Source code

001/*
002 * (C) Copyright 2006-2011 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Florent Guillaume
018 */
019
020package org.nuxeo.ecm.core.api;
021
022import java.security.Principal;
023
024import javax.security.auth.login.LoginContext;
025import javax.security.auth.login.LoginException;
026
027import org.apache.commons.logging.Log;
028import org.apache.commons.logging.LogFactory;
029import org.nuxeo.ecm.core.api.security.SecurityConstants;
030import org.nuxeo.runtime.api.Framework;
031
032/**
033 * Helper class to run code with an unrestricted session.
034 * <p>
035 * The caller must implement the {@link #run} method, and call {@link #runUnrestricted}.
036 *
037 * @author Florent Guillaume
038 */
039public abstract class UnrestrictedSessionRunner {
040
041    private static final Log log = LogFactory.getLog(UnrestrictedSessionRunner.class);
042
043    protected String originatingUsername;
044
045    protected CoreSession session;
046
047    protected final boolean sessionIsAlreadyUnrestricted;
048
049    protected final String repositoryName;
050
051    /** True if a call to {@link #runUnrestricted} is in progress. */
052    protected boolean isUnrestricted;
053
054    /**
055     * Constructs a {@link UnrestrictedSessionRunner} given an existing session (which may or may not be already
056     * unrestricted).
057     * <p>
058     * Originating user is taken on given session.
059     *
060     * @param session the available session
061     */
062    protected UnrestrictedSessionRunner(CoreSession session) {
063        this.session = session;
064        sessionIsAlreadyUnrestricted = checkUnrestricted(session);
065        if (sessionIsAlreadyUnrestricted) {
066            repositoryName = null;
067        } else {
068            repositoryName = session.getRepositoryName();
069        }
070        Principal pal = session.getPrincipal();
071        if (pal != null) {
072            originatingUsername = pal.getName();
073        }
074    }
075
076    /**
077     * Constructs a {@link UnrestrictedSessionRunner} given a repository name.
078     *
079     * @param repositoryName the repository name
080     */
081    protected UnrestrictedSessionRunner(String repositoryName) {
082        session = null;
083        sessionIsAlreadyUnrestricted = false;
084        this.repositoryName = repositoryName;
085    }
086
087    /**
088     * Constructs a {@link UnrestrictedSessionRunner} given a repository name and an originating user name.
089     *
090     * @param repositoryName the repository name
091     * @param originatingUser the user name behind the system user
092     */
093    protected UnrestrictedSessionRunner(String repositoryName, String originatingUser) {
094        session = null;
095        sessionIsAlreadyUnrestricted = false;
096        this.repositoryName = repositoryName;
097        originatingUsername = originatingUser;
098    }
099
100    public String getOriginatingUsername() {
101        return originatingUsername;
102    }
103
104    public void setOriginatingUsername(String originatingUsername) {
105        this.originatingUsername = originatingUsername;
106    }
107
108    protected boolean checkUnrestricted(CoreSession session) {
109        return SecurityConstants.SYSTEM_USERNAME.equals(session.getPrincipal().getName())
110                || (session.getPrincipal() instanceof NuxeoPrincipal && ((NuxeoPrincipal) session.getPrincipal()).isAdministrator());
111    }
112
113    /**
114     * Calls the {@link #run()} method with an unrestricted {@link #session}. During this call, {@link #isUnrestricted}
115     * is set to {@code true}.
116     */
117    public void runUnrestricted() {
118        isUnrestricted = true;
119        try {
120            if (sessionIsAlreadyUnrestricted) {
121                run();
122                return;
123            }
124
125            LoginContext loginContext;
126            try {
127                loginContext = Framework.loginAs(originatingUsername);
128            } catch (LoginException e) {
129                throw new NuxeoException(e);
130            }
131            try {
132                CoreSession baseSession = session;
133                try (CloseableCoreSession closeableCoreSession = CoreInstance.openCoreSession(repositoryName)) {
134                    session = closeableCoreSession;
135                    run();
136                } finally {
137                    session = baseSession;
138                }
139            } finally {
140                try {
141                    // loginContext may be null in tests
142                    if (loginContext != null) {
143                        loginContext.logout();
144                    }
145                } catch (LoginException e) {
146                    log.error(e); // don't rethrow inside finally
147                }
148            }
149        } finally {
150            isUnrestricted = false;
151        }
152    }
153
154    /**
155     * This method will be called by {@link #runUnrestricted()} with {@link #session} available as an unrestricted
156     * session.
157     * <p>
158     * It can also be called directly in which case the {@link #session} available will be the one passed to
159     * {@code #UnrestrictedSessionRunner(CoreSession)}.
160     */
161    public abstract void run();
162
163}