From ang...@apache.org
Subject svn commit: r1411772 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security: ./ authorization/
Date Tue, 20 Nov 2012 18:07:20 GMT
Author: angela
Date: Tue Nov 20 18:07:19 2012
New Revision: 1411772

URL: http://svn.apache.org/viewvc?rev=1411772&view=rev
Log:
OAK-51 : Implement JCR Access Control Management

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java?rev=1411772&r1=1411771&r2=1411772&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java
Tue Nov 20 18:07:19 2012
@@ -98,7 +98,7 @@ public class SecurityProviderImpl implem
     @Nonnull
     @Override
     public AccessControlConfiguration getAccessControlConfiguration() {
-        return new AccessControlConfigurationImpl();
+        return new AccessControlConfigurationImpl(this);
     }
 
     @Nonnull

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java?rev=1411772&r1=1411771&r2=1411772&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
Tue Nov 20 18:07:19 2012
@@ -19,7 +19,6 @@ package org.apache.jackrabbit.oak.securi
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
-import javax.annotation.Nonnull;
 import javax.jcr.security.AccessControlManager;
 import javax.security.auth.Subject;
 
@@ -27,6 +26,7 @@ import org.apache.jackrabbit.oak.api.Roo
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
 import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlContext;
 
@@ -35,6 +35,12 @@ import org.apache.jackrabbit.oak.spi.sec
  */
 public class AccessControlConfigurationImpl extends SecurityConfiguration.Default implements
AccessControlConfiguration {
 
+    private final SecurityProvider securityProvider;
+
+    public AccessControlConfigurationImpl(SecurityProvider securityProvider) {
+        this.securityProvider = securityProvider;
+    }
+
     @Override
     public AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper)
{
         throw new UnsupportedOperationException("not yet implemented");
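Review bot: The new constructor stores `securityProvider` without checking it, yet `getValidatorProviders()` forwards it to `PermissionValidatorProvider`, whose constructor dereferences it immediately (L353) — a null argument therefore surfaces as a bare NPE far from the call that supplied it. A guard in the constructor, `if (securityProvider == null) { throw new IllegalArgumentException("securityProvider must not be null"); }`, fails fast at the point of misuse. The constructor is also undocumented; a one-line Javadoc such as `/** Creates the access-control configuration backed by the given security provider, which is consulted when the validator providers are built. */` would make the dependency explicit. `getAccessControlManager` continues outside this hunk.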
@@ -48,8 +54,8 @@ public class AccessControlConfigurationI
     @Override
     public List<ValidatorProvider> getValidatorProviders() {
         List<ValidatorProvider> vps = new ArrayList<ValidatorProvider>();
-        vps.add(new PermissionValidatorProvider(this));
-        vps.add(new AccessControlValidatorProvider());
+        vps.add(new PermissionValidatorProvider(securityProvider));
+        vps.add(new AccessControlValidatorProvider(securityProvider));
         return Collections.unmodifiableList(vps);
     }
 }
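Review bot: `PermissionValidatorProvider` now receives `securityProvider` instead of `this`, and because `SecurityProviderImpl.getAccessControlConfiguration()` (L36) returns a new `AccessControlConfigurationImpl` on every call, the configuration the permission validator ends up consulting is a different instance from the one assembling this list. That is harmless as long as the configuration stays stateless, but it would silently diverge if the class ever acquires state. Either document the assumption, e.g. `// the validator provider resolves its own configuration from securityProvider; this class must remain stateless`, or have `SecurityProviderImpl` hand out a single cached instance.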

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java?rev=1411772&r1=1411771&r2=1411772&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
Tue Nov 20 18:07:19 2012
@@ -20,6 +20,7 @@ import javax.annotation.Nonnull;
 
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
 
 /**
@@ -30,6 +31,12 @@ import org.apache.jackrabbit.oak.spi.sta
  */
 class AccessControlValidatorProvider implements ValidatorProvider {
 
+    private SecurityProvider securityProvider;
+
+    AccessControlValidatorProvider(SecurityProvider securityProvider) {
+        this.securityProvider = securityProvider;
+    }
+
     @Nonnull
     @Override
     public Validator getRootValidator(NodeState before, NodeState after) {
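Review bot: The new `securityProvider` field is not `final`, unlike the same field introduced in `AccessControlConfigurationImpl` (L69) and `PermissionValidatorProvider` (L346); it is assigned exactly once, so `private final SecurityProvider securityProvider;` keeps the three classes consistent and guards against accidental reassignment. The field is also not read anywhere in this hunk, so if `getRootValidator` (which continues outside the hunk) does not use it yet, a short comment stating what it is reserved for would prevent it being flagged as dead state. As in the sibling constructors, a null check on the argument would be reasonable.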

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java?rev=1411772&r1=1411771&r2=1411772&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
Tue Nov 20 18:07:19 2012
@@ -27,8 +27,6 @@ import org.apache.jackrabbit.oak.plugins
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
 import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
-import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
-import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
 import org.apache.jackrabbit.oak.util.NodeUtil;
 import org.apache.jackrabbit.oak.version.VersionConstants;
@@ -45,17 +43,22 @@ class PermissionValidator implements Val
      * - review usage of OAK_CHILD_ORDER property (in particular if the property was removed
      */
 
-    private final CompiledPermissions compiledPermissions;
-
     private final NodeUtil parentBefore;
     private final NodeUtil parentAfter;
+    private final CompiledPermissions compiledPermissions;
+    private final PermissionValidatorProvider provider;
 
-    PermissionValidator(CompiledPermissions compiledPermissions,
-                        NodeUtil parentBefore, NodeUtil parentAfter) {
+    PermissionValidator(NodeUtil parentBefore, NodeUtil parentAfter,
+                        CompiledPermissions compiledPermissions,
+                        PermissionValidatorProvider provider) {
         this.compiledPermissions = compiledPermissions;
         this.parentBefore = parentBefore;
         this.parentAfter = parentAfter;
+        this.provider = provider;
+    }
 
+    private Validator nextValidator(NodeUtil parentBefore, NodeUtil parentAfter) {
+        return new PermissionValidator(parentBefore, parentAfter, compiledPermissions, provider);
     }
 
     //----------------------------------------------------------< Validator >---
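Review bot: Neither the reordered constructor nor the new `nextValidator` helper documents that `parentBefore` and `parentAfter` may be null, even though `checkPermissions` deliberately passes `null` for one side (L257–L258); that nullability is an invariant every method in the class must honour and deserves to be stated where the fields are declared. A Javadoc on the helper along the lines of `/** Creates the validator for a child of this node, sharing the compiled permissions and provider; either parent may be null when the child exists on only one side of the diff. */` would cover it. Separately, `provider` is dereferenced unconditionally in the classification code (L196, L232) but never checked here, so a null provider would fail only once the first property is validated.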
@@ -87,7 +90,7 @@ class PermissionValidator implements Val
 
         // TODO
 
-        return new PermissionValidator(compiledPermissions, childBefore, childAfter);
+        return nextValidator(childBefore, childAfter);
     }
 
     @Override
@@ -98,7 +101,8 @@ class PermissionValidator implements Val
 
     //------------------------------------------------------------< private >---
     private void checkPermissions(NodeUtil parent, PropertyState property, int defaultPermission)
throws CommitFailedException {
-        String parentPath = parent.getTree().getPath();
+        Tree parentTree = parent.getTree();
+        String parentPath = parentTree.getPath();
         String name = property.getName();
 
         int permission;
@@ -111,15 +115,15 @@ class PermissionValidator implements Val
             permission = Permissions.NAMESPACE_MANAGEMENT;
         } else if (isNodeTypeDefinition(parentPath)) {
             permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
-        } else if (isPrivilegeDefinition(parentPath)) {
-            permission = Permissions.PRIVILEGE_MANAGEMENT;
-        } else if (isAccessControl(parent)) {
-            permission = Permissions.MODIFY_ACCESS_CONTROL;
         } else if (isVersionProperty(parent, property)) {
             permission = Permissions.VERSION_MANAGEMENT;
             // FIXME: path to check for permission must be adjusted to be
             //        the one of the versionable node instead of the target parent.
-        } else if (isAuthorizableProperty(parent, property)) {
+        } else if (provider.getPrivilegeContext().definesProperty(parentTree, property))
{
+            permission = Permissions.PRIVILEGE_MANAGEMENT;
+        } else if (provider.getAccessControlContext().definesProperty(parentTree, property))
{
+            permission = Permissions.MODIFY_ACCESS_CONTROL;
+        } else if (provider.getUserContext().definesProperty(parentTree, property)) {
             permission = Permissions.USER_MANAGEMENT;
         } else {
             permission = defaultPermission;
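Review bot: The classification chain is first-match-wins, and this hunk moves `isVersionProperty(parent, property)` ahead of the privilege and access-control checks, whereas before the change privilege and access-control definitions were tested first; if a property inside an access-control or privilege tree also satisfies `isVersionProperty` (defined outside this hunk), the modification is now gated by `VERSION_MANAGEMENT` instead of `MODIFY_ACCESS_CONTROL` or `PRIVILEGE_MANAGEMENT`. The same reordering appears in the tree-level method below (L227–L236). If the new precedence is intentional, a comment such as `// version properties win over the pluggable contexts: <reason>` should record why; otherwise the context checks should be restored ahead of the version check. The enclosing method starts at L175, outside this hunk.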
@@ -128,28 +132,29 @@ class PermissionValidator implements Val
         checkPermissions(parent.getTree(), property, permission);
     }
 
-    private PermissionValidator checkPermissions(NodeUtil node, boolean isBefore, int defaultPermission)
throws CommitFailedException {
-        String path = node.getTree().getPath();
+    private Validator checkPermissions(NodeUtil node, boolean isBefore, int defaultPermission)
throws CommitFailedException {
+        Tree tree = node.getTree();
+        String path = tree.getPath();
         int permission;
 
         if (isNamespaceDefinition(path)) {
             permission = Permissions.NAMESPACE_MANAGEMENT;
         } else if (isNodeTypeDefinition(path)) {
             permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
-        } else if (isPrivilegeDefinition(path)) {
-            permission = Permissions.PRIVILEGE_MANAGEMENT;
-        } else if (isAccessControl(node)) {
-            permission = Permissions.MODIFY_ACCESS_CONTROL;
         } else if (isVersion(node)) {
             permission = Permissions.VERSION_MANAGEMENT;
             // FIXME: path to check for permission must be adjusted to be
             // //     the one of the versionable node instead of the target node.
-        } else if (isAuthorizable(node)) {
+        } else if (provider.getPrivilegeContext().definesTree(tree)) {
+            permission = Permissions.PRIVILEGE_MANAGEMENT;
+        } else if (provider.getAccessControlContext().definesTree(tree)) {
+            permission = Permissions.MODIFY_ACCESS_CONTROL;
+        } else if (provider.getUserContext().definesTree(tree)) {
             permission = Permissions.USER_MANAGEMENT;
         } else {
             // TODO: identify specific permission depending on additional types of protection
-            // - user/group -> user management
-            // - workspace management ???
+            // TODO  - workspace management
+
             // TODO: identify renaming/move of nodes that only required MODIFY_CHILD_NODE_COLLECTION
permission
             permission = defaultPermission;
         }
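Review bot: The tail of the property-level method still calls `checkPermissions(parent.getTree(), property, permission);` (L207) although this commit introduced the `parentTree` local for exactly that tree, while the tree-level method was updated to pass its local (`checkPermissions(tree, permission);`, L253); `checkPermissions(parentTree, property, permission);` would make the two methods consistent. The edited TODO block also leaves a doubled space in `// TODO  - workspace management` and a stray blank line inside the comment run, which reads as an unfinished edit. The method this hunk closes begins at L175, outside the hunk.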
@@ -158,10 +163,10 @@ class PermissionValidator implements Val
             checkPermissions(permission);
             return null; // no need for further validation down the subtree
         } else {
-            checkPermissions(node.getTree(), permission);
+            checkPermissions(tree, permission);
             return (isBefore) ?
-                    new PermissionValidator(compiledPermissions, node, null) :
-                    new PermissionValidator(compiledPermissions, null, node);
+                    nextValidator(node, null) :
+                    nextValidator(null, node);
         }
     }
 
@@ -183,11 +188,6 @@ class PermissionValidator implements Val
         }
     }
 
-    private static boolean isAccessControl(NodeUtil node) {
-        // TODO: depends on ac-model
-        return false;
-    }
-
     private static boolean isVersion(NodeUtil node) {
         if (node.getTree().isRoot()) {
             return false;
@@ -212,26 +212,6 @@ class PermissionValidator implements Val
         }
     }
 
-    private static boolean isAuthorizable(NodeUtil parent) {
-        // TODO: review again: depends on configured user-mgt
-        String ntName = parent.getName(JcrConstants.JCR_PRIMARYTYPE);
-        return UserConstants.NT_REP_GROUP.equals(ntName) || UserConstants.NT_REP_USER.equals(ntName)
|| UserConstants.NT_REP_MEMBERS.equals(ntName);
-    }
-
-    private static boolean isAuthorizableProperty(NodeUtil parent, PropertyState property)
{
-        // TODO: review again: depends on configured user-mgt
-        String ntName = parent.getName(JcrConstants.JCR_PRIMARYTYPE);
-        if (UserConstants.NT_REP_USER.equals(ntName)) {
-            return UserConstants.USER_PROPERTY_NAMES.contains(property.getName());
-        } else if (UserConstants.NT_REP_GROUP.equals(ntName)) {
-            return UserConstants.GROUP_PROPERTY_NAMES.contains(property.getName());
-        } else if (UserConstants.NT_REP_MEMBERS.equals(ntName)) {
-            return true;
-        }
-
-        return false;
-    }
-
     private static boolean isLockProperty(String name) {
         return JcrConstants.JCR_LOCKISDEEP.equals(name) || JcrConstants.JCR_LOCKOWNER.equals(name);
     }
@@ -244,9 +224,4 @@ class PermissionValidator implements Val
         // TODO: depends on pluggable module
         return Text.isDescendant(NodeTypeConstants.NODE_TYPES_PATH, path);
     }
-
-    private static boolean isPrivilegeDefinition(String path) {
-        // TODO: depends on pluggable module
-        return Text.isDescendant(PrivilegeConstants.PRIVILEGES_PATH, path);
-    }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java?rev=1411772&r1=1411771&r2=1411772&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
Tue Nov 20 18:07:19 2012
@@ -17,13 +17,14 @@
 package org.apache.jackrabbit.oak.security.authorization;
 
 import java.security.AccessController;
-
 import javax.annotation.Nonnull;
 import javax.security.auth.Subject;
 
 import org.apache.jackrabbit.oak.core.ReadOnlyTree;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
+import org.apache.jackrabbit.oak.spi.security.Context;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlContext;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
@@ -32,14 +33,17 @@ import org.apache.jackrabbit.oak.util.No
 /**
  * PermissionValidatorProvider... TODO
  */
-public class PermissionValidatorProvider implements ValidatorProvider {
+class PermissionValidatorProvider implements ValidatorProvider {
 
-    private final AccessControlConfiguration accessControlConfiguration;
+    private final SecurityProvider securityProvider;
+    private final AccessControlConfiguration acConfiguration;
 
-    PermissionValidatorProvider(AccessControlConfiguration accessControlConfiguration) {
-        this.accessControlConfiguration = accessControlConfiguration;
+    PermissionValidatorProvider(SecurityProvider securityProvider) {
+        this.securityProvider = securityProvider;
+        this.acConfiguration = securityProvider.getAccessControlConfiguration();
     }
 
+    //--------------------------------------------------< ValidatorProvider >---
     @Nonnull
     @Override
     public Validator getRootValidator(NodeState before, NodeState after) {
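Review bot: The constructor calls `securityProvider.getAccessControlConfiguration()` (L353) before anything has validated the argument, so a null provider fails as a context-free NPE inside the constructor; `if (securityProvider == null) { throw new IllegalArgumentException("securityProvider must not be null"); }` ahead of that line names the culprit. Narrowing the class to package-private is consistent with `AccessControlConfigurationImpl` being its only visible creator in the same package, but the class Javadoc still reads `PermissionValidatorProvider... TODO` and should now describe the class, e.g. that it builds a `PermissionValidator` for the current subject and exposes the user, privilege and access-control contexts to it. `getRootValidator` continues outside this hunk.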
@@ -49,10 +53,23 @@ public class PermissionValidatorProvider
             subject = new Subject();
         }
 
-        AccessControlContext context = accessControlConfiguration.getAccessControlContext(subject);
+        AccessControlContext context = acConfiguration.getAccessControlContext(subject);
 
         NodeUtil rootBefore = new NodeUtil(new ReadOnlyTree(before));
         NodeUtil rootAfter = new NodeUtil(new ReadOnlyTree(after));
-        return new PermissionValidator(context.getPermissions(), rootBefore, rootAfter);
+        return new PermissionValidator(rootBefore, rootAfter, context.getPermissions(), this);
+    }
+
+    //-----------------------------------------------------------< internal >---
+    Context getUserContext() {
+        return securityProvider.getUserConfiguration().getContext();
+    }
+
+    Context getPrivilegeContext() {
+        return securityProvider.getPrivilegeConfiguration().getContext();
+    }
+
+    Context getAccessControlContext() {
+        return acConfiguration.getContext();
     }
 }
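Review bot: `getUserContext()`, `getPrivilegeContext()` and `getAccessControlContext()` resolve the configuration and its context on every invocation, and `PermissionValidator.checkPermissions` calls them for each changed property and node (L196–L202, L232–L236). If `getUserConfiguration()` and `getPrivilegeConfiguration()` follow the pattern of `SecurityProviderImpl.getAccessControlConfiguration()` (L36) and build a fresh object per call, this allocates on the validation hot path of every commit; resolving the three `Context` instances once in the constructor, as `acConfiguration` already is, and storing them in `final` fields would avoid that and would also pin the contexts for the lifetime of one validation run. The three package-private accessors are otherwise undocumented; a one-line comment on the `internal` section stating they are for use by `PermissionValidator` only would suffice.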


