View Javadoc
1   /**
2    * This file Copyright (c) 2003-2015 Magnolia International
3    * Ltd.  (http://www.magnolia-cms.com). All rights reserved.
4    *
5    *
6    * This file is dual-licensed under both the Magnolia
7    * Network Agreement and the GNU General Public License.
8    * You may elect to use one or the other of these licenses.
9    *
10   * This file is distributed in the hope that it will be
11   * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the
12   * implied warranty of MERCHANTABILITY or FITNESS FOR A
13   * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT.
14   * Redistribution, except as permitted by whichever of the GPL
15   * or MNA you select, is prohibited.
16   *
17   * 1. For the GPL license (GPL), you can redistribute and/or
18   * modify this file under the terms of the GNU General
19   * Public License, Version 3, as published by the Free Software
20   * Foundation.  You should have received a copy of the GNU
21   * General Public License, Version 3 along with this program;
22   * if not, write to the Free Software Foundation, Inc., 51
23   * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
24   *
25   * 2. For the Magnolia Network Agreement (MNA), this file
26   * and the accompanying materials are made available under the
27   * terms of the MNA which accompanies this distribution, and
28   * is available at http://www.magnolia-cms.com/mna.html
29   *
30   * Any modifications to this file must keep this entire header
31   * intact.
32   *
33   */
34  package info.magnolia.cms.security;
35  
36  import static info.magnolia.cms.security.SecurityConstants.*;
37  
38  import info.magnolia.context.MgnlContext;
39  import info.magnolia.jcr.iterator.FilteringPropertyIterator;
40  import info.magnolia.jcr.util.NodeTypes;
41  import info.magnolia.jcr.util.NodeUtil;
42  import info.magnolia.repository.RepositoryConstants;
43  
44  import java.util.ArrayList;
45  import java.util.Collection;
46  import java.util.Collections;
47  import java.util.HashSet;
48  import java.util.Iterator;
49  import java.util.List;
50  
51  import javax.jcr.ItemNotFoundException;
52  import javax.jcr.Node;
53  import javax.jcr.NodeIterator;
54  import javax.jcr.Property;
55  import javax.jcr.PropertyIterator;
56  import javax.jcr.RepositoryException;
57  import javax.jcr.Session;
58  
59  import org.apache.commons.lang3.StringUtils;
60  import org.slf4j.Logger;
61  import org.slf4j.LoggerFactory;
62  
63  /**
64   * Group manager working directly with JCR API and returning simple groups (no JCR node aware).
65   */
66  public class MgnlGroupManager extends RepositoryBackedSecurityManager implements GroupManager {
67  
68      private static final Logger log = LoggerFactory.getLogger(MgnlGroupManager.class);
69  
70      @Override
71      public Group createGroup(final String name) throws AccessDeniedException {
72          return createGroup(null, name);
73      }
74  
75      /**
76       * Creates a new group in a specific folder. The folder must exist.
