Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/02/06 11:01:04 UTC

svn commit: r1442881 - in /jackrabbit/oak/trunk/oak-core/src/main: java/org/apache/jackrabbit/oak/core/ java/org/apache/jackrabbit/oak/security/authorization/ resources/org/apache/jackrabbit/oak/plugins/nodetype/write/

Author: angela
Date: Wed Feb  6 10:01:03 2013
New Revision: 1442881

URL: http://svn.apache.org/viewvc?rev=1442881&view=rev
Log:
OAK-527 : Implement Permission evaluation  (work in progress)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ReadOnlyRoot.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ReadOnlyRoot.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ReadOnlyRoot.java?rev=1442881&r1=1442880&r2=1442881&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ReadOnlyRoot.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ReadOnlyRoot.java Wed Feb  6 10:01:03 2013
@@ -40,15 +40,19 @@ public final class ReadOnlyRoot implemen
 
     private final ReadOnlyTree rootTree;
 
-    public ReadOnlyRoot(NodeState rootState) {
+    public ReadOnlyRoot(@Nonnull NodeState rootState) {
         this(new ReadOnlyTree(rootState));
     }
 
-    public ReadOnlyRoot(ReadOnlyTree rootTree) {
+    public ReadOnlyRoot(@Nonnull ReadOnlyTree rootTree) {
         checkArgument(rootTree.isRoot());
         this.rootTree = rootTree;
     }
 
+    public ReadOnlyRoot(@Nonnull Root root) {
+        this.rootTree = ReadOnlyTree.createFromRoot(root);
+    }
+
     @Override
     public ReadOnlyTree getTree(String path) {
         return (ReadOnlyTree) getLocation(path).getTree();
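Review bot: The new `ReadOnlyRoot(@Nonnull Root root)` constructor skips the `checkArgument(rootTree.isRoot())` guard that the `ReadOnlyTree` constructor applies. The invariant therefore depends entirely on what `ReadOnlyTree.createFromRoot` returns, which is not visible in this hunk. Delegating with `this(ReadOnlyTree.createFromRoot(root));` would keep a single place where the invariant is enforced. Because this commit also makes PermissionProviderImpl read through this class, the constructor deserves a Javadoc line stating whether the resulting tree is a point-in-time view of `root` or reflects later changes to it. The `getTree` body at the end of the hunk continues outside it.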

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java?rev=1442881&r1=1442880&r2=1442881&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java Wed Feb  6 10:01:03 2013
@@ -32,7 +32,6 @@ public interface AccessControlConstants 
     String REP_PRINCIPAL_NAME = "rep:principalName";
     String REP_GLOB = "rep:glob";
     String REP_NODE_PATH = "rep:nodePath";
-
     /**
      * @since OAK 1.0
      */
@@ -59,6 +58,10 @@ public interface AccessControlConstants 
     /**
      * @since OAK 1.0
      */
+    String NT_REP_PERMISSION_STORE = "rep:PermissionStore";
+    /**
+     * @since OAK 1.0
+     */
     String REP_PERMISSION_STORE = "rep:permissionStore";
     /**
      * @since OAK 1.0
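Review bot: `NT_REP_PERMISSION_STORE` is documented only with `@since OAK 1.0`, so a reader cannot tell it apart from `REP_PERMISSION_STORE` directly below it. A one-line description would help, for example `Node type name of the internal permission store.` for the new constant, plus a matching line for the existing one. The same commit defines `rep:Permissions` in builtin_nodetypes.cnd without a corresponding constant here, and `AC_NODETYPE_NAMES` is left unchanged. If any code relies on that set to recognise protected access control content, confirm that leaving the permission store types out is intended.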
@@ -70,4 +73,4 @@ public interface AccessControlConstants 
     Collection<String> ACE_PROPERTY_NAMES = ImmutableSet.of(REP_PRINCIPAL_NAME, REP_PRIVILEGES);
 
     Collection<String> AC_NODETYPE_NAMES = ImmutableSet.of(NT_REP_POLICY, NT_REP_ACL, NT_REP_ACE, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_RESTRICTIONS);
-}
\ No newline at end of file
+}

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java?rev=1442881&r1=1442880&r2=1442881&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java Wed Feb  6 10:01:03 2013
@@ -31,6 +31,7 @@ import org.apache.jackrabbit.oak.api.Tre
 import org.apache.jackrabbit.oak.api.TreeLocation;
 import org.apache.jackrabbit.oak.api.Type;
 import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.core.ReadOnlyRoot;
 import org.apache.jackrabbit.oak.core.ReadOnlyTree;
 import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
 import org.apache.jackrabbit.oak.security.authorization.permission.AllPermissions;
@@ -68,7 +69,7 @@ public class PermissionProviderImpl impl
 
     public PermissionProviderImpl(@Nonnull Root root, @Nonnull Set<Principal> principals,
                                   @Nonnull SecurityProvider securityProvider) {
-        this.root = root; // FIXME: assert that root has full access.
+        this.root = new ReadOnlyRoot(root);
         this.acContext = securityProvider.getAccessControlConfiguration().getContext();
         if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) {
             compiledPermissions = AllPermissions.getInstance();
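Review bot: The removed FIXME asked for an assertion that `root` has full access, and nothing in this hunk adds one. Wrapping the argument in `new ReadOnlyRoot(root)` prevents writes through the provider, but as far as the visible lines show it does not establish that the root can read all access control content. If a root bound to a restricted session were passed in, policies it cannot read would be missing from the evaluation, and the compiled permissions could differ from those actually defined. Until the check exists, keep a marker such as `// FIXME: assert that root has full access.` or state the requirement in the constructor Javadoc. The constructor body continues outside the hunk.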
@@ -148,8 +149,7 @@ public class PermissionProviderImpl impl
         long permissions = Permissions.getPermissions(jcrActions, location);
         if (!location.exists()) {
             // TODO: deal with version content
-            // FIXME: non-existing locations currently return null-path
-            return compiledPermissions.isGranted(location.getPath(), permissions);
+            return compiledPermissions.isGranted(oakPath, permissions);
         } else if (location.getProperty() != null) {
             return isGranted(location.getTree(), location.getProperty(), permissions);
         } else {
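Review bot: For non-existing locations the permission check now runs on `oakPath` as received, and where that value comes from and how it is validated sit outside this hunk. If `oakPath` can reach this branch in non-normalized form (relative, or containing `.` or `..` segments), the path given to `compiledPermissions.isGranted` may not be the one the location resolves to. Confirm that it is absolute and normalized before this point, or add a comment such as `// oakPath is guaranteed absolute and normalized by the caller`. The `// TODO: deal with version content` remains open for this branch. The enclosing method starts and ends outside the hunk.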

Modified: jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd?rev=1442881&r1=1442880&r2=1442881&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd Wed Feb  6 10:01:03 2013
@@ -602,6 +602,23 @@
 [rep:Restrictions]
   - * (UNDEFINED) protected
 
+/**
+ * @since oak 1.0
+ */
+[rep:PermissionStore]
+  orderable
+  + * (rep:PermissionStore) = rep:PermissionStore protected IGNORE
+  + * (rep:Permissions) = rep:Permissions protected  IGNORE
+
+/**
+ * @since oak 1.0
+ */
+[rep:Permissions]
+  - rep:accessControlledPath (PATH) protected mandatory
+  - rep:privilegeBits (UNDEFINED) protected mandatory
+  - rep:index (LONG) protected mandatory
+  - * (UNDEFINED) protected
+
 // -----------------------------------------------------------------------------
 // Principal based AC
 // -----------------------------------------------------------------------------
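Review bot: `rep:privilegeBits` is declared as `(UNDEFINED)` and `rep:Permissions` also accepts any residual property via `- * (UNDEFINED) protected`, so node type validation will not reject malformed or unexpected values in the data that permission evaluation reads. If the storage format of the privilege bits is already fixed, declaring the concrete type would let the type system enforce it. Dropping the residual definition unless it is needed would narrow what can be stored there. Both new definitions carry only `@since oak 1.0`; a short comment saying that these nodes are internal, are written only by the repository and must not be exposed to regular sessions would record the integrity assumption. As a style point, line `+ * (rep:Permissions) = rep:Permissions protected  IGNORE` has a double space before `IGNORE`.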