Author: angela
Date: Tue Oct 6 16:27:36 2015
New Revision: 1707085
URL: http://svn.apache.org/viewvc?rev=1707085&view=rev
Log:
OAK-1268 : Add support for composite authorization setup (WIP)
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/AbstractCompositeProviderTest.java
- copied, changed from r1704492,
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderAllReverseTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderAllTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyReverseTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java
- copied, changed from r1704492,
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedReverseTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java
- copied, changed from r1705991,
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeReverseTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeReverseTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java
Removed:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/package-info.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsProvider.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java?rev=1707085&r1=1707084&r2=1707085&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java
Tue Oct 6 16:27:36 2015
@@ -178,17 +178,17 @@ class CugAccessControlManager extends Ab
//-------------------------------------< JackrabbitAccessControlManager
>---
public JackrabbitAccessControlPolicy[] getApplicablePolicies(Principal
principal) throws RepositoryException {
- // TODO
+ // editing by 'principal' is not supported
return new JackrabbitAccessControlPolicy[0];
}
public JackrabbitAccessControlPolicy[] getPolicies(Principal principal)
throws RepositoryException {
- // TODO
+ // editing by 'principal' is not supported
return new JackrabbitAccessControlPolicy[0];
}
public AccessControlPolicy[] getEffectivePolicies(Set<Principal>
principals) throws RepositoryException {
- // TODO
+ // editing by 'principal' is not supported
return new AccessControlPolicy[0];
}
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java?rev=1707085&r1=1707084&r2=1707085&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
Tue Oct 6 16:27:36 2015
@@ -162,6 +162,7 @@ class CugPermissionProvider implements A
}
//---------------------------------------< AggregatedPermissionProvider
>---
+ @Nonnull
@Override
public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable
PrivilegeBits privilegeBits) {
if (tree == null) {
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java?rev=1707085&r1=1707084&r2=1707085&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java
Tue Oct 6 16:27:36 2015
@@ -61,6 +61,11 @@ public class CugEvaluationTest extends A
private Root testRoot;
private Principal testGroupPrincipal;
+ private Tree content;
+ private Tree content2;
+ private Tree a;
+ private Tree c;
+
@Before
@Override
public void before() throws Exception {
@@ -79,6 +84,10 @@ public class CugEvaluationTest extends A
n.addChild("aa", NT_OAK_UNSTRUCTURED).addChild("bb",
NT_OAK_UNSTRUCTURED).addChild("cc", NT_OAK_UNSTRUCTURED);
// create cugs
+ // - /content/a : allow testGroup, deny everyone
+ // - /content/aa/bb : allow testGroup, deny everyone
+ // - /content/a/b/c : allow everyone, deny testGroup (isolated)
+ // - /content2 : allow everyone, deny testGroup (isolated)
createCug("/content/a", testGroupPrincipal);
createCug("/content/aa/bb", testGroupPrincipal);
createCug("/content/a/b/c", EveryonePrincipal.getInstance());
@@ -98,6 +107,11 @@ public class CugEvaluationTest extends A
root.commit();
+ content = root.getTree("/content");
+ content2 = root.getTree("/content2");
+ a = root.getTree("/content/a");
+ c = root.getTree("/content/a/b/c");
+
testSession = createTestSession();
testRoot = testSession.getLatestRoot();
}
@@ -130,6 +144,10 @@ public class CugEvaluationTest extends A
return
getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getPermissionProvider(root,
adminSession.getWorkspaceName(), principals);
}
+ private PermissionProvider createPermissionProvider(Principal...
principals) {
+ return
getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getPermissionProvider(root,
adminSession.getWorkspaceName(), ImmutableSet.copyOf(principals));
+ }
+
@Test
public void testRead() throws Exception {
List<String> noAccess = ImmutableList.of(
@@ -261,14 +279,9 @@ public class CugEvaluationTest extends A
}
@Test
- public void testIsGranted() throws Exception {
- Tree content = root.getTree("/content");
- Tree a = root.getTree("/content/a");
- Tree c = root.getTree("/content/a/b/c");
-
+ public void testIsGrantedTestGroup() throws Exception {
// testGroup
- Set<Principal> principals = ImmutableSet.of(testGroupPrincipal);
- PermissionProvider pp = createPermissionProvider(principals);
+ PermissionProvider pp = createPermissionProvider(testGroupPrincipal);
assertTrue(pp.isGranted(content, null, Permissions.READ));
assertTrue(pp.isGranted(a, null, Permissions.READ));
@@ -277,22 +290,28 @@ public class CugEvaluationTest extends A
assertTrue(pp.isGranted(content, null,
Permissions.READ_ACCESS_CONTROL));
assertTrue(pp.isGranted(a, null, Permissions.READ_ACCESS_CONTROL));
assertTrue(pp.isGranted(c, null, Permissions.READ_ACCESS_CONTROL));
+ }
+ @Test
+ public void testIsGrantedEveryone() throws Exception {
// everyone
- principals =
ImmutableSet.<Principal>of(EveryonePrincipal.getInstance());
- pp = createPermissionProvider(principals);
+ PermissionProvider pp =
createPermissionProvider(EveryonePrincipal.getInstance());
assertFalse(pp.isGranted(content, null, Permissions.READ));
+ assertFalse(pp.isGranted(content2, null, Permissions.READ));
assertFalse(pp.isGranted(a, null, Permissions.READ));
assertFalse(pp.isGranted(c, null, Permissions.READ));
assertFalse(pp.isGranted(content, null,
Permissions.READ_ACCESS_CONTROL));
+ assertFalse(pp.isGranted(content2, null,
Permissions.READ_ACCESS_CONTROL));
assertFalse(pp.isGranted(a, null, Permissions.READ_ACCESS_CONTROL));
assertFalse(pp.isGranted(c, null, Permissions.READ_ACCESS_CONTROL));
+ }
+ @Test
+ public void testIsGrantedTestGroupEveryone() throws Exception {
// testGroup + everyone
- principals = ImmutableSet.of(testGroupPrincipal,
EveryonePrincipal.getInstance());
- pp = createPermissionProvider(principals);
+ PermissionProvider pp = createPermissionProvider(testGroupPrincipal,
EveryonePrincipal.getInstance());
assertTrue(pp.isGranted(content, null, Permissions.READ));
assertTrue(pp.isGranted(a, null, Permissions.READ));
@@ -301,10 +320,12 @@ public class CugEvaluationTest extends A
assertTrue(pp.isGranted(content, null,
Permissions.READ_ACCESS_CONTROL));
assertTrue(pp.isGranted(a, null, Permissions.READ_ACCESS_CONTROL));
assertTrue(pp.isGranted(c, null, Permissions.READ_ACCESS_CONTROL));
+ }
+ @Test
+ public void testIsGrantedTestUserEveryone() throws Exception {
// testUser + everyone
- principals = ImmutableSet.of(getTestUser().getPrincipal(),
EveryonePrincipal.getInstance());
- pp = createPermissionProvider(principals);
+ PermissionProvider pp =
createPermissionProvider(getTestUser().getPrincipal(),
EveryonePrincipal.getInstance());
assertTrue(pp.isGranted(content, null, Permissions.READ));
