[399487] [Security] Changes to the security realm should be verified before being applied

https://bugs.eclipse.org/bugs/show_bug.cgi?id=399487

Initial implementation of critical security realm integrity checking.  Includes:
  - security realm constraints and generated validator
  - write-access handler step in the SecurityManager to validate
     changes to the security realm on detection of IMPACT_REALM
  - CDO protocol enhancement to notify client of rollback due to
     semantic validation checks
  - CDOEditor enhancement to report the new rollback reason
  - basic JUnit coverage of realm-edit transaction validation

Change-Id: If2c2727652760409d497145b5465fb3c5748c3b8

2 files changed, 51 insertions, 2 deletions

diff --git a/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/internal/server/TransactionCommitContext.java b/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/internal/server/TransactionCommitContext.java
index 32681ac6e1..d8d68d94f0 100644
--- a/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/internal/server/TransactionCommitContext.java
+++ b/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/internal/server/TransactionCommitContext.java
@@ -9,6 +9,7 @@
  *    Simon McDuff - initial API and implementation
  *    Eike Stepper - maintenance
  *    Martin Fluegge - maintenance, bug 318518
+ *    Christian W. Damus (CEA LIST) - bug 399487
  */
 package org.eclipse.emf.cdo.internal.server;
 
@@ -48,6 +49,7 @@ import org.eclipse.emf.cdo.internal.common.model.CDOPackageRegistryImpl;
 import org.eclipse.emf.cdo.internal.server.bundle.OM;
 import org.eclipse.emf.cdo.server.IStoreAccessor;
 import org.eclipse.emf.cdo.server.IStoreAccessor.QueryXRefsContext;
+import org.eclipse.emf.cdo.server.IRepository;
 import org.eclipse.emf.cdo.server.IView;
 import org.eclipse.emf.cdo.server.StoreThreadLocal;
 import org.eclipse.emf.cdo.spi.common.commit.CDOCommitInfoUtil;
@@ -709,8 +711,16 @@ public class TransactionCommitContext implements InternalCommitContext
         TRACER.trace(ex);
       }
 
-      String storeClass = repository.getStore().getClass().getSimpleName();
-      rollback("Rollback in " + storeClass + ": " + StringUtil.formatException(ex)); //$NON-NLS-1$ //$NON-NLS-2$
+      if (ex instanceof IRepository.WriteAccessHandler.TransactionValidationException)
+      {
+        rollbackReason = CDOProtocolConstants.ROLLBACK_REASON_VALIDATION_ERROR;
+        rollback(ex.getLocalizedMessage());
+      }
+      else
+      {
+        String storeClass = repository.getStore().getClass().getSimpleName();
+        rollback("Rollback in " + storeClass + ": " + StringUtil.formatException(ex)); //$NON-NLS-1$ //$NON-NLS-2$
+      }
     }
     catch (Exception ex1)
     {
diff --git a/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/server/IRepository.java b/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/server/IRepository.java
index 2c87f7acc8..34db6f611d 100644
--- a/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/server/IRepository.java
+++ b/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/server/IRepository.java
@@ -7,6 +7,7 @@
  *
  * Contributors:
  *    Eike Stepper - initial API and implementation
+ *    Christian W. Damus (CEA LIST) - bug 399487
  */
 package org.eclipse.emf.cdo.server;
 
@@ -227,6 +228,10 @@ public interface IRepository extends CDOCommonRepository, IQueryHandlerProvider,
      *          internal state of the commit context in any way!</b>
      * @param monitor
      *          A monitor that should be used by the implementor to avoid timeouts.
+     * @throws TransactionValidationException
+     *           to indicate that the commit operation must not be executed against the backend store because some
+     *           semantic validation checks failed. The message should describe the validation failure and will be
+     *           passed through to the client
      * @throws RuntimeException
      *           to indicate that the commit operation must not be executed against the backend store. This exception
      *           will be visible at the client side!
@@ -249,6 +254,40 @@ public interface IRepository extends CDOCommonRepository, IQueryHandlerProvider,
      */
     public void handleTransactionAfterCommitted(ITransaction transaction, IStoreAccessor.CommitContext commitContext,
         OMMonitor monitor);
+
+    /**
+     * An exception that a {@link WriteAccessHandler} may throw to indicate that a
+     * {@linkplain WriteAccessHandler#handleTransactionBeforeCommitting(ITransaction, org.eclipse.emf.cdo.server.IStoreAccessor.CommitContext, OMMonitor) transaction commit}
+     * was rejected because one or more semantic validation checks reported errors.
+     * 
+     * @author Christian W. Damus (CEA LIST)
+     * 
+     * @since 4.3
+     */
+    public static final class TransactionValidationException extends RuntimeException
+    {
+      private static final long serialVersionUID = 1L;
+
+      public TransactionValidationException()
+      {
+      }
+
+      public TransactionValidationException(String message, Throwable cause)
+      {
+        super(message, cause);
+      }
+
+      public TransactionValidationException(String message)
+      {
+        super(message);
+      }
+
+      public TransactionValidationException(Throwable cause)
+      {
+        super(cause);
+      }
+
+    }
   }
 
   /**