Author: angela
Date: Thu Jul 9 13:15:18 2015
New Revision: 1690094
URL: http://svn.apache.org/r1690094
Log:
OAK-2008 : authorization setup for closed user groups
OAK-1268 Add support for composite authorization setup (WIP)
Added:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/package-info.java
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
Thu Jul 9 13:15:18 2015
@@ -130,7 +130,7 @@ public class CugConfiguration extends Co
if (!enabled || supportedPaths.isEmpty() ||
getExclude().isExcluded(principals)) {
return EmptyPermissionProvider.getInstance();
} else {
- return new CugPermissionProvider(root, principals, supportedPaths,
getContext());
+ return new CugPermissionProvider(root, principals, supportedPaths,
getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getContext());
}
}
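Review bot: The `Context` handed to `CugPermissionProvider` in the `else` branch now comes from whatever `AuthorizationConfiguration` the security provider currently exposes, so whether `rep:cugPolicy` nodes count as access control content depends on the wiring rather than on this module. If the provider is bound to a non-composite configuration, the returned context presumably does not include the CUG context, and `isAcContent` in `CugPermissionProvider` would then treat policy nodes as regular content. I would state that dependency at the call site, e.g. `// aggregated context of all authorization modules; assumes CugConfiguration is registered in the composite`. The same lookup is added in `AuthorizationConfigurationImpl.getPermissionProvider`. The enclosing method starts outside this hunk.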
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
Thu Jul 9 13:15:18 2015
@@ -232,12 +232,10 @@ class CugPermissionProvider implements P
}
private boolean isAcContent(@Nonnull Tree tree, boolean testForCtxRoot) {
- // FIXME: this should also take other ac-configurations into
considerations
return (testForCtxRoot) ? ctx.definesContextRoot(tree) :
ctx.definesTree(tree);
}
private boolean isAcContent(@Nonnull TreeLocation location) {
- // FIXME: this should also take other ac-configurations into
considerations
return ctx.definesLocation(location);
}
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
Thu Jul 9 13:15:18 2015
@@ -17,10 +17,7 @@
package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
import java.security.Principal;
-import java.util.Iterator;
-import java.util.Set;
import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
@@ -29,9 +26,9 @@ import javax.jcr.security.AccessControlP
import com.google.common.collect.ImmutableMap;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
import
org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
-import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
@@ -79,7 +76,15 @@ public class AbstractCugTest extends Abs
@Override
protected SecurityProvider getSecurityProvider() {
if (securityProvider == null) {
- securityProvider = new
CugSecurityProvider(super.getSecurityProvider());
+ securityProvider = new
CugSecurityProvider(getSecurityConfigParameters());
+ AuthorizationConfiguration authorizationConfiguration =
securityProvider.getConfiguration(AuthorizationConfiguration.class);
+ if (!(authorizationConfiguration instanceof
CompositeAuthorizationConfiguration)) {
+ CompositeAuthorizationConfiguration composite = new
CompositeAuthorizationConfiguration(securityProvider);
+ composite.setDefaultConfig(authorizationConfiguration);
+ composite.addConfiguration(new
CugConfiguration(securityProvider));
+ composite.addConfiguration(authorizationConfiguration);
+ ((CugSecurityProvider)
securityProvider).bindAuthorizationConfiguration(composite);
+ }
}
return securityProvider;
}
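Review bot: The cast `((CugSecurityProvider) securityProvider)` is needed only because the new instance is stored in the field before it is configured. Holding it in a local, `CugSecurityProvider sp = new CugSecurityProvider(getSecurityConfigParameters());`, and assigning `securityProvider = sp;` after the composite is bound avoids the cast and never exposes a half-configured provider through the field. The CUG configuration is added ahead of the default one; if that order matters for evaluation, a comment should say so.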
@@ -105,55 +110,14 @@ public class AbstractCugTest extends Abs
throw new IllegalStateException("Unable to create CUG at " + absPath);
}
- final class CugSecurityProvider implements SecurityProvider {
-
- private final SecurityProvider base;
-
- private final CugConfiguration cugConfiguration;
-
- private CugSecurityProvider(@Nonnull SecurityProvider base) {
- this.base = base;
- cugConfiguration = new CugConfiguration(this);
- }
-
- @Nonnull
- @Override
- public ConfigurationParameters getParameters(@Nullable String name) {
- return base.getParameters(name);
- }
-
- @Nonnull
- @Override
- public Iterable<? extends SecurityConfiguration> getConfigurations() {
- Set<SecurityConfiguration> configs = (Set<SecurityConfiguration>)
base.getConfigurations();
-
- CompositeAuthorizationConfiguration composite = new
CompositeAuthorizationConfiguration(this);
- Iterator<SecurityConfiguration> it = configs.iterator();
- while (it.hasNext()) {
- SecurityConfiguration sc = it.next();
- if (sc instanceof AuthorizationConfiguration) {
- composite.addConfiguration((AuthorizationConfiguration)
sc);
- it.remove();
- }
- }
- composite.addConfiguration(cugConfiguration);
- configs.add(composite);
-
- return configs;
+ final class CugSecurityProvider extends SecurityProviderImpl {
+ public CugSecurityProvider(@Nonnull ConfigurationParameters
configuration) {
+ super(configuration);
}
- @Nonnull
@Override
- public <T> T getConfiguration(@Nonnull Class<T> configClass) {
- T c = base.getConfiguration(configClass);
- if (AuthorizationConfiguration.class == configClass) {
- CompositeAuthorizationConfiguration composite = new
CompositeAuthorizationConfiguration(this);
- composite.addConfiguration(cugConfiguration);
- composite.addConfiguration((AuthorizationConfiguration) c);
- return (T) composite;
- } else {
- return c;
- }
+ protected void bindAuthorizationConfiguration(@Nonnull
AuthorizationConfiguration reference) {
+ super.bindAuthorizationConfiguration(reference);
}
}
}
\ No newline at end of file
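Review bot: The override of `bindAuthorizationConfiguration` in `CugSecurityProvider` only calls `super` and looks removable, yet it appears to exist so that the `protected` method of `SecurityProviderImpl` becomes callable from this test package. A comment on the override, e.g. `// re-declared to make the protected bind method accessible to tests in this package`, would keep a later cleanup from deleting it.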
Added:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java?rev=1690094&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java
(added)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java
Thu Jul 9 13:15:18 2015
@@ -0,0 +1,159 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
+
+import java.util.List;
+import javax.jcr.AccessDeniedException;
+import javax.jcr.security.AccessControlList;
+import javax.jcr.security.AccessControlManager;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.JcrConstants;
+import
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class CugContextTest extends AbstractCugTest implements
NodeTypeConstants {
+
+ private static String CUG_PATH = "/content/a/rep:cugPolicy";
+ private static List<String> NO_CUG_PATH = ImmutableList.of(
+ "/content",
+ "/content/a",
+ "/content/rep:policy",
+ "/content/rep:cugPolicy",
+ "/content/a/rep:cugPolicy/rep:principalNames",
+ UNSUPPORTED_PATH + "/rep:cugPolicy"
+ );
+
+ @Before
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ // add more child nodes
+ NodeUtil n = new NodeUtil(root.getTree(SUPPORTED_PATH));
+ n.addChild("a", NT_OAK_UNSTRUCTURED).addChild("b",
NT_OAK_UNSTRUCTURED).addChild("c", NT_OAK_UNSTRUCTURED);
+ n.addChild("aa", NT_OAK_UNSTRUCTURED).addChild("bb",
NT_OAK_UNSTRUCTURED).addChild("cc", NT_OAK_UNSTRUCTURED);
+
+ // create cugs
+ createCug("/content/a", getTestUser().getPrincipal());
+
+ // setup regular acl at /content
+ AccessControlManager acMgr = getAccessControlManager(root);
+ AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr,
"/content");
+ acl.addAccessControlEntry(getTestUser().getPrincipal(),
privilegesFromNames(PrivilegeConstants.JCR_READ));
+ acMgr.setPolicy("/content", acl);
+
+ root.commit();
+ }
+
+ @Override
+ public void after() throws Exception {
+ try {
+ root.refresh();
+ } finally {
+ super.after();
+ }
+ }
+
+ @Test
+ public void testDefinesContextRoot() {
+
assertTrue(CugContext.INSTANCE.definesContextRoot(root.getTree(CUG_PATH)));
+
+ for (String path : NO_CUG_PATH) {
+ assertFalse(path,
CugContext.INSTANCE.definesContextRoot(root.getTree(path)));
+ }
+ }
+
+ @Test
+ public void testDefinesTree() {
+ assertTrue(CugContext.INSTANCE.definesTree(root.getTree(CUG_PATH)));
+
+ for (String path : NO_CUG_PATH) {
+ assertFalse(path,
CugContext.INSTANCE.definesTree(root.getTree(path)));
+ }
+ }
+
+ @Test
+ public void testDefinesProperty() {
+ Tree cugTree = root.getTree(CUG_PATH);
+ PropertyState repPrincipalNames =
cugTree.getProperty(CugConstants.REP_PRINCIPAL_NAMES);
+ assertTrue(CugContext.INSTANCE.definesProperty(cugTree,
repPrincipalNames));
+ assertFalse(CugContext.INSTANCE.definesProperty(cugTree,
cugTree.getProperty(JcrConstants.JCR_PRIMARYTYPE)));
+
+ for (String path : NO_CUG_PATH) {
+ assertFalse(path,
CugContext.INSTANCE.definesProperty(root.getTree(path), repPrincipalNames));
+ }
+ }
+
+ @Test
+ public void testDefinesLocation() throws AccessDeniedException {
+
assertTrue(CugContext.INSTANCE.definesLocation(TreeLocation.create(root,
CUG_PATH)));
+
assertTrue(CugContext.INSTANCE.definesLocation(TreeLocation.create(root,
CUG_PATH + "/" + CugConstants.REP_PRINCIPAL_NAMES)));
+
+ List<String> existingNoCug = ImmutableList.of(
+ "/content",
+ "/content/a",
+ "/content/rep:policy"
+ );
+ for (String path : existingNoCug) {
+ assertFalse(path,
CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path)));
+ assertFalse(path,
CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path + "/" +
CugConstants.REP_PRINCIPAL_NAMES)));
+ }
+
+ List<String> nonExistingCug = ImmutableList.of(
+ "/content/rep:cugPolicy",
+ UNSUPPORTED_PATH + "/rep:cugPolicy");
+ for (String path : nonExistingCug) {
+ assertTrue(path,
CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path)));
+ assertTrue(path,
CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path + "/" +
CugConstants.REP_PRINCIPAL_NAMES)));
+ }
+ }
+
+ @Test
+ public void testInvalidCug() throws Exception {
+ PropertyState ps =
PropertyStates.createProperty(CugConstants.REP_PRINCIPAL_NAMES,
ImmutableSet.of(getTestUser().getPrincipal().getName()), Type.STRINGS);
+
+ // cug at unsupported path -> context doesn't take supported paths
into account.
+ Tree invalidCug = new
NodeUtil(root.getTree(UNSUPPORTED_PATH)).addChild(CugConstants.REP_CUG_POLICY,
CugConstants.NT_REP_CUG_POLICY).getTree();
+ invalidCug.setProperty(ps);
+
+ assertTrue(CugContext.INSTANCE.definesContextRoot(invalidCug));
+ assertTrue(CugContext.INSTANCE.definesTree(invalidCug));
+ assertTrue(CugContext.INSTANCE.definesProperty(invalidCug,
invalidCug.getProperty(CugConstants.REP_PRINCIPAL_NAMES)));
+
+ // 'cug' with wrong node type -> detected as no-cug by context
+ invalidCug = new
NodeUtil(root.getTree(UNSUPPORTED_PATH)).addChild(CugConstants.REP_CUG_POLICY,
NT_OAK_UNSTRUCTURED).getTree();
+ invalidCug.setProperty(ps);
+
+ assertFalse(CugContext.INSTANCE.definesContextRoot(invalidCug));
+ assertFalse(CugContext.INSTANCE.definesTree(invalidCug));
+ assertFalse(CugContext.INSTANCE.definesProperty(invalidCug,
invalidCug.getProperty(CugConstants.REP_PRINCIPAL_NAMES)));
+ }
+}
\ No newline at end of file
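Review bot: `CUG_PATH` and `NO_CUG_PATH` are declared `private static` without `final` although they are used as constants; `private static final String CUG_PATH = ...` and `private static final List<String> NO_CUG_PATH = ...` would match their use. `after()` carries only `@Override` while `before()` repeats `@Before`; adding `@After` and its import keeps the two symmetric. `testInvalidCug` creates `rep:cugPolicy` twice under the same parent and seems to rely on the second `addChild` re-typing the existing node; a one-line comment saying so would help.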
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java
Thu Jul 9 13:15:18 2015
@@ -155,13 +155,11 @@ public class CugEvaluationTest extends A
Root r = cs.getLatestRoot();
assertTrue(r.getTree("/content/rep:policy").exists());
- assertFalse(r.getTree("/content2/rep:cugPolicy").exists());
} finally {
cs.close();
}
}
- @Ignore("FIXME: cugpolicy not detected as ac-content") // FIXME
@Test
public void testReadCug() throws Exception {
List<String> noAccess = ImmutableList.of(
@@ -236,7 +234,6 @@ public class CugEvaluationTest extends A
}
}
- @Ignore("FIXME: cugpolicy not detected as ac-content") // FIXME
@Test
public void testWriteCug() throws Exception {
ContentSession cs = login(new SimpleCredentials(TEST_USER2_ID,
TEST_USER2_ID.toCharArray()));
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
Thu Jul 9 13:15:18 2015
@@ -341,10 +341,9 @@ public class CugPermissionProviderTest e
TreePermission falseCugTp =
cugPermProvider.getTreePermission(root.getTree("/content/aa/rep:cugPolicy"),
aaTp2);
assertNotSame(TreePermission.EMPTY, falseCugTp);
- // ac content
+ // cug content
TreePermission cugTp =
cugPermProvider.getTreePermission(root.getTree("/content/a/rep:cugPolicy"),
aTp);
assertSame(TreePermission.EMPTY, cugTp);
- // TODO: for regular acl-node
// paths that may not contain cugs anyway
assertSame(TreePermission.EMPTY,
cugPermProvider.getTreePermission(root.getTree("/jcr:system"), rootTp));
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/SecurityProviderImpl.java
Thu Jul 9 13:15:18 2015
@@ -227,6 +227,18 @@ public class SecurityProviderImpl implem
tokenConfiguration.removeConfiguration(reference);
}
+ @SuppressWarnings("UnusedDeclaration")
+ protected void bindAuthorizationConfiguration(@Nonnull
AuthorizationConfiguration reference) {
+ authorizationConfiguration = initConfiguration(reference);
+ // TODO (OAK-1268):
authorizationConfiguration.addConfiguration(initConfiguration(reference));
+ }
+
+ @SuppressWarnings("UnusedDeclaration")
+ protected void unbindAuthorizationConfiguration(@Nonnull
AuthorizationConfiguration reference) {
+ authorizationConfiguration = new AuthorizationConfigurationImpl(this);
+ // TODO (OAK-1268):
authorizationConfiguration.removeConfiguration(reference);
+ }
+
//------------------------------------------------------------< private
>---
private void initializeConfigurations() {
initConfiguration(authorizationConfiguration,
ConfigurationParameters.of(
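Review bot: `unbindAuthorizationConfiguration` ignores its `reference` argument and unconditionally replaces the active configuration with `new AuthorizationConfigurationImpl(this)`. Unbinding any authorization service, even one that was never the bound one, therefore swaps the effective access control model back to the default. Unlike the bind path, the replacement is not passed through `initConfiguration`, so it may lack the parameters that `initializeConfigurations` applies to the original instance (that method is only partly visible here). Until the OAK-1268 TODO is resolved I would at least route the fallback through the same initialisation, something like `authorizationConfiguration = initConfiguration(new AuthorizationConfigurationImpl(this));`. Both methods also deserve a Javadoc sentence saying that bind replaces rather than aggregates.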
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
Thu Jul 9 13:15:18 2015
@@ -181,7 +181,7 @@ public class AuthorizationConfigurationI
@Nonnull
@Override
public PermissionProvider getPermissionProvider(@Nonnull Root root,
@Nonnull String workspaceName, @Nonnull Set<Principal> principals) {
- return new PermissionProviderImpl(root, workspaceName, principals,
this);
+ Context ctx =
getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getContext();
+ return new PermissionProviderImpl(root, workspaceName, principals,
getRestrictionProvider(), getParameters(), ctx);
}
-
}
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
Thu Jul 9 13:15:18 2015
@@ -42,7 +42,7 @@ import org.apache.jackrabbit.oak.plugins
import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree;
import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
-import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.Context;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
@@ -87,12 +87,14 @@ final class CompiledPermissionImpl imple
private CompiledPermissionImpl(@Nonnull Set<Principal> principals,
@Nonnull Root root, @Nonnull String
workspaceName,
@Nonnull RestrictionProvider
restrictionProvider,
- @Nonnull AuthorizationConfiguration
acConfig) {
+ @Nonnull ConfigurationParameters options,
+ @Nonnull Context ctx) {
this.root = root;
this.workspaceName = workspaceName;
bitsProvider = new PrivilegeBitsProvider(root);
- Set<String> readPaths =
acConfig.getParameters().getConfigValue(PARAM_READ_PATHS, DEFAULT_READ_PATHS);
+
+ Set<String> readPaths = options.getConfigValue(PARAM_READ_PATHS,
DEFAULT_READ_PATHS);
readPolicy = (readPaths.isEmpty()) ? EmptyReadPolicy.INSTANCE : new
DefaultReadPolicy(readPaths);
// setup
@@ -107,22 +109,23 @@ final class CompiledPermissionImpl imple
}
}
- ConfigurationParameters options = acConfig.getParameters();
PermissionEntryCache cache = new PermissionEntryCache();
userStore = new PermissionEntryProviderImpl(store, cache, userNames,
options);
groupStore = new PermissionEntryProviderImpl(store, cache, groupNames,
options);
- typeProvider = new TreeTypeProvider(acConfig.getContext());
+ typeProvider = new TreeTypeProvider(ctx);
}
static CompiledPermissions create(@Nonnull Root root, @Nonnull String
workspaceName,
@Nonnull Set<Principal> principals,
- @Nonnull AuthorizationConfiguration
acConfig) {
+ @Nonnull RestrictionProvider
restrictionProvider,
+ @Nonnull ConfigurationParameters options,
+ @Nonnull Context ctx) {
Tree permissionsTree = PermissionUtil.getPermissionsRoot(root,
workspaceName);
if (!permissionsTree.exists() || principals.isEmpty()) {
return NoPermissions.getInstance();
} else {
- return new CompiledPermissionImpl(principals, root, workspaceName,
acConfig.getRestrictionProvider(), acConfig);
+ return new CompiledPermissionImpl(principals, root, workspaceName,
restrictionProvider, options, ctx);
}
}
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
Thu Jul 9 13:15:18 2015
@@ -28,7 +28,8 @@ import org.apache.jackrabbit.oak.api.Tre
import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
-import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.Context;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
@@ -36,6 +37,7 @@ import org.apache.jackrabbit.oak.spi.sec
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
public class PermissionProviderImpl implements PermissionProvider,
AccessControlConstants, PermissionConstants, AggregatedPermissionProvider {
@@ -44,24 +46,27 @@ public class PermissionProviderImpl impl
private final String workspaceName;
- private final AuthorizationConfiguration acConfig;
+ private final Context ctx;
private final CompiledPermissions compiledPermissions;
private Root immutableRoot;
- public PermissionProviderImpl(@Nonnull Root root, @Nonnull String
workspaceName, @Nonnull Set<Principal> principals,
- @Nonnull AuthorizationConfiguration
acConfig) {
+ public PermissionProviderImpl(@Nonnull Root root, @Nonnull String
workspaceName,
+ @Nonnull Set<Principal> principals,
+ @Nonnull RestrictionProvider
restrictionProvider,
+ @Nonnull ConfigurationParameters options,
+ @Nonnull Context ctx) {
this.root = root;
this.workspaceName = workspaceName;
- this.acConfig = acConfig;
+ this.ctx = ctx;
immutableRoot = RootFactory.createReadOnlyRoot(root);
- if (PermissionUtil.isAdminOrSystem(principals,
acConfig.getParameters())) {
+ if (PermissionUtil.isAdminOrSystem(principals, options)) {
compiledPermissions = AllPermissions.getInstance();
} else {
- compiledPermissions = CompiledPermissionImpl.create(immutableRoot,
workspaceName, principals, acConfig);
+ compiledPermissions = CompiledPermissionImpl.create(immutableRoot,
workspaceName, principals, restrictionProvider, options, ctx);
}
}
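Review bot: The public constructor now takes `restrictionProvider`, `options` and `ctx` as three independent arguments with no Javadoc, and nothing says that `ctx` has to be the aggregated context. A caller passing a module-local context would get a different `isAcContent` result in `isGranted`, which changes the permissions computed for policy nodes. A short Javadoc naming the expected source of each argument would cover it, e.g. `@param ctx the context of the effective (possibly composite) authorization configuration`. The signature change is also source-incompatible for any caller outside this commit; the version bump in this revision covers `org.apache.jackrabbit.oak.security` only, so it is worth checking whether this package is exported.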
@@ -102,7 +107,7 @@ public class PermissionProviderImpl impl
@Override
public boolean isGranted(@Nonnull String oakPath, @Nonnull String
jcrActions) {
TreeLocation location = TreeLocation.create(immutableRoot, oakPath);
- boolean isAcContent = acConfig.getContext().definesLocation(location);
+ boolean isAcContent = ctx.definesLocation(location);
long permissions = Permissions.getPermissions(jcrActions, location,
isAcContent);
boolean isGranted = false;
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/package-info.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/package-info.java?rev=1690094&r1=1690093&r2=1690094&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/package-info.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/package-info.java
Thu Jul 9 13:15:18 2015
@@ -20,7 +20,7 @@
*
* See <a href="README.md">README.md</a> for more details.
*/
-@Version("1.0")
+@Version("1.0.1")
@Export(optional = "provide:=true")
package org.apache.jackrabbit.oak.security;