Author: angela
Date: Mon Nov 11 10:38:03 2013
New Revision: 1540659
URL: http://svn.apache.org/r1540659
Log:
OAK-51 : Access Control Management (add restriction that allows filtering by
namespace prefix)
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrefixPattern.java
- copied, changed from r1540632,
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
Copied:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrefixPattern.java
(from r1540632,
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java)
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrefixPattern.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrefixPattern.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java&r1=1540632&r2=1540659&rev=1540659&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrefixPattern.java
Mon Nov 11 10:38:03 2013
@@ -24,30 +24,38 @@ import com.google.common.collect.Immutab
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
-import org.apache.jackrabbit.oak.util.TreeUtil;
+import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
- * Implementation of the {@link RestrictionPattern} interface that returns
- * {@code true} if the primary type of the target tree (or the parent of a
- * target property) is contained in the configured node type name. This allows
- * to limit certain operations (e.g. adding or removing a child tree) to
- * nodes with a specific node type.
+ * Implementation of the
+ * {@link
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern}
+ * interface that returns {@code true} if the name of the target property or
tree
+ * starts with any of the configured namespace prefixes.
*/
-class NodeTypePattern implements RestrictionPattern {
+class PrefixPattern implements RestrictionPattern {
- private static final Logger log =
LoggerFactory.getLogger(NodeTypePattern.class);
+ private static final Logger log =
LoggerFactory.getLogger(PrefixPattern.class);
- private final Set<String> nodeTypeNames;
+ private final Set<String> prefixes;
- NodeTypePattern(@Nonnull Iterable<String> nodeTypeNames) {
- this.nodeTypeNames = ImmutableSet.copyOf(nodeTypeNames);
+ PrefixPattern(@Nonnull Iterable<String> prefixes) {
+ this.prefixes = ImmutableSet.copyOf(prefixes);
}
@Override
public boolean matches(@Nonnull Tree tree, @Nullable PropertyState
property) {
- return nodeTypeNames.contains(TreeUtil.getPrimaryTypeName(tree));
+ String name = (property != null) ? property.getName() : tree.getName();
+ String prefix = Text.getNamespacePrefix(name);
+ if (!prefix.isEmpty()) {
+ for (String p : prefixes) {
+ if (prefix.equals(p)) {
+ return true;
+ }
+ }
+ }
+ return false;
}
@Override
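Review bot: The class Javadoc says the name "starts with" a configured prefix, but `matches` compares the value returned by `Text.getNamespacePrefix(name)` for equality, and the `!prefix.isEmpty()` guard means an unprefixed name never matches, even if an empty string is configured. Both belong in the Javadoc, because an entry whose restriction silently matches nothing presumably does not take effect for the items it was meant to cover, and for a deny entry that is the unsafe direction. The loop over the set is equivalent to a lookup and could read `return !prefix.isEmpty() && prefixes.contains(prefix);`. The other methods of the class lie outside this hunk.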
@@ -68,7 +76,7 @@ class NodeTypePattern implements Restric
*/
@Override
public int hashCode() {
- return nodeTypeNames.hashCode();
+ return prefixes.hashCode();
}
/**
@@ -76,7 +84,7 @@ class NodeTypePattern implements Restric
*/
@Override
public String toString() {
- return nodeTypeNames.toString();
+ return prefixes.toString();
}
/**
@@ -87,9 +95,9 @@ class NodeTypePattern implements Restric
if (obj == this) {
return true;
}
- if (obj instanceof NodeTypePattern) {
- NodeTypePattern other = (NodeTypePattern) obj;
- return nodeTypeNames.equals(other.nodeTypeNames);
+ if (obj instanceof PrefixPattern) {
+ PrefixPattern other = (PrefixPattern) obj;
+ return prefixes.equals(other.prefixes);
}
return false;
}
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
Mon Nov 11 10:38:03 2013
@@ -57,7 +57,8 @@ public class RestrictionProviderImpl ext
private static Map<String, RestrictionDefinition> supportedRestrictions() {
RestrictionDefinition glob = new RestrictionDefinitionImpl(REP_GLOB,
Type.STRING, false);
RestrictionDefinition nts = new
RestrictionDefinitionImpl(REP_NT_NAMES, Type.NAMES, false);
- return ImmutableMap.of(glob.getName(), glob, nts.getName(), nts);
+ RestrictionDefinition pfxs = new
RestrictionDefinitionImpl(REP_PREFIXES, Type.STRINGS, false);
+ return ImmutableMap.of(glob.getName(), glob, nts.getName(), nts,
pfxs.getName(), pfxs);
}
//------------------------------------------------< RestrictionProvider
>---
@@ -78,6 +79,11 @@ public class RestrictionProviderImpl ext
patterns.add(new
NodeTypePattern(ntNames.getValue(Type.NAMES)));
}
+ PropertyState prefixes = tree.getProperty(REP_PREFIXES);
+ if (prefixes != null) {
+ patterns.add(new
PrefixPattern(prefixes.getValue(Type.STRINGS)));
+ }
+
switch (patterns.size()) {
case 1 : return patterns.get(0);
case 2 : return new CompositePattern(patterns);
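Review bot: With `REP_PREFIXES` added, `patterns` can now hold three entries, but the `switch` shown here only handles sizes 1 and 2. The remaining branches are outside this hunk, so this needs checking: if the fall-through returns the same pattern as an entry with no restrictions, an entry carrying glob, node type and prefix restrictions together would be evaluated as unrestricted, which widens the entry instead of narrowing it. Handling the empty list explicitly and composing every other size removes the dependency on the count, for example `default : return new CompositePattern(patterns);` after `case 1`. A test with all three restrictions set would pin the behaviour.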
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java
Mon Nov 11 10:38:03 2013
@@ -34,12 +34,21 @@ public interface AccessControlConstants
String REP_NODE_PATH = "rep:nodePath";
/**
- * Name of the optional access control restriction by node type name.
+ * Name of the optional multivalued access control restriction by node
type name.
* The corresponding restriction type is {@link
org.apache.jackrabbit.oak.api.Type#NAMES}.
*
* @since OAK 1.0
*/
String REP_NT_NAMES = "rep:ntNames";
+
+ /**
+ * Name of the optional multivalued access control restriction which
matches by name space prefix.
+ * The corresponding restriction type is {@link
org.apache.jackrabbit.oak.api.Type#STRINGS}.
+ *
+ * @since OAK 1.0
+ */
+ String REP_PREFIXES = "rep:prefixes";
+
/**
* @since OAK 1.0
*/
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
Mon Nov 11 10:38:03 2013
@@ -175,7 +175,7 @@ public abstract class AbstractRestrictio
@Nonnull
private Restriction createRestriction(PropertyState propertyState,
RestrictionDefinition definition) {
- return new RestrictionImpl(propertyState, definition.isMandatory());
+ return new RestrictionImpl(propertyState, definition);
}
@Nonnull
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java
Mon Nov 11 10:38:03 2013
@@ -50,6 +50,7 @@ public class RestrictionDefinitionImpl i
this.type = type;
this.isMandatory = isMandatory;
}
+
//----------------------------------------------< RestrictionDefinition
>---
@Nonnull
@Override
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
Mon Nov 11 10:38:03 2013
@@ -29,6 +29,11 @@ public class RestrictionImpl implements
private final RestrictionDefinition definition;
private final PropertyState property;
+ public RestrictionImpl(@Nonnull PropertyState property, @Nonnull
RestrictionDefinition def) {
+ this.definition = def;
+ this.property = property;
+ }
+
public RestrictionImpl(@Nonnull PropertyState property, boolean
isMandatory) {
this.definition = new RestrictionDefinitionImpl(property.getName(),
property.getType(), isMandatory);
this.property = property;
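Review bot: The new `RestrictionImpl(PropertyState, RestrictionDefinition)` constructor stores the two arguments without checking that they belong together, whereas the existing constructor derives the definition from the property and so cannot disagree with it. If validation reads `getDefinition()` while evaluation reads the property, a definition whose name or required type differs from the property's would go unnoticed; whether every caller guarantees a matching pair is not visible here. A Javadoc line stating the precondition, or a guard such as `if (!def.getName().equals(property.getName())) { throw new IllegalArgumentException("definition does not match property"); }`, would make the contract explicit. The body of the second constructor continues past the end of the hunk.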
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
Mon Nov 11 10:38:03 2013
@@ -589,10 +589,11 @@ public class ACLTest extends AbstractAcc
public void testRestrictions() throws Exception {
String[] names = acl.getRestrictionNames();
assertNotNull(names);
- assertEquals(2, names.length);
- assertArrayEquals(new String[] {REP_GLOB, REP_NT_NAMES}, names);
+ assertEquals(3, names.length);
+ assertArrayEquals(new String[] {REP_GLOB, REP_NT_NAMES, REP_PREFIXES},
names);
assertEquals(PropertyType.STRING, acl.getRestrictionType(names[0]));
assertEquals(PropertyType.NAME, acl.getRestrictionType(names[1]));
+ assertEquals(PropertyType.STRING, acl.getRestrictionType(names[2]));
Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
Mon Nov 11 10:38:03 2013
@@ -63,7 +63,7 @@ public class RestrictionProviderImplTest
Set<RestrictionDefinition> defs =
provider.getSupportedRestrictions("/testPath");
assertNotNull(defs);
- assertEquals(2, defs.size());
+ assertEquals(3, defs.size());
for (RestrictionDefinition def : defs) {
if (REP_GLOB.equals(def.getName())) {
@@ -72,6 +72,9 @@ public class RestrictionProviderImplTest
} else if (REP_NT_NAMES.equals(def.getName())) {
assertEquals(Type.NAMES, def.getRequiredType());
assertFalse(def.isMandatory());
+ } else if (REP_PREFIXES.equals(def.getName())) {
+ assertEquals(Type.STRINGS, def.getRequiredType());
+ assertFalse(def.isMandatory());
} else {
fail("unexpected restriction " + def.getName());
}
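Review bot: The added `REP_PREFIXES` branch checks only the definition's required type and mandatory flag, and the file list of this commit shows no test that exercises `PrefixPattern.matches`. Cases worth adding are a name with a configured prefix, a name with a different prefix, an unprefixed name, and a tree that carries `REP_GLOB`, `REP_NT_NAMES` and `REP_PREFIXES` at once. The last one takes a path through the pattern-count `switch` in `RestrictionProviderImpl` that none of the changed tests cover. The enclosing test method starts and ends outside this hunk.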
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
Mon Nov 11 10:38:03 2013
@@ -47,7 +47,8 @@ public class CompositeRestrictionProvide
private RestrictionProvider rp1 = new TestProvider(ImmutableMap.<String,
RestrictionDefinition>of(
REP_GLOB, new RestrictionDefinitionImpl(REP_GLOB, Type.STRING,
false),
- REP_NT_NAMES, new RestrictionDefinitionImpl(REP_NT_NAMES,
Type.NAMES, false)
+ REP_NT_NAMES, new RestrictionDefinitionImpl(REP_NT_NAMES,
Type.NAMES, false),
+ REP_PREFIXES, new RestrictionDefinitionImpl(REP_PREFIXES,
Type.STRINGS, false)
));
private RestrictionProvider rp2 = new TestProvider(ImmutableMap.of(
"boolean", new RestrictionDefinitionImpl("boolean", Type.BOOLEAN,
true),
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java
Mon Nov 11 10:38:03 2013
@@ -92,7 +92,9 @@ public class RestrictionDefinitionImplTe
// - different name
defs.add(new RestrictionDefinitionImpl("otherName", Type.NAME, true));
// - different mandatory flag
- defs.add(new RestrictionDefinitionImpl(name, Type.NAMES, false));
+ defs.add(new RestrictionDefinitionImpl(name, Type.NAME, false));
+ // - different mv flag
+ defs.add(new RestrictionDefinitionImpl(name, Type.NAMES, true));
// - different impl
defs.add(new RestrictionDefinition() {
@Override
@@ -107,6 +109,7 @@ public class RestrictionDefinitionImplTe
public boolean isMandatory() {
return true;
}
+
});
for (RestrictionDefinition rd : defs) {
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java?rev=1540659&r1=1540658&r2=1540659&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
Mon Nov 11 10:38:03 2013
@@ -94,7 +94,7 @@ public class RestrictionImplTest extends
// - different type
rs.add(new RestrictionImpl(PropertyStates.createProperty(name, value,
Type.STRING), true));
// - different multi-value status
- rs.add(new RestrictionImpl(PropertyStates.createProperty(name,
ImmutableList.of(value), Type.STRINGS), true));
+ rs.add(new RestrictionImpl(PropertyStates.createProperty(name,
ImmutableList.of(value), Type.NAMES), true));
// - different name
rs.add(new RestrictionImpl(createProperty("otherName", value), true));
// - different value