You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/10/14 11:02:49 UTC
svn commit: r1708563 [3/3] - in /jackrabbit/oak/trunk:
oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/
oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/...
Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/LimitedScopeProvider.java (from r1708074, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/LimitedScopeProvider.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/LimitedScopeProvider.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java&r1=1708074&r2=1708563&rev=1708563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/LimitedScopeProvider.java Wed Oct 14 09:02:49 2015
@@ -16,13 +16,12 @@
*/
package org.apache.jackrabbit.oak.security.authorization.composite;
-import java.util.Arrays;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
-import javax.jcr.Session;
import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
@@ -33,40 +32,44 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
-import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.util.Text;
/**
* Test implementation of the {@code AggregatedPermissionProvider} with following
- * characteristics:
+ * characteristics. It has a limited scope and supports
*
- * If {@code supportsAll} is {@code true} this provider supports all permissions
- * but only grants {@link Permissions#NAMESPACE_MANAGEMENT} on repository level
- * and {@link Permissions#READ_NODE} on regular items.
- * In this case the provider will always be respected for evaluation and will
- * therefore cause the final result to be always restricted to the permissions
- * granted by this provider.
- *
- * If {@code supportsAll} is {@code false} this provider supports
- * - {@link Permissions#NAMESPACE_MANAGEMENT} on repository level
- * - {@link Permissions#READ_NODE} at the tree defined by {@link AbstractCompositeProviderTest#TEST_A_PATH}
+ * - {@link Permissions#NAMESPACE_MANAGEMENT} and {@link Permissions#NODE_TYPE_DEFINITION_MANAGEMENT} on repository level
+ * - {@link Permissions#WRITE} at the tree defined by {@link AbstractCompositeProviderTest#TEST_A_PATH}
* - {@link Permissions#NO_PERMISSION} everywhere else.
- * The permissions granted are the same as above. Due to the limited scope
- * however, the provider will in this case only respected for evaluation at
- * the supported paths (and at the repo level). The final result will restricted
- * to the permissions granted by this provider at the supported paths. For all
- * other paths the access limitations of this provider have no effect.
+ *
+ * The permission setup defined by this provider is as follows:
+ *
+ * At the repository level
+ * - {@link Permissions#NAMESPACE_MANAGEMENT} is denied
+ * - {@link Permissions#NODE_TYPE_DEFINITION_MANAGEMENT} is allowed
+ *
+ * At {@link AbstractCompositeProviderTest#TEST_A_PATH}
+ * - {@link Permissions#ADD_NODE} and {@link Permissions#ADD_PROPERTY} is denied
+ * - all other aggregates of {@link Permissions#WRITE} are allowed.
+ * - any other permissions are ignored
+ *
+ * Consequently any path outside of the scope of this provider is not affected
+ * by the permission setup.
*/
-class TestPermissionProvider implements AggregatedPermissionProvider {
+class LimitedScopeProvider implements AggregatedPermissionProvider, PrivilegeConstants {
+
+ private static final Set<String> grantedPrivs = ImmutableSet.of(JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE, REP_ALTER_PROPERTIES, REP_REMOVE_PROPERTIES);
+ private static final Set<String> deniedPrivs = ImmutableSet.of(JCR_ADD_CHILD_NODES, REP_ADD_PROPERTIES);
+
+ private static final long grantedPerms = Permissions.REMOVE_NODE | Permissions.REMOVE_PROPERTY | Permissions.MODIFY_PROPERTY;
+ private static final long deniedPerms = Permissions.ADD_NODE | Permissions.ADD_PROPERTY;
private final Root root;
- private final boolean supportsAll;
- TestPermissionProvider(@Nonnull Root root, boolean supportsAll) {
+ LimitedScopeProvider(@Nonnull Root root) {
this.root = root;
- this.supportsAll = supportsAll;
}
//-------------------------------------------------< PermissionProvider >---
@@ -79,24 +82,32 @@ class TestPermissionProvider implements
@Override
public Set<String> getPrivileges(@Nullable Tree tree) {
if (tree == null) {
- return ImmutableSet.of(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+ return ImmutableSet.of(JCR_NODE_TYPE_DEFINITION_MANAGEMENT);
} else if (isSupported(tree)) {
- return ImmutableSet.of(PrivilegeConstants.REP_READ_NODES);
+ return ImmutableSet.of(JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE, REP_ALTER_PROPERTIES, REP_REMOVE_PROPERTIES);
} else {
return ImmutableSet.of();
}
-
}
@Override
public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) {
+ Set<String> pSet = Sets.newHashSet(privilegeNames);
