jackrabbit-oak-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1441127 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/ main/java/org/apache/jackrabbit/oak/security/authorization/permission/ main/java/org/apache/jackrabbit/oak/spi/security/authorizat...
Date Thu, 31 Jan 2013 19:01:54 GMT
Author: angela
Date: Thu Jan 31 19:01:54 2013
New Revision: 1441127

URL: http://svn.apache.org/viewvc?rev=1441127&view=rev
Log:
OAK-51 : Access Control Management (WIP)

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/TreeUtil.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
    jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java Thu Jan 31 19:01:54 2013
@@ -65,20 +65,10 @@ public interface AccessControlConstants 
      */
     String PERMISSIONS_STORE_PATH = JcrConstants.JCR_SYSTEM + '/' + REP_PERMISSION_STORE;
 
-
-    /**
-     * @since OAK 1.0
-     */
-    String MIX_REP_VERSIONABLE_INFO = "rep:VersionableInfo";
-    String REP_VERSIONABLE_INFO = "rep:versionableInfo";
-    /**
-     * @since OAK 1.0
-     */
-    String REP_WORKSPACE_NAME = "rep:workspaceName";
     /**
      * @since OAK 1.0
      */
-    String REP_VERSIONABLE_PATH = "rep:versionablePath";
+    String MIX_REP_VERSIONABLE_PATH = "rep:VersionablePath";
 
     Collection<String> POLICY_NODE_NAMES = ImmutableSet.of(REP_POLICY, REP_REPO_POLICY);
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java Thu Jan 31 19:01:54 2013
@@ -19,7 +19,7 @@ package org.apache.jackrabbit.oak.securi
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.spi.security.Context;
-import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.apache.jackrabbit.oak.util.TreeUtil;
 
 /**
  * AccessControlContext... TODO
@@ -43,8 +43,7 @@ final class AccessControlContext impleme
 
     @Override
     public boolean definesTree(Tree tree) {
-        NodeUtil node = new NodeUtil(tree);
-        String ntName = node.getPrimaryNodeTypeName();
+        String ntName = TreeUtil.getPrimaryTypeName(tree);
         return AC_NODETYPE_NAMES.contains(ntName);
     }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Thu Jan 31 19:01:54 2013
@@ -71,6 +71,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 import org.apache.jackrabbit.oak.spi.state.PropertyBuilder;
 import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.apache.jackrabbit.oak.util.TreeUtil;
 import org.apache.jackrabbit.util.ISO9075;
 import org.apache.jackrabbit.util.Text;
 import org.slf4j.Logger;
@@ -341,7 +342,7 @@ public class AccessControlManagerImpl im
         checkPermission(tree);
 
         // check if the tree is access controlled
-        String ntName = new NodeUtil(tree).getPrimaryNodeTypeName();
+        String ntName = TreeUtil.getPrimaryTypeName(tree);
         if (AC_NODETYPE_NAMES.contains(ntName)) {
             throw new AccessControlException("Tree " + tree.getPath() + " defines access control content.");
         }
@@ -457,10 +458,9 @@ public class AccessControlManagerImpl im
     @Nonnull
     private JackrabbitAccessControlEntry createACE(String oakPath, Tree aceTree,
                                                    RestrictionProvider restrictionProvider) throws RepositoryException {
-        NodeUtil aceNode = new NodeUtil(aceTree);
-        boolean isAllow = aceNode.hasPrimaryNodeTypeName(NT_REP_GRANT_ACE);
+        boolean isAllow = NT_REP_GRANT_ACE.equals(TreeUtil.getPrimaryTypeName(aceTree));
         Set<Restriction> restrictions = restrictionProvider.readRestrictions(oakPath, aceTree);
-        return new ACE(getPrincipal(aceNode), getPrivileges(aceNode), isAllow, restrictions);
+        return new ACE(getPrincipal(aceTree), getPrivileges(aceTree), isAllow, restrictions);
     }
 
     @Nonnull
@@ -496,8 +496,8 @@ public class AccessControlManagerImpl im
     }
 
     @Nonnull
-    private Principal getPrincipal(@Nonnull NodeUtil aceNode) {
-        String principalName = checkNotNull(aceNode.getString(REP_PRINCIPAL_NAME, null));
+    private Principal getPrincipal(@Nonnull Tree aceTree) {
+        String principalName = checkNotNull(TreeUtil.getString(aceTree, REP_PRINCIPAL_NAME));
         Principal principal = principalManager.getPrincipal(principalName);
         if (principal == null) {
             log.debug("Unknown principal " + principalName);
@@ -507,8 +507,8 @@ public class AccessControlManagerImpl im
     }
 
     @Nonnull
-    private Set<Privilege> getPrivileges(@Nonnull NodeUtil aceNode) throws RepositoryException {
-        String[] privNames = aceNode.getNames(REP_PRIVILEGES);
+    private Set<Privilege> getPrivileges(@Nonnull Tree aceTree) throws RepositoryException {
+        String[] privNames = TreeUtil.getStrings(aceTree, REP_PRIVILEGES);
         Set<Privilege> privileges = new HashSet<Privilege>(privNames.length);
         for (String name : privNames) {
             privileges.add(privilegeManager.getPrivilege(name));
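Review bot: `privNames.length` in getPrivileges is dereferenced without a null check, while checkMixinTypes in AccessControlValidator guards the result of the same `TreeUtil.getStrings` call with `mixinNames != null`. TreeUtil is added by this commit but is not shown here, so whether it returns null for a missing property is an assumption. If it does, an entry without `rep:privileges` makes reading the policy fail with a NullPointerException rather than a RepositoryException. A guard before the HashSet is created keeps the failure explicit: `if (privNames == null) { throw new AccessControlException("Missing privileges at " + aceTree.getPath()); }`. The body of getPrivileges continues outside the hunk.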

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java Thu Jan 31 19:01:54 2013
@@ -32,7 +32,7 @@ import org.apache.jackrabbit.oak.spi.com
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
-import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.apache.jackrabbit.oak.util.TreeUtil;
 import org.apache.jackrabbit.util.Text;
 
 import static com.google.common.base.Preconditions.checkNotNull;
@@ -42,14 +42,14 @@ import static com.google.common.base.Pre
  */
 class AccessControlValidator implements Validator, AccessControlConstants {
 
-    private final NodeUtil parentBefore;
-    private final NodeUtil parentAfter;
+    private final Tree parentBefore;
+    private final Tree parentAfter;
 
     private final Map<String, PrivilegeDefinition> privilegeDefinitions;
     private final RestrictionProvider restrictionProvider;
     private final ReadOnlyNodeTypeManager ntMgr;
 
-    AccessControlValidator(NodeUtil parentBefore, NodeUtil parentAfter,
+    AccessControlValidator(Tree parentBefore, Tree parentAfter,
                            Map<String, PrivilegeDefinition> privilegeDefinitions,
                            RestrictionProvider restrictionProvider, ReadOnlyNodeTypeManager ntMgr) {
         this.parentBefore = parentBefore;
@@ -87,19 +87,19 @@ class AccessControlValidator implements 
 
     @Override
     public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
-        NodeUtil nodeAfter = checkNotNull(parentAfter.getChild(name));
+        Tree treeAfter = checkNotNull(parentAfter.getChild(name));
 
-        checkValidNode(parentAfter, nodeAfter);
-        return new AccessControlValidator(null, nodeAfter, privilegeDefinitions, restrictionProvider, ntMgr);
+        checkValidTree(parentAfter, treeAfter);
+        return new AccessControlValidator(null, treeAfter, privilegeDefinitions, restrictionProvider, ntMgr);
     }
 
     @Override
     public Validator childNodeChanged(String name, NodeState before, NodeState after) throws CommitFailedException {
-        NodeUtil nodeBefore = checkNotNull(parentBefore.getChild(name));
-        NodeUtil nodeAfter = checkNotNull(parentAfter.getChild(name));
+        Tree treeBefore = checkNotNull(parentBefore.getChild(name));
+        Tree treeAfter = checkNotNull(parentAfter.getChild(name));
 
-        checkValidNode(parentAfter, nodeAfter);
-        return new AccessControlValidator(nodeBefore, nodeAfter, privilegeDefinitions, restrictionProvider, ntMgr);
+        checkValidTree(parentAfter, treeAfter);
+        return new AccessControlValidator(treeBefore, treeAfter, privilegeDefinitions, restrictionProvider, ntMgr);
     }
 
     @Override
@@ -110,33 +110,33 @@ class AccessControlValidator implements 
 
     //------------------------------------------------------------< private >---
 
-    private void checkValidNode(NodeUtil parentAfter, NodeUtil nodeAfter) throws CommitFailedException {
-        if (isPolicy(nodeAfter)) {
-            checkValidPolicy(parentAfter, nodeAfter);
-        } else if (isAccessControlEntry(nodeAfter)) {
-            checkValidAccessControlEntry(nodeAfter);
-        } else if (NT_REP_RESTRICTIONS.equals(nodeAfter.getPrimaryNodeTypeName())) {
+    private void checkValidTree(Tree parentAfter, Tree treeAfter) throws CommitFailedException {
+        if (isPolicy(treeAfter)) {
+            checkValidPolicy(parentAfter, treeAfter);
+        } else if (isAccessControlEntry(treeAfter)) {
+            checkValidAccessControlEntry(treeAfter);
+        } else if (NT_REP_RESTRICTIONS.equals(TreeUtil.getPrimaryTypeName(treeAfter))) {
             checkIsAccessControlEntry(parentAfter);
             checkValidRestrictions(parentAfter);
         }
     }
 
-    private static boolean isPolicy(NodeUtil node) {
-        return NT_REP_ACL.equals(node.getPrimaryNodeTypeName());
+    private static boolean isPolicy(Tree tree) {
+        return NT_REP_ACL.equals(TreeUtil.getPrimaryTypeName(tree));
     }
 
-    private static boolean isAccessControlEntry(NodeUtil node) {
-        String ntName = node.getPrimaryNodeTypeName();
+    private static boolean isAccessControlEntry(Tree tree) {
+        String ntName = TreeUtil.getPrimaryTypeName(tree);
         return NT_REP_DENY_ACE.equals(ntName) || NT_REP_GRANT_ACE.equals(ntName);
     }
 
-    private static void checkIsAccessControlEntry(NodeUtil node) throws CommitFailedException {
-        if (!isAccessControlEntry(node)) {
+    private static void checkIsAccessControlEntry(Tree tree) throws CommitFailedException {
+        if (!isAccessControlEntry(tree)) {
             fail("Access control entry node expected.");
         }
     }
 
-    private void checkValidPolicy(NodeUtil parent, NodeUtil policyNode) throws CommitFailedException {
+    private void checkValidPolicy(Tree parent, Tree policyNode) throws CommitFailedException {
         String mixinType = (REP_REPO_POLICY.equals(policyNode.getName())) ?
                 MIX_REP_REPO_ACCESS_CONTROLLABLE :
                 MIX_REP_ACCESS_CONTROLLABLE;
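Review bot: The parameter `policyNode` in checkValidPolicy keeps its NodeUtil-era name although its type is now Tree, while checkValidTree, isPolicy and isAccessControlEntry in this hunk were renamed to `tree`/`treeAfter`. Renaming it (`private void checkValidPolicy(Tree parent, Tree policyTree)`) keeps the file consistent. The same applies to `aceNode` in checkValidAccessControlEntry in a later hunk. The body of checkValidPolicy continues outside the hunk, so the uses there need the same rename.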
@@ -150,9 +150,8 @@ class AccessControlValidator implements 
         }
     }
 
-    private void checkValidAccessControlledNode(NodeUtil accessControlledNode, String requiredMixin) throws CommitFailedException {
-        Tree accessControlledTree = accessControlledNode.getTree();
-        if (AC_NODETYPE_NAMES.contains(accessControlledNode.getPrimaryNodeTypeName())) {
+    private void checkValidAccessControlledNode(Tree accessControlledTree, String requiredMixin) throws CommitFailedException {
+        if (AC_NODETYPE_NAMES.contains(TreeUtil.getPrimaryTypeName(accessControlledTree))) {
             fail("Access control policy within access control content (" + accessControlledTree.getPath() + ')');
         }
 
@@ -170,13 +169,13 @@ class AccessControlValidator implements 
         }
     }
 
-    private void checkValidAccessControlEntry(NodeUtil aceNode) throws CommitFailedException {
-        NodeUtil parent = aceNode.getParent();
-        if (parent == null || !NT_REP_ACL.equals(parent.getPrimaryNodeTypeName())) {
-            fail("Isolated access control entry at " + aceNode.getTree().getPath());
+    private void checkValidAccessControlEntry(Tree aceNode) throws CommitFailedException {
+        Tree parent = aceNode.getParent();
+        if (parent == null || !NT_REP_ACL.equals(TreeUtil.getPrimaryTypeName(parent))) {
+            fail("Isolated access control entry at " + aceNode.getPath());
         }
-        checkValidPrincipal(aceNode.getString(REP_PRINCIPAL_NAME, null));
-        checkValidPrivileges(aceNode.getNames(REP_PRIVILEGES));
+        checkValidPrincipal(TreeUtil.getString(aceNode, REP_PRINCIPAL_NAME));
+        checkValidPrivileges(TreeUtil.getStrings(aceNode, REP_PRIVILEGES));
         checkValidRestrictions(aceNode);
     }
 
@@ -204,27 +203,27 @@ class AccessControlValidator implements 
         }
     }
 
-    private void checkValidRestrictions(NodeUtil aceNode) throws CommitFailedException {
+    private void checkValidRestrictions(Tree aceTree) throws CommitFailedException {
         String path;
-        NodeUtil aclNode = checkNotNull(aceNode.getParent());
-        String aclPath = aclNode.getTree().getPath();
+        Tree aclTree = checkNotNull(aceTree.getParent());
+        String aclPath = aclTree.getPath();
         if (REP_REPO_POLICY.equals(Text.getName(aclPath))) {
             path = null;
         } else {
             path = Text.getRelativeParent(aclPath, 1);
         }
         try {
-            restrictionProvider.validateRestrictions(path, aceNode.getTree());
+            restrictionProvider.validateRestrictions(path, aceTree);
         } catch (AccessControlException e) {
             throw new CommitFailedException(e);
         }
     }
 
 
-    private static void checkMixinTypes(NodeUtil parentNode) throws CommitFailedException {
-        String[] mixinNames = parentNode.getNames(JcrConstants.JCR_MIXINTYPES);
+    private static void checkMixinTypes(Tree parentTree) throws CommitFailedException {
+        String[] mixinNames = TreeUtil.getStrings(parentTree, JcrConstants.JCR_MIXINTYPES);
         if (mixinNames != null && Arrays.asList(mixinNames).contains(MIX_REP_REPO_ACCESS_CONTROLLABLE)) {
-            checkValidRepoAccessControlled(parentNode.getTree());
+            checkValidRepoAccessControlled(parentTree);
         }
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java Thu Jan 31 19:01:54 2013
@@ -31,7 +31,6 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinitionReader;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
-import org.apache.jackrabbit.oak.util.NodeUtil;
 
 /**
  * {@code AccessControlValidatorProvider} aimed to provide a root validator
@@ -51,11 +50,10 @@ class AccessControlValidatorProvider imp
     @Nonnull
     @Override
     public Validator getRootValidator(NodeState before, NodeState after) {
-        Tree treeBefore = new ReadOnlyTree(before);
-        NodeUtil rootBefore = new NodeUtil(treeBefore);
-        NodeUtil rootAfter = new NodeUtil(new ReadOnlyTree(after));
+        Tree rootBefore = new ReadOnlyTree(before);
+        Tree rootAfter = new ReadOnlyTree(after);
 
-        PrivilegeDefinitionReader reader = securityProvider.getPrivilegeConfiguration().getPrivilegeDefinitionReader(treeBefore);
+        PrivilegeDefinitionReader reader = securityProvider.getPrivilegeConfiguration().getPrivilegeDefinitionReader(rootBefore);
         Map<String, PrivilegeDefinition> privilegeDefinitions = reader.readDefinitions();
 
         AccessControlConfiguration acConfig = securityProvider.getAccessControlConfiguration();

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java Thu Jan 31 19:01:54 2013
@@ -23,15 +23,15 @@ import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 
+import com.google.common.base.Strings;
 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.api.TreeLocation;
 import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.commons.PathUtils;
 import org.apache.jackrabbit.oak.core.ReadOnlyTree;
-import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
-import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
 import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
 import org.apache.jackrabbit.oak.security.authorization.permission.AllPermissions;
 import org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl;
@@ -43,6 +43,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
 import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
+import org.apache.jackrabbit.oak.util.TreeUtil;
 import org.apache.jackrabbit.util.Text;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -51,13 +52,15 @@ import org.slf4j.LoggerFactory;
  * PermissionProviderImpl... TODO
  * <p/>
  * FIXME: permissions need to be refreshed if something changes in the permission tree
+ * FIXME: define read/write access patterns on version-store content
+ * FIXME: proper access permissions on activity-store and configuration-store
  */
 public class PermissionProviderImpl implements PermissionProvider, AccessControlConstants {
 
     private static final Logger log = LoggerFactory.getLogger(PermissionProviderImpl.class);
 
     private final Root root;
-    private final SecurityProvider securityProvider;
+    private final Context acContext;
 
     private final String workspaceName = "default"; // FIXME: use proper workspace as associated with the root
 
@@ -65,8 +68,8 @@ public class PermissionProviderImpl impl
 
     public PermissionProviderImpl(@Nonnull Root root, @Nonnull Set<Principal> principals,
                                   @Nonnull SecurityProvider securityProvider) {
-        this.root = root;
-        this.securityProvider = securityProvider;
+        this.root = root; // FIXME: assert that root has full access.
+        this.acContext = securityProvider.getAccessControlConfiguration().getContext();
         if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) {
             compiledPermissions = AllPermissions.getInstance();
         } else {
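Review bot: The constructor stores `root` without checking the precondition that the new FIXME names, and nothing in its signature or documentation tells callers about it. hasPermission resolves `oakPath` through `root.getLocation(...)`, so a root with restricted read access would presumably report some items as non-existing and send the check down the `!location.exists()` branch. Until the assertion exists, the requirement belongs in the constructor Javadoc, for example `@param root root with unrestricted read access; used to resolve the locations that permissions are evaluated against`. The constructor body continues outside the hunk.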
@@ -96,12 +99,10 @@ public class PermissionProviderImpl impl
 
     @Override
     public boolean canRead(@Nonnull Tree tree) {
-        if (getAccessControlContext().definesTree(tree)) {
-            return compiledPermissions.isGranted(Permissions.READ_ACCESS_CONTROL, tree);
+        if (acContext.definesTree(tree)) {
+            return compiledPermissions.isGranted(tree, Permissions.READ_ACCESS_CONTROL);
         } else if (isVersionContent(tree)) {
-            // TODO: add proper implementation
-            Tree versionableTree = getVersionableTree(tree);
-            return versionableTree != null && compiledPermissions.canRead(versionableTree);
+            return canReadVersionContent(tree, null);
         } else {
             return compiledPermissions.canRead(tree);
         }
@@ -109,12 +110,10 @@ public class PermissionProviderImpl impl
 
     @Override
     public boolean canRead(@Nonnull Tree tree, @Nonnull PropertyState property) {
-        if (getAccessControlContext().definesTree(tree)) {
-            return compiledPermissions.isGranted(Permissions.READ_ACCESS_CONTROL, tree, property);
+        if (acContext.definesTree(tree)) {
+            return compiledPermissions.isGranted(tree, property, Permissions.READ_ACCESS_CONTROL);
         } else if (isVersionContent(tree)) {
-            // TODO: add proper implementation
-            Tree versionableTree = getVersionableTree(tree);
-            return versionableTree != null && compiledPermissions.canRead(versionableTree, property);
+            return canReadVersionContent(tree, property);
         } else {
             return compiledPermissions.canRead(tree, property);
         }
@@ -127,88 +126,35 @@ public class PermissionProviderImpl impl
 
     @Override
     public boolean isGranted(@Nonnull Tree tree, long permissions) {
-        if (Permissions.includes(permissions, Permissions.VERSION_MANAGEMENT)) {
-            // FIXME: path to check for permission must be adjusted to be
-            // FIXME: the one of the versionable node instead of the target parent in case of version-store is affected.
-        } else if (Permissions.includes(permissions, Permissions.READ_NODE)) {
-            // TODO
+        if (isVersionContent(tree)) {
+            return compiledPermissions.isGranted(getVersionablePath(tree, null), permissions);
+        } else {
+            return compiledPermissions.isGranted(tree, permissions);
         }
-
-        return compiledPermissions.isGranted(permissions, tree);
     }
 
     @Override
     public boolean isGranted(@Nonnull Tree parent, @Nonnull PropertyState property, long permissions) {
-        if (Permissions.includes(permissions, Permissions.VERSION_MANAGEMENT)) {
-            // FIXME: path to check for permission must be adjusted to be
-            // FIXME: the one of the versionable node instead of the target parent in case of version-store is affected.
-        } else if (Permissions.includes(permissions, Permissions.READ_PROPERTY)) {
-            // TODO
+        if (isVersionContent(parent)) {
+            return compiledPermissions.isGranted(getVersionablePath(parent, property), permissions);
+        } else {
+            return compiledPermissions.isGranted(parent, property, permissions);
         }
-
-        return compiledPermissions.isGranted(permissions, parent, property);
     }
 
     @Override
     public boolean hasPermission(@Nonnull String oakPath, String jcrActions) {
         TreeLocation location = root.getLocation(oakPath);
         long permissions = Permissions.getPermissions(jcrActions, location);
-
-        // TODO
-        return false;
-    }
-
-    @Override
-    public long getPermission(@Nonnull Tree tree, long defaultPermission) {
-        String path = tree.getPath();
-        long permission;
-        if (isNamespaceDefinition(path)) {
-            permission = Permissions.NAMESPACE_MANAGEMENT;
-        } else if (isNodeTypeDefinition(path)) {
-            permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
-        } else if (isVersionContent(tree)) {
-            permission = Permissions.VERSION_MANAGEMENT;
-        } else if (getPrivilegeContext().definesTree(tree)) {
-            permission = Permissions.PRIVILEGE_MANAGEMENT;
-        } else if (getAccessControlContext().definesTree(tree)) {
-            permission = Permissions.MODIFY_ACCESS_CONTROL;
-        } else if (getUserContext().definesTree(tree)) {
-            permission = Permissions.USER_MANAGEMENT;
+        if (!location.exists()) {
+            // TODO: deal with version content
+            // FIXME: non-existing locations currently return null-path
+            return compiledPermissions.isGranted(location.getPath(), permissions);
+        } else if (location.getProperty() != null) {
+            return isGranted(location.getTree(), location.getProperty(), permissions);
         } else {
-            // TODO  - workspace management
-            // TODO: identify renaming/move of nodes that only required MODIFY_CHILD_NODE_COLLECTION permission
-            permission = defaultPermission;
+            return isGranted(location.getTree(), permissions);
         }
-        return permission;
-    }
-
-    @Override
-    public long getPermission(@Nonnull Tree parent, @Nonnull PropertyState propertyState, long defaultPermission) {
-        String parentPath = parent.getPath();
-        String name = propertyState.getName();
-
-        long permission;
-        if (JcrConstants.JCR_PRIMARYTYPE.equals(name) || JcrConstants.JCR_MIXINTYPES.equals(name)) {
-            // FIXME: distinguish between autocreated and user-supplied modification (?)
-            permission = Permissions.NODE_TYPE_MANAGEMENT;
-        } else if (isLockProperty(name)) {
-            permission = Permissions.LOCK_MANAGEMENT;
-        } else if (isNamespaceDefinition(parentPath)) {
-            permission = Permissions.NAMESPACE_MANAGEMENT;
-        } else if (isNodeTypeDefinition(parentPath)) {
-            permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
-        } else if (isVersionProperty(parent, propertyState)) {
-            permission = Permissions.VERSION_MANAGEMENT;
-        } else if (getPrivilegeContext().definesProperty(parent, propertyState)) {
-            permission = Permissions.PRIVILEGE_MANAGEMENT;
-        } else if (getAccessControlContext().definesProperty(parent, propertyState)) {
-            permission = Permissions.MODIFY_ACCESS_CONTROL;
-        } else if (getUserContext().definesProperty(parent, propertyState)) {
-            permission = Permissions.USER_MANAGEMENT;
-        } else {
-            permission = defaultPermission;
-        }
-        return permission;
     }
 
     //--------------------------------------------------------------------------
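Review bot: Both isGranted overloads pass the result of getVersionablePath straight to `compiledPermissions.isGranted(String, long)`, although that helper is declared `@CheckForNull` and canReadVersionContent treats a null path as a denial. How CompiledPermissions handles a null path is not visible here, so the version-store branch should fail closed itself: `String path = getVersionablePath(tree, null);` followed by `return path != null && compiledPermissions.isGranted(path, permissions);`. The second overload needs the same change with `parent, property`. The `!location.exists()` branch of hasPermission has the same exposure, as its FIXME about null paths acknowledges.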
@@ -228,82 +174,56 @@ public class PermissionProviderImpl impl
         return (tree == null) ? null : (ReadOnlyTree) tree;
     }
 
+    private boolean canReadVersionContent(@Nonnull Tree versionStoreTree, @Nullable PropertyState property) {
+        String versionablePath = getVersionablePath(versionStoreTree, property);
+        if (versionablePath != null) {
+            long permission = (property == null) ? Permissions.READ_NODE : Permissions.READ_PROPERTY;
+            return compiledPermissions.isGranted(versionablePath, permission);
+        } else {
+            return false;
+        }
+    }
+
     @CheckForNull
-    private Tree getVersionableTree(Tree versionStoreTree) {
-        String locationPath = workspaceName + '/' + REP_VERSIONABLE_PATH;
+    private String getVersionablePath(@Nonnull Tree versionStoreTree, @Nullable PropertyState property) {
         String versionablePath = null;
         Tree t = versionStoreTree;
-        while (versionablePath == null && !JcrConstants.JCR_VERSIONSTORAGE.equals(t.getName())) {
-            if (t.hasChild(REP_VERSIONABLE_INFO)) {
-                PropertyState prop = t.getLocation().getChild(locationPath).getProperty();
+        while (!JcrConstants.JCR_SYSTEM.equals(t.getName())) {
+            if (JcrConstants.NT_VERSIONHISTORY.equals(TreeUtil.getPrimaryTypeName(t))) {
+                PropertyState prop = t.getProperty(workspaceName);
                 if (prop != null) {
                     versionablePath = prop.getValue(Type.PATH);
+                    if (t != versionStoreTree) {
+                        String rel = PathUtils.relativize(t.getPath(), versionStoreTree.getPath());
+                        String propName = (property == null) ? "" : property.getName();
+                        versionablePath = PathUtils.concat(versionablePath, rel, propName);
+                    }
                 }
-            }
+                break;
+            }// FIXME: handle activities and configurations
             t = t.getParent();
         }
-        if (versionablePath == null || versionablePath.isEmpty()) {
+
+        if (versionablePath == null || versionablePath.length() == 0) {
             log.warn("Unable to determine path of the versionable node.");
-            return null;
-        } else {
-            return root.getLocation(versionablePath).getTree();
         }
+        return Strings.emptyToNull(versionablePath);
     }
 
-    // FIXME: versionable-info not detected
-    private static boolean isVersionContent(Tree tree) {
+    private static boolean isVersionContent(@Nonnull Tree tree) {
         if (tree.isRoot()) {
             return false;
         }
         if (VersionConstants.VERSION_NODE_NAMES.contains(tree.getName())) {
             return true;
-        } else if (VersionConstants.VERSION_NODE_TYPE_NAMES.contains(getPrimaryTypeName(tree))) {
+        } else if (VersionConstants.VERSION_NODE_TYPE_NAMES.contains(TreeUtil.getPrimaryTypeName(tree))) {
             return true;
         } else {
-            String path = tree.getPath();
-            return VersionConstants.SYSTEM_PATHS.contains(Text.getAbsoluteParent(path, 1));
+            return isVersionContent(tree.getPath());
         }
     }
 
-    // FIXME: versionable-info not detected
-    private static boolean isVersionProperty(Tree parent, PropertyState property) {
-        if (VersionConstants.VERSION_PROPERTY_NAMES.contains(property.getName())) {
-            return true;
-        } else {
-            return isVersionContent(parent);
-        }
-    }
-
-    private static boolean isLockProperty(String name) {
-        return JcrConstants.JCR_LOCKISDEEP.equals(name) || JcrConstants.JCR_LOCKOWNER.equals(name);
-    }
-
-    private static boolean isNamespaceDefinition(String path) {
-        return Text.isDescendant(NamespaceConstants.NAMESPACES_PATH, path);
-    }
-
-    private static boolean isNodeTypeDefinition(String path) {
-        return Text.isDescendant(NodeTypeConstants.NODE_TYPES_PATH, path);
-    }
-
-    private Context getUserContext() {
-        return securityProvider.getUserConfiguration().getContext();
-    }
-
-    private Context getPrivilegeContext() {
-        return securityProvider.getPrivilegeConfiguration().getContext();
-    }
-
-    private Context getAccessControlContext() {
-        return securityProvider.getAccessControlConfiguration().getContext();
-    }
-
-    private static String getPrimaryTypeName(Tree tree) {
-        PropertyState property = tree.getProperty(JcrConstants.JCR_PRIMARYTYPE);
-        if (property != null && !property.isArray()) {
-            return property.getValue(Type.STRING);
-        } else {
-            return null;
-        }
+    private static boolean isVersionContent(@Nonnull String path) {
+        return VersionConstants.SYSTEM_PATHS.contains(Text.getAbsoluteParent(path, 1));
     }
 }
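Review bot: In `getVersionablePath` the walk `t = t.getParent()` runs until a tree named `jcr:system` is found and has no null check. A tree that is not below `jcr:system` (the callers are outside this hunk) would reach the root and then dereference whatever `getParent()` returns there, presumably null. Guarding the loop with `while (t != null && !JcrConstants.JCR_SYSTEM.equals(t.getName()))` keeps the method on its existing fail-closed path, where `canReadVersionContent` returns false. Separately, the property name is appended only in the `t != versionStoreTree` branch, so a property read directly on the `nt:versionHistory` node is checked with `READ_PROPERTY` against the bare node path. A short comment should say whether that is intended.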

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java Thu Jan 31 19:01:54 2013
@@ -16,13 +16,16 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
+import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import javax.jcr.AccessDeniedException;
 
+import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
@@ -44,17 +47,24 @@ class PermissionValidator implements Val
     private final PermissionProvider permissionProvider;
     private final PermissionValidatorProvider provider;
 
+    private final long permission;
+
     PermissionValidator(Tree parentBefore, Tree parentAfter,
                         PermissionProvider permissionProvider,
                         PermissionValidatorProvider provider) {
+        this(parentBefore, parentAfter, permissionProvider, provider,
+                Permissions.getPermission(getPath(parentBefore, parentAfter), Permissions.NO_PERMISSION));
+    }
+
+    PermissionValidator(Tree parentBefore, Tree parentAfter,
+                        PermissionProvider permissionProvider,
+                        PermissionValidatorProvider provider,
+                        long permission) {
         this.permissionProvider = permissionProvider;
+        this.provider = provider;
         this.parentBefore = parentBefore;
         this.parentAfter = parentAfter;
-        this.provider = provider;
-    }
-
-    private Validator nextValidator(@Nullable Tree parentBefore, @Nullable Tree parentAfter) {
-        return new PermissionValidator(parentBefore, parentAfter, permissionProvider, provider);
+        this.permission = permission;
     }
 
     //----------------------------------------------------------< Validator >---
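Review bot: The new `permission` field and the five-argument constructor carry no comment explaining that `Permissions.NO_PERMISSION` is a sentinel meaning "decide per item". Any other value replaces the per-item classification for every tree and property this validator sees. I would document that on the field, e.g. `// Permission enforced for all items below this validator, or Permissions.NO_PERMISSION to classify each item individually.` It is also worth noting on the four-argument constructor that `getPath` may return null when both trees are null, and that `Permissions.getPermission` is expected to tolerate that.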
@@ -96,17 +106,20 @@ class PermissionValidator implements Val
     }
 
     //------------------------------------------------------------< private >---
+    private Validator nextValidator(@Nullable Tree parentBefore, @Nullable Tree parentAfter) {
+        return new PermissionValidator(parentBefore, parentAfter, permissionProvider, provider, permission);
+    }
 
     private Validator checkPermissions(@Nonnull Tree tree, boolean isBefore,
                                        long defaultPermission) throws CommitFailedException {
-        long permission = permissionProvider.getPermission(tree, defaultPermission);
-        if (Permissions.isRepositoryPermission(permission)) {
-            if (!permissionProvider.isGranted(permission)) {
+        long toTest = getPermission(tree, defaultPermission);
+        if (Permissions.isRepositoryPermission(toTest)) {
+            if (!permissionProvider.isGranted(toTest)) {
                 throw new CommitFailedException(new AccessDeniedException());
             }
             return null; // no need for further validation down the subtree
         } else {
-            if (!permissionProvider.isGranted(tree, permission)) {
+            if (!permissionProvider.isGranted(tree, toTest)) {
                 throw new CommitFailedException(new AccessDeniedException());
             }
             return (isBefore) ?
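Review bot: `nextValidator` at the top of this hunk passes the parent's `permission` down unchanged, so the path-based classification in `Permissions.getPermission` is evaluated only once, for the validator built by `PermissionValidatorProvider`. That validator appears to wrap the root trees, and `Permissions.getPermission` matches paths with `equals`/`contains` rather than the `Text.isDescendant` tests this commit removes from `PermissionProviderImpl`. The field would therefore stay `NO_PERMISSION` for the whole descent, and changes under the namespace, node type, privilege and version paths would fall back to `defaultPermission`. The `getPermission` methods added in the next hunk and `Permissions.getPermission` in Permissions.java both rely on this inheritance. Re-evaluating the child path while nothing has been inherited would restore the stricter check: `return (permission == Permissions.NO_PERMISSION) ? new PermissionValidator(parentBefore, parentAfter, permissionProvider, provider) : new PermissionValidator(parentBefore, parentAfter, permissionProvider, provider, permission);`. `checkPermissions` continues past the end of this hunk.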
@@ -117,9 +130,63 @@ class PermissionValidator implements Val
 
     private void checkPermissions(@Nonnull Tree parent, @Nonnull PropertyState property,
                                   long defaultPermission) throws CommitFailedException {
-        long permission = permissionProvider.getPermission(parent, property, defaultPermission);
-        if (!permissionProvider.isGranted(parent, property, permission)) {
+        long toTest = getPermission(parent, property, defaultPermission);
+        if (!permissionProvider.isGranted(parent, property, toTest)) {
             throw new CommitFailedException(new AccessDeniedException());
         }
     }
+
+    @CheckForNull
+    private static String getPath(@Nullable Tree parentBefore, @Nullable Tree parentAfter) {
+        String path = null;
+        if (parentBefore != null) {
+            path = parentBefore.getPath();
+        } else if (parentAfter != null) {
+            path = parentAfter.getPath();
+        }
+        return path;
+    }
+
+    public long getPermission(@Nonnull Tree tree, long defaultPermission) {
+        if (permission != Permissions.NO_PERMISSION) {
+            return permission;
+        }
+        long perm;
+        if (provider.getAccessControlContext().definesTree(tree)) {
+            perm = Permissions.MODIFY_ACCESS_CONTROL;
+        } else if (provider.getUserContext().definesTree(tree)) {
+            perm = Permissions.USER_MANAGEMENT;
+        } else {
+            // TODO: identify renaming/move of nodes that only required MODIFY_CHILD_NODE_COLLECTION permission
+            perm = defaultPermission;
+        }
+        return perm;
+    }
+
+    public long getPermission(@Nonnull Tree parent, @Nonnull PropertyState propertyState, long defaultPermission) {
+        if (permission != Permissions.NO_PERMISSION) {
+            return permission;
+        }
+        String name = propertyState.getName();
+        long perm;
+        if (JcrConstants.JCR_PRIMARYTYPE.equals(name) || JcrConstants.JCR_MIXINTYPES.equals(name)) {
+            // FIXME: distinguish between autocreated and user-supplied modification (?)
+            perm = Permissions.NODE_TYPE_MANAGEMENT;
+        } else if (isLockProperty(name)) {
+            perm = Permissions.LOCK_MANAGEMENT;
+        } else if (VersionConstants.VERSION_PROPERTY_NAMES.contains(name)) {
+            perm = Permissions.VERSION_MANAGEMENT;
+        } else if (provider.getAccessControlContext().definesProperty(parent, propertyState)) {
+            perm = Permissions.MODIFY_ACCESS_CONTROL;
+        } else if (provider.getUserContext().definesProperty(parent, propertyState)) {
+            perm = Permissions.USER_MANAGEMENT;
+        } else {
+            perm = defaultPermission;
+        }
+        return perm;
+    }
+
+    private static boolean isLockProperty(String name) {
+        return JcrConstants.JCR_LOCKISDEEP.equals(name) || JcrConstants.JCR_LOCKOWNER.equals(name);
+    }
 }
\ No newline at end of file
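Review bot: In `getPermission(Tree, PropertyState, long)` the `jcr:primaryType`/`jcr:mixinTypes` branch is tested before the access-control and user context branches. If those contexts' `definesProperty` would also claim the type properties (not visible here), a type change on such an item is checked against `NODE_TYPE_MANAGEMENT` rather than `MODIFY_ACCESS_CONTROL` or `USER_MANAGEMENT`. The removed provider method had the same order, so this is carried over rather than introduced. The existing FIXME should still state it, e.g. `// NOTE: evaluated before the context checks; type changes on access control or user content are not covered by MODIFY_ACCESS_CONTROL / USER_MANAGEMENT`, or the two context branches should move first. Both `getPermission` overloads are declared `public` on a package-private class and no longer implement an interface method, so `private` with a one-line Javadoc would fit better.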

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java Thu Jan 31 19:01:54 2013
@@ -27,8 +27,8 @@ import org.apache.jackrabbit.oak.core.Re
 import org.apache.jackrabbit.oak.core.ReadOnlyTree;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
+import org.apache.jackrabbit.oak.spi.security.Context;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
-import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
 import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
 
@@ -37,10 +37,13 @@ import org.apache.jackrabbit.oak.spi.sta
  */
 class PermissionValidatorProvider implements ValidatorProvider {
 
-    private final AccessControlConfiguration acConfiguration;
+    private final SecurityProvider securityProvider;
+
+    private Context acCtx;
+    private Context userCtx;
 
     PermissionValidatorProvider(SecurityProvider securityProvider) {
-        this.acConfiguration = securityProvider.getAccessControlConfiguration();
+        this.securityProvider = securityProvider;
     }
 
     //--------------------------------------------------< ValidatorProvider >---
@@ -51,8 +54,24 @@ class PermissionValidatorProvider implem
         Set<Principal> principals = (subject != null) ? subject.getPrincipals() : Collections.<Principal>emptySet();
 
         ReadOnlyRoot root = new ReadOnlyRoot(before);
-        PermissionProvider pp = acConfiguration.getPermissionProvider(root, principals);
+        PermissionProvider pp = securityProvider.getAccessControlConfiguration().getPermissionProvider(root, principals);
 
         return new PermissionValidator(new ReadOnlyTree(before), new ReadOnlyTree(after), pp, this);
     }
+
+    //--------------------------------------------------------------------------
+
+    Context getAccessControlContext() {
+        if (acCtx == null) {
+            acCtx = securityProvider.getAccessControlConfiguration().getContext();
+        }
+        return acCtx;
+    }
+
+    Context getUserContext() {
+        if (userCtx == null) {
+            userCtx = securityProvider.getUserConfiguration().getContext();
+        }
+        return userCtx;
+    }
 }
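Review bot: `getAccessControlContext()` and `getUserContext()` initialise the plain fields `acCtx` and `userCtx` lazily with no synchronisation. If one provider instance serves concurrent commits (not visible in this diff), two threads can each perform the lookup and publish the result without a happens-before edge. Declaring the fields `private volatile Context acCtx;` and `private volatile Context userCtx;` would remove that doubt. If the lookup is deferred because the configurations are not ready at construction time, a comment such as `// resolved lazily: configurations may not be available when the provider is constructed` would tell the next reader why the fields cannot simply be `final`.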

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java Thu Jan 31 19:01:54 2013
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.oak.security.authorization.permission;
 
+import javax.annotation.Nonnull;
+
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
 
@@ -49,12 +51,17 @@ public final class AllPermissions implem
     }
 
     @Override
-    public boolean isGranted(long permissions, Tree tree) {
+    public boolean isGranted(Tree tree, long permissions) {
+        return true;
+    }
+
+    @Override
+    public boolean isGranted(Tree parent, PropertyState property, long permissions) {
         return true;
     }
 
     @Override
-    public boolean isGranted(long permissions, Tree parent, PropertyState property) {
+    public boolean isGranted(@Nonnull String path, long permissions) {
         return true;
     }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Thu Jan 31 19:01:54 2013
@@ -59,12 +59,12 @@ public class CompiledPermissionImpl impl
 
     @Override
     public boolean canRead(Tree tree) {
-        return isGranted(Permissions.READ_NODE, tree);
+        return isGranted(tree, Permissions.READ_NODE);
     }
 
     @Override
     public boolean canRead(Tree tree, PropertyState property) {
-        return isGranted(Permissions.READ_PROPERTY, tree, property);
+        return isGranted(tree, property, Permissions.READ_PROPERTY);
     }
 
     @Override
@@ -74,13 +74,19 @@ public class CompiledPermissionImpl impl
     }
 
     @Override
-    public boolean isGranted(long permissions, Tree tree) {
+    public boolean isGranted(Tree tree, long permissions) {
         // TODO
         return false;
     }
 
     @Override
-    public boolean isGranted(long permissions, Tree parent, PropertyState property) {
+    public boolean isGranted(Tree parent, PropertyState property, long permissions) {
+        // TODO
+        return false;
+    }
+
+    @Override
+    public boolean isGranted(String path, long permissions) {
         // TODO
         return false;
     }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java Thu Jan 31 19:01:54 2013
@@ -32,8 +32,10 @@ public interface CompiledPermissions {
 
     boolean isGranted(long permissions);
 
-    boolean isGranted(long permissions, @Nonnull Tree tree);
+    boolean isGranted(@Nonnull Tree tree, long permissions);
 
-    boolean isGranted(long permissions, @Nonnull Tree parent, @Nonnull PropertyState property);
+    boolean isGranted(@Nonnull Tree parent, @Nonnull PropertyState property, long permissions);
+
+    boolean isGranted(@Nonnull String path, long permissions);
 
 }
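Review bot: The new `isGranted(String path, long permissions)` has no Javadoc, and its contract differs from the two tree-based overloads in ways the signature does not show. Judging from `PermissionProviderImpl.getVersionablePath`, the path may name either a node or a property, and it refers to an item the caller does not hold as a `Tree`. A short Javadoc should state that the path is an absolute Oak path, that the caller's choice of permission bits is the only way node and property paths are told apart, and what an implementation returns for a path that does not resolve. Since this overload backs the read check for version content, the fail-closed expectation is worth writing down.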

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java Thu Jan 31 19:01:54 2013
@@ -31,7 +31,7 @@ public final class NoPermissions impleme
     private NoPermissions() {
     }
 
-    public static final CompiledPermissions getInstance() {
+    public static CompiledPermissions getInstance() {
         return INSTANCE;
     }
 
@@ -51,12 +51,17 @@ public final class NoPermissions impleme
     }
 
     @Override
-    public boolean isGranted(long permissions, @Nonnull Tree tree) {
+    public boolean isGranted(@Nonnull Tree tree, long permissions) {
         return false;
     }
 
     @Override
-    public boolean isGranted(long permissions, @Nonnull Tree parent, @Nonnull PropertyState property) {
+    public boolean isGranted(@Nonnull Tree parent, @Nonnull PropertyState property, long permissions) {
+        return false;
+    }
+
+    @Override
+    public boolean isGranted(@Nonnull String path, long permissions) {
         return false;
     }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java Thu Jan 31 19:01:54 2013
@@ -79,14 +79,4 @@ public class OpenPermissionProvider impl
     public boolean hasPermission(@Nonnull String oakPath, String jcrActions) {
         return true;
     }
-
-    @Override
-    public long getPermission(@Nonnull Tree tree, long defaultPermission) {
-        return Permissions.ALL;
-    }
-
-    @Override
-    public long getPermission(@Nonnull Tree parent, @Nonnull PropertyState propertyState, long defaultPermission) {
-        return Permissions.ALL;
-    }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java Thu Jan 31 19:01:54 2013
@@ -44,8 +44,4 @@ public interface PermissionProvider {
     boolean isGranted(@Nonnull Tree parent, @Nonnull PropertyState property, long permissions);
 
     boolean hasPermission(@Nonnull String oakPath, @Nonnull String jcrActions);
-
-    long getPermission(@Nonnull Tree tree, long defaultPermission);
-
-    long getPermission(@Nonnull Tree parent, @Nonnull PropertyState propertyState, long defaultPermission);
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java Thu Jan 31 19:01:54 2013
@@ -21,9 +21,14 @@ import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
+import javax.annotation.Nullable;
 import javax.jcr.Session;
 
 import org.apache.jackrabbit.oak.api.TreeLocation;
+import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
 
 /**
  * Permissions... TODO
@@ -157,29 +162,56 @@ public final class Permissions {
     }
 
     public static long getPermissions(String jcrActions, TreeLocation location) {
-        Set<String> s = new HashSet<String>(Arrays.asList(jcrActions.split(",")));
+        Set<String> actions = new HashSet<String>(Arrays.asList(jcrActions.split(",")));
         int permissions = 0;
-        if (s.remove(Session.ACTION_READ)) {
-            permissions |= READ;
+        if (actions.remove(Session.ACTION_READ)) {
+            if (!location.exists()) {
+                permissions |= READ;
+            } else if (location.getProperty() != null) {
+                permissions |= READ_PROPERTY;
+            } else {
+                permissions |= READ_NODE;
+            }
         }
-        if (s.remove(Session.ACTION_ADD_NODE)) {
+        if (actions.remove(Session.ACTION_ADD_NODE)) {
             permissions |= ADD_NODE;
         }
-        if (s.remove(Session.ACTION_SET_PROPERTY)) {
-            permissions |= ADD_PROPERTY | MODIFY_PROPERTY;
+        if (actions.remove(Session.ACTION_SET_PROPERTY)) {
+            if (location.getProperty() == null) {
+                permissions |= ADD_PROPERTY;
+            } else {
+                permissions |= MODIFY_PROPERTY;
+            }
         }
-        if (s.remove(Session.ACTION_REMOVE)) {
+        if (actions.remove(Session.ACTION_REMOVE)) {
             if (!location.exists()) {
                 permissions |= REMOVE;
-            } else if (location.getProperty() == null) {
-                permissions |= REMOVE_NODE;
-            } else {
+            } else if (location.getProperty() != null) {
                 permissions |= REMOVE_PROPERTY;
+            } else {
+                permissions |= REMOVE_NODE;
             }
         }
-        if (!s.isEmpty()) {
-            throw new IllegalArgumentException("Unknown actions: " + s);
+        if (!actions.isEmpty()) {
+            throw new IllegalArgumentException("Unknown actions: " + actions);
         }
         return permissions;
     }
+
+    public static long getPermission(@Nullable String path, long defaultPermission) {
+        long permission;
+        if (NamespaceConstants.NAMESPACES_PATH.equals(path)) {
+            permission = Permissions.NAMESPACE_MANAGEMENT;
+        } else if (NodeTypeConstants.NODE_TYPES_PATH.equals(path)) {
+            permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
+        } else if (VersionConstants.SYSTEM_PATHS.contains(path)) {
+            permission = Permissions.VERSION_MANAGEMENT;
+        } else if (PrivilegeConstants.PRIVILEGES_PATH.equals(path)) {
+            permission = Permissions.PRIVILEGE_MANAGEMENT;
+        } else {
+            // TODO: workspace-mgt
+            permission = defaultPermission;
+        }
+        return permission;
+    }
 }
\ No newline at end of file
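Review bot: The accumulator in `getPermissions` is still declared `int permissions = 0;` although the method returns `long` and the new `getPermission` below stores the same constants in a `long`. The compound `|=` narrows silently, so any permission constant using a bit above 31 would be dropped from the result without a compiler warning. The constant values are not visible in this hunk, but `long permissions = 0;` removes the risk. The import hunk above also makes this `spi` class depend on `org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants`, an implementation package, which is worth a second look for layering.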

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java Thu Jan 31 19:01:54 2013
@@ -123,7 +123,7 @@ public class NodeUtil {
 
     /**
      * TODO: clean up. workaround for OAK-426
-     *
+     * <p/>
      * Create the tree at the specified relative path including all missing
      * intermediate trees using the specified {@code primaryTypeName}. This
      * method treats ".." parent element and "." as current element and
@@ -131,10 +131,10 @@ public class NodeUtil {
      * elements this may lead to tree creating outside the tree structure
      * defined by this {@code NodeUtil}.
      *
-     * @param relativePath A relative OAK path that may contain parent and
-     * current elements.
+     * @param relativePath    A relative OAK path that may contain parent and
+     *                        current elements.
      * @param primaryTypeName A oak name of a primary node type that is used
-     * to create the missing trees.
+     *                        to create the missing trees.
      * @return The node util of the tree at the specified {@code relativePath}.
      */
     @Nonnull
@@ -167,7 +167,7 @@ public class NodeUtil {
 
     @CheckForNull
     public String getPrimaryNodeTypeName() {
-        return getString(JcrConstants.JCR_PRIMARYTYPE, null);
+        return TreeUtil.getPrimaryTypeName(tree);
     }
 
     public void removeProperty(String name) {

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/TreeUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/TreeUtil.java?rev=1441127&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/TreeUtil.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/TreeUtil.java Thu Jan 31 19:01:54 2013
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.util;
+
+import javax.annotation.CheckForNull;
+
+import com.google.common.collect.Iterables;
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.Type;
+
+import static org.apache.jackrabbit.oak.api.Type.STRINGS;
+
+/**
+ * Utility providing common operations for the {@code Tree} that are not provided
+ * by the API.
+ */
+public final class TreeUtil {
+
+    private TreeUtil() {
+    }
+
+    @CheckForNull
+    public static String getPrimaryTypeName(Tree tree) {
+        return getString(tree, JcrConstants.JCR_PRIMARYTYPE);
+    }
+
+    @CheckForNull
+    public static String[] getStrings(Tree tree, String propertyName) {
+        PropertyState property = tree.getProperty(propertyName);
+        if (property == null) {
+            return null;
+        } else {
+            return Iterables.toArray(property.getValue(STRINGS), String.class);
+        }
+    }
+
+    @CheckForNull
+    public static String getString(Tree tree, String propertyName) {
+        PropertyState property = tree.getProperty(propertyName);
+        if (property != null && !property.isArray()) {
+            return property.getValue(Type.STRING);
+        } else {
+            return null;
+        }
+    }
+}
\ No newline at end of file
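Review bot: None of the three public methods in `TreeUtil` has Javadoc, and the null contract differs between them. `getString` returns null both when the property is missing and when it is multi-valued, whereas `getStrings` checks only for a missing property. `PermissionProviderImpl` now uses `getPrimaryTypeName` to classify version content, so callers should be told that a null result can also mean an unexpected multi-valued `jcr:primaryType`. For `getString` I would add `@return the string value, or {@code null} if the property does not exist or is multi-valued`, with matching text on the other two. The `tree` and `propertyName` parameters are dereferenced unconditionally and could carry `@Nonnull`, as elsewhere in this commit.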

Modified: jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd Thu Jan 31 19:01:54 2013
@@ -391,6 +391,13 @@
 [nt:configuration] > mix:versionable
   - jcr:root (REFERENCE) mandatory autocreated protected
 
+/**
+ * @since oak 1.0
+ */
+ [rep:VersionablePaths]
+  mixin
+  - * (PATH) protected ABORT
+
 //------------------------------------------------------------------------------
 // N O D E T Y P E S
 //------------------------------------------------------------------------------
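Review bot: The comment block above `[rep:VersionablePaths]` holds only `@since oak 1.0` and does not say what the residual `- * (PATH)` properties record or which component maintains them. Because the properties are `protected`, the node type file gives a reader no other hint about who may write them. Since the commit is filed under OAK-51, the mixin presumably supports permission evaluation, and that is worth stating explicitly. I would add one descriptive line to the comment, e.g. `* Mixin carrying repository-maintained PATH properties; <what each property name identifies>`, with the placeholder filled in by the author. The definition line also starts with a stray leading space, unlike `[nt:configuration]` just above it.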

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java Thu Jan 31 19:01:54 2013
@@ -50,6 +50,7 @@ import org.apache.jackrabbit.oak.securit
 import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
 import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.apache.jackrabbit.oak.util.TreeUtil;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Ignore;
@@ -69,7 +70,7 @@ import static org.junit.Assert.fail;
 public class AccessControlManagerImplTest extends AbstractAccessControlTest implements AccessControlConstants {
 
     private final String testName = TestNameMapper.TEST_PREFIX + ":testRoot";
-    private final String testPath = '/' +testName;
+    private final String testPath = '/' + testName;
 
     private Principal testPrincipal;
     private Privilege[] testPrivileges;
@@ -210,7 +211,7 @@ public class AccessControlManagerImplTes
 
         List<String> testPaths = new ArrayList<String>();
         testPaths.add('/' + TestNameMapper.TEST_LOCAL_PREFIX + ":testRoot");
-        testPaths.add("/{"+ TestNameMapper.TEST_URI+"}testRoot");
+        testPaths.add("/{" + TestNameMapper.TEST_URI + "}testRoot");
 
         AccessControlManager acMgr = getAccessControlManager(getLocalNamePathMapper());
         for (String path : testPaths) {
@@ -259,7 +260,7 @@ public class AccessControlManagerImplTes
     public void testPrivilegeFromUnknownName() throws Exception {
         List<String> invalid = new ArrayList<String>();
         invalid.add("unknownPrivilege");
-        invalid.add('{' + NamespaceRegistry.NAMESPACE_JCR+"}unknown");
+        invalid.add('{' + NamespaceRegistry.NAMESPACE_JCR + "}unknown");
 
         for (String privilegeName : invalid) {
             try {
@@ -417,7 +418,7 @@ public class AccessControlManagerImplTes
 
         ACL acl = (ACL) policies[0];
         List<String> principalNames = new ArrayList<String>();
-        for (AccessControlEntry ace :acl.getEntries()) {
+        for (AccessControlEntry ace : acl.getEntries()) {
             principalNames.add(ace.getPrincipal().getName());
         }
         assertTrue(principalNames.remove("invalidPrincipal"));
@@ -588,14 +589,14 @@ public class AccessControlManagerImplTes
         Tree tree = root2.getTree(testPath);
         assertTrue(tree.hasChild(REP_POLICY));
         Tree policyTree = tree.getChild(REP_POLICY);
-        assertEquals(NT_REP_ACL, new NodeUtil(policyTree).getPrimaryNodeTypeName());
+        assertEquals(NT_REP_ACL, TreeUtil.getPrimaryTypeName(policyTree));
         assertEquals(2, policyTree.getChildrenCount());
 
         Iterator<Tree> children = policyTree.getChildren().iterator();
-        NodeUtil ace = new NodeUtil(children.next());
-        assertEquals(NT_REP_GRANT_ACE, ace.getPrimaryNodeTypeName());
-        assertEquals(testPrincipal.getName(), ace.getString(REP_PRINCIPAL_NAME, null));
-        assertArrayEquals(testPrivileges, privilegesFromNames(ace.getNames(REP_PRIVILEGES)));
+        Tree ace = children.next();
+        assertEquals(NT_REP_GRANT_ACE, TreeUtil.getPrimaryTypeName(ace));
+        assertEquals(testPrincipal.getName(), TreeUtil.getString(ace, REP_PRINCIPAL_NAME));
+        assertArrayEquals(testPrivileges, privilegesFromNames(TreeUtil.getStrings(ace, REP_PRIVILEGES)));
         assertFalse(ace.hasChild(REP_RESTRICTIONS));
 
         NodeUtil ace2 = new NodeUtil(children.next());
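Review bot: `TreeUtil.getStrings(ace, REP_PRIVILEGES)` is `@CheckForNull` and returns null when the property is absent, and here that result is passed straight into `privilegesFromNames(...)`. A policy tree written without `rep:privileges` would then surface as whatever that helper does with null rather than as a clear assertion failure. Splitting the call, `String[] privNames = TreeUtil.getStrings(ace, REP_PRIVILEGES); assertNotNull(privNames);` (assuming `assertNotNull` is statically imported in this test), makes a missing privilege set fail explicitly. The second entry is still wrapped in `NodeUtil` (`ace2`) on the last line of the hunk, so the two ACE checks read the same properties through different helpers. The rest of that check lies outside the hunk.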

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java?rev=1441127&r1=1441126&r2=1441127&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java Thu Jan 31 19:01:54 2013
@@ -72,12 +72,12 @@ public class AllPermissionsTest extends 
             Tree tree = root.getTree(path);
             assertNotNull(tree);
 
-            assertTrue(all.isGranted(Permissions.ALL, tree));
+            assertTrue(all.isGranted(tree, Permissions.ALL));
             for (PropertyState prop : tree.getProperties()) {
-                assertTrue(all.isGranted(Permissions.ALL, tree, prop));
+                assertTrue(all.isGranted(tree, prop, Permissions.ALL));
             }
             for (Tree child : tree.getChildren()) {
-                assertTrue(all.isGranted(Permissions.ALL, child));
+                assertTrue(all.isGranted(child, Permissions.ALL));
             }
         }
     }


