public void process(Authorizable authorizable, Session session, Modification change)
throws Exception {
LOGGER.debug("Starting MessageAuthorizablePostProcessor process");
if (authorizable != null && authorizable.getID() != null && !authorizable.isGroup()) {
PrincipalManager principalManager = AccessControlUtil.getPrincipalManager(session);
String path =
PersonalUtils.getHomeFolder(authorizable) + "/" + MessageConstants.FOLDER_MESSAGES;
LOGGER.debug("Getting/creating message store node: {}", path);
Node messageStore = JcrUtils.deepGetOrCreateNode(session, path);
messageStore.setProperty(
JcrResourceConstants.SLING_RESOURCE_TYPE_PROPERTY,
MessageConstants.SAKAI_MESSAGESTORE_RT);
// ACL's are managed by the Personal User Post processor.
Principal anon =
new Principal() {
public String getName() {
return UserConstants.ANON_USERID;
}
};
Principal everyone = principalManager.getEveryone();
// The user can do everything on this node.
replaceAccessControlEntry(
session, path, authorizable.getPrincipal(), new String[] {JCR_ALL}, null, null, null);
// explicitly deny anon and everyone, this is private space.
String[] deniedPrivs = new String[] {JCR_READ, JCR_WRITE};
replaceAccessControlEntry(session, path, anon, null, deniedPrivs, null, null);
replaceAccessControlEntry(session, path, everyone, null, deniedPrivs, null, null);
}
}
@Override
public void activate() throws Exception {
String listGroup = getProperties().get(PROP_LIST, String.class);
if (listGroup.equals(PROP_LIST_OPTION1)) {
UserManager userManager = getResourceResolver().adaptTo(UserManager.class);
Authorizable opsBluPrintUser = userManager.getAuthorizable(getRequest().getUserPrincipal());
Iterator<Group> groups = opsBluPrintUser.memberOf();
for (; groups.hasNext(); ) {
String groupName = groups.next().getPrincipal().getName();
if ((groupName.equals(MAKER_GROUP))
|| (groupName.equals(CHECKER_GROUP))
|| (groupName.equals(READER_GROUP))) {
hiddenFieldValue = groupName;
}
}
} else if (listGroup.equals(PROP_LIST_OPTION2)) {
hiddenFieldValue = getRequest().getUserPrincipal().getName();
} else if (listGroup.equals(PROP_LIST_OPTION3)) {
// to be added
} else if (listGroup.equals(PROP_LIST_OPTION4)) {
hiddenFieldValue = getProperties().get(STATIC_VALUE, String.class);
}
}
private void applyJsonToAuthorizable(URL url, Authorizable authorizable, Session session)
throws IOException, RepositoryException {
String jsonString = IOUtils.readFully(url.openStream(), "UTF-8");
if (jsonString != null) {
Map<String, Object[]> postprocessParameters = new HashMap<String, Object[]>();
try {
JSONObject jsonObject = new JSONObject(jsonString);
Iterator<String> keys = jsonObject.keys();
while (keys.hasNext()) {
String key = keys.next();
Object jsonValue = jsonObject.get(key);
if (key.startsWith(SlingPostConstants.RP_PREFIX)) {
postprocessParameters.put(key, new Object[] {jsonValue});
} else {
Value value = JcrResourceUtil.createValue(jsonValue, session);
authorizable.setProperty(key, value);
}
}
} catch (JSONException e) {
LOGGER.error("Faulty JSON at " + url, e);
}
try {
authorizablePostProcessService.process(
authorizable, session, ModificationType.CREATE, postprocessParameters);
} catch (Exception e) {
LOGGER.error("Could not configure default authorizable " + authorizable.getID(), e);
}
}
}
public Resource next() {
Principal nextPrincipal = principals.nextPrincipal();
try {
ResourceResolver resourceResolver = parent.getResourceResolver();
if (resourceResolver != null) {
Session session = resourceResolver.adaptTo(Session.class);
if (session != null) {
UserManager userManager = AccessControlUtil.getUserManager(session);
if (userManager != null) {
Authorizable authorizable = userManager.getAuthorizable(nextPrincipal.getName());
if (authorizable != null) {
String path;
if (authorizable.isGroup()) {
path = SYSTEM_USER_MANAGER_GROUP_PREFIX + nextPrincipal.getName();
} else {
path = SYSTEM_USER_MANAGER_USER_PREFIX + nextPrincipal.getName();
}
return new SakaiAuthorizableResource(authorizable, resourceResolver, path);
}
}
}
}
} catch (RepositoryException re) {
log.error("Exception while looking up authorizable resource.", re);
}
return null;
}
/**
* KERN-1026 changed the results of this to be the authz's that are members of the managers group
* associated to a group rather than the group managers associated to the group.
