You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2021/05/07 14:27:22 UTC
svn commit: r1889632 - in /jackrabbit/oak/trunk:
oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/
oak-core/src/test/java/org/apache/jackrabbit/oak/
oak-core/src/test/java/org/apache/jackrabbit/oak/security/authoriz...
Author: angela
Date: Fri May 7 14:27:22 2021
New Revision: 1889632
URL: http://svn.apache.org/viewvc?rev=1889632&view=rev
Log:
OAK-9424 - AccessControlManagerImpl ignores importBehavior when retrieving policies by principal(s)
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlWithUnknownPrincipalTest.java (with props)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/EntryTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PrincipalACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/RemappedPrivilegeNamesTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/RemappedRestrictionNamesTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/UtilTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntryTest.java
jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlList.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java Fri May 7 14:27:22 2021
@@ -248,27 +248,7 @@ public class AccessControlManagerImpl ex
String path = getNodePath(ace);
Tree tree = getTree(path, Permissions.MODIFY_ACCESS_CONTROL, true);
- ACL acl = (ACL) createACL(path, tree, false);
- if (acl == null) {
- acl = new NodeACL(path);
- }
-
- // calculate single and mv restriction and drop the rep:nodePath restriction
- // present with the principal-based-entries.
- Map<String, Value> restrictions = new HashMap<>();
- Map<String, Value[]> mvRestrictions = new HashMap<>();
- for (Restriction r : ace.getRestrictions()) {
- String name = r.getDefinition().getName();
- if (REP_NODE_PATH.equals(name)) {
- continue;
- }
- if (r.getDefinition().getRequiredType().isArray()) {
- mvRestrictions.put(name, ace.getRestrictions(name));
- } else {
- restrictions.put(name, ace.getRestriction(name));
- }
- }
- acl.addEntry(ace.getPrincipal(), ace.getPrivileges(), ace.isAllow(), restrictions, mvRestrictions);
+ ACL acl = populateNodeBasedAcl(ace, path, tree);
setNodeBasedAcl(path, tree, acl);
}
@@ -291,6 +271,32 @@ public class AccessControlManagerImpl ex
}
}
}
+
+ @NotNull
+ private ACL populateNodeBasedAcl(@NotNull ACE ace, @Nullable String path, @NotNull Tree tree) throws RepositoryException {
+ ACL acl = (ACL) createACL(path, tree, false);
+ if (acl == null) {
+ acl = new NodeACL(path);
+ }
+
+ // calculate single and mv restriction and drop the rep:nodePath restriction
+ // present with the principal-based-entries.
+ Map<String, Value> restrictions = new HashMap<>();
+ Map<String, Value[]> mvRestrictions = new HashMap<>();
+ for (Restriction r : ace.getRestrictions()) {
+ String name = r.getDefinition().getName();
+ if (REP_NODE_PATH.equals(name)) {
+ continue;
+ }
+ if (r.getDefinition().getRequiredType().isArray()) {
+ mvRestrictions.put(name, ace.getRestrictions(name));
+ } else {
+ restrictions.put(name, ace.getRestriction(name));
+ }
+ }
+ acl.addEntry(ace.getPrincipal(), ace.getPrivileges(), ace.isAllow(), restrictions, mvRestrictions);
+ return acl;
+ }
private void setNodeBasedAcl(@Nullable String oakPath, @NotNull Tree tree,
@NotNull ACL acl) throws RepositoryException {
@@ -325,25 +331,7 @@ public class AccessControlManagerImpl ex
Map<String, Principal> principalMap = new HashMap<>();
if (policy instanceof PrincipalACL) {
- PrincipalACL principalAcl = (PrincipalACL) policy;
- for (ACE ace : principalAcl.getEntries()) {
- String path = getNodePath(ace);
- Tree tree = getTree(path, Permissions.MODIFY_ACCESS_CONTROL, true);
- Tree aclTree = getAclTree(path, tree);
- if (aclTree == null) {
- throw new AccessControlException("Unable to retrieve policy node at " + path);
- }
- Iterator<Tree> children = aclTree.getChildren().iterator();
- while (children.hasNext()) {
- Tree child = children.next();
- if (ace.equals(createACE(path, child, principalAcl.rProvider, principalMap))) {
- child.remove();
- }
- }
- if (!aclTree.getChildren().iterator().hasNext()) {
- aclTree.remove();
- }
- }
+ ((PrincipalACL) policy).remove(principalMap);
} else {
Tree tree = getTree(oakPath, Permissions.MODIFY_ACCESS_CONTROL, true);
Tree aclTree = getAclTree(oakPath, tree);
@@ -359,8 +347,10 @@ public class AccessControlManagerImpl ex
@NotNull
@Override
public JackrabbitAccessControlPolicy[] getApplicablePolicies(@NotNull Principal principal) throws RepositoryException {
- Util.checkValidPrincipal(principal, principalManager);
-
+ if (!Util.checkValidPrincipal(principal, principalManager, Util.getImportBehavior(getConfig()))) {
+ return new JackrabbitAccessControlPolicy[0];
+ }
+
String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null;
JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal);
@@ -374,7 +364,9 @@ public class AccessControlManagerImpl ex
@NotNull
@Override
public JackrabbitAccessControlPolicy[] getPolicies(@NotNull Principal principal) throws RepositoryException {
- Util.checkValidPrincipal(principal, principalManager);
+ if (!Util.checkValidPrincipal(principal, principalManager, Util.getImportBehavior(getConfig()))) {
+ return new JackrabbitAccessControlPolicy[0];
+ }
String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null;
JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal);
@@ -389,9 +381,11 @@ public class AccessControlManagerImpl ex
@NotNull
@Override
public AccessControlPolicy[] getEffectivePolicies(@NotNull Set<Principal> principals) throws RepositoryException {
- Util.checkValidPrincipals(principals, principalManager);
+ if (!Util.checkValidPrincipals(principals, principalManager, Util.getImportBehavior(getConfig()))) {
+ return new JackrabbitAccessControlPolicy[0];
+ }
+
Root r = getLatestRoot();
-
Result aceResult = searchAces(principals, r);
Set<JackrabbitAccessControlList> effective = Sets.newTreeSet(new PolicyComparator());
@@ -491,7 +485,7 @@ public class AccessControlManagerImpl ex
Map<String, Principal> principalMap = new HashMap<>();
