You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/04/23 15:39:49 UTC
svn commit: r1470949 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/
test/java/org/apache/jackrabbit/oak/
test/java/org/apache/jackrabbit/oak/security/authorization/
test/java/org/apache/jackrabbit/o...
Author: angela
Date: Tue Apr 23 13:39:49 2013
New Revision: 1470949
URL: http://svn.apache.org/r1470949
Log:
OAK-51 : Access Control Management (tests, minor improvement)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACLTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java?rev=1470949&r1=1470948&r2=1470949&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java Tue Apr 23 13:39:49 2013
@@ -44,6 +44,7 @@ import org.apache.jackrabbit.oak.securit
import org.apache.jackrabbit.oak.spi.security.authorization.ACE;
import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlList;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -108,6 +109,12 @@ abstract class ACL extends AbstractAcces
throw new AccessControlException(msg);
}
+ for (RestrictionDefinition def : getRestrictionProvider().getSupportedRestrictions(getOakPath())) {
+ if (def.isMandatory() && (restrictions == null || !restrictions.containsKey(def.getJcrName()))) {
+ throw new AccessControlException("Mandatory restriction " +def.getJcrName()+ " is missing.");
+ }
+ }
+
Set<Restriction> rs;
if (restrictions == null) {
rs = Collections.emptySet();
@@ -117,6 +124,7 @@ abstract class ACL extends AbstractAcces
rs.add(getRestrictionProvider().createRestriction(getOakPath(), name, restrictions.get(name)));
}
}
+
ACE entry = new ACE(principal, privileges, isAllow, rs);
if (entries.contains(entry)) {
log.debug("Entry is already contained in policy -> no modification.");
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java?rev=1470949&r1=1470948&r2=1470949&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java Tue Apr 23 13:39:49 2013
@@ -22,6 +22,7 @@ import javax.jcr.Credentials;
import javax.jcr.NoSuchWorkspaceException;
import javax.jcr.RepositoryException;
import javax.jcr.SimpleCredentials;
+import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import javax.security.auth.login.Configuration;
@@ -40,6 +41,7 @@ import org.apache.jackrabbit.oak.plugins
import org.apache.jackrabbit.oak.plugins.index.p2.Property2IndexProvider;
import org.apache.jackrabbit.oak.plugins.nodetype.RegistrationEditorProvider;
import org.apache.jackrabbit.oak.plugins.nodetype.write.InitialContent;
+import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
@@ -157,6 +159,10 @@ public abstract class AbstractSecurityTe
return privMgr;
}
+ protected ValueFactory getValueFactory() {
+ return new ValueFactoryImpl(root.getBlobFactory(), getNamePathMapper());
+ }
+
protected User getTestUser() throws Exception {
if (testUser == null) {
String uid = "testUser" + UUID.randomUUID();
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java?rev=1470949&r1=1470948&r2=1470949&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java Tue Apr 23 13:39:49 2013
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
import java.security.Principal;
import java.security.acl.Group;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
@@ -27,20 +28,23 @@ import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
import javax.jcr.Value;
-import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
-import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
+import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
@@ -48,6 +52,10 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlList;
import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlListTest;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinitionImpl;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionImpl;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.junit.Before;
@@ -91,13 +99,13 @@ public class ACLTest extends AbstractAcc
@Override
protected AbstractAccessControlList createACL(@Nullable String jcrPath,
@Nonnull List<JackrabbitAccessControlEntry> entries,
- @Nonnull NamePathMapper namePathMapper) {
+ @Nonnull NamePathMapper namePathMapper,
+ final @Nonnull RestrictionProvider restrictionProvider) {
String path = (jcrPath == null) ? null : namePathMapper.getOakPathKeepIndex(jcrPath);
- final RestrictionProvider rp = getRestrictionProvider();
return new ACL(path, entries, namePathMapper) {
@Override
public RestrictionProvider getRestrictionProvider() {
- return rp;
+ return restrictionProvider;
}
@Override
@@ -117,10 +125,6 @@ public class ACLTest extends AbstractAcc
};
}
- private ValueFactory getValueFactory() {
- return new ValueFactoryImpl(root.getBlobFactory(), NamePathMapper.DEFAULT);
- }
-
private static void assertACE(JackrabbitAccessControlEntry ace, boolean isAllow, Privilege... privileges) {
assertEquals(isAllow, ace.isAllow());