*
* <p><del>Get the managers for a group. These should be stored in the {@link
* UserConstants#PROP_GROUP_MANAGERS}.</del>
*
* @param request
* @param group
* @param writer
* @throws RepositoryException
* @throws JSONException
*/
protected TreeMap<String, Authorizable> getManagers(
SlingHttpServletRequest request, Group group, Comparator<String> comparator)
throws RepositoryException, JSONException {
TreeMap<String, Authorizable> map = new TreeMap<String, Authorizable>(comparator);
// KERN-949 will probably change this.
// note above was made before this was changed to retrieving members of the managers
// group and may not apply.
Session session = request.getResourceResolver().adaptTo(Session.class);
UserManager um = AccessControlUtil.getUserManager(session);
Value[] managersGroup = group.getProperty(UserConstants.PROP_MANAGERS_GROUP);
if (managersGroup != null && managersGroup.length == 1) {
String mgrGroupName = managersGroup[0].getString();
Group mgrGroup = (Group) um.getAuthorizable(mgrGroupName);
Iterator<Authorizable> members = mgrGroup.getMembers();
while (members.hasNext()) {
Authorizable member = members.next();
String prinName = member.getPrincipal().getName();
Authorizable mau = um.getAuthorizable(prinName);
String name = getName(mau);
map.put(name, mau);
}
}
return map;
}
/**
* {@inheritDoc}
*
* @see java.lang.Object#equals(java.lang.Object)
*/
@Override
public boolean equals(Object obj) {
if (obj instanceof Membership) {
Membership m = (Membership) obj;
if (parent == null) {
if (m.getParent() == null) {
return true;
} else {
return false;
}
} else {
return (parent.equals(m.getParent())) && member.equals(m.getMember());
}
}
return super.equals(obj);
}
/**
* Get's the name for an authorizable on what the list should be sorted. sakai:group-title for
* Groups, lastName for Users.
*
* @param member The authorizable to get a name for.
* @return The name.
* @throws RepositoryException
*/
private String getName(Authorizable member) throws RepositoryException {
String name = member.getID();
if (member.isGroup()) {
Value[] values = member.getProperty("sakai:group-title");
if (values != null && values.length != 0) {
name = values[0].getString();
}
} else {
Value[] values = member.getProperty("lastName");
if (values != null && values.length != 0) {
name = values[0].getString();
}
}
// We need to add the ID to keep the keys unique.
return name + member.getID();
}
@Test
public void testGetEmailAddrs_User() throws Exception {
String userPath = "/home/users/a/admin";
MockValue[] emailVal = new MockValue[] {new MockValue("*****@*****.**")};
ResourceResolver resolver = mock(ResourceResolver.class);
Resource userRes = mock(Resource.class);
Authorizable adminUser = mock(Authorizable.class);
when(resolver.getResource(userPath)).thenReturn(userRes);
when(userRes.adaptTo(Authorizable.class)).thenReturn(adminUser);
when(adminUser.isGroup()).thenReturn(false);
when(adminUser.hasProperty(PN_EMAIL)).thenReturn(true);
when(adminUser.getProperty(PN_EMAIL)).thenReturn(emailVal);
String[] emails = SendTemplatedEmailUtils.getEmailAddrsFromUserPath(resolver, userPath);
assertEquals(1, emails.length);
assertEquals("*****@*****.**", emails[0]);
}
protected void addMember(
Session session, String filePath, Authorizable authorizable, String memberType)
throws RepositoryException {
Principal principal = authorizable.getPrincipal();
// Add (or re-use) a members node for the new viewer or manager.
String memberPath = getMemberNodePath(filePath, authorizable);
Node memberNode = JcrUtils.deepGetOrCreateNode(session, memberPath);
memberNode.setProperty(SLING_RESOURCE_TYPE_PROPERTY, POOLED_CONTENT_USER_RT);
memberNode.setProperty(memberType, new String[] {principal.getName()});
// Update the member's access to the pooled content.