for (Tree child : aclTree.getChildren()) {
if (Util.isACE(child, ntMgr) && predicate.test(child)) {
- ACE ace = createACE(oakPath, child, restrictionProvider, principalMap);
+ ACE ace = createEntryWithPrincipalMap(oakPath, child, restrictionProvider, principalMap);
entries.add(ace);
}
}
@@ -520,7 +514,7 @@ public class AccessControlManagerImpl ex
} else {
path = Text.getRelativeParent(aclPath, 1);
}
- entries.add(createACE(path, aceTree, restrProvider, principalMap));
+ entries.add(createEntryWithPrincipalMap(path, aceTree, restrProvider, principalMap));
}
}
if (entries.isEmpty()) {
@@ -532,10 +526,10 @@ public class AccessControlManagerImpl ex
}
@NotNull
- private ACE createACE(@Nullable String oakPath,
- @NotNull Tree aceTree,
- @NotNull RestrictionProvider restrictionProvider,
- @NotNull Map<String, Principal> principalMap) throws RepositoryException {
+ private ACE createEntryWithPrincipalMap(@Nullable String oakPath,
+ @NotNull Tree aceTree,
+ @NotNull RestrictionProvider restrictionProvider,
+ @NotNull Map<String, Principal> principalMap) throws RepositoryException {
boolean isAllow = NT_REP_GRANT_ACE.equals(TreeUtil.getPrimaryTypeName(aceTree));
Set<Restriction> restrictions = restrictionProvider.readRestrictions(oakPath, aceTree);
Iterable<String> privNames = checkNotNull(TreeUtil.getStrings(aceTree, REP_PRIVILEGES));
@@ -587,7 +581,8 @@ public class AccessControlManagerImpl ex
});
}
- private String getNodePath(ACE principalBasedAce) throws RepositoryException {
+ @Nullable
+ private String getNodePath(@NotNull ACE principalBasedAce) throws RepositoryException {
Value v = principalBasedAce.getRestriction(REP_NODE_PATH);
if (v == null) {
throw new AccessControlException("Missing mandatory restriction rep:nodePath");
@@ -706,7 +701,11 @@ public class AccessControlManagerImpl ex
@Override
boolean checkValidPrincipal(@Nullable Principal principal) throws AccessControlException {
- Util.checkValidPrincipal(principal, principalManager);
+ // principal asspciated with the policy has been validated before -> make sure only entries for the same
+ // principal are created
+ if (principal == null || !this.principal.getName().equals(principal.getName())) {
+ throw new AccessControlException("Principal mismatch.");
+ }
return true;
}
@@ -745,6 +744,27 @@ public class AccessControlManagerImpl ex
public int hashCode() {
return 0;
}
+
+ private void remove(Map<String, Principal> principalMap) throws RepositoryException {
+ for (ACE ace : getEntries()) {
+ String path = getNodePath(ace);
+ Tree tree = getTree(path, Permissions.MODIFY_ACCESS_CONTROL, true);
+ Tree aclTree = getAclTree(path, tree);
+ if (aclTree == null) {
+ throw new AccessControlException("Unable to retrieve policy node at " + path);
+ }
+ Iterator<Tree> children = aclTree.getChildren().iterator();
+ while (children.hasNext()) {
+ Tree child = children.next();
+ if (ace.equals(createEntryWithPrincipalMap(path, child, rProvider, principalMap))) {
+ child.remove();
+ }
+ }
+ if (!aclTree.getChildren().iterator().hasNext()) {
+ aclTree.remove();
+ }
+ }
+ }
}
private final class Entry extends ACE {
@@ -776,8 +796,8 @@ public class AccessControlManagerImpl ex
}
@Override
- public boolean test(@Nullable Tree aceTree) {
- return aceTree != null && Iterables.contains(principalNames, TreeUtil.getString(aceTree, REP_PRINCIPAL_NAME));
+ public boolean test(@NotNull Tree aceTree) {
+ return Iterables.contains(principalNames, TreeUtil.getString(aceTree, REP_PRINCIPAL_NAME));
}
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java Fri May 7 14:27:22 2021
@@ -51,16 +51,11 @@ final class Util implements AccessContro
}
return principal;
}
-
- static void checkValidPrincipal(@Nullable Principal principal,
- @NotNull PrincipalManager principalManager) throws AccessControlException {
- checkValidPrincipal(checkValidPrincipal(principal), principalManager, ImportBehavior.ABORT);
- }
static boolean checkValidPrincipal(@NotNull Principal principal,
@NotNull PrincipalManager principalManager,
int importBehavior) throws AccessControlException {
- String name = principal.getName();
+ String name = checkValidPrincipal(principal).getName();
if (importBehavior == ImportBehavior.BESTEFFORT) {
return true;
} else {
@@ -78,14 +73,20 @@ final class Util implements AccessContro
}
}
- static void checkValidPrincipals(@Nullable Set<Principal> principals,
- @NotNull PrincipalManager principalManager) throws AccessControlException {
+ static boolean checkValidPrincipals(@Nullable Set<Principal> principals,
+ @NotNull PrincipalManager principalManager,
+ int importBehavior) throws AccessControlException {
if (principals == null) {
throw new AccessControlException("Valid principals expected. Found null.");
}
+ boolean isValid = false;
for (Principal principal : principals) {
- checkValidPrincipal(principal, principalManager);
+ if (principal == null) {
+ throw new AccessControlException("Valid principal expected. Found null.");
+ }
+ isValid = checkValidPrincipal(principal, principalManager, importBehavior);
}
+ return isValid;
}
static boolean isValidPolicy(@Nullable String oakPath, @NotNull AccessControlPolicy policy) {
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java Fri May 7 14:27:22 2021
@@ -121,10 +121,7 @@ public abstract class AbstractSecurityTe
@After
public void after() throws Exception {
try {
- if (testUser != null) {
- testUser.remove();
- root.commit();
- }
+ removeTestUser();
} finally {
if (adminSession != null) {
adminSession.close();
@@ -263,6 +260,14 @@ public abstract class AbstractSecurityTe
}
return testUser;
}
+
+ protected void removeTestUser() throws Exception {
+ if (testUser != null) {
+ testUser.remove();
+ root.commit();
+ testUser = null;
+ }
+ }
protected ContentSession createTestSession() throws Exception {
String uid = getTestUser().getID();
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java Fri May 7 14:27:22 2021
@@ -81,15 +81,39 @@ import static org.mockito.Mockito.when;
* Test {@code ACL} implementation.
