View Javadoc

1   /**
2    * This file Copyright (c) 2012-2014 Magnolia International
3    * Ltd.  (http://www.magnolia-cms.com). All rights reserved.
4    *
5    *
6    * This file is dual-licensed under both the Magnolia
7    * Network Agreement and the GNU General Public License.
8    * You may elect to use one or the other of these licenses.
9    *
10   * This file is distributed in the hope that it will be
11   * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the
12   * implied warranty of MERCHANTABILITY or FITNESS FOR A
13   * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT.
14   * Redistribution, except as permitted by whichever of the GPL
15   * or MNA you select, is prohibited.
16   *
17   * 1. For the GPL license (GPL), you can redistribute and/or
18   * modify this file under the terms of the GNU General
19   * Public License, Version 3, as published by the Free Software
20   * Foundation.  You should have received a copy of the GNU
21   * General Public License, Version 3 along with this program;
22   * if not, write to the Free Software Foundation, Inc., 51
23   * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
24   *
25   * 2. For the Magnolia Network Agreement (MNA), this file
26   * and the accompanying materials are made available under the
27   * terms of the MNA which accompanies this distribution, and
28   * is available at http://www.magnolia-cms.com/mna.html
29   *
30   * Any modifications to this file must keep this entire header
31   * intact.
32   *
33   */
34  package info.magnolia.security.app.dialog.action;
35  
36  import static info.magnolia.cms.security.MgnlUserManager.*;
37  import static info.magnolia.cms.security.SecurityConstants.*;
38  
39  import info.magnolia.cms.security.SecuritySupport;
40  import info.magnolia.cms.security.SilentSessionOp;
41  import info.magnolia.cms.security.User;
42  import info.magnolia.cms.security.UserManager;
43  import info.magnolia.context.MgnlContext;
44  import info.magnolia.jcr.util.NodeUtil;
45  import info.magnolia.jcr.util.PropertyUtil;
46  import info.magnolia.repository.RepositoryConstants;
47  import info.magnolia.security.app.util.UsersWorkspaceUtil;
48  import info.magnolia.ui.admincentral.dialog.action.SaveDialogAction;
49  import info.magnolia.ui.api.action.ActionExecutionException;
50  import info.magnolia.ui.form.EditorCallback;
51  import info.magnolia.ui.form.EditorValidator;
52  import info.magnolia.ui.vaadin.integration.jcr.JcrNewNodeAdapter;
53  import info.magnolia.ui.vaadin.integration.jcr.JcrNodeAdapter;
54  import info.magnolia.ui.vaadin.integration.jcr.ModelConstants;
55  
56  import java.util.ArrayList;
57  import java.util.Arrays;
58  import java.util.Collection;
59  import java.util.List;
60  
61  import javax.jcr.Node;
62  import javax.jcr.RepositoryException;
63  import javax.jcr.Session;
64  import javax.jcr.Value;
65  import javax.jcr.ValueFactory;
66  
67  import org.apache.commons.lang3.StringUtils;
68  import org.slf4j.Logger;
69  import org.slf4j.LoggerFactory;
70  
71  import com.vaadin.data.Item;
72  
73  /**
74   * Save user dialog action.
75   */
76  public class SaveUserDialogAction extends SaveDialogAction<SaveUserDialogActionDefinition> {
77  
78      private static final Logger log = LoggerFactory.getLogger(SaveUserDialogAction.class);
79  
80      private SecuritySupport securitySupport;
81      private final List<String> protectedProperties = Arrays.asList(PROPERTY_PASSWORD, "name", NODE_GROUPS, NODE_ROLES);
82  
83      public SaveUserDialogAction(SaveUserDialogActionDefinition definition, Item item, EditorValidator validator, EditorCallback callback, SecuritySupport securitySupport) {
84          super(definition, item, validator, callback);
85          this.securitySupport = securitySupport;
86      }
87  
88      @Override
89      public void execute() throws ActionExecutionException {
90          // First Validate
91          validator.showValidation(true);
92          if (validator.isValid()) {
93  
94              final JcrNodeAdapter nodeAdapter = (JcrNodeAdapter) item;
95              createOrUpdateUser(nodeAdapter);
96              callback.onSuccess(getDefinition().getName());
97  
98          } else {
99              // validation errors are displayed in the UI.
