jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r792160 - in /jackrabbit/trunk/jackrabbit-core/src: main/java/org/apache/jackrabbit/core/security/authorization/ main/java/org/apache/jackrabbit/core/security/authorization/acl/ main/java/org/apache/jackrabbit/core/security/authorization/pr...
Date Wed, 08 Jul 2009 14:24:07 GMT
Author: angela
Date: Wed Jul  8 14:24:07 2009
New Revision: 792160

URL: http://svn.apache.org/viewvc?rev=792160&view=rev
Log:
 JCR-1588: JSR 283: Access Control

- minor improvement, javadoc, java 5, tests

Modified:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractCompiledPermissions.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractCompiledPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractCompiledPermissions.java?rev=792160&r1=792159&r2=792160&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractCompiledPermissions.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractCompiledPermissions.java
Wed Jul  8 14:24:07 2009
@@ -60,7 +60,7 @@
     protected abstract Result buildResult(Path absPath) throws RepositoryException;
 
     /**
-     *
+     * Removes all entries from the cache.
      */
     protected void clearCache() {
         synchronized (cache) {

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java?rev=792160&r1=792159&r2=792160&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java
Wed Jul  8 14:24:07 2009
@@ -24,6 +24,7 @@
 import javax.jcr.Session;
 import java.util.Map;
 import java.util.Set;
+import java.security.Principal;
 
 /**
  * The AccessControlProvider is used to provide access control policy and entry
@@ -116,7 +117,7 @@
      * specified set of principals.
      * @throws RepositoryException If an error occurs.
      */
-    CompiledPermissions compilePermissions(Set principals) throws RepositoryException;
+    CompiledPermissions compilePermissions(Set<Principal> principals) throws RepositoryException;
 
     /**
      * Returns <code>true</code> if the given set of principals can access the
@@ -130,5 +131,5 @@
      * <code>false</code> otherwise.
      * @throws RepositoryException If an error occurs.
      */
-    boolean canAccessRoot(Set principals) throws RepositoryException;
+    boolean canAccessRoot(Set<Principal> principals) throws RepositoryException;
 }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java?rev=792160&r1=792159&r2=792160&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
Wed Jul  8 14:24:07 2009
@@ -183,7 +183,7 @@
     /**
      * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#compilePermissions(Set)
      */
-    public CompiledPermissions compilePermissions(Set principals) throws RepositoryException
{
+    public CompiledPermissions compilePermissions(Set<Principal> principals) throws
RepositoryException {
         checkInitialized();
         if (isAdminOrSystem(principals)) {
             return getAdminPermissions();
@@ -197,7 +197,7 @@
     /**
      * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#canAccessRoot(Set)
      */
-    public boolean canAccessRoot(Set principals) throws RepositoryException {
+    public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException
{
         checkInitialized();
         if (isAdminOrSystem(principals)) {
             return true;
@@ -338,14 +338,14 @@
          */
         private boolean readAllowed;
 
-        private AclPermissions(Set principals) throws RepositoryException {
+        private AclPermissions(Set<Principal> principals) throws RepositoryException
{
             this(principals, true);
         }
 
-        private AclPermissions(Set principals, boolean listenToEvents) throws RepositoryException
{
+        private AclPermissions(Set<Principal> principals, boolean listenToEvents) throws
RepositoryException {
             principalNames = new ArrayList(principals.size());
-            for (Iterator it = principals.iterator(); it.hasNext();) {
-                principalNames.add(((Principal) it.next()).getName());
+            for (Principal princ : principals) {
+                principalNames.add(princ.getName());
             }
             jcrReadPrivilegeName = session.getAccessControlManager().privilegeFromName(Privilege.JCR_READ).getName();
 
@@ -382,8 +382,9 @@
          * this shortcut is not possible.
          *
          * @param principalnames
+         * @return true if read is allowed everywhere.
          */
-        private boolean isReadAllowed(Collection principalnames) {
+        private boolean isReadAllowed(Collection<String> principalnames) {
             boolean isReadAllowed = false;
             if (initializedWithDefaults) {
                 try {
@@ -478,7 +479,7 @@
             int parentAllows = PrivilegeRegistry.NO_PRIVILEGE;
             int parentDenies = PrivilegeRegistry.NO_PRIVILEGE;
 
-            while (entries.hasNext() && allows != privAll) {
+            while (entries.hasNext()) {
                 ACLTemplate.Entry ace = (ACLTemplate.Entry) entries.next();
                 // Determine if the ACE is defined on the node at absPath (locally):
                 // Except for READ-privileges the permissions must be determined
@@ -616,6 +617,11 @@
         }
     }
 
+    //--------------------------------------------------------------------------
+    /**
+     * Inner class used to collect ACEs for a given set of principals throughout
+     * the node hierarchy.
+     */
     private class Entries {
 
         private final ListOrderedMap principalNamesToEntries;

