Optimizing the JCR Access Control routines.

Author: SilverYoCha

src/main/java/org/silverpeas/jcr/auth/AbstractAuthentication.java

@@ -25,18 +25,13 @@
 
 import org.silverpeas.jcr.jaas.SilverpeasJcrSystemPrincipal;
 import org.silverpeas.jcr.jaas.SilverpeasUserPrincipal;
-import org.silverpeas.jcr.jaas.SilverpeasUserProfile;
 
 import javax.naming.InitialContext;
 import javax.naming.NamingException;
 import javax.sql.DataSource;
 import java.security.Principal;
 import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
 import java.sql.SQLException;
-import java.util.logging.Level;
-import java.util.logging.Logger;
 
 /**
  * This class defines common operations authentication mechanisms can require in order to perform
@@ -45,34 +40,15 @@
  */
 public abstract class AbstractAuthentication implements Authentication {
 
-  private static final String SELECT_USER_ROLES =
-      "select r.rolename, r.instanceid, c.componentname from st_userrole_user_rel u join " +
-          "st_userrole r on u.userroleid = r.id join st_componentinstance c on " +
-          "c.id = r.instanceid where u.userid = ?";
-
-  protected Principal getSilverpeasUserPrincipal(final SilverpeasUser user) {
-    Principal principal;
+  protected Principal getSilverpeasUserPrincipal(final SilverpeasUser user,
+      final String authorizedDocumentPath) {
+    final Principal principal;
     if (user.isJcrSystemUser()) {
       principal = new SilverpeasJcrSystemPrincipal();
     } else {
-      try (Connection connection = openConnectionToDataSource();
-           PreparedStatement statement = connection.prepareStatement(SELECT_USER_ROLES)) {
-        statement.setInt(1, Integer.parseInt(user.getId()));
-        try (ResultSet resultSet = statement.executeQuery()) {
-          principal = new SilverpeasUserPrincipal(user.getId(), "A".equals(user.getAccessLevel()));
-          while (resultSet.next()) {
-            String componentInstanceId = resultSet.getString("instanceid");
-            String componentName = resultSet.getString("componentname");
-            String roleName = resultSet.getString("rolename");
-            SilverpeasUserProfile profile =
-                new SilverpeasUserProfile(componentName + componentInstanceId, roleName);
-            ((SilverpeasUserPrincipal) principal).addUserProfile(profile);
-          }
-        }
-      } catch (SQLException e) {
-        principal = null;
-        Logger.getLogger(getClass().getSimpleName()).log(Level.SEVERE, e.getMessage(), e);
-      }
+      principal = new SilverpeasUserPrincipal(user.getId(),
+                                              "A".equals(user.getAccessLevel()),
+                                              authorizedDocumentPath);
     }
     return principal;
   }

src/main/java/org/silverpeas/jcr/auth/SQLSimpleAuthentication.java

@@ -53,9 +53,10 @@ public class SQLSimpleAuthentication extends AbstractAuthentication {
   private static final String SELECT_DOMAIN_TABLE =
       "select propfilename, classname from st_domain where id = ?";
 
-  private static final String SELECT_USER_DATA =
-      "select du.id as id, du.password as password, u.accesslevel as accesslevel from " +
-          "{0}_user du left join st_user u on du.id = u.id where du.login = ? and u.state = ''VALID''";
+  private static final String SELECT_DOMAIN_USER_DATA =
+      "SELECT du.id as id, du.password as password, u.accesslevel as accesslevel FROM " +
+          "{0}_user du LEFT JOIN st_user u ON CAST(du.id AS VARCHAR(100)) = u.specificid " +
+          "WHERE u.domainid = ? AND du.login = ? AND u.state = ''VALID''";
 
