@Override
protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
throws ServletException, IOException {
String paramUser = request.getParameter(SiteService.SiteEvent.USER);
logger.info("Request to add user " + paramUser);
String paramGroup = "";
try {
Node requestedNode = request.getResource().adaptTo(Node.class);
Value[] authorizables = requestedNode.getProperty("sakai:authorizables").getValues();
paramGroup = authorizables[1].getString();
request.setAttribute(JoinRequestConstants.PARAM_SITENODE, requestedNode);
Session session = slingRepository.loginAdministrative(null);
UserManager userManager = AccessControlUtil.getUserManager(session);
Authorizable userAuth = userManager.getAuthorizable(paramUser);
Group groupAuth = (Group) userManager.getAuthorizable(paramGroup);
if (siteJoinIsAuthorized(request)) {
groupAuth.addMember(userAuth);
logger.info(paramUser + " added as member of group " + paramGroup);
} else {
response.sendError(403, "Not authorized to add member to site.");
}
if (session.hasPendingChanges()) {
session.save();
}
} catch (Exception e) {
response.sendError(500, e.getMessage());
}
}
/**
* KERN-1026 changed the results of this to be the authz's that are members of the managers group
* associated to a group rather than the group managers associated to the group.
*
* <p><del>Get the managers for a group. These should be stored in the {@link
* UserConstants#PROP_GROUP_MANAGERS}.</del>
*
* @param request
* @param group
* @param writer
* @throws RepositoryException
* @throws JSONException
*/
protected TreeMap<String, Authorizable> getManagers(
SlingHttpServletRequest request, Group group, Comparator<String> comparator)
throws RepositoryException, JSONException {
TreeMap<String, Authorizable> map = new TreeMap<String, Authorizable>(comparator);
// KERN-949 will probably change this.
// note above was made before this was changed to retrieving members of the managers
// group and may not apply.
Session session = request.getResourceResolver().adaptTo(Session.class);
UserManager um = AccessControlUtil.getUserManager(session);
Value[] managersGroup = group.getProperty(UserConstants.PROP_MANAGERS_GROUP);
if (managersGroup != null && managersGroup.length == 1) {
String mgrGroupName = managersGroup[0].getString();
Group mgrGroup = (Group) um.getAuthorizable(mgrGroupName);
Iterator<Authorizable> members = mgrGroup.getMembers();
while (members.hasNext()) {
Authorizable member = members.next();
String prinName = member.getPrincipal().getName();
Authorizable mau = um.getAuthorizable(prinName);
String name = getName(mau);
map.put(name, mau);
}
}
return map;
}
public void initDefaultUsers() {
Session session = null;
try {
session = repository.loginAdministrative(null);
UserManager userManager = AccessControlUtil.getUserManager(session);
// Apply default user properties from JSON files.
Pattern fileNamePattern = Pattern.compile("/users/|\\.json");
@SuppressWarnings("rawtypes")
Enumeration entriesEnum = bundle.findEntries("users", "*.json", true);
while (entriesEnum.hasMoreElements()) {
Object entry = entriesEnum.nextElement();
URL jsonUrl = new URL(entry.toString());
String jsonFileName = jsonUrl.getFile();
String authorizableId = fileNamePattern.matcher(jsonFileName).replaceAll("");
Authorizable authorizable = userManager.getAuthorizable(authorizableId);
if (authorizable != null) {
applyJsonToAuthorizable(jsonUrl, authorizable, session);
LOGGER.info("Initialized default authorizable {}", authorizableId);
} else {
LOGGER.warn("Configured default authorizable {} not found", authorizableId);
}
}
} catch (RepositoryException e) {
LOGGER.error("Could not configure default authorizables", e);
} catch (IOException e) {
LOGGER.error("Could not configure default authorizables", e);
} finally {
if (session != null) {
session.logout();
}
}
}
private void badNodeNameParam(String name, String exception) throws RepositoryException {
CreateSakaiUserServlet csus = new CreateSakaiUserServlet();
csus.requestTrustValidatorService = requestTrustValidatorService;
JackrabbitSession session = createMock(JackrabbitSession.class);
ResourceResolver rr = createMock(ResourceResolver.class);
SlingHttpServletRequest request = createMock(SlingHttpServletRequest.class);
UserManager userManager = createMock(UserManager.class);
User user = createMock(User.class);
expect(request.getResourceResolver()).andReturn(rr).anyTimes();
expect(rr.adaptTo(Session.class)).andReturn(session).anyTimes();
expect(session.getUserManager()).andReturn(userManager);
expect(session.getUserID()).andReturn("userID");
expect(userManager.getAuthorizable("userID")).andReturn(user);
expect(user.isAdmin()).andReturn(false);
expect(request.getParameter(":create-auth")).andReturn("reCAPTCHA");
expect(request.getParameter(SlingPostConstants.RP_NODE_NAME)).andReturn(name);
HtmlResponse response = new HtmlResponse();
replay();
try {
csus.handleOperation(request, response, null);
fail();
} catch (RepositoryException e) {
assertEquals(exception, e.getMessage());
}
verify();
}
@Override
public void activate() throws Exception {
String listGroup = getProperties().get(PROP_LIST, String.class);
if (listGroup.equals(PROP_LIST_OPTION1)) {
UserManager userManager = getResourceResolver().adaptTo(UserManager.class);
Authorizable opsBluPrintUser = userManager.getAuthorizable(getRequest().getUserPrincipal());
Iterator<Group> groups = opsBluPrintUser.memberOf();
for (; groups.hasNext(); ) {
String groupName = groups.next().getPrincipal().getName();
if ((groupName.equals(MAKER_GROUP))
|| (groupName.equals(CHECKER_GROUP))
|| (groupName.equals(READER_GROUP))) {
hiddenFieldValue = groupName;
}
}
} else if (listGroup.equals(PROP_LIST_OPTION2)) {
hiddenFieldValue = getRequest().getUserPrincipal().getName();
} else if (listGroup.equals(PROP_LIST_OPTION3)) {
// to be added
} else if (listGroup.equals(PROP_LIST_OPTION4)) {
hiddenFieldValue = getProperties().get(STATIC_VALUE, String.class);
}
}
public Resource next() {
Principal nextPrincipal = principals.nextPrincipal();
try {
ResourceResolver resourceResolver = parent.getResourceResolver();
if (resourceResolver != null) {
Session session = resourceResolver.adaptTo(Session.class);
if (session != null) {
UserManager userManager = AccessControlUtil.getUserManager(session);
if (userManager != null) {
Authorizable authorizable = userManager.getAuthorizable(nextPrincipal.getName());
if (authorizable != null) {
String path;
if (authorizable.isGroup()) {
path = SYSTEM_USER_MANAGER_GROUP_PREFIX + nextPrincipal.getName();
} else {
path = SYSTEM_USER_MANAGER_USER_PREFIX + nextPrincipal.getName();
}
return new SakaiAuthorizableResource(authorizable, resourceResolver, path);
}
}
}
}
} catch (RepositoryException re) {
log.error("Exception while looking up authorizable resource.", re);
}
return null;
}
private User getJackrabbitUser(ITenant theTenant, String name, Session session)
throws RepositoryException {
User jackrabbitUser = null;
String userId = name;
String userName = name;
ITenant tenant = theTenant;
if (tenant == null) {
tenant = JcrTenantUtils.getTenant(userName, true);
userName = JcrTenantUtils.getPrincipalName(userName, true);
}
if (tenant == null || tenant.getId() == null) {
tenant = JcrTenantUtils.getCurrentTenant();
}
if (tenant == null || tenant.getId() == null) {
tenant = JcrTenantUtils.getDefaultTenant();
}
if (tenant != null) {
userId = tenantedUserNameUtils.getPrincipleId(tenant, userName);
UserManager userMgr = getUserManager(tenant, session);
Authorizable authorizable = userMgr.getAuthorizable(userId);
if (authorizable instanceof User) {
jackrabbitUser = (User) authorizable;
}
}
return jackrabbitUser;
}
private Group getJackrabbitGroup(ITenant theTenant, String name, Session session)
throws RepositoryException {
Group jackrabbitGroup = null;
String roleId = name;
String roleName = name;
ITenant tenant = theTenant;
if (tenant == null) {
tenant = JcrTenantUtils.getTenant(roleName, false);
roleName = JcrTenantUtils.getPrincipalName(roleName, false);
}
if (tenant == null || tenant.getId() == null) {
tenant = JcrTenantUtils.getCurrentTenant();
}
if (tenant == null || tenant.getId() == null) {
tenant = JcrTenantUtils.getDefaultTenant();
}
roleId = tenantedRoleNameUtils.getPrincipleId(tenant, roleName);
UserManager userMgr = getUserManager(tenant, session);
Authorizable authorizable = userMgr.getAuthorizable(roleId);
if (authorizable instanceof Group) {
jackrabbitGroup = (Group) authorizable;
}
return jackrabbitGroup;
}
/**
* {@inheritDoc}
*
* @see
* org.sakaiproject.nakamura.api.search.SearchResultProcessor#writeNode(org.apache.sling.api.SlingHttpServletRequest,
* org.apache.sling.commons.json.io.JSONWriter,
