From 136cec62524d6839ad18ed93ff98b64081d6cfbc Mon Sep 17 00:00:00 2001 From: AFaust Date: Mon, 11 May 2020 12:09:54 +0200 Subject: [PATCH] New effectiveAuthorisations command --- pom.xml | 4 + .../messages/ootbee-support-tools.properties | 2 + .../ootbee-support-tools_de.properties | 2 + .../ootbee-support-tools_en.properties | 2 + .../ootbee-support-tools_es.properties | 2 + .../ootbee-support-tools_it.properties | 2 + .../ootbee-support-tools_pt.properties | 2 + .../permission-commands.post.desc.xml | 1 + .../permission-commands.post.json.ftl | 11 +- .../permission-commands.post.json.js | 157 +++++++++++++++++- 10 files changed, 181 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index d66df6ff..41842543 100644 --- a/pom.xml +++ b/pom.xml @@ -453,6 +453,10 @@ maven-javadoc-plugin ${maven.javadoc.version} + + + 8 + attach-javadoc diff --git a/repository/src/main/resources/alfresco/messages/ootbee-support-tools.properties b/repository/src/main/resources/alfresco/messages/ootbee-support-tools.properties index 7e35151a..e6587c8c 100644 --- a/repository/src/main/resources/alfresco/messages/ootbee-support-tools.properties +++ b/repository/src/main/resources/alfresco/messages/ootbee-support-tools.properties 
@@ -46,6 +46,8 @@ ootbee-support-tools.command-console.permissions.help.description=Displays the l
 ootbee-support-tools.command-console.permissions.effectivePermission.description=Checks if a user has a specific permission on a specific node
 ootbee-support-tools.command-console.permissions.effectivePermissions.description=Checks all settable permissions on a specific node for a specific user
 ootbee-support-tools.command-console.permissions.effectivePermissions.flexibleParameterPairs=The order of parameter pairs (key ) is flexible
+ootbee-support-tools.command-console.permissions.effectiveAuthorisations.description=Determines the effective set of authorities a user has as would be evaluated during regular permission checks in the core permission service (excluding any higher-level overrides, e.g. as found in Records Management)
+ootbee-support-tools.command-console.permissions.effectiveAuthorisations.flexibleParameterPairs=The order of parameter pairs (key ) is flexible and each parameter is optional. When the user is omitted, the current user will be used by default. When the node is omitted, only the core / global authorities will be collected.
 ootbee-support-tools.command-console.subsystems.description=The subsystems plugin provides commands for inspecting / modifying subsystems.
 ootbee-support-tools.command-console.subsystems.help.description=Displays the list of commands and their supported arguments within the current plugin
diff --git a/repository/src/main/resources/alfresco/messages/ootbee-support-tools_de.properties b/repository/src/main/resources/alfresco/messages/ootbee-support-tools_de.properties
index 207c89dd..50f55607 100644
--- a/repository/src/main/resources/alfresco/messages/ootbee-support-tools_de.properties
+++ b/repository/src/main/resources/alfresco/messages/ootbee-support-tools_de.properties
@@ -46,6 +46,8 @@ ootbee-support-tools.command-console.permissions.help.description=Zeigt die List
 ootbee-support-tools.command-console.permissions.effectivePermission.description=Pr\u00fcft ob ein Nutzer eine bestimmte Berechtigung auf einem bestimmten Knoten besitzt bzw. diese ihm zugewiesen wurde
 ootbee-support-tools.command-console.permissions.effectivePermissions.description=Pr\u00fcft f\u00fcr alle vergebbaren Berechtigungen ob ein Nutzer diese auf einem bestimmten Knoten besitzt bzw. diese ihm zugewiesen wurde
 ootbee-support-tools.command-console.permissions.effectivePermissions.flexibleParameterPairs=Die Reihenfolge der Parameterpaare (Schl\u00fcssel ) ist flexibel
+ootbee-support-tools.command-console.permissions.effectiveAuthorisations.description=Ermittelt die effektive Menge der Authorit\u00e4ten (Authority), die f\u00fcr einen Nutzer im Rahmen der allgemeinen Berechtigungspr\u00fcfung \u00fcber den Permission Service ber\u00fccksichtigt werden (dies schlie\u00dft keine Anpassungen auf h\u00f6herer Ebene ein, wie sie z.B. bei Records Management zu finden sind)
+ootbee-support-tools.command-console.permissions.effectiveAuthorisations.flexibleParameterPairs=Die Reihenfolge der Parameterpaare (Schl\u00fcssel ) ist flexibel und alle Parameter sind optional. Wird kein Nutzer angegeben, so wird der aktuell angemeldete Nutzer als Standardwert verwendet. Wird kein Knoten angegeben, so werden nur die allgemeinen / globalen Authorities betrachtet.
 ootbee-support-tools.command-console.subsystems.description=Das Plugin 'subsystems' enth\u00e4lt Befehle zur Interaktion mit / Modifikation von Subsystemen.
 ootbee-support-tools.command-console.subsystems.help.description=Zeigt die Liste der Befehle des aktuellen Plugins und deren unterst\u00fctzte Parameter an
diff --git a/repository/src/main/resources/alfresco/messages/ootbee-support-tools_en.properties b/repository/src/main/resources/alfresco/messages/ootbee-support-tools_en.properties
index 7e35151a..e6587c8c 100644
--- a/repository/src/main/resources/alfresco/messages/ootbee-support-tools_en.properties
+++ b/repository/src/main/resources/alfresco/messages/ootbee-support-tools_en.properties
@@ -46,6 +46,8 @@ ootbee-support-tools.command-console.permissions.help.description=Displays the l
 ootbee-support-tools.command-console.permissions.effectivePermission.description=Checks if a user has a specific permission on a specific node
 ootbee-support-tools.command-console.permissions.effectivePermissions.description=Checks all settable permissions on a specific node for a specific user
 ootbee-support-tools.command-console.permissions.effectivePermissions.flexibleParameterPairs=The order of parameter pairs (key ) is flexible
+ootbee-support-tools.command-console.permissions.effectiveAuthorisations.description=Determines the effective set of authorities a user has as would be evaluated during regular permission checks in the core permission service (excluding any higher-level overrides, e.g. as found in Records Management)
+ootbee-support-tools.command-console.permissions.effectiveAuthorisations.flexibleParameterPairs=The order of parameter pairs (key ) is flexible and each parameter is optional. When the user is omitted, the current user will be used by default. When the node is omitted, only the core / global authorities will be collected.
 ootbee-support-tools.command-console.subsystems.description=The subsystems plugin provides commands for inspecting / modifying subsystems.
 ootbee-support-tools.command-console.subsystems.help.description=Displays the list of commands and their supported arguments within the current plugin
diff --git a/repository/src/main/resources/alfresco/messages/ootbee-support-tools_es.properties b/repository/src/main/resources/alfresco/messages/ootbee-support-tools_es.properties
index ed19d07f..dd0b6877 100644
--- a/repository/src/main/resources/alfresco/messages/ootbee-support-tools_es.properties
+++ b/repository/src/main/resources/alfresco/messages/ootbee-support-tools_es.properties
@@ -46,6 +46,8 @@ ootbee-support-tools.command-console.permissions.help.description=Muestra la lis
 ootbee-support-tools.command-console.permissions.effectivePermission.description=Comprueba si un usuario tiene un permiso concreto sobre un nodo concreto
 ootbee-support-tools.command-console.permissions.effectivePermissions.description=Comprueba todos los permisos que pueden ser establecidos sobre un nodo por un usuario concreto
 ootbee-support-tools.command-console.permissions.effectivePermissions.flexibleParameterPairs=El orden de los par\u00E1metros (clave ) es flexible
+ootbee-support-tools.command-console.permissions.effectiveAuthorisations.description=Determines the effective set of authorities a user has with as would be evaluated during regular permission checks in the core permission service (excluding any higher-level overrides, e.g. as found in Records Management)
+ootbee-support-tools.command-console.permissions.effectiveAuthorisations.flexibleParameterPairs=The order of parameter pairs (key ) is flexible and each parameter is optional. When the user is omitted, the current user will be used by default. When the node is omitted, only the core / global authorities will be collected.
 ootbee-support-tools.command-console.subsystems.description=El plugin de subsistemas provee comandos para inspeccionar o modificar configuraciones de subsistemas.
 ootbee-support-tools.command-console.subsystems.help.description=Muestra la lista de comandos y sus argumentos para el plugin actual
diff --git a/repository/src/main/resources/alfresco/messages/ootbee-support-tools_it.properties b/repository/src/main/resources/alfresco/messages/ootbee-support-tools_it.properties
index 05492ab9..c32c730a 100644
--- a/repository/src/main/resources/alfresco/messages/ootbee-support-tools_it.properties
+++ b/repository/src/main/resources/alfresco/messages/ootbee-support-tools_it.properties
@@ -46,6 +46,8 @@ ootbee-support-tools.command-console.permissions.help.description=Displays the l
 ootbee-support-tools.command-console.permissions.effectivePermission.description=Checks if a user has a specific permission on a specific node
 ootbee-support-tools.command-console.permissions.effectivePermissions.description=Checks all settable permissions on a specific node for a specific user
 ootbee-support-tools.command-console.permissions.effectivePermissions.flexibleParameterPairs=The order of parameter pairs (key ) is flexible
+ootbee-support-tools.command-console.permissions.effectiveAuthorisations.description=Determines the effective set of authorities a user has with as would be evaluated during regular permission checks in the core permission service (excluding any higher-level overrides, e.g. as found in Records Management)
+ootbee-support-tools.command-console.permissions.effectiveAuthorisations.flexibleParameterPairs=The order of parameter pairs (key ) is flexible and each parameter is optional. When the user is omitted, the current user will be used by default. When the node is omitted, only the core / global authorities will be collected.
 ootbee-support-tools.command-console.subsystems.description=The subsystems plugin provides commands for inspecting / modifying subsystems.
 ootbee-support-tools.command-console.subsystems.help.description=Displays the list of commands and their supported arguments within the current plugin
diff --git a/repository/src/main/resources/alfresco/messages/ootbee-support-tools_pt.properties b/repository/src/main/resources/alfresco/messages/ootbee-support-tools_pt.properties
index 4a2505f7..764e59e1 100644
--- a/repository/src/main/resources/alfresco/messages/ootbee-support-tools_pt.properties
+++ b/repository/src/main/resources/alfresco/messages/ootbee-support-tools_pt.properties
@@ -46,6 +46,8 @@ ootbee-support-tools.command-console.permissions.help.description=Exibe a lista
 ootbee-support-tools.command-console.permissions.effectivePermission.description=Verifica se um usu\u00e1rio tem uma permiss\u00e3o espec\u00edfica em um n\u00f3
 ootbee-support-tools.command-console.permissions.effectivePermissions.description=Verifica todas as permiss\u00f5es atribu\u00edveis no no espec\u00edfico para um usu\u00e1rio espec\u00edfico
 ootbee-support-tools.command-console.permissions.effectivePermissions.flexibleParameterPairs=A ordem dos pares de par\u00e2metros (chave ) \u00e9 flex\u00edvel
+ootbee-support-tools.command-console.permissions.effectiveAuthorisations.description=Determines the effective set of authorities a user has with as would be evaluated during regular permission checks in the core permission service (excluding any higher-level overrides, e.g. as found in Records Management)
+ootbee-support-tools.command-console.permissions.effectiveAuthorisations.flexibleParameterPairs=The order of parameter pairs (key ) is flexible and each parameter is optional. When the user is omitted, the current user will be used by default. When the node is omitted, only the core / global authorities will be collected.
 ootbee-support-tools.command-console.subsystems.description=O plugin de subsistemas disponibiliza comandos para inspecionar / modificar subsistemas.
 ootbee-support-tools.command-console.subsystems.help.description=Exibe a lista de comandos e os argumentos suportados para o plugin atual
diff --git a/repository/src/main/resources/alfresco/templates/webscripts/org/orderofthebee/support-tools/admin/ootbee-support-tools/command-console-plugins/permission-commands.post.desc.xml b/repository/src/main/resources/alfresco/templates/webscripts/org/orderofthebee/support-tools/admin/ootbee-support-tools/command-console-plugins/permission-commands.post.desc.xml
index 0e448f31..abc6c180 100644
--- a/repository/src/main/resources/alfresco/templates/webscripts/org/orderofthebee/support-tools/admin/ootbee-support-tools/command-console-plugins/permission-commands.post.desc.xml +++ b/repository/src/main/resources/alfresco/templates/webscripts/org/orderofthebee/support-tools/admin/ootbee-support-tools/command-console-plugins/permission-commands.post.desc.xml @@ -5,6 +5,7 @@ /ootbee/admin/command-console/permissions/help /ootbee/admin/command-console/permissions/effectivePermission /ootbee/admin/command-console/permissions/effectivePermissions + /ootbee/admin/command-console/permissions/effectiveAuthorisations OOTBee Support Tools any json diff --git a/repository/src/main/resources/alfresco/templates/webscripts/org/orderofthebee/support-tools/admin/ootbee-support-tools/command-console-plugins/permission-commands.post.json.ftl b/repository/src/main/resources/alfresco/templates/webscripts/org/orderofthebee/support-tools/admin/ootbee-support-tools/command-console-plugins/permission-commands.post.json.ftl index ccda8bd5..3004e1f0 100644 --- a/repository/src/main/resources/alfresco/templates/webscripts/org/orderofthebee/support-tools/admin/ootbee-support-tools/command-console-plugins/permission-commands.post.json.ftl +++ b/repository/src/main/resources/alfresco/templates/webscripts/org/orderofthebee/support-tools/admin/ootbee-support-tools/command-console-plugins/permission-commands.post.json.ftl 
@@ -35,7 +35,11 @@ Copyright (C) 2005 - 2020 Alfresco Software Limited.
 "",
 "effectivePermissions user node ",
 "\t${msg("ootbee-support-tools.command-console.permissions.effectivePermissions.description")}",
- "\t${msg("ootbee-support-tools.command-console.permissions.effectivePermissions.flexibleParameterPairs")}"
+ "\t${msg("ootbee-support-tools.command-console.permissions.effectivePermissions.flexibleParameterPairs")}",
+ "",
+ "effectiveAuthorisations user node ",
+ "\t${msg("ootbee-support-tools.command-console.permissions.effectiveAuthorisations.description")}",
+ "\t${msg("ootbee-support-tools.command-console.permissions.effectiveAuthorisations.flexibleParameterPairs")}"
 <#break>
 <#case "effectivePermission">
 <#case "effectivePermissions">
@@ -43,6 +47,11 @@ Copyright (C) 2005 - 2020 Alfresco Software Limited.
 "${msg("permissionCheck.result", checkedPermission.user, checkedPermission.permission, checkedPermission.node.nodeRef, checkedPermission.node.name, checkedPermission.allowed?string(msg("permissionCheck.allowed"), msg("permissionCheck.denied")))}"<#if checkedPermission_has_next>,
 <#break>
+ <#case "effectiveAuthorisations">
+ <#list authorisations as authorisation>
+ "${authorisation}"<#if authorisation_has_next>,
+
+ <#break>
 ]
 }
diff --git a/repository/src/main/resources/alfresco/templates/webscripts/org/orderofthebee/support-tools/admin/ootbee-support-tools/command-console-plugins/permission-commands.post.json.js b/repository/src/main/resources/alfresco/templates/webscripts/org/orderofthebee/support-tools/admin/ootbee-support-tools/command-console-plugins/permission-commands.post.json.js
index 2c2d2c48..89c08570 100644
--- a/repository/src/main/resources/alfresco/templates/webscripts/org/orderofthebee/support-tools/admin/ootbee-support-tools/command-console-plugins/permission-commands.post.json.js
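Review bot: The new effectiveAuthorisations case writes `"${authorisation}"` straight into a JSON string literal, so an authority name containing a double quote or backslash would produce a malformed response document; `"${authorisation?json_string}"<#if authorisation_has_next>,</#if>` keeps the output well-formed. The effectivePermission case above already interpolates `${msg(...)}` the same way, so this follows the file's existing convention, but authority names are data rather than message-bundle text and deserve the escape. The enclosing switch starts before this hunk.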
+++ b/repository/src/main/resources/alfresco/templates/webscripts/org/orderofthebee/support-tools/admin/ootbee-support-tools/command-console-plugins/permission-commands.post.json.js
@@ -24,6 +24,15 @@ /* global json: false */
+function getAuthenticationComponent()
+{
+ var ctxt, authenticationComponent;
+ ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
+ authenticationComponent = ctxt.getBean('AuthenticationComponent',
+ Packages.org.alfresco.repo.security.authentication.AuthenticationComponent);
+ return authenticationComponent;
+}
+
 function getPermissionService()
 {
 var ctxt, permissionService;
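Review bot: getAuthenticationComponent repeats the ContextLoader.getCurrentWebApplicationContext() plus getBean pair that getPermissionService directly below it already uses, and the next hunk adds two more copies in getTenantService and getPermissionServiceImpl; a single helper such as `function getBean(name, cls) { return Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext().getBean(name, cls); }` would turn all four getters into one-liners. The function also deserves a header comment, because the bean it fetches is the internal AuthenticationComponent rather than the public AuthenticationService, and the new runAsUser relies on it to switch the full authentication instead of only the run-as identity; something like `// internal authentication component - used by runAsUser to set the current user without credentials` makes that dependency visible at the definition.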
@@ -32,6 +41,49 @@ function getPermissionService()
 return permissionService;
 }
+function getTenantService()
+{
+ var ctxt, tenantService;
+ ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
+ tenantService = ctxt.getBean('tenantService', Packages.org.alfresco.repo.tenant.TenantService);
+ return tenantService;
+}
+
+function getPermissionServiceImpl()
+{
+ var ctxt, permissionService;
+ ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
+ permissionService = ctxt.getBean('permissionServiceImpl', Packages.org.alfresco.repo.security.permissions.impl.PermissionServiceImpl);
+ return permissionService;
+}
+
+function getEffectiveDynamicAuthorities(node, user)
+{
+ var permissionService, tenantService, permissionServiceClass, dynamicAuthorityField, dynamicAuthorities, effectiveDynamicAuthorities, nodeRef, idx, dynamicAuthority;
+
+ permissionService = getPermissionServiceImpl();
+ tenantService = getTenantService();
+
+ permissionServiceClass = Packages.java.lang.Class.forName('org.alfresco.repo.security.permissions.impl.PermissionServiceImpl');
+ dynamicAuthorityField = permissionServiceClass.getDeclaredField('dynamicAuthorities');
+ dynamicAuthorityField.setAccessible(true);
+
+ dynamicAuthorities = dynamicAuthorityField.get(permissionService);
+ effectiveDynamicAuthorities = [];
+
+ nodeRef = tenantService.getName(node.nodeRef);
+ for (idx = 0; idx < dynamicAuthorities.size(); idx++)
+ {
+ dynamicAuthority = dynamicAuthorities.get(idx);
+ if (dynamicAuthority.hasAuthority(nodeRef, user))
+ {
+ effectiveDynamicAuthorities.push(dynamicAuthority.getAuthority());
+ }
+ }
+
+ return effectiveDynamicAuthorities;
+}
+
 function getAllSettablePermissions(node)
 {
 var permissions, permissionsArr, permissionsIter;
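Review bot: getEffectiveDynamicAuthorities reads a private, non-API field through `getDeclaredField('dynamicAuthorities')` plus `setAccessible(true)`, so if a later Alfresco version renames or removes that field the lookup throws NoSuchFieldException and the command fails with an opaque server error rather than a message. I would wrap the reflective part in a try/catch that reports the condition clearly, e.g. `status.setCode(status.STATUS_INTERNAL_SERVER_ERROR, 'Unable to read dynamic authorities from PermissionServiceImpl');`, and record the reason in a comment such as `// PermissionServiceImpl offers no getter for its dynamic authorities, so the private field is read reflectively`. The conversion of `node.nodeRef` via `tenantService.getName` before calling `hasAuthority` is presumably there because the core permission check evaluates dynamic authorities against the tenant-specific node reference; a one-line comment saying so would spare the next reader the lookup. The function takes the user name as a plain string and does not validate it, which is fine here only because every caller in this commit obtains it from the request arguments or the current person, so a docblock stating the parameters and that the returned array holds authority names would pin that contract.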
@@ -50,19 +102,31 @@ function runAsUser(fn, user)
 {
 var result;
 Packages.org.alfresco.repo.security.authentication.AuthenticationUtil.pushAuthentication();
- Packages.org.alfresco.repo.security.authentication.AuthenticationUtil.setRunAsUser(user);
 try
 {
+ // use full authentication instead of just runAs - depending on authentication subsystem, this may affect implicitly granted
+ // authorities
+ getAuthenticationComponent().setCurrentUser(user,
+ Packages.org.alfresco.repo.security.authentication.AuthenticationComponent.UserNameValidationMode.CHECK);
+
 result = fn();
+
 // restore
 Packages.org.alfresco.repo.security.authentication.AuthenticationUtil.popAuthentication();
 }
 catch (e)
 {
- // restore
 Packages.org.alfresco.repo.security.authentication.AuthenticationUtil.popAuthentication();
- throw e;
+
+ if (e instanceof Packages.org.alfresco.repo.security.authentication.AuthenticationException)
+ {
+ status.setCode(status.STATUS_BAD_REQUEST, 'User ' + user + ' does not exist');
+ }
+ else
+ {
+ throw e;
+ }
 }
 return result;
 }
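Review bot: The `e instanceof Packages.org.alfresco.repo.security.authentication.AuthenticationException` test in the catch block of runAsUser is unlikely to ever match, because in Rhino a Java exception that reaches a script `catch (e)` is presented as a JavaScript Error object that carries the Java throwable in `e.javaException`; the check should be made on that property, e.g. `var javaEx = e.javaException || e;` followed by `if (javaEx instanceof Packages.org.alfresco.repo.security.authentication.AuthenticationException)` — please confirm against the Rhino version shipped with the target Alfresco, since if the check never matches an unknown user surfaces as an unhandled exception instead of the intended 400. The 400 message attributes every AuthenticationException to a missing user, but `fn()` runs inside the same try under the switched authentication and can raise the same type for other reasons, so wording such as 'User ' + user + ' could not be authenticated' would be more accurate. It is also worth extending the new comment to say that `setCurrentUser` with UserNameValidationMode.CHECK authenticates fully as the named user without credentials, which is a stronger operation than the replaced setRunAsUser and is only acceptable because this web script is presumably restricted to administrators. The `function runAsUser(fn, user)` signature sits just above this hunk.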
@@ -134,6 +198,90 @@ function executeEffectivePermission(args, settable)
 }
 }
+function executeEffectiveAuthorisations(args)
+{
+ var userArg, nodeArg, argIdx, permissionService, effectiveAuthorisations, authorisations, authIter, dynamicAuthorities, node, authIdx;
+
+ for (argIdx = 0; argIdx < args.length; argIdx++)
+ {
+ switch (args[argIdx])
+ {
+ case 'user':
+ userArg = (args.length > argIdx + 1) ? args[++argIdx] : null;
+ break;
+ case 'node':
+ nodeArg = (args.length > argIdx + 1) ? args[++argIdx] : null;
+ break;
+ }
+ }
+
+ // for some reason, getAuthorisations on the public PermissionService is denied to all (even admin), so we have to use the impl bean
+ permissionService = getPermissionServiceImpl();
+ effectiveAuthorisations = {};
+
+ if (nodeArg)
+ {
+ node = search.findNode(nodeArg);
+ if (node !== null)
+ {
+ if (userArg)
+ {
+ runAsUser(function()
+ {
+ model.user = userArg;
+ authorisations = permissionService.getAuthorisations();
+ dynamicAuthorities = getEffectiveDynamicAuthorities(node, userArg);
+ }, userArg);
+ }
+ else
+ {
+ model.user = person.properties.userName;
+ authorisations = permissionService.getAuthorisations();
+ dynamicAuthorities = getEffectiveDynamicAuthorities(node, person.properties.userName);
+ }
+ }
+ else
+ {
+ status.setCode(status.STATUS_BAD_REQUEST, 'Node ' + nodeArg + ' does not exist');
+ }
+ }
+ else
+ {
+ if (userArg)
+ {
+ runAsUser(function()
+ {
+ model.user = userArg;
+ authorisations = permissionService.getAuthorisations();
+ }, userArg);
+ }
+ else
+ {
+ model.user = person.properties.userName;
+ authorisations = permissionService.getAuthorisations();
+ }
+ }
+
+ if (authorisations)
+ {
+ authIter = authorisations.iterator();
+ while (authIter.hasNext())
+ {
+ effectiveAuthorisations[authIter.next()] = true;
+ }
+ }
+
+ if (dynamicAuthorities)
+ {
+ for (authIdx = 0; authIdx < dynamicAuthorities.length; authIdx++)
+ {
+ effectiveAuthorisations[dynamicAuthorities[authIdx]] = true;
+ }
+ }
+
+ model.authorisations = Object.keys(effectiveAuthorisations);
+}
+
 function main()
 {
 var service, reqBody, reqArgs, argIdx;
@@ -160,6 +308,9 @@ function main()
 case 'effectivePermissions':
 executeEffectivePermission(reqArgs, true);
 break;
+ case 'effectiveAuthorisations':
+ executeEffectiveAuthorisations(reqArgs);
+ break;
 case 'help': // no-op
 break;
 default:
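Review bot: The node/user branching in executeEffectiveAuthorisations repeats `model.user = …; authorisations = permissionService.getAuthorisations();` four times, differing only in whether the call runs inside runAsUser and whether dynamic authorities are collected; resolving the user and the node first and then running a single collector either directly or through runAsUser removes the duplication, as sketched below (it adds `user` and `collect` to the var list and keeps the node-missing 400 and the empty-list fallback unchanged). The comment on the impl bean should also state the consequence: `getPermissionServiceImpl` sits below the method-security interceptor of the public PermissionService, so the web script descriptor's authentication requirement is the only access control left on this path, e.g. `// the impl bean is not guarded by the public service's security interceptor; the descriptor's authentication setting is the only gate here`. When runAsUser reports an unknown user via status 400, `authorisations` stays undefined and the function still publishes an empty `model.authorisations`, which looks intentional so the template can render, and a one-line comment saying so would prevent it being "fixed" later.
```javascript
function executeEffectiveAuthorisations(args)
{
    var userArg, nodeArg, argIdx, permissionService, effectiveAuthorisations, authorisations, authIter, dynamicAuthorities, node, authIdx, user, collect;

    // … unchanged: argument parsing loop …

    // for some reason, getAuthorisations on the public PermissionService is denied to all (even admin), so we have to use the impl bean
    permissionService = getPermissionServiceImpl();
    effectiveAuthorisations = {};

    user = userArg || person.properties.userName;
    node = nodeArg ? search.findNode(nodeArg) : null;

    if (nodeArg && node === null)
    {
        status.setCode(status.STATUS_BAD_REQUEST, 'Node ' + nodeArg + ' does not exist');
    }
    else
    {
        // collects core authorities and, when a node was given, the dynamic ones evaluated against it
        collect = function()
        {
            model.user = user;
            authorisations = permissionService.getAuthorisations();
            if (node !== null)
            {
                dynamicAuthorities = getEffectiveDynamicAuthorities(node, user);
            }
        };

        if (userArg)
        {
            runAsUser(collect, userArg);
        }
        else
        {
            collect();
        }
    }

    // … unchanged: merging authorisations and dynamicAuthorities into effectiveAuthorisations …
    model.authorisations = Object.keys(effectiveAuthorisations);
}
```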