Author: angela
Date: Wed Nov 11 16:23:20 2015
New Revision: 1713884
URL: http://svn.apache.org/viewvc?rev=1713884&view=rev
Log:
OAK-1268 : Add support for composite authorization setup (WIP)
Added:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtilTest.java
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CugOakTest.java
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CugTest.java
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractTreePermission.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContext.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermission.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermission.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/HiddenTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationContext.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationContextTest.java
jackrabbit/oak/trunk/oak-run/pom.xml
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/ReadDeepTreeTest.java
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractTreePermission.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractTreePermission.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractTreePermission.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractTreePermission.java
Wed Nov 11 16:23:20 2015
@@ -25,9 +25,9 @@ import org.apache.jackrabbit.oak.spi.sta
abstract class AbstractTreePermission implements TreePermission {
- private final Tree tree;
- private final TreeType type;
- private final CugPermissionProvider permissionProvider;
+ final Tree tree;
+ final TreeType type;
+ final CugPermissionProvider permissionProvider;
AbstractTreePermission(@Nonnull Tree tree, @Nonnull TreeType type,
@Nonnull CugPermissionProvider permissionProvider) {
this.tree = tree;
@@ -35,12 +35,6 @@ abstract class AbstractTreePermission im
this.permissionProvider = permissionProvider;
}
- AbstractTreePermission(@Nonnull Tree tree, @Nonnull TreeType type,
@Nonnull AbstractTreePermission parent) {
- this.tree = tree;
- this.type = type;
- this.permissionProvider = parent.permissionProvider;
- }
-
@Nonnull
@Override
public TreePermission getChildPermission(@Nonnull String childName,
@Nonnull NodeState childState) {
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContext.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContext.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContext.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContext.java
Wed Nov 11 16:23:20 2015
@@ -50,9 +50,9 @@ final class CugContext implements Contex
@Override
public boolean definesLocation(@Nonnull TreeLocation location) {
- Tree tree = location.getTree();
- if (tree != null && location.exists()) {
- PropertyState p = location.getProperty();
+ PropertyState p = location.getProperty();
+ Tree tree = (p == null) ? location.getTree() :
location.getParent().getTree();
+ if (tree != null) {
return (p == null) ? definesTree(tree) : definesProperty(tree, p);
} else {
String path = location.getPath();
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
Wed Nov 11 16:23:20 2015
@@ -95,6 +95,20 @@ class CugPermissionProvider implements A
return getTreePermission(t, type, parentPermission);
}
+ boolean isAllow(@Nonnull Tree cugTree) {
+ PropertyState princNamesState =
cugTree.getProperty(REP_PRINCIPAL_NAMES);
+ if (princNamesState != null) {
+ for (String pName : princNamesState.getValue(Type.STRINGS)) {
+ for (String pN : principalNames) {
+ if (pName.equals(pN)) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
+
//-------------------------------------------------< PermissionProvider
>---
@Override
public void refresh() {
@@ -213,7 +227,7 @@ class CugPermissionProvider implements A
@Override
public long supportedPermissions(@Nonnull TreePermission treePermission,
@Nullable PropertyState propertyState, long permissions) {
long supported = permissions & Permissions.READ;
- if (supported != Permissions.NO_PERMISSION && (treePermission
instanceof CugTreePermission)) {
+ if (supported != Permissions.NO_PERMISSION && (treePermission
instanceof CugTreePermission) && ((CugTreePermission)
treePermission).isInCug()) {
return supported;
} else {
return Permissions.NO_PERMISSION;
@@ -242,14 +256,14 @@ class CugPermissionProvider implements A
if (TreeType.VERSION == type) {
tp = createVersionStorePermission(immutableTree, type,
parentPermission, parentIsCugPermission);
} else {
- if (parentIsCugPermission ||
isKnownSupportedPath(parentPermission)) {
- tp = createCugPermission(immutableTree, type,
parentPermission, true);
+ if (parentIsCugPermission) {
+ tp = new CugTreePermission(immutableTree, type,
parentPermission, this);
} else {
String path = immutableTree.getPath();
if (supportedPaths.includes(path)) {
- tp = createCugPermission(immutableTree, type,
parentPermission, true);
+ tp = new CugTreePermission(immutableTree, type,
parentPermission, this);
} else if (supportedPaths.mayContainCug(path) ||
isJcrSystemPath(immutableTree)) {
- tp = new EmptyCugTreePermission(immutableTree, type,
this, false);
+ tp = new EmptyCugTreePermission(immutableTree, type,
this);
} else {
tp = TreePermission.NO_RECOURSE;
}
@@ -263,22 +277,10 @@ class CugPermissionProvider implements A
return JcrConstants.JCR_SYSTEM.equals(tree.getName());
}
- private static boolean isKnownSupportedPath(@Nonnull TreePermission
parentPermission) {
- if (parentPermission instanceof EmptyCugTreePermission) {
- return ((EmptyCugTreePermission)
parentPermission).isSupportedPath();
- } else {
- return false;
- }
- }
-
private static boolean isRead(long permission) {
return permission == Permissions.READ_NODE || permission ==
Permissions.READ_PROPERTY || permission == Permissions.READ;
}
- private static boolean hasCug(@Nonnull Tree tree) {
- return tree.exists() && tree.hasChild(REP_CUG_POLICY);
- }
-
private static boolean isSupportedType(@Nonnull TreeType type) {
return type == TreeType.DEFAULT || type == TreeType.VERSION;
}
@@ -318,7 +320,7 @@ class CugPermissionProvider implements A
