Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/07/29 16:21:18 UTC

svn commit: r1693270 - in /jackrabbit/oak/trunk: oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/ oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/ oak-core/s...

Author: angela
Date: Wed Jul 29 14:21:18 2015
New Revision: 1693270

URL: http://svn.apache.org/r1693270
Log:
OAK-3160 - Implement Session.hasPermission(String, String...) and support for additional actions,
OAK-2008 :  authorization setup for closed user groups (WIP)

Added:
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/HasPermissionTest.java
Modified:
    jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java
    jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java
    jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionsTest.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java
    jackrabbit/oak/trunk/oak-parent/pom.xml

Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugPolicy.java Wed Jul 29 14:21:18 2015
@@ -22,11 +22,12 @@ import javax.annotation.Nonnull;
 import javax.jcr.security.AccessControlException;
 
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
+import org.apache.jackrabbit.api.security.authorization.PrincipalSetPolicy;
 
 /**
  * Denies read access for all principals except for the specified principals.
  */
-public interface CugPolicy extends JackrabbitAccessControlPolicy {
+public interface CugPolicy extends PrincipalSetPolicy, JackrabbitAccessControlPolicy {
 
     /**
      * Returns the set of {@code Principal}s that are allowed to access the items

Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/package-info.java Wed Jul 29 14:21:18 2015
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-@Version("1.3.1")
+@Version("1.4.0")
 @Export(optional = "provide:=true")
 package org.apache.jackrabbit.oak.spi.security.authorization.cug;
 

Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java Wed Jul 29 14:21:18 2015
@@ -24,6 +24,7 @@ import javax.jcr.security.AccessControlE
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.api.security.authorization.PrincipalSetPolicy;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.oak.AbstractSecurityTest;
 import org.apache.jackrabbit.oak.namepath.LocalNameMapper;
@@ -63,6 +64,11 @@ public class CugPolicyImplTest extends A
     }
 
     @Test
+    public void testPrincipalSetPolicy() {
+        assertTrue(createCugPolicy(principals) instanceof PrincipalSetPolicy);
+    }
+
+    @Test
     public void testGetPrincipals() {
         CugPolicyImpl cug = createCugPolicy(principals);
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java Wed Jul 29 14:21:18 2015
@@ -30,6 +30,7 @@ import com.google.common.base.Predicate;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
 import com.google.common.collect.Sets;
+import org.apache.jackrabbit.api.JackrabbitSession;
 import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
 import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
 import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
@@ -190,34 +191,59 @@ public final class Permissions {
     }
 
     private static final Map<String, Long> PERMISSION_LOOKUP = new LinkedHashMap<String, Long>();
-        static {
-            PERMISSION_LOOKUP.put("ALL", ALL);
-            PERMISSION_LOOKUP.put("READ", READ);
-            PERMISSION_LOOKUP.put("READ_NODE", READ_NODE);
-            PERMISSION_LOOKUP.put("READ_PROPERTY", READ_PROPERTY);
-            PERMISSION_LOOKUP.put("SET_PROPERTY", SET_PROPERTY);
-            PERMISSION_LOOKUP.put("ADD_PROPERTY", ADD_PROPERTY);
-            PERMISSION_LOOKUP.put("MODIFY_PROPERTY", MODIFY_PROPERTY);
-            PERMISSION_LOOKUP.put("REMOVE_PROPERTY", REMOVE_PROPERTY);
-            PERMISSION_LOOKUP.put("ADD_NODE", ADD_NODE);
-            PERMISSION_LOOKUP.put("REMOVE_NODE", REMOVE_NODE);
-            PERMISSION_LOOKUP.put("REMOVE", REMOVE);
-            PERMISSION_LOOKUP.put("WRITE", WRITE);
-            PERMISSION_LOOKUP.put("MODIFY_CHILD_NODE_COLLECTION", MODIFY_CHILD_NODE_COLLECTION);
-            PERMISSION_LOOKUP.put("READ_ACCESS_CONTROL", READ_ACCESS_CONTROL);
-            PERMISSION_LOOKUP.put("MODIFY_ACCESS_CONTROL", MODIFY_ACCESS_CONTROL);
-            PERMISSION_LOOKUP.put("NODE_TYPE_MANAGEMENT", NODE_TYPE_MANAGEMENT);
-            PERMISSION_LOOKUP.put("VERSION_MANAGEMENT", VERSION_MANAGEMENT);
-            PERMISSION_LOOKUP.put("LOCK_MANAGEMENT", LOCK_MANAGEMENT);
-            PERMISSION_LOOKUP.put("LIFECYCLE_MANAGEMENT", LIFECYCLE_MANAGEMENT);
-            PERMISSION_LOOKUP.put("RETENTION_MANAGEMENT", RETENTION_MANAGEMENT);
-            PERMISSION_LOOKUP.put("NODE_TYPE_DEFINITION_MANAGEMENT", NODE_TYPE_DEFINITION_MANAGEMENT);
-            PERMISSION_LOOKUP.put("NAMESPACE_MANAGEMENT", NAMESPACE_MANAGEMENT);
-            PERMISSION_LOOKUP.put("WORKSPACE_MANAGEMENT", WORKSPACE_MANAGEMENT);
-            PERMISSION_LOOKUP.put("PRIVILEGE_MANAGEMENT", PRIVILEGE_MANAGEMENT);
-            PERMISSION_LOOKUP.put("USER_MANAGEMENT", USER_MANAGEMENT);
-            PERMISSION_LOOKUP.put("INDEX_DEFINITION_MANAGEMENT", INDEX_DEFINITION_MANAGEMENT);
-        }
+    static {
+        PERMISSION_LOOKUP.put("ALL", ALL);
+        PERMISSION_LOOKUP.put("READ", READ);
+        PERMISSION_LOOKUP.put("READ_NODE", READ_NODE);
+        PERMISSION_LOOKUP.put("READ_PROPERTY", READ_PROPERTY);
+        PERMISSION_LOOKUP.put("SET_PROPERTY", SET_PROPERTY);
+        PERMISSION_LOOKUP.put("ADD_PROPERTY", ADD_PROPERTY);
+        PERMISSION_LOOKUP.put("MODIFY_PROPERTY", MODIFY_PROPERTY);
+        PERMISSION_LOOKUP.put("REMOVE_PROPERTY", REMOVE_PROPERTY);
+        PERMISSION_LOOKUP.put("ADD_NODE", ADD_NODE);
+        PERMISSION_LOOKUP.put("REMOVE_NODE", REMOVE_NODE);
+        PERMISSION_LOOKUP.put("REMOVE", REMOVE);
+        PERMISSION_LOOKUP.put("WRITE", WRITE);
+        PERMISSION_LOOKUP.put("MODIFY_CHILD_NODE_COLLECTION", MODIFY_CHILD_NODE_COLLECTION);
+        PERMISSION_LOOKUP.put("READ_ACCESS_CONTROL", READ_ACCESS_CONTROL);
+        PERMISSION_LOOKUP.put("MODIFY_ACCESS_CONTROL", MODIFY_ACCESS_CONTROL);
+        PERMISSION_LOOKUP.put("NODE_TYPE_MANAGEMENT", NODE_TYPE_MANAGEMENT);
+        PERMISSION_LOOKUP.put("VERSION_MANAGEMENT", VERSION_MANAGEMENT);
+        PERMISSION_LOOKUP.put("LOCK_MANAGEMENT", LOCK_MANAGEMENT);
+        PERMISSION_LOOKUP.put("LIFECYCLE_MANAGEMENT", LIFECYCLE_MANAGEMENT);
+        PERMISSION_LOOKUP.put("RETENTION_MANAGEMENT", RETENTION_MANAGEMENT);
+        PERMISSION_LOOKUP.put("NODE_TYPE_DEFINITION_MANAGEMENT", NODE_TYPE_DEFINITION_MANAGEMENT);
+        PERMISSION_LOOKUP.put("NAMESPACE_MANAGEMENT", NAMESPACE_MANAGEMENT);
+        PERMISSION_LOOKUP.put("WORKSPACE_MANAGEMENT", WORKSPACE_MANAGEMENT);
+        PERMISSION_LOOKUP.put("PRIVILEGE_MANAGEMENT", PRIVILEGE_MANAGEMENT);
+        PERMISSION_LOOKUP.put("USER_MANAGEMENT", USER_MANAGEMENT);
+        PERMISSION_LOOKUP.put("INDEX_DEFINITION_MANAGEMENT", INDEX_DEFINITION_MANAGEMENT);
+    }
+
+    private static final Set<String> WRITE_ACTIONS = ImmutableSet.of(
+            Session.ACTION_REMOVE,
+            Session.ACTION_ADD_NODE,
+            Session.ACTION_SET_PROPERTY,
+            JackrabbitSession.ACTION_REMOVE_NODE,
+            JackrabbitSession.ACTION_ADD_PROPERTY,
+            JackrabbitSession.ACTION_MODIFY_PROPERTY,
+            JackrabbitSession.ACTION_REMOVE_PROPERTY
+    );
+
+    private static final Map<String, Long> ACTIONS_MAP = new LinkedHashMap<String, Long>();
+    static {
+        ACTIONS_MAP.put(Session.ACTION_ADD_NODE, ADD_NODE);
+        ACTIONS_MAP.put(JackrabbitSession.ACTION_ADD_PROPERTY, ADD_PROPERTY);
+        ACTIONS_MAP.put(JackrabbitSession.ACTION_MODIFY_PROPERTY, MODIFY_PROPERTY);
+        ACTIONS_MAP.put(JackrabbitSession.ACTION_REMOVE_PROPERTY, REMOVE_PROPERTY);
+        ACTIONS_MAP.put(JackrabbitSession.ACTION_REMOVE_NODE, REMOVE_NODE);
+        ACTIONS_MAP.put(JackrabbitSession.ACTION_NODE_TYPE_MANAGEMENT, NODE_TYPE_MANAGEMENT);
+        ACTIONS_MAP.put(JackrabbitSession.ACTION_LOCKING, LOCK_MANAGEMENT);
+        ACTIONS_MAP.put(JackrabbitSession.ACTION_VERSIONING, VERSION_MANAGEMENT);
+        ACTIONS_MAP.put(JackrabbitSession.ACTION_READ_ACCESS_CONTROL, READ_ACCESS_CONTROL);
+        ACTIONS_MAP.put(JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL, MODIFY_ACCESS_CONTROL);
+        ACTIONS_MAP.put(JackrabbitSession.ACTION_USER_MANAGEMENT, USER_MANAGEMENT);
+    }
 
     /**
      * Returns names of the specified permissions.
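Review bot: `WRITE_ACTIONS` and `ACTIONS_MAP` are added without a comment, although together they form the action-to-permission table that the authorization check relies on. I would put `// write actions that are folded into MODIFY_ACCESS_CONTROL when the target is access control content` above `WRITE_ACTIONS` and `// actions with a 1:1 permission mapping; ACTION_READ and ACTION_SET_PROPERTY are resolved separately in getPermissions` above `ACTIONS_MAP`. `Session.ACTION_REMOVE` is also absent from `ACTIONS_MAP`, presumably for the same reason, and the comment should say so if that is the case. `ACTIONS_MAP` is a mutable `LinkedHashMap` that is only written in the static initializer; exposing it through an unmodifiable view would make it explicit that the table cannot change at runtime.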
@@ -301,19 +327,19 @@ public final class Permissions {
                 Permissions.includes(permissions, Permissions.REMOVE_NODE);
     }
 
-     /**
-      * Returns those bits from {@code permissions} that are not present in
-      * the {@code otherPermissions}, i.e. subtracts the other permissions
-      * from permissions.<br>
-      * If the specified {@code otherPermissions} do not intersect with
-      * {@code permissions},  {@code permissions} are returned.<br>
-      * If {@code permissions} is included in {@code otherPermissions},
-      * {@link #NO_PERMISSION} is returned.
-      *
-      * @param permissions
-      * @param otherPermissions
-      * @return the differences of the 2 permissions or {@link #NO_PERMISSION}.
-      */
+    /**
+     * Returns those bits from {@code permissions} that are not present in
+     * the {@code otherPermissions}, i.e. subtracts the other permissions
+     * from permissions.<br>
+     * If the specified {@code otherPermissions} do not intersect with
+     * {@code permissions},  {@code permissions} are returned.<br>
+     * If {@code permissions} is included in {@code otherPermissions},
+     * {@link #NO_PERMISSION} is returned.
+     *
+     * @param permissions
+     * @param otherPermissions
+     * @return the differences of the 2 permissions or {@link #NO_PERMISSION}.
+     */
     public static long diff(long permissions, long otherPermissions) {
         return permissions & ~otherPermissions;
     }
@@ -340,6 +366,7 @@ public final class Permissions {
                                       boolean isAccessControlContent) {
         Set<String> actions = Sets.newHashSet(Text.explode(jcrActions, ',', false));
         long permissions = NO_PERMISSION;
+        // map read action respecting the 'isAccessControlContent' flag.
         if (actions.remove(Session.ACTION_READ)) {
             if (isAccessControlContent) {
                 permissions |= READ_ACCESS_CONTROL;
@@ -352,17 +379,15 @@ public final class Permissions {
             }
         }
 
+        // map write actions respecting the 'isAccessControlContent' flag.
         if (!actions.isEmpty()) {
             if (isAccessControlContent) {
-                actions.removeAll(ImmutableSet.of(
-                        Session.ACTION_ADD_NODE,
-                        Session.ACTION_REMOVE,
-                        Session.ACTION_SET_PROPERTY));
-                permissions |= MODIFY_ACCESS_CONTROL;
-            } else {
-                if (actions.remove(Session.ACTION_ADD_NODE)) {
-                    permissions |= ADD_NODE;
+                if (actions.removeAll(WRITE_ACTIONS)) {
+                    permissions |= MODIFY_ACCESS_CONTROL;
                 }
+            } else {
+                // item is not access controlled -> cover actions that don't have
+                // a 1:1 mapping to a given permission.
                 if (actions.remove(Session.ACTION_SET_PROPERTY)) {
                     if (location.getProperty() == null) {
                         permissions |= ADD_PROPERTY;
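Review bot: In the `isAccessControlContent` branch, `MODIFY_ACCESS_CONTROL` is now added only when `actions.removeAll(WRITE_ACTIONS)` removed something, whereas the removed lines added it for any remaining action. Permission names passed as actions (for example `ADD_NODE` or `WRITE`, both keys of `PERMISSION_LOOKUP`) are not in `WRITE_ACTIONS`, so they presumably fall through to `getPermissions(actions)` and are evaluated as plain write permissions on a policy item rather than as `MODIFY_ACCESS_CONTROL`. If that is intended, state it in the comment, e.g. `// only JCR/Jackrabbit write actions are folded into MODIFY_ACCESS_CONTROL; permission names are mapped as-is`, and pin it with a case in `testGetPermissionsOnAccessControlledNode`; otherwise `hasPermission` may answer differently from the check applied to the actual write. The inner comment `item is not access controlled` would read more accurately as `item is not access control content`. The method starts and ends outside this hunk.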
@@ -382,8 +407,18 @@ public final class Permissions {
             }
         }
 
-        permissions |= getPermissions(actions);
+        // map remaining actions and permission-names that have a simple 1:1
+        // mapping between action and permission
+        if (!actions.isEmpty()) {
+            for (String action : ACTIONS_MAP.keySet()) {
+                if (actions.remove(action)) {
+                    permissions |= ACTIONS_MAP.get(action);
+                }
+            }
+            permissions |= getPermissions(actions);
+        }
 
+        // now the action set must be empty; otherwise it contained unsupported action(s)
         if (!actions.isEmpty()) {
             throw new IllegalArgumentException("Unknown actions: " + actions);
         }
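Review bot: The new loop walks `ACTIONS_MAP.keySet()` and then calls `ACTIONS_MAP.get(action)` for every hit, which costs a second lookup and unboxes the returned `Long` implicitly. Iterating the entries is the usual form: `for (Map.Entry<String, Long> entry : ACTIONS_MAP.entrySet())` with `actions.remove(entry.getKey())` and `permissions |= entry.getValue()`. The final `isEmpty()` check only rejects unknown input if `getPermissions(actions)` removes the names it resolves from the set; that method is not visible here, so a one-line comment stating that dependency would help. The enclosing method starts outside this hunk.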

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionsTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionsTest.java?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionsTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionsTest.java Wed Jul 29 14:21:18 2015
@@ -16,6 +16,7 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authorization.permission;
 
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -23,12 +24,15 @@ import javax.jcr.Session;
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
+import org.apache.jackrabbit.api.JackrabbitSession;
 import org.apache.jackrabbit.oak.AbstractSecurityTest;
 import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
 import org.apache.jackrabbit.util.Text;
 import org.junit.Test;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.fail;
 
 
@@ -74,6 +78,87 @@ public class PermissionsTest extends Abs
     }
 
     @Test
+    public void testGetPermissionsFromJackrabbitActions() {
+        TreeLocation tl = TreeLocation.create(root.getTree("/"));
+        Map<String, Long> map = new HashMap<String, Long>();
+        map.put(Session.ACTION_ADD_NODE, Permissions.ADD_NODE);
+        map.put(JackrabbitSession.ACTION_ADD_PROPERTY, Permissions.ADD_PROPERTY);
+        map.put(JackrabbitSession.ACTION_MODIFY_PROPERTY, Permissions.MODIFY_PROPERTY);
+        map.put(JackrabbitSession.ACTION_REMOVE_PROPERTY, Permissions.REMOVE_PROPERTY);
+        map.put(JackrabbitSession.ACTION_REMOVE_NODE, Permissions.REMOVE_NODE);
+        map.put(JackrabbitSession.ACTION_NODE_TYPE_MANAGEMENT, Permissions.NODE_TYPE_MANAGEMENT);
+        map.put(JackrabbitSession.ACTION_LOCKING, Permissions.LOCK_MANAGEMENT);
+        map.put(JackrabbitSession.ACTION_VERSIONING, Permissions.VERSION_MANAGEMENT);
+        map.put(JackrabbitSession.ACTION_READ_ACCESS_CONTROL, Permissions.READ_ACCESS_CONTROL);
+        map.put(JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL, Permissions.MODIFY_ACCESS_CONTROL);
+        map.put(JackrabbitSession.ACTION_USER_MANAGEMENT, Permissions.USER_MANAGEMENT);
+
+        for (Map.Entry<String, Long> entry : map.entrySet()) {
+            assertEquals(entry.getValue().longValue(), Permissions.getPermissions(entry.getKey(), tl, false));
+        }
+    }
+
+    @Test
+    public void testGetPermissionsOnAccessControlledNode() {
+        TreeLocation tl = TreeLocation.create(root.getTree("/rep:policy"));
+        Map<String, Long> map = new HashMap<String, Long>();
+
+        // read -> mapped to read-access-control
+        map.put(Session.ACTION_READ, Permissions.READ_ACCESS_CONTROL);
+
+        // all regular write -> mapped to modify-access-control (compatible and in
+        // accordance to the previous behavior, where specifying an explicit
+        // modify_access_control action was not possible.
+        map.put(Session.ACTION_ADD_NODE, Permissions.MODIFY_ACCESS_CONTROL);
+        map.put(Session.ACTION_REMOVE, Permissions.MODIFY_ACCESS_CONTROL);
+        map.put(Session.ACTION_SET_PROPERTY, Permissions.MODIFY_ACCESS_CONTROL);
+        map.put(JackrabbitSession.ACTION_ADD_PROPERTY, Permissions.MODIFY_ACCESS_CONTROL);
+        map.put(JackrabbitSession.ACTION_MODIFY_PROPERTY, Permissions.MODIFY_ACCESS_CONTROL);
+        map.put(JackrabbitSession.ACTION_REMOVE_PROPERTY, Permissions.MODIFY_ACCESS_CONTROL);
+        map.put(JackrabbitSession.ACTION_REMOVE_NODE, Permissions.MODIFY_ACCESS_CONTROL);
+
+        // all other actions are mapped to the corresponding permission without
+        // testing for item being ac-content
+        map.put(JackrabbitSession.ACTION_READ_ACCESS_CONTROL, Permissions.READ_ACCESS_CONTROL);
+        map.put(JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL, Permissions.MODIFY_ACCESS_CONTROL);
+        map.put(JackrabbitSession.ACTION_LOCKING, Permissions.LOCK_MANAGEMENT);
+        map.put(JackrabbitSession.ACTION_VERSIONING, Permissions.VERSION_MANAGEMENT);
+        map.put(JackrabbitSession.ACTION_USER_MANAGEMENT, Permissions.USER_MANAGEMENT);
+
+        for (Map.Entry<String, Long> entry : map.entrySet()) {
+            assertEquals(entry.getKey(), entry.getValue().longValue(), Permissions.getPermissions(entry.getKey(), tl, true));
+        }
+    }
+
+    @Test
+    public void testActionSetProperty() {
+        TreeLocation treeLocation = TreeLocation.create(root.getTree("/"));
+        assertNull(treeLocation.getProperty());
+        assertEquals(Permissions.ADD_PROPERTY, Permissions.getPermissions(Session.ACTION_SET_PROPERTY, treeLocation, false));
+        assertEquals(Permissions.MODIFY_ACCESS_CONTROL, Permissions.getPermissions(Session.ACTION_SET_PROPERTY, treeLocation, true));
+
+        TreeLocation nonExistingTree = TreeLocation.create(root.getTree("/nonExisting"));
+        assertNull(nonExistingTree.getProperty());
+        assertEquals(Permissions.ADD_PROPERTY, Permissions.getPermissions(Session.ACTION_SET_PROPERTY, nonExistingTree, false));
+        assertEquals(Permissions.MODIFY_ACCESS_CONTROL, Permissions.getPermissions(Session.ACTION_SET_PROPERTY, nonExistingTree, true));
+
+        TreeLocation nonExistingProp = TreeLocation.create(root, "/nonExisting");
+        assertNull(nonExistingProp.getProperty());
+        assertEquals(Permissions.ADD_PROPERTY, Permissions.getPermissions(Session.ACTION_SET_PROPERTY, nonExistingProp, false));
+        assertEquals(Permissions.MODIFY_ACCESS_CONTROL, Permissions.getPermissions(Session.ACTION_SET_PROPERTY, nonExistingProp, true));
+
+        TreeLocation existingProp = TreeLocation.create(root, "/jcr:primaryType");
+        assertNotNull(existingProp.getProperty());
+        assertEquals(Permissions.MODIFY_PROPERTY, Permissions.getPermissions(Session.ACTION_SET_PROPERTY, existingProp, false));
+        assertEquals(Permissions.MODIFY_ACCESS_CONTROL, Permissions.getPermissions(Session.ACTION_SET_PROPERTY, existingProp, true));
+    }
+
+    @Test
+    public void testActionRemove() {
+        // TODO
+    }
+
+    @Test
     public void testAggregates() {
         // TODO
     }
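Review bot: `testActionRemove` is added with only a `// TODO` body, so it passes without checking how `Session.ACTION_REMOVE` is mapped, and `testGetPermissionsFromJackrabbitActions` does not cover that action either. Until the case is written I would mark it `@Ignore("ACTION_REMOVE mapping not covered yet")` (this needs an `org.junit.Ignore` import) so the test report does not count the mapping as verified; the context method `testAggregates` has the same empty body. The `assertEquals` in `testGetPermissionsFromJackrabbitActions` also has no message argument; passing `entry.getKey()` first, as `testGetPermissionsOnAccessControlledNode` does, would name the failing action.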

Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java Wed Jul 29 14:21:18 2015
@@ -69,6 +69,7 @@ import org.apache.jackrabbit.oak.jcr.ses
 import org.apache.jackrabbit.oak.jcr.xml.ImportHandler;
 import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.test.api.util.Text;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.ContentHandler;
@@ -749,6 +750,11 @@ public class SessionImpl implements Jack
     //--------------------------------------------------< JackrabbitSession >---
 
     @Override
+    public boolean hasPermission(String absPath, String... actions) throws RepositoryException {
+        return hasPermission(absPath, Text.implode(actions, ","));
+    }
+
+    @Override
     @Nonnull
     public PrincipalManager getPrincipalManager() throws RepositoryException {
         return sessionContext.getPrincipalManager();
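Review bot: The new `hasPermission(String absPath, String... actions)` has no Javadoc, and its result for empty input is easy to misread. Joining an empty array yields `""`, and `HasPermissionTest.testEmpty` in this commit asserts that the check then returns `true`. A caller that builds the action array dynamically and ends up with no entries therefore gets a positive answer, so the contract belongs on the method, e.g. `Returns {@code true} if no action is specified.` A `null` array is not handled here, and whether `Text.implode` tolerates it is not visible in this hunk; annotating the parameter `@Nonnull`, as this file already does for return values, would document the expectation.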

Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/HasPermissionTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/HasPermissionTest.java?rev=1693270&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/HasPermissionTest.java (added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/HasPermissionTest.java Wed Jul 29 14:21:18 2015
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.jcr.Session;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Maps;
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+
+/**
+ * Testing {@link Session#hasPermission(String,String)} and {@link JackrabbitSession#hasPermission(String, String...)}
+ */
+public class HasPermissionTest extends AbstractEvaluationTest {
+
+    public void testEmpty() throws Exception {
+        List<String> paths = ImmutableList.of(
+                "/", path, childPPath, path + "/rep:policy",
+                "/nonExisting", path + "/nonExisting");
+
+        for (String p : paths) {
+            assertTrue(testSession.hasPermission(p, ""));
+            assertTrue(testSession.hasPermission(p, ",,"));
+            assertTrue(((JackrabbitSession) testSession).hasPermission(p, new String[0]));
+            assertTrue(((JackrabbitSession) testSession).hasPermission(p, new String[]{""}));
+            assertTrue(((JackrabbitSession) testSession).hasPermission(p, new String[]{"", ""}));
+            assertTrue(((JackrabbitSession) testSession).hasPermission(p, "", ""));
+        }
+    }
+
+    public void testSingle() throws Exception {
+        Map<String, Boolean> map = Maps.newHashMap();
+        map.put("/", true);
+        map.put(path, true);
+        map.put(childPPath, true);
+        map.put(path + "/rep:policy", false);
+        map.put("/nonExisting", true);
+        map.put(path + "/nonExisting", true);
+
+        for (String p : map.keySet()) {
+            boolean expected = map.get(p);
+            assertEquals(p, expected, testSession.hasPermission(p, Session.ACTION_READ));
+            assertEquals(p, expected, ((JackrabbitSession) testSession).hasPermission(p, new String[]{Session.ACTION_READ}));
+        }
+    }
+
+    public void testDuplicate() throws Exception {
+        Map<String, Boolean> map = Maps.newHashMap();
+        map.put("/", true);
+        map.put(path, true);
+        map.put(childPPath, true);
+        map.put(path + "/rep:policy", false);
+        map.put("/nonExisting", true);
+        map.put(path + "/nonExisting", true);
+
+        for (String p : map.keySet()) {
+            boolean expected = map.get(p);
+            assertEquals(p, expected, testSession.hasPermission(p, Session.ACTION_READ + "," + Permissions.getString(Permissions.READ)));
+            assertEquals(p, expected, ((JackrabbitSession) testSession).hasPermission(p, new String[]{Session.ACTION_READ, Session.ACTION_READ}));
+            assertEquals(p, expected, ((JackrabbitSession) testSession).hasPermission(p, Session.ACTION_READ, Session.ACTION_READ));
+            assertEquals(p, expected, ((JackrabbitSession) testSession).hasPermission(p, new String[]{Session.ACTION_READ, Permissions.PERMISSION_NAMES.get(Permissions.READ)}));
+            assertEquals(p, expected, ((JackrabbitSession) testSession).hasPermission(p, Session.ACTION_READ, Permissions.PERMISSION_NAMES.get(Permissions.READ)));
+        }
+    }
+
+    public void testMultiple() throws Exception {
+        List<String> paths = ImmutableList.of(
+                "/", path, childPPath, path + "/rep:policy",
+                "/nonExisting", path + "/nonExisting");
+
+        for (String p : paths) {
+            assertFalse(testSession.hasPermission(p, Session.ACTION_READ + "," + Session.ACTION_SET_PROPERTY));
+            assertFalse(testSession.hasPermission(p, Session.ACTION_READ + "," + Permissions.getString(Permissions.ADD_PROPERTY)));
+
+            assertFalse(((JackrabbitSession) testSession).hasPermission(p, Session.ACTION_READ, Session.ACTION_SET_PROPERTY));
+            assertFalse(((JackrabbitSession) testSession).hasPermission(p, Session.ACTION_READ, JackrabbitSession.ACTION_ADD_PROPERTY));
+
+            assertFalse(testSession.hasPermission(p, Session.ACTION_READ + "," + JackrabbitSession.ACTION_READ_ACCESS_CONTROL));
+            assertFalse(((JackrabbitSession) testSession).hasPermission(p, Session.ACTION_READ, JackrabbitSession.ACTION_READ_ACCESS_CONTROL));
+        }
+    }
+}
\ No newline at end of file
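Review bot: Every assertion in `testMultiple` is `assertFalse`, so an implementation that rejected every request with more than one action would pass it. `testDuplicate` only covers the same read permission given twice, so nothing in this file shows a granted combination of two distinct actions through either the comma-separated or the varargs form. I would add one positive case using actions the test session actually holds; which ones those are depends on the `AbstractEvaluationTest` setup, which is not visible here. In `testSingle` and `testDuplicate`, iterating `map.entrySet()` would avoid the extra `map.get(p)` lookup and its unboxing.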

Modified: jackrabbit/oak/trunk/oak-parent/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-parent/pom.xml?rev=1693270&r1=1693269&r2=1693270&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-parent/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-parent/pom.xml Wed Jul 29 14:21:18 2015
@@ -42,7 +42,7 @@
     <project.reporting.outputEncoding>
       ${project.build.sourceEncoding}
     </project.reporting.outputEncoding>
-    <jackrabbit.version>2.10.1</jackrabbit.version>
+    <jackrabbit.version>2.10.2-SNAPSHOT</jackrabbit.version>
     <mongo.host>127.0.0.1</mongo.host>
     <mongo.port>27017</mongo.port>
     <mongo.db>MongoMKDB</mongo.db>
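Review bot: The `jackrabbit.version` property now points at `2.10.2-SNAPSHOT`, a mutable artifact, so two builds of this same revision can resolve different Jackrabbit jars and the result is no longer reproducible or auditable. Presumably the snapshot is needed for the `JackrabbitSession.hasPermission(String, String...)` signature and the extra action constants the new tests use, but the pom does not say so. I would add a comment above the property, `<!-- OAK-3160: needs JackrabbitSession.hasPermission(String, String...); replace with a released version before the next Oak release -->`, and confirm that release builds reject SNAPSHOT dependencies. The enclosing `<properties>` block starts and ends outside the hunk.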



Re: svn commit: r1693270 - in /jackrabbit/oak/trunk: oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/ oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/ oak-co...

Posted by Michael Dürig <md...@apache.org>.
I fixed the import accordingly at http://svn.apache.org/r1694067

Michael

On 4.8.15 3:55 , Angela Schreiber wrote:
> oh... my bad. it should obviously be the Text utility from jcr-commons
> not the one from the test! sorry...
>
> angela
>
> On 04/08/15 15:47, "Michael Dürig" <md...@apache.org> wrote:
>
>>
>>
>> On 29.7.15 4:21 , angela@apache.org wrote:
>>> Author: angela
>>> Date: Wed Jul 29 14:21:18 2015
>>> New Revision: 1693270
>>>
>>> URL: http://svn.apache.org/r1693270
>>> Log:
>>> OAK-3160 - Implement Session.hasPermission(String, String...) and
>>> support for additional actions,
>>> OAK-2008 :  authorization setup for closed user groups (WIP)
>>>
>>
>>>
>>> Modified:
>>> jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/
>>> session/SessionImpl.java
>>> URL:
>>> http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/o
>>> rg/apache/jackrabbit/oak/jcr/session/SessionImpl.java?rev=1693270&r1=1693
>>> 269&r2=1693270&view=diff
>>>
>>> =========================================================================
>>> =====
>>> ---
>>> jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/
>>> session/SessionImpl.java (original)
>>> +++
>>> jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/
>>> session/SessionImpl.java Wed Jul 29 14:21:18 2015
>>> @@ -69,6 +69,7 @@ import org.apache.jackrabbit.oak.jcr.ses
>>>    import org.apache.jackrabbit.oak.jcr.xml.ImportHandler;
>>>    import
>>> org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCreden
>>> tials;
>>>    import
>>> org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissio
>>> ns;
>>> +import org.apache.jackrabbit.test.api.util.Text;
>>
>> This breaks upstream applications as jackrabbit-jcr-tests (which
>> contains o.a.j.test.api.util.Text) is declared as optional.
>>
>> Michael
>

Re: svn commit: r1693270 - in /jackrabbit/oak/trunk: oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/ oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/ oak-co...

Posted by Angela Schreiber <an...@adobe.com>.
oh... my bad. it should obviously be the Text utility from jcr-commons
not the one from the test! sorry...

angela

On 04/08/15 15:47, "Michael Dürig" <md...@apache.org> wrote:

>
>
>On 29.7.15 4:21 , angela@apache.org wrote:
>> Author: angela
>> Date: Wed Jul 29 14:21:18 2015
>> New Revision: 1693270
>>
>> URL: http://svn.apache.org/r1693270
>> Log:
>> OAK-3160 - Implement Session.hasPermission(String, String...) and
>>support for additional actions,
>> OAK-2008 :  authorization setup for closed user groups (WIP)
>>
>
>>
>> Modified: 
>>jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/
>>session/SessionImpl.java
>> URL: 
>>http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/o
>>rg/apache/jackrabbit/oak/jcr/session/SessionImpl.java?rev=1693270&r1=1693
>>269&r2=1693270&view=diff
>> 
>>=========================================================================
>>=====
>> --- 
>>jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/
>>session/SessionImpl.java (original)
>> +++ 
>>jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/
>>session/SessionImpl.java Wed Jul 29 14:21:18 2015
>> @@ -69,6 +69,7 @@ import org.apache.jackrabbit.oak.jcr.ses
>>   import org.apache.jackrabbit.oak.jcr.xml.ImportHandler;
>>   import 
>>org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCreden
>>tials;
>>   import 
>>org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissio
>>ns;
>> +import org.apache.jackrabbit.test.api.util.Text;
>
>This breaks upstream applications as jackrabbit-jcr-tests (which
>contains o.a.j.test.api.util.Text) is declared as optional.
>
>Michael


Re: svn commit: r1693270 - in /jackrabbit/oak/trunk: oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/ oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/ oak-core/s...

Posted by Michael Dürig <md...@apache.org>.

On 29.7.15 4:21 , angela@apache.org wrote:
> Author: angela
> Date: Wed Jul 29 14:21:18 2015
> New Revision: 1693270
>
> URL: http://svn.apache.org/r1693270
> Log:
> OAK-3160 - Implement Session.hasPermission(String, String...) and support for additional actions,
> OAK-2008 :  authorization setup for closed user groups (WIP)
>

>
> Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java
> URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java?rev=1693270&r1=1693269&r2=1693270&view=diff
> ==============================================================================
> --- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java (original)
> +++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java Wed Jul 29 14:21:18 2015
> @@ -69,6 +69,7 @@ import org.apache.jackrabbit.oak.jcr.ses
>   import org.apache.jackrabbit.oak.jcr.xml.ImportHandler;
>   import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials;
>   import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
> +import org.apache.jackrabbit.test.api.util.Text;

This breaks upstream applications as jackrabbit-jcr-tests (which 
contains o.a.j.test.api.util.Text) is declared as optional.

Michael