REPO-5659: Added ALFRESCO_SYSTEM_ADMINISTRATORS group authority. (#668)

remote-api/src/test/java/org/alfresco/rest/api/tests/GroupsTest.java

@@ -836,13 +836,13 @@ public class GroupsTest extends AbstractSingleNetworkSiteTest
         // Get network admin's groups by explicit ID.
         {
             ListResponse<Group> groups = groupsProxy.getGroupsByPersonId(networkAdmin, null, "Couldn't get user's groups", 200);
-            assertEquals(6L, (long) groups.getPaging().getTotalItems());
+            assertEquals(7L, (long) groups.getPaging().getTotalItems());
         }
 
         // test -me- alias (as network admin)
         {
             ListResponse<Group> groups = groupsProxy.getGroupsByPersonId("-me-", null, "Couldn't get user's groups", 200);
-            assertEquals(6L, (long) groups.getPaging().getCount());
+            assertEquals(7L, (long) groups.getPaging().getCount());
             Iterator<Group> it = groups.getList().iterator();
             assertEquals("GROUP_ALFRESCO_ADMINISTRATORS", it.next().getId());
         }

repository/src/main/java/org/alfresco/repo/security/authority/AuthorityServiceImpl.java

@@ -64,6 +64,8 @@ import org.springframework.extensions.surf.util.ParameterCheck;
  */
 public class AuthorityServiceImpl implements AuthorityService, InitializingBean
 {
+    public static final String GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS_AUTHORITY = PermissionService.GROUP_PREFIX + "ALFRESCO_SYSTEM_ADMINISTRATORS";
+
     private static Set<String> DEFAULT_ZONES = new HashSet<String>();
     
     static
@@ -770,6 +772,16 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
         return authorityDAO.getShortName(name);
     }
 
+    @Override
+    public boolean hasSysAdminAuthority()
+    {
+        final String currentUserName = AuthenticationUtil.getRunAsUser();
+        if (currentUserName == null)
+        {
+            return false;
+        }
+        return getAuthoritiesForUser(currentUserName).contains(GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS_AUTHORITY);
+    }
 
     /**
      * Lazy load set of authorities. Try not to iterate or ask for the size. Needed for the case where there

repository/src/main/java/org/alfresco/service/cmr/security/AuthorityService.java

@@ -511,4 +511,19 @@ public interface AuthorityService
      */
     @Auditable(parameters = {"type"})
     public Set<String> findAuthorities(AuthorityType type, String parentAuthority, boolean immediate, String displayNamePattern, String zoneName);
+
+    /**
+     * Check the current user has system administration authority.
+     *
+     * @return true if the currently authenticated user has the system administration authority, otherwise false
+     * @throws UnsupportedOperationException if the implementing class (i.e. external clients) doesn't provide an implementation for the {@code hasSysAdminAuthority} operation
+     *
+     * @since 7.1
+     */
+    @Auditable
+    // See PRODMAN-493 -> REPO-5659
+    default boolean hasSysAdminAuthority()
+    {
+        throw new UnsupportedOperationException("hasSysAdminAuthority");
+    }
 }

