jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1370806 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: security/authorization/PermissionValidator.java security/privilege/PrivilegeConstants.java spi/security/authorization/Permissions.java
Date Wed, 08 Aug 2012 15:17:45 GMT
Author: angela
Date: Wed Aug  8 15:17:45 2012
New Revision: 1370806

URL: http://svn.apache.org/viewvc?rev=1370806&view=rev
Log:
OAK-51 : Implement JCR Access Control Management  (work in progress)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConstants.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java?rev=1370806&r1=1370805&r2=1370806&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
Wed Aug  8 15:17:45 2012
@@ -18,14 +18,20 @@ package org.apache.jackrabbit.oak.securi
 
 import javax.jcr.AccessDeniedException;
 
+import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.commons.PathUtils;
 import org.apache.jackrabbit.oak.core.ReadOnlyTree;
+import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
+import org.apache.jackrabbit.oak.plugins.type.NodeTypeConstants;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
 import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
+import org.apache.jackrabbit.util.Text;
 
 /**
  * PermissionValidator... TODO
@@ -55,30 +61,23 @@ public class PermissionValidator impleme
     //----------------------------------------------------------< Validator >---
     @Override
     public void propertyAdded(PropertyState after) throws CommitFailedException {
-        int permissions = getPermissions(after, Permissions.ADD_PROPERTY);
-        checkPermissions(getPath(after), permissions);
+        checkPermissions(parentAfter, after, Permissions.ADD_PROPERTY);
     }
 
     @Override
     public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException
{
-        int permissions = getPermissions(after, Permissions.MODIFY_PROPERTY);
-        checkPermissions(getPath(after), permissions);
+        checkPermissions(parentAfter, after, Permissions.MODIFY_PROPERTY);
     }
 
     @Override
     public void propertyDeleted(PropertyState before) throws CommitFailedException {
-        int permissions = getPermissions(before, Permissions.REMOVE_PROPERTY);
-        checkPermissions(getPath(before), permissions);
+        checkPermissions(parentBefore, before, Permissions.REMOVE_PROPERTY);
     }
 
     @Override
     public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException
{
         ReadOnlyTree child = new ReadOnlyTree(parentAfter, name, after);
-
-        int permissions = getPermissions(child, Permissions.ADD_NODE);
-        checkPermissions(child.getPath(), permissions);
-
-        return new PermissionValidator(compiledPermissions, null, child);
+        return checkPermissions(child, false, Permissions.ADD_NODE);
     }
 
     @Override
@@ -89,67 +88,104 @@ public class PermissionValidator impleme
         // TODO
 
         return new PermissionValidator(compiledPermissions, childBefore, childAfter);
-
     }
 
     @Override
     public Validator childNodeDeleted(String name, NodeState before) throws CommitFailedException
{
         ReadOnlyTree child = new ReadOnlyTree(parentBefore, name, before);
-
-        int permissions = getPermissions(child, Permissions.REMOVE_NODE);
-        checkPermissions(child.getPath(), permissions);
-
-        return new PermissionValidator(compiledPermissions, child, null);
+        return checkPermissions(child, true, Permissions.REMOVE_NODE);
     }
 
     //------------------------------------------------------------< private >---
-    private void checkPermissions(String path, int permissions) throws CommitFailedException
{
-        if (!compiledPermissions.isGranted(path, permissions))    {
-            throw new CommitFailedException(new AccessDeniedException());
+    private void checkPermissions(Tree parent, PropertyState property, int defaultPermission)
throws CommitFailedException {
+        String parentPath = parent.getPath();
+        String name = property.getName();
+
+        int permission;
+        if (JcrConstants.JCR_PRIMARYTYPE.equals(name) || JcrConstants.JCR_MIXINTYPES.equals(name))
{
+            // TODO: distinguish between autocreated and user-supplied modification (?)
+            permission = Permissions.NODE_TYPE_MANAGEMENT;
+        } else if (PropertyState.OAK_CHILD_ORDER.equals(property.getName())) {
+            permission = Permissions.MODIFY_CHILD_NODE_COLLECTION;
+        } else if (isLockProperty(name)) {
+            permission = Permissions.LOCK_MANAGEMENT;
+        } else if (isNamespaceDefinition(parentPath)) {
+            permission = Permissions.NAMESPACE_MANAGEMENT;
+        } else if (isNodeTypeDefinition(parentPath)) {
+            permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
+        } else if (isPrivilegeDefinition(parentPath)) {
+            permission = Permissions.PRIVILEGE_MANAGEMENT;
+        } else if (isAccessControl(parent, property)) {
+            permission = Permissions.MODIFY_ACCESS_CONTROL;
+        } else {
+            // TODO: identify specific permission depending on type of protection
+            // - version property -> version management
+            // - user/group property -> user management
+            permission = defaultPermission;
         }
+
+        checkPermissions(PathUtils.concat(parentPath, name), permission);
     }
 
