Examples of org.apache.jackrabbit.api.jsr283.security.Privilege

• org.apache.jackrabbit.api.jsr283.security.AccessControlList
  A privilege represents the capability of performing a particular set of operations on items in the JCR repository. Each privilege is identified by a JCR name. JCR defines a set of standard privileges in the jcr namespace. Implementations may add additional privileges in namespaces other than jcr.

  A privilege may be an aggregate privilege. Aggregate privileges are sets of other privileges. Granting, denying, or testing an aggregate privilege is equivalent to individually granting, denying, or testing each privilege it contains. The privileges contained by an aggregate privilege may themselves be aggregate privileges if the resulting privilege graph is acyclic.

  A privilege may be an abstract privilege. Abstract privileges cannot themselves be granted or denied, but can be composed into aggregate privileges which are granted or denied.

  A privilege can be both aggregate and abstract. @since JCR 2.0

                }
            }
        }
        // node either not access-controlled or the passed policy didn't apply
        // to the node at 'nodePath' -> throw exception.no policy was removed
        throw new AccessControlException("Policy " + policy + " does not apply to " + nodePath);
    }

     */
    private void checkProtectsNode(String nodePath) throws RepositoryException {
        if (session.nodeExists(nodePath)) {
            NodeImpl n = (NodeImpl) session.getNode(nodePath);
            if (n.isNodeType(NT_REP_ACL) || n.isNodeType(NT_REP_ACE)) {
                throw new AccessControlException("Node " + nodePath + " defines ACL or ACE.");
            }
        }
    }

     * @throws AccessControlException
     */
    private void checkValidPolicy(String nodePath, AccessControlPolicy policy)
            throws AccessControlException {
        if (policy == null || !(policy instanceof ACLTemplate)) {
            throw new AccessControlException("Attempt to set/remove invalid policy " + policy);
        }
        ACLTemplate acl = (ACLTemplate) policy;
        if (!nodePath.equals(acl.getPath())) {
            throw new AccessControlException("Policy " + policy + " is not applicable or does not apply to the node at " + nodePath);
        }
    }

    private Principal getPrincipal(String pathToACNode) throws RepositoryException {
        String name = Text.unescapeIllegalJcrChars(Text.getName(pathToACNode));
        PrincipalManager pMgr = session.getPrincipalManager();
        if (!pMgr.hasPrincipal(name)) {
            throw new AccessControlException("Unknown principal.");
        }
        return pMgr.getPrincipal(name);
    }

     * @see AccessControlList#removeAccessControlEntry(AccessControlEntry)
     */
    public void removeAccessControlEntry(AccessControlEntry ace)
            throws AccessControlException, RepositoryException {
        if (!(ace instanceof Entry)) {
            throw new AccessControlException("Invalid AccessControlEntry implementation " + ace.getClass().getName() + ".");
        }
        if (!entries.remove(ace)) {
            throw new AccessControlException("Cannot remove AccessControlEntry " + ace);
        }
    }

            }
        }

        private void checkValidEntry() throws AccessControlException, NamespaceException {
            if (!principal.equals(getPrincipal())) {
                throw new AccessControlException("Invalid principal. Expected: " + principal);
            }
            if (!isAllow() && getPrincipal() instanceof Group) {
                throw new AccessControlException("For group principals permissions can only be added but not denied.");
            }

            String[] rNames = getRestrictionNames();
            if (!Arrays.asList(rNames).contains(jcrNodePathName)) {
                throw new AccessControlException("Missing mandatory restriction: " + jcrNodePathName);
            }
        }

     */
    public void setPolicy(String absPath, AccessControlPolicy policy) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
        checkInitialized();
        checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);

        throw new AccessControlException("AccessControlPolicy " + policy + " cannot be applied.");
    }

     */
    public void removePolicy(String absPath, AccessControlPolicy policy) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
        checkInitialized();
        checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);

        throw new AccessControlException("No AccessControlPolicy has been set through this API -> Cannot be removed.");
    }

