You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/02/20 14:17:44 UTC
svn commit: r1448152 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/
main/java/org/apache/jackrabbit/oak/security/authorization/permission/
main/java/org/apache/jackrabbit/oak/security/privilege/ tes...
Author: angela
Date: Wed Feb 20 13:17:43 2013
New Revision: 1448152
URL: http://svn.apache.org/r1448152
Log:
OAK-64: privilege mgt (split privilegebits handling from definition reading/writing)
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProvider.java
- copied, changed from r1447803, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStore.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProviderTest.java
- copied, changed from r1447798, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStoreTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java
Removed:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStore.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStoreTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java Wed Feb 20 13:17:43 2013
@@ -40,7 +40,7 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
-import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.ACE;
import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlList;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
@@ -72,7 +72,7 @@ abstract class ACL extends AbstractAcces
abstract PrivilegeManager getPrivilegeManager();
- abstract PrivilegeDefinitionStore getPrivilegeStore();
+ abstract PrivilegeBitsProvider getPrivilegeBitsProvider();
//------------------------------------------< AbstractAccessControlList >---
@Nonnull
@@ -236,7 +236,7 @@ abstract class ACL extends AbstractAcces
private Set<Privilege> getPrivileges(PrivilegeBits bits) throws RepositoryException {
Set<Privilege> privileges = new HashSet<Privilege>();
- for (String name : getPrivilegeStore().getPrivilegeNames(bits)) {
+ for (String name : getPrivilegeBitsProvider().getPrivilegeNames(bits)) {
privileges.add(getPrivilegeManager().getPrivilege(name));
}
return privileges;
@@ -245,7 +245,7 @@ abstract class ACL extends AbstractAcces
private PrivilegeBits getPrivilegeBits(ACE entry) {
PrivilegeBits bits = PrivilegeBits.getInstance();
for (Privilege privilege : entry.getPrivileges()) {
- bits.add(getPrivilegeStore().getBits(privilege.getName()));
+ bits.add(getPrivilegeBitsProvider().getBits(privilege.getName()));
}
return bits;
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Wed Feb 20 13:17:43 2013
@@ -62,7 +62,7 @@ import org.apache.jackrabbit.oak.plugins
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.security.authorization.restriction.PrincipalRestrictionProvider;
import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
-import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.ACE;
import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
@@ -616,8 +616,8 @@ public class AccessControlManagerImpl im
}
@Override
- PrivilegeDefinitionStore getPrivilegeStore() {
- return new PrivilegeDefinitionStore(root);
+ PrivilegeBitsProvider getPrivilegeBitsProvider() {
+ return new PrivilegeBitsProvider(root);
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java Wed Feb 20 13:17:43 2013
@@ -35,7 +35,7 @@ import org.apache.jackrabbit.oak.plugins
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
-import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.commit.CommitHook;
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.oak.spi.state.NodeState;
@@ -70,9 +70,9 @@ public class PermissionHook implements C
NodeBuilder permissionRoot = getPermissionRoot(rootAfter, workspaceName);
ReadOnlyNodeTypeManager ntMgr = ReadOnlyNodeTypeManager.getInstance(before);
- PrivilegeDefinitionStore privilegeStore = new PrivilegeDefinitionStore(new ReadOnlyRoot(before));
+ PrivilegeBitsProvider bitsProvider = new PrivilegeBitsProvider(new ReadOnlyRoot(before));
- after.compareAgainstBaseState(before, new Diff(new BeforeNode(before), new Node(rootAfter), permissionRoot, privilegeStore, ntMgr));
+ after.compareAgainstBaseState(before, new Diff(new BeforeNode(before), new Node(rootAfter), permissionRoot, bitsProvider, ntMgr));
return rootAfter.getNodeState();
}
@@ -110,17 +110,17 @@ public class PermissionHook implements C
private final BeforeNode parentBefore;
private final Node parentAfter;
private final NodeBuilder permissionRoot;
- private final PrivilegeDefinitionStore privilegeStore;
+ private final PrivilegeBitsProvider bitsProvider;
private final ReadOnlyNodeTypeManager ntMgr;
private Diff(@Nonnull BeforeNode parentBefore, @Nonnull Node parentAfter,
@Nonnull NodeBuilder permissionRoot,
- @Nonnull PrivilegeDefinitionStore privilegeStore,
+ @Nonnull PrivilegeBitsProvider bitsProvider,
@Nonnull ReadOnlyNodeTypeManager ntMgr) {
this.parentBefore = parentBefore;
this.parentAfter = parentAfter;
this.permissionRoot = permissionRoot;
- this.privilegeStore = privilegeStore;
+ this.bitsProvider = bitsProvider;
this.ntMgr = ntMgr;
}
@@ -148,7 +148,7 @@ public class PermissionHook implements C
} else {
BeforeNode before = new BeforeNode(parentBefore.getPath(), name, MemoryNodeState.EMPTY_NODE);
Node node = new Node(parentAfter, name);
- after.compareAgainstBaseState(before.getNodeState(), new Diff(before, node, permissionRoot, privilegeStore, ntMgr));
+ after.compareAgainstBaseState(before.getNodeState(), new Diff(before, node, permissionRoot, bitsProvider, ntMgr));
}
}
@@ -161,7 +161,7 @@ public class PermissionHook implements C
} else {
BeforeNode nodeBefore = new BeforeNode(parentBefore.getPath(), name, before);
Node nodeAfter = new Node(parentAfter, name);
- after.compareAgainstBaseState(before, new Diff(nodeBefore, nodeAfter, permissionRoot, privilegeStore, ntMgr));
+ after.compareAgainstBaseState(before, new Diff(nodeBefore, nodeAfter, permissionRoot, bitsProvider, ntMgr));
}
}
@@ -172,7 +172,7 @@ public class PermissionHook implements C
