You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/06/04 10:00:24 UTC
svn commit: r1683479 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/
main/java/org/apache/jackrabbit/oak/security/authorization/permission/
test/java/org/apache/jackrabbit/oak/security/...
Author: angela
Date: Thu Jun 4 08:00:24 2015
New Revision: 1683479
URL: http://svn.apache.org/r1683479
Log:
OAK-2955 : Extend ACL-level principal validation for configured administrative principals
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsAbortTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsBaseTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsBestEffortTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsIgnoreTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1683479&r1=1683478&r2=1683479&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java Thu Jun 4 08:00:24 2015
@@ -45,6 +45,7 @@ import javax.jcr.security.NamedAccessCon
import javax.jcr.security.Privilege;
import com.google.common.base.Objects;
+import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
@@ -65,7 +66,9 @@ import org.apache.jackrabbit.oak.commons
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.memory.PropertyBuilder;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
+import org.apache.jackrabbit.oak.security.authorization.permission.PermissionUtil;
import org.apache.jackrabbit.oak.security.authorization.restriction.PrincipalRestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager;
@@ -75,7 +78,6 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
-import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
@@ -103,6 +105,7 @@ public class AccessControlManagerImpl ex
private final PrincipalManager principalManager;
private final RestrictionProvider restrictionProvider;
+ private final ConfigurationParameters configParams;
private final Set<String> readPaths;
public AccessControlManagerImpl(@Nonnull Root root, @Nonnull NamePathMapper namePathMapper,
@@ -115,7 +118,8 @@ public class AccessControlManagerImpl ex
principalManager = securityProvider.getConfiguration(PrincipalConfiguration.class).getPrincipalManager(root, namePathMapper);
restrictionProvider = getConfig().getRestrictionProvider();
- readPaths = getConfig().getParameters().getConfigValue(PermissionConstants.PARAM_READ_PATHS, PermissionConstants.DEFAULT_READ_PATHS);
+ configParams = getConfig().getParameters();
+ readPaths = configParams.getConfigValue(PermissionConstants.PARAM_READ_PATHS, PermissionConstants.DEFAULT_READ_PATHS);
}
//-----------------------------------------------< AccessControlManager >---
@@ -323,7 +327,7 @@ public class AccessControlManagerImpl ex
@Nonnull
@Override
public JackrabbitAccessControlPolicy[] getApplicablePolicies(@Nonnull Principal principal) throws RepositoryException {
- Util.checkValidPrincipal(principal, principalManager, true);
+ Util.checkValidPrincipal(principal, principalManager);
String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null;
JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal);
@@ -338,7 +342,7 @@ public class AccessControlManagerImpl ex
@Nonnull
@Override
public JackrabbitAccessControlPolicy[] getPolicies(@Nonnull Principal principal) throws RepositoryException {
- Util.checkValidPrincipal(principal, principalManager, true);
+ Util.checkValidPrincipal(principal, principalManager);
String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null;
JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal);
@@ -565,9 +569,11 @@ public class AccessControlManagerImpl ex
@Override
boolean checkValidPrincipal(Principal principal) throws AccessControlException {
int importBehavior = Util.getImportBehavior(getConfig());
- Util.checkValidPrincipal(principal, principalManager, ImportBehavior.BESTEFFORT != importBehavior);
+ if (!Util.checkValidPrincipal(principal, principalManager, importBehavior)) {
+ return false;
+ }
- if (principal instanceof AdminPrincipal) {
+ if (PermissionUtil.isAdminOrSystem(ImmutableSet.of(principal), configParams)) {
log.warn("Attempt to create an ACE for the admin principal which always has full access.");
switch (Util.getImportBehavior(getConfig())) {
case ImportBehavior.ABORT:
@@ -643,7 +649,7 @@ public class AccessControlManagerImpl ex
@Override
boolean checkValidPrincipal(Principal principal) throws AccessControlException {
- Util.checkValidPrincipal(principal, principalManager, true);
+ Util.checkValidPrincipal(principal, principalManager);
return true;
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java?rev=1683479&r1=1683478&r2=1683479&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java Thu Jun 4 08:00:24 2015
@@ -43,15 +43,29 @@ final class Util implements AccessContro
private Util() {}
public static void checkValidPrincipal(@Nullable Principal principal,
- @Nonnull PrincipalManager principalManager,
- boolean verifyExists) throws AccessControlException {
+ @Nonnull PrincipalManager principalManager) throws AccessControlException {
+ checkValidPrincipal(principal, principalManager, ImportBehavior.ABORT);
+ }
+
+ public static boolean checkValidPrincipal(@Nullable Principal principal,
+ @Nonnull PrincipalManager principalManager,
+ int importBehavior) throws AccessControlException {
String name = (principal == null) ? null : principal.getName();
if (name == null || name.isEmpty()) {
