jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1456090 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ oak-jcr/ oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/ oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/
Date Wed, 13 Mar 2013 19:05:39 GMT
Author: angela
Date: Wed Mar 13 19:05:38 2013
New Revision: 1456090

URL: http://svn.apache.org/r1456090
Log:
OAK-527: permissions (wip)
OAK-414,OAK-127: replace user/ac specific item importer by SessionContext#getProtectedItemImporters

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java
    jackrabbit/oak/trunk/oak-jcr/pom.xml
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/SessionImporter.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1456090&r1=1456089&r2=1456090&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
Wed Mar 13 19:05:38 2013
@@ -38,6 +38,7 @@ import javax.jcr.security.AccessControlP
 import javax.jcr.security.Privilege;
 import javax.security.auth.Subject;
 
+import com.google.common.base.Objects;
 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
@@ -109,6 +110,8 @@ public class AccessControlManagerImpl im
         acConfig = securityProvider.getAccessControlConfiguration();
         restrictionProvider = acConfig.getRestrictionProvider(namePathMapper);
         ntMgr = ReadOnlyNodeTypeManager.getInstance(root, namePathMapper);
+
+        permissionProvider = getPermissionProvider();
     }
 
     //-----------------------------------------------< AccessControlManager >---
@@ -358,10 +361,15 @@ public class AccessControlManagerImpl im
 
     @Nonnull
     private PermissionProvider getPermissionProvider() {
+        // TODO
         if (permissionProvider == null) {
             Subject subject = Subject.getSubject(AccessController.getContext());
-            Set<Principal> principals = (subject != null) ? subject.getPrincipals()
: Collections.<Principal>emptySet();
-            permissionProvider = acConfig.getPermissionProvider(root, principals);
+            if (subject != null && !subject.getPublicCredentials(PermissionProvider.class).isEmpty())
{
+                permissionProvider = subject.getPublicCredentials(PermissionProvider.class).iterator().next();
+            } else {
+                Set<Principal> principals = (subject != null) ? subject.getPrincipals()
: Collections.<Principal>emptySet();
+                permissionProvider = acConfig.getPermissionProvider(root, principals);
+            }
         } else {
             permissionProvider.refresh();
         }
@@ -561,7 +569,7 @@ public class AccessControlManagerImpl im
         for (Privilege privilege : privileges) {
             privilegeNames.add(namePathMapper.getOakName(privilege.getName()));
         }
-        return provider.hasPrivileges(tree, privilegeNames.toArray(new String[privilegeNames.size()]));
+        return (privilegeNames.isEmpty()) || provider.hasPrivileges(tree, privilegeNames.toArray(new
String[privilegeNames.size()]));
     }
 
     @CheckForNull
@@ -637,6 +645,24 @@ public class AccessControlManagerImpl im
         PrivilegeBitsProvider getPrivilegeBitsProvider() {
             return new PrivilegeBitsProvider(root);
         }
+
+        @Override
+        public boolean equals(Object obj) {
+            if (obj == this) {
+                return true;
+            }
+            if (obj instanceof NodeACL) {
+                NodeACL other = (NodeACL) obj;
+                return Objects.equal(getOakPath(), other.getOakPath())
+                        && getEntries().equals(other.getEntries());
+            }
+            return false;
+        }
+
+        @Override
+        public int hashCode() {
+            return 0;
+        }
     }
 
     private final class PrincipalACL extends NodeACL {
@@ -654,5 +680,23 @@ public class AccessControlManagerImpl im
         public RestrictionProvider getRestrictionProvider() {
             return rProvider;
         }
+
+        @Override
+        public boolean equals(Object obj) {
+            if (obj == this) {
+                return true;
+            }
+            if (obj instanceof PrincipalACL) {
+                PrincipalACL other = (PrincipalACL) obj;
+                return Objects.equal(getOakPath(), other.getOakPath())
+                        && getEntries().equals(other.getEntries());
+            }
+            return false;
+        }
+
+        @Override
+        public int hashCode() {
+            return 0;
+        }
     }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java?rev=1456090&r1=1456089&r2=1456090&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java
Wed Mar 13 19:05:38 2013
@@ -26,8 +26,8 @@ import javax.jcr.Session;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
-import org.apache.jackrabbit.oak.security.authorization.permission.PermissionProviderImpl;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
 import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
@@ -35,15 +35,19 @@ import org.apache.jackrabbit.oak.spi.sec
 /**
  * TmpPermissionProvider... TODO remove again once permission evaluation works.
  */
-class TmpPermissionProvider extends PermissionProviderImpl {
+class TmpPermissionProvider implements PermissionProvider {
 
