34 package info.magnolia.cms.core;
37 import info.magnolia.cms.security.AccessManager;
38 import info.magnolia.cms.security.AccessManagerImpl;
39 import info.magnolia.cms.security.Permission;
40
41 import java.util.List;
42 import java.util.Map;
43
44 import javax.jcr.RepositoryException;
45
46 import org.apache.jackrabbit.core.SessionImpl;
47 import org.apache.jackrabbit.core.cache.GrowingLRUMap;
48 import org.apache.jackrabbit.core.id.ItemId;
49 import org.apache.jackrabbit.core.id.PropertyId;
50 import org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions;
51 import org.apache.jackrabbit.core.security.authorization.PrivilegeManagerImpl;
52 import org.apache.jackrabbit.spi.Path;
53 import org.apache.jackrabbit.spi.commons.conversion.CachingPathResolver;
54 import org.apache.jackrabbit.spi.commons.conversion.ParsingPathResolver;
55 import org.apache.jackrabbit.spi.commons.conversion.PathResolver;
56 import org.slf4j.Logger;
57 import org.slf4j.LoggerFactory;
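/**
 * Jackrabbit {@link AbstractCompiledPermissions} implementation that delegates every access
 * decision to a Magnolia {@link AccessManager} built from the supplied permission list.
 * <p>
 * Jackrabbit asks two kinds of questions: {@link #canRead(Path, ItemId)} for item reads
 * (answered from a per-node cache when only an id is known) and {@link #grants(Path, int)}
 * for everything else, where the requested Jackrabbit permission bits are first translated
 * into Magnolia permission bits via {@link #permissionMapping}. The remaining
 * {@code AbstractCompiledPermissions} hooks are not used by this model and throw
 * {@link UnsupportedOperationException}.
 * <p>
 * Thread-safety: {@link #readCache} is only accessed while holding {@link #monitor}.
 * NOTE(review): the access manager and the path resolver are called without further locking,
 * so they are assumed to be safe for concurrent use - confirm against their implementations.
 */
public class DefaultACLBasedPermissions extends AbstractCompiledPermissions {

    private static final Logger log = LoggerFactory.getLogger(DefaultACLBasedPermissions.class);

    /**
     * String form of the id Jackrabbit assigns to the repository root node. The root is always
     * readable (by id or by path "/") so that every session can at least start traversal there.
     */
    private static final String ROOT_NODE_ID_STRING = "cafebabe-cafe-babe-cafe-babecafebabe";

    /** Magnolia access manager holding the ACLs every decision is evaluated against. */
    protected final AccessManager ami = new AccessManagerImpl();

    /**
     * Cache of read decisions keyed by node id, filled by {@link #canRead(Path, ItemId)} when it
     * is called with an id but no path. Property ids are normalised to their parent node id
     * before lookup, so a property is readable exactly when its parent node is. Bounded by the
     * LRU map's limits; entries are never explicitly invalidated. Guarded by {@link #monitor}.
     */
    @SuppressWarnings("unchecked")
    protected final Map<ItemId, Boolean> readCache = new GrowingLRUMap(1024, 5000);

    /** Lock protecting {@link #readCache}. */
    protected final Object monitor = new Object();

    /** Session used to resolve item ids to paths and to resolve JCR names. */
    protected SessionImpl session;

    /**
     * Pairs of {@code {jackrabbitPermissionBit, magnoliaPermissionBit}} used by
     * {@link #convertJackrabbitPermissionsToMagnoliaPermissions(long)}. Several Jackrabbit bits
     * collapse onto the same Magnolia bit (e.g. all management permissions onto EXECUTE), and
     * Jackrabbit bits absent from this table have no Magnolia counterpart at all.
     */
    protected final long[][] permissionMapping = {
        {org.apache.jackrabbit.core.security.authorization.Permission.READ, Permission.READ},
        {org.apache.jackrabbit.core.security.authorization.Permission.SET_PROPERTY, Permission.SET},
        {org.apache.jackrabbit.core.security.authorization.Permission.ADD_NODE, Permission.ADD},
        {org.apache.jackrabbit.core.security.authorization.Permission.REMOVE_NODE, Permission.REMOVE},
        {org.apache.jackrabbit.core.security.authorization.Permission.REMOVE_PROPERTY, Permission.REMOVE},
        {org.apache.jackrabbit.core.security.authorization.Permission.READ_AC, Permission.EXECUTE},
        {org.apache.jackrabbit.core.security.authorization.Permission.MODIFY_AC, Permission.EXECUTE},
        {org.apache.jackrabbit.core.security.authorization.Permission.NODE_TYPE_MNGMT, Permission.ADD},
        {org.apache.jackrabbit.core.security.authorization.Permission.VERSION_MNGMT, Permission.EXECUTE},
        {org.apache.jackrabbit.core.security.authorization.Permission.LOCK_MNGMT, Permission.EXECUTE},
        {org.apache.jackrabbit.core.security.authorization.Permission.LIFECYCLE_MNGMT, Permission.EXECUTE},
        {org.apache.jackrabbit.core.security.authorization.Permission.RETENTION_MNGMT, Permission.EXECUTE},
        {org.apache.jackrabbit.core.security.authorization.Permission.MODIFY_CHILD_NODE_COLLECTION, Permission.ADD}
    };

    /** Resolves Jackrabbit {@link Path}s to JCR path strings understood by the access manager. */
    protected final PathResolver pathResolver;

    /**
     * Creates a permission evaluator for one session.
     *
     * @param permissions   Magnolia permissions (ACL entries) the access manager evaluates
     * @param systemSession session used to resolve item ids and JCR names; must not be {@code null}
     * @param configuration provider configuration; currently unused
     * @throws IllegalArgumentException if {@code systemSession} is {@code null}
     */
    public DefaultACLBasedPermissions(List<Permission> permissions, SessionImpl systemSession, Map<?, ?> configuration) {
        if (systemSession == null) {
            throw new IllegalArgumentException("systemSession must not be null");
        }
        this.session = systemSession;
        ami.setPermissionList(permissions);
        pathResolver = new CachingPathResolver(new ParsingPathResolver(null, session));
    }

    /**
     * Translates a bit set of Jackrabbit permissions into the equivalent Magnolia permission bits.
     * <p>
     * Every Jackrabbit bit found in {@link #permissionMapping} contributes its Magnolia bit to
     * the result. Jackrabbit bits without a mapping contribute nothing and are reported at debug
     * level. NOTE(review): whether a dropped bit makes the final {@code isGranted} check more or
     * less permissive depends on how {@code AccessManagerImpl.isGranted} treats a reduced mask -
     * confirm, since a request that reduces to 0 may be accepted unconditionally there.
     *
     * @param jackRabbitPermissions Jackrabbit permission bits (see {@code Permission} in
     *                              {@code org.apache.jackrabbit.core.security.authorization})
     * @return the corresponding Magnolia permission bits, 0 if none of the input bits is mapped
     */
    protected long convertJackrabbitPermissionsToMagnoliaPermissions(long jackRabbitPermissions) {
        long magnoliaPermissions = 0;
        long coveredBits = 0;
        for (long[] mapping : permissionMapping) {
            long jackrabbitPermission = mapping[0];
            coveredBits |= jackrabbitPermission;
            if ((jackRabbitPermissions & jackrabbitPermission) != 0) {
                magnoliaPermissions |= mapping[1];
            }
        }
        long unmappedBits = jackRabbitPermissions & ~coveredBits;
        if (unmappedBits != 0 && log.isDebugEnabled()) {
            log.debug("Jackrabbit permission bits {} have no Magnolia mapping and were dropped", Long.toBinaryString(unmappedBits));
        }
        return magnoliaPermissions;
    }

    /**
     * Decides whether the item identified by path and/or id may be read.
     * <p>
     * The root node is always readable. When only an id is given, the decision is made for the
     * enclosing node (a property id is replaced by its parent node id), cached in
     * {@link #readCache} and the path is resolved through the session's hierarchy manager.
     * Otherwise the path is converted to a JCR path and checked for {@link Permission#READ}.
     *
     * @param itemPath path of the item, or {@code null} if only the id is known
     * @param itemId   id of the item, or {@code null} if only the path is known
     * @return {@code true} if the item may be read
     * @throws IllegalArgumentException if both arguments are {@code null}
     * @throws RepositoryException if the id cannot be resolved to a path
     */
    @Override
    public boolean canRead(Path itemPath, ItemId itemId) throws RepositoryException {
        if (itemPath == null && itemId == null) {
            throw new IllegalArgumentException("Either itemPath or itemId must be given");
        }

        // NOTE(review): the path comparison relies on Path.toString() rendering the root as "/";
        // if it renders the namespace-qualified form instead, only the id branch catches the root.
        boolean isRootById = itemId != null && ROOT_NODE_ID_STRING.equals(itemId.toString());
        boolean isRootByPath = itemPath != null && "/".equals(itemPath.toString());
        if (isRootById || isRootByPath) {
            return true;
        }

        if (itemPath == null) {
            // Only an id is known: decide on the node level, so properties inherit the
            // readability of their parent node and share its cache entry.
            ItemId nodeId = itemId.denotesNode() ? itemId : ((PropertyId) itemId).getParentId();

            synchronized (monitor) {
                Boolean cached = readCache.get(nodeId);
                if (cached != null) {
                    return cached;
                }
                Path nodePath = session.getHierarchyManager().getPath(nodeId);
                // Recursion lands in the path branch below because nodePath is now known.
                boolean canRead = canRead(nodePath, nodeId);
                readCache.put(nodeId, canRead);
                return canRead;
            }
        }

        String path = pathResolver.getJCRPath(itemPath);
        log.debug("Read request for {} :: {}", path, itemId);
        return ami.isGranted(path, Permission.READ);
    }

    /**
     * Not supported: results are not precomputed per path in this model.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    protected Result buildResult(Path absPath) throws RepositoryException {
        throw new UnsupportedOperationException("buildResult is not supported; use canRead/grants");
    }

    /**
     * Not supported: results are not precomputed per path in this model.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public Result getResult(Path absPath) throws RepositoryException {
        throw new UnsupportedOperationException("getResult is not supported; use canRead/grants");
    }

    /**
     * Checks whether all requested Jackrabbit permissions are granted on the given path.
     *
     * @param absPath     absolute path of the item
     * @param permissions Jackrabbit permission bits to check
     * @return {@code true} if the access manager grants the translated Magnolia permissions
     * @throws RepositoryException if the path cannot be converted to a JCR path
     */
    @Override
    public boolean grants(Path absPath, int permissions) throws RepositoryException {
        long magnoliaPermissions = convertJackrabbitPermissionsToMagnoliaPermissions(permissions);
        return ami.isGranted(pathResolver.getJCRPath(absPath), magnoliaPermissions);
    }

    /**
     * Not supported: privileges are not enumerated in this model.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public int getPrivileges(Path absPath) throws RepositoryException {
        throw new UnsupportedOperationException("getPrivileges is not supported");
    }

    /**
     * Not supported: repository-level results are not precomputed in this model.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    protected Result buildRepositoryResult() throws RepositoryException {
        throw new UnsupportedOperationException("buildRepositoryResult is not supported");
    }

    /**
     * Not supported: no privilege manager is exposed by this model.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    protected PrivilegeManagerImpl getPrivilegeManagerImpl() throws RepositoryException {
        throw new UnsupportedOperationException("getPrivilegeManagerImpl is not supported");
    }

}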