From my...@apache.org
Subject svn commit: r1464159 - in /sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity: ResourceAccessGate.java impl/ResourceAccessGateTracker.java impl/ResourceAccessSecurityImpl.java
Date Wed, 03 Apr 2013 19:13:57 GMT
Author: mykee
Date: Wed Apr  3 19:13:57 2013
New Revision: 1464159

URL: http://svn.apache.org/r1464159
Log:
SLING-2698 - resource access security service for resource providers without backing ACLs,
Part 5

Modified:
    sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java
    sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessGateTracker.java
    sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java

Modified: sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java?rev=1464159&r1=1464158&r2=1464159&view=diff
==============================================================================
--- sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java
(original)
+++ sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java
Wed Apr  3 19:13:57 2013
@@ -22,31 +22,30 @@ import org.apache.sling.api.resource.Res
 import org.apache.sling.api.resource.ResourceResolver;
 import org.apache.sling.api.security.AccessSecurityException;
 
-
 /**
- * The <code>ResourceAccessGate</code> defines a service API which might 
- * be used to make some restrictions to accessing resources.
+ * The <code>ResourceAccessGate</code> defines a service API which might be used
+ * to make some restrictions to accessing resources.
  * 
  * Implementations of this service interface must be registered like
  * ResourceProvider with a path (like provider.roots). If different
  * ResourceAccessGateService services match a path, not only the
- * ResourceAccessGateService with the longest path should be called, but all
- * of them, that's in contrast to the ResourceProvider, but in this case more
+ * ResourceAccessGateService with the longest path should be called, but all of
+ * them, that's in contrast to the ResourceProvider, but in this case more
  * logical (and secure!).
-
+ * 
  * service properties:
  * <ul>
  * <li><b>path</b>: regexp to define on which paths the service should
be called
  * (default .*)</li>
- * <li><b>operations</b>: set of operations on which the service should
be called
- * ("read,create,update,delete,execute", default all of them)</li>
- * <li><b>finaloperations</b>: set of operations on which the service answer
is final an
- * no other service should be called (default none of them)</li>
+ * <li><b>operations</b>: set of operations on which the service should
be
+ * called ("read,create,update,delete,execute", default all of them)</li>
+ * <li><b>finaloperations</b>: set of operations on which the service answer
is
+ * final an no other service should be called (default none of them)</li>
  * </ul>
- *
+ * 
  */
 public interface ResourceAccessGate {
-    
+
     /**
      * The service name to use when registering implementations of this
      * interface as services (value is
@@ -55,9 +54,9 @@ public interface ResourceAccessGate {
     String SERVICE_NAME = ResourceAccessGate.class.getName();
 
     /**
-     * The name of the service registration property containing the path
-     * as a regular expression for which the service should be called 
-     * (value is "path").
+     * The name of the service registration property containing the path as a
+     * regular expression for which the service should be called (value is
+     * "path").
      */
     String PATH = "path";
 
@@ -70,10 +69,9 @@ public interface ResourceAccessGate {
 
     /**
      * The name of the service registration property containing the operations
-     * for which the service should be called and no further service should 
-     * be called after this, except the services returns DONTCARE as result, 
-     * default is empty (non of them are final)
-     * (value is "finaloperations").
+     * for which the service should be called and no further service should be
+     * called after this, except the services returns DONTCARE as result,
+     * default is empty (non of them are final) (value is "finaloperations").
      */
     String FINALOPERATIONS = "finaloperations";
 
@@ -83,83 +81,99 @@ public interface ResourceAccessGate {
      * <ul>
      * <li>GRANTED: means no restrictions</li>
      * <li>DENIED: means no permission for the requested action</li>
-     * <li>DONTCARE: means that the implementation of the service has no information
-     * or can't decide and therefore neither can't grant or deny access</li>
+     * <li>DONTCARE: means that the implementation of the service has no
+     * information or can't decide and therefore neither can't grant or deny
+     * access</li>
      * </ul>
      */
-    public enum GateResult { GRANTED, DENIED, DONTCARE };
-    
-    public enum Operation { READ("read"),
-                            CREATE("create"),
-                            UPDATE("update"),
-                            DELETE("delete"),
-                            EXECUTE("execute");
-    
+    public enum GateResult {
+        GRANTED, DENIED, DONTCARE
+    };
+
+    public enum Operation {
+        READ("read"), CREATE("create"), UPDATE("update"), DELETE("delete"), EXECUTE(
+                "execute");
+
         private String text;
-    
-        Operation( String text ) {
+
+        Operation(String text) {
             this.text = text;
         }
-        
-        public static Operation fromString( String opAsString ) {
+
+        public static Operation fromString(String opAsString) {
             Operation returnValue = null;
-            
+
             for (Operation op : Operation.values()) {
-                if ( opAsString.equals(op.getText()))
-                {
+                if (opAsString.equals(op.getText())) {
                     returnValue = op;
                     break;
                 }
             }
-            
+
             return returnValue;
         }
-        
-        public String getText(){
+
+        public String getText() {
             return this.text;
         }
     }
-    
-    
-    public GateResult canRead( Resource resource, String user );
-    public GateResult canCreate( String absPathName, String user );
-    public GateResult canUpdate( Resource resource, String user );
-    public GateResult canDelete( Resource resource, String user );
-    public GateResult canExecute( Resource resource, String user );
-
-    public GateResult canReadValue( Resource resource, String valueName, String user );
-    public GateResult canCreateValue( Resource resource, String valueName, String user );
-    public GateResult canUpdateValue( Resource resource, String valueName, String user );
-    public GateResult canDeleteValue( Resource resource, String valueName, String user );
-
-    /**
-     * Allows to transform the query based on the current
-     * user's credentials. Can be used to narrow down queries to omit results
-     * that the current user is not allowed to see anyway, speeding up
-     * downstream access control.
+
+    public GateResult canRead(Resource resource);
+
+    public GateResult canCreate(String absPathName,
+            ResourceResolver resourceResolver);
+
+    public GateResult canUpdate(Resource resource);
+
+    public GateResult canDelete(Resource resource);
+
+    public GateResult canExecute(Resource resource);
+
+    public GateResult canReadValue(Resource resource, String valueName);
+
+    public GateResult canCreateValue(Resource resource, String valueName);
+
+    public GateResult canUpdateValue(Resource resource, String valueName);
+
+    public GateResult canDeleteValue(Resource resource, String valueName);
+
+    /**
+     * Allows to transform the query based on the current user's credentials.
+     * Can be used to narrow down queries to omit results that the current user
+     * is not allowed to see anyway, speeding up downstream access control.
      * 
-     * Query transformations are not critical with respect to access control as results
-     * are checked using the canRead.. methods anyway. 
+     * Query transformations are not critical with respect to access control as
+     * results are checked using the canRead.. methods anyway.
      * 
-     * @param query the query
-     * @param language the language in which the query is expressed
-     * @param resourceResolver the resource resolver which resolves the query
+     * @param query
+     *            the query
+     * @param language
+     *            the language in which the query is expressed
+     * @param resourceResolver
+     *            the resource resolver which resolves the query
      * @return the transformed query
-     * @throws AccessSecurityException 
+     * @throws AccessSecurityException
      */
-    public String transformQuery(String query, String language, ResourceResolver resourceResolver)
-            throws AccessSecurityException;
+    public String transformQuery(String query, String language,
+            ResourceResolver resourceResolver) throws AccessSecurityException;
 
     /* for convenience (and performance) */
-    public boolean hasReadRestrictions( String user );
-    public boolean hasCreateRestrictions( String user );
-    public boolean hasUpdateRestrictions( String user );
-    public boolean hasDeleteRestrictions( String user );
-    public boolean hasExecuteRestrictions( String user );
-
-    public boolean canReadAllValues( Resource resource, String user );
-    public boolean canCreateAllValues( Resource resource, String user );
-    public boolean canUpdateAllValues( Resource resource, String user );
-    public boolean canDeleteAllValues( Resource resource, String user );
+    public boolean hasReadRestrictions(ResourceResolver resourceResolver);
+
+    public boolean hasCreateRestrictions(ResourceResolver resourceResolver);
+
+    public boolean hasUpdateRestrictions(ResourceResolver resourceResolver);
+
+    public boolean hasDeleteRestrictions(ResourceResolver resourceResolver);
+
+    public boolean hasExecuteRestrictions(ResourceResolver resourceResolver);
+
+    public boolean canReadAllValues(Resource resource);
+
+    public boolean canCreateAllValues(Resource resource);
+
+    public boolean canUpdateAllValues(Resource resource);
+
+    public boolean canDeleteAllValues(Resource resource);
 
 }
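Review bot: The `can*`, `can*Value`, `has*Restrictions` and `can*AllValues` declarations in this hunk carry no Javadoc, and with the `String user` parameter removed nothing states whose permissions an implementation is expected to evaluate. The interface should say that the identity comes from the resolver bound to the argument (presumably `resource.getResourceResolver().getUserID()`, which is how ResourceAccessSecurityImpl obtains the user in this commit) and what a DONTCARE answer means for the caller. For example, on `canRead`: `/** Decides read access for the user of resource.getResourceResolver(); returns DONTCARE when this gate has no opinion. */`. The interface declaration starts above this hunk.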

Modified: sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessGateTracker.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessGateTracker.java?rev=1464159&r1=1464158&r2=1464159&view=diff
==============================================================================
--- sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessGateTracker.java
(original)
+++ sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessGateTracker.java
Wed Apr  3 19:13:57 2013
@@ -29,20 +29,22 @@ import org.osgi.framework.BundleContext;
 import org.osgi.framework.ServiceReference;
 import org.osgi.framework.ServiceRegistration;
 
-public class ResourceAccessGateTracker extends SortingServiceTracker<ResourceAccessGate>
{
-    
+public class ResourceAccessGateTracker extends
+        SortingServiceTracker<ResourceAccessGate> {
+
     private List<ResourceAccessGateHandler> resourceAccessGateHandlers = null;
     private ServiceRegistration decoratorRegistration = null;
-    
+
     /**
      * Constructor
      */
-    public ResourceAccessGateTracker(final BundleContext context ) {
+    public ResourceAccessGateTracker(final BundleContext context) {
         super(context, ResourceAccessGate.class.getName());
     }
 
     /**
-     * @see org.osgi.util.tracker.ServiceTracker#removedService(org.osgi.framework.ServiceReference,
java.lang.Object)
+     * @see org.osgi.util.tracker.ServiceTracker#removedService(org.osgi.framework.ServiceReference,
+     *      java.lang.Object)
      */
     @Override
     public void removedService(ServiceReference reference, Object service) {
@@ -51,7 +53,8 @@ public class ResourceAccessGateTracker e
     }
 
     /**
-     * @see org.osgi.util.tracker.ServiceTrackerCustomizer#modifiedService(org.osgi.framework.ServiceReference,
java.lang.Object)
+     * @see org.osgi.util.tracker.ServiceTrackerCustomizer#modifiedService(org.osgi.framework.ServiceReference,
+     *      java.lang.Object)
      */
     @Override
     public void modifiedService(ServiceReference reference, Object service) {
@@ -68,21 +71,22 @@ public class ResourceAccessGateTracker e
         resourceAccessGateHandlers = null;
         return returnValue;
     }
-    
-    public List<ResourceAccessGateHandler> getResourceAccessGateHandlers () {
+
+    public List<ResourceAccessGateHandler> getResourceAccessGateHandlers() {
         List<ResourceAccessGateHandler> returnValue = resourceAccessGateHandlers;
-        
-        if ( returnValue == null )
-        {
+
+        if (returnValue == null) {
             resourceAccessGateHandlers = new ArrayList<ResourceAccessGateHandler>();
             for (ServiceReference serviceReference : getSortedServiceReferences()) {
-                resourceAccessGateHandlers.add( new ResourceAccessGateHandler(serviceReference)
);
+                resourceAccessGateHandlers.add(new ResourceAccessGateHandler(
+                        serviceReference));
             }
-            resourceAccessGateHandlers = Collections.unmodifiableList(resourceAccessGateHandlers);
+            resourceAccessGateHandlers = Collections
+                    .unmodifiableList(resourceAccessGateHandlers);
             returnValue = resourceAccessGateHandlers;
         }
-        
+
         return returnValue;
     }
-        
+
 }

Modified: sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java?rev=1464159&r1=1464158&r2=1464159&view=diff
==============================================================================
--- sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java
(original)
+++ sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java
Wed Apr  3 19:13:57 2013
@@ -37,16 +37,13 @@ import org.apache.sling.resourceaccessse
 import org.osgi.framework.Constants;
 import org.osgi.service.component.ComponentContext;
 
-@Component(
-        name = "org.apache.sling.api.security.ResourceAccessSecurity",
-        immediate = true )
-@Service( value={ResourceAccessSecurity.class})
-   @Properties({
-       @Property(name = Constants.SERVICE_DESCRIPTION, value = "Apache Sling ResourceAccessSecurity"),
-       @Property(name = Constants.SERVICE_VENDOR, value = "The Apache Software Foundation")
-   })
+@Component(name = "org.apache.sling.api.security.ResourceAccessSecurity", immediate = true)
+@Service(value = { ResourceAccessSecurity.class })
+@Properties({
+        @Property(name = Constants.SERVICE_DESCRIPTION, value = "Apache Sling ResourceAccessSecurity"),
+        @Property(name = Constants.SERVICE_VENDOR, value = "The Apache Software Foundation")
})
 public class ResourceAccessSecurityImpl implements ResourceAccessSecurity {
-    
+
     private ResourceAccessGateTracker resourceAccessGateTracker;
 
     // ---------- SCR Integration ---------------------------------------------
@@ -54,9 +51,10 @@ public class ResourceAccessSecurityImpl 
     /** Activates this component, called by SCR before registering as a service */
     @Activate
     protected void activate(final ComponentContext componentContext) {
-        resourceAccessGateTracker = new ResourceAccessGateTracker( componentContext.getBundleContext()
);
+        resourceAccessGateTracker = new ResourceAccessGateTracker(
+                componentContext.getBundleContext());
         resourceAccessGateTracker.open();
-        
+
     }
 
     /**
@@ -66,26 +64,32 @@ public class ResourceAccessSecurityImpl 
     protected void deactivate() {
         resourceAccessGateTracker.close();
     }
-    
-    private List<ResourceAccessGateHandler> getMatchingResourceAccessGateHandlers (
String path, ResourceAccessGate.Operation operation ) {
-        /* TODO: maybe caching some frequent paths with read operation would be a good idea
*/
-        List<ResourceAccessGateHandler> returnValue = resourceAccessGateTracker.getResourceAccessGateHandlers();
-        
-        if ( returnValue.size() > 0 ) {
+
+    private List<ResourceAccessGateHandler> getMatchingResourceAccessGateHandlers(
+            String path, ResourceAccessGate.Operation operation) {
+        /*
+         * TODO: maybe caching some frequent paths with read operation would be
+         * a good idea
+         */
+        List<ResourceAccessGateHandler> returnValue = resourceAccessGateTracker
+                .getResourceAccessGateHandlers();
+
+        if (returnValue.size() > 0) {
             returnValue = new ArrayList<ResourceAccessGateHandler>();
-            
-            for (ResourceAccessGateHandler resourceAccessGateHandler : resourceAccessGateTracker.getResourceAccessGateHandlers()
) {
-                if ( resourceAccessGateHandler.matches(path, operation) ) {
+
+            for (ResourceAccessGateHandler resourceAccessGateHandler : resourceAccessGateTracker
+                    .getResourceAccessGateHandlers()) {
+                if (resourceAccessGateHandler.matches(path, operation)) {
                     returnValue.add(resourceAccessGateHandler);
                 }
             }
         }
-        
+
         return returnValue;
     }
-    
-    public boolean areResourceAccessGatesRegistered () {
-        return (resourceAccessGateTracker.size() > 0 );
+
+    public boolean areResourceAccessGatesRegistered() {
+        return (resourceAccessGateTracker.size() > 0);
     }
 
     @Override
@@ -93,56 +97,61 @@ public class ResourceAccessSecurityImpl 
         Resource returnValue = resource;
         ResourceResolver resResolver = resource.getResourceResolver();
         String user = resResolver.getUserID();
-        
-        List<ResourceAccessGateHandler> accessGateHandlers =
-                getMatchingResourceAccessGateHandlers( resource.getPath(), ResourceAccessGate.Operation.READ
);
-        
+
+        List<ResourceAccessGateHandler> accessGateHandlers = getMatchingResourceAccessGateHandlers(
+                resource.getPath(), ResourceAccessGate.Operation.READ);
+
         GateResult finalGateResult = null;
         boolean canReadAllValues = false;
         List<ResourceAccessGate> accessGatesForValues = null;
-        
+
         for (ResourceAccessGateHandler resourceAccessGateHandler : accessGateHandlers) {
-            GateResult gateResult = resourceAccessGateHandler.getResourceAccessGate().canRead(resource,
user);
-            if ( !canReadAllValues && gateResult == GateResult.GRANTED ) {
-                if ( resourceAccessGateHandler.getResourceAccessGate().canReadAllValues(resource,
user) ) {
+            GateResult gateResult = resourceAccessGateHandler
+                    .getResourceAccessGate().canRead(resource);
+            if (!canReadAllValues && gateResult == GateResult.GRANTED) {
+                if (resourceAccessGateHandler.getResourceAccessGate()
+                        .canReadAllValues(resource)) {
                     canReadAllValues = true;
                     accessGatesForValues = null;
-                }
-                else {
-                    if ( accessGatesForValues == null ) {
+                } else {
+                    if (accessGatesForValues == null) {
                         accessGatesForValues = new ArrayList<ResourceAccessGate>();
                     }
-                    accessGatesForValues.add( resourceAccessGateHandler.getResourceAccessGate()
);
+                    accessGatesForValues.add(resourceAccessGateHandler
+                            .getResourceAccessGate());
                 }
             }
-            if ( finalGateResult == null ) {
+            if (finalGateResult == null) {
                 finalGateResult = gateResult;
-            }
-            else if ( finalGateResult == GateResult.DENIED ){
+            } else if (finalGateResult == GateResult.DENIED) {
                 finalGateResult = gateResult;
             }
-            if ( resourceAccessGateHandler.isFinalOperation(ResourceAccessGate.Operation.READ)
) {
+            if (resourceAccessGateHandler
+                    .isFinalOperation(ResourceAccessGate.Operation.READ)) {
                 break;
             }
         }
-        
-        // return NonExistingResource if access is denied or no ResourceAccessGate is present
-        if ( finalGateResult == null || finalGateResult == GateResult.DENIED ) {
-            returnValue = new NonExistingResource( resResolver, resource.getPath() );
-        }
-        else if ( finalGateResult == GateResult.DONTCARE ) {
+
+        // return NonExistingResource if access is denied or no
+        // ResourceAccessGate is present
+        if (finalGateResult == null || finalGateResult == GateResult.DENIED) {
+            returnValue = new NonExistingResource(resResolver,
+                    resource.getPath());
+        } else if (finalGateResult == GateResult.DONTCARE) {
             returnValue = resource;
         }
-        // wrap Resource if read access is not or partly (values) not granted 
-        else if ( !canReadAllValues ) {
-            returnValue = new AccessGateResourceWrapper( resource, accessGatesForValues );
+        // wrap Resource if read access is not or partly (values) not granted
+        else if (!canReadAllValues) {
+            returnValue = new AccessGateResourceWrapper(resource,
+                    accessGatesForValues);
         }
-        
+
         return returnValue;
     }
 
     @Override
-    public boolean canCreate(String absPathName, ResourceResolver resourceResolver) {
+    public boolean canCreate(String absPathName,
+            ResourceResolver resourceResolver) {
         // TODO Auto-generated method stub
         return false;
     }
@@ -184,8 +193,8 @@ public class ResourceAccessSecurityImpl 
     }
 
     @Override
-    public String transformQuery(String query, String language, ResourceResolver resourceResolver)
-            throws AccessSecurityException {
+    public String transformQuery(String query, String language,
+            ResourceResolver resourceResolver) throws AccessSecurityException {
         return query;
     }
 


