You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2012/08/08 17:17:45 UTC
svn commit: r1370806 - in
/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak:
security/authorization/PermissionValidator.java
security/privilege/PrivilegeConstants.java
spi/security/authorization/Permissions.java
Author: angela
Date: Wed Aug 8 15:17:45 2012
New Revision: 1370806
URL: http://svn.apache.org/viewvc?rev=1370806&view=rev
Log:
OAK-51 : Implement JCR Access Control Management (work in progress)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConstants.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java?rev=1370806&r1=1370805&r2=1370806&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java Wed Aug 8 15:17:45 2012
@@ -18,14 +18,20 @@ package org.apache.jackrabbit.oak.securi
import javax.jcr.AccessDeniedException;
+import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.core.ReadOnlyTree;
+import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
+import org.apache.jackrabbit.oak.plugins.type.NodeTypeConstants;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
import org.apache.jackrabbit.oak.spi.state.NodeState;
+import org.apache.jackrabbit.util.Text;
/**
* PermissionValidator... TODO
@@ -55,30 +61,23 @@ public class PermissionValidator impleme
//----------------------------------------------------------< Validator >---
@Override
public void propertyAdded(PropertyState after) throws CommitFailedException {
- int permissions = getPermissions(after, Permissions.ADD_PROPERTY);
- checkPermissions(getPath(after), permissions);
+ checkPermissions(parentAfter, after, Permissions.ADD_PROPERTY);
}
@Override
public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException {
- int permissions = getPermissions(after, Permissions.MODIFY_PROPERTY);
- checkPermissions(getPath(after), permissions);
+ checkPermissions(parentAfter, after, Permissions.MODIFY_PROPERTY);
}
@Override
public void propertyDeleted(PropertyState before) throws CommitFailedException {
- int permissions = getPermissions(before, Permissions.REMOVE_PROPERTY);
- checkPermissions(getPath(before), permissions);
+ checkPermissions(parentBefore, before, Permissions.REMOVE_PROPERTY);
}
@Override
public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
ReadOnlyTree child = new ReadOnlyTree(parentAfter, name, after);
-
- int permissions = getPermissions(child, Permissions.ADD_NODE);
- checkPermissions(child.getPath(), permissions);
-
- return new PermissionValidator(compiledPermissions, null, child);
+ return checkPermissions(child, false, Permissions.ADD_NODE);
}
@Override
@@ -89,67 +88,104 @@ public class PermissionValidator impleme
// TODO
return new PermissionValidator(compiledPermissions, childBefore, childAfter);
-
}
@Override
public Validator childNodeDeleted(String name, NodeState before) throws CommitFailedException {
ReadOnlyTree child = new ReadOnlyTree(parentBefore, name, before);
-
- int permissions = getPermissions(child, Permissions.REMOVE_NODE);
- checkPermissions(child.getPath(), permissions);
-
- return new PermissionValidator(compiledPermissions, child, null);
+ return checkPermissions(child, true, Permissions.REMOVE_NODE);
}
//------------------------------------------------------------< private >---
- private void checkPermissions(String path, int permissions) throws CommitFailedException {
- if (!compiledPermissions.isGranted(path, permissions)) {
- throw new CommitFailedException(new AccessDeniedException());
+ private void checkPermissions(Tree parent, PropertyState property, int defaultPermission) throws CommitFailedException {
+ String parentPath = parent.getPath();
+ String name = property.getName();
+
+ int permission;
+ if (JcrConstants.JCR_PRIMARYTYPE.equals(name) || JcrConstants.JCR_MIXINTYPES.equals(name)) {
+ // TODO: distinguish between autocreated and user-supplied modification (?)
+ permission = Permissions.NODE_TYPE_MANAGEMENT;
+ } else if (PropertyState.OAK_CHILD_ORDER.equals(property.getName())) {
+ permission = Permissions.MODIFY_CHILD_NODE_COLLECTION;
+ } else if (isLockProperty(name)) {
+ permission = Permissions.LOCK_MANAGEMENT;
+ } else if (isNamespaceDefinition(parentPath)) {
+ permission = Permissions.NAMESPACE_MANAGEMENT;
+ } else if (isNodeTypeDefinition(parentPath)) {
+ permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
+ } else if (isPrivilegeDefinition(parentPath)) {
+ permission = Permissions.PRIVILEGE_MANAGEMENT;
+ } else if (isAccessControl(parent, property)) {
+ permission = Permissions.MODIFY_ACCESS_CONTROL;
+ } else {
+ // TODO: identify specific permission depending on type of protection
+ // - version property -> version management
+ // - user/group property -> user management
+ permission = defaultPermission;
}
+
+ checkPermissions(PathUtils.concat(parentPath, name), permission);
}
+ private PermissionValidator checkPermissions(ReadOnlyTree tree, boolean isBefore, int defaultPermission) throws CommitFailedException {
+ String path = tree.getPath();
+ int permission;
+
+ if (isNamespaceDefinition(path)) {
+ permission = Permissions.NAMESPACE_MANAGEMENT;
+ } else if (isNodeTypeDefinition(path)) {
+ permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
+ } else if (isPrivilegeDefinition(path)) {
+ permission = Permissions.PRIVILEGE_MANAGEMENT;
+ } else if (isAccessControl(tree)) {
+ permission = Permissions.MODIFY_ACCESS_CONTROL;
+ } else {
+ // TODO: identify specific permission depending on additional types of protection
+ // - versioning -> version management
+ // - user/group -> user management
+ // - workspace management ???
