Class PermissionProviderImpl
- java.lang.Object
  - org.apache.jackrabbit.oak.security.authorization.permission.PermissionProviderImpl
- All Implemented Interfaces: AccessControlConstants, AggregatedPermissionProvider, PermissionConstants, PermissionProvider
- Direct Known Subclasses: MountPermissionProvider
public class PermissionProviderImpl extends Object implements PermissionProvider, AccessControlConstants, PermissionConstants, AggregatedPermissionProvider

Field Summary
- Fields inherited from interface org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants:
  AC_NODETYPE_NAMES, ACE_PROPERTY_NAMES, MIX_REP_ACCESS_CONTROLLABLE, MIX_REP_REPO_ACCESS_CONTROLLABLE, NT_REP_ACE, NT_REP_ACL, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_POLICY, NT_REP_RESTRICTIONS, PARAM_RESTRICTION_PROVIDER, POLICY_NODE_NAMES, REP_CURRENT, REP_GLOB, REP_GLOBS, REP_ITEM_NAMES, REP_NODE_PATH, REP_NT_NAMES, REP_POLICY, REP_PREFIXES, REP_PRINCIPAL_NAME, REP_PRIVILEGES, REP_REPO_POLICY, REP_RESTRICTIONS, REP_SUBTREES
- Fields inherited from interface org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants:
  DEFAULT_READ_PATHS, NT_REP_PERMISSION_STORE, NT_REP_PERMISSIONS, PARAM_ADMINISTRATIVE_PRINCIPALS, PARAM_PERMISSIONS_JR2, PARAM_READ_PATHS, PERMISSION_NODE_NAMES, PERMISSION_NODETYPE_NAMES, PERMISSION_PROPERTY_NAMES, PERMISSIONS_STORE_PATH, REP_ACCESS_CONTROLLED_PATH, REP_IS_ALLOW, REP_NUM_PERMISSIONS, REP_PERMISSION_STORE, REP_PRIVILEGE_BITS, VALUE_PERMISSIONS_JR2

Constructor Summary
- PermissionProviderImpl(@NotNull Root root, @NotNull String workspaceName, @NotNull Set<Principal> principals, @NotNull RestrictionProvider restrictionProvider, @NotNull ConfigurationParameters options, @NotNull Context ctx, @NotNull ProviderCtx providerCtx)

Method Summary
All Methods / Instance Methods / Concrete Methods (modifier and type, method, description)
- protected @NotNull org.apache.jackrabbit.oak.security.authorization.permission.PermissionStore getPermissionStore(@NotNull Root root, @NotNull String workspaceName, @NotNull RestrictionProvider restrictionProvider)
- @NotNull Set<String> getPrivileges(@Nullable Tree tree)
  Returns the set of privilege names which are granted to the set of Principals associated with this provider instance for the specified Tree.
- @NotNull RepositoryPermission getRepositoryPermission()
  Return the RepositoryPermission for the set of Principals associated with this provider instance.
- @NotNull TreePermission getTreePermission(@NotNull Tree tree, @NotNull TreeType type, @NotNull TreePermission parentPermission)
  Return the TreePermission for the set of Principals associated with this provider at the specified tree with the given type.
- @NotNull TreePermission getTreePermission(@NotNull Tree tree, @NotNull TreePermission parentPermission)
  Return the TreePermission for the set of Principals associated with this provider at the specified tree.
- boolean hasPrivileges(@Nullable Tree tree, @NotNull String... privilegeNames)
  Returns whether the principal set associated with this PrivilegeManager is granted the privileges identified by the specified privilege names for the given tree.
- boolean isGranted(@NotNull String oakPath, @NotNull String jcrActions)
  Tests if the specified actions are granted at the given path for the set of Principals associated with this provider instance.
- boolean isGranted(@NotNull Tree tree, @Nullable PropertyState property, long permissions)
  Test if the specified permissions are granted for the set of Principals associated with this provider instance for the item identified by the given tree and optionally property.
- boolean isGranted(@NotNull TreeLocation location, long permissions)
  Test if the specified permissions are granted for the set of Principals associated with this provider instance for the item identified by the given location and optionally property.
- void refresh()
  Refresh this PermissionProvider.
- long supportedPermissions(@NotNull TreeLocation location, long permissions)
  Allows to determine the set or subset of permissions evaluated by the implementing permission provider for the specified location.
- long supportedPermissions(@NotNull TreePermission treePermission, @Nullable PropertyState property, long permissions)
  Allows to determine the set or subset of permissions evaluated by the implementing permission provider for the specified tree permission (plus optionally property).
- long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions)
  Allows to determine the set or subset of permissions evaluated by the implementing permission provider for the specified item (identified by tree and optionally property) or at the repository level in case the specified tree is null.
- @NotNull PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits)
  Allows to determine the set or subset of privileges evaluated by the implementing permission provider for the specified tree or at the repository level in case the specified tree is null.

Constructor Detail
PermissionProviderImpl
public PermissionProviderImpl(@NotNull Root root, @NotNull String workspaceName, @NotNull Set<Principal> principals, @NotNull RestrictionProvider restrictionProvider, @NotNull ConfigurationParameters options, @NotNull Context ctx, @NotNull ProviderCtx providerCtx)

Method Detail
refresh
public void refresh()
Description copied from interface: PermissionProvider
Refresh this PermissionProvider. The implementation is expected to subsequently return permission evaluation results that reflect the most recent revision of the repository.
- Specified by: refresh in interface PermissionProvider

getPrivileges
@NotNull public Set<String> getPrivileges(@Nullable Tree tree)
Description copied from interface: PermissionProvider
Returns the set of privilege names which are granted to the set of Principals associated with this provider instance for the specified Tree.
- Specified by: getPrivileges in interface PermissionProvider
- Parameters:
  tree - The tree for which the privileges should be retrieved.
- Returns: set of privilege names

hasPrivileges
public boolean hasPrivileges(@Nullable Tree tree, @NotNull String... privilegeNames)
Description copied from interface: PermissionProvider
Returns whether the principal set associated with this PrivilegeManager is granted the privileges identified by the specified privilege names for the given tree. In order to test for privileges being granted on a repository level rather than on a particular tree a null tree should be passed to this method.
Testing a name identifying an aggregate privilege is equivalent to testing each non aggregate privilege name.
- Specified by: hasPrivileges in interface PermissionProvider
- Parameters:
  tree - The tree to test for privileges being granted.
  privilegeNames - The name of the privileges.
- Returns: true if all privileges are granted; false otherwise.

getRepositoryPermission
@NotNull public RepositoryPermission getRepositoryPermission()
Description copied from interface: PermissionProvider
Return the RepositoryPermission for the set of Principals associated with this provider instance.
- Specified by: getRepositoryPermission in interface PermissionProvider
- Returns: The RepositoryPermission for the set of Principals this provider instance has been created for.

getTreePermission
@NotNull public TreePermission getTreePermission(@NotNull Tree tree, @NotNull TreePermission parentPermission)
Description copied from interface: PermissionProvider
Return the TreePermission for the set of Principals associated with this provider at the specified tree.
- Specified by: getTreePermission in interface PermissionProvider
- Parameters:
  tree - The tree for which the TreePermission object should be built.
  parentPermission - The TreePermission object that has been obtained before for the parent tree.
- Returns: The TreePermission object for the specified tree.

isGranted
public boolean isGranted(@NotNull Tree tree, @Nullable PropertyState property, long permissions)
Description copied from interface: PermissionProvider
Test if the specified permissions are granted for the set of Principals associated with this provider instance for the item identified by the given tree and optionally property. This method will only return true if all permissions are granted.
- Specified by: isGranted in interface PermissionProvider
- Parameters:
  tree - The Tree to test the permissions for.
  property - A PropertyState if the item to test is a property or null if the item is a Tree.
  permissions - The permissions to be tested.
- Returns: true if the specified permissions are granted for the item identified by the given tree and optionally property state.

isGranted
public boolean isGranted(@NotNull String oakPath, @NotNull String jcrActions)
Description copied from interface: PermissionProvider
Tests if the specified actions are granted at the given path for the set of Principals associated with this provider instance.
The jcrActions parameter is a comma separated list of action strings such as defined by Session and passed to Session.hasPermission(String, String). When more than one action is specified in the jcrActions parameter, this method will only return true if all of them are granted on the specified path.
- Specified by: isGranted in interface PermissionProvider
- Parameters:
  oakPath - A valid oak path.
  jcrActions - The JCR actions that should be tested separated by ','
- Returns: true if all actions are granted at the specified path; false otherwise.

supportedPrivileges
@NotNull public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits)
Description copied from interface: AggregatedPermissionProvider
Allows to determine the set or subset of privileges evaluated by the implementing permission provider for the specified tree or at the repository level in case the specified tree is null. If the given privilegeBits is null an implementation returns the complete set that is covered by the provider; otherwise the supported subset of the specified privilegeBits is returned. Returning PrivilegeBits.EMPTY indicates that this implementation is not in charge of evaluating the specified privileges and thus will be ignored while computing the composite result of PermissionProvider.getPrivileges(org.apache.jackrabbit.oak.api.Tree) or PermissionProvider.hasPrivileges(org.apache.jackrabbit.oak.api.Tree, String...).
- Specified by: supportedPrivileges in interface AggregatedPermissionProvider
- Parameters:
  tree - The tree for which the privileges will be evaluated or null for repository level privileges.
  privilegeBits - The privilege(s) to be tested or null
- Returns: The set of privileges or the subset of the given privilegeBits that are supported and evaluated by the implementation at the given tree represented as PrivilegeBits.

supportedPermissions
public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions)
Description copied from interface: AggregatedPermissionProvider
Allows to determine the set or subset of permissions evaluated by the implementing permission provider for the specified item (identified by tree and optionally property) or at the repository level in case the specified tree is null. Returning Permissions.NO_PERMISSION indicates that this implementation is not in charge of evaluating the specified permissions for the specified item and thus will be ignored while computing the composite result of PermissionProvider.isGranted(Tree, PropertyState, long).
- Specified by: supportedPermissions in interface AggregatedPermissionProvider
- Parameters:
  tree - The tree for which the permissions will be evaluated or null for repository level privileges.
  property - The target property or null.
  permissions - The permissions to be tested
- Returns: The subset of the given permissions that are supported and evaluated by the implementation for the given item.

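Added example (not part of the Oak Javadoc or the Oak code base): a self-contained model of how a composite can use supportedPermissions when combining aggregated providers, skipping any provider that returns NO_PERMISSION. The Aggregated interface, the provider helper, the paths and the bit values are constructed for this sketch, and the combination rule (every requested bit must be covered by some provider and granted by it) is an assumption, since this page does not state how the composite result is computed.

```java
import java.util.List;

public class CompositeGrantSketch {
    // Constructed bit values for this sketch; not Oak's Permissions constants.
    static final long NO_PERMISSION = 0, READ_NODE = 1, ADD_NODE = 2, REMOVE_NODE = 4;

    /** Hypothetical stand-in for the two calls a composite makes on each aggregated provider. */
    interface Aggregated {
        long supportedPermissions(String path, long permissions);
        boolean isGranted(String path, long permissions);
    }

    /** Provider that evaluates only the scope bits below root and grants only the granted bits. */
    static Aggregated provider(String root, long scope, long granted) {
        return new Aggregated() {
            public long supportedPermissions(String path, long permissions) {
                return path.startsWith(root) ? permissions & scope : NO_PERMISSION;
            }
            public boolean isGranted(String path, long permissions) {
                return (permissions & ~granted) == 0;
            }
        };
    }

    /** Assumed combination rule: every requested bit must be covered and granted. */
    static boolean isGranted(List<Aggregated> providers, String path, long permissions) {
        long covered = NO_PERMISSION;
        for (Aggregated p : providers) {
            long supported = p.supportedPermissions(path, permissions);
            if (supported == NO_PERMISSION) {
                continue; // not in charge here: ignored, it neither grants nor denies
            }
            if (!p.isGranted(path, supported)) {
                return false; // a provider that is in charge denied its share
            }
            covered |= supported;
        }
        return covered == permissions; // bits no provider evaluated stay ungranted
    }

    public static void main(String[] args) {
        List<Aggregated> providers = List.of(
                provider("/", READ_NODE | ADD_NODE, READ_NODE | ADD_NODE),
                provider("/apps", REMOVE_NODE, NO_PERMISSION));
        // Outside /apps the second provider reports NO_PERMISSION and is skipped.
        System.out.println(isGranted(providers, "/content/a", READ_NODE | ADD_NODE));
        // Below /apps the second provider is in charge of REMOVE_NODE and denies it.
        System.out.println(isGranted(providers, "/apps/x", READ_NODE | REMOVE_NODE));
        // Outside /apps no provider covers REMOVE_NODE at all.
        System.out.println(isGranted(providers, "/content/a", READ_NODE | REMOVE_NODE));
    }
}
```

The third call is the case to review in a real deployment: a permission that every aggregated provider declines to evaluate should end up denied rather than silently allowed.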
supportedPermissions
public long supportedPermissions(@NotNull TreeLocation location, long permissions)
Description copied from interface: AggregatedPermissionProvider
Allows to determine the set or subset of permissions evaluated by the implementing permission provider for the specified location. Returning Permissions.NO_PERMISSION indicates that this implementation is not in charge of evaluating the specified permissions for the specified location and thus will be ignored while computing the composite result of PermissionProvider.isGranted(String, String) and AggregatedPermissionProvider.isGranted(TreeLocation, long).
- Specified by: supportedPermissions in interface AggregatedPermissionProvider
- Parameters:
  location - The tree location for which the permissions will be evaluated.
  permissions - The permissions to be tested
- Returns: The subset of the given permissions that are supported and evaluated by the implementation for the given location.

supportedPermissions
public long supportedPermissions(@NotNull TreePermission treePermission, @Nullable PropertyState property, long permissions)
Description copied from interface: AggregatedPermissionProvider
Allows to determine the set or subset of permissions evaluated by the implementing permission provider for the specified tree permission (plus optionally property). Returning Permissions.NO_PERMISSION indicates that this implementation is not in charge of evaluating the specified permissions for the specified tree permission and thus will be ignored while computing the composite result of TreePermission.isGranted(long, PropertyState) and TreePermission.isGranted(long).
- Specified by: supportedPermissions in interface AggregatedPermissionProvider
- Parameters:
  treePermission - The target tree permission.
  property - The target property or null.
  permissions - The permissions to be tested
- Returns: The subset of the given permissions that are supported and evaluated by the implementation for the given tree permissions.

isGranted
public boolean isGranted(@NotNull TreeLocation location, long permissions)
Description copied from interface: AggregatedPermissionProvider
Test if the specified permissions are granted for the set of Principals associated with this provider instance for the item identified by the given location and optionally property. This method will only return true if all permissions are granted.
- Specified by: isGranted in interface AggregatedPermissionProvider
- Parameters:
  location - The TreeLocation to test the permissions for.
  permissions - The permissions to be tested.
- Returns: true if the specified permissions are granted for the existing or non-existing item identified by the given location.

getTreePermission
@NotNull public TreePermission getTreePermission(@NotNull Tree tree, @NotNull TreeType type, @NotNull TreePermission parentPermission)
Description copied from interface: AggregatedPermissionProvider
Return the TreePermission for the set of Principals associated with this provider at the specified tree with the given type.
- Specified by: getTreePermission in interface AggregatedPermissionProvider
- Parameters:
  tree - The tree for which the TreePermission object should be built.
  type - The type of this tree.
  parentPermission - The TreePermission object that has been obtained before for the parent tree.
- Returns: The TreePermission object for the specified tree.

getPermissionStore
@NotNull protected org.apache.jackrabbit.oak.security.authorization.permission.PermissionStore getPermissionStore(@NotNull Root root, @NotNull String workspaceName, @NotNull RestrictionProvider restrictionProvider)