*/
public class ACLTest extends AbstractAccessControlTest implements PrivilegeConstants, AccessControlConstants {
+
+ private ACL acl;
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+ acl = createACL(TEST_PATH, Collections.emptyList(), getNamePathMapper());
+ }
private static void assertACE(@NotNull JackrabbitAccessControlEntry ace, boolean isAllow, @NotNull Privilege... privileges) {
assertEquals(isAllow, ace.isAllow());
assertEquals(Sets.newHashSet(privileges), Sets.newHashSet(ace.getPrivileges()));
}
+ @NotNull
+ private ACL createACL(@Nullable String jcrPath,
+ @NotNull List<ACE> entries,
+ @NotNull NamePathMapper namePathMapper) {
+ return createACL(jcrPath, entries, namePathMapper, getRestrictionProvider());
+ }
+
+ @NotNull
+ private List<ACE> createTestEntries() throws RepositoryException {
+ List<ACE> entries = new ArrayList<>(3);
+ for (int i = 0; i < 3; i++) {
+ entries.add(createEntry(new PrincipalImpl("testPrincipal" + i), true, null, PrivilegeConstants.JCR_READ));
+ }
+ return entries;
+ }
+
@Test
public void testGetNamePathMapper() {
- assertSame(getNamePathMapper(), createEmptyACL().getNamePathMapper());
+ assertSame(getNamePathMapper(), acl.getNamePathMapper());
assertSame(NamePathMapper.DEFAULT, createACL(TEST_PATH, ImmutableList.of(), NamePathMapper.DEFAULT).getNamePathMapper());
}
@@ -107,10 +131,10 @@ public class ACLTest extends AbstractAcc
paths.put("/jr:testPath", "/jr:testPath");
paths.put("/{http://jackrabbit.apache.org}testPath", "/jr:testPath");
- for (String path : paths.keySet()) {
- AbstractAccessControlList acl = createACL(path, Collections.emptyList(), npMapper);
- assertEquals(paths.get(path), acl.getPath());
- }
+ paths.forEach((key, value) -> {
+ AbstractAccessControlList acl = createACL(key, Collections.emptyList(), npMapper);
+ assertEquals(value, acl.getPath());
+ });
}
@Test
@@ -130,16 +154,14 @@ public class ACLTest extends AbstractAcc
paths.put(jcrPath, oakPath);
// test if oak-path is properly set.
- for (String path : paths.keySet()) {
- AbstractAccessControlList acl = createACL(path, Collections.emptyList(), npMapper);
- assertEquals(paths.get(path), acl.getOakPath());
- }
+ paths.forEach((key, value) -> {
+ AbstractAccessControlList acl = createACL(key, Collections.emptyList(), npMapper);
+ assertEquals(value, acl.getOakPath());
+ });
}
@Test
public void testEmptyAcl() {
- AbstractAccessControlList acl = createEmptyACL();
-
assertNotNull(acl.getAccessControlEntries());
assertNotNull(acl.getEntries());
@@ -177,8 +199,6 @@ public class ACLTest extends AbstractAcc
@Test
public void testGetRestrictionNames() {
- AbstractAccessControlList acl = createEmptyACL();
-
String[] restrNames = acl.getRestrictionNames();
assertNotNull(restrNames);
List<String> names = Lists.newArrayList(restrNames);
@@ -190,7 +210,6 @@ public class ACLTest extends AbstractAcc
@Test
public void testGetRestrictionType() {
- AbstractAccessControlList acl = createEmptyACL();
for (RestrictionDefinition def : getRestrictionProvider().getSupportedRestrictions(TEST_PATH)) {
int reqType = acl.getRestrictionType(getNamePathMapper().getJcrName(def.getName()));
@@ -201,40 +220,11 @@ public class ACLTest extends AbstractAcc
@Test
public void testGetRestrictionTypeForUnknownName() {
- AbstractAccessControlList acl = createEmptyACL();
// for backwards compatibility getRestrictionType(String) must return
// UNDEFINED for a unknown restriction name:
assertEquals(PropertyType.UNDEFINED, acl.getRestrictionType("unknownRestrictionName"));
}
-
- @Test
- public void testUnknownPrincipal() throws Exception {
- Principal unknownPrincipal = new InvalidTestPrincipal("unknown");
- try {
- acl.addAccessControlEntry(unknownPrincipal, privilegesFromNames(JCR_READ));
- fail("Adding an ACE with an unknown principal should fail");
- } catch (AccessControlException e) {
- // success
- }
- }
-
- @Test
- public void testInternalPrincipal() throws RepositoryException {
- Principal internal = new PrincipalImpl("unknown");
- acl.addAccessControlEntry(internal, privilegesFromNames(JCR_READ));
- }
-
- @Test(expected = AccessControlException.class)
- public void testNullPrincipal() throws Exception {
- acl.addAccessControlEntry(null, privilegesFromNames(JCR_READ));
- }
-
- @Test(expected = AccessControlException.class)
- public void testEmptyPrincipal() throws Exception {
- acl.addAccessControlEntry(new PrincipalImpl(""), privilegesFromNames(JCR_READ));
- }
-
@Test
public void testAddEntriesWithCustomPrincipal() throws Exception {
Principal oakPrincipal = new PrincipalImpl("anonymous");
@@ -348,7 +338,7 @@ public class ACLTest extends AbstractAcc
@Test(expected = AccessControlException.class)
public void testRemoveNonExisting() throws Exception {
- acl.removeAccessControlEntry(createEntry(testPrincipal, testPrivileges, true));
+ acl.removeAccessControlEntry(createEntry(testPrincipal, testPrivileges, true, Collections.emptySet()));
}
@Test
@@ -356,7 +346,6 @@ public class ACLTest extends AbstractAcc
Privilege[] read = privilegesFromNames(JCR_READ, JCR_READ_ACCESS_CONTROL);
Privilege[] write = privilegesFromNames(JCR_WRITE);
- AbstractAccessControlList acl = createEmptyACL();
acl.addAccessControlEntry(testPrincipal, read);
acl.addEntry(testPrincipal, write, false);
acl.addAccessControlEntry(EveryonePrincipal.getInstance(), write);
@@ -376,7 +365,6 @@ public class ACLTest extends AbstractAcc
Privilege[] read = privilegesFromNames(JCR_READ, JCR_READ_ACCESS_CONTROL);
Privilege[] write = privilegesFromNames(JCR_WRITE);
- AbstractAccessControlList acl = createEmptyACL();
acl.addAccessControlEntry(testPrincipal, read);
acl.addEntry(testPrincipal, write, false);
acl.addAccessControlEntry(EveryonePrincipal.getInstance(), write);
@@ -421,7 +409,6 @@ public class ACLTest extends AbstractAcc
@Test
public void testReorderSourceSameAsDest() throws Exception {
- AbstractAccessControlList acl = createEmptyACL();
acl.addAccessControlEntry(testPrincipal, privilegesFromNames(JCR_READ, JCR_READ_ACCESS_CONTROL));
