Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2023/04/20 15:14:20 UTC

[jackrabbit-oak] branch trunk updated: OAK-10200 : CompositeAccessControlManager.getEffectivePolicies(String) should filter duplicate policies

This is an automated email from the ASF dual-hosted git repository.

angela pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 63b4ddb9d1 OAK-10200 : CompositeAccessControlManager.getEffectivePolicies(String) should filter duplicate policies
63b4ddb9d1 is described below

commit 63b4ddb9d173b766ed4e23e3bc6150d721c768cb
Author: angela <an...@adobe.com>
AuthorDate: Thu Apr 20 17:14:10 2023 +0200

    OAK-10200 : CompositeAccessControlManager.getEffectivePolicies(String) should filter duplicate policies
---
 .../authorization/composite/CompositeAccessControlManager.java |  3 +--
 .../composite/CompositeAccessControlManagerTest.java           | 10 ++++++++++
 .../security/internal/SecurityProviderRegistrationTest.java    |  6 ++++--
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java
index 202ff0e611..24cc670463 100644
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java
+++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java
@@ -98,8 +98,7 @@ class CompositeAccessControlManager extends AbstractAccessControlManager {
                 break;
             }
         }
-        List<AccessControlPolicy> l = policies.build();
-        return l.toArray(new AccessControlPolicy[0]);
+        return policies.build().stream().distinct().toArray(AccessControlPolicy[]::new);
     }
 
     @Override
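Review bot: The `distinct()` call on the new return line filters only what each `AccessControlPolicy` implementation considers equal via `equals`/`hashCode`. For implementations that inherit `Object.equals`, two policies with identical content coming from different aggregated managers would still both be reported as effective. Since callers may rely on this array to review which policies apply to a path, the contract should be stated next to the line, e.g. `// duplicates are detected with equals(); policies without a value-based equals() are only filtered when the same instance is returned twice`. The commit title names only `getEffectivePolicies(String)`; whether the `Set<Principal>` overload needs the same filtering cannot be judged from this hunk and is worth checking. The method body starts above the hunk.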
diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java
index b858ff181e..a7d7514e1e 100644
--- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java
+++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java
@@ -194,6 +194,16 @@ public class CompositeAccessControlManagerTest extends AbstractSecurityTest {
         assertEquals(1, acMgr.getEffectivePolicies(child.getPath()).length);
     }
 
+    @Test
+    public void testGetEffectivePoliciesFiltersDuplicates() throws Exception {
+        TestAcMgr test = new TestAcMgr();
+        test.hasPolicy = true;
+        
+        // create a composite that would result in duplicate effective policies
+        AccessControlManager composite = createComposite(test, test);
+        assertEquals(1, composite.getEffectivePolicies(TEST_PATH).length);
+    }
+
     @Test
     public void testSetPolicyAtRoot() throws Exception {
         AccessControlPolicyIterator it = acMgr.getApplicablePolicies("/");
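Review bot: `testGetEffectivePoliciesFiltersDuplicates` passes the same `TestAcMgr` instance twice to `createComposite(test, test)`, so both delegates presumably hand back the very same policy object and the assertion would pass with identity-based filtering alone. A second case with two separate `TestAcMgr` instances (each with `hasPolicy = true`) would show whether equal-but-distinct policies are also collapsed, which is the situation a real composite of different authorization models is likely to produce. The test also checks only `length`; asserting the returned element itself would pin which policy survives the filtering. `TestAcMgr` is defined outside the hunk, so what it returns is inferred from its use here.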
diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistrationTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistrationTest.java
index 23d66cd93f..78449a5626 100644
--- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistrationTest.java
+++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistrationTest.java
@@ -56,6 +56,7 @@ import org.apache.jackrabbit.oak.spi.security.authentication.LoginModuleStatsCol
 import org.apache.jackrabbit.oak.spi.security.authentication.token.CompositeTokenConfiguration;
 import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConfiguration;
 import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ReadPolicy;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregationFilter;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
@@ -1019,9 +1020,10 @@ public class SecurityProviderRegistrationTest extends AbstractSecurityTest {
 
         AggregatedPermissionProvider pp = mock(AggregatedPermissionProvider.class);
         JackrabbitAccessControlManager acMgr = mock(JackrabbitAccessControlManager.class);
+        // make sure different policies are returned for subsequent calls of the aggregated configurations
         AccessControlPolicy policy = mock(AccessControlPolicy.class);
-        when(acMgr.getEffectivePolicies(anyString())).thenReturn(new AccessControlPolicy[] {policy});
-        when(acMgr.getEffectivePolicies(any(Set.class))).thenReturn(new AccessControlPolicy[] {policy});
+        when(acMgr.getEffectivePolicies(anyString())).thenReturn(new AccessControlPolicy[] {policy}).thenReturn(new AccessControlPolicy[] {ReadPolicy.INSTANCE});
+        when(acMgr.getEffectivePolicies(any(Set.class))).thenReturn(new AccessControlPolicy[] {policy}).thenReturn(new AccessControlPolicy[] {ReadPolicy.INSTANCE});
 
         AuthorizationConfiguration ac1 = mock(AuthorizationConfiguration.class);
         AuthorizationConfiguration ac2 = mock(AuthorizationConfiguration.class);
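Review bot: The added comment above `policy` says what the stubbing does but not why it is needed. A reader cannot tell that the composite now drops duplicate effective policies, so a suggested wording is `// the composite filters duplicate effective policies (OAK-10200), so each aggregated configuration must return a distinct policy`. The chained `thenReturn(...).thenReturn(...)` is also order-dependent: the first call gets the mock and every later call gets `ReadPolicy.INSTANCE`, so the expected count silently depends on how many times, and in which order, the shared `acMgr` mock is invoked. If `ac1` and `ac2` can be given separate manager mocks (their wiring is below the hunk), that would make the intent explicit. The test method starts and ends outside the hunk.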