Return-Path: X-Original-To: apmail-jackrabbit-oak-commits-archive@minotaur.apache.org Delivered-To: apmail-jackrabbit-oak-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id AA27DD903 for ; Fri, 17 Aug 2012 10:18:13 +0000 (UTC) Received: (qmail 8216 invoked by uid 500); 17 Aug 2012 10:18:13 -0000 Delivered-To: apmail-jackrabbit-oak-commits-archive@jackrabbit.apache.org Received: (qmail 8184 invoked by uid 500); 17 Aug 2012 10:18:13 -0000 Mailing-List: contact oak-commits-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: oak-dev@jackrabbit.apache.org Delivered-To: mailing list oak-commits@jackrabbit.apache.org Received: (qmail 8165 invoked by uid 99); 17 Aug 2012 10:18:12 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 17 Aug 2012 10:18:12 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 17 Aug 2012 10:18:11 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id DB8042388900; Fri, 17 Aug 2012 10:17:27 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1374193 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/ oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/ oak-core/src/main/java/org/apache/jackrabbit/oak/spi/securit... Date: Fri, 17 Aug 2012 10:17:27 -0000 To: oak-commits@jackrabbit.apache.org 
From: angela@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120817101727.DB8042388900@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: angela Date: Fri Aug 17 10:17:27 2012 New Revision: 1374193 URL: http://svn.apache.org/viewvc?rev=1374193&view=rev Log: OAK-90 : Implement Principal Management (WIP) Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/TmpPrincipalProvider.java Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/KernelPrincipalProvider.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/TreeBasedPrincipal.java jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java?rev=1374193&r1=1374192&r2=1374193&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java Fri Aug 17 10:17:27 2012 
@@ -17,7 +17,7 @@ package org.apache.jackrabbit.oak.security.authentication; import org.apache.jackrabbit.oak.api.ContentRepository; -import org.apache.jackrabbit.oak.security.principal.KernelPrincipalProvider; +import org.apache.jackrabbit.oak.security.principal.TmpPrincipalProvider; import org.apache.jackrabbit.oak.spi.security.authentication.LoginContextProvider; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider; import org.slf4j.Logger; @@ -45,7 +45,7 @@ public class LoginContextProviderImpl im public LoginContextProviderImpl(ContentRepository repository) { // TODO: use configurable authentication config and principal provider authConfig = new ConfigurationImpl(); - principalProvider = new KernelPrincipalProvider(); + principalProvider = new TmpPrincipalProvider(); } @Override Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java?rev=1374193&r1=1374192&r2=1374193&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java Fri Aug 17 10:17:27 2012 @@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi import java.io.IOException; import java.security.Principal; +import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.Map; 
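Review bot: In the `LoginContextProviderImpl` constructor the login path is now wired to `TmpPrincipalProvider`, which its own Javadoc later in this commit describes as a temporary dummy, yet the existing TODO at the call site does not say so. I would make the placeholder explicit there, e.g. `// TODO OAK-90: TmpPrincipalProvider is a placeholder without repository lookup; replace with the configurable provider (default KernelPrincipalProvider)`. The same substitution is made in `SessionImpl.getPrincipalManager()` in the last hunk of this commit and deserves the same comment. The `repository` argument appears unused in the visible lines, though the class continues outside the hunk.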
@@ -37,7 +38,6 @@ import org.apache.jackrabbit.oak.api.Aut import org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule; import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials; import org.apache.jackrabbit.oak.spi.security.authentication.PrincipalProviderCallback; -import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -167,25 +167,13 @@ public class LoginModuleImpl extends Abs //-------------------------------------------------------------------------- private Set getPrincipals(String userID) { - Set principals = new HashSet(); PrincipalProvider principalProvider = getPrincipalProvider(); - if (principalProvider != null && userID != null) { - // TODO fixme - Principal p = principalProvider.getPrincipal(userID); - if (p != null) { - principals.add(p); - if ("admin".equals(p.getName())) { - principals.add(AdminPrincipal.INSTANCE); - } - principals.addAll(principalProvider.getGroupMembership(p)); - } else { - log.debug("Commit: Cannot retrieve principal for userID '{}'.", userID); - } - } else { + if (principalProvider == null) { log.debug("Commit: Cannot retrieve principals. No principal provider configured."); + return Collections.emptySet(); + } else { + return principalProvider.getPrincipals(userID); } - - return principals; } private PrincipalProvider getPrincipalProvider() { Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/KernelPrincipalProvider.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/KernelPrincipalProvider.java?rev=1374193&r1=1374192&r2=1374193&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/KernelPrincipalProvider.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/KernelPrincipalProvider.java Fri Aug 17 10:17:27 2012 
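Review bot: The rewritten `LoginModuleImpl.getPrincipals` no longer checks `userID` for null before delegating, so a null id now reaches `principalProvider.getPrincipals(userID)` where the old code returned an empty set. With the `TmpPrincipalProvider` added in this commit, that call would yield a principal whose name is null plus the everyone principal, rather than nothing. Whether a null `userID` can actually arrive here depends on callers outside the hunk, but keeping the guard is cheap: `if (userID == null) { return Collections.emptySet(); }` ahead of the provider check.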
@@ -19,11 +19,26 @@ package org.apache.jackrabbit.oak.securi import java.security.Principal; import java.security.acl.Group; import java.util.Collections; +import java.util.Enumeration; import java.util.HashSet; +import java.util.Iterator; import java.util.Set; +import javax.annotation.Nullable; +import com.google.common.base.Function; +import com.google.common.base.Predicates; +import com.google.common.collect.Iterators; +import org.apache.jackrabbit.JcrConstants; +import org.apache.jackrabbit.api.security.user.UserManager; +import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.namepath.PathMapper; +import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal; import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider; +import org.apache.jackrabbit.oak.spi.security.principal.TreeBasedPrincipal; +import org.apache.jackrabbit.oak.spi.security.user.MembershipProvider; +import org.apache.jackrabbit.oak.spi.security.user.UserConstants; +import org.apache.jackrabbit.oak.spi.security.user.UserProvider; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -39,32 +54,130 @@ public class KernelPrincipalProvider imp */ private static final Logger log = LoggerFactory.getLogger(KernelPrincipalProvider.class); + private final UserProvider userProvider; + private final MembershipProvider membershipProvider; + private final PathMapper pathMapper; + + public KernelPrincipalProvider(UserProvider userProvider, + MembershipProvider membershipProvider, PathMapper pathMapper) { + this.userProvider = userProvider; + this.membershipProvider = membershipProvider; + this.pathMapper = pathMapper; + + } + //--------------------------------------------------< PrincipalProvider >--- @Override public Principal getPrincipal(final String principalName) { - // TODO: use user-defined query to search for a principalName property - // TODO that is defined by a user/group node. - return new Principal() { + Tree tree = userProvider.getAuthorizableByPrincipal(new Principal() { @Override public String getName() { return principalName; } - }; + }); + + if (tree != null) { + return (isGroup(tree)) ? 
new TreeBasedGroup(tree) : new TreeBasedPrincipal(tree, pathMapper); + } else { + return null; + } } @Override public Set getGroupMembership(Principal principal) { - // TODO - return Collections.singleton(EveryonePrincipal.getInstance()); + Tree authTree = userProvider.getAuthorizableByPrincipal(principal); + if (authTree == null) { + return Collections.emptySet(); + } else { + return getGroupMembership(authTree); + } } @Override public Set getPrincipals(String userID) { - // TODO - Set principals = new HashSet(); - Principal p = getPrincipal(userID); - principals.add(p); - principals.addAll(getGroupMembership(p)); + Set principals; + Tree userTree = userProvider.getAuthorizable(userID, UserManager.SEARCH_TYPE_USER); + if (userTree != null) { + principals = new HashSet(); + Principal userPrincipal = new TreeBasedPrincipal(userTree, pathMapper); + principals.add(userPrincipal); + principals.addAll(getGroupMembership(userPrincipal)); + if (userProvider.isAdminUser(userTree)) { + principals.add(AdminPrincipal.INSTANCE); + } + } else { + principals = Collections.emptySet(); + } return principals; } + + //------------------------------------------------------------< private >--- + private Set getGroupMembership(Tree authorizableTree) { + Iterator groupPaths = membershipProvider.getMembership(authorizableTree, true); + Set groups = new HashSet(); + groups.add(EveryonePrincipal.getInstance()); + + while (groupPaths.hasNext()) { + String path = groupPaths.next(); + Tree groupTree = userProvider.getAuthorizableByPath(path); + if (groupTree != null) { + groups.add(new TreeBasedGroup(groupTree)); + } + } + return groups; + } + + private boolean isGroup(Tree authorizableTree) { + assert authorizableTree != null; + assert authorizableTree.hasProperty(JcrConstants.JCR_PRIMARYTYPE); + + String ntName = authorizableTree.getProperty(JcrConstants.JCR_PRIMARYTYPE).getValue().getString(); + return UserConstants.NT_REP_GROUP.equals(ntName); + } + + /** + * Tree-based principal 
implementation that marks the principal as group. + */ + private final class TreeBasedGroup extends TreeBasedPrincipal implements Group { + + public TreeBasedGroup(Tree tree) { + super(tree, pathMapper); + } + + @Override + public boolean addMember(Principal principal) { + throw new UnsupportedOperationException(); + } + + @Override + public boolean removeMember(Principal principal) { + throw new UnsupportedOperationException(); + } + + @Override + public boolean isMember(Principal principal) { + return membershipProvider.isMember(getTree(), userProvider.getAuthorizableByPrincipal(principal), true); + } + + @Override + public Enumeration members() { + Iterator declaredMemberPaths = membershipProvider.getMembers(getTree(), UserManager.SEARCH_TYPE_AUTHORIZABLE, false); + Iterator members = Iterators.transform(declaredMemberPaths, new Function() { + @Override + public Principal apply(@Nullable String oakPath) { + // TODO + Tree tree = userProvider.getAuthorizableByPath(oakPath); + if (tree != null) { + if (isGroup(tree)) { + return new TreeBasedGroup(tree); + } else { + return new TreeBasedPrincipal(tree, pathMapper); + } + } + return null; + } + }); + return Iterators.asEnumeration(Iterators.filter(members, Predicates.notNull())); + } + } } \ No newline at end of file Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/TmpPrincipalProvider.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/TmpPrincipalProvider.java?rev=1374193&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/TmpPrincipalProvider.java (added) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/TmpPrincipalProvider.java Fri Aug 17 10:17:27 2012 
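Review bot: `TreeBasedGroup.isMember` passes the result of `userProvider.getAuthorizableByPrincipal(principal)` straight to `membershipProvider.isMember`, although `getGroupMembership(Principal)` in the same hunk treats that lookup as able to return null. How `isMember` handles a null tree is not visible here, so the answer for an unknown principal should be decided locally: `Tree member = userProvider.getAuthorizableByPrincipal(principal);` followed by `return member != null && membershipProvider.isMember(getTree(), member, true);`. Separately, `isGroup` relies on `assert` for its preconditions, which are skipped unless the JVM runs with assertions enabled; an explicit check that the `JCR_PRIMARYTYPE` property is present would make the group/user decision fail predictably.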
@@ -0,0 +1,64 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.principal; + +import java.security.Principal; +import java.security.acl.Group; +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; + +import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal; +import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; +import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider; + +/** + * ToRemovePrincipalProvider... TODO tmp dummy implemetation. to be replace + * by configurable principal provider (default KernelPrincipalProviver) once + * the auth-setup is done properly. 
+ */ +public class TmpPrincipalProvider implements PrincipalProvider { + + //--------------------------------------------------< PrincipalProvider >--- + @Override + public Principal getPrincipal(final String principalName) { + return new Principal() { + @Override + public String getName() { + return principalName; + } + }; + } + + @Override + public Set getGroupMembership(Principal principal) { + return Collections.singleton(EveryonePrincipal.getInstance()); + } + + @Override + public Set getPrincipals(String userID) { + Set principals = new HashSet(); + Principal p = getPrincipal(userID); + principals.add(p); + principals.addAll(getGroupMembership(p)); + if ("admin".equals(userID)) { + principals.add(AdminPrincipal.INSTANCE); + } + return principals; + } + +} \ No newline at end of file Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/TreeBasedPrincipal.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/TreeBasedPrincipal.java?rev=1374193&r1=1374192&r2=1374193&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/TreeBasedPrincipal.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/TreeBasedPrincipal.java Fri Aug 17 10:17:27 2012 
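Review bot: `TmpPrincipalProvider.getPrincipals` adds `AdminPrincipal.INSTANCE` purely because the supplied string equals `"admin"`, and `getPrincipal` returns a principal for any name without consulting the repository. The class is therefore only safe if every caller has already authenticated the id, which the class cannot enforce and the Javadoc does not state. The class comment should spell out that no lookup or validation happens here and that `KernelPrincipalProvider.getPrincipals`, which decides via `userProvider.isAdminUser(userTree)`, is the intended replacement. The Javadoc also has typos ("implemetation", "KernelPrincipalProviver") worth fixing while it is being edited.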
@@ -57,6 +57,14 @@ public class TreeBasedPrincipal implemen this.pathMapper = pathMapper; } + protected Tree getTree() { + return tree; + } + + public String getOakPath() { + return tree.getPath(); + } + //-------------------------------------------------< ItemBasedPrincipal >--- @Override public String getPath() { Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java?rev=1374193&r1=1374192&r2=1374193&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java (original) +++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java Fri Aug 17 10:17:27 2012 @@ -21,7 +21,6 @@ import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.Set; - import javax.annotation.Nonnull; import javax.jcr.AccessDeniedException; import javax.jcr.Credentials; @@ -51,7 +50,7 @@ import org.apache.jackrabbit.commons.ite import org.apache.jackrabbit.oak.commons.PathUtils; import org.apache.jackrabbit.oak.jcr.security.principal.PrincipalManagerImpl; import org.apache.jackrabbit.oak.jcr.xml.XmlImportHandler; -import org.apache.jackrabbit.oak.security.principal.KernelPrincipalProvider; +import org.apache.jackrabbit.oak.security.principal.TmpPrincipalProvider; import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials; import org.apache.jackrabbit.oak.util.TODO; import org.apache.jackrabbit.util.XMLChar; @@ -140,8 +139,8 @@ public class SessionImpl extends Abstrac @Override @Nonnull - public Node getNodeByUUID(String id) throws RepositoryException { - return getNodeByIdentifier(id); + public Node getNodeByUUID(String uuid) throws RepositoryException { + return getNodeByIdentifier(uuid); } @Override 
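Review bot: The new `getOakPath()` in `TreeBasedPrincipal` is public and has no Javadoc, so callers have nothing to tell them how it differs from the existing `getPath()` right below it. Since the constructor stores a `pathMapper`, `getPath()` presumably returns a mapped path while `getOakPath()` returns the raw `tree.getPath()`; that should be stated, e.g. `/** Returns the internal Oak path of the underlying tree, not mapped through the path mapper. */`. If only code inside oak-core needs the raw path, a narrower visibility than `public` would keep the internal location of the authorizable off the principal's public surface. The body of `getPath()` lies outside this hunk.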
@@ -526,7 +525,7 @@ public class SessionImpl extends Abstrac @Nonnull public PrincipalManager getPrincipalManager() throws RepositoryException { return TODO.unimplemented().returnValue(new PrincipalManagerImpl( - new KernelPrincipalProvider())); + new TmpPrincipalProvider())); } @Override