} else {
BeforeNode nodeBefore = new BeforeNode(parentBefore.getPath(), name, before);
Node after = new Node(parentAfter.getPath(), name, MemoryNodeState.EMPTY_NODE);
- after.getNodeState().compareAgainstBaseState(before, new Diff(nodeBefore, after, permissionRoot, privilegeStore, ntMgr));
+ after.getNodeState().compareAgainstBaseState(before, new Diff(nodeBefore, after, permissionRoot, bitsProvider, ntMgr));
}
}
@@ -234,7 +234,7 @@ public class PermissionHook implements C
private Entry createEntry(String name, NodeState ace, BaseNode acl) {
Tree aceTree = getTree(name, ace);
String principalName = checkNotNull(TreeUtil.getString(aceTree, REP_PRINCIPAL_NAME));
- PrivilegeBits privilegeBits = privilegeStore.getBits(TreeUtil.getString(aceTree, REP_PRIVILEGES));
+ PrivilegeBits privilegeBits = bitsProvider.getBits(TreeUtil.getString(aceTree, REP_PRIVILEGES));
boolean isAllow = NT_REP_GRANT_ACE.equals(TreeUtil.getPrimaryTypeName(aceTree));
// TODO: respect restrictions
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java Wed Feb 20 13:17:43 2013
@@ -37,7 +37,7 @@ import org.apache.jackrabbit.oak.securit
import org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl;
import org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions;
import org.apache.jackrabbit.oak.security.authorization.permission.NoPermissions;
-import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
@@ -81,8 +81,7 @@ public class PermissionProviderImpl impl
if (permissionsTree == null) {
compiledPermissions = NoPermissions.getInstance();
} else {
- PrivilegeDefinitionStore privilegeStore = new PrivilegeDefinitionStore(this.root);
- compiledPermissions = new CompiledPermissionImpl(principals, privilegeStore, permissionsTree);
+ compiledPermissions = new CompiledPermissionImpl(principals, new PrivilegeBitsProvider(this.root), permissionsTree);
}
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Wed Feb 20 13:17:43 2013
@@ -31,7 +31,7 @@ import org.apache.jackrabbit.oak.api.Typ
import org.apache.jackrabbit.oak.core.ReadOnlyTree;
import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
-import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
import org.apache.jackrabbit.util.Text;
@@ -43,16 +43,16 @@ import static com.google.common.base.Pre
public class CompiledPermissionImpl implements CompiledPermissions, AccessControlConstants {
private final Set<Principal> principals;
- private final PrivilegeDefinitionStore privilegeStore;
+ private final PrivilegeBitsProvider bitsProvider;
private final Map<Key, Entry> userEntries;
private final Map<Key, Entry> groupEntries;
public CompiledPermissionImpl(@Nonnull Set<Principal> principals,
- @Nonnull PrivilegeDefinitionStore privilegeStore,
+ @Nonnull PrivilegeBitsProvider bitsProvider,
@Nonnull ReadOnlyTree permissionsTree) {
this.principals = checkNotNull(principals);
- this.privilegeStore = privilegeStore;
+ this.bitsProvider = bitsProvider;
EntriesBuilder builder = new EntriesBuilder();
for (Principal principal : principals) {
@@ -99,12 +99,12 @@ public class CompiledPermissionImpl impl
@Override
public Set<String> getPrivileges(@Nullable Tree tree) {
- return privilegeStore.getPrivilegeNames(getPrivilegeBits(tree));
+ return bitsProvider.getPrivilegeNames(getPrivilegeBits(tree));
}
@Override
public boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames) {
- return getPrivilegeBits(tree).includes(privilegeStore.getBits(privilegeNames));
+ return getPrivilegeBits(tree).includes(bitsProvider.getBits(privilegeNames));
}
//------------------------------------------------------------< private >---
Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProvider.java (from r1447803, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStore.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProvider.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProvider.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStore.java&r1=1447803&r2=1448152&rev=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStore.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProvider.java Wed Feb 20 13:17:43 2013
@@ -16,27 +16,17 @@
*/
package org.apache.jackrabbit.oak.security.privilege;
-import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
-import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
-import javax.jcr.RepositoryException;
-import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
-import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
-import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
-import org.apache.jackrabbit.oak.util.NodeUtil;
-import org.apache.jackrabbit.oak.util.TreeUtil;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import static com.google.common.base.Preconditions.checkNotNull;
@@ -44,38 +34,14 @@ import static com.google.common.base.Pre
* Reads and writes privilege definitions from and to the repository content
* without applying any validation.
*/
-public class PrivilegeDefinitionStore implements PrivilegeConstants {
-
- private static final Logger log = LoggerFactory.getLogger(PrivilegeDefinitionStore.class);
-
- /**
- * The internal names of all built-in privileges that are not aggregates.
- */
- private static final String[] NON_AGGR_PRIVILEGES = new String[]{
- REP_READ_NODES, REP_READ_PROPERTIES,
- REP_ADD_PROPERTIES, REP_ALTER_PROPERTIES, REP_REMOVE_PROPERTIES,
- JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE,
- JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL, JCR_NODE_TYPE_MANAGEMENT,
- JCR_VERSION_MANAGEMENT, JCR_LOCK_MANAGEMENT, JCR_LIFECYCLE_MANAGEMENT,
- JCR_RETENTION_MANAGEMENT, JCR_WORKSPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT,
- JCR_NAMESPACE_MANAGEMENT, REP_PRIVILEGE_MANAGEMENT, REP_USER_MANAGEMENT};
-
- /**
- * The internal names and aggregation definition of all built-in privileges
- * that are aggregates (except for jcr:all).
