Classification enforcement refactor

* added permission veto registry
 * extend permission service to check vetos before permission evaluation
 * register classification veto
 * unit and integration tests run
 * UI tests run



git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/DEV/ROYTEST@109931 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

rm-server/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2014 Alfresco Software Limited.
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
  *
  * This file is part of Alfresco
  *
@@ -23,6 +23,7 @@ import static org.apache.commons.lang.StringUtils.isNotBlank;
 import java.io.Serializable;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 
 import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
@@ -34,6 +35,8 @@ import org.alfresco.module.org_alfresco_module_rm.security.ExtendedWriterDynamic
 import org.alfresco.repo.cache.SimpleCache;
 import org.alfresco.repo.security.permissions.AccessControlEntry;
 import org.alfresco.repo.security.permissions.AccessControlList;
+import org.alfresco.repo.security.permissions.veto.PermissionVeto;
+import org.alfresco.repo.security.permissions.veto.PermissionVetoRegistry;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.security.AccessStatus;
 import org.alfresco.service.cmr.security.AuthorityType;
@@ -49,7 +52,7 @@ import org.springframework.context.ApplicationEvent;
  *
  * @author Roy Wetherall
  */
-public class RMPermissionServiceImpl extends PermissionServiceImpl
+public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
                                      implements ExtendedPermissionService
 {
 	/** Writers simple cache */
@@ -57,6 +60,9 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl
 
     /** File plan service */
     private FilePlanService filePlanService;
+    
+    /** Permission veto registry */
+    private PermissionVetoRegistry permissionVetoRegistry;
 
     /**
      * Gets the file plan service
@@ -77,6 +83,11 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl
     {
         this.filePlanService = filePlanService;
     }
+    
+    public void setPermissionVetoRegistry(PermissionVetoRegistry permissionVetoRegistry) 
+    {
+		this.permissionVetoRegistry = permissionVetoRegistry;
+	}
 
     /**
      * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean)
@@ -85,7 +96,10 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl
     public void setAnyDenyDenies(boolean anyDenyDenies)
     {
         super.setAnyDenyDenies(anyDenyDenies);
-        writersCache.clear();
+        if (writersCache != null)
+        {
+        	writersCache.clear();
+        }
     }
 
     /**
@@ -116,6 +130,19 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl
     @Override
     public AccessStatus hasPermission(NodeRef nodeRef, String perm)
     {
+    	// check permission vetos
+    	List<PermissionVeto> permissionVetos = permissionVetoRegistry.getPermissionVetos();
+    	for (PermissionVeto permissionVeto : permissionVetos) 
+    	{
+    		if (permissionVeto.isVetoed(nodeRef, perm))
+    		{
+    			// TODO add logging so veto cause can be diagnosed
+    			
+    			// veto access to node    			
+    			return AccessStatus.DENIED;
+    		}
+		}
+    	
         AccessStatus acs = super.hasPermission(nodeRef, perm);
         if (AccessStatus.DENIED.equals(acs) &&
             PermissionService.READ.equals(perm) &&

rm-server/source/java/org/alfresco/repo/security/permissions/veto/PermissionVeto.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.repo.security.permissions.veto;
+
+import org.alfresco.service.cmr.repository.NodeRef;
+
+/**
+ * @author Roy Wetherall
+ * @since 3.0.a
+ */
+public interface PermissionVeto 
+{
+	/**
+	 * 
+	 * @param nodeRef
+	 * @param perm
+	 * @return
+	 */
+	boolean isVetoed(NodeRef nodeRef, String perm);
+}

rm-server/source/java/org/alfresco/repo/security/permissions/veto/PermissionVetoBaseImpl.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.repo.security.permissions.veto;
+
+/**
+ * @author Roy Wetherall
+ * @since 3.0.a
+ */
+public abstract class PermissionVetoBaseImpl implements PermissionVeto 
+{
+	/** permission veto refistry */
+	private PermissionVetoRegistry permissionVetoRegistry;
+	
+	/**
+	 * @param permissionVetoRegistry	permission veto registry
+	 */
+	public void setPermissionVetoRegistry(PermissionVetoRegistry permissionVetoRegistry) 
+	{
+		this.permissionVetoRegistry = permissionVetoRegistry;
+	}
+	
+	/**
+	 * Init method to add this permission veto to the registry
+	 */
+	public void init()
+	{
+		permissionVetoRegistry.addPermissionVeto(this);
+	}
+}

rm-server/source/java/org/alfresco/repo/security/permissions/veto/PermissionVetoRegistry.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.repo.security.permissions.veto;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * @author Roy Wetherall
+ * @since 3.0.a
+ */
+public class PermissionVetoRegistry 
+{
+	/** list of vetos to apply */
+	private List<PermissionVeto> permissionVetos = new ArrayList<PermissionVeto>();
+	
+	/**
+	 * @param permissionVeto permission veto
+	 */
+	public void addPermissionVeto(PermissionVeto permissionVeto)
+	{
+		permissionVetos.add(permissionVeto);
+	}
+	
+	/**
+	 * @return {@link List}<{@link PermissionVeto}>	list of permission vetos
+	 */
+	public List<PermissionVeto> getPermissionVetos()
+	{
+		return permissionVetos;
+	}	
+}