Author: angela
Date: Wed Jul 29 14:21:18 2015
New Revision: 1693270
URL: http://svn.apache.org/r1693270
Log:
OAK-3160 - Implement Session.hasPermission(String, String...) and support for
additional actions,
OAK-2008 : authorization setup for closed user groups (WIP)
Added:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/HasPermissionTest.java
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionsTest.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java
jackrabbit/oak/trunk/oak-parent/pom.xml
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java
Wed Jul 29 14:21:18 2015
@@ -22,11 +22,12 @@ import javax.annotation.Nonnull;
import javax.jcr.security.AccessControlException;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
+import org.apache.jackrabbit.api.security.authorization.PrincipalSetPolicy;
/**
* Denies read access for all principals except for the specified principals.
*/
-public interface CugPolicy extends JackrabbitAccessControlPolicy {
+public interface CugPolicy extends PrincipalSetPolicy,
JackrabbitAccessControlPolicy {
/**
* Returns the set of {@code Principal}s that are allowed to access the
items
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java
Wed Jul 29 14:21:18 2015
@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-@Version("1.3.1")
+@Version("1.4.0")
@Export(optional = "provide:=true")
package org.apache.jackrabbit.oak.spi.security.authorization.cug;
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java
Wed Jul 29 14:21:18 2015
@@ -24,6 +24,7 @@ import javax.jcr.security.AccessControlE
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.api.security.authorization.PrincipalSetPolicy;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.namepath.LocalNameMapper;
@@ -63,6 +64,11 @@ public class CugPolicyImplTest extends A
}
@Test
+ public void testPrincipalSetPolicy() {
+ assertTrue(createCugPolicy(principals) instanceof PrincipalSetPolicy);
+ }
+
+ @Test
public void testGetPrincipals() {
CugPolicyImpl cug = createCugPolicy(principals);
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
Wed Jul 29 14:21:18 2015
@@ -30,6 +30,7 @@ import com.google.common.base.Predicate;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Sets;
+import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
@@ -190,34 +191,59 @@ public final class Permissions {
}
private static final Map<String, Long> PERMISSION_LOOKUP = new
LinkedHashMap<String, Long>();
- static {
- PERMISSION_LOOKUP.put("ALL", ALL);
- PERMISSION_LOOKUP.put("READ", READ);
- PERMISSION_LOOKUP.put("READ_NODE", READ_NODE);
- PERMISSION_LOOKUP.put("READ_PROPERTY", READ_PROPERTY);
- PERMISSION_LOOKUP.put("SET_PROPERTY", SET_PROPERTY);
- PERMISSION_LOOKUP.put("ADD_PROPERTY", ADD_PROPERTY);
- PERMISSION_LOOKUP.put("MODIFY_PROPERTY", MODIFY_PROPERTY);
- PERMISSION_LOOKUP.put("REMOVE_PROPERTY", REMOVE_PROPERTY);
- PERMISSION_LOOKUP.put("ADD_NODE", ADD_NODE);
- PERMISSION_LOOKUP.put("REMOVE_NODE", REMOVE_NODE);
- PERMISSION_LOOKUP.put("REMOVE", REMOVE);
- PERMISSION_LOOKUP.put("WRITE", WRITE);
- PERMISSION_LOOKUP.put("MODIFY_CHILD_NODE_COLLECTION",
MODIFY_CHILD_NODE_COLLECTION);
- PERMISSION_LOOKUP.put("READ_ACCESS_CONTROL", READ_ACCESS_CONTROL);
- PERMISSION_LOOKUP.put("MODIFY_ACCESS_CONTROL",
MODIFY_ACCESS_CONTROL);
- PERMISSION_LOOKUP.put("NODE_TYPE_MANAGEMENT",
NODE_TYPE_MANAGEMENT);
- PERMISSION_LOOKUP.put("VERSION_MANAGEMENT", VERSION_MANAGEMENT);
- PERMISSION_LOOKUP.put("LOCK_MANAGEMENT", LOCK_MANAGEMENT);
- PERMISSION_LOOKUP.put("LIFECYCLE_MANAGEMENT",
LIFECYCLE_MANAGEMENT);
- PERMISSION_LOOKUP.put("RETENTION_MANAGEMENT",
RETENTION_MANAGEMENT);
- PERMISSION_LOOKUP.put("NODE_TYPE_DEFINITION_MANAGEMENT",
NODE_TYPE_DEFINITION_MANAGEMENT);
- PERMISSION_LOOKUP.put("NAMESPACE_MANAGEMENT",
NAMESPACE_MANAGEMENT);
- PERMISSION_LOOKUP.put("WORKSPACE_MANAGEMENT",
WORKSPACE_MANAGEMENT);
- PERMISSION_LOOKUP.put("PRIVILEGE_MANAGEMENT",
PRIVILEGE_MANAGEMENT);
- PERMISSION_LOOKUP.put("USER_MANAGEMENT", USER_MANAGEMENT);
- PERMISSION_LOOKUP.put("INDEX_DEFINITION_MANAGEMENT",
INDEX_DEFINITION_MANAGEMENT);
- }
+ static {
+ PERMISSION_LOOKUP.put("ALL", ALL);
+ PERMISSION_LOOKUP.put("READ", READ);
+ PERMISSION_LOOKUP.put("READ_NODE", READ_NODE);
+ PERMISSION_LOOKUP.put("READ_PROPERTY", READ_PROPERTY);
+ PERMISSION_LOOKUP.put("SET_PROPERTY", SET_PROPERTY);
+ PERMISSION_LOOKUP.put("ADD_PROPERTY", ADD_PROPERTY);
+ PERMISSION_LOOKUP.put("MODIFY_PROPERTY", MODIFY_PROPERTY);
+ PERMISSION_LOOKUP.put("REMOVE_PROPERTY", REMOVE_PROPERTY);
+ PERMISSION_LOOKUP.put("ADD_NODE", ADD_NODE);
+ PERMISSION_LOOKUP.put("REMOVE_NODE", REMOVE_NODE);
+ PERMISSION_LOOKUP.put("REMOVE", REMOVE);
+ PERMISSION_LOOKUP.put("WRITE", WRITE);
+ PERMISSION_LOOKUP.put("MODIFY_CHILD_NODE_COLLECTION",
MODIFY_CHILD_NODE_COLLECTION);
+ PERMISSION_LOOKUP.put("READ_ACCESS_CONTROL", READ_ACCESS_CONTROL);
+ PERMISSION_LOOKUP.put("MODIFY_ACCESS_CONTROL", MODIFY_ACCESS_CONTROL);
+ PERMISSION_LOOKUP.put("NODE_TYPE_MANAGEMENT", NODE_TYPE_MANAGEMENT);
+ PERMISSION_LOOKUP.put("VERSION_MANAGEMENT", VERSION_MANAGEMENT);
+ PERMISSION_LOOKUP.put("LOCK_MANAGEMENT", LOCK_MANAGEMENT);
+ PERMISSION_LOOKUP.put("LIFECYCLE_MANAGEMENT", LIFECYCLE_MANAGEMENT);
+ PERMISSION_LOOKUP.put("RETENTION_MANAGEMENT", RETENTION_MANAGEMENT);
+ PERMISSION_LOOKUP.put("NODE_TYPE_DEFINITION_MANAGEMENT",
NODE_TYPE_DEFINITION_MANAGEMENT);
+ PERMISSION_LOOKUP.put("NAMESPACE_MANAGEMENT", NAMESPACE_MANAGEMENT);
+ PERMISSION_LOOKUP.put("WORKSPACE_MANAGEMENT", WORKSPACE_MANAGEMENT);
+ PERMISSION_LOOKUP.put("PRIVILEGE_MANAGEMENT", PRIVILEGE_MANAGEMENT);
+ PERMISSION_LOOKUP.put("USER_MANAGEMENT", USER_MANAGEMENT);
+ PERMISSION_LOOKUP.put("INDEX_DEFINITION_MANAGEMENT",
INDEX_DEFINITION_MANAGEMENT);
+ }
+
+ private static final Set<String> WRITE_ACTIONS = ImmutableSet.of(
+ Session.ACTION_REMOVE,
+ Session.ACTION_ADD_NODE,
+ Session.ACTION_SET_PROPERTY,
+ JackrabbitSession.ACTION_REMOVE_NODE,
+ JackrabbitSession.ACTION_ADD_PROPERTY,
+ JackrabbitSession.ACTION_MODIFY_PROPERTY,
+ JackrabbitSession.ACTION_REMOVE_PROPERTY
+ );
+
+ private static final Map<String, Long> ACTIONS_MAP = new
LinkedHashMap<String, Long>();
+ static {
+ ACTIONS_MAP.put(Session.ACTION_ADD_NODE, ADD_NODE);
+ ACTIONS_MAP.put(JackrabbitSession.ACTION_ADD_PROPERTY, ADD_PROPERTY);
+ ACTIONS_MAP.put(JackrabbitSession.ACTION_MODIFY_PROPERTY,
MODIFY_PROPERTY);
+ ACTIONS_MAP.put(JackrabbitSession.ACTION_REMOVE_PROPERTY,
REMOVE_PROPERTY);
+ ACTIONS_MAP.put(JackrabbitSession.ACTION_REMOVE_NODE, REMOVE_NODE);
+ ACTIONS_MAP.put(JackrabbitSession.ACTION_NODE_TYPE_MANAGEMENT,
NODE_TYPE_MANAGEMENT);
+ ACTIONS_MAP.put(JackrabbitSession.ACTION_LOCKING, LOCK_MANAGEMENT);
+ ACTIONS_MAP.put(JackrabbitSession.ACTION_VERSIONING,
VERSION_MANAGEMENT);
+ ACTIONS_MAP.put(JackrabbitSession.ACTION_READ_ACCESS_CONTROL,
READ_ACCESS_CONTROL);
+ ACTIONS_MAP.put(JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL,
MODIFY_ACCESS_CONTROL);
+ ACTIONS_MAP.put(JackrabbitSession.ACTION_USER_MANAGEMENT,
USER_MANAGEMENT);
+ }
/**
* Returns names of the specified permissions.
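Review bot: `WRITE_ACTIONS` and `ACTIONS_MAP` are added without any comment, although they now decide how a JCR action string is turned into permission bits. A short comment on each would help, for example `// actions that map to MODIFY_ACCESS_CONTROL when the target item is access control content` on `WRITE_ACTIONS` and `// actions with a 1:1 mapping to a single permission; read and set_property are handled separately` on `ACTIONS_MAP`. `ACTIONS_MAP` is also a mutable `LinkedHashMap` filled in a static block, like `PERMISSION_LOOKUP` above it. Because it is never meant to change after class initialisation, wrapping it in `Collections.unmodifiableMap(...)` or building it as an immutable map would guard this authorization table against accidental modification.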
@@ -301,19 +327,19 @@ public final class Permissions {
Permissions.includes(permissions, Permissions.REMOVE_NODE);
}
- /**
- * Returns those bits from {@code permissions} that are not present in
- * the {@code otherPermissions}, i.e. subtracts the other permissions
- * from permissions.<br>
- * If the specified {@code otherPermissions} do not intersect with
- * {@code permissions}, {@code permissions} are returned.<br>
- * If {@code permissions} is included in {@code otherPermissions},
- * {@link #NO_PERMISSION} is returned.
- *
- * @param permissions
- * @param otherPermissions
- * @return the differences of the 2 permissions or {@link #NO_PERMISSION}.
- */
+ /**
+ * Returns those bits from {@code permissions} that are not present in
+ * the {@code otherPermissions}, i.e. subtracts the other permissions
+ * from permissions.<br>
+ * If the specified {@code otherPermissions} do not intersect with
+ * {@code permissions}, {@code permissions} are returned.<br>
+ * If {@code permissions} is included in {@code otherPermissions},
+ * {@link #NO_PERMISSION} is returned.
+ *
+ * @param permissions
+ * @param otherPermissions
+ * @return the differences of the 2 permissions or {@link #NO_PERMISSION}.
+ */
public static long diff(long permissions, long otherPermissions) {
return permissions & ~otherPermissions;
}
@@ -340,6 +366,7 @@ public final class Permissions {
boolean isAccessControlContent) {
Set<String> actions = Sets.newHashSet(Text.explode(jcrActions, ',',
false));
long permissions = NO_PERMISSION;
+ // map read action respecting the 'isAccessControlContent' flag.
if (actions.remove(Session.ACTION_READ)) {
if (isAccessControlContent) {
permissions |= READ_ACCESS_CONTROL;
@@ -352,17 +379,15 @@ public final class Permissions {
}
}
+ // map write actions respecting the 'isAccessControlContent' flag.
if (!actions.isEmpty()) {
if (isAccessControlContent) {
- actions.removeAll(ImmutableSet.of(
- Session.ACTION_ADD_NODE,
- Session.ACTION_REMOVE,
- Session.ACTION_SET_PROPERTY));
- permissions |= MODIFY_ACCESS_CONTROL;
- } else {
- if (actions.remove(Session.ACTION_ADD_NODE)) {
- permissions |= ADD_NODE;
+ if (actions.removeAll(WRITE_ACTIONS)) {
+ permissions |= MODIFY_ACCESS_CONTROL;
}
+ } else {
+ // item is not access controlled -> cover actions that don't
have
+ // a 1:1 mapping to a given permission.
if (actions.remove(Session.ACTION_SET_PROPERTY)) {
if (location.getProperty() == null) {
permissions |= ADD_PROPERTY;
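Review bot: On access control content, `MODIFY_ACCESS_CONTROL` is now added only when `actions.removeAll(WRITE_ACTIONS)` removed something, whereas the removed lines OR'ed it in for any non-empty remaining action set. Entries not in `WRITE_ACTIONS` would therefore resolve to the plain item permission on a policy node rather than to `MODIFY_ACCESS_CONTROL`. This presumably includes the upper-case permission names such as "ADD_NODE" or "REMOVE", which `getPermissions(actions)` resolves in the following hunk. If that relaxation is intended, it deserves a comment at this branch, e.g. `// only JCR/Jackrabbit write actions are remapped; permission names are evaluated as given`, and a test that pins it. The method starts and ends outside this hunk, so any handling of `Session.ACTION_REMOVE` for the non-access-control case is not visible here.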
@@ -382,8 +407,18 @@ public final class Permissions {
}
}
- permissions |= getPermissions(actions);
+ // map remaining actions and permission-names that have a simple 1:1
+ // mapping between action and permission
+ if (!actions.isEmpty()) {
+ for (String action : ACTIONS_MAP.keySet()) {
+ if (actions.remove(action)) {
+ permissions |= ACTIONS_MAP.get(action);
+ }
+ }
+ permissions |= getPermissions(actions);
+ }
+ // now the action set must be empty; otherwise it contained
unsupported action(s)
if (!actions.isEmpty()) {
throw new IllegalArgumentException("Unknown actions: " + actions);
}
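Review bot: The new loop iterates `ACTIONS_MAP.keySet()` and then calls `ACTIONS_MAP.get(action)`, which performs a second lookup and auto-unboxes the `Long` on every hit. Iterating the entries reads more directly: `for (Map.Entry<String, Long> e : ACTIONS_MAP.entrySet()) { if (actions.remove(e.getKey())) { permissions |= e.getValue(); } }`. The two consecutive `if (!actions.isEmpty())` checks are correct, and the wrapped comment before the second one already explains why it is needed. The enclosing method continues outside the hunk.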
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionsTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionsTest.java?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionsTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionsTest.java
Wed Jul 29 14:21:18 2015
@@ -16,6 +16,7 @@
*/
package org.apache.jackrabbit.oak.spi.security.authorization.permission;
+import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -23,12 +24,15 @@ import javax.jcr.Session;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
+import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.util.Text;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
import static org.junit.Assert.fail;
@@ -74,6 +78,87 @@ public class PermissionsTest extends Abs
}
@Test
+ public void testGetPermissionsFromJackrabbitActions() {
+ TreeLocation tl = TreeLocation.create(root.getTree("/"));
+ Map<String, Long> map = new HashMap<String, Long>();
+ map.put(Session.ACTION_ADD_NODE, Permissions.ADD_NODE);
+ map.put(JackrabbitSession.ACTION_ADD_PROPERTY,
Permissions.ADD_PROPERTY);
+ map.put(JackrabbitSession.ACTION_MODIFY_PROPERTY,
Permissions.MODIFY_PROPERTY);
+ map.put(JackrabbitSession.ACTION_REMOVE_PROPERTY,
Permissions.REMOVE_PROPERTY);
+ map.put(JackrabbitSession.ACTION_REMOVE_NODE, Permissions.REMOVE_NODE);
+ map.put(JackrabbitSession.ACTION_NODE_TYPE_MANAGEMENT,
Permissions.NODE_TYPE_MANAGEMENT);
+ map.put(JackrabbitSession.ACTION_LOCKING, Permissions.LOCK_MANAGEMENT);
+ map.put(JackrabbitSession.ACTION_VERSIONING,
Permissions.VERSION_MANAGEMENT);
+ map.put(JackrabbitSession.ACTION_READ_ACCESS_CONTROL,
Permissions.READ_ACCESS_CONTROL);
+ map.put(JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL,
Permissions.MODIFY_ACCESS_CONTROL);
+ map.put(JackrabbitSession.ACTION_USER_MANAGEMENT,
Permissions.USER_MANAGEMENT);
+
+ for (Map.Entry<String, Long> entry : map.entrySet()) {
+ assertEquals(entry.getValue().longValue(),
Permissions.getPermissions(entry.getKey(), tl, false));
+ }
+ }
+
+ @Test
+ public void testGetPermissionsOnAccessControlledNode() {
+ TreeLocation tl = TreeLocation.create(root.getTree("/rep:policy"));
+ Map<String, Long> map = new HashMap<String, Long>();
+
+ // read -> mapped to read-access-control
+ map.put(Session.ACTION_READ, Permissions.READ_ACCESS_CONTROL);
+
+ // all regular write -> mapped to modify-access-control (compatible
and in
+ // accordance to the previous behavior, where specifying an explicit
+ // modify_access_control action was not possible.
+ map.put(Session.ACTION_ADD_NODE, Permissions.MODIFY_ACCESS_CONTROL);
+ map.put(Session.ACTION_REMOVE, Permissions.MODIFY_ACCESS_CONTROL);
+ map.put(Session.ACTION_SET_PROPERTY,
Permissions.MODIFY_ACCESS_CONTROL);
+ map.put(JackrabbitSession.ACTION_ADD_PROPERTY,
Permissions.MODIFY_ACCESS_CONTROL);
+ map.put(JackrabbitSession.ACTION_MODIFY_PROPERTY,
Permissions.MODIFY_ACCESS_CONTROL);
+ map.put(JackrabbitSession.ACTION_REMOVE_PROPERTY,
Permissions.MODIFY_ACCESS_CONTROL);
+ map.put(JackrabbitSession.ACTION_REMOVE_NODE,
Permissions.MODIFY_ACCESS_CONTROL);
+
+ // all other actions are mapped to the corresponding permission without
+ // testing for item being ac-content
+ map.put(JackrabbitSession.ACTION_READ_ACCESS_CONTROL,
Permissions.READ_ACCESS_CONTROL);
+ map.put(JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL,
Permissions.MODIFY_ACCESS_CONTROL);
+ map.put(JackrabbitSession.ACTION_LOCKING, Permissions.LOCK_MANAGEMENT);
+ map.put(JackrabbitSession.ACTION_VERSIONING,
Permissions.VERSION_MANAGEMENT);
+ map.put(JackrabbitSession.ACTION_USER_MANAGEMENT,
Permissions.USER_MANAGEMENT);
+
+ for (Map.Entry<String, Long> entry : map.entrySet()) {
+ assertEquals(entry.getKey(), entry.getValue().longValue(),
Permissions.getPermissions(entry.getKey(), tl, true));
+ }
+ }
+
+ @Test
+ public void testActionSetProperty() {
+ TreeLocation treeLocation = TreeLocation.create(root.getTree("/"));
+ assertNull(treeLocation.getProperty());
+ assertEquals(Permissions.ADD_PROPERTY,
Permissions.getPermissions(Session.ACTION_SET_PROPERTY, treeLocation, false));
+ assertEquals(Permissions.MODIFY_ACCESS_CONTROL,
Permissions.getPermissions(Session.ACTION_SET_PROPERTY, treeLocation, true));
+
+ TreeLocation nonExistingTree =
TreeLocation.create(root.getTree("/nonExisting"));
+ assertNull(nonExistingTree.getProperty());
+ assertEquals(Permissions.ADD_PROPERTY,
Permissions.getPermissions(Session.ACTION_SET_PROPERTY, nonExistingTree,
false));
+ assertEquals(Permissions.MODIFY_ACCESS_CONTROL,
Permissions.getPermissions(Session.ACTION_SET_PROPERTY, nonExistingTree, true));
+
+ TreeLocation nonExistingProp = TreeLocation.create(root,
"/nonExisting");
+ assertNull(nonExistingProp.getProperty());
+ assertEquals(Permissions.ADD_PROPERTY,
Permissions.getPermissions(Session.ACTION_SET_PROPERTY, nonExistingProp,
false));
+ assertEquals(Permissions.MODIFY_ACCESS_CONTROL,
Permissions.getPermissions(Session.ACTION_SET_PROPERTY, nonExistingProp, true));
+
+ TreeLocation existingProp = TreeLocation.create(root,
"/jcr:primaryType");
+ assertNotNull(existingProp.getProperty());
+ assertEquals(Permissions.MODIFY_PROPERTY,
Permissions.getPermissions(Session.ACTION_SET_PROPERTY, existingProp, false));
+ assertEquals(Permissions.MODIFY_ACCESS_CONTROL,
Permissions.getPermissions(Session.ACTION_SET_PROPERTY, existingProp, true));
+ }
+
+ @Test
+ public void testActionRemove() {
+ // TODO
+ }
+
+ @Test
public void testAggregates() {
// TODO
}
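Review bot: `testActionRemove` is added with only `// TODO` in its body, so it passes without asserting anything, while `Session.ACTION_REMOVE` is one of the actions whose mapping this commit changes (it is now listed in `WRITE_ACTIONS`). Either implement it or mark it `@Ignore("TODO OAK-3160")` so the report does not show a green result for an untested authorization mapping. The same applies to the existing empty `testAggregates`. In `testGetPermissionsFromJackrabbitActions`, the `assertEquals` call has no message argument, unlike the one in `testGetPermissionsOnAccessControlledNode`. Passing `entry.getKey()` as the first argument would identify the failing action.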
Modified:
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java
Wed Jul 29 14:21:18 2015
@@ -69,6 +69,7 @@ import org.apache.jackrabbit.oak.jcr.ses
import org.apache.jackrabbit.oak.jcr.xml.ImportHandler;
import
org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.test.api.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.ContentHandler;
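Review bot: The added import `org.apache.jackrabbit.test.api.util.Text` pulls a class from a test package into the production `SessionImpl`. This makes the main code of oak-jcr depend on a test artifact at runtime, which is presumably available only in test scope, and can fail with a `NoClassDefFoundError` in a deployment. `PermissionsTest` in this same commit uses `org.apache.jackrabbit.util.Text`, which is most likely the class intended here: `import org.apache.jackrabbit.util.Text;`.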
@@ -749,6 +750,11 @@ public class SessionImpl implements Jack
//--------------------------------------------------< JackrabbitSession
>---
@Override
+ public boolean hasPermission(String absPath, String... actions) throws
RepositoryException {
+ return hasPermission(absPath, Text.implode(actions, ","));
+ }
+
+ @Override
@Nonnull
public PrincipalManager getPrincipalManager() throws RepositoryException {
return sessionContext.getPrincipalManager();
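Review bot: The new `hasPermission(String, String...)` passes `actions` straight to `Text.implode` without checking it, so a `null` array (or, depending on the helper, a `null` element) would surface as an unspecific exception rather than a clear argument error. Because the array is joined with "," and the String overload presumably splits on the same character, an element that itself contains a comma is evaluated as several actions. A one-line Javadoc stating both points, plus a guard such as `Objects.requireNonNull(actions, "actions")` or the project's own precondition helper, would make the contract explicit. The enclosing class continues outside the hunk.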
Added:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/HasPermissionTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/HasPermissionTest.java?rev=1693270&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/HasPermissionTest.java
(added)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/HasPermissionTest.java
Wed Jul 29 14:21:18 2015
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.jcr.Session;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Maps;
+import org.apache.jackrabbit.api.JackrabbitSession;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+
+/**
+ * Testing {@link Session#hasPermission(String,String)} and {@link
JackrabbitSession#hasPermission(String, String...)}
+ */
+public class HasPermissionTest extends AbstractEvaluationTest {
+
+ public void testEmpty() throws Exception {
+ List<String> paths = ImmutableList.of(
+ "/", path, childPPath, path + "/rep:policy",
+ "/nonExisting", path + "/nonExisting");
+
+ for (String p : paths) {
+ assertTrue(testSession.hasPermission(p, ""));
+ assertTrue(testSession.hasPermission(p, ",,"));
+ assertTrue(((JackrabbitSession) testSession).hasPermission(p, new
String[0]));
+ assertTrue(((JackrabbitSession) testSession).hasPermission(p, new
String[]{""}));
+ assertTrue(((JackrabbitSession) testSession).hasPermission(p, new
String[]{"", ""}));
+ assertTrue(((JackrabbitSession) testSession).hasPermission(p, "",
""));
+ }
+ }
+
+ public void testSingle() throws Exception {
+ Map<String, Boolean> map = Maps.newHashMap();
+ map.put("/", true);
+ map.put(path, true);
+ map.put(childPPath, true);
+ map.put(path + "/rep:policy", false);
+ map.put("/nonExisting", true);
+ map.put(path + "/nonExisting", true);
+
+ for (String p : map.keySet()) {
+ boolean expected = map.get(p);
+ assertEquals(p, expected, testSession.hasPermission(p,
Session.ACTION_READ));
+ assertEquals(p, expected, ((JackrabbitSession)
testSession).hasPermission(p, new String[]{Session.ACTION_READ}));
+ }
+ }
+
+ public void testDuplicate() throws Exception {
+ Map<String, Boolean> map = Maps.newHashMap();
+ map.put("/", true);
+ map.put(path, true);
+ map.put(childPPath, true);
+ map.put(path + "/rep:policy", false);
+ map.put("/nonExisting", true);
+ map.put(path + "/nonExisting", true);
+
+ for (String p : map.keySet()) {
+ boolean expected = map.get(p);
+ assertEquals(p, expected, testSession.hasPermission(p,
Session.ACTION_READ + "," + Permissions.getString(Permissions.READ)));
+ assertEquals(p, expected, ((JackrabbitSession)
testSession).hasPermission(p, new String[]{Session.ACTION_READ,
Session.ACTION_READ}));
+ assertEquals(p, expected, ((JackrabbitSession)
testSession).hasPermission(p, Session.ACTION_READ, Session.ACTION_READ));
+ assertEquals(p, expected, ((JackrabbitSession)
testSession).hasPermission(p, new String[]{Session.ACTION_READ,
Permissions.PERMISSION_NAMES.get(Permissions.READ)}));
+ assertEquals(p, expected, ((JackrabbitSession)
testSession).hasPermission(p, Session.ACTION_READ,
Permissions.PERMISSION_NAMES.get(Permissions.READ)));
+ }
+ }
+
+ public void testMultiple() throws Exception {
+ List<String> paths = ImmutableList.of(
+ "/", path, childPPath, path + "/rep:policy",
+ "/nonExisting", path + "/nonExisting");
+
+ for (String p : paths) {
+ assertFalse(testSession.hasPermission(p, Session.ACTION_READ + ","
+ Session.ACTION_SET_PROPERTY));
+ assertFalse(testSession.hasPermission(p, Session.ACTION_READ + ","
+ Permissions.getString(Permissions.ADD_PROPERTY)));
+
+ assertFalse(((JackrabbitSession) testSession).hasPermission(p,
Session.ACTION_READ, Session.ACTION_SET_PROPERTY));
+ assertFalse(((JackrabbitSession) testSession).hasPermission(p,
Session.ACTION_READ, JackrabbitSession.ACTION_ADD_PROPERTY));
+
+ assertFalse(testSession.hasPermission(p, Session.ACTION_READ + ","
+ JackrabbitSession.ACTION_READ_ACCESS_CONTROL));
+ assertFalse(((JackrabbitSession) testSession).hasPermission(p,
Session.ACTION_READ, JackrabbitSession.ACTION_READ_ACCESS_CONTROL));
+ }
+ }
+}
\ No newline at end of file
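Review bot: `testMultiple` only asserts `false`, and the only positive multi-action cases in `testDuplicate` repeat the read action, so nothing here verifies that two distinct granted actions evaluate to `true` through the new varargs method. A case where the test session is granted a second permission, asserting `hasPermission(p, Session.ACTION_READ, <second granted action>)`, would cover that path. It would need the setup in `AbstractEvaluationTest`, which is not visible in this hunk. The loops in `testSingle` and `testDuplicate` iterate `map.keySet()` and call `map.get(p)`, where iterating `map.entrySet()` would be tidier. The file also lacks a trailing newline.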
Modified: jackrabbit/oak/trunk/oak-parent/pom.xml
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-parent/pom.xml?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-parent/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-parent/pom.xml Wed Jul 29 14:21:18 2015
@@ -42,7 +42,7 @@
<project.reporting.outputEncoding>
${project.build.sourceEncoding}
</project.reporting.outputEncoding>
- <jackrabbit.version>2.10.1</jackrabbit.version>
+ <jackrabbit.version>2.10.2-SNAPSHOT</jackrabbit.version>
<mongo.host>127.0.0.1</mongo.host>
<mongo.port>27017</mongo.port>
<mongo.db>MongoMKDB</mongo.db>