- */
- private static final Map<String, String[]> AGGREGATE_PRIVILEGES = ImmutableMap.of(
- JCR_READ, new String[]{REP_READ_NODES, REP_READ_PROPERTIES},
- JCR_MODIFY_PROPERTIES, new String[]{REP_ADD_PROPERTIES, REP_ALTER_PROPERTIES, REP_REMOVE_PROPERTIES},
- JCR_WRITE, new String[]{JCR_MODIFY_PROPERTIES, JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE},
- REP_WRITE, new String[]{JCR_WRITE, JCR_NODE_TYPE_MANAGEMENT});
+public final class PrivilegeBitsProvider implements PrivilegeConstants {
private final Root root;
private final Map<PrivilegeBits, Set<String>> bitsToNames = new HashMap<PrivilegeBits, Set<String>>();
private PrivilegeBits next;
- public PrivilegeDefinitionStore(Root root) {
+ public PrivilegeBitsProvider(Root root) {
this.root = root;
Tree privilegesTree = getPrivilegesTree();
if (privilegesTree != null && privilegesTree.hasProperty(REP_NEXT)) {
@@ -96,6 +62,18 @@ public class PrivilegeDefinitionStore im
return root.getTree(PRIVILEGES_PATH);
}
+ @Nonnull
+ PrivilegeBits getNext() {
+ return next;
+ }
+
+ @Nonnull
+ PrivilegeBits next() {
+ PrivilegeBits bits = next;
+ next = bits.nextBits();
+ return bits;
+ }
+
/**
* @param privilegeNames
* @return
@@ -158,7 +136,7 @@ public class PrivilegeDefinitionStore im
if (privilegeBits.includes(bits)) {
privilegeNames.add(child.getName());
if (child.hasProperty(REP_AGGREGATES)) {
- aggregates.addAll(readDefinition(child).getDeclaredAggregateNames());
+ aggregates.addAll(PrivilegeDefinitionReader.readDefinition(child).getDeclaredAggregateNames());
}
}
}
@@ -168,153 +146,4 @@ public class PrivilegeDefinitionStore im
return privilegeNames;
}
}
-
- /**
- * Read all registered privilege definitions from the content.
- *
- * @return All privilege definitions stored in the content.
- */
- @Nonnull
- public Map<String, PrivilegeDefinition> readDefinitions() {
- Tree privilegesTree = getPrivilegesTree();
- if (privilegesTree == null) {
- return Collections.emptyMap();
- } else {
- Map<String, PrivilegeDefinition> definitions = new HashMap<String, PrivilegeDefinition>();
- for (Tree child : privilegesTree.getChildren()) {
- PrivilegeDefinition def = readDefinition(child);
- definitions.put(def.getName(), def);
- }
- return definitions;
- }
- }
-
- /**
- * Retrieve the privilege definition with the specified {@code privilegeName}.
- *
- * @param privilegeName The name of a registered privilege definition.
- * @return The privilege definition with the specified name or {@code null}
- * if the name doesn't refer to a registered privilege.
- */
- @CheckForNull
- public PrivilegeDefinition readDefinition(String privilegeName) {
- Tree privilegesTree = getPrivilegesTree();
- if (privilegesTree == null) {
- return null;
- } else {
- Tree definitionTree = privilegesTree.getChild(privilegeName);
- return (definitionTree == null) ? null : readDefinition(definitionTree);
- }
- }
-
- /**
- * @param definitionTree
- * @return
- */
- @Nonnull
- static PrivilegeDefinition readDefinition(@Nonnull Tree definitionTree) {
- String name = definitionTree.getName();
- boolean isAbstract = TreeUtil.getBoolean(definitionTree, REP_IS_ABSTRACT);
- String[] declAggrNames = TreeUtil.getStrings(definitionTree, REP_AGGREGATES);
-
- return new PrivilegeDefinitionImpl(name, isAbstract, declAggrNames);
- }
-
- /**
- * Write the given privilege definition to the repository content.
- *
- * @param definition The new privilege definition.
- * @throws RepositoryException If the definition can't be written.
- */
- public void writeDefinition(PrivilegeDefinition definition) throws RepositoryException {
- writeDefinitions(Collections.singleton(definition));
- }
-
- /**
- * Create the built-in privilege definitions during repository setup.
- *
- * @throws RepositoryException If an error occurs.
- */
- void writeBuiltInDefinitions() throws RepositoryException {
- writeDefinitions(getBuiltInDefinitions());
- }
-
- //------------------------------------------------------------< private >---
-
- /**
- * @param definitions
- * @throws RepositoryException
- */
- private void writeDefinitions(Iterable<PrivilegeDefinition> definitions) throws RepositoryException {
- try {
- // make sure the privileges path is defined
- Tree privilegesTree = getPrivilegesTree();
- if (privilegesTree == null) {
- throw new RepositoryException("Privilege store does not exist.");
- }
- NodeUtil privilegesNode = new NodeUtil(getPrivilegesTree());
- for (PrivilegeDefinition definition : definitions) {
- if (privilegesNode.hasChild(definition.getName())) {
- throw new RepositoryException("Privilege definition with name '" + definition.getName() + "' already exists.");
- }
- writePrivilegeNode(privilegesNode, definition);
- }
- /*
- update the property storing the next privilege bits with the
- privileges root tree. this is a cheap way to detect collisions that
- may arise from concurrent registration of custom privileges.
