Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/03/05 20:38:25 UTC
svn commit: r1452958 - in /jackrabbit/oak/trunk:
oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/
oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/
oak-core/src/main/resources/org/apache/jackrab...
Author: angela
Date: Tue Mar 5 19:38:25 2013
New Revision: 1452958
URL: http://svn.apache.org/r1452958
Log:
OAK-527: permissions (wip)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java?rev=1452958&r1=1452957&r2=1452958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java Tue Mar 5 19:38:25 2013
@@ -18,13 +18,14 @@ package org.apache.jackrabbit.oak.securi
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.util.TreeUtil;
/**
* AccessControlContext... TODO
*/
-final class AccessControlContext implements Context, AccessControlConstants {
+final class AccessControlContext implements Context, AccessControlConstants, PermissionConstants {
private static final Context INSTANCE = new AccessControlContext();
@@ -44,6 +45,6 @@ final class AccessControlContext impleme
@Override
public boolean definesTree(Tree tree) {
String ntName = TreeUtil.getPrimaryTypeName(tree);
- return AC_NODETYPE_NAMES.contains(ntName);
+ return AC_NODETYPE_NAMES.contains(ntName) || PERMISSION_NODETYPE_NAMES.contains(ntName);
}
}
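Review bot: `definesTree` now also returns true for the permission store node types, but nothing documents that widened contract; the class Javadoc still reads `AccessControlContext... TODO`. A method comment such as `// true when the tree's primary type is an access control node type or a permission store node type` would make clear that callers like AccessControlManagerImpl treat both as off-limits. The test looks only at the primary type of the tree passed in, so whether descendants of such a tree are covered depends on the callers, which are not visible here.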
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1452958&r1=1452957&r2=1452958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Tue Mar 5 19:38:25 2013
@@ -350,8 +350,7 @@ public class AccessControlManagerImpl im
checkPermission(tree);
// check if the tree is access controlled
- String ntName = TreeUtil.getPrimaryTypeName(tree);
- if (AC_NODETYPE_NAMES.contains(ntName)) {
+ if (acConfig.getContext().definesTree(tree)) {
throw new AccessControlException("Tree " + tree.getPath() + " defines access control content.");
}
return tree;
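Review bot: The exception text `defines access control content` is now also raised for trees of the permission store node types, because the check goes through `definesTree`, which this commit extends. The commit shows no test for that new rejection. A case that requests a policy on a permission store tree and expects `AccessControlException` would pin the behaviour. The enclosing method starts and ends outside the hunk.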
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java?rev=1452958&r1=1452957&r2=1452958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java Tue Mar 5 19:38:25 2013
@@ -17,8 +17,11 @@
package org.apache.jackrabbit.oak.security.authorization;
import java.security.Principal;
+import java.util.Collections;
import java.util.Set;
import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.jcr.Session;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
@@ -41,6 +44,25 @@ class TmpPermissionProvider extends Perm
isAdmin = principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals);
}
+ @Nonnull
+ @Override
+ public Set<String> getPrivileges(@Nullable Tree tree) {
+ if (isAdmin) {
+ return Collections.singleton("jcr:all");
+ } else {
+ return Collections.singleton("jcr:read");
+ }
+ }
+
+ @Override
+ public boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames) {
+ if (isAdmin) {
+ return true;
+ } else {
+ return privilegeNames != null && privilegeNames.length == 1 && "jcr:read".equals(privilegeNames[0]);
+ }
+ }
+
@Override
public boolean canRead(@Nonnull Tree tree) {
return true;
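Review bot: `getPrivileges` and `hasPrivileges` never read `tree`, so every non-admin principal set is reported as holding `jcr:read` on any tree, including the access control and permission store content that `definesTree` flags. The same holds for `hasPermission` in the next hunk, which ignores `oakPath`. As this is a placeholder, say so on the methods, e.g. `// TODO OAK-527: placeholder; grants read everywhere and ignores the tree, replace with evaluation against the permission store`. The non-admin branch of `hasPrivileges` is at least fail-closed, returning false for an empty array or any second name. `canRead` continues outside the hunk.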
@@ -78,6 +100,15 @@ class TmpPermissionProvider extends Perm
}
}
+ @Override
+ public boolean hasPermission(@Nonnull String oakPath, @Nonnull String jcrActions) {
+ if (isAdmin) {
+ return true;
+ } else {
+ return Session.ACTION_READ.equals(jcrActions);
+ }
+ }
+
private static boolean isAdmin(Set<Principal> principals) {
for (Principal principal : principals) {
if (principal instanceof AdminPrincipal) {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java?rev=1452958&r1=1452957&r2=1452958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java Tue Mar 5 19:38:25 2013
@@ -16,12 +16,15 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
+import java.util.Set;
+
+import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.JcrConstants;
/**
* PermissionConstants... TODO
*/
-interface PermissionConstants {
+public interface PermissionConstants {
/**
* @since OAK 1.0
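Review bot: Making the whole interface `public` exposes every permission store constant to other packages, although AccessControlContext needs only `PERMISSION_NODETYPE_NAMES`. Because AccessControlContext now implements the interface, it also inherits all of those constants as members. Referring to the one set by qualified name (`PermissionConstants.PERMISSION_NODETYPE_NAMES`) would avoid the inheritance. The Javadoc, still `PermissionConstants... TODO`, should say the interface is internal to the authorization implementation.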
@@ -46,4 +49,5 @@ interface PermissionConstants {
char PREFIX_ALLOW = 'a';
char PREFIX_DENY = 'd';
+ Set<String> PERMISSION_NODETYPE_NAMES = ImmutableSet.of(NT_REP_PERMISSIONS, NT_REP_PERMISSION_STORE);
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java?rev=1452958&r1=1452957&r2=1452958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java Tue Mar 5 19:38:25 2013
@@ -344,9 +344,12 @@ public class PermissionHook implements C
private void writeTo(NodeBuilder permissionRoot) {
NodeBuilder principalRoot = permissionRoot.child(principalName);
+ if (principalRoot.getProperty(JCR_PRIMARYTYPE) == null) {
+ principalRoot.setProperty(JCR_PRIMARYTYPE, NT_REP_PERMISSION_STORE, Type.NAME);
+ }
String entryName = generateName(principalRoot, this);
NodeBuilder entry = principalRoot.child(entryName)
- .setProperty(JCR_PRIMARYTYPE, NT_REP_PERMISSIONS)
+ .setProperty(JCR_PRIMARYTYPE, NT_REP_PERMISSIONS, Type.NAME)
.setProperty(REP_ACCESS_CONTROLLED_PATH, accessControlledPath)
.setProperty(REP_INDEX, index)
.setProperty(privilegeBits.asPropertyState(REP_PRIVILEGE_BITS));
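Review bot: `writeTo` does not say why the `Type.NAME` argument and the `getProperty(JCR_PRIMARYTYPE) == null` guard were added. A comment such as `// jcr:primaryType has to be stored as a NAME property; set it only when the principal root has no type yet` would record the intent. The guard leaves a `principalRoot` that already carries a different primary type untouched, which may be intended but deserves a word in that comment. `writeTo` continues outside the hunk.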
Modified: jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd?rev=1452958&r1=1452957&r2=1452958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd Tue Mar 5 19:38:25 2013
@@ -620,7 +620,7 @@
*/
[rep:Permissions]
- rep:accessControlledPath (PATH) protected mandatory
- - rep:privileges (UNDEFINED) protected mandatory
+ - rep:privileges (LONG) protected multiple mandatory
- rep:index (LONG) protected mandatory
- * (UNDEFINED) protected
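Review bot: `rep:privileges` stays `mandatory` and is now `(LONG) ... multiple`, but the PermissionHook hunk in this commit writes the bits through `privilegeBits.asPropertyState(REP_PRIVILEGE_BITS)`, and the value of that constant is not visible here. If it does not resolve to `rep:privileges` as a multi-valued LONG, entries written by the hook would match only the residual `* (UNDEFINED) protected` definition and lack the mandatory property. It is worth confirming that name and type line up, or adding a test that validates a written entry against `rep:Permissions`.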
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java?rev=1452958&r1=1452957&r2=1452958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java Tue Mar 5 19:38:25 2013
@@ -34,14 +34,15 @@ import javax.jcr.observation.Observation
import javax.jcr.security.AccessControlManager;
import javax.jcr.version.VersionManager;
+import com.google.common.collect.Maps;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.api.AuthInfo;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentSession;
-import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.QueryEngine;
+import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.TreeLocation;
import org.apache.jackrabbit.oak.commons.PathUtils;
@@ -54,13 +55,12 @@ import org.apache.jackrabbit.oak.plugins
import org.apache.jackrabbit.oak.plugins.nodetype.DefinitionProvider;
import org.apache.jackrabbit.oak.plugins.nodetype.EffectiveNodeTypeProvider;
import org.apache.jackrabbit.oak.plugins.observation.ObservationManagerImpl;
-import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import com.google.common.collect.Maps;
-
import static com.google.common.base.Preconditions.checkNotNull;
public class SessionDelegate {
@@ -491,13 +491,20 @@ public class SessionDelegate {
return root.getLocation(path);
}
- @CheckForNull
+ @Nonnull
AccessControlManager getAccessControlManager() throws RepositoryException {
if (accessControlManager == null) {
accessControlManager = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, getNamePathMapper());
}
return accessControlManager;
}
+
+ @Nonnull
+ PermissionProvider getPermissionProvider() throws RepositoryException {
+ // TODO
+ return securityProvider.getAccessControlConfiguration().getPermissionProvider(root, getAuthInfo().getPrincipals());
+ }
+
@Nonnull
PrincipalManager getPrincipalManager() throws RepositoryException {
if (principalManager == null) {
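Review bot: `getPermissionProvider()` builds a new provider on every call while the neighbouring getters cache theirs, and the only explanation is a bare `// TODO`. If per-call construction is deliberate, state the reason in place of the TODO, e.g. `// not cached: built from the current root and principals on each call; TODO OAK-527 decide on caching/refresh`. `getAccessControlManager()` is now `@Nonnull`, which holds only if the configuration's `getAccessControlManager(root, ...)` never returns null, and that is not visible here. `getPrincipalManager` continues outside the hunk.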
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java?rev=1452958&r1=1452957&r2=1452958&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java Tue Mar 5 19:38:25 2013
@@ -358,8 +358,7 @@ public class SessionImpl extends Abstrac
throw new RepositoryException("Invalid JCR path: " + absPath);
}
- // TODO implement hasPermission
- return TODO.unimplemented().returnValue(true);
+ return dlg.getPermissionProvider().hasPermission(absPath, actions);
}
@Override
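Review bot: The new call hands `absPath` to `hasPermission`, whose first parameter is declared as `oakPath` in TmpPermissionProvider, so the check would run against the JCR form of the path rather than the mapped Oak path. The temporary provider ignores the path, which hides this today, but a path-evaluating provider could answer for a different item whenever the session's namespace mappings differ. The method starts outside the hunk, so it is only inferred from the `Invalid JCR path` check that the Oak path is already computed above. If it is, pass that value instead, e.g. `return dlg.getPermissionProvider().hasPermission(oakPath, actions);`.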