Author: angela
Date: Tue Feb 18 16:21:09 2014
New Revision: 1569408
URL: http://svn.apache.org/r1569408
Log:
OAK-1175 : Security Concerns wrt Index Definitions
Added:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/IndexManagementTest.java
(with props)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
Tue Feb 18 16:21:09 2014
@@ -24,6 +24,7 @@ import org.apache.jackrabbit.JcrConstant
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.index.IndexConstants;
import org.apache.jackrabbit.oak.plugins.tree.ImmutableTree;
import org.apache.jackrabbit.oak.plugins.lock.LockConstants;
import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate;
@@ -252,6 +253,8 @@ class PermissionValidator extends Defaul
} else if (provider.getUserContext().definesTree(tree)
&&
!provider.requiresJr2Permissions(Permissions.USER_MANAGEMENT)) {
perm = Permissions.USER_MANAGEMENT;
+ } else if (isIndexDefinition(tree)) {
+ perm = Permissions.INDEX_DEFINITION_MANAGEMENT;
} else {
perm = defaultPermission;
}
@@ -297,6 +300,8 @@ class PermissionValidator extends Defaul
} else if (provider.getUserContext().definesProperty(parent,
propertyState)
&&
!provider.requiresJr2Permissions(Permissions.USER_MANAGEMENT)) {
perm = Permissions.USER_MANAGEMENT;
+ } else if (isIndexDefinition(parent)) {
+ perm = Permissions.INDEX_DEFINITION_MANAGEMENT;
} else {
perm = defaultPermission;
}
@@ -345,4 +350,8 @@ class PermissionValidator extends Defaul
}
return (ImmutableTree) versionHistory;
}
+
+ private boolean isIndexDefinition(@Nonnull Tree tree) {
+ return tree.getPath().contains(IndexConstants.INDEX_DEFINITIONS_NAME);
+ }
}
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java
Tue Feb 18 16:21:09 2014
@@ -16,18 +16,14 @@
*/
package org.apache.jackrabbit.oak.security.privilege;
-import static java.util.Arrays.asList;
-
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
-
import javax.annotation.Nonnull;
import javax.jcr.RepositoryException;
import com.google.common.collect.ImmutableMap;
-
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
@@ -38,6 +34,8 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
import org.apache.jackrabbit.oak.util.NodeUtil;
+import static java.util.Arrays.asList;
+
/**
* PrivilegeDefinitionWriter is responsible for writing privilege definitions
* to the repository without applying any validation checks.
@@ -54,7 +52,7 @@ class PrivilegeDefinitionWriter implemen
JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL,
JCR_NODE_TYPE_MANAGEMENT,
JCR_VERSION_MANAGEMENT, JCR_LOCK_MANAGEMENT,
JCR_LIFECYCLE_MANAGEMENT,
JCR_RETENTION_MANAGEMENT, JCR_WORKSPACE_MANAGEMENT,
JCR_NODE_TYPE_DEFINITION_MANAGEMENT,
- JCR_NAMESPACE_MANAGEMENT, REP_PRIVILEGE_MANAGEMENT,
REP_USER_MANAGEMENT};
+ JCR_NAMESPACE_MANAGEMENT, REP_PRIVILEGE_MANAGEMENT,
REP_USER_MANAGEMENT, REP_INDEX_DEFINITION_MANAGEMENT};
/**
* The internal names and aggregation definition of all built-in privileges
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
Tue Feb 18 16:21:09 2014
@@ -99,6 +99,10 @@ public final class Permissions {
* @since OAK 1.0
*/
public static final long USER_MANAGEMENT = PRIVILEGE_MANAGEMENT << 1;
+ /**
+ * @since OAK 1.0
+ */
+ public static final long INDEX_DEFINITION_MANAGEMENT = USER_MANAGEMENT <<
1;
public static final long READ = READ_NODE | READ_PROPERTY;
@@ -124,6 +128,7 @@ public final class Permissions {
| WORKSPACE_MANAGEMENT
| PRIVILEGE_MANAGEMENT
| USER_MANAGEMENT
+ | INDEX_DEFINITION_MANAGEMENT
);
public static final Map<Long, String> PERMISSION_NAMES = new
LinkedHashMap<Long, String>();
@@ -152,6 +157,7 @@ public final class Permissions {
PERMISSION_NAMES.put(WORKSPACE_MANAGEMENT, "WORKSPACE_MANAGEMENT");
PERMISSION_NAMES.put(PRIVILEGE_MANAGEMENT, "PRIVILEGE_MANAGEMENT");
PERMISSION_NAMES.put(USER_MANAGEMENT, "USER_MANAGEMENT");
+ PERMISSION_NAMES.put(INDEX_DEFINITION_MANAGEMENT,
"INDEX_DEFINITION_MANAGEMENT");
}
/**
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
Tue Feb 18 16:21:09 2014
@@ -57,6 +57,7 @@ public final class PrivilegeBits impleme
private static final long NAMESPACE_MNGMT = NODE_TYPE_DEF_MNGMT << 1;
private static final long PRIVILEGE_MNGMT = NAMESPACE_MNGMT << 1;
private static final long USER_MNGMT = PRIVILEGE_MNGMT << 1;
+ private static final long INDEX_DEFINITION_MNGMT = USER_MNGMT << 1;
private static final long READ = READ_NODES | READ_PROPERTIES;