+    private PermissionValidator checkPermissions(ReadOnlyTree tree, boolean isBefore, int
defaultPermission) throws CommitFailedException {
+        String path = tree.getPath();
+        int permission;
+
+        if (isNamespaceDefinition(path)) {
+            permission = Permissions.NAMESPACE_MANAGEMENT;
+        } else if (isNodeTypeDefinition(path)) {
+            permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
+        } else if (isPrivilegeDefinition(path)) {
+            permission = Permissions.PRIVILEGE_MANAGEMENT;
+        } else if (isAccessControl(tree)) {
+            permission = Permissions.MODIFY_ACCESS_CONTROL;
+        } else {
+            // TODO: identify specific permission depending on additional types of protection
+            // - versioning -> version management
+            // - user/group -> user management
+            // - workspace management ???
+            permission = defaultPermission;
+        }
 
-    private int getPermissions(PropertyState property, int defaultPermission) {
-        if (isProtected(property)) {
-            // TODO: identify specific permission depending on type of protection
-            // - access controlled property
-            // - lock property
-            // - version property
-            // - mixinType/primaryType -> nt-management permission
-            // - node type definition -> nt-definition-management
-            // - namespace definition -> namespace management
-            // - privilege -> privilege management
-            // - user/group property -> user management
-            return Permissions.NO_PERMISSION;
-        } else if (PropertyState.OAK_CHILD_ORDER.equals(property.getName())) {
-            return Permissions.MODIFY_CHILD_NODE_COLLECTION;
+        if (Permissions.isRepositoryPermissions(permission)) {
+            checkPermissions((String) null, permission);
+            return null; // no need for further validation down the subtree
         } else {
-            return defaultPermission;
+            checkPermissions(path, permission);
+            return (isBefore) ?
+                    new PermissionValidator(compiledPermissions, tree, null) :
+                    new PermissionValidator(compiledPermissions, null, tree);
         }
     }
 
-    private int getPermissions(ReadOnlyTree tree, int defaultPermissions) {
-        if (isProtected(tree)) {
-            // TODO: identify specific permission depending on type of protection
-            return Permissions.NO_PERMISSION;
-        } else {
-            return defaultPermissions;
+    private void checkPermissions(String path, int permissions) throws CommitFailedException
{
+        if (!compiledPermissions.isGranted(path, permissions))    {
+            throw new CommitFailedException(new AccessDeniedException());
         }
     }
 
-    private boolean isProtected(PropertyState property) {
-        // TODO
+    private static boolean isAccessControl(Tree parent) {
+        // TODO: depends on ac-model
         return false;
     }
 
-    private boolean isProtected(ReadOnlyTree tree) {
-        // TODO
+    private static boolean isAccessControl(Tree parent, PropertyState property) {
+        // TODO: depends on ac-model
         return false;
     }
 
-    private String getPath(PropertyState property) {
-        String parentPath = (parentAfter != null) ? parentAfter.getPath() : parentBefore.getPath();
-        return PathUtils.concat(parentPath, property.getName());
+    private static boolean isLockProperty(String name) {
+        return JcrConstants.JCR_LOCKISDEEP.equals(name) || JcrConstants.JCR_LOCKOWNER.equals(name);
+    }
+
+    private static boolean isNamespaceDefinition(String path) {
+        return Text.isDescendant(NamespaceConstants.NAMESPACES_PATH, path);
+    }
+    private static boolean isNodeTypeDefinition(String path) {
+        return Text.isDescendant(NodeTypeConstants.NODE_TYPES_PATH, path);
+    }
+
+    private static boolean isPrivilegeDefinition(String path) {
+        return Text.isDescendant(PrivilegeConstants.PRIVILEGES_PATH, path);
     }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConstants.java?rev=1370806&r1=1370805&r2=1370806&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConstants.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConstants.java
Wed Aug  8 15:17:45 2012
@@ -16,10 +16,15 @@
  */
 package org.apache.jackrabbit.oak.security.privilege;
 
+import org.apache.jackrabbit.JcrConstants;
+
 /**
  * PrivilegeConstants... TODO
  */
-interface PrivilegeConstants {
+public interface PrivilegeConstants {
+
+    String REP_PRIVILEGES = "rep:privileges";
+    String PRIVILEGES_PATH = '/' + JcrConstants.JCR_SYSTEM + '/' + REP_PRIVILEGES;
     
     String JCR_READ = "jcr:read";
     String JCR_MODIFY_PROPERTIES = "jcr:modifyProperties";

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java?rev=1370806&r1=1370805&r2=1370806&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java
Wed Aug  8 15:17:45 2012
@@ -107,10 +107,9 @@ public final class Permissions {
         PERMISSION_NAMES.put(WORKSPACE_MANAGEMENT, "WORKSPACE_MANAGEMENT");
         PERMISSION_NAMES.put(PRIVILEGE_MANAGEMENT, "PRIVILEGE_MANAGEMENT");
         PERMISSION_NAMES.put(USER_MANAGEMENT, "USER_MANAGEMENT");
-
     }
 
-    public String getString(int permissions) {
+    public static String getString(int permissions) {
         if (PERMISSION_NAMES.containsKey(permissions)) {
             return PERMISSION_NAMES.get(permissions);
         } else {
@@ -123,6 +122,12 @@ public final class Permissions {
             }
             return sb.toString();
         }
+    }
 
+    public static boolean isRepositoryPermissions(int permissions) {
+        return permissions == NAMESPACE_MANAGEMENT ||
+               permissions == NODE_TYPE_DEFINITION_MANAGEMENT ||
+               permissions == PRIVILEGE_MANAGEMENT ||
+               permissions == WORKSPACE_MANAGEMENT;
     }
 }



Mime
View raw message