Merge of ACL permissions for eXist, extends the Unix Style Permissions

Note - Default permissions have been tightened up, we now try to follow the Unix model more closely. i.e. Default new collection and resource permissions are 0644 and the rights to modify permissions now tightly follow the Unix permission model. Documentation is to follow shortly. svn path=/trunk/eXist/; revision=14670
mjhallman · Jun 10, 2011 · 71fa3ea · 71fa3ea
1 parent 892d38b
commit 71fa3ea
Show file tree

Hide file tree

Showing 110 changed files with 6,623 additions and 3,320 deletions.
diff --git a/build.properties b/build.properties
@@ -29,6 +29,9 @@ proxy.socks.port = 0
 # Ant
 tools.ant = ./tools/ant
 
+#aspectj
+tools.aspectj = ./tools/aspectj
+
 # Common libs
 lib.core = ./lib/core
 lib.optional = ./lib/optional

diff --git a/build/scripts/build-impl.xml b/build/scripts/build-impl.xml
@@ -97,6 +97,18 @@
         </fileset>
     </path>
 
+    <path id="classpath.catalina">
+        <fileset dir="${catalina.home}/bin">
+            <include name="*.jar"/>
+        </fileset>
+        <fileset dir="${catalina.home}/server/lib">
+            <include name="*.jar"/>
+        </fileset>
+        <!--fileset dir="${catalina.home}/common/lib">
+        <include name="*.jar"/>
+        </fileset-->
+    </path>
+
     <taskdef name="java2wsdl" classname="org.apache.axis.tools.ant.wsdl.Java2WsdlAntTask">
         <classpath refid="classpath.core"/>
     </taskdef>
@@ -113,6 +125,14 @@
         <classpath refid="classpath.core"/>
     </taskdef-->
 
+    <taskdef classpath="${tools.aspectj}/lib/aspectjtools-1.6.11.jar" resource="org/aspectj/tools/ant/taskdefs/aspectjTaskdefs.properties"/>
+    <path id="classpath.aspectj">
+        <fileset dir="${tools.aspectj}/lib">
+            <include name="*.jar"/>
+        </fileset>
+    </path>
+
+
     <!-- =================================================================== -->
     <!-- Prepare the build                                                   -->
     <!-- =================================================================== -->
@@ -177,6 +197,7 @@
 
         <echo
             message="Compiling with Java ${ant.java.version} from ${build.compiler.source} source to ${build.compiler.target} target, debug ${build.debug}, optimize ${build.optimize}, deprecation ${build.deprecation}"/>
+
         <javac includeAntRuntime="false" debug="${build.debug}" deprecation="${build.deprecation}" destdir="${build.classes}"
             encoding="UTF-8" optimize="${build.optimize}" srcdir="${src}"
             source="${build.compiler.source}" target="${build.compiler.target}"
@@ -189,6 +210,7 @@
             <classpath>
                 <path refid="classpath.core"/>
                 <path refid="classpath.jetty"/>
+                <path refid="classpath.aspectj"/>
             </classpath>
         </javac>
 
@@ -207,19 +229,38 @@
             <include name="org/exist/http/realm/**"/>
             <classpath>
                 <path refid="classpath.core"/>
-                <fileset dir="${catalina.home}/bin">
-                    <include name="*.jar"/>
-                </fileset>
-                <fileset dir="${catalina.home}/server/lib">
-                    <include name="*.jar"/>
-                </fileset>
-                <!--fileset dir="${catalina.home}/common/lib">
-                <include name="*.jar"/>
-                </fileset-->
+                <path refid="classpath.catalina"/>
             </classpath>
         </javac>
     </target>
 
