diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java index 8dc7b5ad2b..481c79d8bc 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java @@ -197,18 +197,19 @@ public class AuthorizationConfigurationImpl extends ConfigurationBase implements @Nonnull Set principals) { Context ctx = getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getContext(); + Mount defaultMount = mountInfoProvider.getDefaultMount(); if (mountInfoProvider.hasNonDefaultMounts()) { List agg = new ArrayList<>(); - agg.add(new PermissionProviderImpl(root, workspaceName, principals, getRestrictionProvider(), + agg.add(new PermissionProviderImpl(root, workspaceName, defaultMount, principals, getRestrictionProvider(), getParameters(), ctx)); for (Mount m : mountInfoProvider.getNonDefaultMounts()) { - String ws = MultiplexingPermissionProvider.getWorkspaceName(m, workspaceName); - agg.add(new PermissionProviderImpl(root, ws, principals, getRestrictionProvider(), getParameters(), + agg.add(new PermissionProviderImpl(root, workspaceName, m, principals, getRestrictionProvider(), getParameters(), ctx)); } return new MultiplexingPermissionProvider(root, agg, ctx); + } else { + return new PermissionProviderImpl(root, workspaceName, defaultMount, principals, getRestrictionProvider(), getParameters(), + ctx); } - return new PermissionProviderImpl(root, workspaceName, principals, getRestrictionProvider(), getParameters(), - ctx); } } 
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationInitializer.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationInitializer.java index e04a806783..d4ff9003d3 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationInitializer.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationInitializer.java @@ -72,9 +72,9 @@ class AuthorizationInitializer implements WorkspaceInitializer, AccessControlCon permissionStore.child(workspaceName).setProperty(JcrConstants.JCR_PRIMARYTYPE, NT_REP_PERMISSION_STORE, Type.NAME); } for (Mount m : mountInfoProvider.getNonDefaultMounts()) { - String ws = MultiplexingPermissionProvider.getWorkspaceName(m, workspaceName); - if (!permissionStore.hasChildNode(ws)) { - permissionStore.child(ws).setProperty(JcrConstants.JCR_PRIMARYTYPE, NT_REP_PERMISSION_STORE, Type.NAME); + String permissionRootName = MultiplexingPermissionProvider.getPermissionRootName(m, workspaceName); + if (!permissionStore.hasChildNode(permissionRootName)) { + permissionStore.child(permissionRootName).setProperty(JcrConstants.JCR_PRIMARYTYPE, NT_REP_PERMISSION_STORE, Type.NAME); } } } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/MultiplexingPermissionProvider.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/MultiplexingPermissionProvider.java index 646ec875c1..0a3ebd6d3a 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/MultiplexingPermissionProvider.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/MultiplexingPermissionProvider.java 
@@ -24,14 +24,20 @@ import org.apache.jackrabbit.oak.spi.mount.Mount; import org.apache.jackrabbit.oak.spi.security.Context; import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; +import javax.annotation.Nonnull; + public class MultiplexingPermissionProvider extends CompositePermissionProvider { public MultiplexingPermissionProvider(Root root, List pps, Context acContext) { super(root, pps, acContext, CompositionType.OR); } - public static String getWorkspaceName(Mount m, String workspace) { - return m.getPathFragmentName() + "-" + workspace; + public static @Nonnull String getPermissionRootName(@Nonnull Mount mount, @Nonnull String workspace) { + if (mount.isDefault()) { + return workspace; + } else { + return mount.getPathFragmentName() + "-" + workspace; + } } } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java index d63f706f45..e63feb62e5 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java @@ -42,6 +42,7 @@ import org.apache.jackrabbit.oak.plugins.tree.TreeTypeProvider; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree; import org.apache.jackrabbit.oak.plugins.version.ReadOnlyVersionManager; +import org.apache.jackrabbit.oak.spi.mount.Mount; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.Context; import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants; 
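Review bot: `getPermissionRootName` in MultiplexingPermissionProvider now decides the name of every permission root below the permission store, yet it has no Javadoc, and the non-default form `mount.getPathFragmentName() + "-" + workspace` shares one child namespace with plain workspace names. A workspace whose name equals another mount's `<fragment>-<workspace>` string would resolve to the same store node, so two authorization scopes would be read as one. Whether workspace names can take that shape is not visible in this diff, so the Javadoc should state the assumption. Suggested summary: `Returns the name of the permission root below the permission store: the workspace name for the default mount, otherwise the mount's path fragment name, "-" and the workspace name.` The MultiplexingProviderTest changes only exercise non-default mounts; `assertEquals(wsName, MultiplexingPermissionProvider.getPermissionRootName(mountInfoProvider.getDefaultMount(), wsName));` would cover the new default branch.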
@@ -85,6 +86,7 @@ final class CompiledPermissionImpl implements CompiledPermissions, PermissionCon private CompiledPermissionImpl(@Nonnull Set principals, @Nonnull Root root, @Nonnull String workspaceName, + @Nonnull Mount mount, @Nonnull RestrictionProvider restrictionProvider, @Nonnull ConfigurationParameters options, @Nonnull Context ctx) { @@ -97,7 +99,7 @@ final class CompiledPermissionImpl implements CompiledPermissions, PermissionCon readPolicy = (readPaths.isEmpty()) ? EmptyReadPolicy.INSTANCE : new DefaultReadPolicy(readPaths); // setup - store = new PermissionStoreImpl(root, workspaceName, restrictionProvider); + store = new PermissionStoreImpl(root, workspaceName, mount, restrictionProvider); Set userNames = new HashSet(principals.size()); Set groupNames = new HashSet(principals.size()); for (Principal principal : principals) { @@ -116,15 +118,16 @@ final class CompiledPermissionImpl implements CompiledPermissions, PermissionCon } static CompiledPermissions create(@Nonnull Root root, @Nonnull String workspaceName, + @Nonnull Mount mount, @Nonnull Set principals, @Nonnull RestrictionProvider restrictionProvider, @Nonnull ConfigurationParameters options, @Nonnull Context ctx) { - Tree permissionsTree = PermissionUtil.getPermissionsRoot(root, workspaceName); + Tree permissionsTree = PermissionUtil.getPermissionsRoot(root, workspaceName, mount); if (!permissionsTree.exists() || principals.isEmpty()) { return NoPermissions.getInstance(); } else { - return new CompiledPermissionImpl(principals, root, workspaceName, restrictionProvider, options, ctx); + return new CompiledPermissionImpl(principals, root, workspaceName, mount, restrictionProvider, options, ctx); } } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java index aa7eee2e30..185a8299a7 100644 
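Review bot: In `CompiledPermissionImpl.create` a missing permission root for the given mount falls through to `NoPermissions.getInstance()` with nothing recording why, on the same path as an empty principal set. That is the safe direction, but as far as this diff shows, AuthorizationInitializer only creates roots for the mounts it sees at initialization. A mount without a root would then contribute no permissions, silently, which is hard to diagnose. I would add a comment on the check, for example `// no permission root for this mount/workspace: fail closed rather than read another mount's store`. A debug-level message naming the mount would also help if this class has a logger available, which the hunk does not show.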
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java @@ -69,7 +69,7 @@ public class PermissionHook implements PostValidationHook, AccessControlConstant private final String workspaceName; private final MountInfoProvider mountInfoProvider; - private NodeBuilder permissionRoot; + private NodeBuilder permissionStore; private PrivilegeBitsProvider bitsProvider; private TypePredicate isACL; @@ -93,7 +93,7 @@ public class PermissionHook implements PostValidationHook, AccessControlConstant throws CommitFailedException { NodeBuilder rootAfter = after.builder(); - permissionRoot = getPermissionRoot(rootAfter); + permissionStore = getPermissionStore(rootAfter); bitsProvider = new PrivilegeBitsProvider(RootFactory.createReadOnlyRoot(after)); isACL = new TypePredicate(after, NT_REP_ACL); @@ -126,7 +126,7 @@ public class PermissionHook implements PostValidationHook, AccessControlConstant } @Nonnull - private static NodeBuilder getPermissionRoot(NodeBuilder rootBuilder) { + private static NodeBuilder getPermissionStore(NodeBuilder rootBuilder) { // permission root has been created during workspace initialization return rootBuilder.getChildNode(JCR_SYSTEM).getChildNode(REP_PERMISSION_STORE); } @@ -134,11 +134,7 @@ public class PermissionHook implements PostValidationHook, AccessControlConstant @Nonnull private NodeBuilder getPermissionRoot(String path) { Mount m = mountInfoProvider.getMountByPath(path); - String ws = workspaceName; - if (!m.isDefault()) { - ws = MultiplexingPermissionProvider.getWorkspaceName(m, ws); - } - return permissionRoot.getChildNode(ws); + return permissionStore.getChildNode(MultiplexingPermissionProvider.getPermissionRootName(m, workspaceName)); } private final class Diff extends DefaultNodeStateDiff { 
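Review bot: The comment kept inside the renamed `getPermissionStore(NodeBuilder)` still reads `// permission root has been created during workspace initialization`, which now names the wrong node. The method returns the store, and the per-mount roots are resolved in `getPermissionRoot(String path)`. Suggested wording: `// the permission store and its per-mount roots are created during workspace initialization`. `getPermissionRoot(String path)` fetches the root with `getChildNode`, so the hook relies on the initializer having created a root for the mount that owns `path`. A one-line comment stating that precondition would help, because `getChildNode`, if I read `NodeBuilder` correctly, does not create a missing child.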
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java index f0ed7eb54c..e5fea448f2 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java @@ -28,6 +28,7 @@ import org.apache.jackrabbit.oak.plugins.tree.RootFactory; import org.apache.jackrabbit.oak.plugins.tree.TreeLocation; import org.apache.jackrabbit.oak.plugins.tree.TreeType; import org.apache.jackrabbit.oak.plugins.version.VersionConstants; +import org.apache.jackrabbit.oak.spi.mount.Mount; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.Context; import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants; @@ -48,6 +49,8 @@ public class PermissionProviderImpl implements PermissionProvider, AccessControl private final String workspaceName; + private final Mount mount; + private final Set principals; private final RestrictionProvider restrictionProvider; @@ -61,12 +64,14 @@ public class PermissionProviderImpl implements PermissionProvider, AccessControl private Root immutableRoot; public PermissionProviderImpl(@Nonnull Root root, @Nonnull String workspaceName, + @Nonnull Mount mount, @Nonnull Set principals, @Nonnull RestrictionProvider restrictionProvider, @Nonnull ConfigurationParameters options, @Nonnull Context ctx) { this.root = root; this.workspaceName = workspaceName; + this.mount = mount; this.principals = principals; this.restrictionProvider = restrictionProvider; this.options = options; 
@@ -159,7 +164,7 @@ public class PermissionProviderImpl implements PermissionProvider, AccessControl if (PermissionUtil.isAdminOrSystem(principals, options)) { cp = AllPermissions.getInstance(); } else { - cp = CompiledPermissionImpl.create(immutableRoot, workspaceName, principals, restrictionProvider, options, ctx); + cp = CompiledPermissionImpl.create(immutableRoot, workspaceName, mount, principals, restrictionProvider, options, ctx); } compiledPermissions = cp; } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java index 26010b65b0..8e37522c1b 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java @@ -29,6 +29,7 @@ import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.api.Type; +import org.apache.jackrabbit.oak.spi.mount.Mount; import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants; import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; @@ -50,6 +51,8 @@ class PermissionStoreImpl implements PermissionStore, PermissionConstants { private final String workspaceName; + private final Mount mount; + private final RestrictionProvider restrictionProvider; private final Map principalTreeMap = new HashMap(); 
@@ -57,8 +60,9 @@ class PermissionStoreImpl implements PermissionStore, PermissionConstants { private Tree permissionsTree; private PrivilegeBits allBits; - PermissionStoreImpl(Root root, String workspaceName, RestrictionProvider restrictionProvider) { + PermissionStoreImpl(Root root, String workspaceName, Mount mount, RestrictionProvider restrictionProvider) { this.workspaceName = workspaceName; + this.mount = mount; this.restrictionProvider = restrictionProvider; reset(root); } @@ -69,7 +73,7 @@ class PermissionStoreImpl implements PermissionStore, PermissionConstants { } private void reset(@Nonnull Root root) { - permissionsTree = PermissionUtil.getPermissionsRoot(root, workspaceName); + permissionsTree = PermissionUtil.getPermissionsRoot(root, workspaceName, mount); allBits = new PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL); } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java index c0b9f03341..97b50b0ffe 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java @@ -29,6 +29,8 @@ import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.api.Type; import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree; +import org.apache.jackrabbit.oak.security.authorization.composite.MultiplexingPermissionProvider; +import org.apache.jackrabbit.oak.spi.mount.Mount; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants; import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal; 
@@ -74,8 +76,8 @@ public final class PermissionUtil implements PermissionConstants { } @Nonnull - public static Tree getPermissionsRoot(@Nonnull Root root, @Nonnull String workspaceName) { - return root.getTree(PERMISSIONS_STORE_PATH + '/' + workspaceName); + public static Tree getPermissionsRoot(@Nonnull Root root, @Nonnull String workspaceName, @Nonnull Mount mount) { + return root.getTree(PERMISSIONS_STORE_PATH + '/' + MultiplexingPermissionProvider.getPermissionRootName(mount, workspaceName)); } @Nonnull diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/MultiplexingProviderTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/MultiplexingProviderTest.java index b4962fe4eb..19d7ca84c4 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/MultiplexingProviderTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/MultiplexingProviderTest.java @@ -91,7 +91,7 @@ public class MultiplexingProviderTest extends AbstractSecurityTest String wsName = adminSession.getWorkspaceName(); assertTrue(permStore.hasChild(wsName)); for (Mount m : mountInfoProvider.getNonDefaultMounts()) { - assertTrue(permStore.hasChild(MultiplexingPermissionProvider.getWorkspaceName(m, wsName))); + assertTrue(permStore.hasChild(MultiplexingPermissionProvider.getPermissionRootName(m, wsName))); } Tree rootNode = root.getTree("/"); @@ -107,7 +107,7 @@ public class MultiplexingProviderTest extends AbstractSecurityTest // no entries in the default store assertFalse(permStore.getChild(wsName).hasChild(p.getName())); for (Mount m : mountInfoProvider.getNonDefaultMounts()) { - Tree mps = permStore.getChild(MultiplexingPermissionProvider.getWorkspaceName(m, wsName)); + Tree mps = permStore.getChild(MultiplexingPermissionProvider.getPermissionRootName(m, wsName)); assertTrue(mps.hasChild(p.getName())); }
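Review bot: `PermissionUtil.getPermissionsRoot` now reaches into `composite.MultiplexingPermissionProvider` for the naming rule, so the low-level permission utility depends on a provider class in another package just for one static helper. AuthorizationInitializer and PermissionHook call the same helper, so it may sit better in PermissionUtil beside the `PERMISSIONS_STORE_PATH` lookup (or another neutral class), with MultiplexingPermissionProvider delegating to it. The method is public and its two-argument form is removed, so any caller outside this diff will stop compiling; confirm there are none before merging. The new parameter also deserves a Javadoc line, e.g. `@param mount the mount whose permission root is looked up; the default mount maps to the plain workspace name`.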