Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2012/08/10 15:46:27 UTC

svn commit: r1371700 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: security/authorization/PermissionValidator.java security/authorization/PermissionValidatorProvider.java version/ version/VersionConstants.java

Author: angela
Date: Fri Aug 10 13:46:27 2012
New Revision: 1371700

URL: http://svn.apache.org/viewvc?rev=1371700&view=rev
Log:
OAK-51 : Implement JCR Access Control Management  (work in progress)

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/version/
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/version/VersionConstants.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java?rev=1371700&r1=1371699&r2=1371700&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java Fri Aug 10 13:46:27 2012
@@ -21,9 +21,7 @@ import javax.jcr.AccessDeniedException;
 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.PropertyState;
-import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.commons.PathUtils;
-import org.apache.jackrabbit.oak.core.ReadOnlyTree;
 import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
 import org.apache.jackrabbit.oak.plugins.type.NodeTypeConstants;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
@@ -31,6 +29,8 @@ import org.apache.jackrabbit.oak.spi.com
 import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
 import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.apache.jackrabbit.oak.version.VersionConstants;
 import org.apache.jackrabbit.util.Text;
 
 /**
@@ -46,11 +46,11 @@ class PermissionValidator implements Val
 
     private final CompiledPermissions compiledPermissions;
 
-    private final ReadOnlyTree parentBefore;
-    private final ReadOnlyTree parentAfter;
+    private final NodeUtil parentBefore;
+    private final NodeUtil parentAfter;
 
     PermissionValidator(CompiledPermissions compiledPermissions,
-                        ReadOnlyTree parentBefore, ReadOnlyTree parentAfter) {
+                        NodeUtil parentBefore, NodeUtil parentAfter) {
         this.compiledPermissions = compiledPermissions;
         this.parentBefore = parentBefore;
         this.parentAfter = parentAfter;
@@ -75,14 +75,14 @@ class PermissionValidator implements Val
 
     @Override
     public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
-        ReadOnlyTree child = new ReadOnlyTree(parentAfter, name, after);
+        NodeUtil child = parentAfter.getChild(name);
         return checkPermissions(child, false, Permissions.ADD_NODE);
     }
 
     @Override
     public Validator childNodeChanged(String name, NodeState before, NodeState after) throws CommitFailedException {
-        ReadOnlyTree childBefore = new ReadOnlyTree(parentBefore, name, before);
-        ReadOnlyTree childAfter = new ReadOnlyTree(parentAfter, name, after);
+        NodeUtil childBefore = parentBefore.getChild(name);
+        NodeUtil childAfter = parentAfter.getChild(name);
 
         // TODO
 
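Review bot: The child lookups `parentAfter.getChild(name)` and `parentBefore.getChild(name)` in childNodeAdded and childNodeChanged, and likewise in childNodeDeleted in the next hunk, have no null handling. They also ignore the `NodeState` argument and re-resolve the child by name from the parent. If `NodeUtil.getChild` can return null for a missing child (its contract is not visible in this diff, so please confirm), the `node.getTree().getPath()` call in checkPermissions throws a NullPointerException rather than a CommitFailedException. The same applies to validators built with `new PermissionValidator(compiledPermissions, node, null)`, where one parent is null by construction. In a permission validator the failure should be an explicit denial, so check the lookup result and fail the commit deliberately, with a comment such as `// child must exist in the parent tree; a missing child is treated as denied`. The body of childNodeChanged continues outside this hunk.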
@@ -91,13 +91,13 @@ class PermissionValidator implements Val
 
     @Override
     public Validator childNodeDeleted(String name, NodeState before) throws CommitFailedException {
-        ReadOnlyTree child = new ReadOnlyTree(parentBefore, name, before);
+        NodeUtil child = parentBefore.getChild(name);
         return checkPermissions(child, true, Permissions.REMOVE_NODE);
     }
 
     //------------------------------------------------------------< private >---
-    private void checkPermissions(Tree parent, PropertyState property, int defaultPermission) throws CommitFailedException {
-        String parentPath = parent.getPath();
+    private void checkPermissions(NodeUtil parent, PropertyState property, int defaultPermission) throws CommitFailedException {
+        String parentPath = parent.getTree().getPath();
         String name = property.getName();
 
         int permission;
@@ -116,8 +116,10 @@ class PermissionValidator implements Val
             permission = Permissions.PRIVILEGE_MANAGEMENT;
         } else if (isAccessControl(parent)) {
             permission = Permissions.MODIFY_ACCESS_CONTROL;
-        } else if (isVersion(parent)) {
+        } else if (isVersionProperty(parent, property)) {
             permission = Permissions.VERSION_MANAGEMENT;
+            // FIXME: path to check for permission must be adjusted to be
+            //        the one of the versionable node instead of the target parent.
         } else {
             // TODO: identify specific permission depending on type of protection
             // - user/group property -> user management
@@ -127,8 +129,8 @@ class PermissionValidator implements Val
         checkPermissions(PathUtils.concat(parentPath, name), permission);
     }
 
-    private PermissionValidator checkPermissions(ReadOnlyTree tree, boolean isBefore, int defaultPermission) throws CommitFailedException {
-        String path = tree.getPath();
+    private PermissionValidator checkPermissions(NodeUtil node, boolean isBefore, int defaultPermission) throws CommitFailedException {
+        String path = node.getTree().getPath();
         int permission;
 
         if (isNamespaceDefinition(path)) {
@@ -137,10 +139,12 @@ class PermissionValidator implements Val
             permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
         } else if (isPrivilegeDefinition(path)) {
             permission = Permissions.PRIVILEGE_MANAGEMENT;
-        } else if (isAccessControl(tree)) {
+        } else if (isAccessControl(node)) {
             permission = Permissions.MODIFY_ACCESS_CONTROL;
-        } else if (isVersion(tree)) {
+        } else if (isVersion(node)) {
             permission = Permissions.VERSION_MANAGEMENT;
+            // FIXME: path to check for permission must be adjusted to be
+            // //     the one of the versionable node instead of the target node.
         } else {
             // TODO: identify specific permission depending on additional types of protection
             // - user/group -> user management
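Review bot: The second line of the FIXME added in this hunk carries a doubled comment marker, `// //     the one of the versionable node instead of the target node.`; it should read `//        the one of the versionable node instead of the target node.`, matching the layout of the same FIXME in the property overload above. As the comment itself says, the VERSION_MANAGEMENT check still runs against the target item's path rather than the versionable node's. Referencing the issue in both comments, e.g. `// FIXME (OAK-51): ...`, would keep this open authorization gap traceable. checkPermissions starts and ends outside this hunk.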
@@ -155,8 +159,8 @@ class PermissionValidator implements Val
         } else {
             checkPermissions(path, permission);
             return (isBefore) ?
-                    new PermissionValidator(compiledPermissions, tree, null) :
-                    new PermissionValidator(compiledPermissions, null, tree);
+                    new PermissionValidator(compiledPermissions, node, null) :
+                    new PermissionValidator(compiledPermissions, null, node);
         }
     }
 
@@ -166,14 +170,32 @@ class PermissionValidator implements Val
         }
     }
 
-    private static boolean isAccessControl(Tree parent) {
+    private static boolean isAccessControl(NodeUtil node) {
         // TODO: depends on ac-model
         return false;
     }
 
-    private static boolean isVersion(Tree parent) {
-        // TODO: add implementation
-        return false;
+    private static boolean isVersion(NodeUtil node) {
+        if (node.getTree().isRoot()) {
+            return false;
+        }
+        // TODO: review again
+        if (VersionConstants.VERSION_NODE_NAMES.contains(node.getName())) {
+            return true;
+        } else if (VersionConstants.VERSION_NODE_TYPE_NAMES.contains(node.getName(JcrConstants.JCR_PRIMARYTYPE))) {
+            return true;
+        } else {
+            String path = node.getTree().getPath();
+            return VersionConstants.SYSTEM_PATHS.contains(Text.getAbsoluteParent(path, 1));
+        }
+    }
+
+    private static boolean isVersionProperty(NodeUtil parent, PropertyState property) {
+        if (VersionConstants.VERSION_PROPERTY_NAMES.contains(property.getName())) {
+            return true;
+        } else {
+            return isVersion(parent);
+        }
     }
 
     private static boolean isLockProperty(String name) {
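Review bot: `VersionConstants.VERSION_NODE_NAMES.contains(node.getName())` in isVersion, and the `VERSION_PROPERTY_NAMES` test in isVersionProperty, classify an item as version content from its name alone. The test runs before any type or location check, so a non-root node called `jcr:frozenNode` or a property called `jcr:root` anywhere in the workspace makes checkPermissions require VERSION_MANAGEMENT instead of the default add/remove/modify permission. VersionConstants already marks `JCR_ROOT` with "possible collisions?". Since the committing session chooses the name, consider requiring the node-type or `SYSTEM_PATHS` match as well, or at least document the limitation next to the existing TODO, e.g. `// NOTE: name-only match; also true for same-named items outside the version store`. `node.getName(JcrConstants.JCR_PRIMARYTYPE)` may presumably return null for an untyped node; that is harmless here because `contains(null)` on these lists returns false, but it deserves a short comment. The isLockProperty method at the end of the hunk continues outside it.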

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java?rev=1371700&r1=1371699&r2=1371700&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java Fri Aug 10 13:46:27 2012
@@ -18,11 +18,15 @@ package org.apache.jackrabbit.oak.securi
 
 import javax.annotation.Nonnull;
 
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.CoreValueFactory;
 import org.apache.jackrabbit.oak.core.ReadOnlyTree;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlContext;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
+import org.apache.jackrabbit.oak.util.NodeUtil;
 
 /**
  * PermissionValidatorProvider... TODO
@@ -30,11 +34,17 @@ import org.apache.jackrabbit.oak.spi.sta
 public class PermissionValidatorProvider implements ValidatorProvider {
 
     private final AccessControlContext acContext = null; // TODO
+    private final ContentSession contentSession = null; // TODO
 
     //--------------------------------------------------< ValidatorProvider >---
     @Nonnull
     @Override
     public Validator getRootValidator(NodeState before, NodeState after) {
-        return new PermissionValidator(acContext.getPermissions(), new ReadOnlyTree(before), new ReadOnlyTree(after));
+        NamePathMapper mapper = new NamePathMapper.Default();
+        CoreValueFactory vf = contentSession.getCoreValueFactory();
+
+        NodeUtil rootBefore = new NodeUtil(vf, mapper, new ReadOnlyTree(before));
+        NodeUtil rootAfter = new NodeUtil(vf, mapper, new ReadOnlyTree(after));
+        return new PermissionValidator(acContext.getPermissions(), rootBefore, rootAfter);
     }
 }
\ No newline at end of file
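Review bot: `contentSession` is declared `private final ContentSession contentSession = null;`, so `contentSession.getCoreValueFactory()` in getRootValidator throws a NullPointerException on every call, before the equally null `acContext` is even reached. How the caller reacts is not visible here, but a validator provider that cannot produce a validator should fail in a defined way rather than rely on an incidental NPE. Until the TODOs are resolved, either pass both collaborators in through a constructor and assign the final fields there, or guard the method with something like `if (contentSession == null || acContext == null) { throw new IllegalStateException("PermissionValidatorProvider is not initialized"); }`. The placeholder Javadoc `PermissionValidatorProvider... TODO` should also say that the class is not yet functional.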

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/version/VersionConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/version/VersionConstants.java?rev=1371700&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/version/VersionConstants.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/version/VersionConstants.java Fri Aug 10 13:46:27 2012
@@ -0,0 +1,127 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.version;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+
+import org.apache.jackrabbit.JcrConstants;
+
+/**
+ * VersionConstants... TODO
+ */
+public interface VersionConstants extends JcrConstants {
+
+    // activities
+    String JCR_ACTIVITY = "jcr:activity";
+    String JCR_ACTIVITIES = "jcr:activities";
+    String JCR_ACTIVITY_TITLE = "jcr:activityTitle";
+    String NT_ACTIVITY = "nt:activity";
+    String REP_ACTIVITIES = "rep:Activities";
+
+    // configurations
+    String JCR_CONFIGURATION = "jcr:configuration";
+    String JCR_CONFIGURATIONS = "jcr:configurations";
+    String JCR_ROOT = "jcr:root"; // TODO: possible collisions?
+    String NT_CONFIGURATION = "nt:configuration";
+    String REP_CONFIGURATIONS = "rep:Configurations";
+
+    // nt:versionHistory
+    String JCR_COPIED_FROM = "jcr:copiedFrom";
+
+    // nt:versionedChild
+    String JCR_CHILD_VERSION_HISTORY = "jcr:childVersionHistory";
+
+    /**
+     * Quote from JSR 283 Section "15.12.3 Activity Storage"<p/>
+     *
+     * Activities are persisted as nodes of type nt:activity under system-generated
+     * node names in activity storage below /jcr:system/jcr:activities.<br>
+     * Similar to the /jcr:system/jcr:versionStorage subgraph, the activity storage
+     * is a single repository wide store, but is reflected into each workspace.
+     */
+    String ACTIVITIES_PATH = '/' + JCR_SYSTEM + '/' + JCR_ACTIVITIES;
+
+    /**
+     * Quote from JSR 283 Section "15.13.2 Configuration Proxy Nodes"<p/>
+     *
+     * Each configuration in a given workspace is represented by a distinct proxy
+     * node of type nt:configuration located in configuration storage within the
+     * same workspace under /jcr:system/jcr:configurations/. The configuration
+     * storage in a particular workspace is specific to that workspace. It is
+     * not a common repository-wide store mirrored into each workspace, as is
+     * the case with version storage.
+     */
+    String CONFIGURATIONS_PATH = '/' + JCR_SYSTEM + '/' + JCR_CONFIGURATIONS;
+
+    /**
+     * Quote from JSR 283 Section "3.13.8 Version Storage"<p/>
+     *
+     * Version histories are stored in a single, repository-wide version storage
+     * mutable and readable through the versioning API.
+     * Under full versioning the version storage data must, additionally, be
+     * reflected in each workspace as a protected subgraph [...] located below
+     * /jcr:system/jcr:versionStorage.
+     */
+    String VERSION_STORE_PATH = '/' + JCR_SYSTEM + '/' + JCR_VERSIONSTORAGE;
+
+    Collection<String> SYSTEM_PATHS = Collections.unmodifiableList(Arrays.asList(
+            ACTIVITIES_PATH,
+            CONFIGURATIONS_PATH,
+            VERSION_STORE_PATH
+    ));
+
+    Collection<String> VERSION_PROPERTY_NAMES = Collections.unmodifiableList(Arrays.asList(
+            JCR_ACTIVITY,
+            JCR_ACTIVITY_TITLE,
+            JCR_BASEVERSION,
+            JCR_CHILD_VERSION_HISTORY,
+            JCR_CONFIGURATION,
+            JCR_COPIED_FROM,
+            JCR_FROZENMIXINTYPES,
+            JCR_FROZENPRIMARYTYPE,
+            JCR_FROZENUUID,
+            JCR_ISCHECKEDOUT,
+            JCR_MERGEFAILED,
+            JCR_PREDECESSORS,
+            JCR_ROOT,
+            JCR_SUCCESSORS,
+            JCR_VERSIONABLEUUID,
+            JCR_VERSIONHISTORY
+    ));
+
+    Collection<String> VERSION_NODE_NAMES = Collections.unmodifiableList(Arrays.asList(
+            JCR_ACTIVITIES,
+            JCR_CONFIGURATIONS,
+            JCR_FROZENNODE,
+            JCR_ROOTVERSION,
+            JCR_VERSIONLABELS
+    ));
+
+    Collection<String> VERSION_NODE_TYPE_NAMES = Collections.unmodifiableList(Arrays.asList(
+            NT_ACTIVITY,
+            NT_CONFIGURATION,
+            NT_FROZENNODE,
+            NT_VERSION,
+            NT_VERSIONEDCHILD,
+            NT_VERSIONHISTORY,
+            NT_VERSIONLABELS,
+            REP_ACTIVITIES,
+            REP_CONFIGURATIONS
+    ));
+}
\ No newline at end of file
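Review bot: The four collections `SYSTEM_PATHS`, `VERSION_PROPERTY_NAMES`, `VERSION_NODE_NAMES` and `VERSION_NODE_TYPE_NAMES` have no Javadoc, and the type comment is still `VersionConstants... TODO`, although PermissionValidator uses them to decide when VERSION_MANAGEMENT is the required permission. Each one should get a short Javadoc stating what membership means and that it is consulted during permission evaluation, so that later additions are reviewed as authorization changes; for example `/** Names of properties treated as version-related by the permission validator. */`. The `// TODO: possible collisions?` on `JCR_ROOT` should be resolved or expanded to say what it might collide with, because that name is part of `VERSION_PROPERTY_NAMES`. As a style point, these are membership sets only ever queried with `contains`, so an unmodifiable `Set<String>` would express the intent better than a list-backed `Collection<String>`.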