Posted to oak-commits@jackrabbit.apache.org by tr...@apache.org on 2013/10/22 23:14:41 UTC
svn commit: r1534792 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/permission/
main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/
main/resources/org/apache/jackrabbit/oak/plu...
Author: tripod
Date: Tue Oct 22 21:14:40 2013
New Revision: 1534792
URL: http://svn.apache.org/r1534792
Log:
OAK-527 Implement Permission evaluation
- calculate number of permission entries in commit hook
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionConstants.java
jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AbstractPermissionHookTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java?rev=1534792&r1=1534791&r2=1534792&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java Tue Oct 22 21:14:40 2013
@@ -303,12 +303,15 @@ public class PermissionHook implements P
continue;
}
+ long numEntries = PermissionUtil.getNumPermissions(principalRoot);
+
// check if the node is the correct one
if (PermissionUtil.checkACLPath(parent, accessControlledPath)) {
// remove and reconnect child nodes
NodeBuilder newParent = null;
for (String childName : parent.getChildNodeNames()) {
if (childName.charAt(0) != 'c') {
+ numEntries--;
continue;
}
NodeBuilder child = parent.getChildNode(childName);
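Review bot: The counter read by `long numEntries = PermissionUtil.getNumPermissions(principalRoot);` is only ever adjusted incrementally, so a principal root that holds entries but has no `rep:numPermissions` property starts at 0. Such a root could exist if any content was written before this revision. The `numEntries--` lines here and in the next hunk then drive the value negative, and the add path in the third hunk builds on the same wrong base. Consider recounting the entry children when the property is absent, or at minimum persisting `Math.max(0, numEntries)` so that a negative value is never stored. The enclosing method starts and ends outside this hunk.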
@@ -332,10 +335,14 @@ public class PermissionHook implements P
NodeBuilder child = parent.getChildNode(childName);
if (PermissionUtil.checkACLPath(child, accessControlledPath)) {
// remove child
+ for (String n: child.getChildNodeNames()) {
+ numEntries--;
+ }
child.remove();
}
}
}
+ principalRoot.setProperty(REP_NUM_PERMISSIONS, numEntries);
} else {
log.error("{} {}: Principal root missing.", msg, this);
}
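Review bot: The added loop `for (String n: child.getChildNodeNames()) { numEntries--; }` decrements for every child of the removed node, while the branch above and `updateEntries` count only names where `childName.charAt(0) != 'c'`. If a collision node can itself carry `c`-prefixed children, the counter is reduced too far; if it cannot, a short comment saying so would make the difference intentional. The loop variable `n` is otherwise unused, so the same filter fits naturally: `if (n.charAt(0) != 'c') { numEntries--; }`. The enclosing method starts outside this hunk.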
@@ -387,15 +394,19 @@ public class PermissionHook implements P
// new parent
parent.setProperty(REP_ACCESS_CONTROLLED_PATH, accessControlledPath);
}
- updateEntries(parent, entries.get(principalName));
+ long numEntries = PermissionUtil.getNumPermissions(principalRoot);
+ numEntries+= updateEntries(parent, entries.get(principalName));
+ principalRoot.setProperty(REP_NUM_PERMISSIONS, numEntries);
}
}
- private void updateEntries(NodeBuilder parent, List<AcEntry> list) {
+ private long updateEntries(NodeBuilder parent, List<AcEntry> list) {
// remove old entries
+ long numEntries = 0;
for (String childName : parent.getChildNodeNames()) {
if (childName.charAt(0) != 'c') {
parent.getChildNode(childName).remove();
+ numEntries--;
}
}
for (AcEntry ace: list) {
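Review bot: `updateEntries` now returns a value but has no documentation, and the result is a net change rather than a count. It is decremented for each removed entry child and incremented for each entry written, so it can be negative. A Javadoc such as `/** Replaces the entry children of parent with list and returns the net change in the number of entries (may be negative). */` would make the `numEntries+= updateEntries(...)` call site easier to read. The method body continues past the end of this hunk.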
@@ -407,7 +418,9 @@ public class PermissionHook implements P
for (Restriction restriction : ace.restrictions) {
n.setProperty(restriction.getProperty());
}
+ numEntries++;
}
+ return numEntries;
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java?rev=1534792&r1=1534791&r2=1534792&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java Tue Oct 22 21:14:40 2013
@@ -62,8 +62,7 @@ final class PermissionStore implements P
if (!principalTrees.isEmpty()) {
Iterator<Tree> treeItr = principalTrees.values().iterator();
while (treeItr.hasNext() && cnt < MAX_SIZE) {
- Tree t = treeItr.next();
- cnt += t.getChildrenCount(MAX_SIZE);
+ cnt += PermissionUtil.getNumPermissions(treeItr.next());
}
}
return new PermissionStore(principalTrees, restrictionProvider, (cnt < MAX_SIZE));
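Review bot: `cnt += PermissionUtil.getNumPermissions(treeItr.next());` replaces a count taken from the tree with a stored property, and `getNumPermissions` returns 0 when that property is missing. A principal tree without `rep:numPermissions` therefore contributes nothing, however many entries it holds. The boolean `(cnt < MAX_SIZE)` passed to the constructor would then be true for a store that is actually large; what that flag controls in permission evaluation is not visible here. Falling back to the removed `getChildrenCount(MAX_SIZE)` when the property is absent would keep the old bound for such trees. The enclosing method starts and ends outside the hunk.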
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java?rev=1534792&r1=1534791&r2=1534792&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java Tue Oct 22 21:14:40 2013
@@ -65,6 +65,16 @@ public final class PermissionUtil implem
return String.valueOf(path.hashCode());
}
+ public static long getNumPermissions(@Nonnull NodeBuilder node) {
+ PropertyState property = node.getProperty(REP_NUM_PERMISSIONS);
+ return property == null ? 0 : property.getValue(Type.LONG);
+ }
+
+ public static long getNumPermissions(@Nonnull Tree node) {
+ PropertyState property = node.getProperty(REP_NUM_PERMISSIONS);
+ return property == null ? 0 : property.getValue(Type.LONG);
+ }
+
public static boolean checkACLPath(@Nonnull NodeBuilder node, @Nonnull String path) {
PropertyState property = node.getProperty(REP_ACCESS_CONTROLLED_PATH);
return property != null && path.equals(property.getValue(Type.STRING));
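Review bot: Both `getNumPermissions` overloads are new public methods without Javadoc, and they return 0 both for "no entries" and for "property not set", which callers cannot tell apart. Suggest documenting this on each overload, e.g. `/** Returns the value of rep:numPermissions on the given principal root, or 0 if the property is not set. */`. The two bodies are identical; whether they can share code depends on the `NodeBuilder` and `Tree` types, which are not shown in this hunk. The hunk ends inside `checkACLPath`.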
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionConstants.java?rev=1534792&r1=1534791&r2=1534792&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionConstants.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionConstants.java Tue Oct 22 21:14:40 2013
@@ -37,6 +37,7 @@ public interface PermissionConstants {
String PERMISSIONS_STORE_PATH = '/' + JcrConstants.JCR_SYSTEM + '/' + REP_PERMISSION_STORE;
String REP_ACCESS_CONTROLLED_PATH = "rep:accessControlledPath";
+ String REP_NUM_PERMISSIONS = "rep:numPermissions";
String REP_IS_ALLOW = "rep:isAllow";
String REP_PRIVILEGE_BITS = "rep:privileges";
String REP_INDEX = "rep:index";
Modified: jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd?rev=1534792&r1=1534791&r2=1534792&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd Tue Oct 22 21:14:40 2013
@@ -670,6 +670,7 @@
*/
[rep:PermissionStore]
- rep:accessControlledPath (STRING) protected
+ - rep:numPermissions (LONG) protected
+ * (rep:PermissionStore) = rep:PermissionStore protected IGNORE
+ * (rep:Permissions) = rep:Permissions protected IGNORE
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AbstractPermissionHookTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AbstractPermissionHookTest.java?rev=1534792&r1=1534791&r2=1534792&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AbstractPermissionHookTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AbstractPermissionHookTest.java Tue Oct 22 21:14:40 2013
@@ -343,4 +343,43 @@ public abstract class AbstractPermission
principalRoot = getPrincipalRoot(EveryonePrincipal.NAME);
assertEquals(2, cntEntries(principalRoot));
}
+
+ @Test
+ public void testNumPermissions() throws Exception {
+
+ AccessControlManager acMgr = getAccessControlManager(root);
+ JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
+ acl.addAccessControlEntry(getTestPrincipal(), privilegesFromNames(JCR_READ, REP_WRITE));
+ acMgr.setPolicy(testPath, acl);
+ root.commit();
+
+ assertEquals(1, PermissionUtil.getNumPermissions(getPrincipalRoot(testPrincipalName)));
+ assertEquals(1, PermissionUtil.getNumPermissions(getPrincipalRoot(EveryonePrincipal.NAME)));
+
+ acl = AccessControlUtils.getAccessControlList(acMgr, childPath);
+ acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(JCR_READ));
+ acMgr.setPolicy(childPath, acl);
+ root.commit();
+
+ assertEquals(1, PermissionUtil.getNumPermissions(getPrincipalRoot(testPrincipalName)));
+ assertEquals(2, PermissionUtil.getNumPermissions(getPrincipalRoot(EveryonePrincipal.NAME)));
+
+ acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
+ acl.removeAccessControlEntry(acl.getAccessControlEntries()[0]);
+ acMgr.setPolicy(testPath, acl);
+ root.commit();
+
+ assertEquals(0, PermissionUtil.getNumPermissions(getPrincipalRoot(testPrincipalName)));
+ assertEquals(2, PermissionUtil.getNumPermissions(getPrincipalRoot(EveryonePrincipal.NAME)));
+
+ acl = AccessControlUtils.getAccessControlList(acMgr, childPath);
+ acl.removeAccessControlEntry(acl.getAccessControlEntries()[0]);
+ acMgr.setPolicy(childPath, acl);
+ root.commit();
+
+ assertEquals(0, PermissionUtil.getNumPermissions(getPrincipalRoot(testPrincipalName)));
+ assertEquals(1, PermissionUtil.getNumPermissions(getPrincipalRoot(EveryonePrincipal.NAME)));
+ }
+
+
}
\ No newline at end of file
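Review bot: `testNumPermissions` covers adding and removing a single entry per path, but not the branches where the counter arithmetic is least obvious. Those are replacing an ACL that already has entries with a different number of entries (the negative part of the `updateEntries` result) and removing an ACL stored under a collision node. One case per branch, asserting `getNumPermissions` against `cntEntries(principalRoot)`, would tie the stored counter to the real child count. This assumes `cntEntries` counts the same entry nodes, which is not visible here.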