From ang...@apache.org
Subject svn commit: r1374191 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/ oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/
Date Fri, 17 Aug 2012 10:16:24 GMT
Author: angela
Date: Fri Aug 17 10:16:24 2012
New Revision: 1374191

URL: http://svn.apache.org/viewvc?rev=1374191&view=rev
Log:
OAK-50 : Implement User Management (WIP)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/AuthorizableImpl.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/GroupImpl.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/ImpersonationImpl.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/UserImpl.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/UserManagerImpl.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java?rev=1374191&r1=1374190&r2=1374191&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java
Fri Aug 17 10:16:24 2012
@@ -16,15 +16,19 @@
  */
 package org.apache.jackrabbit.oak.security.user;
 
+import java.security.Principal;
+import java.text.ParseException;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import javax.annotation.Nullable;
 import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
 import javax.jcr.nodetype.ConstraintViolationException;
+import javax.jcr.query.Query;
 
 import com.google.common.base.Function;
 import com.google.common.base.Predicate;
@@ -36,9 +40,13 @@ import org.apache.jackrabbit.commons.ite
 import org.apache.jackrabbit.oak.api.ContentSession;
 import org.apache.jackrabbit.oak.api.CoreValue;
 import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Result;
 import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.SessionQueryEngine;
 import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManager;
+import org.apache.jackrabbit.oak.spi.security.principal.TreeBasedPrincipal;
 import org.apache.jackrabbit.oak.spi.security.user.MembershipProvider;
 import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
 import org.apache.jackrabbit.oak.spi.security.user.UserManagerConfig;
@@ -54,7 +62,7 @@ import org.slf4j.LoggerFactory;
  *
  * <h1>UserProvider</h1>
  *
- * <h2>Creation</h2>
+ * <h2>User and Group Creation</h2>
  * This implementation creates the JCR nodes corresponding the a given
  * authorizable ID with the following behavior:
  * <ul>
@@ -130,7 +138,12 @@ import org.slf4j.LoggerFactory;
  *     <li>autoExpandSize</li>
  * </ul>
  *
- * <h2>Access by ID</h2>
+ * <h2>User and Group Access</h2>
+ * <h3>By ID</h3>
+ * TODO
+ * <h3>By Path</h3>
+ * TODO
+ * <h3>By Principal Name</h3>
  * TODO
  *
  * <h1>MembershipProvider</h1>
@@ -153,6 +166,7 @@ public class UserProviderImpl implements
 
     private final int defaultDepth;
     private final int splitSize;
+    private final String adminId;
 
     private final String groupPath;
     private final String userPath;
@@ -169,6 +183,7 @@ public class UserProviderImpl implements
             splitValue = 0;
         }
         this.splitSize = splitValue;
+        this.adminId = config.getAdminId();
 
         groupPath = config.getConfigValue(UserManagerConfig.PARAM_GROUP_PATH, DEFAULT_GROUP_PATH);
         userPath = config.getConfigValue(UserManagerConfig.PARAM_USER_PATH, DEFAULT_USER_PATH);
@@ -215,6 +230,55 @@ public class UserProviderImpl implements
         }
     }
 
+    @Override
+    public Tree getAuthorizableByPrincipal(Principal principal) {
+        Tree authorizableTree = null;
+        if (principal instanceof TreeBasedPrincipal) {
+            authorizableTree = root.getTree(((TreeBasedPrincipal) principal).getOakPath());
+        } else {
+            // NOTE: in contrast to JR2 the extra shortcut for ID==principalName
+            // can be omitted as principals names are stored in user defined
+            // index as well.
+            SessionQueryEngine queryEngine = contentSession.getQueryEngine();
+            try {
+                CoreValue bindValue = contentSession.getCoreValueFactory().createValue(principal.getName());
+                Map<String, CoreValue> bindings = Collections.singletonMap("principalName",
bindValue);
+                String stmt = "SELECT * FROM [rep:Authorizable] WHERE [rep:principalName]
= $principalName";
+                Result result = contentSession.getQueryEngine().executeQuery(stmt,
+                        Query.JCR_SQL2, 1, 0,
+                        Collections.singletonMap("principalName", bindValue),
+                        new NamePathMapper.Default());
+
+                Iterator rows = result.getRows().iterator();
+                if (rows.hasNext()) {
+                    String path = rows.next().toString();
+                    authorizableTree = root.getTree(path);
+                }
+            } catch (ParseException ex) {
+                log.error("query failed", ex);
+            }
+        }
+        return authorizableTree;
+    }
+
+    @Override
+    public String getAuthorizableId(Tree authorizableTree) {
+        assert authorizableTree != null;
+        PropertyState idProp = authorizableTree.getProperty(UserConstants.REP_AUTHORIZABLE_ID);
+        if (idProp != null) {
+            return idProp.getValue().getString();
+        } else {
+            return Text.unescapeIllegalJcrChars(authorizableTree.getName());
+        }
+    }
+
+    @Override
+    public boolean isAdminUser(Tree userTree) {
+        assert userTree != null;
+        return isAuthorizableTree(userTree, UserManager.SEARCH_TYPE_USER) &&
+               adminId.equals(getAuthorizableId(userTree));
+    }
+
     //--------------------------------------------------< MembershipProvider>---
     @Override
     public Iterator<String> getMembership(String authorizableId, boolean includeInherited)
{
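Review bot: In getAuthorizableByPrincipal the `catch (ParseException ex)` block only logs and then falls through to `return authorizableTree`, so a failed query looks exactly like "no authorizable has this principal name". Callers that guard on the result, such as the admin check in ImpersonationImpl (`a != null && ((User)a).isAdmin()`), would presumably skip the guard on a lookup error; surfacing the failure, for example `throw new IllegalStateException("query failed", ex);`, avoids that. In the same branch `queryEngine` and `bindings` are assigned but never used, because the call repeats `contentSession.getQueryEngine()` and `Collections.singletonMap("principalName", bindValue)`. `rows.next().toString()` on a raw `Iterator` is then passed to `root.getTree(path)`; whether a result row's string form is an Oak path is not visible here and should be confirmed or replaced by an explicit path accessor. The trailing getMembership signature belongs to a method that continues outside the hunk.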

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java?rev=1374191&r1=1374190&r2=1374191&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java
Fri Aug 17 10:16:24 2012
@@ -16,6 +16,7 @@
  */
 package org.apache.jackrabbit.oak.spi.security.user;
 
+import java.security.Principal;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import javax.jcr.RepositoryException;
@@ -42,4 +43,13 @@ public interface UserProvider {
 
     @CheckForNull
     Tree getAuthorizableByPath(String authorizableOakPath);
+
+    @CheckForNull
+    Tree getAuthorizableByPrincipal(Principal principal);
+
+    @Nonnull
+    String getAuthorizableId(Tree authorizableTree);
+
+    boolean isAdminUser(Tree userTree);
+
 }
\ No newline at end of file
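Review bot: The three methods added to UserProvider have no Javadoc, and their contract matters to callers that make authorization decisions on the result. getAuthorizableByPrincipal should state whether `null` means only "no match" or also "lookup failed", and whether the returned Tree is guaranteed to be a user or group node. getAuthorizableId and isAdminUser take a Tree without a nullability annotation although the implementation in this commit asserts non-null; I would declare them as `String getAuthorizableId(@Nonnull Tree authorizableTree);` and `boolean isAdminUser(@Nonnull Tree userTree);` and add a one-line description to each. The interface body starts outside this hunk.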

Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/AuthorizableImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/AuthorizableImpl.java?rev=1374191&r1=1374190&r2=1374191&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/AuthorizableImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/AuthorizableImpl.java
Fri Aug 17 10:16:24 2012
@@ -33,7 +33,6 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.commons.iterator.RangeIteratorAdapter;
-import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
 import org.apache.jackrabbit.oak.spi.security.user.MembershipProvider;
@@ -81,12 +80,7 @@ abstract class AuthorizableImpl implemen
      */
     @Override
     public String getID() {
-        PropertyState idProp = tree.getProperty(UserConstants.REP_AUTHORIZABLE_ID);
-        if (idProp != null) {
-            return idProp.getValue().getString();
-        } else {
-            return Text.unescapeIllegalJcrChars(getTree().getName());
-        }
+        return userManager.getUserProvider().getAuthorizableId(tree);
     }
 
     /**

Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/GroupImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/GroupImpl.java?rev=1374191&r1=1374190&r2=1374191&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/GroupImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/GroupImpl.java
Fri Aug 17 10:16:24 2012
@@ -19,16 +19,19 @@ package org.apache.jackrabbit.oak.jcr.se
 import java.security.Principal;
 import java.util.Enumeration;
 import java.util.Iterator;
+import javax.annotation.Nullable;
 import javax.jcr.Node;
 import javax.jcr.RepositoryException;
 
+import com.google.common.base.Function;
+import com.google.common.collect.Iterators;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.commons.iterator.RangeIteratorAdapter;
 import org.apache.jackrabbit.oak.api.Tree;
-import org.apache.jackrabbit.oak.spi.security.principal.TreeBasedPrincipal;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.principal.TreeBasedPrincipal;
 import org.apache.jackrabbit.oak.spi.security.user.MembershipProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -68,7 +71,7 @@ class GroupImpl extends AuthorizableImpl
      */
     @Override
     public Principal getPrincipal() throws RepositoryException {
-        return new GroupPrincipal(getPrincipalName());
+        return new GroupPrincipal(getPrincipalName(), getTree());
     }
 
     //--------------------------------------------------------------< Group >---
@@ -216,18 +219,18 @@ class GroupImpl extends AuthorizableImpl
      */
     private class GroupPrincipal extends TreeBasedPrincipal implements java.security.acl.Group
{
 
-        GroupPrincipal(String principalName) {
-            super(principalName, getTree(), getUserManager().getNamePathMapper());
+        GroupPrincipal(String principalName, Tree groupTree) {
+            super(principalName, groupTree, getUserManager().getNamePathMapper());
         }
 
         @Override
         public boolean addMember(Principal principal) {
-            return false;
+            throw new UnsupportedOperationException();
         }
 
         @Override
         public boolean removeMember(Principal principal) {
-            return false;
+            throw new UnsupportedOperationException();
         }
 
         @Override
@@ -254,9 +257,9 @@ class GroupImpl extends AuthorizableImpl
 
         @Override
         public Enumeration<? extends Principal> members() {
-            final Iterator<Authorizable> iterator;
+            final Iterator<Authorizable> members;
             try {
-                iterator = GroupImpl.this.getMembers();
+                members = GroupImpl.this.getMembers();
             } catch (RepositoryException e) {
                 // should not occur.
                 String msg = "Unable to retrieve Group members: " + e.getMessage();
@@ -264,25 +267,20 @@ class GroupImpl extends AuthorizableImpl
                 throw new IllegalStateException(msg);
             }
 
-            Enumeration<Principal> members = new Enumeration<Principal>() {
-
-                @Override
-                public boolean hasMoreElements() {
-                    return iterator.hasNext();
-                }
-
+            Iterator<Principal> principals = Iterators.transform(members, new Function<Authorizable,
Principal>() {
                 @Override
-                public Principal nextElement() {
+                public Principal apply(@Nullable Authorizable authorizable) {
+                    assert authorizable != null;
                     try {
-                        return iterator.next().getPrincipal();
+                        return authorizable.getPrincipal();
                     } catch (RepositoryException e) {
                         String msg = "Internal error while retrieving principal: " + e.getMessage();
                         log.error(msg);
                         throw new IllegalStateException(msg);
                     }
                 }
-            };
-            return members;
+            });
+            return Iterators.asEnumeration(principals);
         }
     }
 }
\ No newline at end of file
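Review bot: The `apply` callback still logs and rethrows with only `e.getMessage()`, so the RepositoryException's stack trace is lost at the point where a member's principal could not be resolved; since the block is being rewritten anyway, `log.error(msg, e);` and `throw new IllegalStateException(msg, e);` would keep the cause. The added `assert authorizable != null;` on a parameter annotated `@Nullable` is inactive unless the JVM runs with -ea, so in a default deployment a null element would surface as a NullPointerException from `authorizable.getPrincipal()`. The members() method starts outside this hunk.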

Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/ImpersonationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/ImpersonationImpl.java?rev=1374191&r1=1374190&r2=1374191&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/ImpersonationImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/ImpersonationImpl.java
Fri Aug 17 10:16:24 2012
@@ -112,7 +112,7 @@ class ImpersonationImpl implements Imper
 
         // make sure the given principal doesn't refer to the admin user.
         Authorizable a = user.getUserManager().getAuthorizable(p);
-        if (a != null && !a.isGroup() && ((User)a).isAdmin()) {
+        if (a != null && ((User)a).isAdmin()) {
             log.debug("Admin principal is already granted impersonation.");
             return false;
         }
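Review bot: Dropping `!a.isGroup()` leaves `((User)a).isAdmin()` as an unchecked cast, so a principal that resolves to a group authorizable would throw ClassCastException here unless a check earlier in the method, outside this hunk, already excludes groups. The hunk at -168 has the same pattern: `((User) a).isAdmin()` replaces an ID comparison that worked for any Authorizable, and that loop appears to iterate over principals that may include groups. Keeping the type test in both places, `if (a != null && !a.isGroup() && ((User) a).isAdmin()) {`, preserves the old behaviour for groups.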
@@ -168,7 +168,7 @@ class ImpersonationImpl implements Imper
                 }
                 UserManagerImpl userManager = user.getUserManager();
                 Authorizable a = userManager.getAuthorizable(p);
-                if (a != null && userManager.isAdminId(a.getID())) {
+                if (a != null && ((User) a).isAdmin()) {
                     allows = true;
                     break;
                 }
@@ -179,7 +179,7 @@ class ImpersonationImpl implements Imper
 
     //------------------------------------------------------------< private >---
 
-    private Set<String> getImpersonatorNames() throws RepositoryException {
+    private Set<String> getImpersonatorNames() {
         Set<String> princNames = new HashSet<String>();
         Tree userTree = user.getTree();
         PropertyState impersonators = userTree.getProperty(REP_IMPERSONATORS);

Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/UserImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/UserImpl.java?rev=1374191&r1=1374190&r2=1374191&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/UserImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/UserImpl.java
Fri Aug 17 10:16:24 2012
@@ -77,7 +77,7 @@ class UserImpl extends AuthorizableImpl 
      */
     @Override
     public boolean isAdmin() {
-        return getUserManager().isAdminId(getID());
+        return getUserManager().getUserProvider().isAdminUser(getTree());
     }
 
     /**

Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/UserManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/UserManagerImpl.java?rev=1374191&r1=1374190&r2=1374191&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/UserManagerImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/user/UserManagerImpl.java
Fri Aug 17 10:16:24 2012
@@ -28,7 +28,6 @@ import javax.jcr.RepositoryException;
 import javax.jcr.Session;
 import javax.jcr.UnsupportedRepositoryOperationException;
 
-import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.AuthorizableExistsException;
 import org.apache.jackrabbit.api.security.user.Group;
@@ -49,6 +48,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.user.PasswordUtility;
 import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
 import org.apache.jackrabbit.oak.spi.security.user.UserManagerConfig;
+import org.apache.jackrabbit.oak.spi.security.user.UserProvider;
 import org.apache.jackrabbit.oak.spi.security.user.action.AuthorizableAction;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -93,30 +93,7 @@ public class UserManagerImpl implements 
      */
     @Override
     public Authorizable getAuthorizable(Principal principal) throws RepositoryException {
-        Session session = getSession();
-        Authorizable authorizable = null;
-        if (principal instanceof ItemBasedPrincipal) {
-            String authJcrPath = ((ItemBasedPrincipal) principal).getPath();
-            String oakPath = sessionDelegate.getNamePathMapper().getOakPath(authJcrPath);
-            authorizable = getAuthorizable(userProvider.getAuthorizableByPath(oakPath));
-        } else {
-            // another Principal implementation.
-            // first try shortcut for cases where principalName equals the ID.
-            // second use a query to find the authorizable by principalName.
-            String name = principal.getName();
-            Authorizable a = getAuthorizable(name);
-            if (a != null && name.equals(a.getPrincipal().getName())) {
-                authorizable = a;
-            } else {
-                String propName = getJcrName(UserConstants.REP_PRINCIPAL_NAME);
-                Iterator<Authorizable> result = findAuthorizables(propName, name, SEARCH_TYPE_AUTHORIZABLE);
-                if (result.hasNext()) {
-                    authorizable = result.next();
-                }
-            }
-        }
-        // build the corresponding authorizable object
-        return authorizable;
+        return getAuthorizable(userProvider.getAuthorizableByPrincipal(principal));
     }
 
     /**
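Review bot: getAuthorizable(Principal) now depends entirely on `userProvider.getAuthorizableByPrincipal(principal)`, and the removed ItemBasedPrincipal branch, which went through `getAuthorizableByPath`, has no direct equivalent: the provider method added in this commit returns `root.getTree(...)` for a TreeBasedPrincipal without a node-type check. Unless getAuthorizable(Tree), which is not visible in this hunk, rejects trees that are not users or groups, a stale or foreign path would be wrapped as an Authorizable. A check such as `isAuthorizableTree(authorizableTree, UserManager.SEARCH_TYPE_AUTHORIZABLE)` in the provider before returning, or a short comment stating where that validation happens, would make the contract explicit.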
@@ -294,14 +271,6 @@ public class UserManagerImpl implements 
 
     //--------------------------------------------------------------------------
     /**
-     * @param userID A userID.
-     * @return true if the given userID belongs to the administrator user.
-     */
-    boolean isAdminId(String userID) {
-        return config.getAdminId().equals(userID);
-    }
-
-    /**
      *
      *
      * @param userNode The node representing the user.
@@ -357,6 +326,10 @@ public class UserManagerImpl implements 
         return sessionDelegate.getNamePathMapper();
     }
 
+    UserProvider getUserProvider() {
+        return userProvider;
+    }
+
     MembershipProvider getMembershipProvider() {
         return userProvider;
     }


