inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-07 18:25:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
alfresco-community-repo/source/java/org/alfresco/repo/domain/hibernate/AclDaoComponentImpl.java
Dave Ward a5f31cd37e Merged V3.3 to HEAD 
20167: Merged HEAD to BRANCHES/V3.3: (RECORD ONLY)
      20166: Fix ALF-2765: Renditions created via 3.3 RenditionService are not exposed via OpenCMIS rendition API
   20232: Fix problem opening AVM web project folders via FTP. ALF-2738.
   20234: ALF-2352: Cannot create folders in Share doclib without admin user in authentication chain
   20235: Fix for unable to create folders in web project via CIFS. ALF-2736.
   20258: Reverse-merged rev 20254: 'When dropping the mysql database ...'
   20262: Merged V3.3-BUG-FIX to V3.3
      20251: Fix for ALF-2804 - Unable to browse into folders in Share Site in certain situations.
              - Browser history filter object in incorrect state after page refresh.
   20264: Updated Oracle build support (to fix grants)
   20282: Merged PATCHES/V3.2.0 to V3.3
      20266: Test reproduction of ALF-2839 failure: Node pre-loading generates needless resultset rows
      20280: Fixed ALF-2839: Node pre-loading generates needless resultset rows
   20283: Merged BRANCHES/DEV/V3.3-BUG-FIX to BRANCHES/V3.3:
      20194: AVMTestSuite - scale down unit tests (slightly)
      20247: AVMServiceTest.testVersionByDate - build (add delay)
   20290: Fixed ALF-2851 "Drag n Drop issues in IE6 & IE7"
      - Reordering rules-list with drag and drop didn't work at all because each rule was created using a template that had the "id"-attribute set, which made IE confused after using HTMLELement.clone() even though the id was resetted
      - Both customise-dashlets & rules-list got an error when "throwing" away the dashlet or rule instead of releasing it "carefully", reason was becuuase IE didnt capture the x:y-position which made the animation fail. Now no animation is done if x:y isn't found.
   20296: Merged PATCHES/V3.1.0 to V3.3 (RECORD ONLY)
      20249: Merged V3.1 to PATCHES/V3.1.0
         14565: Updated version to include revision number (x.y.z)
      20246: Merged V3.1 to PATCHES/V3.1.0
         13841: Build fix
      20245: Merged V3.1 to PATCHES/V3.1.0
         16185: AbstractLuceneIndexerAndSearcherFactory.getTransactionId() must return null when there is no transaction
      20241: Merged V3.1 to PATCHES/V3.1.0
         14187: Fix for ETHREEOH-2023: LDAP import must lower case the local name of the association to person.
         16167: ETHREEOH-2475: Fixed nested transaction handling in AbstractLuceneIndexerAndSearcherFactory to allow duplicate user processing in PersonServiceImpl to actually work
         16168: ETHREEOH-2797: Force patch.db-V2.2-Person to apply one more time to fix up corrupt users created by LDAP Import
            - Problem due to ETHREEOH-2023, fixed in 3.1.1
            - Also corrects ldap.synchronisation.defaultHomeFolderProvider to be userHomesHomeFolderProvider
            - Also requires fix to ETHREEOH-2475 to fix up duplicate users
      20221:Merged PATCHES/V3.1.2 to PATCHES/V3.1.0
         20217: Merged PATCHES/V3.2.0 to PATCHES/V3.1.2
            19793: Merged HEAD to V3.2.0
               19786: Refactor of previous test fix. I have pushed down the OOo-specific parts of the change from AbstractContentTransformerTest to OpenOfficeContentTransformerTest leaving an extension point in the base class should other transformations need to be excluded in the future.
               19785: Fix for failing test OpenOfficeContentTransformerTest.testAllConversions.
                  Various OOo-related transformations are returned as available but fail on our test server with OOo on it.
                  Pending further work on these failings, I am disabling those transformations in test code whilst leaving them available in the product code. This is because in the wild a different OOo version may succeed with these transformations.
                  I had previously explicitly disabled 3 transformations in the product and I am moving that restriction from product to test code for the same reason.
               19707: Return value from isTransformationBlocked was inverted. Fixed now.
               19705: Refinement of previous check-in re OOo transformations.
                  I have pulled up the code that handles blocked transformations into a superclass so that the JodConverter-based transformer worker can inherit the same list of blocked transformations. To reiterate, blocked transformations are those that the OOo integration code believes should work but which are broken in practice. These are blocked by the transformers and will always be unavailable regardless of the OOo connection state.
               19702: Fix for HEAD builds running on panda build server.
                  OOo was recently installed on panda which has activated various OOo-related transformations/extractions in the test code.
                  It appears that OOo does not support some transformations from Office 97 to Office 2007. Specifically doc to docx and xls to xlsx. These transformations have now been marked as unavailable.
      20220: Created hotfix branch off TAGS/ENTERPRISE/V3.1.0
   20297: Merged PATCHES/V3.1.2 to V3.3 (RECORD ONLY)
      20268: Increment version number
      20267: ALF-550: Merged V3.2 to PATCHES/V3.1.2
         17768: Merged DEV/BELARUS/V3.2-2009_11_24 to V3.2
            17758: ETHREEOH-3757: Oracle upgrade issue: failed "inviteEmailTemplate" patch - also causes subsequent patches to not be applied
      20217: Merged PATCHES/V3.2.0 to PATCHES/V3.1.2
         19793: Merged HEAD to V3.2.0
            19786: Refactor of previous test fix. I have pushed down the OOo-specific parts of the change from AbstractContentTransformerTest to OpenOfficeContentTransformerTest leaving an extension point in the base class should other transformations need to be excluded in the future.
            19785: Fix for failing test OpenOfficeContentTransformerTest.testAllConversions.
               Various OOo-related transformations are returned as available but fail on our test server with OOo on it.
               Pending further work on these failings, I am disabling those transformations in test code whilst leaving them available in the product code. This is because in the wild a different OOo version may succeed with these transformations.
               I had previously explicitly disabled 3 transformations in the product and I am moving that restriction from product to test code for the same reason.
            19707: Return value from isTransformationBlocked was inverted. Fixed now.
            19705: Refinement of previous check-in re OOo transformations.
               I have pulled up the code that handles blocked transformations into a superclass so that the JodConverter-based transformer worker can inherit the same list of blocked transformations. To reiterate, blocked transformations are those that the OOo integration code believes should work but which are broken in practice. These are blocked by the transformers and will always be unavailable regardless of the OOo connection state.
            19702: Fix for HEAD builds running on panda build server.
               OOo was recently installed on panda which has activated various OOo-related transformations/extractions in the test code.
               It appears that OOo does not support some transformations from Office 97 to Office 2007. Specifically doc to docx and xls to xlsx. These transformations have now been marked as unavailable.
      20204: Moved version label to '.6'
   20298: Merged PATCHES/V3.2.0 to V3.3 (RECORD ONLY)
      20281: Incremented version number to '10'
      20272: Backports to help fix ALF-2839: Node pre-loading generates needless resultset rows
         Merged BRANCHES/V3.2 to PATCHES/V3.2.0:
            18490: Added cache for alf_content_data
         Merged BRANCHES/DEV/V3.3-BUG-FIX to PATCHES/V3.2.0:
            20231: Fixed ALF-2784: Degradation of performance between 3.1.1 and 3.2x (observed in JSF)
   20299: Merged PATCHES/V3.2.1 to V3.3 (RECORD ONLY)
      20279: Incremented version label
      20211: Reinstated patch 'patch.convertContentUrls' (reversed rev 20205 ALF-2719)
      20210: Incremented version label to '.3'
      20206: Bumped version label to '.2'
      20205: Workaround for ALF-2719 by disabling patch.convertContentUrls and ContentStoreCleaner
      20149: Incremented version label
      20101: Created hotfix branch off ENTERPRISE/V3.2.1
   20300: Merged BRANCHES/DEV/BELARUS/HEAD-2010_04_28 to BRANCHES/V3.3:
      20293: ALF-767: remove-AVM-issuer.sql upgrade does not account for column (mis-)order - fixed for MySQL, PostgreSQL and Oracle (DB2 & MS SQL Server already OK)
   20301: Merged PATCHES/V3.2.1 to V3.3
      20278: ALF-206: Make it possible to follow hyperlinks to document JSF client URLs from MS Office
         - A request parameter rather than a (potentially forgotten) session attribute is used to propagate the URL to redirect to after successful login
   20303: Fixed ALF-2855: FixAuthorityCrcValuesPatch reports NPE during upgrade from 2.1.7 to 3.3E
      - Auto-unbox NPE on Long->long: Just used the Long directly for reporting
   20319: Fixed ALF-2854: User Usage Queries use read-write methods on QNameDAO
   20322: Fixed ALF-1998: contentStoreCleanerJob leads to foreign key exception
      - Possible concurrent modification of alf_content_url.orphan_time led to false orphan detection
      - Fixed queries to check for dereferencing AND use the indexed orphan_time column
      - More robust use of EagerContentStoreCleaner: On eager cleanup, ensure that URLs are deleted
      - Added optimistic lock checks on updates and deletes of alf_content_url
   20335: Merged DEV/V3.3-BUG-FIX to V3.3
      20334: ALF-2473: Changes for clean startup and shutdown of subsystems on Spring 3
         - Removed previous SafeEventPublisher workaround for startup errors and associated changes
         - Replaced with SafeApplicationEventMulticaster which queues up events while an application context isn't started
         - Now all subsystems shut down cleanly
         - Fixes problem with FileContentStore visibility in JMX too!
   20341: ALF-2517 Quick fix which means rules which compare the creation/modification date of content should now correctly be applied when content is uploaded to a folder.
   20346: ALF-2839: Node pre-loading generates needless resultset rows
      - Added missing Criteria.list() call
   20347: Merged BRANCHES/DEV/V3.3-BUG-FIX to BRANCHES/V3.3:
      20231: Fixed ALF-2784: Degradation of performance between 3.1.1 and 3.2x (observed in JSF)
   20356: Merged DEV/BELARUS/HEAD-2010_03_30 to V3.3 (with corrections)
      19735: ALF-686: Alfresco cannot start if read/write mode in Sysadmin subsystem is configured
         1. org.alfresco.repo.module.ModuleComponentHelper was modified to allow “System” user run write operations in read-only system.
         2. Startup of “Synchronization” subsystem failed with the same error as was occurred in issue during modules start. org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer was also modified to allow “System” user run write operations in read-only mode.
   20361: Merged HEAD to BRANCHES/V3.3: (RECORD ONLY)
      20345: Fix ALF-2319: CMIS 'current' version mapping is not compliant with spec
      20354: Update test to reflect changes to CMIS version mapping.
