You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/10/23 18:17:01 UTC
svn commit: r1710263 - in /jackrabbit/oak/trunk/oak-authorization-cug/src:
main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/
test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/
Author: angela
Date: Fri Oct 23 16:17:01 2015
New Revision: 1710263
URL: http://svn.apache.org/viewvc?rev=1710263&view=rev
Log:
OAK-3542 : evaluation for special tree types in aggregation (WIP: adjust oak-authorization-cug)
Added:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/HiddenTest.java (with props)
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java (with props)
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java?rev=1710263&r1=1710262&r2=1710263&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java Fri Oct 23 16:17:01 2015
@@ -130,7 +130,7 @@ public class CugConfiguration extends Co
if (!enabled || supportedPaths.isEmpty() || getExclude().isExcluded(principals)) {
return EmptyPermissionProvider.getInstance();
} else {
- return new CugPermissionProvider(root, principals, supportedPaths, getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getContext());
+ return new CugPermissionProvider(root, workspaceName, principals, supportedPaths, getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getContext());
}
}
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java?rev=1710263&r1=1710262&r2=1710263&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.java Fri Oct 23 16:17:01 2015
@@ -28,13 +28,18 @@ import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
+import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import org.apache.jackrabbit.oak.plugins.tree.TreeType;
+import org.apache.jackrabbit.oak.plugins.tree.TreeTypeProvider;
+import org.apache.jackrabbit.oak.plugins.version.ReadOnlyVersionManager;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
@@ -42,7 +47,9 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
import org.apache.jackrabbit.oak.util.TreeUtil;
+import org.apache.jackrabbit.util.Text;
class CugPermissionProvider implements AggregatedPermissionProvider, CugConstants {
@@ -53,19 +60,24 @@ class CugPermissionProvider implements A
);
private final Root root;
+ private final String workspaceName;
private final Set<String> principalNames;
+ private final TreeTypeProvider typeProvider;
private final Context ctx;
private final SupportedPaths supportedPaths;
private Root immutableRoot;
+ private ReadOnlyVersionManager versionManager;
CugPermissionProvider(@Nonnull Root root,
+ @Nonnull String workspaceName,
@Nonnull Set<Principal> principals,
@Nonnull Set<String> supportedPaths,
@Nonnull Context ctx) {
this.root = root;
+ this.workspaceName = workspaceName;
immutableRoot = RootFactory.createReadOnlyRoot(root);
principalNames = new HashSet<String>(principals.size());
@@ -74,6 +86,7 @@ class CugPermissionProvider implements A
}
this.supportedPaths = new SupportedPaths(supportedPaths);
+ this.typeProvider = new TreeTypeProvider(ctx);
this.ctx = ctx;
}
@@ -81,6 +94,7 @@ class CugPermissionProvider implements A
@Override
public void refresh() {
immutableRoot = RootFactory.createReadOnlyRoot(root);
+ versionManager = null;
}
@Nonnull
@@ -119,23 +133,53 @@ class CugPermissionProvider implements A
throw new IllegalStateException("Attempt to create tree permission for unsupported path.");
}
Tree immutableTree = getImmutableTree(tree);
- if (isAcContent(immutableTree, true)) {
+ TreeType type = typeProvider.getType(immutableTree);
+ if (!isSupportedType(type)) {
return TreePermission.NO_RECOURSE;
}
TreePermission tp;
- if (parentPermission instanceof CugTreePermission) {
- tp = createCugPermission(immutableTree, (CugTreePermission) parentPermission);
+ boolean parentIsCugPermission = (parentPermission instanceof CugTreePermission);
+ if (TreeType.VERSION == type) {
+ if (ReadOnlyVersionManager.isVersionStoreTree(immutableTree)) {
+ tp = (parentIsCugPermission) ?
+ createCugPermission(immutableTree, (CugTreePermission) parentPermission) :
+ new EmptyCugTreePermission(immutableTree, this);
+ } else {
+ // TODO
+ Tree versionableTree = getVersionManager().getVersionable(immutableTree, workspaceName);
+ if (versionableTree == null) {
+ tp = TreePermission.NO_RECOURSE;
+ } else if (!parentIsCugPermission &&
+ !supportedPaths.includes(versionableTree.getPath()) &&
+ !supportedPaths.mayContainCug(versionableTree.getPath())){
+ tp = TreePermission.NO_RECOURSE;
+ } else {
+ Tree cugRoot = getCugRoot(versionableTree, typeProvider.getType(versionableTree));
+ if (cugRoot == null) {
+ // there might be a cug in the live correspondent of any of the frozen subtrees
+ tp = new EmptyCugTreePermission(immutableTree, this);
+ } else {
+ boolean canRead = createCugPermission(cugRoot, null).canRead();
+ tp = new CugTreePermission(immutableTree, canRead, this);
+ }
+ }
+ }
} else {
- String path = immutableTree.getPath();
- if (supportedPaths.includes(path)) {
- tp = createCugPermission(immutableTree, null);
- } else if (supportedPaths.mayContainCug(path)) {
- tp = new EmptyCugTreePermission(immutableTree, this);
+ if (parentIsCugPermission) {
+ tp = createCugPermission(immutableTree, (CugTreePermission) parentPermission);
} else {
- tp = TreePermission.NO_RECOURSE;
+ String path = immutableTree.getPath();
+ if (supportedPaths.includes(path)) {
+ tp = createCugPermission(immutableTree, null);
+ } else if (supportedPaths.mayContainCug(path) || isJcrSystemPath(path)) {
+ tp = new EmptyCugTreePermission(immutableTree, this);
+ } else {
+ tp = TreePermission.NO_RECOURSE;
+ }
}
}
+
return tp;
}
@@ -151,9 +195,11 @@ class CugPermissionProvider implements A
@Override
public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) {
TreeLocation location = TreeLocation.create(immutableRoot, oakPath);
- boolean isAcContent = isAcContent(location);
- long permissions = Permissions.getPermissions(jcrActions, location, isAcContent);
+ if (ctx.definesLocation(location) || NodeStateUtils.isHidden(PathUtils.getName(oakPath))) {
+ return false;
+ }
+ long permissions = Permissions.getPermissions(jcrActions, location, false);
return isGranted(location, permissions);
}
@@ -173,7 +219,7 @@ class CugPermissionProvider implements A
pb.retain(PrivilegeBits.BUILT_IN.get(PrivilegeConstants.JCR_READ));
}
- if (pb.isEmpty() || !includesCug(tree, tree.getPath())) {
