private static void makeFileNonReadable(String file) throws IOException { Path filePath = Paths.get(file); Set<String> supportedAttr = filePath.getFileSystem().supportedFileAttributeViews(); if (supportedAttr.contains("posix")) { Files.setPosixFilePermissions(filePath, PosixFilePermissions.fromString("-w--w----")); } else if (supportedAttr.contains("acl")) { UserPrincipal fileOwner = Files.getOwner(filePath); AclFileAttributeView view = Files.getFileAttributeView(filePath, AclFileAttributeView.class); AclEntry entry = AclEntry.newBuilder() .setType(AclEntryType.DENY) .setPrincipal(fileOwner) .setPermissions(AclEntryPermission.READ_DATA) .build(); List<AclEntry> acl = view.getAcl(); acl.add(0, entry); view.setAcl(acl); } }
/** * Add the proper File-System permissions to a file so that SQL Server can run a RESTORE query. * * @param username The username that SQL Server runs as, e.g. "NETWORK SERVICE" * @param file The file whose permissions will be modified. * @throws IOException */ public static void addRestorePermissions(String username, Path file) throws IOException { AclFileAttributeView aclAttr = Files.getFileAttributeView(file, AclFileAttributeView.class); UserPrincipalLookupService currULS = file.getFileSystem().getUserPrincipalLookupService(); UserPrincipal principal = currULS.lookupPrincipalByName(username); AclEntry.Builder builder = AclEntry.newBuilder(); builder.setPermissions(EnumSet.of(AclEntryPermission.READ_DATA, AclEntryPermission.READ_ACL, AclEntryPermission.READ_ATTRIBUTES, AclEntryPermission.READ_NAMED_ATTRS, AclEntryPermission.EXECUTE, AclEntryPermission.SYNCHRONIZE)); builder.setPrincipal(principal); builder.setType(AclEntryType.ALLOW); aclAttr.setAcl(Collections.singletonList(builder.build())); }
@Override protected void protectPrivateKeyFile(File sshKey) throws ServerException { try { AclFileAttributeView attributes = Files.getFileAttributeView(sshKey.toPath(), AclFileAttributeView.class); AclEntry.Builder builder = AclEntry.newBuilder(); builder.setType(ALLOW); String ownerName = System.getProperty(OWNER_NAME_PROPERTY); UserPrincipal userPrincipal = FileSystems.getDefault().getUserPrincipalLookupService().lookupPrincipalByName(ownerName); builder.setPrincipal(userPrincipal); builder.setPermissions( READ_DATA, APPEND_DATA, READ_NAMED_ATTRS, READ_ATTRIBUTES, DELETE, READ_ACL, SYNCHRONIZE); AclEntry entry = builder.build(); List<AclEntry> aclEntryList = new ArrayList<>(); aclEntryList.add(entry); attributes.setAcl(aclEntryList); } catch (IOException e) { throw new ServerException("Failed to set file permissions"); } }
private static List<FileAttribute<List<AclEntry>>> getAclAttributes(Path file) throws IOException { if (Files.exists(file) && supportsFileOwnerAttributeView(file, AclFileAttributeView.class)) { AclFileAttributeView aclView = Files.getFileAttributeView(file, AclFileAttributeView.class); if (aclView != null) { final List<AclEntry> entries = aclView.getAcl(); return Collections.singletonList(new FileAttribute<List<AclEntry>>() { @Override public List<AclEntry> value() { return entries; } @Override public String name() { return "acl:acl"; } }); } } return Collections.emptyList(); }
private AclEntry createConfigurationAccessACLEntry(UserPrincipal user) { AclEntry entry = AclEntry .newBuilder() .setType(AclEntryType.ALLOW) .setPrincipal(user) .setPermissions( AclEntryPermission.WRITE_NAMED_ATTRS, AclEntryPermission.WRITE_DATA, AclEntryPermission.WRITE_ATTRIBUTES, AclEntryPermission.READ_ATTRIBUTES, AclEntryPermission.APPEND_DATA, AclEntryPermission.READ_DATA, AclEntryPermission.READ_NAMED_ATTRS, AclEntryPermission.READ_ACL, AclEntryPermission.SYNCHRONIZE, AclEntryPermission.DELETE) .setFlags(AclEntryFlag.FILE_INHERIT) .build(); return entry; }
@Test public void testView() throws IOException { AclFileAttributeView view = provider.view( fileLookup(), ImmutableMap.<String, FileAttributeView>of( "owner", new OwnerAttributeProvider().view(fileLookup(), NO_INHERITED_VIEWS))); assertNotNull(view); assertThat(view.name()).isEqualTo("acl"); assertThat(view.getAcl()).isEqualTo(defaultAcl); view.setAcl(ImmutableList.<AclEntry>of()); view.setOwner(FOO); assertThat(view.getAcl()).isEqualTo(ImmutableList.<AclEntry>of()); assertThat(view.getOwner()).isEqualTo(FOO); assertThat(file.getAttribute("acl", "acl")).isEqualTo(ImmutableList.<AclEntry>of()); }
private Set<AclEntryPermission> getOwnerPermissions(Collection<AclEntry> entries, UserPrincipal owner) { Set<AclEntryPermission> set = new HashSet<>(); for (AclEntry aclEntry : entries) { if (aclEntry.principal().equals(owner)) { Set<AclEntryPermission> permissions = aclEntry.permissions(); for (AclEntryPermission aclEntryPermission : permissions) { set.add(aclEntryPermission); } } } return set; }