   20363: Merge from V3.2 to V3.2 (all record-only)
      c. 19448 OOoJodConverter worker bean correctly handles isAvailable() when subsystem is disabled.
      c. 19484 JodConverter-backed thumbnailing test now explicitly sets OOoDirect and OOoJodconverter enabled-ness back to default settings in tearDown
      c. 20175 Fix for ALF-2773 JMX configuration of enterprise logging broken
   20376: Altered URL of online help to point at http://www.alfresco.com/help/33/enterprise/webeditor/
   20395: set google docs off
   20398: Fixed ALF-2890: Upgrade removes content if transaction retries are triggered
      - Setting ContentData that was derived outside of the current transaction opened up a window
        for the post-rollback code to delete the underlying binary. The binaries are only registered
        for writers fetched via the ContentService now; the low-level DAO no longer does management
        because it can't assume that a new content URL indicates a new underlying binary.
      - The contentUrlConverter was creating new URLs and thus the low-level DAO cleaned up
        live content when retrying collisions took place. The cleanup is no longer on the stack
        for the patch.
      - Removes the ALF-558 changes around ContentData.reference()
   20399: Remove googledocs aspect option
   20400: PurgeTestP (AVM) - increase wait cycles
   20422: Added ooo converter properties
   20425: Merge V3.3-BUG-FIX to V3.3
      20392 : ALF-2716 - imap mail metadata extraction fails when alfresco server locale is non English
      20365 : Merge DEV to V3.3-BUG_FIX     
         18011 : ETHREEOH-3804 - IMAP message body doesn't appears in IMAP folder when message subject is equal to the attachment name
      20332 : Build fix - rework to the ImapServiceUnit tests.
      20325 : build fix
      20318 : MERGE DEV TO V3.3-BUG-FIX    
         20287 : ALF-2754: Alfresco IMAP and Zimbra Desktop Client.
      20317 : ALF-2716 - imap mail metadata extraction fails when alfresco server locale is non English   This change reworks the received date metadata extraction.
      20316 : ALF-1912 : Problem with IMAP Sites visibility   Now only IMAP favouries are shown.   Also major rework to the way that this service uses the FileFolderService.
      20315 : ALF-1912 Updates to the FileFolderService to support the Imap Service    - add listDeepFolders    - remove "makeFolders" which moves to its own Utility class.    - update to JavaDoc
   20429: Merged BRANCHES/DEV/V3.3-BUG-FIX to BRANCHES/V3.3:
      20171: 3.3SP1 bug fix branch
      20174: Fix for ALF-960 and ALFCOM-1980: WCM - File Picker Restriction relative to folder not web project
      20179: ALF-2629 Now when a workflow timer signals a transition it also ends the associated task.
   20433: Merged BRANCHES/DEV/V3.3-BUG-FIX to BRANCHES/V3.3:
      20184: ALF-2772: Added new test case to RepoTransferReceiverImplTest and fixed the fault in the primary manifest processor.
      20196: Temporary fix to SandboxServiceImplTest, which reverses the fix to ALF-2529.
   20434: Merged BRANCHES/DEV/V3.3-BUG-FIX to BRANCHES/V3.3: (RECORD ONLY)
      20213: (RECORD ONLY) Merge from V3.3 to V3.3-BUG-FIX
         r20176 Merge from V3.2 to V3.3.
             r20175. JMX configuration of enterprise logging broken (fix).
      20215: (RECORD ONLY) Merge from V3.3 to V3.3-BUG-FIX
         r20178 JodConverter loggers are now exposed in JMX.
      20218: (RECORD ONLY) Merged BRANCHES/V3.3 to BRANCHES/DEV/V3.3-BUG-FIX:
         20195: Form fields for numbers are now rendered much smaller that ...
      20248: (RECORD ONLY) Merging HEAD into V3.3
      20284: (RECORD ONLY) Merged BRANCHES/V3.3 to BRANCHES/DEV/V3.3-BUG-FIX:
         20177: Add 'MaxPermSize' setting for DOD JUnit tests
      20305: (RECORD ONLY) Merged BRANCHES/V3.3 to BRANCHES/DEV/V3.3-BUG-FIX:
         20236: Add Oracle support for creating/dropping "databases" (users) in continuous.xml
         20264: Updated Oracle build support (to fix grants)
   20435: Merged BRANCHES/DEV/V3.3-BUG-FIX to BRANCHES/V3.3:
      20233: Part fix for ALF-2811: DOD5015 module breaks CMIS tck
      20239: Final part of fix for ALF-2811: DOD5015 module breaks CMIS tck
      20250: Merge from DEV/BELARUS/HEAD-2010_04_28 to V3.3-BUG-FIX
         20230 ALF-2450: latin/utf-8 HTML file cannot be text-extracted.
      20253: ALF-2629 Now tasks should correctly be ended when an associated timer is triggered. Should no longer cause WCM workflows to fail.
      20254: ALF-2579 Changed teh status code on incorrect password to '401' to reflect that it is an authorisation error.
      20263: Fix for ALF-2500: query with a ! in contains search make it strange
      20265: Fix for ALF-1495. Reindexing of OOo-transformed content after OOo crash.
   20436: Merged BRANCHES/DEV/V3.3-BUG-FIX to BRANCHES/V3.3:
      20292: (RECORD ONLY) Latest SpringSurf libs:
      20308: (RECORD ONLY) Latest SpringSurf libs:
      20366: (RECORD ONLY) Latest SpringSurf libs:
      20415: Latest SpringSurf libs:
   20437: Merged BRANCHES/DEV/V3.3-BUG-FIX to BRANCHES/V3.3:
      20270: Build times: SearchTestSuite
      20273: Fix for ALF-2125 - Accessing a deleted page in Share does not return an error page, instead the document-details page breaks
      20274: Fix for ALF-2518: It's impossible to find user by user name in Add User or Group window at Manage permissions page (also allows users to be found by username in the Share Admin Console).
      20277: Fix for ALF-2417: Create Web Content Wizard if cancelling/aborting Step Two - Author Web Content, any asset being uploaded gets locked
      20291: Reduce build time: Added security test suite to cover 17 security tests 
   20439: Merged BRANCHES/DEV/V3.3-BUG-FIX to BRANCHES/V3.3:
      20302: Fixed ALF-727:  Oracle iBatis fails on PropertyValueDAOTest Double.MAX_VALUE
      20307: VersionStore - minor fixes if running deprecated V1 
      20310: Fixed a bug in UIContentSelector which was building lucene search queries incorrectly.
      20314: Fix for ALF-2789 - DispatcherServlet not correctly retrieving Object ID from request parameters
      20320: Merged DEV/TEMPORARY to V3.3-BUG-FIX
         20313: ALF-2507: Not able to email space users even if the user owns the space 
      20324: Fixed ALF-2078 "Content doesn't make checked in after applying 'Check-in' rule in Share"
      20327: Fix Quickr project to compile in Eclipse
      20367: ALF-2829: Avoid reading entire result set into memory in FixNameCrcValuesPatch
      20368: Work-around for ALF-2366: patch.updateDmPermissions takes too long to complete
      20369: Part 1 of fix for ALF-2943: Update incorrect mimetypes (Excel and Powerpoint)
      20370: Version Migrator (ALF-1000) - use common batch processor to enable multiple workers
      20373: Version Migrator (ALF-1000) - resolve runtime conflict (w/ r20334)
      20378: Merged BRANCHES/DEV/BELARUS/HEAD-2010_04_28 to BRANCHES/DEV/V3.3-BUG-FIX:
         20312: ALF-2162: Error processing WCM form: XFormsBindingException: property 'constraint' already present at model item
      20381: Fixed ALF-2943: Update incorrect mimetypes (Excel and Powerpoint)


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@20571 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2010-06-09 14:01:07 +00:00

2579 lines
96 KiB
Java
Raw Blame History

/*
* Copyright (C) 2005-2010 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.domain.hibernate;
import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.zip.CRC32;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.repo.cache.SimpleCache;
import org.alfresco.repo.domain.DbAccessControlEntry;
import org.alfresco.repo.domain.DbAccessControlList;
import org.alfresco.repo.domain.DbAccessControlListChangeSet;
import org.alfresco.repo.domain.DbAccessControlListMember;
import org.alfresco.repo.domain.DbAuthority;
import org.alfresco.repo.domain.DbPermission;
import org.alfresco.repo.domain.Node;
import org.alfresco.repo.domain.avm.AVMNodeDAO;
import org.alfresco.repo.domain.avm.AVMNodeEntity;
import org.alfresco.repo.domain.patch.PatchDAO;
import org.alfresco.repo.domain.qname.QNameDAO;
import org.alfresco.repo.security.permissions.ACEType;
import org.alfresco.repo.security.permissions.ACLCopyMode;
import org.alfresco.repo.security.permissions.ACLType;
import org.alfresco.repo.security.permissions.AccessControlEntry;
import org.alfresco.repo.security.permissions.AccessControlList;
import org.alfresco.repo.security.permissions.AccessControlListProperties;
import org.alfresco.repo.security.permissions.PermissionReference;
import org.alfresco.repo.security.permissions.SimpleAccessControlEntry;
import org.alfresco.repo.security.permissions.SimpleAccessControlEntryContext;
import org.alfresco.repo.security.permissions.SimpleAccessControlList;
import org.alfresco.repo.security.permissions.SimpleAccessControlListProperties;
import org.alfresco.repo.security.permissions.impl.AclChange;
import org.alfresco.repo.security.permissions.impl.AclDaoComponent;
import org.alfresco.repo.security.permissions.impl.PermissionsDaoComponent;
