Class PentahoEntryCollector

  • All Implemented Interfaces:
    javax.jcr.observation.EventListener, org.apache.jackrabbit.core.observation.SynchronousEventListener, org.apache.jackrabbit.core.security.authorization.AccessControlConstants
    Direct Known Subclasses:
    CachingPentahoEntryCollector

    public class PentahoEntryCollector
    extends org.apache.jackrabbit.core.security.authorization.acl.EntryCollector
    Copy-and-paste of org.apache.jackrabbit.core.security.authorization.acl.EntryCollector in Jackrabbit 2.4.0. This class lives in the org.apache.jackrabbit.core.security.authorization.acl package because of the scope (visibility) of the classes it collaborates with.

    Changes to original:

    • Entries always have null nextId.
    • collectEntries() copied from EntryCollector uses entries.getNextId() instead of node.getParentId().
    • filterEntries() copied from EntryCollector as it was static and private.
    • No caching is done in the presence of dynamic ACEs. This may need to be revisited, but because the Sessions we use are short-lived, it may be acceptable.
    • Understands AclMetadataPrincipal.
    • Adds MagicPrincipals on the fly.
    • If the access decision is on a node in versionStorage, the associated file node is found and its ACL is used.
    Author:
    mlowery
    • Field Summary

      • Fields inherited from class org.apache.jackrabbit.core.security.authorization.acl.EntryCollector

        rootID, systemSession
      • Fields inherited from class org.apache.jackrabbit.core.security.authorization.AccessControlObserver

        MOVE, POLICY_ADDED, POLICY_MODIFIED, POLICY_REMOVED
      • Fields inherited from interface org.apache.jackrabbit.core.security.authorization.AccessControlConstants

        N_ACCESSCONTROL, N_POLICY, N_REPO_POLICY, NT_REP_ACCESS_CONTROL, NT_REP_ACCESS_CONTROLLABLE, NT_REP_ACE, NT_REP_ACL, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_PRINCIPAL_ACCESS_CONTROL, NT_REP_REPO_ACCESS_CONTROLLABLE, P_GLOB, P_PRINCIPAL_NAME, P_PRIVILEGES
    • Constructor Summary

      Constructors 
      Constructor Description
      PentahoEntryCollector​(org.apache.jackrabbit.core.SessionImpl systemSession, org.apache.jackrabbit.core.id.NodeId rootID, Map configuration)  
    • Method Summary

      Modifier and Type Method Description
      protected void addOwnerAce​(String owner, org.apache.jackrabbit.core.security.authorization.acl.ACLTemplate acl)
      Creates an ACE that gives full access to the owner.
      protected List collectEntries​(org.apache.jackrabbit.core.NodeImpl node, org.apache.jackrabbit.core.security.authorization.acl.EntryFilter filter)
      Overridden since collectEntries() from EntryCollector called node.getParentId() instead of entries.getNextId().
      protected void filterEntries​(org.apache.jackrabbit.core.security.authorization.acl.EntryFilter filter, List aces, LinkedList userAces, LinkedList groupAces)
      Copied from EntryCollector since that method was private.
      protected org.apache.jackrabbit.core.NodeImpl findAccessControlledNode​(org.apache.jackrabbit.core.NodeImpl node)
      Find the ancestor (maybe the node itself) that is access-controlled.
      protected org.apache.jackrabbit.core.NodeImpl findNonInheritingNode​(org.apache.jackrabbit.core.NodeImpl node)
      Find the ancestor (maybe the node itself) that is not inheriting ACEs.
      protected List<PentahoEntry> getAcesIncludingMagicAces​(String path, String owner, org.apache.jackrabbit.core.security.authorization.acl.ACLTemplate ancestorAcl, org.apache.jackrabbit.core.security.authorization.acl.ACLTemplate acl)
      Extracts ACEs including magic ACEs.
      protected org.pentaho.platform.api.engine.IAuthorizationPolicy getAuthorizationPolicy()
      IAuthorizationPolicy is used in magic ACE definitions.
      protected org.apache.jackrabbit.core.security.authorization.acl.PentahoEntryCollector.PentahoEntries getEntries​(org.apache.jackrabbit.core.NodeImpl node)
      Returns an Entries for the given node.
      protected List<PentahoEntry> getRelevantAncestorAces​(org.apache.jackrabbit.core.security.authorization.acl.ACLTemplate ancestorAcl)
      Selects (and modifies) ACEs containing JCR_ADD_CHILD_NODES or JCR_REMOVE_CHILD_NODES privileges from the given ACL.
      protected IRoleAuthorizationPolicyRoleBindingDao getRoleBindingDao()  
      protected List<String> getRuntimeRoleNames()  
      protected org.apache.jackrabbit.core.NodeImpl getVersionable​(org.apache.jackrabbit.core.NodeImpl node)
      Incoming node is in versionStorage.
      protected boolean isAllowed​(IRoleAuthorizationPolicyRoleBindingDao roleBindingDao, String logicalRoleName)  
      protected void notifyListeners​(org.apache.jackrabbit.core.security.authorization.AccessControlModifications modifications)  
      • Methods inherited from class org.apache.jackrabbit.core.security.authorization.acl.EntryCollector

        close, getEntries, onEvent
      • Methods inherited from class org.apache.jackrabbit.core.security.authorization.AccessControlObserver

        addListener, removeListener
    • Constructor Detail

      • PentahoEntryCollector

        public PentahoEntryCollector​(org.apache.jackrabbit.core.SessionImpl systemSession,
                                     org.apache.jackrabbit.core.id.NodeId rootID,
                                     Map configuration)
                              throws javax.jcr.RepositoryException
        Throws:
        javax.jcr.RepositoryException
    • Method Detail

      • findAccessControlledNode

        protected org.apache.jackrabbit.core.NodeImpl findAccessControlledNode​(org.apache.jackrabbit.core.NodeImpl node)
                                                                        throws javax.jcr.RepositoryException
        Find the ancestor (maybe the node itself) that is access-controlled.
        Throws:
        javax.jcr.RepositoryException
      • findNonInheritingNode

        protected org.apache.jackrabbit.core.NodeImpl findNonInheritingNode​(org.apache.jackrabbit.core.NodeImpl node)
                                                                     throws javax.jcr.RepositoryException
        Find the ancestor (maybe the node itself) that is not inheriting ACEs.
        Throws:
        javax.jcr.RepositoryException
      • getEntries

        protected org.apache.jackrabbit.core.security.authorization.acl.PentahoEntryCollector.PentahoEntries getEntries​(org.apache.jackrabbit.core.NodeImpl node)
                                                                                                                 throws javax.jcr.RepositoryException
        Returns an Entries for the given node. This is where most of the customization lives.
        Overrides:
        getEntries in class org.apache.jackrabbit.core.security.authorization.acl.EntryCollector
        Throws:
        javax.jcr.RepositoryException
      • getVersionable

        protected org.apache.jackrabbit.core.NodeImpl getVersionable​(org.apache.jackrabbit.core.NodeImpl node)
                                                              throws javax.jcr.RepositoryException
        Incoming node is in versionStorage. Find its associated versionable--the node associated with this version history node.
        Throws:
        javax.jcr.RepositoryException
      • getAuthorizationPolicy

        protected org.pentaho.platform.api.engine.IAuthorizationPolicy getAuthorizationPolicy()
        IAuthorizationPolicy is used in magic ACE definitions.
      • getAcesIncludingMagicAces

        protected List<PentahoEntry> getAcesIncludingMagicAces​(String path,
                                                               String owner,
                                                               org.apache.jackrabbit.core.security.authorization.acl.ACLTemplate ancestorAcl,
                                                               org.apache.jackrabbit.core.security.authorization.acl.ACLTemplate acl)
                                                        throws javax.jcr.RepositoryException
        Extracts ACEs including magic ACEs. Magic ACEs are added (1) for the owner, (2) as a result of magic ACE definitions, and (3) as a result of ancestor ACL contributions.

        Modifications to these ACLs are not persisted.

        Throws:
        javax.jcr.RepositoryException
      • getRelevantAncestorAces

        protected List<PentahoEntry> getRelevantAncestorAces​(org.apache.jackrabbit.core.security.authorization.acl.ACLTemplate ancestorAcl)
                                                      throws javax.jcr.RepositoryException
        Selects (and modifies) ACEs containing JCR_ADD_CHILD_NODES or JCR_REMOVE_CHILD_NODES privileges from the given ACL.

        Modifications to this ACL are not persisted. ACEs must be created in the given ACL because the path embedded in the given ACL plays into authorization decisions using parentPrivs.

        Throws:
        javax.jcr.RepositoryException
      • addOwnerAce

        protected void addOwnerAce​(String owner,
                                   org.apache.jackrabbit.core.security.authorization.acl.ACLTemplate acl)
                            throws javax.jcr.RepositoryException
        Creates an ACE that gives full access to the owner.

        Modifications to this ACL are not persisted.

        Throws:
        javax.jcr.RepositoryException
      • collectEntries

        protected List collectEntries​(org.apache.jackrabbit.core.NodeImpl node,
                                      org.apache.jackrabbit.core.security.authorization.acl.EntryFilter filter)
                               throws javax.jcr.RepositoryException
        Overridden since collectEntries() from EntryCollector called node.getParentId() instead of entries.getNextId().
        Overrides:
        collectEntries in class org.apache.jackrabbit.core.security.authorization.acl.EntryCollector
        Throws:
        javax.jcr.RepositoryException
      • filterEntries

        protected void filterEntries​(org.apache.jackrabbit.core.security.authorization.acl.EntryFilter filter,
                                     List aces,
                                     LinkedList userAces,
                                     LinkedList groupAces)
        Copied from EntryCollector since that method was private.
      • getRuntimeRoleNames

        protected List<String> getRuntimeRoleNames()
      • notifyListeners

        protected void notifyListeners​(org.apache.jackrabbit.core.security.authorization.AccessControlModifications modifications)
        Overrides:
        notifyListeners in class org.apache.jackrabbit.core.security.authorization.AccessControlObserver
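
The in-memory merge that getAcesIncludingMagicAces, addOwnerAce and getRelevantAncestorAces describe, as an added example that is not Pentaho's code. Assumptions: plain records stand in for ACLTemplate and PentahoEntry, only the owner and ancestor contributions are modelled (not magic ACE definitions), and both the entry order and the narrowing of ancestor ACEs to the two child-node privileges are illustrative.

```java
import java.util.*;

// Simplified model (assumption): Priv and Ace are hypothetical stand-ins for
// JCR privileges and PentahoEntry; nothing here calls Jackrabbit or Pentaho.
public class MagicAceModel {
    enum Priv { READ, WRITE, ADD_CHILD_NODES, REMOVE_CHILD_NODES, ALL }
    record Ace(String principal, Set<Priv> privs, boolean magic) {}

    // Ancestor contribution: keep only ACEs that carry a child-node privilege and
    // (assumption) narrow each one to just those privileges, so READ/WRITE on the
    // ancestor never leak onto the child.
    static List<Ace> relevantAncestorAces(List<Ace> ancestorAcl) {
        List<Ace> out = new ArrayList<>();
        for (Ace ace : ancestorAcl) {
            EnumSet<Priv> kept = EnumSet.noneOf(Priv.class);
            for (Priv p : ace.privs()) {
                if (p == Priv.ADD_CHILD_NODES || p == Priv.REMOVE_CHILD_NODES) kept.add(p);
            }
            if (!kept.isEmpty()) out.add(new Ace(ace.principal(), kept, true));
        }
        return out;
    }

    // Effective entries = owner ACE + ancestor contributions + the node's stored ACEs.
    // New lists and new Ace objects are built, so the stored ACLs are never
    // modified ("not persisted").
    static List<Ace> acesIncludingMagicAces(String owner, List<Ace> ancestorAcl, List<Ace> acl) {
        List<Ace> effective = new ArrayList<>();
        if (owner != null) effective.add(new Ace(owner, EnumSet.of(Priv.ALL), true));
        effective.addAll(relevantAncestorAces(ancestorAcl));
        effective.addAll(acl);
        return effective;
    }

    public static void main(String[] args) {
        // Constructed sample data: ACL stored on the ancestor and on the file node.
        List<Ace> ancestor = List.of(
            new Ace("suzy", EnumSet.of(Priv.READ, Priv.WRITE, Priv.ADD_CHILD_NODES), false),
            new Ace("pat", EnumSet.of(Priv.READ), false));
        List<Ace> stored = List.of(new Ace("pat", EnumSet.of(Priv.READ), false));

        List<Ace> effective = acesIncludingMagicAces("admin", ancestor, stored);
        effective.forEach(System.out::println);
        System.out.println("stored ACL size unchanged: " + stored.size());
    }
}
```

When reviewing access decisions, the point to check is that entries marked magic exist only in the computed list: reading the persisted ACL of a node will not show the owner or ancestor-derived grants.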