Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/02/14 15:18:36 UTC
svn commit: r1446198 - in
/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak:
security/authorization/ security/authorization/permission/
spi/security/authorization/
Author: angela
Date: Thu Feb 14 14:18:35 2013
New Revision: 1446198
URL: http://svn.apache.org/r1446198
Log:
OAK-527 : Implement Permission evaluation (work in progress)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1446198&r1=1446197&r2=1446198&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Thu Feb 14 14:18:35 2013
@@ -522,7 +522,7 @@ public class AccessControlManagerImpl im
// TODO
String oakPath = getOakPath(absPath);
Tree tree = getTree(oakPath);
- Set<String> pNames = provider.getPrivilegeNames(tree);
+ Set<String> pNames = provider.getPrivileges(tree);
if (pNames.isEmpty()) {
return new Privilege[0];
} else {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java?rev=1446198&r1=1446197&r2=1446198&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java Thu Feb 14 14:18:35 2013
@@ -17,7 +17,6 @@
package org.apache.jackrabbit.oak.security.authorization;
import java.security.Principal;
-import java.util.Collections;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
@@ -38,6 +37,7 @@ import org.apache.jackrabbit.oak.securit
import org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl;
import org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions;
import org.apache.jackrabbit.oak.security.authorization.permission.NoPermissions;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
@@ -60,7 +60,8 @@ public class PermissionProviderImpl impl
private static final Logger log = LoggerFactory.getLogger(PermissionProviderImpl.class);
- private final Root root;
+ private final ReadOnlyRoot root;
+
private final Context acContext;
private final String workspaceName = "default"; // FIXME: use proper workspace as associated with the root
@@ -75,27 +76,26 @@ public class PermissionProviderImpl impl
compiledPermissions = AllPermissions.getInstance();
} else {
String relativePath = PERMISSIONS_STORE_PATH + '/' + workspaceName;
- ReadOnlyTree rootTree = ReadOnlyTree.createFromRoot(root);
+ ReadOnlyTree rootTree = this.root.getTree("/");
ReadOnlyTree permissionsTree = getPermissionsRoot(rootTree, relativePath);
if (permissionsTree == null) {
compiledPermissions = NoPermissions.getInstance();
} else {
- compiledPermissions = new CompiledPermissionImpl(permissionsTree, principals);
+ PrivilegeDefinitionStore privilegeStore = new PrivilegeDefinitionStore(this.root);
+ compiledPermissions = new CompiledPermissionImpl(principals, privilegeStore, permissionsTree);
}
}
}
@Nonnull
@Override
- public Set<String> getPrivilegeNames(@Nullable Tree tree) {
- // TODO
- return Collections.emptySet();
+ public Set<String> getPrivileges(@Nullable Tree tree) {
+ return compiledPermissions.getPrivileges(tree);
}
@Override
public boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames) {
- // TODO
- return false;
+ return compiledPermissions.hasPrivileges(tree, privilegeNames);
}
@Override
@@ -144,7 +144,7 @@ public class PermissionProviderImpl impl
}
@Override
- public boolean hasPermission(@Nonnull String oakPath, String jcrActions) {
+ public boolean hasPermission(@Nonnull String oakPath, @Nonnull String jcrActions) {
TreeLocation location = root.getLocation(oakPath);
long permissions = Permissions.getPermissions(jcrActions, location);
if (!location.exists()) {
@@ -184,28 +184,30 @@ public class PermissionProviderImpl impl
}
}
+ // TODO: deal with activities/configurations
@CheckForNull
private String getVersionablePath(@Nonnull Tree versionStoreTree, @Nullable PropertyState property) {
+ String relPath = "";
+ String propName = (property == null) ? "" : property.getName();
String versionablePath = null;
Tree t = versionStoreTree;
- while (!JcrConstants.JCR_SYSTEM.equals(t.getName())) {
- if (JcrConstants.NT_VERSIONHISTORY.equals(TreeUtil.getPrimaryTypeName(t))) {
+ while (t != null && !JcrConstants.JCR_VERSIONSTORAGE.equals(t.getName())) {
+ String name = t.getName();
+ String ntName = TreeUtil.getPrimaryTypeName(t);
+ if (VersionConstants.JCR_FROZENNODE.equals(name) && t != versionStoreTree) {
+ relPath = PathUtils.relativize(t.getPath(), versionStoreTree.getPath());
+ } else if (JcrConstants.NT_VERSIONHISTORY.equals(ntName)) {
PropertyState prop = t.getProperty(workspaceName);
if (prop != null) {
- versionablePath = prop.getValue(Type.PATH);
- if (t != versionStoreTree) {
- String rel = PathUtils.relativize(t.getPath(), versionStoreTree.getPath());
- String propName = (property == null) ? "" : property.getName();
- versionablePath = PathUtils.concat(versionablePath, rel, propName);
- }
+ versionablePath = PathUtils.concat(prop.getValue(Type.PATH), relPath, propName);
}
break;
- }// FIXME: handle activities and configurations
+ }
t = t.getParent();
}
if (versionablePath == null || versionablePath.length() == 0) {
- log.warn("Unable to determine path of the versionable node.");
+ log.warn("Unable to determine path of the version controlled node.");
}
return Strings.emptyToNull(versionablePath);
}
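Review bot: The warning at the end of getVersionablePath carries no context, so a failed lookup cannot be traced back to the version-store item that caused it; include the starting path, e.g. `log.warn("Unable to determine path of the version controlled node for {}", versionStoreTree.getPath());`. With this change the walk also yields null when `t` becomes null or reaches jcr:versionStorage without meeting an nt:versionHistory node, and when the history has no property named after the workspace. The callers are outside this hunk; a null return should lead to the check being denied, and the method's Javadoc should say so, because the permission evaluation then has no path to evaluate against.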
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java?rev=1446198&r1=1446197&r2=1446198&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java Thu Feb 14 14:18:35 2013
@@ -16,10 +16,12 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
-import javax.annotation.Nonnull;
+import java.util.Collections;
+import java.util.Set;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
/**
* AllPermissions... TODO
@@ -61,7 +63,17 @@ public final class AllPermissions implem
}
@Override
- public boolean isGranted(@Nonnull String path, long permissions) {
+ public boolean isGranted(String path, long permissions) {
+ return true;
+ }
+
+ @Override
+ public Set<String> getPrivileges(Tree tree) {
+ return Collections.singleton(PrivilegeConstants.JCR_ALL);
+ }
+
+ @Override
+ public boolean hasPrivileges(Tree tree, String... privilegeNames) {
return true;
}
}
\ No newline at end of file
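Review bot: The nullability annotations in AllPermissions no longer match the interface: `isGranted` loses `@Nonnull` on `path`, and the new `getPrivileges`/`hasPrivileges` omit the `@Nullable` on `tree` that CompiledPermissions and NoPermissions declare in this same commit. Keeping them, e.g. `public Set<String> getPrivileges(@Nullable Tree tree)`, makes the three implementations read the same way; the `javax.annotation` imports removed in the previous hunk would have to stay. Because this class answers `true` to every check, the `AllPermissions... TODO` class comment would be better replaced by a sentence stating for which principals the instance is handed out.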
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1446198&r1=1446197&r2=1446198&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Thu Feb 14 14:18:35 2013
@@ -22,14 +22,17 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
import com.google.common.collect.ImmutableSortedMap;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.core.ReadOnlyTree;
import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
-import org.apache.jackrabbit.oak.util.NodeUtil;
import org.apache.jackrabbit.util.Text;
import static com.google.common.base.Preconditions.checkNotNull;
@@ -40,13 +43,16 @@ import static com.google.common.base.Pre
public class CompiledPermissionImpl implements CompiledPermissions, AccessControlConstants {
private final Set<Principal> principals;
+ private final PrivilegeDefinitionStore privilegeStore;
- private Map<Key, Entry> userEntries;
- private Map<Key, Entry> groupEntries;
+ private final Map<Key, Entry> userEntries;
+ private final Map<Key, Entry> groupEntries;
- public CompiledPermissionImpl(@Nonnull ReadOnlyTree permissionsTree,
- @Nonnull Set<Principal> principals) {
+ public CompiledPermissionImpl(@Nonnull Set<Principal> principals,
+ @Nonnull PrivilegeDefinitionStore privilegeStore,
+ @Nonnull ReadOnlyTree permissionsTree) {
this.principals = checkNotNull(principals);
+ this.privilegeStore = privilegeStore;
EntriesBuilder builder = new EntriesBuilder();
for (Principal principal : principals) {
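Review bot: `privilegeStore` is assigned without the null check that `principals` gets one line above, so a null store would only surface as a NullPointerException on the first `getPrivileges` or `hasPrivileges` call rather than at construction. Use `this.privilegeStore = checkNotNull(privilegeStore);` to keep both `@Nonnull` parameters guarded the same way. The constructor body continues outside this hunk.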
@@ -93,16 +99,30 @@ public class CompiledPermissionImpl impl
return false;
}
+ @Override
+ public Set<String> getPrivileges(@Nullable Tree tree) {
+ return privilegeStore.getPrivilegeNames(getPrivilegeBits(tree));
+ }
+
+ @Override
+ public boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames) {
+ return getPrivilegeBits(tree).includes(privilegeStore.getBits(privilegeNames));
+ }
+
//------------------------------------------------------------< private >---
+ private PrivilegeBits getPrivilegeBits(@Nullable Tree tree) {
+ return PrivilegeBits.EMPTY; // TODO
+ }
+
private static final class Key implements Comparable<Key> {
private String path;
- private long order;
+ private long index;
- private Key(NodeUtil node) {
- path = node.getString("path", "");
- order = node.getLong("order", -1);
+ private Key(Tree tree) {
+ path = tree.getProperty("rep:accessControlledPath").getValue(Type.STRING);
+ index = tree.getProperty("rep:index").getValue(Type.LONG);
}
@Override
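Review bot: The new `Key(Tree)` constructor dereferences `tree.getProperty("rep:accessControlledPath")` and `tree.getProperty("rep:index")` without a null check, where the removed NodeUtil code fell back to `""` and `-1`; a permission entry missing either property will now throw while the compiled permissions are being built. Either test for null and reject the entry explicitly, or add a comment stating that both properties are mandatory in the permission store. The two names are string literals here; named constants shared with the code that writes the entries (not visible in this diff) would keep both sides in sync. Separately, `getPrivilegeBits` is a stub returning `PrivilegeBits.EMPTY`, so `getPrivileges` reports nothing for any tree until the TODO is resolved, and what `hasPrivileges` answers for an empty `privilegeNames` array depends on `includes`, which cannot be seen from here.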
@@ -115,16 +135,13 @@ public class CompiledPermissionImpl impl
private static final class Entry {
private final boolean isAllow;
- private final String[] privilegeNames;
+ private final PrivilegeBits privilegeBits;
private final List<String> restrictions;
- private final long permissions;
- private Entry(NodeUtil node) {
- isAllow = node.hasPrimaryNodeTypeName(NT_REP_GRANT_ACE);
- privilegeNames = node.getStrings(REP_PRIVILEGES);
+ private Entry(Tree entryTree) {
+ isAllow = ('a' == entryTree.getName().charAt(0));
+ privilegeBits = PrivilegeBits.getInstance(entryTree.getProperty(REP_PRIVILEGES));
restrictions = null; // TODO
-
- permissions = node.getLong("permissions", Permissions.NO_PERMISSION);
}
}
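Review bot: `isAllow = ('a' == entryTree.getName().charAt(0));` makes the allow/deny decision depend on the first character of the entry's node name, replacing the node-type check against `NT_REP_GRANT_ACE`. The naming convention this relies on is not stated in the hunk, and the code that writes the permission store is outside this diff. Add a comment on that line naming the convention and where the entries are created, or use a prefix constant shared by writer and reader, so that a later change to entry naming cannot silently turn a grant into a deny or the reverse.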
@@ -134,10 +151,9 @@ public class CompiledPermissionImpl impl
private ImmutableSortedMap.Builder<Key, Entry> groupEntries = ImmutableSortedMap.naturalOrder();
private void addEntry(@Nonnull Principal principal, @Nonnull Tree entryTree) {
- NodeUtil node = new NodeUtil(entryTree);
- Entry entry = new Entry(node);
- if (entry.permissions != Permissions.NO_PERMISSION) {
- Key key = new Key(node);
+ Entry entry = new Entry(entryTree);
+ if (entry.privilegeBits.isEmpty()) {
+ Key key = new Key(entryTree);
if (principal instanceof Group) {
groupEntries.put(key, entry);
} else {
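Review bot: The guard in `addEntry` looks inverted: `if (entry.privilegeBits.isEmpty())` stores only entries that carry no privileges and drops every entry that does, whereas the removed line kept entries with `permissions != Permissions.NO_PERMISSION`. It should read `if (!entry.privilegeBits.isEmpty()) {`. As written, the user and group maps would hold nothing but empty entries once evaluation on top of them is implemented. addEntry's body continues past the end of the hunk.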
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java?rev=1446198&r1=1446197&r2=1446198&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java Thu Feb 14 14:18:35 2013
@@ -16,7 +16,9 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
+import java.util.Set;
import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
@@ -38,4 +40,7 @@ public interface CompiledPermissions {
boolean isGranted(@Nonnull String path, long permissions);
+ Set<String> getPrivileges(@Nullable Tree tree);
+
+ boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames);
}
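Review bot: The two methods added to CompiledPermissions have no Javadoc, and the meaning of a null `tree` is not stated although the parameter is `@Nullable`. A sentence on each saying what a null tree stands for and what is returned when nothing is granted would fix the contract for the three implementations touched in this commit. `getPrivileges` also lacks the `@Nonnull` that PermissionProvider.getPrivileges declares on its return value, and PermissionProviderImpl passes the result straight through; suggest `@Nonnull Set<String> getPrivileges(@Nullable Tree tree);`.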
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java?rev=1446198&r1=1446197&r2=1446198&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java Thu Feb 14 14:18:35 2013
@@ -16,7 +16,10 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
+import java.util.Collections;
+import java.util.Set;
import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
@@ -64,4 +67,14 @@ public final class NoPermissions impleme
public boolean isGranted(@Nonnull String path, long permissions) {
return false;
}
+
+ @Override
+ public Set<String> getPrivileges(@Nullable Tree tree) {
+ return Collections.emptySet();
+ }
+
+ @Override
+ public boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames) {
+ return false;
+ }
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java?rev=1446198&r1=1446197&r2=1446198&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java Thu Feb 14 14:18:35 2013
@@ -41,7 +41,7 @@ public final class OpenPermissionProvide
@Nonnull
@Override
- public Set<String> getPrivilegeNames(@Nullable Tree tree) {
+ public Set<String> getPrivileges(@Nullable Tree tree) {
return Collections.singleton(PrivilegeConstants.JCR_ALL);
}
@@ -76,7 +76,7 @@ public final class OpenPermissionProvide
}
@Override
- public boolean hasPermission(@Nonnull String oakPath, String jcrActions) {
+ public boolean hasPermission(@Nonnull String oakPath, @Nonnull String jcrActions) {
return true;
}
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java?rev=1446198&r1=1446197&r2=1446198&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java Thu Feb 14 14:18:35 2013
@@ -29,7 +29,7 @@ import org.apache.jackrabbit.oak.api.Tre
public interface PermissionProvider {
@Nonnull
- Set<String> getPrivilegeNames(@Nullable Tree tree);
+ Set<String> getPrivileges(@Nullable Tree tree);
boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames);