Author: angela
Date: Fri Jan 10 10:20:58 2014
New Revision: 1557071
URL: http://svn.apache.org/r1557071
Log:
OAK-1268 : Add support for composite authorization setup
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.java
(with props)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1557071&r1=1557070&r2=1557071&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
Fri Jan 10 10:20:58 2014
@@ -67,6 +67,7 @@ import org.apache.jackrabbit.oak.spi.sec
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
+import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
@@ -90,7 +91,7 @@ import static com.google.common.base.Pre
* This implementation covers both editing access control content by path and
* by {@code Principal} resulting both in the same content structure.
*/
-public class AccessControlManagerImpl extends AbstractAccessControlManager
implements AccessControlConstants {
+public class AccessControlManagerImpl extends AbstractAccessControlManager
implements PolicyOwner {
private static final Logger log =
LoggerFactory.getLogger(AccessControlManagerImpl.class);
@@ -374,6 +375,17 @@ public class AccessControlManagerImpl ex
return effective.toArray(new AccessControlPolicy[effective.size()]);
}
+ //--------------------------------------------------------< PolicyOwner
>---
+ @Override
+ public boolean defines(String absPath, AccessControlPolicy
accessControlPolicy) {
+ try {
+ return Util.isValidPolicy(getOakPath(absPath),
accessControlPolicy);
+ } catch (RepositoryException e) {
+ log.warn("Invalid absolute path: " + absPath, e.getMessage());
+ return false;
+ }
+ }
+
//------------------------------------------------------------< private
>---
@CheckForNull
private Tree getAclTree(@Nullable String oakPath, @Nonnull Tree
accessControlledTree) {
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java?rev=1557071&r1=1557070&r2=1557071&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
Fri Jan 10 10:20:58 2014
@@ -60,13 +60,16 @@ final class Util implements AccessContro
}
}
- public static void checkValidPolicy(@Nullable String oakPath, @Nonnull
AccessControlPolicy policy) throws AccessControlException {
+ public static boolean isValidPolicy(@Nullable String oakPath, @Nonnull
AccessControlPolicy policy) {
if (policy instanceof ACL) {
String path = ((ACL) policy).getOakPath();
- if ((path == null && oakPath != null) || (path != null &&
!path.equals(oakPath))) {
- throw new AccessControlException("Invalid access control
policy " + policy + ": path mismatch " + oakPath);
- }
- } else {
+ return !((path == null && oakPath != null) || (path != null &&
!path.equals(oakPath)));
+ }
+ return false;
+ }
+
+ public static void checkValidPolicy(@Nullable String oakPath, @Nonnull
AccessControlPolicy policy) throws AccessControlException {
+ if (!isValidPolicy(oakPath, policy)) {
throw new AccessControlException("Invalid access control policy "
+ policy);
}
}
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java?rev=1557071&r1=1557070&r2=1557071&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java
Fri Jan 10 10:20:58 2014
@@ -21,6 +21,7 @@ import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.jcr.RepositoryException;
+import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
@@ -38,6 +39,7 @@ import org.apache.jackrabbit.oak.namepat
import org.apache.jackrabbit.oak.spi.security.CompositeConfiguration;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager;
+import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.CompositeRestrictionProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
@@ -86,7 +88,11 @@ public class CompositeAuthorizationConfi
}
/**
- *
+ * Access control manager that aggregates a list of different access
control
+ * manager implementations. Note, that the implementations *must* implement
+ * the {@link
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner}
+ * interface in order to be able to set and remove individual access
control
+ * policies.
