inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged DEV/ROYTEST to HEAD:

Browse Source 
109931: Classification enforcement refactor
   110013: Classification enforecment refactor
       * rename veto as permission pre-processor
       * add support for permission post-processors
       * add transaction cache to classification enforcement
       * add records management permission post processor to remove code from extended permission service
   110191: Extended permission service unit test
   110301: Classification permission pre-processor unit test

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@110507 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Roy Wetherall
2015-08-20 02:51:23 +00:00
parent 33edc6feb0 2bcebc2abe
commit 95d7013517
37 changed files with 952 additions and 2107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml
View File

@@ -39,26 +39,17 @@
</list> </list>
</property> </property>
</bean> </bean>
<!-- Classification Method Interceptor --> <!-- Classification Permission Pre Processor -->
<bean id="classificationPermissionPreProcessor"
<bean id="preMethodInvocationProcessor" class="org.alfresco.module.org_alfresco_module_rm.classification.permission.ClassificationPermissionPreProcessor"
class="org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.PreMethodInvocationProcessor"> parent="parentPermissionPreProcessor">
<property name="contentClassificationService" ref="contentClassificationService" />
<property name="transactionalResourceHelper" ref="rm.transactionalResourceHelper" />
<property name="classificationServiceBootstrap" ref="classificationServiceBootstrap"/>
<property name="authenticationUtil" ref="rm.authenticationUtil" />
</bean> </bean>
<bean id="postMethodInvocationProcessor"
class="org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.PostMethodInvocationProcessor">
</bean>
<bean id="classificationMethodInterceptor"
class="org.alfresco.module.org_alfresco_module_rm.classification.interceptor.ClassificationMethodInterceptor">
<property name="preMethodInvocationProcessor" ref="preMethodInvocationProcessor" />
<property name="postMethodInvocationProcessor" ref="postMethodInvocationProcessor" />
</bean>
<bean id="classificationMethodInterceptorPostProcessor"
class="org.alfresco.module.org_alfresco_module_rm.classification.interceptor.ClassificationMethodInterceptorPostProcessor" />
<!-- Classification service DAO --> <!-- Classification service DAO -->
<bean id="classificationServiceDAO" class="org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceDAO"> <bean id="classificationServiceDAO" class="org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceDAO">

77
rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml
View File

@@ -26,6 +26,7 @@
<property name="extendingBeanName" value="rm.FileFolderService_security" /> <property name="extendingBeanName" value="rm.FileFolderService_security" />
</bean> </bean>
<!-- extended quick share implementation -->
<bean id="rm.quickShareService" abstract="true" class="org.alfresco.repo.quickshare.ExtendedQuickShareServiceImpl"> <bean id="rm.quickShareService" abstract="true" class="org.alfresco.repo.quickshare.ExtendedQuickShareServiceImpl">
<property name="nodeService" ref="NodeService"/> <property name="nodeService" ref="NodeService"/>
</bean> </bean>
@@ -34,6 +35,7 @@
<property name="extendingBeanName" value="rm.quickShareService"/> <property name="extendingBeanName" value="rm.quickShareService"/>
</bean> </bean>
<!-- Extended permission service interface -->
<bean id="ExtendedPermissionService" class="org.springframework.aop.framework.ProxyFactoryBean"> <bean id="ExtendedPermissionService" class="org.springframework.aop.framework.ProxyFactoryBean">
<property name="proxyInterfaces"> <property name="proxyInterfaces">
<value>org.alfresco.repo.security.permissions.impl.ExtendedPermissionService</value> <value>org.alfresco.repo.security.permissions.impl.ExtendedPermissionService</value>
@@ -51,6 +53,7 @@
</property> </property>
</bean> </bean>
<!-- Extended permissions service security bean -->
<bean id="ExtendedPermissionService_security" class="org.alfresco.module.org_alfresco_module_rm.security.RMMethodSecurityInterceptor"> <bean id="ExtendedPermissionService_security" class="org.alfresco.module.org_alfresco_module_rm.security.RMMethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
@@ -77,11 +80,11 @@
</property> </property>
</bean> </bean>
<!-- Writers permission cache -->
<bean name="writersSharedCache" factory-bean="cacheFactory" factory-method="createCache"> <bean name="writersSharedCache" factory-bean="cacheFactory" factory-method="createCache">
<constructor-arg value="cache.writersSharedCache"/> <constructor-arg value="cache.writersSharedCache"/>
</bean> </bean>
<bean name="writersCache" class="org.alfresco.repo.cache.TransactionalCache">
<bean name="writersCache" class="org.alfresco.repo.cache.TransactionalCache">
<property name="sharedCache"> <property name="sharedCache">
<ref bean="writersSharedCache" /> <ref bean="writersSharedCache" />
</property> </property>
@@ -92,48 +95,25 @@
<property name="mutable" value="true" /> <property name="mutable" value="true" />
<property name="disableSharedCache" value="${system.cache.disableMutableSharedCaches}" /> <property name="disableSharedCache" value="${system.cache.disableMutableSharedCaches}" />
</bean> </bean>
<bean id="permissionServiceImpl" class="org.alfresco.repo.security.permissions.impl.RMPermissionServiceImpl" init-method="init"> <!-- Permission processor registry -->
<property name="writersCache" ref="writersCache"/> <bean id="permissionProcessorRegistry" class='org.alfresco.repo.security.permissions.processor.PermissionProcessorRegistry'/>
<property name="nodeService">
<ref bean="mtAwareNodeService" /> <!-- Permission pre-processor base bean -->
</property> <bean id="parentPermissionPreProcessor" init-method="init" abstract="true">
<property name="tenantService"> <property name="permissionProcessorRegistry" ref="permissionProcessorRegistry"/>
<ref bean="tenantService"/> </bean>
</property>
<property name="dictionaryService"> <!-- Permission post-processor base bean -->
<ref bean="dictionaryService" /> <bean id="parentPermissionPostProcessor" init-method="init" abstract="true">
</property> <property name="permissionProcessorRegistry" ref="permissionProcessorRegistry"/>
<property name="permissionsDaoComponent"> </bean>
<ref bean="permissionsDaoComponent" />
</property> <!-- Extended permission service implementation bean -->
<property name="modelDAO"> <bean id="rm.permissionServiceImpl" abstract="true" class="org.alfresco.repo.security.permissions.impl.ExtendedPermissionServiceImpl">
<ref bean="permissionsModelDAO" /> <property name="writersCache" ref="writersCache"/>
</property> <property name="filePlanService" ref="filePlanService" />
<property name="authorityService"> <property name="permissionProcessorRegistry" ref="permissionProcessorRegistry"/>
<ref bean="authorityService" />
</property>
<property name="accessCache">
<ref bean="permissionsAccessCache" />
</property>
<property name="readersCache">
<ref bean="readersCache" />
</property>
<property name="readersDeniedCache">
<ref bean="readersDeniedCache" />
</property>
<property name="policyComponent">
<ref bean="policyComponent" />
</property>
<property name="aclDAO">
<ref bean="aclDAO" />
</property>
<property name="ownableService">
<ref bean="ownableService" />
</property>
<property name="anyDenyDenies">
<value>${security.anyDenyDenies}</value>
</property>
<property name="dynamicAuthorities"> <property name="dynamicAuthorities">
<list> <list>
<ref bean="ownerDynamicAuthority" /> <ref bean="ownerDynamicAuthority" />
@@ -142,13 +122,14 @@
<ref bean="extendedReaderDynamicAuthority" /> <ref bean="extendedReaderDynamicAuthority" />
</list> </list>
</property> </property>
<property name="filePlanService"> </bean>
<ref bean="filePlanService" /> <bean class="org.alfresco.util.BeanExtender">
</property> <property name="beanName" value="permissionServiceImpl"/>
<property name="extendingBeanName" value="rm.permissionServiceImpl"/>
</bean> </bean>
<!-- In-place reader and writer dynamic authorites -->
<bean id="extendedReaderDynamicAuthority" class="org.alfresco.module.org_alfresco_module_rm.security.ExtendedReaderDynamicAuthority" /> <bean id="extendedReaderDynamicAuthority" class="org.alfresco.module.org_alfresco_module_rm.security.ExtendedReaderDynamicAuthority" />
<bean id="extendedWriterDynamicAuthority" class="org.alfresco.module.org_alfresco_module_rm.security.ExtendedWriterDynamicAuthority" /> <bean id="extendedWriterDynamicAuthority" class="org.alfresco.module.org_alfresco_module_rm.security.ExtendedWriterDynamicAuthority" />
<!-- Action Service --> <!-- Action Service -->

9
rm-server/config/alfresco/module/org_alfresco_module_rm/module-context.xml
View File

@@ -24,9 +24,8 @@
<bean name="rm.alfrescoTransactionSupport" class="org.alfresco.module.org_alfresco_module_rm.util.AlfrescoTransactionSupport" /> <bean name="rm.alfrescoTransactionSupport" class="org.alfresco.module.org_alfresco_module_rm.util.AlfrescoTransactionSupport" />
<!-- Import extended repository context --> <!-- Import extended repository context -->
<import resource="classpath:alfresco/module/org_alfresco_module_rm/extended-repository-context.xml"/> <import resource="classpath:alfresco/module/org_alfresco_module_rm/extended-repository-context.xml"/>
<!-- Bootstrap records management data --> <!-- Bootstrap records management data -->
<bean id="org_alfresco_module_rm_bootstrapData" <bean id="org_alfresco_module_rm_bootstrapData"
class="org.alfresco.module.org_alfresco_module_rm.bootstrap.BootstrapImporterModuleComponent" class="org.alfresco.module.org_alfresco_module_rm.bootstrap.BootstrapImporterModuleComponent"
@@ -84,6 +83,12 @@
</list> </list>
</property> </property>
</bean> </bean>
<!-- Records management permission post processor -->
<bean id="recordsManagementPermissionPostProcessor" class="org.alfresco.module.org_alfresco_module_rm.permission.RecordsManagementPermissionPostProcessor" parent="parentPermissionPostProcessor">
<property name="nodeService" ref="nodeService"/>
<property name="permissionService" ref="permissionService"/>
</bean>
<!-- Import RM model --> <!-- Import RM model -->
<import resource="classpath:alfresco/module/org_alfresco_module_rm/rm-model-context.xml"/> <import resource="classpath:alfresco/module/org_alfresco_module_rm/rm-model-context.xml"/>

