inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

RM: Policy refactor

Browse Source 
* moved policy implementations out of RMEntryVoter and into separate classes
 * rather than being a hard coded list, policies are now registered via spring allowing others to be easily added
 * re-arrange some of the support implementation
 * RMEntryVoter is now significantly smaller and most of the logic that was once encapsulated in here is spread over supporting classes and services
 * TODO .. need to review policies and determine which are appropraite .. much easier to do now!



git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@48815 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Roy Wetherall
2013-04-04 00:09:06 +00:00
parent 13d4f3f576
commit f03059d9fe
22 changed files with 1091 additions and 757 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
rm-server/config/alfresco/module/org_alfresco_module_rm/module-context.xml
View File

@@ -78,6 +78,7 @@
<!-- Import fixed permission definitions for RM --> <!-- Import fixed permission definitions for RM -->
<import resource="classpath:alfresco/module/org_alfresco_module_rm/rm-public-services-security-context.xml"/> <import resource="classpath:alfresco/module/org_alfresco_module_rm/rm-public-services-security-context.xml"/>
<import resource="classpath:alfresco/module/org_alfresco_module_rm/security/rm-method-security-context.xml"/> <import resource="classpath:alfresco/module/org_alfresco_module_rm/security/rm-method-security-context.xml"/>
<import resource="classpath:alfresco/module/org_alfresco_module_rm/security/rm-policy-context.xml"/>
<!-- Import the RM service's --> <!-- Import the RM service's -->
<import resource="classpath:alfresco/module/org_alfresco_module_rm/rm-service-context.xml"/> <import resource="classpath:alfresco/module/org_alfresco_module_rm/rm-service-context.xml"/>

1
rm-server/config/alfresco/module/org_alfresco_module_rm/rm-capabilities-context.xml
View File

@@ -14,7 +14,6 @@
abstract="true" abstract="true"
parent="RMSecurityCommon" parent="RMSecurityCommon"
init-method="init"> init-method="init">
<property name="voter" ref="rmEntryVoter"/>
<property name="capabilityService" ref="CapabilityService"/> <property name="capabilityService" ref="CapabilityService"/>
</bean> </bean>

3
rm-server/config/alfresco/module/org_alfresco_module_rm/rm-public-services-security-context.xml
View File

@@ -93,10 +93,7 @@
lazy-init="false" lazy-init="false"
parent="RMSecurityCommon" parent="RMSecurityCommon"
depends-on="CapabilityService"> depends-on="CapabilityService">
<!-- Services -->
<property name="namespacePrefixResolver" ref="namespaceService"/> <property name="namespacePrefixResolver" ref="namespaceService"/>
<property name="dictionaryService" ref="dictionaryService"/>
<property name="dispositionService" ref="dispositionService"/>
<property name="capabilityService" ref="capabilityService"/> <property name="capabilityService" ref="capabilityService"/>
</bean> </bean>

2
rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security-context.xml
View File

@@ -15,6 +15,6 @@
<bean id="rm-method-security-post-processor" class="org.alfresco.module.org_alfresco_module_rm.security.RMMethodSecurityPostProcessor"> <bean id="rm-method-security-post-processor" class="org.alfresco.module.org_alfresco_module_rm.security.RMMethodSecurityPostProcessor">
<property name="properties" ref="rm-method-security-properties"/> <property name="properties" ref="rm-method-security-properties"/>
</bean> </bean>
</beans> </beans>

11
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/AbstractCapability.java
View File

@@ -41,9 +41,6 @@ public abstract class AbstractCapability extends RMSecurityCommon
@SuppressWarnings("unused") @SuppressWarnings("unused")
private static Log logger = LogFactory.getLog(AbstractCapability.class); private static Log logger = LogFactory.getLog(AbstractCapability.class);
/** RM entry voter */
protected RMEntryVoter voter;
/** Capability service */ /** Capability service */
protected CapabilityService capabilityService; protected CapabilityService capabilityService;
@@ -63,14 +60,6 @@ public abstract class AbstractCapability extends RMSecurityCommon
/** Indicates whether this is a private capability or not */ /** Indicates whether this is a private capability or not */
protected boolean isPrivate = false; protected boolean isPrivate = false;
/**
* @param voter RM entry voter
*/
public void setVoter(RMEntryVoter voter)
{
this.voter = voter;
}
/** /**
* @param capabilityService capability service * @param capabilityService capability service
*/ */

804
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMEntryVoter.java
View File