if (!supportedPaths.includes(p)) {
return null;
}
- if (hasCug(tree)) {
+ if (CugUtil.hasCug(tree)) {
return tree;
}
String parentPath;
@@ -328,7 +330,7 @@ class CugPermissionProvider implements A
break;
}
tree = tree.getParent();
- if (hasCug(tree)) {
+ if (CugUtil.hasCug(tree)) {
return tree;
}
}
@@ -342,7 +344,13 @@ class CugPermissionProvider implements A
return false;
}
Tree cugRoot = getCugRoot(immutableTree, type);
- return cugRoot != null && createCugPermission(cugRoot, type, null,
true).canRead();
+ if (cugRoot != null) {
+ Tree cugTree = CugUtil.getCug(cugRoot);
+ if (cugTree != null) {
+ return isAllow(cugTree);
+ }
+ }
+ return false;
}
@Nonnull
@@ -360,46 +368,13 @@ class CugPermissionProvider implements A
return tree;
}
- private boolean isAllow(@Nonnull Tree cugTree) {
- PropertyState princNamesState =
cugTree.getProperty(REP_PRINCIPAL_NAMES);
- if (princNamesState != null) {
- for (String pName : princNamesState.getValue(Type.STRINGS)) {
- for (String pN : principalNames) {
- if (pName.equals(pN)) {
- return true;
- }
- }
- }
- }
- return false;
- }
-
- @Nonnull
- private TreePermission createCugPermission(@Nonnull Tree tree, @Nonnull
TreeType type, @Nullable TreePermission parent, boolean isSupportedPath) {
- TreePermission tp;
-
- Tree cugTree = (hasCug(tree)) ? tree.getChild(REP_CUG_POLICY) : null;
- if (cugTree != null && CugUtil.definesCug(cugTree)) {
- // a new (possibly nested) cug starts off here
- tp = new CugTreePermission(tree, type, isAllow(cugTree), this);
- } else if (parent instanceof CugTreePermission) {
- // still within the parents CUG
- tp = new CugTreePermission(tree, type, (CugTreePermission) parent);
- } else if (parent instanceof EmptyCugTreePermission) {
- tp = new EmptyCugTreePermission(tree, type,
(EmptyCugTreePermission) parent, isSupportedPath);
- } else {
- tp = new EmptyCugTreePermission(tree, type, this, isSupportedPath);
- }
- return tp;
- }
-
@Nonnull
private TreePermission createVersionStorePermission(@Nonnull Tree tree,
@Nonnull TreeType type, @Nonnull TreePermission parent, boolean
parentIsCugPermission) {
if (ReadOnlyVersionManager.isVersionStoreTree(tree)) {
if (parentIsCugPermission) {
- return createCugPermission(tree, type, parent, true);
+ return new CugTreePermission(tree, type, parent, this);
} else {
- return new EmptyCugTreePermission(tree, type, this, false);
+ return new EmptyCugTreePermission(tree, type, this);
}
} else {
Tree versionableTree = getVersionManager().getVersionable(tree,
workspaceName);
@@ -410,22 +385,27 @@ class CugPermissionProvider implements A
TreePermission tp;
String path = versionableTree.getPath();
if (parentIsCugPermission) {
- boolean canRead = (hasCug(versionableTree)) ?
createCugPermission(versionableTree, type, null, true).canRead() :
parent.canRead();
- tp = new CugTreePermission(tree, type, canRead, this);
+ CugTreePermission delegatee;
+ if (CugUtil.hasCug(versionableTree)) {
+ delegatee = new CugTreePermission(versionableTree, type,
parent, this);
+ } else {
+ delegatee = (CugTreePermission) parent;
+ };
+ tp = new CugTreePermission(tree, type, parent, this,
delegatee.isInCug(), delegatee.isAllow());
} else if (supportedPaths.includes(path)) {
// look for cug in the hierarchy
Tree cugRoot = getCugRoot(versionableTree,
typeProvider.getType(versionableTree));
if (cugRoot == null) {
// no cug present so far -> continue looking for cugs for
frozen children
- tp = new EmptyCugTreePermission(tree, type, this, true);
+ tp = new CugTreePermission(tree, type, parent, this,
false, false);
} else {
// retrieve read-access from the cug and apply it to the
// tree permissions of the target tree located in the
version storage
- boolean canRead = createCugPermission(cugRoot, type, null,
true).canRead();
- tp = new CugTreePermission(tree, type, canRead, this);
+ CugTreePermission delegatee = new
CugTreePermission(cugRoot, type, parent, this);
+ tp = new CugTreePermission(tree, type, parent, this,
delegatee.isInCug(), delegatee.isAllow());
}
} else if (supportedPaths.mayContainCug(path)) {
- tp = new EmptyCugTreePermission(tree, type, this, false);
+ tp = new EmptyCugTreePermission(tree, type, this);
} else {
tp = TreePermission.NO_RECOURSE;
}
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermission.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermission.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermission.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermission.java
Wed Nov 11 16:23:20 2015
@@ -22,34 +22,70 @@ import org.apache.jackrabbit.oak.api.Pro
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.tree.TreeType;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
/**
- * {@code TreePermission} implementation for all items located with a CUG.
+ * {@code TreePermission} implementation for all tree located within one of the
+ * supported paths which may or may not contain a CUG.
*/
-final class CugTreePermission extends AbstractTreePermission {
+final class CugTreePermission extends AbstractTreePermission implements
CugConstants {
- private final boolean allow;
+ private final TreePermission parent;
+ private Boolean inCug;
+ private Boolean allow;
- CugTreePermission(@Nonnull Tree tree, @Nonnull TreeType type, boolean
allow, @Nonnull CugPermissionProvider permissionProvider) {
+ CugTreePermission(@Nonnull Tree tree, @Nonnull TreeType type, @Nonnull
TreePermission parent,
+ @Nonnull CugPermissionProvider permissionProvider) {
super(tree, type, permissionProvider);
- this.allow = allow;
+ this.parent = parent;
}
- CugTreePermission(@Nonnull Tree tree, @Nonnull TreeType type, @Nonnull
CugTreePermission parent) {
- super(tree, type, parent);
- this.allow = parent.allow;
+ CugTreePermission(@Nonnull Tree tree, @Nonnull TreeType type, @Nonnull
TreePermission parent,
+ @Nonnull CugPermissionProvider permissionProvider,
boolean inCug, boolean canRead) {
+ super(tree, type, permissionProvider);
+ this.parent = parent;
+ this.inCug = inCug;
