@Override
 protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
     throws ServletException, IOException {
   String paramUser = request.getParameter(SiteService.SiteEvent.USER);
   logger.info("Request to add user " + paramUser);
   String paramGroup = "";
   try {
     Node requestedNode = request.getResource().adaptTo(Node.class);
     Value[] authorizables = requestedNode.getProperty("sakai:authorizables").getValues();
     paramGroup = authorizables[1].getString();
     request.setAttribute(JoinRequestConstants.PARAM_SITENODE, requestedNode);
     Session session = slingRepository.loginAdministrative(null);
     UserManager userManager = AccessControlUtil.getUserManager(session);
     Authorizable userAuth = userManager.getAuthorizable(paramUser);
     Group groupAuth = (Group) userManager.getAuthorizable(paramGroup);
     if (siteJoinIsAuthorized(request)) {
       groupAuth.addMember(userAuth);
       logger.info(paramUser + " added as member of group " + paramGroup);
     } else {
       response.sendError(403, "Not authorized to add member to site.");
     }
     if (session.hasPendingChanges()) {
       session.save();
     }
   } catch (Exception e) {
     response.sendError(500, e.getMessage());
   }
 }
  /**
   * KERN-1026 changed the results of this to be the authz's that are members of the managers group
   * associated to a group rather than the group managers associated to the group.
   *
   * <p><del>Get the managers for a group. These should be stored in the {@link
   * UserConstants#PROP_GROUP_MANAGERS}.</del>
   *
   * @param request
   * @param group
   * @param writer
   * @throws RepositoryException
   * @throws JSONException
   */
  protected TreeMap<String, Authorizable> getManagers(
      SlingHttpServletRequest request, Group group, Comparator<String> comparator)
      throws RepositoryException, JSONException {
    TreeMap<String, Authorizable> map = new TreeMap<String, Authorizable>(comparator);

    // KERN-949 will probably change this.
    // note above was made before this was changed to retrieving members of the managers
    // group and may not apply.
    Session session = request.getResourceResolver().adaptTo(Session.class);
    UserManager um = AccessControlUtil.getUserManager(session);
    Value[] managersGroup = group.getProperty(UserConstants.PROP_MANAGERS_GROUP);
    if (managersGroup != null && managersGroup.length == 1) {
      String mgrGroupName = managersGroup[0].getString();

      Group mgrGroup = (Group) um.getAuthorizable(mgrGroupName);

      Iterator<Authorizable> members = mgrGroup.getMembers();
      while (members.hasNext()) {
        Authorizable member = members.next();
        String prinName = member.getPrincipal().getName();
        Authorizable mau = um.getAuthorizable(prinName);
        String name = getName(mau);
        map.put(name, mau);
      }
    }
    return map;
  }
  public void initDefaultUsers() {
    Session session = null;
    try {
      session = repository.loginAdministrative(null);
      UserManager userManager = AccessControlUtil.getUserManager(session);

      // Apply default user properties from JSON files.
      Pattern fileNamePattern = Pattern.compile("/users/|\\.json");
      @SuppressWarnings("rawtypes")
      Enumeration entriesEnum = bundle.findEntries("users", "*.json", true);
      while (entriesEnum.hasMoreElements()) {
        Object entry = entriesEnum.nextElement();
        URL jsonUrl = new URL(entry.toString());
        String jsonFileName = jsonUrl.getFile();
        String authorizableId = fileNamePattern.matcher(jsonFileName).replaceAll("");
        Authorizable authorizable = userManager.getAuthorizable(authorizableId);
        if (authorizable != null) {
          applyJsonToAuthorizable(jsonUrl, authorizable, session);
          LOGGER.info("Initialized default authorizable {}", authorizableId);
        } else {
          LOGGER.warn("Configured default authorizable {} not found", authorizableId);
        }
      }
    } catch (RepositoryException e) {
      LOGGER.error("Could not configure default authorizables", e);
    } catch (IOException e) {
      LOGGER.error("Could not configure default authorizables", e);
    } finally {
      if (session != null) {
        session.logout();
      }
    }
  }
  private void badNodeNameParam(String name, String exception) throws RepositoryException {
    CreateSakaiUserServlet csus = new CreateSakaiUserServlet();
    csus.requestTrustValidatorService = requestTrustValidatorService;

