Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2021/03/05 16:15:11 UTC
svn commit: r1887210 - in /jackrabbit/oak/trunk: oak-core/
oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/
oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/
oak-core/src/main/java/org/apache/jackr...
Author: angela
Date: Fri Mar 5 16:15:11 2021
New Revision: 1887210
URL: http://svn.apache.org/viewvc?rev=1887210&view=rev
Log:
OAK-9367 : Monitoring for default authorization module
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/AuthorizationMonitor.java (with props)
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/AuthorizationMonitorImpl.java (with props)
Modified:
jackrabbit/oak/trunk/oak-core/pom.xml
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ProviderCtx.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditor.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidatorTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionEntryProviderImplTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditorTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImplTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorTest.java
jackrabbit/oak/trunk/oak-store-document/src/test/java/org/apache/jackrabbit/oak/plugins/document/VisibleChangesTest.java
Modified: jackrabbit/oak/trunk/oak-core/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/pom.xml?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-core/pom.xml Fri Mar 5 16:15:11 2021
@@ -159,6 +159,7 @@
<include>org.apache.jackrabbit.oak.security.authentication.monitor</include>
<include>org.apache.jackrabbit.oak.security.authentication.user</include>
<include>org.apache.jackrabbit.oak.security.authorization</include>
+ <include>org.apache.jackrabbit.oak.security.authorization.monitor</include>
<include>org.apache.jackrabbit.oak.security.internal</include>
<include>org.apache.jackrabbit.oak.security.principal</include>
<include>org.apache.jackrabbit.oak.security.privilege</include>
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java Fri Mar 5 16:15:11 2021
@@ -17,6 +17,7 @@
package org.apache.jackrabbit.oak.security.authorization;
import java.security.Principal;
+import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -25,6 +26,8 @@ import javax.jcr.security.AccessControlM
import com.google.common.collect.ImmutableList;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitorImpl;
import org.apache.jackrabbit.oak.security.authorization.permission.VersionablePathHook;
import org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlImporter;
import org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl;
@@ -57,6 +60,8 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
+import org.apache.jackrabbit.oak.stats.Monitor;
+import org.apache.jackrabbit.oak.stats.StatisticsProvider;
import org.jetbrains.annotations.NotNull;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
@@ -121,6 +126,8 @@ public class AuthorizationConfigurationI
private MountInfoProvider mountInfoProvider = Mounts.defaultMountInfoProvider();
+ private AuthorizationMonitor monitor = new AuthorizationMonitorImpl(StatisticsProvider.NOOP);
+
public AuthorizationConfigurationImpl() {
super();
}
@@ -145,12 +152,6 @@ public class AuthorizationConfigurationI
@NotNull
@Override
- public Context getContext() {
- return AuthorizationContext.getInstance();
- }
-
- @NotNull
- @Override
public WorkspaceInitializer getWorkspaceInitializer() {
return new AuthorizationInitializer(mountInfoProvider);
}
@@ -160,7 +161,7 @@ public class AuthorizationConfigurationI
public List<? extends CommitHook> getCommitHooks(@NotNull String workspaceName) {
return ImmutableList.of(
new VersionablePathHook(workspaceName, this),
- new PermissionHook(workspaceName, getRestrictionProvider(), mountInfoProvider, getRootProvider(), getTreeProvider()));
+ new PermissionHook(workspaceName, getRestrictionProvider(), this));
}
@NotNull
@@ -178,6 +179,19 @@ public class AuthorizationConfigurationI
return ImmutableList.of(new AccessControlImporter());
}
+ @NotNull
+ @Override
+ public Context getContext() {
+ return AuthorizationContext.getInstance();
+ }
+
+ @NotNull
+ @Override
+ public Iterable<Monitor<?>> getMonitors(@NotNull StatisticsProvider statisticsProvider) {
+ monitor = new AuthorizationMonitorImpl(statisticsProvider);
+ return Collections.singleton(monitor);
+ }
+
//-----------------------------------------< AccessControlConfiguration >---
@NotNull
@Override
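Review bot: `getMonitors()` replaces the `monitor` field on every call, and that field (declared in the earlier hunk with a `StatisticsProvider.NOOP` default) is neither `final` nor `volatile`, so a `getMonitor()` caller on another thread is not guaranteed to see the new instance. Elsewhere in this commit `PermissionStoreEditor` and `PermissionStoreImpl` copy the monitor at construction time, so anything built before `getMonitors()` runs would keep marking the no-op meters, leaving access violations and permission errors uncounted; whether that ordering can occur is not visible here. At minimum declare the field as `private volatile AuthorizationMonitor monitor = new AuthorizationMonitorImpl(StatisticsProvider.NOOP);`. Also add a Javadoc line on `getMonitors` saying it must be called before any permission provider or commit hook is created.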
@@ -222,6 +236,12 @@ public class AuthorizationConfigurationI
return mountInfoProvider;
}
+ @NotNull
+ @Override
+ public AuthorizationMonitor getMonitor() {
+ return monitor;
+ }
+
//--------------------------------------------------------------------------
@Reference(name = "mountInfoProvider", cardinality = ReferenceCardinality.MANDATORY)
public void bindMountInfoProvider(MountInfoProvider mountInfoProvider) {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ProviderCtx.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ProviderCtx.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ProviderCtx.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ProviderCtx.java Fri Mar 5 16:15:11 2021
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
import org.apache.jackrabbit.oak.plugins.tree.RootProvider;
import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.jetbrains.annotations.NotNull;
@@ -35,4 +36,7 @@ public interface ProviderCtx {
@NotNull
MountInfoProvider getMountInfoProvider();
+
+ @NotNull
+ AuthorizationMonitor getMonitor();
}
Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/AuthorizationMonitor.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/AuthorizationMonitor.java?rev=1887210&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/AuthorizationMonitor.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/AuthorizationMonitor.java Fri Mar 5 16:15:11 2021
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.monitor;
+
+import org.apache.jackrabbit.oak.stats.Monitor;
+import org.osgi.annotation.versioning.ProviderType;
+
+@ProviderType
+public interface AuthorizationMonitor extends Monitor<AuthorizationMonitor> {
+
+ /**
+ * Called to mark an access violation in the default permission validator.
+ */
+ void accessViolation();
+
+ /**
+ * Called to mark unexpected errors related to the permission store. It does does not cover access violations,
+ * but actual operational errors that probably need to be investigated. Any triggered event should have a
+ * corresponding error logged to make this investigation possible.
+ */
+ void permissionError();
+
+ /**
+ * Called when the {@link org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider} is
+ * being refreshed and permission caches are cleared.
+ */
+ void permissionRefresh();
+
+ /**
+ * Called to record the time it takes to eagerly load all permissions for a given principal.
+ */
+ void permissionAllLoaded(long timeTakenNanos);
+}
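Review bot: The Javadoc on `permissionError()` reads "It does does not cover access violations"; the duplicated word should be dropped. `permissionAllLoaded(long timeTakenNanos)` has no `@param`, so I would add `@param timeTakenNanos elapsed time of the eager load, in nanoseconds`. The interface has no type-level comment either; one sentence saying these callbacks record events of the default authorization module (per the commit log) would help anyone wiring alerts to them.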
Propchange: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/AuthorizationMonitor.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/AuthorizationMonitorImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/AuthorizationMonitorImpl.java?rev=1887210&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/AuthorizationMonitorImpl.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/AuthorizationMonitorImpl.java Fri Mar 5 16:15:11 2021
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.monitor;
+
+import org.apache.jackrabbit.oak.stats.MeterStats;
+import org.apache.jackrabbit.oak.stats.StatisticsProvider;
+import org.apache.jackrabbit.oak.stats.StatsOptions;
+import org.apache.jackrabbit.oak.stats.TimerStats;
+import org.jetbrains.annotations.NotNull;
+
+import java.util.Collections;
+import java.util.Map;
+
+import static java.util.concurrent.TimeUnit.NANOSECONDS;
+
+public class AuthorizationMonitorImpl implements AuthorizationMonitor {
+
+ private final MeterStats accessViolations;
+ private final MeterStats permissionError;
+ private final MeterStats permissionRefresh;
+ private final TimerStats permissionAllLoaded;
+
+ public AuthorizationMonitorImpl(@NotNull StatisticsProvider statisticsProvider) {
+ accessViolations = statisticsProvider.getMeter("security.authorization.default.access.violation", StatsOptions.DEFAULT);
+ permissionError = statisticsProvider.getMeter("security.authorization.default.permission.error", StatsOptions.DEFAULT);
+ permissionRefresh = statisticsProvider.getMeter("security.authorization.default.permission.refresh", StatsOptions.DEFAULT);
+ permissionAllLoaded = statisticsProvider.getTimer("security.authorization.default.permission.all_loaded", StatsOptions.METRICS_ONLY);
+ }
+
+ //-------------------------------------------------------------------------------------< AccessViolationMonitor >---
+
+ @Override
+ public @NotNull Class<AuthorizationMonitor> getMonitorClass() {
+ return AuthorizationMonitor.class;
+ }
+
+ @Override
+ public @NotNull Map<Object, Object> getMonitorProperties() {
+ return Collections.emptyMap();
+ }
+
+ @Override
+ public void accessViolation() {
+ accessViolations.mark();
+ }
+
+ @Override
+ public void permissionError() {
+ permissionError.mark();
+ }
+
+ @Override
+ public void permissionRefresh() {
+ permissionRefresh.mark();
+
+ }
+
+ @Override
+ public void permissionAllLoaded(long timeTakenNanos) {
+ permissionAllLoaded.update(timeTakenNanos, NANOSECONDS);
+ }
+}
\ No newline at end of file
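Review bot: The section marker `< AccessViolationMonitor >` does not match the interface this class implements, which is `AuthorizationMonitor`; rename the marker. The field `accessViolations` is plural while its siblings `permissionError` and `permissionRefresh` are singular and mirror the method names, and `permissionRefresh()` ends with a stray blank line. The file lacks a trailing newline. Neither the class nor the constructor has Javadoc listing the four metric keys, which operators building alerts on access violations will need to look up.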
Propchange: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/monitor/AuthorizationMonitorImpl.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProvider.java Fri Mar 5 16:15:11 2021
@@ -57,11 +57,11 @@ public class MountPermissionProvider ext
@NotNull
@Override
protected PermissionStore getPermissionStore(@NotNull Root root, @NotNull String workspaceName, @NotNull RestrictionProvider restrictionProvider) {
- List<PermissionStoreImpl> stores = newArrayList();
- stores.add(new PermissionStoreImpl(root, workspaceName, restrictionProvider));
+ List<PermissionStore> stores = newArrayList();
+ stores.add(super.getPermissionStore(root, workspaceName, restrictionProvider));
for (Mount m : mountInfoProvider.getNonDefaultMounts()) {
String psRoot = getPermissionRootName(m, workspaceName);
- PermissionStoreImpl ps = new PermissionStoreImpl(root, psRoot, restrictionProvider);
+ PermissionStore ps = super.getPermissionStore(root, psRoot, restrictionProvider);
stores.add(ps);
}
return new MountPermissionStore(stores);
@@ -69,9 +69,9 @@ public class MountPermissionProvider ext
private static class MountPermissionStore implements PermissionStore {
- private final List<PermissionStoreImpl> stores;
+ private final List<PermissionStore> stores;
- MountPermissionStore(List<PermissionStoreImpl> stores) {
+ MountPermissionStore(List<PermissionStore> stores) {
this.stores = stores;
}
@@ -79,7 +79,7 @@ public class MountPermissionProvider ext
@Override
public Collection<PermissionEntry> load(@NotNull String principalName,
@NotNull String path) {
- for (PermissionStoreImpl store : stores) {
+ for (PermissionStore store : stores) {
Collection<PermissionEntry> col = store.load(principalName, path);
if (col != null) {
return col;
@@ -92,7 +92,7 @@ public class MountPermissionProvider ext
@Override
public PrincipalPermissionEntries load(@NotNull String principalName) {
PrincipalPermissionEntries ppe = new PrincipalPermissionEntries();
- for (PermissionStoreImpl store : stores) {
+ for (PermissionStore store : stores) {
ppe.putAllEntries(store.load(principalName).getEntries());
}
ppe.setFullyLoaded(true);
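Review bot: With this change each entry in `stores` is built through `super.getPermissionStore(...)` and so carries the monitor, which means the loop over `store.load(principalName)` likely produces one `permissionAllLoaded` timer sample per mount rather than one for the whole eager load. The composite `MountPermissionStore` records nothing itself. If the metric is meant to describe the cost seen by the caller, time the loop here instead; otherwise a comment such as `// timer is updated per underlying store, not for the aggregate` would avoid misreading. The method continues past the end of this hunk.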
@@ -104,7 +104,7 @@ public class MountPermissionProvider ext
public NumEntries getNumEntries(@NotNull String principalName, long max) {
long num = 0;
boolean isExact = true;
- for (PermissionStoreImpl store : stores) {
+ for (PermissionStore store : stores) {
NumEntries ne = store.getNumEntries(principalName, max);
num = LongUtils.safeAdd(num, ne.size);
if (!ne.isExact) {
@@ -123,7 +123,7 @@ public class MountPermissionProvider ext
@Override
public void flush(@NotNull Root root) {
- for (PermissionStoreImpl store : stores) {
+ for (PermissionStore store : stores) {
store.flush(root);
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java Fri Mar 5 16:15:11 2021
@@ -16,16 +16,11 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
-import java.util.HashMap;
-import java.util.Map;
-
import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate;
-import org.apache.jackrabbit.oak.plugins.tree.RootProvider;
-import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
+import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.PostValidationHook;
import org.apache.jackrabbit.oak.spi.mount.Mount;
-import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
@@ -36,6 +31,9 @@ import org.apache.jackrabbit.oak.spi.sta
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
import org.jetbrains.annotations.NotNull;
+import java.util.HashMap;
+import java.util.Map;
+
import static org.apache.jackrabbit.JcrConstants.JCR_SYSTEM;
import static org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState.EMPTY_NODE;
@@ -66,9 +64,7 @@ public class PermissionHook implements P
private final RestrictionProvider restrictionProvider;
private final String workspaceName;
- private final MountInfoProvider mountInfoProvider;
- private final RootProvider rootProvider;
- private final TreeProvider treeProvider;
+ private final ProviderCtx providerCtx;
private NodeBuilder permissionStore;
private PrivilegeBitsProvider bitsProvider;
@@ -81,13 +77,10 @@ public class PermissionHook implements P
private Map<String, PermissionStoreEditor> deleted = new HashMap<>();
public PermissionHook(@NotNull String workspaceName, @NotNull RestrictionProvider restrictionProvider,
- @NotNull MountInfoProvider mountInfoProvider, @NotNull RootProvider rootProvider,
- @NotNull TreeProvider treeProvider) {
+ @NotNull ProviderCtx providerCtx) {
this.workspaceName = workspaceName;
this.restrictionProvider = restrictionProvider;
- this.mountInfoProvider = mountInfoProvider;
- this.rootProvider = rootProvider;
- this.treeProvider = treeProvider;
+ this.providerCtx = providerCtx;
}
//---------------------------------------------------------< CommitHook >---
@@ -97,7 +90,7 @@ public class PermissionHook implements P
NodeBuilder rootAfter = after.builder();
permissionStore = getPermissionStore(rootAfter);
- bitsProvider = new PrivilegeBitsProvider(rootProvider.createReadOnlyRoot(after));
+ bitsProvider = new PrivilegeBitsProvider(providerCtx.getRootProvider().createReadOnlyRoot(after));
isACL = new TypePredicate(after, NT_REP_ACL);
isACE = new TypePredicate(after, NT_REP_ACE);
@@ -136,7 +129,7 @@ public class PermissionHook implements P
@NotNull
private NodeBuilder getPermissionRoot(@NotNull String path) {
- Mount m = mountInfoProvider.getMountByPath(path);
+ Mount m = providerCtx.getMountInfoProvider().getMountByPath(path);
return permissionStore.getChildNode(MountPermissionProvider.getPermissionRootName(m, workspaceName));
}
@@ -214,7 +207,7 @@ public class PermissionHook implements P
@NotNull
private PermissionStoreEditor createPermissionStoreEditor(@NotNull String nodeName, @NotNull NodeState nodeState) {
- return new PermissionStoreEditor(parentPath, nodeName, nodeState, getPermissionRoot(parentPath), isACE, isGrantACE, bitsProvider, restrictionProvider, treeProvider);
+ return new PermissionStoreEditor(parentPath, nodeName, nodeState, getPermissionRoot(parentPath), isACE, isGrantACE, bitsProvider, restrictionProvider, providerCtx);
}
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java Fri Mar 5 16:15:11 2021
@@ -84,6 +84,7 @@ public class PermissionProviderImpl impl
public void refresh() {
immutableRoot = providerCtx.getRootProvider().createReadOnlyRoot(root);
getCompiledPermissions().refresh(immutableRoot, workspaceName);
+ providerCtx.getMonitor().permissionRefresh();
}
@NotNull
@@ -175,7 +176,7 @@ public class PermissionProviderImpl impl
@NotNull
protected PermissionStore getPermissionStore(@NotNull Root root, @NotNull String workspaceName, @NotNull RestrictionProvider restrictionProvider) {
- return new PermissionStoreImpl(root, workspaceName, restrictionProvider);
+ return new PermissionStoreImpl(root, workspaceName, restrictionProvider, providerCtx.getMonitor());
}
private static boolean isVersionStorePath(@NotNull String oakPath) {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditor.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditor.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditor.java Fri Mar 5 16:15:11 2021
@@ -25,8 +25,9 @@ import com.google.common.collect.Maps;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate;
-import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
+import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
import org.apache.jackrabbit.oak.security.authorization.accesscontrol.ValidationEntry;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
@@ -55,15 +56,17 @@ final class PermissionStoreEditor implem
private final Map<String, List<AcEntry>> entries = Maps.newHashMap();
private final NodeBuilder permissionRoot;
private final PrivilegeBitsProvider bitsProvider;
+ private final AuthorizationMonitor monitor;
PermissionStoreEditor(@NotNull String aclPath, @NotNull String name,
@NotNull NodeState node, @NotNull NodeBuilder permissionRoot,
@NotNull TypePredicate isACE, @NotNull TypePredicate isGrantACE,
@NotNull PrivilegeBitsProvider bitsProvider,
@NotNull RestrictionProvider restrictionProvider,
- @NotNull TreeProvider treeProvider) {
+ @NotNull ProviderCtx providerCtx) {
this.permissionRoot = permissionRoot;
this.bitsProvider = bitsProvider;
+ this.monitor = providerCtx.getMonitor();
if (name.equals(REP_REPO_POLICY)) {
accessControlledPath = "";
} else {
@@ -83,7 +86,7 @@ final class PermissionStoreEditor implem
if (isACE.test(ace)) {
boolean isAllow = isGrantACE.test(ace);
PrivilegeBits privilegeBits = bitsProvider.getBits(ace.getNames(REP_PRIVILEGES));
- Set<Restriction> restrictions = restrictionProvider.readRestrictions(Strings.emptyToNull(accessControlledPath), treeProvider.createReadOnlyTree(ace));
+ Set<Restriction> restrictions = restrictionProvider.readRestrictions(Strings.emptyToNull(accessControlledPath), providerCtx.getTreeProvider().createReadOnlyTree(ace));
String principalName = Text.escapeIllegalJcrChars(ace.getString(REP_PRINCIPAL_NAME));
AcEntry entry = new AcEntry(principalName, index, isAllow, privilegeBits, restrictions);
@@ -155,9 +158,10 @@ final class PermissionStoreEditor implem
}
}
if (removed) {
- updateNumEntries(principalName, principalRoot, -1);
+ updateNumEntries(principalName, principalRoot, -1, monitor);
}
} else {
+ monitor.permissionError();
log.error("Unable to remove permission entry {}: Principal root missing.", this);
}
}
@@ -212,7 +216,7 @@ final class PermissionStoreEditor implem
updateEntries(parent, entry.getValue());
if (parent.isNew()) {
- updateNumEntries(principalName, principalRoot, +1);
+ updateNumEntries(principalName, principalRoot, +1, monitor);
}
}
}
@@ -229,7 +233,7 @@ final class PermissionStoreEditor implem
}
}
- private static void updateNumEntries(@NotNull String principalName, @NotNull NodeBuilder principalRoot, int cnt) {
+ private static void updateNumEntries(@NotNull String principalName, @NotNull NodeBuilder principalRoot, int cnt, @NotNull AuthorizationMonitor monitor) {
PropertyState ps = principalRoot.getProperty(REP_NUM_PERMISSIONS);
if (ps == null && !principalRoot.isNew()) {
// existing principal root that doesn't have the rep:numEntries set
@@ -239,6 +243,7 @@ final class PermissionStoreEditor implem
long numEntries = ((ps == null) ? 0 : ps.getValue(Type.LONG)) + cnt;
if (numEntries < 0) {
// numEntries unexpectedly turned negative
+ monitor.permissionError();
log.error("NumEntries counter for principal '{}' turned negative -> removing 'rep:numPermissions' property.", principalName);
principalRoot.removeProperty(REP_NUM_PERMISSIONS);
} else {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImpl.java Fri Mar 5 16:15:11 2021
@@ -20,10 +20,12 @@ import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeSet;
+
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.JcrAllUtil;
@@ -45,17 +47,19 @@ class PermissionStoreImpl implements Per
private static final Logger log = LoggerFactory.getLogger(PermissionStoreImpl.class);
private final String permissionRootName;
-
private final RestrictionProvider restrictionProvider;
+ private final AuthorizationMonitor monitor;
private final Map<String, Tree> principalTreeMap = new HashMap<>();
private Tree permissionsTree;
private PrivilegeBitsProvider bitsProvider;
- PermissionStoreImpl(@NotNull Root root, @NotNull String permissionRootName, @NotNull RestrictionProvider restrictionProvider) {
+ PermissionStoreImpl(@NotNull Root root, @NotNull String permissionRootName, @NotNull RestrictionProvider restrictionProvider,
+ @NotNull AuthorizationMonitor monitor) {
this.permissionRootName = permissionRootName;
this.restrictionProvider = restrictionProvider;
+ this.monitor = monitor;
reset(root);
}
@@ -126,9 +130,10 @@ class PermissionStoreImpl implements Per
}
}
ret.setFullyLoaded(true);
- long t1 = System.nanoTime();
+ long t = System.nanoTime()-t0;
+ monitor.permissionAllLoaded(t);
if (log.isDebugEnabled()) {
- log.debug(String.format("loaded %d entries in %.2fus for %s.%n", ret.getSize(), (t1 - t0) / 1000.0, principalName));
+ log.debug(String.format("loaded %d entries in %.2fus for %s.%n", ret.getSize(), t / 1000.0, principalName));
}
return ret;
}
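Review bot: The value passed to `monitor.permissionAllLoaded(t)` is a raw `System.nanoTime()` difference, while the debug line below divides it by 1000.0 and labels it "us", so nothing in this hunk states which unit the monitor receives. Naming the local for its unit, `long elapsedNanos = System.nanoTime() - t0;`, with a short comment `// monitor receives nanoseconds`, would keep a later edit from passing microseconds or milliseconds. The unit that AuthorizationMonitor expects is not visible here and should be confirmed against the interface. The enclosing method starts above the hunk.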
@@ -165,6 +170,7 @@ class PermissionStoreImpl implements Per
}
}
} else {
+ monitor.permissionError();
log.error("Permission entry at '{}' without rep:accessControlledPath property.", tree.getPath());
}
}
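Review bot: `monitor.permissionError()` counts a permission entry that lacks rep:accessControlledPath, but the branch then only logs and moves on, so the entry appears to be left out of what is loaded for the principal. That deserves a comment, because an incomplete permission store changes what gets evaluated: `// entry is skipped: inconsistent store content, counted so operators can alert on it`. The counter carries no path, so the `log.error` line remains the only place that identifies the offending tree, and the two calls should stay adjacent as they are here. The enclosing method begins and ends outside the hunk.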
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java Fri Mar 5 16:15:11 2021
@@ -138,6 +138,7 @@ class PermissionValidator extends Defaul
if (isVersionstorageTree(child)) {
child = getVersionHistoryTree(child);
if (child == null) {
+ provider.getAccessMonitor().accessViolation();
throw new CommitFailedException(
ACCESS, 21, "New version storage node without version history: cannot verify permissions.");
}
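Review bot: The single counter `accessViolation()` is incremented for three different conditions: a version storage node without version history where permissions cannot be verified (code 21, this hunk), an attempt to remove a versionstorage node (code 22, the `childNodeDeleted` hunk), and a denied permission check in `checkIsGranted` (code 0). For detection the last is a policy denial and the first two are closer to consistency failures, so one number cannot separate a burst of denied writes from broken version storage. If the monitor interface cannot take a dimension, a comment at each call would at least document what the metric aggregates, for example `// counted as access violation (code 21): permissions cannot be verified`. The call-then-throw pair is also repeated at all three sites, and a private helper doing both would keep a future throw site from skipping the counter. The enclosing method starts outside this hunk.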
@@ -157,6 +158,7 @@ class PermissionValidator extends Defaul
public Validator childNodeDeleted(String name, NodeState before) throws CommitFailedException {
Tree child = parentBefore.getChild(name);
if (isVersionstorageTree(child)) {
+ provider.getAccessMonitor().accessViolation();
throw new CommitFailedException(
ACCESS, 22, "Attempt to remove versionstorage node: Fail to verify delete permission.");
}
@@ -349,6 +351,7 @@ class PermissionValidator extends Defaul
void checkIsGranted(boolean isGranted) throws CommitFailedException {
if (!isGranted) {
+ provider.getAccessMonitor().accessViolation();
throw new CommitFailedException(ACCESS, 0, "Access denied");
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java Fri Mar 5 16:15:11 2021
@@ -22,6 +22,7 @@ import org.apache.jackrabbit.oak.api.Roo
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
import org.apache.jackrabbit.oak.spi.commit.Validator;
@@ -118,4 +119,9 @@ public class PermissionValidatorProvider
Tree createReadOnlyTree(@NotNull NodeState nodeState) {
return providerCtx.getTreeProvider().createReadOnlyTree(nodeState);
}
+
+ @NotNull
+ AuthorizationMonitor getAccessMonitor() {
+ return providerCtx.getMonitor();
+ }
}
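Review bot: The new accessor is named `getAccessMonitor()` although it returns an `AuthorizationMonitor` obtained from `providerCtx.getMonitor()`; three names for one object make the call sites in PermissionValidator harder to search for. Renaming it to `getMonitor()` to match ProviderCtx would settle that. A one-line Javadoc would also help, such as `/** Monitor used to record access violations raised by validators created from this provider. */`.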
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java Fri Mar 5 16:15:11 2021
@@ -34,6 +34,7 @@ import org.apache.jackrabbit.oak.plugins
import org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl;
import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
import org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.Context;
@@ -78,7 +79,6 @@ import static org.junit.Assert.assertTru
import static org.mockito.ArgumentMatchers.anyLong;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.clearInvocations;
-import static org.mockito.Mockito.doReturn;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
@@ -132,7 +132,7 @@ public class CompiledPermissionImplTest
@NotNull
private PermissionStore mockPermissionStore(@NotNull Root r, @NotNull String wspName) {
- return spy(new PermissionStoreImpl(r, wspName, getConfig(AuthorizationConfiguration.class).getRestrictionProvider()));
+ return spy(new PermissionStoreImpl(r, wspName, getConfig(AuthorizationConfiguration.class).getRestrictionProvider(), mock(AuthorizationMonitor.class)));
}
private CompiledPermissionImpl create(@NotNull Root r, @NotNull String workspaceName, @NotNull Set<Principal> principals, @NotNull PermissionStore store, @NotNull ConfigurationParameters options) {
@@ -529,7 +529,7 @@ public class CompiledPermissionImplTest
String wspName = testSession.getWorkspaceName();
// create cp for group principal only (no user principal)
- PermissionStore store = spy(new PermissionStoreImpl(readOnlyRoot, wspName, getConfig(AuthorizationConfiguration.class).getRestrictionProvider()));
+ PermissionStore store = mockPermissionStore(readOnlyRoot, wspName);
CompiledPermissionImpl cp = create(readOnlyRoot, wspName, ImmutableSet.of(EveryonePrincipal.getInstance()), store, ConfigurationParameters.EMPTY);
verify(store, never()).getNumEntries(anyString(), anyLong());
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidatorTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidatorTest.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidatorTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidatorTest.java Fri Mar 5 16:15:11 2021
@@ -26,6 +26,7 @@ import org.apache.jackrabbit.oak.api.Tre
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.commit.VisibleValidator;
@@ -53,7 +54,9 @@ import static org.junit.Assert.assertNul
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyLong;
import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.clearInvocations;
import static org.mockito.Mockito.doReturn;
import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.mock;
@@ -61,6 +64,8 @@ import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
import static org.mockito.Mockito.when;
public class MoveAwarePermissionValidatorTest extends AbstractSecurityTest {
@@ -69,6 +74,8 @@ public class MoveAwarePermissionValidato
private PermissionProvider pp;
private JackrabbitAccessControlList acl;
+ private final AuthorizationMonitor monitor = mock(AuthorizationMonitor.class);
+
@Before
public void before() throws Exception {
super.before();
@@ -83,6 +90,7 @@ public class MoveAwarePermissionValidato
@After
public void after() throws Exception {
try {
+ clearInvocations(monitor);
if (acl != null) {
getAccessControlManager(root).removePolicy(acl.getPath(), acl);
}
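Review bot: `clearInvocations(monitor)` in `after()` has no effect under the default JUnit 4 runner, because the test class is instantiated once per test method and the `monitor` field initializer creates a fresh mock each time. The same call in the `after()` methods of PermissionStoreEditorTest and PermissionStoreImplTest in this commit is redundant for the same reason. Either drop the call or, if a custom runner reuses instances (not visible here), state that in a comment: `// instance is reused across tests, reset recorded calls`. The `after()` body continues outside the hunk.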
@@ -115,6 +123,7 @@ public class MoveAwarePermissionValidato
when(ctx.getSecurityProvider()).thenReturn(getSecurityProvider());
when(ctx.getTreeProvider()).thenReturn(getTreeProvider());
when(ctx.getRootProvider()).thenReturn(getRootProvider());
+ when(ctx.getMonitor()).thenReturn(monitor);
String wspName = root.getContentSession().getWorkspaceName();
Root readonlyRoot = getRootProvider().createReadOnlyRoot(root);
@@ -134,6 +143,7 @@ public class MoveAwarePermissionValidato
assertTrue(validator instanceof VisibleValidator);
verify(maValidator, times(1)).checkPermissions(t.getChild("name"), false, Permissions.ADD_NODE);
+ verifyNoInteractions(monitor);
}
@Test
@@ -147,6 +157,7 @@ public class MoveAwarePermissionValidato
assertTrue(validator instanceof VisibleValidator);
verify(maValidator, times(1)).checkPermissions(t.getChild("dest"), false, Permissions.ADD_NODE);
verify(pp, never()).isGranted(t.getChild("src"), null, Permissions.REMOVE_NODE);
+ verifyNoInteractions(monitor);
}
@Test
@@ -160,6 +171,7 @@ public class MoveAwarePermissionValidato
assertNull(validator);
verify(maValidator, times(1)).checkPermissions(t.getChild("dest"), false, Permissions.ADD_NODE|Permissions.NODE_TYPE_MANAGEMENT);
verify(pp, times(1)).isGranted(t.getChild("src"), null, Permissions.REMOVE_NODE);
+ verifyNoInteractions(monitor);
}
@Test
@@ -175,6 +187,7 @@ public class MoveAwarePermissionValidato
assertTrue(validator instanceof VisibleValidator);
verify(maValidator, times(1)).checkPermissions(t.getChild("dest"), false, Permissions.ADD_NODE);
verify(pp, never()).isGranted(t.getChild("src"), null, Permissions.REMOVE_NODE);
+ verifyNoInteractions(monitor);
}
@Test(expected = CommitFailedException.class)
@@ -193,6 +206,10 @@ public class MoveAwarePermissionValidato
assertTrue(e.isAccessViolation());
assertEquals(0, e.getCode());
throw e;
+ } finally {
+ verify(monitor).accessViolation();
+ verify(monitor).permissionAllLoaded(anyLong());
+ verifyNoMoreInteractions(monitor);
}
}
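Review bot: Placing the `verify(monitor)` calls in `finally` means a failed verification replaces whatever exception was propagating out of the `try`, so an unexpected exception from the code under test is reported as a Mockito failure and the real cause is lost. Moving them into the `catch` block ahead of `throw e;` keeps them on the path this test is about. `verify(monitor).permissionAllLoaded(anyLong())` also pins the test to exactly one full permission load, which is incidental to the access-violation check; `verify(monitor, atLeastOnce()).permissionAllLoaded(anyLong());` would be less brittle. The later hunks of this file at -262 and -282 use the same `finally` pattern. The test method starts outside the hunk.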
@@ -203,6 +220,7 @@ public class MoveAwarePermissionValidato
assertNull(validator);
verify(maValidator, times(1)).checkPermissions(t.getChild("name"), true, Permissions.REMOVE_NODE);
+ verifyNoInteractions(monitor);
}
@Test
@@ -216,6 +234,7 @@ public class MoveAwarePermissionValidato
assertNull(validator);
verify(maValidator, times(1)).checkPermissions(t.getChild("src"), true, Permissions.REMOVE_NODE);
verify(pp, never()).isGranted(t.getChild("nonExistingDest"), null, Permissions.ADD_NODE|Permissions.NODE_TYPE_MANAGEMENT);
+ verifyNoInteractions(monitor);
}
@Test
@@ -229,6 +248,7 @@ public class MoveAwarePermissionValidato
assertNull(validator);
verify(maValidator, times(1)).checkPermissions(t.getChild("src"), true, Permissions.REMOVE_NODE);
verify(pp, times(1)).isGranted(t.getChild("dest"), null, Permissions.ADD_NODE|Permissions.NODE_TYPE_MANAGEMENT);
+ verifyNoInteractions(monitor);
}
@Test
@@ -244,6 +264,7 @@ public class MoveAwarePermissionValidato
assertNull(validator);
verify(maValidator, times(1)).checkPermissions(t.getChild("src"), true, Permissions.REMOVE_NODE);
verify(pp, never()).isGranted(t.getChild("dest"), null, Permissions.ADD_NODE|Permissions.NODE_TYPE_MANAGEMENT);
+ verifyNoInteractions(monitor);
}
@Test(expected = CommitFailedException.class)
@@ -262,6 +283,10 @@ public class MoveAwarePermissionValidato
assertTrue(e.isAccessViolation());
assertEquals(0, e.getCode());
throw e;
+ } finally {
+ verify(monitor).accessViolation();
+ verify(monitor).permissionAllLoaded(anyLong());
+ verifyNoMoreInteractions(monitor);
}
}
@@ -282,6 +307,8 @@ public class MoveAwarePermissionValidato
} catch (CommitFailedException e){
assertSame(exp, e);
throw e;
+ } finally {
+ verifyNoInteractions(monitor);
}
}
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionEntryProviderImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionEntryProviderImplTest.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionEntryProviderImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionEntryProviderImplTest.java Fri Mar 5 16:15:11 2021
@@ -40,6 +40,10 @@ public class PermissionEntryProviderImpl
private final String GROUP_LONG_MAX_MINUS_10 = "groupLongMaxMinus10";
private final String GROUP_50 = "group50";
+ private static PermissionEntryProviderImpl createPermissionEntryProviderImpl(@NotNull PermissionStore store, @NotNull Set<String> principalNames) {
+ return new PermissionEntryProviderImpl(store, principalNames, ConfigurationParameters.EMPTY);
+ }
+
/**
* @see <a href="https://issues.apache.org/jira/browse/OAK-2465">OAK-2465</a>
*/
@@ -55,7 +59,7 @@ public class PermissionEntryProviderImpl
return Long.MAX_VALUE the cache should not be filled (-> the mock-cache
implementation will fail.
*/
- PermissionEntryProviderImpl provider = new PermissionEntryProviderImpl(store, principalNames, ConfigurationParameters.EMPTY);
+ PermissionEntryProviderImpl provider = createPermissionEntryProviderImpl(store, principalNames);
// test that PermissionEntryProviderImpl.noExistingNames nevertheless is
// properly set
@@ -78,7 +82,7 @@ public class PermissionEntryProviderImpl
entries must deal with the fact that the counter may become bigger that
Long.MAX_VALUE
*/
- PermissionEntryProviderImpl provider = new PermissionEntryProviderImpl(store, principalNames, ConfigurationParameters.EMPTY);
+ PermissionEntryProviderImpl provider = createPermissionEntryProviderImpl(store, principalNames);
assertFalse(getBooleanField(provider, "noExistingNames"));
assertNotSame(Collections.emptyIterator(), provider.getEntryIterator(EntryPredicate.create()));
@@ -95,7 +99,7 @@ public class PermissionEntryProviderImpl
/*
same as before but principal-set contains a name for which not entries exist
*/
- PermissionEntryProviderImpl provider = new PermissionEntryProviderImpl(store, principalNames, ConfigurationParameters.EMPTY);
+ PermissionEntryProviderImpl provider = createPermissionEntryProviderImpl(store, principalNames);
assertFalse(getBooleanField(provider, "noExistingNames"));
}
@@ -104,7 +108,7 @@ public class PermissionEntryProviderImpl
MockPermissionStore store = new MockPermissionStore();
Set<String> principalNames = Sets.newHashSet("noEntries", "noEntries2", "noEntries3");
- PermissionEntryProviderImpl provider = new PermissionEntryProviderImpl(store, principalNames, ConfigurationParameters.EMPTY);
+ PermissionEntryProviderImpl provider = createPermissionEntryProviderImpl(store, principalNames);
assertFalse(getBooleanField(provider, "noExistingNames"));
// force init
@@ -117,7 +121,7 @@ public class PermissionEntryProviderImpl
MockPermissionStore store = new MockPermissionStore();
Set<String> principalNames = Sets.newHashSet("noEntries", "noEntries2", "noEntries3");
- PermissionEntryProviderImpl provider = new PermissionEntryProviderImpl(store, principalNames, ConfigurationParameters.EMPTY);
+ PermissionEntryProviderImpl provider = createPermissionEntryProviderImpl(store, principalNames);
assertFalse(getBooleanField(provider, "initialized"));
provider.getEntryIterator(EntryPredicate.create());
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java Fri Mar 5 16:15:11 2021
@@ -35,6 +35,8 @@ import org.apache.jackrabbit.oak.plugins
import org.apache.jackrabbit.oak.plugins.tree.RootProvider;
import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
+import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
import org.apache.jackrabbit.oak.spi.mount.Mounts;
@@ -92,6 +94,8 @@ public class PermissionHookTest extends
protected Principal testPrincipal;
protected List<Principal> principals = new ArrayList<>();
+ private AuthorizationMonitor monitor;
+
@Override
@Before
public void before() throws Exception {
@@ -107,6 +111,7 @@ public class PermissionHookTest extends
root.commit();
PrivilegeBitsProvider bitsProvider = new PrivilegeBitsProvider(root);
+ monitor = mock(AuthorizationMonitor.class);
}
@Override
@@ -128,8 +133,17 @@ public class PermissionHookTest extends
}
}
+ private ProviderCtx mockProviderContext(@NotNull MountInfoProvider mip, @NotNull RootProvider rootProvider, @NotNull TreeProvider treeProvider) {
+ ProviderCtx ctx = mock(ProviderCtx.class);
+ when(ctx.getMountInfoProvider()).thenReturn(mip);
+ when(ctx.getRootProvider()).thenReturn(rootProvider);
+ when(ctx.getTreeProvider()).thenReturn(treeProvider);
+ when(ctx.getMonitor()).thenReturn(monitor);
+ return ctx;
+ }
+
private PermissionHook createPermissionHook(@NotNull String wspName) {
- return new PermissionHook(wspName, RestrictionProvider.EMPTY, Mounts.defaultMountInfoProvider(), getRootProvider(), getTreeProvider());
+ return new PermissionHook(wspName, RestrictionProvider.EMPTY, mockProviderContext(Mounts.defaultMountInfoProvider(), getRootProvider(), getTreeProvider()));
}
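Review bot: `mockProviderContext` wires the `monitor` mock into every PermissionHook built by this test, yet none of the hunks for this file adds a `verify` on it, so the hook's monitoring behaviour is not asserted here. If the mock exists only to satisfy the new constructor signature, a comment on the field would make that explicit, for example `// not verified here; monitor calls are asserted in PermissionStoreEditorTest`. Otherwise a `verifyNoInteractions(monitor);` at the end of a test that commits valid ACEs would give the hook-level path the same coverage the editor test has.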
private void addACE(@NotNull String path, @NotNull Principal principal, @NotNull String... privilegeNames) throws RepositoryException {
@@ -789,7 +803,7 @@ public class PermissionHookTest extends
@Test
public void testToString() {
PermissionHook h1 = createPermissionHook("wspName");
- PermissionHook h2 = new PermissionHook("default", mock(RestrictionProvider.class), mock(MountInfoProvider.class), mock(RootProvider.class), mock(TreeProvider.class));
+ PermissionHook h2 = new PermissionHook("default", mock(RestrictionProvider.class), mockProviderContext(mock(MountInfoProvider.class), mock(RootProvider.class), mock(TreeProvider.class)));
assertEquals(h1.toString(), h2.toString());
}
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditorTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditorTest.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditorTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditorTest.java Fri Mar 5 16:15:11 2021
@@ -23,6 +23,9 @@ import org.apache.jackrabbit.oak.api.Typ
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate;
+import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
+import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
@@ -31,6 +34,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.jetbrains.annotations.NotNull;
+import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -50,11 +54,13 @@ import static org.apache.jackrabbit.oak.
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyLong;
import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.clearInvocations;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.when;
public class PermissionStoreEditorTest extends AbstractSecurityTest {
@@ -64,6 +70,8 @@ public class PermissionStoreEditorTest e
private PrivilegeBitsProvider bitsProvider;
private RestrictionProvider restrictionProvider;
+ private final AuthorizationMonitor monitor = mock(AuthorizationMonitor.class);
+
private TypePredicate isACE;
private TypePredicate isGrantACE;
@@ -79,6 +87,11 @@ public class PermissionStoreEditorTest e
isGrantACE = spy(new TypePredicate(rootState, NT_REP_GRANT_ACE));
}
+ @After
+ public void after() {
+ clearInvocations(monitor);
+ }
+
@NotNull
private static NodeState mockACE(@NotNull String principalName) {
NodeState ace = mock(NodeState.class);
@@ -99,8 +112,18 @@ public class PermissionStoreEditorTest e
}
@NotNull
+ private ProviderCtx getProviderCtx() {
+ ProviderCtx ctx = mock(ProviderCtx.class);
+ when(ctx.getMountInfoProvider()).thenReturn(mock(MountInfoProvider.class));
+ when(ctx.getRootProvider()).thenReturn(getRootProvider());
+ when(ctx.getTreeProvider()).thenReturn(getTreeProvider());
+ when(ctx.getMonitor()).thenReturn(monitor);
+ return ctx;
+ }
+
+ @NotNull
private PermissionStoreEditor createPermissionStoreEditor(@NotNull NodeState nodeState, @NotNull NodeBuilder permissionRoot) {
- return new PermissionStoreEditor("", AccessControlConstants.REP_REPO_POLICY, nodeState, permissionRoot, isACE, isGrantACE, bitsProvider, restrictionProvider, getTreeProvider());
+ return new PermissionStoreEditor("", AccessControlConstants.REP_REPO_POLICY, nodeState, permissionRoot, isACE, isGrantACE, bitsProvider, restrictionProvider, getProviderCtx());
}
@Test
@@ -111,11 +134,13 @@ public class PermissionStoreEditorTest e
when(nodeState.getNames(JCR_MIXINTYPES)).thenReturn(Collections.emptySet());
when(nodeState.getChildNode(anyString())).thenReturn(nodeState);
- new PermissionStoreEditor("/test", AccessControlConstants.REP_POLICY, nodeState, mock(NodeBuilder.class), isACE, isGrantACE, bitsProvider, restrictionProvider, getTreeProvider());
+ new PermissionStoreEditor("/test", AccessControlConstants.REP_POLICY, nodeState, mock(NodeBuilder.class), isACE, isGrantACE, bitsProvider, restrictionProvider, getProviderCtx());
verify(nodeState, times(3)).getChildNode(anyString());
verify(isACE, times(3)).test(nodeState);
verify(isGrantACE, never()).test(nodeState);
+
+ verifyNoInteractions(monitor);
}
@Test
@@ -133,6 +158,8 @@ public class PermissionStoreEditorTest e
verify(nodeState, times(3)).getChildNode(anyString());
verify(isACE, times(3)).test(ace);
verify(isGrantACE, times(3)).test(ace);
+
+ verifyNoInteractions(monitor);
}
@Test
@@ -146,6 +173,8 @@ public class PermissionStoreEditorTest e
verify(permissionsRoot, times(1)).hasChildNode("unknownPrincipal");
verify(permissionsRoot, never()).getChildNode("unknownPrincipal");
+
+ verify(monitor).permissionError();
}
@Test
@@ -168,6 +197,8 @@ public class PermissionStoreEditorTest e
verify(principalRoot, times(1)).getChildNode(anyString());
verify(parent, times(1)).exists();
verify(parent, never()).getProperty(anyString());
+
+ verifyNoInteractions(monitor);
}
@Test
@@ -194,6 +225,8 @@ public class PermissionStoreEditorTest e
verify(parent, times(1)).getChildNode("collision");
verify(parent, times(2)).getProperty(REP_ACCESS_CONTROLLED_PATH);
verify(parent, never()).remove();
+
+ verifyNoInteractions(monitor);
}
@Test
@@ -222,6 +255,8 @@ public class PermissionStoreEditorTest e
verify(principalRoot, times(1)).getProperty(REP_NUM_PERMISSIONS);
verify(principalRoot, never()).removeProperty(REP_NUM_PERMISSIONS);
verify(principalRoot, never()).setProperty(anyString(), anyLong(), any(Type.class));
+
+ verifyNoInteractions(monitor);
}
@Test
@@ -251,6 +286,8 @@ public class PermissionStoreEditorTest e
verify(principalRoot, times(1)).getProperty(REP_NUM_PERMISSIONS);
verify(principalRoot, times(1)).removeProperty(REP_NUM_PERMISSIONS);
verify(principalRoot, never()).setProperty(anyString(), anyLong(), any(Type.class));
+
+ verify(monitor).permissionError();
}
@Test
@@ -286,6 +323,8 @@ public class PermissionStoreEditorTest e
verify(collision, times(1)).setProperty(REP_ACCESS_CONTROLLED_PATH, editor.getPath());
verify(collision, times(1)).child(anyString());
+
+ verifyNoInteractions(monitor);
}
@Test
@@ -310,5 +349,7 @@ public class PermissionStoreEditorTest e
// only the existing 'entry' child gets removed. the collision is not touched
verify(child, times(1)).remove();
+
+ verifyNoInteractions(monitor);
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImplTest.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreImplTest.java Fri Mar 5 16:15:11 2021
@@ -22,6 +22,7 @@ import org.apache.jackrabbit.commons.jac
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
@@ -45,6 +46,12 @@ import static org.junit.Assert.assertFal
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.anyLong;
+import static org.mockito.Mockito.clearInvocations;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
public class PermissionStoreImplTest extends AbstractSecurityTest implements PermissionConstants {
@@ -55,6 +62,8 @@ public class PermissionStoreImplTest ext
private String testPath = "/testPath";
private String childPath = "/testPath/childNode";
+ private AuthorizationMonitor monitor = mock(AuthorizationMonitor.class);
+
@Before
public void before() throws Exception {
super.before();
@@ -68,7 +77,7 @@ public class PermissionStoreImplTest ext
addAcl(childPath, EveryonePrincipal.getInstance());
root.commit();
- permissionStore = new PermissionStoreImpl(root, root.getContentSession().getWorkspaceName(), getConfig(AuthorizationConfiguration.class).getRestrictionProvider());
+ permissionStore = new PermissionStoreImpl(root, root.getContentSession().getWorkspaceName(), getConfig(AuthorizationConfiguration.class).getRestrictionProvider(), monitor);
}
private void addAcl(@NotNull String path, @NotNull Principal principal) throws RepositoryException {
@@ -81,6 +90,8 @@ public class PermissionStoreImplTest ext
@After
public void after() throws Exception {
try {
+ clearInvocations(monitor);
+
AccessControlManager acMgr = getAccessControlManager(root);
JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
acMgr.removePolicy(testPath, acl);
@@ -90,12 +101,18 @@ public class PermissionStoreImplTest ext
}
}
+ private void verifyAllLoadedInvoked() {
+ verify(monitor).permissionAllLoaded(anyLong());
+ verifyNoMoreInteractions(monitor);
+ }
+
@Test
public void testLoad() {
PrincipalPermissionEntries entries = permissionStore.load(EveryonePrincipal.NAME);
assertNotNull(entries);
assertTrue(entries.isFullyLoaded());
assertEquals(2, entries.getSize());
+ verifyAllLoadedInvoked();
}
@Test
@@ -104,6 +121,7 @@ public class PermissionStoreImplTest ext
assertNotNull(entries);
assertTrue(entries.isFullyLoaded());
assertEquals(0, entries.getSize());
+ verifyAllLoadedInvoked();
}
@Test
@@ -126,6 +144,7 @@ public class PermissionStoreImplTest ext
assertNotNull(entries);
assertTrue(entries.isFullyLoaded());
assertEquals(3, entries.getSize());
+ verifyAllLoadedInvoked();
} finally {
root.refresh();
}
@@ -150,6 +169,10 @@ public class PermissionStoreImplTest ext
assertNotNull(entries);
assertTrue(entries.isFullyLoaded());
assertEquals(2, entries.getSize());
+
+ verify(monitor).permissionAllLoaded(anyLong());
+ verify(monitor).permissionError();
+ verifyNoMoreInteractions(monitor);
} finally {
root.refresh();
}
@@ -160,16 +183,19 @@ public class PermissionStoreImplTest ext
Collection<PermissionEntry> entries = permissionStore.load(EveryonePrincipal.NAME, testPath);
assertNotNull(entries);
assertFalse(entries.isEmpty());
+ verifyNoInteractions(monitor);
}
@Test
public void testLoadByPathWithoutEntries() {
assertNull(permissionStore.load(EveryonePrincipal.NAME, testPath + "/notAccessControlled"));
+ verifyNoInteractions(monitor);
}
@Test
public void testLoadByPathMissingPrincipalRoot() {
assertNull(permissionStore.load(testPrincipal.getName(), testPath));
+ verifyNoInteractions(monitor);
}
@Test
@@ -225,11 +251,13 @@ public class PermissionStoreImplTest ext
@Test
public void testGetNumEntries() {
assertEquals(NumEntries.valueOf(2, true), permissionStore.getNumEntries(EveryonePrincipal.NAME, Long.MAX_VALUE));
+ verifyNoInteractions(monitor);
}
@Test
public void testGetNumEntriesMissingPrincipalRoot() {
assertEquals(NumEntries.valueOf(0, true), permissionStore.getNumEntries(testPrincipal.getName(), Long.MAX_VALUE));
+ verifyNoInteractions(monitor);
}
@Test
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorTest.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorTest.java Fri Mar 5 16:15:11 2021
@@ -16,10 +16,6 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
-import java.security.Principal;
-import java.util.Set;
-import javax.jcr.security.AccessControlManager;
-
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.JcrConstants;
@@ -35,6 +31,7 @@ import org.apache.jackrabbit.oak.commons
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
import org.apache.jackrabbit.oak.spi.namespace.NamespaceConstants;
import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
@@ -49,6 +46,10 @@ import org.junit.After;
import org.junit.Before;
import org.junit.Test;
+import javax.jcr.security.AccessControlManager;
+import java.security.Principal;
+import java.util.Set;
+
import static org.apache.jackrabbit.JcrConstants.JCR_CREATED;
import static org.apache.jackrabbit.JcrConstants.JCR_PRIMARYTYPE;
import static org.apache.jackrabbit.JcrConstants.NT_UNSTRUCTURED;
@@ -59,7 +60,11 @@ import static org.apache.jackrabbit.oak.
import static org.apache.jackrabbit.oak.spi.version.VersionConstants.VERSION_STORE_PATH;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.clearInvocations;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
import static org.mockito.Mockito.when;
public class PermissionValidatorTest extends AbstractSecurityTest {
@@ -69,6 +74,8 @@ public class PermissionValidatorTest ext
private Principal testPrincipal;
+ private final AuthorizationMonitor monitor = mock(AuthorizationMonitor.class);
+
@Before
@Override
public void before() throws Exception {
@@ -86,6 +93,7 @@ public class PermissionValidatorTest ext
@Override
public void after() throws Exception {
try {
+ clearInvocations(monitor);
// revert uncommitted changes
root.refresh();
@@ -105,17 +113,23 @@ public class PermissionValidatorTest ext
root.commit();
}
- private PermissionValidator createValidator(@NotNull Set<Principal> principals, @NotNull String path) {
- Tree t = root.getTree(PathUtils.ROOT_PATH);
- NodeState ns = getTreeProvider().asNodeState(t);
+ @NotNull
+ private ProviderCtx mockProviderCtx() {
ProviderCtx ctx = mock(ProviderCtx.class);
when(ctx.getSecurityProvider()).thenReturn(getSecurityProvider());
when(ctx.getTreeProvider()).thenReturn(getTreeProvider());
+ when(ctx.getMonitor()).thenReturn(monitor);
+ return ctx;
+ }
+
+ private PermissionValidator createValidator(@NotNull Set<Principal> principals, @NotNull String path) {
+ Tree t = root.getTree(PathUtils.ROOT_PATH);
+ NodeState ns = getTreeProvider().asNodeState(t);
String wspName = root.getContentSession().getWorkspaceName();
PermissionProvider pp = getConfig(AuthorizationConfiguration.class).getPermissionProvider(root, wspName, principals);
- PermissionValidatorProvider pvp = new PermissionValidatorProvider(wspName, principals, new MoveTracker(), ctx);
+ PermissionValidatorProvider pvp = new PermissionValidatorProvider(wspName, principals, new MoveTracker(), mockProviderCtx());
PermissionValidator validator = new PermissionValidator(ns, ns, pp, pvp);
TreePermission tp = pp.getTreePermission(t, TreePermission.EMPTY);
for (String name : PathUtils.elements(path)) {
@@ -127,6 +141,11 @@ public class PermissionValidatorTest ext
return validator;
}
+ private void verifyMonitor() {
+ verify(monitor).accessViolation();
+ verifyNoMoreInteractions(monitor);
+ }
+
@Test(expected = CommitFailedException.class)
public void testLockPermissions() throws Exception {
// grant the test session the ability to read/write that node but don't allow jcr:lockManagement
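Review bot: The helper name `verifyMonitor()` does not say what it asserts: it pins exactly one `accessViolation()` call and no other interaction on the monitor. The comparable helper in PermissionStoreImplTest is named after the event it checks (`verifyAllLoadedInvoked`). A name such as `verifyAccessViolationRecorded()`, with a one-line comment like `// exactly one access violation must be reported to the monitor, and no other metric`, would make each calling test read as a statement of the monitoring contract for denied commits.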
@@ -153,6 +172,8 @@ public class PermissionValidatorTest ext
assertTrue(e.isAccessViolation());
assertEquals(0, e.getCode());
throw e;
+ } finally {
+ verifyMonitor();
}
}
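Review bot: Calling `verifyMonitor()` from `finally` lets a Mockito verification failure replace whatever exception is already propagating. If `assertTrue(e.isAccessViolation())` or the `getCode()` assertion fails inside the catch block, the test report shows only the monitor mismatch and hides the real cause. The same pattern is in the hunks at -165, -177, -202 and -216, and in the `verifyNoInteractions(monitor)` variant at -231. Moving the call into the catch block, as `verifyMonitor();` directly before `throw e;`, keeps the original failure visible. The case where no exception is thrown is still caught by `@Test(expected = CommitFailedException.class)`. The enclosing test methods begin outside these hunks.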
@@ -165,6 +186,8 @@ public class PermissionValidatorTest ext
assertTrue(e.isAccessViolation());
assertEquals(0, e.getCode());
throw e;
+ } finally {
+ verifyMonitor();
}
}
@@ -177,6 +200,8 @@ public class PermissionValidatorTest ext
assertTrue(e.isAccessViolation());
assertEquals(0, e.getCode());
throw e;
+ } finally {
+ verifyMonitor();
}
}
@@ -184,9 +209,7 @@ public class PermissionValidatorTest ext
public void testRemoveVersionStorageTree() throws Exception {
Tree t = root.getTree(PathUtils.ROOT_PATH);
NodeState ns = getTreeProvider().asNodeState(t);
- ProviderCtx ctx = mock(ProviderCtx.class);
- when(ctx.getSecurityProvider()).thenReturn(getSecurityProvider());
- when(ctx.getTreeProvider()).thenReturn(getTreeProvider());
+ ProviderCtx ctx = mockProviderCtx();
PermissionValidatorProvider pvp = new PermissionValidatorProvider("wspName", ImmutableSet.of(), new MoveTracker(), ctx);
PermissionValidator validator = new PermissionValidator(ns, ns, mock(PermissionProvider.class), pvp);
@@ -202,6 +225,8 @@ public class PermissionValidatorTest ext
assertTrue(e.isAccessViolation());
assertEquals(22, e.getCode());
throw e;
+ } finally {
+ verifyMonitor();
}
}
@@ -216,6 +241,8 @@ public class PermissionValidatorTest ext
assertTrue(e.isAccessViolation());
assertEquals(21, e.getCode());
throw e;
+ } finally {
+ verifyMonitor();
}
}
@@ -231,6 +258,8 @@ public class PermissionValidatorTest ext
assertTrue(e.isOfType("Misc"));
assertEquals(0, e.getCode());
throw e;
+ } finally {
+ verifyNoInteractions(monitor);
}
}
Modified: jackrabbit/oak/trunk/oak-store-document/src/test/java/org/apache/jackrabbit/oak/plugins/document/VisibleChangesTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-store-document/src/test/java/org/apache/jackrabbit/oak/plugins/document/VisibleChangesTest.java?rev=1887210&r1=1887209&r2=1887210&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-store-document/src/test/java/org/apache/jackrabbit/oak/plugins/document/VisibleChangesTest.java (original)
+++ jackrabbit/oak/trunk/oak-store-document/src/test/java/org/apache/jackrabbit/oak/plugins/document/VisibleChangesTest.java Fri Mar 5 16:15:11 2021
@@ -26,6 +26,7 @@ import org.apache.jackrabbit.oak.plugins
import org.apache.jackrabbit.oak.plugins.tree.impl.RootProviderService;
import org.apache.jackrabbit.oak.plugins.tree.impl.TreeProviderService;
import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
+import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
import org.apache.jackrabbit.oak.security.authorization.permission.VersionablePathHook;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.EmptyHook;
@@ -34,6 +35,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.jetbrains.annotations.NotNull;
import org.junit.Test;
+import sun.reflect.generics.reflectiveObjects.NotImplementedException;
import static org.apache.jackrabbit.oak.plugins.document.TestUtils.persistToBranch;
import static org.apache.jackrabbit.oak.plugins.document.util.Utils.getIdFromPath;
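Review bot: The added import `sun.reflect.generics.reflectiveObjects.NotImplementedException` is a JDK-internal class rather than supported API, and is typically not accessible to code compiled under the module system on Java 9 and later. Its only use is the new `getMonitor()` override in the next hunk, where the sibling `getMountInfoProvider()` already throws `UnsupportedOperationException`. Dropping this import and writing `throw new UnsupportedOperationException();` in `getMonitor()` keeps the anonymous `ProviderCtx` consistent and removes the dependency on JDK internals.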
@@ -94,6 +96,11 @@ public class VisibleChangesTest {
public MountInfoProvider getMountInfoProvider() {
throw new UnsupportedOperationException();
}
+
+ @Override
+ public @NotNull AuthorizationMonitor getMonitor() {
+ throw new NotImplementedException();
+ }
});
hook.processCommit(ns.getRoot(), builder.getNodeState(), CommitInfo.EMPTY);
assertEquals("Must not query for hidden paths: " + store.paths.toString(),