Author: angela
Date: Tue Oct 27 14:37:05 2015
New Revision: 1710829
URL: http://svn.apache.org/viewvc?rev=1710829&view=rev
Log:
OAK-3542 : evaluation for special tree types in aggregation (WIP)
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AccessControlTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java?rev=1710829&r1=1710828&r2=1710829&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
Tue Oct 27 14:37:05 2015
@@ -141,30 +141,7 @@ class CugPermissionProvider implements A
TreePermission tp;
boolean parentIsCugPermission = (parentPermission instanceof
CugTreePermission);
if (TreeType.VERSION == type) {
- if (ReadOnlyVersionManager.isVersionStoreTree(immutableTree)) {
- tp = (parentIsCugPermission) ?
- createCugPermission(immutableTree, (CugTreePermission)
parentPermission) :
- new EmptyCugTreePermission(immutableTree, this);
- } else {
- // TODO
- Tree versionableTree =
getVersionManager().getVersionable(immutableTree, workspaceName);
- if (versionableTree == null) {
- tp = TreePermission.NO_RECOURSE;
- } else if (!parentIsCugPermission &&
- !supportedPaths.includes(versionableTree.getPath()) &&
-
!supportedPaths.mayContainCug(versionableTree.getPath())){
- tp = TreePermission.NO_RECOURSE;
- } else {
- Tree cugRoot = getCugRoot(versionableTree,
typeProvider.getType(versionableTree));
- if (cugRoot == null) {
- // there might be a cug in the live correspondent of
any of the frozen subtrees
- tp = new EmptyCugTreePermission(immutableTree, this);
- } else {
- boolean canRead = createCugPermission(cugRoot,
null).canRead();
- tp = new CugTreePermission(immutableTree, canRead,
this);
- }
- }
- }
+ tp = createVersionStorePermission(immutableTree, parentPermission,
parentIsCugPermission);
} else {
if (parentIsCugPermission) {
tp = createCugPermission(immutableTree, (CugTreePermission)
parentPermission);
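Review bot: The call `tp = createVersionStorePermission(immutableTree, parentPermission, parentIsCugPermission);` passes both the parent permission and a boolean derived from it, so the helper's unchecked cast `(CugTreePermission) parent` is only safe while every caller keeps the two arguments in step. Deriving the flag inside the helper with `parent instanceof CugTreePermission` would remove that coupling and drop one parameter. The enclosing method starts and ends outside this hunk.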
@@ -377,7 +354,7 @@ class CugPermissionProvider implements A
boolean allow = princNamesState != null &&
Iterables.any(princNamesState.getValue(Type.STRINGS), new Predicate<String>() {
@Override
public boolean apply(@Nullable String principalName) {
- return (principalName != null) &&
principalNames.contains(principalName);
+ return principalNames.contains(principalName);
}
});
tp = new CugTreePermission(tree, allow, this);
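Review bot: Dropping the `principalName != null` guard in `apply` makes the allow decision depend on how `principalNames.contains(null)` behaves, and the set's concrete type is not visible in this hunk. The parameter is still annotated `@Nullable`, so a null-hostile set implementation would throw during permission evaluation instead of yielding `false`. Either keep `return (principalName != null) && principalNames.contains(principalName);` or add a comment stating that `principalNames` is always a null-tolerant set. The enclosing method starts and ends outside the hunk.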
@@ -391,6 +368,44 @@ class CugPermissionProvider implements A
}
@Nonnull
+ private TreePermission createVersionStorePermission(@Nonnull Tree tree,
@Nonnull TreePermission parent, boolean parentIsCugPermission) {
+ if (ReadOnlyVersionManager.isVersionStoreTree(tree)) {
+ return (parentIsCugPermission) ?
+ createCugPermission(tree, (CugTreePermission) parent) :
+ new EmptyCugTreePermission(tree, this);
+ } else {
+ Tree versionableTree = getVersionManager().getVersionable(tree,
workspaceName);
+ if (versionableTree == null) {
+ return TreePermission.NO_RECOURSE;
+ }
+
+ TreePermission tp;
+ String path = versionableTree.getPath();
+ if (parentIsCugPermission) {
+ boolean canRead = (hasCug(versionableTree)) ?
createCugPermission(versionableTree, null).canRead() : parent.canRead();
+ tp = new CugTreePermission(tree, canRead, this);
+ } else if (supportedPaths.includes(path)) {
+ // look for cug in the hierarchy
+ Tree cugRoot = getCugRoot(versionableTree,
typeProvider.getType(versionableTree));
+ if (cugRoot == null) {
+ // no cug present so far -> continue looking for cugs for
frozen children
+ tp = new EmptyCugTreePermission(tree, this);
+ } else {
+ // retrieve read-access from the cug and apply it to the
+ // tree permissions of the target tree located in the
version storage
+ boolean canRead = createCugPermission(cugRoot,
null).canRead();
+ tp = new CugTreePermission(tree, canRead, this);
+ }
+ } else if (supportedPaths.mayContainCug(path)) {
+ tp = new EmptyCugTreePermission(tree, this);
+ } else {
+ tp = TreePermission.NO_RECOURSE;
+ }
+ return tp;
+ }
+ }
+
+ @Nonnull
private ReadOnlyVersionManager getVersionManager() {
if (versionManager == null) {
versionManager = ReadOnlyVersionManager.getInstance(immutableRoot,
NamePathMapper.DEFAULT);
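Review bot: In `createVersionStorePermission`, the `parentIsCugPermission` branch falls back to `parent.canRead()` when `hasCug(versionableTree)` is false, whereas the `supportedPaths.includes(path)` branch resolves the governing CUG through `getCugRoot(versionableTree, ...)`. If the version-store parent's permission came from a different CUG than the one covering the versionable node's live ancestors (for example a CUG at the root plus a more restrictive nested one), the frozen tree would appear to inherit the wrong read decision. `hasCug` and `getCugRoot` are defined outside the hunk, so this needs confirming. Consider using the hierarchy lookup in both branches, e.g. `Tree cugRoot = getCugRoot(versionableTree, typeProvider.getType(versionableTree));` followed by `boolean canRead = (cugRoot != null) ? createCugPermission(cugRoot, null).canRead() : parent.canRead();`. The new method also has no Javadoc, and the `// TODO` from the old inline code was dropped; a short doc comment stating that read access for frozen nodes is taken from the CUG of the live versionable node would record the intended contract.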
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AccessControlTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AccessControlTest.java?rev=1710829&r1=1710828&r2=1710829&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AccessControlTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AccessControlTest.java
Tue Oct 27 14:37:05 2015
@@ -29,6 +29,7 @@ import org.apache.jackrabbit.oak.api.Tre
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
@@ -58,15 +59,23 @@ public class AccessControlTest extends A
setupCugsAndAcls();
- // cugs at
- // - /content/a : allow testGroup, deny everyone
- // - /content/aa/bb : allow testGroup, deny everyone
- // - /content/a/b/c : allow everyone, deny testGroup (isolated)
- // - /content2 : allow everyone, deny testGroup (isolated)
- // regular acl at
- // - /content
+ /**
+ * regular acl at
+ * - /content
+ *
+ * permission store (internal content)
+ * - /jcr:system/rep:permissionStore
+ *
+ * cugs at
+ * - /content/a : allow testGroup, deny everyone
+ * - /content/aa/bb : allow testGroup, deny everyone
+ * - /content/a/b/c : allow everyone, deny testGroup (isolated)
+ * - /content2 : allow everyone, deny testGroup (isolated)
+ *
+ */
acPaths = ImmutableList.of(
"/content/rep:policy",
+ PermissionConstants.PERMISSIONS_STORE_PATH,
"/content/a/rep:cugPolicy",
"/content/aa/bb/rep:cugPolicy",
"/content/a/b/c/rep:cugPolicy",
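Review bot: The new `/** ... */` block sits inside a method body, directly before `acPaths = ImmutableList.of(`, where Javadoc is not processed and doc linters tend to flag it as a dangling doc comment. A plain `/* ... */` block or the previous `//` lines would carry the same information. The list literal continues past the end of the hunk.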
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java?rev=1710829&r1=1710828&r2=1710829&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
Tue Oct 27 14:37:05 2015
@@ -23,11 +23,14 @@ import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.jcr.AccessDeniedException;
+import javax.jcr.GuestCredentials;
import javax.jcr.Session;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
@@ -335,6 +338,31 @@ public class CugPermissionProviderTest e
}
}
+ /**
+ * @see
org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider#isGranted(org.apache.jackrabbit.oak.plugins.tree.TreeLocation,
long)
+ */
+ @Test
+ public void testIsGrantedNonExistingLocation() throws Exception {
+ ContentSession anonymous = login(new GuestCredentials());
+ try {
+ // additionally create a root that doesn't have access to the root
node
+ Root anonymousRoot = anonymous.getLatestRoot();
+
+ for (Root r : new Root[] {anonymousRoot, root}) {
+ TreeLocation location = TreeLocation.create(r,
"/path/to/non/existing/tree");
+ assertFalse(cugPermProvider.isGranted(location,
Permissions.READ));
+ assertFalse(cugPermProvider.isGranted(location,
Permissions.READ_NODE));
+ assertFalse(cugPermProvider.isGranted(location,
Permissions.READ_PROPERTY));
+
+ assertFalse(cugPermProvider.isGranted(location,
Permissions.ALL));
+ assertFalse(cugPermProvider.isGranted(location,
Permissions.ADD_NODE));
+ assertFalse(cugPermProvider.isGranted(location,
Permissions.READ_ACCESS_CONTROL));
+ }
+ } finally {
+ anonymous.close();
+ }
+ }
+
//------------------------------------------------------< getPrivileges
>---
/**
* @see
PermissionProvider#getPrivileges(org.apache.jackrabbit.oak.api.Tree)
@@ -575,4 +603,17 @@ public class CugPermissionProviderTest e
assertFalse(cugPermProvider.isGranted(p, Session.ACTION_READ + ','
+ Session.ACTION_ADD_NODE));
}
}
+
+ /**
+ * @see PermissionProvider#isGranted(String, String)
+ */
+ @Test
+ public void testIsGrantedJcrActionsNonExistingPath() {
+ String p = "/path/to/non/existing/tree";
+ assertFalse(cugPermProvider.isGranted(p, Session.ACTION_READ));
+ assertFalse(cugPermProvider.isGranted(p,
Permissions.getString(Permissions.READ_NODE)));
+ assertFalse(cugPermProvider.isGranted(p,
Permissions.getString(Permissions.READ_PROPERTY)));
+ assertFalse(cugPermProvider.isGranted(p, Session.ACTION_ADD_NODE));
+ assertFalse(cugPermProvider.isGranted(p, Session.ACTION_READ + ',' +
Session.ACTION_ADD_NODE));
+ }
}
\ No newline at end of file
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java?rev=1710829&r1=1710828&r2=1710829&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
Tue Oct 27 14:37:05 2015
@@ -38,6 +38,7 @@ import org.apache.jackrabbit.oak.plugins
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.util.NodeUtil;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.junit.Before;
import org.junit.Test;
@@ -78,14 +79,12 @@ public class VersionTest extends Abstrac
readAccess = ImmutableList.of(
SUPPORTED_PATH,
"/content/subtree",
- //"/content/a/b/c",
"/content/aa");
noReadAccess = ImmutableList.of(
UNSUPPORTED_PATH, /* no access */
"/content2", /* granted by cug only */
"/content/a", /* granted by ace, denied by cug */
- //"/content/a/b", /* granted by ace, denied by cug */
"/content/aa/bb" /* granted by ace, denied by cug */
);
@@ -310,7 +309,7 @@ public class VersionTest extends Abstrac
}
@Test
- public void testTreePermissionVersionable3() throws Exception {
+ public void testTreePermissionVersionableUnsupportedPath() throws
Exception {
Tree versionable = root.getTree(UNSUPPORTED_PATH);
Tree vh = checkNotNull(versionManager.getVersionHistory(versionable));
@@ -330,4 +329,52 @@ public class VersionTest extends Abstrac
}
}
}
+
+ @Test
+ public void testTreePermissionAtVersionableAboveSupported() throws
Exception {
+ Tree vh =
checkNotNull(versionManager.getVersionHistory(root.getTree(SUPPORTED_PATH)));
+
+ CugPermissionProvider pp =
createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH + "/a"));
+
+ Tree t = root.getTree("/");
+ TreePermission tp = pp.getTreePermission(t, TreePermission.EMPTY);
+ for (String segm : PathUtils.elements(vh.getPath())) {
+ t = t.getChild(segm);
+ tp = pp.getTreePermission(t, tp);
+ }
+ assertTrue(tp instanceof EmptyCugTreePermission);
+ }
+
+ @Test
+ public void testCugAtRoot() throws Exception {
+ Tree versionable = root.getTree(UNSUPPORTED_PATH);
+ String vhPath =
checkNotNull(versionManager.getVersionHistory(versionable)).getPath();
+
+ try {
+ NodeUtil rootnode = new NodeUtil(root.getTree("/"));
+ rootnode.setNames(JCR_MIXINTYPES, MIX_REP_CUG_MIXIN);
+ rootnode.addChild(REP_CUG_POLICY,
NT_REP_CUG_POLICY).setStrings(REP_PRINCIPAL_NAMES, EveryonePrincipal.NAME);
+ root.commit();
+
+ CugPermissionProvider pp =
createCugPermissionProvider(ImmutableSet.of("/"));
+
+ Tree t = root.getTree("/");
+ TreePermission tp = pp.getTreePermission(t, TreePermission.EMPTY);
+ assertTrue(tp instanceof CugTreePermission);
+
+ for (String segm : PathUtils.elements(vhPath)) {
+ t = t.getChild(segm);
+ tp = pp.getTreePermission(t, tp);
+
+ assertTrue(tp instanceof CugTreePermission);
+ }
+ } finally {
+ root.getTree("/").removeProperty(JCR_MIXINTYPES);
+ Tree cug = root.getTree("/rep:cugPolicy");
+ if (cug.exists()) {
+ cug.remove();
+ }
+ root.commit();
+ }
+ }
}
\ No newline at end of file
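Review bot: Both new tests, `testTreePermissionAtVersionableAboveSupported` and `testCugAtRoot`, assert only the permission's class (`tp instanceof EmptyCugTreePermission` / `tp instanceof CugTreePermission`) and never the access decision itself. Since this commit changes how read access is computed for version-store trees, an assertion on `tp.canRead()` with the value expected for the provider's principals would pin the behaviour that matters; the provider setup is outside the hunk, so the expected value has to be taken from there. In `testCugAtRoot` the `finally` block calls `root.getTree("/").removeProperty(JCR_MIXINTYPES)`, which would also discard any mixins the root node carried before the test. Saving the previous value and restoring it would be safer.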