jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1325657 - in /jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privileges: ./ PrivilegeManagerImpl.java diff.txt
Date Fri, 13 Apr 2012 08:43:24 GMT
Author: angela
Date: Fri Apr 13 08:43:24 2012
New Revision: 1325657

URL: http://svn.apache.org/viewvc?rev=1325657&view=rev
Log:
OAK-64 : Privilege Management (WIP)

Added:
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privileges/
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privileges/PrivilegeManagerImpl.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privileges/diff.txt

Added: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privileges/PrivilegeManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privileges/PrivilegeManagerImpl.java?rev=1325657&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privileges/PrivilegeManagerImpl.java
(added)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privileges/PrivilegeManagerImpl.java
Fri Apr 13 08:43:24 2012
@@ -0,0 +1,188 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.privileges;
+
+import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
+import org.apache.jackrabbit.oak.jcr.NodeImpl;
+import org.apache.jackrabbit.oak.jcr.SessionContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.Node;
+import javax.jcr.NodeIterator;
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import javax.jcr.Workspace;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.Privilege;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * PrivilegeManagerImpl...
+ */
+public class PrivilegeManagerImpl implements PrivilegeManager {
+
+    /**
+     * logger instance
+     */
+    private static final Logger log = LoggerFactory.getLogger(PrivilegeManagerImpl.class);
+
+    // TODO: move to an appropriate place
+    // TODO: proper namespace handling once this is present in oak-jcr
+    private static final String PRIVILEGE_ROOT = Workspace.NAME_SYSTEM_NODE + "/{internal}privileges";
+
+    private static final String NT_REP_PRIVILEGE = "rep:Privilege";
+    private static final String REP_IS_ABSTRACT = "rep:isAbstract";
+    private static final String REP_CONTAINS = "rep:contains";
+
+    private final SessionContext sessionContext;
+
+    public PrivilegeManagerImpl(SessionContext sessionContext) throws RepositoryException
{
+        this.sessionContext = sessionContext;
+        // TODO: add additional validation ??
+    }
+
+    @Override
+    public Privilege[] getRegisteredPrivileges() throws RepositoryException {
+        Map<String, Privilege> privileges = new HashMap<String, Privilege>();
+        NodeIterator it = getPrivilegeRoot().getNodes();
+        while (it.hasNext()) {
+            Node privilegeNode = it.nextNode();
+            Privilege p = getPrivilege(privilegeNode, privileges);
+            if (p != null) {
+                privileges.put(p.getName(),  p);
+            }
+        }
+        return privileges.values().toArray(new Privilege[privileges.size()]);
+    }
+
+    @Override
+    public Privilege getPrivilege(String privilegeName) throws AccessControlException, RepositoryException
{
+        NodeImpl privilegeRoot = getPrivilegeRoot();
+        if (privilegeRoot.hasNode(privilegeName)) {
+            return getPrivilege(privilegeRoot.getNode(privilegeName), new HashMap<String,
Privilege>(1));
+        } else {
+            throw new AccessControlException("No such privilege " + privilegeName);
+        }
+    }
+
+    @Override
+    public Privilege registerPrivilege(String privilegeName, boolean isAbstract,
+                                       String[] declaredAggregateNames)
+            throws AccessDeniedException, RepositoryException {
+
+        // TODO
+        return null;
+    }
+
+    //--------------------------------------------------------------------------
+    private NodeImpl getPrivilegeRoot() throws RepositoryException {
+        return (NodeImpl) sessionContext.getSession().getNode(PRIVILEGE_ROOT);
+    }
+
+    private Privilege getPrivilege(Node privilegeNode, Map<String, Privilege> collected)
throws RepositoryException {
+        Privilege privilege = null;
+        if (privilegeNode.isNodeType(NT_REP_PRIVILEGE)) {
+            String name = privilegeNode.getName();
+            boolean isAbstract = privilegeNode.getProperty(REP_IS_ABSTRACT).getBoolean();
+
+            Set<String> declaredAggrNames;