private static final long MODIFY_PROPERTIES = ADD_PROPERTIES |
ALTER_PROPERTIES | REMOVE_PROPERTIES;
@@ -87,6 +88,7 @@ public final class PrivilegeBits impleme
BUILT_IN.put(JCR_NAMESPACE_MANAGEMENT, getInstance(NAMESPACE_MNGMT));
BUILT_IN.put(REP_PRIVILEGE_MANAGEMENT, getInstance(PRIVILEGE_MNGMT));
BUILT_IN.put(REP_USER_MANAGEMENT, getInstance(USER_MNGMT));
+ BUILT_IN.put(REP_INDEX_DEFINITION_MANAGEMENT,
getInstance(INDEX_DEFINITION_MNGMT));
BUILT_IN.put(JCR_READ, PrivilegeBits.getInstance(READ));
BUILT_IN.put(JCR_MODIFY_PROPERTIES,
PrivilegeBits.getInstance(MODIFY_PROPERTIES));
@@ -95,7 +97,7 @@ public final class PrivilegeBits impleme
}
public static PrivilegeBits NEXT_AFTER_BUILT_INS =
- getInstance(USER_MNGMT).nextBits();
+ getInstance(INDEX_DEFINITION_MNGMT).nextBits();
private final Data d;
@@ -315,6 +317,9 @@ public final class PrivilegeBits impleme
if ((privs & USER_MNGMT) == USER_MNGMT) {
perm |= Permissions.USER_MANAGEMENT;
}
+ if ((privs & INDEX_DEFINITION_MNGMT) == INDEX_DEFINITION_MNGMT) {
+ perm |= Permissions.INDEX_DEFINITION_MANAGEMENT;
+ }
return perm;
}
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.java
Tue Feb 18 16:21:09 2014
@@ -216,4 +216,11 @@ public interface PrivilegeConstants {
* @since OAK 1.0
*/
String REP_REMOVE_PROPERTIES = "rep:removeProperties";
+
+ /**
+ * Internal (oak) name of the rep:indexDefinitionManagement privilege
+ *
+ * @since OAK 1.0
+ */
+ String REP_INDEX_DEFINITION_MANAGEMENT = "rep:indexDefinitionManagement";
}
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java
Tue Feb 18 16:21:09 2014
@@ -560,6 +560,7 @@ public class PrivilegeBitsTest extends A
simple.put(provider.getBits(REP_ADD_PROPERTIES),
Permissions.ADD_PROPERTY);
simple.put(provider.getBits(REP_ALTER_PROPERTIES),
Permissions.MODIFY_PROPERTY);
simple.put(provider.getBits(REP_REMOVE_PROPERTIES),
Permissions.REMOVE_PROPERTY);
+ simple.put(provider.getBits(REP_INDEX_DEFINITION_MANAGEMENT),
Permissions.INDEX_DEFINITION_MANAGEMENT);
for (PrivilegeBits pb : simple.keySet()) {
long expected = simple.get(pb).longValue();
assertTrue(expected == PrivilegeBits.calculatePermissions(pb,
PrivilegeBits.EMPTY, true));
Added:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/IndexManagementTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/IndexManagementTest.java?rev=1569408&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/IndexManagementTest.java
(added)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/IndexManagementTest.java
Tue Feb 18 16:21:09 2014
@@ -0,0 +1,240 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.Node;
+import javax.jcr.RepositoryException;
+
+import org.apache.jackrabbit.JcrConstants;
+import
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.plugins.index.IndexConstants;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+
+public class IndexManagementTest extends AbstractEvaluationTest {
+
+ public void testDefaultSetup() throws RepositoryException {
+ assertFalse(testSession.hasPermission(path,
Permissions.getString(Permissions.INDEX_DEFINITION_MANAGEMENT)));
+ }
+
+ public void testAddOakIndexDefinition() throws Exception {
+ allow(path,
privilegesFromName(PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT));
+
+ Node n = testSession.getNode(path);
+ n.addNode(IndexConstants.INDEX_DEFINITIONS_NAME);
+ testSession.save();
+ }
+
+ public void testAddOakIndexWithoutPermission() throws Exception {
+ allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+
+ Node n = testSession.getNode(path);
+ try {
+ n.addNode(IndexConstants.INDEX_DEFINITIONS_NAME);
+ testSession.save();
+ fail("AccessDeniedException expected. Test session is not allowed
to add oak:index node.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ public void testAddIndexDefinition() throws Exception {
+ superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME);
+ superuser.save();
+
+ allow(path, privilegesFromNames(new
String[]{PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT,
PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT}));
+ Node n =
testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ n.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ testSession.save();
+ }
+
+ public void testAddIndexDefinitionWithoutPermission() throws Exception {
+ superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME);
+ superuser.save();
+
+ allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+ try {
+ Node n =
testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ n.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ testSession.save();
+ fail("AccessDeniedException expected. Test session is not allowed
to add index definition node.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ public void testModifyIndexDefinition() throws Exception {
+ Node indexDef =
superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ superuser.save();
+
+ allow(path,
privilegesFromName(PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT));
+ Node n =
testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+ n.setProperty("someProperty", "val");
+ testSession.save();
+ }
+
+ public void testModifyIndexDefinitionWithoutPermission() throws Exception {
+ Node indexDef =
superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ superuser.save();
+
+ allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+ try {
+ Node n =
testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+ n.setProperty("someProperty", "val");
+ testSession.save();
+ fail("AccessDeniedException expected. Test session is not allowed
to add index definition property.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ public void testModifyIndexDefinitionWithoutPermission2() throws Exception
{
+ Node indexDef =
superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ superuser.save();
+
+ allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+ try {
+ Node n =
testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+ n.addNode("customNode");
+ testSession.save();
+ fail("AccessDeniedException expected. Test session is not allowed
to add index definition node.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ public void testModifyIndexDefinitionWithoutPermission3() throws Exception
{
+ Node indexDef =
superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ indexDef.setProperty("customProp", "val");
+ superuser.save();
+
+ allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+ try {
+ Node n =
testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+ n.getProperty("customProp").setValue("val2");
+ testSession.save();
+ fail("AccessDeniedException expected. Test session is not allowed
to modify index definition property.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ public void testModifyIndexDefinitionWithoutPermission4() throws Exception
{
+ Node indexDef =
superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ indexDef.setProperty("customProp", "val");
+ superuser.save();
+
+ allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+ try {
+ Node n =
testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+ n.getProperty("customProp").remove();
+ testSession.save();
+ fail("AccessDeniedException expected. Test session is not allowed
to remove index definition property.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ public void testRemoveIndexDefinition() throws Exception {
+ Node indexDef =
superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ superuser.save();
+
+ allow(path,
privilegesFromName(PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT));
+ Node n =
testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+ n.remove();
+ testSession.save();
+ }
+
+ public void testRemoveIndexDefinitionWithoutPermission() throws Exception {
+ Node indexDef =
superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ superuser.save();
+
+ allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+ try {
+ Node n =
testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+ n.remove();
+ testSession.save();
+ fail("AccessDeniedException expected. Test session is not allowed
to remove index definition node.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ public void testRemoveOakIndex() throws Exception {
+ Node indexDef =
superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ superuser.save();
+
+ allow(path,
privilegesFromName(PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT));
+ Node n =
testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME);
+ n.remove();
+ testSession.save();
+ }
+
+ public void testRemoveOakIndexWithoutPermission() throws Exception {
+ Node indexDef =
superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ superuser.save();
+
+ allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+ try {
+ Node n =
testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME);
+ n.remove();
+ testSession.save();
+ fail("AccessDeniedException expected. Test session is not allowed
to remove oak:index.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ public void testAddAccessControlToIndexDefinition() throws Exception {
+ allow(path, privilegesFromNames(new String[]
{PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT,
PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT}));
+
+ try {
+ Node n =
testSession.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ n.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ AccessControlUtils.addAccessControlEntry(testSession, n.getPath(),
testUser.getPrincipal(), new String[] {PrivilegeConstants.JCR_ALL}, true);
+ testSession.save();
+ fail("Missing rep:modifyAccessControl privilege");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ public void testVersionableIndexDefinition() throws Exception {
+ allow(path, privilegesFromNames(new String[]
{PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT,
PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT}));
+
+ try {
+ Node n =
testSession.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+ n.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+ n.addMixin(JcrConstants.MIX_VERSIONABLE);
+ testSession.save();
+ fail("Missing rep:versionManagement privilege");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+}
Propchange:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/IndexManagementTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java
Tue Feb 18 16:21:09 2014
@@ -24,22 +24,21 @@ import javax.jcr.security.AccessControlP
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitWorkspace;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.test.NotExecutableException;
import org.junit.Test;
/**
- * Permission evaluation tests related to {@link #REP_PRIVILEGE_MANAGEMENT}
privilege.
+ * Permission evaluation tests related to {@link
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants#REP_PRIVILEGE_MANAGEMENT}
privilege.
*/
public class PrivilegeManagementTest extends AbstractEvaluationTest {
- private static final String REP_PRIVILEGE_MANAGEMENT =
"rep:privilegeManagement";
-
@Override
protected void setUp() throws Exception {
super.setUp();
// test user must not be allowed
- assertHasRepoPrivilege(REP_PRIVILEGE_MANAGEMENT, false);
+ assertHasRepoPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT,
false);
}
@Override
@@ -85,21 +84,21 @@ public class PrivilegeManagementTest ext
@Test
public void testModifyPrivilegeMgtPrivilege() throws Exception {
- modify(null, REP_PRIVILEGE_MANAGEMENT, true);
- assertHasRepoPrivilege(REP_PRIVILEGE_MANAGEMENT, true);
+ modify(null, PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT, true);
+ assertHasRepoPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT,
true);
- modify(null, REP_PRIVILEGE_MANAGEMENT, false);
- assertHasRepoPrivilege(REP_PRIVILEGE_MANAGEMENT, false);
+ modify(null, PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT, false);
+ assertHasRepoPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT,
false);
}
@Test
public void testRegisterPrivilegeWithPrivilege() throws Exception {
- modify(null, REP_PRIVILEGE_MANAGEMENT, true);
+ modify(null, PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT, true);
try {
Workspace testWsp = testSession.getWorkspace();
((JackrabbitWorkspace)
testWsp).getPrivilegeManager().registerPrivilege(getNewPrivilegeName(testWsp),
false, new String[0]);
} finally {
- modify(null, REP_PRIVILEGE_MANAGEMENT, false);
+ modify(null, PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT, false);
}
}
}
\ No newline at end of file
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerTest.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerTest.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerTest.java
Tue Feb 18 16:21:09 2014
@@ -116,6 +116,7 @@ public class PrivilegeManagerTest extend
assertTrue(aggr.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_WORKSPACE_MANAGEMENT)));
assertTrue(aggr.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT)));
assertTrue(aggr.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_USER_MANAGEMENT)));
+
assertTrue(aggr.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT)));
// there may be no privileges left
assertTrue(aggr.isEmpty());