assertEquals(Sets.newHashSet(privileges), Sets.newHashSet(ace.getPrivileges()));
@@ -176,17 +180,6 @@ public class ACLTest extends AbstractAcc
}
@Test
- public void testAddEntryWithInvalidRestrictions() throws Exception {
- Map<String, Value> restrictions = Collections.singletonMap("unknownRestriction", new ValueFactoryImpl(root.getBlobFactory(), namePathMapper).createValue("value"));
- try {
- acl.addEntry(testPrincipal, testPrivileges, false, restrictions);
- fail("Invalid restrictions -> AccessControlException expected");
- } catch (AccessControlException e) {
- // success
- }
- }
-
- @Test
public void testRemoveEntry() throws Exception {
assertTrue(acl.addAccessControlEntry(testPrincipal, testPrivileges));
acl.removeAccessControlEntry(acl.getAccessControlEntries()[0]);
@@ -550,6 +543,42 @@ public class ACLTest extends AbstractAcc
}
@Test
+ public void testInsertionOrder() throws Exception {
+ Privilege[] readPriv = privilegesFromNames(JCR_READ);
+ Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
+ Privilege[] addNodePriv = privilegesFromNames(JCR_ADD_CHILD_NODES);
+
+ Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB, getValueFactory().createValue("/.*"));
+
+ acl.addEntry(testPrincipal, readPriv, true);
+ acl.addEntry(testPrincipal, writePriv, false);
+ acl.addEntry(testPrincipal, addNodePriv, true, restrictions);
+
+ List<JackrabbitAccessControlEntry> entries = acl.getEntries();
+ assertACE(entries.get(0), true, readPriv);
+ assertACE(entries.get(1), false, writePriv);
+ assertACE(entries.get(2), true, addNodePriv);
+ }
+
+ @Test
+ public void testInsertionOrder2() throws Exception {
+ Privilege[] readPriv = privilegesFromNames(JCR_READ);
+ Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
+ Privilege[] addNodePriv = privilegesFromNames(JCR_ADD_CHILD_NODES);
+
+ Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB, getValueFactory().createValue("/.*"));
+
+ acl.addEntry(testPrincipal, readPriv, true);
+ acl.addEntry(testPrincipal, addNodePriv, true, restrictions);
+ acl.addEntry(testPrincipal, writePriv, false);
+
+ List<JackrabbitAccessControlEntry> entries = acl.getEntries();
+ assertACE(entries.get(0), true, readPriv);
+ assertACE(entries.get(1), true, addNodePriv);
+ assertACE(entries.get(2), false, writePriv);
+ }
+
+ @Test
public void testRestrictions() throws Exception {
String[] names = acl.getRestrictionNames();
assertNotNull(names);
@@ -590,39 +619,53 @@ public class ACLTest extends AbstractAcc
}
@Test
- public void testInsertionOrder() throws Exception {
- Privilege[] readPriv = privilegesFromNames(JCR_READ);
- Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
- Privilege[] addNodePriv = privilegesFromNames(JCR_ADD_CHILD_NODES);
-
- Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB, getValueFactory().createValue("/.*"));
+ public void testUnsupportedRestrictions() throws Exception {
+ Map<String, Value> restrictions = Collections.singletonMap("unknownRestriction", getValueFactory().createValue("value"));
+ try {
+ acl.addEntry(testPrincipal, testPrivileges, false, restrictions);
+ fail("Invalid restrictions -> AccessControlException expected");
+ } catch (AccessControlException e) {
+ // success
+ }
+ }
- acl.addEntry(testPrincipal, readPriv, true);
- acl.addEntry(testPrincipal, writePriv, false);
- acl.addEntry(testPrincipal, addNodePriv, true, restrictions);
+ @Test
+ public void testUnsupportedRestrictions2() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("restr", PropertyType.NAME, false);
- List<JackrabbitAccessControlEntry> entries = acl.getEntries();
- assertACE(entries.get(0), true, readPriv);
- assertACE(entries.get(1), false, writePriv);
- assertACE(entries.get(2), true, addNodePriv);
+ JackrabbitAccessControlList acl = createACL(getTestPath(), new ArrayList(), namePathMapper, rp);
+ try {
+ acl.addEntry(testPrincipal, testPrivileges, false, Collections.<String, Value>singletonMap("unsupported", getValueFactory().createValue("value")));
+ fail("Unsupported restriction must be detected.");
+ } catch (AccessControlException e) {
+ // mandatory restriction missing -> success
+ }
}
@Test
- public void testInsertionOrder2() throws Exception {
- Privilege[] readPriv = privilegesFromNames(JCR_READ);
- Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
- Privilege[] addNodePriv = privilegesFromNames(JCR_ADD_CHILD_NODES);
+ public void testInvalidRestrictionType() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("restr", PropertyType.NAME, false);
- Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB, getValueFactory().createValue("/.*"));
+ JackrabbitAccessControlList acl = createACL(getTestPath(), new ArrayList(), namePathMapper, rp);
+ try {
+ acl.addEntry(testPrincipal, testPrivileges, false, Collections.<String, Value>singletonMap("restr", getValueFactory().createValue(true)));
