Examples of javax.jcr.security.AccessControlList

• javax.jcr.security.AccessControlList

      Set<String> newGrantedPrivilegeNames = disaggregateToPrivilegeNames(accessControlManager, grantedPrivilegeNames, specifiedPrivilegeNames);
      Set<String> newDeniedPrivilegeNames = disaggregateToPrivilegeNames(accessControlManager, deniedPrivilegeNames, specifiedPrivilegeNames);
      disaggregateToPrivilegeNames(accessControlManager, removedPrivilegeNames, specifiedPrivilegeNames);

      // Get or create the ACL for the node.
      AccessControlList acl = null;
      AccessControlPolicy[] policies = accessControlManager.getPolicies(resourcePath);
      for (AccessControlPolicy policy : policies) {
        if (policy instanceof AccessControlList) {
          acl = (AccessControlList) policy;
          break;
        }
      }
      if (acl == null) {
        AccessControlPolicyIterator applicablePolicies = accessControlManager.getApplicablePolicies(resourcePath);
        while (applicablePolicies.hasNext()) {
          AccessControlPolicy policy = applicablePolicies.nextAccessControlPolicy();
          if (policy instanceof AccessControlList) {
            acl = (AccessControlList) policy;
            break;
          }
        }
      }
      if (acl == null) {
        throw new RepositoryException("Could not obtain ACL for resource " + resourcePath);
      }
      // Used only for logging.
      Set<Privilege> oldGrants = null;
      Set<Privilege> oldDenies = null;
      if (log.isDebugEnabled()) {
        oldGrants = new HashSet<Privilege>();
        oldDenies = new HashSet<Privilege>();
      }

      // Combine all existing ACEs for the target principal.
      AccessControlEntry[] accessControlEntries = acl.getAccessControlEntries();
      for (int i=0; i < accessControlEntries.length; i++) {
        AccessControlEntry ace = accessControlEntries[i];
        if (principal.equals(ace.getPrincipal())) {
          if (log.isDebugEnabled()) {
            log.debug("Found Existing ACE for principal {} on resource {}", new Object[] {principal.getName(), resourcePath});
          }
          if (order == null || order.length() == 0) {
            //order not specified, so keep track of the original ACE position.
            order = String.valueOf(i);
          }

          boolean isAllow = isAllow(ace);
          Privilege[] privileges = ace.getPrivileges();
          if (log.isDebugEnabled()) {
            if (isAllow) {
              oldGrants.addAll(Arrays.asList(privileges));
            } else {
              oldDenies.addAll(Arrays.asList(privileges));
            }
          }
          for (Privilege privilege : privileges) {
            Set<String> maintainedPrivileges = disaggregateToPrivilegeNames(privilege);
            // If there is any overlap with the newly specified privileges, then
            // break the existing privilege down; otherwise, maintain as is.
            if (!maintainedPrivileges.removeAll(specifiedPrivilegeNames)) {
              // No conflicts, so preserve the original.
              maintainedPrivileges.clear();
              maintainedPrivileges.add(privilege.getName());
            }
            if (!maintainedPrivileges.isEmpty()) {
              if (isAllow) {
                newGrantedPrivilegeNames.addAll(maintainedPrivileges);
              } else {
                newDeniedPrivilegeNames.addAll(maintainedPrivileges);
              }
            }
          }
          // Remove the old ACE.
          acl.removeAccessControlEntry(ace);
        }
      }

      //add a fresh ACE with the granted privileges
      List<Privilege> grantedPrivilegeList = new ArrayList<Privilege>();
      for (String name : newGrantedPrivilegeNames) {
        Privilege privilege = accessControlManager.privilegeFromName(name);
        grantedPrivilegeList.add(privilege);
      }
      if (grantedPrivilegeList.size() > 0) {
        acl.addAccessControlEntry(principal, grantedPrivilegeList.toArray(new Privilege[grantedPrivilegeList.size()]));
      }

       //add a fresh ACE with the denied privileges
       List<Privilege> deniedPrivilegeList = new ArrayList<Privilege>();
       for (String name : newDeniedPrivilegeNames) {

      Set<String> pidSet = new HashSet<String>();
      pidSet.addAll(Arrays.asList(principalNamesToDelete));

      try {
        AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(jcrSession);
        AccessControlList updatedAcl = getAccessControlList(accessControlManager, resourcePath, false);

        //keep track of the existing Aces for the target principal
        AccessControlEntry[] accessControlEntries = updatedAcl.getAccessControlEntries();
        List<AccessControlEntry> oldAces = new ArrayList<AccessControlEntry>();
        for (AccessControlEntry ace : accessControlEntries) {
          if (pidSet.contains(ace.getPrincipal().getName())) {
            oldAces.add(ace);
          }
        }

        //remove the old aces
        if (!oldAces.isEmpty()) {
          for (AccessControlEntry ace : oldAces) {
            updatedAcl.removeAccessControlEntry(ace);
          }
        }

        //apply the changed policy
        accessControlManager.setPolicy(resourcePath, updatedAcl);

            }
            if (root.hasNode("n2")) {
                root.getNode("n2").remove();
            }