@@ -18,41 +18,23 @@
*/ */
package org.alfresco.module.org_alfresco_module_rm.capability; package org.alfresco.module.org_alfresco_module_rm.capability;
import java.io.Serializable;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
import java.util.Iterator; import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import net.sf.acegisecurity.Authentication; import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttribute; import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.vote.AccessDecisionVoter; import net.sf.acegisecurity.vote.AccessDecisionVoter;
import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService; import org.alfresco.module.org_alfresco_module_rm.capability.policy.ConfigAttributeDefinition;
import org.alfresco.module.org_alfresco_module_rm.capability.impl.CreateCapability; import org.alfresco.module.org_alfresco_module_rm.capability.policy.Policy;
import org.alfresco.module.org_alfresco_module_rm.capability.impl.UpdateCapability;
import org.alfresco.module.org_alfresco_module_rm.capability.impl.UpdatePropertiesCapability;
import org.alfresco.module.org_alfresco_module_rm.caveat.RMCaveatConfigComponent;
import org.alfresco.module.org_alfresco_module_rm.disposition.DispositionService;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
import org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterException;
import org.alfresco.service.cmr.dictionary.DictionaryService;
import org.alfresco.service.cmr.repository.AssociationRef;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.search.SearchService; import org.alfresco.service.cmr.search.SearchService;
import org.alfresco.service.cmr.security.OwnableService; import org.alfresco.service.cmr.security.OwnableService;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespacePrefixResolver; import org.alfresco.service.namespace.NamespacePrefixResolver;
import org.alfresco.service.namespace.QName;
import org.aopalliance.intercept.MethodInvocation; import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
@@ -66,60 +48,34 @@ public class RMEntryVoter extends RMSecurityCommon
{ {
private static Log logger = LogFactory.getLog(RMEntryVoter.class); private static Log logger = LogFactory.getLog(RMEntryVoter.class);
private static final String RM = "RM"; private NamespacePrefixResolver nspr;
private static final String RM_ALLOW = "RM_ALLOW";
private static final String RM_DENY = "RM_DENY";
private static final String RM_CAP = "RM_CAP";
private static final String RM_ABSTAIN = "RM_ABSTAIN";
private static final String RM_QUERY = "RM_QUERY";
private NamespacePrefixResolver nspr;
private NodeService nodeService;
private PermissionService permissionService;
private RMCaveatConfigComponent caveatConfigComponent;
private DictionaryService dictionaryService;
private RecordsManagementService recordsManagementService;
private DispositionService dispositionService;
private SearchService searchService; private SearchService searchService;
private OwnableService ownableService; private OwnableService ownableService;
private CapabilityService capabilityService; private CapabilityService capabilityService;
private static HashMap<String, Policy> policies = new HashMap<String, Policy>(); private HashMap<String, Policy> policies = new HashMap<String, Policy>();
static // static
// {
// policies.put("Read", new ReadPolicy());
// policies.put("Create", new CreatePolicy());
// policies.put("Move", new MovePolicy());
// policies.put("Update", new UpdatePolicy());
// policies.put("Delete", new DeletePolicy());
// policies.put("UpdateProperties", new UpdatePropertiesPolicy());
// policies.put("Assoc", new AssocPolicy());
// policies.put("WriteContent", new WriteContentPolicy());
// policies.put("Capability", new CapabilityPolicy());
// policies.put("Declare", new DeclarePolicy());
// policies.put("ReadProperty", new ReadPropertyPolicy());
// }
private ApplicationContext applicationContext;
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
{ {
policies.put("Read", new ReadPolicy()); this.applicationContext = applicationContext;
policies.put("Create", new CreatePolicy());
policies.put("Move", new MovePolicy());
policies.put("Update", new UpdatePolicy());
policies.put("Delete", new DeletePolicy());
policies.put("UpdateProperties", new UpdatePropertiesPolicy());
policies.put("Assoc", new AssocPolicy());
policies.put("WriteContent", new WriteContentPolicy());
policies.put("Capability", new CapabilityPolicy());
policies.put("Declare", new DeclarePolicy());
policies.put("ReadProperty", new ReadPropertyPolicy());
}
/**
* Set the permission service
*
* @param permissionService
*/
public void setPermissionService(PermissionService permissionService)
{
this.permissionService = permissionService;
}
/**
* Set the node service
*
* @param nodeService
*/
public void setNodeService(NodeService nodeService)
{
this.nodeService = nodeService;
} }
/** /**
@@ -144,6 +100,7 @@ public class RMEntryVoter extends RMSecurityCommon
} }
/** /**
*
* @return * @return
*/ */
public OwnableService getOwnableService() public OwnableService getOwnableService()
@@ -164,23 +121,27 @@ public class RMEntryVoter extends RMSecurityCommon
{ {
this.nspr = nspr; this.nspr = nspr;
} }
public void setCaveatConfigComponent(RMCaveatConfigComponent caveatConfigComponent) /**
* Register a policy the voter
*
* @param policy policy
*/
public void registerPolicy(Policy policy)
{ {
this.caveatConfigComponent = caveatConfigComponent; policies.put(policy.getName(), policy);
}
public void setDictionaryService(DictionaryService dictionaryService)
{
this.dictionaryService = dictionaryService;
} }
/**
* @see net.sf.acegisecurity.vote.AccessDecisionVoter#supports(net.sf.acegisecurity.ConfigAttribute)
*/
@Override
public boolean supports(ConfigAttribute attribute) public boolean supports(ConfigAttribute attribute)
{ {
if ((attribute.getAttribute() != null) if ((attribute.getAttribute() != null)
&& (attribute.getAttribute().equals(RM_ABSTAIN) && (attribute.getAttribute().equals(ConfigAttributeDefinition.RM_ABSTAIN)
|| attribute.getAttribute().equals(RM_QUERY) || attribute.getAttribute().equals(RM_ALLOW) || attribute.getAttribute().equals(RM_DENY) || attribute.getAttribute().equals(ConfigAttributeDefinition.RM_QUERY) || attribute.getAttribute().equals(ConfigAttributeDefinition.RM_ALLOW) || attribute.getAttribute().equals(ConfigAttributeDefinition.RM_DENY)
|| attribute.getAttribute().startsWith(RM_CAP) || attribute.getAttribute().startsWith(RM))) || attribute.getAttribute().startsWith(ConfigAttributeDefinition.RM_CAP) || attribute.getAttribute().startsWith(ConfigAttributeDefinition.RM)))
{ {
return true; return true;
} }
@@ -197,7 +158,7 @@ public class RMEntryVoter extends RMSecurityCommon
} }
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) public int vote(Authentication authentication, Object object, net.sf.acegisecurity.ConfigAttributeDefinition config)
{ {
if (logger.isDebugEnabled()) if (logger.isDebugEnabled())
{ {
@@ -214,7 +175,7 @@ public class RMEntryVoter extends RMSecurityCommon
return AccessDecisionVoter.ACCESS_GRANTED; return AccessDecisionVoter.ACCESS_GRANTED;
} }
List<ConfigAttributeDefintion> supportedDefinitions = extractSupportedDefinitions(config); List<ConfigAttributeDefinition> supportedDefinitions = extractSupportedDefinitions(config);
// No RM definitions so we do not vote // No RM definitions so we do not vote
if (supportedDefinitions.size() == 0) if (supportedDefinitions.size() == 0)
@@ -231,36 +192,36 @@ public class RMEntryVoter extends RMSecurityCommon
// If any abstain we deny // If any abstain we deny
// All present must vote to allow unless an explicit direction comes first (e.g. RM_ALLOW) // All present must vote to allow unless an explicit direction comes first (e.g. RM_ALLOW)
for (ConfigAttributeDefintion cad : supportedDefinitions) for (ConfigAttributeDefinition cad : supportedDefinitions)
{ {
// Whatever is found first takes precedence // Whatever is found first takes precedence
if (cad.typeString.equals(RM_DENY)) if (cad.getTypeString().equals(ConfigAttributeDefinition.RM_DENY))
{ {
return AccessDecisionVoter.ACCESS_DENIED; return AccessDecisionVoter.ACCESS_DENIED;
} }
else if (cad.typeString.equals(RM_ABSTAIN)) else if (cad.getTypeString().equals(ConfigAttributeDefinition.RM_ABSTAIN))
{ {
return AccessDecisionVoter.ACCESS_ABSTAIN; return AccessDecisionVoter.ACCESS_ABSTAIN;
} }
else if (cad.typeString.equals(RM_ALLOW)) else if (cad.getTypeString().equals(ConfigAttributeDefinition.RM_ALLOW))
{ {
return AccessDecisionVoter.ACCESS_GRANTED; return AccessDecisionVoter.ACCESS_GRANTED;
} }
// RM_QUERY is a special case - the entry is allowed and filtering sorts out the results // RM_QUERY is a special case - the entry is allowed and filtering sorts out the results
// It is distinguished from RM_ALLOW so query may have additional behaviour in the future // It is distinguished from RM_ALLOW so query may have additional behaviour in the future
else if (cad.typeString.equals(RM_QUERY)) else if (cad.getTypeString().equals(ConfigAttributeDefinition.RM_QUERY))
{ {
return AccessDecisionVoter.ACCESS_GRANTED; return AccessDecisionVoter.ACCESS_GRANTED;
} }
// Ignore config that references method arguments that do not exist // Ignore config that references method arguments that do not exist
// Arguably we should deny here but that requires a full impact analysis // Arguably we should deny here but that requires a full impact analysis
// These entries effectively abstain // These entries effectively abstain
else if (((cad.parameters.get(0) != null) && (cad.parameters.get(0) >= invocation.getArguments().length)) else if (((cad.getParameters().get(0) != null) && (cad.getParameters().get(0) >= invocation.getArguments().length)) ||
