[WIP] Acl #274
base: 2.x
[WIP] Acl #274
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
<?php | ||
|
||
namespace Jackalope\Security; | ||
|
||
use PHPCR\Security\AccessControlEntryInterface; | ||
use PHPCR\Security\PrincipalInterface; | ||
use PHPCR\Security\PrivilegeInterface; | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
class AccessControlEntry implements \IteratorAggregate, AccessControlEntryInterface | ||
{ | ||
/** | ||
* @var PrincipalInterface | ||
*/ | ||
private $principal; | ||
|
||
/** | ||
* @var PrivilegeInterface[] | ||
*/ | ||
private $privileges; | ||
|
||
public function __construct(PrincipalInterface $principal, array $privileges) | ||
{ | ||
$this->principal = $principal; | ||
// TODO: validate privileges | ||
probably not needed, since the privilege instances will already be "validated"
what i meant is validate that its actually PrivilegeInterface instances, in case somebody tries to set them with strings or something like that. |
||
$this->privileges = $privileges; | ||
} | ||
|
||
public function getIterator() | ||
{ | ||
return new \ArrayIterator($this->privileges); | ||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function getPrincipal() | ||
{ | ||
return $this->principal; | ||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function getPrivileges() | ||
{ | ||
return $this->privileges; | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
<?php | ||
|
||
namespace Jackalope\Security; | ||
|
||
use Jackalope\FactoryInterface; | ||
use PHPCR\NodeInterface; | ||
use PHPCR\Security\AccessControlEntryInterface; | ||
use PHPCR\Security\AccessControlException; | ||
use PHPCR\Security\AccessControlListInterface; | ||
use PHPCR\Security\AccessControlManagerInterface; | ||
use PHPCR\Security\PrincipalInterface; | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
class AccessControlList extends AccessControlPolicy implements \IteratorAggregate, AccessControlListInterface | ||
{ | ||
private $aceList = array(); | ||
|
||
/** | ||
* @param FactoryInterface $factory | ||
* @param NodeInterface $node | ||
*/ | ||
public function __construct(FactoryInterface $factory, AccessControlManagerInterface $acm, NodeInterface $node = null) | ||
{ | ||
$this->factory = $factory; | ||
$this->acm = $acm; | ||
$this->node = $node; | ||
|
||
// TODO think about lazy initialization | ||
if ($this->node) { | ||
foreach ($this->node->getNodes(null, 'rep:ACE') as $aceNode) { | ||
$privileges = array(); | ||
foreach ($aceNode->getPropertyValue('privileges') as $priv) { | ||
$privileges[] = $this->acm->privilegeFromName($priv); | ||
} | ||
$this->aceList[] = new AccessControlEntry(new Principal($aceNode->getProperty('principal')), $privileges); | ||
} | ||
} | ||
|
||
} | ||
|
||
public function getIterator() | ||
{ | ||
return new \ArrayIterator($this->getAccessControlEntries()); | ||
} | ||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function getAccessControlEntries() | ||
{ | ||
return $this->aceList; | ||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function addAccessControlEntry(PrincipalInterface $principal, array $privileges) | ||
{ | ||
// $this->add | ||
// TODO factory? | ||
$this->aceList[] = new AccessControlEntry($principal, $privileges); | ||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function removeAccessControlEntry(AccessControlEntryInterface $ace) | ||
{ | ||
if ($key = array_search($ace, $this->aceList, true)) { | ||
unset($this->aceList[$key]); | ||
|
||
return; | ||
} | ||
|
||
throw new AccessControlException('Entry not found'); | ||
} | ||
} |
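Review bot: `removeAccessControlEntry()` cannot remove the first entry of the list, because `array_search()` returns key `0` for it and `if ($key = array_search($ace, $this->aceList, true))` treats `0` the same as the `false` returned when nothing matches. The call then throws 'Entry not found' and the entry stays in the ACL, so a revocation of a valid entry fails. Compare against `false` explicitly: `$key = array_search($ace, $this->aceList, true);` followed by `if (false !== $key) {`. Separately, the constructor docblock omits `$acm`, and `$this->factory`, `$this->acm` and `$this->node` are assigned without a property declaration in this class or in the `AccessControlPolicy` shown on this page.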
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,140 @@ | ||
<?php | ||
|
||
namespace Jackalope\Security; | ||
use Jackalope\FactoryInterface; | ||
use Jackalope\ObjectManager; | ||
use Jackalope\Transport\AccessControlInterface; | ||
use PHPCR\RepositoryException; | ||
use PHPCR\Security\AccessControlException; | ||
use PHPCR\Security\AccessControlManagerInterface; | ||
use PHPCR\Security\AccessControlPolicyInterface; | ||
use PHPCR\Security\PrivilegeInterface; | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
class AccessControlManager implements AccessControlManagerInterface | ||
{ | ||
/** | ||
* @var FactoryInterface | ||
*/ | ||
private $factory; | ||
|
||
/** | ||
* @var ObjectManager | ||
*/ | ||
private $om; | ||
|
||
/** | ||
* @var AccessControlInterface | ||
*/ | ||
private $transport; | ||
|
||
/** | ||
* @var PrivilegeInterface[] | ||
*/ | ||
private $supportedPrivilegesByPath = array(); | ||
|
||
public function __construct(FactoryInterface $factory, ObjectManager $om, AccessControlInterface $transport) | ||
{ | ||
$this->factory = $factory; | ||
$this->om = $om; | ||
$this->transport = $transport; | ||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function getSupportedPrivileges($absPath = null) | ||
{ | ||
if (!isset($this->supportedPrivilegesByPath[$absPath])) { | ||
$this->supportedPrivilegesByPath[$absPath] = $this->transport->getSupportedPrivileges($absPath); | ||
} | ||
|
||
return $this->supportedPrivilegesByPath[$absPath]; | ||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function privilegeFromName($privilegeName) | ||
{ | ||
foreach ($this->getSupportedPrivileges() as $privilege) { | ||
if ($privilegeName === $privilege->getName()) { | ||
return $privilege; | ||
} | ||
|
||
foreach ($privilege->getAggregatePrivileges() as $childPrivilege) { | ||
if ($privilegeName === $childPrivilege->getName()) { | ||
return $childPrivilege; | ||
} | ||
} | ||
} | ||
|
||
throw new AccessControlException($privilegeName); | ||
Improve exception message |
||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function hasPrivileges($absPath, array $privileges) | ||
{ | ||
// TODO | ||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function getPrivileges($absPath = null) | ||
{ | ||
// TODO | ||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function getPolicies($absPath) | ||
{ | ||
return $this->om->getPolicies($absPath); | ||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function getEffectivePolicies($absPath) | ||
{ | ||
throw new RepositoryException('This method can not properly be implemented. Use getPolicies for this path'); | ||
currently not implemented for JCR remoting in Jackrabbit
yep, and angela thinks it makes semantically no sense, as you might not have the right to read all policies that might affect you, and there is no defined behaviour for that case. the things that are releavant are:
|
||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function getApplicablePolicies($absPath) | ||
{ | ||
if (count($this->getPolicies($absPath))) { | ||
return array(); | ||
} | ||
|
||
return array(new AccessControlList($this->factory, $this)); | ||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function setPolicy($absPath, AccessControlPolicyInterface $policy) | ||
{ | ||
if (!$policy instanceof AccessControlList) { | ||
throw new \InvalidArgumentException('Invalid policy given'); | ||
} | ||
|
||
$this->om->setPolicy($absPath, $policy); | ||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function removePolicy($absPath, AccessControlPolicyInterface $policy) | ||
{ | ||
// TODO: track this so its saved | ||
need an operation for this |
||
} | ||
} |
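Review bot: `hasPrivileges()` and `getPrivileges()` have empty bodies, so both return null with no signal that no check took place. A caller testing the result of `hasPrivileges()` gets a falsy value that is indistinguishable from a real denial, and `getPrivileges()` hands null to code that presumably expects a list of privileges. Until they are implemented, fail loudly with the exception type this file already imports, e.g. `throw new RepositoryException('hasPrivileges is not implemented yet');`, and the same in `getPrivileges()`.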
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
<?php | ||
|
||
namespace Jackalope\Security; | ||
|
||
use PHPCR\Security\AccessControlPolicyInterface; | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
class AccessControlPolicy implements AccessControlPolicyInterface | ||
{ | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
<?php | ||
|
||
namespace Jackalope\Security; | ||
|
||
use PHPCR\Security\NamedAccessControlPolicyInterface; | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
class NamedAccessControlPolicy extends AccessControlPolicy implements NamedAccessControlPolicyInterface | ||
{ | ||
private $name; | ||
|
||
public function __construct($name) | ||
{ | ||
$this->name = $name; | ||
} | ||
|
||
/** | ||
* {@inheritDoc} | ||
*/ | ||
public function getName() | ||
{ | ||
return $this->name; | ||
} | ||
} |
afaik there is no different operation, the acl is always entirely overwritten. right @Alfusainey ?
but there is one for REMOVE_POLICY