import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.namespace.QName;
import org.alfresco.util.GUID;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.hibernate.CacheMode;
import org.hibernate.Criteria;
import org.hibernate.Query;
import org.hibernate.Session;
import org.hibernate.criterion.Criterion;
import org.hibernate.criterion.Restrictions;
import org.alfresco.util.Pair;
import org.springframework.orm.hibernate3.HibernateCallback;
import org.springframework.orm.hibernate3.support.HibernateDaoSupport;
/**
* Hibernate DAO to manage ACL persistence
*
* @author andyh
*/
public class AclDaoComponentImpl extends HibernateDaoSupport implements AclDaoComponent
{
private static Log logger = LogFactory.getLog(AclDaoComponentImpl.class);
static String QUERY_GET_PERMISSION = "permission.GetPermission";
static String QUERY_GET_AUTHORITY = "permission.GetAuthority";
static String QUERY_GET_ACE_WITH_NO_CONTEXT = "permission.GetAceWithNoContext";
// static String QUERY_GET_AUTHORITY_ALIAS = "permission.GetAuthorityAlias";
// static String QUERY_GET_AUTHORITY_ALIASES = "permission.GetAuthorityAliases";
static String QUERY_GET_ACES_AND_ACLS_BY_AUTHORITY = "permission.GetAcesAndAclsByAuthority";
static String QUERY_GET_ACES_BY_AUTHORITY = "permission.GetAcesByAuthority";
static String QUERY_GET_ACES_FOR_ACL = "permission.GetAcesForAcl";
static String QUERY_LOAD_ACL = "permission.LoadAcl";
static String QUERY_GET_ACLS_THAT_INHERIT_FROM_THIS_ACL = "permission.GetAclsThatInheritFromThisAcl";
static String QUERY_GET_AVM_NODES_BY_ACL = "permission.FindAvmNodesByACL";
static String QUERY_GET_LATEST_ACL_BY_ACLID = "permission.FindLatestAclByGuid";
/** Access to QName entities */
private QNameDAO qnameDAO;
/** Access to AVMNode queries */
private AVMNodeDAO avmNodeDAO;
/** Access to additional Patch queries */
private PatchDAO patchDAO;
/** a transactionally-safe cache to be injected */
private SimpleCache<Long, AccessControlList> aclCache;
private boolean useOldPermissions;
private enum WriteMode
{
/**
* Remove inherited ACEs after that set
*/
TRUNCATE_INHERITED,
/**
* Add inherited ACEs
*/
ADD_INHERITED,
/**
* The source of inherited ACEs is changing
*/
CHANGE_INHERITED,
/**
* Remove all inherited ACEs
*/
REMOVE_INHERITED,
/**
* Insert inherited ACEs
*/
INSERT_INHERITED,
/**
* Copy ACLs and update ACEs and inheritance
*/
COPY_UPDATE_AND_INHERIT,
/**
* Simlpe copy
*/
COPY_ONLY, CREATE_AND_INHERIT;
}
/**
*
*/
public AclDaoComponentImpl()
{
super();
// Wire up for annoying AVM hack to support copy and setting of ACLs as nodes are created
DbAccessControlListImpl.setAclDaoComponent(this);
}
/**
* Set the DAO for accessing QName entities
*
* @param qnameDAO
*/
public void setQnameDAO(QNameDAO qnameDAO)
{
this.qnameDAO = qnameDAO;
}
public void setPatchDAO(PatchDAO patchDAO)
{
this.patchDAO = patchDAO;
}
public void setAvmNodeDAO(AVMNodeDAO avmNodeDAO)
{
this.avmNodeDAO = avmNodeDAO;
}
/**
* Set the ACL cache
*
* @param aclCache
*/
public void setAclCache(SimpleCache<Long, AccessControlList> aclCache)
{
this.aclCache = aclCache;
}
public DbAccessControlList getDbAccessControlList(Long id)
{
if (id == null)
{
return null;
}
DbAccessControlList acl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, id);
return acl;
}
public Long createAccessControlList(AccessControlListProperties properties)
{
if (properties.getAclType() == null)
{
throw new IllegalArgumentException("ACL Type must be defined");
}
switch (properties.getAclType())
{
case OLD:
if (properties.isVersioned() == Boolean.TRUE)
{
throw new IllegalArgumentException("Old acls can not be versioned");
}
break;
case SHARED:
throw new IllegalArgumentException("Can not create shared acls direct - use get inherited");
case DEFINING:
case LAYERED:
break;
case FIXED:
if (properties.getInherits() == Boolean.TRUE)
{
throw new IllegalArgumentException("Fixed ACLs can not inherit");
}
case GLOBAL:
if (properties.getInherits() == Boolean.TRUE)
{
throw new IllegalArgumentException("Fixed ACLs can not inherit");
}
default:
break;
}
return createAccessControlListImpl(properties, null, null);
}
private Long createAccessControlListImpl(AccessControlListProperties properties, List<AccessControlEntry> aces, Long inherited)
{
DbAccessControlListImpl acl = new DbAccessControlListImpl();
if (properties.getAclId() != null)
{
acl.setAclId(properties.getAclId());
}
else
{
acl.setAclId(GUID.generate());
}
acl.setAclType(properties.getAclType());
acl.setAclVersion(Long.valueOf(1l));
switch (properties.getAclType())
{
case FIXED:
case GLOBAL:
acl.setInherits(Boolean.FALSE);
case OLD:
case SHARED:
case DEFINING:
case LAYERED:
default:
if (properties.getInherits() != null)
{
acl.setInherits(properties.getInherits());
}
else
{
acl.setInherits(Boolean.TRUE);
}
break;
}
acl.setLatest(Boolean.TRUE);
switch (properties.getAclType())
{
case OLD:
acl.setVersioned(Boolean.FALSE);
break;
case FIXED:
case GLOBAL:
case SHARED:
case DEFINING:
case LAYERED:
default:
if (properties.isVersioned() != null)
{
acl.setVersioned(properties.isVersioned());
}
else
{
acl.setVersioned(Boolean.TRUE);
}
break;
}
acl.setAclChangeSet(getCurrentChangeSet());
acl.setRequiresVersion(false);
Long created = (Long) getHibernateTemplate().save(acl);
DirtySessionMethodInterceptor.flushSession(getSession(), true);
if ((aces != null) && aces.size() > 0)
{
List<AclChange> changes = new ArrayList<AclChange>();
List<DbAccessControlEntry> toAdd = new ArrayList<DbAccessControlEntry>(aces.size());
List<AccessControlEntry> excluded = new ArrayList<AccessControlEntry>(aces.size());
for (AccessControlEntry ace : aces)
{
if ((ace.getPosition() != null) && (ace.getPosition() != 0))
{
throw new IllegalArgumentException("Invalid position");
}
// Find authority
DbAuthority authority = getAuthority(ace.getAuthority(), true);
DbPermission permission = getPermission(ace.getPermission(), true);
// Find context
if (ace.getContext() != null)
{
throw new UnsupportedOperationException();
}
// Find ACE
DbAccessControlEntry entry = getAccessControlEntry(permission, authority, ace, true);
// Wire up
// COW and remove any existing matches
SimpleAccessControlEntry exclude = new SimpleAccessControlEntry();
// match any access status
exclude.setAceType(ace.getAceType());
exclude.setAuthority(ace.getAuthority());
exclude.setPermission(ace.getPermission());
exclude.setPosition(0);
toAdd.add(entry);
excluded.add(exclude);
// Will remove from the cache
}
Long toInherit = null;
if (inherited != null)
{
toInherit = getInheritedAccessControlList(inherited);
}
getWritable(created, toInherit, excluded, toAdd, toInherit, false, changes, WriteMode.CREATE_AND_INHERIT);
}
return created;
}
@SuppressWarnings("unchecked")
private void getWritable(final Long id, final Long parent, List<? extends AccessControlEntry> exclude, List<DbAccessControlEntry> toAdd, Long inheritsFrom, boolean cascade,
List<AclChange> changes, WriteMode mode)
{
List<DbAccessControlEntry> inherited = null;
List<Integer> positions = null;
if ((mode == WriteMode.ADD_INHERITED) || (mode == WriteMode.INSERT_INHERITED) || (mode == WriteMode.CHANGE_INHERITED))
{
inherited = new ArrayList<DbAccessControlEntry>();
positions = new ArrayList<Integer>();
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACES_FOR_ACL);
query.setParameter("id", parent);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<DbAccessControlListMember> members = (List<DbAccessControlListMember>) getHibernateTemplate().execute(callback);
for (DbAccessControlListMember member : members)
{
if ((mode == WriteMode.INSERT_INHERITED) && (member.getPosition() == 0))
{
inherited.add(member.getAccessControlEntry());
positions.add(member.getPosition());
}
else
{
inherited.add(member.getAccessControlEntry());
positions.add(member.getPosition());
}
}
}
getWritable(id, parent, exclude, toAdd, inheritsFrom, inherited, positions, cascade, 0, changes, mode, false);
}
/**
* Make a whole tree of ACLs copy on write if required Includes adding and removing ACEs which cna be optimised
* slighlty for copy on write (no need to add and then remove)
*
* @param id
* @param parent
* @param exclude
* @param toAdd
* @param inheritsFrom
* @param cascade
* @param depth
* @param changes
*/
@SuppressWarnings("unchecked")
private void getWritable(final Long id, final Long parent, List<? extends AccessControlEntry> exclude, List<DbAccessControlEntry> toAdd, Long inheritsFrom,
List<DbAccessControlEntry> inherited, List<Integer> positions, boolean cascade, int depth, List<AclChange> changes, WriteMode mode, boolean requiresVersion)
{
AclChange current = getWritable(id, parent, exclude, toAdd, inheritsFrom, inherited, positions, depth, mode, requiresVersion);
changes.add(current);
boolean cascadeVersion = requiresVersion;
if (!cascadeVersion)
{
cascadeVersion = !current.getBefore().equals(current.getAfter());
}
if (cascade)
{
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACLS_THAT_INHERIT_FROM_THIS_ACL);
query.setParameter("id", id);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<Long> inheritors = (List<Long>) getHibernateTemplate().execute(callback);
for (Long nextId : inheritors)
{
// Check for those that inherit themselves to other nodes ...