|| ((cad.parameters.get(1) != null) && (cad.parameters.get(1) >= invocation.getArguments().length))) ((cad.getParameters().get(1) != null) && (cad.getParameters().get(1) >= invocation.getArguments().length)))
{ {
continue; continue;
} }
else if (cad.typeString.equals(RM_CAP)) else if (cad.getTypeString().equals(ConfigAttributeDefinition.RM_CAP))
{ {
switch(checkCapability(invocation, params, cad)) switch(checkCapability(invocation, params, cad))
{ {
@@ -271,11 +232,11 @@ public class RMEntryVoter extends RMSecurityCommon
{ {
if(logger.isTraceEnabled()) if(logger.isTraceEnabled())
{ {
logger.trace("Capability " + cad.required + " abstained for " + invocation.getMethod(), new IllegalStateException()); logger.trace("Capability " + cad.getRequired() + " abstained for " + invocation.getMethod(), new IllegalStateException());
} }
else else
{ {
logger.debug("Capability " + cad.required + " abstained for " + invocation.getMethod()); logger.debug("Capability " + cad.getRequired() + " abstained for " + invocation.getMethod());
} }
} }
// abstain denies // abstain denies
@@ -284,7 +245,7 @@ public class RMEntryVoter extends RMSecurityCommon
break; break;
} }
} }
else if (cad.typeString.equals(RM)) else if (cad.getTypeString().equals(ConfigAttributeDefinition.RM))
{ {
switch(checkPolicy(invocation, params, cad)) switch(checkPolicy(invocation, params, cad))
{ {
@@ -295,11 +256,11 @@ public class RMEntryVoter extends RMSecurityCommon
{ {
if(logger.isTraceEnabled()) if(logger.isTraceEnabled())
{ {
logger.trace("Policy " + cad.policyName + " abstained for " + invocation.getMethod(), new IllegalStateException()); logger.trace("Policy " + cad.getPolicyName() + " abstained for " + invocation.getMethod(), new IllegalStateException());
} }
else else
{ {
logger.debug("Policy " + cad.policyName + " abstained for " + invocation.getMethod()); logger.debug("Policy " + cad.getPolicyName() + " abstained for " + invocation.getMethod());
} }
} }
// abstain denies // abstain denies
@@ -317,14 +278,14 @@ public class RMEntryVoter extends RMSecurityCommon
} }
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
private int checkCapability(MethodInvocation invocation, Class[] params, ConfigAttributeDefintion cad) private int checkCapability(MethodInvocation invocation, Class[] params, ConfigAttributeDefinition cad)
{ {
NodeRef testNodeRef = getTestNode(getNodeService(), getRecordsManagementService(), invocation, params, cad.parameters.get(0), cad.parent); NodeRef testNodeRef = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
if (testNodeRef == null) if (testNodeRef == null)
{ {
return AccessDecisionVoter.ACCESS_ABSTAIN; return AccessDecisionVoter.ACCESS_ABSTAIN;
} }
Capability capability = capabilityService.getCapability(cad.required.getName()); Capability capability = capabilityService.getCapability(cad.getRequired().getName());
if (capability == null) if (capability == null)
{ {
return AccessDecisionVoter.ACCESS_DENIED; return AccessDecisionVoter.ACCESS_DENIED;
@@ -334,210 +295,16 @@ public class RMEntryVoter extends RMSecurityCommon
} }
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
private static QName getType(NodeService nodeService, MethodInvocation invocation, Class[] params, int position, boolean parent) private int checkPolicy(MethodInvocation invocation, Class[] params, ConfigAttributeDefinition cad)
{ {
if (QName.class.isAssignableFrom(params[position])) Policy policy = policies.get(cad.getPolicyName());
{
if (invocation.getArguments()[position] != null)
{
QName qname = (QName) invocation.getArguments()[position];
return qname;
}
}
else if (NodeRef.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
NodeRef nodeRef = (NodeRef) invocation.getArguments()[position];
return nodeService.getType(nodeRef);
}
}
return null;
}
@SuppressWarnings("unchecked")
private static QName getQName(MethodInvocation invocation, Class[] params, int position)
{
if (QName.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
QName qname = (QName) invocation.getArguments()[position];
return qname;
}
}
throw new ACLEntryVoterException("Unknown type");
}
@SuppressWarnings("unchecked")
private static Serializable getProperty(MethodInvocation invocation, Class[] params, int position)
{
if (invocation.getArguments()[position] == null)
{
return null;
}
if (Serializable.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
Serializable property = (Serializable) invocation.getArguments()[position];
return property;
}
}
throw new ACLEntryVoterException("Unknown type");
}
@SuppressWarnings("unchecked")
private static Map<QName, Serializable> getProperties(MethodInvocation invocation, Class[] params, int position)
{
if (invocation.getArguments()[position] == null)
{
return null;
}
if (Map.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
Map<QName, Serializable> properties = (Map<QName, Serializable>) invocation.getArguments()[position];
return properties;
}
}
throw new ACLEntryVoterException("Unknown type");
}
@SuppressWarnings("unchecked")
private static NodeRef getTestNode(NodeService nodeService, RecordsManagementService rmService, MethodInvocation invocation, Class[] params, int position, boolean parent)
{
NodeRef testNodeRef = null;
if (position < 0)
{
// Test against the fileplan root node
List<NodeRef> rmRoots = rmService.getFilePlans();
if (rmRoots.size() != 0)
{
// TODO for now we can take the first one as we only support a single rm site
testNodeRef = rmRoots.get(0);
if (logger.isDebugEnabled())
{
logger.debug("\tPermission test against the rm root node " + nodeService.getPath(testNodeRef));
}
}
}
else if (StoreRef.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
if (logger.isDebugEnabled())
{
logger.debug("\tPermission test against the store - using permissions on the root node");
}
StoreRef storeRef = (StoreRef) invocation.getArguments()[position];
if (nodeService.exists(storeRef))
{
testNodeRef = nodeService.getRootNode(storeRef);
}
}
}
else if (NodeRef.class.isAssignableFrom(params[position]))
{
testNodeRef = (NodeRef) invocation.getArguments()[position];
if (parent)
{
testNodeRef = nodeService.getPrimaryParent(testNodeRef).getParentRef();
if (logger.isDebugEnabled())
{
if (nodeService.exists(testNodeRef))
{
logger.debug("\tPermission test for parent on node " + nodeService.getPath(testNodeRef));
}
else
{
logger.debug("\tPermission test for parent on non-existing node " + testNodeRef);
}
logger.debug("\tPermission test for parent on node " + nodeService.getPath(testNodeRef));
}
}
else
{
if (logger.isDebugEnabled())
{
if (nodeService.exists(testNodeRef))
{
logger.debug("\tPermission test on node " + nodeService.getPath(testNodeRef));
}
else
{
logger.debug("\tPermission test on non-existing node " + testNodeRef);
}
}
}
}
else if (ChildAssociationRef.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
if (parent)
{
testNodeRef = ((ChildAssociationRef) invocation.getArguments()[position]).getParentRef();
}
else
{
testNodeRef = ((ChildAssociationRef) invocation.getArguments()[position]).getChildRef();
}
if (logger.isDebugEnabled())
{
if (nodeService.exists(testNodeRef))
{
logger.debug("\tPermission test on node " + nodeService.getPath(testNodeRef));
}
else
{
logger.debug("\tPermission test on non-existing node " + testNodeRef);
}
}
}
}
else if (AssociationRef.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
if (parent)
{
testNodeRef = ((AssociationRef) invocation.getArguments()[position]).getSourceRef();
}
else
{
testNodeRef = ((AssociationRef) invocation.getArguments()[position]).getTargetRef();
}
if (logger.isDebugEnabled())
{
if (nodeService.exists(testNodeRef))
{
logger.debug("\tPermission test on node " + nodeService.getPath(testNodeRef));
}
else
{
logger.debug("\tPermission test on non-existing node " + testNodeRef);
}
}
}
}
return testNodeRef;
}
@SuppressWarnings("unchecked")
private int checkPolicy(MethodInvocation invocation, Class[] params, ConfigAttributeDefintion cad)
{
Policy policy = policies.get(cad.policyName);
if (policy == null) if (policy == null)
{ {
return AccessDecisionVoter.ACCESS_GRANTED; return AccessDecisionVoter.ACCESS_GRANTED;
} }
else else
{ {
return policy.evaluate(this.nodeService, this.recordsManagementService, this.capabilityService, invocation, params, cad); return policy.evaluate(invocation, params, cad);
} }
} }
@@ -548,9 +315,9 @@ public class RMEntryVoter extends RMSecurityCommon
} }
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
private List<ConfigAttributeDefintion> extractSupportedDefinitions(ConfigAttributeDefinition config) private List<ConfigAttributeDefinition> extractSupportedDefinitions(net.sf.acegisecurity.ConfigAttributeDefinition config)
{ {
List<ConfigAttributeDefintion> definitions = new ArrayList<ConfigAttributeDefintion>(2); List<ConfigAttributeDefinition> definitions = new ArrayList<ConfigAttributeDefinition>(2);
Iterator iter = config.getConfigAttributes(); Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) while (iter.hasNext())
@@ -559,454 +326,11 @@ public class RMEntryVoter extends RMSecurityCommon
if (this.supports(attr)) if (this.supports(attr))
{ {
definitions.add(new ConfigAttributeDefintion(attr)); definitions.add(new ConfigAttributeDefinition(attr, nspr));
} }
} }
return definitions; return definitions;
} }
/**
* @return the nodeService
*/
public NodeService getNodeService()
{
return nodeService;
}
/**
* @return the permissionService
*/
public PermissionService getPermissionService()
{
return permissionService;
}
/**
* @return the caveatConfigService
*/
public RMCaveatConfigComponent getCaveatConfigComponent()
{
return caveatConfigComponent;
}
/**
* @param recordsManagementService
* the recordsManagementService to set
*/
public void setRecordsManagementService(RecordsManagementService recordsManagementService)
{
this.recordsManagementService = recordsManagementService;
}
/**
