X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.server.jcr%2Fsrc%2Forg%2Fargeo%2Fjcr%2Fsecurity%2FJcrAuthorizations.java;fp=org.argeo.server.jcr%2Fsrc%2Forg%2Fargeo%2Fjcr%2Fsecurity%2FJcrAuthorizations.java;h=491f8a6fe4a4b36f07f9622462c62c09665a9a0d;hb=cf3a914f6fbf31b43be5cb86e54d05e8543be6a9;hp=0000000000000000000000000000000000000000;hpb=2e854796e0a27c9ef9e29b0664132a87ddbd1285;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.server.jcr/src/org/argeo/jcr/security/JcrAuthorizations.java b/org.argeo.server.jcr/src/org/argeo/jcr/security/JcrAuthorizations.java
new file mode 100644
index 000000000..491f8a6fe
--- /dev/null
+++ b/org.argeo.server.jcr/src/org/argeo/jcr/security/JcrAuthorizations.java
@@ -0,0 +1,223 @@
+/*
+ * Copyright (C) 2007-2012 Argeo GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.argeo.jcr.security;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.jcr.Repository;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.Privilege;
+
+import org.argeo.ArgeoException;
+import org.argeo.jcr.JcrUtils;
+import org.argeo.util.security.SimplePrincipal;
+
+/** Apply authorizations to a JCR repository. */
+public class JcrAuthorizations implements Runnable {
+	// private final static Log log =
+	// LogFactory.getLog(JcrAuthorizations.class);
+
+	private Repository repository;
+	private String workspace = null;
+
+	private String securityWorkspace = "security";
+
+	/**
+	 * key := privilege1,privilege2/path/to/node<br/>
+	 * value := group1,group2,user1
+	 */
+	private Map<String, String> principalPrivileges = new HashMap<String, String>();
+
+	public void run() {
+		String currentWorkspace = workspace;
+		Session session = null;
+		try {
+			if (workspace != null && workspace.equals("*")) {
+				session = repository.login();
+				String[] workspaces = session.getWorkspace()
+						.getAccessibleWorkspaceNames();
+				JcrUtils.logoutQuietly(session);
+				for (String wksp : workspaces) {
+					currentWorkspace = wksp;
+					if (currentWorkspace.equals(securityWorkspace))
+						continue;
+					session = repository.login(currentWorkspace);
+					initAuthorizations(session);
+					JcrUtils.logoutQuietly(session);
+				}
+			} else {
+				session = repository.login(workspace);
+				initAuthorizations(session);
+			}
+		} catch (Exception e) {
+			JcrUtils.discardQuietly(session);
+			throw new ArgeoException(
+					"Cannot set authorizations " + principalPrivileges
+							+ " on workspace " + currentWorkspace, e);
+		} finally {
+			JcrUtils.logoutQuietly(session);
+		}
+	}
+
+	protected void processWorkspace(String workspace) {
+		Session session = null;
+		try {
+			session = repository.login(workspace);
+			initAuthorizations(session);
+		} catch (Exception e) {
+			JcrUtils.discardQuietly(session);
+			throw new ArgeoException("Cannot set authorizations "
+					+ principalPrivileges + " on repository " + repository, e);
+		} finally {
+			JcrUtils.logoutQuietly(session);
+		}
+	}
+
+	/** @deprecated call {@link #run()} instead. */
+	@Deprecated
+	public void init() {
+		run();
+	}
+
+	protected void initAuthorizations(Session session)
+			throws RepositoryException {
+		AccessControlManager acm = session.getAccessControlManager();
+
+		for (String privileges : principalPrivileges.keySet()) {
+			String path = null;
+			int slashIndex = privileges.indexOf('/');
+			if (slashIndex == 0) {
+				throw new ArgeoException("Privilege " + privileges
+						+ " badly formatted it starts with /");
+			} else if (slashIndex > 0) {
+				path = privileges.substring(slashIndex);