+ if (pb.isEmpty() || !includesCug(tree)) {
return PrivilegeBits.EMPTY;
} else {
return pb;
@@ -188,7 +234,7 @@ class CugPermissionProvider implements A
}
long supported = permissions & Permissions.READ;
- if (supported != Permissions.NO_PERMISSION && includesCug(tree, tree.getPath())) {
+ if (supported != Permissions.NO_PERMISSION && includesCug(tree)) {
return supported;
} else {
return Permissions.NO_PERMISSION;
@@ -198,7 +244,7 @@ class CugPermissionProvider implements A
@Override
public long supportedPermissions(@Nonnull TreeLocation location, long permissions) {
long supported = permissions & Permissions.READ;
- if (supported != Permissions.NO_PERMISSION && includesCug(getTreeFromLocation(location), location.getPath())) {
+ if (supported != Permissions.NO_PERMISSION && includesCug(getTreeFromLocation(location))) {
return supported;
} else {
return Permissions.NO_PERMISSION;
@@ -227,6 +273,10 @@ class CugPermissionProvider implements A
}
//--------------------------------------------------------------------------
+ private static boolean isJcrSystemPath(@Nonnull String path) {
+ return JcrConstants.JCR_SYSTEM.equals(Text.getName(path));
+ }
+
private static boolean isRead(long permission) {
return permission == Permissions.READ_NODE || permission == Permissions.READ_PROPERTY || permission == Permissions.READ;
}
@@ -235,16 +285,19 @@ class CugPermissionProvider implements A
return tree.exists() && tree.hasChild(REP_CUG_POLICY);
}
- private boolean isAcContent(@Nonnull Tree tree, boolean testForCtxRoot) {
- return (testForCtxRoot) ? ctx.definesContextRoot(tree) : ctx.definesTree(tree);
- }
-
- private boolean isAcContent(@Nonnull TreeLocation location) {
- return ctx.definesLocation(location);
+ private static boolean isSupportedType(@Nonnull TreeType type) {
+ return type == TreeType.DEFAULT || type == TreeType.VERSION;
}
- private boolean includesCug(@CheckForNull Tree tree, @Nonnull String path) {
- return tree != null && getCugRoot(tree, path) != null;
+ private boolean includesCug(@CheckForNull Tree tree) {
+ if (tree != null) {
+ Tree immutableTree = getImmutableTree(tree);
+ TreeType type = typeProvider.getType(immutableTree);
+ if (isSupportedType(type)) {
+ return getCugRoot(immutableTree, type) != null;
+ }
+ }
+ return false;
}
/**
@@ -252,29 +305,37 @@ class CugPermissionProvider implements A
* given {@code tree} with the specified {@code path} or {@code null} if no
* such tree exists and thus no CUG is effective at the specified path.
*
- * @param tree The target tree.
- * @param path The path of the given target tree.
+ * @param immutableTree The target tree.
+ * @param type the type of this tree.
* @return the {@code tree} holding the CUG policy that effects the specified
* path or {@code null} if no such policy exists.
*/
@CheckForNull
- private Tree getCugRoot(@Nonnull Tree tree, @Nonnull String path) {
- if (!supportedPaths.includes(path)) {
+ private Tree getCugRoot(@Nonnull Tree immutableTree, @Nonnull TreeType type) {
+ Tree tree = immutableTree;
+ String p = immutableTree.getPath();
+ if (TreeType.VERSION == type && !ReadOnlyVersionManager.isVersionStoreTree(tree)) {
+ tree = getVersionManager().getVersionable(immutableTree, workspaceName);
+ if (tree == null) {
+ return null;
+ }
+ p = tree.getPath();
+ }
+ if (!supportedPaths.includes(p)) {
return null;
}
- Tree immutableTree = getImmutableTree(tree);
- if (hasCug(immutableTree)) {
- return immutableTree;
+ if (hasCug(tree)) {
+ return tree;
}
String parentPath;
- while (!immutableTree.isRoot()) {
- parentPath = PathUtils.getParentPath(path);
+ while (!tree.isRoot()) {
+ parentPath = PathUtils.getParentPath(p);
if (!supportedPaths.includes(parentPath)) {
break;
}
- immutableTree = immutableTree.getParent();
- if (hasCug(immutableTree)) {
- return immutableTree;
+ tree = tree.getParent();
+ if (hasCug(tree)) {
+ return tree;
}
}
return null;
@@ -282,11 +343,11 @@ class CugPermissionProvider implements A
private boolean canRead(@Nonnull Tree tree) {
Tree immutableTree = getImmutableTree(tree);
- if (isAcContent(immutableTree, false)) {
- // cug defining access control content is not accessible
+ TreeType type = typeProvider.getType(immutableTree);
+ if (!isSupportedType(type)) {
return false;
}
- Tree cugRoot = getCugRoot(immutableTree, immutableTree.getPath());
+ Tree cugRoot = getCugRoot(immutableTree, type);
return cugRoot != null && createCugPermission(cugRoot, null).canRead();
}
@@ -310,11 +371,10 @@ class CugPermissionProvider implements A
TreePermission tp;
Tree cugTree = tree.getChild(REP_CUG_POLICY);
- PropertyState princNamesState = cugTree.getProperty(REP_PRINCIPAL_NAMES);
-
- if (CugUtil.definesCug(cugTree) && princNamesState != null) {
+ if (CugUtil.definesCug(cugTree)) {
// a new (possibly nested) cug starts off here
- boolean allow = Iterables.any(princNamesState.getValue(Type.STRINGS), new Predicate<String>() {
+ PropertyState princNamesState = cugTree.getProperty(REP_PRINCIPAL_NAMES);
+ boolean allow = princNamesState != null && Iterables.any(princNamesState.getValue(Type.STRINGS), new Predicate<String>() {
@Override
public boolean apply(@Nullable String principalName) {
return (principalName != null) && principalNames.contains(principalName);
@@ -329,4 +389,12 @@ class CugPermissionProvider implements A
}
return tp;
}
+
+ @Nonnull
+ private ReadOnlyVersionManager getVersionManager() {
+ if (versionManager == null) {
+ versionManager = ReadOnlyVersionManager.getInstance(immutableRoot, NamePathMapper.DEFAULT);
+ }
+ return versionManager;
+ }
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java?rev=1710263&r1=1710262&r2=1710263&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java Fri Oct 23 16:17:01 2015
@@ -17,19 +17,32 @@
package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
import java.security.Principal;
+import java.util.Set;
+import java.util.UUID;
import javax.annotation.Nonnull;
import javax.jcr.RepositoryException;
+import javax.jcr.SimpleCredentials;
+import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.Group;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.util.NodeUtil;
/**
@@ -37,7 +50,7 @@ import org.apache.jackrabbit.oak.util.No
* to expose the CUG specific implementations of {@code AccessControlManager}
* and {@code PermissionProvider}.
