Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2019/06/06 13:40:36 UTC
svn commit: r1860715 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/
test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/
Author: angela
Date: Thu Jun 6 13:40:36 2019
New Revision: 1860715
URL: http://svn.apache.org/viewvc?rev=1860715&view=rev
Log:
OAK-8388 : AccessControlManagerImpl.getEffectivePolicies(Set): Insufficient validation of query results
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1860715&r1=1860714&r2=1860715&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java Thu Jun 6 13:40:36 2019
@@ -390,7 +390,7 @@ public class AccessControlManagerImpl ex
String aclName = Text.getName(Text.getRelativeParent(acePath, 1));
Tree accessControlledTree = r.getTree(Text.getRelativeParent(acePath, 2));
- if (aclName.isEmpty() || !accessControlledTree.exists()) {
+ if (!POLICY_NODE_NAMES.contains(aclName) || !accessControlledTree.exists()) {
log.debug("Isolated access control entry -> ignore query result at {}", acePath);
continue;
}
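Review bot: The new guard `!POLICY_NODE_NAMES.contains(aclName)` validates the parent of the query result by name only; nothing in the visible lines checks that the parent is actually an access control list node, so a node that merely carries one of the policy names would still pass this condition. If the code after this hunk does not already verify the node type of the parent, that check belongs next to this one. I would also add a short comment above the condition, for example `// query results are not trusted: an ACE-typed node may exist outside a policy node`, so the reason for the stricter test is kept with the code. Since an access control entry outside a policy node is unexpected content, logging the skip above debug level may be worth considering. The enclosing loop and method start and end outside the hunk.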
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java?rev=1860715&r1=1860714&r2=1860715&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java Thu Jun 6 13:40:36 2019
@@ -31,6 +31,9 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.QueryEngine;
+import org.apache.jackrabbit.oak.api.Result;
+import org.apache.jackrabbit.oak.api.ResultRow;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
@@ -91,6 +94,7 @@ import java.util.Set;
import static com.google.common.collect.Sets.newHashSet;
import static java.util.Collections.singletonMap;
+import static org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_READ;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
@@ -99,6 +103,11 @@ import static org.junit.Assert.assertNul
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.when;
/**
* Tests for the default {@code AccessControlManager} implementation.
@@ -2214,6 +2223,32 @@ public class AccessControlManagerImplTes
}
@Test
+ public void testEffectivePolicyIsolatedAce() throws Exception {
+ Root r = spy(root);
+ ContentSession cs = when(spy(adminSession).getLatestRoot()).thenReturn(r).getMock();
+ when(r.getContentSession()).thenReturn(cs);
+
+ Tree testTree = r.getTree(testPath);
+ Tree ace = TreeUtil.addChild(testTree, "ace", NT_REP_GRANT_ACE);
+ ace.setProperty(REP_PRINCIPAL_NAME, testPrincipal.getName());
+ ace.setProperty(REP_PRIVILEGES, ImmutableList.of(JCR_READ), Type.NAMES);
+
+ when(r.getTree(testPath)).thenReturn(testTree);
+
+ ResultRow row = when(mock(ResultRow.class).getPath()).thenReturn(ace.getPath()).getMock();
+ Iterable rows = ImmutableList.of(row);
+ Result res = mock(Result.class);
+ when(res.getRows()).thenReturn(rows).getMock();
+ QueryEngine qe = mock(QueryEngine.class);
+ when(qe.executeQuery(anyString(), anyString(), any(Map.class), any(Map.class))).thenReturn(res);
+ when(r.getQueryEngine()).thenReturn(qe);
+
+ AccessControlManagerImpl mgr = createAccessControlManager(r, getNamePathMapper());
+ AccessControlPolicy[] policies = mgr.getEffectivePolicies(ImmutableSet.of(testPrincipal));
+ assertPolicies(policies, 0);
+ }
+
+ @Test
public void testTestSessionGetEffectivePoliciesByPrincipal() throws Exception {
NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
String childPath = child.getTree().getPath();
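Review bot: `assertPolicies(policies, 0)` in testEffectivePolicyIsolatedAce also holds if the mocked query engine is never consulted, so the test can pass without exercising the new name check. Adding `verify(row).getPath();` after the assertion (with a static import of `org.mockito.Mockito.verify`) would pin that the isolated row was actually read and then rejected. A companion case in which the mocked row points at an entry below a real policy node and one policy is returned would guard against the filter rejecting everything. As a minor style point, the trailing `.getMock()` on `when(res.getRows()).thenReturn(rows)` is discarded and can be dropped.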