inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-24 17:32:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge V1.4 to HEAD

Browse Source 
- Ignored Enterprise-specific changes
   svn merge svn://svn.alfresco.com:3691/alfresco/BRANCHES/V1.4@3701 svn://svn.alfresco.com:3691/alfresco/BRANCHES/V1.4@3703 .
   svn merge svn://svn.alfresco.com:3691/alfresco/BRANCHES/V1.4@3704 svn://svn.alfresco.com:3691/alfresco/BRANCHES/V1.4@3705 .
   svn merge svn://svn.alfresco.com:3691/alfresco/BRANCHES/V1.4@3707 svn://svn.alfresco.com:3691/alfresco/BRANCHES/V1.4@3876 .
   svn revert root\projects\web-client\source\web\jsp\admin\admin-console.jsp


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@3879 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Derek Hulley
2006-09-21 23:35:51 +00:00
parent 89f39cd176
commit d2bce74f0b
103 changed files with 3569 additions and 1172 deletions
Download Patch File Download Diff File Expand all files Collapse all files

315
source/java/org/alfresco/repo/security/authentication/DefaultMutableAuthenticationDao.java
View File

@@ -25,219 +25,359 @@ import org.alfresco.error.AlfrescoRuntimeException;
import org.springframework.dao.DataAccessException;
/**
* An authority DAO that has no implementation and should not be called.
* An authority DAO that has no implementation.
*
* By default it will throw an exception if any method is called.
*
* Any of the getter/setter methods can be enabled with a no action implementation.
*
* This can support deleting users via the UI for LDAP and NTLM. The Alfresco person object is deleted from the UI.
* The call to delete the user will return with no action.
*
* The following methods will always fail.
*
* getMD4HashedPassword(String userName)
* loadUserByUsername(String arg0)
* getSalt(UserDetails user)
*
* @author Andy Hind
*/
public class DefaultMutableAuthenticationDao implements MutableAuthenticationDao
{
private boolean allowCreateUser = false;
private boolean allowUpdateUser = false;
private boolean allowDeleteUser = false;
private boolean allowSetEnabled = false;
private boolean allowGetEnabled = false;
private boolean allowSetAccountExpires = false;
private boolean allowGetAccountHasExpired = false;
private boolean allowSetCredentialsExpire = false;
private boolean allowGetCredentialsExpire = false;
private boolean allowGetCredentialsHaveExpired = false;
private boolean allowSetAccountLocked = false;
private boolean allowGetAccountLocked = false;
private boolean allowSetAccountExpiryDate = false;
private boolean allowGetAccountExpiryDate = false;
private boolean allowSetCredentialsExpiryDate = false;
private boolean allowGetCredentialsExpiryDate = false;
/**
* Create a user with the given userName and password
*
* If enabled does nothing.
*
* @param userName
* @param rawPassword
* @throws AuthenticationException
*/
public void createUser(String userName, char[] rawPassword) throws AuthenticationException
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowCreateUser)
{
throw new AlfrescoRuntimeException("Create User is not supported");
}
}
/**
* Update a user's password.
*
* If enabled does nothing.
*
* @param userName
* @param rawPassword
* @throws AuthenticationException
*/
public void updateUser(String userName, char[] rawPassword) throws AuthenticationException
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowUpdateUser)
{
throw new AlfrescoRuntimeException("Update user is not supported");
}
}
/**
* Delete a user.
*
* If enabled does nothing.
*
* @param userName
* @throws AuthenticationException
*/
public void deleteUser(String userName) throws AuthenticationException
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowDeleteUser)
{
throw new AlfrescoRuntimeException("Delete user is not supported");
}
}
/**
* Check is a user exists.
*
* If enabled returns true.
*
* @param userName
* @return
*/
public boolean userExists(String userName)
{
// All users may exist
return true;
}
/**
* Enable/disable a user.
*
* If enabled does nothing.
*
* @param userName
* @param enabled
*/
public void setEnabled(String userName, boolean enabled)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowSetEnabled)
{
throw new AlfrescoRuntimeException("Set enabled is not supported");
}
}
/**
* Getter for user enabled
*
* If enabled returns true.
*
* @param userName
* @return
*/
public boolean getEnabled(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowGetEnabled)
{
throw new AlfrescoRuntimeException("Get enabled is not supported");
}
return true;
}
/**
* Set if the account should expire
*
* If enabled does nothing.
*
* @param userName
* @param expires
*/
public void setAccountExpires(String userName, boolean expires)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowSetAccountExpires)
{
throw new AlfrescoRuntimeException("Set account expires is not supported");
}
}
/**
* Does the account expire?
*
* If enabled returns false.
*
* @param userName
* @return
*/
public boolean getAccountExpires(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowSetAccountExpires)
{
throw new AlfrescoRuntimeException("Get account expires is not supported");
}
return false;
}
/**
* Has the account expired?
*
* If enabled returns false.
*
* @param userName
* @return
*/
public boolean getAccountHasExpired(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowGetAccountHasExpired)
{
throw new AlfrescoRuntimeException("Get account has expired is not supported");
}
return false;
}
/**
* Set if the password expires.
*
* If enabled does nothing.
*
* @param userName
* @param expires
*/
public void setCredentialsExpire(String userName, boolean expires)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowSetCredentialsExpire)
