You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/05/02 16:35:00 UTC
svn commit: r1478389 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/
test/java/org/apache/jackrabbit/oak/security/authorization/
Author: angela
Date: Thu May 2 14:35:00 2013
New Revision: 1478389
URL: http://svn.apache.org/r1478389
Log:
OAK-51 : Access Control Management (backwards compatible handling of "unknown" principals)
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java?rev=1478389&r1=1478388&r2=1478389&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java Thu May 2 14:35:00 2013
@@ -104,10 +104,7 @@ abstract class ACL extends AbstractAcces
getPrivilegeManager().getPrivilege(p.getName());
}
- if (principal == null || !getPrincipalManager().hasPrincipal(principal.getName())) {
- String msg = "Unknown principal " + ((principal == null) ? "null" : principal.getName());
- throw new AccessControlException(msg);
- }
+ AccessControlUtils.checkValidPrincipal(principal, getPrincipalManager());
for (RestrictionDefinition def : getRestrictionProvider().getSupportedRestrictions(getOakPath())) {
if (def.isMandatory() && (restrictions == null || !restrictions.containsKey(def.getJcrName()))) {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1478389&r1=1478388&r2=1478389&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Thu May 2 14:35:00 2013
@@ -16,8 +16,6 @@
*/
package org.apache.jackrabbit.oak.security.authorization;
-import static com.google.common.base.Preconditions.checkNotNull;
-
import java.security.Principal;
import java.text.ParseException;
import java.util.ArrayList;
@@ -28,7 +26,6 @@ import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
-
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
@@ -56,7 +53,6 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
-import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.PropertyValue;
import org.apache.jackrabbit.oak.api.QueryEngine;
@@ -88,6 +84,8 @@ import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import static com.google.common.base.Preconditions.checkNotNull;
+
/**
* Default implementation of the {@code JackrabbitAccessControlManager} interface.
* This implementation covers both editing access control content by path and
@@ -204,13 +202,13 @@ public class AccessControlManagerImpl im
AccessControlPolicy policy = null;
Tree aclTree = getAclTree(oakPath, tree);
if (aclTree == null) {
- if (tree.hasChild(getAclName(oakPath))) {
+ if (tree.hasChild(AccessControlUtils.getAclName(oakPath))) {
// policy child node without tree being access controlled
log.warn("Colliding policy child without node being access controllable ({}).", absPath);
} else {
// create an empty acl unless the node is protected or cannot have
// mixin set (e.g. due to a lock)
- String mixinName = getMixinName(oakPath);
+ String mixinName = AccessControlUtils.getMixinName(oakPath);
if (ntMgr.isNodeType(tree, mixinName) || ntMgr.getEffectiveNodeType(tree).supportsMixin(mixinName)) {
policy = new NodeACL(oakPath);
} else {
@@ -229,7 +227,7 @@ public class AccessControlManagerImpl im
@Override
public void setPolicy(@Nullable String absPath, @Nonnull AccessControlPolicy policy) throws RepositoryException {
String oakPath = getOakPath(absPath);
- checkValidPolicy(oakPath, policy);
+ AccessControlUtils.checkValidPolicy(oakPath, policy);
if (policy instanceof PrincipalACL) {
setPrincipalBasedAcl((PrincipalACL) policy);
@@ -301,7 +299,7 @@ public class AccessControlManagerImpl im
@Override
public void removePolicy(@Nullable String absPath, @Nonnull AccessControlPolicy policy) throws RepositoryException {
String oakPath = getOakPath(absPath);
- checkValidPolicy(oakPath, policy);
+ AccessControlUtils.checkValidPolicy(oakPath, policy);
if (policy instanceof PrincipalACL) {
PrincipalACL principalAcl = (PrincipalACL) policy;
@@ -337,7 +335,7 @@ public class AccessControlManagerImpl im
@Nonnull
@Override
public JackrabbitAccessControlPolicy[] getApplicablePolicies(@Nonnull Principal principal) throws RepositoryException {
- checkValidPrincipal(principal);
+ AccessControlUtils.checkValidPrincipal(principal, principalManager);
String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null;
JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal);
@@ -352,7 +350,7 @@ public class AccessControlManagerImpl im
@Nonnull
@Override
public JackrabbitAccessControlPolicy[] getPolicies(@Nonnull Principal principal) throws RepositoryException {
- checkValidPrincipal(principal);
+ AccessControlUtils.checkValidPrincipal(principal, principalManager);
String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null;
JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal);
@@ -367,7 +365,7 @@ public class AccessControlManagerImpl im
@Nonnull
@Override
public AccessControlPolicy[] getEffectivePolicies(@Nonnull Set<Principal> principals) throws RepositoryException {
- checkValidPrincipals(principals);
+ AccessControlUtils.checkValidPrincipals(principals, principalManager);
Result aceResult = searchAces(principals);
List<AccessControlPolicy> effective = new ArrayList<AccessControlPolicy>();
for (ResultRow row : aceResult.getRows()) {
@@ -453,50 +451,15 @@ public class AccessControlManagerImpl im
}
}
- private static void checkValidPolicy(@Nullable String oakPath, @Nonnull AccessControlPolicy policy) throws AccessControlException {