if (nextId != id)
{
getWritable(nextId, current.getAfter(), exclude, toAdd, current.getAfter(), inherited, positions, cascade, depth + 1, changes, mode, cascadeVersion);
}
}
}
}
/**
* COW for an individual ACL
*
* @param id
* @param parent
* @param exclude
* @param toAdd
* @param inheritsFrom
* @param depth
* @return - an AclChange
*/
@SuppressWarnings("unchecked")
private AclChange getWritable(final Long id, final Long parent, List<? extends AccessControlEntry> exclude, List<DbAccessControlEntry> toAdd, Long inheritsFrom,
List<DbAccessControlEntry> inherited, List<Integer> positions, int depth, WriteMode mode, boolean requiresVersion)
{
DbAccessControlList acl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, id);
if (!acl.isLatest())
{
aclCache.remove(id);
return new AclChangeImpl(id, id, acl.getAclType(), acl.getAclType());
}
if (!acl.isVersioned())
{
switch (mode)
{
case COPY_UPDATE_AND_INHERIT:
removeAcesFromAcl(id, exclude, depth);
addAcesToAcl(acl, toAdd, depth);
break;
case CHANGE_INHERITED:
replaceInherited(id, acl, inherited, positions, depth);
break;
case ADD_INHERITED:
addInherited(acl, inherited, positions, depth);
break;
case TRUNCATE_INHERITED:
truncateInherited(id, depth);
break;
case INSERT_INHERITED:
insertInherited(id, acl, inherited, positions, depth);
break;
case REMOVE_INHERITED:
removeInherited(id, depth);
break;
case CREATE_AND_INHERIT:
addAcesToAcl(acl, toAdd, depth);
addInherited(acl, inherited, positions, depth);
case COPY_ONLY:
default:
break;
}
if (inheritsFrom != null)
{
acl.setInheritsFrom(inheritsFrom);
}
aclCache.remove(id);
return new AclChangeImpl(id, id, acl.getAclType(), acl.getAclType());
}
else if ((acl.getAclChangeSet() == getCurrentChangeSet()) && (!requiresVersion) && (!acl.getRequiresVersion()))
{
switch (mode)
{
case COPY_UPDATE_AND_INHERIT:
removeAcesFromAcl(id, exclude, depth);
addAcesToAcl(acl, toAdd, depth);
break;
case CHANGE_INHERITED:
replaceInherited(id, acl, inherited, positions, depth);
break;
case ADD_INHERITED:
addInherited(acl, inherited, positions, depth);
break;
case TRUNCATE_INHERITED:
truncateInherited(id, depth);
break;
case INSERT_INHERITED:
insertInherited(id, acl, inherited, positions, depth);
break;
case REMOVE_INHERITED:
removeInherited(id, depth);
break;
case CREATE_AND_INHERIT:
addAcesToAcl(acl, toAdd, depth);
addInherited(acl, inherited, positions, depth);
case COPY_ONLY:
default:
break;
}
if (inheritsFrom != null)
{
acl.setInheritsFrom(inheritsFrom);
}
aclCache.remove(id);
return new AclChangeImpl(id, id, acl.getAclType(), acl.getAclType());
}
else
{
DbAccessControlList newAcl = new DbAccessControlListImpl();
newAcl.setAclChangeSet(getCurrentChangeSet());
newAcl.setAclId(acl.getAclId());
newAcl.setAclType(acl.getAclType());
newAcl.setAclVersion(acl.getAclVersion() + 1);
newAcl.setInheritedAclId(-1l);
newAcl.setInherits(acl.getInherits());
newAcl.setInheritsFrom((inheritsFrom != null) ? inheritsFrom : acl.getInheritsFrom());
newAcl.setLatest(Boolean.TRUE);
newAcl.setVersioned(Boolean.TRUE);
newAcl.setRequiresVersion(Boolean.FALSE);
Long created = (Long) getHibernateTemplate().save(newAcl);
DirtySessionMethodInterceptor.flushSession(getSession(), true);
// Create new membership entries - excluding those in the given pattern
// AcePatternMatcher excluder = new AcePatternMatcher(exclude);
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACES_FOR_ACL);
query.setParameter("id", id);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<DbAccessControlListMember> members = (List<DbAccessControlListMember>) getHibernateTemplate().execute(callback);
for (DbAccessControlListMember member : members)
{
// if (mode == WriteMode.COPY_UPDATE_AND_INHERIT)
// {
// if ((member.getPosition() == depth) && ((excluder == null) || !excluder.matches(member.getACE(),
// member.getPosition())))
// {
// DbAccessControlListMemberImpl newMember = new DbAccessControlListMemberImpl();
// newMember.setACL(newAcl);
// newMember.setACE(member.getACE());
// newMember.setPosition(member.getPosition());
// getHibernateTemplate().save(newMember);
// }
// }
// TODO: optimise copy cases :-)
DbAccessControlListMemberImpl newMember = new DbAccessControlListMemberImpl();
newMember.setAccessControlList(newAcl);
newMember.setAccessControlEntry(member.getAccessControlEntry());
newMember.setPosition(member.getPosition());
getHibernateTemplate().save(newMember);
DirtySessionMethodInterceptor.flushSession(getSession(), true);
}
// add new
switch (mode)
{
case COPY_UPDATE_AND_INHERIT:
// Done above
removeAcesFromAcl(newAcl.getId(), exclude, depth);
addAcesToAcl(newAcl, toAdd, depth);
break;
case CHANGE_INHERITED:
replaceInherited(newAcl.getId(), newAcl, inherited, positions, depth);
break;
case ADD_INHERITED:
addInherited(newAcl, inherited, positions, depth);
break;
case TRUNCATE_INHERITED:
truncateInherited(newAcl.getId(), depth);
break;
case INSERT_INHERITED:
insertInherited(newAcl.getId(), newAcl, inherited, positions, depth);
break;
case REMOVE_INHERITED:
removeInherited(newAcl.getId(), depth);
break;
case CREATE_AND_INHERIT:
addAcesToAcl(acl, toAdd, depth);
addInherited(acl, inherited, positions, depth);
case COPY_ONLY:
default:
break;
}
// Fix up inherited ACL if required
if (newAcl.getAclType() == ACLType.SHARED)
{
if (parent != null)
{
Long writableParentAcl = getWritable(parent, null, null, null, null, null, null, 0, WriteMode.COPY_ONLY, false).getAfter();
DbAccessControlList parentAcl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, writableParentAcl);
parentAcl.setInheritedAclId(created);
}
}
// fix up old version
acl.setLatest(Boolean.FALSE);
acl.setRequiresVersion(Boolean.FALSE);
aclCache.remove(id);
return new AclChangeImpl(id, created, acl.getAclType(), newAcl.getAclType());
}
}
/**
* Helper to remove ACEs from an ACL
*
* @param id
* @param exclude
* @param depth
*/
@SuppressWarnings("unchecked")
private void removeAcesFromAcl(final Long id, final List<? extends AccessControlEntry> exclude, final int depth)
{
AcePatternMatcher excluder = new AcePatternMatcher(exclude);
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
if (exclude == null)
{
Criteria criteria = session.createCriteria(DbAccessControlListMemberImpl.class, "member");
criteria.createAlias("accessControlList", "acl");
criteria.add(Restrictions.eq("acl.id", id));
criteria.createAlias("accessControlEntry", "ace");
criteria.createAlias("ace.authority", "authority");
criteria.createAlias("ace.permission", "permission");
criteria.setResultTransformer(Criteria.ALIAS_TO_ENTITY_MAP);
DirtySessionMethodInterceptor.setCriteriaFlushMode(session, criteria);
return criteria.list();
}
else
{
Criteria criteria = session.createCriteria(DbAccessControlListMemberImpl.class, "member");
criteria.createAlias("accessControlList", "acl");
criteria.add(Restrictions.eq("acl.id", id));
// build or
if (exclude.size() == 1)
{
AccessControlEntry excluded = exclude.get(0);
if ((excluded.getPosition() != null) && excluded.getPosition() >= 0)
{
criteria.add(Restrictions.eq("position", Integer.valueOf(depth)));
}
if ((excluded.getAccessStatus() != null) || (excluded.getAceType() != null) || (excluded.getAuthority() != null) || (excluded.getPermission() != null))
{
criteria.createAlias("accessControlEntry", "ace");
if (excluded.getAccessStatus() != null)
{
criteria.add(Restrictions.eq("ace.allowed", excluded.getAccessStatus() == AccessStatus.ALLOWED ? Boolean.TRUE : Boolean.FALSE));
}
if (excluded.getAceType() != null)
{
criteria.add(Restrictions.eq("ace.applies", Integer.valueOf(excluded.getAceType().getId())));
}
if (excluded.getAuthority() != null)
{
criteria.createAlias("ace.authority", "authority");
criteria.add(Restrictions.eq("authority.authority", excluded.getAuthority()));
}
if (excluded.getPermission() != null)
{
criteria.createAlias("ace.permission", "permission");
criteria.add(Restrictions.eq("permission.name", excluded.getPermission().getName()));
// TODO: Add typeQname
}
}
}
else
{
criteria.createAlias("accessControlEntry", "ace");
criteria.createAlias("ace.authority", "authority");
criteria.createAlias("ace.permission", "permission");
List<Criterion> toOr = new LinkedList<Criterion>();
LOOP: for (AccessControlEntry excluded : exclude)
{
List<Criterion> toAnd = new LinkedList<Criterion>();
if ((excluded.getPosition() != null) && excluded.getPosition() >= 0)
{
toAnd.add(Restrictions.eq("position", Integer.valueOf(depth)));
}
if (excluded.getAccessStatus() != null)
{
toAnd.add(Restrictions.eq("ace.allowed", excluded.getAccessStatus() == AccessStatus.ALLOWED ? Boolean.TRUE : Boolean.FALSE));
}
if (excluded.getAceType() != null)
{
toAnd.add(Restrictions.eq("ace.applies", Integer.valueOf(excluded.getAceType().getId())));
}
if (excluded.getAuthority() != null)
{
toAnd.add(Restrictions.eq("authority.authority", excluded.getAuthority()));
}
if (excluded.getPermission() != null)
{
toAnd.add(Restrictions.eq("permission.name", excluded.getPermission().getName()));
// TODO: Add typeQname
}
Criterion accumulated = null;
for (Criterion current : toAnd)
{
if (accumulated == null)
{
accumulated = current;
}
else
{
accumulated = Restrictions.and(accumulated, current);
}
}
if (accumulated == null)
{
// matches all
toOr = null;
break LOOP;
}
else
{
toOr.add(accumulated);
}
}
Criterion accumulated = null;
for (Criterion current : toOr)
{
if (accumulated == null)
{
accumulated = current;
}
else
{
accumulated = Restrictions.or(accumulated, current);
}
}
if (accumulated == null)
{
// no action
}
else
{
criteria.add(accumulated);
}
}
criteria.setResultTransformer(Criteria.ALIAS_TO_ENTITY_MAP);
DirtySessionMethodInterceptor.setCriteriaFlushMode(session, criteria);
return criteria.list();
}
}
};
List<Map<String, Object>> results = (List<Map<String, Object>>) getHibernateTemplate().execute(callback);
boolean removed = false;
for (Map<String, Object> result : results)
{
DbAccessControlListMember member = (DbAccessControlListMember) result.get("member");
if ((exclude != null) && excluder.matches(qnameDAO, result, depth))
{
getHibernateTemplate().delete(member);
removed = true;
}
}
if (removed)
{
DirtySessionMethodInterceptor.flushSession(getSession(), true);
}
}
/**
* Helper to add ACEs to an ACL
*
* @param acl
* @param toAdd
* @param depth
*/
private void addAcesToAcl(DbAccessControlList acl, List<DbAccessControlEntry> toAdd, int depth)
{
if (toAdd != null)
{
for (DbAccessControlEntry add : toAdd)
{
DbAccessControlListMemberImpl newMember = new DbAccessControlListMemberImpl();
newMember.setAccessControlList(acl);
newMember.setAccessControlEntry(add);
newMember.setPosition(depth);
getHibernateTemplate().save(newMember);
}
DirtySessionMethodInterceptor.flushSession(getSession(), true);
}
}
private void replaceInherited(Long id, DbAccessControlList acl, List<DbAccessControlEntry> inherited, List<Integer> positions, int depth)
{
truncateInherited(id, depth);
addInherited(acl, inherited, positions, depth);
}
@SuppressWarnings("unchecked")
private void truncateInherited(final Long id, int depth)
{
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACES_FOR_ACL);
query.setParameter("id", id);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<DbAccessControlListMember> members = (List<DbAccessControlListMember>) getHibernateTemplate().execute(callback);
boolean removed = false;
for (DbAccessControlListMember member : members)
{
if (member.getPosition() > depth)
{
getHibernateTemplate().delete(member);
removed = true;
}
}
if (removed)
{
DirtySessionMethodInterceptor.flushSession(getSession(), true);
}
}
@SuppressWarnings("unchecked")
private void removeInherited(final Long id, int depth)
{
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACES_FOR_ACL);
query.setParameter("id", id);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<DbAccessControlListMember> members = (List<DbAccessControlListMember>) getHibernateTemplate().execute(callback);
boolean changed = false;
for (DbAccessControlListMember member : members)
{
if (member.getPosition() == depth + 1)
{
getHibernateTemplate().delete(member);
changed = true;
}
else if (member.getPosition() > (depth + 1))
{
member.setPosition(member.getPosition() - 1);
changed = true;
}
}
if (changed)
{
DirtySessionMethodInterceptor.flushSession(getSession(), true);
}
}
private void addInherited(DbAccessControlList acl, List<DbAccessControlEntry> inherited, List<Integer> positions, int depth)
{
if (inherited != null)
{
for (int i = 0; i < inherited.size(); i++)
{
DbAccessControlEntry add = inherited.get(i);
Integer position = positions.get(i);
DbAccessControlListMemberImpl newMember = new DbAccessControlListMemberImpl();
newMember.setAccessControlList(acl);
newMember.setAccessControlEntry(add);
newMember.setPosition(position.intValue() + depth + 1);
getHibernateTemplate().save(newMember);
}
DirtySessionMethodInterceptor.flushSession(getSession(), true);
}
}
@SuppressWarnings("unchecked")
private void insertInherited(final Long id, DbAccessControlList acl, List<DbAccessControlEntry> inherited, List<Integer> positions, int depth)
{
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACES_FOR_ACL);
query.setParameter("id", id);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<DbAccessControlListMember> members = (List<DbAccessControlListMember>) getHibernateTemplate().execute(callback);
boolean changed = false;
for (DbAccessControlListMember member : members)
{
if (member.getPosition() > depth)
{
member.setPosition(member.getPosition() + 1);
changed = true;
}
}
if (changed)
{
DirtySessionMethodInterceptor.flushSession(getSession(), true);
}
for (int i = 0; i < inherited.size(); i++)
{
DbAccessControlEntry add = inherited.get(i);
Integer position = positions.get(i);
DbAccessControlListMemberImpl newMember = new DbAccessControlListMemberImpl();
newMember.setAccessControlList(acl);
newMember.setAccessControlEntry(add);
newMember.setPosition(position.intValue() + depth + 1);
getHibernateTemplate().save(newMember);
}
DirtySessionMethodInterceptor.flushSession(getSession(), true);
}
/**
* Used when deleting a user. No ACL is updated - the user has gone the aces and all related info is deleted.