* @return the recordsManagementService
*/
public RecordsManagementService getRecordsManagementService()
{
return recordsManagementService;
}
public void setDispositionService(DispositionService dispositionService)
{
this.dispositionService = dispositionService;
}
public DispositionService getDispositionService()
{
return dispositionService;
}
/**
* @return the dictionaryService
*/
public DictionaryService getDictionaryService()
{
return dictionaryService;
}
private class ConfigAttributeDefintion
{
String typeString;
String policyName;
SimplePermissionReference required;
HashMap<Integer, Integer> parameters = new HashMap<Integer, Integer>(2, 1.0f);
boolean parent = false;
ConfigAttributeDefintion(ConfigAttribute attr)
{
StringTokenizer st = new StringTokenizer(attr.getAttribute(), ".", false);
if (st.countTokens() < 1)
{
throw new ACLEntryVoterException("There must be at least one token in a config attribute");
}
typeString = st.nextToken();
if (!(typeString.equals(RM) || typeString.equals(RM_ALLOW) || typeString.equals(RM_CAP) || typeString.equals(RM_DENY) || typeString.equals(RM_QUERY) || typeString
.equals(RM_ABSTAIN)))
{
throw new ACLEntryVoterException("Invalid type: must be ACL_NODE, ACL_PARENT or ACL_ALLOW");
}
if (typeString.equals(RM))
{
policyName = st.nextToken();
int position = 0;
while (st.hasMoreElements())
{
String numberString = st.nextToken();
Integer value = Integer.parseInt(numberString);
parameters.put(position, value);
position++;
}
}
else if (typeString.equals(RM_CAP))
{
String numberString = st.nextToken();
String qNameString = st.nextToken();
String permissionString = st.nextToken();
Integer value = Integer.parseInt(numberString);
parameters.put(0, value);
QName qName = QName.createQName(qNameString, nspr);
required = SimplePermissionReference.getPermissionReference(qName, permissionString);
if (st.hasMoreElements())
{
parent = true;
}
}
}
}
interface Policy
{
/**
*
* @param nodeService
* @param rmService
* @param capabilitiesService
* @param invocation
* @param params
* @param cad
* @return
*/
@SuppressWarnings("unchecked")
int evaluate(
NodeService nodeService,
RecordsManagementService rmService,
CapabilityService capabilitiesService,
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefintion cad);
}
private static class ReadPolicy implements Policy
{
@SuppressWarnings("unchecked")
public int evaluate(
NodeService nodeService,
RecordsManagementService rmService,
CapabilityService capabilityService,
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefintion cad)
{
NodeRef testNodeRef = getTestNode(nodeService, rmService, invocation, params, cad.parameters.get(0), cad.parent);
return capabilityService.getCapability(RMPermissionModel.VIEW_RECORDS).evaluate(testNodeRef);
}
}
private static class CreatePolicy implements Policy
{
@SuppressWarnings("unchecked")
public int evaluate(
NodeService nodeService,
RecordsManagementService rmService,
CapabilityService capabilityService,
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefintion cad)
{
NodeRef destination = getTestNode(nodeService, rmService, invocation, params, cad.parameters.get(0), cad.parent);
QName type = getType(nodeService, invocation, params, cad.parameters.get(1), cad.parent);
// linkee is not null for creating secondary child assocs
NodeRef linkee = getTestNode(nodeService, rmService, invocation, params, cad.parameters.get(1), cad.parent);
QName assocType = null;
if(cad.parameters.size() > 2)
{
assocType = getType(nodeService, invocation, params, cad.parameters.get(2), cad.parent);
}
return ((CreateCapability)capabilityService.getCapability("Create")).evaluate(destination, linkee, type, assocType);
}
}
private static class MovePolicy implements Policy
{
@SuppressWarnings("unchecked")
public int evaluate(
NodeService nodeService,
RecordsManagementService rmService,
CapabilityService capabilityService,
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefintion cad)
{
NodeRef movee = null;
if (cad.parameters.get(0) > -1)
{
movee = getTestNode(nodeService, rmService, invocation, params, cad.parameters.get(0), cad.parent);
}
NodeRef destination = null;
if (cad.parameters.get(1) > -1)
{
destination = getTestNode(nodeService, rmService, invocation, params, cad.parameters.get(1), cad.parent);
}
if ((movee != null) && (destination != null))
{
return capabilityService.getCapability("Move").evaluate(movee, destination);
}
else
{
return AccessDecisionVoter.ACCESS_DENIED;
}
}
}
private static class UpdatePolicy implements Policy
{
@SuppressWarnings("unchecked")
public int evaluate(
NodeService nodeService,
RecordsManagementService rmService,
CapabilityService capabilityService,
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefintion cad)
{
NodeRef updatee = getTestNode(nodeService, rmService, invocation, params, cad.parameters.get(0), cad.parent);
QName aspectQName = null;
if (cad.parameters.size() > 1)
{
if (cad.parameters.get(1) > -1)
{
aspectQName = getQName(invocation, params, cad.parameters.get(1));
}
}
Map<QName, Serializable> properties = null;
if (cad.parameters.size() > 2)
{
if (cad.parameters.get(2) > -1)
{
properties = getProperties(invocation, params, cad.parameters.get(2));
}
}
UpdateCapability updateCapability = (UpdateCapability)capabilityService.getCapability("Update");
return updateCapability.evaluate(updatee, aspectQName, properties);
}
}
private static class DeletePolicy implements Policy
{
@SuppressWarnings("unchecked")
public int evaluate(
NodeService nodeService,
RecordsManagementService rmService,
CapabilityService capabilityService,
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefintion cad)
{
NodeRef deletee = null;
if (cad.parameters.get(0) > -1)
{
deletee = getTestNode(nodeService, rmService, invocation, params, cad.parameters.get(0), cad.parent);
}
if (deletee != null)
{
return capabilityService.getCapability("Delete").evaluate(deletee);
}
else
{
return AccessDecisionVoter.ACCESS_DENIED;
}
}
}
private static class UpdatePropertiesPolicy implements Policy
{
@SuppressWarnings("unchecked")
public int evaluate(
NodeService nodeService,
RecordsManagementService rmService,
CapabilityService capabilityService,
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefintion cad)
{
NodeRef updatee = getTestNode(nodeService, rmService, invocation, params, cad.parameters.get(0), cad.parent);
Map<QName, Serializable> properties;
if (QName.class.isAssignableFrom(params[cad.parameters.get(1)]))
{
// single update/delete
// We have a specific property
QName propertyQName = getQName(invocation, params, cad.parameters.get(1));
properties = new HashMap<QName, Serializable>(1, 1.0f);
if (cad.parameters.size() > 2)
{
properties.put(propertyQName, getProperty(invocation, params, cad.parameters.get(2)));
}
else
{
properties.put(propertyQName, null);
}
}
else
{
properties = getProperties(invocation, params, cad.parameters.get(1));
}
return ((UpdatePropertiesCapability)capabilityService.getCapability("UpdateProperties")).evaluate(updatee, properties);
}
}
private static class AssocPolicy implements Policy
{
@SuppressWarnings("unchecked")
public int evaluate(
NodeService nodeService,
RecordsManagementService rmService,
CapabilityService capabilityService,
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefintion cad)
{
Policy policy = policies.get("Read");
if (policy == null)
{
return AccessDecisionVoter.ACCESS_DENIED;
}
else
{
return policy.evaluate(nodeService, rmService, capabilityService, invocation, params, cad);
}
}
}
private static class WriteContentPolicy implements Policy
{
@SuppressWarnings("unchecked")
public int evaluate(
NodeService nodeService,
RecordsManagementService rmService,
CapabilityService capabilityService,
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefintion cad)
{
NodeRef updatee = getTestNode(nodeService, rmService, invocation, params, cad.parameters.get(0), cad.parent);
return capabilityService.getCapability("WriteContent").evaluate(updatee);
}
}
private static class CapabilityPolicy implements Policy
{
@SuppressWarnings("unchecked")
public int evaluate(
NodeService nodeService,
RecordsManagementService rmService,
CapabilityService capabilityService,
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefintion cad)
{
NodeRef assignee = getTestNode(nodeService, rmService, invocation, params, cad.parameters.get(0), cad.parent);
return capabilityService.getCapability(RMPermissionModel.MANAGE_ACCESS_CONTROLS).evaluate(assignee);
}
}
private static class DeclarePolicy implements Policy
{
@SuppressWarnings("unchecked")
public int evaluate(
NodeService nodeService,
RecordsManagementService rmService,
CapabilityService capabilityService,
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefintion cad)
{
NodeRef declaree = getTestNode(nodeService, rmService, invocation, params, cad.parameters.get(0), cad.parent);
return capabilityService.getCapability("Declare").evaluate(declaree);
}
}
private static class ReadPropertyPolicy implements Policy
{
@SuppressWarnings("unchecked")
public int evaluate(
NodeService nodeService,
RecordsManagementService rmService,
CapabilityService capabilityService,
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefintion cad)
{
NodeRef nodeRef = getTestNode(nodeService, rmService, invocation, params, cad.parameters.get(0), cad.parent);
QName propertyQName = getQName(invocation, params, cad.parameters.get(1));
if(propertyQName.equals(RecordsManagementModel.PROP_HOLD_REASON))
{
return capabilityService.getCapability(RMPermissionModel.VIEW_UPDATE_REASONS_FOR_FREEZE).evaluate(nodeRef);
}
else
{
return AccessDecisionVoter.ACCESS_GRANTED;
}
}
}
private ApplicationContext applicationContext;
@Override
public void setApplicationContext(ApplicationContext applicationContext)
throws BeansException
{
this.applicationContext = applicationContext;
}
} }

