jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1448152 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/ main/java/org/apache/jackrabbit/oak/security/authorization/permission/ main/java/org/apache/jackrabbit/oak/security/privilege/ tes...
Date Wed, 20 Feb 2013 13:17:44 GMT
Author: angela
Date: Wed Feb 20 13:17:43 2013
New Revision: 1448152

URL: http://svn.apache.org/r1448152
Log:
OAK-64: privilege mgt (split privilegebits handling from definition reading/writing)

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProvider.java
      - copied, changed from r1447803, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStore.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProviderTest.java
      - copied, changed from r1447798, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStoreTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java
Removed:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStore.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStoreTest.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java Wed Feb 20 13:17:43 2013
@@ -40,7 +40,7 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
-import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.ACE;
 import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlList;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
@@ -72,7 +72,7 @@ abstract class ACL extends AbstractAcces
 
     abstract PrivilegeManager getPrivilegeManager();
 
-    abstract PrivilegeDefinitionStore getPrivilegeStore();
+    abstract PrivilegeBitsProvider getPrivilegeBitsProvider();
 
     //------------------------------------------< AbstractAccessControlList >---
     @Nonnull
@@ -236,7 +236,7 @@ abstract class ACL extends AbstractAcces
 
     private Set<Privilege> getPrivileges(PrivilegeBits bits) throws RepositoryException {
         Set<Privilege> privileges = new HashSet<Privilege>();
-        for (String name : getPrivilegeStore().getPrivilegeNames(bits)) {
+        for (String name : getPrivilegeBitsProvider().getPrivilegeNames(bits)) {
             privileges.add(getPrivilegeManager().getPrivilege(name));
         }
         return privileges;
@@ -245,7 +245,7 @@ abstract class ACL extends AbstractAcces
     private PrivilegeBits getPrivilegeBits(ACE entry) {
         PrivilegeBits bits = PrivilegeBits.getInstance();
         for (Privilege privilege : entry.getPrivileges()) {
-            bits.add(getPrivilegeStore().getBits(privilege.getName()));
+            bits.add(getPrivilegeBitsProvider().getBits(privilege.getName()));
         }
         return bits;
     }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Wed Feb 20 13:17:43 2013
@@ -62,7 +62,7 @@ import org.apache.jackrabbit.oak.plugins
 import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
 import org.apache.jackrabbit.oak.security.authorization.restriction.PrincipalRestrictionProvider;
 import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
-import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.ACE;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
@@ -616,8 +616,8 @@ public class AccessControlManagerImpl im
         }
 
         @Override
-        PrivilegeDefinitionStore getPrivilegeStore() {
-            return new PrivilegeDefinitionStore(root);
+        PrivilegeBitsProvider getPrivilegeBitsProvider() {
+            return new PrivilegeBitsProvider(root);
         }
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java Wed Feb 20 13:17:43 2013
@@ -35,7 +35,7 @@ import org.apache.jackrabbit.oak.plugins
 import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
 import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
-import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
 import org.apache.jackrabbit.oak.spi.commit.CommitHook;
 import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
@@ -70,9 +70,9 @@ public class PermissionHook implements C
 
         NodeBuilder permissionRoot = getPermissionRoot(rootAfter, workspaceName);
         ReadOnlyNodeTypeManager ntMgr = ReadOnlyNodeTypeManager.getInstance(before);
-        PrivilegeDefinitionStore privilegeStore = new PrivilegeDefinitionStore(new ReadOnlyRoot(before));
+        PrivilegeBitsProvider bitsProvider = new PrivilegeBitsProvider(new ReadOnlyRoot(before));
 
-        after.compareAgainstBaseState(before, new Diff(new BeforeNode(before), new Node(rootAfter), permissionRoot, privilegeStore, ntMgr));
+        after.compareAgainstBaseState(before, new Diff(new BeforeNode(before), new Node(rootAfter), permissionRoot, bitsProvider, ntMgr));
         return rootAfter.getNodeState();
     }
 
@@ -110,17 +110,17 @@ public class PermissionHook implements C
         private final BeforeNode parentBefore;
         private final Node parentAfter;
         private final NodeBuilder permissionRoot;
-        private final PrivilegeDefinitionStore privilegeStore;
+        private final PrivilegeBitsProvider bitsProvider;
         private final ReadOnlyNodeTypeManager ntMgr;
 
         private Diff(@Nonnull BeforeNode parentBefore, @Nonnull Node parentAfter,
                      @Nonnull NodeBuilder permissionRoot,
-                     @Nonnull PrivilegeDefinitionStore privilegeStore,
+                     @Nonnull PrivilegeBitsProvider bitsProvider,
                      @Nonnull ReadOnlyNodeTypeManager ntMgr) {
             this.parentBefore = parentBefore;
             this.parentAfter = parentAfter;
             this.permissionRoot = permissionRoot;
-            this.privilegeStore = privilegeStore;
+            this.bitsProvider = bitsProvider;
             this.ntMgr = ntMgr;
         }
 
@@ -148,7 +148,7 @@ public class PermissionHook implements C
             } else {
                 BeforeNode before = new BeforeNode(parentBefore.getPath(), name, MemoryNodeState.EMPTY_NODE);
                 Node node = new Node(parentAfter, name);
-                after.compareAgainstBaseState(before.getNodeState(), new Diff(before, node, permissionRoot, privilegeStore, ntMgr));
+                after.compareAgainstBaseState(before.getNodeState(), new Diff(before, node, permissionRoot, bitsProvider, ntMgr));
             }
         }
 
@@ -161,7 +161,7 @@ public class PermissionHook implements C
             } else {
                 BeforeNode nodeBefore = new BeforeNode(parentBefore.getPath(), name, before);
                 Node nodeAfter = new Node(parentAfter, name);
-                after.compareAgainstBaseState(before, new Diff(nodeBefore, nodeAfter, permissionRoot, privilegeStore, ntMgr));
+                after.compareAgainstBaseState(before, new Diff(nodeBefore, nodeAfter, permissionRoot, bitsProvider, ntMgr));
             }
         }
 