* org.sakaiproject.nakamura.api.search.Aggregator, javax.jcr.query.Row)
*/
public void writeNode(
SlingHttpServletRequest request, JSONWriter write, Aggregator aggregator, Row row)
throws JSONException, RepositoryException {
write.object();
Node node = row.getNode();
write.key("jcr:created");
write.value(node.getProperty("jcr:created").getString());
String userID = node.getName();
UserManager um = AccessControlUtil.getUserManager(node.getSession());
Authorizable au = um.getAuthorizable(userID);
if (au != null) {
ValueMap map = profileService.getCompactProfileMap(au, node.getSession());
((ExtendedJSONWriter) write).valueMapInternals(map);
}
write.endObject();
}
@Test
public void testRequestTrusted() throws RepositoryException {
CreateSakaiUserServlet csus = new CreateSakaiUserServlet();
JackrabbitSession session = createMock(JackrabbitSession.class);
ResourceResolver rr = createMock(ResourceResolver.class);
expect(rr.adaptTo(Session.class)).andReturn(session);
SlingHttpServletRequest request = createMock(SlingHttpServletRequest.class);
UserManager userManager = createMock(UserManager.class);
User user = createMock(User.class);
expect(request.getResourceResolver()).andReturn(rr).anyTimes();
expect(rr.adaptTo(Session.class)).andReturn(session).anyTimes();
expect(session.getUserManager()).andReturn(userManager);
expect(session.getUserID()).andReturn("userID");
expect(userManager.getAuthorizable("userID")).andReturn(user);
expect(user.isAdmin()).andReturn(false);
expect(request.getParameter(":create-auth")).andReturn("typeA");
RequestTrustValidatorService requestTrustValidatorService =
createMock(RequestTrustValidatorService.class);
RequestTrustValidator requestTrustValidator = createMock(RequestTrustValidator.class);
expect(requestTrustValidatorService.getValidator("typeA")).andReturn(requestTrustValidator);
expect(requestTrustValidator.getLevel()).andReturn(RequestTrustValidator.CREATE_USER);
expect(requestTrustValidator.isTrusted(request)).andReturn(true);
expect(request.getParameter(SlingPostConstants.RP_NODE_NAME)).andReturn("foo");
expect(request.getParameter("pwd")).andReturn("bar");
expect(request.getParameter("pwdConfirm")).andReturn("baz");
HtmlResponse response = new HtmlResponse();
csus.requestTrustValidatorService = requestTrustValidatorService;
replay();
try {
csus.handleOperation(request, response, null);
fail();
} catch (RepositoryException e) {
assertEquals("Password value does not match the confirmation password", e.getMessage());
}
verify();
}
@Override
protected TreeMap<String, Group> getGroups(Authorizable member, UserManager userManager)
throws RepositoryException {
TreeMap<String, Group> managedGroups = new TreeMap<String, Group>();
Iterator<Group> allGroupsIter = member.memberOf();
while (allGroupsIter.hasNext()) {
Group group = allGroupsIter.next();
if (group.hasProperty(UserConstants.PROP_MANAGED_GROUP)) {
Value[] values = group.getProperty(UserConstants.PROP_MANAGED_GROUP);
if ((values != null) && (values.length == 1)) {
String managedGroupId = values[0].getString();
Group managedGroup = (Group) userManager.getAuthorizable(managedGroupId);
managedGroups.put(managedGroupId, managedGroup);
}
}
}
return managedGroups;
}
/*
* (non-Javadoc)
* @see
* org.apache.sling.api.resource.ResourceProvider#getResource(org.apache
* .sling.api.resource.ResourceResolver, java.lang.String)
*/
public Resource getResource(ResourceResolver resourceResolver, String path) {
// handle resources for the virtual container resources
if (path.equals(SYSTEM_USER_MANAGER_PATH)) {
return new SyntheticResource(resourceResolver, path, "sling/userManager");
} else if (path.equals(SYSTEM_USER_MANAGER_USER_PATH)) {
return new SyntheticResource(resourceResolver, path, "sling/users");
} else if (path.equals(SYSTEM_USER_MANAGER_GROUP_PATH)) {
return new SyntheticResource(resourceResolver, path, "sling/groups");
}
// the principalId should be the first segment after the prefix
String pid = null;
if (path.startsWith(SYSTEM_USER_MANAGER_USER_PREFIX)) {
pid = path.substring(SYSTEM_USER_MANAGER_USER_PREFIX.length());
} else if (path.startsWith(SYSTEM_USER_MANAGER_GROUP_PREFIX)) {
pid = path.substring(SYSTEM_USER_MANAGER_GROUP_PREFIX.length());
}
if (pid != null) {
if (pid.indexOf('/') != -1) {
return null; // something bogus on the end of the path so bail
// out now.