*/
@SuppressWarnings("unchecked")
public List<AclChange> deleteAccessControlEntries(final String authority)
{
List<AclChange> acls = new ArrayList<AclChange>();
Set<Long> aces = new HashSet<Long>();
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACES_AND_ACLS_BY_AUTHORITY);
query.setParameter("authority", authority);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<Object[]> results = (List<Object[]>) getHibernateTemplate().execute(callback);
// fix up members and extract acls and aces
for (Object[] ids : results)
{
String authorityFound = (String) ids[3];
if (authorityFound.equals(authority))
{
// Delete acl entry
DbAccessControlListMember member = (DbAccessControlListMember) getHibernateTemplate().get(DbAccessControlListMemberImpl.class, (Long) ids[0]);
Long aclId = ((Long) ids[1]);
aclCache.remove(aclId);
DbAccessControlList list = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, aclId);
acls.add(new AclChangeImpl(aclId, aclId, list.getAclType(), list.getAclType()));
getHibernateTemplate().delete(member);
aces.add((Long) ids[2]);
}
}
// remove ACEs
for (Long id : aces)
{
// Delete acl entry
DbAccessControlEntry ace = (DbAccessControlEntry) getHibernateTemplate().get(DbAccessControlEntryImpl.class, id);
getHibernateTemplate().delete(ace);
}
// Tidy up any unreferenced ACEs
callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACES_BY_AUTHORITY);
query.setParameter("authority", authority);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<DbAccessControlEntry> unreferenced = (List<DbAccessControlEntry>) getHibernateTemplate().execute(callback);
for (DbAccessControlEntry ace : unreferenced)
{
getHibernateTemplate().delete(ace);
}
// remove authority
DbAuthority toRemove = getAuthority(authority, false);
if (toRemove != null)
{
getHibernateTemplate().delete(toRemove);
}
// TODO: Remove affected ACLs from the cache
DirtySessionMethodInterceptor.flushSession(getSession(), true);
return acls;
}
@SuppressWarnings("unchecked")
public void onDeleteAccessControlList(final long id)
{
// The acl has gone - remove any members it may have
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACES_FOR_ACL);
query.setParameter("id", id);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<DbAccessControlListMember> members = (List<DbAccessControlListMember>) getHibernateTemplate().execute(callback);
for (DbAccessControlListMember member : members)
{
getHibernateTemplate().delete(member);
}
DirtySessionMethodInterceptor.flushSession(getSession(), true);
aclCache.remove(id);
}
@SuppressWarnings("unchecked")
public List<AclChange> deleteAccessControlList(final Long id)
{
if (logger.isDebugEnabled())
{
HibernateCallback check = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Criteria criteria = getSession().createCriteria(NodeImpl.class, "node");
criteria.createAlias("node.accessControlList", "acl");
criteria.add(Restrictions.eq("acl.id", id));
criteria.setResultTransformer(Criteria.DISTINCT_ROOT_ENTITY);
DirtySessionMethodInterceptor.setCriteriaFlushMode(session, criteria);
return criteria.list();
}
};
List<Node> nodes = (List<Node>) getHibernateTemplate().execute(check);
for (Node node : nodes)
{
logger.debug("Found " + node.getId() + " " + node.getUuid() + " " + node.getAccessControlList());
}
}
List<AclChange> acls = new ArrayList<AclChange>();
final DbAccessControlList acl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, id);
if (!acl.isLatest())
{
throw new UnsupportedOperationException("Old ALC versions can not be updated");
}
if (acl.getAclType() == ACLType.SHARED)
{
throw new UnsupportedOperationException("Delete is not supported for shared acls - they are deleted with the defining acl");
}
if ((acl.getAclType() == ACLType.DEFINING) || (acl.getAclType() == ACLType.LAYERED))
{
if ((acl.getInheritedAclId() != null) && (acl.getInheritedAclId() != -1))
{
final DbAccessControlList inherited = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, acl.getInheritedAclId());
// Will remove from the cache
getWritable(inherited.getId(), acl.getInheritsFrom(), null, null, null, true, acls, WriteMode.REMOVE_INHERITED);
DbAccessControlList unusedInherited = null;
for (AclChange change : acls)
{
if (change.getBefore() == inherited.getId())
{
unusedInherited = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, change.getAfter());
}
}
final Long newId = unusedInherited.getId();
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACLS_THAT_INHERIT_FROM_THIS_ACL);
query.setParameter("id", newId);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<Long> inheritors = (List<Long>) getHibernateTemplate().execute(callback);
for (Long nextId : inheritors)
{
// Will remove from the cache
getWritable(nextId, acl.getInheritsFrom(), null, null, acl.getInheritsFrom(), true, acls, WriteMode.REMOVE_INHERITED);
}
callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACES_FOR_ACL);
query.setParameter("id", newId);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<DbAccessControlListMember> members = (List<DbAccessControlListMember>) getHibernateTemplate().execute(callback);
for (DbAccessControlListMember member : members)
{
getHibernateTemplate().delete(member);
}
getHibernateTemplate().delete(unusedInherited);
if (inherited.isVersioned())
{
inherited.setLatest(Boolean.FALSE);
}
else
{
getHibernateTemplate().delete(inherited);
}
}
}
else
{
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACLS_THAT_INHERIT_FROM_THIS_ACL);
query.setParameter("id", id);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<Long> inheritors = (List<Long>) getHibernateTemplate().execute(callback);
for (Long nextId : inheritors)
{
// Will remove from the cache
getWritable(nextId, acl.getInheritsFrom(), null, null, null, true, acls, WriteMode.REMOVE_INHERITED);
}
}
// delete
if (acl.isVersioned())
{
acl.setLatest(Boolean.FALSE);
}
else
{
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACES_FOR_ACL);
query.setParameter("id", id);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<DbAccessControlListMember> members = (List<DbAccessControlListMember>) getHibernateTemplate().execute(callback);
for (DbAccessControlListMember member : members)
{
getHibernateTemplate().delete(member);
}
getHibernateTemplate().delete(acl);
DirtySessionMethodInterceptor.flushSession(getSession(), true);
}
// remove the deleted acl from the cache
aclCache.remove(id);
acls.add(new AclChangeImpl(id, null, acl.getAclType(), null));
return acls;
}
public List<AclChange> deleteLocalAccessControlEntries(Long id)
{
List<AclChange> changes = new ArrayList<AclChange>();
SimpleAccessControlEntry pattern = new SimpleAccessControlEntry();
pattern.setPosition(Integer.valueOf(0));
// Will remove from the cache
getWritable(id, null, Collections.singletonList(pattern), null, null, true, changes, WriteMode.COPY_UPDATE_AND_INHERIT);
return changes;
}
public List<AclChange> deleteInheritedAccessControlEntries(Long id)
{
List<AclChange> changes = new ArrayList<AclChange>();
SimpleAccessControlEntry pattern = new SimpleAccessControlEntry();
pattern.setPosition(Integer.valueOf(-1));
// Will remove from the cache
getWritable(id, null, Collections.singletonList(pattern), null, null, true, changes, WriteMode.COPY_UPDATE_AND_INHERIT);
return changes;
}
public List<AclChange> deleteAccessControlEntries(Long id, AccessControlEntry pattern)
{
List<AclChange> changes = new ArrayList<AclChange>();
// Will remove from the cache
getWritable(id, null, Collections.singletonList(pattern), null, null, true, changes, WriteMode.COPY_UPDATE_AND_INHERIT);
return changes;
}
/**
* Search for access control lists
*
* @param pattern
* @return the ids of the ACLs found
*/
public Long[] findAccessControlList(AccessControlEntry pattern)
{
throw new UnsupportedOperationException();
}
public AccessControlList getAccessControlList(Long id)
{
AccessControlList acl = aclCache.get(id);
if (acl == null)
{
acl = getAccessControlListImpl(id);
aclCache.put(id, acl);
}
else
{
// System.out.println("Used cache for "+id);
}
return acl;
}
/**
* @param id
* @return the access control list
*/
@SuppressWarnings("unchecked")
public AccessControlList getAccessControlListImpl(final Long id)
{
SimpleAccessControlList acl = new SimpleAccessControlList();
AccessControlListProperties properties = getAccessControlListProperties(id);
if (properties == null)
{
return null;
}
acl.setProperties(properties);
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_LOAD_ACL);
query.setParameter("id", id);
query.setCacheMode(CacheMode.IGNORE);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<Object[]> results = (List<Object[]>) getHibernateTemplate().execute(callback);
List<AccessControlEntry> entries = new ArrayList<AccessControlEntry>(results.size());
for (Object[] result : results)
// for (DbAccessControlListMember member : members)
{
Boolean aceIsAllowed = (Boolean) result[0];
Integer aceType = (Integer) result[1];
String authority = (String) result[2];
Long permissionId = (Long) result[3];
Integer position = (Integer) result[4];
SimpleAccessControlEntry sacEntry = new SimpleAccessControlEntry();
sacEntry.setAccessStatus(aceIsAllowed ? AccessStatus.ALLOWED : AccessStatus.DENIED);
sacEntry.setAceType(ACEType.getACETypeFromId(aceType));
sacEntry.setAuthority(authority);
// if (entry.getContext() != null)
// {