throw new AccessControlException("Invalid principal " + name);
}
- if (verifyExists && !(principal instanceof PrincipalImpl) && !principalManager.hasPrincipal(name)) {
- throw new AccessControlException("Unknown principal " + name);
+ if (!(principal instanceof PrincipalImpl) && !principalManager.hasPrincipal(name)) {
+ switch (importBehavior) {
+ case ImportBehavior.ABORT:
+ throw new AccessControlException("Unknown principal " + name);
+ case ImportBehavior.IGNORE:
+ return false;
+ case ImportBehavior.BESTEFFORT:
+ return true;
+ default: throw new IllegalArgumentException("Invalid import behavior " + importBehavior);
+ }
}
+ return true;
}
public static void checkValidPrincipals(@Nullable Set<Principal> principals,
@@ -60,7 +74,7 @@ final class Util implements AccessContro
throw new AccessControlException("Valid principals expected. Found null.");
}
for (Principal principal : principals) {
- checkValidPrincipal(principal, principalManager, true);
+ checkValidPrincipal(principal, principalManager);
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1683479&r1=1683478&r2=1683479&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java Thu Jun 4 08:00:24 2015
@@ -17,7 +17,6 @@
package org.apache.jackrabbit.oak.security.authorization.permission;
import java.security.Principal;
-import java.util.Collections;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
@@ -37,8 +36,6 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
-import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
-import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
public class PermissionProviderImpl implements PermissionProvider, AccessControlConstants, PermissionConstants, AggregatedPermissionProvider {
@@ -61,7 +58,7 @@ public class PermissionProviderImpl impl
immutableRoot = RootFactory.createReadOnlyRoot(root);
- if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) {
+ if (PermissionUtil.isAdminOrSystem(principals, acConfig.getParameters())) {
compiledPermissions = AllPermissions.getInstance();
} else {
compiledPermissions = CompiledPermissionImpl.create(immutableRoot, workspaceName, principals, acConfig);
@@ -147,16 +144,6 @@ public class PermissionProviderImpl impl
//--------------------------------------------------------------------------
- private boolean isAdmin(Set<Principal> principals) {
- Set<String> adminNames = acConfig.getParameters().getConfigValue(PARAM_ADMINISTRATIVE_PRINCIPALS, Collections.EMPTY_SET);
- for (Principal principal : principals) {
- if (principal instanceof AdminPrincipal || adminNames.contains(principal.getName())) {
- return true;
- }
- }
- return false;
- }
-
private static boolean isVersionStorePath(@Nonnull String oakPath) {
if (oakPath.indexOf(JcrConstants.JCR_SYSTEM) == 1) {
for (String p : VersionConstants.SYSTEM_PATHS) {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java?rev=1683479&r1=1683478&r2=1683479&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionUtil.java Thu Jun 4 08:00:24 2015
@@ -16,6 +16,9 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
@@ -26,7 +29,10 @@ import org.apache.jackrabbit.oak.api.Roo
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
+import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
+import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.util.Text;
@@ -77,6 +83,20 @@ public final class PermissionUtil implem
return permissionsTree.getChild(Text.escapeIllegalJcrChars(principalName));
}
+ public static boolean isAdminOrSystem(@Nonnull Set<Principal> principals, @Nonnull ConfigurationParameters config) {
+ if (principals.contains(SystemPrincipal.INSTANCE)) {
+ return true;
+ } else {
+ Set<String> adminNames = config.getConfigValue(PARAM_ADMINISTRATIVE_PRINCIPALS, Collections.EMPTY_SET);
+ for (Principal principal : principals) {
+ if (principal instanceof AdminPrincipal || adminNames.contains(principal.getName())) {
+ return true;
+ }
+ }
+ return false;
+ }
+ }
+
@CheckForNull
public static String getPath(@Nullable Tree parentBefore, @Nullable Tree parentAfter) {
String path = null;
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java?rev=1683479&r1=1683478&r2=1683479&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java Thu Jun 4 08:00:24 2015
@@ -115,7 +115,7 @@ public class ACLTest extends AbstractAcc
@Override
boolean checkValidPrincipal(Principal principal) throws AccessControlException {
- Util.checkValidPrincipal(principal, principalManager, true);
+ Util.checkValidPrincipal(principal, principalManager);
return true;
}
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java?rev=1683479&r1=1683478&r2=1683479&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java Thu Jun 4 08:00:24 2015
@@ -71,7 +71,6 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.TestACL;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
-import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
@@ -191,7 +190,7 @@ public class AccessControlManagerImplTes
@Override
boolean checkValidPrincipal(Principal principal) throws AccessControlException {
- Util.checkValidPrincipal(principal, pm, true);
+ Util.checkValidPrincipal(principal, pm);
return true;
}
@@ -1658,40 +1657,6 @@ public class AccessControlManagerImplTes
assertEquals(1, policies.length);
}
- /**
- * Test if the ACL code prevents the creation of ACEs for administrative
- * principals which have full access anyway.