{
throw new AlfrescoRuntimeException("Set credentials expire is not supported");
}
}
/**
* Do the credentials for the user expire?
*
* If enabled returns false.
*
* @param userName
* @return
*/
public boolean getCredentialsExpire(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowGetCredentialsExpire)
{
throw new AlfrescoRuntimeException("Get credentials expire is not supported");
}
return false;
}
/**
* Have the credentials for the user expired?
*
* If enabled returns false.
*
* @param userName
* @return
*/
public boolean getCredentialsHaveExpired(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowGetCredentialsHaveExpired)
{
throw new AlfrescoRuntimeException("Get credentials have expired is not supported");
}
return false;
}
/**
* Set if the account is locked.
*
* If enabled does nothing.
*
* @param userName
* @param locked
*/
public void setLocked(String userName, boolean locked)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowSetAccountLocked)
{
throw new AlfrescoRuntimeException("Set account locked is not supported");
}
}
/**
* Is the account locked?
*
* If enabled returns false.
*
* @param userName
* @return
*/
public boolean getAccountlocked(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowGetAccountLocked)
{
throw new AlfrescoRuntimeException("Get account locked is not supported");
}
return false;
}
/**
* Set the date on which the account expires
*
* If enabled does nothing.
*
* @param userName
* @param exipryDate
*/
public void setAccountExpiryDate(String userName, Date exipryDate)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowSetAccountExpiryDate)
{
throw new AlfrescoRuntimeException("Set account expiry date is not supported");
}
}
/**
/**
* Get the date when this account expires.
*
* If enabled returns null.
*
* @param userName
* @return
*/
public Date getAccountExpiryDate(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowGetAccountExpiryDate)
{
throw new AlfrescoRuntimeException("Get account expiry date is not supported");
}
return null;
}
/**
* Set the date when credentials expire.
*
* If enabled does nothing.
*
* @param userName
* @param exipryDate
*/
public void setCredentialsExpiryDate(String userName, Date exipryDate)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowSetCredentialsExpiryDate)
{
throw new AlfrescoRuntimeException("Set credentials expiry date is not supported");
}
}
/**
* Get the date when the credentials/password expire.
*
* If enabled returns null.
*
* @param userName
* @return
*/
public Date getCredentialsExpiryDate(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
if (!allowGetCredentialsExpiryDate)
{
throw new AlfrescoRuntimeException("Get credentials expiry date is not supported");
}
return null;
}
/**
* Get the MD4 password hash
*
* Always throws an exception.
*
* @param userName
* @return
*/
@@ -249,7 +389,10 @@ public class DefaultMutableAuthenticationDao implements MutableAuthenticationDao
/**
* Return the user details for the specified user
*
* @param user String
* Always throws an exception.
*
* @param user
* String
* @return UserDetails
* @exception UsernameNotFoundException
* @exception DataAccessException
@@ -262,11 +405,99 @@ public class DefaultMutableAuthenticationDao implements MutableAuthenticationDao
/**
* Return salt for user
*
* @param user UserDetails
* Always throws an exception.
*
* @param user
* UserDetails
* @return Object
*/
public Object getSalt(UserDetails user)
{
throw new AlfrescoRuntimeException("Not implemented");
}
// -------- //
// Bean IOC //
// -------- //
public void setAllowCreateUser(boolean allowCreateUser)
{
this.allowCreateUser = allowCreateUser;
}
public void setAllowDeleteUser(boolean allowDeleteUser)
{
this.allowDeleteUser = allowDeleteUser;
}
public void setAllowGetAccountExpiryDate(boolean allowGetAccountExpiryDate)
{
this.allowGetAccountExpiryDate = allowGetAccountExpiryDate;
}
public void setAllowGetAccountHasExpired(boolean allowGetAccountHasExpired)
{
this.allowGetAccountHasExpired = allowGetAccountHasExpired;
}
public void setAllowGetAccountLocked(boolean allowGetAccountLocked)
{
this.allowGetAccountLocked = allowGetAccountLocked;
}
public void setAllowGetCredentialsExpire(boolean allowGetCredentialsExpire)
{
this.allowGetCredentialsExpire = allowGetCredentialsExpire;
}
public void setAllowGetCredentialsExpiryDate(boolean allowGetCredentialsExpiryDate)
{
this.allowGetCredentialsExpiryDate = allowGetCredentialsExpiryDate;
}
public void setAllowGetCredentialsHaveExpired(boolean allowGetCredentialsHaveExpired)
{
this.allowGetCredentialsHaveExpired = allowGetCredentialsHaveExpired;
}
public void setAllowGetEnabled(boolean allowGetEnabled)
{
this.allowGetEnabled = allowGetEnabled;
}
public void setAllowSetAccountExpires(boolean allowSetAccountExpires)
{
this.allowSetAccountExpires = allowSetAccountExpires;
}
public void setAllowSetAccountExpiryDate(boolean allowSetAccountExpiryDate)
{
this.allowSetAccountExpiryDate = allowSetAccountExpiryDate;
}
public void setAllowSetAccountLocked(boolean allowSetAccountLocked)
{
this.allowSetAccountLocked = allowSetAccountLocked;
}
public void setAllowSetCredentialsExpire(boolean allowSetCredentialsExpire)
{
this.allowSetCredentialsExpire = allowSetCredentialsExpire;
}
public void setAllowSetCredentialsExpiryDate(boolean allowSetCredentialsExpiryDate)
{
this.allowSetCredentialsExpiryDate = allowSetCredentialsExpiryDate;
}
public void setAllowSetEnabled(boolean allowSetEnabled)
{
this.allowSetEnabled = allowSetEnabled;
}
public void setAllowUpdateUser(boolean allowUpdateUser)
{
this.allowUpdateUser = allowUpdateUser;
}
}

