Posted to commits@sling.apache.org by ro...@apache.org on 2019/09/20 08:57:23 UTC
[sling-org-apache-sling-repoinit-parser] branch master updated:
SLING-8602 - Add support for PrincipalAccessControlList and ac-management
by principa
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-repoinit-parser.git
The following commit(s) were added to refs/heads/master by this push:
new b1797e9 SLING-8602 - Add support for PrincipalAccessControlList and ac-management by principa
b1797e9 is described below
commit b1797e911283a94035718bd772cc1743d298d08d
Author: Angela Schreiber <an...@apache.org>
AuthorDate: Fri Sep 20 10:53:23 2019 +0200
SLING-8602 - Add support for PrincipalAccessControlList and ac-management by principa
---
.../parser/operations/OperationVisitor.java | 1 +
.../parser/operations/SetAclPrincipalBased.java | 55 ++++++++++++++++++++++
src/main/javacc/RepoInitGrammar.jjt | 19 ++++++++
.../parser/test/OperationToStringVisitor.java | 18 ++++++-
src/test/resources/testcases/test-33-output.txt | 23 +++++++++
src/test/resources/testcases/test-33.txt | 51 ++++++++++++++++++++
6 files changed, 166 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/apache/sling/repoinit/parser/operations/OperationVisitor.java b/src/main/java/org/apache/sling/repoinit/parser/operations/OperationVisitor.java
index 5912e93..5b4b6b7 100644
--- a/src/main/java/org/apache/sling/repoinit/parser/operations/OperationVisitor.java
+++ b/src/main/java/org/apache/sling/repoinit/parser/operations/OperationVisitor.java
@@ -29,6 +29,7 @@ public interface OperationVisitor {
void visitDeleteServiceUser(DeleteServiceUser s);
void visitSetAclPrincipal(SetAclPrincipals s);
void visitSetAclPaths(SetAclPaths s);
+ void visitSetAclPrincipalBased(SetAclPrincipalBased s);
void visitCreatePath(CreatePath cp);
void visitRegisterNamespace(RegisterNamespace rn);
void visitRegisterNodetypes(RegisterNodetypes b);
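Review bot: Adding the abstract method `visitSetAclPrincipalBased` to the public `OperationVisitor` interface breaks every implementer outside this repository at compile time. An implementer that is not recompiled would fail with `AbstractMethodError` only when the first principal-based statement is visited. If the package is exported with a version, it presumably needs a bump in the same commit; no such file is part of this diff. I would also add a Javadoc line on the new method, for example `/** Visits a "set principal ACL" statement; implementations that cannot apply principal-based entries should fail instead of ignoring the statement. */`, so that a consumer does not skip an access-control statement silently. The interface body continues outside the hunk.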
diff --git a/src/main/java/org/apache/sling/repoinit/parser/operations/SetAclPrincipalBased.java b/src/main/java/org/apache/sling/repoinit/parser/operations/SetAclPrincipalBased.java
new file mode 100644
index 0000000..3d43e61
--- /dev/null
+++ b/src/main/java/org/apache/sling/repoinit/parser/operations/SetAclPrincipalBased.java
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sling.repoinit.parser.operations;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/** Set ACL statement that groups a set of AclLines
+ * that all refer to the same set of principals.
+ */
+public class SetAclPrincipalBased extends AclGroupBase {
+
+ private final List<String> principals;
+
+ public SetAclPrincipalBased(List<String> principals, List<AclLine> lines) {
+ this(principals,lines,new ArrayList<String>());
+ }
+
+ public SetAclPrincipalBased(List<String> principals, List<AclLine> lines, List<String> aclOptions) {
+ super(lines,aclOptions);
+ this.principals = Collections.unmodifiableList(principals);
+ }
+
+ protected String getParametersDescription() {
+ final StringBuilder sb = new StringBuilder();
+ sb.append(principals);
+ sb.append(super.getParametersDescription());
+ return sb.toString();
+ }
+
+ public List<String> getPrincipals() {
+ return principals;
+ }
+
+ @Override
+ public void accept(OperationVisitor v) {
+ v.visitSetAclPrincipalBased(this);
+ }
+}
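Review bot: The three-argument constructor wraps the caller's list with `Collections.unmodifiableList(principals)` but does not copy it, so any code that still holds the original list can change which principals this ACL operation names after it has been built. Copy before wrapping: `this.principals = Collections.unmodifiableList(new ArrayList<String>(principals));`. `getParametersDescription()` calls the `super` version, so it overrides a method of `AclGroupBase` and should carry `@Override`, as `accept` already does. The class Javadoc does not say what distinguishes a principal-based statement from the existing set-ACL-for-principals one, which a reader of the API would want to know.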
diff --git a/src/main/javacc/RepoInitGrammar.jjt b/src/main/javacc/RepoInitGrammar.jjt
index 3b5b83b..0695780 100644
--- a/src/main/javacc/RepoInitGrammar.jjt
+++ b/src/main/javacc/RepoInitGrammar.jjt
@@ -69,6 +69,7 @@ TOKEN:
| < PATH: "path" >
| < END: "end" >
| < REPOSITORY: "repository" >
+| < PRINCIPAL: "principal" >
| < USER: "user" >
| < GROUP: "group" >
| < NODETYPES: "nodetypes" >
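Review bot: Declaring `principal` as a token makes it a reserved word for the whole grammar, so an existing script that uses the bare word `principal` as a user, group or option name would presumably no longer lex as a plain string and would fail to parse. The string token definitions are outside this hunk, so this needs confirming against them. test-33 does not exercise that case. Either add a test that uses `principal` as an identifier in one of the existing statements, or list it among the reserved words in the repoinit syntax documentation.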
@@ -132,6 +133,7 @@ List<Operation> parse() :
serviceUserStatement(result)
| setAclPaths(result)
| setAclPrincipals(result)
+ | setAclPrincipalBased(result)
| setAclRepository(result)
| createPathStatement(result)
| registerNamespaceStatement(result)
@@ -470,6 +472,23 @@ void setAclPrincipals(List<Operation> result) :
}
}
+void setAclPrincipalBased(List<Operation> result) :
+{
+ List <String> principals;
+ List<AclLine> lines = new ArrayList<AclLine>();
+ List<String> aclOptions;
+}
+{
+ <SET> <PRINCIPAL> <ACL> <FOR> principals = principalsList() aclOptions=aclOptions() <EOL>
+ ( removeStarLine(lines) | pathPrivilegesLine(lines) | blankLine() ) +
+ <END>
+ ( <EOL> | <EOF> )
+
+ {
+ result.add(new SetAclPrincipalBased(principals, lines, aclOptions));
+ }
+}
+
void registerNamespaceStatement(List<Operation> result) :
{
Token prefix = null;
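Review bot: The body loop `( removeStarLine(lines) | pathPrivilegesLine(lines) | blankLine() ) +` is satisfied by blank lines alone, so a `set principal ACL for ...` block without any entry would, as far as this hunk shows, still produce a `SetAclPrincipalBased` with an empty `lines` list. If that is intended, a comment above the production should say so, for example `// "set principal ACL for p1,p2 (ACLOptions=...)" ... "end"; a block with no entries yields an operation with no AclLines`. If it is not, the consumer or the grammar should reject it. The declaration `List <String> principals;` has a stray space that the two lines below it do not.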
diff --git a/src/test/java/org/apache/sling/repoinit/parser/test/OperationToStringVisitor.java b/src/test/java/org/apache/sling/repoinit/parser/test/OperationToStringVisitor.java
index 7887431..79aba7f 100644
--- a/src/test/java/org/apache/sling/repoinit/parser/test/OperationToStringVisitor.java
+++ b/src/test/java/org/apache/sling/repoinit/parser/test/OperationToStringVisitor.java
@@ -35,6 +35,7 @@ import org.apache.sling.repoinit.parser.operations.OperationVisitor;
import org.apache.sling.repoinit.parser.operations.RegisterNamespace;
import org.apache.sling.repoinit.parser.operations.RegisterPrivilege;
import org.apache.sling.repoinit.parser.operations.SetAclPaths;
+import org.apache.sling.repoinit.parser.operations.SetAclPrincipalBased;
import org.apache.sling.repoinit.parser.operations.SetAclPrincipals;
/** OperationVisitor that dumps the operations using
@@ -105,7 +106,22 @@ class OperationToStringVisitor implements OperationVisitor {
out.println();
dumpAclLines(s.getLines());
}
-
+
+ @Override
+ public void visitSetAclPrincipalBased(SetAclPrincipalBased s) {
+ out.print(s.getClass().getSimpleName());
+ out.print(" for ");
+ for(String p : s.getPrincipals()) {
+ out.print(p);
+ out.print(' ');
+ }
+
+ dumpAclOptions(s.getOptions());
+
+ out.println();
+ dumpAclLines(s.getLines());
+ }
+
@Override
public void visitCreatePath(CreatePath cp) {
out.println(cp.toString());
diff --git a/src/test/resources/testcases/test-33-output.txt b/src/test/resources/testcases/test-33-output.txt
new file mode 100644
index 0000000..cd489cc
--- /dev/null
+++ b/src/test/resources/testcases/test-33-output.txt
@@ -0,0 +1,23 @@
+SetAclPrincipalBased for principal1 principal2
+ AclLine REMOVE_ALL {paths=[/libs, /apps]}
+ AclLine ALLOW {paths=[/content], privileges=[jcr:read]}
+ AclLine DENY {paths=[/apps], privileges=[jcr:write]}
+ AclLine DENY {nodetypes=[sling:Folder, nt:unstructured], paths=[/apps, /content], privileges=[jcr:lockManagement]}
+ AclLine DENY {nodetypes=[sling:Folder, nt:unstructured], paths=[/apps, /content], privileges=[jcr:modifyProperties]} restrictions=[rep:itemNames=[prop1, prop2]]
+ AclLine REMOVE {paths=[/apps], privileges=[jcr:understand, some:other]}
+ AclLine ALLOW {paths=[/apps], privileges=[jcr:addChildNodes]} restrictions=[rep:ntNames=[sling:Folder, nt:unstructured]]
+ AclLine ALLOW {paths=[/apps], privileges=[jcr:modifyProperties]} restrictions=[rep:ntNames=[sling:Folder, nt:unstructured], rep:itemNames=[prop1, prop2]]
+ AclLine ALLOW {paths=[/apps, /content], privileges=[jcr:addChildNodes]} restrictions=[rep:glob=[/cat, /cat/, cat]]
+ AclLine ALLOW {paths=[/apps, /content], privileges=[jcr:addChildNodes]} restrictions=[rep:glob=[cat/, *, *cat]]
+ AclLine ALLOW {paths=[/apps, /content], privileges=[jcr:addChildNodes]} restrictions=[rep:glob=[/cat/*, */cat, *cat/*]]
+ AclLine ALLOW {paths=[/], privileges=[jcr:something]} restrictions=[rep:glob=[]]
+SetAclPrincipalBased for principal1 principal2 ACLOptions=[mergePreserve]
+ AclLine REMOVE_ALL {paths=[/libs, /apps]}
+ AclLine ALLOW {paths=[/content], privileges=[jcr:read]}
+SetAclPrincipalBased for principal1 principal2 ACLOptions=[mergePreserve, someOtherOption, someOther123, namespaced:option]
+ AclLine REMOVE_ALL {paths=[/libs, /apps]}
+ AclLine ALLOW {paths=[/content], privileges=[jcr:read]}
+SetAclPrincipalBased for principal1 principal2
+ AclLine ALLOW {paths=[:repository], privileges=[jcr:namespaceManagement]}
+SetAclPrincipalBased for principal1
+ AclLine ALLOW {paths=[:repository, /content], privileges=[jcr:all]}
\ No newline at end of file
diff --git a/src/test/resources/testcases/test-33.txt b/src/test/resources/testcases/test-33.txt
new file mode 100644
index 0000000..6319504
--- /dev/null
+++ b/src/test/resources/testcases/test-33.txt
@@ -0,0 +1,51 @@
+# Test the principal-based ACL syntax
+
+set principal ACL for principal1,principal2
+ remove * on /libs,/apps
+ allow jcr:read on /content
+
+ deny jcr:write on /apps
+
+ # Optional nodetypes clause
+ deny jcr:lockManagement on /apps, /content nodetypes sling:Folder, nt:unstructured
+ # nodetypes clause with restriction clause
+ deny jcr:modifyProperties on /apps, /content nodetypes sling:Folder, nt:unstructured restriction(rep:itemNames,prop1,prop2)
+ remove jcr:understand,some:other on /apps
+
+ # multi value restriction
+ allow jcr:addChildNodes on /apps restriction(rep:ntNames,sling:Folder,nt:unstructured)
+
+ # multiple restrictions
+ allow jcr:modifyProperties on /apps restriction(rep:ntNames,sling:Folder,nt:unstructured) restriction(rep:itemNames,prop1,prop2)
+
+ # restrictions with glob patterns
+ allow jcr:addChildNodes on /apps,/content restriction(rep:glob,/cat,/cat/,cat)
+ allow jcr:addChildNodes on /apps,/content restriction(rep:glob,cat/,*,*cat)
+ allow jcr:addChildNodes on /apps,/content restriction(rep:glob,/cat/*,*/cat,*cat/*)
+
+ allow jcr:something on / restriction(rep:glob)
+end
+
+# Test the principal-baesd ACL syntax with options SLING-6423
+
+set principal ACL for principal1,principal2 (ACLOptions=mergePreserve)
+ remove * on /libs,/apps
+ allow jcr:read on /content
+end
+
+# with multiple options
+
+set principal ACL for principal1,principal2 (ACLOptions=mergePreserve,someOtherOption,someOther123,namespaced:option)
+ remove * on /libs,/apps
+ allow jcr:read on /content
+end
+
+# repository level
+
+set principal ACL for principal1,principal2
+ allow jcr:namespaceManagement on :repository
+end
+
+set principal ACL for principal1
+ allow jcr:all on :repository,/content
+end
\ No newline at end of file
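Review bot: The comment `# Test the principal-baesd ACL syntax with options SLING-6423` misspells `principal-based`, and it cites SLING-6423 while this commit is filed under SLING-8602; the reference looks like a leftover from the test case this file was adapted from. The file contains only inputs that are expected to parse. If the test harness has a place for inputs that must be rejected, a case such as `set principal ACL for` followed by no principal would pin down the error path of the new production.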