inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-24 17:32:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Early checkpoint of lightweight ACLs.

Browse Source 
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@6763 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Britt Park
2007-09-12 14:18:52 +00:00
parent 91558c7ff6
commit 57a468dfe2
9 changed files with 1005 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

482
source/java/org/alfresco/repo/simple/permission/ACLImpl.java Normal file
View File

@@ -0,0 +1,482 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing
*/
package org.alfresco.repo.simple.permission;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.alfresco.repo.avm.util.RawServices;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.simple.permission.ACL;
import org.alfresco.service.simple.permission.CapabilityRegistry;
/**
* Basic implementation of an ACL
* @author britt
*/
public class ACLImpl implements ACL
{
private static final long serialVersionUID = 5184311729355811095L;
/**
* The allowed entries for users.
*/
private Map<String, Set<String>> fUserAllows;
/**
* The allowed entries for groups.
*/
private Map<String, Set<String>> fGroupAllows;
/**
* The denied entries for users.
*/
private Map<String, Set<String>> fUserDenies;
/**
* The denied entries for groups.
*/
private Map<String, Set<String>> fGroupDenies;
/**
* Bit indicating whether a child (however that is defined)
* should inherit these permissions.
*/
private boolean fInherit;
private transient AuthorityService fAuthorityService;
private transient CapabilityRegistry fCapabilityRegistry;
private transient String fStringRep;
public ACLImpl(boolean inherit)
{
fAuthorityService = RawServices.Instance().getAuthorityService();
fCapabilityRegistry = RawServices.Instance().getCapabilityRegistry();
fUserAllows = new HashMap<String, Set<String>>();
fGroupAllows = new HashMap<String, Set<String>>();
fUserDenies = new HashMap<String, Set<String>>();
fGroupDenies = new HashMap<String, Set<String>>();
fInherit = inherit;
fStringRep = null;
}
public ACLImpl(String stringRep)
{
this(true);
fStringRep = stringRep;
}
/* (non-Javadoc)
* @see org.alfresco.service.simple.permission.ACL#allow(java.lang.String, java.lang.String[])
*/
public void allow(String agent, String... capabilities)
{
digest();
AuthorityType type = AuthorityType.getAuthorityType(agent);
if (type == AuthorityType.ADMIN)
{
return;
}
Set<String> capDenied = null;
Set<String> capAllowed = null;
switch (type)
{
case EVERYONE :
case GROUP :
{
capDenied = fGroupDenies.get(agent);
capAllowed = fGroupAllows.get(agent);
if (capAllowed == null)
{
capAllowed = new HashSet<String>();
fGroupAllows.put(agent, capAllowed);
}
break;
}
case ADMIN :
case USER :
case OWNER :
{
capDenied = fUserDenies.get(agent);
capAllowed = fUserAllows.get(agent);
if (capAllowed == null)
{
capAllowed = new HashSet<String>();
fUserAllows.put(agent, capAllowed);
}
break;
}
default :
{
// ignore.
return;
}
}
if (capDenied != null)
{
for (String cap : capabilities)
{
capDenied.remove(cap);
capAllowed.add(cap);
}
}
else
{
for (String cap : capabilities)
{
capAllowed.add(cap);
}
}
}
private void digestMap(String mapRep, Map<String, Set<String>> map)
{
String[] segments = mapRep.split(":");
if (segments.length == 0 || segments[0].equals(""))
{
return;
}
for (String segment : segments)
{
String[] entrySeg = segment.split(";");
if (entrySeg.length == 0 || entrySeg[0].equals(""))
{
continue;
}
Set<String> caps = new HashSet<String>();
map.put(entrySeg[0], caps);
for (int i = 1; i < entrySeg.length; ++i)
{
String cap = fCapabilityRegistry.getCapabilityName(Integer.parseInt(entrySeg[i], 16));
if (cap == null)
{
continue;
}
caps.add(cap);
}
}
}
private void digest()
{
if (fStringRep == null)
{
return;
}
String[] segments = fStringRep.split("\\|");
fInherit = segments[0].equals("i") ? true : false;
digestMap(segments[1], fUserAllows);
digestMap(segments[2], fUserDenies);
digestMap(segments[3], fGroupAllows);
digestMap(segments[4], fGroupDenies);
fStringRep = null;
}
/* (non-Javadoc)
* @see org.alfresco.service.simple.permission.ACL#can(java.lang.String, java.lang.String)
*/
public boolean can(String agent, String capability)
{
digest();
AuthorityType type = AuthorityType.getAuthorityType(agent);
// Admin trumps all.
if (type == AuthorityType.ADMIN)
{
return true;
}
// Next check for denied entries that apply.
Set<String> denied = fUserDenies.get(agent);
if (denied == null)
{
denied = new HashSet<String>();
}
Set<String> containing = fAuthorityService.getContainingAuthorities(null, agent, false);
Set<String> found = fGroupDenies.get(agent);
if (found != null)
{
denied.addAll(found);
}
for (String container : containing)
{
found = fGroupDenies.get(container);
