This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch SLING-9953-groups in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-feature-cpconverter.git
commit 5992ea406404164afc1159d6291ddfdfb2300691 Author: angela <[email protected]> AuthorDate: Tue Jan 19 10:52:22 2021 +0100 SLING-9953 : ACEs on/below user nodes are ignored upon conversion (treat groups the same as regular users and abort converter if ace points to them) --- .../accesscontrol/DefaultAclManager.java | 29 ++++++++-------------- .../cpconverter/accesscontrol/AclManagerTest.java | 14 +---------- .../handlers/RepPolicyEntryHandlerTest.java | 18 ++------------ 3 files changed, 14 insertions(+), 47 deletions(-) diff --git a/src/main/java/org/apache/sling/feature/cpconverter/accesscontrol/DefaultAclManager.java b/src/main/java/org/apache/sling/feature/cpconverter/accesscontrol/DefaultAclManager.java index f79c6d5..aff08fc 100644 --- a/src/main/java/org/apache/sling/feature/cpconverter/accesscontrol/DefaultAclManager.java +++ b/src/main/java/org/apache/sling/feature/cpconverter/accesscontrol/DefaultAclManager.java @@ -31,18 +31,18 @@ import org.jetbrains.annotations.Nullable; import javax.jcr.NamespaceException; import java.io.File; import java.io.FileInputStream; -import java.util.Optional; +import java.util.Collection; import java.util.Formatter; import java.util.HashMap; +import java.util.LinkedHashMap; import java.util.LinkedHashSet; import java.util.LinkedList; import java.util.List; -import java.util.LinkedHashMap; import java.util.Map; -import java.util.Set; -import java.util.Collection; -import java.util.Objects; import java.util.Map.Entry; +import java.util.Objects; +import java.util.Optional; +import java.util.Set; import java.util.function.Predicate; import java.util.stream.Collectors; import java.util.stream.Stream; @@ -134,20 +134,13 @@ public class DefaultAclManager implements AclManager { } } - for (Group group : groups) { - if (aclStartsWith(group.getPath())) { - formatter.format("create group %s with path %s%n", group.getId(), group.getIntermediatePath()); - } - if (aclIsBelow(group.getPath())) { - throw new IllegalStateException("Detected policy on subpath of group: " + group); - } - } - - for (User user : users) { - if (aclStartsWith(user.getPath())) { - throw new IllegalStateException("Detected policy on user: " + user); + // abort the conversion if an access control entry takes effect at or below a user/group which is not + // created by repo-init statements generated here. + Stream.concat(groups.stream(), users.stream()).forEach(abstractUser -> { + if (aclStartsWith(abstractUser.getPath())) { + throw new IllegalStateException("Detected policy on user: " + abstractUser); } - } + }); } @NotNull diff --git a/src/test/java/org/apache/sling/feature/cpconverter/accesscontrol/AclManagerTest.java b/src/test/java/org/apache/sling/feature/cpconverter/accesscontrol/AclManagerTest.java index 8e74167..bddc611 100644 --- a/src/test/java/org/apache/sling/feature/cpconverter/accesscontrol/AclManagerTest.java +++ b/src/test/java/org/apache/sling/feature/cpconverter/accesscontrol/AclManagerTest.java @@ -200,7 +200,7 @@ public class AclManagerTest { assertFalse(operations.isEmpty()); } - @Test + @Test(expected = IllegalStateException.class) public void testGroupHandlingWithGroupUsed() { aclManager.addSystemUser(new SystemUser("sys-usr", new RepoPath("/home/users/system/foo"), new RepoPath("/home/users/system"))); @@ -216,18 +216,6 @@ public class AclManagerTest { aclManager.addRepoinitExtension(Collections.singletonList(assembler), fm); Extension repoinitExtension = feature.getExtensions().getByName(Extension.EXTENSION_NAME_REPOINIT); - assertNotNull(repoinitExtension); - - String expected = - "create service user sys-usr with path /home/users/system" + System.lineSeparator() + - "create group test with path /home/groups/test" + System.lineSeparator() + - "set ACL for sys-usr" + System.lineSeparator() + - "allow jcr:read on home(test)" + System.lineSeparator() + - "end" + System.lineSeparator(); - - String actual = repoinitExtension.getText(); - assertEquals(expected, actual); - } @Test diff --git a/src/test/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandlerTest.java b/src/test/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandlerTest.java index c70d39d..421f627 100644 --- a/src/test/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandlerTest.java +++ b/src/test/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandlerTest.java @@ -221,7 +221,7 @@ public final class RepPolicyEntryHandlerTest { assertTrue(result.getExcludedAcls().isEmpty()); } - @Test + @Test(expected = IllegalStateException.class) public void policyAtGroupNode() throws Exception { SystemUser s1 = new SystemUser("service1", new RepoPath("/home/users/system/services/random1"), new RepoPath("/home/users/system/services")); Group gr = new Group("testgroup", new RepoPath("/home/groups/g/HjDnfdMCjekaF4jhhUvO"), new RepoPath("/home/groups/g")); @@ -230,21 +230,7 @@ public final class RepPolicyEntryHandlerTest { aclManager.addSystemUser(s1); aclManager.addGroup(gr); - ParseResult result = parseAndSetRepoInit("/jcr_root/home/groups/g/HjDnfdMCjekaF4jhhUvO/_rep_policy.xml", aclManager); - Extension repoinitExtension = result.getRepoinitExtension(); - - String expected = - "create service user service1 with path /home/users/system/services" + System.lineSeparator() + - "create group testgroup with path /home/groups/g" + System.lineSeparator() + - "set ACL for service1" + System.lineSeparator() + - "allow jcr:read on home(testgroup)" + System.lineSeparator() + - "end" + System.lineSeparator(); - assertEquals(expected, repoinitExtension.getText()); - - String expectedExclusions = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><jcr:root xmlns:jcr=\"http://www.jcp.org/jcr/1.0\"; xmlns:rep=\"internal\" jcr:primaryType=\"rep:ACL\">\n" + - " <allow1 jcr:primaryType=\"rep:GrantACE\" rep:principalName=\"testgroup\" rep:privileges=\"{Name}[jcr:read]\"/>\n" + - "</jcr:root>\n"; - assertEquals(expectedExclusions, result.getExcludedAcls()); + parseAndSetRepoInit("/jcr_root/home/groups/g/HjDnfdMCjekaF4jhhUvO/_rep_policy.xml", aclManager); } @Test(expected = IllegalStateException.class)
