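@Override
protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
    throws ServletException, IOException {
  // Adds the user named by the request to the site's member group (the second entry of the
  // site node's "sakai:authorizables" property), provided siteJoinIsAuthorized(request) agrees.
  // Sends 403 when not authorized, 404 when the user or group cannot be resolved, and a
  // generic 500 on any other failure (details go to the log, not to the client).
  String paramUser = request.getParameter(SiteService.SiteEvent.USER);
  logger.info("Request to add user " + paramUser);
  String paramGroup = "";
  Session session = null;
  try {
    Node requestedNode = request.getResource().adaptTo(Node.class);
    Value[] authorizables = requestedNode.getProperty("sakai:authorizables").getValues();
    // The member group is expected at index 1; guard the index instead of letting an
    // ArrayIndexOutOfBoundsException surface as a 500 with an opaque message.
    if (authorizables.length < 2) {
      response.sendError(500, "Site node does not carry the expected authorizables.");
      return;
    }
    paramGroup = authorizables[1].getString();
    // siteJoinIsAuthorized(request) is expected to read the site node from this attribute,
    // so it must be set before the authorization check.
    request.setAttribute(JoinRequestConstants.PARAM_SITENODE, requestedNode);
    if (!siteJoinIsAuthorized(request)) {
      response.sendError(403, "Not authorized to add member to site.");
      return;
    }
    // Only open the administrative session once the request is known to be authorized.
    session = slingRepository.loginAdministrative(null);
    UserManager userManager = AccessControlUtil.getUserManager(session);
    Authorizable userAuth = userManager.getAuthorizable(paramUser);
    Authorizable groupCandidate = userManager.getAuthorizable(paramGroup);
    if (userAuth == null || !(groupCandidate instanceof Group)) {
      response.sendError(404, "User or site group not found.");
      return;
    }
    Group groupAuth = (Group) groupCandidate;
    groupAuth.addMember(userAuth);
    logger.info(paramUser + " added as member of group " + paramGroup);
    if (session.hasPendingChanges()) {
      session.save();
    }
  } catch (Exception e) {
    // Log the full cause server-side; do not echo exception text to the client.
    logger.error("Failed to add " + paramUser + " to group " + paramGroup, e);
    response.sendError(500, "Failed to add member to site.");
  } finally {
    // The administrative session was never released in the original; always log it out.
    if (session != null) {
      session.logout();
    }
  }
}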
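/**
 * KERN-1026 changed the results of this to be the authz's that are members of the managers group
 * associated to a group rather than the group managers associated to the group.
 *
 * <p><del>Get the managers for a group. These should be stored in the {@link
 * UserConstants#PROP_GROUP_MANAGERS}.</del>
 *
 * @param request the request whose resource resolver supplies the JCR session used for lookups
 * @param group the group whose {@link UserConstants#PROP_MANAGERS_GROUP} property names the
 *     managers group to expand
 * @param comparator ordering of the returned map's keys (keys are produced by {@code getName})
 * @return the members of the managers group keyed by their display name; empty when the group
 *     has no single managers group, or the managers group cannot be resolved
 * @throws RepositoryException
 * @throws JSONException
 */
protected TreeMap<String, Authorizable> getManagers(
    SlingHttpServletRequest request, Group group, Comparator<String> comparator)
    throws RepositoryException, JSONException {
  TreeMap<String, Authorizable> map = new TreeMap<String, Authorizable>(comparator);
  // KERN-949 will probably change this.
  // note above was made before this was changed to retrieving members of the managers
  // group and may not apply.
  Session session = request.getResourceResolver().adaptTo(Session.class);
  UserManager um = AccessControlUtil.getUserManager(session);
  Value[] managersGroup = group.getProperty(UserConstants.PROP_MANAGERS_GROUP);
  if (managersGroup == null || managersGroup.length != 1) {
    return map;
  }
  String mgrGroupName = managersGroup[0].getString();
  Authorizable mgrAuth = um.getAuthorizable(mgrGroupName);
  if (!(mgrAuth instanceof Group)) {
    // A dangling or non-group reference would have produced an NPE / ClassCastException.
    return map;
  }
  Iterator<Authorizable> members = ((Group) mgrAuth).getMembers();
  while (members.hasNext()) {
    Authorizable member = members.next();
    String prinName = member.getPrincipal().getName();
    Authorizable mau = um.getAuthorizable(prinName);
    if (mau == null) {
      // Member principal no longer resolves to an authorizable; skip rather than map a null.
      continue;
    }
    map.put(getName(mau), mau);
  }
  return map;
}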
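/**
 * Applies the JSON definitions bundled under {@code users/*.json} to the authorizables they
 * name (file name minus the {@code /users/} prefix and {@code .json} suffix). Authorizables
 * that do not exist are logged and skipped; repository and I/O failures are logged, and the
 * administrative session is always logged out.
 */
public void initDefaultUsers() {
  Session session = null;
  try {
    session = repository.loginAdministrative(null);
    UserManager userManager = AccessControlUtil.getUserManager(session);
    // Apply default user properties from JSON files.
    Pattern fileNamePattern = Pattern.compile("/users/|\\.json");
    @SuppressWarnings("rawtypes")
    Enumeration entriesEnum = bundle.findEntries("users", "*.json", true);
    if (entriesEnum == null) {
      // Bundle.findEntries returns null, not an empty enumeration, when nothing matches;
      // without this guard the loop below throws a NullPointerException.
      LOGGER.info("No default authorizable definitions found under users/*.json");
      return;
    }
    while (entriesEnum.hasMoreElements()) {
      Object entry = entriesEnum.nextElement();
      URL jsonUrl = new URL(entry.toString());
      String jsonFileName = jsonUrl.getFile();
      // The bare file name is the authorizable id.
      String authorizableId = fileNamePattern.matcher(jsonFileName).replaceAll("");
      Authorizable authorizable = userManager.getAuthorizable(authorizableId);
      if (authorizable != null) {
        applyJsonToAuthorizable(jsonUrl, authorizable, session);
        LOGGER.info("Initialized default authorizable {}", authorizableId);
      } else {
        LOGGER.warn("Configured default authorizable {} not found", authorizableId);
      }
    }
  } catch (RepositoryException e) {
    LOGGER.error("Could not configure default authorizables", e);
  } catch (IOException e) {
    LOGGER.error("Could not configure default authorizables", e);
  } finally {
    if (session != null) {
      session.logout();
    }
  }
}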
/**
 * Drives CreateSakaiUserServlet.handleOperation with the given node-name parameter as a
 * non-admin "userID" and asserts that it fails with a RepositoryException carrying exactly
 * {@code exception} as its message.
 */
private void badNodeNameParam(String name, String exception) throws RepositoryException {
  CreateSakaiUserServlet servlet = new CreateSakaiUserServlet();
  servlet.requestTrustValidatorService = requestTrustValidatorService;

  JackrabbitSession mockSession = createMock(JackrabbitSession.class);
  ResourceResolver mockResolver = createMock(ResourceResolver.class);
  SlingHttpServletRequest mockRequest = createMock(SlingHttpServletRequest.class);
  UserManager mockUserManager = createMock(UserManager.class);
  User mockUser = createMock(User.class);

  // Request -> resolver -> session wiring, and a non-admin caller.
  expect(mockRequest.getResourceResolver()).andReturn(mockResolver).anyTimes();
  expect(mockResolver.adaptTo(Session.class)).andReturn(mockSession).anyTimes();
  expect(mockSession.getUserManager()).andReturn(mockUserManager);
  expect(mockSession.getUserID()).andReturn("userID");
  expect(mockUserManager.getAuthorizable("userID")).andReturn(mockUser);
  expect(mockUser.isAdmin()).andReturn(false);
  // Form parameters under test.
  expect(mockRequest.getParameter(":create-auth")).andReturn("reCAPTCHA");
  expect(mockRequest.getParameter(SlingPostConstants.RP_NODE_NAME)).andReturn(name);
  replay();

  HtmlResponse htmlResponse = new HtmlResponse();
  boolean rejected = false;
  try {
    servlet.handleOperation(mockRequest, htmlResponse, null);
  } catch (RepositoryException e) {
    rejected = true;
    assertEquals(exception, e.getMessage());
  }
  if (!rejected) {
    fail();
  }
  verify();
}
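/**
 * Resolves {@code hiddenFieldValue} according to the component's PROP_LIST setting:
 * option 1 takes the last of MAKER/CHECKER/READER groups the current user belongs to,
 * option 2 the current principal name, option 4 the configured STATIC_VALUE; option 3 is
 * not implemented yet. A missing or unrecognised PROP_LIST leaves the value untouched.
 *
 * @throws Exception propagated from the underlying lookups
 */
@Override
public void activate() throws Exception {
  String listGroup = getProperties().get(PROP_LIST, String.class);
  // Constant-first comparisons: a missing PROP_LIST no longer fails activation with an NPE.
  if (PROP_LIST_OPTION1.equals(listGroup)) {
    UserManager userManager = getResourceResolver().adaptTo(UserManager.class);
    Authorizable currentUser = null;
    if (userManager != null) {
      currentUser = userManager.getAuthorizable(getRequest().getUserPrincipal());
    }
    if (currentUser != null) {
      Iterator<Group> groups = currentUser.memberOf();
      while (groups.hasNext()) {
        String groupName = groups.next().getPrincipal().getName();
        // Deliberately no break: as before, the last matching group in iteration order wins.
        if (MAKER_GROUP.equals(groupName)
            || CHECKER_GROUP.equals(groupName)
            || READER_GROUP.equals(groupName)) {
          hiddenFieldValue = groupName;
        }
      }
    }
  } else if (PROP_LIST_OPTION2.equals(listGroup)) {
    hiddenFieldValue = getRequest().getUserPrincipal().getName();
  } else if (PROP_LIST_OPTION3.equals(listGroup)) {
    // to be added
  } else if (PROP_LIST_OPTION4.equals(listGroup)) {
    hiddenFieldValue = getProperties().get(STATIC_VALUE, String.class);
  }
}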
/**
 * Wraps the next principal of the underlying iterator as a SakaiAuthorizableResource under
 * the user or group prefix. Returns {@code null} when the resolver, session, user manager or
 * authorizable cannot be obtained, or when the lookup fails with a RepositoryException.
 */
public Resource next() {
  Principal nextPrincipal = principals.nextPrincipal();
  try {
    ResourceResolver resolver = parent.getResourceResolver();
    if (resolver == null) {
      return null;
    }
    Session session = resolver.adaptTo(Session.class);
    if (session == null) {
      return null;
    }
    UserManager userManager = AccessControlUtil.getUserManager(session);
    if (userManager == null) {
      return null;
    }
    String principalName = nextPrincipal.getName();
    Authorizable authorizable = userManager.getAuthorizable(principalName);
    if (authorizable == null) {
      return null;
    }
    String prefix = authorizable.isGroup()
        ? SYSTEM_USER_MANAGER_GROUP_PREFIX
        : SYSTEM_USER_MANAGER_USER_PREFIX;
    return new SakaiAuthorizableResource(authorizable, resolver, prefix + principalName);
  } catch (RepositoryException re) {
    log.error("Exception while looking up authorizable resource.", re);
  }
  return null;
}
/**
 * Looks up the Jackrabbit user for {@code name} within a tenant. When {@code theTenant} is
 * null the tenant (and bare principal name) are derived from {@code name}; the current and
 * then the default tenant are used as fallbacks when the tenant has no id.
 *
 * @return the user, or {@code null} if no tenant can be determined or the authorizable is
 *     missing or not a User
 * @throws RepositoryException from the user manager
 */
private User getJackrabbitUser(ITenant theTenant, String name, Session session)
    throws RepositoryException {
  ITenant tenant = theTenant;
  String userName = name;
  if (tenant == null) {
    tenant = JcrTenantUtils.getTenant(name, true);
    userName = JcrTenantUtils.getPrincipalName(name, true);
  }
  if (tenant == null || tenant.getId() == null) {
    tenant = JcrTenantUtils.getCurrentTenant();
  }
  if (tenant == null || tenant.getId() == null) {
    tenant = JcrTenantUtils.getDefaultTenant();
  }
  if (tenant == null) {
    return null;
  }
  String userId = tenantedUserNameUtils.getPrincipleId(tenant, userName);
  Authorizable authorizable = getUserManager(tenant, session).getAuthorizable(userId);
  return authorizable instanceof User ? (User) authorizable : null;
}
/**
 * Looks up the Jackrabbit group for role {@code name} within a tenant, resolving the tenant
 * the same way as getJackrabbitUser (derived from the name, then current, then default).
 *
 * @return the group, or {@code null} if the authorizable is missing or not a Group
 * @throws RepositoryException from the user manager
 */
private Group getJackrabbitGroup(ITenant theTenant, String name, Session session)
    throws RepositoryException {
  ITenant tenant = theTenant;
  String roleName = name;
  if (tenant == null) {
    tenant = JcrTenantUtils.getTenant(name, false);
    roleName = JcrTenantUtils.getPrincipalName(name, false);
  }
  if (tenant == null || tenant.getId() == null) {
    tenant = JcrTenantUtils.getCurrentTenant();
  }
  if (tenant == null || tenant.getId() == null) {
    tenant = JcrTenantUtils.getDefaultTenant();
  }
  // NOTE(review): unlike getJackrabbitUser there is no null guard on tenant here, so a null
  // tenant reaches getPrincipleId/getUserManager — confirm both tolerate it.
  String roleId = tenantedRoleNameUtils.getPrincipleId(tenant, roleName);
  Authorizable authorizable = getUserManager(tenant, session).getAuthorizable(roleId);
  return authorizable instanceof Group ? (Group) authorizable : null;
}
/**
 * {@inheritDoc}
 *
 * <p>Writes one JSON object per row: the node's {@code jcr:created} value, plus the compact
 * profile of the authorizable whose id equals the node name, when that authorizable exists.
 *
 * @see
 * org.sakaiproject.nakamura.api.search.SearchResultProcessor#writeNode(org.apache.sling.api.SlingHttpServletRequest,
 * org.apache.sling.commons.json.io.JSONWriter,
 * org.sakaiproject.nakamura.api.search.Aggregator, javax.jcr.query.Row)
 */
public void writeNode(
    SlingHttpServletRequest request, JSONWriter write, Aggregator aggregator, Row row)
    throws JSONException, RepositoryException {
  write.object();
  Node node = row.getNode();
  write.key("jcr:created");
  write.value(node.getProperty("jcr:created").getString());

  // The node name doubles as the user id being described.
  String userId = node.getName();
  Session session = node.getSession();
  Authorizable authorizable = AccessControlUtil.getUserManager(session).getAuthorizable(userId);
  if (authorizable != null) {
    ValueMap profile = profileService.getCompactProfileMap(authorizable, session);
    // NOTE(review): the writer is assumed to be an ExtendedJSONWriter; the cast is unchecked.
    ((ExtendedJSONWriter) write).valueMapInternals(profile);
  }
  write.endObject();
}
/**
 * A trusted request (validator level CREATE_USER, isTrusted true) still fails when the
 * password and its confirmation differ; the servlet must report exactly that message.
 */
@Test
public void testRequestTrusted() throws RepositoryException {
  CreateSakaiUserServlet servlet = new CreateSakaiUserServlet();

  JackrabbitSession mockSession = createMock(JackrabbitSession.class);
  ResourceResolver mockResolver = createMock(ResourceResolver.class);
  SlingHttpServletRequest mockRequest = createMock(SlingHttpServletRequest.class);
  UserManager mockUserManager = createMock(UserManager.class);
  User mockUser = createMock(User.class);
  RequestTrustValidatorService mockValidatorService =
      createMock(RequestTrustValidatorService.class);
  RequestTrustValidator mockValidator = createMock(RequestTrustValidator.class);

  // Session wiring (the single-shot adaptTo expectation precedes the anyTimes one, as in
  // the original fixture).
  expect(mockResolver.adaptTo(Session.class)).andReturn(mockSession);
  expect(mockRequest.getResourceResolver()).andReturn(mockResolver).anyTimes();
  expect(mockResolver.adaptTo(Session.class)).andReturn(mockSession).anyTimes();
  expect(mockSession.getUserManager()).andReturn(mockUserManager);
  expect(mockSession.getUserID()).andReturn("userID");
  expect(mockUserManager.getAuthorizable("userID")).andReturn(mockUser);
  expect(mockUser.isAdmin()).andReturn(false);

  // Trust validation for auth type "typeA" passes.
  expect(mockRequest.getParameter(":create-auth")).andReturn("typeA");
  expect(mockValidatorService.getValidator("typeA")).andReturn(mockValidator);
  expect(mockValidator.getLevel()).andReturn(RequestTrustValidator.CREATE_USER);
  expect(mockValidator.isTrusted(mockRequest)).andReturn(true);

  // Form values: mismatched password confirmation.
  expect(mockRequest.getParameter(SlingPostConstants.RP_NODE_NAME)).andReturn("foo");
  expect(mockRequest.getParameter("pwd")).andReturn("bar");
  expect(mockRequest.getParameter("pwdConfirm")).andReturn("baz");

  servlet.requestTrustValidatorService = mockValidatorService;
  replay();

  HtmlResponse htmlResponse = new HtmlResponse();
  boolean rejected = false;
  try {
    servlet.handleOperation(mockRequest, htmlResponse, null);
  } catch (RepositoryException e) {
    rejected = true;
    assertEquals("Password value does not match the confirmation password", e.getMessage());
  }
  if (!rejected) {
    fail();
  }
  verify();
}
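/**
 * Collects the groups that {@code member} manages: for each group the member belongs to that
 * carries a single-valued {@link UserConstants#PROP_MANAGED_GROUP}, the referenced group is
 * returned keyed by its id. References that do not resolve to a Group are skipped.
 *
 * @param member the authorizable whose memberships are inspected
 * @param userManager used to resolve the managed-group ids
 * @return managed groups keyed by id (natural order); empty when there are none
 * @throws RepositoryException from the user manager
 */
@Override
protected TreeMap<String, Group> getGroups(Authorizable member, UserManager userManager)
    throws RepositoryException {
  TreeMap<String, Group> managedGroups = new TreeMap<String, Group>();
  Iterator<Group> allGroupsIter = member.memberOf();
  while (allGroupsIter.hasNext()) {
    Group group = allGroupsIter.next();
    if (!group.hasProperty(UserConstants.PROP_MANAGED_GROUP)) {
      continue;
    }
    Value[] values = group.getProperty(UserConstants.PROP_MANAGED_GROUP);
    if (values == null || values.length != 1) {
      continue;
    }
    String managedGroupId = values[0].getString();
    Authorizable managed = userManager.getAuthorizable(managedGroupId);
    // A dangling id would otherwise store a null value, and a non-group authorizable would
    // throw ClassCastException; both are skipped instead.
    if (managed instanceof Group) {
      managedGroups.put(managedGroupId, (Group) managed);
    }
  }
  return managedGroups;
}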
/*
 * (non-Javadoc)
 * @see
 * org.apache.sling.api.resource.ResourceProvider#getResource(org.apache
 * .sling.api.resource.ResourceResolver, java.lang.String)
 *
 * Returns synthetic resources for the three virtual container paths, a
 * SakaiAuthorizableResource for "<user|group prefix><principalId>", and null for anything
 * else (including paths with extra segments after the principal id).
 */
public Resource getResource(ResourceResolver resourceResolver, String path) {
  // handle resources for the virtual container resources
  if (path.equals(SYSTEM_USER_MANAGER_PATH)) {
    return new SyntheticResource(resourceResolver, path, "sling/userManager");
  }
  if (path.equals(SYSTEM_USER_MANAGER_USER_PATH)) {
    return new SyntheticResource(resourceResolver, path, "sling/users");
  }
  if (path.equals(SYSTEM_USER_MANAGER_GROUP_PATH)) {
    return new SyntheticResource(resourceResolver, path, "sling/groups");
  }

  // the principalId should be the first segment after the prefix
  String principalId;
  if (path.startsWith(SYSTEM_USER_MANAGER_USER_PREFIX)) {
    principalId = path.substring(SYSTEM_USER_MANAGER_USER_PREFIX.length());
  } else if (path.startsWith(SYSTEM_USER_MANAGER_GROUP_PREFIX)) {
    principalId = path.substring(SYSTEM_USER_MANAGER_GROUP_PREFIX.length());
  } else {
    return null;
  }
  if (principalId.indexOf('/') >= 0) {
    // something bogus on the end of the path so bail out now.
    return null;
  }

  try {
    Session session = resourceResolver.adaptTo(Session.class);
    if (session == null) {
      return null;
    }
    UserManager userManager = AccessControlUtil.getUserManager(session);
    if (userManager == null) {
      return null;
    }
    Authorizable authorizable = userManager.getAuthorizable(principalId);
    if (authorizable == null) {
      return null;
    }
    // found the Authorizable, so return the resource that wraps it.
    return new SakaiAuthorizableResource(authorizable, resourceResolver, path);
  } catch (RepositoryException re) {
    throw new SlingException("Error looking up Authorizable for principal: " + principalId, re);
  }
}
/*
 * (non-Javadoc)
 * @see
 * org.apache.sling.jackrabbit.usermanager.post.AbstractAuthorizablePostServlet
 * #handleOperation(org.apache.sling.api.SlingHttpServletRequest,
 * org.apache.sling.api.servlets.HtmlResponse, java.util.List)
 *
 * Self-registration of a new user. Rejects (RepositoryException) when registration is
 * disabled, no JCR session is available, the name or password is missing, the confirmation
 * does not match, or the principal already exists; otherwise creates the user in the
 * self-registration session, writes the submitted properties and records the change.
 */
@Override
protected void handleOperation(
    SlingHttpServletRequest request, HtmlResponse response, List<Modification> changes)
    throws RepositoryException {
  // make sure user self-registration is enabled
  if (!selfRegistrationEnabled) {
    throw new RepositoryException(
        "Sorry, registration of new users is not currently enabled. Please try again later.");
  }
  Session requestSession = request.getResourceResolver().adaptTo(Session.class);
  if (requestSession == null) {
    throw new RepositoryException("JCR Session not found");
  }

  // check that the submitted parameter values have valid values.
  String principalName = request.getParameter(SlingPostConstants.RP_NODE_NAME);
  if (principalName == null) {
    throw new RepositoryException("User name was not submitted");
  }
  String password = request.getParameter("pwd");
  if (password == null) {
    throw new RepositoryException("Password was not submitted");
  }
  if (!password.equals(request.getParameter("pwdConfirm"))) {
    throw new RepositoryException("Password value does not match the confirmation password");
  }

  Session selfRegSession = null;
  try {
    selfRegSession = getSession();
    UserManager userManager = AccessControlUtil.getUserManager(selfRegSession);
    if (userManager.getAuthorizable(principalName) != null) {
      // user already exists!
      throw new RepositoryException(
          "A principal already exists with the requested name: " + principalName);
    }
    Map<String, RequestProperty> reqProperties = collectContent(request, response);
    User user = userManager.createUser(principalName, digestPassword(password));
    String userPath =
        AuthorizableResourceProvider.SYSTEM_USER_MANAGER_USER_PREFIX + user.getID();
    response.setPath(userPath);
    response.setLocation(externalizePath(request, userPath));
    response.setParentLocation(
        externalizePath(request, AuthorizableResourceProvider.SYSTEM_USER_MANAGER_USER_PATH));
    changes.add(Modification.onCreated(userPath));
    // write content from form
    writeContent(selfRegSession, user, reqProperties, changes);
    if (selfRegSession.hasPendingChanges()) {
      selfRegSession.save();
    }
  } finally {
    ungetSession(selfRegSession);
  }
}
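/*
 * (non-Javadoc)
 *
 * @see org.apache.sling.jackrabbit.usermanager.post.AbstractAuthorizablePostServlet#
 * handleOperation(org.apache.sling.api.SlingHttpServletRequest,
 * org.apache.sling.api.servlets.HtmlResponse, java.util.List)
 *
 * Creates a new group named by the request. Anonymous callers get 403 and nothing else
 * happens. Otherwise the caller must be an admin, or belong (via the principal manager, the
 * "authenticated" shortcut, or dynamic group membership) to one of authorizedGroups; the
 * group is then created in the service session, populated from the form (minus the managers
 * and viewers properties, which are owned by the server), and a group-created OSGi event is
 * sent on a best-effort basis.
 */
@Override
@edu.umd.cs.findbugs.annotations.SuppressWarnings(
    justification = "If there is an exception, the user is certainly not admin",
    value = {"REC_CATCH_EXCEPTION"})
protected void handleOperation(
    SlingHttpServletRequest request, HtmlResponse response, List<Modification> changes)
    throws RepositoryException {
  // KERN-432 dont allow anon users to access create group.
  // The 403 must end the request: without the return, processing continued and the
  // "authenticated" shortcut below could still let an anonymous caller create the group.
  if (SecurityConstants.ANONYMOUS_ID.equals(request.getRemoteUser())) {
    response.setStatus(403, "AccessDenied");
    return;
  }
  // check that the submitted parameter values have valid values.
  final String principalName = request.getParameter(SlingPostConstants.RP_NODE_NAME);
  if (principalName == null) {
    throw new RepositoryException("Group name was not submitted");
  }
  NameSanitizer san = new NameSanitizer(principalName, false);
  san.validate();

  // check for allow create Group
  boolean allowCreateGroup = false;
  User currentUser = null;
  try {
    Session currentSession = request.getResourceResolver().adaptTo(Session.class);
    UserManager um = AccessControlUtil.getUserManager(currentSession);
    currentUser = (User) um.getAuthorizable(currentSession.getUserID());
    if (currentUser.isAdmin()) {
      LOGGER.debug("User is an admin ");
      allowCreateGroup = true;
    } else {
      LOGGER.debug("Checking for membership of one of {} ", Arrays.toString(authorizedGroups));
      PrincipalManager principalManager = AccessControlUtil.getPrincipalManager(currentSession);
      PrincipalIterator pi =
          principalManager.getGroupMembership(
              principalManager.getPrincipal(currentSession.getUserID()));
      Set<String> groups = new HashSet<String>();
      while (pi.hasNext()) {
        groups.add(pi.nextPrincipal().getName());
      }
      for (String groupName : authorizedGroups) {
        if (groups.contains(groupName)) {
          allowCreateGroup = true;
          break;
        }
        // TODO: move this nasty hack into the PrincipalManager dynamic groups need to
        // be in the principal manager for this to work.
        if ("authenticated".equals(groupName)
            && !SecurityConstants.ADMIN_ID.equals(currentUser.getID())) {
          allowCreateGroup = true;
          break;
        }
        // just check via the user manager for dynamic resolution.
        Group group = (Group) um.getAuthorizable(groupName);
        LOGGER.debug("Checking for group {} {} ", groupName, group);
        if (group != null && group.isMember(currentUser)) {
          allowCreateGroup = true;
          LOGGER.debug("User is a member of {} {} ", groupName, group);
          break;
        }
      }
    }
  } catch (Exception ex) {
    // Any failure here means "not allowed"; keep the stack trace so the failing lookup is
    // diagnosable rather than only its message.
    LOGGER.warn(
        "Failed to determin if the user is an admin, assuming not. Cause: " + ex.getMessage(),
        ex);
    allowCreateGroup = false;
  }
  if (!allowCreateGroup) {
    LOGGER.debug("User is not allowed to create groups ");
    response.setStatus(HttpServletResponse.SC_FORBIDDEN, "User is not allowed to create groups");
    return;
  }

  Session session = getSession();
  try {
    UserManager userManager = AccessControlUtil.getUserManager(session);
    Authorizable authorizable = userManager.getAuthorizable(principalName);
    if (authorizable != null) {
      // principal already exists!
      throw new RepositoryException(
          "A principal already exists with the requested name: " + principalName);
    }
    Group group =
        userManager.createGroup(
            new Principal() {
              public String getName() {
                return principalName;
              }
            });
    String groupPath =
        AuthorizableResourceProvider.SYSTEM_USER_MANAGER_GROUP_PREFIX + group.getID();
    Map<String, RequestProperty> reqProperties = collectContent(request, response, groupPath);
    response.setPath(groupPath);
    response.setLocation(externalizePath(request, groupPath));
    response.setParentLocation(
        externalizePath(request, AuthorizableResourceProvider.SYSTEM_USER_MANAGER_GROUP_PATH));
    changes.add(Modification.onCreated(groupPath));

    // It is not allowed to touch the rep:group-managers property directly.
    String key = SYSTEM_USER_MANAGER_GROUP_PREFIX + principalName + "/";
    reqProperties.remove(key + PROP_GROUP_MANAGERS);
    reqProperties.remove(key + PROP_GROUP_VIEWERS);
    // write content from form
    writeContent(session, group, reqProperties, changes);

    // update the group memberships, although this uses session from the request, it only
    // does so for finding authorizables, so its ok that we are using an admin session here.
    updateGroupMembership(request, group, changes);
    updateOwnership(request, group, new String[] {currentUser.getID()}, changes);
    sakaiAuthorizableService.postprocess(group, session);

    // Launch an OSGi event for creating a group.
    try {
      Dictionary<String, String> properties = new Hashtable<String, String>();
      properties.put(UserConstants.EVENT_PROP_USERID, principalName);
      EventUtils.sendOsgiEvent(properties, UserConstants.TOPIC_GROUP_CREATED, eventAdmin);
    } catch (Exception e) {
      // Trap all exception so we don't disrupt the normal behaviour.
      LOGGER.error("Failed to launch an OSGi event for creating a user.", e);
    }
  } catch (RepositoryException re) {
    throw new RepositoryException("Failed to create new group.", re);
  } finally {
    ungetSession(session);
  }
}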