+ this.allow = canRead;
+ }
+
+ boolean isInCug() {
+ if (inCug == null) {
+ loadCug();
+ }
+ return inCug;
+ }
+
+ boolean isAllow() {
+ if (allow == null) {
+ loadCug();
+ }
+ return allow;
+ }
+
+ private void loadCug() {
+ Tree cugTree = CugUtil.getCug(tree);
+ if (cugTree != null) {
+ inCug = true;
+ allow = permissionProvider.isAllow(cugTree);
+ } else if (parent instanceof CugTreePermission) {
+ inCug = ((CugTreePermission) parent).isInCug();
+ allow = ((CugTreePermission) parent).isAllow();
+ } else {
+ inCug = false;
+ allow = false;
+ }
}
//-----------------------------------------------------< TreePermission
>---
@Override
public boolean canRead() {
- return allow;
+ return isAllow();
}
@Override
public boolean canRead(@Nonnull PropertyState property) {
- return allow;
+ return isAllow();
}
@Override
@@ -59,16 +95,16 @@ final class CugTreePermission extends Ab
@Override
public boolean canReadProperties() {
- return allow;
+ return isAllow();
}
@Override
public boolean isGranted(long permissions) {
- return allow && permissions == Permissions.READ_NODE;
+ return permissions == Permissions.READ_NODE && isAllow();
}
@Override
public boolean isGranted(long permissions, @Nonnull PropertyState
property) {
- return allow && permissions == Permissions.READ_PROPERTY;
+ return permissions == Permissions.READ_PROPERTY && isAllow();
}
}
\ No newline at end of file
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java
Wed Nov 11 16:23:20 2015
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.spi.se
import java.io.IOException;
import java.io.InputStream;
+import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.RepositoryException;
@@ -41,6 +42,20 @@ final class CugUtil implements CugConsta
private CugUtil(){}
+ public static boolean hasCug(@Nonnull Tree tree) {
+ return tree.exists() && tree.hasChild(REP_CUG_POLICY);
+ }
+
+ @CheckForNull
+ public static Tree getCug(@Nonnull Tree tree) {
+ Tree cugTree = (CugUtil.hasCug(tree)) ? tree.getChild(REP_CUG_POLICY)
: null;
+ if (cugTree != null &&
NT_REP_CUG_POLICY.equals(TreeUtil.getPrimaryTypeName(cugTree))) {
+ return cugTree;
+ } else {
+ return null;
+ }
+ }
+
public static boolean definesCug(@Nonnull Tree tree) {
return tree.exists() && REP_CUG_POLICY.equals(tree.getName()) &&
NT_REP_CUG_POLICY.equals(TreeUtil.getPrimaryTypeName(tree));
}
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermission.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermission.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermission.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermission.java
Wed Nov 11 16:23:20 2015
@@ -32,20 +32,8 @@ import org.apache.jackrabbit.oak.plugins
*/
final class EmptyCugTreePermission extends AbstractTreePermission {
- private final boolean isSupportedPath;
-
- EmptyCugTreePermission(@Nonnull Tree tree, @Nonnull TreeType type,
@Nonnull CugPermissionProvider permissionProvider, boolean isSupportedPath) {
+ EmptyCugTreePermission(@Nonnull Tree tree, @Nonnull TreeType type,
@Nonnull CugPermissionProvider permissionProvider) {
super(tree, type, permissionProvider);
- this.isSupportedPath = isSupportedPath;
- }
-
- EmptyCugTreePermission(@Nonnull Tree tree, @Nonnull TreeType type,
@Nonnull EmptyCugTreePermission parent, boolean isSupportedPath) {
- super(tree, type, parent);
- this.isSupportedPath = isSupportedPath;
- }
-
- boolean isSupportedPath() {
- return isSupportedPath;
}
//-----------------------------------------------------< TreePermission
>---
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
Wed Nov 11 16:23:20 2015
@@ -40,10 +40,13 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.util.NodeUtil;
+import static org.junit.Assert.assertTrue;
+
/**
* Base class for CUG related test that setup the authorization configuration
* to expose the CUG specific implementations of {@code AccessControlManager}
@@ -181,4 +184,12 @@ public class AbstractCugTest extends Abs
ContentSession createTestSession2() throws Exception {
return login(new SimpleCredentials(TEST_USER2_ID,
TEST_USER2_ID.toCharArray()));
}
+
+ static void assertCugPermission(@Nonnull TreePermission tp, boolean
isSupportedPath) {
+ if (isSupportedPath) {
+ assertTrue(tp instanceof CugTreePermission);
+ } else {
+ assertTrue(tp instanceof EmptyCugTreePermission);
+ }
+ }
}
\ No newline at end of file
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java
Wed Nov 11 16:23:20 2015
@@ -133,6 +133,7 @@ public class CugContextTest extends Abst
for (String path : nonExistingCug) {
assertTrue(path,
CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path)));
assertTrue(path,
CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path + "/" +
CugConstants.REP_PRINCIPAL_NAMES)));
+ assertFalse(path,
CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path + "/" +
JcrConstants.JCR_PRIMARYTYPE)));
}
}
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
Wed Nov 11 16:23:20 2015
@@ -497,7 +497,7 @@ public class CugPermissionProviderTest e
assertTrue(rootTp instanceof EmptyCugTreePermission);
TreePermission contentTp =
cugPermProvider.getTreePermission(root.getTree(SUPPORTED_PATH), rootTp);
- assertTrue(contentTp instanceof EmptyCugTreePermission);
+ assertTrue(contentTp instanceof CugTreePermission);
TreePermission aTp =
cugPermProvider.getTreePermission(root.getTree("/content/a"), contentTp);
assertTrue(aTp instanceof CugTreePermission);
@@ -509,7 +509,7 @@ public class CugPermissionProviderTest e
assertTrue(cTp instanceof CugTreePermission);
TreePermission aaTp =
cugPermProvider.getTreePermission(root.getTree("/content/aa"), contentTp);
- assertTrue(aaTp instanceof EmptyCugTreePermission);
+ assertTrue(aaTp instanceof CugTreePermission);
TreePermission bbTp =
cugPermProvider.getTreePermission(root.getTree("/content/aa/bb"), aaTp);
assertTrue(bbTp instanceof CugTreePermission);
@@ -521,7 +521,7 @@ public class CugPermissionProviderTest e
Tree aaTree = root.getTree("/content/aa");