127
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMSecurityCommon.java
View File

@@ -18,6 +18,8 @@
*/ */
package org.alfresco.module.org_alfresco_module_rm.capability; package org.alfresco.module.org_alfresco_module_rm.capability;
import java.util.List;
import net.sf.acegisecurity.vote.AccessDecisionVoter; import net.sf.acegisecurity.vote.AccessDecisionVoter;
import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService; import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService;
@@ -25,10 +27,14 @@ import org.alfresco.module.org_alfresco_module_rm.caveat.RMCaveatConfigComponent
import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService; import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport; import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.service.cmr.repository.AssociationRef;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService; import org.alfresco.service.cmr.security.PermissionService;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
@@ -220,4 +226,125 @@ public class RMSecurityCommon
} }
} }
@SuppressWarnings("unchecked")
protected NodeRef getTestNode(MethodInvocation invocation, Class[] params, int position, boolean parent)
{
NodeRef testNodeRef = null;
if (position < 0)
{
// Test against the fileplan root node
List<NodeRef> rmRoots = rmService.getFilePlans();
if (rmRoots.size() != 0)
{
// TODO for now we can take the first one as we only support a single rm site
testNodeRef = rmRoots.get(0);
if (logger.isDebugEnabled())
{
logger.debug("\tPermission test against the rm root node " + nodeService.getPath(testNodeRef));
}
}
}
else if (StoreRef.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
if (logger.isDebugEnabled())
{
logger.debug("\tPermission test against the store - using permissions on the root node");
}
StoreRef storeRef = (StoreRef) invocation.getArguments()[position];
if (nodeService.exists(storeRef))
{
testNodeRef = nodeService.getRootNode(storeRef);
}
}
}
else if (NodeRef.class.isAssignableFrom(params[position]))
{
testNodeRef = (NodeRef) invocation.getArguments()[position];
if (parent)
{
testNodeRef = nodeService.getPrimaryParent(testNodeRef).getParentRef();
if (logger.isDebugEnabled())
{
if (nodeService.exists(testNodeRef))
{
logger.debug("\tPermission test for parent on node " + nodeService.getPath(testNodeRef));
}
else
{
logger.debug("\tPermission test for parent on non-existing node " + testNodeRef);
}
logger.debug("\tPermission test for parent on node " + nodeService.getPath(testNodeRef));
}
}
else
{
if (logger.isDebugEnabled())
{
if (nodeService.exists(testNodeRef))
{
logger.debug("\tPermission test on node " + nodeService.getPath(testNodeRef));
}
else
{
logger.debug("\tPermission test on non-existing node " + testNodeRef);
}
}
}
}
else if (ChildAssociationRef.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
if (parent)
{
testNodeRef = ((ChildAssociationRef) invocation.getArguments()[position]).getParentRef();
}
else
{
testNodeRef = ((ChildAssociationRef) invocation.getArguments()[position]).getChildRef();
}
if (logger.isDebugEnabled())
{
if (nodeService.exists(testNodeRef))
{
logger.debug("\tPermission test on node " + nodeService.getPath(testNodeRef));
}
else
{
logger.debug("\tPermission test on non-existing node " + testNodeRef);
}
}
}
}
else if (AssociationRef.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
if (parent)
{
testNodeRef = ((AssociationRef) invocation.getArguments()[position]).getSourceRef();
}
else
{
testNodeRef = ((AssociationRef) invocation.getArguments()[position]).getTargetRef();
}
if (logger.isDebugEnabled())
{
if (nodeService.exists(testNodeRef))
{
logger.debug("\tPermission test on node " + nodeService.getPath(testNodeRef));
}
else
{
logger.debug("\tPermission test on non-existing node " + testNodeRef);
}
}
}
}
return testNodeRef;
}
} }