// SimpleAccessControlEntryContext context = new SimpleAccessControlEntryContext();
// context.setClassContext(entry.getContext().getClassContext());
// context.setKVPContext(entry.getContext().getKvpContext());
// context.setPropertyContext(entry.getContext().getPropertyContext());
// sacEntry.setContext(context);
// }
DbPermission perm = (DbPermission) getSession().get(DbPermissionImpl.class, permissionId);
QName permTypeQName = qnameDAO.getQName(perm.getTypeQNameId()).getSecond(); // Has an ID so must exist
SimplePermissionReference permissionRefernce = SimplePermissionReference.getPermissionReference(permTypeQName, perm.getName());
sacEntry.setPermission(permissionRefernce);
sacEntry.setPosition(position);
entries.add(sacEntry);
}
Collections.sort(entries);
acl.setEntries(entries);
return acl;
}
public AccessControlListProperties getAccessControlListProperties(Long id)
{
DbAccessControlList acl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, id);
if (acl == null)
{
return null;
}
SimpleAccessControlListProperties properties = new SimpleAccessControlListProperties();
properties.setAclId(acl.getAclId());
properties.setAclType(acl.getAclType());
properties.setAclVersion(acl.getAclVersion());
properties.setInherits(acl.getInherits());
properties.setLatest(acl.isLatest());
properties.setVersioned(acl.isVersioned());
properties.setId(id);
return properties;
}
public Long getInheritedAccessControlList(Long id)
{
DbAccessControlList acl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, id);
if (acl.getAclType() == ACLType.OLD)
{
return null;
}
if ((acl.getInheritedAclId() != null) && (acl.getInheritedAclId() != -1))
{
return acl.getInheritedAclId();
}
if ((acl.getAclType() == ACLType.DEFINING) || (acl.getAclType() == ACLType.LAYERED))
{
List<AclChange> changes = new ArrayList<AclChange>();
// created shared acl
SimpleAccessControlListProperties properties = new SimpleAccessControlListProperties();
properties.setAclType(ACLType.SHARED);
properties.setInherits(Boolean.TRUE);
properties.setVersioned(acl.isVersioned());
Long sharedId = createAccessControlListImpl(properties, null, null);
@SuppressWarnings("unused")
DbAccessControlList shared = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, sharedId);
getWritable(sharedId, id, null, null, id, true, changes, WriteMode.ADD_INHERITED);
acl.setInheritedAclId(sharedId);
return sharedId;
}
else
{
acl.setInheritedAclId(acl.getId());
return acl.getInheritedAclId();
}
}
public List<AclChange> invalidateAccessControlEntries(final String authority)
{
throw new UnsupportedOperationException();
}
public List<AclChange> mergeInheritedAccessControlList(Long inherited, Long target)
{
// TODO: For now we do a replace - we could do an insert if both inherit from the same acl
List<AclChange> changes = new ArrayList<AclChange>();
DbAccessControlList targetAcl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, target);
DbAccessControlList inheritedAcl = null;
if (inherited != null)
{
inheritedAcl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, inherited);
}
else
{
// Assume we are just resetting it to inherit as before
if (targetAcl.getInheritsFrom() != null)
{
inheritedAcl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, targetAcl.getInheritsFrom());
if (inheritedAcl == null)
{
// TODO: Try previous versions
throw new IllegalStateException("No old inheritance definition to use");
}
else
{
// find the latest version of the acl
if (!inheritedAcl.isLatest())
{
final String searchAclId = inheritedAcl.getAclId();
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_LATEST_ACL_BY_ACLID);
query.setParameter("aclId", searchAclId);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.uniqueResult();
}
};
Long actualInheritor = (Long) getHibernateTemplate().execute(callback);
inheritedAcl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, actualInheritor);
if (inheritedAcl == null)
{
// TODO: Try previous versions
throw new IllegalStateException("No ACL found");
}
}
}
}
else
{
// There is no inheritance to set
return changes;
}
}
// recursion test
// if inherited already inherits from the target
DbAccessControlList test = inheritedAcl;
while (test != null)
{
if (test.getId() == target)
{
throw new IllegalStateException("Cyclical ACL detected");
}
Long parent = test.getInheritsFrom();
if ((parent == null) || (parent == -1l))
{
test = null;
}
else
{
test = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, test.getInheritsFrom());
}
}
if ((targetAcl.getAclType() != ACLType.DEFINING) && (targetAcl.getAclType() != ACLType.LAYERED))
{
throw new IllegalArgumentException("Only defining ACLs can have their inheritance set");
}
if (!targetAcl.getInherits())
{
return changes;
}
Long actualInheritedId = inheritedAcl.getId();
if ((inheritedAcl.getAclType() == ACLType.DEFINING) || (inheritedAcl.getAclType() == ACLType.LAYERED))
{
actualInheritedId = getInheritedAccessControlList(actualInheritedId);
}
// Will remove from the cache
getWritable(target, actualInheritedId, null, null, actualInheritedId, true, changes, WriteMode.CHANGE_INHERITED);
return changes;
}
@SuppressWarnings("unchecked")
public List<AclChange> setAccessControlEntry(final Long id, final AccessControlEntry ace)
{
DbAccessControlList target = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, id);
if (target.getAclType() == ACLType.SHARED)
{
throw new IllegalArgumentException("Shared ACLs are immutable");
}
List<AclChange> changes = new ArrayList<AclChange>();
if ((ace.getPosition() != null) && (ace.getPosition() != 0))
{
throw new IllegalArgumentException("Invalid position");
}
// Find authority
DbAuthority authority = getAuthority(ace.getAuthority(), true);
DbPermission permission = getPermission(ace.getPermission(), true);
// Find context
if (ace.getContext() != null)
{
throw new UnsupportedOperationException();
}
// Find ACE
DbAccessControlEntry entry = getAccessControlEntry(permission, authority, ace, true);
// Wire up
// COW and remove any existing matches
SimpleAccessControlEntry exclude = new SimpleAccessControlEntry();
// match any access status
exclude.setAceType(ace.getAceType());
exclude.setAuthority(ace.getAuthority());
exclude.setPermission(ace.getPermission());
exclude.setPosition(0);
List<DbAccessControlEntry> toAdd = new ArrayList<DbAccessControlEntry>(1);
toAdd.add(entry);
// Will remove from the cache
getWritable(id, null, Collections.singletonList(exclude), toAdd, null, true, changes, WriteMode.COPY_UPDATE_AND_INHERIT);
return changes;
}
private long getCrc(String str)
{
try
{
CRC32 crc = new CRC32();
crc.update(str.getBytes("UTF-8"));
return crc.getValue();
}
catch (UnsupportedEncodingException e)
{
throw new RuntimeException("UTF-8 encoding is not supported");
}
}
public List<AclChange> enableInheritance(Long id, Long parent)
{
List<AclChange> changes = new ArrayList<AclChange>();
DbAccessControlList acl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, id);
switch (acl.getAclType())
{
case FIXED:
case GLOBAL:
throw new IllegalArgumentException("Fixed and global permissions can not inherit");
case OLD:
acl.setInherits(Boolean.TRUE);
aclCache.remove(id);
changes.add(new AclChangeImpl(id, id, acl.getAclType(), acl.getAclType()));
DirtySessionMethodInterceptor.flushSession(getSession(), true);
return changes;
case SHARED:
// TODO support a list of children and casacade if given
throw new IllegalArgumentException(
"Shared acls should be replace by creating a definig ACL, wiring it up for inhertitance, and then applying inheritance to any children. It can not be done by magic ");
case DEFINING:
case LAYERED:
default:
if (!acl.getInherits())
{
// Will remove from the cache
getWritable(id, null, null, null, null, false, changes, WriteMode.COPY_ONLY);
acl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, changes.get(0).getAfter());
acl.setInherits(Boolean.TRUE);
DirtySessionMethodInterceptor.flushSession(getSession(), true);
}
else
{
// Will remove from the cache
getWritable(id, null, null, null, null, false, changes, WriteMode.COPY_ONLY);
}
List<AclChange> merged = mergeInheritedAccessControlList(parent, changes.get(0).getAfter());
changes.addAll(merged);
return changes;
}
}
public List<AclChange> disableInheritance(Long id, boolean setInheritedOnAcl)
{
DbAccessControlList acl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, id);
List<AclChange> changes = new ArrayList<AclChange>(1);
switch (acl.getAclType())
{
case FIXED:
case GLOBAL:
return Collections.<AclChange> singletonList(new AclChangeImpl(id, id, acl.getAclType(), acl.getAclType()));
case OLD:
acl.setInherits(Boolean.FALSE);
aclCache.remove(id);
changes.add(new AclChangeImpl(id, id, acl.getAclType(), acl.getAclType()));
DirtySessionMethodInterceptor.flushSession(getSession(), true);
return changes;
case SHARED:
// TODO support a list of children and casacade if given
throw new IllegalArgumentException("Shared ACL must inherit");
case DEFINING:
case LAYERED:
default:
return disableInheritanceImpl(id, setInheritedOnAcl, acl);
}
}
public Long getCopy(Long toCopy, Long toInheritFrom, ACLCopyMode mode)
{
DbAccessControlList aclToCopy;
Long inheritedId;
DbAccessControlList aclToInheritFrom;
switch (mode)
{
case INHERIT:
if (toCopy.equals(toInheritFrom))
{
return getInheritedAccessControlList(toCopy);
}
else
{
throw new UnsupportedOperationException();
}
case COW:
