001/* 002 * (C) Copyright 2015 Nuxeo SA (http://nuxeo.com/) and others. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 * 016 * Contributors: 017 * Thomas Roger 018 */ 019 020package org.nuxeo.ecm.admin.permissions; 021 022import java.io.Serializable; 023import java.util.ArrayList; 024import java.util.Calendar; 025import java.util.GregorianCalendar; 026import java.util.List; 027import java.util.Map; 028 029import org.apache.commons.lang3.StringUtils; 030import org.apache.logging.log4j.LogManager; 031import org.apache.logging.log4j.Logger; 032import org.nuxeo.ecm.core.api.DocumentModel; 033import org.nuxeo.ecm.core.api.DocumentRef; 034import org.nuxeo.ecm.core.api.IdRef; 035import org.nuxeo.ecm.core.api.IterableQueryResult; 036import org.nuxeo.ecm.core.api.security.ACE; 037import org.nuxeo.ecm.core.api.security.ACL; 038import org.nuxeo.ecm.core.api.security.ACP; 039import org.nuxeo.ecm.core.query.sql.NXQL; 040import org.nuxeo.ecm.core.transientstore.api.TransientStore; 041import org.nuxeo.ecm.core.transientstore.work.TransientStoreWork; 042import org.nuxeo.ecm.core.work.api.WorkManager; 043import org.nuxeo.ecm.platform.query.api.PageProviderDefinition; 044import org.nuxeo.ecm.platform.query.api.PageProviderService; 045import org.nuxeo.ecm.platform.query.nxql.NXQLQueryBuilder; 046import org.nuxeo.runtime.api.Framework; 047import org.nuxeo.runtime.transaction.TransactionRuntimeException; 048 049/** 050 * Work archiving ACEs based on a query. 051 * 052 * @since 7.4 053 */ 054public class PermissionsPurgeWork extends TransientStoreWork { 055 056 private static final Logger log = LogManager.getLogger(PermissionsPurgeWork.class); 057 058 private static final long serialVersionUID = 1L; 059 060 public static final int DEFAULT_BATCH_SIZE = 20; 061 062 public static final String CATEGORY = "permissionsPurge"; 063 064 protected DocumentModel searchDocument; 065 066 protected int batchSize = DEFAULT_BATCH_SIZE; 067 068 public PermissionsPurgeWork(DocumentModel searchDocument) { 069 this.searchDocument = searchDocument; 070 } 071 072 @Override 073 @SuppressWarnings("unchecked") 074 public String getTitle() { 075 return String.format("Permissions purge for '%s' user and %s document ids", 076 searchDocument.getPropertyValue("rs:ace_username"), 077 StringUtils.join((List<String>) searchDocument.getPropertyValue("rs:ecm_ancestorIds"), ",")); 078 } 079 080 @Override 081 public String getCategory() { 082 return CATEGORY; 083 } 084 085 @Override 086 @SuppressWarnings("unchecked") 087 public void work() { 088 TransientStore store = getStore(); 089 store.putParameter(id, "status", new PurgeWorkStatus(PurgeWorkStatus.State.RUNNING)); 090 setStatus("Purging"); 091 openSystemSession(); 092 093 PageProviderService pageProviderService = Framework.getService(PageProviderService.class); 094 PageProviderDefinition def = pageProviderService.getPageProviderDefinition("permissions_purge"); 095 String query = NXQLQueryBuilder.getQuery(searchDocument, def.getWhereClause(), null); 096 097 List<String> docIds = new ArrayList<>(); 098 try (IterableQueryResult result = session.queryAndFetch(query, NXQL.NXQL)) { 099 for (Map<String, Serializable> map : result) { 100 docIds.add((String) map.get("ecm:uuid")); 101 } 102 } 103 104 List<String> usernames = (List<String>) searchDocument.getPropertyValue("rs:ace_username"); 105 log.info("Purging permissions on {} documents for usernames: {} and ancestorIds: {}", docIds::size, 106 () -> usernames, () -> searchDocument.getPropertyValue("rs:ecm_ancestorIds")); 107 108 int acpUpdatedCount = 0; 109 for (String docId : docIds) { 110 DocumentRef ref = new IdRef(docId); 111 ACP acp = session.getACP(ref); 112 // cleanup acp for all principals 113 boolean changed = false; 114 for (String username : usernames) { 115 for (ACL acl : acp.getACLs()) { 116 for (ACE ace : acl) { 117 if (username.equals(ace.getUsername())) { 118 Calendar now = new GregorianCalendar(); 119 ace.setEnd(now); 120 changed = true; 121 } 122 } 123 } 124 } 125 126 try { 127 if (changed) { 128 session.setACP(ref, acp, true); 129 acpUpdatedCount++; 130 if (acpUpdatedCount % batchSize == 0) { 131 commitOrRollbackTransaction(); 132 startTransaction(); 133 } 134 } 135 } catch (TransactionRuntimeException e) { 136 if (e.getMessage().contains("Transaction timeout")) { 137 batchSize = 1; 138 } 139 throw e; 140 } 141 142 } 143 setStatus(null); 144 } 145 146 @Override 147 public void cleanUp(boolean ok, Exception e) { 148 try { 149 super.cleanUp(ok, e); 150 } finally { 151 getStore().putParameter(id, "status", new PurgeWorkStatus(PurgeWorkStatus.State.COMPLETED)); 152 } 153 } 154 155 public String launch() { 156 WorkManager works = Framework.getService(WorkManager.class); 157 TransientStore store = getStore(); 158 store.putParameter(id, "status", new PurgeWorkStatus(PurgeWorkStatus.State.SCHEDULED)); 159 works.schedule(this); 160 return id; 161 } 162 163 @Override 164 public int getRetryCount() { 165 return 10; 166 } 167 168 static PurgeWorkStatus getStatus(String id) { 169 TransientStore store = getStore(); 170 if (!store.exists(id)) { 171 return null; 172 } 173 return (PurgeWorkStatus) store.getParameter(id, "status"); 174 } 175}