You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by md...@apache.org on 2013/05/23 13:27:16 UTC
svn commit: r1485648 - in /jackrabbit/oak/trunk:
oak-core/src/main/java/org/apache/jackrabbit/oak/core/
oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/
oak-core/src/test/java/org/apache/jackrabbit/oak/security/author...
Author: mduerig
Date: Thu May 23 11:27:15 2013
New Revision: 1485648
URL: http://svn.apache.org/r1485648
Log:
OAK-709: Consider moving permission evaluation to the node state level
OAK-781: Clarify / fix effects of MISSING_NODE as base state of NodeBuilder
Correctly handle the case where a node is deleted and has child nodes that are not visible due to access control: also delete those child nodes.
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecuredNodeRebaseDiff.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/Jr2CompatibilityTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java
jackrabbit/oak/trunk/oak-jcr/pom.xml
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecuredNodeRebaseDiff.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecuredNodeRebaseDiff.java?rev=1485648&r1=1485647&r2=1485648&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecuredNodeRebaseDiff.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecuredNodeRebaseDiff.java Thu May 23 11:27:15 2013
@@ -29,10 +29,7 @@ import org.apache.jackrabbit.oak.spi.sta
* {@link org.apache.jackrabbit.oak.spi.state.NodeStateDiff}
* for applying changes made on top of secure node states
* to a node builder for the underlying non secure node state
- * of the before state. That is, the only expected conflicts
- * are adding an existing property and adding an existing node.
- * These conflicts correspond to the shadowing of hidden properties
- * and nodes in transient space, respectively.
+ * of the before state.
*
* @see SecureNodeState
*/
@@ -65,6 +62,12 @@ class SecuredNodeRebaseDiff extends Abst
return new SecuredNodeRebaseDiff(builder.child(name));
}
+ /**
+ * This conflict corresponds to the shadowing of an invisible property.
+ * @param builder parent builder
+ * @param before existing property
+ * @param after added property
+ */
@Override
protected void addExistingProperty(NodeBuilder builder, PropertyState before, PropertyState after) {
builder.setProperty(after);
@@ -91,6 +94,12 @@ class SecuredNodeRebaseDiff extends Abst
throw new IllegalStateException("Unexpected conflict: delete changed property: " + before);
}
+ /**
+ * This conflict corresponds to the shadowing of an invisible node
+ * @param builder parent builder
+ * @param before existing property
+ * @param after added property
+ */
@Override
protected void addExistingNode(NodeBuilder builder, String name, NodeState before, NodeState after) {
// FIXME (OAK-709) after might be a secured node instead of the underlying non secured node.
@@ -111,11 +120,15 @@ class SecuredNodeRebaseDiff extends Abst
name + " : " + before);
}
+ /**
+ * This conflict occurs when deleting a node that has an invisible child node.
+ * @param builder parent builder
+ * @param name
+ * @param before deleted node
+ */
@Override
protected void deleteChangedNode(NodeBuilder builder, String name, NodeState before) {
- // FIXME Should never be called. OAK-781 should fix this.
-// throw new IllegalStateException("Unexpected conflict: delete changed node: " +
-// name + " : " + before);
+ builder.removeChildNode(name);
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/Jr2CompatibilityTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/Jr2CompatibilityTest.java?rev=1485648&r1=1485647&r2=1485648&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/Jr2CompatibilityTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/Jr2CompatibilityTest.java Thu May 23 11:27:15 2013
@@ -16,8 +16,13 @@
*/
package org.apache.jackrabbit.oak.security.authorization.evaluation;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
import java.util.Collections;
import java.util.Map;
+
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
@@ -30,19 +35,14 @@ import org.apache.jackrabbit.commons.jac
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
-import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.junit.After;
import org.junit.Before;
-import org.junit.Ignore;
import org.junit.Test;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
/**
* Test compatibility with Jackrabbit 2.x using the
* {@link AccessControlConstants#PARAM_PERMISSIONS_JR2} configuration parameter.
