jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1395932 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: security/authentication/ security/authentication/token/ security/user/ spi/security/user/
Date Tue, 09 Oct 2012 09:30:22 GMT
Author: angela
Date: Tue Oct  9 09:30:21 2012
New Revision: 1395932

URL: http://svn.apache.org/viewvc?rev=1395932&view=rev
Log:
 OAK-91 - Implement Authentication Support (WIP)
 OAK-50 - User Management (WIP)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java?rev=1395932&r1=1395931&r2=1395932&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
Tue Oct  9 09:30:21 2012
@@ -17,10 +17,16 @@
 package org.apache.jackrabbit.oak.security.authentication;
 
 import javax.jcr.Credentials;
+import javax.jcr.GuestCredentials;
+import javax.jcr.RepositoryException;
+import javax.jcr.SimpleCredentials;
 import javax.security.auth.Subject;
 
+import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;
 import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
+import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
+import org.apache.jackrabbit.oak.spi.security.user.PasswordUtility;
 import org.apache.jackrabbit.oak.spi.security.user.UserProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -32,12 +38,14 @@ public class AuthenticationImpl implemen
 
     private static final Logger log = LoggerFactory.getLogger(AuthenticationImpl.class);
 
-    private final String userID;
+    private final String userId;
     private final UserProvider userProvider;
     private final PrincipalProvider principalProvider;
 
-    public AuthenticationImpl(String userID, UserProvider userProvider, PrincipalProvider
principalProvider) {
-        this.userID = userID;
+    private Tree userTree;
+
+    public AuthenticationImpl(String userId, UserProvider userProvider, PrincipalProvider
principalProvider) {
+        this.userId = userId;
         this.userProvider = userProvider;
         this.principalProvider = principalProvider;
     }
@@ -47,19 +55,16 @@ public class AuthenticationImpl implemen
         // TODO
         return true;
 
-//        if (userProvider == null || userID == null) {
+//        Tree userTree = getUserTree();
+//        if (userTree == null || userProvider.isDisabled(userTree)) {
 //            return false;
 //        }
 //
 //        if (credentials instanceof SimpleCredentials) {
 //            SimpleCredentials creds = (SimpleCredentials) credentials;
-//            return userID.equals(creds.getUserID()) &&
-//                    PasswordUtility.isSame(userProvider.getPassword(userID), creds.getPassword());
-//        } else if (credentials instanceof GuestCredentials) {
-//            return userProvider.getAuthorizable(userID) != null;
+//            return PasswordUtility.isSame(userProvider.getPasswordHash(userTree), creds.getPassword());
 //        } else {
-//            // unsupported credentials object
-//            return false;
+//            return credentials instanceof GuestCredentials;
 //        }
     }
 
@@ -68,14 +73,27 @@ public class AuthenticationImpl implemen
         // TODO
         return true;
 
-//        if (userProvider == null || userID == null) {
+//        Tree userTree = getUserTree();
+//        if (userTree == null || userProvider.isDisabled(userTree)) {
+//            return false;
+//        } else {
 //            try {
-//                return userProvider.getImpersonation(userID, principalProvider).allows(subject);
+//                return userProvider.getImpersonation(userTree, principalProvider).allows(subject);
 //            } catch (RepositoryException e) {
 //                log.debug("Error while validating impersonation", e.getMessage());
 //                return false;
 //            }
 //        }
-//        return false;
+    }
+
+    //--------------------------------------------------------------------------
+    private Tree getUserTree() {
+        if (userProvider == null || userId == null) {
+            return null;
+        }
+        if (userTree == null) {
+            userTree = userProvider.getAuthorizable(userId, AuthorizableType.USER);
+        }
+        return userTree;
     }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java?rev=1395932&r1=1395931&r2=1395932&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java
Tue Oct  9 09:30:21 2012
@@ -270,10 +270,21 @@ public class TokenProviderImpl implement
     }
 