    JackrabbitSession session = createMock(JackrabbitSession.class);

    ResourceResolver rr = createMock(ResourceResolver.class);

    SlingHttpServletRequest request = createMock(SlingHttpServletRequest.class);
    UserManager userManager = createMock(UserManager.class);
    User user = createMock(User.class);
    expect(request.getResourceResolver()).andReturn(rr).anyTimes();
    expect(rr.adaptTo(Session.class)).andReturn(session).anyTimes();

    expect(session.getUserManager()).andReturn(userManager);
    expect(session.getUserID()).andReturn("userID");
    expect(userManager.getAuthorizable("userID")).andReturn(user);
    expect(user.isAdmin()).andReturn(false);

    expect(request.getParameter(":create-auth")).andReturn("reCAPTCHA");
    expect(request.getParameter(SlingPostConstants.RP_NODE_NAME)).andReturn(name);

    HtmlResponse response = new HtmlResponse();

    replay();

    try {
      csus.handleOperation(request, response, null);
      fail();
    } catch (RepositoryException e) {
      assertEquals(exception, e.getMessage());
    }
    verify();
  }
  @Override
  public void activate() throws Exception {

    String listGroup = getProperties().get(PROP_LIST, String.class);

    if (listGroup.equals(PROP_LIST_OPTION1)) {
      UserManager userManager = getResourceResolver().adaptTo(UserManager.class);
      Authorizable opsBluPrintUser = userManager.getAuthorizable(getRequest().getUserPrincipal());
      Iterator<Group> groups = opsBluPrintUser.memberOf();
      for (; groups.hasNext(); ) {
        String groupName = groups.next().getPrincipal().getName();

        if ((groupName.equals(MAKER_GROUP))
            || (groupName.equals(CHECKER_GROUP))
            || (groupName.equals(READER_GROUP))) {
          hiddenFieldValue = groupName;
        }
      }

    } else if (listGroup.equals(PROP_LIST_OPTION2)) {

      hiddenFieldValue = getRequest().getUserPrincipal().getName();
    } else if (listGroup.equals(PROP_LIST_OPTION3)) {
      // to be added

    } else if (listGroup.equals(PROP_LIST_OPTION4)) {
      hiddenFieldValue = getProperties().get(STATIC_VALUE, String.class);
    }
  }
 public Resource next() {
   Principal nextPrincipal = principals.nextPrincipal();
   try {
     ResourceResolver resourceResolver = parent.getResourceResolver();
     if (resourceResolver != null) {
       Session session = resourceResolver.adaptTo(Session.class);
       if (session != null) {
         UserManager userManager = AccessControlUtil.getUserManager(session);
         if (userManager != null) {
           Authorizable authorizable = userManager.getAuthorizable(nextPrincipal.getName());
           if (authorizable != null) {
             String path;
             if (authorizable.isGroup()) {
               path = SYSTEM_USER_MANAGER_GROUP_PREFIX + nextPrincipal.getName();
             } else {
               path = SYSTEM_USER_MANAGER_USER_PREFIX + nextPrincipal.getName();
             }
             return new SakaiAuthorizableResource(authorizable, resourceResolver, path);
           }
         }
       }
     }
   } catch (RepositoryException re) {
     log.error("Exception while looking up authorizable resource.", re);
   }
   return null;
 }
  private User getJackrabbitUser(ITenant theTenant, String name, Session session)
      throws RepositoryException {
    User jackrabbitUser = null;
    String userId = name;
    String userName = name;
    ITenant tenant = theTenant;
    if (tenant == null) {
      tenant = JcrTenantUtils.getTenant(userName, true);
      userName = JcrTenantUtils.getPrincipalName(userName, true);
    }
    if (tenant == null || tenant.getId() == null) {
      tenant = JcrTenantUtils.getCurrentTenant();
    }
    if (tenant == null || tenant.getId() == null) {
      tenant = JcrTenantUtils.getDefaultTenant();
    }

    if (tenant != null) {
      userId = tenantedUserNameUtils.getPrincipleId(tenant, userName);