*/
-public class AbstractCugTest extends AbstractSecurityTest implements CugConstants {
+public class AbstractCugTest extends AbstractSecurityTest implements CugConstants, NodeTypeConstants {
static final String SUPPORTED_PATH = "/content";
static final String SUPPORTED_PATH2 = "/content2";
@@ -48,6 +61,9 @@ public class AbstractCugTest extends Abs
CugConstants.PARAM_CUG_SUPPORTED_PATHS, new String[] {SUPPORTED_PATH, SUPPORTED_PATH2},
CugConstants.PARAM_CUG_ENABLED, true);
+ private static final String TEST_GROUP_ID = "testGroup" + UUID.randomUUID();
+ private static final String TEST_USER2_ID = "testUser2" + UUID.randomUUID();
+
@Override
public void before() throws Exception {
super.before();
@@ -64,6 +80,18 @@ public class AbstractCugTest extends Abs
@Override
public void after() throws Exception {
try {
+ // revert transient pending changes (that might be invalid)
+ root.refresh();
+
+ // remove the test group and second test user
+ Authorizable testGroup = getUserManager(root).getAuthorizable(TEST_GROUP_ID);
+ if (testGroup != null) {
+ testGroup.remove();
+ }
+ Authorizable testUser2 = getUserManager(root).getAuthorizable(TEST_USER2_ID);
+ if (testUser2 != null) {
+ testUser2.remove();
+ }
root.getTree(SUPPORTED_PATH).remove();
root.getTree(SUPPORTED_PATH2).remove();
root.getTree(UNSUPPORTED_PATH).remove();
@@ -88,6 +116,47 @@ public class AbstractCugTest extends Abs
);
}
+ CugPermissionProvider createCugPermissionProvider(@Nonnull Set<String> supportedPaths, @Nonnull Principal... principals) {
+ return new CugPermissionProvider(root, root.getContentSession().getWorkspaceName(), ImmutableSet.copyOf(principals), supportedPaths, CugContext.INSTANCE);
+ }
+
+ void setupCugsAndAcls() throws Exception {
+ UserManager uMgr = getUserManager(root);
+ Principal testGroupPrincipal = getTestGroupPrincipal();
+
+ User testUser2 = uMgr.createUser(TEST_USER2_ID, TEST_USER2_ID);
+ ((Group) uMgr.getAuthorizable(testGroupPrincipal)).addMember(testUser2);
+ root.commit();
+
+ // add more child nodes
+ NodeUtil n = new NodeUtil(root.getTree(SUPPORTED_PATH));
+ n.addChild("a", NT_OAK_UNSTRUCTURED).addChild("b", NT_OAK_UNSTRUCTURED).addChild("c", NT_OAK_UNSTRUCTURED);
+ n.addChild("aa", NT_OAK_UNSTRUCTURED).addChild("bb", NT_OAK_UNSTRUCTURED).addChild("cc", NT_OAK_UNSTRUCTURED);
+
+ // create cugs
+ // - /content/a : allow testGroup, deny everyone
+ // - /content/aa/bb : allow testGroup, deny everyone
+ // - /content/a/b/c : allow everyone, deny testGroup (isolated)
+ // - /content2 : allow everyone, deny testGroup (isolated)
+ createCug("/content/a", testGroupPrincipal);
+ createCug("/content/aa/bb", testGroupPrincipal);
+ createCug("/content/a/b/c", EveryonePrincipal.getInstance());
+ createCug("/content2", EveryonePrincipal.getInstance());
+
+ // setup regular acl at /content:
+ // - testUser ; allow ; jcr:read
+ // - testGroup ; allow ; jcr:read, jcr:write, jcr:readAccessControl
+ AccessControlManager acMgr = getAccessControlManager(root);
+ AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/content");
+ acl.addAccessControlEntry(getTestUser().getPrincipal(), privilegesFromNames(
+ PrivilegeConstants.JCR_READ));
+ acl.addAccessControlEntry(testGroupPrincipal, privilegesFromNames(
+ PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE, PrivilegeConstants.JCR_READ_ACCESS_CONTROL)
+ );
+ acMgr.setPolicy("/content", acl);
+ root.commit();
+ }
+
void createCug(@Nonnull String absPath, @Nonnull Principal principal) throws RepositoryException {
AccessControlManager acMgr = getAccessControlManager(root);
AccessControlPolicyIterator it = acMgr.getApplicablePolicies(absPath);
@@ -101,4 +170,18 @@ public class AbstractCugTest extends Abs
}
throw new IllegalStateException("Unable to create CUG at " + absPath);
}
+
+ Principal getTestGroupPrincipal() throws Exception {
+ UserManager uMgr = getUserManager(root);
+ Group g = uMgr.getAuthorizable(TEST_GROUP_ID, Group.class);
+ if (g == null) {
+ g = uMgr.createGroup(TEST_GROUP_ID);
+ root.commit();
+ }
+ return g.getPrincipal();
+ }
+
+ ContentSession createTestSession2() throws Exception {
+ return login(new SimpleCredentials(TEST_USER2_ID, TEST_USER2_ID.toCharArray()));
+ }
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java?rev=1710263&r1=1710262&r2=1710263&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.java Fri Oct 23 16:17:01 2015
@@ -19,29 +19,23 @@ package org.apache.jackrabbit.oak.spi.se
import java.security.Principal;
import java.util.List;
import java.util.Set;
-import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
-import org.apache.jackrabbit.api.security.user.Authorizable;
-import org.apache.jackrabbit.api.security.user.Group;
-import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
-import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
-import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.junit.Before;
@@ -54,9 +48,6 @@ import static org.junit.Assert.fail;
public class CugEvaluationTest extends AbstractCugTest implements NodeTypeConstants {
- private static final String TEST_GROUP_ID = "testGroup";
- private static final String TEST_USER2_ID = "testUser2";
-
private ContentSession testSession;
private Root testRoot;
private Principal testGroupPrincipal;
@@ -71,41 +62,9 @@ public class CugEvaluationTest extends A
public void before() throws Exception {
super.before();
- // create testGroup with 'testuser2' being a declared member (testUser is not)
- Group testGroup = getUserManager(root).createGroup(TEST_GROUP_ID);
- testGroupPrincipal = testGroup.getPrincipal();
- User testUser2 = getUserManager(root).createUser(TEST_USER2_ID, TEST_USER2_ID);
- testGroup.addMember(testUser2);
- root.commit();
-
- // add more child nodes
- NodeUtil n = new NodeUtil(root.getTree(SUPPORTED_PATH));
- n.addChild("a", NT_OAK_UNSTRUCTURED).addChild("b", NT_OAK_UNSTRUCTURED).addChild("c", NT_OAK_UNSTRUCTURED);
