001/*
002 * (C) Copyright 2006-2014 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Thierry Delprat <tdelprat@nuxeo.com>
018 */
019
020package org.nuxeo.ecm.multi.tenant.acl;
021
022import java.util.List;
023
024import org.nuxeo.ecm.core.api.DocumentModel;
025import org.nuxeo.ecm.core.api.event.CoreEventConstants;
026import org.nuxeo.ecm.core.api.event.DocumentEventTypes;
027import org.nuxeo.ecm.core.api.security.ACE;
028import org.nuxeo.ecm.core.api.security.ACL;
029import org.nuxeo.ecm.core.api.security.ACP;
030import org.nuxeo.ecm.core.event.Event;
031import org.nuxeo.ecm.core.event.EventListener;
032import org.nuxeo.ecm.core.event.impl.DocumentEventContext;
033import org.nuxeo.ecm.multi.tenant.MultiTenantHelper;
034import org.nuxeo.ecm.multi.tenant.MultiTenantService;
035import org.nuxeo.runtime.api.Framework;
036
037/**
038 * Intercepts ACL changes and restrict Grant to Tenant bound groups for a configured list of global groups
039 *
040 * @author tiry
041 */
042public class ACLUpdateListener implements EventListener {
043
044    @Override
045    public void handleEvent(Event event) {
046
047        if (DocumentEventTypes.BEFORE_DOC_SECU_UPDATE.equals(event.getName())) {
048
049            MultiTenantService mts = Framework.getService(MultiTenantService.class);
050            if (!mts.isTenantIsolationEnabled(event.getContext().getCoreSession())) {
051                return;
052            }
053            List<String> prohibitedGroups = mts.getProhibitedGroups();
054
055            DocumentModel target = ((DocumentEventContext) event.getContext()).getSourceDocument();
056            ACP newACP = (ACP) event.getContext().getProperty(CoreEventConstants.NEW_ACP);
057
058            for (ACL acl : newACP.getACLs()) {
059                int idx = 0;
060                for (ACE ace : acl.getACEs()) {
061                    if (ace.isGranted() && prohibitedGroups.contains(ace.getUsername())) {
062                        String tenantId = MultiTenantHelper.getOwningTenantId(target);
063                        if (tenantId != null) {
064                            acl.set(idx,
065                                    new ACE(MultiTenantHelper.computeTenantMembersGroup(tenantId), ace.getPermission(),
066                                            ace.isGranted()));
067                        }
068                    }
069                    idx++;
070                }
071            }
072        }
073    }
074}