77       *
78       * @throws IllegalArgumentException if the name is not valid or if a group with this name already exists
79       * @throws UnsupportedOperationException if the implementation does not support writing
80       */
81      public Group createGroup(final String path, final String name) throws AccessDeniedException {
82          validateGroupName(name);
83          return MgnlContext.doInSystemContext(new SilentSessionOp<MgnlGroup>(getRepositoryName()) {
84  
85              @Override
86              public MgnlGroup doExec(Session session) throws RepositoryException {
87                  String parentPath = StringUtils.defaultString(path, "/");
88                  Node groupNode = session.getNode(parentPath).addNode(name, NodeTypes.Group.NAME);
89                  session.save();
90                  return new MgnlGroup(groupNode.getIdentifier(), groupNode.getName(), Collections.EMPTY_LIST, Collections.EMPTY_LIST);
91              }
92  
93              @Override
94              public String toString() {
95                  return "create group " + name;
96              }
97          });
98      }
99  
100     @Override
101     public Group getGroup(final String name) throws AccessDeniedException {
102         return MgnlContext.doInSystemContext(new SilentSessionOp<Group>(getRepositoryName()) {
103 
104             @Override
105             public Group doExec(Session session) throws RepositoryException {
106                 Node privilegedGroupNode = findPrincipalNode(name, session);
107                 if (privilegedGroupNode == null) {
108                     return null;
109                 }
110                 return newGroupInstance(privilegedGroupNode);
111             }
112 
113             @Override
114             public String toString() {
115                 return "get group " + name;
116             }
117         });
118     }
119 
120     @Override
121     public Collection<Group> getAllGroups() {
122         return MgnlContext.doInSystemContext(new SilentSessionOp<Collection<Group>>(getRepositoryName()) {
123 
124             @Override
125             public Collection<Group> doExec(Session session) throws RepositoryException {
126                 List<Group> groups = new ArrayList<Group>();
127                 Node rootNode = session.getNode("/");
128                 findAllGroupsInFolder(rootNode, groups);
129                 return groups;
130             }
131 
132             @Override
133             public String toString() {
134                 return "get all groups";
135             }
136 
137         });
138     }
139 
140     @Override
141     public Collection<String> getAllGroups(final String name) {
142         return MgnlContext.doInSystemContext(new SilentSessionOp<Collection<String>>(getRepositoryName()) {
143 
144             List<String> groups;
145 
146             @Override
147             public Collection<String> doExec(Session session) throws RepositoryException {
148                 Group group = getGroup(name);
149                 if (group == null) {
150                     return null;
151                 }
152                 groups = new ArrayList<String>();
153                 collectGroups(group);
154 
155                 return groups;
156             }
157 
158             private void collectGroups(Group group) throws AccessDeniedException {
159                 for (Iterator iter = group.getGroups().iterator(); iter.hasNext(); ) {
160                     Group subGroup = getGroup((String) iter.next());
161                     if (subGroup != null && !groups.contains(subGroup.getName())) {
162                         groups.add(subGroup.getName());
163                         collectGroups(subGroup);
164                     }
165                 }
166             }
167 
168             @Override
169             public String toString() {
170                 return "get all groups";
171             }
172         });
173     }
174 
175     protected Group newGroupInstance(Node node) throws RepositoryException {
176         // remove duplicates
177         Collection<String> groups = new HashSet<String>();
178         if (node.hasNode(NODE_GROUPS)) {
179             for (PropertyIterator iter = new FilteringPropertyIterator(node.getNode(NODE_GROUPS).getProperties(), NodeUtil.ALL_PROPERTIES_EXCEPT_JCR_AND_MGNL_FILTER); iter.hasNext(); ) {
180                 Property subgroup = iter.nextProperty();
181                 String resources = getResourceName(subgroup.getString());
182                 if (resources != null) {
183                     groups.add(resources);
184                 }
185             }
186         }
187         Collection<String> roles = new HashSet<String>();
188         if (node.hasNode(NODE_ROLES)) {
189             RoleManager roleMan = SecuritySupport.Factory.getInstance().getRoleManager();
190             for (PropertyIterator iter = new FilteringPropertyIterator(node.getNode(NODE_ROLES).getProperties(), NodeUtil.ALL_PROPERTIES_EXCEPT_JCR_AND_MGNL_FILTER); iter.hasNext(); ) {
191                 Property role = iter.nextProperty();
192                 try {
193                     String roleName = roleMan.getRoleNameById(role.getString());
194                     if (roleName != null) {
195                         roles.add(roleName);
196                     }
197                 } catch (ItemNotFoundException e) {
198                     log.warn("assigned role {} doesn't exist.", role.getString());
199                 }
200             }
201         }
202         MgnlGroup group = new MgnlGroup(node.getIdentifier(), node.getName(), groups, roles);
203         return group;
204     }
205 
206     /**
207      * Helper method to find a group. Uses JCR Query.
208      * This will return null if group doesn't exist.
