You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by an...@apache.org on 2010/05/18 09:53:47 UTC
svn commit: r945528 - in /jackrabbit/trunk/jackrabbit-core/src:
main/java/org/apache/jackrabbit/core/security/
main/java/org/apache/jackrabbit/core/security/authorization/
main/java/org/apache/jackrabbit/core/security/user/
test/java/org/apache/jackrab...
Author: angela
Date: Tue May 18 07:53:46 2010
New Revision: 945528
URL: http://svn.apache.org/viewvc?rev=945528&view=rev
Log:
JCR-2630 : UserAccessControlProvider handles users who dont have Jackrabbit managed Principals or User node incosistently.
Added:
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserAccessControlProviderTest.java (with props)
Modified:
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/CompiledPermissions.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/TestAll.java
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java?rev=945528&r1=945527&r2=945528&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java Tue May 18 07:53:46 2010
@@ -76,21 +76,6 @@ import java.util.Set;
public class DefaultAccessManager extends AbstractAccessControlManager implements AccessManager {
private static final Logger log = LoggerFactory.getLogger(DefaultAccessManager.class);
- private static final CompiledPermissions NO_PERMISSION = new CompiledPermissions() {
- public void close() {
- //nop
- }
- public boolean grants(Path absPath, int permissions) {
- // deny everything
- return false;
- }
- public int getPrivileges(Path absPath) {
- return PrivilegeRegistry.NO_PRIVILEGE;
- }
- public boolean canReadAll() {
- return false;
- }
- };
private boolean initialized;
@@ -161,7 +146,7 @@ public class DefaultAccessManager extend
} else {
log.warn("No AccessControlProvider defined -> no access is granted.");
editor = null;
- compiledPermissions = NO_PERMISSION;
+ compiledPermissions = CompiledPermissions.NO_PERMISSION;
}
initialized = true;
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/CompiledPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/CompiledPermissions.java?rev=945528&r1=945527&r2=945528&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/CompiledPermissions.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/CompiledPermissions.java Tue May 18 07:53:46 2010
@@ -72,4 +72,24 @@ public interface CompiledPermissions {
* @throws RepositoryException if an error occurs
*/
boolean canReadAll() throws RepositoryException;
+
+ /**
+ * Static implementation of a <code>CompiledPermissions</code> that doesn't
+ * grant any permissions at all.
+ */
+ public static final CompiledPermissions NO_PERMISSION = new CompiledPermissions() {
+ public void close() {
+ //nop
+ }
+ public boolean grants(Path absPath, int permissions) {
+ // deny everything
+ return false;
+ }
+ public int getPrivileges(Path absPath) {
+ return PrivilegeRegistry.NO_PRIVILEGE;
+ }
+ public boolean canReadAll() {
+ return false;
+ }
+ };
}
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java?rev=945528&r1=945527&r2=945528&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java Tue May 18 07:53:46 2010
@@ -193,8 +193,9 @@ public class UserAccessControlProvider e
ItemBasedPrincipal userPrincipal = getUserPrincipal(principals);
NodeImpl userNode = getUserNode(userPrincipal);
if (userNode == null) {
- // no 'user' within set of principals -> READ-only
- return getReadOnlyPermissions();
+ // no 'user' within set of principals -> no permissions in the
+ // security workspace.
+ return CompiledPermissions.NO_PERMISSION;
} else {
return new CompiledPermissionsImpl(principals, userNode.getPath());
}
@@ -337,7 +338,7 @@ public class UserAccessControlProvider e
// no Node corresponding to user for which the permissions are
// calculated -> no permissions/privileges.