acl.addEntry(testPrincipal, privilegesFromNames(JCR_WRITE), false);
acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(JCR_WRITE));
@@ -793,7 +780,7 @@ public class ACLTest extends AbstractAcc
public void testUnsupportedRestrictions2() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("restr", Type.NAME, false);
- JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), namePathMapper, rp);
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), getNamePathMapper(), rp);
acl.addEntry(testPrincipal, testPrivileges, false, Collections.singletonMap("unsupported", getValueFactory().createValue("value")));
}
@@ -801,7 +788,7 @@ public class ACLTest extends AbstractAcc
public void testInvalidRestrictionType() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("restr", Type.NAME, false);
- JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), namePathMapper, rp);
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), getNamePathMapper(), rp);
acl.addEntry(testPrincipal, testPrivileges, false, Collections.singletonMap("restr", getValueFactory().createValue(true)));
}
@@ -809,7 +796,7 @@ public class ACLTest extends AbstractAcc
public void testMandatoryRestrictions() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("mandatory", Type.NAME, true);
- JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), namePathMapper, rp);
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), getNamePathMapper(), rp);
acl.addEntry(testPrincipal, testPrivileges, false, Collections.emptyMap(), Collections.emptyMap());
}
@@ -817,15 +804,15 @@ public class ACLTest extends AbstractAcc
public void testMandatoryRestrictionsPresent() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("mandatory", Type.NAME, true);
- JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), namePathMapper, rp);
- acl.addEntry(testPrincipal, testPrivileges, false, Collections.singletonMap("mandatory", getValueFactory(root).createValue("name", PropertyType.NAME)), Collections.emptyMap());
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), getNamePathMapper(), rp);
+ assertTrue(acl.addEntry(testPrincipal, testPrivileges, false, Collections.singletonMap("mandatory", getValueFactory(root).createValue("name", PropertyType.NAME)), Collections.emptyMap()));
}
@Test(expected = AccessControlException.class)
public void testMandatoryRestrictionsPresentAsMV() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("mandatory", Type.NAME, true);
- JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), namePathMapper, rp);
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), getNamePathMapper(), rp);
acl.addEntry(testPrincipal, testPrivileges, false, Collections.emptyMap(), Collections.singletonMap("mandatory", new Value[] {getValueFactory(root).createValue("name", PropertyType.NAME)}));
}
@@ -833,7 +820,7 @@ public class ACLTest extends AbstractAcc
public void testMandatoryMVRestrictions() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("mandatory", Type.NAMES, true);
- JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), namePathMapper, rp);
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), getNamePathMapper(), rp);
acl.addEntry(testPrincipal, testPrivileges, false, Collections.emptyMap(), Collections.emptyMap());
}
@@ -841,7 +828,7 @@ public class ACLTest extends AbstractAcc
public void testMandatoryMVRestrictionsPresentAsSingle() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("mandatory", Type.NAMES, true);
- JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), namePathMapper, rp);
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), getNamePathMapper(), rp);
acl.addEntry(testPrincipal, testPrivileges, false, Collections.singletonMap("mandatory", getValueFactory(root).createValue("name", PropertyType.NAME)), Collections.emptyMap());
}
@@ -849,8 +836,8 @@ public class ACLTest extends AbstractAcc
public void testMandatoryMVRestrictionsPresent() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("mandatory", Type.NAMES, true);
- JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), namePathMapper, rp);
- acl.addEntry(testPrincipal, testPrivileges, false, Collections.emptyMap(), Collections.singletonMap("mandatory", new Value[] {getValueFactory(root).createValue("name", PropertyType.NAME)}));
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new ArrayList<>(), getNamePathMapper(), rp);
+ assertTrue(acl.addEntry(testPrincipal, testPrivileges, false, Collections.emptyMap(), Collections.singletonMap("mandatory", new Value[] {getValueFactory(root).createValue("name", PropertyType.NAME)})));
}
//--------------------------------------------------------------------------
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java Fri May 7 14:27:22 2021
@@ -16,30 +16,18 @@
*/
package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import java.util.Set;
-import javax.jcr.RepositoryException;
-import javax.jcr.security.AccessControlException;
-import javax.jcr.security.AccessControlPolicy;
-import javax.jcr.security.AccessControlPolicyIterator;
-import javax.jcr.security.Privilege;
-
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
-import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
-import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
@@ -47,6 +35,19 @@ import org.jetbrains.annotations.NotNull
import org.jetbrains.annotations.Nullable;
import org.junit.Before;
+import javax.jcr.RepositoryException;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlPolicy;
+import javax.jcr.security.AccessControlPolicyIterator;
+import javax.jcr.security.Privilege;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
public abstract class AbstractAccessControlTest extends AbstractSecurityTest {
static final String TEST_PATH = "/testPath";
@@ -54,7 +55,6 @@ public abstract class AbstractAccessCont
private PrivilegeManager privilegeManager;
PrincipalManager principalManager;
- ACL acl;