      Set<String> pidSet = new HashSet<String>();
      pidSet.addAll(Arrays.asList(applyTo));

      try {
        AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
        AccessControlList updatedAcl = null;
        AccessControlPolicyIterator applicablePolicies = accessControlManager.getApplicablePolicies(resourcePath);
        while (applicablePolicies.hasNext()) {
          AccessControlPolicy policy = applicablePolicies.nextAccessControlPolicy();
          if (policy instanceof AccessControlList) {
            updatedAcl = (AccessControlList)policy;
            break;
          }
        }
        if (updatedAcl == null) {
          throw new RepositoryException("Unable to find an access control policy to update.");
        }

        //keep track of the existing Aces for the target principal
        AccessControlEntry[] accessControlEntries = updatedAcl.getAccessControlEntries();
        List<AccessControlEntry> oldAces = new ArrayList<AccessControlEntry>();
        for (AccessControlEntry ace : accessControlEntries) {
          if (pidSet.contains(ace.getPrincipal().getName())) {
            oldAces.add(ace);
          }
        }

        //remove the old aces
        if (!oldAces.isEmpty()) {
          for (AccessControlEntry ace : oldAces) {
            updatedAcl.removeAccessControlEntry(ace);
          }
        }

        //apply the changed policy
        accessControlManager.setPolicy(resourcePath, updatedAcl);

      }
    }

    try {
      AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
      AccessControlList updatedAcl = null;
      AccessControlPolicyIterator applicablePolicies = accessControlManager.getApplicablePolicies(resourcePath);
      while (applicablePolicies.hasNext()) {
        AccessControlPolicy policy = applicablePolicies.nextAccessControlPolicy();
        if (policy instanceof AccessControlList) {
          updatedAcl = (AccessControlList)policy;
          break;
        }
      }
      if (updatedAcl == null) {
        throw new RepositoryException("Unable to find an access conrol policy to update.");
      }

      StringBuilder oldPrivileges = null;
      StringBuilder newPrivileges = null;
      if (log.isDebugEnabled()) {
        oldPrivileges = new StringBuilder();
        newPrivileges = new StringBuilder();
      }

      //keep track of the existing Aces for the target principal
      AccessControlEntry[] accessControlEntries = updatedAcl.getAccessControlEntries();
      List<AccessControlEntry> oldAces = new ArrayList<AccessControlEntry>();
      for (AccessControlEntry ace : accessControlEntries) {
        if (principalId.equals(ace.getPrincipal().getName())) {
          if (log.isDebugEnabled()) {
            log.debug("Found Existing ACE for principal {0} on resource: ", new Object[] {principalId, resourcePath});
          }
          oldAces.add(ace);

          if (log.isDebugEnabled()) {
            //collect the information for debug logging
            boolean isAllow = AccessControlUtil.isAllow(ace);
            Privilege[] privileges = ace.getPrivileges();
            for (Privilege privilege : privileges) {
              if (oldPrivileges.length() > 0) {
                oldPrivileges.append(", "); //separate entries by commas
              }
              if (isAllow) {
                oldPrivileges.append("granted=");
              } else {
                oldPrivileges.append("denied=");
              }
              oldPrivileges.append(privilege.getName());
            }
          }
        }
      }

      //remove the old aces
      if (!oldAces.isEmpty()) {
        for (AccessControlEntry ace : oldAces) {
          updatedAcl.removeAccessControlEntry(ace);
        }
      }

      //add a fresh ACE with the granted privileges
      List<Privilege> grantedPrivilegeList = new ArrayList<Privilege>();
      for (String name : grantedPrivilegeNames) {
        if (name.length() == 0) {
          continue; //empty, skip it.
        }
        Privilege privilege = accessControlManager.privilegeFromName(name);
        grantedPrivilegeList.add(privilege);

        if (log.isDebugEnabled()) {
          if (newPrivileges.length() > 0) {
            newPrivileges.append(", "); //separate entries by commas
          }
          newPrivileges.append("granted=");
          newPrivileges.append(privilege.getName());
        }
      }
      if (grantedPrivilegeList.size() > 0) {
        Principal principal = authorizable.getPrincipal();
        updatedAcl.addAccessControlEntry(principal, grantedPrivilegeList.toArray(new Privilege[grantedPrivilegeList.size()]));
      }

      //if the authorizable is a user (not a group) process any denied privileges
      if (!authorizable.isGroup()) {
        //add a fresh ACE with the denied privileges