if (found != null)
{
denied.addAll(found);
}
}
if (denied.contains(capability))
{
return false;
}
// Now go look for the alloweds.
Set<String> allowed = fUserAllows.get(agent);
if (allowed == null)
{
allowed = new HashSet<String>();
}
found = fGroupAllows.get(agent);
if (found != null)
{
allowed.addAll(found);
}
for (String container : containing)
{
found = fGroupAllows.get(container);
if (found != null)
{
allowed.addAll(found);
}
}
return allowed.contains(capability);
}
/* (non-Javadoc)
* @see org.alfresco.service.simple.permission.ACL#deny(java.lang.String, java.lang.String[])
*/
public void deny(String agent, String ... capabilities)
{
digest();
AuthorityType type = AuthorityType.getAuthorityType(agent);
if (type == AuthorityType.ADMIN)
{
return;
}
Set<String> allowed = fUserAllows.get(agent);
if (allowed != null)
{
for (String cap : capabilities)
{
allowed.remove(cap);
}
}
allowed = fGroupAllows.get(agent);
if (allowed != null)
{
for (String cap : capabilities)
{
allowed.remove(cap);
}
}
Set<String> denied = null;
switch (type)
{
case EVERYONE :
case GROUP :
{
denied = fGroupDenies.get(agent);
if (denied == null)
{
denied = new HashSet<String>();
fGroupDenies.put(agent, denied);
}
break;
}
case OWNER :
case USER :
case GUEST :
{
denied = fUserDenies.get(agent);
if (denied == null)
{
denied = new HashSet<String>();
fUserDenies.put(agent, denied);
}
break;
}
default :
{
// Cop Out!
return;
}
}
for (String cap : capabilities)
{
denied.add(cap);
}
}
/* (non-Javadoc)
* @see org.alfresco.service.simple.permission.ACL#getCapabilities(java.lang.String)
*/
public Set<String> getCapabilities(String agent)
{
digest();
AuthorityType type = AuthorityType.getAuthorityType(agent);
if (type == AuthorityType.ADMIN)
{
return fCapabilityRegistry.getAll();
}
// First add in all the possible capabilities from the allow sets.
Set<String> capabilities = new HashSet<String>();
Set<String> found = fUserAllows.get(agent);
if (found != null)
{
capabilities.addAll(found);
}
found = fGroupAllows.get(agent);
if (found != null)
{
capabilities.addAll(found);
}
Set<String> containers = fAuthorityService.getContainingAuthorities(null, agent, false);
for (String container : containers)
{
found = fGroupAllows.get(container);
if (found != null)
{
capabilities.addAll(found);
}
}
// Now remove everything that's denied.
found = fUserDenies.get(agent);
if (found != null)
{
capabilities.removeAll(found);
}
found = fGroupDenies.get(agent);
if (found != null)
{
capabilities.removeAll(found);
}
for (String container : containers)
{
found = fGroupDenies.get(container);
if (found != null)
{
capabilities.removeAll(found);
}
}
return capabilities;
}
/* (non-Javadoc)
* @see org.alfresco.service.simple.permission.ACL#getStringRepresentation()
*/
public String getStringRepresentation()
{
if (fStringRep != null)
{
return fStringRep;
}
StringBuilder builder = new StringBuilder();
builder.append(fInherit ? 'i' : 'n');
builder.append('|');
int count = 0;
for (Map.Entry<String, Set<String>> entry : fUserAllows.entrySet())
{
builder.append(entry.getKey());
if (entry.getValue().size() != 0)
{
for (String cap : entry.getValue())
{
builder.append(';');
builder.append(Integer.toString(fCapabilityRegistry.getCapabilityID(cap), 16));
}
}
if (count++ < fUserAllows.size() - 1)
{
builder.append(':');
}
}
builder.append('|');
count = 0;
for (Map.Entry<String, Set<String>> entry : fUserDenies.entrySet())
{
builder.append(entry.getKey());
if (entry.getValue().size() != 0)
{
for (String cap : entry.getValue())
{
builder.append(';');
builder.append(Integer.toString(fCapabilityRegistry.getCapabilityID(cap), 16));
}
}
if (count++ < fUserDenies.size() - 1)
{
builder.append(':');
}
}
builder.append('|');
count = 0;
for (Map.Entry<String, Set<String>> entry : fGroupAllows.entrySet())
{
builder.append(entry.getKey());
if (entry.getValue().size() != 0)
{
for (String cap : entry.getValue())
{
builder.append(';');
builder.append(Integer.toString(fCapabilityRegistry.getCapabilityID(cap), 16));
}
}
if (count++ < fGroupAllows.size() - 1)
{
builder.append(':');
}
}
builder.append('|');
count = 0;
for (Map.Entry<String, Set<String>> entry : fGroupDenies.entrySet())
{
builder.append(entry.getKey());
if (entry.getValue().size() != 0)
{
for (String cap : entry.getValue())
{
builder.append(';');
builder.append(Integer.toString(fCapabilityRegistry.getCapabilityID(cap), 16));
}
}
if (count++ < fGroupDenies.size() - 1)
{
builder.append(':');
}
}
return builder.toString();
}
/* (non-Javadoc)
* @see org.alfresco.service.simple.permission.ACL#inherits()
*/
public boolean inherits()
{
return fInherit;
}
/* (non-Javadoc)
* @see java.lang.Object#toString()
*/
@Override
public String toString()
{
return "[" + getStringRepresentation() + "]";
}
}

