public void testAddAccessControlEntry() throws NotExecutableException, RepositoryException {
    // Checks that an entry added for testPrincipal is reported back by the list with the same
    // principal name and exactly the requested privileges.
    checkCanModifyAc(path);

    Privilege[] requested = new Privilege[] {privs[0]};
    AccessControlList policy = getList(acMgr, path);

    // addAccessControlEntry returning false leaves nothing to verify, so the test is
    // reported as not executable rather than failed.
    if (!policy.addAccessControlEntry(testPrincipal, requested)) {
      throw new NotExecutableException();
    }

    // No early exit: when several entries match, the last match is the one asserted on.
    AccessControlEntry added = null;
    for (AccessControlEntry candidate : policy.getAccessControlEntries()) {
      boolean samePrincipal = candidate.getPrincipal().equals(testPrincipal);
      if (samePrincipal
          && Arrays.asList(requested).equals(Arrays.asList(candidate.getPrivileges()))) {
        added = candidate;
      }
    }
    if (added == null) {
      // The list accepted the entry but does not expose it in this exact form.
      throw new NotExecutableException();
    }

    String expectedName = testPrincipal.getName();
    String actualName = added.getPrincipal().getName();
    assertEquals(
        "Principal name of the ACE must be equal to the name of the passed Principal",
        expectedName,
        actualName);
    assertEquals(
        "Privileges of the ACE must be equal to the passed ones",
        Arrays.asList(requested),
        Arrays.asList(added.getPrivileges()));
  }
 /**
  * Removes the entries the test principal holds in the list at {@code path}, re-adds the
  * privileges recorded in {@code privilegesToRestore}, and then runs the superclass tear-down.
  *
  * <p>Any exception raised during the cleanup is logged and not rethrown, so the superclass
  * tear-down still runs.
  */
 protected void tearDown() throws Exception {
   try {
     AccessControlList acl = getList(acMgr, path);

     // Iterate over the array obtained before any removal, so removing entries from the
     // list does not disturb the loop.
     for (AccessControlEntry candidate : acl.getAccessControlEntries()) {
       if (testPrincipal.equals(candidate.getPrincipal())) {
         acl.removeAccessControlEntry(candidate);
       }
     }

     boolean hasSavedPrivileges = !privilegesToRestore.isEmpty();
     if (hasSavedPrivileges) {
       Privilege[] saved =
           (Privilege[]) privilegesToRestore.toArray(new Privilege[privilegesToRestore.size()]);
       acl.addAccessControlEntry(testPrincipal, saved);
     }

     // NOTE(review): the list is written back only when it still holds entries and a policy
     // is already bound at the path. If the cleanup leaves the list empty, nothing is
     // persisted here - confirm that entries saved by a test cannot outlive it in that case.
     boolean listHasEntries = acl.getAccessControlEntries().length > 0;
     if (listHasEntries && acMgr.getPolicies(path).length > 0) {
       acMgr.setPolicy(path, acl);
       superuser.save();
     }
   } catch (Exception e) {
     // Best-effort cleanup: a failure is logged, never propagated.
     log.warn("Unexpected error while removing test entries.", e);
   }
   super.tearDown();
 }
 /**
  * Adds ACE so that everyone can read access control. This allows Jackrabbit's default collectAcls
  * to work without change. Otherwise, you have to be an admin to call acMgr.getEffectivePolicies.
  */
 protected void updateRootAcl(SessionImpl systemSession, ACLEditor editor)
     throws RepositoryException {
   final String rootPath = session.getRootNode().getPath();
   final AccessControlPolicy[] rootPolicies = editor.getPolicies(rootPath);
   if (rootPolicies.length == 0) {
     // No policy is bound at the root, so nothing is changed.
     return;
   }

   // The principal manager comes from systemSession, while the access control manager and the
   // final save() use the 'session' field.
   PrincipalManager principals = systemSession.getPrincipalManager();
   AccessControlManager acMgr = session.getAccessControlManager();
   Principal everyone = principals.getEveryone();

   // Security-relevant: jcr:readAccessControl is granted to 'everyone' on the root node, so
   // access control content becomes readable without admin rights.
   // NOTE(review): confirm this disclosure is acceptable for the deployment, including for
   // anonymous sessions if they are members of 'everyone'.
   Privilege[] grantedToEveryone =
       new Privilege[] {
         acMgr.privilegeFromName(Privilege.JCR_READ),
         acMgr.privilegeFromName(Privilege.JCR_READ_ACCESS_CONTROL)
       };

   // NOTE(review): unchecked cast - a first policy that is not an AccessControlList fails
   // here with ClassCastException.
   AccessControlList rootAcl = (AccessControlList) rootPolicies[0];