Principal testPrincipal;
Privilege[] testPrivileges;
@@ -71,8 +71,6 @@ public abstract class AbstractAccessCont
privilegeManager = getPrivilegeManager(root);
principalManager = getPrincipalManager(root);
-
- acl = createEmptyACL();
}
@Override
@@ -100,22 +98,14 @@ public abstract class AbstractAccessCont
}
@NotNull
- List<ACE> createTestEntries() throws RepositoryException {
- List<ACE> entries = new ArrayList<>(3);
- for (int i = 0; i < 3; i++) {
- entries.add(createEntry(new PrincipalImpl("testPrincipal" + i), true, null, PrivilegeConstants.JCR_READ));
- }
- return entries;
- }
-
- @NotNull
ACE createEntry(@NotNull Principal principal, boolean isAllow, @Nullable Set<Restriction> restrictions, @NotNull String... privilegeNames) throws RepositoryException {
- return createEntry(principal, privilegesFromNames(privilegeNames), isAllow, restrictions);
+ return createEntry(principal, privilegesFromNames(privilegeNames), isAllow, (restrictions==null) ? Collections.emptySet() : restrictions);
}
-
+
@NotNull
- ACE createEntry(@NotNull Principal principal, @NotNull Privilege[] privileges, boolean isAllow) throws RepositoryException {
- return createEntry(principal, privileges, isAllow, null);
+ ACE createEntry(@NotNull Principal principal, @NotNull Privilege[] privileges, boolean isAllow, @NotNull Set<Restriction> restrictions) throws RepositoryException {
+ ACL acl = createACL(TEST_PATH, Collections.emptyList(), getNamePathMapper(), getRestrictionProvider());
+ return acl.createACE(principal, getBitsProvider().getBits(privileges, getNamePathMapper()), isAllow, restrictions);
}
@NotNull
@@ -132,25 +122,6 @@ public abstract class AbstractAccessCont
}
@NotNull
- private ACE createEntry(@NotNull Principal principal, @NotNull Privilege[] privileges, boolean isAllow, @Nullable Set<Restriction> restrictions)
- throws RepositoryException {
- ACL acl = createEmptyACL();
- return acl.createACE(principal, getBitsProvider().getBits(privileges, getNamePathMapper()), isAllow, restrictions);
- }
-
- @NotNull
- ACL createEmptyACL() {
- return createACL(TEST_PATH, Collections.emptyList(), getNamePathMapper(), getRestrictionProvider());
- }
-
- @NotNull
- ACL createACL(@Nullable String jcrPath,
- @NotNull List<ACE> entries,
- @NotNull NamePathMapper namePathMapper) {
- return createACL(jcrPath, entries, namePathMapper, getRestrictionProvider());
- }
-
- @NotNull
ACL createACL(@Nullable String jcrPath,
@NotNull List<ACE> entries,
@NotNull NamePathMapper namePathMapper,
@@ -180,8 +151,7 @@ public abstract class AbstractAccessCont
@Override
boolean checkValidPrincipal(@Nullable Principal principal) throws AccessControlException {
- Util.checkValidPrincipal(principal, principalManager);
- return true;
+ return Util.checkValidPrincipal(principal, principalManager, Util.getImportBehavior(getConfig(AuthorizationConfiguration.class)));
}
@Override
@@ -197,4 +167,9 @@ public abstract class AbstractAccessCont
}
};
}
+
+ static void assertPolicies(@Nullable AccessControlPolicy[] policies, long expectedSize) {
+ assertNotNull(policies);
+ assertEquals(expectedSize, policies.length);
+ }
}
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java Fri May 7 14:27:22 2021
@@ -185,14 +185,9 @@ public class AccessControlManagerImplTes
return ImmutableSet.of(EveryonePrincipal.getInstance());
}
- private static void assertPolicies(@Nullable AccessControlPolicy[] policies, long expectedSize) {
- assertNotNull(policies);
- assertEquals(expectedSize, policies.length);
- }
-
@NotNull
- private ACL createPolicy(@Nullable String path) {
- return createACL(path, Collections.emptyList(), getNamePathMapper());
+ private ACL createPolicy(@Nullable String path) throws RepositoryException {
+ return createACL(path, Collections.emptyList(), getNamePathMapper(), getRestrictionProvider());
}
@NotNull
@@ -1479,30 +1474,6 @@ public class AccessControlManagerImplTes
acMgr.getApplicablePolicies((Principal) null);
}
- @Test(expected = AccessControlException.class)
- public void testGetApplicablePoliciesInvalidPrincipal() throws Exception {
- Principal unknown = getPrincipalManager(root).getPrincipal("unknown");
- int i = 0;
- while (unknown != null) {
- unknown = getPrincipalManager(root).getPrincipal("unknown"+i);
- }
- unknown = new InvalidTestPrincipal("unknown" + i);
-
- acMgr.getApplicablePolicies(unknown);
- }
-
- @Test
- public void testGetApplicablePoliciesInternalPrincipal() throws Exception {
- Principal unknown = getPrincipalManager(root).getPrincipal("unknown");
- int i = 0;
- while (unknown != null) {
- unknown = getPrincipalManager(root).getPrincipal("unknown"+i);
- }
- unknown = new PrincipalImpl("unknown" + i);
-
- assertPolicies(acMgr.getApplicablePolicies(unknown), 1);
- }
-
@Test
public void testGetApplicablePoliciesByPrincipal() throws Exception {
List<Principal> principals = ImmutableList.of(testPrincipal, EveryonePrincipal.getInstance());
@@ -1533,29 +1504,6 @@ public class AccessControlManagerImplTes
acMgr.getPolicies((Principal) null);
}
- @Test(expected = AccessControlException.class)
- public void testGetPoliciesInvalidPrincipal() throws Exception {
- Principal unknown = getPrincipalManager(root).getPrincipal("unknown");
- int i = 0;
- while (unknown != null) {
- unknown = getPrincipalManager(root).getPrincipal("unknown"+i);
- }
- unknown = new InvalidTestPrincipal("unknown" + i);
-
- acMgr.getPolicies(unknown);
- }
-
- @Test
- public void testGetPoliciesInternalPrincipal() throws Exception {
- Principal unknown = getPrincipalManager(root).getPrincipal("unknown");
- int i = 0;
- while (unknown != null) {
- unknown = getPrincipalManager(root).getPrincipal("unknown"+i);
- }
- unknown = new PrincipalImpl("unknown" + i);
- assertPolicies(acMgr.getPolicies(unknown), 0);
- }
-
@Test
public void testGetPoliciesByPrincipal() throws Exception {
List<Principal> principals = ImmutableList.of(testPrincipal, EveryonePrincipal.getInstance());
@@ -1626,28 +1574,6 @@ public class AccessControlManagerImplTes
