Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/03/13 20:05:39 UTC
svn commit: r1456090 - in /jackrabbit/oak/trunk:
oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/
oak-jcr/ oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/
oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/
Author: angela
Date: Wed Mar 13 19:05:38 2013
New Revision: 1456090
URL: http://svn.apache.org/r1456090
Log:
OAK-527: permissions (wip)
OAK-414,OAK-127: replace user/ac specific item importer by SessionContext#getProtectedItemImporters
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java
jackrabbit/oak/trunk/oak-jcr/pom.xml
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/SessionImporter.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1456090&r1=1456089&r2=1456090&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Wed Mar 13 19:05:38 2013
@@ -38,6 +38,7 @@ import javax.jcr.security.AccessControlP
import javax.jcr.security.Privilege;
import javax.security.auth.Subject;
+import com.google.common.base.Objects;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
@@ -109,6 +110,8 @@ public class AccessControlManagerImpl im
acConfig = securityProvider.getAccessControlConfiguration();
restrictionProvider = acConfig.getRestrictionProvider(namePathMapper);
ntMgr = ReadOnlyNodeTypeManager.getInstance(root, namePathMapper);
+
+ permissionProvider = getPermissionProvider();
}
//-----------------------------------------------< AccessControlManager >---
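Review bot: The constructor now resolves the PermissionProvider eagerly through getPermissionProvider(), which reads it from the Subject on the calling thread's AccessControlContext, so this class silently depends on being instantiated inside a Subject.doAs — the one SessionContext#getAccessControlManager sets up elsewhere in this commit. Nothing at the call site says so, and a construction outside that context will quietly fall back to the acConfig-provided provider. A one-line why-comment would save the next reader the cross-module hunt: `// resolved eagerly from the Subject on the current AccessControlContext; callers must construct this inside Subject.doAs(...) (see SessionContext#getAccessControlManager)`. The constructor's opening lines are outside the hunk.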
@@ -358,10 +361,15 @@ public class AccessControlManagerImpl im
@Nonnull
private PermissionProvider getPermissionProvider() {
+ // TODO
if (permissionProvider == null) {
Subject subject = Subject.getSubject(AccessController.getContext());
- Set<Principal> principals = (subject != null) ? subject.getPrincipals() : Collections.<Principal>emptySet();
- permissionProvider = acConfig.getPermissionProvider(root, principals);
+ if (subject != null && !subject.getPublicCredentials(PermissionProvider.class).isEmpty()) {
+ permissionProvider = subject.getPublicCredentials(PermissionProvider.class).iterator().next();
+ } else {
+ Set<Principal> principals = (subject != null) ? subject.getPrincipals() : Collections.<Principal>emptySet();
+ permissionProvider = acConfig.getPermissionProvider(root, principals);
+ }
} else {
permissionProvider.refresh();
}
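Review bot: Any PermissionProvider found in the current Subject's public credentials now replaces the one the access control configuration would hand out, and the new code does this with an empty `// TODO` and no explanation of the trust assumption — whoever controls the Subject on the AccessControlContext controls permission evaluation for this manager. `subject.getPublicCredentials(PermissionProvider.class)` is also called twice, and `iterator().next()` picks an arbitrary element when more than one provider is present instead of treating that as an error. I would hold the set in a local and state the contract: `Set<PermissionProvider> fromSubject = subject.getPublicCredentials(PermissionProvider.class);` followed by `// SessionContext hands the session's provider over via the Subject; expect exactly one` and a guard on `fromSubject.size() == 1` rather than `!isEmpty()`. The method's trailing return is outside the hunk.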
@@ -561,7 +569,7 @@ public class AccessControlManagerImpl im
for (Privilege privilege : privileges) {
privilegeNames.add(namePathMapper.getOakName(privilege.getName()));
}
- return provider.hasPrivileges(tree, privilegeNames.toArray(new String[privilegeNames.size()]));
+ return (privilegeNames.isEmpty()) || provider.hasPrivileges(tree, privilegeNames.toArray(new String[privilegeNames.size()]));
}
@CheckForNull
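Review bot: The new short-circuit returns `true` for an empty privilege set before the provider is consulted, so whatever checks the provider performs on `tree` for that call (existence, readability) no longer run in that case, and the line carries no comment saying why that is acceptable. The pom.xml change in this commit drops AccessControlDiscoveryTest from the known-failing list, which suggests the behavior is intentional, but that reasoning lives only in the commit. A comment such as `// JCR: an empty privilege set is trivially granted, no provider call needed` would make the intent explicit at the code. The method's signature is outside the hunk.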
@@ -637,6 +645,24 @@ public class AccessControlManagerImpl im
PrivilegeBitsProvider getPrivilegeBitsProvider() {
return new PrivilegeBitsProvider(root);
}
+
+ @Override
+ public boolean equals(Object obj) {
+ if (obj == this) {
+ return true;
+ }
+ if (obj instanceof NodeACL) {
+ NodeACL other = (NodeACL) obj;
+ return Objects.equal(getOakPath(), other.getOakPath())
+ && getEntries().equals(other.getEntries());
+ }
+ return false;
+ }
+
+ @Override
+ public int hashCode() {
+ return 0;
+ }
}
private final class PrincipalACL extends NodeACL {
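Review bot: `hashCode()` returning a constant `0` satisfies the equals/hashCode contract but collapses every NodeACL into one hash bucket, and since `equals` already depends only on `getOakPath()` and `getEntries()` the matching hash is a one-liner with the Guava import this commit adds: `return Objects.hashCode(getOakPath(), getEntries());`. The `instanceof NodeACL` test is also asymmetric with the subclass: a NodeACL compared to a PrincipalACL with the same path and entries returns `true`, while the PrincipalACL's own `equals` (next hunk) returns `false` for a plain NodeACL. Using `obj != null && obj.getClass() == getClass()` in both classes restores symmetry. The same two points apply to the PrincipalACL hunk that follows.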
@@ -654,5 +680,23 @@ public class AccessControlManagerImpl im
public RestrictionProvider getRestrictionProvider() {
return rProvider;
}
+
+ @Override
+ public boolean equals(Object obj) {
+ if (obj == this) {
+ return true;
+ }
+ if (obj instanceof PrincipalACL) {
+ PrincipalACL other = (PrincipalACL) obj;
+ return Objects.equal(getOakPath(), other.getOakPath())
+ && getEntries().equals(other.getEntries());
+ }
+ return false;
+ }
+
+ @Override
+ public int hashCode() {
+ return 0;
+ }
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java?rev=1456090&r1=1456089&r2=1456090&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java Wed Mar 13 19:05:38 2013
@@ -26,8 +26,8 @@ import javax.jcr.Session;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
-import org.apache.jackrabbit.oak.security.authorization.permission.PermissionProviderImpl;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
@@ -35,15 +35,19 @@ import org.apache.jackrabbit.oak.spi.sec
/**
* TmpPermissionProvider... TODO remove again once permission evaluation works.
*/
-class TmpPermissionProvider extends PermissionProviderImpl {
+class TmpPermissionProvider implements PermissionProvider {
private final boolean isAdmin;
public TmpPermissionProvider(@Nonnull Root root, @Nonnull Set<Principal> principals, @Nonnull SecurityProvider securityProvider) {
- super(root, principals, securityProvider);
isAdmin = principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals);
}
+ @Override
+ public void refresh() {
+ // nothing to do
+ }
+
@Nonnull
@Override
public Set<String> getPrivileges(@Nullable Tree tree) {
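Review bot: With the `super(root, principals, securityProvider)` call removed, the `root` and `securityProvider` constructor parameters are no longer used by anything visible in this hunk — only `isAdmin` is assigned — so either they feed fields outside the hunk or they are now dead and should be dropped (or the class Javadoc should say they are kept for signature compatibility with the configured provider). The new `refresh()` body says `// nothing to do` without saying why; `// stateless apart from isAdmin, which is fixed from the principals at construction` would let a reader verify that claim against the constructor. The class and the getPrivileges method both continue outside the hunk.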
Modified: jackrabbit/oak/trunk/oak-jcr/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/pom.xml?rev=1456090&r1=1456089&r2=1456090&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-jcr/pom.xml Wed Mar 13 19:05:38 2013
@@ -245,7 +245,6 @@
org.apache.jackrabbit.test.api.observation.AddEventListenerTest#testUUID
org.apache.jackrabbit.test.api.observation.LockingTest#testAddLockToNode
org.apache.jackrabbit.test.api.observation.LockingTest#testRemoveLockFromNode
- org.apache.jackrabbit.test.api.security.AccessControlDiscoveryTest <!-- OAK-527 -->
org.apache.jackrabbit.test.api.security.RSessionAccessControlPolicyTest <!-- OAK-527 -->
org.apache.jackrabbit.oak.jcr.security.user.GroupTest#testCyclicGroups2 <!-- OAK-615 -->
org.apache.jackrabbit.oak.jcr.security.authorization.AccessControlImporterTest#testImportACLRemoveACE <!-- OAK-414 -->
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java?rev=1456090&r1=1456089&r2=1456090&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java Wed Mar 13 19:05:38 2013
@@ -1,7 +1,10 @@
package org.apache.jackrabbit.oak.jcr;
+import java.security.PrivilegedAction;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
import java.util.Map;
-
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.jcr.PathNotFoundException;
@@ -16,6 +19,7 @@ import javax.jcr.observation.Observation
import javax.jcr.query.QueryManager;
import javax.jcr.security.AccessControlManager;
import javax.jcr.version.VersionManager;
+import javax.security.auth.Subject;
import com.google.common.collect.Maps;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
@@ -31,10 +35,10 @@ import org.apache.jackrabbit.oak.plugins
import org.apache.jackrabbit.oak.plugins.nodetype.EffectiveNodeTypeProvider;
import org.apache.jackrabbit.oak.plugins.observation.ObservationManagerImpl;
import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
+import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
-import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
-import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
import static com.google.common.base.Preconditions.checkNotNull;
@@ -48,11 +52,10 @@ public abstract class SessionContext imp
private final ValueFactory valueFactory;
private AccessControlManager accessControlManager;
+ private PermissionProvider permissionProvider;
private PrincipalManager principalManager;
private UserManager userManager;
private PrivilegeManager privilegeManager;
- private UserConfiguration userConfiguration;
- private AccessControlConfiguration accessControlConfiguration;
private ObservationManagerImpl observationManager;
private SessionContext(RepositoryImpl repository, SessionDelegate delegate,
@@ -138,22 +141,30 @@ public abstract class SessionContext imp
}
@Nonnull
- public AccessControlManager getAccessControlManager(SessionDelegate delegate) {
+ public AccessControlManager getAccessControlManager() throws RepositoryException {
if (accessControlManager == null) {
- SecurityProvider securityProvider = repository.getSecurityProvider();
- accessControlManager = securityProvider.getAccessControlConfiguration()
- .getAccessControlManager(delegate.getRoot(), namePathMapper);
+ // TODO
+ Subject subject = new Subject(true, delegate.getAuthInfo().getPrincipals(), Collections.singleton(getPermissionProvider()), Collections.<Object>emptySet());
+ accessControlManager = Subject.doAs(subject, new PrivilegedAction<AccessControlManager>() {
+ @Override
+ public AccessControlManager run() {
+ SecurityProvider securityProvider = repository.getSecurityProvider();
+ return securityProvider.getAccessControlConfiguration().getAccessControlManager(delegate.getRoot(), namePathMapper);
+ }
+ });
}
return accessControlManager;
}
@Nonnull
- public PermissionProvider getPermissionProvider() {
- SecurityProvider securityProvider = repository.getSecurityProvider();
-
- // TODO
- return securityProvider.getAccessControlConfiguration()
- .getPermissionProvider(delegate.getRoot(), delegate.getAuthInfo().getPrincipals());
+ public PermissionProvider getPermissionProvider() throws RepositoryException {
+ if (permissionProvider == null) {
+ SecurityProvider securityProvider = repository.getSecurityProvider();
+ permissionProvider = securityProvider.getAccessControlConfiguration().getPermissionProvider(delegate.getRoot(), delegate.getAuthInfo().getPrincipals());
+ } else {
+ permissionProvider.refresh();
+ }
+ return permissionProvider;
}
@Nonnull
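Review bot: The Subject constructed in getAccessControlManager is a transport: the session's PermissionProvider is put into its public credentials and run under Subject.doAs solely so that AccessControlManagerImpl can pull it back out of the AccessControlContext, yet the only documentation is a bare `// TODO`. That coupling is security-relevant (the credential decides how permissions are evaluated for the manager) and invisible from either side, so I would replace the TODO with `// TODO: interim hand-over; AccessControlManagerImpl reads the PermissionProvider from the Subject's public credentials on its AccessControlContext` and note that the Subject is deliberately read-only (the `true` first argument) so the credential set cannot be altered while the action runs. getPermissionProvider() now refreshes the cached provider on every call after the first, which is fine here but worth a line of Javadoc since the same instance is shared with the access control manager.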
@@ -185,22 +196,15 @@ public abstract class SessionContext imp
}
@Nonnull
- public UserConfiguration getUserConfiguration() {
- if (userConfiguration == null) {
- SecurityProvider securityProvider = repository.getSecurityProvider();
- userConfiguration = securityProvider.getUserConfiguration();
+ public List<ProtectedItemImporter> getProtectedItemImporters() {
+ // TODO: take non-security related importers into account as well (proper configuration)
+ List<ProtectedItemImporter> importers = new ArrayList<ProtectedItemImporter>();
+ for (SecurityConfiguration sc : repository.getSecurityProvider().getSecurityConfigurations()) {
+ importers.addAll(sc.getProtectedItemImporters());
}
- return userConfiguration;
+ return importers;
}
- @Nonnull
- public AccessControlConfiguration getAccessControlConfiguration() {
- if (accessControlConfiguration == null) {
- SecurityProvider securityProvider = repository.getSecurityProvider();
- accessControlConfiguration = securityProvider.getAccessControlConfiguration();
- }
- return accessControlConfiguration;
- }
@Nonnull
public ObservationManager getObservationManager() {
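Review bot: getProtectedItemImporters returns the freshly built ArrayList directly, handing callers a mutable view of what is effectively configuration; `return Collections.unmodifiableList(importers);` costs nothing (Collections is imported in this commit) and matches the method's read-only intent. Separately, SessionImporter calls `importer.init(session, root, sessionContext, ...)` on each returned importer, so if a SecurityConfiguration hands out shared instances rather than new ones per call, two sessions importing concurrently would share importer state — I cannot tell from this hunk which it is, so a Javadoc line stating whether the importers are per-call instances would settle it. The removal of getUserConfiguration/getAccessControlConfiguration is a public API change on SessionContext; callers other than SessionImporter are not visible here.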
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java?rev=1456090&r1=1456089&r2=1456090&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java Wed Mar 13 19:05:38 2013
@@ -428,7 +428,7 @@ public class SessionImpl extends Abstrac
@Override
@Nonnull
public AccessControlManager getAccessControlManager() throws RepositoryException {
- return sessionContext.getAccessControlManager(dlg);
+ return sessionContext.getAccessControlManager();
}
/**
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/SessionImporter.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/SessionImporter.java?rev=1456090&r1=1456089&r2=1456090&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/SessionImporter.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/SessionImporter.java Wed Mar 13 19:05:38 2013
@@ -42,8 +42,6 @@ import org.apache.jackrabbit.commons.Nam
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.jcr.SessionContext;
import org.apache.jackrabbit.oak.plugins.nodetype.EffectiveNodeTypeProvider;
-import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
-import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.xml.NodeInfo;
import org.apache.jackrabbit.oak.spi.xml.PropInfo;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
@@ -102,14 +100,7 @@ public class SessionImporter implements
pItemImporters.clear();
//TODO clarify how to provide ProtectedItemImporters
- UserConfiguration userConfig = sessionContext.getUserConfiguration();
- for (ProtectedItemImporter importer : userConfig.getProtectedItemImporters()) {
- if (importer.init(session, root, sessionContext, false, uuidBehavior, refTracker)) {
- pItemImporters.add(importer);
- }
- }
- AccessControlConfiguration accessControlConfig = sessionContext.getAccessControlConfiguration();
- for (ProtectedItemImporter importer : accessControlConfig.getProtectedItemImporters()) {
+ for (ProtectedItemImporter importer : sessionContext.getProtectedItemImporters()) {
if (importer.init(session, root, sessionContext, false, uuidBehavior, refTracker)) {
pItemImporters.add(importer);
}
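Review bot: The `//TODO clarify how to provide ProtectedItemImporters` comment is now stale in this location: the hunk moves that decision into SessionContext#getProtectedItemImporters, which carries its own TODO about non-security importers. Pointing the reader there avoids two competing TODOs for the same question: `// importers are aggregated by SessionContext#getProtectedItemImporters (security configurations only for now)`. The enclosing method starts before the hunk and the for loop closes after it.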