/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.apache.lenya.cms.ac.usecases;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import org.apache.cocoon.ProcessingException;
import org.apache.lenya.cms.publication.Document;
import org.apache.lenya.cms.publication.DocumentFactory;
import org.apache.lenya.cms.publication.Publication;
import org.apache.lenya.cms.publication.URLInformation;
import org.apache.lenya.ac.AccessControlException;
import org.apache.lenya.ac.Accreditable;
import org.apache.lenya.ac.AccreditableManager;
import org.apache.lenya.ac.Group;
import org.apache.lenya.ac.IPRange;
import org.apache.lenya.ac.Item;
import org.apache.lenya.ac.Policy;
import org.apache.lenya.ac.Role;
import org.apache.lenya.ac.User;
import org.apache.lenya.ac.Credential;
import org.apache.lenya.ac.ModifiablePolicy;
import org.apache.lenya.ac.InheritingPolicyManager;
import org.apache.lenya.ac.World;
/**
* Usecase to display the AccessControl tab in the site area for a document.
* This is a mix-in class that ideally would inherit both from
* AccessControlUsecase and DocumentUsecase. FIXME i just took the appropriate
* code from DocumentUsecase, maybe its possible to have a saner inheritance?
*
* @version $Id: AccessControl.java 408702 2006-05-22 16:03:49Z andreas $
*/
public class AccessControl extends AccessControlUsecase {
protected static final String AC_AREA = "acArea";
protected static final String ADD = "add";
protected static final String DELETE = "delete";
protected static final String UP = "up";
protected static final String DOWN = "down";
protected static final String USER = "user";
protected static final String GROUP = "group";
protected static final String IPRANGE = "ipRange";
protected static final String WORLD = "world";
protected static final String ROLE = "role";
protected static final String SUB_USER = "subuser";
protected static final String SUB_GROUP = "subgroup";
protected static final String SUB_IPRANGE = "subipRange";
private static String[] types = { USER, GROUP, IPRANGE, SUB_USER, SUB_GROUP, SUB_IPRANGE, WORLD };
private static String[] operations = { ADD, DELETE, DOWN, UP };
protected static final String SSL = "ssl";
protected static final String ANCESTOR_SSL = "ancestorSsl";
protected static final String DOCUMENT = "document";
protected static final String SUB_CREDENTIALS = "subCredentials";
protected static final String PARENT_CREDENTIALS = "parentCredentials";
private static final String METHOD = "method";
private String COMPLETE_AREA = "private.completeArea";
/**
* @see org.apache.lenya.cms.usecase.AbstractUsecase#initParameters()
*/
protected void initParameters() {
super.initParameters();
try {
URLInformation info = new URLInformation(getSourceURL());
setParameter(COMPLETE_AREA, info.getCompleteArea());
DocumentFactory map = getDocumentFactory();
if (map.isDocument(getSourceURL())) {
Document sourceDocument = map.getFromURL(getSourceURL());
setParameter(DOCUMENT, sourceDocument);
}
setParameter(SSL, Boolean.toString(isSSLProtected()));
setParameter(ANCESTOR_SSL, Boolean.toString(isAncestorSSLProtected()));
User[] users = getUserManager().getUsers();
String[] userIds = new String[users.length];
for (int i = 0; i < users.length; i++) {
userIds[i] = users[i].getId();
}
Arrays.sort(userIds);
setParameter("users", userIds);
Group[] groups = getGroupManager().getGroups();
String[] groupIds = new String[groups.length];
for (int i = 0; i < groups.length; i++) {
groupIds[i] = groups[i].getId();
}
Arrays.sort(groupIds);
setParameter("groups", groupIds);
IPRange[] ipRanges = getIpRangeManager().getIPRanges();
String[] ipRangeIds = new String[ipRanges.length];
for (int i = 0; i < ipRanges.length; i++) {
ipRangeIds[i] = ipRanges[i].getId();
}
Arrays.sort(ipRangeIds);
setParameter("ipRanges", ipRangeIds);
Role[] roles = getRoleManager().getRoles();
String visitorRole = "";
Set roleIds = new TreeSet();
for (int i = 0; i < roles.length; i++) {
if (roles[i].isAssignable()) {
roleIds.add(roles[i].getId());
if (roles[i].getId().equals("visit")) {
visitorRole = roles[i].getId();
}
}
}
setParameter("roles", roleIds.toArray(new String[roleIds.size()]));
setParameter("visitorRole", visitorRole);
setParameter(SUB_CREDENTIALS, getSubtreeCredentials());
setParameter(PARENT_CREDENTIALS, getParentCredentials());
} catch (final Exception e) {
addErrorMessage("Could not read a value.");
getLogger().error("Could not read value for AccessControl usecase. ", e);
}
}
/**
* @see org.apache.lenya.cms.usecase.AbstractUsecase#doCheckPreconditions()
*/
protected void doCheckPreconditions() throws Exception {
