Return-Path: X-Original-To: apmail-jackrabbit-oak-commits-archive@minotaur.apache.org Delivered-To: apmail-jackrabbit-oak-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BD190EAA0 for ; Thu, 14 Feb 2013 14:18:59 +0000 (UTC) Received: (qmail 17380 invoked by uid 500); 14 Feb 2013 14:18:59 -0000 Delivered-To: apmail-jackrabbit-oak-commits-archive@jackrabbit.apache.org Received: (qmail 17320 invoked by uid 500); 14 Feb 2013 14:18:58 -0000 Mailing-List: contact oak-commits-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: oak-dev@jackrabbit.apache.org Delivered-To: mailing list oak-commits@jackrabbit.apache.org Received: (qmail 17298 invoked by uid 99); 14 Feb 2013 14:18:57 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 Feb 2013 14:18:57 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 Feb 2013 14:18:55 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id DB5D623889ED; Thu, 14 Feb 2013 14:18:36 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1446198 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: security/authorization/ security/authorization/permission/ spi/security/authorization/ Date: Thu, 14 Feb 2013 14:18:36 -0000 To: oak-commits@jackrabbit.apache.org 
From: angela@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130214141836.DB5D623889ED@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: angela Date: Thu Feb 14 14:18:35 2013 New Revision: 1446198 URL: http://svn.apache.org/r1446198 Log: OAK-527 : Implement Permission evaluation (work in progress) Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1446198&r1=1446197&r2=1446198&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original) +++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Thu Feb 14 14:18:35 2013 @@ -522,7 +522,7 @@ public class AccessControlManagerImpl im // TODO String oakPath = getOakPath(absPath); Tree tree = getTree(oakPath); - Set pNames = provider.getPrivilegeNames(tree); + Set pNames = provider.getPrivileges(tree); if (pNames.isEmpty()) { return new Privilege[0]; } else { Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java?rev=1446198&r1=1446197&r2=1446198&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java Thu Feb 14 14:18:35 2013 @@ -17,7 +17,6 @@ package org.apache.jackrabbit.oak.security.authorization; import java.security.Principal; -import java.util.Collections; import java.util.Set; import javax.annotation.CheckForNull; import javax.annotation.Nonnull; @@ -38,6 +37,7 @@ import org.apache.jackrabbit.oak.securit import org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl; import org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions; import org.apache.jackrabbit.oak.security.authorization.permission.NoPermissions; +import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore; import org.apache.jackrabbit.oak.spi.security.Context; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider; 
@@ -60,7 +60,8 @@ public class PermissionProviderImpl impl private static final Logger log = LoggerFactory.getLogger(PermissionProviderImpl.class); - private final Root root; + private final ReadOnlyRoot root; + private final Context acContext; private final String workspaceName = "default"; // FIXME: use proper workspace as associated with the root @@ -75,27 +76,26 @@ public class PermissionProviderImpl impl compiledPermissions = AllPermissions.getInstance(); } else { String relativePath = PERMISSIONS_STORE_PATH + '/' + workspaceName; - ReadOnlyTree rootTree = ReadOnlyTree.createFromRoot(root); + ReadOnlyTree rootTree = this.root.getTree("/"); ReadOnlyTree permissionsTree = getPermissionsRoot(rootTree, relativePath); if (permissionsTree == null) { compiledPermissions = NoPermissions.getInstance(); } else { - compiledPermissions = new CompiledPermissionImpl(permissionsTree, principals); + PrivilegeDefinitionStore privilegeStore = new PrivilegeDefinitionStore(this.root); + compiledPermissions = new CompiledPermissionImpl(principals, privilegeStore, permissionsTree); } } } @Nonnull @Override - public Set getPrivilegeNames(@Nullable Tree tree) { - // TODO - return Collections.emptySet(); + public Set getPrivileges(@Nullable Tree tree) { + return compiledPermissions.getPrivileges(tree); } @Override public boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames) { - // TODO - return false; + return compiledPermissions.hasPrivileges(tree, privilegeNames); } @Override @@ -144,7 +144,7 @@ public class PermissionProviderImpl impl } @Override - public boolean hasPermission(@Nonnull String oakPath, String jcrActions) { + public boolean hasPermission(@Nonnull String oakPath, @Nonnull String jcrActions) { TreeLocation location = root.getLocation(oakPath); long permissions = Permissions.getPermissions(jcrActions, location); if (!location.exists()) { 
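Review bot: In the `@@ -75,27 +76,26 @@` hunk `getPrivileges` keeps its `@Nonnull` annotation but now returns `compiledPermissions.getPrivileges(tree)` directly, and the `CompiledPermissions` method added later in this commit carries neither `@Nonnull` nor Javadoc. The non-null promise therefore rests on every implementation by convention; declaring the interface method as `@Nonnull Set getPrivileges(@Nullable Tree tree);` would make it checkable, with a Javadoc sentence saying what a null tree means for both new methods. `hasPrivileges` likewise now depends on `CompiledPermissionImpl.getPrivilegeBits`, which is still a stub in this commit, so a `// TODO` at the delegating call would keep that visible. The constructor these lines belong to begins outside the hunk.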
@@ -184,28 +184,30 @@ public class PermissionProviderImpl impl } } + // TODO: deal with activities/configurations @CheckForNull private String getVersionablePath(@Nonnull Tree versionStoreTree, @Nullable PropertyState property) { + String relPath = ""; + String propName = (property == null) ? "" : property.getName(); String versionablePath = null; Tree t = versionStoreTree; - while (!JcrConstants.JCR_SYSTEM.equals(t.getName())) { - if (JcrConstants.NT_VERSIONHISTORY.equals(TreeUtil.getPrimaryTypeName(t))) { + while (t != null && !JcrConstants.JCR_VERSIONSTORAGE.equals(t.getName())) { + String name = t.getName(); + String ntName = TreeUtil.getPrimaryTypeName(t); + if (VersionConstants.JCR_FROZENNODE.equals(name) && t != versionStoreTree) { + relPath = PathUtils.relativize(t.getPath(), versionStoreTree.getPath()); + } else if (JcrConstants.NT_VERSIONHISTORY.equals(ntName)) { PropertyState prop = t.getProperty(workspaceName); if (prop != null) { - versionablePath = prop.getValue(Type.PATH); - if (t != versionStoreTree) { - String rel = PathUtils.relativize(t.getPath(), versionStoreTree.getPath()); - String propName = (property == null) ? 
"" : property.getName(); - versionablePath = PathUtils.concat(versionablePath, rel, propName); - } + versionablePath = PathUtils.concat(prop.getValue(Type.PATH), relPath, propName); } break; - }// FIXME: handle activities and configurations + } t = t.getParent(); } if (versionablePath == null || versionablePath.length() == 0) { - log.warn("Unable to determine path of the versionable node."); + log.warn("Unable to determine path of the version controlled node."); } return Strings.emptyToNull(versionablePath); } Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java?rev=1446198&r1=1446197&r2=1446198&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java Thu Feb 14 14:18:35 2013 @@ -16,10 +16,12 @@ */ package org.apache.jackrabbit.oak.security.authorization.permission; -import javax.annotation.Nonnull; +import java.util.Collections; +import java.util.Set; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants; /** * AllPermissions... TODO 
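Review bot: The warning at the end of `getVersionablePath` names no path, so a failed lookup cannot be tied to a node when reading the log; `log.warn("Unable to determine path of the version controlled node for {}", versionStoreTree.getPath());` would fix that. The method then returns null through `Strings.emptyToNull`, and its caller is outside this hunk, so it is worth confirming there that a null result denies access instead of skipping the check. The new `// TODO: deal with activities/configurations` would be easier to act on if it stated the current behaviour: as far as the visible loop shows, such trees are walked up to `JCR_VERSIONSTORAGE` or a null parent and end in the warning.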
@@ -61,7 +63,17 @@ public final class AllPermissions implem } @Override - public boolean isGranted(@Nonnull String path, long permissions) { + public boolean isGranted(String path, long permissions) { + return true; + } + + @Override + public Set getPrivileges(Tree tree) { + return Collections.singleton(PrivilegeConstants.JCR_ALL); + } + + @Override + public boolean hasPrivileges(Tree tree, String... privilegeNames) { return true; } } \ No newline at end of file Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1446198&r1=1446197&r2=1446198&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Thu Feb 14 14:18:35 2013 
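Review bot: `isGranted` in `AllPermissions` drops `@Nonnull` from `path` and the two new overrides omit `@Nullable` on `tree`, while `CompiledPermissions` and `NoPermissions` in this same commit keep both annotations. Keeping the signatures aligned, e.g. `public boolean isGranted(@Nonnull String path, long permissions) {` and `public Set getPrivileges(@Nullable Tree tree) {`, applies the same nullness contract to the grant-everything implementation; this needs the `javax.annotation.Nonnull` import that the preceding hunk removes, plus `javax.annotation.Nullable`. Because every method here answers yes unconditionally, replacing the `AllPermissions... TODO` class comment with a sentence on when this instance is chosen would make its use easier to audit.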
@@ -22,14 +22,17 @@ import java.util.List; import java.util.Map; import java.util.Set; import javax.annotation.Nonnull; +import javax.annotation.Nullable; import com.google.common.collect.ImmutableSortedMap; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.api.Type; import org.apache.jackrabbit.oak.core.ReadOnlyTree; import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants; +import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits; +import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore; import org.apache.jackrabbit.oak.spi.security.authorization.Permissions; -import org.apache.jackrabbit.oak.util.NodeUtil; import org.apache.jackrabbit.util.Text; import static com.google.common.base.Preconditions.checkNotNull; @@ -40,13 +43,16 @@ import static com.google.common.base.Pre public class CompiledPermissionImpl implements CompiledPermissions, AccessControlConstants { private final Set principals; + private final PrivilegeDefinitionStore privilegeStore; - private Map userEntries; - private Map groupEntries; + private final Map userEntries; + private final Map groupEntries; - public CompiledPermissionImpl(@Nonnull ReadOnlyTree permissionsTree, - @Nonnull Set principals) { + public CompiledPermissionImpl(@Nonnull Set principals, + @Nonnull PrivilegeDefinitionStore privilegeStore, + @Nonnull ReadOnlyTree permissionsTree) { this.principals = checkNotNull(principals); + this.privilegeStore = privilegeStore; EntriesBuilder builder = new EntriesBuilder(); for (Principal principal : principals) { 
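Review bot: In the constructor hunk `principals` goes through `checkNotNull` but the new `privilegeStore` parameter is assigned unchecked, so a null store would only surface later as a NullPointerException inside `getPrivileges` or `hasPrivileges`. `this.privilegeStore = checkNotNull(privilegeStore);` matches the line above it and fails at construction time instead. The parameter order also changed (principals first, tree last); the one caller visible in this commit is updated, but any caller outside the diff cannot be checked from here. The constructor body continues outside the hunk.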
@@ -93,16 +99,30 @@ public class CompiledPermissionImpl impl return false; } + @Override + public Set getPrivileges(@Nullable Tree tree) { + return privilegeStore.getPrivilegeNames(getPrivilegeBits(tree)); + } + + @Override + public boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames) { + return getPrivilegeBits(tree).includes(privilegeStore.getBits(privilegeNames)); + } + //------------------------------------------------------------< private >--- + private PrivilegeBits getPrivilegeBits(@Nullable Tree tree) { + return PrivilegeBits.EMPTY; // TODO + } + private static final class Key implements Comparable { private String path; - private long order; + private long index; - private Key(NodeUtil node) { - path = node.getString("path", ""); - order = node.getLong("order", -1); + private Key(Tree tree) { + path = tree.getProperty("rep:accessControlledPath").getValue(Type.STRING); + index = tree.getProperty("rep:index").getValue(Type.LONG); } @Override @@ -115,16 +135,13 @@ public class CompiledPermissionImpl impl private static final class Entry { private final boolean isAllow; - private final String[] privilegeNames; + private final PrivilegeBits privilegeBits; private final List restrictions; - private final long permissions; - private Entry(NodeUtil node) { - isAllow = node.hasPrimaryNodeTypeName(NT_REP_GRANT_ACE); - privilegeNames = node.getStrings(REP_PRIVILEGES); + private Entry(Tree entryTree) { + isAllow = ('a' == entryTree.getName().charAt(0)); + privilegeBits = PrivilegeBits.getInstance(entryTree.getProperty(REP_PRIVILEGES)); restrictions = null; // TODO - - permissions = node.getLong("permissions", Permissions.NO_PERMISSION); } } 
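Review bot: The rewritten `Key` constructor dereferences `tree.getProperty("rep:accessControlledPath")` and `tree.getProperty("rep:index")` without a null check, whereas the removed code fell back to `""` and `-1`; `getVersionablePath` in this same commit treats a `getProperty` result as possibly null. A permission-store entry missing either property would therefore abort building the compiled permissions with a bare NullPointerException. If failing is the intent, an exception that names the entry path is easier to diagnose; otherwise the defaults should be restored. Both property names are string literals although the class implements `AccessControlConstants`, so named constants would keep them in step with the code that writes the store. `Key` continues outside the hunk.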
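Review bot: `isAllow = ('a' == entryTree.getName().charAt(0))` in the `Entry` constructor decides allow versus deny from the first character of the node name, replacing the removed node-type check against `NT_REP_GRANT_ACE`. The naming convention this depends on is not visible in the hunk, any entry whose name happens to begin with `a` is read as a grant, and an empty name throws StringIndexOutOfBoundsException. A comment stating the convention, or a named prefix constant shared with the code that writes the entries, would make this grant/deny decision auditable. `restrictions` is still `null; // TODO`, so restricted entries would apply without their restrictions unless that is filled in before evaluation is switched on.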
@@ -134,10 +151,9 @@ public class CompiledPermissionImpl impl private ImmutableSortedMap.Builder groupEntries = ImmutableSortedMap.naturalOrder(); private void addEntry(@Nonnull Principal principal, @Nonnull Tree entryTree) { - NodeUtil node = new NodeUtil(entryTree); - Entry entry = new Entry(node); - if (entry.permissions != Permissions.NO_PERMISSION) { - Key key = new Key(node); + Entry entry = new Entry(entryTree); + if (entry.privilegeBits.isEmpty()) { + Key key = new Key(entryTree); if (principal instanceof Group) { groupEntries.put(key, entry); } else { Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java?rev=1446198&r1=1446197&r2=1446198&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java Thu Feb 14 14:18:35 2013 @@ -16,7 +16,9 @@ */ package org.apache.jackrabbit.oak.security.authorization.permission; +import java.util.Set; import javax.annotation.Nonnull; +import javax.annotation.Nullable; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; 
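Review bot: The guard in `addEntry` looks inverted: `if (entry.privilegeBits.isEmpty()) {` stores only entries that carry no privileges, while the removed line stored entries whose permissions were not `NO_PERMISSION`. Assuming `PrivilegeBits.isEmpty()` means no bit is set, every real allow and deny entry is left out of the user and group maps, which will matter as soon as `getPrivilegeBits` stops being a stub. The condition should read `if (!entry.privilegeBits.isEmpty()) {`. `addEntry` continues outside the hunk.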
@@ -38,4 +40,7 @@ public interface CompiledPermissions { boolean isGranted(@Nonnull String path, long permissions); + Set getPrivileges(@Nullable Tree tree); + + boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames); } Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java?rev=1446198&r1=1446197&r2=1446198&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java Thu Feb 14 14:18:35 2013 @@ -16,7 +16,10 @@ */ package org.apache.jackrabbit.oak.security.authorization.permission; +import java.util.Collections; +import java.util.Set; import javax.annotation.Nonnull; +import javax.annotation.Nullable; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; 
@@ -64,4 +67,14 @@ public final class NoPermissions impleme public boolean isGranted(@Nonnull String path, long permissions) { return false; } + + @Override + public Set getPrivileges(@Nullable Tree tree) { + return Collections.emptySet(); + } + + @Override + public boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames) { + return false; + } } \ No newline at end of file Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java?rev=1446198&r1=1446197&r2=1446198&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java Thu Feb 14 14:18:35 2013 @@ -41,7 +41,7 @@ public final class OpenPermissionProvide @Nonnull @Override - public Set getPrivilegeNames(@Nullable Tree tree) { + public Set getPrivileges(@Nullable Tree tree) { return Collections.singleton(PrivilegeConstants.JCR_ALL); } 
@@ -76,7 +76,7 @@ public final class OpenPermissionProvide } @Override - public boolean hasPermission(@Nonnull String oakPath, String jcrActions) { + public boolean hasPermission(@Nonnull String oakPath, @Nonnull String jcrActions) { return true; } } \ No newline at end of file Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java?rev=1446198&r1=1446197&r2=1446198&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java Thu Feb 14 14:18:35 2013 @@ -29,7 +29,7 @@ import org.apache.jackrabbit.oak.api.Tre public interface PermissionProvider { @Nonnull - Set getPrivilegeNames(@Nullable Tree tree); + Set getPrivileges(@Nullable Tree tree); boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames);