use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition in project jackrabbit-oak by apache.
the class PrivilegeDefinitionWriter method getBuiltInDefinitions.
/**
 * Assembles the definitions of the built-in privileges: one definition per
 * name in {@code NON_AGGREGATE_PRIVILEGES}, one per key of
 * {@code AGGREGATE_PRIVILEGES}, and finally {@code JCR_ALL}, which is declared
 * as the aggregate of every name registered before it.
 *
 * @return the values view of an insertion-ordered map holding the built-in
 *         definitions; {@code JCR_ALL} is the last entry.
 */
private static Collection<PrivilegeDefinition> getBuiltInDefinitions() {
    // LinkedHashMap keeps registration order: non-aggregates, aggregates, jcr:all.
    Map<String, PrivilegeDefinition> builtIns = new LinkedHashMap<String, PrivilegeDefinition>();

    for (String name : NON_AGGREGATE_PRIVILEGES) {
        // a null aggregate list marks the privilege as non-aggregate
        builtIns.put(name, new ImmutablePrivilegeDefinition(name, false, null));
    }

    for (String name : AGGREGATE_PRIVILEGES.keySet()) {
        builtIns.put(name, new ImmutablePrivilegeDefinition(name, false, asList(AGGREGATE_PRIVILEGES.get(name))));
    }

    // jcr:all aggregates everything registered so far. keySet() is a live view
    // of the map, and JCR_ALL itself is added right after the definition is built.
    // NOTE(review): this is only safe if ImmutablePrivilegeDefinition copies the
    // names it receives; otherwise jcr:all would list itself. Confirm against
    // that class, since jcr:all is the broadest grant in the store.
    builtIns.put(JCR_ALL, new ImmutablePrivilegeDefinition(JCR_ALL, false, builtIns.keySet()));

    return builtIns.values();
}
use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition in project jackrabbit-oak by apache.
the class PrivilegeDefinitionWriter method writeDefinitions.
/**
 * Writes the given privilege definitions as children of the tree at
 * {@code PRIVILEGES_PATH}, updates the stored "next privilege bits" value and
 * commits the change.
 *
 * @param definitions the privilege definitions to persist.
 * @throws RepositoryException if the privileges tree does not exist, if a
 *         child with the name of one of the definitions is already present,
 *         or if the commit fails (the {@code CommitFailedException} is
 *         converted with {@code asRepositoryException()}).
 */
private void writeDefinitions(Iterable<PrivilegeDefinition> definitions) throws RepositoryException {
    try {
        // the privileges store must already be present; it is never created here
        Tree store = root.getTree(PRIVILEGES_PATH);
        if (!store.exists()) {
            throw new RepositoryException("Privilege store does not exist.");
        }

        for (PrivilegeDefinition toRegister : definitions) {
            String name = toRegister.getName();
            // Refuse to overwrite an existing definition.
            // NOTE(review): a failure here happens after earlier definitions of
            // the same batch were already written to the tree; this method does
            // not discard them, so check that the caller drops the pending
            // changes on error.
            if (store.hasChild(name)) {
                throw new RepositoryException("Privilege definition with name '" + name + "' already exists.");
            }
            writePrivilegeNode(store, toRegister);
        }

        // Writing the next privilege bits onto the privileges root tree is a
        // cheap way to detect collisions that may arise from concurrent
        // registration of custom privileges.
        getNext().writeTo(store);

        // No validation of the definitions happens in this method; it is left
        // to the validation that runs as part of the commit.
        root.commit();
    } catch (CommitFailedException e) {
        throw e.asRepositoryException();
    }
}
use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition in project jackrabbit-oak by apache.
the class PrivilegeValidator method resolveAggregates.
/**
 * Expands a set of declared aggregate names into the names of the privileges
 * that declare no aggregates themselves, following nested aggregations
 * recursively.
 *
 * <p>The recursion keeps no visited set and has no depth limit, so it only
 * terminates when {@code definitions} contains no aggregation cycle.
 * NOTE(review): confirm that every caller rules out cycles before calling this.
 *
 * @param declared    the aggregate names to expand.
 * @param definitions the known privilege definitions, keyed by name.
 * @return the names of all non-aggregate privileges reachable from
 *         {@code declared}.
 * @throws CommitFailedException with code 47 if a name has no entry in
 *         {@code definitions}.
 */
private static Set<String> resolveAggregates(Set<String> declared, Map<String, PrivilegeDefinition> definitions) throws CommitFailedException {
    Set<String> resolved = new HashSet<String>();
    for (String name : declared) {
        PrivilegeDefinition known = definitions.get(name);
        if (known == null) {
            // an unknown name is rejected rather than silently skipped
            throw new CommitFailedException(CONSTRAINT, 47, "Invalid declared aggregate name " + name + ": Unknown privilege.");
        }

        Set<String> nested = known.getDeclaredAggregateNames();
        if (!nested.isEmpty()) {
            // aggregate: descend and collect what it resolves to
            resolved.addAll(resolveAggregates(nested, definitions));
            continue;
        }
        // leaf privilege: contributes its own name
        resolved.add(name);
    }
    return resolved;
}
use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition in project jackrabbit-oak by apache.
the class PrivilegeValidator method validateDefinition.
/**
 * Validates a newly added privilege definition. The checks run in the order
 * below and the first failure aborts the commit with a CONSTRAINT
 * {@code CommitFailedException}:
 * <ul>
 * <li>48 - the definition tree carries no privilege bits</li>
 * <li>49 - non-aggregate privilege whose bits already map to privilege names</li>
 * <li>non-aggregate privilege: the "next bits" must have been adjusted
 * (delegated to {@code validateNext})</li>
 * <li>50 - aggregate that declares exactly one aggregated privilege</li>
 * <li>51 - a declared aggregate is not among the definitions read from
 * {@code rootBefore}</li>
 * <li>52 - cyclic aggregation</li>
 * <li>53 - an existing aggregate declares the same names or resolves to the
 * same set of privileges</li>
 * <li>53 - the bits stored in the tree differ from the bits computed for the
 * declared aggregate names</li>
 * </ul>
 * Code 53 is used for two different failures; only the message tells them apart.
 *
 * @param definitionTree The new privilege definition tree to validate.
 * @throws org.apache.jackrabbit.oak.api.CommitFailedException
 * If any of the checks listed above fails.
 */
private void validateDefinition(Tree definitionTree) throws CommitFailedException {
PrivilegeBits newBits = PrivilegeBits.getInstance(definitionTree);
// a definition without bits could never be evaluated; reject it outright
if (newBits.isEmpty()) {
throw new CommitFailedException(CONSTRAINT, 48, "PrivilegeBits are missing.");
}
// names that bitsProvider already associates with the submitted bits
// NOTE(review): which repository state bitsProvider reads is not visible here; confirm
Set<String> privNames = bitsProvider.getPrivilegeNames(newBits);
PrivilegeDefinition definition = PrivilegeUtil.readDefinition(definitionTree);
Set<String> declaredNames = definition.getDeclaredAggregateNames();
// non-aggregate privilege: its bits must be unused and the next-bits
// bookkeeping must have been updated; nothing else applies to it
if (declaredNames.isEmpty()) {
if (!privNames.isEmpty()) {
throw new CommitFailedException(CONSTRAINT, 49, "PrivilegeBits already in used.");
}
validateNext(newBits);
return;
}
// aggregation of a single privilege would only be an alias of that privilege
if (declaredNames.size() == 1) {
throw new CommitFailedException(CONSTRAINT, 50, "Singular aggregation is equivalent to existing privilege.");
}
// aggregation of >1 privileges: validate against the definitions as they were
// before this commit (rootBefore), so an aggregate cannot refer to a privilege
// that is only being added by the same commit
Map<String, PrivilegeDefinition> definitions = new PrivilegeDefinitionReader(rootBefore).readDefinitions();
for (String aggrName : declaredNames) {
// aggregated privilege not registered
if (!definitions.containsKey(aggrName)) {
throw new CommitFailedException(CONSTRAINT, 51, "Declared aggregate '" + aggrName + "' is not a registered privilege.");
}
// check for circular aggregation; this runs before resolveAggregates below,
// which recurses through nested aggregates
if (isCircularAggregation(definition.getName(), aggrName, definitions)) {
String msg = "Detected circular aggregation within custom privilege caused by " + aggrName;
throw new CommitFailedException(CONSTRAINT, 52, msg);
}
}
// names the new aggregate resolves to once nested aggregates are expanded
Set<String> aggregateNames = resolveAggregates(declaredNames, definitions);
for (PrivilegeDefinition existing : definitions.values()) {
Set<String> existingDeclared = existing.getDeclaredAggregateNames();
// only existing aggregates can duplicate the new one
if (existingDeclared.isEmpty()) {
continue;
}
// test for exact same aggregation or aggregation with the same net effect
if (declaredNames.equals(existingDeclared) || aggregateNames.equals(resolveAggregates(existingDeclared, definitions))) {
String msg = "Custom aggregate privilege '" + definition.getName() + "' is already covered by '" + existing.getName() + '\'';
throw new CommitFailedException(CONSTRAINT, 53, msg);
}
}
// The stored bits must be exactly the bits bitsProvider computes for the
// declared names, so an aggregate cannot carry bits its declaration does not cover.
PrivilegeBits aggrBits = bitsProvider.getBits(declaredNames.toArray(new String[declaredNames.size()]));
if (!newBits.equals(aggrBits)) {
// same numeric code (53) as the duplicate-aggregate failure above
throw new CommitFailedException(CONSTRAINT, 53, "Invalid privilege bits for aggregated privilege definition.");
}
}
use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition in project jackrabbit-oak by apache.
the class PrivilegeImplTest method testToString.
/**
 * Verifies that {@code toString()} of the privilege under test yields the
 * name of the definition read back for it.
 */
@Test
public void testToString() {
    // look the definition up by the privilege's own name, then compare names
    PrivilegeDefinitionReader reader = new PrivilegeDefinitionReader(root);
    String expectedName = reader.readDefinition(privilege.getName()).getName();
    assertEquals(expectedName, privilege.toString());
}
Aggregations