jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1412069 - in /jackrabbit/oak/trunk/oak-core/src/main: java/org/apache/jackrabbit/oak/spi/security/authorization/ java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/ resources/org/apache/jackrabbit/oak/plugins/nodetype/
Date Wed, 21 Nov 2012 11:48:18 GMT
Author: angela
Date: Wed Nov 21 11:48:17 2012
New Revision: 1412069

URL: http://svn.apache.org/viewvc?rev=1412069&view=rev
Log:
OAK-51 : Implement JCR Access Control Management

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/builtin_nodetypes.cnd

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java?rev=1412069&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
Wed Nov 21 11:48:17 2012
@@ -0,0 +1,149 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization;
+
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Set;
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import javax.jcr.security.Privilege;
+
+import com.google.common.base.Function;
+import com.google.common.collect.Collections2;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+
+/**
+ * ACE... TODO
+ */
+public class ACE implements JackrabbitAccessControlEntry {
+
+    private final Principal principal;
+    private final Privilege[] privileges;
+    private final boolean isAllow;
+    private final Set<Restriction> restrictions;
+    private final NamePathMapper namePathMapper;
+
+    private int hashCode;
+
+    public ACE(Principal principal, Privilege[] privileges, boolean isAllow,
+               Set<Restriction> restrictions, NamePathMapper namePathMapper) {
+        this.principal = principal;
+        this.privileges = privileges;
+        this.isAllow = isAllow;
+        this.restrictions = (restrictions == null) ? Collections.<Restriction>emptySet()
: restrictions;
+        this.namePathMapper = namePathMapper;
+    }
+
+    //-------------------------------------------------< AccessControlEntry >---
+    @Override
+    public Principal getPrincipal() {
+        return principal;
+    }
+
+    @Override
+    public Privilege[] getPrivileges() {
+        return privileges;
+    }
+
+    //---------------------------------------< JackrabbitAccessControlEntry >---
+    @Override
+    public boolean isAllow() {
+        return isAllow;
+    }
+
+    @Override
+    public String[] getRestrictionNames() throws RepositoryException {
+        return Collections2.transform(restrictions, new Function<Restriction, String>()
{
+            @Override
+            public String apply(Restriction restriction) {
+                return namePathMapper.getJcrName(restriction.getName());
+            }
+        }).toArray(new String[restrictions.size()]);
+    }
+
+    @Override
+    public Value getRestriction(String restrictionName) throws RepositoryException {
+        String oakName = namePathMapper.getOakName(restrictionName);
+        for (Restriction restriction : restrictions) {
+            if (restriction.getName().equals(oakName)) {
+                return ValueFactoryImpl.createValue(restriction.getProperty(), namePathMapper);
+            }
+        }
+        return null;
+    }
+
+    //-------------------------------------------------------------< Object >---
+    /**
+     * @see Object#hashCode()
+     */
+    @Override
+    public int hashCode() {
+        if (hashCode == -1) {
+            hashCode = buildHashCode();
+        }
+        return hashCode;
+    }
+
+    /**
+     * @see Object#equals(Object)
+     */
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == this) {
+            return true;
+        }
+        if (obj instanceof ACE) {
+            ACE other = (ACE) obj;
+            return principal.equals(other.principal) &&
+                   Arrays.equals(privileges, other.privileges) &&
+                   isAllow == other.isAllow &&
+                   restrictions.equals(other.restrictions);
+        }
+        return false;
+    }
+
+    /**
+     * @see Object#toString()
+     */
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+        sb.append(principal.getName()).append('-').append(isAllow).append('-');
+        sb.append(Arrays.toString(privileges)).append('-').append(restrictions.toString());
+        return sb.toString();
+    }
+
+    //------------------------------------------------------------< private >---
+    /**
+     * Build the hash code.
+     *
+     * @return the hash code.
+     */
+    private int buildHashCode() {
+        int h = 17;
+        h = 37 * h + principal.getName().hashCode();
+        h = 37 * h + Arrays.hashCode(privileges);
+        h = 37 * h + Boolean.valueOf(isAllow).hashCode();
+        h = 37 * h + restrictions.hashCode();
+        return h;
+    }
+}