87
source/java/org/alfresco/repo/security/authentication/ldap/LDAPGroupExportSource.java
View File

@@ -91,6 +91,10 @@ public class LDAPGroupExportSource implements ExportSource, InitializingBean
private AuthorityDAO authorityDAO;
private boolean errorOnMissingGID;
private boolean errorOnMissingUID;
public LDAPGroupExportSource()
{
super();
@@ -146,6 +150,16 @@ public class LDAPGroupExportSource implements ExportSource, InitializingBean
this.errorOnMissingMembers = errorOnMissingMembers;
}
public void setErrorOnMissingGID(boolean errorOnMissingGID)
{
this.errorOnMissingGID = errorOnMissingGID;
}
public void setErrorOnMissingUID(boolean errorOnMissingUID)
{
this.errorOnMissingUID = errorOnMissingUID;
}
public void setAuthorityDAO(AuthorityDAO authorityDAO)
{
this.authorityDAO = authorityDAO;
@@ -279,7 +293,7 @@ public class LDAPGroupExportSource implements ExportSource, InitializingBean
ContentModel.TYPE_AUTHORITY_CONTAINER.getLocalName(), ContentModel.TYPE_AUTHORITY_CONTAINER
.toPrefixString(namespaceService), attrs);
if ((authorityDAO != null ) && authorityDAO.authorityExists(group.gid))
if ((authorityDAO != null) && authorityDAO.authorityExists(group.gid))
{
NodeRef authNodeRef = authorityDAO.getAuthorityNodeRefOrNull(group.gid);
if (authNodeRef != null)
@@ -295,7 +309,7 @@ public class LDAPGroupExportSource implements ExportSource, InitializingBean
.toPrefixString(namespaceService));
}
}
writer.startElement(ContentModel.PROP_AUTHORITY_NAME.getNamespaceURI(), ContentModel.PROP_AUTHORITY_NAME
.getLocalName(), ContentModel.PROP_AUTHORITY_NAME.toPrefixString(namespaceService),
new AttributesImpl());
@@ -368,8 +382,17 @@ public class LDAPGroupExportSource implements ExportSource, InitializingBean
Attribute gidAttribute = attributes.get(groupIdAttributeName);
if (gidAttribute == null)
{
throw new ExportSourceImporterException(
"Group returned by group search does not have mandatory group id attribute " + attributes);
if (errorOnMissingGID)
{
throw new ExportSourceImporterException(
"Group returned by group search does not have mandatory group id attribute "
+ attributes);
}
else
{
s_logger.warn("Missing GID on " + attributes);
continue;
}
}
String gid = (String) gidAttribute.get(0);
@@ -453,7 +476,15 @@ public class LDAPGroupExportSource implements ExportSource, InitializingBean
Attribute objectclass = attributes.get("objectclass");
if (objectclass == null)
{
throw new ExportSourceImporterException("Failed to find attribute objectclass for DN " + dn);
if (errorOnMissingMembers)
{
throw new ExportSourceImporterException("Failed to find attribute objectclass for DN "
+ dn);
}
else
{
continue;
}
}
for (int i = 0; i < objectclass.size(); i++)
{
@@ -479,8 +510,18 @@ public class LDAPGroupExportSource implements ExportSource, InitializingBean
Attribute groupIdAttribute = attributes.get(groupIdAttributeName);
if (groupIdAttribute == null)
{
throw new ExportSourceImporterException("Group missing group id attribute DN ="
+ dn + " att = " + groupIdAttributeName);
if (errorOnMissingGID)
{
throw new ExportSourceImporterException(
"Group missing group id attribute DN ="
+ dn + " att = " + groupIdAttributeName);
}
else
{
s_logger.warn("Group missing group id attribute DN ="
+ dn + " att = " + groupIdAttributeName);
continue;
}
}
id = (String) groupIdAttribute.get(0);
}
@@ -504,8 +545,18 @@ public class LDAPGroupExportSource implements ExportSource, InitializingBean
Attribute userIdAttribute = attributes.get(userIdAttributeName);
if (userIdAttribute == null)
{
throw new ExportSourceImporterException("User missing user id attribute DN ="
+ dn + " att = " + userIdAttributeName);
if (errorOnMissingUID)
{
throw new ExportSourceImporterException(
"User missing user id attribute DN ="
+ dn + " att = " + userIdAttributeName);
}
else
{
s_logger.warn("User missing user id attribute DN ="
+ dn + " att = " + userIdAttributeName);
continue;
}
}
id = (String) userIdAttribute.get(0);
}
@@ -527,7 +578,14 @@ public class LDAPGroupExportSource implements ExportSource, InitializingBean
{
if (isGroup == null)
{
throw new ExportSourceImporterException("Type not recognised for DN" + dn);
if (errorOnMissingMembers)
{
throw new ExportSourceImporterException("Type not recognised for DN" + dn);
}
else
{
continue;
}
}
else if (isGroup)
{
@@ -538,7 +596,14 @@ public class LDAPGroupExportSource implements ExportSource, InitializingBean
Group child = lookup.get("GROUP_" + id);
if (child == null)
{
if (errorOnMissingMembers)
{
throw new ExportSourceImporterException("Failed to find child group " + id);
}
else
{
continue;
}
}
if (rootGroups.contains(child))
{
@@ -688,7 +753,7 @@ public class LDAPGroupExportSource implements ExportSource, InitializingBean
TransactionService txs = (TransactionService) ctx.getBean("transactionComponent");
UserTransaction tx = txs.getUserTransaction();
tx.begin();
File file = new File(args[0]);
Writer writer = new BufferedWriter(new FileWriter(file));
XMLWriter xmlWriter = createXMLExporter(writer);