super.doCheckPreconditions();
URLInformation info = new URLInformation(getSourceURL());
String acArea = getParameterAsString(AC_AREA);
if (!acArea.equals(Publication.LIVE_AREA) && !info.getArea().equals(acArea)) {
addErrorMessage("This usecase can only be invoked in the configured area.");
}
}
protected void doCheckExecutionConditions() throws Exception {
super.doCheckExecutionConditions();
for (int i = 0; i < types.length; i++) {
for (int j = 0; j < operations.length; j++) {
String type = types[i];
String paramName = operations[j] + "Credential_" + type;
if (getParameterAsString(paramName) != null) {
String roleId = getParameterAsString(ROLE);
String id = getParameterAsString(type);
Accreditable item = getAccreditable(type, id);
if (item == null) {
addErrorMessage("no_such_accreditable", new String[] { type, id });
} else {
Role role = getRoleManager().getRole(roleId);
if (role == null) {
addErrorMessage("role_no_such_role", new String[] { roleId });
}
if (!role.isAssignable()) {
addErrorMessage("cannot-assign-role", new String[] { roleId });
}
if (operations[j].equals(ADD)) {
ModifiablePolicy policy = getPolicy();
if (containsCredential(policy, item, role)) {
addErrorMessage("credential-already-contained", new String[] {
((Item) item).getId(), role.getId() });
}
}
}
if (hasErrors()) {
deleteParameter(paramName);
}
}
}
}
}
/**
* @see org.apache.lenya.cms.usecase.AbstractUsecase#doExecute()
*/
public void doExecute() throws Exception {
super.doExecute();
if (getParameterAsString("change_ssl") != null) {
String ssl = getBooleanCheckboxParameter("ssl");
setSSLProtected(Boolean.valueOf(ssl).booleanValue());
}
for (int i = 0; i < types.length; i++) {
for (int j = 0; j < operations.length; j++) {
String type = types[i];
String paramName = operations[j] + "Credential_" + type;
if (getParameterAsString(paramName) != null) {
String roleId = getParameterAsString(ROLE);
String method = getParameterAsString(METHOD);
String id = getParameterAsString(type);
Accreditable item = getAccreditable(type, id);
Role role = getRoleManager().getRole(roleId);
manipulateCredential(item, role, operations[j], method);
setParameter(SUB_CREDENTIALS, getSubtreeCredentials());
deleteParameter(paramName);
}
}
}
}
protected Accreditable getAccreditable(String type, String id) {
Accreditable item = null;
if (type.equals(USER)) {
item = getUserManager().getUser(id);
} else if (type.equals(GROUP)) {
item = getGroupManager().getGroup(id);
} else if (type.equals(IPRANGE)) {
item = getIpRangeManager().getIPRange(id);
} else if (type.equals(WORLD)) {
item = World.getInstance();
}
return item;
}
/**
* Returns if one of the ancestors of this URL is SSL protected.
*
* @return A boolean value.
* @throws ProcessingException when something went wrong.
*/
protected boolean isAncestorSSLProtected() throws ProcessingException {
boolean ssl;
try {
String ancestorUrl = "";
int lastSlashIndex = getPolicyURL().lastIndexOf("/");
if (lastSlashIndex != -1) {
ancestorUrl = getPolicyURL().substring(0, lastSlashIndex);
}
Policy policy = getPolicyManager().getPolicy(getAccreditableManager(), ancestorUrl);
ssl = policy.isSSLProtected();
} catch (AccessControlException e) {
throw new ProcessingException("Resolving policy failed: ", e);
}
return ssl;
}
/**
* Returns if one of the ancestors of this URL is SSL protected.
*
* @return A boolean value.
* @throws ProcessingException when something went wrong.
*/
protected boolean isSSLProtected() throws ProcessingException {
boolean ssl;
try {
Policy policy = getPolicyManager().getPolicy(getAccreditableManager(), getPolicyURL());
ssl = policy.isSSLProtected();
} catch (AccessControlException e) {
throw new ProcessingException("Resolving policy failed: ", e);
}
return ssl;
}
/**
* Sets if this URL is SSL protected.
*
* @param ssl A boolean value.
* @throws ProcessingException when something went wrong.
*/
protected void setSSLProtected(boolean ssl) throws ProcessingException {
try {
ModifiablePolicy policy = getPolicy();
policy.setSSL(ssl);
getPolicyManager().saveSubtreePolicy(getPolicyURL(), policy);
} catch (AccessControlException e) {
throw new ProcessingException("Resolving policy failed: ", e);
}
}
protected InheritingPolicyManager getPolicyManager() {
return (InheritingPolicyManager) getAccessController().getPolicyManager();
}
protected AccreditableManager getAccreditableManager() {
return getAccessController().getAccreditableManager();
}
/**
* Changes a credential by adding or deleting an item for a role.
*
* @param accreditable The accreditable to add or delete.