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java?rev=1412069&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java
Wed Nov 21 11:48:17 2012
@@ -0,0 +1,214 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
+import javax.jcr.UnsupportedRepositoryOperationException;
+import javax.jcr.Value;
+import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.Privilege;
+
+import com.google.common.base.Function;
+import com.google.common.collect.Collections2;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * ACL... TODO
+ */
+public class ACL implements JackrabbitAccessControlList {
+
+    private static final Logger log = LoggerFactory.getLogger(ACL.class);
+
+    private final String path;
+    private final List<AccessControlEntry> entries;
+    private final RestrictionProvider restrictionProvider;
+    private final NamePathMapper namePathMapper;
+
+    public ACL(String path, List<AccessControlEntry> entries,
+               RestrictionProvider restrictionProvider, NamePathMapper namePathMapper) {
+        this.path = path;
+        this.entries = (entries == null) ? new ArrayList<AccessControlEntry>() : entries;
+        this.restrictionProvider = restrictionProvider;
+        this.namePathMapper = namePathMapper;
+    }
+
+    //--------------------------------------------------< AccessControlList >---
+    @Override
+    public AccessControlEntry[] getAccessControlEntries() throws RepositoryException {
+        return entries.toArray(new AccessControlEntry[entries.size()]);
+    }
+
+    @Override
+    public boolean addAccessControlEntry(Principal principal, Privilege[] privileges) throws
AccessControlException, RepositoryException {
+        return addEntry(principal, privileges, true, Collections.<String, Value>emptyMap());
+    }
+
+    @Override
+    public void removeAccessControlEntry(AccessControlEntry ace) throws AccessControlException,
RepositoryException {
+        if (!(ace instanceof ACE)) {
+            throw new AccessControlException("Invalid AccessControlEntry implementation "
+ ace.getClass().getName() + '.');
+        }
+        if (!entries.remove(ace)) {
+            throw new AccessControlException("Cannot remove AccessControlEntry " + ace);
+        }
+    }
+
+    //--------------------------------------< JackrabbitAccessControlPolicy >---
+    @Override
+    public String getPath() {
+        return (path == null) ? null : namePathMapper.getJcrPath(path);
+    }
+
+    //----------------------------------------< JackrabbitAccessControlList >---
+    @Override
+    public String[] getRestrictionNames() throws RepositoryException {
+        Set<RestrictionDefinition> supported = restrictionProvider.getSupportedRestrictions(path);
+        return Collections2.transform(supported, new Function<RestrictionDefinition, String>()
{
+            @Override
+            public String apply(RestrictionDefinition definition) {
+                return namePathMapper.getJcrName(definition.getName());
+            }
+        }).toArray(new String[supported.size()]);
+
+    }
+
+    @Override
+    public int getRestrictionType(String restrictionName) throws RepositoryException {
+        String oakName = namePathMapper.getOakName(restrictionName);
+        for (RestrictionDefinition definition : restrictionProvider.getSupportedRestrictions(path))
{
+            if (definition.getName().equals(oakName)) {
+                return definition.getRequiredType();
+            }
+        }
+        return PropertyType.UNDEFINED;
+    }
+
+    @Override
+    public boolean isEmpty() {
+        return entries.isEmpty();
+    }
+
+    @Override
+    public int size() {
+        return entries.size();
+    }
+
+    @Override
+    public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow)
throws AccessControlException, RepositoryException {
+        return addEntry(principal, privileges, isAllow, Collections.<String, Value>emptyMap());
+    }
+
+    @Override
+    public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow,
Map<String, Value> restrictions) throws AccessControlException, RepositoryException
{
+        // NOTE: validation and any kind of optimization of the entry list is
+        // delegated to the commit validator
+        Set<Restriction> rs;
+        if (restrictions == null) {
+            rs = Collections.emptySet();
+        } else {
+            rs = new HashSet<Restriction>(restrictions.size());
+            for (String name : restrictions.keySet()) {
+                rs.add(restrictionProvider.createRestriction(path, name, restrictions.get(name)));
+            }
+        }
+        AccessControlEntry entry = new ACE(principal, privileges, isAllow, rs, namePathMapper);
+        if (entries.contains(entry)) {
+            log.debug("Entry is already contained in policy -> no modification.");
+            return false;
+        } else {
+            return entries.add(entry);
+        }
+    }
+
+    @Override
+    public void orderBefore(AccessControlEntry srcEntry, AccessControlEntry destEntry) throws
AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
+        if (srcEntry.equals(destEntry)) {
+            log.debug("'srcEntry' equals 'destEntry' -> no reordering required.");
+            return;
+        }
+
+        int index = (destEntry == null) ? entries.size()-1 : entries.indexOf(destEntry);
+        if (index < 0) {
+            throw new AccessControlException("'destEntry' not contained in this AccessControlList.");
+        } else {
+            if (entries.remove(srcEntry)) {
+                // re-insert the srcEntry at the new position.
+                entries.add(index, srcEntry);
+            } else {
+                // src entry not contained in this list.
+                throw new AccessControlException("srcEntry not contained in this AccessControlList");
+            }
+        }
+    }
+
+    //-------------------------------------------------------------< Object >---
+    /**
+     * Returns zero to satisfy the Object equals/hashCode contract.
+     * This class is mutable and not meant to be used as a hash key.
+     *
+     * @return always zero
+     * @see Object#hashCode()
+     */
+    @Override
+    public int hashCode() {
+        return 0;
+    }
+
+    /**
+     * Returns true if the path and the entries are equal; false otherwise.
+     *
+     * @param obj Object to test.
+     * @return true if the path and the entries are equal; false otherwise.
+     * @see Object#equals(Object)
+     */
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == this) {
+            return true;
+        }
+        if (obj instanceof ACL) {
+            ACL acl = (ACL) obj;
+            return path.equals(acl.path) && entries.equals(acl.entries);
+        }
+        return false;
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+        sb.append("ACL: ").append(path).append("; ACEs: ");
+        for (AccessControlEntry ace : entries) {
+            sb.append(ace.toString()).append(';');
+        }
+        return sb.toString();
+    }
+}