3
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/caveat/RMCaveatConfigComponentImpl.java
View File

@@ -35,10 +35,11 @@ import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReadWriteLock; import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock; import java.util.concurrent.locks.ReentrantReadWriteLock;
import net.sf.acegisecurity.AccessDeniedException;
import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.model.ContentModel; import org.alfresco.model.ContentModel;
import org.alfresco.module.org_alfresco_module_rm.caveat.RMListOfValuesConstraint.MatchLogic; import org.alfresco.module.org_alfresco_module_rm.caveat.RMListOfValuesConstraint.MatchLogic;
import org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.AccessDeniedException;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.repo.cache.SimpleCache; import org.alfresco.repo.cache.SimpleCache;
import org.alfresco.repo.content.ContentServicePolicies; import org.alfresco.repo.content.ContentServicePolicies;

11
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImpl.java
View File

@@ -212,9 +212,14 @@ public class ContentClassificationServiceImpl extends ServiceBaseImpl
@Override @Override
public boolean hasClearance(NodeRef nodeRef) public boolean hasClearance(NodeRef nodeRef)
{ {
// Get the node's current classification boolean result = true;
ClassificationLevel currentClassification = getCurrentClassification(nodeRef); if (nodeService.exists(nodeRef))
return securityClearanceService.isCurrentUserClearedForClassification(currentClassification.getId()); {
// Get the node's current classification
ClassificationLevel currentClassification = getCurrentClassification(nodeRef);
result = securityClearanceService.isCurrentUserClearedForClassification(currentClassification.getId());
}
return result;
} }
/** /**

122
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/ClassificationMethodInterceptor.java
View File

@@ -1,122 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor;
import static org.alfresco.repo.security.authentication.AuthenticationUtil.getFullyAuthenticatedUser;
import static org.alfresco.repo.security.authentication.AuthenticationUtil.isRunAsUserTheSystemUser;
import static org.alfresco.util.ParameterCheck.mandatory;
import static org.apache.commons.lang3.StringUtils.isNotBlank;
import org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.PostMethodInvocationProcessor;
import org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.PreMethodInvocationProcessor;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
/**
* Classification method interceptor
*
* @author Roy Wetherall
* @author Tuna Aksoy
* @since 3.0.a
*/
public class ClassificationMethodInterceptor implements MethodInterceptor
{
/** Pre method invocation processor */
private PreMethodInvocationProcessor preMethodInvocationProcessor;
/** Post method invocation processor */
private PostMethodInvocationProcessor postMethodInvocationProcessor;
/**
* @return the preMethodInvocationProcessor
*/
protected PreMethodInvocationProcessor getPreMethodInvocationProcessor()
{
return this.preMethodInvocationProcessor;
}
/**
* @return the postMethodInvocationProcessor
*/
protected PostMethodInvocationProcessor getPostMethodInvocationProcessor()
{
return this.postMethodInvocationProcessor;
}
/**
* @param postMethodInvocationProcessor the postMethodInvocationProcessor to set
*/
public void setPostMethodInvocationProcessor(PostMethodInvocationProcessor postMethodInvocationProcessor)
{
this.postMethodInvocationProcessor = postMethodInvocationProcessor;
}
/**
* @param preMethodInvocationProcessor the preMethodInvocationProcessor to set
*/
public void setPreMethodInvocationProcessor(PreMethodInvocationProcessor preMethodInvocationProcessor)
{
this.preMethodInvocationProcessor = preMethodInvocationProcessor;
}
/**
* @see org.aopalliance.intercept.MethodInterceptor#invoke(org.aopalliance.intercept.MethodInvocation)
*/
@Override
public Object invoke(MethodInvocation invocation) throws Throwable
{
mandatory("invocation", invocation);
boolean isUserValid = isUserValid();
// Pre method invocation processing
if (isUserValid)
{
getPreMethodInvocationProcessor().process(invocation);
}
// Method invocation
Object result = invocation.proceed();
// Post method invocation processing
if (isUserValid && result != null)
{
result = getPostMethodInvocationProcessor().process(result);
}
return result;
}
/**
* Checks if we have an authenticated user and that they aren't "System"
*
* @return <code>true</code> if we have an authenticated user and that they aren't "System", <code>false</code> otherwise.
*/
private boolean isUserValid()
{
boolean result = false;
if (isNotBlank(getFullyAuthenticatedUser()) && !isRunAsUserTheSystemUser())
{
result = true;
}
return result;
}
}

83
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/ClassificationMethodInterceptorPostProcessor.java
View File

@@ -1,83 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor;
import org.springframework.beans.BeansException;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.beans.PropertyValue;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.beans.factory.config.RuntimeBeanNameReference;
import org.springframework.beans.factory.support.ManagedList;
/**
* Classification method interceptor bean factory post processor.
* <p>
* Bean factory post processor that inspects available beans and adds the classification method interceptor
* to all public services.
*
* @author Roy Wetherall
* @since 3.0.a
*/
public class ClassificationMethodInterceptorPostProcessor implements BeanFactoryPostProcessor
{
private static final String PROP_INTERCEPTOR_NAMES = "interceptorNames";
private static final String TYPE_PROXY_FACTORY_BEAN = "ProxyFactoryBean";
private static final String POSTFIX_SERVICE = "Service";
private static final String BEAN_NAME_CLASSIFICATION_METHOD_INTERCEPTOR = "classificationMethodInterceptor";
/**
* @see org.springframework.beans.factory.config.BeanFactoryPostProcessor#postProcessBeanFactory(org.springframework.beans.factory.config.ConfigurableListableBeanFactory)
*/
@SuppressWarnings("unchecked")
@Override
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException
{
// get all bean definition names
String beans[] = beanFactory.getBeanDefinitionNames();
for (String bean : beans)
{
// get bean definition
BeanDefinition beanDefinition = beanFactory.getBeanDefinition(bean);
// only modify proxy factory beans that follow the public service naming postfix convention
if (beanDefinition.getBeanClassName() != null &&
beanDefinition.getBeanClassName().endsWith(TYPE_PROXY_FACTORY_BEAN) &&
bean.endsWith(POSTFIX_SERVICE) &&
Character.isUpperCase(bean.charAt(0)))
{
// get the property values for the bean definition
MutablePropertyValues propertyValues = beanDefinition.getPropertyValues();
if (propertyValues.contains(PROP_INTERCEPTOR_NAMES))
{
// get the current list of interceptor names
PropertyValue value = propertyValues.getPropertyValue(PROP_INTERCEPTOR_NAMES);
ManagedList<RuntimeBeanNameReference> list = (ManagedList<RuntimeBeanNameReference>)value.getValue();
if (!list.isEmpty())
{
// add reference to classification method interceptor
RuntimeBeanNameReference beanReference = new RuntimeBeanNameReference(BEAN_NAME_CLASSIFICATION_METHOD_INTERCEPTOR);
list.add(beanReference);
}
}
}
}
}
}

90
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/ArrayPostMethodInvocationProcessor.java
View File

@@ -1,90 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import static java.lang.reflect.Array.newInstance;
import java.lang.reflect.Array;
import java.util.ArrayList;
import java.util.List;
import org.springframework.stereotype.Component;
/**
* Array Post Method Invocation Processor
*
* @author Tuna Aksoy
* @since 3.0.a
*/
@Component
public class ArrayPostMethodInvocationProcessor extends BasePostMethodInvocationProcessor
{
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#getClassName()
*/
@Override
protected Class<Array> getClassName()
{
return Array.class;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#process(java.lang.Object)
*/
@SuppressWarnings({ "unchecked", "rawtypes" })
@Override
protected <T> T process(T object)
{
T result = object;
if (result != null)
{
T[] objects = (T[]) result;
T obj = objects[0];
BasePostMethodInvocationProcessor processor = getPostMethodInvocationProcessor().getProcessor(obj);
if (processor != null)
{
int length = objects.length;
List processedObjects = new ArrayList();
for (int i = 0; i < length; i++)
{
Object processedObject = processor.process(objects[i]);
if (processedObject != null)
{
processedObjects.add(processedObject);
}
}
int size = processedObjects.size();
T[] objs = (T[]) newInstance(obj.getClass(), size);
for (int i = 0; i < size; i++)
{
objs[i] = (T) processedObjects.get(i);
}
result = (T) objs;
}
}
return result;
}
}

69
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/AssociationRefPostMethodInvocationProcessor.java
View File

@@ -1,69 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import org.alfresco.service.cmr.repository.AssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.springframework.stereotype.Component;
/**
* AssociationRef Post Method Invocation Processor
*
* @author Tuna Aksoy
* @since 3.0.a
*/
@Component
public class AssociationRefPostMethodInvocationProcessor extends BasePostMethodInvocationProcessor
{
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#getClassName()
*/
@Override
protected Class<AssociationRef> getClassName()
{
return AssociationRef.class;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#process(java.lang.Object)
*/
@Override
protected <T> T process(T object)
{
T result = object;
if (result != null)
{
AssociationRef associationRef = getClassName().cast(result);
NodeRef sourceRef = associationRef.getSourceRef();
NodeRef filteredSource = filter(sourceRef);
NodeRef targetRef = associationRef.getTargetRef();
NodeRef filteredTarget = filter(targetRef);
if (filteredSource == null || filteredTarget == null)
{
result = null;
}
}
return result;
}
}

159
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/BasePostMethodInvocationProcessor.java
View File