209      */
210     @Override
211     protected Node findPrincipalNode(String principalName, Session session) throws RepositoryException {
212         return findPrincipalNode(principalName, session, NodeTypes.Group.NAME);
213     }
214 
215     @Override
216     protected String getRepositoryName() {
217         return RepositoryConstants.USER_GROUPS;
218     }
219 
220     @Override
221     public Group addRole(Group group, String roleName) throws AccessDeniedException {
222         try {
223             add(group.getName(), roleName, NODE_ROLES);
224         } catch (PrincipalNotFoundException e) {
225             // group doesn't exist in this GM
226             return null;
227         }
228         return getGroup(group.getName());
229     }
230 
231     @Override
232     public Group addGroup(Group group, String groupName) throws AccessDeniedException {
233         try {
234             add(group.getName(), groupName, NODE_GROUPS);
235         } catch (PrincipalNotFoundException e) {
236             // group doesn't exist in this GM
237             return null;
238         }
239         return getGroup(groupName);
240     }
241 
242     /**
243      * Finds all groups located in the provided node or in sub-folders within it and adds them to the given collection.
244      * As this method bases on a method using jcr queries to find nodes, it might not see nodes that have been created but not saved yet (i.e. during installation of a module).
245      */
246     protected void findAllGroupsInFolder(Node node, Collection<Group> addTo) throws RepositoryException {
247         final NodeIterator nodesIter = findPrincipalNodes(node, NodeTypes.Group.NAME);
248         while (nodesIter.hasNext()) {
249             addTo.add(newGroupInstance(nodesIter.nextNode()));
250         }
251     }
252 
253     protected void validateGroupName(String name) throws AccessDeniedException {
254         if (StringUtils.isBlank(name)) {
255             throw new IllegalArgumentException(name + " is not a valid group name.");
256         }
257 
258         Group group = Security.getGroupManager().getGroup(name);
259 
260         if (group != null) {
261             throw new IllegalArgumentException("Group with name " + name + " already exists.");
262         }
263     }
264 
265     @Override
266     public Collection<String> getGroupsWithGroup(final String groupName) {
267         return MgnlContext.doInSystemContext(new SilentSessionOp<Collection<String>>(getRepositoryName()) {
268 
269             @Override
270             public Collection<String> doExec(Session session) throws RepositoryException {
271                 final Node groupNode = findPrincipalNode(groupName, session);
272                 return findUsersOrGroupsHavingAssignedGroupOrRoleWithUid(session, groupNode, GROUPS_NODE_NAME);
273             }
274 
275             @Override
276             public String toString() {
277                 return "get group " + groupName;
278             }
279         });
280     }
281 
282 
283     @Override
284     public Collection<String> getGroupsWithRole(final String roleName) {
285         return MgnlContext.doInSystemContext(new SilentSessionOp<Collection<String>>(getRepositoryName()) {
286 
287             @Override
288             public Collection<String> doExec(Session session) throws RepositoryException {
289                 final Node principalNode = findPrincipalNode(roleName, MgnlContext.getJCRSession(RepositoryConstants.USER_ROLES), NodeTypes.Role.NAME);
290                 return findUsersOrGroupsHavingAssignedGroupOrRoleWithUid(session, principalNode, ROLES_NODE_NAME);
291             }
292 
293             @Override
294             public String toString() {
295                 return "get group with role " + roleName;
296             }
297         });
298     }
299 
300     @Override
301     public Group removeGroup(Group group, String groupName) throws AccessDeniedException {
302         try {
303             super.remove(group.getName(), groupName, NODE_GROUPS);
304         } catch (PrincipalNotFoundException e) {
305             throw new IllegalArgumentException("group doesn't exist in this GM" + e);
306         }
307         return getGroup(group.getName());
308     }
309 
310     @Override
311     public Group removeRole(Group group, String roleName) throws AccessDeniedException {
312         try {
313             super.remove(group.getName(), roleName, NODE_ROLES);
314         } catch (PrincipalNotFoundException e) {
315             throw new IllegalArgumentException("role doesn't exist in this GM" + e);
316         }
317         return getGroup(group.getName());
318     }
319 }