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java?rev=792160&r1=792159&r2=792160&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
Wed Jul  8 14:24:07 2009
@@ -202,7 +202,7 @@
     /**
      * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#compilePermissions(Set)
      */
-    public CompiledPermissions compilePermissions(Set principals) throws RepositoryException
{
+    public CompiledPermissions compilePermissions(Set<Principal> principals) throws
RepositoryException {
         checkInitialized();
         if (isAdminOrSystem(principals)) {
             return getAdminPermissions();
@@ -216,7 +216,7 @@
     /**
      * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#canAccessRoot(Set)
      */
-    public boolean canAccessRoot(Set principals) throws RepositoryException {
+    public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException
{
         checkInitialized();
         if (isAdminOrSystem(principals)) {
             return true;
@@ -233,15 +233,15 @@
     private class CompiledPermissionImpl extends AbstractCompiledPermissions
             implements SynchronousEventListener {
 
-        private final Set principals;
-        private final Set acPaths;
-        private ACLProvider.Entries entries;
+        private final Set<Principal> principals;
+        private final Set<String> acPaths;
+        private List<AccessControlEntry> entries;
 
         /**
          * @param principals
          * @throws RepositoryException
          */
-        private CompiledPermissionImpl(Set principals) throws RepositoryException {
+        private CompiledPermissionImpl(Set<Principal> principals) throws RepositoryException
{
             this(principals, true);
         }
 
@@ -249,7 +249,7 @@
          * @param principals
          * @throws RepositoryException
          */
-        private CompiledPermissionImpl(Set principals, boolean listenToEvents) throws RepositoryException
{
+        private CompiledPermissionImpl(Set<Principal> principals, boolean listenToEvents)
throws RepositoryException {
 
             this.principals = principals;
             acPaths = new HashSet(principals.size());
@@ -282,13 +282,69 @@
             Result result;
             if (session.itemExists(jcrPath)) {
                 Item item = session.getItem(jcrPath);
-                result = entries.getResult(item, item.getPath(), isAcItem);
+                result = getResult(item, item.getPath(), isAcItem);
             } else {
-                result = entries.getResult(null, jcrPath, isAcItem);
+                result = getResult(null, jcrPath, isAcItem);
             }
             return result;
         }
 
+
+        /**
+         * Loop over all entries and evaluate allows/denies for those matching
+         * the given jcrPath.
+         *
+         * @param target Existing target item for which the permissions will be
+         * evaluated or <code>null</code>.
+         * @param targetPath Path used for the evaluation; pointing to an
+         * existing or non-existing item.
+         * @param isAcItem
+         * @return
+         * @throws RepositoryException
+         */
+        private Result getResult(Item target,
+                                 String targetPath,
+                                 boolean isAcItem) throws RepositoryException {
+            int allows = Permission.NONE;
+            int denies = Permission.NONE;
+            int allowPrivileges = PrivilegeRegistry.NO_PRIVILEGE;
+            int denyPrivileges = PrivilegeRegistry.NO_PRIVILEGE;
+            int parentAllows = PrivilegeRegistry.NO_PRIVILEGE;
+            int parentDenies = PrivilegeRegistry.NO_PRIVILEGE;
+
+            String parentPath = Text.getRelativeParent(targetPath, 1);
+            for (AccessControlEntry entry : entries) {
+                if (!(entry instanceof ACLTemplate.Entry)) {
+                    log.warn("Unexpected AccessControlEntry instance -> ignore");
+                    continue;
+                }
+                ACLTemplate.Entry entr = (ACLTemplate.Entry) entry;
+                int privs = entr.getPrivilegeBits();
+
+                if (!"".equals(parentPath) && entr.matches(parentPath)) {
+                    if (entr.isAllow()) {
+                        parentAllows |= Permission.diff(privs, parentDenies);
+                    } else {
+                        parentDenies |= Permission.diff(privs, parentAllows);
+                    }
+                }
+
+                boolean matches = (target != null) ? entr.matches(target) : entr.matches(targetPath);
+                if (matches) {
+                    if (entr.isAllow()) {
+                        allowPrivileges |= Permission.diff(privs, denyPrivileges);
+                        int permissions = PrivilegeRegistry.calculatePermissions(allowPrivileges,
parentAllows, true, isAcItem);
+                        allows |= Permission.diff(permissions, denies);
+                    } else {
+                        denyPrivileges |= Permission.diff(privs, allowPrivileges);
+                        int permissions = PrivilegeRegistry.calculatePermissions(denyPrivileges,
parentDenies, false, isAcItem);
+                        denies |= Permission.diff(permissions, allows);
+                    }
+                }
+            }
+            return new Result(allows, denies, allowPrivileges, denyPrivileges);
+        }
+
         //--------------------------------------------< CompiledPermissions >---
         /**
          * @see CompiledPermissions#close()
@@ -348,14 +404,14 @@
          * @return
          * @throws RepositoryException
          */
-        private ACLProvider.Entries reload() throws RepositoryException {
+        private List<AccessControlEntry> reload() throws RepositoryException {
             // reload the paths
             acPaths.clear();
 
             // acNodes must be ordered in the same order as the principals
             // in order to obtain proper acl-evalution in case the given
             // principal-set is ordered.
-            List allACEs = new ArrayList();
+            List<AccessControlEntry> allACEs = new ArrayList<AccessControlEntry>();
             // build acl-hierarchy assuming that principal-order determines the
             // acl-inheritance.
             for (Iterator it = principals.iterator(); it.hasNext();) {
@@ -371,80 +427,12 @@
                 }
             }
 
