Merge MNT-17512_AuditPermissionChanges into release/V2.4.

rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java

@@ -36,12 +36,15 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 
+import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService;
+import org.alfresco.module.org_alfresco_module_rm.audit.event.AuditEvent;
 import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
 import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
 import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
 import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService;
 import org.alfresco.repo.cache.SimpleCache;
-
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
 import org.alfresco.repo.security.permissions.AccessControlEntry;
 import org.alfresco.repo.security.permissions.AccessControlList;
 import org.alfresco.repo.security.permissions.processor.PermissionPostProcessor;
@@ -69,7 +72,12 @@ import org.springframework.context.ApplicationEvent;
 public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
                                            implements ExtendedPermissionService
 {
-	/** Writers simple cache */
+    /** An audit key for the enable permission inheritance event. */
+    private static final String AUDIT_ENABLE_INHERIT_PERMISSION = "enable-inherit-permission";
+    /** An audit key for the disable permission inheritance event. */
+    private static final String AUDIT_DISABLE_INHERIT_PERMISSION = "disable-inherit-permission";
+
+    /** Writers simple cache */
     protected SimpleCache<Serializable, Set<String>> writersCache;
 
     /**
@@ -88,10 +96,30 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
 
     /** File plan service */
     private FilePlanService filePlanService;
-    
+
     /** Permission processor registry */
     private PermissionProcessorRegistry permissionProcessorRegistry;
 
+    /** The RM audit service. */
+    private RecordsManagementAuditService recordsManagementAuditService;
+
+    /** {@inheritDoc} Register the audit events. */
+    @Override
+    public void init()
+    {
+        super.init();
+        AuthenticationUtil.runAsSystem(new RunAsWork<Void>()
+        {
+            @Override
+            public Void doWork() throws Exception
+            {
+                recordsManagementAuditService.registerAuditEvent(new AuditEvent(AUDIT_ENABLE_INHERIT_PERMISSION, "rm.audit.enable-inherit-permission"));
+                recordsManagementAuditService.registerAuditEvent(new AuditEvent(AUDIT_DISABLE_INHERIT_PERMISSION, "rm.audit.disable-inherit-permission"));
+                return null;
+            }
+        });
+    }
+
     /**
      * Gets the file plan service
      *
@@ -111,17 +139,27 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
     {
         this.filePlanService = filePlanService;
     }
-    
+
     /**
      * Sets the permission processor registry
-     * 
+     *
      * @param permissionProcessorRegistry	the permissions processor registry
      */
-    public void setPermissionProcessorRegistry(PermissionProcessorRegistry permissionProcessorRegistry) 
+    public void setPermissionProcessorRegistry(PermissionProcessorRegistry permissionProcessorRegistry)
     {
 		this.permissionProcessorRegistry = permissionProcessorRegistry;
 	}
 
+    /**
+     * Set the RM audit service.
+     *
+     * @param recordsManagementAuditService The RM audit service.
+     */
+    public void setRecordsManagementAuditService(RecordsManagementAuditService recordsManagementAuditService)
+    {
+        this.recordsManagementAuditService = recordsManagementAuditService;
+    }
+
     /**
      * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean)
      */
@@ -186,40 +224,40 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
     public AccessStatus hasPermission(NodeRef nodeRef, String perm)
     {
     	AccessStatus result = AccessStatus.UNDETERMINED;
-    	
+
     	// permission pre-processors
     	List<PermissionPreProcessor> preProcessors = permissionProcessorRegistry.getPermissionPreProcessors();
-    	for (PermissionPreProcessor preProcessor : preProcessors) 
+    	for (PermissionPreProcessor preProcessor : preProcessors)
     	{
     		// pre process permission
     		result = preProcessor.process(nodeRef, perm);
-    		
+
     		// veto if denied
     		if (AccessStatus.DENIED.equals(result))
     		{
     			return result;
     		}
 		}
-    	
+
     	// evaluate permission
         result = hasPermissionImpl(nodeRef, perm);
-        
+
         // permission post-processors
         List<PermissionPostProcessor> postProcessors = permissionProcessorRegistry.getPermissionPostProcessors();
-        for (PermissionPostProcessor postProcessor : postProcessors) 
+        for (PermissionPostProcessor postProcessor : postProcessors)
         {
         	// post process permission
         	result = postProcessor.process(result, nodeRef, perm, this.configuredReadPermissions, this.configuredFilePermissions);
-		}        
-        
+		}
+
         return result;
     }
-    
+
     /**
      * Implementation of hasPermission method call.
      * <p>
      * Separation also convenient for unit testing.
-     * 
+     *
      * @param nodeRef	node reference
      * @param perm		permission
      * @return {@link AccessStatus}	access status result
@@ -315,6 +353,7 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
      * @param aclId
      * @return
      */
+    @Override
     public Set<String> getReadersDenied(Long aclId)
     {
         AccessControlList acl = aclDaoComponent.getAccessControlList(aclId);
@@ -354,6 +393,7 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
     /**
      * @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#getWriters(java.lang.Long)
      */
+    @Override
     public Set<String> getWriters(Long aclId)
     {
         AccessControlList acl = aclDaoComponent.getAccessControlList(aclId);
@@ -401,7 +441,12 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
         {
            setPermission(nodeRef, adminRole, RMPermissionModel.FILING, true);
         }
-        super.setInheritParentPermissions(nodeRef, inheritParentPermissions);
+        if (inheritParentPermissions != super.getInheritParentPermissions(nodeRef))
+        {
+            super.setInheritParentPermissions(nodeRef, inheritParentPermissions);
+            String auditEvent = (inheritParentPermissions ? AUDIT_ENABLE_INHERIT_PERMISSION : AUDIT_DISABLE_INHERIT_PERMISSION);
+            recordsManagementAuditService.auditEvent(nodeRef, auditEvent);
+        }
     }
 
     /**