jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1414270 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: core/ security/authorization/ spi/security/authorization/
Date Tue, 27 Nov 2012 17:12:52 GMT
Author: angela
Date: Tue Nov 27 17:12:49 2012
New Revision: 1414270

URL: http://svn.apache.org/viewvc?rev=1414270&view=rev
Log:
OAK-51 : Access Control Management

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java
      - copied, changed from r1412918, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContextImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java
Removed:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContextImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlContext.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java?rev=1414270&r1=1414269&r2=1414270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
Tue Nov 27 17:12:49 2012
@@ -338,7 +338,7 @@ public class RootImpl implements Root {
     }
 
     CompiledPermissions getPermissions() {
-        return accConfiguration.getAccessControlContext(subject).getPermissions();
+        return accConfiguration.getCompiledPermissions(store, subject.getPrincipals());
     }
 
     //------------------------------------------------------------< private >---

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java?rev=1414270&r1=1414269&r2=1414270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
Tue Nov 27 17:12:49 2012
@@ -16,19 +16,26 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
+import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Set;
+import javax.annotation.Nonnull;
 import javax.jcr.security.AccessControlManager;
-import javax.security.auth.Subject;
 
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
+import org.apache.jackrabbit.oak.spi.security.Context;
 import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
-import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlContext;
+import org.apache.jackrabbit.oak.spi.security.authorization.AllPermissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
+import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
+import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
+import org.apache.jackrabbit.oak.spi.state.NodeStore;
 
 /**
  * {@code AccessControlConfigurationImpl} ... TODO
@@ -41,14 +48,27 @@ public class AccessControlConfigurationI
         this.securityProvider = securityProvider;
     }
 
+    //----------------------------------------------< SecurityConfiguration >---
+
+    @Override
+    public Context getContext() {
+        return AccessControlContext.getInstance();
+    }
+
+    //-----------------------------------------< AccessControlConfiguration >---
     @Override
     public AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper)
{
         throw new UnsupportedOperationException("not yet implemented");
     }
 
+    @Nonnull
     @Override
-    public AccessControlContext getAccessControlContext(Subject subject) {
-        return new AccessControlContextImpl(subject);
+    public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set<Principal>
principals) {
+        if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) {
+            return AllPermissions.getInstance();
+        } else {
+            return new CompiledPermissionImpl(nodeStore, principals);
+        }
     }
 
     @Override
@@ -58,4 +78,14 @@ public class AccessControlConfigurationI
         vps.add(new AccessControlValidatorProvider(securityProvider));
         return Collections.unmodifiableList(vps);
     }
+
+    //--------------------------------------------------------------------------
+    private static boolean isAdmin(Set<Principal> principals) {
+        for (Principal principal : principals) {
+            if (principal instanceof AdminPrincipal) {
+                return true;
+            }
+        }
+        return false;
+    }
 }

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java?rev=1414270&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
Tue Nov 27 17:12:49 2012
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization;
+
+import java.util.Collection;
+
+import com.google.common.collect.ImmutableSet;
+
+/**
+ * AccessControlConstants... TODO
+ */
+public interface AccessControlConstants {
+
+    String REP_POLICY = "rep:policy";
+    String REP_REPO_POLICY = "rep:repoPolicy";
+    String REP_PRIVILEGES = "rep:privileges";
+    String REP_PRINCIPAL_NAME = "rep:principalName";
+    String REP_GLOB = "rep:glob";
+    String REP_RESTRICTIONS = "rep:restrictions";
+
+
+    String MIX_REP_ACCESS_CONTROLLABLE = "rep:AccessControllable";
+    String MIX_REP_REPO_ACCESS_CONTROLLABLE = "rep:RepoAccessControllable";
+    String NT_REP_POLICY = "rep:Policy";
+    String NT_REP_ACL = "rep:ACL";
+    String NT_REP_ACE = "rep:ACE";
+    String NT_REP_GRANT_ACE = "rep:GrantACE";
+    String NT_REP_DENY_ACE = "rep:DenyACE";
+    String NT_REP_RESTRICTIONS = "rep:Restrictions";
+
+    Collection<String> AC_PROPERTY_NAMES = ImmutableSet.of(REP_PRINCIPAL_NAME, REP_PRIVILEGES,
REP_GLOB);
+    Collection<String> AC_NODE_NAMES = ImmutableSet.of(REP_POLICY, REP_REPO_POLICY);
+    Collection<String> AC_NODE_TYPE_NAMES = ImmutableSet.of(NT_REP_POLICY, NT_REP_ACL,
NT_REP_ACE, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_RESTRICTIONS);
+
+}
\ No newline at end of file

Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java
(from r1412918, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContextImpl.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContextImpl.java&r1=1412918&r2=1414270&rev=1414270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContextImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java
Tue Nov 27 17:12:49 2012
@@ -16,47 +16,35 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
-import java.security.Principal;
-import java.util.Set;
-import javax.security.auth.Subject;
-
-import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlContext;
-import org.apache.jackrabbit.oak.spi.security.authorization.AllPermissions;
-import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
-import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
-import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.Context;
+import org.apache.jackrabbit.oak.util.NodeUtil;
 
 /**
- * PermissionProviderImpl... TODO
+ * AccessControlContext... TODO
  */
-class AccessControlContextImpl implements AccessControlContext {
+class AccessControlContext implements Context, AccessControlConstants {
 
-    private final Subject subject;
+    private static final Context INSTANCE = new AccessControlContext();
 
-    AccessControlContextImpl(Subject subject) {
-        this.subject = subject;
+    private AccessControlContext() {
     }
 
-    //-----------------------------------------------< AccessControlContext >---
+    static Context getInstance() {
+        return INSTANCE;
+    }
 
+    //------------------------------------------------------------< Context >---
     @Override
-    public CompiledPermissions getPermissions() {
-        Set<Principal> principals = subject.getPrincipals();
-        if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) {
-            return AllPermissions.getInstance();
-        } else {
-            // TODO: replace with permissions based on ac evaluation
-            return new CompiledPermissionImpl(principals);
-        }
+    public boolean definesProperty(Tree parent, PropertyState property) {
+        return definesTree(parent);
     }
 
-    //--------------------------------------------------------------------------
-    private static boolean isAdmin(Set<Principal> principals) {
-        for (Principal principal : principals) {
-            if (principal instanceof AdminPrincipal) {
-                return true;
-            }
-        }
-        return false;
+    @Override
+    public boolean definesTree(Tree tree) {
+        NodeUtil node = new NodeUtil(tree);
+        String ntName = node.getPrimaryNodeTypeName();
+        return AC_NODE_TYPE_NAMES.contains(ntName);
     }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java?rev=1414270&r1=1414269&r2=1414270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java
Tue Nov 27 17:12:49 2012
@@ -16,15 +16,35 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
+import java.util.Map;
+import javax.jcr.security.AccessControlException;
+
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
+import org.apache.jackrabbit.oak.util.NodeUtil;
 
 /**
  * AccessControlValidator... TODO
  */
-class AccessControlValidator implements Validator {
+class AccessControlValidator implements Validator, AccessControlConstants {
+
+    private final NodeUtil parentBefore;
+    private final NodeUtil parentAfter;
+    private final Map<String, PrivilegeDefinition> privilegeDefinitions;
+    private final RestrictionProvider restrictionProvider;
+
+    AccessControlValidator(NodeUtil parentBefore, NodeUtil parentAfter,
+                           Map<String, PrivilegeDefinition> privilegeDefinitions,
+                           RestrictionProvider restrictionProvider) {
+        this.parentBefore = parentBefore;
+        this.parentAfter = parentAfter;
+        this.privilegeDefinitions = privilegeDefinitions;
+        this.restrictionProvider = restrictionProvider;
+    }
 
     //----------------------------------------------------------< Validator >---
     @Override
@@ -44,14 +64,25 @@ class AccessControlValidator implements 
 
     @Override
     public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException
{
-        // TODO validate new acl / ace
-        return null;
+        NodeUtil node = parentAfter.getChild(name);
+        if (isAccessControlEntry(node)) {
+            checkValidAccessControlEntry(node);
+            return null;
+        } else {
+            return new AccessControlValidator(null, node, privilegeDefinitions, restrictionProvider);
+        }
     }
 