assertFalse(pp.isGranted(a, null, Permissions.READ));
@@ -316,14 +337,9 @@ public class CugEvaluationTest extends A
}
@Test
- public void testHasPrivileges() throws Exception {
- Tree content = root.getTree("/content");
- Tree a = root.getTree("/content/a");
- Tree c = root.getTree("/content/a/b/c");
-
+ public void testHasPrivilegesTestGroup() throws Exception {
// testGroup
- Set<Principal> principals = ImmutableSet.of(testGroupPrincipal);
- PermissionProvider pp = createPermissionProvider(principals);
+ PermissionProvider pp = createPermissionProvider(testGroupPrincipal);
assertTrue(pp.hasPrivileges(content, PrivilegeConstants.JCR_READ));
assertTrue(pp.hasPrivileges(a, PrivilegeConstants.JCR_READ));
@@ -332,22 +348,28 @@ public class CugEvaluationTest extends A
assertTrue(pp.hasPrivileges(content, PrivilegeConstants.REP_WRITE,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
assertTrue(pp.hasPrivileges(a, PrivilegeConstants.REP_WRITE,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
assertTrue(pp.hasPrivileges(c, PrivilegeConstants.REP_WRITE,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ }
+ @Test
+ public void testHasPrivilegesEveryone() throws Exception {
// everyone
- principals =
ImmutableSet.<Principal>of(EveryonePrincipal.getInstance());
- pp = createPermissionProvider(principals);
+ PermissionProvider pp =
createPermissionProvider(EveryonePrincipal.getInstance());
assertFalse(pp.hasPrivileges(content, PrivilegeConstants.JCR_READ));
+ assertFalse(pp.hasPrivileges(content2, PrivilegeConstants.JCR_READ));
assertFalse(pp.hasPrivileges(a, PrivilegeConstants.JCR_READ));
assertFalse(pp.hasPrivileges(c, PrivilegeConstants.JCR_READ));
assertFalse(pp.hasPrivileges(content, PrivilegeConstants.REP_WRITE,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ assertFalse(pp.hasPrivileges(content2, PrivilegeConstants.REP_WRITE,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
assertFalse(pp.hasPrivileges(a, PrivilegeConstants.REP_WRITE,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
assertFalse(pp.hasPrivileges(c, PrivilegeConstants.REP_WRITE,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ }
+ @Test
+ public void testHasPrivilegesTestGroupEveryone() throws Exception {
// testGroup + everyone
- principals = ImmutableSet.of(testGroupPrincipal,
EveryonePrincipal.getInstance());
- pp = createPermissionProvider(principals);
+ PermissionProvider pp = createPermissionProvider(testGroupPrincipal,
EveryonePrincipal.getInstance());
assertTrue(pp.hasPrivileges(content, PrivilegeConstants.JCR_READ));
assertTrue(pp.hasPrivileges(a, PrivilegeConstants.JCR_READ));
@@ -356,10 +378,12 @@ public class CugEvaluationTest extends A
assertTrue(pp.hasPrivileges(content, PrivilegeConstants.REP_WRITE,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
assertTrue(pp.hasPrivileges(a, PrivilegeConstants.REP_WRITE,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
assertTrue(pp.hasPrivileges(c, PrivilegeConstants.REP_WRITE,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ }
+ @Test
+ public void testHasPrivilegesTestUserEveryone() throws Exception {
// testUser + everyone
- principals = ImmutableSet.of(getTestUser().getPrincipal(),
EveryonePrincipal.getInstance());
- pp = createPermissionProvider(principals);
+ PermissionProvider pp =
createPermissionProvider(getTestUser().getPrincipal(),
EveryonePrincipal.getInstance());
assertTrue(pp.hasPrivileges(content, PrivilegeConstants.JCR_READ));
assertFalse(pp.hasPrivileges(a, PrivilegeConstants.JCR_READ));
@@ -376,9 +400,9 @@ public class CugEvaluationTest extends A
Set<Principal> principals = ImmutableSet.of(testGroupPrincipal);
PermissionProvider pp = createPermissionProvider(principals);
- assertFalse(pp.hasPrivileges(root.getTree("/content"),
PrivilegeConstants.JCR_ALL));
- assertFalse(pp.hasPrivileges(root.getTree("/content/a"),
PrivilegeConstants.JCR_ALL));
- assertFalse(pp.hasPrivileges(root.getTree("/content/b/c"),
PrivilegeConstants.JCR_ALL));
+ assertFalse(pp.hasPrivileges(content, PrivilegeConstants.JCR_ALL));
+ assertFalse(pp.hasPrivileges(a, PrivilegeConstants.JCR_ALL));
+ assertFalse(pp.hasPrivileges(c, PrivilegeConstants.JCR_ALL));
}
@Test
@@ -390,8 +414,7 @@ public class CugEvaluationTest extends A
root.commit();
// testGroup
- Set<Principal> principals = ImmutableSet.of(testGroupPrincipal);
- PermissionProvider pp = createPermissionProvider(principals);
+ PermissionProvider pp = createPermissionProvider(testGroupPrincipal);
assertFalse(pp.hasPrivileges(root.getTree("/content"),
PrivilegeConstants.JCR_ALL));
assertTrue(pp.hasPrivileges(root.getTree("/content/a"),
PrivilegeConstants.JCR_ALL));
@@ -400,61 +423,64 @@ public class CugEvaluationTest extends A
}
@Test
- public void testHasAllPrivileges3() throws Exception {
+ public void testHasAllPrivilegesAdmin() throws Exception {
// admin principal
Set<Principal> principals = adminSession.getAuthInfo().getPrincipals();
PermissionProvider pp = createPermissionProvider(principals);
- assertTrue(pp.hasPrivileges(root.getTree("/content"),
PrivilegeConstants.JCR_ALL));
- assertTrue(pp.hasPrivileges(root.getTree("/content/a"),
PrivilegeConstants.JCR_ALL));
- assertTrue(pp.hasPrivileges(root.getTree("/content/a/b/c"),
PrivilegeConstants.JCR_ALL));
+ assertTrue(pp.hasPrivileges(content, PrivilegeConstants.JCR_ALL));
+ assertTrue(pp.hasPrivileges(a, PrivilegeConstants.JCR_ALL));
+ assertTrue(pp.hasPrivileges(c, PrivilegeConstants.JCR_ALL));
}
@Test
- public void testGetPrivileges() throws Exception {
- Tree content = root.getTree("/content");
- Tree content2 = root.getTree("/content2");
- Tree a = root.getTree("/content/a");
- Tree c = root.getTree("/content/a/b/c");
-
- Set<String> r = ImmutableSet.of(PrivilegeConstants.JCR_READ);
+ public void testGetPrivilegesTestGroup() throws Exception {
Set<String> w_rac = ImmutableSet.of(PrivilegeConstants.REP_WRITE,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
Set<String> r_w_rac = ImmutableSet.of(PrivilegeConstants.JCR_READ,
PrivilegeConstants.REP_WRITE, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
// testGroup
- Set<Principal> principals = ImmutableSet.of(testGroupPrincipal);
- PermissionProvider pp = createPermissionProvider(principals);
+ PermissionProvider pp = createPermissionProvider(testGroupPrincipal);
assertEquals(r_w_rac, pp.getPrivileges(content));
assertEquals(r_w_rac, pp.getPrivileges(a));
assertEquals(w_rac, pp.getPrivileges(c));
assertTrue(pp.getPrivileges(content2).isEmpty());
+ }
+ @Test
+ public void testGetPrivilegesEveryone() throws Exception {
// everyone
- principals =
ImmutableSet.<Principal>of(EveryonePrincipal.getInstance());
- pp = createPermissionProvider(principals);
+ PermissionProvider pp =
createPermissionProvider(EveryonePrincipal.getInstance());
assertTrue(pp.getPrivileges(content).isEmpty());
+ assertTrue(pp.getPrivileges(content2).isEmpty());
assertTrue(pp.getPrivileges(a).isEmpty());
- assertEquals(r, pp.getPrivileges(c));
- assertEquals(r, pp.getPrivileges(content2));
+ assertTrue(pp.getPrivileges(c).isEmpty());
+ }
+
+ @Test
+ public void testGetPrivilegesTestGroupEveryone() throws Exception {
+ Set<String> r_w_rac = ImmutableSet.of(PrivilegeConstants.JCR_READ,