- n.addChild("aa", NT_OAK_UNSTRUCTURED).addChild("bb", NT_OAK_UNSTRUCTURED).addChild("cc", NT_OAK_UNSTRUCTURED);
-
- // create cugs
- // - /content/a : allow testGroup, deny everyone
- // - /content/aa/bb : allow testGroup, deny everyone
- // - /content/a/b/c : allow everyone, deny testGroup (isolated)
- // - /content2 : allow everyone, deny testGroup (isolated)
- createCug("/content/a", testGroupPrincipal);
- createCug("/content/aa/bb", testGroupPrincipal);
- createCug("/content/a/b/c", EveryonePrincipal.getInstance());
- createCug("/content2", EveryonePrincipal.getInstance());
-
- // setup regular acl at /content:
- // - testUser ; allow ; jcr:read
- // - testGroup ; allow ; jcr:read, jcr:write, jcr:readAccessControl
- AccessControlManager acMgr = getAccessControlManager(root);
- AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/content");
- acl.addAccessControlEntry(getTestUser().getPrincipal(), privilegesFromNames(
- PrivilegeConstants.JCR_READ));
- acl.addAccessControlEntry(testGroupPrincipal, privilegesFromNames(
- PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE, PrivilegeConstants.JCR_READ_ACCESS_CONTROL)
- );
- acMgr.setPolicy("/content", acl);
+ setupCugsAndAcls();
- root.commit();
+ testGroupPrincipal = getTestGroupPrincipal();
content = root.getTree("/content");
content2 = root.getTree("/content2");
@@ -119,23 +78,10 @@ public class CugEvaluationTest extends A
@Override
public void after() throws Exception {
try {
- // revert transient pending changes (that might be invalid)
- root.refresh();
-
- // remove the test group and second test user
- Authorizable testGroup = getUserManager(root).getAuthorizable(TEST_GROUP_ID);
- if (testGroup != null) {
- testGroup.remove();
- }
- Authorizable testUser2 = getUserManager(root).getAuthorizable(TEST_USER2_ID);
- if (testUser2 != null) {
- testUser2.remove();
- }
- root.commit();
- } finally {
if (testSession != null) {
testSession.close();
}
+ } finally {
super.after();
}
}
@@ -172,7 +118,7 @@ public class CugEvaluationTest extends A
@Test
public void testReadAcl2() throws Exception {
- ContentSession cs = login(new SimpleCredentials(TEST_USER2_ID, TEST_USER2_ID.toCharArray()));
+ ContentSession cs = createTestSession2();
try {
Root r = cs.getLatestRoot();
@@ -194,7 +140,7 @@ public class CugEvaluationTest extends A
@Test
public void testReadCug2() throws Exception {
- ContentSession cs = login(new SimpleCredentials(TEST_USER2_ID, TEST_USER2_ID.toCharArray()));
+ ContentSession cs = createTestSession2();
try {
Root r = cs.getLatestRoot();
@@ -224,14 +170,14 @@ public class CugEvaluationTest extends A
@Test
public void testWrite2() throws Exception {
- Set<Principal> principalSet = (Set<Principal>) getConfig(PrincipalConfiguration.class).getPrincipalProvider(root, NamePathMapper.DEFAULT).getPrincipals(TEST_USER2_ID);
- PermissionProvider pp = createPermissionProvider(principalSet);
- assertTrue(pp.isGranted(root.getTree("/content/writeTest"), null, Permissions.ADD_NODE));
- assertTrue(pp.isGranted(root.getTree("/content/a/b/c/writeTest"), null, Permissions.ADD_NODE));
-
- ContentSession cs = login(new SimpleCredentials(TEST_USER2_ID, TEST_USER2_ID.toCharArray()));
+ ContentSession cs = createTestSession2();
Root r = cs.getLatestRoot();
try {
+ Set<Principal> principalSet = cs.getAuthInfo().getPrincipals();
+ PermissionProvider pp = createPermissionProvider(principalSet);
+ assertTrue(pp.isGranted(root.getTree("/content/writeTest"), null, Permissions.ADD_NODE));
+ assertTrue(pp.isGranted(root.getTree("/content/a/b/c/writeTest"), null, Permissions.ADD_NODE));
+
List<String> paths = ImmutableList.of("/content", "/content/a/b/c");
for (String p : paths) {
NodeUtil content = new NodeUtil(r.getTree(p));
@@ -246,7 +192,7 @@ public class CugEvaluationTest extends A
@Test
public void testWriteAcl() throws Exception {
- ContentSession cs = login(new SimpleCredentials(TEST_USER2_ID, TEST_USER2_ID.toCharArray()));
+ ContentSession cs = createTestSession2();
Root r = cs.getLatestRoot();
try {
Tree tree = r.getTree("/content/a/b/c");
@@ -263,7 +209,7 @@ public class CugEvaluationTest extends A
@Test
public void testWriteCug() throws Exception {
- ContentSession cs = login(new SimpleCredentials(TEST_USER2_ID, TEST_USER2_ID.toCharArray()));
+ ContentSession cs = createTestSession2();
Root r = cs.getLatestRoot();
try {
// modify the existing cug
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java?rev=1710263&r1=1710262&r2=1710263&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProviderTest.java Fri Oct 23 16:17:01 2015
@@ -28,8 +28,6 @@ import javax.jcr.Session;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
-import org.apache.jackrabbit.api.security.user.Authorizable;
-import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
@@ -54,13 +52,11 @@ import static org.junit.Assert.fail;
public class CugPermissionProviderTest extends AbstractCugTest implements NodeTypeConstants {
- private static final String TEST_GROUP_ID = "testGroupForCugTest";
-
private static final Map<String, Boolean> PATH_INCUG_MAP = new HashMap<String, Boolean>();
static {
PATH_INCUG_MAP.put(SUPPORTED_PATH, false);
PATH_INCUG_MAP.put("/content/a", true);
- PATH_INCUG_MAP.put("/content/a/rep:cugPolicy", true);
+ PATH_INCUG_MAP.put("/content/a/rep:cugPolicy", false);
PATH_INCUG_MAP.put("/content/a/b", true);
PATH_INCUG_MAP.put("/content/a/b/c/jcr:primaryType", true);
PATH_INCUG_MAP.put("/content/aa", false);
@@ -97,42 +93,20 @@ public class CugPermissionProviderTest e
public void before() throws Exception {
super.before();
- Group testGroup = getUserManager(root).createGroup(TEST_GROUP_ID);
- root.commit();
+ testGroupPrincipal = getTestGroupPrincipal();
// add more child nodes
NodeUtil n = new NodeUtil(root.getTree(SUPPORTED_PATH));
n.addChild("a", NT_OAK_UNSTRUCTURED).addChild("b", NT_OAK_UNSTRUCTURED).addChild("c", NT_OAK_UNSTRUCTURED);
n.addChild("aa", NT_OAK_UNSTRUCTURED).addChild("bb", NT_OAK_UNSTRUCTURED).addChild("cc", NT_OAK_UNSTRUCTURED);
