@Override
  public void addGroup(final Group group) throws XMLDBException {
    final SecurityManager manager = pool.getSecurityManager();

    if (!manager.hasAdminPrivileges(user)) {
      throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, " you are not allowed to add role");
    }

    if (manager.hasGroup(group.getName())) {
      throw new XMLDBException(ErrorCodes.VENDOR_ERROR, "group '" + group.getName() + "' exists");
    }

    try {
      executeWithBroker(
          new BrokerOperation<Void>() {
            @Override
            public Void withBroker(DBBroker broker)
                throws XMLDBException, LockException, PermissionDeniedException, IOException,
                    EXistException, TriggerException {
              manager.addGroup(group);
              return null;
            }
          });
    } catch (final Exception e) {
      throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, e.getMessage(), e);
    }
  }
  @Override
  public void setUserPrimaryGroup(final String username, final String groupName)
      throws XMLDBException {
    final SecurityManager manager = pool.getSecurityManager();

    if (!manager.hasGroup(groupName)) {
      throw new XMLDBException(
          ErrorCodes.PERMISSION_DENIED, "Group '" + groupName + "' does not exist!");
    }

    if (!manager.hasAdminPrivileges(user)) {
      throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, "Not allowed to modify user");
    }

    try {
      executeWithBroker(
          new BrokerOperation<Void>() {
            @Override
            public Void withBroker(final DBBroker broker)
                throws XMLDBException, LockException, PermissionDeniedException, IOException,
                    EXistException, TriggerException {
              final Account account = manager.getAccount(username);
              final Group group = manager.getGroup(groupName);
              account.setPrimaryGroup(group);
              manager.updateAccount(account);
              return null;
            }
          });
    } catch (final Exception e) {
      throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, e.getMessage(), e);
    }
  }
  private <R> R modifyResource(
      DBBroker broker, Resource resource, DatabaseItemModifier<DocumentImpl, R> modifier)
      throws XMLDBException, LockException, PermissionDeniedException, EXistException,
          SyntaxException {
    final TransactionManager transact = broker.getBrokerPool().getTransactionManager();
    final Txn transaction = transact.beginTransaction();

    DocumentImpl document = null;
    try {
      document = ((AbstractEXistResource) resource).openDocument(broker, Lock.WRITE_LOCK);
      final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
      if (!document.getPermissions().validate(user, Permission.WRITE)
          && !sm.hasAdminPrivileges(user)) {
        throw new XMLDBException(
            ErrorCodes.PERMISSION_DENIED,
            "you are not the owner of this resource; owner = "
                + document.getPermissions().getOwner());
      }

      final R result = modifier.modify(document);

      broker.storeXMLResource(transaction, document);
      transact.commit(transaction);

      return result;

    } catch (final EXistException ee) {
      transact.abort(transaction);
      throw ee;
    } catch (final XMLDBException xmldbe) {
      transact.abort(transaction);
      throw xmldbe;
    } catch (final LockException le) {
      transact.abort(transaction);
      throw le;
    } catch (final PermissionDeniedException pde) {
      transact.abort(transaction);
      throw pde;
    } catch (final SyntaxException se) {
      transact.abort(transaction);
      throw se;
    } finally {
      transact.close(transaction);
      if (document != null) {
        ((AbstractEXistResource) resource).closeDocument(document, Lock.WRITE_LOCK);
      }
    }
  }
Beispiel #4
0
 public Sequence eval(Sequence contextSequence, Item contextItem) throws XPathException {
   Sequence userSeq = getArgument(0).eval(contextSequence, contextItem);
   Sequence passwdSeq = getArgument(1).eval(contextSequence, contextItem);
   if (userSeq.isEmpty()) throw new XPathException(getASTNode(), "No user specified");
   String userName = userSeq.getStringValue();
   String passwd = passwdSeq.getStringValue();
   org.exist.security.SecurityManager security =
       context.getBroker().getBrokerPool().getSecurityManager();
   User user = security.getUser(userName);
   if (user == null) throw new XPathException(getASTNode(), "Authentication failed");
   if (user.validate(passwd)) {
     User oldUser = context.getBroker().getUser();
     try {
       context.getBroker().setUser(user);
       return getArgument(2).eval(contextSequence, contextItem);
     } finally {
       context.getBroker().setUser(oldUser);
     }
   } else throw new XPathException(getASTNode(), "Authentication failed");
 }
  /*
   * (non-Javadoc)
   *
   * @see org.exist.xquery.Expression#eval(org.exist.dom.DocumentSet,
   * org.exist.xquery.value.Sequence, org.exist.xquery.value.Item)
   */
  @Override
  public Sequence eval(Sequence args[], Sequence contextSequence) throws XPathException {

    final String groupName = args[0].getStringValue();

    if ("guest".equals(context.getSubject().getName()) || "dba".equals(groupName)) {
      final XPathException xPathException =
          new XPathException(
              this,
              "Permission denied, calling account '"
                  + context.getSubject().getName()
                  + "' must be an authenticated account to call this function.");
      logger.error("Invalid user", xPathException);
      throw xPathException;
    }

    logger.info("Attempting to create group " + groupName);

    Group group = new GroupAider(groupName);

    final DBBroker broker = context.getBroker();
    final Subject currentUser = broker.getSubject();

    try {

      final SecurityManager sm = broker.getBrokerPool().getSecurityManager();

      // add the current user as a group manager
      group.addManager(currentUser);

      if (args.length == 2) {
        // add the additional group managers, this also makes sure they
        // all exist first!
        for (final SequenceIterator i = args[1].iterate(); i.hasNext(); ) {
          final String groupManager = i.nextItem().getStringValue();

          final Account groupManagerAccount = sm.getAccount(groupManager);
          if (groupManagerAccount == null) {
            logger.error("Could not find the user: "******"Permission denied, calling account '"
              + context.getSubject().getName()
              + "' do not authorize to call this function.");
    } catch (final EXistException exe) {
      logger.error("Failed to create group: " + group, exe);
    }

    return BooleanValue.FALSE;
  }