MT fixes to provide initial support for tenant-specific guests

- explicit guest access is required, such as "guest@tenant1" (note: implicit/anonymous guest access can only login to the default domain)
- also fixes issue with "Show All" users, when logged in as a tenant admin

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@7748 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

config/alfresco/authentication-services-context.xml

@@ -158,6 +158,9 @@
         <property name="allowGuestLogin">
             <value>true</value>
         </property>
+        <property name="tenantService">
+            <ref bean="tenantService"/>
+        </property>
     </bean>
 
 

source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java

@@ -32,6 +32,7 @@ import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import net.sf.acegisecurity.providers.dao.User;
 
 import org.alfresco.error.AlfrescoRuntimeException;
+import org.alfresco.repo.tenant.TenantService;
 import org.alfresco.service.cmr.security.PermissionService;
 
 /**
@@ -47,6 +48,8 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
      */
     private Boolean allowGuestLogin = null;
     
+    private TenantService tenantService;
+
     public AbstractAuthenticationComponent()
     {
         super();
@@ -62,12 +65,17 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
         this.allowGuestLogin = allowGuestLogin;
     }
     
+    public void setTenantService(TenantService tenantService)
+    {
+    	this.tenantService = tenantService;
+    }
+
     public void authenticate(String userName, char[] password) throws AuthenticationException
     {
         // Support guest login from the login screen
-        if ((userName != null) && (userName.equalsIgnoreCase(PermissionService.GUEST_AUTHORITY)))
+        if (isGuestUserName(userName))
         {
-            setGuestUserAsCurrentUser();
+            setGuestUserAsCurrentUser(tenantService.getUserDomain(userName));
         }
         else
         {
@@ -111,10 +119,10 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
                 gas[0] = new GrantedAuthorityImpl("ROLE_SYSTEM");
                 ud = new User(AuthenticationUtil.SYSTEM_USER_NAME, "", true, true, true, true, gas);
             }
-            else if (userName.equalsIgnoreCase(PermissionService.GUEST_AUTHORITY))
+            else if (isGuestUserName(userName))
             {
                 GrantedAuthority[] gas = new GrantedAuthority[0];
-                ud = new User(PermissionService.GUEST_AUTHORITY.toLowerCase(), "", true, true, true, true, gas);
+                ud = new User(getGuestUserName(tenantService.getUserDomain(userName)), "", true, true, true, true, gas);
             }
             else
             {
@@ -203,22 +211,37 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
 
     /**
      * Get the name of the Guest User
+     * note: for MT, will get guest for default domain only
      */
     public String getGuestUserName()
     {
         return PermissionService.GUEST_AUTHORITY.toLowerCase();
     }
 
+    private String getGuestUserName(String tenantDomain)
+    {
+    	return tenantService.getDomainUser(getGuestUserName(), tenantDomain);
+    }
+    
+    /**
+     * Set the guest user as the current user.
+     * note: for MT, will set to default domain only
+     */
+    public Authentication setGuestUserAsCurrentUser() throws AuthenticationException
+    {
+    	return setGuestUserAsCurrentUser(TenantService.DEFAULT_DOMAIN);
+    }
+    
     /**
      * Set the guest user as the current user.
      */
-    public Authentication setGuestUserAsCurrentUser() throws AuthenticationException
+    private Authentication setGuestUserAsCurrentUser(String tenantDomain) throws AuthenticationException
     {
         if (allowGuestLogin == null)
         {
             if (implementationAllowsGuestLogin())
             {
-                return setCurrentUser(PermissionService.GUEST_AUTHORITY);
+                return setCurrentUser(getGuestUserName(tenantDomain));
             }
             else
             {
@@ -229,7 +252,7 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
         {
             if (allowGuestLogin.booleanValue())
             {
-                return setCurrentUser(PermissionService.GUEST_AUTHORITY);
+            	return setCurrentUser(getGuestUserName(tenantDomain));
             }
             else
             {
@@ -239,6 +262,11 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
         }
     }
     
+    private boolean isGuestUserName(String userName)
+    {
+    	return ((userName != null) && tenantService.getBaseNameUser(userName).equalsIgnoreCase(PermissionService.GUEST_AUTHORITY));
+    }
+
     protected abstract boolean implementationAllowsGuestLogin();
 
