public void createAce()

in src/main/java/org/apache/sling/jcr/contentloader/internal/DefaultContentCreator.java [934:1002]

• 45 lines of code
• 10 McCabe index (conditional complexity)

    public void createAce(String principalId, Collection<LocalPrivilege> privileges, String order)
            throws RepositoryException {
        final Node parentNode = this.parentNodeStack.peek();
        Session jcrSession = parentNode.getSession();

        // validate that the principal name is valid
        PrincipalManager principalManager = AccessControlUtil.getPrincipalManager(jcrSession);
        Principal principal = principalId == null ? null : principalManager.getPrincipal(principalId);
        if (principal == null) {
            // SLING-7268 - as pointed out in OAK-5496, we cannot successfully use
            // PrincipalManager#getPrincipal in oak
            // without the session that created the principal getting saved first (and a
            // subsequent index update).
            // Workaround by trying the UserManager#getAuthorizable API to locate the
            // principal.
            UserManager userManager = AccessControlUtil.getUserManager(jcrSession);
            final Authorizable authorizable = userManager.getAuthorizable(principalId);
            if (authorizable != null) {
                principal = authorizable.getPrincipal();
            }
        }

        if (principal == null) {
            throw new RepositoryException("No principal found for id: " + principalId);
        }

        // validate that the privilege names are valid
        AccessControlManager acm = AccessControlUtil.getAccessControlManager(jcrSession);
        for (LocalPrivilege localPrivilege: privileges) {
            localPrivilege.checkPrivilege(acm);
        }

        String resourcePath = parentNode.getPath();

        // build a list of each of the LocalPrivileges that have the same restrictions
        Map<Set<LocalRestriction>, List<LocalPrivilege>> allowRestrictionsToLocalPrivilegesMap = new HashMap<>();
        Map<Set<LocalRestriction>, List<LocalPrivilege>> denyRestrictionsToLocalPrivilegesMap = new HashMap<>();
        for (LocalPrivilege localPrivilege: privileges) {
            if (localPrivilege.isAllow()) {
                List<LocalPrivilege> list = allowRestrictionsToLocalPrivilegesMap.computeIfAbsent(localPrivilege.getAllowRestrictions(), key -> new ArrayList<>());
                list.add(localPrivilege);
            }
            if (localPrivilege.isDeny()) {
                List<LocalPrivilege> list = denyRestrictionsToLocalPrivilegesMap.computeIfAbsent(localPrivilege.getDenyRestrictions(), key -> new ArrayList<>());
                list.add(localPrivilege);
            }
        }

        try {
            // Get or create the ACL for the node.
            JackrabbitAccessControlList acl = getAcl(acm, resourcePath, principal);

            // remove all the old aces for the principal
            order = removeAces(resourcePath, order, principal, acl);

            // now add all the new aces that we have collected
            Map<Privilege, Integer> privilegeLongestDepthMap = buildPrivilegeLongestDepthMap(acm.privilegeFromName(PrivilegeConstants.JCR_ALL));
            addAces(resourcePath, principal, denyRestrictionsToLocalPrivilegesMap, false, acl, privilegeLongestDepthMap);
            addAces(resourcePath, principal, allowRestrictionsToLocalPrivilegesMap, true, acl, privilegeLongestDepthMap);

            // reorder the aces
            reorderAccessControlEntries(acl, principal, order);

            // Store the actual changes.
            acm.setPolicy(acl.getPath(), acl);
        } catch (RepositoryException re) {
            throw new RepositoryException("Failed to create ace.", re);
        }
    }