@@ -172,7 +172,7 @@ public class PermissionHook implements C
             } else {
                 BeforeNode nodeBefore = new BeforeNode(parentBefore.getPath(), name, before);
                 Node after = new Node(parentAfter.getPath(), name, MemoryNodeState.EMPTY_NODE);
-                after.getNodeState().compareAgainstBaseState(before, new Diff(nodeBefore, after, permissionRoot, privilegeStore, ntMgr));
+                after.getNodeState().compareAgainstBaseState(before, new Diff(nodeBefore, after, permissionRoot, bitsProvider, ntMgr));
             }
         }
 
@@ -234,7 +234,7 @@ public class PermissionHook implements C
         private Entry createEntry(String name, NodeState ace, BaseNode acl) {
             Tree aceTree = getTree(name, ace);
             String principalName = checkNotNull(TreeUtil.getString(aceTree, REP_PRINCIPAL_NAME));
-            PrivilegeBits privilegeBits = privilegeStore.getBits(TreeUtil.getString(aceTree, REP_PRIVILEGES));
+            PrivilegeBits privilegeBits = bitsProvider.getBits(TreeUtil.getString(aceTree, REP_PRIVILEGES));
             boolean isAllow = NT_REP_GRANT_ACE.equals(TreeUtil.getPrimaryTypeName(aceTree));
             // TODO: respect restrictions
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java Wed Feb 20 13:17:43 2013
@@ -37,7 +37,7 @@ import org.apache.jackrabbit.oak.securit
 import org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl;
 import org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions;
 import org.apache.jackrabbit.oak.security.authorization.permission.NoPermissions;
-import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
 import org.apache.jackrabbit.oak.spi.security.Context;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
@@ -81,8 +81,7 @@ public class PermissionProviderImpl impl
             if (permissionsTree == null) {
                 compiledPermissions = NoPermissions.getInstance();
             } else {
-                PrivilegeDefinitionStore privilegeStore = new PrivilegeDefinitionStore(this.root);
-                compiledPermissions = new CompiledPermissionImpl(principals, privilegeStore, permissionsTree);
+                compiledPermissions = new CompiledPermissionImpl(principals, new PrivilegeBitsProvider(this.root), permissionsTree);
             }
         }
     }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Wed Feb 20 13:17:43 2013
@@ -31,7 +31,7 @@ import org.apache.jackrabbit.oak.api.Typ
 import org.apache.jackrabbit.oak.core.ReadOnlyTree;
 import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
-import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
 import org.apache.jackrabbit.util.Text;
 
@@ -43,16 +43,16 @@ import static com.google.common.base.Pre
 public class CompiledPermissionImpl implements CompiledPermissions, AccessControlConstants {
 
     private final Set<Principal> principals;
-    private final PrivilegeDefinitionStore privilegeStore;
+    private final PrivilegeBitsProvider bitsProvider;
 
     private final Map<Key, Entry> userEntries;
     private final Map<Key, Entry> groupEntries;
 
     public CompiledPermissionImpl(@Nonnull Set<Principal> principals,
-                                  @Nonnull PrivilegeDefinitionStore privilegeStore,
+                                  @Nonnull PrivilegeBitsProvider bitsProvider,
                                   @Nonnull ReadOnlyTree permissionsTree) {
         this.principals = checkNotNull(principals);
-        this.privilegeStore = privilegeStore;
+        this.bitsProvider = bitsProvider;
 
         EntriesBuilder builder = new EntriesBuilder();
         for (Principal principal : principals) {
@@ -99,12 +99,12 @@ public class CompiledPermissionImpl impl
 
     @Override
     public Set<String> getPrivileges(@Nullable Tree tree) {
-        return privilegeStore.getPrivilegeNames(getPrivilegeBits(tree));
+        return bitsProvider.getPrivilegeNames(getPrivilegeBits(tree));
     }
 
     @Override
     public boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames) {
-        return getPrivilegeBits(tree).includes(privilegeStore.getBits(privilegeNames));
+        return getPrivilegeBits(tree).includes(bitsProvider.getBits(privilegeNames));
     }
 
     //------------------------------------------------------------< private >---

Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProvider.java (from r1447803, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStore.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProvider.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProvider.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStore.java&r1=1447803&r2=1448152&rev=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStore.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProvider.java Wed Feb 20 13:17:43 2013
@@ -16,27 +16,17 @@
  */
 package org.apache.jackrabbit.oak.security.privilege;
 
-import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
-import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
-import javax.jcr.RepositoryException;
 
-import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
-import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
-import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
-import org.apache.jackrabbit.oak.util.NodeUtil;
-import org.apache.jackrabbit.oak.util.TreeUtil;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 
@@ -44,38 +34,14 @@ import static com.google.common.base.Pre
  * Reads and writes privilege definitions from and to the repository content
  * without applying any validation.
  */
-public class PrivilegeDefinitionStore implements PrivilegeConstants {
-
-    private static final Logger log = LoggerFactory.getLogger(PrivilegeDefinitionStore.class);
-
-    /**
-     * The internal names of all built-in privileges that are not aggregates.
-     */
-    private static final String[] NON_AGGR_PRIVILEGES = new String[]{
-            REP_READ_NODES, REP_READ_PROPERTIES,
-            REP_ADD_PROPERTIES, REP_ALTER_PROPERTIES, REP_REMOVE_PROPERTIES,
-            JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE,
-            JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL, JCR_NODE_TYPE_MANAGEMENT,
-            JCR_VERSION_MANAGEMENT, JCR_LOCK_MANAGEMENT, JCR_LIFECYCLE_MANAGEMENT,
-            JCR_RETENTION_MANAGEMENT, JCR_WORKSPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT,
-            JCR_NAMESPACE_MANAGEMENT, REP_PRIVILEGE_MANAGEMENT, REP_USER_MANAGEMENT};
-
-    /**
-     * The internal names and aggregation definition of all built-in privileges
-     * that are aggregates (except for jcr:all).
-     */
-    private static final Map<String, String[]> AGGREGATE_PRIVILEGES = ImmutableMap.of(
-            JCR_READ, new String[]{REP_READ_NODES, REP_READ_PROPERTIES},
-            JCR_MODIFY_PROPERTIES, new String[]{REP_ADD_PROPERTIES, REP_ALTER_PROPERTIES, REP_REMOVE_PROPERTIES},
-            JCR_WRITE, new String[]{JCR_MODIFY_PROPERTIES, JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE},
-            REP_WRITE, new String[]{JCR_WRITE, JCR_NODE_TYPE_MANAGEMENT});
+public final class PrivilegeBitsProvider implements PrivilegeConstants {
 