*/
private static class CompositeAcMgr extends AbstractAccessControlManager {
@@ -113,11 +119,11 @@ public class CompositeAuthorizationConfi
@Override
public AccessControlPolicy[] getPolicies(String absPath) throws
RepositoryException {
- ImmutableList.Builder<AccessControlPolicy> privs =
ImmutableList.builder();
+ ImmutableList.Builder<AccessControlPolicy> policies =
ImmutableList.builder();
for (AccessControlManager acMgr : acMgrs) {
- privs.add(acMgr.getPolicies(absPath));
+ policies.add(acMgr.getPolicies(absPath));
}
- List<AccessControlPolicy> l = privs.build();
+ List<AccessControlPolicy> l = policies.build();
return l.toArray(new AccessControlPolicy[l.size()]);
}
@@ -135,21 +141,33 @@ public class CompositeAuthorizationConfi
public AccessControlPolicyIterator getApplicablePolicies(String
absPath) throws RepositoryException {
List<AccessControlPolicyIterator> l = Lists.newArrayList();
for (AccessControlManager acMgr : acMgrs) {
- l.add(acMgr.getApplicablePolicies(absPath));
+ if (acMgr instanceof PolicyOwner) {
+ l.add(acMgr.getApplicablePolicies(absPath));
+ }
}
return new
AccessControlPolicyIteratorAdapter(Iterators.concat(l.toArray(new
AccessControlPolicyIterator[l.size()])));
}
@Override
public void setPolicy(String absPath, AccessControlPolicy policy)
throws RepositoryException {
- // TODO
- throw new UnsupportedOperationException("not yet implemented.");
+ for (AccessControlManager acMgr : acMgrs) {
+ if (acMgr instanceof PolicyOwner && ((PolicyOwner)
acMgr).defines(absPath, policy)) {
+ acMgr.setPolicy(absPath, policy);
+ return;
+ }
+ }
+ throw new AccessControlException("Cannot set access control policy
" + policy + "; no PolicyOwner found.");
}
@Override
public void removePolicy(String absPath, AccessControlPolicy policy)
throws RepositoryException {
- // TODO
- throw new UnsupportedOperationException("not yet implemented.");
+ for (AccessControlManager acMgr : acMgrs) {
+ if (acMgr instanceof PolicyOwner && ((PolicyOwner)
acMgr).defines(absPath, policy)) {
+ acMgr.removePolicy(absPath, policy);
+ return;
+ }
+ }
+ throw new AccessControlException("Cannot remove access control
policy " + policy + "; no PolicyOwner found.");
}
//---------------------------------< JackrabbitAccessControlManager
>---
@@ -158,7 +176,9 @@ public class CompositeAuthorizationConfi
ImmutableList.Builder<JackrabbitAccessControlPolicy> policies =
ImmutableList.builder();
for (AccessControlManager acMgr : acMgrs) {
if (acMgr instanceof JackrabbitAccessControlManager) {
- policies.add(((JackrabbitAccessControlManager)
acMgr).getApplicablePolicies(principal));
+ if (acMgr instanceof PolicyOwner) {
+ policies.add(((JackrabbitAccessControlManager)
acMgr).getApplicablePolicies(principal));
+ }
}
}
List<JackrabbitAccessControlPolicy> l = policies.build();
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.java?rev=1557071&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.java
Fri Jan 10 10:20:58 2014
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol;
+
+import javax.jcr.security.AccessControlPolicy;
+
+/**
+ * Interface to improve pluggability of the {@link
javax.jcr.security.AccessControlManager},
+ * namely the interaction of multiple managers within a
+ * single repository. It provides a single method {@link #defines(String,
javax.jcr.security.AccessControlPolicy)}
+ * that allows to termine the responsible manager upon
+ * {@link javax.jcr.security.AccessControlManager#setPolicy(String,
javax.jcr.security.AccessControlPolicy) setPolicy}
+ * and
+ * {@link javax.jcr.security.AccessControlManager#removePolicy(String,
javax.jcr.security.AccessControlPolicy) removePolicy}.
+ *
+ * @see
org.apache.jackrabbit.oak.spi.security.authorization.CompositeAuthorizationConfiguration
+ */
+public interface PolicyOwner {
+
+ /**
+ * Determines if the implementing {@code AccessManager} defines the
specified
+ * {@code acceessControlPolicy} at the given {@code absPath}. If this
method
+ * returns {@code true} it is expected that the given policy is valid to be
+ * {@link javax.jcr.security.AccessControlManager#setPolicy(String,
javax.jcr.security.AccessControlPolicy) set}
+ * or {@link javax.jcr.security.AccessControlManager#removePolicy(String,
javax.jcr.security.AccessControlPolicy) removed}
+ * with the manager.
+ *
+ * @param absPath An absolute path.
+ * @param accessControlPolicy The access control policy to be tested.
+ * @return {@code true} If the {@code AccessControlManager} implementing
this
+ * interface can handle the specified {@code accessControlPolicy} at the
given {@code path}.
+ */
+ boolean defines(String absPath, AccessControlPolicy accessControlPolicy);
+}
\ No newline at end of file
Propchange:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.java
------------------------------------------------------------------------------
svn:eol-style = native