+    <!-- =================================================================== -->
+    <!-- Compiles the aspects                                                -->
+    <!-- =================================================================== -->
+    <target name="compile-aspectj" depends="prepare,compile,compile-tomcat-realm" description="Compiles the aspects">
+
+        <echo
+            message="Compiling aspects with Java ${ant.java.version} from ${build.compiler.source} source to ${build.compiler.target} target, debug ${build.debug}, optimize ${build.optimize}, deprecation ${build.deprecation}"/>
+
+        <iajc debug="${build.debug}" deprecation="${build.deprecation}" destdir="${build.classes}"
+            encoding="UTF-8" srcdir="${src}"
+            source="${build.compiler.source}" target="${build.compiler.target}"
+            fork="true" maxmem="1024m" showWeaveInfo="true">
+
+            <include name="org/**"/>
+            <include name="org/exist/schema/**"/>
+            <exclude name="org/exist/http/realm/**"/>
+            <exclude name="doxygen"/>
+
+            <classpath>
+                <path refid="classpath.aspectj"/>
+                <path refid="classpath.core"/>
+                <path refid="classpath.jetty"/>
+                <!-- path refid="classpath.catalina"/ -->
+            </classpath>
+        </iajc>
+    </target>
+
     <!-- =================================================================== -->
     <!-- Run antlr parser generator									   	   -->
     <!-- needs antlr distribution-directory in the classpath			   -->
@@ -258,9 +299,9 @@
     <target depends="XQueryTreeParser,jar" name="xquery-ng"/>
 
     <!-- ================================================================== -->
-    <!-- Create jar files                    							   	-->
+    <!-- Create jar files                    				    -->
     <!-- ================================================================== -->
-    <target name="jar" depends="compile, compile-tomcat-realm"
+    <target name="jar" depends="compile, compile-tomcat-realm, compile-aspectj"
         description="Create eXist unsigned jar files">
         <filter token="version" value="${project.version}"/>
         <filter token="build" value="${DSTAMP}"/>

diff --git a/build/scripts/junit.xml b/build/scripts/junit.xml
@@ -97,6 +97,7 @@
             <sysproperty key="exist.home" value="${basedir}" />
             <classpath refid="classpath.core"/>
             <classpath refid="classpath.jetty"/>
+            <classpath refid="classpath.aspectj"/>
             <classpath refid="classpath.junit"/>
             <classpath refid="classpath.test-libs"/>
 