     private final Root root;
     private final Map<PrivilegeBits, Set<String>> bitsToNames = new HashMap<PrivilegeBits, Set<String>>();
 
     private PrivilegeBits next;
 
-    public PrivilegeDefinitionStore(Root root) {
+    public PrivilegeBitsProvider(Root root) {
         this.root = root;
         Tree privilegesTree = getPrivilegesTree();
         if (privilegesTree != null && privilegesTree.hasProperty(REP_NEXT)) {
@@ -96,6 +62,18 @@ public class PrivilegeDefinitionStore im
         return root.getTree(PRIVILEGES_PATH);
     }
 
+    @Nonnull
+    PrivilegeBits getNext() {
+        return next;
+    }
+
+    @Nonnull
+    PrivilegeBits next() {
+        PrivilegeBits bits = next;
+        next = bits.nextBits();
+        return bits;
+    }
+
     /**
      * @param privilegeNames
      * @return
@@ -158,7 +136,7 @@ public class PrivilegeDefinitionStore im
                     if (privilegeBits.includes(bits)) {
                         privilegeNames.add(child.getName());
                         if (child.hasProperty(REP_AGGREGATES)) {
-                            aggregates.addAll(readDefinition(child).getDeclaredAggregateNames());
+                            aggregates.addAll(PrivilegeDefinitionReader.readDefinition(child).getDeclaredAggregateNames());
                         }
                     }
                 }
@@ -168,153 +146,4 @@ public class PrivilegeDefinitionStore im
             return privilegeNames;
         }
     }
-
-    /**
-     * Read all registered privilege definitions from the content.
-     *
-     * @return All privilege definitions stored in the content.
-     */
-    @Nonnull
-    public Map<String, PrivilegeDefinition> readDefinitions() {
-        Tree privilegesTree = getPrivilegesTree();
-        if (privilegesTree == null) {
-            return Collections.emptyMap();
-        } else {
-            Map<String, PrivilegeDefinition> definitions = new HashMap<String, PrivilegeDefinition>();
-            for (Tree child : privilegesTree.getChildren()) {
-                PrivilegeDefinition def = readDefinition(child);
-                definitions.put(def.getName(), def);
-            }
-            return definitions;
-        }
-    }
-
-    /**
-     * Retrieve the privilege definition with the specified {@code privilegeName}.
-     *
-     * @param privilegeName The name of a registered privilege definition.
-     * @return The privilege definition with the specified name or {@code null}
-     *         if the name doesn't refer to a registered privilege.
-     */
-    @CheckForNull
-    public PrivilegeDefinition readDefinition(String privilegeName) {
-        Tree privilegesTree = getPrivilegesTree();
-        if (privilegesTree == null) {
-            return null;
-        } else {
-            Tree definitionTree = privilegesTree.getChild(privilegeName);
-            return (definitionTree == null) ? null : readDefinition(definitionTree);
-        }
-    }
-
-    /**
-     * @param definitionTree
-     * @return
-     */
-    @Nonnull
-    static PrivilegeDefinition readDefinition(@Nonnull Tree definitionTree) {
-        String name = definitionTree.getName();
-        boolean isAbstract = TreeUtil.getBoolean(definitionTree, REP_IS_ABSTRACT);
-        String[] declAggrNames = TreeUtil.getStrings(definitionTree, REP_AGGREGATES);
-
-        return new PrivilegeDefinitionImpl(name, isAbstract, declAggrNames);
-    }
-
-    /**
-     * Write the given privilege definition to the repository content.
-     *
-     * @param definition The new privilege definition.
-     * @throws RepositoryException If the definition can't be written.
-     */
-    public void writeDefinition(PrivilegeDefinition definition) throws RepositoryException {
-        writeDefinitions(Collections.singleton(definition));
-    }
-
-    /**
-     * Create the built-in privilege definitions during repository setup.
-     *
-     * @throws RepositoryException If an error occurs.
-     */
-    void writeBuiltInDefinitions() throws RepositoryException {
-        writeDefinitions(getBuiltInDefinitions());
-    }
-
-    //------------------------------------------------------------< private >---
-
-    /**
-     * @param definitions
-     * @throws RepositoryException
-     */
-    private void writeDefinitions(Iterable<PrivilegeDefinition> definitions) throws RepositoryException {
-        try {
-            // make sure the privileges path is defined
-            Tree privilegesTree = getPrivilegesTree();
-            if (privilegesTree == null) {
-                throw new RepositoryException("Privilege store does not exist.");
-            }
-            NodeUtil privilegesNode = new NodeUtil(getPrivilegesTree());
-            for (PrivilegeDefinition definition : definitions) {
-                if (privilegesNode.hasChild(definition.getName())) {
-                    throw new RepositoryException("Privilege definition with name '" + definition.getName() + "' already exists.");
-                }
-                writePrivilegeNode(privilegesNode, definition);
-            }
-            /*
-            update the property storing the next privilege bits with the
-            privileges root tree. this is a cheap way to detect collisions that
-            may arise from concurrent registration of custom privileges.
-            */
-            next.writeTo(privilegesTree);
-
-            // delegate validation to the commit validation (see above)
-            root.commit();
-
-        } catch (CommitFailedException e) {
-            Throwable t = e.getCause();
-            if (t instanceof RepositoryException) {
-                throw (RepositoryException) t;
-            } else {
-                throw new RepositoryException(e);
-            }
-        }
-    }
-
-    private void writePrivilegeNode(NodeUtil privilegesNode, PrivilegeDefinition definition) {
-        String name = definition.getName();
-        NodeUtil privNode = privilegesNode.addChild(name, NT_REP_PRIVILEGE);
-        if (definition.isAbstract()) {
-            privNode.setBoolean(REP_IS_ABSTRACT, true);
-        }
-        String[] declAggrNames = definition.getDeclaredAggregateNames().toArray(new String[definition.getDeclaredAggregateNames().size()]);
-        boolean isAggregate = declAggrNames.length > 0;
-        if (isAggregate) {
-            privNode.setNames(REP_AGGREGATES, declAggrNames);
-        }
-
-        PrivilegeBits bits;
-        if (PrivilegeBits.BUILT_IN.containsKey(name)) {
-            bits = PrivilegeBits.BUILT_IN.get(name);
-        } else if (isAggregate) {
-            bits = getBits(declAggrNames);
-        } else {
-            bits = next;
-            next = bits.nextBits();
-        }
-        bits.writeTo(privNode.getTree());
-    }
-
-    private static Collection<PrivilegeDefinition> getBuiltInDefinitions() {
-        Map<String, PrivilegeDefinition> definitions = new LinkedHashMap<String, PrivilegeDefinition>();
-        for (String privilegeName : NON_AGGR_PRIVILEGES) {
-            PrivilegeDefinition def = new PrivilegeDefinitionImpl(privilegeName, false);
-            definitions.put(privilegeName, def);
-        }
-        for (String privilegeName : AGGREGATE_PRIVILEGES.keySet()) {
-            PrivilegeDefinition def = new PrivilegeDefinitionImpl(privilegeName, false, AGGREGATE_PRIVILEGES.get(privilegeName));
-            definitions.put(privilegeName, def);
-        }
-        PrivilegeDefinition all = new PrivilegeDefinitionImpl(JCR_ALL, false, definitions.keySet());
-        definitions.put(JCR_ALL, all);
-        return definitions.values();
-    }
 }

