Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/03/26 10:21:50 UTC
svn commit: r1461031 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/core/
main/java/org/apache/jackrabbit/oak/security/authorization/permission/
test/java/org/apache/jackrabbit/oak/security/authorization/permission/
Author: angela
Date: Tue Mar 26 09:21:50 2013
New Revision: 1461031
URL: http://svn.apache.org/r1461031
Log:
OAK-527: permissions (wip)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableTree.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableTree.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableTree.java?rev=1461031&r1=1461030&r2=1461031&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableTree.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableTree.java Tue Mar 26 09:21:50 2013
@@ -33,7 +33,6 @@ import org.apache.jackrabbit.oak.spi.sta
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
-import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.apache.jackrabbit.oak.api.Type.STRING;
@@ -171,9 +170,13 @@ public final class ImmutableTree extends
return typeProvider.getType(this);
}
+ // TODO
public static int getType(Tree tree) {
- checkArgument(tree instanceof ImmutableTree);
- return ((ImmutableTree) tree).getType();
+ if (tree instanceof ImmutableTree) {
+ return ((ImmutableTree) tree).getType();
+ } else {
+ return TypeProvider.TYPE_DEFAULT;
+ }
}
@Nonnull
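Review bot: The new `else` branch in the static `getType(Tree)` returns `TypeProvider.TYPE_DEFAULT` for any tree that is not an `ImmutableTree`, where the removed `checkArgument` rejected it, so a caller passing the wrong tree implementation now gets a default classification instead of an error. If this type feeds permission evaluation (not visible in this hunk), that is a fail-open default, and the bare `// TODO` does not say so. I would state the intent in the comment, e.g. `// TODO OAK-527: non-ImmutableTree falls back to TYPE_DEFAULT; revisit once all callers pass an ImmutableTree`, or keep the strict check until the callers are fixed.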
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java?rev=1461031&r1=1461030&r2=1461031&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java Tue Mar 26 09:21:50 2013
@@ -166,8 +166,6 @@ public class PermissionHook implements P
// ignore hidden nodes
} else if (isACE(name, after)) {
addEntry(name, after);
- } else if (REP_RESTRICTIONS.equals(name)) {
- updateEntry(parentAfter.getName(), parentBefore.getNodeState(), parentAfter.getNodeState());
} else {
Node before = new BeforeNode(parentBefore.getPath(), name, EMPTY_NODE);
AfterNode node = new AfterNode(parentAfter, name);
@@ -181,8 +179,6 @@ public class PermissionHook implements P
// ignore hidden nodes
} else if (isACE(name, before) || isACE(name, after)) {
updateEntry(name, before, after);
- } else if (REP_RESTRICTIONS.equals(name)) {
- updateEntry(parentAfter.getName(), parentBefore.getNodeState(), parentAfter.getNodeState());
} else {
BeforeNode nodeBefore = new BeforeNode(parentBefore.getPath(), name, before);
AfterNode nodeAfter = new AfterNode(parentAfter, name);
@@ -196,8 +192,6 @@ public class PermissionHook implements P
// ignore hidden nodes
} else if (isACE(name, before)) {
removeEntry(name, before);
- } else if (REP_RESTRICTIONS.equals(name)) {
- updateEntry(parentAfter.getName(), parentBefore.getNodeState(), parentAfter.getNodeState());
} else {
BeforeNode nodeBefore = new BeforeNode(parentBefore.getPath(), name, before);
AfterNode after = new AfterNode(parentAfter.getPath(), name, EMPTY_NODE);
@@ -337,10 +331,10 @@ public class PermissionHook implements P
this.isAllow = isAllow;
this.restrictions = restrictions;
- // create node name from ace definition (excluding the index)
+ // create node name from ace definition
StringBuilder name = new StringBuilder();
name.append((isAllow) ? PREFIX_ALLOW : PREFIX_DENY).append('-');
- name.append(Objects.hashCode(accessControlledPath, principalName, privilegeBits, isAllow, restrictions));
+ name.append(Objects.hashCode(accessControlledPath, principalName, index, privilegeBits, isAllow, restrictions));
nodeName = name.toString();
}
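Review bot: `Objects.hashCode(...)` yields a 32-bit int, and the changed line uses it as the only distinguishing part of the permission entry's node name after the allow/deny prefix, so two different entries under the same principal can in principle end up with the same `nodeName`. Nothing visible here shows what happens on such a collision; the code that writes the entry should detect an existing child of that name rather than overwrite or merge it. Including `index` also means the name changes whenever an entry is reordered, so a reorder has to be handled as remove-plus-add, and the reorder tests in PermissionHookTest are still `@Ignore`d. A comment such as `// name is a hash of the entry incl. index: not guaranteed unique, and it changes on reorder` would record this. The constructor begins above the hunk.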
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java?rev=1461031&r1=1461030&r2=1461031&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java Tue Mar 26 09:21:50 2013
@@ -223,7 +223,8 @@ class PermissionValidator extends Defaul
// TODO
public static boolean noTraverse(long permission) {
return permission == Permissions.MODIFY_ACCESS_CONTROL ||
- permission == Permissions.VERSION_MANAGEMENT;
+ permission == Permissions.VERSION_MANAGEMENT ||
+ permission == Permissions.REMOVE_NODE;
}
// TODO
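Review bot: `noTraverse` compares with `==`, so the added `Permissions.REMOVE_NODE` case only matches when the argument is exactly that single permission; if callers can pass a combination of permission bits (not visible here), the combined value falls through and is treated as traversable. The `// TODO` above the method also gives no reason why node removal is exempt from traversal, which matters to a reviewer because it presumably decides whether items below the removed node are checked individually. I would document it, e.g. `// these permissions are evaluated on the target item only, without descending into its subtree`, after confirming that is the intended meaning.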
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java?rev=1461031&r1=1461030&r2=1461031&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java Tue Mar 26 09:21:50 2013
@@ -16,16 +16,21 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
-import java.security.Principal;
+import java.util.HashSet;
+import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
+import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
@@ -36,35 +41,53 @@ import org.junit.Ignore;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
/**
* PermissionHookTest... TODO
*/
-public class PermissionHookTest extends AbstractAccessControlTest implements PermissionConstants {
+public class PermissionHookTest extends AbstractAccessControlTest implements AccessControlConstants, PermissionConstants {
+
+ private String testPath = "/testPath";
+ private String testPrincipalName = "admin"; // TODO
+
+ private PrivilegeBitsProvider bitsProvider;
- private AccessControlManager acMgr;
@Override
@Before
public void before() throws Exception {
super.before();
NodeUtil rootNode = new NodeUtil(root.getTree("/"), namePathMapper);
- rootNode.addChild("testName", JcrConstants.NT_UNSTRUCTURED);
+ rootNode.addChild("testPath", JcrConstants.NT_UNSTRUCTURED);
+
+ AccessControlManager acMgr = getAccessControlManager(root);
+ JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
+ acl.addAccessControlEntry(new PrincipalImpl(testPrincipalName), privilegesFromNames(PrivilegeConstants.JCR_ADD_CHILD_NODES));
+ acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(PrivilegeConstants.JCR_READ));
+ acMgr.setPolicy(testPath, acl);
root.commit();
- acMgr = getAccessControlManager(root);
+ bitsProvider = new PrivilegeBitsProvider(root);
}
@After
public void after() throws Exception {
root.refresh();
- root.getTree("/testName").remove();
- root.commit();
+ Tree test = root.getTree(testPath);
+ if (test != null) {
+ test.remove();
+ root.commit();
+ }
+ }
+
+ private Tree getPrincipalRoot(String principalName) {
+ return root.getTree(PERMISSIONS_STORE_PATH).getChild(adminSession.getWorkspaceName()).getChild(principalName);
}
private Tree getEntry(String principalName, String accessControlledPath) throws Exception {
- Tree permissionTree = root.getTree(PERMISSIONS_STORE_PATH).getChild(adminSession.getWorkspaceName()).getChild(principalName);
- for (Tree entry : permissionTree.getChildren()) {
+ Tree principalRoot = getPrincipalRoot(principalName);
+ for (Tree entry : principalRoot.getChildren()) {
if (accessControlledPath.equals(entry.getProperty(REP_ACCESS_CONTROLLED_PATH).getValue(Type.STRING))) {
return entry;
}
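Review bot: `before()` adds the child with the literal `"testPath"` while every other use goes through the `testPath` field (`"/testPath"`), so the node name and the path can drift apart if one of them is edited. Deriving one from the other, or introducing a second constant for the name, keeps the fixture consistent. The two new string fields are never reassigned in the visible code and would read better as `private static final String`. The `// TODO` on `testPrincipalName = "admin"` should say what is pending, for instance that the test ought to use a dedicated non-admin principal.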
@@ -73,49 +96,96 @@ public class PermissionHookTest extends
}
@Test
- public void testAddDuplicateAce() {
- // TODO
- }
+ public void testDuplicateAce() throws Exception {
+ // add duplicate policy on OAK-API
+ NodeUtil policy = new NodeUtil(root.getTree(testPath + "/rep:policy"));
+ NodeUtil ace = policy.addChild("duplicateAce", NT_REP_GRANT_ACE);
+ ace.setString(REP_PRINCIPAL_NAME, testPrincipalName);
+ ace.setStrings(REP_PRIVILEGES, PrivilegeConstants.JCR_ADD_CHILD_NODES);
+ root.commit();
- @Test
- public void testRemoveDuplicateAce() {
- // TODO
- }
+ Tree principalRoot = getPrincipalRoot(testPrincipalName);
+ assertEquals(2, principalRoot.getChildrenCount());
- @Test
- public void testAddRestrictionNode() {
- // TODO add restriction node on oak-api
- }
+ Set<Integer> index = new HashSet<Integer>(2);
+ for (Tree entry : principalRoot.getChildren()) {
+ assertEquals(bitsProvider.getBits(PrivilegeConstants.JCR_ADD_CHILD_NODES), PrivilegeBits.getInstance(entry.getProperty(REP_PRIVILEGE_BITS)));
+ assertEquals(testPath, entry.getProperty(REP_ACCESS_CONTROLLED_PATH).getValue(Type.STRING));
+ index.add(entry.getProperty(REP_INDEX).getValue(Type.LONG).intValue());
+ }
+ assertEquals(ImmutableSet.of(0, 2), index);
- @Test
- public void testRemoveRestrictionNode() {
- // TODO
+ // remove duplicate policy entry again
+ root.getTree(testPath + "/rep:policy/duplicateAce").remove();
+ root.commit();
+
+ assertEquals(1, getPrincipalRoot(testPrincipalName).getChildrenCount());
}
@Test
- public void testModifyRestrictions() {
- // TODO
+ public void testModifyRestrictions() throws Exception {
+ Tree testAce = root.getTree(testPath + "/rep:policy").getChildren().iterator().next();
+ assertEquals(testPrincipalName, testAce.getProperty(REP_PRINCIPAL_NAME).getValue(Type.STRING));
+
+ // add a new restriction node through the OAK API instead of access control manager
+ NodeUtil node = new NodeUtil(testAce);
+ NodeUtil restrictions = node.addChild(REP_RESTRICTIONS, NT_REP_RESTRICTIONS);
+ restrictions.setString(REP_GLOB, "*");
+ String restritionsPath = restrictions.getTree().getPath();
+ root.commit();
+
+ Tree principalRoot = getPrincipalRoot(testPrincipalName);
+ assertEquals(1, principalRoot.getChildrenCount());
+ assertEquals("*", principalRoot.getChildren().iterator().next().getProperty(REP_GLOB).getValue(Type.STRING));
+
+ // modify the restrictions node
+ Tree restrictionsNode = root.getTree(restritionsPath);
+ restrictionsNode.setProperty(REP_GLOB, "/*/jcr:content/*");
+ root.commit();
+
+ principalRoot = getPrincipalRoot(testPrincipalName);
+ assertEquals(1, principalRoot.getChildrenCount());
+ assertEquals("/*/jcr:content/*", principalRoot.getChildren().iterator().next().getProperty(REP_GLOB).getValue(Type.STRING));
+
+ // remove the restriction again
+ root.getTree(restritionsPath).remove();
+ root.commit();
+
+ principalRoot = getPrincipalRoot(testPrincipalName);
+ assertEquals(1, principalRoot.getChildrenCount());
+ assertNull(principalRoot.getChildren().iterator().next().getProperty(REP_GLOB));
+
}
- @Ignore("PermissionHook#propertyChanged without corresponding child node modifications")
+ @Ignore("PermissionHook#propertyChange") // TODO
@Test
public void testReorderAce() throws Exception {
- Principal testPrincipal = new PrincipalImpl("admin");
- JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/testName");
- acl.addAccessControlEntry(testPrincipal, privilegesFromNames(PrivilegeConstants.JCR_ADD_CHILD_NODES));
- acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(PrivilegeConstants.JCR_READ));
- acMgr.setPolicy("/testName", acl);
+ Tree entry = getEntry(testPrincipalName, testPath);
+ assertEquals(0, entry.getProperty(REP_INDEX).getValue(Type.LONG).longValue());
+
+ Tree aclTree = root.getTree(testPath + "/rep:policy");
+ aclTree.getChildren().iterator().next().orderBefore(null);
+
root.commit();
- Tree entry = getEntry("admin", "/testName");
+ entry = getEntry(testPrincipalName, testPath);
+ assertEquals(1, entry.getProperty(REP_INDEX).getValue(Type.LONG).longValue());
+ }
+
+ @Ignore("PermissionHook#propertyChange") // TODO
+ @Test
+ public void testReorderAndAddAce() throws Exception {
+ Tree entry = getEntry(testPrincipalName, testPath);
assertEquals(0, entry.getProperty(REP_INDEX).getValue(Type.LONG).longValue());
- Tree aclTree = root.getTree("/testName/rep:policy");
+ Tree aclTree = root.getTree(testPath + "/rep:policy");
aclTree.getChildren().iterator().next().orderBefore(null);
-
+ NodeUtil ace = new NodeUtil(aclTree).addChild("denyEveryoneLockMgt", NT_REP_DENY_ACE);
+ ace.setString(REP_PRINCIPAL_NAME, EveryonePrincipal.NAME);
+ ace.setStrings(REP_PRIVILEGES, PrivilegeConstants.JCR_LOCK_MANAGEMENT);
root.commit();
- entry = getEntry("admin", "/testName");
+ entry = getEntry(testPrincipalName, testPath);
assertEquals(1, entry.getProperty(REP_INDEX).getValue(Type.LONG).longValue());
}
}
\ No newline at end of file
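Review bot: `testReorderAndAddAce` adds a deny entry for `EveryonePrincipal.NAME` but only asserts the index of the admin entry, so the test would pass even if the deny entry never reached the permission store. An assertion on `getPrincipalRoot(EveryonePrincipal.NAME)` after the commit would cover it, e.g. `assertEquals(2, getPrincipalRoot(EveryonePrincipal.NAME).getChildrenCount());`, assuming the read entry from `before()` is the only other one. Both reorder tests remain `@Ignore`d, and the reason string was shortened to `"PermissionHook#propertyChange"`, which drops the explanation the old text gave; since entry order decides how allow and deny entries combine, I would keep the fuller reason and reference OAK-527 in it. Minor: the local `restritionsPath` in `testModifyRestrictions` is misspelled.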