197
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/AbstractBasePolicy.java Normal file
View File

@@ -0,0 +1,197 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import java.io.Serializable;
import java.util.Map;
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
import org.alfresco.module.org_alfresco_module_rm.capability.RMEntryVoter;
import org.alfresco.module.org_alfresco_module_rm.capability.RMSecurityCommon;
import org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterException;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.QName;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* Abstract base policy implementation
*
* @author Roy Wetherall
* @since 2.1
*/
public abstract class AbstractBasePolicy extends RMSecurityCommon
implements Policy
{
/** Logger */
protected static Log logger = LogFactory.getLog(AbstractBasePolicy.class);
/** Capability service */
protected CapabilityService capabilityService;
/** RM entry */
protected RMEntryVoter rmEntryVoter;
/** Policy name */
protected String name;
/**
* @param name policy name
*/
public void setName(String name)
{
this.name = name;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.capability.policy.Policy#getName()
*/
@Override
public String getName()
{
return name;
}
/**
* @param capabilityService capability service
*/
public void setCapabilityService(CapabilityService capabilityService)
{
this.capabilityService = capabilityService;
}
/**
* @param rmEntryVoter rm entry voter
*/
public void setRmEntryVoter(RMEntryVoter rmEntryVoter)
{
this.rmEntryVoter = rmEntryVoter;
}
/**
* Init method
*/
public void init()
{
rmEntryVoter.registerPolicy(this);
}
/**
*
* @param invocation
* @param params
* @param position
* @param parent
* @return
*/
@SuppressWarnings("unchecked")
protected QName getType(MethodInvocation invocation, Class[] params, int position, boolean parent)
{
if (QName.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
QName qname = (QName) invocation.getArguments()[position];
return qname;
}
}
else if (NodeRef.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
NodeRef nodeRef = (NodeRef) invocation.getArguments()[position];
return nodeService.getType(nodeRef);
}
}
return null;
}
/**
*
* @param invocation
* @param params
* @param position
* @return
*/
@SuppressWarnings("unchecked")
protected QName getQName(MethodInvocation invocation, Class[] params, int position)
{
if (QName.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
QName qname = (QName) invocation.getArguments()[position];
return qname;
}
}
throw new ACLEntryVoterException("Unknown type");
}
/**
*
* @param invocation
* @param params
* @param position
* @return
*/
@SuppressWarnings("unchecked")
protected Serializable getProperty(MethodInvocation invocation, Class[] params, int position)
{
if (invocation.getArguments()[position] == null)
{
return null;
}
if (Serializable.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
Serializable property = (Serializable) invocation.getArguments()[position];
return property;
}
}
throw new ACLEntryVoterException("Unknown type");
}
/**
*
* @param invocation
* @param params
* @param position
* @return
*/
@SuppressWarnings("unchecked")
protected Map<QName, Serializable> getProperties(MethodInvocation invocation, Class[] params, int position)
{
if (invocation.getArguments()[position] == null)
{
return null;
}
if (Map.class.isAssignableFrom(params[position]))
{
if (invocation.getArguments()[position] != null)
{
Map<QName, Serializable> properties = (Map<QName, Serializable>) invocation.getArguments()[position];
return properties;
}
}
throw new ACLEntryVoterException("Unknown type");
}
}