124
source/java/org/alfresco/repo/security/authentication/ldap/LDAPInitialDirContextFactoryImpl.java
View File

@@ -30,17 +30,22 @@ import javax.naming.directory.InitialDirContext;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.util.ApplicationContextHelper;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationContext;
public class LDAPInitialDirContextFactoryImpl implements LDAPInitialDirContextFactory
public class LDAPInitialDirContextFactoryImpl implements LDAPInitialDirContextFactory, InitializingBean
{
private static final Log logger = LogFactory.getLog(LDAPInitialDirContextFactoryImpl.class);
private Map<String, String> initialDirContextEnvironment = Collections.<String, String> emptyMap();
static
{
System.setProperty("javax.security.auth.useSubjectCredentialsOnly", "false");
}
public LDAPInitialDirContextFactoryImpl()
{
super();
@@ -87,11 +92,22 @@ public class LDAPInitialDirContextFactoryImpl implements LDAPInitialDirContextFa
{
throw new AuthenticationException("Null user name provided.");
}
if (principal.length() == 0)
{
throw new AuthenticationException("Empty user name provided.");
}
if (credentials == null)
{
throw new AuthenticationException("No credentials provided.");
}
if (credentials.length() == 0)
{
throw new AuthenticationException("Empty credentials provided.");
}
Hashtable<String, String> env = new Hashtable<String, String>(initialDirContextEnvironment.size());
env.putAll(initialDirContextEnvironment);
env.put(Context.SECURITY_PRINCIPAL, principal);
@@ -187,4 +203,108 @@ public class LDAPInitialDirContextFactoryImpl implements LDAPInitialDirContextFa
}
public void afterPropertiesSet() throws Exception
{
// Check Anonymous bind
Hashtable<String, String> env = new Hashtable<String, String>(initialDirContextEnvironment.size());
env.putAll(initialDirContextEnvironment);
env.remove(Context.SECURITY_PRINCIPAL);
env.remove(Context.SECURITY_CREDENTIALS);
try
{
new InitialDirContext(env);
logger.warn("LDAP server supports anonymous bind " + env.get(Context.PROVIDER_URL));
}
catch (javax.naming.AuthenticationException ax)
{
}
catch (NamingException nx)
{
throw new AuthenticationException("Unable to connect to LDAP Server; check LDAP configuration", nx);
}
// Simple DN and password
env = new Hashtable<String, String>(initialDirContextEnvironment.size());
env.putAll(initialDirContextEnvironment);
env.put(Context.SECURITY_PRINCIPAL, "daftAsABrush");
env.put(Context.SECURITY_CREDENTIALS, "daftAsABrush");
try
{
new InitialDirContext(env);
throw new AuthenticationException(
"The ldap server at "
+ env.get(Context.PROVIDER_URL)
+ " falls back to use anonymous bind if invalid security credentials are presented. This is not supported.");
}
catch (javax.naming.AuthenticationException ax)
{
logger.info("LDAP server does not fall back to anonymous bind for a string uid and password at " + env.get(Context.PROVIDER_URL));
}
catch (NamingException nx)
{
logger.info("LDAP server does not support simple string user ids and invalid credentials at "+ env.get(Context.PROVIDER_URL));
}
// DN and password
env = new Hashtable<String, String>(initialDirContextEnvironment.size());
env.putAll(initialDirContextEnvironment);
env.put(Context.SECURITY_PRINCIPAL, "cn=daftAsABrush,dc=woof");
env.put(Context.SECURITY_CREDENTIALS, "daftAsABrush");
try
{
new InitialDirContext(env);
throw new AuthenticationException(
"The ldap server at "
+ env.get(Context.PROVIDER_URL)
+ " falls back to use anonymous bind if invalid security credentials are presented. This is not supported.");
}
catch (javax.naming.AuthenticationException ax)
{
logger.info("LDAP server does not fall back to anonymous bind for a simple dn and password at " + env.get(Context.PROVIDER_URL));
}
catch (NamingException nx)
{
logger.info("LDAP server does not support simple DN and invalid password at "+ env.get(Context.PROVIDER_URL));
}
// Check more if we have a real principal we expect to work
env = new Hashtable<String, String>(initialDirContextEnvironment.size());
env.putAll(initialDirContextEnvironment);
if(env.get(Context.SECURITY_PRINCIPAL) != null)
{
// Correct principal invalid password
env = new Hashtable<String, String>(initialDirContextEnvironment.size());
env.putAll(initialDirContextEnvironment);
env.put(Context.SECURITY_CREDENTIALS, "sdasdasdasdasd123123123");
try
{
new InitialDirContext(env);
throw new AuthenticationException(
"The ldap server at "
+ env.get(Context.PROVIDER_URL)
+ " falls back to use anonymous bind for a known principal if invalid security credentials are presented. This is not supported.");
}
catch (javax.naming.AuthenticationException ax)
{
logger.info("LDAP server does not fall back to anonymous bind for known principal and invalid credentials at " + env.get(Context.PROVIDER_URL));
}
catch (NamingException nx)
{
// already donw
}
}
}
}

