X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.jackrabbit%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FArgeoSecurityManager.java;h=8f2632d0ff0ccf0445c968a86f8b4e771c36c58b;hb=8b8ee149b20e2578a55e17413fa5f7399ff7ba14;hp=bf33b8a2808369f5e0795f465aaba9620a0d3d66;hpb=da55282938aaebf9fa148454dbc8add9c558501f;p=lgpl%2Fargeo-commons.git

diff --git a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
index bf33b8a28..8f2632d0f 100644
--- a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
+++ b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
@@ -2,22 +2,26 @@ package org.argeo.security.jackrabbit;
 
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 import javax.jcr.Node;
+import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
-import javax.jcr.security.AccessControlList;
-import javax.jcr.security.AccessControlManager;
-import javax.jcr.security.AccessControlPolicy;
-import javax.jcr.security.AccessControlPolicyIterator;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
 import javax.jcr.security.Privilege;
 import javax.security.auth.Subject;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
@@ -42,6 +46,7 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 			throws RepositoryException {
 		long begin = System.currentTimeMillis();
 
+		// skip Jackrabbit system user
 		if (!subject.getPrincipals(SystemPrincipal.class).isEmpty())
 			return super.getUserID(subject, workspaceName);
 
@@ -54,6 +59,10 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 		else
 			authen = authens.iterator().next();
 
+		// skip argeo system authenticated
+		// if (authen instanceof SystemAuthentication)
+		// return super.getUserID(subject, workspaceName);
+
 		UserManager systemUm = getSystemUserManager(workspaceName);
 
 		String userId = authen.getName();
@@ -64,7 +73,7 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 			log.info(userId + " added as " + user);
 		}
 
-		setHomeNodeAuthorizations(user);
+		//setHomeNodeAuthorizations(user);
 
 		// process groups
 		List<String> userGroupIds = new ArrayList<String>();
@@ -77,7 +86,6 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 			if (!group.isMember(user))
 				group.addMember(user);
 			userGroupIds.add(ga.getAuthority());
-
 		}
 
 		// check if user has not been removed from some groups
@@ -87,6 +95,36 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 				group.removeMember(user);
 		}
 
+		// write roles in profile for easy access
+//		if (!(authen instanceof SystemAuthentication)) {
+//			Node userProfile = JcrUtils.getUserProfile(getSystemSession(),
+//					userId);
+//			boolean writeRoles = false;
+//			if (userProfile.hasProperty(ArgeoNames.ARGEO_REMOTE_ROLES)) {
+//				Value[] roles = userProfile.getProperty(ArgeoNames.ARGEO_REMOTE_ROLES)
+//						.getValues();
+//				if (roles.length != userGroupIds.size())
+//					writeRoles = true;
+//				else
+//					for (int i = 0; i < roles.length; i++)
+//						if (!roles[i].getString().equals(userGroupIds.get(i)))
+//							writeRoles = true;
+//			} else
+//				writeRoles = true;
+//
+//			if (writeRoles) {
+//				userProfile.getSession().getWorkspace().getVersionManager()
+//						.checkout(userProfile.getPath());
+//				String[] roleIds = userGroupIds.toArray(new String[userGroupIds
+//						.size()]);
+//				userProfile.setProperty(ArgeoNames.ARGEO_REMOTE_ROLES, roleIds);
+//				JcrUtils.updateLastModified(userProfile);
+//				userProfile.getSession().save();
+//				userProfile.getSession().getWorkspace().getVersionManager()
+//						.checkin(userProfile.getPath());
+//			}
+//		}
+
 		if (log.isTraceEnabled())
 			log.trace("Spring and Jackrabbit Security synchronized for user "
 					+ userId + " in " + (System.currentTimeMillis() - begin)
@@ -94,41 +132,53 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 		return userId;
 	}
 
-	protected void setHomeNodeAuthorizations(User user) {
+	protected synchronized void setHomeNodeAuthorizations(User user) {
 		// give all privileges on user home
 		// FIXME: fails on an empty repo
 		String userId = "<not yet set>";
 		try {
 			userId = user.getID();
-			Node userHome = JcrUtils.getUserHome(getSystemSession(), userId);
-			// autocreate home node?
-//			if (userHome == null)
-//				userHome = JcrUtils.createUserHome(getSystemSession(),
-//						HOME_BASE_PATH, userId);
+			Node userHome = null;
+			try {
+				userHome = JcrUtils.getUserHome(getSystemSession(), userId);
+				if (userHome == null) {
+					userHome = JcrUtils.createUserHome(getSystemSession(),
+							HOME_BASE_PATH, userId);
+					//log.warn("No home available for user "+userId);
+					return;
+				}
+			} catch (Exception e) {
+				// silent
+			}
 
 			if (userHome != null) {
 				String path = userHome.getPath();
-				AccessControlPolicy policy = null;
-				AccessControlManager acm = getSystemSession()
+				Principal principal = user.getPrincipal();
+
+				JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) getSystemSession()
 						.getAccessControlManager();
-				AccessControlPolicyIterator policyIterator = acm
-						.getApplicablePolicies(path);
-				if (policyIterator.hasNext()) {
-					policy = policyIterator.nextAccessControlPolicy();
-				} else {
-					AccessControlPolicy[] existingPolicies = acm
-							.getPolicies(path);
-					policy = existingPolicies[0];
-				}
-				if (policy instanceof AccessControlList) {
-					Privilege[] privileges = { acm
-							.privilegeFromName(Privilege.JCR_ALL) };
-					((AccessControlList) policy).addAccessControlEntry(
-							user.getPrincipal(), privileges);
-					acm.setPolicy(path, policy);
+				JackrabbitAccessControlPolicy[] ps = acm
+						.getApplicablePolicies(principal);
+				if (ps.length == 0) {
+					// log.warn("No ACL found for " + user);
+					return;
 				}
+
+				JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0];
+
+				// add entry
+				Privilege[] privileges = new Privilege[] { acm
+						.privilegeFromName(Privilege.JCR_ALL) };
+				Map<String, Value> restrictions = new HashMap<String, Value>();
+				ValueFactory vf = getSystemSession().getValueFactory();
+				restrictions.put("rep:nodePath",
+						vf.createValue(path, PropertyType.PATH));
+				restrictions.put("rep:glob", vf.createValue("*"));
+				list.addEntry(principal, privileges, true /* allow or deny */,
+						restrictions);
 			}
 		} catch (Exception e) {
+			e.printStackTrace();
 			log.warn("Cannot set authorization on user node for " + userId
 					+ ": " + e.getMessage());
 		}