Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/03/19 12:48:37 UTC

svn commit: r1458234 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/core/ oak-core/src/main/java/org/apache/jackrabbit/oak/kernel/ oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/version/ oak-core/src/main/java/or...

Author: angela
Date: Tue Mar 19 11:48:36 2013
New Revision: 1458234

URL: http://svn.apache.org/r1458234
Log:
OAK-527: permissions (wip)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableRoot.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableTree.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/kernel/KernelNodeState.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/version/ReadWriteVersionManager.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreValidatorProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConfigurationImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorProvider.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableRoot.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableRoot.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableRoot.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableRoot.java Tue Mar 19 11:48:36 2013
@@ -18,7 +18,9 @@
  */
 package org.apache.jackrabbit.oak.core;
 
+import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 
 import org.apache.jackrabbit.oak.api.BlobFactory;
 import org.apache.jackrabbit.oak.api.QueryEngine;
@@ -37,18 +39,37 @@ import static com.google.common.base.Pre
 public final class ImmutableRoot implements Root {
 
     private final ImmutableTree rootTree;
+    private final String workspaceName;
 
-    public ImmutableRoot(@Nonnull NodeState rootState) {
-        this(new ImmutableTree(rootState));
+    public ImmutableRoot(@Nonnull NodeState rootState, @Nullable String workspaceName) {
+        this(new ImmutableTree(rootState), workspaceName);
     }
 
     public ImmutableRoot(@Nonnull Root root, @Nonnull ImmutableTree.TypeProvider typeProvider) {
-        this(ImmutableTree.createFromRoot(root, typeProvider));
+        this(ImmutableTree.createFromRoot(root, typeProvider), getWorkspaceName(root));
     }
 
-    public ImmutableRoot(@Nonnull ImmutableTree rootTree) {
+    public ImmutableRoot(@Nonnull ImmutableTree rootTree, @Nullable String workspaceName) {
         checkArgument(rootTree.isRoot());
         this.rootTree = rootTree;
+        this.workspaceName = workspaceName;
+    }
+
+    @CheckForNull
+    public String getWorkspaceName() {
+        return workspaceName;
+    }
+
+    // TODO: review if getWorkspaceName() may be part of Root API
+    @CheckForNull
+    public static String getWorkspaceName(Root root) {
+        if (root instanceof ImmutableRoot) {
+            return ((ImmutableRoot) root).getWorkspaceName();
+        } else if (root instanceof RootImpl) {
+            return ((RootImpl) root).getWorkspaceName();
+        } else {
+            return null;
+        }
     }
 
     //---------------------------------------------------------------< Root >---
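Review bot: `getWorkspaceName(Root)` returns null for any `Root` that is neither `ImmutableRoot` nor `RootImpl`, and for an `ImmutableRoot` built with a null name, yet the `PermissionProviderImpl` constructor hunk in this commit wraps the result in a bare `checkNotNull(...)`. The `ReadWriteVersionManager` hunk already creates such a root with `new ImmutableRoot(workspaceRoot.getNodeState(), null)`; if that root ever reaches a permission provider, the result is a message-less NullPointerException during permission setup. Consider giving the check a message, e.g. `checkNotNull(ImmutableRoot.getWorkspaceName(root), "workspace name not available for " + root.getClass())`, and documenting on the static helper when null is returned. The class body continues outside the hunk.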

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableTree.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableTree.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableTree.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableTree.java Tue Mar 19 11:48:36 2013
@@ -26,6 +26,7 @@ import org.apache.jackrabbit.oak.api.Pro
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.kernel.KernelNodeState;
 import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
 import org.apache.jackrabbit.oak.spi.security.Context;
 import org.apache.jackrabbit.oak.spi.state.ChildNodeEntry;
@@ -91,9 +92,14 @@ public final class ImmutableTree extends
             return "/";
         }
 
-        StringBuilder sb = new StringBuilder();
-        buildPath(sb);
-        return sb.toString();
+        NodeState nodeState = getNodeState();
+        if (nodeState instanceof KernelNodeState) {
+            return ((KernelNodeState) nodeState).getPath();
+        } else {
+            StringBuilder sb = new StringBuilder();
+            buildPath(sb);
+            return sb.toString();
+        }
     }
 
     private void buildPath(StringBuilder sb) {
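Review bot: The new `KernelNodeState` branch in `getPath()` has no comment saying why the node state's own path is preferred over `buildPath`, and nothing in the hunk establishes that the two branches agree. If an `ImmutableTree` can wrap a `KernelNodeState` whose stored path differs from the tree's parent chain (not visible from this hunk), callers would see a different path than before, and that path presumably feeds permission evaluation. A short why-comment such as `// KernelNodeState already knows its absolute path; avoids walking the parent chain`, plus a test asserting both branches return the same value, would make the assumption explicit. The method starts before the hunk.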

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java Tue Mar 19 11:48:36 2013
@@ -423,6 +423,11 @@ public class RootImpl implements Root {
         return permissionProvider;
     }
 
+    @Nonnull
+    String getWorkspaceName() {
+        return workspaceName;
+    }
+
     //------------------------------------------------------------< private >---
 
     /**

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/kernel/KernelNodeState.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/kernel/KernelNodeState.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/kernel/KernelNodeState.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/kernel/KernelNodeState.java Tue Mar 19 11:48:36 2013
@@ -390,7 +390,7 @@ public final class KernelNodeState exten
     }
 
     @Nonnull
-    String getPath() {
+    public String getPath() {
         return path;
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/version/ReadWriteVersionManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/version/ReadWriteVersionManager.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/version/ReadWriteVersionManager.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/version/ReadWriteVersionManager.java Tue Mar 19 11:48:36 2013
@@ -83,7 +83,7 @@ class ReadWriteVersionManager extends Re
     @Nonnull
     @Override
     protected Root getWorkspaceRoot() {
-        return new ImmutableRoot(workspaceRoot.getNodeState());
+        return new ImmutableRoot(workspaceRoot.getNodeState(), null);
     }
 
     @Nonnull

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java Tue Mar 19 11:48:36 2013
@@ -79,7 +79,7 @@ public class AccessControlConfigurationI
         return ImmutableList.of(
                 new PermissionStoreValidatorProvider(),
                 new PermissionValidatorProvider(securityProvider, workspaceName),
-                new AccessControlValidatorProvider(securityProvider));
+                new AccessControlValidatorProvider(securityProvider, workspaceName));
     }
 
     @Nonnull

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Tue Mar 19 11:48:36 2013
@@ -130,13 +130,13 @@ public class AccessControlManagerImpl im
 
     @Override
     public boolean hasPrivileges(@Nullable String absPath, @Nonnull Privilege[] privileges) throws RepositoryException {
-        return hasPrivileges(absPath, privileges, getPermissionProvider());
+        return hasPrivileges(absPath, privileges, permissionProvider);
     }
 
     @Nonnull
     @Override
     public Privilege[] getPrivileges(@Nullable String absPath) throws RepositoryException {
-        return getPrivileges(absPath, getPermissionProvider());
+        return getPrivileges(absPath, permissionProvider);
     }
 
     @Nonnull
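Review bot: `hasPrivileges(String, Privilege[])` and `getPrivileges(String)` now read the `permissionProvider` field directly instead of calling `getPermissionProvider()`, whose body is not visible here. If that accessor refreshed or lazily created the provider, these two methods may now answer from a stale permission snapshot or from a null field, which for an access-control query means reporting privileges that no longer hold. Please confirm the field is always initialised and kept current, and record that at the field declaration, for example `// refreshed on <event>; safe to read without getPermissionProvider()`.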

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java Tue Mar 19 11:48:36 2013
@@ -49,10 +49,13 @@ class AccessControlValidatorProvider ext
 
     private static final Logger log = LoggerFactory.getLogger(AccessControlValidatorProvider.class);
 
-    private SecurityProvider securityProvider;
+    private final SecurityProvider securityProvider;
+    private final String workspaceName;
 
-    AccessControlValidatorProvider(SecurityProvider securityProvider) {
+    AccessControlValidatorProvider(@Nonnull SecurityProvider securityProvider,
+                                   @Nonnull String workspaceName) {
         this.securityProvider = securityProvider;
+        this.workspaceName = workspaceName;
     }
 
     //--------------------------------------------------< ValidatorProvider >---
@@ -71,8 +74,8 @@ class AccessControlValidatorProvider ext
         return new AccessControlValidator(rootBefore, rootAfter, privileges, restrictionProvider, ntMgr);
     }
 
-    private static Map<String, Privilege> getPrivileges(NodeState beforeRoot, PrivilegeConfiguration config) {
-        Root root = new ImmutableRoot(beforeRoot);
+    private Map<String, Privilege> getPrivileges(NodeState beforeRoot, PrivilegeConfiguration config) {
+        Root root = new ImmutableRoot(beforeRoot, workspaceName);
         PrivilegeManager pMgr = config.getPrivilegeManager(root, NamePathMapper.DEFAULT);
         ImmutableMap.Builder privileges = ImmutableMap.builder();
         try {

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Tue Mar 19 11:48:36 2013
@@ -68,6 +68,7 @@ class CompiledPermissionImpl implements 
         checkArgument(!principals.isEmpty());
         this.principals = principals;
         this.restrictionProvider = restrictionProvider;
+        this.bitsProvider = bitsProvider;
         this.trees = new HashMap<String, ImmutableTree>(principals.size());
         buildEntries(permissionsTree);
     }
@@ -105,14 +106,22 @@ class CompiledPermissionImpl implements 
     //------------------------------------------------< CompiledPermissions >---
     @Override
     public boolean canRead(Tree tree) {
-        // TODO
-        return isGranted(tree, Permissions.READ_NODE);
+        for (PermissionEntry entry : filterEntries(tree, null)) {
+            if (entry.privilegeBits.includesRead(Permissions.READ_NODE)) {
+                return entry.isAllow;
+            }
+        }
+        return false;
     }
 
     @Override
     public boolean canRead(Tree tree, PropertyState property) {
-        // TODO
-        return isGranted(tree, property, Permissions.READ_PROPERTY);
+        for (PermissionEntry entry : filterEntries(tree, property)) {
+            if (entry.privilegeBits.includesRead(Permissions.READ_PROPERTY)) {
+                return entry.isAllow;
+            }
+        }
+        return false;
     }
 
     @Override
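Review bot: Both `canRead` overloads return the `isAllow` flag of the first entry whose bits include read, so the access decision depends entirely on the order in which `filterEntries` yields entries; that order is defined outside this hunk and is not documented here. A deny entry that sorts after a matching allow entry is never consulted. I would state the contract above the loop, e.g. `// entries are ordered by precedence; the first entry covering read decides, default is deny`, and add a test with an allow and a deny entry for the same tree. The two loops differ only in the property argument and the permission constant and could share a private helper.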

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java Tue Mar 19 11:48:36 2013
@@ -41,7 +41,7 @@ public interface PermissionConstants {
     /**
      * @since OAK 1.0
      */
-    String PERMISSIONS_STORE_PATH = JcrConstants.JCR_SYSTEM + '/' + REP_PERMISSION_STORE;
+    String PERMISSIONS_STORE_PATH = '/' + JcrConstants.JCR_SYSTEM + '/' + REP_PERMISSION_STORE;
 
     String REP_ACCESS_CONTROLLED_PATH = "rep:accessControlledPath";
     String REP_PRIVILEGE_BITS = "rep:privileges";

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java Tue Mar 19 11:48:36 2013
@@ -31,7 +31,6 @@ import org.apache.jackrabbit.oak.commons
 import org.apache.jackrabbit.oak.core.ImmutableRoot;
 import org.apache.jackrabbit.oak.core.ImmutableTree;
 import org.apache.jackrabbit.oak.core.TreeImpl;
-import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
 import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
 import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
@@ -42,6 +41,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
 import org.apache.jackrabbit.oak.spi.state.NodeStateDiff;
+import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
 import org.apache.jackrabbit.oak.util.TreeUtil;
 import org.apache.jackrabbit.util.Text;
 import org.slf4j.Logger;
@@ -49,6 +49,7 @@ import org.slf4j.LoggerFactory;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 import static org.apache.jackrabbit.JcrConstants.JCR_PRIMARYTYPE;
+import static org.apache.jackrabbit.JcrConstants.JCR_SYSTEM;
 import static org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState.EMPTY_NODE;
 
 /**
@@ -77,17 +78,17 @@ public class PermissionHook implements P
     public NodeState processCommit(final NodeState before, NodeState after) throws CommitFailedException {
         NodeBuilder rootAfter = after.builder();
 
-        permissionRoot = getPermissionRoot(rootAfter, workspaceName);
+        permissionRoot = getPermissionRoot(rootAfter);
         ntMgr = ReadOnlyNodeTypeManager.getInstance(before);
-        bitsProvider = new PrivilegeBitsProvider(new ImmutableRoot(before));
+        bitsProvider = new PrivilegeBitsProvider(new ImmutableRoot(before, workspaceName));
 
         after.compareAgainstBaseState(before, new Diff(new BeforeNode(before), new Node(rootAfter)));
         return rootAfter.getNodeState();
     }
 
     @Nonnull
-    private NodeBuilder getPermissionRoot(NodeBuilder rootBuilder, String workspaceName) {
-        NodeBuilder permissionStore = rootBuilder.child(NodeTypeConstants.JCR_SYSTEM).child(REP_PERMISSION_STORE);
+    private NodeBuilder getPermissionRoot(NodeBuilder rootBuilder) {
+        NodeBuilder permissionStore = rootBuilder.child(JCR_SYSTEM).child(REP_PERMISSION_STORE);
         if (permissionStore.getProperty(JCR_PRIMARYTYPE) == null) {
             permissionStore.setProperty(JCR_PRIMARYTYPE, NT_REP_PERMISSION_STORE, Type.NAME);
         }
@@ -157,7 +158,9 @@ public class PermissionHook implements P
 
         @Override
         public void childNodeAdded(String name, NodeState after) {
-            if (isACE(name, after)) {
+            if (NodeStateUtils.isHidden(name)) {
+                // ignore hidden nodes
+            } else if (isACE(name, after)) {
                 addEntry(name, after);
             } else {
                 BeforeNode before = new BeforeNode(parentBefore.getPath(), name, EMPTY_NODE);
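Review bot: The hidden-node guard in `childNodeAdded` is written as an `if` branch whose body is only a comment, and the same shape is repeated in the `childNodeChanged` and `childNodeDeleted` hunks below. An empty branch is easy to misread and easy to break when the chain is edited, and `// ignore hidden nodes` does not say why skipping them is safe for the permission store. If nothing follows the `if`/`else` chain in these methods (their ends are outside the hunks), a guard clause `if (NodeStateUtils.isHidden(name)) { return; }` with a why-comment reads more clearly.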
@@ -168,7 +171,9 @@ public class PermissionHook implements P
 
         @Override
         public void childNodeChanged(String name, final NodeState before, NodeState after) {
-            if (isACE(name, before) || isACE(name, after)) {
+            if (NodeStateUtils.isHidden(name)) {
+                // ignore hidden nodes
+            } else if (isACE(name, before) || isACE(name, after)) {
                 updateEntry(name, before, after);
             } else if (REP_RESTRICTIONS.equals(name)) {
                 updateEntry(parentAfter.getName(), parentBefore.getNodeState(), parentAfter.getNodeState());
@@ -181,7 +186,9 @@ public class PermissionHook implements P
 
         @Override
         public void childNodeDeleted(String name, NodeState before) {
-            if (isACE(name, before)) {
+            if (NodeStateUtils.isHidden(name)) {
+                // ignore hidden nodes
+            } else if (isACE(name, before)) {
                 removeEntry(name, before);
             } else {
                 BeforeNode nodeBefore = new BeforeNode(parentBefore.getPath(), name, before);
@@ -201,12 +208,14 @@ public class PermissionHook implements P
 
         private void addEntry(String name, NodeState ace) {
             PermissionEntry entry = createPermissionEntry(name, ace, parentAfter);
-            entry.writeTo(permissionRoot);
+            if (getExistingPermissionNodeName(entry) == null) {
+                entry.writeTo(permissionRoot);
+            }
         }
 
         private void removeEntry(String name, NodeState ace) {
             PermissionEntry entry = createPermissionEntry(name, ace, parentBefore);
-            String permissionName = getPermissionNodeName(entry);
+            String permissionName = getExistingPermissionNodeName(entry);
             if (permissionName != null) {
                 permissionRoot.child(entry.principalName).removeNode(permissionName);
             }
@@ -218,12 +227,13 @@ public class PermissionHook implements P
         }
 
         @CheckForNull
-        private String getPermissionNodeName(PermissionEntry permissionEntry) {
+        private String getExistingPermissionNodeName(PermissionEntry permissionEntry) {
             if (permissionRoot.hasChildNode(permissionEntry.principalName)) {
                 NodeBuilder principalRoot = permissionRoot.child(permissionEntry.principalName);
                 for (String childName : principalRoot.getChildNodeNames()) {
                     NodeState state = principalRoot.child(childName).getNodeState();
                     if (permissionEntry.isSame(childName, state)) {
+                        log.debug("Found existing permission entry for " + permissionEntry);
                         return childName;
                     }
                 }
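Review bot: The added `log.debug("Found existing permission entry for " + permissionEntry);` builds the message, including `permissionEntry.toString()`, on every match even when debug logging is off. The SLF4J parameterized form `log.debug("Found existing permission entry for {}", permissionEntry);` avoids that. Since `addEntry` now calls this lookup as well, every added or removed entry scans all children of the principal's node, which may become costly when many entries for one principal are written in a single commit.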
@@ -360,22 +370,19 @@ public class PermissionHook implements P
         private boolean isSame(String name, NodeState node) {
             Tree entry = getTree(name, node);
 
-            if (isAllow == (name.charAt(0) == PREFIX_ALLOW)) {
+            if (isAllow != (name.charAt(0) == PREFIX_ALLOW)) {
                 return false;
             }
             if (!privilegeBits.equals(PrivilegeBits.getInstance(node.getProperty(REP_PRIVILEGES)))) {
                 return false;
             }
-            if (!principalName.equals(TreeUtil.getString(entry, REP_PRINCIPAL_NAME))) {
-                return false;
-            }
             if (index != entry.getProperty(REP_INDEX).getValue(Type.LONG)) {
                 return false;
             }
             if (!accessControlledPath.equals(TreeUtil.getString(entry, REP_ACCESS_CONTROLLED_PATH))) {
                 return false;
             }
-            return restrictions.equals(getRestrictions(accessControlledPath, getTree(name, node)));
+            return restrictions.equals(getRestrictions(accessControlledPath, entry));
         }
 
         public String toString() {
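Review bot: `isSame` dereferences `entry.getProperty(REP_INDEX)` without a null check, and since this commit `addEntry` also runs it against every existing child of the principal's node, so a child lacking that property would fail the commit with a NullPointerException. If `index` is declared as `Long` rather than `long` (the declaration is outside the hunk), `!=` also compares references instead of values. A wrong answer here either leaves a stale permission entry behind on removal or skips writing a new one, so a guard such as `PropertyState idx = entry.getProperty(REP_INDEX); if (idx == null || index != idx.getValue(Type.LONG)) return false;` seems worthwhile. With the `principalName` comparison removed, a one-line comment stating that callers must only pass children of that principal's node would help.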

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java Tue Mar 19 11:48:36 2013
@@ -61,7 +61,7 @@ public class PermissionProviderImpl impl
 
     private final Root root;
 
-    private final String workspaceName = "default"; // FIXME: use proper workspace as associated with the root
+    private final String workspaceName;
 
     private final AccessControlConfiguration acConfig;
 
@@ -70,6 +70,7 @@ public class PermissionProviderImpl impl
     public PermissionProviderImpl(@Nonnull Root root, @Nonnull Set<Principal> principals,
                                   @Nonnull SecurityProvider securityProvider) {
         this.root = root;
+        this.workspaceName = checkNotNull(ImmutableRoot.getWorkspaceName(root));
         acConfig = securityProvider.getAccessControlConfiguration();
         if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) {
             compiledPermissions = AllPermissions.getInstance();
@@ -192,9 +193,8 @@ public class PermissionProviderImpl impl
 
     @CheckForNull
     private ImmutableTree getPermissionsRoot() {
-        String relativePath = PERMISSIONS_STORE_PATH + '/' + workspaceName;
-        ImmutableTree rootTree = checkNotNull(getImmutableRoot().getTree("/"));
-        Tree tree = rootTree.getLocation().getChild(relativePath).getTree();
+        String path = PERMISSIONS_STORE_PATH + '/' + workspaceName;
+        Tree tree = getImmutableRoot().getLocation(path).getTree();
         return (tree == null) ? null : (ImmutableTree) tree;
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreValidatorProvider.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreValidatorProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreValidatorProvider.java Tue Mar 19 11:48:36 2013
@@ -24,6 +24,8 @@ import org.apache.jackrabbit.oak.spi.com
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
 
+import static org.apache.jackrabbit.JcrConstants.JCR_SYSTEM;
+
 /**
  * Validator implementation that asserts that the permission store is read-only.
  */
@@ -32,9 +34,7 @@ public class PermissionStoreValidatorPro
     @Nonnull
     @Override
     public Validator getRootValidator(NodeState before, NodeState after) {
-        FailingValidator validator =
-                new FailingValidator("Attempt to modify permission store.");
-        return new SubtreeValidator(validator, PERMISSIONS_STORE_PATH);
+        FailingValidator validator = new FailingValidator("Attempt to modify permission store.");
+        return new SubtreeValidator(validator, JCR_SYSTEM, REP_PERMISSION_STORE);
     }
-
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java Tue Mar 19 11:48:36 2013
@@ -82,7 +82,7 @@ public class PermissionValidatorProvider
         if (subject == null || subject.getPublicCredentials(PermissionProvider.class).isEmpty()) {
             Set<Principal> principals = (subject != null) ? subject.getPrincipals() : Collections.<Principal>emptySet();
             AccessControlConfiguration acConfig = securityProvider.getAccessControlConfiguration();
-            return acConfig.getPermissionProvider(new ImmutableRoot(createTree(before)), principals);
+            return acConfig.getPermissionProvider(new ImmutableRoot(createTree(before), workspaceName), principals);
         } else {
             return subject.getPublicCredentials(PermissionProvider.class).iterator().next();
         }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConfigurationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConfigurationImpl.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConfigurationImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConfigurationImpl.java Tue Mar 19 11:48:36 2013
@@ -59,7 +59,7 @@ public class PrivilegeConfigurationImpl 
     @Nonnull
     @Override
     public List<? extends ValidatorProvider> getValidators(String workspaceName) {
-        return Collections.singletonList(new PrivilegeValidatorProvider());
+        return Collections.singletonList(new PrivilegeValidatorProvider(workspaceName));
     }
 
     @Nonnull

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java Tue Mar 19 11:48:36 2013
@@ -26,7 +26,6 @@ import org.apache.jackrabbit.oak.api.Com
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
-import org.apache.jackrabbit.oak.core.ImmutableRoot;
 import org.apache.jackrabbit.oak.core.ImmutableTree;
 import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
 import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
@@ -46,9 +45,9 @@ class PrivilegeValidator extends Default
     private final Root rootAfter;
     private final PrivilegeBitsProvider bitsProvider;
 
-    PrivilegeValidator(NodeState before, NodeState after) {
-        rootBefore = new ImmutableRoot(before);
-        rootAfter = new ImmutableRoot(after);
+    PrivilegeValidator(Root before, Root after) {
+        rootBefore = before;
+        rootAfter = after;
         bitsProvider = new PrivilegeBitsProvider(rootBefore);
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorProvider.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorProvider.java Tue Mar 19 11:48:36 2013
@@ -18,6 +18,8 @@ package org.apache.jackrabbit.oak.securi
 
 import javax.annotation.Nonnull;
 
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.core.ImmutableRoot;
 import org.apache.jackrabbit.oak.spi.commit.SubtreeValidator;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
@@ -33,9 +35,20 @@ import static org.apache.jackrabbit.oak.
  */
 class PrivilegeValidatorProvider extends ValidatorProvider {
 
+    private final String workspaceName;
+
+    PrivilegeValidatorProvider(String workspaceName) {
+        this.workspaceName = workspaceName;
+    }
+
     @Nonnull
     @Override
     public Validator getRootValidator(NodeState before, NodeState after) {
-        return new SubtreeValidator(new PrivilegeValidator(before, after), JCR_SYSTEM, REP_PRIVILEGES);
+        return new SubtreeValidator(new PrivilegeValidator(createRoot(before), createRoot(after)),
+                JCR_SYSTEM, REP_PRIVILEGES);
+    }
+
+    private Root createRoot(NodeState nodeState) {
+        return new ImmutableRoot(nodeState, workspaceName);
     }
 }
\ No newline at end of file
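Review bot: The new constructor stores `workspaceName` with no nullness annotation or check, so a null passed through `PrivilegeConfigurationImpl.getValidators(String workspaceName)` would only surface later, when `createRoot` hands it to `ImmutableRoot` during commit validation. The file already imports `javax.annotation.Nonnull`, so the signature could read `PrivilegeValidatorProvider(@Nonnull String workspaceName)`. A one-line comment on the field, such as `// workspace name passed to the ImmutableRoot instances built for validation`, would also help. What `ImmutableRoot` does with a null name is not visible in this diff, so the impact is unconfirmed.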

Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java Tue Mar 19 11:48:36 2013
@@ -230,7 +230,7 @@ public abstract class SessionContext imp
         return observationManager != null && observationManager.hasEvents();
     }
 
-    //------------------------------------------------------------< NamePathMapper >---
+    //-----------------------------------------------------< NamePathMapper >---
 
     @Override
     @Nonnull
@@ -332,4 +332,10 @@ public abstract class SessionContext imp
             observationManager.dispose();
         }
     }
+
+    void refresh() {
+        if (permissionProvider != null) {
+            permissionProvider.refresh();
+        }
+    }
 }
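Review bot: `refresh()` at the end of `SessionContext` has no Javadoc, and its generic name hides that it only refreshes the cached `permissionProvider` and does nothing while that field is still null. This call is what keeps permission evaluation in step with the session after `save()` and `refresh()`, so I would add `/** Refreshes the cached permission provider, if one has been created; called after the session is saved or refreshed. */`. The class body starts outside the hunk, so how `permissionProvider` is initialised is not visible here.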

Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java?rev=1458234&r1=1458233&r2=1458234&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java Tue Mar 19 11:48:36 2013
@@ -318,12 +318,14 @@ public class SessionImpl extends Abstrac
     public void save() throws RepositoryException {
         ensureIsAlive();
         dlg.save();
+        sessionContext.refresh();
     }
 
     @Override
     public void refresh(boolean keepChanges) throws RepositoryException {
         ensureIsAlive();
         dlg.refresh(keepChanges);
+        sessionContext.refresh();
     }
 
     @Override
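Review bot: In both `save()` and `refresh(boolean keepChanges)` the added `sessionContext.refresh()` is skipped when the preceding `dlg.save()` or `dlg.refresh(keepChanges)` throws, so after a failed call the permission provider keeps whatever state it last loaded. If the delegate can move to a newer revision before failing (not visible here), wrap the call as `try { dlg.save(); } finally { sessionContext.refresh(); }` and do the same in `refresh`. If keeping the old permission state on failure is intended, a short comment saying so would help. Any other path that updates the session's state without going through these two methods would need the same call, which cannot be checked from this hunk.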