@Nonnull @Override public Set<String> getPrivileges(@Nullable Tree tree) { Tree immutableTree = PermissionUtil.getImmutableTree(tree, immutableRoot); PrivilegeBits result = PrivilegeBits.getInstance(); PrivilegeBits denied = PrivilegeBits.getInstance(); for (AggregatedPermissionProvider aggregatedPermissionProvider : pps) { PrivilegeBits supported = aggregatedPermissionProvider.supportedPrivileges(immutableTree, null).modifiable(); if (doEvaluate(supported)) { PrivilegeBits granted = privilegeBitsProvider.getBits(aggregatedPermissionProvider.getPrivileges(immutableTree)); // add the granted privileges to the result if (!granted.isEmpty()) { result.add(granted); } if (compositionType == AND) { // update the set of denied privs by comparing the granted privs // with the complete set of supported privileges denied.add(supported.diff(granted)); } } } // subtract all denied privileges from the result if (!denied.isEmpty()) { result.diff(denied); } return privilegeBitsProvider.getPrivilegeNames(result); }
/** * Returns the bits for the given privilege names * @param privilegeNames the names * @return the privilege bits */ @NotNull public PrivilegeBits getBits(@NotNull Iterable<String> privilegeNames) { if (Iterables.isEmpty(privilegeNames)) { return PrivilegeBits.EMPTY; } Tree privilegesTree = null; PrivilegeBits bits = PrivilegeBits.getInstance(); for (String privilegeName : privilegeNames) { PrivilegeBits builtIn = PrivilegeBits.BUILT_IN.get(privilegeName); if (builtIn != null) { bits.add(builtIn); } else { if (privilegesTree == null) { privilegesTree = getPrivilegesTree(); } if (privilegesTree.exists() && privilegesTree.hasChild(privilegeName)) { Tree defTree = privilegesTree.getChild(privilegeName); bits.add(PrivilegeBits.getInstance(defTree)); } else { log.debug("Ignoring privilege name " + privilegeName); } } } return bits.unmodifiable(); }
private void validateNext(PrivilegeBits bits) throws CommitFailedException { PrivilegeBits next = PrivilegeBits.getInstance(getPrivilegesTree(rootAfter).getProperty(REP_NEXT)); if (!next.equals(bits.nextBits())) { throw new CommitFailedException(CONSTRAINT, 43, "Next bits not updated"); } }
/** * Creates a mutable instance of privilege bits. * * @param base The base for this mutable instance. * @return a new instance of privilege bits. */ @NotNull public static PrivilegeBits getInstance(@NotNull PrivilegeBits... base) { PrivilegeBits bts = getInstance(); for (PrivilegeBits baseBits : base) { bts.add(baseBits); } return bts; }
/** * Adds the other privilege bits to this instance. * * @param other The other privilege bits to be added. * @return The updated instance. * @throws UnsupportedOperationException if this instance is immutable. */ @NotNull public PrivilegeBits add(@NotNull PrivilegeBits other) { if (d instanceof ModifiableData) { ((ModifiableData) d).add(other.d); return this; } else { throw unsupported(); } }
@Test public void testGetInstanceFromMvPropertyState() { PropertyState property = PropertyStates.createProperty("name", ImmutableSet.of(Long.MAX_VALUE, Long.MIN_VALUE / 2), Type.LONGS); PrivilegeBits pb = PrivilegeBits.getInstance(property); assertEquivalent(pb, PrivilegeBits.getInstance(property)); assertSame(pb, pb.unmodifiable()); assertEquivalent(pb, PrivilegeBits.getInstance(pb)); assertEquivalent(PrivilegeBits.getInstance(pb), pb); assertNotSame(pb, PrivilegeBits.getInstance(pb)); try { pb.add(READ_NODES_PRIVILEGE_BITS); fail("UnsupportedOperation expected"); } catch (UnsupportedOperationException e) { // success } try { pb.addDifference(READ_NODES_PRIVILEGE_BITS, READ_NODES_PRIVILEGE_BITS); fail("UnsupportedOperation expected"); } catch (UnsupportedOperationException e) { // success } try { pb.diff(READ_NODES_PRIVILEGE_BITS); fail("UnsupportedOperation expected"); } catch (UnsupportedOperationException e) { // success } }