100         }
101     }
102 
103     private void createOrUpdateUser(final JcrNodeAdapter userItem) throws ActionExecutionException {
104         try {
105             String userManagerRealm = getDefinition().getUserManagerRealm();
106             if (StringUtils.isBlank(userManagerRealm)){
107                 log.debug("userManagerRealm property is not defined -> will try to get realm from node path");
108                 userManagerRealm = resolveUserManagerRealm(userItem);
109             }
110             UserManager userManager = securitySupport.getUserManager(userManagerRealm);
111             if (userManager == null){
112                 throw new ActionExecutionException("User cannot be created. No user manager with realm name " + userManagerRealm + " is defined.");
113             }
114 
115             String newUserName = (String) userItem.getItemProperty(ModelConstants.JCR_NAME).getValue();
116             String newPassword = (String) userItem.getItemProperty(PROPERTY_PASSWORD).getValue();
117 
118             User user;
119             Session session = userItem.getJcrItem().getSession();
120             if (userItem instanceof JcrNewNodeAdapter) {
121 
122                 // JcrNewNodeAdapter returns the parent JCR item here
123                 Node parentNode = userItem.getJcrItem();
124                 String parentPath = parentNode.getPath();
125 
126                 if ("/".equals(parentPath)) {
127                     throw new ActionExecutionException("Users cannot be created directly under root");
128                 }
129 
130                 // Make sure this user is allowed to add a user here, the user manager would happily do it and then we'd fail to read the node
131                 parentNode.getSession().checkPermission(parentNode.getPath(), Session.ACTION_ADD_NODE);
132 
133                 user = userManager.createUser(parentPath, newUserName, newPassword);
134             } else {
135                 Node userNode = userItem.getJcrItem();
136                 String existingUserName = userNode.getName();
137                 user = userManager.getUser(existingUserName);
138 
139                 if (!StringUtils.equals(existingUserName, newUserName)) {
140                     String pathBefore = userNode.getPath();
141                     NodeUtil.renameNode(userNode, newUserName);
142                     userNode.setProperty("name", newUserName);
143                     UsersWorkspaceUtil.updateAcls(userNode, pathBefore);
144                 }
145 
146                 String existingPasswordHash = user.getProperty(PROPERTY_PASSWORD);
147                 if (!StringUtils.equals(newPassword, existingPasswordHash)) {
148                     userManager.setProperty(user, PROPERTY_PASSWORD, newPassword);
149                 }
150             }
151 
152             final Collection<String> groups = resolveItemsNamesFromIdentifiers((Collection<String>) userItem.getItemProperty(NODE_GROUPS).getValue(), RepositoryConstants.USER_GROUPS);
153             log.debug("Assigning user the following groups [{}]", groups);
154             storeGroupsCollection(userManager, user, groups);
155 
156             final Collection<String> roles = resolveItemsNamesFromIdentifiers((Collection<String>) userItem.getItemProperty(NODE_ROLES).getValue(), RepositoryConstants.USER_ROLES);
157             log.debug("Assigning user the following roles [{}]", roles);
158             storeRolesCollection(userManager, user, roles);
159 
160             Collection<?> userProperties = userItem.getItemPropertyIds();
161             ValueFactory valueFactory = session.getValueFactory();
162             for (Object propertyName : userProperties) {
163                 if (!protectedProperties.contains(propertyName)) {
164                     Value propertyValue = PropertyUtil.createValue(userItem.getItemProperty(propertyName).getValue(), valueFactory);
165                     userManager.setProperty(user, propertyName.toString(), propertyValue);
166                 }
167             }
168 
169             session.save();
170 
171         } catch (final RepositoryException e) {
172             throw new ActionExecutionException(e);
173         }
174     }
175 
176     private String resolveUserManagerRealm(final JcrNodeAdapter userItem) throws RepositoryException{
177         String userPath = userItem.getJcrItem().getPath();
178         if (userItem instanceof JcrNewNodeAdapter && !"/".equals(userPath)) {
179             //parent JCR item is returned so we need enclose path with "/" to handle correctly in case when user is placed directly under realm root
180             userPath += "/";
181         }
182         return StringUtils.substringBetween(userPath, "/");
183     }
184 
185     private void storeGroupsCollection(UserManager userManager, User user, Collection<String> newGroups){
186         Collection<String> oldGroups = new ArrayList<String>();
187         for (String group : user.getGroups()) {
188             oldGroups.add(group);
189         }
190         for(String newGroup : newGroups) {
191             userManager.addGroup(user, newGroup);
192             oldGroups.remove(newGroup);
193         }
194         for(String oldGroup : oldGroups) {
195             userManager.removeGroup(user, oldGroup);
196         }
197     }
198 
199     private void storeRolesCollection(UserManager userManager, User user, Collection<String> newRoles){
200         Collection<String> oldRoles = new ArrayList<String>();
201         for (String role : user.getRoles()) {
202             oldRoles.add(role);
203         }
204         for(String newRole : newRoles) {
205             userManager.addRole(user, newRole);
206             oldRoles.remove(newRole);
207         }
208         for(String oldRole : oldRoles) {
209             userManager.removeRole(user, oldRole);
210         }
211     }
212 
213     private Collection<String> resolveItemsNamesFromIdentifiers(Collection<String> itemsIdentifiers, String repository){
214         final Collection<String> itemsNames = new ArrayList<String>();
215         for (final String itemIdentifier : itemsIdentifiers) {
216             MgnlContext.doInSystemContext(new SilentSessionOp<Void>(repository) {
217 
218                 @Override
219                 public Void doExec(Session session) {
220                     try {
221                         final String itemName =  session.getNodeByIdentifier(itemIdentifier).getName();
222                         itemsNames.add(itemName);
223                     } catch (RepositoryException e) {
224                         log.error("Can't resolve group/role with uuid: " + itemIdentifier);
225                         log.debug(e.getMessage());
226                     }
227                     return null;
228                 }
229             });
230         }
231         return itemsNames;
232     }
233 
234 }