log.debug("No node at " + userNodePath);
- return new Result(Permission.NONE, Permission.NONE, PrivilegeRegistry.NO_PRIVILEGE, PrivilegeRegistry.NO_PRIVILEGE);
+ return Result.EMPTY;
}
// no explicit denied permissions:
@@ -445,8 +446,7 @@ public class UserAccessControlProvider e
@Override
public boolean grants(Path absPath, int permissions) throws RepositoryException {
if (permissions == Permission.READ) {
- // read is always granted
- return true;
+ return canReadAll();
}
// otherwise: retrieve from cache (or build)
return super.grants(absPath, permissions);
@@ -457,7 +457,9 @@ public class UserAccessControlProvider e
*/
@Override
public boolean canReadAll() throws RepositoryException {
- return true;
+ // for consistency with 'grants(Path, int) this method only returns
+ // true if there exists a node for 'userNodePath'
+ return session.nodeExists(userNodePath);
}
//--------------------------------------------------< EventListener >---
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/TestAll.java?rev=945528&r1=945527&r2=945528&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/TestAll.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/TestAll.java Tue May 18 07:53:46 2010
@@ -49,6 +49,8 @@ public class TestAll extends TestCase {
suite.addTestSuite(UserImporterTest.class);
+ suite.addTestSuite(UserAccessControlProviderTest.class);
+
return suite;
}
}
Added: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserAccessControlProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserAccessControlProviderTest.java?rev=945528&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserAccessControlProviderTest.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserAccessControlProviderTest.java Tue May 18 07:53:46 2010
@@ -0,0 +1,132 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.user;
+
+import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
+import org.apache.jackrabbit.api.security.user.AbstractUserTest;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.core.RepositoryImpl;
+import org.apache.jackrabbit.core.SessionImpl;
+import org.apache.jackrabbit.core.security.authorization.AccessControlProvider;
+import org.apache.jackrabbit.core.security.authorization.CompiledPermissions;
+import org.apache.jackrabbit.core.security.authorization.Permission;
+import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
+import org.apache.jackrabbit.core.security.user.UserAccessControlProvider;
+import org.apache.jackrabbit.spi.Path;
+import org.apache.jackrabbit.test.NotExecutableException;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * <code>UserAccessControlProviderTest</code>...
+ */
+public class UserAccessControlProviderTest extends AbstractUserTest {
+
+ private Session s;
+ private AccessControlProvider provider;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ RepositoryImpl repo = (RepositoryImpl) superuser.getRepository();
+ String wspName = repo.getConfig().getSecurityConfig().getSecurityManagerConfig().getWorkspaceName();
+
+ s = getHelper().getSuperuserSession(wspName);
+ provider = new UserAccessControlProvider();
+ provider.init(s, Collections.emptyMap());
+ }
+
+ @Override
+ protected void cleanUp() throws Exception {
+ if (provider != null) {
+ provider.close();
+ }
+ if (s != null) {
+ s.logout();
+ }
+ super.cleanUp();
+ }
+
+ /**
+ * @see <a href="https://issues.apache.org/jira/browse/JCR-2630">JCR-2630</a>
+ */
+ public void testNoNodeForPrincipal() throws RepositoryException {
+ final Principal testPrincipal = getTestPrincipal();
+ String path = "/home/users/t/" + testPrincipal.getName();
+ while (s.nodeExists(path)) {
+ path += "_";
+ }
+ final String principalPath = path;
+
+ List<Set<Principal>> principalSets = new ArrayList<Set<Principal>>();
+ principalSets.add(Collections.<Principal>singleton(testPrincipal));
+ principalSets.add(Collections.<Principal>singleton(new ItemBasedPrincipal() {
+ public String getPath() {
+ return principalPath;
+ }
+ public String getName() {
+ return testPrincipal.getName();
+ }
+ }));
+
+ Path rootPath = ((SessionImpl) s).getQPath("/");
+ for (Set<Principal> principals : principalSets) {
+ CompiledPermissions cp = provider.compilePermissions(principals);
+
+ assertFalse(cp.canReadAll());
+ assertFalse(cp.grants(rootPath, Permission.READ));
+ assertEquals(PrivilegeRegistry.NO_PRIVILEGE, cp.getPrivileges(rootPath));
+ assertSame(CompiledPermissions.NO_PERMISSION, cp);
+ }
+ }
+
+ public void testNodeRemovedForPrincipal() throws RepositoryException, NotExecutableException {
+ Principal testPrincipal = getTestPrincipal();
+ final User u = getUserManager(superuser).createUser(testPrincipal.getName(), "pw");
+ save(superuser);
+
+ Path rootPath = ((SessionImpl) s).getQPath("/");
+ CompiledPermissions cp = null;
+ try {
+ Set<Principal> principals = Collections.singleton(u.getPrincipal());
+ cp = provider.compilePermissions(principals);
+
+ assertTrue(cp.canReadAll());
+ assertTrue(cp.grants(rootPath, Permission.READ));
+ assertNotSame(CompiledPermissions.NO_PERMISSION, cp);
+ } finally {
+
+ // remove the user to assert that the path doesn't point to an
+ // existing node any more -> userNode cannot be resolved any more -> permissions denied.
+ u.remove();
+ save(superuser);
+
+ if (cp != null) {
+ assertFalse(cp.canReadAll());
+ assertFalse(cp.grants(rootPath, Permission.READ));
+ assertEquals(PrivilegeRegistry.NO_PRIVILEGE, cp.getPrivileges(rootPath));
+ }
+ }
+ }
+}
\ No newline at end of file
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserAccessControlProviderTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserAccessControlProviderTest.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision Rev URL