refreshMemberAccess(session, filePath, principal, memberNode);
}
@Override
protected TreeMap<String, Group> getGroups(Authorizable member, UserManager userManager)
throws RepositoryException {
TreeMap<String, Group> managedGroups = new TreeMap<String, Group>();
Iterator<Group> allGroupsIter = member.memberOf();
while (allGroupsIter.hasNext()) {
Group group = allGroupsIter.next();
if (group.hasProperty(UserConstants.PROP_MANAGED_GROUP)) {
Value[] values = group.getProperty(UserConstants.PROP_MANAGED_GROUP);
if ((values != null) && (values.length == 1)) {
String managedGroupId = values[0].getString();
Group managedGroup = (Group) userManager.getAuthorizable(managedGroupId);
managedGroups.put(managedGroupId, managedGroup);
}
}
}
return managedGroups;
}
/**
* Remove a User or Group from the list of viewers or the list of managers. Currently, the node
* which points to the user/group remains in place, and only the specified membership property is
* deleted. Note that a single user/group can be on both lists, and so their access rights might
* not actually change as a result of being removed from a single list.
*
* @param session
* @param filePath
* @param authorizable
* @param memberType
* @throws RepositoryException
*/
protected void removeMember(
Session session, String filePath, Authorizable authorizable, String memberType)
throws RepositoryException {
String memberPath = getMemberNodePath(filePath, authorizable);
// Is there actually such a member?
if (session.itemExists(memberPath)) {
Node memberNode = session.getNode(memberPath);
if (memberNode.hasProperty(memberType)) {
// Remove the property.
memberNode.setProperty(memberType, (Value[]) null);
// Update ACEs that refer to this member.
Principal principal = authorizable.getPrincipal();
refreshMemberAccess(session, filePath, principal, memberNode);
}
}
}
@Test
public void testGetEmailAddrs_Group() throws Exception {
// mock group and users
String groupPath = "/home/users/g/group";
List<Authorizable> groupMembers = new ArrayList<Authorizable>();
Authorizable user1 = mock(Authorizable.class);
Authorizable user2 = mock(Authorizable.class);
when(user1.hasProperty(PN_EMAIL)).thenReturn(true);
when(user1.getProperty(PN_EMAIL))
.thenReturn(new MockValue[] {new MockValue("*****@*****.**")});
when(user2.hasProperty(PN_EMAIL)).thenReturn(true);
when(user2.getProperty(PN_EMAIL))
.thenReturn(new MockValue[] {new MockValue("*****@*****.**")});
groupMembers.add(user1);
groupMembers.add(user2);
ResourceResolver resolver = mock(ResourceResolver.class);
Resource groupRes = mock(Resource.class);
Authorizable groupAuth = mock(Authorizable.class);
Group userGroup = mock(Group.class);
when(resolver.getResource(groupPath)).thenReturn(groupRes);
when(groupRes.adaptTo(Authorizable.class)).thenReturn(groupAuth);
when(groupAuth.isGroup()).thenReturn(true);
when(groupRes.adaptTo(Group.class)).thenReturn(userGroup);
when(userGroup.getMembers()).thenReturn(groupMembers.iterator());
String[] emails = SendTemplatedEmailUtils.getEmailAddrsFromUserPath(resolver, groupPath);
assertEquals(2, emails.length);
assertEquals("*****@*****.**", emails[0]);
assertEquals("*****@*****.**", emails[1]);
}
/**
* Add an ACL entry at a path for the authorizable.
