Index: oak-security-spi/src/main/java/org/apache/jackrabbit/oak/plugins/tree/TreeProvider.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-security-spi/src/main/java/org/apache/jackrabbit/oak/plugins/tree/TreeProvider.java (revision 1830798) +++ oak-security-spi/src/main/java/org/apache/jackrabbit/oak/plugins/tree/TreeProvider.java (revision ) @@ -25,7 +25,12 @@ @ProviderType public interface TreeProvider { + @Nonnull Tree createReadOnlyTree(@Nonnull NodeState rootState); + @Nonnull Tree createReadOnlyTree(@Nonnull Tree readOnlyParent, @Nonnull String childName, @Nonnull NodeState childState); + + @Nonnull + NodeState asNodeState(@Nonnull Tree readOnlyTree); } \ No newline at end of file Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java (revision ) 
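Review bot: `asNodeState(@Nonnull Tree readOnlyTree)` is added to `TreeProvider` without Javadoc, so its behaviour for a tree that is not a read-only tree created by this provider is undefined. The call sites in this patch use it to replace `(ImmutableTree)` casts and, in `PermissionValidator`, an `instanceof` check that returned null, so callers now depend entirely on how the implementation handles that case. I would document it on the method, for example `/** Returns the NodeState backing the given read-only tree; throws IllegalArgumentException if the tree was not created by this provider. */`, adjusted to what the implementation really does, which this patch does not show. The same applies to the `readOnlyParent` argument of the three-argument `createReadOnlyTree`.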
@@ -22,15 +22,14 @@ import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; -import org.apache.jackrabbit.oak.plugins.tree.RootProvider; import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; +import org.apache.jackrabbit.oak.security.authorization.ProviderCtx; import org.apache.jackrabbit.oak.spi.commit.CommitInfo; import org.apache.jackrabbit.oak.spi.commit.MoveTracker; import org.apache.jackrabbit.oak.spi.commit.Validator; import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.Context; -import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants; import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; @@ -44,7 +43,6 @@ */ public class PermissionValidatorProvider extends ValidatorProvider { - private final SecurityProvider securityProvider; private final AuthorizationConfiguration acConfig; private final long jr2Permissions; 
@@ -52,17 +50,15 @@ private final Set principals; private final MoveTracker moveTracker; - private final RootProvider rootProvider; - private final TreeProvider treeProvider; + private final ProviderCtx providerCtx; private Context acCtx; private Context userCtx; - public PermissionValidatorProvider(@Nonnull SecurityProvider securityProvider, @Nonnull String workspaceName, + public PermissionValidatorProvider(@Nonnull String workspaceName, @Nonnull Set principals, @Nonnull MoveTracker moveTracker, - @Nonnull RootProvider rootProvider, @Nonnull TreeProvider treeProvider) { - this.securityProvider = securityProvider; - this.acConfig = securityProvider.getConfiguration(AuthorizationConfiguration.class); + @Nonnull ProviderCtx providerCtx) { + this.acConfig = providerCtx.getSecurityProvider().getConfiguration(AuthorizationConfiguration.class); ConfigurationParameters params = acConfig.getParameters(); String compatValue = params.getConfigValue(PermissionConstants.PARAM_PERMISSIONS_JR2, null, String.class); @@ -72,8 +68,7 @@ this.principals = principals; this.moveTracker = moveTracker; - this.rootProvider = rootProvider; - this.treeProvider = treeProvider; + this.providerCtx = providerCtx; } //--------------------------------------------------< ValidatorProvider >--- 
@@ -100,21 +95,25 @@ Context getUserContext() { if (userCtx == null) { - UserConfiguration uc = securityProvider.getConfiguration(UserConfiguration.class); + UserConfiguration uc = providerCtx.getSecurityProvider().getConfiguration(UserConfiguration.class); userCtx = uc.getContext(); } return userCtx; } + TreeProvider getTreeProvider() { + return providerCtx.getTreeProvider(); + } + boolean requiresJr2Permissions(long permission) { return Permissions.includes(jr2Permissions, permission); } Root createReadOnlyRoot(@Nonnull NodeState nodeState) { - return rootProvider.createReadOnlyRoot(nodeState); + return providerCtx.getRootProvider().createReadOnlyRoot(nodeState); } Tree createReadOnlyTree(@Nonnull NodeState nodeState) { - return treeProvider.createReadOnlyTree(nodeState); + return providerCtx.getTreeProvider().createReadOnlyTree(nodeState); } } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/VersionTreePermission.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/VersionTreePermission.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/VersionTreePermission.java (revision ) @@ -22,7 +22,7 @@ import com.google.common.collect.ImmutableSet; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; -import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree; +import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; import org.apache.jackrabbit.oak.spi.version.VersionConstants; import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; import org.apache.jackrabbit.oak.spi.state.NodeState; 
@@ -40,10 +40,12 @@ private final Tree versionTree; private final TreePermission versionablePermission; + private final TreeProvider treeProvider; - VersionTreePermission(@Nonnull Tree versionTree, @Nonnull TreePermission versionablePermission) { + VersionTreePermission(@Nonnull Tree versionTree, @Nonnull TreePermission versionablePermission, @Nonnull TreeProvider treeProvider) { this.versionTree = versionTree; this.versionablePermission = versionablePermission; + this.treeProvider = treeProvider; } VersionTreePermission createChildPermission(@Nonnull Tree versionTree) { @@ -51,9 +53,9 @@ if (JCR_FROZENNODE.equals(versionTree.getName()) || NT_NAMES.contains(TreeUtil.getPrimaryTypeName(versionTree))) { delegatee = versionablePermission; } else { - delegatee = versionablePermission.getChildPermission(versionTree.getName(), ((ImmutableTree) versionTree).getNodeState()); + delegatee = versionablePermission.getChildPermission(versionTree.getName(), treeProvider.asNodeState(versionTree)); } - return new VersionTreePermission(versionTree, delegatee); + return new VersionTreePermission(versionTree, delegatee, treeProvider); } //-----------------------------------------------------< TreePermission >--- 
@@ -61,7 +63,7 @@ @Nonnull @Override public TreePermission getChildPermission(@Nonnull String childName, @Nonnull NodeState childState) { - return createChildPermission(new ImmutableTree((ImmutableTree) versionTree, childName, childState)); + return createChildPermission(treeProvider.createReadOnlyTree(versionTree, childName, childState)); } @Override \ No newline at end of file Index: oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java (revision 1830798) +++ oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java (revision ) @@ -24,6 +24,7 @@ import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.commons.PathUtils; import org.apache.jackrabbit.oak.plugins.memory.PropertyStates; +import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; import org.apache.jackrabbit.oak.plugins.tree.impl.AbstractTree; import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; 
@@ -65,14 +66,15 @@ @Test public void testGetChildPermission() throws Exception { - NodeState ns = ((AbstractTree) root.getTree(SUPPORTED_PATH + "/subtree")).getNodeState(); + TreeProvider treeProvider = getTreeProvider(); + NodeState ns = treeProvider.asNodeState(root.getTree(SUPPORTED_PATH + "/subtree")); TreePermission child = allowedTp.getChildPermission("subtree", ns); assertTrue(child instanceof CugTreePermission); child = deniedTp.getChildPermission("subtree", ns); assertTrue(child instanceof CugTreePermission); - NodeState cugNs = ((AbstractTree) root.getTree(PathUtils.concat(SUPPORTED_PATH, REP_CUG_POLICY))).getNodeState(); + NodeState cugNs = treeProvider.asNodeState(root.getTree(PathUtils.concat(SUPPORTED_PATH, REP_CUG_POLICY))); TreePermission cugChild = allowedTp.getChildPermission(REP_CUG_POLICY, cugNs); assertSame(TreePermission.NO_RECOURSE, cugChild); } \ No newline at end of file Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java (revision ) @@ -24,7 +24,7 @@ import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.commons.PathUtils; -import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree; +import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; import org.apache.jackrabbit.oak.spi.commit.EditorDiff; import org.apache.jackrabbit.oak.spi.commit.MoveTracker; import org.apache.jackrabbit.oak.spi.commit.Validator; 
@@ -75,12 +75,11 @@ private Validator visibleValidator(@Nonnull Tree source, @Nonnull Tree dest) { // TODO improve: avoid calculating the 'before' permissions in case the current parent permissions already point to the correct tree. - ImmutableTree immutableTree = (ImmutableTree) moveCtx.rootBefore.getTree("/"); - TreePermission tp = getPermissionProvider().getTreePermission(immutableTree - , TreePermission.EMPTY); + Tree immutableTree = moveCtx.rootBefore.getTree("/"); + TreePermission tp = getPermissionProvider().getTreePermission(immutableTree, TreePermission.EMPTY); for (String n : PathUtils.elements(source.getPath())) { immutableTree = immutableTree.getChild(n); - tp = tp.getChildPermission(n, immutableTree.getNodeState()); + tp = tp.getChildPermission(n, getTreeProvider().asNodeState(immutableTree)); } Validator validator = createValidator(source, dest, tp, this); return new VisibleValidator(validator, true, false); @@ -129,10 +128,10 @@ if (parent == null) { return false; } - ImmutableTree child = (ImmutableTree) parent.getChild(name); + Tree child = parent.getChild(name); String sourcePath = moveTracker.getSourcePath(child.getPath()); if (sourcePath != null) { - ImmutableTree source = (ImmutableTree) rootBefore.getTree(sourcePath); + Tree source = rootBefore.getTree(sourcePath); if (source.exists()) { // check permissions for adding the moved node at the target location. validator.checkPermissions(child, false, Permissions.ADD_NODE | Permissions.NODE_TYPE_MANAGEMENT); @@ -147,10 +146,10 @@ if (parent == null) { return false; } - ImmutableTree child = (ImmutableTree) parent.getChild(name); + Tree child = parent.getChild(name); String destPath = moveTracker.getDestPath(child.getPath()); if (destPath != null) { - ImmutableTree dest = (ImmutableTree) rootAfter.getTree(destPath); + Tree dest = rootAfter.getTree(destPath); if (dest.exists()) { // check permissions for removing that node. validator.checkPermissions(child, true, Permissions.REMOVE_NODE); 
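Review bot: In `visibleValidator` the local is still named `immutableTree` although it is now a plain `Tree`, and the removed `(ImmutableTree)` cast had served as a runtime assertion that `moveCtx.rootBefore` hands out read-only trees. I would rename it, e.g. `Tree tree = moveCtx.rootBefore.getTree("/");`, and hoist the provider out of the loop with `TreeProvider treeProvider = getTreeProvider();` so it is not fetched through the getter for every path element. In the `diff` hunk further down, the new local `tp` is a `TreeProvider` while `tp` in this method is a `TreePermission`; calling it `treeProvider` there would avoid the clash.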
@@ -162,10 +161,11 @@ return false; } - private boolean diff(@Nonnull ImmutableTree source, @Nonnull ImmutableTree dest, + private boolean diff(@Nonnull Tree source, @Nonnull Tree dest, @Nonnull MoveAwarePermissionValidator validator) throws CommitFailedException { Validator nextValidator = validator.visibleValidator(source, dest); - CommitFailedException e = EditorDiff.process(nextValidator , source.getNodeState(), dest.getNodeState()); + TreeProvider tp = validator.getTreeProvider(); + CommitFailedException e = EditorDiff.process(nextValidator , tp.asNodeState(source), tp.asNodeState(dest)); if (e != null) { throw e; } \ No newline at end of file Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorProvider.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorProvider.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorProvider.java (revision ) 
@@ -20,13 +20,11 @@ import org.apache.jackrabbit.api.security.authorization.PrivilegeManager; import org.apache.jackrabbit.oak.api.Root; -import org.apache.jackrabbit.oak.plugins.tree.RootProvider; import org.apache.jackrabbit.oak.namepath.NamePathMapper; -import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; +import org.apache.jackrabbit.oak.security.authorization.ProviderCtx; import org.apache.jackrabbit.oak.spi.commit.CommitInfo; import org.apache.jackrabbit.oak.spi.commit.Validator; import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; -import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; @@ -41,14 +39,10 @@ */ public class AccessControlValidatorProvider extends ValidatorProvider { - private final SecurityProvider securityProvider; - private final RootProvider rootProvider; - private final TreeProvider treeProvider; + private final ProviderCtx providerCtx; - public AccessControlValidatorProvider(@Nonnull SecurityProvider securityProvider, @Nonnull RootProvider rootProvider, @Nonnull TreeProvider treeProvider) { - this.securityProvider = securityProvider; - this.rootProvider = rootProvider; - this.treeProvider = treeProvider; + public AccessControlValidatorProvider(@Nonnull ProviderCtx providerCtx) { + this.providerCtx = providerCtx; } //--------------------------------------------------< ValidatorProvider >--- 
@@ -58,14 +52,14 @@ RestrictionProvider restrictionProvider = getConfig(AuthorizationConfiguration.class).getRestrictionProvider(); - Root root = rootProvider.createReadOnlyRoot(before); + Root root = providerCtx.getRootProvider().createReadOnlyRoot(before); PrivilegeManager privilegeManager = getConfig(PrivilegeConfiguration.class).getPrivilegeManager(root, NamePathMapper.DEFAULT); PrivilegeBitsProvider privilegeBitsProvider = new PrivilegeBitsProvider(root); - return new AccessControlValidator(after, privilegeManager, privilegeBitsProvider, restrictionProvider, treeProvider); + return new AccessControlValidator(after, privilegeManager, privilegeBitsProvider, restrictionProvider, providerCtx); } private T getConfig(Class configClass) { - return securityProvider.getConfiguration(configClass); + return providerCtx.getSecurityProvider().getConfiguration(configClass); } } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.java (revision ) 
@@ -185,7 +185,7 @@ pp = aggrPermissionProviders.get(0); break; default : - pp = new CompositePermissionProvider(root, aggrPermissionProviders, getContext(), compositionType, getRootProvider()); + pp = new CompositePermissionProvider(root, aggrPermissionProviders, getContext(), compositionType, getRootProvider(), getTreeProvider()); } return pp; } \ No newline at end of file Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (revision ) @@ -36,11 +36,11 @@ import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.commons.PathUtils; +import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.plugins.tree.TreeType; import org.apache.jackrabbit.oak.plugins.tree.TreeTypeProvider; -import org.apache.jackrabbit.oak.namepath.NamePathMapper; -import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree; import org.apache.jackrabbit.oak.plugins.version.ReadOnlyVersionManager; +import org.apache.jackrabbit.oak.security.authorization.ProviderCtx; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.Context; import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants; 
@@ -48,13 +48,11 @@ import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission; import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; -import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; import org.apache.jackrabbit.oak.spi.security.principal.GroupPrincipals; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; import org.apache.jackrabbit.oak.spi.state.NodeState; - import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -77,7 +75,9 @@ private final PermissionStore store; private final PermissionEntryProvider userStore; private final PermissionEntryProvider groupStore; + private final TreeTypeProvider typeProvider; + private final ProviderCtx providerCtx; private Root root; private ReadOnlyVersionManager versionManager; @@ -87,11 +87,12 @@ @Nonnull Root root, @Nonnull String workspaceName, @Nonnull PermissionStore store, - @Nonnull RestrictionProvider restrictionProvider, @Nonnull ConfigurationParameters options, - @Nonnull Context ctx) { + @Nonnull Context ctx, + @Nonnull ProviderCtx providerCtx) { this.root = root; this.workspaceName = workspaceName; + this.providerCtx = providerCtx; bitsProvider = new PrivilegeBitsProvider(root); 
@@ -121,14 +122,14 @@ @Nonnull String workspaceName, @Nonnull PermissionStore store, @Nonnull Set principals, - @Nonnull RestrictionProvider restrictionProvider, @Nonnull ConfigurationParameters options, - @Nonnull Context ctx) { + @Nonnull Context ctx, + @Nonnull ProviderCtx providerCtx) { Tree permissionsTree = PermissionUtil.getPermissionsRoot(root, workspaceName); if (!permissionsTree.exists() || principals.isEmpty()) { return NoPermissions.getInstance(); } else { - return new CompiledPermissionImpl(principals, root, workspaceName, store, restrictionProvider, options, ctx); + return new CompiledPermissionImpl(principals, root, workspaceName, store, options, ctx, providerCtx); } } @@ -194,7 +195,7 @@ while (!versionableTree.exists()) { versionableTree = versionableTree.getParent(); } - return new VersionTreePermission(tree, buildVersionDelegatee(versionableTree)); + return new VersionTreePermission(tree, buildVersionDelegatee(versionableTree), providerCtx.getTreeProvider()); } } case ACCESS_CONTROL: @@ -485,7 +486,7 @@ @Nonnull @Override public TreePermission getChildPermission(@Nonnull String childName, @Nonnull NodeState childState) { - Tree childTree = new ImmutableTree((ImmutableTree) tree, childName, childState); + Tree childTree = providerCtx.getTreeProvider().createReadOnlyTree(tree, childName, childState); return getTreePermission(childTree, typeProvider.getType(childTree, type), this); } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ProviderCtx.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ProviderCtx.java (revision ) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ProviderCtx.java (revision ) 
@@ -0,0 +1,39 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authorization; + +import javax.annotation.Nonnull; + +import org.apache.jackrabbit.oak.plugins.tree.RootProvider; +import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; +import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider; +import org.apache.jackrabbit.oak.spi.security.SecurityProvider; + +public interface ProviderCtx { + + @Nonnull + SecurityProvider getSecurityProvider(); + + @Nonnull + TreeProvider getTreeProvider(); + + @Nonnull + RootProvider getRootProvider(); + + @Nonnull + MountInfoProvider getMountInfoProvider(); +} \ No newline at end of file Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorProvider.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorProvider.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidatorProvider.java (revision ) 
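Review bot: `ProviderCtx` is introduced with no Javadoc on the type or on any of its four getters. It replaces the separate `SecurityProvider`/`RootProvider`/`TreeProvider` constructor arguments across the validators in this patch, so a type-level comment should say what it is for and who is expected to implement it, e.g. `/** Holder for the providers shared by the authorization validators and permission evaluation. */`, plus a note on whether it is internal to oak-core if that is the intent. `getMountInfoProvider()` is not called in any hunk visible here; if nothing uses it yet, say so or add it when it is needed. Classes such as `AccessControlValidator` now receive the whole context, including the `SecurityProvider`, where they previously got only a `TreeProvider`, which is worth stating as a deliberate choice.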
@@ -20,6 +20,7 @@ import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.plugins.tree.RootProvider; +import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; import org.apache.jackrabbit.oak.spi.commit.CommitInfo; import org.apache.jackrabbit.oak.spi.commit.SubtreeValidator; import org.apache.jackrabbit.oak.spi.commit.Validator; @@ -37,20 +38,23 @@ class PrivilegeValidatorProvider extends ValidatorProvider { private final RootProvider rootProvider; + private final TreeProvider treeProvider; - PrivilegeValidatorProvider(@Nonnull RootProvider rootProvider) { + PrivilegeValidatorProvider(@Nonnull RootProvider rootProvider, @Nonnull TreeProvider treeProvider) { this.rootProvider = rootProvider; + this.treeProvider = treeProvider; } @Nonnull @Override public Validator getRootValidator( NodeState before, NodeState after, CommitInfo info) { - return new SubtreeValidator(new PrivilegeValidator(createRoot(before), createRoot(after)), + return new SubtreeValidator(new PrivilegeValidator(createRoot(before), createRoot(after), treeProvider), JCR_SYSTEM, REP_PRIVILEGES); } private Root createRoot(NodeState nodeState) { return rootProvider.createReadOnlyRoot(nodeState); } + } \ No newline at end of file Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java (revision ) 
@@ -25,11 +25,11 @@ import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.plugins.index.IndexConstants; -import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree; import org.apache.jackrabbit.oak.plugins.lock.LockConstants; import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate; import org.apache.jackrabbit.oak.plugins.tree.TreeConstants; -import org.apache.jackrabbit.oak.spi.version.VersionConstants; +import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; +import org.apache.jackrabbit.oak.plugins.tree.TreeUtil; import org.apache.jackrabbit.oak.spi.commit.DefaultValidator; import org.apache.jackrabbit.oak.spi.commit.Validator; import org.apache.jackrabbit.oak.spi.commit.VisibleValidator; @@ -38,7 +38,7 @@ import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; import org.apache.jackrabbit.oak.spi.state.NodeState; import org.apache.jackrabbit.oak.spi.state.NodeStateUtils; -import org.apache.jackrabbit.oak.plugins.tree.TreeUtil; +import org.apache.jackrabbit.oak.spi.version.VersionConstants; import static com.google.common.base.Preconditions.checkNotNull; import static org.apache.jackrabbit.JcrConstants.JCR_CREATED; @@ -190,6 +190,11 @@ return permissionProvider; } + @Nonnull + TreeProvider getTreeProvider() { + return provider.getTreeProvider(); + } + @CheckForNull Validator checkPermissions(@Nonnull Tree tree, boolean isBefore, long defaultPermission) throws CommitFailedException { @@ -200,7 +205,7 @@ } return null; // no need for further validation down the subtree } else { - NodeState ns = getNodeState(tree); + NodeState ns = provider.getTreeProvider().asNodeState(tree); if (ns == null) { throw new CommitFailedException(ACCESS, 0, "Access denied"); } 
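Review bot: In `checkPermissions` (hunk `-200,7 +205,7`) the `if (ns == null)` branch that throws `CommitFailedException(ACCESS, 0, "Access denied")` looks unreachable now, because `TreeProvider.asNodeState` is declared `@Nonnull`. The removed `getNodeState` helper returned null for any tree that was not an `ImmutableTree`, which turned an unexpected tree type into a clean access-denied. Whether such a commit is still rejected now depends on how `asNodeState` fails, which this patch does not show. Either drop the dead check and add a comment such as `// asNodeState throws for trees that are not read-only`, or keep the deny explicit by mapping that failure to the same `CommitFailedException`. The same substitution is made for `parentNs` in the `-317,7 +322,7` hunk, and both sites could use the new `getTreeProvider()` accessor instead of `provider.getTreeProvider()`; the method body continues outside the hunk.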
@@ -317,7 +322,7 @@ // NOTE: we cannot rely on autocreated/protected definition as this // doesn't reveal if a given property is expected to be never modified // after creation. - NodeState parentNs = getNodeState(parent); + NodeState parentNs = provider.getTreeProvider().asNodeState(parent); if (JcrConstants.JCR_UUID.equals(name) && isReferenceable.apply(parentNs)) { return true; } else { @@ -356,14 +361,5 @@ private boolean isIndexDefinition(@Nonnull Tree tree) { return tree.getPath().contains(IndexConstants.INDEX_DEFINITIONS_NAME); - } - - @CheckForNull - private static NodeState getNodeState(@Nonnull Tree tree) { - if (tree instanceof ImmutableTree) { - return ((ImmutableTree) tree).getNodeState(); - } else { - return null; - } } } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java (revision ) 
@@ -16,35 +16,35 @@ */ package org.apache.jackrabbit.oak.security.authorization.composite; -import static org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration.CompositionType.AND; -import static org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration.CompositionType.OR; - import java.util.function.Supplier; - import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; import org.apache.jackrabbit.oak.plugins.tree.TreeType; import org.apache.jackrabbit.oak.plugins.tree.TreeTypeProvider; -import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree; import org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration.CompositionType; import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; import org.apache.jackrabbit.oak.spi.state.NodeState; +import static org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration.CompositionType.AND; +import static org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration.CompositionType.OR; + /** * {@code TreePermission} implementation that combines multiple {@code TreePermission} * implementations. 
*/ final class CompositeTreePermission implements TreePermission { - private final ImmutableTree tree; + private final Tree tree; private final TreeType type; private final CompositionType compositionType; + private final TreeProvider treeProvider; private final TreeTypeProvider typeProvider; private final AggregatedPermissionProvider[] providers; private final TreePermission[] treePermissions; @@ -53,12 +53,14 @@ private Boolean canRead; private Boolean canReadProperties; - private CompositeTreePermission(@Nonnull ImmutableTree tree, @Nonnull TreeType type, + private CompositeTreePermission(@Nonnull Tree tree, @Nonnull TreeType type, + @Nonnull TreeProvider treeProvider, @Nonnull TreeTypeProvider typeProvider, @Nonnull AggregatedPermissionProvider[] providers, @Nonnull TreePermission[] treePermissions, int cnt, @Nonnull CompositionType compositionType) { this.tree = tree; this.type = type; + this.treeProvider = treeProvider; this.typeProvider = typeProvider; this.providers = providers; this.treePermissions = treePermissions; @@ -66,8 +68,11 @@ this.compositionType = compositionType; } - static TreePermission create(@Nonnull ImmutableTree rootTree, @Nonnull TreeTypeProvider typeProvider, - @Nonnull AggregatedPermissionProvider[] providers, @Nonnull CompositionType compositionType) { + static TreePermission create(@Nonnull Tree rootTree, + @Nonnull TreeProvider treeProvider, + @Nonnull TreeTypeProvider typeProvider, + @Nonnull AggregatedPermissionProvider[] providers, + @Nonnull CompositionType compositionType) { switch (providers.length) { case 0 : return TreePermission.EMPTY; case 1 : return providers[0].getTreePermission(rootTree, TreeType.DEFAULT, TreePermission.EMPTY); 
@@ -81,22 +86,24 @@ } treePermissions[i] = tp; } - return new CompositeTreePermission(rootTree, TreeType.DEFAULT, typeProvider, providers, treePermissions, + return new CompositeTreePermission(rootTree, TreeType.DEFAULT, treeProvider, typeProvider, providers, treePermissions, cnt, compositionType); } } - static TreePermission create(@Nonnull final ImmutableTree tree, @Nonnull CompositeTreePermission parentPermission) { - return create(() -> tree, tree.getName(), tree.getNodeState(), parentPermission, null); + static TreePermission create(@Nonnull final Tree tree, @Nonnull TreeProvider treeProvider, @Nonnull CompositeTreePermission parentPermission) { + return create(() -> tree, tree.getName(), treeProvider.asNodeState(tree), parentPermission, null); } - static TreePermission create(@Nonnull final ImmutableTree tree, @Nonnull CompositeTreePermission parentPermission, + static TreePermission create(@Nonnull final Tree tree, @Nonnull TreeProvider treeProvider, @Nonnull CompositeTreePermission parentPermission, - @Nullable TreeType treeType) { + @Nullable TreeType treeType) { - return create(() -> tree, tree.getName(), tree.getNodeState(), parentPermission, treeType); + return create(() -> tree, tree.getName(), treeProvider.asNodeState(tree), parentPermission, treeType); } - private static TreePermission create(@Nonnull Supplier lazyTree, @Nonnull String childName, @Nonnull NodeState childState, @Nonnull CompositeTreePermission parentPermission, + private static TreePermission create(@Nonnull Supplier lazyTree, + @Nonnull String childName, @Nonnull NodeState childState, + @Nonnull CompositeTreePermission parentPermission, - @Nullable TreeType treeType) { + @Nullable TreeType treeType) { switch (parentPermission.childSize) { case 0: return TreePermission.EMPTY; case 1: 
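Review bot: Both package-level `create(Tree, TreeProvider, CompositeTreePermission, …)` overloads take a `TreeProvider` that is used only for `asNodeState(tree)`, while the instance built in the `-133,7 +140,7` hunk takes `parentPermission.treeProvider`. A caller can therefore pass a provider different from the one the parent holds, and the two would be mixed within one permission chain. Using the parent's field, `return create(() -> tree, tree.getName(), parentPermission.treeProvider.asNodeState(tree), parentPermission, null);`, makes the extra parameter unnecessary and keeps a single source for the provider. The private `create` body continues outside this hunk.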
@@ -109,7 +116,7 @@ } return (parent == null) ? TreePermission.EMPTY : parent.getChildPermission(childName, childState); default: - ImmutableTree tree = lazyTree.get(); + Tree tree = lazyTree.get(); TreeType type; if (treeType != null) { type = treeType; @@ -133,7 +140,7 @@ j++; } } - return new CompositeTreePermission(tree, type, parentPermission.typeProvider, pvds, tps, cnt, + return new CompositeTreePermission(tree, type, parentPermission.treeProvider, parentPermission.typeProvider, pvds, tps, cnt, parentPermission.compositionType); } } @@ -142,7 +149,7 @@ @Nonnull @Override public TreePermission getChildPermission(@Nonnull final String childName, @Nonnull final NodeState childState) { - return create(() -> new ImmutableTree(tree, childName, childState), childName, childState, this, null); + return create(() -> treeProvider.createReadOnlyTree(tree, childName, childState), childName, childState, this, null); } @Override \ No newline at end of file Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java (revision ) 
@@ -25,10 +25,10 @@ import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; -import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree; -import org.apache.jackrabbit.oak.spi.namespace.NamespaceConstants; +import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; import org.apache.jackrabbit.oak.spi.commit.DefaultValidator; import org.apache.jackrabbit.oak.spi.commit.Validator; +import org.apache.jackrabbit.oak.spi.namespace.NamespaceConstants; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; @@ -49,11 +49,13 @@ private final Root rootBefore; private final Root rootAfter; private final PrivilegeBitsProvider bitsProvider; + private final TreeProvider treeProvider; - PrivilegeValidator(Root before, Root after) { + PrivilegeValidator(@Nonnull Root before, @Nonnull Root after, @Nonnull TreeProvider treeProvider) { rootBefore = before; rootAfter = after; bitsProvider = new PrivilegeBitsProvider(rootBefore); + this.treeProvider = treeProvider; } //----------------------------------------------------------< Validator >--- @@ -80,7 +82,7 @@ public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException { if (isPrivilegeDefinition(after)) { // make sure privileges have been initialized before - getPrivilegesTree(rootBefore); + Tree parent = getPrivilegesTree(rootBefore); // the following characteristics are expected to be validated elsewhere: // - permission to allow privilege registration -> permission validator. 
@@ -94,7 +96,7 @@ } // validate the definition - Tree tree = new ImmutableTree(ImmutableTree.ParentProvider.UNSUPPORTED, name, after); + Tree tree = treeProvider.createReadOnlyTree(parent, name, after); validateDefinition(tree); } \ No newline at end of file Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java (revision ) @@ -37,7 +37,7 @@ import org.apache.jackrabbit.oak.plugins.tree.TreeConstants; import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; import org.apache.jackrabbit.oak.plugins.tree.TreeUtil; -import org.apache.jackrabbit.oak.plugins.tree.impl.AbstractTree; +import org.apache.jackrabbit.oak.security.authorization.ProviderCtx; import org.apache.jackrabbit.oak.spi.commit.DefaultValidator; import org.apache.jackrabbit.oak.spi.commit.Validator; import org.apache.jackrabbit.oak.spi.commit.VisibleValidator; @@ -59,6 +59,7 @@ */ class AccessControlValidator extends DefaultValidator implements AccessControlConstants { + private final TreeProvider treeProvider; private final Tree parentAfter; private final PrivilegeBitsProvider privilegeBitsProvider; 
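Review bot: The tree passed to `validateDefinition` now mixes two commit states: its parent is the privileges tree taken from `rootBefore` (declared in the previous hunk at -80), while its own state is `after`. The removed code used `ParentProvider.UNSUPPORTED`, which made any parent access fail instead of silently returning pre-commit content. `validateDefinition` is not in this hunk, so whether it or its callees navigate to the parent cannot be confirmed here. A comment at the call would record the intent, for example `// parent is taken from rootBefore; validateDefinition must only read the definition node itself`. `createReadOnlyTree` names its first argument `readOnlyParent`, so this presumably relies on `rootBefore` being a read-only root, which should be confirmed against the provider that constructs this validator.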
@@ -72,7 +73,8 @@ @Nonnull PrivilegeManager privilegeManager, @Nonnull PrivilegeBitsProvider privilegeBitsProvider, @Nonnull RestrictionProvider restrictionProvider, - @Nonnull TreeProvider treeProvider) { + @Nonnull ProviderCtx providerCtx) { + treeProvider = providerCtx.getTreeProvider(); this.parentAfter = treeProvider.createReadOnlyTree(parentAfter); this.privilegeBitsProvider = privilegeBitsProvider; this.privilegeManager = privilegeManager; @@ -82,6 +84,7 @@ } private AccessControlValidator(AccessControlValidator parent, Tree parentAfter) { + this.treeProvider = parent.treeProvider; this.parentAfter = parentAfter; this.privilegeBitsProvider = parent.privilegeBitsProvider; this.privilegeManager = parent.privilegeManager; @@ -176,10 +179,10 @@ private void checkValidPolicy(Tree parent, Tree policyTree, NodeState policyNode) throws CommitFailedException { if (REP_REPO_POLICY.equals(policyTree.getName())) { - checkValidAccessControlledNode(parent, isRepoAccessControllable); + checkValidAccessControlledNode(parent, isRepoAccessControllable, treeProvider); checkValidRepoAccessControlled(parent); } else { - checkValidAccessControlledNode(parent, isAccessControllable); + checkValidAccessControlledNode(parent, isAccessControllable, treeProvider); } Collection validPolicyNames = (parent.isRoot()) ? 
@@ -204,13 +207,13 @@ } private static void checkValidAccessControlledNode(@Nonnull Tree accessControlledTree, - @Nonnull TypePredicate requiredMixin) throws CommitFailedException { + @Nonnull TypePredicate requiredMixin, + @Nonnull TreeProvider treeProvider) throws CommitFailedException { if (AC_NODETYPE_NAMES.contains(TreeUtil.getPrimaryTypeName(accessControlledTree))) { throw accessViolation(5, "Access control policy within access control content (" + accessControlledTree.getPath() + ')'); } - NodeState ns = (accessControlledTree instanceof AbstractTree) ? ((AbstractTree) accessControlledTree).getNodeState() : null; - if (!requiredMixin.apply(ns)) { + if (!requiredMixin.apply(treeProvider.asNodeState(accessControlledTree))) { String msg = "Isolated policy node (" + accessControlledTree.getPath() + "). Parent is not of type " + requiredMixin; throw accessViolation(6, msg); } Index: oak-security-spi/src/main/java/org/apache/jackrabbit/oak/plugins/tree/package-info.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-security-spi/src/main/java/org/apache/jackrabbit/oak/plugins/tree/package-info.java (revision 1830798) +++ oak-security-spi/src/main/java/org/apache/jackrabbit/oak/plugins/tree/package-info.java (revision ) 
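Review bot: In `checkValidAccessControlledNode`, a tree that cannot be unwrapped now fails differently from before. The removed code passed `null` to `requiredMixin.apply` for a non-AbstractTree, which presumably evaluated to false and produced the `accessViolation(6, …)` CommitFailedException. `treeProvider.asNodeState`, as implemented in TreeProviderService in this patch, rejects such a tree with `checkArgument`, so the failure becomes an unchecked IllegalArgumentException. Anything that keys on the access-control violation code will no longer see this case, so either keep the old outcome explicitly or document the new one, e.g. `// asNodeState throws IllegalArgumentException for trees it cannot unwrap; parent is expected to be a read-only tree`. The method's signature and the first check are in this hunk, but its end is not.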
@@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -@Version("3.0.1") +@Version("3.1.0") package org.apache.jackrabbit.oak.plugins.tree; import org.osgi.annotation.versioning.Version; Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConfigurationImpl.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConfigurationImpl.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConfigurationImpl.java (revision ) @@ -79,7 +79,7 @@ @Nonnull @Override public List getValidators(@Nonnull String workspaceName, @Nonnull Set principals, @Nonnull MoveTracker moveTracker) { - return Collections.singletonList(new PrivilegeValidatorProvider(getRootProvider())); + return Collections.singletonList(new PrivilegeValidatorProvider(getRootProvider(), getTreeProvider())); } @Nonnull Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java (revision ) 
@@ -27,9 +27,9 @@ import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.plugins.tree.RootProvider; import org.apache.jackrabbit.oak.plugins.tree.TreeLocation; +import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; import org.apache.jackrabbit.oak.plugins.tree.TreeType; import org.apache.jackrabbit.oak.plugins.tree.TreeTypeProvider; -import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree; import org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration.CompositionType; import org.apache.jackrabbit.oak.security.authorization.permission.PermissionUtil; import org.apache.jackrabbit.oak.spi.security.Context; @@ -57,6 +57,7 @@ private final Context ctx; private final CompositionType compositionType; private final RootProvider rootProvider; + private final TreeProvider treeProvider; private final RepositoryPermission repositoryPermission; @@ -66,12 +67,13 @@ CompositePermissionProvider(@Nonnull Root root, @Nonnull List pps, @Nonnull Context acContext, @Nonnull CompositionType compositionType, - @Nonnull RootProvider rootProvider) { + @Nonnull RootProvider rootProvider, @Nonnull TreeProvider treeProvider) { this.root = root; this.pps = pps.toArray(new AggregatedPermissionProvider[pps.size()]); this.ctx = acContext; this.compositionType = compositionType; this.rootProvider = rootProvider; + this.treeProvider = treeProvider; repositoryPermission = new CompositeRepositoryPermission(this.pps, this.compositionType); immutableRoot = rootProvider.createReadOnlyRoot(root); @@ -93,7 +95,7 @@ @Nonnull @Override public Set getPrivileges(@Nullable Tree tree) { - Tree immutableTree = PermissionUtil.getImmutableTree(tree, immutableRoot); + Tree immutableTree = PermissionUtil.getReadOnlyTree(tree, immutableRoot); PrivilegeBits result = PrivilegeBits.getInstance(); PrivilegeBits denied = PrivilegeBits.getInstance(); 
@@ -122,7 +124,7 @@ @Override public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) { - Tree immutableTree = PermissionUtil.getImmutableTree(tree, immutableRoot); + Tree immutableTree = PermissionUtil.getReadOnlyTree(tree, immutableRoot); PrivilegeBits privilegeBits = privilegeBitsProvider.getBits(privilegeNames); if (privilegeBits.isEmpty()) { return true; @@ -168,19 +170,19 @@ @Nonnull @Override public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) { - ImmutableTree immutableTree = (ImmutableTree) PermissionUtil.getImmutableTree(tree, immutableRoot); + Tree readOnlyTree = PermissionUtil.getReadOnlyTree(tree, immutableRoot); if (tree.isRoot()) { - return CompositeTreePermission.create(immutableTree, typeProvider, pps, compositionType); + return CompositeTreePermission.create(readOnlyTree, treeProvider, typeProvider, pps, compositionType); } else if (parentPermission instanceof CompositeTreePermission) { - return CompositeTreePermission.create(immutableTree, ((CompositeTreePermission) parentPermission)); + return CompositeTreePermission.create(readOnlyTree, treeProvider, ((CompositeTreePermission) parentPermission)); } else { - return parentPermission.getChildPermission(immutableTree.getName(), immutableTree.getNodeState()); + return parentPermission.getChildPermission(readOnlyTree.getName(), treeProvider.asNodeState(readOnlyTree)); } } @Override public boolean isGranted(@Nonnull Tree parent, @Nullable PropertyState property, long permissions) { - Tree immParent = PermissionUtil.getImmutableTree(parent, immutableRoot); + Tree immParent = PermissionUtil.getReadOnlyTree(parent, immutableRoot); boolean isGranted = false; long coveredPermissions = Permissions.NO_PERMISSION; 
@@ -348,13 +350,13 @@ @Override public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreeType type, @Nonnull TreePermission parentPermission) { - ImmutableTree immutableTree = (ImmutableTree) PermissionUtil.getImmutableTree(tree, immutableRoot); + Tree immutableTree = PermissionUtil.getReadOnlyTree(tree, immutableRoot); if (tree.isRoot()) { - return CompositeTreePermission.create(immutableTree, typeProvider, pps, compositionType); + return CompositeTreePermission.create(immutableTree, treeProvider, typeProvider, pps, compositionType); } else if (parentPermission instanceof CompositeTreePermission) { - return CompositeTreePermission.create(immutableTree, ((CompositeTreePermission) parentPermission), type); + return CompositeTreePermission.create(immutableTree, treeProvider, ((CompositeTreePermission) parentPermission), type); } else { - return parentPermission.getChildPermission(immutableTree.getName(), immutableTree.getNodeState()); + return parentPermission.getChildPermission(immutableTree.getName(), treeProvider.asNodeState(immutableTree)); } } } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java (revision ) 
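Review bot: The local in this `getTreePermission(Tree, TreeType, TreePermission)` overload is still named `immutableTree`, while the sibling overload in the hunk at -168 was renamed to `readOnlyTree` along with `PermissionUtil.getReadOnlyTree`. Writing `Tree readOnlyTree = PermissionUtil.getReadOnlyTree(tree, immutableRoot);` here keeps the two methods parallel. The same leftover naming applies to `immutableTree` in the -93 and -122 hunks and `immParent` in the -168 hunk. With the `(ImmutableTree)` cast removed, the type requirement is now enforced only inside `treeProvider.asNodeState`, so a one-line comment on the `else` branch stating that the tree must be unwrappable by the provider would help the next reader.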
@@ -24,10 +24,9 @@ import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; -import org.apache.jackrabbit.oak.plugins.tree.RootProvider; import org.apache.jackrabbit.oak.plugins.tree.TreeLocation; import org.apache.jackrabbit.oak.plugins.tree.TreeType; -import org.apache.jackrabbit.oak.spi.version.VersionConstants; +import org.apache.jackrabbit.oak.security.authorization.ProviderCtx; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.Context; import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants; @@ -41,6 +40,7 @@ import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; +import org.apache.jackrabbit.oak.spi.version.VersionConstants; public class PermissionProviderImpl implements PermissionProvider, AccessControlConstants, PermissionConstants, AggregatedPermissionProvider { @@ -56,7 +56,7 @@ private final Context ctx; - private final RootProvider rootProvider; + private final ProviderCtx providerCtx; private CompiledPermissions compiledPermissions; 
@@ -68,33 +68,33 @@ @Nonnull RestrictionProvider restrictionProvider, @Nonnull ConfigurationParameters options, @Nonnull Context ctx, - @Nonnull RootProvider rootProvider) { + @Nonnull ProviderCtx providerCtx) { this.root = root; this.workspaceName = workspaceName; this.principals = principals; this.restrictionProvider = restrictionProvider; this.options = options; this.ctx = ctx; - this.rootProvider = rootProvider; + this.providerCtx = providerCtx; - immutableRoot = rootProvider.createReadOnlyRoot(root); + immutableRoot = providerCtx.getRootProvider().createReadOnlyRoot(root); } @Override public void refresh() { - immutableRoot = rootProvider.createReadOnlyRoot(root); + immutableRoot = providerCtx.getRootProvider().createReadOnlyRoot(root); getCompiledPermissions().refresh(immutableRoot, workspaceName); } @Nonnull @Override public Set getPrivileges(@Nullable Tree tree) { - return getCompiledPermissions().getPrivileges(PermissionUtil.getImmutableTree(tree, immutableRoot)); + return getCompiledPermissions().getPrivileges(PermissionUtil.getReadOnlyTree(tree, immutableRoot)); } @Override public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) { - return getCompiledPermissions().hasPrivileges(PermissionUtil.getImmutableTree(tree, immutableRoot), privilegeNames); + return getCompiledPermissions().hasPrivileges(PermissionUtil.getReadOnlyTree(tree, immutableRoot), privilegeNames); } @Nonnull 
@@ -106,12 +106,12 @@ @Nonnull @Override public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) { - return getCompiledPermissions().getTreePermission(PermissionUtil.getImmutableTree(tree, immutableRoot), parentPermission); + return getCompiledPermissions().getTreePermission(PermissionUtil.getReadOnlyTree(tree, immutableRoot), parentPermission); } @Override public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) { - return getCompiledPermissions().isGranted(PermissionUtil.getImmutableTree(tree, immutableRoot), property, permissions); + return getCompiledPermissions().isGranted(PermissionUtil.getReadOnlyTree(tree, immutableRoot), property, permissions); } @Override @@ -153,7 +153,7 @@ @Nonnull @Override public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreeType type, @Nonnull TreePermission parentPermission) { - return getCompiledPermissions().getTreePermission(PermissionUtil.getImmutableTree(tree, immutableRoot), type, parentPermission); + return getCompiledPermissions().getTreePermission(PermissionUtil.getReadOnlyTree(tree, immutableRoot), type, parentPermission); } //-------------------------------------------------------------------------- 
@@ -166,7 +166,7 @@ } else { cp = CompiledPermissionImpl.create(immutableRoot, workspaceName, getPermissionStore(immutableRoot, workspaceName, restrictionProvider), principals, - restrictionProvider, options, ctx); + options, ctx, providerCtx); } compiledPermissions = cp; } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java (revision ) @@ -28,7 +28,7 @@ import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.api.Type; -import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree; +import org.apache.jackrabbit.oak.plugins.tree.ReadOnly; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants; import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal; 
@@ -108,11 +108,11 @@ return path; } - public static Tree getImmutableTree(@Nullable Tree tree, @Nonnull Root immutableRoot) { - if (tree instanceof ImmutableTree) { + public static Tree getReadOnlyTree(@Nullable Tree tree, @Nonnull Root readOnlyRoot) { + if (tree instanceof ReadOnly) { return tree; } else { - return (tree == null) ? null : immutableRoot.getTree(tree.getPath()); + return (tree == null) ? null : readOnlyRoot.getTree(tree.getPath()); } } } \ No newline at end of file Index: oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtilTest.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtilTest.java (revision 1830798) +++ oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtilTest.java (revision ) @@ -22,6 +22,7 @@ import com.google.common.collect.ImmutableSet; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.commons.PathUtils; +import org.apache.jackrabbit.oak.plugins.tree.TreeProvider; import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants; import org.apache.jackrabbit.oak.plugins.tree.impl.AbstractTree; import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider; 
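Review bot: `getReadOnlyTree` returns `null` when `tree` is null, but the renamed method still has no nullability annotation on its return. Adding `@CheckForNull` (javax.annotation, as imported in MountPermissionProvider in this patch) would make that visible to callers that pass the result on to `asNodeState`. The pass-through test is also a different contract than before: any `Tree` implementing the `ReadOnly` marker is returned unchanged, without being re-resolved against `readOnlyRoot`. The marker alone does not guarantee that `TreeProvider.asNodeState` can unwrap that tree later. A short Javadoc would pin this down, e.g. `Returns the given tree if it is marked ReadOnly, otherwise the tree at the same path in readOnlyRoot; null if tree is null`.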
@@ -61,8 +62,8 @@ } @Nonnull - private static NodeState getNodeState(@Nonnull Tree tree) { - return ((AbstractTree) tree).getNodeState(); + private NodeState getNodeState(@Nonnull Tree tree) { + return getTreeProvider().asNodeState(tree); } @Test \ No newline at end of file Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java (revision ) @@ -16,26 +16,25 @@ */ package org.apache.jackrabbit.oak.security.authorization.permission; -import static com.google.common.collect.Lists.newArrayList; - import java.security.Principal; import java.util.Collection; import java.util.List; import java.util.Set; - import javax.annotation.CheckForNull; import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.commons.LongUtils; -import org.apache.jackrabbit.oak.plugins.tree.RootProvider; +import org.apache.jackrabbit.oak.security.authorization.ProviderCtx; import org.apache.jackrabbit.oak.spi.mount.Mount; import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.Context; import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; +import static com.google.common.collect.Lists.newArrayList; + public class MountPermissionProvider extends PermissionProviderImpl { @Nonnull 
@@ -52,10 +51,9 @@ public MountPermissionProvider(@Nonnull Root root, @Nonnull String workspaceName, @Nonnull Set principals, @Nonnull RestrictionProvider restrictionProvider, @Nonnull ConfigurationParameters options, @Nonnull Context ctx, - @Nonnull MountInfoProvider mountInfoProvider, - @Nonnull RootProvider rootProvider) { - super(root, workspaceName, principals, restrictionProvider, options, ctx, rootProvider); - this.mountInfoProvider = mountInfoProvider; + @Nonnull ProviderCtx providerCtx) { + super(root, workspaceName, principals, restrictionProvider, options, ctx, providerCtx); + this.mountInfoProvider = providerCtx.getMountInfoProvider(); } @Override Index: oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/tree/impl/TreeProviderService.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/tree/impl/TreeProviderService.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/tree/impl/TreeProviderService.java (revision ) 
@@ -24,16 +24,27 @@ import org.apache.jackrabbit.oak.spi.state.NodeState; import org.osgi.service.component.annotations.Component; +import static com.google.common.base.Preconditions.checkArgument; + @Component(service = {TreeProvider.class}) public class TreeProviderService implements TreeProvider { + @Nonnull @Override public Tree createReadOnlyTree(@Nonnull NodeState rootState) { return TreeFactory.createReadOnlyTree(rootState); } + @Nonnull @Override public Tree createReadOnlyTree(@Nonnull Tree readOnlyParent, @Nonnull String childName, @Nonnull NodeState childState) { return TreeFactory.createReadOnlyTree(readOnlyParent, childName, childState); + } + + @Nonnull + @Override + public NodeState asNodeState(@Nonnull Tree readOnlyTree) { + checkArgument(readOnlyTree instanceof AbstractTree); + return ((AbstractTree) readOnlyTree).getNodeState(); } } \ No newline at end of file Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java (revision 1830798) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java (revision ) @@ -59,6 +59,7 @@ import org.osgi.service.component.annotations.Activate; import org.osgi.service.component.annotations.Component; import org.osgi.service.component.annotations.Reference; +import org.osgi.service.component.annotations.ReferenceCardinality; import org.osgi.service.metatype.annotations.AttributeDefinition; import org.osgi.service.metatype.annotations.Designate; import org.osgi.service.metatype.annotations.ObjectClassDefinition; 
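Review bot: `checkArgument(readOnlyTree instanceof AbstractTree)` in `asNodeState` fails with a message-less IllegalArgumentException, and it accepts every AbstractTree although the parameter is named `readOnlyTree`. This method now sits on the permission-evaluation and commit-validation paths, so the failure should say what was passed: `checkArgument(readOnlyTree instanceof AbstractTree, "Unsupported tree type %s", readOnlyTree.getClass().getName());`. If only read-only trees are meant to be unwrapped, the check would also have to test the `ReadOnly` marker that `PermissionUtil.getReadOnlyTree` relies on; whether AbstractTree has non-read-only subclasses is not visible here. The interface method in TreeProvider should carry Javadoc with an `@throws IllegalArgumentException` line so other implementations agree on the failure mode.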
@@ -73,8 +74,8 @@ service = {AuthorizationConfiguration.class, SecurityConfiguration.class}, property = OAK_SECURITY_NAME + "=org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl") @Designate(ocd = AuthorizationConfigurationImpl.Configuration.class) -public class AuthorizationConfigurationImpl extends ConfigurationBase implements AuthorizationConfiguration { +public class AuthorizationConfigurationImpl extends ConfigurationBase implements AuthorizationConfiguration, ProviderCtx { - + @ObjectClassDefinition(name = "Apache Jackrabbit Oak AuthorizationConfiguration") @interface Configuration { @AttributeDefinition( @@ -116,7 +117,6 @@ int configurationRanking() default 100; } - @Reference private MountInfoProvider mountInfoProvider = Mounts.defaultMountInfoProvider(); public AuthorizationConfigurationImpl() { @@ -166,8 +166,8 @@ public List getValidators(@Nonnull String workspaceName, @Nonnull Set principals, @Nonnull MoveTracker moveTracker) { return ImmutableList.of( new PermissionStoreValidatorProvider(), - new PermissionValidatorProvider(getSecurityProvider(), workspaceName, principals, moveTracker, getRootProvider(), getTreeProvider()), - new AccessControlValidatorProvider(getSecurityProvider(), getRootProvider(), getTreeProvider())); + new PermissionValidatorProvider(workspaceName, principals, moveTracker, this), + new AccessControlValidatorProvider(this)); } @Nonnull 
@@ -202,13 +202,23 @@ if (mountInfoProvider.hasNonDefaultMounts()) { return new MountPermissionProvider(root, workspaceName, principals, getRestrictionProvider(), - getParameters(), ctx, mountInfoProvider, getRootProvider()); + getParameters(), ctx, this); } else { return new PermissionProviderImpl(root, workspaceName, principals, getRestrictionProvider(), - getParameters(), ctx, getRootProvider()); + getParameters(), ctx, this); } } + //-----------------------------------------< ProviderCtx >--- + + @Nonnull + @Override + public MountInfoProvider getMountInfoProvider() { + return mountInfoProvider; + } + + //-------------------------------------------------------------------------- + @Reference(name = "mountInfoProvider", cardinality = ReferenceCardinality.MANDATORY) public void bindMountInfoProvider(MountInfoProvider mountInfoProvider) { this.mountInfoProvider = mountInfoProvider; } Index: oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java (revision 1830798) +++ oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java (revision ) @@ -56,7 +56,7 @@ Root readOnlyRoot = getRootProvider().createReadOnlyRoot(root); Tree t = readOnlyRoot.getTree("/"); tp = new EmptyCugTreePermission(t, TreeType.DEFAULT, pp); - rootState = ((AbstractTree) t).getNodeState(); + rootState = getTreeProvider().asNodeState(t); } @Test