Posted to commits@jackrabbit.apache.org by an...@apache.org on 2008/04/03 10:15:04 UTC
svn commit: r644215 [2/3] - in /jackrabbit/trunk/jackrabbit-core/src:
main/java/org/apache/jackrabbit/core/security/
main/java/org/apache/jackrabbit/core/security/authorization/
main/java/org/apache/jackrabbit/core/security/authorization/acl/ main/java...
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java Thu Apr 3 01:15:01 2008
@@ -16,19 +16,19 @@
*/
package org.apache.jackrabbit.core.security.authorization.combined;
-import org.apache.jackrabbit.core.NodeId;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SessionImpl;
-import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.PolicyTemplate;
-import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
+import org.apache.jackrabbit.core.security.authorization.PolicyEntry;
import org.apache.jackrabbit.core.security.authorization.acl.ACLEditor;
import org.apache.jackrabbit.core.security.jsr283.security.AccessControlException;
import org.apache.jackrabbit.core.security.jsr283.security.Privilege;
-import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.apache.jackrabbit.core.security.principal.ItemBasedPrincipal;
+import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.Path;
import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
@@ -36,11 +36,12 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.jcr.ItemNotFoundException;
import javax.jcr.NodeIterator;
+import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
+import javax.jcr.PathNotFoundException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
@@ -50,108 +51,97 @@
*/
class CombinedEditor extends ACLEditor {
- // TODO: must make sure, that store paths/globs do not contain remapped prefixes from the session
-
private static Logger log = LoggerFactory.getLogger(CombinedEditor.class);
- private final SessionImpl session;
private final NamePathResolver systemResolver;
- private final Path acRootPath;
+ private final String acRootPath;
CombinedEditor(SessionImpl session, NamePathResolver systemResolver,
Path acRootPath) throws RepositoryException {
super(session);
- this.session = session;
this.systemResolver = systemResolver;
- this.acRootPath = acRootPath;
+ this.acRootPath = session.getJCRPath(acRootPath);
}
- PolicyTemplateImpl editPolicyTemplate(Principal principal) throws RepositoryException {
+ PolicyTemplate getPolicyTemplate(Principal principal) throws RepositoryException {
if (!session.getPrincipalManager().hasPrincipal(principal.getName())) {
throw new AccessControlException("Unknown principal.");
}
- NodeId nid = getAcId(principal);
- if (nid == null) {
- nid = createAcNode(principal).getNodeId();
- }
- PolicyTemplate pt = getPolicyTemplate(nid);
- if (pt instanceof PolicyTemplateImpl) {
- return (PolicyTemplateImpl) pt;
+ String nPath = getPathToAcNode(principal);
+ if (session.nodeExists(nPath)) {
+ return getPolicyTemplate(nPath);
} else {
- // should never get here.
- throw new AccessControlException();
- }
- }
-
- PolicyTemplateImpl getPolicyTemplate(Principal principal) throws RepositoryException {
- if (!session.getPrincipalManager().hasPrincipal(principal.getName())) {
- throw new AccessControlException("Unknown principal.");
- }
-
- NodeId nid = getAcId(principal);
- if (nid != null) {
- PolicyTemplate pt = getPolicyTemplate(nid);
- if (pt instanceof PolicyTemplateImpl) {
- return (PolicyTemplateImpl) pt;
- }
+ // no policy for the given principal
+ log.debug("No combined policy template for Principal " + principal.getName());
+ return null;
}
-
- // no policy for the given principal
- log.debug("No combined policy template for Principal " + principal.getName());
- return null;
}
//------------------------------------------------< AccessControlEditor >---
/**
- * @see AccessControlEditor#getPolicyTemplate(NodeId)
+ * @see AccessControlEditor#getPolicyTemplate(String)
*/
- public PolicyTemplate getPolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException {
- checkProtectsNode(id);
+ public PolicyTemplate getPolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
+ checkProtectsNode(nodePath);
- NodeImpl acNode = getAcNode(id);
+ NodeImpl acNode = getAcNode(nodePath);
if (acNode != null) {
- if (isAccessControlled(acNode)) {
- return buildTemplate(acNode);
- } else {
- log.debug("No local policy defined for Node " + id);
- return null;
- }
+ return createTemplate(acNode);
} else {
// nodeID not below rep:accesscontrol -> delegate to ACLEditor
- return super.getPolicyTemplate(id);
+ return super.getPolicyTemplate(nodePath);
}
}
/**
- * @see AccessControlEditor#editPolicyTemplate(NodeId)
+ * @see AccessControlEditor#editPolicyTemplate(String)
*/
- public PolicyTemplate editPolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException {
- checkProtectsNode(id);
+ public PolicyTemplate editPolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
+ checkProtectsNode(nodePath);
- NodeImpl acNode = getAcNode(id);
- if (acNode != null) {
- return buildTemplate(acNode);
+ if (Text.isDescendant(acRootPath, nodePath)) {
+ NodeImpl acNode = getAcNode(nodePath);
+ if (acNode == null) {
+ // check validity and create the ac node
+ getPrincipal(nodePath);
+ acNode = createAcNode(nodePath);
+ }
+ return createTemplate(acNode);
} else {
// nodeID not below rep:accesscontrol -> delegate to ACLEditor
- return super.editPolicyTemplate(id);
+ return super.editPolicyTemplate(nodePath);
+ }
+ }
+
+ /**
+ * @see AccessControlEditor#editPolicyTemplate(Principal)
+ */
+ public PolicyTemplate editPolicyTemplate(Principal principal) throws RepositoryException {
+ if (!session.getPrincipalManager().hasPrincipal(principal.getName())) {
+ throw new AccessControlException("Unknown principal.");
}
+ String nPath = getPathToAcNode(principal);
+ if (!session.nodeExists(nPath)) {
+ createAcNode(nPath);
+ }
+ return getPolicyTemplate(nPath);
}
/**
- * @see AccessControlEditor#setPolicyTemplate(NodeId, PolicyTemplate)
+ * @see AccessControlEditor#setPolicyTemplate(String,PolicyTemplate)
*/
- public void setPolicyTemplate(NodeId id, PolicyTemplate template) throws AccessControlException, ItemNotFoundException, RepositoryException {
- checkProtectsNode(id);
+ public void setPolicyTemplate(String nodePath, PolicyTemplate template) throws AccessControlException, PathNotFoundException, RepositoryException {
+ checkProtectsNode(nodePath);
if (template instanceof PolicyTemplateImpl) {
PolicyTemplateImpl at = (PolicyTemplateImpl) template;
- if (!id.equals(at.getNodeId())) {
+ if (!nodePath.equals(at.getPath())) {
throw new AccessControlException("Attempt to store PolicyTemplate to a wrong node.");
}
- NodeImpl acNode = getAcNode(id);
+ NodeImpl acNode = getAcNode(nodePath);
if (acNode == null) {
- throw new ItemNotFoundException("No such node " + id);
+ throw new PathNotFoundException("No such node " + nodePath);
}
/*
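Review bot: The `acNode == null` branch in `editPolicyTemplate(String nodePath)` looks unreachable. Inside the `Text.isDescendant(acRootPath, nodePath)` branch, `getAcNode(nodePath)` (defined in a later hunk) returns `session.getNode(nodePath)`, which presumably throws `PathNotFoundException` for a missing node; it returns null only for paths outside the ac root. A path-based edit for a principal that has no ac node yet would then fail instead of creating the node, unlike `editPolicyTemplate(Principal)`, which tests `session.nodeExists(nPath)` first. Consider `NodeImpl acNode = session.nodeExists(nodePath) ? getAcNode(nodePath) : null;` ahead of the null check. `setPolicyTemplate` continues past the end of this hunk.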
@@ -169,9 +159,9 @@
aclNode = addSecurityNode(acNode, N_POLICY, NT_REP_ACL);
/* add all entries defined on the template */
- PolicyEntryImpl[] aces = (PolicyEntryImpl[]) template.getEntries();
+ PolicyEntry[] aces = (PolicyEntry[]) template.getEntries();
for (int i = 0; i < aces.length; i++) {
- PolicyEntryImpl ace = aces[i];
+ PolicyEntryImpl ace = (PolicyEntryImpl) aces[i];
// create the ACE node
Name nodeName = getUniqueNodeName(aclNode, "entry");
@@ -185,69 +175,66 @@
Privilege[] privs = ace.getPrivileges();
Value[] vs = new Value[privs.length];
for (int j = 0; j < privs.length; j++) {
- vs[i] = vf.createValue(privs[j].getName());
+ vs[j] = vf.createValue(privs[j].getName());
}
setSecurityProperty(aceNode, P_PRIVILEGES, vs);
- setSecurityProperty(aceNode, P_NODE_PATH, vf.createValue(ace.getNodePath()));
+
+ // remove local namespace remapping from the node path before
+ // storing the path value.
+ String pathValue = systemResolver.getJCRPath(session.getQPath(ace.getNodePath()));
+ setSecurityProperty(aceNode, P_NODE_PATH, vf.createValue(pathValue, PropertyType.PATH));
+
+ // TODO: TOBEFIXED respect namespace sensitive parts of the glob
setSecurityProperty(aceNode, P_GLOB, vf.createValue(ace.getGlob()));
}
} else {
// try super class
- super.setPolicyTemplate(id, template);
+ super.setPolicyTemplate(nodePath, template);
}
}
/**
- * @see AccessControlEditor#removePolicyTemplate(NodeId)
+ * @see AccessControlEditor#removePolicyTemplate(String)
+ * @param nodePath
*/
- public PolicyTemplate removePolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException {
- checkProtectsNode(id);
+ public PolicyTemplate removePolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
+ checkProtectsNode(nodePath);
- NodeImpl acNode = getAcNode(id);
+ NodeImpl acNode = getAcNode(nodePath);
if (acNode != null) {
if (isAccessControlled(acNode)) {
// build the template in order to have a return value
- PolicyTemplate tmpl = buildTemplate(acNode);
+ PolicyTemplate tmpl = createTemplate(acNode);
removeSecurityItem(acNode.getNode(N_POLICY));
return tmpl;
} else {
- log.debug("No policy present to remove at " + id);
+ log.debug("No policy present to remove at " + nodePath);
return null;
}
} else {
// nodeID not below rep:accesscontrol -> delegate to ACLEditor
- return super.removePolicyTemplate(id);
+ return super.removePolicyTemplate(nodePath);
}
}
- // TODO: check if get/add/remove entries are properly handled by super-class
-
//------------------------------------------------------------< private >---
/**
*
- * @param nodeId
+ * @param nodePath
* @return
- * @throws AccessControlException
+ * @throws PathNotFoundException
* @throws RepositoryException
*/
- private NodeImpl getAcNode(NodeId nodeId) throws AccessControlException, RepositoryException {
- NodeImpl n = session.getNodeById(nodeId);
- Path p = session.getHierarchyManager().getPath(n.getNodeId());
- if (p.isDescendantOf(acRootPath)) {
- return n;
+ private NodeImpl getAcNode(String nodePath) throws PathNotFoundException, RepositoryException {
+ if (Text.isDescendant(acRootPath, nodePath)) {
+ return (NodeImpl) session.getNode(nodePath);
} else {
// node outside of rep:accesscontrol tree -> not handled by this editor.
return null;
}
}
- private NodeId getAcId(Principal principal) throws RepositoryException {
- Path acPath = session.getQPath(getPathToAcNode(principal));
- return session.getHierarchyManager().resolveNodePath(acPath);
- }
-
- private NodeImpl createAcNode(Principal principal) throws RepositoryException {
- String acPath = getPathToAcNode(principal);
+ private NodeImpl createAcNode(String acPath) throws RepositoryException {
String[] segms = Text.explode(acPath, '/', false);
NodeImpl node = (NodeImpl) session.getRootNode();
for (int i = 0; i < segms.length; i++) {
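Review bot: `getAcNode` decides whether a path belongs to this editor with `Text.isDescendant(acRootPath, nodePath)` on the raw strings, where the removed code compared the resolved node's `Path` via `p.isDescendantOf(acRootPath)`. If `Text.isDescendant` is a plain prefix test, a non-normalized `nodePath` (one with `..` segments, or a prefix mapped differently from the one captured in the constructor) can be classified differently from the node that `session.getNode(nodePath)` actually returns. Because this test selects which access control editor handles the request, normalize first, e.g. `nodePath = session.getJCRPath(session.getQPath(nodePath).getNormalizedPath());`, or keep comparing `Path` objects. The same string test is used in `editPolicyTemplate(String)` in the previous hunk; `createAcNode` continues past the end of this one.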
@@ -270,20 +257,28 @@
* defining content. It this case setting or modifying an AC-policy is
* obviously not possible.
*
- * @param id
+ * @param nodePath
* @throws AccessControlException If the given id identifies a Node that
* represents a ACL or ACE item.
* @throws RepositoryException
*/
- private void checkProtectsNode(NodeId id) throws RepositoryException {
- NodeImpl node = session.getNodeById(id);
- if (node.isNodeType(NT_REP_ACL) || node.isNodeType(NT_REP_ACE)) {
- throw new AccessControlException("Node " + id + " defines ACL or ACE.");
+ private void checkProtectsNode(String nodePath) throws RepositoryException {
+ if (session.nodeExists(nodePath)) {
+ NodeImpl n = (NodeImpl) session.getNode(nodePath);
+ if (n.isNodeType(NT_REP_ACL) || n.isNodeType(NT_REP_ACE)) {
+ throw new AccessControlException("Node " + nodePath + " defines ACL or ACE.");
+ }
}
}
+ /**
+ *
+ * @param principal
+ * @return
+ * @throws RepositoryException
+ */
private String getPathToAcNode(Principal principal) throws RepositoryException {
- StringBuffer princPath = new StringBuffer(session.getJCRPath(acRootPath));
+ StringBuffer princPath = new StringBuffer(acRootPath);
if (principal instanceof ItemBasedPrincipal) {
princPath.append(((ItemBasedPrincipal) principal).getPath());
} else {
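Review bot: `checkProtectsNode` now returns silently when `session.nodeExists(nodePath)` is false, but its Javadoc still speaks of "the given id" and says nothing about that case. The public methods call it as the guard against editing policy on ACL/ACE nodes, so the contract should be explicit: `@throws AccessControlException If nodePath identifies an existing Node that represents an ACL or ACE item; a path without a node is not checked.` The Javadoc block added above `getPathToAcNode` is empty and could state that the result is `acRootPath` followed by a principal-specific path. `getPathToAcNode` continues past the end of this hunk.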
@@ -293,6 +288,15 @@
return princPath.toString();
}
+ private Principal getPrincipal(String pathToACNode) throws RepositoryException {
+ String name = Text.unescapeIllegalJcrChars(Text.getName(pathToACNode));
+ PrincipalManager pMgr = session.getPrincipalManager();
+ if (!pMgr.hasPrincipal(name)) {
+ throw new AccessControlException("Unknown principal.");
+ }
+ return pMgr.getPrincipal(name);
+ }
+
/**
*
* @param node
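Review bot: `getPrincipal` validates only the last segment of `pathToACNode`, so any path below the ac root whose final name unescapes to a known principal passes, whatever the segments in between are. `editPolicyTemplate(String)` hands such a path to `createAcNode`, which (judging by the loop visible in an earlier hunk) walks every segment, so ac nodes may end up at locations `getPathToAcNode` would never produce. For an `ItemBasedPrincipal` the path is built from `getPath()`, so the last segment may not even be the principal name; that is worth confirming. A stricter check would be `Principal p = pMgr.getPrincipal(name); if (!pathToACNode.equals(getPathToAcNode(p))) throw new AccessControlException("Unexpected path for principal.");`.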
@@ -303,7 +307,17 @@
return node.isNodeType(NT_REP_ACCESS_CONTROL) && node.hasNode(N_POLICY);
}
- private PolicyTemplate buildTemplate(NodeImpl acNode) throws RepositoryException {
+ /**
+ *
+ * @param acNode
+ * @return
+ * @throws RepositoryException
+ */
+ private PolicyTemplate createTemplate(NodeImpl acNode) throws RepositoryException {
+ if (!acNode.isNodeType(NT_REP_ACCESS_CONTROL)) {
+ throw new RepositoryException("Expected node of type rep:AccessControl.");
+ }
+
Principal principal;
String principalName = Text.unescapeIllegalJcrChars(acNode.getName());
PrincipalManager pMgr = ((SessionImpl) acNode.getSession()).getPrincipalManager();
@@ -314,27 +328,32 @@
// TODO: rather throw?
principal = new PrincipalImpl(principalName);
}
- return new PolicyTemplateImpl(getEntries(acNode, principal), principal, acNode.getNodeId());
- }
- private List getEntries(NodeImpl acNode, Principal principal) throws RepositoryException {
+ // build the list of policy entries;
List entries = new ArrayList();
- if (acNode.isNodeType(NT_REP_ACCESS_CONTROL) && acNode.hasNode(N_POLICY)) {
+ if (acNode.hasNode(N_POLICY)) {
NodeImpl aclNode = acNode.getNode(N_POLICY);
// loop over all entries in the aclNode for the princ-Principal
// and compare if they apply to the Node with 'nodeId'
for (NodeIterator aceNodes = aclNode.getNodes(); aceNodes.hasNext();) {
NodeImpl aceNode = (NodeImpl) aceNodes.nextNode();
- PolicyEntryImpl ace = createFromNode(aceNode, principal);
+ PolicyEntryImpl ace = createEntry(aceNode, principal);
if (ace != null) {
entries.add(ace);
}
}
}
- return entries;
+ return new PolicyTemplateImpl(entries, principal, acNode.getPath());
}
- private PolicyEntryImpl createFromNode(NodeImpl node, Principal principal) throws RepositoryException {
+ /**
+ *
+ * @param node
+ * @param principal
+ * @return
+ * @throws RepositoryException
+ */
+ private PolicyEntryImpl createEntry(NodeImpl node, Principal principal) throws RepositoryException {
if (!node.isNodeType(AccessControlConstants.NT_REP_ACE)) {
log.warn("Unexpected nodetype. Was not rep:ACE.");
return null;
@@ -349,10 +368,11 @@
}
int privileges = PrivilegeRegistry.getBits(pNames);
- String nodePath = node.getProperty(P_NODE_PATH).getString();
- String glob = node.getProperty(P_GLOB).getString();
+ String pV = node.getProperty(P_NODE_PATH).getString();
+ String nodePath = session.getJCRPath(systemResolver.getQPath(pV));
- // TODO: mk sure principal and principal-name in node match
+ // TODO: make sure local namespace remappings are respected.
+ String glob = node.getProperty(P_GLOB).getString();
return new PolicyEntryImpl(principal, privileges, allow, nodePath, glob);
}
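Review bot: The removed `// TODO: mk sure principal and principal-name in node match` is not replaced by the check it asked for: `createEntry` still builds the `PolicyEntryImpl` from the `principal` argument without comparing it to anything stored on the ACE node. If the ACE node records a principal name (the old TODO suggests so, but the property is not visible here), an entry placed under another principal's policy node would be evaluated for that principal. Either keep the TODO next to the new one, or add the comparison and return null with a `log.warn` on mismatch, as is done for the node type check. `createEntry` starts before this hunk.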
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java Thu Apr 3 01:15:01 2008
@@ -28,13 +28,13 @@
import org.apache.jackrabbit.core.security.authorization.AccessControlProvider;
import org.apache.jackrabbit.core.security.authorization.CompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
-import org.apache.jackrabbit.core.security.authorization.GlobPattern;
-import org.apache.jackrabbit.core.security.authorization.acl.ACLEditor;
+import org.apache.jackrabbit.core.security.authorization.Permission;
+import org.apache.jackrabbit.core.security.authorization.PolicyEntry;
+import org.apache.jackrabbit.core.security.authorization.PolicyTemplate;
import org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry;
import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.apache.jackrabbit.spi.Path;
import org.apache.jackrabbit.util.Text;
-import org.apache.commons.collections.map.ListOrderedMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -42,8 +42,8 @@
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Node;
+import javax.jcr.Item;
import javax.jcr.observation.Event;
-import javax.jcr.observation.ObservationManager;
import javax.jcr.observation.EventListener;
import javax.jcr.observation.EventIterator;
import java.security.Principal;
@@ -51,6 +51,9 @@
import java.util.Map;
import java.util.Set;
import java.util.HashSet;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Arrays;
/**
* <code>CombinedProvider</code>...
@@ -64,13 +67,12 @@
// TODO: TOBEFIXED proper evaluation of permissions respecting resource-based ACLs.
// TODO: TOBEFIXED assert proper evaluation order of group/non-group principal-ACLs
- private SessionImpl session;
- private ObservationManager obsMgr;
-
private CombinedEditor editor;
private NodeImpl acRoot;
- protected CombinedProvider() {
+ private String policyName;
+
+ public CombinedProvider() {
super("Combined AC policy", "Policy evaluating user-based and resource-based ACLs.");
}
//----------------------------------------------< AccessControlProvider >---
@@ -78,18 +80,21 @@
* @see AccessControlProvider#init(javax.jcr.Session, java.util.Map)
*/
public void init(Session systemSession, Map options) throws RepositoryException {
- if (initialized) {
- throw new IllegalStateException("already initialized");
- }
- if (!(systemSession instanceof SessionImpl)) {
- throw new RepositoryException("SessionImpl (system session) expected.");
+ super.init(systemSession, options);
+
+ NodeImpl root = (NodeImpl) session.getRootNode();
+ if (root.hasNode(N_ACCESSCONTROL)) {
+ acRoot = root.getNode(N_ACCESSCONTROL);
+ if (!acRoot.isNodeType(NT_REP_ACCESS_CONTROL)) {
+ throw new RepositoryException("Error while initializing Access Control Provider: Found ac-root to be wrong node type " + acRoot.getPrimaryNodeType().getName());
+ }
+ } else {
+ acRoot = root.addNode(N_ACCESSCONTROL, NT_REP_ACCESS_CONTROL, null);
}
- session = (SessionImpl) systemSession;
- obsMgr = session.getWorkspace().getObservationManager();
- String rootPath = acRoot.getPath();
- editor = new CombinedEditor(session, session.getNamePathResolver(),
- session.getQPath(rootPath));
+ policyName = session.getJCRName(AccessControlConstants.N_POLICY);
+
+ editor = new CombinedEditor(session, resolver, resolver.getQPath(acRoot.getPath()));
try {
log.info("Install initial ACL:...");
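Review bot: In `init`, `root.addNode(N_ACCESSCONTROL, NT_REP_ACCESS_CONTROL, null)`, `session.getJCRName(...)` and the `CombinedEditor` constructor now run before the `try` whose handler (visible in a later hunk) calls `session.getRootNode().refresh(false)`. A `RepositoryException` from any of them would leave the unsaved ac root pending in the system session, where a later save may persist it without the initial ACL. Moving the `try {` up to just after `super.init(systemSession, options);` keeps the whole bootstrap under the same rollback. The method continues past the end of this hunk.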
@@ -105,16 +110,15 @@
}
String glob = GlobPattern.WILDCARD_ALL;
- PolicyTemplateImpl pt = editor.editPolicyTemplate(administrators);
- pt.setEntry(new PolicyEntryImpl(administrators, PrivilegeRegistry.ALL, true, rootPath, glob));
- editor.setPolicyTemplate(pt.getNodeId(), pt);
+ PolicyTemplate pt = editor.editPolicyTemplate(administrators);
+ pt.setEntry(new PolicyEntryImpl(administrators, PrivilegeRegistry.ALL, true, root.getPath(), glob));
+ editor.setPolicyTemplate(pt.getPath(), pt);
Principal everyone = pMgr.getEveryone();
- // TODO: to be improved. how to define where everyone has read-access
log.info("... Privilege.READ for everyone.");
pt = editor.editPolicyTemplate(everyone);
- pt.setEntry(new PolicyEntryImpl(everyone, PrivilegeRegistry.READ, true, rootPath, glob));
- editor.setPolicyTemplate(pt.getNodeId(), pt);
+ pt.setEntry(new PolicyEntryImpl(everyone, PrivilegeRegistry.READ, true, root.getPath(), glob));
+ editor.setPolicyTemplate(pt.getPath(), pt);
session.save();
log.info("... done.");
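Review bot: The bootstrap entry for `everyone` grants `PrivilegeRegistry.READ` at `root.getPath()` with `GlobPattern.WILDCARD_ALL`, and the commit drops the TODO that questioned this scope without documenting the decision. That appears to make the whole workspace readable by every principal on a fresh install, which someone auditing the defaults should be able to see from the code. Suggest a comment above the entry such as `// default: everyone may read everything below the root; restrict after setup if that is too broad`, and a matching one-line comment for the administrators entry. The enclosing `try` block starts and ends outside this hunk.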
@@ -124,19 +128,6 @@
session.getRootNode().refresh(false);
throw e;
}
-
-
- NodeImpl root = (NodeImpl) session.getRootNode();
- if (root.hasNode(N_ACCESSCONTROL)) {
- // TODO: make sure its a node with the correct nodetype
- acRoot = root.getNode(N_ACCESSCONTROL);
- if (!acRoot.isNodeType(NT_REP_ACCESS_CONTROL)) {
- throw new RepositoryException("Error while initializing Access Control Provider: Found ac-root to be wrong node type " + acRoot.getPrimaryNodeType().getName());
- }
- } else {
- acRoot = root.addNode(N_ACCESSCONTROL, NT_REP_ACCESS_CONTROL, null);
- }
- initialized = true;
}
/**
@@ -164,7 +155,7 @@
}
}
- log.debug("Unable to createFromNode " + CombinedEditor.class.getName() + ".");
+ log.debug("Unable to build access control editor " + CombinedEditor.class.getName() + ".");
return null;
}
@@ -176,68 +167,11 @@
if (isAdminOrSystem(principals)) {
return getAdminPermissions();
} else {
- // TODO: include the resource-based ACLs!
+ // TODO: TOBEFIXED include the resource-based ACLs!
return new CompiledPermissionImpl(principals);
}
}
- //----------------------------------------< private | package protected >---
- /**
- * Test if the given path points to a Node (or an existing or non existing
- * direct decendant of an existing Node) that stores AC-information
- *
- * @param path
- * @return
- * @throws RepositoryException
- */
- private boolean isAccessControlItem(Path path) throws ItemNotFoundException, RepositoryException {
- NodeImpl node;
- String absPath = session.getJCRPath(path);
- if (session.nodeExists(absPath)) {
- node = (NodeImpl) session.getNode(absPath);
- } else {
- // path points to existing prop or non-existing item (node or prop).
- String parentPath = Text.getRelativeParent(absPath, 1);
- if (session.nodeExists(parentPath)) {
- node = (NodeImpl) session.getNode(parentPath);
- } else {
- throw new ItemNotFoundException("No item exists at " + absPath + " nor at its direct ancestor.");
- }
- }
- return node.isNodeType(ACLEditor.NT_REP_ACL) || node.isNodeType(ACLEditor.NT_REP_ACE);
- }
-
- /**
- *
- * @param principals
- * @return
- * @throws RepositoryException
- */
- private ACLImpl getACL(Set principals) throws RepositoryException {
- // acNodes must be ordered in the same order as the principals
- // in order to obtain proper acl-evalution in case the given
- // principal-set is ordered.
- Map princToACEs = new ListOrderedMap();
- Set acPaths = new HashSet();
- // build acl-hierarchy assuming that principal-order determines the
- // acl-inheritance.
- for (Iterator it = principals.iterator(); it.hasNext();) {
- Principal princ = (Principal) it.next();
- PolicyTemplateImpl at = editor.getPolicyTemplate(princ);
- if (at == null) {
- log.debug("No matching ACL node found for principal " + princ.getName() + " -> principal ignored.");
- } else {
- // retrieve the ACEs from the node
- PolicyEntryImpl[] aces = (PolicyEntryImpl[]) at.getEntries();
- princToACEs.put(princ, aces);
-
- Path p = session.getHierarchyManager().getPath(at.getNodeId());
- acPaths.add(session.getJCRPath(p));
- }
- }
- return new ACLImpl(princToACEs, acPaths);
- }
-
//-----------------------------------------------------< CompiledPolicy >---
/**
*
@@ -246,7 +180,8 @@
implements EventListener {
private final Set principals;
- private ACLImpl acl;
+ private final Set acPaths;
+ private Entries entries;
/**
* @param principals
@@ -255,41 +190,60 @@
private CompiledPermissionImpl(Set principals) throws RepositoryException {
this.principals = principals;
- acl = getACL(principals);
+ acPaths = new HashSet(principals.size());
+ entries = reload();
// TODO: describe
- // TODO: rather on CombinedProvider? -> but must keep references to the CompiledPermission then....?
int events = Event.PROPERTY_CHANGED | Event.PROPERTY_ADDED |
Event.PROPERTY_REMOVED | Event.NODE_ADDED | Event.NODE_REMOVED;
String[] ntNames = new String[] {
session.getJCRName(NT_REP_ACE)
};
- obsMgr.addEventListener(this, events, acRoot.getPath(), true, null, ntNames, true);
+ observationMgr.addEventListener(this, events, acRoot.getPath(), true, null, ntNames, false);
}
//------------------------------------< AbstractCompiledPermissions >---
/**
* @see AbstractCompiledPermissions#buildResult(Path)
*/
- protected Result buildResult(Path absPath) throws RepositoryException {
+ protected synchronized Result buildResult(Path absPath) throws RepositoryException {
if (!absPath.isAbsolute()) {
throw new RepositoryException("Absolute path expected.");
}
String jcrPath = session.getJCRPath(absPath);
- boolean isAclItem = isAccessControlItem(absPath);
-
+ boolean isAclItem = false;
+ /* Test if the given path points to a Node (or an existing or non
+ * existing direct decendant of an existing Node) that stores
+ * AC-information
+ */
+ String[] segments = Text.explode(jcrPath, '/', false);
+ if (segments.length > 0) {
+ for (int i = segments.length - 1; i >= 0 && !isAclItem; i--) {
+ isAclItem = policyName.equals(segments[i]);
+ }
+ }
+
int permissions;
if (session.itemExists(jcrPath)) {
- permissions = acl.getPermissions(session.getItem(jcrPath), isAclItem);
+ permissions = entries.getPermissions(session.getItem(jcrPath), isAclItem);
} else {
- Node parent = session.getNode(Text.getRelativeParent(jcrPath, 1));
- String name = session.getJCRName(absPath.getNameElement().getName());
- permissions = acl.getPermissions(parent, name, isAclItem);
- }
- /* privileges can only be determined for existing nodes.
- not for properties and neither for non-existing nodes. */
- int privileges = (session.nodeExists(jcrPath)) ? acl.getPrivileges(jcrPath) : PrivilegeRegistry.NO_PRIVILEGE;
+ Node parent = null;
+ String parentPath = jcrPath;
+ while (parent == null) {
+ parentPath = Text.getRelativeParent(parentPath, 1);
+ if (parentPath.length() == 0) {
+ // root node reached
+ parent = session.getRootNode();
+ } else if (session.nodeExists(parentPath)) {
+ parent = session.getNode(parentPath);
+ }
+ }
+ String relPath = jcrPath.substring(parent.getPath().length() + 1);
+ permissions = entries.getPermissions(parent, relPath, isAclItem);
+ }
+ /* TODO: privileges can only be determined for nodes. */
+ int privileges = entries.getPrivileges(jcrPath);
return new Result(permissions, privileges);
}
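Review bot: `jcrPath.substring(parent.getPath().length() + 1)` in `buildResult` is off by one when the nearest existing ancestor is the root node: `parent.getPath()` is `/`, so the first character of the relative path is cut off. `Entries.getPermissions(Node, String, boolean)` in the last hunk of this file then rebuilds the path as `parent.getPath() + "/" + relPath`, which yields a leading `//` for the root. Permissions for a not-yet-existing item directly or indirectly below the root are therefore matched against the wrong path, which the `*` glob of the default entries would hide. In `buildResult` use `String pp = parent.getPath();` and `String relPath = jcrPath.substring(pp.endsWith("/") ? pp.length() : pp.length() + 1);`, and apply the same `endsWith("/")` test where `getPermissions` joins the two parts.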
@@ -299,7 +253,7 @@
*/
public void close() {
try {
- obsMgr.removeEventListener(this);
+ observationMgr.removeEventListener(this);
} catch (RepositoryException e) {
log.error("Internal error: ", e.getMessage());
}
@@ -310,8 +264,7 @@
/**
* @see EventListener#onEvent(EventIterator)
*/
- public void onEvent(EventIterator events) {
- Set acPaths = acl.getAcPaths();
+ public synchronized void onEvent(EventIterator events) {
try {
boolean reload = false;
while (events.hasNext() && !reload) {
@@ -334,19 +287,140 @@
reload = false;
break;
}
-
}
-
// eventually reload the ACL and clear the cache
if (reload) {
- // reload the acl
- acl = getACL(principals);
clearCache();
+ // reload the acl
+ entries = reload();
}
} catch (RepositoryException e) {
// should never get here
log.warn("Internal error: ", e.getMessage());
}
+ }
+
+ /**
+ *
+ * @return
+ * @throws RepositoryException
+ */
+ private Entries reload() throws RepositoryException {
+ // reload the paths
+ acPaths.clear();
+
+ // acNodes must be ordered in the same order as the principals
+ // in order to obtain proper acl-evalution in case the given
+ // principal-set is ordered.
+ List allACEs = new ArrayList();
+ // build acl-hierarchy assuming that principal-order determines the
+ // acl-inheritance.
+ for (Iterator it = principals.iterator(); it.hasNext();) {
+ Principal princ = (Principal) it.next();
+ PolicyTemplate at = editor.getPolicyTemplate(princ);
+ if (at == null || at.isEmpty()) {
+ log.debug("No matching ACL node found for principal " + princ.getName() + " -> principal ignored.");
+ } else {
+ // retrieve the ACEs from the node
+ PolicyEntry[] aces = (PolicyEntry[]) at.getEntries();
+ allACEs.addAll(Arrays.asList(aces));
+ acPaths.add(at.getPath());
+ }
+ }
+ return new Entries(allACEs);
+ }
+ }
+
+ //--------------------------------------------------------------------------
+
+ private static class Entries {
+
+ private final List entries;
+
+ private Entries(List entries) {
+ this.entries = entries;
+ }
+
+ /**
+ * Loop over all entries and evaluate allows/denies for those matching
+ * the given jcrPath.
+ *
+ * @param target Existing target item for which the permissions will be
+ * evaluated.
+ * @param protectsACL
+ * @return
+ * @throws RepositoryException
+ */
+ private int getPermissions(Item target, boolean protectsACL) throws RepositoryException {
+ int allows = 0;
+ int denies = 0;
+ for (Iterator it = entries.iterator(); it.hasNext() && allows != Permission.ALL;) {
+ PolicyEntryImpl entr = (PolicyEntryImpl) it.next();
+ if (entr.matches(target)) {
+ int privs = entr.getPrivilegeBits();
+ int permissions = Permission.calculatePermissions(privs, privs, protectsACL);
+ if (entr.isAllow()) {
+ allows |= Permission.diff(permissions, denies);
+ } else {
+ denies |= Permission.diff(permissions, allows);
+ }
+ }
+ }
+ return allows;
+ }
+
+ /**
+ * loop over all entries and evaluate allows/denies for those matching
+ * the given jcrPath.
+ *
+ * @param parent Existing parent of the target to be evaluated.
+ * @param relPath relative path to a non-existing child item to calculate the
+ * permissions for.
+ * @param protectsACL
+ * @return
+ * @throws RepositoryException
+ */
+ private int getPermissions(Node parent, String relPath, boolean protectsACL) throws RepositoryException {
+ int allows = 0;
+ int denies = 0;
+ String jcrPath = parent.getPath() + "/" + relPath;
+
+ for (Iterator it = entries.iterator(); it.hasNext() && allows != Permission.ALL;) {
+ PolicyEntryImpl entr = (PolicyEntryImpl) it.next();
+ if (entr.matches(jcrPath)) {
+ int privs = entr.getPrivilegeBits();
+ int permissions = Permission.calculatePermissions(privs, privs, protectsACL);
+ if (entr.isAllow()) {
+ allows |= Permission.diff(permissions, denies);
+ } else {
+ denies |= Permission.diff(permissions, allows);
+ }
+ }
+ }
+ return allows;
+ }
+
+ private int getPrivileges(String nodePath) throws RepositoryException {
+ // TODO: improve. avoid duplicate evaluation...
+ int allows = 0;
+ int denies = 0;
+ for (Iterator it = entries.iterator(); it.hasNext() && allows != Permission.ALL;) {
+ PolicyEntryImpl entr = (PolicyEntryImpl) it.next();
+ // loop over all entries and evaluate allows/denies for those
+ // matching the given jcrPath
+ // TODO: check again which ACEs must be respected.
+ // TODO: maybe ancestor-defs only if glob = *?
+ String np = entr.getNodePath();
+ // TODO: TOBEFIXED Text.isDescendant that returns false if np==root-path
+ if (np.equals(nodePath) || "/".equals(np) || Text.isDescendant(np, nodePath)) {
+ if (entr.isAllow()) {
+ allows |= PrivilegeRegistry.diff(entr.getPrivilegeBits(), denies);
+ } else {
+ denies |= PrivilegeRegistry.diff(entr.getPrivilegeBits(), allows);
+ }
+ }
+ }
+ return allows;
}
}
}
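Review bot: `reload()` clears `acPaths` before it has loaded anything, and `onEvent` calls `clearCache()` and then `reload()` inside a `try` that only logs. If `editor.getPolicyTemplate(princ)` throws (it does for an unknown principal, per `CombinedEditor`), `entries` keeps the old ACEs while `acPaths` is empty or partial, so permission checks continue on stale data and later events are presumably no longer recognised as relevant. Building the path set locally and swapping it in after the loop keeps the two in step. The `log.warn("Internal error: ", e.getMessage())` call also has no `{}` placeholder, so the message is dropped; pass `e` itself.

```java
private Entries reload() throws RepositoryException {
    // collect into a local set so a failed reload leaves acPaths untouched
    Set newPaths = new HashSet(principals.size());
    // … unchanged: allACEs list, loop over principals, null/empty check …
            newPaths.add(at.getPath());
    // … unchanged: end of loop …
    acPaths.clear();
    acPaths.addAll(newPaths);
    return new Entries(allACEs);
}
```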
Added: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/GlobPattern.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/GlobPattern.java?rev=644215&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/GlobPattern.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/GlobPattern.java Thu Apr 3 01:15:01 2008
@@ -0,0 +1,124 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization.combined;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.jcr.Item;
+import javax.jcr.RepositoryException;
+
+/**
+ * <code>GlobPattern</code>...
+ */
+class GlobPattern {
+
+ private static Logger log = LoggerFactory.getLogger(GlobPattern.class);
+
+ private static final char ALL = '*';
+ public static final String WILDCARD_ALL = "*";
+
+ private final String pattern;
+
+ private GlobPattern(String pattern) {
+ this.pattern = pattern;
+ }
+
+ static GlobPattern create(String pattern) {
+ if (pattern == null) {
+ throw new IllegalArgumentException();
+ }
+ return new GlobPattern(pattern);
+ }
+
+ boolean matches(String toMatch) {
+ // shortcut
+ if (WILDCARD_ALL.equals(pattern)) {
+ return true;
+ }
+ if (toMatch == null) {
+ return false;
+ }
+
+ if (containsWildCard()) {
+ return matches(pattern, toMatch);
+ } else {
+ return pattern.equals(toMatch);
+ }
+ }
+
+ boolean matches(Item itemToMatch) {
+ try {
+ // TODO: missing proper impl
+ return matches(itemToMatch.getPath());
+ } catch (RepositoryException e) {
+ log.error("Unable to determine match.", e.getMessage());
+ return false;
+ }
+ }
+
+ private boolean containsWildCard() {
+ // TODO: add proper impl
+ return pattern.indexOf(ALL) > -1;
+ }
+
+ private static boolean matches(String pattern, String toMatch) {
+ // TODO: add proper impl
+ char[] c1 = pattern.toCharArray();
+ char[] c2 = toMatch.toCharArray();
+
+ for (int i = 0; i < c1.length; i++) {
+ if (c1[i] == ALL) {
+ return true;
+ }
+ if (i >= c2.length || c1[i] != c2[i]) {
+ return false;
+ }
+ }
+
+ return false;
+ }
+
+ //-------------------------------------------------------------< Object >---
+
+ /**
+ * @see Object#hashCode()
+ */
+ public int hashCode() {
+ return pattern.hashCode();
+ }
+
+ /**
+ * @see Object#toString()
+ */
+ public String toString() {
+ return pattern;
+ }
+
+ /**
+ * @see Object#equals(Object)
+ */
+ public boolean equals(Object obj) {
+ if (obj == this) {
+ return true;
+ }
+ if (obj instanceof GlobPattern) {
+ return pattern.equals(((GlobPattern)obj).pattern);
+ }
+ return false;
+ }
+}
\ No newline at end of file
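Review bot: The private `matches(String pattern, String toMatch)` returns `true` as soon as it reaches the first `*`, so everything after the wildcard is ignored and a pattern such as `/a/*/b` (constructed example) matches every path that starts with `/a/`. `PolicyEntryImpl.matches` delegates to this class to decide which allow and deny entries apply to a path, so until the `// TODO: add proper impl` is resolved the class Javadoc should state the limit, e.g. `Only the part of the pattern before the first '*' is compared; any text after it is ignored.` Separately, `log.error("Unable to determine match.", e.getMessage())` has no `{}` placeholder, so the message is dropped; `log.error("Unable to determine match.", e);` keeps the cause and stack trace. Returning `false` from `matches(Item)` on a `RepositoryException` also means a deny entry silently does not apply to that item, which deserves a comment or a deliberate decision.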
Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/GlobPattern.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/GlobPattern.java
------------------------------------------------------------------------------
svn:keywords = author date id revision url
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyEntryImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyEntryImpl.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyEntryImpl.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyEntryImpl.java Thu Apr 3 01:15:01 2008
@@ -16,40 +16,21 @@
*/
package org.apache.jackrabbit.core.security.authorization.combined;
-import org.apache.jackrabbit.core.security.authorization.PolicyEntry;
-import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
-import org.apache.jackrabbit.core.security.authorization.GlobPattern;
-import org.apache.jackrabbit.core.security.jsr283.security.Privilege;
-import org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry;
+import org.apache.jackrabbit.core.security.authorization.AbstractPolicyEntry;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.jcr.RepositoryException;
import javax.jcr.Item;
+import javax.jcr.RepositoryException;
import java.security.Principal;
/**
* <code>PolicyEntryImpl</code>...
*/
-class PolicyEntryImpl implements PolicyEntry {
+class PolicyEntryImpl extends AbstractPolicyEntry {
private static Logger log = LoggerFactory.getLogger(PolicyEntryImpl.class);
- /**
- * Privileges defined for this entry.
- */
- private final int privileges;
-
- /**
- * If the actions contained are allowed or denied
- */
- private final boolean allow;
-
- /**
- * The Principal of this entry
- */
- private final Principal principal;
-
private final String nodePath;
private final String glob;
@@ -59,11 +40,6 @@
private final GlobPattern pattern;
/**
- * Hash code being calculated on demand.
- */
- private int hashCode = -1;
-
- /**
* Constructs an new entry.
*
* @param principal
@@ -72,20 +48,22 @@
*/
PolicyEntryImpl(Principal principal, int privileges, boolean allow,
String nodePath, String glob) {
+ super(principal, privileges, allow);
+
if (principal == null || nodePath == null) {
throw new IllegalArgumentException("Neither principal nor nodePath must be null.");
}
- this.principal = principal;
- this.privileges = privileges;
- this.allow = allow;
this.nodePath = nodePath;
- this.glob = (glob == null) ? GlobPattern.WILDCARD_ALL : glob;
-
- pattern = GlobPattern.create(nodePath + "/" +glob);
- }
+ this.glob = glob;
- int getPrivilegeBits() {
- return privileges;
+ // TODO: review again
+ if (glob != null && glob.length() > 0) {
+ StringBuffer b = new StringBuffer(nodePath);
+ b.append(glob);
+ pattern = GlobPattern.create(b.toString());
+ } else {
+ pattern = GlobPattern.create(nodePath);
+ }
}
String getNodePath() {
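Review bot: The constructor now stores `this.glob = glob;` without the previous null default, and the following `if (glob != null && glob.length() > 0)` shows that a null glob is an expected input. However `buildHashCode()` (next hunk, `h = 37 * h + glob.hashCode();`) and `equals` (last hunk of this file, `glob.equals(tmpl.glob)`) still dereference it, so an entry created with a null glob throws a NullPointerException as soon as it is hashed or compared. Either normalise in the constructor with `this.glob = (glob == null) ? "" : glob;`, which builds the same pattern as the null branch, or make both methods null-safe; which one is right depends on what `getGlob()` callers expect, which is not visible here. The `// TODO: review again` could also record that `nodePath` and `glob` are now concatenated without the former `"/"` separator, so a glob of `*` on a node path also covers sibling paths that merely share the prefix.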
@@ -104,48 +82,15 @@
return pattern.matches(item);
}
- //-------------------------------------------------< AccessControlEntry >---
- /**
- * @see AccessControlEntry#getPrincipal()
- */
- public Principal getPrincipal() {
- return principal;
- }
-
- /**
- * @see AccessControlEntry#getPrivileges()
- */
- public Privilege[] getPrivileges() {
- return PrivilegeRegistry.getPrivileges(privileges);
- }
-
- //--------------------------------------------------------< PolicyEntry >---
- /**
- * @return true if all actions contained in this Entry are allowed
- * @see PolicyEntry#isAllow()
- */
- public boolean isAllow() {
- return allow;
+ protected int buildHashCode() {
+ int h = super.buildHashCode();
+ h = 37 * h + nodePath.hashCode();
+ h = 37 * h + glob.hashCode();
+ return h;
}
//-------------------------------------------------------------< Object >---
/**
- * @see Object#hashCode()
- */
- public int hashCode() {
- if (hashCode == -1) {
- int h = 17;
- h = 37 * h + principal.getName().hashCode();
- h = 37 * h + privileges;
- h = 37 * h + Boolean.valueOf(allow).hashCode();
- h = 37 * h + nodePath.hashCode();
- h = 37 * h + glob.hashCode();
- hashCode = h;
- }
- return hashCode;
- }
-
- /**
* Returns true if the principal, the allow-flag, all privileges and
* the nodepath and the glob string are equal or the same, respectively.
*
@@ -160,13 +105,10 @@
if (obj instanceof PolicyEntryImpl) {
PolicyEntryImpl tmpl = (PolicyEntryImpl) obj;
- // TODO: check again if comparing principal-name is sufficient
- return principal.getName().equals(tmpl.principal.getName()) &&
- allow == tmpl.allow &&
- privileges == tmpl.privileges &&
+ return super.equals(obj) &&
+ nodePath.equals(tmpl.nodePath) &&
glob.equals(tmpl.glob);
}
return false;
}
-
}
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java Thu Apr 3 01:15:01 2008
@@ -16,7 +16,6 @@
*/
package org.apache.jackrabbit.core.security.authorization.combined;
-import org.apache.jackrabbit.core.NodeId;
import org.apache.jackrabbit.core.security.authorization.PolicyEntry;
import org.apache.jackrabbit.core.security.authorization.PolicyTemplate;
import org.apache.jackrabbit.core.security.jsr283.security.AccessControlException;
@@ -37,18 +36,13 @@
private static Logger log = LoggerFactory.getLogger(PolicyTemplateImpl.class);
private final Principal principal;
- private final NodeId acNodeId;
+ private final String acAbsPath;
private final List entries = new ArrayList();
-
- PolicyTemplateImpl(List aceTemplates, Principal principal, NodeId acNodeId) {
+ PolicyTemplateImpl(List policyEntries, Principal principal, String acAbsPath) {
this.principal = principal;
- this.entries.addAll(aceTemplates);
- this.acNodeId = acNodeId;
- }
-
- NodeId getNodeId() {
- return acNodeId;
+ this.entries.addAll(policyEntries);
+ this.acAbsPath = acAbsPath;
}
Principal getPrincipal() {
@@ -56,6 +50,9 @@
}
//-----------------------------------------------------< PolicyTemplate >---
+ public String getPath() {
+ return acAbsPath;
+ }
public boolean isEmpty() {
return entries.isEmpty();
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java Thu Apr 3 01:15:01 2008
@@ -16,30 +16,34 @@
*/
package org.apache.jackrabbit.core.security.simple;
+import org.apache.jackrabbit.core.HierarchyManager;
+import org.apache.jackrabbit.core.ItemId;
+import org.apache.jackrabbit.core.security.AMContext;
import org.apache.jackrabbit.core.security.AbstractAccessControlManager;
import org.apache.jackrabbit.core.security.AccessManager;
-import org.apache.jackrabbit.core.security.AMContext;
import org.apache.jackrabbit.core.security.AnonymousPrincipal;
import org.apache.jackrabbit.core.security.SystemPrincipal;
-import org.apache.jackrabbit.core.security.jsr283.security.Privilege;
-import org.apache.jackrabbit.core.security.jsr283.security.AccessControlPolicy;
-import org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry;
-import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
import org.apache.jackrabbit.core.security.authorization.AccessControlProvider;
-import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.core.security.authorization.Permission;
-import org.apache.jackrabbit.core.HierarchyManager;
-import org.apache.jackrabbit.core.ItemId;
-import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
-import org.apache.jackrabbit.spi.Path;
+import org.apache.jackrabbit.core.security.authorization.PolicyTemplate;
+import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
+import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
+import org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry;
+import org.apache.jackrabbit.core.security.jsr283.security.AccessControlException;
+import org.apache.jackrabbit.core.security.jsr283.security.AccessControlPolicy;
+import org.apache.jackrabbit.core.security.jsr283.security.Privilege;
import org.apache.jackrabbit.spi.Name;
+import org.apache.jackrabbit.spi.Path;
+import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
-import javax.security.auth.Subject;
import javax.jcr.AccessDeniedException;
import javax.jcr.ItemNotFoundException;
-import javax.jcr.RepositoryException;
import javax.jcr.NoSuchWorkspaceException;
import javax.jcr.PathNotFoundException;
+import javax.jcr.RepositoryException;
+import javax.jcr.UnsupportedRepositoryOperationException;
+import javax.security.auth.Subject;
+import java.security.Principal;
/**
* <code>SimpleAccessManager</code> ...
@@ -187,7 +191,7 @@
public boolean hasPrivileges(String absPath, Privilege[] privileges) throws PathNotFoundException, RepositoryException {
checkInitialized();
// make sure absPath points to an existing node
- getValidNodePath(absPath);
+ checkValidNodePath(absPath);
if (privileges == null || privileges.length == 0) {
// null or empty privilege array -> return true
@@ -214,7 +218,7 @@
*/
public Privilege[] getPrivileges(String absPath) throws PathNotFoundException, RepositoryException {
checkInitialized();
- getValidNodePath(absPath);
+ checkValidNodePath(absPath);
if (anonymous) {
return new Privilege[] {PrivilegeRegistry.READ_PRIVILEGE};
@@ -231,8 +235,7 @@
*/
public AccessControlPolicy getEffectivePolicy(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
checkInitialized();
- Path p = getValidNodePath(absPath);
- checkPrivileges(p, PrivilegeRegistry.READ_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
return new AccessControlPolicy() {
public String getName() throws RepositoryException {
@@ -249,12 +252,29 @@
*/
public AccessControlEntry[] getEffectiveAccessControlEntries(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
checkInitialized();
- Path p = getValidNodePath(absPath);
- checkPrivileges(p, PrivilegeRegistry.READ_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
return new AccessControlEntry[0];
}
-
+
+ //-------------------------------------< JackrabbitAccessControlManager >---
+ /**
+ * {@inheritDoc}
+ */
+ public PolicyTemplate editPolicy(String absPath) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
+ checkInitialized();
+ checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
+
+ throw new UnsupportedRepositoryOperationException("Editing is not supported");
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public PolicyTemplate editPolicy(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
+ throw new UnsupportedRepositoryOperationException("Editing is not supported");
+ }
+
//---------------------------------------< AbstractAccessControlManager >---
/**
* {@inheritDoc}
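Review bot: The two new `editPolicy` overloads are inconsistent in their precondition checks: `editPolicy(String absPath)` calls `checkInitialized()` and `checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC)` before throwing, while `editPolicy(Principal principal)` throws `UnsupportedRepositoryOperationException` straight away. An uninitialized or closed manager therefore answers differently depending on the overload used. Adding `checkInitialized();` as the first statement of the `Principal` variant keeps the behaviour uniform. A one-line comment in each body, such as `// editing is not supported by the simple access manager`, would explain why the `{@inheritDoc}` contract is not fulfilled.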
@@ -265,13 +285,14 @@
}
}
- protected void checkPrivileges(Path absPath, int privileges) throws AccessDeniedException, PathNotFoundException, RepositoryException {
+ protected void checkPrivileges(String absPath, int privileges) throws AccessDeniedException, PathNotFoundException, RepositoryException {
+ checkValidNodePath(absPath);
if (anonymous && privileges != PrivilegeRegistry.READ) {
throw new AccessDeniedException("Anonymous may only READ.");
}
}
- protected Path getValidNodePath(String absPath) throws PathNotFoundException, RepositoryException {
+ protected void checkValidNodePath(String absPath) throws PathNotFoundException, RepositoryException {
Path path = resolver.getQPath(absPath);
if (!path.isAbsolute()) {
throw new RepositoryException("Absolute path expected. Found: " + absPath);
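Review bot: `checkPrivileges(String absPath, int privileges)` has no documentation, and its contract is easy to misread now that it is called with `READ_AC` and `MODIFY_AC`. After validating the path it denies only anonymous sessions asking for anything other than exactly `PrivilegeRegistry.READ`, so every other session passes for any privilege value. A Javadoc such as `Validates absPath and throws AccessDeniedException only for anonymous sessions requesting more than READ; all other sessions are granted every privilege.` would make that explicit for callers. The body of `checkValidNodePath` continues beyond this hunk.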
@@ -279,8 +300,6 @@
if (hierMgr.resolveNodePath(path) == null) {
throw new PathNotFoundException(absPath);
- } else {
- return path;
}
}
}
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java Thu Apr 3 01:15:01 2008
@@ -40,7 +40,6 @@
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.observation.Event;
-import javax.jcr.observation.ObservationManager;
import javax.jcr.observation.EventListener;
import javax.jcr.observation.EventIterator;
import java.security.Principal;
@@ -68,9 +67,6 @@
private Path groupsPath;
private Path usersPath;
- private SessionImpl systemSession;
- private ObservationManager obsMgr;
-
private String userAdminGroup;
private String groupAdminGroup;
@@ -83,40 +79,36 @@
}
//----------------------------------------------< AccessControlProvider >---
- /**
+ /**
* @see AccessControlProvider#init(Session, Map)
*/
public void init(Session systemSession, Map options) throws RepositoryException {
- if (initialized) {
- throw new IllegalStateException("already initialized");
- }
- if (systemSession instanceof SessionImpl) {
- this.systemSession = (SessionImpl) systemSession;
- obsMgr = systemSession.getWorkspace().getObservationManager();
-
- userAdminGroup = (options.containsKey(USER_ADMIN_GROUP_NAME)) ? options.get(USER_ADMIN_GROUP_NAME).toString() : USER_ADMIN_GROUP_NAME;
- groupAdminGroup = (options.containsKey(GROUP_ADMIN_GROUP_NAME)) ? options.get(GROUP_ADMIN_GROUP_NAME).toString() : GROUP_ADMIN_GROUP_NAME;
-
- // make sure the groups exist (and ev. create them).
- // TODO: review again.
- UserManager uMgr = this.systemSession.getUserManager();
- if (!initGroup(uMgr, userAdminGroup)) {
- log.warn("Unable to initialize User admininistrator group -> no user admins.");
- userAdminGroup = null;
- }
- if (!initGroup(uMgr, groupAdminGroup)) {
- log.warn("Unable to initialize Group admininistrator group -> no group admins.");
- groupAdminGroup = null;
- }
+ super.init(systemSession, options);
- usersPath = this.systemSession.getQPath(USERS_PATH);
- groupsPath = this.systemSession.getQPath(GROUPS_PATH);
-
- } else {
- throw new RepositoryException("SessionImpl (system session) expected.");
- }
- initialized = true;
- }
+ if (systemSession instanceof SessionImpl) {
+ SessionImpl sImpl = (SessionImpl) systemSession;
+ userAdminGroup = (options.containsKey(USER_ADMIN_GROUP_NAME)) ? options.get(USER_ADMIN_GROUP_NAME).toString() : USER_ADMIN_GROUP_NAME;
+ groupAdminGroup = (options.containsKey(GROUP_ADMIN_GROUP_NAME)) ? options.get(GROUP_ADMIN_GROUP_NAME).toString() : GROUP_ADMIN_GROUP_NAME;
+
+ // make sure the groups exist (and ev. create them).
+ // TODO: review again.
+ UserManager uMgr = sImpl.getUserManager();
+ if (!initGroup(uMgr, userAdminGroup)) {
+ log.warn("Unable to initialize User admininistrator group -> no user admins.");
+ userAdminGroup = null;
+ }
+ if (!initGroup(uMgr, groupAdminGroup)) {
+ log.warn("Unable to initialize Group admininistrator group -> no group admins.");
+ groupAdminGroup = null;
+ }
+
+ usersPath = sImpl.getQPath(USERS_PATH);
+ groupsPath = sImpl.getQPath(GROUPS_PATH);
+
+ } else {
+ throw new RepositoryException("SessionImpl (system session) expected.");
+ }
+ }
public CompiledPermissions compilePermissions(Set principals) throws ItemNotFoundException, RepositoryException {
checkInitialized();
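Review bot: In `init`, the `systemSession instanceof SessionImpl` guard now runs after `super.init(systemSession, options)`, so an unsupported session type is rejected only once the superclass has finished its own setup. If `super.init` sets the initialized flag (its body is not visible here), the provider stays marked as initialized while `usersPath`, `groupsPath` and the admin group names are unset, and later `checkInitialized()` calls would pass. Moving the guard ahead of the super call avoids that: `if (!(systemSession instanceof SessionImpl)) { throw new RepositoryException("SessionImpl (system session) expected."); }`. The same partially initialized state can arise if `getUserManager()` or `getQPath(...)` throws midway, so the ordering is worth a short comment.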
@@ -139,7 +131,7 @@
private ItemBasedPrincipal getUserPrincipal(Set principals) {
try {
- UserManager uMgr = systemSession.getUserManager();
+ UserManager uMgr = session.getUserManager();
for (Iterator it = principals.iterator(); it.hasNext();) {
Principal p = (Principal) it.next();
if (!(p instanceof Group) && p instanceof ItemBasedPrincipal
@@ -160,7 +152,7 @@
if (principal != null) {
try {
String path = principal.getPath();
- userNode = (NodeImpl) systemSession.getNode(path);
+ userNode = (NodeImpl) session.getNode(path);
} catch (RepositoryException e) {
log.warn("Error while retrieving user node.", e.getMessage());
}
@@ -170,28 +162,28 @@
private boolean isMember(Node userNode, Path memberPath) throws RepositoryException, PathNotFoundException {
// precondition: memberPath points to a rep:members property
- String propPath = systemSession.getJCRPath(memberPath);
- if (systemSession.propertyExists(propPath)) {
+ String propPath = session.getJCRPath(memberPath);
+ if (session.propertyExists(propPath)) {
// check if any of the ref-values equals to the value created from
// the user-Node (which must be present if the user is member of the group)
- Property membersProp = systemSession.getProperty(propPath);
+ Property membersProp = session.getProperty(propPath);
List values = Arrays.asList(membersProp.getValues());
- return values.contains(systemSession.getValueFactory().createValue(userNode));
+ return values.contains(session.getValueFactory().createValue(userNode));
} else {
return false;
}
}
private Node getExistingNode(Path path) throws RepositoryException {
- String absPath = systemSession.getJCRPath(path.getNormalizedPath());
- if (systemSession.nodeExists(absPath)) {
- return systemSession.getNode(absPath);
- } else if (systemSession.propertyExists(absPath)) {
- return systemSession.getProperty(absPath).getParent();
+ String absPath = resolver.getJCRPath(path.getNormalizedPath());
+ if (session.nodeExists(absPath)) {
+ return session.getNode(absPath);
+ } else if (session.propertyExists(absPath)) {
+ return session.getProperty(absPath).getParent();
} else {
String pPath = Text.getRelativeParent(absPath, 1);
- if (systemSession.nodeExists(pPath)) {
- return systemSession.getNode(pPath);
+ if (session.nodeExists(pPath)) {
+ return session.getNode(pPath);
} else {
throw new ItemNotFoundException("Unable to determine permissions: No item and no existing parent for target path " + absPath);
}
@@ -208,10 +200,10 @@
* @throws RepositoryException
*/
private boolean doCalculatePrivileges(Path path) throws RepositoryException {
- String absPath = systemSession.getJCRPath(path.getNormalizedPath());
+ String absPath = resolver.getJCRPath(path.getNormalizedPath());
// privileges can only be determined for existing nodes.
// not for properties and neither for non-existing nodes.
- return systemSession.nodeExists(absPath);
+ return session.nodeExists(absPath);
}
private static boolean containsGroup(Set principals, String groupName) {
@@ -263,7 +255,7 @@
isGroupAdmin = containsGroup(principals, groupAdminGroup);
int events = Event.PROPERTY_CHANGED | Event.PROPERTY_ADDED | Event.PROPERTY_REMOVED;
- obsMgr.addEventListener(this, events, GROUPS_PATH, true, null, null, false);
+ observationMgr.addEventListener(this, events, GROUPS_PATH, true, null, null, false);
}
//------------------------------------< AbstractCompiledPermissions >---
@@ -302,7 +294,7 @@
} // else: outside of user tree -> authN = null
if (authN != null && authN.isNodeType(NT_REP_USER)) {
- int relDepth = systemSession.getHierarchyManager().getRelativeDepth(userNode.getNodeId(), authN.getNodeId());
+ int relDepth = session.getHierarchyManager().getRelativeDepth(userNode.getNodeId(), authN.getNodeId());
switch (relDepth) {
case -1:
// authN is not below the userNode -> can't write anyway.
@@ -380,7 +372,7 @@
*/
public void close() {
try {
- obsMgr.removeEventListener(this);
+ observationMgr.removeEventListener(this);
} catch (RepositoryException e) {
log.error("Internal error: ", e.getMessage());
}
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/AccessManagerTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/AccessManagerTest.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/AccessManagerTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/AccessManagerTest.java Thu Apr 3 01:15:01 2008
@@ -62,7 +62,7 @@
}
}
- // TODO: add tests for new methods!!!!
+ // TODO: add tests for new methods
// TODO: add specific tests for 'AC-read/modify' privileges
public void testCheckPermissionReadOnlySession() throws RepositoryException, NotExecutableException {
Added: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntryTest.java?rev=644215&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntryTest.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntryTest.java Thu Apr 3 01:15:01 2008
@@ -0,0 +1,158 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import org.apache.jackrabbit.core.security.jsr283.security.AccessControlException;
+import org.apache.jackrabbit.core.security.jsr283.security.Privilege;
+import org.apache.jackrabbit.test.JUnitTest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Iterator;
+import java.util.List;
+
+/**
+ * <code>AbstractPolicyEntryTest</code>...
+ */
+public abstract class AbstractPolicyEntryTest extends JUnitTest {
+
+ private static Logger log = LoggerFactory.getLogger(AbstractPolicyEntryTest.class);
+ protected Principal testPrincipal;
+
+ protected void setUp() throws Exception {
+ super.setUp();
+ testPrincipal = new Principal() {
+ public String getName() {
+ return "TestPrincipal";
+ }
+ };
+ }
+
+ protected PolicyEntry createPolicyEntry(int privileges, boolean isAllow) {
+ return createPolicyEntry(testPrincipal, privileges, isAllow);
+ }
+
+ protected abstract PolicyEntry createPolicyEntry(Principal principal, int privileges, boolean isAllow);
+
+ public void testIsAllow() {
+ PolicyEntry tmpl = createPolicyEntry(PrivilegeRegistry.READ, true);
+ assertTrue(tmpl.isAllow());
+
+ tmpl = createPolicyEntry(PrivilegeRegistry.READ, false);
+ assertFalse(tmpl.isAllow());
+ }
+
+ public void testGetPrincipal() {
+ PolicyEntry tmpl = createPolicyEntry(PrivilegeRegistry.READ, true);
+ assertNotNull(tmpl.getPrincipal());
+ assertEquals(testPrincipal.getName(), tmpl.getPrincipal().getName());
+ assertSame(testPrincipal, tmpl.getPrincipal());
+ }
+
+ public void testGetPrivilegeBits() {
+ PolicyEntry tmpl = createPolicyEntry(PrivilegeRegistry.READ, true);
+
+ int privs = tmpl.getPrivilegeBits();
+ assertTrue(privs == PrivilegeRegistry.READ);
+
+ tmpl = createPolicyEntry(PrivilegeRegistry.WRITE, true);
+ privs = tmpl.getPrivilegeBits();
+ assertTrue(privs == PrivilegeRegistry.WRITE);
+ }
+
+ public void testGetPrivileges() throws AccessControlException {
+ PolicyEntry tmpl = createPolicyEntry(PrivilegeRegistry.READ, true);
+
+ Privilege[] privs = tmpl.getPrivileges();
+ assertNotNull(privs);
+ assertEquals(1, privs.length);
+ assertEquals(privs[0].getName(), Privilege.READ);
+ assertTrue(PrivilegeRegistry.getBits(privs) == tmpl.getPrivilegeBits());
+
+ tmpl = createPolicyEntry(PrivilegeRegistry.WRITE, true);
+ privs = tmpl.getPrivileges();
+ assertNotNull(privs);
+ assertEquals(1, privs.length);
+ assertEquals(privs[0].getName(), Privilege.WRITE);
+ assertTrue(PrivilegeRegistry.getBits(privs) == tmpl.getPrivilegeBits());
+
+ tmpl = createPolicyEntry(PrivilegeRegistry.ADD_CHILD_NODES | PrivilegeRegistry.REMOVE_CHILD_NODES, true);
+ privs = tmpl.getPrivileges();
+ assertNotNull(privs);
+ assertEquals(2, privs.length);
+
+ Privilege[] param = PrivilegeRegistry.getPrivileges(new String[] {Privilege.ADD_CHILD_NODES, Privilege.REMOVE_CHILD_NODES});
+ assertEquals(Arrays.asList(param), Arrays.asList(privs));
+ assertTrue(PrivilegeRegistry.getBits(privs) == tmpl.getPrivilegeBits());
+ }
+
+ public void testEquals() {
+
+ PolicyEntry ace = createPolicyEntry(PrivilegeRegistry.ALL, true);
+ PolicyEntry ace2 = createPolicyEntry(PrivilegeRegistry.ALL, true);
+ assertEquals(ace, ace2);
+
+ ace2 = createPolicyEntry(PrivilegeRegistry.READ |
+ PrivilegeRegistry.WRITE |
+ PrivilegeRegistry.MODIFY_AC |
+ PrivilegeRegistry.READ_AC, true);
+ assertEquals(ace, ace2);
+ }
+
+ public void testNotEquals() {
+ PolicyEntry ace = createPolicyEntry(PrivilegeRegistry.ALL, true);
+ List otherAces = new ArrayList();
+ // ACE template with different principal
+ otherAces.add(createPolicyEntry(new Principal() {
+ public String getName() {
+ return "a name";
+ } }, PrivilegeRegistry.ALL, true)
+ );
+
+ // ACE template with different privileges
+ otherAces.add(createPolicyEntry(PrivilegeRegistry.READ, true));
+ // ACE template with different 'allow' flag
+ otherAces.add(createPolicyEntry(PrivilegeRegistry.ALL, false));
+ // ACE template with different privileges and 'allows
+ otherAces.add(createPolicyEntry(PrivilegeRegistry.WRITE, false));
+ // other ace impl
+ PolicyEntry pe = new PolicyEntry() {
+ public boolean isAllow() {
+ return true;
+ }
+
+ public int getPrivilegeBits() {
+ return PrivilegeRegistry.ALL;
+ }
+
+ public Principal getPrincipal() {
+ return testPrincipal;
+ }
+ public Privilege[] getPrivileges() {
+ return PrivilegeRegistry.getPrivileges(PrivilegeRegistry.ALL);
+ }
+ };
+ otherAces.add(pe);
+
+ for (Iterator it = otherAces.iterator(); it.hasNext();) {
+ assertFalse(ace.equals(it.next()));
+ }
+ }
+}
\ No newline at end of file
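Review bot: `testEquals` asserts that two entries are equal but never compares their hash codes, although this commit replaces the hand-written `hashCode()` in `PolicyEntryImpl` with `buildHashCode()`. Adding `assertEquals(ace.hashCode(), ace2.hashCode());` after each `assertEquals(ace, ace2);` would pin the equals/hashCode contract for every implementation that extends this test. In `testGetPrivileges`, `assertEquals(privs[0].getName(), Privilege.READ)` and the matching `WRITE` assertion pass the actual value first, so a failure message would be misleading; `assertEquals(Privilege.READ, privs[0].getName());` gives the right report.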
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntryTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntryTest.java
------------------------------------------------------------------------------
svn:keywords = author date id revision url
Added: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java?rev=644215&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java Thu Apr 3 01:15:01 2008
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import org.apache.jackrabbit.test.JUnitTest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.jcr.RepositoryException;
+import java.security.Principal;
+
+/**
+ * <code>AbstractPolicyTemplateTest</code>...
+ */
+public abstract class AbstractPolicyTemplateTest extends JUnitTest {
+
+ private static Logger log = LoggerFactory.getLogger(AbstractPolicyTemplateTest.class);
+
+ protected Principal testPrincipal;
+
+ protected void setUp() throws Exception {
+ super.setUp();
+ testPrincipal = new Principal() {
+ public String getName() {
+ return "TestPrincipal";
+ }
+ };
+ }
+
+ protected abstract String getTestPath();
+
+ protected abstract PolicyTemplate createEmptyTemplate(String path);
+
+ public void testEmptyTemplate() throws RepositoryException {
+ PolicyTemplate pt = createEmptyTemplate(getTestPath());
+
+ assertNotNull(pt.getEntries());
+ assertTrue(pt.getEntries().length == 0);
+ assertTrue(pt.isEmpty());
+ assertNotNull(pt.getName());
+ }
+
+
+ public void testGetPath() {
+ PolicyTemplate pt = (PolicyTemplate) createEmptyTemplate(getTestPath());
+ assertEquals(getTestPath(), pt.getPath());
+ }
+
+ // TODO: add more tests
+}
\ No newline at end of file
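Review bot: In `testEmptyTemplate` the length check is written as `assertTrue(pt.getEntries().length == 0)`, which reports nothing about the actual entry count when it fails; `assertEquals(0, pt.getEntries().length);` would. The cast in `testGetPath` is redundant because `createEmptyTemplate` is already declared to return `PolicyTemplate`, so `PolicyTemplate pt = createEmptyTemplate(getTestPath());` is enough. The `log` field is never used in this class, and the same unused logger remains in ACEImplTest and ACLTemplateTest after this commit. The class Javadoc is still the `...` placeholder; since this is the shared base for access-control policy template tests, it should say that subclasses supply the test path and the empty template.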
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java
------------------------------------------------------------------------------
svn:keywords = author date id revision url
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java Thu Apr 3 01:15:01 2008
@@ -19,6 +19,7 @@
import junit.framework.Test;
import junit.framework.TestCase;
import junit.framework.TestSuite;
+import org.apache.jackrabbit.core.security.authorization.combined.GlobPatternTest;
/**
* Test suite
@@ -38,7 +39,7 @@
suite.addTestSuite(PrivilegeRegistryTest.class);
suite.addTestSuite(PolicyTemplateTest.class);
- //TODO suite.addTestSuite(EntryTemplateTest.class);
+ suite.addTestSuite(GlobPatternTest.class);
return suite;
}
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImplTest.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImplTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImplTest.java Thu Apr 3 01:15:01 2008
@@ -16,121 +16,21 @@
*/
package org.apache.jackrabbit.core.security.authorization.acl;
-import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
+import org.apache.jackrabbit.core.security.authorization.AbstractPolicyEntryTest;
import org.apache.jackrabbit.core.security.authorization.PolicyEntry;
-import org.apache.jackrabbit.core.security.jsr283.security.AccessControlException;
-import org.apache.jackrabbit.core.security.jsr283.security.Privilege;
-import org.apache.jackrabbit.test.JUnitTest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.security.Principal;
-import java.util.Arrays;
-import java.util.List;
-import java.util.ArrayList;
-import java.util.Iterator;
/**
* <code>ACEImplTest</code>...
*/
-public class ACEImplTest extends JUnitTest {
+public class ACEImplTest extends AbstractPolicyEntryTest {
private static Logger log = LoggerFactory.getLogger(ACEImplTest.class);
- private Principal testPrincipal;
-
- protected void setUp() throws Exception {
- super.setUp();
- testPrincipal = new Principal() {
- public String getName() {
- return "TestPrincipal";
- }
- };
- }
-
- public void testIsAllow() {
- ACEImpl tmpl = new ACEImpl(testPrincipal, PrivilegeRegistry.READ, true);
- assertTrue(tmpl.isAllow());
-
- tmpl = new ACEImpl(testPrincipal, PrivilegeRegistry.READ, false);
- assertFalse(tmpl.isAllow());
- }
-
- public void testGetPrincipal() {
- ACEImpl tmpl = new ACEImpl(testPrincipal, PrivilegeRegistry.READ, true);
- assertNotNull(tmpl.getPrincipal());
- assertEquals(testPrincipal.getName(), tmpl.getPrincipal().getName());
- assertSame(testPrincipal, tmpl.getPrincipal());
- }
-
- public void testGetPrivileges() throws AccessControlException {
- ACEImpl tmpl = new ACEImpl(testPrincipal, PrivilegeRegistry.READ, true);
-
- Privilege[] privs = tmpl.getPrivileges();
- assertNotNull(privs);
- assertEquals(1, privs.length);
- assertEquals(privs[0].getName(), Privilege.READ);
-
- tmpl = new ACEImpl(testPrincipal, PrivilegeRegistry.WRITE, true);
- privs = tmpl.getPrivileges();
- assertNotNull(privs);
- assertEquals(1, privs.length);
- assertEquals(privs[0].getName(), Privilege.WRITE);
-
- tmpl = new ACEImpl(testPrincipal, PrivilegeRegistry.ADD_CHILD_NODES | PrivilegeRegistry.REMOVE_CHILD_NODES, true);
- privs = tmpl.getPrivileges();
- assertNotNull(privs);
- assertEquals(2, privs.length);
-
- Privilege[] param = PrivilegeRegistry.getPrivileges(new String[] {Privilege.ADD_CHILD_NODES, Privilege.REMOVE_CHILD_NODES});
- assertEquals(Arrays.asList(param), Arrays.asList(privs));
- }
-
- public void testEqual() {
- ACEImpl ace = new ACEImpl(testPrincipal, PrivilegeRegistry.ALL, true);
-
- ACEImpl ace2 = new ACEImpl(testPrincipal, PrivilegeRegistry.ALL, true);
- assertEquals(ace, ace2);
-
- ace2 = new ACEImpl(testPrincipal, PrivilegeRegistry.READ |
- PrivilegeRegistry.WRITE |
- PrivilegeRegistry.MODIFY_AC |
- PrivilegeRegistry.READ_AC, true);
- assertEquals(ace, ace2);
- }
-
- public void testNotEqual() {
- ACEImpl ace = new ACEImpl(testPrincipal, PrivilegeRegistry.ALL, true);
- List otherAces = new ArrayList();
- // ACE template with different principal
- otherAces.add(new ACEImpl(new Principal() {
- public String getName() {
- return "a name";
- } }, PrivilegeRegistry.ALL, true)
- );
-
- // ACE template with different privileges
- otherAces.add(new ACEImpl(testPrincipal, PrivilegeRegistry.READ, true));
- // ACE template with different 'allow' flag
- otherAces.add(new ACEImpl(testPrincipal, PrivilegeRegistry.ALL, false));
- // ACE template with different privileges and 'allows
- otherAces.add(new ACEImpl(testPrincipal, PrivilegeRegistry.WRITE, false));
- // other ace impl
- PolicyEntry pe = new PolicyEntry() {
- public boolean isAllow() {
- return true;
- }
- public Principal getPrincipal() {
- return testPrincipal;
- }
- public Privilege[] getPrivileges() {
- return PrivilegeRegistry.getPrivileges(PrivilegeRegistry.ALL);
- }
- };
- otherAces.add(pe);
-
- for (Iterator it = otherAces.iterator(); it.hasNext();) {
- assertFalse(ace.equals(it.next()));
- }
+ protected PolicyEntry createPolicyEntry(Principal principal, int privileges, boolean isAllow) {
+ return new ACEImpl(principal, privileges, isAllow);
}
}
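Review bot: The new `createPolicyEntry(Principal, int, boolean)` is now the only behaviour in ACEImplTest and has no comment marking it as the factory hook for the inherited tests. A short Javadoc would help, for example `/** Creates the ACEImpl exercised by the tests inherited from AbstractPolicyEntryTest. */`. The visible part of the base class calls a two-argument `createPolicyEntry(PrivilegeRegistry.READ, true)`, so presumably a helper there supplies `testPrincipal`; that relationship is worth stating in the comment once confirmed.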
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java Thu Apr 3 01:15:01 2008
@@ -16,27 +16,23 @@
*/
package org.apache.jackrabbit.core.security.authorization.acl;
-import org.apache.jackrabbit.test.JUnitTest;
+import org.apache.jackrabbit.core.security.authorization.AbstractPolicyTemplateTest;
+import org.apache.jackrabbit.core.security.authorization.PolicyTemplate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.jcr.RepositoryException;
-
/**
* <code>ACLTemplateTest</code>...
*/
-public class ACLTemplateTest extends JUnitTest {
+public class ACLTemplateTest extends AbstractPolicyTemplateTest {
private static Logger log = LoggerFactory.getLogger(ACLTemplateTest.class);
- public void testEmptyTemplate() throws RepositoryException {
- ACLTemplate at = new ACLTemplate();
-
- assertNotNull(at.getEntries());
- assertTrue(at.getEntries().length == 0);
- assertTrue(at.isEmpty());
- assertNotNull(at.getName());
+ protected String getTestPath() {
+ return "/ab/c/d";
}
- // TODO: add tests
+ protected PolicyTemplate createEmptyTemplate(String path) {
+ return new ACLTemplate(path);
+ }
}
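Review bot: The `// TODO: add tests` marker is removed here, but ACLTemplateTest now inherits only `testEmptyTemplate` and `testGetPath` from AbstractPolicyTemplateTest, so no test covers an ACLTemplate that actually contains entries. For an access-control template the behaviour with entries is what matters. Either keep a marker such as `// TODO: add ACLTemplate-specific tests for non-empty templates` or add those tests alongside this refactoring.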