X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.jackrabbit%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FArgeoSecurityManager.java;h=2153e0e94025c7d96ab3daad787df5612a4be228;hb=484dcb1507e4e35cc282e50522ea7eac7e99a7f9;hp=72479128c4daab4b4ebef81c397e611653f4df57;hpb=2f510fb09e18bc3d3e902c8131d0037763c5f279;p=lgpl%2Fargeo-commons.git
diff --git a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
index 72479128c..2153e0e94 100644
--- a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
+++ b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
@@ -2,16 +2,26 @@ package org.argeo.security.jackrabbit;
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
+import javax.jcr.Node;
+import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
+import javax.jcr.security.Privilege;
 import javax.security.auth.Subject;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
@@ -20,6 +30,7 @@ import org.apache.jackrabbit.core.security.SecurityConstants;
 import org.apache.jackrabbit.core.security.SystemPrincipal;
 import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
 import org.argeo.ArgeoException;
+import org.argeo.jcr.JcrUtils;
 import org.springframework.security.Authentication;
 import org.springframework.security.GrantedAuthority;
@@ -33,6 +44,7 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 throws RepositoryException {
 long begin = System.currentTimeMillis();
+ // skip Jackrabbit system user
 if (!subject.getPrincipals(SystemPrincipal.class).isEmpty())
 return super.getUserID(subject, workspaceName);
@@ -45,6 +57,10 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 else
 authen = authens.iterator().next();
+ // skip argeo system authenticated
+ // if (authen instanceof SystemAuthentication)
+ // return super.getUserID(subject, workspaceName);
+
 UserManager systemUm = getSystemUserManager(workspaceName);
 String userId = authen.getName();
@@ -55,12 +71,14 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 log.info(userId + " added as " + user);
 }
+ //setHomeNodeAuthorizations(user);
+
+ // process groups
 List userGroupIds = new ArrayList();
 for (GrantedAuthority ga : authen.getAuthorities()) {
 Group group = (Group) systemUm.getAuthorizable(ga.getAuthority());
 if (group == null) {
- group = systemUm.createGroup(ga.getAuthority(),
- new GrantedAuthorityPrincipal(ga), null);
+ group = systemUm.createGroup(ga.getAuthority());
 log.info(ga.getAuthority() + " added as " + group);
 }
 if (!group.isMember(user))
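Review bot: The commented-out `SystemAuthentication` check added right after the `authen` assignment leaves no record of why it is disabled, so the next reader cannot tell whether it is planned, abandoned, or blocked on a class this bundle cannot see; the same applies to `//setHomeNodeAuthorizations(user);` in the following hunk and to the thirty-line role-writing block in the hunk after that. Either delete the dead code or replace each block with a single marker that names the blocker, e.g. `// TODO re-enable once SystemAuthentication is available to this bundle`. getUserID's body begins and ends outside this hunk.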
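Review bot: `group = systemUm.createGroup(ga.getAuthority());` drops the explicit `GrantedAuthorityPrincipal` that the removed lines passed, so newly created groups get whatever principal Jackrabbit's one-argument `createGroup` derives from the id, while groups created by earlier builds are reused through `getAuthorizable` and presumably keep the old principal type. If anything in the access-control layer matches on the principal class rather than its name, the two kinds of group will behave differently; a comment stating that the principal is intentionally left to Jackrabbit, or a one-off migration of existing groups, would make the intent explicit. getUserID's body continues outside the hunk.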
@@ -75,6 +93,36 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 group.removeMember(user);
 }
+ // write roles in profile for easy access
+// if (!(authen instanceof SystemAuthentication)) {
+// Node userProfile = JcrUtils.getUserProfile(getSystemSession(),
+// userId);
+// boolean writeRoles = false;
+// if (userProfile.hasProperty(ArgeoNames.ARGEO_REMOTE_ROLES)) {
+// Value[] roles = userProfile.getProperty(ArgeoNames.ARGEO_REMOTE_ROLES)
+// .getValues();
+// if (roles.length != userGroupIds.size())
+// writeRoles = true;
+// else
+// for (int i = 0; i < roles.length; i++)
+// if (!roles[i].getString().equals(userGroupIds.get(i)))
+// writeRoles = true;
+// } else
+// writeRoles = true;
+//
+// if (writeRoles) {
+// userProfile.getSession().getWorkspace().getVersionManager()
+// .checkout(userProfile.getPath());
+// String[] roleIds = userGroupIds.toArray(new String[userGroupIds
+// .size()]);
+// userProfile.setProperty(ArgeoNames.ARGEO_REMOTE_ROLES, roleIds);
+// JcrUtils.updateLastModified(userProfile);
+// userProfile.getSession().save();
+// userProfile.getSession().getWorkspace().getVersionManager()
+// .checkin(userProfile.getPath());
+// }
+// }
+
 if (log.isTraceEnabled())
 log.trace("Spring and Jackrabbit Security synchronized for user "
 + userId + " in " + (System.currentTimeMillis() - begin)
@@ -82,6 +130,58 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 return userId;
 }
+ protected synchronized void setHomeNodeAuthorizations(User user) {
+ // give all privileges on user home
+ // FIXME: fails on an empty repo
+ String userId = "";
+ try {
+ userId = user.getID();
+ Node userHome = null;
+ try {
+ userHome = JcrUtils.getUserHome(getSystemSession(), userId);
+ if (userHome == null) {
+ userHome = JcrUtils.createUserHomeIfNeeded(getSystemSession(), userId);
+ //log.warn("No home available for user "+userId);
+ return;
+ }
+ } catch (Exception e) {
+ // silent
+ }
+
+ if (userHome != null) {
+ String path = userHome.getPath();
+ Principal principal = user.getPrincipal();
+
+ JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) getSystemSession()
+ .getAccessControlManager();
+ JackrabbitAccessControlPolicy[] ps = acm
+ .getApplicablePolicies(principal);
+ if (ps.length == 0) {
+ // log.warn("No ACL found for " + user);
+ return;
+ }
+
+ JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0];
+
+ // add entry
+ Privilege[] privileges = new Privilege[] { acm
+ .privilegeFromName(Privilege.JCR_ALL) };
+ Map restrictions = new HashMap();
+ ValueFactory vf = getSystemSession().getValueFactory();
+ restrictions.put("rep:nodePath",
+ vf.createValue(path, PropertyType.PATH));
+ restrictions.put("rep:glob", vf.createValue("*"));
+ list.addEntry(principal, privileges, true /* allow or deny */,
+ restrictions);
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ log.warn("Cannot set authorization on user node for " + userId
+ + ": " + e.getMessage());
+ }
+
+ }
+
 @Override
 protected WorkspaceAccessManager createDefaultWorkspaceAccessManager() {
 WorkspaceAccessManager wam = super
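Review bot: `list.addEntry(principal, privileges, true /* allow or deny */, restrictions);` is the last access-control call in `setHomeNodeAuthorizations`, and nothing applies the modified list back with `acm.setPolicy(...)` or saves the system session, so as written the JCR_ALL grant never reaches the repository (Jackrabbit's `addEntry` edits the list object in memory and `setPolicy` plus `save()` persist it; worth confirming against the Jackrabbit version in use). The `userHome == null` branch also returns immediately after `createUserHomeIfNeeded`, so a home created here is never given its ACL, and both catch blocks hide what went wrong: one is `// silent`, the other prints the stack trace to stderr and passes only `e.getMessage()` to `log.warn`. The `rep:glob` restriction `"*"` deserves a check against Jackrabbit's GlobPattern rules before this grant goes live, because if it is a prefix match the entry for `/home/alice` would also cover a sibling such as `/home/alice2`, whereas leaving the glob restriction out limits the entry to the node and its descendants. The call site is still commented out in the earlier hunk, so none of this runs yet.
```java
			try {
				userHome = JcrUtils.getUserHome(getSystemSession(), userId);
				if (userHome == null)
					userHome = JcrUtils.createUserHomeIfNeeded(getSystemSession(), userId);
			} catch (Exception e) {
				log.warn("Cannot resolve home node for " + userId, e);
			}
			// … unchanged: path/principal lookup, policy selection, privileges and restrictions …
				list.addEntry(principal, privileges, true /* allow or deny */,
						restrictions);
				acm.setPolicy(list.getPath(), list); // addEntry only changes the in-memory list
				getSystemSession().save();
			// … unchanged: end of the userHome != null block …
		} catch (Exception e) {
			log.warn("Cannot set authorization on user node for " + userId, e);
		}
```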
@@ -92,7 +192,8 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 private class ArgeoWorkspaceAccessManagerImpl implements SecurityConstants,
 WorkspaceAccessManager {
 private final WorkspaceAccessManager wam;
- //private String defaultWorkspace;
+
+ // private String defaultWorkspace;
 public ArgeoWorkspaceAccessManagerImpl(WorkspaceAccessManager wam) {
 super();
@@ -101,8 +202,8 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 public void init(Session systemSession) throws RepositoryException {
 wam.init(systemSession);
-// defaultWorkspace = ((RepositoryImpl) getRepository()).getConfig()
-// .getDefaultWorkspaceName();
+ // defaultWorkspace = ((RepositoryImpl) getRepository()).getConfig()
+ // .getDefaultWorkspaceName();
 }
 public void close() throws RepositoryException {