145
source/java/org/alfresco/repo/simple/permission/ACLTest.java Normal file
View File

@@ -0,0 +1,145 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing
*/
package org.alfresco.repo.simple.permission;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.simple.permission.ACL;
import org.alfresco.service.simple.permission.CapabilityRegistry;
import org.springframework.context.support.FileSystemXmlApplicationContext;
import junit.framework.TestCase;
/**
* Rudimentary test of ACLs.
* @author britt
*/
public class ACLTest extends TestCase
{
private static FileSystemXmlApplicationContext fContext = null;
private static PersonService fPersonService;
private static AuthorityService fAuthorityService;
private static AuthenticationService fAuthenticationService;
private static AuthenticationComponent fAuthenticationComponent;
private static CapabilityRegistry fCapabilityRegistry;
/* (non-Javadoc)
* @see junit.framework.TestCase#setUp()
*/
protected void setUp() throws Exception
{
if (fContext == null)
{
fContext = new FileSystemXmlApplicationContext("config/alfresco/application-context.xml");
fPersonService = (PersonService)fContext.getBean("PersonService");
fAuthorityService = (AuthorityService)fContext.getBean("AuthorityService");
fAuthenticationService = (AuthenticationService)fContext.getBean("AuthenticationService");
fAuthenticationComponent = (AuthenticationComponent)fContext.getBean("AuthenticationComponent");
fAuthenticationComponent.setSystemUserAsCurrentUser();
fCapabilityRegistry = (CapabilityRegistry)fContext.getBean("capabilityRegistry");
}
// Set up sample users groups and roles.
fAuthenticationService.createAuthentication("Buffy", "Buffy".toCharArray());
fPersonService.getPerson("Buffy");
fAuthorityService.createAuthority(AuthorityType.GROUP, null, "Scoobies");
fAuthorityService.addAuthority("GROUP_Scoobies", "Buffy");
fAuthenticationService.createAuthentication("Willow", "Willow".toCharArray());
fPersonService.getPerson("Willow");
fAuthorityService.addAuthority("GROUP_Scoobies", "Willow");
fAuthenticationService.createAuthentication("Xander", "Xander".toCharArray());
fPersonService.getPerson("Xander");
fAuthorityService.addAuthority("GROUP_Scoobies", "Xander");
fAuthenticationService.createAuthentication("Tara", "Tara".toCharArray());
fPersonService.getPerson("Tara");
fAuthenticationService.createAuthentication("Spike", "Spike".toCharArray());
fPersonService.getPerson("Spike");
fAuthorityService.createAuthority(AuthorityType.GROUP, null, "vampires");
fAuthorityService.addAuthority("GROUP_vampires", "Spike");
fAuthorityService.createAuthority(AuthorityType.GROUP, null, "soulless");
fAuthorityService.addAuthority("GROUP_soulless", "Spike");
}
/* (non-Javadoc)
* @see junit.framework.TestCase#tearDown()
*/
protected void tearDown() throws Exception
{
fAuthenticationService.deleteAuthentication("Buffy");
fAuthenticationService.deleteAuthentication("Willow");
fAuthenticationService.deleteAuthentication("Xander");
fAuthenticationService.deleteAuthentication("Tara");
fAuthenticationService.deleteAuthentication("Spike");
fPersonService.deletePerson("Buffy");
fPersonService.deletePerson("Willow");
fPersonService.deletePerson("Tara");
fPersonService.deletePerson("Xander");
fPersonService.deletePerson("Spike");
fAuthorityService.deleteAuthority("GROUP_Scoobies");
fAuthorityService.deleteAuthority("GROUP_vampires");
fAuthorityService.deleteAuthority("GROUP_soulless");
}
public void testBasic()
{
try
{
System.out.println(fCapabilityRegistry.getAll());
ACL acl = new ACLImpl(true);
acl.allow("GROUP_Scoobies", "read", "write", "delete", "shimmy");
acl.deny("Xander", "delete");
acl.allow("Tara", "shake");
acl.allow("GROUP_vampires", "read", "write", "delete", "shimmy", "shake");
acl.deny("Spike", "shake");
acl.deny("GROUP_soulless", "delete");
System.out.println(acl.getCapabilities("Spike"));
System.out.println(acl.getCapabilities("Tara"));
System.out.println(acl.getCapabilities("Xander"));
System.out.println(acl.getCapabilities("Buffy"));
String stringRep = acl.getStringRepresentation();
System.out.println(stringRep);
ACL acl2 = new ACLImpl(stringRep);
System.out.println(acl2.getStringRepresentation());
System.out.println(acl2.getCapabilities("Spike"));
System.out.println(acl2.getCapabilities("Tara"));
System.out.println(acl2.getCapabilities("Xander"));
System.out.println(acl2.getCapabilities("Buffy"));
System.out.println(acl2.getStringRepresentation());
}
catch (Exception e)
{
e.printStackTrace();
fail();
}
}
}