}
@Test
- public void testGetEffectivePoliciesInvalidPrincipals() throws Exception {
- Principal unknown = getPrincipalManager(root).getPrincipal("unknown");
- int i = 0;
- while (unknown != null) {
- unknown = getPrincipalManager(root).getPrincipal("unknown"+i);
- }
- unknown = new InvalidTestPrincipal("unknown" + i);
- try {
- acMgr.getEffectivePolicies(Collections.singleton(unknown));
- fail("Unknown principal should be detected.");
- } catch (AccessControlException e) {
- // success
- }
- try {
- acMgr.getEffectivePolicies(ImmutableSet.of(unknown, EveryonePrincipal.getInstance(), testPrincipal));
- fail("Unknown principal should be detected.");
- } catch (AccessControlException e) {
- // success
- }
- }
-
- @Test
public void testGetEffectivePoliciesByPrincipal() throws Exception {
// no ACLs containing entries for the specified principals
// -> no effective policies expected
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlWithUnknownPrincipalTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlWithUnknownPrincipalTest.java?rev=1889632&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlWithUnknownPrincipalTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlWithUnknownPrincipalTest.java Fri May 7 14:27:22 2021
@@ -0,0 +1,244 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
+import org.jetbrains.annotations.NotNull;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.ValueFactory;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlPolicy;
+import java.security.Principal;
+import java.util.Collection;
+import java.util.Collections;
+
+import static org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_READ;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+@RunWith(Parameterized.class)
+public class AccessControlWithUnknownPrincipalTest extends AbstractAccessControlTest {
+
+ @Parameterized.Parameters(name = "ImportBehavior={1}")
+ public static Collection<Object[]> parameters() {
+ return Lists.newArrayList(
+ new Object[] {ImportBehavior.IGNORE , ImportBehavior.NAME_IGNORE},
+ new Object[] {ImportBehavior.BESTEFFORT, ImportBehavior.NAME_BESTEFFORT},
+ new Object[] {ImportBehavior.ABORT, ImportBehavior.NAME_ABORT}
+ );
+ }
+
+ private final int importBehavior;
+ private final String importBehaviorName;
+
+ private AccessControlManagerImpl acMgr;
+ private ValueFactory valueFactory;
+
+ public AccessControlWithUnknownPrincipalTest(int importBehavior, String importBehaviorName) {
+ this.importBehavior = importBehavior;
+ this.importBehaviorName = importBehaviorName;
+ }
+
+ @Before
+ public void before() throws Exception {
+ super.before();
+
+ acMgr = new AccessControlManagerImpl(root, getNamePathMapper(), getSecurityProvider());
+ valueFactory = getValueFactory(root);
+ }
+
+ @Override
+ protected ConfigurationParameters getSecurityConfigParameters() {
+ ConfigurationParameters params = ConfigurationParameters.of(ProtectedItemImporter.PARAM_IMPORT_BEHAVIOR, importBehaviorName);
+ return ConfigurationParameters.of(AuthorizationConfiguration.NAME, params);
+ }
+
+ @NotNull
+ private String getUnknownPrincipalName() {
+ Principal unknown = getPrincipalManager(root).getPrincipal("unknown");
+ int i = 0;
+ while (unknown != null) {
+ unknown = getPrincipalManager(root).getPrincipal("unknown"+i);
+ }
+ return "unknown"+i;
+ }
+
+ private void assertImportBehavior(String message) {
+ // success if importBehavior == ABORT
+ if (importBehavior != ImportBehavior.ABORT) {
+ fail(message);
+ }
+ }
+
+ @Test
+ public void testGetApplicablePoliciesInvalidPrincipal() throws Exception {
+ Principal unknown = new InvalidTestPrincipal(getUnknownPrincipalName());
+ try {
+ AccessControlPolicy[] applicable = acMgr.getApplicablePolicies(unknown);
+ switch (importBehavior) {
+ case ImportBehavior.IGNORE:
+ assertEquals(0, applicable.length);
+ break;
+ case ImportBehavior.BESTEFFORT:
+ assertEquals(1, applicable.length);
+ break;
+ case ImportBehavior.ABORT:
+ default:
+ fail("Getting applicable policies for unknown principal should fail");
+ }
+ } catch (AccessControlException e) {
+ assertImportBehavior("Getting applicable policies for unknown principal with importBehavior "+importBehaviorName+" must not throw AccessControlException");
+ }
+ }
+
+ @Test
+ public void testGetApplicablePoliciesInternalPrincipal() throws Exception {
+ Principal unknown = new PrincipalImpl(getUnknownPrincipalName());
+ assertPolicies(acMgr.getApplicablePolicies(unknown), 1);
+ }
+
+ @Test
+ public void testGetPoliciesInvalidPrincipal() throws Exception {
+ Principal unknown = new InvalidTestPrincipal(getUnknownPrincipalName());
+ assertGetPolicies(unknown, 0);
+ }
+
+ @Test
+ public void testGetPoliciesRemovedPrincipal() throws Exception {
+ JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, TEST_PATH);
+ assertNotNull(acl);
+ acl.addEntry(testPrincipal, privilegesFromNames(JCR_READ), true);
+ acMgr.setPolicy(TEST_PATH, acl);
+
+ Principal p = () -> testPrincipal.getName();
+ removeTestUser();
+
+ assertGetPolicies(p, 1);
+ }
+
+ private void assertGetPolicies(@NotNull Principal principal, int expectedBestEffort) throws Exception {
+ try {
+ AccessControlPolicy[] policies = acMgr.getPolicies(principal);
+ switch (importBehavior) {
+ case ImportBehavior.IGNORE:
+ assertEquals(0, policies.length);
+ break;
+ case ImportBehavior.BESTEFFORT:
+ assertEquals(expectedBestEffort, policies.length);
+ break;
+ case ImportBehavior.ABORT:
+ default:
+ fail("Getting applicable policies for unknown principal should fail");
+ }
+ } catch (AccessControlException e) {
+ assertImportBehavior("Getting policies for unknown principal with importBehavior "+importBehaviorName+" must not throw AccessControlException");
+ }
+ }
+
+ @Test
+ public void testGetPoliciesInternalPrincipal() throws Exception {
+ // internal principal implementation is allowed irrespective of import-mode
+ Principal unknown = new PrincipalImpl(getUnknownPrincipalName());