     private final boolean isAdmin;
 
     public TmpPermissionProvider(@Nonnull Root root, @Nonnull Set<Principal> principals,
@Nonnull SecurityProvider securityProvider) {
-        super(root, principals, securityProvider);
         isAdmin = principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals);
     }
 
+    @Override
+    public void refresh() {
+        // nothing to do
+    }
+
     @Nonnull
     @Override
     public Set<String> getPrivileges(@Nullable Tree tree) {

Modified: jackrabbit/oak/trunk/oak-jcr/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/pom.xml?rev=1456090&r1=1456089&r2=1456090&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-jcr/pom.xml Wed Mar 13 19:05:38 2013
@@ -245,7 +245,6 @@
       org.apache.jackrabbit.test.api.observation.AddEventListenerTest#testUUID
       org.apache.jackrabbit.test.api.observation.LockingTest#testAddLockToNode
       org.apache.jackrabbit.test.api.observation.LockingTest#testRemoveLockFromNode
-      org.apache.jackrabbit.test.api.security.AccessControlDiscoveryTest                
                   <!-- OAK-527 -->
       org.apache.jackrabbit.test.api.security.RSessionAccessControlPolicyTest           
                   <!-- OAK-527 -->
       org.apache.jackrabbit.oak.jcr.security.user.GroupTest#testCyclicGroups2           
                   <!-- OAK-615 -->
       org.apache.jackrabbit.oak.jcr.security.authorization.AccessControlImporterTest#testImportACLRemoveACE
<!-- OAK-414 -->

Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java?rev=1456090&r1=1456089&r2=1456090&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java
Wed Mar 13 19:05:38 2013
@@ -1,7 +1,10 @@
 package org.apache.jackrabbit.oak.jcr;
 
+import java.security.PrivilegedAction;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
 import java.util.Map;
-
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import javax.jcr.PathNotFoundException;
@@ -16,6 +19,7 @@ import javax.jcr.observation.Observation
 import javax.jcr.query.QueryManager;
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.version.VersionManager;
+import javax.security.auth.Subject;
 
 import com.google.common.collect.Maps;
 import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
@@ -31,10 +35,10 @@ import org.apache.jackrabbit.oak.plugins
 import org.apache.jackrabbit.oak.plugins.nodetype.EffectiveNodeTypeProvider;
 import org.apache.jackrabbit.oak.plugins.observation.ObservationManagerImpl;
 import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
+import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
-import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
 import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
-import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 
@@ -48,11 +52,10 @@ public abstract class SessionContext imp
     private final ValueFactory valueFactory;
 
     private AccessControlManager accessControlManager;
+    private PermissionProvider permissionProvider;
     private PrincipalManager principalManager;
     private UserManager userManager;
     private PrivilegeManager privilegeManager;
-    private UserConfiguration userConfiguration;
-    private AccessControlConfiguration accessControlConfiguration;
     private ObservationManagerImpl observationManager;
 
     private SessionContext(RepositoryImpl repository, SessionDelegate delegate,
@@ -138,22 +141,30 @@ public abstract class SessionContext imp
     }
 
     @Nonnull
-    public AccessControlManager getAccessControlManager(SessionDelegate delegate) {
+    public AccessControlManager getAccessControlManager() throws RepositoryException {
         if (accessControlManager == null) {
-            SecurityProvider securityProvider = repository.getSecurityProvider();
-            accessControlManager = securityProvider.getAccessControlConfiguration()
-                    .getAccessControlManager(delegate.getRoot(), namePathMapper);
+            // TODO
+            Subject subject = new Subject(true, delegate.getAuthInfo().getPrincipals(), Collections.singleton(getPermissionProvider()),
Collections.<Object>emptySet());
+            accessControlManager = Subject.doAs(subject, new PrivilegedAction<AccessControlManager>()
{
+                @Override
+                public AccessControlManager run() {
+                    SecurityProvider securityProvider = repository.getSecurityProvider();
+                    return securityProvider.getAccessControlConfiguration().getAccessControlManager(delegate.getRoot(),
namePathMapper);
+                }
+            });
         }
         return accessControlManager;
     }
 