PrivilegeConstants.REP_WRITE, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
// testGroup + everyone
- principals = ImmutableSet.of(testGroupPrincipal,
EveryonePrincipal.getInstance());
- pp = createPermissionProvider(principals);
+ PermissionProvider pp = createPermissionProvider(testGroupPrincipal,
EveryonePrincipal.getInstance());
assertEquals(r_w_rac, pp.getPrivileges(content));
assertEquals(r_w_rac, pp.getPrivileges(a));
assertEquals(r_w_rac, pp.getPrivileges(c));
- assertEquals(r, pp.getPrivileges(content2));
+ assertTrue(pp.getPrivileges(content2).isEmpty());
+ }
+ @Test
+ public void testGetPrivilegesTestUserEveryone() throws Exception {
// testUser + everyone
- principals = ImmutableSet.of(getTestUser().getPrincipal(),
EveryonePrincipal.getInstance());
- pp = createPermissionProvider(principals);
+ PermissionProvider pp =
createPermissionProvider(getTestUser().getPrincipal(),
EveryonePrincipal.getInstance());
+ Set<String> r = ImmutableSet.of(PrivilegeConstants.JCR_READ);
assertEquals(r, pp.getPrivileges(content));
- assertTrue(pp.getPrivileges(a).isEmpty());
assertEquals(r, pp.getPrivileges(c));
- assertEquals(r, pp.getPrivileges(content2));
+
+ assertTrue(pp.getPrivileges(a).isEmpty());
+ assertTrue(pp.getPrivileges(content2).isEmpty());
}
}
\ No newline at end of file
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java?rev=1707085&r1=1707084&r2=1707085&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java
Tue Oct 6 16:27:36 2015
@@ -28,6 +28,7 @@ import javax.jcr.security.AccessControlP
import javax.jcr.security.Privilege;
import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterators;
import com.google.common.collect.Lists;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
@@ -62,12 +63,12 @@ class CompositeAccessControlManager exte
@Nonnull
@Override
public Privilege[] getSupportedPrivileges(String absPath) throws
RepositoryException {
- ImmutableList.Builder<Privilege> privs = ImmutableList.builder();
+ ImmutableSet.Builder<Privilege> privs = ImmutableSet.builder();
for (AccessControlManager acMgr : acMgrs) {
privs.add(acMgr.getSupportedPrivileges(absPath));
}
- List<Privilege> l = privs.build();
- return l.toArray(new Privilege[l.size()]);
+ Set<Privilege> s = privs.build();
+ return s.toArray(new Privilege[s.size()]);
}
@Override
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java?rev=1707085&r1=1707084&r2=1707085&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java
Tue Oct 6 16:27:36 2015
@@ -93,17 +93,19 @@ class CompositePermissionProvider implem
PrivilegeBits supported =
aggregatedPermissionProvider.supportedPrivileges(immutableTree,
null).modifiable();
if (doEvaluate(supported)) {
PrivilegeBits granted =
privilegeBitsProvider.getBits(aggregatedPermissionProvider.getPrivileges(immutableTree));
- // make sure privs denied by a previous provider are
substracted
- if (!denied.isEmpty()) {
- result.add(granted.modifiable().diff(denied));
- } else {
+ // add the granted privileges to the result
+ if (!granted.isEmpty()) {
result.add(granted);
}
// update the set of denied privs by comparing the granted
privs
- // the complete set of supported privileges.
+ // with the complete set of supported privileges
denied.add(supported.diff(granted));
}
}
+ // subtract all denied privileges from the result
+ if (!denied.isEmpty()) {
+ result.diff(denied);
+ }
return privilegeBitsProvider.getPrivilegeNames(result);
}
@@ -111,6 +113,9 @@ class CompositePermissionProvider implem
public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String...
privilegeNames) {
Tree immutableTree = PermissionUtil.getImmutableTree(tree,
immutableRoot);
PrivilegeBits privilegeBits =
privilegeBitsProvider.getBits(privilegeNames);
+ if (privilegeBits.isEmpty()) {
+ return true;
+ }
boolean hasPrivileges = false;
PrivilegeBits coveredPrivs = PrivilegeBits.getInstance();
@@ -120,7 +125,7 @@ class CompositePermissionProvider implem
if (doEvaluate(supported)) {
Set<String> supportedNames =
privilegeBitsProvider.getPrivilegeNames(supported);
hasPrivileges =
aggregatedPermissionProvider.hasPrivileges(immutableTree,
supportedNames.toArray(new String[supportedNames.size()]));
- coveredPrivs.add(supported);;
+ coveredPrivs.add(supported);
if (!hasPrivileges) {
break;
@@ -218,26 +223,21 @@ class CompositePermissionProvider implem
private final class CompositeTreePermission implements TreePermission {
private final ImmutableTree tree;
- private final CompositeTreePermission parentPermission;
-
private final Map<AggregatedPermissionProvider, TreePermission> map;
private Boolean canRead;
private CompositeTreePermission() {
tree = null;
- parentPermission = null;
-
map = ImmutableMap.of();
}
private CompositeTreePermission(@Nonnull final ImmutableTree tree,
@Nonnull CompositeTreePermission parentPermission) {
this.tree = tree;
- this.parentPermission = parentPermission;
-
map = new LinkedHashMap<AggregatedPermissionProvider,
TreePermission>(pps.size());
for (AggregatedPermissionProvider provider : pps) {
- TreePermission tp = provider.getTreePermission(tree,
getParentPermission(provider));
+ // TODO: stop aggregation for providers that don't support
evaluation within this path
+ TreePermission tp = provider.getTreePermission(tree,
getParentPermission(parentPermission, provider));
map.put(provider, tp);
}
}
@@ -324,11 +324,9 @@ class CompositePermissionProvider implem
}
@Nonnull
- private TreePermission
getParentPermission(AggregatedPermissionProvider provider) {
- TreePermission parent = null;
- if (parentPermission != null) {
- parent = parentPermission.map.get(provider);
- }
+ private TreePermission getParentPermission(@Nonnull
CompositeTreePermission compositeParent,
+ @Nonnull
AggregatedPermissionProvider provider) {
+ TreePermission parent = compositeParent.map.get(provider);
return (parent == null) ? TreePermission.EMPTY : parent;
}
}
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1707085&r1=1707084&r2=1707085&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
Tue Oct 6 16:27:36 2015
@@ -116,6 +116,7 @@ public class PermissionProviderImpl impl
}
//---------------------------------------< AggregatedPermissionProvider
>---
+ @Nonnull
@Override
public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable
PrivilegeBits privilegeBits) {
return (privilegeBits != null) ? privilegeBits : new
PrivilegeBitsProvider(immutableRoot).getBits(PrivilegeConstants.JCR_ALL);
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.java?rev=1707085&r1=1707084&r2=1707085&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.java
Tue Oct 6 16:27:36 2015
@@ -32,6 +32,29 @@ import org.apache.jackrabbit.oak.spi.sec
*/
public interface AggregatedPermissionProvider extends PermissionProvider {
+ /**
+ * Allows to determined the set or subset of privileges evaluated by the
+ * implementing permission provider at the specified path or at the
repository
+ * level in case the specified {@code tree} is {@code null}.
+ *
+ * If the given {@code privilegeBits} is {@code null} an implementation
returns
+ * the complete set that is covered by the provider; otherwise the
supported
+ * subset of the specified {@code privilegeBits} is returned.