repository/src/main/resources/alfresco/bootstrap/alfrescoAuthorityStore.xml

@@ -63,6 +63,17 @@
                         <cm:authorityName>GROUP_ALFRESCO_MODEL_ADMINISTRATORS</cm:authorityName>
                     </view:properties>
                 </cm:authorityContainer>
+                <!-- See PRODMAN-493 -> REPO-5659 -->
+                <cm:authorityContainer view:childName="cm:GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS">
+                    <view:aspects>
+                        <sys:referenceable/>
+                    </view:aspects>
+                    <view:properties>
+                        <sys:node-uuid>GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS</sys:node-uuid>
+                        <cm:name>GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS</cm:name>
+                        <cm:authorityName>GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS</cm:authorityName>
+                    </view:properties>
+                </cm:authorityContainer>
             </sys:children>
         </view:associations>
     </sys:container>
@@ -110,6 +121,11 @@
                                 view:pathref="${system.authorities_container.childname}/cm:GROUP_ALFRESCO_MODEL_ADMINISTRATORS"
                                 view:childName="cm:GROUP_ALFRESCO_MODEL_ADMINISTRATORS" />
                         </cm:inZone>
+                        <cm:inZone>
+                            <view:reference
+                                    view:pathref="${system.authorities_container.childname}/cm:GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS"
+                                    view:childName="cm:GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS" />
+                        </cm:inZone>
                     </view:associations>
                 </cm:zone>
                 <cm:zone view:childName="cm:APP.DEFAULT">
@@ -146,6 +162,11 @@
                                 view:pathref="${system.authorities_container.childname}/cm:GROUP_ALFRESCO_MODEL_ADMINISTRATORS"
                                 view:childName="cm:GROUP_ALFRESCO_MODEL_ADMINISTRATORS" />
                         </cm:inZone>
+                        <cm:inZone>
+                            <view:reference
+                                view:pathref="${system.authorities_container.childname}/cm:GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS"
+                                view:childName="cm:GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS" />
+                        </cm:inZone>
                     </view:associations>
                 </cm:zone>
             </sys:children>

repository/src/main/resources/alfresco/bootstrap/alfrescoAuthorityStoreDefaultMembers.xml

@@ -40,6 +40,15 @@
                view:childName="cm:${alfresco_user_store.adminusername}" />
          </cm:member>
       </view:associations>
+   </view:reference>
+    <!-- See PRODMAN-493 -> REPO-5659 -->
+   <view:reference view:pathref="${system.authorities_container.childname}/cm:GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS">
+       <view:associations>
+           <cm:member>
+               <view:reference view:pathref="${system.people_container.childname}/cm:${alfresco_user_store.adminusername}"
+                  view:childName="cm:${alfresco_user_store.adminusername}"/>
+           </cm:member>
+       </view:associations>
    </view:reference>
    <view:reference view:pathref="${system.zones_container.childname}/cm:AUTH.ALF">
       <view:associations>

repository/src/main/resources/alfresco/public-services-security-context.xml

@@ -792,6 +792,7 @@
             <value>
                 org.alfresco.service.cmr.security.AuthorityService.hasAdminAuthority=ACL_ALLOW
                 org.alfresco.service.cmr.security.AuthorityService.hasGuestAuthority=ACL_ALLOW
+                org.alfresco.service.cmr.security.AuthorityService.hasSysAdminAuthority=ACL_ALLOW
                 org.alfresco.service.cmr.security.AuthorityService.isAdminAuthority=ACL_ALLOW
                 org.alfresco.service.cmr.security.AuthorityService.isGuestAuthority=ACL_ALLOW
                 org.alfresco.service.cmr.security.AuthorityService.countUsers=ACL_ALLOW

repository/src/test/java/org/alfresco/repo/security/authority/AuthorityServiceTest.java

@@ -25,6 +25,7 @@
  */
 package org.alfresco.repo.security.authority;
 
+import static org.alfresco.repo.security.authority.AuthorityServiceImpl.GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS_AUTHORITY;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 
@@ -117,9 +118,10 @@ public class AuthorityServiceTest extends TestCase
     
     private static final int DEFAULT_SITE_GRP_CNT = 5;      // default number of groups per site
     private static final int DEFAULT_SITE_ROOT_GRP_CNT = 1; // default number of root groups per site
-    private static final int DEFAULT_GRP_CNT = 5;           // default (non-site) bootstrap groups -
+    private static final int DEFAULT_GRP_CNT = 6;           // default (non-site) bootstrap groups -
                                                             // eg. GROUP_ALFRESCO_ADMINISTRATORS, GROUP_EMAIL_CONTRIBUTORS, GROUP_SITE_ADMINISTRATORS,
-                                                            // GROUP_ALFRESCO_SEARCH_ADMINISTRATORS, GROUP_ALFRESCO_MODEL_ADMINISTRATORS
+                                                            // GROUP_ALFRESCO_SEARCH_ADMINISTRATORS, GROUP_ALFRESCO_MODEL_ADMINISTRATORS,
+                                                            // GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS
 