     @CheckForNull
+    private Tree getUserTree(Tree tokenTree) {
+        if (tokenTree != null) {
+            return tokenTree.getParent().getParent();
+        } else {
+            return null;
+        }
+    }
+
+    @CheckForNull
     private String getUserId(Tree tokenTree) {
         if (tokenTree != null) {
             Tree userTree = tokenTree.getParent().getParent();
-            return userProvider.getAuthorizableId(userTree);
+            if (userTree != null && !userProvider.isDisabled(userTree)) {
+                return userProvider.getAuthorizableId(userTree);
+            }
         }
 
         return null;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java?rev=1395932&r1=1395931&r2=1395932&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java
Tue Oct  9 09:30:21 2012
@@ -93,7 +93,7 @@ class ImpersonationImpl implements Imper
      * @see org.apache.jackrabbit.api.security.user.Impersonation#grantImpersonation(Principal)
      */
     @Override
-    public synchronized boolean grantImpersonation(Principal principal) throws RepositoryException
{
+    public boolean grantImpersonation(Principal principal) throws RepositoryException {
         String principalName = principal.getName();
         Principal p = principalProvider.getPrincipal(principalName);
         if (p == null) {
@@ -132,7 +132,7 @@ class ImpersonationImpl implements Imper
      * @see Impersonation#revokeImpersonation(java.security.Principal)
      */
     @Override
-    public synchronized boolean revokeImpersonation(Principal principal) throws RepositoryException
{
+    public boolean revokeImpersonation(Principal principal) throws RepositoryException {
         String pName = principal.getName();
 
         Tree userTree = getUserTree();

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java?rev=1395932&r1=1395931&r2=1395932&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java
Tue Oct  9 09:30:21 2012
@@ -18,7 +18,6 @@ package org.apache.jackrabbit.oak.securi
 
 import java.security.Principal;
 import javax.jcr.Credentials;
-import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
 import javax.jcr.UnsupportedRepositoryOperationException;
 
@@ -97,7 +96,7 @@ class UserImpl extends AuthorizableImpl 
      */
     @Override
     public Impersonation getImpersonation() throws RepositoryException {
-        return getUserProvider().getImpersonation(getID(), getUserManager().getPrincipalProvider());
+        return getUserProvider().getImpersonation(getTree(), getUserManager().getPrincipalProvider());
     }
 
     /**
@@ -132,18 +131,7 @@ class UserImpl extends AuthorizableImpl 
      */
     @Override
     public void disable(String reason) throws RepositoryException {
-        if (isAdmin()) {
-            throw new RepositoryException("The administrator user cannot be disabled.");
-        }
-        Tree userTree = getTree();
-        if (reason == null) {
-            if (isDisabled()) {
-                // enable the user again.
-                getUserProvider().setProtectedProperty(userTree, REP_DISABLED, (String) null,
PropertyType.STRING);
-            } // else: not disabled -> nothing to
-        } else {
-            getUserProvider().setProtectedProperty(userTree, REP_DISABLED, reason, PropertyType.STRING);
-        }
+        getUserProvider().disable(getTree(), reason);
     }
 
     /**
@@ -151,7 +139,7 @@ class UserImpl extends AuthorizableImpl 
      */
     @Override
     public boolean isDisabled() throws RepositoryException {
-        return getTree().hasProperty(REP_DISABLED);
+        return getUserProvider().isDisabled(getTree());
     }
 
     /**
@@ -159,10 +147,6 @@ class UserImpl extends AuthorizableImpl 
      */
     @Override
     public String getDisabledReason() throws RepositoryException {
-        PropertyState disabled = getTree().getProperty(REP_DISABLED);
-        if (disabled != null) {
-            return disabled.getValue(STRING);
-        } else
-            return null;
+        return getUserProvider().getDisableReason(getTree());
     }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java?rev=1395932&r1=1395931&r2=1395932&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java
Tue Oct  9 09:30:21 2012
@@ -260,14 +260,11 @@ class UserProviderImpl extends Authoriza
     }
 
     @Override
-    public String getPassword(String userID) {
-        Tree userTree = getAuthorizable(userID, AuthorizableType.USER);
-        if (userTree != null) {
-            NodeUtil n = new NodeUtil(userTree, valueFactory);
-            return n.getString(UserConstants.REP_PASSWORD, null);
-        } else {
-            return null;
-        }
+    public String getPasswordHash(Tree userTree) {
+        checkNotNull(userTree);
+
+        NodeUtil n = new NodeUtil(userTree, valueFactory);
+        return n.getString(UserConstants.REP_PASSWORD, null);
     }
 
