Author: angela
Date: Wed Sep 11 14:08:23 2013
New Revision: 1521856
URL: http://svn.apache.org/r1521856
Log:
OAK-51 : Access Control Management
- simplify restrictions
- add compositerestrictionprovider
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java?rev=1521856&r1=1521855&r2=1521856&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
Wed Sep 11 14:08:23 2013
@@ -91,7 +91,7 @@ public class PrincipalRestrictionProvide
Iterator<Restriction> it = Sets.newHashSet(restrictions).iterator();
while (it.hasNext()) {
Restriction r = it.next();
- if (REP_NODE_PATH.equals(r.getName())) {
+ if (REP_NODE_PATH.equals(r.getDefinition().getName())) {
it.remove();
}
}
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java?rev=1521856&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java
Wed Sep 11 14:08:23 2013
@@ -0,0 +1,146 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import javax.jcr.security.AccessControlException;
+
+import com.google.common.collect.Sets;
+import org.apache.jackrabbit.oak.api.Tree;
+
+/**
+ * Aggregates of a collection of {@link RestrictionProvider} implementations
+ * into a single provider.
+ */
+public class CompositeRestrictionProvider implements RestrictionProvider {
+
+ private final Collection<? extends RestrictionProvider> providers;
+
+ private CompositeRestrictionProvider(Collection<? extends
RestrictionProvider> providers) {
+ this.providers = providers;
+ }
+
+ public static RestrictionProvider newInstance(Collection<? extends
RestrictionProvider> providers) {
+ return new CompositeRestrictionProvider(providers);
+ }
+
+ @Nonnull
+ @Override
+ public Set<RestrictionDefinition> getSupportedRestrictions(@Nullable
String oakPath) {
+ Set<RestrictionDefinition> defs = Sets.newHashSet();
+ for (RestrictionProvider rp : providers) {
+ defs.addAll(rp.getSupportedRestrictions(oakPath));
+ }
+ return defs;
+ }
+
+ @Nonnull
+ @Override
+ public Restriction createRestriction(@Nullable String oakPath, @Nonnull
String oakName, @Nonnull Value value) throws AccessControlException,
RepositoryException {
+ return getProvider(oakPath, oakName).createRestriction(oakPath,
oakName, value);
+ }
+
+ @Nonnull
+ @Override
+ public Restriction createRestriction(@Nullable String oakPath, @Nonnull
String oakName, @Nonnull Value... values) throws AccessControlException,
RepositoryException {
+ return getProvider(oakPath, oakName).createRestriction(oakPath,
oakName, values);
+ }
+
+ @Nonnull
+ @Override
+ public Set<Restriction> readRestrictions(@Nullable String oakPath,
@Nonnull Tree aceTree) {
+ Set<Restriction> restrictions = Sets.newHashSet();
+ for (RestrictionProvider rp : providers) {
+ restrictions.addAll(rp.readRestrictions(oakPath, aceTree));
+ }
+ return restrictions;
+ }
+
+ @Override
+ public void writeRestrictions(String oakPath, Tree aceTree,
Set<Restriction> restrictions) throws RepositoryException {
+ for (Restriction r : restrictions) {
+ RestrictionProvider rp = getProvider(oakPath, getName(r));
+ rp.writeRestrictions(oakPath, aceTree, restrictions);
+ }
+ }
+
+ @Override
+ public void validateRestrictions(@Nullable String oakPath, @Nonnull Tree
aceTree) throws AccessControlException, RepositoryException {
+ Set<RestrictionDefinition> supported =
getSupportedRestrictions(oakPath);
+ Set<String> rNames = new HashSet<String>();
+ for (Restriction r : readRestrictions(oakPath, aceTree)) {
+ String name = getName(r);
+ rNames.add(name);
+ boolean valid = false;
+ for (RestrictionDefinition def : supported) {
+ if (name.equals(def.getName())) {
+ valid = def.equals(r.getDefinition());
+ break;
+ }
+ }
+ if (!valid) {
+ throw new AccessControlException("Invalid restriction: " + r +
" at " + oakPath);
+ }
+ }
+ for (RestrictionDefinition def : supported) {
+ if (def.isMandatory() && !rNames.contains(def.getName())) {
+ throw new AccessControlException("Mandatory restriction " +
def.getName() + " is missing.");
+ }
+ }
+ }
+
+ @Nonnull
+ @Override
+ public RestrictionPattern getPattern(@Nullable String oakPath, @Nonnull
Tree tree) {
+ List<RestrictionPattern> patterns = new
ArrayList<RestrictionPattern>();
+ for (RestrictionProvider rp : providers) {
+ RestrictionPattern pattern = rp.getPattern(oakPath, tree);
+ if (pattern != RestrictionPattern.EMPTY) {
+ patterns.add(pattern);
+ }
+ }
+ switch (patterns.size()) {
+ case 0 : return RestrictionPattern.EMPTY;
+ case 1 : return patterns.iterator().next();
+ default : return new CompositePattern(patterns);
+ }
+ }
+
+ //------------------------------------------------------------< private
>---
+ private RestrictionProvider getProvider(@Nullable String oakPath, @Nonnull
String oakName) throws AccessControlException {
+ for (RestrictionProvider rp : providers) {
+ for (RestrictionDefinition def :
rp.getSupportedRestrictions(oakPath)) {
+ if (def.getName().equals(oakName)) {
+ return rp;
+ }
+ }
+ }
+ throw new AccessControlException("Unsupported restriction (path = " +
oakPath + "; name = " + oakName + ')');
+ }
+
+ private static String getName(Restriction restriction) {
+ return restriction.getDefinition().getName();
+ }
+}
\ No newline at end of file
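Review bot: In `writeRestrictions` every delegate is handed the complete `restrictions` set rather than the entry it was selected for, and a provider that owns several entries is invoked once per entry. A delegate therefore receives restrictions whose names it does not list in `getSupportedRestrictions`; whether it rejects, ignores or persists them is not visible here, so what ends up stored on the ACE depends on each delegate's leniency. Passing only the matched entry keeps the routing strict: `rp.writeRestrictions(oakPath, aceTree, Collections.singleton(r));` (needs `java.util.Collections`). Separately, the constructor keeps the caller's `providers` collection by reference, so a later mutation by the caller changes which restrictions this authorization component accepts; copying on construction, for example `this.providers = ImmutableSet.copyOf(providers);`, would pin the set.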
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java?rev=1521856&r1=1521855&r2=1521856&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
Wed Sep 11 14:08:23 2013
@@ -27,7 +27,15 @@ import org.apache.jackrabbit.oak.api.Pro
*
* @see
org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(java.security.Principal,
javax.jcr.security.Privilege[], boolean, java.util.Map)
*/
-public interface Restriction extends RestrictionDefinition {
+public interface Restriction {
+
+ /**
+ * Returns the underlying restriction definition.
+ *
+ * @return the restriction definition that applies to this restriction.
+ */
+ @Nonnull
+ RestrictionDefinition getDefinition();
/**
* The OAK property state associated with this restriction.
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java?rev=1521856&r1=1521855&r2=1521856&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
Wed Sep 11 14:08:23 2013
@@ -24,18 +24,25 @@ import org.apache.jackrabbit.oak.api.Pro
/**
* {@code RestrictionImpl}
*/
-public class RestrictionImpl extends RestrictionDefinitionImpl implements
Restriction {
+public class RestrictionImpl implements Restriction {
+ private final RestrictionDefinition definition;
private final PropertyState property;
public RestrictionImpl(@Nonnull PropertyState property, boolean
isMandatory) {
- super(property.getName(), property.getType(), isMandatory);
+ this.definition = new RestrictionDefinitionImpl(property.getName(),
property.getType(), isMandatory);
this.property = property;
}
//--------------------------------------------------------< Restriction
>---
@Nonnull
@Override
+ public RestrictionDefinition getDefinition() {
+ return definition;
+ }
+
+ @Nonnull
+ @Override
public PropertyState getProperty() {
return property;
}
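Review bot: The new `definition` field is built in the constructor from the property's own name and type, so `getDefinition().getRequiredType()` reports whatever type the stored property has, not a type declared by a provider, and nothing in the class says so. That matters to callers because `validateRestrictions` in the `CompositeRestrictionProvider` added by this commit relies on `def.equals(r.getDefinition())` to catch a mismatch with the supported definition. A short comment on the field would make the contract explicit, for example `// mirrors the property's name and type; providers must compare it against their supported definition`. The class Javadoc is still only `{@code RestrictionImpl}` and could state the same thing; the class body continues outside this hunk.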
@@ -43,7 +50,7 @@ public class RestrictionImpl extends Res
//-------------------------------------------------------------< Object
>---
@Override
public int hashCode() {
- return Objects.hashCode(getName(), getRequiredType(), isMandatory(),
property);
+ return Objects.hashCode(definition, property);
}
@Override
@@ -53,9 +60,8 @@ public class RestrictionImpl extends Res
}
if (o instanceof RestrictionImpl) {
RestrictionImpl other = (RestrictionImpl) o;
- return super.equals(other) && property.equals(other.property);
+ return definition.equals(other.definition) &&
property.equals(other.property);
}
-
return false;
}
}
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java?rev=1521856&r1=1521855&r2=1521856&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java
Wed Sep 11 14:08:23 2013
@@ -179,7 +179,7 @@ public class AbstractRestrictionProvider
public void testCreateRestriction() throws Exception {
Restriction r = restrictionProvider.createRestriction(testPath,
REP_GLOB, globValue);
assertNotNull(r);
- assertEquals(REP_GLOB, r.getName());
+ assertEquals(REP_GLOB, r.getDefinition().getName());
assertEquals(globValue.getString(),
r.getProperty().getValue(Type.STRING));
}
@@ -189,8 +189,8 @@ public class AbstractRestrictionProvider
valueFactory.createValue("nt:folder", PropertyType.NAME),
valueFactory.createValue("nt:file", PropertyType.NAME));
assertNotNull(r);
- assertEquals(REP_NT_NAMES, r.getName());
- assertEquals(Type.NAMES, r.getRequiredType());
+ assertEquals(REP_NT_NAMES, r.getDefinition().getName());
+ assertEquals(Type.NAMES, r.getDefinition().getRequiredType());
PropertyState ps = r.getProperty();
assertTrue(ps.isArray());
@@ -204,8 +204,8 @@ public class AbstractRestrictionProvider
public void testCreateMvRestriction2() throws Exception {
Restriction r = restrictionProvider.createRestriction(testPath,
REP_NT_NAMES, nameValues);
assertNotNull(r);
- assertEquals(REP_NT_NAMES, r.getName());
- assertEquals(Type.NAMES, r.getRequiredType());
+ assertEquals(REP_NT_NAMES, r.getDefinition().getName());
+ assertEquals(Type.NAMES, r.getDefinition().getRequiredType());
PropertyState ps = r.getProperty();
assertTrue(ps.isArray());
@@ -219,8 +219,8 @@ public class AbstractRestrictionProvider
public void testCreateMvRestriction3() throws Exception {
Restriction r = restrictionProvider.createRestriction(testPath,
REP_NT_NAMES, nameValue);
assertNotNull(r);
- assertEquals(REP_NT_NAMES, r.getName());
- assertEquals(Type.NAMES, r.getRequiredType());
+ assertEquals(REP_NT_NAMES, r.getDefinition().getName());
+ assertEquals(Type.NAMES, r.getDefinition().getRequiredType());
assertTrue(r.getProperty().isArray());
assertEquals(Type.NAMES, r.getProperty().getType());
@@ -233,8 +233,8 @@ public class AbstractRestrictionProvider
public void testCreateEmptyMvRestriction() throws Exception {
Restriction r = restrictionProvider.createRestriction(testPath,
REP_NT_NAMES);
assertNotNull(r);
- assertEquals(REP_NT_NAMES, r.getName());
- assertEquals(Type.NAMES, r.getRequiredType());
+ assertEquals(REP_NT_NAMES, r.getDefinition().getName());
+ assertEquals(Type.NAMES, r.getDefinition().getRequiredType());
assertTrue(r.getProperty().isArray());
assertEquals(Type.NAMES, r.getProperty().getType());
@@ -248,8 +248,8 @@ public class AbstractRestrictionProvider
public void testCreateEmptyMvRestriction2() throws Exception {
Restriction r = restrictionProvider.createRestriction(testPath,
REP_NT_NAMES, new Value[0]);
assertNotNull(r);
- assertEquals(REP_NT_NAMES, r.getName());
- assertEquals(Type.NAMES, r.getRequiredType());
+ assertEquals(REP_NT_NAMES, r.getDefinition().getName());
+ assertEquals(Type.NAMES, r.getDefinition().getRequiredType());
assertTrue(r.getProperty().isArray());
assertEquals(Type.NAMES, r.getProperty().getType());
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java?rev=1521856&r1=1521855&r2=1521856&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
Wed Sep 11 14:08:23 2013
@@ -19,6 +19,8 @@ package org.apache.jackrabbit.oak.spi.se
import java.util.ArrayList;
import java.util.List;
+import javax.annotation.Nonnull;
+
import com.google.common.collect.ImmutableList;
import org.apache.jackrabbit.oak.TestNameMapper;
import org.apache.jackrabbit.oak.api.PropertyState;
@@ -57,17 +59,17 @@ public class RestrictionImplTest extends
@Test
public void testGetName() {
- assertEquals(name, restriction.getName());
+ assertEquals(name, restriction.getDefinition().getName());
}
@Test
public void testGetRequiredType() {
- assertEquals(Type.NAME, restriction.getRequiredType());
+ assertEquals(Type.NAME, restriction.getDefinition().getRequiredType());
}
@Test
public void testIsMandatory() {
- assertTrue(restriction.isMandatory());
+ assertTrue(restriction.getDefinition().isMandatory());
}
@Test
@@ -101,18 +103,12 @@ public class RestrictionImplTest extends
rs.add(new RestrictionImpl(createProperty(name, value), false));
// - different impl
rs.add(new Restriction() {
+ @Nonnull
@Override
- public String getName() {
- return name;
- }
- @Override
- public Type<?> getRequiredType() {
- return Type.NAME;
- }
- @Override
- public boolean isMandatory() {
- return true;
+ public RestrictionDefinition getDefinition() {
+ return new RestrictionDefinitionImpl(name, Type.NAME, true);
}
+
@Override
public PropertyState getProperty() {
return createProperty(name, value);