diff --git a/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml b/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml index e5264e8139..939392423c 100644 --- a/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml +++ b/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml @@ -120,6 +120,7 @@ ${rm.haspermissionmap.write} + diff --git a/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/messages/audit-service.properties b/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/messages/audit-service.properties index f5cd13d5a1..a9c90dfba8 100644 --- a/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/messages/audit-service.properties +++ b/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/messages/audit-service.properties @@ -14,4 +14,7 @@ rm.audit.audit-clear=Audit Clear rm.audit.audit-view=Audit View rm.audit.trail-file-fail=Can't generate audit report. rm.audit.audit-report=Audit Report +rm.audit.set-permission=Set Permission +rm.audit.enable-inherit-permission=Enable Inherit Permissions +rm.audit.disable-inherit-permission=Disable Inherit Permissions recordable-version-config=Auto-Declare Options \ No newline at end of file diff --git a/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml b/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml index 6b39ea2065..f0fdb645e4 100644 --- a/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml +++ b/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml @@ -448,6 +448,7 @@ + diff --git a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditService.java b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditService.java index f47eb7f26d..77eada74f6 100644 --- a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditService.java +++ b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditService.java @@ -39,18 +39,18 @@ import org.alfresco.service.namespace.QName; /** * Records management audit service. - * + * * @author Gavin Cornwell */ public interface RecordsManagementAuditService extends RecordsManagementAuditServiceDeprecated { public enum ReportFormat { HTML, JSON } - - - + + + /** * Retrieves a list of audit events. - * + * * @return List of audit events */ List getAuditEvents(); @@ -60,49 +60,49 @@ public interface RecordsManagementAuditService extends RecordsManagementAuditSer *

* Creates an instance of a simple audit event and registers it with * the service. - * + * * @param name name of audit event * @param label display label of audit event */ void registerAuditEvent(String name, String label); - + /** * Register audit event. - * + * * @param auditEvent audit event */ void registerAuditEvent(AuditEvent auditEvent); - + /** * Audits an event, assumes no properties where modified and that the event should not be audited - * immediately. - * + * immediately. + * * @param nodeRef node reference * @param eventName event name */ - void auditEvent(NodeRef nodeRef, + void auditEvent(NodeRef nodeRef, String eventName); - + /** * Audits an event, assumes that the event should not be audited immediately and not be removed if no property is changed. - * + * * @param nodeRef node reference * @param eventName event name - * @param before property values before event - * @param after property values after event + * @param before property values before event (this must be modifiable and may be changed by the method). + * @param after property values after event (this must be modifiable and may be changed by the method). */ void auditEvent(NodeRef nodeRef, String eventName, Map before, Map after); - + /** * Audit event, assumes not to be removed if no property is changed. - * + * * @param nodeRef node reference * @param eventName event name - * @param before property values before event - * @param after property values after event + * @param before property values before event (this must be modifiable and may be changed by the method). + * @param after property values after event (this must be modifiable and may be changed by the method). * @param immediate true if event is to be audited immediately, false otherwise */ void auditEvent(NodeRef nodeRef, @@ -110,14 +110,14 @@ public interface RecordsManagementAuditService extends RecordsManagementAuditSer Map before, Map after, boolean immediate); - + /** * Audit event. - * + * * @param nodeRef node reference * @param eventName event name - * @param before property values before event - * @param after property values after event + * @param before property values before event (this must be modifiable and may be changed by the method). + * @param after property values after event (this must be modifiable and may be changed by the method). * @param immediate true if event is to be audited immediately, false otherwise * @param removeIfNoPropertyChanged true if event is not audited when there are no properties changed, false otherwise */ @@ -127,52 +127,67 @@ public interface RecordsManagementAuditService extends RecordsManagementAuditSer