15
source/java/org/alfresco/repo/security/authentication/ldap/LDAPPersonExportSource.java
View File

@@ -67,6 +67,8 @@ public class LDAPPersonExportSource implements ExportSource
private NamespaceService namespaceService;
private String defaultHomeFolder;
private boolean errorOnMissingUID;
public LDAPPersonExportSource()
{
@@ -113,6 +115,11 @@ public class LDAPPersonExportSource implements ExportSource
this.attributeMapping = attributeMapping;
}
public void setErrorOnMissingUID(boolean errorOnMissingUID)
{
this.errorOnMissingUID = errorOnMissingUID;
}
public void generateExport(XMLWriter writer)
{
QName nodeUUID = QName.createQName("sys:node-uuid", namespaceService);
@@ -161,8 +168,16 @@ public class LDAPPersonExportSource implements ExportSource
Attribute uidAttribute = attributes.get(userIdAttributeName);
if (uidAttribute == null)
{
if(errorOnMissingUID)
{
throw new ExportSourceImporterException(
"User returned by user search does not have mandatory user id attribute " + attributes);
}
else
{
s_logger.warn("User returned by user search does not have mandatory user id attribute " + attributes);
continue;
}
}
String uid = (String) uidAttribute.get(0);

2
source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java
View File

@@ -210,7 +210,7 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
throw new IllegalArgumentException("Property 'policyComponent' has not been set");
}
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "onMoveNode"), ContentModel.ASPECT_AUDITABLE, new JavaBehaviour(this, "onMoveNode"));
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "onMoveNode"), ContentModel.TYPE_BASE, new JavaBehaviour(this, "onMoveNode"));
}

32
source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceTest.java
View File

