jackrabbit-oak-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1440607 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: security/user/ spi/security/user/util/
Date Wed, 30 Jan 2013 19:40:51 GMT
Author: angela
Date: Wed Jan 30 19:40:51 2013
New Revision: 1440607

URL: http://svn.apache.org/viewvc?rev=1440607&view=rev
Log:
OAK-50 : Implement User Management (WIP)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizablePropertiesImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserContext.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/UserUtility.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizablePropertiesImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizablePropertiesImpl.java?rev=1440607&r1=1440606&r2=1440607&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizablePropertiesImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizablePropertiesImpl.java
Wed Jan 30 19:40:51 2013
@@ -206,12 +206,12 @@ class AuthorizablePropertiesImpl impleme
      *
      * @param authorizableTree The tree of the target authorizable.
      * @param propertyLocation Location to be tested.
-     * @param verifyAncestor If true the property is tested to be a descendant
-     * of the node of this authorizable; otherwise it is expected that this
-     * test has been executed by the caller.
+     * @param verifyAncestor   If true the property is tested to be a descendant
+     *                         of the node of this authorizable; otherwise it is expected
that this
+     *                         test has been executed by the caller.
      * @return {@code true} if the given property is not protected and is defined
-     * by the rep:authorizable node type or one of it's sub-node types;
-     * {@code false} otherwise.
+     *         by the rep:authorizable node type or one of it's sub-node types;
+     *         {@code false} otherwise.
      * @throws RepositoryException If an error occurs.
      */
     private boolean isAuthorizableProperty(Tree authorizableTree, TreeLocation propertyLocation,
boolean verifyAncestor) throws RepositoryException {
@@ -226,17 +226,21 @@ class AuthorizablePropertiesImpl impleme
      *
      * @param authorizableTree The tree of the target authorizable.
      * @param propertyLocation Location to be tested.
-     * @param verifyAncestor If true the property is tested to be a descendant
-     * of the node of this authorizable; otherwise it is expected that this
-     * test has been executed by the caller.
+     * @param verifyAncestor   If true the property is tested to be a descendant
+     *                         of the node of this authorizable; otherwise it is expected
that this
+     *                         test has been executed by the caller.
      * @return a valid authorizable property or {@code null} if no such property
-     * exists or fi the property is protected or not defined by the rep:authorizable
-     * node type or one of it's sub-node types.
+     *         exists or fi the property is protected or not defined by the rep:authorizable
+     *         node type or one of it's sub-node types.
      * @throws RepositoryException If an error occurs.
      */
     @CheckForNull
     private PropertyState getAuthorizableProperty(Tree authorizableTree, TreeLocation propertyLocation,
boolean verifyAncestor) throws RepositoryException {
-        if (propertyLocation == null || TreeLocation.NULL == propertyLocation) {
+        if (propertyLocation == null) {
+            return null;
+        }
+        PropertyState property = propertyLocation.getProperty();
+        if (property == null) {
             return null;
         }
 
@@ -246,19 +250,16 @@ class AuthorizablePropertiesImpl impleme
             return null;
         }
 
-        PropertyState property = propertyLocation.getProperty();
-        if (property != null) {
-            Tree parent = propertyLocation.getParent().getTree();
-            if (parent == null) {
-                log.debug("Unable to determine definition of authorizable property at " +
propertyLocation.getPath());
-                return null;
-            }
-            PropertyDefinition def = nodeTypeManager.getDefinition(parent, property);
-            if (def.isProtected() || (authorizablePath.equals(parent.getPath())
-                    && !def.getDeclaringNodeType().isNodeType(UserConstants.NT_REP_AUTHORIZABLE)))
{
-                return null;
-            } // else: non-protected property somewhere in the subtree of the user tree.
-        } // else: no such property.
+        Tree parent = propertyLocation.getParent().getTree();
+        if (parent == null) {
+            log.debug("Unable to determine definition of authorizable property at " + propertyLocation.getPath());
+            return null;
+        }
+        PropertyDefinition def = nodeTypeManager.getDefinition(parent, property);
+        if (def.isProtected() || (authorizablePath.equals(parent.getPath())
+                && !def.getDeclaringNodeType().isNodeType(UserConstants.NT_REP_AUTHORIZABLE)))
{
+            return null;
+        } // else: non-protected property somewhere in the subtree of the user tree.
 
         return property;
     }
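Review bot: The trailing comment on the final check, `// else: non-protected property somewhere in the subtree of the user tree.`, describes only one of the two cases that fall through to `return property`. As written, the declaring-node-type test applies only when `authorizablePath.equals(parent.getPath())`; for properties on descendant nodes `def.isProtected()` is the sole filter. Going by the Javadoc, this method decides what counts as a valid authorizable property, so I would spell both cases out, e.g. `// else: non-protected property that is defined by rep:authorizable on the authorizable node itself, or any non-protected property in its subtree.` The method begins before this hunk.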
@@ -278,7 +279,7 @@ class AuthorizablePropertiesImpl impleme
      * @param relPath A relative path.
      * @return The corresponding node.
      * @throws RepositoryException If an error occurs or if {@code relPath} refers
-     * to a node that is outside of the scope of this authorizable.
+     *                             to a node that is outside of the scope of this authorizable.
      */
     @Nonnull
     private Tree getOrCreateTargetTree(String relPath) throws RepositoryException {

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserContext.java?rev=1440607&r1=1440606&r2=1440607&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserContext.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserContext.java
Wed Jan 30 19:40:51 2013
@@ -25,11 +25,12 @@ import org.apache.jackrabbit.oak.util.No
 /**
  * UserContext... TODO
  */
-class UserContext implements Context {
+final class UserContext implements Context {
 
     private static final Context INSTANCE = new UserContext();
 
-    private UserContext() {}
+    private UserContext() {
+    }
 
     static Context getInstance() {
         return INSTANCE;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java?rev=1440607&r1=1440606&r2=1440607&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java
Wed Jan 30 19:40:51 2013
@@ -50,9 +50,9 @@ import static org.apache.jackrabbit.oak.
 /**
  * User provider implementation and manager for group memberships with the
  * following characteristics:
- *
+ * <p/>
  * <h1>UserProvider</h1>
- *
+ * <p/>
  * <h2>User and Group Creation</h2>
  * This implementation creates the JCR nodes corresponding the a given
  * authorizable ID with the following behavior:
@@ -100,31 +100,31 @@ import static org.apache.jackrabbit.oak.
  * <h3>Conflicts</h3>
  *
  * <ul>
- *     <li>If the authorizable node to be created would collide with an existing
- *     folder the conflict is resolved by using the colling folder as target.</li>
- *     <li>The current implementation asserts that authorizable nodes are always
- *     created underneath an node of type {@code rep:AuthorizableFolder}. If this
- *     condition is violated a {@code ConstraintViolationException} is thrown.</li>
- *     <li>If the specified intermediate path results in an authorizable node
- *     being located outside of the configured content structure a
- *     {@code ConstraintViolationException} is thrown.</li>
+ * <li>If the authorizable node to be created would collide with an existing
+ * folder the conflict is resolved by using the colling folder as target.</li>
+ * <li>The current implementation asserts that authorizable nodes are always
+ * created underneath an node of type {@code rep:AuthorizableFolder}. If this
+ * condition is violated a {@code ConstraintViolationException} is thrown.</li>
+ * <li>If the specified intermediate path results in an authorizable node
+ * being located outside of the configured content structure a
+ * {@code ConstraintViolationException} is thrown.</li>
  * </ul>
  *
  * <h3>Configuration Options</h3>
  * <ul>
- *     <li>{@link UserConstants#PARAM_USER_PATH}: Underneath this structure
- *     all user nodes are created. Default value is
- *     "/rep:security/rep:authorizables/rep:users"</li>
- *     <li>{@link UserConstants#PARAM_GROUP_PATH}: Underneath this structure
- *     all group nodes are created. Default value is
- *     "/rep:security/rep:authorizables/rep:groups"</li>
- *     <li>{@link UserConstants#PARAM_DEFAULT_DEPTH}: A positive {@code integer}
- *     greater than zero defining the depth of the default structure that is
- *     always created. Default value: 2</li>
- *     <li>{@link UserConstants#PARAM_AUTHORIZABLE_NODE_NAME}: An implementation
- *     of {@link AuthorizableNodeName} used to create a node name for a given
- *     authorizableId. By {@link AuthorizableNodeName.Default default} the
- *     ID itself is used as node name. (since OAK 1.0)</li>
+ * <li>{@link UserConstants#PARAM_USER_PATH}: Underneath this structure
+ * all user nodes are created. Default value is
+ * "/rep:security/rep:authorizables/rep:users"</li>
+ * <li>{@link UserConstants#PARAM_GROUP_PATH}: Underneath this structure
+ * all group nodes are created. Default value is
+ * "/rep:security/rep:authorizables/rep:groups"</li>
+ * <li>{@link UserConstants#PARAM_DEFAULT_DEPTH}: A positive {@code integer}
+ * greater than zero defining the depth of the default structure that is
+ * always created. Default value: 2</li>
+ * <li>{@link UserConstants#PARAM_AUTHORIZABLE_NODE_NAME}: An implementation
+ * of {@link AuthorizableNodeName} used to create a node name for a given
+ * authorizableId. By {@link AuthorizableNodeName.Default default} the
+ * ID itself is used as node name. (since OAK 1.0)</li>
  * </ul>
  *
  * <h3>Compatibility with Jackrabbit 2.x</h3>
@@ -132,8 +132,8 @@ import static org.apache.jackrabbit.oak.
  * Due to the fact that this JCR implementation is expected to deal with huge amount
  * of child nodes the following configuration options are no longer supported:
  * <ul>
- *     <li>autoExpandTree</li>
- *     <li>autoExpandSize</li>
+ * <li>autoExpandTree</li>
+ * <li>autoExpandSize</li>
  * </ul>
  *
  * <h2>User and Group Access</h2>
@@ -227,7 +227,7 @@ class UserProvider extends AuthorizableB
     }
 
     @CheckForNull
-    static String getAuthorizableId(Tree authorizableTree) {
+    static String getAuthorizableId(@Nonnull Tree authorizableTree) {
         checkNotNull(authorizableTree);
         if (UserUtility.isType(authorizableTree, AuthorizableType.AUTHORIZABLE)) {
             PropertyState idProp = authorizableTree.getProperty(UserConstants.REP_AUTHORIZABLE_ID);
@@ -262,15 +262,15 @@ class UserProvider extends AuthorizableB
      * configured user or group path. Note that Authorizable nodes are never
      * nested.
      *
-     * @param authorizableId The desired authorizable ID.
-     * @param nodeName The name of the authorizable node.
-     * @param isGroup Flag indicating whether the new authorizable is a group or a user.
+     * @param authorizableId   The desired authorizable ID.
+     * @param nodeName         The name of the authorizable node.
+     * @param isGroup          Flag indicating whether the new authorizable is a group or
a user.
      * @param intermediatePath An optional intermediate path.
      * @return The folder node.
      * @throws RepositoryException If an error occurs
      */
     private NodeUtil createFolderNodes(String authorizableId, String nodeName,
-                                   boolean isGroup, String intermediatePath) throws RepositoryException
{
+                                       boolean isGroup, String intermediatePath) throws RepositoryException
{
         String authRoot = (isGroup) ? groupPath : userPath;
         NodeUtil folder;
         Tree authTree = root.getTree(authRoot);
@@ -279,7 +279,7 @@ class UserProvider extends AuthorizableB
             for (String name : Text.explode(authRoot, '/', false)) {
                 folder = folder.getOrAddChild(name, NT_REP_AUTHORIZABLE_FOLDER);
             }
-        }  else {
+        } else {
             folder = new NodeUtil(authTree);
         }
 
@@ -309,7 +309,7 @@ class UserProvider extends AuthorizableB
             if (!intermediatePath.startsWith(authRoot)) {
                 throw new ConstraintViolationException("Attempt to create authorizable outside
of configured tree");
             } else {
-                intermediatePath = intermediatePath.substring(authRoot.length()+1);
+                intermediatePath = intermediatePath.substring(authRoot.length() + 1);
             }
         }
 
@@ -324,7 +324,7 @@ class UserProvider extends AuthorizableB
                     segment.append(authorizableId.charAt(i));
                 } else {
                     // escapedID is too short -> append the last char again
-                    segment.append(authorizableId.charAt(idLength-1));
+                    segment.append(authorizableId.charAt(idLength - 1));
                 }
                 sb.append(DELIMITER).append(Text.escapeIllegalJcrChars(segment.toString()));
             }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserValidator.java?rev=1440607&r1=1440606&r2=1440607&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserValidator.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserValidator.java
Wed Jan 30 19:40:51 2013
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.oak.security.user;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 import javax.jcr.nodetype.ConstraintViolationException;
 
 import org.apache.jackrabbit.JcrConstants;
@@ -25,13 +27,15 @@ import org.apache.jackrabbit.oak.api.Typ
 import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
-import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtility;
 import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
+import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtility;
 import org.apache.jackrabbit.oak.spi.security.user.util.UserUtility;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
 import org.apache.jackrabbit.oak.util.NodeUtil;
 import org.apache.jackrabbit.util.Text;
 
+import static com.google.common.base.Preconditions.checkNotNull;
+
 /**
  * Validator that enforces user management specific constraints. Please note that
  * is this validator is making implementation specific assumptions; if the
@@ -51,7 +55,7 @@ class UserValidator extends DefaultValid
         this.parentAfter = parentAfter;
         this.provider = provider;
 
-        authorizableType = UserUtility.getType(parentAfter);
+        authorizableType = (parentAfter == null) ? null : UserUtility.getType(parentAfter);
     }
 
     //----------------------------------------------------------< Validator >---
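Review bot: The constructor now tolerates a null `parentAfter`, but the field is still dereferenced without a guard in later hunks of this file: the hunk at `@@ -68,7 +72,7 @@` passes it to `isValidUUID(parentAfter, ...)` and calls `parentAfter.getName()`, and `childNodeAdded` calls `parentAfter.getChild(name)` inside its `checkNotNull(...)`. Only the hunk at `@@ -84,9 +88,12 @@` adds `checkNotNull(parentAfter)`, and that surfaces as a NullPointerException rather than a `CommitFailedException` raised through `fail(...)`. If null is a legal state for this validator, a guard such as `if (parentAfter == null) { fail("Missing parent node for " + name); }` in each callback would keep the failure in the commit-validation path; if it is not, rejecting null in the constructor would be clearer. The constructor begins outside this hunk.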
@@ -68,7 +72,7 @@ class UserValidator extends DefaultValid
             fail(msg);
         }
 
-        if (JcrConstants.JCR_UUID.equals(name) && !isValidUUID(after.getValue(Type.STRING)))
{
+        if (JcrConstants.JCR_UUID.equals(name) && !isValidUUID(parentAfter, after.getValue(Type.STRING)))
{
             String msg = "Invalid jcr:uuid for authorizable " + parentAfter.getName();
             fail(msg);
         }
@@ -84,9 +88,12 @@ class UserValidator extends DefaultValid
         if (REP_PRINCIPAL_NAME.equals(name) || REP_AUTHORIZABLE_ID.equals(name)) {
             String msg = "Authorizable property " + name + " may not be altered after user/group
creation.";
             fail(msg);
-        } else if (JcrConstants.JCR_UUID.equals(name) && !isValidUUID(after.getValue(Type.STRING)))
{
-            String msg = "Invalid jcr:uuid for authorizable " + parentAfter.getName();
-            fail(msg);
+        } else if (JcrConstants.JCR_UUID.equals(name)) {
+            checkNotNull(parentAfter);
+            if (!isValidUUID(parentAfter, after.getValue(Type.STRING))) {
+                String msg = "Invalid jcr:uuid for authorizable " + parentAfter.getName();
+                fail(msg);
+            }
         }
 
         if (isUser(parentBefore) && REP_PASSWORD.equals(name) && PasswordUtility.isPlainTextPassword(after.getValue(Type.STRING)))
{
@@ -111,7 +118,8 @@ class UserValidator extends DefaultValid
 
     @Override
     public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException
{
-        NodeUtil node = parentAfter.getChild(name);
+        NodeUtil node = checkNotNull(parentAfter.getChild(name));
+
         AuthorizableType type = UserUtility.getType(node);
         String authRoot = UserUtility.getAuthorizableRootPath(provider.getConfig(), type);
         if (authRoot != null) {
@@ -143,39 +151,39 @@ class UserValidator extends DefaultValid
 
     //------------------------------------------------------------< private >---
 
-    private boolean isAdminUser(NodeUtil userNode) {
-        if (isUser(userNode)) {
+    private boolean isAdminUser(@Nullable NodeUtil userNode) {
+        if (userNode != null && isUser(userNode)) {
             String id = UserProvider.getAuthorizableId(userNode.getTree());
-            return id != null && UserUtility.getAdminId(provider.getConfig()).equals(id);
+            return UserUtility.getAdminId(provider.getConfig()).equals(id);
         } else {
             return false;
         }
     }
 
-    private boolean isValidUUID(String uuid) {
-        String id = UserProvider.getAuthorizableId(parentAfter.getTree());
+    private static boolean isValidUUID(@Nonnull NodeUtil parent, @Nonnull String uuid) {
+        String id = UserProvider.getAuthorizableId(parent.getTree());
         return uuid.equals(UserProvider.getContentID(id));
     }
 
-    private static boolean isUser(NodeUtil node) {
-        return node.hasPrimaryNodeTypeName(NT_REP_USER);
+    private static boolean isUser(@Nullable NodeUtil node) {
+        return node != null && node.hasPrimaryNodeTypeName(NT_REP_USER);
     }
 
     /**
      * Make sure user and group nodes are located underneath the configured path
      * and that path consists of rep:authorizableFolder nodes.
      *
-     * @param userNode
-     * @param pathConstraint
-     * @throws CommitFailedException
+     * @param node           The node representing a user or group.
+     * @param pathConstraint The path constraint.
+     * @throws CommitFailedException If the hierarchy isn't valid.
      */
-    private static void assertHierarchy(NodeUtil userNode, String pathConstraint) throws
CommitFailedException {
-        if (!Text.isDescendant(pathConstraint, userNode.getTree().getPath())) {
+    private static void assertHierarchy(@Nonnull NodeUtil node, @Nonnull String pathConstraint)
throws CommitFailedException {
+        if (!Text.isDescendant(pathConstraint, node.getTree().getPath())) {
             String msg = "Attempt to create user/group outside of configured scope " + pathConstraint;
             fail(msg);
         }
-        NodeUtil parent = userNode.getParent();
-        while (!parent.getTree().isRoot()) {
+        NodeUtil parent = node.getParent();
+        while (parent != null && !parent.getTree().isRoot()) {
             if (!parent.hasPrimaryNodeTypeName(NT_REP_AUTHORIZABLE_FOLDER)) {
                 String msg = "Cannot create user/group: Intermediate folders must be of type
rep:AuthorizableFolder.";
                 fail(msg);
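Review bot: `isValidUUID` passes the result of `UserProvider.getAuthorizableId(...)` straight into `getContentID(id)`, although `getAuthorizableId` is annotated `@CheckForNull` in the UserProvider part of this commit. How `getContentID` treats null is not visible here, so `return id != null && uuid.equals(UserProvider.getContentID(id));` would make the rejection explicit. In `assertHierarchy`, the new `parent != null &&` condition ends the loop quietly when a parent cannot be resolved, so the folder-type check passes without having reached the root; calling `fail(...)` for a null parent would keep the check fail-closed. `assertHierarchy` continues past the end of this hunk.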
@@ -184,7 +192,7 @@ class UserValidator extends DefaultValid
         }
     }
 
-    private static void fail(String msg) throws CommitFailedException {
+    private static void fail(@Nonnull String msg) throws CommitFailedException {
         Exception e = new ConstraintViolationException(msg);
         throw new CommitFailedException(e);
     }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/UserUtility.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/UserUtility.java?rev=1440607&r1=1440606&r2=1440607&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/UserUtility.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/util/UserUtility.java
Wed Jan 30 19:40:51 2013
@@ -31,7 +31,8 @@ import org.apache.jackrabbit.util.Text;
  */
 public final class UserUtility implements UserConstants {
 
-    private UserUtility() {}
+    private UserUtility() {
+    }
 
     @Nonnull
     public static String getAdminId(ConfigurationParameters parameters) {
@@ -60,7 +61,7 @@ public final class UserUtility implement
     }
 
     @CheckForNull
-    public static AuthorizableType getType(NodeUtil authorizableNode) {
+    public static AuthorizableType getType(@Nonnull NodeUtil authorizableNode) {
         String ntName = authorizableNode.getPrimaryNodeTypeName();
         if (ntName != null) {
             if (UserConstants.NT_REP_GROUP.equals(ntName)) {