- */
- next.writeTo(privilegesTree);
-
- // delegate validation to the commit validation (see above)
- root.commit();
-
- } catch (CommitFailedException e) {
- Throwable t = e.getCause();
- if (t instanceof RepositoryException) {
- throw (RepositoryException) t;
- } else {
- throw new RepositoryException(e);
- }
- }
- }
-
- private void writePrivilegeNode(NodeUtil privilegesNode, PrivilegeDefinition definition) {
- String name = definition.getName();
- NodeUtil privNode = privilegesNode.addChild(name, NT_REP_PRIVILEGE);
- if (definition.isAbstract()) {
- privNode.setBoolean(REP_IS_ABSTRACT, true);
- }
- String[] declAggrNames = definition.getDeclaredAggregateNames().toArray(new String[definition.getDeclaredAggregateNames().size()]);
- boolean isAggregate = declAggrNames.length > 0;
- if (isAggregate) {
- privNode.setNames(REP_AGGREGATES, declAggrNames);
- }
-
- PrivilegeBits bits;
- if (PrivilegeBits.BUILT_IN.containsKey(name)) {
- bits = PrivilegeBits.BUILT_IN.get(name);
- } else if (isAggregate) {
- bits = getBits(declAggrNames);
- } else {
- bits = next;
- next = bits.nextBits();
- }
- bits.writeTo(privNode.getTree());
- }
-
- private static Collection<PrivilegeDefinition> getBuiltInDefinitions() {
- Map<String, PrivilegeDefinition> definitions = new LinkedHashMap<String, PrivilegeDefinition>();
- for (String privilegeName : NON_AGGR_PRIVILEGES) {
- PrivilegeDefinition def = new PrivilegeDefinitionImpl(privilegeName, false);
- definitions.put(privilegeName, def);
- }
- for (String privilegeName : AGGREGATE_PRIVILEGES.keySet()) {
- PrivilegeDefinition def = new PrivilegeDefinitionImpl(privilegeName, false, AGGREGATE_PRIVILEGES.get(privilegeName));
- definitions.put(privilegeName, def);
- }
- PrivilegeDefinition all = new PrivilegeDefinitionImpl(JCR_ALL, false, definitions.keySet());
- definitions.put(JCR_ALL, all);
- return definitions.values();
- }
}
Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java?rev=1448152&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java Wed Feb 20 13:17:43 2013
@@ -0,0 +1,90 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.privilege;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
+
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
+import org.apache.jackrabbit.oak.util.TreeUtil;
+
+/**
+ * Reads privilege definitions from the repository content without applying
+ * any validation.
+ */
+class PrivilegeDefinitionReader implements PrivilegeConstants {
+
+ private final Tree privilegesTree;
+
+ PrivilegeDefinitionReader(@Nonnull Root root) {
+ this.privilegesTree = root.getTree(PRIVILEGES_PATH);
+ }
+
+ /**
+ * Read all registered privilege definitions from the content.
+ *
+ * @return All privilege definitions stored in the content.
+ */
+ @Nonnull
+ Map<String, PrivilegeDefinition> readDefinitions() {
+ if (privilegesTree == null) {
+ return Collections.emptyMap();
+ } else {
+ Map<String, PrivilegeDefinition> definitions = new HashMap<String, PrivilegeDefinition>();
+ for (Tree child : privilegesTree.getChildren()) {
+ PrivilegeDefinition def = readDefinition(child);
+ definitions.put(def.getName(), def);
+ }
+ return definitions;
+ }
+ }
+
+ /**
+ * Retrieve the privilege definition with the specified {@code privilegeName}.
+ *
+ * @param privilegeName The name of a registered privilege definition.
+ * @return The privilege definition with the specified name or {@code null}
+ * if the name doesn't refer to a registered privilege.
+ */
+ @CheckForNull
+ PrivilegeDefinition readDefinition(String privilegeName) {
+ if (privilegesTree == null) {
+ return null;
+ } else {
+ Tree definitionTree = privilegesTree.getChild(privilegeName);
+ return (definitionTree == null) ? null : readDefinition(definitionTree);
+ }
+ }
+
+ /**
+ * @param definitionTree
+ * @return
+ */
+ @Nonnull
+ static PrivilegeDefinition readDefinition(@Nonnull Tree definitionTree) {
+ String name = definitionTree.getName();
+ boolean isAbstract = TreeUtil.getBoolean(definitionTree, REP_IS_ABSTRACT);
+ String[] declAggrNames = TreeUtil.getStrings(definitionTree, REP_AGGREGATES);
+
+ return new PrivilegeDefinitionImpl(name, isAbstract, declAggrNames);
+ }
+}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java?rev=1448152&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java Wed Feb 20 13:17:43 2013
@@ -0,0 +1,164 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.privilege;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import javax.jcr.RepositoryException;
+
+import com.google.common.collect.ImmutableMap;
+import org.apache.jackrabbit.oak.api.CommitFailedException;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+
+/**
+ * PrivilegeDefinitionWriter is responsible for writing privilege definitions
+ * to the repository without applying any validation checks.
+ */
+class PrivilegeDefinitionWriter implements PrivilegeConstants {
+
+ /**
+ * The internal names of all built-in privileges that are not aggregates.
+ */
+ private static final String[] NON_AGGR_PRIVILEGES = new String[]{
+ REP_READ_NODES, REP_READ_PROPERTIES,
+ REP_ADD_PROPERTIES, REP_ALTER_PROPERTIES, REP_REMOVE_PROPERTIES,
+ JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE,
+ JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL, JCR_NODE_TYPE_MANAGEMENT,
+ JCR_VERSION_MANAGEMENT, JCR_LOCK_MANAGEMENT, JCR_LIFECYCLE_MANAGEMENT,
+ JCR_RETENTION_MANAGEMENT, JCR_WORKSPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT,
+ JCR_NAMESPACE_MANAGEMENT, REP_PRIVILEGE_MANAGEMENT, REP_USER_MANAGEMENT};
+
+ /**
+ * The internal names and aggregation definition of all built-in privileges
+ * that are aggregates (except for jcr:all).
