Author: angela
Date: Tue Feb 17 14:01:34 2015
New Revision: 1660382
URL: http://svn.apache.org/r1660382
Log:
OAK-2225 : MultipleMoveTest doesn't restore ACEs properly causing later tests
to fail
NA : Additional user management related test
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractEvaluationTest.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/MultipleMoveTest.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/UserManagementTest.java
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractEvaluationTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractEvaluationTest.java?rev=1660382&r1=1660381&r2=1660382&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractEvaluationTest.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractEvaluationTest.java
Tue Feb 17 14:01:34 2015
@@ -18,10 +18,10 @@ package org.apache.jackrabbit.oak.jcr.se
import java.security.Principal;
import java.util.Collections;
-import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
+import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.Credentials;
@@ -35,8 +35,10 @@ import javax.jcr.Value;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
+import com.google.common.collect.Maps;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Group;
@@ -48,7 +50,6 @@ import org.apache.jackrabbit.test.api.se
import org.junit.After;
import org.junit.Before;
-import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import static org.junit.Assert.assertArrayEquals;
@@ -81,7 +82,7 @@ public abstract class AbstractEvaluation
protected Session testSession;
protected AccessControlManager testAcMgr;
- private List<ACL> toRestore = Lists.newArrayList();
+ private Map<String, ACL> toRestore = Maps.newHashMap();
@Override
@Before
@@ -141,10 +142,8 @@ public abstract class AbstractEvaluation
}
superuser.refresh(false);
// restore in reverse order
- for (ACL acl : Lists.reverse(toRestore)) {
- if (acl.path == null || superuser.nodeExists(acl.path)) {
- restoreAces(acl);
- }
+ for (String path : toRestore.keySet()) {
+ toRestore.get(path).restore();
}
toRestore.clear();
if (testGroup != null) {
@@ -225,11 +224,18 @@ public abstract class AbstractEvaluation
}
protected JackrabbitAccessControlList modify(String path, Principal
principal, Privilege[] privileges, boolean isAllow, Map<String, Value>
restrictions) throws Exception {
+ return modify(path, principal, privileges, isAllow, restrictions,
Collections.<String, Value[]>emptyMap());
+ }
+
+ protected JackrabbitAccessControlList modify(String path, Principal
principal,
+ Privilege[] privileges,
boolean isAllow,
+ Map<String, Value>
restrictions,
+ Map<String, Value[]>
mvRestrictions) throws Exception {
// remember for restore during tearDown
- toRestore.add(getACL(path));
+ rememberForRestore(path);
JackrabbitAccessControlList tmpl =
AccessControlUtils.getAccessControlList(acMgr, path);
- tmpl.addEntry(principal, privileges, isAllow, restrictions);
+ tmpl.addEntry(principal, privileges, isAllow, restrictions,
mvRestrictions);
acMgr.setPolicy(tmpl.getPath(), tmpl);
superuser.save();
@@ -272,35 +278,56 @@ public abstract class AbstractEvaluation
return modify(nPath, principal, privileges, false, EMPTY_RESTRICTIONS);
}
- private ACL getACL(String path) throws RepositoryException {
- return new ACL(path,
AccessControlUtils.getAccessControlList(superuser, path));
- }
-
- private void restoreAces(ACL restore) throws RepositoryException {
- AccessControlList acl =
AccessControlUtils.getAccessControlList(superuser, path);
- if (acl != null) {
- for (AccessControlEntry ace : acl.getAccessControlEntries()) {
- acl.removeAccessControlEntry(ace);
- }
- for (AccessControlEntry ace : restore.entries) {
- acl.addAccessControlEntry(ace.getPrincipal(),
ace.getPrivileges());
- }
- acMgr.setPolicy(path, acl);
- superuser.save();
+ private void rememberForRestore(@Nullable String path) throws
RepositoryException {
+ if (!toRestore.containsKey(path)) {
+ toRestore.put(path, new ACL(path));
}
}
- private static final class ACL {
+ private final class ACL {
private final String path;
+ private final boolean remove;
private final Set<AccessControlEntry> entries = Sets.newHashSet();