@@ -83,6 +83,16 @@ public class PermissionServiceTest extends AbstractPermissionTest
allowAndyReadChildren = new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ_CHILDREN),
"andy", AccessStatus.ALLOWED);
}
public void testWeSetConsumerOnRootIsNotSupportedByHasPermisssionAsItIsTheWrongType()
{
runAs("andy");
assertEquals(0, permissionService.getSetPermissions(rootNodeRef).getPermissionEntries().size());
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.CONSUMER),
"andy", AccessStatus.ALLOWED));
assertEquals(1, permissionService.getSetPermissions(rootNodeRef).getPermissionEntries().size());
assertEquals(permissionService.hasPermission(rootNodeRef, (PermissionService.CONSUMER)), AccessStatus.DENIED);
}
public void testGetAllSetPermissions()
{
@@ -417,7 +427,7 @@ public class PermissionServiceTest extends AbstractPermissionTest
{
Set<String> answer = permissionService.getSettablePermissions(QName.createQName("sys", "base",
namespacePrefixResolver));
assertEquals(21, answer.size());
assertEquals(36, answer.size());
answer = permissionService.getSettablePermissions(QName.createQName("cm", "ownable", namespacePrefixResolver));
assertEquals(0, answer.size());
@@ -427,29 +437,33 @@ public class PermissionServiceTest extends AbstractPermissionTest
answer = permissionService.getSettablePermissions(QName.createQName("cm", "folder", namespacePrefixResolver));
assertEquals(5, answer.size());
answer = permissionService.getSettablePermissions(QName.createQName("cm", "monkey", namespacePrefixResolver));
assertEquals(0, answer.size());
}
public void testGetSettablePermissionsForNode()
{
QName ownable = QName.createQName("cm", "ownable", namespacePrefixResolver);
Set<String> answer = permissionService.getSettablePermissions(rootNodeRef);
assertEquals(25, answer.size());
assertEquals(42, answer.size());
nodeService.addAspect(rootNodeRef, ownable, null);
answer = permissionService.getSettablePermissions(rootNodeRef);
assertEquals(25, answer.size());
assertEquals(42, answer.size());
nodeService.removeAspect(rootNodeRef, ownable);
answer = permissionService.getSettablePermissions(rootNodeRef);
assertEquals(25, answer.size());
assertEquals(42, answer.size());
}
public void testSimplePermissionOnRoot()
{
runAs("andy");
assertEquals(25, permissionService.getPermissions(rootNodeRef).size());
assertEquals(42, permissionService.getPermissions(rootNodeRef).size());
assertEquals(0, countGranted(permissionService.getPermissions(rootNodeRef)));
assertEquals(0, permissionService.getAllSetPermissions(rootNodeRef).size());
@@ -462,8 +476,8 @@ public class PermissionServiceTest extends AbstractPermissionTest
assertEquals(1, permissionService.getAllSetPermissions(rootNodeRef).size());
runAs("andy");
assertEquals(25, permissionService.getPermissions(rootNodeRef).size());
assertEquals(1, countGranted(permissionService.getPermissions(rootNodeRef)));
assertEquals(42, permissionService.getPermissions(rootNodeRef).size());
assertEquals(2, countGranted(permissionService.getPermissions(rootNodeRef)));
assertTrue(permissionService.hasPermission(rootNodeRef, getPermission(PermissionService.READ_PROPERTIES)) == AccessStatus.ALLOWED);
runAs("lemur");
@@ -578,8 +592,8 @@ public class PermissionServiceTest extends AbstractPermissionTest
permissionService.setPermission(allowAndyRead);
runAs("andy");
assertEquals(25, permissionService.getPermissions(rootNodeRef).size());
assertEquals(4, countGranted(permissionService.getPermissions(rootNodeRef)));
assertEquals(42, permissionService.getPermissions(rootNodeRef).size());
assertEquals(7, countGranted(permissionService.getPermissions(rootNodeRef)));
assertEquals(1, permissionService.getAllSetPermissions(rootNodeRef).size());
assertTrue(permissionService.hasPermission(rootNodeRef, getPermission(PermissionService.READ)) == AccessStatus.ALLOWED);

80
source/java/org/alfresco/repo/security/permissions/impl/model/PermissionModel.java
View File