Map after, boolean immediate, boolean removeIfNoPropertyChanged); - + + /** + * Supply incremental changes as part of an event. This will either create a new event or update the existing details to put any supplied properties into the map. + * + * @param nodeRef node reference + * @param eventName event name + * @param before additional property values before event (this must be modifiable and may be changed by the method). + * @param after additional property values after event (this must be modifiable and may be changed by the method). + * @param removeIfNoPropertyChanged true if event is not audited when there are no properties changed, false otherwise + */ + void auditOrUpdateEvent(NodeRef nodeRef, + String eventName, + Map before, + Map after, + boolean removeIfNoPropertyChanged); + /** * Determines whether the RM audit log is currently enabled. - * + * * @param filePlan file plan * @return true if RM auditing is active false otherwise */ - boolean isAuditLogEnabled(NodeRef filePlan); - + boolean isAuditLogEnabled(NodeRef filePlan); + /** * Start RM auditing. - * + * * @param filePlan file plan */ void startAuditLog(NodeRef filePlan); - + /** * Stop RM auditing. - * + * * @param filePlan file plan - */ + */ void stopAuditLog(NodeRef filePlan); - - + + /** * Clears the RM audit. - * + * * @param filePlan file plan */ void clearAuditLog(NodeRef filePlan); - + /** * Returns the date the RM audit was last started. - * - * @param filePlan file plan + * + * @param filePlan file plan * @return Date the audit was last started */ Date getDateAuditLogLastStarted(NodeRef filePlan); /** * Returns the date the RM audit was last stopped. - * + * * @return Date the audit was last stopped */ Date getDateAuditLogLastStopped(NodeRef filePlan); - + /** * Retrieves a list of audit log entries using the provided parameters * represented by the RecordsManagementAuditQueryParameters instance. @@ -181,13 +196,13 @@ public interface RecordsManagementAuditService extends RecordsManagementAuditSer * object will result in ALL audit log entries for the RM system being * returned. Setting the various parameters effectively filters the full * audit trail. - * + * * @param params Parameters to use to retrieve audit trail (never null) * @param format The format the report should be produced in * @return File containing JSON representation of audit trail */ File getAuditTrailFile(RecordsManagementAuditQueryParameters params, ReportFormat format); - + /** * Retrieves a list of audit log entries using the provided parameters * represented by the RecordsManagementAuditQueryParameters instance. @@ -196,23 +211,23 @@ public interface RecordsManagementAuditService extends RecordsManagementAuditSer * object will result in ALL audit log entries for the RM system being * returned. Setting the various parameters effectively filters the full * audit trail. - * + * * @param params Parameters to use to retrieve audit trail (never null) * @return All entries for the audit trail */ List getAuditTrail(RecordsManagementAuditQueryParameters params); - + /** * Retrieves a list of audit log entries using the provided parameters * represented by the RecordsManagementAuditQueryParameters instance and - * then files the resulting log as an undeclared record in the record folder + * then files the resulting log as an undeclared record in the record folder * represented by the given NodeRef. *

* The parameters are all optional so an empty RecordsManagementAuditQueryParameters * object will result in ALL audit log entries for the RM system being * returned. Setting the various parameters effectively filters the full * audit trail. - * + * * @param params Parameters to use to retrieve audit trail (never null) * @param destination NodeRef representing a record folder in which to file the audit log * @param format The format the report should be produced in diff --git a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditServiceImpl.java b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditServiceImpl.java index 032e3c5bca..977bbc73ac 100644 --- a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditServiceImpl.java +++ b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditServiceImpl.java @@ -110,7 +110,7 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean private static Log logger = LogFactory.getLog(RecordsManagementAuditServiceImpl.class); private static final String ACCESS_AUDIT_CAPABILITY = "AccessAudit"; - + private static final String KEY_RM_AUDIT_NODE_RECORDS = "RMAUditNodeRecords"; protected static final String RM_AUDIT_EVENT_LOGIN_SUCCESS = "Login.Success"; @@ -284,7 +284,7 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean { this.namespaceService = namespaceService; } - + /** * @param capabilityService capability service */ @@ -292,9 +292,7 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean { this.capabilityService = capabilityService; } - - - + /** * @param