     /**

source/java/org/alfresco/repo/security/authority/AuthorityServiceImpl.java

@@ -154,7 +154,7 @@ public class AuthorityServiceImpl implements AuthorityService
         {
             authorities.addAll(adminSet);
         }
-        if(AuthorityType.getAuthorityType(currentUserName) != AuthorityType.GUEST)
+        if (AuthorityType.getAuthorityType(tenantService.getBaseNameUser(currentUserName)) != AuthorityType.GUEST)
         {
            authorities.addAll(allSet);
         }

source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java

@@ -433,7 +433,15 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
         }
         // TODO: Refactor and use the authentication service for this.
         User user = (User) auth.getPrincipal();
-        auths.add(user.getUsername());
+        
+        String username = user.getUsername();
+        auths.add(username);
+        
+        if (tenantService.getBaseNameUser(username).equalsIgnoreCase(PermissionService.GUEST_AUTHORITY))
+        {
+        	auths.add(PermissionService.GUEST_AUTHORITY);
+        }
+        
         for (GrantedAuthority authority : auth.getAuthorities())
         {
             auths.add(authority.getAuthority());
@@ -444,7 +452,7 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
             {
                 for (DynamicAuthority da : dynamicAuthorities)
                 {
-                    if (da.hasAuthority(nodeRef, user.getUsername()))
+                    if (da.hasAuthority(nodeRef, username))
                     {
                         auths.add(da.getAuthority());
                     }

source/java/org/alfresco/repo/tenant/MultiTAdminServiceImpl.java

@@ -601,9 +601,6 @@ public class MultiTAdminServiceImpl extends AbstractLifecycleBean implements Ten
         props.put("alfresco_user_store.adminusername", getTenantAdminUser(tenantDomain));
         props.put("alfresco_user_store.adminpassword", passwordEncoder.encodePassword(new String(tenantAdminRawPassword), salt));
         
-        // override guest username property
-        props.put("alfresco_user_store.guestusername", getTenantGuestUser(tenantDomain));
-        
         userImporterBootstrap.bootstrap();
         
         logger.debug("Bootstrapped store: " + tenantService.getBaseName(bootstrapStoreRef));
@@ -670,6 +667,9 @@ public class MultiTAdminServiceImpl extends AbstractLifecycleBean implements Ten
         Properties props = spacesImporterBootstrap.getConfiguration();
         props.put("alfresco_user_store.adminusername", getTenantAdminUser(tenantDomain));
         
+        // override guest username property
+        props.put("alfresco_user_store.guestusername", getTenantGuestUser(tenantDomain));
+   
         spacesImporterBootstrap.bootstrap();
        
         logger.debug("Bootstrapped store: " + tenantService.getBaseName(bootstrapStoreRef));

source/java/org/alfresco/repo/tenant/MultiTServiceImpl.java

@@ -183,7 +183,7 @@ public class MultiTServiceImpl implements TenantService
         
         String tenantDomain = getCurrentUserDomain();
         
-        if (! tenantDomain.equals(""))
+        if (! tenantDomain.equals(DEFAULT_DOMAIN))
         {
             int idx1 = name.indexOf(SEPARATOR);
             if (idx1 != 0)
@@ -246,12 +246,12 @@ public class MultiTServiceImpl implements TenantService
             int idx2 = name.indexOf(SEPARATOR, 1);
             String nameDomain = name.substring(1, idx2);
             
-            if ((! tenantDomain.equals("")) && (! tenantDomain.equals(nameDomain)))
+            if ((! tenantDomain.equals(DEFAULT_DOMAIN)) && (! tenantDomain.equals(nameDomain)))
             {
                 throw new AlfrescoRuntimeException("domain mismatch: expected = " + tenantDomain + ", actual = " + nameDomain);
             }
             
-            if ((! tenantDomain.equals("")) || (forceForNonTenant))
+            if ((! tenantDomain.equals(DEFAULT_DOMAIN)) || (forceForNonTenant))
             {
                 // remove tenant domain
                 name = name.substring(idx2+1);
@@ -282,7 +282,7 @@ public class MultiTServiceImpl implements TenantService
         
         String tenantDomain = getCurrentUserDomain();
           
-         if (! tenantDomain.equals(""))
+         if (! tenantDomain.equals(DEFAULT_DOMAIN))
          {
             int idx2 = username.lastIndexOf(SEPARATOR);
             if ((idx2 > 0) && (idx2 < (username.length()-1)))
@@ -317,7 +317,7 @@ public class MultiTServiceImpl implements TenantService
                 
