jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1540659 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/restriction/ main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ main/java/org/apache/jackrabbit/oak/spi/...
Date Mon, 11 Nov 2013 10:38:03 GMT
Author: angela
Date: Mon Nov 11 10:38:03 2013
New Revision: 1540659

URL: http://svn.apache.org/r1540659
Log:
OAK-51 : Access Control Management (add restriction that allows filtering by namespace prefix)

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrefixPattern.java
      - copied, changed from r1540632, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java

Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrefixPattern.java
(from r1540632, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrefixPattern.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrefixPattern.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java&r1=1540632&r2=1540659&rev=1540659&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrefixPattern.java
Mon Nov 11 10:38:03 2013
@@ -24,30 +24,38 @@ import com.google.common.collect.Immutab
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
-import org.apache.jackrabbit.oak.util.TreeUtil;
+import org.apache.jackrabbit.util.Text;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Implementation of the {@link RestrictionPattern} interface that returns
- * {@code true} if the primary type of the target tree (or the parent of a
- * target property) is contained in the configured node type name. This allows
- * to limit certain operations (e.g. adding or removing a child tree) to
- * nodes with a specific node type.
+ * Implementation of the
+ * {@link org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern}
+ * interface that returns {@code true} if the name of the target property or tree
+ * starts with any of the configured namespace prefixes.
  */
-class NodeTypePattern implements RestrictionPattern {
+class PrefixPattern implements RestrictionPattern {
 
-    private static final Logger log = LoggerFactory.getLogger(NodeTypePattern.class);
+    private static final Logger log = LoggerFactory.getLogger(PrefixPattern.class);
 
-    private final Set<String> nodeTypeNames;
+    private final Set<String> prefixes;
 
-    NodeTypePattern(@Nonnull Iterable<String> nodeTypeNames) {
-        this.nodeTypeNames = ImmutableSet.copyOf(nodeTypeNames);
+    PrefixPattern(@Nonnull Iterable<String> prefixes) {
+        this.prefixes = ImmutableSet.copyOf(prefixes);
     }
 
     @Override
     public boolean matches(@Nonnull Tree tree, @Nullable PropertyState property) {
-        return nodeTypeNames.contains(TreeUtil.getPrimaryTypeName(tree));
+        String name = (property != null) ? property.getName() : tree.getName();
+        String prefix = Text.getNamespacePrefix(name);
+        if (!prefix.isEmpty()) {
+            for (String p : prefixes) {
+                if (prefix.equals(p)) {
+                    return true;
+                }
+            }
+        }
+        return false;
     }
 
     @Override
@@ -68,7 +76,7 @@ class NodeTypePattern implements Restric
      */
     @Override
     public int hashCode() {
-        return nodeTypeNames.hashCode();
+        return prefixes.hashCode();
     }
 
     /**
@@ -76,7 +84,7 @@ class NodeTypePattern implements Restric
      */
     @Override
     public String toString() {
-        return nodeTypeNames.toString();
+        return prefixes.toString();
     }
 
     /**
@@ -87,9 +95,9 @@ class NodeTypePattern implements Restric
         if (obj == this) {
             return true;
         }
-        if (obj instanceof NodeTypePattern) {
-            NodeTypePattern other = (NodeTypePattern) obj;
-            return nodeTypeNames.equals(other.nodeTypeNames);
+        if (obj instanceof PrefixPattern) {
+            PrefixPattern other = (PrefixPattern) obj;
+            return prefixes.equals(other.prefixes);
         }
         return false;
     }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
Mon Nov 11 10:38:03 2013
@@ -57,7 +57,8 @@ public class RestrictionProviderImpl ext
     private static Map<String, RestrictionDefinition> supportedRestrictions() {
         RestrictionDefinition glob = new RestrictionDefinitionImpl(REP_GLOB, Type.STRING,
false);
         RestrictionDefinition nts = new RestrictionDefinitionImpl(REP_NT_NAMES, Type.NAMES,
false);
-        return ImmutableMap.of(glob.getName(), glob, nts.getName(), nts);
+        RestrictionDefinition pfxs = new RestrictionDefinitionImpl(REP_PREFIXES, Type.STRINGS,
false);
+        return ImmutableMap.of(glob.getName(), glob, nts.getName(), nts, pfxs.getName(),
pfxs);
     }
 
     //------------------------------------------------< RestrictionProvider >---
@@ -78,6 +79,11 @@ public class RestrictionProviderImpl ext
                 patterns.add(new NodeTypePattern(ntNames.getValue(Type.NAMES)));
             }
 
+            PropertyState prefixes = tree.getProperty(REP_PREFIXES);
+            if (prefixes != null) {
+                patterns.add(new PrefixPattern(prefixes.getValue(Type.STRINGS)));
+            }
+
             switch (patterns.size()) {
                 case 1 : return patterns.get(0);
                 case 2 : return new CompositePattern(patterns);

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java
Mon Nov 11 10:38:03 2013
@@ -34,12 +34,21 @@ public interface AccessControlConstants 
     String REP_NODE_PATH = "rep:nodePath";
 
     /**
-     * Name of the optional access control restriction by node type name.
+     * Name of the optional multivalued access control restriction by node type name.
      * The corresponding restriction type is {@link org.apache.jackrabbit.oak.api.Type#NAMES}.
      *
      * @since OAK 1.0
      */
     String REP_NT_NAMES = "rep:ntNames";
+
+    /**
+     * Name of the optional multivalued access control restriction which matches by name
space prefix.
+     * The corresponding restriction type is {@link org.apache.jackrabbit.oak.api.Type#STRINGS}.
+     *
+     * @since OAK 1.0
+     */
+    String REP_PREFIXES = "rep:prefixes";
+
     /**
      * @since OAK 1.0
      */

