPrimaryGroup(group);
manager.updateAccount(account);
return null;
}
});
} catch (final Exception e) {
throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, e.getMessage(), e);
}
}
private <R> R modifyResource(
DBBroker broker, Resource resource, DatabaseItemModifier<DocumentImpl, R> modifier)
throws XMLDBException, LockException, PermissionDeniedException, EXistException,
SyntaxException {
final TransactionManager transact = broker.getBrokerPool().getTransactionManager();
final Txn transaction = transact.beginTransaction();
DocumentImpl document = null;
try {
document = ((AbstractEXistResource) resource).openDocument(broker, Lock.WRITE_LOCK);
final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
if (!document.getPermissions().validate(user, Permission.WRITE)
&& !sm.hasAdminPrivileges(user)) {
throw new XMLDBException(
ErrorCodes.PERMISSION_DENIED,
"you are not the owner of this resource; owner = "
+ document.getPermissions().getOwner());
}
final R result = modifier.modify(document);
broker.storeXMLResource(transaction, document);
transact.commit(transaction);
return result;
} catch (final EXistException ee) {
transact.abort(transaction);
throw ee;
} catch (final XMLDBException xmldbe) {
transact.abort(transaction);
throw xmldbe;
} catch (final LockException le) {
transact.abort(transaction);
throw le;
} catch (final PermissionDeniedException pde) {
transact.abort(transaction);
throw pde;
} catch (final SyntaxException se) {
transact.abort(transaction);
throw se;
} finally {
transact.close(transaction);
if (document != null) {
((AbstractEXistResource) resource).closeDocument(document, Lock.WRITE_LOCK);
}
}
}
public Sequence eval(Sequence contextSequence, Item contextItem) throws XPathException {
Sequence userSeq = getArgument(0).eval(contextSequence, contextItem);
Sequence passwdSeq = getArgument(1).eval(contextSequence, contextItem);
if (userSeq.isEmpty()) throw new XPathException(getASTNode(), "No user specified");
String userName = userSeq.getStringValue();
String passwd = passwdSeq.getStringValue();
org.exist.security.SecurityManager security =
context.getBroker().getBrokerPool().getSecurityManager();
User user = security.getUser(userName);
if (user == null) throw new XPathException(getASTNode(), "Authentication failed");
if (user.validate(passwd)) {
User oldUser = context.getBroker().getUser();
try {
context.getBroker().setUser(user);
return getArgument(2).eval(contextSequence, contextItem);
} finally {
context.getBroker().setUser(oldUser);
}
} else throw new XPathException(getASTNode(), "Authentication failed");
}
/*
* (non-Javadoc)
*
* @see org.exist.xquery.Expression#eval(org.exist.dom.DocumentSet,
* org.exist.xquery.value.Sequence, org.exist.xquery.value.Item)
*/
@Override
public Sequence eval(Sequence args[], Sequence contextSequence) throws XPathException {
final String groupName = args[0].getStringValue();
if ("guest".equals(context.getSubject().getName()) || "dba".equals(groupName)) {
final XPathException xPathException =
new XPathException(
this,
"Permission denied, calling account '"
+ context.getSubject().getName()
+ "' must be an authenticated account to call this function.");
logger.error("Invalid user", xPathException);
throw xPathException;
}
logger.info("Attempting to create group " + groupName);
Group group = new GroupAider(groupName);
final DBBroker broker = context.getBroker();
final Subject currentUser = broker.getSubject();
try {
final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
// add the current user as a group manager
group.addManager(currentUser);
if (args.length == 2) {
// add the additional group managers, this also makes sure they
// all exist first!
for (final SequenceIterator i = args[1].iterate(); i.hasNext(); ) {
final String groupManager = i.nextItem().getStringValue();
final Account groupManagerAccount = sm.getAccount(groupManager);
if (groupManagerAccount == null) {
logger.error("Could not find the user: "******"Permission denied, calling account '"
+ context.getSubject().getName()
+ "' do not authorize to call this function.");
} catch (final EXistException exe) {
logger.error("Failed to create group: " + group, exe);
}
return BooleanValue.FALSE;
}
