001/*
002 * (C) Copyright 2015 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Thomas Roger
018 */
019
020package org.nuxeo.ecm.admin.permissions;
021
022import java.io.Serializable;
023import java.util.ArrayList;
024import java.util.Calendar;
025import java.util.GregorianCalendar;
026import java.util.List;
027import java.util.Map;
028
029import org.apache.commons.lang3.StringUtils;
030import org.apache.logging.log4j.LogManager;
031import org.apache.logging.log4j.Logger;
032import org.nuxeo.ecm.core.api.DocumentModel;
033import org.nuxeo.ecm.core.api.DocumentRef;
034import org.nuxeo.ecm.core.api.IdRef;
035import org.nuxeo.ecm.core.api.IterableQueryResult;
036import org.nuxeo.ecm.core.api.security.ACE;
037import org.nuxeo.ecm.core.api.security.ACL;
038import org.nuxeo.ecm.core.api.security.ACP;
039import org.nuxeo.ecm.core.query.sql.NXQL;
040import org.nuxeo.ecm.core.transientstore.api.TransientStore;
041import org.nuxeo.ecm.core.transientstore.work.TransientStoreWork;
042import org.nuxeo.ecm.core.work.api.WorkManager;
043import org.nuxeo.ecm.platform.query.api.PageProviderDefinition;
044import org.nuxeo.ecm.platform.query.api.PageProviderService;
045import org.nuxeo.ecm.platform.query.nxql.NXQLQueryBuilder;
046import org.nuxeo.runtime.api.Framework;
047import org.nuxeo.runtime.transaction.TransactionRuntimeException;
048
049/**
050 * Work archiving ACEs based on a query.
051 *
052 * @since 7.4
053 */
054public class PermissionsPurgeWork extends TransientStoreWork {
055
056    private static final Logger log = LogManager.getLogger(PermissionsPurgeWork.class);
057
058    private static final long serialVersionUID = 1L;
059
060    public static final int DEFAULT_BATCH_SIZE = 20;
061
062    public static final String CATEGORY = "permissionsPurge";
063
064    protected DocumentModel searchDocument;
065
066    protected int batchSize = DEFAULT_BATCH_SIZE;
067
068    public PermissionsPurgeWork(DocumentModel searchDocument) {
069        this.searchDocument = searchDocument;
070    }
071
072    @Override
073    @SuppressWarnings("unchecked")
074    public String getTitle() {
075        return String.format("Permissions purge for '%s' user and %s document ids",
076                searchDocument.getPropertyValue("rs:ace_username"),
077                StringUtils.join((List<String>) searchDocument.getPropertyValue("rs:ecm_ancestorIds"), ","));
078    }
079
080    @Override
081    public String getCategory() {
082        return CATEGORY;
083    }
084
085    @Override
086    @SuppressWarnings("unchecked")
087    public void work() {
088        TransientStore store = getStore();
089        store.putParameter(id, "status", new PurgeWorkStatus(PurgeWorkStatus.State.RUNNING));
090        setStatus("Purging");
091        openSystemSession();
092
093        PageProviderService pageProviderService = Framework.getService(PageProviderService.class);
094        PageProviderDefinition def = pageProviderService.getPageProviderDefinition("permissions_purge");
095        String query = NXQLQueryBuilder.getQuery(searchDocument, def.getWhereClause(), null);
096
097        List<String> docIds = new ArrayList<>();
098        try (IterableQueryResult result = session.queryAndFetch(query, NXQL.NXQL)) {
099            for (Map<String, Serializable> map : result) {
100                docIds.add((String) map.get("ecm:uuid"));
101            }
102        }
103
104        List<String> usernames = (List<String>) searchDocument.getPropertyValue("rs:ace_username");
105        log.info("Purging permissions on {} documents for usernames: {} and ancestorIds: {}", docIds::size,
106                () -> usernames, () -> searchDocument.getPropertyValue("rs:ecm_ancestorIds"));
107
108        int acpUpdatedCount = 0;
109        for (String docId : docIds) {
110            DocumentRef ref = new IdRef(docId);
111            ACP acp = session.getACP(ref);
112            // cleanup acp for all principals
113            boolean changed = false;
114            for (String username : usernames) {
115                for (ACL acl : acp.getACLs()) {
116                    for (ACE ace : acl) {
117                        if (username.equals(ace.getUsername())) {
118                            Calendar now = new GregorianCalendar();
119                            ace.setEnd(now);
120                            changed = true;
121                        }
122                    }
123                }
124            }
125
126            try {
127                if (changed) {
128                    session.setACP(ref, acp, true);
129                    acpUpdatedCount++;
130                    if (acpUpdatedCount % batchSize == 0) {
131                        commitOrRollbackTransaction();
132                        startTransaction();
133                    }
134                }
135            } catch (TransactionRuntimeException e) {
136                if (e.getMessage().contains("Transaction timeout")) {
137                    batchSize = 1;
138                }
139                throw e;
140            }
141
142        }
143        setStatus(null);
144    }
145
146    @Override
147    public void cleanUp(boolean ok, Exception e) {
148        try {
149            super.cleanUp(ok, e);
150        } finally {
151            getStore().putParameter(id, "status", new PurgeWorkStatus(PurgeWorkStatus.State.COMPLETED));
152        }
153    }
154
155    public String launch() {
156        WorkManager works = Framework.getService(WorkManager.class);
157        TransientStore store = getStore();
158        store.putParameter(id, "status", new PurgeWorkStatus(PurgeWorkStatus.State.SCHEDULED));
159        works.schedule(this);
160        return id;
161    }
162
163    @Override
164    public int getRetryCount() {
165        return 10;
166    }
167
168    static PurgeWorkStatus getStatus(String id) {
169        TransientStore store = getStore();
170        if (!store.exists(id)) {
171            return null;
172        }
173        return (PurgeWorkStatus) store.getParameter(id, "status");
174    }
175}