            AccessControlList acl = AccessControlUtils.getAccessControlList(session, "/");
            if (acl != null) {
                boolean modified = false;
                for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                    if (getTestPrincipal(session).equals(ace.getPrincipal())) {
                        acl.removeAccessControlEntry(ace);
                        modified = true;
                    }
                }
                if (modified) {
                    session.getAccessControlManager().setPolicy("/", acl);

        Version v = n.checkin();
        n.checkout();

        testSession.refresh(false);
        assertFalse(testAcMgr.hasPrivileges(n.getPath(), versionPrivileges));
        AccessControlList acl = allow(SYSTEM, versionPrivileges);

        try {
            Node testNode = testSession.getNode(n.getPath());
            testNode.getVersionHistory().removeVersion(v.getName());

            fail("Missing jcr:versionManagement privilege -> remove a version must fail.");
        } catch (AccessDeniedException e) {
            // success
        } finally {
            // revert privilege modification (manually remove the ACE added)
            for (AccessControlEntry entry : acl.getAccessControlEntries()) {
                if (entry.getPrincipal().equals(testUser.getPrincipal())) {
                    acl.removeAccessControlEntry(entry);
                }
            }
            acMgr.setPolicy(SYSTEM, acl);
            superuser.save();
        }

        // if the given node is access-controlled, construct a new ACL and add
        // it to the list
        if (isAccessControlled(node)) {
            // build acl for the access controlled node
            NodeImpl aclNode = node.getNode(N_POLICY);
            AccessControlList acl = systemEditor.getACL(aclNode);
            acls.add(new UnmodifiableAccessControlList(acl));
        }
        // then, recursively look for access controlled parents up the hierarchy.
        if (!rootNodeId.equals(node.getId())) {
            NodeImpl parentNode = (NodeImpl) node.getParent();

        String path = session.getRootNode().getPath();
        AccessControlManager accessControlManager = session
                .getAccessControlManager();
        AccessControlPolicyIterator acls = accessControlManager
                .getApplicablePolicies(path);
        AccessControlList acl = null;
        if (acls.hasNext()) {
            acl = (AccessControlList) acls.nextAccessControlPolicy();
        } else {
            acl = (AccessControlList) accessControlManager.getPolicies(path)[0];
        }
        acl.addAccessControlEntry(user.getPrincipal(), accessControlManager.getSupportedPrivileges(path));
        accessControlManager.setPolicy(path, acl);

        session.save();
        session.logout();

                }
                AccessControlPolicyIterator acIterator = acMgr.getApplicablePolicies(path);
                if (acIterator.hasNext()) {
                    AccessControlPolicy policy = acIterator.nextAccessControlPolicy();
                    if (policy instanceof AccessControlList) {
                        AccessControlList acl = (AccessControlList) policy;
                        Privilege[] privileges = new Privilege[] {
                                acMgr.privilegeFromName(Privilege.JCR_READ),
                                acMgr.privilegeFromName(Privilege.JCR_READ_ACCESS_CONTROL)
                        };
                        if (acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privileges)) {
                            acMgr.setPolicy(path, acl);
                            node.getSession().save();
                        }
                    }
                }

    private void assertAcAction(Authorizable a, String expectedPrivName) throws Exception {
        AccessControlManager acMgr = getAccessControlManager(root);
            AccessControlPolicy[] policies = acMgr.getPolicies(a.getPath());
            assertEquals(1, policies.length);
            assertTrue(policies[0] instanceof AccessControlList);
            AccessControlList acl = (AccessControlList) policies[0];
            assertEquals(1, acl.getAccessControlEntries().length);
            assertArrayEquals(new Privilege[]{getPrivilegeManager(root).getPrivilege(expectedPrivName)}, acl.getAccessControlEntries()[0].getPrivileges());
    }

    }

    public void testAddAccessControlEntryAndSetPolicy() throws RepositoryException, NotExecutableException {
        checkCanModifyAc(path);

        AccessControlList acl = getList(acMgr, path);
        List originalAces = Arrays.asList(acl.getAccessControlEntries());

        if (!acl.addAccessControlEntry(testPrincipal, privs)) {
            throw new NotExecutableException();
        }

        // re-access ACL from AC-Manager -> must not yet have changed
        assertEquals("Before calling setPolicy any modifications to an ACL must not be reflected in the policies", originalAces, Arrays.asList(getList(acMgr, path).getAccessControlEntries()));

        // setting the modified policy -> policy must change.
        acMgr.setPolicy(path, acl);
        assertEquals("Before calling setPolicy any modifications to an ACL must not be reflected in the policies", Arrays.asList(acl.getAccessControlEntries()), Arrays.asList(getList(acMgr, path).getAccessControlEntries()));
    }

    }

    public void testAddAccessControlEntryIsTransient() throws NotExecutableException, RepositoryException {
        checkCanModifyAc(path);

        AccessControlList acl = getList(acMgr, path);
        List originalAces = Arrays.asList(acl.getAccessControlEntries());

        if (!acl.addAccessControlEntry(testPrincipal, privs)) {
            throw new NotExecutableException();
        }
        // set the policy (see #testAddAccessControlEntryAndSetPolicy)
        acMgr.setPolicy(path, acl);