     private int SITE_CNT = 0;
     private int GRP_CNT = 0;
@@ -467,8 +469,8 @@ public class AuthorityServiceTest extends TestCase
         assertTrue(authorityService.hasAdminAuthority());
         assertTrue(pubAuthorityService.hasAdminAuthority());
         Set<String> authorities = authorityService.getAuthorities();
-        // 6 => [GROUP_ALFRESCO_ADMINISTRATORS, GROUP_EMAIL_CONTRIBUTORS, GROUP_EVERYONE, GROUP_SITE_ADMINISTRATORS, ROLE_ADMINISTRATOR, GROUP_ALFRESCO_SEARCH_ADMINISTRATORS, GROUP_ALFRESCO_MODEL_ADMINISTRATORS]
-        assertEquals("Unexpected result: " + authorities, 7 + (SITE_CNT*2), authorityService.getAuthorities().size());
+        // 8 => [GROUP_ALFRESCO_ADMINISTRATORS, GROUP_EMAIL_CONTRIBUTORS, GROUP_EVERYONE, GROUP_SITE_ADMINISTRATORS, ROLE_ADMINISTRATOR, GROUP_ALFRESCO_SEARCH_ADMINISTRATORS, GROUP_ALFRESCO_MODEL_ADMINISTRATORS, GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS]
+        assertEquals("Unexpected result: " + authorities, 8 + (SITE_CNT*2), authorityService.getAuthorities().size());
     }
     
     public void testNoUser()
@@ -1773,6 +1775,46 @@ public class AuthorityServiceTest extends TestCase
         personService.deletePerson(username);
     }
 
+    public void testAdminHasSysAdminAuthority()
+    {
+        authenticationComponent.setCurrentUser(AuthenticationUtil.getAdminUserName());
+        assertTrue(authorityService.hasAdminAuthority());
+        assertTrue("By default, Admin should be member of Alfresco_System_Administrators group.",
+                   pubAuthorityService.hasSysAdminAuthority());
+    }
+
+    public void testSysAdminGroup()
+    {
+        personService.getPerson("andy");
+        // Make sure Andy is not part of ALFRESCO_ADMINISTRATORS group
+        String adminGroup = authorityService.getName(AuthorityType.GROUP, "ALFRESCO_ADMINISTRATORS");
+        authorityService.removeAuthority(adminGroup, "andy");
+        assertFalse(authorityService.isAdminAuthority("andy"));
+
+        // Set the current authentication to Andy, so we can check the runAsUser
+        authenticationComponent.setCurrentUser("andy");
+        assertFalse("Andy hasn't been added to the Alfresco_System_Administrators group yet.",
+                    pubAuthorityService.hasSysAdminAuthority());
+
+        // Set the current authentication to admin in order to add Andy to the group
+        authenticationComponent.setCurrentUser(AuthenticationUtil.getAdminUserName());
+        pubAuthorityService.addAuthority(GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS_AUTHORITY, "andy");
+
+        // Set the current authentication to Andy, so we can check the runAsUser
+        authenticationComponent.setCurrentUser("andy");
+        assertTrue("Andy is a member of the Alfresco_System_Administrators group",
+                   pubAuthorityService.hasSysAdminAuthority());
+
+        // Set the current authentication to admin in order to remove Andy from the group
+        authenticationComponent.setCurrentUser(AuthenticationUtil.getAdminUserName());
+        pubAuthorityService.removeAuthority(GROUP_ALFRESCO_SYSTEM_ADMINISTRATORS_AUTHORITY, "andy");
+
+        // Set the current authentication to Andy, so we can check the runAsUser
+        authenticationComponent.setCurrentUser("andy");
+        assertFalse("Andy has been removed from the Alfresco_System_Administrators group.",
+                    pubAuthorityService.hasSysAdminAuthority());
+    }
+
     private <T extends Policy> T createClassPolicy(Class<T> policyInterface, QName policyQName, QName triggerOnClass)
     {
         T policy = mock(policyInterface);