Author: angela
Date: Tue Jul 30 14:28:40 2013
New Revision: 1508464
URL: http://svn.apache.org/r1508464
Log:
OAK-64 : Privilege Management
- javadoc
- tests
- fixing leftover of Tree#getChild returning null -> changed to test for
existence
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeUtil.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java?rev=1508464&r1=1508463&r2=1508464&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReader.java
Tue Jul 30 14:28:40 2013
@@ -21,7 +21,6 @@ import java.util.Map;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
@@ -76,7 +75,7 @@ class PrivilegeDefinitionReader implemen
}
}
- private static boolean isPrivilegeDefinition(@Nullable Tree tree) {
- return tree != null &&
NT_REP_PRIVILEGE.equals(TreeUtil.getPrimaryTypeName(tree));
+ private static boolean isPrivilegeDefinition(@Nonnull Tree tree) {
+ return tree.exists() &&
NT_REP_PRIVILEGE.equals(TreeUtil.getPrimaryTypeName(tree));
}
}
\ No newline at end of file
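Review bot: `isPrivilegeDefinition` now dereferences its argument directly in `tree.exists()`, so the `@Nonnull` annotation is the only thing between a stray null and a NullPointerException in the privilege reader. The callers are outside this hunk, so it cannot be confirmed here that each of them obtains the tree from an API that returns a non-existing `Tree` rather than null, which is what the commit log implies for `Tree#getChild`. A short comment above the method would record that contract, for example `// callers pass the result of Tree#getChild, which is never null; a missing definition is a non-existing tree`.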
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java?rev=1508464&r1=1508463&r2=1508464&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java
Tue Jul 30 14:28:40 2013
@@ -194,7 +194,6 @@ class PrivilegeManagerImpl implements Pr
for (Privilege decl : getDeclaredAggregatePrivileges()) {
aggr.add(decl);
if (decl.isAggregate()) {
- // TODO: defensive check to prevent circular aggregation
that might occur with inconsistent repositories
aggr.addAll(Arrays.asList(decl.getAggregatePrivileges()));
}
}
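Review bot: The loop that expands declared aggregates still calls `decl.getAggregatePrivileges()` on every aggregate with no cycle guard, and this hunk removes the TODO that recorded that gap. If circular aggregation is now rejected elsewhere (for example when definitions are registered or validated), that is not visible in this commit; if it is not, an inconsistent repository could presumably make this expansion recurse without bound. Either keep the marker or replace it with a comment naming where cycles are rejected, e.g. `// circular aggregation is rejected on registration, see <validator class>`. The enclosing method starts and ends outside the hunk.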
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java?rev=1508464&r1=1508463&r2=1508464&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
Tue Jul 30 14:28:40 2013
@@ -32,7 +32,7 @@ import org.apache.jackrabbit.oak.spi.sec
import static com.google.common.base.Preconditions.checkArgument;
/**
- * {@code PrivilegeBits} TODO
+ * Internal representation of JCR privileges.
*/
public final class PrivilegeBits implements PrivilegeConstants {
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeUtil.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeUtil.java?rev=1508464&r1=1508463&r2=1508464&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeUtil.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeUtil.java
Tue Jul 30 14:28:40 2013
@@ -23,7 +23,7 @@ import org.apache.jackrabbit.oak.api.Tre
import org.apache.jackrabbit.oak.util.TreeUtil;
/**
- * PrivilegeUtil... TODO
+ * Privilege management related utility methods.
*/
public final class PrivilegeUtil implements PrivilegeConstants {
@@ -41,8 +41,12 @@ public final class PrivilegeUtil impleme
}
/**
- * @param definitionTree
- * @return
+ * Reads the privilege definition stored in the specified definition tree.
+ * Note, that this utility does not check the existence nor the node type
+ * of the specified tree.
+ *
+ * @param definitionTree An existing tree storing a privilege definition.
+ * @return A new instance of {@code PrivilegeDefinition}.
*/
@Nonnull
public static PrivilegeDefinition readDefinition(@Nonnull Tree
definitionTree) {
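Review bot: The new Javadoc on `readDefinition` says the tree's existence and node type are not checked, but it does not say what a caller gets back when that precondition is violated. Because this is a public static helper, a caller that skips the check could turn arbitrary content into a `PrivilegeDefinition`; the method body is outside the hunk, so the actual outcome cannot be read off here. I would add a sentence such as `Callers must verify that the tree exists and has primary type {@code NT_REP_PRIVILEGE} before calling this method.` and state the result for a non-existing tree.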
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java?rev=1508464&r1=1508463&r2=1508464&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionReaderTest.java
Tue Jul 30 14:28:40 2013
@@ -16,17 +16,40 @@
*/
package org.apache.jackrabbit.oak.security.privilege;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.Oak;
+import org.apache.jackrabbit.oak.api.ContentRepository;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.spi.security.OpenSecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.junit.Test;
-public class PrivilegeDefinitionReaderTest {
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+
+public class PrivilegeDefinitionReaderTest extends AbstractSecurityTest
implements PrivilegeConstants {
+
+ @Test
+ public void testReadNonExisting() throws Exception {
+ PrivilegeDefinitionReader reader = new PrivilegeDefinitionReader(root);
+ assertNull(reader.readDefinition("nonexisting"));
+ }
@Test
- public void testReadDefinition() {
- // TODO
+ public void testReadDefinition() throws Exception {
+ PrivilegeDefinitionReader reader = new PrivilegeDefinitionReader(root);
+ assertNotNull(reader.readDefinition(JCR_READ));
}
@Test
- public void testReadDefinitions() {
- // TODO
+ public void testMissingPermissionRoot() throws Exception {
+ ContentRepository repo = new Oak().with(new
OpenSecurityProvider()).createContentRepository();
+ Root tmpRoot = repo.login(null, null).getLatestRoot();
+ try {
+ PrivilegeDefinitionReader reader = new
PrivilegeDefinitionReader(tmpRoot);
+ assertNull(reader.readDefinition(JCR_READ));
+ } finally {
+ tmpRoot.getContentSession().close();
+ }
}
}
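Review bot: `testReadDefinition` only asserts that the result for `JCR_READ` is non-null, so a reader that returned a definition with the wrong name, abstract flag or aggregates would still pass. The `testReadDefinitions` stub is replaced rather than implemented, which, as far as this hunk shows, leaves the bulk read path without a test in this class. The third test is named `testMissingPermissionRoot` although what is absent appears to be the privilege root; the writer test in this commit calls the same scenario `testMissingPrivilegeRoot`, so I would rename it to `public void testMissingPrivilegeRoot() throws Exception {`.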
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java?rev=1508464&r1=1508463&r2=1508464&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriterTest.java
Tue Jul 30 14:28:40 2013
@@ -16,12 +16,74 @@
*/
package org.apache.jackrabbit.oak.security.privilege;
+import java.util.Collections;
+import javax.jcr.RepositoryException;
+
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.Oak;
+import org.apache.jackrabbit.oak.api.ContentRepository;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.OpenSecurityProvider;
+import
org.apache.jackrabbit.oak.spi.security.privilege.ImmutablePrivilegeDefinition;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.util.TreeUtil;
+import org.junit.After;
import org.junit.Test;
-public class PrivilegeDefinitionWriterTest {
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class PrivilegeDefinitionWriterTest extends AbstractSecurityTest
implements PrivilegeConstants {
+
+ @After
+ @Override
+ public void after() throws Exception {
+ try {
+ root.refresh();
+ } finally {
+ super.after();
+ }
+ }
+
+ @Test
+ public void testNameCollision() {
+ try {
+ PrivilegeDefinitionWriter writer = new
PrivilegeDefinitionWriter(root);
+ writer.writeDefinition(new ImmutablePrivilegeDefinition(JCR_READ,
true, Collections.<String>emptySet()));
+ fail("name collision");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testMissingPrivilegeRoot() throws Exception {
+ ContentRepository repo = new Oak().with(new
OpenSecurityProvider()).createContentRepository();
+ Root tmpRoot = repo.login(null, null).getLatestRoot();
+ try {
+ PrivilegeDefinitionWriter writer = new
PrivilegeDefinitionWriter(tmpRoot);
+ writer.writeDefinition(new ImmutablePrivilegeDefinition("newName",
true, Collections.<String>emptySet()));
+ fail("missing privilege root");
+ } catch (RepositoryException e) {
+ // success
+ } finally {
+ tmpRoot.getContentSession().close();
+ }
+ }
@Test
- public void testWriteDefinition() {
- // TODO
+ public void testWriteDefinition() throws Exception {
+ PrivilegeDefinitionWriter writer = new PrivilegeDefinitionWriter(root);
+ writer.writeDefinition(new ImmutablePrivilegeDefinition("tmp", true,
JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL));
+
+ Tree privRoot = root.getTree(PRIVILEGES_PATH);
+ assertTrue(privRoot.hasChild("tmp"));
+
+ Tree tmpTree = privRoot.getChild("tmp");
+ assertTrue(TreeUtil.getBoolean(tmpTree, REP_IS_ABSTRACT));
+ assertArrayEquals(new String[] {JCR_READ_ACCESS_CONTROL,
JCR_MODIFY_ACCESS_CONTROL},
+ TreeUtil.getStrings(tmpTree, REP_AGGREGATES));
}
}
\ No newline at end of file
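Review bot: Both negative tests, `testNameCollision` and `testMissingPrivilegeRoot`, catch any `RepositoryException` and treat it as success, so an unrelated repository failure would pass them just as well as the rejection they are meant to prove. The empty `// success` blocks should at least name the expected failure, e.g. `// expected: a definition named JCR_READ is already registered`, and ideally assert on something that distinguishes it. Separately, `assertArrayEquals` in `testWriteDefinition` is order-sensitive; if the definition keeps its aggregate names in an unordered set (the other tests pass it a `Set<String>`), comparing the stored names as a set would be more robust.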
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java?rev=1508464&r1=1508463&r2=1508464&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java
Tue Jul 30 14:28:40 2013
@@ -17,8 +17,12 @@
package org.apache.jackrabbit.oak.spi.security.privilege;
import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
@@ -31,7 +35,7 @@ import static org.junit.Assert.assertSam
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
-public class PrivilegeBitsTest implements PrivilegeConstants {
+public class PrivilegeBitsTest extends AbstractSecurityTest implements
PrivilegeConstants {
private static final long NO_PRIVILEGE = 0;
private static final PrivilegeBits READ_NODES_PRIVILEGE_BITS =
PrivilegeBits.BUILT_IN.get(REP_READ_NODES);
@@ -537,11 +541,67 @@ public class PrivilegeBitsTest implement
@Test
public void testGetInstanceFromTree() {
- // TODO
+ Tree privRoot = root.getTree(PRIVILEGES_PATH);
+ try {
+ Tree tmp = privRoot.addChild("tmpPrivilege");
+ PrivilegeBits tmpBits =
PrivilegeBits.getInstance(privRoot.getProperty(REP_NEXT));
+ tmpBits.writeTo(tmp);
+
+ Map<Tree, PrivilegeBits> treeToBits = new HashMap<Tree,
PrivilegeBits>();
+ treeToBits.put(privRoot.getChild(JCR_READ),
PrivilegeBits.BUILT_IN.get(JCR_READ));
+ treeToBits.put(tmp, tmpBits);
+ treeToBits.put(privRoot, tmpBits);
+
+ for (Tree tree : treeToBits.keySet()) {
+ assertEquals(treeToBits.get(tree),
PrivilegeBits.getInstance(tree));
+ }
+ } finally {
+ root.refresh();
+ }
}
@Test
public void testCalculatePermissions() {
- // TODO
+ PrivilegeBitsProvider provider = new PrivilegeBitsProvider(root);
+
+ Map<PrivilegeBits, Long> simple = new HashMap<PrivilegeBits, Long>();
+ simple.put(PrivilegeBits.EMPTY, Permissions.NO_PERMISSION);
+ simple.put(provider.getBits(JCR_READ), Permissions.READ);
+ simple.put(provider.getBits(JCR_LOCK_MANAGEMENT),
Permissions.LOCK_MANAGEMENT);
+ simple.put(provider.getBits(JCR_VERSION_MANAGEMENT),
Permissions.VERSION_MANAGEMENT);
+ simple.put(provider.getBits(JCR_READ_ACCESS_CONTROL),
Permissions.READ_ACCESS_CONTROL);
+ simple.put(provider.getBits(JCR_MODIFY_ACCESS_CONTROL),
Permissions.MODIFY_ACCESS_CONTROL);
+ simple.put(provider.getBits(REP_READ_NODES), Permissions.READ_NODE);
+ simple.put(provider.getBits(REP_READ_PROPERTIES),
Permissions.READ_PROPERTY);
+ simple.put(provider.getBits(REP_USER_MANAGEMENT),
Permissions.USER_MANAGEMENT);
+ for (PrivilegeBits pb : simple.keySet()) {
+ long expected = simple.get(pb).longValue();
+ assertTrue(expected == PrivilegeBits.calculatePermissions(pb,
PrivilegeBits.EMPTY, true));
+ }
+
+ // jcr:add aggregate
+ PrivilegeBits all = provider.getBits(JCR_ALL);
+ assertFalse(Permissions.ALL == PrivilegeBits.calculatePermissions(all,
PrivilegeBits.EMPTY, true));
+ assertTrue(Permissions.ALL == PrivilegeBits.calculatePermissions(all,
all, true));
+
+ // parent aware permissions
+ // a) jcr:addChildNodes
+ PrivilegeBits addChild = provider.getBits(JCR_ADD_CHILD_NODES);
+ assertFalse(Permissions.ADD_NODE ==
PrivilegeBits.calculatePermissions(addChild, PrivilegeBits.EMPTY, true));
+ assertTrue(Permissions.ADD_NODE ==
PrivilegeBits.calculatePermissions(PrivilegeBits.EMPTY, addChild, true));
+
+ // b) jcr:removeChildNodes and jcr:removeNode
+ PrivilegeBits removeChild = provider.getBits(JCR_REMOVE_CHILD_NODES);
+ assertFalse(Permissions.REMOVE_NODE ==
PrivilegeBits.calculatePermissions(removeChild, PrivilegeBits.EMPTY, true));
+ assertFalse(Permissions.REMOVE_NODE ==
PrivilegeBits.calculatePermissions(PrivilegeBits.EMPTY, removeChild, true));
+
+ PrivilegeBits removeNode = provider.getBits(JCR_REMOVE_NODE);
+ assertFalse(Permissions.REMOVE_NODE ==
PrivilegeBits.calculatePermissions(removeNode, PrivilegeBits.EMPTY, true));
+ assertFalse(Permissions.REMOVE_NODE ==
PrivilegeBits.calculatePermissions(PrivilegeBits.EMPTY, removeNode, true));
+
+ PrivilegeBits remove = provider.getBits(JCR_REMOVE_CHILD_NODES,
JCR_REMOVE_NODE);
+ assertFalse(Permissions.REMOVE_NODE ==
PrivilegeBits.calculatePermissions(remove, PrivilegeBits.EMPTY, true));
+ assertFalse(Permissions.REMOVE_NODE ==
PrivilegeBits.calculatePermissions(PrivilegeBits.EMPTY, remove, true));
+ assertTrue(Permissions.REMOVE_NODE ==
PrivilegeBits.calculatePermissions(remove, remove, true));
}
}
\ No newline at end of file
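Review bot: The permission checks in `testCalculatePermissions` are written as `assertTrue(expected == …)`, which reports only a bare failure and hides the computed permission value; `assertEquals(expected, PrivilegeBits.calculatePermissions(pb, PrivilegeBits.EMPTY, true));` would print both sides. The comment `// jcr:add aggregate` looks like a typo for `// jcr:all aggregate`, since the lines under it use `JCR_ALL`. In both tests the loops iterate `keySet()` and then call `get(...)` on the same map; iterating `entrySet()` is the usual form.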