(jackrabbit-oak) branch trunk updated: OAK-10772 : Broken links in authentication documentation
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new f3296ec88d OAK-10772 : Broken links in authentication documentation f3296ec88d is described below commit f3296ec88d45467006e34a5ea37e3ccde0db7faf Author: angela AuthorDate: Fri Apr 19 13:29:39 2024 +0200 OAK-10772 : Broken links in authentication documentation --- .../markdown/security/authentication/default.md| 68 -- .../security/authentication/tokenmanagement.md | 8 ++- 2 files changed, 30 insertions(+), 46 deletions(-) diff --git a/oak-doc/src/site/markdown/security/authentication/default.md b/oak-doc/src/site/markdown/security/authentication/default.md index 44535fd05f..ef49e5432c 100644 --- a/oak-doc/src/site/markdown/security/authentication/default.md +++ b/oak-doc/src/site/markdown/security/authentication/default.md 
@@ -42,22 +42,14 @@ dedicated `LoginModule` implementation(s) for each scenario: Guest Login -The proper way to obtain an guest session as of Oak is as specified by JSR 283: +The proper way to obtain a guest session is specified by JSR 283: -String wspName = null; +String wspName = null; // or any other workspace name if not login to the default workspace Session anonymous = repository.login(new GuestCredentials(), wspName); -As of Oak 1.0 `Repository#login()` and `Repository#login(null, wspName)` is no -longer treated as guest login. This behavior of Jackrabbit-core is violating the -specification, which defines that null-login should be used for those cases where -the authentication process is handled outside of the repository (see [Pre-Authentication](preauthentication.html)). +As of Oak 1.0 `Repository#login()` and `Repository#login(null, wspName)` is no longer treated as guest login. This behavior of Jackrabbit-core is violating the specification, which defines that null-login should be used for those cases where the authentication process is handled outside the repository (see [Pre-Authentication](preauthentication.html)). -Similarly, any special treatment that Jackrabbit core applied for the guest (anonymous) -user has been omitted altogether from the default [LoginModuleImpl]. In the default -setup the built-in anonymous user will be created without any password. Therefore -explicitly uid/pw login using the anonymous userId will no longer work. This behavior -is now consistent with the default login of any other user which doesn't have a -password set. +Similarly, any special treatment that Jackrabbit core applied for the guest (anonymous) user has been omitted altogether from the default [LoginModuleImpl]. By default, the built-in anonymous user will be created without any password. Therefore, explicitly uid/pw login using the anonymous userId will no longer work. 
This behavior is now consistent with the default login of any other user which doesn't have a password set. # GuestLoginModule @@ -132,7 +124,7 @@ This login module implementations behaves as follows: The `LoginModuleImpl` uses a configured `Authentication`-implementation for performing the login step. Which implementation to use is determined by the [UserAuthenticationFactory] obtained by the given `UserConfiguration`. It is -expected to provides an `Authentication` implementation if the given +expected to provide an `Authentication` implementation if the given `UserConfiguration` is accepted. In case multiple implementations of the `UserAuthenticationFactory` are available, @@ -145,11 +137,7 @@ See also section [user management](../user/default.html#pluggability). Impersonation Login -Another flavor of the Oak authentication implementation is covered by -`javax.jcr.Session#impersonate(Credentials)`, which allows to obtain an new -`Session` for a user identified by the specified credentials. As of JSR 333 -this method can also be used in order to clone the existing session (i.e. -self-impersonation of the user that holds the session. +Another flavor of the Oak authentication implementation is covered by `javax.jcr.Session#impersonate(Credentials)`, which allows to obtain a new `Session` for a user identified by the specified credentials. As of JSR 333 this method can also be used in order to clone the existing session (i.e. self-impersonation of the user that holds the session). With Oak 1.0 impersonation is implemented as follows: @@ -195,30 +183,22 @@ Applications that wish to use a custom authentication setup need to ensure the following steps in order to get JCR impersonation working: - Respect `ImpersonationCredentials` in the authentication setup. -- Identify the impersonated from `ImpersonationCredentials.getBaseCredentials` - and verify if it can be authenticated. -- Validate that the editing session is allowed
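Review bot: the reflowed Guest Login paragraph keeps a number-agreement error: "`Repository#login()` and `Repository#login(null, wspName)` is no longer treated as guest login" should read "are no longer treated", and while the sentence is being rewritten anyway, "This behavior of Jackrabbit-core is violating the specification" reads better as "violates the specification". The new inline comment `// or any other workspace name if not login to the default workspace` also needs "if not logging in to".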
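Review bot: in the Impersonation Login hunk "which allows to obtain a new `Session`" is still ungrammatical after the reflow; "which allows obtaining a new `Session`" or "which returns a new `Session`" fixes it. Separately, the commit title says "Broken links", but the default.md hunks only change wording and line wrapping; a one-line commit body naming the links that were repaired (presumably in the tokenmanagement.md part of the diffstat) would help anyone reading the history later.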
(jackrabbit-oak) branch trunk updated: OAK-10738 : Add default values to user-sync configuration section
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new e596b12ca2 OAK-10738 : Add default values to user-sync configuration section e596b12ca2 is described below commit e596b12ca2b50381945692da4a505fdc82b0cf9e Author: angela AuthorDate: Wed Apr 3 11:49:25 2024 +0200 OAK-10738 : Add default values to user-sync configuration section --- .../authentication/external/defaultusersync.md | 37 +++--- 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md b/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md index 55141ad3a4..bc401ffd90 100644 --- a/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md +++ b/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md 
@@ -206,24 +206,25 @@ to a dynamic external group: The default `SyncHandler` implementations are configured via [DefaultSyncConfig]: -| Name | Property | Description | -|---|---|--| -| Sync Handler Name | `handler.name`| Name of this sync configuration. This is used to reference this handler by the login modules. | -| User auto membership | `user.autoMembership` | List of groups that a synced user is added to automatically | -| User Expiration Time | `user.expirationTime` | Duration until a synced user gets expired (eg. '1h 30m' or '1d'). | -| User Membership Expiration| `user.membershipExpTime` | Time after which membership expires (eg. '1h 30m' or '1d'). | -| User membership nesting depth | `user.membershipNestingDepth` | Returns the maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups only when syncing a users membership ancestry. | -| User Dynamic Membership | `user.dynamicMembership` | Enabling dynamic membership for external users. | -| User Enforce Dynamic Membership | `user.enforceDynamicMembership` | If enabled together with `user.dynamicMembership` previously synced membership information will be migrated to dynamic membership upon user sync. Otherwise it takes no effect. | -| User Path Prefix | `user.pathPrefix` | The path prefix used when creating new users. | -| User property mapping | `user.propertyMapping`| List mapping definition of local properties from external ones. eg: 'profile/email=mail'.Use double quotes for fixed values. eg: 'profile/nt:primaryType="nt:unstructured" | -| Disable missing users | `user.disableMissing` | By default, users that no longer exist on the external provider will be locally removed. 
Set this property to `true` to [disable](https://jackrabbit.apache.org/api/2.8/org/apache/jackrabbit/api/security/user/User.html#disable(java.lang.String)) them instead and have them re-enabled if they become available again. | -| Group auto membership | `group.autoMembership`| List of groups that a synced group is added to automatically | -| Group Expiration Time | `group.expirationTime`| Duration until a synced group expires (eg. '1h 30m' or '1d'). | -| Group Path Prefix | `group.pathPrefix`| The path prefix used when creating new groups. | -| Group property mapping| `group.propertyMapping` | List mapping definition of local properties from external ones. | -| Group 'Dynamic Groups'| `group.dynamicGroups` | Only takes effect in combination with `user.dynamicMembership` and will result in external groups being synced as dynamic groups. | -| | | | +| Name | Property | Default | Description | +|---|---|-|-| +| Sync Handler Name | `handler.name`| "default" | Name of this sync configuration. This is used to reference this handler by the login modules. | +| User auto membership | `user.autoMembership` | [] | List of groups that a synced user is added to automatically | +| User Expiration Time | `user.expirationTime` | "1h" | Duration until a synced user gets expired (eg. '1h 30m' or '1d'). | +| User Membership Expiration| `user
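Review bot: the new Default column mixes notations ("default" and "1h" as quoted strings, [] for the empty list); pick one convention, for example backticks for literal values as already used for the property names, and say explicitly that an empty `user.autoMembership` means no automatic group membership is added. The new separator row `|---|---|-|-|` also uses single-dash cells for the two new columns where the existing ones use `---`. Since defaults are now documented, a pointer to the constants in [DefaultSyncConfig] they were copied from would let readers verify the table stays in sync with the code.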
(jackrabbit-oak) branch trunk updated: OAK-10424 : Allow Fast Query Size and Insecure Facets to be selectively enabled with query options for permitted principals
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new b57bd4ee8e OAK-10424 : Allow Fast Query Size and Insecure Facets to be selectively enabled with query options for permitted principals b57bd4ee8e is described below commit b57bd4ee8e6a02317553e6aee7298d701a27ee75 Author: Mark Adamcin AuthorDate: Wed Jan 10 08:36:38 2024 -0800 OAK-10424 : Allow Fast Query Size and Insecure Facets to be selectively enabled with query options for permitted principals --- .../query/SessionQuerySettingsProviderService.java | 89 +++ .../oak/jcr/repository/RepositoryImpl.java | 34 ++- .../jackrabbit/oak/jcr/session/SessionContext.java | 14 +- .../oak/jcr/OakSegmentTarRepositoryStub.java | 20 +- .../oak/jcr/query/WhiteboardResultSizeTest.java| 264 + .../oak/spi/query/SessionQuerySettings.java| 37 +++ .../spi/query/SessionQuerySettingsProvider.java| 41 .../jackrabbit/oak/spi/query/package-info.java | 2 +- 8 files changed, 489 insertions(+), 12 deletions(-) diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/query/SessionQuerySettingsProviderService.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/query/SessionQuerySettingsProviderService.java new file mode 100644 index 00..5d2a068acf --- /dev/null +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/query/SessionQuerySettingsProviderService.java 
@@ -0,0 +1,89 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.jackrabbit.oak.query; + +import org.apache.jackrabbit.oak.api.ContentSession; +import org.apache.jackrabbit.oak.spi.query.SessionQuerySettings; +import org.apache.jackrabbit.oak.spi.query.SessionQuerySettingsProvider; +import org.jetbrains.annotations.NotNull; +import org.osgi.service.component.annotations.Activate; +import org.osgi.service.component.annotations.Component; +import org.osgi.service.component.annotations.ConfigurationPolicy; +import org.osgi.service.component.annotations.Modified; +import org.osgi.service.metatype.annotations.AttributeDefinition; +import org.osgi.service.metatype.annotations.Designate; +import org.osgi.service.metatype.annotations.ObjectClassDefinition; + +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashSet; +import java.util.Optional; +import java.util.Set; + +/** + * Overrides oak.fastQuerySize system property when available. 
+ */ +@Component(configurationPolicy = ConfigurationPolicy.REQUIRE, immediate = true) +@Designate(ocd = SessionQuerySettingsProviderService.Configuration.class) +public class SessionQuerySettingsProviderService implements SessionQuerySettingsProvider { + +@ObjectClassDefinition( +name = "Apache Jackrabbit Session Query Settings Provider Service", +description = "Provides Session-specific query settings exposed by Oak QueryEngine." +) +@Retention(RetentionPolicy.RUNTIME) +public @interface Configuration { +@AttributeDefinition(name = "Direct Counts Principals", description = "Principal names for which executed query result counts directly reflect the index estimate.") +String[] directCountsPrincipals() default {}; +} + +void configure(Configuration config) { +this.directCountsAllowedPrincipals = Optional.ofNullable(config) +.map(cfg -> (Set) new HashSet<>(Arrays.asList(cfg.directCountsPrincipals( +.orElse(Collections.emptySet()); +} + +@Activate +protected void activate(Configuration config) { +configure(config); +} + +@Modified +protected void modified(Configuration config) { +configure(config); +} + +private Set directCountsAllowedPrincipals = Collections.emptySet(); + +@Override +public SessionQuerySettings getQuerySettings(@NotNull ContentSession ses
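Review bot: `directCountsAllowedPrincipals` is written by `modified()` on the configuration thread and read by `getQuerySettings()` from session threads, but the field is not `volatile`; declare it `private volatile Set<String> directCountsAllowedPrincipals` (or hold it in an `AtomicReference`) so a configuration change becomes visible to readers, and wrap the new `HashSet` in `Collections.unmodifiableSet(...)` before publishing it so the shared set cannot be mutated.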
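Review bot: the class Javadoc ("Overrides oak.fastQuerySize system property when available") understates the security implication that the commit title spells out ("Insecure Facets"); principals listed under "Direct Counts Principals" get result counts taken straight from the index estimate, i.e. before the per-result access check, so the Javadoc and the OCD description should state that the option discloses the number and existence of nodes the session may not be allowed to read and is intended for trusted principals only.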
(jackrabbit-oak) branch trunk updated: OAK-10572 : Best Practices: Clarify ac setup for non existing principals
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new fa8ab43a06 OAK-10572 : Best Practices: Clarify ac setup for non existing principals fa8ab43a06 is described below commit fa8ab43a06f272da2fde3351a8878914b50302f6 Author: angela AuthorDate: Wed Nov 29 16:23:04 2023 +0100 OAK-10572 : Best Practices: Clarify ac setup for non existing principals --- .../security/authentication/external/bestpractices.md| 16 +++- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/oak-doc/src/site/markdown/security/authentication/external/bestpractices.md b/oak-doc/src/site/markdown/security/authentication/external/bestpractices.md index 55f5829c09..460da645e8 100644 --- a/oak-doc/src/site/markdown/security/authentication/external/bestpractices.md +++ b/oak-doc/src/site/markdown/security/authentication/external/bestpractices.md 
@@ -110,17 +110,23 @@ See also section [Best Practices for Authorization](../../authorization/bestprac External groups get synchronized together with external users upon repository login. If you wish to defined access control setup for groups prior to the synchronization upon login the following 2 options exist: - Pre-sync external groups to make them available to the principal manager (see next section) -- Configure [ImportMode](../../accesscontrol/default.html#configuration)=`besteffort` with the default Oak authorization setup and define access control content for principals before they exist. +- Configure [ImportMode](../../accesscontrol/default.html#configuration)=`besteffort` with the default Oak authorization setup and define access control content for principals before they exist (see below). - Pre-sync of external groups +# Pre-sync of external groups -The following 2 options exist to populate the repository with external group principals outside of the regular synchronization upon login: +The following 2 options exist to populate the repository with external group principals outside the regular synchronization upon login: -- The _oak-auth-external_ module comes with a JMX integration that allows for synchronization of external identities outside of the regular repository login. See [JMX Synchronization Tool](../usersync.html#jmx-synchronization-tool) and [SynchronizationMBean](https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/SynchronizationMBean.html) for details. This requires the `ExternalIdentityProvider` to implement the methods requ [...] -- In case the `ExternalIdentityProvider` does not support user and group sync outside of the regular repository login, external identities can be created using Jackrabbit User Management API. 
Note: +- The _oak-auth-external_ module comes with a JMX integration that allows for synchronization of external identities outside the regular repository login. See [JMX Synchronization Tool](../usersync.html#jmx-synchronization-tool) and [SynchronizationMBean](https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/SynchronizationMBean.html) for details. This requires the `ExternalIdentityProvider` to implement the methods require [...] +- In case the `ExternalIdentityProvider` does not support user and group sync outside the regular repository login, external identities can be created using Jackrabbit User Management API. Note: - The property `rep:externalId` is system maintained and protected and cannot be added or changed once the group has been persisted. - Mistakes in defining the protected properties `rep:externalId`, `rep:authorizableId` or `rep:principalName` will result in a mismatch during authentication, sync and permission evaluation. The only way to fix such mistakes is to remove and recreate the group. Access control content associated with a wrong principal name needs to be removed separately. +# Define Access Control Setup for Non-Existing Principals + +While JSR 283 mandates that an `AccessControlException` is thrown whenever the principal specified for any access control content does not exist, Apache Jackrabbit Oak allows for a relaxed contract using configuration option [ImportMode](../../accesscontrol/default.html#xml_import). If set to [`besteffort`](../../accesscontrol/default.html#configuration) access control setup for unknown principals can be created. + +See also [SLING-12115](https://issues.apache.org/jira/browse/SLING-12115) for an additional option with [Apache Sling RepoInit](https://sling.apache.org/documentation/bundles/repository-initialization.html) to define create access control entries for non-existing principals. 
+ [login modules]: https://docs.oracle.com/en/java/javase/11
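Review bot: typo in the last added sentence: "to define create access control entries" should be "to create access control entries". The unchanged context line "If you wish to defined access control setup" has the same kind of slip ("define") and could be corrected in the same pass.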
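Review bot: the new "Define Access Control Setup for Non-Existing Principals" section should carry the caveat that `besteffort` removes the safety net the strict JSR 283 contract provides: a misspelled principal name no longer fails fast with an `AccessControlException`, the entry is persisted and silently never matches the real group, and whatever principal is later created or synced under that name inherits it. That is exactly the mismatch the Note above describes for a wrong `rep:principalName`, so a sentence pointing from the new section to that Note would tie the two together.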
(jackrabbit-oak) branch trunk updated: OAK-10563 : Document mapping of actions to privileges
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new e796745ebe OAK-10563 : Document mapping of actions to privileges e796745ebe is described below commit e796745ebeee3205bf499034a0fd25e9d3f2cde2 Author: angela AuthorDate: Thu Nov 23 17:53:17 2023 +0100 OAK-10563 : Document mapping of actions to privileges --- oak-doc/src/site/markdown/security/permission.md | 2 + .../permission/permissionsandprivileges.md | 2 +- oak-doc/src/site/markdown/security/privilege.md| 3 ++ .../site/markdown/security/privilege/default.md| 3 +- .../privilege/mappingprivilegestoactions.md| 59 ++ 5 files changed, 67 insertions(+), 2 deletions(-) diff --git a/oak-doc/src/site/markdown/security/permission.md b/oak-doc/src/site/markdown/security/permission.md index 59450b737d..eb963aad94 100644 --- a/oak-doc/src/site/markdown/security/permission.md +++ b/oak-doc/src/site/markdown/security/permission.md @@ -152,6 +152,8 @@ Not used in Oak 1.0: Mapping of JCR Actions to Oak Permissions +See also section ['Mapping Privileges to JCR/Jackrabbit Actions'](privilege/mappingprivilegestoactions.html). + `ACTION_READ`: - access control content: `Permissions.READ_ACCESS_CONTROL` diff --git a/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md b/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md index 79bb580eb0..f31c57f25d 100644 --- a/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md +++ b/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md 
@@ -106,6 +106,6 @@ requires the ability to read access control content on the target path. - [Mapping Privileges to Items](../privilege/mappingtoitems.html) - [Mapping API Calls to Privileges](../privilege/mappingtoprivileges.html) - +- [Mapping Privileges to JCR/Jackrabbit Actions](../privilege/mappingprivilegestoactions.html) diff --git a/oak-doc/src/site/markdown/security/privilege.md b/oak-doc/src/site/markdown/security/privilege.md index 97c90bff29..d9a8c508ed 100644 --- a/oak-doc/src/site/markdown/security/privilege.md +++ b/oak-doc/src/site/markdown/security/privilege.md @@ -112,6 +112,9 @@ of the default access control and permission evaluation. - Mapping Privileges to Items and API Calls - [Mapping Privileges to Items](privilege/mappingtoitems.html) - [Mapping API Calls to Privileges](privilege/mappingtoprivileges.html) +- Mapping JCR/Jackrabbit Actions +- [Mapping Privileges to JCR/Jackrabbit Actions](privilege/mappingprivilegestoactions.html) +- [Mapping of JCR Actions to Oak Permissions](permission.html#mapping-of-jcr-actions-to-oak-permissions) diff --git a/oak-doc/src/site/markdown/security/privilege/default.md b/oak-doc/src/site/markdown/security/privilege/default.md index 13fbcd8438..f7e36bf6ac 100644 --- a/oak-doc/src/site/markdown/security/privilege/default.md +++ b/oak-doc/src/site/markdown/security/privilege/default.md 
@@ -92,7 +92,8 @@ The new Privileges introduced with Oak 1.0 have the following effect: Mapping Privileges to Items and API Calls An overview on how the built-in privileges map to API calls and individual items can be found in ['Mapping Privileges to Items'](mappingtoitems.html) -and ['Mapping API Calls to Privileges'](mappingtoprivileges.html) +and ['Mapping API Calls to Privileges'](mappingtoprivileges.html). +See also ['Mapping Privileges to JCR/Jackrabbit Actions'](mappingprivilegestoactions.html) and ['Mapping of JCR Actions to Oak Permissions'](../permission.html#mapping-of-jcr-actions-to-oak-permissions) ### Representation in the Repository diff --git a/oak-doc/src/site/markdown/security/privilege/mappingprivilegestoactions.md b/oak-doc/src/site/markdown/security/privilege/mappingprivilegestoactions.md new file mode 100644 index 00..35d488badb --- /dev/null +++ b/oak-doc/src/site/markdown/security/privilege/mappingprivilegestoactions.md @@ -0,0 +1,59 @@ + +### Mapping Jcr Actions to Privileges + +| Jcr/Jackrabbit Action| Privilege | +|--|| +| ACTION_READ | jcr:read | +| ACTION_READ on node | rep:readNodes | +| ACTION_READ on prop | rep:readProperties | +| ACTION_SET_PROPERTY | jcr:modifyProperties | +| ACTION_ADD_PROPERTY | rep:addProperties
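Review bot: in the privilege/default.md hunk the added "See also [...] and [...]" sentence has no terminating period, although the previous line was just changed to add one; "An overview on how" in the same paragraph would also read better as "An overview of how".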
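Review bot: the new file's heading "### Mapping Jcr Actions to Privileges" disagrees with the title used by the three new links ("Mapping Privileges to JCR/Jackrabbit Actions") in both direction and capitalisation ("Jcr" vs "JCR"); use one title in the heading, the links and the table header (`Jcr/Jackrabbit Action`). Since the table lists, for each action, the privilege that covers it, "Mapping JCR/Jackrabbit Actions to Privileges" looks like the accurate one. The rows "ACTION_READ on node" and "ACTION_READ on prop" should also say what "on node"/"on prop" refers to (the kind of item the given path resolves to), since the action API only takes a path and an action string.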
(jackrabbit-oak) branch trunk updated: OAK-10525 : DefaultSyncContext.createValues : return value should be annotated with @NotNull
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 893c0e4bb6 OAK-10525 : DefaultSyncContext.createValues : return value should be annotated with @NotNull 893c0e4bb6 is described below commit 893c0e4bb6d6e7f60883617c26cf4f702e1c3678 Author: angela AuthorDate: Thu Nov 2 19:55:30 2023 +0100 OAK-10525 : DefaultSyncContext.createValues : return value should be annotated with @NotNull --- .../spi/security/authentication/external/basic/DefaultSyncContext.java | 2 +- .../oak/spi/security/authentication/external/basic/package-info.java| 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java index 1786fe39f1..3796a5509a 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java @@ -750,7 +750,7 @@ public class DefaultSyncContext implements SyncContext { * @return and array of JCR values * @throws RepositoryException if an error occurs */ -@Nullable +@NotNull protected Value[] createValues(@NotNull Collection propValues) throws RepositoryException { List values = new ArrayList<>(); for (Object obj : propValues) { diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java index 21e8576349..51feead897 100644 
--- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java @@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -@Version("1.8.0") +@Version("1.8.1") package org.apache.jackrabbit.oak.spi.security.authentication.external.basic; import org.osgi.annotation.versioning.Version;
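Review bot: the Javadoc directly above the changed annotation still reads "@return and array of JCR values" ("an array"); fix it in the same hunk. Check that `Nullable` is still referenced elsewhere in DefaultSyncContext, otherwise its import is now unused. On the version bump: `createValues` is a `protected` method of an exported package (`@Version("1.8.0")` to `"1.8.1"`), so subclasses that override it now have to guarantee a non-null return; a tightened implementor contract is arguably a minor rather than a micro change under OSGi semantic versioning, and the baseline check will not flag an annotation-only change, so the reasoning deserves a sentence in the commit message.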
(jackrabbit-oak) branch trunk updated: OAK-10517 : Consistently clean membership when switch between default and dynamic sync
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 84bf4f2d78 OAK-10517 : Consistently clean membership when switch between default and dynamic sync 84bf4f2d78 is described below commit 84bf4f2d78344e41cd0e5455c5aed7eeaec68af4 Author: anchela AuthorDate: Thu Nov 2 11:08:54 2023 +0100 OAK-10517 : Consistently clean membership when switch between default and dynamic sync --- .../external/basic/DefaultSyncContext.java | 9 ++ .../external/impl/DynamicSyncContext.java | 19 ++- .../external/impl/ExternalIdentityConstants.java | 9 ++ .../external/impl/DynamicSyncContextTest.java | 5 +- .../external/impl/SwitchSyncModeTest.java | 161 + 5 files changed, 199 insertions(+), 4 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java index bf4ba40c04..1786fe39f1 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java @@ -60,6 +60,8 @@ import org.slf4j.LoggerFactory; import static java.text.Normalizer.Form.NFKC; import static java.text.Normalizer.normalize; +import static org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES; +import static org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants.REP_LAST_DYNAMIC_SYNC; /** * Internal implementation of the sync context 
@@ -588,6 +590,13 @@ public class DefaultSyncContext implements SyncContext { log.debug("- removing member '{}' for group '{}'", auth.getID(), grp.getID()); } timer.mark("removing"); + +// make sure properties added by 'dynamic sync' are cleared +if (!auth.isGroup()) { +auth.removeProperty(REP_EXTERNAL_PRINCIPAL_NAMES); +auth.removeProperty(REP_LAST_DYNAMIC_SYNC); +timer.mark("cleanup"); +} log.debug("syncMembership({}) {}", external.getId(), timer); } diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java index fb331ff0b6..92236533fa 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java @@ -91,7 +91,7 @@ public class DynamicSyncContext extends DefaultSyncContext { } Collection principalNames = clearGroupMembership(authorizable); - authorizable.setProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES, createValues(principalNames)); +setExternalPrincipalNames(authorizable, createValues(principalNames)); return true; } @@ -156,6 +156,10 @@ public class DynamicSyncContext extends DefaultSyncContext { super.syncMembership(external, auth, depth); } else { try { +// determine if clean up of groups (i.e. getting rid of previously synchronized membership information) +// is required or not. due to OAK-10517 just checking 'groupsSyncedBefore' is not sufficient. +boolean cleanupGroups = groupsSyncedBefore || requiresCleanup(auth); + Iterable declaredGroupRefs = external.getDeclaredGroups(); // resolve group-refs respecting depth to avoid iterating twice Map map = collectSyncEntries(declaredGroupRefs, depth); 
@@ -170,7 +174,7 @@ public class DynamicSyncContext extends DefaultSyncContext { } // clean up any other membership -if (groupsSyncedBefore) { +if (cleanupGroups) { clearGroupMembership(auth); } } catch (ExternalIdentityException e) { @@ -200,7 +204,12 @@ public class DynamicSyncContext extends DefaultSyncContext { Set principalsNames = syncEntries.stream().map(syncEntry -> syncEntry.principalName).collect(Collectors.toSet()); vs = createValues(principalsNames);
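Review bot: the first hunk makes `...external.basic.DefaultSyncContext` statically import `REP_EXTERNAL_PRINCIPAL_NAMES` and `REP_LAST_DYNAMIC_SYNC` from `...external.impl.ExternalIdentityConstants`, so the exported `basic` SPI package now depends on the `impl` package (the diffstat shows `ExternalIdentityConstants.java` being edited in this same commit, so the constants are new there). Consider placing these two constants in a type within `basic` or another exported package so the dependency direction stays impl -> basic.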
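Review bot: the new comment in `DynamicSyncContext.syncMembership` ("due to OAK-10517 just checking 'groupsSyncedBefore' is not sufficient") explains the condition by ticket number only; state the situation it covers (a user whose membership was synced by the default, non-dynamic sync before the handler was switched to dynamic membership, which is what the commit title describes) so the reason survives without looking up the issue. The new `requiresCleanup(auth)` helper and the `setExternalPrincipalNames(...)` replacement for the direct `setProperty` call are not part of the hunks shown here and cannot be checked in this review.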
(jackrabbit-oak) branch OAK-10517 updated (86956f51e1 -> 76d9d5f3b8)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10517 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from 86956f51e1 OAK-10517 : Consistently clean membership when switch between default and dynamic sync add 76d9d5f3b8 OAK-10517 : fix comment in test. review finding by nicola scendoni No new revisions were added by this update. Summary of changes: .../spi/security/authentication/external/impl/SwitchSyncModeTest.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
(jackrabbit-oak) branch OAK-10517 updated (413ea5908c -> 86956f51e1)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10517 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from 413ea5908c OAK-10517 : Consistently clean membership when switch between default and dynamic sync add 86956f51e1 OAK-10517 : Consistently clean membership when switch between default and dynamic sync No new revisions were added by this update. Summary of changes: .../security/authentication/external/impl/DynamicSyncContext.java | 8 ++-- .../authentication/external/impl/DynamicSyncContextTest.java | 5 - 2 files changed, 10 insertions(+), 3 deletions(-)
[jackrabbit-oak] 01/01: OAK-10517 : Consistently clean membership when switch between default and dynamic sync
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10517 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 413ea5908c3a35dcb8e45c2b589dd290c9c7eee6 Author: angela AuthorDate: Thu Oct 26 18:36:07 2023 +0200 OAK-10517 : Consistently clean membership when switch between default and dynamic sync --- .../external/basic/DefaultSyncContext.java | 9 ++ .../external/impl/DynamicSyncContext.java | 11 +- .../external/impl/ExternalIdentityConstants.java | 9 ++ .../external/impl/SwitchSyncModeTest.java | 160 + 4 files changed, 188 insertions(+), 1 deletion(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java index bf4ba40c04..1786fe39f1 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java @@ -60,6 +60,8 @@ import org.slf4j.LoggerFactory; import static java.text.Normalizer.Form.NFKC; import static java.text.Normalizer.normalize; +import static org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES; +import static org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants.REP_LAST_DYNAMIC_SYNC; /** * Internal implementation of the sync context 
@@ -588,6 +590,13 @@ public class DefaultSyncContext implements SyncContext { log.debug("- removing member '{}' for group '{}'", auth.getID(), grp.getID()); } timer.mark("removing"); + +// make sure properties added by 'dynamic sync' are cleared +if (!auth.isGroup()) { +auth.removeProperty(REP_EXTERNAL_PRINCIPAL_NAMES); +auth.removeProperty(REP_LAST_DYNAMIC_SYNC); +timer.mark("cleanup"); +} log.debug("syncMembership({}) {}", external.getId(), timer); } diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java index fb331ff0b6..18a24ea334 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java @@ -156,6 +156,10 @@ public class DynamicSyncContext extends DefaultSyncContext { super.syncMembership(external, auth, depth); } else { try { +// determine if clean up of groups (i.e. getting rid of previously synchronized membership information) +// is required or not. due to OAK-10517 just checking 'groupsSyncedBefore' is not sufficient. +boolean cleanupGroups = groupsSyncedBefore || requiresCleanup(auth); + Iterable declaredGroupRefs = external.getDeclaredGroups(); // resolve group-refs respecting depth to avoid iterating twice Map map = collectSyncEntries(declaredGroupRefs, depth); @@ -170,7 +174,7 @@ public class DynamicSyncContext extends DefaultSyncContext { } // clean up any other membership -if (groupsSyncedBefore) { +if (cleanupGroups) { clearGroupMembership(auth); } } catch (ExternalIdentityException e) { 
@@ -201,6 +205,7 @@ public class DynamicSyncContext extends DefaultSyncContext { vs = createValues(principalsNames); } authorizable.setProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES, vs); + authorizable.setProperty(ExternalIdentityConstants.REP_LAST_DYNAMIC_SYNC, nowValue); } @NotNull @@ -378,6 +383,10 @@ public class DynamicSyncContext extends DefaultSyncContext { private static boolean groupsSyncedBefore(@NotNull Authorizable authorizable) throws RepositoryException { return authorizable.hasProperty(REP_LAST_SYNCED) && !authorizable.hasProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES); } + +private static boolean requiresCleanup(@NotNull Authorizable authorizable) throws RepositoryException { +return authorizable.hasProperty(REP_LAST_SYNCED) && !authorizable.hasProperty(ExternalIdentityConsta
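Review bot: DefaultSyncContext lives in the `basic` package, yet the new static imports pull REP_EXTERNAL_PRINCIPAL_NAMES and REP_LAST_DYNAMIC_SYNC from `external.impl.ExternalIdentityConstants`, so the base sync context now depends on the implementation package. If both sync modes share these property names as part of their contract, declaring them closer to the basic package (next to the constants DynamicSyncContext already uses unqualified, such as REP_LAST_SYNCED) avoids the package inversion.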
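Review bot: the new `requiresCleanup(Authorizable)` opens with the same `authorizable.hasProperty(REP_LAST_SYNCED) && !authorizable.hasProperty(ExternalIdentityConstants...` predicate as `groupsSyncedBefore(Authorizable)` directly above it, and the caller evaluates `groupsSyncedBefore || requiresCleanup(auth)`, so the shared REP_LAST_SYNCED test runs twice and the two methods differ only in the second operand. Folding them into one documented predicate (or having `requiresCleanup` test only the distinguishing property) makes the cleanup condition easier to reason about. In the `vs = createValues(principalsNames);` hunk, `nowValue` written to REP_LAST_DYNAMIC_SYNC is not defined in the visible lines; it should be the same timestamp recorded for REP_LAST_SYNCED in the same run so the two markers never disagree.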
[jackrabbit-oak] branch OAK-10517 created (now 413ea5908c)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10517 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at 413ea5908c OAK-10517 : Consistently clean membership when switch between default and dynamic sync This branch includes the following new commits: new 413ea5908c OAK-10517 : Consistently clean membership when switch between default and dynamic sync The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] branch trunk updated: OAK-10471 Implement ConflictHandler for UserPrincipalProvider Cache - fix tests (#1154)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 9c1fd98d68 OAK-10471 Implement ConflictHandler for UserPrincipalProvider Cache - fix tests (#1154) 9c1fd98d68 is described below commit 9c1fd98d689dd798b5b7063eb46b4df54f0830d7 Author: Nicola Scendoni AuthorDate: Tue Oct 17 10:59:01 2023 +0200 OAK-10471 Implement ConflictHandler for UserPrincipalProvider Cache - fix tests (#1154) --- .../security/user/CacheConflictHandlerTest.java| 134 ++--- 1 file changed, 37 insertions(+), 97 deletions(-) diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CacheConflictHandlerTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CacheConflictHandlerTest.java index d32bf4813d..736db26381 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CacheConflictHandlerTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CacheConflictHandlerTest.java 
@@ -19,134 +19,74 @@ package org.apache.jackrabbit.oak.security.user; -import org.apache.jackrabbit.api.security.user.Group; import org.apache.jackrabbit.oak.AbstractSecurityTest; -import org.apache.jackrabbit.oak.api.ContentSession; import org.apache.jackrabbit.oak.api.PropertyState; -import org.apache.jackrabbit.oak.api.Root; -import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.api.Type; -import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; -import org.apache.jackrabbit.oak.spi.security.authentication.SystemSubject; -import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration; -import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider; -import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration; +import org.apache.jackrabbit.oak.plugins.memory.PropertyBuilder; import org.apache.jackrabbit.oak.spi.state.NodeBuilder; -import org.jetbrains.annotations.NotNull; import org.junit.Test; -import javax.security.auth.Subject; -import java.security.Principal; -import java.security.PrivilegedExceptionAction; -import java.util.Set; -import java.util.UUID; - import static org.apache.jackrabbit.oak.security.user.CacheConstants.REP_EXPIRATION; import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; public class CacheConflictHandlerTest extends AbstractSecurityTest { -static final String PARAM_CACHE_EXPIRATION = "cacheExpiration"; - -@Override -public void before() throws Exception { -super.before(); - -String groupId = "testGroup" + UUID.randomUUID(); -@NotNull Group testGroup = getUserManager(root).createGroup(groupId); -testGroup.addMember(getTestUser()); - -String groupId2 = "testGroup" + UUID.randomUUID() + "2"; -@NotNull Group testGroup2 = getUserManager(root).createGroup(groupId2); -testGroup.addMember(testGroup2); - -String groupId3 
= "testGroup" + UUID.randomUUID() + "3"; -@NotNull Group testGroup3 = getUserManager(root).createGroup(groupId3); - -root.commit(); -} - -private Tree getCacheTree(Root root) throws Exception { -return getCacheTree(root, getTestUser().getPath()); -} - -private Tree getCacheTree(Root root, String authorizablePath) { -return root.getTree(authorizablePath + '/' + CacheConstants.REP_CACHE); -} - -@Override -protected ConfigurationParameters getSecurityConfigParameters() { -return ConfigurationParameters.of( -UserConfiguration.NAME, -ConfigurationParameters.of(PARAM_CACHE_EXPIRATION, 3600 * 1000) -); -} - @Test -public void testChangeChangedPropertyLower() throws Exception { - -PrincipalConfiguration pc = getConfig(PrincipalConfiguration.class); - -Root oursRoot = Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> login(null)).getLatestRoot(); -Root theirsRoot = Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> login(null)).getLatestRoot(); - -PrincipalProvider oursPP = pc.getPrincipalProvider(oursRoot, namePathMapper); -PrincipalProvider theirsPP = pc.getPrincipalProvider(theirsRoot, namePathMapper); - -// set of principals that read from user + membership-provider -> cache being filled -oursPP.getPrincipals(getTestUser().getID()); -assertTrue(getCacheTree(oursRoot).exists()); - getCacheTree(oursRoot).getProperty("rep:expiration").getValue(Type.LONG).longValue(); +public void testChang
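Review bot: this rewrite of CacheConflictHandlerTest drops the repository-backed setup (`before()` creating the test groups, `getCacheTree`, the `cacheExpiration` configuration) and the assertion `assertTrue(getCacheTree(oursRoot).exists());` after `oursPP.getPrincipals(getTestUser().getID());` in favour of Mockito `verify` and `PropertyBuilder` checks. That removes the only test that drove the conflict handler through a real parallel cache fill; keep at least one end-to-end case (two roots writing `rep:expiration` concurrently, then asserting the merged value) next to the mock-based unit tests, because the concurrent commit path is exactly what the handler exists for and what mocks cannot reproduce.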
[jackrabbit-oak] branch trunk updated: OAK-10486 : Resolution of inherited groups may terminate pre-maturely for external users (#1147)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new da19433ebe OAK-10486 : Resolution of inherited groups may terminate pre-maturely for external users (#1147) da19433ebe is described below commit da19433ebe9eed5dc78e938d05fb01ce7364d3a6 Author: anchela AuthorDate: Tue Oct 17 08:50:22 2023 +0200 OAK-10486 : Resolution of inherited groups may terminate pre-maturely for external users (#1147) --- .../principal/InheritedMembershipIterator.java | 29 ++ .../external/impl/DynamicSyncTest.java | 66 ++ 2 files changed, 85 insertions(+), 10 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/InheritedMembershipIterator.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/InheritedMembershipIterator.java index 8b19f07532..0fe885276d 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/InheritedMembershipIterator.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/InheritedMembershipIterator.java @@ -54,6 +54,7 @@ class InheritedMembershipIterator extends AbstractLazyIterator { try { // call 'memberof' to cover nested inheritance Iterator it = gr.memberOf(); +// verify that the group-iterator has any elements before remembering it for further processing if (it.hasNext()) { inherited.add(it); } 
@@ -63,20 +64,13 @@ class InheritedMembershipIterator extends AbstractLazyIterator { return gr; } -if (inheritedIterator == null) { -inheritedIterator = getNextInheritedIterator(); -} - -while (inheritedIterator.hasNext()) { +while (inheritedHasNext()) { Group gr = inheritedIterator.next(); if (notProcessedBefore(gr)) { return gr; } -if (!inheritedIterator.hasNext()) { -inheritedIterator = getNextInheritedIterator(); -} -} - +} + // all inherited groups have been processed return null; } @@ -89,6 +83,21 @@ class InheritedMembershipIterator extends AbstractLazyIterator { } } +private boolean inheritedHasNext() { +if (inheritedIterator == null) { +// initialize the inherited iterator (i.e. get the first one after having processed all dynamic groups) +inheritedIterator = getNextInheritedIterator(); +} +if (inheritedIterator.hasNext()) { +return true; +} else { +// no more elements in the current 'inheritedIterator'. move on to the next inherited iterator +// (or an empty one if there are no more iterators left to process) +inheritedIterator = getNextInheritedIterator(); +return inheritedIterator.hasNext(); +} +} + @NotNull private Iterator getNextInheritedIterator() { if (inherited.isEmpty()) { diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java index c653741007..c9f81effce 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java 
@@ -50,6 +50,8 @@ public class DynamicSyncTest extends AbstractDynamicTest { private static final String BASE_ID = "base"; private static final String BASE2_ID = "base2"; +private static final String BASE3_ID = "base3"; +private static final String BASE4_ID = "base4"; private static final String AUTO_GROUPS = "autoForGroups"; private static final String AUTO_USERS = "autoForUsers"; @@ -57,6 +59,7 @@ public class DynamicSyncTest extends AbstractDynamicTest { private Group autoForUsers; private Group base; private Group base2; +private Group base3; @Override public void before() throws Exception { @@ -75,6 +78,10 @@ public class DynamicSyncTest extends AbstractDynamicTest { base2 = userManager.createGroup(BASE2_ID); base2.addMember(autoForUsers); + +base3 = userManager.createGroup(BASE3_ID); +Gro
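Review bot: `inheritedHasNext()` advances to the next inherited iterator only once before returning `inheritedIterator.hasNext()`, so it is correct only because the `@@ -54` hunk adds iterators to `inherited` solely when `it.hasNext()` was true; that invariant is established in a different method. A `while (!inheritedIterator.hasNext() && !inherited.isEmpty())` loop, or at least a comment naming the invariant at the `else` branch, would keep the iterator from terminating early again should an empty iterator ever be queued. The `-}` / `-` and `+}` / `+` pairs in the `@@ -63` hunk delete and re-add the same closing brace and blank line, which indicates a whitespace-only difference that can be dropped from the change.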
[jackrabbit-oak] branch trunk updated: OAK-10471: Implement ConflictHandler for UserPrincipalProvider Cache
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 62a3f776cb OAK-10471: Implement ConflictHandler for UserPrincipalProvider Cache 62a3f776cb is described below commit 62a3f776cb4febe17003f8d550c749846d561324 Author: Nicola Scendoni AuthorDate: Thu Oct 12 14:07:18 2023 +0200 OAK-10471: Implement ConflictHandler for UserPrincipalProvider Cache --- .../oak/security/user/CacheConflictHandler.java| 95 +++ .../oak/security/user/UserConfigurationImpl.java | 2 +- .../security/user/CacheConflictHandlerTest.java| 181 + .../security/user/UserConfigurationImplTest.java | 2 +- 4 files changed, 278 insertions(+), 2 deletions(-) diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/CacheConflictHandler.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/CacheConflictHandler.java new file mode 100644 index 00..4122c1b070 --- /dev/null +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/CacheConflictHandler.java 
@@ -0,0 +1,95 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.jackrabbit.oak.security.user; + +import org.apache.jackrabbit.oak.api.PropertyState; +import org.apache.jackrabbit.oak.api.Type; +import org.apache.jackrabbit.oak.plugins.commit.DefaultThreeWayConflictHandler; +import org.apache.jackrabbit.oak.plugins.memory.PropertyBuilder; +import org.apache.jackrabbit.oak.spi.state.NodeBuilder; +import org.jetbrains.annotations.NotNull; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * The {@code CacheConflictHandler} takes care of merging the {@code rep:expiration} property + * during parallel updates. + * + * The conflict handler deals with the following conflicts: + * + * {@code addExistingProperty} : {@code Resolution.IGNORED}, We should not have add conflints, since the {@code rep:{@code rep:expiration}} node is created with the user + * {@code changeDeletedProperty}: {@code Resolution.IGNORED}, + * {@code changeChangedProperty}: {@code Resolution.MERGED}, the properties with higher {@code rep:expiration} get merged + * {@code deleteChangedProperty}: {@code Resolution.IGNORED} . + * {@code deleteDeletedProperty}: {@code Resolution.IGNORED}. 
+ * {@code changeDeletedNode}: {@code Resolution.IGNORED}, . + * {@code deleteChangedNode}: {@code Resolution.IGNORED}, + * {@code deleteDeletedNode}: {@code Resolution.IGNORED}. + * + */ + +class CacheConflictHandler extends DefaultThreeWayConflictHandler { + +private static final Logger LOG = LoggerFactory.getLogger(CacheConflictHandler.class); + +protected CacheConflictHandler() { +super(Resolution.IGNORED); + +} + +private Resolution resolveRepExpirationConflict(@NotNull NodeBuilder parent, @NotNull PropertyState ours, @NotNull PropertyState theirs, + PropertyState base) { +if (CacheConstants.REP_EXPIRATION.equals(ours.getName()) && CacheConstants.REP_EXPIRATION.equals(theirs.getName())){ + +PropertyBuilder merged = PropertyBuilder.scalar(Type.LONG); +merged.setName(CacheConstants.REP_EXPIRATION); + +//if base is bigger than ours and theirs, then use base. This should never happens +if (base != null && +base.getValue(Type.LONG) > ours.getValue(Type.LONG) && +base.getValue(Type.LONG) > theirs.getValue(Type.LONG)){ +merged.setValue(base.getValue(Type.LONG)); +LOG.warn("base is bigger than ours and theirs. This was supposed to never happens"); +return Resolution.MERGED; +} + +//if ours is bigger than theirs, then use ours +//otherwise use theirs +if (ours.getValue(Type.LONG) > theirs.getValue(Type.LONG)){ +merged.setValue(ours.getValue(Type.LONG)); +
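Review bot: in `resolveRepExpirationConflict` the branch guarded by `base.getValue(Type.LONG) > ours.getValue(Type.LONG) && base.getValue(Type.LONG) > theirs.getValue(Type.LONG)` builds `merged` with the base value and then does `return Resolution.MERGED;` without writing `merged` to `parent`, so the merge result is lost for that case; write the property (or fall through to a single `parent.setProperty(...)` before one return) and read each `getValue(Type.LONG)` once into a `long` local instead of unboxing it repeatedly. The class Javadoc also needs cleanup: "add conflints", the malformed nested tag `{@code rep:{@code rep:expiration}}`, "This should never happens" (repeated in the comment and the warn message), stray ", ." after the `Resolution.IGNORED` entries, and the list should be `<ul>/<li>` so it renders. Since `rep:expiration` decides how long cached principals are reused, state in the Javadoc why the higher (later) expiration is the intended winner on conflict.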
[jackrabbit-oak] 01/01: OAK-10486 : Resolution of inherited groups may terminate pre-maturely for external users
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch issue/OAK-10486 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 7e3056f337490cb66cf7336136628bb8cbda0ec9 Author: angela AuthorDate: Wed Oct 11 19:12:39 2023 +0200 OAK-10486 : Resolution of inherited groups may terminate pre-maturely for external users --- .../principal/InheritedMembershipIterator.java | 29 ++ .../external/impl/DynamicSyncTest.java | 66 ++ 2 files changed, 85 insertions(+), 10 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/InheritedMembershipIterator.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/InheritedMembershipIterator.java index 8b19f07532..0fe885276d 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/InheritedMembershipIterator.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/InheritedMembershipIterator.java @@ -54,6 +54,7 @@ class InheritedMembershipIterator extends AbstractLazyIterator { try { // call 'memberof' to cover nested inheritance Iterator it = gr.memberOf(); +// verify that the group-iterator has any elements before remembering it for further processing if (it.hasNext()) { inherited.add(it); } @@ -63,20 +64,13 @@ class InheritedMembershipIterator extends AbstractLazyIterator { return gr; } -if (inheritedIterator == null) { -inheritedIterator = getNextInheritedIterator(); -} - -while (inheritedIterator.hasNext()) { +while (inheritedHasNext()) { Group gr = inheritedIterator.next(); if (notProcessedBefore(gr)) { return gr; } -if (!inheritedIterator.hasNext()) { -inheritedIterator = getNextInheritedIterator(); -} -} - +} + // all inherited groups have been processed return null; } 
@@ -89,6 +83,21 @@ class InheritedMembershipIterator extends AbstractLazyIterator { } } +private boolean inheritedHasNext() { +if (inheritedIterator == null) { +// initialize the inherited iterator (i.e. get the first one after having processed all dynamic groups) +inheritedIterator = getNextInheritedIterator(); +} +if (inheritedIterator.hasNext()) { +return true; +} else { +// no more elements in the current 'inheritedIterator'. move on to the next inherited iterator +// (or an empty one if there are no more iterators left to process) +inheritedIterator = getNextInheritedIterator(); +return inheritedIterator.hasNext(); +} +} + @NotNull private Iterator getNextInheritedIterator() { if (inherited.isEmpty()) { diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java index c653741007..c9f81effce 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java @@ -50,6 +50,8 @@ public class DynamicSyncTest extends AbstractDynamicTest { private static final String BASE_ID = "base"; private static final String BASE2_ID = "base2"; +private static final String BASE3_ID = "base3"; +private static final String BASE4_ID = "base4"; private static final String AUTO_GROUPS = "autoForGroups"; private static final String AUTO_USERS = "autoForUsers"; @@ -57,6 +59,7 @@ public class DynamicSyncTest extends AbstractDynamicTest { private Group autoForUsers; private Group base; private Group base2; +private Group base3; @Override public void before() throws Exception { 
@@ -75,6 +78,10 @@ public class DynamicSyncTest extends AbstractDynamicTest { base2 = userManager.createGroup(BASE2_ID); base2.addMember(autoForUsers); + +base3 = userManager.createGroup(BASE3_ID); +Group base4 = userManager.createGroup(BASE4_ID); +base4.addMembers(BASE3_ID); r.commit(); } @@ -130,6 +137,65 @@ public class DynamicSyncTest extends AbstractDynamicTest {
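Review bot: in the DynamicSyncTest hunk, `base4.addMembers(BASE3_ID);` discards the set of ids the call could not add, so a failure to wire base3 into base4 would silently weaken the inherited-membership assertions this test exists for; assert the returned set is empty, or use `base4.addMember(base3)` and assert the boolean, before `r.commit();`. The InheritedMembershipIterator hunks are byte-identical to the trunk commit da19433ebe above (same `index 8b19f07532..0fe885276d`), so the remarks on `inheritedHasNext()` there apply here unchanged.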
[jackrabbit-oak] branch issue/OAK-10486 created (now 7e3056f337)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch issue/OAK-10486 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at 7e3056f337 OAK-10486 : Resolution of inherited groups may terminate pre-maturely for external users This branch includes the following new commits: new 7e3056f337 OAK-10486 : Resolution of inherited groups may terminate pre-maturely for external users The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] branch OAK-10486 created (now 549f1db9c6)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10486 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at 549f1db9c6 OAK-10486 : Resolution of inherited groups may terminate pre-maturely for external users This branch includes the following new commits: new 549f1db9c6 OAK-10486 : Resolution of inherited groups may terminate pre-maturely for external users The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] 01/01: OAK-10486 : Resolution of inherited groups may terminate pre-maturely for external users
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10486 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 549f1db9c6791ec51e727272c2830ceb34717a03 Author: angela AuthorDate: Wed Oct 11 18:55:48 2023 +0200 OAK-10486 : Resolution of inherited groups may terminate pre-maturely for external users --- .../principal/InheritedMembershipIterator.java | 25 +--- .../external/impl/DynamicSyncTest.java | 66 ++ 2 files changed, 83 insertions(+), 8 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/InheritedMembershipIterator.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/InheritedMembershipIterator.java index 8b19f07532..bc142cdea8 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/InheritedMembershipIterator.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/InheritedMembershipIterator.java @@ -54,6 +54,7 @@ class InheritedMembershipIterator extends AbstractLazyIterator { try { // call 'memberof' to cover nested inheritance Iterator it = gr.memberOf(); +// verify that the group-iterator has any elements before remembering it for further processing if (it.hasNext()) { inherited.add(it); } @@ -63,18 +64,11 @@ class InheritedMembershipIterator extends AbstractLazyIterator { return gr; } -if (inheritedIterator == null) { -inheritedIterator = getNextInheritedIterator(); -} - -while (inheritedIterator.hasNext()) { +while (inheritedHasNext()) { Group gr = inheritedIterator.next(); if (notProcessedBefore(gr)) { return gr; } -if (!inheritedIterator.hasNext()) { -inheritedIterator = getNextInheritedIterator(); -} } // all inherited groups have been processed 
@@ -88,6 +82,21 @@ class InheritedMembershipIterator extends AbstractLazyIterator { return true; } } + +private boolean inheritedHasNext() { +if (inheritedIterator == null) { +// initialize the inherited iterator (i.e. get the first one after having processed all dynamic groups) +inheritedIterator = getNextInheritedIterator(); +} +if (inheritedIterator.hasNext()) { +return true; +} else { +// no more elements in the current 'inheritedIterator'. move on to the next inherited iterator +// (or an empty one if there are no more iterators left to process) +inheritedIterator = getNextInheritedIterator(); +return inheritedIterator.hasNext(); +} +} @NotNull private Iterator getNextInheritedIterator() { diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java index c653741007..1ac7309a3c 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java @@ -50,6 +50,8 @@ public class DynamicSyncTest extends AbstractDynamicTest { private static final String BASE_ID = "base"; private static final String BASE2_ID = "base2"; +private static final String BASE3_ID = "base3"; +private static final String BASE4_ID = "base4"; private static final String AUTO_GROUPS = "autoForGroups"; private static final String AUTO_USERS = "autoForUsers"; @@ -57,6 +59,8 @@ public class DynamicSyncTest extends AbstractDynamicTest { private Group autoForUsers; private Group base; private Group base2; +private Group base3; +private Group base4; @Override public void before() throws Exception { 
@@ -76,6 +80,9 @@ public class DynamicSyncTest extends AbstractDynamicTest { base2 = userManager.createGroup(BASE2_ID); base2.addMember(autoForUsers); +base3 = userManager.createGroup(BASE3_ID); +base4 = userManager.createGroup(BASE4_ID); +base4.addMembers(BASE3_ID); r.commit(); } @@ -130,6 +137,65 @@ public class DynamicSyncTest extends AbstractDynamicTest { assertEquals(10, principalNames.size()); } +
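Review bot: `base4` is promoted to a field (`+private Group base4;`) but in the visible hunks it is only assigned and used inside `before()`; a local variable is enough unless a test method below needs it, and the follow-up commit 7e3056f337 indeed declares it as `Group base4 = userManager.createGroup(BASE4_ID);` locally. In the `@@ -88,6 +82,21 @@` hunk the closing `+}` of `inheritedHasNext()` is immediately followed by `@NotNull private Iterator getNextInheritedIterator()` with no blank line between the methods, unlike the rest of the class; the follow-up commit adds it.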
[jackrabbit-oak] branch trunk updated: OAK-10318 : Improve AutoMembershipPrincipals#isInheritedMember
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 615b2e9002 OAK-10318 : Improve AutoMembershipPrincipals#isInheritedMember 615b2e9002 is described below commit 615b2e90021b2136549ca33a28e4a453c8d2132f Author: anchela AuthorDate: Tue Jul 25 14:28:09 2023 +0200 OAK-10318 : Improve AutoMembershipPrincipals#isInheritedMember * OAK-10318 : Improve AutoMembershipPrincipals#isInheritedMember * OAK-10318 : Improve AutoMembershipPrincipals#isInheritedMember (add trace to cycle-warning as suggested by joergH, fix typo, change order of checks) --- .../impl/principal/AutoMembershipPrincipals.java | 68 +-- .../impl/principal/AutoMembershipCycleTest.java| 218 + 2 files changed, 227 insertions(+), 59 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java index fc9c664940..eb26a19b1e 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java 
@@ -16,12 +16,12 @@ */ package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal; -import org.apache.jackrabbit.guava.common.collect.ImmutableSet; -import org.apache.jackrabbit.guava.common.collect.Iterators; -import org.apache.jackrabbit.guava.common.collect.Maps; import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.api.security.user.Group; import org.apache.jackrabbit.api.security.user.UserManager; +import org.apache.jackrabbit.guava.common.collect.ImmutableSet; +import org.apache.jackrabbit.guava.common.collect.Iterators; +import org.apache.jackrabbit.guava.common.collect.Maps; import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.AutoMembershipConfig; import org.apache.jackrabbit.oak.spi.security.principal.GroupPrincipals; import org.jetbrains.annotations.NotNull; @@ -32,6 +32,7 @@ import org.slf4j.LoggerFactory; import javax.jcr.RepositoryException; import java.security.Principal; import java.util.ArrayList; +import java.util.Arrays; import java.util.HashSet; import java.util.Iterator; import java.util.List; @@ -103,7 +104,7 @@ final class AutoMembershipPrincipals { * * @param idpName The name of an IDP * @param groupId The target group id - * @param authorizable The authorizable for which to evaluation if it is a automatic member of the group identified by {@code groupId}. + * @param authorizable The authorizable for which to evaluation if it is an automatic member of the group identified by {@code groupId}. * @return {@code true} if the given authorizable is an automatic member of the group identified by {@code groupId}; {@code false} otherwise. * @see AutoMembershipProvider#isMember(Group, Authorizable, boolean) */ 
@@ -127,23 +128,56 @@ final class AutoMembershipPrincipals { } boolean isInheritedMember(@NotNull String idpName, @NotNull Group group, @NotNull Authorizable authorizable) throws RepositoryException { -return isInheritedMember(idpName, group, authorizable, new HashSet<>()); -} - -boolean isInheritedMember(@NotNull String idpName, @NotNull Group group, @NotNull Authorizable authorizable, @NotNull Set processedIds) throws RepositoryException { String groupId = group.getID(); -if (!processedIds.add(groupId)) { -log.error("Cyclic group membership detected for group id {}", groupId); -return false; -} if (isMember(idpName, groupId, authorizable)) { +// groupId is listed in auto-membership configuration return true; } -Iterator declaredGroupMembers = Iterators.filter(group.getDeclaredMembers(), Authorizable::isGroup); -while (declaredGroupMembers.hasNext()) { -Group grMember = (Group) declaredGroupMembers.next(); -if (isInheritedMember(idpName, grMember, authorizable, processedIds)) { +// to test for inherited membership collect automembership-ids and loop auto-membership groups +Set automembershipIds = new HashSet<>(Arrays.asList(autoMembershipMapping.get(idpName))); +AutoMembershipConfig config = autoMembershipConfigMap.get(idpName); +if (config != null) { +automembershipIds.addAll(config.getAutoMembership(authorizable)); +
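Review bot: In the `@@ -127,23 +128,56 @@` hunk, `new HashSet<>(Arrays.asList(autoMembershipMapping.get(idpName)))` has no guard for an `idpName` that has no entry in `autoMembershipMapping`: `Arrays.asList` throws a `NullPointerException` when handed a null array, so an unknown or mistyped IDP name would surface as an NPE out of `isInheritedMember` instead of the `false` the javadoc promises. The `config != null` check two lines further down shows that the absent case is already expected for `autoMembershipConfigMap`; mirror it for the mapping, e.g. `String[] ids = autoMembershipMapping.get(idpName);` followed by `Set<String> automembershipIds = (ids == null) ? new HashSet<>() : new HashSet<>(Arrays.asList(ids));`. Dropping the package-private `isInheritedMember(..., Set processedIds)` overload is the right call, since it let callers pass a pre-populated set and silently suppress results.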
[jackrabbit-oak] branch OAK-10318 updated: OAK-10318 : Improve AutoMembershipPrincipals#isInheritedMember (add trace to cycle-warning as suggested by joergH, fix typo, change order of checks)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10318 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/OAK-10318 by this push: new 0ea2af524a OAK-10318 : Improve AutoMembershipPrincipals#isInheritedMember (add trace to cycle-warning as suggested by joergH, fix typo, change order of checks) 0ea2af524a is described below commit 0ea2af524a168efd502a8ad220377ac6ba670bbe Author: angela AuthorDate: Mon Jul 24 12:17:27 2023 +0200 OAK-10318 : Improve AutoMembershipPrincipals#isInheritedMember (add trace to cycle-warning as suggested by joergH, fix typo, change order of checks) --- .../impl/principal/AutoMembershipPrincipals.java | 25 .../impl/principal/AutoMembershipCycleTest.java| 70 +- 2 files changed, 80 insertions(+), 15 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java index f5ceb84d16..eb26a19b1e 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java @@ -147,7 +147,7 @@ final class AutoMembershipPrincipals { Authorizable gr = userManager.getAuthorizable(automembershipId); if (gr == null || !gr.isGroup()) { log.warn("Configured automembership id '{}' is not a valid group", automembershipId); -} else if (hasInheritedMembership(gr.declaredMemberOf(), groupId, automembershipId, processed)) { +} else if (hasInheritedMembership(gr.declaredMemberOf(), groupId, automembershipId, processed, "> ")) { return true; } } 
@@ -155,28 +155,29 @@ final class AutoMembershipPrincipals { } private static boolean hasInheritedMembership(@NotNull Iterator declared, @NotNull String groupId, - @NotNull String memberId, @NotNull Set processed) throws RepositoryException { + @NotNull String memberId, @NotNull Set processed, + @NotNull String trace) throws RepositoryException { List groups = new ArrayList<>(); while (declared.hasNext()) { Group gr = declared.next(); String grId = gr.getID(); -if (memberId.equals(grId)) { -log.error("Cyclic group membership detected for group id {}", memberId); -} -if (!processed.add(grId)) { -// group has already been processed before (shared membership e.g. for the 'everyone' group) -return false; -} if (groupId.equals(grId)) { // the specified groupId defines inherited membership of a configured auto-membership group return true; } -// remember group for traversing up the membership hierarchy -groups.add(gr); +if (memberId.equals(grId)) { +log.error("Cyclic group membership detected for group id {} via {}{}", memberId, trace, grId); +continue; +} +if (processed.add(grId)) { +// remember group for traversing up the membership hierarchy if it has not already been +// processed before (shared membership e.g. for the 'everyone' group) +groups.add(gr); +} } // recursively call to search for inherited membership for (Group group : groups) { -if (hasInheritedMembership(group.declaredMemberOf(), groupId, memberId, processed)) { +if (hasInheritedMembership(group.declaredMemberOf(), groupId, memberId, processed, String.format("%s %s > ", trace, group.getID( { return true; } } diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipCycleTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipCycleTest.java index c8664a3add..049ef74970 100644 
--- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipCycleTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principa
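Review bot: In the `@@ -155,28 +155,29 @@` hunk the trace string is rebuilt with `String.format("%s %s > ", trace, group.getID())` on every recursive call, so the formatting cost is paid for every traversal even though the trace is only consumed in the `log.error` branch; since this runs during membership evaluation, build the trace lazily (for example keep the ancestor path in a `Deque<String>` and join it only when the cycle is actually logged). As a style point, the initial `"> "` passed from `isInheritedMember` in the `@@ -147,7 +147,7 @@` hunk combined with the `"%s %s > "` pattern produces a double space after the leading `>`; `"%s%s > "` yields a cleaner `> a > b > ` chain. The reordering itself is sound: checking `groupId.equals(grId)` first and turning the cycle case into `continue` means a cycle back to `memberId` no longer aborts the search of the remaining parents, and moving the `processed.add(grId)` test into the "remember group" branch correctly treats a repeated visit as shared membership (the `everyone` case from the comment) rather than as a cycle. The commit message calls this a "cycle-warning" while the code logs at ERROR; align the two.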
[jackrabbit-oak] branch OAK-10318 created (now 7764be2df5)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10318 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at 7764be2df5 OAK-10318 : Improve AutoMembershipPrincipals#isInheritedMember This branch includes the following new commits: new 7764be2df5 OAK-10318 : Improve AutoMembershipPrincipals#isInheritedMember The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] 01/01: OAK-10318 : Improve AutoMembershipPrincipals#isInheritedMember
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10318 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 7764be2df57fd787d1dad07a1c418333185b7daf Author: angela AuthorDate: Fri Jul 21 12:03:26 2023 +0200 OAK-10318 : Improve AutoMembershipPrincipals#isInheritedMember --- .../impl/principal/AutoMembershipPrincipals.java | 67 ++--- .../impl/principal/AutoMembershipCycleTest.java| 154 +++-- 2 files changed, 162 insertions(+), 59 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java index fc9c664940..f5ceb84d16 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java 
@@ -16,12 +16,12 @@ */ package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal; -import org.apache.jackrabbit.guava.common.collect.ImmutableSet; -import org.apache.jackrabbit.guava.common.collect.Iterators; -import org.apache.jackrabbit.guava.common.collect.Maps; import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.api.security.user.Group; import org.apache.jackrabbit.api.security.user.UserManager; +import org.apache.jackrabbit.guava.common.collect.ImmutableSet; +import org.apache.jackrabbit.guava.common.collect.Iterators; +import org.apache.jackrabbit.guava.common.collect.Maps; import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.AutoMembershipConfig; import org.apache.jackrabbit.oak.spi.security.principal.GroupPrincipals; import org.jetbrains.annotations.NotNull; @@ -32,6 +32,7 @@ import org.slf4j.LoggerFactory; import javax.jcr.RepositoryException; import java.security.Principal; import java.util.ArrayList; +import java.util.Arrays; import java.util.HashSet; import java.util.Iterator; import java.util.List; @@ -103,7 +104,7 @@ final class AutoMembershipPrincipals { * * @param idpName The name of an IDP * @param groupId The target group id - * @param authorizable The authorizable for which to evaluation if it is a automatic member of the group identified by {@code groupId}. + * @param authorizable The authorizable for which to evaluation if it is an automatic member of the group identified by {@code groupId}. * @return {@code true} if the given authorizable is an automatic member of the group identified by {@code groupId}; {@code false} otherwise. * @see AutoMembershipProvider#isMember(Group, Authorizable, boolean) */ 
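Review bot: The first hunk of `AutoMembershipPrincipals.java` (`@@ -16,12 +16,12 @@`) only moves the three `org.apache.jackrabbit.guava.common.collect` imports below the `org.apache.jackrabbit.api.security.user` ones; a purely cosmetic reorder is fine, but it is easier to review as its own commit or at least called out in the commit message, since here it sits next to the functional `java.util.Arrays` addition and the javadoc fix and inflates the diff of a behaviour change.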
@@ -127,23 +128,55 @@ final class AutoMembershipPrincipals { } boolean isInheritedMember(@NotNull String idpName, @NotNull Group group, @NotNull Authorizable authorizable) throws RepositoryException { -return isInheritedMember(idpName, group, authorizable, new HashSet<>()); -} - -boolean isInheritedMember(@NotNull String idpName, @NotNull Group group, @NotNull Authorizable authorizable, @NotNull Set processedIds) throws RepositoryException { String groupId = group.getID(); -if (!processedIds.add(groupId)) { -log.error("Cyclic group membership detected for group id {}", groupId); -return false; -} if (isMember(idpName, groupId, authorizable)) { +// groupId is listed in auto-membership configuration return true; } -Iterator declaredGroupMembers = Iterators.filter(group.getDeclaredMembers(), Authorizable::isGroup); -while (declaredGroupMembers.hasNext()) { -Group grMember = (Group) declaredGroupMembers.next(); -if (isInheritedMember(idpName, grMember, authorizable, processedIds)) { +// to test for inherited membership collect automembership-ids and loop auto-membership groups +Set automembershipIds = new HashSet<>(Arrays.asList(autoMembershipMapping.get(idpName))); +AutoMembershipConfig config = autoMembershipConfigMap.get(idpName); +if (config != null) { +automembershipIds.addAll(config.getAutoMembership(authorizable)); +} + +// keep track of processed ids over all 'automembership' ids to avoid repeated evaluation +Set processed = new HashSet<>(); +for (String automembershipId : automembershipIds) { +Authorizable gr = userManager.getAuthorizable(automembershipId); +if (gr == null || !gr.isGroup()) { +log.warn("Configured automembership id '{}' is not
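Review bot: In the `@@ -127,23 +128,55 @@` hunk the `log.warn("Configured automembership id '{}' is not a valid group", ...)` branch sits inside `isInheritedMember`, which is evaluated per authorizable and per group lookup, so a stale or mistyped automembership id will be logged on every membership evaluation rather than once; either validate the configured ids when `autoMembershipMapping` and `autoMembershipConfigMap` are built and keep a single WARN there, or downgrade the per-call message to DEBUG. Sharing one `processed` set across all `automembershipIds` (per the "keep track of processed ids over all 'automembership' ids" comment) is correct for de-duplication only because the search key `groupId` is the same for every iteration; a short comment stating that invariant would stop a future change from reusing the set across different target groups.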
[jackrabbit-oak] branch trunk updated: OAK-10364 : Consolidate inheritance related automembership tests (subtask of OAK-10318 Improve AutoMembershipPrincipals#isInheritedMember)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 67189cff32 OAK-10364 : Consolidate inheritance related automembership tests (subtask of OAK-10318 Improve AutoMembershipPrincipals#isInheritedMember) 67189cff32 is described below commit 67189cff3285556d0fb314804d8539407321bb64 Author: angela AuthorDate: Fri Jul 21 10:27:54 2023 +0200 OAK-10364 : Consolidate inheritance related automembership tests (subtask of OAK-10318 Improve AutoMembershipPrincipals#isInheritedMember) --- ...membershipTest.java => AutoMembershipTest.java} | 247 +++-- .../external/impl/DynamicAutomembershipTest.java | 123 -- .../impl/principal/AbstractAutoMembershipTest.java | 6 + .../principal/AutoMembershipPrincipalsTest.java| 14 ++ .../impl/principal/AutoMembershipProviderTest.java | 19 +- 5 files changed, 115 insertions(+), 294 deletions(-) diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicAutomembershipTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/AutoMembershipTest.java similarity index 50% copy from oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicAutomembershipTest.java copy to oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/AutoMembershipTest.java index 2b7deebeac..d44a65e57e 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicAutomembershipTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/AutoMembershipTest.java 
@@ -16,85 +16,93 @@ */ package org.apache.jackrabbit.oak.spi.security.authentication.external.impl; -import org.apache.jackrabbit.api.security.user.User; -import org.apache.jackrabbit.guava.common.collect.Lists; import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.api.security.user.Group; -import org.apache.jackrabbit.oak.api.Tree; -import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup; -import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef; +import org.apache.jackrabbit.api.security.user.User; +import org.apache.jackrabbit.api.security.user.UserManager; +import org.apache.jackrabbit.guava.common.collect.Lists; +import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.spi.security.authentication.external.AbstractExternalAuthTest; +import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext; +import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult; +import org.apache.jackrabbit.oak.spi.security.authentication.external.TestIdentityProvider; import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig; +import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext; import org.jetbrains.annotations.NotNull; +import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.Parameterized; -import javax.jcr.RepositoryException; import javax.jcr.ValueFactory; import java.util.Collection; -import java.util.Iterator; -import java.util.stream.StreamSupport; -import static org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants.REP_EXTERNAL_ID; -import static org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; 
import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; -@RunWith(Parameterized.class) -public class DynamicAutomembershipTest extends DynamicSyncContextTest { +public @RunWith(Parameterized.class) +class AutoMembershipTest extends AbstractExternalAuthTest { @Parameterized.Parameters(name = "name={1}") public static Collection parameters() { return Lists.newArrayList( -new Object[] { false, "DynamicGroups=false" }, -new Object[] { true, "DynamicGroups=true" }); +new Object[]{true, "DynamicSync=true"}, +new Object[]{false, "DynamicSync=false"}); } - -private final boolean hasDynamicGroups; - + +private final boolean dynamicSync; +private Root r; +private UserManager userManager; private Group groupAutomembership; private Group userAutomembership;
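Review bot: In the `@@ -16,85 +16,93 @@` hunk the class declaration is written as `public @RunWith(Parameterized.class) class AutoMembershipTest`, i.e. the annotation sits between the `public` modifier and `class`; this compiles, since modifiers and annotations may be interleaved, but it is non-idiomatic and the `DynamicAutomembershipTest` it was copied from had the conventional `@RunWith(Parameterized.class)` on its own line above `public class`. Restore that layout. Also, with the parameter label renamed from `DynamicGroups` to `DynamicSync` the retained `@Parameterized.Parameters(name = "name={1}")` will render test names as `name=DynamicSync=true`; `name = "{1}"` reads better in reports.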
[jackrabbit-oak] branch trunk updated: OAK-10362: Create benchmark test (subtask of Improve AutoMembershipPrincipals#isInheritedMember)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new f7e3023516 OAK-10362: Create benchmark test (subtask of Improve AutoMembershipPrincipals#isInheritedMember) f7e3023516 is described below commit f7e3023516f453262e29a13fd8e10390918a4b88 Author: angela AuthorDate: Thu Jul 20 17:48:53 2023 +0200 OAK-10362: Create benchmark test (subtask of Improve AutoMembershipPrincipals#isInheritedMember) --- .../jackrabbit/oak/benchmark/BenchmarkRunner.java | 3 + .../external/AbstractExternalTest.java | 31 - .../external/AutoMembershipTest.java | 153 + 3 files changed, 180 insertions(+), 7 deletions(-) diff --git a/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java b/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java index fe9b8b621a..8dd12210f4 100644 --- a/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java +++ b/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/BenchmarkRunner.java @@ -28,6 +28,7 @@ import org.apache.jackrabbit.guava.common.util.concurrent.MoreExecutors; import joptsimple.OptionParser; import joptsimple.OptionSet; import org.apache.commons.io.FileUtils; +import org.apache.jackrabbit.oak.benchmark.authentication.external.AutoMembershipTest; import org.apache.jackrabbit.oak.benchmark.authentication.external.ExternalLoginTest; import org.apache.jackrabbit.oak.benchmark.authentication.external.ListIdentitiesTest; import org.apache.jackrabbit.oak.benchmark.authentication.external.PrincipalNameResolutionTest; 
@@ -456,6 +457,8 @@ public class BenchmarkRunner { benchmarkOptions.getNumberOfGroups().value(options), benchmarkOptions.getExpiration().value(options), benchmarkOptions.getRoundtripDelay().value(options)), new ListIdentitiesTest(benchmarkOptions.getNumberOfUsers().value(options)), +new AutoMembershipTest(benchmarkOptions.getNumberOfUsers().value(options), benchmarkOptions.getNumberOfGroups().value(options), + benchmarkOptions.getDynamicMembership().value(options), benchmarkOptions.getAutoMembership().values(options)), new BundlingNodeTest(), new PersistentCacheTest(statsProvider), new StringWriteTest(), diff --git a/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authentication/external/AbstractExternalTest.java b/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authentication/external/AbstractExternalTest.java index 8859f285b0..6bf4ccd662 100644 --- a/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authentication/external/AbstractExternalTest.java +++ b/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authentication/external/AbstractExternalTest.java @@ -41,7 +41,9 @@ import org.apache.jackrabbit.oak.fixture.JcrCreator; import org.apache.jackrabbit.oak.fixture.OakRepositoryFixture; import org.apache.jackrabbit.oak.fixture.RepositoryFixture; import org.apache.jackrabbit.oak.jcr.Jcr; +import org.apache.jackrabbit.oak.osgi.OsgiWhiteboard; import org.apache.jackrabbit.oak.security.internal.SecurityProviderBuilder; +import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup; import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity; 
@@ -63,6 +65,7 @@ import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.princ import org.apache.jackrabbit.oak.spi.security.principal.CompositePrincipalConfiguration; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl; +import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration; import org.apache.jackrabbit.oak.spi.security.user.UserConstants; import org.apache.jackrabbit.oak.spi.whiteboard.Whiteboard; import org.apache.jackrabbit.oak.spi.whiteboard.WhiteboardUtils; @@ -127,10 +130,18 @@ abstract class AbstractExternalTest extends AbstractTest { .setExpirationTime(expTime).setPathPrefix(PATH_PREFIX); syncConfig.group() .setExpirationTime(expTime).setPathPrefix(PATH_PREFIX); - +expandSyncConfig(); } protected abstract Configuration createConfiguration(); + +protected ConfigurationParameters getSecurityConfiguration() { +return ConfigurationParameters.EMPTY
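Review bot: The new `getSecurityConfiguration()` hook in `AbstractExternalTest` (hunk `@@ -127,10 +130,18 @@`) and the `expandSyncConfig()` call that replaces the blank line carry no javadoc; since these are the extension points the new `AutoMembershipTest` benchmark depends on, document what subclasses are expected to return (the default is `ConfigurationParameters.EMPTY`) and at which point `expandSyncConfig()` runs relative to the `syncConfig.user()`/`syncConfig.group()` setup that precedes it, so that overrides know the sync config is already populated when they are invoked.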
[jackrabbit-oak] branch trunk updated: OAK-10317 : Additional tests for dynamic automembership
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 4352bb31fe OAK-10317 : Additional tests for dynamic automembership 4352bb31fe is described below commit 4352bb31fe5ef74e8601ff1feb44d8f200bec303 Author: angela AuthorDate: Wed Jun 21 19:36:40 2023 +0200 OAK-10317 : Additional tests for dynamic automembership --- .../external/impl/DynamicAutomembershipTest.java | 208 +++-- 1 file changed, 191 insertions(+), 17 deletions(-) diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicAutomembershipTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicAutomembershipTest.java index 1daf9ca16d..2b7deebeac 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicAutomembershipTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicAutomembershipTest.java @@ -16,11 +16,13 @@ */ package org.apache.jackrabbit.oak.spi.security.authentication.external.impl; +import org.apache.jackrabbit.api.security.user.User; import org.apache.jackrabbit.guava.common.collect.Lists; import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.api.security.user.Group; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup; +import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef; import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig; import org.jetbrains.annotations.NotNull; import org.junit.Test; 
@@ -28,10 +30,12 @@ import org.junit.runner.RunWith; import org.junit.runners.Parameterized; import javax.jcr.RepositoryException; +import javax.jcr.ValueFactory; import java.util.Collection; import java.util.Iterator; import java.util.stream.StreamSupport; +import static org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants.REP_EXTERNAL_ID; import static org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; @@ -51,11 +55,16 @@ public class DynamicAutomembershipTest extends DynamicSyncContextTest { private final boolean hasDynamicGroups; -private Group group1; -private Group group2; -private Group group3; +private Group groupAutomembership; +private Group userAutomembership; +private Group userAutomembership2; private Group groupInherited; +// users/groups for additional tests that are only executed if dynamic groups are enabled. +private Group externalGroup; +private User externalUser; +private Group testGroup; + public DynamicAutomembershipTest(boolean hasDynamicGroups, @NotNull String name) { this.hasDynamicGroups = hasDynamicGroups; } 
@@ -64,24 +73,66 @@ public class DynamicAutomembershipTest extends DynamicSyncContextTest { public void before() throws Exception { super.before(); -group1 = userManager.getAuthorizable("group1", Group.class); -group2 = userManager.getAuthorizable("group2", Group.class); -group3 = userManager.getAuthorizable("group3", Group.class); +groupAutomembership = userManager.getAuthorizable("groupAutomembership", Group.class); +userAutomembership = userManager.getAuthorizable("userAutomembership1", Group.class); +userAutomembership2 = userManager.getAuthorizable("userAutomembership2", Group.class); groupInherited = userManager.createGroup("groupInherited"); -groupInherited.addMembers("group1", "group2"); +groupInherited.addMembers("groupAutomembership", "userAutomembership"); + +// setup for additional tests +if (hasDynamicGroups) { +assertNotNull(userAutomembership); +assertNotNull(groupAutomembership); +} + +ValueFactory vf = getValueFactory(r); +externalUser = userManager.createUser("externalUser", null); +externalUser.setProperty(REP_EXTERNAL_ID, vf.createValue(new ExternalIdentityRef("externalUser", idp.getName()).getString())); + +externalGroup = userManager.createGroup("externalGroup"); +externalGroup.setProperty(REP_EXTERNAL_ID, vf.createValue(new ExternalIdentityRef("extern
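Review bot: In the `@@ -64,24 +73,66 @@` hunk the comment on the new fields says they are for "additional tests that are only executed if dynamic groups are enabled", yet `externalUser` and `externalGroup` are created in `before()` for both parameter values; only the two `assertNotNull` calls are inside `if (hasDynamicGroups)`. Either move the creation under the same guard so the `DynamicGroups=false` run does not pay the setup cost, or adjust the comment. Separately, assertions inside a `@Before` method surface as errors rather than failures and hide which test was running; move `assertNotNull(userAutomembership)` and `assertNotNull(groupAutomembership)` into the tests that rely on those groups, or fail the setup with an explicit message.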
[jackrabbit-oak] branch trunk updated (e503b50d9d -> 142e4be8f7)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from e503b50d9d OAK-10284: switch oak-benchmarks to shaded guava (#972) add 142e4be8f7 OAK-10286 : AutoMembershipPrincipals.isInheritedMember add check for cyclic membership, OAK-10285 : MembershipProvider change log level to ERROR for cyclic membership (#971) No new revisions were added by this update. Summary of changes: .../impl/principal/AutoMembershipPrincipals.java | 12 ++- .../impl/principal/AutoMembershipCycleTest.java| 109 + .../oak/security/user/MembershipProvider.java | 2 +- 3 files changed, 120 insertions(+), 3 deletions(-) create mode 100644 oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipCycleTest.java
[jackrabbit-oak] 01/01: OAK-10286 : AutoMembershipPrincipals.isInheritedMember add check for cyclic membership, OAK-10285 : MembershipProvider change log level to ERROR for cyclic membership
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10286_OAK-10285 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 1ac567e59dadad7fe0a6eeacb24b9d26e75b8f13 Author: angela AuthorDate: Thu Jun 8 16:34:13 2023 +0200 OAK-10286 : AutoMembershipPrincipals.isInheritedMember add check for cyclic membership, OAK-10285 : MembershipProvider change log level to ERROR for cyclic membership --- .../impl/principal/AutoMembershipPrincipals.java | 12 ++- .../impl/principal/AutoMembershipCycleTest.java| 109 + .../oak/security/user/MembershipProvider.java | 2 +- 3 files changed, 120 insertions(+), 3 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java index f7f29c823d..fc9c664940 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipPrincipals.java 
@@ -127,15 +127,23 @@ final class AutoMembershipPrincipals { } boolean isInheritedMember(@NotNull String idpName, @NotNull Group group, @NotNull Authorizable authorizable) throws RepositoryException { +return isInheritedMember(idpName, group, authorizable, new HashSet<>()); +} + +boolean isInheritedMember(@NotNull String idpName, @NotNull Group group, @NotNull Authorizable authorizable, @NotNull Set processedIds) throws RepositoryException { String groupId = group.getID(); +if (!processedIds.add(groupId)) { +log.error("Cyclic group membership detected for group id {}", groupId); +return false; +} if (isMember(idpName, groupId, authorizable)) { return true; } - + Iterator declaredGroupMembers = Iterators.filter(group.getDeclaredMembers(), Authorizable::isGroup); while (declaredGroupMembers.hasNext()) { Group grMember = (Group) declaredGroupMembers.next(); -if (isInheritedMember(idpName, grMember, authorizable)) { +if (isInheritedMember(idpName, grMember, authorizable, processedIds)) { return true; } } diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipCycleTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipCycleTest.java new file mode 100644 index 00..60a088f821 --- /dev/null +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipCycleTest.java 
@@ -0,0 +1,109 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal; + +import org.apache.jackrabbit.api.security.user.Authorizable; +import org.apache.jackrabbit.api.security.user.Group; +import org.apache.jackrabbit.guava.common.collect.Iterators; +import org.jetbrains.annotations.NotNull; +import org.junit.Before; +import org.junit.Test; + +import javax.jcr.RepositoryException; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; +import java.util.Map; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.clearInvocations; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.never; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.verifyNoMoreInteractions; +import static org.mockito.Mockito.when; + +public class AutoMembershipCycleTest extends AbstractAutoMembershipTest { + +private AutoMembersh
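Review bot: In the `@@ -127,15 +127,23 @@` hunk of `AutoMembershipPrincipals.java` the `processedIds` guard treats any group reached a second time as a cycle: `if (!processedIds.add(groupId)) { log.error("Cyclic group membership detected for group id {}", groupId); return false; }`. Because the traversal descends into declared members and a group can legitimately be a declared member of several groups (a diamond such as the `everyone` group), a second visit is not evidence of a cycle, so this logs ERROR for well-formed membership graphs and the `return false` cuts off that branch even though the revisited group was already checked. Track cycles on the current recursion path (remove the id again when the call returns) and keep a separate visited set purely to skip repeated work silently. The new package-private overload `isInheritedMember(..., Set processedIds)` also lets callers inject a pre-populated set and suppress results; make it private or document that it must be a fresh, empty set.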
[jackrabbit-oak] branch OAK-10286_OAK-10285 created (now 1ac567e59d)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10286_OAK-10285 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at 1ac567e59d OAK-10286 : AutoMembershipPrincipals.isInheritedMember add check for cyclic membership, OAK-10285 : MembershipProvider change log level to ERROR for cyclic membership This branch includes the following new commits: new 1ac567e59d OAK-10286 : AutoMembershipPrincipals.isInheritedMember add check for cyclic membership, OAK-10285 : MembershipProvider change log level to ERROR for cyclic membership The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] branch trunk updated (e384b80d34 -> 0ccdf7ea8e)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from e384b80d34 OAK-10270 : document limitation in default perm evaluation regarding TreePermissionImpl.canRead(PropertyState) add 0ccdf7ea8e OAK-10271 : Fix dependencies on oak-exercise No new revisions were added by this update. Summary of changes: oak-exercise/pom.xml | 23 +++ 1 file changed, 23 insertions(+)
[jackrabbit-oak] branch trunk updated: OAK-10270 : document limitation in default perm evaluation regarding TreePermissionImpl.canRead(PropertyState)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new e384b80d34 OAK-10270 : document limitation in default perm evaluation regarding TreePermissionImpl.canRead(PropertyState) e384b80d34 is described below commit e384b80d344468700708cf7921ad0db15a165cc4 Author: angela AuthorDate: Tue Jun 6 17:49:45 2023 +0200 OAK-10270 : document limitation in default perm evaluation regarding TreePermissionImpl.canRead(PropertyState) --- .../site/markdown/security/permission/default.md | 45 ++ 1 file changed, 28 insertions(+), 17 deletions(-) diff --git a/oak-doc/src/site/markdown/security/permission/default.md b/oak-doc/src/site/markdown/security/permission/default.md index d27dc67b02..a5141f743f 100644 --- a/oak-doc/src/site/markdown/security/permission/default.md +++ b/oak-doc/src/site/markdown/security/permission/default.md @@ -15,23 +15,24 @@ limitations under the License. --> -Permissions : The Default Implementation - +# Permissions : The Default Implementation -### General Notes + + +## General Notes The default implementation of the `PermissionProvider` interface evaluates permissions based on the information stored in a dedicated part of the repository content call the [permission store](#permissionStore). -### Characteristics of the Permission Evaluation +## Characteristics of the Permission Evaluation - Regular Permission Evaluation +### Regular Permission Evaluation See section [Permission Evaluation in Detail](evaluation.html). - Readable Trees +### Readable Trees Oak 1.0 comes with a configurable set of subtrees that are read-accessible to all subjects irrespective of other access control content taking effect. The original 
@@ -48,7 +49,7 @@ option. However, it is important to note that many JCR API calls rely on the accessibility of the namespace, nodetype and privilege information. Removing the corresponding paths from the configuration will most probably have undesired effects. - Administrative Access +### Administrative Access In the default implementation following principals always have full access to the whole content repository (except for hidden items that are not exposed @@ -61,15 +62,15 @@ on the Oak API) irrespective of the access control content: evaluation and is currently not reflected in other security models nor methods that deal with the administrator (i.e. `User#isAdmin`). - Permission Evaluation in Multiplexed Stores +### Permission Evaluation in Multiplexed Stores See section [Multiplexing support in the PermissionStore](multiplexing.html). -### Representation in the Repository +## Representation in the Repository - Permission Store +### Permission Store The permission evaluation present with Oak 1.0 keeps a dedicated location where permissions are being stored for later evaluation. The store is kept in sync @@ -114,7 +115,7 @@ Each per path store looks as follows } } -# Accessing the Permission Store + Accessing the Permission Store It is important to understand that the permission store is a implementation specific structure that is maintained by the system itself. For this reason @@ -130,7 +131,7 @@ use the regular JCR and Jackrabbit permission and access control management API as listed in the [introduction](../permission.html#jcr_api) and in section [Using the Access Control Management API](../accesscontrol/editing.html). - Node Type Definitions +### Node Type Definitions For the permission store the following built-in node types have been defined: 
@@ -156,7 +157,7 @@ implementation (`VersionablePathHook`). - * (PATH) protected ABORT -### Validation +## Validation The consistency of this content structure is asserted by a dedicated `PermissionValidator`. The corresponding errors are all of type `Access` with the following codes: @@ -168,9 +169,9 @@ The corresponding errors are all of type `Access` with the following codes: | 0022 | Version storage: Removal of intermediate node | -### Configuration +## Configuration - Configuration Parameters +### Configuration Parameters The default implementation supports the following configuration parameters: @@ -181,12 +182,22 @@ The default implementation supports the following configuration parameters: | `PARAM_ADMINISTRATIVE_PRINCIPALS` | String[]| \- | The names of the additional principals that have full permission and for which the permission evaluation can be skipped altogether. | | | | | | -# Supported Values for PARAM_PERMISSIONS_JR2 + Supported Values for PARAM_PERMISSIONS_JR2 - `REMOVE_NODE`: if pres
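Review bot: the context line in hunk `@@ -15,23 +15,24 @@` reads "a dedicated part of the repository content call the [permission store]" and should be "called the [permission store]"; since this hunk already rewrites the surrounding heading lines, fix the typo in the same change.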
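Review bot: in hunk `@@ -114,7 +115,7 @@` the replacement for `-# Accessing the Permission Store` is `+ Accessing the Permission Store` with no heading marker, so as shown it will render as an ordinary paragraph rather than a sub-heading of `### Permission Store`; the same applies to `+ Supported Values for PARAM_PERMISSIONS_JR2` in hunk `@@ -181,12 +182,22 @@`. If these are meant to stay headings, use `####` consistently with the `##`/`###` levels introduced elsewhere in this patch.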
[jackrabbit-oak] branch trunk updated: OAK-10256 : Principal documentation does not mention GroupPrincipal
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 22eb54e4f8 OAK-10256 : Principal documentation does not mention GroupPrincipal 22eb54e4f8 is described below commit 22eb54e4f826c9520398010b4cc3ac20b2c75511 Author: angela AuthorDate: Tue May 23 11:03:14 2023 +0200 OAK-10256 : Principal documentation does not mention GroupPrincipal --- oak-doc/src/site/markdown/security/principal.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/oak-doc/src/site/markdown/security/principal.md b/oak-doc/src/site/markdown/security/principal.md index cd3da47856..29c5c6852e 100644 --- a/oak-doc/src/site/markdown/security/principal.md +++ b/oak-doc/src/site/markdown/security/principal.md @@ -34,12 +34,13 @@ extensions present with Jackrabbit API. The Jackrabbit API provides support for principal management (i.e. discovery) that are missing in JCR. The relevant interfaces are defined in the -`org.apache.jackrabbit.api.security.principal' package space: +[org.apache.jackrabbit.api.security.principal](https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/api/security/principal/package-summary.html) package space: - `PrincipalManager` - `PrincipalIterator` - `JackrabbitPrincipal` extends [Principal](http://docs.oracle.com/javase/7/docs/api/java/security/Principal.html) - `ItemBasedPrincipal` +- `GroupPrincipal` extends [Principal](http://docs.oracle.com/javase/7/docs/api/java/security/Principal.html) replacing the removed `java.security.acl.Group` (see [OAK-7024](https://issues.apache.org/jira/browse/OAK-7024)). Differences wrt Jackrabbit 2.x
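Review bot: the new `GroupPrincipal` list item explains that it replaces the removed `java.security.acl.Group`, yet both `Principal` links in the list point at the Java 7 Javadoc (`docs.oracle.com/javase/7/...`); since the removal is the reason the Oak type exists, consider linking `Principal` to a current JDK Javadoc so readers are not sent to a release where `java.security.acl.Group` still exists.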
[jackrabbit-oak] branch trunk updated: OAK-10245 : Document OAK-10173
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 1b07fcb454 OAK-10245 : Document OAK-10173 1b07fcb454 is described below commit 1b07fcb454e1dab5275800c8778a6532436a6bf6 Author: angela AuthorDate: Tue May 16 18:15:48 2023 +0200 OAK-10245 : Document OAK-10173 --- .../markdown/security/authentication/default.md| 10 ++-- oak-doc/src/site/markdown/security/user/default.md | 59 +- .../src/site/markdown/security/user/differences.md | 9 ++-- 3 files changed, 44 insertions(+), 34 deletions(-) diff --git a/oak-doc/src/site/markdown/security/authentication/default.md b/oak-doc/src/site/markdown/security/authentication/default.md index 771d2ee2e6..44535fd05f 100644 --- a/oak-doc/src/site/markdown/security/authentication/default.md +++ b/oak-doc/src/site/markdown/security/authentication/default.md @@ -158,7 +158,7 @@ With Oak 1.0 impersonation is implemented as follows: along with the current `AuthInfo` object. 3. these `ImpersonationCredentials` are passed to `Repository.login` -Whether or not impersonation succeeds consequently both depends on the authentication +If impersonation succeeds consequently both depends on the authentication setup and on some implementation specific validation that make sure the editing session is allowed to impersonate the user identified by the credentials passed to the impersonate call. 
@@ -170,23 +170,23 @@ with `ImpersonationCredentials` and applies the following logic: as long as the user is still valid (i.e. exists and has not been disabled). - **Regular Impersonation**: Impersonation another user will only succeed if the impersonated user is valid (i.e. exists and is not disabled) _and_ the - the user associated with the editing session is allowed to impersonate this + user associated with the editing session is allowed to impersonate this user. The latter depends on the [User Management](../user.html) implementation - specifically on the return value of `User.getImpersonation().allows(Subject subject)`. + specifically on the return value of `User.getImpersonation().allows(Subject subject)`. See [User Management : The Default Implementation](../user/default.html) for details. # ImpersonationCredentials Since the implementation of `Session.impersonate` no longer uses `SimpleCredentials` to transport the original `Subject` but rather performs the login with dedicated [ImpersonationCredentials], impersonation is no longer restricted to `SimpleCredentials` -being passed to `Session#impersonate` call. Instead the specified credentials are +being passed to `Session#impersonate` call. Instead, the specified credentials are passed to a new instance of `ImpersonationCredentials` delegating the evaluation and validation of the specified `Credentials` to the configured login module(s). This modification will not affect applications that used JCR API to impersonate a given session. Note however that applications relying on the Jackrabbit implementation and manually creating `SimpleCredentials` with a -`SecurityConstants.IMPERSONATOR_ATTRIBUTE`, would need to be refactor after +`SecurityConstants.IMPERSONATOR_ATTRIBUTE`, would need to be refactored after migration to Oak. # Impersonation with Custom Authentication Setup 
diff --git a/oak-doc/src/site/markdown/security/user/default.md b/oak-doc/src/site/markdown/security/user/default.md index 14deb362db..108f625d66 100644 --- a/oak-doc/src/site/markdown/security/user/default.md +++ b/oak-doc/src/site/markdown/security/user/default.md @@ -25,7 +25,7 @@ content repository. In contrast to Jackrabbit 2.x, which by default used a singl dedicated workspace for user/group data, this data will as of Oak 1.0 be stored separately for each JCR workspace. -Consequently the `UserManager` associated with the editing sessions, performs +Consequently, the `UserManager` associated with the editing sessions, performs all actions with this editing session. This corresponds to the behavior as defined the alternative implementation present with Jackrabbit 2.x ((see Jackrabbit 2.x `UserPerWorkspaceUserManager`). @@ -139,16 +139,24 @@ import. Other differences compared to Jackrabbit 2.x: Since Oak 1.1.0 the default user management and authentication implementation provides password expiry and initial password change. -By default these features are disabled. See section [Password Expiry and Force Initial Password Change](expiry.html) +By default, these features are disabled. See section [Password Expiry and Force Initial Password Change](expiry.html) for details. Password History Since Oak 1.3.3 the default user management implementation provides password -history support. By default this feature is disabled. +history support
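Review bot: hunk `@@ -158,7 +158,7 @@` in authentication/default.md turns a correct sentence into an ungrammatical one: `+If impersonation succeeds consequently both depends on the authentication` followed by `setup and on some implementation specific validation ...` no longer parses. The original "Whether or not impersonation succeeds ... depends" was the correct construction; if the goal is to shorten it, "Whether impersonation succeeds depends both on the authentication setup and on ..." keeps the meaning.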
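Review bot: hunk `@@ -170,23 +170,23 @@` fixes the duplicated "the the" but leaves the neighbouring context line `- **Regular Impersonation**: Impersonation another user will only succeed if` untouched; "Impersonating another user" is what is meant, and it is the same bullet this hunk is already editing.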
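Review bot: in hunk `@@ -25,7 +25,7 @@` of user/default.md the context lines carry a doubled parenthesis and a missing preposition: `defined the alternative implementation present with Jackrabbit 2.x ((see Jackrabbit 2.x` should read "as defined by the alternative implementation present with Jackrabbit 2.x (see Jackrabbit 2.x `UserPerWorkspaceUserManager`)". Worth fixing while the comma in the preceding line is being adjusted.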
[jackrabbit-oak] branch trunk updated: OAK-10246 : Minor cleanup of unused imports, indention and whitespace
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new d92d6cba58 OAK-10246 : Minor cleanup of unused imports, indention and whitespace d92d6cba58 is described below commit d92d6cba582e657f5641bbf35ed3ca0410f6a546 Author: angela AuthorDate: Tue May 16 17:04:05 2023 +0200 OAK-10246 : Minor cleanup of unused imports, indention and whitespace --- .../org/apache/jackrabbit/oak/spi/security/user/UserConstants.java| 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserConstants.java b/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserConstants.java index 55fc4ac4e9..38773e8063 100644 --- a/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserConstants.java +++ b/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserConstants.java @@ -19,8 +19,6 @@ package org.apache.jackrabbit.oak.spi.security.user; import java.util.Collection; import org.apache.jackrabbit.guava.common.collect.ImmutableSet; -import java.util.Collection; - /** * User management related constants. Please note that all names and paths * are OAK names/paths and therefore are not suited to be used in JCR context @@ -81,6 +79,8 @@ public interface UserConstants { /** * Configuration option defining the names of the impersonatorPrincipals field. + * @since Oak 1.54.0 + * @see https://issues.apache.org/jira/browse/OAK-10173;>OAK-10173 */ String PARAM_IMPERSONATOR_PRINCIPAL_NAMES = "impersonatorPrincipals";
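Review bot: the `@see` tag added in hunk `@@ -81,6 +79,8 @@` is not a valid Javadoc reference as shown: `* @see https://issues.apache.org/jira/browse/OAK-10173;>OAK-10173` has no well-formed anchor element around the URL. Javadoc expects either a program element or a complete `<a href="...">label</a>` after `@see`, and `-Xdoclint` will reject the fragment; the `@since Oak 1.54.0` line above it is fine.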
[jackrabbit-oak] branch trunk updated: OAK-10246 : Minor cleanup of unused imports, indention and whitespace
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 8c73d8217e OAK-10246 : Minor cleanup of unused imports, indention and whitespace 8c73d8217e is described below commit 8c73d8217e649d28cf1c3825a095b038c0b434e9 Author: angela AuthorDate: Tue May 16 16:54:56 2023 +0200 OAK-10246 : Minor cleanup of unused imports, indention and whitespace --- .../oak/security/user/ImpersonationImpl.java | 9 ++- .../apache/jackrabbit/oak/security/user/Utils.java | 38 ++-- .../oak/security/user/ImpersonationTestUtil.java | 24 .../jackrabbit/oak/security/user/UtilsTest.java| 70 +- 4 files changed, 92 insertions(+), 49 deletions(-) diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java index 11b704fed4..cedbe6f7f3 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java @@ -19,7 +19,6 @@ package org.apache.jackrabbit.oak.security.user; import org.apache.jackrabbit.api.security.principal.PrincipalIterator; import org.apache.jackrabbit.api.security.principal.PrincipalManager; import org.apache.jackrabbit.api.security.user.Authorizable; -import org.apache.jackrabbit.api.security.user.Group; import org.apache.jackrabbit.api.security.user.Impersonation; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; @@ -37,7 +36,6 @@ import javax.jcr.RepositoryException; import javax.security.auth.Subject; import java.security.Principal; import java.util.HashSet; -import java.util.Iterator; import java.util.Set; import static org.apache.jackrabbit.oak.api.Type.STRINGS; 
@@ -131,9 +129,10 @@ class ImpersonationImpl implements Impersonation, UserConstants { Set principals = subject.getPrincipals(); Set principalNames = new HashSet<>(); for (Principal principal : principals) { -principalNames.add(principal.getName()); +principalNames.add(principal.getName()); } +// OAK-10173 : short-cut if the subject contains any of the configured principal names that can impersonate all users if (isImpersonator(principalNames)){ return true; } @@ -158,7 +157,7 @@ class ImpersonationImpl implements Impersonation, UserConstants { } @NotNull -private Set getImpersonatorNames(@NotNull Tree userTree) { +private static Set getImpersonatorNames(@NotNull Tree userTree) { Set princNames = new HashSet<>(); PropertyState impersonators = userTree.getProperty(REP_IMPERSONATORS); if (impersonators != null) { @@ -169,7 +168,7 @@ class ImpersonationImpl implements Impersonation, UserConstants { return princNames; } -private void updateImpersonatorNames(@NotNull Tree userTree, @NotNull Set principalNames) { +private static void updateImpersonatorNames(@NotNull Tree userTree, @NotNull Set principalNames) { if (principalNames.isEmpty()) { userTree.removeProperty(REP_IMPERSONATORS); } else { diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/Utils.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/Utils.java index bad5b562c9..f0b4af1ac2 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/Utils.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/Utils.java 
@@ -58,10 +58,10 @@ public final class Utils { * * @param relativePathA relative OAK path that may contain parent and *current elements. - * @param primaryTypeName A oak name of a primary node type that is used + * @param primaryTypeName An oak name of a primary node type that is used *to create the missing trees. * @return The node util of the tree at the specified {@code relativePath}. - * @throws AccessDeniedException If the any intermediate tree does not exist + * @throws AccessDeniedException If the intermediate tree does not exist * and cannot be created. */ @NotNull @@ -99,7 +99,7 @@ public final class Utils { /** * Return {@code true} if the given principal can impersonate all users. * The implementation tests if the given principal refers to an existing {@code User} for which {@link User#isAdmin()} - * returns {@code true} OR if the user contains a principal name configured to impersonate all users. + * returns {@code true} OR if the user's principal
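Review bot: in the Utils.java hunk `@@ -58,10 +58,10 @@` the rewritten `@throws` text `If the intermediate tree does not exist` narrows the original meaning; the method creates all missing intermediate trees along `relativePath`, so "If any intermediate tree does not exist and cannot be created" (dropping only the stray "the") is the accurate wording. "An oak name" in the `@param` fix is correct.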
[jackrabbit-oak] branch trunk updated: OAK-10173 : Allow configured principals to impersonate any user
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new fc3994ec17 OAK-10173 : Allow configured principals to impersonate any user fc3994ec17 is described below commit fc3994ec17869cda76e5dda7b36afb9f3946fa8d Author: Antoniu Neacsu AuthorDate: Tue May 16 13:23:16 2023 +0300 OAK-10173 : Allow configured principals to impersonate any user Co-authored-by: Antoniu Neacsu Co-authored-by: Cristian Brande --- .../oak/security/user/ImpersonationImpl.java | 43 +++--- .../oak/security/user/UserConfigurationImpl.java | 8 ++ .../apache/jackrabbit/oak/security/user/Utils.java | 80 - .../oak/security/user/ImpersonationImplTest.java | 31 +++ .../oak/security/user/ImpersonationTestUtil.java | 99 ++ .../jackrabbit/oak/security/user/UtilsTest.java| 72 .../org.mockito.plugins.MockMaker | 16 .../oak/spi/security/user/UserConstants.java | 8 +- .../oak/spi/security/user/package-info.java| 2 +- 9 files changed, 342 insertions(+), 17 deletions(-) diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java index 867cdbaffe..11b704fed4 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java 
@@ -16,15 +16,10 @@ */ package org.apache.jackrabbit.oak.security.user; -import java.security.Principal; -import java.util.HashSet; -import java.util.Set; -import javax.jcr.RepositoryException; -import javax.security.auth.Subject; - import org.apache.jackrabbit.api.security.principal.PrincipalIterator; import org.apache.jackrabbit.api.security.principal.PrincipalManager; import org.apache.jackrabbit.api.security.user.Authorizable; +import org.apache.jackrabbit.api.security.user.Group; import org.apache.jackrabbit.api.security.user.Impersonation; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; @@ -38,6 +33,13 @@ import org.jetbrains.annotations.NotNull; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import javax.jcr.RepositoryException; +import javax.security.auth.Subject; +import java.security.Principal; +import java.util.HashSet; +import java.util.Iterator; +import java.util.Set; + import static org.apache.jackrabbit.oak.api.Type.STRINGS; /** @@ -126,15 +128,20 @@ class ImpersonationImpl implements Impersonation, UserConstants { return false; } +Set principals = subject.getPrincipals(); Set principalNames = new HashSet<>(); -for (Principal principal : subject.getPrincipals()) { -principalNames.add(principal.getName()); +for (Principal principal : principals) { +principalNames.add(principal.getName()); +} + +if (isImpersonator(principalNames)){ +return true; } boolean allows = getImpersonatorNames().removeAll(principalNames); if (!allows) { // check if subject belongs to administrator user -for (Principal principal : subject.getPrincipals()) { +for (Principal principal : principals) { if (isAdmin(principal)) { allows = true; break; 
@@ -173,11 +180,23 @@ class ImpersonationImpl implements Impersonation, UserConstants { private boolean isAdmin(@NotNull Principal principal) { if (principal instanceof AdminPrincipal) { return true; -} else if (GroupPrincipals.isGroup(principal)) { +} +if (GroupPrincipals.isGroup(principal)) { +return false; +} +return Utils.isAdmin(principal, user.getUserManager()); +} + +private boolean isImpersonator(@NotNull Set principalNames) { +Set impersonatorPrincipals = Set.of(user.getUserManager().getConfig().getConfigValue( +PARAM_IMPERSONATOR_PRINCIPAL_NAMES, +new String[]{})); + +if (impersonatorPrincipals.isEmpty()) { return false; -} else { -return Utils.canImpersonateAllUsers(principal, user.getUserManager()); } +return principalNames.stream() +.anyMatch(impersonatorPrincipals::contains); } private boolean isValidPrincipal(@NotNull Principal principal) { diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java index 368aafaf1a..06696dc4a6
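Review bot: in hunk `@@ -126,15 +128,20 @@` the new short-cut `if (isImpersonator(principalNames)){ return true; }` runs before the per-user `getImpersonatorNames().removeAll(principalNames)` check and before `isAdmin`, and `principalNames` is built from every principal in the subject, group principals included. Two consequences should be stated in the Javadoc of `PARAM_IMPERSONATOR_PRINCIPAL_NAMES`: a configured name that matches a group's principal name makes every member of that group an impersonator of all users, and there is no per-user way to exclude a target (including admin users) from a configured impersonator.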
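Review bot: in hunk `@@ -173,11 +180,23 @@` the new `isImpersonator` builds the configured set with `Set.of(user.getUserManager().getConfig().getConfigValue(PARAM_IMPERSONATOR_PRINCIPAL_NAMES, new String[]{}))`; `Set.of` throws `IllegalArgumentException` on a duplicate entry and `NullPointerException` on a null entry, so a sloppy configuration value turns every `allows` call into an exception rather than a denied impersonation. Prefer `new HashSet<>(Arrays.asList(...))` (or validate once at configuration time), and consider reading the configuration once instead of on every `allows(Subject)` call.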
[jackrabbit-oak] branch trunk updated: OAK-10223 : Introduce constant for the 'do-create-token' marker value
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 48b88f1d8b OAK-10223 : Introduce constant for the 'do-create-token' marker value 48b88f1d8b is described below commit 48b88f1d8b02cdbcbfac8172827bc6bb980c061f Author: angela AuthorDate: Wed May 3 12:08:13 2023 +0200 OAK-10223 : Introduce constant for the 'do-create-token' marker value --- .../external/impl/principal/ExternalUserValidatorTest.java | 3 ++- .../oak/security/authentication/token/TokenProviderImpl.java | 7 +++ .../security/authentication/token/TestCredentialsSupport.java | 2 +- .../authentication/token/TokenConfigurationImplOSGiTest.java | 2 +- .../authentication/token/TokenConfigurationImplTest.java | 7 --- .../token/TokenLoginModuleCredentialsSupportTest.java | 3 ++- .../security/authentication/token/TokenLoginModuleTest.java| 10 ++ .../security/authentication/token/TokenProviderImplTest.java | 4 ++-- .../oak/spi/security/authentication/token/TokenConstants.java | 6 ++ .../oak/spi/security/authentication/token/package-info.java| 2 +- 10 files changed, 28 insertions(+), 18 deletions(-) diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalUserValidatorTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalUserValidatorTest.java index 164dffdb49..66bcc6b2e4 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalUserValidatorTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalUserValidatorTest.java 
@@ -70,6 +70,7 @@ import static org.apache.jackrabbit.JcrConstants.MIX_VERSIONABLE; import static org.apache.jackrabbit.JcrConstants.NT_UNSTRUCTURED; import static org.apache.jackrabbit.oak.spi.security.authentication.external.TestIdentityProvider.ID_SECOND_USER; import static org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConstants.TOKENS_NODE_NAME; +import static org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConstants.TOKEN_ATTRIBUTE_DO_CREATE; import static org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_READ; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; @@ -349,7 +350,7 @@ public class ExternalUserValidatorTest extends ExternalLoginTestBase { // force creation of login token SimpleCredentials sc = new SimpleCredentials(USER_ID, "".toCharArray()); -sc.setAttribute(TokenConstants.TOKEN_ATTRIBUTE, ""); +sc.setAttribute(TokenConstants.TOKEN_ATTRIBUTE, TOKEN_ATTRIBUTE_DO_CREATE); getContentRepository().login(sc, null).close(); root.refresh(); diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java index b6fa651d16..ca42d386fa 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java @@ -42,7 +42,6 @@ import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.namepath.NamePathMapper; -import org.apache.jackrabbit.oak.namepath.PathMapper; import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManager; import org.apache.jackrabbit.oak.plugins.tree.TreeAware; import org.apache.jackrabbit.oak.spi.namespace.NamespaceConstants; 
@@ -147,11 +146,11 @@ class TokenProviderImpl implements TokenProvider, TokenConstants { /** * Returns {@code true} if {@code SimpleCredentials} can be extracted from * the specified credentials object and that simple credentials object has - * a {@link #TOKEN_ATTRIBUTE} attribute with an empty value. + * a {@link #TOKEN_ATTRIBUTE} attribute with an {@link #TOKEN_ATTRIBUTE_DO_CREATE empty value}. * * @param credentials The current credentials. * @return {@code true} if the specified credentials or those extracted from - * {@link ImpersonationCredentials} are supported and and if the (extracted) + * {@link ImpersonationCredentials} are supported and if the (extracted) * credentials object contain a {@link #TOKEN_ATTRIBUTE} attribute with an * empty value; {@code false} otherwise. */ @@ -162,7 +161,7 @@ cla
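Review bot: in the TokenProviderImpl Javadoc hunk `@@ -147,11 +146,11 @@` only the first sentence was updated; the `@return` text still says `credentials object contain a {@link #TOKEN_ATTRIBUTE} attribute with an` / `empty value`, and the new link label `{@link #TOKEN_ATTRIBUTE_DO_CREATE empty value}` hard-codes what the constant currently holds. Since the point of the change is to stop relying on the literal `""`, word both places as "with the {@link #TOKEN_ATTRIBUTE_DO_CREATE} marker value".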
[jackrabbit-oak] branch trunk updated: OAK-10200 : CompositeAccessControlManager.getEffectivePolicies(String) should filter duplicate policies
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 63b4ddb9d1 OAK-10200 : CompositeAccessControlManager.getEffectivePolicies(String) should filter duplicate policies 63b4ddb9d1 is described below commit 63b4ddb9d173b766ed4e23e3bc6150d721c768cb Author: angela AuthorDate: Thu Apr 20 17:14:10 2023 +0200 OAK-10200 : CompositeAccessControlManager.getEffectivePolicies(String) should filter duplicate policies --- .../authorization/composite/CompositeAccessControlManager.java | 3 +-- .../composite/CompositeAccessControlManagerTest.java | 10 ++ .../security/internal/SecurityProviderRegistrationTest.java| 6 -- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java index 202ff0e611..24cc670463 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java @@ -98,8 +98,7 @@ class CompositeAccessControlManager extends AbstractAccessControlManager { break; } } -List l = policies.build(); -return l.toArray(new AccessControlPolicy[0]); +return policies.build().stream().distinct().toArray(AccessControlPolicy[]::new); } @Override diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java index b858ff181e..a7d7514e1e 100644 
--- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java @@ -194,6 +194,16 @@ public class CompositeAccessControlManagerTest extends AbstractSecurityTest { assertEquals(1, acMgr.getEffectivePolicies(child.getPath()).length); } +@Test +public void testGetEffectivePoliciesFiltersDuplicates() throws Exception { +TestAcMgr test = new TestAcMgr(); +test.hasPolicy = true; + +// create a composite that would result in duplicate effective policies +AccessControlManager composite = createComposite(test, test); +assertEquals(1, composite.getEffectivePolicies(TEST_PATH).length); +} + @Test public void testSetPolicyAtRoot() throws Exception { AccessControlPolicyIterator it = acMgr.getApplicablePolicies("/"); diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistrationTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistrationTest.java index 23d66cd93f..78449a5626 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistrationTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistrationTest.java 
@@ -56,6 +56,7 @@ import org.apache.jackrabbit.oak.spi.security.authentication.LoginModuleStatsCol import org.apache.jackrabbit.oak.spi.security.authentication.token.CompositeTokenConfiguration; import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConfiguration; import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; +import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ReadPolicy; import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregationFilter; import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; @@ -1019,9 +1020,10 @@ public class SecurityProviderRegistrationTest extends AbstractSecurityTest { AggregatedPermissionProvider pp = mock(AggregatedPermissionProvider.class); JackrabbitAccessControlManager acMgr = mock(JackrabbitAccessControlManager.class); +// make sure different policies are returned for subsequent calls of the aggregated configurations AccessControlPolicy policy = mock(AccessControlPolicy.class); -when(acMgr.getEffectivePolicies(anyString())).thenReturn(new AccessControlPolicy[] {policy}); -when(acMgr.getEffectivePolicies(any(Set.class))).thenReturn(new AccessCon
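Review bot: in hunk `@@ -98,8 +98,7 @@` the de-duplication `return policies.build().stream().distinct().toArray(AccessControlPolicy[]::new);` relies on `equals`/`hashCode` of the `AccessControlPolicy` implementations. The new test passes because `createComposite(test, test)` aggregates the same `TestAcMgr` instance and so yields the same policy object; two aggregated managers that return equal-by-content policies without an `equals` override will still produce duplicates, and implementations that do override `equals` may collapse policies the caller considers distinct. State the identity-based contract in the method Javadoc, and add a test with two separate manager instances to pin the intended behaviour.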
[jackrabbit-oak] branch trunk updated: OAK-10188 : Document OAK-10130 JackrabbitAccessControlManager.getEffectivePolicies(Set,String...)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 7f0e7f77bf OAK-10188 : Document OAK-10130 JackrabbitAccessControlManager.getEffectivePolicies(Set,String...) 7f0e7f77bf is described below commit 7f0e7f77bf845ac4b59d867835e55d58939fd7e9 Author: angela AuthorDate: Fri Apr 14 11:15:12 2023 +0200 OAK-10188 : Document OAK-10130 JackrabbitAccessControlManager.getEffectivePolicies(Set,String...) --- .../src/site/markdown/security/accesscontrol.md| 55 +++ .../markdown/security/accesscontrol/editing.md | 172 +++-- 2 files changed, 142 insertions(+), 85 deletions(-) diff --git a/oak-doc/src/site/markdown/security/accesscontrol.md b/oak-doc/src/site/markdown/security/accesscontrol.md index bb29242511..a86ecebc80 100644 --- a/oak-doc/src/site/markdown/security/accesscontrol.md +++ b/oak-doc/src/site/markdown/security/accesscontrol.md 
@@ -20,13 +20,9 @@ Access Control Management ### General -This section covers fundamental concepts of the access control related APIs provided -by JCR and Jackrabbit as well as the extensions points defined by Oak. +This section covers fundamental concepts of the access control related APIs provided by JCR and Jackrabbit as well as the extensions points defined by Oak. -If you are already familiar with the API and looking for examples you may directly -read [Using the Access Control Management API](accesscontrol/editing.html) for -a comprehensive list of method calls as well as examples that may be used to -edit the access control content of the repository. +If you are already familiar with the API and looking for examples you may directly read [Using the Access Control Management API](accesscontrol/editing.html) for a comprehensive list of method calls as well as examples that may be used to edit the access control content of the repository. ### JCR API 
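Review bot: the rewritten first paragraph keeps the typo "the extensions points defined by Oak"; since the line is being replaced anyway, make it "extension points". Separately, collapsing every wrapped paragraph onto a single line in this and the following hunks is a whitespace-only change that buries the actual documentation of `getEffectivePolicies(Set,String...)` from OAK-10130 in a large reflow diff; keeping the reflow in its own commit would make the API documentation reviewable on its own.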
@@ -37,12 +33,9 @@ Access Control Management is an optional feature defined by [JSR 283] consisting > > • Assigning access control policies: Setting the privileges that a user has > in relation to a node using access control policies specific to the > implementation. -Whether or not a given implementation supports access control management is defined -by the `Repository.OPTION_ACCESS_CONTROL_SUPPORTED` descriptor. +Whether a given implementation supports access control management is defined by the `Repository.OPTION_ACCESS_CONTROL_SUPPORTED` descriptor. -Since Oak comes with a dedicated [privilege management](privilege.html) this section -focuses on reading and editing access control information. The main interfaces defined -by JSR 283 are: +Since Oak comes with a dedicated [privilege management](privilege.html) this section focuses on reading and editing access control information. The main interfaces defined by JSR 283 are: - `AccessControlManager`: Main entry point for access control related operations - `AccessControlPolicy`: Marker interface for any kind of policies defined by the implementation. 
@@ -55,19 +48,18 @@ The JCR access control management has the following characteristics: - *path-based*: policies are bound to nodes; a given node may have multiple policies; the `null` path identifies repository level policies. - *transient*: access control related modifications are always transient - *binding*: policies are decoupled from the repository; in order to bind a policy to a node or apply modifications made to an existing policy `AccessControlManager.setPolicy` must be called. -- *effect*: policies bound to a given node only take effect upon `Session.save()`. Access to properties is defined by the their parent node. +- *effect*: policies bound to a given node only take effect upon `Session.save()`. Access to properties is defined by their parent node. - *scope*: a given policy may not only affect the node it is bound to but may have an effect on accessibility of items elsewhere in the workspace. ### Jackrabbit API -The Jackrabbit API defines various access control related extensions to the -JCR API in order to cover common needs such as for example: +The Jackrabbit API defines various access control related extensions to the JCR API in order to cover common needs such as for example: - *deny access*: access control entries can be defined to deny privileges at a given path (JCR only defines allowing access control entries) - *restrictions*: limit the effect of a given access control entry by the mean of restrictions - *convenience*: -- reordering of access control entries in a access control list +- reordering of access control entries in an access control list - retrieve the path of the node a given policy is (or can be) bound to - *principal-based*: - principal-based access contro
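Review bot: the unchanged *restrictions* bullet still reads "limit the effect of a given access control entry by the mean of restrictions"; while adjacent lines are being touched, correct it to "by means of restrictions". The fix of "the their" in the *effect* bullet is good; consider also spelling out the rule it states, for example "access to a property is governed by the policies effective at its parent node", since that is the behaviour readers of this section need to know.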
[jackrabbit-oak] branch trunk updated: OAK-10130 : Add API to retrieve effective policies for a set of principals for a given path (#895)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 992df295fe OAK-10130 : Add API to retrieve effective policies for a set of principals for a given path (#895) 992df295fe is described below commit 992df295fed9fc8ced45b07392fc0bdc6f59c6b1 Author: anchela AuthorDate: Fri Apr 14 07:59:14 2023 +0200 OAK-10130 : Add API to retrieve effective policies for a set of principals for a given path (#895) * OAK-10130 : Add API to retrieve effective policies for a set of principals for a given path * OAK-10130 : Add API to retrieve effective policies for a set of principals for a given path --- .../cug/impl/CugAccessControlManager.java | 62 ++- .../authorization/cug/impl/AbstractCugTest.java| 13 ++ .../cug/impl/CugAccessControlManagerTest.java | 104 ++- .../impl/PrincipalBasedAccessControlManager.java | 36 +++- .../principalbased/impl/PrincipalPolicyImpl.java | 27 ++- .../impl/AccessControlManagerLimitedUserTest.java | 22 +++ .../PrincipalBasedAccessControlManagerTest.java| 60 ++ .../impl/PrincipalPolicyImplTest.java | 68 ++- .../accesscontrol/AccessControlManagerImpl.java| 116 +--- .../composite/CompositeAccessControlManager.java | 19 ++ .../EffectivePoliciesByPrincipalsAndPathsTest.java | 205 + .../CompositeAccessControlManagerTest.java | 27 +++ .../security/JackrabbitAccessControlManager.java | 43 + .../jackrabbit/api/security/package-info.java | 2 +- .../JackrabbitAccessControlManagerDelegator.java | 14 ++ ...ackrabbitAccessControlManagerDelegatorTest.java | 10 + .../AbstractAccessControlManager.java | 17 ++ .../authorization/accesscontrol/package-info.java | 2 +- .../AbstractAccessControlManagerTest.java | 29 +++ 19 files changed, 819 insertions(+), 57 deletions(-) 
diff --git a/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java b/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java index de8d73f3b2..0d355151f8 100644 --- a/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java +++ b/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java @@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl; import com.google.common.collect.ImmutableSet; import com.google.common.collect.Iterables; +import com.google.common.collect.Iterators; import com.google.common.collect.Sets; import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy; import org.apache.jackrabbit.api.security.principal.PrincipalManager; @@ -38,6 +39,7 @@ import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.Abstra import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner; import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude; import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl; @@ -55,6 +57,8 @@ import javax.jcr.security.Privilege; import java.security.Principal; import java.util.ArrayList; import java.util.Collections; +import java.util.HashSet; +import java.util.Iterator; import java.util.LinkedList; import java.util.List; import java.util.Queue; 
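Review bot: avoid adding a new Guava dependency (`com.google.common.collect.Iterators`) to `CugAccessControlManager` here: with OAK-10175 narrowing the supported Guava range and OAK-10176 switching to oak-shaded-guava on trunk at the same time, new Guava usage in this bundle is exactly what those changes are trying to contain, and `java.util.Iterator` plus `Collections.emptyIterator()` would cover the cases an `Iterator`-returning overload needs. Also make sure the newly imported `PermissionProvider` and `HashSet` are actually used by code that survives the final version, since neither is referenced in this hunk.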
@@ -128,15 +132,7 @@ class CugAccessControlManager extends AbstractAccessControlManager implements Cu if (enabled) { Root r = getLatestRoot(); List effective = new ArrayList<>(); -while (oakPath != null) { -if (CugUtil.isSupportedPath(oakPath, supportedPaths)) { -CugPolicy cug = getCugPolicy(oakPath, r.getTree(oakPath), true); -if (cug != null) { -effective.add(cug); -} -} -oakPath = (PathUtils.denotesRoot(oakPath)) ? null : PathUtils.getAncestorPath(oakPath, 1); -} +collectEffectiveCugs(oakPath, r, effective, new HashSet<>()); return effective.toArray(new AccessControlPolicy[0]); } else { return new AccessControlPolicy[0]; @@ -229,7 +225,7 @@ class CugAccessControlMan
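Review bot: the replacement `collectEffectiveCugs(oakPath, r, effective, new HashSet<>())` hides three things the removed loop made explicit at this call site, and none of them is visible in this hunk: the `CugUtil.isSupportedPath(oakPath, supportedPaths)` check before any tree is read, termination at the root via `PathUtils.denotesRoot`, and the order in which policies are collected (the loop added them from the target path upward, so `effective` was nearest-first). Please confirm the helper preserves all three and add a test asserting that a CUG stored at an ancestor outside `supportedPaths` is still not reported as effective, because that check is what excludes CUGs outside the supported paths from taking effect.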
[jackrabbit-oak] branch OAK-10130 updated (f42e32af2e -> 33620774a1)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10130 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from f42e32af2e OAK-10130 : Add API to retrieve effective policies for a set of principals for a given path add 33620774a1 OAK-10130 : Add API to retrieve effective policies for a set of principals for a given path No new revisions were added by this update. Summary of changes: .../composite/CompositeAccessControlManager.java | 19 +++ .../CompositeAccessControlManagerTest.java | 27 ++ .../JackrabbitAccessControlManagerDelegator.java | 14 +++ ...ackrabbitAccessControlManagerDelegatorTest.java | 10 4 files changed, 70 insertions(+)
[jackrabbit-oak] 01/01: OAK-10130 : Add API to retrieve effective policies for a set of principals for a given path
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10130 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit f42e32af2e65dfb8add4fa5c4624f22f98bdc5de Author: angela AuthorDate: Tue Apr 11 16:02:49 2023 +0200 OAK-10130 : Add API to retrieve effective policies for a set of principals for a given path --- .../cug/impl/CugAccessControlManager.java | 62 ++- .../authorization/cug/impl/AbstractCugTest.java| 13 ++ .../cug/impl/CugAccessControlManagerTest.java | 104 ++- .../impl/PrincipalBasedAccessControlManager.java | 36 +++- .../principalbased/impl/PrincipalPolicyImpl.java | 27 ++- .../impl/AccessControlManagerLimitedUserTest.java | 22 +++ .../PrincipalBasedAccessControlManagerTest.java| 60 ++ .../impl/PrincipalPolicyImplTest.java | 68 ++- .../accesscontrol/AccessControlManagerImpl.java| 116 +--- .../EffectivePoliciesByPrincipalsAndPathsTest.java | 205 + .../security/JackrabbitAccessControlManager.java | 43 + .../jackrabbit/api/security/package-info.java | 2 +- .../AbstractAccessControlManager.java | 17 ++ .../authorization/accesscontrol/package-info.java | 2 +- .../AbstractAccessControlManagerTest.java | 29 +++ 15 files changed, 749 insertions(+), 57 deletions(-) diff --git a/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java b/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java index de8d73f3b2..0d355151f8 100644 --- a/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java +++ b/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java 
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl; import com.google.common.collect.ImmutableSet; import com.google.common.collect.Iterables; +import com.google.common.collect.Iterators; import com.google.common.collect.Sets; import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy; import org.apache.jackrabbit.api.security.principal.PrincipalManager; @@ -38,6 +39,7 @@ import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.Abstra import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner; import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude; import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl; @@ -55,6 +57,8 @@ import javax.jcr.security.Privilege; import java.security.Principal; import java.util.ArrayList; import java.util.Collections; +import java.util.HashSet; +import java.util.Iterator; import java.util.LinkedList; import java.util.List; import java.util.Queue; @@ -128,15 +132,7 @@ class CugAccessControlManager extends AbstractAccessControlManager implements Cu if (enabled) { Root r = getLatestRoot(); List effective = new ArrayList<>(); -while (oakPath != null) { -if (CugUtil.isSupportedPath(oakPath, supportedPaths)) { -CugPolicy cug = getCugPolicy(oakPath, r.getTree(oakPath), true); -if (cug != null) { -effective.add(cug); -} -} -oakPath = (PathUtils.denotesRoot(oakPath)) ? null : PathUtils.getAncestorPath(oakPath, 1); -} +collectEffectiveCugs(oakPath, r, effective, new HashSet<>()); return effective.toArray(new AccessControlPolicy[0]); } else { return new AccessControlPolicy[0]; 
@@ -229,7 +225,7 @@ class CugAccessControlManager extends AbstractAccessControlManager implements Cu @NotNull @Override public AccessControlPolicy[] getEffectivePolicies(@NotNull Set principals) { -if (!config.getConfigValue(CugConstants.PARAM_CUG_ENABLED, false)) { +if (!config.getConfigValue(CugConstants.PARAM_CUG_ENABLED, false) || principals.isEmpty()) { return new AccessControlPolicy[0]; } Root r = getLatestRoot(); @@ -251,6 +247,30 @@ class CugAccessControlManager extends AbstractAccessControlManager implements Cu } } +@Override +public @NotNull Iterator getEffectivePolicies(@NotNull Set principals, @Nullable String... absP
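Review bot: the new `principals.isEmpty()` short-circuit in `getEffectivePolicies(Set)` is right, but the new overload `getEffectivePolicies(@NotNull Set principals, @Nullable String... absPaths)` declared below it needs the same guard and a documented meaning for the `@Nullable` varargs: callers may pass no arguments (empty array), an explicit `null` array, or an array containing `null` elements, and `null` is also the JCR convention for the repository-level path, so state which of these are accepted and add a test for each. Returning an `Iterator` instead of the `AccessControlPolicy[]` used by the other overloads also deserves a javadoc note on laziness, i.e. whether the result reflects `getLatestRoot()` at call time or at iteration time.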
[jackrabbit-oak] branch OAK-10130 created (now f42e32af2e)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10130 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at f42e32af2e OAK-10130 : Add API to retrieve effective policies for a set of principals for a given path This branch includes the following new commits: new f42e32af2e OAK-10130 : Add API to retrieve effective policies for a set of principals for a given path The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] branch OAK-10151 updated (cdd34dae89 -> f9a2915fcc)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10151 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from cdd34dae89 Merge branch 'trunk' into OAK-10151 add 1c28101ce6 OAK-10163 : add benchmark test cases to measure performance using query with projection add ba82ae23b3 Merge pull request #882 from rishabhdaim/OAK-10163 add 41ba9eb566 OAK-10169 : improve output of test-assertions add e30a98fe81 OAK-10168: bump testcontainers version to 1.17.6 (#883) add 9161f530ee OAK-10175: Reduce currently supported Guava range to 15 - 19 add f09c2d2aa8 OAK-10176: oak-shaded-guava: switch to latest Guava version add 4797545327 OAK-10177: adjust OSGi ITs and size limits for shaded guava inclusion (#887) add 521e56c329 OAK-10177: adjust OSGi ITs and size limits for shaded guava inclusion (#888) add d242f633c9 OAK-10162: Fix Version copier with preserveOnTarget to ignore diverge… (#880) add e97bfb0036 OAK-10170 : simplify usage of authorizableiterator (#885) add f9a2915fcc Merge branch 'trunk' into OAK-10151 No new revisions were added by this update. Summary of changes: .../jackrabbit/oak/benchmark/BenchmarkRunner.java | 1 + .../oak/benchmark/CompareManyChildNodesTest.java | 118 + .../oak/plugins/migration/NodeStateCopier.java | 70 +- .../plugins/migration/version/VersionCopier.java | 88 ++- .../migration/version/VersionCopierTest.java | 263 - .../version/ReadWriteVersionManagerUtil.java | 44 oak-it-osgi/test-bundles.xml | 1 + oak-parent/pom.xml | 8 +- oak-run-elastic/pom.xml| 3 +- oak-shaded-guava/pom.xml | 4 +- .../oak/composite/it/CompositeTestSupport.java | 1 + 11 files changed, 582 insertions(+), 19 deletions(-) create mode 100644 oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/CompareManyChildNodesTest.java create mode 100644 oak-core/src/test/java/org/apache/jackrabbit/oak/plugins/version/ReadWriteVersionManagerUtil.java
[jackrabbit-oak] branch trunk updated: OAK-10170 : simplify usage of authorizableiterator (#885)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new e97bfb0036 OAK-10170 : simplify usage of authorizableiterator (#885) e97bfb0036 is described below commit e97bfb0036344b42f14d9093ac08b892d56f5a3f Author: anchela AuthorDate: Tue Apr 4 08:21:16 2023 +0200 OAK-10170 : simplify usage of authorizableiterator (#885) --- .../oak/security/user/AuthorizableImpl.java | 12 .../oak/security/user/AuthorizableIterator.java | 20 +--- .../jackrabbit/oak/security/user/GroupImpl.java | 4 ++-- 3 files changed, 19 insertions(+), 17 deletions(-) diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java index f9647c8e4e..40d1c734ef 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java 
@@ -288,9 +288,13 @@ abstract class AuthorizableImpl implements Authorizable, UserConstants, TreeAwar MembershipProvider mMgr = getMembershipProvider(); Iterator trees = mMgr.getMembership(getTree(), includeInherited); - -AuthorizableIterator groups = (!trees.hasNext()) ? AuthorizableIterator.empty() : AuthorizableIterator.create(trees, userManager, AuthorizableType.GROUP); -AuthorizableIterator allGroups = AuthorizableIterator.create(true, dynamicGroups, groups); -return new RangeIteratorAdapter(allGroups); + +if (!trees.hasNext()) { +return new RangeIteratorAdapter(AuthorizableIterator.create(true, dynamicGroups)); +} else { +AuthorizableIterator groups = AuthorizableIterator.create(trees, userManager, AuthorizableType.GROUP); +AuthorizableIterator allGroups = AuthorizableIterator.create(true, dynamicGroups, groups); +return new RangeIteratorAdapter(allGroups); +} } } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java index 03be2bf3c6..b9b95f8e56 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java @@ -29,7 +29,6 @@ import org.slf4j.LoggerFactory; import javax.jcr.RangeIterator; import javax.jcr.RepositoryException; -import java.util.Collections; import java.util.HashSet; import java.util.Iterator; import java.util.Objects; 
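Review bot: both branches in `AuthorizableImpl` end in `new RangeIteratorAdapter(...)`; pick the `AuthorizableIterator` in the conditional and wrap it once. More importantly, the empty-`trees` branch now calls `AuthorizableIterator.create(true, dynamicGroups)`, which keeps the duplicate filtering the old `create(true, dynamicGroups, groups)` applied even when `groups` was empty; that is only needed if `dynamicGroups` itself can yield duplicates, otherwise `false` avoids allocating the `servedIds` set on every call. A test for a user whose membership comes only from dynamic groups would pin the intended behaviour down either way.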
@@ -43,12 +42,10 @@ final class AuthorizableIterator implements Iterator { private static final Logger log = LoggerFactory.getLogger(AuthorizableIterator.class); -private final Iterator authorizables; +private final Iterator authorizables; private final long size; private final Set servedIds; - -private static AuthorizableIterator EMPTY = new AuthorizableIterator(Collections.emptyIterator(), 0, false); - + @NotNull static AuthorizableIterator create(@NotNull Iterator authorizableTrees, @NotNull UserManagerImpl userManager, @@ -57,6 +54,12 @@ final class AuthorizableIterator implements Iterator { long size = getSize(authorizableTrees); return new AuthorizableIterator(it, size, false); } + +@NotNull +static AuthorizableIterator create(boolean filterDuplicates, @NotNull Iterator it1) { +long size = getSize(it1); +return new AuthorizableIterator(it1, size, filterDuplicates); +} @NotNull static AuthorizableIterator create(boolean filterDuplicates, @NotNull Iterator it1, @NotNull Iterator it2) { @@ -72,13 +75,8 @@ final class AuthorizableIterator implements Iterator { } return new AuthorizableIterator(Iterators.concat(it1, it2), size, filterDuplicates); } - -@NotNull -static AuthorizableIterator empty() { -return EMPTY; -} -private AuthorizableIterator(Iterator authorizables, long size, boolean filterDuplicates) { +private AuthorizableIterator(Iterator authorizables, long size, boolean filterDuplicates) { if (filterDuplicates) { this.servedIds = new HashSet<>(); this.authorizables = Iterators.filter(authorizables, authorizable -> { diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java index 48076dcdb8..f41484ee0e 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/secu
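Review bot: removing the shared `static AuthorizableIterator EMPTY` is the right call, since an `AuthorizableIterator` carries per-instance state (`servedIds` and an `Iterators.filter` over a live iterator) and a singleton `Iterator` handed out to multiple callers is unsafe even when empty. The new single-argument `create(boolean filterDuplicates, Iterator it1)` duplicates the size computation of the two-argument variant; a varargs `create(boolean, Iterator...)` that concatenates with `Iterators.concat` would cover both call sites and remove one overload.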
[jackrabbit-oak] branch OAK-10170 created (now e8e7281227)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10170 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at e8e7281227 OAK-10170 : simplify usage of authorizableiterator This branch includes the following new commits: new e8e7281227 OAK-10170 : simplify usage of authorizableiterator The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] 01/01: OAK-10170 : simplify usage of authorizableiterator
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10170 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit e8e7281227d04da14ab81a293a695ae9a7baa6f1 Author: angela AuthorDate: Thu Mar 30 16:01:18 2023 +0200 OAK-10170 : simplify usage of authorizableiterator --- .../oak/security/user/AuthorizableImpl.java | 12 .../oak/security/user/AuthorizableIterator.java | 20 +--- .../jackrabbit/oak/security/user/GroupImpl.java | 4 ++-- 3 files changed, 19 insertions(+), 17 deletions(-) diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java index f9647c8e4e..40d1c734ef 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java @@ -288,9 +288,13 @@ abstract class AuthorizableImpl implements Authorizable, UserConstants, TreeAwar MembershipProvider mMgr = getMembershipProvider(); Iterator trees = mMgr.getMembership(getTree(), includeInherited); - -AuthorizableIterator groups = (!trees.hasNext()) ? AuthorizableIterator.empty() : AuthorizableIterator.create(trees, userManager, AuthorizableType.GROUP); -AuthorizableIterator allGroups = AuthorizableIterator.create(true, dynamicGroups, groups); -return new RangeIteratorAdapter(allGroups); + +if (!trees.hasNext()) { +return new RangeIteratorAdapter(AuthorizableIterator.create(true, dynamicGroups)); +} else { +AuthorizableIterator groups = AuthorizableIterator.create(trees, userManager, AuthorizableType.GROUP); +AuthorizableIterator allGroups = AuthorizableIterator.create(true, dynamicGroups, groups); +return new RangeIteratorAdapter(allGroups); +} } } 
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java index 03be2bf3c6..b9b95f8e56 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java @@ -29,7 +29,6 @@ import org.slf4j.LoggerFactory; import javax.jcr.RangeIterator; import javax.jcr.RepositoryException; -import java.util.Collections; import java.util.HashSet; import java.util.Iterator; import java.util.Objects; @@ -43,12 +42,10 @@ final class AuthorizableIterator implements Iterator { private static final Logger log = LoggerFactory.getLogger(AuthorizableIterator.class); -private final Iterator authorizables; +private final Iterator authorizables; private final long size; private final Set servedIds; - -private static AuthorizableIterator EMPTY = new AuthorizableIterator(Collections.emptyIterator(), 0, false); - + @NotNull static AuthorizableIterator create(@NotNull Iterator authorizableTrees, @NotNull UserManagerImpl userManager, @@ -57,6 +54,12 @@ final class AuthorizableIterator implements Iterator { long size = getSize(authorizableTrees); return new AuthorizableIterator(it, size, false); } + +@NotNull +static AuthorizableIterator create(boolean filterDuplicates, @NotNull Iterator it1) { +long size = getSize(it1); +return new AuthorizableIterator(it1, size, filterDuplicates); +} @NotNull static AuthorizableIterator create(boolean filterDuplicates, @NotNull Iterator it1, @NotNull Iterator it2) { 
@@ -72,13 +75,8 @@ final class AuthorizableIterator implements Iterator { } return new AuthorizableIterator(Iterators.concat(it1, it2), size, filterDuplicates); } - -@NotNull -static AuthorizableIterator empty() { -return EMPTY; -} -private AuthorizableIterator(Iterator authorizables, long size, boolean filterDuplicates) { +private AuthorizableIterator(Iterator authorizables, long size, boolean filterDuplicates) { if (filterDuplicates) { this.servedIds = new HashSet<>(); this.authorizables = Iterators.filter(authorizables, authorizable -> { diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java index 48076dcdb8..f41484ee0e 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java @@ -213,13 +213,13 @@ class GroupImpl extends AuthorizableImpl impleme
[jackrabbit-oak] branch trunk updated: OAK-10169 : improve output of test-assertions
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 41ba9eb566 OAK-10169 : improve output of test-assertions 41ba9eb566 is described below commit 41ba9eb5660ed11aa5ff4f2219d63b845673f4ad Author: angela AuthorDate: Thu Mar 30 15:10:40 2023 +0200 OAK-10169 : improve output of test-assertions --- .../security/authentication/external/impl/DynamicGroupsTest.java | 8 .../authentication/external/impl/DynamicSyncContextTest.java | 4 +++- .../security/authentication/external/impl/DynamicSyncTest.java| 4 ++-- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicGroupsTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicGroupsTest.java index 28975e3254..445c99b3f7 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicGroupsTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicGroupsTest.java @@ -302,11 +302,11 @@ public class DynamicGroupsTest extends DynamicSyncContextTest { String groupId2 = declaredGroupRefs.get(1).getId(); Group local = um.createGroup("localGroup"); local.addMembers(groupId, groupId2); -userManager.createGroup(EveryonePrincipal.getInstance()); +um.createGroup(EveryonePrincipal.getInstance()); r.commit(); -Authorizable a = getUserManager(r).getAuthorizable(PREVIOUS_SYNCED_ID); -assertFalse(Iterators.contains(a.memberOf(), local)); +Authorizable a = um.getAuthorizable(PREVIOUS_SYNCED_ID); +assertTrue(getIds(a.memberOf()).contains(local.getID())); // sync again to establish dynamic membership syncContext.setForceUserSync(true); 
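Review bot: the assertion on `PREVIOUS_SYNCED_ID` is inverted in this hunk, from `assertFalse(Iterators.contains(a.memberOf(), local))` to `assertTrue(getIds(a.memberOf()).contains(local.getID()))`, which changes what the test asserts and not only its failure output as the commit title says. If the old assertion was simply wrong because `local.addMembers(groupId, groupId2)` makes `local` a nested group of the previously synced user, say so in the commit message; if it reflects a behaviour change in dynamic membership it needs its own issue. The switch from `userManager.createGroup(...)` to `um.createGroup(...)` on the `EveryonePrincipal` line looks like a fix for operating on a `UserManager` bound to the wrong `Root`, which is also worth a sentence.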
@@ -322,7 +322,7 @@ public class DynamicGroupsTest extends DynamicSyncContextTest { assertFalse(groupIds.contains("localGroup")); assertFalse(local.isMember(a)); } else { -assertEquals((membershipNestingDepth > 1) ? 5 : 4, groupIds.size()); +assertEquals("Found "+groupIds, (membershipNestingDepth > 1) ? 5 : 4, groupIds.size()); assertTrue(groupIds.contains("localGroup")); assertTrue(local.isMember(a)); diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContextTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContextTest.java index dcd69d6ee9..712fc8eaca 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContextTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContextTest.java @@ -49,6 +49,7 @@ import org.junit.Test; import javax.jcr.RepositoryException; import javax.jcr.Value; import java.util.HashSet; +import java.util.List; import java.util.Objects; import java.util.Set; import java.util.UUID; @@ -159,7 +160,8 @@ public class DynamicSyncContextTest extends AbstractDynamicTest { Group gr = userManager.getAuthorizable(ref.getId(), Group.class); assertNotNull(gr); assertTrue(gr.isMember(a)); -assertTrue(Iterators.contains(a.memberOf(), gr)); +List ids = getIds(a.memberOf()); +assertTrue("Expected "+ids+ " to contain "+gr.getID(), ids.contains(gr.getID())); if (Iterables.contains(declaredGroupRefs, ref)) { assertTrue(gr.isDeclaredMember(a)); diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java index 1f83bfad5d..61a67c8ebc 100644 
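Review bot: after replacing `Iterators.contains(a.memberOf(), gr)` with `getIds(a.memberOf())` in `DynamicSyncContextTest`, check that `com.google.common.collect.Iterators` is still used elsewhere in the file, otherwise the import becomes unused (`Iterables` remains used by `Iterables.contains(declaredGroupRefs, ref)`). Minor style in both hunks: the message concatenations `"Found "+groupIds` and `"Expected "+ids+ " to contain "+gr.getID()` have inconsistent spacing around `+`.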
--- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java @@ -230,8 +230,8 @@ public class DynamicSyncTest extends AbstractDynamicTest { private static void assertExpectedIds(@NotNull Set expectedIds, @NotNull Iterator... iterators) { for (Iterator it : iterators) { List ids = getIds(it); -assertEquals(expectedIds.size(), ids.size()); -assertTrue(
[jackrabbit-oak] branch trunk updated: OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy, reapply changes
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 84b25fe4d6 OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy, reapply changes 84b25fe4d6 is described below commit 84b25fe4d61f0267ecf7444ec0e453f70dd33884 Author: angela AuthorDate: Wed Mar 29 16:44:00 2023 +0200 OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy, reapply changes This reverts commit c71b900b7e6efe231f6213eb2e222a3dcb303fc9. --- .../impl/PrincipalBasedAccessControlManager.java | 7 ++- .../impl/AbstractPrincipalBasedTest.java | 16 +++ .../impl/AccessControlManagerLimitedUserTest.java | 10 .../principalbased/impl/EffectivePolicyTest.java | 6 +-- .../impl/ImmutablePrincipalPolicyTest.java | 2 +- .../PrincipalBasedAccessControlManagerTest.java| 26 +-- .../impl/ReadablePathsAccessControlTest.java | 6 ++- .../impl/TransientPrincipalTest.java | 4 +- .../accesscontrol/AccessControlManagerImpl.java| 6 ++- .../accesscontrol/PolicyComparator.java| 33 ++ .../accesscontrol/AbstractAccessControlTest.java | 8 .../AccessControlManagerImplTest.java | 28 ++-- ...AccessControlManagerLimitedPermissionsTest.java | 53 +++--- .../AccessControlWithUnknownPrincipalTest.java | 11 ++--- .../accesscontrol/PolicyComparatorTest.java| 26 +++ .../accesscontrol/ReadPolicyTest.java | 53 -- .../authorization/accesscontrol/ReadPolicy.java| 20 .../authorization/accesscontrol/package-info.java | 2 +- .../accesscontrol/ReadPolicyTest.java | 20 19 files changed, 268 insertions(+), 69 deletions(-) 
diff --git a/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java b/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java index 21876483c2..fe00e9695b 100644 --- a/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java +++ b/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java @@ -69,7 +69,6 @@ import java.text.ParseException; import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; -import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; @@ -145,13 +144,17 @@ class PrincipalBasedAccessControlManager extends AbstractAccessControlManager im // this implementation only takes effect if the complete set of principals can be handled. see also // PrincipalBasedAuthorizationConfiguration.getPermissionProvider if (canHandle(principals)) { -Set effective = new HashSet<>(principals.size()); +List effective = new ArrayList<>(principals.size()); for (Principal principal : principals) { AccessControlPolicy policy = createPolicy(principal, true); if (policy != null) { effective.add(policy); } } +// add read-policy if there are configured paths +if (ReadPolicy.canAccessReadPolicy(getPermissionProvider(), readPaths.toArray(new String[0]))) { +effective.add(ReadPolicy.INSTANCE); +} return effective.toArray(new AccessControlPolicy[0]); } else { return new JackrabbitAccessControlPolicy[0]; 
diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java index b7d64f690b..68e06622f5 100644 --- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java +++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java @@ -36,6 +36,7 @@ import org.apache.jackrabbit.oak.security.internal.SecurityProviderHelper; import org.apache.jackrabbit.oak.spi.mount.Mounts; import org.apache.jackrabbit.oak.spi.security.SecurityProvi
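Review bot: in the PrincipalBasedAccessControlManager hunk at `@@ -145,13 +144,17`, the added `ReadPolicy.canAccessReadPolicy(getPermissionProvider(), readPaths.toArray(new String[0]))` check is evaluated with the manager's own permission provider, i.e. the calling session's, not with the `principals` the surrounding `getEffectivePolicies(Set principals)` is asked about; since the read policy grants read on the configured paths to every principal that is defensible, but say so in the comment, because a reader expects the effective policies for `principals` to be derived from those principals alone. Separately, the commit message for 84b25fe4d6 says it reverts c71b900b7e and re-applies OAK-10135, yet the diff stat (`19 files changed, 268 insertions(+), 69 deletions(-)`) matches the originally reverted b578e486c2 exactly, so nothing records what failed the first time or what differs now; one sentence naming the failure and its resolution would make the revert/reapply pair auditable.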
[jackrabbit-oak] 01/01: OAK-10151 : oak-auth-external tests fail with Guava 20
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10151 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 30783fdbebc9fd424210fa619f52c340fc19dd35 Author: angela AuthorDate: Tue Mar 28 20:13:29 2023 +0200 OAK-10151 : oak-auth-external tests fail with Guava 20 --- .../external/impl/DynamicGroupsTest.java | 8 +- .../external/impl/DynamicSyncContextTest.java | 4 +- .../external/impl/DynamicSyncTest.java | 4 +- .../jackrabbit/oak/commons/collect/Iterators.java | 83 + .../oak/commons/collect/IteratorsTest.java | 85 ++ .../oak/security/user/AuthorizableImpl.java| 12 ++- .../oak/security/user/AuthorizableIterator.java| 24 +++--- .../jackrabbit/oak/security/user/GroupImpl.java| 4 +- 8 files changed, 199 insertions(+), 25 deletions(-) diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicGroupsTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicGroupsTest.java index 28975e3254..445c99b3f7 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicGroupsTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicGroupsTest.java 
@@ -302,11 +302,11 @@ public class DynamicGroupsTest extends DynamicSyncContextTest { String groupId2 = declaredGroupRefs.get(1).getId(); Group local = um.createGroup("localGroup"); local.addMembers(groupId, groupId2); -userManager.createGroup(EveryonePrincipal.getInstance()); +um.createGroup(EveryonePrincipal.getInstance()); r.commit(); -Authorizable a = getUserManager(r).getAuthorizable(PREVIOUS_SYNCED_ID); -assertFalse(Iterators.contains(a.memberOf(), local)); +Authorizable a = um.getAuthorizable(PREVIOUS_SYNCED_ID); +assertTrue(getIds(a.memberOf()).contains(local.getID())); // sync again to establish dynamic membership syncContext.setForceUserSync(true); @@ -322,7 +322,7 @@ public class DynamicGroupsTest extends DynamicSyncContextTest { assertFalse(groupIds.contains("localGroup")); assertFalse(local.isMember(a)); } else { -assertEquals((membershipNestingDepth > 1) ? 5 : 4, groupIds.size()); +assertEquals("Found "+groupIds, (membershipNestingDepth > 1) ? 5 : 4, groupIds.size()); assertTrue(groupIds.contains("localGroup")); assertTrue(local.isMember(a)); diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContextTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContextTest.java index dcd69d6ee9..712fc8eaca 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContextTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContextTest.java @@ -49,6 +49,7 @@ import org.junit.Test; import javax.jcr.RepositoryException; import javax.jcr.Value; import java.util.HashSet; +import java.util.List; import java.util.Objects; import java.util.Set; import java.util.UUID; 
@@ -159,7 +160,8 @@ public class DynamicSyncContextTest extends AbstractDynamicTest { Group gr = userManager.getAuthorizable(ref.getId(), Group.class); assertNotNull(gr); assertTrue(gr.isMember(a)); -assertTrue(Iterators.contains(a.memberOf(), gr)); +List ids = getIds(a.memberOf()); +assertTrue("Expected "+ids+ " to contain "+gr.getID(), ids.contains(gr.getID())); if (Iterables.contains(declaredGroupRefs, ref)) { assertTrue(gr.isDeclaredMember(a)); diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java index 1f83bfad5d..61a67c8ebc 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java @@ -230,8 +230,8 @@ public class DynamicSyncTest extends AbstractDynamicTest { private static void assertExpectedIds(@NotNull Set expectedIds, @NotNull Iterator... iterators) {
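Review bot: the DynamicGroupsTest hunk at `@@ -302,11 +302,11` inverts the membership expectation, from `assertFalse(Iterators.contains(a.memberOf(), local))` to `assertTrue(getIds(a.memberOf()).contains(local.getID()))`, while the commit message only states that the tests fail with Guava 20; add a sentence (in the message or as a comment above the assertion) explaining whether the old `assertFalse` passed merely because `Iterators.contains` compared `Authorizable` instances by object equality rather than by id, or whether the expected membership of the previously synced user in `localGroup` before the re-sync really changed. Without that, a later reader cannot tell a comparison fix from a change in sync semantics. Replacing `userManager.createGroup(...)`/`getUserManager(r)` with the local `um` in the same hunk is a welcome consistency fix.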
[jackrabbit-oak] branch OAK-10151 created (now 30783fdbeb)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10151 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at 30783fdbeb OAK-10151 : oak-auth-external tests fail with Guava 20 This branch includes the following new commits: new 30783fdbeb OAK-10151 : oak-auth-external tests fail with Guava 20 The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] branch trunk updated: Revert "OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy (#869)" This reverts commit b578e486
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new c71b900b7e Revert "OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy (#869)" This reverts commit b578e486 c71b900b7e is described below commit c71b900b7e6efe231f6213eb2e222a3dcb303fc9 Author: angela AuthorDate: Fri Mar 10 08:41:56 2023 +0100 Revert "OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy (#869)" This reverts commit b578e486 --- .../impl/PrincipalBasedAccessControlManager.java | 7 +-- .../impl/AbstractPrincipalBasedTest.java | 16 --- .../impl/AccessControlManagerLimitedUserTest.java | 10 .../principalbased/impl/EffectivePolicyTest.java | 6 ++- .../impl/ImmutablePrincipalPolicyTest.java | 2 +- .../PrincipalBasedAccessControlManagerTest.java| 26 ++- .../impl/ReadablePathsAccessControlTest.java | 6 +-- .../impl/TransientPrincipalTest.java | 4 +- .../accesscontrol/AccessControlManagerImpl.java| 6 +-- .../accesscontrol/PolicyComparator.java| 33 -- .../accesscontrol/AbstractAccessControlTest.java | 8 .../AccessControlManagerImplTest.java | 28 ++-- ...AccessControlManagerLimitedPermissionsTest.java | 53 +++--- .../AccessControlWithUnknownPrincipalTest.java | 11 +++-- .../accesscontrol/PolicyComparatorTest.java| 26 --- .../accesscontrol/ReadPolicyTest.java | 53 ++ .../authorization/accesscontrol/ReadPolicy.java| 20 .../authorization/accesscontrol/package-info.java | 2 +- .../accesscontrol/ReadPolicyTest.java | 20 19 files changed, 69 insertions(+), 268 deletions(-) 
diff --git a/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java b/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java index fe00e9695b..21876483c2 100644 --- a/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java +++ b/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java @@ -69,6 +69,7 @@ import java.text.ParseException; import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; +import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; @@ -144,17 +145,13 @@ class PrincipalBasedAccessControlManager extends AbstractAccessControlManager im // this implementation only takes effect if the complete set of principals can be handled. see also // PrincipalBasedAuthorizationConfiguration.getPermissionProvider if (canHandle(principals)) { -List effective = new ArrayList<>(principals.size()); +Set effective = new HashSet<>(principals.size()); for (Principal principal : principals) { AccessControlPolicy policy = createPolicy(principal, true); if (policy != null) { effective.add(policy); } } -// add read-policy if there are configured paths -if (ReadPolicy.canAccessReadPolicy(getPermissionProvider(), readPaths.toArray(new String[0]))) { -effective.add(ReadPolicy.INSTANCE); -} return effective.toArray(new AccessControlPolicy[0]); } else { return new JackrabbitAccessControlPolicy[0]; 
diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java index 68e06622f5..b7d64f690b 100644 --- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java +++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java @@ -36,7 +36,6 @@ import org.apache.jackrabbit.oak.security.internal.SecurityProviderHelper; import org.apache.jackrabbit.oak.spi.mount.Mounts; import org.apache.jackrabbit.oak.spi.se
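Review bot: the PrincipalBasedAccessControlManager hunk at `@@ -144,17 +145,13` silently drops the `ReadPolicy.INSTANCE` contribution to the effective policies and restores `Set effective = new HashSet<>(principals.size());`, but the commit message is just `This reverts commit b578e486` with no reason given; a revert of an access-control change should name the regression or failing test that motivated it (and the abbreviated hash in the subject should be the full one used elsewhere in this message) so that the subsequent reapply can be checked against the actual problem rather than against guesswork.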
[jackrabbit-oak] branch trunk updated: OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy (#869)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new b578e486c2 OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy (#869) b578e486c2 is described below commit b578e486c2429688e5b31004a205896abec856ad Author: anchela AuthorDate: Thu Mar 9 16:21:03 2023 +0100 OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy (#869) --- .../impl/PrincipalBasedAccessControlManager.java | 7 ++- .../impl/AbstractPrincipalBasedTest.java | 16 +++ .../impl/AccessControlManagerLimitedUserTest.java | 10 .../principalbased/impl/EffectivePolicyTest.java | 6 +-- .../impl/ImmutablePrincipalPolicyTest.java | 2 +- .../PrincipalBasedAccessControlManagerTest.java| 26 +-- .../impl/ReadablePathsAccessControlTest.java | 6 ++- .../impl/TransientPrincipalTest.java | 4 +- .../accesscontrol/AccessControlManagerImpl.java| 6 ++- .../accesscontrol/PolicyComparator.java| 33 ++ .../accesscontrol/AbstractAccessControlTest.java | 8 .../AccessControlManagerImplTest.java | 28 ++-- ...AccessControlManagerLimitedPermissionsTest.java | 53 +++--- .../AccessControlWithUnknownPrincipalTest.java | 11 ++--- .../accesscontrol/PolicyComparatorTest.java| 26 +++ .../accesscontrol/ReadPolicyTest.java | 53 -- .../authorization/accesscontrol/ReadPolicy.java| 20 .../authorization/accesscontrol/package-info.java | 2 +- .../accesscontrol/ReadPolicyTest.java | 20 19 files changed, 268 insertions(+), 69 deletions(-) 
diff --git a/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java b/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java index 21876483c2..fe00e9695b 100644 --- a/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java +++ b/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java @@ -69,7 +69,6 @@ import java.text.ParseException; import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; -import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; @@ -145,13 +144,17 @@ class PrincipalBasedAccessControlManager extends AbstractAccessControlManager im // this implementation only takes effect if the complete set of principals can be handled. see also // PrincipalBasedAuthorizationConfiguration.getPermissionProvider if (canHandle(principals)) { -Set effective = new HashSet<>(principals.size()); +List effective = new ArrayList<>(principals.size()); for (Principal principal : principals) { AccessControlPolicy policy = createPolicy(principal, true); if (policy != null) { effective.add(policy); } } +// add read-policy if there are configured paths +if (ReadPolicy.canAccessReadPolicy(getPermissionProvider(), readPaths.toArray(new String[0]))) { +effective.add(ReadPolicy.INSTANCE); +} return effective.toArray(new AccessControlPolicy[0]); } else { return new JackrabbitAccessControlPolicy[0]; 
diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java index b7d64f690b..68e06622f5 100644 --- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java +++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java @@ -36,6 +36,7 @@ import org.apache.jackrabbit.oak.security.internal.SecurityProviderHelper; import org.apache.jackrabbit.oak.spi.mount.Mounts; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfigurat
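Review bot: in the PrincipalBasedAccessControlManager hunk at `@@ -145,13 +144,17`, the comment `// add read-policy if there are configured paths` does not match the condition below it, `if (ReadPolicy.canAccessReadPolicy(getPermissionProvider(), readPaths.toArray(new String[0])))`, which is a permission check on the configured paths, not a check that paths are configured: when `readPaths` is non-empty but the permission provider cannot read them, no ReadPolicy is added, which the comment fails to convey. Reword it to something like `// add read-policy if the configured read paths are accessible`, so the returned effective policies are not mistaken for a pure configuration echo.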
[jackrabbit-oak] 01/01: OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10135 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit dde38356dc8cb23910c10eb036726844674063d7 Author: angela AuthorDate: Thu Mar 9 13:25:13 2023 +0100 OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy --- .../impl/PrincipalBasedAccessControlManager.java | 7 ++- .../impl/AbstractPrincipalBasedTest.java | 16 +++ .../impl/AccessControlManagerLimitedUserTest.java | 10 .../principalbased/impl/EffectivePolicyTest.java | 6 +-- .../impl/ImmutablePrincipalPolicyTest.java | 2 +- .../PrincipalBasedAccessControlManagerTest.java| 26 +-- .../impl/ReadablePathsAccessControlTest.java | 6 ++- .../impl/TransientPrincipalTest.java | 4 +- .../accesscontrol/AccessControlManagerImpl.java| 6 ++- .../accesscontrol/PolicyComparator.java| 33 ++ .../accesscontrol/AbstractAccessControlTest.java | 8 .../AccessControlManagerImplTest.java | 28 ++-- ...AccessControlManagerLimitedPermissionsTest.java | 53 +++--- .../AccessControlWithUnknownPrincipalTest.java | 11 ++--- .../accesscontrol/PolicyComparatorTest.java| 26 +++ .../accesscontrol/ReadPolicyTest.java | 53 -- .../authorization/accesscontrol/ReadPolicy.java| 20 .../authorization/accesscontrol/package-info.java | 2 +- .../accesscontrol/ReadPolicyTest.java | 20 19 files changed, 268 insertions(+), 69 deletions(-) diff --git a/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java b/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java index 21876483c2..fe00e9695b 100644 --- a/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java 
+++ b/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java @@ -69,7 +69,6 @@ import java.text.ParseException; import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; -import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; @@ -145,13 +144,17 @@ class PrincipalBasedAccessControlManager extends AbstractAccessControlManager im // this implementation only takes effect if the complete set of principals can be handled. see also // PrincipalBasedAuthorizationConfiguration.getPermissionProvider if (canHandle(principals)) { -Set effective = new HashSet<>(principals.size()); +List effective = new ArrayList<>(principals.size()); for (Principal principal : principals) { AccessControlPolicy policy = createPolicy(principal, true); if (policy != null) { effective.add(policy); } } +// add read-policy if there are configured paths +if (ReadPolicy.canAccessReadPolicy(getPermissionProvider(), readPaths.toArray(new String[0]))) { +effective.add(ReadPolicy.INSTANCE); +} return effective.toArray(new AccessControlPolicy[0]); } else { return new JackrabbitAccessControlPolicy[0]; diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java index b7d64f690b..68e06622f5 100644 --- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java +++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java 
@@ -36,6 +36,7 @@ import org.apache.jackrabbit.oak.security.internal.SecurityProviderHelper; import org.apache.jackrabbit.oak.spi.mount.Mounts; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; +import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ReadPolicy; import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvi
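Review bot: in the PrincipalBasedAccessControlManager hunk at `@@ -145,13 +144,17`, switching `effective` from `new HashSet<>(principals.size())` to `new ArrayList<>(principals.size())` removes the de-duplication the set provided; if `createPolicy(principal, true)` can yield equal policies for two principals, or if `principals` contains entries that are equal but not identical, `getEffectivePolicies` now returns repeated policies. If the list is needed to keep the per-principal policies ahead of the appended `ReadPolicy.INSTANCE` (the diff stat shows a new `PolicyComparator.java`, which suggests ordering matters), a short comment stating that policies are distinct per principal by construction would make that assumption explicit.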
[jackrabbit-oak] branch OAK-10135 created (now dde38356dc)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10135 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at dde38356dc OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy This branch includes the following new commits: new dde38356dc OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] branch trunk updated: OAK-10132 ; Duplication in XPathConditionVisitor and ImpersonationImpl (#866)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new f666b0dbdf OAK-10132 ; Duplication in XPathConditionVisitor and ImpersonationImpl (#866) f666b0dbdf is described below commit f666b0dbdf937dc0376fa4fc0f2abfb703c80428 Author: anchela AuthorDate: Sun Mar 5 16:58:02 2023 +0100 OAK-10132 ; Duplication in XPathConditionVisitor and ImpersonationImpl (#866) --- .../oak/security/user/ImpersonationImpl.java | 9 +-- .../apache/jackrabbit/oak/security/user/Utils.java | 28 - .../security/user/query/XPathConditionVisitor.java | 13 +--- .../jackrabbit/oak/security/user/UtilsTest.java| 72 ++ 4 files changed, 103 insertions(+), 19 deletions(-) diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java index 51152a1b79..867cdbaffe 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java @@ -26,7 +26,6 @@ import org.apache.jackrabbit.api.security.principal.PrincipalIterator; import org.apache.jackrabbit.api.security.principal.PrincipalManager; import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.api.security.user.Impersonation; -import org.apache.jackrabbit.api.security.user.User; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.api.Type; 
@@ -177,13 +176,7 @@ class ImpersonationImpl implements Impersonation, UserConstants { } else if (GroupPrincipals.isGroup(principal)) { return false; } else { -try { -Authorizable authorizable = user.getUserManager().getAuthorizable(principal); -return authorizable != null && !authorizable.isGroup() && ((User) authorizable).isAdmin(); -} catch (RepositoryException e) { -log.debug(e.getMessage()); -return false; -} +return Utils.canImpersonateAllUsers(principal, user.getUserManager()); } } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/Utils.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/Utils.java index 197f661ab0..a39bf98a6e 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/Utils.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/Utils.java @@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.security.user; import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.api.security.user.User; +import org.apache.jackrabbit.api.security.user.UserManager; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.commons.PathUtils; @@ -28,11 +29,16 @@ import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil; import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import javax.jcr.AccessDeniedException; import javax.jcr.RepositoryException; +import java.security.Principal; -final class Utils { +public final class Utils { + +private static final Logger log = LoggerFactory.getLogger(Utils.class); private Utils() {} 
@@ -83,6 +89,26 @@ final class Utils { static boolean isEveryone(@NotNull Authorizable authorizable) { return authorizable.isGroup() && EveryonePrincipal.NAME.equals(getPrincipalName(authorizable)); } + +/** + * Return {@code true} if the given principal can impersonate all users. + * The implementation tests if the given principal refers to an existing {@code User} for which {@link User#isAdmin()} + * returns {@code true}. + * + * @param principal A non-null principal instance. + * @param userManager The user manager used for the lookup calling {@link UserManager#getAuthorizable(Principal))} + * @return {@code true} if the given principal can impersonate all users; {@code false} if that condition is not met + * or if the evaluation failed. + */ +public static boolean canImpersonateAllUsers(@NotNull Principal principal, @NotNull UserManager userManager) { +try { +Authorizable authorizable = userManager.getAuthorizable(principal); +return authorizable != null && !authorizable.isGroup() && ((User) authorizable).isAdmin(); +} catch (RepositoryException
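Review bot: in the Utils hunk at `@@ -83,6 +89,26`, the javadoc link `{@link UserManager#getAuthorizable(Principal))}` has an unbalanced closing parenthesis, which will render as a broken link; drop the extra `)`. In the same file, the hunk at `@@ -28,11 +29,16` turns `final class Utils` into `public final class Utils` so that `canImpersonateAllUsers` can be reached from `query/XPathConditionVisitor.java`, but that also exposes the rest of the helper class (e.g. the package-private `isEveryone`) to any code that can see the package; if `org.apache.jackrabbit.oak.security.user` is exported, note in the class javadoc that it is internal and not API, or move the shared method to a narrower, deliberately public helper.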
[jackrabbit-oak] 01/01: OAK-10132 ; Duplication in XPathConditionVisitor and ImpersonationImpl
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10132 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 31d94e73283b0fa1e01dfe9beec39938c905691d Author: angela AuthorDate: Sun Mar 5 15:11:56 2023 +0100 OAK-10132 ; Duplication in XPathConditionVisitor and ImpersonationImpl --- .../oak/security/user/ImpersonationImpl.java | 9 +-- .../apache/jackrabbit/oak/security/user/Utils.java | 28 - .../security/user/query/XPathConditionVisitor.java | 13 +--- .../jackrabbit/oak/security/user/UtilsTest.java| 72 ++ 4 files changed, 103 insertions(+), 19 deletions(-) diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java index 51152a1b79..867cdbaffe 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java @@ -26,7 +26,6 @@ import org.apache.jackrabbit.api.security.principal.PrincipalIterator; import org.apache.jackrabbit.api.security.principal.PrincipalManager; import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.api.security.user.Impersonation; -import org.apache.jackrabbit.api.security.user.User; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.api.Type; 
@@ -177,13 +176,7 @@ class ImpersonationImpl implements Impersonation, UserConstants { } else if (GroupPrincipals.isGroup(principal)) { return false; } else { -try { -Authorizable authorizable = user.getUserManager().getAuthorizable(principal); -return authorizable != null && !authorizable.isGroup() && ((User) authorizable).isAdmin(); -} catch (RepositoryException e) { -log.debug(e.getMessage()); -return false; -} +return Utils.canImpersonateAllUsers(principal, user.getUserManager()); } } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/Utils.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/Utils.java index 197f661ab0..a39bf98a6e 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/Utils.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/Utils.java @@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.security.user; import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.api.security.user.User; +import org.apache.jackrabbit.api.security.user.UserManager; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.commons.PathUtils; @@ -28,11 +29,16 @@ import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil; import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import javax.jcr.AccessDeniedException; import javax.jcr.RepositoryException; +import java.security.Principal; -final class Utils { +public final class Utils { + +private static final Logger log = LoggerFactory.getLogger(Utils.class); private Utils() {} 
@@ -83,6 +89,26 @@ final class Utils { static boolean isEveryone(@NotNull Authorizable authorizable) { return authorizable.isGroup() && EveryonePrincipal.NAME.equals(getPrincipalName(authorizable)); } + +/** + * Return {@code true} if the given principal can impersonate all users. + * The implementation tests if the given principal refers to an existing {@code User} for which {@link User#isAdmin()} + * returns {@code true}. + * + * @param principal A non-null principal instance. + * @param userManager The user manager used for the lookup calling {@link UserManager#getAuthorizable(Principal))} + * @return {@code true} if the given principal can impersonate all users; {@code false} if that condition is not met + * or if the evaluation failed. + */ +public static boolean canImpersonateAllUsers(@NotNull Principal principal, @NotNull UserManager userManager) { +try { +Authorizable authorizable = userManager.getAuthorizable(principal); +return authorizable != null && !authorizable.isGroup() && ((User) authorizable).isAdmin(); +} catch (RepositoryException e) { +log.debug(e.getMessage()); +return false; +} +} @Nullable private static String getPrincipalName(@NotNull Authorizable authorizable) {
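Review bot: in the ImpersonationImpl hunk the inlined block and the new `Utils.canImpersonateAllUsers(principal, user.getUserManager())` call are line-for-line equivalent (same null check, same group exclusion, same `isAdmin()` test, same `RepositoryException` -> `false`), so behaviour is preserved and dropping the `User` import is correct. Since the helper is now shared with `XPathConditionVisitor` (per the commit subject), the new `UtilsTest` listed in the file summary should cover all four outcomes explicitly: non-existing principal, group principal, non-admin user, and a `RepositoryException` from `getAuthorizable`, each of which must yield `false`.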
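Review bot: `Utils` goes from package-private to `public final class Utils`, and only `canImpersonateAllUsers` is made `public static`, while `isEveryone` and `getPrincipalName` stay package-private, which keeps the widening minimal. If `org.apache.jackrabbit.oak.security.user` is exported from oak-core, the public class and method now count as API and should be checked against the baseline; if it is not, a one-line class comment saying the class is public only so the sibling `query` package can reach it would stop it being treated as a supported entry point.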
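Review bot: the Javadoc for `canImpersonateAllUsers` contains an unbalanced parenthesis in `{@link UserManager#getAuthorizable(Principal))}`; it should be `{@link UserManager#getAuthorizable(Principal)}` or the link will not resolve. In the body, `!authorizable.isGroup()` followed by `((User) authorizable).isAdmin()` assumes every non-group `Authorizable` is a `User`; a `ClassCastException` from a third-party `Authorizable` would escape the `catch (RepositoryException e)` block, whereas `authorizable instanceof User && ((User) authorizable).isAdmin()` cannot throw. Also prefer `log.debug(e.getMessage(), e)` over `log.debug(e.getMessage())`: the helper turns every repository failure into a silent "cannot impersonate", and without the stack trace the cause is unrecoverable from the logs.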
[jackrabbit-oak] branch OAK-10132 created (now 31d94e7328)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10132 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at 31d94e7328 OAK-10132 ; Duplication in XPathConditionVisitor and ImpersonationImpl This branch includes the following new commits: new 31d94e7328 OAK-10132 ; Duplication in XPathConditionVisitor and ImpersonationImpl The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] branch trunk updated: OAK-10131 : ExternalGroupPrincipalProvider should return ItemBasedPrincipals if dynamic group option is enabled (#865)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 499364c020 OAK-10131 : ExternalGroupPrincipalProvider should return ItemBasedPrincipals if dynamic group option is enabled (#865) 499364c020 is described below commit 499364c020292dc37e38bf32862a86474a153b9c Author: anchela AuthorDate: Sat Mar 4 17:51:04 2023 +0100 OAK-10131 : ExternalGroupPrincipalProvider should return ItemBasedPrincipals if dynamic group option is enabled (#865) --- .../principal/ExternalGroupPrincipalProvider.java | 38 +-- .../impl/principal/AbstractPrincipalTest.java | 4 ++ .../ExternalGroupPrincipalProviderDMTest.java | 56 ++ .../PrincipalProviderAutoMembershipTest.java | 3 +- 4 files changed, 96 insertions(+), 5 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider.java index 37861f2cdf..e4698c0ac6 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider.java @@ -162,7 +162,7 @@ class ExternalGroupPrincipalProvider implements PrincipalProvider, ExternalIdent Result result = findPrincipals(principalName, true); Iterator rows = (result == null) ? Collections.emptyIterator() : result.getRows().iterator(); if (rows.hasNext()) { -return new ExternalGroupPrincipal(principalName, getIdpName(rows.next())); +return createExternalGroupPrincipal(principalName, getIdpName(rows.next())); } return null; } 
@@ -388,7 +388,7 @@ class ExternalGroupPrincipalProvider implements PrincipalProvider, ExternalIdent // we have an 'external' user that has been synchronized with the dynamic-membership option Set groupPrincipals = Sets.newHashSet(); for (String principalName : ps.getValue(Type.STRINGS)) { -groupPrincipals.add(new ExternalGroupPrincipal(principalName, idpName)); + groupPrincipals.add(createExternalGroupPrincipal(principalName, idpName)); } // add inherited local groups (crossing IDP boundary) 
@@ -511,13 +511,43 @@ class ExternalGroupPrincipalProvider implements PrincipalProvider, ExternalIdent } //--< inner classes >--- + +private GroupPrincipal createExternalGroupPrincipal(@NotNull String principalName, @Nullable String idpName) { +if (idpNamesWithDynamicGroups.contains(idpName)) { +return new ExternalGroupPrincipalItemBased(principalName, idpName); +} else { +return new ExternalGroupPrincipal(principalName, idpName); +} +} + +/** + * Implementation of the {@link org.apache.jackrabbit.api.security.principal.GroupPrincipal} interface representing + * external group identities that are represented as authorizable group in the repository's user management i.e. + * the {@code SyncHandler} configured for the IDP with the given name has dynamic-group option enabled. + */ +private final class ExternalGroupPrincipalItemBased extends ExternalGroupPrincipal implements ItemBasedPrincipal { + +private ExternalGroupPrincipalItemBased(@NotNull String principalName, @Nullable String idpName) { +super(principalName, idpName); +} + +@Override +public @NotNull String getPath() throws RepositoryException { +Authorizable a = userManager.getAuthorizable(this); +if (a == null) { +throw new RepositoryException("Cannot determine path for principal '" + getName() + "'. Group with this principal name does not exist."); +} else { +return a.getPath(); +} +} +} /** * Implementation of the {@link org.apache.jackrabbit.api.security.principal.GroupPrincipal} interface representing external group * identities that are not represented as authorizable group * in the repository's user management. */ -private final class ExternalGroupPrincipal extends PrincipalImpl implements GroupPrincipal { +private class ExternalGroupPrincipal extends PrincipalImpl implements GroupPrincipal { private final String idpName;
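Review bot: in the `@@ -388` hunk the set built from `ps.getValue(Type.STRINGS)` may now contain `ItemBasedPrincipal` instances for IDPs with the dynamic-group option. That is more than a type change: components that special-case `ItemBasedPrincipal` (for example the principal-based authorization filter, which only accepts principals located under its configured path) will start handling these external group principals differently from before. Please confirm that is intended and mention it in the dynamic-membership documentation, since it changes which authorization model can apply to external groups.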
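Review bot: in `createExternalGroupPrincipal` the `@Nullable String idpName` is passed straight to `idpNamesWithDynamicGroups.contains(idpName)`; if that set is an immutable collection that rejects `null` lookups (e.g. `Set.of`) this throws a `NullPointerException`, so either guard with `idpName != null &&` or make sure the set type tolerates null. `ExternalGroupPrincipalItemBased.getPath()` does a `userManager.getAuthorizable(this)` lookup on every call and throws `RepositoryException` when the group authorizable does not (yet) exist; callers that assume any `ItemBasedPrincipal` resolves to a path should expect that, and including `idpName` in the exception message would help diagnose the not-yet-synced case. Finally, with `ExternalGroupPrincipal` now non-final and subclassed, check that the inherited `PrincipalImpl` `equals`/`hashCode` treat an `ExternalGroupPrincipal` and an `ExternalGroupPrincipalItemBased` of the same name as equal, otherwise principal sets produced by the two branches of the factory could hold duplicates.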
[jackrabbit-oak] 01/01: OAK-10131 : ExternalGroupPrincipalProvider should return ItemBasedPrincipals if dynamic group option is enabled
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10131 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 0086a806282a5518bf83e19308bd378c97398fb8 Author: angela AuthorDate: Sat Mar 4 15:30:54 2023 +0100 OAK-10131 : ExternalGroupPrincipalProvider should return ItemBasedPrincipals if dynamic group option is enabled --- .../principal/ExternalGroupPrincipalProvider.java | 38 +-- .../impl/principal/AbstractPrincipalTest.java | 4 ++ .../ExternalGroupPrincipalProviderDMTest.java | 56 ++ .../PrincipalProviderAutoMembershipTest.java | 3 +- 4 files changed, 96 insertions(+), 5 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider.java index 37861f2cdf..e4698c0ac6 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider.java @@ -162,7 +162,7 @@ class ExternalGroupPrincipalProvider implements PrincipalProvider, ExternalIdent Result result = findPrincipals(principalName, true); Iterator rows = (result == null) ? Collections.emptyIterator() : result.getRows().iterator(); if (rows.hasNext()) { -return new ExternalGroupPrincipal(principalName, getIdpName(rows.next())); +return createExternalGroupPrincipal(principalName, getIdpName(rows.next())); } return null; } 
@@ -388,7 +388,7 @@ class ExternalGroupPrincipalProvider implements PrincipalProvider, ExternalIdent // we have an 'external' user that has been synchronized with the dynamic-membership option Set groupPrincipals = Sets.newHashSet(); for (String principalName : ps.getValue(Type.STRINGS)) { -groupPrincipals.add(new ExternalGroupPrincipal(principalName, idpName)); + groupPrincipals.add(createExternalGroupPrincipal(principalName, idpName)); } // add inherited local groups (crossing IDP boundary) 
@@ -511,13 +511,43 @@ class ExternalGroupPrincipalProvider implements PrincipalProvider, ExternalIdent } //--< inner classes >--- + +private GroupPrincipal createExternalGroupPrincipal(@NotNull String principalName, @Nullable String idpName) { +if (idpNamesWithDynamicGroups.contains(idpName)) { +return new ExternalGroupPrincipalItemBased(principalName, idpName); +} else { +return new ExternalGroupPrincipal(principalName, idpName); +} +} + +/** + * Implementation of the {@link org.apache.jackrabbit.api.security.principal.GroupPrincipal} interface representing + * external group identities that are represented as authorizable group in the repository's user management i.e. + * the {@code SyncHandler} configured for the IDP with the given name has dynamic-group option enabled. + */ +private final class ExternalGroupPrincipalItemBased extends ExternalGroupPrincipal implements ItemBasedPrincipal { + +private ExternalGroupPrincipalItemBased(@NotNull String principalName, @Nullable String idpName) { +super(principalName, idpName); +} + +@Override +public @NotNull String getPath() throws RepositoryException { +Authorizable a = userManager.getAuthorizable(this); +if (a == null) { +throw new RepositoryException("Cannot determine path for principal '" + getName() + "'. Group with this principal name does not exist."); +} else { +return a.getPath(); +} +} +} /** * Implementation of the {@link org.apache.jackrabbit.api.security.principal.GroupPrincipal} interface representing external group * identities that are not represented as authorizable group * in the repository's user management. */ -private final class ExternalGroupPrincipal extends PrincipalImpl implements GroupPrincipal { +private class ExternalGroupPrincipal extends PrincipalImpl implements GroupPrincipal { private final String idpName; @@ -621,7 +651,7 @@ class ExternalGroupPrincipalProvider implements PrincipalProvider, ExternalIdent String principalName = propValues.next(); if (!processed.contains(principalName) &
[jackrabbit-oak] branch OAK-10131 created (now 0086a80628)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10131 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at 0086a80628 OAK-10131 : ExternalGroupPrincipalProvider should return ItemBasedPrincipals if dynamic group option is enabled This branch includes the following new commits: new 0086a80628 OAK-10131 : ExternalGroupPrincipalProvider should return ItemBasedPrincipals if dynamic group option is enabled The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] branch trunk updated: OAK-10120 : SessionImpl.hasCapability is prone to NPE, (#855)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new a3dc6a9e7f OAK-10120 : SessionImpl.hasCapability is prone to NPE, (#855) a3dc6a9e7f is described below commit a3dc6a9e7ff06e27b3218b5801e7bb28ed6173f1 Author: anchela AuthorDate: Wed Feb 22 18:20:13 2023 +0100 OAK-10120 : SessionImpl.hasCapability is prone to NPE, (#855) OAK-10121 : Extend SessionImpl.hasCapability to cover access control write operations --- .../jackrabbit/oak/jcr/session/SessionImpl.java| 44 - ...ionImplCapabilityWithMountInfoProviderTest.java | 186 ++--- 2 files changed, 203 insertions(+), 27 deletions(-) diff --git a/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java b/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java index 41e579766b..23414daf09 100644 --- a/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java +++ b/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java @@ -50,6 +50,7 @@ import org.apache.jackrabbit.api.JackrabbitSession; import org.apache.jackrabbit.api.security.principal.PrincipalManager; import org.apache.jackrabbit.api.security.user.UserManager; import org.apache.jackrabbit.api.stats.RepositoryStatistics.Type; +import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils; import org.apache.jackrabbit.commons.xml.DocumentViewExporter; import org.apache.jackrabbit.commons.xml.Exporter; import org.apache.jackrabbit.commons.xml.ParsingContentHandler; 
@@ -68,6 +69,7 @@ import org.apache.jackrabbit.oak.jcr.xml.ImportHandler; import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider; import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials; import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; import org.apache.jackrabbit.oak.stats.CounterStats; import org.apache.jackrabbit.util.Text; import org.jetbrains.annotations.NotNull; @@ -679,6 +681,7 @@ public class SessionImpl implements JackrabbitSession { requireNonNull(target, "parameter 'target' must not be null"); checkAlive(); +AccessManager accessMgr = sessionContext.getAccessManager(); if (target instanceof ItemImpl) { ItemDelegate dlg = ((ItemImpl) target).dlg; if (dlg.isProtected()) { @@ -696,17 +699,20 @@ public class SessionImpl implements JackrabbitSession { return false; } -AccessManager accessMgr = sessionContext.getAccessManager(); long permission = Permissions.NO_PERMISSION; if (isNode) { Tree tree = ((NodeDelegate) dlg).getTree(); if ("addNode".equals(methodName)) { -if (arguments != null && arguments.length > 0) { +String relPath = getFirstArgument(arguments); +if (relPath != null) { // add-node needs to be checked on the (path of) the // new node that has/will be added -String path = PathUtils.concat(tree.getPath(), - sessionContext.getOakName(arguments[0].toString())); +String path = PathUtils.concat(tree.getPath(), sessionContext.getOakPathOrThrow(relPath)); return accessMgr.hasPermissions(path, Session.ACTION_ADD_NODE) && !isMountedReadOnly(path); +} else { +// invalid arguments -> cannot verify +log.warn("Cannot verify capability to '{}' due to missing or invalid arguments, required a valid relative path.", methodName); +return false; } } else if ("setPrimaryType".equals(methodName) || "addMixin".equals(methodName) || "removeMixin".equals(methodName)) { 
@@ -742,11 +748,41 @@ public class SessionImpl implements JackrabbitSession { && !isMountedReadOnly(dlg.getPath()); } } +} else if (target instanceof AccessControlManager && isPolicyWriteMethod(methodName)) { +if (!hasArguments(arguments)) { +log.warn("Cannot verify capability to '{}' due to missing arguments.", methodName); +return false; +} +String path = getFirstArgument(arguments); +if (path == null) { +return getAccessControlManager().hasPrivileges(null, Acces
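Review bot: in the `@@ -679` hunk the `addNode` branch now uses `sessionContext.getOakPathOrThrow(relPath)` instead of `getOakName(arguments[0].toString())`, so a multi-segment relative path is resolved to the real target path before `hasPermissions(path, ACTION_ADD_NODE)` and `isMountedReadOnly(path)` are evaluated, and a malformed path surfaces as an exception rather than silently passing a mangled name. Returning `false` when `getFirstArgument` yields `null` is the right fail-closed default; consider logging that at `debug` rather than `warn`, because the condition is entirely driven by caller input and can be triggered repeatedly. `AccessManager accessMgr` is hoisted above the `ItemImpl` branch, but the visible `AccessControlManager` branch calls `getAccessControlManager().hasPrivileges(...)` rather than `accessMgr`; if no other new branch uses it, the hoist only adds a lookup to every non-item call.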
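Review bot: in the new `AccessControlManager` branch, `hasArguments(arguments)` rejects an empty array, but afterwards `getFirstArgument(arguments) == null` is treated as the repository-level case and checked against `jcr:modifyAccessControl` with a `null` path. If `getFirstArgument` also returns `null` for a non-`String` first argument, a wrong-typed call is silently evaluated as a repository-level policy write instead of producing the "missing arguments" warning. The outcome is still a privilege check rather than a bypass, but distinguishing an explicit `null` from an unusable argument (warn and return `false` for the latter) would keep the method's contract consistent with the `addNode` branch. Please also add tests for the `null`-path case and for a read-only mount path, since the mount check is what prevents a policy write being reported as possible on a mount that cannot be written.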
[jackrabbit-oak] 01/01: OAK-10120 : SessionImpl.hasCapability is prone to NPE, OAK-10121 : Extend SessionImpl.hasCapability to cover access control write operations
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10120_OAK-10121 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 121bcdcd7a0c91d874a016f937d92e29db255012 Author: angela AuthorDate: Tue Feb 21 15:02:16 2023 +0100 OAK-10120 : SessionImpl.hasCapability is prone to NPE, OAK-10121 : Extend SessionImpl.hasCapability to cover access control write operations --- .../jackrabbit/oak/jcr/session/SessionImpl.java| 44 - ...ionImplCapabilityWithMountInfoProviderTest.java | 186 ++--- 2 files changed, 203 insertions(+), 27 deletions(-) diff --git a/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java b/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java index 41e579766b..23414daf09 100644 --- a/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java +++ b/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java @@ -50,6 +50,7 @@ import org.apache.jackrabbit.api.JackrabbitSession; import org.apache.jackrabbit.api.security.principal.PrincipalManager; import org.apache.jackrabbit.api.security.user.UserManager; import org.apache.jackrabbit.api.stats.RepositoryStatistics.Type; +import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils; import org.apache.jackrabbit.commons.xml.DocumentViewExporter; import org.apache.jackrabbit.commons.xml.Exporter; import org.apache.jackrabbit.commons.xml.ParsingContentHandler; 
@@ -68,6 +69,7 @@ import org.apache.jackrabbit.oak.jcr.xml.ImportHandler; import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider; import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials; import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; import org.apache.jackrabbit.oak.stats.CounterStats; import org.apache.jackrabbit.util.Text; import org.jetbrains.annotations.NotNull; @@ -679,6 +681,7 @@ public class SessionImpl implements JackrabbitSession { requireNonNull(target, "parameter 'target' must not be null"); checkAlive(); +AccessManager accessMgr = sessionContext.getAccessManager(); if (target instanceof ItemImpl) { ItemDelegate dlg = ((ItemImpl) target).dlg; if (dlg.isProtected()) { @@ -696,17 +699,20 @@ public class SessionImpl implements JackrabbitSession { return false; } -AccessManager accessMgr = sessionContext.getAccessManager(); long permission = Permissions.NO_PERMISSION; if (isNode) { Tree tree = ((NodeDelegate) dlg).getTree(); if ("addNode".equals(methodName)) { -if (arguments != null && arguments.length > 0) { +String relPath = getFirstArgument(arguments); +if (relPath != null) { // add-node needs to be checked on the (path of) the // new node that has/will be added -String path = PathUtils.concat(tree.getPath(), - sessionContext.getOakName(arguments[0].toString())); +String path = PathUtils.concat(tree.getPath(), sessionContext.getOakPathOrThrow(relPath)); return accessMgr.hasPermissions(path, Session.ACTION_ADD_NODE) && !isMountedReadOnly(path); +} else { +// invalid arguments -> cannot verify +log.warn("Cannot verify capability to '{}' due to missing or invalid arguments, required a valid relative path.", methodName); +return false; } } else if ("setPrimaryType".equals(methodName) || "addMixin".equals(methodName) || "removeMixin".equals(methodName)) { 
@@ -742,11 +748,41 @@ public class SessionImpl implements JackrabbitSession { && !isMountedReadOnly(dlg.getPath()); } } +} else if (target instanceof AccessControlManager && isPolicyWriteMethod(methodName)) { +if (!hasArguments(arguments)) { +log.warn("Cannot verify capability to '{}' due to missing arguments.", methodName); +return false; +} +String path = getFirstArgument(arguments); +if (path == null) { +return getAccessControlManager().hasPrivileges(null, AccessControlUtils.privilegesFromNames(this, PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL)); +} else { +String oakPath = getOakPathOrThrow(path); +return !isMo
[jackrabbit-oak] branch OAK-10120_OAK-10121 created (now 121bcdcd7a)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10120_OAK-10121 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at 121bcdcd7a OAK-10120 : SessionImpl.hasCapability is prone to NPE, OAK-10121 : Extend SessionImpl.hasCapability to cover access control write operations This branch includes the following new commits: new 121bcdcd7a OAK-10120 : SessionImpl.hasCapability is prone to NPE, OAK-10121 : Extend SessionImpl.hasCapability to cover access control write operations The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] branch trunk updated: OAK-10069 : Best practices on how to setup access control external identities (#851)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 3b9638dda0 OAK-10069 : Best practices on how to setup access control external identities (#851) 3b9638dda0 is described below commit 3b9638dda0ab0f4b4fd7b66bd3f974049620786f Author: anchela AuthorDate: Tue Feb 21 11:42:43 2023 +0100 OAK-10069 : Best practices on how to setup access control external identities (#851) * OAK-10069 : Best practices on how to setup access control external identities * Update oak-doc/src/site/markdown/security/authentication/external/bestpractices.md Co-authored-by: Jörg Hoh * Update oak-doc/src/site/markdown/security/authentication/external/bestpractices.md Co-authored-by: Jörg Hoh * OAK-10069 : Best practices on how to setup access control external identities (review findings) * Update oak-doc/src/site/markdown/security/authentication/external/bestpractices.md Co-authored-by: Jörg Hoh - Co-authored-by: Jörg Hoh --- oak-doc/src/site/markdown/dos_and_donts.md | 1 + .../authentication/external/bestpractices.md | 128 + .../authentication/external/defaultusersync.md | 47 +--- .../security/authentication/external/dynamic.md| 32 +++--- .../external/externallogin_examples.md | 88 +- .../security/authentication/externalloginmodule.md | 3 +- .../security/authorization/bestpractices.md| 1 + oak-doc/src/site/markdown/security/overview.md | 2 + oak-doc/src/site/markdown/security/principal.md| 6 +- 9 files changed, 270 insertions(+), 38 deletions(-) diff --git a/oak-doc/src/site/markdown/dos_and_donts.md b/oak-doc/src/site/markdown/dos_and_donts.md index 41b32dc227..fda15e06a4 100644 --- a/oak-doc/src/site/markdown/dos_and_donts.md +++ b/oak-doc/src/site/markdown/dos_and_donts.md 
@@ -122,6 +122,7 @@ c = d.getParent(); // preferred way to fetch the pa ``` ## Security - [Best Practices for Authorization](security/authorization/bestpractices.html) +- [Best Practices for External Authentication](security/authentication/external/bestpractices.html) ## Misc ### Don't use Thread.interrupt() diff --git a/oak-doc/src/site/markdown/security/authentication/external/bestpractices.md b/oak-doc/src/site/markdown/security/authentication/external/bestpractices.md new file mode 100644 index 00..55f5829c09 --- /dev/null +++ b/oak-doc/src/site/markdown/security/authentication/external/bestpractices.md 
@@ -0,0 +1,128 @@ + + +# Best Practices for External Authentication + + + +## Before you get started + +Before you get started make sure you are familiar with the basic concepts of JCR authentication, and its implementation in Apache Jackrabbit Oak. + +External authentication in Oak refers to integrating a third party identity provider like LDAP or SAML into the authentication setup optionally combining it with other built-in authentication mechanisms. + +## Best Practices + +### JAAS Setup + +When combining external authentication with other built-in or custom [login modules] make sure to define a [configuration] with the optimal order and the proper [control flag] for each module to cover all cases. The order should be chosen such that optional and sufficient login modules come first. Potentially expensive authentication against a third party identity provider as well as those for rare use cases should be defined with a lower ranking. + +Additional reading: https://docs.oracle.com/en/java/javase/11/security/appendix-b-jaas-login-configuration-file.html#GUID-7EB80FA5-3C16-4016-AED6-0FC619F86F8E + + Combination with Token Authentication + +Whenever JCR sessions created with Oak are short-lived (e.g. only lasting for a single HTTP request) authentication against an external IDP may not perform well. It is therefore recommended to use external authentication in combination with an additional authentication mechanism like e.g. the built-in [token login](../tokenmanagement.html). + +Make sure the token login module has [control flag] 'SUFFICIENT' and is evaluated prior to the external login that connects to the external IDP. + + Combination with Default Authentication + +Oak comes with a default login for user accounts stored and managed inside the JCR content repository. This also includes support for default users like 'anonymous' (guest) and 'admin' with full access to the repository. 
If this is desired, it is recommend to also add the [default `LoginModule`](../default.html#uid_pw) to the JAAS configuration. + +The optional order depends on the frequency of default vs external login: if login or impersonation against local users occurs frequently (e.g
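Review bot: two wording issues in the added bestpractices.md: "it is recommend to also add" should be "it is recommended to also add", and "The optional order depends on the frequency" almost certainly means "The optimal order", matching "the optimal order and the proper control flag" earlier in the same file. On substance, the token section says the token module must be SUFFICIENT and evaluated before the external login; it would help readers to state the consequence, namely that while a token is valid the IDP is not consulted at all, so an account disabled at the IDP keeps working until the token expires, and token expiration should be sized with that in mind.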
[jackrabbit-oak] branch OAK-10069 updated (f470f92728 -> 31bf973f7a)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10069 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from f470f92728 OAK-10069 : Best practices on how to setup access control external identities (review findings) add 31bf973f7a Update oak-doc/src/site/markdown/security/authentication/external/bestpractices.md No new revisions were added by this update. Summary of changes: .../src/site/markdown/security/authentication/external/bestpractices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
[jackrabbit-oak] branch OAK-10069 updated (a20efc00f0 -> f470f92728)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10069 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from a20efc00f0 Update oak-doc/src/site/markdown/security/authentication/external/bestpractices.md add ae1dc80d31 OAK-10069 : Best practices on how to setup access control external identities (review findings) add f470f92728 OAK-10069 : Best practices on how to setup access control external identities (review findings) No new revisions were added by this update. Summary of changes: .../authentication/external/bestpractices.md | 113 - 1 file changed, 41 insertions(+), 72 deletions(-)
[jackrabbit-oak] branch OAK-10069 updated (c47240d855 -> a20efc00f0)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10069 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from c47240d855 Update oak-doc/src/site/markdown/security/authentication/external/bestpractices.md add a20efc00f0 Update oak-doc/src/site/markdown/security/authentication/external/bestpractices.md No new revisions were added by this update. Summary of changes: .../src/site/markdown/security/authentication/external/bestpractices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
[jackrabbit-oak] branch OAK-10069 updated (84ff0c267d -> c47240d855)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10069 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from 84ff0c267d OAK-10069 : Best practices on how to setup access control external identities add c47240d855 Update oak-doc/src/site/markdown/security/authentication/external/bestpractices.md No new revisions were added by this update. Summary of changes: .../src/site/markdown/security/authentication/external/bestpractices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
[jackrabbit-oak] 01/01: OAK-10069 : Best practices on how to setup access control external identities
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10069 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 84ff0c267d4a35a28f27fbb74897754e4206311b Author: angela AuthorDate: Thu Feb 16 17:47:26 2023 +0100 OAK-10069 : Best practices on how to setup access control external identities --- oak-doc/src/site/markdown/dos_and_donts.md | 1 + .../authentication/external/bestpractices.md | 159 + .../authentication/external/defaultusersync.md | 47 +++--- .../security/authentication/external/dynamic.md| 32 +++-- .../external/externallogin_examples.md | 88 +++- .../security/authentication/externalloginmodule.md | 3 +- .../security/authorization/bestpractices.md| 1 + oak-doc/src/site/markdown/security/overview.md | 2 + oak-doc/src/site/markdown/security/principal.md| 6 +- 9 files changed, 301 insertions(+), 38 deletions(-) diff --git a/oak-doc/src/site/markdown/dos_and_donts.md b/oak-doc/src/site/markdown/dos_and_donts.md index 41b32dc227..fda15e06a4 100644 --- a/oak-doc/src/site/markdown/dos_and_donts.md +++ b/oak-doc/src/site/markdown/dos_and_donts.md @@ -122,6 +122,7 @@ c = d.getParent(); // preferred way to fetch the pa ``` ## Security - [Best Practices for Authorization](security/authorization/bestpractices.html) +- [Best Practices for External Authentication](security/authentication/external/bestpractices.html) ## Misc ### Don't use Thread.interrupt() diff --git a/oak-doc/src/site/markdown/security/authentication/external/bestpractices.md b/oak-doc/src/site/markdown/security/authentication/external/bestpractices.md new file mode 100644 index 00..b2ef8bfbf4 --- /dev/null +++ b/oak-doc/src/site/markdown/security/authentication/external/bestpractices.md 
@@ -0,0 +1,159 @@ + + +# Best Practices for External Authentication + + + +## Before you get started + +Before you get started make sure you are familiar with the basic concepts of JCR authentication, and it's implementation +in Apache Jackrabbit Oak. + +External authentication in Oak refers to integrating a third party identity provider like LDAP or SAML into the +authentication setup optionally combining it with other built-in authentication mechanisms. + +## Best Practices + +### JAAS Setup + +When combining external authentication with other built-in or custom +[login modules](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/spi/LoginModule.html) +make sure to define a +[configuration](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/login/Configuration.html) +with the optimal order and the proper [control flag](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/login/AppConfigurationEntry.LoginModuleControlFlag.html) +for each module to cover all cases. + +Additional reading: https://docs.oracle.com/en/java/javase/11/security/appendix-b-jaas-login-configuration-file.html#GUID-7EB80FA5-3C16-4016-AED6-0FC619F86F8E + + Combination with Token Authentication + +Whenever JCR sessions created with Oak are short-lived (e.g. only lasting for a single HTTP request) authentication +against an external IDP may not perform well. It is therefore recommended to use external authentication in combination +with an additional authentication mechanism like e.g. the built-in [token login](../tokenmanagement.html). + +Make sure the token-login is 'sufficient' and is evaluated prior to the external login that connects to the external IDP. + + Combination with Default Authentication + +Oak comes with a default login for user accounts stored and managed inside the JCR content repository. 
This also includes +support for default users like an anonymous guest, and an administrator with full access to the repository. If this is +desired, it is recommend to also add the [default `LoginModule`](../default.html#uid_pw) to the JAAS configuration. + +The optional order depends on the frequency of default vs external login. + +# Example JAAS Configuration + +The following JAAS configuration can e.g. be used when running an Oak repository with external authentication +in combination with Apache Sling (see also other [examples](externallogin_examples.html)): + +| Ranking | Control Flag | LoginModule Class Name | +|-|--|| +| 300 | OPTIONAL | org.apache.jackrabbit.oak.spi.security.authentication.GuestLoginModule | +| 200 | SUFFICIENT | org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule | +| 150 | SUFFICIENT | org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory | +| 100 | SUFFICIENT | org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl | + +### Synchronization of Users
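Review bot: the new bestpractices.md has wording slips and a heading-level problem in this hunk that should be fixed before it lands: "basic concepts of JCR authentication, and it's implementation" should read "its implementation", "it is recommend to also add" should read "it is recommended", and "The optional order depends on the frequency of default vs external login" almost certainly means "The optimal order". That sentence also undersells the ordering decision: with every module flagged SUFFICIENT, the first module that succeeds ends the JAAS chain, so the relative ranking of `ExternalLoginModuleFactory` (150) and `LoginModuleImpl` (100) decides which backend a userId that exists both locally and in the IDP is authenticated against, not just how fast the common case is; state that next to the table. Finally, `# Example JAAS Configuration` is a top-level heading inside the `### JAAS Setup` section; if it is meant as a sub-section like the "Combination with ..." entries (whose heading markers appear to have been lost in this rendering), it needs a deeper level or it will split the page's table of contents.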
[jackrabbit-oak] branch OAK-10069 created (now 84ff0c267d)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10069 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at 84ff0c267d OAK-10069 : Best practices on how to setup access control external identities This branch includes the following new commits: new 84ff0c267d OAK-10069 : Best practices on how to setup access control external identities The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] branch trunk updated: OAK-10107 : update javadoc of class org.apache.jackrabbit.oak.plugins.nodetype.write.ReadWriteNodeTypeManager
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 9ad1ebaa02 OAK-10107 : update javadoc of class org.apache.jackrabbit.oak.plugins.nodetype.write.ReadWriteNodeTypeManager 9ad1ebaa02 is described below commit 9ad1ebaa022802f3851974af2c3848ccb0fb23b0 Author: angela AuthorDate: Thu Feb 16 12:07:44 2023 +0100 OAK-10107 : update javadoc of class org.apache.jackrabbit.oak.plugins.nodetype.write.ReadWriteNodeTypeManager --- .../nodetype/write/ReadWriteNodeTypeManager.java | 106 ++--- 1 file changed, 91 insertions(+), 15 deletions(-) diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/nodetype/write/ReadWriteNodeTypeManager.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/nodetype/write/ReadWriteNodeTypeManager.java index 91bd59386f..54617b1afa 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/nodetype/write/ReadWriteNodeTypeManager.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/nodetype/write/ReadWriteNodeTypeManager.java 
@@ -16,12 +16,12 @@ */ package org.apache.jackrabbit.oak.plugins.nodetype.write; -import static org.apache.jackrabbit.JcrConstants.JCR_SYSTEM; -import static org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants.JCR_NODE_TYPES; -import static org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants.NODE_TYPES_PATH; - -import java.util.ArrayList; -import java.util.List; +import org.apache.jackrabbit.commons.iterator.NodeTypeIteratorAdapter; +import org.apache.jackrabbit.oak.api.CommitFailedException; +import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager; +import org.jetbrains.annotations.NotNull; import javax.jcr.RepositoryException; import javax.jcr.nodetype.ConstraintViolationException; @@ -29,16 +29,16 @@ import javax.jcr.nodetype.NoSuchNodeTypeException; import javax.jcr.nodetype.NodeDefinitionTemplate; import javax.jcr.nodetype.NodeType; import javax.jcr.nodetype.NodeTypeDefinition; +import javax.jcr.nodetype.NodeTypeExistsException; import javax.jcr.nodetype.NodeTypeIterator; import javax.jcr.nodetype.NodeTypeTemplate; import javax.jcr.nodetype.PropertyDefinitionTemplate; +import java.util.ArrayList; +import java.util.List; -import org.apache.jackrabbit.commons.iterator.NodeTypeIteratorAdapter; -import org.apache.jackrabbit.oak.api.CommitFailedException; -import org.apache.jackrabbit.oak.api.Root; -import org.apache.jackrabbit.oak.api.Tree; -import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager; -import org.jetbrains.annotations.NotNull; +import static org.apache.jackrabbit.JcrConstants.JCR_SYSTEM; +import static org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants.JCR_NODE_TYPES; +import static org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants.NODE_TYPES_PATH; /** * {@code ReadWriteNodeTypeManager} extends the {@link ReadOnlyNodeTypeManager} 
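Review bot: the first two hunks only reorder imports (the static imports move to the bottom, `java.util` moves below `javax.jcr`, the `org.apache` and `org.jetbrains` block moves to the top), which has nothing to do with the javadoc update the commit message names and makes the documentation change harder to review; keep the existing import order or put the reordering in its own commit.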
@@ -95,28 +95,72 @@ public abstract class ReadWriteNodeTypeManager extends ReadOnlyNodeTypeManager { } //< NodeTypeManager >--- - +/** + * Returns an empty {@code NodeTypeTemplate} which can then be used to + * define a node type and passed to {@code NodeTypeManager.registerNodeType}. + * + * @return A new empty {@code NodeTypeTemplate}. + * @since JCR 2.0 + */ @Override public NodeTypeTemplate createNodeTypeTemplate() { return new NodeTypeTemplateImpl(getNamePathMapper()); } +/** + * Returns a {@code NodeTypeTemplate} from the given definition, which can then be used to + * define a node type and passed to {@code NodeTypeManager.registerNodeType}. + * + * @return A new {@code NodeTypeTemplate}. + * @since JCR 2.0 + */ @Override public NodeTypeTemplate createNodeTypeTemplate(NodeTypeDefinition ntd) throws ConstraintViolationException { return new NodeTypeTemplateImpl(getNamePathMapper(), ntd); } +/** + * Returns an empty {@code NodeDefinitionTemplate} which can then be + * used to create a child node definition and attached to a + * {@code NodeTypeTemplate}. + * + * @return A new {@code NodeDefinitionTemplate}. + * @since JCR 2.0 + */ @Override public NodeDefinitionTemplate createNodeDefinitionTemplate() { return new NodeDefinitionTemplateImpl(getNamePathMapper()); } +/** + * Returns an empty {@code PropertyDefinitionTemplate} which can then + * be used to create a property definition and attached to a + * {@code NodeTypeTemplate}. + * + * @return A new {@code PropertyDefinitionTemplate}. + * @since J
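Review bot: the javadoc added for `createNodeTypeTemplate(NodeTypeDefinition ntd)` documents only the return value, although the method takes a parameter and declares `throws ConstraintViolationException`; add `@param ntd` and a `@throws ConstraintViolationException` line saying when the given definition is rejected. The other three templates take no parameters, so their blocks are complete as written.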
[jackrabbit-oak] branch trunk updated: OAK-10099 : DynamicSyncContext: skip warning for everyone group
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new d807a6943c OAK-10099 : DynamicSyncContext: skip warning for everyone group d807a6943c is described below commit d807a6943cd35fd089b455f72cd2c05b52b0d298 Author: angela AuthorDate: Wed Feb 1 18:40:32 2023 +0100 OAK-10099 : DynamicSyncContext: skip warning for everyone group --- .../authentication/external/impl/DynamicSyncContext.java| 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java index 6662b86d30..b64e0bf42b 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java @@ -33,6 +33,7 @@ import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.Defa import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext; import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncResultImpl; import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncedIdentity; +import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl; import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; 
@@ -351,8 +352,8 @@ public class DynamicSyncContext extends DefaultSyncContext { // clear auto-membership grp.removeMember(authorizable); clearGroupMembership(grp, groupPrincipalNames, toRemove); -} else { -// some other membership that has not been added by the sync process +} else if (!isEveryone(grp)){ +// some other membership that has not been added by the sync process (but skip for dynamic 'everyone' group) log.warn("Ignoring unexpected membership of '{}' in group '{}' crossing IDP boundary.", authorizable.getID(), grp.getID()); } } @@ -378,6 +379,14 @@ public class DynamicSyncContext extends DefaultSyncContext { return authorizable.hasProperty(REP_LAST_SYNCED) && !authorizable.hasProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES); } +private static boolean isEveryone(@NotNull Group group) { +try { +return EveryonePrincipal.NAME.equals(group.getPrincipal().getName()); +} catch (RepositoryException e) { +return false; +} +} + /** * Helper object to avoid repeated lookup of principalName, {@link ExternalGroup} and synchronized {@link Group} for * a given {@link ExternalIdentityRef} during {@link #syncMembership(ExternalIdentity, Authorizable, long)}.
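Review bot: in the first hunk, `} else if (!isEveryone(grp)){` drops the space before the brace that the `} else {` it replaces had; also the comment "(but skip for dynamic 'everyone' group)" would be more useful if it said why, i.e. that every authorizable is implicitly a member of everyone, so that membership can never be one the sync process added or needs to warn about.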
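Review bot: `isEveryone` in the second hunk swallows the `RepositoryException` from `group.getPrincipal()` and returns false, so a failed principal lookup on the everyone group silently falls through to the "Ignoring unexpected membership" warning with no hint of the real cause; log the exception at debug level before returning false.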
[jackrabbit-oak] branch trunk updated: OAK-10082 : Group.getMembers() needs to resolve inherited members of dynamic groups (#834)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new bef38e97fa OAK-10082 : Group.getMembers() needs to resolve inherited members of dynamic groups (#834) bef38e97fa is described below commit bef38e97fa57ffa7b11a971e7a005eabfc45c805 Author: anchela AuthorDate: Wed Jan 25 09:29:56 2023 +0100 OAK-10082 : Group.getMembers() needs to resolve inherited members of dynamic groups (#834) --- .../external/impl/DynamicSyncTest.java | 38 +- .../jackrabbit/oak/security/user/GroupImpl.java| 6 +- .../security/user/InheritedMembersIterator.java| 92 + .../user/InheritedMembersIteratorTest.java | 142 + 4 files changed, 276 insertions(+), 2 deletions(-) diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java index 348c188ea5..1f83bfad5d 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java @@ -56,6 +56,7 @@ public class DynamicSyncTest extends AbstractDynamicTest { private Group autoForGroups; private Group autoForUsers; private Group base; +private Group base2; @Override public void before() throws Exception { @@ -72,7 +73,7 @@ public class DynamicSyncTest extends AbstractDynamicTest { userManager.createGroup(EveryonePrincipal.getInstance()); -Group base2 = userManager.createGroup(BASE2_ID); +base2 = userManager.createGroup(BASE2_ID); base2.addMember(autoForUsers); r.commit(); 
@@ -177,6 +178,41 @@ public class DynamicSyncTest extends AbstractDynamicTest { assertFalse(autoForUsers.isMember(base)); } +@Test +public void testInheritedBaseGroup() throws Exception { +ExternalUser externalUser = idp.getUser(USER_ID); +sync(externalUser, SyncResult.Status.ADD); + +Authorizable user = userManager.getAuthorizable(USER_ID); + +// verify group 'base' +Set expDeclaredMemberIds = ImmutableSet.of(AUTO_GROUPS, AUTO_USERS, "a", "b"); +assertExpectedIds(expDeclaredMemberIds, base.getDeclaredMembers()); +assertFalse(base.isDeclaredMember(user)); + +Set expMemberIds = ImmutableSet.of(USER_ID, AUTO_GROUPS, AUTO_USERS, "a", "b", "c", "aa", "aaa"); + assertExpectedIds(expMemberIds, base.getMembers()); +assertTrue(base.isMember(user)); +} + +@Test +public void testInheritedBase2Group() throws Exception { +ExternalUser externalUser = idp.getUser(USER_ID); +sync(externalUser, SyncResult.Status.ADD); + +Authorizable user = userManager.getAuthorizable(USER_ID); + +// verify group 'base2' +Set expDeclaredMemberIds = ImmutableSet.of(AUTO_USERS); +assertExpectedIds(expDeclaredMemberIds, base2.getDeclaredMembers()); + +assertFalse(base2.isDeclaredMember(user)); + +Set expMemberIds = ImmutableSet.of(USER_ID, AUTO_USERS); +assertExpectedIds(expMemberIds, base2.getMembers()); +assertTrue(base2.isMember(user)); +} + private static void assertIsMember(@NotNull Group group, boolean declared, @NotNull Authorizable... members) { try { for (Authorizable member : members) { diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java index 59d0fa786f..48076dcdb8 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java 
@@ -222,7 +222,11 @@ class GroupImpl extends AuthorizableImpl implements Group { return AuthorizableIterator.create(true, dynamicMembers, AuthorizableIterator.empty()); } -AuthorizableIterator members = AuthorizableIterator.create(trees, userMgr, AuthorizableType.AUTHORIZABLE); +Iterator members = AuthorizableIterator.create(trees, userMgr, AuthorizableType.AUTHORIZABLE); +if (includeInherited) { +// need to resolve dynamic members of declared and inherited group-members +members = new InheritedMembersIterator(members, dmp); +} AuthorizableIterator allMembers = AuthorizableIterator.create(true, dynamicMembers, members);
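Review bot: `testInheritedBaseGroup` and `testInheritedBase2Group` in the `DynamicSyncTest` hunk repeat the same setup (`idp.getUser(USER_ID)`, `sync(externalUser, SyncResult.Status.ADD)`, `userManager.getAuthorizable(USER_ID)`) before their assertions; a small helper that syncs and returns the user would leave the expected-id sets as the only thing that differs between the two tests. The stray indentation before `assertExpectedIds(expMemberIds, base.getMembers());` should also be aligned with the surrounding lines.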
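Review bot: in the `GroupImpl` hunk, `members` changes from `AuthorizableIterator` to a plain `Iterator` so that it can be wrapped in `InheritedMembersIterator` when `includeInherited` is set; check that `AuthorizableIterator.create(true, dynamicMembers, members)` still produces a meaningful size for the `RangeIteratorAdapter(allMembers, allMembers.getSize())` that follows, because resolving dynamic members of inherited groups adds entries the wrapped iterator's size does not account for, and a wrong size is worse for callers than an unknown one.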
[jackrabbit-oak] 01/01: OAK-10082 : Group.getMembers() needs to resolve inherited members of dynamic groups
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10082 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit b6f8307bc557eaa4c3062e3d22bf4221dd818f8c Author: angela AuthorDate: Tue Jan 24 16:21:43 2023 +0100 OAK-10082 : Group.getMembers() needs to resolve inherited members of dynamic groups --- .../external/impl/DynamicSyncTest.java | 38 +- .../jackrabbit/oak/security/user/GroupImpl.java| 6 +- .../security/user/InheritedMembersIterator.java| 92 + .../user/InheritedMembersIteratorTest.java | 142 + 4 files changed, 276 insertions(+), 2 deletions(-) diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java index 348c188ea5..1f83bfad5d 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java @@ -56,6 +56,7 @@ public class DynamicSyncTest extends AbstractDynamicTest { private Group autoForGroups; private Group autoForUsers; private Group base; +private Group base2; @Override public void before() throws Exception { @@ -72,7 +73,7 @@ public class DynamicSyncTest extends AbstractDynamicTest { userManager.createGroup(EveryonePrincipal.getInstance()); -Group base2 = userManager.createGroup(BASE2_ID); +base2 = userManager.createGroup(BASE2_ID); base2.addMember(autoForUsers); r.commit(); 
@@ -177,6 +178,41 @@ public class DynamicSyncTest extends AbstractDynamicTest { assertFalse(autoForUsers.isMember(base)); } +@Test +public void testInheritedBaseGroup() throws Exception { +ExternalUser externalUser = idp.getUser(USER_ID); +sync(externalUser, SyncResult.Status.ADD); + +Authorizable user = userManager.getAuthorizable(USER_ID); + +// verify group 'base' +Set expDeclaredMemberIds = ImmutableSet.of(AUTO_GROUPS, AUTO_USERS, "a", "b"); +assertExpectedIds(expDeclaredMemberIds, base.getDeclaredMembers()); +assertFalse(base.isDeclaredMember(user)); + +Set expMemberIds = ImmutableSet.of(USER_ID, AUTO_GROUPS, AUTO_USERS, "a", "b", "c", "aa", "aaa"); + assertExpectedIds(expMemberIds, base.getMembers()); +assertTrue(base.isMember(user)); +} + +@Test +public void testInheritedBase2Group() throws Exception { +ExternalUser externalUser = idp.getUser(USER_ID); +sync(externalUser, SyncResult.Status.ADD); + +Authorizable user = userManager.getAuthorizable(USER_ID); + +// verify group 'base2' +Set expDeclaredMemberIds = ImmutableSet.of(AUTO_USERS); +assertExpectedIds(expDeclaredMemberIds, base2.getDeclaredMembers()); + +assertFalse(base2.isDeclaredMember(user)); + +Set expMemberIds = ImmutableSet.of(USER_ID, AUTO_USERS); +assertExpectedIds(expMemberIds, base2.getMembers()); +assertTrue(base2.isMember(user)); +} + private static void assertIsMember(@NotNull Group group, boolean declared, @NotNull Authorizable... members) { try { for (Authorizable member : members) { diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java index 59d0fa786f..48076dcdb8 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java 
@@ -222,7 +222,11 @@ class GroupImpl extends AuthorizableImpl implements Group { return AuthorizableIterator.create(true, dynamicMembers, AuthorizableIterator.empty()); } -AuthorizableIterator members = AuthorizableIterator.create(trees, userMgr, AuthorizableType.AUTHORIZABLE); +Iterator members = AuthorizableIterator.create(trees, userMgr, AuthorizableType.AUTHORIZABLE); +if (includeInherited) { +// need to resolve dynamic members of declared and inherited group-members +members = new InheritedMembersIterator(members, dmp); +} AuthorizableIterator allMembers = AuthorizableIterator.create(true, dynamicMembers, members); return new RangeIteratorAdapter(allMembers, allMembers.getSize()); } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/InheritedMembersIterator.java b/oak-core/src/main/java/org/apache/ja
[jackrabbit-oak] branch OAK-10082 created (now b6f8307bc5)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10082 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at b6f8307bc5 OAK-10082 : Group.getMembers() needs to resolve inherited members of dynamic groups This branch includes the following new commits: new b6f8307bc5 OAK-10082 : Group.getMembers() needs to resolve inherited members of dynamic groups
[jackrabbit-oak] branch trunk updated: OAK-10074 : AutoMembershipProvider consistency with ExternalPrincipalProvider
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new bf02e7adc1 OAK-10074 : AutoMembershipProvider consistency with ExternalPrincipalProvider bf02e7adc1 is described below commit bf02e7adc1f1a0fb06f05b7663ec0a695d1710af Author: angela AuthorDate: Thu Jan 19 18:25:30 2023 +0100 OAK-10074 : AutoMembershipProvider consistency with ExternalPrincipalProvider --- .../impl/principal/AutoMembershipProvider.java | 4 +-- .../external/impl/DynamicSyncTest.java | 34 ++ 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java index a4c49a70b4..84595ab803 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java @@ -52,7 +52,6 @@ import java.util.stream.StreamSupport; import static org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants.REP_EXTERNAL_ID; import static org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.DynamicGroupUtil.getIdpName; import static org.apache.jackrabbit.oak.spi.security.user.UserConstants.NT_REP_AUTHORIZABLE; -import static org.apache.jackrabbit.oak.spi.security.user.UserConstants.NT_REP_GROUP; import static org.apache.jackrabbit.oak.spi.security.user.UserConstants.NT_REP_USER; import static org.apache.jackrabbit.oak.spi.security.user.UserConstants.REP_AUTHORIZABLE_ID; 
@@ -190,7 +189,8 @@ class AutoMembershipProvider implements DynamicMembershipProvider { return; } -String nodeType = (groupIdpNames.isEmpty()) ? NT_REP_USER : (idpNames.size() == groupIdpNames.size()) ? NT_REP_GROUP : NT_REP_AUTHORIZABLE; +// currently 'group.automembership' is added for all users -> search for type authorizable (not just groups) +String nodeType = (groupIdpNames.isEmpty()) ? NT_REP_USER : NT_REP_AUTHORIZABLE; // since this provider is only enabled for dynamic-automembership the 'includeInherited' flag can be ignored. // as group-membership for dynamic users is flattened and automembership-configuration for groups is included. diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java index 0f55531f0e..348c188ea5 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncTest.java @@ -37,6 +37,7 @@ import java.util.List; import java.util.Set; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; 
@@ -143,6 +144,39 @@ public class DynamicSyncTest extends AbstractDynamicTest { assertExpectedIds(expectedIds, aGroup.declaredMemberOf(), aGroup.memberOf()); } +@Test +public void testAutomembershipGroups() throws Exception { +ExternalUser externalUser = idp.getUser(USER_ID); +sync(externalUser, SyncResult.Status.ADD); + +Authorizable user = userManager.getAuthorizable(USER_ID); +Group aGroup = userManager.getAuthorizable("a", Group.class); + +// verify group 'autoForGroups' +Set expMemberIds = ImmutableSet.of("a", "b", "c", "aa", "aaa", USER_ID); +assertExpectedIds(expMemberIds, autoForGroups.getDeclaredMembers(), autoForGroups.getMembers()); +assertIsMember(autoForGroups, true, user, aGroup); +assertIsMember(autoForGroups, false, user, aGroup); +assertFalse(autoForGroups.isMember(base)); +} + +@Test +public void testAutomembershipUsers() throws Exception { +ExternalUser externalUser = idp.getUser(USER_ID); +sync(externalUser, SyncResult.Status.ADD); + +Authorizable user = userManager.getAuthorizable(USER_ID); +Group aGroup = userManager.getAuthorizable("a", Group.class); + +// verify group 'autoForUsers' +
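Review bot: the `AutoMembershipProvider` hunk widens the search to `NT_REP_AUTHORIZABLE` whenever group automembership is configured and drops the `NT_REP_GROUP` branch that was taken when every IDP had group automembership, with a comment saying this is "currently" how `group.automembership` behaves; reference the issue (OAK-10074) or add a TODO so the condition is revisited if group automembership is ever limited to groups, and note in the comment that the wider node type also scans user nodes, which the removed equal-size branch avoided.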
[jackrabbit-oak] branch trunk updated: OAK-10073 : Additional tests combining dynamic groups and automembership
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 0d116a9cfc OAK-10073 : Additional tests combining dynamic groups and automembership 0d116a9cfc is described below commit 0d116a9cfc3480d62672ee9316c2b5344bf7c9ab Author: angela AuthorDate: Thu Jan 19 16:54:48 2023 +0100 OAK-10073 : Additional tests combining dynamic groups and automembership --- .../external/impl/AbstractDynamicTest.java | 126 .../external/impl/DynamicGroupsTest.java | 19 +-- .../external/impl/DynamicSyncContextTest.java | 69 + .../external/impl/DynamicSyncTest.java | 167 + 4 files changed, 297 insertions(+), 84 deletions(-) diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/AbstractDynamicTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/AbstractDynamicTest.java new file mode 100644 index 00..392508b72a --- /dev/null +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/AbstractDynamicTest.java 
@@ -0,0 +1,126 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.spi.security.authentication.external.impl; + +import com.google.common.collect.ImmutableList; +import com.google.common.collect.Iterables; +import com.google.common.collect.Iterators; +import org.apache.jackrabbit.api.security.user.Authorizable; +import org.apache.jackrabbit.api.security.user.UserManager; +import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.spi.security.authentication.external.AbstractExternalAuthTest; +import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity; +import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser; +import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult; +import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig; +import org.jetbrains.annotations.NotNull; +import org.junit.After; +import org.junit.Before; + +import javax.jcr.RepositoryException; +import javax.jcr.ValueFactory; +import java.security.Principal; +import java.util.Iterator; +import java.util.List; + +import static org.junit.Assert.assertSame; + +public abstract class 
AbstractDynamicTest extends AbstractExternalAuthTest { + +Root r; +UserManager userManager; +ValueFactory valueFactory; + +DynamicSyncContext syncContext; + +// the external user identity that has been synchronized before dynamic membership is enabled. +ExternalUser previouslySyncedUser; + +@Before +public void before() throws Exception { +super.before(); +r = getSystemRoot(); + +createAutoMembershipGroups(); +previouslySyncedUser = syncPriorToDynamicMembership(); + +userManager = getUserManager(r); +valueFactory = getValueFactory(r); +syncContext = new DynamicSyncContext(syncConfig, idp, userManager, valueFactory); + +// inject user-configuration as well as sync-handler and sync-hander-mapping to have get dynamic-membership +// providers registered. +context.registerInjectActivateService(getUserConfiguration()); +registerSyncHandler(syncConfigAsMap(), idp.getName()); +} + +@After +public void after() throws Exception { +try { +syncContext.close(); +r.refresh(); +} finally { +super.after(); +} +} + +private void createAutoMembershipGroups() throws RepositoryException { +DefaultSyncConfig sc = createSyncConfig(); +UserManager um = getUserManager(r); +// create automembership groups +for (String id : Iterables.concat(sc.user().getAutoMembership(), sc.group().getAutoMembership())) { +um.createGroup(id); +} +} + +/**
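Review bot: the comment in `before()` of the new `AbstractDynamicTest` reads "sync-handler and sync-hander-mapping to have get dynamic-membership providers registered"; fix it to "sync-handler-mapping so that the dynamic-membership providers get registered". The imports for `ImmutableList`, `Iterators`, `Principal`, `Iterator`, `List`, `ExternalIdentity` and `assertSame` are not used by anything visible in this hunk; if the truncated remainder of the class does not use them either, drop them.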
[jackrabbit-oak] branch trunk updated: OAK-10071 : Consistently filter duplicate authorizables in iterators
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 7f4296a2d4 OAK-10071 : Consistently filter duplicate authorizables in iterators 7f4296a2d4 is described below commit 7f4296a2d42e7d80e83e51069ed531cde4488be2 Author: angela AuthorDate: Thu Jan 19 15:27:14 2023 +0100 OAK-10071 : Consistently filter duplicate authorizables in iterators --- .../oak/security/user/AuthorizableImpl.java| 6 +- .../oak/security/user/AuthorizableIterator.java| 7 ++ .../jackrabbit/oak/security/user/GroupImpl.java| 4 +- .../oak/security/user/DuplicateMembershipTest.java | 130 + 4 files changed, 140 insertions(+), 7 deletions(-) diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java index 7e4418682d..f9647c8e4e 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java @@ -289,11 +289,7 @@ abstract class AuthorizableImpl implements Authorizable, UserConstants, TreeAwar MembershipProvider mMgr = getMembershipProvider(); Iterator trees = mMgr.getMembership(getTree(), includeInherited); -if (!trees.hasNext()) { -return dynamicGroups; -} - -AuthorizableIterator groups = AuthorizableIterator.create(trees, userManager, AuthorizableType.GROUP); +AuthorizableIterator groups = (!trees.hasNext()) ? AuthorizableIterator.empty() : AuthorizableIterator.create(trees, userManager, AuthorizableType.GROUP); AuthorizableIterator allGroups = AuthorizableIterator.create(true, dynamicGroups, groups); return new RangeIteratorAdapter(allGroups); } 
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java index 81f25592af..eabac4abdc 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java @@ -44,6 +44,8 @@ final class AuthorizableIterator implements Iterator { private final Iterator authorizables; private final long size; private final Set servedIds; + +private static AuthorizableIterator EMPTY = new AuthorizableIterator(Iterators.emptyIterator(), 0, false); @NotNull static AuthorizableIterator create(@NotNull Iterator authorizableTrees, @@ -68,6 +70,11 @@ final class AuthorizableIterator implements Iterator { } return new AuthorizableIterator(Iterators.concat(it1, it2), size, filterDuplicates); } + +@NotNull +static AuthorizableIterator empty() { +return EMPTY; +} private AuthorizableIterator(Iterator authorizables, long size, boolean filterDuplicates) { if (filterDuplicates) { diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java index 7df7efc72c..59d0fa786f 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java 
@@ -213,13 +213,13 @@ class GroupImpl extends AuthorizableImpl implements Group { DynamicMembershipProvider dmp = getUserManager().getDynamicMembershipProvider(); Iterator dynamicMembers = dmp.getMembers(this, includeInherited); if (dmp.coversAllMembers(this)) { -return dynamicMembers; +return AuthorizableIterator.create(true, dynamicMembers, AuthorizableIterator.empty()); } // dynamic membership didn't cover all members -> extract from group-tree Iterator trees = getMembershipProvider().getMembers(getTree(), includeInherited); if (!trees.hasNext()) { -return dynamicMembers; +return AuthorizableIterator.create(true, dynamicMembers, AuthorizableIterator.empty()); } AuthorizableIterator members = AuthorizableIterator.create(trees, userMgr, AuthorizableType.AUTHORIZABLE); diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/DuplicateMembershipTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/DuplicateMembershipTest.java new file mode 100644 index 00..9df87bda75 --- /dev/null +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/DuplicateMembershipTest.java @@ -0,0 +1,130 @@ +/* + * Licen
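Review bot: In the AuthorizableImpl hunk the `(!trees.hasNext())` check now exists only to choose `AuthorizableIterator.empty()` over `create(trees, ...)`; if `create` already copes with an exhausted tree iterator the ternary can be dropped and the line reads `AuthorizableIterator groups = AuthorizableIterator.create(trees, userManager, AuthorizableType.GROUP);`. The important part of the change is that `dynamicGroups` is no longer returned raw when there are no tree-based groups but goes through the same `create(true, dynamicGroups, groups)` duplicate filter as the merged case; a one-line comment there would stop a later refactor from reintroducing the early return.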
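Review bot: `private static AuthorizableIterator EMPTY` in the AuthorizableIterator hunk should be `private static final`, and sharing a single Iterator instance between callers deserves a comment explaining why it is safe: it is built from `Iterators.emptyIterator()` with `filterDuplicates` false, so the constructor allocates no `servedIds` state and `hasNext()` is always false. The field is also placed between the instance fields and the `create` factory; it belongs above the instance fields with the other class-level constants.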
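Review bot: The two early returns in the GroupImpl hunk now repeat `AuthorizableIterator.create(true, dynamicMembers, AuthorizableIterator.empty())` verbatim; both branches mean "nothing else to merge", so computing it once into a local, or a small private helper, keeps the duplicate filtering of dynamic members in one place. The new DuplicateMembershipTest is cut off in this mail after the licence header, so the cases it covers (inherited versus direct membership, the same authorizable reachable via dynamic and tree membership) cannot be checked from here.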
[jackrabbit-oak] branch trunk updated: OAK-10067 : ExternalGroupPrincipalProvider does not resolve inherited groups that cross IDP boundaries (#825)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new edf4a4493c OAK-10067 : ExternalGroupPrincipalProvider does not resolve inherited groups that cross IDP boundaries (#825) edf4a4493c is described below commit edf4a4493c18784c83d3e50d26739b458c374a11 Author: anchela AuthorDate: Tue Jan 17 16:11:26 2023 +0100 OAK-10067 : ExternalGroupPrincipalProvider does not resolve inherited groups that cross IDP boundaries (#825) * OAK-10067 : ExternalGroupPrincipalProvider does not resolve inherited groups that cross IDP boundaries * OAK-10067 : ExternalGroupPrincipalProvider does not resolve inherited groups that cross IDP boundaries (missing license header) --- .../impl/principal/AutoMembershipProvider.java | 62 + .../external/impl/principal/DynamicGroupUtil.java | 31 +++ .../principal/ExternalGroupPrincipalProvider.java | 49 +- .../principal/InheritedMembershipIterator.java | 103 + .../external/impl/DynamicGroupsTest.java | 79 .../external/impl/DynamicSyncContextTest.java | 4 +- .../impl/principal/AutoMembershipProviderTest.java | 4 +- .../impl/principal/DynamicGroupUtilTest.java | 44 + 8 files changed, 307 insertions(+), 69 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java index 102d6fe9b7..a4c49a70b4 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java 
@@ -20,7 +20,6 @@ import com.google.common.collect.Iterators; import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.api.security.user.Group; import org.apache.jackrabbit.api.security.user.UserManager; -import org.apache.jackrabbit.commons.iterator.AbstractLazyIterator; import org.apache.jackrabbit.commons.iterator.RangeIteratorAdapter; import org.apache.jackrabbit.oak.api.PropertyValue; import org.apache.jackrabbit.oak.api.QueryEngine; @@ -33,8 +32,6 @@ import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.Auto import org.apache.jackrabbit.oak.spi.security.user.DynamicMembershipProvider; import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import javax.jcr.PropertyType; import javax.jcr.RepositoryException; @@ -44,7 +41,6 @@ import java.text.ParseException; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; -import java.util.HashSet; import java.util.Iterator; import java.util.List; import java.util.Map; @@ -61,9 +57,7 @@ import static org.apache.jackrabbit.oak.spi.security.user.UserConstants.NT_REP_U import static org.apache.jackrabbit.oak.spi.security.user.UserConstants.REP_AUTHORIZABLE_ID; class AutoMembershipProvider implements DynamicMembershipProvider { - -private static final Logger log = LoggerFactory.getLogger(AutoMembershipProvider.class); - + private static final String BINDING_AUTHORIZABLE_IDS = "authorizableIds"; private final Root root; @@ -174,8 +168,7 @@ class AutoMembershipProvider implements DynamicMembershipProvider { if (!includeInherited) { return groupIt; } else { -Set processed = new HashSet<>(); -return Iterators.filter(new InheritedMembershipIterator(groupIt), processed::add); +return new InheritedMembershipIterator(groupIt); } } 
@@ -238,56 +231,5 @@ class AutoMembershipProvider implements DynamicMembershipProvider { String val = "%;" + idpName.replace("%", "\\%").replace("_", "\\_"); return Collections.singletonMap(BINDING_AUTHORIZABLE_IDS, PropertyValues.newString(val)); } - -private static class InheritedMembershipIterator extends AbstractLazyIterator { -private final Iterator groupIterator; -private final List> inherited = new ArrayList<>(); -private Iterator inheritedIterator = null; - -private InheritedMembershipIterator(Iterator groupIterator) { -this.groupIterator = groupIterator; -} - -@Nullable -@Override -protected Group getNext() { -if (groupIterator.hasNext(
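Review bot: The AutoMembershipProvider#getMembership hunk drops the `Iterators.filter(new InheritedMembershipIterator(groupIt), processed::add)` wrapper and returns the iterator bare, so the per-call de-duplication that the `processed` set provided now has to live inside the new top-level InheritedMembershipIterator, whose file is not shown in this mail; please confirm it filters groups that are reachable through more than one inheritance path, otherwise such a group is reported twice to callers that collect or count principals. The removed `log` field was what the old nested iterator's `catch (RepositoryException e)` used, so the new class needs its own logger rather than silently dropping that error path.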
[jackrabbit-oak] branch OAK-10067 updated (7cc0623cde -> d0e5dcc29c)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10067 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from 7cc0623cde OAK-10067 : ExternalGroupPrincipalProvider does not resolve inherited groups that cross IDP boundaries add d0e5dcc29c OAK-10067 : ExternalGroupPrincipalProvider does not resolve inherited groups that cross IDP boundaries (missing license header) No new revisions were added by this update. Summary of changes: .../impl/principal/InheritedMembershipIterator.java | 16 1 file changed, 16 insertions(+)
[jackrabbit-oak] branch OAK-10067 created (now 7cc0623cde)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10067 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at 7cc0623cde OAK-10067 : ExternalGroupPrincipalProvider does not resolve inherited groups that cross IDP boundaries This branch includes the following new commits: new 7cc0623cde OAK-10067 : ExternalGroupPrincipalProvider does not resolve inherited groups that cross IDP boundaries The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] 01/01: OAK-10067 : ExternalGroupPrincipalProvider does not resolve inherited groups that cross IDP boundaries
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10067 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 7cc0623cde8c672c362d90a138511af02f3862d4 Author: angela AuthorDate: Tue Jan 17 09:25:53 2023 +0100 OAK-10067 : ExternalGroupPrincipalProvider does not resolve inherited groups that cross IDP boundaries --- .../impl/principal/AutoMembershipProvider.java | 62 +-- .../external/impl/principal/DynamicGroupUtil.java | 31 .../principal/ExternalGroupPrincipalProvider.java | 49 ++-- .../principal/InheritedMembershipIterator.java | 87 ++ .../external/impl/DynamicGroupsTest.java | 79 .../external/impl/DynamicSyncContextTest.java | 4 +- .../impl/principal/AutoMembershipProviderTest.java | 4 +- .../impl/principal/DynamicGroupUtilTest.java | 44 +++ 8 files changed, 291 insertions(+), 69 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java index 102d6fe9b7..a4c49a70b4 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.java @@ -20,7 +20,6 @@ import com.google.common.collect.Iterators; import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.api.security.user.Group; import org.apache.jackrabbit.api.security.user.UserManager; -import org.apache.jackrabbit.commons.iterator.AbstractLazyIterator; import org.apache.jackrabbit.commons.iterator.RangeIteratorAdapter; import org.apache.jackrabbit.oak.api.PropertyValue; import org.apache.jackrabbit.oak.api.QueryEngine; 
@@ -33,8 +32,6 @@ import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.Auto import org.apache.jackrabbit.oak.spi.security.user.DynamicMembershipProvider; import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import javax.jcr.PropertyType; import javax.jcr.RepositoryException; @@ -44,7 +41,6 @@ import java.text.ParseException; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; -import java.util.HashSet; import java.util.Iterator; import java.util.List; import java.util.Map; @@ -61,9 +57,7 @@ import static org.apache.jackrabbit.oak.spi.security.user.UserConstants.NT_REP_U import static org.apache.jackrabbit.oak.spi.security.user.UserConstants.REP_AUTHORIZABLE_ID; class AutoMembershipProvider implements DynamicMembershipProvider { - -private static final Logger log = LoggerFactory.getLogger(AutoMembershipProvider.class); - + private static final String BINDING_AUTHORIZABLE_IDS = "authorizableIds"; private final Root root; @@ -174,8 +168,7 @@ class AutoMembershipProvider implements DynamicMembershipProvider { if (!includeInherited) { return groupIt; } else { -Set processed = new HashSet<>(); -return Iterators.filter(new InheritedMembershipIterator(groupIt), processed::add); +return new InheritedMembershipIterator(groupIt); } } 
@@ -238,56 +231,5 @@ class AutoMembershipProvider implements DynamicMembershipProvider { String val = "%;" + idpName.replace("%", "\\%").replace("_", "\\_"); return Collections.singletonMap(BINDING_AUTHORIZABLE_IDS, PropertyValues.newString(val)); } - -private static class InheritedMembershipIterator extends AbstractLazyIterator { -private final Iterator groupIterator; -private final List> inherited = new ArrayList<>(); -private Iterator inheritedIterator = null; - -private InheritedMembershipIterator(Iterator groupIterator) { -this.groupIterator = groupIterator; -} - -@Nullable -@Override -protected Group getNext() { -if (groupIterator.hasNext()) { -Group gr = groupIterator.next(); -try { -// call 'memberof' to cover nested inheritance -Iterator it = gr.memberOf(); -if (it.hasNext()) { -inherited.add(it); -} -} catch (RepositoryException e) { -log.error("Failed to retrieve membership of group {}", gr, e); -} -
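Review bot: In the nested InheritedMembershipIterator removed from AutoMembershipProvider (hunk at line 238), `getNext()` catches the RepositoryException from `gr.memberOf()`, logs it with `log.error(...)` and carries on, so a failure to resolve one group silently truncates the inherited membership returned to the principal provider; when this logic moves into the new InheritedMembershipIterator class decide explicitly whether a partial result is acceptable there and at least keep the error log, since the `log` field is deleted from AutoMembershipProvider in the same commit. A short comment on the new class describing how it achieves the cross-IDP resolution named in the commit message would also help, as the moved code itself reads as a plain breadth-first walk over `memberOf()`.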
[jackrabbit-oak] branch trunk updated: OAK-10061 : WARN when for an external group a local group with the same name is already present (#819)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 109a22af7b OAK-10061 : WARN when for an external group a local group with the same name is already present (#819) 109a22af7b is described below commit 109a22af7b17256916d0a0023662c194d31fe08e Author: anchela AuthorDate: Wed Jan 11 15:49:37 2023 +0100 OAK-10061 : WARN when for an external group a local group with the same name is already present (#819) --- .../external/basic/DefaultSyncContext.java | 16 +++- .../authentication/external/basic/package-info.java | 2 +- .../authentication/external/impl/DynamicSyncContext.java | 3 ++- 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java index 073efb4fab..bf4ba40c04 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java @@ -229,6 +229,7 @@ public class DefaultSyncContext implements SyncContext { ExternalIdentityRef ref = identity.getExternalId(); if (!isSameIDP(ref)) { // create result in accordance with sync(String) where status is FOREIGN +warnForeign(identity); boolean isGroup = (identity instanceof ExternalGroup); return new DefaultSyncResultImpl(new DefaultSyncedIdentity(identity.getId(), ref, isGroup, -1), SyncResult.Status.FOREIGN); } 
@@ -286,6 +287,7 @@ public class DefaultSyncContext implements SyncContext { // check if we need to deal with this authorizable ExternalIdentityRef ref = getIdentityRef(auth); if (ref == null || !isSameIDP(ref)) { +warnForeignExisting(auth, auth.isGroup()); return new DefaultSyncResultImpl(new DefaultSyncedIdentity(id, ref, auth.isGroup(), -1), SyncResult.Status.FOREIGN); } @@ -428,6 +430,7 @@ public class DefaultSyncContext implements SyncContext { protected DefaultSyncResultImpl syncUser(@NotNull ExternalUser external, @NotNull User user) throws RepositoryException { // make also sure the local user to be synced belongs to the same IDP. Note: 'external' has been verified before. if (!isSameIDP(user)) { +warnForeignExisting(user, false); return new DefaultSyncResultImpl(new DefaultSyncedIdentity(external.getId(), external.getExternalId(), false, -1), SyncResult.Status.FOREIGN); } @@ -457,6 +460,7 @@ public class DefaultSyncContext implements SyncContext { protected DefaultSyncResultImpl syncGroup(@NotNull ExternalGroup external, @NotNull Group group) throws RepositoryException { // make also sure the local user to be synced belongs to the same IDP. Note: 'external' has been verified before. if (!isSameIDP(group)) { +warnForeignExisting(group, true); return new DefaultSyncResultImpl(new DefaultSyncedIdentity(external.getId(), external.getExternalId(), false, -1), SyncResult.Status.FOREIGN); } @@ -554,7 +558,7 @@ public class DefaultSyncContext implements SyncContext { } else if (a.isGroup() && isSameIDP(a)) { grp = (Group) a; } else { -log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName()); +warnForeignExisting(a, true); continue; } log.debug("- user manager returned '{}'", grp.getID()); 
@@ -773,6 +777,16 @@ public class DefaultSyncContext implements SyncContext { return idp.getName().equals(ref.getProviderName()); } +protected void warnForeign(@NotNull ExternalIdentity externalIdentity) { +log.warn("Cannot sync externally identity '{}' due to IDP mismatch; expected IDP '{}'.", externalIdentity.getId(), idp.getName()); +} + +protected void warnForeignExisting(@NotNull Authorizable existing, boolean expectGroup) throws RepositoryException { +String typeName = (existing.isGroup()) ? "group" : "user"; +String expectedType = (expectGroup) ? "group" : "user"; +log.warn("Cannot sync external identity: Existing {} with id '{}' and principal name '{}' is not a {} defined by IDP '{}'.", typeName, existing.getID(), exi
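Review bot: In the syncGroup hunk the FOREIGN result still builds `new DefaultSyncedIdentity(external.getId(), external.getExternalId(), false, -1)` with `false` for the isGroup flag while the new `warnForeignExisting(group, true)` call directly above says it is a group; that pre-existing flag should be `true` (syncUser correctly passes `false`). In the `sync(String)` hunk `warnForeignExisting(auth, auth.isGroup())` passes the existing authorizable's own type as the expected type, so the message will always read "Existing group ... is not a group defined by IDP", which obscures that the only mismatch is the IDP (or, for `ref == null`, that the authorizable is purely local); pass what the caller actually expected or use a separate message for the IDP-only case.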
[jackrabbit-oak] 01/01: OAK-10061 : WARN when for an external group a local group with the same name is already present
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10061 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 1684f2b9ec6f1acdbcf5bee9ab90a9e70c50aae6 Author: angela AuthorDate: Wed Jan 11 13:18:58 2023 +0100 OAK-10061 : WARN when for an external group a local group with the same name is already present --- .../external/basic/DefaultSyncContext.java | 16 +++- .../authentication/external/basic/package-info.java | 2 +- .../authentication/external/impl/DynamicSyncContext.java | 3 ++- 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java index 073efb4fab..bf4ba40c04 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java @@ -229,6 +229,7 @@ public class DefaultSyncContext implements SyncContext { ExternalIdentityRef ref = identity.getExternalId(); if (!isSameIDP(ref)) { // create result in accordance with sync(String) where status is FOREIGN +warnForeign(identity); boolean isGroup = (identity instanceof ExternalGroup); return new DefaultSyncResultImpl(new DefaultSyncedIdentity(identity.getId(), ref, isGroup, -1), SyncResult.Status.FOREIGN); } @@ -286,6 +287,7 @@ public class DefaultSyncContext implements SyncContext { // check if we need to deal with this authorizable ExternalIdentityRef ref = getIdentityRef(auth); if (ref == null || !isSameIDP(ref)) { +warnForeignExisting(auth, auth.isGroup()); return new DefaultSyncResultImpl(new DefaultSyncedIdentity(id, ref, auth.isGroup(), -1), SyncResult.Status.FOREIGN); } 
@@ -428,6 +430,7 @@ public class DefaultSyncContext implements SyncContext { protected DefaultSyncResultImpl syncUser(@NotNull ExternalUser external, @NotNull User user) throws RepositoryException { // make also sure the local user to be synced belongs to the same IDP. Note: 'external' has been verified before. if (!isSameIDP(user)) { +warnForeignExisting(user, false); return new DefaultSyncResultImpl(new DefaultSyncedIdentity(external.getId(), external.getExternalId(), false, -1), SyncResult.Status.FOREIGN); } @@ -457,6 +460,7 @@ public class DefaultSyncContext implements SyncContext { protected DefaultSyncResultImpl syncGroup(@NotNull ExternalGroup external, @NotNull Group group) throws RepositoryException { // make also sure the local user to be synced belongs to the same IDP. Note: 'external' has been verified before. if (!isSameIDP(group)) { +warnForeignExisting(group, true); return new DefaultSyncResultImpl(new DefaultSyncedIdentity(external.getId(), external.getExternalId(), false, -1), SyncResult.Status.FOREIGN); } @@ -554,7 +558,7 @@ public class DefaultSyncContext implements SyncContext { } else if (a.isGroup() && isSameIDP(a)) { grp = (Group) a; } else { -log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName()); +warnForeignExisting(a, true); continue; } log.debug("- user manager returned '{}'", grp.getID()); 
@@ -773,6 +777,16 @@ public class DefaultSyncContext implements SyncContext { return idp.getName().equals(ref.getProviderName()); } +protected void warnForeign(@NotNull ExternalIdentity externalIdentity) { +log.warn("Cannot sync externally identity '{}' due to IDP mismatch; expected IDP '{}'.", externalIdentity.getId(), idp.getName()); +} + +protected void warnForeignExisting(@NotNull Authorizable existing, boolean expectGroup) throws RepositoryException { +String typeName = (existing.isGroup()) ? "group" : "user"; +String expectedType = (expectGroup) ? "group" : "user"; +log.warn("Cannot sync external identity: Existing {} with id '{}' and principal name '{}' is not a {} defined by IDP '{}'.", typeName, existing.getID(), existing.getPrincipal().getName(), expectedType, idp.getName()); +} + private static String authType(@NotNull Authorizable a) { return a.isGroup() ? "group" : "user"; } diff --git a/
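Review bot: In the `warnForeign` hunk the message says "Cannot sync externally identity"; it should read "external identity". `warnForeignExisting` is declared `throws RepositoryException` because it calls `existing.getID()` and `existing.getPrincipal().getName()`, which turns code paths that previously returned `Status.FOREIGN` unconditionally into paths that can now abort with an exception just to emit a warning; catch inside the helper (falling back to the id alone) so logging can never change the sync outcome. The replaced `log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName())` also included the external group's id, which the new helper no longer logs; an overload taking the ExternalIdentityRef would keep that, and it is precisely the detail an operator needs to see which external group collided with a pre-existing local one.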
[jackrabbit-oak] branch OAK-10061 created (now 1684f2b9ec)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10061 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at 1684f2b9ec OAK-10061 : WARN when for an external group a local group with the same name is already present This branch includes the following new commits: new 1684f2b9ec OAK-10061 : WARN when for an external group a local group with the same name is already present The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] branch trunk updated: OAK-10025 - Documentation regarding conflicts is added. (#786)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 1572996e12 OAK-10025 - Documentation regarding conflicts is added. (#786) 1572996e12 is described below commit 1572996e12da63cd6af31823b70178d506c31a83 Author: Jorge Eduardo Flórez AuthorDate: Tue Dec 13 04:51:46 2022 -0500 OAK-10025 - Documentation regarding conflicts is added. (#786) --- oak-doc/src/site/markdown/dos_and_donts.md | 14 ++ 1 file changed, 14 insertions(+) diff --git a/oak-doc/src/site/markdown/dos_and_donts.md b/oak-doc/src/site/markdown/dos_and_donts.md index b788669c46..41b32dc227 100644 --- a/oak-doc/src/site/markdown/dos_and_donts.md +++ b/oak-doc/src/site/markdown/dos_and_donts.md 
@@ -130,3 +130,17 @@ c = d.getParent(); // preferred way to fetch the pa this is that Oak internally uses various classes from the `nio` package that implement `InterruptibleChannel`, which are [asynchronously closed](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/nio/channels/InterruptibleChannel.html) when receiving an `InterruptedException` while blocked on IO. See [OAK-2609](https://issues.apache.org/jira/browse/OAK-2609). + +### Avoid or minimize conflicts +To reduce the possiblity of having errors like `OakState0001: Unresolved conflicts in ...`: + +1. Make sure you always release the session by calling session.logout(). If possible, avoid long-running sessions. If they are required (e.g. for observation) make sure +to always call session.refresh(false) before applying changes or session.refresh(true) before saving the changes. + +2. Enable the DEBUG level for `org.apache.jackrabbit.oak.plugins.commit.MergingNodeStateDiff` and `org.apache.jackrabbit.oak.plugins.commit.ConflictValidator` loggers if you want +to have more information on the circumstances of a conflict that happened in a point of time. + +3. Write your own conflict handler and add it when configuring your Oak or WhiteBoard instances. Only if you know what you are doing (i.e. you know how to resolve +the conflict in each one of the possible situations). By default, the [AnnotatingConflictHandler](https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/plugins/commit/AnnotatingConflictHandler.html) instance will discard your changes +and your commit will fail. If persisting changes fails with a conflict and you cannot lose them, refactor your code such that you can retry after having called session.refresh(false). +Check the source code of [JcrLastModifiedConflictHandler](https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/plugins/commit/JcrLastModifiedConflictHandler.html) for an example of a conflict handler. \ No newline at end of file
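Review bot: In the new "Avoid or minimize conflicts" section: "possiblity" should be "possibility"; `session.logout()`, `session.refresh(false)` and `session.refresh(true)` should be in backticks like the other code references in this file; item 3's "Only if you know what you are doing (...)" is a sentence fragment and reads better folded into the preceding sentence ("... when configuring your Oak or WhiteBoard instances, but only if you know how to resolve the conflict in every possible situation"); and the file now ends without a trailing newline (`\ No newline at end of file`). Item 1 would be clearer if it said why the two refresh variants differ: `refresh(false)` discards pending changes so the session reflects the current saved state before new edits are applied, while `refresh(true)` keeps pending changes and refreshes only unmodified items, which is what you want immediately before `save()`.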
[jackrabbit-oak] branch trunk updated: OAK-10011 : Configure SonarClould for Oak (add missing licence header) (#764)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 0f5b6f3110 OAK-10011 : Configure SonarClould for Oak (add missing licence header) (#764) 0f5b6f3110 is described below commit 0f5b6f3110d4cb193782179fcce69253a278c5f7 Author: anchela AuthorDate: Thu Nov 24 16:24:19 2022 +0100 OAK-10011 : Configure SonarClould for Oak (add missing licence header) (#764) --- .github/workflows/build.yml | 17 + 1 file changed, 17 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9c45940acc..5b09ded8cf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,3 +1,20 @@ +# ~ Licensed to the Apache Software Foundation (ASF) under one +# ~ or more contributor license agreements. See the NOTICE file +# ~ distributed with this work for additional information +# ~ regarding copyright ownership. The ASF licenses this file +# ~ to you under the Apache License, Version 2.0 (the +# ~ "License"); you may not use this file except in compliance +# ~ with the License. You may obtain a copy of the License at +# ~ +# ~ http://www.apache.org/licenses/LICENSE-2.0 +# ~ +# ~ Unless required by applicable law or agreed to in writing, +# ~ software distributed under the License is distributed on an +# ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# ~ KIND, either express or implied. See the License for the +# ~ specific language governing permissions and limitations +# ~ under the License. + name: SonarCloud on: push:
[jackrabbit-oak] 01/01: OAK-10011 : Configure SonarClould for Oak (add missing licence header)
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10011_licence in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit d2d76baff7d5aaf54dcf5196fa6f0d3804c3ce36 Author: angela AuthorDate: Thu Nov 24 16:22:10 2022 +0100 OAK-10011 : Configure SonarClould for Oak (add missing licence header) --- .github/workflows/build.yml | 17 + 1 file changed, 17 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9c45940acc..5b09ded8cf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,3 +1,20 @@ +# ~ Licensed to the Apache Software Foundation (ASF) under one +# ~ or more contributor license agreements. See the NOTICE file +# ~ distributed with this work for additional information +# ~ regarding copyright ownership. The ASF licenses this file +# ~ to you under the Apache License, Version 2.0 (the +# ~ "License"); you may not use this file except in compliance +# ~ with the License. You may obtain a copy of the License at +# ~ +# ~ http://www.apache.org/licenses/LICENSE-2.0 +# ~ +# ~ Unless required by applicable law or agreed to in writing, +# ~ software distributed under the License is distributed on an +# ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# ~ KIND, either express or implied. See the License for the +# ~ specific language governing permissions and limitations +# ~ under the License. + name: SonarCloud on: push:
[jackrabbit-oak] branch OAK-10011_licence created (now d2d76baff7)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10011_licence in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at d2d76baff7 OAK-10011 : Configure SonarClould for Oak (add missing licence header) This branch includes the following new commits: new d2d76baff7 OAK-10011 : Configure SonarClould for Oak (add missing licence header) The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] branch trunk updated: OAK-10012 : Redundant modifier in oak-jackrabbit-api
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new cda4512385 OAK-10012 : Redundant modifier in oak-jackrabbit-api cda4512385 is described below commit cda45123851f2cd18555e5aba263f048724bc158 Author: angela AuthorDate: Thu Nov 24 10:49:05 2022 +0100 OAK-10012 : Redundant modifier in oak-jackrabbit-api --- .../main/java/org/apache/jackrabbit/api/JackrabbitRepository.java | 6 +++--- .../jackrabbit/api/security/JackrabbitAccessControlManager.java | 5 ++--- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/JackrabbitRepository.java b/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/JackrabbitRepository.java index 9a84715789..b636187ecf 100644 --- a/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/JackrabbitRepository.java +++ b/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/JackrabbitRepository.java 
@@ -35,19 +35,19 @@ public interface JackrabbitRepository extends Repository { * Key to a boolean descriptor. Returns true if * and only if user management is supported. */ -public static final String OPTION_USER_MANAGEMENT_SUPPORTED = "option.user.management.supported"; +String OPTION_USER_MANAGEMENT_SUPPORTED = "option.user.management.supported"; /** * Key to a boolean descriptor. Returns true if * and only if principal management is supported. */ -public static final String OPTION_PRINCIPAL_MANAGEMENT_SUPPORTED = "option.principal.management.supported"; +String OPTION_PRINCIPAL_MANAGEMENT_SUPPORTED = "option.principal.management.supported"; /** * Key to a boolean descriptor. Returns true if * and only if privilege management is supported. */ -public static final String OPTION_PRIVILEGE_MANAGEMENT_SUPPORTED = "option.privilege.management.supported"; +String OPTION_PRIVILEGE_MANAGEMENT_SUPPORTED = "option.privilege.management.supported"; /** * Equivalent to {@code login(credentials, workspaceName)} except that the returned diff --git a/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/JackrabbitAccessControlManager.java b/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/JackrabbitAccessControlManager.java index 50f434c2dc..fa44286cc4 100644 --- a/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/JackrabbitAccessControlManager.java +++ b/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/JackrabbitAccessControlManager.java 
@@ -133,7 +133,7 @@ public interface JackrabbitAccessControlManager extends AccessControlManager { * READ_ACCESS_CONTROL privilege for the absPath node. * @throws RepositoryException if another error occurs. */ -public boolean hasPrivileges(@Nullable String absPath, @NotNull Set principals, @NotNull Privilege[] privileges) +boolean hasPrivileges(@Nullable String absPath, @NotNull Set principals, @NotNull Privilege[] privileges) throws PathNotFoundException, AccessDeniedException, RepositoryException; /** @@ -171,8 +171,7 @@ public interface JackrabbitAccessControlManager extends AccessControlManager { * privilege for the absPath node. * @throws RepositoryException if another error occurs. */ -@NotNull -public Privilege[] getPrivileges(@Nullable String absPath, @NotNull Set principals) +@NotNull Privilege[] getPrivileges(@Nullable String absPath, @NotNull Set principals) throws PathNotFoundException, AccessDeniedException, RepositoryException; /**
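Review bot: Dropping `public static final` from the JackrabbitRepository constants and `public` from the JackrabbitAccessControlManager methods is behaviour- and binary-neutral, since interface fields are implicitly public static final and interface methods implicitly public, so no API consumer is affected. In the getPrivileges hunk the `@NotNull` annotation is folded onto the signature line (`@NotNull Privilege[] getPrivileges(...)`) whereas before the change it sat on its own line above the method; keeping the separate-line form matches how the annotated return type was laid out previously and keeps the diff limited to the modifier removal the ticket is about.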
[jackrabbit-oak] branch trunk updated (cf8c866673 -> 1cbccf4e70)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from cf8c866673 OAK-10008: Reduce heap requirement for test DocumentStoreIndexeIT#parallelReindexWithLZ4 (#761) add 1cbccf4e70 OAK-10009 : Enable SonarClould for Oak No new revisions were added by this update. Summary of changes: .github/workflows/build.yml | 36 pom.xml | 2 ++ 2 files changed, 38 insertions(+) create mode 100644 .github/workflows/build.yml
[jackrabbit-oak] branch OAK-10009 updated (a02e0e77d4 -> 6e9f1deb8e)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10009 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from a02e0e77d4 OAK-10009 : Enable SonarClould for Oak add 6e9f1deb8e OAK-10009 : use variable name as posted by infra on INFRA-23854 No new revisions were added by this update. Summary of changes: .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
[jackrabbit-oak] 01/01: OAK-10009 : Enable SonarClould for Oak
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10009 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit a02e0e77d4925d785e4b7fdc8c754f085c5d29c6 Author: angela AuthorDate: Wed Nov 23 09:27:43 2022 +0100 OAK-10009 : Enable SonarClould for Oak --- .github/workflows/build.yml | 36 pom.xml | 2 ++ 2 files changed, 38 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00..a8c0713582 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,36 @@ +name: SonarCloud +on: + push: +branches: + - trunk + pull_request: +types: [opened, synchronize, reopened] +jobs: + build: +name: Build and analyze +runs-on: ubuntu-latest +steps: + - uses: actions/checkout@v2 +with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + - name: Set up JDK 11 +uses: actions/setup-java@v1 +with: + java-version: 11 + - name: Cache SonarCloud packages +uses: actions/cache@v1 +with: + path: ~/.sonar/cache + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + - name: Cache Maven packages +uses: actions/cache@v1 +with: + path: ~/.m2 + key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} + restore-keys: ${{ runner.os }}-m2 + - name: Build and analyze +env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} +run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=apache_jackrabbit-oak \ No newline at end of file diff --git a/pom.xml b/pom.xml index d367e5f3dd..ccbefb8d77 100644 --- a/pom.xml +++ b/pom.xml @@ -33,6 +33,8 @@ true +apache +https://sonarcloud.io
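Review bot: The `Build and analyze` step reads `secrets.SONAR_TOKEN`, but the workflow also triggers on `pull_request` (`opened`, `synchronize`, `reopened`). GitHub does not expose repository secrets to workflow runs for pull requests coming from forks, so on such PRs the token is empty and the `sonar` goal fails the job after `mvn -B verify` has already run. Either skip the analysis on fork PRs (an `if:` condition on the step) or split `verify` and the Sonar goal into two steps so the build result is still reported, and document that external PRs are not analyzed. Two hardening points on the same hunk: `actions/checkout@v2`, `actions/setup-java@v1` and `actions/cache@v1` are referenced by mutable tags rather than pinned commit SHAs (and `setup-java@v1` and `cache@v1` are old major versions), and the file is committed without a trailing newline (`\ No newline at end of file`).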
[jackrabbit-oak] branch OAK-10009 created (now a02e0e77d4)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch OAK-10009 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git at a02e0e77d4 OAK-10009 : Enable SonarClould for Oak This branch includes the following new commits: new a02e0e77d4 OAK-10009 : Enable SonarClould for Oak The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[jackrabbit-oak] 02/04: Merge branch 'trunk' of https://github.com/apache/jackrabbit-oak into trunk
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 8f5b008b38ccece32e9512571b9984c2ac4bbad9 Merge: 0047f1a9f2 e44d4fac73 Author: angela AuthorDate: Wed Nov 2 09:17:20 2022 +0100 Merge branch 'trunk' of https://github.com/apache/jackrabbit-oak into trunk oak-blob-plugins/pom.xml |2 +- oak-commons/pom.xml|6 + .../apache/jackrabbit/oak/commons/Compression.java | 72 + .../jackrabbit/oak/commons/package-info.java |2 +- .../jackrabbit/oak/commons/sort/ExternalSort.java | 293 +- .../jackrabbit/oak/commons/sort/package-info.java |2 +- .../oak/commons/sort/ExternalSortTest.java | 68 +- .../index/progress/IndexingProgressReporter.java | 20 +- .../apache/jackrabbit/oak/query/SQL2Parser.java|1 + .../jackrabbit/oak/query/stats/QueryRecorder.java | 35 +- .../oak/query/stats/QueryRecorderTest.java | 16 +- oak-doc/src/site/markdown/query/lucene.md | 16 +- oak-doc/src/site/markdown/query/query-engine.md|2 +- .../jackrabbit/api/security/user/UserManager.java |2 +- .../index/lucene/writer/DefaultIndexWriter.java| 76 +- .../index/lucene/writer/IndexWriterUtils.java | 11 +- oak-parent/pom.xml |4 +- oak-run-commons/pom.xml| 12 +- .../indexer/document/DocumentStoreIndexerBase.java | 130 +- .../indexer/document/IndexerConfiguration.java | 58 + .../flatfile/FlatFileNodeStoreBuilder.java | 54 +- .../document/flatfile/FlatFileSplitter.java| 256 + .../indexer/document/flatfile/FlatFileStore.java | 25 +- .../document/flatfile/FlatFileStoreUtils.java | 52 +- .../indexer/document/flatfile/LZ4Compression.java | 42 + .../indexer/document/flatfile/MergeRunner.java | 15 +- .../MultithreadedTraverseWithSortStrategy.java | 15 +- .../document/flatfile/NodeStateEntrySorter.java| 50 +- .../document/flatfile/StoreAndSortStrategy.java| 21 +- .../document/flatfile/TraverseAndSortTask.java | 11 +- .../flatfile/TraverseWithSortStrategy.java | 15 +- 
.../flatfile/FlatFileNodeStoreBuilderTest.java | 34 +- .../document/flatfile/FlatFileSplitterTest.java| 536 ++ .../indexer/document/flatfile/MergeRunnerTest.java |5 +- .../MultithreadedTraverseWithSortStrategyTest.java |5 +- .../document/flatfile/TraverseAndSortTaskTest.java |3 +- .../src/test/resources/complex-split.json | 7931 ...-node-type-simple-split-with-nested-parent.json |9 + ...ultiple-node-type-simple-split-with-parent.json |6 + .../resources/simple-split-with-nested-parent.json |9 + .../test/resources/simple-split-with-parent.json |8 + .../src/test/resources/simple-split.json |3 + .../src/test/resources/unknown-no-split.json |3 + oak-run/pom.xml|6 + .../oak/index/AbstractIndexCommandTest.java| 23 +- .../oak/index/DocumentStoreIndexerIT.java | 164 +- .../plugins/index/elastic/ElasticConnection.java |6 +- .../elastic/index/ElasticBulkProcessorHandler.java |5 + .../oak/plugins/index/search/IndexDefinition.java |5 + .../oak/plugins/index/IndexQueryCommonTest.java| 28 + .../oak/plugins/document/DocumentNodeStore.java| 16 +- .../plugins/document/DocumentNodeStoreTest.java| 62 + 52 files changed, 9880 insertions(+), 371 deletions(-)
[jackrabbit-oak] branch trunk updated (0b6dfc995e -> fec8c39ae1)
This is an automated email from the ASF dual-hosted git repository. angela pushed a change to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git from 0b6dfc995e OAK-9980: Index Purging Logic fails when trying to delete :oak:mount-… (#741) new 0047f1a9f2 improve exercise readme new 8f5b008b38 Merge branch 'trunk' of https://github.com/apache/jackrabbit-oak into trunk new 46254a5803 OAK-9972 : Create FAQ for dynamic sync new fec8c39ae1 Merge branch 'trunk' of https://github.com/apache/jackrabbit-oak into trunk The 4 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: oak-doc/src/site/markdown/FAQ.md | 3 +++ .../src/site/markdown/security/authentication/external/faq.md | 9 +++-- oak-exercise/README.md| 11 +-- 3 files changed, 19 insertions(+), 4 deletions(-)
[jackrabbit-oak] 01/04: improve exercise readme
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 0047f1a9f2f1a6fe125fa584a05d801538d60e98 Author: angela AuthorDate: Wed Nov 2 09:16:55 2022 +0100 improve exercise readme --- oak-exercise/README.md | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/oak-exercise/README.md b/oak-exercise/README.md index a424d0fbf7..991de81cb1 100644 --- a/oak-exercise/README.md +++ b/oak-exercise/README.md @@ -117,9 +117,16 @@ General Security Using the Exercise Module - -TODO +The exercise module consists of training material in the form of test-cases that are to be 'fixed' based on the +instructions in the description and the test-method (EXERCISE comments). +In addition the module comes with examples for customizations and extensions that can be adjusted and plugged +into an test repository for advanced learners. How to Verify your Solutions -TODO \ No newline at end of file +The instructions and the EXERCISE comments indicate how the tests need to be adjusted. +Run the tests in your IDE and verify that they pass to check if your solution is correct. + +NOTE: The module by default skips test execution. Enable test verification if you intend to verify your solutions with +'mvn clean install'. \ No newline at end of file
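Review bot: Two grammar fixes in the new README text: "plugged into an test repository" should read "a test repository", and "In addition the module comes" needs a comma after "In addition". The "How to Verify your Solutions" section states that the module skips test execution by default and that verification must be enabled for `mvn clean install`, but it does not name the property or profile that enables it; since this text is aimed at learners, spell out the exact command. The file also still ends without a trailing newline (`\ No newline at end of file`).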
[jackrabbit-oak] 03/04: OAK-9972 : Create FAQ for dynamic sync
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit 46254a58035d4d5c997fc8a53bca9576b27c1990 Author: angela AuthorDate: Wed Nov 2 12:13:52 2022 +0100 OAK-9972 : Create FAQ for dynamic sync --- oak-doc/src/site/markdown/FAQ.md | 3 +++ .../src/site/markdown/security/authentication/external/faq.md| 9 +++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/oak-doc/src/site/markdown/FAQ.md b/oak-doc/src/site/markdown/FAQ.md index e035ed80ac..36295f5af4 100644 --- a/oak-doc/src/site/markdown/FAQ.md +++ b/oak-doc/src/site/markdown/FAQ.md @@ -40,6 +40,9 @@ Debugging merge conflict errors is now possible by enabling `DEBUG` logs on `org.apache.jackrabbit.oak.plugins.commit.ConflictValidator`. This option is available via [OAK-3057](https://issues.apache.org/jira/browse/OAK-3057) since Oak 1.0.17, 1.2.3, 1.3.3. +## Questions about External Authentication +See the dedicated [FAQ](security/authentication/external/faq.html) + ## My question is not listed here Search the [Oak dev list](http://jackrabbit.markmail.org/search/+list:org.apache.jackrabbit.oak-dev) diff --git a/oak-doc/src/site/markdown/security/authentication/external/faq.md b/oak-doc/src/site/markdown/security/authentication/external/faq.md index 76c878d505..37f8990d2b 100644 --- a/oak-doc/src/site/markdown/security/authentication/external/faq.md +++ b/oak-doc/src/site/markdown/security/authentication/external/faq.md 
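Review bot: The new "Questions about External Authentication" entry in FAQ.md is a single unterminated sentence ("See the dedicated [FAQ](security/authentication/external/faq.html)"); add a full stop, and consider a few words on what the linked page covers (user/group synchronization with an external IDP) so readers of the general FAQ know whether to follow the link. The relative link path matches the location of the file changed in the second part of this commit.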
@@ -24,7 +24,11 @@ | Question | Answer| References| |---|---|---| | Why am I no longer able to change the `rep:externalId`? | Since Oak 1.5.8 the default sync mechanism properly protects the system maintained property `rep:externalId` which is used to link a given synced user/group account to the corresponding entry on the external IDP. | See [documentation](defaultusersync.html) and [OAK-4301] | -| Why does a User or Group created with a content package not get synced with the IDP? | Only users/groups with a `rep:externalId` linking them to the external IDP will be respected during the default sync mechanism. | See also [OAK-4397] and [OAK-5304] | +| Why does a user or group created with a content package not get synced with the IDP? | Only users/groups with a `rep:externalId` linking them to the external IDP will be respected during the default sync mechanism. | See also [OAK-4397] and [OAK-5304] | +| Synchronized user/group is not updated | The default sync configuration defines an expiration time before identities get re-synced | See section [Configuration](defaultusersync.html#configuration) | +| Membership information is not store | The default sync configuration needs to define a `user.membershipNestingDepth` > 0 in order to have external membership information synchronized | See section [Configuration](defaultusersync.html#configuration) | +| Membership information is not updated | The default sync configuration defines `user.membershipExpTime` before membership get re-synced | See section [Configuration](defaultusersync.html#configuration) | +| Can I synchronize identities outside of the repository login? | Yes, there is a `SynchronizationMBean` in the JMX console with additional synchronization options | | ## Dynamic Sync See [User and Group Synchronization : Dynamic Membership and Dynamic Groups](dynamic.html) for further details. 
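Review bot: Wording in the four added rows: "Membership information is not store" should be "stored", and "before membership get re-synced" should be "gets re-synced". The "Synchronized user/group is not updated" and "Membership information is not updated" answers describe an expiration time without naming the configuration property, whereas the neighbouring row cites `user.membershipNestingDepth`; naming the property in each row keeps the table consistent and lets readers search the configuration documentation directly. The last row ("Can I synchronize identities outside of the repository login?") leaves the References column empty; a link to the MBean documentation, or at least to the same configuration section the other rows cite, would complete it.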
@@ -34,7 +38,8 @@ See [User and Group Synchronization : Dynamic Membership and Dynamic Groups](dyn | The external group doesn't get created | The dynamic membership option will only synchronize the membership information but not the group accounts. Additionally enabling 'Dynamic Groups' option will make sure groups are synchronized while keeping the dynamic nature of the membership information. | See section [Dynamic Groups](defaultusersync.html#dynamic_groups)| | I cannot add members to a synchronized group | The dynamic groups option comes with a dedicated validator that makes external groups read-only | See section [Enforcing dynamic groups](defaultusersync.html#validation) | | Auto-membership cannot be altered through user management API | The configured auto-membership with local groups is calculated dynamically from the configuration and cannot be changed through user management API | See section [Automatic Membership](dynamic.html) | -| External groups have not rep:members property | The membership information is computed using an implementation of `DynamicMembershipProvider` computed dynamically from the `rep:externalPrincipalNames` properties stored with external users | See [OAK-9803] | +| External groups have no rep:members property | The membership information is computed using an implementation of `DynamicMembershipProvi
[jackrabbit-oak] 04/04: Merge branch 'trunk' of https://github.com/apache/jackrabbit-oak into trunk
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git commit fec8c39ae11a649e1aed279bd71838dc23cd5f12 Merge: 46254a5803 0b6dfc995e Author: angela AuthorDate: Wed Nov 2 12:14:12 2022 +0100 Merge branch 'trunk' of https://github.com/apache/jackrabbit-oak into trunk .../oak/composite/blueGreen/IndexUtils.java| 63 -- .../oak/composite/blueGreen/Persistence.java | 15 ++- oak-run/pom.xml| 7 ++ .../oak/indexversion/PurgeOldVersionUtils.java | 4 + .../oak/indexversion/PurgeOldIndexVersionIT.java | 129 + 5 files changed, 206 insertions(+), 12 deletions(-)
[jackrabbit-oak] branch trunk updated: OAK-9974 : permission eval: entries are evaluated in reverse order
This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git The following commit(s) were added to refs/heads/trunk by this push: new 7d204fa1ee OAK-9974 : permission eval: entries are evaluated in reverse order 7d204fa1ee is described below commit 7d204fa1ee383d64f6bb90c1e078419a6780fc4d Author: angela AuthorDate: Tue Oct 25 17:10:58 2022 +0200 OAK-9974 : permission eval: entries are evaluated in reverse order --- oak-doc/src/site/markdown/security/permission/evaluation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oak-doc/src/site/markdown/security/permission/evaluation.md b/oak-doc/src/site/markdown/security/permission/evaluation.md index 3ef468635c..8c9b6571f3 100644 --- a/oak-doc/src/site/markdown/security/permission/evaluation.md +++ b/oak-doc/src/site/markdown/security/permission/evaluation.md @@ -39,7 +39,7 @@ The order of precedence is as follows: - their order in the access control list - their position in the node hierarchy - within a given type of principal (user vs. group principal) the order of executing is -- order of entries as specified originally (the index of the permission entry) +- reverse order of entries as specified originally (the index of the permission entry) - entries associated with the target tree take precedence over inherited entries # Examples
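Review bot: The corrected bullet "reverse order of entries as specified originally (the index of the permission entry)" fixes a security-relevant statement about permission precedence, but "reverse order" on its own still leaves the reader to infer which end wins; state it explicitly, for example whether the entry with the highest index is evaluated first and therefore takes precedence over earlier entries in the same list. The unchanged context line "the order of executing is" reads awkwardly ("the order of evaluation is"), and since this commit touches exactly that list it is a cheap improvement for the same change.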