@@ -50,11 +50,7 @@ import org.dom4j.io.SAXReader;
import org.springframework.beans.factory.InitializingBean;
/**
* The implementation of the model DAO
*
* Reads and stores the top level model information
*
* Encapsulates access to this information
* The implementation of the model DAO Reads and stores the top level model information Encapsulates access to this information
*
* @author andyh
*/
@@ -97,16 +93,13 @@ public class PermissionModel implements ModelDAO, InitializingBean
private AccessStatus defaultPermission;
// Cache granting permissions
private HashMap<PermissionReference, Set<PermissionReference>> grantingPermissions =
new HashMap<PermissionReference, Set<PermissionReference>>();
private HashMap<PermissionReference, Set<PermissionReference>> grantingPermissions = new HashMap<PermissionReference, Set<PermissionReference>>();
// Cache grantees
private HashMap<PermissionReference, Set<PermissionReference>> granteePermissions =
new HashMap<PermissionReference, Set<PermissionReference>>();
private HashMap<PermissionReference, Set<PermissionReference>> granteePermissions = new HashMap<PermissionReference, Set<PermissionReference>>();
// Cache the mapping of extended groups to the base
private HashMap<PermissionGroup, PermissionGroup> groupsToBaseGroup =
new HashMap<PermissionGroup, PermissionGroup>();
private HashMap<PermissionGroup, PermissionGroup> groupsToBaseGroup = new HashMap<PermissionGroup, PermissionGroup>();
private HashMap<String, PermissionReference> uniqueMap;
@@ -115,13 +108,13 @@ public class PermissionModel implements ModelDAO, InitializingBean
private HashMap<PermissionReference, PermissionGroup> permissionGroupMap;
private HashMap<String, PermissionReference> permissionReferenceMap;
private Map<QName, LinkedHashSet<PermissionReference>> cachedTypePermissionsExposed =
new HashMap<QName, LinkedHashSet<PermissionReference>>(128, 1.0f);
private Map<QName, LinkedHashSet<PermissionReference>> cachedTypePermissionsUnexposed =
new HashMap<QName, LinkedHashSet<PermissionReference>>(128, 1.0f);
private Map<QName, LinkedHashSet<PermissionReference>> cachedTypePermissionsExposed = new HashMap<QName, LinkedHashSet<PermissionReference>>(
128, 1.0f);
private Map<QName, LinkedHashSet<PermissionReference>> cachedTypePermissionsUnexposed = new HashMap<QName, LinkedHashSet<PermissionReference>>(
128, 1.0f);
public PermissionModel()
{
super();
@@ -145,9 +138,7 @@ public class PermissionModel implements ModelDAO, InitializingBean
}
/*
* Initialise from file
*
* (non-Javadoc)
* Initialise from file (non-Javadoc)
*
* @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
*/
@@ -283,7 +274,7 @@ public class PermissionModel implements ModelDAO, InitializingBean
{
return getAllPermissionsImpl(type, true);
}
@SuppressWarnings("unchecked")
private Set<PermissionReference> getAllPermissionsImpl(QName type, boolean exposedOnly)
{
@@ -300,18 +291,22 @@ public class PermissionModel implements ModelDAO, InitializingBean
if (permissions == null)
{
permissions = new LinkedHashSet<PermissionReference>();
if (dictionaryService.getClass(type).isAspect())
ClassDefinition cd = dictionaryService.getClass(type);
if (cd != null)
{
addAspectPermissions(type, permissions, exposedOnly);
}
else
{
mergeGeneralAspectPermissions(permissions, exposedOnly);
addTypePermissions(type, permissions, exposedOnly);
if (cd.isAspect())
{
addAspectPermissions(type, permissions, exposedOnly);
}
else
{
mergeGeneralAspectPermissions(permissions, exposedOnly);
addTypePermissions(type, permissions, exposedOnly);
}
}
cache.put(type, permissions);
}
return (Set<PermissionReference>)permissions.clone();
return (Set<PermissionReference>) permissions.clone();
}
/**
@@ -401,10 +396,10 @@ public class PermissionModel implements ModelDAO, InitializingBean
}
}
}
private void mergeGeneralAspectPermissions(Set<PermissionReference> target, boolean exposedOnly)
{
for(QName aspect : dictionaryService.getAllAspects())
for (QName aspect : dictionaryService.getAllAspects())
{
mergePermissions(target, aspect, exposedOnly, false);
}
@@ -424,10 +419,10 @@ public class PermissionModel implements ModelDAO, InitializingBean
{
//
// TODO: cache permissions based on type and exposed flag
// create JMeter test to see before/after effect!
// create JMeter test to see before/after effect!
//
QName typeName = nodeService.getType(nodeRef);
Set<PermissionReference> permissions = getAllPermissions(typeName);
mergeGeneralAspectPermissions(permissions, exposedOnly);
// Add non mandatory aspects...
@@ -663,9 +658,7 @@ public class PermissionModel implements ModelDAO, InitializingBean
}
/**
* Query the model for a base permission group
*
* Uses the Data Dictionary to reolve inheritance
* Query the model for a base permission group Uses the Data Dictionary to reolve inheritance
*
* @param pg
* @return
@@ -775,8 +768,9 @@ public class PermissionModel implements ModelDAO, InitializingBean
{
for (PermissionGroup pg : ps.getPermissionGroups())
{
if (target.equals(getBasePermissionGroupOrNull(pg))
&& isPartOfDynamicPermissionGroup(pg, qName, aspectQNames))
PermissionGroup base = getBasePermissionGroupOrNull(pg);
if (target.equals(base)
&& (!base.isTypeRequired() || isPartOfDynamicPermissionGroup(pg, qName, aspectQNames)))
{
// Add includes
for (PermissionReference pr : pg.getIncludedPermissionGroups())
@@ -791,7 +785,8 @@ public class PermissionModel implements ModelDAO, InitializingBean
for (PermissionReference grantedTo : p.getGrantedToGroups())
{
PermissionGroup base = getBasePermissionGroupOrNull(getPermissionGroupOrNull(grantedTo));
if (target.equals(base) && (!base.isTypeRequired() || isPartOfDynamicPermissionGroup(grantedTo, qName, aspectQNames)))
if (target.equals(base)
&& (!base.isTypeRequired() || isPartOfDynamicPermissionGroup(grantedTo, qName, aspectQNames)))
{
if (on == RequiredPermission.On.NODE)
{
@@ -887,7 +882,7 @@ public class PermissionModel implements ModelDAO, InitializingBean
public PermissionReference getPermissionReference(QName qname, String permissionName)
{
if(permissionName == null)
if (permissionName == null)
{
return null;
}
@@ -963,7 +958,8 @@ public class PermissionModel implements ModelDAO, InitializingBean
+ PermissionService.ALL_PERMISSIONS);
}
uniqueMap.put(PermissionService.ALL_PERMISSIONS, new SimplePermissionReference(QName.createQName(
NamespaceService.SECURITY_MODEL_1_0_URI, PermissionService.ALL_PERMISSIONS), PermissionService.ALL_PERMISSIONS));
NamespaceService.SECURITY_MODEL_1_0_URI, PermissionService.ALL_PERMISSIONS),
PermissionService.ALL_PERMISSIONS));
}

