Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/05/03 16:36:12 UTC
svn commit: r1478813 - in /jackrabbit/oak/trunk/oak-jcr/src:
main/java/org/apache/jackrabbit/oak/jcr/
main/java/org/apache/jackrabbit/oak/jcr/delegate/
main/java/org/apache/jackrabbit/oak/jcr/security/
test/java/org/apache/jackrabbit/oak/jcr/security/a...
Author: angela
Date: Fri May 3 14:36:12 2013
New Revision: 1478813
URL: http://svn.apache.org/r1478813
Log:
OAK-711 : PermissionValidator: Proper permission handling for jcr:nodetypeManagement privilege
Added:
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/AccessManager.java
Modified:
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/NodeImpl.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/WorkspaceImpl.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/SessionDelegate.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeManagementTest.java
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/NodeImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/NodeImpl.java?rev=1478813&r1=1478812&r2=1478813&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/NodeImpl.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/NodeImpl.java Fri May 3 14:36:12 2013
@@ -16,22 +16,11 @@
*/
package org.apache.jackrabbit.oak.jcr;
-import static com.google.common.base.Preconditions.checkNotNull;
-import static java.util.Collections.singleton;
-import static javax.jcr.Property.JCR_LOCK_IS_DEEP;
-import static javax.jcr.Property.JCR_LOCK_OWNER;
-import static javax.jcr.PropertyType.UNDEFINED;
-import static org.apache.jackrabbit.JcrConstants.JCR_MIXINTYPES;
-import static org.apache.jackrabbit.JcrConstants.JCR_PRIMARYTYPE;
-import static org.apache.jackrabbit.oak.api.Type.NAME;
-import static org.apache.jackrabbit.oak.api.Type.NAMES;
-
import java.io.InputStream;
import java.math.BigDecimal;
import java.util.Calendar;
import java.util.Iterator;
import java.util.Set;
-
import javax.annotation.Nonnull;
import javax.jcr.AccessDeniedException;
import javax.jcr.Binary;
@@ -91,6 +80,16 @@ import org.apache.jackrabbit.value.Value
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import static com.google.common.base.Preconditions.checkNotNull;
+import static java.util.Collections.singleton;
+import static javax.jcr.Property.JCR_LOCK_IS_DEEP;
+import static javax.jcr.Property.JCR_LOCK_OWNER;
+import static javax.jcr.PropertyType.UNDEFINED;
+import static org.apache.jackrabbit.JcrConstants.JCR_MIXINTYPES;
+import static org.apache.jackrabbit.JcrConstants.JCR_PRIMARYTYPE;
+import static org.apache.jackrabbit.oak.api.Type.NAME;
+import static org.apache.jackrabbit.oak.api.Type.NAMES;
+
/**
* TODO document
*
@@ -248,9 +247,9 @@ public class NodeImpl<T extends NodeDele
// check for NODE_TYPE_MANAGEMENT permission here as we cannot
// distinguish between user-supplied and system-generated
// modification of that property in the PermissionValidator
- if (oakTypeName != null &&
- !hasNtMgtPermission(JCR_PRIMARYTYPE, oakTypeName)) {
- throw new AccessDeniedException("Access denied.");
+ if (oakTypeName != null) {
+ PropertyState prop = PropertyStates.createProperty(JCR_PRIMARYTYPE, oakTypeName, NAME);
+ sessionContext.getAccessManager().checkPermissions(dlg.getTree(), prop, Permissions.NODE_TYPE_MANAGEMENT);
}
NodeDelegate added = parent.addChild(oakName, oakTypeName);
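Review bot: The NODE_TYPE_MANAGEMENT check is evaluated against `dlg.getTree()`, but the child is created under `parent` on the next line. If `parent` can be a different node than `dlg` (for example with a multi-segment relative path, which this hunk does not show), the permission is tested on a tree other than the one that receives the new `jcr:primaryType`. The removed `hasNtMgtPermission` helper behaved the same way, so this is carried over rather than introduced. Consider checking the tree the decision is meant for, e.g. `checkPermissions(parent.getTree(), prop, Permissions.NODE_TYPE_MANAGEMENT)`, assuming `NodeDelegate` exposes `getTree()` as `dlg` does. The enclosing method starts and ends outside the hunk.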
@@ -881,8 +880,8 @@ public class NodeImpl<T extends NodeDele
return perform(new ItemReadOperation<Boolean>() {
@Override
public Boolean perform() throws RepositoryException {
- return hasNtMgtPermission(JCR_MIXINTYPES, oakTypeName)
- && dlg.canAddMixin(oakTypeName);
+ PropertyState prop = PropertyStates.createProperty(JCR_MIXINTYPES, singleton(oakTypeName), NAMES);
+ return sessionContext.getAccessManager().hasPermissions(dlg.getTree(), prop, Permissions.NODE_TYPE_MANAGEMENT) && dlg.canAddMixin(oakTypeName);
}
});
}
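Review bot: The `PropertyState` for the node-type-management check is now built inline here and again in the `addNode` hunk, so the two call sites can drift apart in how they describe `jcr:mixinTypes` and `jcr:primaryType`. A small helper on `AccessManager` or in this class would keep the two constructions in one place. The combined `return` line is also long enough to hide the `&& dlg.canAddMixin(oakTypeName)` half of the decision; assigning the permission result to a local such as `boolean granted = ...;` and returning `granted && dlg.canAddMixin(oakTypeName)` would read more clearly.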
@@ -1365,21 +1364,4 @@ public class NodeImpl<T extends NodeDele
}
});
}
-
- // TODO: Move to NodeDelegate?
- private boolean hasNtMgtPermission(
- String oakPropertyName, String oakTypeName)
- throws RepositoryException {
- PropertyState property;
- if (JCR_MIXINTYPES.equals(oakPropertyName)) {
- property = PropertyStates.createProperty(
- oakPropertyName, singleton(oakTypeName), NAMES);
- } else {
- property = PropertyStates.createProperty(
- oakPropertyName, oakTypeName, NAME);
- }
- return sessionContext.getPermissionProvider().isGranted(
- dlg.getTree(), property, Permissions.NODE_TYPE_MANAGEMENT);
- }
-
}
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java?rev=1478813&r1=1478812&r2=1478813&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java Fri May 3 14:36:12 2013
@@ -16,12 +16,9 @@
*/
package org.apache.jackrabbit.oak.jcr;
-import static com.google.common.base.Preconditions.checkNotNull;
-
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
-
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.jcr.PathNotFoundException;
@@ -40,6 +37,7 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate;
+import org.apache.jackrabbit.oak.jcr.security.AccessManager;
import org.apache.jackrabbit.oak.namepath.LocalNameMapper;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.namepath.NamePathMapperImpl;
@@ -54,6 +52,8 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
+import static com.google.common.base.Preconditions.checkNotNull;
+
/**
* Instances of this class are passed to all JCR implementation classes
* (e.g. {@code SessionImpl}, {@code NodeImpl}, etc.) and provide access to
@@ -181,15 +181,6 @@ public abstract class SessionContext imp
}
@Nonnull
- public PermissionProvider getPermissionProvider() throws RepositoryException {
- if (permissionProvider == null) {
- SecurityProvider securityProvider = repository.getSecurityProvider();
- permissionProvider = securityProvider.getAccessControlConfiguration().getPermissionProvider(delegate.getRoot(), delegate.getAuthInfo().getPrincipals());
- }
- return permissionProvider;
- }
-
- @Nonnull
public PrincipalManager getPrincipalManager() {
if (principalManager == null) {
SecurityProvider securityProvider = repository.getSecurityProvider();
@@ -327,7 +318,11 @@ public abstract class SessionContext imp
}
}
- //------------------------------------------------------------< internal >---
+ //-----------------------------------------------------------< internal >---
+ @Nonnull
+ AccessManager getAccessManager() throws RepositoryException {
+ return new AccessManager(getPermissionProvider());
+ }
void dispose() {
if (observationManager != null) {
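Review bot: `getAccessManager()` allocates a new `AccessManager` on every call and declares `throws RepositoryException`, although neither the private `getPermissionProvider()` added at the end of this file nor the `AccessManager` constructor declares it. NodeImpl, SessionImpl and WorkspaceImpl call it once per operation, so caching the instance in a field would match the lazy pattern already used for `permissionProvider`: `if (accessManager == null) { accessManager = new AccessManager(getPermissionProvider()); }`. If the throws clause is kept for future use, say so in a Javadoc. Otherwise drop it so callers are not forced to handle an exception that cannot occur.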
@@ -345,4 +340,14 @@ public abstract class SessionContext imp
permissionProvider.refresh();
}
}
+
+ //------------------------------------------------------------< private >---
+ @Nonnull
+ private PermissionProvider getPermissionProvider() {
+ if (permissionProvider == null) {
+ SecurityProvider securityProvider = repository.getSecurityProvider();
+ permissionProvider = securityProvider.getAccessControlConfiguration().getPermissionProvider(delegate.getRoot(), delegate.getAuthInfo().getPrincipals());
+ }
+ return permissionProvider;
+ }
}
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java?rev=1478813&r1=1478812&r2=1478813&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java Fri May 3 14:36:12 2013
@@ -19,7 +19,6 @@ package org.apache.jackrabbit.oak.jcr;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.jcr.AccessDeniedException;
@@ -339,7 +338,7 @@ public class SessionImpl implements Jack
public Void perform() throws RepositoryException {
sd.move(
getOakPathOrThrowNotFound(srcAbsPath),
- getOakPathOrThrowNotFound(destAbsPath), true);
+ getOakPathOrThrowNotFound(destAbsPath), true, sessionContext.getAccessManager());
return null;
}
});
@@ -542,7 +541,7 @@ public class SessionImpl implements Jack
@Override
protected Boolean perform() throws RepositoryException {
String oakPath = getOakPathOrThrow(absPath);
- return sessionContext.getPermissionProvider().isGranted(oakPath, actions);
+ return sessionContext.getAccessManager().hasPermissions(oakPath, actions);
}
});
}
@@ -550,7 +549,7 @@ public class SessionImpl implements Jack
@Override
public void checkPermission(String absPath, String actions) throws RepositoryException {
if (!hasPermission(absPath, actions)) {
- throw new AccessControlException("Access control violation: path = " + absPath + ", actions = " + actions);
+ throw new AccessControlException("Access denied.");
}
}
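Review bot: The new message `"Access denied."` no longer carries `absPath` and `actions`. That keeps path details out of an exception that may reach the caller, but it leaves nothing to diagnose a denied check with. If the reduction is intentional, a debug-level log of both values before the throw would keep the diagnostics on the server side, assuming this class has a logger, which the hunk does not show. The literal also duplicates the one used in the new `AccessManager`, so a shared constant would keep the two messages identical.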
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/WorkspaceImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/WorkspaceImpl.java?rev=1478813&r1=1478812&r2=1478813&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/WorkspaceImpl.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/WorkspaceImpl.java Fri May 3 14:36:12 2013
@@ -16,11 +16,8 @@
*/
package org.apache.jackrabbit.oak.jcr;
-import static org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants.NODE_TYPES_PATH;
-
import java.io.IOException;
import java.io.InputStream;
-
import javax.annotation.Nonnull;
import javax.jcr.NamespaceRegistry;
import javax.jcr.PathNotFoundException;
@@ -50,6 +47,8 @@ import org.apache.jackrabbit.util.Text;
import org.xml.sax.ContentHandler;
import org.xml.sax.InputSource;
+import static org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants.NODE_TYPES_PATH;
+
/**
* TODO document
*/
@@ -136,7 +135,8 @@ public class WorkspaceImpl implements Ja
sessionDelegate.copy(
getOakPathOrThrowNotFound(srcAbsPath),
- getOakPathOrThrowNotFound(destAbsPath));
+ getOakPathOrThrowNotFound(destAbsPath),
+ sessionContext.getAccessManager());
}
@Override
@@ -164,7 +164,7 @@ public class WorkspaceImpl implements Ja
sessionDelegate.move(
getOakPathOrThrowNotFound(srcAbsPath),
getOakPathOrThrowNotFound(destAbsPath),
- false);
+ false, sessionContext.getAccessManager());
}
@Override
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/SessionDelegate.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/SessionDelegate.java?rev=1478813&r1=1478812&r2=1478813&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/SessionDelegate.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/SessionDelegate.java Fri May 3 14:36:12 2013
@@ -16,10 +16,7 @@
*/
package org.apache.jackrabbit.oak.jcr.delegate;
-import static com.google.common.base.Preconditions.checkNotNull;
-
import java.io.IOException;
-
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.jcr.AccessDeniedException;
@@ -41,13 +38,18 @@ import org.apache.jackrabbit.oak.api.Roo
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.core.IdentifierManager;
+import org.apache.jackrabbit.oak.jcr.security.AccessManager;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import static com.google.common.base.Preconditions.checkNotNull;
+
/**
* TODO document
*/
public class SessionDelegate {
+
static final Logger log = LoggerFactory.getLogger(SessionDelegate.class);
private final ContentSession contentSession;
@@ -216,7 +218,7 @@ public class SessionDelegate {
* @param destPath oak path to the destination
* @throws RepositoryException
*/
- public void copy(String srcPath, String destPath) throws RepositoryException {
+ public void copy(String srcPath, String destPath, AccessManager accessManager) throws RepositoryException {
// check destination
Tree dest = root.getTree(destPath);
if (dest.exists()) {
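Review bot: The Javadoc above `copy` is not updated for the new `accessManager` parameter, and the parameter is dereferenced further down without a null check. Add `@param accessManager the access manager used to check permissions at the destination` and annotate the parameter `@Nonnull`, as the other signatures in this commit do. The same applies to the changed `move` signature in the later hunk. The method body continues outside this hunk.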
@@ -236,6 +238,8 @@ public class SessionDelegate {
throw new PathNotFoundException(srcPath);
}
+ accessManager.checkPermissions(destPath, Permissions.getString(Permissions.NODE_TYPE_MANAGEMENT));
+
try {
Root currentRoot = contentSession.getLatestRoot();
currentRoot.copy(srcPath, destPath);
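Review bot: The check passes `Permissions.getString(Permissions.NODE_TYPE_MANAGEMENT)` into a parameter that `AccessManager` names `actions`, so a permission constant is converted to a string and parsed again by the provider. Whether `isGranted(String, String)` accepts permission names as well as JCR action names is not visible here. A path-based overload that takes the `long` permission would avoid the round trip and keep the check type-safe. The check also runs before `contentSession.getLatestRoot()` is obtained, so it is presumably evaluated against the root the PermissionProvider was created with rather than the root the copy runs on; a comment stating that this is intended would help. The same line is added to `move` in the later hunk of this file.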
@@ -252,7 +256,7 @@ public class SessionDelegate {
* @param transientOp whether or not to perform the move in transient space
* @throws RepositoryException
*/
- public void move(String srcPath, String destPath, boolean transientOp)
+ public void move(String srcPath, String destPath, boolean transientOp, AccessManager accessManager)
throws RepositoryException {
Root moveRoot = transientOp ? root : contentSession.getLatestRoot();
@@ -276,6 +280,8 @@ public class SessionDelegate {
throw new PathNotFoundException(srcPath);
}
+ accessManager.checkPermissions(destPath, Permissions.getString(Permissions.NODE_TYPE_MANAGEMENT));
+
try {
moveRoot.move(srcPath, destPath);
if (!transientOp) {
@@ -306,8 +312,7 @@ public class SessionDelegate {
* @param exception typed commit failure exception
* @return matching repository exception
*/
- private static RepositoryException newRepositoryException(
- CommitFailedException exception) {
+ private static RepositoryException newRepositoryException(CommitFailedException exception) {
checkNotNull(exception);
if (exception.isConstraintViolation()) {
return new ConstraintViolationException(exception);
Added: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/AccessManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/AccessManager.java?rev=1478813&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/AccessManager.java (added)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/AccessManager.java Fri May 3 14:36:12 2013
@@ -0,0 +1,58 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.jcr.AccessDeniedException;
+import javax.jcr.RepositoryException;
+
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
+
+/**
+ * AccessManager
+ */
+public class AccessManager {
+
+ private final PermissionProvider permissionProvider;
+
+ public AccessManager(@Nonnull PermissionProvider permissionProvider) {
+ this.permissionProvider = permissionProvider;
+ }
+
+ public boolean hasPermissions(@Nonnull String oakPath, @Nonnull String actions) {
+ return permissionProvider.isGranted(oakPath, actions);
+ }
+
+ public boolean hasPermissions(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) throws RepositoryException {
+ return permissionProvider.isGranted(tree, property, permissions);
+ }
+
+ public void checkPermissions(@Nonnull String oakPath, @Nonnull String actions) throws RepositoryException {
+ if (!hasPermissions(oakPath, actions)) {
+ throw new AccessDeniedException("Access denied.");
+ }
+ }
+
+ public void checkPermissions(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) throws RepositoryException {
+ if (!hasPermissions(tree, property, permissions)) {
+ throw new AccessDeniedException("Access denied.");
+ }
+ }
+}
\ No newline at end of file
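Review bot: This class is now where a failed permission check becomes an `AccessDeniedException`, yet its Javadoc is only the class name and none of the four methods is documented. I would add a class comment saying that it evaluates permissions by delegating to the session's `PermissionProvider`, and that the `check*` methods throw where the `has*` methods return false. The path-based overloads should also document what `actions` may contain, since SessionDelegate passes a permission name rather than a JCR action string. The constructor argument is annotated `@Nonnull` but not enforced; `this.permissionProvider = checkNotNull(permissionProvider);` (Guava `Preconditions`, as used elsewhere in this commit) would fail at construction rather than at the first check.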
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeManagementTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeManagementTest.java?rev=1478813&r1=1478812&r2=1478813&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeManagementTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeManagementTest.java Fri May 3 14:36:12 2013
@@ -183,7 +183,6 @@ public class NodeTypeManagementTest exte
}
}
- @Ignore("OAK-711") // FIXME
@Test
public void testCopy() throws Exception {
Workspace wsp = testSession.getWorkspace();
@@ -212,7 +211,6 @@ public class NodeTypeManagementTest exte
wsp.copy(srcPath, destPath);
}
- @Ignore("OAK-711") // FIXME
@Test
public void testWorkspaceMove() throws Exception {
Workspace wsp = testSession.getWorkspace();
@@ -241,7 +239,6 @@ public class NodeTypeManagementTest exte
wsp.move(srcPath, destPath);
}
- @Ignore("OAK-711") // FIXME
@Test
public void testSessionMove() throws Exception {
String parentPath = childNode.getParent().getPath();