- testGroupPrincipal = testGroup.getPrincipal();
createCug("/content/a", testGroupPrincipal);
createCug("/content/a/b/c", EveryonePrincipal.getInstance());
createCug("/content/aa/bb", testGroupPrincipal);
root.commit();
- Set<Principal> principals = ImmutableSet.of(getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
- Set<String> supportedPaths = ImmutableSet.of(SUPPORTED_PATH);
-
- cugPermProvider = new CugPermissionProvider(root, principals, supportedPaths, CugContext.INSTANCE);
- }
-
- @Override
- public void after() throws Exception {
- try {
- // revert transient pending changes (that might be invalid)
- root.refresh();
-
- // remove the test group
- Authorizable testGroup = getUserManager(root).getAuthorizable(TEST_GROUP_ID);
- if (testGroup != null) {
- testGroup.remove();
- }
- root.commit();
- } finally {
- super.after();
- }
+ cugPermProvider = createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH), getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
}
//---------------------------------------< AggregatedPermissionProvider >---
@@ -226,7 +200,7 @@ public class CugPermissionProviderTest e
}
assertEquals(Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions(tree, null, Permissions.WRITE));
- assertEquals(Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions(tree, null, Permissions.ADD_NODE|Permissions.REMOVE));
+ assertEquals(Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions(tree, null, Permissions.ADD_NODE | Permissions.REMOVE));
assertEquals(Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions(tree, null, Permissions.READ_ACCESS_CONTROL));
}
}
@@ -244,7 +218,7 @@ public class CugPermissionProviderTest e
assertEquals(Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions((Tree) null, null, Permissions.READ_NODE | Permissions.READ_ACCESS_CONTROL));
assertEquals(Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions((Tree) null, null, Permissions.WRITE));
- assertEquals(Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions((Tree) null, null, Permissions.ADD_NODE|Permissions.REMOVE));
+ assertEquals(Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions((Tree) null, null, Permissions.ADD_NODE | Permissions.REMOVE));
assertEquals(Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions((Tree) null, null, Permissions.READ_ACCESS_CONTROL));
}
@@ -277,6 +251,8 @@ public class CugPermissionProviderTest e
assertEquals(path, Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions(location, Permissions.MODIFY_ACCESS_CONTROL));
assertEquals(path, Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions(location, Permissions.ADD_NODE));
assertEquals(path, Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions(location, Permissions.WRITE));
+
+ assertEquals(path, Permissions.NO_PERMISSION, cugPermProvider.supportedPermissions(TreeLocation.create(root, "/path/to/no-existing/tree"), Permissions.READ));
}
}
@@ -396,7 +372,7 @@ public class CugPermissionProviderTest e
*/
@Test
public void testGetPrivilegesAtCug2() {
- PermissionProvider pp = new CugPermissionProvider(root, ImmutableSet.of(testGroupPrincipal), ImmutableSet.of(SUPPORTED_PATH), CugContext.INSTANCE);
+ PermissionProvider pp = createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH), testGroupPrincipal);
Set<String> expected = ImmutableSet.of(
PrivilegeConstants.JCR_READ,
@@ -526,8 +502,12 @@ public class CugPermissionProviderTest e
TreePermission cugTp = cugPermProvider.getTreePermission(root.getTree("/content/a/rep:cugPolicy"), aTp);
assertSame(TreePermission.NO_RECOURSE, cugTp);
+ // jcr:system special case
+ TreePermission jcrSystemTp = cugPermProvider.getTreePermission(root.getTree("/jcr:system"), rootTp);
+ assertTrue(jcrSystemTp instanceof EmptyCugTreePermission);
+
// paths that may not contain cugs anyway
- assertSame(TreePermission.NO_RECOURSE, cugPermProvider.getTreePermission(root.getTree("/jcr:system"), rootTp));
+ assertSame(TreePermission.NO_RECOURSE, cugPermProvider.getTreePermission(root.getTree(NodeTypeConstants.NODE_TYPES_PATH), jcrSystemTp));
TreePermission unsupportedPathTp = cugPermProvider.getTreePermission(root.getTree(UNSUPPORTED_PATH), rootTp);
assertSame(TreePermission.NO_RECOURSE, unsupportedPathTp);
try {
@@ -548,7 +528,7 @@ public class CugPermissionProviderTest e
Tree tree = root.getTree(p);
if (tree.exists()) {
assertFalse(cugPermProvider.isGranted(tree, null, Permissions.ALL));
- assertFalse(cugPermProvider.isGranted(tree, null, Permissions.READ|Permissions.READ_ACCESS_CONTROL));
+ assertFalse(cugPermProvider.isGranted(tree, null, Permissions.READ | Permissions.READ_ACCESS_CONTROL));
assertFalse(cugPermProvider.isGranted(tree, null, Permissions.REMOVE_NODE));
}
}
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java?rev=1710263&r1=1710262&r2=1710263&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermissionTest.java Fri Oct 23 16:17:01 2015
@@ -17,15 +17,12 @@
package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
import java.security.Principal;
-import java.util.Set;
import javax.annotation.Nonnull;
import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.api.PropertyState;
-import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
-import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
@@ -47,15 +44,12 @@ public class CugTreePermissionTest exten
createCug(SUPPORTED_PATH, EveryonePrincipal.getInstance());
root.commit();
- Set<Principal> principals = ImmutableSet.of(getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
- Set<String> supportedPaths = ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2);
-
- allowedTp = getCugTreePermission(root, getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
- deniedTp = getCugTreePermission(root);
+ allowedTp = getCugTreePermission(getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
+ deniedTp = getCugTreePermission();
}