+				privileges = privileges.substring(0, slashIndex);
+			}
+
+			if (path == null)
+				path = "/";
+
+			List<Privilege> privs = new ArrayList<Privilege>();
+			for (String priv : privileges.split(",")) {
+				privs.add(acm.privilegeFromName(priv));
+			}
+
+			String principalNames = principalPrivileges.get(privileges);
+			for (String principalName : principalNames.split(",")) {
+				Principal principal = getOrCreatePrincipal(session,
+						principalName);
+				JcrUtils.addPrivileges(session, path, principal, privs);
+				// if (log.isDebugEnabled()) {
+				// StringBuffer privBuf = new StringBuffer();
+				// for (Privilege priv : privs)
+				// privBuf.append(priv.getName());
+				// log.debug("Added privileges " + privBuf + " to "
+				// + principal.getName() + " on " + path + " in '"
+				// + session.getWorkspace().getName() + "'");
+				// }
+			}
+		}
+
+		// if (log.isDebugEnabled())
+		// log.debug("JCR authorizations applied on '"
+		// + session.getWorkspace().getName() + "'");
+	}
+
+	/**
+	 * Returns a {@link SimplePrincipal}, does not check whether it exists since
+	 * such capabilities is not provided by the standard JCR API. Can be
+	 * overridden to provide smarter handling
+	 */
+	protected Principal getOrCreatePrincipal(Session session,
+			String principalName) throws RepositoryException {
+		return new SimplePrincipal(principalName);
+	}
+
+	// public static void addPrivileges(Session session, Principal principal,
+	// String path, List<Privilege> privs) throws RepositoryException {
+	// AccessControlManager acm = session.getAccessControlManager();
+	// // search for an access control list
+	// AccessControlList acl = null;
+	// AccessControlPolicyIterator policyIterator = acm
+	// .getApplicablePolicies(path);
+	// if (policyIterator.hasNext()) {
+	// while (policyIterator.hasNext()) {
+	// AccessControlPolicy acp = policyIterator
+	// .nextAccessControlPolicy();
+	// if (acp instanceof AccessControlList)
+	// acl = ((AccessControlList) acp);
+	// }
+	// } else {
+	// AccessControlPolicy[] existingPolicies = acm.getPolicies(path);
+	// for (AccessControlPolicy acp : existingPolicies) {
+	// if (acp instanceof AccessControlList)
+	// acl = ((AccessControlList) acp);
+	// }
+	// }
+	//
+	// if (acl != null) {
+	// acl.addAccessControlEntry(principal,
+	// privs.toArray(new Privilege[privs.size()]));
+	// acm.setPolicy(path, acl);
+	// session.save();
+	// if (log.isDebugEnabled()) {
+	// StringBuffer buf = new StringBuffer("");
+	// for (int i = 0; i < privs.size(); i++) {
+	// if (i != 0)
+	// buf.append(',');
+	// buf.append(privs.get(i).getName());
+	// }
+	// log.debug("Added privilege(s) '" + buf + "' to '"
+	// + principal.getName() + "' on " + path
+	// + " from workspace '"
+	// + session.getWorkspace().getName() + "'");
+	// }
+	// } else {
+	// throw new ArgeoException("Don't know how to apply  privileges "
+	// + privs + " to " + principal + " on " + path
+	// + " from workspace '" + session.getWorkspace().getName()
+	// + "'");
+	// }
+	// }
+
+	@Deprecated
+	public void setGroupPrivileges(Map<String, String> groupPrivileges) {
+		this.principalPrivileges = groupPrivileges;
+	}
+
+	public void setPrincipalPrivileges(Map<String, String> principalPrivileges) {
+		this.principalPrivileges = principalPrivileges;
+	}
+
+	public void setRepository(Repository repository) {
+		this.repository = repository;
+	}
+
+	public void setWorkspace(String workspace) {
+		this.workspace = workspace;
+	}
+
+	public void setSecurityWorkspace(String securityWorkspace) {
+		this.securityWorkspace = securityWorkspace;
+	}
+
+}