PrivilegeBits existingBits = PrivilegeBits.getInstance(existing.getPrivilegeBits()); PrivilegeBits entryBits = entry.getPrivilegeBits(); if (entry.getRestrictions().equals(existing.getRestrictions())) { if (entry.isAllow() == existing.isAllow()) { if (existingBits.includes(entryBits)) { existingBits.add(entryBits); int index = entries.indexOf(existing); entries.remove(existing); PrivilegeBits updated = PrivilegeBits.getInstance(existingBits).diff(entryBits); if (updated.isEmpty()) { } else if (!updated.includes(existingBits)) {
@Test public void testIsEmpty() { // empty assertTrue(PrivilegeBits.EMPTY.isEmpty()); // any other bits should not be empty PrivilegeBits pb = READ_NODES_PRIVILEGE_BITS; PrivilegeBits mod = PrivilegeBits.getInstance(pb); for (int i = 0; i < 100; i++) { assertFalse(pb.isEmpty()); assertFalse(PrivilegeBits.getInstance(pb).isEmpty()); pb = pb.nextBits(); mod.add(pb); assertFalse(mod.isEmpty()); PrivilegeBits tmp = PrivilegeBits.getInstance(pb); tmp.diff(pb); assertTrue(tmp.toString(), tmp.isEmpty()); } }
@Test public void testGetBitsBuiltInIterable() { PrivilegeBits bits = bitsProvider.getBits(ImmutableList.of(JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES)); assertFalse(bits.isEmpty()); PrivilegeBits mod = PrivilegeBits.getInstance(bitsProvider.getBits(JCR_ADD_CHILD_NODES)).add(bitsProvider.getBits(JCR_REMOVE_CHILD_NODES)); assertEquals(bits, mod.unmodifiable()); }
PrivilegeBits allowBits = PrivilegeBits.getInstance(); if (isReadable) { allowBits.add(bitsProvider.getBits(PrivilegeConstants.JCR_READ)); PrivilegeBits denyBits = PrivilegeBits.getInstance(); PrivilegeBits parentAllowBits; PrivilegeBits parentDenyBits; parentAllowBits = PrivilegeBits.getInstance(); parentDenyBits = PrivilegeBits.getInstance(); parentPath = PermissionUtil.getParentPathOrNull(path); } else { if (matchesParent) { if (entry.isAllow) { parentAllowBits.addDifference(entry.privilegeBits, parentDenyBits); } else { parentDenyBits.addDifference(entry.privilegeBits, parentAllowBits); allowBits.addDifference(entry.privilegeBits, denyBits); long ap = PrivilegeBits.calculatePermissions(allowBits, parentAllowBits, true); allows |= Permissions.diff(ap, denies); if ((allows | ~permissions) == -1) { denyBits.addDifference(entry.privilegeBits, allowBits); long dp = PrivilegeBits.calculatePermissions(denyBits, parentDenyBits, false); denies |= Permissions.diff(dp, allows);
PrivilegeBits bits = PrivilegeBits.getInstance(after.getProperty(REP_BITS)); PrivilegeBits all = PrivilegeBits.getInstance(jcrAll.getProperty(REP_BITS)); jcrAll.setProperty(PrivilegeBits.getInstance(all).add(bits).asPropertyState(REP_BITS));
@Test public void testUnmodifiable() { assertSame(PrivilegeBits.EMPTY, PrivilegeBits.EMPTY.unmodifiable()); // other privilege bits PrivilegeBits pb = READ_NODES_PRIVILEGE_BITS; PrivilegeBits mod = PrivilegeBits.getInstance(pb); for (int i = 0; i < 100; i++) { PrivilegeBits nxt = pb.nextBits(); assertSame(nxt, nxt.unmodifiable()); assertEquals(nxt, nxt.unmodifiable()); mod.add(nxt); assertNotSame(mod, mod.unmodifiable()); pb = nxt; } }
