svn commit: r1539663 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/permission/ test/java/org/apache/jackrabbit/oak/security/authorization/permission/

[an...@apache.org]

Author: angela
Date: Thu Nov  7 14:41:28 2013
New Revision: 1539663

URL: http://svn.apache.org/r1539663
Log:
OAK-527: permissions (wip)

Added:
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/TreePermissionImplTest.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1539663&r1=1539662&r2=1539663&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Thu Nov  7 14:41:28 2013
@@ -460,6 +460,9 @@ final class CompiledPermissionImpl imple
                     if (entry.privilegeBits.includes(requiredBits)) {
                         readStatus = ReadStatus.create(entry, permission, skipped);
                         break;
+                    } else if (permission == Permissions.READ_NODE &&
+                            entry.privilegeBits.includes(READ_BITS.get(Permissions.READ_PROPERTY))) {
+                        skipped = true;
                     }
                 }
             }

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/TreePermissionImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/TreePermissionImplTest.java?rev=1539663&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/TreePermissionImplTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/TreePermissionImplTest.java Thu Nov  7 14:41:28 2013
@@ -0,0 +1,109 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.permission;
+
+import java.security.Principal;
+import javax.jcr.security.AccessControlManager;
+
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class TreePermissionImplTest extends AbstractSecurityTest implements AccessControlConstants {
+
+    private AuthorizationConfiguration config;
+    private Principal testPrincipal;
+
+    @Override
+    public void before() throws Exception {
+        super.before();
+
+        new NodeUtil(root.getTree("/")).addChild("test", JcrConstants.NT_UNSTRUCTURED);
+        root.commit();
+        config = getSecurityProvider().getConfiguration(AuthorizationConfiguration.class);
+        testPrincipal = getTestUser().getPrincipal();
+    }
+
+    @Override
+    public void after() throws Exception {
+        try {
+            root.getTree("/test").remove();
+            if (root.hasPendingChanges()) {
+                root.commit();
+            }
+        } finally {
+            super.after();
+        }
+    }
+
+    private TreePermission getTreePermission(String path) throws Exception {
+        ContentSession testSession = createTestSession();
+        PermissionProvider pp = config.getPermissionProvider(testSession.getLatestRoot(), testSession.getAuthInfo().getPrincipals());
+
+        return pp.getTreePermission(root.getTree(path), TreePermission.EMPTY);
+    }
+
+    @Test
+    public void testCanReadProperties() throws Exception {
+        AccessControlManager acMgr = getAccessControlManager(root);
+        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/test");
+        acl.addEntry(testPrincipal, privilegesFromNames(PrivilegeConstants.JCR_READ), true);
+        acl.addEntry(testPrincipal, privilegesFromNames(PrivilegeConstants.REP_READ_PROPERTIES), false);
+        acMgr.setPolicy("/test", acl);
+        root.commit();
+
+        TreePermission tp = getTreePermission("/test");
+
+        assertFalse(tp.canReadProperties());
+        assertTrue(tp.canRead());
+        assertFalse(tp.canReadProperties());
+    }
+
+    @Test
+    public void testCanReadProperties2() throws Exception {
+        AccessControlManager acMgr = getAccessControlManager(root);
+        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/test");
+        acl.addEntry(getTestUser().getPrincipal(), privilegesFromNames(PrivilegeConstants.JCR_READ), true);
+        acMgr.setPolicy("/test", acl);
+        root.commit();
+
+        Tree policyTree = root.getTree("/test/rep:policy");
+        NodeUtil ace = new NodeUtil(policyTree).addChild("ace2", NT_REP_DENY_ACE);
+        ace.setNames(REP_PRIVILEGES, PrivilegeConstants.REP_READ_PROPERTIES);
+        ace.setString(REP_PRINCIPAL_NAME, getTestUser().getPrincipal().getName());
+        root.commit();
+
+        TreePermission tp = getTreePermission("/test");
+
+        assertFalse(tp.canReadProperties());
+        assertTrue(tp.canRead());
+        assertFalse(tp.canReadProperties());
+    }
+}
\ No newline at end of file