+            if (privilegeNode.hasProperty(REP_CONTAINS)) {
+                Value[] vs = privilegeNode.getProperty(REP_CONTAINS).getValues();
+                declaredAggrNames = new HashSet<String>(vs.length);
+                for (Value v : vs) {
+                    String privName = v.getString();
+                    if (getPrivilegeRoot().hasNode(privName)) {
+                        declaredAggrNames.add(privName);
+                    }
+                }
+            } else {
+                declaredAggrNames = Collections.emptySet();
+            }
+            privilege = new PrivilegeImpl(name, isAbstract, declaredAggrNames);
+        }
+
+        return privilege;
+    }
+
+    //--------------------------------------------------------------------------
+    private class PrivilegeImpl implements Privilege {
+
+        private final String name;
+        private final boolean isAbstract;
+        private final Set<String> declaredAggregateNames;
+
+        private Privilege[] declaredAggregates;
+
+        private PrivilegeImpl(String name, boolean isAbstract, Set<String> declaredAggregateNames)
{
+            this.name = name;
+            this.isAbstract = isAbstract;
+            this.declaredAggregateNames = declaredAggregateNames;
+        }
+
+        //------------------------------------------------------< Privilege >---
+        @Override
+        public String getName() {
+            return name;
+        }
+
+        @Override
+        public boolean isAbstract() {
+            return isAbstract;
+        }
+
+        @Override
+        public boolean isAggregate() {
+            return declaredAggregateNames.size() > 0;
+        }
+
+        @Override
+        public Privilege[] getDeclaredAggregatePrivileges() {
+            if (declaredAggregates == null) {
+                Set<Privilege> dagrPrivs = new HashSet<Privilege>(declaredAggregateNames.size());
+                for (String pName : declaredAggregateNames) {
+                    try {
+                        dagrPrivs.add(getPrivilege(pName));
+                    } catch (RepositoryException e) {
+                        log.warn("Error while retrieving privilege "+ pName +" contained
in " + getName(), e.getMessage());
+                    }
+                }
+                declaredAggregates = dagrPrivs.toArray(new Privilege[dagrPrivs.size()]);
+            }
+            return declaredAggregates;
+        }
+
+        @Override
+        public Privilege[] getAggregatePrivileges() {
+            Set<Privilege> aggr = new HashSet<Privilege>();
+            for (Privilege decl : getDeclaredAggregatePrivileges()) {
+                aggr.add(decl);
+                if (decl.isAggregate()) {
+                    // TODO: defensive check to prevent circular aggregation
+                    aggr.addAll(Arrays.asList(decl.getAggregatePrivileges()));
+                }
+            }
+            return aggr.toArray(new Privilege[aggr.size()]);
+        }
+    }
+}
\ No newline at end of file

Added: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privileges/diff.txt
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privileges/diff.txt?rev=1325657&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privileges/diff.txt
(added)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privileges/diff.txt
Fri Apr 13 08:43:24 2012
@@ -0,0 +1,24 @@
+differences regarding jackrabbit 2.x implementation
+================================================================================
+
+- privileges stored in repository content
+- PrivilegeManager used for JCR Access Control API but not for internal
+  permission evaluation (-> delegated to oak-core)
+
+
+TODO:
+================================================================================
+
+- PrivilegeManager#registerPrivilege
+  missing implementataion (still struggling with oak-api. what we need here
+  was the ability to add multiple items at once without the jcr-layer being able
+  to retrieve those items before they are being persisted)....
+
+- Privilege#getAggregates
+  since the privilege manager cannot really rely on proper validation,
+  it should make sure no circular aggregation has been introduced in a
+  deeper level).
+
+- Namespace handling on session level
+
+- Path/Name/NodeTypes handling that rely on oak-core implementation



Mime
View raw message