View Javadoc
1   /**
2    * This file Copyright (c) 2003-2018 Magnolia International
3    * Ltd.  (http://www.magnolia-cms.com). All rights reserved.
4    *
5    *
6    * This file is dual-licensed under both the Magnolia
7    * Network Agreement and the GNU General Public License.
8    * You may elect to use one or the other of these licenses.
9    *
10   * This file is distributed in the hope that it will be
11   * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the
12   * implied warranty of MERCHANTABILITY or FITNESS FOR A
13   * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT.
14   * Redistribution, except as permitted by whichever of the GPL
15   * or MNA you select, is prohibited.
16   *
17   * 1. For the GPL license (GPL), you can redistribute and/or
18   * modify this file under the terms of the GNU General
19   * Public License, Version 3, as published by the Free Software
20   * Foundation.  You should have received a copy of the GNU
21   * General Public License, Version 3 along with this program;
22   * if not, write to the Free Software Foundation, Inc., 51
23   * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
24   *
25   * 2. For the Magnolia Network Agreement (MNA), this file
26   * and the accompanying materials are made available under the
27   * terms of the MNA which accompanies this distribution, and
28   * is available at http://www.magnolia-cms.com/mna.html
29   *
30   * Any modifications to this file must keep this entire header
31   * intact.
32   *
33   */
34  package info.magnolia.cms.security;
35  
36  import info.magnolia.cms.security.auth.ACL;
37  import info.magnolia.cms.security.auth.PrincipalCollection;
38  import info.magnolia.cms.security.auth.PrincipalCollectionImpl;
39  import info.magnolia.cms.util.ObservationUtil;
40  import info.magnolia.context.MgnlContext;
41  import info.magnolia.jcr.util.NodeTypes;
42  import info.magnolia.repository.RepositoryConstants;
43  
44  import java.security.Principal;
45  import java.util.ArrayList;
46  import java.util.Collection;
47  import java.util.Collections;
48  
49  import javax.jcr.Node;
50  import javax.jcr.RepositoryException;
51  import javax.jcr.Session;
52  import javax.jcr.observation.EventIterator;
53  import javax.jcr.observation.EventListener;
54  import javax.security.auth.Subject;
55  
56  import org.apache.commons.lang3.StringUtils;
57  import org.slf4j.Logger;
58  import org.slf4j.LoggerFactory;
59  
60  
61  /**
62   * Responsible to handle system users like anonymous and superuser.
63   */
64  public class SystemUserManager extends MgnlUserManager {
65  
66      private static Logger log = LoggerFactory.getLogger(SystemUserManager.class);
67  
68      /**
69       * Cache anonymous user for performance reasons on live instance. Reinitialized on any modification
70       * event on anonymous user, groups or roles repository.
71       */
72      private User anonymousUser;
73  
74      /**
75       * Cache anonymousPermissions for performance reasons on live instance. Reinitialized on any modification
76       * event on anonymous user, groups or roles repository.
77       */
78      private PrincipalCollection anonymousPermissions;
79  
80      public SystemUserManager() {
81  
82          EventListener anonymousListener = new EventListener() {
83  
84              @Override
85              public void onEvent(EventIterator events) {
86                  anonymousUser = null;
87                  anonymousPermissions = null;
88                  log.debug("Anonymous user reloaded");
89              }
90  
91          };
92  
93          final String anonymousUserPath = "/" + Realm.REALM_SYSTEM.getName() + "/" + UserManager.ANONYMOUS_USER;
94          ObservationUtil.registerChangeListener(
95                  RepositoryConstants.USERS,
96                  anonymousUserPath,
97                  true,
98                  NodeTypes.User.NAME,
99                  anonymousListener);
100 
101         ObservationUtil.registerChangeListener(
102                 RepositoryConstants.USER_GROUPS,
103                 "/",
104                 true,
105                 NodeTypes.Group.NAME,
106                 anonymousListener);
107 
108         ObservationUtil.registerDeferredChangeListener(
109                 RepositoryConstants.USER_ROLES,
110                 "/",
111                 true,
112                 new String[]{NodeTypes.Role.NAME, NodeTypes.ContentNode.NAME},
113                 anonymousListener,
114                 1000,
115                 5000);
116     }
117 
118     @Override
119     public String getRealmName() {
120         String name = super.getRealmName();
121         // attempt to fix: MAGNOLIA-1839
122         if (StringUtils.isEmpty(name)) {
123             log.error("realm of system user manager is not set!");
124             return Realm.REALM_SYSTEM.getName();
125         }
126         return name;
127     }
128 
129     @Override
130     public User getSystemUser() {
131         return getOrCreateUser(UserManager.SYSTEM_USER, UserManager.SYSTEM_PSWD);
132     }
133 
134     @Override
135     public User getAnonymousUser() {
136         if (anonymousUser == null) {
137             // see MAGNOLIA-2029
138             anonymousUser = getRequiredSystemUser(UserManager.ANONYMOUS_USER, UserManager.ANONYMOUS_USER);
139         }
140         return anonymousUser;
141     }
142 
143     public Subject getAnonymousSubject() {
144         if (anonymousPermissions == null) {
145             Subject subject = SecurityUtil.createSubjectAndPopulate(getAnonymousUser());
146             anonymousPermissions = PrincipalUtil.findPrincipal(subject, PrincipalCollection.class);
147             return subject;
148         }
149         Subject subject = new Subject();
150         subject.getPrincipals().add(getAnonymousUser());
151 
152         //deep copy of anonymousPermissions
153         Collection<Principal> permissions = new ArrayList<>();
154         for (Principal principal : anonymousPermissions.getCollection()) {
155             ACLhref="../../../../info/magnolia/cms/security/auth/ACL.html#ACL">ACL acl = (ACL) principal;
156 
157             permissions.add(new ACLImpl(acl.getName(), new ArrayList<>(acl.getList())));
158         }
159         subject.getPrincipals().add(new PrincipalCollectionImpl(Collections.unmodifiableCollection(permissions)));
160         return subject;
161     }
162 
163     /**
164      * Load a system user from the repository, but don't try to create it if missing.
165      */
166     private User getRequiredSystemUser(final String username, String password) {
167         return MgnlContext.doInSystemContext(new SilentSessionOp<User>(getRepositoryName()) {
168 
169             @Override
170             public User doExec(Session session) throws RepositoryException {
171                 User user;
172                 Node node;
173                 try {
174                     node = session.getNode("/" + Realm.REALM_SYSTEM.getName() + "/" + username);
175                 } catch (RepositoryException e) {
176                     log.error("Error caught while loading the system user {}: {}: {}", username, e.getClass().getName(), e.getMessage(), e);
177                     return null;
178                 }
179                 if (node == null) {
180                     log.error("User not found: {}.", username);
181                     return null;
182                 }
183 
184                 user = newUserInstance(node);
185                 return user;
186             }
187         });
188     }
189 
190     protected User getOrCreateUser(String userName, String password) {
191         User user = getUser(userName);
192         if (user == null) {
193             log.error(
194                     "Failed to get system user [{}], will try to create new system user with default password",
195                     userName);
196             user = this.createUser(userName, password);
197         }
198         return user;
199     }
200 }