ignoredAuditProperties @@ -514,40 +512,89 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean } else { - Set auditDetails = TransactionalResourceHelper.getSet(KEY_RM_AUDIT_NODE_RECORDS); - AlfrescoTransactionSupport.bindListener(txnListener); - // RM-936: Eliminate multiple audit maps from being generated when events with the same name are required to be fired multiple times in the same transaction. // Check if auditDetails already contains an auditedNode with the same combination of nodeRef and eventName. - boolean auditNodeAlreadyExists = false; - for (RMAuditNode existingRMAuditNode : auditDetails) + RMAuditNode existingEventNode = findExistingEventNode(nodeRef, eventName); + if (existingEventNode != null) { - if (existingRMAuditNode.getNodeRef().equals(nodeRef) && existingRMAuditNode.getEventName().equals(eventName)) - { - // If there exists such an auditNode, update its 'after' properties with the latest set of properties and leave its 'before' properties unchanged so that it - // retains the original set of properties. The first 'before' and last 'after' will be diff'ed when comes to building the auditMap later when the transaction - // commits. - existingRMAuditNode.setNodePropertiesAfter(after); - auditNodeAlreadyExists = true; - break; - } + // If there exists such an auditNode, update its 'after' properties with the latest set of properties and leave its 'before' properties unchanged so that it + // retains the original set of properties. The first 'before' and last 'after' will be diff'ed when comes to building the auditMap later when the transaction + // commits. + existingEventNode.setNodePropertiesAfter(after); } - - if (!auditNodeAlreadyExists) + else { - // Create a new auditNode if it doesn't already exist - RMAuditNode auditedNode = new RMAuditNode(); - auditedNode.setNodeRef(nodeRef); - auditedNode.setEventName(eventName); - auditedNode.setNodePropertiesBefore(before); - auditedNode.setNodePropertiesAfter(after); - auditedNode.setRemoveIfNoPropertyChanged(removeIfNoPropertyChanged); - - auditDetails.add(auditedNode); + createAuditEventInTransaction(nodeRef, eventName, before, after, removeIfNoPropertyChanged); } } } + /** {@inheritDoc} */ + @Override + public void auditOrUpdateEvent(NodeRef nodeRef, String eventName, Map before, + Map after, boolean removeIfNoPropertyChanged) + { + RMAuditNode existingEventNode = findExistingEventNode(nodeRef, eventName); + if (existingEventNode != null) + { + // Update the existing event to include all the new properties. + existingEventNode.getNodePropertiesBefore().putAll(before); + existingEventNode.getNodePropertiesAfter().putAll(after); + } + else + { + createAuditEventInTransaction(nodeRef, eventName, before, after, removeIfNoPropertyChanged); + } + } + + /** + * Create a new audit event for this transaction. + * + * @param nodeRef The node the audit message is about. + * @param eventName The event. + * @param before The before property map to use. + * @param after The after property map to use. + * @param removeIfNoPropertyChanged Whether to remove the event if no properties have changed. + */ + private void createAuditEventInTransaction(NodeRef nodeRef, String eventName, Map before, + Map after, boolean removeIfNoPropertyChanged) + { + // Create a new auditNode. + RMAuditNode auditedNode = new RMAuditNode(); + auditedNode.setNodeRef(nodeRef); + auditedNode.setEventName(eventName); + auditedNode.setNodePropertiesBefore(before); + auditedNode.setNodePropertiesAfter(after); + auditedNode.setRemoveIfNoPropertyChanged(removeIfNoPropertyChanged); + + // Add it to the transaction. + Set auditDetails = TransactionalResourceHelper.getSet(KEY_RM_AUDIT_NODE_RECORDS); + auditDetails.add(auditedNode); + } + + /** + * Find an audit node if it already exists for the transaction. + * + * @param nodeRef The node the event is against. + * @param eventName The name of the event. + * @param auditDetails The complete set of events for the transaction. + * @return The pre-existing event node, or null if none exists. + */ + private RMAuditNode findExistingEventNode(NodeRef nodeRef, String eventName) + { + AlfrescoTransactionSupport.bindListener(txnListener); + Set auditDetails = TransactionalResourceHelper.getSet(KEY_RM_AUDIT_NODE_RECORDS); + RMAuditNode existingEventNode = null; + for (RMAuditNode existingRMAuditNode : auditDetails) + { + if (existingRMAuditNode.getNodeRef().equals(nodeRef) && existingRMAuditNode.getEventName().equals(eventName)) + { + existingEventNode = existingRMAuditNode; + } + } + return existingEventNode; + } + /** * Helper method to build audit map * @@ -929,7 +976,7 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean // Skip it return true; } - + if(nodeRef != null && nodeService.exists(nodeRef) && !AccessStatus.ALLOWED.equals( capabilityService.getCapabilityAccessState(nodeRef, ACCESS_AUDIT_CAPABILITY))) diff --git a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java