+ *
+ * Returning {@link PrivilegeBits#EMPTY} indicates that this implementation
+ * is not in charge of evaluating the specified privileges and thus will
+ * be ignored while computing the composite result of
+ * {@link
PermissionProvider#getPrivileges(org.apache.jackrabbit.oak.api.Tree)}
+ * or {@link
PermissionProvider#hasPrivileges(org.apache.jackrabbit.oak.api.Tree,
String...)}.
+ *
+ * @param tree The tree for which the privileges will be evaluated or
{@code null}
+ * for repository level privileges.
+ * @param privilegeBits The privilege(s) to be tested or {@code null}
+ * @return The set of privileges or the subset of the given {@code
privilegeBits}
+ * that are supported and evaluated by the the implementation at the given
{@code tree}
+ * represented as {@code PrivilegeBits}.
+ */
+ @Nonnull
PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable
PrivilegeBits privilegeBits);
long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState
property, long permissions);
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/package-info.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/package-info.java?rev=1707085&r1=1707084&r2=1707085&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/package-info.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/package-info.java
Tue Oct 6 16:27:36 2015
@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-@Version("2.0.1")
+@Version("2.0.2")
@Export(optional = "provide:=true")
package org.apache.jackrabbit.oak.spi.security.authorization.permission;
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsProvider.java?rev=1707085&r1=1707084&r2=1707085&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsProvider.java
Tue Oct 6 16:27:36 2015
@@ -28,10 +28,12 @@ import javax.jcr.RepositoryException;
import javax.jcr.security.Privilege;
import com.google.common.base.Function;
+import com.google.common.base.Predicates;
import com.google.common.collect.FluentIterable;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Sets;
+import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
@@ -88,21 +90,26 @@ public final class PrivilegeBitsProvider
*/
@Nonnull
public PrivilegeBits getBits(@Nonnull Iterable<String> privilegeNames) {
- if (!privilegeNames.iterator().hasNext()) {
+ if (Iterables.isEmpty(privilegeNames)) {
return PrivilegeBits.EMPTY;
}
- Tree privilegesTree = getPrivilegesTree();
- if (!privilegesTree.exists()) {
- return PrivilegeBits.EMPTY;
- }
+ Tree privilegesTree = null;
PrivilegeBits bits = PrivilegeBits.getInstance();
for (String privilegeName : privilegeNames) {
- if (privilegesTree.hasChild(privilegeName)) {
- Tree defTree = privilegesTree.getChild(privilegeName);
- bits.add(PrivilegeBits.getInstance(defTree));
+ PrivilegeBits builtIn = PrivilegeBits.BUILT_IN.get(privilegeName);
+ if (builtIn != null) {
+ bits.add(builtIn);
} else {
- log.debug("Ignoring privilege name " + privilegeName);
+ if (privilegesTree == null) {
+ privilegesTree = getPrivilegesTree();
+ }
+ if (privilegesTree.exists() &&
privilegesTree.hasChild(privilegeName)) {
+ Tree defTree = privilegesTree.getChild(privilegeName);
+ bits.add(PrivilegeBits.getInstance(defTree));
+ } else {
+ log.debug("Ignoring privilege name " + privilegeName);
+ }
}
}
return bits.unmodifiable();
@@ -117,7 +124,7 @@ public final class PrivilegeBitsProvider
*/
@Nonnull
public PrivilegeBits getBits(@Nonnull Privilege[] privileges, final
@Nonnull NameMapper nameMapper) {
- return getBits(Iterables.transform(Arrays.asList(privileges), new
Function<Privilege, String>() {
+ return
getBits(Iterables.filter(Iterables.transform(Arrays.asList(privileges), new
Function<Privilege, String>() {
@Override
public String apply(@Nullable Privilege privilege) {
@@ -131,7 +138,7 @@ public final class PrivilegeBitsProvider
// null privilege or failed to resolve the privilege name
return null;
}
- }));
+ }), Predicates.notNull()));
}
/**
@@ -247,8 +254,9 @@ public final class PrivilegeBitsProvider
if (!privTree.exists()) {
return;
}
- if (privTree.hasProperty(REP_AGGREGATES)) {
- for (String name :
privTree.getProperty(REP_AGGREGATES).getValue(Type.NAMES)) {
+ PropertyState aggregates = privTree.getProperty(REP_AGGREGATES);
+ if (aggregates != null) {
+ for (String name : aggregates.getValue(Type.NAMES)) {
if (NON_AGGREGATE_PRIVILEGES.contains(name)) {
aggSet.add(name);
} else if (aggregation.containsKey(name)) {
Copied:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/AbstractCompositeProviderTest.java
(from r1704492,
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java)
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/AbstractCompositeProviderTest.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/AbstractCompositeProviderTest.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java&r1=1704492&r2=1707085&rev=1707085&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/AbstractCompositeProviderTest.java
Tue Oct 6 16:27:36 2015
@@ -16,9 +16,250 @@
*/
package org.apache.jackrabbit.oak.security.authorization.composite;
+import java.security.Principal;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.jcr.security.AccessControlManager;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public abstract class AbstractCompositeProviderTest extends
AbstractSecurityTest implements NodeTypeConstants {
+
+ static final String ROOT_PATH = "/";
+ static final String TEST_PATH = "/test";
+ static final String TEST_CHILD_PATH = "/test/child";
+ static final String TEST_A_PATH = "/test/a";
+ static final String TEST_A_B_PATH = "/test/a/b";
+ static final String TEST_A_B_C_PATH = "/test/a/b/c";
+ static final String TEST_A_B2_PATH = "/test/a/b2";
+
+ static final String TEST_PATH_2 = "/test2";
+
+ static final String PROP_NAME = "propName";
+
+ static final List<String> NODE_PATHS = ImmutableList.of("/", TEST_PATH,
TEST_PATH_2, TEST_CHILD_PATH, TEST_A_PATH, TEST_A_B_PATH, TEST_A_B_C_PATH,
TEST_A_B2_PATH);
+
+ Map<String, Long> defPermissions;
+ Map<String, Set<String>> defPrivileges;
+
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ NodeUtil rootNode = new NodeUtil(root.getTree("/"));
+
+ NodeUtil test = rootNode.addChild("test", NT_OAK_UNSTRUCTURED);
+ test.setString(PROP_NAME, "strValue");
+ test.addChild("child", NT_OAK_UNSTRUCTURED).setString(PROP_NAME,
"strVal");
+ NodeUtil a = test.addChild("a", NT_OAK_UNSTRUCTURED);
+ a.addChild("b2", NT_OAK_UNSTRUCTURED);
+ a.addChild("b", NT_OAK_UNSTRUCTURED).addChild("c",
NT_OAK_UNSTRUCTURED).setString(PROP_NAME, "strVal");
+
+ rootNode.addChild("test2", NT_OAK_UNSTRUCTURED);
+
+ AccessControlManager acMgr = getAccessControlManager(root);
+ Principal everyone = EveryonePrincipal.getInstance();
+
+ allow(acMgr, everyone, null,
PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT,
PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT);
+ allow(acMgr, everyone, TEST_PATH, PrivilegeConstants.JCR_READ);
+ allow(acMgr, everyone, TEST_CHILD_PATH,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+
+ allow(acMgr, everyone, TEST_A_PATH, PrivilegeConstants.JCR_WRITE);
+ deny(acMgr, everyone, TEST_A_B_PATH,
PrivilegeConstants.REP_REMOVE_PROPERTIES, PrivilegeConstants.JCR_REMOVE_NODE);
+ deny(acMgr, everyone, TEST_A_B_C_PATH,
PrivilegeConstants.REP_READ_NODES);
+
+ root.commit();
+
+ defPermissions = ImmutableMap.<String, Long>builder().