@@ -1,159 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import static org.alfresco.model.ContentModel.TYPE_CONTENT;
import javax.annotation.PostConstruct;
import org.alfresco.module.org_alfresco_module_rm.classification.ContentClassificationService;
import org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService;
import org.alfresco.service.cmr.dictionary.DictionaryService;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.springframework.beans.factory.annotation.Autowired;
/**
* Base class for post method invocation processors
*
* @author Tuna Aksoy
* @since 3.0.a
*/
public abstract class BasePostMethodInvocationProcessor
{
/** Node service */
@Autowired
private NodeService nodeService;
/** Dictionary service */
@Autowired
private DictionaryService dictionaryService;
/** Content classification service */
@Autowired
private ContentClassificationService contentClassificationService;
/** Security Clearance Service */
@Autowired
private SecurityClearanceService securityClearanceService;
/** Post method invocation processor */
@Autowired
private PostMethodInvocationProcessor postMethodInvocationProcessor;
/** Pre method invocation processor */
@Autowired
private PreMethodInvocationProcessor preMethodInvocationProcessor;
/**
* @return the nodeService
*/
protected NodeService getNodeService()
{
return this.nodeService;
}
/**
* @return the dictionaryService
*/
protected DictionaryService getDictionaryService()
{
return this.dictionaryService;
}
/**
* @return the contentClassificationService
*/
protected ContentClassificationService getContentClassificationService()
{
return this.contentClassificationService;
}
/**
* @return the securityClearanceService
*/
protected SecurityClearanceService getSecurityClearanceService()
{
return this.securityClearanceService;
}
/**
* @return the postMethodInvocationProcessor
*/
protected PostMethodInvocationProcessor getPostMethodInvocationProcessor()
{
return this.postMethodInvocationProcessor;
}
/**
* Registers the post method invocation processors
*/
@PostConstruct
private void register()
{
getPostMethodInvocationProcessor().register(this);
}
/**
* Gets the class name
*
* @return The class name
*/
protected abstract Class<?> getClassName();
/**
* Performs checks on the given object and throws exception if not all checks pass
*
* @param object The object to check
* @return The given object
*/
protected abstract <T extends Object> T process(T object);
/**
* Filters the node if the give node reference exist and it is a
* content but the logged in user is not cleared to see the it.
*
* @param nodeRef Node reference
* @return <code>null</code> if the give node reference has been
* filtered, the node reference itself otherwise
*/
protected NodeRef filter(NodeRef nodeRef)
{
NodeRef filter = nodeRef;
// disable pre-method invocation processor
preMethodInvocationProcessor.disable();
try
{
if (getNodeService().exists(nodeRef) &&
getDictionaryService().isSubClass(getNodeService().getType(nodeRef), TYPE_CONTENT) &&
!getContentClassificationService().hasClearance(nodeRef))
{
filter = null;
}
}
finally
{
// re-enable pre-method invocation processor
preMethodInvocationProcessor.enable();
}
return filter;
}
}

80
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/ChildAssociationRefPostMethodInvocationProcessor.java
View File

@@ -1,80 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.springframework.stereotype.Component;
/**
* ChildAssociationRef Post Method Invocation Processor
*
* @author Tuna Aksoy
* @since 3.0.a
*/
@Component
public class ChildAssociationRefPostMethodInvocationProcessor extends BasePostMethodInvocationProcessor
{
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#getClassName()
*/
@Override
protected Class<ChildAssociationRef> getClassName()
{
return ChildAssociationRef.class;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#process(java.lang.Object)
*/
@Override
protected <T> T process(T object)
{
T result = object;
if (result != null)
{
ChildAssociationRef childAssociationRef = getClassName().cast(result);
NodeRef childRef = childAssociationRef.getChildRef();
NodeRef filteredChildRef = filter(childRef);
NodeRef parentRef = childAssociationRef.getParentRef();
NodeRef filteredParentRef;
if (parentRef == null)
{
if (filteredChildRef == null)
{
result = null;
}
}
else
{
filteredParentRef = filter(parentRef);
if (filteredChildRef == null || filteredParentRef == null)
{
result = null;
}
}
}
return result;
}
}

84
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/CollectionPostMethodInvocationProcessor.java
View File

@@ -1,84 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import java.util.Collection;
import java.util.Iterator;
import org.springframework.stereotype.Component;
/**
* Collection Post Method Invocation Processor.
*
* @author Tuna Aksoy
* @since 3.0.a
*/
@Component
public class CollectionPostMethodInvocationProcessor extends BasePostMethodInvocationProcessor
{
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#getClassName()
*/
@SuppressWarnings("rawtypes")
@Override
protected Class<Collection> getClassName()
{
return Collection.class;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#process(java.lang.Object)
*/
@SuppressWarnings({ "rawtypes", "unchecked" })
@Override
protected <T> T process(T object)
{
T result = object;
if (result != null)
{
BasePostMethodInvocationProcessor processor = null;
Collection collection = getClassName().cast(object);
Iterator<T> iterator = collection.iterator();
while (iterator.hasNext())
{
Object element = iterator.next();
if (processor == null)
{
processor = getPostMethodInvocationProcessor().getProcessor(element);
if (processor == null)
{
break;
}
}
Object processedElement = processor.process(element);
if (processedElement == null)
{
iterator.remove();
}
}
result = (T) collection;
}
return result;
}
}

61
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/NodeRefPostMethodInvocationProcessor.java
View File

@@ -1,61 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import org.alfresco.service.cmr.repository.NodeRef;
import org.springframework.stereotype.Component;
/**
* NodeRef Post Method Invocation Processor
*
* @author Tuna Aksoy
* @since 3.0.a
*/
@Component
public class NodeRefPostMethodInvocationProcessor extends BasePostMethodInvocationProcessor
{
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#getClassName()
*/
@Override
protected Class<NodeRef> getClassName()
{
return NodeRef.class;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#process(java.lang.Object)
*/
@Override
protected <T> T process(T object)
{
T result = object;
if (result != null)
{
NodeRef nodeRef = getClassName().cast(result);
if (filter(nodeRef) == null)
{
result = null;
}
}
return result;
}
}

94
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/PagingResultsPostMethodInvocationProcessor.java
View File

@@ -1,94 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import java.util.List;
import org.alfresco.query.PagingResults;
import org.alfresco.util.Pair;
import org.springframework.stereotype.Component;
/**
* PagingResults Post Method Invocation Processor
*
* @author Tuna Aksoy
* @since 3.0.a
*/
@Component
public class PagingResultsPostMethodInvocationProcessor extends BasePostMethodInvocationProcessor
{
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#getClassName()
*/
@SuppressWarnings("rawtypes")
@Override
protected Class<PagingResults> getClassName()
{
return PagingResults.class;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#process(java.lang.Object)
*/
@SuppressWarnings({ "rawtypes", "unchecked" })
@Override
protected <T> T process(T object)
{
T result = object;
if (result != null)
{
final PagingResults pagingResults = getClassName().cast(result);
List page = pagingResults.getPage();
int originalPageSize = page.size();
final List processedPage = getPostMethodInvocationProcessor().process(page);
if (processedPage != null && processedPage.size() != originalPageSize)
{
result = (T) new PagingResults<T>()
{
@Override
public String getQueryExecutionId()
{
return pagingResults.getQueryExecutionId();
}
@Override
public List<T> getPage()
{
return processedPage;
}
@Override
public boolean hasMoreItems()
{
// hasMoreItems might not be correct. Cannot determine the correct value as request details are needed.
return pagingResults.hasMoreItems();
}
@Override
public Pair<Integer, Integer> getTotalResultCount()
{
int size = processedPage.size();
return new Pair<Integer, Integer>(size, size);
}
};
}
}
return result;
}
}

63
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/PermissionCheckValuePostMethodInvocationProcessor.java
View File

@@ -1,63 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import org.alfresco.repo.security.permissions.PermissionCheckValue;
import org.alfresco.service.cmr.repository.NodeRef;
import org.springframework.stereotype.Component;
/**
* Permission Check Value Post Method Invocation Processor
*
* @author Tuna Aksoy
* @since 3.0.a
*/
@Component
public class PermissionCheckValuePostMethodInvocationProcessor extends BasePostMethodInvocationProcessor
{
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#getClassName()
*/
@Override
protected Class<PermissionCheckValue> getClassName()
{
return PermissionCheckValue.class;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#process(java.lang.Object)
*/
@Override
protected <T> T process(T object)
{
T result = object;
if (result != null)
{
PermissionCheckValue permissionCheckValue = getClassName().cast(result);
NodeRef nodeRef = permissionCheckValue.getNodeRef();
if (filter(nodeRef) == null)
{
result = null;
}
}
return result;
}
}

119
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/PostMethodInvocationProcessor.java
View File

@@ -1,119 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import static org.alfresco.util.ParameterCheck.mandatory;
import java.lang.reflect.Array;
import java.util.HashMap;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
/**
* Registry for post method invocation processors
*
* @author Tuna Aksoy
* @since 3.0.a
*/
public class PostMethodInvocationProcessor
{
/** Post method invocation processors */
private Map<Class<?>, BasePostMethodInvocationProcessor> processors = new HashMap<>();
/**
* Registers a post method invocation processor
*
* @param Post method invocation processor object
*/
public void register(BasePostMethodInvocationProcessor object)
{
mandatory("object", object);
getProcessors().put(object.getClassName(), object);
}
/**
* Gets all the available processors
*
* @return the processors Available processors
*/
private Map<Class<?>, BasePostMethodInvocationProcessor> getProcessors()
{
return this.processors;
}
/**
* Gets the processor from the available processors
*
* @param object The post invocation object
* @return The suitable processor for the given class
*/
protected BasePostMethodInvocationProcessor getProcessor(Object object)
{
BasePostMethodInvocationProcessor result = null;
if (object != null)
{
Class<? extends Object> clazz = object.getClass();
if (clazz.isArray())
{
result = getProcessors().get(Array.class);
}
if (result == null)
{
Set<Entry<Class<?>, BasePostMethodInvocationProcessor>> processorsEntrySet = getProcessors().entrySet();
for (Map.Entry<Class<?>, BasePostMethodInvocationProcessor> processorEntry : processorsEntrySet)
{
if (processorEntry.getKey().isAssignableFrom(clazz))
{
result = processorEntry.getValue();
break;
}
}
}
}
return result;
}
/**
* Processes the given object
*
* @param object The object to process
* @return The processed object
*/
public <T> T process(T object)
{
T result = object;
if (result != null)
{
BasePostMethodInvocationProcessor processor = getProcessor(result);
if (processor != null)
{
result = processor.process(result);
}
}
return result;
}
}

235
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/PreMethodInvocationProcessor.java
View File