@@ -162,6 +163,7 @@
         <junit haltonfailure="false" printsummary="yes" showoutput="${junit.output}" maxmemory="${junit.forked.VM.maxmemory}">
             <sysproperty key="exist.home" value="${basedir}" />
             <classpath refid="classpath.core"/>
+            <classpath refid="classpath.aspectj"/>
             <classpath refid="classpath.jetty"/>
             <classpath refid="classpath.junit"/>
             <classpath refid="classpath.test-libs"/>
@@ -189,6 +191,7 @@
         <junit haltonfailure="false" printsummary="on" showoutput="${junit.output}" fork="no">
             <sysproperty key="exist.home" value="${basedir}" />
             <classpath refid="classpath.core"/>
+            <classpath refid="classpath.aspectj"/>
             <classpath refid="classpath.jetty"/>
             <classpath refid="classpath.junit"/>
             <classpath refid="classpath.test-libs"/>
@@ -207,6 +210,7 @@
         <junit haltonfailure="false" printsummary="on" showoutput="${junit.output}" fork="yes" maxmemory="${junit.forked.VM.maxmemory}">
             <sysproperty key="exist.home" value="${basedir}" />
             <classpath refid="classpath.core"/>
+            <classpath refid="classpath.aspectj"/>
             <classpath refid="classpath.jetty"/>
             <classpath refid="classpath.junit"/>
             <classpath refid="classpath.test-libs"/>
@@ -256,6 +260,7 @@
         <junit haltonfailure="false" printsummary="yes" showoutput="${junit.output}" maxmemory="${junit.forked.VM.maxmemory}">
             <sysproperty key="exist.home" value="${basedir}" />
             <classpath refid="classpath.core"/>
+            <classpath refid="classpath.aspectj"/>
             <classpath refid="classpath.jetty"/>
             <classpath refid="classpath.junit"/>
             <classpath refid="classpath.test-libs"/>
@@ -281,6 +286,7 @@
         <junit haltonfailure="false" printsummary="yes" showoutput="${junit.output}" maxmemory="${junit.forked.VM.maxmemory}">
             <sysproperty key="exist.home" value="${basedir}" />
             <classpath refid="classpath.core"/>
+            <classpath refid="classpath.aspectj"/>
             <classpath refid="classpath.jetty"/>
             <classpath refid="classpath.junit"/>
             <classpath refid="classpath.test-libs"/>
@@ -299,6 +305,7 @@
         <junit haltonfailure="false" printsummary="yes" showoutput="${junit.output}" maxmemory="${junit.forked.VM.maxmemory}">
             <sysproperty key="exist.home" value="${basedir}" />
             <classpath refid="classpath.core"/>
+            <classpath refid="classpath.aspectj"/>
             <classpath refid="classpath.jetty"/>
             <classpath refid="classpath.junit"/>
             <classpath refid="classpath.test-libs"/>
@@ -416,9 +423,10 @@
             source="${build.compiler.source}" target="${build.compiler.target}">
             <classpath>
                 <path refid="classpath.core"/>
+                <path refid="classpath.aspectj"/>
                 <path refid="classpath.junit"/>
-	            <path refid="classpath.test-libs"/>
-	            <path refid="classpath.xslts"/>
+                <path refid="classpath.test-libs"/>
+                <path refid="classpath.xslts"/>
             </classpath>
         </javac>
         <echo>JUnit tests generated.</echo>
@@ -440,6 +448,7 @@
         <junit haltonfailure="false" printsummary="on" showoutput="${junit.output}" fork="yes" maxmemory="${junit.forked.VM.maxmemory}">
             <sysproperty key="exist.home" value="${basedir}" />
             <classpath refid="classpath.core"/>
+            <classpath refid="classpath.aspectj"/>
             <classpath refid="classpath.jetty"/>
             <classpath refid="classpath.ant_launcher"/>
             <classpath refid="classpath.junit"/>
@@ -462,6 +471,7 @@
         <junit haltonfailure="false" printsummary="on" showoutput="${junit.output}" fork="yes" maxmemory="512m">
             <sysproperty key="exist.home" value="${basedir}" />
             <classpath refid="classpath.core"/>
+            <classpath refid="classpath.aspectj"/>
             <classpath refid="classpath.jetty"/>
             <classpath refid="classpath.ant_launcher"/>
             <classpath refid="classpath.junit"/>

diff --git a/extensions/fluent/build.xml b/extensions/fluent/build.xml
@@ -47,6 +47,11 @@
         <pathelement path="${top.dir}/exist.jar"/>
         <pathelement path="${java.class.path}"/>
     </path>
+    <path id="classpath.aspectj">
+        <fileset dir="../../${tools.aspectj}/lib">
+            <include name="*.jar"/>
+        </fileset>
+    </path>
     <path id="classpath.jar">
         <pathelement path="${top.dir}/exist-fluent.jar"/>
     </path>
@@ -142,6 +147,7 @@
 
             <classpath>
                 <path refid="classpath.core"/>
+                <path refid="classpath.aspectj"/>
                 <path refid="classpath.jar"/>
                 <path refid="classpath.test"/>
                 <path refid="classpath.test-libs"/>

diff --git a/extensions/fluent/src/org/exist/fluent/Document.java b/extensions/fluent/src/org/exist/fluent/Document.java
@@ -125,8 +125,8 @@ public void remove(Document.Listener listener) {
 	 */
 	public static class MetadataFacet extends NamedResource.MetadataFacet {
 		private final DocumentMetadata docMetadata;
-		private MetadataFacet(Permission permissions, DocumentMetadata docMetadata) {
-			super(permissions);
+		private MetadataFacet(Permission permissions, DocumentMetadata docMetadata, Database db) {
+			super(permissions, db);
 			this.docMetadata = docMetadata;
 		}
 		@Override public Date creationDate() {return new Date(docMetadata.getCreated());}
@@ -197,7 +197,7 @@ public ListenersFacet listeners() {
 	}
 
