Author: angela
Date: Thu Nov 12 13:55:18 2015
New Revision: 1714047
URL: http://svn.apache.org/viewvc?rev=1714047&view=rev
Log:
OAK-1268 : Add support for composite authorization setup (WIP)
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java?rev=1714047&r1=1714046&r2=1714047&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
Thu Nov 12 13:55:18 2015
@@ -254,7 +254,7 @@ class CugPermissionProvider implements A
TreePermission tp;
boolean parentIsCugPermission = (parentPermission instanceof
CugTreePermission);
if (TreeType.VERSION == type) {
- tp = createVersionStorePermission(immutableTree, type,
parentPermission, parentIsCugPermission);
+ tp = createVersionPermission(immutableTree, type,
parentPermission, parentIsCugPermission);
} else {
if (parentIsCugPermission) {
tp = new CugTreePermission(immutableTree, type,
parentPermission, this);
@@ -369,7 +369,7 @@ class CugPermissionProvider implements A
}
@Nonnull
- private TreePermission createVersionStorePermission(@Nonnull Tree tree,
@Nonnull TreeType type, @Nonnull TreePermission parent, boolean
parentIsCugPermission) {
+ private TreePermission createVersionPermission(@Nonnull Tree tree,
@Nonnull TreeType type, @Nonnull TreePermission parent, boolean
parentIsCugPermission) {
if (ReadOnlyVersionManager.isVersionStoreTree(tree)) {
if (parentIsCugPermission) {
return new CugTreePermission(tree, type, parent, this);
@@ -381,29 +381,37 @@ class CugPermissionProvider implements A
if (versionableTree == null) {
return TreePermission.NO_RECOURSE;
}
+ TreeType versionableType = typeProvider.getType(versionableTree);
+ if (!isSupportedType(versionableType)) {
+ return TreePermission.NO_RECOURSE;
+ }
- TreePermission tp;
String path = versionableTree.getPath();
+ boolean isSupportedPath = false;
+
+ // test if the versionable node holds a cug
+ Tree cug = null;
if (parentIsCugPermission) {
- CugTreePermission delegatee;
- if (CugUtil.hasCug(versionableTree)) {
- delegatee = new CugTreePermission(versionableTree, type,
parent, this);
- } else {
- delegatee = (CugTreePermission) parent;
- };
- tp = new CugTreePermission(tree, type, parent, this,
delegatee.isInCug(), delegatee.isAllow());
+ cug = CugUtil.getCug(versionableTree);
} else if (supportedPaths.includes(path)) {
- // look for cug in the hierarchy
- Tree cugRoot = getCugRoot(versionableTree,
typeProvider.getType(versionableTree));
- if (cugRoot == null) {
- // no cug present so far -> continue looking for cugs for
frozen children
- tp = new CugTreePermission(tree, type, parent, this,
false, false);
- } else {
- // retrieve read-access from the cug and apply it to the
- // tree permissions of the target tree located in the
version storage
- CugTreePermission delegatee = new
CugTreePermission(cugRoot, type, parent, this);
- tp = new CugTreePermission(tree, type, parent, this,
delegatee.isInCug(), delegatee.isAllow());
+ isSupportedPath = true;
+ // the versionable tree might be included in a cug defined by
+ // a parent node -> need to search for inherited cugs as well.
+ Tree cugRoot = getCugRoot(versionableTree, versionableType);
+ if (cugRoot != null) {
+ cug = CugUtil.getCug(cugRoot);
}
+ }
+
+ TreePermission tp;
+ if (cug != null) {
+ // backing versionable tree holds a cug
+ tp = new CugTreePermission(tree, type, parent, this, true,
isAllow(cug));
+ } else if (parentIsCugPermission) {
+ CugTreePermission ctp = (CugTreePermission) parent;
+ tp = new CugTreePermission(tree, type, parent, this,
ctp.isInCug(), ctp.isAllow());
+ } else if (isSupportedPath) {
+ tp = new CugTreePermission(tree, type, parent, this, false,
false);
} else if (supportedPaths.mayContainCug(path)) {
tp = new EmptyCugTreePermission(tree, type, this);
} else {
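Review bot: In the `if (parentIsCugPermission)` arm only `CugUtil.getCug(versionableTree)` is consulted, with no `supportedPaths.includes(path)` test and no `getCugRoot` search, so it resolves the effective CUG differently from the `else if` arm right after it. When the versionable node has no policy of its own, the flags are copied from the version-store parent via `ctp.isInCug(), ctp.isAllow()` rather than derived from an ancestor CUG of the versionable node. If that is intended, the `else if (parentIsCugPermission)` arm deserves a comment saying so, since this decides read access to frozen content. The comment `// backing versionable tree holds a cug` is also inaccurate when `cug` came from `cugRoot`; `// versionable tree is covered by a cug (own or inherited)` would match the code. The method starts before this hunk and continues past it, so `isAllow(cug)` and the final `else` are not visible here.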
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java?rev=1714047&r1=1714046&r2=1714047&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
Thu Nov 12 13:55:18 2015
@@ -35,11 +35,15 @@ import org.apache.jackrabbit.api.securit
import
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
@@ -192,4 +196,16 @@ public class AbstractCugTest extends Abs
assertTrue(tp instanceof EmptyCugTreePermission);
}
}
+
+ static TreePermission getTreePermission(@Nonnull Root root,
+ @Nonnull String path,
+ @Nonnull PermissionProvider pp) {
+ Tree t = root.getTree("/");
+ TreePermission tp = pp.getTreePermission(t, TreePermission.EMPTY);
+ for (String segm : PathUtils.elements(path)) {
+ t = t.getChild(segm);
+ tp = pp.getTreePermission(t, tp);
+ }
+ return tp;
+ }
}
\ No newline at end of file
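Review bot: The new shared helper `getTreePermission(root, path, pp)` has no Javadoc and never checks that the trees it walks exist. As far as I know, `Tree.getChild` returns a non-existing tree rather than failing on a missing segment, so a mistyped path would still produce a `TreePermission`, and an assertion on it could pass or fail for the wrong reason. A short Javadoc should state that `path` is an absolute path walked segment by segment from the root, starting with `TreePermission.EMPTY` as the parent. If no caller needs to traverse missing nodes, adding `assertTrue(t.exists());` after `t = t.getChild(segm);` would make such mistakes visible.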
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java?rev=1714047&r1=1714046&r2=1714047&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java
Thu Nov 12 13:55:18 2015
@@ -21,7 +21,6 @@ import javax.annotation.Nonnull;
import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.api.PropertyState;
-import org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.plugins.tree.impl.AbstractTree;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
@@ -51,9 +50,12 @@ public class CugTreePermissionTest exten
}
private CugTreePermission getCugTreePermission(@Nonnull Principal...
principals) {
+ return getCugTreePermission(SUPPORTED_PATH, principals);
+ }
+
+ private CugTreePermission getCugTreePermission(@Nonnull String path,
@Nonnull Principal... principals) {
CugPermissionProvider pp =
createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2),
principals);
- TreePermission rootTp = pp.getTreePermission(root.getTree("/"),
TreePermission.EMPTY);
- TreePermission targetTp =
pp.getTreePermission(root.getTree(SUPPORTED_PATH), rootTp);
+ TreePermission targetTp = getTreePermission(root, path, pp);
assertTrue(targetTp instanceof CugTreePermission);
return (CugTreePermission) targetTp;
}
@@ -73,6 +75,26 @@ public class CugTreePermissionTest exten
}
@Test
+ public void testIsAllow() throws Exception {
+ assertTrue(allowedTp.isAllow());
+ assertFalse(deniedTp.isAllow());
+
+ CugTreePermission tp = getCugTreePermission(SUPPORTED_PATH2);
+ assertFalse(tp.isAllow());
+ tp = getCugTreePermission(SUPPORTED_PATH2,
getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
+ assertFalse(tp.isAllow());
+ }
+
+ @Test
+ public void testIsInCug() {
+ assertTrue(allowedTp.isInCug());
+ assertTrue(deniedTp.isInCug());
+
+ CugTreePermission tp = getCugTreePermission(SUPPORTED_PATH2);
+ assertFalse(tp.isInCug());
+ }
+
+ @Test
public void testCanRead() {
assertTrue(allowedTp.canRead());
assertFalse(deniedTp.canRead());
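Review bot: `testIsAllow` asserts that `isAllow()` is false at `SUPPORTED_PATH2` even when `EveryonePrincipal` is passed, without saying why. Judging from `testIsInCug`, which expects `isInCug()` to be false for the same path, no CUG policy is set up there, so the false value presumably means "no CUG applies" rather than "read denied". A comment such as `// no cug at SUPPORTED_PATH2: isAllow is false regardless of the principals` above the second block would keep a reader from mistaking it for a deny decision.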
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java?rev=1714047&r1=1714046&r2=1714047&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
(original)
+++
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
Thu Nov 12 13:55:18 2015
@@ -33,6 +33,7 @@ import org.apache.jackrabbit.oak.commons
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManager;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.plugins.tree.TreeType;
import org.apache.jackrabbit.oak.plugins.version.ReadOnlyVersionManager;
import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
@@ -335,13 +336,7 @@ public class VersionTest extends Abstrac
Tree vh =
checkNotNull(versionManager.getVersionHistory(root.getTree(SUPPORTED_PATH)));
CugPermissionProvider pp =
createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH + "/a"));
-
- Tree t = root.getTree("/");
- TreePermission tp = pp.getTreePermission(t, TreePermission.EMPTY);
- for (String segm : PathUtils.elements(vh.getPath())) {
- t = t.getChild(segm);
- tp = pp.getTreePermission(t, tp);
- }
+ TreePermission tp = getTreePermission(root, vh.getPath(), pp);
assertTrue(tp instanceof EmptyCugTreePermission);
}
@@ -365,7 +360,6 @@ public class VersionTest extends Abstrac
for (String segm : PathUtils.elements(vhPath)) {
t = t.getChild(segm);
tp = pp.getTreePermission(t, tp);
-
assertTrue(tp instanceof CugTreePermission);
}
} finally {
@@ -377,4 +371,39 @@ public class VersionTest extends Abstrac
root.commit();
}
}
+
+ @Test
+ public void testVersionableWithUnsupportedType() throws Exception {
+ Tree versionable = root.getTree("/content");
+ Tree vh = checkNotNull(versionManager.getVersionHistory(versionable));
+ Tree frozen =
vh.getChild("1.0").getChild(JCR_FROZENNODE).getChild("a").getChild("b").getChild("c");
+
+ Tree invalidFrozen = frozen.addChild(REP_CUG_POLICY);
+ invalidFrozen.setProperty(JCR_PRIMARYTYPE, NT_REP_CUG_POLICY);
+
+ CugPermissionProvider pp =
createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2));
+ TreePermission tp = getTreePermission(root,
PathUtils.concat(vh.getPath(), "1.0", JCR_FROZENNODE, "a/b/c"), pp);
+
+ TreePermission tpForUnsupportedType =
pp.getTreePermission(invalidFrozen, TreeType.VERSION, tp);
+ assertEquals(TreePermission.NO_RECOURSE, tpForUnsupportedType);
+ }
+
+ @Test
+ public void testVersionableWithCugParent() throws Exception {
+ addVersionContent("/content/aa/bb/cc");
+
+ Tree cc = root.getTree("/content/aa/bb/cc");
+ assertFalse(CugUtil.hasCug(cc));
+
+ Tree vh = checkNotNull(versionManager.getVersionHistory(cc));
+ Tree t = root.getTree("/");
+ CugPermissionProvider pp = createCugPermissionProvider(
+ ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2),
getTestGroupPrincipal());
+
+ TreePermission tp = getTreePermission(root, vh.getPath(), pp);
+
+ assertTrue(tp instanceof CugTreePermission);
+ assertTrue(((CugTreePermission) tp).isInCug());
+ assertTrue(((CugTreePermission) tp).isAllow());
+ }
}
\ No newline at end of file
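Review bot: In `testVersionableWithCugParent` the local `Tree t = root.getTree("/");` is never used now that the walk is done by `getTreePermission(root, vh.getPath(), pp)`; the line can be dropped. `testVersionableWithUnsupportedType` adds a `REP_CUG_POLICY` child under the frozen node and never commits or reverts it, whereas the earlier test visible at the top of this hunk cleans up in a `finally` block. If the class teardown does not already discard transient changes, wrapping the body in `try { ... } finally { root.refresh(); }` would keep the invalid policy node from leaking into other tests. A one-line comment noting that the policy node is deliberately placed inside the version storage, where it has an unsupported tree type, would also explain the `NO_RECOURSE` expectation.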