This is an automated email from the ASF dual-hosted git repository. kwin pushed a commit to branch bugfix/revert-SLING-9449 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-repoinit.git
commit 1ab45558af630cdb6845c331c994e6650589ebcd Author: Konrad Windszus <[email protected]> AuthorDate: Thu Apr 8 13:47:00 2021 +0200 SLING-10281 revert SLING-9449 make repoinit throw exceptions in case principal acls can not be applied --- src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java | 5 +---- .../java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java | 7 +++++-- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java b/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java
index cde2e34..6b68c21 100644
--- a/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java
+++ b/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java
@@ -221,10 +221,7 @@ public class AclUtil {
 // no PrincipalAccessControlList available: don't fail if an equivalent path-based entry with the same definition exists
 // or if there exists no node at the effective path (unable to evaluate path-based entries).
 LOG.info("No PrincipalAccessControlList available for principal {}", principal);
- if (!containsEquivalentEntry(session, effectivePath, principal, privileges, true, line.getRestrictions())) {
- LOG.warn("No equivalent path-based entry exists for principal {} and effective path {} ", principal.getName(), effectivePath);
- return;
- }
+ checkState(containsEquivalentEntry(session, effectivePath, principal, privileges, true, line.getRestrictions()), "No PrincipalAccessControlList available for principal '" + principal + "'.");
 } else {
 final LocalRestrictions restrictions = createLocalRestrictions(line.getRestrictions(), acl, session);
 final boolean added = acl.addEntry(effectivePath, privileges, restrictions.getRestrictions(), restrictions.getMVRestrictions());
diff --git a/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java b/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java
index b0a9a84..68af580 100644
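Review bot: The message passed to `checkState` on the added line omits the effective path and does not say that the equivalent path-based entry was missing, both of which the removed `LOG.warn` reported; now that this condition aborts repoinit, whoever reads the failure needs them to locate the offending statement. Consider `"No PrincipalAccessControlList available for principal '" + principal.getName() + "' and no equivalent path-based entry at '" + effectivePath + "'."` as the message. The added line also concatenates `principal` through `toString()` where the old warning used `principal.getName()`. The enclosing method starts and ends outside the hunk and `checkState` itself is not shown, so the exception type it throws is assumed here rather than visible.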
--- a/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java
+++ b/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java
@@ -456,11 +456,12 @@ public class PrincipalBasedAclTest { assertEquals(2, pacl.size()); } - @Test + @Test(expected = RuntimeException.class) public void principalAclNotAvailable() throws Exception { try { // create service user outside of supported tree for principal-based access control U.parseAndExecute("create service user otherSystemPrincipal"); + // principal-based ac-setup must fail as service user is not located below supported path String setup = "set principal ACL for otherSystemPrincipal \n" + "allow jcr:read on " + path + "\n" + "end";
@@ -470,7 +471,7 @@ public class PrincipalBasedAclTest { } } - @Test + @Test(expected = RuntimeException.class) public void principalAclNotAvailableRestrictionMismatch() throws Exception { JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) adminSession.getAccessControlManager(); try {
@@ -485,6 +486,8 @@ public class PrincipalBasedAclTest { Principal principal = adminSession.getUserManager().getAuthorizable("otherSystemPrincipal").getPrincipal(); assertTrue(acMgr.hasPrivileges(path, Collections.singleton(principal), AccessControlUtils.privilegesFromNames(adminSession, Privilege.JCR_READ))); + // setting up principal-acl will not succeed (principal not located below supported path) + // since effective entry doesn't match the restriction -> setup must fail setup = "set principal ACL for otherSystemPrincipal \n" + "allow jcr:read on " + path + " restriction(rep:glob,*mismatch)\n" + "end";
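Review bot: `@Test(expected = RuntimeException.class)` on `principalAclNotAvailable`, and again on `principalAclNotAvailableRestrictionMismatch` in the following hunk, is satisfied by any unchecked exception thrown anywhere in the method, not only by the principal-ACL setup being rejected. In the second test, for instance, a `NullPointerException` from `getAuthorizable("otherSystemPrincipal").getPrincipal()` would make the test pass without the access-control path ever being exercised. It would be tighter to keep plain `@Test` and assert the failure only around the statement that executes `setup`, with a `fail(...)` directly after it and a catch for the specific exception type that `checkState` throws. Both method bodies continue outside the hunks shown, so the executing statement itself is not visible here.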
