jackrabbit-oak-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1420216 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: core/ security/authorization/ security/authorization/restriction/ spi/security/ spi/security/authorization/ spi/security/authorization/restriction/ spi/se...
Date Tue, 11 Dec 2012 15:18:32 GMT
Author: angela
Date: Tue Dec 11 15:18:08 2012
New Revision: 1420216

URL: http://svn.apache.org/viewvc?rev=1420216&view=rev
Log:
OAK-51 : Implement JCR Access Control Management (WIP)

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java
      - copied, changed from r1420093, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlObserver.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
      - copied, changed from r1420093, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java
Removed:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlObserver.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
Tue Dec 11 15:18:08 2012
@@ -33,6 +33,7 @@ import org.apache.jackrabbit.oak.api.Com
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.SessionQueryEngine;
 import org.apache.jackrabbit.oak.api.TreeLocation;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.commit.DefaultConflictHandler;
 import org.apache.jackrabbit.oak.query.SessionQueryEngineImpl;
 import org.apache.jackrabbit.oak.spi.commit.ConflictHandler;
@@ -340,7 +341,7 @@ public class RootImpl implements Root {
     }
 
     CompiledPermissions getPermissions() {
-        return accConfiguration.getCompiledPermissions(store, subject.getPrincipals());
+        return accConfiguration.getPermissionProvider(NamePathMapper.DEFAULT).getCompiledPermissions(store,
subject.getPrincipals());
     }
 
     //------------------------------------------------------------< private >---

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
Tue Dec 11 15:18:08 2012
@@ -16,26 +16,22 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
-import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
-import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.jcr.security.AccessControlManager;
 
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
 import org.apache.jackrabbit.oak.spi.security.Context;
 import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
-import org.apache.jackrabbit.oak.spi.security.authorization.AllPermissions;
-import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
-import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
-import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
-import org.apache.jackrabbit.oak.spi.state.NodeStore;
+import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 
 /**
  * {@code AccessControlConfigurationImpl} ... TODO
@@ -63,14 +59,22 @@ public class AccessControlConfigurationI
 
     @Nonnull
     @Override
-    public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set<Principal>
principals) {
-        if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) {
-            return AllPermissions.getInstance();
-        } else {
-            return new CompiledPermissionImpl(nodeStore, principals);
-        }
+    public RestrictionProvider getRestrictionProvider(NamePathMapper namePathMapper) {
+        return new RestrictionProviderImpl(namePathMapper);
     }
 
+    @Nonnull
+    @Override
+    public PermissionProvider getPermissionProvider(NamePathMapper namePathMapper) {
+        return new PermissionProviderImpl();
+    }
+
+//    @Nonnull
+//    @Override
+//    public List<CommitHook> getCommitHooks() {
+//        return Collections.<CommitHook>singletonList(new AccessControlHook());
+//    }
+
     @Override
     public List<ValidatorProvider> getValidatorProviders() {
         List<ValidatorProvider> vps = new ArrayList<ValidatorProvider>();
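Review bot: `getPermissionProvider(NamePathMapper namePathMapper)` ignores its argument and returns `new PermissionProviderImpl()`, so the two call sites in this commit that pass `NamePathMapper.DEFAULT` allocate a fresh provider on every call and get no mapper-dependent behaviour. Either say so on the method (`// namePathMapper is not used yet`) or hand the mapper to the provider once it needs it. The commented-out `getCommitHooks()` block would read better as a single `// TODO OAK-51: register AccessControlHook once processCommit is implemented` than as dead code. `getValidatorProviders()` starts in this hunk and continues outside it.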
@@ -78,14 +82,4 @@ public class AccessControlConfigurationI
         vps.add(new AccessControlValidatorProvider(securityProvider));
         return Collections.unmodifiableList(vps);
     }
-
-    //--------------------------------------------------------------------------
-    private static boolean isAdmin(Set<Principal> principals) {
-        for (Principal principal : principals) {
-            if (principal instanceof AdminPrincipal) {
-                return true;
-            }
-        }
-        return false;
-    }
 }

Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java
(from r1420093, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlObserver.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlObserver.java&r1=1420093&r2=1420216&rev=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlObserver.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java
Tue Dec 11 15:18:08 2012
@@ -16,18 +16,22 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
-import org.apache.jackrabbit.oak.spi.commit.Observer;
+import javax.annotation.Nonnull;
+
+import org.apache.jackrabbit.oak.api.CommitFailedException;
+import org.apache.jackrabbit.oak.spi.commit.CommitHook;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
 
 /**
- * {@code Observer} implementation that processes any modification made to
+ * {@code CommitHook} implementation that processes any modification made to
  * access control content and updates persisted permission caches associated
  * with access control related data stored in the repository.
  */
-public class AccessControlObserver implements Observer {
+public class AccessControlHook implements CommitHook {
 
+    @Nonnull
     @Override
-    public void contentChanged(NodeState before, NodeState after) {
+    public NodeState processCommit(NodeState before, NodeState after) throws CommitFailedException
{
         // TODO
         throw new UnsupportedOperationException("not yet implemented");
     }
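Review bot: The class Javadoc still promises that this hook "processes any modification made to access control content and updates persisted permission caches", while `processCommit` only throws `UnsupportedOperationException`. That exception is unchecked, so code that handles the declared `CommitFailedException` will not catch it. Until the body exists the Javadoc should say so, for example `* NOTE: not implemented yet; must not be registered as a commit hook.` The class body continues past the end of this hunk.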

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java?rev=1420216&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
Tue Dec 11 15:18:08 2012
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization;
+
+import java.security.Principal;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.oak.spi.security.authorization.AllPermissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
+import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
+import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
+import org.apache.jackrabbit.oak.spi.state.NodeStore;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * PermissionProviderImpl... TODO
+ */
+public class PermissionProviderImpl implements PermissionProvider {
+
+    /**
+     * logger instance
+     */
+    private static final Logger log = LoggerFactory.getLogger(PermissionProviderImpl.class);
+
+    @Override
+    public Permissions getPermissions(Set<Privilege> privileges) {
+        // TODO
+        throw new UnsupportedOperationException("not yet implemented.");
+    }
+
+    @Nonnull
+    @Override
+    public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set<Principal>
principals) {
+        if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) {
+            return AllPermissions.getInstance();
+        } else {
+            return new CompiledPermissionImpl(nodeStore, principals);
+        }
+    }
+
+    //--------------------------------------------------------------------------
+    private static boolean isAdmin(Set<Principal> principals) {
+        for (Principal principal : principals) {
+            if (principal instanceof AdminPrincipal) {
+                return true;
+            }
+        }
+        return false;
+    }
+}
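Review bot: `getCompiledPermissions` returns `AllPermissions.getInstance()` as soon as the set contains `SystemPrincipal.INSTANCE` or any `AdminPrincipal` instance, and nothing on the method states that the principal set must come from a completed, trusted login. Because this branch skips all access control evaluation, that precondition belongs in a Javadoc on the method. The Javadoc should also state that `principals` must not be null, since `principals.contains(...)` is called unguarded. The `log` field is declared but never used in this file, and the class Javadoc is still `PermissionProviderImpl... TODO`.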

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
Tue Dec 11 15:18:08 2012
@@ -24,6 +24,7 @@ import javax.annotation.Nonnull;
 import javax.security.auth.Subject;
 
 import org.apache.jackrabbit.oak.core.ReadOnlyTree;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
 import org.apache.jackrabbit.oak.spi.security.Context;
@@ -52,7 +53,7 @@ class PermissionValidatorProvider implem
     public Validator getRootValidator(NodeState before, NodeState after) {
         Subject subject = Subject.getSubject(AccessController.getContext());
         Set<Principal> principals = (subject != null) ? subject.getPrincipals() : Collections.<Principal>emptySet();
-        CompiledPermissions permissions = acConfiguration.getCompiledPermissions(/*TODO*/null,
principals);
+        CompiledPermissions permissions = acConfiguration.getPermissionProvider(NamePathMapper.DEFAULT).getCompiledPermissions(/*TODO*/null,
principals);
 
         NodeUtil rootBefore = new NodeUtil(new ReadOnlyTree(before));
         NodeUtil rootAfter = new NodeUtil(new ReadOnlyTree(after));
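Review bot: The rewritten call still passes `/*TODO*/null` as the `NodeStore`, so for every subject that is neither system nor admin, `PermissionProviderImpl.getCompiledPermissions` builds `new CompiledPermissionImpl(null, principals)`. `CompiledPermissionImpl` is not part of this diff, so whether it dereferences the store cannot be seen here; if it does, commit validation ends in a `NullPointerException` rather than a permission decision. A comment on this line naming what must supply the store (`// TODO OAK-51: pass the NodeStore of the content being validated`) would help, as would an explicit null check in the provider. `getRootValidator` continues outside the hunk.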

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java?rev=1420216&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java
Tue Dec 11 15:18:08 2012
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.restriction;
+
+import javax.annotation.Nonnull;
+
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
+
+/**
+ * RestrictionDefinitionImpl... TODO
+ */
+public class RestrictionDefinitionImpl implements RestrictionDefinition {
+
+    private final String name;
+    private final int type;
+    private final boolean isMandatory;
+
+    public RestrictionDefinitionImpl(String name, int type, boolean isMandatory) {
+        this.name = name;
+        this.type = type;
+        this.isMandatory = isMandatory;
+    }
+
+    @Nonnull
+    @Override
+    public String getName() {
+        return name;
+    }
+
+    @Override
+    public int getRequiredType() {
+        return type;
+    }
+
+    @Override
+    public boolean isMandatory() {
+        return isMandatory;
+    }
+}
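Review bot: `getName()` is annotated `@Nonnull`, but the constructor stores `name` unchecked, so a null name would only surface later at whatever code trusts the annotation. A guard in the constructor keeps the contract honest: `if (name == null) { throw new IllegalArgumentException("name must not be null"); }`. The `type` parameter looks like a `javax.jcr.PropertyType` constant (the one caller in this commit passes `PropertyType.STRING`), which is worth stating in the Javadoc that currently reads `RestrictionDefinitionImpl... TODO`.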

Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
(from r1420093, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java&r1=1420093&r2=1420216&rev=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
Tue Dec 11 15:18:08 2012
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.jackrabbit.oak.security.authorization;
+package org.apache.jackrabbit.oak.security.authorization.restriction;
 
 import java.security.AccessControlException;
 import java.util.Collections;
@@ -27,12 +27,12 @@ import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
 import javax.jcr.Value;
 
-import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
+import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
@@ -46,8 +46,9 @@ public class RestrictionProviderImpl imp
     private Map<String, RestrictionDefinition> supported;
     private NamePathMapper namePathMapper;
 
-    public RestrictionProviderImpl(Map<String, RestrictionDefinition> supported, NamePathMapper
namePathMapper) {
-        this.supported = ImmutableMap.copyOf(supported);
+    public RestrictionProviderImpl(NamePathMapper namePathMapper) {
+        RestrictionDefinition glob = new RestrictionDefinitionImpl(AccessControlConstants.REP_GLOB,
PropertyType.STRING, false);
+        this.supported = Collections.singletonMap(AccessControlConstants.REP_GLOB, glob);
         this.namePathMapper = namePathMapper;
     }
 
@@ -83,6 +84,12 @@ public class RestrictionProviderImpl imp
     }
 
     @Override
+    public void writeRestrictions(String path, Tree aceTree, Set<Restriction> restrictions)
throws javax.jcr.security.AccessControlException {
+        // TODO
+
+    }
+
+    @Override
     public void validateRestrictions(String path, Tree aceTree) throws javax.jcr.security.AccessControlException
{
         Tree restrictions;
         if (aceTree.hasChild(AccessControlConstants.REP_RESTRICTIONS)) {
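Review bot: `writeRestrictions` is an empty stub that returns normally, so a caller persisting an entry gets no signal that its restrictions were not written. An entry meant to be narrowed by `REP_GLOB` could then end up stored without that restriction. The other unimplemented methods in this commit throw, and doing the same here fails closed: `throw new UnsupportedOperationException("not yet implemented");`. `validateRestrictions` begins in this hunk and continues outside it.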
@@ -152,4 +159,4 @@ public class RestrictionProviderImpl imp
             return isMandatory;
         }
     }
-}
\ No newline at end of file
+}

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java
Tue Dec 11 15:18:08 2012
@@ -24,14 +24,13 @@ import org.apache.jackrabbit.oak.api.Pro
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.spi.commit.CommitHook;
 import org.apache.jackrabbit.oak.spi.commit.EmptyHook;
-import org.apache.jackrabbit.oak.spi.commit.Observer;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
 import org.apache.jackrabbit.oak.spi.lifecycle.CompositeInitializer;
 import org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer;
 import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
 
 /**
- * PluginConfiguration... TODO
+ * SecurityConfiguration... TODO
  */
 public interface SecurityConfiguration {
 
@@ -48,9 +47,6 @@ public interface SecurityConfiguration {
     List<ValidatorProvider> getValidatorProviders();
 
     @Nonnull
-    List<Observer> getCommitObservers();
-
-    @Nonnull
     List<ProtectedItemImporter> getProtectedItemImporters();
 
     @Nonnull
@@ -87,12 +83,6 @@ public interface SecurityConfiguration {
 
         @Nonnull
         @Override
-        public List<Observer> getCommitObservers() {
-            return Collections.emptyList();
-        }
-
-        @Nonnull
-        @Override
         public List<ProtectedItemImporter> getProtectedItemImporters() {
             return Collections.emptyList();
         }
@@ -112,5 +102,4 @@ public interface SecurityConfiguration {
             };
         }
     }
-
-}
\ No newline at end of file
+}

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
Tue Dec 11 15:18:08 2012
@@ -17,7 +17,6 @@
 package org.apache.jackrabbit.oak.spi.security.authorization;
 
 import java.security.Principal;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.Set;
 import javax.jcr.RepositoryException;
@@ -26,6 +25,7 @@ import javax.jcr.security.Privilege;
 
 import com.google.common.base.Function;
 import com.google.common.collect.Collections2;
+import com.google.common.collect.ImmutableSet;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
@@ -37,7 +37,7 @@ import org.apache.jackrabbit.oak.spi.sec
 public class ACE implements JackrabbitAccessControlEntry {
 
     private final Principal principal;
-    private final Privilege[] privileges;
+    private final Set<Privilege> privileges;
     private final boolean isAllow;
     private final Set<Restriction> restrictions;
     private final NamePathMapper namePathMapper;
@@ -46,13 +46,26 @@ public class ACE implements JackrabbitAc
 
     public ACE(Principal principal, Privilege[] privileges, boolean isAllow,
                Set<Restriction> restrictions, NamePathMapper namePathMapper) {
+        this(principal, ImmutableSet.copyOf(privileges), isAllow, restrictions, namePathMapper);
+    }
+
+    public ACE(Principal principal, Set<Privilege> privileges, boolean isAllow,
+               Set<Restriction> restrictions, NamePathMapper namePathMapper) {
         this.principal = principal;
-        this.privileges = privileges;
+        this.privileges = ImmutableSet.copyOf(privileges);
         this.isAllow = isAllow;
-        this.restrictions = (restrictions == null) ? Collections.<Restriction>emptySet()
: restrictions;
+        this.restrictions = (restrictions == null) ? Collections.<Restriction>emptySet()
: ImmutableSet.copyOf(restrictions);
         this.namePathMapper = namePathMapper;
     }
 
+    public Set<Privilege> getPrivilegeSet() {
+        return privileges;
+    }
+
+    public Set<Restriction> getRestrictionSet() {
+        return restrictions;
+    }
+
     //-------------------------------------------------< AccessControlEntry >---
     @Override
     public Principal getPrincipal() {
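Review bot: Both constructors pass `privileges` straight to `ImmutableSet.copyOf`, which throws a bare `NullPointerException` for a null array, a null set or a null element, and an empty privilege set is accepted silently. The callers are mostly outside this diff, so it is not visible whether they validate first; a constructor Javadoc stating that `privileges` must be non-null, non-empty and free of null elements would make the contract explicit. The new `getPrivilegeSet()` and `getRestrictionSet()` have no Javadoc; a line such as `/** @return the immutable set of privileges of this entry. */` would tell callers they receive the internal immutable sets. Moving from `Privilege[]` to a set also drops duplicates, which may merit a sentence in the class documentation.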
@@ -61,7 +74,7 @@ public class ACE implements JackrabbitAc
 
     @Override
     public Privilege[] getPrivileges() {
-        return privileges;
+        return privileges.toArray(new Privilege[privileges.size()]);
     }
 
     //---------------------------------------< JackrabbitAccessControlEntry >---
@@ -114,7 +127,7 @@ public class ACE implements JackrabbitAc
         if (obj instanceof ACE) {
             ACE other = (ACE) obj;
             return principal.equals(other.principal) &&
-                   Arrays.equals(privileges, other.privileges) &&
+                   privileges.equals(other.privileges) &&
                    isAllow == other.isAllow &&
                    restrictions.equals(other.restrictions);
         }
@@ -128,7 +141,7 @@ public class ACE implements JackrabbitAc
     public String toString() {
         StringBuilder sb = new StringBuilder();
         sb.append(principal.getName()).append('-').append(isAllow).append('-');
-        sb.append(Arrays.toString(privileges)).append('-').append(restrictions.toString());
+        sb.append(privileges.toString()).append('-').append(restrictions.toString());
         return sb.toString();
     }
 
@@ -141,7 +154,7 @@ public class ACE implements JackrabbitAc
     private int buildHashCode() {
         int h = 17;
         h = 37 * h + principal.getName().hashCode();
-        h = 37 * h + Arrays.hashCode(privileges);
+        h = 37 * h + privileges.hashCode();
         h = 37 * h + Boolean.valueOf(isAllow).hashCode();
         h = 37 * h + restrictions.hashCode();
         return h;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java
Tue Dec 11 15:18:08 2012
@@ -49,22 +49,26 @@ public class ACL implements JackrabbitAc
     private static final Logger log = LoggerFactory.getLogger(ACL.class);
 
     private final String path;
-    private final List<AccessControlEntry> entries;
+    private final List<ACE> entries;
     private final RestrictionProvider restrictionProvider;
     private final NamePathMapper namePathMapper;
 
-    public ACL(String path, List<AccessControlEntry> entries,
-               RestrictionProvider restrictionProvider, NamePathMapper namePathMapper) {
+    public ACL(String path, List<ACE> entries, RestrictionProvider restrictionProvider,
+               NamePathMapper namePathMapper) {
         this.path = path;
-        this.entries = (entries == null) ? new ArrayList<AccessControlEntry>() : entries;
+        this.entries = (entries == null) ? new ArrayList<ACE>() : entries;
         this.restrictionProvider = restrictionProvider;
         this.namePathMapper = namePathMapper;
     }
 
+    public ACE[] getACEs() {
+        return entries.toArray(new ACE[entries.size()]);
+    }
+
     //--------------------------------------------------< AccessControlList >---
     @Override
     public AccessControlEntry[] getAccessControlEntries() throws RepositoryException {
-        return entries.toArray(new AccessControlEntry[entries.size()]);
+        return getACEs();
     }
 
     @Override
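Review bot: The constructor keeps the caller's `entries` list by reference (`: entries`), so any code still holding that list can add, remove or reorder entries without passing through `checkACE` or the duplicate check in this class. An unmodifiable list passed in would also make the mutators here fail. `ACE` copies its collections defensively in this same commit; unless a caller relies on the aliasing, the same is one line here: `this.entries = (entries == null) ? new ArrayList<ACE>() : new ArrayList<ACE>(entries);`. The new public `getACEs()` has no Javadoc, and it is worth stating there that it returns a fresh array on each call.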
@@ -74,9 +78,7 @@ public class ACL implements JackrabbitAc
 
     @Override
     public void removeAccessControlEntry(AccessControlEntry ace) throws AccessControlException,
RepositoryException {
-        if (!(ace instanceof ACE)) {
-            throw new AccessControlException("Invalid AccessControlEntry implementation "
+ ace.getClass().getName() + '.');
-        }
+        checkACE(ace);
         if (!entries.remove(ace)) {
             throw new AccessControlException("Cannot remove AccessControlEntry " + ace);
         }
@@ -140,7 +142,7 @@ public class ACL implements JackrabbitAc
                 rs.add(restrictionProvider.createRestriction(path, name, restrictions.get(name)));
             }
         }
-        AccessControlEntry entry = new ACE(principal, privileges, isAllow, rs, namePathMapper);
+        ACE entry = new ACE(principal, privileges, isAllow, rs, namePathMapper);
         if (entries.contains(entry)) {
             log.debug("Entry is already contained in policy -> no modification.");
             return false;
@@ -151,6 +153,11 @@ public class ACL implements JackrabbitAc
 
     @Override
     public void orderBefore(AccessControlEntry srcEntry, AccessControlEntry destEntry) throws
AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
+        checkACE(srcEntry);
+        if (destEntry != null) {
+            checkACE(destEntry);
+        }
+
         if (srcEntry.equals(destEntry)) {
             log.debug("'srcEntry' equals 'destEntry' -> no reordering required.");
             return;
@@ -160,9 +167,10 @@ public class ACL implements JackrabbitAc
         if (index < 0) {
             throw new AccessControlException("'destEntry' not contained in this AccessControlList.");
         } else {
-            if (entries.remove(srcEntry)) {
+            ACE srcACE = (ACE) srcEntry;
+            if (entries.remove(srcACE)) {
                 // re-insert the srcEntry at the new position.
-                entries.add(index, srcEntry);
+                entries.add(index, srcACE);
             } else {
                 // src entry not contained in this list.
                 throw new AccessControlException("srcEntry not contained in this AccessControlList");
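Review bot: The re-insert at `entries.add(index, srcACE)` relies on an `index` computed above this hunk; if it comes from `entries.indexOf(destEntry)` taken before `entries.remove(srcACE)`, a source entry that sits ahead of the destination lands after it instead of before it, because the removal shifts the destination down by one. Entry order can affect how an access control list is evaluated, so the final position deserves a test for both directions of the move. Looking the position up after the removal avoids the shift: `int pos = (destEntry == null) ? entries.size() : entries.indexOf(destEntry);` followed by `entries.add(pos, srcACE);`. orderBefore starts and ends outside the hunk, so this is inferred from the visible lines only.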
@@ -211,4 +219,11 @@ public class ACL implements JackrabbitAc
         }
         return sb.toString();
     }
+
+    //------------------------------------------------------------< private >---
+    private static void checkACE(AccessControlEntry entry) throws AccessControlException
{
+        if (!(entry instanceof ACE)) {
+            throw new AccessControlException("Invalid access control entry.");
+        }
+    }
 }
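Review bot: `checkACE` drops the implementation class name that the inline check in `removeAccessControlEntry` used to report, so a caller that passes a foreign `AccessControlEntry` now has less to diagnose with. The helper also changes the `null` case: `null instanceof ACE` is false, so `null` is now rejected with `AccessControlException` where the old code would have hit `ace.getClass()`; a one-line Javadoc saying that would help. A null-safe message keeps the detail: `throw new AccessControlException("Invalid access control entry" + (entry == null ? "." : " implementation " + entry.getClass().getName() + '.'));`.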

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
Tue Dec 11 15:18:08 2012
@@ -16,15 +16,13 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authorization;
 
-import java.security.Principal;
-import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.jcr.security.AccessControlManager;
 
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
-import org.apache.jackrabbit.oak.spi.state.NodeStore;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 
 /**
  * {@code AccessControlContextProvider}...
@@ -34,7 +32,9 @@ public interface AccessControlConfigurat
     @Nonnull
     public AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper);
 
-    // TODO define how permissions eval is bound to a particular revision/branch. (passing
Tree?)
     @Nonnull
-    public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set<Principal>
principals);
+    public RestrictionProvider getRestrictionProvider(NamePathMapper namePathMapper);
+
+    @Nonnull
+    public PermissionProvider getPermissionProvider(NamePathMapper namePathMapper);
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java
Tue Dec 11 15:18:08 2012
@@ -20,16 +20,18 @@ import java.security.Principal;
 import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.Privilege;
 import javax.security.auth.Subject;
 
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 import org.apache.jackrabbit.oak.spi.state.NodeStore;
 
 /**
  * This class implements an {@link AccessControlConfiguration} which grants
- * full access to any {@link Subject} passed to {@link AccessControlConfiguration#getCompiledPermissions(NodeStore,
java.util.Set}.
+ * full access to any {@link Subject}.
  */
 public class OpenAccessControlConfiguration extends SecurityConfiguration.Default
         implements AccessControlConfiguration {
@@ -41,7 +43,23 @@ public class OpenAccessControlConfigurat
 
     @Nonnull
     @Override
-    public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set<Principal>
principals) {
-        return AllPermissions.getInstance();
+    public RestrictionProvider getRestrictionProvider(NamePathMapper namePathMapper) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Nonnull
+    @Override
+    public PermissionProvider getPermissionProvider(NamePathMapper namePathMapper) {
+        return new PermissionProvider() {
+            @Override
+            public Permissions getPermissions(Set<Privilege> privileges) {
+                throw new UnsupportedOperationException();
+            }
+
+            @Override
+            public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set<Principal>
principals) {
+                return AllPermissions.getInstance();
+            }
+        };
     }
 }
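Review bot: `getRestrictionProvider` and the anonymous provider's `getPermissions` throw `UnsupportedOperationException` although both are declared `@Nonnull` on their interfaces, so any caller that relies on that contract fails at run time under this configuration. Either add `@throws UnsupportedOperationException` to both methods and mention it in the class Javadoc, or return working defaults. Since `getCompiledPermissions` hands out `AllPermissions.getInstance()` for every principal set, the class Javadoc should also state plainly that no access control evaluation takes place. The anonymous `PermissionProvider` holds no state and could be one `private static final` instance instead of a new object per call.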

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java?rev=1420216&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java
Tue Dec 11 15:18:08 2012
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization;
+
+import java.security.Principal;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.oak.spi.state.NodeStore;
+
+/**
+ * PermissionProvider... TODO
+ */
+public interface PermissionProvider {
+
+    @Nonnull
+    Permissions getPermissions(Set<Privilege> privileges);
+
+    // TODO define how permissions eval is bound to a particular revision/branch. (passing
Tree?)
+    @Nonnull
+    CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set<Principal>
principals);
+}
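Review bot: The interface is added with the placeholder Javadoc `PermissionProvider... TODO` and neither method is documented, which leaves implementors of an authorization SPI guessing at the contract. `getPermissions` should say how the given privileges are translated, and `getCompiledPermissions` should say which state of the `NodeStore` the result reflects (the open TODO on that method) and how an empty principal set is treated. Both methods are `@Nonnull`, yet the implementation in OpenAccessControlConfiguration throws from `getPermissions`, so the Javadoc should say whether that is permitted.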

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
Tue Dec 11 15:18:08 2012
@@ -36,5 +36,7 @@ public interface RestrictionProvider {
 
     Set<Restriction> readRestrictions(String path, Tree aceTree) throws AccessControlException;
 
+    void writeRestrictions(String path, Tree aceTree, Set<Restriction> restrictions)
throws AccessControlException;
+
     void validateRestrictions(String path, Tree aceTree) throws AccessControlException;
 }
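Review bot: `writeRestrictions` is added without Javadoc, and the interface does not say whether it validates the restrictions it writes or expects `validateRestrictions` to run separately. For a method that persists access control content that distinction matters to every implementor and caller. If validation is intended, a comment such as `/** Writes the given restrictions to aceTree; throws AccessControlException if a restriction is not supported at path. */` would fix the contract; it should also say whether existing restrictions on `aceTree` are replaced.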

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
Tue Dec 11 15:18:08 2012
@@ -16,17 +16,22 @@
  */
 package org.apache.jackrabbit.oak.spi.security.user.action;
 
+import java.security.Principal;
 import java.util.ArrayList;
 import java.util.List;
 import javax.jcr.RepositoryException;
 import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.AccessControlPolicy;
+import javax.jcr.security.AccessControlPolicyIterator;
 import javax.jcr.security.Privilege;
 
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.util.Text;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -96,16 +101,24 @@ public class AccessControlAction extends
 
     private String[] groupPrivilegeNames = new String[0];
     private String[] userPrivilegeNames = new String[0];
+    private final SecurityProvider securityProvider;
+
+    AccessControlAction(String[] groupPrivilegeNames, String[] userPrivilegeNames,
+                        SecurityProvider securityProvider) {
+        this.groupPrivilegeNames = groupPrivilegeNames;
+        this.userPrivilegeNames = userPrivilegeNames;
+        this.securityProvider = securityProvider;
+    }
 
     //-------------------------------------------------< AuthorizableAction >---
     @Override
     public void onCreate(Group group, Root root, NamePathMapper namePathMapper) throws RepositoryException
{
-        setAC(group, root);
+        setAC(group, root, namePathMapper);
     }
 
     @Override
     public void onCreate(User user, String password, Root root, NamePathMapper namePathMapper)
throws RepositoryException {
-        setAC(user, root);
+        setAC(user, root, namePathMapper);
     }
 
     //------------------------------------------------------< Configuration >---
@@ -134,44 +147,39 @@ public class AccessControlAction extends
 
     //------------------------------------------------------------< private >---
 
-    private void setAC(Authorizable authorizable, Root root) throws RepositoryException {
-        // TODO: add implementation
-        log.error("Not yet implemented");
-
-//        Node aNode;
-//        String path = authorizable.getPath();
-//
-//        JackrabbitAccessControlList acl = null;
-//        AccessControlManager acMgr = session.getAccessControlManager();
-//        for (AccessControlPolicyIterator it = acMgr.getApplicablePolicies(path); it.hasNext();)
{
-//            AccessControlPolicy plc = it.nextAccessControlPolicy();
-//            if (plc instanceof JackrabbitAccessControlList) {
-//                acl = (JackrabbitAccessControlList) plc;
-//                break;
-//            }
-//        }
-//
-//        if (acl == null) {
-//            log.warn("Cannot process AccessControlAction: no applicable ACL at " + path);
-//        } else {
-//            // setup acl according to configuration.
-//            Principal principal = authorizable.getPrincipal();
-//            boolean modified = false;
-//            if (authorizable.isGroup()) {
-//                // new authorizable is a Group
-//                if (groupPrivilegeNames.length > 0) {
-//                    modified = acl.addAccessControlEntry(principal, getPrivileges(groupPrivilegeNames,
acMgr));
-//                }
-//            } else {
-//                // new authorizable is a User
-//                if (userPrivilegeNames.length > 0) {
-//                    modified = acl.addAccessControlEntry(principal, getPrivileges(userPrivilegeNames,
acMgr));
-//                }
-//            }
-//            if (modified) {
-//                acMgr.setPolicy(path, acl);
-//            }
-//        }
+    private void setAC(Authorizable authorizable, Root root, NamePathMapper namePathMapper)
throws RepositoryException {
+        String path = authorizable.getPath();
+        AccessControlManager acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root,
namePathMapper);
+        JackrabbitAccessControlList acl = null;
+        for (AccessControlPolicyIterator it = acMgr.getApplicablePolicies(path); it.hasNext();)
{
+            AccessControlPolicy plc = it.nextAccessControlPolicy();
+            if (plc instanceof JackrabbitAccessControlList) {
+                acl = (JackrabbitAccessControlList) plc;
+                break;
+            }
+        }
+
+        if (acl == null) {
+            log.warn("Cannot process AccessControlAction: no applicable ACL at " + path);
+        } else {
+            // setup acl according to configuration.
+            Principal principal = authorizable.getPrincipal();
+            boolean modified = false;
+            if (authorizable.isGroup()) {
+                // new authorizable is a Group
+                if (groupPrivilegeNames.length > 0) {
+                    modified = acl.addAccessControlEntry(principal, getPrivileges(groupPrivilegeNames,
acMgr));
+                }
+            } else {
+                // new authorizable is a User
+                if (userPrivilegeNames.length > 0) {
+                    modified = acl.addAccessControlEntry(principal, getPrivileges(userPrivilegeNames,
acMgr));
+                }
+            }
+            if (modified) {
+                acMgr.setPolicy(path, acl);
+            }
+        }
     }
 
     /**
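Review bot: When no `JackrabbitAccessControlList` is found, the `acl == null` branch of `setAC` only logs a warning and returns, so the user or group is created without the configured entries and the caller of `onCreate` cannot tell. The loop consults only `acMgr.getApplicablePolicies(path)`; a list that is already bound at the path may not be offered there, so falling back to `acMgr.getPolicies(path)` before giving up would cover that case. Whether a missing list should fail creation with an `AccessControlException` is worth deciding and stating in a comment on the method. The warning is better parameterized: `log.warn("Cannot process AccessControlAction: no applicable ACL at {}", path);`.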


