jackrabbit-oak-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1430958 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: security/authorization/ security/authorization/restriction/ spi/security/authorization/ spi/security/authorization/restriction/
Date Wed, 09 Jan 2013 16:57:16 GMT
Author: angela
Date: Wed Jan  9 16:57:16 2013
New Revision: 1430958

URL: http://svn.apache.org/viewvc?rev=1430958&view=rev
Log:
OAK-51 : Access Control Management (WIP)

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
      - copied, changed from r1430723, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java
Removed:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACL.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java

Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java (from r1430723, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java&r1=1430723&r2=1430958&rev=1430958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACL.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java Wed Jan  9 16:57:16 2013
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.jackrabbit.oak.spi.security.authorization;
+package org.apache.jackrabbit.oak.security.authorization;
 
 import java.security.Principal;
 import java.util.ArrayList;
@@ -23,20 +23,16 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
-import javax.jcr.UnsupportedRepositoryOperationException;
 import javax.jcr.Value;
 import javax.jcr.security.AccessControlEntry;
 import javax.jcr.security.AccessControlException;
 import javax.jcr.security.Privilege;
 
-import com.google.common.base.Function;
-import com.google.common.collect.Collections2;
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
-import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
+import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlList;
+import org.apache.jackrabbit.oak.spi.security.authorization.ACE;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
-import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -44,29 +40,20 @@ import org.slf4j.LoggerFactory;
 /**
  * ACL... TODO
  */
-public class ACL implements JackrabbitAccessControlList {
+class ACL extends AbstractAccessControlList {
 
     private static final Logger log = LoggerFactory.getLogger(ACL.class);
 
-    private final String jcrPath;
-    private final List<ACE> entries;
-    private final RestrictionProvider restrictionProvider;
-    private final NamePathMapper namePathMapper;
+    private final List<JackrabbitAccessControlEntry> entries;
 
-    public ACL(String jcrPath, RestrictionProvider restrictionProvider, NamePathMapper namePathMapper) {
-        this(jcrPath, null, restrictionProvider, namePathMapper);
-    }
+    ACL(String jcrPath, List<JackrabbitAccessControlEntry> entries, RestrictionProvider restrictionProvider) {
+        super(jcrPath, restrictionProvider);
 
-    public ACL(String jcrPath, List<ACE> entries, RestrictionProvider restrictionProvider,
-               NamePathMapper namePathMapper) {
-        this.jcrPath = jcrPath;
-        this.entries = (entries == null) ? new ArrayList<ACE>() : entries;
-        this.restrictionProvider = restrictionProvider;
-        this.namePathMapper = namePathMapper;
+        this.entries = (entries == null) ? new ArrayList<JackrabbitAccessControlEntry>() : entries;
     }
 
-    public ACE[] getACEs() {
-        return entries.toArray(new ACE[entries.size()]);
+    JackrabbitAccessControlEntry[] getACEs() {
+        return entries.toArray(new JackrabbitAccessControlEntry[entries.size()]);
     }
 
     //--------------------------------------------------< AccessControlList >---
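Review bot: The new constructor keeps the caller's `entries` list by reference, so whoever built the list can still change the ACL's contents afterwards without going through `addEntry` or `checkACE`. For a class that holds access control entries a private copy is safer: `this.entries = (entries == null) ? new ArrayList<JackrabbitAccessControlEntry>() : new ArrayList<JackrabbitAccessControlEntry>(entries);`. The element type is also widened from `ACE` to `JackrabbitAccessControlEntry` while `checkACE` still only accepts `ACE` instances, so the constructor can now be handed entries the rest of the class would reject. The class Javadoc is still `ACL... TODO` and could at least state that this is the mutable, package-private implementation.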
@@ -76,49 +63,15 @@ public class ACL implements JackrabbitAc
     }
 
     @Override
-    public boolean addAccessControlEntry(Principal principal, Privilege[] privileges) throws AccessControlException, RepositoryException {
-        return addEntry(principal, privileges, true, Collections.<String, Value>emptyMap());
-    }
-
-    @Override
-    public void removeAccessControlEntry(AccessControlEntry ace) throws AccessControlException, RepositoryException {
-        checkACE(ace);
-        if (!entries.remove(ace)) {
+    public void removeAccessControlEntry(AccessControlEntry ace) throws RepositoryException {
+        JackrabbitAccessControlEntry entry = checkACE(ace);
+        if (!entries.remove(entry)) {
             throw new AccessControlException("Cannot remove AccessControlEntry " + ace);
         }
     }
 
-    //--------------------------------------< JackrabbitAccessControlPolicy >---
-    @Override
-    public String getPath() {
-        return jcrPath;
-    }
-
     //----------------------------------------< JackrabbitAccessControlList >---
     @Override
-    public String[] getRestrictionNames() throws RepositoryException {
-        Set<RestrictionDefinition> supported = restrictionProvider.getSupportedRestrictions(jcrPath);
-        return Collections2.transform(supported, new Function<RestrictionDefinition, String>() {
-            @Override
-            public String apply(RestrictionDefinition definition) {
-                return namePathMapper.getJcrName(definition.getName());
-            }
-        }).toArray(new String[supported.size()]);
-
-    }
-
-    @Override
-    public int getRestrictionType(String restrictionName) throws RepositoryException {
-        String oakName = namePathMapper.getOakName(restrictionName);
-        for (RestrictionDefinition definition : restrictionProvider.getSupportedRestrictions(jcrPath)) {
-            if (definition.getName().equals(oakName)) {
-                return definition.getRequiredType();
-            }
-        }
-        return PropertyType.UNDEFINED;
-    }
-
-    @Override
     public boolean isEmpty() {
         return entries.isEmpty();
     }
@@ -129,12 +82,8 @@ public class ACL implements JackrabbitAc
     }
 
     @Override
-    public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow) throws AccessControlException, RepositoryException {
-        return addEntry(principal, privileges, isAllow, Collections.<String, Value>emptyMap());
-    }
-
-    @Override
-    public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow, Map<String, Value> restrictions) throws AccessControlException, RepositoryException {
+    public boolean addEntry(Principal principal, Privilege[] privileges,
+                            boolean isAllow, Map<String, Value> restrictions) throws RepositoryException {
         // NOTE: validation and any kind of optimization of the entry list is
         // delegated to the commit validator
         Set<Restriction> rs;
@@ -146,7 +95,7 @@ public class ACL implements JackrabbitAc
                 rs.add(restrictionProvider.createRestriction(jcrPath, name, restrictions.get(name)));
             }
         }
-        ACE entry = new ACE(principal, privileges, isAllow, rs, namePathMapper);
+        JackrabbitAccessControlEntry entry = new ACE(principal, privileges, isAllow, rs);
         if (entries.contains(entry)) {
             log.debug("Entry is already contained in policy -> no modification.");
             return false;
@@ -156,25 +105,22 @@ public class ACL implements JackrabbitAc
     }
 
     @Override
-    public void orderBefore(AccessControlEntry srcEntry, AccessControlEntry destEntry) throws AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
-        checkACE(srcEntry);
-        if (destEntry != null) {
-            checkACE(destEntry);
-        }
+    public void orderBefore(AccessControlEntry srcEntry, AccessControlEntry destEntry) throws RepositoryException {
+        JackrabbitAccessControlEntry src = checkACE(srcEntry);
+        JackrabbitAccessControlEntry dest = (destEntry == null) ? null : checkACE(destEntry);
 
-        if (srcEntry.equals(destEntry)) {
+        if (src.equals(dest)) {
             log.debug("'srcEntry' equals 'destEntry' -> no reordering required.");
             return;
         }
 
-        int index = (destEntry == null) ? entries.size()-1 : entries.indexOf(destEntry);
+        int index = (dest == null) ? entries.size()-1 : entries.indexOf(dest);
         if (index < 0) {
             throw new AccessControlException("'destEntry' not contained in this AccessControlList.");
         } else {
-            ACE srcACE = (ACE) srcEntry;
-            if (entries.remove(srcACE)) {
+            if (entries.remove(src)) {
                 // re-insert the srcEntry at the new position.
-                entries.add(index, srcACE);
+                entries.add(index, src);
             } else {
                 // src entry not contained in this list.
                 throw new AccessControlException("srcEntry not contained in this AccessControlList");
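Review bot: In orderBefore the insertion index is taken from `entries.indexOf(dest)` before `entries.remove(src)` runs, so when `src` currently precedes `dest` the removal shifts `dest` down by one and `entries.add(index, src)` places `src` after `dest` instead of before it. Entry order in an ACL usually decides how allow and deny entries combine, so a misplaced entry is more than cosmetic. With an empty list and a null `destEntry` the index is -1 and the caller gets the "'destEntry' not contained" message even though no destination was given. Resolving the position only after `src` has been removed avoids both cases. The method's closing lines are outside this hunk.
```java
        // … unchanged: checkACE calls and the src.equals(dest) shortcut …
        if (dest != null && !entries.contains(dest)) {
            throw new AccessControlException("'destEntry' not contained in this AccessControlList.");
        }
        if (!entries.remove(src)) {
            // src entry not contained in this list.
            throw new AccessControlException("srcEntry not contained in this AccessControlList");
        }
        // resolve the target position only after src is gone, so the index is not stale
        int index = (dest == null) ? entries.size() : entries.indexOf(dest);
        entries.add(index, src);
```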
@@ -226,9 +172,10 @@ public class ACL implements JackrabbitAc
     }
 
     //------------------------------------------------------------< private >---
-    private static void checkACE(AccessControlEntry entry) throws AccessControlException {
+    private static JackrabbitAccessControlEntry checkACE(AccessControlEntry entry) throws AccessControlException {
         if (!(entry instanceof ACE)) {
             throw new AccessControlException("Invalid access control entry.");
         }
+        return (ACE) entry;
     }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1430958&r1=1430957&r2=1430958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Wed Jan  9 16:57:16 2013
@@ -32,15 +32,19 @@ import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
 import javax.jcr.query.Query;
 import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlList;
 import javax.jcr.security.AccessControlPolicy;
 import javax.jcr.security.AccessControlPolicyIterator;
 import javax.jcr.security.Privilege;
 
 import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
 import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
 import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.PropertyValue;
 import org.apache.jackrabbit.oak.api.QueryEngine;
@@ -59,7 +63,6 @@ import org.apache.jackrabbit.oak.securit
 import org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.ACE;
-import org.apache.jackrabbit.oak.spi.security.authorization.ACL;
 import org.apache.jackrabbit.oak.spi.security.authorization.ImmutableACL;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
@@ -81,7 +84,6 @@ public class AccessControlManagerImpl im
 
     private final Root root;
     private final NamePathMapper namePathMapper;
-    private final SecurityProvider securityProvider;
 
     private final PrivilegeManager privilegeManager;
     private final PrincipalProvider principalProvider;
@@ -92,7 +94,6 @@ public class AccessControlManagerImpl im
                                     SecurityProvider securityProvider) {
         this.root = root;
         this.namePathMapper = namePathMapper;
-        this.securityProvider = securityProvider;
 
         privilegeManager = securityProvider.getPrivilegeConfiguration().getPrivilegeManager(root, namePathMapper);
         principalProvider = securityProvider.getPrincipalConfiguration().getPrincipalProvider(root, namePathMapper);
@@ -225,14 +226,14 @@ public class AccessControlManagerImpl im
             }
 
             ACL acl = (ACL) policy;
-            for (ACE ace : acl.getACEs()) {
+            for (JackrabbitAccessControlEntry ace : acl.getACEs()) {
                 String nodeName = generateAceName(aclNode, ace.isAllow());
                 String ntName = (ace.isAllow()) ? NT_REP_GRANT_ACE : NT_REP_DENY_ACE;
 
                 NodeUtil aceNode = aclNode.addChild(nodeName, ntName);
                 aceNode.setString(REP_PRINCIPAL_NAME, ace.getPrincipal().getName());
-                aceNode.setNames(REP_PRIVILEGES, ace.getPrivilegeNames());
-                restrictionProvider.writeRestrictions(absPath, aceNode.getTree(), ace.getRestrictionSet());
+                aceNode.setNames(REP_PRIVILEGES, AccessControlUtils.namesFromPrivileges(ace.getPrivileges()));
+                restrictionProvider.writeRestrictions(absPath, aceNode.getTree(), ace);
             }
         }
     }
@@ -315,21 +316,18 @@ public class AccessControlManagerImpl im
     }
 
     //------------------------------------------------------------< private >---
-    @CheckForNull
-    private String getOakPath(String absJcrPath) throws RepositoryException {
-        if (absJcrPath == null) {
-            return null; // repository level
-        }
-        String oakPath = namePathMapper.getOakPath(absJcrPath);
-        if (oakPath == null) {
-            throw new RepositoryException("Failed to resolve JCR path " + absJcrPath);
-        }
-        return oakPath;
-    }
-
-    @CheckForNull
+    @Nonnull
     private Tree getTree(String jcrPath) throws RepositoryException {
-        Tree tree = (jcrPath == null) ? root.getTree("/") : root.getTree(getOakPath(jcrPath));
+        Tree tree;
+        if (jcrPath == null) {
+            tree = root.getTree("/");
+        } else {
+            String oakPath = namePathMapper.getOakPath(jcrPath);
+            if (oakPath == null) {
+                throw new RepositoryException("Failed to resolve JCR path " + jcrPath);
+            }
+            tree = root.getTree(oakPath);
+        }
         if (tree == null) {
             throw new PathNotFoundException("No tree at " +jcrPath);
         }
@@ -337,7 +335,7 @@ public class AccessControlManagerImpl im
     }
 
     private void checkValidPath(String jcrPath) throws RepositoryException {
-        getTree(getOakPath(jcrPath));
+        getTree(jcrPath);
     }
 
     /**
@@ -380,21 +378,21 @@ public class AccessControlManagerImpl im
     }
 
     @CheckForNull
-    private ACL readACL(String jcrPath, Tree accessControlledTree,
+    private AccessControlList readACL(String jcrPath, Tree accessControlledTree,
                         boolean isReadOnly) throws RepositoryException {
-        ACL acl = null;
+        AccessControlList acl = null;
         String aclName = getAclName(jcrPath);
         String mixinName = getMixinName(jcrPath);
         if (isAccessControlled(accessControlledTree, mixinName) && accessControlledTree.hasChild(aclName)) {
             Tree aclTree = accessControlledTree.getChild(aclName);
-            List<ACE> entries = new ArrayList<ACE>();
+            List<JackrabbitAccessControlEntry> entries = new ArrayList<JackrabbitAccessControlEntry>();
             for (Tree child : aclTree.getChildren()) {
                 if (isACE(child)) {
                     entries.add(readACE(jcrPath, child, restrictionProvider));
                 }
             }
             if (isReadOnly) {
-                acl = new ImmutableACL(jcrPath, entries, restrictionProvider, namePathMapper);
+                acl = new ImmutableACL(jcrPath, entries, restrictionProvider);
             } else {
                 acl = new NodeACL(jcrPath, entries);
             }
@@ -403,16 +401,16 @@ public class AccessControlManagerImpl im
     }
 
     @Nonnull
-    private ACE readACE(String jcrPath, Tree aceTree, RestrictionProvider restrictionProvider)
+    private JackrabbitAccessControlEntry readACE(String jcrPath, Tree aceTree, RestrictionProvider restrictionProvider)
             throws RepositoryException {
         NodeUtil aceNode = new NodeUtil(aceTree);
         Principal principal = principalProvider.getPrincipal(aceNode.getString(REP_PRINCIPAL_NAME, null));
         boolean isAllow = aceNode.hasPrimaryNodeTypeName(NT_REP_GRANT_ACE);
         Set<Restriction> restrictions = restrictionProvider.readRestrictions(jcrPath, aceTree);
-        return new ACE(principal, getPrivileges(aceNode), isAllow, restrictions, namePathMapper);
+        return new ACE(principal, getPrivileges(aceNode), isAllow, restrictions);
     }
 
-    private ACL createPrincipalACL(Principal principal, Result aceResult) throws RepositoryException {
+    private JackrabbitAccessControlList createPrincipalACL(Principal principal, Result aceResult) throws RepositoryException {
         // TODO: specific path indicating the principal-based nature of the
         // TODO: ACL... this could also be the path of the compiled permissions
         // TODO: for this principal.
@@ -422,7 +420,7 @@ public class AccessControlManagerImpl im
         // TODO: the ACEs need to be stored in the content tree.
         RestrictionProvider pbRestrictions = new PrincipalRestrictionProvider(namePathMapper);
 
-        List<ACE> entries = null;
+        List<JackrabbitAccessControlEntry> entries = null;
         if (aceResult != null) {
             entries = new ArrayList();
             for (ResultRow row : aceResult.getRows()) {
@@ -439,7 +437,7 @@ public class AccessControlManagerImpl im
                 }
             }
         }
-        return new PrincipalACL(principalBasedPath, entries, pbRestrictions, namePathMapper);
+        return new PrincipalACL(principalBasedPath, entries, pbRestrictions);
     }
 
     /**
@@ -551,8 +549,8 @@ public class AccessControlManagerImpl im
             this(jcrPath, null);
         }
 
-        private NodeACL(String jcrPath, List<ACE> entries) {
-            super(jcrPath, entries, restrictionProvider, namePathMapper);
+        private NodeACL(String jcrPath, List<JackrabbitAccessControlEntry> entries) {
+            super(jcrPath, entries, AccessControlManagerImpl.this.restrictionProvider);
         }
     }
 
@@ -561,12 +559,12 @@ public class AccessControlManagerImpl im
 
     private class PrincipalACL extends ACL {
 
-        private PrincipalACL(String jcrPath, List<ACE> entries, RestrictionProvider restrictionProvider, NamePathMapper namePathMapper) {
-            super(jcrPath, entries, restrictionProvider, namePathMapper);
+        private PrincipalACL(String jcrPath, List<JackrabbitAccessControlEntry> entries, RestrictionProvider restrictionProvider) {
+            super(jcrPath, entries, restrictionProvider);
         }
     }
 
-    private static class PrincipalRestrictionProvider extends RestrictionProviderImpl {
+    private class PrincipalRestrictionProvider extends RestrictionProviderImpl {
 
         private PrincipalRestrictionProvider(NamePathMapper namePathMapper) {
             super(namePathMapper);
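Review bot: Dropping `static` from PrincipalRestrictionProvider appears to serve only one purpose: letting `namePathMapper` in getSupportedRestrictions and readRestrictions (the two following hunks) resolve to the enclosing AccessControlManagerImpl field. RestrictionProviderImpl declares its own mapper `private`, so it is not the inherited one. As a result the mapper passed to the constructor and the mapper used for the `REP_NODE_PATH` definition and restriction are two separate references that merely happen to be the same object today. Every instance also now holds a hidden reference to the manager. Keeping the class `static` and storing the argument makes the dependency explicit: add `private final NamePathMapper namePathMapper;` and set `this.namePathMapper = namePathMapper;` after the `super(...)` call. The class body continues outside this hunk.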
@@ -576,7 +574,7 @@ public class AccessControlManagerImpl im
         @Override
         public Set<RestrictionDefinition> getSupportedRestrictions(String jcrPath) {
             Set<RestrictionDefinition> definitions = new HashSet<RestrictionDefinition>(super.getSupportedRestrictions(jcrPath));
-            definitions.add(new RestrictionDefinitionImpl(REP_NODE_PATH, PropertyType.PATH, true));
+            definitions.add(new RestrictionDefinitionImpl(REP_NODE_PATH, PropertyType.PATH, true, namePathMapper));
             return definitions;
         }
 
@@ -585,7 +583,7 @@ public class AccessControlManagerImpl im
             Set<Restriction> restrictions = super.readRestrictions(jcrPath, aceTree);
             String value = (jcrPath == null) ? "" : jcrPath;
             PropertyState nodePathProp = PropertyStates.createProperty(REP_NODE_PATH, value, Type.PATH);
-            restrictions.add(new RestrictionImpl(nodePathProp, PropertyType.PATH, true));
+            restrictions.add(new RestrictionImpl(nodePathProp, PropertyType.PATH, true, namePathMapper));
             return restrictions;
         }
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java?rev=1430958&r1=1430957&r2=1430958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java Wed Jan  9 16:57:16 2013
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
 
 import javax.annotation.Nonnull;
 
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
 
 /**
@@ -29,10 +30,14 @@ public class RestrictionDefinitionImpl i
     private final int type;
     private final boolean isMandatory;
 
-    public RestrictionDefinitionImpl(String name, int type, boolean isMandatory) {
+    final NamePathMapper namePathMapper;
+
+    public RestrictionDefinitionImpl(String name, int type, boolean isMandatory,
+                                     NamePathMapper namePathMapper) {
         this.name = name;
         this.type = type;
         this.isMandatory = isMandatory;
+        this.namePathMapper = namePathMapper;
     }
 
     @Nonnull
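Review bot: The new field `final NamePathMapper namePathMapper;` is package-visible and its constructor parameter carries no nullness annotation, yet `getJcrName()` in the next hunk dereferences it unconditionally and is declared `@Nonnull`. RestrictionImpl already annotates the same argument as `@Nonnull NamePathMapper namePathMapper`, so the super constructor should say the same. The field would be better as `private final` with a `protected` accessor for RestrictionImpl rather than shared by package access. A short Javadoc line on the constructor stating that the mapper is used to translate the Oak name to its JCR form would document why a definition now needs one.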
@@ -41,6 +46,12 @@ public class RestrictionDefinitionImpl i
         return name;
     }
 
+    @Nonnull
+    @Override
+    public String getJcrName() {
+        return namePathMapper.getJcrName(getName());
+    }
+
     @Override
     public int getRequiredType() {
         return type;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionImpl.java?rev=1430958&r1=1430957&r2=1430958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionImpl.java Wed Jan  9 16:57:16 2013
@@ -21,16 +21,21 @@ package org.apache.jackrabbit.oak.securi
  */
 
 import javax.annotation.Nonnull;
+import javax.jcr.Value;
 
 import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
 
 public class RestrictionImpl extends RestrictionDefinitionImpl implements Restriction {
 
     private final PropertyState property;
 
-    public RestrictionImpl(@Nonnull PropertyState property, int requiredType, boolean isMandatory) {
-        super(property.getName(), requiredType, isMandatory);
+    public RestrictionImpl(@Nonnull PropertyState property, int requiredType,
+                           boolean isMandatory,
+                           @Nonnull NamePathMapper namePathMapper) {
+        super(property.getName(), requiredType, isMandatory, namePathMapper);
         this.property = property;
     }
 
@@ -39,4 +44,10 @@ public class RestrictionImpl extends Res
     public PropertyState getProperty() {
         return property;
     }
+
+    @Nonnull
+    @Override
+    public Value getValue() {
+        return ValueFactoryImpl.createValue(property, namePathMapper);
+    }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java?rev=1430958&r1=1430957&r2=1430958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java Wed Jan  9 16:57:16 2013
@@ -28,6 +28,7 @@ import javax.jcr.Value;
 import javax.jcr.security.AccessControlException;
 
 import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
@@ -47,7 +48,7 @@ public class RestrictionProviderImpl imp
     private NamePathMapper namePathMapper;
 
     public RestrictionProviderImpl(NamePathMapper namePathMapper) {
-        RestrictionDefinition glob = new RestrictionDefinitionImpl(AccessControlConstants.REP_GLOB, PropertyType.STRING, false);
+        RestrictionDefinition glob = new RestrictionDefinitionImpl(AccessControlConstants.REP_GLOB, PropertyType.STRING, false, namePathMapper);
         this.supported = Collections.singletonMap(AccessControlConstants.REP_GLOB, glob);
         this.namePathMapper = namePathMapper;
     }
@@ -74,7 +75,7 @@ public class RestrictionProviderImpl imp
             throw new AccessControlException("Unsupported restriction: Expected value of type " + PropertyType.nameFromValue(definition.getRequiredType()));
         }
         PropertyState propertyState = PropertyStates.createProperty(oakName, value);
-        return new RestrictionImpl(propertyState, requiredType, definition.isMandatory());
+        return new RestrictionImpl(propertyState, requiredType, definition.isMandatory(), namePathMapper);
     }
 
     @Override
@@ -90,6 +91,12 @@ public class RestrictionProviderImpl imp
     }
 
     @Override
+    public void writeRestrictions(String jcrPath, Tree aceTree, JackrabbitAccessControlEntry entry) throws AccessControlException {
+        // TODO
+        throw new UnsupportedOperationException("not yet implemented");
+    }
+
+    @Override
     public void validateRestrictions(String jcrPath, Tree aceTree) throws javax.jcr.security.AccessControlException {
         Tree restrictions;
         if (aceTree.hasChild(AccessControlConstants.REP_RESTRICTIONS)) {
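Review bot: The new `writeRestrictions` always throws the unchecked `UnsupportedOperationException`, which is outside its declared `throws AccessControlException` and will bypass callers that handle `RepositoryException`. The loop over `acl.getACEs()` in AccessControlManagerImpl calls it for every entry, after `aclNode.addChild(...)` and the principal and privilege properties have already been written. If that provider is a RestrictionProviderImpl, which is not visible here, writing any non-empty ACL fails partway with a half-written entry node left in the tree. Until the method is implemented, a checked failure is easier for callers to handle: `throw new AccessControlException("writeRestrictions is not implemented yet");`. The `// TODO` should also say what is missing, namely persisting the entry's restrictions below `aceTree`. validateRestrictions, which starts in this hunk, continues outside it.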
@@ -99,27 +106,29 @@ public class RestrictionProviderImpl imp
             restrictions = aceTree;
         }
 
-        Map<String,PropertyState> restrictionProperties = new HashMap<String, PropertyState>();
-        for (PropertyState property : restrictions.getProperties()) {
-            String name = property.getName();
-            String prefix = Text.getNamespacePrefix(name);
-            if (!NamespaceRegistry.PREFIX_JCR.equals(prefix) && !AccessControlConstants.AC_PROPERTY_NAMES.contains(name)) {
-                restrictionProperties.put(name, property);
+        if (restrictions != null) {
+            Map<String,PropertyState> restrictionProperties = new HashMap<String, PropertyState>();
+            for (PropertyState property : restrictions.getProperties()) {
+                String name = property.getName();
+                String prefix = Text.getNamespacePrefix(name);
+                if (!NamespaceRegistry.PREFIX_JCR.equals(prefix) && !AccessControlConstants.AC_PROPERTY_NAMES.contains(name)) {
+                    restrictionProperties.put(name, property);
+                }
             }
-        }
 
-        if (jcrPath == null && !restrictionProperties.isEmpty()) {
-            throw new AccessControlException("Restrictions not supported with 'null' path.");
-        }
-        for (String restrName : restrictionProperties.keySet()) {
-            RestrictionDefinition def = supported.get(restrName);
-            if (def == null || restrictionProperties.get(restrName).getType().tag() != def.getRequiredType()) {
-                throw new AccessControlException("Unsupported restriction: " + restrName);
+            if (jcrPath == null && !restrictionProperties.isEmpty()) {
+                throw new AccessControlException("Restrictions not supported with 'null' path.");
             }
-        }
-        for (RestrictionDefinition def : supported.values()) {
-            if (def.isMandatory() && !restrictionProperties.containsKey(def.getName())) {
-                throw new AccessControlException("Mandatory restriction " + def.getName() + " is missing.");
+            for (String restrName : restrictionProperties.keySet()) {
+                RestrictionDefinition def = supported.get(restrName);
+                if (def == null || restrictionProperties.get(restrName).getType().tag() != def.getRequiredType()) {
+                    throw new AccessControlException("Unsupported restriction: " + restrName);
+                }
+            }
+            for (RestrictionDefinition def : supported.values()) {
+                if (def.isMandatory() && !restrictionProperties.containsKey(def.getName())) {
+                    throw new AccessControlException("Mandatory restriction " + def.getName() + " is missing.");
+                }
             }
         }
     }
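Review bot: Wrapping the whole body in `if (restrictions != null)` means a null `restrictions` tree now skips the mandatory-restriction loop too, so `validateRestrictions` returns normally without checking that mandatory restrictions are present. The only definition registered in the constructor above is created with `false` for mandatory, so nothing changes today, but the check fails open as soon as a mandatory definition is added. I would declare `restrictionProperties` before the guard and limit the guard to the collecting loop, `if (restrictions != null) { for (PropertyState property : restrictions.getProperties()) { … } }`, leaving the three checks after it unconditional. The method starts before this hunk, and how `restrictions` can become null is in lines that are not shown.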

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java?rev=1430958&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java Wed Jan  9 16:57:16 2013
@@ -0,0 +1,149 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.Set;
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import javax.jcr.security.Privilege;
+
+import com.google.common.base.Function;
+import com.google.common.collect.Collections2;
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+
+/**
+ * ACE... TODO
+ */
+public class ACE implements JackrabbitAccessControlEntry {
+
+    private final Principal principal;
+    private final Set<Privilege> privileges;
+    private final boolean isAllow;
+    private final Set<Restriction> restrictions;
+
+    private int hashCode;
+
+    public ACE(Principal principal, Privilege[] privileges,
+               boolean isAllow, Set<Restriction> restrictions) {
+        this(principal, ImmutableSet.copyOf(privileges), isAllow, restrictions);
+    }
+
+    public ACE(Principal principal, Set<Privilege> privileges,
+               boolean isAllow, Set<Restriction> restrictions) {
+        this.principal = principal;
+        this.privileges = ImmutableSet.copyOf(privileges);
+        this.isAllow = isAllow;
+        this.restrictions = (restrictions == null) ? Collections.<Restriction>emptySet() : ImmutableSet.copyOf(restrictions);
+    }
+
+    //-------------------------------------------------< AccessControlEntry >---
+    @Override
+    public Principal getPrincipal() {
+        return principal;
+    }
+
+    @Override
+    public Privilege[] getPrivileges() {
+        return privileges.toArray(new Privilege[privileges.size()]);
+    }
+
+    //---------------------------------------< JackrabbitAccessControlEntry >---
+    @Override
+    public boolean isAllow() {
+        return isAllow;
+    }
+
+    @Override
+    public String[] getRestrictionNames() throws RepositoryException {
+        return Collections2.transform(restrictions, new Function<Restriction, String>() {
+            @Override
+            public String apply(Restriction restriction) {
+                return restriction.getJcrName();
+            }
+        }).toArray(new String[restrictions.size()]);
+    }
+
+    @Override
+    public Value getRestriction(String restrictionName) throws RepositoryException {
+        for (Restriction restriction : restrictions) {
+            if (restriction.getJcrName().equals(restrictionName)) {
+                return restriction.getValue();
+            }
+        }
+        return null;
+    }
+
+    //-------------------------------------------------------------< Object >---
+    /**
+     * @see Object#hashCode()
+     */
+    @Override
+    public int hashCode() {
+        if (hashCode == -1) {
+            hashCode = buildHashCode();
+        }
+        return hashCode;
+    }
+
+    /**
+     * @see Object#equals(Object)
+     */
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == this) {
+            return true;
+        }
+        if (obj instanceof ACE) {
+            ACE other = (ACE) obj;
+            return principal.equals(other.principal) &&
+                   privileges.equals(other.privileges) &&
+                   isAllow == other.isAllow &&
+                   restrictions.equals(other.restrictions);
+        }
+        return false;
+    }
+
+    /**
+     * @see Object#toString()
+     */
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+        sb.append(principal.getName()).append('-').append(isAllow).append('-');
+        sb.append(privileges.toString()).append('-').append(restrictions.toString());
+        return sb.toString();
+    }
+
+    //------------------------------------------------------------< private >---
+    /**
+     * Build the hash code.
+     *
+     * @return the hash code.
+     */
+    private int buildHashCode() {
+        int h = 17;
+        h = 37 * h + principal.hashCode();
+        h = 37 * h + privileges.hashCode();
+        h = 37 * h + Boolean.valueOf(isAllow).hashCode();
+        h = 37 * h + restrictions.hashCode();
+        return h;
+    }
+}
\ No newline at end of file
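Review bot: The cached `hashCode` field is never initialised, so it starts at 0, but `hashCode()` only calls `buildHashCode()` when the field equals -1; as written every `ACE` returns 0 and `buildHashCode()` is dead code. That stays consistent with `equals`, but it puts all entries into one hash bucket, and `ImmutableACL.hashCode()` in this commit folds `entry.hashCode()` into its own value. Declare the field as `private int hashCode = -1;`, or test for 0 as `ImmutableACL` does. Separately, `principal` is stored without validation, so a null principal only fails later in `equals`, `toString` and `buildHashCode`.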

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java?rev=1430958&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java Wed Jan  9 16:57:16 2013
@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.Set;
+import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import javax.jcr.security.Privilege;
+
+import com.google.common.base.Function;
+import com.google.common.collect.Collections2;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+
+/**
+ * AbstractAccessControlList... TODO
+ */
+public abstract class AbstractAccessControlList implements JackrabbitAccessControlList {
+
+    protected final String jcrPath;
+    protected final RestrictionProvider restrictionProvider;
+
+    public AbstractAccessControlList(String jcrPath, RestrictionProvider restrictionProvider) {
+        this.jcrPath = jcrPath;
+        this.restrictionProvider = restrictionProvider;
+    }
+
+    //--------------------------------------< JackrabbitAccessControlPolicy >---
+    @Override
+    public String getPath() {
+        return jcrPath;
+    }
+
+    //--------------------------------------------------< AccessControlList >---
+
+    @Override
+    public boolean addAccessControlEntry(Principal principal, Privilege[] privileges) throws RepositoryException {
+        return addEntry(principal, privileges, true, Collections.<String, Value>emptyMap());
+    }
+
+    //----------------------------------------< JackrabbitAccessControlList >---
+    @Override
+    public String[] getRestrictionNames() throws RepositoryException {
+        Set<RestrictionDefinition> supported = restrictionProvider.getSupportedRestrictions(jcrPath);
+        return Collections2.transform(supported, new Function<RestrictionDefinition, String>() {
+            @Override
+            public String apply(RestrictionDefinition definition) {
+                return definition.getJcrName();
+            }
+        }).toArray(new String[supported.size()]);
+
+    }
+
+    @Override
+    public int getRestrictionType(String restrictionName) throws RepositoryException {
+        for (RestrictionDefinition definition : restrictionProvider.getSupportedRestrictions(jcrPath)) {
+            if (definition.getJcrName().equals(restrictionName)) {
+                return definition.getRequiredType();
+            }
+        }
+        return PropertyType.UNDEFINED;
+    }
+
+    @Override
+    public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow) throws RepositoryException {
+        return addEntry(principal, privileges, isAllow, Collections.<String, Value>emptyMap());
+    }
+}
\ No newline at end of file
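Review bot: The constructor stores `restrictionProvider` without a null check, so a null provider only surfaces as a `NullPointerException` in `getRestrictionNames()` or `getRestrictionType()`. `jcrPath`, by contrast, looks legitimately nullable (`ImmutableACL.equals` in this commit handles a null `jcrPath`), and the class Javadoc is still the `TODO` placeholder, so neither contract is written down. If a provider is always required, fail fast with `if (restrictionProvider == null) { throw new IllegalArgumentException("restrictionProvider must not be null"); }`. The placeholder should become a Javadoc saying that `jcrPath` may be null and that the two shorter add methods delegate to the four-argument `addEntry` with an empty restriction map.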

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java?rev=1430958&r1=1430957&r2=1430958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java Wed Jan  9 16:57:16 2013
@@ -30,11 +30,11 @@ import org.apache.jackrabbit.oak.spi.sec
 public interface AccessControlConfiguration extends SecurityConfiguration {
 
     @Nonnull
-    public AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper);
+    AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper);
 
     @Nonnull
-    public RestrictionProvider getRestrictionProvider(NamePathMapper namePathMapper);
+    RestrictionProvider getRestrictionProvider(NamePathMapper namePathMapper);
 
     @Nonnull
-    public PermissionProvider getPermissionProvider(NamePathMapper namePathMapper);
+    PermissionProvider getPermissionProvider(NamePathMapper namePathMapper);
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACL.java?rev=1430958&r1=1430957&r2=1430958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACL.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACL.java Wed Jan  9 16:57:16 2013
@@ -17,6 +17,7 @@
 package org.apache.jackrabbit.oak.spi.security.authorization;
 
 import java.security.Principal;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -24,18 +25,19 @@ import javax.jcr.RepositoryException;
 import javax.jcr.Value;
 import javax.jcr.security.AccessControlEntry;
 import javax.jcr.security.AccessControlException;
-import javax.jcr.security.AccessControlList;
 import javax.jcr.security.Privilege;
 
 import com.google.common.collect.ImmutableList;
-import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 
 /**
  * An implementation of the {@code JackrabbitAccessControlList} interface that only
  * allows for reading. The write methods throw an {@code AccessControlException}.
  */
-public class ImmutableACL extends ACL {
+public class ImmutableACL extends AbstractAccessControlList {
+
+    private final List<AccessControlEntry> entries;
 
     private int hashCode;
 
@@ -45,67 +47,56 @@ public class ImmutableACL extends ACL {
      * @param jcrPath
      * @param entries
      * @param restrictionProvider
-     * @param namePathMapper
      */
-    public ImmutableACL(String jcrPath, List<ACE> entries,
-                        RestrictionProvider restrictionProvider,
-                        NamePathMapper namePathMapper) {
-        super(jcrPath, getImmutableEntries(entries), restrictionProvider, namePathMapper);
-    }
-
-    private static List<ACE> getImmutableEntries(List<ACE> entries) {
-        return (entries == null) ? Collections.<ACE>emptyList() : ImmutableList.copyOf(entries);
+    public ImmutableACL(String jcrPath, List<? extends AccessControlEntry> entries,
+                        RestrictionProvider restrictionProvider) {
+        super(jcrPath, restrictionProvider);
+        this.entries = (entries == null) ? Collections.<AccessControlEntry>emptyList() : ImmutableList.copyOf(entries);
     }
 
     //--------------------------------------------------< AccessControlList >---
-    /**
-     * @see AccessControlList#addAccessControlEntry(java.security.Principal, javax.jcr.security.Privilege[])
-     */
-    public boolean addAccessControlEntry(Principal principal,
-                                         Privilege[] privileges)
-            throws AccessControlException, RepositoryException {
-        throw new AccessControlException("Immutable ACL. Use AccessControlManager#getApplicablePolicies in order to obtain an modifiable ACL.");
+
+    @Override
+    public AccessControlEntry[] getAccessControlEntries() throws RepositoryException {
+        return entries.toArray(new AccessControlEntry[entries.size()]);
     }
 
-    /**
-     * @see AccessControlList#removeAccessControlEntry(AccessControlEntry)
-     */
+    @Override
     public void removeAccessControlEntry(AccessControlEntry ace)
             throws AccessControlException, RepositoryException {
         throw new AccessControlException("Immutable ACL. Use AccessControlManager#getApplicablePolicies in order to obtain an modifiable ACL.");
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(Principal, Privilege[], boolean)
-     */
-    public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow) throws AccessControlException {
-        throw new AccessControlException("Immutable ACL. Use AccessControlManager#getPolicy or #getApplicablePolicies in order to obtain an modifiable ACL.");
+    //----------------------------------------< JackrabbitAccessControlList >---
+
+    @Override
+    public boolean isEmpty() {
+        return entries.isEmpty();
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(Principal, Privilege[], boolean, Map)
-     */
-    public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow, Map<String, Value> restrictions) throws AccessControlException {
+    @Override
+    public int size() {
+        return entries.size();
+    }
+
+    @Override
+    public boolean addEntry(Principal principal, Privilege[] privileges,
+                            boolean isAllow, Map<String, Value> restrictions) throws AccessControlException {
         throw new AccessControlException("Immutable ACL. Use AccessControlManager#getPolicy or #getApplicablePolicies in order to obtain an modifiable ACL.");
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#orderBefore(AccessControlEntry, AccessControlEntry)
-     */
+    @Override
     public void orderBefore(AccessControlEntry srcEntry, AccessControlEntry destEntry) throws AccessControlException {
         throw new AccessControlException("Immutable ACL. Use AccessControlManager#getPolicy or #getApplicablePolicy in order to obtain a modifiable ACL.");
     }
 
     //-------------------------------------------------------------< Object >---
-    /**
-     * @see Object#hashCode()
-     */
     @Override
     public int hashCode() {
         if (hashCode == 0) {
             int result = 17;
             result = 37 * result + (getPath() != null ? getPath().hashCode() : 0);
-            for (ACE entry : getACEs()) {
+            for (AccessControlEntry entry : entries) {
                 result = 37 * result + entry.hashCode();
             }
             hashCode = result;
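Review bot: The read-only guarantee for `addAccessControlEntry(Principal, Privilege[])` and the three-argument `addEntry` now rests only on delegation inherited from `AbstractAccessControlList`: their throwing overrides are removed here, and they reach the four-argument `addEntry` that this class still overrides. That holds as long as this override keeps throwing, but nothing in the class says so. I would add a comment above it, e.g. `// addAccessControlEntry and the 3-arg addEntry are inherited and delegate here; this method must keep throwing`, and a test that calls both inherited methods on an `ImmutableACL`. The `hashCode()` body at the end of the hunk continues outside it.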
@@ -113,19 +104,19 @@ public class ImmutableACL extends ACL {
         return hashCode;
     }
 
-    /**
-     * @see Object#equals(Object)
-     * FIXME: this implementation violates the general contract of equals: it is not symmetric.
-     * While ACL.equals(ImmutableACL) might be true, ImmutableACL.equals(ACL) is always false.
-     */
     @Override
     public boolean equals(Object obj) {
         if (obj == this) {
             return true;
         }
-
-        if (obj instanceof ImmutableACL) {
-            return super.equals(obj);
+        if (obj instanceof JackrabbitAccessControlList) {
+            try {
+                JackrabbitAccessControlList acl = (JackrabbitAccessControlList) obj;
+                return ((jcrPath == null) ? acl.getPath() == null : jcrPath.equals(acl.getPath()))
+                        && entries.equals(Arrays.asList(acl.getAccessControlEntries()));
+            } catch (RepositoryException e) {
+                // failed to retrieve access control entries -> objects are not equal.
+            }
         }
         return false;
     }
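Review bot: `equals` now accepts any `JackrabbitAccessControlList`, while `hashCode()` uses this class's own path-and-entries formula, so an equal list from another implementation has the same hash only if it uses the same formula, and symmetry depends on that implementation's `equals` as well. The removed FIXME described this asymmetry with `ACL`, whose `equals` and `hashCode` are not visible here, so it needs confirming against `ACL.java`. If cross-type equality is intended, document it on the method, e.g. `// equal to any JackrabbitAccessControlList with the same path and entries; implementations must agree on hashCode`.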

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java?rev=1430958&r1=1430957&r2=1430958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java Wed Jan  9 16:57:16 2013
@@ -21,7 +21,6 @@ import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.Privilege;
-import javax.security.auth.Subject;
 
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
@@ -31,7 +30,7 @@ import org.apache.jackrabbit.oak.spi.sta
 
 /**
  * This class implements an {@link AccessControlConfiguration} which grants
- * full access to any {@link Subject}.
+ * full access to any {@link javax.security.auth.Subject}.
  */
 public class OpenAccessControlConfiguration extends SecurityConfiguration.Default
         implements AccessControlConfiguration {

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java?rev=1430958&r1=1430957&r2=1430958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java Wed Jan  9 16:57:16 2013
@@ -24,6 +24,8 @@ import java.util.Map;
  */
 public final class Permissions {
 
+    private Permissions() {};
+
     public static final int NO_PERMISSION = 0;
 
     public static final int READ_NODE = 1;
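Review bot: The added private constructor is followed by a stray semicolon, `private Permissions() {};`, which compiles as an empty declaration but is noise that linters flag. Write `private Permissions() {}`. The class body continues outside the hunk.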

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java?rev=1430958&r1=1430957&r2=1430958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java Wed Jan  9 16:57:16 2013
@@ -20,8 +20,6 @@ import javax.annotation.Nonnull;
 import javax.jcr.Value;
 
 import org.apache.jackrabbit.oak.api.PropertyState;
-import org.apache.jackrabbit.oak.api.Type;
-import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 
 /**
  * Restriction... TODO
@@ -30,4 +28,7 @@ public interface Restriction extends Res
 
     @Nonnull
     PropertyState getProperty();
+
+    @Nonnull
+    Value getValue();
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java?rev=1430958&r1=1430957&r2=1430958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java Wed Jan  9 16:57:16 2013
@@ -32,6 +32,14 @@ public interface RestrictionDefinition {
     String getName();
 
     /**
+     * The jcr name of this restriction definition.
+     *
+     * @return The jcr name.
+     */
+    @Nonnull
+    String getJcrName();
+
+    /**
      * The required type as defined by this definition.
      *
      * @return The required type which must be a valid {@link javax.jcr.PropertyType}.

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java?rev=1430958&r1=1430957&r2=1430958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java Wed Jan  9 16:57:16 2013
@@ -22,6 +22,7 @@ import javax.jcr.RepositoryException;
 import javax.jcr.Value;
 import javax.jcr.security.AccessControlException;
 
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.oak.api.Tree;
 
 /**
@@ -40,5 +41,7 @@ public interface RestrictionProvider {
 
     void writeRestrictions(String jcrPath, Tree aceTree, Set<Restriction> restrictions) throws AccessControlException;
 
+    void writeRestrictions(String jcrPath, Tree aceTree, JackrabbitAccessControlEntry entry) throws AccessControlException;
+
     void validateRestrictions(String jcrPath, Tree aceTree) throws AccessControlException;
 }