@@ -1,235 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import static java.lang.Boolean.TRUE;
import static org.alfresco.model.ContentModel.TYPE_CONTENT;
import static org.alfresco.repo.security.authentication.AuthenticationUtil.getFullyAuthenticatedUser;
import static org.alfresco.util.GUID.generate;
import static org.alfresco.util.ParameterCheck.mandatory;
import java.lang.reflect.Method;
import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceBootstrap;
import org.alfresco.module.org_alfresco_module_rm.classification.ContentClassificationService;
import org.alfresco.module.org_alfresco_module_rm.util.AlfrescoTransactionSupport;
import org.alfresco.repo.transaction.RetryingTransactionHelper;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
import org.alfresco.service.cmr.dictionary.DictionaryService;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.transaction.TransactionService;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
/**
* Pre method invocation processor
*
* @author Roy Wetherall
* @author Tuna Aksoy
* @since 3.0.a
*/
public class PreMethodInvocationProcessor implements ApplicationContextAware
{
/** Key to mark the transaction as processing */
private static final String KEY_PROCESSING = generate();
/** Application context */
private ApplicationContext applicationContext;
/**
* @see org.springframework.context.ApplicationContextAware#setApplicationContext(org.springframework.context.ApplicationContext)
*/
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
{
this.applicationContext = applicationContext;
}
/**
* Gets the content classification service
*
* @return The content classification service
*/
protected ContentClassificationService getContentClassificationService()
{
return (ContentClassificationService) applicationContext.getBean("contentClassificationService");
}
/**
* Gets the node service
*
* @return The node service
*/
protected NodeService getNodeService()
{
return (NodeService) applicationContext.getBean("dbNodeService");
}
/**
* Gets the dictionary service
*
* @return The dictionary service
*/
protected DictionaryService getDictionaryService()
{
return (DictionaryService) applicationContext.getBean("dictionaryService");
}
/**
* Gets the alfresco transaction support
*
* @return The alfresco transaction support
*/
protected AlfrescoTransactionSupport getAlfrescoTransactionSupport()
{
return (AlfrescoTransactionSupport) applicationContext.getBean("rm.alfrescoTransactionSupport");
}
/**
* Gets the retrying transaction helper
*
* @return The retrying transaction helper
*/
protected RetryingTransactionHelper getRetryingTransactionHelper()
{
return ((TransactionService) applicationContext.getBean("transactionService")).getRetryingTransactionHelper();
}
/**
* Gets the classification service bootstrap
*
* @return The classification service bootstrap
*/
protected ClassificationServiceBootstrap getClassificationServiceBootstrap()
{
return (ClassificationServiceBootstrap) applicationContext.getBean("classificationServiceBootstrap");
}
/**
* is pre-processing enabled?
*
* @return boolean <code>true</code> if enabled, <code>false</code> otherwise
*/
public boolean isEnabled()
{
return (getAlfrescoTransactionSupport().getResource(KEY_PROCESSING) == null);
}
/**
* disable pre-processing for this transaction
*/
public void disable()
{
// mark the transaction as processing a classification check
getAlfrescoTransactionSupport().bindResource(KEY_PROCESSING, TRUE);
}
/**
* enable pre-processing for this transaction
*/
public void enable()
{
// clear the transaction as processed a classification check
getAlfrescoTransactionSupport().unbindResource(KEY_PROCESSING);
}
/**
* Checks if the current user is cleared to see the items
* passed as parameters to the current method invocation.
*
* @param invocation The current method invocation
*/
public void process(final MethodInvocation invocation)
{
mandatory("invocation", invocation);
// do in transaction
getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback<Void>()
{
@SuppressWarnings("rawtypes")
public Void execute() throws Throwable
{
// ensure classification service has been bootstrapped
if (getClassificationServiceBootstrap().isInitialised())
{
// if pre-processing is enabled
if (isEnabled())
{
Method method = invocation.getMethod();
Class[] params = method.getParameterTypes();
int position = 0;
for (Class param : params)
{
// if the param is a node reference
if (NodeRef.class.isAssignableFrom(param))
{
// disable pre-processing
disable();
try
{
// get the value of the parameter
NodeRef testNodeRef = (NodeRef) invocation.getArguments()[position];
// if node exists then see if the current user has clearance
isNodeCleared(testNodeRef, method);
}
finally
{
// re-enable pre-processing
enable();
}
}
position++;
}
}
}
return null;
}
}, true);
}
/**
* Checks if the given node exists, if it is a content and if
* the currently logged in user is cleared to see it.
*
* @param nodeRef Node reference to check
* @param method The invoked method
*/
private void isNodeCleared(NodeRef nodeRef, Method method)
{
if (nodeRef != null &&
getNodeService().exists(nodeRef) &&
getDictionaryService().isSubClass(getNodeService().getType(nodeRef), TYPE_CONTENT) &&
!getContentClassificationService().hasClearance(nodeRef))
{
String className = method.getDeclaringClass().getSimpleName();
String methodName = method.getName();
String name = className + "." + methodName;
throw new AccessDeniedException("Access is denied for the user '" + getFullyAuthenticatedUser()
+ "' to call the method '" + name + "' for the node '" + nodeRef + "'.");
}
}
}

84
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/QueryEngineResultsPostMethodInvocationProcessor.java
View File

@@ -1,84 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import java.util.HashMap;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import org.alfresco.repo.search.impl.querymodel.QueryEngineResults;
import org.alfresco.service.cmr.search.ResultSet;
import org.springframework.stereotype.Component;
/**
* A post method invocation processor for {@link QueryEngineResults}.
*
* @author Tom Page
* @since 3.0.a
*/
@Component
public class QueryEngineResultsPostMethodInvocationProcessor extends BasePostMethodInvocationProcessor
{
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#getClassName()
*/
@Override
protected Class<QueryEngineResults> getClassName()
{
return QueryEngineResults.class;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#process(java.lang.Object)
*/
@SuppressWarnings("unchecked")
@Override
protected <T> T process(T object)
{
T result = object;
if (result != null)
{
QueryEngineResults queryEngineResults = getClassName().cast(result);
Map<Set<String>, ResultSet> resultsMap = queryEngineResults.getResults();
Map<Set<String>, ResultSet> returnMap = new HashMap<>();
BasePostMethodInvocationProcessor processor = null;
for (Entry<Set<String>, ResultSet> entry : resultsMap.entrySet())
{
ResultSet value = entry.getValue();
if (processor == null)
{
processor = getPostMethodInvocationProcessor().getProcessor(value);
}
ResultSet newResultSet = processor.process(value);
if (newResultSet != null)
{
returnMap.put(entry.getKey(), newResultSet);
}
}
result = (T) new QueryEngineResults(returnMap);
}
return result;
}
}

118
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/ResultSetPostMethodInvocationProcessor.java
View File

@@ -1,118 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import static org.alfresco.service.cmr.search.PermissionEvaluationMode.EAGER;
import java.util.BitSet;
import org.alfresco.repo.search.SimpleResultSetMetaData;
import org.alfresco.repo.security.permissions.impl.acegi.FilteringResultSet;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.search.ResultSet;
import org.alfresco.service.cmr.search.ResultSetMetaData;
import org.alfresco.service.cmr.search.ResultSetRow;
import org.alfresco.service.cmr.search.SearchParameters;
import org.springframework.stereotype.Component;
/**
* ResultSet Post Method Invocation Processor
*
* @author Tuna Aksoy
* @since 3.0.a
*/
@Component
public class ResultSetPostMethodInvocationProcessor extends BasePostMethodInvocationProcessor
{
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#getClassName()
*/
@Override
protected Class<ResultSet> getClassName()
{
return ResultSet.class;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.CollectionPostMethodInvocationProcessor#process(java.lang.Object)
*/
@SuppressWarnings({ "unchecked" })
@Override
protected <T> T process(T object)
{
T result = object;
if (result != null)
{
ResultSet returnedObject = getClassName().cast(result);
BitSet inclusionMask = new BitSet(returnedObject.length());
FilteringResultSet filteringResultSet = new FilteringResultSet(returnedObject, inclusionMask);
ResultSetMetaData resultSetMetaData = returnedObject.getResultSetMetaData();
SearchParameters searchParameters = resultSetMetaData.getSearchParameters();
BasePostMethodInvocationProcessor nodeRefProcessor = null;
BasePostMethodInvocationProcessor childAssociationRefProcessor = null;
for (int i = 0; i < returnedObject.length(); i++)
{
ResultSetRow row = returnedObject.getRow(i);
NodeRef nodeRef = row.getNodeRef();
if (nodeRefProcessor == null)
{
nodeRefProcessor = getPostMethodInvocationProcessor().getProcessor(nodeRef);
}
NodeRef processedNodeRef = nodeRefProcessor.process(nodeRef);
if (processedNodeRef == null)
{
inclusionMask.set(i, false);
}
else
{
ChildAssociationRef childAssocRef = row.getChildAssocRef();
if (childAssociationRefProcessor == null)
{
childAssociationRefProcessor = getPostMethodInvocationProcessor().getProcessor(childAssocRef);
}
ChildAssociationRef childAssociationRef = childAssociationRefProcessor.process(childAssocRef);
if (childAssociationRef == null)
{
inclusionMask.set(i, false);
}
else
{
inclusionMask.set(i, true);
}
}
}
SimpleResultSetMetaData simpleResultSetMetaData = new SimpleResultSetMetaData(resultSetMetaData.getLimitedBy(), EAGER, searchParameters);
filteringResultSet.setResultSetMetaData(simpleResultSetMetaData);
result = (T) filteringResultSet;
}
return result;
}
}

63
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/StoreRefPostMethodInvocationProcessor.java
View File

@@ -1,63 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.StoreRef;
import org.springframework.stereotype.Component;
/**
* StoreRef Post Method Invocation Processor
*
* @author Tuna Aksoy
* @since 3.0.a
*/
@Component
public class StoreRefPostMethodInvocationProcessor extends BasePostMethodInvocationProcessor
{
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#getClassName()
*/
@Override
protected Class<StoreRef> getClassName()
{
return StoreRef.class;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.BasePostMethodInvocationProcessor#process(java.lang.Object)
*/
@Override
protected <T> T process(T object)
{
T result = object;
if (result != null)
{
StoreRef storeRef = getClassName().cast(result);
NodeRef nodeRef = getNodeService().getRootNode(storeRef);
if (filter(nodeRef) == null)
{
result = null;
}
}
return result;
}
}

