You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/08/12 11:04:24 UTC
svn commit: r1695450 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/user/
main/java/org/apache/jackrabbit/oak/util/
test/java/org/apache/jackrabbit/oak/security/user/
test/java/org/apache/jackrabbit/oak/util/
Author: angela
Date: Wed Aug 12 09:04:24 2015
New Revision: 1695450
URL: http://svn.apache.org/r1695450
Log:
OAK-3218 : UserProvider.getFolderPath may throw StringIndexOutOfBoundsException
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/IntermediatePathTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/util/NodeUtilTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java?rev=1695450&r1=1695449&r2=1695450&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java Wed Aug 12 09:04:24 2015
@@ -323,19 +323,21 @@ class UserProvider extends AuthorizableB
return folder.getTree();
}
+ @Nonnull
private String getFolderPath(@Nonnull String nodeName,
@Nullable String intermediatePath,
@Nonnull String authRoot) throws ConstraintViolationException {
- if (intermediatePath != null && intermediatePath.charAt(0) == '/') {
- if (!intermediatePath.startsWith(authRoot)) {
- throw new ConstraintViolationException("Attempt to create authorizable at '" + intermediatePath +"' outside of the configured root '" + authRoot + '\'');
- } else {
- intermediatePath = intermediatePath.substring(authRoot.length() + 1);
- }
- }
-
+ boolean emptyOrNull = (intermediatePath == null || intermediatePath.isEmpty() || authRoot.equals(intermediatePath));
StringBuilder sb = new StringBuilder();
- if (intermediatePath != null && !intermediatePath.isEmpty()) {
+ if (!emptyOrNull) {
+ // convert absolute paths into relative paths wrt the authRoot
+ if (intermediatePath.charAt(0) == '/') {
+ if (!intermediatePath.startsWith(authRoot)) {
+ throw new ConstraintViolationException("Attempt to create authorizable at '" + intermediatePath +"' outside of the configured root '" + authRoot + '\'');
+ } else {
+ intermediatePath = intermediatePath.substring(authRoot.length() + 1);
+ }
+ }
sb.append(DELIMITER).append(intermediatePath);
} else {
String hint = Text.unescapeIllegalJcrChars(nodeName);
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java?rev=1695450&r1=1695449&r2=1695450&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java Wed Aug 12 09:04:24 2015
@@ -152,7 +152,11 @@ public class NodeUtil {
*/
@Nonnull
public NodeUtil getOrAddTree(String relativePath, String primaryTypeName) throws AccessDeniedException {
- if (relativePath.indexOf('/') == -1) {
+ if (PathUtils.denotesCurrent(relativePath)) {
+ return this;
+ } else if (PathUtils.denotesParent(relativePath)) {
+ return getParent();
+ } else if (relativePath.indexOf('/') == -1) {
return getOrAddChild(relativePath, primaryTypeName);
} else {
Tree t = TreeUtil.getTree(tree, relativePath);
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/IntermediatePathTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/IntermediatePathTest.java?rev=1695450&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/IntermediatePathTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/IntermediatePathTest.java Wed Aug 12 09:04:24 2015
@@ -0,0 +1,208 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.user;
+
+import java.util.List;
+import java.util.UUID;
+
+import javax.annotation.Nullable;
+import javax.jcr.RepositoryException;
+import javax.jcr.nodetype.ConstraintViolationException;
+
+import com.google.common.collect.ImmutableList;
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.CommitFailedException;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+/**
+ * Test user/group creation with intermediate path parameter.