+ assertPolicies(acMgr.getPolicies(unknown), 0);
+ }
+
+ @Test
+ public void testGetEffectivePoliciesInvalidPrincipal() throws Exception {
+ Principal unknown = new InvalidTestPrincipal(getUnknownPrincipalName());
+ try {
+ AccessControlPolicy[] effective = acMgr.getEffectivePolicies(Collections.singleton(unknown));
+ switch (importBehavior) {
+ case ImportBehavior.IGNORE:
+ case ImportBehavior.BESTEFFORT:
+ assertEquals(0, effective.length);
+ break;
+ case ImportBehavior.ABORT:
+ default:
+ fail("Getting effective policies for unknown principal should fail");
+ }
+ } catch (AccessControlException e) {
+ assertImportBehavior("Getting effective policies for unknown principal with importBehavior "+importBehaviorName+" must not throw AccessControlException");
+ }
+ }
+
+ @Test
+ public void testGetEffectivePoliciesInternalPrincipal() throws Exception {
+ Principal unknown = new PrincipalImpl(getUnknownPrincipalName());
+ AccessControlPolicy[] effective = acMgr.getEffectivePolicies(Collections.singleton(unknown));
+ assertEquals(0, effective.length);
+ }
+
+ @Test
+ public void testAddEntryInvalidPrincipal() throws Exception {
+ Principal unknownPrincipal = new InvalidTestPrincipal("unknown");
+ JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, TEST_PATH);
+ try {
+ boolean modified = acl.addAccessControlEntry(unknownPrincipal, privilegesFromNames(JCR_READ));
+ switch (importBehavior) {
+ case ImportBehavior.IGNORE:
+ assertFalse(modified);
+ break;
+ case ImportBehavior.BESTEFFORT:
+ assertTrue(modified);
+ break;
+ case ImportBehavior.ABORT:
+ default:
+ fail("Adding an ACE with an unknown principal should fail");
+ }
+ } catch (AccessControlException e) {
+ assertImportBehavior("Adding entry for unknown principal with importBehavior "+importBehaviorName+" must not throw AccessControlException");
+ }
+ }
+
+ @Test
+ public void testAddEntryInternalPrincipal() throws RepositoryException {
+ // internal principal impl is allowed irrespective of import mode
+ Principal internal = new PrincipalImpl("unknown");
+ JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, TEST_PATH);
+ boolean modified = acl.addAccessControlEntry(internal, privilegesFromNames(JCR_READ));
+ assertTrue(modified);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testNullPrincipal() throws Exception {
+ JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, TEST_PATH);
+ acl.addAccessControlEntry(null, privilegesFromNames(JCR_READ));
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testEmptyPrincipal() throws Exception {
+ JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, TEST_PATH);
+ acl.addAccessControlEntry(new PrincipalImpl(""), privilegesFromNames(JCR_READ));
+ }
+}
\ No newline at end of file
Propchange: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlWithUnknownPrincipalTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/EntryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/EntryTest.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/EntryTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/EntryTest.java Fri May 7 14:27:22 2021
@@ -90,6 +90,11 @@ public class EntryTest extends AbstractA
throws RepositoryException {
return createEntry(testPrincipal, isAllow, null, privilegeNames);
}
+
+ @NotNull
+ private ACE createEntry(@NotNull Principal principal, @NotNull Privilege[] privileges, boolean isAllow) throws RepositoryException {
+ return createEntry(principal, privileges, isAllow, Collections.emptySet());
+ }
private ACE createEntry(Set<Restriction> restrictions) throws Exception {
return createEntry(testPrincipal, true, restrictions, PrivilegeConstants.JCR_READ);
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PrincipalACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PrincipalACLTest.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PrincipalACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PrincipalACLTest.java Fri May 7 14:27:22 2021
@@ -29,9 +29,12 @@ import javax.jcr.RepositoryException;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlPolicy;
+import javax.jcr.security.Privilege;
import java.security.Principal;
+import java.util.Collections;
import static org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.REP_GLOB;
import static org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.REP_NODE_PATH;
@@ -42,6 +45,7 @@ import static org.junit.Assert.assertNot
public class PrincipalACLTest extends AbstractAccessControlTest {
private ACL principalAcl;
+ private Privilege[] privileges;
@Override
@Before
@@ -56,6 +60,7 @@ public class PrincipalACLTest extends Ab
root.commit();
principalAcl = getPrincipalAcl(acMgr, testPrincipal);
+ privileges = privilegesFromNames(JCR_VERSION_MANAGEMENT);
}
@NotNull
@@ -100,7 +105,7 @@ public class PrincipalACLTest extends Ab
public void testEqualsDifferentEntries() throws Exception {
ValueFactory vf = getValueFactory(root);
ACL acl = getPrincipalAcl(getAccessControlManager(root), testPrincipal);
- acl.addEntry(testPrincipal, privilegesFromNames(JCR_VERSION_MANAGEMENT), true,
+ acl.addEntry(testPrincipal, privileges, true,
ImmutableMap.of(REP_GLOB, vf.createValue("/subtree/*"), REP_NODE_PATH, vf.createValue(TEST_PATH)));
assertNotEquals(principalAcl, acl);
}
@@ -109,4 +114,19 @@ public class PrincipalACLTest extends Ab
public void testHashCode() {
assertEquals(0, principalAcl.hashCode());
}
+
+ @Test(expected = AccessControlException.class)
+ public void testAddEntryMissingNodePath() throws Exception {
+ principalAcl.addAccessControlEntry(testPrincipal, privileges);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testAddEntryDifferentPrincipal() throws Exception {
+ principalAcl.addEntry(EveryonePrincipal.getInstance(), privileges, true, Collections.singletonMap(REP_NODE_PATH, getValueFactory(root).createValue(TEST_PATH)));
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testAddEntryNullPrincipal() throws Exception {