+ put(TEST_PATH, Permissions.READ).
+ put(TEST_CHILD_PATH, Permissions.READ |
Permissions.READ_ACCESS_CONTROL).
+ put(TEST_A_PATH, Permissions.READ | Permissions.SET_PROPERTY |
Permissions.MODIFY_CHILD_NODE_COLLECTION).
+ put(TEST_A_B2_PATH, Permissions.READ | Permissions.WRITE |
Permissions.MODIFY_CHILD_NODE_COLLECTION).
+ put(TEST_A_B_PATH, Permissions.READ | Permissions.ADD_NODE |
Permissions.ADD_PROPERTY | Permissions.MODIFY_PROPERTY |
Permissions.MODIFY_CHILD_NODE_COLLECTION).
+ put(TEST_A_B_C_PATH, Permissions.READ_PROPERTY |
Permissions.ADD_NODE | Permissions.ADD_PROPERTY | Permissions.MODIFY_PROPERTY |
Permissions.MODIFY_CHILD_NODE_COLLECTION).
+ build();
+ defPrivileges = ImmutableMap.<String, Set<String>>builder().
+ put(ROOT_PATH, ImmutableSet.<String>of()).
+ put(TEST_PATH_2, ImmutableSet.<String>of()).
+ put(TEST_PATH, ImmutableSet.of(PrivilegeConstants.JCR_READ)).
+ put(TEST_CHILD_PATH,
ImmutableSet.of(PrivilegeConstants.JCR_READ,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL)).
+ put(TEST_A_PATH, ImmutableSet.of(PrivilegeConstants.JCR_READ,
PrivilegeConstants.JCR_WRITE)).
+ put(TEST_A_B2_PATH,
ImmutableSet.of(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_WRITE)).
+ put(TEST_A_B_PATH,
ImmutableSet.of(PrivilegeConstants.JCR_READ,
PrivilegeConstants.JCR_ADD_CHILD_NODES,
PrivilegeConstants.JCR_REMOVE_CHILD_NODES,
PrivilegeConstants.REP_ADD_PROPERTIES,
PrivilegeConstants.REP_ALTER_PROPERTIES)).
+ put(TEST_A_B_C_PATH,
ImmutableSet.of(PrivilegeConstants.REP_READ_PROPERTIES,
PrivilegeConstants.JCR_ADD_CHILD_NODES,
PrivilegeConstants.JCR_REMOVE_CHILD_NODES,
PrivilegeConstants.REP_ADD_PROPERTIES,
PrivilegeConstants.REP_ALTER_PROPERTIES)).
+ build();
+ }
+
+ @Override
+ public void after() throws Exception {
+ try {
+ root.refresh();
+ root.getTree(TEST_PATH).remove();
+ root.commit();
+ } finally {
+ super.after();
+ }
+ }
+
+ private static void allow(@Nonnull AccessControlManager acMgr,
+ @Nonnull Principal principal,
+ @Nullable String path,
+ @Nonnull String... privilegeNames) throws Exception {
+ JackrabbitAccessControlList acl =
AccessControlUtils.getAccessControlList(acMgr, path);
+ acl.addEntry(principal, AccessControlUtils.privilegesFromNames(acMgr,
privilegeNames), true);
+ acMgr.setPolicy(acl.getPath(), acl);
+ }
+
+ private static void deny(@Nonnull AccessControlManager acMgr,
+ @Nonnull Principal principal,
+ @Nullable String path,
+ @Nonnull String... privilegeNames) throws Exception {
+ JackrabbitAccessControlList acl =
AccessControlUtils.getAccessControlList(acMgr, path);
+ acl.addEntry(principal, AccessControlUtils.privilegesFromNames(acMgr,
privilegeNames), false);
+ acMgr.setPolicy(acl.getPath(), acl);
+ }
+
+ abstract AggregatedPermissionProvider getTestPermissionProvider();
+
+ boolean reverseOrder() {
+ return false;
+ }
+
+ private List<AggregatedPermissionProvider> getAggregatedProviders(@Nonnull
String workspaceName,
+ @Nonnull
AuthorizationConfiguration config,
+ @Nonnull
Set<Principal> principals) {
+ if (reverseOrder()) {
+ return ImmutableList.of(
+ (AggregatedPermissionProvider)
config.getPermissionProvider(root, workspaceName, principals),
+ getTestPermissionProvider());
+ } else {
+ return ImmutableList.of(
+ (AggregatedPermissionProvider)
config.getPermissionProvider(root, workspaceName, principals),
+ getTestPermissionProvider());
+ }
+ }
+
+
+ CompositePermissionProvider createPermissionProvider(Principal...
principals) {
+ return createPermissionProvider(ImmutableSet.copyOf(principals));
+ }
+
+ CompositePermissionProvider createPermissionProvider(Set<Principal>
principals) {
+ String workspaceName = root.getContentSession().getWorkspaceName();
+ AuthorizationConfiguration config =
getConfig(AuthorizationConfiguration.class);
+ return new CompositePermissionProvider(root,
getAggregatedProviders(workspaceName, config, principals), config.getContext());
+ }
+
+ @Test
+ public void testHasPrivilegesJcrAll() throws Exception {
+ PermissionProvider pp = createPermissionProvider();
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+
+ assertFalse(p, pp.hasPrivileges(tree, PrivilegeConstants.JCR_ALL));
+ }
+ }
+
+ @Test
+ public void testHasPrivilegesNone() throws Exception {
+ PermissionProvider pp = createPermissionProvider();
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+
+ assertTrue(p, pp.hasPrivileges(tree));
+ }
+ }
+
+ @Test
+ public void testHasPrivilegesOnRepoJcrAll() throws Exception {
+ PermissionProvider pp = createPermissionProvider();
+ assertFalse(pp.hasPrivileges(null, PrivilegeConstants.JCR_ALL));
+ }
+
+ @Test
+ public void testHasPrivilegesOnRepoNone() throws Exception {
+ PermissionProvider pp = createPermissionProvider();
+ assertTrue(pp.hasPrivileges(null));
+ }
+
+ @Test
+ public void testIsGrantedAll() throws Exception {
+ PermissionProvider pp = createPermissionProvider();
+
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+ PropertyState ps = tree.getProperty(JcrConstants.JCR_PRIMARYTYPE);
+
+ assertFalse(p, pp.isGranted(tree, null, Permissions.ALL));
+ assertFalse(PathUtils.concat(p, JcrConstants.JCR_PRIMARYTYPE),
pp.isGranted(tree, ps, Permissions.ALL));
+ }
+ }
+
+ @Test
+ public void testIsGrantedNone() throws Exception {
+ PermissionProvider pp = createPermissionProvider();
+
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+ PropertyState ps = tree.getProperty(JcrConstants.JCR_PRIMARYTYPE);
+
+ assertFalse(p, pp.isGranted(tree, null,
Permissions.NO_PERMISSION));
+ assertFalse(PathUtils.concat(p, JcrConstants.JCR_PRIMARYTYPE),
pp.isGranted(tree, ps, Permissions.NO_PERMISSION));
+ }
+ }
+
+ @Test
+ public void testGetTreePermissionInstance() throws Exception {
+ TreePermission parentPermission = TreePermission.EMPTY;
+
+ List<String> paths = ImmutableList.of("/", TEST_PATH, TEST_CHILD_PATH,
TEST_CHILD_PATH + "/nonexisting");
+ for (String path : paths) {
+ TreePermission tp =
createPermissionProvider().getTreePermission(root.getTree(path),
parentPermission);
+
assertTrue(tp.getClass().getName().endsWith("CompositeTreePermission"));
+ parentPermission = tp;
+ }
+ }
-public class CompositePermissionProviderTest extends AbstractSecurityTest {
+ @Test
+ public void testGetRepositoryPermissionInstance() throws Exception {
+ RepositoryPermission rp =
createPermissionProvider().getRepositoryPermission();
+
assertTrue(rp.getClass().getName().endsWith("CompositeRepositoryPermission"));
+ }
- // TODO
+ @Test
+ public void testRepositoryPermissionIsNotGranted() throws Exception {
+ RepositoryPermission rp =
createPermissionProvider().getRepositoryPermission();
+ assertFalse(rp.isGranted(Permissions.PRIVILEGE_MANAGEMENT));
+
assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT|Permissions.PRIVILEGE_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.WORKSPACE_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.ALL));