- ACL(String path, AccessControlList list)
- throws RepositoryException {
+ private ACL(String path) throws RepositoryException {
this.path = path;
+
+ AccessControlList list = getList(path);
+ remove = (list == null);
if (list != null) {
Collections.addAll(entries, list.getAccessControlEntries());
}
}
+
+ private void restore() throws RepositoryException {
+ AccessControlList list = getList(path);
+ if (list != null) {
+ if (remove) {
+ acMgr.removePolicy(path, list);
+ } else {
+ for (AccessControlEntry ace :
list.getAccessControlEntries()) {
+ list.removeAccessControlEntry(ace);
+ }
+ for (AccessControlEntry ace : entries) {
+ list.addAccessControlEntry(ace.getPrincipal(),
ace.getPrivileges());
+ }
+ acMgr.setPolicy(path, list);
+ }
+ }
+ superuser.save();
+ }
+
+ @CheckForNull
+ private AccessControlList getList(@Nullable String path) throws
RepositoryException {
+ if (path == null || superuser.nodeExists(path)) {
+ for (AccessControlPolicy policy : acMgr.getPolicies(path)) {
+ if (policy instanceof AccessControlList) {
+ return (AccessControlList) policy;
+ }
+ }
+ }
+ return null;
+ }
}
}
\ No newline at end of file
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/MultipleMoveTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/MultipleMoveTest.java?rev=1660382&r1=1660381&r2=1660382&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/MultipleMoveTest.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/MultipleMoveTest.java
Tue Feb 17 14:01:34 2015
@@ -23,6 +23,7 @@ import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.junit.Before;
+import org.junit.Ignore;
import org.junit.Test;
/**
@@ -82,22 +83,21 @@ public class MultipleMoveTest extends Ab
}
}
-// FIXME OAK-2225 AbstractEvaluationTest doesn't restore ACEs properly causing
later tests to fail
-// @Test
-// public void testMoveSubTreeBack2() throws Exception {
-// allow(testRootNode.getPath(), privilegesFromNames(new String[]{
-// Privilege.JCR_REMOVE_NODE,
-// Privilege.JCR_REMOVE_CHILD_NODES,
-// Privilege.JCR_ADD_CHILD_NODES,
-// Privilege.JCR_NODE_TYPE_MANAGEMENT
-// }));
-//
-// first move must succeed
-// move(childNPath, siblingDestPath);
-// moving child back must fail due to missing privileges
-// move(siblingDestPath + '/' + nodeName3, path + "/subtreeBack");
-// testSession.save();
-// }
+ @Test
+ public void testMoveSubTreeBack2() throws Exception {
+ allow(testRootNode.getPath(), privilegesFromNames(new String[]{
+ Privilege.JCR_REMOVE_NODE,
+ Privilege.JCR_REMOVE_CHILD_NODES,
+ Privilege.JCR_ADD_CHILD_NODES,
+ Privilege.JCR_NODE_TYPE_MANAGEMENT
+ }));
+
+ //first move must succeed
+ move(childNPath, siblingDestPath);
+ //moving child back must fail due to missing privileges
+ move(siblingDestPath + '/' + nodeName3, path + "/subtreeBack");
+ testSession.save();
+ }
@Test
public void testMoveSubTreeBack3() throws Exception {
@@ -115,23 +115,22 @@ public class MultipleMoveTest extends Ab
}
}
-// FIXME OAK-2225 AbstractEvaluationTest doesn't restore ACEs properly causing
later tests to fail
-// @Ignore("Known Limitation of OAK-710")
-// @Test
-// public void testMoveSubTreeBack4() throws Exception {
-// allow(testRootNode.getPath(), privilegesFromNames(new String[]{
-// Privilege.JCR_REMOVE_NODE,
-// Privilege.JCR_REMOVE_CHILD_NODES,
-// Privilege.JCR_ADD_CHILD_NODES,
-// Privilege.JCR_NODE_TYPE_MANAGEMENT
-// }));
-//
-// first move must succeed
-// move(childNPath, siblingDestPath);
-// moving child back must fail due to missing privileges
-// move(siblingDestPath + '/' + nodeName3, childNPath);
-// testSession.save();
-// }
+ @Ignore("Known Limitation of OAK-710")
+ @Test
+ public void testMoveSubTreeBack4() throws Exception {
+ allow(testRootNode.getPath(), privilegesFromNames(new String[]{
+ Privilege.JCR_REMOVE_NODE,
+ Privilege.JCR_REMOVE_CHILD_NODES,
+ Privilege.JCR_ADD_CHILD_NODES,
+ Privilege.JCR_NODE_TYPE_MANAGEMENT
+ }));
+
+ //first move must succeed
+ move(childNPath, siblingDestPath);
+ //moving child back must fail due to missing privileges
+ move(siblingDestPath + '/' + nodeName3, childNPath);
+ testSession.save();
+ }
@Test
public void testMoveDestParent() throws Exception {
@@ -149,23 +148,22 @@ public class MultipleMoveTest extends Ab
