Author: angela
Date: Thu Feb 21 11:00:23 2019
New Revision: 1854036
URL: http://svn.apache.org/viewvc?rev=1854036&view=rev
Log:
OAK-8023 : AccessControlManagerImpl can not handle repository level when
editing policies by principal (merge r1853441 into 1.10 branch)
Modified:
jackrabbit/oak/branches/1.10/ (props changed)
jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
jackrabbit/oak/branches/1.10/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
Propchange: jackrabbit/oak/branches/1.10/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Feb 21 11:00:23 2019
@@ -1,3 +1,3 @@
/jackrabbit/oak/branches/1.0:1665962
-/jackrabbit/oak/trunk:1851236,1851253,1851451,1852052,1852084,1852120,1852451,1852492-1852493,1852528,1852582,1852584,1852920,1853393,1853429,1853433,1853866,1853870,1853893,1853969,1853997
+/jackrabbit/oak/trunk:1851236,1851253,1851451,1852052,1852084,1852120,1852451,1852492-1852493,1852528,1852582,1852584,1852920,1853393,1853429,1853433,1853441,1853866,1853870,1853893,1853969,1853997
/jackrabbit/trunk:1345480
Modified:
jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1854036&r1=1854035&r2=1854036&view=diff
==============================================================================
---
jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
(original)
+++
jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
Thu Feb 21 11:00:23 2019
@@ -42,6 +42,7 @@ import javax.jcr.security.Privilege;
import com.google.common.base.Function;
import com.google.common.base.Objects;
import com.google.common.base.Predicate;
+import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
@@ -593,7 +594,7 @@ public class AccessControlManagerImpl ex
if (v == null) {
throw new AccessControlException("Missing mandatory restriction
rep:nodePath");
} else {
- return getOakPath(v.getString());
+ return getOakPath(Strings.emptyToNull(v.getString()));
}
}
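Review bot: The new return line `getOakPath(Strings.emptyToNull(v.getString()))` relies on an unstated convention: an empty rep:nodePath stands for the repository level and is passed on as a null path. A one-line comment above it, for example `// empty rep:nodePath marks a repository-level entry, represented by a null path`, would stop a later cleanup from dropping the conversion and changing which policy an entry is written to. The line also assumes that `getOakPath` accepts null and returns null; that is not visible in this hunk and is worth confirming. The enclosing method starts outside the hunk.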
Modified:
jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java?rev=1854036&r1=1854035&r2=1854036&view=diff
==============================================================================
---
jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
(original)
+++
jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
Thu Feb 21 11:00:23 2019
@@ -18,7 +18,6 @@ package org.apache.jackrabbit.oak.securi
import java.util.HashSet;
import java.util.Set;
-import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
@@ -63,8 +62,14 @@ public class PrincipalRestrictionProvide
@NotNull
@Override
public Restriction createRestriction(@Nullable String oakPath, @NotNull
String oakName, @NotNull Value value) throws RepositoryException {
- if (REP_NODE_PATH.equals(oakName) && PropertyType.PATH ==
value.getType()) {
- return new RestrictionImpl(PropertyStates.createProperty(oakName,
value), true);
+ if (REP_NODE_PATH.equals(oakName)) {
+ PropertyState property;
+ if (value.getString().isEmpty()) {
+ property = PropertyStates.createProperty(oakName, "",
Type.STRING);
+ } else {
+ property = PropertyStates.createProperty(oakName, value);
+ }
+ return new RestrictionImpl(property, true);
} else {
return base.createRestriction(oakPath, oakName, value);
}
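Review bot: The rewritten condition in `createRestriction` drops the `PropertyType.PATH == value.getType()` check for every value, not only the empty one. A non-empty rep:nodePath of any other type is therefore wrapped by `PropertyStates.createProperty(oakName, value)` with its own type, where it was previously handed to `base.createRestriction`. If only the empty repository-level marker was meant to bypass the type check, keep the check for non-empty values as sketched below, which needs the `javax.jcr.PropertyType` import this commit removes. If accepting any type is intended, a comment saying so would help, because this restriction decides which node an entry applies to. The method's closing brace is outside the hunk.

```java
if (REP_NODE_PATH.equals(oakName)) {
    if (value.getString().isEmpty()) {
        // repository level is stored as an empty STRING value
        return new RestrictionImpl(PropertyStates.createProperty(oakName, "", Type.STRING), true);
    }
    if (PropertyType.PATH == value.getType()) {
        return new RestrictionImpl(PropertyStates.createProperty(oakName, value), true);
    }
}
// a non-empty rep:nodePath that is not a PATH goes to the base provider, as before this commit
return base.createRestriction(oakPath, oakName, value);
```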
@@ -80,9 +85,13 @@ public class PrincipalRestrictionProvide
@Override
public Set<Restriction> readRestrictions(@Nullable String oakPath,
@NotNull Tree aceTree) {
Set<Restriction> restrictions = new
HashSet<>(base.readRestrictions(oakPath, aceTree));
- String value = (oakPath == null) ? "" : oakPath;
- PropertyState nodePathProp =
PropertyStates.createProperty(REP_NODE_PATH, value, Type.PATH);
- restrictions.add(new RestrictionImpl(nodePathProp, true));
+ PropertyState property;
+ if (oakPath == null) {
+ property = PropertyStates.createProperty(REP_NODE_PATH, "",
Type.STRING);
+ } else {
+ property = PropertyStates.createProperty(REP_NODE_PATH, oakPath,
Type.PATH);
+ }
+ restrictions.add(new RestrictionImpl(property, true));
return restrictions;
}
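Review bot: The `oakPath == null` branch in `readRestrictions` has no comment explaining why the repository-level marker is an empty `Type.STRING` property while every real path stays `Type.PATH`. The same rule is spelled out a second time in `createRestriction` in this file, so the two can drift apart. A comment such as `// repository level: empty STRING value, since there is no path to store` on the branch would help, and a small private helper that builds the property would keep both call sites in step. Code that reads rep:nodePath and assumes a PATH-typed property would now see a STRING for repository-level entries. Whether any such reader exists is not visible here.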
Modified:
jackrabbit/oak/branches/1.10/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.10/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java?rev=1854036&r1=1854035&r2=1854036&view=diff
==============================================================================
---
jackrabbit/oak/branches/1.10/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
(original)
+++
jackrabbit/oak/branches/1.10/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
Thu Feb 21 11:00:23 2019
@@ -161,6 +161,11 @@ public class AccessControlManagerImplTes
return npMapper;
}
+ private NamePathMapper getNamePathMapperWithLocalRemapping() {
+ NameMapper remapped = new LocalNameMapper(root,
singletonMap(TEST_LOCAL_PREFIX, TEST_URI));
+ return new NamePathMapperImpl(remapped);
+ }
+
private void registerNamespace(String prefix, String uri) throws Exception
{
NamespaceRegistry nsRegistry = new ReadWriteNamespaceRegistry(root) {
@Override
@@ -343,14 +348,11 @@ public class AccessControlManagerImplTes
public void testGetSupportedPrivilegesIncludingPathConversion() throws
Exception {
List<Privilege> allPrivileges =
Arrays.asList(getPrivilegeManager(root).getRegisteredPrivileges());
- List<String> testPaths = new ArrayList();
+ List<String> testPaths = new ArrayList<>();
testPaths.add('/' + TEST_LOCAL_PREFIX + ":testRoot");
testPaths.add("/{" + TEST_URI + "}testRoot");
- NameMapper remapped = new LocalNameMapper(
- root, singletonMap(TEST_LOCAL_PREFIX, TEST_URI));
-
- AccessControlManager acMgr = createAccessControlManager(root, new
NamePathMapperImpl(remapped));
+ AccessControlManager acMgr = createAccessControlManager(root,
getNamePathMapperWithLocalRemapping());
for (String path : testPaths) {
Privilege[] supported = acMgr.getSupportedPrivileges(path);
@@ -377,8 +379,7 @@ public class AccessControlManagerImplTes
@Test
public void testPrivilegeFromName() throws Exception {
- List<Privilege> allPrivileges =
Arrays.asList(getPrivilegeManager(root).getRegisteredPrivileges());
- for (Privilege privilege : allPrivileges) {
+ for (Privilege privilege :
getPrivilegeManager(root).getRegisteredPrivileges()) {
Privilege p = acMgr.privilegeFromName(privilege.getName());
assertEquals(privilege, p);
}
@@ -1861,6 +1862,41 @@ public class AccessControlManagerImplTes
}
@Test
+ public void testGetPoliciesByPrincipalRemapped() throws Exception {
+ setupPolicy(testPath);
+ root.commit();
+
+ NamePathMapper mapper = getNamePathMapperWithLocalRemapping();
+ AccessControlPolicy[] policies = createAccessControlManager(root,
mapper).getPolicies(testPrincipal);
+ assertNotNull(policies);
+ assertEquals(1, policies.length);
+
+ List<ACE> entries = ((ACL) policies[0]).getEntries();
+ assertEquals(mapper.getJcrPath(testPath),
entries.get(0).getRestriction(REP_NODE_PATH).getString());
+ }
+
+ @Test
+ public void testGetPoliciesByPrincipalRepositoryLevel() throws Exception {
+ setupPolicy(null,
privilegesFromNames(PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+
+ // changes not yet persisted -> no existing policies found for user
+ AccessControlPolicy[] policies = acMgr.getPolicies(testPrincipal);
+ assertNotNull(policies);
+ assertEquals(0, policies.length);
+
+ // after persisting changes -> policies must be found
+ root.commit();
+ policies = acMgr.getPolicies(testPrincipal);
+ assertNotNull(policies);
+ assertEquals(1, policies.length);
+ JackrabbitAccessControlList acl = (JackrabbitAccessControlList)
policies[0];
+ AccessControlEntry[] entries = acl.getAccessControlEntries();
+ assertEquals(1, entries.length);
+ JackrabbitAccessControlEntry entry = (JackrabbitAccessControlEntry)
entries[0];
+ assertTrue(entry.getRestriction(REP_NODE_PATH).getString().isEmpty());
+ }
+
+ @Test
public void testTestSessionGetPolicies() throws Exception {
setupPolicy(testPath);
root.commit();
@@ -2256,6 +2292,56 @@ public class AccessControlManagerImplTes
}
@Test
+ public void testSetPrincipalPolicyRemapped() throws Exception {
+ setupPolicy(testPath);
+ root.commit();
+
+ NamePathMapper mapper = getNamePathMapperWithLocalRemapping();
+ JackrabbitAccessControlManager remappedAcMgr =
createAccessControlManager(root, mapper);
+ JackrabbitAccessControlPolicy[] policies =
remappedAcMgr.getPolicies(testPrincipal);
+ assertNotNull(policies);
+ assertEquals(1, policies.length);
+
+ ACL acl = (ACL) policies[0];
+ Value pathValue = new ValueFactoryImpl(root,
mapper).createValue(mapper.getJcrPath(testPath), PropertyType.PATH);
+ assertTrue(acl.addEntry(testPrincipal, testPrivileges, true,
Collections.singletonMap(REP_NODE_PATH, pathValue)));
+ remappedAcMgr.setPolicy(acl.getPath(), acl);
+ root.commit();
+
+ AccessControlPolicy[] acps =
remappedAcMgr.getPolicies(mapper.getJcrPath(testPath));
+ assertEquals(1, acps.length);
+ assertEquals(2, ((ACL) acps[0]).getAccessControlEntries().length);
+
+ acps = acMgr.getPolicies(testPath);
+ assertEquals(1, acps.length);
+ assertEquals(2, ((ACL) acps[0]).getAccessControlEntries().length);
+ }
+
+ @Test
+ public void testSetPrincipalPolicyForRepositoryLevel() throws Exception {
+ assertEquals(0, acMgr.getPolicies((String)null).length);
+
+ JackrabbitAccessControlPolicy[] policies =
acMgr.getApplicablePolicies(testPrincipal);
+ ACL acl = (ACL) policies[0];
+
+ Map<String, Value> restrictions = new HashMap<String, Value>();
+ restrictions.put(REP_NODE_PATH, getValueFactory().createValue("",
PropertyType.STRING));
+ Privilege[] privs =
privilegesFromNames(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+ assertTrue(acl.addEntry(testPrincipal, privs, true, restrictions));
+
+ acMgr.setPolicy(acl.getPath(), acl);
+
+ AccessControlPolicy[] repoLevelPolicies =
acMgr.getPolicies((String)null);
+ assertEquals(1, repoLevelPolicies.length);
+
+ AccessControlEntry[] entries = ((JackrabbitAccessControlList)
repoLevelPolicies[0]).getAccessControlEntries();
+ assertEquals(1, entries.length);
+
+ assertArrayEquals(privs, entries[0].getPrivileges());
+ assertEquals(testPrincipal, entries[0].getPrincipal());
+ }
+
+ @Test
public void testSetPrincipalPolicyWithNewMvRestriction() throws Exception {
setupPolicy(testPath);
root.commit();
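Review bot: `testSetPrincipalPolicyForRepositoryLevel` exercises the relaxed rep:nodePath handling only with an empty STRING value, and `testSetPrincipalPolicyRemapped` only with a PATH value. Since the provider change in this commit stops checking the value type, a third case with a non-empty, non-PATH value, for example `getValueFactory().createValue(testPath, PropertyType.STRING)`, would pin down whether `addEntry` and `setPolicy` are meant to accept or reject it. `testSetPrincipalPolicyForRepositoryLevel` also reads the policy back without a `root.commit()`, so it covers the transient state only. Adding a commit followed by a second `acMgr.getPolicies((String)null)` check would cover the persisted entry as well.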
@@ -2371,6 +2457,39 @@ public class AccessControlManagerImplTes
acMgr.removePolicy(acl.getPath(), acl);
}
+
+ @Test
+ public void testRemovePoliciesByPrincipalRemapped() throws Exception {
+ setupPolicy(testPath);
+ root.commit();
+
+ NamePathMapper mapper = getNamePathMapperWithLocalRemapping();
+ JackrabbitAccessControlManager remappedAcMgr =
createAccessControlManager(root, mapper);
+ JackrabbitAccessControlPolicy[] policies =
remappedAcMgr.getPolicies(testPrincipal);
+ assertNotNull(policies);
+ assertEquals(1, policies.length);
+
+ remappedAcMgr.removePolicy(policies[0].getPath(), policies[0]);
+ root.commit();
+
+ assertEquals(0, acMgr.getPolicies(testPath).length);
+ }
+
+ @Test
+ public void testRemovePrincipalPolicyForRepositoryLevel() throws Exception
{
+ setupPolicy(null,
privilegesFromNames(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT));
+ root.commit();
+
+ JackrabbitAccessControlPolicy[] policies =
acMgr.getPolicies(testPrincipal);
+ assertEquals(1, policies.length);
+
+ acMgr.removePolicy(policies[0].getPath(), policies[0]);
+ root.commit();
+
+ AccessControlPolicy[] repoLevelPolicies =
acMgr.getPolicies((String)null);
+ assertEquals(0, repoLevelPolicies.length);
+ }
+
private final static class TestACL extends AbstractAccessControlList {
private final List<JackrabbitAccessControlEntry> entries = new
ArrayList<JackrabbitAccessControlEntry>();