      UserManager userMgr = getUserManager(tenant, session);
      Authorizable authorizable = userMgr.getAuthorizable(userId);
      if (authorizable instanceof User) {
        jackrabbitUser = (User) authorizable;
      }
    }
    return jackrabbitUser;
  }
  private Group getJackrabbitGroup(ITenant theTenant, String name, Session session)
      throws RepositoryException {
    Group jackrabbitGroup = null;
    String roleId = name;
    String roleName = name;
    ITenant tenant = theTenant;

    if (tenant == null) {
      tenant = JcrTenantUtils.getTenant(roleName, false);
      roleName = JcrTenantUtils.getPrincipalName(roleName, false);
    }
    if (tenant == null || tenant.getId() == null) {
      tenant = JcrTenantUtils.getCurrentTenant();
    }
    if (tenant == null || tenant.getId() == null) {
      tenant = JcrTenantUtils.getDefaultTenant();
    }
    roleId = tenantedRoleNameUtils.getPrincipleId(tenant, roleName);

    UserManager userMgr = getUserManager(tenant, session);
    Authorizable authorizable = userMgr.getAuthorizable(roleId);
    if (authorizable instanceof Group) {
      jackrabbitGroup = (Group) authorizable;
    }
    return jackrabbitGroup;
  }
  /**
   * {@inheritDoc}
   *
   * @see
   *     org.sakaiproject.nakamura.api.search.SearchResultProcessor#writeNode(org.apache.sling.api.SlingHttpServletRequest,
   *     org.apache.sling.commons.json.io.JSONWriter,
   *     org.sakaiproject.nakamura.api.search.Aggregator, javax.jcr.query.Row)
   */
  public void writeNode(
      SlingHttpServletRequest request, JSONWriter write, Aggregator aggregator, Row row)
      throws JSONException, RepositoryException {

    write.object();
    Node node = row.getNode();
    write.key("jcr:created");
    write.value(node.getProperty("jcr:created").getString());
    String userID = node.getName();
    UserManager um = AccessControlUtil.getUserManager(node.getSession());
    Authorizable au = um.getAuthorizable(userID);
    if (au != null) {
      ValueMap map = profileService.getCompactProfileMap(au, node.getSession());
      ((ExtendedJSONWriter) write).valueMapInternals(map);
    }
    write.endObject();
  }
  @Test
  public void testRequestTrusted() throws RepositoryException {
    CreateSakaiUserServlet csus = new CreateSakaiUserServlet();

    JackrabbitSession session = createMock(JackrabbitSession.class);

    ResourceResolver rr = createMock(ResourceResolver.class);
    expect(rr.adaptTo(Session.class)).andReturn(session);

    SlingHttpServletRequest request = createMock(SlingHttpServletRequest.class);
    UserManager userManager = createMock(UserManager.class);
    User user = createMock(User.class);
    expect(request.getResourceResolver()).andReturn(rr).anyTimes();
    expect(rr.adaptTo(Session.class)).andReturn(session).anyTimes();

    expect(session.getUserManager()).andReturn(userManager);
    expect(session.getUserID()).andReturn("userID");
    expect(userManager.getAuthorizable("userID")).andReturn(user);
    expect(user.isAdmin()).andReturn(false);

    expect(request.getParameter(":create-auth")).andReturn("typeA");
    RequestTrustValidatorService requestTrustValidatorService =
        createMock(RequestTrustValidatorService.class);
    RequestTrustValidator requestTrustValidator = createMock(RequestTrustValidator.class);
    expect(requestTrustValidatorService.getValidator("typeA")).andReturn(requestTrustValidator);
    expect(requestTrustValidator.getLevel()).andReturn(RequestTrustValidator.CREATE_USER);
    expect(requestTrustValidator.isTrusted(request)).andReturn(true);

    expect(request.getParameter(SlingPostConstants.RP_NODE_NAME)).andReturn("foo");
    expect(request.getParameter("pwd")).andReturn("bar");
    expect(request.getParameter("pwdConfirm")).andReturn("baz");