if (tree == null) {
- return Arrays.equals(new String[]{PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT}, privilegeNames);
+ if (pSet.contains(JCR_NAMESPACE_MANAGEMENT)) {
+ return false;
+ } else {
+ return pSet.size() == 1 && pSet.contains(JCR_NODE_TYPE_DEFINITION_MANAGEMENT);
+ }
} else if (isSupported(tree)) {
- return Arrays.equals(new String[]{PrivilegeConstants.REP_READ_NODES}, privilegeNames);
- } else {
- return false;
+ if (pSet.removeAll(deniedPrivs)) {
+ return false;
+ } else if (pSet.removeAll(grantedPrivs)) {
+ return pSet.isEmpty();
+ }
}
+
+ return false;
}
@Nonnull
@@ -105,7 +116,7 @@ class TestPermissionProvider implements
return new RepositoryPermission() {
@Override
public boolean isGranted(long repositoryPermissions) {
- return Permissions.NAMESPACE_MANAGEMENT == repositoryPermissions;
+ return Permissions.NODE_TYPE_DEFINITION_MANAGEMENT == repositoryPermissions;
}
};
}
@@ -113,76 +124,90 @@ class TestPermissionProvider implements
@Nonnull
@Override
public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) {
- return (isSupported(tree)) ? new TestTreePermission(tree.getPath()) : TreePermission.EMPTY;
+ String path = tree.getPath();
+ if (isSupported(path)) {
+ return new TestTreePermission(path);
+ } else if (Text.isDescendant(path, AbstractCompositeProviderTest.TEST_A_PATH)) {
+ return TreePermission.EMPTY;
+ } else {
+ return TreePermission.NO_RECOURSE;
+ }
}
@Override
public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) {
- return isSupported(tree) && property == null && permissions == Permissions.READ_NODE;
+ if (isSupported(tree)) {
+ if (Permissions.includes(permissions, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)) {
+ return false;
+ } else {
+ return Permissions.diff(permissions, grantedPerms) == Permissions.NO_PERMISSION;
+ }
+ } else {
+ return false;
+ }
}
@Override
public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) {
- Tree tree = root.getTree(oakPath);
- return tree.exists() && isSupported(tree) && Session.ACTION_READ.equals(jcrActions);
+ if (isSupported(oakPath)) {
+ Tree tree = root.getTree(oakPath);
+ long perms = Permissions.getPermissions(jcrActions, TreeLocation.create(tree), false);
+ if (Permissions.includes(perms, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)) {
+ return false;
+ } else {
+ return Permissions.diff(perms, grantedPerms) == Permissions.NO_PERMISSION;
+ }
+ } else {
+ return false;
+ }
}
//---------------------------------------< AggregatedPermissionProvider >---
@Nonnull
@Override
public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) {
- if (supportsAll) {
- return (privilegeBits == null) ? new PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL) : privilegeBits;
+ PrivilegeBits supported;
+ if (tree == null) {
+ supported = PrivilegeBits.getInstance(
+ PrivilegeBits.BUILT_IN.get(JCR_NAMESPACE_MANAGEMENT),
+ PrivilegeBits.BUILT_IN.get(JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+ } else if (isSupported(tree)) {
+ supported = PrivilegeBits.BUILT_IN.get(JCR_WRITE);
} else {
- PrivilegeBits supported;
- if (tree == null) {
- supported = PrivilegeBits.BUILT_IN.get(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
- } else if (isSupportedPath(tree.getPath())) {
- supported = PrivilegeBits.BUILT_IN.get(PrivilegeConstants.REP_READ_NODES);
- } else {
- supported = PrivilegeBits.EMPTY;
- }
+ supported = PrivilegeBits.EMPTY;
+ }
- if (privilegeBits != null && !supported.isEmpty()) {
- return PrivilegeBits.getInstance(privilegeBits).retain(supported);
- } else {
- return supported;
- }
+ if (privilegeBits != null && !supported.isEmpty()) {
+ return PrivilegeBits.getInstance(privilegeBits).retain(supported);
+ } else {
+ return supported;
}
}
@Override
public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions) {
- if (supportsAll) {
- return permissions;
+ if (tree == null) {
+ return permissions & (Permissions.NAMESPACE_MANAGEMENT|Permissions.NODE_TYPE_DEFINITION_MANAGEMENT);
+ } else if (isSupported(tree)) {
+ return permissions & Permissions.WRITE;
} else {
- if (tree == null) {
- return permissions & Permissions.NAMESPACE_MANAGEMENT;
- } else if (isSupportedPath(tree.getPath())) {
- return permissions & Permissions.READ_NODE;
- } else {
- return Permissions.NO_PERMISSION;
- }
+ return Permissions.NO_PERMISSION;
}
}
@Override
public long supportedPermissions(@Nonnull TreeLocation location, long permissions) {
- if (supportsAll) {
- return permissions;
- } else if (isSupportedPath(location.getPath())) {
- return permissions & Permissions.READ_NODE;
+ if (isSupported(location.getPath())) {
+ return permissions & Permissions.WRITE;
} else {
return Permissions.NO_PERMISSION;
}
}
@Override
- public long supportedPermissions(@Nonnull TreePermission treePermission, long permissions) {
- if (supportsAll) {
- return permissions;
