34 package info.magnolia.cms.core;
35
36
37 import info.magnolia.cms.security.AccessManager;
38 import info.magnolia.cms.security.AccessManagerImpl;
39 import info.magnolia.cms.security.Permission;
40
41 import java.util.List;
42 import java.util.Map;
43
44 import javax.jcr.RepositoryException;
45
46 import org.apache.jackrabbit.core.SessionImpl;
47 import org.apache.jackrabbit.core.cache.GrowingLRUMap;
48 import org.apache.jackrabbit.core.id.ItemId;
49 import org.apache.jackrabbit.core.id.PropertyId;
50 import org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions;
51 import org.apache.jackrabbit.core.security.authorization.PrivilegeManagerImpl;
52 import org.apache.jackrabbit.spi.Path;
53 import org.apache.jackrabbit.spi.commons.conversion.CachingPathResolver;
54 import org.apache.jackrabbit.spi.commons.conversion.ParsingPathResolver;
55 import org.apache.jackrabbit.spi.commons.conversion.PathResolver;
56 import org.slf4j.Logger;
57 import org.slf4j.LoggerFactory;
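/**
 * Compiled-permissions implementation that answers Jackrabbit access checks by delegating to a
 * Magnolia {@link AccessManager} loaded with a fixed permission list.
 *
 * <p>Only {@link #canRead(Path, ItemId)} and {@link #grants(Path, int)} are implemented; every
 * other {@link AbstractCompiledPermissions} hook throws {@link UnsupportedOperationException}.
 *
 * <p>Access to {@link #readCache} is guarded by {@link #monitor}.
 */
public class DefaultACLBasedPermissions extends AbstractCompiledPermissions {

    private static final Logger log = LoggerFactory.getLogger(DefaultACLBasedPermissions.class);

    /** Jackrabbit's fixed root-node identifier; {@link #canRead} always allows reading it. */
    private static final String ROOT_NODE_ID = "cafebabe-cafe-babe-cafe-babecafebabe";

    /**
     * Path string that {@link #canRead} always allows.
     * NOTE(review): this is compared against {@code Path.toString()}; confirm that the SPI
     * {@code Path} implementation in use really renders the root as "/".
     */
    private static final String ROOT_PATH = "/";

    /** Magnolia access manager that makes the actual grant/deny decision. */
    protected final AccessManager ami = new AccessManagerImpl();

    /**
     * Read decisions for id-only lookups, keyed by node id.
     * NOTE(review): nothing in this class invalidates an entry. A decision is derived from the
     * path the id resolved to at first lookup and is reused until the LRU map evicts it, so a
     * node moved under a path with different permissions keeps its old decision — confirm this
     * is acceptable for the lifetime of an instance.
     */
    @SuppressWarnings("unchecked")
    protected final Map<ItemId, Boolean> readCache = new GrowingLRUMap(1024, 5000);

    /** Lock guarding {@link #readCache}. */
    protected final Object monitor = new Object();

    /** Session used to resolve item ids to paths and to resolve names for JCR path strings. */
    protected SessionImpl session;

    /**
     * Rows of {@code {jackrabbitPermissionBit, magnoliaPermissionBit}} used by
     * {@link #convertJackrabbitPermissionsToMagnoliaPermissions(long)}.
     *
     * <p>READ_AC and MODIFY_AC are both mapped to {@code Permission.EXECUTE}, so reading and
     * changing access control are not distinguished from the other EXECUTE-mapped operations.
     *
     * <p>NOTE(review): a Jackrabbit permission bit without a row here is dropped by the
     * conversion. A request made up only of such bits converts to 0, and what
     * {@code AccessManager.isGranted(path, 0)} answers is not visible in this file — confirm it
     * denies, otherwise {@link #grants(Path, int)} fails open for unmapped permissions.
     */
    protected final long[][] permissionMapping = {
        {org.apache.jackrabbit.core.security.authorization.Permission.READ, Permission.READ},
        {org.apache.jackrabbit.core.security.authorization.Permission.SET_PROPERTY, Permission.SET},
        {org.apache.jackrabbit.core.security.authorization.Permission.ADD_NODE, Permission.ADD},
        {org.apache.jackrabbit.core.security.authorization.Permission.REMOVE_NODE, Permission.REMOVE},
        {org.apache.jackrabbit.core.security.authorization.Permission.REMOVE_PROPERTY, Permission.REMOVE},
        {org.apache.jackrabbit.core.security.authorization.Permission.READ_AC, Permission.EXECUTE},
        {org.apache.jackrabbit.core.security.authorization.Permission.MODIFY_AC, Permission.EXECUTE},
        {org.apache.jackrabbit.core.security.authorization.Permission.NODE_TYPE_MNGMT, Permission.ADD},
        {org.apache.jackrabbit.core.security.authorization.Permission.VERSION_MNGMT, Permission.EXECUTE},
        {org.apache.jackrabbit.core.security.authorization.Permission.LOCK_MNGMT, Permission.EXECUTE},
        {org.apache.jackrabbit.core.security.authorization.Permission.LIFECYCLE_MNGMT, Permission.EXECUTE},
        {org.apache.jackrabbit.core.security.authorization.Permission.RETENTION_MNGMT, Permission.EXECUTE},
    };

    /** Turns SPI paths into the JCR path strings handed to {@link #ami}. */
    protected final PathResolver pathResolver;

    /**
     * Creates the permission evaluator for one permission list.
     *
     * @param permissions Magnolia permissions handed to the access manager
     * @param systemSession session used for id-to-path and name resolution
     * @param configuration not used by this implementation
     */
    public DefaultACLBasedPermissions(List<Permission> permissions, SessionImpl systemSession, Map<?, ?> configuration) {
        ami.setPermissionList(permissions);
        this.session = systemSession;
        // The parsing resolver gets no path factory (null); this class only calls getJCRPath on it.
        pathResolver = new CachingPathResolver(new ParsingPathResolver(null, session));
    }

    /**
     * Translates a Jackrabbit permission bit mask into the Magnolia bit mask defined by
     * {@link #permissionMapping}.
     *
     * @param jackRabbitPermissions bit mask of Jackrabbit permission constants
     * @return the OR of the Magnolia bits of every mapped Jackrabbit bit that is set; 0 when no
     *         mapped bit is set (unmapped bits are ignored)
     */
    protected long convertJackrabbitPermissionsToMagnoliaPermissions(long jackRabbitPermissions) {
        long magnoliaPermissions = 0;
        for (long[] row : permissionMapping) {
            boolean requested = (jackRabbitPermissions & row[0]) != 0;
            if (requested) {
                magnoliaPermissions |= row[1];
            }
        }
        return magnoliaPermissions;
    }

    /**
     * Decides whether the item may be read.
     *
     * <p>The root node id and the root path are always readable. With a path, the decision is
     * the access manager's READ check on the JCR form of that path. With an id only, a property
     * id is first replaced by its parent node id — so in this branch the decision is made for
     * the parent node, not the property — and the result is cached per node id.
     *
     * @param itemPath path of the item, or {@code null} when only the id is known
     * @param itemId id of the item, or {@code null} when only the path is known
     * @return {@code true} if reading is allowed; {@code false} otherwise, including when both
     *         arguments are {@code null}
     * @throws RepositoryException if the id cannot be resolved to a path or the path cannot be
     *         converted to a JCR path
     */
    @Override
    public boolean canRead(Path itemPath, ItemId itemId) throws RepositoryException {
        if (itemPath == null && itemId == null) {
            // Nothing identifies the item: deny explicitly rather than dereference a null id below.
            log.warn("canRead called with neither an item path nor an item id; denying read");
            return false;
        }

        if (isRootNodeId(itemId) || isRootPath(itemPath)) {
            return true;
        }

        if (itemPath == null) {
            // Id-only lookup: evaluate (and cache) on the node that owns the item.
            ItemId nodeId = itemId.denotesNode() ? itemId : ((PropertyId) itemId).getParentId();

            // The monitor is held across path resolution and evaluation, so concurrent id-only
            // checks on this instance are serialized.
            synchronized (monitor) {
                Boolean cached = readCache.get(nodeId);
                if (cached != null) {
                    return cached;
                }

                Path resolvedPath = session.getHierarchyManager().getPath(nodeId);
                boolean readable = canRead(resolvedPath, nodeId);
                readCache.put(nodeId, readable);
                return readable;
            }
        }

        String path = pathResolver.getJCRPath(itemPath);
        log.debug("Read request for {} :: {}", path, itemId);
        return ami.isGranted(path, Permission.READ);
    }

    /** Not supported by this implementation. */
    @Override
    protected Result buildResult(Path absPath) throws RepositoryException {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this implementation. */
    @Override
    public Result getResult(Path absPath) throws RepositoryException {
        throw new UnsupportedOperationException();
    }

    /**
     * Checks the given Jackrabbit permissions on a path by converting them to Magnolia
     * permissions and asking the access manager.
     *
     * @param absPath path to check
     * @param permissions bit mask of Jackrabbit permission constants
     * @return the access manager's answer for the converted mask on the JCR form of the path
     * @throws RepositoryException if the path cannot be converted to a JCR path
     */
    @Override
    public boolean grants(Path absPath, int permissions) throws RepositoryException {
        long magnoliaPermissions = convertJackrabbitPermissionsToMagnoliaPermissions(permissions);
        String jcrPath = pathResolver.getJCRPath(absPath);
        return ami.isGranted(jcrPath, magnoliaPermissions);
    }

    /** Not supported by this implementation. */
    @Override
    public int getPrivileges(Path absPath) throws RepositoryException {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this implementation. */
    @Override
    protected Result buildRepositoryResult() throws RepositoryException {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this implementation. */
    @Override
    protected PrivilegeManagerImpl getPrivilegeManagerImpl() throws RepositoryException {
        throw new UnsupportedOperationException();
    }

    /** Returns whether the id is present and equals the root-node identifier. */
    private static boolean isRootNodeId(ItemId itemId) {
        return itemId != null && ROOT_NODE_ID.equals(itemId.toString());
    }

    /** Returns whether the path is present and its string form equals the root path string. */
    private static boolean isRootPath(Path itemPath) {
        return itemPath != null && ROOT_PATH.equals(itemPath.toString());
    }

}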