+ */
+ private static final Map<String, String[]> AGGREGATE_PRIVILEGES = ImmutableMap.of(
+ JCR_READ, new String[]{REP_READ_NODES, REP_READ_PROPERTIES},
+ JCR_MODIFY_PROPERTIES, new String[]{REP_ADD_PROPERTIES, REP_ALTER_PROPERTIES, REP_REMOVE_PROPERTIES},
+ JCR_WRITE, new String[]{JCR_MODIFY_PROPERTIES, JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE},
+ REP_WRITE, new String[]{JCR_WRITE, JCR_NODE_TYPE_MANAGEMENT});
+
+ private final Root root;
+ private final PrivilegeBitsProvider bitsMgr;
+
+ PrivilegeDefinitionWriter(Root root) {
+ this.root = root;
+ this.bitsMgr = new PrivilegeBitsProvider(root);
+ }
+
+ /**
+ * Write the given privilege definition to the repository content.
+ *
+ * @param definition The new privilege definition.
+ * @throws RepositoryException If the definition can't be written.
+ */
+ void writeDefinition(PrivilegeDefinition definition) throws RepositoryException {
+ writeDefinitions(Collections.singleton(definition));
+ }
+
+ /**
+ * Create the built-in privilege definitions during repository setup.
+ *
+ * @throws RepositoryException If an error occurs.
+ */
+ void writeBuiltInDefinitions() throws RepositoryException {
+ writeDefinitions(getBuiltInDefinitions());
+ }
+
+ //--------------------------------------------------------------------------
+
+ /**
+ * @param definitions
+ * @throws RepositoryException
+ */
+ private void writeDefinitions(Iterable<PrivilegeDefinition> definitions) throws RepositoryException {
+ try {
+ // make sure the privileges path is defined
+ Tree privilegesTree = root.getTree(PRIVILEGES_PATH);
+ if (privilegesTree == null) {
+ throw new RepositoryException("Privilege store does not exist.");
+ }
+ NodeUtil privilegesNode = new NodeUtil(privilegesTree);
+ for (PrivilegeDefinition definition : definitions) {
+ if (privilegesNode.hasChild(definition.getName())) {
+ throw new RepositoryException("Privilege definition with name '" + definition.getName() + "' already exists.");
+ }
+ writePrivilegeNode(privilegesNode, definition);
+ }
+ /*
+ update the property storing the next privilege bits with the
+ privileges root tree. this is a cheap way to detect collisions that
+ may arise from concurrent registration of custom privileges.
+ */
+ bitsMgr.getNext().writeTo(privilegesTree);
+
+ // delegate validation to the commit validation (see above)
+ root.commit();
+
+ } catch (CommitFailedException e) {
+ Throwable t = e.getCause();
+ if (t instanceof RepositoryException) {
+ throw (RepositoryException) t;
+ } else {
+ throw new RepositoryException(e);
+ }
+ }
+ }
+
+ private void writePrivilegeNode(NodeUtil privilegesNode, PrivilegeDefinition definition) {
+ String name = definition.getName();
+ NodeUtil privNode = privilegesNode.addChild(name, NT_REP_PRIVILEGE);
+ if (definition.isAbstract()) {
+ privNode.setBoolean(REP_IS_ABSTRACT, true);
+ }
+ String[] declAggrNames = definition.getDeclaredAggregateNames().toArray(new String[definition.getDeclaredAggregateNames().size()]);
+ boolean isAggregate = declAggrNames.length > 0;
+ if (isAggregate) {
+ privNode.setNames(REP_AGGREGATES, declAggrNames);
+ }
+
+ PrivilegeBits bits;
+ if (PrivilegeBits.BUILT_IN.containsKey(name)) {
+ bits = PrivilegeBits.BUILT_IN.get(name);
+ } else if (isAggregate) {
+ bits = bitsMgr.getBits(declAggrNames);
+ } else {
+ bits = bitsMgr.next();
+ }
+ bits.writeTo(privNode.getTree());
+ }
+
+ private static Collection<PrivilegeDefinition> getBuiltInDefinitions() {
+ Map<String, PrivilegeDefinition> definitions = new LinkedHashMap<String, PrivilegeDefinition>();
+ for (String privilegeName : NON_AGGR_PRIVILEGES) {
+ PrivilegeDefinition def = new PrivilegeDefinitionImpl(privilegeName, false);
+ definitions.put(privilegeName, def);
+ }
+ for (String privilegeName : AGGREGATE_PRIVILEGES.keySet()) {
+ PrivilegeDefinition def = new PrivilegeDefinitionImpl(privilegeName, false, AGGREGATE_PRIVILEGES.get(privilegeName));
+ definitions.put(privilegeName, def);
+ }
+ PrivilegeDefinition all = new PrivilegeDefinitionImpl(JCR_ALL, false, definitions.keySet());
+ definitions.put(JCR_ALL, all);
+ return definitions.values();
+ }
+}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java Wed Feb 20 13:17:43 2013
@@ -65,7 +65,7 @@ class PrivilegeInitializer implements Re
}
try {
- new PrivilegeDefinitionStore(new RootImpl(store)).writeBuiltInDefinitions();
+ new PrivilegeDefinitionWriter(new RootImpl(store)).writeBuiltInDefinitions();
} catch (RepositoryException e) {
log.error("Failed to register built-in privileges", e);
throw new RuntimeException(e);
