Author: angela
Date: Tue May 19 15:46:41 2015
New Revision: 1680323
URL: http://svn.apache.org/r1680323
Log:
OAK-1268 : Add support for composite authorization setup
Added:
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CompositeAuthorizationReadTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java?rev=1680323&r1=1680322&r2=1680323&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java
Tue May 19 15:46:41 2015
@@ -32,6 +32,7 @@ import org.apache.jackrabbit.oak.api.Roo
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree;
+import
org.apache.jackrabbit.oak.security.authorization.permission.PermissionUtil;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
@@ -81,10 +82,11 @@ class CompositePermissionProvider implem
@Nonnull
@Override
- public Set<String> getPrivileges(@Nullable final Tree tree) {
+ public Set<String> getPrivileges(@Nullable Tree tree) {
PrivilegeBits result = null;
- for (AggregatedPermissionProvider pp : filter(pps, tree)) {
- PrivilegeBits privs =
privilegeBitsProvider.getBits(pp.getPrivileges(tree));
+ Tree immutableTree = PermissionUtil.getImmutableTree(tree,
immutableRoot);
+ for (AggregatedPermissionProvider pp : filter(pps, immutableTree)) {
+ PrivilegeBits privs =
privilegeBitsProvider.getBits(pp.getPrivileges(immutableTree));
if (result == null) {
result = PrivilegeBits.getInstance();
result.add(privs);
@@ -97,17 +99,18 @@ class CompositePermissionProvider implem
}
@Override
- public boolean hasPrivileges(@Nullable final Tree tree, @Nonnull String...
privilegeNames) {
+ public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String...
privilegeNames) {
+ final Tree immutableTree = PermissionUtil.getImmutableTree(tree,
immutableRoot);
for (final String privName :
privilegeBitsProvider.getAggregatedPrivilegeNames(privilegeNames)) {
Iterable<AggregatedPermissionProvider> providers =
Iterables.filter(pps, new Predicate<AggregatedPermissionProvider>() {
@Override
public boolean apply(AggregatedPermissionProvider pp) {
// the permissionprovider is never null
- return (tree == null) ? pp.handlesRepositoryPermissions()
: pp.handles(tree, privilegeBitsProvider.getBits(privName));
+ return (immutableTree == null) ?
pp.handlesRepositoryPermissions() : pp.handles(immutableTree,
privilegeBitsProvider.getBits(privName));
}
});
for (AggregatedPermissionProvider pp : providers) {
- if (!pp.hasPrivileges(tree, privName)) {
+ if (!pp.hasPrivileges(immutableTree, privName)) {
return false;
}
}
@@ -124,28 +127,29 @@ class CompositePermissionProvider implem
@Nonnull
@Override
public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull
TreePermission parentPermission) {
- ImmutableTree immTree = (tree instanceof ImmutableTree) ?
(ImmutableTree) tree : (ImmutableTree) immutableRoot.getTree(tree.getPath());
+ ImmutableTree immutableTree = (ImmutableTree)
PermissionUtil.getImmutableTree(tree, immutableRoot);
if (tree.isRoot()) {
- return new CompositeTreePermission(immTree, new
CompositeTreePermission());
+ return new CompositeTreePermission(immutableTree, new
CompositeTreePermission());
} else {
if (!(parentPermission instanceof CompositeTreePermission)) {
throw new IllegalArgumentException("Illegal parent permission
instance. Expected CompositeTreePermission.");
}
- return new CompositeTreePermission(immTree,
(CompositeTreePermission) parentPermission);
+ return new CompositeTreePermission(immutableTree,
(CompositeTreePermission) parentPermission);
}
}
@Override
public boolean isGranted(@Nonnull Tree parent, @Nullable PropertyState
property, long permissions) {
+ Tree immParent = PermissionUtil.getImmutableTree(parent,
immutableRoot);
if (Permissions.isAggregate(permissions)) {
for (final long permission : Permissions.aggregates(permissions)) {
- if (!grantsPermission(parent, property, permission,
filter(parent, permission))) {
+ if (!grantsPermission(immParent, property, permission,
filter(parent, permission))) {
return false;
}
}
return true;
} else {
- return grantsPermission(parent, property, permissions,
filter(parent, permissions));
+ return grantsPermission(immParent, property, permissions,
filter(immParent, permissions));
}
}
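Review bot: In `isGranted`, the aggregate branch still selects providers with `filter(parent, permission)` while evaluating against `immParent`, whereas the non-aggregate branch was switched to `filter(immParent, permissions)`. For aggregated permissions this leaves provider selection and the actual permission check running against two different tree instances; whether `handles` is sensitive to that is not visible in this hunk, but the two branches should agree. The line should read `if (!grantsPermission(immParent, property, permission, filter(immParent, permission))) {`. Separately, `getTreePermission` now casts the helper's `Tree` result to `ImmutableTree`, which holds only as long as `immutableRoot.getTree` keeps returning that type.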
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1680323&r1=1680322&r2=1680323&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
Tue May 19 15:46:41 2015
@@ -27,7 +27,6 @@ import org.apache.jackrabbit.oak.api.Pro
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
-import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
@@ -78,12 +77,12 @@ public class PermissionProviderImpl impl
@Nonnull
@Override
public Set<String> getPrivileges(@Nullable Tree tree) {
- return compiledPermissions.getPrivileges(getImmutableTree(tree));
+ return
compiledPermissions.getPrivileges(PermissionUtil.getImmutableTree(tree,
immutableRoot));
}
@Override
public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String...
privilegeNames) {
- return compiledPermissions.hasPrivileges(getImmutableTree(tree),
privilegeNames);
+ return
compiledPermissions.hasPrivileges(PermissionUtil.getImmutableTree(tree,
immutableRoot), privilegeNames);
}
@Nonnull
@@ -95,12 +94,12 @@ public class PermissionProviderImpl impl
@Nonnull
@Override
public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull
TreePermission parentPermission) {
- return compiledPermissions.getTreePermission(getImmutableTree(tree),
parentPermission);
+ return
compiledPermissions.getTreePermission(PermissionUtil.getImmutableTree(tree,
immutableRoot), parentPermission);
}
@Override
public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState
property, long permissions) {
- return compiledPermissions.isGranted(getImmutableTree(tree), property,
permissions);
+ return
compiledPermissions.isGranted(PermissionUtil.getImmutableTree(tree,
immutableRoot), property, permissions);
}
@Override
@@ -158,14 +157,6 @@ public class PermissionProviderImpl impl
return false;
}
- private ImmutableTree getImmutableTree(@Nullable Tree tree) {
- if (tree instanceof ImmutableTree) {
- return (ImmutableTree) tree;
- } else {
- return (tree == null) ? null : (ImmutableTree)
immutableRoot.getTree(tree.getPath());
- }
- }
-
private static boolean isVersionStorePath(@Nonnull String oakPath) {
if (oakPath.indexOf(JcrConstants.JCR_SYSTEM) == 1) {
for (String p : VersionConstants.SYSTEM_PATHS) {
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java?rev=1680323&r1=1680322&r2=1680323&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java
Tue May 19 15:46:41 2015
@@ -25,6 +25,7 @@ import org.apache.jackrabbit.oak.api.Pro
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.util.Text;
@@ -86,4 +87,12 @@ public final class PermissionUtil implem
}
return path;
}
+
+ public static Tree getImmutableTree(@Nullable Tree tree, @Nonnull Root
immutableRoot) {
+ if (tree instanceof ImmutableTree) {
+ return tree;
+ } else {
+ return (tree == null) ? null :
immutableRoot.getTree(tree.getPath());
+ }
+ }
}
\ No newline at end of file
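Review bot: The new public `getImmutableTree` has no Javadoc and no nullability annotation on its return value, although it returns `null` for a `null` argument. Every permission check in `PermissionProviderImpl` and `CompositePermissionProvider` now goes through this helper, so its contract should be written down: an `ImmutableTree` argument is returned as is, any other tree is re-resolved by path against `immutableRoot`, and the result therefore reflects that root's state rather than the caller's tree. I would add `@CheckForNull` (or `@Nullable`) on the method plus a Javadoc saying so. The return type was also widened from `ImmutableTree` (the removed private helper) to `Tree`; keeping `ImmutableTree` with the cast inside the helper, `return (tree == null) ? null : (ImmutableTree) immutableRoot.getTree(tree.getPath());`, would make an unexpected tree type fail in one place instead of at each caller's cast.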
Modified:
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java?rev=1680323&r1=1680322&r2=1680323&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java
(original)
+++
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java
Tue May 19 15:46:41 2015
@@ -219,6 +219,9 @@ public class BenchmarkRunner {
runAsAdmin.value(options),
itemsToRead.value(options),
report.value(options)),
+ new CompositeAuthorizationReadTest(
+ runAsAdmin.value(options),
+ itemsToRead.value(options)), // TODO: is currently the
no of configurations (hack)
new ConcurrentReadDeepTreeTest(
runAsAdmin.value(options),
itemsToRead.value(options),
Added:
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CompositeAuthorizationReadTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CompositeAuthorizationReadTest.java?rev=1680323&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CompositeAuthorizationReadTest.java
(added)
+++
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CompositeAuthorizationReadTest.java
Tue May 19 15:46:41 2015
@@ -0,0 +1,275 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.benchmark;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.jcr.Repository;
+import javax.jcr.security.AccessControlManager;
+
+import org.apache.jackrabbit.oak.Oak;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.fixture.JcrCreator;
+import org.apache.jackrabbit.oak.fixture.OakRepositoryFixture;
+import org.apache.jackrabbit.oak.fixture.RepositoryFixture;
+import org.apache.jackrabbit.oak.jcr.Jcr;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
+import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
+import
org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration;
+import
org.apache.jackrabbit.oak.security.authorization.permission.PermissionUtil;
+import org.apache.jackrabbit.oak.spi.commit.CommitHook;
+import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
+import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
+import org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer;
+import org.apache.jackrabbit.oak.spi.lifecycle.WorkspaceInitializer;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.Context;
+import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
+import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.OpenPermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
+
+/**
+ * CompositeAuthorizationReadTest... TODO
+ */
+public class CompositeAuthorizationReadTest extends ReadDeepTreeTest {
+
+ private int cnt;
+
+ protected CompositeAuthorizationReadTest(boolean runAsAdmin, int
cntConfigurations) {
+ super(runAsAdmin, 1000, false);
+ cnt = cntConfigurations;
+ }
+
+ @Override
+ protected Repository[] createRepository(RepositoryFixture fixture) throws
Exception {
+ if (fixture instanceof OakRepositoryFixture) {
+ return ((OakRepositoryFixture) fixture).setUpCluster(1, new
JcrCreator() {
+ @Override
+ public Jcr customize(Oak oak) {
+ return new Jcr(oak).with(new TmpSecurityProvider(cnt));
+ }
+ });
+ } else {
+ return super.createRepository(fixture);
+ }
+ }
+
+ private static final class TmpSecurityProvider extends
SecurityProviderImpl {
+
+ private final int cnt;
+
+ private TmpSecurityProvider(int cnt) {
+ this.cnt = cnt;
+ }
+
+ @Nonnull
+ @Override
+ public ConfigurationParameters getParameters(@Nullable String name) {
+ return ConfigurationParameters.EMPTY;
+ }
+
+ @Nonnull
+ @Override
+ public Iterable<? extends SecurityConfiguration> getConfigurations() {
+ Set<SecurityConfiguration> configs = (Set<SecurityConfiguration>)
super.getConfigurations();
+
+ CompositeAuthorizationConfiguration composite = new
CompositeAuthorizationConfiguration(this);
+ Iterator<SecurityConfiguration> it = configs.iterator();
+ AuthorizationConfiguration base = null;
+ while (it.hasNext()) {
+ SecurityConfiguration sc = it.next();
+ if (sc instanceof AuthorizationConfiguration) {
+ base = (AuthorizationConfiguration) sc;
+ it.remove();
+ break;
+ }
+ }
+ fillComposite(composite, base, cnt);
+ configs.add(composite);
+
+ return configs;
+ }
+
+ @Nonnull
+ @Override
+ public <T> T getConfiguration(@Nonnull Class<T> configClass) {
+ T c = super.getConfiguration(configClass);
+ if (AuthorizationConfiguration.class == configClass) {
+ CompositeAuthorizationConfiguration composite = new
CompositeAuthorizationConfiguration(this);
+ fillComposite(composite, (AuthorizationConfiguration) c, cnt);
+ return (T) composite;
+ } else {
+ return c;
+ }
+ }
+
+ private static void fillComposite(CompositeAuthorizationConfiguration
composite,
+ final AuthorizationConfiguration
base,
+ int cnt) {
+ composite.addConfiguration(base);
+ for (int i = 0; i < cnt; i++) {
+ composite.addConfiguration(new AuthorizationConfiguration() {
+
+ @Nonnull
+ @Override
+ public AccessControlManager
getAccessControlManager(@Nonnull Root root, @Nonnull NamePathMapper
namePathMapper) {
+ return base.getAccessControlManager(root,
namePathMapper);
+ }
+
+ @Nonnull
+ @Override
+ public RestrictionProvider getRestrictionProvider() {
+ return base.getRestrictionProvider();
+ }
+
+ @Nonnull
+ @Override
+ public PermissionProvider getPermissionProvider(@Nonnull
Root root, @Nonnull String workspaceName, @Nonnull Set<Principal> principals) {
+ return new TmpPermissionProvider(root);
+ }
+
+ @Nonnull
+ @Override
+ public String getName() {
+ return base.getName();
+ }
+
+ @Nonnull
+ @Override
+ public ConfigurationParameters getParameters() {
+ return base.getParameters();
+ }
+
+ @Nonnull
+ @Override
+ public WorkspaceInitializer getWorkspaceInitializer() {
+ return WorkspaceInitializer.DEFAULT;
+ }
+
+ @Nonnull
+ @Override
+ public RepositoryInitializer getRepositoryInitializer() {
+ return RepositoryInitializer.DEFAULT;
+ }
+
+ @Nonnull
+ @Override
+ public List<? extends CommitHook> getCommitHooks(@Nonnull
String workspaceName) {
+ return Collections.EMPTY_LIST;
+ }
+
+ @Nonnull
+ @Override
+ public List<? extends ValidatorProvider>
getValidators(@Nonnull String workspaceName, @Nonnull Set<Principal>
principals, @Nonnull MoveTracker moveTracker) {
+ return Collections.EMPTY_LIST;
+ }
+
+ @Nonnull
+ @Override
+ public List<ProtectedItemImporter>
getProtectedItemImporters() {
+ return Collections.EMPTY_LIST;
+ }
+
+ @Nonnull
+ @Override
+ public Context getContext() {
+ return base.getContext();
+ }
+ });
+ }
+
+ }
+ }
+
+ private static final class TmpPermissionProvider implements
PermissionProvider {
+
+ private static final String POLICY_NAME = "customPolicy";
+
+ private Root root;
+ private Root immutableRoot;
+
+ private final PermissionProvider fake =
OpenPermissionProvider.getInstance();
+
+ private TmpPermissionProvider(Root root) {
+ this.root = root;
+ immutableRoot = RootFactory.createReadOnlyRoot(root);
+ }
+ @Override
+ public void refresh() {
+ root.refresh();
+ immutableRoot = RootFactory.createReadOnlyRoot(root);
+ }
+
+ @Nonnull
+ @Override
+ public Set<String> getPrivileges(@Nullable Tree tree) {
+ performSomeRead(tree);
+ return fake.getPrivileges(tree);
+ }
+
+ @Override
+ public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String...
privilegeNames) {
+ performSomeRead(tree);
+ return fake.hasPrivileges(tree, privilegeNames);
+ }
+
+ @Nonnull
+ @Override
+ public RepositoryPermission getRepositoryPermission() {
+ return fake.getRepositoryPermission();
+ }
+
+ @Nonnull
+ @Override
+ public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull
TreePermission parentPermission) {
+ performSomeRead(tree);
+ return fake.getTreePermission(tree, parentPermission);
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState
property, long permissions) {
+ performSomeRead(tree);
+ return fake.isGranted(tree, property, permissions);
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull String oakPath, @Nonnull String
jcrActions) {
+ performSomeRead(immutableRoot.getTree(oakPath));
+ return fake.isGranted(oakPath, jcrActions);
+ }
+
+ private void performSomeRead(@Nullable Tree tree) {
+ Tree immutableTree = PermissionUtil.getImmutableTree(tree,
immutableRoot);
+ if (immutableTree != null) {
+ immutableTree.hasChild(POLICY_NAME);
+ }
+ }
+ }
+}
\ No newline at end of file
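Review bot: `TmpSecurityProvider.getConfigurations()` casts the result of `super.getConfigurations()` to `Set<SecurityConfiguration>` and then mutates it through `it.remove()` and `configs.add(composite)`. If the superclass returns its internal or an unmodifiable collection (not visible here), this either throws or changes the provider's state so that a second call wraps the previously added composite; and when no `AuthorizationConfiguration` is found, `base` stays `null` and is passed to `fillComposite`. Building a fresh set and failing fast on a missing base avoids both, at the cost of a `java.util.LinkedHashSet` import. The class Javadoc is still `CompositeAuthorizationReadTest... TODO` and should say that `TmpPermissionProvider` delegates every decision to `OpenPermissionProvider`, so this security setup is for benchmarking only. The three `Collections.EMPTY_LIST` returns would be better as `Collections.emptyList()` to avoid the raw type.

```java
public Iterable<? extends SecurityConfiguration> getConfigurations() {
    // copy instead of mutating whatever collection the superclass hands out
    Set<SecurityConfiguration> configs = new LinkedHashSet<SecurityConfiguration>();
    AuthorizationConfiguration base = null;
    for (SecurityConfiguration sc : super.getConfigurations()) {
        if (base == null && sc instanceof AuthorizationConfiguration) {
            base = (AuthorizationConfiguration) sc;
        } else {
            configs.add(sc);
        }
    }
    if (base == null) {
        throw new IllegalStateException("No AuthorizationConfiguration available");
    }
    CompositeAuthorizationConfiguration composite = new CompositeAuthorizationConfiguration(this);
    fillComposite(composite, base, cnt);
    configs.add(composite);
    return configs;
}
```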