Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/08/07 18:49:09 UTC
svn commit: r1511390 - in
/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak:
security/authorization/accesscontrol/ security/authorization/restriction/
spi/security/authorization/restriction/
Author: angela
Date: Wed Aug 7 16:49:08 2013
New Revision: 1511390
URL: http://svn.apache.org/r1511390
Log:
OAK-51 : Access Control Management (restriction related javadoc and minor improvement)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java?rev=1511390&r1=1511389&r2=1511390&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java Wed Aug 7 16:49:08 2013
@@ -21,6 +21,7 @@ import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
+import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
@@ -46,6 +47,7 @@ import org.apache.jackrabbit.util.Text;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.apache.jackrabbit.oak.api.CommitFailedException.ACCESS_CONTROL;
+import static org.apache.jackrabbit.oak.api.CommitFailedException.OAK;
/**
* Validation for access control information changed by regular JCR (and Jackrabbit)
@@ -240,6 +242,8 @@ class AccessControlValidator extends Def
restrictionProvider.validateRestrictions(path, aceTree);
} catch (AccessControlException e) {
throw new CommitFailedException(ACCESS_CONTROL, 1, "Access control violation", e);
+ } catch (RepositoryException e) {
+ throw new CommitFailedException(OAK, 13, "Internal error", e);
}
}
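Review bot: The added `catch (RepositoryException e)` reports every non-access-control failure from `validateRestrictions` as `OAK, 13, "Internal error"`, so whoever reads the failed commit cannot tell which ACE or path was being validated. The commit still fails closed, which is the right outcome for a validator, but the message could carry the context already in scope, for example `throw new CommitFailedException(OAK, 13, "Failed to validate restrictions at " + path, e);`. The bare `13` would also be easier to audit with a short comment or a named constant, if the project keeps one (none is visible here). Because `AccessControlException` is a subclass of `RepositoryException`, the order of the two catch clauses matters, and a one-line comment such as `// must stay after the AccessControlException clause` would guard against a later reordering. The enclosing method starts outside this hunk.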
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java?rev=1511390&r1=1511389&r2=1511390&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java Wed Aug 7 16:49:08 2013
@@ -24,7 +24,6 @@ import javax.annotation.Nullable;
import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
-import javax.jcr.security.AccessControlException;
import com.google.common.collect.Sets;
import org.apache.jackrabbit.oak.api.PropertyState;
@@ -88,7 +87,7 @@ public class PrincipalRestrictionProvide
}
@Override
- public void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction> restrictions) throws AccessControlException {
+ public void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction> restrictions) throws RepositoryException {
Iterator<Restriction> it = Sets.newHashSet(restrictions).iterator();
while (it.hasNext()) {
Restriction r = it.next();
@@ -100,7 +99,7 @@ public class PrincipalRestrictionProvide
}
@Override
- public void validateRestrictions(String oakPath, @Nonnull Tree aceTree) throws AccessControlException {
+ public void validateRestrictions(String oakPath, @Nonnull Tree aceTree) throws RepositoryException {
base.validateRestrictions(oakPath, aceTree);
}
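Review bot: The new `validateRestrictions` signature declares only `throws RepositoryException`, while the interface changed in this same commit declares `throws AccessControlException, RepositoryException`. This compiles, but a reader of this class no longer sees that invalid restrictions are signalled by the more specific exception, and that is the one `AccessControlValidator` maps to an access control violation. Consider keeping both in the clause, `throws AccessControlException, RepositoryException`, which would mean retaining the `javax.jcr.security.AccessControlException` import that this commit removes. Alternatively, add a short `{@inheritDoc}` Javadoc so the contract stays discoverable from the implementation.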
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java?rev=1511390&r1=1511389&r2=1511390&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java Wed Aug 7 16:49:08 2013
@@ -24,7 +24,6 @@ import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
-import javax.jcr.AccessDeniedException;
import javax.jcr.NamespaceRegistry;
import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
@@ -120,7 +119,7 @@ public abstract class AbstractRestrictio
}
@Override
- public void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction> restrictions) throws AccessDeniedException {
+ public void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction> restrictions) throws RepositoryException {
// validation of the restrictions is delegated to the commit hook
// see #validateRestrictions below
if (!restrictions.isEmpty()) {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java?rev=1511390&r1=1511389&r2=1511390&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java Wed Aug 7 16:49:08 2013
@@ -26,30 +26,107 @@ import javax.jcr.security.AccessControlE
import org.apache.jackrabbit.oak.api.Tree;
/**
- * RestrictionProvider... TODO
+ * Interface to manage the supported restrictions present with a given access
+ * control and permission management implementation.
+ *
+ * @since OAK 1.0
*/
public interface RestrictionProvider {
+ /**
+ * Returns the restriction definitions supported by this provider implementation
+ * at the specified path.
+ *
+ * @param oakPath The path of the access controlled tree. A {@code null}
+ * path indicates that the supported restrictions for repository level
+ * policies should be returned.
+ * @return The set of supported restrictions at the given path.
+ */
@Nonnull
Set<RestrictionDefinition> getSupportedRestrictions(@Nullable String oakPath);
+ /**
+ * Creates a new single valued restriction for the specified parameters.
+ *
+ * @param oakPath The path of the access controlled tree or {@code null} if
+ * the target policies applies to the repository level.
+ * @param oakName The name of the restriction.
+ * @param value The value of the restriction.
+ * @return A new restriction instance.
+ * @throws AccessControlException If no matching restriction definition
+ * exists for the specified parameters.
+ * @throws RepositoryException If another error occurs.
+ */
@Nonnull
Restriction createRestriction(@Nullable String oakPath,
@Nonnull String oakName,
- @Nonnull Value value) throws RepositoryException;
+ @Nonnull Value value) throws AccessControlException, RepositoryException;
+ /**
+ * Creates a new multi valued restriction for the specified parameters.
+ *
+ * @param oakPath The path of the access controlled tree or {@code null} if
+ * the target policies applies to the repository level.
+ * @param oakName The name of the restriction.
+ * @param values The values of the restriction.
+ * @return A new restriction instance.
+ * @throws AccessControlException If no matching restriction definition
+ * exists for the specified parameters.
+ * @throws RepositoryException If another error occurs.
+ */
@Nonnull
Restriction createRestriction(@Nullable String oakPath,
@Nonnull String oakName,
- @Nonnull Value... values) throws RepositoryException;
+ @Nonnull Value... values) throws AccessControlException, RepositoryException;
+ /**
+ * Read the valid restrictions stored in the specified ACE tree.
+ *
+ * @param oakPath The path of the access controlled tree or {@code null} if
+ * the target policies applies to the repository level.
+ * @param aceTree The tree corresponding to an ACE that may contain
+ * restrictions.
+ * @return The valid restrictions stored with the specified tree or an
+ * empty set.
+ */
@Nonnull
Set<Restriction> readRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree);
- void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction> restrictions) throws AccessControlException;
-
- void validateRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) throws AccessControlException;
-
+ /**
+ * Writes the given restrictions to the specified ACE tree. Note, that this
+ * method does not validate the specified restrictions (see also
+ * {@link #validateRestrictions(String, org.apache.jackrabbit.oak.api.Tree)}).
+ *
+ * @param oakPath The path of the access controlled tree or {@code null} if
+ * the target policies applies to the repository level.
+ * @param aceTree The tree corresponding to an ACE that will have the
+ * specified restrictions added.
+ * @throws RepositoryException If an error occurs while writing the
+ * restrictions.
+ */
+ void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction> restrictions) throws RepositoryException;
+
+ /**
+ * Validate the restrictions present with the specified ACE tree.
+ *
+ * @param oakPath The path of the access controlled tree or {@code null} if
+ * the target policies applies to the repository level.
+ * @param aceTree The tree corresponding to an ACE.
+ * @throws AccessControlException If any invalid restrictions are detected.
+ * @throws RepositoryException If another error occurs.
+ */
+ void validateRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) throws AccessControlException, RepositoryException;
+
+ /**
+ * Creates the {@link RestrictionPattern} for the restriction information
+ * stored with specified tree.
+ *
+ * @param oakPath The path of the access controlled tree or {@code null} if
+ * the target policies applies to the repository level.
+ * @param tree The tree holding the restriction information.
+ * @return A new {@link RestrictionPattern} representing the restriction
+ * information present with the given tree.
+ */
@Nonnull
RestrictionPattern getPattern(@Nullable String oakPath, @Nonnull Tree tree);
}
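Review bot: The new Javadoc for `writeRestrictions` documents `oakPath` and `aceTree` but has no `@param restrictions`, and the method is the only one in the interface whose parameters carry no nullability annotations, even though the text says `oakPath` may be `null`. Add `@param restrictions The set of restrictions to be written to the ACE tree.` and annotate the signature like its siblings: `void writeRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree, @Nonnull Set<Restriction> restrictions) throws RepositoryException;`. Since this method explicitly skips validation, the Javadoc should also say where validation is expected to happen. The comment in `AbstractRestrictionProvider` points to the commit hook, so implementers and callers would then know that unvalidated restrictions must not be persisted without it. The repeated phrase "the target policies applies" should read "the target policy applies".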