Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/05/13 10:58:03 UTC
svn commit: r1481736 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/
main/java/org/apache/jackrabbit/oak/security/authorization/restriction/
main/java/org/apache/jackrabbit/oak/spi/security/authoriza...
Author: angela
Date: Mon May 13 08:58:02 2013
New Revision: 1481736
URL: http://svn.apache.org/r1481736
Log:
OAK-51 : Access Control Management (wip)
Effective policies:
- avoid reading effective policies from transient state -> fix TODO and add more tests
Restrictions:
- allow restriction properties to have a mv value
- add node type restriction to validate multi-restriction behavior
- add composite restriction pattern to evaluate multiple restrictions present with an ACE
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePattern.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java
- copied, changed from r1480956, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java
Removed:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java Mon May 13 08:58:02 2013
@@ -38,6 +38,10 @@ public interface AccessControlConstants
/**
* @since OAK 1.0
*/
+ String REP_NT_NAMES = "rep:ntNames";
+ /**
+ * @since OAK 1.0
+ */
String REP_RESTRICTIONS = "rep:restrictions";
String MIX_REP_ACCESS_CONTROLLABLE = "rep:AccessControllable";
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Mon May 13 08:58:02 2013
@@ -171,6 +171,9 @@ public class AccessControlManagerImpl im
String oakPath = getOakPath(absPath);
Tree tree = getTree(oakPath, Permissions.READ_ACCESS_CONTROL);
+ Root r = root.getContentSession().getLatestRoot();
+ tree = r.getTree(tree.getPath());
+
List<AccessControlPolicy> effective = new ArrayList<AccessControlPolicy>();
AccessControlPolicy policy = createACL(oakPath, tree, true);
if (policy != null) {
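Review bot: The READ_ACCESS_CONTROL check in `getTree(oakPath, ...)` runs against the session's current, possibly transient, root, while the policies are then read from `getLatestRoot()`, and the two states can disagree about what lives at `tree.getPath()`. A comment on the re-read would make the intent explicit, for example `// effective policies reflect persisted state only: re-resolve the tree on the latest root`. It is also worth confirming that a path which is new or moved in the transient state cannot yield the policies of a different persisted node. The same root `r` drives the ancestor walk in the next hunk, where no per-ancestor permission check is visible. The method body starts and ends outside this hunk.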
@@ -179,7 +182,7 @@ public class AccessControlManagerImpl im
if (oakPath != null) {
String parentPath = Text.getRelativeParent(oakPath, 1);
while (!parentPath.isEmpty()) {
- Tree t = root.getTree(parentPath);
+ Tree t = r.getTree(parentPath);
AccessControlPolicy plc = createACL(parentPath, t, true);
if (plc != null) {
effective.add(plc);
@@ -366,13 +369,15 @@ public class AccessControlManagerImpl im
@Override
public AccessControlPolicy[] getEffectivePolicies(@Nonnull Set<Principal> principals) throws RepositoryException {
AccessControlUtils.checkValidPrincipals(principals, principalManager);
- Result aceResult = searchAces(principals);
+ Root r = root.getContentSession().getLatestRoot();
+
+ Result aceResult = searchAces(principals, r);
List<AccessControlPolicy> effective = new ArrayList<AccessControlPolicy>();
for (ResultRow row : aceResult.getRows()) {
String acePath = row.getPath();
String aclName = Text.getName(Text.getRelativeParent(acePath, 1));
- Tree accessControlledTree = root.getTree(Text.getRelativeParent(acePath, 2));
+ Tree accessControlledTree = r.getTree(Text.getRelativeParent(acePath, 2));
if (aclName.isEmpty() || !accessControlledTree.exists()) {
log.debug("Isolated access control entry -> ignore query result at " + acePath);
continue;
@@ -435,7 +440,6 @@ public class AccessControlManagerImpl im
throw new AccessControlException("Tree " + tree.getPath() + " defines access control content.");
}
}
-
return tree;
}
@@ -494,8 +498,7 @@ public class AccessControlManagerImpl im
String aclName = AccessControlUtils.getAclName(oakPath);
if (accessControlledTree.exists() && AccessControlUtils.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
Tree aclTree = accessControlledTree.getChild(aclName);
- // TODO: effective policies: add proper handling for modified ACLs
- if (aclTree.exists() && (!isEffectivePolicy || aclTree.getStatus() != Tree.Status.NEW)) {
+ if (aclTree.exists()) {
List<JackrabbitAccessControlEntry> entries = new ArrayList<JackrabbitAccessControlEntry>();
for (Tree child : aclTree.getChildren()) {
if (AccessControlUtils.isACE(child, ntMgr)) {
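Review bot: With the `Tree.Status.NEW` guard removed from this condition, createACL builds a list from any existing `aclTree` it is handed. The guarantee that effective policies never come from transient state therefore rests entirely on callers passing a tree resolved from the latest root. If `isEffectivePolicy` remains a parameter, its Javadoc should state that precondition, for example `@param isEffectivePolicy if true, accessControlledTree must have been read from the persisted root`. The method starts and ends outside the hunk, so whether the flag is still used elsewhere in the body cannot be seen here.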
@@ -515,7 +518,7 @@ public class AccessControlManagerImpl im
@Nullable
private JackrabbitAccessControlList createPrincipalACL(@Nullable String oakPath,
@Nonnull Principal principal) throws RepositoryException {
- Result aceResult = searchAces(Collections.<Principal>singleton(principal));
+ Result aceResult = searchAces(Collections.<Principal>singleton(principal), root);
RestrictionProvider restrProvider = new PrincipalRestrictionProvider(restrictionProvider, namePathMapper);
List<JackrabbitAccessControlEntry> entries = new ArrayList<JackrabbitAccessControlEntry>();
for (ResultRow row : aceResult.getRows()) {
@@ -549,7 +552,7 @@ public class AccessControlManagerImpl im
}
@Nonnull
- private Result searchAces(@Nonnull Set<Principal> principals) throws RepositoryException {
+ private static Result searchAces(@Nonnull Set<Principal> principals, @Nonnull Root root) throws RepositoryException {
// TODO: specify sort order
StringBuilder stmt = new StringBuilder("/jcr:root");
stmt.append("//element(*,");
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java Mon May 13 08:58:02 2013
@@ -16,14 +16,10 @@
*/
package org.apache.jackrabbit.oak.security.authorization;
-import static com.google.common.base.Preconditions.checkNotNull;
-import static org.apache.jackrabbit.oak.api.CommitFailedException.ACCESS;
-
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
-
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
@@ -40,6 +36,9 @@ import org.apache.jackrabbit.oak.spi.sta
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.Text;
+import static com.google.common.base.Preconditions.checkNotNull;
+import static org.apache.jackrabbit.oak.api.CommitFailedException.ACCESS;
+
/**
* Validation for access control information changed by regular JCR (and Jackrabbit)
* access control management API.
Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java?rev=1481736&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java Mon May 13 08:58:02 2013
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.restriction;
+
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
+import org.apache.jackrabbit.oak.util.TreeUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * NodeTypePattern... TODO
+ */
+class NodeTypePattern implements RestrictionPattern {
+
+ private static final Logger log = LoggerFactory.getLogger(NodeTypePattern.class);
+
+ private final Set<String> nodeTypeNames;
+
+ NodeTypePattern(@Nonnull Iterable<String> nodeTypeNames) {
+ this.nodeTypeNames = ImmutableSet.copyOf(nodeTypeNames);
+ }
+
+ @Override
+ public boolean matches(@Nonnull Tree tree, @Nullable PropertyState property) {
+ return nodeTypeNames.contains(TreeUtil.getPrimaryTypeName(tree));
+ }
+
+ @Override
+ public boolean matches(@Nonnull String path) {
+ log.debug("Unable to validate node type restriction.");
+ return false;
+ }
+}
\ No newline at end of file
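Review bot: `matches(String path)` always returns false, so an entry carrying `rep:ntNames` never applies during path-based evaluation, and inside `CompositePattern` it makes the whole composite fail. For a deny entry that means the deny is silently skipped. This may be acceptable for a work-in-progress commit, but the class Javadoc (currently `NodeTypePattern... TODO`) should say so. It should also say that `matches(Tree, PropertyState)` compares only the primary type name, so subtypes and mixins of a listed type do not match. Suggested summary: `Restriction pattern that matches a tree whose primary node type name is one of the configured names; path-only evaluation is not supported and never matches.`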
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java Mon May 13 08:58:02 2013
@@ -57,7 +57,7 @@ public class PrincipalRestrictionProvide
@Override
public Set<RestrictionDefinition> getSupportedRestrictions(@Nullable String oakPath) {
Set<RestrictionDefinition> definitions = new HashSet<RestrictionDefinition>(base.getSupportedRestrictions(oakPath));
- definitions.add(new RestrictionDefinitionImpl(REP_NODE_PATH, PropertyType.PATH, true, namePathMapper));
+ definitions.add(new RestrictionDefinitionImpl(REP_NODE_PATH, Type.PATH, true, namePathMapper));
return definitions;
}
@@ -72,6 +72,12 @@ public class PrincipalRestrictionProvide
}
}
+ @Nonnull
+ @Override
+ public Restriction createRestriction(@Nullable String oakPath, @Nonnull String jcrName, @Nonnull Value... values) throws RepositoryException {
+ return base.createRestriction(oakPath, jcrName, values);
+ }
+
@Override
public Set<Restriction> readRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) {
Set<Restriction> restrictions = new HashSet<Restriction>(base.readRestrictions(oakPath, aceTree));
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java Mon May 13 08:58:02 2013
@@ -16,9 +16,11 @@
*/
package org.apache.jackrabbit.oak.security.authorization.restriction;
+import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
+import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
@@ -28,6 +30,7 @@ import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.security.AccessControlException;
+import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.api.PropertyState;
@@ -36,6 +39,7 @@ import org.apache.jackrabbit.oak.api.Typ
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.CompositePattern;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinitionImpl;
@@ -56,8 +60,9 @@ public class RestrictionProviderImpl imp
public RestrictionProviderImpl(NamePathMapper namePathMapper) {
this.namePathMapper = namePathMapper;
- RestrictionDefinition glob = new RestrictionDefinitionImpl(REP_GLOB, PropertyType.STRING, false, namePathMapper);
- this.supported = ImmutableMap.of(REP_GLOB, glob);
+ RestrictionDefinition glob = new RestrictionDefinitionImpl(REP_GLOB, Type.STRING, false, namePathMapper);
+ RestrictionDefinition nts = new RestrictionDefinitionImpl(REP_NT_NAMES, Type.NAMES, false, namePathMapper);
+ this.supported = ImmutableMap.of(glob.getName(), glob, nts.getName(), nts);
}
//------------------------------------------------< RestrictionProvider >---
@@ -82,11 +87,46 @@ public class RestrictionProviderImpl imp
if (definition == null) {
throw new AccessControlException("Unsupported restriction: " + oakName);
}
- int requiredType = definition.getRequiredType();
- if (requiredType != PropertyType.UNDEFINED && requiredType != value.getType()) {
- throw new AccessControlException("Unsupported restriction: Expected value of type " + PropertyType.nameFromValue(definition.getRequiredType()));
+ Type requiredType = definition.getRequiredType();
+ if (requiredType.tag() != PropertyType.UNDEFINED && requiredType.tag() != value.getType()) {
+ throw new AccessControlException("Unsupported restriction: Expected value of type " + requiredType);
+ }
+ PropertyState propertyState;
+ if (requiredType.isArray()) {
+ propertyState = PropertyStates.createProperty(oakName, ImmutableList.of(value));
+ } else {
+ propertyState = PropertyStates.createProperty(oakName, value);
+ }
+ return createRestriction(propertyState, definition);
+ }
+
+ @Override
+ public Restriction createRestriction(String oakPath, String jcrName, Value... values) throws RepositoryException {
+ if (isUnsupportedPath(oakPath)) {
+ throw new AccessControlException("Unsupported restriction at " + oakPath);
+ }
+
+ String oakName = namePathMapper.getOakName(jcrName);
+ RestrictionDefinition definition = supported.get(oakName);
+ if (definition == null) {
+ throw new AccessControlException("Unsupported restriction: " + oakName);
+ }
+ Type requiredType = definition.getRequiredType();
+ for (Value v : values) {
+ if (requiredType.tag() != PropertyType.UNDEFINED && requiredType.tag() != v.getType()) {
+ throw new AccessControlException("Unsupported restriction: Expected value of type " + requiredType);
+ }
+ }
+
+ PropertyState propertyState;
+ if (requiredType.isArray()) {
+ propertyState = PropertyStates.createProperty(oakName, ImmutableList.of(values));
+ } else {
+ if (values.length != 1) {
+ throw new AccessControlException("Unsupported restriction: Expected single value.");
+ }
+ propertyState = PropertyStates.createProperty(oakName, values[0]);
}
- PropertyState propertyState = PropertyStates.createProperty(oakName, value);
return createRestriction(propertyState, definition);
}
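Review bot: In the new varargs overload, `ImmutableList.of(values)` is called with a `Value[]`. Depending on the Guava version, this likely binds to the single-element `of(E)` overload and yields a one-element list holding the array rather than a list of the values. `ImmutableList.copyOf(values)` is unambiguous: `propertyState = PropertyStates.createProperty(oakName, ImmutableList.copyOf(values));`. The array branch also accepts an empty `values`, which for `rep:ntNames` would store a restriction that matches no node type. If that is not intended, reject it alongside the existing `values.length != 1` check.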
@@ -100,7 +140,7 @@ public class RestrictionProviderImpl imp
String propName = propertyState.getName();
if (isRestrictionProperty(propName) && supported.containsKey(propName)) {
RestrictionDefinition def = supported.get(propName);
- if (def.getRequiredType() == propertyState.getType().tag()) {
+ if (def.getRequiredType() == propertyState.getType()) {
restrictions.add(createRestriction(propertyState, def));
}
}
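Review bot: A stored restriction whose type differs from the definition's required type is dropped here without any trace, so the entry is read back with fewer restrictions than the content holds, i.e. broader than written. Because the comparison is now on `Type` rather than on the tag, a single-valued `rep:ntNames` property no longer equals `Type.NAMES` and takes this path. If the class has a logger, record the skip, e.g. `log.warn("Ignoring restriction {} with unexpected type {}", propName, propertyState.getType());`. Otherwise consider treating the mismatch as an error. The enclosing loop starts outside the hunk.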
@@ -134,9 +174,9 @@ public class RestrictionProviderImpl imp
if (def == null) {
throw new AccessControlException("Unsupported restriction: " + restrName);
}
- int type = entry.getValue().getType().tag();
+ Type type = entry.getValue().getType();
if (type != def.getRequiredType()) {
- throw new AccessControlException("Invalid restriction type '" + PropertyType.nameFromValue(type) + "'. Expected " + PropertyType.nameFromValue(def.getRequiredType()));
+ throw new AccessControlException("Invalid restriction type '" + type + "'. Expected " + def.getRequiredType());
}
}
for (RestrictionDefinition def : supported.values()) {
@@ -148,13 +188,26 @@ public class RestrictionProviderImpl imp
@Override
public RestrictionPattern getPattern(String oakPath, Tree tree) {
- if (oakPath != null) {
+ if (oakPath == null) {
+ return RestrictionPattern.EMPTY;
+ } else {
PropertyState glob = tree.getProperty(REP_GLOB);
+
+ List<RestrictionPattern> patterns = new ArrayList<RestrictionPattern>(2);
if (glob != null) {
- return GlobPattern.create(oakPath, glob.getValue(Type.STRING));
+ patterns.add(GlobPattern.create(oakPath, glob.getValue(Type.STRING)));
+ }
+ PropertyState ntNames = tree.getProperty(REP_NT_NAMES);
+ if (ntNames != null) {
+ patterns.add(new NodeTypePattern(ntNames.getValue(Type.NAMES)));
+ }
+
+ switch (patterns.size()) {
+ case 1 : return patterns.get(0);
+ case 2 : return new CompositePattern(patterns);
+ default : return RestrictionPattern.EMPTY;
}
}
- return RestrictionPattern.EMPTY;
}
//------------------------------------------------------------< private >---
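Review bot: The `switch (patterns.size())` hard-codes the two restrictions known today. If a third pattern is ever added to the list, size 3 falls through to `default` and returns `RestrictionPattern.EMPTY`. That is presumably the match-everything pattern, so every restriction on the entry would be dropped instead of combined. Making the composite the fallback avoids this: `case 0 : return RestrictionPattern.EMPTY;`, `case 1 : return patterns.get(0);`, `default : return new CompositePattern(patterns);`.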
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java Mon May 13 08:58:02 2013
@@ -113,7 +113,7 @@ public abstract class AbstractAccessCont
public int getRestrictionType(String restrictionName) throws RepositoryException {
for (RestrictionDefinition definition : getRestrictionProvider().getSupportedRestrictions(getOakPath())) {
if (definition.getJcrName().equals(restrictionName)) {
- return definition.getRequiredType();
+ return definition.getRequiredType().tag();
}
}
// for backwards compatibility with JR2 return undefined type for an
Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePattern.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePattern.java?rev=1481736&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePattern.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePattern.java Mon May 13 08:58:02 2013
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
+
+import java.util.List;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+
+/**
+ * Aggregates of a list of {@link RestrictionPattern}s into a single pattern.
+ * The implementations of {@code matches} returns {@code true} if all aggregated
+ * patterns successfully validate the given parameters and returns {@code false}
+ * as soon as the first aggregated pattern returns {@code false}.
+ */
+public final class CompositePattern implements RestrictionPattern {
+
+ private final List<RestrictionPattern> patterns;
+
+ public CompositePattern(@Nonnull List<RestrictionPattern> patterns) {
+ this.patterns = patterns;
+ }
+
+ @Override
+ public boolean matches(@Nonnull Tree tree, @Nullable PropertyState property) {
+ for (RestrictionPattern pattern : patterns) {
+ if (!pattern.matches(tree, property)) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ @Override
+ public boolean matches(@Nonnull String path) {
+ for (RestrictionPattern pattern : patterns) {
+ if (!pattern.matches(path)) {
+ return false;
+ }
+ }
+ return true;
+ }
+}
\ No newline at end of file
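Review bot: The constructor keeps the caller's list (`this.patterns = patterns;`), so a caller that mutates it afterwards changes how the entry is evaluated. A defensive copy such as `this.patterns = ImmutableList.copyOf(patterns);` closes that; it needs the Guava import, which other files in this commit already use. An empty list makes both `matches` methods return true, which is worth stating in the class Javadoc. The Javadoc opening would also read better as `Aggregates a list of {@link RestrictionPattern}s into a single pattern.`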
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java Mon May 13 08:58:02 2013
@@ -18,6 +18,8 @@ package org.apache.jackrabbit.oak.spi.se
import javax.annotation.Nonnull;
+import org.apache.jackrabbit.oak.api.Type;
+
/**
* The {@code RestrictionDefinition} interface provides methods for
* discovering the static definition of any additional policy-internal refinements
@@ -58,7 +60,7 @@ public interface RestrictionDefinition {
*
* @return The required type which must be a valid {@link javax.jcr.PropertyType}.
*/
- int getRequiredType();
+ Type getRequiredType();
/**
* Indicates if this restriction is mandatory.
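Review bot: The `@return` text above `getRequiredType()` still says the result "must be a valid {@link javax.jcr.PropertyType}", but the method now returns `org.apache.jackrabbit.oak.api.Type`. Suggested wording: `@return The required {@link Type} of the restriction property.` Changing the return type on this SPI interface also breaks existing implementations at compile time, which deserves a line in the commit log. The Javadoc block starts outside the hunk.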
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java Mon May 13 08:58:02 2013
@@ -20,6 +20,7 @@ import javax.annotation.Nonnull;
import javax.jcr.PropertyType;
import com.google.common.base.Objects;
+import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import static com.google.common.base.Preconditions.checkNotNull;
@@ -30,7 +31,7 @@ import static com.google.common.base.Pre
public class RestrictionDefinitionImpl implements RestrictionDefinition {
private final String name;
- private final int type;
+ private final Type type;
private final boolean isMandatory;
private final NamePathMapper namePathMapper;
@@ -44,10 +45,10 @@ public class RestrictionDefinitionImpl i
* @param isMandatory A boolean indicating if the restriction is mandatory.
* @param namePathMapper The name path mapper used to calculate the JCR name.
*/
- public RestrictionDefinitionImpl(@Nonnull String name, int type, boolean isMandatory,
+ public RestrictionDefinitionImpl(@Nonnull String name, Type type, boolean isMandatory,
@Nonnull NamePathMapper namePathMapper) {
this.name = checkNotNull(name);
- if (type == PropertyType.UNDEFINED) {
+ if (type.tag() == PropertyType.UNDEFINED) {
throw new IllegalArgumentException("'undefined' is not a valid required definition type.");
}
this.type = type;
@@ -73,7 +74,7 @@ public class RestrictionDefinitionImpl i
}
@Override
- public int getRequiredType() {
+ public Type getRequiredType() {
return type;
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java Mon May 13 08:58:02 2013
@@ -33,7 +33,7 @@ public class RestrictionImpl extends Res
public RestrictionImpl(@Nonnull PropertyState property, boolean isMandatory,
@Nonnull NamePathMapper namePathMapper) {
- super(property.getName(), property.getType().tag(), isMandatory, namePathMapper);
+ super(property.getName(), property.getType(), isMandatory, namePathMapper);
this.property = property;
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java Mon May 13 08:58:02 2013
@@ -35,7 +35,13 @@ public interface RestrictionProvider {
@Nonnull
Restriction createRestriction(@Nullable String oakPath,
- @Nonnull String jcrName, @Nonnull Value value) throws RepositoryException;
+ @Nonnull String jcrName,
+ @Nonnull Value value) throws RepositoryException;
+
+ @Nonnull
+ Restriction createRestriction(@Nullable String oakPath,
+ @Nonnull String jcrName,
+ @Nonnull Value... values) throws RepositoryException;
@Nonnull
Set<Restriction> readRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree);
Modified: jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd Mon May 13 08:58:02 2013
@@ -634,6 +634,7 @@
*/
[rep:Restrictions]
- * (UNDEFINED) protected
+ - * (UNDEFINED) protected multiple
/**
* @since oak 1.0
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java Mon May 13 08:58:02 2013
@@ -43,6 +43,7 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
@@ -62,6 +63,7 @@ import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;
+import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
@@ -74,7 +76,7 @@ import static org.junit.Assert.fail;
* TODO: test restrictions
* TODO: add test with multiple entries
*/
-public class ACLTest extends AbstractAccessControlListTest implements PrivilegeConstants {
+public class ACLTest extends AbstractAccessControlListTest implements PrivilegeConstants, AccessControlConstants {
private PrivilegeManager privilegeManager;
private PrincipalManager principalManager;
@@ -132,7 +134,7 @@ public class ACLTest extends AbstractAcc
@Test
public void testAddInvalidEntry() throws Exception {
- Principal unknownPrincipal = new InvalidPrincipal("unknown");
+ Principal unknownPrincipal = new InvalidTestPrincipal("unknown");
try {
acl.addAccessControlEntry(unknownPrincipal, privilegesFromNames(JCR_READ));
fail("Adding an ACE with an unknown principal should fail");
@@ -554,7 +556,7 @@ public class ACLTest extends AbstractAcc
Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
Privilege[] addNodePriv = privilegesFromNames(JCR_ADD_CHILD_NODES);
- Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB, getValueFactory().createValue("/.*"));
+ Map<String, Value> restrictions = Collections.singletonMap(REP_GLOB, getValueFactory().createValue("/.*"));
acl.addEntry(testPrincipal, readPriv, true);
acl.addEntry(testPrincipal, writePriv, false);
@@ -572,7 +574,7 @@ public class ACLTest extends AbstractAcc
Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
Privilege[] addNodePriv = privilegesFromNames(JCR_ADD_CHILD_NODES);
- Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB, getValueFactory().createValue("/.*"));
+ Map<String, Value> restrictions = Collections.singletonMap(REP_GLOB, getValueFactory().createValue("/.*"));
acl.addEntry(testPrincipal, readPriv, true);
acl.addEntry(testPrincipal, addNodePriv, true, restrictions);
@@ -588,9 +590,10 @@ public class ACLTest extends AbstractAcc
public void testRestrictions() throws Exception {
String[] names = acl.getRestrictionNames();
assertNotNull(names);
- assertEquals(1, names.length);
- assertEquals(AccessControlConstants.REP_GLOB, names[0]);
+ assertEquals(2, names.length);
+ assertArrayEquals(new String[] {REP_GLOB, REP_NT_NAMES}, names);
assertEquals(PropertyType.STRING, acl.getRestrictionType(names[0]));
+ assertEquals(PropertyType.NAME, acl.getRestrictionType(names[1]));
Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
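Review bot: `assertArrayEquals(new String[] {REP_GLOB, REP_NT_NAMES}, names)` pins the order of the restriction names, and it makes the preceding `assertEquals(2, names.length)` redundant. If `getRestrictionNames()` is derived from the provider's `Set<RestrictionDefinition>` (an assumption, the implementation is not in this hunk), that order is an implementation detail, and the type checks on `names[0]` and `names[1]` are equally fragile. Comparing without order, `assertEquals(new HashSet<String>(Arrays.asList(REP_GLOB, REP_NT_NAMES)), new HashSet<String>(Arrays.asList(names)));`, and asking for types by name, `acl.getRestrictionType(REP_NT_NAMES)`, would keep the test stable. `testRestrictions` continues outside the hunk.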
@@ -611,7 +614,7 @@ public class ACLTest extends AbstractAcc
assertEquals(1, acl.getAccessControlEntries().length);
// add an entry with a restrictions:
- Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB, getValueFactory().createValue("/.*"));
+ Map<String, Value> restrictions = Collections.singletonMap(REP_GLOB, getValueFactory().createValue("/.*"));
assertTrue(acl.addEntry(testPrincipal, writePriv, false, restrictions));
assertEquals(2, acl.getAccessControlEntries().length);
@@ -637,7 +640,7 @@ public class ACLTest extends AbstractAcc
@Test
public void testUnsupportedRestrictions2() throws Exception {
- RestrictionProvider rp = new TestRestrictionProvider("restr", PropertyType.NAME, false);
+ RestrictionProvider rp = new TestRestrictionProvider("restr", Type.NAME, false);
JackrabbitAccessControlList acl = createACL(getTestPath(), new ArrayList(), namePathMapper, rp);
try {
@@ -650,7 +653,7 @@ public class ACLTest extends AbstractAcc
@Test
public void testInvalidRestrictionType() throws Exception {
- RestrictionProvider rp = new TestRestrictionProvider("restr", PropertyType.NAME, false);
+ RestrictionProvider rp = new TestRestrictionProvider("restr", Type.NAME, false);
JackrabbitAccessControlList acl = createACL(getTestPath(), new ArrayList(), namePathMapper, rp);
try {
@@ -663,7 +666,7 @@ public class ACLTest extends AbstractAcc
@Test
public void testMandatoryRestrictions() throws Exception {
- RestrictionProvider rp = new TestRestrictionProvider("mandatory", PropertyType.NAME, true);
+ RestrictionProvider rp = new TestRestrictionProvider("mandatory", Type.NAME, true);
JackrabbitAccessControlList acl = createACL(getTestPath(), new ArrayList(), namePathMapper, rp);
try {
@@ -708,7 +711,7 @@ public class ACLTest extends AbstractAcc
private final RestrictionDefinition supported;
- private TestRestrictionProvider(String name, int type, boolean isMandatory) {
+ private TestRestrictionProvider(String name, Type type, boolean isMandatory) {
supported = new RestrictionDefinitionImpl(name, type, isMandatory, namePathMapper);
}
@@ -724,7 +727,7 @@ public class ACLTest extends AbstractAcc
if (!supported.getJcrName().equals(jcrName)) {
throw new AccessControlException();
}
- if (supported.getRequiredType() != value.getType()) {
+ if (supported.getRequiredType().tag() != value.getType()) {
throw new AccessControlException();
}
PropertyState property = PropertyStates.createProperty(namePathMapper.getOakName(jcrName), value.getString(), value.getType());
@@ -733,17 +736,32 @@ public class ACLTest extends AbstractAcc
@Nonnull
@Override
+ public Restriction createRestriction(@Nullable String oakPath, @Nonnull String jcrName, @Nonnull Value... values) throws RepositoryException {
+ if (!supported.getJcrName().equals(jcrName)) {
+ throw new AccessControlException();
+ }
+ for (Value v : values) {
+ if (supported.getRequiredType().tag() != v.getType()) {
+ throw new AccessControlException();
+ }
+ }
+ PropertyState property = PropertyStates.createProperty(namePathMapper.getOakName(jcrName), Arrays.asList(values), supported.getRequiredType());
+ return new RestrictionImpl(property, supported.isMandatory(), namePathMapper);
+ }
+
+ @Nonnull
+ @Override
public Set<Restriction> readRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) {
throw new UnsupportedOperationException();
}
@Override
- public void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction> restrictions) throws AccessControlException {
+ public void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction> restrictions) {
throw new UnsupportedOperationException();
}
@Override
- public void validateRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) throws AccessControlException {
+ public void validateRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) {
throw new UnsupportedOperationException();
}
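Review bot: In the new varargs `createRestriction`, the `PropertyStates.createProperty(...)` call passes `Arrays.asList(values)`, a list of JCR `Value` objects, together with `supported.getRequiredType()`. The single-value overload just above instead converts with `value.getString(), value.getType()`. With the definitions this test class creates (`Type.NAME`), the new call pairs a list with a single-valued type; the hunk does not show how `createProperty` treats that combination, so this should be checked. The type-check loop also passes trivially for an empty `values` array. Nothing visible in this commit calls the overload, so a small test that builds a restriction from two values and reads them back would settle both questions.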
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java Mon May 13 08:58:02 2013
@@ -37,6 +37,7 @@ import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
@@ -971,11 +972,8 @@ public class AccessControlManagerImplTes
assertEquals(0, policies.length);
setupPolicy(testPath);
- policies = acMgr.getEffectivePolicies(testPath);
- assertNotNull(policies);
- assertEquals(0, policies.length);
-
root.commit();
+
policies = acMgr.getEffectivePolicies(testPath);
assertNotNull(policies);
assertEquals(1, policies.length);
@@ -988,16 +986,53 @@ public class AccessControlManagerImplTes
assertEquals(1, policies.length);
setupPolicy(childPath);
+ root.commit();
policies = acMgr.getEffectivePolicies(childPath);
assertNotNull(policies);
- assertEquals(1, policies.length);
+ assertEquals(2, policies.length);
+ }
- root.commit();
+ @Test
+ public void testGetEffectivePoliciesNewPolicy() throws Exception {
+ AccessControlPolicy[] policies = acMgr.getEffectivePolicies(testPath);
+ assertNotNull(policies);
+ assertEquals(0, policies.length);
+
+ setupPolicy(testPath);
+ policies = acMgr.getEffectivePolicies(testPath);
+ assertNotNull(policies);
+ assertEquals(0, policies.length);
+
+ NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+ String childPath = child.getTree().getPath();
policies = acMgr.getEffectivePolicies(childPath);
assertNotNull(policies);
- assertEquals(2, policies.length);
+ assertEquals(0, policies.length);
+
+ setupPolicy(childPath);
+ policies = acMgr.getEffectivePolicies(childPath);
+ assertNotNull(policies);
+ assertEquals(0, policies.length);
+ }
+
+ @Test
+ public void testGetEffectiveModifiedPolicy() throws Exception {
+ ACL acl = setupPolicy(testPath);
+ AccessControlEntry[] aces = acl.getAccessControlEntries();
+ root.commit();
+
+ acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(PrivilegeConstants.JCR_VERSION_MANAGEMENT));
+ acMgr.setPolicy(testPath, acl);
+
+ AccessControlPolicy[] policies = acMgr.getEffectivePolicies(testPath);
+ assertNotNull(policies);
+ assertEquals(1, policies.length);
+ assertTrue(policies[0] instanceof AccessControlList);
+ AccessControlEntry[] effectiveAces = ((AccessControlList) policies[0]).getAccessControlEntries();
+ assertArrayEquals(aces, effectiveAces);
+ assertFalse(Arrays.equals(effectiveAces, acl.getAccessControlEntries()));
}
@Test
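Review bot: `testGetEffectiveModifiedPolicy` checks that an uncommitted ACL edit is not reported as effective, but it stops before showing that the edit takes effect once it is persisted. Without that second half, an implementation that never picks up the added entry would still pass. After the last assertion I would add `root.commit();` followed by `assertArrayEquals(acl.getAccessControlEntries(), ((AccessControlList) acMgr.getEffectivePolicies(testPath)[0]).getAccessControlEntries());`. A comment at the top of the test, such as `// effective policies reflect persisted state only; transient edits must not show up`, would explain why the stale entries are the expected result.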
@@ -1444,7 +1479,7 @@ public class AccessControlManagerImplTes
while (unknown != null) {
unknown = getPrincipalManager().getPrincipal("unknown"+i);
}
- unknown = new InvalidPrincipal("unknown" + i);
+ unknown = new InvalidTestPrincipal("unknown" + i);
try {
acMgr.getApplicablePolicies(unknown);
fail("Unknown principal should be detected.");
@@ -1533,7 +1568,7 @@ public class AccessControlManagerImplTes
while (unknown != null) {
unknown = getPrincipalManager().getPrincipal("unknown"+i);
}
- unknown = new InvalidPrincipal("unknown" + i);
+ unknown = new InvalidTestPrincipal("unknown" + i);
try {
acMgr.getPolicies(unknown);
fail("Unknown principal should be detected.");
@@ -1630,7 +1665,7 @@ public class AccessControlManagerImplTes
while (unknown != null) {
unknown = getPrincipalManager().getPrincipal("unknown"+i);
}
- unknown = new InvalidPrincipal("unknown" + i);
+ unknown = new InvalidTestPrincipal("unknown" + i);
try {
acMgr.getEffectivePolicies(Collections.singleton(unknown));
fail("Unknown principal should be detected.");
Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java (from r1480956, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java&r1=1480956&r2=1481736&rev=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java Mon May 13 08:58:02 2013
@@ -24,11 +24,11 @@ import org.slf4j.LoggerFactory;
/**
* InvalidPrincipal... TODO
*/
-public final class InvalidPrincipal implements Principal {
+public final class InvalidTestPrincipal implements Principal {
private final String name;
- public InvalidPrincipal(String name) {
+ public InvalidTestPrincipal(String name) {
this.name = name;
}
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java Mon May 13 08:58:02 2013
@@ -18,8 +18,7 @@ package org.apache.jackrabbit.oak.securi
import java.util.Set;
-import javax.jcr.PropertyType;
-
+import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
@@ -30,6 +29,7 @@ import static org.junit.Assert.assertEqu
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
/**
* Tests for {@link RestrictionProviderImpl}
@@ -51,12 +51,19 @@ public class RestrictionProviderImplTest
Set<RestrictionDefinition> defs = provider.getSupportedRestrictions("/testPath");
assertNotNull(defs);
- assertEquals(1, defs.size());
+ assertEquals(2, defs.size());
- RestrictionDefinition def = defs.iterator().next();
- assertEquals(REP_GLOB, def.getName());
- assertEquals(PropertyType.STRING, def.getRequiredType());
- assertFalse(def.isMandatory());
+ for (RestrictionDefinition def : defs) {
+ if (REP_GLOB.equals(def.getName())) {
+ assertEquals(Type.STRING, def.getRequiredType());
+ assertFalse(def.isMandatory());
+ } else if (REP_NT_NAMES.equals(def.getName())) {
+ assertEquals(Type.NAMES, def.getRequiredType());
+ assertFalse(def.isMandatory());
+ } else {
+ fail("unexpected restriction "+def.getName());
+ }
+ }
}
@Test
@@ -65,6 +72,11 @@ public class RestrictionProviderImplTest
}
@Test
+ public void testCreateMvRestriction() {
+ // TODO
+ }
+
+ @Test
public void testReadRestrictions() {
// TODO
}
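Review bot: `testCreateMvRestriction` is added as an empty `@Test` holding only `// TODO`, so it passes and reports coverage for multi-valued restriction creation that does not exist. The same applies to `testGetRestrictionPattern` in the next hunk. Both areas decide whether an access control entry applies to an item, so a green result there is misleading. Mark both methods with `@Ignore("not yet implemented")` (with the `org.junit.Ignore` import) or have them call `fail("not yet implemented")` until the bodies are written.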
@@ -79,4 +91,8 @@ public class RestrictionProviderImplTest
// TODO
}
+ @Test
+ public void testGetRestrictionPattern() {
+ // TODO
+ }
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java Mon May 13 08:58:02 2013
@@ -212,7 +212,7 @@ public abstract class AbstractAccessCont
int reqType = acl.getRestrictionType(def.getJcrName());
assertTrue(reqType > PropertyType.UNDEFINED);
- assertEquals(def.getRequiredType(), reqType);
+ assertEquals(def.getRequiredType().tag(), reqType);
}
}
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java Mon May 13 08:58:02 2013
@@ -16,17 +16,11 @@
*/
package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
import java.util.ArrayList;
import java.util.List;
-import javax.jcr.PropertyType;
-
import org.apache.jackrabbit.oak.TestNameMapper;
+import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.namepath.NamePathMapperImpl;
import org.apache.jackrabbit.oak.plugins.name.Namespaces;
@@ -34,6 +28,11 @@ import org.apache.jackrabbit.oak.spi.sec
import org.junit.Before;
import org.junit.Test;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
/**
* Tests for {@link RestrictionDefinitionImpl}.
*/
@@ -50,7 +49,7 @@ public class RestrictionDefinitionImplTe
NamePathMapper npMapper = new NamePathMapperImpl(new TestNameMapper(Namespaces.getNamespaceMap(root.getTree("/")), TestNameMapper.LOCAL_MAPPING));
name = TestNameMapper.TEST_PREFIX + ":defName";
- definition = new RestrictionDefinitionImpl(name, PropertyType.NAME, true, npMapper);
+ definition = new RestrictionDefinitionImpl(name, Type.NAME, true, npMapper);
}
@Test
@@ -65,7 +64,7 @@ public class RestrictionDefinitionImplTe
@Test
public void testGetRequiredType() {
- assertEquals(PropertyType.NAME, definition.getRequiredType());
+ assertEquals(Type.NAME, definition.getRequiredType());
}
@Test
@@ -76,21 +75,21 @@ public class RestrictionDefinitionImplTe
@Test
public void testInvalid() {
try {
- new RestrictionDefinitionImpl(null, PropertyType.BOOLEAN, false, namePathMapper);
+ new RestrictionDefinitionImpl(null, Type.BOOLEAN, false, namePathMapper);
fail("Creating RestrictionDefinition with null name should fail.");
} catch (NullPointerException e) {
// success
}
try {
- new RestrictionDefinitionImpl(name, PropertyType.BOOLEAN, false, null);
+ new RestrictionDefinitionImpl(name, Type.BOOLEAN, false, null);
fail("Creating RestrictionDefinition with null name/path mapper should fail.");
} catch (NullPointerException e) {
// success
}
try {
- new RestrictionDefinitionImpl(name, PropertyType.UNDEFINED, false, namePathMapper);
+ new RestrictionDefinitionImpl(name, Type.UNDEFINED, false, namePathMapper);
fail("Creating RestrictionDefinition with undefined required type should fail.");
} catch (IllegalArgumentException e) {
// success
@@ -100,10 +99,10 @@ public class RestrictionDefinitionImplTe
@Test
public void testEquals() {
// same definition
- assertEquals(definition, new RestrictionDefinitionImpl(name, PropertyType.NAME, true, definition.getNamePathMapper()));
+ assertEquals(definition, new RestrictionDefinitionImpl(name, Type.NAME, true, definition.getNamePathMapper()));
// same def but different namepathmapper.
- RestrictionDefinition definition2 = new RestrictionDefinitionImpl(name, PropertyType.NAME, true, namePathMapper);
+ RestrictionDefinition definition2 = new RestrictionDefinitionImpl(name, Type.NAME, true, namePathMapper);
assertFalse(definition.getJcrName().equals(definition2.getJcrName()));
assertEquals(definition, definition2);
}
@@ -112,11 +111,11 @@ public class RestrictionDefinitionImplTe
public void testNotEqual() {
List<RestrictionDefinition> defs = new ArrayList<RestrictionDefinition>();
// - different type
- defs.add(new RestrictionDefinitionImpl(name, PropertyType.STRING, true, namePathMapper));
+ defs.add(new RestrictionDefinitionImpl(name, Type.STRING, true, namePathMapper));
// - different name
- defs.add(new RestrictionDefinitionImpl("otherName", PropertyType.NAME, true, namePathMapper));
+ defs.add(new RestrictionDefinitionImpl("otherName", Type.NAME, true, namePathMapper));
// - different mandatory flag
- defs.add(new RestrictionDefinitionImpl(name, PropertyType.NAME, false, namePathMapper));
+ defs.add(new RestrictionDefinitionImpl(name, Type.NAMES, false, namePathMapper));
// - different impl
defs.add(new RestrictionDefinition() {
@Override
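Review bot: The entry commented `// - different mandatory flag` in `testNotEqual` now passes `Type.NAMES` as well as `false`. It therefore differs from `definition` in two attributes and no longer shows that `equals` takes the mandatory flag into account. Keep that entry as `defs.add(new RestrictionDefinitionImpl(name, Type.NAME, false, namePathMapper));` and cover the multi-valued type in its own entry, `defs.add(new RestrictionDefinitionImpl(name, Type.NAMES, true, namePathMapper));`, under a comment like `// - different multi-value status`. The rest of `testNotEqual` lies outside the hunk.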
@@ -128,8 +127,8 @@ public class RestrictionDefinitionImplTe
throw new UnsupportedOperationException();
}
@Override
- public int getRequiredType() {
- return PropertyType.NAME;
+ public Type getRequiredType() {
+ return Type.NAME;
}
@Override
public boolean isMandatory() {
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java Mon May 13 08:58:02 2013
@@ -16,14 +16,8 @@
*/
package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
import java.util.ArrayList;
import java.util.List;
-
import javax.annotation.Nonnull;
import javax.jcr.PropertyType;
import javax.jcr.Value;
@@ -40,6 +34,11 @@ import org.apache.jackrabbit.oak.spi.sec
import org.junit.Before;
import org.junit.Test;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
/**
* Tests for {@link RestrictionImpl}
*/
@@ -76,7 +75,7 @@ public class RestrictionImplTest extends
@Test
public void testGetRequiredType() {
- assertEquals(PropertyType.NAME, restriction.getRequiredType());
+ assertEquals(Type.NAME, restriction.getRequiredType());
}
@Test
@@ -132,8 +131,8 @@ public class RestrictionImplTest extends
throw new UnsupportedOperationException();
}
@Override
- public int getRequiredType() {
- return PropertyType.NAME;
+ public Type getRequiredType() {
+ return Type.NAME;
}
@Override
public boolean isMandatory() {