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java Wed Feb 20 13:17:43 2013
@@ -82,8 +82,8 @@ public class PrivilegeManagerImpl implem
throw new RepositoryException("Invalid privilege name " + privilegeName);
}
PrivilegeDefinitionImpl definition = new PrivilegeDefinitionImpl(getOakName(privilegeName), isAbstract, getOakNames(declaredAggregateNames));
- PrivilegeDefinitionStore store = getStore(getWriteRoot());
- store.writeDefinition(definition);
+ PrivilegeDefinitionWriter writer = new PrivilegeDefinitionWriter(getWriteRoot());
+ writer.writeDefinition(definition);
// refresh the current root to make sure the definition is visible
root.refresh();
@@ -130,18 +130,18 @@ public class PrivilegeManagerImpl implem
@Nonnull
private PrivilegeDefinition[] getPrivilegeDefinitions() {
- Map<String, PrivilegeDefinition> definitions = getStore(root).readDefinitions();
+ Map<String, PrivilegeDefinition> definitions = getReader().readDefinitions();
return definitions.values().toArray(new PrivilegeDefinition[definitions.size()]);
}
@CheckForNull
private PrivilegeDefinition getPrivilegeDefinition(String oakName) {
- return getStore(root).readDefinition(oakName);
+ return getReader().readDefinition(oakName);
}
@Nonnull
- private static PrivilegeDefinitionStore getStore(Root targetRoot) {
- return new PrivilegeDefinitionStore(targetRoot);
+ private PrivilegeDefinitionReader getReader() {
+ return new PrivilegeDefinitionReader(root);
}
//--------------------------------------------------------------------------
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java Wed Feb 20 13:17:43 2013
@@ -62,7 +62,7 @@ public class PrivilegeMigrator {
public void migrateCustomPrivileges(InputStream privilegeStream) throws RepositoryException {
final Root root = contentSession.getLatestRoot();
- PrivilegeDefinitionStore store = new PrivilegeDefinitionStore(root);
+ PrivilegeDefinitionWriter writer = new PrivilegeDefinitionWriter(root);
try {
NamespaceRegistry nsRegistry = new ReadWriteNamespaceRegistry() {
@Override
@@ -76,7 +76,7 @@ public class PrivilegeMigrator {
}
};
for (PrivilegeDefinition def : readCustomDefinitions(privilegeStream, nsRegistry)) {
- store.writeDefinition(def);
+ writer.writeDefinition(def);
}
} catch (IOException e) {
throw new RepositoryException(e);
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java Wed Feb 20 13:17:43 2013
@@ -19,11 +19,13 @@ package org.apache.jackrabbit.oak.securi
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
+import javax.annotation.Nonnull;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.core.ReadOnlyRoot;
@@ -33,8 +35,6 @@ import org.apache.jackrabbit.oak.spi.com
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.util.Text;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
/**
* Validator implementation that is responsible for validating any modifications
@@ -42,14 +42,14 @@ import org.slf4j.LoggerFactory;
*/
class PrivilegeValidator implements PrivilegeConstants, Validator {
- private static final Logger log = LoggerFactory.getLogger(PrivilegeValidator.class);
-
- private final PrivilegeDefinitionStore storeBefore;
- private final PrivilegeDefinitionStore storeAfter;
+ private final Root rootBefore;
+ private final Root rootAfter;
+ private final PrivilegeBitsProvider bitsProvider;
PrivilegeValidator(NodeState before, NodeState after) {
- storeBefore = new PrivilegeDefinitionStore(new ReadOnlyRoot(before));
- storeAfter = new PrivilegeDefinitionStore((new ReadOnlyRoot(after)));
+ rootBefore = new ReadOnlyRoot(before);
+ rootAfter = new ReadOnlyRoot(after);
+ bitsProvider = new PrivilegeBitsProvider(rootBefore);
}
//----------------------------------------------------------< Validator >---
@@ -61,7 +61,7 @@ class PrivilegeValidator implements Priv
@Override
public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException {
if (REP_NEXT.equals(before.getName())) {
- validateNext(PrivilegeBits.getInstance(storeBefore.getPrivilegesTree().getProperty(REP_NEXT)));
+ validateNext(PrivilegeBits.getInstance(getPrivilegesTree(rootBefore).getProperty(REP_NEXT)));
} else {
throw new CommitFailedException("Attempt to modify existing privilege definition.");
}
@@ -74,7 +74,9 @@ class PrivilegeValidator implements Priv
@Override
public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
- checkInitialized();
+ // make sure privileges have been initialized before
+ getPrivilegesTree(rootBefore);
+
// the following characteristics are expected to be validated elsewhere:
// - permission to allow privilege registration -> permission validator.