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java?rev=1448152&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java Wed Feb 20 13:17:43 2013
@@ -0,0 +1,90 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.privilege;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
+
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
+import org.apache.jackrabbit.oak.util.TreeUtil;
+
+/**
+ * Reads privilege definitions from the repository content without applying
+ * any validation.
+ */
+class PrivilegeDefinitionReader implements PrivilegeConstants {
+
+    private final Tree privilegesTree;
+
+    PrivilegeDefinitionReader(@Nonnull Root root) {
+        this.privilegesTree = root.getTree(PRIVILEGES_PATH);
+    }
+
+    /**
+     * Read all registered privilege definitions from the content.
+     *
+     * @return All privilege definitions stored in the content.
+     */
+    @Nonnull
+    Map<String, PrivilegeDefinition> readDefinitions() {
+        if (privilegesTree == null) {
+            return Collections.emptyMap();
+        } else {
+            Map<String, PrivilegeDefinition> definitions = new HashMap<String, PrivilegeDefinition>();
+            for (Tree child : privilegesTree.getChildren()) {
+                PrivilegeDefinition def = readDefinition(child);
+                definitions.put(def.getName(), def);
+            }
+            return definitions;
+        }
+    }
+
+    /**
+     * Retrieve the privilege definition with the specified {@code privilegeName}.
+     *
+     * @param privilegeName The name of a registered privilege definition.
+     * @return The privilege definition with the specified name or {@code null}
+     *         if the name doesn't refer to a registered privilege.
+     */
+    @CheckForNull
+    PrivilegeDefinition readDefinition(String privilegeName) {
+        if (privilegesTree == null) {
+            return null;
+        } else {
+            Tree definitionTree = privilegesTree.getChild(privilegeName);
+            return (definitionTree == null) ? null : readDefinition(definitionTree);
+        }
+    }
+
+    /**
+     * @param definitionTree
+     * @return
+     */
+    @Nonnull
+    static PrivilegeDefinition readDefinition(@Nonnull Tree definitionTree) {
+        String name = definitionTree.getName();
+        boolean isAbstract = TreeUtil.getBoolean(definitionTree, REP_IS_ABSTRACT);
+        String[] declAggrNames = TreeUtil.getStrings(definitionTree, REP_AGGREGATES);
+
+        return new PrivilegeDefinitionImpl(name, isAbstract, declAggrNames);
+    }
+}
\ No newline at end of file