     @Override
     public Validator childNodeChanged(String name, NodeState before, NodeState after) throws
CommitFailedException {
-        // TODO validate acl / ace / restriction modification
-        return null;
+        NodeUtil nodeBefore = parentBefore.getChild(name);
+        NodeUtil nodeAfter = parentAfter.getChild(name);
+        if (isAccessControlEntry(nodeAfter)) {
+            checkValidAccessControlEntry(nodeAfter);
+            return null;
+        } else {
+            return new AccessControlValidator(nodeBefore, nodeAfter, privilegeDefinitions,
restrictionProvider);
+        }
     }
 
     @Override
@@ -59,4 +90,55 @@ class AccessControlValidator implements 
         // TODO validate acl / ace / restriction removal
         return null;
     }
+
+    //------------------------------------------------------------< private >---
+    private boolean isAccessControlEntry(NodeUtil node) {
+        String ntName = node.getPrimaryNodeTypeName();
+        return NT_REP_DENY_ACE.equals(ntName) || NT_REP_GRANT_ACE.equals(ntName);
+    }
+
+    private void checkValidAccessControlEntry(NodeUtil aceNode) throws CommitFailedException
{
+        checkValidPrincipal(aceNode.getString(REP_PRINCIPAL_NAME, null));
+        checkValidPrivileges(aceNode.getNames(REP_PRIVILEGES));
+        checkValidRestrictions(aceNode);
+    }
+
+    private void checkValidPrincipal(String principalName) throws CommitFailedException {
+        if (principalName == null || principalName.isEmpty()) {
+            fail("Missing principal name.");
+        }
+        // TODO
+        // if (!principalMgr.hasPrincipal(principal.getName())) {
+        //     throw new AccessControlException("Principal " + principal.getName() + " does
not exist.");
+        // }
+    }
+
+    private void checkValidPrivileges(String[] privilegeNames) throws CommitFailedException
{
+        if (privilegeNames == null || privilegeNames.length == 0) {
+            fail("Missing privileges.");
+        }
+        for (String privilegeName : privilegeNames) {
+            if (!privilegeDefinitions.containsKey(privilegeName)) {
+                fail("Unknown privilege " + privilegeName);
+            }
+
+            PrivilegeDefinition def = privilegeDefinitions.get(privilegeName);
+            if (def.isAbstract()) {
+                fail("Abstract privilege " + privilegeName);
+            }
+        }
+    }
+
+    private void checkValidRestrictions(NodeUtil aceNode) throws CommitFailedException {
+        try {
+            String path = null; // TODO
+            restrictionProvider.validateRestrictions(path, aceNode.getTree());
+        } catch (AccessControlException e) {
+            throw new CommitFailedException(e);
+        }
+    }
+
+    private static void fail(String msg) throws CommitFailedException {
+        throw new CommitFailedException(new AccessControlException(msg));
+    }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java?rev=1414270&r1=1414269&r2=1414270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
Tue Nov 27 17:12:49 2012
@@ -16,12 +16,19 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
+import java.util.Map;
 import javax.annotation.Nonnull;
 
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.core.ReadOnlyTree;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinitionReader;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
+import org.apache.jackrabbit.oak.util.NodeUtil;
 
 /**
  * {@code AccessControlValidatorProvider} aimed to provide a root validator
@@ -37,9 +44,18 @@ class AccessControlValidatorProvider imp
         this.securityProvider = securityProvider;
     }
 
+    //--------------------------------------------------< ValidatorProvider >---
     @Nonnull
     @Override
     public Validator getRootValidator(NodeState before, NodeState after) {
-        return new AccessControlValidator();
+        Tree treeBefore = new ReadOnlyTree(before);
+        NodeUtil rootBefore = new NodeUtil(treeBefore);
+        NodeUtil rootAfter = new NodeUtil(new ReadOnlyTree(after));
+
+        PrivilegeDefinitionReader reader = securityProvider.getPrivilegeConfiguration().getPrivilegeDefinitionReader(treeBefore);
+        Map<String, PrivilegeDefinition> privilegeDefinitions = reader.readDefinitions();
+        RestrictionProvider restrictionProvider = null; // TODO
+        return new AccessControlValidator(rootBefore, rootAfter, privilegeDefinitions, restrictionProvider);
     }
+
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java?rev=1414270&r1=1414269&r2=1414270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java
Tue Nov 27 17:12:49 2012
@@ -23,13 +23,14 @@ import org.apache.jackrabbit.oak.api.Pro
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
 import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
+import org.apache.jackrabbit.oak.spi.state.NodeStore;
 