index a148063bb5..2aa8c3f03f 100644 --- a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java +++ b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java @@ -27,6 +27,9 @@ package org.alfresco.module.org_alfresco_module_rm.security; +import static java.util.Collections.singletonMap; +import static org.alfresco.module.org_alfresco_module_rm.security.ExtendedReaderDynamicAuthority.EXTENDED_READER; +import static org.alfresco.module.org_alfresco_module_rm.security.ExtendedWriterDynamicAuthority.EXTENDED_WRITER; import static org.alfresco.repo.policy.Behaviour.NotificationFrequency.TRANSACTION_COMMIT; import static org.alfresco.repo.policy.annotation.BehaviourKind.CLASS; import static org.alfresco.repo.security.authentication.AuthenticationUtil.getSystemUserName; @@ -34,10 +37,15 @@ import static org.alfresco.service.cmr.security.OwnableService.NO_OWNER; import static org.alfresco.util.ParameterCheck.mandatory; import static org.apache.commons.lang.BooleanUtils.isTrue; +import java.io.Serializable; +import java.util.HashMap; import java.util.HashSet; +import java.util.Map; import java.util.Set; import org.alfresco.error.AlfrescoRuntimeException; +import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService; +import org.alfresco.module.org_alfresco_module_rm.audit.event.AuditEvent; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService; import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService; @@ -48,6 +56,7 @@ import org.alfresco.repo.policy.PolicyComponent; import org.alfresco.repo.policy.annotation.Behaviour; import org.alfresco.repo.policy.annotation.BehaviourBean; import org.alfresco.repo.security.authentication.AuthenticationUtil; +import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; import org.alfresco.service.cmr.repository.ChildAssociationRef; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.security.AccessPermission; @@ -73,6 +82,12 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl RMPermissionModel, NodeServicePolicies.OnMoveNodePolicy { + /** An audit key for the set permission event. */ + private static final String AUDIT_SET_PERMISSION = "set-permission"; + + /** An namespace to use when constructing QNames to use for auditing changes to permissions. */ + private static final String AUDIT_NAMESPACE = "audit://permissions/"; + /** Permission service */ private PermissionService permissionService; @@ -91,6 +106,9 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl /** File plan service */ private FilePlanService filePlanService; + /** The RM audit service. */ + private RecordsManagementAuditService recordsManagementAuditService; + /** Logger */ private static final Log LOGGER = LogFactory.getLog(FilePlanPermissionServiceImpl.class); @@ -111,6 +129,16 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl NodeServicePolicies.OnMoveNodePolicy.QNAME, TYPE_RECORD_CATEGORY, new JavaBehaviour(this, "onMoveNode", TRANSACTION_COMMIT)); + + AuthenticationUtil.runAsSystem(new RunAsWork() + { + @Override + public Void doWork() throws Exception + { + recordsManagementAuditService.registerAuditEvent(new AuditEvent(AUDIT_SET_PERMISSION, "rm.audit.set-permission")); + return null; + } + }); } /** @@ -227,6 +255,16 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl this.filePlanService = filePlanService; } + /** + * Set the RM audit service. + * + * @param recordsManagementAuditService The RM audit service. + */ + public void setRecordsManagementAuditService(RecordsManagementAuditService recordsManagementAuditService) + { + this.recordsManagementAuditService = recordsManagementAuditService; + } + /** * @see org.alfresco.module.org_alfresco_module_rm.security.FilePlanPermissionService#setupRecordCategoryPermissions(org.alfresco.service.cmr.repository.NodeRef) */ @@ -340,6 +378,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl final boolean hasUserPermission = authenticationUtil.runAs(new AuthenticationUtil.RunAsWork() { + @Override public Boolean doWork() { return getPermissionService().hasPermission(nodeRef, RMPermissionModel.FILING) == AccessStatus.ALLOWED; @@ -350,6 +389,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { authenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork() { + @Override public Void doWork() { getPermissionService().setPermission(nodeRef, user, RMPermissionModel.FILING, true); @@ -365,6 +405,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl * @param parent parent node reference * @param nodeRef child node reference */ + @Override public void setupPermissions(final NodeRef parent, final NodeRef nodeRef) { mandatory("parent", parent); @@ -374,6 +415,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { authenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork() { + @Override public Object doWork() { // set inheritance @@ -480,6 +522,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl authenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork() { + @Override