new NodeUtil(aaTree).addChild(CugConstants.REP_CUG_POLICY,
NT_OAK_UNSTRUCTURED);
TreePermission aaTp2 =
cugPermProvider.getTreePermission(root.getTree("/content/aa"), contentTp);
- assertTrue(aaTp2 instanceof EmptyCugTreePermission);
+ assertTrue(aaTp2 instanceof CugTreePermission);
TreePermission falseCugTp =
cugPermProvider.getTreePermission(root.getTree("/content/aa/rep:cugPolicy"),
aaTp2);
assertNotSame(TreePermission.EMPTY, falseCugTp);
Added:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtilTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtilTest.java?rev=1713884&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtilTest.java
(added)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtilTest.java
Wed Nov 11 16:23:20 2015
@@ -0,0 +1,104 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
+
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+
+public class CugUtilTest extends AbstractCugTest {
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ createCug(SUPPORTED_PATH, EveryonePrincipal.getInstance());
+ }
+
+ @Override
+ public void after() throws Exception {
+ try {
+ root.refresh();
+ } finally {
+ super.after();
+ }
+ }
+
+ @Test
+ public void testHasCug() throws Exception {
+ assertFalse(CugUtil.hasCug(root.getTree("/")));
+ assertFalse(CugUtil.hasCug(root.getTree(INVALID_PATH)));
+ assertFalse(CugUtil.hasCug(root.getTree(UNSUPPORTED_PATH)));
+ assertFalse(CugUtil.hasCug(root.getTree(SUPPORTED_PATH + "/subtree")));
+ assertFalse(CugUtil.hasCug(root.getTree(SUPPORTED_PATH2)));
+
+ assertTrue(CugUtil.hasCug(root.getTree(SUPPORTED_PATH)));
+
+ new NodeUtil(root.getTree(SUPPORTED_PATH2)).addChild(REP_CUG_POLICY,
NodeTypeConstants.NT_OAK_UNSTRUCTURED).getTree();
+ assertTrue(CugUtil.hasCug(root.getTree(SUPPORTED_PATH2)));
+ }
+
+ @Test
+ public void testGetCug() throws Exception {
+ assertNull(CugUtil.getCug(root.getTree("/")));
+ assertNull(CugUtil.getCug(root.getTree(INVALID_PATH)));
+ assertNull(CugUtil.getCug(root.getTree(UNSUPPORTED_PATH)));
+ assertNull(CugUtil.getCug(root.getTree(SUPPORTED_PATH + "/subtree")));
+ assertNull(CugUtil.getCug(root.getTree(SUPPORTED_PATH2)));
+
+ assertNotNull(CugUtil.getCug(root.getTree(SUPPORTED_PATH)));
+
+ Tree invalid = new
NodeUtil(root.getTree(SUPPORTED_PATH2)).addChild(REP_CUG_POLICY,
NodeTypeConstants.NT_OAK_UNSTRUCTURED).getTree();
+ assertNull(CugUtil.getCug(invalid));
+ }
+
+ @Test
+ public void testDefinesCug() throws Exception {
+
assertFalse(CugUtil.definesCug(root.getTree(PathUtils.concat(INVALID_PATH,
REP_CUG_POLICY))));
+
assertTrue(CugUtil.definesCug(root.getTree(PathUtils.concat(SUPPORTED_PATH,
REP_CUG_POLICY))));
+
+ Tree invalid = new
NodeUtil(root.getTree(SUPPORTED_PATH2)).addChild(REP_CUG_POLICY,
NodeTypeConstants.NT_OAK_UNSTRUCTURED).getTree();
+ assertFalse(CugUtil.definesCug(invalid));
+ }
+
+ @Test
+ public void testIsSupportedPath() {
+ assertFalse(CugUtil.isSupportedPath(null, CUG_CONFIG));
+ assertFalse(CugUtil.isSupportedPath(UNSUPPORTED_PATH, CUG_CONFIG));
+
+ assertTrue(CugUtil.isSupportedPath(SUPPORTED_PATH, CUG_CONFIG));
+ assertTrue(CugUtil.isSupportedPath(SUPPORTED_PATH2, CUG_CONFIG));
+ assertTrue(CugUtil.isSupportedPath(SUPPORTED_PATH + "/child",
CUG_CONFIG));
+ assertTrue(CugUtil.isSupportedPath(SUPPORTED_PATH2 + "/child",
CUG_CONFIG));
+ }
+
+ @Test
+ public void testGetImportBehavior() {
+ assertSame(ImportBehavior.ABORT,
CugUtil.getImportBehavior(ConfigurationParameters.EMPTY));
+ }
+}
\ No newline at end of file
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java
Wed Nov 11 16:23:20 2015
@@ -16,8 +16,6 @@
*/
package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
-import javax.annotation.Nonnull;
-
import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.oak.api.PropertyState;
@@ -36,7 +34,6 @@ import org.apache.jackrabbit.oak.spi.sta
import org.apache.jackrabbit.util.Text;
import org.junit.Test;
-import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
@@ -59,36 +56,29 @@ public class EmptyCugTreePermissionTest
getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
Root readOnlyRoot = RootFactory.createReadOnlyRoot(root);
Tree t = readOnlyRoot.getTree("/");
- tp = new EmptyCugTreePermission(t, TreeType.DEFAULT, pp, false);
+ tp = new EmptyCugTreePermission(t, TreeType.DEFAULT, pp);
rootState = ((AbstractTree) t).getNodeState();
}
- private static void assertEmptyCugPermission(@Nonnull TreePermission tp,
boolean isSupportedPath, @Nonnull String path) {
- assertTrue(tp instanceof EmptyCugTreePermission);
-
- EmptyCugTreePermission etp = (EmptyCugTreePermission) tp;
- assertEquals(isSupportedPath, etp.isSupportedPath());
- }
-
@Test
public void testRootPermission() throws Exception {
- assertEmptyCugPermission(tp, false, "/");
+ assertCugPermission(tp, false);
TreePermission rootTp = pp.getTreePermission(root.getTree("/"),
TreePermission.EMPTY);
- assertEmptyCugPermission(rootTp, false, "/");
+ assertCugPermission(rootTp, false);
}
@Test
public void testJcrSystemPermissions() throws Exception {
NodeState system = rootState.getChildNode(JcrConstants.JCR_SYSTEM);
TreePermission systemTp =
tp.getChildPermission(JcrConstants.JCR_SYSTEM, system);
- assertEmptyCugPermission(systemTp, false, "/jcr:system");
-
assertEmptyCugPermission(pp.getTreePermission(root.getTree("/jcr:system"), tp),
false, "/jcr:system");
+ assertCugPermission(systemTp, false);
+ assertCugPermission(pp.getTreePermission(root.getTree("/jcr:system"),
tp), false);
NodeState versionStore =
system.getChildNode(VersionConstants.JCR_VERSIONSTORAGE);
TreePermission versionStoreTp =
systemTp.getChildPermission(VersionConstants.JCR_VERSIONSTORAGE, versionStore);
- assertEmptyCugPermission(versionStoreTp, false,
VersionConstants.VERSION_STORE_PATH);
-
assertEmptyCugPermission(pp.getTreePermission(root.getTree(VersionConstants.VERSION_STORE_PATH),
systemTp), false, VersionConstants.VERSION_STORE_PATH);
+ assertCugPermission(versionStoreTp, false);
+
assertCugPermission(pp.getTreePermission(root.getTree(VersionConstants.VERSION_STORE_PATH),