   // Replace, rather than extend, whatever 'everyone' held before. All existing entries for
   // that principal are dropped first.
   for (AccessControlEntry existing : rootAcl.getAccessControlEntries()) {
     boolean belongsToEveryone = existing.getPrincipal().equals(everyone);
     if (belongsToEveryone) {
       rootAcl.removeAccessControlEntry(existing);
     }
   }
   rootAcl.addAccessControlEntry(everyone, grantedToEveryone);

   editor.setPolicy(rootPath, rootAcl);
   session.save();
 }
  /**
   * Converts a JCR access control entry into a {@link RepositoryFileAce}.
   *
   * <p>A principal that is an instance of {@code Group} is mapped to a ROLE sid; every other
   * principal is mapped to a USER sid. The entry's privileges are translated by a {@link
   * DefaultPermissionConversionHelper} created for the given session.
   *
   * @param session session passed to the permission conversion helper
   * @param acEntry entry to convert
   * @return the converted entry
   * @throws RepositoryException declared for repository failures raised by the calls made here
   */
  protected RepositoryFileAce toAce(final Session session, final AccessControlEntry acEntry)
      throws RepositoryException {
    final Principal principal = acEntry.getPrincipal();
    final String name = principal.getName();
    final DefaultPermissionConversionHelper permissionConversionHelper =
        new DefaultPermissionConversionHelper(session);

    // The sid type is decided purely by the runtime class of the principal; anything that is
    // not a Group is treated as a user.
    final boolean isRole = principal instanceof Group;
    final RepositoryFileSid sid =
        isRole
            ? new RepositoryFileSid(
                JcrTenantUtils.getRoleNameUtils().getPrincipleName(name),
                RepositoryFileSid.Type.ROLE)
            : new RepositoryFileSid(
                JcrTenantUtils.getUserNameUtils().getPrincipleName(name),
                RepositoryFileSid.Type.USER);

    logger.debug(
        String.format("principal class [%s]", principal.getClass().getName())); // $NON-NLS-1$

    final Privilege[] granted = acEntry.getPrivileges();
    return new RepositoryFileAce(
        sid, permissionConversionHelper.privilegesToPentahoPermissions(session, granted));
  }
  /**
   * Returns the privileges listed for the item at path {@code s}.
   *
   * <p>The result is the union of the privileges of all entries in the {@code
   * RegistryAccessControlList} stored for the path. Policies of any other type contribute
   * nothing. For a session that {@code isSessionReadOnly} reports as read-only, {@code jcr:read}
   * is added to the result even when no stored entry lists it.
   *
   * @param s path of the item
   * @return the collected privileges, or an empty array when there are none
   * @throws PathNotFoundException if the path resolves to a property
   * @throws RepositoryException if the item lookup or a privilege lookup fails
   */
  public Privilege[] getPrivileges(String s) throws RepositoryException {
    if (registrySession.getItem(s) instanceof Property) {
      throw new PathNotFoundException("No privilages can be added for Properties");
    }

    final Set<Privilege> collected = new HashSet<Privilege>();
    final Object policy = accessCtrlPolicies.get(s);

    if (policy instanceof RegistryAccessControlList) {
      final AccessControlEntry[] aces =
          ((RegistryAccessControlList) policy).getAccessControlEntries();
      for (AccessControlEntry ace : aces) {
        // Null slots in the entry array are skipped.
        if (ace == null) {
          continue;
        }
        collected.addAll(Arrays.asList(ace.getPrivileges()));
      }
    } else {
      // TODO check how to apply NamedAccessControlPolicy
    }

    // Read-only session must have READ privilege on test node
    // NOTE(review): this grant is synthesised from the user id alone, so the reported set can
    // exceed what the stored policy lists - confirm callers do not treat the result as the
    // stored ACL.
    if (RegistryJCRSpecificStandardLoderUtil.isSessionReadOnly(registrySession.getUserID())) {
      final Privilege read = privilegeRegistry.getPrivilegeFromName(Privilege.JCR_READ);
      if (!collected.contains(read)) {
        collected.add(read);
      }
    }