138
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/permission/ClassificationPermissionPreProcessor.java Normal file
View File

@@ -0,0 +1,138 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.permission;
import java.util.Map;
import java.util.Set;
import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceBootstrap;
import org.alfresco.module.org_alfresco_module_rm.classification.ContentClassificationService;
import org.alfresco.module.org_alfresco_module_rm.util.AuthenticationUtil;
import org.alfresco.module.org_alfresco_module_rm.util.TransactionalResourceHelper;
import org.alfresco.repo.security.permissions.processor.impl.PermissionPreProcessorBaseImpl;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.util.Triple;
/**
* Classification permission pre-processor implementation.
*
* @author Roy Wetherall
* @since 3.0.a
*/
public class ClassificationPermissionPreProcessor extends PermissionPreProcessorBaseImpl
{
/** transaction resource keys */
/*package*/ static final String KEY_PROCESSING = ClassificationPermissionPreProcessor.class.getName() + ".processing";
/*package*/ static final String KEY_CACHE = ClassificationPermissionPreProcessor.class.getName() + ".cache";
/** content classification service */
private ContentClassificationService contentClassificationService;
/** transaction resource helper */
private TransactionalResourceHelper transactionalResourceHelper;
/** classificaiton service bootstrap */
private ClassificationServiceBootstrap classificationServiceBootstrap;
/** authentication util */
private AuthenticationUtil authenticationUtil;
/**
* @param contentClassificationService content classification service
*/
public void setContentClassificationService(ContentClassificationService contentClassificationService)
{
this.contentClassificationService = contentClassificationService;
}
/**
* @param transactionalResourceHelper transaction resource helper
*/
public void setTransactionalResourceHelper(TransactionalResourceHelper transactionalResourceHelper)
{
this.transactionalResourceHelper = transactionalResourceHelper;
}
/**
* @param classificationServiceBootstrap classification service bootstrap
*/
public void setClassificationServiceBootstrap(ClassificationServiceBootstrap classificationServiceBootstrap)
{
this.classificationServiceBootstrap = classificationServiceBootstrap;
}
/**
* @param authenticationUtil authentication util
*/
public void setAuthenticationUtil(AuthenticationUtil authenticationUtil)
{
this.authenticationUtil = authenticationUtil;
}
/**
* @see org.alfresco.repo.security.permissions.processor.PermissionPreProcessor#process(org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*/
@Override
public AccessStatus process(NodeRef nodeRef, String perm)
{
AccessStatus result = AccessStatus.UNDETERMINED;
// ensure the classification bootstrap has been initialised
if (classificationServiceBootstrap.isInitialised())
{
// do not process a node that is already being processed
Set<Object> processing = transactionalResourceHelper.getSet(KEY_PROCESSING);
if (!processing.contains(nodeRef))
{
processing.add(nodeRef);
try
{
// create key
final String currentUser = authenticationUtil.getRunAsUser();
Triple<NodeRef, String, String> key = new Triple<NodeRef, String, String>(nodeRef, perm, currentUser);
// get transaction cache (the purpose of this is prevent duplicate tests within the same transaction)
Map<Triple<NodeRef, String, String>, AccessStatus> cache = transactionalResourceHelper.getMap(KEY_CACHE);
if (!cache.containsKey(key))
{
// determine whether the current user has clearance for the node
if (!contentClassificationService.hasClearance(nodeRef))
{
result = AccessStatus.DENIED;
}
// cache value (in transaction)
cache.put(key, result);
}
else
{
result = cache.get(key);
}
}
finally
{
processing.remove(nodeRef);
}
}
}
return result;
}
}

73
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/permission/RecordsManagementPermissionPostProcessor.java Normal file
View File

@@ -0,0 +1,73 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.permission;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.repo.security.permissions.processor.impl.PermissionPostProcessorBaseImpl;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
/**
* Records management permission post processor.
*
* @author Roy Wetherall
* @since 3.0.a
*/
public class RecordsManagementPermissionPostProcessor extends PermissionPostProcessorBaseImpl
{
/** node service */
private NodeService nodeService;
public void setNodeService(NodeService nodeService) {this.nodeService=nodeService;}
/** permission service */
private PermissionService permissionService;
public void setPermissionService(PermissionService permissionService) {this.permissionService=permissionService;}
/**
* @see org.alfresco.repo.security.permissions.processor.PermissionPostProcessor#process(org.alfresco.service.cmr.security.AccessStatus, org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*/
@Override
public AccessStatus process(AccessStatus accessStatus, NodeRef nodeRef, String perm)
{
AccessStatus result = accessStatus;
if (AccessStatus.DENIED.equals(accessStatus) &&
nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
{
// if read denied on rm artifact
if (PermissionService.READ.equals(perm))
{
// check for read record
result = permissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS);
}
// if write deinied on rm artificat
else if (PermissionService.WRITE.equals(perm))
{
// check for file record
result = permissionService.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS);
}
}
return result;
}
}

6
rm-server/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionService.java
View File

@@ -30,5 +30,11 @@ import org.alfresco.service.cmr.security.PermissionService;
*/ */
public interface ExtendedPermissionService extends PermissionService public interface ExtendedPermissionService extends PermissionService
{ {
/**
* Get a set of all the authorities that have write access.
*
* @param aclId acl id
* @return {@link Set}<{@link String}> set of authorities with write access
*/
Set<String> getWriters(Long aclId); Set<String> getWriters(Long aclId);
} }

83
rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java → rm-server/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright (C) 2005-2014 Alfresco Software Limited. * Copyright (C) 2005-2015 Alfresco Software Limited.
* *
* This file is part of Alfresco * This file is part of Alfresco
* *
@@ -23,6 +23,7 @@ import static org.apache.commons.lang.StringUtils.isNotBlank;
import java.io.Serializable; import java.io.Serializable;
import java.util.Collections; import java.util.Collections;
import java.util.HashSet; import java.util.HashSet;
import java.util.List;
import java.util.Set; import java.util.Set;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
@@ -34,6 +35,9 @@ import org.alfresco.module.org_alfresco_module_rm.security.ExtendedWriterDynamic
import org.alfresco.repo.cache.SimpleCache; import org.alfresco.repo.cache.SimpleCache;
import org.alfresco.repo.security.permissions.AccessControlEntry; import org.alfresco.repo.security.permissions.AccessControlEntry;
import org.alfresco.repo.security.permissions.AccessControlList; import org.alfresco.repo.security.permissions.AccessControlList;
import org.alfresco.repo.security.permissions.processor.PermissionPostProcessor;
import org.alfresco.repo.security.permissions.processor.PermissionPreProcessor;
import org.alfresco.repo.security.permissions.processor.PermissionProcessorRegistry;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityType; import org.alfresco.service.cmr.security.AuthorityType;
@@ -49,14 +53,17 @@ import org.springframework.context.ApplicationEvent;
* *
* @author Roy Wetherall * @author Roy Wetherall
*/ */
public class RMPermissionServiceImpl extends PermissionServiceImpl public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
implements ExtendedPermissionService implements ExtendedPermissionService
{ {
/** Writers simple cache */ /** Writers simple cache */
protected SimpleCache<Serializable, Set<String>> writersCache; protected SimpleCache<Serializable, Set<String>> writersCache;
/** File plan service */ /** File plan service */
private FilePlanService filePlanService; private FilePlanService filePlanService;
/** Permission processor registry */
private PermissionProcessorRegistry permissionProcessorRegistry;
/** /**
* Gets the file plan service * Gets the file plan service
@@ -77,6 +84,16 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl
{ {
this.filePlanService = filePlanService; this.filePlanService = filePlanService;
} }
/**
* Sets the permission processor registry
*
* @param permissionProcessorRegistry the permissions processor registry
*/
public void setPermissionProcessorRegistry(PermissionProcessorRegistry permissionProcessorRegistry)
{
this.permissionProcessorRegistry = permissionProcessorRegistry;
}
/** /**
* @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean) * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean)
@@ -85,7 +102,10 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl
public void setAnyDenyDenies(boolean anyDenyDenies) public void setAnyDenyDenies(boolean anyDenyDenies)
{ {
super.setAnyDenyDenies(anyDenyDenies); super.setAnyDenyDenies(anyDenyDenies);
writersCache.clear(); if (writersCache != null)
{
writersCache.clear();
}
} }
/** /**
@@ -116,21 +136,48 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl
@Override @Override
public AccessStatus hasPermission(NodeRef nodeRef, String perm) public AccessStatus hasPermission(NodeRef nodeRef, String perm)
{ {
AccessStatus acs = super.hasPermission(nodeRef, perm); AccessStatus result = AccessStatus.UNDETERMINED;
if (AccessStatus.DENIED.equals(acs) &&
PermissionService.READ.equals(perm) && // permission pre-processors
nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) List<PermissionPreProcessor> preProcessors = permissionProcessorRegistry.getPermissionPreProcessors();
for (PermissionPreProcessor preProcessor : preProcessors)
{
// pre process permission
result = preProcessor.process(nodeRef, perm);
// veto if denied
if (AccessStatus.DENIED.equals(result))
{
return result;
}
}
// evaluate permission
result = hasPermissionImpl(nodeRef, perm);
// permission post-processors
List<PermissionPostProcessor> postProcessors = permissionProcessorRegistry.getPermissionPostProcessors();
for (PermissionPostProcessor postProcessor : postProcessors)
{ {
return super.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS); // post process permission
} result = postProcessor.process(result, nodeRef, perm);
else if (AccessStatus.DENIED.equals(acs) && }
PermissionService.WRITE.equals(perm) &&
nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) return result;
{ }
return super.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS);
} /**
* Implementation of hasPermission method call.
return acs; * <p>
* Separation also convenient for unit testing.
*
* @param nodeRef node reference
* @param perm permission
* @return {@link AccessStatus} access status result
*/
protected AccessStatus hasPermissionImpl(NodeRef nodeRef, String perm)
{
return super.hasPermission(nodeRef, perm);
} }
/** /**

