From oak-commits-return-1912-apmail-jackrabbit-oak-commits-archive=jackrabbit.apache.org@jackrabbit.apache.org Fri Oct 12 12:32:22 2012 Return-Path: X-Original-To: apmail-jackrabbit-oak-commits-archive@minotaur.apache.org Delivered-To: apmail-jackrabbit-oak-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4DE1BD5C1 for ; Fri, 12 Oct 2012 12:32:22 +0000 (UTC) Received: (qmail 77225 invoked by uid 500); 12 Oct 2012 12:32:21 -0000 Delivered-To: apmail-jackrabbit-oak-commits-archive@jackrabbit.apache.org Received: (qmail 77152 invoked by uid 500); 12 Oct 2012 12:32:20 -0000 Mailing-List: contact oak-commits-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: oak-dev@jackrabbit.apache.org Delivered-To: mailing list oak-commits@jackrabbit.apache.org Received: (qmail 77137 invoked by uid 99); 12 Oct 2012 12:32:19 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 12 Oct 2012 12:32:19 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 12 Oct 2012 12:32:18 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 2712C23889D7; Fri, 12 Oct 2012 12:31:35 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1397540 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: core/ security/authorization/ spi/security/authorization/ Date: Fri, 12 Oct 2012 12:31:34 -0000 To: oak-commits@jackrabbit.apache.org 
From: angela@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20121012123135.2712C23889D7@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: angela Date: Fri Oct 12 12:31:34 2012 New Revision: 1397540 URL: http://svn.apache.org/viewvc?rev=1397540&view=rev Log: OAK-51 : Access Control (WIP) Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlContext.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AllPermissions.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompiledPermissions.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java?rev=1397540&r1=1397539&r2=1397540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java Fri Oct 12 12:31:34 2012
@@ -130,8 +130,9 @@ public class TreeImpl implements Tree, P
 @Override public PropertyState getProperty(String name) {
- if (canReadProperty(name)) {
- return internalGetProperty(name);
+ PropertyState property = internalGetProperty(name);
+ if (canRead(property)) {
+ return property;
 } else { return null; }
@@ -140,11 +141,30 @@ public class TreeImpl implements Tree, P
 @Override public Status getPropertyStatus(String name) { // TODO: see OAK-212
- if (canReadProperty(name)) {
- return internalGetPropertyStatus(name);
- }
- else {
- return null;
+ Status nodeStatus = getStatus();
+ if (nodeStatus == Status.NEW) {
+ return (hasProperty(name)) ? Status.NEW : null;
+ } else if (nodeStatus == Status.REMOVED) {
+ return Status.REMOVED; // FIXME not correct if no property existed with that name
+ } else {
+ PropertyState head = internalGetProperty(name);
+ if (head != null && !canRead(head)) {
+ // no permission to read status information for existing property
+ return null;
+ }
+
+ PropertyState base = getBaseState().getProperty(name);
+ if (head == null) {
+ return (base == null) ? null : Status.REMOVED;
+ } else {
+ if (base == null) {
+ return Status.NEW;
+ } else if (head.equals(base)) {
+ return Status.EXISTING;
+ } else {
+ return Status.MODIFIED;
+ }
+ }
 } }
@@ -164,7 +184,7 @@ public class TreeImpl implements Tree, P
 new Predicate() { @Override public boolean apply(PropertyState propertyState) {
- return propertyState != null && canReadProperty(propertyState.getName());
+ return canRead(propertyState);
 } }); }
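Review bot: In the rewritten getPropertyStatus the read check covers only a property that still exists in head (`head != null && !canRead(head)`), so both REMOVED answers are returned without any permission evaluation: the `nodeStatus == Status.REMOVED` branch and the `head == null` branch, which reports `Status.REMOVED` whenever the base state has the name. The replaced code gated every answer behind `canReadProperty(name)`, so the status can now tell a caller that a property it may not be allowed to read existed in the base state. Because the `canRead(PropertyState)` helper added later in this commit already rejects null, the inner branch could read `return canRead(base) ? Status.REMOVED : null;`. The removed-node branch would need the same check against the base property, which would also resolve the FIXME on that line.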
@@ -462,53 +482,6 @@ public class TreeImpl implements Tree, P
 return getNodeBuilder().getProperty(propertyName); }
- private Status internalGetPropertyStatus(String name) {
- if (isRemoved()) {
- return Status.REMOVED;
- }
-
- NodeState baseState = getBaseState();
- boolean exists = internalGetProperty(name) != null;
- if (baseState == null) {
- // This instance is NEW...
- if (exists) {
- // ...so all children are new
- return Status.NEW;
- } else {
- // ...unless they don't exist.
- return null;
- }
- } else {
- if (exists) {
- // We have the property...
- if (baseState.getProperty(name) == null) {
- // ...but didn't have it before. So its NEW.
- return Status.NEW;
- } else {
- // ... and did have it before. So...
- PropertyState base = baseState.getProperty(name);
- PropertyState head = getProperty(name);
- if (base == null ? head == null : base.equals(head)) {
- // ...it's EXISTING if it hasn't changed
- return Status.EXISTING;
- } else {
- // ...and MODIFIED otherwise.
- return Status.MODIFIED;
- }
- }
- } else {
- // We don't have the property
- if (baseState.getProperty(name) == null) {
- // ...and didn't have it before. So it doesn't exist.
- return null;
- } else {
- // ...but did have it before. So it's REMOVED
- return Status.REMOVED;
- }
- }
- }
- }
-
 private boolean isRemoved() { return removed || (parent != null && parent.isRemoved()); }
@@ -521,15 +494,15 @@ public class TreeImpl implements Tree, P
 } private boolean canRead(Tree tree) {
+ // FIXME: access control eval must have full access to the tree
 // FIXME: special handling for access control item and version content
- return root.getPermissions().canRead(tree.getPath(), false);
+ return root.getPermissions().canRead(tree);
 }
- private boolean canReadProperty(String name) {
- String path = PathUtils.concat(getPath(), name);
-
+ private boolean canRead(PropertyState property) {
+ // FIXME: access control eval must have full access to the tree/property
 // FIXME: special handling for access control item and version content
- return root.getPermissions().canRead(path, true);
+ return (property != null) && root.getPermissions().canRead(this, property);
 } /**
@@ -723,14 +696,14 @@ public class TreeImpl implements Tree, P
 @Override public PropertyState getProperty() {
- return root.getPermissions().canRead(getPath(), true)
+ return canRead(property)
 ? property : null; } @Override public Status getStatus() {
- return parent.tree.internalGetPropertyStatus(property.getName());
+ return parent.tree.getPropertyStatus(property.getName());
 } /**
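Review bot: In the location class's getProperty (the @@ -723 hunk) the check becomes `canRead(property)`, and since the location's own `canRead()` is deleted later in this commit, that call can only bind to TreeImpl's new private `canRead(PropertyState)`. That helper evaluates `root.getPermissions().canRead(this, property)` against the enclosing TreeImpl instance, while getStatus in the same hunk reaches the property through `parent.tree`. If the enclosing instance and `parent.tree` can differ, read permission is evaluated for the wrong tree; the class body lies outside the hunk, so this needs confirming. Naming the tree explicitly, for example `return parent.tree.canRead(property)`, would remove the ambiguity.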
@@ -749,10 +722,6 @@ public class TreeImpl implements Tree, P
 parent.tree.removeProperty(property.getName()); return true; }
-
- private boolean canRead() {
- return root.getPermissions().canRead(getPath(), true);
- }
 } public static class NullLocation implements TreeLocation {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java?rev=1397540&r1=1397539&r2=1397540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java Fri Oct 12 12:31:34 2012
@@ -34,7 +34,13 @@ class CompiledPermissionImpl implements
 } @Override
- public boolean canRead(String path, boolean isProperty) {
+ public boolean canRead(Tree tree) {
+ // TODO
+ return true;
+ }
+
+ @Override
+ public boolean canRead(Tree tree, PropertyState property) {
 // TODO return true; }
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlContext.java?rev=1397540&r1=1397539&r2=1397540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlContext.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlContext.java Fri Oct 12 12:31:34 2012
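Review bot: Both `canRead` overloads in CompiledPermissionImpl (the @@ -34 hunk) answer `true` unconditionally behind a bare `// TODO`, so wherever this class backs the permission checks they fail open. The TreeImpl changes in this commit route every node and property read decision through `CompiledPermissions.canRead`, which makes the placeholder easy to mistake for an enforcing implementation. Until the evaluation exists, the comment should say what the stub does, e.g. `// TODO: placeholder, grants read access to every item until permission evaluation is implemented`.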
@@ -16,9 +16,6 @@
 */ package org.apache.jackrabbit.oak.spi.security.authorization;
-import java.security.Principal;
-import java.util.Set;
-
 /** * PermissionProvider... TODO */
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AllPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AllPermissions.java?rev=1397540&r1=1397539&r2=1397540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AllPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AllPermissions.java Fri Oct 12 12:31:34 2012
@@ -33,7 +33,12 @@ public final class AllPermissions implem
 } @Override
- public boolean canRead(String path, boolean isProperty) {
+ public boolean canRead(Tree tree) {
+ return true;
+ }
+
+ @Override
+ public boolean canRead(Tree tree, PropertyState property) {
 return true; }
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompiledPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompiledPermissions.java?rev=1397540&r1=1397539&r2=1397540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompiledPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompiledPermissions.java Fri Oct 12 12:31:34 2012
@@ -24,7 +24,9 @@ import org.apache.jackrabbit.oak.api.Tre
 */ public interface CompiledPermissions {
- boolean canRead(String path, boolean isProperty);
+ boolean canRead(Tree tree);
+
+ boolean canRead(Tree tree, PropertyState property);
 boolean isGranted(int permissions);
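Review bot: The two new `canRead` methods on CompiledPermissions carry no Javadoc, so the contract every implementation must honour is unstated: whether `tree` or `property` may be null, and whether `tree` has to be the parent of `property`. TreeImpl guards null itself before calling (`(property != null) && root.getPermissions().canRead(this, property)`), which suggests implementations are not expected to. A short Javadoc on each method should state that, say that `tree` is the tree owning the property, and say that the method returns false when read access is denied. No import for `PropertyState` is added in this section, so it is presumably already imported in the file; worth confirming.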