    // An empty set yields a zero-length array, so no separate empty case is needed.
    return collected.toArray(new Privilege[collected.size()]);
  }
 /**
  * Searches access control entry for given principal inside given entry set.
  *
  * @param entries the set of entries
  * @param principal the name of the principal
  * @return access control entry.
  * @throws RemoteException if there is a problem using the repository
  */
 private AccessControlEntry find(AccessControlEntry[] entries, String principal)
     throws RemoteException {
   // The first entry whose principal name matches is returned; later entries for the same
   // name are never examined.
   for (int idx = 0; idx < entries.length; idx++) {
     AccessControlEntry candidate = entries[idx];
     String holder = candidate.getPrincipal().getName();
     if (holder.equals(principal)) {
       return candidate;
     }
   }
   // NOTE(review): this message is also what a caller sees when the list exists but simply
   // has no entry for the principal.
   throw new RemoteException("Access list has been deleted");
 }
 /**
  * Collects the privileges of every entry in {@code acl} whose principal equals {@code
  * principal}.
  *
  * <p>Privileges are appended in entry order and duplicates are kept. Only the principal and
  * the privilege array of each entry are read; no other entry attribute is consulted.
  *
  * @param acl list to read
  * @param principal principal whose entries are wanted
  * @return a new mutable list, empty when no entry matches
  * @throws RepositoryException if the entries cannot be read
  */
 private static List<Privilege> currentPrivileges(AccessControlList acl, Principal principal)
     throws RepositoryException {
   List<Privilege> granted = new ArrayList<Privilege>();
   for (AccessControlEntry candidate : acl.getAccessControlEntries()) {
     if (!principal.equals(candidate.getPrincipal())) {
       continue;
     }
     for (Privilege privilege : candidate.getPrivileges()) {
       granted.add(privilege);
     }
   }
   return granted;
 }
  /**
   * Builds the {@link RepositoryFileAcl} for the node identified by {@code id}.
   *
   * <p>The owner and the inheritance flag come from {@code getOwner} and {@code
   * isEntriesInheriting}. Entries are taken from the node's access control list after {@code
   * removeAclMetadata}. Entries whose principal equals the tenant admin role are left out of the
   * result, so the returned ACL does not show that grant. The underlying JCR policy is not
   * modified here.
   *
   * @param session session used for all repository access
   * @param pentahoJcrConstants not read in this method
   * @param id node identifier; its {@code toString()} form is used for the lookup
   * @return the assembled ACL
   * @throws RepositoryException if the node is reported missing or repository access fails
   */
  private RepositoryFileAcl toAcl(
      final Session session, final PentahoJcrConstants pentahoJcrConstants, final Serializable id)
      throws RepositoryException {

    final Node target = session.getNodeByIdentifier(id.toString());
    // NOTE(review): JCR implementations normally signal a missing node with an exception
    // rather than null - confirm this branch is reachable.
    if (target == null) {
      throw new RepositoryException(
          Messages.getInstance()
              .getString(
                  "JackrabbitRepositoryFileAclDao.ERROR_0001_NODE_NOT_FOUND",
                  id.toString())); // $NON-NLS-1$
    }

    final String absPath = target.getPath();
    final AccessControlManager acMgr = session.getAccessControlManager();
    final AccessControlList acList = getAccessControlList(acMgr, absPath);

    // for now, just assume all owners are users; only has UI impact
    final String ownerString = getOwner(session, absPath, acList);
    final RepositoryFileSid owner =
        ownerString == null
            ? null
            : new RepositoryFileSid(
                JcrTenantUtils.getUserNameUtils().getPrincipleName(ownerString),
                RepositoryFileSid.Type.USER);

    final RepositoryFileAcl.Builder aclBuilder = new RepositoryFileAcl.Builder(id, owner);
    aclBuilder.entriesInheriting(isEntriesInheriting(session, absPath, acList));

    final List<AccessControlEntry> visibleEntries =
        JcrRepositoryFileAclUtils.removeAclMetadata(
            Arrays.asList(acList.getAccessControlEntries()));

    for (AccessControlEntry acEntry : visibleEntries) {
      // The tenant admin role principal is rebuilt for every comparison.
      final boolean isTenantAdminEntry =
          acEntry
              .getPrincipal()
              .equals(
                  new SpringSecurityRolePrincipal(
                      JcrTenantUtils.getTenantedRole(tenantAdminAuthorityName)));
      if (isTenantAdminEntry) {
        // Hidden from callers of this method; the grant itself stays in the JCR list.
        continue;
      }
      aclBuilder.ace(toAce(session, acEntry));
    }
    return aclBuilder.build();
  }
  /**
   * Produces the {@link JcrAccessControlList} for a node.
   *
   * <p>When {@code findAccessList} returns {@code null}, the default instance is returned.
   * Otherwise a new list is created and one {@link JcrPolicy} is built per access control entry,
   * holding the principal name and one {@link JcrPermission} per privilege name.
   *
   * @param acm access control manager passed to {@code findAccessList}
   * @param node node whose access list is wanted
   * @return the default instance or the newly created list
   * @throws RepositoryException if the access list or its entries cannot be read
   */
  private JcrAccessControlList getAccessList(AccessControlManager acm, Node node)
      throws RepositoryException {
    final AccessControlList source = findAccessList(acm, node);
    if (source == null) {
      return JcrAccessControlList.defaultInstance();
    }

    final JcrAccessControlList result = new JcrAccessControlList();

    // NOTE(review): no statement in this method attaches a built JcrPolicy to 'result', so the
    // returned list appears to carry none of the node's entries. An ACL view that looks empty
    // while the repository enforces entries misleads whoever reviews permissions - confirm and
    // add each policy to the list with the list's own adder.
    final AccessControlEntry[] sourceEntries = source.getAccessControlEntries();
    for (int i = 0; i < sourceEntries.length; i++) {
      final AccessControlEntry sourceEntry = sourceEntries[i];
      final JcrPolicy policy = new JcrPolicy();
      policy.setPrincipal(sourceEntry.getPrincipal().getName());
      for (Privilege privilege : sourceEntry.getPrivileges()) {
        policy.add(new JcrPermission(privilege.getName()));
      }
    }
    return result;
  }