+ fail("Invalid restriction type.");
+ } catch (AccessControlException e) {
+ // mandatory restriction missing -> success
+ }
+ }
- acl.addEntry(testPrincipal, readPriv, true);
- acl.addEntry(testPrincipal, addNodePriv, true, restrictions);
- acl.addEntry(testPrincipal, writePriv, false);
+ @Test
+ public void testMandatoryRestrictions() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("mandatory", PropertyType.NAME, true);
- List<JackrabbitAccessControlEntry> entries = acl.getEntries();
- assertACE(entries.get(0), true, readPriv);
- assertACE(entries.get(1), true, addNodePriv);
- assertACE(entries.get(2), false, writePriv);
+ JackrabbitAccessControlList acl = createACL(getTestPath(), new ArrayList(), namePathMapper, rp);
+ try {
+ acl.addEntry(testPrincipal, testPrivileges, false, Collections.<String, Value>emptyMap());
+ fail("Mandatory restriction must be enforced.");
+ } catch (AccessControlException e) {
+ // mandatory restriction missing -> success
+ }
}
//--------------------------------------------------------------------------
@@ -654,4 +697,54 @@ public class ACLTest extends AbstractAcc
return new Privilege[0];
}
}
+
+ private final class TestRestrictionProvider implements RestrictionProvider {
+
+ private final RestrictionDefinition supported;
+
+ private TestRestrictionProvider(String name, int type, boolean isMandatory) {
+ supported = new RestrictionDefinitionImpl(name, type, isMandatory, namePathMapper);
+ }
+
+ @Nonnull
+ @Override
+ public Set<RestrictionDefinition> getSupportedRestrictions(@Nullable String oakPath) {
+ return ImmutableSet.of(supported);
+ }
+
+ @Nonnull
+ @Override
+ public Restriction createRestriction(@Nullable String oakPath, @Nonnull String jcrName, @Nonnull Value value) throws RepositoryException {
+ if (!supported.getJcrName().equals(jcrName)) {
+ throw new AccessControlException();
+ }
+ if (supported.getRequiredType() != value.getType()) {
+ throw new AccessControlException();
+ }
+ PropertyState property = PropertyStates.createProperty(namePathMapper.getOakName(jcrName), value.getString(), value.getType());
+ return new RestrictionImpl(property, supported.isMandatory(), namePathMapper);
+ }
+
+ @Nonnull
+ @Override
+ public Set<Restriction> readRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction> restrictions) throws AccessControlException {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public void validateRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) throws AccessControlException {
+ throw new UnsupportedOperationException();
+ }
+
+ @Nonnull
+ @Override
+ public RestrictionPattern getPattern(@Nullable String oakPath, @Nonnull Tree tree) {
+ throw new UnsupportedOperationException();
+ }
+ }
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java?rev=1470949&r1=1470948&r2=1470949&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java Tue Apr 23 13:39:49 2013
@@ -40,6 +40,7 @@ import org.apache.jackrabbit.oak.namepat
import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
@@ -73,9 +74,16 @@ public abstract class AbstractAccessCont
return createACL(jcrPath, Lists.newArrayList(entries), namePathMapper);
}
+ protected AbstractAccessControlList createACL(@Nullable String jcrPath,
+ @Nonnull List<JackrabbitAccessControlEntry> entries,
+ @Nonnull NamePathMapper namePathMapper) {
+ return createACL(jcrPath, entries, namePathMapper, getRestrictionProvider());
+ }
+
protected abstract AbstractAccessControlList createACL(@Nullable String jcrPath,
@Nonnull List<JackrabbitAccessControlEntry> entries,
- @Nonnull NamePathMapper namePathMapper);
+ @Nonnull NamePathMapper namePathMapper,
+ @Nonnull RestrictionProvider restrictionProvider);
protected List<JackrabbitAccessControlEntry> createTestEntries() throws RepositoryException {
List<JackrabbitAccessControlEntry> entries = new ArrayList<JackrabbitAccessControlEntry>(3);
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACLTest.java?rev=1470949&r1=1470948&r2=1470949&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACLTest.java Tue Apr 23 13:39:49 2013
@@ -57,9 +57,10 @@ public class ImmutableACLTest extends Ab
}
@Override
- protected ImmutableACL createACL(String jcrPath, List<JackrabbitAccessControlEntry> entries, NamePathMapper namePathMapper) {
+ protected ImmutableACL createACL(String jcrPath, List<JackrabbitAccessControlEntry> entries,
+ NamePathMapper namePathMapper, RestrictionProvider restrictionProvider) {
String oakPath = (jcrPath == null) ? null : namePathMapper.getOakPathKeepIndex(jcrPath);
- return new ImmutableACL(oakPath, entries, getRestrictionProvider(), namePathMapper);
+ return new ImmutableACL(oakPath, entries, restrictionProvider, namePathMapper);
}
private void assertImmutable(JackrabbitAccessControlList acl) throws Exception {