   /**
    * Authenticates a user by its credentials.
@@ -107,7 +108,7 @@ public Principal authenticate(SimpleCredentials credentials) throws Authenticati
             throw new AuthenticationException(error.getMessage());
           }
         }
-        principal = getSilverpeasUserPrincipal(user);
+        principal = getSilverpeasUserPrincipal(user, null);
       } else {
         throw new AuthenticationException("No user matching the login " + login +
             " and the domain identifier " + domainId);
@@ -138,9 +139,11 @@ private SilverpeasUser getSilverpeasUserByDomain(final String login, final Strin
             if (className != null && (className.toLowerCase().endsWith("sqldriver") ||
                 className.toLowerCase().endsWith("silverpeasdomaindriver"))) {
               String domainName = fetchDomainNameFrom(domainResultSet.getString("propfilename"));
-              String sqlUserData = computeUserDataSQLQueryFor(domainName);
-              try (PreparedStatement userStatement = connection.prepareStatement(sqlUserData)) {
-                userStatement.setString(1, login);
+              String sqlDomainUserData = computeDomainUserDataSQLQueryFor(domainName);
+              try (PreparedStatement userStatement = connection.prepareStatement(sqlDomainUserData)) {
+                int i = 1;
+                userStatement.setInt(i++, Integer.parseInt(domainId));
+                userStatement.setString(i, login);
                 try (ResultSet userResultSet = userStatement.executeQuery()) {
                   if (userResultSet.next()) {
                     user = new SilverpeasUser().withId(userResultSet.getString("id"))
@@ -165,7 +168,7 @@ private String fetchDomainNameFrom(String propFileName) {
     return (lastSepIndex > 0 ? propFileName.substring(lastSepIndex + 1).toLowerCase() : null);
   }
 
-  private String computeUserDataSQLQueryFor(String tableName) {
-    return MessageFormat.format(SELECT_USER_DATA, tableName);
+  private String computeDomainUserDataSQLQueryFor(String tableName) {
+    return MessageFormat.format(SELECT_DOMAIN_USER_DATA, tableName);
   }
 }

src/main/java/org/silverpeas/jcr/auth/TokenAuthentication.java

@@ -46,6 +46,7 @@
 public class TokenAuthentication extends AbstractAuthentication {
 
   private static final String USERID_TOKEN_ATTRIBUTE = "UserID";
+  private static final String AUTHORIZED_DOCUMENT_PATH_ATTRIBUTE = "AuthorizedDocumentPath";
   private static final String IDENTIFY_USER =
       "select id, accesslevel from st_user where state = 'VALID' and login = ? and domainId = ?";
   private static final Pattern TOKEN_FORMAT = Pattern.compile("[a-zA-Z0-9]{16}+");
@@ -85,16 +86,17 @@ public Principal authenticate(final Credentials credentials) throws Authenticati
    */
   private Principal authenticate(TokenCredentials credentials) throws AuthenticationException {
     Principal principal = null;
-    String token = credentials.getToken();
-    String userID = credentials.getAttribute(USERID_TOKEN_ATTRIBUTE);
+    final String token = credentials.getToken();
+    final String userID = credentials.getAttribute(USERID_TOKEN_ATTRIBUTE);
     if (matches(token, userID)) {
-      String[] userIdParts = fetchUserIdParts(userID);
+      final String[] userIdParts = fetchUserIdParts(userID);
       if (userIdParts != null && userIdParts.length == 2) {
-        String login = userIdParts[0];
-        String domainId = userIdParts[1];
-        SilverpeasUser user = identifySilverpeasUser(login, domainId);
+        final String login = userIdParts[0];
+        final String domainId = userIdParts[1];
+        final SilverpeasUser user = identifySilverpeasUser(login, domainId);
         if (user != null) {
-          principal = getSilverpeasUserPrincipal(user);
+          final String authorizedDocumentPath = credentials.getAttribute(AUTHORIZED_DOCUMENT_PATH_ATTRIBUTE);
+          principal = getSilverpeasUserPrincipal(user, authorizedDocumentPath);
         } else {
           // a TokenCredentials must match an existing user. Otherwise, it is considered as a
           // forbidden access

src/main/java/org/silverpeas/jcr/jaas/SilverpeasAccessManager.java

@@ -23,6 +23,8 @@
  */
 package org.silverpeas.jcr.jaas;
 
+import org.apache.commons.codec.Charsets;
+import org.apache.jackrabbit.commons.JcrUtils;
 import org.apache.jackrabbit.core.id.ItemId;
 import org.apache.jackrabbit.core.id.NodeId;
 import org.apache.jackrabbit.core.id.PropertyId;
@@ -47,10 +49,13 @@
 import javax.jcr.SimpleCredentials;
 import javax.jcr.nodetype.NodeType;
 import javax.security.auth.Subject;
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
 import java.text.MessageFormat;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import static org.silverpeas.jcr.JcrProperties.*;
 