public Object doWork() { if (nodeService.exists(record) && nodeService.hasAspect(record, aspectTypeQName)) @@ -506,6 +549,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl authenticationUtil.runAs(new AuthenticationUtil.RunAsWork() { + @Override public Void doWork() { NodeRef record = sourceAssocRef.getChildRef(); @@ -547,6 +591,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl /** * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#setPermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String, boolean) */ + @Override public void setPermission(final NodeRef nodeRef, final String authority, final String permission) { ParameterCheck.mandatory("nodeRef", nodeRef); @@ -555,12 +600,18 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl authenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork() { + @Override public Void doWork() { if (canPerformPermissionAction(nodeRef)) { + QName auditProperty = constructAuditEventName(authority, permission); + Map oldPermission = getCurrentPermissionForAuthority(nodeRef, authority, permission, auditProperty); // Set the permission on the node getPermissionService().setPermission(nodeRef, authority, permission, true); + // Add an entry in the audit log. + recordsManagementAuditService.auditOrUpdateEvent(nodeRef, AUDIT_SET_PERMISSION, oldPermission, + new HashMap<>(singletonMap(auditProperty, (Serializable) true)), true); } else { @@ -575,9 +626,31 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl }); } + /** + * Get the current permission on a node for an authority. + * + * @param nodeRef The node. + * @param authority The authority. + * @param auditProperty The QName used as the key in the returned map. + * @return A map from the audit property to true or false depending on whether the user currently has permission. + */ + private Map getCurrentPermissionForAuthority(NodeRef nodeRef, String authority, String permission, QName auditProperty) + { + Set allSetPermissions = getPermissionService().getAllSetPermissions(nodeRef); + for (AccessPermission setPermission : allSetPermissions) + { + if (setPermission.getAuthority().equals(authority) && setPermission.getPermission().equals(permission)) + { + return new HashMap<>(singletonMap(auditProperty, (Serializable) true)); + } + } + return new HashMap<>(singletonMap(auditProperty, (Serializable) false)); + } + /** * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#deletePermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String) */ + @Override public void deletePermission(final NodeRef nodeRef, final String authority, final String permission) { ParameterCheck.mandatory("nodeRef", nodeRef); @@ -586,12 +659,18 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl authenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork() { + @Override public Void doWork() { if (canPerformPermissionAction(nodeRef)) { + QName auditProperty = constructAuditEventName(authority, permission); + Map oldPermission = getCurrentPermissionForAuthority(nodeRef, authority, permission, auditProperty); // Delete permission on this node getPermissionService().deletePermission(nodeRef, authority, permission); + // Add an entry in the audit log. + recordsManagementAuditService.auditOrUpdateEvent(nodeRef, AUDIT_SET_PERMISSION, oldPermission, + new HashMap<>(singletonMap(auditProperty, (Serializable) false)), true); } else { @@ -606,6 +685,19 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl }); } + /** + * Construct a QName so that the authority and permission are visible in the log. + * + * @param authority The authority whose permission is being changed. + * @param permission The name of the permission being changed. + * @return A QName such that the local name will make sense to the end user. + */ + private QName constructAuditEventName(String authority, String permission) + { + QName auditProperty = QName.createQName(AUDIT_NAMESPACE, permission + " " + authority); + return auditProperty; + } + private boolean canPerformPermissionAction(NodeRef nodeRef) { return isFilePlanContainer(nodeRef) || isRecordFolder(nodeRef) || isRecord(nodeRef) || isTransfer(nodeRef) || isHold(nodeRef); diff --git a/rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java b/rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java index 90bc07ee78..e93a0f8238 100644 --- a/rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java +++ b/rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java @@ -36,12 +36,15 @@ import java.util.HashSet; import java.util.List; import java.util.Set; +import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService; +import org.alfresco.module.org_alfresco_module_rm.audit.event.AuditEvent; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService; import org.alfresco.repo.cache.SimpleCache; - +import org.alfresco.repo.security.authentication.AuthenticationUtil; +import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; import