// - name collisions (-> delegated to NodeTypeValidator since sms are not allowed)
@@ -111,14 +113,8 @@ class PrivilegeValidator implements Priv
}
//------------------------------------------------------------< private >---
- private void checkInitialized() throws CommitFailedException {
- if (storeBefore.getPrivilegesTree() == null) {
- throw new CommitFailedException("Privilege store not initialized.");
- }
- }
-
private void validateNext(PrivilegeBits bits) throws CommitFailedException {
- PrivilegeBits next = PrivilegeBits.getInstance(storeAfter.getPrivilegesTree().getProperty(REP_NEXT));
+ PrivilegeBits next = PrivilegeBits.getInstance(getPrivilegesTree(rootAfter).getProperty(REP_NEXT));
if (!next.equals(bits.nextBits())) {
throw new CommitFailedException("Next bits not updated.");
}
@@ -130,6 +126,15 @@ class PrivilegeValidator implements Priv
}
}
+ @Nonnull
+ private Tree getPrivilegesTree(Root root) throws CommitFailedException {
+ Tree privilegesTree = root.getTree(PRIVILEGES_PATH);
+ if (privilegesTree == null) {
+ throw new CommitFailedException("Privilege store not initialized.");
+ }
+ return privilegesTree;
+ }
+
/**
* Validation of the privilege definition including the following steps:
* <p/>
@@ -150,8 +155,8 @@ class PrivilegeValidator implements Priv
throw new CommitFailedException("PrivilegeBits are missing.");
}
- Set<String> privNames = storeBefore.getPrivilegeNames(newBits);
- PrivilegeDefinition definition = PrivilegeDefinitionStore.readDefinition(definitionTree);
+ Set<String> privNames = bitsProvider.getPrivilegeNames(newBits);
+ PrivilegeDefinition definition = PrivilegeDefinitionReader.readDefinition(definitionTree);
Set<String> declaredNames = definition.getDeclaredAggregateNames();
// non-aggregate privilege
@@ -169,7 +174,7 @@ class PrivilegeValidator implements Priv
}
// aggregation of >1 privileges
- Map<String, PrivilegeDefinition> definitions = storeBefore.readDefinitions();
+ Map<String, PrivilegeDefinition> definitions = new PrivilegeDefinitionReader(rootBefore).readDefinitions();
for (String aggrName : declaredNames) {
// aggregated privilege not registered
if (!definitions.containsKey(aggrName)) {
@@ -197,7 +202,7 @@ class PrivilegeValidator implements Priv
}
}
- PrivilegeBits aggrBits = storeBefore.getBits(declaredNames.toArray(new String[declaredNames.size()]));
+ PrivilegeBits aggrBits = bitsProvider.getBits(declaredNames.toArray(new String[declaredNames.size()]));
if (!newBits.equals(aggrBits)) {
throw new CommitFailedException("Invalid privilege bits for aggregated privilege definition.");
}
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java Wed Feb 20 13:17:43 2013
@@ -39,7 +39,7 @@ import org.apache.jackrabbit.oak.namepat
import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
-import org.apache.jackrabbit.oak.security.privilege.PrivilegeDefinitionStore;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.ACE;
import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlList;
import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlListTest;
@@ -107,8 +107,8 @@ public class ACLTest extends AbstractAcc
}
@Override
- PrivilegeDefinitionStore getPrivilegeStore() {
- return new PrivilegeDefinitionStore(root);
+ PrivilegeBitsProvider getPrivilegeBitsProvider() {
+ return new PrivilegeBitsProvider(root);
}
};
}
Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProviderTest.java (from r1447798, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStoreTest.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProviderTest.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProviderTest.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStoreTest.java&r1=1447798&r2=1448152&rev=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionStoreTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBitsProviderTest.java Wed Feb 20 13:17:43 2013
@@ -30,63 +30,48 @@ import static org.junit.Assert.assertNot
/**
* PrivilegeDefinitionStoreTest... TODO
*/
-public class PrivilegeDefinitionStoreTest extends AbstractSecurityTest implements PrivilegeConstants {
+public class PrivilegeBitsProviderTest extends AbstractSecurityTest implements PrivilegeConstants {
- private PrivilegeDefinitionStore store;
+ private PrivilegeBitsProvider bitsProvider;
@Override
public void before() throws Exception {
super.before();
- store = new PrivilegeDefinitionStore(root);
+ bitsProvider = new PrivilegeBitsProvider(root);
}
@Test
public void testGetPrivilegesTree() {
- assertNotNull(store.getPrivilegesTree());
- assertEquals(PRIVILEGES_PATH, store.getPrivilegesTree().getPath());
- }
-
- @Test
- public void testReadDefinition() {
- // TODO
- }
-
- @Test
- public void testReadDefinitions() {
- // TODO
- }
-
- @Test
- public void testWriteDefinition() {
- // TODO
+ assertNotNull(bitsProvider.getPrivilegesTree());
+ assertEquals(PRIVILEGES_PATH, bitsProvider.getPrivilegesTree().getPath());
}
@Test
public void testGetBits() {
- PrivilegeBits bits = store.getBits(JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES);
+ PrivilegeBits bits = bitsProvider.getBits(JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES);
assertFalse(bits.isEmpty());
- PrivilegeBits mod = PrivilegeBits.getInstance(store.getBits(JCR_ADD_CHILD_NODES)).add(store.getBits(JCR_REMOVE_CHILD_NODES));
+ PrivilegeBits mod = PrivilegeBits.getInstance(bitsProvider.getBits(JCR_ADD_CHILD_NODES)).add(bitsProvider.getBits(JCR_REMOVE_CHILD_NODES));
assertEquals(bits, mod.unmodifiable());
}
