Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/LimitedScopeProvider.java (from r1708074, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java) URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/LimitedScopeProvider.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/LimitedScopeProvider.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java&r1=1708074&r2=1708563&rev=1708563&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java (original) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/LimitedScopeProvider.java Wed Oct 14 09:02:49 2015 @@ -16,13 +16,12 @@ */ package org.apache.jackrabbit.oak.security.authorization.composite; -import java.util.Arrays; import java.util.Set; import javax.annotation.Nonnull; import javax.annotation.Nullable; -import javax.jcr.Session; import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Sets; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; @@ -33,40 +32,44 @@ import org.apache.jackrabbit.oak.spi.sec import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission; import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; -import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; import org.apache.jackrabbit.oak.spi.state.NodeState; import org.apache.jackrabbit.util.Text; /** * Test implementation of the {@code AggregatedPermissionProvider} with following - * characteristics: + * characteristics. It has a limited scope and supports * - * If {@code supportsAll} is {@code true} this provider supports all permissions - * but only grants {@link Permissions#NAMESPACE_MANAGEMENT} on repository level - * and {@link Permissions#READ_NODE} on regular items. - * In this case the provider will always be respected for evaluation and will - * therefore cause the final result to be always restricted to the permissions - * granted by this provider. - * - * If {@code supportsAll} is {@code false} this provider supports - * - {@link Permissions#NAMESPACE_MANAGEMENT} on repository level - * - {@link Permissions#READ_NODE} at the tree defined by {@link AbstractCompositeProviderTest#TEST_A_PATH} + * - {@link Permissions#NAMESPACE_MANAGEMENT} and {@link Permissions#NODE_TYPE_DEFINITION_MANAGEMENT} on repository level + * - {@link Permissions#WRITE} at the tree defined by {@link AbstractCompositeProviderTest#TEST_A_PATH} * - {@link Permissions#NO_PERMISSION} everywhere else. - * The permissions granted are the same as above. Due to the limited scope - * however, the provider will in this case only respected for evaluation at - * the supported paths (and at the repo level). The final result will restricted - * to the permissions granted by this provider at the supported paths. For all - * other paths the access limitations of this provider have no effect. + * + * The permission setup defined by this provider is as follows: + * + * At the repository level + * - {@link Permissions#NAMESPACE_MANAGEMENT} is denied + * - {@link Permissions#NODE_TYPE_DEFINITION_MANAGEMENT} is allowed + * + * At {@link AbstractCompositeProviderTest#TEST_A_PATH} + * - {@link Permissions#ADD_NODE} and {@link Permissions#ADD_PROPERTY} is denied + * - all other aggregates of {@link Permissions#WRITE} are allowed. + * - any other permissions are ignored + * + * Consequently any path outside of the scope of this provider is not affected + * by the permission setup. */ -class TestPermissionProvider implements AggregatedPermissionProvider { +class LimitedScopeProvider implements AggregatedPermissionProvider, PrivilegeConstants { + + private static final Set<String> grantedPrivs = ImmutableSet.of(JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE, REP_ALTER_PROPERTIES, REP_REMOVE_PROPERTIES); + private static final Set<String> deniedPrivs = ImmutableSet.of(JCR_ADD_CHILD_NODES, REP_ADD_PROPERTIES); + + private static final long grantedPerms = Permissions.REMOVE_NODE | Permissions.REMOVE_PROPERTY | Permissions.MODIFY_PROPERTY; + private static final long deniedPerms = Permissions.ADD_NODE | Permissions.ADD_PROPERTY; private final Root root; - private final boolean supportsAll; - TestPermissionProvider(@Nonnull Root root, boolean supportsAll) { + LimitedScopeProvider(@Nonnull Root root) { this.root = root; - this.supportsAll = supportsAll; } //-------------------------------------------------< PermissionProvider >--- @@ -79,24 +82,32 @@ class TestPermissionProvider implements @Override public Set<String> getPrivileges(@Nullable Tree tree) { if (tree == null) { - return ImmutableSet.of(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT); + return ImmutableSet.of(JCR_NODE_TYPE_DEFINITION_MANAGEMENT); } else if (isSupported(tree)) { - return ImmutableSet.of(PrivilegeConstants.REP_READ_NODES); + return ImmutableSet.of(JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE, REP_ALTER_PROPERTIES, REP_REMOVE_PROPERTIES); } else { return ImmutableSet.of(); } - } @Override public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) { + Set<String> pSet = Sets.newHashSet(privilegeNames); if (tree == null) { - return Arrays.equals(new String[]{PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT}, privilegeNames); + if (pSet.contains(JCR_NAMESPACE_MANAGEMENT)) { + return false; + } else { + return pSet.size() == 1 && pSet.contains(JCR_NODE_TYPE_DEFINITION_MANAGEMENT); + } } else if (isSupported(tree)) { - return Arrays.equals(new String[]{PrivilegeConstants.REP_READ_NODES}, privilegeNames); - } else { - return false; + if (pSet.removeAll(deniedPrivs)) { + return false; + } else if (pSet.removeAll(grantedPrivs)) { + return pSet.isEmpty(); + } } + + return false; } @Nonnull @@ -105,7 +116,7 @@ class TestPermissionProvider implements return new RepositoryPermission() { @Override public boolean isGranted(long repositoryPermissions) { - return Permissions.NAMESPACE_MANAGEMENT == repositoryPermissions; + return Permissions.NODE_TYPE_DEFINITION_MANAGEMENT == repositoryPermissions; } }; } @@ -113,76 +124,90 @@ class TestPermissionProvider implements @Nonnull @Override public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) { - return (isSupported(tree)) ? new TestTreePermission(tree.getPath()) : TreePermission.EMPTY; + String path = tree.getPath(); + if (isSupported(path)) { + return new TestTreePermission(path); + } else if (Text.isDescendant(path, AbstractCompositeProviderTest.TEST_A_PATH)) { + return TreePermission.EMPTY; + } else { + return TreePermission.NO_RECOURSE; + } } @Override public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) { - return isSupported(tree) && property == null && permissions == Permissions.READ_NODE; + if (isSupported(tree)) { + if (Permissions.includes(permissions, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)) { + return false; + } else { + return Permissions.diff(permissions, grantedPerms) == Permissions.NO_PERMISSION; + } + } else { + return false; + } } @Override public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) { - Tree tree = root.getTree(oakPath); - return tree.exists() && isSupported(tree) && Session.ACTION_READ.equals(jcrActions); + if (isSupported(oakPath)) { + Tree tree = root.getTree(oakPath); + long perms = Permissions.getPermissions(jcrActions, TreeLocation.create(tree), false); + if (Permissions.includes(perms, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)) { + return false; + } else { + return Permissions.diff(perms, grantedPerms) == Permissions.NO_PERMISSION; + } + } else { + return false; + } } //---------------------------------------< AggregatedPermissionProvider >--- @Nonnull @Override public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) { - if (supportsAll) { - return (privilegeBits == null) ? new PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL) : privilegeBits; + PrivilegeBits supported; + if (tree == null) { + supported = PrivilegeBits.getInstance( + PrivilegeBits.BUILT_IN.get(JCR_NAMESPACE_MANAGEMENT), + PrivilegeBits.BUILT_IN.get(JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); + } else if (isSupported(tree)) { + supported = PrivilegeBits.BUILT_IN.get(JCR_WRITE); } else { - PrivilegeBits supported; - if (tree == null) { - supported = PrivilegeBits.BUILT_IN.get(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT); - } else if (isSupportedPath(tree.getPath())) { - supported = PrivilegeBits.BUILT_IN.get(PrivilegeConstants.REP_READ_NODES); - } else { - supported = PrivilegeBits.EMPTY; - } + supported = PrivilegeBits.EMPTY; + } - if (privilegeBits != null && !supported.isEmpty()) { - return PrivilegeBits.getInstance(privilegeBits).retain(supported); - } else { - return supported; - } + if (privilegeBits != null && !supported.isEmpty()) { + return PrivilegeBits.getInstance(privilegeBits).retain(supported); + } else { + return supported; } } @Override public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions) { - if (supportsAll) { - return permissions; + if (tree == null) { + return permissions & (Permissions.NAMESPACE_MANAGEMENT|Permissions.NODE_TYPE_DEFINITION_MANAGEMENT); + } else if (isSupported(tree)) { + return permissions & Permissions.WRITE; } else { - if (tree == null) { - return permissions & Permissions.NAMESPACE_MANAGEMENT; - } else if (isSupportedPath(tree.getPath())) { - return permissions & Permissions.READ_NODE; - } else { - return Permissions.NO_PERMISSION; - } + return Permissions.NO_PERMISSION; } } @Override public long supportedPermissions(@Nonnull TreeLocation location, long permissions) { - if (supportsAll) { - return permissions; - } else if (isSupportedPath(location.getPath())) { - return permissions & Permissions.READ_NODE; + if (isSupported(location.getPath())) { + return permissions & Permissions.WRITE; } else { return Permissions.NO_PERMISSION; } } @Override - public long supportedPermissions(@Nonnull TreePermission treePermission, long permissions) { - if (supportsAll) { - return permissions; - } else if (isSupportedPath(((TestTreePermission) treePermission).path)) { - return permissions & Permissions.READ_NODE; + public long