86
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/AccessDeniedException.java → rm-server/source/java/org/alfresco/repo/security/permissions/processor/PermissionPostProcessor.java
View File

@@ -1,43 +1,43 @@
/* /*
* Copyright (C) 2005-2015 Alfresco Software Limited. * Copyright (C) 2005-2015 Alfresco Software Limited.
* *
* This file is part of Alfresco * This file is part of Alfresco
* *
* Alfresco is free software: you can redistribute it and/or modify * Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by * it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* Alfresco is distributed in the hope that it will be useful, * Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details. * GNU Lesser General Public License for more details.
* *
* You should have received a copy of the GNU Lesser General Public License * You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/ */
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor; package org.alfresco.repo.security.permissions.processor;
import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus;
/**
* Access denied exception thrown when a user tries to execute a method call on an uncleared node.
*
* @author Tuna Aksoy /**
* @since 3.0.a * Permission Post Processor.
*/ *
public class AccessDeniedException extends AlfrescoRuntimeException * @author Roy Wetherall
{ * @since 3.0.a
/** Serial version uid */ */
private static final long serialVersionUID = -1546218007029075883L; public interface PermissionPostProcessor
{
/** /**
* Constructor * Process permission.
* *
* @param key The key of the exception to be localized * @param accessStatus current access status
*/ * @param nodeRef node reference
public AccessDeniedException(String key) * @param perm permission
{ * @return {@link AccessStatus}
super(key); */
} AccessStatus process(AccessStatus accessStatus, NodeRef nodeRef, String perm);
} }

43
rm-server/source/java/org/alfresco/repo/security/permissions/processor/PermissionPreProcessor.java Normal file
View File

@@ -0,0 +1,43 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.security.permissions.processor;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus;
/**
* Permission Veto Interface
*
* @author Roy Wetherall
* @since 3.0.a
*/
public interface PermissionPreProcessor
{
/**
* Process permission.
*
* @param accessStatus current access status
* @param nodeRef node reference
* @param perm permission
* @return {@link AccessStatus}
*/
AccessStatus process(NodeRef nodeRef, String perm);
}

77
rm-server/source/java/org/alfresco/repo/security/permissions/processor/PermissionProcessorRegistry.java Normal file
View File

@@ -0,0 +1,77 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.security.permissions.processor;
import java.util.ArrayList;
import java.util.List;
/**
* Permission Processor Registry
*
* @author Roy Wetherall
* @since 3.0.a
*/
public class PermissionProcessorRegistry
{
/** permission pre-processors */
private List<PermissionPreProcessor> permissionPreProcessors = new ArrayList<PermissionPreProcessor>();
/** permission post-processors */
private List<PermissionPostProcessor> permissionPostProcessors = new ArrayList<PermissionPostProcessor>();
/**
* Add a permission pre-processor.
*
* @param permissionPreProcessor permission pre-processor
*/
public void addPermissionPreProcessor(PermissionPreProcessor permissionPreProcessor)
{
permissionPreProcessors.add(permissionPreProcessor);
}
/**
* Add a permission post-processor.
*
* @param permissionPostProcessor permission post-processor
*/
public void addPermissionPostProcessor(PermissionPostProcessor permissionPostProcessor)
{
permissionPostProcessors.add(permissionPostProcessor);
}
/**
* Get a list of the registered permission pre-processors.
*
* @return {@link List}<{@link PermissionPreProcessor}> list of permission pre-processors
*/
public List<PermissionPreProcessor> getPermissionPreProcessors()
{
return permissionPreProcessors;
}
/**
* Get a list of the registered permission post-processors.
*
* @return <{@link List}>{@link PermissionPreProcessor} list of permission post-processors
*/
public List<PermissionPostProcessor> getPermissionPostProcessors()
{
return permissionPostProcessors;
}
}

42
rm-server/source/java/org/alfresco/repo/security/permissions/processor/impl/PermissionPostProcessorBaseImpl.java Normal file
View File

@@ -0,0 +1,42 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.security.permissions.processor.impl;
import org.alfresco.repo.security.permissions.processor.PermissionPostProcessor;
/**
* Permission post processor base implementation.
* <p>
* Helper class that can be extended when providing a custom permission
* post processor implementation.
*
* @author Roy Wetherall
* @since 3.0.a
*/
public abstract class PermissionPostProcessorBaseImpl extends PermissionProcessorBaseImpl
implements PermissionPostProcessor
{
/**
* Init method to add this permission extensions to the registry
*/
public void init()
{
getPermissionProcessorRegistry().addPermissionPostProcessor(this);
}
}

42
rm-server/source/java/org/alfresco/repo/security/permissions/processor/impl/PermissionPreProcessorBaseImpl.java Normal file
View File

@@ -0,0 +1,42 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.security.permissions.processor.impl;
import org.alfresco.repo.security.permissions.processor.PermissionPreProcessor;
/**
* Permission pre-processor base implementation.
* <p>
* Helper class that can be extended when providing a custom permission
* pre-processor implementation.
*
* @author Roy Wetherall
* @since 3.0.a
*/
public abstract class PermissionPreProcessorBaseImpl extends PermissionProcessorBaseImpl
implements PermissionPreProcessor
{
/**
* Init method to add this permission extensions to the registry
*/
public void init()
{
getPermissionProcessorRegistry().addPermissionPreProcessor(this);
}
}

49
rm-server/source/java/org/alfresco/repo/security/permissions/processor/impl/PermissionProcessorBaseImpl.java Normal file
View File

@@ -0,0 +1,49 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.security.permissions.processor.impl;
import org.alfresco.repo.security.permissions.processor.PermissionProcessorRegistry;
/**
* Commonality found in both pre and post permission processor implementations.
*
* @author Roy Wetherall
* @since 3.0.a
*/
/*package*/ abstract class PermissionProcessorBaseImpl
{
/** permission processor registry */
private PermissionProcessorRegistry permissionProcessorRegistry;
/**
* @param PermissionProcessorRegistry permission processor registry
*/
public void setPermissionProcessorRegistry(PermissionProcessorRegistry permissionProcessorRegistry)
{
this.permissionProcessorRegistry = permissionProcessorRegistry;
}
/**
* @return {@link PermissionProcessorRegistry} permission processor registry
*/
protected PermissionProcessorRegistry getPermissionProcessorRegistry()
{
return permissionProcessorRegistry;
}
}

2
rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/classification/interceptor/ClassificationEnforcementPreMethodInvocationTest.java
View File

@@ -27,8 +27,8 @@ import java.util.HashMap;
import java.util.Map; import java.util.Map;
import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationAspectProperties; import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationAspectProperties;
import org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor.AccessDeniedException;
import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase; import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.QName; import org.alfresco.service.namespace.QName;

76
rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/ArrayPostMethodInvocationProcessorUnitTest.java
View File

@@ -1,76 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import static org.alfresco.service.cmr.repository.StoreRef.STORE_REF_WORKSPACE_SPACESSTORE;
import static org.alfresco.util.GUID.generate;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.mockito.Matchers.isA;
import static org.mockito.Mockito.when;
import static org.mockito.MockitoAnnotations.initMocks;
import org.alfresco.service.cmr.repository.NodeRef;
import org.apache.commons.lang3.ArrayUtils;
import org.junit.Before;
import org.junit.Test;
import org.mockito.InjectMocks;
import org.mockito.Mock;
/**
* Array Post Method Invocation Processor Unit Test
*
* @author Tuna Aksoy
* @since 3.0.a
*/
public class ArrayPostMethodInvocationProcessorUnitTest
{
private static final NodeRef NODE_REF_1 = new NodeRef(STORE_REF_WORKSPACE_SPACESSTORE, generate());
private static final NodeRef NODE_REF_2 = new NodeRef(STORE_REF_WORKSPACE_SPACESSTORE, generate());
private static final NodeRef NODE_REF_3 = new NodeRef(STORE_REF_WORKSPACE_SPACESSTORE, generate());
private static final NodeRef NODE_REF_4 = new NodeRef(STORE_REF_WORKSPACE_SPACESSTORE, generate());
@InjectMocks private ArrayPostMethodInvocationProcessor arrayPostMethodInvocationProcessor;
@Mock private PostMethodInvocationProcessor mockedPostMethodInvocationProcessor;
@Mock private BasePostMethodInvocationProcessor mockedNodeRefProcessor;
@Before
public void setUp()
{
initMocks(this);
when(mockedPostMethodInvocationProcessor.getProcessor(isA(NodeRef.class))).thenReturn(mockedNodeRefProcessor);
when(mockedNodeRefProcessor.process(NODE_REF_1)).thenReturn(NODE_REF_1);
when(mockedNodeRefProcessor.process(NODE_REF_2)).thenReturn(null);
when(mockedNodeRefProcessor.process(NODE_REF_3)).thenReturn(NODE_REF_3);
when(mockedNodeRefProcessor.process(NODE_REF_4)).thenReturn(null);
}
@Test
public void testArrayPostMethodInvocationProcessor()
{
NodeRef[] nodes = new NodeRef[] { NODE_REF_1, NODE_REF_2, NODE_REF_3, NODE_REF_4 };
NodeRef[] processedNodes = arrayPostMethodInvocationProcessor.process(nodes);
assertEquals(2, processedNodes.length);
assertTrue(ArrayUtils.contains(processedNodes, NODE_REF_1));
assertTrue(ArrayUtils.contains(processedNodes, NODE_REF_3));
}
}

188
rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/CollectionPostMethodInvocationProcessorUnitTest.java
View File

