Author: angela
Date: Mon Nov 30 17:17:13 2015
New Revision: 1717297
URL: http://svn.apache.org/viewvc?rev=1717297&view=rev
Log:
OAK-3700 : authorization setup for closed user groups (follow up)
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationTest.java
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java?rev=1717297&r1=1717296&r2=1717297&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java
Mon Nov 30 17:17:13 2015
@@ -16,11 +16,6 @@
*/
package org.apache.jackrabbit.oak.spi.security.authorization.cug;
-import java.security.Principal;
-import java.util.Set;
-import javax.annotation.Nonnull;
-import javax.jcr.security.AccessControlException;
-
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrincipalSetPolicy;
@@ -29,35 +24,4 @@ import org.apache.jackrabbit.api.securit
*/
public interface CugPolicy extends PrincipalSetPolicy,
JackrabbitAccessControlPolicy {
- /**
- * Returns the set of {@code Principal}s that are allowed to access the
items
- * in the restricted area defined by this policy.
- *
- * @return The set of {@code Principal}s that are allowed to access the
- * restricted area.
- */
- @Nonnull
- Set<Principal> getPrincipals();
-
- /**
- * Add {@code Principal}s that are allowed to access the restricted area.
- *
- * @param principals The {@code Principal}s that are granted read access.
- * @return {@code true} if this policy was modified; {@code false}
otherwise.
- * @throws AccessControlException If any of the specified principals is
- * invalid.
- */
- boolean addPrincipals(@Nonnull Principal... principals) throws
AccessControlException;
-
- /**
- * Remove the specified {@code Principal}s for the set of allowed
principals
- * thus revoking their ability to read items in the restricted area defined
- * by this policy.
- *
- * @param principals The {@code Principal}s for which access should be
revoked.
- * @return {@code true} if this policy was modified; {@code false}
otherwise.
- * @throws AccessControlException If an error occurs.
- */
- boolean removePrincipals(@Nonnull Principal... principals) throws
AccessControlException;
-
}
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java?rev=1717297&r1=1717296&r2=1717297&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
Mon Nov 30 17:17:13 2015
@@ -19,27 +19,23 @@ package org.apache.jackrabbit.oak.spi.se
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.List;
+import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
-import javax.security.auth.Subject;
-import javax.security.auth.login.LoginException;
import com.google.common.collect.ImmutableList;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
-import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
+import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.oak.api.CommitFailedException;
-import org.apache.jackrabbit.oak.api.ContentRepository;
-import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.memory.MemoryNodeStore;
@@ -57,7 +53,6 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
-import org.apache.jackrabbit.oak.spi.security.authentication.SystemSubject;
import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider;
@@ -71,8 +66,7 @@ import org.apache.jackrabbit.oak.spi.xml
@Component(metatype = true,
label = "Apache Jackrabbit Oak CUG Configuration",
- description = "Authorization configuration dedicated to setup and
evaluate 'Closed User Group' permissions.",
- policy = ConfigurationPolicy.REQUIRE)
+ description = "Authorization configuration dedicated to setup and
evaluate 'Closed User Group' permissions.")
@Service({AuthorizationConfiguration.class, SecurityConfiguration.class})
@Properties({
@Property(name = CugConstants.PARAM_CUG_SUPPORTED_PATHS,
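Review bot: Dropping `policy = ConfigurationPolicy.REQUIRE` from `@Component` lets the component activate when no configuration exists, and nothing on the class documents what that default state enforces. From the `@Properties` shown in this commit, `CugConstants.PARAM_CUG_ENABLED` defaults to `boolValue = false`, so CUG evaluation would be off out of the box. A deployment that relies on closed user groups for read protection then depends on someone setting the flag. I would state this in the class Javadoc, for example `Activated without configuration; CUG policies are not evaluated until PARAM_CUG_ENABLED is set to true.` The annotation block continues outside the hunk.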
@@ -80,7 +74,7 @@ import org.apache.jackrabbit.oak.spi.xml
description = "Paths under which CUGs can be created and will
be evaluated.",
cardinality = Integer.MAX_VALUE),
@Property(name = CugConstants.PARAM_CUG_ENABLED,
- label = "CUG Enabled",
+ label = "CUG Evaluation Enabled",
description = "Flag to enable the evaluation of the configured
CUG policies.",
boolValue = false),
@Property(name = CompositeConfiguration.PARAM_RANKING,
@@ -90,14 +84,11 @@ import org.apache.jackrabbit.oak.spi.xml
})
public class CugConfiguration extends ConfigurationBase implements
AuthorizationConfiguration, CugConstants {
- @Reference
- private ContentRepository repository;
-
/**
* Reference to services implementing {@link
org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude}.
*/
- @Reference
- private CugExclude exclude = new CugExclude.Default();
+ @Reference(cardinality = ReferenceCardinality.OPTIONAL_UNARY)
+ private CugExclude exclude;
@SuppressWarnings("UnusedDeclaration")
public CugConfiguration() {
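Review bot: `exclude` can now be `null`, because the reference becomes `ReferenceCardinality.OPTIONAL_UNARY` and the `new CugExclude.Default()` initializer is removed, while none of the hunks shown touches the code that reads the field. If a reader outside this hunk still dereferences it directly, permission evaluation would fail with a NullPointerException whenever no `CugExclude` service is bound. I would read the field through a null-safe accessor, e.g. `return (exclude == null) ? new CugExclude.Default() : exclude;`, and note on the field that `null` means no exclusion service is bound. The readers of the field lie outside the hunk, so this needs checking against the full class.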
@@ -181,24 +172,8 @@ public class CugConfiguration extends Co
//----------------------------------------------------< SCR Integration
>---
@SuppressWarnings("UnusedDeclaration")
@Activate
- protected void activate() throws IOException, CommitFailedException,
PrivilegedActionException, RepositoryException {
- ContentSession systemSession = null;
- try {
- systemSession = Subject.doAs(SystemSubject.INSTANCE, new
PrivilegedExceptionAction<ContentSession>() {
- @Override
- public ContentSession run() throws LoginException,
RepositoryException {
- return repository.login(null, null);
- }
- });
- final Root root = systemSession.getLatestRoot();
- if (CugUtil.registerCugNodeTypes(root)) {
- root.commit();
- }
- } finally {
- if (systemSession != null) {
- systemSession.close();
- }
- }
+ protected void activate(Map<String, Object> properties) throws
IOException, CommitFailedException, PrivilegedActionException,
RepositoryException {
+ setParameters(ConfigurationParameters.of(properties));
}
//--------------------------------------------------------------------------
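Review bot: The `throws IOException, CommitFailedException, PrivilegedActionException, RepositoryException` clause on `activate(Map<String, Object> properties)` is left over from the removed system-session code. The new body only calls `setParameters(ConfigurationParameters.of(properties))`, which as far as the hunk shows throws none of these, so I would shorten the signature to `protected void activate(Map<String, Object> properties) {`. The commit also removes the `CugUtil.registerCugNodeTypes(root)` call and deletes `testActivate` from CugConfigurationTest without a replacement. Node type registration presumably happens elsewhere, and the new activation path is untested in the lines shown; a test that passes a property map and checks the resulting parameters would cover it.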
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java?rev=1717297&r1=1717296&r2=1717297&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java
Mon Nov 30 17:17:13 2015
@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-@Version("1.4.0")
+@Version("2.0.0")
@Export(optional = "provide:=true")
package org.apache.jackrabbit.oak.spi.security.authorization.cug;
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationTest.java?rev=1717297&r1=1717296&r2=1717297&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationTest.java
Mon Nov 30 17:17:13 2015
@@ -16,26 +16,18 @@
*/
package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
-import java.lang.reflect.Field;
import java.security.Principal;
import java.util.List;
import java.util.Set;
-import javax.jcr.GuestCredentials;
import javax.jcr.security.AccessControlManager;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
-import org.apache.jackrabbit.oak.Oak;
-import org.apache.jackrabbit.oak.api.ContentRepository;
-import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
-import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
-import org.apache.jackrabbit.oak.plugins.nodetype.write.InitialContent;
import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
-import org.apache.jackrabbit.oak.spi.security.OpenSecurityProvider;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider;
@@ -164,28 +156,4 @@ public class CugConfigurationTest extend
assertSame(EmptyPermissionProvider.getInstance(), pp);
}
}
-
- @Test
- public void testActivate() throws Exception {
- SecurityProvider sp = new OpenSecurityProvider();
- ContentRepository repo = new Oak().with(sp).with(new
InitialContent()).createContentRepository();
- ContentSession cs = null;
- try {
- Field repoField =
CugConfiguration.class.getDeclaredField("repository");
- repoField.setAccessible(true);
-
- CugConfiguration cc = new CugConfiguration(sp);
- repoField.set(cc, repo);
-
- cc.activate();
-
- cs = repo.login(new GuestCredentials(), null);
- ReadOnlyNodeTypeManager ntMgr =
ReadOnlyNodeTypeManager.getInstance(cs.getLatestRoot(), NamePathMapper.DEFAULT);
- assertTrue(ntMgr.hasNodeType(CugConstants.NT_REP_CUG_POLICY));
- } finally {
- if (cs != null) {
- cs.close();
- }
- }
- }
}
\ No newline at end of file