- *
- * @since Oak 1.1.1
- * @see <a href="https://issues.apache.org/jira/browse/OAK-2158">OAK-2158</a>
- */
- @Test
- public void testAdminPrincipal() throws Exception {
- ACL acl = getApplicablePolicy(testPath);
- try {
- acl.addAccessControlEntry(new AdminPrincipal() {
- @Override
- public String getName() {
- return "admin";
- }
- }, privilegesFromNames(PrivilegeConstants.JCR_READ));
- fail("Adding an ACE for an admin principal should fail");
- } catch (AccessControlException e) {
- // success
- }
-
- try {
- for (Principal p : adminSession.getAuthInfo().getPrincipals()) {
- if (p instanceof AdminPrincipal) {
- acl.addAccessControlEntry(p, privilegesFromNames(PrivilegeConstants.JCR_READ));
- fail("Adding an ACE for an admin principal should fail");
- }
- }
- } catch (AccessControlException e) {
- // success
- }
- }
-
@Test
public void testTestSessionGetPolicies() throws Exception {
setupPolicy(testPath);
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsAbortTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsAbortTest.java?rev=1683479&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsAbortTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsAbortTest.java Thu Jun 4 08:00:24 2015
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
+
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
+
+import static org.junit.Assert.fail;
+
+public class AdminPrincipalsAbortTest extends AdminPrincipalsBaseTest {
+
+ @Override
+ protected ConfigurationParameters getSecurityConfigParameters() {
+ return ConfigurationParameters.of(AuthorizationConfiguration.NAME,
+ ConfigurationParameters.of(
+ PermissionConstants.PARAM_ADMINISTRATIVE_PRINCIPALS, new String[]{ADMINISTRATORS_PRINCIPAL_NAME},
+ ProtectedItemImporter.PARAM_IMPORT_BEHAVIOR, ImportBehavior.NAME_ABORT)
+ );
+ }
+
+ @Override
+ void assertResult(boolean success) throws Exception {
+ fail("Adding an ACE for an admin principal should fail");
+ }
+
+ @Override
+ void assertException() throws Exception {
+ // success -> nothing to do
+ }
+}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsBaseTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsBaseTest.java?rev=1683479&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsBaseTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsBaseTest.java Thu Jun 4 08:00:24 2015
@@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
+
+import java.security.Principal;
+import javax.jcr.RepositoryException;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlList;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.AccessControlPolicy;
+import javax.jcr.security.AccessControlPolicyIterator;
+
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.Test;
+
+public abstract class AdminPrincipalsBaseTest extends AbstractSecurityTest {
+
+ static final String ADMINISTRATORS_PRINCIPAL_NAME = "administrators";
+
+ AccessControlList acl;
+ Principal administrativePrincipal;
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ NodeUtil rootNode = new NodeUtil(root.getTree("/"), NamePathMapper.DEFAULT);
+ rootNode.addChild("testNode", JcrConstants.NT_UNSTRUCTURED);
+
+ administrativePrincipal = getUserManager(root).createGroup(new PrincipalImpl(ADMINISTRATORS_PRINCIPAL_NAME)).getPrincipal();
+ root.commit();
+
+ AccessControlManager acMgr = getAccessControlManager(root);
+ AccessControlPolicyIterator itr = acMgr.getApplicablePolicies("/testNode");
+ while (itr.hasNext() && acl == null) {
+ AccessControlPolicy policy = itr.nextAccessControlPolicy();
+ if (policy instanceof AccessControlList) {
+ acl = (AccessControlList) policy;
+ }
+ }
+
+ if (acl == null) {
+ throw new RepositoryException("No applicable policy found.");
+ }
+ }
+
+ @Override
+ public void after() throws Exception {
+ try {
+ root.refresh();
+ root.getTree("/testNode").remove();
+
+ Authorizable gr = getUserManager(root).getAuthorizable(administrativePrincipal);
+ if (gr != null) {
+ gr.remove();
+ }
+ root.commit();
+ } finally {
+ super.after();
+ }
+ }
+
+ abstract void assertResult(boolean success) throws Exception;
+ abstract void assertException() throws Exception;
+
+ /**
+ * Test if the ACL code properly deals the creation of ACEs for administrative
+ * principals which have full access anyway.