aclToCopy = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, toCopy);
aclToCopy.setRequiresVersion(true);
aclCache.remove(toCopy);
inheritedId = getInheritedAccessControlList(toCopy);
if ((inheritedId != null) && (!inheritedId.equals(toCopy)))
{
DbAccessControlList inheritedAcl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, inheritedId);
inheritedAcl.setRequiresVersion(true);
aclCache.remove(inheritedId);
}
DirtySessionMethodInterceptor.flushSession(getSession(), true);
return toCopy;
case REDIRECT:
if ((toInheritFrom != null) && (toInheritFrom == toCopy))
{
return getInheritedAccessControlList(toInheritFrom);
}
aclToCopy = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, toCopy);
aclToInheritFrom = null;
if (toInheritFrom != null)
{
aclToInheritFrom = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, toInheritFrom);
}
switch (aclToCopy.getAclType())
{
case DEFINING:
// This is not called on the redirecting node as only LAYERED change permissins when redirected
// So this needs to make a copy in the same way layered does
case LAYERED:
if (toInheritFrom == null)
{
return toCopy;
}
// manages cache clearing beneath
List<AclChange> changes = mergeInheritedAccessControlList(toInheritFrom, toCopy);
for (AclChange change : changes)
{
if (change.getBefore().equals(toCopy))
{
return change.getAfter();
}
}
throw new UnsupportedOperationException();
case SHARED:
if (aclToInheritFrom != null)
{
return getInheritedAccessControlList(toInheritFrom);
}
else
{
throw new UnsupportedOperationException();
}
case FIXED:
case GLOBAL:
case OLD:
return toCopy;
default:
throw new UnsupportedOperationException();
}
case COPY:
aclToCopy = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, toCopy);
aclToInheritFrom = null;
if (toInheritFrom != null)
{
aclToInheritFrom = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, toInheritFrom);
}
switch (aclToCopy.getAclType())
{
case DEFINING:
SimpleAccessControlListProperties properties = new SimpleAccessControlListProperties();
properties.setAclType(ACLType.DEFINING);
properties.setInherits(aclToCopy.getInherits());
// Accept default versioning
Long id = createAccessControlList(properties);
AccessControlList indirectAcl = getAccessControlList(toCopy);
for (AccessControlEntry entry : indirectAcl.getEntries())
{
if (entry.getPosition() == 0)
{
setAccessControlEntry(id, entry);
}
}
if (aclToInheritFrom != null)
{
mergeInheritedAccessControlList(toInheritFrom, id);
}
DirtySessionMethodInterceptor.flushSession(getSession(), true);
return id;
case SHARED:
if (aclToInheritFrom != null)
{
return getInheritedAccessControlList(toInheritFrom);
}
else
{
return null;
}
case FIXED:
case GLOBAL:
case LAYERED:
case OLD:
return toCopy;
default:
throw new UnsupportedOperationException();
}
default:
throw new UnsupportedOperationException();
}
}
public DbAccessControlList getDbAccessControlListCopy(Long toCopy, Long toInheritFrom, ACLCopyMode mode)
{
Long id = getCopy(toCopy, toInheritFrom, mode);
if (id == null)
{
return null;
}
DbAccessControlList acl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, id);
return acl;
}
public List<Long> getAvmNodesByACL(final Long id)
{
List<Long> avmNodeIds = avmNodeDAO.getAVMNodesByAclId(id);
return avmNodeIds;
}
@SuppressWarnings("unchecked")
private List<AclChange> disableInheritanceImpl(Long id, boolean setInheritedOnAcl, DbAccessControlList acl)
{
List<AclChange> changes = new ArrayList<AclChange>();
if (!acl.getInherits())
{
return Collections.<AclChange> emptyList();
}
// Manges caching
getWritable(id, null, null, null, null, false, changes, WriteMode.COPY_ONLY);
acl = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, changes.get(0).getAfter());
final Long inheritsFrom = acl.getInheritsFrom();
acl.setInherits(Boolean.FALSE);
// Keep inherits from so we can reinstate if required
// acl.setInheritsFrom(-1l);
// Manges caching
getWritable(acl.getId(), null, null, null, null, true, changes, WriteMode.TRUNCATE_INHERITED);
// set Inherited - TODO: UNTESTED
if ((inheritsFrom != null) && (inheritsFrom != -1) && setInheritedOnAcl)
{
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACES_FOR_ACL);
query.setParameter("id", inheritsFrom);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
List<DbAccessControlListMember> members = (List<DbAccessControlListMember>) getHibernateTemplate().execute(callback);
for (DbAccessControlListMember member : members)
{
SimpleAccessControlEntry entry = new SimpleAccessControlEntry();
entry.setAccessStatus(member.getAccessControlEntry().isAllowed() ? AccessStatus.ALLOWED : AccessStatus.DENIED);
entry.setAceType(member.getAccessControlEntry().getAceType());
entry.setAuthority(member.getAccessControlEntry().getAuthority().getAuthority());
if (member.getAccessControlEntry().getContext() != null)
{
SimpleAccessControlEntryContext context = new SimpleAccessControlEntryContext();
context.setClassContext(member.getAccessControlEntry().getContext().getClassContext());
context.setKVPContext(member.getAccessControlEntry().getContext().getKvpContext());
context.setPropertyContext(member.getAccessControlEntry().getContext().getPropertyContext());
entry.setContext(context);
}
DbPermission perm = member.getAccessControlEntry().getPermission();
QName permTypeQName = qnameDAO.getQName(perm.getTypeQNameId()).getSecond(); // Has an ID so must exist
SimplePermissionReference permissionRefernce = SimplePermissionReference.getPermissionReference(permTypeQName, perm.getName());
entry.setPermission(permissionRefernce);
entry.setPosition(Integer.valueOf(0));
setAccessControlEntry(id, entry);
}
}
DirtySessionMethodInterceptor.flushSession(getSession(), true);
return changes;
}
private static final String RESOURCE_KEY_ACL_CHANGE_SET_ID = "hibernate.acl.change.set.id";
/**
* Support to get the current ACL change set and bind this to the transaction. So we only make one new version of an
* ACL per change set. If something is in the current change set we can update it.
*/
private DbAccessControlListChangeSet getCurrentChangeSet()
{
DbAccessControlListChangeSet changeSet = null;
Serializable changeSetId = (Serializable) AlfrescoTransactionSupport.getResource(RESOURCE_KEY_ACL_CHANGE_SET_ID);
if (changeSetId == null)
{
changeSet = new DbAccessControlListChangeSetImpl();
changeSetId = getHibernateTemplate().save(changeSet);
DirtySessionMethodInterceptor.flushSession(getSession(), true);
changeSet = (DbAccessControlListChangeSetImpl) getHibernateTemplate().get(DbAccessControlListChangeSetImpl.class, changeSetId);
// bind the id
AlfrescoTransactionSupport.bindResource(RESOURCE_KEY_ACL_CHANGE_SET_ID, changeSetId);
if (logger.isDebugEnabled())
{
logger.debug("New change set = " + changeSetId);
}
}
else
{
changeSet = (DbAccessControlListChangeSet) getHibernateTemplate().get(DbAccessControlListChangeSetImpl.class, changeSetId);
if (logger.isDebugEnabled())
{
logger.debug("Existing change set = " + changeSetId);
}
}
return changeSet;
}
private static class AcePatternMatcher
{
private List<? extends AccessControlEntry> patterns;
AcePatternMatcher(List<? extends AccessControlEntry> patterns)
{
this.patterns = patterns;
}
boolean matches(QNameDAO qnameDAO, Map<String, Object> result, int position)
{
if (patterns == null)
{
return true;
}
DbAccessControlListMember member = (DbAccessControlListMember) result.get("member");
DbAccessControlEntry entry = (DbAccessControlEntry) result.get("ace");
for (AccessControlEntry pattern : patterns)
{
if (checkPattern(qnameDAO, result, position, member, entry, pattern))
{
return true;
}
}
return false;
}
/**
* @param qnameDAO
* @param result
* @param position
* @param member
* @param entry
* @return
*/
private boolean checkPattern(QNameDAO qnameDAO, Map<String, Object> result, int position, DbAccessControlListMember member, DbAccessControlEntry entry,
AccessControlEntry pattern)
{
if (pattern.getAccessStatus() != null)
{
if (pattern.getAccessStatus() != (entry.isAllowed() ? AccessStatus.ALLOWED : AccessStatus.DENIED))
{
return false;
}
}
if (pattern.getAceType() != null)
{
if (pattern.getAceType() != entry.getAceType())
{
return false;
}
}
if (pattern.getAuthority() != null)
{
DbAuthority authority = (DbAuthority) result.get("authority");
if ((pattern.getAuthorityType() != AuthorityType.WILDCARD) && !pattern.getAuthority().equals(authority.getAuthority()))
{
return false;
}
}
if (pattern.getContext() != null)
{
throw new IllegalArgumentException("Context not yet supported");
}
if (pattern.getPermission() != null)
{
DbPermission permission = (DbPermission) result.get("permission");
final QName patternQName = pattern.getPermission().getQName();
final QName permTypeQName = qnameDAO.getQName(permission.getTypeQNameId()).getSecond(); // Has an ID so
// must exist
if ((patternQName != null) && (!patternQName.equals(permTypeQName)))
{
return false;
}
final String patternName = pattern.getPermission().getName();
if ((patternName != null) && (!patternName.equals(permission.getName())))
{
return false;
}
}
if (pattern.getPosition() != null)
{
if (pattern.getPosition().intValue() >= 0)
{
if (member.getPosition() != position)
{
return false;
}
}
else if (pattern.getPosition().intValue() == -1)
{
if (member.getPosition() <= position)
{
return false;
}
}
}
return true;
}
}
/**
* Does this <tt>Session</tt> contain any changes which must be synchronized with the store?