}
}
-// FIXME OAK-2225 AbstractEvaluationTest doesn't restore ACEs properly causing
later tests to fail
-// @Ignore("Known Limitation of OAK-710")
-// @Test
-// public void testMoveDestParent2() throws Exception {
-// allow(testRootNode.getPath(), privilegesFromNames(new String[]{
-// Privilege.JCR_REMOVE_NODE,
-// Privilege.JCR_REMOVE_CHILD_NODES,
-// Privilege.JCR_ADD_CHILD_NODES,
-// Privilege.JCR_NODE_TYPE_MANAGEMENT
-// }));
-//
-// first move must succeed
-// move(childNPath, siblingDestPath);
-// moving dest parent to original source location
-// move(siblingPath, path + "/parentMove");
-// testSession.save();
-// }
+ @Ignore("Known Limitation of OAK-710")
+ @Test
+ public void testMoveDestParent2() throws Exception {
+ allow(testRootNode.getPath(), privilegesFromNames(new String[]{
+ Privilege.JCR_REMOVE_NODE,
+ Privilege.JCR_REMOVE_CHILD_NODES,
+ Privilege.JCR_ADD_CHILD_NODES,
+ Privilege.JCR_NODE_TYPE_MANAGEMENT
+ }));
+
+ //first move must succeed
+ move(childNPath, siblingDestPath);
+ //moving dest parent to original source location
+ move(siblingPath, path + "/parentMove");
+ testSession.save();
+ }
@Test
public void testMoveDestParent3() throws Exception {
@@ -183,21 +181,20 @@ public class MultipleMoveTest extends Ab
}
}
-// FIXME OAK-2225 AbstractEvaluationTest doesn't restore ACEs properly causing
later tests to fail
-// @Ignore("Known Limitation of OAK-710")
-// @Test
-// public void testMoveDestParent4() throws Exception {
-// allow(testRootNode.getPath(), privilegesFromNames(new String[]{
-// Privilege.JCR_REMOVE_NODE,
-// Privilege.JCR_REMOVE_CHILD_NODES,
-// Privilege.JCR_ADD_CHILD_NODES,
-// Privilege.JCR_NODE_TYPE_MANAGEMENT
-// }));
-//
-// first move must succeed
-// move(childNPath, siblingDestPath);
-// moving dest parent to original source location
-// move(siblingPath, childNPath);
-// testSession.save();
-// }
+ @Ignore("Known Limitation of OAK-710")
+ @Test
+ public void testMoveDestParent4() throws Exception {
+ allow(testRootNode.getPath(), privilegesFromNames(new String[]{
+ Privilege.JCR_REMOVE_NODE,
+ Privilege.JCR_REMOVE_CHILD_NODES,
+ Privilege.JCR_ADD_CHILD_NODES,
+ Privilege.JCR_NODE_TYPE_MANAGEMENT
+ }));
+
+ //first move must succeed
+ move(childNPath, siblingDestPath);
+ //moving dest parent to original source location
+ move(siblingPath, childNPath);
+ testSession.save();
+ }
}
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/UserManagementTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/UserManagementTest.java?rev=1660382&r1=1660381&r2=1660382&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/UserManagementTest.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/UserManagementTest.java
Tue Feb 17 14:01:34 2015
@@ -16,6 +16,7 @@
*/
package org.apache.jackrabbit.oak.jcr.security.authorization;
+import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
@@ -23,6 +24,9 @@ import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
+import javax.jcr.PropertyType;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
import javax.jcr.query.Query;
import javax.jcr.security.Privilege;
@@ -34,6 +38,7 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.JcrUtils;
import
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
@@ -456,4 +461,29 @@ public class UserManagementTest extends
}
assertTrue("Result mismatch", ids.isEmpty());
}
+
+ @Test
+ public void testGlobRestriction() throws Exception {
+ String groupHome =
Text.getRelativeParent(UserConstants.DEFAULT_GROUP_PATH, 1);
+ Privilege[] privs =
privilegesFromName(PrivilegeConstants.REP_USER_MANAGEMENT);
+ allow(groupHome, privs);
+ deny(groupHome, privs, createGlobRestriction("*/" +
UserConstants.REP_MEMBERS));
+
+ UserManager testUserMgr = getUserManager(testSession);
+
+ // creating a new group must be allow
+ Group gr = testUserMgr.createGroup(groupId);
+ testSession.save();
+
+ // modifying group membership must be denied
+ try {
+ gr.addMember(testUserMgr.getAuthorizable(testSession.getUserID()));
+ testSession.save();
+ fail();
+ } catch (AccessDeniedException e) {
+ // success
+ } finally {
+ testSession.refresh(false);
+ }
+ }
}
\ No newline at end of file