@@ -1,188 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import static com.google.common.collect.Lists.newArrayList;
import static java.util.Arrays.asList;
import static org.alfresco.util.GUID.generate;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.mockito.Matchers.isA;
import static org.mockito.Mockito.when;
import static org.mockito.MockitoAnnotations.initMocks;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.SortedSet;
import java.util.TreeSet;
import org.junit.Before;
import org.junit.Test;
import org.mockito.InjectMocks;
import org.mockito.Mock;
/**
* Unit tests for the {@link CollectionPostMethodInvocationProcessor}.
*
* @author Tom Page
* @since 3.0.a
*/
public class CollectionPostMethodInvocationProcessorUnitTest
{
private static final String REALLY_LONG_OUTPUT_STRING = generate() + generate();
private static final String NON_FILTERED = generate();
private static final String FILTERED = generate();
@InjectMocks private CollectionPostMethodInvocationProcessor collectionPostMethodInvocationProcessor;
@Mock private PostMethodInvocationProcessor mockPostMethodInvocationProcessor;
@Mock private BasePostMethodInvocationProcessor mockStringProcessor;
@Before
public void setUp()
{
initMocks(this);
when(mockPostMethodInvocationProcessor.getProcessor(isA(List.class))).thenReturn(collectionPostMethodInvocationProcessor);
when(mockPostMethodInvocationProcessor.getProcessor(isA(String.class))).thenReturn(mockStringProcessor);
when(mockStringProcessor.process(REALLY_LONG_OUTPUT_STRING)).thenReturn(REALLY_LONG_OUTPUT_STRING);
when(mockStringProcessor.process(NON_FILTERED)).thenReturn(NON_FILTERED);
when(mockStringProcessor.process(FILTERED)).thenReturn(null);
}
@Test
public void testProcess_copesWithNull()
{
Object result = collectionPostMethodInvocationProcessor.process(null);
assertNull("Expected null collection to be passed through.", result);
}
@Test
public void testProcess_nullMember()
{
List<String> collection = new ArrayList<>();
collection.add(null);
Object result = collectionPostMethodInvocationProcessor.process(collection);
assertEquals("Expected collection containing null to be passed through.", collection, result);
}
@Test
public void testProcess_emptyList()
{
List<String> collection = new ArrayList<>();
Collection<String> result = collectionPostMethodInvocationProcessor.process(collection);
assertEquals(collection, result);
}
@Test
public void testProcess_nonFilteredMember()
{
Object collection = asList(NON_FILTERED);
Object result = collectionPostMethodInvocationProcessor.process(collection);
assertEquals("Expected element to still be present in result.", collection, result);
}
@Test
public void testProcess_filteredMemberInModifiableList()
{
List<String> collection = newArrayList(FILTERED);
Collection<String> result = collectionPostMethodInvocationProcessor.process(collection);
assertTrue("Expected an empty list.", result.isEmpty());
}
@Test(expected = UnsupportedOperationException.class)
public void testProcess_filteredMemberInUnmodifiableList()
{
List<String> collection = asList(FILTERED, NON_FILTERED);
collectionPostMethodInvocationProcessor.process(collection);
}
@Test
public void testProcess_noProcessorDefined()
{
List<Integer> collection = asList(1, 4, 91);
Collection<Integer> result = collectionPostMethodInvocationProcessor.process(collection);
assertEquals("If no processor is defined for the members then the whole list should be returned.", collection, result);
}
@SuppressWarnings("unchecked")
@Test
public void testProcess_listOfLists()
{
List<String> innerListA = newArrayList(FILTERED, NON_FILTERED);
List<String> innerListB = newArrayList(FILTERED, NON_FILTERED);
List<List<String>> collection = newArrayList(innerListA, innerListB);
Collection<List<String>> result = collectionPostMethodInvocationProcessor.process(collection);
List<String> expectedInnerListA = asList(NON_FILTERED);
List<String> expectedInnerListB = asList(NON_FILTERED);
List<List<String>> expected = asList(expectedInnerListA, expectedInnerListB);
assertEquals(expected, result);
}
/**
* Given I have a sorted set of input strings
* When I pass it to the collection processor
* Then I expect items above my clearance to be filtered
* And I expect items below my clearance to be passed through
* And I expect the output set to be sorted using the same comparator as the input.
*/
@Test
public void testProcess_sortedSet()
{
// Create a custom comparator that sorts based on the length of the strings.
Comparator<String> comparator = new Comparator<String>()
{
public int compare(String o1, String o2)
{
return o1.length() - o2.length();
}
};
SortedSet<String> collection = new TreeSet<>(comparator);
collection.add(REALLY_LONG_OUTPUT_STRING);
collection.add(NON_FILTERED);
collection.add(FILTERED);
Collection<String> result = collectionPostMethodInvocationProcessor.process(collection);
Iterator<String> iterator = result.iterator();
assertEquals("Expected the first element to be the shortest", NON_FILTERED, iterator.next());
assertEquals("Expected the second element to be the longest", REALLY_LONG_OUTPUT_STRING, iterator.next());
assertFalse("Expected two elements in output", iterator.hasNext());
}
}

94
rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/NodeRefPostMethodInvocationProcessorUnitTest.java
View File

@@ -1,94 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import static org.junit.Assert.assertEquals;
import static org.mockito.Mockito.when;
import static org.springframework.extensions.webscripts.GUID.generate;
import org.alfresco.module.org_alfresco_module_rm.classification.ContentClassificationService;
import org.alfresco.module.org_alfresco_module_rm.test.util.BaseUnitTest;
import org.alfresco.service.cmr.repository.NodeRef;
import org.junit.Test;
import org.mockito.InjectMocks;
import org.mockito.Mock;
/**
* NodeRef Post Method Invocation Processor Unit Test
*
* @author Tuna Aksoy
* @since 3.0.a
*/
public class NodeRefPostMethodInvocationProcessorUnitTest extends BaseUnitTest
{
@InjectMocks private NodeRefPostMethodInvocationProcessor nodeRefPostMethodInvocationProcessor;
@Mock private ContentClassificationService mockedContentClassificationService;
@Mock private PreMethodInvocationProcessor mockedPreMethodInvocationProcessor;
@Test
public void testProcessingNonExistingNode()
{
NodeRef nodeRef = new NodeRef(generate() + "://" + generate() + "/");
when(mockedDictionaryService.isSubClass(mockedNodeService.getType(nodeRef), TYPE_CONTENT)).thenReturn(true);
when(mockedContentClassificationService.hasClearance(nodeRef)).thenReturn(true);
assertEquals(nodeRef, nodeRefPostMethodInvocationProcessor.process(nodeRef));
}
@Test
public void testProcessingNonContent()
{
NodeRef nodeRef = generateNodeRef();
when(mockedDictionaryService.isSubClass(mockedNodeService.getType(nodeRef), TYPE_CONTENT)).thenReturn(false);
when(mockedContentClassificationService.hasClearance(nodeRef)).thenReturn(true);
assertEquals(nodeRef, nodeRefPostMethodInvocationProcessor.process(nodeRef));
}
@Test
public void testExistingNodeWithUserClearance()
{
NodeRef nodeRef = generateNodeRef();
when(mockedDictionaryService.isSubClass(mockedNodeService.getType(nodeRef), TYPE_CONTENT)).thenReturn(true);
when(mockedContentClassificationService.hasClearance(nodeRef)).thenReturn(true);
assertEquals(nodeRef, nodeRefPostMethodInvocationProcessor.process(nodeRef));
}
@Test
public void testExistingNodeWithNoUserClearance()
{
NodeRef nodeRef = generateNodeRef();
when(mockedDictionaryService.isSubClass(mockedNodeService.getType(nodeRef), TYPE_CONTENT)).thenReturn(true);
when(mockedContentClassificationService.hasClearance(nodeRef)).thenReturn(false);
assertEquals(null, nodeRefPostMethodInvocationProcessor.process(nodeRef));
}
@Test
public void testProcessingNull()
{
assertEquals("Expected null to be passed through without error.", null,
nodeRefPostMethodInvocationProcessor.process((NodeRef) null));
}
}

91
rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/interceptor/processor/QueryEngineResultsPostMethodInvocationProcessorUnitTest.java
View File

@@ -1,91 +0,0 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.interceptor.processor;
import static org.junit.Assert.assertEquals;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import static org.mockito.MockitoAnnotations.initMocks;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.alfresco.repo.search.impl.querymodel.QueryEngineResults;
import org.alfresco.service.cmr.search.ResultSet;
import org.junit.Before;
import org.junit.Test;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.Mockito;
import com.google.common.collect.Sets;
/**
* Unit tests for {@link QueryEngineResultPostMethodInvocationProcessor}.
*
* @author Tom Page
* @since 3.0.a
*/
public class QueryEngineResultsPostMethodInvocationProcessorUnitTest
{
private static final Set<String> KEY_1 = Sets.newHashSet("KEY_1");
private static final Set<String> KEY_2 = Sets.newHashSet("KEY_2");
private static final Set<String> KEY_3 = Sets.newHashSet("KEY_3");
private static final Set<String> KEY_4 = Sets.newHashSet("KEY_4");
private static final ResultSet UNCLASSIFIED_RESULT_SET = mock(ResultSet.class);
private static final ResultSet CLASSIFIED_RESULT_SET = mock(ResultSet.class);
@InjectMocks
private QueryEngineResultsPostMethodInvocationProcessor processor = new QueryEngineResultsPostMethodInvocationProcessor();
@Mock
private PostMethodInvocationProcessor mockPostMethodInvocationProcessor;
@Mock
private ResultSetPostMethodInvocationProcessor mockResultSetPMIP;
@Before
public void setUp()
{
initMocks(this);
when(mockPostMethodInvocationProcessor.getProcessor(Mockito.any())).thenReturn(mockResultSetPMIP);
when(mockResultSetPMIP.process(UNCLASSIFIED_RESULT_SET)).thenReturn(UNCLASSIFIED_RESULT_SET);
when(mockResultSetPMIP.process(CLASSIFIED_RESULT_SET)).thenReturn(null);
}
/** Check that {@code process} filters out the classified result sets. */
@Test
public void testProcess()
{
Map<Set<String>, ResultSet> resultsMap = new HashMap<>();
resultsMap.put(KEY_1, UNCLASSIFIED_RESULT_SET);
resultsMap.put(KEY_2, CLASSIFIED_RESULT_SET);
resultsMap.put(KEY_3, UNCLASSIFIED_RESULT_SET);
resultsMap.put(KEY_4, CLASSIFIED_RESULT_SET);
QueryEngineResults queryEngineResults = new QueryEngineResults(resultsMap);
QueryEngineResults returnedQueryEngineResults = processor.process(queryEngineResults);
Map<Set<String>, ResultSet> expectedResultSet = new HashMap<>();
expectedResultSet.put(KEY_1, UNCLASSIFIED_RESULT_SET);
expectedResultSet.put(KEY_3, UNCLASSIFIED_RESULT_SET);
assertEquals("Unexpected results from query.", expectedResultSet, returnedQueryEngineResults.getResults());
}
}

