Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2014/01/22 18:21:15 UTC
svn commit: r1560428 - in /jackrabbit/oak/trunk:
oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/
oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/
oak-jcr/src/test/java/org/apa...
Author: angela
Date: Wed Jan 22 17:21:14 2014
New Revision: 1560428
URL: http://svn.apache.org/r1560428
Log:
OAK-1350 : Inconsistent Principal Validation between API and Import behavior
Added:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java (with props)
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java (with props)
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportIgnoreTest.java
- copied, changed from r1559977, jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java Wed Jan 22 17:21:14 2014
@@ -52,25 +52,18 @@ abstract class ACL extends AbstractAcces
private final List<ACE> entries = new ArrayList<ACE>();
- private final PrincipalManager principalManager;
- private final PrivilegeManager privilegeManager;
- private final PrivilegeBitsProvider privilegeBitsProvider;
-
ACL(@Nullable String oakPath, @Nullable List<ACE> entries,
- @Nonnull NamePathMapper namePathMapper,
- @Nonnull PrincipalManager principalManager,
- @Nonnull PrivilegeManager privilegeManager,
- @Nonnull PrivilegeBitsProvider privilegeBitsProvider) {
+ @Nonnull NamePathMapper namePathMapper) {
super(oakPath, namePathMapper);
if (entries != null) {
this.entries.addAll(entries);
}
- this.principalManager = principalManager;
- this.privilegeManager = privilegeManager;
- this.privilegeBitsProvider = privilegeBitsProvider;
}
abstract ACE createACE(Principal principal, PrivilegeBits privilegeBits, boolean isAllow, Set<Restriction> restrictions) throws RepositoryException;
+ abstract void checkValidPrincipal(Principal principal) throws AccessControlException;
+ abstract PrivilegeManager getPrivilegeManager();
+ abstract PrivilegeBits getPrivilegeBits(Privilege[] privileges);
//------------------------------------------< AbstractAccessControlList >---
@Nonnull
@@ -98,13 +91,13 @@ abstract class ACL extends AbstractAcces
throw new AccessControlException("Privileges may not be null nor an empty array");
}
for (Privilege p : privileges) {
- Privilege pv = privilegeManager.getPrivilege(p.getName());
+ Privilege pv = getPrivilegeManager().getPrivilege(p.getName());
if (pv.isAbstract()) {
throw new AccessControlException("Privilege " + p + " is abstract.");
}
}
- Util.checkValidPrincipal(principal, principalManager);
+ checkValidPrincipal(principal);
for (RestrictionDefinition def : getRestrictionProvider().getSupportedRestrictions(getOakPath())) {
String jcrName = getNamePathMapper().getJcrName(def.getName());
@@ -241,8 +234,4 @@ abstract class ACL extends AbstractAcces
private ACE createACE(@Nonnull ACE existing, @Nonnull PrivilegeBits newPrivilegeBits) throws RepositoryException {
return createACE(existing.getPrincipal(), newPrivilegeBits, existing.isAllow(), existing.getRestrictions());
}
-
- private PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
- return privilegeBitsProvider.getBits(privileges, getNamePathMapper());
- }
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.java Wed Jan 22 17:21:14 2014
@@ -16,6 +16,7 @@
*/
package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
+import java.security.AccessControlException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
@@ -44,6 +45,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
import org.apache.jackrabbit.oak.spi.xml.NodeInfo;
import org.apache.jackrabbit.oak.spi.xml.PropInfo;
import org.apache.jackrabbit.oak.spi.xml.ProtectedNodeImporter;
@@ -76,6 +78,8 @@ public class AccessControlImporter imple
private JackrabbitAccessControlList acl;
private MutableEntry entry;
+ private int importBehavior;
+
//----------------------------------------------< ProtectedItemImporter >---
@Override
@@ -86,8 +90,10 @@ public class AccessControlImporter imple
throw new IllegalStateException("Already initialized");
}
try {
+ AuthorizationConfiguration config = securityProvider.getConfiguration(AuthorizationConfiguration.class);
+ importBehavior = Util.getImportBehavior(config);
+
if (isWorkspaceImport) {
- AuthorizationConfiguration config = securityProvider.getConfiguration(AuthorizationConfiguration.class);
acMgr = config.getAccessControlManager(root, namePathMapper);
PrincipalConfiguration pConfig = securityProvider.getConfiguration(PrincipalConfiguration.class);
principalManager = pConfig.getPrincipalManager(root, namePathMapper);
@@ -230,10 +236,13 @@ public class AccessControlImporter imple
private final class MutableEntry {
final boolean isAllow;
+
Principal principal;
List<Privilege> privileges;
Map<String, Value> restrictions = new HashMap<String, Value>();
+ boolean ignore;
+
private MutableEntry(boolean isAllow) {
this.isAllow = isAllow;
}
@@ -242,7 +251,16 @@ public class AccessControlImporter imple
String principalName = txtValue.getString();
principal = principalManager.getPrincipal(principalName);
if (principal == null) {
- principal = new PrincipalImpl(principalName);
+ switch (importBehavior) {
+ case ImportBehavior.IGNORE:
+ log.debug("Unknown principal " + principalName + " -> Ignoring this ACE.");
+ ignore = true;
+ break;
+ case ImportBehavior.ABORT:
+ throw new AccessControlException("Unknown principal " + principalName);
+ case ImportBehavior.BESTEFFORT:
+ principal = new PrincipalImpl(principalName);
+ }
}
}
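Review bot: The ABORT branch throws `java.security.AccessControlException`, the type imported at the top of this file by this commit, which is an unchecked `SecurityException` rather than the `javax.jcr.security.AccessControlException` (a `RepositoryException`) that JCR callers would normally catch. Importing the JCR type instead would keep the failure inside the checked exception contract, assuming the enclosing method, whose signature is outside the hunk, declares `RepositoryException`. ImportAbortTest catches the same `java.security` type and would need the matching import. The `switch` also has no `default`, so an `importBehavior` value outside the three constants leaves `principal` null with `ignore` false, and that null reaches `acl.addEntry` in `applyTo`. Adding `default: throw new IllegalStateException("Unsupported import behavior " + importBehavior);` makes that case fail closed.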
@@ -268,7 +286,11 @@ public class AccessControlImporter imple
private void applyTo(JackrabbitAccessControlList acl) throws RepositoryException {
checkNotNull(acl);
- acl.addEntry(principal, privileges.toArray(new Privilege[privileges.size()]), isAllow, restrictions);
+ if (!ignore) {
+ acl.addEntry(principal, privileges.toArray(new Privilege[privileges.size()]), isAllow, restrictions);
+ } else {
+ log.debug("Unknown principal: Ignore ACE based on ImportBehavior.IGNORE configuration.");
+ }
}
}
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java Wed Jan 22 17:21:14 2014
@@ -46,6 +46,7 @@ import com.google.common.collect.Lists;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
+import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
@@ -75,6 +76,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.apache.jackrabbit.oak.util.PropertyBuilder;
import org.apache.jackrabbit.oak.util.TreeUtil;
@@ -320,7 +322,7 @@ public class AccessControlManagerImpl ex
@Nonnull
@Override
public JackrabbitAccessControlPolicy[] getApplicablePolicies(@Nonnull Principal principal) throws RepositoryException {
- Util.checkValidPrincipal(principal, principalManager);
+ Util.checkValidPrincipal(principal, principalManager, true);
String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null;
JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal);
@@ -335,7 +337,7 @@ public class AccessControlManagerImpl ex
@Nonnull
@Override
public JackrabbitAccessControlPolicy[] getPolicies(@Nonnull Principal principal) throws RepositoryException {
- Util.checkValidPrincipal(principal, principalManager);
+ Util.checkValidPrincipal(principal, principalManager, true);
String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null;
JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal);
@@ -543,7 +545,7 @@ public class AccessControlManagerImpl ex
}
NodeACL(@Nullable String oakPath, @Nullable List<ACE> entries) {
- super(oakPath, entries, AccessControlManagerImpl.this.getNamePathMapper(), principalManager, getPrivilegeManager(), bitsProvider);
+ super(oakPath, entries, AccessControlManagerImpl.this.getNamePathMapper());
}
@Nonnull
@@ -558,6 +560,21 @@ public class AccessControlManagerImpl ex
}
@Override
+ void checkValidPrincipal(Principal principal) throws AccessControlException {
+ Util.checkValidPrincipal(principal, principalManager, ImportBehavior.BESTEFFORT != Util.getImportBehavior(getConfig()));
+ }
+
+ @Override
+ PrivilegeManager getPrivilegeManager() {
+ return AccessControlManagerImpl.this.getPrivilegeManager();
+ }
+
+ @Override
+ PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
+ return bitsProvider.getBits(privileges, getNamePathMapper());
+ }
+
+ @Override
public boolean equals(Object obj) {
if (obj == this) {
return true;
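Review bot: `NodeACL.checkValidPrincipal` switches the principal existence check off whenever the import behavior is BESTEFFORT, so a setting named for XML import now also decides what `addEntry` accepts through the API, and nothing at the call says so. A comment such as `// BESTEFFORT deliberately allows ACEs for principals that do not exist (yet); such an entry takes effect if a principal with that name is created later` would record the consequence for anyone auditing the configuration. `Util.getImportBehavior(getConfig())` is also looked up and parsed on every call; resolving it once would be enough if the configuration is fixed for the manager's lifetime, which the hunk does not show. `PrincipalACL.checkValidPrincipal` in the later hunk always passes `true`, which looks intentional but is equally undocumented.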
@@ -588,7 +605,7 @@ public class AccessControlManagerImpl ex
private PrincipalACL(@Nullable String oakPath, @Nonnull Principal principal,
@Nullable List<ACE> entries,
@Nonnull RestrictionProvider restrictionProvider) {
- super(oakPath, entries, AccessControlManagerImpl.this.getNamePathMapper(), principalManager, getPrivilegeManager(), bitsProvider);
+ super(oakPath, entries, AccessControlManagerImpl.this.getNamePathMapper());
this.principal = principal;
rProvider = restrictionProvider;
}
@@ -605,6 +622,21 @@ public class AccessControlManagerImpl ex
}
@Override
+ void checkValidPrincipal(Principal principal) throws AccessControlException {
+ Util.checkValidPrincipal(principal, principalManager, true);
+ }
+
+ @Override
+ PrivilegeManager getPrivilegeManager() {
+ return AccessControlManagerImpl.this.getPrivilegeManager();
+ }
+
+ @Override
+ PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
+ return bitsProvider.getBits(privileges, getNamePathMapper());
+ }
+
+ @Override
public void orderBefore(AccessControlEntry srcEntry, AccessControlEntry destEntry) throws RepositoryException {
throw new UnsupportedRepositoryOperationException("reordering is not supported");
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java Wed Jan 22 17:21:14 2014
@@ -26,8 +26,11 @@ import javax.jcr.security.AccessControlP
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
/**
* Implementation specific access control utility methods
@@ -40,12 +43,13 @@ final class Util implements AccessContro
private Util() {}
public static void checkValidPrincipal(@Nullable Principal principal,
- @Nonnull PrincipalManager principalManager) throws AccessControlException {
+ @Nonnull PrincipalManager principalManager,
+ boolean verifyExists) throws AccessControlException {
String name = (principal == null) ? null : principal.getName();
if (name == null || name.isEmpty()) {
throw new AccessControlException("Invalid principal " + name);
}
- if (!(principal instanceof PrincipalImpl) && !principalManager.hasPrincipal(name)) {
+ if (verifyExists && !(principal instanceof PrincipalImpl) && !principalManager.hasPrincipal(name)) {
throw new AccessControlException("Unknown principal " + name);
}
}
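Review bot: `checkValidPrincipal` gains a `verifyExists` flag but has no Javadoc, and the condition still exempts every `PrincipalImpl` from the `hasPrincipal` lookup even when `verifyExists` is true. If that exemption relies on `PrincipalImpl` instances only ever coming from a trusted principal provider, the documentation should say so, because the importer's BESTEFFORT branch in this same commit builds a `PrincipalImpl` from a name the principal manager could not resolve. I would add a Javadoc block covering the rejection of null and empty names, what `verifyExists` controls, the `PrincipalImpl` exemption and the `AccessControlException` that is thrown.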
@@ -56,7 +60,7 @@ final class Util implements AccessContro
throw new AccessControlException("Valid principals expected. Found null.");
}
for (Principal principal : principals) {
- checkValidPrincipal(principal, principalManager);
+ checkValidPrincipal(principal, principalManager, true);
}
}
@@ -112,4 +116,9 @@ final class Util implements AccessContro
}
return aceName;
}
+
+ public static int getImportBehavior(AuthorizationConfiguration config) {
+ String importBehaviorStr = config.getParameters().getConfigValue(ProtectedItemImporter.PARAM_IMPORT_BEHAVIOR, ImportBehavior.NAME_ABORT);
+ return ImportBehavior.valueFromString(importBehaviorStr);
+ }
}
\ No newline at end of file
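Review bot: `getImportBehavior` is a new public static helper with no Javadoc, although its fallback decides how strictly principals are validated. A short comment such as `/** Returns the configured import behavior; defaults to ImportBehavior.ABORT when the parameter is not set. */` would make the strict default explicit. What an unrecognised string maps to depends on `ImportBehavior.valueFromString`, which is not shown here, so the comment should state that as well once confirmed. `config` is dereferenced without a null check or `@Nonnull` annotation, unlike the other parameters in this class.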
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java Wed Jan 22 17:21:14 2014
@@ -100,7 +100,7 @@ public class ACLTest extends AbstractAcc
@Nonnull NamePathMapper namePathMapper,
final @Nonnull RestrictionProvider restrictionProvider) {
String path = (jcrPath == null) ? null : namePathMapper.getOakPathKeepIndex(jcrPath);
- return new ACL(path, entries, namePathMapper, principalManager, privilegeManager, getBitsProvider()) {
+ return new ACL(path, entries, namePathMapper) {
@Override
public RestrictionProvider getRestrictionProvider() {
return restrictionProvider;
@@ -110,6 +110,22 @@ public class ACLTest extends AbstractAcc
ACE createACE(Principal principal, PrivilegeBits privilegeBits, boolean isAllow, Set<Restriction> restrictions) throws RepositoryException {
return createEntry(principal, privilegeBits, isAllow, restrictions);
}
+
+ @Override
+ void checkValidPrincipal(Principal principal) throws AccessControlException {
+ Util.checkValidPrincipal(principal, principalManager, true);
+
+ }
+
+ @Override
+ PrivilegeManager getPrivilegeManager() {
+ return privilegeManager;
+ }
+
+ @Override
+ PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
+ return getBitsProvider().getBits(privileges, getNamePathMapper());
+ }
};
}
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java Wed Jan 22 17:21:14 2014
@@ -50,6 +50,7 @@ import org.apache.jackrabbit.JcrConstant
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
+import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.TestNameMapper;
import org.apache.jackrabbit.oak.api.ContentSession;
@@ -175,14 +176,30 @@ public class AccessControlManagerImplTes
private ACL createPolicy(@Nullable String path) {
final PrincipalManager pm = getPrincipalManager(root);
+ final PrivilegeManager pvMgr = getPrivilegeManager(root);
final RestrictionProvider rp = getRestrictionProvider();
- return new ACL(path, null, getNamePathMapper(), pm, AccessControlManagerImplTest.this.getPrivilegeManager(root), getBitsProvider()) {
+ return new ACL(path, null, getNamePathMapper()) {
@Override
ACE createACE(Principal principal, PrivilegeBits privilegeBits, boolean isAllow, Set<Restriction> restrictions) {
throw new UnsupportedOperationException();
}
+ @Override
+ void checkValidPrincipal(Principal principal) throws AccessControlException {
+ Util.checkValidPrincipal(principal, pm, true);
+ }
+
+ @Override
+ PrivilegeManager getPrivilegeManager() {
+ return pvMgr;
+ }
+
+ @Override
+ PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
+ return getBitsProvider().getBits(privileges, getNamePathMapper());
+ }
+
@Nonnull
@Override
public RestrictionProvider getRestrictionProvider() {
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java Wed Jan 22 17:21:14 2014
@@ -335,41 +335,6 @@ public class AccessControlImporterTest e
}
}
- public void testImportACLUnknown() throws Exception {
- try {
- Node target = createImportTarget();
-
- doImport(target.getPath(), XML_POLICY_TREE_4);
-
- String path = target.getPath();
-
- AccessControlManager acMgr = superuser.getAccessControlManager();
- AccessControlPolicy[] policies = acMgr.getPolicies(path);
-
- assertEquals(1, policies.length);
- assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
- AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
- assertEquals(2, entries.length);
-
- AccessControlEntry entry = entries[0];
- assertEquals("unknownprincipal", entry.getPrincipal().getName());
- assertEquals(1, entry.getPrivileges().length);
- assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
- entry = entries[1];
- assertEquals("admin", entry.getPrincipal().getName());
- assertEquals(1, entry.getPrivileges().length);
- assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
- if (entry instanceof JackrabbitAccessControlEntry) {
- assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
- }
- } finally {
- superuser.refresh(false);
- }
- }
-
/**
* Imports a resource-based ACL containing a single entry for a policy that
* already exists: expected outcome its that the existing ACE is replaced.
Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java?rev=1560428&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java (added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java Wed Jan 22 17:21:14 2014
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import java.security.AccessControlException;
+
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.junit.Test;
+
+import static org.junit.Assert.fail;
+
+public class ImportAbortTest extends ImportIgnoreTest {
+
+ protected String getImportBehavior() {
+ return ImportBehavior.NAME_ABORT;
+ }
+
+ @Test
+ public void testImportUnknownPrincipal() throws Exception {
+ try {
+ runImport();
+ fail("Import with unknown principal must fail.");
+ } catch (AccessControlException e) {
+ // success
+ }
+ }
+}
Propchange: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java
------------------------------------------------------------------------------
svn:executable = *
Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java?rev=1560428&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java (added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java Wed Jan 22 17:21:14 2014
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import java.security.Principal;
+import javax.jcr.RepositoryException;
+import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.AccessControlPolicy;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+public class ImportBesteffortTest extends ImportIgnoreTest {
+
+ protected String getImportBehavior() {
+ return ImportBehavior.NAME_BESTEFFORT;
+ }
+
+ @Test
+ public void testImportUnknownPrincipal() throws Exception {
+ runImport();
+
+ AccessControlManager acMgr = adminSession.getAccessControlManager();
+ AccessControlPolicy[] policies = acMgr.getPolicies(target.getPath());
+
+ assertEquals(1, policies.length);
+ assertTrue(policies[0] instanceof JackrabbitAccessControlList);
+
+ AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
+ assertEquals(1, entries.length);
+
+ AccessControlEntry entry = entries[0];
+ assertEquals("unknownprincipal", entry.getPrincipal().getName());
+ assertEquals(1, entry.getPrivileges().length);
+ assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
+
+ if (entry instanceof JackrabbitAccessControlEntry) {
+ assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
+ }
+ }
+
+ @Test
+ public void testAddEntry() throws RepositoryException {
+ Principal unknown = new Principal() {
+ @Override
+ public String getName() {
+ return "anotherUnknown";
+ }
+ };
+ AccessControlUtils.addAccessControlEntry(adminSession, target.getPath(), unknown, new String[] {Privilege.JCR_READ}, true);
+ }
+}
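Review bot: `testAddEntry` asserts nothing: it passes as soon as `AccessControlUtils.addAccessControlEntry` returns without throwing, so it would not notice the entry being dropped silently. Reading the policy back as `testImportUnknownPrincipal` does and asserting that one entry names `anotherUnknown` would pin the BESTEFFORT API behaviour this commit introduces. `getImportBehavior()` here and in ImportAbortTest presumably overrides the method in ImportIgnoreTest and could carry `@Override`, so that a rename in the parent cannot silently turn these into tests of the default behaviour.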
Propchange: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java
------------------------------------------------------------------------------
svn:executable = *
Copied: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportIgnoreTest.java (from r1559977, jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportIgnoreTest.java?p2=jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportIgnoreTest.java&p1=jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java&r1=1559977&r2=1560428&rev=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportIgnoreTest.java Wed Jan 22 17:21:14 2014
@@ -19,100 +19,36 @@ package org.apache.jackrabbit.oak.jcr.se
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
-import java.security.Principal;
-import java.util.Arrays;
-import java.util.List;
-import javax.annotation.Nullable;
+import java.util.HashMap;
+import java.util.Map;
import javax.jcr.ImportUUIDBehavior;
import javax.jcr.Node;
+import javax.jcr.Repository;
import javax.jcr.RepositoryException;
-import javax.jcr.security.AccessControlEntry;
-import javax.jcr.security.AccessControlException;
+import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
-import javax.jcr.security.AccessControlPolicyIterator;
-import javax.jcr.security.Privilege;
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
-import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
-import org.apache.jackrabbit.test.AbstractJCRTest;
-
-public class AccessControlImporterTest extends AbstractJCRTest {
-
- public static final String XML_POLICY_TREE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
- "<sv:node sv:name=\"test\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
- " <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>nt:unstructured</sv:value></sv:property>" +
- " <sv:property sv:name=\"jcr:mixinTypes\" sv:type=\"Name\">" +
- " <sv:value>rep:AccessControllable</sv:value>" +
- " </sv:property>" +
- " <sv:node sv:name=\"rep:policy\">" +
- " <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:ACL</sv:value></sv:property>" +
- " <sv:node sv:name=\"allow\">" +
- " <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
- " <sv:value>rep:GrantACE</sv:value>" +
- " </sv:property>" +
- " <sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
- " <sv:value>everyone</sv:value>" +
- " </sv:property>" +
- " <sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
- " <sv:value>jcr:write</sv:value>" +
- " </sv:property>" +
- " </sv:node>" +
- " </sv:node>" +
- "</sv:node>";
+import com.google.common.collect.ImmutableMap;
+import org.apache.jackrabbit.oak.jcr.Jcr;
+import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
- public static final String XML_POLICY_TREE_2 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
- "<sv:node sv:name=\"rep:policy\" " +
- "xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
- "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
- "<sv:value>rep:ACL</sv:value>" +
- "</sv:property>" +
- "<sv:node sv:name=\"allow\">" +
- "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
- "<sv:value>rep:GrantACE</sv:value>" +
- "</sv:property>" +
- "<sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
- "<sv:value>everyone</sv:value>" +
- "</sv:property>" +
- "<sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
- "<sv:value>jcr:write</sv:value>" +
- "</sv:property>" +
- "</sv:node>" +
- "</sv:node>";
+import static org.junit.Assert.assertEquals;
- public static final String XML_POLICY_TREE_3 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
- "<sv:node sv:name=\"rep:policy\" " +
- "xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
- "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
- "<sv:value>rep:ACL</sv:value>" +
- "</sv:property>" +
- "<sv:node sv:name=\"allow\">" +
- "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
- "<sv:value>rep:GrantACE</sv:value>" +
- "</sv:property>" +
- "<sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
- "<sv:value>everyone</sv:value>" +
- "</sv:property>" +
- "<sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
- "<sv:value>jcr:write</sv:value>" +
- "</sv:property>" +
- "</sv:node>" +
- "<sv:node sv:name=\"allow0\">" +
- "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
- "<sv:value>rep:GrantACE</sv:value>" +
- "</sv:property>" +
- "<sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
- "<sv:value>admin</sv:value>" +
- "</sv:property>" +
- "<sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
- "<sv:value>jcr:write</sv:value>" +
- "</sv:property>" +
- "</sv:node>" +
- "</sv:node>";
+public class ImportIgnoreTest {
- public static final String XML_POLICY_TREE_4 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+ private static final String XML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<sv:node sv:name=\"rep:policy\" " +
"xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
"<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
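Review bot: `ImportIgnoreTest` and its `XML` fixture have no comment saying what is being verified, and the descriptive constant names of `AccessControlImporterTest` are gone from this copy. A class Javadoc such as `/** Imports an ACL whose entry names an unknown principal with ImportBehavior.NAME_IGNORE and expects the entry to be skipped (OAK-1350). */` would state the access-control expectation up front. The fixture's `rep:principalName` value is not visible in this hunk, so that wording should be checked against it. The initializer of `XML` continues past the end of the hunk.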
@@ -129,378 +65,68 @@ public class AccessControlImporterTest e
"<sv:value>jcr:write</sv:value>" +
"</sv:property>" +
"</sv:node>" +
- "<sv:node sv:name=\"allow0\">" +
- "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
- "<sv:value>rep:GrantACE</sv:value>" +
- "</sv:property>" +
- "<sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
- "<sv:value>admin</sv:value>" +
- "</sv:property>" +
- "<sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
- "<sv:value>jcr:write</sv:value>" +
- "</sv:property>" +
- "</sv:node>" +
- "</sv:node>";
-
- public static final String XML_POLICY_TREE_5 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
- "<sv:node sv:name=\"rep:policy\" " +
- "xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
- "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
- "<sv:value>rep:ACL</sv:value>" +
- "</sv:property>" +
- "<sv:node sv:name=\"allow0\">" +
- "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
- "<sv:value>rep:GrantACE</sv:value>" +
- "</sv:property>" +
- "<sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
- "<sv:value>admin</sv:value>" +
- "</sv:property>" +
- "<sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
- "<sv:value>jcr:write</sv:value>" +
- "</sv:property>" +
- "</sv:node>" +
- "</sv:node>";
-
- public static final String XML_REPO_POLICY_TREE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
- "<sv:node sv:name=\"rep:repoPolicy\" " +
- "xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
- "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
- "<sv:value>rep:ACL</sv:value>" +
- "</sv:property>" +
- "<sv:node sv:name=\"allow\">" +
- "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
- "<sv:value>rep:GrantACE</sv:value>" +
- "</sv:property>" +
- "<sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
- "<sv:value>admin</sv:value>" +
- "</sv:property>" +
- "<sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
- "<sv:value>jcr:workspaceManagement</sv:value>" +
- "</sv:property>" +
- "</sv:node>" +
"</sv:node>";
- public static final String XML_POLICY_ONLY = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
- "<sv:node sv:name=\"test\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
- " <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>nt:unstructured</sv:value></sv:property>" +
- " <sv:property sv:name=\"jcr:mixinTypes\" sv:type=\"Name\">" +
- " <sv:value>rep:AccessControllable</sv:value>" +
- " </sv:property>" +
- " <sv:node sv:name=\"rep:policy\">" +
- " <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:ACL</sv:value></sv:property>" +
- " </sv:node>" +
- "</sv:node>";
+ private Repository repo;
+ protected Session adminSession;
+ protected Node target;
+
+ @Before
+ public void before() throws Exception {
+ String importBehavior = getImportBehavior();
+ SecurityProvider securityProvider;
+ if (importBehavior != null) {
+ Map<String, String> params = new HashMap<String, String>();
+ params.put(ProtectedItemImporter.PARAM_IMPORT_BEHAVIOR, getImportBehavior());
+ ConfigurationParameters config = ConfigurationParameters.of(ImmutableMap.of(AuthorizationConfiguration.NAME, ConfigurationParameters.of(params)));
- protected void doImport(String parentPath, String xml) throws IOException, RepositoryException {
- InputStream in = new ByteArrayInputStream(xml.getBytes("UTF-8"));
- if (isSessionImport()) {
- superuser.importXML(parentPath, in, ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW);
+ securityProvider = new SecurityProviderImpl(config);
} else {
- superuser.save();
- superuser.getWorkspace().importXML(parentPath, in, ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW);
+ securityProvider = new SecurityProviderImpl();
}
- }
-
- protected boolean isSessionImport() {
- return true;
- }
+ Jcr jcr = new Jcr();
+ jcr.with(securityProvider);
+ repo = jcr.createRepository();
+ adminSession = repo.login(new SimpleCredentials(UserConstants.DEFAULT_ADMIN_ID, UserConstants.DEFAULT_ADMIN_ID.toCharArray()));
- private Node createImportTarget() throws RepositoryException {
- Node target = testRootNode.addNode(nodeName1);
+ target = adminSession.getRootNode().addNode("nodeName1");
target.addMixin("rep:AccessControllable");
- if (!isSessionImport()) {
- superuser.save();
- }
- return target;
- }
-
- private Node createImportTargetWithPolicy(@Nullable Principal principal) throws RepositoryException {
- Node target = testRootNode.addNode("test", "test:sameNameSibsFalseChildNodeDefinition");
- AccessControlManager acMgr = superuser.getAccessControlManager();
- for (AccessControlPolicyIterator it = acMgr.getApplicablePolicies(target.getPath()); it.hasNext(); ) {
- AccessControlPolicy policy = it.nextAccessControlPolicy();
- if (policy instanceof AccessControlList) {
- if (principal != null) {
- Privilege[] privs = new Privilege[]{acMgr.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)};
- ((AccessControlList) policy).addAccessControlEntry(principal, privs);
- }
- acMgr.setPolicy(target.getPath(), policy);
- }
- }
- if (!isSessionImport()) {
- superuser.save();
- }
- return target;
- }
-
- /**
- * Imports a resource-based ACL containing a single entry.
- *
- * @throws Exception
- */
- public void testImportACL() throws Exception {
- try {
- Node target = testRootNode;
- doImport(target.getPath(), XML_POLICY_TREE);
-
- assertTrue(target.hasNode("test"));
- String path = target.getNode("test").getPath();
-
- AccessControlManager acMgr = superuser.getAccessControlManager();
- AccessControlPolicy[] policies = acMgr.getPolicies(path);
-
- assertEquals(1, policies.length);
- assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
- AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
- assertEquals(1, entries.length);
-
- AccessControlEntry entry = entries[0];
- assertEquals("everyone", entry.getPrincipal().getName());
- assertEquals(1, entry.getPrivileges().length);
- assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
- if (entry instanceof JackrabbitAccessControlEntry) {
- assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
- }
-
- } finally {
- superuser.refresh(false);
- }
+ adminSession.save();
}
- public void testImportACLOnly() throws Exception {
- try {
- Node target = createImportTarget();
-
- doImport(target.getPath(), XML_POLICY_TREE_3);
-
- String path = target.getPath();
-
- AccessControlManager acMgr = superuser.getAccessControlManager();
- AccessControlPolicy[] policies = acMgr.getPolicies(path);
-
- assertEquals(1, policies.length);
- assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
- AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
- assertEquals(2, entries.length);
-
- AccessControlEntry entry = entries[0];
- assertEquals("everyone", entry.getPrincipal().getName());
- assertEquals(1, entry.getPrivileges().length);
- assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
- entry = entries[1];
- assertEquals("admin", entry.getPrincipal().getName());
- assertEquals(1, entry.getPrivileges().length);
- assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
- if (entry instanceof JackrabbitAccessControlEntry) {
- assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
- }
- } finally {
- superuser.refresh(false);
+ @After
+ public void after() throws Exception {
+ if (adminSession != null) {
+ adminSession.refresh(false);
+ adminSession.logout();
}
+ repo = null;
}
- public void testImportACLRemoveACE() throws Exception {
- try {
- Node target = createImportTarget();
-
- doImport(target.getPath(), XML_POLICY_TREE_3);
- doImport(target.getPath(), XML_POLICY_TREE_5);
-
- String path = target.getPath();
-
- AccessControlManager acMgr = superuser.getAccessControlManager();
- AccessControlPolicy[] policies = acMgr.getPolicies(path);
-
- assertEquals(1, policies.length);
- assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
- AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
- assertEquals(1, entries.length);
-
- AccessControlEntry entry = entries[0];
- assertEquals("admin", entry.getPrincipal().getName());
- assertEquals(1, entry.getPrivileges().length);
- assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
- if (entry instanceof JackrabbitAccessControlEntry) {
- assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
- }
- } finally {
- superuser.refresh(false);
- }
+ protected String getImportBehavior() {
+ return ImportBehavior.NAME_IGNORE;
}
- public void testImportACLUnknown() throws Exception {
- try {
- Node target = createImportTarget();
-
- doImport(target.getPath(), XML_POLICY_TREE_4);
-
- String path = target.getPath();
+ protected void runImport() throws RepositoryException, IOException {
+ String path = target.getPath();
- AccessControlManager acMgr = superuser.getAccessControlManager();
- AccessControlPolicy[] policies = acMgr.getPolicies(path);
+ InputStream in = new ByteArrayInputStream(XML.getBytes("UTF-8"));
+ adminSession.importXML(target.getPath(), in, ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW);
- assertEquals(1, policies.length);
- assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
- AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
- assertEquals(2, entries.length);
-
- AccessControlEntry entry = entries[0];
- assertEquals("unknownprincipal", entry.getPrincipal().getName());
- assertEquals(1, entry.getPrivileges().length);
- assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
- entry = entries[1];
- assertEquals("admin", entry.getPrincipal().getName());
- assertEquals(1, entry.getPrivileges().length);
- assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
- if (entry instanceof JackrabbitAccessControlEntry) {
- assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
- }
- } finally {
- superuser.refresh(false);
- }
}
- /**
- * Imports a resource-based ACL containing a single entry for a policy that
- * already exists: expected outcome its that the existing ACE is replaced.
- */
- public void testImportPolicyExists() throws Exception {
+ @Test
+ public void testImportUnknownPrincipal() throws Exception {
try {
- Node target = createImportTargetWithPolicy(EveryonePrincipal.getInstance());
- doImport(target.getPath(), XML_POLICY_TREE_2);
+ runImport();
- AccessControlManager acMgr = superuser.getAccessControlManager();
+ AccessControlManager acMgr = adminSession.getAccessControlManager();
AccessControlPolicy[] policies = acMgr.getPolicies(target.getPath());
- assertEquals(1, policies.length);
- assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
- AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
- assertEquals(1, entries.length);
-
- AccessControlEntry entry = entries[0];
- assertEquals(EveryonePrincipal.getInstance(), entry.getPrincipal());
- List<Privilege> privs = Arrays.asList(entry.getPrivileges());
- assertEquals(1, privs.size());
- assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
- if (entry instanceof JackrabbitAccessControlEntry) {
- assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
- }
- } finally {
- superuser.refresh(false);
- }
- }
-
- /**
- * Imports an empty resource-based ACL for a policy that already exists.
- *
- * @throws Exception
- */
- public void testImportEmptyExistingPolicy() throws Exception {
- try {
- Node target = createImportTargetWithPolicy(null);
- doImport(target.getPath(), XML_POLICY_ONLY);
-
- AccessControlPolicy[] policies = superuser.getAccessControlManager().getPolicies(target.getPath());
-
- assertEquals(1, policies.length);
- assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
- AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
- assertEquals(0, entries.length);
-
- } finally {
- superuser.refresh(false);
- }
- }
-
- /**
- * Repo level acl must be imported underneath the root node.
- *
- * @throws Exception
- */
- public void testImportRepoACLAtRoot() throws Exception {
- Node target = superuser.getRootNode();
- AccessControlManager acMgr = superuser.getAccessControlManager();
- try {
- // need to add mixin. in contrast to only using JCR API to retrieve
- // and set the policies the protected item import only is called if
- // the node to be imported is defined to be protected. however, if
- // the root node doesn't have the mixin assigned the defining node
- // type of the imported policy nodes will be rep:root (unstructured)
- // and the items will not be detected as being protected.
- target.addMixin("rep:RepoAccessControllable");
- if (!isSessionImport()) {
- superuser.save();
- }
-
- doImport(target.getPath(), XML_REPO_POLICY_TREE);
-
- AccessControlPolicy[] policies = acMgr.getPolicies(null);
assertEquals(1, policies.length);
- assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
- AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
- assertEquals(1, entries.length);
- assertEquals(1, entries[0].getPrivileges().length);
- assertEquals(acMgr.privilegeFromName("jcr:workspaceManagement"), entries[0].getPrivileges()[0]);
-
- assertTrue(target.hasNode("rep:repoPolicy"));
- assertTrue(target.hasNode("rep:repoPolicy/allow"));
-
- // clean up again
- acMgr.removePolicy(null, policies[0]);
- assertFalse(target.hasNode("rep:repoPolicy"));
- assertFalse(target.hasNode("rep:repoPolicy/allow"));
-
- } finally {
- if (isSessionImport()) {
- superuser.refresh(false);
- } else {
- superuser.save();
- }
- assertEquals(0, acMgr.getPolicies(null).length);
- }
- }
-
- /**
- * Make sure repo-level acl is not imported below any other node than the
- * root node.
- *
- * @throws Exception
- */
- public void testImportRepoACLAtTestNode() throws Exception {
- try {
- Node target = testRootNode.addNode("test");
- target.addMixin("rep:RepoAccessControllable");
-
- doImport(target.getPath(), XML_REPO_POLICY_TREE);
-
- assertTrue(target.hasNode("rep:repoPolicy"));
- assertFalse(target.hasNode("rep:repoPolicy/allow0"));
-
- Node n = target.getNode("rep:repoPolicy");
- assertEquals("rep:RepoAccessControllable", n.getDefinition().getDeclaringNodeType().getName());
-
- try {
- superuser.save();
- fail("Importing repo policy to non-root node must fail");
- } catch (AccessControlException e) {
- // success
- }
+ assertEquals(0, ((AccessControlList) policies[0]).getAccessControlEntries().length);
} finally {
- superuser.refresh(false);
+ adminSession.refresh(false);
}
}
}
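Review bot: The zero-entries assertion in `testImportUnknownPrincipal` cannot tell "the unknown-principal ACE was ignored" from "the importer dropped every ACE". This hunk removes the `allow0` entry for `admin`, which appears to leave a single entry in the `XML` fixture; its `rep:principalName` value sits between the two hunks and is not visible here. For an access-control importer the distinction matters, because a regression that silently discards valid entries would still pass. Keeping one entry for a principal the repository knows and asserting `assertEquals(1, ((AccessControlList) policies[0]).getAccessControlEntries().length);`, plus a check of that entry's principal name, would pin the intended behaviour. Separately, `String path = target.getPath();` in `runImport()` is never read, and `before()` calls `getImportBehavior()` a second time instead of reusing `importBehavior`.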