Author: angela
Date: Tue Jul  7 14:20:55 2015
New Revision: 1689688

URL: http://svn.apache.org/r1689688
Log:
OAK-3078 : AccessControlAction: Omit setup for administrative principals

Modified:
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
    
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java

Modified: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java?rev=1689688&r1=1689687&r2=1689688&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
 Tue Jul  7 14:20:55 2015
@@ -17,6 +17,8 @@
 package org.apache.jackrabbit.oak.spi.security.user.action;
 
 import java.security.Principal;
+import java.util.Collections;
+import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import javax.jcr.RepositoryException;
@@ -34,6 +36,7 @@ import org.apache.jackrabbit.oak.namepat
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
 import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
 import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
 import org.slf4j.Logger;
@@ -105,6 +108,7 @@ public class AccessControlAction extends
     private SecurityProvider securityProvider;
     private String[] groupPrivilegeNames = new String[0];
     private String[] userPrivilegeNames = new String[0];
+    private Set<String> administrativePrincipals = Collections.emptySet();
 
     //-------------------------------------------------< AuthorizableAction 
>---
     @Override
@@ -112,6 +116,8 @@ public class AccessControlAction extends
         this.securityProvider = securityProvider;
         userPrivilegeNames = privilegeNames(config, USER_PRIVILEGE_NAMES);
         groupPrivilegeNames = privilegeNames(config, GROUP_PRIVILEGE_NAMES);
+
+        administrativePrincipals = 
securityProvider.getConfiguration(AuthorizationConfiguration.class).getParameters().getConfigValue(PermissionConstants.PARAM_ADMINISTRATIVE_PRINCIPALS,
 Collections.EMPTY_SET);
     }
 
     @Override
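Review bot: The assignment to `administrativePrincipals` in `init` passes the raw `Collections.EMPTY_SET` as the default, so it is an unchecked conversion to `Set<String>` and nothing visible here guarantees the configured value is a set of strings. `Collections.<String>emptySet()` as the default keeps the expression type-checked. This set decides which principals are skipped when default ACLs are written, so the new field (added in the previous hunk) deserves a comment such as `// principal names configured as administrative in the authorization configuration; no ACL setup is performed for them`. The call chain dereferences `getConfiguration(...)` and `getParameters()` without a null check, which is presumably safe for a fully configured SecurityProvider but worth confirming. The body of `init` begins outside this hunk.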
@@ -154,6 +160,11 @@ public class AccessControlAction extends
             log.debug("No privileges configured for groups and users; omit ac 
setup.");
             return;
         }
+        Principal principal = authorizable.getPrincipal();
+        if (administrativePrincipals.contains(principal.getName())) {
+            log.debug("Administrative principal: " + principal.getName() + "; 
omit ac setup.");
+            return;
+        }
 
         String path = authorizable.getPath();
         AuthorizationConfiguration acConfig = 
securityProvider.getConfiguration(AuthorizationConfiguration.class);
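Review bot: The new guard matches on `principal.getName()` alone, so any user or group whose principal name equals a configured administrative name is created without the default ACL. That is only safe if permission evaluation grants those names full access based on the same `PARAM_ADMINISTRATIVE_PRINCIPALS` setting, and a comment above the check should say so. The debug statement concatenates its message even when debug logging is off; the parameterized form `log.debug("Administrative principal: {}; omit ac setup.", principal.getName());` avoids that. The enclosing method starts and ends outside this hunk.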
@@ -171,7 +182,6 @@ public class AccessControlAction extends
             log.warn("Cannot process AccessControlAction: no applicable ACL at 
" + path);
         } else {
             // setup acl according to configuration.
-            Principal principal = authorizable.getPrincipal();
             boolean modified = false;
             if (authorizable.isGroup()) {
                 // new authorizable is a Group

Modified: 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java?rev=1689688&r1=1689687&r2=1689688&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java
 Tue Jul  7 14:20:55 2015
@@ -27,6 +27,8 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.oak.AbstractSecurityTest;
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
 import org.junit.Test;
@@ -46,7 +48,10 @@ public class AccessControlActionTest ext
                 AccessControlAction.GROUP_PRIVILEGE_NAMES, new String[] 
{PrivilegeConstants.JCR_READ},
                 AccessControlAction.USER_PRIVILEGE_NAMES, new String[] 
{PrivilegeConstants.JCR_ALL}
         );
-        return ConfigurationParameters.of(UserConfiguration.NAME, userConfig);
+        ConfigurationParameters authorizationConfig = 
ConfigurationParameters.of(
+                PermissionConstants.PARAM_ADMINISTRATIVE_PRINCIPALS, new 
String[] {"administrativePrincipalName"}
+        );
+        return ConfigurationParameters.of(UserConfiguration.NAME, userConfig, 
AuthorizationConfiguration.NAME, authorizationConfig);
     }
 
     @Test
@@ -86,13 +91,33 @@ public class AccessControlActionTest ext
         }
     }
 
+    @Test
+    public void testAdministrativePrincipals() throws Exception {
+        UserManager userMgr = getUserManager(root);
+        Group gr = null;
+        try {
+            gr = userMgr.createGroup("administrativePrincipalName");
+            root.commit();
+
+            AccessControlManager acMgr = getAccessControlManager(root);
+            AccessControlPolicy[] policies = acMgr.getPolicies(gr.getPath());
+            assertEquals(0, policies.length);
+        } finally {
+            root.refresh();
+            if (gr != null) {
+                gr.remove();
+            }
+            root.commit();
+        }
+    }
+
     private void assertAcAction(Authorizable a, String expectedPrivName) 
throws Exception {
         AccessControlManager acMgr = getAccessControlManager(root);
-            AccessControlPolicy[] policies = acMgr.getPolicies(a.getPath());
-            assertEquals(1, policies.length);
-            assertTrue(policies[0] instanceof AccessControlList);
-            AccessControlList acl = (AccessControlList) policies[0];
-            assertEquals(1, acl.getAccessControlEntries().length);
-            assertArrayEquals(new 
Privilege[]{getPrivilegeManager(root).getPrivilege(expectedPrivName)}, 
acl.getAccessControlEntries()[0].getPrivileges());
+        AccessControlPolicy[] policies = acMgr.getPolicies(a.getPath());
+        assertEquals(1, policies.length);
+        assertTrue(policies[0] instanceof AccessControlList);
+        AccessControlList acl = (AccessControlList) policies[0];
+        assertEquals(1, acl.getAccessControlEntries().length);
+        assertArrayEquals(new 
Privilege[]{getPrivilegeManager(root).getPrivilege(expectedPrivName)}, 
acl.getAccessControlEntries()[0].getPrivileges());
     }
 }
\ No newline at end of file
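Review bot: `testAdministrativePrincipals` exercises only a group, although the test configuration grants users `JCR_ALL`, which makes the user path the more sensitive one. A sibling case that creates a user whose principal name is `administrativePrincipalName` and asserts `acMgr.getPolicies(...)` returns an empty array would pin the skip for both authorizable types. In the `finally` block, `root.refresh()` runs before `gr.remove()`; if the first `root.commit()` failed, the group has presumably been discarded by then, so the remove call could throw and hide the original failure. A one-line Javadoc on the test naming OAK-3078 would also help readers connect it to the configuration added in `getSecurityConfigParameters`.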