107
source/java/org/alfresco/repo/simple/permission/CapabilityRegistryImpl.java Normal file
View File

@@ -0,0 +1,107 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing
*/
package org.alfresco.repo.simple.permission;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.alfresco.service.simple.permission.CapabilityRegistry;
/**
* Basic implementation of a capability registry.
* @author britt
*/
public class CapabilityRegistryImpl implements CapabilityRegistry
{
private Map<Integer, String> fIDToCapability;
private Map<String, Integer> fCapabilityToID;
public CapabilityRegistryImpl()
{
fIDToCapability = new HashMap<Integer, String>();
fCapabilityToID = new HashMap<String, Integer>();
}
public void setCapabilities(Set<String> capabilities)
{
int count = 0;
for (String cap : capabilities)
{
Integer id = count++;
fIDToCapability.put(id, cap);
fCapabilityToID.put(cap, id);
}
}
/* (non-Javadoc)
* @see org.alfresco.service.simple.permission.CapabilityRegistry#addCapability(java.lang.String)
*/
public void addCapability(String capability)
{
// TODO Make this do something in the future.
}
/* (non-Javadoc)
* @see org.alfresco.service.simple.permission.CapabilityRegistry#getAll()
*/
public Set<String> getAll()
{
return fCapabilityToID.keySet();
}
/* (non-Javadoc)
* @see org.alfresco.service.simple.permission.CapabilityRegistry#getCapabilityID(java.lang.String)
*/
public int getCapabilityID(String capability)
{
Integer id = fCapabilityToID.get(capability);
if (id == null)
{
return -1;
}
return id;
}
/* (non-Javadoc)
* @see org.alfresco.service.simple.permission.CapabilityRegistry#getCapabilityName(int)
*/
public String getCapabilityName(int id)
{
return fIDToCapability.get(id);
}
/* (non-Javadoc)
* @see org.alfresco.service.simple.permission.CapabilityRegistry#removeCapability(java.lang.String)
*/
public void removeCapability(String capability)
{
// TODO Make this persistent.
Integer removed = fCapabilityToID.remove(capability);
fIDToCapability.remove(removed);
}
}