Author: angela
Date: Tue Oct  7 12:53:02 2014
New Revision: 1629878

URL: http://svn.apache.org/r1629878
Log:
OAK-2158 : Fail for ACEs created for the admin principal

Modified:
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
    
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java

Modified: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1629878&r1=1629877&r2=1629878&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
 Tue Oct  7 12:53:02 2014
@@ -75,6 +75,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
 import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
@@ -564,6 +565,9 @@ public class AccessControlManagerImpl ex
         @Override
         void checkValidPrincipal(Principal principal) throws 
AccessControlException {
             Util.checkValidPrincipal(principal, principalManager, 
ImportBehavior.BESTEFFORT != Util.getImportBehavior(getConfig()));
+            if (principal instanceof AdminPrincipal) {
+                throw new AccessControlException("Attempt to create an ACE for 
the admin principal which always has full access.");
+            }
         }
 
         @Override
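Review bot: The new `instanceof AdminPrincipal` guard in `checkValidPrincipal` keys on the Java type only, so a principal that carries the admin name but arrives as a different class (for example a `PrincipalImpl`, which this file already imports) would presumably still be accepted. Whether that can happen depends on what callers and `principalManager` hand in, which the hunk does not show. The guard also has no comment explaining the rejection; I would add `// OAK-2158: admin always has full access, so an ACE (a deny in particular) would have no effect and mislead whoever reads the policy` above the `if`. The enclosing class starts outside the hunk, so any other `checkValidPrincipal` override in this file would need the same guard.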

Modified: 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java?rev=1629878&r1=1629877&r2=1629878&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
 Tue Oct  7 12:53:02 2014
@@ -71,6 +71,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.TestACL;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
 import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
@@ -1656,6 +1657,40 @@ public class AccessControlManagerImplTes
         assertEquals(1, policies.length);
     }
 
+    /**
+     * Test if the ACL code prevents the creation of ACEs for administrative
+     * principals which have full access anyway.
+     *
+     * @since Oak 1.1.1
+     * @see <a 
href="https://issues.apache.org/jira/browse/OAK-2158";>OAK-2158</a>
+     */
+    @Test
+    public void testAdminPrincipal() throws Exception {
+        ACL acl = getApplicablePolicy(testPath);
+        try {
+            acl.addAccessControlEntry(new AdminPrincipal() {
+                @Override
+                public String getName() {
+                    return "admin";
+                }
+            }, privilegesFromNames(PrivilegeConstants.JCR_READ));
+            fail("Adding an ACE for an admin principal should fail");
+        } catch (AccessControlException e) {
+            // success
+        }
+
+        try {
+            for (Principal p : adminSession.getAuthInfo().getPrincipals()) {
+                if (p instanceof AdminPrincipal) {
+                    acl.addAccessControlEntry(p, 
privilegesFromNames(PrivilegeConstants.JCR_READ));
+                    fail("Adding an ACE for an admin principal should fail");
+                }
+            }
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
     @Test
     public void testTestSessionGetPolicies() throws Exception {
         setupPolicy(testPath);
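Review bot: The second `try` block in `testAdminPrincipal` asserts nothing when `adminSession.getAuthInfo().getPrincipals()` contains no `AdminPrincipal`, so the test can pass without ever exercising the real admin principal. Because the `try` wraps the whole loop, the first `AccessControlException` also ends the iteration and any further admin principals go unchecked. Moving the try/catch inside the loop and asserting afterwards that at least one admin principal was seen closes both gaps. This assumes `assertTrue` is statically imported like `assertEquals` and `fail`, which the hunk does not show.

```java
// … unchanged: first try block with the anonymous AdminPrincipal …
boolean adminPrincipalSeen = false;
for (Principal p : adminSession.getAuthInfo().getPrincipals()) {
    if (p instanceof AdminPrincipal) {
        adminPrincipalSeen = true;
        try {
            acl.addAccessControlEntry(p, privilegesFromNames(PrivilegeConstants.JCR_READ));
            fail("Adding an ACE for an admin principal should fail");
        } catch (AccessControlException e) {
            // success
        }
    }
}
assertTrue("admin session exposes no AdminPrincipal", adminPrincipalSeen);
```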

