Posted to commits@jackrabbit.apache.org by kw...@apache.org on 2021/08/30 06:54:59 UTC

[jackrabbit-filevault] branch feature/JCRVLT-522-filter-rules-for-autorizables-acls created (now b916da5)

This is an automated email from the ASF dual-hosted git repository.

kwin pushed a change to branch feature/JCRVLT-522-filter-rules-for-autorizables-acls
in repository https://gitbox.apache.org/repos/asf/jackrabbit-filevault.git.


      at b916da5  JCRVLT-522 check effect of filter rules on ACLs

This branch includes the following new commits:

     new b916da5  JCRVLT-522 check effect of filter rules on ACLs

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[jackrabbit-filevault] 01/01: JCRVLT-522 check effect of filter rules on ACLs

Posted by kw...@apache.org.

kwin pushed a commit to branch feature/JCRVLT-522-filter-rules-for-autorizables-acls
in repository https://gitbox.apache.org/repos/asf/jackrabbit-filevault.git

commit b916da5f4857e20d31bf6f54469256d404b41c97
Author: Konrad Windszus <kw...@apache.org>
AuthorDate: Mon Aug 30 08:54:48 2021 +0200

    JCRVLT-522 check effect of filter rules on ACLs
    
    WIP
---
 src/site/markdown/filter.md                        |  8 ++--
 src/site/markdown/importmode.md                    | 14 ++++++-
 .../apache/jackrabbit/vault/fs/io/Importer.java    |  5 +++
 .../vault/packaging/integration/ACLAndMergeIT.java | 21 ++++++++--
 .../META-INF/vault/definition/.content.xml         | 49 ++++++++++++++++++++++
 .../META-INF/vault/filter.xml                      | 20 +++++++++
 .../META-INF/vault/nodetypes.cnd                   |  8 ++++
 .../META-INF/vault/properties.xml                  | 36 ++++++++++++++++
 .../ac_outside_filter.zip/jcr_root/.content.xml    | 34 +++++++++++++++
 .../jcr_root/testroot/_rep_policy.xml              |  9 ++++
 .../jcr_root/testroot/node_a/.content.xml          |  4 ++
 .../jcr_root/testroot/secured/.content.xml         | 21 ++++++++++
 .../jcr_root/testroot/secured/_rep_policy.xml      |  9 ++++
 13 files changed, 230 insertions(+), 8 deletions(-)

diff --git a/src/site/markdown/filter.md b/src/site/markdown/filter.md
index 05f8da4..6d8c98b 100644
--- a/src/site/markdown/filter.md
+++ b/src/site/markdown/filter.md
@@ -120,15 +120,17 @@ The exact rules are outlined below
 
 Item covered by filter rule | Item contained in the Content Package | Item contained in the Repository (prior to Import/Installation) | State of Item in Repository after Import/Installation
 --- | --- | --- | ---
-no | yes | yes | not touched
-no | no | yes | not touched
-no | yes | no | *nodes which are ancestors of covered rules*: deserialized from content package (for backwards compatibility reasons), *nodes which are not ancestors of covered rules*: not touched. One should not rely on this behaviour, i.e. all items in the content package should always be covered by some filter rule to make the behaviour more explicit.
+no | yes | yes | not touched(*)
+no | no | yes | not touched(*)
+no | yes | no | *nodes which are ancestors of covered rules*: deserialized from content package (for backwards compatibility reasons), *nodes which are not ancestors of covered rules*: not touched. One should not rely on this behaviour, i.e. all items in the content package should always be covered by some filter rule to make the behaviour more explicit.(*)
 no | no | no | not existing (not touched)
 yes | yes | yes | overwritten
 yes | no | yes | removed
 yes | yes | no | deserialized from content package
 yes | no | no | not existing
 
+Mostly for historical reason both authorizable nodes and access control lists behave differently.
+
 ### Uncovered ancestor nodes
 
 All *uncovered* ancestor nodes are either
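Review bot: the `(*)` marker added to the three "not covered" rows is never defined. The only new text below the table, "Mostly for historical reason both authorizable nodes and access control lists behave differently.", does not start with `(*)` and does not say how they differ. Suggest making it an explicit footnote that begins with `(*)` and points to the authorizable and authorization sections of importmode.md, and fixing "reason" to "reasons". In the third row the marker sits directly after the final period of a long cell, where it is easy to miss.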
diff --git a/src/site/markdown/importmode.md b/src/site/markdown/importmode.md
index 8fd54aa..0a85836 100644
--- a/src/site/markdown/importmode.md
+++ b/src/site/markdown/importmode.md
@@ -25,7 +25,10 @@ Details on how node ids are treated during import are outlined at [Referenceable
 
 The import mode handling is inconsistent and has many edge cases for the mode `MERGE` and `UPDATE`. Therefore FileVault 3.5.0 introduces the new modes `MERGE_PROPERTIES` and `UPDATE_PROPERTIES` (in [JCRVLT-255][JCRVLT-255]) which behave much more predicatable. The details are outlined at the [JavaDoc][api.ImportMode].
 
-Import Mode behaviour on authorizables
+As the import mode has other side effects for authorizable and authorization nodes, the behavior is described in the following sections
+
+
+Authorizable Nodes
 ----------------------------------------------------
 If an authorizable with the same name already exists, the active `ImportMode` controls how the existing authorizables are affected:
 
@@ -58,6 +61,13 @@ Note that the workspace filter of the package refers on the content of the packa
 
 However, the importer keeps track of potential remapping of existing users and tries to calculate the filters accordingly.
 
+Authorization Nodes
+----------------------------------------------------
+
+All authorization nodes of node type `rep:ACL` or the derived `rep:CugPolicy` or `rep:PrincipalPolicy` are ignoring the import mode but rather only evaluate the [package property `acHandling`][properties].
+
+
 [api.WorkspaceFilter]: apidocs/org/apache/jackrabbit/vault/fs/api/WorkspaceFilter.html
 [api.ImportMode]: apidocs/org/apache/jackrabbit/vault/fs/api/ImportMode.html
-[JCRVLT-255]: https://issues.apache.org/jira/browse/JCRVLT-255
\ No newline at end of file
+[JCRVLT-255]: https://issues.apache.org/jira/browse/JCRVLT-255
+[properties]: properties.html
\ No newline at end of file
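Review bot: the new "Authorization Nodes" section says these nodes ignore the import mode and follow `acHandling`, but it does not say how the workspace filter applies to them, which is what `testACLsOutsideFilter` in this commit exercises and what the `(*)` added in filter.md hints at. Add a sentence stating whether ACLs on nodes outside the filter roots are imported. "are ignoring the import mode but rather only evaluate" reads better as "ignore the import mode and only evaluate". The file still ends without a trailing newline after the `[properties]` link definition.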
diff --git a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java
index 4777004..1722221 100644
--- a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java
+++ b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java
@@ -515,6 +515,11 @@ public class Importer {
         }
     }
 
+    /**
+     * This disregards artifacts from the tree which are not contained in the filter
+     * @param root the (sub)tree
+     * @return the modified (sub)tree
+     */
     private TxInfo postFilter(TxInfo root) {
         TxInfo modifierRoot = root;
         if (filter.contains(modifierRoot.path)){
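Review bot: the new Javadoc on `postFilter` says artifacts outside the filter are "disregarded" but not what that means for the returned tree, and `@return the modified (sub)tree` leaves open whether `root` itself is mutated or a different `TxInfo` is returned (the body starts with `TxInfo modifierRoot = root`). Given the commit subject, the comment should also state whether ACL artifacts on uncovered nodes are affected. The first sentence is missing its closing period.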
diff --git a/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java b/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
index 90f22f2..593fabd 100644
--- a/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
+++ b/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
@@ -24,9 +24,11 @@ import java.util.Map;
 
 import javax.jcr.RepositoryException;
 
+import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.api.JackrabbitSession;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.commons.JcrUtils;
 import org.apache.jackrabbit.vault.fs.io.AccessControlHandling;
 import org.apache.jackrabbit.vault.fs.io.ImportOptions;
 import org.apache.jackrabbit.vault.packaging.JcrPackage;
@@ -416,7 +418,7 @@ public class ACLAndMergeIT extends IntegrationTestBase {
     }
 
     /**
-     * Installs a package with repository level acl and then installs another that removes them again.
+     * Installs a package with repository level acl with AccessControlHandling.MERGE.
      */
     @Test
     public void testRepoACLMerge() throws RepositoryException, IOException, PackageException {
@@ -437,7 +439,7 @@ public class ACLAndMergeIT extends IntegrationTestBase {
     }
 
     /**
-     * Installs a package with repository level acl and then installs another that removes them again.
+     * Installs a package with repository level acl with AccessControlHandling.MERGE_PRESERVE.
      */
     @Test
     public void testRepoACLMergePreserve() throws RepositoryException, IOException, PackageException {
@@ -458,7 +460,7 @@ public class ACLAndMergeIT extends IntegrationTestBase {
     }
 
     /**
-     * Installs a package a the root level (JCRVLT-75)
+     * Installs a package at the root level (JCRVLT-75)
      */
     @Test
     public void testRootACL() throws RepositoryException, IOException, PackageException {
@@ -469,4 +471,17 @@ public class ACLAndMergeIT extends IntegrationTestBase {
         // test if nodes and ACLs of first package exist
         assertPermission("/", true, new String[]{"jcr:all"}, "everyone", null);
     }
+    
+    /** Check effect of filter definitions */
+    @Test
+    public void testACLsOutsideFilter() throws IOException, PackageException, RepositoryException {
+        JcrUtils.getOrCreateByPath("/testroot/secured", JcrConstants.NT_FOLDER, admin);
+        extractVaultPackageStrict("/test-packages/ac_outside_filter.zip");
+        
+        // test if nodes and ACLs of package exist
+        assertNodeExists("/testroot/node_a");
+        assertPermission("/testroot", false, new String[]{"jcr:all"}, "everyone", null);
+        /*
+        assertPermission("/testroot/secured", false, new String[]{"jcr:all"}, "everyone", null);*/
+    }
 }
\ No newline at end of file
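Review bot: in `testACLsOutsideFilter` the assertion on `/testroot/secured` is commented out, so the node created up front with `JcrUtils.getOrCreateByPath` is never checked and the test only covers `/testroot`. Either enable the assertion with the expected outcome or remove both the block and the setup call. The comment "test if nodes and ACLs of package exist" is carried over from `testRootACL` and does not say that `/testroot` lies outside the package's filter root `/testroot/node_a`, which is the point of the test. The file also still lacks a trailing newline.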
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml
new file mode 100644
index 0000000..94aad31
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<jcr:root xmlns:vlt="http://www.day.com/jcr/vault/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:nt="http://www.jcp.org/jcr/nt/1.0"
+    jcr:created="{Date}2018-05-17T17:41:46.815+02:00"
+    jcr:createdBy="admin"
+    jcr:description="AC Handling: OverWrite"
+    jcr:lastModified="{Date}2018-05-17T17:41:46.815+02:00"
+    jcr:lastModifiedBy="admin"
+    jcr:primaryType="vlt:PackageDefinition"
+    acHandling="overwrite"
+    buildCount="1"
+    builtWith=""
+    fixedBugs=""
+    group="support"
+    lastUnwrapped="{Date}2018-05-17T17:41:46.815+02:00"
+    lastUnwrappedBy="admin"
+    lastWrapped="{Date}2018-05-17T17:41:46.815+02:00"
+    lastWrappedBy="admin"
+    name=""
+    providerLink=""
+    providerName=""
+    providerUrl=""
+    testedWith=""
+    version="">
+    <filter jcr:primaryType="nt:unstructured">
+        <f0
+            jcr:primaryType="nt:unstructured"
+            mode="replace"
+            root="/testroot/secured"
+            rules="[]"/>
+    </filter>
+    <screenshots jcr:primaryType="nt:unstructured"/>
+</jcr:root>
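Review bot: the `<f0>` filter here uses `root="/testroot/secured"`, while this package's `META-INF/vault/filter.xml` declares `/testroot/node_a`. If the mismatch is unintended, align the two; if the definition node is not needed for the test, consider dropping the file, since most of its attributes (`builtWith`, `providerUrl`, `testedWith` and others) are empty.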
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
new file mode 100644
index 0000000..c631f39
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<workspaceFilter version="1.0">
+    <filter root="/testroot/node_a"/>
+</workspaceFilter>
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/nodetypes.cnd b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/nodetypes.cnd
new file mode 100644
index 0000000..5afdfb7
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/nodetypes.cnd
@@ -0,0 +1,8 @@
+<'sling'='http://sling.apache.org/jcr/sling/1.0'>
+<'nt'='http://www.jcp.org/jcr/nt/1.0'>
+
+[sling:Folder] > nt:folder
+  - * (undefined)
+  - * (undefined) multiple
+  + * (nt:base) = sling:Folder version
+
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/properties.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/properties.xml
new file mode 100644
index 0000000..70a8f65
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/properties.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8" standalone="no"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
+<properties>
+<comment>FileVault Package Properties</comment>
+<entry key="createdBy">admin</entry>
+<entry key="name">mode_ac_test_a</entry>
+<entry key="lastModified">2011-11-15T09:43:22.972+01:00</entry>
+<entry key="lastModifiedBy">admin</entry>
+<entry key="created">2011-11-15T09:43:22.993+01:00</entry>
+<entry key="buildCount">1</entry>
+<entry key="version"/>
+<entry key="dependencies"/>
+<entry key="packageFormatVersion">2</entry>
+<entry key="description"/>
+<entry key="lastWrapped">2011-11-15T09:43:22.972+01:00</entry>
+<entry key="group"/>
+<entry key="lastWrappedBy">admin</entry>
+<entry key="acHandling">overwrite</entry>
+</properties>
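Review bot: `<entry key="name">mode_ac_test_a</entry>` does not match the fixture name `ac_outside_filter`, which makes a failure harder to trace back to this package. Rename it, and consider filling the empty `description` entry with a note that the package carries ACLs for `/testroot` and `/testroot/secured` outside its filter.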
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/.content.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/.content.xml
new file mode 100644
index 0000000..d412a30
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/.content.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
+    jcr:mixinTypes="[rep:AccessControllable]"
+    jcr:primaryType="rep:root"
+    sling:resourceType="sling:redirect"
+    sling:target="/index.html">
+    <rep:policy/>
+    <jcr:system/>
+    <var/>
+    <libs/>
+    <etc/>
+    <apps/>
+    <content/>
+    <tmp/>
+    <home/>
+    <testroot/>
+</jcr:root>
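Review bot: the root `.content.xml` lists `<rep:policy/>`, `<jcr:system/>`, `<var/>`, `<libs/>` and further children, plus `sling:resourceType="sling:redirect"`, none of which the new test asserts on; only `<testroot/>` is relevant. Trim the fixture to what the test needs so it is clear that the root node and its `rep:policy` are not part of the scenario.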
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/_rep_policy.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/_rep_policy.xml
new file mode 100644
index 0000000..8a415d5
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/_rep_policy.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root
+        xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
+    jcr:primaryType="rep:ACL">
+    <deny
+        jcr:primaryType="rep:DenyACE"
+        rep:principalName="everyone"
+        rep:privileges="{Name}[jcr:all]"/>
+</jcr:root>
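Review bot: this file has no ASF license header, while other XML files added to the same package (for example `META-INF/vault/filter.xml`) carry one, and the `xmlns` line is indented by eight spaces while the attributes below use four. Add the header if the project's license check covers test resources, and align the indentation.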
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/node_a/.content.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/node_a/.content.xml
new file mode 100644
index 0000000..61b37c8
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/node_a/.content.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0"
+    jcr:primaryType="sling:Folder"
+    title="1234"/>
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/.content.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/.content.xml
new file mode 100644
index 0000000..1e519aa
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/.content.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:nt="http://www.jcp.org/jcr/nt/1.0" xmlns:rep="internal"
+    jcr:mixinTypes="[rep:AccessControllable]"
+    jcr:primaryType="nt:folder"/>
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/_rep_policy.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/_rep_policy.xml
new file mode 100644
index 0000000..8a415d5
--- /dev/null
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/jcr_root/testroot/secured/_rep_policy.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root
+        xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
+    jcr:primaryType="rep:ACL">
+    <deny
+        jcr:primaryType="rep:DenyACE"
+        rep:principalName="everyone"
+        rep:privileges="{Name}[jcr:all]"/>
+</jcr:root>