org.alfresco.repo.security.permissions.AccessControlEntry; import org.alfresco.repo.security.permissions.AccessControlList; import org.alfresco.repo.security.permissions.processor.PermissionPostProcessor; @@ -69,7 +72,12 @@ import org.springframework.context.ApplicationEvent; public class ExtendedPermissionServiceImpl extends PermissionServiceImpl implements ExtendedPermissionService { - /** Writers simple cache */ + /** An audit key for the enable permission inheritance event. */ + private static final String AUDIT_ENABLE_INHERIT_PERMISSION = "enable-inherit-permission"; + /** An audit key for the disable permission inheritance event. */ + private static final String AUDIT_DISABLE_INHERIT_PERMISSION = "disable-inherit-permission"; + + /** Writers simple cache */ protected SimpleCache> writersCache; /** @@ -88,10 +96,30 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl /** File plan service */ private FilePlanService filePlanService; - + /** Permission processor registry */ private PermissionProcessorRegistry permissionProcessorRegistry; + /** The RM audit service. */ + private RecordsManagementAuditService recordsManagementAuditService; + + /** {@inheritDoc} Register the audit events. */ + @Override + public void init() + { + super.init(); + AuthenticationUtil.runAsSystem(new RunAsWork() + { + @Override + public Void doWork() throws Exception + { + recordsManagementAuditService.registerAuditEvent(new AuditEvent(AUDIT_ENABLE_INHERIT_PERMISSION, "rm.audit.enable-inherit-permission")); + recordsManagementAuditService.registerAuditEvent(new AuditEvent(AUDIT_DISABLE_INHERIT_PERMISSION, "rm.audit.disable-inherit-permission")); + return null; + } + }); + } + /** * Gets the file plan service * @@ -111,17 +139,27 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl { this.filePlanService = filePlanService; } - + /** * Sets the permission processor registry - * + * * @param permissionProcessorRegistry the permissions processor registry */ - public void setPermissionProcessorRegistry(PermissionProcessorRegistry permissionProcessorRegistry) + public void setPermissionProcessorRegistry(PermissionProcessorRegistry permissionProcessorRegistry) { this.permissionProcessorRegistry = permissionProcessorRegistry; } + /** + * Set the RM audit service. + * + * @param recordsManagementAuditService The RM audit service. + */ + public void setRecordsManagementAuditService(RecordsManagementAuditService recordsManagementAuditService) + { + this.recordsManagementAuditService = recordsManagementAuditService; + } + /** * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean) */ @@ -186,40 +224,40 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl public AccessStatus hasPermission(NodeRef nodeRef, String perm) { AccessStatus result = AccessStatus.UNDETERMINED; - + // permission pre-processors List preProcessors = permissionProcessorRegistry.getPermissionPreProcessors(); - for (PermissionPreProcessor preProcessor : preProcessors) + for (PermissionPreProcessor preProcessor : preProcessors) { // pre process permission result = preProcessor.process(nodeRef, perm); - + // veto if denied if (AccessStatus.DENIED.equals(result)) { return result; } } - + // evaluate permission result = hasPermissionImpl(nodeRef, perm); - + // permission post-processors List postProcessors = permissionProcessorRegistry.getPermissionPostProcessors(); - for (PermissionPostProcessor postProcessor : postProcessors) + for (PermissionPostProcessor postProcessor : postProcessors) { // post process permission result = postProcessor.process(result, nodeRef, perm, this.configuredReadPermissions, this.configuredFilePermissions); - } - + } + return result; } - + /** * Implementation of hasPermission method call. *

* Separation also convenient for unit testing. - * + * * @param nodeRef node reference * @param perm permission * @return {@link AccessStatus} access status result @@ -315,6 +353,7 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl * @param aclId * @return */ + @Override public Set getReadersDenied(Long aclId) { AccessControlList acl = aclDaoComponent.getAccessControlList(aclId); @@ -354,6 +393,7 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl /** * @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#getWriters(java.lang.Long) */ + @Override public Set getWriters(Long aclId) { AccessControlList acl = aclDaoComponent.getAccessControlList(aclId); @@ -401,7 +441,12 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl { setPermission(nodeRef, adminRole, RMPermissionModel.FILING, true); } - super.setInheritParentPermissions(nodeRef, inheritParentPermissions); + if (inheritParentPermissions != super.getInheritParentPermissions(nodeRef)) + { + super.setInheritParentPermissions(nodeRef, inheritParentPermissions); + String auditEvent = (inheritParentPermissions ? AUDIT_ENABLE_INHERIT_PERMISSION : AUDIT_DISABLE_INHERIT_PERMISSION); + recordsManagementAuditService.auditEvent(nodeRef, auditEvent); + } } /**