    HtmlResponse response = new HtmlResponse();

    csus.requestTrustValidatorService = requestTrustValidatorService;
    replay();

    try {
      csus.handleOperation(request, response, null);
      fail();
    } catch (RepositoryException e) {
      assertEquals("Password value does not match the confirmation password", e.getMessage());
    }
    verify();
  }
 @Override
 protected TreeMap<String, Group> getGroups(Authorizable member, UserManager userManager)
     throws RepositoryException {
   TreeMap<String, Group> managedGroups = new TreeMap<String, Group>();
   Iterator<Group> allGroupsIter = member.memberOf();
   while (allGroupsIter.hasNext()) {
     Group group = allGroupsIter.next();
     if (group.hasProperty(UserConstants.PROP_MANAGED_GROUP)) {
       Value[] values = group.getProperty(UserConstants.PROP_MANAGED_GROUP);
       if ((values != null) && (values.length == 1)) {
         String managedGroupId = values[0].getString();
         Group managedGroup = (Group) userManager.getAuthorizable(managedGroupId);
         managedGroups.put(managedGroupId, managedGroup);
       }
     }
   }
   return managedGroups;
 }
  /*
   * (non-Javadoc)
   * @see
   * org.apache.sling.api.resource.ResourceProvider#getResource(org.apache
   * .sling.api.resource.ResourceResolver, java.lang.String)
   */
  public Resource getResource(ResourceResolver resourceResolver, String path) {

    // handle resources for the virtual container resources
    if (path.equals(SYSTEM_USER_MANAGER_PATH)) {
      return new SyntheticResource(resourceResolver, path, "sling/userManager");
    } else if (path.equals(SYSTEM_USER_MANAGER_USER_PATH)) {
      return new SyntheticResource(resourceResolver, path, "sling/users");
    } else if (path.equals(SYSTEM_USER_MANAGER_GROUP_PATH)) {
      return new SyntheticResource(resourceResolver, path, "sling/groups");
    }

    // the principalId should be the first segment after the prefix
    String pid = null;
    if (path.startsWith(SYSTEM_USER_MANAGER_USER_PREFIX)) {
      pid = path.substring(SYSTEM_USER_MANAGER_USER_PREFIX.length());
    } else if (path.startsWith(SYSTEM_USER_MANAGER_GROUP_PREFIX)) {
      pid = path.substring(SYSTEM_USER_MANAGER_GROUP_PREFIX.length());
    }

    if (pid != null) {
      if (pid.indexOf('/') != -1) {
        return null; // something bogus on the end of the path so bail
        // out now.
      }
      try {
        Session session = resourceResolver.adaptTo(Session.class);
        if (session != null) {
          UserManager userManager = AccessControlUtil.getUserManager(session);
          if (userManager != null) {
            Authorizable authorizable = userManager.getAuthorizable(pid);
            if (authorizable != null) {
              // found the Authorizable, so return the resource
              // that wraps it.
              return new SakaiAuthorizableResource(authorizable, resourceResolver, path);
            }
          }
        }
      } catch (RepositoryException re) {
        throw new SlingException("Error looking up Authorizable for principal: " + pid, re);
      }
    }
    return null;
  }
  /*
   * (non-Javadoc)
   * @see
   * org.apache.sling.jackrabbit.usermanager.post.AbstractAuthorizablePostServlet
   * #handleOperation(org.apache.sling.api.SlingHttpServletRequest,
   * org.apache.sling.api.servlets.HtmlResponse, java.util.List)
   */
  @Override
  protected void handleOperation(
      SlingHttpServletRequest request, HtmlResponse response, List<Modification> changes)
      throws RepositoryException {
    // make sure user self-registration is enabled
    if (!selfRegistrationEnabled) {
      throw new RepositoryException(
          "Sorry, registration of new users is not currently enabled.  Please try again later.");
    }