systemTp), false);
NodeState nodeTypes =
system.getChildNode(NodeTypeConstants.JCR_NODE_TYPES);
TreePermission nodeTypesTp =
systemTp.getChildPermission(NodeTypeConstants.JCR_NODE_TYPES, nodeTypes);
@@ -100,13 +90,17 @@ public class EmptyCugTreePermissionTest
String name = Text.getName(SUPPORTED_PATH2);
NodeState ns = rootState.getChildNode(name);
TreePermission child = tp.getChildPermission(name, ns);
- assertEmptyCugPermission(child, true, SUPPORTED_PATH2);
+ assertCugPermission(child, true);
+ assertFalse(((CugTreePermission) child).isInCug());
name = Text.getName(SUPPORTED_PATH);
ns = rootState.getChildNode(name);
child = tp.getChildPermission(name, ns);
- assertFalse(child instanceof EmptyCugTreePermission);
- assertTrue(child instanceof CugTreePermission);
+ assertCugPermission(child, true);
+ assertTrue(((CugTreePermission) child).isInCug());
+ TreePermission subtree = child.getChildPermission("subtree",
ns.getChildNode("subtree"));
+ assertCugPermission(subtree, true);
+ assertTrue(((CugTreePermission) subtree).isInCug());
name = Text.getName(UNSUPPORTED_PATH);
ns = rootState.getChildNode(name);
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/HiddenTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/HiddenTest.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/HiddenTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/HiddenTest.java
Wed Nov 11 16:23:20 2015
@@ -86,7 +86,7 @@ public class HiddenTest extends Abstract
Tree t = readOnlyRoot.getTree("/");
TreePermission tp = pp.getTreePermission(t, TreePermission.EMPTY);
for (String name : PathUtils.elements(hiddenTree.getPath())) {
- assertTrue(tp instanceof EmptyCugTreePermission);
+ assertCugPermission(tp, true);
t = t.getChild(name);
tp = pp.getTreePermission(t, tp);
}
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
Wed Nov 11 16:23:20 2015
@@ -303,7 +303,7 @@ public class VersionTest extends Abstrac
if (JCR_SYSTEM.equals(segm) ||
ReadOnlyVersionManager.isVersionStoreTree(t)) {
assertTrue(t.getPath(), tp instanceof EmptyCugTreePermission);
} else {
- assertTrue(t.getPath(), tp instanceof EmptyCugTreePermission);
+ assertTrue(t.getPath(), tp instanceof CugTreePermission);
}
}
}
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationContext.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationContext.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationContext.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationContext.java
Wed Nov 11 16:23:20 2015
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
import javax.annotation.Nonnull;
+import com.google.common.collect.Iterables;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
@@ -25,10 +26,13 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.util.TreeUtil;
-import org.apache.jackrabbit.util.Text;
final class AuthorizationContext implements Context, AccessControlConstants,
PermissionConstants {
+ private static final String[] NODE_NAMES = POLICY_NODE_NAMES.toArray(new
String[POLICY_NODE_NAMES.size()]);
+ private static final String[] PROPERTY_NAMES =
ACE_PROPERTY_NAMES.toArray(new String[ACE_PROPERTY_NAMES.size()]);
+ private static final String[] NT_NAMES =
Iterables.toArray(Iterables.concat(AC_NODETYPE_NAMES,
PERMISSION_NODETYPE_NAMES), String.class);
+
private static final Context INSTANCE = new AuthorizationContext();
private AuthorizationContext() {
@@ -47,7 +51,7 @@ final class AuthorizationContext impleme
@Override
public boolean definesContextRoot(@Nonnull Tree tree) {
String name = tree.getName();
- if (POLICY_NODE_NAMES.contains(name)) {
+ if (isNodeName(name)) {
return NT_REP_ACL.equals(TreeUtil.getPrimaryTypeName(tree));
} else {
return REP_PERMISSION_STORE.equals(name);
@@ -57,20 +61,47 @@ final class AuthorizationContext impleme
@Override
public boolean definesTree(@Nonnull Tree tree) {
String ntName = TreeUtil.getPrimaryTypeName(tree);
- return AC_NODETYPE_NAMES.contains(ntName) ||
PERMISSION_NODETYPE_NAMES.contains(ntName);
+ return isNtName(ntName);
}
@Override
public boolean definesLocation(@Nonnull TreeLocation location) {
- Tree tree = location.getTree();
- if (tree != null && location.exists()) {
- PropertyState p = location.getProperty();
+ PropertyState p = location.getProperty();
+ Tree tree = (p == null) ? location.getTree() :
location.getParent().getTree();
+ if (tree != null) {
return (p == null) ? definesTree(tree) : definesProperty(tree, p);
} else {
- String path = location.getPath();
- String name = Text.getName(location.getPath());
- return POLICY_NODE_NAMES.contains(name) ||
ACE_PROPERTY_NAMES.contains(name) || path.startsWith(PERMISSIONS_STORE_PATH);
+ return isItemName(location.getName()) ||
location.getPath().startsWith(PERMISSIONS_STORE_PATH);
+ }
+ }
+
+ private static boolean isNodeName(@Nonnull String name) {
+ for (String n : NODE_NAMES) {
+ if (n.equals(name)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private static boolean isItemName(@Nonnull String name) {
+ if (isNodeName(name)) {
+ return true;
+ }
+ for (String n : PROPERTY_NAMES) {
+ if (n.equals(name)) {
+ return true;
+ }
}
+ return false;
}
+ private static boolean isNtName(@Nonnull String name) {
+ for (String n : NT_NAMES) {
+ if (n.equals(name)) {
+ return true;
+ }
+ }
+ return false;
+ }
}
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.java
Wed Nov 11 16:23:20 2015
@@ -17,6 +17,7 @@
package org.apache.jackrabbit.oak.security.authorization.composite;
import java.security.Principal;
+import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
@@ -70,14 +71,19 @@ public class CompositeAuthorizationConfi
@Nonnull
@Override
public RestrictionProvider getRestrictionProvider() {
- return CompositeRestrictionProvider.newInstance(
- Lists.transform(getConfigurations(),
- new Function<AuthorizationConfiguration,
RestrictionProvider>() {
- @Override
- public RestrictionProvider
apply(AuthorizationConfiguration authorizationConfiguration) {
- return
