use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits in project jackrabbit-oak by apache.
the class CompositePermissionProvider method getPrivileges.
/**
 * Computes the effective privilege names for {@code tree} across all
 * aggregated permission providers.
 *
 * <p>A privilege ends up in the result only if at least one evaluated provider
 * grants it and no evaluated provider that reports it as supported withholds
 * it. Providers whose supported set fails {@code doEvaluate} contribute neither
 * grants nor denials. If no provider is evaluated, the result is built from
 * empty bits.
 *
 * @param tree the tree to evaluate; it is resolved against {@code immutableRoot}
 *             before being handed to the providers
 * @return the privilege names that remain after subtracting every denied bit
 */
@Nonnull
@Override
public Set<String> getPrivileges(@Nullable Tree tree) {
    final Tree readOnlyTree = PermissionUtil.getImmutableTree(tree, immutableRoot);
    final PrivilegeBits grantedUnion = PrivilegeBits.getInstance();
    final PrivilegeBits deniedUnion = PrivilegeBits.getInstance();

    for (AggregatedPermissionProvider provider : pps) {
        // modifiable copy: diff() below is applied to it directly
        PrivilegeBits supported = provider.supportedPrivileges(readOnlyTree, null).modifiable();
        if (!doEvaluate(supported)) {
            continue;
        }
        PrivilegeBits granted = privilegeBitsProvider.getBits(provider.getPrivileges(readOnlyTree));
        if (!granted.isEmpty()) {
            grantedUnion.add(granted);
        }
        // whatever this provider supports but did not grant counts as denied
        deniedUnion.add(supported.diff(granted));
    }

    // a denial from any provider overrides a grant from another one
    if (!deniedUnion.isEmpty()) {
        grantedUnion.diff(deniedUnion);
    }
    return privilegeBitsProvider.getPrivilegeNames(grantedUnion);
}
use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits in project jackrabbit-oak by apache.
the class CompiledPermissionImpl method hasPermissions.
/**
 * Evaluates the given permission entries, in iteration order, against the
 * requested {@code permissions}.
 *
 * <p>Allow and deny bits are accumulated entry by entry. The loop returns
 * {@code true} as soon as every requested permission bit is allowed and
 * {@code false} as soon as the accumulated denies satisfy
 * {@code Permissions.includes(denies, permissions)}. Because each entry only
 * contributes bits via {@code addDifference} against the opposite set, the
 * outcome depends on the order in which {@code entries} yields its elements.
 * NOTE(review): presumably the caller supplies entries in precedence order;
 * confirm against the iterator's producer.
 *
 * @param entries     permission entries to evaluate
 * @param predicate   consulted per entry, but only when parent permissions are respected
 * @param permissions bit mask of the requested permissions
 * @param path        path being checked; when {@code null} parent permissions are never respected
 * @return {@code true} if all requested permission bits end up allowed
 */
private boolean hasPermissions(@Nonnull Iterator<PermissionEntry> entries, @Nonnull EntryPredicate predicate, long permissions, @Nullable String path) {
// calculate readable paths if the given permissions includes any read permission.
boolean isReadable = Permissions.diff(Permissions.READ, permissions) != Permissions.READ && readPolicy.isReadablePath(path, false);
// nothing to evaluate and no readable-path shortcut: deny
if (!entries.hasNext() && !isReadable) {
return false;
}
boolean respectParent = (path != null) && Permissions.respectParentPermissions(permissions);
// a readable path starts out with READ already allowed, before any entry is looked at
long allows = (isReadable) ? Permissions.READ : Permissions.NO_PERMISSION;
long denies = Permissions.NO_PERMISSION;
PrivilegeBits allowBits = PrivilegeBits.getInstance();
if (isReadable) {
allowBits.add(bitsProvider.getBits(PrivilegeConstants.JCR_READ));
}
PrivilegeBits denyBits = PrivilegeBits.getInstance();
PrivilegeBits parentAllowBits;
PrivilegeBits parentDenyBits;
String parentPath;
if (respectParent) {
parentAllowBits = PrivilegeBits.getInstance();
parentDenyBits = PrivilegeBits.getInstance();
parentPath = PermissionUtil.getParentPathOrNull(path);
} else {
// the shared EMPTY instances are only read below; every write to the
// parent bits is guarded by respectParent
parentAllowBits = PrivilegeBits.EMPTY;
parentDenyBits = PrivilegeBits.EMPTY;
parentPath = null;
}
while (entries.hasNext()) {
PermissionEntry entry = entries.next();
// collect the parent's allow/deny bits from entries that match the parent path
if (respectParent && (parentPath != null)) {
boolean matchesParent = entry.matchesParent(parentPath);
if (matchesParent) {
if (entry.isAllow) {
parentAllowBits.addDifference(entry.privilegeBits, parentDenyBits);
} else {
parentDenyBits.addDifference(entry.privilegeBits, parentAllowBits);
}
}
}
if (entry.isAllow) {
// without parent handling every entry counts; otherwise the predicate decides
if (!respectParent || predicate.apply(entry, false)) {
allowBits.addDifference(entry.privilegeBits, denyBits);
}
// recomputed for every allow entry, also when the predicate rejected it
long ap = PrivilegeBits.calculatePermissions(allowBits, parentAllowBits, true);
allows |= Permissions.diff(ap, denies);
// all-ones (-1) means every bit set in permissions is also set in allows
if ((allows | ~permissions) == -1) {
return true;
}
} else {
if (!respectParent || predicate.apply(entry, false)) {
denyBits.addDifference(entry.privilegeBits, allowBits);
}
// recomputed for every deny entry, also when the predicate rejected it
long dp = PrivilegeBits.calculatePermissions(denyBits, parentDenyBits, false);
denies |= Permissions.diff(dp, allows);
if (Permissions.includes(denies, permissions)) {
return false;
}
}
}
// entries exhausted without an early decision: grant only if nothing requested is missing
return (allows | ~permissions) == -1;
}
use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits in project jackrabbit-oak by apache.
the class AccessControlManagerImplTest method createPolicy.
/**
 * Builds an {@code ACL} test fixture for {@code path} backed by the test's
 * principal manager, privilege manager and restriction provider.
 *
 * <p>The fixture cannot create entries: {@code createACE} always throws
 * {@link UnsupportedOperationException}. Principal validation is delegated to
 * {@code Util.checkValidPrincipal}.
 *
 * @param path the path the policy is bound to, may be {@code null}
 * @return the anonymous {@code ACL} instance
 */
private ACL createPolicy(@Nullable String path) {
    final PrincipalManager principalManager = getPrincipalManager(root);
    final PrivilegeManager privilegeManager = getPrivilegeManager(root);
    final RestrictionProvider restrictionProvider = getRestrictionProvider();