38
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/AssocPolicy.java Normal file
View File

@@ -0,0 +1,38 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
import org.alfresco.service.cmr.repository.NodeRef;
import org.aopalliance.intercept.MethodInvocation;
public class AssocPolicy extends AbstractBasePolicy
{
@SuppressWarnings("unchecked")
public int evaluate(
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefinition cad)
{
NodeRef testNodeRef = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
return capabilityService.getCapability(RMPermissionModel.VIEW_RECORDS).evaluate(testNodeRef);
}
}

46
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/CapabilityPolicy.java Normal file
View File

@@ -0,0 +1,46 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
import org.alfresco.service.cmr.repository.NodeRef;
import org.aopalliance.intercept.MethodInvocation;
/**
*
* @author Roy Wetherall
* @since 2.1
*/
public class CapabilityPolicy extends AbstractBasePolicy
{
/**
* @see org.alfresco.module.org_alfresco_module_rm.capability.policy.Policy#evaluate(org.aopalliance.intercept.MethodInvocation, java.lang.Class[], org.alfresco.module.org_alfresco_module_rm.capability.policy.ConfigAttributeDefinition)
*/
@Override
@SuppressWarnings("unchecked")
public int evaluate(
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefinition cad)
{
NodeRef assignee = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
return capabilityService.getCapability(RMPermissionModel.MANAGE_ACCESS_CONTROLS).evaluate(assignee);
}
}

125
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/ConfigAttributeDefinition.java Normal file
View File

@@ -0,0 +1,125 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import java.util.HashMap;
import java.util.StringTokenizer;
import net.sf.acegisecurity.ConfigAttribute;
import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
import org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterException;
import org.alfresco.service.namespace.NamespacePrefixResolver;
import org.alfresco.service.namespace.QName;
/**
* @author Roy Wetherall
* @since 2.1
*/
public class ConfigAttributeDefinition
{
public static final String RM = "RM";
public static final String RM_ALLOW = "RM_ALLOW";
public static final String RM_DENY = "RM_DENY";
public static final String RM_CAP = "RM_CAP";
public static final String RM_ABSTAIN = "RM_ABSTAIN";
public static final String RM_QUERY = "RM_QUERY";
private String typeString;
private String policyName;
private SimplePermissionReference required;
private HashMap<Integer, Integer> parameters = new HashMap<Integer, Integer>(2, 1.0f);
private boolean parent = false;
public ConfigAttributeDefinition(ConfigAttribute attr, NamespacePrefixResolver namespacePrefixResolver)
{
StringTokenizer st = new StringTokenizer(attr.getAttribute(), ".", false);
if (st.countTokens() < 1)
{
throw new ACLEntryVoterException("There must be at least one token in a config attribute");
}
typeString = st.nextToken();
if (!(typeString.equals(RM) || typeString.equals(RM_ALLOW) || typeString.equals(RM_CAP) || typeString.equals(RM_DENY) || typeString.equals(RM_QUERY) || typeString
.equals(RM_ABSTAIN)))
{
throw new ACLEntryVoterException("Invalid type: must be ACL_NODE, ACL_PARENT or ACL_ALLOW");
}
if (typeString.equals(RM))
{
policyName = st.nextToken();
int position = 0;
while (st.hasMoreElements())
{
String numberString = st.nextToken();
Integer value = Integer.parseInt(numberString);
parameters.put(position, value);
position++;
}
}
else if (typeString.equals(RM_CAP))
{
String numberString = st.nextToken();
String qNameString = st.nextToken();
String permissionString = st.nextToken();
Integer value = Integer.parseInt(numberString);
parameters.put(0, value);
QName qName = QName.createQName(qNameString, namespacePrefixResolver);
required = SimplePermissionReference.getPermissionReference(qName, permissionString);
if (st.hasMoreElements())
{
parent = true;
}
}
}
public String getTypeString()
{
return typeString;
}
public String getPolicyName()
{
return policyName;
}
public SimplePermissionReference getRequired()
{
return required;
}
public HashMap<Integer, Integer> getParameters()
{
return parameters;
}
public boolean isParent()
{
return parent;
}
}

48
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/CreatePolicy.java Normal file
View File

@@ -0,0 +1,48 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import org.alfresco.module.org_alfresco_module_rm.capability.impl.CreateCapability;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.QName;
import org.aopalliance.intercept.MethodInvocation;
public class CreatePolicy extends AbstractBasePolicy
{
@SuppressWarnings("unchecked")
public int evaluate(
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefinition cad)
{
NodeRef destination = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
QName type = getType(invocation, params, cad.getParameters().get(1), cad.isParent());
// linkee is not null for creating secondary child assocs
NodeRef linkee = getTestNode(invocation, params, cad.getParameters().get(1), cad.isParent());
QName assocType = null;
if(cad.getParameters().size() > 2)
{
assocType = getType(invocation, params, cad.getParameters().get(2), cad.isParent());
}
return ((CreateCapability)capabilityService.getCapability("Create")).evaluate(destination, linkee, type, assocType);
}
}

37
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/DeclarePolicy.java Normal file
View File

@@ -0,0 +1,37 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import org.alfresco.service.cmr.repository.NodeRef;
import org.aopalliance.intercept.MethodInvocation;
public class DeclarePolicy extends AbstractBasePolicy
{
@SuppressWarnings("unchecked")
public int evaluate(
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefinition cad)
{
NodeRef declaree = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
return capabilityService.getCapability("Declare").evaluate(declaree);
}
}

52
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/DeletePolicy.java Normal file
View File

