Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/04/11 15:35:04 UTC
svn commit: r1466882 - in
/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak:
security/authorization/ security/authorization/permission/
security/privilege/ security/user/ spi/security/
spi/security/authorization/permission/
Author: angela
Date: Thu Apr 11 13:35:04 2013
New Revision: 1466882
URL: http://svn.apache.org/r1466882
Log:
OAK-527: permissions (WIP: missing handling for ac content in Session#hasPermission)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeContext.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserContext.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/Context.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java?rev=1466882&r1=1466881&r2=1466882&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java Thu Apr 11 13:35:04 2013
@@ -18,9 +18,11 @@ package org.apache.jackrabbit.oak.securi
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.TreeLocation;
import org.apache.jackrabbit.oak.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.util.TreeUtil;
+import org.apache.jackrabbit.util.Text;
/**
* AccessControlContext... TODO
@@ -47,4 +49,16 @@ final class AccessControlContext impleme
String ntName = TreeUtil.getPrimaryTypeName(tree);
return AC_NODETYPE_NAMES.contains(ntName) || PERMISSION_NODETYPE_NAMES.contains(ntName);
}
+
+ @Override
+ public boolean definesLocation(TreeLocation location) {
+ if (location.exists()) {
+ PropertyState p = location.getProperty();
+ return (p == null) ? definesTree(location.getTree()) : definesProperty(location.getTree(), p);
+ } else {
+ String path = location.getPath();
+ String name = Text.getName(location.getPath());
+ return POLICY_NODE_NAMES.contains(name) || ACE_PROPERTY_NAMES.contains(name) || path.startsWith(PERMISSIONS_STORE_PATH);
+ }
+ }
}
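Review bot: The non-existing branch of `definesLocation` tests `path.startsWith(PERMISSIONS_STORE_PATH)` as a raw string prefix, so a sibling path that merely begins with the same characters as the permission store path is also classified as access control content. Compare on a path-segment boundary instead, for example `Text.isDescendantOrEqual(PERMISSIONS_STORE_PATH, path)`, which uses the `Text` class this commit already imports. The same prefix test appears in `PrivilegeContext.definesLocation` with `PrivilegeConstants.PRIVILEGES_PATH`. The name test in this branch also treats any non-existing location whose last segment is in `POLICY_NODE_NAMES` or `ACE_PROPERTY_NAMES` as access control content regardless of its parent; if that is intended, a comment should say so.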
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1466882&r1=1466881&r2=1466882&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java Thu Apr 11 13:35:04 2013
@@ -148,7 +148,8 @@ public class PermissionProviderImpl impl
@Override
public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) {
TreeLocation location = getImmutableRoot().getLocation(oakPath);
- long permissions = Permissions.getPermissions(jcrActions, location);
+ boolean isAcContent = acConfig.getContext().definesLocation(location);
+ long permissions = Permissions.getPermissions(jcrActions, location, isAcContent);
if (!location.exists()) {
// TODO: deal with version content
return compiledPermissions.isGranted(oakPath, permissions);
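Review bot: The new `isAcContent` flag changes which permission bits `isGranted` requests, but nothing at the call site documents that; add a comment above it such as `// access control content is checked against READ_ACCESS_CONTROL / MODIFY_ACCESS_CONTROL instead of the regular read/write bits`. For a location that does not exist the flag comes from name and path matching only, so the `!location.exists()` branch now forwards access-control bits for paths that were never created. That looks intended, but it belongs next to the existing TODO. The body of isGranted continues outside the hunk.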
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeContext.java?rev=1466882&r1=1466881&r2=1466882&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeContext.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeContext.java Thu Apr 11 13:35:04 2013
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.TreeLocation;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.util.TreeUtil;
@@ -45,4 +46,9 @@ final class PrivilegeContext implements
public boolean definesTree(Tree tree) {
return PrivilegeConstants.NT_REP_PRIVILEGE.equals(TreeUtil.getPrimaryTypeName(tree));
}
+
+ @Override
+ public boolean definesLocation(TreeLocation location) {
+ return location.getPath().startsWith(PrivilegeConstants.PRIVILEGES_PATH);
+ }
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserContext.java?rev=1466882&r1=1466881&r2=1466882&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserContext.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserContext.java Thu Apr 11 13:35:04 2013
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.TreeLocation;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.apache.jackrabbit.oak.util.TreeUtil;
@@ -25,7 +26,7 @@ import org.apache.jackrabbit.oak.util.Tr
/**
* UserContext... TODO
*/
-final class UserContext implements Context {
+final class UserContext implements Context, UserConstants {
private static final Context INSTANCE = new UserContext();
@@ -40,11 +41,11 @@ final class UserContext implements Conte
@Override
public boolean definesProperty(Tree parent, PropertyState property) {
String ntName = TreeUtil.getPrimaryTypeName(parent);
- if (UserConstants.NT_REP_USER.equals(ntName)) {
- return UserConstants.USER_PROPERTY_NAMES.contains(property.getName());
- } else if (UserConstants.NT_REP_GROUP.equals(ntName)) {
- return UserConstants.GROUP_PROPERTY_NAMES.contains(property.getName());
- } else if (UserConstants.NT_REP_MEMBERS.equals(ntName)) {
+ if (NT_REP_USER.equals(ntName)) {
+ return USER_PROPERTY_NAMES.contains(property.getName());
+ } else if (NT_REP_GROUP.equals(ntName)) {
+ return GROUP_PROPERTY_NAMES.contains(property.getName());
+ } else if (NT_REP_MEMBERS.equals(ntName)) {
return true;
}
return false;
@@ -53,6 +54,17 @@ final class UserContext implements Conte
@Override
public boolean definesTree(Tree tree) {
String ntName = TreeUtil.getPrimaryTypeName(tree);
- return UserConstants.NT_REP_GROUP.equals(ntName) || UserConstants.NT_REP_USER.equals(ntName) || UserConstants.NT_REP_MEMBERS.equals(ntName);
+ return NT_REP_GROUP.equals(ntName) || NT_REP_USER.equals(ntName) || NT_REP_MEMBERS.equals(ntName);
+ }
+
+ @Override
+ public boolean definesLocation(TreeLocation location) {
+ if (location.exists()) {
+ PropertyState p = location.getProperty();
+ return (p == null) ? definesTree(location.getTree()) : definesProperty(location.getTree(), p);
+ } else {
+ // FIXME
+ return false;
+ }
}
}
\ No newline at end of file
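Review bot: The `else` branch of `definesLocation` returns `false` for every non-existing location behind a bare `// FIXME`, so user and group content that has not been created yet is never reported as user content, whereas AccessControlContext falls back to name and path matching in the same situation. Replace the marker with a comment that states what is missing, e.g. `// FIXME: non-existing locations are not recognized as user content yet; needs a path/name based check`. The `exists()` branch is a copy of the one in AccessControlContext, so a shared helper would keep the two from drifting apart.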
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/Context.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/Context.java?rev=1466882&r1=1466881&r2=1466882&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/Context.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/Context.java Thu Apr 11 13:35:04 2013
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.spi.se
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.TreeLocation;
/**
* Context... TODO
@@ -27,4 +28,6 @@ public interface Context {
boolean definesProperty(Tree parent, PropertyState property);
boolean definesTree(Tree tree);
+
+ boolean definesLocation(TreeLocation location);
}
\ No newline at end of file
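Review bot: `definesLocation(TreeLocation)` is added to the interface without Javadoc, and the implementations in this commit disagree on what it means for a location that does not exist. AccessControlContext matches on name and path, PrivilegeContext matches a path prefix without checking existence, and UserContext and the default context in SecurityConfiguration return false. Add a Javadoc that says whether implementations must handle non-existing locations and how the result relates to `definesTree` and `definesProperty`. This matters because `PermissionProviderImpl.isGranted` now selects the permission bits from this result.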
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java?rev=1466882&r1=1466881&r2=1466882&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java Thu Apr 11 13:35:04 2013
@@ -22,6 +22,7 @@ import javax.annotation.Nonnull;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.TreeLocation;
import org.apache.jackrabbit.oak.spi.commit.CommitHook;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.lifecycle.WorkspaceInitializer;
@@ -105,6 +106,11 @@ public interface SecurityConfiguration {
public boolean definesTree(Tree tree) {
return false;
}
+
+ @Override
+ public boolean definesLocation(TreeLocation location) {
+ return false;
+ }
};
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java?rev=1466882&r1=1466881&r2=1466882&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java Thu Apr 11 13:35:04 2013
@@ -24,6 +24,7 @@ import java.util.Set;
import javax.annotation.Nullable;
import javax.jcr.Session;
+import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.api.TreeLocation;
import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
@@ -177,11 +178,14 @@ public final class Permissions {
return permissions & ~otherPermissions;
}
- public static long getPermissions(String jcrActions, TreeLocation location) {
+ public static long getPermissions(String jcrActions, TreeLocation location,
+ boolean isAccessControlContent) {
Set<String> actions = new HashSet<String>(Arrays.asList(jcrActions.split(",")));
int permissions = 0;
if (actions.remove(Session.ACTION_READ)) {
- if (!location.exists()) {
+ if (isAccessControlContent) {
+ permissions |= READ_ACCESS_CONTROL;
+ } else if (!location.exists()) {
permissions |= READ;
} else if (location.getProperty() != null) {
permissions |= READ_PROPERTY;
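Review bot: The added `permissions |= READ_ACCESS_CONTROL;` accumulates into `int permissions` although the method returns `long`. Compound assignment narrows silently, so if a permission constant is declared `long` and uses a bit above 31 (the declarations are not visible here), that bit is dropped without a compile error. Declaring the accumulator as `long permissions = 0;` removes the risk. The new `isAccessControlContent` parameter also has no Javadoc; one line saying that it switches the mapping to READ_ACCESS_CONTROL / MODIFY_ACCESS_CONTROL would be enough. The method body continues in the next hunk.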
@@ -189,23 +193,32 @@ public final class Permissions {
permissions |= READ_NODE;
}
}
- if (actions.remove(Session.ACTION_ADD_NODE)) {
- permissions |= ADD_NODE;
- }
- if (actions.remove(Session.ACTION_SET_PROPERTY)) {
- if (location.getProperty() == null) {
- permissions |= ADD_PROPERTY;
- } else {
- permissions |= MODIFY_PROPERTY;
- }
- }
- if (actions.remove(Session.ACTION_REMOVE)) {
- if (!location.exists()) {
- permissions |= REMOVE;
- } else if (location.getProperty() != null) {
- permissions |= REMOVE_PROPERTY;
+
+ if (!actions.isEmpty()) {
+ if (isAccessControlContent) {
+ actions.removeAll(ImmutableSet.of(Session.ACTION_ADD_NODE,
+ Session.ACTION_REMOVE, Session.ACTION_SET_PROPERTY));
+ permissions |= MODIFY_ACCESS_CONTROL;
} else {
- permissions |= REMOVE_NODE;
+ if (actions.remove(Session.ACTION_ADD_NODE)) {
+ permissions |= ADD_NODE;
+ }
+ if (actions.remove(Session.ACTION_SET_PROPERTY)) {
+ if (location.getProperty() == null) {
+ permissions |= ADD_PROPERTY;
+ } else {
+ permissions |= MODIFY_PROPERTY;
+ }
+ }
+ if (actions.remove(Session.ACTION_REMOVE)) {
+ if (!location.exists()) {
+ permissions |= REMOVE;
+ } else if (location.getProperty() != null) {
+ permissions |= REMOVE_PROPERTY;
+ } else {
+ permissions |= REMOVE_NODE;
+ }
+ }
}
}
if (!actions.isEmpty()) {
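Review bot: In the `isAccessControlContent` branch, `permissions |= MODIFY_ACCESS_CONTROL;` runs whenever any action remains after the read handling, even when none of them is `ACTION_ADD_NODE`, `ACTION_REMOVE` or `ACTION_SET_PROPERTY`. An unrecognised action string on access control content therefore also requests MODIFY_ACCESS_CONTROL. `Set.removeAll` reports whether it removed anything, so the bit can be tied to that result: `if (actions.removeAll(ImmutableSet.of(Session.ACTION_ADD_NODE, Session.ACTION_REMOVE, Session.ACTION_SET_PROPERTY))) { permissions |= MODIFY_ACCESS_CONTROL; }`. The trailing `if (!actions.isEmpty())` block that deals with leftover actions lies outside the hunk.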