/**
  * @see AccessManager#canRead(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.id.ItemId)
  */
 public boolean canRead(Path itemPath, ItemId itemId) throws RepositoryException {
   checkInitialized();
   if (compiledPermissions.canReadAll()) {
     return true;
   } else {
     return compiledPermissions.canRead(itemPath, itemId);
   }
 }
Example #2
0
  /**
   * @see
   *     org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEffectivePolicies(java.util.Set,
   *     CompiledPermissions)
   */
  public AccessControlPolicy[] getEffectivePolicies(
      Set<Principal> principals, CompiledPermissions permissions) throws RepositoryException {
    String propName = ISO9075.encode(session.getJCRName(P_PRINCIPAL_NAME));

    StringBuilder stmt = new StringBuilder("/jcr:root");
    stmt.append("//element(*,");
    stmt.append(session.getJCRName(NT_REP_ACE));
    stmt.append(")[");
    int i = 0;
    for (Principal principal : principals) {
      if (i > 0) {
        stmt.append(" or ");
      }
      stmt.append("@");
      stmt.append(propName);
      stmt.append("='");
      stmt.append(principal.getName().replaceAll("'", "''"));
      stmt.append("'");
      i++;
    }
    stmt.append("]");

    QueryResult result;
    try {
      QueryManager qm = session.getWorkspace().getQueryManager();
      Query q = qm.createQuery(stmt.toString(), Query.XPATH);
      result = q.execute();
    } catch (RepositoryException e) {
      log.error("Unexpected error while searching effective policies.", e.getMessage());
      throw new UnsupportedOperationException(
          "Retrieve effective policies for set of principals not supported.", e);
    }

    Set<AccessControlPolicy> acls = new LinkedHashSet<AccessControlPolicy>();
    for (NodeIterator it = result.getNodes(); it.hasNext(); ) {
      NodeImpl aclNode = (NodeImpl) it.nextNode().getParent();
      Name aclName = aclNode.getQName();
      NodeImpl accessControlledNode = (NodeImpl) aclNode.getParent();

      if (N_POLICY.equals(aclName) && isAccessControlled(accessControlledNode)) {
        if (permissions.canRead(aclNode.getPrimaryPath(), aclNode.getNodeId())) {
          acls.add(getACL(accessControlledNode, N_POLICY, accessControlledNode.getPath()));
        } else {
          throw new AccessDeniedException(
              "Access denied at " + Text.getRelativeParent(aclNode.getPath(), 1));
        }
      } else if (N_REPO_POLICY.equals(aclName) && isRepoAccessControlled(accessControlledNode)) {
        if (permissions.canRead(aclNode.getPrimaryPath(), aclNode.getNodeId())) {
          acls.add(getACL(accessControlledNode, N_REPO_POLICY, null));
        } else {
          throw new AccessDeniedException(
              "Access denied at " + Text.getRelativeParent(aclNode.getPath(), 1));
        }
      } // else: not a regular policy node -> ignore.
    }

    return acls.toArray(new AccessControlPolicy[acls.size()]);
  }
Example #3
0
 /**
  * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#canAccessRoot(Set)
  */
 public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException {
   checkInitialized();
   if (isAdminOrSystem(principals)) {
     return true;
   } else {
     CompiledPermissions cp =
         new CompiledPermissionsImpl(principals, session, entryCollector, this, false);
     try {
       return cp.canRead(null, rootNodeId);
     } finally {
       cp.close();
     }
   }
 }
  /**
   * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#getPrivileges(String,
   *     Set)
   */
  public Privilege[] getPrivileges(String absPath, Set<Principal> principals)
      throws PathNotFoundException, RepositoryException {
    checkInitialized();
    checkValidNodePath(absPath);
    checkPermission(absPath, Permission.READ_AC);

    CompiledPermissions perms = acProvider.compilePermissions(principals);
    try {
      Set<Privilege> privs = perms.getPrivilegeSet(getPath(absPath));
      return privs.toArray(new Privilege[privs.size()]);
    } finally {
      perms.close();
    }
  }
  /**
   * Overridden to:
   *
   * <ul>
   *   <li>Use custom {@code CompiledPermissions}.
   * </ul>
   *
   * @see PentahoCompiledPermissionsImpl
   */
  @Override
  public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException {
    checkInitialized();
    if (isAdminOrSystem(principals)) {

      return true;
    } else {
      CompiledPermissions cp = getCompiledPermissions(principals);
      try {
        return cp.canRead(null, getRootNodeId());
      } finally {
        cp.close();
      }
    }
  }
Example #6
0
  /**
   * @see
   *     org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions)
   */
  public AccessControlPolicy[] getEffectivePolicies(Path absPath, CompiledPermissions permissions)
      throws ItemNotFoundException, RepositoryException {
    checkInitialized();

    NodeImpl targetNode;
    List<AccessControlList> acls = new ArrayList<AccessControlList>();
    if (absPath == null) {
      targetNode = (NodeImpl) session.getRootNode();
      if (isRepoAccessControlled(targetNode)) {
        if (permissions.grants(targetNode.getPrimaryPath(), Permission.READ_AC)) {
          acls.add(getACL(targetNode, N_REPO_POLICY, null));
        } else {
          throw new AccessDeniedException("Access denied at " + targetNode.getPath());
        }
      }
    } else {
      targetNode = (NodeImpl) session.getNode(session.getJCRPath(absPath));
      NodeImpl node = getNode(targetNode, isAcItem(targetNode));

      // collect all ACLs effective at node
      collectAcls(node, permissions, acls);
    }