- private static CugTreePermission getCugTreePermission(@Nonnull Root root, @Nonnull Principal... principals) {
- PermissionProvider pp = new CugPermissionProvider(root, ImmutableSet.copyOf(principals), ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2), CugContext.INSTANCE);
+ private CugTreePermission getCugTreePermission(@Nonnull Principal... principals) {
+ CugPermissionProvider pp = createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2), principals);
TreePermission rootTp = pp.getTreePermission(root.getTree("/"), TreePermission.EMPTY);
TreePermission targetTp = pp.getTreePermission(root.getTree(SUPPORTED_PATH), rootTp);
assertTrue(targetTp instanceof CugTreePermission);
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java?rev=1710263&r1=1710262&r2=1710263&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/EmptyCugTreePermissionTest.java Fri Oct 23 16:17:01 2015
@@ -16,9 +16,6 @@
*/
package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
-import java.security.Principal;
-import java.util.Set;
-
import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState;
@@ -45,10 +42,9 @@ public class EmptyCugTreePermissionTest
createCug(SUPPORTED_PATH, EveryonePrincipal.getInstance());
root.commit();
- Set<Principal> principals = ImmutableSet.of(getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
- Set<String> supportedPaths = ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2);
-
- PermissionProvider pp = new CugPermissionProvider(root, principals, supportedPaths, CugContext.INSTANCE);
+ PermissionProvider pp = createCugPermissionProvider(
+ ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2),
+ getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
tp = new EmptyCugTreePermission(root.getTree("/"), pp);
}
Added: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/HiddenTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/HiddenTest.java?rev=1710263&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/HiddenTest.java (added)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/HiddenTest.java Fri Oct 23 16:17:01 2015
@@ -0,0 +1,119 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+
+public class HiddenTest extends AbstractCugTest {
+
+ private Root readOnlyRoot;
+ private Tree hiddenTree;
+
+ private CugPermissionProvider pp;
+
+ @Before
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ createCug(SUPPORTED_PATH, EveryonePrincipal.getInstance());
+ root.commit();
+
+ readOnlyRoot = RootFactory.createReadOnlyRoot(root);
+ hiddenTree = readOnlyRoot.getTree("/oak:index/acPrincipalName/:index");
+ assertTrue(hiddenTree.exists());
+
+ pp = createCugPermissionProvider(ImmutableSet.of("/"), EveryonePrincipal.getInstance());
+ }
+
+ @Test
+ public void testSupportedPermissions() {
+ assertEquals(Permissions.NO_PERMISSION, pp.supportedPermissions(hiddenTree, null, Permissions.READ));
+ }
+
+ @Test
+ public void testSupportedPermissionsLocation() {
+ assertEquals(Permissions.NO_PERMISSION, pp.supportedPermissions(TreeLocation.create(hiddenTree), Permissions.READ));
+ }
+
+ @Test
+ public void testSupportedPrivileges() {
+ assertSame(PrivilegeBits.EMPTY, pp.supportedPrivileges(hiddenTree, new PrivilegeBitsProvider(readOnlyRoot).getBits(PrivilegeConstants.JCR_READ)));
+ }
+
+ @Test
+ public void testTreePermission() {
+ Tree t = readOnlyRoot.getTree("/");
+ TreePermission tp = pp.getTreePermission(t, TreePermission.EMPTY);
+ for (String name : PathUtils.elements(hiddenTree.getPath())) {
+ assertTrue(tp instanceof EmptyCugTreePermission);
+ t = t.getChild(name);
+ tp = pp.getTreePermission(t, tp);
+ }
+ assertSame(TreePermission.NO_RECOURSE, tp);
+ assertEquals(Permissions.NO_PERMISSION, pp.supportedPermissions(tp, null, Permissions.READ));
+ }
+
+ @Test
+ public void testIsGranted() {
+ assertFalse(pp.isGranted(hiddenTree, null, Permissions.READ));
+ }
+
+ @Test
+ public void testIsGrantedHiddenBelowCug() {
+ assertTrue(pp.isGranted(readOnlyRoot.getTree(SUPPORTED_PATH), null, Permissions.READ));
+ assertFalse(pp.isGranted(readOnlyRoot.getTree(SUPPORTED_PATH + "/:hidden"), null, Permissions.READ));
+ }
+
+ @Test
+ public void testIsGrantedPath() {
+ assertTrue(pp.isGranted(SUPPORTED_PATH, Permissions.getString(Permissions.READ)));
+
+ assertFalse(pp.isGranted(SUPPORTED_PATH + "/:hidden", Permissions.getString(Permissions.READ)));
+ assertFalse(pp.isGranted(hiddenTree.getPath(), Permissions.getString(Permissions.READ)));
+ }
+
+ @Test
+ public void testHasPrivileges() {
+ assertTrue(pp.hasPrivileges(readOnlyRoot.getTree(SUPPORTED_PATH), PrivilegeConstants.JCR_READ));
+ assertFalse(pp.hasPrivileges(readOnlyRoot.getTree(SUPPORTED_PATH + "/:hidden"), PrivilegeConstants.JCR_READ));
+ }
+
+ @Test
+ public void testGetPrivileges() {
+ assertFalse(pp.getPrivileges(readOnlyRoot.getTree(SUPPORTED_PATH)).isEmpty());
+ assertTrue(pp.getPrivileges(readOnlyRoot.getTree(SUPPORTED_PATH + "/:hidden")).isEmpty());
+ }
+}
\ No newline at end of file
Propchange: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/HiddenTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java?rev=1710263&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java (added)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java Fri Oct 23 16:17:01 2015
@@ -0,0 +1,368 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
+
+import java.util.ArrayList;
+import java.util.List;
+import javax.annotation.Nonnull;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Iterables;
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManager;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
+import org.apache.jackrabbit.oak.plugins.version.ReadOnlyVersionManager;
+import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.util.TreeUtil;
+import org.junit.Before;
+import org.junit.Test;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Test read access to version related information both in the regular
+ * content and in the version storage.