@Test
public void testGetBitsFromInvalidPrivilege() {
- assertEquals(PrivilegeBits.EMPTY, store.getBits("invalid1", "invalid2"));
+ assertEquals(PrivilegeBits.EMPTY, bitsProvider.getBits("invalid1", "invalid2"));
}
@Test
public void testGetBitsFromEmpty() {
- assertEquals(PrivilegeBits.EMPTY, store.getBits());
- assertEquals(PrivilegeBits.EMPTY, store.getBits(new String[0]));
- assertEquals(PrivilegeBits.EMPTY, store.getBits(""));
+ assertEquals(PrivilegeBits.EMPTY, bitsProvider.getBits());
+ assertEquals(PrivilegeBits.EMPTY, bitsProvider.getBits(new String[0]));
+ assertEquals(PrivilegeBits.EMPTY, bitsProvider.getBits(""));
}
@Test
public void testGetPrivilegeNames() throws RepositoryException {
- PrivilegeBits bits = store.getBits(JCR_READ_ACCESS_CONTROL);
- Set<String> names = store.getPrivilegeNames(bits);
+ PrivilegeBits bits = bitsProvider.getBits(JCR_READ_ACCESS_CONTROL);
+ Set<String> names = bitsProvider.getPrivilegeNames(bits);
assertEquals(1, names.size());
assertEquals(JCR_READ_ACCESS_CONTROL, names.iterator().next());
@@ -94,33 +79,33 @@ public class PrivilegeDefinitionStoreTes
@Test
public void testAggregation() throws RepositoryException {
- PrivilegeBits writeBits = store.getBits(JCR_ADD_CHILD_NODES,
+ PrivilegeBits writeBits = bitsProvider.getBits(JCR_ADD_CHILD_NODES,
JCR_REMOVE_CHILD_NODES,
JCR_REMOVE_NODE,
JCR_MODIFY_PROPERTIES);
- Set<String> names = store.getPrivilegeNames(writeBits);
+ Set<String> names = bitsProvider.getPrivilegeNames(writeBits);
assertEquals(1, names.size());
assertEquals(JCR_WRITE, names.iterator().next());
}
@Test
public void testUnknownAggregation() throws RepositoryException {
- PrivilegeBits bits = store.getBits(REP_WRITE, JCR_LIFECYCLE_MANAGEMENT);
- Set<String> names = store.getPrivilegeNames(bits);
+ PrivilegeBits bits = bitsProvider.getBits(REP_WRITE, JCR_LIFECYCLE_MANAGEMENT);
+ Set<String> names = bitsProvider.getPrivilegeNames(bits);
assertEquals(2, names.size());
}
@Test
public void testRedundantAggregation() throws RepositoryException {
- PrivilegeBits writeBits = store.getBits(REP_WRITE);
- Set<String> names = store.getPrivilegeNames(writeBits);
+ PrivilegeBits writeBits = bitsProvider.getBits(REP_WRITE);
+ Set<String> names = bitsProvider.getPrivilegeNames(writeBits);
assertEquals(1, names.size());
assertEquals(REP_WRITE, names.iterator().next());
- writeBits = store.getBits(REP_WRITE, JCR_WRITE);
- names = store.getPrivilegeNames(writeBits);
+ writeBits = bitsProvider.getBits(REP_WRITE, JCR_WRITE);
+ names = bitsProvider.getPrivilegeNames(writeBits);
assertEquals(1, names.size());
assertEquals(REP_WRITE, names.iterator().next());
@@ -128,24 +113,25 @@ public class PrivilegeDefinitionStoreTes
@Test
public void testAll() {
- PrivilegeBits all = store.getBits(JCR_ALL);
+ PrivilegeBits all = bitsProvider.getBits(JCR_ALL);
assertFalse(all.isEmpty());
- assertEquals(Collections.singleton(JCR_ALL), store.getPrivilegeNames(all));
+ assertEquals(Collections.singleton(JCR_ALL), bitsProvider.getPrivilegeNames(all));
}
@Test
public void testAllAggregation() {
- PrivilegeBits all = store.getBits(JCR_ALL);
+ PrivilegeBits all = bitsProvider.getBits(JCR_ALL);
- Set<String> allAggregates = store.readDefinition(JCR_ALL).getDeclaredAggregateNames();
- PrivilegeBits all2 = store.getBits(allAggregates.toArray(new String[allAggregates.size()]));
+ PrivilegeDefinitionReader reader = new PrivilegeDefinitionReader(root);
+ Set<String> allAggregates = reader.readDefinition(JCR_ALL).getDeclaredAggregateNames();
+ PrivilegeBits all2 = bitsProvider.getBits(allAggregates.toArray(new String[allAggregates.size()]));
assertEquals(all, all2);
- assertEquals(Collections.singleton(JCR_ALL), store.getPrivilegeNames(all2));
+ assertEquals(Collections.singleton(JCR_ALL), bitsProvider.getPrivilegeNames(all2));
PrivilegeBits bits = PrivilegeBits.getInstance();
for (String name : allAggregates) {
- bits.add(store.getBits(name));
+ bits.add(bitsProvider.getBits(name));
}
assertEquals(all, bits.unmodifiable());
}
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java?rev=1448152&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java Wed Feb 20 13:17:43 2013
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.privilege;
+
+import org.junit.Test;
+
+public class PrivilegeDefinitionReaderTest {
+
+ @Test
+ public void testReadDefinition() {
+ // TODO
+ }
+
+ @Test
+ public void testReadDefinitions() {
+ // TODO
+ }
+}
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java?rev=1448152&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java Wed Feb 20 13:17:43 2013
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.privilege;
+
+import org.junit.Test;
+
+/**
+ * PrivilegeDefinitionWriterTest... TODO
+ */
+public class PrivilegeDefinitionWriterTest {
+
+ @Test
+ public void testWriteDefinition() {
+ // TODO
+ }
+}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorTest.java?rev=1448152&r1=1448151&r2=1448152&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorTest.java Wed Feb 20 13:17:43 2013
@@ -37,13 +37,13 @@ import static org.junit.Assert.fail;
*/
public class PrivilegeValidatorTest extends AbstractSecurityTest implements PrivilegeConstants {
- PrivilegeDefinitionStore store;
+ PrivilegeBitsProvider store;
Tree privilegesTree;
@Before
public void before() throws Exception {
super.before();
- store = new PrivilegeDefinitionStore(root);
+ store = new PrivilegeBitsProvider(root);
privilegesTree = checkNotNull(store.getPrivilegesTree());
}