jackrabbit-oak-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1432203 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: security/authorization/ security/authorization/restriction/ spi/security/authorization/ spi/security/authorization/restriction/ util/
Date Fri, 11 Jan 2013 18:19:08 GMT
Author: angela
Date: Fri Jan 11 18:19:07 2013
New Revision: 1432203

URL: http://svn.apache.org/viewvc?rev=1432203&view=rev
Log:
OAK-51 : Access Control Management (WIP)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/EmptyRestrictionProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1432203&r1=1432202&r2=1432203&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
Fri Jan 11 18:19:07 2013
@@ -216,7 +216,17 @@ public class AccessControlManagerImpl im
                 NodeUtil aceNode = aclNode.addChild(nodeName, ntName);
                 aceNode.setString(REP_PRINCIPAL_NAME, ace.getPrincipal().getName());
                 aceNode.setNames(REP_PRIVILEGES, AccessControlUtils.namesFromPrivileges(ace.getPrivileges()));
-                restrictionProvider.writeRestrictions(absPath, aceNode.getTree(), ace);
+                Set<Restriction> restrictions;
+                if (ace instanceof ACE) {
+                    restrictions = ((ACE) ace).getRestrictions();
+                } else {
+                    String[] rNames = ace.getRestrictionNames();
+                    restrictions = new HashSet<Restriction>(rNames.length);
+                    for (String rName : rNames) {
+                        restrictions.add(restrictionProvider.createRestriction(acl.getPath(),
rName, ace.getRestriction(rName)));
+                    }
+                }
+                restrictionProvider.writeRestrictions(absPath, aceNode.getTree(), restrictions);
             }
         }
     }
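Review bot: In the else branch the restrictions are created against `acl.getPath()` but then written with `absPath`, so the provider is consulted with two different path expressions for the same entry. Unless the two are guaranteed equal earlier in this method (it starts above the hunk), pass the same value to both calls, e.g. `restrictionProvider.createRestriction(absPath, rName, ace.getRestriction(rName))`. Only this branch goes through `createRestriction`; restrictions taken from `((ACE) ace).getRestrictions()` are written as-is, so their correctness depends entirely on the later validation step.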
@@ -571,7 +581,7 @@ public class AccessControlManagerImpl im
             Set<Restriction> restrictions = super.readRestrictions(jcrPath, aceTree);
             String value = (jcrPath == null) ? "" : jcrPath;
             PropertyState nodePathProp = PropertyStates.createProperty(REP_NODE_PATH, value,
Type.PATH);
-            restrictions.add(new RestrictionImpl(nodePathProp, PropertyType.PATH, true, namePathMapper));
+            restrictions.add(new RestrictionImpl(nodePathProp, true, namePathMapper));
             return restrictions;
         }
 
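Review bot: `restrictions.add(...)` mutates whatever set `super.readRestrictions(jcrPath, aceTree)` returns, and this override explicitly expects `jcrPath == null`. If the superclass is `RestrictionProviderImpl` (not visible here), this same commit makes it return `Collections.emptySet()` for a null path, which is immutable, so the add would throw `UnsupportedOperationException` when such an entry is read. Copying first removes the dependency on the returned set being mutable: `Set<Restriction> restrictions = new HashSet<Restriction>(super.readRestrictions(jcrPath, aceTree));`. The enclosing method starts above the hunk.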

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionImpl.java?rev=1432203&r1=1432202&r2=1432203&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionImpl.java
Fri Jan 11 18:19:07 2013
@@ -32,10 +32,9 @@ public class RestrictionImpl extends Res
 
     private final PropertyState property;
 
-    public RestrictionImpl(@Nonnull PropertyState property, int requiredType,
-                           boolean isMandatory,
+    public RestrictionImpl(@Nonnull PropertyState property, boolean isMandatory,
                            @Nonnull NamePathMapper namePathMapper) {
-        super(property.getName(), requiredType, isMandatory, namePathMapper);
+        super(property.getName(), property.getType().tag(), isMandatory, namePathMapper);
         this.property = property;
     }
 
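Review bot: The constructor carries no Javadoc, and after this change it can no longer notice a property whose type disagrees with the restriction definition, because the required type handed to `super` is `property.getType().tag()` itself. That precondition should be written down, e.g. `/** The required type is taken from {@code property}; callers must already have checked it against the matching RestrictionDefinition. */`. The callers visible in this commit either compare against the definition first or pass a fixed type, but nothing in the signature reminds a future caller to do so.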

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java?rev=1432203&r1=1432202&r2=1432203&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
Fri Jan 11 18:19:07 2013
@@ -18,38 +18,39 @@ package org.apache.jackrabbit.oak.securi
 
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import javax.annotation.Nonnull;
-import javax.jcr.NamespaceRegistry;
 import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
 import javax.jcr.Value;
 import javax.jcr.security.AccessControlException;
 
 import com.google.common.collect.ImmutableSet;
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
+import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
 import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.util.NodeUtil;
 import org.apache.jackrabbit.util.Text;
 
 /**
  * RestrictionProviderImpl... TODO
  */
-public class RestrictionProviderImpl implements RestrictionProvider {
+public class RestrictionProviderImpl implements RestrictionProvider, AccessControlConstants
{
 
     private Map<String, RestrictionDefinition> supported;
     private NamePathMapper namePathMapper;
 
     public RestrictionProviderImpl(NamePathMapper namePathMapper) {
-        RestrictionDefinition glob = new RestrictionDefinitionImpl(AccessControlConstants.REP_GLOB,
PropertyType.STRING, false, namePathMapper);
-        this.supported = Collections.singletonMap(AccessControlConstants.REP_GLOB, glob);
+        RestrictionDefinition glob = new RestrictionDefinitionImpl(REP_GLOB, PropertyType.STRING,
false, namePathMapper);
+        this.supported = Collections.singletonMap(REP_GLOB, glob);
         this.namePathMapper = namePathMapper;
     }
 
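Review bot: `implements RestrictionProvider, AccessControlConstants` brings the constants in by inheritance, which makes every `AccessControlConstants` field part of this class's public type just to shorten `REP_GLOB`. A static import gives the same brevity without widening the API, e.g. `import static org.apache.jackrabbit.oak.security.authorization.AccessControlConstants.REP_GLOB;`. The change is also applied unevenly: `isRestrictionProperty` further down in this file still writes the qualified `AccessControlConstants.AC_PROPERTY_NAMES`.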
@@ -75,61 +76,87 @@ public class RestrictionProviderImpl imp
             throw new AccessControlException("Unsupported restriction: Expected value of
type " + PropertyType.nameFromValue(definition.getRequiredType()));
         }
         PropertyState propertyState = PropertyStates.createProperty(oakName, value);
-        return new RestrictionImpl(propertyState, requiredType, definition.isMandatory(),
namePathMapper);
+        return new RestrictionImpl(propertyState, definition.isMandatory(), namePathMapper);
     }
 
     @Override
     public Set<Restriction> readRestrictions(String jcrPath, Tree aceTree) throws AccessControlException
{
-        // TODO
-        throw new UnsupportedOperationException("not yet implemented");
+        if (jcrPath == null) {
+            return Collections.emptySet();
+        } else {
+            Set<Restriction> restrictions = new HashSet<Restriction>();
+            for (PropertyState propertyState : getRestrictionsTree(aceTree).getProperties())
{
+                String propName = propertyState.getName();
+                if (isRestrictionProperty(propName) && supported.containsKey(propName))
{
+                    RestrictionDefinition def = supported.get(propName);
+                    if (def.getRequiredType() == propertyState.getType().tag()) {
+                        restrictions.add(new RestrictionImpl(propertyState, def.isMandatory(),
namePathMapper));
+                    }
+                }
+            }
+            return restrictions;
+        }
     }
 
     @Override
     public void writeRestrictions(String jcrPath, Tree aceTree, Set<Restriction> restrictions)
throws AccessControlException {
-        // TODO
-        throw new UnsupportedOperationException("not yet implemented");
+        // validation of the restrictions is delegated to the commit hook
+        // see #validateRestrictions below
+        NodeUtil aceNode = new NodeUtil(aceTree);
+        NodeUtil rNode = aceNode.getOrAddChild(REP_RESTRICTIONS, NT_REP_RESTRICTIONS);
+        for (Restriction restriction : restrictions) {
+            rNode.getTree().setProperty(restriction.getProperty());
+        }
     }
 
     @Override
-    public void writeRestrictions(String jcrPath, Tree aceTree, JackrabbitAccessControlEntry
entry) throws AccessControlException {
-        // TODO
-        throw new UnsupportedOperationException("not yet implemented");
+    public void validateRestrictions(String jcrPath, Tree aceTree) throws javax.jcr.security.AccessControlException
{
+        Map<String,PropertyState> restrictionProperties = getRestrictionProperties(aceTree);
+        if (jcrPath == null && !restrictionProperties.isEmpty()) {
+            throw new AccessControlException("Restrictions not supported with 'null' path.");
+        }
+        for (String restrName : restrictionProperties.keySet()) {
+            RestrictionDefinition def = supported.get(restrName);
+            if (def == null || restrictionProperties.get(restrName).getType().tag() != def.getRequiredType())
{
+                throw new AccessControlException("Unsupported restriction: " + restrName);
+            }
+        }
+        for (RestrictionDefinition def : supported.values()) {
+            if (def.isMandatory() && !restrictionProperties.containsKey(def.getName()))
{
+                throw new AccessControlException("Mandatory restriction " + def.getName()
+ " is missing.");
+            }
+        }
     }
 
-    @Override
-    public void validateRestrictions(String jcrPath, Tree aceTree) throws javax.jcr.security.AccessControlException
{
+    //------------------------------------------------------------< private >---
+    @Nonnull
+    private Tree getRestrictionsTree(Tree aceTree) {
         Tree restrictions;
-        if (aceTree.hasChild(AccessControlConstants.REP_RESTRICTIONS)) {
-            restrictions = aceTree.getChild(AccessControlConstants.REP_RESTRICTIONS);
+        if (aceTree.hasChild(REP_RESTRICTIONS)) {
+            restrictions = aceTree.getChild(REP_RESTRICTIONS);
         } else {
             // backwards compatibility
             restrictions = aceTree;
         }
+        return restrictions;
+    }
 
-        if (restrictions != null) {
-            Map<String,PropertyState> restrictionProperties = new HashMap<String,
PropertyState>();
-            for (PropertyState property : restrictions.getProperties()) {
-                String name = property.getName();
-                String prefix = Text.getNamespacePrefix(name);
-                if (!NamespaceRegistry.PREFIX_JCR.equals(prefix) && !AccessControlConstants.AC_PROPERTY_NAMES.contains(name))
{
-                    restrictionProperties.put(name, property);
-                }
-            }
-
-            if (jcrPath == null && !restrictionProperties.isEmpty()) {
-                throw new AccessControlException("Restrictions not supported with 'null'
path.");
-            }
-            for (String restrName : restrictionProperties.keySet()) {
-                RestrictionDefinition def = supported.get(restrName);
-                if (def == null || restrictionProperties.get(restrName).getType().tag() !=
def.getRequiredType()) {
-                    throw new AccessControlException("Unsupported restriction: " + restrName);
-                }
-            }
-            for (RestrictionDefinition def : supported.values()) {
-                if (def.isMandatory() && !restrictionProperties.containsKey(def.getName()))
{
-                    throw new AccessControlException("Mandatory restriction " + def.getName()
+ " is missing.");
-                }
+    @Nonnull
+    private Map<String, PropertyState> getRestrictionProperties(Tree aceTree) {
+        Tree rTree = getRestrictionsTree(aceTree);
+        Map<String,PropertyState> restrictionProperties = new HashMap<String, PropertyState>();
+        for (PropertyState property : rTree.getProperties()) {
+            String name = property.getName();
+            if (isRestrictionProperty(name)) {
+                restrictionProperties.put(name, property);
             }
         }
+        return restrictionProperties;
+    }
+
+    private static boolean isRestrictionProperty(String propertyName) {
+        String prefix = Text.getNamespacePrefix(propertyName);
+        return !NamespaceConstants.RESERVED_PREFIXES.contains(prefix)
+                && !AccessControlConstants.AC_PROPERTY_NAMES.contains(propertyName);
     }
 }
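Review bot: `readRestrictions` silently skips any property in the restrictions tree that is not in `supported` or whose type tag differs from the definition, so an entry stored with such a restriction is read back without it. For an allow entry that widens the grant instead of narrowing it; since the method already declares `AccessControlException`, failing (or at least logging) when the two inner `if` conditions do not hold is a safer default than dropping the property. `writeRestrictions` now performs no checks and relies on `validateRestrictions` being run by the commit hook, as its comment says, and the "backwards compatibility" branch of `getRestrictionsTree` reads properties straight off the ACE node, so the read path should not assume that everything persisted is valid. Separately, the null-path branch returns the immutable `Collections.emptySet()` while the other branch returns a mutable `HashSet`; returning the same kind of set from both keeps callers from depending on which branch ran.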

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java?rev=1432203&r1=1432202&r2=1432203&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ACE.java
Fri Jan 11 18:19:07 2013
@@ -72,6 +72,11 @@ public class ACE implements JackrabbitAc
         this.restrictions = (restrictions == null) ? Collections.<Restriction>emptySet()
: ImmutableSet.copyOf(restrictions);
     }
 
+    @Nonnull
+    public Set<Restriction> getRestrictions() {
+        return restrictions;
+    }
+
     //-------------------------------------------------< AccessControlEntry >---
     @Nonnull
     @Override
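Review bot: The new public `getRestrictions()` has no Javadoc, and callers cannot tell from the signature that the returned set is safe to share. The constructor line at the top of the hunk shows the field is either `Collections.emptySet()` or an `ImmutableSet` copy, so this is worth stating: `/** Returns the immutable set of restrictions of this entry; never {@code null}. */`.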

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/EmptyRestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/EmptyRestrictionProvider.java?rev=1432203&r1=1432202&r2=1432203&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/EmptyRestrictionProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/EmptyRestrictionProvider.java
Fri Jan 11 18:19:07 2013
@@ -23,7 +23,6 @@ import javax.jcr.RepositoryException;
 import javax.jcr.Value;
 import javax.jcr.security.AccessControlException;
 
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -64,11 +63,6 @@ public class EmptyRestrictionProvider im
     }
 
     @Override
-    public void writeRestrictions(String jcrPath, Tree aceTree, JackrabbitAccessControlEntry
ace) throws AccessControlException {
-        throw new AccessControlException("Implementation doesn't supported restrictions.");
-    }
-
-    @Override
     public void validateRestrictions(String jcrPath, Tree aceTree) throws AccessControlException
{
         // nothing to do.
     }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java?rev=1432203&r1=1432202&r2=1432203&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
Fri Jan 11 18:19:07 2013
@@ -22,7 +22,6 @@ import javax.jcr.RepositoryException;
 import javax.jcr.Value;
 import javax.jcr.security.AccessControlException;
 
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.oak.api.Tree;
 
 /**
@@ -34,14 +33,12 @@ public interface RestrictionProvider {
     Set<RestrictionDefinition> getSupportedRestrictions(String jcrPath);
 
     @Nonnull
-    Restriction createRestriction(String jcrPath, String jcrName, Value value) throws RepositoryException;
+    Restriction createRestriction(String jcrPath, @Nonnull String jcrName, @Nonnull Value
value) throws RepositoryException;
 
     @Nonnull
-    Set<Restriction> readRestrictions(String jcrPath, Tree aceTree) throws AccessControlException;
+    Set<Restriction> readRestrictions(String jcrPath, @Nonnull Tree aceTree) throws
AccessControlException;
 
     void writeRestrictions(String jcrPath, Tree aceTree, Set<Restriction> restrictions)
throws AccessControlException;
 
-    void writeRestrictions(String jcrPath, Tree aceTree, JackrabbitAccessControlEntry entry)
throws AccessControlException;
-
-    void validateRestrictions(String jcrPath, Tree aceTree) throws AccessControlException;
+    void validateRestrictions(String jcrPath, @Nonnull Tree aceTree) throws AccessControlException;
 }
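Review bot: The interface still does not say which of these methods validates, and with this commit the implementation's `writeRestrictions` persists whatever set it is given and leaves checking to `validateRestrictions`. An implementer or caller who skips the validation call ends up storing unchecked restrictions, so the contract belongs in Javadoc on both methods, for example on `writeRestrictions`: `/** Writes the restrictions without validating them; validateRestrictions must be applied before the change is committed. */`. `jcrPath` is the one parameter the implementation tests for null, which `@Nullable` would make explicit next to the new `@Nonnull` annotations; `aceTree` and `restrictions` on `writeRestrictions` were left unannotated.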

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java?rev=1432203&r1=1432202&r2=1432203&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
Fri Jan 11 18:19:07 2013
@@ -38,10 +38,8 @@ import org.apache.jackrabbit.oak.api.Typ
 import org.apache.jackrabbit.oak.commons.PathUtils;
 import org.apache.jackrabbit.oak.namepath.NameMapper;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
-import org.apache.jackrabbit.oak.plugins.memory.MemoryPropertyBuilder;
 import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
 import org.apache.jackrabbit.oak.plugins.value.Conversions;
-import org.apache.jackrabbit.oak.spi.state.PropertyBuilder;
 import org.apache.jackrabbit.util.Text;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -284,9 +282,8 @@ public class NodeUtil {
     public void setValues(String name, Value[] values) {
         try {
             tree.setProperty(PropertyStates.createProperty(name, Arrays.asList(values)));
-        }
-        catch (RepositoryException e) {
-            log.warn("Unable to convert a default value", e);
+        } catch (RepositoryException e) {
+            log.warn("Unable to convert values", e);
         }
     }
 
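Review bot: The reworded warning still does not name the property, and the catch still swallows the `RepositoryException`, so a caller of `setValues` cannot tell that nothing was written. At minimum include the name so the log entry is actionable: `log.warn("Unable to convert values of property " + name, e);`. Whether the exception should propagate instead depends on callers outside this hunk.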


