Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/05/13 13:55:31 UTC
svn commit: r1481803 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authentication/
main/java/org/apache/jackrabbit/oak/security/authorization/
main/java/org/apache/jackrabbit/oak/security/authorization/restrictio...
Author: angela
Date: Mon May 13 11:55:30 2013
New Revision: 1481803
URL: http://svn.apache.org/r1481803
Log:
OAK-51 : Access Control Management (javadoc, tests)
OAK-50 : User Mgt (javadoc)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/SystemSubject.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBits.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionPattern.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/SystemSubject.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/SystemSubject.java?rev=1481803&r1=1481802&r2=1481803&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/SystemSubject.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/SystemSubject.java Mon May 13 11:55:30 2013
@@ -22,12 +22,17 @@ import javax.security.auth.Subject;
import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
/**
- * SystemSubject... TODO
+ * Internal utility providing access to a system internal subject instance.
*/
public final class SystemSubject {
public static final Subject INSTANCE = createSystemSubject();
+ /**
+ * Private constructor
+ */
+ private SystemSubject() {}
+
private static Subject createSystemSubject() {
return new Subject(true, Collections.singleton(SystemPrincipal.INSTANCE), Collections.<Object>emptySet(), Collections.<Object>emptySet());
}
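Review bot: The new class comment calls this an internal utility, but `INSTANCE` is a public static field on a public class, so nothing visible in this hunk keeps the system subject away from other callers. The comment should say what the `createSystemSubject()` line actually builds, for example `Provides the read-only system Subject, which holds only SystemPrincipal.INSTANCE and no credentials.`, plus a sentence on who is expected to use it if access is meant to be limited. The constructor comment `Private constructor` would read better as `Private constructor to avoid instantiation`, the wording this commit uses in AccessControlUtils. The class body continues outside the hunk.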
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java?rev=1481803&r1=1481802&r2=1481803&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java Mon May 13 11:55:30 2013
@@ -45,7 +45,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
/**
- * {@code AccessControlConfigurationImpl} ... TODO
+ * Default implementation of the {@code AccessControlConfiguration}.
*/
public class AccessControlConfigurationImpl extends SecurityConfiguration.Default implements AccessControlConfiguration {
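Review bot: The class comment uses `{@code AccessControlConfiguration}`, while the matching comment added to UserConfigurationImpl in this same commit uses `{@link UserConfiguration}`. Writing `{@link AccessControlConfiguration}` here would keep the two consistent and give readers a navigable reference. The class implements that interface, so the link resolves without a new import.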
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java?rev=1481803&r1=1481802&r2=1481803&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java Mon May 13 11:55:30 2013
@@ -16,14 +16,11 @@
*/
package org.apache.jackrabbit.oak.security.authorization;
-import static com.google.common.base.Preconditions.checkNotNull;
-
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-
import javax.annotation.CheckForNull;
import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
@@ -51,8 +48,11 @@ import org.apache.jackrabbit.oak.spi.xml
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import static com.google.common.base.Preconditions.checkNotNull;
+
/**
- * AccessControlImporter... TODO
+ * {@link ProtectedNodeImporter} implementation that handles access control lists,
+ * entries and restrictions.
*/
class AccessControlImporter implements ProtectedNodeImporter, AccessControlConstants {
@@ -233,7 +233,6 @@ class AccessControlImporter implements P
private void setPrincipal(TextValue txtValue) {
String principalName = txtValue.getString();
principal = principalManager.getPrincipal(principalName);
- // TODO: review handling of unknown principals
if (principal == null) {
principal = new PrincipalImpl(principalName);
}
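Review bot: Removing the `TODO: review handling of unknown principals` marker leaves the fallback in `setPrincipal` unexplained: when `principalManager.getPrincipal(principalName)` returns null, the import still proceeds with `new PrincipalImpl(principalName)`. If the review concluded that this is intended, a comment should record the decision, e.g. `// unknown principals are accepted on import; the entry is bound to the name only`. It would also help to state whether an entry imported this way takes effect once a principal with that name is created later, since that decides who the imported access control list ends up covering. The rest of the method is outside the hunk.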
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java?rev=1481803&r1=1481802&r2=1481803&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java Mon May 13 11:55:30 2013
@@ -27,18 +27,16 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
/**
- * AccessControlUtils... TODO
+ * Access control specific utility methods
*/
public final class AccessControlUtils extends org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils implements AccessControlConstants {
/**
- * logger instance
+ * Private constructor to avoid instantiation
*/
- private static final Logger log = LoggerFactory.getLogger(AccessControlUtils.class);
+ private AccessControlUtils() {}
public static void checkValidPrincipal(Principal principal, PrincipalManager principalManager) throws AccessControlException {
String name = (principal == null) ? null : principal.getName();
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java?rev=1481803&r1=1481802&r2=1481803&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java Mon May 13 11:55:30 2013
@@ -105,7 +105,6 @@ final class GlobPattern implements Restr
//-------------------------------------------------< RestrictionPattern >---
@Override
public boolean matches(@Nonnull Tree tree, @Nullable PropertyState property) {
- // TODO
String path = (property == null) ? tree.getPath() : PathUtils.concat(tree.getPath(), property.getName());
return matches(path);
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java?rev=1481803&r1=1481802&r2=1481803&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java Mon May 13 11:55:30 2013
@@ -29,7 +29,11 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
- * NodeTypePattern... TODO
+ * Implementation of the {@link RestrictionPattern} interface that returns
+ * {@code true} if the primary type of the target tree (or the parent of a
+ * target property) is contained in the configured node type name. This allows
+ * to limit certain operations (e.g. adding or removing a child tree) to
+ * nodes with a specific node type.
*/
class NodeTypePattern implements RestrictionPattern {
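Review bot: The phrase `is contained in the configured node type name` in the new class comment is ambiguous: it reads as membership in a set but names a single value. If the pattern holds several names, `is contained in the configured set of node type names` says so directly. Because the comment mentions only the primary type, it should also state explicitly whether mixin types and node type inheritance are ignored, assuming that is the behaviour. Otherwise an administrator may expect a restriction on a base type to cover its subtypes. The implementation is outside the hunk, so this cannot be confirmed from here.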
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBits.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBits.java?rev=1481803&r1=1481802&r2=1481803&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBits.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBits.java Mon May 13 11:55:30 2013
@@ -201,12 +201,17 @@ public final class PrivilegeBits impleme
}
/**
- * TODO
+ * Calculate the granted permissions by evaluating the given privileges. Note,
+ * that only built-in privileges can be mapped to permissions. Any other
+ * privileges will be ignored.
*
- * @param bits
- * @param parentBits
- * @param isAllow
- * @return
+ * @param bits The set of privileges present at given tree.
+ * @param parentBits The privileges present on the parent tree. These are
+ * required in order to determine permissions that include a modification
+ * of the parent tree (add_child_nodes, remove_child_nodes).
+ * @param isAllow {@code true} if the privileges are granted; {@code false}
+ * otherwise.
+ * @return the resulting permissions.
*/
public static long calculatePermissions(@Nonnull PrivilegeBits bits,
@Nonnull PrivilegeBits parentBits,
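Review bot: The `@param isAllow` text ends in `{@code false} otherwise`, which leaves open whether false means the privileges are denied or merely not granted; `{@code false} if they are denied` would remove the doubt, if that is the meaning. The sentence `Any other privileges will be ignored` should also say what that means for the result, e.g. `custom privileges contribute no permission bits, for allow and deny alike`, provided the implementation behaves that way. The method body is outside the hunk, so both wordings need checking against it.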
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java?rev=1481803&r1=1481802&r2=1481803&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java Mon May 13 11:55:30 2013
@@ -36,7 +36,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
/**
- * UserConfigurationImpl... TODO
+ * Default implementation of the {@link UserConfiguration}.
*/
public class UserConfigurationImpl extends SecurityConfiguration.Default implements UserConfiguration {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionPattern.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionPattern.java?rev=1481803&r1=1481802&r2=1481803&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionPattern.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionPattern.java Mon May 13 11:55:30 2013
@@ -23,14 +23,37 @@ import org.apache.jackrabbit.oak.api.Pro
import org.apache.jackrabbit.oak.api.Tree;
/**
- * RestrictionPattern... TODO
+ * Interface used to verify if a given {@code restriction} applies to a given
+ * item or path.
*/
public interface RestrictionPattern {
+ /**
+ * Returns {@code true} if the underlying restriction matches the specified
+ * tree or property state.
+ *
+ * @param tree The target tree or the parent of the target property.
+ * @param property The target property state or {@code null} if the target
+ * item is a tree.
+ * @return {@code true} if the underlying restriction matches the specified
+ * tree or property state; {@code false} otherwise.
+ */
boolean matches(@Nonnull Tree tree, @Nullable PropertyState property);
+ /**
+ * Returns {@code true} if the underlying restriction matches the specified
+ * path.
+ *
+ * @param path The path of the target item.
+ * @return {@code true} if the underlying restriction matches the specified
+ * path; {@code false} otherwise.
+ */
boolean matches(@Nonnull String path);
+ /**
+ * Default implementation of the {@code RestrictionPattern} that always
+ * returns {@code true} and thus matches all items or paths.
+ */
RestrictionPattern EMPTY = new RestrictionPattern() {
@Override
public boolean matches(@Nonnull Tree tree, @Nullable PropertyState property) {
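Review bot: The two `matches` comments describe each overload separately and never say how they must relate. GlobPattern in this commit derives the path from the tree and property and delegates to `matches(String)`, but an implementation that needs the tree itself (a node type check, for instance) cannot evaluate a bare path. The comment on `matches(@Nonnull String path)` should state what such an implementation is expected to return. A default of `true` would widen the entry the restriction is attached to, while `false` would narrow it. The body of `EMPTY` continues outside the hunk.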
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java?rev=1481803&r1=1481802&r2=1481803&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java Mon May 13 11:55:30 2013
@@ -18,11 +18,9 @@ package org.apache.jackrabbit.oak.securi
import java.security.Principal;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
/**
- * InvalidPrincipal... TODO
+ * Test principal implementation which doesn't implement the OAK specific
+ * principal marker interface.
*/
public final class InvalidTestPrincipal implements Principal {
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java?rev=1481803&r1=1481802&r2=1481803&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java Mon May 13 11:55:30 2013
@@ -16,20 +16,22 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
-import static org.junit.Assert.assertSame;
-import static org.junit.Assert.assertTrue;
-
import java.util.ArrayList;
import java.util.List;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
import org.junit.Before;
import org.junit.Test;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+
/**
* Test {@code AllPermissions}.
*/
@@ -45,7 +47,9 @@ public class AllPermissionsTest extends
super.before();
paths.add("/");
- // TODO
+ paths.add(VersionConstants.VERSION_STORE_PATH);
+ paths.add(NodeTypeConstants.NODE_TYPES_PATH);
+ paths.add(getTestUser().getPath());
}
@Test
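Review bot: The three `paths.add(...)` lines replace the `// TODO` with no comment saying why these locations were chosen. A one-line comment such as `// also cover the version store, the node type registry and a user node` would tell the next reader that the list is deliberate and what a new entry should look like. The start of the setup method is outside the hunk.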