Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/08/05 18:18:44 UTC
svn commit: r1694258 - in /jackrabbit/oak/trunk: oak-authorization-cug/
oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/
oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/author...
Author: angela
Date: Wed Aug 5 16:18:43 2015
New Revision: 1694258
URL: http://svn.apache.org/r1694258
Log:
OAK-2008 : authorization setup for closed user groups (wip)
Added:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportAbortTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportBaseTest.java
- copied, changed from r1694075, jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImporterTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportBesteffortTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportIgnoreTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugSecurityProvider.java
Removed:
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImporterTest.java
Modified:
jackrabbit/oak/trunk/oak-authorization-cug/pom.xml
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImporter.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugValidatorProvider.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugValidatorTest.java
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/ImporterImpl.java
Modified: jackrabbit/oak/trunk/oak-authorization-cug/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/pom.xml?rev=1694258&r1=1694257&r2=1694258&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/pom.xml Wed Aug 5 16:18:43 2015
@@ -137,7 +137,19 @@
<classifier>tests</classifier>
<scope>test</scope>
</dependency>
-
+ <dependency>
+ <groupId>org.apache.jackrabbit</groupId>
+ <artifactId>oak-jcr</artifactId>
+ <version>${project.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.jackrabbit</groupId>
+ <artifactId>oak-jcr</artifactId>
+ <version>${project.version}</version>
+ <classifier>tests</classifier>
+ <scope>test</scope>
+ </dependency>
</dependencies>
</project>
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImporter.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImporter.java?rev=1694258&r1=1694257&r2=1694258&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImporter.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImporter.java Wed Aug 5 16:18:43 2015
@@ -23,7 +23,6 @@ import java.util.Set;
import javax.annotation.Nonnull;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
-import javax.jcr.nodetype.ConstraintViolationException;
import javax.jcr.nodetype.PropertyDefinition;
import org.apache.jackrabbit.api.JackrabbitSession;
@@ -121,8 +120,13 @@ class CugImporter implements ProtectedPr
}
@Override
- public void propertiesCompleted(@Nonnull Tree protectedParent) throws IllegalStateException, ConstraintViolationException, RepositoryException {
- // nothing to do
+ public void propertiesCompleted(@Nonnull Tree protectedParent) throws IllegalStateException, RepositoryException {
+ if (CugUtil.definesCug(protectedParent) && !protectedParent.hasProperty(REP_PRINCIPAL_NAMES)) {
+ // remove the rep:cugPolicy node if mandatory property is missing
+ // (which may also happen upon an attempt to create a cug at an unsupported path).
+ log.debug("Removing incomplete rep:cugPolicy node (due to missing mandatory property or unsupported path).");
+ protectedParent.remove();
+ }
}
//--------------------------------------------------------------------------
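Review bot: In `propertiesCompleted` the incomplete `rep:cugPolicy` node is removed silently, with only a debug message that names neither the path nor which of the two causes applied. The surrounding content is still imported, so a subtree the XML meant to restrict ends up with no CUG at all. Nothing in these lines consults the configured import behavior, so this appears to happen under `abort` as well; that handling is outside the hunk and should be confirmed. At minimum log it where an operator will see it, e.g. `log.warn("Removing incomplete rep:cugPolicy node at {}", protectedParent.getPath());`, and consider throwing instead of removing when the importer is configured to abort.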
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java?rev=1694258&r1=1694257&r2=1694258&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java Wed Aug 5 16:18:43 2015
@@ -18,13 +18,10 @@ package org.apache.jackrabbit.oak.spi.se
import java.io.IOException;
import java.io.InputStream;
-import java.security.Principal;
-import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.RepositoryException;
-import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
@@ -45,7 +42,7 @@ final class CugUtil implements CugConsta
private CugUtil(){}
public static boolean definesCug(@Nonnull Tree tree) {
- return tree.exists() && NT_REP_CUG_POLICY.equals(TreeUtil.getPrimaryTypeName(tree));
+ return tree.exists() && REP_CUG_POLICY.equals(tree.getName()) && NT_REP_CUG_POLICY.equals(TreeUtil.getPrimaryTypeName(tree));
}
public static boolean definesCug(@Nonnull Tree tree, @Nonnull PropertyState property) {
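Review bot: `definesCug(Tree)` now requires both the node name and the primary type, but the method has no Javadoc stating that contract. A node typed `rep:CugPolicy` under any other name now returns false, so `CugImporter.propertiesCompleted` in this same commit will skip it and rejection is left entirely to the validator. I would add `/** Returns true only if the tree exists, is named rep:cugPolicy and has primary type rep:CugPolicy. */`. The two-argument overload that starts on the last line continues outside the hunk, so whether it applies the same name check cannot be verified here.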
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugValidatorProvider.java?rev=1694258&r1=1694257&r2=1694258&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugValidatorProvider.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugValidatorProvider.java Wed Aug 5 16:18:43 2015
@@ -40,7 +40,7 @@ class CugValidatorProvider extends Valid
@Override
protected Validator getRootValidator(NodeState before, NodeState after, CommitInfo info) {
this.isMixCug = new TypePredicate(after, MIX_REP_CUG_MIXIN);
- return new CugValidator(after);
+ return new CugValidator("", after);
}
private static CommitFailedException accessViolation(int code, String message) {
@@ -57,14 +57,27 @@ class CugValidatorProvider extends Valid
}
private final class CugValidator extends DefaultValidator {
+
private final NodeState parentAfter;
+ private final String parentName;
- private CugValidator(@Nonnull NodeState parentAfter) {
+ private CugValidator(@Nonnull String parentName, @Nonnull NodeState parentAfter) {
this.parentAfter = parentAfter;
+ this.parentName = parentName;
}
//------------------------------------------------------< Validator >---
@Override
+ public void propertyAdded(PropertyState after) throws CommitFailedException {
+ String name = after.getName();
+ if (JcrConstants.JCR_PRIMARYTYPE.equals(name)) {
+ if (NT_REP_CUG_POLICY.equals(after.getValue(Type.STRING)) && !REP_CUG_POLICY.equals(parentName)) {
+ throw accessViolation(23, "Attempt create Cug node with different name than 'rep:cugPolicy'.");
+ }
+ }
+ }
+
+ @Override
public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException {
String name = after.getName();
if (JcrConstants.JCR_PRIMARYTYPE.equals(name)) {
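Review bot: The name check in `propertyAdded` covers only a newly added `jcr:primaryType`. Whether `propertyChanged` rejects an existing, differently named node being retyped to `rep:CugPolicy` cannot be seen, because its body continues outside the hunk; confirm that the two paths agree. The error message is missing a word: `throw accessViolation(23, "Attempt to create Cug node with different name than 'rep:cugPolicy'.");`. The two nested `if` statements can be merged into one condition, and the literal `23` would be easier to audit as a named constant documented next to the other violation codes.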
@@ -79,7 +92,7 @@ class CugValidatorProvider extends Valid
if (REP_CUG_POLICY.equals(name)) {
validateCugNode(parentAfter, after);
}
- return new VisibleValidator(new CugValidator(after), true, true);
+ return new VisibleValidator(new CugValidator(name, after), true, true);
}
@Override
@@ -87,7 +100,7 @@ class CugValidatorProvider extends Valid
if (after.hasChildNode(REP_CUG_POLICY)) {
validateCugNode(after, after.getChildNode(REP_CUG_POLICY));
}
- return new VisibleValidator(new CugValidator(after), true, true);
+ return new VisibleValidator(new CugValidator(name, after), true, true);
}
}
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java?rev=1694258&r1=1694257&r2=1694258&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java Wed Aug 5 16:18:43 2015
@@ -26,7 +26,6 @@ import javax.jcr.security.AccessControlP
import com.google.common.collect.ImmutableMap;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
-import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
import org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
@@ -77,14 +76,6 @@ public class AbstractCugTest extends Abs
protected SecurityProvider getSecurityProvider() {
if (securityProvider == null) {
securityProvider = new CugSecurityProvider(getSecurityConfigParameters());
- AuthorizationConfiguration authorizationConfiguration = securityProvider.getConfiguration(AuthorizationConfiguration.class);
- if (!(authorizationConfiguration instanceof CompositeAuthorizationConfiguration)) {
- CompositeAuthorizationConfiguration composite = new CompositeAuthorizationConfiguration(securityProvider);
- composite.setDefaultConfig(authorizationConfiguration);
- composite.addConfiguration(new CugConfiguration(securityProvider));
- composite.addConfiguration(authorizationConfiguration);
- ((CugSecurityProvider) securityProvider).bindAuthorizationConfiguration(composite);
- }
}
return securityProvider;
}
@@ -109,15 +100,4 @@ public class AbstractCugTest extends Abs
}
throw new IllegalStateException("Unable to create CUG at " + absPath);
}
-
- final class CugSecurityProvider extends SecurityProviderImpl {
- public CugSecurityProvider(@Nonnull ConfigurationParameters configuration) {
- super(configuration);
- }
-
- @Override
- protected void bindAuthorizationConfiguration(@Nonnull AuthorizationConfiguration reference) {
- super.bindAuthorizationConfiguration(reference);
- }
- }
}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportAbortTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportAbortTest.java?rev=1694258&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportAbortTest.java (added)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportAbortTest.java Wed Aug 5 16:18:43 2015
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
+
+import java.security.AccessControlException;
+
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.junit.Test;
+
+import static org.junit.Assert.fail;
+
+public class CugImportAbortTest extends CugImportBaseTest {
+
+ @Override
+ protected String getImportBehavior() {
+ return ImportBehavior.NAME_ABORT;
+ }
+
+ @Test
+ public void testCugInvalidPrincipals() throws Exception {
+ try {
+ doImport(getTargetPath(), XML_CUG_POLICY);
+ fail();
+ } catch (AccessControlException e) {
+ // success
+ } finally {
+ getImportSession().refresh(false);
+ }
+ }
+
+ @Test
+ public void testNodeWithCugInvalidPrincipals() throws Exception {
+ try {
+ doImport(getTargetPath(), XML_CHILD_WITH_CUG);
+ fail();
+ } catch (AccessControlException e) {
+ // success
+ } finally {
+ getImportSession().refresh(false);
+ }
+ }
+}
\ No newline at end of file
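Review bot: The line `import java.security.AccessControlException;` pulls in the JDK's unchecked security exception, whereas `CugImportBaseTest` in this same commit imports `javax.jcr.security.AccessControlException`. If `doImport` reports the invalid principal through the JCR exception, which is what a failing `Session.importXML` would normally surface, neither `catch` block in `testCugInvalidPrincipals` or `testNodeWithCugInvalidPrincipals` matches and the exception propagates out of the test. Change the import to `import javax.jcr.security.AccessControlException;`.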
Copied: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportBaseTest.java (from r1694075, jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImporterTest.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportBaseTest.java?p2=jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportBaseTest.java&p1=jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImporterTest.java&r1=1694075&r2=1694258&rev=1694258&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImporterTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportBaseTest.java Wed Aug 5 16:18:43 2015
@@ -16,7 +16,326 @@
*/
package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
-public class CugImporterTest {
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.jcr.ImportUUIDBehavior;
+import javax.jcr.Node;
+import javax.jcr.Repository;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
+import javax.jcr.Value;
+import javax.jcr.nodetype.ConstraintViolationException;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlPolicy;
- // TODO
+import com.google.common.base.Function;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Iterables;
+import org.apache.jackrabbit.api.JackrabbitRepository;
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.api.security.user.Group;
+import org.apache.jackrabbit.oak.api.CommitFailedException;
+import org.apache.jackrabbit.oak.jcr.Jcr;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public abstract class CugImportBaseTest {
+
+ static final String TEST_NODE_NAME = "testNode";
+ static final String TEST_NODE_PATH = "/testNode";
+ static final String TEST_GROUP_PRINCIPAL_NAME = "testPrincipal";
+
+ static final String XML_CUG_POLICY = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+ "<sv:node sv:name=\"rep:cugPolicy\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
+ "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:CugPolicy</sv:value></sv:property>" +
+ "<sv:property sv:name=\"rep:principalNames\" sv:type=\"String\" sv:multiple=\"true\">" +
+ "<sv:value>" + TEST_GROUP_PRINCIPAL_NAME + "</sv:value>" +
+ "<sv:value>" + EveryonePrincipal.NAME + "</sv:value>" +
+ "</sv:property>" +
+ "</sv:node>";
+
+ static final String XML_CHILD_WITH_CUG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+ "<sv:node sv:name=\"child\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
+ "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>oak:Unstructured</sv:value></sv:property>" +
+ "<sv:property sv:name=\"jcr:mixinTypes\" sv:type=\"Name\"><sv:value>rep:CugMixin</sv:value></sv:property>" +
+ "<sv:node sv:name=\"rep:cugPolicy\">" +
+ "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:CugPolicy</sv:value></sv:property>" +
+ "<sv:property sv:name=\"rep:principalNames\" sv:type=\"String\" sv:multiple=\"true\">" +
+ "<sv:value>" + TEST_GROUP_PRINCIPAL_NAME + "</sv:value>" +
+ "<sv:value>" + EveryonePrincipal.NAME + "</sv:value>" +
+ "</sv:property>" +
+ "</sv:node>" +
+ "</sv:node>";
+
+ static final String XML_NESTED_CUG_POLICY = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+ "<sv:node sv:name=\"rep:cugPolicy\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
+ "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:CugPolicy</sv:value></sv:property>" +
+ "<sv:property sv:name=\"rep:principalNames\" sv:type=\"String\" sv:multiple=\"true\">" +
+ "<sv:value>" + EveryonePrincipal.NAME + "</sv:value>" +
+ "</sv:property>" +
+ "<sv:node sv:name=\"rep:cugPolicy\">" +
+ "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:CugPolicy</sv:value></sv:property>" +
+ "<sv:property sv:name=\"rep:principalNames\" sv:type=\"String\" sv:multiple=\"true\">" +
+ "<sv:value>" + EveryonePrincipal.NAME + "</sv:value>" +
+ "</sv:property>" +
+ "</sv:node>" +
+ "</sv:node>";
+
+ private Repository repo;
+ private Session adminSession;
+ private Group testGroup;
+
+ @Before
+ public void before() throws Exception {
+ ConfigurationParameters config = getConfigurationParameters();
+ SecurityProvider securityProvider = new CugSecurityProvider(config);
+
+ Jcr jcr = new Jcr();
+ jcr.with(securityProvider);
+ repo = jcr.createRepository();
+ adminSession = repo.login(new SimpleCredentials(UserConstants.DEFAULT_ADMIN_ID, UserConstants.DEFAULT_ADMIN_ID.toCharArray()));
+
+ adminSession.getRootNode().addNode(TEST_NODE_NAME, NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+ adminSession.save();
+ }
+
+ @After
+ public void after() throws Exception {
+ try {
+ adminSession.refresh(false);
+
+ adminSession.getNode(TEST_NODE_PATH).remove();
+ if (testGroup != null) {
+ testGroup.remove();
+ }
+ adminSession.save();
+ } finally {
+ adminSession.logout();
+ if (repo instanceof JackrabbitRepository) {
+ ((JackrabbitRepository) repo).shutdown();
+ }
+ repo = null;
+ }
+ }
+
+ @Nonnull
+ private ConfigurationParameters getConfigurationParameters() {
+ String importBehavior = getImportBehavior();
+ if (importBehavior != null) {
+ ConfigurationParameters params = ConfigurationParameters.of(
+ ProtectedItemImporter.PARAM_IMPORT_BEHAVIOR, getImportBehavior(),
+ CugConstants.PARAM_CUG_SUPPORTED_PATHS, new String[] {TEST_NODE_PATH});
+ return ConfigurationParameters.of(AuthorizationConfiguration.NAME, params);
+ } else {
+ return ConfigurationParameters.EMPTY;
+ }
+ }
+
+ abstract String getImportBehavior();
+
+ String getTargetPath() {
+ return TEST_NODE_PATH;
+ }
+
+ Session getImportSession() {
+ return adminSession;
+ }
+
+ Node getTargetNode() throws RepositoryException {
+ return getImportSession().getNode(getTargetPath());
+ }
+
+ void doImport(String parentPath, String xml) throws Exception {
+ doImport(parentPath, xml, ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW);
+ }
+
+ void doImport(String parentPath, String xml, int importUUIDBehavior) throws Exception {
+ doImport(getImportSession(), parentPath, xml, importUUIDBehavior);
+ }
+
+ void doImport(Session importSession, String parentPath, String xml, int importUUIDBehavior) throws Exception {
+ InputStream in;
+ if (xml.charAt(0) == '<') {
+ in = new ByteArrayInputStream(xml.getBytes());
+ } else {
+ in = getClass().getResourceAsStream(xml);
+ }
+ try {
+ importSession.importXML(parentPath, in, importUUIDBehavior);
+ } finally {
+ in.close();
+ }
+ }
+
+ static void assertPrincipalNames(@Nonnull Set<String> expectedPrincipalNames, @Nonnull Value[] principalNames) {
+ assertEquals(expectedPrincipalNames.size(), principalNames.length);
+ Set<String> result = ImmutableSet.copyOf(Iterables.transform(ImmutableSet.copyOf(principalNames), new Function<Value, String>() {
+ @Nullable
+ @Override
+ public String apply(@Nullable Value principalName) {
+ try {
+ return (principalName == null) ? null : principalName.getString();
+ } catch (RepositoryException e) {
+ throw new IllegalStateException(e);
+ }
+ }
+ }));
+ assertEquals(expectedPrincipalNames, result);
+ }
+
+ @Test
+ public void testCugValidPrincipals() throws Exception {
+ testGroup = ((JackrabbitSession) adminSession).getUserManager().createGroup(new PrincipalImpl(TEST_GROUP_PRINCIPAL_NAME));
+ adminSession.save();
+
+ Node targetNode = getTargetNode();
+ targetNode.addMixin(CugConstants.MIX_REP_CUG_MIXIN);
+ doImport(getTargetPath(), XML_CUG_POLICY);
+ adminSession.save();
+ }
+
+ @Test
+ public void testCugValidPrincipalsNoMixin() throws Exception {
+ testGroup = ((JackrabbitSession) adminSession).getUserManager().createGroup(new PrincipalImpl(TEST_GROUP_PRINCIPAL_NAME));
+ adminSession.save();
+
+ doImport(getTargetPath(), XML_CUG_POLICY);
+ try {
+ adminSession.save();
+ fail();
+ } catch (AccessControlException e) {
+ Throwable cause = e.getCause();
+ assertTrue(cause instanceof CommitFailedException);
+ assertTrue(((CommitFailedException) cause).isAccessControlViolation());
+ assertEquals(22, ((CommitFailedException) cause).getCode());
+ }
+
+ }
+
+ @Test
+ public void testNodeWithCugValidPrincipals() throws Exception {
+ testGroup = ((JackrabbitSession) adminSession).getUserManager().createGroup(new PrincipalImpl(TEST_GROUP_PRINCIPAL_NAME));
+ adminSession.save();
+
+ doImport(getTargetPath(), XML_CHILD_WITH_CUG);
+ adminSession.save();
+ }
+
+ @Test
+ public void testCugWithoutPrincipalNames() throws Exception {
+ String xmlCugPolicyWithoutPrincipals = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+ "<sv:node sv:name=\"rep:cugPolicy\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
+ "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:CugPolicy</sv:value></sv:property>" +
+ "</sv:node>";
+ doImport(getTargetPath(), xmlCugPolicyWithoutPrincipals);
+
+ assertFalse(getTargetNode().hasNode(CugConstants.REP_CUG_POLICY));
+ getImportSession().save();
+ }
+
+ @Test
+ public void testCugWithEmptyPrincipalNames() throws Exception {
+ String xmlCugPolicyEmptyPrincipals = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+ "<sv:node sv:name=\"rep:cugPolicy\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
+ "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:CugPolicy</sv:value></sv:property>" +
+ "<sv:property sv:name=\"rep:principalNames\" sv:type=\"String\" sv:multiple=\"true\"></sv:property>" +
+ "</sv:node>";
+
+ getTargetNode().addMixin(CugConstants.MIX_REP_CUG_MIXIN);
+ doImport(getTargetPath(), xmlCugPolicyEmptyPrincipals);
+ getImportSession().save();
+
+ String propPath = getTargetPath() + "/" + CugConstants.REP_CUG_POLICY + "/" + CugConstants.REP_PRINCIPAL_NAMES;
+ assertTrue(getImportSession().propertyExists(propPath));
+ assertArrayEquals(new Value[0], getImportSession().getProperty(propPath).getValues());
+ }
+
+ @Test
+ public void testNestedCug() throws Exception {
+ try {
+ doImport(getTargetPath(), XML_NESTED_CUG_POLICY);
+ fail();
+ } catch (ConstraintViolationException e) {
+ // success
+ } finally {
+ getImportSession().refresh(false);
+ }
+ }
+
+ @Test
+ public void testNestedCugWithMixin() throws Exception {
+ getTargetNode().addMixin(CugConstants.MIX_REP_CUG_MIXIN);
+ doImport(getTargetPath(), XML_NESTED_CUG_POLICY);
+
+ assertTrue(getTargetNode().hasNode(CugConstants.REP_CUG_POLICY));
+
+ Node cugPolicy = getTargetNode().getNode(CugConstants.REP_CUG_POLICY);
+ assertTrue(cugPolicy.hasProperty(CugConstants.REP_PRINCIPAL_NAMES));
+ assertFalse(cugPolicy.hasNode(CugConstants.REP_CUG_POLICY));
+ }
+
+ @Test
+ public void testNestedCugSave() throws Exception {
+ getTargetNode().addMixin(CugConstants.MIX_REP_CUG_MIXIN);
+ doImport(getTargetPath(), XML_NESTED_CUG_POLICY);
+
+ assertTrue(getTargetNode().hasNode(CugConstants.REP_CUG_POLICY));
+
+ Node cugPolicy = getTargetNode().getNode(CugConstants.REP_CUG_POLICY);
+ assertTrue(cugPolicy.hasProperty(CugConstants.REP_PRINCIPAL_NAMES));
+ assertFalse(cugPolicy.hasNode(CugConstants.REP_CUG_POLICY));
+ }
+
+ @Test
+ public void testCugWithInvalidName() throws Exception {
+ String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+ "<sv:node sv:name=\"someOtherNode\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
+ "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:CugPolicy</sv:value></sv:property>" +
+ "<sv:property sv:name=\"rep:principalNames\" sv:type=\"String\" sv:multiple=\"true\">" +
+ "<sv:value>" + EveryonePrincipal.NAME + "</sv:value>" +
+ "</sv:property>" +
+ "</sv:node>";
+
+ getTargetNode().addMixin(CugConstants.MIX_REP_CUG_MIXIN);
+ doImport(getTargetPath(), xml);
+
+ try {
+ getImportSession().save();
+ fail();
+ } catch (ConstraintViolationException e) {
+ // success
+ } finally {
+ getImportSession().refresh(false);
+ }
+ }
+
+ @Test
+ public void testCugAtUnsupportedPath() throws Exception {
+ doImport("/", XML_CHILD_WITH_CUG);
+
+ getImportSession().save();
+
+ assertTrue(getImportSession().getRootNode().hasNode("child"));
+ assertFalse(getImportSession().getRootNode().hasNode("child/rep:cugPolicy"));
+ }
}
\ No newline at end of file
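Review bot: `testNestedCugSave` is a line-for-line copy of `testNestedCugWithMixin` and never calls `save()`, so commit-time validation of the nested policy is not exercised. Add `getImportSession().save();` after the `doImport(...)` call and keep the assertions after it. `testCugWithInvalidName` asserts only `ConstraintViolationException`, so it does not appear to pin the validator's new access-violation code 23 the way `testCugValidPrincipalsNoMixin` pins 22; it is worth checking which layer actually rejects that import. In `doImport`, `xml.getBytes()` uses the platform charset although the documents declare UTF-8; `xml.getBytes(StandardCharsets.UTF_8)` makes that deterministic.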
Added: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportBesteffortTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportBesteffortTest.java?rev=1694258&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportBesteffortTest.java (added)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportBesteffortTest.java Wed Aug 5 16:18:43 2015
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
+
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.jcr.Node;
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+
+import com.google.common.base.Function;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Iterables;
+import com.google.common.collect.Sets;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.apache.jackrabbit.value.ValueHelper;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+public class CugImportBesteffortTest extends CugImportBaseTest {
+
+ private final Set<String> PRINCIPAL_NAMES = Sets.newHashSet(EveryonePrincipal.NAME, TEST_GROUP_PRINCIPAL_NAME);
+
+ @Override
+ protected String getImportBehavior() {
+ return ImportBehavior.NAME_BESTEFFORT;
+ }
+
+ @Test
+ public void testCugInvalidPrincipals() throws Exception {
+ Node targetNode = getTargetNode();
+ targetNode.addMixin(CugConstants.MIX_REP_CUG_MIXIN);
+ doImport(getTargetPath(), XML_CUG_POLICY);
+
+ Node cugNode = targetNode.getNode(CugConstants.REP_CUG_POLICY);
+ Value[] principalNames = cugNode.getProperty(CugConstants.REP_PRINCIPAL_NAMES).getValues();
+
+ assertPrincipalNames(PRINCIPAL_NAMES, principalNames);
+
+ getImportSession().save();
+ }
+
+ @Test
+ public void testNodeWithCugInvalidPrincipals() throws Exception {
+ doImport(getTargetPath(), XML_CHILD_WITH_CUG);
+
+ Node cugNode = getTargetNode().getNode("child").getNode(CugConstants.REP_CUG_POLICY);
+ Value[] principalNames = cugNode.getProperty(CugConstants.REP_PRINCIPAL_NAMES).getValues();
+
+ assertPrincipalNames(PRINCIPAL_NAMES, principalNames);
+
+ getImportSession().save();
+ }
+}
\ No newline at end of file
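Review bot: Both tests assert on the transient import state and call `getImportSession().save()` as the last statement, so nothing checks that the principal names survive the commit; the two tests in CugImportIgnoreTest have the same shape. Re-reading the property after the save would pin the persisted result, e.g. `assertPrincipalNames(PRINCIPAL_NAMES, cugNode.getProperty(CugConstants.REP_PRINCIPAL_NAMES).getValues());`. Best-effort mode apparently keeps a name that does not resolve to a principal (inferred from the test names and the expected set), so a comment such as `// BESTEFFORT keeps unresolved principal names in rep:principalNames` would make that access-control-relevant outcome explicit. The imports of Nonnull, Nullable, RepositoryException, Function, ImmutableSet, Iterables, ValueHelper, assertEquals and assertTrue are not used in this file as shown, and `PRINCIPAL_NAMES` is an instance field named like a constant.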
Added: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportIgnoreTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportIgnoreTest.java?rev=1694258&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportIgnoreTest.java (added)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugImportIgnoreTest.java Wed Aug 5 16:18:43 2015
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
+
+import javax.jcr.Node;
+import javax.jcr.Value;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.junit.Test;
+
+public class CugImportIgnoreTest extends CugImportBaseTest {
+
+ @Override
+ protected String getImportBehavior() {
+ return ImportBehavior.NAME_IGNORE;
+ }
+
+ @Test
+ public void testCugInvalidPrincipals() throws Exception {
+ Node targetNode = getTargetNode();
+ targetNode.addMixin(CugConstants.MIX_REP_CUG_MIXIN);
+ doImport(getTargetPath(), XML_CUG_POLICY);
+
+ Node cugNode = targetNode.getNode(CugConstants.REP_CUG_POLICY);
+ Value[] principalNames = cugNode.getProperty(CugConstants.REP_PRINCIPAL_NAMES).getValues();
+ assertPrincipalNames(ImmutableSet.of(EveryonePrincipal.NAME), principalNames);
+
+ getImportSession().save();
+ }
+
+ @Test
+ public void testNodeWithCugInvalidPrincipals() throws Exception {
+ doImport(getTargetPath(), XML_CHILD_WITH_CUG);
+
+ Node cugNode = getTargetNode().getNode("child").getNode(CugConstants.REP_CUG_POLICY);
+ Value[] principalNames = cugNode.getProperty(CugConstants.REP_PRINCIPAL_NAMES).getValues();
+ assertPrincipalNames(ImmutableSet.of(EveryonePrincipal.NAME), principalNames);
+
+ getImportSession().save();
+ }
+}
\ No newline at end of file
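Review bot: `testCugInvalidPrincipals` and `testNodeWithCugInvalidPrincipals` repeat the bodies from CugImportBesteffortTest line for line and differ only in the expected set, so they could be written once in CugImportBaseTest behind an abstract accessor for the expected names. The expectation `ImmutableSet.of(EveryonePrincipal.NAME)` implies that IGNORE drops the name that does not resolve; a comment such as `// IGNORE drops principal names that do not resolve to a principal` would state that. An import in which every name is dropped is not covered here, and the resulting policy content in that case looks worth a test of its own.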
Added: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugSecurityProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugSecurityProvider.java?rev=1694258&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugSecurityProvider.java (added)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugSecurityProvider.java Wed Aug 5 16:18:43 2015
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
+
+import javax.annotation.Nonnull;
+
+import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
+import org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+
+final class CugSecurityProvider extends SecurityProviderImpl {
+ public CugSecurityProvider(@Nonnull ConfigurationParameters configuration) {
+ super(configuration);
+
+ AuthorizationConfiguration authorizationConfiguration = getConfiguration(AuthorizationConfiguration.class);
+ if (!(authorizationConfiguration instanceof CompositeAuthorizationConfiguration)) {
+ CompositeAuthorizationConfiguration composite = new CompositeAuthorizationConfiguration(this);
+ composite.setDefaultConfig(authorizationConfiguration);
+ composite.addConfiguration(new CugConfiguration(this));
+ composite.addConfiguration(authorizationConfiguration);
+ ((CugSecurityProvider) this).bindAuthorizationConfiguration(composite);
+ }
+ }
+
+ @Override
+ protected void bindAuthorizationConfiguration(@Nonnull AuthorizationConfiguration reference) {
+ super.bindAuthorizationConfiguration(reference);
+ }
+}
\ No newline at end of file
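Review bot: When `getConfiguration(AuthorizationConfiguration.class)` already returns a `CompositeAuthorizationConfiguration`, the constructor skips the whole block, so `CugConfiguration` is never registered and tests built on this provider would run without the CUG model and still pass. That branch should either add the CUG configuration to the existing composite or fail loudly, e.g. `} else { throw new IllegalStateException("CugConfiguration not registered: authorization is already composite"); }`. The cast in `((CugSecurityProvider) this).bindAuthorizationConfiguration(composite);` is redundant and can be `bindAuthorizationConfiguration(composite);`. A class comment saying that the override only re-declares the protected method for use from this package (presumably its purpose) would help the next reader.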
Modified: jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugValidatorTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugValidatorTest.java?rev=1694258&r1=1694257&r2=1694258&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugValidatorTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugValidatorTest.java Wed Aug 5 16:18:43 2015
@@ -117,4 +117,20 @@ public class CugValidatorTest extends Ab
root.refresh();
}
}
+
+ @Test
+ public void testCugPolicyWithDifferentName() throws Exception {
+ node.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_CUG_MIXIN);
+ NodeUtil cug = node.addChild("anotherName", NT_REP_CUG_POLICY);
+ cug.setStrings(REP_PRINCIPAL_NAMES, EveryonePrincipal.NAME);
+ try {
+ root.commit();
+ fail();
+ } catch (CommitFailedException e) {
+ assertTrue(e.isAccessControlViolation());
+ assertEquals(23, e.getCode());
+ } finally {
+ root.refresh();
+ }
+ }
}
\ No newline at end of file
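Review bot: In `testCugPolicyWithDifferentName` the expected code is the bare literal in `assertEquals(23, e.getCode());`, which a reader can only decode by looking up the error table in cug.md. A trailing comment such as `// 0023: wrong name of node with primary type rep:CugPolicy` or a named constant would tie the assertion to the documented violation. The bare `fail();` would also read better as `fail("rep:CugPolicy node not named rep:cugPolicy must be rejected on commit");`, so that a regression in the validator reports what was expected. The enclosing class begins outside this hunk.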
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md?rev=1694258&r1=1694257&r2=1694258&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md Wed Aug 5 16:18:43 2015
@@ -48,6 +48,7 @@ all of type `AccessControl` with the fol
| 0020 | Attempt to change primary type of/to cug policy |
| 0021 | Wrong primary type of 'rep:cugPolicy' node |
| 0022 | Access controlled not not of mixin 'rep:CugMixin' |
+| 0023 | Wrong name of node with primary type 'rep:CugPolicy' |
### Configuration
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/ImporterImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/ImporterImpl.java?rev=1694258&r1=1694257&r2=1694258&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/ImporterImpl.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/ImporterImpl.java Wed Aug 5 16:18:43 2015
@@ -469,7 +469,9 @@ public class ImporterImpl implements Imp
// process properties
importProperties(tree, propInfos, false);
- parents.push(tree);
+ if (tree.exists()) {
+ parents.push(tree);
+ }
}