in src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java [295:355]
public static void setPrincipalAcl(Session session, String principalName, Collection<AclLine> lines, boolean isStrict) throws RepositoryException {
final JackrabbitAccessControlManager acMgr = getJACM(session);
Principal principal = AccessControlUtils.getPrincipal(session, principalName);
if (principal == null) {
// due to transient nature of the repo-init the principal lookup may not succeed if completed through query
// -> save transient changes and retry principal lookup
session.save();
principal = AccessControlUtils.getPrincipal(session, principalName);
checkState(principal != null, PRINCIPAL_NOT_FOUND_PATTERN, principalName);
}
final PrincipalAccessControlList acl = getPrincipalAccessControlList(acMgr, principal, true);
if (acl == null && isStrict) {
String principalDescription = principal.getName();
// try to get path of principal in case it is backed by a JCR user/group
if (principal instanceof ItemBasedPrincipal) {
principalDescription += " (" + ((ItemBasedPrincipal) principal).getPath() + ")";
}
throw new IllegalStateException("No PrincipalAccessControlList available for principal '" + principalDescription + "'.");
}
boolean modified = false;
for (AclLine line : lines) {
AclLine.Action action = line.getAction();
List<String> jcrPaths = getJcrPaths(session, line.getProperty(PROP_PATHS));
if (action == AclLine.Action.DENY) {
throw new AccessControlException("PrincipalAccessControlList doesn't support 'deny' entries.");
} else if (action == AclLine.Action.REMOVE) {
throw new IllegalArgumentException(AclLine.Action.REMOVE + " is not supported. Use 'remove principal acl' instead.");
} else if (action == AclLine.Action.REMOVE_ALL) {
if (removePrincipalEntries(acl, principalName, entry -> jcrPaths.contains(entry.getEffectivePath()))) {
modified = true;
}
} else if (action == AclLine.Action.ALLOW) {
final Privilege[] privileges = AccessControlUtils.privilegesFromNames(acMgr, line.getProperty(PROP_PRIVILEGES).toArray(new String[0]));
for (String effectivePath : jcrPaths) {
if (acl == null) {
// no PrincipalAccessControlList available: don't fail if an equivalent path-based entry with the same definition exists
// or if there exists no node at the effective path (unable to evaluate path-based entries).
LOG.info("No PrincipalAccessControlList available for principal {}", principal);
if (!containsEquivalentEntry(session, effectivePath, principal, privileges, true, line.getRestrictions())) {
LOG.warn("No equivalent path-based entry exists for principal {} and effective path {} ", principal.getName(), effectivePath);
return;
}
} else {
final LocalRestrictions restrictions = createLocalRestrictions(line.getRestrictions(), acl, session);
final boolean added = acl.addEntry(effectivePath, privileges, restrictions.getRestrictions(), restrictions.getMVRestrictions());
if (!added) {
LOG.info("Equivalent principal-based entry already exists for principal {} and effective path {} ", principalName, effectivePath);
} else {
modified = true;
}
}
}
} else {
throw new IllegalArgumentException("Unknown action " + action);
}
}
if (modified) {
acMgr.setPolicy(acl.getPath(), acl);
}
}