193
rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/permission/ClassificationPermissionPreProcessorUnitTest.java Normal file
View File

@@ -0,0 +1,193 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.classification.permission;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import static org.junit.Assert.assertEquals;
import java.util.HashMap;
import java.util.Map;
import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceBootstrap;
import org.alfresco.module.org_alfresco_module_rm.classification.ContentClassificationService;
import org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock;
import org.alfresco.module.org_alfresco_module_rm.test.util.BaseUnitTest;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.util.Triple;
import org.junit.Before;
import org.junit.Test;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import com.google.common.collect.Sets;
/**
* Classification permission pre-processor unit test
*
* @author Roy Wetherall
* @since 3.0.a
*/
public class ClassificationPermissionPreProcessorUnitTest extends BaseUnitTest
{
/** test artifact */
private @InjectMocks ClassificationPermissionPreProcessor processor;
/** mocks */
private @Mock ClassificationServiceBootstrap mockedClassificationServiceBootstrap;
private @Mock ContentClassificationService mockedContentClassificationService;
/** test data */
private NodeRef nodeRef;
private String perm = AlfMock.generateText();
private String user = AlfMock.generateText();
@Before
@Override
public void before() throws Exception
{
super.before();
nodeRef = generateCmContent(AlfMock.generateText());
}
/**
* Given that the classification hierarchy hasn't been bootstraped
* When the classification permission pre processor is executed
* Then an undetermined result will be returned
*/
@Test
public void classificationServiceNotBootstraped()
{
when(mockedClassificationServiceBootstrap.isInitialised())
.thenReturn(false);
assertEquals(AccessStatus.UNDETERMINED, processor.process(nodeRef, perm));
verify(mockedContentClassificationService, never())
.hasClearance(nodeRef);
}
/**
* Given that the node being evaluated is already being processed
* When the classification permission pre processor is executed
* Then an undetermined result will be returned
*/
@Test
public void nodeBeingProcessed()
{
when(mockedClassificationServiceBootstrap.isInitialised())
.thenReturn(true);
when(mockedTransactionalResourceHelper.getSet(ClassificationPermissionPreProcessor.KEY_PROCESSING))
.thenReturn(Sets.newHashSet(nodeRef));
assertEquals(AccessStatus.UNDETERMINED, processor.process(nodeRef, perm));
verify(mockedContentClassificationService, never())
.hasClearance(nodeRef);
}
/**
* Given that the node already exists in the transaction cache
* When the classification permission pre processor is executed
* Then the result will be returned from the cache
*/
@Test
public void resultAlreadyCached()
{
when(mockedClassificationServiceBootstrap.isInitialised())
.thenReturn(true);
NodeRef notTheNodeRef = AlfMock.generateNodeRef(mockedNodeService);
when(mockedTransactionalResourceHelper.getSet(ClassificationPermissionPreProcessor.KEY_PROCESSING))
.thenReturn(Sets.newHashSet(notTheNodeRef));
when(mockedAuthenticationUtil.getRunAsUser())
.thenReturn(user);
Map<Object, Object> cache = new HashMap<Object, Object>(1);
cache.put(new Triple<NodeRef, String, String>(nodeRef, perm, user), AccessStatus.ALLOWED);
when(mockedTransactionalResourceHelper.getMap(ClassificationPermissionPreProcessor.KEY_CACHE))
.thenReturn(cache);
assertEquals(AccessStatus.ALLOWED, processor.process(nodeRef, perm));
verify(mockedContentClassificationService, never())
.hasClearance(nodeRef);
}
/**
* Given that the user does have clearance
* When the classification permission pre processor is executed
* Then an undetermined result will be returned
*/
@Test
public void userHasClearance()
{
when(mockedClassificationServiceBootstrap.isInitialised())
.thenReturn(true);
NodeRef notTheNodeRef = AlfMock.generateNodeRef(mockedNodeService);
when(mockedTransactionalResourceHelper.getSet(ClassificationPermissionPreProcessor.KEY_PROCESSING))
.thenReturn(Sets.newHashSet(notTheNodeRef));
when(mockedAuthenticationUtil.getRunAsUser())
.thenReturn(user);
Map<Object, Object> cache = new HashMap<Object, Object>(1);
cache.put(new Triple<NodeRef, String, String>(notTheNodeRef, perm, user), AccessStatus.ALLOWED);
when(mockedTransactionalResourceHelper.getMap(ClassificationPermissionPreProcessor.KEY_CACHE))
.thenReturn(cache);
when(mockedContentClassificationService.hasClearance(nodeRef))
.thenReturn(true);
assertEquals(AccessStatus.UNDETERMINED, processor.process(nodeRef, perm));
verify(mockedContentClassificationService)
.hasClearance(nodeRef);
}
/**
* Given that the user doesn't have clearance
* When the classification permission pre processor is executed
* Then an undetermined result will be returned
*/
@Test
public void userDoesNotHaveClearance()
{
when(mockedClassificationServiceBootstrap.isInitialised())
.thenReturn(true);
NodeRef notTheNodeRef = AlfMock.generateNodeRef(mockedNodeService);
when(mockedTransactionalResourceHelper.getSet(ClassificationPermissionPreProcessor.KEY_PROCESSING))
.thenReturn(Sets.newHashSet(notTheNodeRef));
when(mockedAuthenticationUtil.getRunAsUser())
.thenReturn(user);
Map<Object, Object> cache = new HashMap<Object, Object>(1);
cache.put(new Triple<NodeRef, String, String>(notTheNodeRef, perm, user), AccessStatus.ALLOWED);
when(mockedTransactionalResourceHelper.getMap(ClassificationPermissionPreProcessor.KEY_CACHE))
.thenReturn(cache);
when(mockedContentClassificationService.hasClearance(nodeRef))
.thenReturn(false);
assertEquals(AccessStatus.DENIED, processor.process(nodeRef, perm));
verify(mockedContentClassificationService)
.hasClearance(nodeRef);
}
}

125
rm-server/unit-test/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImplUnitTest.java Normal file
View File

@@ -0,0 +1,125 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.security.permissions.impl;
import static java.util.Arrays.asList;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.when;
import static org.junit.Assert.assertEquals;
import org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock;
import org.alfresco.module.org_alfresco_module_rm.test.util.BaseUnitTest;
import org.alfresco.repo.security.permissions.processor.PermissionPostProcessor;
import org.alfresco.repo.security.permissions.processor.PermissionPreProcessor;
import org.alfresco.repo.security.permissions.processor.PermissionProcessorRegistry;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus;
import org.junit.Test;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.Spy;
/**
* Extended permission service implementation unit test
*
* @author Roy Wetherall
* @since 3.0.a
*/
public class ExtendedPermissionServiceImplUnitTest extends BaseUnitTest
{
private @InjectMocks @Spy ExtendedPermissionServiceImpl extendedPermissionServiceImpl = new ExtendedPermissionServiceImpl()
{
protected AccessStatus hasPermissionImpl(NodeRef nodeRef, String perm) { return AccessStatus.UNDETERMINED; };
};
private @Mock PermissionProcessorRegistry mockedPermissionProcessorRegistry;
private @Mock PermissionPreProcessor mockedPermissionPreProcessor;
private @Mock PermissionPostProcessor mockedPermissionPostProcessor;
/**
* Given a permission pre-processor has been registered
* And does not DENY
* When hasPermission is called
* Then the pre-processor is executed
* And the ACL's are evaluated as normal
*/
@Test
public void preProcessorDoesNotDeny()
{
NodeRef nodeRef = generateCmContent("anyname");
String perm = AlfMock.generateText();
when(mockedPermissionProcessorRegistry.getPermissionPreProcessors())
.thenReturn(asList(mockedPermissionPreProcessor));
when(mockedPermissionPreProcessor.process(nodeRef, perm))
.thenReturn(AccessStatus.UNDETERMINED);
AccessStatus result = extendedPermissionServiceImpl.hasPermission(nodeRef, perm);
assertEquals(AccessStatus.UNDETERMINED, result);
verify(mockedPermissionPreProcessor).process(nodeRef, perm);
verify(extendedPermissionServiceImpl).hasPermissionImpl(nodeRef, perm);
}
/**
* Given a permission pre-processor has been registered
* And DENY's
* When hasPermission is called
* Then the pre-processor is executed
* And the remaining permission evaluations do not take place
*/
@Test
public void preProcessorDenys()
{
NodeRef nodeRef = generateCmContent("anyname");
String perm = AlfMock.generateText();
when(mockedPermissionProcessorRegistry.getPermissionPreProcessors())
.thenReturn(asList(mockedPermissionPreProcessor));
when(mockedPermissionPreProcessor.process(nodeRef, perm))
.thenReturn(AccessStatus.DENIED);
AccessStatus result = extendedPermissionServiceImpl.hasPermission(nodeRef, perm);
assertEquals(AccessStatus.DENIED, result);
verify(mockedPermissionPreProcessor).process(nodeRef, perm);
verify(extendedPermissionServiceImpl, never()).hasPermissionImpl(nodeRef, perm);
}
/**
* Given a permission post-processor has been registered
* When hasPermission is called
* Then the permission post-processor is called
*/
@Test
public void postProcessorRegistered()
{
NodeRef nodeRef = generateCmContent("anyname");
String perm = AlfMock.generateText();
when(mockedPermissionProcessorRegistry.getPermissionPostProcessors())
.thenReturn(asList(mockedPermissionPostProcessor));
when(mockedPermissionPostProcessor.process(AccessStatus.UNDETERMINED, nodeRef, perm))
.thenReturn(AccessStatus.ALLOWED);
AccessStatus result = extendedPermissionServiceImpl.hasPermission(nodeRef, perm);
assertEquals(AccessStatus.ALLOWED, result);
verify(mockedPermissionPostProcessor).process(AccessStatus.UNDETERMINED, nodeRef, perm);
verify(extendedPermissionServiceImpl).hasPermissionImpl(nodeRef, perm);
}
}