jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1557071 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: security/authorization/accesscontrol/ spi/security/authorization/ spi/security/authorization/accesscontrol/
Date Fri, 10 Jan 2014 10:20:58 GMT
Author: angela
Date: Fri Jan 10 10:20:58 2014
New Revision: 1557071

URL: http://svn.apache.org/r1557071
Log:
OAK-1268 : Add support for composite authorization setup

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.java
  (with props)
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1557071&r1=1557070&r2=1557071&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
Fri Jan 10 10:20:58 2014
@@ -67,6 +67,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager;
 import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
 import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
@@ -90,7 +91,7 @@ import static com.google.common.base.Pre
  * This implementation covers both editing access control content by path and
  * by {@code Principal} resulting both in the same content structure.
  */
-public class AccessControlManagerImpl extends AbstractAccessControlManager implements AccessControlConstants
{
+public class AccessControlManagerImpl extends AbstractAccessControlManager implements PolicyOwner
{
 
     private static final Logger log = LoggerFactory.getLogger(AccessControlManagerImpl.class);
 
@@ -374,6 +375,17 @@ public class AccessControlManagerImpl ex
         return effective.toArray(new AccessControlPolicy[effective.size()]);
     }
 
+    //--------------------------------------------------------< PolicyOwner >---
+    @Override
+    public boolean defines(String absPath, AccessControlPolicy accessControlPolicy) {
+        try {
+            return Util.isValidPolicy(getOakPath(absPath), accessControlPolicy);
+        } catch (RepositoryException e) {
+            log.warn("Invalid absolute path: " + absPath, e.getMessage());
+            return false;
+        }
+    }
+
     //------------------------------------------------------------< private >---
     @CheckForNull
     private Tree getAclTree(@Nullable String oakPath, @Nonnull Tree accessControlledTree)
{

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java?rev=1557071&r1=1557070&r2=1557071&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
Fri Jan 10 10:20:58 2014
@@ -60,13 +60,16 @@ final class Util implements AccessContro
         }
     }
 
-    public static void checkValidPolicy(@Nullable String oakPath, @Nonnull AccessControlPolicy
policy) throws AccessControlException {
+    public static boolean isValidPolicy(@Nullable String oakPath, @Nonnull AccessControlPolicy
policy) {
         if (policy instanceof ACL) {
             String path = ((ACL) policy).getOakPath();
-            if ((path == null && oakPath != null) || (path != null && !path.equals(oakPath)))
{
-                throw new AccessControlException("Invalid access control policy " + policy
+ ": path mismatch " + oakPath);
-            }
-        } else {
+            return !((path == null && oakPath != null) || (path != null &&
!path.equals(oakPath)));
+        }
+        return false;
+    }
+
+    public static void checkValidPolicy(@Nullable String oakPath, @Nonnull AccessControlPolicy
policy) throws AccessControlException {
+        if (!isValidPolicy(oakPath, policy)) {
             throw new AccessControlException("Invalid access control policy " + policy);
         }
     }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java?rev=1557071&r1=1557070&r2=1557071&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java
Fri Jan 10 10:20:58 2014
@@ -21,6 +21,7 @@ import java.util.List;
 import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.jcr.RepositoryException;
+import javax.jcr.security.AccessControlException;
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.AccessControlPolicy;
 import javax.jcr.security.AccessControlPolicyIterator;
@@ -38,6 +39,7 @@ import org.apache.jackrabbit.oak.namepat
 import org.apache.jackrabbit.oak.spi.security.CompositeConfiguration;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.CompositeRestrictionProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
@@ -86,7 +88,11 @@ public class CompositeAuthorizationConfi
     }
 
     /**
-     *
+     * Access control manager that aggregates a list of different access control
+     * manager implementations. Note, that the implementations *must* implement
+     * the {@link org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner}
+     * interface in order to be able to set and remove individual access control
+     * policies.
      */
     private static class CompositeAcMgr extends AbstractAccessControlManager {
 
@@ -113,11 +119,11 @@ public class CompositeAuthorizationConfi
 
         @Override
         public AccessControlPolicy[] getPolicies(String absPath) throws RepositoryException
{
-            ImmutableList.Builder<AccessControlPolicy> privs = ImmutableList.builder();
+            ImmutableList.Builder<AccessControlPolicy> policies = ImmutableList.builder();
             for (AccessControlManager acMgr : acMgrs) {
-                privs.add(acMgr.getPolicies(absPath));
+                policies.add(acMgr.getPolicies(absPath));
             }
-            List<AccessControlPolicy> l = privs.build();
+            List<AccessControlPolicy> l = policies.build();
             return l.toArray(new AccessControlPolicy[l.size()]);
         }
 