authorizationConfiguration.getRestrictionProvider();
- }
- }));
+ List<AuthorizationConfiguration> configurations = getConfigurations();
+ switch (configurations.size()) {
+ case 0: return RestrictionProvider.EMPTY;
+ case 1: return configurations.get(0).getRestrictionProvider();
+ default:
+ List<RestrictionProvider> rps = new
ArrayList<RestrictionProvider>(configurations.size());
+ for (AuthorizationConfiguration c : configurations) {
+ if (RestrictionProvider.EMPTY != c) {
+ rps.add(c.getRestrictionProvider());
+ }
+ }
+ return CompositeRestrictionProvider.newInstance(rps);
+ }
}
@Nonnull
@@ -90,7 +96,7 @@ public class CompositeAuthorizationConfi
case 0: throw new IllegalStateException();
case 1: return configurations.get(0).getPermissionProvider(root,
workspaceName, principals);
default:
- List<AggregatedPermissionProvider> aggrPermissionProviders =
Lists.newArrayListWithCapacity(configurations.size());
+ List<AggregatedPermissionProvider> aggrPermissionProviders =
new ArrayList(configurations.size());
for (AuthorizationConfiguration conf : configurations) {
PermissionProvider pProvider =
conf.getPermissionProvider(root, workspaceName, principals);
if (pProvider instanceof AggregatedPermissionProvider) {
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermission.java
Wed Nov 11 16:23:20 2015
@@ -105,12 +105,13 @@ final class CompositeTreePermission impl
for (int i = 0, j = 0; i < parentPermission.providers.length;
i++) {
parent = parentPermission.treePermissions[i];
if (isValid(parent)) {
- TreePermission tp =
parent.getChildPermission(childName, childState);
+ AggregatedPermissionProvider provider =
parentPermission.providers[i];
+ TreePermission tp = provider.getTreePermission(tree,
type, parent);
if (!isValid(tp)) {
cnt++;
}
tps[j] = tp;
- pvds[j] = parentPermission.providers[i];
+ pvds[j] = provider;
j++;
}
}
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java
Wed Nov 11 16:23:20 2015
@@ -31,7 +31,6 @@ import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.security.AccessControlException;
-import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import org.apache.jackrabbit.oak.api.Tree;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
@@ -42,14 +41,14 @@ import org.apache.jackrabbit.oak.spi.sec
*/
public final class CompositeRestrictionProvider implements RestrictionProvider
{
- private final Collection<? extends RestrictionProvider> providers;
+ private final RestrictionProvider[] providers;
private CompositeRestrictionProvider(@Nonnull Collection<? extends
RestrictionProvider> providers) {
- this.providers = ImmutableSet.copyOf(providers);
+ this.providers = providers.toArray(new
RestrictionProvider[providers.size()]);
}
public static RestrictionProvider newInstance(@Nonnull
RestrictionProvider... providers) {
- return newInstance(Arrays.<RestrictionProvider>asList(providers));
+ return newInstance(Arrays.asList(providers));
}
public static RestrictionProvider newInstance(@Nonnull Collection<?
extends RestrictionProvider> providers) {
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationContextTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationContextTest.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationContextTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationContextTest.java
Wed Nov 11 16:23:20 2015
@@ -18,14 +18,22 @@ package org.apache.jackrabbit.oak.securi
import java.util.List;
+import javax.annotation.Nullable;
+import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
+import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;
+import org.apache.jackrabbit.JcrConstants;
import
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import org.apache.jackrabbit.oak.spi.security.Context;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.junit.Test;
@@ -36,6 +44,25 @@ import static org.junit.Assert.assertTru
public class AuthorizationContextTest extends AbstractSecurityTest {
+ @Override
+ public void after() throws Exception {
+ try {
+ root.refresh();
+ } finally {
+ super.after();
+ }
+ }
+
+ private void createAcl(@Nullable String path, String... privilegeNames)
throws RepositoryException {
+ AccessControlManager acMgr = getAccessControlManager(root);
+
+ AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr,
path);
+ assertNotNull(acl);
+
+ acl.addAccessControlEntry(EveryonePrincipal.getInstance(),
privilegesFromNames(privilegeNames));
+ acMgr.setPolicy(path, acl);
+ }
+
/**
* @see <a
href="https://issues.apache.org/jira/browse/OAK-2740";>OAK-2740</a>
*/
@@ -53,49 +80,25 @@ public class AuthorizationContextTest ex
@Test
public void testPolicyDefinesContextRoot() throws Exception {
- AccessControlManager acMgr = getAccessControlManager(root);
-
- AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr,
"/");
- assertNotNull(acl);
-
- acl.addAccessControlEntry(EveryonePrincipal.getInstance(),
privilegesFromNames(PrivilegeConstants.JCR_READ));
- acMgr.setPolicy("/", acl);
+ createAcl("/", PrivilegeConstants.JCR_READ);
Tree aclTree =
root.getTree("/").getChild(AccessControlConstants.REP_POLICY);
assertTrue(aclTree.exists());
assertTrue(AuthorizationContext.getInstance().definesContextRoot(aclTree));
-
- // revert changes
- root.refresh();
}
@Test
public void testRepoPolicyDefinesContextRoot() throws Exception {
- AccessControlManager acMgr = getAccessControlManager(root);
-
- AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr,
null);
- assertNotNull(acl);
-
- acl.addAccessControlEntry(EveryonePrincipal.getInstance(),
privilegesFromNames(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT));
- acMgr.setPolicy(null, acl);
+ createAcl(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
Tree aclTree =
root.getTree("/").getChild(AccessControlConstants.REP_REPO_POLICY);
assertTrue(aclTree.exists());
assertTrue(AuthorizationContext.getInstance().definesContextRoot(aclTree));
-
- // revert changes
- root.refresh();
}
@Test
public void testAceDefinesContextRoot() throws Exception {