+ assertFalse(rp.isGranted(Permissions.NO_PERMISSION));
+ }
}
\ No newline at end of file
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java?rev=1707085&r1=1707084&r2=1707085&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java
Tue Oct 6 16:27:36 2015
@@ -16,7 +16,6 @@
*/
package org.apache.jackrabbit.oak.security.authorization.composite;
-
import java.util.Collections;
import java.util.List;
import java.util.Set;
@@ -29,8 +28,12 @@ import javax.jcr.security.Privilege;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import
org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner;
@@ -57,12 +60,14 @@ public class CompositeAccessControlManag
NodeUtil node = new NodeUtil(root.getTree("/"));
node.addChild("test", NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+
root.commit();
}
@Override
public void after() throws Exception {
try {
+ root.refresh();
root.getTree(TEST_PATH).remove();
root.commit();
} finally {
@@ -73,13 +78,12 @@ public class CompositeAccessControlManag
@Test
public void testGetSupportedPrivileges() throws Exception {
Set<Privilege> expected =
ImmutableSet.copyOf(getPrivilegeManager(root).getRegisteredPrivileges());
- Set<Privilege> result =
ImmutableSet.copyOf(acMgr.getSupportedPrivileges(TEST_PATH));
+ Set<Privilege> result =
ImmutableSet.copyOf(acMgr.getSupportedPrivileges("/"));
assertEquals(expected, result);
- }
- @Test
- public void testPrivilegeFromName() {
- // TODO
+ result = Sets.newHashSet(acMgr.getSupportedPrivileges(TEST_PATH));
+ assertTrue(result.containsAll(expected));
+ assertTrue(result.contains(TestPrivilege.INSTANCE));
}
@Test
@@ -91,12 +95,9 @@ public class CompositeAccessControlManag
}
}
- boolean found = false;
- it = acMgr.getApplicablePolicies(TEST_PATH);
- while (!found && it.hasNext()) {
- found = (it.nextAccessControlPolicy() == TestPolicy.INSTANCE);
- }
- assertTrue(found);
+ Set<AccessControlPolicy> applicable =
ImmutableSet.copyOf(acMgr.getApplicablePolicies(TEST_PATH));
+ assertEquals(2, applicable.size());
+ assertTrue(applicable.contains(TestPolicy.INSTANCE));
}
@Test
@@ -131,18 +132,67 @@ public class CompositeAccessControlManag
}
@Test
- public void testGetEffectivePolicies() {
- // TODO
+ public void testGetEffectivePolicies() throws Exception {
+ AccessControlPolicy[] effective =
acMgr.getEffectivePolicies(TEST_PATH);
+ assertEquals(0, effective.length);
+
+ AccessControlPolicyIterator it =
acMgr.getApplicablePolicies(TEST_PATH);
+ while (it.hasNext()) {
+ AccessControlPolicy plc = it.nextAccessControlPolicy();
+ acMgr.setPolicy(TEST_PATH, plc);
+ }
+ root.commit();
+ assertEquals(2, acMgr.getEffectivePolicies(TEST_PATH).length);
+
+ Tree child = root.getTree(TEST_PATH).addChild("child");
+ child.setProperty(JcrConstants.JCR_PRIMARYTYPE,
NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+
+ assertEquals(1, acMgr.getEffectivePolicies(child.getPath()).length);
}
@Test
- public void testSetPolicy() {
- // TODO
+ public void testSetPolicyAtRoot() throws Exception {
+ AccessControlPolicyIterator it = acMgr.getApplicablePolicies("/");
+ int cnt = 0;
+ while (it.hasNext()) {
+ AccessControlPolicy plc = it.nextAccessControlPolicy();
+ assertTrue(plc instanceof JackrabbitAccessControlList);
+ acMgr.setPolicy("/", plc);
+ cnt++;
+ }
+ assertEquals(1, cnt);
}
@Test
- public void testRemovePolicy() {
- // TODO
+ public void testSetPolicyAtTestPath() throws Exception {
+ AccessControlPolicyIterator it =
acMgr.getApplicablePolicies(TEST_PATH);
+ int cnt = 0;
+ while (it.hasNext()) {
+ AccessControlPolicy plc = it.nextAccessControlPolicy();
+ acMgr.setPolicy(TEST_PATH, plc);
+ cnt++;
+ }
+ assertEquals(2, cnt);
+ }
+
+ @Test
+ public void testRemovePolicy() throws Exception {
+ AccessControlPolicyIterator it =
acMgr.getApplicablePolicies(TEST_PATH);
+ while (it.hasNext()) {
+ AccessControlPolicy plc = it.nextAccessControlPolicy();
+ acMgr.setPolicy(TEST_PATH, plc);
+ }
+ root.commit();
+
+ acMgr.removePolicy(TEST_PATH, TestPolicy.INSTANCE);
+ root.commit();
+
+ assertEquals(1, acMgr.getPolicies(TEST_PATH).length);
+
+ acMgr.removePolicy(TEST_PATH, acMgr.getPolicies(TEST_PATH)[0]);
+ root.commit();
+
+ assertEquals(0, acMgr.getPolicies(TEST_PATH).length);
}
@@ -150,9 +200,19 @@ public class CompositeAccessControlManag
private boolean hasPolicy = false;
+ private final Privilege[] supported;
+
+ private TestAcMgr() {
+ this.supported = new Privilege[] {TestPrivilege.INSTANCE};
+ }
+
@Override
public Privilege[] getSupportedPrivileges(String absPath) {
- return new Privilege[0];
+ if (TEST_PATH.equals(absPath)) {
+ return supported;
+ } else {
+ return new Privilege[0];
+ }
}
@Override
@@ -173,7 +233,7 @@ public class CompositeAccessControlManag
@Override
public AccessControlPolicy[] getPolicies(String absPath) {
if (TEST_PATH.equals(absPath) && hasPolicy) {
- return new AccessControlPolicy[] {TestPolicy.INSTANCE};
+ return TestPolicy.asPolicyArray();
} else {
return new AccessControlPolicy[0];
}
@@ -182,7 +242,7 @@ public class CompositeAccessControlManag
@Override
public AccessControlPolicy[] getEffectivePolicies(String absPath) {
if (TEST_PATH.equals(absPath) && hasPolicy) {
- return new AccessControlPolicy[] {TestPolicy.INSTANCE};
+ return TestPolicy.asPolicyArray();
} else {
return new AccessControlPolicy[0];
}
@@ -224,6 +284,41 @@ public class CompositeAccessControlManag
private static final class TestPolicy implements AccessControlPolicy {
- private static final TestPolicy INSTANCE = new TestPolicy();
+ static final TestPolicy INSTANCE = new TestPolicy();
+
+ static AccessControlPolicy[] asPolicyArray() {
+ return new AccessControlPolicy[] {INSTANCE};
+ }
+ }
+
+ private static final class TestPrivilege implements Privilege {
+
+ static final String NAME = TestPrivilege.class.getName() +
"-privilege";
+ static final Privilege INSTANCE = new TestPrivilege();
+
+ @Override
+ public String getName() {
+ return NAME;
+ }
+
+ @Override
+ public boolean isAbstract() {
+ return false;
+ }
+
+ @Override
+ public boolean isAggregate() {
+ return false;
+ }
+
+ @Override
+ public Privilege[] getDeclaredAggregatePrivileges() {
+ return new Privilege[0];
+ }
+
+ @Override
+ public Privilege[] getAggregatePrivileges() {
+ return new Privilege[0];
+ }
}
}
\ No newline at end of file
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderAllReverseTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderAllReverseTest.java?rev=1707085&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderAllReverseTest.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderAllReverseTest.java
Tue Oct 6 16:27:36 2015
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.composite;
+
+/**
+ * Same as {@link CompositeProviderAllTest}
+ * with reverse order of the aggregated providers.
