[GitHub] npeltier commented on a change in pull request #6: SLING-7793 ACLs pipes

Mon, 10 Sep 2018 01:51:02 -0700 

npeltier commented on a change in pull request #6: SLING-7793 ACLs pipes
URL: 
https://github.com/apache/sling-org-apache-sling-pipes/pull/6#discussion_r216237815
 
 

 ##########
 File path: src/main/java/org/apache/sling/pipes/internal/ACLPipe.java
 ##########
 @@ -0,0 +1,260 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sling.pipes.internal;
+
+import org.apache.commons.lang3.ArrayUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.UserManager;
+import 
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.sling.api.resource.Resource;
+import org.apache.sling.api.resource.ResourceResolver;
+import org.apache.sling.api.resource.ValueMap;
+import org.apache.sling.pipes.BasePipe;
+import org.apache.sling.pipes.PipeBindings;
+import org.apache.sling.pipes.Plumber;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.security.AccessControlList;
+import javax.jcr.security.Privilege;
+import javax.json.Json;
+import javax.json.JsonArrayBuilder;
+import javax.json.JsonObjectBuilder;
+import javax.script.ScriptException;
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.Iterator;
+import java.util.stream.Collectors;
+
+public class ACLPipe extends BasePipe {
+    private static Logger logger = LoggerFactory.getLogger(ACLPipe.class);
+    public static final String RESOURCE_TYPE = RT_PREFIX + "acl";
+    public static final String PN_USERNAME = "userName";
+    public static final String PN_ALLOW = "allow";
+    public static final String PN_DENY = "deny";
+    public static final String PN_AUTHORIZABLE = "authorizable";
+    public static final String PATH_KEY = "path";
+    public static final String PRIVILEGES_KEY = "rep:privileges";
+    public static final String ACE_GRANT_KEY = "rep:GrantACE";
+    public static final String ACE_DENY_KEY = "rep:DenyACE";
+    public static final String JCR_PRIVILEGES_INPUT = "jcr:privileges";
+    public static final String PRIVILEGES_JSON_KEY = "privileges";
+
+    Session session;
+    ResourceResolver resolver;
+    UserManager userManager;
+    Privilege[] privileges;
+    String[] privilegesInput;
+    boolean allow;
+    boolean deny;
+    boolean authorizable;
+    Object outputBinding;
+
+    @Override
+    public Object getOutputBinding() {
+        if (outputBinding != null) {
+            return outputBinding;
+        }
+        return super.getOutputBinding();
+    }
+
+    @Override
+    public boolean modifiesContent() {
+        return allow || deny ;
+    }
+
+    /**
+     * public constructor
+     *
+     * @param plumber  plumber instance
+     * @param resource configuration resource
+     * @throws Exception bad configuration handling
+     */
+    public ACLPipe(Plumber plumber, Resource resource, PipeBindings 
upperBindings) throws Exception {
+        super(plumber, resource, upperBindings);
+        resolver = resource.getResourceResolver();
+        session = resolver.adaptTo(Session.class);
+        userManager = resolver.adaptTo(UserManager.class);
+        if (getConfiguration() != null) {
+            ValueMap properties = getConfiguration().adaptTo(ValueMap.class);
+            privilegesInput = properties.get(JCR_PRIVILEGES_INPUT, new 
String[]{});
+            allow = properties.get(PN_ALLOW, false);
+            deny = properties.get(PN_DENY, false);
+            authorizable = properties.get(PN_AUTHORIZABLE, false);
+        }
+    }
+
+    @Override
+    public Iterator<Resource> computeOutput() throws Exception {
+        Resource resource = getInput();
+        if (resource != null) {
+            if (allow || deny) {
+                logger.info("Going to changing ACL for the resource at path 
{}", resource.getPath());
+                if (StringUtils.isEmpty(getExpr())) {
+                    throw new Exception("expression for the principal or 
authorizable Id should be provided or provided correctly for privileges to be 
set");
+                }
+                Principal principal = getPrincipalFor(getExpr());
+                if ( null != privilegesInput && privilegesInput.length == 0 ){
+                    // create a privilege set with jcr:all
+                    privileges = allow ? 
AccessControlUtils.privilegesFromNames(session, Privilege.JCR_ALL) : 
AccessControlUtils.privilegesFromNames(session, Privilege.JCR_READ);
+                }
+                else {
+                    try {
+                        privilegesInput = 
processPrivilegesInput(privilegesInput);
+                        privileges = 
AccessControlUtils.privilegesFromNames(session, privilegesInput);
+                    }
+                    catch (Exception e) {
+                        logger.error("unable to get privileges , either 
privileges input is wrong either error evaluting bindings for privileges", e);
+                    }
+                }
+                if (!isDryRun()) {
+                    if (allow) {
+                        logger.info("adding privileges {} for principal {} 
allow {}",ArrayUtils.toString(privileges), principal.getName(), allow);
+                        AccessControlUtils.addAccessControlEntry(session, 
resource.getPath(), principal, privileges, true);
+                    } else if (deny) {
+                        logger.info("adding privileges {} for principal {} 
deny {}",ArrayUtils.toString(privileges), principal.getName(), deny);
+                        AccessControlUtils.addAccessControlEntry(session, 
resource.getPath(), principal, privileges, false);
+                    }
+                    if (session.hasPendingChanges()) {
 
 Review comment:
   if you can, please not save here, plumber will do that for you and saving 
less will be more performant

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to