Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/03/22 11:21:39 UTC
svn commit: r1459696 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/core/
main/java/org/apache/jackrabbit/oak/security/authorization/
main/java/org/apache/jackrabbit/oak/security/authorization/permission/
main/java/org/apa...
Author: angela
Date: Fri Mar 22 10:21:39 2013
New Revision: 1459696
URL: http://svn.apache.org/r1459696
Log:
OAK-527: permissions (wip)
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/ReadStatus.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/OpenPermissionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionProvider.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java?rev=1459696&r1=1459695&r2=1459696&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java Fri Mar 22 10:21:39 2013
@@ -39,6 +39,7 @@ import org.apache.jackrabbit.oak.commons
import org.apache.jackrabbit.oak.core.RootImpl.Move;
import org.apache.jackrabbit.oak.plugins.memory.MemoryPropertyBuilder;
import org.apache.jackrabbit.oak.plugins.memory.MultiStringPropertyState;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
@@ -86,6 +87,8 @@ public class TreeImpl implements Tree {
/** Pointer into the list of pending moves */
private Move pendingMoves;
+ private ReadStatus readStatus = null;
+
TreeImpl(RootImpl root, Move pendingMoves) {
this.root = checkNotNull(root);
this.name = "";
@@ -106,6 +109,7 @@ public class TreeImpl implements Tree {
} else {
this.baseState = parent.baseState.getChildNode(name);
}
+ readStatus = ReadStatus.getChildStatus(parent.readStatus);
}
@Override
@@ -277,7 +281,7 @@ public class TreeImpl implements Tree {
new Predicate<Tree>() {
@Override
public boolean apply(Tree tree) {
- return tree != null && canRead(tree);
+ return tree != null && canRead((TreeImpl) tree);
}
});
}
@@ -564,18 +568,31 @@ public class TreeImpl implements Tree {
}
}
- private boolean canRead(Tree tree) {
+ private boolean canRead(TreeImpl tree) {
// FIXME: access control eval must have full access to the tree
// FIXME: special handling for access control item and version content
- return root.getPermissionProvider().canRead(tree);
+ if (tree.readStatus == null) {
+ tree.readStatus = root.getPermissionProvider().getReadStatus(tree, null);
+ }
+ return tree.readStatus.includes(ReadStatus.ALLOW_THIS);
}
private boolean canRead(PropertyState property) {
// FIXME: access control eval must have full access to the tree/property
// FIXME: special handling for access control item and version content
- return (property != null)
- && root.getPermissionProvider().canRead(this, property)
- && !NodeStateUtils.isHidden(property.getName());
+ if (property == null || NodeStateUtils.isHidden(property.getName())) {
+ return false;
+ }
+ if (readStatus == null || readStatus.appliesToThis()) {
+ ReadStatus rs = root.getPermissionProvider().getReadStatus(this, property);
+ if (rs.appliesToThis()) {
+ // status applies to this property only -> recalc for others
+ return rs.isAllow();
+ } else {
+ readStatus = rs;
+ }
+ }
+ return readStatus.includes(ReadStatus.ALLOW_PROPERTIES);
}
/**
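Review bot: In `canRead(TreeImpl)` the cached `tree.readStatus` is only computed when it is null, but the field can also have been set by `canRead(PropertyState)` (`readStatus = rs`) or inherited in the constructor through `ReadStatus.getChildStatus(parent.readStatus)`, so `includes(ReadStatus.ALLOW_THIS)` may be answered from a status that was never evaluated for the node itself. The result of `getReadStatus` is also dereferenced without a null check, although `PermissionProvider.getReadStatus` carries no `@Nonnull`. Nothing in the visible hunks resets the field, so if a `TreeImpl` can outlive a permission change the cached decision would be stale; that should be confirmed against the refresh path. I would document the field, e.g. `/** Cached read decision for this tree; null = not yet evaluated. Must be reset when the permission setup changes. */`, and keep the node-level and property-level results apart.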
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1459696&r1=1459695&r2=1459696&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Fri Mar 22 10:21:39 2013
@@ -362,7 +362,7 @@ public class AccessControlManagerImpl im
}
private void checkPermission(@Nonnull Tree tree, long permissions) throws AccessDeniedException {
- if (permissionProvider != null && !permissionProvider.isGranted(tree, permissions)) {
+ if (permissionProvider != null && !permissionProvider.isGranted(tree, null, permissions)) {
throw new AccessDeniedException("Access denied at " + tree);
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java?rev=1459696&r1=1459695&r2=1459696&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java Fri Mar 22 10:21:39 2013
@@ -29,6 +29,7 @@ import org.apache.jackrabbit.oak.api.Tre
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
@@ -68,37 +69,25 @@ class TmpPermissionProvider implements P
}
@Override
- public boolean canRead(@Nonnull Tree tree) {
- return true;
+ public ReadStatus getReadStatus(@Nonnull Tree tree, @Nullable PropertyState property) {
+ return ReadStatus.ALLOW_ALL;
}
@Override
- public boolean canRead(@Nonnull Tree tree, @Nonnull PropertyState property) {
- return true;
- }
-
- @Override
- public boolean isGranted(long permissions) {
+ public boolean isGranted(long repositoryPermissions) {
if (isAdmin) {
return true;
} else {
- return permissions == Permissions.READ;
+ return false;
}
}
@Override
- public boolean isGranted(@Nonnull Tree tree, long permissions) {
+ public boolean isGranted(@Nonnull Tree parent, @Nullable PropertyState property, long permissions) {
if (isAdmin) {
return true;
- } else {
+ } else if (property == null) {
return permissions == Permissions.READ_NODE;
- }
- }
-
- @Override
- public boolean isGranted(@Nonnull Tree parent, @Nonnull PropertyState property, long permissions) {
- if (isAdmin) {
- return true;
} else {
return permissions == Permissions.READ_PROPERTY;
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java?rev=1459696&r1=1459695&r2=1459696&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java Fri Mar 22 10:21:39 2013
@@ -22,6 +22,7 @@ import java.util.Set;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
/**
* AllPermissions... TODO
@@ -38,13 +39,8 @@ public final class AllPermissions implem
}
@Override
- public boolean canRead(Tree tree) {
- return true;
- }
-
- @Override
- public boolean canRead(Tree tree, PropertyState property) {
- return true;
+ public ReadStatus getReadStatus(Tree tree, PropertyState property) {
+ return ReadStatus.ALLOW_ALL;
}
@Override
@@ -76,4 +72,4 @@ public final class AllPermissions implem
public boolean hasPrivileges(Tree tree, String... privilegeNames) {
return true;
}
-}
\ No newline at end of file
+}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1459696&r1=1459695&r2=1459696&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Fri Mar 22 10:21:39 2013
@@ -39,6 +39,7 @@ import org.apache.jackrabbit.oak.core.Im
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.util.TreeUtil;
@@ -105,23 +106,15 @@ class CompiledPermissionImpl implements
//------------------------------------------------< CompiledPermissions >---
@Override
- public boolean canRead(Tree tree) {
- for (PermissionEntry entry : filterEntries(tree, null)) {
- if (entry.privilegeBits.includesRead(Permissions.READ_NODE)) {
- return entry.isAllow;
- }
- }
- return false;
- }
-
- @Override
- public boolean canRead(Tree tree, PropertyState property) {
+ public ReadStatus getReadStatus(@Nonnull Tree tree, @Nullable PropertyState property) {
+ // FIXME
+ long permission = (property == null) ? Permissions.READ_NODE : Permissions.READ_PROPERTY;
for (PermissionEntry entry : filterEntries(tree, property)) {
- if (entry.privilegeBits.includesRead(Permissions.READ_PROPERTY)) {
- return entry.isAllow;
+ if (entry.privilegeBits.includesRead(permission)) {
+ return ReadStatus.ALLOW_THIS;
}
}
- return false;
+ return ReadStatus.DENY_THIS;
}
@Override
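Review bot: `getReadStatus` returns `ReadStatus.ALLOW_THIS` for the first entry whose bits include the read permission and no longer consults `entry.isAllow`, which the removed `canRead` methods returned; a matching deny entry is therefore reported as allow. Until the `// FIXME` is resolved, the return inside the loop should keep the entry's polarity: `return entry.isAllow ? ReadStatus.ALLOW_THIS : ReadStatus.DENY_THIS;`. A test with a deny entry that matches before an allow entry would pin this behaviour.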
@@ -181,7 +174,8 @@ class CompiledPermissionImpl implements
}
}
- private Iterable<PermissionEntry> filterEntries(final @Nonnull Tree tree, final @Nullable PropertyState property) {
+ private Iterable<PermissionEntry> filterEntries(final @Nonnull Tree tree,
+ final @Nullable PropertyState property) {
return Iterables.filter(
Iterables.concat(userEntries.values(), groupEntries.values()),
new Predicate<PermissionEntry>() {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java?rev=1459696&r1=1459695&r2=1459696&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java Fri Mar 22 10:21:39 2013
@@ -22,15 +22,15 @@ import javax.annotation.Nullable;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
/**
* CompiledPermissions... TODO
*/
public interface CompiledPermissions {
- boolean canRead(@Nonnull Tree tree);
-
- boolean canRead(@Nonnull Tree tree, @Nonnull PropertyState property);
+ @Nonnull
+ ReadStatus getReadStatus(@Nonnull Tree tree, @Nullable PropertyState property);
boolean isGranted(long permissions);
@@ -40,6 +40,7 @@ public interface CompiledPermissions {
boolean isGranted(@Nonnull String path, long permissions);
+ @Nonnull
Set<String> getPrivileges(@Nullable Tree tree);
boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames);
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java?rev=1459696&r1=1459695&r2=1459696&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java Fri Mar 22 10:21:39 2013
@@ -23,6 +23,7 @@ import javax.annotation.Nullable;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
/**
* NoPermissions... TODO
@@ -39,13 +40,8 @@ public final class NoPermissions impleme
}
@Override
- public boolean canRead(@Nonnull Tree tree) {
- return false;
- }
-
- @Override
- public boolean canRead(@Nonnull Tree tree, @Nonnull PropertyState property) {
- return false;
+ public ReadStatus getReadStatus(@Nonnull Tree tree, @Nullable PropertyState property) {
+ return ReadStatus.DENY_ALL;
}
@Override
@@ -77,4 +73,4 @@ public final class NoPermissions impleme
public boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames) {
return false;
}
-}
\ No newline at end of file
+}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1459696&r1=1459695&r2=1459696&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java Fri Mar 22 10:21:39 2013
@@ -40,6 +40,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
@@ -47,6 +48,7 @@ import org.apache.jackrabbit.oak.util.Tr
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
/**
@@ -103,53 +105,33 @@ public class PermissionProviderImpl impl
}
@Override
- public boolean canRead(@Nonnull Tree tree) {
- if (isHidden(tree, null)) {
- return false;
- } else if (isAccessControlContent(tree)) {
- return canReadAccessControlContent(tree, null);
- } else if (isVersionContent(tree)) {
- return canReadVersionContent(tree, null);
- } else {
- return compiledPermissions.canRead(tree);
- }
- }
-
- @Override
- public boolean canRead(@Nonnull Tree tree, @Nonnull PropertyState property) {
+ public ReadStatus getReadStatus(@Nonnull Tree tree, @Nullable PropertyState property) {
if (isHidden(tree, property)) {
- return false;
- } else if (isAccessControlContent(tree)) {
- return canReadAccessControlContent(tree, property);
- } else if (isVersionContent(tree)) {
- return canReadVersionContent(tree, property);
+ return ReadStatus.DENY_ALL;
+ } else if (isAccessControlContent(tree) && canReadAccessControlContent(tree, property)) {
+ // TODO: review if read-ac permission is never fine-granular
+ return ReadStatus.ALLOW_ALL;
+ } else if (isVersionContent(tree) && canReadVersionContent(tree, property)) {
+ return ReadStatus.ALLOW_THIS;
} else {
- return compiledPermissions.canRead(tree, property);
+ return compiledPermissions.getReadStatus(tree, property);
}
}
@Override
- public boolean isGranted(long permissions) {
- return compiledPermissions.isGranted(permissions);
+ public boolean isGranted(long repositoryPermissions) {
+ return compiledPermissions.isGranted(repositoryPermissions);
}
@Override
- public boolean isGranted(@Nonnull Tree tree, long permissions) {
+ public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) {
if (isVersionContent(tree)) {
- String path = getVersionablePath(tree, null);
+ String path = getVersionablePath(tree, property);
return path != null && compiledPermissions.isGranted(path, permissions);
- } else {
+ } else if (property == null) {
return compiledPermissions.isGranted(tree, permissions);
- }
- }
-
- @Override
- public boolean isGranted(@Nonnull Tree parent, @Nonnull PropertyState property, long permissions) {
- if (isVersionContent(parent)) {
- String path = getVersionablePath(parent, property);
- return path != null && compiledPermissions.isGranted(path, permissions);
} else {
- return compiledPermissions.isGranted(parent, property, permissions);
+ return compiledPermissions.isGranted(tree, property, permissions);
}
}
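Review bot: In `getReadStatus` the access-control and version branches now read `isAccessControlContent(tree) && canReadAccessControlContent(tree, property)`, so when the dedicated check fails the call falls through to `compiledPermissions.getReadStatus(tree, property)` instead of denying as the removed `canRead` methods did. Access control and version content can then become readable through the regular read evaluation. Keep the type test as the branch condition and decide inside it, e.g. `} else if (isAccessControlContent(tree)) {` followed by `return canReadAccessControlContent(tree, property) ? ReadStatus.ALLOW_ALL : ReadStatus.DENY_THIS;`, and likewise for `isVersionContent`. Which DENY constant fits is for the author to settle.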
@@ -168,7 +150,7 @@ public class PermissionProviderImpl impl
return parent != null && isGranted(parent, property, permissions);
} else {
Tree tree = location.getTree();
- return tree != null && isGranted(tree, permissions);
+ return tree != null && isGranted(tree, null, permissions);
}
}
@@ -205,7 +187,7 @@ public class PermissionProviderImpl impl
private static boolean isHidden(@Nonnull Tree tree, @Nullable PropertyState propertyState) {
return ImmutableTree.TypeProvider.TYPE_HIDDEN == ImmutableTree.getType(tree)
- || (propertyState != null && NodeStateUtils.isHidden(propertyState.getName()));
+ && (propertyState != null && NodeStateUtils.isHidden(propertyState.getName()));
}
private static boolean isAccessControlContent(@Nonnull Tree tree) {
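Review bot: Changing `||` to `&&` in `isHidden` makes the method true only when the tree is of type hidden and a hidden property is passed at the same time. For `propertyState == null` it is now always false, so `getReadStatus(tree, null)` no longer returns `DENY_ALL` for hidden trees, and a hidden property under a regular tree is not caught either. `TreeImpl.canRead(PropertyState)` repeats the property-name check, but other callers of the provider would not get it. Unless this is intended, restore the original operator on the second line of the expression: `|| (propertyState != null && NodeStateUtils.isHidden(propertyState.getName()));`.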
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java?rev=1459696&r1=1459695&r2=1459696&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java Fri Mar 22 10:21:39 2013
@@ -143,7 +143,7 @@ class PermissionValidator extends Defaul
}
return null; // no need for further validation down the subtree
} else {
- if (!permissionProvider.isGranted(tree, toTest)) {
+ if (!permissionProvider.isGranted(tree, null, toTest)) {
throw new CommitFailedException(new AccessDeniedException());
}
if (noTraverse(toTest)) {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/OpenPermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/OpenPermissionProvider.java?rev=1459696&r1=1459695&r2=1459696&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/OpenPermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/OpenPermissionProvider.java Fri Mar 22 10:21:39 2013
@@ -56,27 +56,17 @@ public final class OpenPermissionProvide
}
@Override
- public boolean canRead(@Nonnull Tree tree) {
- return true;
- }
-
- @Override
- public boolean canRead(@Nonnull Tree tree, @Nonnull PropertyState property) {
- return true;
- }
-
- @Override
- public boolean isGranted(long permissions) {
- return true;
+ public ReadStatus getReadStatus(@Nonnull Tree tree, PropertyState property) {
+ return ReadStatus.ALLOW_ALL;
}
@Override
- public boolean isGranted(@Nonnull Tree tree, long permissions) {
+ public boolean isGranted(long repositoryPermissions) {
return true;
}
@Override
- public boolean isGranted(@Nonnull Tree parent, @Nonnull PropertyState property, long permissions) {
+ public boolean isGranted(@Nonnull Tree parent, @Nullable PropertyState property, long permissions) {
return true;
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionProvider.java?rev=1459696&r1=1459695&r2=1459696&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionProvider.java Fri Mar 22 10:21:39 2013
@@ -35,15 +35,11 @@ public interface PermissionProvider {
boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames);
- boolean canRead(@Nonnull Tree tree);
+ ReadStatus getReadStatus(@Nonnull Tree tree, @Nullable PropertyState property);
- boolean canRead(@Nonnull Tree tree, @Nonnull PropertyState property);
+ boolean isGranted(long repositoryPermissions);
- boolean isGranted(long permissions);
-
- boolean isGranted(@Nonnull Tree tree, long permissions);
-
- boolean isGranted(@Nonnull Tree parent, @Nonnull PropertyState property, long permissions);
+ boolean isGranted(@Nonnull Tree parent, @Nullable PropertyState property, long permissions);
boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions);
}
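Review bot: `getReadStatus` is declared here without `@Nonnull`, while `CompiledPermissions.getReadStatus` has it and `TreeImpl.canRead` dereferences the result directly; add `@Nonnull` to the declaration so every implementation is held to the same contract. The merged `isGranted(Tree, PropertyState, long)` also needs Javadoc stating that a null `property` means the permission is evaluated for the tree itself, for example `/** @param property the property to test, or {@code null} to test the tree */`. The interface body starts outside this hunk.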
Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/ReadStatus.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/ReadStatus.java?rev=1459696&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/ReadStatus.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/ReadStatus.java Fri Mar 22 10:21:39 2013
@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.permission;
+
+import javax.annotation.CheckForNull;
+import javax.annotation.Nullable;
+
+/**
+ * ReadStatus... TODO
+ */
+public class ReadStatus {
+
+ public static final ReadStatus ALLOW_THIS = new ReadStatus(1, true);
+ public static final ReadStatus ALLOW_CHILDREN = new ReadStatus(2, true);
+ public static final ReadStatus ALLOW_NODES = new ReadStatus(3, true);
+ public static final ReadStatus ALLOW_PROPERTIES = new ReadStatus(4, true);
+ public static final ReadStatus ALLOW_THIS_PROPERTIES = new ReadStatus(5, true);
+ public static final ReadStatus ALLOW_CHILDITEMS = new ReadStatus(6, true);
+ public static final ReadStatus ALLOW_ALL = new ReadStatus(7, true);
+
+ public static final ReadStatus DENY_THIS = new ReadStatus(1, false);
+ public static final ReadStatus DENY_CHILDREN = new ReadStatus(2, false);
+ public static final ReadStatus DENY_NODES = new ReadStatus(3, false);
+ public static final ReadStatus DENY_PROPERTIES = new ReadStatus(4, false);
+ public static final ReadStatus DENY_THIS_PROPERTIES = new ReadStatus(5, false);
+ public static final ReadStatus DENY_CHILDITEMS = new ReadStatus(6, false);
+ public static final ReadStatus DENY_ALL = new ReadStatus(7, false);
+
+ private final int status;
+ private final boolean isAllow;
+
+ private ReadStatus(int status, boolean isAllow) {
+ this.status = status;
+ this.isAllow = isAllow;
+ }
+
+ @CheckForNull
+ public static ReadStatus getChildStatus(@Nullable ReadStatus parentStatus) {
+ if (parentStatus == null) {
+ return null;
+ }
+ switch (parentStatus.status) {
+ case 1: return null; // recalculate for child item
+ case 2:
+ case 3: return (parentStatus.isAllow) ? ALLOW_NODES : null; // TODO
+ case 4:
+ case 5: return (parentStatus.isAllow) ? ALLOW_PROPERTIES : null; // TODO
+ case 6:
+ case 7: return (parentStatus.isAllow) ? ALLOW_ALL : DENY_ALL;
+ default: throw new IllegalArgumentException("invalid status");
+ }
+ }
+
+ public boolean includes(ReadStatus status) {
+ if (this == status) {
+ return true;
+ } else {
+ return isAllow == status.isAllow && Permissions.includes(this.status, status.status);
+ }
+ }
+
+ public boolean isAllow() {
+ return isAllow;
+ }
+
+ public boolean appliesToThis() {
+ return status == 1;
+ }
+}
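Review bot: `getChildStatus` hands `ALLOW_PROPERTIES` to the child for parent status 4 and 5 (the `// TODO` cases), and `TreeImpl.canRead(TreeImpl)` only evaluates when the field is null, so a child created under such a parent would have its properties allowed and its own node tested against `ALLOW_THIS` without any evaluation for that child. If status 4 is meant as "properties of this node", returning `null` there (recalculate, as case 1 does) is the safe choice: `case 5: return null; // properties of the parent say nothing about the child`. The numeric values look like bit flags (1 = this, 2 = children, 4 = properties) combined through `Permissions.includes`, which is not visible here; naming them as private constants and replacing the `ReadStatus... TODO` Javadoc with a description of each flag and of `includes` would make the switch checkable. `includes` also dereferences its argument without a null check.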
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java?rev=1459696&r1=1459695&r2=1459696&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java Fri Mar 22 10:21:39 2013
@@ -23,6 +23,7 @@ import org.apache.jackrabbit.oak.Abstrac
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
import org.junit.Before;
import org.junit.Test;
@@ -49,17 +50,17 @@ public class AllPermissionsTest extends
}
@Test
- public void testCanRead() {
+ public void testGetReadStatus() {
for (String path : paths) {
Tree tree = root.getTree(path);
assertNotNull(tree);
- assertTrue(all.canRead(tree));
- for (PropertyState prop : tree.getProperties()) {
- assertTrue(all.canRead(tree, prop));
- }
+ assertSame(ReadStatus.ALLOW_ALL, all.getReadStatus(tree, null));
for (Tree child : tree.getChildren()) {
- assertTrue(all.canRead(child));
+ assertSame(ReadStatus.ALLOW_ALL, all.getReadStatus(child, null));
+ }
+ for (PropertyState ps : tree.getProperties()) {
+ assertSame(ReadStatus.ALLOW_ALL, all.getReadStatus(tree, ps));
}
}
}