+ */
+public class VersionTest extends AbstractCugTest implements NodeTypeConstants, VersionConstants {
+
+ private ContentSession testSession;
+ private Root testRoot;
+ private ReadOnlyVersionManager versionManager;
+
+ private List<String> readAccess = new ArrayList<String>();
+ private List<String> noReadAccess = new ArrayList<String>();
+
+ @Before
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ // create cugs
+ // - /content/a : allow testGroup, deny everyone
+ // - /content/aa/bb : allow testGroup, deny everyone
+ // - /content/a/b/c : allow everyone, deny testGroup (isolated)
+ // - /content2 : allow everyone, deny testGroup (isolated)
+ setupCugsAndAcls();
+
+ readAccess = ImmutableList.of(
+ SUPPORTED_PATH,
+ "/content/subtree",
+ //"/content/a/b/c",
+ "/content/aa");
+
+ noReadAccess = ImmutableList.of(
+ UNSUPPORTED_PATH, /* no access */
+ "/content2", /* granted by cug only */
+ "/content/a", /* granted by ace, denied by cug */
+ //"/content/a/b", /* granted by ace, denied by cug */
+ "/content/aa/bb" /* granted by ace, denied by cug */
+ );
+
+ for (String path : Iterables.concat(readAccess, noReadAccess)) {
+ addVersionContent(path);
+ }
+
+ testSession = createTestSession();
+ testRoot = testSession.getLatestRoot();
+
+ versionManager = new TestVersionManager(root);
+ }
+
+ @Override
+ public void after() throws Exception {
+ try {
+ if (testSession != null) {
+ testSession.close();
+ }
+ } finally {
+ super.after();
+ }
+ }
+
+ private Tree addVersionContent(@Nonnull String path) throws Exception {
+ Tree t = root.getTree(path);
+
+ Tree typesRoot = root.getTree(NodeTypeConstants.NODE_TYPES_PATH);
+ TreeUtil.addMixin(t, JcrConstants.MIX_VERSIONABLE, typesRoot, null);
+ root.commit();
+
+ // force the creation of a version with frozen node
+ t.setProperty(JCR_ISCHECKEDOUT, false);
+ root.commit();
+ t.setProperty(JCR_ISCHECKEDOUT, true);
+ root.commit();
+
+ if (testRoot != null) {
+ testRoot.refresh();
+ }
+
+ return t;
+ }
+
+ @Test
+ public void testReadVersionContent() throws Exception {
+ IdentifierManager idMgr = new IdentifierManager(testRoot);
+ TestVersionManager vMgr = new TestVersionManager(testRoot);
+
+ for (String path : readAccess) {
+ Tree t = testRoot.getTree(path);
+ assertTrue(path, t.exists());
+
+ PropertyState ps = t.getProperty(JCR_VERSIONHISTORY);
+ assertNotNull(ps);
+
+ String vhUUID = ps.getValue(Type.STRING);
+ assertEquals(vhUUID, ps.getValue(Type.STRING));
+
+ Tree versionHistory = vMgr.getVersionHistory(t);
+ assertNotNull(versionHistory);
+ assertTrue(versionHistory.exists());
+ assertTrue(versionHistory.getChild(JCR_ROOTVERSION).exists());
+ assertFalse(versionHistory.getParent().exists());
+
+ Tree vhTree = testRoot.getTree(versionHistory.getPath());
+ assertTrue(vhTree.exists());
+
+ String vhPath = idMgr.resolveUUID(vhUUID);
+ assertNotNull(vhPath);
+
+ assertEquals(versionHistory.getPath(), vhPath);
+ assertTrue(testRoot.getTree(vhPath).exists());
+
+ assertTrue(testRoot.getTree(vhPath + '/' + JCR_ROOTVERSION).exists());
+ }
+ }
+
+ @Test
+ public void testReadVersionContentNoAccess() throws Exception {
+ IdentifierManager idMgr = new IdentifierManager(testRoot);
+
+ for (String path : noReadAccess) {
+ String vhUUID = checkNotNull(TreeUtil.getString(root.getTree(path), JCR_VERSIONHISTORY));
+ String vhPath = PathUtils.concat(VERSION_STORE_PATH, versionManager.getVersionHistoryPath(vhUUID));
+
+ Tree vHistory = testRoot.getTree(vhPath);
+ assertFalse(vHistory.exists());
+ assertFalse(vHistory.getParent().exists());
+ assertFalse(vHistory.getChild(JCR_ROOTVERSION).exists());
+ assertFalse(testRoot.getTree(vhPath + '/' + JCR_ROOTVERSION).exists());
+
+ String vh = idMgr.resolveUUID(vhUUID);
+ assertNull(path, vh);
+ }
+ }
+
+ @Test
+ public void testReadVersionStorage() {
+ assertFalse(testRoot.getTree(VersionConstants.VERSION_STORE_PATH).exists());
+ }
+
+ @Test
+ public void testSupportedPermissions() throws Exception {
+ Tree versionable = addVersionContent("/content/a/b/c");
+
+ CugPermissionProvider pp = createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2));
+
+ Tree versionStorage = root.getTree(VersionConstants.VERSION_STORE_PATH);
+ assertEquals(Permissions.NO_PERMISSION, pp.supportedPermissions(versionStorage, null, Permissions.READ));
+ assertEquals(Permissions.NO_PERMISSION, pp.supportedPermissions(versionStorage.getParent(), null, Permissions.READ));
+
+ ReadOnlyVersionManager vMgr = new TestVersionManager(root);
+
+ // tree with cug (access is granted)
+ Tree vh = vMgr.getVersionHistory(versionable);
+ assertEquals(Permissions.READ, pp.supportedPermissions(vh, null, Permissions.READ));
+
+ // tree with cug (but no access granted)
+ vh = vMgr.getVersionHistory(root.getTree("/content2"));
+ assertEquals(Permissions.READ, pp.supportedPermissions(vh, null, Permissions.READ));
+
+ // tree without cug
+ vh = vMgr.getVersionHistory(root.getTree(UNSUPPORTED_PATH));
+ assertEquals(Permissions.NO_PERMISSION, pp.supportedPermissions(vh, null, Permissions.READ));
+
+ // tree without cug
+ vh = vMgr.getVersionHistory(root.getTree(SUPPORTED_PATH));