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java?rev=1412069&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
Wed Nov 21 11:48:17 2012
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
+
+import javax.annotation.Nonnull;
+import javax.jcr.Value;
+
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+
+/**
+ * Restriction... TODO
+ */
+public interface Restriction extends RestrictionDefinition {
+
+    @Nonnull
+    PropertyState getProperty();
+}

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java?rev=1412069&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
Wed Nov 21 11:48:17 2012
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
+
+import javax.annotation.Nonnull;
+
+/**
+ * RestrictionDefinition... TODO
+ */
+public interface RestrictionDefinition {
+
+    @Nonnull
+    String getName();
+
+    int getRequiredType();
+
+    boolean isMandatory();
+}

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java?rev=1412069&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
Wed Nov 21 11:48:17 2012
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
+
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import javax.jcr.security.AccessControlException;
+
+import org.apache.jackrabbit.oak.api.Tree;
+
+/**
+ * RestrictionProvider... TODO
+ */
+public interface RestrictionProvider {
+
+    @Nonnull
+    Set<RestrictionDefinition> getSupportedRestrictions(String path);
+
+    Restriction createRestriction(String jcrPath, String jcrName, Value value) throws RepositoryException;
+
+    Set<Restriction> readRestrictions(String path, Tree aceTree) throws AccessControlException;
+
+    void validateRestrictions(String path, Tree aceTree) throws AccessControlException;
+}

Modified: jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/builtin_nodetypes.cnd
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/builtin_nodetypes.cnd?rev=1412069&r1=1412068&r2=1412069&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/builtin_nodetypes.cnd
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/builtin_nodetypes.cnd
Wed Nov 21 11:48:17 2012
@@ -580,14 +580,21 @@
 [rep:ACE]
   - rep:principalName (STRING) protected mandatory
   - rep:privileges (NAME) protected mandatory multiple
-  - rep:nodePath (PATH) protected
-  - rep:glob (STRING) protected
-  - * (UNDEFINED) protected
+  - rep:nodePath (PATH) protected /* deprecated in favor of restrictions */
+  - rep:glob (STRING) protected   /* deprecated in favor of restrictions */
+  - * (UNDEFINED) protected       /* deprecated in favor of restrictions */
+  + rep:restrictions (rep:Restrictions) = rep:Restrictions protected
 
 [rep:GrantACE] > rep:ACE
 
 [rep:DenyACE] > rep:ACE
 
+/**
+ * @since oak 1.0
+ */
+[rep:Restrictions]
+  - * (UNDEFINED) protected
+
 // -----------------------------------------------------------------------------
 // Principal based AC
 // -----------------------------------------------------------------------------



Mime
View raw message