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java?rev=1448152&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java Wed Feb 20 13:17:43 2013
@@ -0,0 +1,164 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.privilege;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import javax.jcr.RepositoryException;
+
+import com.google.common.collect.ImmutableMap;
+import org.apache.jackrabbit.oak.api.CommitFailedException;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+
+/**
+ * PrivilegeDefinitionWriter is responsible for writing privilege definitions
+ * to the repository without applying any validation checks.
+ */
+class PrivilegeDefinitionWriter implements PrivilegeConstants {
+
+    /**
+     * The internal names of all built-in privileges that are not aggregates.
+     */
+    private static final String[] NON_AGGR_PRIVILEGES = new String[]{
+            REP_READ_NODES, REP_READ_PROPERTIES,
+            REP_ADD_PROPERTIES, REP_ALTER_PROPERTIES, REP_REMOVE_PROPERTIES,
+            JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE,
+            JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL, JCR_NODE_TYPE_MANAGEMENT,
+            JCR_VERSION_MANAGEMENT, JCR_LOCK_MANAGEMENT, JCR_LIFECYCLE_MANAGEMENT,
+            JCR_RETENTION_MANAGEMENT, JCR_WORKSPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT,
+            JCR_NAMESPACE_MANAGEMENT, REP_PRIVILEGE_MANAGEMENT, REP_USER_MANAGEMENT};
+
+    /**
+     * The internal names and aggregation definition of all built-in privileges
+     * that are aggregates (except for jcr:all).
+     */
+    private static final Map<String, String[]> AGGREGATE_PRIVILEGES = ImmutableMap.of(
+            JCR_READ, new String[]{REP_READ_NODES, REP_READ_PROPERTIES},
+            JCR_MODIFY_PROPERTIES, new String[]{REP_ADD_PROPERTIES, REP_ALTER_PROPERTIES, REP_REMOVE_PROPERTIES},
+            JCR_WRITE, new String[]{JCR_MODIFY_PROPERTIES, JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE},
+            REP_WRITE, new String[]{JCR_WRITE, JCR_NODE_TYPE_MANAGEMENT});
+
+    private final Root root;
+    private final PrivilegeBitsProvider bitsMgr;
+
+    PrivilegeDefinitionWriter(Root root) {
+        this.root = root;
+        this.bitsMgr = new PrivilegeBitsProvider(root);
+    }
+
+    /**
+     * Write the given privilege definition to the repository content.
+     *
+     * @param definition The new privilege definition.
+     * @throws RepositoryException If the definition can't be written.
+     */
+    void writeDefinition(PrivilegeDefinition definition) throws RepositoryException {
+        writeDefinitions(Collections.singleton(definition));
+    }
+
+    /**
+     * Create the built-in privilege definitions during repository setup.
+     *
+     * @throws RepositoryException If an error occurs.
+     */
+    void writeBuiltInDefinitions() throws RepositoryException {
+        writeDefinitions(getBuiltInDefinitions());
+    }
+
+    //--------------------------------------------------------------------------
+
+    /**
+     * @param definitions
+     * @throws RepositoryException
+     */
+    private void writeDefinitions(Iterable<PrivilegeDefinition> definitions) throws RepositoryException {
+        try {
+            // make sure the privileges path is defined
+            Tree privilegesTree = root.getTree(PRIVILEGES_PATH);
+            if (privilegesTree == null) {
+                throw new RepositoryException("Privilege store does not exist.");
+            }
+            NodeUtil privilegesNode = new NodeUtil(privilegesTree);
+            for (PrivilegeDefinition definition : definitions) {
+                if (privilegesNode.hasChild(definition.getName())) {
+                    throw new RepositoryException("Privilege definition with name '" + definition.getName() + "' already exists.");
+                }
+                writePrivilegeNode(privilegesNode, definition);
+            }
+            /*
+            update the property storing the next privilege bits with the
+            privileges root tree. this is a cheap way to detect collisions that
+            may arise from concurrent registration of custom privileges.
+            */
+            bitsMgr.getNext().writeTo(privilegesTree);
+
+            // delegate validation to the commit validation (see above)
+            root.commit();
+
+        } catch (CommitFailedException e) {
+            Throwable t = e.getCause();
+            if (t instanceof RepositoryException) {
+                throw (RepositoryException) t;
+            } else {
+                throw new RepositoryException(e);
+            }
+        }
+    }
+
+    private void writePrivilegeNode(NodeUtil privilegesNode, PrivilegeDefinition definition) {
+        String name = definition.getName();
+        NodeUtil privNode = privilegesNode.addChild(name, NT_REP_PRIVILEGE);
+        if (definition.isAbstract()) {
+            privNode.setBoolean(REP_IS_ABSTRACT, true);
+        }
+        String[] declAggrNames = definition.getDeclaredAggregateNames().toArray(new String[definition.getDeclaredAggregateNames().size()]);
+        boolean isAggregate = declAggrNames.length > 0;
+        if (isAggregate) {
+            privNode.setNames(REP_AGGREGATES, declAggrNames);
+        }
+
+        PrivilegeBits bits;
+        if (PrivilegeBits.BUILT_IN.containsKey(name)) {
+            bits = PrivilegeBits.BUILT_IN.get(name);
+        } else if (isAggregate) {
+            bits = bitsMgr.getBits(declAggrNames);
+        } else {
+            bits = bitsMgr.next();
+        }
+        bits.writeTo(privNode.getTree());
+    }
+
+    private static Collection<PrivilegeDefinition> getBuiltInDefinitions() {
+        Map<String, PrivilegeDefinition> definitions = new LinkedHashMap<String, PrivilegeDefinition>();
+        for (String privilegeName : NON_AGGR_PRIVILEGES) {
+            PrivilegeDefinition def = new PrivilegeDefinitionImpl(privilegeName, false);
+            definitions.put(privilegeName, def);
+        }
+        for (String privilegeName : AGGREGATE_PRIVILEGES.keySet()) {
+            PrivilegeDefinition def = new PrivilegeDefinitionImpl(privilegeName, false, AGGREGATE_PRIVILEGES.get(privilegeName));
+            definitions.put(privilegeName, def);
+        }
+        PrivilegeDefinition all = new PrivilegeDefinitionImpl(JCR_ALL, false, definitions.keySet());
+        definitions.put(JCR_ALL, all);
+        return definitions.values();
+    }
+}
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java Wed Feb 20 13:17:43 2013
@@ -65,7 +65,7 @@ class PrivilegeInitializer implements Re
             }
 
             try {
-                new PrivilegeDefinitionStore(new RootImpl(store)).writeBuiltInDefinitions();
+                new PrivilegeDefinitionWriter(new RootImpl(store)).writeBuiltInDefinitions();
             } catch (RepositoryException e) {
                 log.error("Failed to register built-in privileges", e);
                 throw new RuntimeException(e);