*
* @param path
* @param authorizable
* @param session
* @param writePrivilageGranted
* @throws RepositoryException
*/
public static void addEntry(
String path, Authorizable authorizable, Session session, String... privilegeSpec)
throws RepositoryException {
String principalName = authorizable.getPrincipal().getName();
List<String> grantedPrivilegeNames = new ArrayList<String>();
List<String> deniedPrivilegeNames = new ArrayList<String>();
for (String spec : privilegeSpec) {
if (spec.startsWith(GRANTED)) {
grantedPrivilegeNames.add(spec.substring(GRANTED.length()));
} else if (spec.startsWith(DENIED)) {
deniedPrivilegeNames.add(spec.substring(DENIED.length()));
}
}
AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
AccessControlList updatedAcl = null;
AccessControlPolicyIterator applicablePolicies =
accessControlManager.getApplicablePolicies(path);
while (applicablePolicies.hasNext()) {
AccessControlPolicy policy = applicablePolicies.nextAccessControlPolicy();
if (policy instanceof AccessControlList) {
updatedAcl = (AccessControlList) policy;
break;
}
}
if (updatedAcl == null) {
throw new RepositoryException("Unable to find an access conrol policy to update.");
}
StringBuilder oldPrivileges = null;
StringBuilder newPrivileges = null;
if (LOGGER.isInfoEnabled()) {
oldPrivileges = new StringBuilder();
newPrivileges = new StringBuilder();
}
// keep track of the existing Aces for the target principal
AccessControlEntry[] accessControlEntries = updatedAcl.getAccessControlEntries();
List<AccessControlEntry> oldAces = new ArrayList<AccessControlEntry>();
for (AccessControlEntry ace : accessControlEntries) {
if (principalName.equals(ace.getPrincipal().getName())) {
if (LOGGER.isInfoEnabled()) {
LOGGER.info(
"Found Existing ACE for principal {} on resource: ",
new Object[] {principalName, path});
}
oldAces.add(ace);
if (LOGGER.isInfoEnabled()) {
// collect the information for debug logging
boolean isAllow = AccessControlUtil.isAllow(ace);
Privilege[] privileges = ace.getPrivileges();
for (Privilege privilege : privileges) {
if (oldPrivileges.length() > 0) {
oldPrivileges.append(", "); // separate entries by commas
}
if (isAllow) {
oldPrivileges.append("granted=");
} else {
oldPrivileges.append("denied=");
}
oldPrivileges.append(privilege.getName());
}
}
}
}
// remove the old aces
if (!oldAces.isEmpty()) {
for (AccessControlEntry ace : oldAces) {
updatedAcl.removeAccessControlEntry(ace);
}
}
// add a fresh ACE with the granted privileges
List<Privilege> grantedPrivilegeList = new ArrayList<Privilege>();
for (String name : grantedPrivilegeNames) {
if (name.length() == 0) {
continue; // empty, skip it.
}
Privilege privilege = accessControlManager.privilegeFromName(name);
grantedPrivilegeList.add(privilege);
if (LOGGER.isInfoEnabled()) {
if (newPrivileges.length() > 0) {
newPrivileges.append(", "); // separate entries by commas
}
newPrivileges.append("granted=");
newPrivileges.append(privilege.getName());
}
}
if (grantedPrivilegeList.size() > 0) {
Principal principal = authorizable.getPrincipal();
updatedAcl.addAccessControlEntry(
principal, grantedPrivilegeList.toArray(new Privilege[grantedPrivilegeList.size()]));
}
// add a fresh ACE with the denied privileges
List<Privilege> deniedPrivilegeList = new ArrayList<Privilege>();
for (String name : deniedPrivilegeNames) {
if (name.length() == 0) {
continue; // empty, skip it.
}
Privilege privilege = accessControlManager.privilegeFromName(name);
deniedPrivilegeList.add(privilege);
if (LOGGER.isInfoEnabled()) {
if (newPrivileges.length() > 0) {
newPrivileges.append(", "); // separate entries by commas
}
newPrivileges.append("denied=");
newPrivileges.append(privilege.getName());
}
}
if (deniedPrivilegeList.size() > 0) {
Principal principal = authorizable.getPrincipal();
AccessControlUtil.addEntry(
updatedAcl,
principal,
deniedPrivilegeList.toArray(new Privilege[deniedPrivilegeList.size()]),
false);
}
accessControlManager.setPolicy(path, updatedAcl);
if (LOGGER.isInfoEnabled()) {
LOGGER.info(
"Updated ACE for principalId {} for resource {} from {} to {}",
new Object[] {
authorizable.getID(), path, oldPrivileges.toString(), newPrivileges.toString()
});
}
}
/**
* {@inheritDoc}
*
* @see java.lang.Object#hashCode()
*/
@Override
public int hashCode() {
return parent.hashCode() + member.hashCode();
}
/**
* {@inheritDoc}
*
* @see
* org.apache.sling.api.servlets.SlingSafeMethodsServlet#doGet(org.apache.sling.api.SlingHttpServletRequest,
* org.apache.sling.api.SlingHttpServletResponse)
*/
@Override
protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
throws ServletException, IOException {
Authorizable authorizable = null;
Resource resource = request.getResource();
if (resource != null) {
authorizable = resource.adaptTo(Authorizable.class);
}
if (authorizable == null || !authorizable.isGroup()) {
response.sendError(HttpServletResponse.SC_NO_CONTENT, "Couldn't find group");
return;
}
Group group = (Group) authorizable;
List<String> selectors = Arrays.asList(request.getRequestPathInfo().getSelectors());
ExtendedJSONWriter writer = new ExtendedJSONWriter(response.getWriter());
writer.setTidy(selectors.contains("tidy"));
// Get the sorting order, default is ascending or the natural sorting order (which is
// null for a TreeMap.)
