Fix small bugs
1 /*
2 * Copyright (C) 2007-2012 Mathieu Baudier
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 package org.argeo.jcr.security;
17
18 import java.security.Principal;
19 import java.util.ArrayList;
20 import java.util.HashMap;
21 import java.util.List;
22 import java.util.Map;
23
24 import javax.jcr.Repository;
25 import javax.jcr.RepositoryException;
26 import javax.jcr.Session;
27 import javax.jcr.security.AccessControlManager;
28 import javax.jcr.security.Privilege;
29
30 import org.apache.commons.logging.Log;
31 import org.apache.commons.logging.LogFactory;
32 import org.argeo.ArgeoException;
33 import org.argeo.jcr.JcrUtils;
34 import org.argeo.util.security.SimplePrincipal;
35
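/**
 * Applies a configured set of privileges to nodes of a JCR repository.
 * <p>
 * The configuration is a map whose keys name the privileges and the target
 * node, and whose values name the principals receiving them (see
 * {@link #setPrincipalPrivileges(Map)}). {@link #run()} opens a session with
 * {@link Repository#login(String)}, that is without explicit credentials, so
 * it has to be called from a context that the repository allows to modify
 * access control.
 * <p>
 * Security notes for whoever maintains the configuration:
 * <ul>
 * <li>Principal names are not checked for existence (see
 * {@link #getOrCreatePrincipal(Session, String)}); review them as carefully as
 * the privileges themselves.</li>
 * <li>The map is stored by reference, not copied, so it must not be modified
 * by another thread while {@link #run()} is executing.</li>
 * </ul>
 */
public class JcrAuthorizations implements Runnable {
    private static final Log log = LogFactory.getLog(JcrAuthorizations.class);

    private Repository repository;
    /** Workspace name handed to {@link Repository#login(String)}. */
    private String workspace = null;

    /**
     * key := privilege1,privilege2/path/to/node<br/>
     * value := group1,group2,user1
     */
    private Map<String, String> principalPrivileges = new HashMap<String, String>();

    /**
     * Logs into the configured workspace, applies all configured privileges
     * and logs out again.
     *
     * @throws ArgeoException
     *             if login or any step of the privilege assignment fails; the
     *             original exception is kept as the cause
     */
    public void run() {
        Session session = null;
        try {
            session = repository.login(workspace);
            initAuthorizations(session);
        } catch (Exception e) {
            // drop pending changes before the session is logged out in finally
            JcrUtils.discardQuietly(session);
            throw new ArgeoException("Cannot set authorizations "
                    + principalPrivileges + " on repository " + repository, e);
        } finally {
            JcrUtils.logoutQuietly(session);
        }
    }

    /** @deprecated call {@link #run()} instead. */
    @Deprecated
    public void init() {
        run();
    }

    /**
     * Parses every configured entry and grants the listed privileges on the
     * listed path to each listed principal.
     * <p>
     * A key is split at its first {@code '/'}: what precedes it is the
     * comma-separated privilege list, what follows (slash included) is the node
     * path. A key without any slash targets the root node {@code "/"}. Because
     * the first slash is the separator, privilege names that themselves contain
     * a slash cannot be expressed in this format.
     *
     * @param session
     *            the session whose access control manager is used
     * @throws RepositoryException
     *             if a privilege name is unknown or the repository rejects the
     *             change
     * @throws ArgeoException
     *             if an entry is malformed
     */
    protected void initAuthorizations(Session session)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();

        for (Map.Entry<String, String> entry : principalPrivileges.entrySet()) {
            String key = entry.getKey();
            // Read the principals from the entry itself. Looking them up again
            // with the key after its path has been cut off returned null for
            // every key that carried a path.
            String principalNames = entry.getValue();
            if (key == null || principalNames == null) {
                throw new ArgeoException("Privileges entry " + key + "="
                        + principalNames + " has a null key or value");
            }

            String privileges = key.trim();
            String path = "/";
            int slashIndex = privileges.indexOf('/');
            if (slashIndex == 0) {
                throw new ArgeoException("Privilege " + privileges
                        + " badly formatted it starts with /");
            } else if (slashIndex > 0) {
                path = privileges.substring(slashIndex);
                privileges = privileges.substring(0, slashIndex);
            }

            // Tokens are trimmed so that "a, b" and "a,b" configure the same
            // thing; an unknown or empty name is still rejected by the
            // access control manager rather than skipped.
            List<Privilege> privs = new ArrayList<Privilege>();
            for (String priv : privileges.split(",")) {
                privs.add(acm.privilegeFromName(priv.trim()));
            }

            for (String principalName : principalNames.split(",")) {
                Principal principal = getOrCreatePrincipal(session,
                        principalName.trim());
                JcrUtils.addPrivileges(session, path, principal, privs);
            }
        }

        if (log.isDebugEnabled())
            log.debug("All authorizations applied on workspace "
                    + session.getWorkspace().getName());
    }

    /**
     * Returns a {@link SimplePrincipal} for the given name. It does not check
     * whether the principal exists, since the standard JCR API provides no
     * such capability. Can be overridden to provide smarter handling.
     * <p>
     * Because the name is not validated here, a misspelt name in the
     * configuration is not detected by this class; whether the resulting entry
     * is accepted is left to the repository.
     *
     * @param session
     *            the current session (unused by this implementation)
     * @param principalName
     *            the name taken from the configuration
     * @return a new principal carrying that name
     */
    protected Principal getOrCreatePrincipal(Session session,
            String principalName) throws RepositoryException {
        return new SimplePrincipal(principalName);
    }

    // Earlier in-class implementation, left commented out by the author; the
    // live code path calls JcrUtils.addPrivileges instead.
    //
    // public static void addPrivileges(Session session, Principal principal,
    // String path, List<Privilege> privs) throws RepositoryException {
    // AccessControlManager acm = session.getAccessControlManager();
    // // search for an access control list
    // AccessControlList acl = null;
    // AccessControlPolicyIterator policyIterator = acm
    // .getApplicablePolicies(path);
    // if (policyIterator.hasNext()) {
    // while (policyIterator.hasNext()) {
    // AccessControlPolicy acp = policyIterator
    // .nextAccessControlPolicy();
    // if (acp instanceof AccessControlList)
    // acl = ((AccessControlList) acp);
    // }
    // } else {
    // AccessControlPolicy[] existingPolicies = acm.getPolicies(path);
    // for (AccessControlPolicy acp : existingPolicies) {
    // if (acp instanceof AccessControlList)
    // acl = ((AccessControlList) acp);
    // }
    // }
    //
    // if (acl != null) {
    // acl.addAccessControlEntry(principal,
    // privs.toArray(new Privilege[privs.size()]));
    // acm.setPolicy(path, acl);
    // session.save();
    // if (log.isDebugEnabled()) {
    // StringBuffer buf = new StringBuffer("");
    // for (int i = 0; i < privs.size(); i++) {
    // if (i != 0)
    // buf.append(',');
    // buf.append(privs.get(i).getName());
    // }
    // log.debug("Added privilege(s) '" + buf + "' to '"
    // + principal.getName() + "' on " + path
    // + " from workspace '"
    // + session.getWorkspace().getName() + "'");
    // }
    // } else {
    // throw new ArgeoException("Don't know how to apply privileges "
    // + privs + " to " + principal + " on " + path
    // + " from workspace '" + session.getWorkspace().getName()
    // + "'");
    // }
    // }

    /**
     * @deprecated use {@link #setPrincipalPrivileges(Map)} instead; both
     *             setters write the same field.
     */
    @Deprecated
    public void setGroupPrivileges(Map<String, String> groupPrivileges) {
        this.principalPrivileges = groupPrivileges;
    }

    /**
     * Sets the privileges to apply.
     *
     * @param principalPrivileges
     *            map of {@code privilege1,privilege2/path/to/node} to
     *            {@code group1,group2,user1}; kept by reference
     */
    public void setPrincipalPrivileges(Map<String, String> principalPrivileges) {
        this.principalPrivileges = principalPrivileges;
    }

    /** Sets the repository {@link #run()} logs into. */
    public void setRepository(Repository repository) {
        this.repository = repository;
    }

    /** Sets the workspace {@link #run()} logs into. */
    public void setWorkspace(String workspace) {
        this.workspace = workspace;
    }

}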