     @Override
@@ -292,8 +289,45 @@ class UserProviderImpl extends Authoriza
     }
 
     @Override
-    public Impersonation getImpersonation(String userId, PrincipalProvider principalProvider)
{
-        return new ImpersonationImpl(userId, this, principalProvider);
+    public Impersonation getImpersonation(Tree userTree, PrincipalProvider principalProvider)
{
+        // FIXME: for login the impersonation could be based on the tree directly -> improve
+        return new ImpersonationImpl(getAuthorizableId(userTree), this, principalProvider);
+    }
+
+    @Override
+    public boolean isDisabled(Tree userTree) {
+        checkNotNull(userTree);
+
+        return userTree.hasProperty(REP_DISABLED);
+    }
+
+    @Override
+    public String getDisableReason(Tree userTree) {
+        checkNotNull(userTree);
+
+        PropertyState disabled = userTree.getProperty(REP_DISABLED);
+        if (disabled != null) {
+            return disabled.getValue(STRING);
+        } else {
+            return null;
+        }
+    }
+
+    @Override
+    public void disable(Tree userTree, String reason) throws RepositoryException {
+        checkNotNull(userTree);
+
+        if (isAdminUser(userTree)) {
+            throw new RepositoryException("The administrator user cannot be disabled.");
+        }
+        if (reason == null) {
+            if (isDisabled(userTree)) {
+                // enable the user again.
+                setProtectedProperty(userTree, REP_DISABLED, (String) null, PropertyType.STRING);
+            } // else: not disabled -> nothing to
+        } else {
+            setProtectedProperty(userTree, REP_DISABLED, reason, PropertyType.STRING);
+        }
     }
 
     @Override

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserValidator.java?rev=1395932&r1=1395931&r2=1395932&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserValidator.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserValidator.java
Tue Oct  9 09:30:21 2012
@@ -48,6 +48,14 @@ class UserValidator extends DefaultValid
     //----------------------------------------------------------< Validator >---
 
     @Override
+    public void propertyAdded(PropertyState after) throws CommitFailedException {
+        String name = after.getName();
+        if (REP_DISABLED.equals(name) && isAdminUser()) {
+            throw new CommitFailedException("Admin user cannot be disabled.");
+        }
+    }
+
+    @Override
     public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException
{
         String name = before.getName();
         if (REP_PRINCIPAL_NAME.equals(name) || REP_AUTHORIZABLE_ID.equals(name)) {
@@ -86,7 +94,7 @@ class UserValidator extends DefaultValid
      * @param pathConstraint
      * @throws CommitFailedException
      */
-    void assertHierarchy(NodeUtil userNode, String pathConstraint) throws CommitFailedException
{
+    private void assertHierarchy(NodeUtil userNode, String pathConstraint) throws CommitFailedException
{
         if (!Text.isDescendant(pathConstraint, userNode.getTree().getPath())) {
             Exception e = new ConstraintViolationException("Attempt to create user/group
outside of configured scope " + pathConstraint);
             throw new CommitFailedException(e);
@@ -102,4 +110,9 @@ class UserValidator extends DefaultValid
             parent = parent.getParent();
         }
     }
+
+    private boolean isAdminUser() {
+        // FIXME: add implementation
+        return false;
+    }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java?rev=1395932&r1=1395931&r2=1395932&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java
Tue Oct  9 09:30:21 2012
@@ -86,14 +86,16 @@ public interface UserProvider {
     boolean isAdminUser(Tree userTree);
 
     /**
-     * Returns the password hash for the user with the specified ID or {@code null}
-     * if the user does not exist or if the hash is not accessible for the editing
+     * Returns the password hash for the user with the specified user tree
+     * or {@code null} if the hash is not accessible for the editing
      * session.
      *
-     * @param userID The id of a user.
+     *
+     * @param userTree
      * @return the password hash or {@code null}.
      */
-    String getPassword(String userID);
+    @CheckForNull
+    String getPasswordHash(Tree userTree);
 
     /**
      * Set the password for the user identified by the specified {@code userTree}.
@@ -106,7 +108,15 @@ public interface UserProvider {
      */
     void setPassword(Tree userTree, String password, boolean forceHash) throws RepositoryException;
 
-    Impersonation getImpersonation(String userID, PrincipalProvider principalProvider);
+    @Nonnull
+    Impersonation getImpersonation(Tree userTree, PrincipalProvider principalProvider);
+
+    boolean isDisabled(Tree userTree);
+
+    @CheckForNull
+    String getDisableReason(Tree userTree);
+
+    void disable(Tree userTree, String reason) throws RepositoryException;
 
     void setProtectedProperty(Tree authorizableTree, String propertyName, String value, int
propertyType);
 



Mime
View raw message