+ principalAcl.addEntry(null, privileges, true, Collections.singletonMap(REP_NODE_PATH, getValueFactory(root).createValue(TEST_PATH)));
+ }
}
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/RemappedPrivilegeNamesTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/RemappedPrivilegeNamesTest.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/RemappedPrivilegeNamesTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/RemappedPrivilegeNamesTest.java Fri May 7 14:27:22 2021
@@ -33,6 +33,7 @@ import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import java.util.Arrays;
+import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
@@ -69,11 +70,13 @@ public class RemappedPrivilegeNamesTest
@Test(expected = AccessControlException.class)
public void testAddEntryWithOakPrivilegeName() throws Exception {
Privilege[] privs = new Privilege[] {when(mock(Privilege.class).getName()).thenReturn(PrivilegeConstants.JCR_READ).getMock()};
+ ACL acl = createACL(TEST_PATH, Collections.emptyList(), getNamePathMapper(), getRestrictionProvider());
acl.addAccessControlEntry(testPrincipal, privs);
}
@Test
public void testAddEntryWithJcrPrivilegeName() throws Exception {
+ ACL acl = createACL(TEST_PATH, Collections.emptyList(), getNamePathMapper(), getRestrictionProvider());
assertTrue(acl.addAccessControlEntry(testPrincipal, privilegesFromNames(PrivilegeConstants.JCR_READ)));
List<ACE> entries = acl.getEntries();
assertEquals(1, entries.size());
@@ -82,6 +85,7 @@ public class RemappedPrivilegeNamesTest
@Test
public void testWriteEntryWithJcrPrivilegeName() throws Exception {
+ ACL acl = createACL(TEST_PATH, Collections.emptyList(), getNamePathMapper(), getRestrictionProvider());
assertTrue(acl.addAccessControlEntry(testPrincipal, privilegesFromNames(PrivilegeConstants.JCR_READ)));
getAccessControlManager(root).setPolicy(acl.getPath(), acl);
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/RemappedRestrictionNamesTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/RemappedRestrictionNamesTest.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/RemappedRestrictionNamesTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/RemappedRestrictionNamesTest.java Fri May 7 14:27:22 2021
@@ -30,6 +30,7 @@ import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.security.Privilege;
import java.util.Arrays;
+import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
@@ -51,12 +52,14 @@ public class RemappedRestrictionNamesTes
private NamePathMapperImpl remapped;
private Privilege[] privs;
+ private ACL acl;
@Override
public void before() throws Exception {
super.before();
privs = privilegesFromNames(PrivilegeConstants.JCR_READ);
+ acl = createACL(TEST_PATH, Collections.emptyList(), getNamePathMapper(), getRestrictionProvider());
}
@Override
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/UtilTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/UtilTest.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/UtilTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/UtilTest.java Fri May 7 14:27:22 2021
@@ -71,12 +71,12 @@ public class UtilTest extends AbstractSe
@Test(expected = AccessControlException.class)
public void testCheckValidPrincipalForNull() throws Exception {
- Util.checkValidPrincipal(null, getPrincipalManager(root));
+ Util.checkValidPrincipal(() -> null, getPrincipalManager(root), ImportBehavior.BESTEFFORT);
}
@Test(expected = AccessControlException.class)
public void testCheckValidPrincipalForEmpty() throws Exception {
- Util.checkValidPrincipal(new PrincipalImpl(""), getPrincipalManager(root));
+ Util.checkValidPrincipal(new PrincipalImpl(""), getPrincipalManager(root), ImportBehavior.BESTEFFORT);
}
@Test
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntryTest.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntryTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntryTest.java Fri May 7 14:27:22 2021
@@ -20,7 +20,6 @@ import com.google.common.collect.Immutab
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
-import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.junit.Before;
import org.junit.Test;
Modified: jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlList.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlList.java?rev=1889632&r1=1889631&r2=1889632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlList.java (original)
+++ jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlList.java Fri May 7 14:27:22 2021
@@ -27,7 +27,6 @@ import javax.jcr.Value;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.Privilege;
-import com.google.common.base.Function;
import com.google.common.collect.Collections2;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
@@ -105,12 +104,7 @@ public abstract class AbstractAccessCont
@Override
public String[] getRestrictionNames() {
Collection<RestrictionDefinition> supported = getRestrictionProvider().getSupportedRestrictions(getOakPath());
- return Collections2.transform(supported, new Function<RestrictionDefinition, String>() {
- @Override
- public String apply(RestrictionDefinition definition) {
- return namePathMapper.getJcrName(definition.getName());
- }
- }).toArray(new String[supported.size()]);
+ return Collections2.transform(supported, definition -> namePathMapper.getJcrName(definition.getName())).toArray(new String[supported.size()]);
}
@@ -138,12 +132,12 @@ public abstract class AbstractAccessCont
// not a supported restriction => return false.
return false;
}
-
-
+
@Override
public boolean addEntry(@NotNull Principal principal, @NotNull Privilege[] privileges, boolean isAllow) throws RepositoryException {
return addEntry(principal, privileges, isAllow, Collections.<String, Value>emptyMap());
}
+
@Override
public boolean addEntry(@NotNull Principal principal, @NotNull Privilege[] privileges, boolean isAllow, @Nullable Map<String, Value> restrictions) throws RepositoryException {
return addEntry(principal, privileges, isAllow, restrictions, null);