Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2012/10/05 16:30:23 UTC
svn commit: r1394546 - in /jackrabbit/oak/trunk:
oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/
oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/
oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/ oak-jcr/...
Author: angela
Date: Fri Oct 5 14:30:23 2012
New Revision: 1394546
URL: http://svn.apache.org/viewvc?rev=1394546&view=rev
Log:
OAK-64 : Privilege Management (WIP)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeProvider.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/WorkspaceImpl.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/AbstractPrivilegeTest.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/CustomPrivilegeTest.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java?rev=1394546&r1=1394545&r2=1394546&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java Fri Oct 5 14:30:23 2012
@@ -55,7 +55,7 @@ public class PrivilegeRegistry implement
public PrivilegeRegistry(ContentSession contentSession) {
this.contentSession = contentSession;
- this.definitions = getAllDefinitions(new PrivilegeDefinitionReader(contentSession));
+ this.definitions = readDefinitions();
}
static Map<String, PrivilegeDefinition> getAllDefinitions(PrivilegeDefinitionReader reader) {
@@ -76,6 +76,10 @@ public class PrivilegeRegistry implement
return definitions;
}
+ private Map<String, PrivilegeDefinition> readDefinitions() {
+ return getAllDefinitions(new PrivilegeDefinitionReader(contentSession));
+ }
+
private static void updateJcrAllPrivilege(Map<String, PrivilegeDefinition> definitions) {
Map<String, PrivilegeDefinition> m = new HashMap<String, PrivilegeDefinition>(definitions);
m.remove(JCR_ALL);
@@ -83,6 +87,12 @@ public class PrivilegeRegistry implement
}
//--------------------------------------------------< PrivilegeProvider >---
+ @Override
+ public void refresh() {
+ // re-read the definitions (TODO: evaluate if it was better to always read privileges on demand only.)
+ definitions.putAll(readDefinitions());
+ }
+
@Nonnull
@Override
public PrivilegeDefinition[] getPrivilegeDefinitions() {
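Review bot: `refresh()` merges the freshly read map into the cached one with `definitions.putAll(readDefinitions())`, so an entry that is no longer present in the repository is never dropped and stays resolvable through this registry for as long as the session lives. For a cache that backs access-control decisions, the refreshed state should equal what the reader returns, not a superset of it. Reading first and then replacing, e.g. `Map<String, PrivilegeDefinition> fresh = readDefinitions(); definitions.clear(); definitions.putAll(fresh);`, achieves that and leaves the old contents intact if the read fails. This assumes `definitions` is a mutable map, which the hunk does not show; the class body continues outside the hunk.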
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeProvider.java?rev=1394546&r1=1394545&r2=1394546&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeProvider.java Fri Oct 5 14:30:23 2012
@@ -27,8 +27,12 @@ import javax.jcr.RepositoryException;
public interface PrivilegeProvider {
/**
- * Returns all privilege definitions accessible to a given
- * {@link org.apache.jackrabbit.oak.api.ContentSession}.
+ * Refresh this privilege provider.
+ */
+ void refresh();
+
+ /**
+ * Returns all privilege definitions accessible to this provider.
*
* @return all privilege definitions.
*/
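Review bot: The new Javadoc `Refresh this privilege provider.` does not say what is reloaded or what happens to definitions the provider already holds. Going by the PrivilegeRegistry implementation in this commit, a sentence such as `Re-reads the privilege definitions from the underlying content so that definitions registered through other sessions become visible to this provider.` would pin the contract. It should also state whether definitions that have disappeared from the content are discarded, since implementers will otherwise differ on that. The interface continues outside the hunk.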
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java?rev=1394546&r1=1394545&r2=1394546&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java Fri Oct 5 14:30:23 2012
@@ -33,6 +33,7 @@ import javax.jcr.observation.Observation
import javax.jcr.query.QueryManager;
import javax.jcr.version.VersionManager;
+import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.api.AuthInfo;
@@ -45,6 +46,7 @@ import org.apache.jackrabbit.oak.api.Tre
import org.apache.jackrabbit.oak.api.TreeLocation;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.jcr.observation.ObservationManagerImpl;
+import org.apache.jackrabbit.oak.jcr.security.privilege.PrivilegeManagerImpl;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.namepath.NamePathMapperImpl;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManager;
@@ -71,7 +73,9 @@ public class SessionDelegate {
private final SecurityProvider securityProvider;
private final IdentifierManager idManager;
+
private ObservationManagerImpl observationManager;
+ private PrivilegeManagerImpl privilegeManager;
private boolean isAlive = true;
private int sessionOpCount;
@@ -230,10 +234,12 @@ public class SessionDelegate {
public void refresh(boolean keepChanges) {
if (keepChanges) {
root.rebase();
- }
- else {
+ } else {
root.refresh();
}
+ if (privilegeManager != null) {
+ privilegeManager.refresh();
+ }
}
/**
@@ -491,4 +497,12 @@ public class SessionDelegate {
throw new UnsupportedRepositoryOperationException("User management not supported.");
}
}
+
+ @Nonnull
+ PrivilegeManager getPrivilegeManager() {
+ if (privilegeManager == null) {
+ privilegeManager = new PrivilegeManagerImpl(this);
+ }
+ return privilegeManager;
+ }
}
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/WorkspaceImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/WorkspaceImpl.java?rev=1394546&r1=1394545&r2=1394546&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/WorkspaceImpl.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/WorkspaceImpl.java Fri Oct 5 14:30:23 2012
@@ -282,7 +282,7 @@ public class WorkspaceImpl implements Ja
*/
@Override
public PrivilegeManager getPrivilegeManager() throws RepositoryException {
- return new PrivilegeManagerImpl(sessionDelegate);
+ return sessionDelegate.getPrivilegeManager();
}
//------------------------------------------------------------< private >---
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java?rev=1394546&r1=1394545&r2=1394546&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java Fri Oct 5 14:30:23 2012
@@ -46,11 +46,15 @@ public class PrivilegeManagerImpl implem
private final PrivilegeProvider provider;
private final SessionDelegate sessionDelegate;
- public PrivilegeManagerImpl(SessionDelegate sessionDelegate) throws RepositoryException {
+ public PrivilegeManagerImpl(SessionDelegate sessionDelegate) {
this.provider = new PrivilegeRegistry(sessionDelegate.getContentSession());
this.sessionDelegate = sessionDelegate;
}
+ public void refresh() {
+ provider.refresh();
+ }
+
@Override
public Privilege[] getRegisteredPrivileges() throws RepositoryException {
Set<Privilege> privileges = new HashSet<Privilege>();
@@ -82,6 +86,7 @@ public class PrivilegeManagerImpl implem
}
PrivilegeDefinition def = provider.registerDefinition(oakName, isAbstract, getOakNames(declaredAggregateNames));
+ sessionDelegate.refresh(true);
return new PrivilegeImpl(def);
}
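Review bot: `sessionDelegate.refresh(true)` after `registerDefinition` refreshes the whole session rather than just the privilege cache; per the SessionDelegate change in this commit it runs `root.rebase()` before `privilegeManager.refresh()`. A caller that registers a privilege therefore gets its pending transient changes rebased as an undocumented side effect. If only the new definition has to become visible, calling `refresh();` on this manager looks sufficient, though whether the root must also move forward cannot be seen from the hunk. If the session-wide refresh is intended, a comment such as `// registration is persisted outside this session's root; rebase so the session sees the new definition` would record why. The method starts outside the hunk.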
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/AbstractPrivilegeTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/AbstractPrivilegeTest.java?rev=1394546&r1=1394545&r2=1394546&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/AbstractPrivilegeTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/AbstractPrivilegeTest.java Fri Oct 5 14:30:23 2012
@@ -25,28 +25,12 @@ import org.apache.jackrabbit.api.Jackrab
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.test.AbstractJCRTest;
-import org.junit.After;
-import org.junit.Before;
/**
* AbstractPrivilegeTest... TODO
*/
abstract class AbstractPrivilegeTest extends AbstractJCRTest implements PrivilegeConstants {
- PrivilegeManager privilegeManager;
-
- @Before
- public void setUp() throws Exception {
- super.setUp();
- privilegeManager = getPrivilegeManager(superuser);
- }
-
- @After
- public void tearDown() throws Exception {
- privilegeManager = null;
- super.tearDown();
- }
-
static PrivilegeManager getPrivilegeManager(Session session) throws RepositoryException {
Workspace workspace = session.getWorkspace();
return ((JackrabbitWorkspace) workspace).getPrivilegeManager();
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/CustomPrivilegeTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/CustomPrivilegeTest.java?rev=1394546&r1=1394545&r2=1394546&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/CustomPrivilegeTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/CustomPrivilegeTest.java Fri Oct 5 14:30:23 2012
@@ -18,13 +18,13 @@ package org.apache.jackrabbit.oak.jcr.se
import java.util.ArrayList;
import java.util.HashMap;
-import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
-import java.util.Set;
+import java.util.concurrent.Executors;
import javax.jcr.AccessDeniedException;
import javax.jcr.NamespaceException;
+import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Workspace;
@@ -32,29 +32,57 @@ import javax.jcr.security.AccessControlE
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
+import org.apache.jackrabbit.mk.core.MicroKernelImpl;
+import org.apache.jackrabbit.oak.jcr.RepositoryImpl;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
import org.junit.After;
-import org.junit.Ignore;
+import org.junit.Before;
import org.junit.Test;
/**
* CustomPrivilegeTest...
+ *
+ * TODO: more tests for cyclic aggregation
*/
-@Ignore
public class CustomPrivilegeTest extends AbstractPrivilegeTest {
+ private Repository repository;
+ private Session session;
+ private PrivilegeManager privilegeManager;
+
+ @Before
+ public void setUp() throws Exception {
+ super.setUp();
+
+ // create a separate repository in order to be able to remove registered privileges.
+ String dir = "target/mk-tck-" + System.currentTimeMillis();
+ repository = new RepositoryImpl(new MicroKernelImpl(dir), Executors.newScheduledThreadPool(1));
+ session = getAdminSession();
+ privilegeManager = getPrivilegeManager(session);
+
+ }
@After
public void tearDown() throws Exception {
+ try {
+ super.tearDown();
+ } finally {
+ session.logout();
+ repository = null;
+ privilegeManager = null;
+ }
+ }
- // FIXME: remove any remaining custom privilege definitions
+ private Session getReadOnlySession() throws RepositoryException {
+ return repository.login(getHelper().getReadOnlyCredentials());
+ }
- super.tearDown();
+ private Session getAdminSession() throws RepositoryException {
+ return repository.login(getHelper().getSuperuserCredentials());
}
- @Ignore // FIXME: default setup should enforce access restrictions
@Test
public void testRegisterPrivilegeWithReadOnly() throws RepositoryException {
- Session readOnly = getHelper().getReadOnlySession();
+ Session readOnly = getReadOnlySession();
try {
getPrivilegeManager(readOnly).registerPrivilege("test", true, new String[0]);
fail("Only admin is allowed to register privileges.");
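Review bot: The executor created inline in `setUp()` by `Executors.newScheduledThreadPool(1)` is never shut down, so every test method leaves a live pool thread behind, and `tearDown()` calls `session.logout()` unguarded, which throws a NullPointerException and masks the original error when `setUp()` failed before `session` was assigned. Holding the executor in a field and releasing both in the `finally` block fixes this. The `target/mk-tck-` directory created per test is not removed either; whether the build cleans it up cannot be seen from the hunk. The class body continues outside the hunk.

```java
private ScheduledExecutorService executor;

// … unchanged: super.setUp() and dir computation in setUp() …
executor = Executors.newScheduledThreadPool(1);
repository = new RepositoryImpl(new MicroKernelImpl(dir), executor);

// … unchanged: try { super.tearDown(); } in tearDown() …
} finally {
    if (session != null) {
        session.logout();
    }
    if (executor != null) {
        executor.shutdownNow();
    }
    repository = null;
    privilegeManager = null;
}
```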
@@ -69,7 +97,7 @@ public class CustomPrivilegeTest extends
public void testCustomDefinitionsWithCyclicReferences() throws RepositoryException {
try {
privilegeManager.registerPrivilege("cycl-1", false, new String[] {"cycl-1"});
- fail("Cyclic definitions must be detected upon registry startup.");
+ fail("Cyclic definitions must be detected upon registration.");
} catch (RepositoryException e) {
// success
}
@@ -147,9 +175,6 @@ public class CustomPrivilegeTest extends
Map<String, String[]> newCustomPrivs = new LinkedHashMap<String, String[]>();
newCustomPrivs.put("new", new String[0]);
newCustomPrivs.put("new2", new String[0]);
- Set<String> decl = new HashSet<String>();
- decl.add("new");
- decl.add("new2");
newCustomPrivs.put("new3", getAggregateNames("new", "new2"));
for (String name : newCustomPrivs.keySet()) {
@@ -176,7 +201,7 @@ public class CustomPrivilegeTest extends
}
}
- @Test
+ @Test
public void testRegisterPrivilegeWithIllegalName() {
Map<String, String[]> illegal = new HashMap<String, String[]>();
// invalid privilege name
@@ -229,7 +254,7 @@ public class CustomPrivilegeTest extends
@Test
public void testRegisterCustomPrivileges() throws RepositoryException {
- Workspace workspace = superuser.getWorkspace();
+ Workspace workspace = session.getWorkspace();
workspace.getNamespaceRegistry().registerNamespace("test", "http://www.apache.org/jackrabbit/test");
Map<String, String[]> newCustomPrivs = new HashMap<String, String[]>();
@@ -282,7 +307,7 @@ public class CustomPrivilegeTest extends
String privName = "testCustomPrivilegeVisibleToNewSession";
privilegeManager.registerPrivilege(privName, isAbstract, new String[0]);
- Session s2 = getHelper().getSuperuserSession();
+ Session s2 = getAdminSession();
try {
PrivilegeManager pm = getPrivilegeManager(s2);
Privilege priv = pm.getPrivilege(privName);
@@ -294,25 +319,24 @@ public class CustomPrivilegeTest extends
}
}
- @Ignore // FIXME
@Test
public void testCustomPrivilegeVisibleAfterRefresh() throws RepositoryException {
- Session s2 = getHelper().getSuperuserSession();
+ Session s2 = getAdminSession();
+ PrivilegeManager pm = getPrivilegeManager(s2);
try {
boolean isAbstract = false;
String privName = "testCustomPrivilegeVisibleAfterRefresh";
privilegeManager.registerPrivilege(privName, isAbstract, new String[0]);
// before refreshing: privilege not visible
- PrivilegeManager pm = getPrivilegeManager(s2);
try {
Privilege priv = pm.getPrivilege(privName);
- fail("Custom privilege must show up after Session#refresh()");
+ fail("Custom privilege will show up after Session#refresh()");
} catch (AccessControlException e) {
// success
}
- // after refresh privilege manager must be updated
+ // latest after refresh privilege manager must be updated
s2.refresh(true);
Privilege priv = pm.getPrivilege(privName);
assertEquals(privName, priv.getName());
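Review bot: The reworded failure message `"Custom privilege will show up after Session#refresh()"` describes the later state instead of the condition that failed; that `fail` fires when the privilege is already visible before the refresh. Something like `fail("Custom privilege must not be visible before Session#refresh()");` says what went wrong, and the comment `// latest after refresh privilege manager must be updated` should be aligned with it, because "latest" suggests earlier visibility is acceptable while the test rejects it. In addition, `getPrivilegeManager(s2)` now sits before the `try`, so if it throws, `s2` is not logged out, assuming the `finally` outside the hunk does that; making it the first statement inside the `try` keeps it ahead of the registration. The method continues outside the hunk.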
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java?rev=1394546&r1=1394545&r2=1394546&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java Fri Oct 5 14:30:23 2012
@@ -18,30 +18,38 @@ package org.apache.jackrabbit.oak.jcr.se
import java.util.ArrayList;
import java.util.Arrays;
-import java.util.HashMap;
import java.util.HashSet;
-import java.util.LinkedHashMap;
import java.util.List;
-import java.util.Map;
import java.util.Set;
-import javax.jcr.AccessDeniedException;
-import javax.jcr.NamespaceException;
import javax.jcr.RepositoryException;
-import javax.jcr.Session;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
+import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
-import org.junit.Ignore;
+import org.junit.After;
+import org.junit.Before;
import org.junit.Test;
/**
* PrivilegeManagerTest...
- *
- * TODO: more tests for cyclic aggregation
*/
public class PrivilegeManagerImplTest extends AbstractPrivilegeTest {
+ private PrivilegeManager privilegeManager;
+
+ @Before
+ public void setUp() throws Exception {
+ super.setUp();
+ privilegeManager = getPrivilegeManager(superuser);
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ privilegeManager = null;
+ super.tearDown();
+ }
+
public void testGetRegisteredPrivileges() throws RepositoryException {
Privilege[] registered = privilegeManager.getRegisteredPrivileges();
Set<Privilege> set = new HashSet<Privilege>();