+ *
+ * @since Oak 1.1.1
+ * @see <a href="https://issues.apache.org/jira/browse/OAK-2158">OAK-2158</a>
+ */
+ @Test
+ public void testAdminPrincipal() throws Exception {
+ try {
+ boolean success = acl.addAccessControlEntry(new AdminPrincipal() {
+ @Override
+ public String getName() {
+ return "admin";
+ }
+ }, privilegesFromNames(PrivilegeConstants.JCR_READ));
+ assertResult(success);
+ } catch (AccessControlException e) {
+ assertException();
+ }
+ }
+
+ @Test
+ public void testAdminAuthInfoPrincipals() throws Exception {
+ try {
+ for (Principal p : adminSession.getAuthInfo().getPrincipals()) {
+ if (p instanceof AdminPrincipal) {
+ boolean success = acl.addAccessControlEntry(p, privilegesFromNames(PrivilegeConstants.JCR_READ));
+ assertResult(success);
+ }
+ }
+ } catch (AccessControlException e) {
+ assertException();
+ }
+ }
+
+ /**
+ * Test if the ACL code properly deals the creation of ACEs for system
+ * principals which have full access anyway.
+ *
+ * @since Oak 1.3.0
+ * @see <a href="https://issues.apache.org/jira/browse/OAK-2955">OAK-2955</a>
+ */
+ @Test
+ public void testSystemPrincipal() throws Exception {
+ try {
+ boolean success = acl.addAccessControlEntry(SystemPrincipal.INSTANCE, privilegesFromNames(PrivilegeConstants.JCR_READ));
+ assertResult(success);
+ } catch (AccessControlException e) {
+ assertException();
+ }
+ }
+
+ /**
+ * Test if the ACL code properly deals the creation of ACEs for configured
+ * admin-principals, which have full access anyway.
+ *
+ * @since Oak 1.3.0
+ * @see <a href="https://issues.apache.org/jira/browse/OAK-2955">OAK-2955</a>
+ */
+ @Test
+ public void testConfiguredAdministrativePrincipal() throws Exception {
+ try {
+ boolean success = acl.addAccessControlEntry(administrativePrincipal, privilegesFromNames(PrivilegeConstants.JCR_READ));
+ assertResult(success);
+ } catch (AccessControlException e) {
+ assertException();
+ }
+ }
+}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsBestEffortTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsBestEffortTest.java?rev=1683479&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsBestEffortTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsBestEffortTest.java Thu Jun 4 08:00:24 2015
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
+
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class AdminPrincipalsBestEffortTest extends AdminPrincipalsBaseTest {
+
+ @Override
+ protected ConfigurationParameters getSecurityConfigParameters() {
+ return ConfigurationParameters.of(AuthorizationConfiguration.NAME,
+ ConfigurationParameters.of(
+ PermissionConstants.PARAM_ADMINISTRATIVE_PRINCIPALS, new String[]{ADMINISTRATORS_PRINCIPAL_NAME},
+ ProtectedItemImporter.PARAM_IMPORT_BEHAVIOR, ImportBehavior.NAME_BESTEFFORT)
+ );
+ }
+
+ @Override
+ void assertResult(boolean success) throws Exception {
+ assertTrue(success);
+ assertEquals(1, acl.getAccessControlEntries().length);
+ }
+
+ @Override
+ void assertException() throws Exception {
+ fail("Adding entry for administrative principal should succeed without throwing an exception");
+ }
+}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsIgnoreTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsIgnoreTest.java?rev=1683479&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsIgnoreTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsIgnoreTest.java Thu Jun 4 08:00:24 2015
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
+
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.fail;
+
+public class AdminPrincipalsIgnoreTest extends AdminPrincipalsBaseTest {
+
+ @Override
+ protected ConfigurationParameters getSecurityConfigParameters() {
+ return ConfigurationParameters.of(AuthorizationConfiguration.NAME,
+ ConfigurationParameters.of(
+ PermissionConstants.PARAM_ADMINISTRATIVE_PRINCIPALS, new String[]{ADMINISTRATORS_PRINCIPAL_NAME},
+ ProtectedItemImporter.PARAM_IMPORT_BEHAVIOR, ImportBehavior.NAME_IGNORE)
+ );
+ }
+
+ @Override
+ void assertResult(boolean success) throws Exception {
+ assertFalse(success);
+ assertEquals(0, acl.getAccessControlEntries().length);
+ }
+
+ @Override
+ void assertException() throws Exception {
+ fail("Adding entry for administrative principal should be ignored without throwing an exception");
+ }
+}
\ No newline at end of file