http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredPrefixMapping.java
----------------------------------------------------------------------
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredPrefixMapping.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredPrefixMapping.java
new file mode 100644
index 0000000..f4007d8
--- /dev/null
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredPrefixMapping.java
@@ -0,0 +1,133 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jena.permissions.graph; + +import java.util.Map; + +import org.apache.jena.permissions.AccessDeniedException; +import org.apache.jena.permissions.impl.SecuredItem; +import org.apache.jena.shared.PrefixMapping ; + +/** + * The interface for secured PrefixMapping instances. 
+ * + * Use the SecuredPrefixMapping.Factory to create instances + */ +public interface SecuredPrefixMapping extends PrefixMapping, SecuredItem +{ + /** + * @sec.graph Read + * @throws AccessDeniedException + */ + @Override + public String expandPrefix( final String prefixed ) + throws AccessDeniedException; + + /** + * @sec.graph Read + * @throws AccessDeniedException + */ + @Override + public Map<String, String> getNsPrefixMap() throws AccessDeniedException; + + /** + * @sec.graph Read + * @throws AccessDeniedException + */ + @Override + public String getNsPrefixURI( final String prefix ) + throws AccessDeniedException; + + /** + * @sec.graph Read + * @throws AccessDeniedException + */ + @Override + public String getNsURIPrefix( final String uri ) + throws AccessDeniedException; + + /** + * @sec.graph Update + * @throws AccessDeniedException + */ + @Override + public SecuredPrefixMapping lock() throws AccessDeniedException; + + /** + * @sec.graph Read + * @throws AccessDeniedException + */ + @Override + public String qnameFor( final String uri ) throws AccessDeniedException; + + /** + * @sec.graph Update + * @throws AccessDeniedException + */ + @Override + public SecuredPrefixMapping removeNsPrefix( final String prefix ) + throws AccessDeniedException; + + /** + * @sec.graph Read + * @throws AccessDeniedException + */ + @Override + public boolean samePrefixMappingAs( final PrefixMapping other ) + throws AccessDeniedException; + + /** + * @sec.graph Update + * @throws AccessDeniedException + */ + @Override + public SecuredPrefixMapping setNsPrefix( final String prefix, + final String uri ) throws AccessDeniedException; + + /** + * @sec.graph Update + * @throws AccessDeniedException + */ + @Override + public SecuredPrefixMapping setNsPrefixes( final Map<String, String> map ) + throws AccessDeniedException; + + /** + * @sec.graph Update + * @throws AccessDeniedException + */ + @Override + public SecuredPrefixMapping setNsPrefixes( final PrefixMapping other ) + 
throws AccessDeniedException; + + /** + * @sec.graph Read + * @throws AccessDeniedException + */ + @Override + public String shortForm( final String uri ) throws AccessDeniedException; + + /** + * @sec.graph Update + * @throws AccessDeniedException + */ + @Override + public SecuredPrefixMapping withDefaultMappings( final PrefixMapping map ) + throws AccessDeniedException; + +}
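Review bot: The interface Javadoc tells readers to use `SecuredPrefixMapping.Factory` to create instances, but this interface declares no nested `Factory`; the only factory visible in this commit is `org.apache.jena.permissions.graph.impl.Factory`, whose `getInstance(SecuredGraphImpl, PrefixMapping)` is package-private. The sentence should describe how callers actually obtain an instance, for example `Instances are obtained from SecuredGraph.getPrefixMapping().` The method comments carry only the `@sec.graph` tag and a bare `@throws AccessDeniedException`; a description such as `@throws AccessDeniedException if the caller lacks Read permission on the graph` would state which permission each method enforces.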
http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/Factory.java
----------------------------------------------------------------------
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/Factory.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/Factory.java
new file mode 100644
index 0000000..22dccf2
--- /dev/null
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/Factory.java
@@ -0,0 +1,95 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jena.permissions.graph.impl; + +import org.apache.jena.graph.Graph ; +import org.apache.jena.permissions.SecurityEvaluator; +import org.apache.jena.permissions.graph.SecuredGraph; +import org.apache.jena.permissions.graph.SecuredPrefixMapping; +import org.apache.jena.permissions.impl.ItemHolder; +import org.apache.jena.permissions.impl.SecuredItemInvoker; +import org.apache.jena.shared.PrefixMapping ; + +public class Factory +{ + + /** + * Create an instance of SecuredPrefixMapping + * + * @param graph + * The SecuredGraph that contains the prefixmapping. + * @param prefixMapping + * The prefixmapping returned from the base graph. + * @return The SecuredPrefixMapping. + */ + static SecuredPrefixMapping getInstance( final SecuredGraphImpl graph, + final PrefixMapping prefixMapping ) + { + + final ItemHolder<PrefixMapping, SecuredPrefixMapping> holder = new ItemHolder<PrefixMapping, SecuredPrefixMapping>( + prefixMapping); + final SecuredPrefixMappingImpl checker = new SecuredPrefixMappingImpl( + graph, holder); + // if we are going to create a duplicate proxy just return this one. 
+ if (prefixMapping instanceof SecuredPrefixMapping) + { + if (checker.isEquivalent((SecuredPrefixMapping) prefixMapping)) + { + return (SecuredPrefixMapping) prefixMapping; + } + } + + return holder.setSecuredItem(new SecuredItemInvoker(prefixMapping + .getClass(), checker)); + } + + /** + * Create an instance of the SecuredGraph + * + * @param securityEvaluator + * The security evaluator to use + * @param graphIRI + * The IRI for the graph. + * @param graph + * The graph that we are wrapping. + * @return the secured graph + */ + public static SecuredGraph getInstance( + final SecurityEvaluator securityEvaluator, final String graphIRI, + final Graph graph ) + { + + final ItemHolder<Graph, SecuredGraphImpl> holder = new ItemHolder<Graph, SecuredGraphImpl>( + graph); + final SecuredGraphImpl checker = new SecuredGraphImpl( + securityEvaluator, graphIRI, holder) { + }; + + // If we going to create a duplicate proxy return this one. + if (graph instanceof SecuredGraphImpl) + { + if (checker.isEquivalent((SecuredGraphImpl) graph)) + { + return (SecuredGraph) graph; + } + } + return holder.setSecuredItem(new SecuredItemInvoker(graph.getClass(), + checker)); + } + +} http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredGraphImpl.java ---------------------------------------------------------------------- diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredGraphImpl.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredGraphImpl.java new file mode 100644 index 0000000..cc0f283 --- /dev/null +++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredGraphImpl.java 
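Review bot: The duplicate-proxy guard in `getInstance(SecurityEvaluator, String, Graph)` tests `graph instanceof SecuredGraphImpl`, but the secured graphs this factory returns are `java.lang.reflect.Proxy` instances built by `ItemHolder.setSecuredItem`, and a dynamic proxy is never an instance of a concrete class. An already-secured graph passed back in is therefore wrapped a second time instead of being returned as is, whereas the prefix-mapping overload above tests the interface. Matching that overload, `if (graph instanceof SecuredGraph)` with `checker.isEquivalent((SecuredGraph) graph)` would make the guard effective, assuming `isEquivalent` accepts a `SecuredItem` (its declaration is outside this hunk).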
@@ -0,0 +1,285 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jena.permissions.graph.impl; + +import org.apache.jena.graph.* ; +import org.apache.jena.permissions.SecurityEvaluator; +import org.apache.jena.permissions.SecurityEvaluator.Action; +import org.apache.jena.permissions.graph.*; +import org.apache.jena.permissions.impl.ItemHolder; +import org.apache.jena.permissions.impl.SecuredItem; +import org.apache.jena.permissions.impl.SecuredItemImpl; +import org.apache.jena.permissions.utils.PermTripleFilter; +import org.apache.jena.shared.AddDeniedException ; +import org.apache.jena.shared.DeleteDeniedException ; +import org.apache.jena.util.iterator.ExtendedIterator ; + +/** + * Implementation of SecuredGraph to be used by a SecuredItemInvoker proxy. + */ +public class SecuredGraphImpl extends SecuredItemImpl implements SecuredGraph +{ + + // the prefixMapping for this graph. 
+ private SecuredPrefixMapping prefixMapping; + // the item holder that contains this SecuredGraph + private final ItemHolder<Graph, SecuredGraphImpl> holder; + + private final SecuredGraphEventManager eventManager; + + /** + * Constructor + * + * @param securityEvaluator + * The security evaluator to use + * @param graphIRI + * The IRI for the graph + * @param holder + * The item holder that will contain this SecuredGraph. + */ + SecuredGraphImpl( final SecuredItem securedItem, + final ItemHolder<Graph, SecuredGraphImpl> holder ) + { + super(securedItem, holder); + this.holder = holder; + this.eventManager = new SecuredGraphEventManager(this, + holder.getBaseItem(), holder.getBaseItem().getEventManager()); + } + + SecuredGraphImpl( final SecurityEvaluator securityEvaluator, + final String modelURI, + final ItemHolder<Graph, SecuredGraphImpl> holder ) + { + super(securityEvaluator, modelURI, holder); + this.holder = holder; + this.eventManager = new SecuredGraphEventManager(this, + holder.getBaseItem(), holder.getBaseItem().getEventManager()); + } + + @Override + public void add( final Triple t ) throws AddDeniedException + { + checkUpdate(); + checkCreate(t); + holder.getBaseItem().add(t); + } + + @Override + public void close() + { + holder.getBaseItem().close(); + } + + @Override + public boolean contains( final Node s, final Node p, final Node o ) + { + return contains(new Triple(s, p, o)); + } + + @Override + public boolean contains( final Triple t ) + { + checkRead(); + if (canRead(t)) + { + return holder.getBaseItem().contains(t); + } + final ExtendedIterator<Triple> iter = holder.getBaseItem().find(t); + try + { + while (iter.hasNext()) + { + if (canRead(iter.next())) + { + return true; + } + } + return false; + } + finally + { + iter.close(); + } + + } + + private synchronized void createPrefixMapping() + { + if (prefixMapping == null) + { + prefixMapping = org.apache.jena.permissions.graph.impl.Factory + .getInstance(this, 
holder.getBaseItem().getPrefixMapping()); + } + } + + @Override + public void delete( final Triple t ) throws DeleteDeniedException + { + checkUpdate(); + checkDelete(t); + holder.getBaseItem().delete(t); + } + + @Override + public boolean dependsOn( final Graph other ) + { + checkRead(); + if (other.equals(holder.getBaseItem())) + { + return true; + } + return holder.getBaseItem().dependsOn(other); + } + + @Override + public ExtendedIterator<Triple> find( final Node s, final Node p, + final Node o ) + { + checkRead(); + ExtendedIterator<Triple> retval = holder.getBaseItem().find(s, p, o); + if (!canRead(Triple.ANY)) + { + retval = retval.filterKeep(new PermTripleFilter(Action.Read, this)); + } + return retval; + } + + @Override + public ExtendedIterator<Triple> find( final Triple m ) + { + checkRead(); + ExtendedIterator<Triple> retval = holder.getBaseItem().find(m); + if (!canRead(Triple.ANY)) + { + retval = retval.filterKeep(new PermTripleFilter(Action.Read, this)); + } + return retval; + } + + @Override + public SecuredCapabilities getCapabilities() + { + return new SecuredCapabilities(getSecurityEvaluator(), getModelIRI(), + holder.getBaseItem().getCapabilities()); + } + + @Override + public SecuredGraphEventManager getEventManager() + { + return eventManager; + } + + @Override + public SecuredPrefixMapping getPrefixMapping() + { + if (prefixMapping == null) + { + createPrefixMapping(); + } + return prefixMapping; + } + + @Override + public GraphStatisticsHandler getStatisticsHandler() + { + checkRead(); + return holder.getBaseItem().getStatisticsHandler(); + } + + @Override + public TransactionHandler getTransactionHandler() + { + return holder.getBaseItem().getTransactionHandler(); + } + + @Override + public boolean isClosed() + { + return holder.getBaseItem().isClosed(); + } + + @Override + public boolean isEmpty() + { + checkRead(); + return holder.getBaseItem().isEmpty(); + } + + @Override + public boolean isIsomorphicWith( final Graph g ) + { + 
checkRead(); + if (g.size() != holder.getBaseItem().size()) + { + return false; + } + final Triple t = new Triple(Node.ANY, Node.ANY, Node.ANY); + if (!canRead(t)) + { + final ExtendedIterator<Triple> iter = g.find(t); + while (iter.hasNext()) + { + checkRead(iter.next()); + } + } + return holder.getBaseItem().isIsomorphicWith(g); + } + + @Override + public int size() + { + checkRead(); + return holder.getBaseItem().size(); + } + + @Override + public void clear() + { + checkUpdate(); + if (! canDelete( Triple.ANY )) + { + ExtendedIterator<Triple> iter = holder.getBaseItem().find( Triple.ANY ); + while (iter.hasNext()) + { + checkDelete( iter.next() ); + } + } + holder.getBaseItem().clear(); + } + + @Override + public void remove( Node s, Node p, Node o ) + { + checkUpdate(); + Triple t = new Triple( s, p, o ); + if (t.isConcrete()) + { + checkDelete( t ); + } + else + { + ExtendedIterator<Triple> iter = holder.getBaseItem().find( Triple.ANY ); + while (iter.hasNext()) + { + checkDelete( iter.next() ); + } + } + holder.getBaseItem().remove(s, p, o); + } + +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredPrefixMappingImpl.java ---------------------------------------------------------------------- diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredPrefixMappingImpl.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredPrefixMappingImpl.java new file mode 100644 index 0000000..610ed92 --- /dev/null +++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredPrefixMappingImpl.java 
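Review bot: In `remove(Node, Node, Node)` the non-concrete branch runs `checkDelete` over `holder.getBaseItem().find( Triple.ANY )`, that is every triple in the graph, rather than only the triples matching the pattern being removed, so a caller allowed to delete the matching triples is refused whenever some unrelated triple is protected. It should iterate `holder.getBaseItem().find( t )`. The iterators in `remove`, `clear` and `isIsomorphicWith` are never closed, while `contains(Triple)` closes its iterator in a `finally`; the same `try { … } finally { iter.close(); }` is needed here because `checkDelete`/`checkRead` presumably throw in mid-iteration. Separately, `size()` and `isEmpty()` return the base graph's values after only the graph-level `checkRead()`, so under triple-level restrictions the count includes triples that `find` filters out; if that is intended it deserves a Javadoc line. `close()` and `getTransactionHandler()` delegate with no permission check at all, which should be confirmed as deliberate.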
@@ -0,0 +1,167 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jena.permissions.graph.impl; + +import java.util.Map; +import java.util.Map.Entry; + +import org.apache.jena.permissions.graph.SecuredPrefixMapping; +import org.apache.jena.permissions.impl.ItemHolder; +import org.apache.jena.permissions.impl.SecuredItemImpl; +import org.apache.jena.shared.PrefixMapping ; +import org.apache.jena.shared.impl.PrefixMappingImpl ; + +/** + * Implementation of SecuredPrefixMapping to be used by a SecuredItemInvoker + * proxy. + */ +public class SecuredPrefixMappingImpl extends SecuredItemImpl implements + SecuredPrefixMapping +{ + // the item holder that holds this SecuredPrefixMapping + private final ItemHolder<PrefixMapping, SecuredPrefixMapping> holder; + + /** + * Constructor + * + * @param graph + * The Secured graph this mapping is for. + * @param holder + * The item holder that will contain this SecuredPrefixMapping. 
+ */ + SecuredPrefixMappingImpl( final SecuredGraphImpl graph, + final ItemHolder<PrefixMapping, SecuredPrefixMapping> holder ) + { + super(graph, holder); + this.holder = holder; + } + + @Override + public String expandPrefix( final String prefixed ) + { + checkRead(); + return holder.getBaseItem().expandPrefix(prefixed); + } + + @Override + public Map<String, String> getNsPrefixMap() + { + checkRead(); + return holder.getBaseItem().getNsPrefixMap(); + } + + @Override + public String getNsPrefixURI( final String prefix ) + { + checkRead(); + return holder.getBaseItem().getNsPrefixURI(prefix); + } + + @Override + public String getNsURIPrefix( final String uri ) + { + checkRead(); + return holder.getBaseItem().getNsURIPrefix(uri); + } + + @Override + public SecuredPrefixMapping lock() + { + checkUpdate(); + holder.getBaseItem().lock(); + return holder.getSecuredItem(); + } + + @Override + public String qnameFor( final String uri ) + { + checkRead(); + return holder.getBaseItem().qnameFor(uri); + } + + @Override + public SecuredPrefixMapping removeNsPrefix( final String prefix ) + { + checkUpdate(); + holder.getBaseItem().removeNsPrefix(prefix); + return holder.getSecuredItem(); + } + + @Override + public boolean samePrefixMappingAs( final PrefixMapping other ) + { + checkRead(); + return holder.getBaseItem().samePrefixMappingAs(other); + } + + @Override + public SecuredPrefixMapping setNsPrefix( final String prefix, + final String uri ) + { + checkUpdate(); + holder.getBaseItem().setNsPrefix(prefix, uri); + return holder.getSecuredItem(); + } + + @Override + public SecuredPrefixMapping setNsPrefixes( final Map<String, String> map ) + { + checkUpdate(); + holder.getBaseItem().setNsPrefixes(map); + return holder.getSecuredItem(); + } + + @Override + public SecuredPrefixMapping setNsPrefixes( final PrefixMapping other ) + { + checkUpdate(); + holder.getBaseItem().setNsPrefixes(other); + return holder.getSecuredItem(); + } + + @Override + public String shortForm( final 
String uri ) + { + checkRead(); + return holder.getBaseItem().shortForm(uri); + } + + @Override + public SecuredPrefixMapping withDefaultMappings( final PrefixMapping map ) + { + // mapping only updates if there are map entries to add. Since this gets called + // when we are doing deep triple checks while writing we need to attempt the + // update only if there are new updates to add. + + PrefixMapping m = holder.getBaseItem(); + PrefixMappingImpl pm = new PrefixMappingImpl(); + for ( Entry<String, String> e : map.getNsPrefixMap().entrySet()) + { + if (m.getNsPrefixURI(e.getKey()) == null && m.getNsURIPrefix(e.getValue()) == null ) + { + pm.setNsPrefix( e.getKey(), e.getValue() ); + } + } + if ( !pm.getNsPrefixMap().isEmpty()) + { + checkUpdate(); + holder.getBaseItem().withDefaultMappings(pm); + } + return holder.getSecuredItem(); + } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/graph/package-info.java ---------------------------------------------------------------------- diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/package-info.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/package-info.java new file mode 100644 index 0000000..35cf67c --- /dev/null +++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/package-info.java 
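Review bot: `withDefaultMappings` consults the base mapping (`m.getNsPrefixURI`, `m.getNsURIPrefix`) before any permission check and calls `checkUpdate()` only when at least one entry is new. A caller holding neither Read nor Update permission can therefore learn from whether the call is denied that a prefix or URI is already mapped, whereas every other lookup in this class starts with `checkRead()`. Adding `checkRead();` as the first statement keeps the skip-if-nothing-to-add behaviour described in the comment and removes that difference, unless writers without Read permission are required to call this method. The explanatory comment would also be better placed as Javadoc on the method, since it is the reason the update check is conditional.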
@@ -0,0 +1,50 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * Secured implementation of the Graph interface and associated classes. + * <p> + * + * The SecurityEvaluator class must be implemented. This class provides the interface to the + * authentication results (e.g. getPrincipal())) and the authorization system. + * </p><p> + * Create a SecuredGraph by calling Factory.getInstance( SecurityEvaluator, String, Graph ); + * Create a SecuredModel by calling Factory.getInstance( SecurityEvaluator, String, Model ) + * or ModelFactory.createModelForGraph( SecuredGraph ); + * </p><p> + * NOTE: when creating a model by wrapping a secured graph (e.g. + * ModelFactory.createModelForGraph( SecuredGraph );) the resulting Model does not + * have the same security requirements that the standard secured model does. + * </p><p> + * For instance when creating a list on a secured model calling model.createList( RDFNode[] ); + * The standard secured model verifies that the user + * has the right to update the triples and allows or denies the entire operation accordingly. 
+ * The wrapped secured graph does not have visibility + * to the createList() command and can only operate on the instructions issued by the + * model.createList() implementation. In the standard implementation + * the model requests the graph to delete one triple and then insert another. + * Thus the user must have delete and add permissions, not the update permission. + * </p><p> + * There are several other cases where the difference in the layer can trip up the security system. + * In all known cases the result is a tighter + * security definition than was requested. For simplicity sake we recommend that the wrapped + * secured graph only be used in cases where access to the + * graph as a whole is granted/denied. In these cases the user either has all CRUD capabilities or + * none. + * </p> + */ +package org.apache.jena.permissions.graph; \ No newline at end of file http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/impl/CachedSecurityEvaluator.java ---------------------------------------------------------------------- diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/CachedSecurityEvaluator.java b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/CachedSecurityEvaluator.java new file mode 100644 index 0000000..7c14a3b --- /dev/null +++ b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/CachedSecurityEvaluator.java 
@@ -0,0 +1,90 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jena.permissions.impl; + +import java.util.Set; + +import org.apache.jena.permissions.SecurityEvaluator; + +/** + * A SecurityEvaluator that can be cached for later use. 
+ */ +public class CachedSecurityEvaluator implements SecurityEvaluator { + private final SecurityEvaluator wrapped; + private final Object origPrincipal; + + /** + * + * @param wrapped + * @param runAs + */ + public CachedSecurityEvaluator(final SecurityEvaluator wrapped, + final Object runAs) { + this.origPrincipal = runAs; + this.wrapped = wrapped; + } + + @Override + public boolean evaluate(final Object principal, final Action action, + final SecNode graphIRI) { + return wrapped.evaluate(principal, action, graphIRI); + } + + @Override + public boolean evaluate(final Object principal, final Action action, + final SecNode graphIRI, final SecTriple triple) { + return wrapped.evaluate(principal, action, graphIRI, triple); + } + + @Override + public boolean evaluate(final Object principal, final Set<Action> actions, + final SecNode graphIRI) { + return wrapped.evaluate(principal, actions, graphIRI); + } + + @Override + public boolean evaluate(final Object principal, final Set<Action> actions, + final SecNode graphIRI, final SecTriple triple) { + return wrapped.evaluate(principal, actions, graphIRI, triple); + } + + @Override + public boolean evaluateAny(final Object principal, + final Set<Action> actions, final SecNode graphIRI) { + return wrapped.evaluateAny(principal, actions, graphIRI); + } + + @Override + public boolean evaluateAny(final Object principal, + final Set<Action> actions, final SecNode graphIRI, + final SecTriple triple) { + return wrapped.evaluateAny(principal, actions, graphIRI, triple); + } + + @Override + public boolean evaluateUpdate(final Object principal, + final SecNode graphIRI, final SecTriple from, final SecTriple to) { + return wrapped.evaluateUpdate(principal, graphIRI, from, to); + } + + @Override + public Object getPrincipal() { + return origPrincipal; + } + +} http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/impl/ItemHolder.java 
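Review bot: The constructor Javadoc is empty (`@param wrapped` and `@param runAs` carry no text) and the class comment does not say what is cached. From the code, `getPrincipal()` always returns the `runAs` object captured at construction, while every `evaluate*` call is forwarded to `wrapped` with whatever principal the caller supplies, so the instance pins a principal rather than caching decisions. The Javadoc should say so, e.g. `@param runAs the principal reported by getPrincipal(), fixed for the lifetime of this instance`, and note that the captured principal is not refreshed if the user's session or rights change. A `null` `wrapped` is accepted silently and fails only on the first evaluation; `this.wrapped = Objects.requireNonNull(wrapped, "wrapped");` (with `java.util.Objects` imported) would fail at construction instead.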
----------------------------------------------------------------------
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/ItemHolder.java b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/ItemHolder.java
new file mode 100644
index 0000000..e5b52d0
--- /dev/null
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/ItemHolder.java
@@ -0,0 +1,117 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jena.permissions.impl; + +import java.lang.reflect.Proxy; +import java.util.LinkedHashSet; +import java.util.Set; + +import org.apache.commons.lang3.ClassUtils; + +/** + * A class that holds the original item and the secured version of it. + * + * This class is used by the Invoker to return secured versions of the object + * during + * calls that return the called class for cascading. + * + * @param <Base> + * The base class that is being secured + * @param <Secured> + * The implementation (proxy) of the secured class. + */ +public class ItemHolder<Base, Secured extends SecuredItem> +{ + /** + * The base item that is being secured + */ + private final Base baseItem; + /** + * The proxy to the base class that implements the security. + */ + private Secured securedItem; + + /** + * Constructor. + * + * @param baseItem + * The base item. + */ + public ItemHolder( final Base baseItem ) + { + super(); + this.baseItem = baseItem; + } + + /** + * Get the base item. + * + * This method is used in the proxy to get call to the underlying instance. + * + * @return The instance that is being protected. 
+ */ + public Base getBaseItem() + { + return baseItem; + } + + /** + * Get the secured item. + * + * This method is used in the invocation handler to get the instance of the + * proxy that made the + * on which a method call was made. Generally used in returing the original + * object to support + * cascading. + * + * @return the proxy. + */ + public Secured getSecuredItem() + { + return securedItem; + } + + /** + * Creates the proxy, saves it as the securedItem and returns it. + * + * @param handler + * The SecuredItemInvoker to create the proxy with. + * @return The proxy. + */ + @SuppressWarnings( "unchecked" ) + public final Secured setSecuredItem( final SecuredItemInvoker handler ) + { + final Set<Class<?>> ifac = new LinkedHashSet<Class<?>>(); + if (baseItem.getClass().isInterface()) + { + ifac.add(baseItem.getClass()); + } + ifac.addAll(ClassUtils.getAllInterfaces(baseItem.getClass())); + if (handler.securedItem.getClass().isInterface()) + { + ifac.add(handler.securedItem.getClass()); + } + ifac.addAll(ClassUtils.getAllInterfaces(handler.securedItem.getClass())); + + securedItem = (Secured) Proxy.newProxyInstance( + SecuredItemImpl.class.getClassLoader(), + ifac.toArray(new Class<?>[ifac.size()]), handler); + return securedItem; + } + +} http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItem.java ---------------------------------------------------------------------- diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItem.java b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItem.java new file mode 100644 index 0000000..bdec7c3 --- /dev/null +++ b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItem.java 
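Review bot: In `setSecuredItem` the two `getClass().isInterface()` branches can never be taken, because the runtime class of an object is never an interface; the interface set comes entirely from `ClassUtils.getAllInterfaces(...)` and the dead `ifac.add(...)` lines can be removed. The proxy is defined in `SecuredItemImpl.class.getClassLoader()`, and `Proxy.newProxyInstance` throws `IllegalArgumentException` when an interface is not visible from that loader, so a base item whose interfaces come from a different class loader will fail here. Because the proxy exposes every interface of the base item, any method the secured implementation does not override depends on how `SecuredItemInvoker` (not part of this hunk) handles it; that fallback should be confirmed not to reach the base item unchecked. The `getSecuredItem` Javadoc is garbled; `Returns the proxy on which the method call was made, so that methods can return it to support cascading.` says what is meant.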
@@ -0,0 +1,185 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jena.permissions.impl; + +import org.apache.jena.permissions.SecurityEvaluator; +import org.apache.jena.permissions.SecurityEvaluator.SecNode; +import org.apache.jena.permissions.SecurityEvaluator.SecTriple; + +/** + * The secured item interface is mixed into instances of secured objects by the + * proxy. It provides the security context for the security checks as well as + * several useful shorthand methods for common checks. + */ +public interface SecuredItem +{ + + /** + * Utilities for SecuredItem implementations. + */ + public static class Util + { + /** + * Secured items are equivalent if their security evaluators and + * modelIRIs are equal. + * + * @param si1 + * A secured item to check + * @param si2 + * A second secured item to check + * @return true if si1 is equivalent to si2. + */ + public static boolean isEquivalent( final SecuredItem si1, + final SecuredItem si2 ) + { + return si1.getSecurityEvaluator() + .equals(si2.getSecurityEvaluator()) + && si1.getModelIRI().equals(si2.getModelIRI()); + } + } + + /** + * @return true if the securedModel allows items to to be created. 
+ */ + public boolean canCreate(); + + /** + * Return true if the triple can be created. + * If any s,p or o is SecNode.ANY then this method must return false if + * there + * are + * any restrictions where the remaining nodes and held constant and the ANY + * node + * is allowed to vary. + * + * See canRead(SecTriple t) + * + * @param t + * The triple to check + * @return true if the triple can be created. + */ + public boolean canCreate( SecTriple t ); + + /** + * @return true if the securedModel allows items to to be deleted. + */ + public boolean canDelete(); + + /** + * Return true if the triple can be deleted. + * If any s,p or o is SecNode.ANY then this method must return false if + * there + * are + * any restrictions where the remaining nodes and held constant and the ANY + * node + * is allowed to vary. + * + * See canRead(SecTriple t) + * + * @param t + * The triple to check + * @return true if the triple can be deleted. + */ + public boolean canDelete( SecTriple t ); + + /** + * @return true if the securedModel allows items to to be read. + */ + public boolean canRead(); + + /** + * Return true if the triple can be read. + * If any s,p or o is SecNode.ANY then this method must return false if + * there + * are + * any restrictions where the remaining nodes and held constant and the ANY + * node + * is allowed to vary. + * + * (S, P, O) check if S,P,O can be read. + * (S, P, ANY) check if there are any S,P,x restrictions. + * (S, ANY, P) check if there are any S,x,P restrictions. + * (ANY, ANY, ANY) check if there are any restricitons on reading. + * + * @param t + * The triple to check + * @return true if the triple can be read. + */ + public boolean canRead( SecTriple t ); + + /** + * @return true if the securedModel allows items to to be updated. + */ + public boolean canUpdate(); + + /** + * Return true if the triple can be updated. 
+ * If any s,p or o is SecNode.ANY then this method must return false if + * there + * are + * any restrictions where the remaining nodes and held constant and the ANY + * node + * is allowed to vary. + * + * See canRead(SecTriple t) + * + * @param from + * The triple that will be changed + * @param to + * The resulting triple. + * @return true if the from triple can be updated as the to triple. + */ + public boolean canUpdate( SecTriple from, SecTriple to ); + + @Override + public boolean equals( Object o ); + + /** + * @return the base item that is being secured. + */ + public Object getBaseItem(); + + /** + * @return The IRI of the securedModel that the item belongs to. + */ + public String getModelIRI(); + + /** + * @return The node represnetation of the securedModel IRI. + */ + public SecNode getModelNode(); + + /** + * The SecurityEvaluator implementation that is being used to determine + * access. + * + * @return The SecurityEvaluator implementation. + */ + public SecurityEvaluator getSecurityEvaluator(); + + /** + * Return true if this secured item is equivalent to another secured item. + * Generally implemented by calling SecuredItem.Util.isEquivalent + * + * @param securedItem + * the other secured item. + * @return True if they are equivalent, false otherwise. + */ + public boolean isEquivalent( SecuredItem securedItem ); + +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemImpl.java ---------------------------------------------------------------------- diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemImpl.java b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemImpl.java new file mode 100644 index 0000000..d2bca9a --- /dev/null +++ b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemImpl.java 
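Review bot: `getBaseItem()` is part of the public `SecuredItem` contract, so any code holding a secured object can obtain the unwrapped instance and call it without a `canRead`/`canUpdate` evaluation, yet the Javadoc says only `@return the base item that is being secured`. If the accessor is meant for the permissions layer itself, say so where callers will read it, e.g. `@return the base item that is being secured. Calls made on the returned object are NOT permission-checked; do not pass it to untrusted callers.` Separately, `Util.isEquivalent` dereferences `si2` and both `getModelIRI()` results without a null check. The `canRead(SecTriple)` Javadoc also lists `(S, ANY, P)` where `(S, ANY, O)` appears to be meant.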
@@ -0,0 +1,842 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jena.permissions.impl; + +import java.lang.reflect.Proxy; + +import org.apache.commons.collections4.map.LRUMap; +import org.apache.commons.lang3.StringUtils; +import org.apache.commons.lang3.builder.HashCodeBuilder; +import org.apache.jena.permissions.AccessDeniedException; +import org.apache.jena.permissions.SecurityEvaluator; +import org.apache.jena.permissions.SecurityEvaluator.Action; +import org.apache.jena.permissions.SecurityEvaluator.SecNode; +import org.apache.jena.permissions.SecurityEvaluator.SecTriple; +import org.apache.jena.permissions.SecurityEvaluator.SecNode.Type; +import org.apache.jena.rdf.model.Statement ; +import org.apache.jena.util.iterator.ExtendedIterator ; +import org.apache.jena.vocabulary.RDF ; + +/** + * An abstract implementation of SecuredItem that caches security checks. + * <p> + * Security checks are performed at multiple locations. This implementation ensures that + * during a single operation the specific check is only evaluated once by caching the result. + * </p> + * + */ +public abstract class SecuredItemImpl implements SecuredItem +{ + // a key for the secured item. 
+ private class CacheKey implements Comparable<CacheKey> + { + private final Action action; + private final SecNode modelNode; + private final SecTriple from; + private final SecTriple to; + private Integer hashCode; + + public CacheKey( final Action action, final SecNode modelNode ) + { + this(action, modelNode, null, null); + } + + public CacheKey( final Action action, final SecNode modelNode, + final SecTriple to ) + { + this(action, modelNode, to, null); + } + + public CacheKey( final Action action, final SecNode modelNode, + final SecTriple to, final SecTriple from ) + { + this.action = action; + this.modelNode = modelNode; + this.to = to; + this.from = from; + } + + @Override + public int compareTo( final CacheKey other ) + { + int retval = this.action.compareTo(other.action); + if (retval == 0) + { + retval = this.modelNode.compareTo(other.modelNode); + } + if (retval == 0) + { + if (this.to == null) + { + if (other.to == null) + { + return 0; + } + return -1; + } + retval = this.to.compareTo(other.to); + } + if (retval == 0) + { + if (this.from == null) + { + if (other.from == null) + { + return 0; + } + return -1; + } + retval = this.from.compareTo(other.from); + } + return retval; + } + + @Override + public boolean equals( final Object o ) + { + if (o instanceof CacheKey) + { + return this.compareTo((CacheKey) o) == 0; + } + return false; + } + + @Override + public int hashCode() + { + if (hashCode == null) + { + hashCode = new HashCodeBuilder().append(action) + .append(modelNode).append(from).append(to).toHashCode(); + } + return hashCode; + } + } + + // the maximum size of the cache + public static int MAX_CACHE = 100; + // the cache for this thread. + public static final ThreadLocal<LRUMap> CACHE = new ThreadLocal<LRUMap>(); + // the number of times this thread has recursively called the constructor. + public static final ThreadLocal<Integer> COUNT = new ThreadLocal<Integer>(); + + /** + * Convert a Jena Node object into a SecNode object. 
+ * @param jenaNode The Jena node to convert. + * @return The SecNode that represents the jenaNode. + */ + public static SecNode convert( final org.apache.jena.graph.Node jenaNode ) + { + if (org.apache.jena.graph.Node.ANY.equals(jenaNode)) + { + return SecNode.ANY; + } + if (jenaNode.isLiteral()) + { + return new SecNode(Type.Literal, jenaNode.getLiteral().toString()); + } + if (jenaNode.isBlank()) + { + return new SecNode(Type.Anonymous, jenaNode.getBlankNodeLabel()); + } + if (jenaNode.isVariable()) + { + return SecNode.VARIABLE; + } + return new SecNode(Type.URI, jenaNode.getURI()); + } + + /** + * Convert a Jena Triple into a SecTriple. + * @param jenaTriple The Jena Triple to convert. + * @return The SecTriple that represents the jenaTriple. + */ + public static SecTriple convert( + final org.apache.jena.graph.Triple jenaTriple ) + { + return new SecTriple(SecuredItemImpl.convert(jenaTriple.getSubject()), + SecuredItemImpl.convert(jenaTriple.getPredicate()), + SecuredItemImpl.convert(jenaTriple.getObject())); + } + + /** + * Decrement the number of instances of SecuredItem. + */ + public static void decrementUse() + { + final Integer i = SecuredItemImpl.COUNT.get(); + if (i == null) + { + throw new IllegalStateException("No count on exit"); + } + if (i < 1) + { + throw new IllegalStateException("No count less than 1"); + } + if (i == 1) + { + SecuredItemImpl.CACHE.remove(); + SecuredItemImpl.COUNT.remove(); + } + else + { + SecuredItemImpl.COUNT.set( i - 1 ); + } + } + + /** + * Increment the number of instances of SecuredItem. + */ + public static void incrementUse() + { + final Integer i = SecuredItemImpl.COUNT.get(); + if (i == null) + { + SecuredItemImpl.CACHE.set(new LRUMap(Math.max( + SecuredItemImpl.MAX_CACHE, 100))); + SecuredItemImpl.COUNT.set( 1 ); + } + else + { + SecuredItemImpl.COUNT.set( i + 1 ); + } + } + + // the evaluator we are using + private final SecurityEvaluator securityEvaluator; + + // the secured node for that names the graph. 
+ private final SecNode modelNode; + + // the item holder that we are evaluating. + private final ItemHolder<?, ?> itemHolder; + + /** + * Create the SecuredItemImpl. + * @param securedItem The securedItem. + * @param holder The Item holder for the securedItem. + * @throws IllegalArgumentException if securedItem is null or securedItem.getSecurityEvaluator() + * returns null, or the holder is null. + */ + protected SecuredItemImpl( final SecuredItem securedItem, + final ItemHolder<?, ?> holder ) + { + if (securedItem == null) + { + throw new IllegalArgumentException("Secured item may not be null"); + } + if (securedItem.getSecurityEvaluator() == null) + { + throw new IllegalArgumentException( + "Security evaluator in secured item may not be null"); + } + if (holder == null) + { + throw new IllegalArgumentException("ItemHolder may not be null"); + } + this.securityEvaluator = securedItem.getSecurityEvaluator(); + this.modelNode = new SecurityEvaluator.SecNode( + SecurityEvaluator.SecNode.Type.URI, securedItem.getModelIRI()); + this.itemHolder = holder; + } + + /** + * Create the SecuredItemImpl. + * @param securityEvaluator the secured evaluator to use. + * @param modelURI the URI for the model. + * @param holder The holder to use. + * @throws IllegalArgumentException if security evaluator is null, modelURI is null or empty, + * or holder is null. 
+ */ + protected SecuredItemImpl( final SecurityEvaluator securityEvaluator, + final String modelURI, final ItemHolder<?, ?> holder ) + { + if (securityEvaluator == null) + { + throw new IllegalArgumentException( + "Security evaluator may not be null"); + } + if (StringUtils.isEmpty(modelURI)) + { + throw new IllegalArgumentException( + "ModelURI may not be empty or null"); + } + if (holder == null) + { + throw new IllegalArgumentException("ItemHolder may not be null"); + } + this.securityEvaluator = securityEvaluator; + this.modelNode = new SecurityEvaluator.SecNode( + SecurityEvaluator.SecNode.Type.URI, modelURI); + this.itemHolder = holder; + } + + @Override + public String toString() { + if (canRead()) + { + return itemHolder.getBaseItem().toString(); + } + return super.toString(); + } + + /** + * get the cached value. + * @param key The key to look for. + * @return the value of the security check or <code>null</code> if the value has not been cached. + */ + private Boolean cacheGet( final CacheKey key ) + { + final LRUMap cache = SecuredItemImpl.CACHE.get(); + return (cache == null) ? null : (Boolean) cache.get(key); + } + + /** + * set teh cache value. + * @param key The key to set the value for. + * @param value The value to set. 
+ */ + void cachePut( final CacheKey key, final boolean value ) + { + final LRUMap cache = SecuredItemImpl.CACHE.get(); + if (cache != null) + { + cache.put(key, value); + SecuredItemImpl.CACHE.set(cache); + } + } + + /* + * (non-Javadoc) + * + * @see org.apache.jena.security.SecuredItem#canCreate() + */ + @Override + public boolean canCreate() + { + final CacheKey key = new CacheKey(Action.Create, modelNode); + Boolean retval = cacheGet(key); + if (retval == null) + { + retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Create, modelNode); + cachePut(key, retval); + } + return retval; + } + + public boolean canCreate( final org.apache.jena.graph.Triple t ) + { + return canCreate(SecuredItemImpl.convert(t)); + } + + @Override + public boolean canCreate( final SecTriple t ) + { + final CacheKey key = new CacheKey(Action.Create, modelNode, t); + Boolean retval = cacheGet(key); + if (retval == null) + { + retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Create, modelNode, t); + cachePut(key, retval); + } + return retval; + } + + public boolean canCreate( final Statement s ) + { + return canCreate(s.asTriple()); + } + + /* + * (non-Javadoc) + * + * @see org.apache.jena.security.SecuredItem#canDelete() + */ + @Override + public boolean canDelete() + { + final CacheKey key = new CacheKey(Action.Delete, modelNode); + Boolean retval = cacheGet(key); + if (retval == null) + { + retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Delete, modelNode); + cachePut(key, retval); + } + return retval; + } + + public boolean canDelete( final org.apache.jena.graph.Triple t ) + { + return canDelete(SecuredItemImpl.convert(t)); + } + + @Override + public boolean canDelete( final SecTriple t ) + { + final CacheKey key = new CacheKey(Action.Delete, modelNode, t); + Boolean retval = cacheGet(key); + if (retval == null) + { + retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Delete, 
modelNode, t); + cachePut(key, retval); + } + return retval; + } + + public boolean canDelete( final Statement s ) + { + return canDelete(s.asTriple()); + } + + /* + * (non-Javadoc) + * + * @see org.apache.jena.security.SecuredItem#canRead() + */ + @Override + public boolean canRead() + { + final CacheKey key = new CacheKey(Action.Read, modelNode); + Boolean retval = cacheGet(key); + if (retval == null) + { + retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Read, modelNode); + cachePut(key, retval); + } + return retval; + } + + public boolean canRead( final org.apache.jena.graph.Triple t ) + { + return canRead(SecuredItemImpl.convert(t)); + } + + @Override + public boolean canRead( final SecTriple t ) + { + final CacheKey key = new CacheKey(Action.Read, modelNode, t); + Boolean retval = cacheGet(key); + if (retval == null) + { + retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Read, modelNode, t); + cachePut(key, retval); + } + return retval; + } + + public boolean canRead( final Statement s ) + { + return canRead(s.asTriple()); + } + + /* + * (non-Javadoc) + * + * @see org.apache.jena.security.SecuredItem#canUpdate() + */ + @Override + public boolean canUpdate() + { + final CacheKey key = new CacheKey(Action.Update, modelNode); + Boolean retval = cacheGet(key); + if (retval == null) + { + retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Update, modelNode); + cachePut(key, retval); + } + return retval; + } + + public boolean canUpdate( final org.apache.jena.graph.Triple from, + final org.apache.jena.graph.Triple to ) + { + return canUpdate(SecuredItemImpl.convert(from), + SecuredItemImpl.convert(to)); + } + + @Override + public boolean canUpdate( final SecTriple from, final SecTriple to ) + { + final CacheKey key = new CacheKey(Action.Update, modelNode, from, to); + Boolean retval = cacheGet(key); + if (retval == null) + { + retval = 
securityEvaluator.evaluateUpdate(securityEvaluator.getPrincipal(),modelNode, from, to); + cachePut(key, retval); + } + return retval; + } + + public boolean canUpdate( final Statement from, final Statement to ) + { + return canUpdate(from.asTriple(), to.asTriple()); + } + + /** + * check that create on the securedModel is allowed, + * + * @throws AccessDeniedException + * on failure + */ + protected void checkCreate() + { + if (!canCreate()) + { + throw new AccessDeniedException(modelNode, Action.Create); + } + } + + protected void checkCreate( final org.apache.jena.graph.Triple t ) + { + checkCreate(SecuredItemImpl.convert(t)); + } + + /** + * check that the triple can be created in the securedModel., + * + * @throws AccessDeniedException + * on failure + */ + protected void checkCreate( final SecTriple t ) + { + if (!canCreate(t)) + { + throw new AccessDeniedException(modelNode, t.toString(), + Action.Create); + } + } + + protected void checkCreate( final Statement s ) + { + checkCreate(s.asTriple()); + } + + protected void checkCreateReified( final String uri, final SecTriple t ) + { + checkUpdate(); + final SecNode n = uri == null ? 
SecNode.FUTURE : new SecNode(Type.URI, + uri); + checkCreate(new SecTriple(n, SecuredItemImpl.convert(RDF.subject + .asNode()), t.getSubject())); + checkCreate(new SecTriple(n, SecuredItemImpl.convert(RDF.predicate + .asNode()), t.getPredicate())); + checkCreate(new SecTriple(n, SecuredItemImpl.convert(RDF.object + .asNode()), t.getObject())); + } + + protected void checkCreateStatement( final ExtendedIterator<Statement> stmts ) + { + if (!canCreate(SecTriple.ANY)) + { + try + { + while (stmts.hasNext()) + { + checkCreate(stmts.next()); + } + } + finally + { + stmts.close(); + } + } + } + + protected void checkCreateTriples( + final ExtendedIterator<org.apache.jena.graph.Triple> triples ) + { + if (!canCreate(SecTriple.ANY)) + { + try + { + while (triples.hasNext()) + { + checkCreate(triples.next()); + } + } + finally + { + triples.close(); + } + } + } + + /** + * check that delete on the securedModel is allowed, + * + * @throws AccessDeniedException + * on failure + */ + protected void checkDelete() + { + if (!canDelete()) + { + throw new AccessDeniedException(modelNode, Action.Delete); + } + } + + protected void checkDelete( final org.apache.jena.graph.Triple t ) + { + checkDelete(SecuredItemImpl.convert(t)); + } + + /** + * check that the triple can be deleted in the securedModel., + * + * @throws AccessDeniedException + * on failure + */ + protected void checkDelete( final SecTriple t ) + { + if (!canDelete(t)) + { + throw new AccessDeniedException(modelNode, t.toString(), + Action.Delete); + } + } + + protected void checkDelete( final Statement s ) + { + checkDelete(s.asTriple()); + } + + protected void checkDeleteStatements( + final ExtendedIterator<Statement> stmts ) + { + if (!canDelete(SecTriple.ANY)) + { + try + { + while (stmts.hasNext()) + { + checkDelete(stmts.next()); + } + } + finally + { + stmts.close(); + } + } + } + + protected void checkDeleteTriples( + final ExtendedIterator<org.apache.jena.graph.Triple> triples ) + { + if 
(!canDelete(SecTriple.ANY)) + { + try + { + while (triples.hasNext()) + { + checkDelete(triples.next()); + } + } + finally + { + triples.close(); + } + } + } + + /** + * check that read on the securedModel is allowed, + * + * @throws AccessDeniedException + * on failure + */ + protected void checkRead() + { + if (!canRead()) + { + throw new AccessDeniedException(modelNode, Action.Read); + } + } + + protected void checkRead( final org.apache.jena.graph.Triple t ) + { + checkRead(SecuredItemImpl.convert(t)); + } + + /** + * check that the triple can be read in the securedModel., + * + * @throws AccessDeniedException + * on failure + */ + protected void checkRead( final SecTriple t ) + { + if (!canRead(t)) + { + throw new AccessDeniedException(modelNode, t.toString(), + Action.Read); + } + } + + protected void checkRead( final Statement s ) + { + checkRead(s.asTriple()); + } + + protected void checkReadStatement( final ExtendedIterator<Statement> stmts ) + { + try + { + while (stmts.hasNext()) + { + checkRead(stmts.next()); + } + } + finally + { + stmts.close(); + } + } + + protected void checkReadTriples( + final ExtendedIterator<org.apache.jena.graph.Triple> triples ) + { + try + { + while (triples.hasNext()) + { + checkRead(triples.next()); + } + } + finally + { + triples.close(); + } + } + + /** + * check that update on the securedModel is allowed, + * + * @throws AccessDeniedException + * on failure + */ + protected void checkUpdate() + { + if (!canUpdate()) + { + throw new AccessDeniedException(modelNode, Action.Update); + } + } + + protected void checkUpdate( final org.apache.jena.graph.Triple from, + final org.apache.jena.graph.Triple to ) + { + checkUpdate(SecuredItemImpl.convert(from), SecuredItemImpl.convert(to)); + } + + /** + * check that the triple can be updated in the securedModel., + * + * @param from the starting triple + * @param to the final triple. 
+ * @throws AccessDeniedException + * on failure + */ + protected void checkUpdate( final SecTriple from, final SecTriple to ) + { + if (!canUpdate(from, to)) + { + throw new AccessDeniedException(modelNode, String.format( + "%s to %s", from, to), Action.Update); + } + } + + /* + * (non-Javadoc) + * + * @see org.apache.jena.security.SecuredItem#equals(java.lang.Object) + */ + @Override + public boolean equals( final Object o ) + { + if (Proxy.isProxyClass(o.getClass())) + { + return o.equals(itemHolder.getSecuredItem()); + } + else + { + if (o instanceof SecuredItemImpl) + { + return itemHolder.getBaseItem().equals( ((SecuredItemImpl)o).getBaseItem()); + } + return false; + } + } + + @Override + public int hashCode() + { + return itemHolder.getBaseItem().hashCode(); + } + /* + * (non-Javadoc) + * + * @see org.apache.jena.security.SecuredItem#getBaseItem() + */ + @Override + public Object getBaseItem() + { + return itemHolder.getBaseItem(); + } + + /* + * (non-Javadoc) + * + * @see org.apache.jena.security.SecuredItem#getModelIRI() + */ + @Override + public String getModelIRI() + { + return modelNode.getValue(); + } + + /** + * get the name of the model. + */ + @Override + public SecNode getModelNode() + { + return modelNode; + } + + /* + * (non-Javadoc) + * + * @see org.apache.jena.security.SecuredItem#getSecurityEvaluator() + */ + @Override + public SecurityEvaluator getSecurityEvaluator() + { + return securityEvaluator; + } + + /* + * (non-Javadoc) + * + * @see org.apache.jena.security.isEquivalent() + */ + @Override + public boolean isEquivalent( final SecuredItem securedItem ) + { + return SecuredItem.Util.isEquivalent(this, securedItem); + } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemInvoker.java ---------------------------------------------------------------------- 
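Review bot: `CacheKey` identifies a cached decision only by `action`, `modelNode`, `to` and `from`, while `CACHE` is a static `ThreadLocal` shared by every `SecuredItemImpl` on the thread. A result computed by one `SecurityEvaluator` can therefore be returned for another item that has the same model IRI but a different evaluator during the same outermost call. Whether that combination occurs depends on callers outside this hunk, but an authorization cache should key on everything the decision depends on, for example a field `private final SecurityEvaluator evaluator = securityEvaluator;` that is compared in `equals()` and appended in `hashCode()`. `compareTo` is also asymmetric for nulls: a null `this.to` returns -1, but a non-null `this.to` against a null `other.to` falls through to `this.to.compareTo(null)`, so add `if (other.to == null) return 1;` and the same for `from`. `equals(Object)` calls `o.getClass()` with no null guard, so `equals(null)` throws instead of returning false.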
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemInvoker.java b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemInvoker.java
new file mode 100644
index 0000000..94416e5
--- /dev/null
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemInvoker.java
@@ -0,0 +1,146 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jena.permissions.impl; + +import java.lang.reflect.InvocationHandler; +import java.lang.reflect.Method; +import java.lang.reflect.Modifier; +import java.lang.reflect.Proxy; + + +/** + * A generic InvocationHandler that handles the general invocation of the + * security methods. + */ +public class SecuredItemInvoker implements InvocationHandler +{ + // the equals() method + private static Method EQUALS; + // the toString() method + private static Method TO_STRING; + // the hashCode() method. + private static Method HASH_CODE; + // the instance of SecuredItem that this proxy is using. Must be + // package-private for ItemHolder use. + /* package-private */final SecuredItem securedItem; + + final Class<?> securedClass; + + // populate the static fields. 
+ static + { + try + { + SecuredItemInvoker.EQUALS = Object.class.getMethod("equals", + Object.class); + SecuredItemInvoker.TO_STRING = Object.class.getMethod("toString"); + SecuredItemInvoker.HASH_CODE = Object.class.getMethod("hashCode"); + } + catch (final SecurityException e) + { + throw new RuntimeException(e); + } + catch (final NoSuchMethodException e) + { + throw new RuntimeException(e); + } + } + + /** + * Constructor. + * + * @param securedClass + * The class of the object that is being protected. + * @param securedItem + * The implementation of the SecuredItem version of the object. + */ + public SecuredItemInvoker( final Class<?> securedClass, + final SecuredItem securedItem ) + { + this.securedItem = securedItem; + this.securedClass = securedClass; + } + + @Override + public Object invoke( final Object proxy, final Method method, + final Object[] args ) throws Throwable + { + + // check for the special case methods + if (SecuredItemInvoker.EQUALS.equals(method)) + { + if (Proxy.isProxyClass(args[0].getClass())) + { + return args[0].equals(securedItem); + } + else + { + return securedItem.equals(args[0]); + } + } + + if (SecuredItemInvoker.HASH_CODE.equals(method)) + { + return securedItem.hashCode(); + } + + if (SecuredItemInvoker.TO_STRING.equals(method)) + { + return securedItem.toString(); + } + + try + { + final Method m = securedItem.getClass().getMethod(method.getName(), + method.getParameterTypes()); + if (!Modifier.isAbstract(m.getModifiers())) + { + try + { + SecuredItemImpl.incrementUse(); + try + { + return m.invoke(securedItem, args); + } + finally + { + SecuredItemImpl.decrementUse(); + } + + } + catch (final java.lang.reflect.InvocationTargetException e2) + { + if (e2.getTargetException() instanceof RuntimeException) + { + throw e2.getTargetException(); + } + throw e2; + } + } + } + catch (final NoSuchMethodException e2) + { + // acceptable + } + + // if we get here then the method is not being proxied so call the + // original method on 
the base item. + return method.invoke(securedItem.getBaseItem(), args); + + } +} http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredAlt.java ---------------------------------------------------------------------- diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredAlt.java b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredAlt.java new file mode 100644 index 0000000..7630b79 --- /dev/null +++ b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredAlt.java 
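Review bot: `invoke` fails open: when the secured implementation has no matching method (the `NoSuchMethodException` branch marked `// acceptable`) or the match is abstract, the call goes to `method.invoke(securedItem.getBaseItem(), args)` with no permission check and outside the `incrementUse()`/`decrementUse()` bracket. Because `ItemHolder.setSecuredItem` builds the proxy from every interface of the base object, any interface method the secured class does not override, including ones added to the base type later, is served unguarded. I would at least record that at the fall-through, e.g. `// SECURITY: not permission-checked; reached for every base-interface method the secured class does not implement`, and consider rejecting or logging methods outside an explicit pass-through list. The `equals` branch also dereferences `args[0]` without a null check, so `proxy.equals(null)` throws rather than returning false.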
@@ -0,0 +1,264 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.permissions.model;
+
+import org.apache.jena.permissions.AccessDeniedException;
+import org.apache.jena.rdf.model.Alt ;
+import org.apache.jena.rdf.model.RDFNode ;
+import org.apache.jena.rdf.model.ResourceF ;
+
+/**
+ * The interface for secured Alt instances.
+ *
+ * Use the SecuredAlt.Factory to create instances
+ */
+@SuppressWarnings("deprecation")
+public interface SecuredAlt extends Alt, SecuredContainer
+{
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredRDFNode getDefault() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredAlt getDefaultAlt() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredBag getDefaultBag() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean getDefaultBoolean() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public byte getDefaultByte() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public char getDefaultChar() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public double getDefaultDouble() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public float getDefaultFloat() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public int getDefaultInt() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public String getDefaultLanguage() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredLiteral getDefaultLiteral() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public long getDefaultLong() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredResource getDefaultResource() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ @Deprecated
+ public SecuredResource getDefaultResource( final ResourceF f )
+ throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredSeq getDefaultSeq() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public short getDefaultShort() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple(this, RDF.li(1), o )
+ * @throws AccessDeniedException
+ */
+ @Override
+ public String getDefaultString() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+ * RDF.li(1), o )
+ * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredAlt setDefault( final boolean o )
+ throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+ * RDF.li(1), o )
+ * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredAlt setDefault( final char o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+ * RDF.li(1), o )
+ * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredAlt setDefault( final double o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+ * RDF.li(1), o )
+ * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredAlt setDefault( final float o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+ * RDF.li(1), o )
+ * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredAlt setDefault( final long o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+ * RDF.li(1), o )
+ * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredAlt setDefault( final Object o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+ * RDF.li(1), o )
+ * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredAlt setDefault( final RDFNode o )
+ throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+ * RDF.li(1), o )
+ * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredAlt setDefault( final String o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+ * RDF.li(1), o )
+ * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredAlt setDefault( final String o, final String l )
+ throws AccessDeniedException;
+
+}
http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredBag.java
----------------------------------------------------------------------
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredBag.java b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredBag.java
new file mode 100644
index 0000000..c40f78f
--- /dev/null
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredBag.java
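Review bot: The type Javadoc says `Use the SecuredAlt.Factory to create instances`, but the interface added here declares no nested `Factory`, so the reference does not resolve from this file and a caller cannot tell which entry point returns a permission-checked instance. The same sentence appears on `SecuredBag` and `SecuredLiteral` later in this commit. Point it at the class that actually builds the wrapper with a `{@link ...}`, and state whether an `Alt` obtained any other way is covered by the `@sec.graph`/`@sec.triple` checks listed on the methods. Separately, `@SuppressWarnings("deprecation")` sits on the whole interface although only `getDefaultResource( final ResourceF f )` appears to need it; moving it onto that method keeps later deprecations visible.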
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.permissions.model;
+
+import org.apache.jena.rdf.model.Bag ;
+
+/**
+ * The interface for secured Bag instances.
+ *
+ * Use the SecuredBag.Factory to create instances
+ */
+public interface SecuredBag extends Bag, SecuredContainer
+{
+}
http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredContainer.java
----------------------------------------------------------------------
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredContainer.java b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredContainer.java
new file mode 100644
index 0000000..4fc9198
--- /dev/null
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredContainer.java
@@ -0,0 +1,218 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.permissions.model;
+
+import java.util.Set;
+
+import org.apache.jena.permissions.AccessDeniedException;
+import org.apache.jena.permissions.SecurityEvaluator.Action;
+import org.apache.jena.permissions.model.impl.SecuredNodeIterator;
+import org.apache.jena.rdf.model.Container ;
+import org.apache.jena.rdf.model.RDFNode ;
+import org.apache.jena.rdf.model.Statement ;
+
+/**
+ * The interface for secured Container instances.
+ *
+ * Use one of the SecuredContainer derived class Factory methods to create
+ * instances
+ */
+public interface SecuredContainer extends Container, SecuredResource
+{
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Create SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredContainer add( final boolean o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Create SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredContainer add( final char o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Create SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredContainer add( final double o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Create SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredContainer add( final float o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Create SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredContainer add( final long o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Create SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredContainer add( final Object o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Create SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredContainer add( final RDFNode o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Create SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredContainer add( final String o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Create SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredContainer add( final String o, final String l )
+ throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean contains( final boolean o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean contains( final char o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean contains( final double o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean contains( final float o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean contains( final long o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean contains( final Object o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean contains( final RDFNode o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean contains( final String o ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read SecTriple( this, RDF.li, o );
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean contains( final String o, final String l )
+ throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read on each triple ( this, rdf:li_? node ) returned by
+ * iterator;
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredNodeIterator<RDFNode> iterator() throws AccessDeniedException;
+
+ /**
+ * @param perms the Permissions required on each node returned
+ * @sec.graph Read
+ * @sec.triple Read + perms on each triple ( this, rdf:li_? node ) returned
+ * by iterator;
+ * @throws AccessDeniedException
+ */
+ public SecuredNodeIterator<RDFNode> iterator( Set<Action> perms )
+ throws AccessDeniedException;
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Delete s as triple;
+ * @throws AccessDeniedException
+ */
+ @Override
+ public SecuredContainer remove( final Statement s )
+ throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public int size() throws AccessDeniedException;
+}
http://git-wip-us.apache.org/repos/asf/jena/blob/c4b0113d/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredLiteral.java
----------------------------------------------------------------------
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredLiteral.java b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredLiteral.java
new file mode 100644
index 0000000..259430c
--- /dev/null
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredLiteral.java
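Review bot: `size()` is documented with `@sec.graph Read` only, while `iterator()` in the same interface requires Read on each member triple, so the contract leaves open whether the count includes members the caller is not allowed to read. If the implementation (not visible in this hunk) returns the underlying container's count, the number of hidden members is disclosed to anyone holding graph Read. State the rule in the Javadoc, for example `@sec.triple Read on each triple ( this, rdf:li_? node ) counted`, or say explicitly that the count is unfiltered. `iterator( Set<Action> perms )` has a related gap: it does not say whether a node that fails the extra permissions is skipped or raises `AccessDeniedException`.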
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.permissions.model;
+
+import org.apache.jena.datatypes.DatatypeFormatException ;
+import org.apache.jena.datatypes.RDFDatatype ;
+import org.apache.jena.permissions.AccessDeniedException;
+import org.apache.jena.rdf.model.Literal ;
+import org.apache.jena.rdf.model.Model ;
+
+/**
+ * The interface for secured Literal instances.
+ *
+ * Use the SecuredLiteral.Factory to create instances
+ */
+public interface SecuredLiteral extends Literal, SecuredRDFNode
+{
+
+ @Override
+ public SecuredLiteral asLiteral();
+
+ // @Override
+ // public SecuredResource asResource();
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean getBoolean() throws AccessDeniedException,
+ DatatypeFormatException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public byte getByte() throws AccessDeniedException, DatatypeFormatException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public char getChar() throws AccessDeniedException, DatatypeFormatException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public RDFDatatype getDatatype() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public String getDatatypeURI() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public double getDouble() throws AccessDeniedException,
+ DatatypeFormatException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public float getFloat() throws AccessDeniedException,
+ DatatypeFormatException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public int getInt() throws AccessDeniedException, DatatypeFormatException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public String getLanguage() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public String getLexicalForm() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public long getLong() throws AccessDeniedException, DatatypeFormatException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public short getShort() throws AccessDeniedException,
+ DatatypeFormatException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public String getString() throws AccessDeniedException,
+ DatatypeFormatException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public Object getValue() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public Literal inModel( final Model m ) throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean isWellFormedXML() throws AccessDeniedException;
+
+ /**
+ * @sec.graph Read
+ * @throws AccessDeniedException
+ */
+ @Override
+ public boolean sameValueAs( final Literal other )
+ throws AccessDeniedException;
+
+}
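Review bot: `inModel( final Model m )` is declared to return plain `Literal`, whereas `asLiteral()` at the top of the interface narrows its return to `SecuredLiteral`, and its Javadoc carries only `@sec.graph Read`. A caller therefore cannot tell from the contract whether the literal it gets back is still permission-checked, in particular when `m` is not itself a secured model; this is inferred from the signature, the implementation is not in this hunk. Add a `@return` line that states which applies, e.g. `@return a secured literal when m is secured, otherwise a plain Literal attached to m`, or narrow the return type if the wrapper is always kept. `asLiteral()` is also the only method here without a `@sec.graph` tag; a one-line Javadoc saying it needs no permission would show the omission is deliberate.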