41
source/java/org/alfresco/repo/security/permissions/impl/model/PermissionModelTest.java
View File

@@ -22,6 +22,7 @@ import org.alfresco.repo.security.permissions.PermissionEntry;
import org.alfresco.repo.security.permissions.PermissionReference;
import org.alfresco.repo.security.permissions.impl.AbstractPermissionTest;
import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
import org.alfresco.repo.security.permissions.impl.RequiredPermission.On;
import org.alfresco.service.namespace.QName;
public class PermissionModelTest extends AbstractPermissionTest
@@ -32,12 +33,21 @@ public class PermissionModelTest extends AbstractPermissionTest
super();
}
public void testWoof()
{
QName typeQname = nodeService.getType(rootNodeRef);
Set<QName> aspectQNames = nodeService.getAspects(rootNodeRef);
PermissionReference ref = permissionModelDAO.getPermissionReference(null, "CheckOut");
Set<PermissionReference> answer = permissionModelDAO.getRequiredPermissions(ref, typeQname, aspectQNames, On.NODE);
assertEquals(1, answer.size());
}
public void testIncludePermissionGroups()
{
Set<PermissionReference> grantees = permissionModelDAO.getGranteePermissions(new SimplePermissionReference(QName.createQName("cm", "cmobject",
namespacePrefixResolver), "Consumer"));
assertEquals(5, grantees.size());
assertEquals(8, grantees.size());
}
public void testIncludePermissionGroups2()
@@ -45,7 +55,7 @@ public class PermissionModelTest extends AbstractPermissionTest
Set<PermissionReference> grantees = permissionModelDAO.getGranteePermissions(new SimplePermissionReference(QName.createQName("cm", "cmobject",
namespacePrefixResolver), "Contributor"));
assertEquals(11, grantees.size());
assertEquals(17, grantees.size());
}
public void testIncludePermissionGroups3()
@@ -53,7 +63,7 @@ public class PermissionModelTest extends AbstractPermissionTest
Set<PermissionReference> grantees = permissionModelDAO.getGranteePermissions(new SimplePermissionReference(QName.createQName("cm", "cmobject",
namespacePrefixResolver), "Editor"));
assertEquals(11, grantees.size());
assertEquals(17, grantees.size());
}
public void testIncludePermissionGroups4()
@@ -61,14 +71,34 @@ public class PermissionModelTest extends AbstractPermissionTest
Set<PermissionReference> grantees = permissionModelDAO.getGranteePermissions(new SimplePermissionReference(QName.createQName("cm", "cmobject",
namespacePrefixResolver), "Collaborator"));
assertEquals(16, grantees.size());
assertEquals(24, grantees.size());
}
public void testIncludePermissionGroups5()
{
Set<PermissionReference> grantees = permissionModelDAO.getGranteePermissions(new SimplePermissionReference(QName.createQName("cm", "cmobject",
namespacePrefixResolver), "Coordinator"));
assertEquals(59, grantees.size());
}
public void testIncludePermissionGroups6()
{
Set<PermissionReference> grantees = permissionModelDAO.getGranteePermissions(new SimplePermissionReference(QName.createQName("cm", "cmobject",
namespacePrefixResolver), "RecordAdministrator"));
assertEquals(19, grantees.size());
}
public void testGetGrantingPermissions()
{
Set<PermissionReference> granters = permissionModelDAO.getGrantingPermissions(new SimplePermissionReference(QName.createQName("sys", "base",
namespacePrefixResolver), "ReadProperties"));
assertEquals(9, granters.size());
assertEquals(10, granters.size());
granters = permissionModelDAO.getGrantingPermissions(new SimplePermissionReference(QName.createQName("sys", "base",
namespacePrefixResolver), "_ReadProperties"));
assertEquals(11, granters.size());
}
public void testGlobalPermissions()
@@ -76,4 +106,5 @@ public class PermissionModelTest extends AbstractPermissionTest
Set<? extends PermissionEntry> globalPermissions = permissionModelDAO.getGlobalPermissionEntries();
assertEquals(5, globalPermissions.size());
}
}