@@ -250,14 +255,14 @@ public boolean isGranted(final Path absPath, final int permissions) throws Repos
         Node node = session.getNode(jcrPath);
         if (isFolder(node)) {
           // only those with the correct roles can access it (for reading or modifying it).
-          isGranted = isPathAuthorized(absPath, permissions);
+          isGranted = isPathAuthorized(absPath);
         } else if (isLockedFile(node)) {
           // only the user owning the file can access it (for reading or updating it).
           isGranted = isFileAuthorized(node);
         } else {
           // it is an ordinary JCR node: everyone can read it but only those with specific roles
           // can update it.
-          isGranted = permissions == Permission.READ || isPathAuthorized(absPath, permissions);
+          isGranted = permissions == Permission.READ || isPathAuthorized(absPath);
         }
       } finally {
         session.logout();
@@ -345,19 +350,33 @@ public boolean canAccess(final String workspaceName) throws RepositoryException
     return true;
   }
 
-  private boolean isPathAuthorized(Path path, int permissions) {
-    Set<SilverpeasUserPrincipal> principals =
+  private boolean isPathAuthorized(Path path) {
+    final Set<SilverpeasUserPrincipal> principals =
         context.getSubject().getPrincipals(SilverpeasUserPrincipal.class);
-    Path.Element[] elements = path.getElements();
+    final Path.Element[] elements = path.getElements();
+    final String jcrPathToVerify = Arrays.stream(elements)
+                                         .map(e -> e.getName().getLocalName())
+                                         .collect(Collectors.joining("/"));
     for (SilverpeasUserPrincipal principal : principals) {
-      if (principal.isAdministrator()) {
+      if (principal.isAdministrator() || isWebdavPathAuthorized(principal, jcrPathToVerify)) {
         return true;
       }
-      for (Path.Element element : elements) {
-        SilverpeasUserProfile profile = principal.getUserProfile(element.getName().getLocalName());
-        if (profile != null) {
-          return permissions == Permission.READ || WRITING_ROLES.contains(profile.getRole());
-        }
+    }
+    return false;
+  }
+
+  private boolean isWebdavPathAuthorized(final SilverpeasUserPrincipal principal,
+      final String jcrPathToVerify) {
+    String authorizedDocumentPath = principal.getAuthorizedDocumentPath();
+    if (authorizedDocumentPath != null) {
+      try {
+        authorizedDocumentPath = URLDecoder.decode(authorizedDocumentPath, Charsets.UTF_8.name());
+      } catch (UnsupportedEncodingException ignore) {
+      }
+      if (authorizedDocumentPath.length() > jcrPathToVerify.length()) {
+        return authorizedDocumentPath.contains(jcrPathToVerify);
+      } else {
+        return jcrPathToVerify.contains(authorizedDocumentPath);
       }
     }
     return false;

src/main/java/org/silverpeas/jcr/jaas/SilverpeasUserPrincipal.java

@@ -24,8 +24,6 @@
 package org.silverpeas.jcr.jaas;
 
 import java.security.Principal;
-import java.util.HashMap;
-import java.util.Map;
 
 /**
  * The principals of a user in Silverpeas. They are used to check the user has enough privileges to
@@ -35,20 +33,12 @@ public class SilverpeasUserPrincipal implements Principal {
 
   private String userId;
   private boolean administrator;
-  private Map<String, SilverpeasUserProfile> entries;
+  private String authorizedDocumentPath;
 
-  public SilverpeasUserPrincipal(String userId, boolean administrator) {
+  public SilverpeasUserPrincipal(String userId, boolean administrator, String authorizedDocumentPath) {
     this.userId = userId;
     this.administrator = administrator;
-    this.entries = new HashMap<>(100);
-  }
-
-  public void addUserProfile(SilverpeasUserProfile aProfile) {
-    entries.put(aProfile.getComponentId(), aProfile);
-  }
-
-  public SilverpeasUserProfile getUserProfile(String componentId) {
-    return this.entries.get(componentId);
+    this.authorizedDocumentPath = authorizedDocumentPath;
   }
 
   public String getUserId() {
@@ -64,4 +54,7 @@ public String getName() {
     return userId;
   }
 
+  public String getAuthorizedDocumentPath() {
+    return authorizedDocumentPath;
+  }
 }