 /**
  * TODO
  */
 class CompiledPermissionImpl implements CompiledPermissions {
 
-    CompiledPermissionImpl(Set<Principal> principals) {
+    CompiledPermissionImpl(NodeStore nodeStore, Set<Principal> principals) {
 
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java?rev=1414270&r1=1414269&r2=1414270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
Tue Nov 27 17:12:49 2012
@@ -17,6 +17,9 @@
 package org.apache.jackrabbit.oak.security.authorization;
 
 import java.security.AccessController;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.security.auth.Subject;
 
@@ -26,7 +29,7 @@ import org.apache.jackrabbit.oak.spi.com
 import org.apache.jackrabbit.oak.spi.security.Context;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
-import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlContext;
+import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
 import org.apache.jackrabbit.oak.util.NodeUtil;
 
@@ -48,16 +51,12 @@ class PermissionValidatorProvider implem
     @Override
     public Validator getRootValidator(NodeState before, NodeState after) {
         Subject subject = Subject.getSubject(AccessController.getContext());
-        if (subject == null) {
-            // use empty subject
-            subject = new Subject();
-        }
-
-        AccessControlContext context = acConfiguration.getAccessControlContext(subject);
+        Set<Principal> principals = (subject != null) ? subject.getPrincipals() : Collections.<Principal>emptySet();
+        CompiledPermissions permissions = acConfiguration.getCompiledPermissions(/*TODO*/null,
principals);
 
         NodeUtil rootBefore = new NodeUtil(new ReadOnlyTree(before));
         NodeUtil rootAfter = new NodeUtil(new ReadOnlyTree(after));
-        return new PermissionValidator(rootBefore, rootAfter, context.getPermissions(), this);
+        return new PermissionValidator(rootBefore, rootAfter, permissions, this);
     }
 
     //-----------------------------------------------------------< internal >---

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java?rev=1414270&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java
Tue Nov 27 17:12:49 2012
@@ -0,0 +1,155 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization;
+
+import java.security.AccessControlException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.jcr.NamespaceRegistry;
+import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.util.Text;
+
+/**
+ * RestrictionProviderImpl... TODO
+ */
+public class RestrictionProviderImpl implements RestrictionProvider {
+
+    private Map<String, RestrictionDefinition> supported;
+    private NamePathMapper namePathMapper;
+
+    public RestrictionProviderImpl(Map<String, RestrictionDefinition> supported, NamePathMapper
namePathMapper) {
+        this.supported = ImmutableMap.copyOf(supported);
+        this.namePathMapper = namePathMapper;
+    }
+
+    @Nonnull
+    @Override
+    public Set<RestrictionDefinition> getSupportedRestrictions(String path) {
+        if (path == null) {
+            return Collections.emptySet();
+        } else {
+            return ImmutableSet.copyOf(supported.values());
+        }
+    }
+
+    @Override
+    public Restriction createRestriction(String path, String jcrName, Value value) throws
RepositoryException {
+        String oakName = namePathMapper.getOakName(jcrName);
+        RestrictionDefinition definition = (path == null) ? null : supported.get(oakName);
+        if (definition == null) {
+            throw new AccessControlException("Unsupported restriction: " + jcrName);
+        }
+        int requiredType = definition.getRequiredType();
+        if (requiredType != PropertyType.UNDEFINED && requiredType != value.getType())
{
+            throw new AccessControlException("Unsupported restriction: Expected value of
type " + PropertyType.nameFromValue(definition.getRequiredType()));
+        }
+        PropertyState propertyState = PropertyStates.createProperty(oakName, value);
+        return new RestrictionImpl(propertyState, requiredType, definition.isMandatory());
+    }
+
+    @Override
+    public Set<Restriction> readRestrictions(String path, Tree aceTre) throws javax.jcr.security.AccessControlException
{
+        // TODO
+        return null;
+    }
+
+    @Override
+    public void validateRestrictions(String path, Tree aceTree) throws javax.jcr.security.AccessControlException
{
+        Tree restrictions;
+        if (aceTree.hasChild(AccessControlConstants.REP_RESTRICTIONS)) {
+            restrictions = aceTree.getChild(AccessControlConstants.REP_RESTRICTIONS);
+        } else {
+            // backwards compatibility
+            restrictions = aceTree;
+        }
+
+        Map<String,PropertyState> restrictionProperties = new HashMap<String, PropertyState>();
+        for (PropertyState property : restrictions.getProperties()) {
+            String name = property.getName();
+            String prefix = Text.getNamespacePrefix(name);
+            if (!NamespaceRegistry.PREFIX_JCR.equals(prefix) && !AccessControlConstants.AC_PROPERTY_NAMES.contains(name))
{
+                restrictionProperties.put(name, property);
+            }
+        }
+
+        if (path == null && !restrictionProperties.isEmpty()) {
+            throw new AccessControlException("Restrictions not supported with 'null' path.");
+        }
+        for (String restrName : restrictionProperties.keySet()) {
+            RestrictionDefinition def = supported.get(restrName);
+            if (def == null || restrictionProperties.get(restrName).getType().tag() != def.getRequiredType())
{
+                throw new AccessControlException("Unsupported restriction: " + restrName);
+            }
+        }
+        for (RestrictionDefinition def : supported.values()) {
+            if (def.isMandatory() && !restrictionProperties.containsKey(def.getName()))
{
+                throw new AccessControlException("Mandatory restriction " + def.getName()
+ " is missing.");
+            }
+        }
+    }
+
+    private static class RestrictionImpl implements Restriction {
+
+        private final PropertyState property;
+        private final int requiredType;
+        private final boolean isMandatory;
+
+        private RestrictionImpl(PropertyState property, int requiredType, boolean isMandatory)
{
+            this.property = property;
+            this.requiredType = requiredType;
+            this.isMandatory = isMandatory;
+        }
+
+        @Nonnull
+        @Override
+        public PropertyState getProperty() {
+            return property;
+        }
+
+        @Nonnull
+        @Override
+        public String getName() {
+            return property.getName();
+        }
+
+        @Nonnull
+        @Override
+        public int getRequiredType() {
+            return requiredType;
+        }
+
+        @Override
+        public boolean isMandatory() {
+            return isMandatory;
+        }
+    }
+}
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java?rev=1414270&r1=1414269&r2=1414270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
Tue Nov 27 17:12:49 2012
@@ -16,19 +16,25 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authorization;
 