+ */
+public class IntermediatePathTest extends AbstractSecurityTest {
+
+ @Override
+ public void after() throws Exception {
+ try {
+ root.refresh();
+ } finally {
+ super.after();
+ }
+ }
+
+ private Authorizable createAuthorizable(boolean createGroup, @Nullable String intermediatePath) throws RepositoryException {
+ String id = UUID.randomUUID().toString();
+ if (createGroup) {
+ return getUserManager(root).createGroup(id, new PrincipalImpl(id), intermediatePath);
+ } else {
+ return getUserManager(root).createUser(id, null, new PrincipalImpl(id), intermediatePath);
+ }
+ }
+
+ @Test
+ public void testUserNullPath() throws Exception {
+ assertNotNull(createAuthorizable(false, null));
+ }
+
+ @Test
+ public void testGroupNullPath() throws Exception {
+ assertNotNull(createAuthorizable(true, null));
+ }
+
+ @Test
+ public void testUserEmptyPath() throws Exception {
+ Authorizable authorizable = createAuthorizable(false, "");
+ assertFalse(UserConstants.DEFAULT_USER_PATH.equals(PathUtils.getAncestorPath(authorizable.getPath(), 1)));
+ assertTrue(authorizable.getPath().startsWith(UserConstants.DEFAULT_USER_PATH));
+ }
+
+ @Test
+ public void testGroupEmptyPath() throws Exception {
+ Authorizable authorizable = createAuthorizable(true, "");
+ assertFalse(UserConstants.DEFAULT_GROUP_PATH.equals(PathUtils.getAncestorPath(authorizable.getPath(), 1)));
+ assertTrue(authorizable.getPath().startsWith(UserConstants.DEFAULT_GROUP_PATH));
+ }
+
+ @Test
+ public void testUserRelativePath() throws Exception {
+ Authorizable authorizable = createAuthorizable(false, "a/b/c");
+ assertTrue(authorizable.getPath().startsWith(UserConstants.DEFAULT_USER_PATH + "/a/b/c"));
+ }
+
+ @Test
+ public void testGroupRelativePath() throws Exception {
+ Authorizable authorizable = createAuthorizable(true, "a/b/c");
+ assertTrue(authorizable.getPath().startsWith(UserConstants.DEFAULT_GROUP_PATH + "/a/b/c"));
+ }
+
+ @Test
+ public void testUserAbsolutePath() throws Exception {
+ Authorizable authorizable = createAuthorizable(false, UserConstants.DEFAULT_USER_PATH + "/a/b/c");
+ assertTrue(authorizable.getPath().startsWith(UserConstants.DEFAULT_USER_PATH + "/a/b/c"));
+ }
+
+ @Test
+ public void testGroupAbsolutePath() throws Exception {
+ Authorizable authorizable = createAuthorizable(true, UserConstants.DEFAULT_GROUP_PATH + "/a/b/c");
+ assertTrue(authorizable.getPath().startsWith(UserConstants.DEFAULT_GROUP_PATH + "/a/b/c"));
+ }
+
+ @Test
+ public void testUserRootPath() throws Exception {
+ Authorizable authorizable = createAuthorizable(false, UserConstants.DEFAULT_USER_PATH);
+ assertFalse(UserConstants.DEFAULT_USER_PATH.equals(PathUtils.getAncestorPath(authorizable.getPath(), 1)));
+ assertTrue(authorizable.getPath().startsWith(UserConstants.DEFAULT_USER_PATH));
+ }
+
+ @Test
+ public void testGroupRootPath() throws Exception {
+ Authorizable authorizable = createAuthorizable(true, UserConstants.DEFAULT_GROUP_PATH);
+ assertFalse(UserConstants.DEFAULT_GROUP_PATH.equals(PathUtils.getAncestorPath(authorizable.getPath(), 1)));
+ assertTrue(authorizable.getPath().startsWith(UserConstants.DEFAULT_GROUP_PATH));
+ }
+
+ @Test(expected = ConstraintViolationException.class)
+ public void testUserWrongRoot() throws Exception {
+ createAuthorizable(false, UserConstants.DEFAULT_GROUP_PATH);
+ }
+
+ @Test(expected = ConstraintViolationException.class)
+ public void testGroupWrongRoot() throws Exception {
+ createAuthorizable(true, UserConstants.DEFAULT_USER_PATH);
+ }
+
+ @Test
+ public void testInvalidAbsolutePaths() throws Exception {
+ new NodeUtil(root.getTree("/")).addChild("testNode", NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+ List<String> invalidPaths = ImmutableList.of(
+ "/",
+ PathUtils.getAncestorPath(UserConstants.DEFAULT_GROUP_PATH, 1),
+ PathUtils.getAncestorPath(UserConstants.DEFAULT_GROUP_PATH, 2),
+ "/testNode",
+ "/nonExisting");
+ for (String absPath : invalidPaths) {
+ try {