@@ -113,7 +113,6 @@ public class Jr2CompatibilityTest extend
}
}
- @Ignore("OAK-781") // FIXME
@Test
public void testRemoveNodeWithJr2Flag() throws Exception {
/* allow READ/WRITE privilege for testUser at 'path' */
@@ -137,7 +136,6 @@ public class Jr2CompatibilityTest extend
}
}
- @Ignore("OAK-781") // FIXME
@Test
public void testRemoveNodeWithJr2Flag2() throws Exception {
/* allow READ/WRITE privilege for testUser at 'path' */
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java?rev=1485648&r1=1485647&r2=1485648&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java Thu May 23 11:27:15 2013
@@ -16,12 +16,19 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
+
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
@@ -35,24 +42,17 @@ import org.apache.jackrabbit.oak.api.Con
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
-import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
+import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.junit.After;
import org.junit.Before;
-import org.junit.Ignore;
import org.junit.Test;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
/**
* Testing the {@code PermissionHook}
*/
@@ -86,6 +86,7 @@ public class PermissionHookTest extends
bitsProvider = new PrivilegeBitsProvider(root);
}
+ @Override
@After
public void after() throws Exception {
try {
@@ -164,7 +165,7 @@ public class PermissionHookTest extends
NodeUtil node = new NodeUtil(testAce);
NodeUtil restrictions = node.addChild(REP_RESTRICTIONS, NT_REP_RESTRICTIONS);
restrictions.setString(REP_GLOB, "*");
- String restritionsPath = restrictions.getTree().getPath();
+ String restrictionsPath = restrictions.getTree().getPath();
root.commit();
Tree principalRoot = getPrincipalRoot(testPrincipalName);
@@ -172,7 +173,7 @@ public class PermissionHookTest extends
assertEquals("*", principalRoot.getChildren().iterator().next().getProperty(REP_GLOB).getValue(Type.STRING));
// modify the restrictions node
- Tree restrictionsNode = root.getTree(restritionsPath);
+ Tree restrictionsNode = root.getTree(restrictionsPath);
restrictionsNode.setProperty(REP_GLOB, "/*/jcr:content/*");
root.commit();
@@ -181,7 +182,7 @@ public class PermissionHookTest extends
assertEquals("/*/jcr:content/*", principalRoot.getChildren().iterator().next().getProperty(REP_GLOB).getValue(Type.STRING));
// remove the restriction again
- root.getTree(restritionsPath).remove();
+ root.getTree(restrictionsPath).remove();
root.commit();
principalRoot = getPrincipalRoot(testPrincipalName);
@@ -327,7 +328,6 @@ public class PermissionHookTest extends
}
}
- @Ignore("OAK-781") // FIXME
@Test
public void testImplicitAceRemoval() throws Exception {
AccessControlManager acMgr = getAccessControlManager(root);
Modified: jackrabbit/oak/trunk/oak-jcr/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/pom.xml?rev=1485648&r1=1485647&r2=1485648&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-jcr/pom.xml Thu May 23 11:27:15 2013
@@ -291,9 +291,6 @@
org.apache.jackrabbit.test.api.lock.LockTest#testCheckedInUnlock
org.apache.jackrabbit.test.api.observation.GetUserDataTest#testVersioning
- org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testRemove5 <!-- OAK-781 -->
- org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testRemove6 <!-- OAK-781 -->
- org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testRemove7 <!-- OAK-781 -->
org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testRemoveIfReadingParentIsDenied <!-- OAK-813 -->
org.apache.jackrabbit.oak.jcr.security.authorization.AccessControlManagementTest#testRemoveMixin <!-- OAK-767 -->
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java?rev=1485648&r1=1485647&r2=1485648&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java Thu May 23 11:27:15 2013
@@ -19,6 +19,7 @@ package org.apache.jackrabbit.oak.jcr.se
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
+
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.Session;
@@ -166,7 +167,6 @@ public class WriteTest extends AbstractE
testSession.save();
}
- @Ignore("OAK-781") // FIXME
@Test
public void testRemove5() throws Exception {
// add 'remove_node' privilege at 'childNPath'
@@ -209,7 +209,6 @@ public class WriteTest extends AbstractE
}
}
- @Ignore("OAK-781") // FIXME
@Test
public void testRemove6() throws Exception {
// add 'remove_child_nodes' and 'remove_node' privilege at 'path'
@@ -271,7 +270,6 @@ public class WriteTest extends AbstractE
}
}
- @Ignore("OAK-781") // FIXME
@Test
public void testRemove7() throws Exception {
Privilege[] rmChildNodes = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
@@ -298,7 +296,7 @@ public class WriteTest extends AbstractE
assertTrue(testAcMgr.hasPrivileges(childNPath, new Privilege[] {rmChildNodes[0], rmNode[0]}));
try {
testSession.getNode(childNPath).remove();
- superuser.save();
+ testSession.save();
fail("Removal must fail");
} catch (AccessDeniedException e) {
// success