Author: angela
Date: Mon Apr 15 07:16:49 2019
New Revision: 1857551

URL: http://svn.apache.org/viewvc?rev=1857551&view=rev
Log:
OAK-8190 : Dedicated authorization for system users (wip)

Added:
    jackrabbit/oak/trunk/oak-authorization-principalbased/   (with props)
    jackrabbit/oak/trunk/oak-authorization-principalbased/pom.xml   (with props)
    jackrabbit/oak/trunk/oak-authorization-principalbased/src/
    jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/
    jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/
    jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/Filter.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/FilterProvider.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/PrincipalPolicy.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractTreePermission.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Constants.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ContextImpl.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryCache.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryIterator.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryPredicate.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/FilterProviderImpl.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProvider.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProviderImpl.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionEntry.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfiguration.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedPermissionProvider.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImpl.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImporter.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyValidatorProvider.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Utils.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/package-info.java
   (with props)
    jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/resources/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/resources/org/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/resources/org/apache/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/resources/org/apache/jackrabbit/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/resources/org/apache/jackrabbit/oak/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/resources/org/apache/jackrabbit/oak/spi/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/resources/org/apache/jackrabbit/oak/spi/security/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/resources/org/apache/jackrabbit/oak/spi/security/authorization/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/resources/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/resources/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/resources/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/nodetypes.cnd
   (with props)
    jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/
    jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/
    jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractTreePermissionTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AccessControlManagerLimitedSystemUserTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AccessControlManagerLimitedUserTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ContextImplTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EffectivePolicyTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryCacheTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryIteratorTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryPredicateTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/FilterImplTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/FilterProviderImplTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImportAbortTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImportBaseTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImportBesteffortTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImportIgnoreTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProviderImplTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MockUtility.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionProviderAccessControlTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionProviderHiddenTypeTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionProviderInternalTypeTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionProviderVersionStoreTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionProviderVersionTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PolicyValidatorLimitedUserTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PolicyValidatorTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationOsgiTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedPermissionProviderTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImplTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImporterTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/RegularTreePermissionTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/RepositoryPermissionTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/TransientPrincipalTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/UnknownPrincipalAbortTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/UnknownPrincipalBesteffortTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/UnknownPrincipalIgnoreTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/UtilsTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/VersionTreePermissionTest.java
   (with props)
Modified:
    jackrabbit/oak/trunk/pom.xml

Propchange: jackrabbit/oak/trunk/oak-authorization-principalbased/
------------------------------------------------------------------------------
--- svn:ignore (added)
+++ svn:ignore Mon Apr 15 07:16:49 2019
@@ -0,0 +1,5 @@
+target
+.*
+*.iml
+*.ipr
+*.iws

Added: jackrabbit/oak/trunk/oak-authorization-principalbased/pom.xml
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/pom.xml?rev=1857551&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-principalbased/pom.xml (added)
+++ jackrabbit/oak/trunk/oak-authorization-principalbased/pom.xml Mon Apr 15 
07:16:49 2019
@@ -0,0 +1,203 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+  -->
+<project xmlns="http://maven.apache.org/POM/4.0.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/xsd/maven-4.0.0.xsd";>
+    <parent>
+        <groupId>org.apache.jackrabbit</groupId>
+        <artifactId>oak-parent</artifactId>
+        <version>1.14-SNAPSHOT</version>
+        <relativePath>../oak-parent/pom.xml</relativePath>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <properties>
+        <!-- enable execution of jacoco and set minimal line coverage -->
+        <skip.coverage>false</skip.coverage>
+        <minimum.coverage>0.99</minimum.coverage>
+        <minimum.branch.coverage>1.0</minimum.branch.coverage>
+    </properties>
+
+    <artifactId>oak-authorization-principalbased</artifactId>
+    <name>Oak Principal-Based Authorization</name>
+    <packaging>bundle</packaging>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <configuration>
+                    <instructions>
+                        <Import-Package>
+                            <!-- OAK-7182 -->${guava.osgi.import},
+                            *
+                        </Import-Package>
+                        <Export-Package>
+                            
org.apache.jackrabbit.oak.spi.security.authorization.principalbased
+                        </Export-Package>
+                    </instructions>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>baseline</id>
+                        <goals>
+                            <goal>baseline</goal>
+                        </goals>
+                        <phase>pre-integration-test</phase>
+                        <configuration>
+                            <!--
+                              This is required because there's no prior 
(stable) version
+                              TODO: Removed post first release
+                            -->
+                            <skip>true</skip>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.rat</groupId>
+                <artifactId>apache-rat-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+    <dependencies>
+        <!-- Optional OSGi dependencies, used only when running within OSGi -->
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.core</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.compendium</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.annotation</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.service.component.annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.service.metatype.annotations</artifactId>
+        </dependency>
+
+        <!-- Dependencies to other Oak components -->
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-api</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-query-spi</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-security-spi</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-store-spi</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-core</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+
+        <!-- JCR and Jackrabbit dependencies -->
+        <dependency>
+            <groupId>javax.jcr</groupId>
+            <artifactId>jcr</artifactId>
+            <version>2.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>jackrabbit-api</artifactId>
+            <version>${jackrabbit.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>jackrabbit-jcr-commons</artifactId>
+            <version>${jackrabbit.version}</version>
+        </dependency>
+
+        <!-- General utility libraries -->
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+        </dependency>
+
+        <!-- Logging -->
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+
+        <!-- Nullability annotations -->
+        <dependency>
+            <groupId>org.jetbrains</groupId>
+            <artifactId>annotations</artifactId>
+        </dependency>
+
+        <!-- Test dependencies -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-core</artifactId>
+            <version>${project.version}</version>
+            <classifier>tests</classifier>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-store-composite</artifactId>
+            <version>${project.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.testing.osgi-mock</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-jcr</artifactId>
+            <version>${project.version}</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+</project>

Propchange: jackrabbit/oak/trunk/oak-authorization-principalbased/pom.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/Filter.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/Filter.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/Filter.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/Filter.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.principalbased;
+
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+import org.osgi.annotation.versioning.ProviderType;
+
+import java.security.Principal;
+import java.util.Set;
+
+/**
+ * Interface that allows to define the principals for which principal based 
access control management and permission
+ * evaluation can be executed. For any other principals this module would 
never take effect.
+ */
+@ProviderType
+public interface Filter {
+
+    /**
+     * Reveals if this filter implementation is able to handle the given set 
of principals.
+     *
+     * @param principals A set of principals.
+     * @return {@code true} if the principals can be dealt with by this filter 
implementation, {@code false} otherwise.
+     */
+    boolean canHandle(@NotNull Set<Principal> principals);
+
+    /**
+     * Returns the Oak path of the {@code Tree} to which the policy for the 
given {@code validPrincipal} will be bound.
+     * This method can rely on the fact that the given principal has been 
{@link #canHandle(Set) validated} before and is
+     * not expected to validate the principal.
+     *
+     * @param validPrincipal A valid principal i.e. that has been validated 
through {@link #canHandle(Set)}.
+     * @return The absolute oak path to an exiting {@code Tree}. The policy 
for the given principal will be bound to that tree.
+     * @throws IllegalArgumentException If the specified principal is not 
validated/valid.
+     */
+    @NotNull
+    String getOakPath(@NotNull Principal validPrincipal);
+
+    /**
+     * Retrieves the {@link 
org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal} for the given 
{@code oakPath}
+     * and returns it if it is considered valid by the {@code Filter} 
implementation. Otherwise this method returns
+     * {@code null}.
+     *
+     * @param oakPath A non-null Oak path pointing to an {@link 
org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal}.
+     * @return A valid principal or {@code null} if no valid principal can be 
retrieved/exists for the given path.
+     */
+    @Nullable
+    Principal getValidPrincipal(@NotNull String oakPath);
+
+}
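Review bot: The Javadoc of `getOakPath` contradicts itself: it says the method is "not expected to validate the principal", yet it declares `@throws IllegalArgumentException If the specified principal is not validated/valid`. The returned path decides which tree a principal's policy is bound to, so the contract should say which of the two holds, for example `@throws IllegalArgumentException if the implementation detects a principal that was not accepted by {@link #canHandle(Set)}; callers must not rely on this check`. `canHandle` also leaves open whether every principal in the set must be supported or one is enough, and what an empty set returns. I would state that explicitly, because callers presumably use this result to decide whether this authorization model applies at all. Minor: "exiting {@code Tree}" in the `@return` tag should read "existing".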

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/Filter.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/FilterProvider.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/FilterProvider.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/FilterProvider.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/FilterProvider.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.principalbased;
+
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.jetbrains.annotations.NotNull;
+import org.osgi.annotation.versioning.ProviderType;
+
+/**
+ * Interface that allows to define the principals for which principal based 
access control management and permission
+ * evaluation can be executed. For any other principals this module would 
never take effect.
+ */
+@ProviderType
+public interface FilterProvider {
+
+    /**
+     * Reveals if the given implementation is able to handle access control at 
the tree defined by the given {@code oakPath}.
+     *
+     * @param absPath The absolute oak path to be tested.
+     * @return {@code true} if the given path is supported by this 
implememntation, {@code false} otherwise.
+     */
+    boolean handlesPath(@NotNull String oakPath);
+
+    /**
+     * Returns the root path of handled by the filer. In case multiple paths 
are supported this method returns the common
+     * ancestor path.
+     *
+     * @return An absolute oak path.
+     */
+    @NotNull
+    String getFilterRoot();
+
+    /**
+     * Returns the {@link Filter} associated with this provider implementation.
+     *
+     * @param securityProvider The security provider.
+     * @param root The reading/editing root.
+     * @param namePathMapper The name path mapper.
+     * @return A new filter associated with the given parameters.
+     */
+    @NotNull
+    Filter getFilter(@NotNull SecurityProvider securityProvider, @NotNull Root 
root, @NotNull NamePathMapper namePathMapper);
+}
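Review bot: In `handlesPath` the Javadoc documents `@param absPath` while the parameter is named `oakPath`, so the tag is dangling; it should read `@param oakPath The absolute oak path to be tested.` The interface-level Javadoc is a verbatim copy of the one on `Filter` and does not describe what a provider does. Something like `Provides {@link Filter} instances and defines the path(s) below which principal-based policies are handled` would match what the three methods show. There are also typos in this exported `@ProviderType` API: "the root path of handled by the filer" on `getFilterRoot` and "implememntation" on `handlesPath`.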

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/FilterProvider.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/PrincipalPolicy.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/PrincipalPolicy.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/PrincipalPolicy.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/PrincipalPolicy.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.principalbased;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+import org.osgi.annotation.versioning.ProviderType;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import javax.jcr.security.Privilege;
+import java.security.Principal;
+import java.util.Map;
+
+@ProviderType
+public interface PrincipalPolicy extends JackrabbitAccessControlList {
+
+    @NotNull
+    Principal getPrincipal();
+
+    boolean addEntry(@NotNull String effectivePath, @NotNull Privilege[] 
privileges) throws RepositoryException;
+
+    boolean addEntry(@NotNull String effectivePath, @NotNull Privilege[] 
privileges, @NotNull Map<String, Value> restrictions, @NotNull Map<String, 
Value[]> mvRestrictions) throws RepositoryException;
+
+    interface Entry extends JackrabbitAccessControlEntry {
+
+        @Nullable
+        String getEffectivePath();
+    }
+}
\ No newline at end of file
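Review bot: `PrincipalPolicy` and its nested `Entry` are published as `@ProviderType` API without any Javadoc, so the contract of both `addEntry` overloads and of the `@Nullable` result of `getEffectivePath()` has to be guessed. Judging by `REPOSITORY_PERMISSION_PATH` in Constants.java of this commit, a null effective path presumably denotes repository-level permissions; that should be stated on the method, e.g. `/** @return the absolute path at which the entry takes effect, or {@code null} for repository-level permissions. */`. Since `addEntry` declares `effectivePath` as `@NotNull` while the getter is `@Nullable`, the Javadoc should also say how a caller requests a repository-level entry and what the boolean return value means. An access control API whose null/empty path semantics are undocumented is easy to misuse in a way that grants permissions at the wrong scope.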

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/PrincipalPolicy.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractTreePermission.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractTreePermission.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractTreePermission.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractTreePermission.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.tree.TreeType;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.state.NodeState;
+import org.jetbrains.annotations.NotNull;
+
+abstract class AbstractTreePermission implements TreePermission  {
+
+    private final Tree tree;
+    private final TreeType type;
+
+    AbstractTreePermission(@NotNull Tree tree, @NotNull TreeType type) {
+        this.tree = tree;
+        this.type = type;
+    }
+
+    abstract PrincipalBasedPermissionProvider getPermissionProvider();
+
+    @NotNull
+    Tree getTree() {
+        return tree;
+    }
+
+    @NotNull
+    TreeType getType() {
+        return type;
+    }
+
+    @Override
+    public @NotNull TreePermission getChildPermission(@NotNull String 
childName, @NotNull NodeState childState) {
+        return getPermissionProvider().getTreePermission(childName, 
childState, this);
+    }
+
+    @Override
+    public boolean canRead() {
+        long permission = (type == TreeType.ACCESS_CONTROL) ? 
Permissions.READ_ACCESS_CONTROL : Permissions.READ_NODE;
+        return getPermissionProvider().isGranted(tree, null, permission);
+    }
+
+    @Override
+    public boolean canRead(@NotNull PropertyState property) {
+        long permission = (type == TreeType.ACCESS_CONTROL) ? 
Permissions.READ_ACCESS_CONTROL : Permissions.READ_PROPERTY;
+        return getPermissionProvider().isGranted(tree, property, permission);
+    }
+
+    @Override
+    public boolean canReadAll() {
+        return false;
+    }
+
+    @Override
+    public boolean canReadProperties() {
+        return false;
+    }
+
+    @Override
+    public boolean isGranted(long permissions) {
+        return getPermissionProvider().isGranted(tree, null, permissions);
+    }
+
+    @Override
+    public boolean isGranted(long permissions, @NotNull PropertyState 
property) {
+        return getPermissionProvider().isGranted(tree, property, permissions);
+    }
+}
\ No newline at end of file
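Review bot: `canReadAll()` and `canReadProperties()` return a hard-coded `false` with no comment, and nothing tells a later maintainer that this is the safe default rather than an unfinished stub. It looks deliberate, forcing every item to be evaluated individually by the permission provider; a line such as `// never short-cut: each item must be evaluated by the permission provider` on both methods would protect it from a well-meant optimisation. In `canRead()` and `canRead(PropertyState)` only `TreeType.ACCESS_CONTROL` is special-cased, and every other type is checked against `READ_NODE`/`READ_PROPERTY`. If this class can be instantiated for other non-default tree types, that should be documented on the constructor or rejected there.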

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractTreePermission.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Constants.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Constants.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Constants.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Constants.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+interface Constants {
+
+    /**
+     * The name of the mixin type that defines the principal based access 
control policy node.
+     */
+    String MIX_REP_PRINCIPAL_BASED_MIXIN = "rep:PrincipalBasedMixin";
+
+    /**
+     * The primary node type name of the principal based access control policy 
node.
+     */
+    String NT_REP_PRINCIPAL_POLICY = "rep:PrincipalPolicy";
+
+    /**
+     * The primary node type name of the entries inside the principal based 
access control policy node.
+     */
+    String NT_REP_PRINCIPAL_ENTRY = "rep:PrincipalEntry";
+
+    /**
+     * The primary node type name of the restrictions node associated with 
entries inside the principal based access control policy node.
+     */
+    String NT_REP_RESTRICTIONS = "rep:Restrictions";
+
+    /**
+     * The name of the principal based access control policy node.
+     */
+    String REP_PRINCIPAL_POLICY = "rep:principalPolicy";
+
+    /**
+     * The name of the mandatory principal name property associated with the 
principal based access control policy.
+     */
+    String REP_PRINCIPAL_NAME = "rep:principalName";
+
+    /**
+     * The name of the mandatory path property of a given entry in a principal 
based access control policy.
+     * It will store an absolute path or empty string for the repository-level
+     */
+    String REP_EFFECTIVE_PATH = "rep:effectivePath";
+
+    /**
+     * The name of the mandatory principal property of a given entry in a 
principal based access control policy.
+     */
+    String REP_PRIVILEGES = "rep:privileges";
+
+    /**
+     * The name of the optional restriction node associated with a given entry 
in a principal based access control policy.
+     */
+    String REP_RESTRICTIONS = "rep:restrictions";
+
+    /**
+     * Value to be used for the {@code rep:effectivePath} property in case of 
repository level permissions (analog to passing
+     * null to {@code AccessControlManager.getEffectivePolicies(String)}.
+     */
+    String REPOSITORY_PERMISSION_PATH = "";
+}
\ No newline at end of file
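Review bot: The Javadoc on `REP_PRIVILEGES` calls it "the mandatory principal property", which looks like a copy of the `REP_PRINCIPAL_NAME` text; it should read `The name of the mandatory privileges property of a given entry in a principal based access control policy.` The second sentence on `REP_EFFECTIVE_PATH` stops mid-phrase ("empty string for the repository-level") and the parenthesis opened in the `REPOSITORY_PERMISSION_PATH` comment is never closed. These constants define the persisted access control format, so the comments should be exact about which values are mandatory and what the empty string means.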

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Constants.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ContextImpl.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ContextImpl.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ContextImpl.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ContextImpl.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,104 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
+import org.apache.jackrabbit.oak.spi.security.Context;
+import org.jetbrains.annotations.NotNull;
+
+final class ContextImpl implements Context, Constants {
+
+    private ContextImpl(){}
+
+    static final Context INSTANCE = new ContextImpl();
+
+    private static final String[] NODE_NAMES = new String[] 
{REP_PRINCIPAL_POLICY, REP_RESTRICTIONS};
+    private static final String[] PROPERTY_NAMES = new String[] 
{REP_PRINCIPAL_NAME, REP_EFFECTIVE_PATH, REP_PRIVILEGES};
+    private static final String[] NT_NAMES = new String[] 
{NT_REP_PRINCIPAL_POLICY, NT_REP_PRINCIPAL_ENTRY, NT_REP_RESTRICTIONS};
+
+    //------------------------------------------------------------< Context 
>---
+    @Override
+    public boolean definesProperty(@NotNull Tree parent, @NotNull 
PropertyState property) {
+        return definesTree(parent);
+    }
+
+    @Override
+    public boolean definesContextRoot(@NotNull Tree tree) {
+        return Utils.isPrincipalPolicyTree(tree);
+    }
+
+    @Override
+    public boolean definesTree(@NotNull Tree tree) {
+        return tree.exists() && (isNodeName(tree.getName()) || isNtName(tree));
+    }
+
+    @Override
+    public boolean definesLocation(@NotNull TreeLocation location) {
+        PropertyState p = location.getProperty();
+        Tree tree = (p == null) ? location.getTree() : 
location.getParent().getTree();
+        if (tree != null) {
+            return (p == null) ? definesTree(tree) : definesProperty(tree, p);
+        } else {
+            if (isItemName(location.getName())) {
+                return true;
+            }
+            TreeLocation parent = location.getParent();
+            String parentName = parent.getName();
+            return REP_PRINCIPAL_POLICY.equals(parentName) || 
REP_RESTRICTIONS.equals(parentName);
+        }
+    }
+
+    @Override
+    public boolean definesInternal(@NotNull Tree tree) {
+        return false;
+    }
+
+    private static boolean isNodeName(@NotNull String name) {
+        for (String n : NODE_NAMES) {
+            if (n.equals(name)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private static boolean isPropertyName(@NotNull String name) {
+        for (String n : PROPERTY_NAMES) {
+            if (n.equals(name)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private static boolean isItemName(@NotNull String name) {
+        return isNodeName(name) || isPropertyName(name);
+    }
+
+    private static boolean isNtName(@NotNull Tree tree) {
+        String ntName = TreeUtil.getPrimaryTypeName(tree);
+        for (String n : NT_NAMES) {
+            if (n.equals(ntName)) {
+                return true;
+            }
+        }
+        return false;
+    }
+}
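Review bot: `definesTree` claims any existing tree whose name is `rep:principalPolicy` or `rep:restrictions`, or whose primary type is one of `NT_NAMES`, without looking at the parent, and `definesProperty` then claims every property of such a tree regardless of its name (`isPropertyName` is only reached for non-existing locations). The `Context` decides what is treated as access control content, so the match should be no wider than intended; if another authorization model in the repository also uses `rep:restrictions` / `rep:Restrictions` (not visible in this diff), those nodes would be claimed here too. I would either require the parent of a restrictions node to be a `rep:PrincipalEntry` before returning true, or record the intent with a comment such as `// matches by name/type only; overlap with other models' rep:restrictions nodes is intended`. The same applies to the name-based fallback at the end of `definesLocation`.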

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ContextImpl.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryCache.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryCache.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryCache.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryCache.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,117 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import com.google.common.base.Strings;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
+import org.apache.jackrabbit.util.Text;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+class EntryCache implements Constants {
+
+    private final RestrictionProvider restrictionProvider;
+    private final PrivilegeBitsProvider bitsProvider;
+
+    /**
+     * Mapping effective path (empty string representing the null path) to the 
permission entries defined for each
+     * effective path. Note that this map does not record the name or nature 
(group vs non-group) of the principal for
+     * which the entries have been defined. Similarly it ignores the order of 
entries as the implementation only
+     * supports 'allow' entries.
+     */
+    private final Map<String, List<PermissionEntry>> entries = new HashMap<>();
+
+    EntryCache(@NotNull Root root, @NotNull Iterable<String> principalPathSet, 
@NotNull RestrictionProvider restrictionProvider) {
+        this.restrictionProvider = restrictionProvider;
+        this.bitsProvider = new PrivilegeBitsProvider(root);
+
+        for (String principalPath : principalPathSet) {
+            Tree policyTree = root.getTree(PathUtils.concat(principalPath, 
Constants.REP_PRINCIPAL_POLICY));
+            if (!policyTree.exists()) {
+                continue;
+            }
+            for (Tree child : policyTree.getChildren()) {
+                if 
(Constants.NT_REP_PRINCIPAL_ENTRY.equals(TreeUtil.getPrimaryTypeName(child))) {
+                    PermissionEntryImpl entry = new PermissionEntryImpl(child);
+                    String key = Strings.nullToEmpty(entry.effectivePath);
+                    List<PermissionEntry> list = entries.computeIfAbsent(key, 
k -> new ArrayList<>());
+                    list.add(entry);
+                }
+            }
+        }
+    }
+
+    @NotNull
+    Iterator<PermissionEntry> getEntries(@NotNull String path) {
+        Iterable<PermissionEntry> list = entries.get(path);
+        return (list == null) ? Collections.emptyIterator() : list.iterator();
+    }
+
+    private final class PermissionEntryImpl implements PermissionEntry {
+
+        private final String effectivePath;
+        private final PrivilegeBits privilegeBits;
+        private RestrictionPattern pattern;
+
+        private PermissionEntryImpl(@NotNull Tree entryTree) {
+            effectivePath = Strings.emptyToNull(TreeUtil.getString(entryTree, 
REP_EFFECTIVE_PATH));
+            privilegeBits = 
bitsProvider.getBits(entryTree.getProperty(REP_PRIVILEGES).getValue(Type.NAMES));
+            pattern = restrictionProvider.getPattern(effectivePath, 
restrictionProvider.readRestrictions(effectivePath, entryTree));
+        }
+
+        @NotNull
+        public PrivilegeBits getPrivilegeBits() {
+            return privilegeBits;
+        }
+
+        @Override
+        public boolean appliesTo(@NotNull String path) {
+            return Text.isDescendantOrEqual(effectivePath, path);
+        }
+
+        @Override
+        public boolean matches(@NotNull Tree tree, @Nullable PropertyState 
property) {
+            return pattern.matches(tree, property);
+        }
+
+        @Override
+        public boolean matches(@NotNull String treePath) {
+            return pattern.matches(treePath);
+        }
+
+        @Override
+        public boolean matches() {
+            return pattern.matches();
+        }
+    }
+}
\ No newline at end of file
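Review bot: `PermissionEntryImpl.appliesTo` passes `effectivePath` to `Text.isDescendantOrEqual`, but the constructor sets that field through `Strings.emptyToNull`, so it is null for every repository-level entry. If `appliesTo` is ever evaluated on such an entry this will most likely throw instead of answering false; a guard makes the result explicit: `return effectivePath != null && Text.isDescendantOrEqual(effectivePath, path);`. The constructor also dereferences `entryTree.getProperty(REP_PRIVILEGES)` without a null check, so a single entry node lacking that property would abort construction of the whole cache; skipping or rejecting that entry explicitly would be more robust for code that runs during permission evaluation. Separately, `getPrivilegeBits()` is missing `@Override`, unlike the other `PermissionEntry` methods.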

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryCache.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryIterator.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryIterator.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryIterator.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryIterator.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import com.google.common.base.Predicate;
+import org.apache.jackrabbit.commons.iterator.AbstractLazyIterator;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+import java.util.Collections;
+import java.util.Iterator;
+
+final class EntryIterator extends AbstractLazyIterator<PermissionEntry> {
+
+    private final Predicate<PermissionEntry> predicate;
+    private final EntryCache entryCache;
+
+    // initially set to empty-iterator to trigger reading entries from the 
cache
+    private Iterator<PermissionEntry> nextEntries = 
Collections.emptyIterator();
+
+    // the next oak path for which to retrieve permission entries
+    private String nextPath;
+
+    EntryIterator(@NotNull String path, @NotNull Predicate<PermissionEntry> 
predicate, @NotNull EntryCache entryCache) {
+        this.nextPath = path;
+        this.predicate = predicate;
+        this.entryCache = entryCache;
+    }
+
+    @Override
+    protected PermissionEntry getNext() {
+        PermissionEntry next = null;
+        while (next == null) {
+            if (nextEntries.hasNext()) {
+                PermissionEntry pe = nextEntries.next();
+                if (predicate.apply(pe)) {
+                    next = pe;
+                }
+            } else {
+                // stop the iteration if entries for the root node have 
already been processed
+                if (nextPath == null) {
+                    break;
+                }
+                // obtain entries from the next path in the hierarchy
+                nextEntries = entryCache.getEntries(nextPath);
+                nextPath = getParentPathOrNull(nextPath);
+            }
+        }
+        return next;
+    }
+
+    @Nullable
+    private static String getParentPathOrNull(@NotNull String path) {
+        String parentPath = PathUtils.getParentPath(path);
+        return (path.equals(parentPath)) ? null : parentPath;
+    }
+}
\ No newline at end of file

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryIterator.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryPredicate.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryPredicate.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryPredicate.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryPredicate.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import com.google.common.base.Predicate;
+import com.google.common.base.Predicates;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+final class EntryPredicate {
+
+    private EntryPredicate() {}
+
+    @NotNull
+    static Predicate<PermissionEntry> create(@Nullable String oakPath) {
+        if (oakPath == null) {
+            return permissionEntry -> permissionEntry.matches();
+        } else {
+            return permissionEntry -> permissionEntry.matches(oakPath);
+        }
+    }
+
+    @NotNull
+    static Predicate<PermissionEntry> create(@NotNull Tree tree, @Nullable 
PropertyState property) {
+        if (!tree.exists()) {
+            // target node does not exist (anymore) in this workspace
+            // use best effort calculation based on the item path.
+            String predicatePath = (property == null) ? tree.getPath() : 
PathUtils.concat(tree.getPath(), property.getName());
+            return create(predicatePath);
+        } else {
+            return permissionEntry -> permissionEntry.matches(tree, property);
+        }
+    }
+
+    @NotNull
+    static Predicate<PermissionEntry> createParent(@NotNull String treePath, 
@Nullable Tree parentTree, long permissions) {
+        if (!Permissions.respectParentPermissions(permissions)) {
+            return Predicates.alwaysFalse();
+        }
+        if (treePath.isEmpty() || PathUtils.denotesRoot(treePath)) {
+            return Predicates.alwaysFalse();
+        } else if (parentTree != null && parentTree.exists()) {
+            return permissionEntry -> 
permissionEntry.appliesTo(parentTree.getPath()) && 
permissionEntry.matches(parentTree, null);
+        } else {
+            String parentPath = PathUtils.getParentPath(treePath);
+            return permissionEntry -> permissionEntry.appliesTo(parentPath) && 
permissionEntry.matches(parentPath);
+        }
+    }
+
+    @NotNull
+    static Predicate<PermissionEntry> createParent(@NotNull Tree tree, long 
permissions) {
+        if (!Permissions.respectParentPermissions(permissions)) {
+            return Predicates.alwaysFalse();
+        }
+        if (!tree.exists()) {
+            return createParent(tree.getPath(), tree.getParent(), permissions);
+        } else {
+            if (!tree.isRoot()) {
+                Tree parentTree = tree.getParent();
+                return permissionEntry -> 
permissionEntry.appliesTo(parentTree.getPath()) && 
permissionEntry.matches(parentTree, null);
+            } else {
+                return Predicates.alwaysFalse();
+            }
+        }
+    }
+}
\ No newline at end of file
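Review bot: In `createParent(Tree, long)` the `!tree.exists()` branch calls `tree.getParent()` before anything has established that the tree is not the root, whereas the `exists()` branch checks `tree.isRoot()` first. If `Tree.getParent()` rejects the root tree, as its contract is usually stated, a non-existing root would raise an exception here instead of reaching the `denotesRoot` check in the three-argument overload; `return createParent(tree.getPath(), tree.isRoot() ? null : tree.getParent(), permissions);` avoids that. The two overloads also repeat the same lambda and re-evaluate `parentTree.getPath()` for every entry. Hoisting `String parentPath = parentTree.getPath();` into a shared private helper would keep the parent check in one place.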

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EntryPredicate.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/FilterProviderImpl.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/FilterProviderImpl.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/FilterProviderImpl.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/FilterProviderImpl.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,205 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import com.google.common.collect.Maps;
+import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
+import org.apache.jackrabbit.oak.spi.security.principal.SystemUserPrincipal;
+import org.apache.jackrabbit.util.Text;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+import org.osgi.service.component.annotations.Activate;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Modified;
+import org.osgi.service.metatype.annotations.AttributeDefinition;
+import org.osgi.service.metatype.annotations.Designate;
+import org.osgi.service.metatype.annotations.ObjectClassDefinition;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.jcr.RepositoryException;
+import java.security.Principal;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * Implementation of the {@link 
org.apache.jackrabbit.spi.security.authorization.principalbased.Filter} 
interface that
+ * consists of the following two filtering conditions:
+ *
+ * <ol>
+ *     <li>All principals in the set must be of type {@link 
org.apache.jackrabbit.oak.spi.security.principal.SystemUserPrincipal}</li>
+ *     <li>All principals in the set must be located in the repository below 
the configured path.</li>
+ * </ol>
+ */
+@Component(service = {FilterProvider.class})
+@Designate(ocd = FilterProviderImpl.Configuration.class)
+public class FilterProviderImpl implements FilterProvider {
+
+    @ObjectClassDefinition(name = "Apache Jackrabbit Oak Filter for Principal 
Based Authorization")
+    @interface Configuration {
+        @AttributeDefinition(
+                name = "Path",
+                description = "Required path underneath which all filtered 
principals must be located in the repository.")
+        String path();
+    }
+
+    private static final Logger log = 
LoggerFactory.getLogger(FilterProviderImpl.class);
+
+    private String oakPath;
+
+    private final Map<String, String> validatedPrincipalNamesPathMap = 
Maps.newConcurrentMap();
+
+    //-----------------------------------------------------< FilterProvider 
>---
+
+    @Override
+    public boolean handlesPath(@NotNull String oakPath) {
+        return Text.isDescendantOrEqual(this.oakPath, oakPath);
+    }
+
+    @NotNull
+    @Override
+    public String getFilterRoot() {
+        return oakPath;
+    }
+
+    @NotNull
+    @Override
+    public Filter getFilter(@NotNull SecurityProvider securityProvider, 
@NotNull Root root, @NotNull NamePathMapper namePathMapper) {
+        PrincipalProvider principalProvider = 
securityProvider.getConfiguration(PrincipalConfiguration.class).getPrincipalProvider(root,
 namePathMapper);
+        return new FilterImpl(root, principalProvider, namePathMapper);
+    }
+
+    //----------------------------------------------------< SCR Integration 
>---
+
+    @Activate
+    protected void activate(Configuration configuration, Map<String, Object> 
properties) {
+        setPath(configuration);
+    }
+
+    @Modified
+    protected void modified(Configuration configuration, Map<String, Object> 
properties) {
+        setPath(configuration);
+    }
+
+    private void setPath(@NotNull Configuration configuration) {
+        this.oakPath = configuration.path();
+    }
+
+    //-------------------------------------------------------------< Filter 
>---
+
+    private final class FilterImpl implements Filter {
+
+        private final Root root;
+        private final PrincipalProvider principalProvider;
+        private final NamePathMapper namePathMapper;
+
+        private FilterImpl(@NotNull Root root, @NotNull PrincipalProvider 
principalProvider, @NotNull NamePathMapper namePathMapper) {
+            this.root = root;
+            this.principalProvider = principalProvider;
+            this.namePathMapper = namePathMapper;
+        }
+
+        @Override
+        public boolean canHandle(@NotNull Set<Principal> principals) {
+            if (principals.isEmpty()) {
+                return false;
+            }
+            for (Principal p : principals) {
+                if (!isValidPrincipal(p)) {
+                    return false;
+                }
+            }
+            return true;
+        }
+
+        @Override
+        @NotNull
+        public String getOakPath(@NotNull Principal validPrincipal) {
+            String principalPath = 
validatedPrincipalNamesPathMap.get(validPrincipal.getName());
+            if (principalPath == null) {
+                throw new IllegalArgumentException("Invalid principal " + 
validPrincipal.getName());
+            }
+            return principalPath;
+        }
+
+        @Override
+        @Nullable
+        public Principal getValidPrincipal(@NotNull String oakPath) {
+            ItemBasedPrincipal principal = 
principalProvider.getItemBasedPrincipal(oakPath);
+            if (principal != null && isValidPrincipal(principal)) {
+                return principal;
+            } else {
+                return null;
+            }
+        }
+
+        private boolean isValidPrincipal(@NotNull Principal principal) {
+            if (!(principal instanceof SystemUserPrincipal)) {
+                return false;
+            }
+
+            String principalName = principal.getName();
+            if (validatedPrincipalNamesPathMap.containsKey(principalName)) {
+                return true;
+            }
+
+            String principalPath = getPrincipalPath(principal);
+            if (principalPath != null && handlesPath(principalPath)) {
+                validatedPrincipalNamesPathMap.put(principalName, 
principalPath);
+                return true;
+            } else {
+                return false;
+            }
+        }
+
+        @Nullable
+        private String getPrincipalPath(@NotNull Principal principal) {
+            String prinicpalOakPath = null;
+            if (principal instanceof ItemBasedPrincipal) {
+                prinicpalOakPath = getOakPath((ItemBasedPrincipal) principal);
+            }
+            if (prinicpalOakPath == null || 
!root.getTree(prinicpalOakPath).exists()) {
+                // given principal is not ItemBasedPrincipal or it has been 
obtained with a different name-path-mapper
+                // making the conversion to oak-path return null -> try 
obtaining principal by name
+                Principal p = 
principalProvider.getPrincipal(principal.getName());
+                if (p instanceof ItemBasedPrincipal) {
+                    prinicpalOakPath = getOakPath((ItemBasedPrincipal) p);
+                } else {
+                    prinicpalOakPath = null;
+                }
+            }
+            return prinicpalOakPath;
+        }
+
+        @Nullable
+        private String getOakPath(@NotNull ItemBasedPrincipal principal) {
+            try {
+                return namePathMapper.getOakPath(principal.getPath());
+            } catch (RepositoryException e) {
+                log.error("Error while retrieving path from ItemBasedPrincipal 
{}, {}", principal.getName(), e.getMessage());
+                return null;
+            }
+        }
+    }
+}
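Review bot: `validatedPrincipalNamesPathMap` is held on the provider and keyed by principal name alone, so a cache hit in `isValidPrincipal` returns true without re-running `handlesPath`, and `getOakPath(Principal)` keeps handing out the stored path. `modified()` only reassigns `oakPath` through `setPath`, which means principals validated under the previous filter root remain accepted after a reconfiguration; an entry also survives the system user being moved or removed, because nothing ever evicts it. At minimum `setPath` should drop the cache when the path changes, `this.oakPath = configuration.path(); validatedPrincipalNamesPathMap.clear();`. The field should presumably be `private volatile String oakPath;`, since it is written from the SCR callbacks and read from filter calls. A null or empty `configuration.path()` is also stored unchecked although `getFilterRoot()` is declared `@NotNull`, so a guard in `setPath` is worth adding.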

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/FilterProviderImpl.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProvider.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProvider.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProvider.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProvider.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.plugins.tree.RootProvider;
+import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
+import org.apache.jackrabbit.oak.spi.security.Context;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
+import org.jetbrains.annotations.NotNull;
+
+interface MgrProvider {
+
+    @NotNull
+    SecurityProvider getSecurityProvider();
+
+    void reset(@NotNull Root root, NamePathMapper namePathMapper);
+
+    @NotNull
+    Root getRoot();
+
+    @NotNull
+    NamePathMapper getNamePathMapper();
+
+    @NotNull
+    Context getContext();
+
+    @NotNull
+    PrivilegeManager getPrivilegeManager();
+
+    @NotNull
+    PrivilegeBitsProvider getPrivilegeBitsProvider();
+
+    @NotNull
+    PrincipalManager getPrincipalManager();
+
+    @NotNull
+    RestrictionProvider getRestrictionProvider();
+
+    @NotNull
+    TreeProvider getTreeProvider();
+
+    @NotNull
+    RootProvider getRootProvider();
+}
\ No newline at end of file
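Review bot: `reset(@NotNull Root root, NamePathMapper namePathMapper)` leaves its second parameter unannotated while `getNamePathMapper()` is declared `@NotNull`, so the interface allows a call that breaks its own contract. Annotate it as `void reset(@NotNull Root root, @NotNull NamePathMapper namePathMapper);`; the same applies to the override in MgrProviderImpl, which stores the argument without a check. The interface has no Javadoc either; a one-line comment on `reset` stating that it replaces the root and mapper that the manager getters are bound to (which is what the implementation in this commit does) would make the lifecycle clear to callers.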

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProvider.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProviderImpl.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProviderImpl.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProviderImpl.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProviderImpl.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,154 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.plugins.tree.RootProvider;
+import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
+import org.apache.jackrabbit.oak.spi.security.Context;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConfiguration;
+import org.jetbrains.annotations.NotNull;
+
+import static com.google.common.base.Preconditions.checkState;
+
+final class MgrProviderImpl implements MgrProvider {
+
+    private final PrincipalBasedAuthorizationConfiguration config;
+
+    private NamePathMapper namePathMapper;
+    private Root root;
+    private Context ctx;
+    private RestrictionProvider restrictionProvider;
+    private PrincipalManager principalManager;
+    private PrivilegeManager privilegeManager;
+    private PrivilegeBitsProvider privilegeBitsProvider;
+
+    MgrProviderImpl(@NotNull PrincipalBasedAuthorizationConfiguration config) {
+        this.config = config;
+        this.namePathMapper = NamePathMapper.DEFAULT;
+    }
+
+    MgrProviderImpl(@NotNull PrincipalBasedAuthorizationConfiguration config, 
@NotNull Root root, @NotNull NamePathMapper namePathMapper) {
+        this.config = config;
+        reset(root, namePathMapper);
+    }
+
+    @NotNull
+    @Override
+    public SecurityProvider getSecurityProvider() {
+        return config.getSecurityProvider();
+    }
+
+    @Override
+    public void reset(@NotNull Root root, NamePathMapper namePathMapper) {
+        this.root = root;
+        this.namePathMapper = namePathMapper;
+
+        this.ctx = null;
+        this.restrictionProvider = null;
+        this.principalManager = null;
+        this.privilegeManager = null;
+        this.privilegeBitsProvider = null;
+    }
+
+    @NotNull
+    @Override
+    public Root getRoot() {
+        checkRootInitialized();
+        return root;
+    }
+
+    @NotNull
+    @Override
+    public NamePathMapper getNamePathMapper() {
+        return namePathMapper;
+    }
+
+    @NotNull
+    @Override
+    public Context getContext() {
+        if (ctx == null) {
+            // make sure the context allows to reveal any kind of protected 
access control/permission content not just
+            // those defined by this module.
+            ctx = 
getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getContext();
+        }
+        return ctx;
+    }
+
+    @NotNull
+    @Override
+    public PrivilegeManager getPrivilegeManager() {
+        checkRootInitialized();
+        if (privilegeManager == null) {
+            privilegeManager = 
getSecurityProvider().getConfiguration(PrivilegeConfiguration.class).getPrivilegeManager(root,
 namePathMapper);
+        }
+        return privilegeManager;
+    }
+
+    @NotNull
+    @Override
+    public PrivilegeBitsProvider getPrivilegeBitsProvider() {
+        checkRootInitialized();
+        if (privilegeBitsProvider == null) {
+            privilegeBitsProvider = new PrivilegeBitsProvider(root);
+        }
+        return privilegeBitsProvider;
+    }
+
+    @NotNull
+    @Override
+    public PrincipalManager getPrincipalManager() {
+        checkRootInitialized();
+        if (principalManager == null) {
+            principalManager = 
getSecurityProvider().getConfiguration(PrincipalConfiguration.class).getPrincipalManager(root,
 namePathMapper);
+        }
+        return principalManager;
+    }
+
+    @NotNull
+    @Override
+    public RestrictionProvider getRestrictionProvider() {
+        if (restrictionProvider == null) {
+            restrictionProvider = 
getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getRestrictionProvider();
+        }
+        return restrictionProvider;
+    }
+
+    @NotNull
+    @Override
+    public TreeProvider getTreeProvider() {
+        return config.getTreeProvider();
+    }
+
+    @NotNull
+    @Override
+    public RootProvider getRootProvider() {
+        return config.getRootProvider();
+    }
+
+    private void checkRootInitialized() {
+        checkState(root != null);
+    }
+}
\ No newline at end of file
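Review bot: `checkRootInitialized()` calls `checkState(root != null)` without a message, so an instance created through the one-argument constructor fails in `getRoot()`, `getPrivilegeManager()`, `getPrivilegeBitsProvider()` and `getPrincipalManager()` with a bare IllegalStateException that does not say what is missing. Pass the reason, `checkState(root != null, "Root not initialized; call reset(Root, NamePathMapper) first");`. The lazily filled fields (`ctx`, `restrictionProvider`, `principalManager`, `privilegeManager`, `privilegeBitsProvider`) and `reset` are unsynchronized; if instances are meant to be confined to one session or thread, which seems likely but is not visible here, say so in a class comment such as `// not thread-safe: one instance per access control manager / session`.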

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/MgrProviderImpl.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionEntry.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionEntry.java?rev=1857551&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionEntry.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionEntry.java
 Mon Apr 15 07:16:49 2019
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+interface PermissionEntry {
+
+    PrivilegeBits getPrivilegeBits();
+
+    boolean appliesTo(@NotNull String path);
+
+    boolean matches(@NotNull String oakPath);
+
+    boolean matches(@NotNull Tree tree, @Nullable PropertyState property);
+
+    boolean matches();
+}
\ No newline at end of file
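Review bot: The interface is added without Javadoc, and the difference between `appliesTo(String)` and the three `matches` overloads cannot be read from the signatures. EntryPredicate in this commit evaluates entries as `appliesTo(path) && matches(...)`, so what each half contributes to the permission decision should be written down on the methods, in particular what the no-argument `matches()` is evaluated against. `getPrivilegeBits()` is the only method without a nullability annotation; if it never returns null, declare it as `@NotNull PrivilegeBits getPrivilegeBits();`.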

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionEntry.java
------------------------------------------------------------------------------
    svn:eol-style = native