Comparator<String> comparator = null;
String order = "ascending";
if (request.getRequestParameter("sortOrder") != null) {
order = request.getRequestParameter("sortOrder").getString();
if (order.equals("descending")) {
comparator = Collections.reverseOrder();
}
}
try {
response.setContentType("application/json");
TreeMap<String, Authorizable> map = null;
if (selectors.contains("managers")) {
map = getManagers(request, group, comparator);
} else {
// Members is the default.
map = getMembers(request, group, comparator);
}
// Do some paging.
long items =
(request.getParameter(ITEMS) != null) ? Long.parseLong(request.getParameter(ITEMS)) : 25;
long page =
(request.getParameter(PAGE) != null) ? Long.parseLong(request.getParameter(PAGE)) : 0;
if (page < 0) {
page = 0;
}
if (items < 0) {
items = 25;
}
Iterator<Entry<String, Authorizable>> iterator =
getInPlaceIterator(request, map, items, page);
// Write the whole lot out.
Session session = request.getResourceResolver().adaptTo(Session.class);
writer.array();
int i = 0;
while (iterator.hasNext() && i < items) {
Entry<String, Authorizable> entry = iterator.next();
Authorizable au = entry.getValue();
ValueMap profile;
if (selectors.contains("detailed")) {
profile = profileService.getProfileMap(au, session);
} else {
profile = profileService.getCompactProfileMap(au, session);
}
if (profile != null) {
writer.valueMap(profile);
i++;
} else {
// profile wasn't found. safe to ignore and not include the group
logger.info("Profile not found for " + au.getID());
}
}
writer.endArray();
} catch (RepositoryException e) {
response.sendError(
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to retrieve members/managers.");
return;
} catch (JSONException e) {
response.sendError(
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to build a proper JSON output.");
return;
}
}
public void setRoleMembers(
Session session,
final ITenant theTenant,
final String roleName,
final String[] memberUserNames)
throws RepositoryException, NotFoundException {
List<IPentahoUser> currentRoleMembers = getRoleMembers(session, theTenant, roleName);
if (tenantAdminRoleName.equals(roleName)
&& (currentRoleMembers != null && currentRoleMembers.size() > 0)
&& memberUserNames.length == 0) {
throw new RepositoryException(
Messages.getInstance()
.getString(
"AbstractJcrBackedUserRoleDao.ERROR_0001_LAST_ADMIN_ROLE", tenantAdminRoleName));
}
Group jackrabbitGroup = getJackrabbitGroup(theTenant, roleName, session);
if ((jackrabbitGroup == null)
|| !TenantUtils.isAccessibleTenant(
theTenant == null
? tenantedRoleNameUtils.getTenant(jackrabbitGroup.getID())
: theTenant)) {
throw new NotFoundException(
Messages.getInstance()
.getString("AbstractJcrBackedUserRoleDao.ERROR_0002_ROLE_NOT_FOUND"));
}
HashMap<String, User> currentlyAssignedUsers = new HashMap<String, User>();
Iterator<Authorizable> currentMembers = jackrabbitGroup.getMembers();
while (currentMembers.hasNext()) {
Authorizable member = currentMembers.next();
if (member instanceof User) {
currentlyAssignedUsers.put(member.getID(), (User) member);
}
}
HashMap<String, User> finalCollectionOfAssignedUsers = new HashMap<String, User>();
if (memberUserNames != null) {
ITenant tenant = theTenant == null ? JcrTenantUtils.getTenant(roleName, false) : theTenant;
for (String user : memberUserNames) {
User jackrabbitUser = getJackrabbitUser(tenant, user, session);
if (jackrabbitUser != null) {
finalCollectionOfAssignedUsers.put(
tenantedRoleNameUtils.getPrincipleId(tenant, user), jackrabbitUser);
}
}
}
ArrayList<String> usersToRemove = new ArrayList<String>(currentlyAssignedUsers.keySet());
usersToRemove.removeAll(finalCollectionOfAssignedUsers.keySet());
ArrayList<String> usersToAdd = new ArrayList<String>(finalCollectionOfAssignedUsers.keySet());
usersToAdd.removeAll(currentlyAssignedUsers.keySet());
for (String userId : usersToRemove) {
jackrabbitGroup.removeMember(currentlyAssignedUsers.get(userId));
}
for (String userId : usersToAdd) {
jackrabbitGroup.addMember(finalCollectionOfAssignedUsers.get(userId));
// Purge the UserDetails cache
purgeUserFromCache(userId);
}
}
