Posted to commits@sling.apache.org by bd...@apache.org on 2020/04/30 14:56:35 UTC

[sling-org-apache-sling-jcr-repoinit] branch master updated: SLING-9412 : AclUtil.containsEquivalentEntry should not fail if no such node exists

This is an automated email from the ASF dual-hosted git repository.

bdelacretaz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-repoinit.git


The following commit(s) were added to refs/heads/master by this push:
     new fee4928  SLING-9412 : AclUtil.containsEquivalentEntry should not fail if no such node exists
     new db2f274  Merge pull request #11 from anchela/SLING-9412
fee4928 is described below

commit fee49281302d23316a8ced1783cbe79c7510bbb9
Author: angela <an...@adobe.com>
AuthorDate: Thu Apr 30 16:00:35 2020 +0200

    SLING-9412 : AclUtil.containsEquivalentEntry should not fail if no such node exists
---
 .../apache/sling/jcr/repoinit/impl/AclUtil.java    |  7 ++++++-
 .../sling/jcr/repoinit/PrincipalBasedAclTest.java  | 24 ++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java b/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java
index cd9907a..6c568fa 100644
--- a/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java
+++ b/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java
@@ -185,7 +185,8 @@ public class AclUtil {
             Privilege[] privileges = AccessControlUtils.privilegesFromNames(session, line.getProperty(PROP_PRIVILEGES).toArray(new String[0]));
             for (String effectivePath : getJcrPaths(session, line.getProperty(PROP_PATHS))) {
                 if (acl == null) {
-                    // no PrincipalAccessControlList available: don't fail if an equivalent path-based entry with the same definition exists.
+                    // no PrincipalAccessControlList available: don't fail if an equivalent path-based entry with the same definition exists
+                    // or if there exists no node at the effective path (unable to evaluate path-based entries).
                     LOG.info("No PrincipalAccessControlList available for principal {}", principal);
                     checkState(containsEquivalentEntry(session, effectivePath, principal, privileges, true, line.getRestrictions()), "No PrincipalAccessControlList available for principal '" + principal + "'.");
                 } else {
@@ -257,6 +258,10 @@ public class AclUtil {
     }
 
     private static boolean containsEquivalentEntry(Session session, String absPath, Principal principal, Privilege[] privileges, boolean isAllow, List<RestrictionClause> restrictionList) throws RepositoryException {
+        if (absPath != null && !session.nodeExists(absPath)) {
+            LOG.info("Cannot determine existence of equivalent path-based entry for principal {}. No node at path {} ", principal.getName(), absPath);
+            return true;
+        }
         for (AccessControlPolicy policy : session.getAccessControlManager().getPolicies(absPath)) {
             if (policy instanceof JackrabbitAccessControlList) {
                 LocalRestrictions lr = createLocalRestrictions(restrictionList, ((JackrabbitAccessControlList) policy), session);
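Review bot: The new early `return true` in `containsEquivalentEntry` lets the caller's `checkState` pass when `session.nodeExists(absPath)` is false, even though no access control entry was written and no path-based equivalent was checked. A `set principal ACL` statement for a path that does not exist yet is therefore dropped, and nothing visible here re-applies it if the node is created later. The only trace is an INFO line, which is easy to miss in a permission setup; I would raise it to WARN and say that the entry was skipped, e.g. `LOG.warn("No node at path {}: ACL entry for principal {} was not applied and no equivalent path-based entry could be verified", absPath, principal.getName());`. The method name now overstates what `true` means, so a short Javadoc saying it also covers "could not be evaluated" would help future callers. The method body continues outside the hunk.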
diff --git a/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java b/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java
index bcb11c0..19a1270 100644
--- a/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java
+++ b/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java
@@ -588,6 +588,30 @@ public class PrincipalBasedAclTest {
     }
 
     @Test
+    public void  principalAclNotAvailableNonExistingNode() throws Exception {
+        JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) adminSession.getAccessControlManager();
+        try {
+            // create service user outside of supported tree for principal-based access control
+            U.parseAndExecute("create service user otherSystemPrincipal");
+
+            // setting up principal-acl will not succeed (principal not located below supported path)
+            // but since the target node does not exist we cannot verify if an equivalent resource-based ac-setup exists
+            // (AccessControlManager.getPolicies would fail with PathNotFoundException) => relaxed behavior (SLING-9412)
+            String setup = "set principal ACL for otherSystemPrincipal \n"
+                    + "allow jcr:read on /non/existing/path\n"
+                    + "end";
+            U.parseAndExecute(setup);
+
+            Principal principal = adminSession.getUserManager().getAuthorizable("otherSystemPrincipal").getPrincipal();
+            for (AccessControlPolicy policy : acMgr.getPolicies(principal)) {
+                assertFalse(policy instanceof PrincipalAccessControlList);
+            }
+        } finally {
+            U.cleanupServiceUser("otherSystemPrincipal");
+        }
+    }
+
+    @Test
     public void testHomePath() throws Exception {
         UserManager uMgr = ((JackrabbitSession) U.adminSession).getUserManager();
         Authorizable a = uMgr.getAuthorizable(U.username);
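Review bot: The loop in `principalAclNotAvailableNonExistingNode` passes vacuously when `acMgr.getPolicies(principal)` returns an empty array, so the test mainly proves that `U.parseAndExecute(setup)` no longer throws. It does not pin that the relaxed path left no state behind. Adding `assertFalse(adminSession.nodeExists("/non/existing/path"));` after the `parseAndExecute` call would document that the statement is skipped rather than creating the node, assuming `adminSession` is a JCR `Session` as its use here suggests. Minor style: `public void  principalAclNotAvailableNonExistingNode` has a doubled space. The following `testHomePath` method continues outside the hunk.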