 	@Override public MetadataFacet metadata() {
-		if (metadata == null) metadata = new MetadataFacet(doc.getPermissions(), doc.getMetadata());
+		if (metadata == null) metadata = new MetadataFacet(doc.getPermissions(), doc.getMetadata(), db);
 		return metadata;
 	}
 

diff --git a/extensions/fluent/src/org/exist/fluent/Folder.java b/extensions/fluent/src/org/exist/fluent/Folder.java
@@ -645,7 +645,7 @@ public ListenersFacet listeners() {
 	}
 
 	@Override public MetadataFacet metadata() {
-		if (metadata == null) metadata = new MetadataFacet(getQuickHandle().getPermissionsNoLock()) {
+		if (metadata == null) metadata = new MetadataFacet(getQuickHandle().getPermissionsNoLock(), db) {
 			@Override public Date creationDate() {
 				return new Date(getQuickHandle().getCreationTime());
 			}

diff --git a/extensions/fluent/src/org/exist/fluent/NamedResource.java b/extensions/fluent/src/org/exist/fluent/NamedResource.java
@@ -4,6 +4,8 @@
 import java.util.regex.*;
 
 import org.exist.security.Permission;
+import org.exist.security.PermissionDeniedException;
+import org.exist.storage.DBBroker;
 
 /**
  * A named resource in the contents tree of the database:  either a folder or a document.
@@ -24,9 +26,11 @@ public static abstract class MetadataFacet {
 		private static final Pattern SEGMENT_REGEX = Pattern.compile("([augo]+)([-+=])([rwu]*)");
 
 		private Permission permissions;
-
-		protected MetadataFacet(Permission permissions) {
+                private final Database db;
+
+		protected MetadataFacet(Permission permissions, Database db) {
 			this.permissions = permissions;
+                        this.db = db;
 		}
 
 		/**
@@ -48,7 +52,19 @@ protected MetadataFacet(Permission permissions) {
 		 *
 		 * @param owner the new owner of this resource
 		 */
-		public void owner(String owner) {permissions.setOwner(owner);}
+		public void owner(String owner) {
+                    DBBroker broker = null;
+                    try {
+                        broker = db.acquireBroker();
+                        permissions.setOwner(owner);
+                    } catch(PermissionDeniedException pde) {
+                        throw new DatabaseException(pde.getMessage(), pde);
+                    } finally {
+                        if(broker != null) {
+                            db.releaseBroker(broker);
+                        }
+                    }
+                }
 
 		/**
 		 * Return the group who has privileged access to this resource for purposes of permission management.
@@ -62,7 +78,19 @@ protected MetadataFacet(Permission permissions) {
 		 *
 		 * @param group the new owning group of this resource
 		 */
-		public void group(String group) {permissions.setGroup(group);}
+		public void group(String group) {
+                    DBBroker broker = null;
+                    try {
+                        broker = db.acquireBroker();
+                        permissions.setGroup(group);
+                    } catch(PermissionDeniedException pde) {
+                        throw new DatabaseException(pde.getMessage(), pde);
+                    } finally {
+                        if(broker != null) {
+                            db.releaseBroker(broker);
+                        }
+                    }
+                }
 
