Package org.apache.jackrabbit.core.security.authorization

Source Code of org.apache.jackrabbit.core.security.authorization.PrivilegeManagerImpl$PrivilegeImpl

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements.  See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License.  You may obtain a copy of the License at
*
*      http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.jackrabbit.core.security.authorization;

import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.PrivilegeDefinition;
import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
import org.apache.jackrabbit.spi.commons.name.NameConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.jcr.AccessDeniedException;
import javax.jcr.NamespaceException;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
* <code>PrivilegeManager</code>...
*/
public final class PrivilegeManagerImpl implements PrivilegeManager, PrivilegeRegistry.Listener {

    /**
     * logger instance
     */
    private static final Logger log = LoggerFactory.getLogger(PrivilegeManagerImpl.class);

    private static final Privilege[] EMPTY_ARRAY = new Privilege[0];

    /**
     * The privilege registry
     */
    private final PrivilegeRegistry registry;

    /**
     * The name resolver used to determine the correct privilege
     * {@link javax.jcr.security.Privilege#getName() name} depending on the sessions namespace
     * mappings.
     */
    private final NameResolver resolver;

    /**
     * Per instance map containing the namespace aware representation of
     * the registered privileges.
     */
    private final Map<Name, Privilege> cache;

    public PrivilegeManagerImpl(PrivilegeRegistry registry, NameResolver nameResolver) {
        this.registry = registry;
        this.resolver = nameResolver;
        this.cache = new HashMap<Name, Privilege>();

        // listen to privilege registration (due to weak references no explicit
        // stop-listening call required
        registry.addListener(this);
    }

    //---------------------------------------------------< PrivilegeManager >---
    /**
     * @see PrivilegeManager#getRegisteredPrivileges()
     */
    public Privilege[] getRegisteredPrivileges() throws RepositoryException {
        PrivilegeDefinition[] allDefs = registry.getAll();
        if (allDefs.length != cache.size()) {
            synchronized (cache) {
                for (PrivilegeDefinition def : allDefs) {
                    if (!cache.containsKey(def.getName())) {
                        cache.put(def.getName(), new PrivilegeImpl(def));
                    }
                }
            }
        }
        return cache.values().toArray(new Privilege[allDefs.length]);
    }

    /**
     * @see PrivilegeManager#getPrivilege(String)
     */
    public Privilege getPrivilege(String privilegeName) throws AccessControlException, RepositoryException {
        Name name = resolver.getQName(privilegeName);
        return getPrivilege(name);
    }

    /**
     * Register a new custom privilege with the specified characteristics.<p/>
     *
     * <p>The current implementation has the following limitations and constraints:</p>
     *
     * <ul>
     * <li>the name may not be in use by another privilege</li>
     * <li>the namespace URI must be a valid, registered namespace excluding
     * those namespaces marked as being reserved</li>
     * <li>an aggregate custom privilege is valid if all declared aggregate
     * names can be resolved to registered privileges and if there exists
     * no registered privilege with the same aggregated privileges.</li>
     * </ul>
     *
     * <strong>Please note</strong><br>
     * Custom privilege(s) will not be enforced for any kind of repository
     * operations. Those are exclusively covered by the built-in privileges.
     * This also implies that the {@link Permission}s are not affected by
     * custom privileges.<p/>
     * Applications making use of the custom privilege(s) are in charge of
     * asserting whether the privileges are granted/denied according to their
     * application specific needs.
     *
     * @param privilegeName The name of the new custom privilege.
     * @param isAbstract Boolean flag indicating if the privilege is abstract.
     * @param declaredAggregateNames An array of privilege names referring to
     * registered privileges being aggregated by this new custom privilege.
     * In case of a non aggregate privilege an empty array should be passed.
     * @return the new privilege.
     * @throws AccessDeniedException If the session this manager has been created
     * lacks rep:privilegeManagement privilege.
     * @throws RepositoryException If the privilege could not be registered due
     * to constraint violations or if persisting the custom privilege fails.
     * @see PrivilegeManager#registerPrivilege(String, boolean, String[])
     */
    public Privilege registerPrivilege(String privilegeName, boolean isAbstract,
                                       String[] declaredAggregateNames)
            throws AccessDeniedException, RepositoryException {
        boolean allowed = false;
        if (resolver instanceof SessionImpl) {
            // TODO: FIXME should be 'null' path as privilegeManagement is a
            // TODO: repo-level privilege such as namespace or node type mgt.
            SessionImpl sImpl = (SessionImpl) resolver;
            allowed = sImpl.getAccessManager().isGranted(sImpl.getQPath("/"), Permission.PRIVILEGE_MNGMT);
        }
        if (!allowed) {
            throw new AccessDeniedException("Registering privileges is not allowed for the editing session.");
        }