@Override public ImmutableMap<String, ?> defaultValues(Map<String, ?> userProvidedDefaults) { Object userProvidedAcl = userProvidedDefaults.get("acl:acl"); ImmutableList<AclEntry> acl = DEFAULT_ACL; if (userProvidedAcl != null) { acl = toAcl(checkType("acl", "acl", userProvidedAcl, List.class)); } return ImmutableMap.of("acl:acl", acl); }
@SuppressWarnings("unchecked") // only cast after checking each element's type private static ImmutableList<AclEntry> toAcl(List<?> list) { ImmutableList<?> copy = ImmutableList.copyOf(list); for (Object obj : copy) { if (!(obj instanceof AclEntry)) { throw new IllegalArgumentException( "invalid element for attribute 'acl:acl': should be List<AclEntry>, " + "found element of type " + obj.getClass()); } } return (ImmutableList<AclEntry>) copy; }
private AclEntry getAclEntry(UserPrincipal user, Set<AclEntryPermission> permissions) throws IOException { return AclEntry.newBuilder().setPermissions(permissions) .setPrincipal(user) .setType(AclEntryType.ALLOW) .build(); }
/** * if os is windows then posix will not be called and we need to find permission in different manner * * @param file local file path */ private void saveWindowsfilePermissions(final Path file) throws IOException { Set<AclEntryPermission> aclEntryPermissions; String userType; String userDisplay; StringBuilder permission; final AclFileAttributeView view = Files.getFileAttributeView(file, AclFileAttributeView.class); final List<AclEntry> aclEntries = view.getAcl(); final StringBuilder userList = new StringBuilder(); final StringBuilder userDisplayList = new StringBuilder(); final Map<String, Set<Integer>> stringSetMap = new HashMap<>(); for (final AclEntry aclEntry : aclEntries) { /* If a file has no Windoze dacl entries, as may happen on a network-mounted file system, there won't be a principal entry. A principal is a combination of security provider, like NT AUTHORITY, and user name, e.g. NT AUTHORITY\Gracie. This code is looking for the user name -- the second half of the principal. With no principal, there is no second half of the principal. */ final String[] principalFields = aclEntry.principal().getName().split("\\\\"); if (principalFields.length < 2) { continue; } userDisplay = principalFields[1]; Set<Integer> newSet = stringSetMap.get(userDisplay); aclEntryPermissions = aclEntry.permissions(); if (newSet == null) { newSet = new HashSet<>(); } for (final AclEntryPermission aclEntryPermission : aclEntryPermissions) { newSet.add(aclEntryPermission.ordinal()); } stringSetMap.put(userDisplay, newSet); } final int setSize = stringSetMap.size(); int userCount = 1; for (final Map.Entry<String, Set<Integer>> entry: stringSetMap.entrySet()) { int index = 1; final Set<Integer> ordinals = entry.getValue(); final String key = entry.getKey(); userType = key.replaceAll(" ", "").toLowerCase(); permission = new StringBuilder(); for (final int ord : ordinals) { if (ordinals.size() == index) { permission.append(ord); } else { permission.append(ord).append("-"); } index++; } if (setSize == userCount) { userDisplayList.append(key); userList.append(userType); } else { userDisplayList.append(key).append("-"); userList.append(userType).append("-"); } metadataMap.put("x-amz-meta-ds3-" + userType, permission.toString()); userCount++; } metadataMap.put("x-amz-meta-ds3-userList", userList.toString()); metadataMap.put("x-amz-meta-ds3-userListDisplay", userDisplayList.toString()); }
private List<AclEntry> getLocalAclEntries(ItemType type, List<AclEntry> parentAclList, List<AclEntry> childAclList) { List<AclEntry> aclList = new ArrayList<>(); for (AclEntry childEntry : childAclList) { boolean found = false; for (AclEntry parentEntry : parentAclList) { if (!parentEntry.type().equals(childEntry.type())) continue; if (!parentEntry.principal().equals(childEntry.principal())) continue; if (!parentEntry.permissions().equals(childEntry.permissions())) continue; if (!parentEntry.flags().equals(childEntry.flags())) { if (parentEntry.flags().contains(AclEntryFlag.INHERIT_ONLY)) { found = true; break; } else { if (type.equals(ItemType.FOLDER)) { if (parentEntry.flags().contains(AclEntryFlag.DIRECTORY_INHERIT)) { found = true; break; } } else { if (parentEntry.flags().contains(AclEntryFlag.FILE_INHERIT)) { found = true; break; } } } continue; } found = true; break; } if (found) continue; // System.out.println("CHILD: "+childEntry.toString()); /* * System.out.println("\n\n"); * System.out.println("CHILD: "+childEntry.toString()); * * for(AclEntry parentEntry : parentAclList){ * * System.out.println("PARENT: "+parentEntry.toString()); } * * System.out.println("\n\n"); */ aclList.add(childEntry); } return aclList; }
@SuppressWarnings("unchecked") @Override public List<AclEntry> getAcl() throws IOException { return (List<AclEntry>) lookupFile().getAttribute("acl", "acl"); }
@Override public void setAcl(List<AclEntry> acl) throws IOException { checkNotNull(acl); lookupFile().setAttribute("acl", "acl", ImmutableList.copyOf(acl)); }