* @param role The role.
* @param operation The operation, either {@link #ADD}or {@link #DELETE}.
* @param method
* @throws ProcessingException when something went wrong.
*/
protected void manipulateCredential(Accreditable accreditable, Role role, String operation,
String method) throws ProcessingException {
try {
ModifiablePolicy policy = getPolicy();
if (operation.equals(ADD)) {
policy.addRole(accreditable, role, method);
} else if (operation.equals(DELETE)) {
policy.removeRole(accreditable, role);
} else if (operation.equals(UP)) {
policy.moveRoleUp(accreditable, role);
} else if (operation.equals(DOWN)) {
policy.moveRoleDown(accreditable, role);
}
getPolicyManager().saveSubtreePolicy(getPolicyURL(), policy);
} catch (Exception e) {
throw new ProcessingException("Manipulating credential failed: ", e);
}
}
protected ModifiablePolicy getPolicy() throws AccessControlException {
return (ModifiablePolicy) getPolicyManager().buildSubtreePolicy(getAccreditableManager(),
getPolicyURL());
}
protected boolean containsCredential(ModifiablePolicy policy, Accreditable accreditable,
Role role) throws AccessControlException {
Credential[] credentials = policy.getCredentials();
boolean contains = false;
int i = 0;
while (!contains && i < credentials.length) {
Accreditable credAccr = credentials[i].getAccreditable();
Role credRole = credentials[i].getRole();
contains = credAccr.equals(accreditable) && credRole.equals(role);
i++;
}
return contains;
}
/**
* Returns the credential wrappers for the request of this object model.
*
* @return An array of CredentialWrappers.
* @throws ProcessingException when something went wrong.
*/
public CredentialWrapper[] getSubtreeCredentials() throws ProcessingException {
return getCredentials(true);
}
/**
* Returns the credential wrappers for the parent URI of the URL belonging
* to the request of this object model.
*
* @return An array of CredentialWrappers.
* @throws ProcessingException when something went wrong.
*/
public CredentialWrapper[] getParentCredentials() throws ProcessingException {
return getCredentials(false);
}
/**
* Returns the credentials of the policy of the selected URL.
*
* @return An array of CredentialWrappers.
* @throws ProcessingException when something went wrong.
*/
public CredentialWrapper[] getCredentials(boolean inherit) throws ProcessingException {
List credentials = new ArrayList();
ModifiablePolicy policies[] = getPolicies(inherit);
List policyCredentials = new ArrayList();
for (int i = 0; i < policies.length; i++) {
Credential[] creds;
try {
creds = policies[i].getCredentials();
for (int j = 0; j < creds.length; j++) {
policyCredentials.add(creds[j]);
}
} catch (AccessControlException e) {
throw new ProcessingException(
"AccessControlException - receiving credential failed: ", e);
}
}
for (Iterator i = policyCredentials.iterator(); i.hasNext();) {
Credential credential = (Credential) i.next();
Accreditable accreditable = credential.getAccreditable();
Role role = credential.getRole();
String method = credential.getMethod();
credentials.add(new CredentialWrapper(accreditable, role, method));
}
return (CredentialWrapper[]) credentials.toArray(new CredentialWrapper[credentials.size()]);
}
/**
* Returns the policies for a certain URL.
*
* @param inherit If true, all ancestor policies are returned. Otherwise,
* only the URL policies are returned.
* @return An array of DefaultPolicy objects.
* @throws ProcessingException when something went wrong.
*/
protected ModifiablePolicy[] getPolicies(boolean inherit) throws ProcessingException {
ModifiablePolicy[] policies;
try {
if (inherit) {
policies = new ModifiablePolicy[1];
AccreditableManager policyManager = getAccreditableManager();
policies[0] = (ModifiablePolicy) getPolicyManager().buildSubtreePolicy(
policyManager, getPolicyURL());
} else {
String ancestorUrl = "";
String currentUrl = getPolicyURL();
if (currentUrl.endsWith("/")) {
currentUrl = currentUrl.substring(0, currentUrl.length() - 1);
}
int lastSlashIndex = currentUrl.lastIndexOf("/");
if (lastSlashIndex != -1) {
ancestorUrl = currentUrl.substring(0, lastSlashIndex);
}
Policy[] pArray = getPolicyManager().getPolicies(getAccreditableManager(),
ancestorUrl);
policies = new ModifiablePolicy[pArray.length];
for (int i = 0; i < pArray.length; i++) {
policies[policies.length - 1 - i] = (ModifiablePolicy) pArray[i];
}
}
} catch (AccessControlException e) {
throw new ProcessingException(e);
}
return policies;
}
protected String getPolicyURL() {
String infoUrl = getSourceURL();
URLInformation info = new URLInformation(infoUrl);
String area = getParameterAsString(AC_AREA);
String url = "/" + info.getPublicationId() + "/" + area + info.getDocumentUrl();
return url;
}
}