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java Wed Feb 20 13:17:43 2013
@@ -82,8 +82,8 @@ public class PrivilegeManagerImpl implem
             throw new RepositoryException("Invalid privilege name " + privilegeName);
         }
         PrivilegeDefinitionImpl definition = new PrivilegeDefinitionImpl(getOakName(privilegeName), isAbstract, getOakNames(declaredAggregateNames));
-        PrivilegeDefinitionStore store = getStore(getWriteRoot());
-        store.writeDefinition(definition);
+        PrivilegeDefinitionWriter writer = new PrivilegeDefinitionWriter(getWriteRoot());
+        writer.writeDefinition(definition);
 
         // refresh the current root to make sure the definition is visible
         root.refresh();
@@ -130,18 +130,18 @@ public class PrivilegeManagerImpl implem
 
     @Nonnull
     private PrivilegeDefinition[] getPrivilegeDefinitions() {
-        Map<String, PrivilegeDefinition> definitions = getStore(root).readDefinitions();
+        Map<String, PrivilegeDefinition> definitions = getReader().readDefinitions();
         return definitions.values().toArray(new PrivilegeDefinition[definitions.size()]);
     }
 
     @CheckForNull
     private PrivilegeDefinition getPrivilegeDefinition(String oakName) {
-        return getStore(root).readDefinition(oakName);
+        return getReader().readDefinition(oakName);
     }
 
     @Nonnull
-    private static PrivilegeDefinitionStore getStore(Root targetRoot) {
-        return new PrivilegeDefinitionStore(targetRoot);
+    private PrivilegeDefinitionReader getReader() {
+        return new PrivilegeDefinitionReader(root);
     }
 
     //--------------------------------------------------------------------------

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java Wed Feb 20 13:17:43 2013
@@ -62,7 +62,7 @@ public class PrivilegeMigrator {
 
     public void migrateCustomPrivileges(InputStream privilegeStream) throws RepositoryException {
         final Root root = contentSession.getLatestRoot();
-        PrivilegeDefinitionStore store = new PrivilegeDefinitionStore(root);
+        PrivilegeDefinitionWriter writer = new PrivilegeDefinitionWriter(root);
         try {
             NamespaceRegistry nsRegistry = new ReadWriteNamespaceRegistry() {
                 @Override
@@ -76,7 +76,7 @@ public class PrivilegeMigrator {
                 }
             };
             for (PrivilegeDefinition def : readCustomDefinitions(privilegeStream, nsRegistry)) {
-                store.writeDefinition(def);
+                writer.writeDefinition(def);
             }
         } catch (IOException e) {
             throw new RepositoryException(e);

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java Wed Feb 20 13:17:43 2013
@@ -19,11 +19,13 @@ package org.apache.jackrabbit.oak.securi
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
+import javax.annotation.Nonnull;
 import javax.jcr.RepositoryException;
 
 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.api.Type;
 import org.apache.jackrabbit.oak.core.ReadOnlyRoot;
@@ -33,8 +35,6 @@ import org.apache.jackrabbit.oak.spi.com
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
 import org.apache.jackrabbit.util.Text;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 /**
  * Validator implementation that is responsible for validating any modifications
@@ -42,14 +42,14 @@ import org.slf4j.LoggerFactory;
  */
 class PrivilegeValidator implements PrivilegeConstants, Validator {
 
-    private static final Logger log = LoggerFactory.getLogger(PrivilegeValidator.class);
-
-    private final PrivilegeDefinitionStore storeBefore;
-    private final PrivilegeDefinitionStore storeAfter;
+    private final Root rootBefore;
+    private final Root rootAfter;
+    private final PrivilegeBitsProvider bitsProvider;
 
     PrivilegeValidator(NodeState before, NodeState after) {
-        storeBefore = new PrivilegeDefinitionStore(new ReadOnlyRoot(before));
-        storeAfter = new PrivilegeDefinitionStore((new ReadOnlyRoot(after)));
+        rootBefore = new ReadOnlyRoot(before);
+        rootAfter = new ReadOnlyRoot(after);
+        bitsProvider = new PrivilegeBitsProvider(rootBefore);
     }
 
     //----------------------------------------------------------< Validator >---
@@ -61,7 +61,7 @@ class PrivilegeValidator implements Priv
     @Override
     public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException {
         if (REP_NEXT.equals(before.getName())) {
-            validateNext(PrivilegeBits.getInstance(storeBefore.getPrivilegesTree().getProperty(REP_NEXT)));
+            validateNext(PrivilegeBits.getInstance(getPrivilegesTree(rootBefore).getProperty(REP_NEXT)));
         } else {
             throw new CommitFailedException("Attempt to modify existing privilege definition.");
         }
@@ -74,7 +74,9 @@ class PrivilegeValidator implements Priv
 
     @Override
     public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
-        checkInitialized();
+        // make sure privileges have been initialized before
+        getPrivilegesTree(rootBefore);
+
         // the following characteristics are expected to be validated elsewhere:
         // - permission to allow privilege registration -> permission validator.
         // - name collisions (-> delegated to NodeTypeValidator since sms are not allowed)
@@ -111,14 +113,8 @@ class PrivilegeValidator implements Priv
     }
 
     //------------------------------------------------------------< private >---
-    private void checkInitialized() throws CommitFailedException {
-        if (storeBefore.getPrivilegesTree() == null) {
-            throw new CommitFailedException("Privilege store not initialized.");
-        }
-    }
-
     private void validateNext(PrivilegeBits bits) throws CommitFailedException {
-        PrivilegeBits next = PrivilegeBits.getInstance(storeAfter.getPrivilegesTree().getProperty(REP_NEXT));
+        PrivilegeBits next = PrivilegeBits.getInstance(getPrivilegesTree(rootAfter).getProperty(REP_NEXT));
         if (!next.equals(bits.nextBits())) {
             throw new CommitFailedException("Next bits not updated.");
         }
@@ -130,6 +126,15 @@ class PrivilegeValidator implements Priv
         }
     }
 