        Name name = resolver.getQName(privilegeName);
        Set<Name> daNames;
        if (declaredAggregateNames == null || declaredAggregateNames.length == 0) {
            daNames = Collections.emptySet();
        } else {
            daNames = new HashSet<Name>(declaredAggregateNames.length);
            for (String declaredAggregateName : declaredAggregateNames) {
                daNames.add(resolver.getQName(declaredAggregateName));
            }
        }
        registry.registerDefinition(name, isAbstract, daNames);

        return getPrivilege(privilegeName);
    }

    //-----------------------------< implementation specific public methods >---      
    /**
     * @param privileges An array of privileges.
     * @return The bits of the privileges contained in the specified
     * array.
     * @throws AccessControlException If the specified array is null, empty
     * or if it contains an unregistered privilege.
     */
    public PrivilegeBits getBits(Privilege... privileges) throws AccessControlException {
        if (privileges == null || privileges.length == 0) {
            throw new AccessControlException("Privilege array is empty or null.");
        }

        PrivilegeDefinition[] defs = new PrivilegeDefinition[privileges.length];
        for (int i = 0; i < privileges.length; i++) {
            Privilege p = privileges[i];
            if (p instanceof PrivilegeImpl) {
                defs[i] = ((PrivilegeImpl) p).definition;
            } else {
                String name = (p == null) ? "null" : p.getName();
                throw new AccessControlException("Unknown privilege '" + name + "'.");
            }
        }
        return registry.getBits(defs);
    }

    /**
     * Returns an array of registered <code>Privilege</code>s. If the specified
     * <code>bits</code> represent a single registered privilege the returned array
     * contains a single element. Otherwise the returned array contains the
     * individual registered privileges that are combined in the given
     * <code>bits</code>. If <code>bits</code> does not match to any registered
     * privilege an empty array will be returned.
     *
     * @param bits Privilege bits as obtained from {@link #getBits(Privilege...)}.
     * @return Array of <code>Privilege</code>s that are presented by the given
     * <code>bits</code> or an empty array if <code>bits</code> cannot be
     * resolved to registered <code>Privilege</code>s.
     * @see #getBits(Privilege...)
     */
    public Set<Privilege> getPrivileges(PrivilegeBits bits) {
        Name[] names = registry.getNames(bits);
        if (names.length == 0) {
            return Collections.emptySet();
        } else {
            Set<Privilege> privs = new HashSet<Privilege>(names.length);
            for (Name n : names) {
                try {
                    privs.add(getPrivilege(n));
                } catch (RepositoryException e) {
                    log.error("Internal error: invalid privilege name " + n.toString());
                }
            }
            return privs;
        }
    }

    //------------------------------------------------------------< private >---
    /**
     * @param name
     * @return The privilege with the specified name.
     * @throws AccessControlException
     * @throws RepositoryException
     */
    private Privilege getPrivilege(Name name) throws AccessControlException, RepositoryException {
        Privilege privilege;
        synchronized (cache) {
            if (cache.containsKey(name)) {
                privilege = cache.get(name);
            } else {
                PrivilegeDefinition def = registry.get(name);
                if (def != null) {
                    privilege = new PrivilegeImpl(def);
                    cache.put(name, privilege);
                } else {
                    throw new AccessControlException("Unknown privilege " + resolver.getJCRName(name));
                }
            }
        }
        return privilege;
    }