    Session session = request.getResourceResolver().adaptTo(Session.class);
    if (session == null) {
      throw new RepositoryException("JCR Session not found");
    }

    // check that the submitted parameter values have valid values.
    String principalName = request.getParameter(SlingPostConstants.RP_NODE_NAME);
    if (principalName == null) {
      throw new RepositoryException("User name was not submitted");
    }
    String pwd = request.getParameter("pwd");
    if (pwd == null) {
      throw new RepositoryException("Password was not submitted");
    }
    String pwdConfirm = request.getParameter("pwdConfirm");
    if (!pwd.equals(pwdConfirm)) {
      throw new RepositoryException("Password value does not match the confirmation password");
    }

    Session selfRegSession = null;
    try {
      selfRegSession = getSession();

      UserManager userManager = AccessControlUtil.getUserManager(selfRegSession);
      Authorizable authorizable = userManager.getAuthorizable(principalName);

      if (authorizable != null) {
        // user already exists!
        throw new RepositoryException(
            "A principal already exists with the requested name: " + principalName);
      } else {
        Map<String, RequestProperty> reqProperties = collectContent(request, response);

        User user = userManager.createUser(principalName, digestPassword(pwd));
        String userPath =
            AuthorizableResourceProvider.SYSTEM_USER_MANAGER_USER_PREFIX + user.getID();

        response.setPath(userPath);
        response.setLocation(externalizePath(request, userPath));
        response.setParentLocation(
            externalizePath(request, AuthorizableResourceProvider.SYSTEM_USER_MANAGER_USER_PATH));
        changes.add(Modification.onCreated(userPath));

        // write content from form
        writeContent(selfRegSession, user, reqProperties, changes);

        if (selfRegSession.hasPendingChanges()) {
          selfRegSession.save();
        }
      }
    } finally {
      ungetSession(selfRegSession);
    }
  }
  /*
   * (non-Javadoc)
   *
   * @seeorg.apache.sling.jackrabbit.usermanager.post.AbstractAuthorizablePostServlet#
   * handleOperation(org.apache.sling.api.SlingHttpServletRequest,
   * org.apache.sling.api.servlets.HtmlResponse, java.util.List)
   */
  @Override
  @edu.umd.cs.findbugs.annotations.SuppressWarnings(
      justification = "If there is an exception, the user is certainly not admin",
      value = {"REC_CATCH_EXCEPTION"})
  protected void handleOperation(
      SlingHttpServletRequest request, HtmlResponse response, List<Modification> changes)
      throws RepositoryException {

    // KERN-432 dont allow anon users to access create group.
    if (SecurityConstants.ANONYMOUS_ID.equals(request.getRemoteUser())) {
      response.setStatus(403, "AccessDenied");
    }

    // check that the submitted parameter values have valid values.
    final String principalName = request.getParameter(SlingPostConstants.RP_NODE_NAME);
    if (principalName == null) {
      throw new RepositoryException("Group name was not submitted");
    }

    NameSanitizer san = new NameSanitizer(principalName, false);
    san.validate();