}
try {
Session session = resourceResolver.adaptTo(Session.class);
if (session != null) {
UserManager userManager = AccessControlUtil.getUserManager(session);
if (userManager != null) {
Authorizable authorizable = userManager.getAuthorizable(pid);
if (authorizable != null) {
// found the Authorizable, so return the resource
// that wraps it.
return new SakaiAuthorizableResource(authorizable, resourceResolver, path);
}
}
}
} catch (RepositoryException re) {
throw new SlingException("Error looking up Authorizable for principal: " + pid, re);
}
}
return null;
}
/*
* (non-Javadoc)
* @see
* org.apache.sling.jackrabbit.usermanager.post.AbstractAuthorizablePostServlet
* #handleOperation(org.apache.sling.api.SlingHttpServletRequest,
* org.apache.sling.api.servlets.HtmlResponse, java.util.List)
*/
@Override
protected void handleOperation(
SlingHttpServletRequest request, HtmlResponse response, List<Modification> changes)
throws RepositoryException {
// make sure user self-registration is enabled
if (!selfRegistrationEnabled) {
throw new RepositoryException(
"Sorry, registration of new users is not currently enabled. Please try again later.");
}
Session session = request.getResourceResolver().adaptTo(Session.class);
if (session == null) {
throw new RepositoryException("JCR Session not found");
}
// check that the submitted parameter values have valid values.
String principalName = request.getParameter(SlingPostConstants.RP_NODE_NAME);
if (principalName == null) {
throw new RepositoryException("User name was not submitted");
}
String pwd = request.getParameter("pwd");
if (pwd == null) {
throw new RepositoryException("Password was not submitted");
}
String pwdConfirm = request.getParameter("pwdConfirm");
if (!pwd.equals(pwdConfirm)) {
throw new RepositoryException("Password value does not match the confirmation password");
}
Session selfRegSession = null;
try {
selfRegSession = getSession();
UserManager userManager = AccessControlUtil.getUserManager(selfRegSession);
Authorizable authorizable = userManager.getAuthorizable(principalName);
if (authorizable != null) {
// user already exists!
throw new RepositoryException(
"A principal already exists with the requested name: " + principalName);
} else {
Map<String, RequestProperty> reqProperties = collectContent(request, response);
User user = userManager.createUser(principalName, digestPassword(pwd));
String userPath =
AuthorizableResourceProvider.SYSTEM_USER_MANAGER_USER_PREFIX + user.getID();
response.setPath(userPath);
response.setLocation(externalizePath(request, userPath));
response.setParentLocation(
externalizePath(request, AuthorizableResourceProvider.SYSTEM_USER_MANAGER_USER_PATH));
changes.add(Modification.onCreated(userPath));
// write content from form
writeContent(selfRegSession, user, reqProperties, changes);
if (selfRegSession.hasPendingChanges()) {
selfRegSession.save();
}
}
} finally {
ungetSession(selfRegSession);
}
}
/*
* (non-Javadoc)
*
* @seeorg.apache.sling.jackrabbit.usermanager.post.AbstractAuthorizablePostServlet#
* handleOperation(org.apache.sling.api.SlingHttpServletRequest,
* org.apache.sling.api.servlets.HtmlResponse, java.util.List)
*/
@Override
@edu.umd.cs.findbugs.annotations.SuppressWarnings(
justification = "If there is an exception, the user is certainly not admin",
value = {"REC_CATCH_EXCEPTION"})
protected void handleOperation(
SlingHttpServletRequest request, HtmlResponse response, List<Modification> changes)
throws RepositoryException {
// KERN-432 dont allow anon users to access create group.
if (SecurityConstants.ANONYMOUS_ID.equals(request.getRemoteUser())) {
response.setStatus(403, "AccessDenied");
}
// check that the submitted parameter values have valid values.