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
Mon Nov 11 10:38:03 2013
@@ -175,7 +175,7 @@ public abstract class AbstractRestrictio
 
     @Nonnull
     private Restriction createRestriction(PropertyState propertyState, RestrictionDefinition
definition) {
-        return new RestrictionImpl(propertyState, definition.isMandatory());
+        return new RestrictionImpl(propertyState, definition);
     }
 
     @Nonnull

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java
Mon Nov 11 10:38:03 2013
@@ -50,6 +50,7 @@ public class RestrictionDefinitionImpl i
         this.type = type;
         this.isMandatory = isMandatory;
     }
+
     //----------------------------------------------< RestrictionDefinition >---
     @Nonnull
     @Override

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
Mon Nov 11 10:38:03 2013
@@ -29,6 +29,11 @@ public class RestrictionImpl implements 
     private final RestrictionDefinition definition;
     private final PropertyState property;
 
+    public RestrictionImpl(@Nonnull PropertyState property, @Nonnull RestrictionDefinition
def) {
+        this.definition = def;
+        this.property = property;
+    }
+
     public RestrictionImpl(@Nonnull PropertyState property, boolean isMandatory) {
         this.definition = new RestrictionDefinitionImpl(property.getName(), property.getType(),
isMandatory);
         this.property = property;

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
Mon Nov 11 10:38:03 2013
@@ -589,10 +589,11 @@ public class ACLTest extends AbstractAcc
     public void testRestrictions() throws Exception {
         String[] names = acl.getRestrictionNames();
         assertNotNull(names);
-        assertEquals(2, names.length);
-        assertArrayEquals(new String[] {REP_GLOB, REP_NT_NAMES}, names);
+        assertEquals(3, names.length);
+        assertArrayEquals(new String[] {REP_GLOB, REP_NT_NAMES, REP_PREFIXES}, names);
         assertEquals(PropertyType.STRING, acl.getRestrictionType(names[0]));
         assertEquals(PropertyType.NAME, acl.getRestrictionType(names[1]));
+        assertEquals(PropertyType.STRING, acl.getRestrictionType(names[2]));
 
         Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
 

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
Mon Nov 11 10:38:03 2013
@@ -63,7 +63,7 @@ public class RestrictionProviderImplTest
 
         Set<RestrictionDefinition> defs = provider.getSupportedRestrictions("/testPath");
         assertNotNull(defs);
-        assertEquals(2, defs.size());
+        assertEquals(3, defs.size());
 
         for (RestrictionDefinition def : defs) {
             if (REP_GLOB.equals(def.getName())) {
@@ -72,6 +72,9 @@ public class RestrictionProviderImplTest
             } else if (REP_NT_NAMES.equals(def.getName())) {
                 assertEquals(Type.NAMES, def.getRequiredType());
                 assertFalse(def.isMandatory());
+            } else if (REP_PREFIXES.equals(def.getName())) {
+                assertEquals(Type.STRINGS, def.getRequiredType());
+                assertFalse(def.isMandatory());
             } else {
                 fail("unexpected restriction " + def.getName());
             }

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
Mon Nov 11 10:38:03 2013
@@ -47,7 +47,8 @@ public class CompositeRestrictionProvide
 
     private RestrictionProvider rp1 = new TestProvider(ImmutableMap.<String, RestrictionDefinition>of(
             REP_GLOB, new RestrictionDefinitionImpl(REP_GLOB, Type.STRING, false),
-            REP_NT_NAMES, new RestrictionDefinitionImpl(REP_NT_NAMES, Type.NAMES, false)
+            REP_NT_NAMES, new RestrictionDefinitionImpl(REP_NT_NAMES, Type.NAMES, false),
+            REP_PREFIXES, new RestrictionDefinitionImpl(REP_PREFIXES, Type.STRINGS, false)
     ));
     private RestrictionProvider rp2 = new TestProvider(ImmutableMap.of(
             "boolean", new RestrictionDefinitionImpl("boolean", Type.BOOLEAN, true),

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java
Mon Nov 11 10:38:03 2013
@@ -92,7 +92,9 @@ public class RestrictionDefinitionImplTe
         // - different name
         defs.add(new RestrictionDefinitionImpl("otherName", Type.NAME, true));
         // - different mandatory flag
-        defs.add(new RestrictionDefinitionImpl(name, Type.NAMES, false));
+        defs.add(new RestrictionDefinitionImpl(name, Type.NAME, false));
+        // - different mv flag
+        defs.add(new RestrictionDefinitionImpl(name, Type.NAMES, true));
         // - different impl
         defs.add(new RestrictionDefinition() {
             @Override
@@ -107,6 +109,7 @@ public class RestrictionDefinitionImplTe
             public boolean isMandatory() {
                 return true;
             }
+
         });
 
         for (RestrictionDefinition rd : defs) {

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
Mon Nov 11 10:38:03 2013
@@ -94,7 +94,7 @@ public class RestrictionImplTest extends
         // - different type
         rs.add(new RestrictionImpl(PropertyStates.createProperty(name, value, Type.STRING),
true));
         // - different multi-value status
-        rs.add(new RestrictionImpl(PropertyStates.createProperty(name, ImmutableList.of(value),
Type.STRINGS), true));
+        rs.add(new RestrictionImpl(PropertyStates.createProperty(name, ImmutableList.of(value),
Type.NAMES), true));
         // - different name
         rs.add(new RestrictionImpl(createProperty("otherName", value), true));
         // - different value



Mime
View raw message