@NotNull @Override public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) { if (tree == null) { return PrivilegeBits.EMPTY; } PrivilegeBits pb; if (privilegeBits == null) { pb = SUPPORTED_PRIVBITS; } else { pb = PrivilegeBits.getInstance(privilegeBits); pb.retain(SUPPORTED_PRIVBITS); } if (pb.isEmpty() || !Utils.isSupportedPath(supportedPath, tree.getPath())) { return PrivilegeBits.EMPTY; } else { return pb; } }
@Test public void testIncludes() { // empty assertTrue(PrivilegeBits.EMPTY.includes(PrivilegeBits.EMPTY)); // other privilege bits PrivilegeBits pb = READ_NODES_PRIVILEGE_BITS; PrivilegeBits mod = PrivilegeBits.getInstance(); for (int i = 0; i < 100; i++) { assertFalse(PrivilegeBits.EMPTY.includes(pb)); assertTrue(pb.includes(PrivilegeBits.EMPTY)); mod.add(pb); assertTrue(mod.includes(pb)); PrivilegeBits nxt = pb.nextBits(); assertTrue(nxt.includes(nxt)); assertTrue(nxt.includes(PrivilegeBits.getInstance(nxt))); assertFalse(pb + " should not include " + nxt, pb.includes(nxt)); assertFalse(nxt + " should not include " + pb, nxt.includes(pb)); assertFalse(mod.includes(nxt)); assertFalse(nxt.includes(mod)); pb = nxt; } }
private static boolean doEvaluate(PrivilegeBits supportedPrivileges) { return !supportedPrivileges.isEmpty(); }
@Test public void testNextBitsFromEmpty() { // empty assertSame(PrivilegeBits.EMPTY, PrivilegeBits.EMPTY.nextBits()); PrivilegeBits bits = PrivilegeBits.getInstance().unmodifiable(); assertSame(bits, bits.nextBits()); }
@Test public void testGetPrivilegesOnRepoAdmin() throws Exception { PrivilegeBits expected = pbp.getBits(JCR_ALL).modifiable().diff(pbp.getBits(JCR_NAMESPACE_MANAGEMENT)).unmodifiable(); assertEquals(expected, pbp.getBits(cppAdminUser.getPrivileges(null))); }
@Test public void testModifiable() { assertNotSame(PrivilegeBits.EMPTY, PrivilegeBits.EMPTY.modifiable()); // other privilege bits PrivilegeBits mod = PrivilegeBits.getInstance(READ_NODES_PRIVILEGE_BITS); assertSame(mod, mod.modifiable()); assertNotSame(mod, mod.unmodifiable()); assertNotEquals(mod, mod.unmodifiable()); }
@NotNull private PrivilegeBits getPrivilegeBits(@Nullable Tree tree) { EntryPredicate pred = (tree == null) ? new EntryPredicate() : new EntryPredicate(tree, null, false); Iterator<PermissionEntry> entries = getEntryIterator(pred); PrivilegeBits allowBits = PrivilegeBits.getInstance(); PrivilegeBits denyBits = PrivilegeBits.getInstance(); while (entries.hasNext()) { PermissionEntry entry = entries.next(); if (entry.isAllow) { allowBits.addDifference(entry.privilegeBits, denyBits); } else { denyBits.addDifference(entry.privilegeBits, allowBits); } } // special handling for paths that are always readable if (tree != null && readPolicy.isReadableTree(tree, false)) { allowBits.add(bitsProvider.getBits(PrivilegeConstants.JCR_READ)); } return allowBits; }
@NotNull private PermissionEntry createPermissionEntry(@NotNull String path, @NotNull Tree entryTree) { PropertyState ps = entryTree.getProperty(REP_PRIVILEGE_BITS); PrivilegeBits bits = (isJcrAll(ps)) ? allBits : PrivilegeBits.getInstance(ps); boolean isAllow = TreeUtil.getBoolean(entryTree, REP_IS_ALLOW); return new PermissionEntry(path, isAllow, Integer.parseInt(entryTree.getName()), bits, restrictionProvider.getPattern(path, entryTree)); }