+ permission = defaultPermission;
+ }
- private int getPermissions(PropertyState property, int defaultPermission) {
- if (isProtected(property)) {
- // TODO: identify specific permission depending on type of protection
- // - access controlled property
- // - lock property
- // - version property
- // - mixinType/primaryType -> nt-management permission
- // - node type definition -> nt-definition-management
- // - namespace definition -> namespace management
- // - privilege -> privilege management
- // - user/group property -> user management
- return Permissions.NO_PERMISSION;
- } else if (PropertyState.OAK_CHILD_ORDER.equals(property.getName())) {
- return Permissions.MODIFY_CHILD_NODE_COLLECTION;
+ if (Permissions.isRepositoryPermissions(permission)) {
+ checkPermissions((String) null, permission);
+ return null; // no need for further validation down the subtree
} else {
- return defaultPermission;
+ checkPermissions(path, permission);
+ return (isBefore) ?
+ new PermissionValidator(compiledPermissions, tree, null) :
+ new PermissionValidator(compiledPermissions, null, tree);
}
}
- private int getPermissions(ReadOnlyTree tree, int defaultPermissions) {
- if (isProtected(tree)) {
- // TODO: identify specific permission depending on type of protection
- return Permissions.NO_PERMISSION;
- } else {
- return defaultPermissions;
+ private void checkPermissions(String path, int permissions) throws CommitFailedException {
+ if (!compiledPermissions.isGranted(path, permissions)) {
+ throw new CommitFailedException(new AccessDeniedException());
}
}
- private boolean isProtected(PropertyState property) {
- // TODO
+ private static boolean isAccessControl(Tree parent) {
+ // TODO: depends on ac-model
return false;
}
- private boolean isProtected(ReadOnlyTree tree) {
- // TODO
+ private static boolean isAccessControl(Tree parent, PropertyState property) {
+ // TODO: depends on ac-model
return false;
}
- private String getPath(PropertyState property) {
- String parentPath = (parentAfter != null) ? parentAfter.getPath() : parentBefore.getPath();
- return PathUtils.concat(parentPath, property.getName());
+ private static boolean isLockProperty(String name) {
+ return JcrConstants.JCR_LOCKISDEEP.equals(name) || JcrConstants.JCR_LOCKOWNER.equals(name);
+ }
+
+ private static boolean isNamespaceDefinition(String path) {
+ return Text.isDescendant(NamespaceConstants.NAMESPACES_PATH, path);
+ }
+ private static boolean isNodeTypeDefinition(String path) {
+ return Text.isDescendant(NodeTypeConstants.NODE_TYPES_PATH, path);
+ }
+
+ private static boolean isPrivilegeDefinition(String path) {
+ return Text.isDescendant(PrivilegeConstants.PRIVILEGES_PATH, path);
}
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConstants.java?rev=1370806&r1=1370805&r2=1370806&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConstants.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConstants.java Wed Aug 8 15:17:45 2012
@@ -16,10 +16,15 @@
*/
package org.apache.jackrabbit.oak.security.privilege;
+import org.apache.jackrabbit.JcrConstants;
+
/**
* PrivilegeConstants... TODO
*/
-interface PrivilegeConstants {
+public interface PrivilegeConstants {
+
+ String REP_PRIVILEGES = "rep:privileges";
+ String PRIVILEGES_PATH = '/' + JcrConstants.JCR_SYSTEM + '/' + REP_PRIVILEGES;
String JCR_READ = "jcr:read";
String JCR_MODIFY_PROPERTIES = "jcr:modifyProperties";
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java?rev=1370806&r1=1370805&r2=1370806&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java Wed Aug 8 15:17:45 2012
@@ -107,10 +107,9 @@ public final class Permissions {
PERMISSION_NAMES.put(WORKSPACE_MANAGEMENT, "WORKSPACE_MANAGEMENT");
PERMISSION_NAMES.put(PRIVILEGE_MANAGEMENT, "PRIVILEGE_MANAGEMENT");
PERMISSION_NAMES.put(USER_MANAGEMENT, "USER_MANAGEMENT");
-
}
- public String getString(int permissions) {
+ public static String getString(int permissions) {
if (PERMISSION_NAMES.containsKey(permissions)) {
return PERMISSION_NAMES.get(permissions);
} else {
@@ -123,6 +122,12 @@ public final class Permissions {
}
return sb.toString();
}
+ }
+ public static boolean isRepositoryPermissions(int permissions) {
+ return permissions == NAMESPACE_MANAGEMENT ||
+ permissions == NODE_TYPE_DEFINITION_MANAGEMENT ||
+ permissions == PRIVILEGE_MANAGEMENT ||
+ permissions == WORKSPACE_MANAGEMENT;
}
}