+ createAuthorizable(false, absPath);
+ fail("Invalid path " + absPath + " outside of configured scope.");
+ } catch (ConstraintViolationException e) {
+ // success
+ } finally {
+ root.refresh();
+ }
+ }
+ }
+
+ @Test
+ public void testAbsolutePathsWithParentElements() throws Exception {
+ Authorizable authorizable = createAuthorizable(true, UserConstants.DEFAULT_GROUP_PATH + "/a/../b");
+ assertTrue(authorizable.getPath().startsWith(UserConstants.DEFAULT_GROUP_PATH + "/b"));
+ }
+
+ @Test
+ public void testAbsolutePathsWithInvalidParentElements() throws Exception {
+ try {
+ String invalidPath = UserConstants.DEFAULT_GROUP_PATH + "/../a";
+ Authorizable authorizable = createAuthorizable(true, invalidPath);
+ assertTrue(authorizable.getPath().startsWith(PathUtils.getAncestorPath(UserConstants.DEFAULT_GROUP_PATH, 1) + "/a"));
+ root.commit();
+ fail("Invalid path " + invalidPath + " outside of configured scope.");
+ } catch (CommitFailedException e) {
+ // success
+ assertTrue(e.isConstraintViolation());
+ assertEquals(28, e.getCode());
+ } finally {
+ root.refresh();
+ }
+ }
+
+ @Test
+ public void testRelativePaths() throws Exception {
+ new NodeUtil(root.getTree("/")).addChild("testNode", NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+
+ List<String> invalidPaths = ImmutableList.of("..", "../..", "../../..", "../../../testNode","a/b/../../../c");
+ for (String relPath : invalidPaths) {
+ try {
+ Authorizable authorizable = createAuthorizable(false, relPath);
+ // NOTE: requires commit to detect the violation
+ root.commit();
+ fail("Invalid path " + relPath + " outside of configured scope.");
+ } catch (CommitFailedException e) {
+ // success
+ assertTrue(e.isConstraintViolation());
+ assertEquals(28, e.getCode());
+ } finally {
+ root.refresh();
+ }
+ }
+ }
+
+ @Test
+ public void testCurrentRelativePath() throws Exception {
+ Authorizable authorizable = createAuthorizable(false, ".");
+ assertEquals(UserConstants.DEFAULT_USER_PATH, PathUtils.getAncestorPath(authorizable.getPath(), 1));
+ }
+}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/util/NodeUtilTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/util/NodeUtilTest.java?rev=1695450&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/util/NodeUtilTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/util/NodeUtilTest.java Wed Aug 12 09:04:24 2015
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.util;
+
+import java.util.Map;
+import javax.annotation.Nonnull;
+
+import com.google.common.collect.ImmutableMap;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertSame;
+
+public class NodeUtilTest extends AbstractSecurityTest {
+
+ private NodeUtil node;
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ node = new NodeUtil(root.getTree("/"));
+ }
+
+ @Override
+ public void after() throws Exception {
+ try {
+ root.refresh();
+ } finally {
+ super.after();
+ }
+ }
+
+ private void assertEqualNodeUtil(@Nonnull NodeUtil expected, @Nonnull NodeUtil result) {
+ assertEquals(expected.getTree().getPath(), result.getTree().getPath());
+ }
+
+ @Test
+ public void testGetOrAddTree() throws Exception {
+ NodeUtil result = node.getOrAddTree(".", NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+ assertSame(node, result);
+
+ NodeUtil child = node.getOrAddTree("child", NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+ assertEqualNodeUtil(new NodeUtil(root.getTree("/child")), child);
+
+ NodeUtil parent = child.getOrAddTree("..", NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+ assertEqualNodeUtil(node, parent);
+
+ Map<String, String> map = ImmutableMap.of(
+ "a/b/c", "/a/b/c",
+ "a/../b/c", "/b/c",
+ "a/b/c/../..", "/a",
+ "a/././././b/c", "/a/b/c"
+ );
+ for (String relPath : map.keySet()) {
+ NodeUtil n = node.getOrAddTree(relPath, NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+ assertEqualNodeUtil(new NodeUtil(root.getTree(map.get(relPath))), n);
+ }
+ }
+}
\ No newline at end of file