- } else if (isSupportedPath(((TestTreePermission) treePermission).path)) {
- return permissions & Permissions.READ_NODE;
+ public long supportedPermissions(@Nonnull TreePermission treePermission, @Nullable PropertyState propertyState, long permissions) {
+ if (treePermission instanceof TestTreePermission && isSupported(((TestTreePermission) treePermission).path)) {
+ return permissions & Permissions.WRITE;
} else {
return Permissions.NO_PERMISSION;
}
@@ -190,21 +215,23 @@ class TestPermissionProvider implements
@Override
public boolean isGranted(@Nonnull TreeLocation location, long permissions) {
- if (supportsAll) {
- return permissions == Permissions.READ_NODE;
- } else if (isSupportedPath(location.getPath())) {
- return permissions == Permissions.READ_NODE;
+ if (isSupported(location.getPath())) {
+ if (Permissions.includes(permissions, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)) {
+ return false;
+ } else {
+ return Permissions.diff(permissions, grantedPerms) == Permissions.NO_PERMISSION;
+ }
} else {
return false;
}
}
//--------------------------------------------------------------------------
- private boolean isSupported(@Nonnull Tree tree) {
- return supportsAll || isSupportedPath(tree.getPath());
+ boolean isSupported(@Nonnull Tree tree) {
+ return isSupported(tree.getPath());
}
- private boolean isSupportedPath(@Nonnull String path) {
+ static boolean isSupported(@Nonnull String path) {
return Text.isDescendantOrEqual(AbstractCompositeProviderTest.TEST_A_PATH, path);
}
@@ -224,7 +251,7 @@ class TestPermissionProvider implements
@Override
public boolean canRead() {
- return true;
+ return false;
}
@Override
@@ -244,12 +271,20 @@ class TestPermissionProvider implements
@Override
public boolean isGranted(long permissions) {
- return Permissions.READ_NODE == permissions;
+ if (Permissions.includes(permissions, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)) {
+ return false;
+ } else {
+ return Permissions.diff(permissions, grantedPerms) == Permissions.NO_PERMISSION;
+ }
}
@Override
public boolean isGranted(long permissions, @Nonnull PropertyState property) {
- return false;
+ if (Permissions.includes(permissions, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)) {
+ return false;
+ } else {
+ return Permissions.diff(permissions, grantedPerms) == Permissions.NO_PERMISSION;
+ }
}
}
}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/NoScopeProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/NoScopeProvider.java?rev=1708563&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/NoScopeProvider.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/NoScopeProvider.java Wed Oct 14 09:02:49 2015
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.composite;
+
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+
+/**
+ * {@code AggregatedPermissionProvider} that doesn't supported anything anywhere
+ * and which consequently must be completely ignored from the permission evaluation.
+ */
+final class NoScopeProvider implements AggregatedPermissionProvider {
+
+ @Nonnull
+ @Override
+ public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) {
+ return PrivilegeBits.EMPTY;
+ }
+
+ @Override
+ public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions) {
+ return Permissions.NO_PERMISSION;
+ }
+
+ @Override
+ public long supportedPermissions(@Nonnull TreeLocation location, long permissions) {
+ return Permissions.NO_PERMISSION;
+ }
+
+ @Override
+ public long supportedPermissions(@Nonnull TreePermission treePermission, @Nullable PropertyState propertyState, long permissions) {
+ return Permissions.NO_PERMISSION;
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull TreeLocation location, long permissions) {
+ throw new UnsupportedOperationException("should never get here");
+ }
+
+ @Override
+ public void refresh() {
+ // nop
+ }
+
+ @Nonnull
+ @Override
+ public Set<String> getPrivileges(@Nullable Tree tree) {
+ throw new UnsupportedOperationException("should never get here");
+ }
+
+ @Override
+ public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) {
+ throw new UnsupportedOperationException("should never get here");
+ }
+
+ @Nonnull
+ @Override
+ public RepositoryPermission getRepositoryPermission() {
+ throw new UnsupportedOperationException("should never get here");
+ }
+
+ @Nonnull
+ @Override
+ public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) {
+ if (tree.isRoot()) {
+ return TreePermission.NO_RECOURSE;
+ } else {
+ throw new UnsupportedOperationException("should never get here");
+ }
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) {
+ throw new UnsupportedOperationException("should never get here");
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) {
+ throw new UnsupportedOperationException("should never get here");
+ }
+}
\ No newline at end of file