supportedPermissions(@Nonnull TreePermission treePermission, @Nullable PropertyState propertyState, long permissions) { + if (treePermission instanceof TestTreePermission && isSupported(((TestTreePermission) treePermission).path)) { + return permissions & Permissions.WRITE; } else { return Permissions.NO_PERMISSION; } @@ -190,21 +215,23 @@ class TestPermissionProvider implements @Override public boolean isGranted(@Nonnull TreeLocation location, long permissions) { - if (supportsAll) { - return permissions == Permissions.READ_NODE; - } else if (isSupportedPath(location.getPath())) { - return permissions == Permissions.READ_NODE; + if (isSupported(location.getPath())) { + if (Permissions.includes(permissions, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)) { + return false; + } else { + return Permissions.diff(permissions, grantedPerms) == Permissions.NO_PERMISSION; + } } else { return false; } } //-------------------------------------------------------------------------- - private boolean isSupported(@Nonnull Tree tree) { - return supportsAll || isSupportedPath(tree.getPath()); + boolean isSupported(@Nonnull Tree tree) { + return isSupported(tree.getPath()); } - private boolean isSupportedPath(@Nonnull String path) { + static boolean isSupported(@Nonnull String path) { return Text.isDescendantOrEqual(AbstractCompositeProviderTest.TEST_A_PATH, path); } @@ -224,7 +251,7 @@ class TestPermissionProvider implements @Override public boolean canRead() { - return true; + return false; } @Override @@ -244,12 +271,20 @@ class TestPermissionProvider implements @Override public boolean isGranted(long permissions) { - return Permissions.READ_NODE == permissions; + if (Permissions.includes(permissions, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)) { + return false; + } else { + return Permissions.diff(permissions, grantedPerms) == Permissions.NO_PERMISSION; + } } @Override public boolean isGranted(long permissions, @Nonnull PropertyState property) { - return false; + if (Permissions.includes(permissions, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)) { + return false; + } else { + return Permissions.diff(permissions, grantedPerms) == Permissions.NO_PERMISSION; + } } } } \ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/NoScopeProvider.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/NoScopeProvider.java?rev=1708563&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/NoScopeProvider.java (added) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/NoScopeProvider.java Wed Oct 14 09:02:49 2015 @@ -0,0 +1,105 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authorization.composite; + +import java.util.Set; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; + +import org.apache.jackrabbit.oak.api.PropertyState; +import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.plugins.tree.TreeLocation; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; + +/** + * {@code AggregatedPermissionProvider} that doesn't supported anything anywhere + * and which consequently must be completely ignored from the permission evaluation. + */ +final class NoScopeProvider implements AggregatedPermissionProvider { + + @Nonnull + @Override + public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) { + return PrivilegeBits.EMPTY; + } + + @Override + public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions) { + return Permissions.NO_PERMISSION; + } + + @Override + public long supportedPermissions(@Nonnull TreeLocation location, long permissions) { + return Permissions.NO_PERMISSION; + } + + @Override + public long supportedPermissions(@Nonnull TreePermission treePermission, @Nullable PropertyState propertyState, long permissions) { + return Permissions.NO_PERMISSION; + } + + @Override + public boolean isGranted(@Nonnull TreeLocation location, long permissions) { + throw new UnsupportedOperationException("should never get here"); + } + + @Override + public void refresh() { + // nop + } + + @Nonnull + @Override + public Set<String> getPrivileges(@Nullable Tree tree) { + throw new UnsupportedOperationException("should never get here"); + } + + @Override + public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) { + throw new UnsupportedOperationException("should never get here"); + } + + @Nonnull + @Override + public RepositoryPermission getRepositoryPermission() { + throw new UnsupportedOperationException("should never get here"); + } + + @Nonnull + @Override + public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) { + if (tree.isRoot()) { + return TreePermission.NO_RECOURSE; + } else { + throw new UnsupportedOperationException("should never get here"); + } + } + + @Override + public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) { + throw new UnsupportedOperationException("should never get here"); + } + + @Override + public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) { + throw new UnsupportedOperationException("should never get here"); + } +} \ No newline at end of file
