Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/07/09 15:15:18 UTC
svn commit: r1690094 - in /jackrabbit/oak/trunk:
oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/
oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/
oak-c...
Author: angela
Date: Thu Jul 9 13:15:18 2015
New Revision: 1690094
URL: http://svn.apache.org/r1690094
Log:
OAK-2008 : authorization setup for closed user groups
OAK-1268 Add support for composite authorization setup (WIP)
Added:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/package-info.java
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java Thu Jul 9 13:15:18 2015
@@ -130,7 +130,7 @@ public class CugConfiguration extends Co
if (!enabled || supportedPaths.isEmpty() || getExclude().isExcluded(principals)) {
return EmptyPermissionProvider.getInstance();
} else {
- return new CugPermissionProvider(root, principals, supportedPaths, getContext());
+ return new CugPermissionProvider(root, principals, supportedPaths, getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getContext());
}
}
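Review bot: The added `return` line makes CugPermissionProvider's notion of access-control content depend on whichever AuthorizationConfiguration the security provider currently returns, and nothing in the hunk records that dependency. If that configuration is not a composite that aggregates the CUG context, `rep:cugPolicy` nodes would presumably be evaluated as ordinary content rather than as access-control content. A comment above the `return` such as `// use the context of the complete authorization setup, not only CugContext` would make the requirement explicit. The same lookup is added in AuthorizationConfigurationImpl.getPermissionProvider and deserves the same comment. The enclosing method starts outside the hunk.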
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java Thu Jul 9 13:15:18 2015
@@ -232,12 +232,10 @@ class CugPermissionProvider implements P
}
private boolean isAcContent(@Nonnull Tree tree, boolean testForCtxRoot) {
- // FIXME: this should also take other ac-configurations into considerations
return (testForCtxRoot) ? ctx.definesContextRoot(tree) : ctx.definesTree(tree);
}
private boolean isAcContent(@Nonnull TreeLocation location) {
- // FIXME: this should also take other ac-configurations into considerations
return ctx.definesLocation(location);
}
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java Thu Jul 9 13:15:18 2015
@@ -17,10 +17,7 @@
package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
import java.security.Principal;
-import java.util.Iterator;
-import java.util.Set;
import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
@@ -29,9 +26,9 @@ import javax.jcr.security.AccessControlP
import com.google.common.collect.ImmutableMap;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
import org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
-import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
@@ -79,7 +76,15 @@ public class AbstractCugTest extends Abs
@Override
protected SecurityProvider getSecurityProvider() {
if (securityProvider == null) {
- securityProvider = new CugSecurityProvider(super.getSecurityProvider());
+ securityProvider = new CugSecurityProvider(getSecurityConfigParameters());
+ AuthorizationConfiguration authorizationConfiguration = securityProvider.getConfiguration(AuthorizationConfiguration.class);
+ if (!(authorizationConfiguration instanceof CompositeAuthorizationConfiguration)) {
+ CompositeAuthorizationConfiguration composite = new CompositeAuthorizationConfiguration(securityProvider);
+ composite.setDefaultConfig(authorizationConfiguration);
+ composite.addConfiguration(new CugConfiguration(securityProvider));
+ composite.addConfiguration(authorizationConfiguration);
+ ((CugSecurityProvider) securityProvider).bindAuthorizationConfiguration(composite);
+ }
}
return securityProvider;
}
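Review bot: When the provider already returns a CompositeAuthorizationConfiguration, the `if` block is skipped and no CugConfiguration is registered, so the CUG tests would run against whatever that composite happens to contain. Whether that can occur depends on SecurityProviderImpl's default, which is not visible here. An `else` branch that fails fast, e.g. `throw new IllegalStateException("authorization configuration is already a composite");`, would keep the tests from passing without CUG evaluation. Holding the new provider in a local of type `CugSecurityProvider` would also remove the cast on the `bindAuthorizationConfiguration` call.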
@@ -105,55 +110,14 @@ public class AbstractCugTest extends Abs
throw new IllegalStateException("Unable to create CUG at " + absPath);
}
- final class CugSecurityProvider implements SecurityProvider {
-
- private final SecurityProvider base;
-
- private final CugConfiguration cugConfiguration;
-
- private CugSecurityProvider(@Nonnull SecurityProvider base) {
- this.base = base;
- cugConfiguration = new CugConfiguration(this);
- }
-
- @Nonnull
- @Override
- public ConfigurationParameters getParameters(@Nullable String name) {
- return base.getParameters(name);
- }
-
- @Nonnull
- @Override
- public Iterable<? extends SecurityConfiguration> getConfigurations() {
- Set<SecurityConfiguration> configs = (Set<SecurityConfiguration>) base.getConfigurations();
-
- CompositeAuthorizationConfiguration composite = new CompositeAuthorizationConfiguration(this);
- Iterator<SecurityConfiguration> it = configs.iterator();
- while (it.hasNext()) {
- SecurityConfiguration sc = it.next();
- if (sc instanceof AuthorizationConfiguration) {
- composite.addConfiguration((AuthorizationConfiguration) sc);
- it.remove();
- }
- }
- composite.addConfiguration(cugConfiguration);
- configs.add(composite);
-
- return configs;
+ final class CugSecurityProvider extends SecurityProviderImpl {
+ public CugSecurityProvider(@Nonnull ConfigurationParameters configuration) {
+ super(configuration);
}
- @Nonnull
@Override
- public <T> T getConfiguration(@Nonnull Class<T> configClass) {
- T c = base.getConfiguration(configClass);
- if (AuthorizationConfiguration.class == configClass) {
- CompositeAuthorizationConfiguration composite = new CompositeAuthorizationConfiguration(this);
- composite.addConfiguration(cugConfiguration);
- composite.addConfiguration((AuthorizationConfiguration) c);
- return (T) composite;
- } else {
- return c;
- }
+ protected void bindAuthorizationConfiguration(@Nonnull AuthorizationConfiguration reference) {
+ super.bindAuthorizationConfiguration(reference);
}
}
}
\ No newline at end of file
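Review bot: The `bindAuthorizationConfiguration` override in CugSecurityProvider only delegates to `super`, and its purpose is not stated. It looks like it exists so that the enclosing test class, which lives in a different package than SecurityProviderImpl, can call the protected method. A comment such as `// overridden only to make the protected bind method callable from AbstractCugTest` would keep it from being removed as dead code.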
Added: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java?rev=1690094&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java (added)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java Thu Jul 9 13:15:18 2015
@@ -0,0 +1,159 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
+
+import java.util.List;
+import javax.jcr.AccessDeniedException;
+import javax.jcr.security.AccessControlList;
+import javax.jcr.security.AccessControlManager;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class CugContextTest extends AbstractCugTest implements NodeTypeConstants {
+
+ private static String CUG_PATH = "/content/a/rep:cugPolicy";
+ private static List<String> NO_CUG_PATH = ImmutableList.of(
+ "/content",
+ "/content/a",
+ "/content/rep:policy",
+ "/content/rep:cugPolicy",
+ "/content/a/rep:cugPolicy/rep:principalNames",
+ UNSUPPORTED_PATH + "/rep:cugPolicy"
+ );
+
+ @Before
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ // add more child nodes
+ NodeUtil n = new NodeUtil(root.getTree(SUPPORTED_PATH));
+ n.addChild("a", NT_OAK_UNSTRUCTURED).addChild("b", NT_OAK_UNSTRUCTURED).addChild("c", NT_OAK_UNSTRUCTURED);
+ n.addChild("aa", NT_OAK_UNSTRUCTURED).addChild("bb", NT_OAK_UNSTRUCTURED).addChild("cc", NT_OAK_UNSTRUCTURED);
+
+ // create cugs
+ createCug("/content/a", getTestUser().getPrincipal());
+
+ // setup regular acl at /content
+ AccessControlManager acMgr = getAccessControlManager(root);
+ AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/content");
+ acl.addAccessControlEntry(getTestUser().getPrincipal(), privilegesFromNames(PrivilegeConstants.JCR_READ));
+ acMgr.setPolicy("/content", acl);
+
+ root.commit();
+ }
+
+ @Override
+ public void after() throws Exception {
+ try {
+ root.refresh();
+ } finally {
+ super.after();
+ }
+ }
+
+ @Test
+ public void testDefinesContextRoot() {
+ assertTrue(CugContext.INSTANCE.definesContextRoot(root.getTree(CUG_PATH)));
+
+ for (String path : NO_CUG_PATH) {
+ assertFalse(path, CugContext.INSTANCE.definesContextRoot(root.getTree(path)));
+ }
+ }
+
+ @Test
+ public void testDefinesTree() {
+ assertTrue(CugContext.INSTANCE.definesTree(root.getTree(CUG_PATH)));
+
+ for (String path : NO_CUG_PATH) {
+ assertFalse(path, CugContext.INSTANCE.definesTree(root.getTree(path)));
+ }
+ }
+
+ @Test
+ public void testDefinesProperty() {
+ Tree cugTree = root.getTree(CUG_PATH);
+ PropertyState repPrincipalNames = cugTree.getProperty(CugConstants.REP_PRINCIPAL_NAMES);
+ assertTrue(CugContext.INSTANCE.definesProperty(cugTree, repPrincipalNames));
+ assertFalse(CugContext.INSTANCE.definesProperty(cugTree, cugTree.getProperty(JcrConstants.JCR_PRIMARYTYPE)));
+
+ for (String path : NO_CUG_PATH) {
+ assertFalse(path, CugContext.INSTANCE.definesProperty(root.getTree(path), repPrincipalNames));
+ }
+ }
+
+ @Test
+ public void testDefinesLocation() throws AccessDeniedException {
+ assertTrue(CugContext.INSTANCE.definesLocation(TreeLocation.create(root, CUG_PATH)));
+ assertTrue(CugContext.INSTANCE.definesLocation(TreeLocation.create(root, CUG_PATH + "/" + CugConstants.REP_PRINCIPAL_NAMES)));
+
+ List<String> existingNoCug = ImmutableList.of(
+ "/content",
+ "/content/a",
+ "/content/rep:policy"
+ );
+ for (String path : existingNoCug) {
+ assertFalse(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path)));
+ assertFalse(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path + "/" + CugConstants.REP_PRINCIPAL_NAMES)));
+ }
+
+ List<String> nonExistingCug = ImmutableList.of(
+ "/content/rep:cugPolicy",
+ UNSUPPORTED_PATH + "/rep:cugPolicy");
+ for (String path : nonExistingCug) {
+ assertTrue(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path)));
+ assertTrue(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path + "/" + CugConstants.REP_PRINCIPAL_NAMES)));
+ }
+ }
+
+ @Test
+ public void testInvalidCug() throws Exception {
+ PropertyState ps = PropertyStates.createProperty(CugConstants.REP_PRINCIPAL_NAMES, ImmutableSet.of(getTestUser().getPrincipal().getName()), Type.STRINGS);
+
+ // cug at unsupported path -> context doesn't take supported paths into account.
+ Tree invalidCug = new NodeUtil(root.getTree(UNSUPPORTED_PATH)).addChild(CugConstants.REP_CUG_POLICY, CugConstants.NT_REP_CUG_POLICY).getTree();
+ invalidCug.setProperty(ps);
+
+ assertTrue(CugContext.INSTANCE.definesContextRoot(invalidCug));
+ assertTrue(CugContext.INSTANCE.definesTree(invalidCug));
+ assertTrue(CugContext.INSTANCE.definesProperty(invalidCug, invalidCug.getProperty(CugConstants.REP_PRINCIPAL_NAMES)));
+
+ // 'cug' with wrong node type -> detected as no-cug by context
+ invalidCug = new NodeUtil(root.getTree(UNSUPPORTED_PATH)).addChild(CugConstants.REP_CUG_POLICY, NT_OAK_UNSTRUCTURED).getTree();
+ invalidCug.setProperty(ps);
+
+ assertFalse(CugContext.INSTANCE.definesContextRoot(invalidCug));
+ assertFalse(CugContext.INSTANCE.definesTree(invalidCug));
+ assertFalse(CugContext.INSTANCE.definesProperty(invalidCug, invalidCug.getProperty(CugConstants.REP_PRINCIPAL_NAMES)));
+ }
+}
\ No newline at end of file
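Review bot: `CUG_PATH` and `NO_CUG_PATH` are declared `private static` without `final`, so the fixtures every test relies on are reassignable; `private static final String CUG_PATH` and `private static final List<String> NO_CUG_PATH` state the intent. `after()` carries only `@Override` while `before()` repeats `@Before`; adding `@After` keeps the pair symmetrical. In `testInvalidCug` the second `addChild` reuses the name `rep:cugPolicy` under the same parent, which presumably retypes the node created a few lines earlier, and a short comment would make that explicit.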
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java Thu Jul 9 13:15:18 2015
@@ -155,13 +155,11 @@ public class CugEvaluationTest extends A
Root r = cs.getLatestRoot();
assertTrue(r.getTree("/content/rep:policy").exists());
- assertFalse(r.getTree("/content2/rep:cugPolicy").exists());
} finally {
cs.close();
}
}
- @Ignore("FIXME: cugpolicy not detected as ac-content") // FIXME
@Test
public void testReadCug() throws Exception {
List<String> noAccess = ImmutableList.of(
@@ -236,7 +234,6 @@ public class CugEvaluationTest extends A
}
}
- @Ignore("FIXME: cugpolicy not detected as ac-content") // FIXME
@Test
public void testWriteCug() throws Exception {
ContentSession cs = login(new SimpleCredentials(TEST_USER2_ID, TEST_USER2_ID.toCharArray()));
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java Thu Jul 9 13:15:18 2015
@@ -341,10 +341,9 @@ public class CugPermissionProviderTest e
TreePermission falseCugTp = cugPermProvider.getTreePermission(root.getTree("/content/aa/rep:cugPolicy"), aaTp2);
assertNotSame(TreePermission.EMPTY, falseCugTp);
- // ac content
+ // cug content
TreePermission cugTp = cugPermProvider.getTreePermission(root.getTree("/content/a/rep:cugPolicy"), aTp);
assertSame(TreePermission.EMPTY, cugTp);
- // TODO: for regular acl-node
// paths that may not contain cugs anyway
assertSame(TreePermission.EMPTY, cugPermProvider.getTreePermission(root.getTree("/jcr:system"), rootTp));
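Review bot: The `// TODO: for regular acl-node` line is removed, but no assertion for a regular `rep:policy` node appears in its place within this hunk. Since the CUG permission provider now receives the context of the whole authorization setup, an assertion pinning what `getTreePermission` returns for such a node would document the intended behaviour. If that case is covered elsewhere in the test, a comment pointing to it is enough. The test method starts and ends outside the hunk.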
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java Thu Jul 9 13:15:18 2015
@@ -227,6 +227,18 @@ public class SecurityProviderImpl implem
tokenConfiguration.removeConfiguration(reference);
}
+ @SuppressWarnings("UnusedDeclaration")
+ protected void bindAuthorizationConfiguration(@Nonnull AuthorizationConfiguration reference) {
+ authorizationConfiguration = initConfiguration(reference);
+ // TODO (OAK-1268): authorizationConfiguration.addConfiguration(initConfiguration(reference));
+ }
+
+ @SuppressWarnings("UnusedDeclaration")
+ protected void unbindAuthorizationConfiguration(@Nonnull AuthorizationConfiguration reference) {
+ authorizationConfiguration = new AuthorizationConfigurationImpl(this);
+ // TODO (OAK-1268): authorizationConfiguration.removeConfiguration(reference);
+ }
+
//------------------------------------------------------------< private >---
private void initializeConfigurations() {
initConfiguration(authorizationConfiguration, ConfigurationParameters.of(
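Review bot: `unbindAuthorizationConfiguration` ignores its `reference` argument and unconditionally replaces the field with a fresh `AuthorizationConfigurationImpl`, so unbinding any configuration discards the one currently bound. The replacement is also not passed through `initConfiguration`, unlike the instance set up in `initializeConfigurations` below, so it may lack the configured parameters. For an authorization component this means the repository can fall back to the default setup without any signal. Until the OAK-1268 TODO is resolved, consider something like `authorizationConfiguration = initConfiguration(new AuthorizationConfigurationImpl(this));` plus a log statement on the swap. Whether the field can safely be reassigned while permissions are being evaluated is not visible in this hunk.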
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java Thu Jul 9 13:15:18 2015
@@ -181,7 +181,7 @@ public class AuthorizationConfigurationI
@Nonnull
@Override
public PermissionProvider getPermissionProvider(@Nonnull Root root, @Nonnull String workspaceName, @Nonnull Set<Principal> principals) {
- return new PermissionProviderImpl(root, workspaceName, principals, this);
+ Context ctx = getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getContext();
+ return new PermissionProviderImpl(root, workspaceName, principals, getRestrictionProvider(), getParameters(), ctx);
}
-
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Thu Jul 9 13:15:18 2015
@@ -42,7 +42,7 @@ import org.apache.jackrabbit.oak.plugins
import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree;
import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
-import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
@@ -87,12 +87,14 @@ final class CompiledPermissionImpl imple
private CompiledPermissionImpl(@Nonnull Set<Principal> principals,
@Nonnull Root root, @Nonnull String workspaceName,
@Nonnull RestrictionProvider restrictionProvider,
- @Nonnull AuthorizationConfiguration acConfig) {
+ @Nonnull ConfigurationParameters options,
+ @Nonnull Context ctx) {
this.root = root;
this.workspaceName = workspaceName;
bitsProvider = new PrivilegeBitsProvider(root);
- Set<String> readPaths = acConfig.getParameters().getConfigValue(PARAM_READ_PATHS, DEFAULT_READ_PATHS);
+
+ Set<String> readPaths = options.getConfigValue(PARAM_READ_PATHS, DEFAULT_READ_PATHS);
readPolicy = (readPaths.isEmpty()) ? EmptyReadPolicy.INSTANCE : new DefaultReadPolicy(readPaths);
// setup
@@ -107,22 +109,23 @@ final class CompiledPermissionImpl imple
}
}
- ConfigurationParameters options = acConfig.getParameters();
PermissionEntryCache cache = new PermissionEntryCache();
userStore = new PermissionEntryProviderImpl(store, cache, userNames, options);
groupStore = new PermissionEntryProviderImpl(store, cache, groupNames, options);
- typeProvider = new TreeTypeProvider(acConfig.getContext());
+ typeProvider = new TreeTypeProvider(ctx);
}
static CompiledPermissions create(@Nonnull Root root, @Nonnull String workspaceName,
@Nonnull Set<Principal> principals,
- @Nonnull AuthorizationConfiguration acConfig) {
+ @Nonnull RestrictionProvider restrictionProvider,
+ @Nonnull ConfigurationParameters options,
+ @Nonnull Context ctx) {
Tree permissionsTree = PermissionUtil.getPermissionsRoot(root, workspaceName);
if (!permissionsTree.exists() || principals.isEmpty()) {
return NoPermissions.getInstance();
} else {
- return new CompiledPermissionImpl(principals, root, workspaceName, acConfig.getRestrictionProvider(), acConfig);
+ return new CompiledPermissionImpl(principals, root, workspaceName, restrictionProvider, options, ctx);
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java Thu Jul 9 13:15:18 2015
@@ -28,7 +28,8 @@ import org.apache.jackrabbit.oak.api.Tre
import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
-import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
@@ -36,6 +37,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
public class PermissionProviderImpl implements PermissionProvider, AccessControlConstants, PermissionConstants, AggregatedPermissionProvider {
@@ -44,24 +46,27 @@ public class PermissionProviderImpl impl
private final String workspaceName;
- private final AuthorizationConfiguration acConfig;
+ private final Context ctx;
private final CompiledPermissions compiledPermissions;
private Root immutableRoot;
- public PermissionProviderImpl(@Nonnull Root root, @Nonnull String workspaceName, @Nonnull Set<Principal> principals,
- @Nonnull AuthorizationConfiguration acConfig) {
+ public PermissionProviderImpl(@Nonnull Root root, @Nonnull String workspaceName,
+ @Nonnull Set<Principal> principals,
+ @Nonnull RestrictionProvider restrictionProvider,
+ @Nonnull ConfigurationParameters options,
+ @Nonnull Context ctx) {
this.root = root;
this.workspaceName = workspaceName;
- this.acConfig = acConfig;
+ this.ctx = ctx;
immutableRoot = RootFactory.createReadOnlyRoot(root);
- if (PermissionUtil.isAdminOrSystem(principals, acConfig.getParameters())) {
+ if (PermissionUtil.isAdminOrSystem(principals, options)) {
compiledPermissions = AllPermissions.getInstance();
} else {
- compiledPermissions = CompiledPermissionImpl.create(immutableRoot, workspaceName, principals, acConfig);
+ compiledPermissions = CompiledPermissionImpl.create(immutableRoot, workspaceName, principals, restrictionProvider, options, ctx);
}
}
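Review bot: The public constructor of PermissionProviderImpl changes its parameter list incompatibly, and the three new arguments are undocumented even though `ctx` now decides what `isGranted` treats as access-control content. Any caller outside this commit that still passes an AuthorizationConfiguration will stop compiling. A caller that passes a context narrower than the aggregated one would presumably classify policy nodes of other authorization modules as regular content. A Javadoc block on the constructor should state that `ctx` must be the context of the complete authorization setup and that `restrictionProvider` and `options` must come from the same configuration.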
@@ -102,7 +107,7 @@ public class PermissionProviderImpl impl
@Override
public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) {
TreeLocation location = TreeLocation.create(immutableRoot, oakPath);
- boolean isAcContent = acConfig.getContext().definesLocation(location);
+ boolean isAcContent = ctx.definesLocation(location);
long permissions = Permissions.getPermissions(jcrActions, location, isAcContent);
boolean isGranted = false;
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/package-info.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/package-info.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/package-info.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/package-info.java Thu Jul 9 13:15:18 2015
@@ -20,7 +20,7 @@
*
* See <a href="README.md">README.md</a> for more details.
*/
-@Version("1.0")
+@Version("1.0.1")
@Export(optional = "provide:=true")
package org.apache.jackrabbit.oak.security;