+ */
+public class CompositeProviderAllReverseTest extends CompositeProviderAllTest {
+
+ @Override
+ boolean reverseOrder() {
+ return true;
+ }
+}
\ No newline at end of file
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderAllTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderAllTest.java?rev=1707085&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderAllTest.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderAllTest.java
Tue Oct 6 16:27:36 2015
@@ -0,0 +1,217 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.composite;
+
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.OpenPermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Test the effect of the combination of
+ *
+ * - default permission provider (which a limited permission setup)
+ * - custom provider that always grants full access and supports all
permissions.
+ *
+ * for the {@link #getTestUser()}.
+ *
+ * The expected result is only the subset of permissions granted by the default
+ * provider. The test user must never have full access anywhere.
+ */
+public class CompositeProviderAllTest extends AbstractCompositeProviderTest {
+
+ private CompositePermissionProvider cpp;
+
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ cpp = createPermissionProvider(getTestUser().getPrincipal(),
EveryonePrincipal.getInstance());
+ }
+
+ @Override
+ protected AggregatedPermissionProvider getTestPermissionProvider() {
+ return new OpenAggregateProvider(root);
+ }
+
+ @Test
+ public void testGetPrivileges() throws Exception {
+ for (String p : defPrivileges.keySet()) {
+ Set<String> expected = defPrivileges.get(p);
+ Tree tree = root.getTree(p);
+
+ assertEquals(p, expected, cpp.getPrivileges(tree));
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesOnRepo() throws Exception {
+ Set<String> privilegeNames = cpp.getPrivileges(null);
+
assertEquals(ImmutableSet.of(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT,
PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT), privilegeNames);
+ }
+
+
+ @Test
+ public void testHasPrivileges() throws Exception {
+ for (String p : defPrivileges.keySet()) {
+ Set<String> expected = defPrivileges.get(p);
+ Tree tree = root.getTree(p);
+
+ assertTrue(p, cpp.hasPrivileges(tree, expected.toArray(new
String[expected.size()])));
+ }
+ }
+
+
+ @Test
+ public void testHasPrivilegesOnRepo() throws Exception {
+ assertTrue(cpp.hasPrivileges(null,
PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT,
PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+ }
+
+
+ @Test
+ public void testIsGranted() throws Exception {
+ for (String p : defPermissions.keySet()) {
+ long expected = defPermissions.get(p);
+ Tree tree = root.getTree(p);
+
+ assertTrue(p, cpp.isGranted(tree, null, expected));
+ }
+ }
+
+ @Test
+ public void testIsGrantedProperty() throws Exception {
+ // TODO
+ }
+
+ @Test
+ public void testIsGrantedAction() throws Exception {
+ // TODO
+ }
+
+ @Test
+ public void testRepositoryPermissionsIsGranted() throws Exception {
+ RepositoryPermission rp = cpp.getRepositoryPermission();
+ assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+ assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT |
Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ }
+
+ @Test
+ public void testGetTreePermission() throws Exception {
+ // TODO
+ }
+
+ /**
+ * Custom permission provider that supports all permissions and grants
+ * full access for everyone.
+ */
+ private static final class OpenAggregateProvider implements
AggregatedPermissionProvider {
+
+ private static final PermissionProvider BASE =
OpenPermissionProvider.getInstance();
+ private final Root root;
+
+ private OpenAggregateProvider(@Nonnull Root root) {
+ this.root = root;
+ }
+
+ @Nonnull
+ @Override
+ public PrivilegeBits supportedPrivileges(@Nullable Tree tree,
@Nullable PrivilegeBits privilegeBits) {
+ return new
PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL);
+ }
+
+ //-----------------------------------< AggregatedPermissionProvider
>---
+ @Override
+ public long supportedPermissions(@Nullable Tree tree, @Nullable
PropertyState property, long permissions) {
+ return permissions;
+ }
+
+ @Override
+ public long supportedPermissions(@Nonnull TreeLocation location, long
permissions) {
+ return permissions;
+ }
+
+ @Override
+ public long supportedPermissions(@Nonnull TreePermission
treePermission, long permissions) {
+ return permissions;
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull TreeLocation location, long
permissions) {
+ return true;
+ }
+
+ //---------------------------------------------< PermissionProvider
>---
+ @Override
+ public void refresh() {
+ root.refresh();
+ }
+
+ @Nonnull
+ @Override
+ public Set<String> getPrivileges(@Nullable Tree tree) {
+ return BASE.getPrivileges(tree);
+ }
+
+ @Override
+ public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String...
privilegeNames) {
+ return BASE.hasPrivileges(tree, privilegeNames);
+ }
+
+ @Nonnull
+ @Override
+ public RepositoryPermission getRepositoryPermission() {
+ return BASE.getRepositoryPermission();
+ }
+
+ @Nonnull
+ @Override
+ public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull
TreePermission parentPermission) {
+ return BASE.getTreePermission(tree, parentPermission);
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState
property, long permissions) {
+ return BASE.isGranted(tree, property, permissions);
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull String oakPath, @Nonnull String
jcrActions) {
+ return BASE.isGranted(oakPath, jcrActions);
+ }
+ };
+}
\ No newline at end of file
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyReverseTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyReverseTest.java?rev=1707085&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyReverseTest.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyReverseTest.java
Tue Oct 6 16:27:36 2015
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.composite;
+
+/**
+ * Same as {@link CompositeProviderEmptyTest}
+ * with reverse order of the aggregated providers.
+ */
+public class CompositeProviderEmptyReverseTest extends
CompositeProviderEmptyTest {
+
+ @Override
+ boolean reverseOrder() {
+ return true;
+ }
+}
\ No newline at end of file
Copied:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java
(from r1704492,
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java)
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java&r1=1704492&r2=1707085&rev=1707085&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java
Tue Oct 6 16:27:36 2015
@@ -16,9 +16,240 @@
*/
package org.apache.jackrabbit.oak.security.authorization.composite;
-import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.jcr.Session;
-public class CompositePermissionProviderTest extends AbstractSecurityTest {
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.util.Text;
+import org.junit.Test;
- // TODO
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Test the effect of the combination of
+ *
+ * - default permission provider, which always grants full access to an
administrative session.
+ * - custom provider that prevents all access but supports all permissions and
+ * thus is always called during composite evaluation.
+ *
+ * The tests are executed with the set of principals associated with the admin
session,
+ * which in the default permission provider is granted full access.
+ *
+ * The expected outcome is that despite the default provider granting full
access,
+ * the combination effectively prevents any access.
+ */
+public class CompositeProviderEmptyTest extends AbstractCompositeProviderTest {
+
+ private CompositePermissionProvider cpp;
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+ cpp =
createPermissionProvider(root.getContentSession().getAuthInfo().getPrincipals());
+ }
+
+ @Override
+ protected AggregatedPermissionProvider getTestPermissionProvider() {
+ return new EmptyAggregatedProvider(root);
+ }
+
+ @Test
+ public void testGetPrivileges() throws Exception {
+ for (String p : NODE_PATHS) {
+ assertTrue(cpp.getPrivileges(root.getTree(p)).isEmpty());
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesOnRepo() throws Exception {
+ assertTrue(cpp.getPrivileges(null).isEmpty());
+ }
+
+ @Test
+ public void testHasPrivileges() throws Exception {
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+
+ assertFalse(cpp.hasPrivileges(tree, PrivilegeConstants.JCR_READ));
+ assertFalse(cpp.hasPrivileges(tree, PrivilegeConstants.JCR_WRITE));
+ assertFalse(cpp.hasPrivileges(tree,
PrivilegeConstants.REP_READ_NODES));
+ }
+ }
+
+ @Test
+ public void testHasPrivilegesOnRepo() throws Exception {
+ assertFalse(cpp.hasPrivileges(null,
PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT));
+ }
+
+
+ @Test
+ public void testIsGranted() throws Exception {
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+ PropertyState ps = tree.getProperty(JcrConstants.JCR_PRIMARYTYPE);
+
+ assertFalse(cpp.isGranted(tree, null, Permissions.READ_NODE));
+ assertFalse(cpp.isGranted(tree, ps, Permissions.READ_PROPERTY));
+
+ assertFalse(cpp.isGranted(tree, null, Permissions.READ_NODE |
Permissions.MODIFY_CHILD_NODE_COLLECTION));
+ assertFalse(cpp.isGranted(tree, ps, Permissions.MODIFY_PROPERTY));
+
+ assertFalse(cpp.isGranted(tree, null,
Permissions.READ_ACCESS_CONTROL | Permissions.MODIFY_ACCESS_CONTROL));
+ assertFalse(cpp.isGranted(tree, ps,
Permissions.READ_ACCESS_CONTROL | Permissions.MODIFY_ACCESS_CONTROL));
+ }
+ }
+
+ @Test
+ public void testIsGrantedProperty() throws Exception {
+ // TODO
+ }
+
+ @Test
+ public void testIsGrantedAction() throws Exception {
+ for (String nodePath : NODE_PATHS) {
+ String propPath = PathUtils.concat(nodePath,
JcrConstants.JCR_PRIMARYTYPE);
+ String nonExisting = PathUtils.concat(nodePath, "nonExisting");
+
+ assertFalse(cpp.isGranted(nodePath, Session.ACTION_REMOVE));
+ assertFalse(cpp.isGranted(propPath,
JackrabbitSession.ACTION_MODIFY_PROPERTY));
+
+ assertFalse(cpp.isGranted(nodePath, Text.implode(new String[]
{JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL,
JackrabbitSession.ACTION_READ_ACCESS_CONTROL}, ",")));
+ assertFalse(cpp.isGranted(nonExisting,
JackrabbitSession.ACTION_ADD_PROPERTY));
+ assertFalse(cpp.isGranted(nonExisting, Session.ACTION_ADD_NODE));
+ }
+ }
+
+ @Test
+ public void testRepositoryPermissionsIsGranted() throws Exception {
+ RepositoryPermission rp = cpp.getRepositoryPermission();
+ assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ }
+
+ @Test
+ public void testGetTreePermission() throws Exception {
+ TreePermission rootPermission =
assertTreePermission(root.getTree("/"), TreePermission.EMPTY);
+ TreePermission testPermission =
assertTreePermission(root.getTree(TEST_PATH), rootPermission);
+ assertTreePermission(root.getTree(TEST_CHILD_PATH), testPermission);
+ }
+
+ private TreePermission assertTreePermission(@Nonnull Tree tree, @Nonnull
TreePermission parentPermission) {
+ PropertyState ps = tree.getProperty(JcrConstants.JCR_PRIMARYTYPE);
+ assertNotNull(ps);
+
+ TreePermission treePermission = cpp.getTreePermission(tree,
parentPermission);
+
+ assertFalse(treePermission.isGranted(Permissions.ALL));
+ assertFalse(treePermission.isGranted(Permissions.READ_NODE));
+ assertFalse(treePermission.isGranted(Permissions.REMOVE_NODE));
+ assertFalse(treePermission.isGranted(Permissions.REMOVE_NODE));
+
+ assertFalse(treePermission.isGranted(Permissions.READ_PROPERTY, ps));
+ assertFalse(treePermission.isGranted(Permissions.REMOVE_PROPERTY, ps));
+
+ assertFalse(treePermission.canRead());
+ assertFalse(treePermission.canRead(ps));
+ assertFalse(treePermission.canReadAll());
+ assertFalse(treePermission.canReadProperties());
+
+ return treePermission;
+ }
+
+ /**
+ * {@code AggregatedPermissionProvider} that doesn't grant any access.
+ */
+ private static final class EmptyAggregatedProvider implements
AggregatedPermissionProvider {
+
+ private static final PermissionProvider BASE =
EmptyPermissionProvider.getInstance();
+ private final Root root;
+
+ private EmptyAggregatedProvider(@Nonnull Root root) {
+ this.root = root;
+ }
+
+ //---------------------------------------------< PermissionProvider
>---
+ @Override
+ public void refresh() {
+ root.refresh();
+ }
+
+ @Nonnull
+ @Override
+ public Set<String> getPrivileges(@Nullable Tree tree) {
+ return BASE.getPrivileges(tree);
+ }
+
+ @Override
+ public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String...
privilegeNames) {
+ return BASE.hasPrivileges(tree, privilegeNames);
+ }
+
+ @Nonnull
+ @Override
+ public RepositoryPermission getRepositoryPermission() {
+ return BASE.getRepositoryPermission();
+ }
+
+ @Nonnull
+ @Override
+ public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull
TreePermission parentPermission) {
+ return BASE.getTreePermission(tree, parentPermission);
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState
property, long permissions) {
+ return BASE.isGranted(tree, property, permissions);
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull String oakPath, @Nonnull String
jcrActions) {
+ return BASE.isGranted(oakPath, jcrActions);
+ }
+
+ //-----------------------------------< AggregatedPermissionProvider
>---
+ @Nonnull
+ @Override
+ public PrivilegeBits supportedPrivileges(@Nullable Tree tree,
@Nullable PrivilegeBits privilegeBits) {
+ return (privilegeBits == null) ? new
PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL) : privilegeBits;
+ }
+
+ @Override
+ public long supportedPermissions(@Nullable Tree tree, @Nullable
PropertyState property, long permissions) {
+ return permissions;
+ }
+
+ @Override
+ public long supportedPermissions(@Nonnull TreeLocation location, long
permissions) {
+ return permissions;
+ }
+
+ @Override
+ public long supportedPermissions(@Nonnull TreePermission
treePermission, long permissions) {
+ return permissions;
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull TreeLocation location, long
permissions) {
+ return false;
+ }
+ };
}
\ No newline at end of file
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedReverseTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedReverseTest.java?rev=1707085&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedReverseTest.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedReverseTest.java
Tue Oct 6 16:27:36 2015
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.composite;
+
+/**
+ * Same as {@link CompositeProviderLimitedTest}
+ * with reverse order of the aggregated providers.
+ */
+public class CompositeProviderLimitedReverseTest extends
CompositeProviderLimitedTest {
+
+ @Override
+ boolean reverseOrder() {
+ return true;
+ }
+}
\ No newline at end of file