     @Nonnull
-    public PermissionProvider getPermissionProvider() {
-        SecurityProvider securityProvider = repository.getSecurityProvider();
-
-        // TODO
-        return securityProvider.getAccessControlConfiguration()
-                .getPermissionProvider(delegate.getRoot(), delegate.getAuthInfo().getPrincipals());
+    public PermissionProvider getPermissionProvider() throws RepositoryException {
+        if (permissionProvider == null) {
+            SecurityProvider securityProvider = repository.getSecurityProvider();
+            permissionProvider = securityProvider.getAccessControlConfiguration().getPermissionProvider(delegate.getRoot(),
delegate.getAuthInfo().getPrincipals());
+        } else {
+            permissionProvider.refresh();
+        }
+        return permissionProvider;
     }
 
     @Nonnull
@@ -185,22 +196,15 @@ public abstract class SessionContext imp
     }
 
     @Nonnull
-    public UserConfiguration getUserConfiguration() {
-        if (userConfiguration == null) {
-            SecurityProvider securityProvider = repository.getSecurityProvider();
-            userConfiguration = securityProvider.getUserConfiguration();
+    public List<ProtectedItemImporter> getProtectedItemImporters() {
+        // TODO: take non-security related importers into account as well (proper configuration)
+        List<ProtectedItemImporter> importers = new ArrayList<ProtectedItemImporter>();
+        for (SecurityConfiguration sc : repository.getSecurityProvider().getSecurityConfigurations())
{
+            importers.addAll(sc.getProtectedItemImporters());
         }
-        return userConfiguration;
+        return importers;
     }
 
-    @Nonnull
-    public AccessControlConfiguration getAccessControlConfiguration() {
-        if (accessControlConfiguration == null) {
-            SecurityProvider securityProvider = repository.getSecurityProvider();
-            accessControlConfiguration = securityProvider.getAccessControlConfiguration();
-        }
-        return accessControlConfiguration;
-    }
 
     @Nonnull
     public ObservationManager getObservationManager() {

Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java?rev=1456090&r1=1456089&r2=1456090&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
Wed Mar 13 19:05:38 2013
@@ -428,7 +428,7 @@ public class SessionImpl extends Abstrac
     @Override
     @Nonnull
     public AccessControlManager getAccessControlManager() throws RepositoryException {
-        return sessionContext.getAccessControlManager(dlg);
+        return sessionContext.getAccessControlManager();
     }
 
     /**

Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/SessionImporter.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/SessionImporter.java?rev=1456090&r1=1456089&r2=1456090&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/SessionImporter.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/SessionImporter.java
Wed Mar 13 19:05:38 2013
@@ -42,8 +42,6 @@ import org.apache.jackrabbit.commons.Nam
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.jcr.SessionContext;
 import org.apache.jackrabbit.oak.plugins.nodetype.EffectiveNodeTypeProvider;
-import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
-import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
 import org.apache.jackrabbit.oak.spi.xml.NodeInfo;
 import org.apache.jackrabbit.oak.spi.xml.PropInfo;
 import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
@@ -102,14 +100,7 @@ public class SessionImporter implements 
         pItemImporters.clear();
 
         //TODO clarify how to provide ProtectedItemImporters
-        UserConfiguration userConfig = sessionContext.getUserConfiguration();
-        for (ProtectedItemImporter importer : userConfig.getProtectedItemImporters()) {
-            if (importer.init(session, root, sessionContext, false, uuidBehavior, refTracker))
{
-                pItemImporters.add(importer);
-            }
-        }
-        AccessControlConfiguration accessControlConfig = sessionContext.getAccessControlConfiguration();
-        for (ProtectedItemImporter importer : accessControlConfig.getProtectedItemImporters())
{
+        for (ProtectedItemImporter importer : sessionContext.getProtectedItemImporters())
{
             if (importer.init(session, root, sessionContext, false, uuidBehavior, refTracker))
{
                 pItemImporters.add(importer);
             }



Mime
View raw message