*
* @return true => changes are pending
*/
public boolean isDirty()
{
// create a callback for the task
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
return session.isDirty();
}
};
// execute the callback
return ((Boolean) getHibernateTemplate().execute(callback)).booleanValue();
}
/**
* NO-OP
*/
public void beforeCommit()
{
}
static class AclChangeImpl implements AclChange
{
private Long before;
private Long after;
private ACLType typeBefore;
private ACLType typeAfter;
AclChangeImpl(Long before, Long after, ACLType typeBefore, ACLType typeAfter)
{
this.before = before;
this.after = after;
this.typeAfter = typeAfter;
this.typeBefore = typeBefore;
}
public Long getAfter()
{
return after;
}
public Long getBefore()
{
return before;
}
/**
* @param after
*/
public void setAfter(Long after)
{
this.after = after;
}
/**
* @param before
*/
public void setBefore(Long before)
{
this.before = before;
}
public ACLType getTypeAfter()
{
return typeAfter;
}
/**
* @param typeAfter
*/
public void setTypeAfter(ACLType typeAfter)
{
this.typeAfter = typeAfter;
}
public ACLType getTypeBefore()
{
return typeBefore;
}
/**
* @param typeBefore
*/
public void setTypeBefore(ACLType typeBefore)
{
this.typeBefore = typeBefore;
}
@Override
public String toString()
{
StringBuilder builder = new StringBuilder();
builder.append("(").append(getBefore()).append(",").append(getTypeBefore()).append(")");
builder.append(" - > ");
builder.append("(").append(getAfter()).append(",").append(getTypeAfter()).append(")");
return builder.toString();
}
}
/**
* Get the total number of head nodes in the repository
*
* @return count
*/
public Long getAVMHeadNodeCount()
{
try
{
Session session = getSession();
int isolationLevel = session.connection().getTransactionIsolation();
try
{
session.connection().setTransactionIsolation(1);
Query query = getSession().getNamedQuery("permission.GetAVMHeadNodeCount");
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
Long answer = (Long) query.uniqueResult();
return answer;
}
finally
{
session.connection().setTransactionIsolation(isolationLevel);
}
}
catch (SQLException e)
{
throw new AlfrescoRuntimeException("Failed to set TX isolation level", e);
}
}
/**
* Get the max acl id
*
* @return - max acl id
*/
public Long getMaxAclId()
{
try
{
Session session = getSession();
int isolationLevel = session.connection().getTransactionIsolation();
try
{
session.connection().setTransactionIsolation(1);
Query query = getSession().getNamedQuery("permission.GetMaxAclId");
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
Long answer = (Long) query.uniqueResult();
return answer;
}
finally
{
session.connection().setTransactionIsolation(isolationLevel);
}
}
catch (SQLException e)
{
throw new AlfrescoRuntimeException("Failed to set TX isolation level", e);
}
}
/**
* Does the underlyinf connection support isolation level 1 (dirty read)
*
* @return true if we can do a dirty db read and so track changes (Oracle can not)
*/
public boolean supportsProgressTracking()
{
try
{
Session session = getSession();
return session.connection().getMetaData().supportsTransactionIsolationLevel(1);
}
catch (SQLException e)
{
return false;
}
}
/**
* Get the acl count canges so far for progress tracking
*
* @param above
* @return - the count
*/
public Long getAVMNodeCountWithNewACLS(Long above)
{
try
{
Session session = getSession();
int isolationLevel = session.connection().getTransactionIsolation();
try
{
session.connection().setTransactionIsolation(1);
Query query = getSession().getNamedQuery("permission.GetAVMHeadNodeCountWherePermissionsHaveChanged");
query.setParameter("above", above);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
Long answer = (Long) query.uniqueResult();
return answer;
}
finally
{
session.connection().setTransactionIsolation(isolationLevel);
}
}
catch (SQLException e)
{
throw new AlfrescoRuntimeException("Failed to set TX isolation level", e);
}
}
/**
* How many nodes are noew in store (approximate)
*
* @return - the number of new nodes - approximate
*/
public Long getNewInStore()
{
Long count = patchDAO.getAVMNodesCountWhereNewInStore();
return count;
}
/**
* Find layered directories Used to improve performance during patching and cascading the effect of permission
* changes between layers
*
* @return - layered directories
*/
public List<Indirection> getLayeredDirectories()
{
List<AVMNodeEntity> ldNodeEntities = avmNodeDAO.getAllLayeredDirectories();
ArrayList<Indirection> indirections = new ArrayList<Indirection>(ldNodeEntities.size());
for (AVMNodeEntity ldNodeEntity : ldNodeEntities)
{
Long from = ldNodeEntity.getId();
String to = ldNodeEntity.getIndirection();
Integer version = ldNodeEntity.getIndirectionVersion();
indirections.add(new Indirection(from, to, version));
}
return indirections;
}
/**
* Find layered files Used to improve performance during patching and cascading the effect of permission changes
* between layers
*
* @return - layered files
*/
public List<Indirection> getLayeredFiles()
{
List<AVMNodeEntity> lfNodeEntities = avmNodeDAO.getAllLayeredFiles();
ArrayList<Indirection> indirections = new ArrayList<Indirection>(lfNodeEntities.size());
for (AVMNodeEntity lfNodeEntity : lfNodeEntities)
{
Long from = lfNodeEntity.getId();
String to = lfNodeEntity.getIndirection();
Integer version = lfNodeEntity.getIndirectionVersion();
indirections.add(new Indirection(from, to, version));
}
return indirections;
}
public List<Indirection> getAvmIndirections()
{
List<Indirection> dirList = getLayeredDirectories();
List<Indirection> fileList = getLayeredFiles();
ArrayList<Indirection> answer = new ArrayList<Indirection>(dirList.size() + fileList.size());
answer.addAll(dirList);
answer.addAll(fileList);
return answer;
}
public void flush()
{
getSession().flush();
}
/**
* Support to describe AVM indirections for permission performance improvements when permissions are set.
*
* @author andyh
*/
public static class Indirection
{
Long from;
String to;
Integer toVersion;
Indirection(Long from, String to, Integer toVersion)
{
this.from = from;
this.to = to;
this.toVersion = toVersion;
}
/**
* @return - from id
*/
public Long getFrom()
{
return from;
}
/**
* @return - to id
*/
public String getTo()
{
return to;
}
/**
* @return - version
*/
public Integer getToVersion()
{
return toVersion;
}
}
/**
* How many DM nodes are there?
*
* @return - the count
*/
public Long getDmNodeCount()
{
try
{
Session session = getSession();
int isolationLevel = session.connection().getTransactionIsolation();
try
{
session.connection().setTransactionIsolation(1);
Query query = getSession().getNamedQuery("permission.GetDmNodeCount");
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
Long answer = (Long) query.uniqueResult();
return answer;
}
finally
{
session.connection().setTransactionIsolation(isolationLevel);
}
}
catch (SQLException e)
{
throw new AlfrescoRuntimeException("Failed to set TX isolation level", e);
}
}
/**
* How many DM nodes are three with new ACls (to track patch progress)
*
* @param above
* @return - the count
*/
public Long getDmNodeCountWithNewACLS(Long above)
{
try
{
Session session = getSession();
int isolationLevel = session.connection().getTransactionIsolation();
try
{
session.connection().setTransactionIsolation(1);
Query query = getSession().getNamedQuery("permission.GetDmNodeCountWherePermissionsHaveChanged");
query.setParameter("above", above);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
Long answer = (Long) query.uniqueResult();
return answer;
}
finally
{
session.connection().setTransactionIsolation(isolationLevel);
}
}
catch (SQLException e)
{
throw new AlfrescoRuntimeException("Failed to set TX isolation level", e);
}
}
public void updateAuthority(String before, String after)
{
DbAuthority dbAuthority = getAuthority(before, false);
// If there is no entry and alias is not required - there is nothing it would match
if (dbAuthority != null)
{
dbAuthority.setAuthority(after);
dbAuthority.setCrc(getCrc(after));
DirtySessionMethodInterceptor.flushSession(getSession(), true);
aclCache.clear();
}
}
private DbAuthority getAuthority(final String authority, boolean create)
{
// Find auth
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_AUTHORITY);
query.setParameter("authority", authority);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.list();
}
};
DbAuthority dbAuthority = null;
List<DbAuthority> authorities = (List<DbAuthority>) getHibernateTemplate().execute(callback);
for (DbAuthority found : authorities)
{
if (found.getAuthority().equals(authority))
{
dbAuthority = found;
break;
}
}
if (create && (dbAuthority == null))
{
dbAuthority = createDbAuthority(authority);
}
return dbAuthority;
}
private DbPermission getPermission(final PermissionReference permissionReference, boolean create)
{
// Find permission
final QName permissionQName = permissionReference.getQName();
final String permissionName = permissionReference.getName();
final Pair<Long, QName> permissionQNamePair = qnameDAO.getOrCreateQName(permissionQName);
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_PERMISSION);
query.setParameter("permissionTypeQNameId", permissionQNamePair.getFirst());
query.setParameter("permissionName", permissionName);
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.uniqueResult();
}
};
DbPermission dbPermission = (DbPermission) getHibernateTemplate().execute(callback);
if (create && (dbPermission == null))
{
DbPermissionImpl newPermission = new DbPermissionImpl();
newPermission.setTypeQNameId(permissionQNamePair.getFirst());
newPermission.setName(permissionName);
dbPermission = newPermission;
getHibernateTemplate().save(newPermission);
DirtySessionMethodInterceptor.flushSession(getSession(), true);
}
return dbPermission;
}
private DbAccessControlEntry getAccessControlEntry(final DbPermission permission, final DbAuthority authority, final AccessControlEntry ace, boolean create)
{
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ACE_WITH_NO_CONTEXT);
query.setParameter("permissionId", permission.getId());
query.setParameter("authorityId", authority.getId());
query.setParameter("allowed", (ace.getAccessStatus() == AccessStatus.ALLOWED) ? true : false);
query.setParameter("applies", ace.getAceType().getId());
DirtySessionMethodInterceptor.setQueryFlushMode(session, query);
return query.uniqueResult();
}
};
DbAccessControlEntry entry = (DbAccessControlEntry) getHibernateTemplate().execute(callback);
if (create && (entry == null))
{
DbAccessControlEntryImpl newEntry = new DbAccessControlEntryImpl();
newEntry.setAceType(ace.getAceType());
newEntry.setAllowed((ace.getAccessStatus() == AccessStatus.ALLOWED) ? true : false);
newEntry.setAuthority(authority);
newEntry.setPermission(permission);
entry = newEntry;
getHibernateTemplate().save(newEntry);
DirtySessionMethodInterceptor.flushSession(getSession(), true);
}
return entry;
}
public void createAuthority(String authority)
{
createDbAuthority(authority);
}
public DbAuthority createDbAuthority(String authority)
{
DbAuthority dbAuthority = new DbAuthorityImpl();
dbAuthority.setAuthority(authority);
dbAuthority.setCrc(getCrc(authority));
getHibernateTemplate().save(dbAuthority);
DirtySessionMethodInterceptor.flushSession(getSession(), true);
return dbAuthority;
}
/*
* (non-Javadoc)
*
* @see org.alfresco.repo.security.permissions.impl.AclDaoComponent#setAccessControlEntries(java.lang.Long,
* java.util.List)
*/
public List<AclChange> setAccessControlEntries(Long id, List<AccessControlEntry> aces)
{
throw new UnsupportedOperationException();
}
/*
* (non-Javadoc)
*
* @see org.alfresco.repo.security.permissions.impl.AclDaoComponent#createAccessControlList(org.alfresco.repo.security.permissions.AccessControlListProperties,
* java.util.List, long)
*/
public Long createAccessControlList(AccessControlListProperties properties, List<AccessControlEntry> aces, Long inherited)
{
return createAccessControlListImpl(properties, aces, inherited);
}
/* (non-Javadoc)
* @see org.alfresco.repo.security.permissions.impl.AclDaoComponent#getDefaultProperties()
*/
public SimpleAccessControlListProperties getDefaultProperties()
{
if(useOldPermissions)
{
return OldADMPermissionsDaoComponentImpl.getDefaultProperties();
}
else
{
return DMPermissionsDaoComponentImpl.getDefaultProperties();
}
}
/**
* @param permissionsDaoComponent the permissionsDaoComponent to set
*/
public void setUseOldPermissions(boolean useOldPermissions)
{
this.useOldPermissions = useOldPermissions;
}
}
Reference in New Issue View Git Blame Copy Permalink