Author: stillalex
Date: Wed Aug  9 12:35:08 2017
New Revision: 1804509

URL: http://svn.apache.org/viewvc?rev=1804509&view=rev
Log:
OAK-6527 CompositeNodeStore permission evaluation fails for open setups


Added:
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java
   (with props)
    
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderRandomTestIT.java
   (with props)
    
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderTest.java
   (with props)
Removed:
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/MultiplexingPermissionProvider.java
    
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/MultiplexingProviderTest.java
    
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/MutiplexingProviderRandomTestIT.java
Modified:
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationInitializer.java
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java
    
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionEntryProviderImplTest.java

Modified: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java?rev=1804509&r1=1804508&r2=1804509&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
 Wed Aug  9 12:35:08 2017
@@ -19,7 +19,6 @@ package org.apache.jackrabbit.oak.securi
 import static 
org.apache.jackrabbit.oak.spi.security.RegistrationConstants.OAK_SECURITY_NAME;
 
 import java.security.Principal;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -42,7 +41,7 @@ import org.apache.jackrabbit.oak.plugins
 import 
org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlImporter;
 import 
org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl;
 import 
org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidatorProvider;
-import 
org.apache.jackrabbit.oak.security.authorization.composite.MultiplexingPermissionProvider;
+import 
org.apache.jackrabbit.oak.security.authorization.permission.MountPermissionProvider;
 import 
org.apache.jackrabbit.oak.security.authorization.permission.PermissionHook;
 import 
org.apache.jackrabbit.oak.security.authorization.permission.PermissionProviderImpl;
 import 
org.apache.jackrabbit.oak.security.authorization.permission.PermissionStoreValidatorProvider;
@@ -52,7 +51,6 @@ import org.apache.jackrabbit.oak.spi.com
 import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
 import org.apache.jackrabbit.oak.spi.lifecycle.WorkspaceInitializer;
-import org.apache.jackrabbit.oak.spi.mount.Mount;
 import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
 import org.apache.jackrabbit.oak.spi.mount.Mounts;
 import org.apache.jackrabbit.oak.spi.security.CompositeConfiguration;
@@ -63,7 +61,6 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
-import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
@@ -203,18 +200,11 @@ public class AuthorizationConfigurationI
         Context ctx = 
getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getContext();
 
         if (mountInfoProvider.hasNonDefaultMounts()) {
-            List<AggregatedPermissionProvider> agg = new ArrayList<>();
-            agg.add(new PermissionProviderImpl(root, workspaceName, 
workspaceName, principals, getRestrictionProvider(),
-                    getParameters(), ctx));
-            for (Mount m : mountInfoProvider.getNonDefaultMounts()) {
-                String permissionRootName = 
MultiplexingPermissionProvider.getPermissionRootName(m, workspaceName);
-                agg.add(new PermissionProviderImpl(root, workspaceName, 
permissionRootName, principals, getRestrictionProvider(), getParameters(),
-                        ctx));
-            }
-            return new MultiplexingPermissionProvider(root, agg, ctx);
+            return new MountPermissionProvider(root, workspaceName, 
principals, getRestrictionProvider(),
+                    getParameters(), ctx, mountInfoProvider);
         } else {
-            return new PermissionProviderImpl(root, workspaceName, 
workspaceName, principals, getRestrictionProvider(), getParameters(),
-                    ctx);
+            return new PermissionProviderImpl(root, workspaceName, principals, 
getRestrictionProvider(),
+                    getParameters(), ctx);
         }
     }
 }

Modified: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationInitializer.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationInitializer.java?rev=1804509&r1=1804508&r2=1804509&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationInitializer.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationInitializer.java
 Wed Aug  9 12:35:08 2017
@@ -20,7 +20,7 @@ import com.google.common.collect.Immutab
 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.oak.api.Type;
 import org.apache.jackrabbit.oak.plugins.index.IndexUtils;
-import 
org.apache.jackrabbit.oak.security.authorization.composite.MultiplexingPermissionProvider;
+import 
org.apache.jackrabbit.oak.security.authorization.permission.MountPermissionProvider;
 import org.apache.jackrabbit.oak.spi.lifecycle.WorkspaceInitializer;
 import org.apache.jackrabbit.oak.spi.mount.Mount;
 import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
@@ -72,7 +72,7 @@ class AuthorizationInitializer implement
             
permissionStore.child(workspaceName).setProperty(JcrConstants.JCR_PRIMARYTYPE, 
NT_REP_PERMISSION_STORE, Type.NAME);
         }
         for (Mount m : mountInfoProvider.getNonDefaultMounts()) {
-            String permissionRootName =  
MultiplexingPermissionProvider.getPermissionRootName(m, workspaceName);
+            String permissionRootName =  
MountPermissionProvider.getPermissionRootName(m, workspaceName);
             if (!permissionStore.hasChildNode(permissionRootName)) {
                 
permissionStore.child(permissionRootName).setProperty(JcrConstants.JCR_PRIMARYTYPE,
 NT_REP_PERMISSION_STORE, Type.NAME);
             }

Modified: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1804509&r1=1804508&r2=1804509&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
 Wed Aug  9 12:35:08 2017
@@ -74,7 +74,7 @@ final class CompiledPermissionImpl imple
 
     private final String workspaceName;
     private final ReadPolicy readPolicy;
-    private final PermissionStoreImpl store;
+    private final PermissionStore store;
     private final PermissionEntryProvider userStore;
     private final PermissionEntryProvider groupStore;
     private final TreeTypeProvider typeProvider;
@@ -86,7 +86,7 @@ final class CompiledPermissionImpl imple
     private CompiledPermissionImpl(@Nonnull Set<Principal> principals,
                                    @Nonnull Root root,
                                    @Nonnull String workspaceName,
-                                   @Nonnull String permissionRootName,
+                                   @Nonnull PermissionStore store,
                                    @Nonnull RestrictionProvider 
restrictionProvider,
                                    @Nonnull ConfigurationParameters options,
                                    @Nonnull Context ctx) {
@@ -99,7 +99,7 @@ final class CompiledPermissionImpl imple
         readPolicy = (readPaths.isEmpty()) ? EmptyReadPolicy.INSTANCE : new 
DefaultReadPolicy(readPaths);
 
         // setup
-        store = new PermissionStoreImpl(root, permissionRootName, 
restrictionProvider);
+        this.store = store;
         Set<String> userNames = new HashSet<String>(principals.size());
         Set<String> groupNames = new HashSet<String>(principals.size());
         for (Principal principal : principals) {
@@ -119,16 +119,16 @@ final class CompiledPermissionImpl imple
 
     static CompiledPermissions create(@Nonnull Root root,
                                       @Nonnull String workspaceName,
-                                      @Nonnull String permissionRootName,
+                                      @Nonnull PermissionStore store,
                                       @Nonnull Set<Principal> principals,
                                       @Nonnull RestrictionProvider 
restrictionProvider,
                                       @Nonnull ConfigurationParameters options,
                                       @Nonnull Context ctx) {
-        Tree permissionsTree = PermissionUtil.getPermissionsRoot(root, 
permissionRootName);
+        Tree permissionsTree = PermissionUtil.getPermissionsRoot(root, 
workspaceName);
         if (!permissionsTree.exists() || principals.isEmpty()) {
             return NoPermissions.getInstance();
         } else {
-            return new CompiledPermissionImpl(principals, root, workspaceName, 
permissionRootName, restrictionProvider, options, ctx);
+            return new CompiledPermissionImpl(principals, root, workspaceName, 
store, restrictionProvider, options, ctx);
         }
     }
 
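Review bot: The existence check in `create` now probes only the default permission root (`PermissionUtil.getPermissionsRoot(root, workspaceName)`), while the `store` passed in may aggregate further per-mount roots; when the default root is absent the method returns `NoPermissions` without consulting them. That fails closed, which is the safe direction for an authorization decision, but the reason should be written down above the check, e.g. `// only the default permission root is probed; mount roots are expected to be created alongside it by AuthorizationInitializer`. Because `store` is now a parameter, the caller has to construct it before this check runs, so a store is built even when `NoPermissions` is returned.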
@@ -531,7 +531,7 @@ final class CompiledPermissionImpl imple
             while (it.hasNext()) {
                 PermissionEntry entry = it.next();
                 if (entry.privilegeBits.includes(READ_BITS.get(permission))) {
-                    return (entry.isAllow);
+                    return entry.isAllow;
                 }
             }
             return false;

Added: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java?rev=1804509&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java
 Wed Aug  9 12:35:08 2017
@@ -0,0 +1,119 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.permission;
+
+import static com.google.common.collect.Lists.newArrayList;
+
+import java.security.Principal;
+import java.util.Collection;
+import java.util.List;
+import java.util.Set;
+
+import javax.annotation.Nonnull;
+
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.spi.mount.Mount;
+import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.Context;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+
+import com.google.common.collect.ImmutableSet;
+
+public class MountPermissionProvider extends PermissionProviderImpl {
+
+    @Nonnull
+    public static String getPermissionRootName(@Nonnull Mount mount, @Nonnull 
String workspace) {
+        if (mount.isDefault()) {
+            return workspace;
+        } else {
+            return mount.getPathFragmentName() + "-" + workspace;
+        }
+    }
+
+    private final MountInfoProvider mountInfoProvider;
+
+    public MountPermissionProvider(@Nonnull Root root, @Nonnull String 
workspaceName,
+            @Nonnull Set<Principal> principals, @Nonnull RestrictionProvider 
restrictionProvider,
+            @Nonnull ConfigurationParameters options, @Nonnull Context ctx, 
MountInfoProvider mountInfoProvider) {
+        super(root, workspaceName, principals, restrictionProvider, options, 
ctx);
+        this.mountInfoProvider = mountInfoProvider;
+    }
+
+    @Override
+    protected PermissionStore getPermissionStore(Root root, String 
workspaceName,
+            RestrictionProvider restrictionProvider) {
+        List<PermissionStoreImpl> stores = newArrayList();
+        stores.add(new PermissionStoreImpl(root, workspaceName, 
restrictionProvider));
+        for (Mount m : mountInfoProvider.getNonDefaultMounts()) {
+            String psRoot = getPermissionRootName(m, workspaceName);
+            PermissionStoreImpl ps = new PermissionStoreImpl(root, psRoot, 
restrictionProvider);
+            stores.add(ps);
+        }
+        return new MountPermissionStore(stores);
+    }
+
+    private static class MountPermissionStore implements PermissionStore {
+
+        private final List<PermissionStoreImpl> stores;
+
+        public MountPermissionStore(List<PermissionStoreImpl> stores) {
+            this.stores = stores;
+        }
+
+        @Override
+        public Collection<PermissionEntry> load(Collection<PermissionEntry> 
entries, String principalName,
+                String path) {
+            for (PermissionStoreImpl store : stores) {
+                Collection<PermissionEntry> col = store.load(null, 
principalName, path);
+                if (col != null && !col.isEmpty()) {
+                    return col;
+                }
+            }
+            return ImmutableSet.of();
+        }
+
+        @Override
+        public PrincipalPermissionEntries load(String principalName) {
+            PrincipalPermissionEntries ppe = new PrincipalPermissionEntries();
+            for (PermissionStoreImpl store : stores) {
+                
ppe.getEntries().putAll(store.load(principalName).getEntries());
+            }
+            ppe.setFullyLoaded(true);
+            return ppe;
+        }
+
+        @Override
+        public long getNumEntries(String principalName, long max) {
+            long num = 0;
+            for (PermissionStoreImpl store : stores) {
+                num += store.getNumEntries(principalName, max);
+                if (num >= max) {
+                    break;
+                }
+            }
+            return num;
+        }
+
+        @Override
+        public void flush(Root root) {
+            for (PermissionStoreImpl store : stores) {
+                store.flush(root);
+            }
+        }
+    }
+}
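Review bot: `MountPermissionStore.load(entries, principalName, path)` never uses its `entries` argument: every delegate is called with `null` and the first non-empty collection is returned, so a caller that hands in a collection to be filled gets nothing added to it, and the result is only correct if a path's entries live in exactly one store. PermissionHook routes writes with `mountInfoProvider.getMountByPath(path)`, which suggests that invariant holds, but the read side should state it, e.g. `// a path belongs to exactly one mount, so at most one store holds entries for it; 'entries' is intentionally not populated`. If callers do rely on `entries` being filled (the interface contract is not visible in this diff), the found entries should be added to it before returning. In `getNumEntries` every delegate is asked with the full `max`, so the returned sum can exceed `max`; passing the remaining budget, `num += store.getNumEntries(principalName, max - num);`, keeps it bounded, assuming delegates cap their result at the limit they are given.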

Propchange: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java?rev=1804509&r1=1804508&r2=1804509&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
 Wed Aug  9 12:35:08 2017
@@ -23,7 +23,6 @@ import javax.annotation.Nonnull;
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate;
 import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
-import 
org.apache.jackrabbit.oak.security.authorization.composite.MultiplexingPermissionProvider;
 import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
 import org.apache.jackrabbit.oak.spi.commit.PostValidationHook;
 import org.apache.jackrabbit.oak.spi.mount.Mount;
@@ -134,7 +133,7 @@ public class PermissionHook implements P
     @Nonnull
     private NodeBuilder getPermissionRoot(String path) {
         Mount m = mountInfoProvider.getMountByPath(path);
-        return 
permissionStore.getChildNode(MultiplexingPermissionProvider.getPermissionRootName(m,
 workspaceName));
+        return 
permissionStore.getChildNode(MountPermissionProvider.getPermissionRootName(m, 
workspaceName));
     }
 
     private final class Diff extends DefaultNodeStateDiff {

Modified: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1804509&r1=1804508&r2=1804509&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
 Wed Aug  9 12:35:08 2017
@@ -48,8 +48,6 @@ public class PermissionProviderImpl impl
 
     private final String workspaceName;
 
-    private final String permissionRootName;
-
     private final Set<Principal> principals;
 
     private final RestrictionProvider restrictionProvider;
@@ -64,14 +62,12 @@ public class PermissionProviderImpl impl
 
     public PermissionProviderImpl(@Nonnull Root root,
                                   @Nonnull String workspaceName,
-                                  @Nonnull String permissionRootName,
                                   @Nonnull Set<Principal> principals,
                                   @Nonnull RestrictionProvider 
restrictionProvider,
                                   @Nonnull ConfigurationParameters options,
                                   @Nonnull Context ctx) {
         this.root = root;
         this.workspaceName = workspaceName;
-        this.permissionRootName = permissionRootName;
         this.principals = principals;
         this.restrictionProvider = restrictionProvider;
         this.options = options;
@@ -164,13 +160,20 @@ public class PermissionProviderImpl impl
             if (PermissionUtil.isAdminOrSystem(principals, options)) {
                 cp = AllPermissions.getInstance();
             } else {
-                cp = CompiledPermissionImpl.create(immutableRoot, 
workspaceName, permissionRootName, principals, restrictionProvider, options, 
ctx);
+                cp = CompiledPermissionImpl.create(immutableRoot, 
workspaceName,
+                        getPermissionStore(immutableRoot, workspaceName, 
restrictionProvider), principals,
+                        restrictionProvider, options, ctx);
             }
             compiledPermissions = cp;
         }
         return cp;
     }
 
+    protected PermissionStore getPermissionStore(Root root, String 
workspaceName,
+            RestrictionProvider restrictionProvider) {
+        return new PermissionStoreImpl(root, workspaceName, 
restrictionProvider);
+    }
+
     private static boolean isVersionStorePath(@Nonnull String oakPath) {
         return oakPath.startsWith(VersionConstants.VERSION_STORE_PATH);
     }
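Review bot: The new `getPermissionStore` hook is an undocumented extension point on the class that decides access, and it lacks the `@Nonnull` annotations used on the constructor in the same file. A Javadoc should say that it is called when the compiled permissions are built for principals that are not admin or system, that the returned store must read from the immutable root it is given, and that overriding it replaces the source of every permission entry evaluated afterwards. The signature would then read `@Nonnull protected PermissionStore getPermissionStore(@Nonnull Root root, @Nonnull String workspaceName, @Nonnull RestrictionProvider restrictionProvider)`. The method containing the changed `create` call starts outside the hunk.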

Modified: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java?rev=1804509&r1=1804508&r2=1804509&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStore.java
 Wed Aug  9 12:35:08 2017
@@ -22,6 +22,8 @@ import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 
+import org.apache.jackrabbit.oak.api.Root;
+
 /**
  * The permission store is used to store and provide access control 
permissions for principals. It is responsible to
  * load and store the permissions in an optimal form in the repository and 
must not cache them.
@@ -48,4 +50,6 @@ interface PermissionStore {
 
     long getNumEntries(@Nonnull String principalName, long max);
 
+    void flush(@Nonnull Root root);
+
 }
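Review bot: `flush(Root)` joins the interface without Javadoc, although the interface comment says implementations must not cache permissions, which leaves it unclear what there is to flush. A comment such as `/** Discards state derived from the previous root and re-reads from the given root. */` would pin the contract; that matches what PermissionStoreImpl does in this commit (`principalTreeMap.clear(); reset(root);`). The interface body starts outside the hunk.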

Modified: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java?rev=1804509&r1=1804508&r2=1804509&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java
 Wed Aug  9 12:35:08 2017
@@ -63,7 +63,8 @@ class PermissionStoreImpl implements Per
         reset(root);
     }
 
-    void flush(@Nonnull Root root) {
+    @Override
+    public void flush(@Nonnull Root root) {
         principalTreeMap.clear();
         reset(root);
     }

Added: 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderRandomTestIT.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderRandomTestIT.java?rev=1804509&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderRandomTestIT.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderRandomTestIT.java
 Wed Aug  9 12:35:08 2017
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.permission;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.Set;
+
+import javax.annotation.Nonnull;
+
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
+import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
+import org.apache.jackrabbit.oak.spi.mount.Mounts;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
+import org.junit.Assert;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Iterators;
+
+public class MountPermissionProviderRandomTestIT extends 
AbstractPermissionRandomTestIT {
+
+    private MountInfoProvider mountInfoProvider;
+
+    @Override
+    public void before() throws Exception {
+        super.before();
+
+        String[] mpxs = new String[] { Iterators.get(allowU.iterator(), 
allowU.size() / 2) };
+        Mounts.Builder builder = Mounts.newBuilder();
+        int i = 0;
+        for (String p : mpxs) {
+            builder.mount("m" + i, p);
+            i++;
+        }
+        mountInfoProvider = builder.build();
+    }
+
+    @Override
+    protected PermissionProvider candidatePermissionProvider(@Nonnull Root 
root, @Nonnull String workspaceName,
+            @Nonnull Set<Principal> principals) {
+        ConfigurationParameters authConfig = 
ConfigurationParameters.of(Collections.singletonMap(
+                AccessControlConstants.PARAM_MOUNT_PROVIDER, 
Preconditions.checkNotNull(mountInfoProvider)));
+        ConfigurationParameters config = 
ConfigurationParameters.of(Collections.singletonMap(
+                AuthorizationConfiguration.NAME, authConfig));
+        SecurityProviderImpl sp = new SecurityProviderImpl(config);
+        AuthorizationConfiguration acConfig = 
sp.getConfiguration(AuthorizationConfiguration.class);
+        PermissionProvider composite = acConfig.getPermissionProvider(root, 
workspaceName, principals);
+        Assert.assertTrue(composite instanceof MountPermissionProvider);
+        return composite;
+    }
+}
\ No newline at end of file
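Review bot: `before()` builds exactly one mount, taken from the middle of `allowU`, even though the loop over `mpxs` is written for several, so the random comparison only ever runs against one non-default store. If `allowU` holds only paths with allow entries (its definition is in the base class, outside this diff), no mounted root carrying a deny entry is exercised; adding a second mount on such a path would cover the case where the first non-empty store decides the outcome. The `Assert.assertTrue(composite instanceof MountPermissionProvider)` check would be easier to diagnose with a message naming the actual class.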

Propchange: 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderRandomTestIT.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderTest.java?rev=1804509&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderTest.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderTest.java
 Wed Aug  9 12:35:08 2017
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.permission;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.security.Principal;
+import java.util.Collections;
+
+import javax.jcr.security.AccessControlManager;
+
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import 
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
+import org.apache.jackrabbit.oak.spi.mount.Mount;
+import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
+import org.apache.jackrabbit.oak.spi.mount.Mounts;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableMap;
+
+public class MountPermissionProviderTest extends AbstractSecurityTest
+        implements AccessControlConstants, PrivilegeConstants, 
PermissionConstants {
+
+    private MountInfoProvider mountInfoProvider;
+    private String testNode = "MultiplexingProviderTest";
+    private String testPath = "/" + testNode;
+
+    @Override
+    @Before
+    public void before() throws Exception {
+        mountInfoProvider = Mounts.newBuilder().mount("testMount", 
testPath).build();
+        super.before();
+    }
+
+    @Override
+    @After
+    public void after() throws Exception {
+        try {
+            root.refresh();
+            Tree test = root.getTree(testPath);
+            if (test.exists()) {
+                test.remove();
+            }
+            root.commit();
+        } finally {
+            super.after();
+        }
+    }
+
+    @Override
+    protected ConfigurationParameters getSecurityConfigParameters() {
+        ConfigurationParameters authConfig = 
ConfigurationParameters.of(Collections.singletonMap(
+                AccessControlConstants.PARAM_MOUNT_PROVIDER, 
Preconditions.checkNotNull(mountInfoProvider)));
+        return 
ConfigurationParameters.of(ImmutableMap.of(AuthorizationConfiguration.NAME, 
authConfig));
+    }
+
+    @Test
+    public void multiplexingProvider() throws Exception {
+
+        // check init
+        Tree permStore = root.getTree(PERMISSIONS_STORE_PATH);
+        String wsName = adminSession.getWorkspaceName();
+        assertTrue(permStore.hasChild(wsName));
+        for (Mount m : mountInfoProvider.getNonDefaultMounts()) {
+            
assertTrue(permStore.hasChild(MountPermissionProvider.getPermissionRootName(m, 
wsName)));
+        }
+
+        Tree rootNode = root.getTree("/");
+        Tree test = TreeUtil.addChild(rootNode, testNode, 
JcrConstants.NT_UNSTRUCTURED);
+        Tree content = TreeUtil.addChild(test, "content", 
JcrConstants.NT_UNSTRUCTURED);
+        root.commit();
+
+        Principal p = getTestUser().getPrincipal();
+        setPrivileges(p, test.getPath(), true, JCR_READ);
+        setPrivileges(p, content.getPath(), false, JCR_READ);
+
+        permStore = root.getTree(PERMISSIONS_STORE_PATH);
+        // no entries in the default store
+        assertFalse(permStore.getChild(wsName).hasChild(p.getName()));
+        for (Mount m : mountInfoProvider.getNonDefaultMounts()) {
+            Tree mps = 
permStore.getChild(MountPermissionProvider.getPermissionRootName(m, wsName));
+            assertTrue(mps.hasChild(p.getName()));
+        }
+
+        ContentSession testSession = createTestSession();
+        try {
+            Root r = testSession.getLatestRoot();
+            assertFalse(r.getTree("/").exists());
+            assertTrue(r.getTree(test.getPath()).exists());
+            assertFalse(r.getTree(content.getPath()).exists());
+        } finally {
+            testSession.close();
+        }
+    }
+
+    @Test
+    public void multiplexingProviderOpen() throws Exception {
+
+        Tree rootNode = root.getTree("/");
+        Tree test = TreeUtil.addChild(rootNode, testNode, 
JcrConstants.NT_UNSTRUCTURED);
+        Tree content = TreeUtil.addChild(test, "content", 
JcrConstants.NT_UNSTRUCTURED);
+        root.commit();
+
+        Principal p = getTestUser().getPrincipal();
+        setPrivileges(p, "/", true, JCR_READ);
+        setPrivileges(p, test.getPath(), false, JCR_READ);
+        setPrivileges(p, content.getPath(), true, JCR_READ);
+
+        ContentSession testSession = createTestSession();
+        try {
+            Root r = testSession.getLatestRoot();
+            assertTrue(r.getTree("/").exists());
+            assertFalse(test.getPath(), r.getTree(test.getPath()).exists());
+            assertTrue(r.getTree(content.getPath()).exists());
+        } finally {
+            testSession.close();
+        }
+    }
+
+    @Test
+    public void testPermissionProviderName() {
+        assertEquals("oak.default",
+                
MountPermissionProvider.getPermissionRootName(mountInfoProvider.getDefaultMount(),
 "oak.default"));
+        assertEquals("oak:mount-testMount-oak.default", MountPermissionProvider
+                
.getPermissionRootName(mountInfoProvider.getMountByName("testMount"), 
"oak.default"));
+    }
+
+    private void setPrivileges(Principal principal, String path, boolean 
allow, String... privileges) throws Exception {
+        AccessControlManager acm = getAccessControlManager(root);
+        JackrabbitAccessControlList acl = 
AccessControlUtils.getAccessControlList(acm, path);
+        acl.addEntry(principal, privilegesFromNames(privileges), allow);
+        acm.setPolicy(path, acl);
+        root.commit();
+    }
+}
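Review bot: `multiplexingProviderOpen` checks only what the test session can see and never asserts where the three entries were stored, so it would still pass if the `/` entry and the mount entries all ended up in one permission store. `multiplexingProvider` already inspects `PERMISSIONS_STORE_PATH`; the open-setup case could do the same after its `setPrivileges` calls with `Tree permStore = root.getTree(PERMISSIONS_STORE_PATH);` and `assertTrue(permStore.getChild(adminSession.getWorkspaceName()).hasChild(p.getName()));`. It could then repeat the `getNonDefaultMounts()` loop from the first test. This assumes the entry for `/` belongs in the default workspace store, which the hunk does not show. Pinning the split matters because the deny on the mount root is what separates the two allows, and the boundary between stores is what this commit changes.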

Propchange: 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionEntryProviderImplTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionEntryProviderImplTest.java?rev=1804509&r1=1804508&r2=1804509&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionEntryProviderImplTest.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionEntryProviderImplTest.java
 Wed Aug  9 12:35:08 2017
@@ -27,8 +27,7 @@ import com.google.common.collect.Immutab
 import com.google.common.collect.Iterators;
 import com.google.common.collect.Sets;
 
-import junit.framework.Assert;
-
+import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
 import org.junit.Test;
 
@@ -37,6 +36,7 @@ import static org.junit.Assert.assertFal
 import static org.junit.Assert.assertNotSame;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
 public class PermissionEntryProviderImplTest {
 
@@ -176,6 +176,9 @@ public class PermissionEntryProviderImpl
             return cnt;
         }
 
+        public void flush(@Nonnull Root root) {
+        }
+
     }
 
     private class MockPermissionEntryCache extends PermissionEntryCache {
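Review bot: The added `flush(@Nonnull Root root)` has no `@Override` and an empty body with no explanation. If it implements a method added to `PermissionStore` in this commit, which is presumed here because that file is not part of this hunk, then marking it `@Override` lets the compiler catch a later signature drift. A one-line comment such as `// intentionally empty: nothing to flush in this mock` would show that the no-op is deliberate. The enclosing mock class begins outside the hunk.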
@@ -183,7 +186,7 @@ public class PermissionEntryProviderImpl
         public void load(@Nonnull PermissionStore store,
                 @Nonnull Map<String, Collection<PermissionEntry>> pathEntryMap,
                 @Nonnull String principalName) {
-            Assert.fail("The number of  entries exceeds the max cache size");
+            fail("The number of  entries exceeds the max cache size");
         }
     }
 }