    // check for allow create Group
    boolean allowCreateGroup = false;
    User currentUser = null;

    try {
      Session currentSession = request.getResourceResolver().adaptTo(Session.class);
      UserManager um = AccessControlUtil.getUserManager(currentSession);
      currentUser = (User) um.getAuthorizable(currentSession.getUserID());
      if (currentUser.isAdmin()) {
        LOGGER.debug("User is an admin ");
        allowCreateGroup = true;
      } else {
        LOGGER.debug("Checking for membership of one of {} ", Arrays.toString(authorizedGroups));
        PrincipalManager principalManager = AccessControlUtil.getPrincipalManager(currentSession);
        PrincipalIterator pi =
            principalManager.getGroupMembership(
                principalManager.getPrincipal(currentSession.getUserID()));
        Set<String> groups = new HashSet<String>();
        for (; pi.hasNext(); ) {
          groups.add(pi.nextPrincipal().getName());
        }

        for (String groupName : authorizedGroups) {
          if (groups.contains(groupName)) {
            allowCreateGroup = true;
            break;
          }

          // TODO: move this nasty hack into the PrincipalManager dynamic groups need to
          // be in the principal manager for this to work.
          if ("authenticated".equals(groupName)
              && !SecurityConstants.ADMIN_ID.equals(currentUser.getID())) {
            allowCreateGroup = true;
            break;
          }

          // just check via the user manager for dynamic resolution.
          Group group = (Group) um.getAuthorizable(groupName);
          LOGGER.debug("Checking for group  {} {} ", groupName, group);
          if (group != null && group.isMember(currentUser)) {
            allowCreateGroup = true;
            LOGGER.debug("User is a member  of {} {} ", groupName, group);
            break;
          }
        }
      }
    } catch (Exception ex) {
      LOGGER.warn(
          "Failed to determin if the user is an admin, assuming not. Cause: " + ex.getMessage());
      allowCreateGroup = false;
    }

    if (!allowCreateGroup) {
      LOGGER.debug("User is not allowed to create groups ");
      response.setStatus(HttpServletResponse.SC_FORBIDDEN, "User is not allowed to create groups");
      return;
    }

    Session session = getSession();

    try {
      UserManager userManager = AccessControlUtil.getUserManager(session);
      Authorizable authorizable = userManager.getAuthorizable(principalName);

      if (authorizable != null) {
        // principal already exists!
        throw new RepositoryException(
            "A principal already exists with the requested name: " + principalName);
      } else {

        Group group =
            userManager.createGroup(
                new Principal() {
                  public String getName() {
                    return principalName;
                  }
                });
        String groupPath =
            AuthorizableResourceProvider.SYSTEM_USER_MANAGER_GROUP_PREFIX + group.getID();
        Map<String, RequestProperty> reqProperties = collectContent(request, response, groupPath);

        response.setPath(groupPath);
        response.setLocation(externalizePath(request, groupPath));
        response.setParentLocation(
            externalizePath(request, AuthorizableResourceProvider.SYSTEM_USER_MANAGER_GROUP_PATH));
        changes.add(Modification.onCreated(groupPath));

        // It is not allowed to touch the rep:group-managers property directly.
        String key = SYSTEM_USER_MANAGER_GROUP_PREFIX + principalName + "/";
        reqProperties.remove(key + PROP_GROUP_MANAGERS);
        reqProperties.remove(key + PROP_GROUP_VIEWERS);

        // write content from form
        writeContent(session, group, reqProperties, changes);

        // update the group memberships, although this uses session from the request, it
        // only
        // does so for finding authorizables, so its ok that we are using an admin session
        // here.
        updateGroupMembership(request, group, changes);
        updateOwnership(request, group, new String[] {currentUser.getID()}, changes);

        sakaiAuthorizableService.postprocess(group, session);

        // Launch an OSGi event for creating a group.
        try {
          Dictionary<String, String> properties = new Hashtable<String, String>();
          properties.put(UserConstants.EVENT_PROP_USERID, principalName);
          EventUtils.sendOsgiEvent(properties, UserConstants.TOPIC_GROUP_CREATED, eventAdmin);
        } catch (Exception e) {
          // Trap all exception so we don't disrupt the normal behaviour.
          LOGGER.error("Failed to launch an OSGi event for creating a user.", e);
        }
      }
    } catch (RepositoryException re) {
      throw new RepositoryException("Failed to create new group.", re);
    } finally {
      ungetSession(session);
    }
  }