    return new ACL(path, null, getNamePathMapper()) {

        @Nonnull
        @Override
        public RestrictionProvider getRestrictionProvider() {
            return restrictionProvider;
        }

        @Override
        PrivilegeManager getPrivilegeManager() {
            return privilegeManager;
        }

        @Override
        PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
            return getBitsProvider().getBits(privileges, getNamePathMapper());
        }

        @Override
        boolean checkValidPrincipal(Principal principal) throws AccessControlException {
            // reports true whenever the delegate returns without throwing
            Util.checkValidPrincipal(principal, principalManager);
            return true;
        }

        @Override
        ACE createACE(Principal principal, PrivilegeBits privilegeBits, boolean isAllow, Set<Restriction> restrictions) {
            // entry creation is deliberately unsupported in this fixture
            throw new UnsupportedOperationException();
        }
    };
}
use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits in project jackrabbit-oak by apache.
the class PermissionStoreImpl method createPermissionEntry.
/**
 * Builds a {@code PermissionEntry} from a tree in the permission store.
 *
 * <p>The entry's index is parsed from the tree's name, so a non-numeric name
 * makes {@link Integer#parseInt(String)} throw {@link NumberFormatException},
 * which this method does not catch.
 *
 * @param path      the path the entry applies to
 * @param entryTree the stored entry; supplies the privilege bits, the
 *                  allow/deny flag, the index (its name) and the restrictions
 * @return the new permission entry
 */
@Nonnull
private PermissionEntry createPermissionEntry(@Nonnull String path, @Nonnull Tree entryTree) {
    final PropertyState bitsProperty = entryTree.getProperty(REP_PRIVILEGE_BITS);

    // a property recognised by isJcrAll maps to the shared allBits instance
    final PrivilegeBits privilegeBits;
    if (isJcrAll(bitsProperty)) {
        privilegeBits = allBits;
    } else {
        privilegeBits = PrivilegeBits.getInstance(bitsProperty);
    }

    final boolean allow = TreeUtil.getBoolean(entryTree, REP_IS_ALLOW);
    final int index = Integer.parseInt(entryTree.getName());
    return new PermissionEntry(path, allow, index, privilegeBits, restrictionProvider.getPattern(path, entryTree));
}
use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits in project jackrabbit-oak by apache.
the class PrivilegeDefinitionWriter method next.
/**
 * Hands out the bits currently held in the {@code next} field and advances
 * the field to {@code nextBits()} of the value just returned.
 *
 * @return the value {@code next} held on entry
 */
@Nonnull
private PrivilegeBits next() {
    final PrivilegeBits current = next;
    next = current.nextBits();
    return current;
}