Posted to oak-commits@jackrabbit.apache.org by tr...@apache.org on 2013/12/11 23:33:27 UTC
svn commit: r1550298 -
/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/ClusterPermissionsTest.java
Author: tripod
Date: Wed Dec 11 22:33:27 2013
New Revision: 1550298
URL: http://svn.apache.org/r1550298
Log:
OAK-1138 Implement global per principal permission entry cache
- add cluster specific permission test
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/ClusterPermissionsTest.java
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/ClusterPermissionsTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/ClusterPermissionsTest.java?rev=1550298&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/ClusterPermissionsTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/ClusterPermissionsTest.java Wed Dec 11 22:33:27 2013
@@ -0,0 +1,219 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.permission;
+
+import javax.annotation.Nullable;
+import javax.jcr.Credentials;
+import javax.jcr.NoSuchWorkspaceException;
+import javax.jcr.SimpleCredentials;
+import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlManager;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginException;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.mk.blobs.MemoryBlobStore;
+import org.apache.jackrabbit.oak.Oak;
+import org.apache.jackrabbit.oak.api.ContentRepository;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.plugins.index.property.PropertyIndexEditorProvider;
+import org.apache.jackrabbit.oak.plugins.index.property.PropertyIndexProvider;
+import org.apache.jackrabbit.oak.plugins.index.reference.ReferenceEditorProvider;
+import org.apache.jackrabbit.oak.plugins.index.reference.ReferenceIndexProvider;
+import org.apache.jackrabbit.oak.plugins.mongomk.MemoryDocumentStore;
+import org.apache.jackrabbit.oak.plugins.mongomk.MongoMK;
+import org.apache.jackrabbit.oak.plugins.nodetype.RegistrationEditorProvider;
+import org.apache.jackrabbit.oak.plugins.nodetype.write.InitialContent;
+import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.authentication.ConfigurationUtil;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+public class ClusterPermissionsTest {
+
+ private ContentRepository contentRepository1;
+ private ContentRepository contentRepository2;
+ private UserManager userManager1;
+ private UserManager userManager2;
+ private AccessControlManager aclMgr1;
+ private AccessControlManager aclMgr2;
+
+ protected NamePathMapper namePathMapper = NamePathMapper.DEFAULT;
+ protected SecurityProvider securityProvider1;
+ protected SecurityProvider securityProvider2;
+ protected ContentSession adminSession1;
+ protected ContentSession adminSession2;
+ protected Root root1;
+ protected Root root2;
+
+ @Before
+ public void before() throws Exception {
+ MemoryDocumentStore ds = new MemoryDocumentStore();
+ MemoryBlobStore bs = new MemoryBlobStore();
+ MongoMK.Builder builder;
+
+ builder = new MongoMK.Builder();
+ builder.setDocumentStore(ds).setBlobStore(bs).setAsyncDelay(1);
+ MongoMK mk1 = builder.setClusterId(1).open();
+ builder = new MongoMK.Builder();
+ builder.setDocumentStore(ds).setBlobStore(bs).setAsyncDelay(1);
+ MongoMK mk2 = builder.setClusterId(2).open();
+
+ Oak oak = new Oak(mk1)
+ .with(new InitialContent())
+ .with(new ReferenceEditorProvider())
+ .with(new ReferenceIndexProvider())
+ .with(new PropertyIndexEditorProvider())
+ .with(new PropertyIndexProvider())
+ .with(new RegistrationEditorProvider())
+ .with(securityProvider1 = new SecurityProviderImpl(getSecurityConfigParameters()));
+ contentRepository1 = oak.createContentRepository();
+ adminSession1 = login1(getAdminCredentials());
+ root1 = adminSession1.getLatestRoot();
+ userManager1 = securityProvider1.getConfiguration(UserConfiguration.class).getUserManager(root1, namePathMapper);
+ aclMgr1 = securityProvider1.getConfiguration(AuthorizationConfiguration.class).getAccessControlManager(root1, namePathMapper);
+
+ oak = new Oak(mk2)
+ .with(new InitialContent())
+ .with(new ReferenceEditorProvider())
+ .with(new ReferenceIndexProvider())
+ .with(new PropertyIndexEditorProvider())
+ .with(new PropertyIndexProvider())
+ .with(new RegistrationEditorProvider())
+ .with(securityProvider2 = new SecurityProviderImpl(getSecurityConfigParameters()));
+
+ contentRepository2 = oak.createContentRepository();
+ adminSession2 = login2(getAdminCredentials());
+ root2 = adminSession2.getLatestRoot();
+ userManager2 = securityProvider2.getConfiguration(UserConfiguration.class).getUserManager(root2, namePathMapper);
+ aclMgr2 = securityProvider2.getConfiguration(AuthorizationConfiguration.class).getAccessControlManager(root2, namePathMapper);
+ }
+
+ protected ConfigurationParameters getSecurityConfigParameters() {
+ return ConfigurationParameters.EMPTY;
+ }
+
+ protected Configuration getConfiguration() {
+ return ConfigurationUtil.getDefaultConfiguration(getSecurityConfigParameters());
+ }
+
+ protected ContentSession login1(@Nullable Credentials credentials)
+ throws LoginException, NoSuchWorkspaceException {
+ return contentRepository1.login(credentials, null);
+ }
+ protected ContentSession login2(@Nullable Credentials credentials)
+ throws LoginException, NoSuchWorkspaceException {
+ return contentRepository2.login(credentials, null);
+ }
+
+ protected Credentials getAdminCredentials() {
+ String adminId = "admin";
+ return new SimpleCredentials(adminId, adminId.toCharArray());
+ }
+
+ @Test
+ public void testCreateUser() throws Exception {
+ userManager1.createUser("testUser", "testUser");
+ root1.commit();
+ Thread.sleep(100);
+ root2.refresh();
+ assertNotNull("testUser must exist on 2nd cluster node", userManager2.getAuthorizable("testUser"));
+ }
+
+ @Test
+ public void testAclPropagation() throws Exception {
+ Tree node = root1.getTree("/").addChild("testNode");
+ node.setProperty("jcr:primaryType", "nt:unstructured");
+ User user1 = userManager1.createUser("testUser", "testUser");
+ JackrabbitAccessControlList acl1 = AccessControlUtils.getAccessControlList(aclMgr1, "/testNode");
+ acl1.addEntry(user1.getPrincipal(), AccessControlUtils.privilegesFromNames(aclMgr1, "jcr:all"), true);
+ aclMgr1.setPolicy("/testNode", acl1);
+ root1.commit();
+
+ Thread.sleep(100);
+ root2.refresh();
+ JackrabbitAccessControlList acl2 = AccessControlUtils.getAccessControlList(aclMgr2, "/testNode");
+ AccessControlEntry[] aces = acl2.getAccessControlEntries();
+ assertEquals(1, aces.length);
+ }
+
+ @Test
+ public void testPermissionPropagation() throws Exception {
+ // create a "/testNode"
+ Tree node = root1.getTree("/").addChild("testNode");
+ node.setProperty("jcr:primaryType", "nt:unstructured");
+
+ // create 2 users
+ User user1 = userManager1.createUser("testUser1", "testUser1");
+ User user2 = userManager1.createUser("testUser2", "testUser2");
+
+ JackrabbitAccessControlList acl1 = AccessControlUtils.getAccessControlList(aclMgr1, "/testNode");
+
+ // deny jcr:all for everyone on /testNode
+ acl1.addEntry(EveryonePrincipal.getInstance(), AccessControlUtils.privilegesFromNames(aclMgr1, "jcr:all"), false);
+
+ // allow jcr:read for testUser1 on /testNode
+ acl1.addEntry(user1.getPrincipal(), AccessControlUtils.privilegesFromNames(aclMgr1, "jcr:read"), true);
+ aclMgr1.setPolicy("/testNode", acl1);
+ root1.commit();
+
+ Thread.sleep(100);
+ root2.refresh();
+
+ // login with testUser1 and testUser2 (on cluster node 2)
+ ContentSession session1 = contentRepository2.login(new SimpleCredentials("testUser1", "testUser1".toCharArray()), null);
+ ContentSession session2 = contentRepository2.login(new SimpleCredentials("testUser2", "testUser2".toCharArray()), null);
+
+ // testUser1 can read /testNode
+ assertTrue(session1.getLatestRoot().getTree("/testNode").exists());
+
+ // testUser2 cannot read /testNode
+ assertFalse(session2.getLatestRoot().getTree("/testNode").exists());
+
+ // now, allow jcr:read also for 'everyone' (on cluster node 1)
+ acl1 = AccessControlUtils.getAccessControlList(aclMgr1, "/testNode");
+ acl1.addEntry(EveryonePrincipal.getInstance(), AccessControlUtils.privilegesFromNames(aclMgr1, "jcr:read"), true);
+ aclMgr1.setPolicy("/testNode", acl1);
+ root1.commit();
+
+ Thread.sleep(100);
+ root2.refresh();
+
+ // testUser1 can read /testNode
+ assertTrue(session1.getLatestRoot().getTree("/testNode").exists());
+
+ // testUser2 can also read /testNode
+ assertTrue(session2.getLatestRoot().getTree("/testNode").exists());
+ }
+
+}
\ No newline at end of file
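Review bot: None of the sessions or stores opened by this test are ever released: `adminSession1`/`adminSession2` from `before()` and `session1`/`session2` in `testPermissionPropagation` are never closed, and the two `MongoMK` instances are only held as locals in `before()` so they cannot be disposed when a test finishes, which means every test method leaks two repository instances plus their background sync threads into the next one. I would promote `mk1`/`mk2` to fields and add an `@After` that closes the admin sessions and disposes both MKs (and close `session1`/`session2` at the end of `testPermissionPropagation`). Separately, the `Thread.sleep(100)` before each `root2.refresh()` makes the propagation checks timing-dependent on the `setAsyncDelay(1)` background sync; a bounded poll-until-visible helper (retry the refresh and check a few times with a short sleep, then fail) would make the cluster assertions deterministic under load.

```java
    private MongoMK mk1;
    private MongoMK mk2;

    // … unchanged: before() assigns mk1/mk2 to the fields above instead of locals …

    @After
    public void after() throws Exception {
        if (adminSession1 != null) {
            adminSession1.close();
        }
        if (adminSession2 != null) {
            adminSession2.close();
        }
        if (mk1 != null) {
            mk1.dispose();
        }
        if (mk2 != null) {
            mk2.dispose();
        }
    }
```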