- AccessControlManager acMgr = getAccessControlManager(root);
-
- AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr,
"/");
- assertNotNull(acl);
-
- acl.addAccessControlEntry(EveryonePrincipal.getInstance(),
privilegesFromNames(PrivilegeConstants.JCR_READ));
- acMgr.setPolicy("/", acl);
+ createAcl("/", PrivilegeConstants.JCR_READ);
Tree aclTree =
root.getTree("/").getChild(AccessControlConstants.REP_POLICY);
assertTrue(aclTree.exists());
@@ -103,9 +106,39 @@ public class AuthorizationContextTest ex
for (Tree child : aclTree.getChildren()) {
assertFalse(AuthorizationContext.getInstance().definesContextRoot(child));
}
+ }
+
+ @Test
+ public void testLocation() throws Exception {
+ createAcl("/", PrivilegeConstants.JCR_READ);
+
+ Context ctx = AuthorizationContext.getInstance();
- // revert changes
- root.refresh();
+ String policyPath = "/rep:policy";
+ assertTrue(ctx.definesLocation(TreeLocation.create(root, policyPath +
"/allow")));
+ assertTrue(ctx.definesLocation(TreeLocation.create(root, policyPath +
"/allow/" + AccessControlConstants.REP_PRINCIPAL_NAME)));
+ assertTrue(ctx.definesLocation(TreeLocation.create(root, policyPath +
"/allow/" + AccessControlConstants.REP_PRIVILEGES)));
+
+ List<String> existingRegular = ImmutableList.of(
+ "/",
+ "/jcr:system"
+ );
+ for (String path : existingRegular) {
+ assertFalse(path, ctx.definesLocation(TreeLocation.create(root,
path)));
+ assertFalse(path, ctx.definesLocation(TreeLocation.create(root,
PathUtils.concat(path, JcrConstants.JCR_PRIMARYTYPE))));
+ }
+
+ List<String> nonExistingItem = ImmutableList.of(
+ '/' + AccessControlConstants.REP_REPO_POLICY,
+ "/content/" + AccessControlConstants.REP_POLICY,
+ "/content/" + AccessControlConstants.REP_PRIVILEGES,
+ "/content/" + AccessControlConstants.REP_REPO_POLICY,
+ "/jcr:system/" + AccessControlConstants.REP_POLICY,
+ PermissionConstants.PERMISSIONS_STORE_PATH + "/nonexisting");
+ for (String path : nonExistingItem) {
+ assertTrue(path, ctx.definesLocation(TreeLocation.create(root,
path)));
+ assertTrue(path, ctx.definesLocation(TreeLocation.create(root,
PathUtils.concat(path, AccessControlConstants.REP_PRIVILEGES))));
+ }
}
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-run/pom.xml
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-run/pom.xml?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-run/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-run/pom.xml Wed Nov 11 16:23:20 2015
@@ -240,11 +240,16 @@
<artifactId>oak-http</artifactId>
<version>${project.version}</version>
</dependency>
- <dependency>
+ <dependency>
<groupId>org.apache.jackrabbit</groupId>
<artifactId>oak-remote</artifactId>
<version>${project.version}</version>
- </dependency>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.jackrabbit</groupId>
+ <artifactId>oak-authorization-cug</artifactId>
+ <version>${project.version}</version>
+ </dependency>
<dependency>
<groupId>org.apache.jackrabbit</groupId>
<artifactId>oak-lucene</artifactId>
Modified:
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java
(original)
+++
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java
Wed Nov 11 16:23:20 2015
@@ -119,7 +119,12 @@ public class BenchmarkRunner {
.withOptionalArg().ofType(Integer.class).defaultsTo(10000);
OptionSpec<Boolean> setScope = parser.accepts("setScope", "Whether to
use include setScope in the user query.")
.withOptionalArg().ofType(Boolean.class)
- .defaultsTo(Boolean.FALSE);
+ .defaultsTo(Boolean.FALSE);
+ OptionSpec<Boolean> reverseOrder = parser.accepts("reverseOrder",
"Invert order of configurations in composite setup.")
+ .withOptionalArg().ofType(Boolean.class)
+ .defaultsTo(Boolean.FALSE);
+ OptionSpec<String> supportedPaths = parser.accepts("supportedPaths",
"Supported paths in composite setup.")
+
.withOptionalArg().ofType(String.class).withValuesSeparatedBy(',');
OptionSpec<String> nonOption = parser.nonOptions();
OptionSpec help = parser.acceptsAll(asList("h", "?", "help"), "show
help").forHelp();
OptionSet options = parser.parse(args);
@@ -233,7 +238,17 @@ public class BenchmarkRunner {
report.value(options)),
new CompositeAuthorizationTest(
runAsAdmin.value(options),
- itemsToRead.value(options)), // TODO: is currently the
no of configurations (hack)
+ itemsToRead.value(options)), // NOTE: this is
currently the no of configurations
+ new CugTest(runAsAdmin.value(options),
+ itemsToRead.value(options),
+ randomUser.value(options),
+ supportedPaths.values(options),
+ reverseOrder.value(options)),
+ new CugOakTest(runAsAdmin.value(options),
+ itemsToRead.value(options),
+ randomUser.value(options),
+ supportedPaths.values(options),
+ reverseOrder.value(options)),
new ConcurrentReadDeepTreeTest(
runAsAdmin.value(options),
itemsToRead.value(options),
Added:
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CugOakTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CugOakTest.java?rev=1713884&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CugOakTest.java
(added)
+++
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CugOakTest.java
Wed Nov 11 16:23:20 2015
@@ -0,0 +1,137 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.benchmark;
+
+import java.security.PrivilegedAction;
+import java.util.Collections;
+import java.util.List;
+import javax.annotation.Nonnull;
+import javax.jcr.Credentials;
+import javax.jcr.GuestCredentials;
+import javax.jcr.Repository;
+import javax.security.auth.Subject;
+
+import org.apache.jackrabbit.oak.Oak;
+import org.apache.jackrabbit.oak.api.ContentRepository;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.fixture.JcrCreator;
+import org.apache.jackrabbit.oak.fixture.OakRepositoryFixture;
+import org.apache.jackrabbit.oak.fixture.RepositoryFixture;
+import org.apache.jackrabbit.oak.jcr.Jcr;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+
+/**
+ * Test the effect of multiple authorization configurations on the general read
+ * operations.
+ *
+ * TODO: setup configured number of cugs.