-            return new ACLProvider.Entries(allACEs);
+            return allACEs;
         }
     }
 
     //--------------------------------------------------------------------------
     /**
-     * Utility class that raps a list of access control entries and evaluates
-     * them for a specified item/path.
-     */
-    private class Entries {
-
-        private final List entries;
-
-        /**
-         *
-         * @param entries
-         */
-        private Entries(List entries) {
-            this.entries = entries;
-        }
-
-        /**
-         * Loop over all entries and evaluate allows/denies for those matching
-         * the given jcrPath.
-         *
-         * @param target Existing target item for which the permissions will be
-         * evaluated or <code>null</code>.
-         * @param targetPath Path used for the evaluation; pointing to an
-         * existing or non-existing item.
-         * @param isAcItem
-         * @return
-         * @throws RepositoryException
-         */
-        private AbstractCompiledPermissions.Result getResult(Item target,
-                                                             String targetPath,
-                                                             boolean isAcItem) throws RepositoryException
{
-            int allows = Permission.NONE;
-            int denies = Permission.NONE;
-            int allowPrivileges = PrivilegeRegistry.NO_PRIVILEGE;
-            int denyPrivileges = PrivilegeRegistry.NO_PRIVILEGE;
-            int parentAllows = PrivilegeRegistry.NO_PRIVILEGE;
-            int parentDenies = PrivilegeRegistry.NO_PRIVILEGE;
-
-            String parentPath = Text.getRelativeParent(targetPath, 1);
-            for (Iterator it = entries.iterator(); it.hasNext() && allows != Permission.ALL;)
{
-                ACLTemplate.Entry entr = (ACLTemplate.Entry) it.next();
-                int privs = entr.getPrivilegeBits();
-
-                if (!"".equals(parentPath) && entr.matches(parentPath)) {
-                    if (entr.isAllow()) {
-                        parentAllows |= Permission.diff(privs, parentDenies);
-                    } else {
-                        parentDenies |= Permission.diff(privs, parentAllows);
-                    }
-                }
-
-                boolean matches = (target != null) ? entr.matches(target) : entr.matches(targetPath);
-                if (matches) {
-                    if (entr.isAllow()) {
-                        allowPrivileges |= Permission.diff(privs, denyPrivileges);
-                        int permissions = PrivilegeRegistry.calculatePermissions(allowPrivileges,
parentAllows, true, isAcItem);
-                        allows |= Permission.diff(permissions, denies);
-                    } else {
-                        denyPrivileges |= Permission.diff(privs, allowPrivileges);
-                        int permissions = PrivilegeRegistry.calculatePermissions(denyPrivileges,
parentDenies, false, isAcItem);
-                        denies |= Permission.diff(permissions, allows);
-                    }
-                }
-            }
-            return new AbstractCompiledPermissions.Result(allows, denies, allowPrivileges,
denyPrivileges);
-        }
-    }
-
-    /**
      * Dummy effective policy 
      */
     private static final class EffectivePrincipalBasedPolicy implements AccessControlPolicy
{

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java?rev=792160&r1=792159&r2=792160&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java
Wed Jul  8 14:24:07 2009
@@ -40,6 +40,9 @@
 import javax.jcr.security.AccessControlPolicy;
 import javax.jcr.security.Privilege;
 import java.security.Principal;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Arrays;
 
 /**
  * <code>AbstractEvaluationTest</code>...
@@ -924,6 +927,32 @@
         }
     }
 
+    public void testSingleDenyAfterAllAllowed() throws
+            NotExecutableException, RepositoryException {
+
+        /* add 'all' privilege for testSession at path. */
+        Privilege[] allPrivileges = privilegesFromName(Privilege.JCR_ALL);
+        givePrivileges(path, allPrivileges, getRestrictions(superuser, path));
+
+        /* deny a single privilege */
+        Privilege[] lockPrivileges = privilegesFromName(Privilege.JCR_LOCK_MANAGEMENT);
+        withdrawPrivileges(path, lockPrivileges, getRestrictions(superuser, path));
+
+        /* test permissions. expected result:
+           - testSession cannot lock at 'path'
+           - testSession doesn't have ALL privilege at path
+         */
+        Session testSession = getTestSession();
+        AccessControlManager acMgr = testSession.getAccessControlManager();
+
+        assertFalse(acMgr.hasPrivileges(path, allPrivileges));
+        assertFalse(acMgr.hasPrivileges(path, lockPrivileges));
+
+        List<Privilege> remainingprivs = new ArrayList<Privilege>(Arrays.asList(allPrivileges[0].getAggregatePrivileges()));
+        remainingprivs.remove(lockPrivileges[0]);
+        assertTrue(acMgr.hasPrivileges(path, remainingprivs.toArray(new Privilege[remainingprivs.size()])));
+    }
+
     private static Node findPolicyNode(Node start) throws RepositoryException {
         Node policyNode = null;
         if (start.isNodeType("rep:Policy")) {



Mime
View raw message