         String tenantDomain = getCurrentUserDomain();
         
-        if (((nameDomain == null) && (! tenantDomain.equals(""))) || 
+        if (((nameDomain == null) && (! tenantDomain.equals(DEFAULT_DOMAIN))) || 
             ((nameDomain != null) && (! nameDomain.equals(tenantDomain))))
         {
             throw new AlfrescoRuntimeException("domain mismatch: expected = " + tenantDomain + ", actual = " + nameDomain);
@@ -432,17 +432,15 @@ public class MultiTServiceImpl implements TenantService
         return false;  
     }
     
-    public String getCurrentUserDomain()
+    public String getUserDomain(String username)
     {
-        String user = AuthenticationUtil.getCurrentUserName();
-        
     	// can be null (e.g. for System user / during app ctx init)
-        if (user != null) 
+        if (username != null) 
         {
-            int idx = user.lastIndexOf(SEPARATOR);
-            if ((idx > 0) && (idx < (user.length()-1)))
+            int idx = username.lastIndexOf(SEPARATOR);
+            if ((idx > 0) && (idx < (username.length()-1)))
             {
-               String tenantDomain = user.substring(idx+1);
+               String tenantDomain = username.substring(idx+1);
                
                checkTenantEnabled(tenantDomain);
                
@@ -450,7 +448,13 @@ public class MultiTServiceImpl implements TenantService
             }
         }        
         
-        return ""; // default domain - non-tenant user
+        return DEFAULT_DOMAIN; // default domain - non-tenant user
+    }
+    
+    public String getCurrentUserDomain()
+    {
+        String user = AuthenticationUtil.getCurrentUserName();
+        return getUserDomain(user);
     }
     
     public String getDomain(String name)
@@ -460,7 +464,7 @@ public class MultiTServiceImpl implements TenantService
 
         String tenantDomain = getCurrentUserDomain();
         
-        String nameDomain = "";
+        String nameDomain = DEFAULT_DOMAIN;
         
         int idx1 = name.indexOf(SEPARATOR);
         if (idx1 == 0)
@@ -468,7 +472,7 @@ public class MultiTServiceImpl implements TenantService
             int idx2 = name.indexOf(SEPARATOR, 1);
             nameDomain = name.substring(1, idx2);
             
-            if ((! tenantDomain.equals("")) && (! tenantDomain.equals(nameDomain)))
+            if ((! tenantDomain.equals(DEFAULT_DOMAIN)) && (! tenantDomain.equals(nameDomain)))
             {
                 throw new AlfrescoRuntimeException("domain mismatch: expected = " + tenantDomain + ", actual = " + nameDomain);
             }    
@@ -483,7 +487,7 @@ public class MultiTServiceImpl implements TenantService
         ParameterCheck.mandatory("baseUsername", baseUsername);
         ParameterCheck.mandatory("tenantDomain", tenantDomain);
         
-        if (! tenantDomain.equals(""))
+        if (! tenantDomain.equals(DEFAULT_DOMAIN))
         {
             if (baseUsername.contains(SEPARATOR))
             {

source/java/org/alfresco/repo/tenant/SingleTServiceImpl.java

@@ -128,14 +128,19 @@ public class SingleTServiceImpl implements TenantService
         return false;
     }
     
+    public String getUserDomain(String username)
+    {
+        return DEFAULT_DOMAIN;
+    }
+    
     public String getCurrentUserDomain()
     {
-        return "";
+        return DEFAULT_DOMAIN;
     }
     
     public String getDomain(String name)
     {
-        return "";
+        return DEFAULT_DOMAIN;
     }
     
     public String getDomainUser(String baseUsername, String tenantDomain)

source/java/org/alfresco/repo/tenant/TenantService.java

@@ -42,6 +42,8 @@ public interface TenantService
 {
     public static final String SEPARATOR = "@";
     
+    public static final String DEFAULT_DOMAIN = "";
+    
     public static final String ADMIN_BASENAME = "admin";
     
     public NodeRef getName(NodeRef nodeRef);
@@ -80,6 +82,8 @@ public interface TenantService
     
     public boolean isTenantName(String name);
 
+    public String getUserDomain(String username);
+    
     public String getCurrentUserDomain();
     
     public String getDomain(String name);