@@ -0,0 +1,52 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import net.sf.acegisecurity.vote.AccessDecisionVoter;
import org.alfresco.service.cmr.repository.NodeRef;
import org.aopalliance.intercept.MethodInvocation;
public class DeletePolicy extends AbstractBasePolicy
{
@SuppressWarnings("unchecked")
public int evaluate(
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefinition cad)
{
NodeRef deletee = null;
if (cad.getParameters().get(0) > -1)
{
deletee = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
}
if (deletee != null)
{
return capabilityService.getCapability("Delete").evaluate(deletee);
}
else
{
return AccessDecisionVoter.ACCESS_DENIED;
}
}
}

58
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/MovePolicy.java Normal file
View File

@@ -0,0 +1,58 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import net.sf.acegisecurity.vote.AccessDecisionVoter;
import org.alfresco.service.cmr.repository.NodeRef;
import org.aopalliance.intercept.MethodInvocation;
public class MovePolicy extends AbstractBasePolicy
{
@SuppressWarnings("unchecked")
public int evaluate(
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefinition cad)
{
NodeRef movee = null;
if (cad.getParameters().get(0) > -1)
{
movee = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
}
NodeRef destination = null;
if (cad.getParameters().get(1) > -1)
{
destination = getTestNode(invocation, params, cad.getParameters().get(1), cad.isParent());
}
if ((movee != null) && (destination != null))
{
return capabilityService.getCapability("Move").evaluate(movee, destination);
}
else
{
return AccessDecisionVoter.ACCESS_DENIED;
}
}
}

49
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/Policy.java Normal file
View File

@@ -0,0 +1,49 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import org.aopalliance.intercept.MethodInvocation;
/**
* Policy interface
*
* @author Roy Wetherall
* @since 2.1
*/
public interface Policy
{
/**
* @return policy name
*/
String getName();
/**
* Evaluate the policy
*
* @param invocation
* @param params
* @param cad
* @return
*/
@SuppressWarnings("unchecked")
int evaluate(
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefinition cad);
}

37
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/ReadPolicy.java Normal file
View File

@@ -0,0 +1,37 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
import org.alfresco.service.cmr.repository.NodeRef;
import org.aopalliance.intercept.MethodInvocation;
public class ReadPolicy extends AbstractBasePolicy
{
@SuppressWarnings("unchecked")
public int evaluate(
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefinition cad)
{
NodeRef testNodeRef = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
return capabilityService.getCapability(RMPermissionModel.VIEW_RECORDS).evaluate(testNodeRef);
}
}

50
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/ReadPropertyPolicy.java Normal file
View File

@@ -0,0 +1,50 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import net.sf.acegisecurity.vote.AccessDecisionVoter;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.QName;
import org.aopalliance.intercept.MethodInvocation;
public class ReadPropertyPolicy extends AbstractBasePolicy
{
@SuppressWarnings("unchecked")
public int evaluate(
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefinition cad)
{
NodeRef nodeRef = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
QName propertyQName = getQName(invocation, params, cad.getParameters().get(1));
if(propertyQName.equals(RecordsManagementModel.PROP_HOLD_REASON))
{
return capabilityService.getCapability(RMPermissionModel.VIEW_UPDATE_REASONS_FOR_FREEZE).evaluate(nodeRef);
}
else
{
return AccessDecisionVoter.ACCESS_GRANTED;
}
}
}

60
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/UpdatePolicy.java Normal file
View File

@@ -0,0 +1,60 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import java.io.Serializable;
import java.util.Map;
import org.alfresco.module.org_alfresco_module_rm.capability.impl.UpdateCapability;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.QName;
import org.aopalliance.intercept.MethodInvocation;
public class UpdatePolicy extends AbstractBasePolicy
{
@SuppressWarnings("unchecked")
public int evaluate(
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefinition cad)
{
NodeRef updatee = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
QName aspectQName = null;
if (cad.getParameters().size() > 1)
{
if (cad.getParameters().get(1) > -1)
{
aspectQName = getQName(invocation, params, cad.getParameters().get(1));
}
}
Map<QName, Serializable> properties = null;
if (cad.getParameters().size() > 2)
{
if (cad.getParameters().get(2) > -1)
{
properties = getProperties(invocation, params, cad.getParameters().get(2));
}
}
UpdateCapability updateCapability = (UpdateCapability)capabilityService.getCapability("Update");
return updateCapability.evaluate(updatee, aspectQName, properties);
}
}

63
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/UpdatePropertiesPolicy.java Normal file
View File

@@ -0,0 +1,63 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import org.alfresco.module.org_alfresco_module_rm.capability.impl.UpdatePropertiesCapability;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.QName;
import org.aopalliance.intercept.MethodInvocation;
public class UpdatePropertiesPolicy extends AbstractBasePolicy
{
@SuppressWarnings("unchecked")
public int evaluate(
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefinition cad)
{
NodeRef updatee = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
Map<QName, Serializable> properties;
if (QName.class.isAssignableFrom(params[cad.getParameters().get(1)]))
{
// single update/delete
// We have a specific property
QName propertyQName = getQName(invocation, params, cad.getParameters().get(1));
properties = new HashMap<QName, Serializable>(1, 1.0f);
if (cad.getParameters().size() > 2)
{
properties.put(propertyQName, getProperty(invocation, params, cad.getParameters().get(2)));
}
else
{
properties.put(propertyQName, null);
}
}
else
{
properties = getProperties(invocation, params, cad.getParameters().get(1));
}
return ((UpdatePropertiesCapability)capabilityService.getCapability("UpdateProperties")).evaluate(updatee, properties);
}
}

37
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/WriteContentPolicy.java Normal file
View File

@@ -0,0 +1,37 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
import org.alfresco.service.cmr.repository.NodeRef;
import org.aopalliance.intercept.MethodInvocation;
public class WriteContentPolicy extends AbstractBasePolicy
{
@SuppressWarnings("unchecked")
public int evaluate(
MethodInvocation invocation,
Class[] params,
ConfigAttributeDefinition cad)
{
NodeRef updatee = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
return capabilityService.getCapability("WriteContent").evaluate(updatee);
}
}

2
rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/CapabilityServiceImplTest.java
View File

@@ -178,7 +178,7 @@ public class CapabilityServiceImplTest extends BaseRMTestCase
assertNotNull(vitalRecordCapabilities); assertNotNull(vitalRecordCapabilities);
vitalRecordCapabilitiesSize = vitalRecordCapabilities.size(); vitalRecordCapabilitiesSize = vitalRecordCapabilities.size();
assertEquals(1, vitalRecordCapabilitiesSize); assertTrue(vitalRecordCapabilitiesSize > 0);
return null; return null;
} }