+ */
+public class CugOakTest extends CugTest {
+
+ private ContentRepository contentRepository;
+ private ContentSession cs;
+ private Subject subject;
+
+ protected CugOakTest(boolean runAsAdmin, int itemsToRead, boolean
singleSession, @Nonnull List<String> supportedPaths, boolean reverseOrder) {
+ super(runAsAdmin, itemsToRead, singleSession, supportedPaths,
reverseOrder);
+ }
+
+ @Override
+ protected Repository[] createRepository(RepositoryFixture fixture) throws
Exception {
+ if (fixture instanceof OakRepositoryFixture) {
+ return ((OakRepositoryFixture) fixture).setUpCluster(1, new
JcrCreator() {
+ @Override
+ public Jcr customize(Oak oak) {
+ Jcr jcr = new Jcr(oak).with(createSecurityProvider());
+ contentRepository = jcr.createContentRepository();
+ return jcr;
+ }
+ });
+ } else {
+ throw new IllegalArgumentException("Fixture " + fixture + " not
supported for this benchmark.");
+ }
+ }
+
+ @Override
+ protected void beforeSuite() throws Exception {
+ super.beforeSuite();
+ Credentials creds = (runAsAdmin) ? getCredentials() : new
GuestCredentials();
+ cs = contentRepository.login(creds, null);
+ subject = new Subject(true, cs.getAuthInfo().getPrincipals(),
Collections.emptySet(), Collections.emptySet());
+ }
+
+ @Override
+ protected void afterSuite() throws Exception {
+ super.afterSuite();
+ cs.close();
+ }
+
+ @Override
+ protected void runTest() throws Exception {
+ boolean logout = false;
+ ContentSession readSession;
+ if (singleSession) {
+ readSession = cs;
+ } else {
+ readSession = Subject.doAs(subject, new
PrivilegedAction<ContentSession>() {
+ @Override
+ public ContentSession run() {
+ try {
+ return contentRepository.login(null, null);
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+ });
+ logout = true;
+ }
+ Root root = readSession.getLatestRoot();
+ try {
+ int nodeCnt = 0;
+ int propertyCnt = 0;
+ int noAccess = 0;
+ int size = allPaths.size();
+ long start = System.currentTimeMillis();
+ for (int i = 0; i < itemsToRead; i++) {
+ double rand = size * Math.random();
+ int index = (int) Math.floor(rand);
+ String path = allPaths.get(index);
+ TreeLocation treeLocation = TreeLocation.create(root, path);
+ if (treeLocation.exists()) {
+ PropertyState ps = treeLocation.getProperty();
+ if (ps != null) {
+ propertyCnt++;
+ } else {
+ nodeCnt++;
+ }
+ } else {
+ noAccess++;
+ }
+ }
+ long end = System.currentTimeMillis();
+ if (doReport) {
+ System.out.println("ContentSession " +
cs.getAuthInfo().getUserID() + " reading " + (itemsToRead - noAccess) + "
(Tree: " + nodeCnt + "; PropertyState: " + propertyCnt + ") completed in " +
(end - start));
+ }
+ } finally {
+ if (logout) {
+ readSession.close();
+ }
+ }
+ }
+}
\ No newline at end of file
Added:
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CugTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CugTest.java?rev=1713884&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CugTest.java
(added)
+++
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/CugTest.java
Wed Nov 11 16:23:20 2015
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.benchmark;
+
+import java.util.List;
+import javax.annotation.Nonnull;
+import javax.jcr.Repository;
+
+import org.apache.jackrabbit.oak.Oak;
+import org.apache.jackrabbit.oak.fixture.JcrCreator;
+import org.apache.jackrabbit.oak.fixture.OakRepositoryFixture;
+import org.apache.jackrabbit.oak.fixture.RepositoryFixture;
+import org.apache.jackrabbit.oak.jcr.Jcr;
+import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
+import
org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import
org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugConfiguration;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+
+/**
+ * Test the effect of multiple authorization configurations on the general read
+ * operations.
+ *
+ * TODO: setup configured number of cugs.
+ */
+public class CugTest extends ReadDeepTreeTest {
+
+ private final ConfigurationParameters params;
+ private final boolean reverseOrder;
+
+ protected CugTest(boolean runAsAdmin, int itemsToRead, boolean
singleSession, @Nonnull List<String> supportedPaths, boolean reverseOrder) {
+ super(runAsAdmin, itemsToRead, false, singleSession);
+ this.params =
ConfigurationParameters.of(AuthorizationConfiguration.NAME,
ConfigurationParameters.of(
+ "cugSupportedPaths", supportedPaths.toArray(new
String[supportedPaths.size()]),
+ "cugEnabled", true));
+ this.reverseOrder = reverseOrder;
+ }
+
+ @Override
+ protected Repository[] createRepository(RepositoryFixture fixture) throws
Exception {
+ if (fixture instanceof OakRepositoryFixture) {
+ return ((OakRepositoryFixture) fixture).setUpCluster(1, new
JcrCreator() {
+ @Override
+ public Jcr customize(Oak oak) {
+ return new Jcr(oak).with(createSecurityProvider());
+ }
+ });
+ } else {
+ throw new IllegalArgumentException("Fixture " + fixture + " not
supported for this benchmark.");
+ }
+ }
+
+ @Override
+ protected String getImportFileName() {
+ return "deepTree_everyone.xml";
+ }
+
+ @Override
+ protected String getTestNodeName() {
+ return "CugTest";
+ }
+
+ protected SecurityProvider createSecurityProvider() {
+ return new TmpSecurityProvider(params, reverseOrder);
+ }
+
+ private static final class TmpSecurityProvider extends
SecurityProviderImpl {
+
+ private TmpSecurityProvider(@Nonnull ConfigurationParameters params,
boolean reverseOrder) {
+ super(params);
+
+ AuthorizationConfiguration authorizationConfiguration =
getConfiguration(AuthorizationConfiguration.class);
+ AuthorizationConfiguration defaultAuthorization =
checkNotNull(((CompositeAuthorizationConfiguration)
authorizationConfiguration).getDefaultConfig());
+ if (reverseOrder) {
+ bindAuthorizationConfiguration(defaultAuthorization);
+ bindAuthorizationConfiguration(new CugConfiguration(this));
+ } else {
+ bindAuthorizationConfiguration(new CugConfiguration(this));
+ bindAuthorizationConfiguration(defaultAuthorization);
+ }
+ }
+ }
+}
\ No newline at end of file
Modified:
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/ReadDeepTreeTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/ReadDeepTreeTest.java?rev=1713884&r1=1713883&r2=1713884&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/ReadDeepTreeTest.java
(original)
+++
jackrabbit/oak/trunk/oak-run/src/main/java/org/apache/jackrabbit/oak/benchmark/ReadDeepTreeTest.java
Wed Nov 11 16:23:20 2015
@@ -69,7 +69,7 @@ public class ReadDeepTreeTest extends Ab
Node rn = adminSession.getRootNode();
allPaths.clear();
- String testNodeName = getClass().getSimpleName() + TEST_ID;
+ String testNodeName = getTestNodeName();
long start = System.currentTimeMillis();
if (!rn.hasNode(testNodeName)) {
testRoot = adminSession.getRootNode().addNode(testNodeName,
"nt:unstructured");
@@ -101,6 +101,10 @@ public class ReadDeepTreeTest extends Ab
return "deepTree.xml";
}
+ protected String getTestNodeName() {
+ return getClass().getSimpleName() + TEST_ID;
+ }
+
protected void visitingNode(Node node, int i) throws RepositoryException {
allPaths.add(node.getPath());
}