+ assertEquals(Permissions.NO_PERMISSION, pp.supportedPermissions(vh, null, Permissions.READ));
+ }
+
+ @Test
+ public void testVersionableRemoved() throws Exception {
+ // cug at /content/a/b/c grants access
+ Tree versionable = addVersionContent("/content/a/b/c");
+
+ Tree vh = checkNotNull(versionManager.getVersionHistory(versionable));
+
+ assertTrue(testRoot.getTree(vh.getPath()).exists());
+
+ versionable.remove();
+ root.commit();
+
+ // the cug-permission provider still supports the path as there exists
+ // a cug higher up in the hierarchy
+ // -> the parent cug takes effect now
+ CugPermissionProvider pp = createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2));
+ assertEquals(Permissions.READ, pp.supportedPermissions(vh, null, Permissions.READ));
+ assertFalse(pp.isGranted(vh, null, Permissions.READ));
+
+ // the vh associated with /content/a/b/c is no longer accessible
+ testRoot.refresh();
+ assertFalse(testRoot.getTree(vh.getPath()).exists());
+ }
+
+ @Test
+ public void testVersionableRemoved2() throws Exception {
+ // cug at /content/a/b/c denies access
+ Tree versionable = root.getTree("/content/a");
+
+ Tree vh = checkNotNull(versionManager.getVersionHistory(versionable));
+
+ assertFalse(testRoot.getTree(vh.getPath()).exists());
+
+ versionable.remove();
+ root.commit();
+
+ // removing this versionable node removes the CUG in this tree
+ // -> the permission provider is no longer responsible
+ CugPermissionProvider pp = createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2));
+ assertEquals(Permissions.NO_PERMISSION, pp.supportedPermissions(vh, null, Permissions.READ));
+ assertFalse(pp.isGranted(vh, null, Permissions.READ));
+
+ // subsequently the deny of the former CUG is gone as well
+ testRoot.refresh();
+ assertTrue(testRoot.getTree(vh.getPath()).exists());
+ }
+
+ @Test
+ public void testTreePermissionVersionable() throws Exception {
+ Tree versionable = root.getTree("/content/a");
+ Tree vh = checkNotNull(versionManager.getVersionHistory(versionable));
+
+ CugPermissionProvider pp = createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2), EveryonePrincipal.getInstance());
+
+ Tree t = root.getTree("/");
+ TreePermission tp = pp.getTreePermission(t, TreePermission.EMPTY);
+
+ String path = PathUtils.concat(vh.getPath(), "1.0", JCR_FROZENNODE, "b/c");
+ for (String segm : PathUtils.elements(path)) {
+ t = t.getChild(segm);
+ tp = pp.getTreePermission(t, tp);
+
+ if (JCR_SYSTEM.equals(segm) || ReadOnlyVersionManager.isVersionStoreTree(t)) {
+ assertTrue(t.getPath(), tp instanceof EmptyCugTreePermission);
+ } else {
+ assertTrue(t.getPath(), tp instanceof CugTreePermission);
+ assertEquals(t.getPath(), "c".equals(segm), tp.canRead());
+ }
+ }
+ }
+
+ @Test
+ public void testTreePermissionVersionable2() throws Exception {
+ Tree versionable = root.getTree("/content");
+ Tree vh = checkNotNull(versionManager.getVersionHistory(versionable));
+
+ CugPermissionProvider pp = createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2));
+
+ Tree t = root.getTree("/");
+ TreePermission tp = pp.getTreePermission(t, TreePermission.EMPTY);
+
+ String path = PathUtils.concat(vh.getPath(), "1.0", JCR_FROZENNODE, "aa");
+ for (String segm : PathUtils.elements(path)) {
+ t = t.getChild(segm);
+ tp = pp.getTreePermission(t, tp);
+
+ if (JCR_SYSTEM.equals(segm) || ReadOnlyVersionManager.isVersionStoreTree(t)) {
+ assertTrue(t.getPath(), tp instanceof EmptyCugTreePermission);
+ } else {
+ assertTrue(t.getPath(), tp instanceof EmptyCugTreePermission);
+ }
+ }
+ }
+
+ @Test
+ public void testTreePermissionVersionable3() throws Exception {
+ Tree versionable = root.getTree(UNSUPPORTED_PATH);
+ Tree vh = checkNotNull(versionManager.getVersionHistory(versionable));
+
+ CugPermissionProvider pp = createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH, SUPPORTED_PATH2));
+
+ Tree t = root.getTree("/");
+ TreePermission tp = pp.getTreePermission(t, TreePermission.EMPTY);
+
+ for (String segm : PathUtils.elements(vh.getPath())) {
+ t = t.getChild(segm);
+ tp = pp.getTreePermission(t, tp);
+
+ if (JCR_SYSTEM.equals(segm) || ReadOnlyVersionManager.isVersionStoreTree(t)) {
+ assertTrue(t.getPath(), tp instanceof EmptyCugTreePermission);
+ } else {
+ assertSame(t.getPath(), TreePermission.NO_RECOURSE, tp);
+ }
+ }
+ }
+
+ private final class TestVersionManager extends ReadOnlyVersionManager {
+
+ private final Root root;
+
+ TestVersionManager(@Nonnull Root root) {
+ this.root = root;
+ }
+
+ @Nonnull
+ @Override
+ protected Tree getVersionStorage() {
+ return root.getTree(VersionConstants.VERSION_STORE_PATH);
+ }
+
+ @Nonnull
+ @Override
+ protected Root getWorkspaceRoot() {
+ return root;
+ }
+
+ @Nonnull
+ @Override
+ protected ReadOnlyNodeTypeManager getNodeTypeManager() {
+ return ReadOnlyNodeTypeManager.getInstance(root, NamePathMapper.DEFAULT);
+ }
+
+ @Override
+ protected boolean isVersionable(@Nonnull Tree tree) {
+ return super.isVersionable(tree);
+ }
+ }
+}
\ No newline at end of file
Propchange: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/VersionTest.java
------------------------------------------------------------------------------
svn:eol-style = native