 		/**
 		 * Return whether the given subject has the given permission.  The "who" character refers to
@@ -133,27 +161,32 @@ private int convertPermissionBits(String what) {
 		 * @param instructions an instruction string encoding the desired changes to the permissions
 		 */
 		public void changePermissions(String instructions) {
-			if (!INSTRUCTIONS_REGEX.matcher(instructions).matches())
-				throw new IllegalArgumentException("bad permissions instructions: " + instructions);
-			StringTokenizer tokenizer = new StringTokenizer(instructions, ",");
-			while (tokenizer.hasMoreTokens()) {
-				Matcher matcher = SEGMENT_REGEX.matcher(tokenizer.nextToken());
-				if (!matcher.matches()) throw new RuntimeException("internal error: illegal segment got through syntax regex, instruction string " + instructions);
-				int perms = convertPermissionBits(matcher.group(3));
-				int mask = 0;
-				boolean all = matcher.group(1).equals("a");
-				if (all || matcher.group(1).indexOf('u') != -1) mask |= perms << 6;
-				if (all || matcher.group(1).indexOf('g') != -1) mask |= perms << 3;
-				if (all || matcher.group(1).indexOf('o') != -1) mask |= perms;
-				int newPerms;
-				switch(matcher.group(2).charAt(0)) {
-					case '=': newPerms = mask; break;
-					case '+': newPerms = permissions.getMode() | mask;
-					case '-': newPerms = permissions.getMode() & ~mask;
-					default: throw new RuntimeException("internal error: illegal segment operator got through syntax regex, instruction string " + instructions);
-				}
-				permissions.setMode(newPerms);
-			}
+                    if (!INSTRUCTIONS_REGEX.matcher(instructions).matches())
+                            throw new IllegalArgumentException("bad permissions instructions: " + instructions);
+                    StringTokenizer tokenizer = new StringTokenizer(instructions, ",");
+
+                    try {
+                        while (tokenizer.hasMoreTokens()) {
+                                Matcher matcher = SEGMENT_REGEX.matcher(tokenizer.nextToken());
+                                if (!matcher.matches()) throw new RuntimeException("internal error: illegal segment got through syntax regex, instruction string " + instructions);
+                                int perms = convertPermissionBits(matcher.group(3));
+                                int mask = 0;
+                                boolean all = matcher.group(1).equals("a");
+                                if (all || matcher.group(1).indexOf('u') != -1) mask |= perms << 6;
+                                if (all || matcher.group(1).indexOf('g') != -1) mask |= perms << 3;
+                                if (all || matcher.group(1).indexOf('o') != -1) mask |= perms;
+                                int newPerms;
+                                switch(matcher.group(2).charAt(0)) {
+                                        case '=': newPerms = mask; break;
+                                        case '+': newPerms = permissions.getMode() | mask;
+                                        case '-': newPerms = permissions.getMode() & ~mask;
+                                        default: throw new RuntimeException("internal error: illegal segment operator got through syntax regex, instruction string " + instructions);
+                                }
+                                permissions.setMode(newPerms);
+                        }
+                    } catch(PermissionDeniedException pde) {
+                        throw new DatabaseException(pde.getMessage(), pde);
+                    }
 		}
 
 		public String toString() {

diff --git a/extensions/fluent/test/src/org/exist/fluent/MetadataTest.java b/extensions/fluent/test/src/org/exist/fluent/MetadataTest.java
@@ -102,7 +102,7 @@ public class MetadataTest extends DatabaseTestCase {
 
 	@Test public void topFolderOwner() {
 		Folder folder = db.getFolder("/");
-		assertEquals("admin", folder.metadata().owner());
+		assertEquals("SYSTEM", folder.metadata().owner());
 		folder.metadata().owner("guest");
 		assertEquals("guest", folder.metadata().owner());
 	}

diff --git a/extensions/indexes/common.xml b/extensions/indexes/common.xml
@@ -39,6 +39,12 @@
         <pathelement path="${java.class.path}"/>
     </path>
 
+    <path id="classpath.aspectj">
+        <fileset dir="${top.dir}/tools/aspectj/lib">
+            <include name="*.jar"/>
+        </fileset>
+    </path>
+
     <path id="classpath.junit">
     	<pathelement path="${top.dir}/test/classes"/>
     	<pathelement path="${test.classes}"/>