Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2018/03/26 16:11:21 UTC
svn commit: r1827769 - in /jackrabbit/oak/branches/1.6: ./
oak-authorization-cug/
oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/
oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/secur...
Author: angela
Date: Mon Mar 26 16:11:21 2018
New Revision: 1827769
URL: http://svn.apache.org/viewvc?rev=1827769&view=rev
Log:
merge rev. 1827472 (backport of OAK-7356) with minor modifications to CugConfigurationOsgiTest
Added:
jackrabbit/oak/branches/1.6/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationOsgiTest.java
- copied, changed from r1827472, jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationOsgiTest.java
Modified:
jackrabbit/oak/branches/1.6/ (props changed)
jackrabbit/oak/branches/1.6/oak-authorization-cug/pom.xml
jackrabbit/oak/branches/1.6/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
jackrabbit/oak/branches/1.6/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugExcludeImpl.java
jackrabbit/oak/branches/1.6/oak-doc/src/site/markdown/security/authorization/cug.md
Propchange: jackrabbit/oak/branches/1.6/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Mar 26 16:11:21 2018
@@ -1,3 +1,3 @@
/jackrabbit/oak/branches/1.0:1665962
-/jackrabbit/oak/trunk:1781068,1781075,1781248,1781386,1781846,1781907,1782000,1782029,1782196,1782447,1782476,1782770,1782945,1782966,1782973,1782990,1783061,1783066,1783089,1783104-1783105,1783110,1783619,1783720,1783731,1783733,1783738,1783742,1783773,1783855,1783891,1784023,1784034,1784130,1784162,1784251,1784401,1784551,1784574,1784689,1785095,1785108,1785283,1785838,1785917,1785919,1785946,1786122,1787074,1787145,1787151,1787217,1787425,1788056,1788378,1788387-1788389,1788463,1788476,1788850,1789056,1789534,1790382,1790502-1790503,1792049,1792463,1792483,1792742,1792746,1793013,1793088,1793618,1793627,1793644,1794393,1794417,1794683,1795138,1795314,1795330,1795475,1795488,1795491,1795502,1795594,1795613,1795618,1796144,1796230,1796239,1796274,1796278,1796988,1797378,1798035,1798834,1799219,1799389,1799393,1799924,1800244,1800269,1800606,1800613,1800974,1801011,1801013,1801118-1801119,1801675,1802260,1802262,1802286,1802548,1802934,1802938,1802973,1803026,1803247-1803249,1803951
,1803953-1803955,1805851-1805852,1806668,1807308,1807688,1808022,1808125,1808128,1808142,1808240,1808246,1809024,1809026,1809131,1809163,1809253,1809255-1809256,1809289,1809745,1811071-1811072,1811155,1811380,1811655,1811952,1811963,1811986,1813192,1814189,1814332,1814397,1815201,1815426,1815438,1815926,1817326,1817919,1817987-1817988,1817990,1818038,1818042,1818056,1818124,1818554,1818576,1818645,1819048,1819050,1821325,1821358,1821495,1821516,1822850,1826237,1826338,1826532,1826640,1826932,1826957,1827486
+/jackrabbit/oak/trunk:1781068,1781075,1781248,1781386,1781846,1781907,1782000,1782029,1782196,1782447,1782476,1782770,1782945,1782966,1782973,1782990,1783061,1783066,1783089,1783104-1783105,1783110,1783619,1783720,1783731,1783733,1783738,1783742,1783773,1783855,1783891,1784023,1784034,1784130,1784162,1784251,1784401,1784551,1784574,1784689,1785095,1785108,1785283,1785838,1785917,1785919,1785946,1786122,1787074,1787145,1787151,1787217,1787425,1788056,1788378,1788387-1788389,1788463,1788476,1788850,1789056,1789534,1790382,1790502-1790503,1792049,1792463,1792483,1792742,1792746,1793013,1793088,1793618,1793627,1793644,1794393,1794417,1794683,1795138,1795314,1795330,1795475,1795488,1795491,1795502,1795594,1795613,1795618,1796144,1796230,1796239,1796274,1796278,1796988,1797378,1798035,1798834,1799219,1799389,1799393,1799924,1800244,1800269,1800606,1800613,1800974,1801011,1801013,1801118-1801119,1801675,1802260,1802262,1802286,1802548,1802934,1802938,1802973,1803026,1803247-1803249,1803951
,1803953-1803955,1805851-1805852,1806668,1807308,1807688,1808022,1808125,1808128,1808142,1808240,1808246,1809024,1809026,1809131,1809163,1809253,1809255-1809256,1809289,1809745,1811071-1811072,1811155,1811380,1811655,1811952,1811963,1811986,1813192,1814189,1814332,1814397,1815201,1815426,1815438,1815926,1817326,1817919,1817987-1817988,1817990,1818038,1818042,1818056,1818124,1818554,1818576,1818645,1819048,1819050,1821325,1821358,1821495,1821516,1822850,1826237,1826338,1826532,1826640,1826932,1826957,1827472,1827486
/jackrabbit/trunk:1345480
Modified: jackrabbit/oak/branches/1.6/oak-authorization-cug/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-authorization-cug/pom.xml?rev=1827769&r1=1827768&r2=1827769&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-authorization-cug/pom.xml (original)
+++ jackrabbit/oak/branches/1.6/oak-authorization-cug/pom.xml Mon Mar 26 16:11:21 2018
@@ -139,6 +139,11 @@
<classifier>tests</classifier>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.apache.sling</groupId>
+ <artifactId>org.apache.sling.testing.osgi-mock</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
</project>
\ No newline at end of file
Modified: jackrabbit/oak/branches/1.6/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java?rev=1827769&r1=1827768&r2=1827769&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java (original)
+++ jackrabbit/oak/branches/1.6/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java Mon Mar 26 16:11:21 2018
@@ -95,7 +95,7 @@ public class CugConfiguration extends Co
/**
* Reference to services implementing {@link org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude}.
*/
- @Reference(cardinality = ReferenceCardinality.OPTIONAL_UNARY)
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
private CugExclude exclude;
@SuppressWarnings("UnusedDeclaration")
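Review bot: The Javadoc on the `exclude` field does not mention that the reference is now mandatory; it still only says what the reference points to. With `MANDATORY_UNARY` the component is not activated until a `CugExclude` service is registered, and the test file added in this commit contains a case expecting `ReferenceViolationException` that presumably pins this (its body is outside the hunks). Whether CUG policies are left unevaluated while the component is unsatisfied depends on how the security provider is assembled, which is not visible here. I would record the dependency on the field, e.g. `* Mandatory: this configuration is not activated unless a CugExclude service is available.`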
@@ -190,6 +190,14 @@ public class CugConfiguration extends Co
setParameters(ConfigurationParameters.of(properties));
}
+ public void bindExclude(CugExclude exclude) {
+ this.exclude = exclude;
+ }
+
+ public void unbindExclude(CugExclude exclude) {
+ this.exclude = null;
+ }
+
//--------------------------------------------------------------------------
@Nonnull
private CugExclude getExclude() {
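Review bot: `unbindExclude` ignores its argument and clears the field unconditionally, so an unbind call for a service that is no longer the bound one would drop the current exclusion list. A one-line guard avoids that: `if (this.exclude == exclude) { this.exclude = null; }`. Both methods are also public and undocumented on a class that decides which principals skip CUG evaluation; a short Javadoc stating that they are SCR bind/unbind callbacks and not API would help. `getExclude()` is annotated `@Nonnull` but its body lies outside the hunk, so how it handles a null field cannot be checked here.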
Modified: jackrabbit/oak/branches/1.6/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugExcludeImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugExcludeImpl.java?rev=1827769&r1=1827768&r2=1827769&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugExcludeImpl.java (original)
+++ jackrabbit/oak/branches/1.6/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugExcludeImpl.java Mon Mar 26 16:11:21 2018
@@ -25,7 +25,6 @@ import javax.annotation.Nonnull;
import com.google.common.collect.ImmutableSet;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
-import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Modified;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
@@ -37,19 +36,18 @@ import org.apache.jackrabbit.oak.spi.sec
* Extension of the default {@link org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude}
* implementation that allow to specify additional principal names to be excluded
* from CUG evaluation.
- *
- * Note: this component is requires a configuration (i.e. a configured list of
- * principal names) in order to be activated.
*/
@Component(metatype = true,
+ immediate = true,
label = "Apache Jackrabbit Oak CUG Exclude List",
- description = "Allows to exclude principal(s) with the configured name(s) from CUG evaluation.",
- policy = ConfigurationPolicy.REQUIRE)
+ description = "Exclude principal(s) from CUG evaluation. In addition to the " +
+ "principals defined by the default CugExclude ('AdminPrincipal', 'SystemPrincipal', 'SystemUserPrincipal' classes), " +
+ "this component allows to optionally configure additional principals by name.")
@Service({CugExclude.class})
@Properties({
@Property(name = "principalNames",
label = "Principal Names",
- description = "Name of principals that are always excluded from CUG evaluation.",
+ description = "Name(s) of additional principal(s) that are excluded from CUG evaluation.",
cardinality = Integer.MAX_VALUE)
})
public class CugExcludeImpl extends CugExclude.Default {
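Review bot: The class Javadoc loses the note about the required configuration but does not say how the component behaves now that `policy = ConfigurationPolicy.REQUIRE` is gone. Judging by the new description it acts like `CugExclude.Default` when no `principalNames` are configured; the activate method is outside the hunk, so that is worth confirming and then stating, e.g. `* Without configuration this component excludes the same principals as {@link CugExclude.Default}.` The description string also hard-codes the three default principal class names, which will go stale silently if the default implementation changes. Since the additional exclusion is by name, the `principalNames` description could state that any principal carrying a configured name skips CUG evaluation.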
Copied: jackrabbit/oak/branches/1.6/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationOsgiTest.java (from r1827472, jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationOsgiTest.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationOsgiTest.java?p2=jackrabbit/oak/branches/1.6/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationOsgiTest.java&p1=jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationOsgiTest.java&r1=1827472&r2=1827769&rev=1827769&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationOsgiTest.java (original)
+++ jackrabbit/oak/branches/1.6/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationOsgiTest.java Mon Mar 26 16:11:21 2018
@@ -22,9 +22,6 @@ import java.util.Map;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
-import org.apache.jackrabbit.oak.composite.MountInfoProviderService;
-import org.apache.jackrabbit.oak.plugins.tree.impl.RootProviderService;
-import org.apache.jackrabbit.oak.plugins.tree.impl.TreeProviderService;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
@@ -46,7 +43,7 @@ public class CugConfigurationOsgiTest ex
private static final String EXCLUDED_PRINCIPAL_NAME = "excludedPrincipal";
private static final String ANY_PRINCIPAL_NAME = "anyPrincipal";
- private static final Map<String, Object> PROPERTIES = ImmutableMap.of(
+ private static final Map<String, Object> PROPERTIES = ImmutableMap.<String, Object>of(
CugConstants.PARAM_CUG_ENABLED, true,
CugConstants.PARAM_CUG_SUPPORTED_PATHS, new String[] {"/"});
@@ -64,13 +61,7 @@ public class CugConfigurationOsgiTest ex
wspName = root.getContentSession().getWorkspaceName();
cugConfiguration = new CugConfiguration(getSecurityProvider());
- cugConfiguration.setRootProvider(new RootProviderService());
- cugConfiguration.setTreeProvider(new TreeProviderService());
-
cugExclude = new CugExcludeImpl();
-
- MountInfoProviderService mip = new MountInfoProviderService();
- context.registerInjectActivateService(mip);
}
@Test(expected = ReferenceViolationException.class)
@@ -84,8 +75,18 @@ public class CugConfigurationOsgiTest ex
context.registerInjectActivateService(cugConfiguration, PROPERTIES);
// default exclusion
- AdminPrincipal admin = () -> "name";
- SystemUserPrincipal suPrincipal = () -> "name";
+ AdminPrincipal admin = new AdminPrincipal() {
+ @Override
+ public String getName() {
+ return "name";
+ }
+ };
+ SystemUserPrincipal suPrincipal = new SystemUserPrincipal() {
+ @Override
+ public String getName() {
+ return "name";
+ }
+ };
AuthorizationConfiguration config = context.getService(AuthorizationConfiguration.class);
for (Principal p : new Principal[] {SystemPrincipal.INSTANCE, admin, suPrincipal}) {
@@ -94,51 +95,51 @@ public class CugConfigurationOsgiTest ex
}
// however, other principals must not be excluded
- PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.of(new PrincipalImpl(EXCLUDED_PRINCIPAL_NAME)));
+ PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.<Principal>of(new PrincipalImpl(EXCLUDED_PRINCIPAL_NAME)));
assertTrue(permissionProvider instanceof CugPermissionProvider);
}
@Test
public void testCugExcludeExcludedPrincipal() {
- context.registerInjectActivateService(cugExclude, ImmutableMap.of("principalNames", new String[] {EXCLUDED_PRINCIPAL_NAME}));
+ context.registerInjectActivateService(cugExclude, ImmutableMap.<String, Object>of("principalNames", new String[] {EXCLUDED_PRINCIPAL_NAME}));
context.registerInjectActivateService(cugConfiguration, PROPERTIES);
AuthorizationConfiguration config = context.getService(AuthorizationConfiguration.class);
- PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.of(new PrincipalImpl(EXCLUDED_PRINCIPAL_NAME)));
+ PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.<Principal>of(new PrincipalImpl(EXCLUDED_PRINCIPAL_NAME)));
assertSame(EmptyPermissionProvider.getInstance(), permissionProvider);
}
@Test
public void testCugExcludeAnyPrincipal() {
- context.registerInjectActivateService(cugExclude, ImmutableMap.of("principalNames", new String[] {EXCLUDED_PRINCIPAL_NAME}));
+ context.registerInjectActivateService(cugExclude, ImmutableMap.<String, Object>of("principalNames", new String[] {EXCLUDED_PRINCIPAL_NAME}));
context.registerInjectActivateService(cugConfiguration, PROPERTIES);
AuthorizationConfiguration config = context.getService(AuthorizationConfiguration.class);
- PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.of(new PrincipalImpl(ANY_PRINCIPAL_NAME)));
+ PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.<Principal>of(new PrincipalImpl(ANY_PRINCIPAL_NAME)));
assertTrue(permissionProvider instanceof CugPermissionProvider);
}
@Test
public void testNotEnabled() {
- context.registerInjectActivateService(cugExclude, ImmutableMap.of("principalNames", new String[] {ANY_PRINCIPAL_NAME}));
- context.registerInjectActivateService(cugConfiguration, ImmutableMap.of(
+ context.registerInjectActivateService(cugExclude, ImmutableMap.<String, Object>of("principalNames", new String[] {ANY_PRINCIPAL_NAME}));
+ context.registerInjectActivateService(cugConfiguration, ImmutableMap.<String, Object>of(
CugConstants.PARAM_CUG_ENABLED, false,
CugConstants.PARAM_CUG_SUPPORTED_PATHS, new String[]{"/"}));
AuthorizationConfiguration config = context.getService(AuthorizationConfiguration.class);
- PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.of(new PrincipalImpl(ANY_PRINCIPAL_NAME)));
+ PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.<Principal>of(new PrincipalImpl(ANY_PRINCIPAL_NAME)));
assertSame(EmptyPermissionProvider.getInstance(), permissionProvider);
}
@Test
public void testNoSupportedPaths() {
- context.registerInjectActivateService(cugExclude, ImmutableMap.of("principalNames", new String[] {ANY_PRINCIPAL_NAME}));
- context.registerInjectActivateService(cugConfiguration, ImmutableMap.of(
+ context.registerInjectActivateService(cugExclude, ImmutableMap.<String, Object>of("principalNames", new String[] {ANY_PRINCIPAL_NAME}));
+ context.registerInjectActivateService(cugConfiguration, ImmutableMap.<String, Object>of(
CugConstants.PARAM_CUG_ENABLED, true,
CugConstants.PARAM_CUG_SUPPORTED_PATHS, new String[0]));
AuthorizationConfiguration config = context.getService(AuthorizationConfiguration.class);
- PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.of(new PrincipalImpl(ANY_PRINCIPAL_NAME)));
+ PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.<Principal>of(new PrincipalImpl(ANY_PRINCIPAL_NAME)));
assertSame(EmptyPermissionProvider.getInstance(), permissionProvider);
}
}
\ No newline at end of file
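Review bot: `testNotEnabled` and `testNoSupportedPaths` configure the exclude list with `ANY_PRINCIPAL_NAME` and then request the permission provider for that same principal, so `EmptyPermissionProvider` could be returned through the exclusion even if the enabled flag or the empty supported-paths setting were ignored. To pin the condition each test is named for, the exclude list should hold a different name, as in `ImmutableMap.<String, Object>of("principalNames", new String[] {EXCLUDED_PRINCIPAL_NAME})`. The order of checks in `getPermissionProvider` is not visible here, so this is about what the tests can prove, not a claim that the production code is wrong.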
Modified: jackrabbit/oak/branches/1.6/oak-doc/src/site/markdown/security/authorization/cug.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.6/oak-doc/src/site/markdown/security/authorization/cug.md?rev=1827769&r1=1827768&r2=1827769&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.6/oak-doc/src/site/markdown/security/authorization/cug.md (original)
+++ jackrabbit/oak/branches/1.6/oak-doc/src/site/markdown/security/authorization/cug.md Mon Mar 26 16:11:21 2018
@@ -233,7 +233,7 @@ to be excluded from the evaluation of re
| `principalNames` | Set\<String\> | \- | Name of principals that are always excluded from CUG evaluation. |
| | | | |
-_Note:_ this is an optional feature to extend the [default](/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugExclude.Default.html)
+_Note:_ This implementation extends the [default](/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/cug/CugExclude.Default.html)
exclusion list. Alternatively, it is possible to plug a custom `CugExclude` implementation matching
specific needs (see [below](#pluggability)).
@@ -296,7 +296,8 @@ in the `org.apache.jackrabbit.oak.spi.se
1. implement `CugExclude` interface according to you needs,
2. make your implementation an OSGi service
-3. deploy the bundle containing your implementation in the OSGi container and activate the service.
+3. deploy the bundle containing your implementation in the OSGi container and activate the service.
+4. make sure the default CUGExclude service is properly replaced by the custom implementation.
###### Example