@@ -135,21 +141,33 @@ public class CompositeAuthorizationConfi
         public AccessControlPolicyIterator getApplicablePolicies(String absPath) throws RepositoryException
{
             List<AccessControlPolicyIterator> l = Lists.newArrayList();
             for (AccessControlManager acMgr : acMgrs) {
-                l.add(acMgr.getApplicablePolicies(absPath));
+                if (acMgr instanceof PolicyOwner) {
+                    l.add(acMgr.getApplicablePolicies(absPath));
+                }
             }
             return new AccessControlPolicyIteratorAdapter(Iterators.concat(l.toArray(new
AccessControlPolicyIterator[l.size()])));
         }
 
         @Override
         public void setPolicy(String absPath, AccessControlPolicy policy) throws RepositoryException
{
-            // TODO
-            throw new UnsupportedOperationException("not yet implemented.");
+            for (AccessControlManager acMgr : acMgrs) {
+                if (acMgr instanceof PolicyOwner && ((PolicyOwner) acMgr).defines(absPath,
policy)) {
+                    acMgr.setPolicy(absPath, policy);
+                    return;
+                }
+            }
+            throw new AccessControlException("Cannot set access control policy " + policy
+ "; no PolicyOwner found.");
         }
 
         @Override
         public void removePolicy(String absPath, AccessControlPolicy policy) throws RepositoryException
{
-            // TODO
-            throw new UnsupportedOperationException("not yet implemented.");
+            for (AccessControlManager acMgr : acMgrs) {
+                if (acMgr instanceof PolicyOwner && ((PolicyOwner) acMgr).defines(absPath,
policy)) {
+                    acMgr.removePolicy(absPath, policy);
+                    return;
+                }
+            }
+            throw new AccessControlException("Cannot remove access control policy " + policy
+ "; no PolicyOwner found.");
         }
 
         //---------------------------------< JackrabbitAccessControlManager >---
@@ -158,7 +176,9 @@ public class CompositeAuthorizationConfi
             ImmutableList.Builder<JackrabbitAccessControlPolicy> policies = ImmutableList.builder();
             for (AccessControlManager acMgr : acMgrs) {
                 if (acMgr instanceof JackrabbitAccessControlManager) {
-                    policies.add(((JackrabbitAccessControlManager) acMgr).getApplicablePolicies(principal));
+                    if (acMgr instanceof PolicyOwner) {
+                        policies.add(((JackrabbitAccessControlManager) acMgr).getApplicablePolicies(principal));
+                    }
                 }
             }
             List<JackrabbitAccessControlPolicy> l = policies.build();

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.java?rev=1557071&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.java
Fri Jan 10 10:20:58 2014
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol;
+
+import javax.jcr.security.AccessControlPolicy;
+
+/**
+ * Interface to improve pluggability of the {@link javax.jcr.security.AccessControlManager},
+ * namely the interaction of multiple managers within a
+ * single repository. It provides a single method {@link #defines(String, javax.jcr.security.AccessControlPolicy)}
+ * that allows to termine the responsible manager upon
+ * {@link javax.jcr.security.AccessControlManager#setPolicy(String, javax.jcr.security.AccessControlPolicy)
setPolicy}
+ * and
+ * {@link javax.jcr.security.AccessControlManager#removePolicy(String, javax.jcr.security.AccessControlPolicy)
removePolicy}.
+ *
+ * @see org.apache.jackrabbit.oak.spi.security.authorization.CompositeAuthorizationConfiguration
+ */
+public interface PolicyOwner {
+
+    /**
+     * Determines if the implementing {@code AccessManager} defines the specified
+     * {@code acceessControlPolicy} at the given {@code absPath}. If this method
+     * returns {@code true} it is expected that the given policy is valid to be
+     * {@link javax.jcr.security.AccessControlManager#setPolicy(String, javax.jcr.security.AccessControlPolicy)
set}
+     * or {@link javax.jcr.security.AccessControlManager#removePolicy(String, javax.jcr.security.AccessControlPolicy)
removed}
+     * with the manager.
+     *
+     * @param absPath An absolute path.
+     * @param accessControlPolicy The access control policy to be tested.
+     * @return {@code true} If the {@code AccessControlManager} implementing this
+     * interface can handle the specified {@code accessControlPolicy} at the given {@code
path}.
+     */
+    boolean defines(String absPath, AccessControlPolicy accessControlPolicy);
+}
\ No newline at end of file

Propchange: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.java
------------------------------------------------------------------------------
    svn:eol-style = native



Mime
View raw message