+import java.security.Principal;
+import java.util.Set;
+import javax.annotation.Nonnull;
 import javax.jcr.security.AccessControlManager;
-import javax.security.auth.Subject;
 
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
+import org.apache.jackrabbit.oak.spi.state.NodeStore;
 
 /**
  * {@code AccessControlContextProvider}...
  */
 public interface AccessControlConfiguration extends SecurityConfiguration {
 
+    @Nonnull
     public AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper);
 
-    public AccessControlContext getAccessControlContext(Subject subject);
+    // TODO define how permissions eval is bound to a particular revision/branch. (passing
Tree?)
+    @Nonnull
+    public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set<Principal>
principals);
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java?rev=1414270&r1=1414269&r2=1414270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java
Tue Nov 27 17:12:49 2012
@@ -16,16 +16,20 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authorization;
 
+import java.security.Principal;
+import java.util.Set;
+import javax.annotation.Nonnull;
 import javax.jcr.security.AccessControlManager;
 import javax.security.auth.Subject;
 
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
+import org.apache.jackrabbit.oak.spi.state.NodeStore;
 
 /**
  * This class implements an {@link AccessControlConfiguration} which grants
- * full access to any {@link Subject} passed to {@link #getAccessControlContext(Subject)}.
+ * full access to any {@link Subject} passed to {@link AccessControlConfiguration#getCompiledPermissions(NodeStore,
java.util.Set}.
  */
 public class OpenAccessControlConfiguration extends SecurityConfiguration.Default
         implements AccessControlConfiguration {
@@ -35,13 +39,9 @@ public class OpenAccessControlConfigurat
         throw new UnsupportedOperationException();
     }
 
+    @Nonnull
     @Override
-    public AccessControlContext getAccessControlContext(Subject subject) {
-        return new AccessControlContext() {
-            @Override
-            public CompiledPermissions getPermissions() {
-                return AllPermissions.getInstance();
-            }
-        };
+    public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set<Principal>
principals) {
+        return AllPermissions.getInstance();
     }
 }



Mime
View raw message