Author: tripod
Date: Tue Oct 22 21:14:40 2013
New Revision: 1534792
URL: http://svn.apache.org/r1534792
Log:
OAK-527 Implement Permission evaluation
- calculate number of permission entries in commit hook
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionConstants.java
jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AbstractPermissionHookTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java?rev=1534792&r1=1534791&r2=1534792&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
Tue Oct 22 21:14:40 2013
@@ -303,12 +303,15 @@ public class PermissionHook implements P
continue;
}
+ long numEntries =
PermissionUtil.getNumPermissions(principalRoot);
+
// check if the node is the correct one
if (PermissionUtil.checkACLPath(parent,
accessControlledPath)) {
// remove and reconnect child nodes
NodeBuilder newParent = null;
for (String childName : parent.getChildNodeNames()) {
if (childName.charAt(0) != 'c') {
+ numEntries--;
continue;
}
NodeBuilder child = parent.getChildNode(childName);
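Review bot: The running count starts from `PermissionUtil.getNumPermissions(principalRoot)`, which returns 0 when `rep:numPermissions` is absent. A principal root that holds entries but has no property (for example one written before this revision) would therefore be taken below zero by the `numEntries--` here and in the following hunk, and the later `setProperty` would persist that value. The add path before `updateEntries` uses the same baseline. Consider initialising the counter from an actual recount when the property is missing, or at least guarding the write with `principalRoot.setProperty(REP_NUM_PERMISSIONS, Math.max(0, numEntries));`. The enclosing method starts and ends outside this hunk.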
@@ -332,10 +335,14 @@ public class PermissionHook implements P
NodeBuilder child = parent.getChildNode(childName);
if (PermissionUtil.checkACLPath(child,
accessControlledPath)) {
// remove child
+ for (String n: child.getChildNodeNames()) {
+ numEntries--;
+ }
child.remove();
}
}
}
+ principalRoot.setProperty(REP_NUM_PERMISSIONS, numEntries);
} else {
log.error("{} {}: Principal root missing.", msg, this);
}
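Review bot: The new loop over `child.getChildNodeNames()` decrements once per child name without the `charAt(0) != 'c'` filter that the first hunk and `updateEntries` apply, and its variable `n` is never read. If a collision child can only hold entry nodes the result is the same, but that is not visible here, and any 'c'-prefixed node under it would be subtracted as if it were an entry. Suggest `if (n.charAt(0) != 'c') { numEntries--; }` inside the loop, or a one-line comment stating why no filter is needed. The surrounding method begins outside the hunk.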
@@ -387,15 +394,19 @@ public class PermissionHook implements P
// new parent
parent.setProperty(REP_ACCESS_CONTROLLED_PATH,
accessControlledPath);
}
- updateEntries(parent, entries.get(principalName));
+ long numEntries =
PermissionUtil.getNumPermissions(principalRoot);
+ numEntries+= updateEntries(parent, entries.get(principalName));
+ principalRoot.setProperty(REP_NUM_PERMISSIONS, numEntries);
}
}
- private void updateEntries(NodeBuilder parent, List<AcEntry> list) {
+ private long updateEntries(NodeBuilder parent, List<AcEntry> list) {
// remove old entries
+ long numEntries = 0;
for (String childName : parent.getChildNodeNames()) {
if (childName.charAt(0) != 'c') {
parent.getChildNode(childName).remove();
+ numEntries--;
}
}
for (AcEntry ace: list) {
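Review bot: `updateEntries` now returns a signed net change (entries added minus entries removed), not a count, but nothing on the method says so and the local is named `numEntries` like the absolute counter in the caller. A short Javadoc such as `/** Replaces the entries below {@code parent}; @return the net change in the number of entry nodes (may be negative). */` and renaming the local to `delta` would make the `numEntries += updateEntries(...)` call site self-explanatory. The caller's `numEntries+=` is also missing the space before the operator. The method body continues in the next hunk.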
@@ -407,7 +418,9 @@ public class PermissionHook implements P
for (Restriction restriction : ace.restrictions) {
n.setProperty(restriction.getProperty());
}
+ numEntries++;
}
+ return numEntries;
}
}
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java?rev=1534792&r1=1534791&r2=1534792&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java
Tue Oct 22 21:14:40 2013
@@ -62,8 +62,7 @@ final class PermissionStore implements P
if (!principalTrees.isEmpty()) {
Iterator<Tree> treeItr = principalTrees.values().iterator();
while (treeItr.hasNext() && cnt < MAX_SIZE) {
- Tree t = treeItr.next();
- cnt += t.getChildrenCount(MAX_SIZE);
+ cnt += PermissionUtil.getNumPermissions(treeItr.next());
}
}
return new PermissionStore(principalTrees, restrictionProvider, (cnt <
MAX_SIZE));
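Review bot: The stored counter is added to `cnt` with no bound, whereas the removed `getChildrenCount(MAX_SIZE)` capped each tree's contribution. The `cnt < MAX_SIZE` decision now rests entirely on a persisted value: a negative or very large `rep:numPermissions` flows straight in, and if `cnt` is declared as `int` (its declaration is outside the hunk) the compound `+=` narrows the `long` silently. Clamping keeps the loop's arithmetic within the old range: `long n = PermissionUtil.getNumPermissions(treeItr.next());` followed by `cnt += Math.max(0, Math.min(n, MAX_SIZE));`. What the resulting boolean selects in `PermissionStore` is not shown here, so the impact of a wrong count should be confirmed against the constructor.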
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java?rev=1534792&r1=1534791&r2=1534792&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java
Tue Oct 22 21:14:40 2013
@@ -65,6 +65,16 @@ public final class PermissionUtil implem
return String.valueOf(path.hashCode());
}
+ public static long getNumPermissions(@Nonnull NodeBuilder node) {
+ PropertyState property = node.getProperty(REP_NUM_PERMISSIONS);
+ return property == null ? 0 : property.getValue(Type.LONG);
+ }
+
+ public static long getNumPermissions(@Nonnull Tree node) {
+ PropertyState property = node.getProperty(REP_NUM_PERMISSIONS);
+ return property == null ? 0 : property.getValue(Type.LONG);
+ }
+
public static boolean checkACLPath(@Nonnull NodeBuilder node, @Nonnull
String path) {
PropertyState property = node.getProperty(REP_ACCESS_CONTROLLED_PATH);
return property != null && path.equals(property.getValue(Type.STRING));
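Review bot: Both new `getNumPermissions` overloads are public but undocumented, and they return 0 for a missing property, which callers cannot tell apart from a counted zero. Add Javadoc to each stating that the value is read from `rep:numPermissions`, that 0 is returned when the property is absent, and that the value is not validated (it may be stale or negative if the hook's bookkeeping drifted). Something like `/** Returns the value of {@code rep:numPermissions} on the given node, or 0 if the property is not set. */` would do. The two bodies are identical apart from the parameter type, which the comment could also mention so a later change is applied to both.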
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionConstants.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionConstants.java?rev=1534792&r1=1534791&r2=1534792&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionConstants.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionConstants.java
Tue Oct 22 21:14:40 2013
@@ -37,6 +37,7 @@ public interface PermissionConstants {
String PERMISSIONS_STORE_PATH = '/' + JcrConstants.JCR_SYSTEM + '/' +
REP_PERMISSION_STORE;
String REP_ACCESS_CONTROLLED_PATH = "rep:accessControlledPath";
+ String REP_NUM_PERMISSIONS = "rep:numPermissions";
String REP_IS_ALLOW = "rep:isAllow";
String REP_PRIVILEGE_BITS = "rep:privileges";
String REP_INDEX = "rep:index";
Modified:
jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd?rev=1534792&r1=1534791&r2=1534792&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
Tue Oct 22 21:14:40 2013
@@ -670,6 +670,7 @@
*/
[rep:PermissionStore]
- rep:accessControlledPath (STRING) protected
+ - rep:numPermissions (LONG) protected
+ * (rep:PermissionStore) = rep:PermissionStore protected IGNORE
+ * (rep:Permissions) = rep:Permissions protected IGNORE
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AbstractPermissionHookTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AbstractPermissionHookTest.java?rev=1534792&r1=1534791&r2=1534792&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AbstractPermissionHookTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AbstractPermissionHookTest.java
Tue Oct 22 21:14:40 2013
@@ -343,4 +343,43 @@ public abstract class AbstractPermission
principalRoot = getPrincipalRoot(EveryonePrincipal.NAME);
assertEquals(2, cntEntries(principalRoot));
}
+
+ @Test
+ public void testNumPermissions() throws Exception {
+
+ AccessControlManager acMgr = getAccessControlManager(root);
+ JackrabbitAccessControlList acl =
AccessControlUtils.getAccessControlList(acMgr, testPath);
+ acl.addAccessControlEntry(getTestPrincipal(),
privilegesFromNames(JCR_READ, REP_WRITE));
+ acMgr.setPolicy(testPath, acl);
+ root.commit();
+
+ assertEquals(1,
PermissionUtil.getNumPermissions(getPrincipalRoot(testPrincipalName)));
+ assertEquals(1,
PermissionUtil.getNumPermissions(getPrincipalRoot(EveryonePrincipal.NAME)));
+
+ acl = AccessControlUtils.getAccessControlList(acMgr, childPath);
+ acl.addAccessControlEntry(EveryonePrincipal.getInstance(),
privilegesFromNames(JCR_READ));
+ acMgr.setPolicy(childPath, acl);
+ root.commit();
+
+ assertEquals(1,
PermissionUtil.getNumPermissions(getPrincipalRoot(testPrincipalName)));
+ assertEquals(2,
PermissionUtil.getNumPermissions(getPrincipalRoot(EveryonePrincipal.NAME)));
+
+ acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
+ acl.removeAccessControlEntry(acl.getAccessControlEntries()[0]);
+ acMgr.setPolicy(testPath, acl);
+ root.commit();
+
+ assertEquals(0,
PermissionUtil.getNumPermissions(getPrincipalRoot(testPrincipalName)));
+ assertEquals(2,
PermissionUtil.getNumPermissions(getPrincipalRoot(EveryonePrincipal.NAME)));
+
+ acl = AccessControlUtils.getAccessControlList(acMgr, childPath);
+ acl.removeAccessControlEntry(acl.getAccessControlEntries()[0]);
+ acMgr.setPolicy(childPath, acl);
+ root.commit();
+
+ assertEquals(0,
PermissionUtil.getNumPermissions(getPrincipalRoot(testPrincipalName)));
+ assertEquals(1,
PermissionUtil.getNumPermissions(getPrincipalRoot(EveryonePrincipal.NAME)));
+ }
+
+
}
\ No newline at end of file
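Review bot: `testNumPermissions` asserts the counter against hard-coded numbers only, so it would not notice the property drifting from the entry nodes actually stored under the principal root. The file already has `cntEntries(principalRoot)` (used just above this hunk); adding `assertEquals(cntEntries(principalRoot), PermissionUtil.getNumPermissions(principalRoot));` after each commit would tie the two together. The test also never modifies an ACL that keeps entries for the same principal, so the remove-old-entries branch of `updateEntries` (the `numEntries--` there) does not appear to be exercised by these steps. A case that starts from a principal root without `rep:numPermissions` would cover the missing-property baseline as well.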