final String principalName = request.getParameter(SlingPostConstants.RP_NODE_NAME);
if (principalName == null) {
throw new RepositoryException("Group name was not submitted");
}
NameSanitizer san = new NameSanitizer(principalName, false);
san.validate();
// check for allow create Group
boolean allowCreateGroup = false;
User currentUser = null;
try {
Session currentSession = request.getResourceResolver().adaptTo(Session.class);
UserManager um = AccessControlUtil.getUserManager(currentSession);
currentUser = (User) um.getAuthorizable(currentSession.getUserID());
if (currentUser.isAdmin()) {
LOGGER.debug("User is an admin ");
allowCreateGroup = true;
} else {
LOGGER.debug("Checking for membership of one of {} ", Arrays.toString(authorizedGroups));
PrincipalManager principalManager = AccessControlUtil.getPrincipalManager(currentSession);
PrincipalIterator pi =
principalManager.getGroupMembership(
principalManager.getPrincipal(currentSession.getUserID()));
Set<String> groups = new HashSet<String>();
for (; pi.hasNext(); ) {
groups.add(pi.nextPrincipal().getName());
}
for (String groupName : authorizedGroups) {
if (groups.contains(groupName)) {
allowCreateGroup = true;
break;
}
// TODO: move this nasty hack into the PrincipalManager dynamic groups need to
// be in the principal manager for this to work.
if ("authenticated".equals(groupName)
&& !SecurityConstants.ADMIN_ID.equals(currentUser.getID())) {
allowCreateGroup = true;
break;
}
// just check via the user manager for dynamic resolution.
Group group = (Group) um.getAuthorizable(groupName);
LOGGER.debug("Checking for group {} {} ", groupName, group);
if (group != null && group.isMember(currentUser)) {
allowCreateGroup = true;
LOGGER.debug("User is a member of {} {} ", groupName, group);
break;
}
}
}
} catch (Exception ex) {
LOGGER.warn(
"Failed to determin if the user is an admin, assuming not. Cause: " + ex.getMessage());
allowCreateGroup = false;
}
if (!allowCreateGroup) {
LOGGER.debug("User is not allowed to create groups ");
response.setStatus(HttpServletResponse.SC_FORBIDDEN, "User is not allowed to create groups");
return;
}
Session session = getSession();
try {
UserManager userManager = AccessControlUtil.getUserManager(session);
Authorizable authorizable = userManager.getAuthorizable(principalName);
if (authorizable != null) {
// principal already exists!
throw new RepositoryException(
"A principal already exists with the requested name: " + principalName);
} else {
Group group =
userManager.createGroup(
new Principal() {
public String getName() {
return principalName;
}
});
String groupPath =
AuthorizableResourceProvider.SYSTEM_USER_MANAGER_GROUP_PREFIX + group.getID();
Map<String, RequestProperty> reqProperties = collectContent(request, response, groupPath);
response.setPath(groupPath);
response.setLocation(externalizePath(request, groupPath));
response.setParentLocation(
externalizePath(request, AuthorizableResourceProvider.SYSTEM_USER_MANAGER_GROUP_PATH));
changes.add(Modification.onCreated(groupPath));
// It is not allowed to touch the rep:group-managers property directly.
String key = SYSTEM_USER_MANAGER_GROUP_PREFIX + principalName + "/";
reqProperties.remove(key + PROP_GROUP_MANAGERS);
reqProperties.remove(key + PROP_GROUP_VIEWERS);
// write content from form
writeContent(session, group, reqProperties, changes);
// update the group memberships, although this uses session from the request, it
// only
// does so for finding authorizables, so its ok that we are using an admin session
// here.
updateGroupMembership(request, group, changes);
updateOwnership(request, group, new String[] {currentUser.getID()}, changes);
sakaiAuthorizableService.postprocess(group, session);
// Launch an OSGi event for creating a group.
try {
Dictionary<String, String> properties = new Hashtable<String, String>();
properties.put(UserConstants.EVENT_PROP_USERID, principalName);
EventUtils.sendOsgiEvent(properties, UserConstants.TOPIC_GROUP_CREATED, eventAdmin);
} catch (Exception e) {
// Trap all exception so we don't disrupt the normal behaviour.
LOGGER.error("Failed to launch an OSGi event for creating a user.", e);
}
}
} catch (RepositoryException re) {
throw new RepositoryException("Failed to create new group.", re);
} finally {
ungetSession(session);
}
}