Return-Path: X-Original-To: apmail-jackrabbit-oak-commits-archive@minotaur.apache.org Delivered-To: apmail-jackrabbit-oak-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4CA68D74D for ; Tue, 11 Dec 2012 15:19:12 +0000 (UTC) Received: (qmail 4346 invoked by uid 500); 11 Dec 2012 15:19:12 -0000 Delivered-To: apmail-jackrabbit-oak-commits-archive@jackrabbit.apache.org Received: (qmail 4290 invoked by uid 500); 11 Dec 2012 15:19:11 -0000 Mailing-List: contact oak-commits-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: oak-dev@jackrabbit.apache.org Delivered-To: mailing list oak-commits@jackrabbit.apache.org Received: (qmail 4278 invoked by uid 99); 11 Dec 2012 15:19:11 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 11 Dec 2012 15:19:11 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 11 Dec 2012 15:19:04 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 36DB123888CD; Tue, 11 Dec 2012 15:18:42 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1420216 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: core/ security/authorization/ security/authorization/restriction/ spi/security/ spi/security/authorization/ spi/security/authorization/restriction/ spi/se... Date: Tue, 11 Dec 2012 15:18:32 -0000 To: oak-commits@jackrabbit.apache.org 
From: angela@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20121211151842.36DB123888CD@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: angela Date: Tue Dec 11 15:18:08 2012 New Revision: 1420216 URL: http://svn.apache.org/viewvc?rev=1420216&view=rev Log: OAK-51 : Implement JCR Access Control Management (WIP) Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java - copied, changed from r1420093, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlObserver.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java - copied, changed from r1420093, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java Removed: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlObserver.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java?rev=1420216&r1=1420215&r2=1420216&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java Tue Dec 11 15:18:08 2012 @@ -33,6 +33,7 @@ import org.apache.jackrabbit.oak.api.Com import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.SessionQueryEngine; import org.apache.jackrabbit.oak.api.TreeLocation; +import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.plugins.commit.DefaultConflictHandler; import org.apache.jackrabbit.oak.query.SessionQueryEngineImpl; import org.apache.jackrabbit.oak.spi.commit.ConflictHandler; 
@@ -340,7 +341,7 @@ public class RootImpl implements Root { } CompiledPermissions getPermissions() { - return accConfiguration.getCompiledPermissions(store, subject.getPrincipals()); + return accConfiguration.getPermissionProvider(NamePathMapper.DEFAULT).getCompiledPermissions(store, subject.getPrincipals()); } //------------------------------------------------------------< private >--- Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java?rev=1420216&r1=1420215&r2=1420216&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java Tue Dec 11 15:18:08 2012 
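Review bot: `getPermissions()` now hard-codes `NamePathMapper.DEFAULT` and, since `AccessControlConfigurationImpl.getPermissionProvider` in this same commit returns `new PermissionProviderImpl()`, it constructs a fresh provider on every call; the `getRootValidator` hunk in PermissionValidatorProvider has the same shape. If RootImpl already holds a name/path mapper it should be passed instead of `DEFAULT`, and the provider could be obtained once (for example in the constructor) rather than per call — hedged, because the constructor and fields are outside the hunk. The enclosing class continues outside the hunk.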
@@ -16,26 +16,22 @@ */ package org.apache.jackrabbit.oak.security.authorization; -import java.security.Principal; import java.util.ArrayList; import java.util.Collections; import java.util.List; -import java.util.Set; import javax.annotation.Nonnull; import javax.jcr.security.AccessControlManager; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.namepath.NamePathMapper; +import org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl; import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; import org.apache.jackrabbit.oak.spi.security.Context; import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration; -import org.apache.jackrabbit.oak.spi.security.authorization.AllPermissions; -import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions; -import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal; -import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal; -import org.apache.jackrabbit.oak.spi.state.NodeStore; +import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; /** * {@code AccessControlConfigurationImpl} ... TODO 
@@ -63,14 +59,22 @@ public class AccessControlConfigurationI @Nonnull @Override - public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set principals) { - if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) { - return AllPermissions.getInstance(); - } else { - return new CompiledPermissionImpl(nodeStore, principals); - } + public RestrictionProvider getRestrictionProvider(NamePathMapper namePathMapper) { + return new RestrictionProviderImpl(namePathMapper); } + @Nonnull + @Override + public PermissionProvider getPermissionProvider(NamePathMapper namePathMapper) { + return new PermissionProviderImpl(); + } + +// @Nonnull +// @Override +// public List getCommitHooks() { +// return Collections.singletonList(new AccessControlHook()); +// } + @Override public List getValidatorProviders() { List vps = new ArrayList(); 
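Review bot: `getPermissionProvider(NamePathMapper namePathMapper)` ignores its `namePathMapper` argument and returns `new PermissionProviderImpl()`, while the sibling `getRestrictionProvider` forwards the mapper; either pass it through or document why the permission provider is mapper-independent. The commented-out `getCommitHooks()` override should be deleted or reduced to a `// TODO: register AccessControlHook once implemented` rather than kept as dead code. Suggested Javadoc for the permission method: `/** Returns the provider used to compile permissions for a principal set; the mapper argument is currently unused. */`. The class continues outside the hunk.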
@@ -78,14 +82,4 @@ public class AccessControlConfigurationI vps.add(new AccessControlValidatorProvider(securityProvider)); return Collections.unmodifiableList(vps); } - - //-------------------------------------------------------------------------- - private static boolean isAdmin(Set principals) { - for (Principal principal : principals) { - if (principal instanceof AdminPrincipal) { - return true; - } - } - return false; - } } Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java (from r1420093, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlObserver.java) URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlObserver.java&r1=1420093&r2=1420216&rev=1420216&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlObserver.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java Tue Dec 11 15:18:08 2012 
@@ -16,18 +16,22 @@ */ package org.apache.jackrabbit.oak.security.authorization; -import org.apache.jackrabbit.oak.spi.commit.Observer; +import javax.annotation.Nonnull; + +import org.apache.jackrabbit.oak.api.CommitFailedException; +import org.apache.jackrabbit.oak.spi.commit.CommitHook; import org.apache.jackrabbit.oak.spi.state.NodeState; /** - * {@code Observer} implementation that processes any modification made to + * {@code CommitHook} implementation that processes any modification made to * access control content and updates persisted permission caches associated * with access control related data stored in the repository. */ -public class AccessControlObserver implements Observer { +public class AccessControlHook implements CommitHook { + @Nonnull @Override - public void contentChanged(NodeState before, NodeState after) { + public NodeState processCommit(NodeState before, NodeState after) throws CommitFailedException { // TODO throw new UnsupportedOperationException("not yet implemented"); } Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java?rev=1420216&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java (added) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java Tue Dec 11 15:18:08 2012 
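Review bot: `processCommit` throws `UnsupportedOperationException`, an unchecked exception, although the signature declares `CommitFailedException`; if the hook is ever registered (the `getCommitHooks` override in AccessControlConfigurationImpl is still commented out in this commit) every commit would abort with a RuntimeException instead of the declared checked type. Until the hook is implemented consider raising the declared type, e.g. `throw new CommitFailedException("AccessControlHook not yet implemented");`, or state in the class Javadoc that the hook must not be registered yet. The available CommitFailedException constructors are not visible here, so confirm the signature.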
@@ -0,0 +1,69 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authorization; + +import java.security.Principal; +import java.util.Set; +import javax.annotation.Nonnull; +import javax.jcr.security.Privilege; + +import org.apache.jackrabbit.oak.spi.security.authorization.AllPermissions; +import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions; +import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.Permissions; +import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal; +import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal; +import org.apache.jackrabbit.oak.spi.state.NodeStore; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * PermissionProviderImpl... 
TODO + */ +public class PermissionProviderImpl implements PermissionProvider { + + /** + * logger instance + */ + private static final Logger log = LoggerFactory.getLogger(PermissionProviderImpl.class); + + @Override + public Permissions getPermissions(Set privileges) { + // TODO + throw new UnsupportedOperationException("not yet implemented."); + } + + @Nonnull + @Override + public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set principals) { + if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) { + return AllPermissions.getInstance(); + } else { + return new CompiledPermissionImpl(nodeStore, principals); + } + } + + //-------------------------------------------------------------------------- + private static boolean isAdmin(Set principals) { + for (Principal principal : principals) { + if (principal instanceof AdminPrincipal) { + return true; + } + } + return false; + } +} Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java?rev=1420216&r1=1420215&r2=1420216&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java Tue Dec 11 15:18:08 2012 
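Review bot: `getCompiledPermissions` is the access-control bypass point — any principal set containing `SystemPrincipal.INSTANCE` or an `AdminPrincipal` instance receives `AllPermissions` — but neither the class Javadoc (`PermissionProviderImpl... TODO`) nor the method documents that rule. Suggested method Javadoc: `/** Returns AllPermissions if the principal set contains SystemPrincipal.INSTANCE or any AdminPrincipal; otherwise compiles permissions from the given store, which is passed through unchecked. */`. `getPermissions(Set privileges)` should carry a comment stating that it throws until implemented, and the `log` field is unused in the file as added.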
@@ -24,6 +24,7 @@ import javax.annotation.Nonnull; import javax.security.auth.Subject; import org.apache.jackrabbit.oak.core.ReadOnlyTree; +import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.spi.commit.Validator; import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; import org.apache.jackrabbit.oak.spi.security.Context; @@ -52,7 +53,7 @@ class PermissionValidatorProvider implem public Validator getRootValidator(NodeState before, NodeState after) { Subject subject = Subject.getSubject(AccessController.getContext()); Set principals = (subject != null) ? subject.getPrincipals() : Collections.emptySet(); - CompiledPermissions permissions = acConfiguration.getCompiledPermissions(/*TODO*/null, principals); + CompiledPermissions permissions = acConfiguration.getPermissionProvider(NamePathMapper.DEFAULT).getCompiledPermissions(/*TODO*/null, principals); NodeUtil rootBefore = new NodeUtil(new ReadOnlyTree(before)); NodeUtil rootAfter = new NodeUtil(new ReadOnlyTree(after)); Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java?rev=1420216&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java (added) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java Tue Dec 11 15:18:08 2012 
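Review bot: `getRootValidator` still passes `/*TODO*/null` as the `NodeStore`, and with this commit that null reaches `new CompiledPermissionImpl(nodeStore, principals)` for every subject that is neither system nor admin (see PermissionProviderImpl in the same commit); whether that fails or silently evaluates against no content depends on CompiledPermissionImpl, which is not visible here — confirm. When no `Subject` is bound the principal set is empty, so validation proceeds with an anonymous-like principal set instead of being rejected; if that is intended it deserves a comment such as `// no subject bound: evaluate with empty principals (TODO: decide whether to reject instead)`. The method continues outside the hunk.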
@@ -0,0 +1,53 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authorization.restriction; + +import javax.annotation.Nonnull; + +import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition; + +/** + * RestrictionDefinitionImpl... 
TODO + */ +public class RestrictionDefinitionImpl implements RestrictionDefinition { + + private final String name; + private final int type; + private final boolean isMandatory; + + public RestrictionDefinitionImpl(String name, int type, boolean isMandatory) { + this.name = name; + this.type = type; + this.isMandatory = isMandatory; + } + + @Nonnull + @Override + public String getName() { + return name; + } + + @Override + public int getRequiredType() { + return type; + } + + @Override + public boolean isMandatory() { + return isMandatory; + } +} Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java (from r1420093, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java) URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java&r1=1420093&r2=1420216&rev=1420216&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RestrictionProviderImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java Tue Dec 11 15:18:08 2012 
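Review bot: The `RestrictionDefinitionImpl` constructor stores `name` without a null check although `getName()` is annotated `@Nonnull`, so a null name surfaces later at some call site rather than at construction; add `if (name == null) { throw new IllegalArgumentException("name must not be null"); }` (or the project's preferred precondition helper) before the assignment. The class is immutable and could be declared `final`. Its Javadoc is still `RestrictionDefinitionImpl... TODO`; something like `/** Immutable {@link RestrictionDefinition}: the restriction name, its required JCR property type and whether it is mandatory. */` would do.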
@@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.jackrabbit.oak.security.authorization; +package org.apache.jackrabbit.oak.security.authorization.restriction; import java.security.AccessControlException; import java.util.Collections; @@ -27,12 +27,12 @@ import javax.jcr.PropertyType; import javax.jcr.RepositoryException; import javax.jcr.Value; -import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.plugins.memory.PropertyStates; +import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants; import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction; import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition; import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; @@ -46,8 +46,9 @@ public class RestrictionProviderImpl imp private Map supported; private NamePathMapper namePathMapper; - public RestrictionProviderImpl(Map supported, NamePathMapper namePathMapper) { - this.supported = ImmutableMap.copyOf(supported); + public RestrictionProviderImpl(NamePathMapper namePathMapper) { + RestrictionDefinition glob = new RestrictionDefinitionImpl(AccessControlConstants.REP_GLOB, PropertyType.STRING, false); + this.supported = Collections.singletonMap(AccessControlConstants.REP_GLOB, glob); this.namePathMapper = namePathMapper; } 
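Review bot: Both `supported` and `namePathMapper` are assigned only in the new constructor (the field declarations `private Map supported;` and `private NamePathMapper namePathMapper;` are visible as context), so they can be `private final`, which also makes the now fixed restriction set explicit. Consider hoisting the glob definition into a `private static final RestrictionDefinition GLOB_DEFINITION` so the constructor only wraps it with `Collections.singletonMap`. The class continues outside the hunk.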
@@ -83,6 +84,12 @@ public class RestrictionProviderImpl imp } @Override + public void writeRestrictions(String path, Tree aceTree, Set restrictions) throws javax.jcr.security.AccessControlException { + // TODO + + } + + @Override public void validateRestrictions(String path, Tree aceTree) throws javax.jcr.security.AccessControlException { Tree restrictions; if (aceTree.hasChild(AccessControlConstants.REP_RESTRICTIONS)) { @@ -152,4 +159,4 @@ public class RestrictionProviderImpl imp return isMandatory; } } -} \ No newline at end of file +} Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java?rev=1420216&r1=1420215&r2=1420216&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java Tue Dec 11 15:18:08 2012 @@ -24,14 +24,13 @@ import org.apache.jackrabbit.oak.api.Pro import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.spi.commit.CommitHook; import org.apache.jackrabbit.oak.spi.commit.EmptyHook; -import org.apache.jackrabbit.oak.spi.commit.Observer; import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; import org.apache.jackrabbit.oak.spi.lifecycle.CompositeInitializer; import org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer; import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter; /** - * PluginConfiguration... TODO + * SecurityConfiguration... TODO */ public interface SecurityConfiguration { 
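Review bot: `writeRestrictions(String path, Tree aceTree, Set restrictions)` has an empty body, so any restrictions a caller supplies are silently discarded; an entry meant to be confined by `REP_GLOB` would be persisted without its restriction, i.e. with a broader scope than requested. Until the method is implemented it should fail loudly like the other stubs in this commit, e.g. `throw new UnsupportedOperationException("not yet implemented");`, or at minimum reject a non-empty `restrictions` set. The enclosing class continues outside the hunk.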
@@ -48,9 +47,6 @@ public interface SecurityConfiguration { List getValidatorProviders(); @Nonnull - List getCommitObservers(); - - @Nonnull List getProtectedItemImporters(); @Nonnull @@ -87,12 +83,6 @@ public interface SecurityConfiguration { @Nonnull @Override - public List getCommitObservers() { - return Collections.emptyList(); - } - - @Nonnull - @Override public List getProtectedItemImporters() { return Collections.emptyList(); } @@ -112,5 +102,4 @@ public interface SecurityConfiguration { }; } } - -} \ No newline at end of file +} Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java?rev=1420216&r1=1420215&r2=1420216&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java Tue Dec 11 15:18:08 2012 @@ -17,7 +17,6 @@ package org.apache.jackrabbit.oak.spi.security.authorization; import java.security.Principal; -import java.util.Arrays; import java.util.Collections; import java.util.Set; import javax.jcr.RepositoryException; @@ -26,6 +25,7 @@ import javax.jcr.security.Privilege; import com.google.common.base.Function; import com.google.common.collect.Collections2; +import com.google.common.collect.ImmutableSet; import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl; 
@@ -37,7 +37,7 @@ import org.apache.jackrabbit.oak.spi.sec public class ACE implements JackrabbitAccessControlEntry { private final Principal principal; - private final Privilege[] privileges; + private final Set privileges; private final boolean isAllow; private final Set restrictions; private final NamePathMapper namePathMapper; @@ -46,13 +46,26 @@ public class ACE implements JackrabbitAc public ACE(Principal principal, Privilege[] privileges, boolean isAllow, Set restrictions, NamePathMapper namePathMapper) { + this(principal, ImmutableSet.copyOf(privileges), isAllow, restrictions, namePathMapper); + } + + public ACE(Principal principal, Set privileges, boolean isAllow, + Set restrictions, NamePathMapper namePathMapper) { this.principal = principal; - this.privileges = privileges; + this.privileges = ImmutableSet.copyOf(privileges); this.isAllow = isAllow; - this.restrictions = (restrictions == null) ? Collections.emptySet() : restrictions; + this.restrictions = (restrictions == null) ? Collections.emptySet() : ImmutableSet.copyOf(restrictions); this.namePathMapper = namePathMapper; } + public Set getPrivilegeSet() { + return privileges; + } + + public Set getRestrictionSet() { + return restrictions; + } + //-------------------------------------------------< AccessControlEntry >--- @Override public Principal getPrincipal() { @@ -61,7 +74,7 @@ public class ACE implements JackrabbitAc @Override public Privilege[] getPrivileges() { - return privileges; + return privileges.toArray(new Privilege[privileges.size()]); } //---------------------------------------< JackrabbitAccessControlEntry >--- @@ -114,7 +127,7 @@ public class ACE implements JackrabbitAc if (obj instanceof ACE) { ACE other = (ACE) obj; return principal.equals(other.principal) && - Arrays.equals(privileges, other.privileges) && + privileges.equals(other.privileges) && isAllow == other.isAllow && restrictions.equals(other.restrictions); } 
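Review bot: The new public accessors `getPrivilegeSet()` and `getRestrictionSet()` have no Javadoc, and nothing states that the returned sets are immutable snapshots (both fields are built with `ImmutableSet.copyOf`), which callers need to know before attempting to mutate them. Suggested: `/** Returns the privileges of this entry as an immutable set; duplicates from the array constructor are collapsed. */` and the analogous line for restrictions. Note also that `ImmutableSet.copyOf` rejects a null array and null elements, whereas the previous constructor stored the `Privilege[]` as given, so a caller passing null would now fail in the constructor — confirm no caller does.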
@@ -128,7 +141,7 @@ public class ACE implements JackrabbitAc public String toString() { StringBuilder sb = new StringBuilder(); sb.append(principal.getName()).append('-').append(isAllow).append('-'); - sb.append(Arrays.toString(privileges)).append('-').append(restrictions.toString()); + sb.append(privileges.toString()).append('-').append(restrictions.toString()); return sb.toString(); } @@ -141,7 +154,7 @@ public class ACE implements JackrabbitAc private int buildHashCode() { int h = 17; h = 37 * h + principal.getName().hashCode(); - h = 37 * h + Arrays.hashCode(privileges); + h = 37 * h + privileges.hashCode(); h = 37 * h + Boolean.valueOf(isAllow).hashCode(); h = 37 * h + restrictions.hashCode(); return h; Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java?rev=1420216&r1=1420215&r2=1420216&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java Tue Dec 11 15:18:08 2012 
@@ -49,22 +49,26 @@ public class ACL implements JackrabbitAc private static final Logger log = LoggerFactory.getLogger(ACL.class); private final String path; - private final List entries; + private final List entries; private final RestrictionProvider restrictionProvider; private final NamePathMapper namePathMapper; - public ACL(String path, List entries, - RestrictionProvider restrictionProvider, NamePathMapper namePathMapper) { + public ACL(String path, List entries, RestrictionProvider restrictionProvider, + NamePathMapper namePathMapper) { this.path = path; - this.entries = (entries == null) ? new ArrayList() : entries; + this.entries = (entries == null) ? new ArrayList() : entries; this.restrictionProvider = restrictionProvider; this.namePathMapper = namePathMapper; } + public ACE[] getACEs() { + return entries.toArray(new ACE[entries.size()]); + } + //--------------------------------------------------< AccessControlList >--- @Override public AccessControlEntry[] getAccessControlEntries() throws RepositoryException { - return entries.toArray(new AccessControlEntry[entries.size()]); + return getACEs(); } @Override @@ -74,9 +78,7 @@ public class ACL implements JackrabbitAc @Override public void removeAccessControlEntry(AccessControlEntry ace) throws AccessControlException, RepositoryException { - if (!(ace instanceof ACE)) { - throw new AccessControlException("Invalid AccessControlEntry implementation " + ace.getClass().getName() + '.'); - } + checkACE(ace); if (!entries.remove(ace)) { throw new AccessControlException("Cannot remove AccessControlEntry " + ace); } 
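Review bot: The constructor line `this.entries = (entries == null) ? new ArrayList() : entries;` still aliases the caller's list, so entries can be added or removed outside the policy's API and bypass the `checkACE` validation this commit introduces in `removeAccessControlEntry` and `orderBefore`. A defensive copy, `this.entries = (entries == null) ? new ArrayList() : new ArrayList(entries);`, keeps the policy the only writer of its own entry list; `getACEs()` already returns a fresh array, so the read side is fine. The class continues outside the hunk.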
@@ -140,7 +142,7 @@ public class ACL implements JackrabbitAc rs.add(restrictionProvider.createRestriction(path, name, restrictions.get(name))); } } - AccessControlEntry entry = new ACE(principal, privileges, isAllow, rs, namePathMapper); + ACE entry = new ACE(principal, privileges, isAllow, rs, namePathMapper); if (entries.contains(entry)) { log.debug("Entry is already contained in policy -> no modification."); return false; @@ -151,6 +153,11 @@ public class ACL implements JackrabbitAc @Override public void orderBefore(AccessControlEntry srcEntry, AccessControlEntry destEntry) throws AccessControlException, UnsupportedRepositoryOperationException, RepositoryException { + checkACE(srcEntry); + if (destEntry != null) { + checkACE(destEntry); + } + if (srcEntry.equals(destEntry)) { log.debug("'srcEntry' equals 'destEntry' -> no reordering required."); return; @@ -160,9 +167,10 @@ public class ACL implements JackrabbitAc if (index < 0) { throw new AccessControlException("'destEntry' not contained in this AccessControlList."); } else { - if (entries.remove(srcEntry)) { + ACE srcACE = (ACE) srcEntry; + if (entries.remove(srcACE)) { // re-insert the srcEntry at the new position. - entries.add(index, srcEntry); + entries.add(index, srcACE); } else { // src entry not contained in this list. throw new AccessControlException("srcEntry not contained in this AccessControlList"); 
@@ -211,4 +219,11 @@ public class ACL implements JackrabbitAc } return sb.toString(); } + + //------------------------------------------------------------< private >--- + private static void checkACE(AccessControlEntry entry) throws AccessControlException { + if (!(entry instanceof ACE)) { + throw new AccessControlException("Invalid access control entry."); + } + } } Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java?rev=1420216&r1=1420215&r2=1420216&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java Tue Dec 11 15:18:08 2012 @@ -16,15 +16,13 @@ */ package org.apache.jackrabbit.oak.spi.security.authorization; -import java.security.Principal; -import java.util.Set; import javax.annotation.Nonnull; import javax.jcr.security.AccessControlManager; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration; -import org.apache.jackrabbit.oak.spi.state.NodeStore; +import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; /** * {@code AccessControlContextProvider}... 
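Review bot: `checkACE` reports `"Invalid access control entry."` without naming the offending class, whereas the inline check it replaces in `removeAccessControlEntry` (earlier hunk of this file) included `ace.getClass().getName()`; keeping that detail helps diagnose foreign `AccessControlEntry` implementations. Suggested: `throw new AccessControlException("Invalid access control entry " + (entry == null ? "null" : entry.getClass().getName()) + '.');`. A null `entry` fails the `instanceof` test and raises the same exception, which is reasonable but worth a `@throws AccessControlException if entry is null or not an ACE` line in Javadoc.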
@@ -34,7 +32,9 @@ public interface AccessControlConfigurat
 @Nonnull
 public AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper);
 
- // TODO define how permissions eval is bound to a particular revision/branch. (passing Tree?)
 @Nonnull
- public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set principals);
+ public RestrictionProvider getRestrictionProvider(NamePathMapper namePathMapper);
+
+ @Nonnull
+ public PermissionProvider getPermissionProvider(NamePathMapper namePathMapper);
 }
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java Tue Dec 11 15:18:08 2012
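Review bot: getRestrictionProvider and getPermissionProvider are added to a public SPI interface without Javadoc, and the only explanatory text that existed here, the TODO on revision/branch binding, leaves with the removed getCompiledPermissions. For an interface every security configuration must implement, each method should at least say what the NamePathMapper is used for and whether the returned provider may be shared or is created per call, e.g. `Returns the provider used to read, write and validate restrictions on access control entries; the mapper converts between JCR and Oak names and paths.` and the analogous sentence for the permission provider. Whether implementations return a shared instance is not visible here, so document whichever holds for the implementations in this commit.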
@@ -20,16 +20,18 @@
 import java.security.Principal;
 import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.Privilege;
 import javax.security.auth.Subject;
 
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 import org.apache.jackrabbit.oak.spi.state.NodeStore;
 
 /**
 * This class implements an {@link AccessControlConfiguration} which grants
- * full access to any {@link Subject} passed to {@link AccessControlConfiguration#getCompiledPermissions(NodeStore, java.util.Set}.
+ * full access to any {@link Subject}.
 */
 public class OpenAccessControlConfiguration extends SecurityConfiguration.Default implements AccessControlConfiguration {
@@ -41,7 +43,23 @@ public class OpenAccessControlConfigurat
 
 @Nonnull
 @Override
- public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set principals) {
- return AllPermissions.getInstance();
+ public RestrictionProvider getRestrictionProvider(NamePathMapper namePathMapper) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Nonnull
+ @Override
+ public PermissionProvider getPermissionProvider(NamePathMapper namePathMapper) {
+ return new PermissionProvider() {
+ @Override
+ public Permissions getPermissions(Set privileges) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set principals) {
+ return AllPermissions.getInstance();
+ }
+ };
 }
 }
Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java?rev=1420216&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java Tue Dec 11 15:18:08 2012
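Review bot: getRestrictionProvider and the anonymous getPermissions both throw a bare `UnsupportedOperationException` with no message, so a caller that reaches one of them cannot tell from the exception which configuration is wired in or that the operation is unsupported by design rather than missing. Give each a message naming the method, e.g. `throw new UnsupportedOperationException("getRestrictionProvider is not supported by OpenAccessControlConfiguration");`. The class Javadoc should also spell out that getCompiledPermissions answers AllPermissions for every principal set, i.e. this configuration disables authorization entirely; it is presumably meant for tests or deliberately open deployments, which is worth stating explicitly so nobody wires it into a protected repository by accident. The AllPermissions behaviour itself is unchanged from the removed method, so this is a documentation gap rather than a logic change.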
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization;
+
+import java.security.Principal;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.oak.spi.state.NodeStore;
+
+/**
+ * PermissionProvider... TODO
+ */
+public interface PermissionProvider {
+
+ @Nonnull
+ Permissions getPermissions(Set privileges);
+
+ // TODO define how permissions eval is bound to a particular revision/branch. (passing Tree?)
+ @Nonnull
+ CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set principals);
+}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java Tue Dec 11 15:18:08 2012
@@ -36,5 +36,7 @@ public interface RestrictionProvider {
 Set readRestrictions(String path, Tree aceTree) throws AccessControlException;
 
+ void writeRestrictions(String path, Tree aceTree, Set restrictions) throws AccessControlException;
+
 void validateRestrictions(String path, Tree aceTree) throws AccessControlException;
 
 }
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java?rev=1420216&r1=1420215&r2=1420216&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java Tue Dec 11 15:18:08 2012
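Review bot: The new SPI interface PermissionProvider ships with the Javadoc stub `PermissionProvider... TODO` and no documentation on either method, although the TODO it carries about revision/branch binding shows the contract is still open. At minimum getPermissions should state what it maps from and to (judging by the signature, a set of JCR privileges to the internal Permissions representation) and whether an unknown or unsupported privilege is an error, and getCompiledPermissions should say that the returned object evaluates access for exactly the given principal set against the given store. Keep the existing TODO about revision binding, but move it into the method Javadoc so implementors see it in generated docs rather than only in the source.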
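Review bot: writeRestrictions is added without Javadoc, so an implementor cannot tell whether it replaces the restrictions already stored on aceTree or merges into them, nor whether it is expected to validate the set itself or relies on the caller invoking validateRestrictions afterwards. Both questions matter for an authorization SPI, since an unvalidated restriction written to an ACE changes what the policy grants. Propose a Javadoc along the lines of `Writes the given restrictions to the ACE tree, replacing any existing ones; implementations must reject restrictions that are not supported at {@code path} with an AccessControlException.`, adjusted to what the implementation in this commit actually does (it is not visible in this part of the diff).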
@@ -16,17 +16,22 @@
 */
 package org.apache.jackrabbit.oak.spi.security.user.action;
 
+import java.security.Principal;
 import java.util.ArrayList;
 import java.util.List;
 import javax.jcr.RepositoryException;
 import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.AccessControlPolicy;
+import javax.jcr.security.AccessControlPolicyIterator;
 import javax.jcr.security.Privilege;
 
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.util.Text;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -96,16 +101,24 @@ public class AccessControlAction extends
 private String[] groupPrivilegeNames = new String[0];
 private String[] userPrivilegeNames = new String[0];
 
+ private final SecurityProvider securityProvider;
+
+ AccessControlAction(String[] groupPrivilegeNames, String[] userPrivilegeNames,
+ SecurityProvider securityProvider) {
+ this.groupPrivilegeNames = groupPrivilegeNames;
+ this.userPrivilegeNames = userPrivilegeNames;
+ this.securityProvider = securityProvider;
+ }
 //-------------------------------------------------< AuthorizableAction >---
 
 @Override
 public void onCreate(Group group, Root root, NamePathMapper namePathMapper) throws RepositoryException {
- setAC(group, root);
+ setAC(group, root, namePathMapper);
 }
 
 @Override
 public void onCreate(User user, String password, Root root, NamePathMapper namePathMapper) throws RepositoryException {
- setAC(user, root);
+ setAC(user, root, namePathMapper);
 }
 
 //------------------------------------------------------< Configuration >---
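Review bot: The new constructor stores the caller's arrays by reference (`this.groupPrivilegeNames = groupPrivilegeNames;` and the user counterpart), so whoever built those arrays can alter the privileges this action grants to every newly created authorizable after construction, and neither field is final. Copy on the way in, `this.groupPrivilegeNames = groupPrivilegeNames.clone();` and `this.userPrivilegeNames = userPrivilegeNames.clone();`, and reject a null securityProvider in the constructor with an IllegalArgumentException, since setAC dereferences it unconditionally. The Configuration setters for these fields are below the hunk; whether they already copy is not visible here, but the constructor should behave the same way they do.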
@@ -134,44 +147,39 @@ public class AccessControlAction extends
 //------------------------------------------------------------< private >---
 
- private void setAC(Authorizable authorizable, Root root) throws RepositoryException {
- // TODO: add implementation
- log.error("Not yet implemented");
-
-// Node aNode;
-// String path = authorizable.getPath();
-//
-// JackrabbitAccessControlList acl = null;
-// AccessControlManager acMgr = session.getAccessControlManager();
-// for (AccessControlPolicyIterator it = acMgr.getApplicablePolicies(path); it.hasNext();) {
-// AccessControlPolicy plc = it.nextAccessControlPolicy();
-// if (plc instanceof JackrabbitAccessControlList) {
-// acl = (JackrabbitAccessControlList) plc;
-// break;
-// }
-// }
-//
-// if (acl == null) {
-// log.warn("Cannot process AccessControlAction: no applicable ACL at " + path);
-// } else {
-// // setup acl according to configuration.
-// Principal principal = authorizable.getPrincipal();
-// boolean modified = false;
-// if (authorizable.isGroup()) {
-// // new authorizable is a Group
-// if (groupPrivilegeNames.length > 0) {
-// modified = acl.addAccessControlEntry(principal, getPrivileges(groupPrivilegeNames, acMgr));
-// }
-// } else {
-// // new authorizable is a User
-// if (userPrivilegeNames.length > 0) {
-// modified = acl.addAccessControlEntry(principal, getPrivileges(userPrivilegeNames, acMgr));
-// }
-// }
-// if (modified) {
-// acMgr.setPolicy(path, acl);
-// }
-// }
+ private void setAC(Authorizable authorizable, Root root, NamePathMapper namePathMapper) throws RepositoryException {
+ String path = authorizable.getPath();
+ AccessControlManager acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, namePathMapper);
+ JackrabbitAccessControlList acl = null;
+ for (AccessControlPolicyIterator it = acMgr.getApplicablePolicies(path); it.hasNext();) {
+ AccessControlPolicy plc = it.nextAccessControlPolicy();
+ if (plc instanceof JackrabbitAccessControlList) {
+ acl = (JackrabbitAccessControlList) plc;
+ break;
+ }
+ }
+
+ if (acl == null) {
+ log.warn("Cannot process AccessControlAction: no applicable ACL at " + path);
+ } else {
+ // setup acl according to configuration.
+ Principal principal = authorizable.getPrincipal();
+ boolean modified = false;
+ if (authorizable.isGroup()) {
+ // new authorizable is a Group
+ if (groupPrivilegeNames.length > 0) {
+ modified = acl.addAccessControlEntry(principal, getPrivileges(groupPrivilegeNames, acMgr));
+ }
+ } else {
+ // new authorizable is a User
+ if (userPrivilegeNames.length > 0) {
+ modified = acl.addAccessControlEntry(principal, getPrivileges(userPrivilegeNames, acMgr));
+ }
+ }
+ if (modified) {
+ acMgr.setPolicy(path, acl);
+ }
+ }
 }
 
 /**
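Review bot: When no applicable JackrabbitAccessControlList is found, setAC only logs a warning and returns, so the authorizable is created without the configured privileges and nothing tells the caller; for an action whose purpose is to set up access control on new users and groups, skipping silently is a policy decision that should either be documented or turned into a `RepositoryException`. If warn-and-continue is intended (for instance where the user tree has no applicable policy), add a comment saying so above `if (acl == null)`, and use the parameterized SLF4J form `log.warn("Cannot process AccessControlAction: no applicable ACL at {}", path);` instead of string concatenation. getPrivileges is defined outside this hunk, so whether an unknown configured privilege name fails the action or is dropped cannot be checked here; the Javadoc of setAC should say which.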