    //-----------------------------------------< PrivilegeRegistry.Listener >---
    /**
     * @see PrivilegeRegistry.Listener#privilegesRegistered(java.util.Set
     * @param privilegeNames
     */
    public void privilegesRegistered(Set<Name> privilegeNames) {
        // force recalculation of jcr:all privilege
        synchronized (cache) {
            cache.remove(NameConstants.JCR_ALL);
        }
    }

    //----------------------------------------------------------< Privilege >---
    /**
     * Simple wrapper used to provide an public representation of the
     * registered internal privileges properly exposing the JCR name.
     */
    private class PrivilegeImpl implements Privilege {

        private final PrivilegeDefinition definition;

        private final Privilege[] declaredAggregates;
        private final Privilege[] aggregates;

        private PrivilegeImpl(PrivilegeDefinition definition) throws RepositoryException {
            this.definition = definition;

            Set<Name> set = definition.getDeclaredAggregateNames();
            Name[] declAggrNames = set.toArray(new Name[set.size()]);
            if (declAggrNames.length == 0) {
                declaredAggregates = EMPTY_ARRAY;
                aggregates = EMPTY_ARRAY;
            } else {
                declaredAggregates = new Privilege[declAggrNames.length];
                for (int i = 0; i < declAggrNames.length; i++) {
                    declaredAggregates[i] = getPrivilege(declAggrNames[i]);
                }

                Set<Privilege> aggr = new HashSet<Privilege>();
                for (Privilege decl : declaredAggregates) {
                    aggr.add(decl);
                    if (decl.isAggregate()) {
                        aggr.addAll(Arrays.asList(decl.getAggregatePrivileges()));
                    }
                }
                aggregates = aggr.toArray(new Privilege[aggr.size()]);
            }
        }

        /**
         * @see Privilege#getName()
         */
        public String getName() {
            try {
                return resolver.getJCRName(definition.getName());
            } catch (NamespaceException e) {
                // should not occur -> return internal name representation.
                return definition.getName().toString();
            }
        }

        /**
         * @see Privilege#isAbstract()
         */
        public boolean isAbstract() {
            return definition.isAbstract();
        }

        /**
         * @see Privilege#isAggregate()
         */
        public boolean isAggregate() {
            return declaredAggregates.length > 0;
        }

        /**
         * @see Privilege#getDeclaredAggregatePrivileges()
         */
        public Privilege[] getDeclaredAggregatePrivileges() {
            return declaredAggregates;
        }

        /**
         * @see Privilege#getAggregatePrivileges()
         */
        public Privilege[] getAggregatePrivileges() {
            return aggregates;
        }

        //---------------------------------------------------------< Object >---
        @Override
        public String toString() {
            return getName();
        }

        @Override
        public int hashCode() {
            return definition.hashCode();
        }

        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (obj instanceof PrivilegeImpl) {
                PrivilegeImpl other = (PrivilegeImpl) obj;
                return definition.equals(other.definition);
            }
            return false;
        }
    }
}
TOP

Related Classes of org.apache.jackrabbit.core.security.authorization.PrivilegeManagerImpl$PrivilegeImpl

  • org.apache.jackrabbit.core.security.authorization.acl.Entry
  • org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider$CompiledPermissionImpl
  • org.apache.jackrabbit.core.security.user.UserAccessControlProvider$CompiledPermissionsImpl
  • org.apache.jackrabbit.core.session.SessionContext
  • org.apache.jackrabbit.core.SessionImpl
  • org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition
  • org.apache.jackrabbit.spi.Name
  • org.apache.jackrabbit.spi.PrivilegeDefinition
  • javax.jcr.AccessDeniedException
  • javax.jcr.security.Privilege
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.