    // if no effective ACLs are present -> add a default, empty acl.
    if (acls.isEmpty()) {
      // no access control information can be retrieved for the specified
      // node, since neither the node nor any of its parents is access
      // controlled. TODO: there should be a default policy in this case (see JCR-2331)
      log.warn(
          "No access controlled node present in item hierarchy starting from "
              + targetNode.getPath());
    }
    return acls.toArray(new AccessControlList[acls.size()]);
  }
 /** @see javax.jcr.security.AccessControlManager#getPrivileges(String) */
 public Privilege[] getPrivileges(String absPath)
     throws PathNotFoundException, RepositoryException {
   checkInitialized();
   checkValidNodePath(absPath);
   Set<Privilege> privs = compiledPermissions.getPrivilegeSet(getPath(absPath));
   return privs.toArray(new Privilege[privs.size()]);
 }
 /** @see AccessManager#isGranted(Path, int) */
 public boolean isGranted(Path absPath, int permissions) throws RepositoryException {
   checkInitialized();
   if (!absPath.isAbsolute()) {
     throw new RepositoryException("Absolute path expected");
   }
   return compiledPermissions.grants(absPath, permissions);
 }
  /** @see AccessManager#isGranted(ItemId, int) */
  public boolean isGranted(ItemId id, int actions)
      throws ItemNotFoundException, RepositoryException {
    checkInitialized();
    if (actions == READ && compiledPermissions.canReadAll()) {
      return true;
    } else {
      int perm = 0;
      if ((actions & READ) == READ) {
        perm |= Permission.READ;
      }
      if ((actions & WRITE) == WRITE) {
        if (id.denotesNode()) {
          // TODO: check again if correct
          perm |= Permission.SET_PROPERTY;
          perm |= Permission.ADD_NODE;
        } else {
          perm |= Permission.SET_PROPERTY;
        }
      }
      if ((actions & REMOVE) == REMOVE) {
        perm |= (id.denotesNode()) ? Permission.REMOVE_NODE : Permission.REMOVE_PROPERTY;
      }

      Path path = hierMgr.getPath(id);
      return isGranted(path, perm);
    }
  }
 /** @see AccessManager#checkRepositoryPermission(int) */
 public void checkRepositoryPermission(int permissions)
     throws AccessDeniedException, RepositoryException {
   checkInitialized();
   if (!compiledPermissions.grants(null, permissions)) {
     throw new AccessDeniedException("Access denied.");
   }
 }
 /** @see AbstractAccessControlManager#checkPermission(String,int) */
 @Override
 protected void checkPermission(String absPath, int permission)
     throws AccessDeniedException, RepositoryException {
   checkValidNodePath(absPath);
   Path p = getPath(absPath);
   if (!compiledPermissions.grants(p, permission)) {
     throw new AccessDeniedException("Access denied at " + absPath);
   }
 }
  /**
   * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#hasPrivileges(String,
   *     Set, Privilege[])
   */
  public boolean hasPrivileges(String absPath, Set<Principal> principals, Privilege[] privileges)
      throws PathNotFoundException, RepositoryException {
    checkInitialized();
    checkValidNodePath(absPath);
    checkPermission(absPath, Permission.READ_AC);

    if (privileges == null || privileges.length == 0) {
      // null or empty privilege array -> return true
      log.debug("No privileges passed -> allowed.");
      return true;
    } else {
      Path p = getPath(absPath);
      CompiledPermissions perms = acProvider.compilePermissions(principals);
      try {
        return perms.hasPrivileges(p, privileges);
      } finally {
        perms.close();
      }
    }
  }
  /** @see AccessManager#close() */
  public void close() throws Exception {
    if (!initialized) {
      throw new IllegalStateException("Manager is not initialized.");
    }
    initialized = false;
    compiledPermissions.close();

    hierMgr = null;
    acProvider = null;
    editor = null;
    wspAccess = null;
  }
 /** @see javax.jcr.security.AccessControlManager#hasPrivileges(String, Privilege[]) */
 public boolean hasPrivileges(String absPath, Privilege[] privileges)
     throws PathNotFoundException, RepositoryException {
   checkInitialized();
   checkValidNodePath(absPath);
   if (privileges == null || privileges.length == 0) {
     // null or empty privilege array -> return true
     log.debug("No privileges passed -> allowed.");
     return true;
   } else {
     Path p = getPath(absPath);
     return compiledPermissions.hasPrivileges(p, privileges);
   }
 }
Example #15
0
 /**
  * Recursively collects all ACLs that are effective on the specified node.
  *
  * @param node the Node to collect the ACLs for, which must NOT be part of the structure defined
  *     by mix:AccessControllable.
  * @param permissions
  * @param acls List used to collect the effective acls.
  * @throws RepositoryException if an error occurs
  */
 private void collectAcls(
     NodeImpl node, CompiledPermissions permissions, List<AccessControlList> acls)
     throws RepositoryException {
   // if the given node is access-controlled, construct a new ACL and add
   // it to the list
   if (isAccessControlled(node)) {
     if (permissions.grants(node.getPrimaryPath(), Permission.READ_AC)) {
       acls.add(getACL(node, N_POLICY, node.getPath()));
     } else {
       throw new AccessDeniedException("Access denied at " + node.getPath());
     }
   }
   // then, recursively look for access controlled parents up the hierarchy.
   if (!rootNodeId.equals(node.getId())) {
     NodeImpl parentNode = (NodeImpl) node.getParent();
     collectAcls(parentNode, permissions, acls);
   }
 }