Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/07/31 09:43:54 UTC
svn commit: r1508752 - in /jackrabbit/oak/trunk:
oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/
oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/
Author: angela
Date: Wed Jul 31 07:43:54 2013
New Revision: 1508752
URL: http://svn.apache.org/r1508752
Log:
OAK-51 : Access Control Management
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/Util.java
- copied, changed from r1508502, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java
Removed:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java?rev=1508752&r1=1508751&r2=1508752&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java Wed Jul 31 07:43:54 2013
@@ -99,7 +99,7 @@ abstract class ACL extends AbstractAcces
getPrivilegeManager().getPrivilege(p.getName());
}
- AccessControlUtils.checkValidPrincipal(principal, getPrincipalManager());
+ Util.checkValidPrincipal(principal, getPrincipalManager());
for (RestrictionDefinition def : getRestrictionProvider().getSupportedRestrictions(getOakPath())) {
String jcrName = getNamePathMapper().getJcrName(def.getName());
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1508752&r1=1508751&r2=1508752&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Wed Jul 31 07:43:54 2013
@@ -53,6 +53,7 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.PropertyValue;
import org.apache.jackrabbit.oak.api.QueryEngine;
@@ -74,9 +75,9 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
-import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConfiguration;
import org.apache.jackrabbit.oak.spi.state.PropertyBuilder;
import org.apache.jackrabbit.oak.util.NodeUtil;
@@ -94,7 +95,7 @@ import static com.google.common.base.Pre
* This implementation covers both editing access control content by path and
* by {@code Principal} resulting both in the same content structure.
*/
-public class AccessControlManagerImpl implements JackrabbitAccessControlManager, AccessControlConstants {
+class AccessControlManagerImpl implements JackrabbitAccessControlManager, AccessControlConstants {
private static final Logger log = LoggerFactory.getLogger(AccessControlManagerImpl.class);
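Review bot: The class comment does not say how code outside the package obtains an access control manager, now that the class is package-private here and its constructor loses `public` in the -111,8 hunk. A sentence in the Javadoc naming the in-package entry point that creates instances would stop readers from looking for a public constructor. Any external code that called the old public constructor will no longer compile, and this commit adjusts no such caller, so it is worth confirming that no other module instantiated the class directly.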
@@ -111,8 +112,8 @@ public class AccessControlManagerImpl im
private PermissionProvider permissionProvider;
- public AccessControlManagerImpl(@Nonnull Root root, @Nonnull NamePathMapper namePathMapper,
- @Nonnull SecurityProvider securityProvider) {
+ AccessControlManagerImpl(@Nonnull Root root, @Nonnull NamePathMapper namePathMapper,
+ @Nonnull SecurityProvider securityProvider) {
this.root = root;
this.namePathMapper = namePathMapper;
@@ -212,13 +213,13 @@ public class AccessControlManagerImpl im
AccessControlPolicy policy = null;
Tree aclTree = getAclTree(oakPath, tree);
if (aclTree == null) {
- if (tree.hasChild(AccessControlUtils.getAclName(oakPath))) {
+ if (tree.hasChild(Util.getAclName(oakPath))) {
// policy child node without tree being access controlled
log.warn("Colliding policy child without node being access controllable ({}).", absPath);
} else {
// create an empty acl unless the node is protected or cannot have
// mixin set (e.g. due to a lock)
- String mixinName = AccessControlUtils.getMixinName(oakPath);
+ String mixinName = Util.getMixinName(oakPath);
if (ntMgr.isNodeType(tree, mixinName) || ntMgr.getEffectiveNodeType(tree).supportsMixin(mixinName)) {
policy = new NodeACL(oakPath);
} else {
@@ -237,7 +238,7 @@ public class AccessControlManagerImpl im
@Override
public void setPolicy(@Nullable String absPath, @Nonnull AccessControlPolicy policy) throws RepositoryException {
String oakPath = getOakPath(absPath);
- AccessControlUtils.checkValidPolicy(oakPath, policy);
+ Util.checkValidPolicy(oakPath, policy);
if (policy instanceof PrincipalACL) {
setPrincipalBasedAcl((PrincipalACL) policy);
@@ -308,7 +309,7 @@ public class AccessControlManagerImpl im
aclTree.setOrderableChildren(true);
for (ACE ace : acl.getEntries()) {
boolean isAllow = ace.isAllow();
- String nodeName = AccessControlUtils.generateAceName(aclTree, isAllow);
+ String nodeName = Util.generateAceName(aclTree, isAllow);
String ntName = (isAllow) ? NT_REP_GRANT_ACE : NT_REP_DENY_ACE;
NodeUtil aceNode = new NodeUtil(aclTree).addChild(nodeName, ntName);
@@ -322,7 +323,7 @@ public class AccessControlManagerImpl im
@Override
public void removePolicy(@Nullable String absPath, @Nonnull AccessControlPolicy policy) throws RepositoryException {
String oakPath = getOakPath(absPath);
- AccessControlUtils.checkValidPolicy(oakPath, policy);
+ Util.checkValidPolicy(oakPath, policy);
if (policy instanceof PrincipalACL) {
PrincipalACL principalAcl = (PrincipalACL) policy;
@@ -359,7 +360,7 @@ public class AccessControlManagerImpl im
@Nonnull
@Override
public JackrabbitAccessControlPolicy[] getApplicablePolicies(@Nonnull Principal principal) throws RepositoryException {
- AccessControlUtils.checkValidPrincipal(principal, principalManager);
+ Util.checkValidPrincipal(principal, principalManager);
String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null;
JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal);
@@ -374,7 +375,7 @@ public class AccessControlManagerImpl im
@Nonnull
@Override
public JackrabbitAccessControlPolicy[] getPolicies(@Nonnull Principal principal) throws RepositoryException {
- AccessControlUtils.checkValidPrincipal(principal, principalManager);
+ Util.checkValidPrincipal(principal, principalManager);
String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null;
JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal);
@@ -389,7 +390,7 @@ public class AccessControlManagerImpl im
@Nonnull
@Override
public AccessControlPolicy[] getEffectivePolicies(@Nonnull Set<Principal> principals) throws RepositoryException {
- AccessControlUtils.checkValidPrincipals(principals, principalManager);
+ Util.checkValidPrincipals(principals, principalManager);
Root r = root.getContentSession().getLatestRoot();
Result aceResult = searchAces(principals, r);
@@ -478,8 +479,8 @@ public class AccessControlManagerImpl im
@CheckForNull
private Tree getAclTree(@Nullable String oakPath, @Nonnull Tree accessControlledTree) {
- if (AccessControlUtils.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
- String aclName = AccessControlUtils.getAclName(oakPath);
+ if (Util.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
+ String aclName = Util.getAclName(oakPath);
Tree policyTree = accessControlledTree.getChild(aclName);
if (policyTree.exists()) {
return policyTree;
@@ -496,9 +497,9 @@ public class AccessControlManagerImpl im
*/
@Nonnull
private Tree createAclTree(@Nullable String oakPath, @Nonnull Tree tree) throws AccessDeniedException {
- if (!AccessControlUtils.isAccessControlled(oakPath, tree, ntMgr)) {
+ if (!Util.isAccessControlled(oakPath, tree, ntMgr)) {
PropertyState mixins = tree.getProperty(JcrConstants.JCR_MIXINTYPES);
- String mixinName = AccessControlUtils.getMixinName(oakPath);
+ String mixinName = Util.getMixinName(oakPath);
if (mixins == null) {
tree.setProperty(JcrConstants.JCR_MIXINTYPES, Collections.singleton(mixinName), Type.NAMES);
} else {
@@ -507,7 +508,7 @@ public class AccessControlManagerImpl im
tree.setProperty(pb.getPropertyState());
}
}
- String aclName = AccessControlUtils.getAclName(oakPath);
+ String aclName = Util.getAclName(oakPath);
return new NodeUtil(tree).addChild(aclName, NT_REP_ACL).getTree();
}
@@ -516,13 +517,13 @@ public class AccessControlManagerImpl im
@Nonnull Tree accessControlledTree,
boolean isEffectivePolicy) throws RepositoryException {
JackrabbitAccessControlList acl = null;
- String aclName = AccessControlUtils.getAclName(oakPath);
- if (accessControlledTree.exists() && AccessControlUtils.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
+ String aclName = Util.getAclName(oakPath);
+ if (accessControlledTree.exists() && Util.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
Tree aclTree = accessControlledTree.getChild(aclName);
if (aclTree.exists()) {
List<ACE> entries = new ArrayList<ACE>();
for (Tree child : aclTree.getChildren()) {
- if (AccessControlUtils.isACE(child, ntMgr)) {
+ if (Util.isACE(child, ntMgr)) {
entries.add(createACE(oakPath, child, restrictionProvider));
}
}
@@ -544,7 +545,7 @@ public class AccessControlManagerImpl im
List<ACE> entries = new ArrayList<ACE>();
for (ResultRow row : aceResult.getRows()) {
Tree aceTree = root.getTree(row.getPath());
- if (AccessControlUtils.isACE(aceTree, ntMgr)) {
+ if (Util.isACE(aceTree, ntMgr)) {
String aclPath = Text.getRelativeParent(aceTree.getPath(), 1);
String path;
if (aclPath.endsWith(REP_REPO_POLICY)) {
Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/Util.java (from r1508502, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/Util.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/Util.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java&r1=1508502&r2=1508752&rev=1508752&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/Util.java Wed Jul 31 07:43:54 2013
@@ -30,16 +30,17 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
/**
- * Access control specific utility methods
+ * Implementation specific access control utility methods
*/
-public final class AccessControlUtils extends org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils implements AccessControlConstants {
+final class Util implements AccessControlConstants {
/**
* Private constructor to avoid instantiation
*/
- private AccessControlUtils() {}
+ private Util() {}
- public static void checkValidPrincipal(Principal principal, PrincipalManager principalManager) throws AccessControlException {
+ public static void checkValidPrincipal(@Nullable Principal principal,
+ @Nonnull PrincipalManager principalManager) throws AccessControlException {
String name = (principal == null) ? null : principal.getName();
if (name == null || name.isEmpty()) {
throw new AccessControlException("Invalid principal " + name);
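Review bot: The helpers in this file keep `public static` although `Util` is now package-private, so the modifier overstates their reach. This applies to `checkValidPrincipal` here and to `checkValidPrincipals` and `isAccessControlled` in the two later hunks; dropping it, as in `static void checkValidPrincipal(...)`, matches the narrowed class. The method also has no Javadoc, and a line such as `/** Rejects a null principal, or one whose name is null or empty, with AccessControlException. */` would record what the new `@Nullable` annotation implies. The rest of checkValidPrincipal lies outside this hunk, so any further check against `principalManager` is not visible here and should be documented in the same comment.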
@@ -49,12 +50,13 @@ public final class AccessControlUtils ex
}
}
- public static void checkValidPrincipals(@Nullable Set<Principal> principals, PrincipalManager principalManager) throws AccessControlException {
+ public static void checkValidPrincipals(@Nullable Set<Principal> principals,
+ @Nonnull PrincipalManager principalManager) throws AccessControlException {
if (principals == null) {
throw new AccessControlException("Valid principals expected. Found null.");
}
for (Principal principal : principals) {
- AccessControlUtils.checkValidPrincipal(principal, principalManager);
+ checkValidPrincipal(principal, principalManager);
}
}
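Review bot: An empty set passes `checkValidPrincipals` without any principal being validated, because only `null` is rejected before the loop. Whether that is legitimate depends on callers such as `getEffectivePolicies`, whose handling of an empty set is outside this hunk. If it is intended, say so in a Javadoc line, for example `/** Accepts an empty set; rejects null and any invalid member. */`. If it is not, add `if (principals.isEmpty()) throw new AccessControlException("Valid principals expected. Found empty set.");` after the null check.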
@@ -69,7 +71,8 @@ public final class AccessControlUtils ex
}
}
- public static boolean isAccessControlled(String oakPath, @Nonnull Tree tree, @Nonnull ReadOnlyNodeTypeManager ntMgr) {
+ public static boolean isAccessControlled(@Nullable String oakPath, @Nonnull Tree tree,
+ @Nonnull ReadOnlyNodeTypeManager ntMgr) {
String mixinName = getMixinName(oakPath);
return ntMgr.isNodeType(tree, mixinName);
}
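Review bot: `isAccessControlled` now declares `@Nullable String oakPath`, but nothing states what a null path means for this predicate. `getMixinName(oakPath)` is defined outside the hunk; presumably a null path selects the repository-level access control mixin rather than the node-level one. A one-line Javadoc such as `/** Returns true if the tree has the access control mixin that applies to oakPath; a null path denotes repository-level policies (confirm). */` would make the contract explicit for callers that decide whether to read or create a policy node.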
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadTest.java?rev=1508752&r1=1508751&r2=1508752&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadTest.java Wed Jul 31 07:43:54 2013
@@ -16,13 +16,10 @@
*/
package org.apache.jackrabbit.oak.jcr.security.authorization;
-import static org.junit.Assert.assertArrayEquals;
-
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
-
import javax.jcr.Node;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
@@ -35,10 +32,12 @@ import javax.jcr.util.TraversingItemVisi
import com.google.common.collect.Sets;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Group;
-import org.apache.jackrabbit.oak.security.authorization.AccessControlUtils;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.junit.Test;
+import static org.junit.Assert.assertArrayEquals;
+
/**
* Permission evaluation tests related to {@link javax.jcr.security.Privilege#JCR_READ} privilege.
*/