+    @Nonnull
+    private Tree getPrivilegesTree(Root root) throws CommitFailedException {
+        Tree privilegesTree = root.getTree(PRIVILEGES_PATH);
+        if (privilegesTree == null) {
+            throw new CommitFailedException("Privilege store not initialized.");
+        }
+        return privilegesTree;
+    }
+
     /**
      * Validation of the privilege definition including the following steps:
      * <p/>
@@ -150,8 +155,8 @@ class PrivilegeValidator implements Priv
             throw new CommitFailedException("PrivilegeBits are missing.");
         }
 
-        Set<String> privNames = storeBefore.getPrivilegeNames(newBits);
-        PrivilegeDefinition definition = PrivilegeDefinitionStore.readDefinition(definitionTree);
+        Set<String> privNames = bitsProvider.getPrivilegeNames(newBits);
+        PrivilegeDefinition definition = PrivilegeDefinitionReader.readDefinition(definitionTree);
         Set<String> declaredNames = definition.getDeclaredAggregateNames();
 
         // non-aggregate privilege
@@ -169,7 +174,7 @@ class PrivilegeValidator implements Priv
         }
 
         // aggregation of >1 privileges
-        Map<String, PrivilegeDefinition> definitions = storeBefore.readDefinitions();
+        Map<String, PrivilegeDefinition> definitions = new PrivilegeDefinitionReader(rootBefore).readDefinitions();
         for (String aggrName : declaredNames) {
             // aggregated privilege not registered
             if (!definitions.containsKey(aggrName)) {
@@ -197,7 +202,7 @@ class PrivilegeValidator implements Priv
             }
         }
 
-        PrivilegeBits aggrBits = storeBefore.getBits(declaredNames.toArray(new String[declaredNames.size()]));
+        PrivilegeBits aggrBits = bitsProvider.getBits(declaredNames.toArray(new String[declaredNames.size()]));
         if (!newBits.equals(aggrBits)) {
             throw new CommitFailedException("Invalid privilege bits for aggregated privilege definition.");
         }

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java Wed Feb 20 13:17:43 2013
@@ -39,7 +39,7 @@ import org.apache.jackrabbit.oak.namepat
 import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
 import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
-import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.ACE;
 import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlList;
 import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlListTest;
@@ -107,8 +107,8 @@ public class ACLTest extends AbstractAcc
             }
 
             @Override
-            PrivilegeDefinitionStore getPrivilegeStore() {
-                return new PrivilegeDefinitionStore(root);
+            PrivilegeBitsProvider getPrivilegeBitsProvider() {
+                return new PrivilegeBitsProvider(root);
             }
         };
     }

Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProviderTest.java (from r1447798, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStoreTest.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProviderTest.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProviderTest.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStoreTest.java&r1=1447798&r2=1448152&rev=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStoreTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProviderTest.java Wed Feb 20 13:17:43 2013
@@ -30,63 +30,48 @@ import static org.junit.Assert.assertNot
 /**
  * PrivilegeDefinitionStoreTest... TODO
  */
-public class PrivilegeDefinitionStoreTest extends AbstractSecurityTest implements PrivilegeConstants {
+public class PrivilegeBitsProviderTest extends AbstractSecurityTest implements PrivilegeConstants {
 
-    private PrivilegeDefinitionStore store;
+    private PrivilegeBitsProvider bitsProvider;
 
     @Override
     public void before() throws Exception {
         super.before();
 
-        store = new PrivilegeDefinitionStore(root);
+        bitsProvider = new PrivilegeBitsProvider(root);
     }
 
     @Test
     public void testGetPrivilegesTree() {
-        assertNotNull(store.getPrivilegesTree());
-        assertEquals(PRIVILEGES_PATH, store.getPrivilegesTree().getPath());
-    }
-
-    @Test
-    public void testReadDefinition() {
-        // TODO
-    }
-
-    @Test
-    public void testReadDefinitions() {
-        // TODO
-    }
-
-    @Test
-    public void testWriteDefinition() {
-        // TODO
+        assertNotNull(bitsProvider.getPrivilegesTree());
+        assertEquals(PRIVILEGES_PATH, bitsProvider.getPrivilegesTree().getPath());
     }
 
     @Test
     public void testGetBits() {
-        PrivilegeBits bits = store.getBits(JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES);
+        PrivilegeBits bits = bitsProvider.getBits(JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES);
         assertFalse(bits.isEmpty());
 
-        PrivilegeBits mod = PrivilegeBits.getInstance(store.getBits(JCR_ADD_CHILD_NODES)).add(store.getBits(JCR_REMOVE_CHILD_NODES));
+        PrivilegeBits mod = PrivilegeBits.getInstance(bitsProvider.getBits(JCR_ADD_CHILD_NODES)).add(bitsProvider.getBits(JCR_REMOVE_CHILD_NODES));
         assertEquals(bits, mod.unmodifiable());
     }
 
     @Test
     public void testGetBitsFromInvalidPrivilege() {
-        assertEquals(PrivilegeBits.EMPTY, store.getBits("invalid1", "invalid2"));
+        assertEquals(PrivilegeBits.EMPTY, bitsProvider.getBits("invalid1", "invalid2"));
     }
 
     @Test
     public void testGetBitsFromEmpty() {
-        assertEquals(PrivilegeBits.EMPTY, store.getBits());
-        assertEquals(PrivilegeBits.EMPTY, store.getBits(new String[0]));
-        assertEquals(PrivilegeBits.EMPTY, store.getBits(""));
+        assertEquals(PrivilegeBits.EMPTY, bitsProvider.getBits());
+        assertEquals(PrivilegeBits.EMPTY, bitsProvider.getBits(new String[0]));
+        assertEquals(PrivilegeBits.EMPTY, bitsProvider.getBits(""));
     }
 
     @Test
     public void testGetPrivilegeNames() throws RepositoryException {
-        PrivilegeBits bits = store.getBits(JCR_READ_ACCESS_CONTROL);
-        Set<String> names = store.getPrivilegeNames(bits);
+        PrivilegeBits bits = bitsProvider.getBits(JCR_READ_ACCESS_CONTROL);
+        Set<String> names = bitsProvider.getPrivilegeNames(bits);
 
         assertEquals(1, names.size());
         assertEquals(JCR_READ_ACCESS_CONTROL, names.iterator().next());
@@ -94,33 +79,33 @@ public class PrivilegeDefinitionStoreTes
 
     @Test
     public void testAggregation() throws RepositoryException {
-        PrivilegeBits writeBits = store.getBits(JCR_ADD_CHILD_NODES,
+        PrivilegeBits writeBits = bitsProvider.getBits(JCR_ADD_CHILD_NODES,
                 JCR_REMOVE_CHILD_NODES,
                 JCR_REMOVE_NODE,
                 JCR_MODIFY_PROPERTIES);
-        Set<String> names = store.getPrivilegeNames(writeBits);
+        Set<String> names = bitsProvider.getPrivilegeNames(writeBits);
         assertEquals(1, names.size());
         assertEquals(JCR_WRITE, names.iterator().next());
     }
 
     @Test
     public void testUnknownAggregation() throws RepositoryException {
-        PrivilegeBits bits = store.getBits(REP_WRITE, JCR_LIFECYCLE_MANAGEMENT);
-        Set<String> names = store.getPrivilegeNames(bits);
+        PrivilegeBits bits = bitsProvider.getBits(REP_WRITE, JCR_LIFECYCLE_MANAGEMENT);
+        Set<String> names = bitsProvider.getPrivilegeNames(bits);
 
         assertEquals(2, names.size());
     }
 
     @Test
     public void testRedundantAggregation() throws RepositoryException {
-        PrivilegeBits writeBits = store.getBits(REP_WRITE);
-        Set<String> names = store.getPrivilegeNames(writeBits);
+        PrivilegeBits writeBits = bitsProvider.getBits(REP_WRITE);
+        Set<String> names = bitsProvider.getPrivilegeNames(writeBits);
 
         assertEquals(1, names.size());
         assertEquals(REP_WRITE, names.iterator().next());
 
-        writeBits = store.getBits(REP_WRITE, JCR_WRITE);
-        names = store.getPrivilegeNames(writeBits);
+        writeBits = bitsProvider.getBits(REP_WRITE, JCR_WRITE);
+        names = bitsProvider.getPrivilegeNames(writeBits);
 
         assertEquals(1, names.size());
         assertEquals(REP_WRITE, names.iterator().next());
@@ -128,24 +113,25 @@ public class PrivilegeDefinitionStoreTes
 
     @Test
     public void testAll() {
-        PrivilegeBits all = store.getBits(JCR_ALL);
+        PrivilegeBits all = bitsProvider.getBits(JCR_ALL);
         assertFalse(all.isEmpty());
-        assertEquals(Collections.singleton(JCR_ALL), store.getPrivilegeNames(all));
+        assertEquals(Collections.singleton(JCR_ALL), bitsProvider.getPrivilegeNames(all));
     }
 
     @Test
     public void testAllAggregation() {
-        PrivilegeBits all = store.getBits(JCR_ALL);
+        PrivilegeBits all = bitsProvider.getBits(JCR_ALL);
 
-        Set<String> allAggregates = store.readDefinition(JCR_ALL).getDeclaredAggregateNames();
-        PrivilegeBits all2 = store.getBits(allAggregates.toArray(new String[allAggregates.size()]));
+        PrivilegeDefinitionReader reader = new PrivilegeDefinitionReader(root);
+        Set<String> allAggregates = reader.readDefinition(JCR_ALL).getDeclaredAggregateNames();
+        PrivilegeBits all2 = bitsProvider.getBits(allAggregates.toArray(new String[allAggregates.size()]));
 
         assertEquals(all, all2);
-        assertEquals(Collections.singleton(JCR_ALL), store.getPrivilegeNames(all2));
+        assertEquals(Collections.singleton(JCR_ALL), bitsProvider.getPrivilegeNames(all2));
 
         PrivilegeBits bits = PrivilegeBits.getInstance();
         for (String name : allAggregates) {
-            bits.add(store.getBits(name));
+            bits.add(bitsProvider.getBits(name));
         }
         assertEquals(all, bits.unmodifiable());
     }

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java?rev=1448152&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java Wed Feb 20 13:17:43 2013
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.privilege;
+
+import org.junit.Test;
+
+public class PrivilegeDefinitionReaderTest {
+
+    @Test
+    public void testReadDefinition() {
+        // TODO
+    }
+
+    @Test
+    public void testReadDefinitions() {
+        // TODO
+    }
+}

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java?rev=1448152&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java Wed Feb 20 13:17:43 2013
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.privilege;
+
+import org.junit.Test;
+
+/**
+ * PrivilegeDefinitionWriterTest... TODO
+ */
+public class PrivilegeDefinitionWriterTest {
+
+    @Test
+    public void testWriteDefinition() {
+        // TODO
+    }
+}
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorTest.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorTest.java Wed Feb 20 13:17:43 2013
@@ -37,13 +37,13 @@ import static org.junit.Assert.fail;
  */
 public class PrivilegeValidatorTest extends AbstractSecurityTest implements PrivilegeConstants {
 
-    PrivilegeDefinitionStore store;
+    PrivilegeBitsProvider store;
     Tree privilegesTree;
 
     @Before
     public void before() throws Exception {
         super.before();
-        store = new PrivilegeDefinitionStore(root);
+        store = new PrivilegeBitsProvider(root);
         privilegesTree = checkNotNull(store.getPrivilegesTree());
     }
 



Mime
View raw message