- if (policy instanceof ACL) {
- String path = ((ACL) policy).getOakPath();
- if ((path == null && oakPath != null) || (path != null && !path.equals(oakPath))) {
- throw new AccessControlException("Invalid access control policy " + policy + ": path mismatch " + oakPath);
- }
- } else {
- throw new AccessControlException("Invalid access control policy " + policy);
- }
- }
-
- private void checkValidPrincipals(@Nullable Set<Principal> principals) throws AccessControlException {
- if (principals == null) {
- throw new AccessControlException("Valid principals expected. Found null.");
- }
- for (Principal principal : principals) {
- checkValidPrincipal(principal);
- }
- }
-
- private void checkValidPrincipal(@Nullable Principal principal) throws AccessControlException {
- String name = (principal == null) ? null : principal.getName();
- if (name == null || !principalManager.hasPrincipal(name)) {
- throw new AccessControlException("Unknown principal " + name);
- }
- }
-
- private boolean isAccessControlled(@Nonnull Tree tree, @Nonnull String nodeTypeName) {
- return ntMgr.isNodeType(tree, nodeTypeName);
- }
-
- private boolean isACE(@Nonnull Tree tree) {
- return tree.exists() && ntMgr.isNodeType(tree, NT_REP_ACE);
- }
-
@CheckForNull
private Tree getAclTree(@Nullable String oakPath, @Nonnull Tree accessControlledTree) {
- if (isAccessControlled(accessControlledTree, getMixinName(oakPath))) {
- Tree policyTree = accessControlledTree.getChild(getAclName(oakPath));
+ if (AccessControlUtils.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
+ String aclName = AccessControlUtils.getAclName(oakPath);
+ Tree policyTree = accessControlledTree.getChild(aclName);
if (policyTree.exists()) {
return policyTree;
}
}
-
return null;
}
@@ -508,10 +471,9 @@ public class AccessControlManagerImpl im
*/
@Nonnull
private Tree createAclTree(@Nullable String oakPath, @Nonnull Tree tree) {
- String mixinName = getMixinName(oakPath);
-
- if (!isAccessControlled(tree, mixinName)) {
+ if (!AccessControlUtils.isAccessControlled(oakPath, tree, ntMgr)) {
PropertyState mixins = tree.getProperty(JcrConstants.JCR_MIXINTYPES);
+ String mixinName = AccessControlUtils.getMixinName(oakPath);
if (mixins == null) {
tree.setProperty(JcrConstants.JCR_MIXINTYPES, Collections.singleton(mixinName), Type.NAMES);
} else {
@@ -520,7 +482,8 @@ public class AccessControlManagerImpl im
tree.setProperty(pb.getPropertyState());
}
}
- return new NodeUtil(tree).addChild(getAclName(oakPath), NT_REP_ACL).getTree();
+ String aclName = AccessControlUtils.getAclName(oakPath);
+ return new NodeUtil(tree).addChild(aclName, NT_REP_ACL).getTree();
}
@CheckForNull
@@ -528,15 +491,15 @@ public class AccessControlManagerImpl im
@Nonnull Tree accessControlledTree,
boolean isReadOnly) throws RepositoryException {
JackrabbitAccessControlList acl = null;
- String aclName = getAclName(oakPath);
- String mixinName = getMixinName(oakPath);
+ String aclName = AccessControlUtils.getAclName(oakPath);
+ String mixinName = AccessControlUtils.getMixinName(oakPath);
- if (accessControlledTree.exists() && isAccessControlled(accessControlledTree, mixinName)) {
+ if (accessControlledTree.exists() && AccessControlUtils.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
Tree aclTree = accessControlledTree.getChild(aclName);
if (aclTree.exists()) {
List<JackrabbitAccessControlEntry> entries = new ArrayList<JackrabbitAccessControlEntry>();
for (Tree child : aclTree.getChildren()) {
- if (isACE(child)) {
+ if (AccessControlUtils.isACE(child, ntMgr)) {
entries.add(createACE(oakPath, child, restrictionProvider));
}
}
@@ -558,7 +521,7 @@ public class AccessControlManagerImpl im
List<JackrabbitAccessControlEntry> entries = new ArrayList<JackrabbitAccessControlEntry>();
for (ResultRow row : aceResult.getRows()) {
Tree aceTree = root.getTree(row.getPath());
- if (isACE(aceTree)) {
+ if (AccessControlUtils.isACE(aceTree, ntMgr)) {
String aclPath = Text.getRelativeParent(aceTree.getPath(), 1);
String path;
if (aclPath.endsWith(REP_REPO_POLICY)) {
@@ -621,7 +584,7 @@ public class AccessControlManagerImpl im
@Nonnull JackrabbitAccessControlEntry ace,
@Nonnull RestrictionProvider rProvider) throws RepositoryException {
boolean isAllow = ace.isAllow();
- String nodeName = generateAceName(aclTree, isAllow);
+ String nodeName = AccessControlUtils.generateAceName(aclTree, isAllow);
String ntName = (isAllow) ? NT_REP_GRANT_ACE : NT_REP_DENY_ACE;
NodeUtil aceNode = new NodeUtil(aclTree).addChild(nodeName, ntName);
@@ -724,35 +687,6 @@ public class AccessControlManagerImpl im
}
}
- @Nonnull
- private static String getMixinName(@Nullable String oakPath) {
- return (oakPath == null) ? MIX_REP_REPO_ACCESS_CONTROLLABLE : MIX_REP_ACCESS_CONTROLLABLE;
- }
-
- @Nonnull
- private static String getAclName(@Nullable String oakPath) {
- return (oakPath == null) ? REP_REPO_POLICY : REP_POLICY;
- }
-
- /**
- * Create a unique valid name for the Permission nodes to be save.
- *
- * @param aclTree The acl for which a new ACE name should be generated.
- * @param isAllow If the ACE is allowing or denying.
- * @return the name of the ACE node.
- */
- @Nonnull
- private static String generateAceName(@Nonnull Tree aclTree, boolean isAllow) {
- int i = 0;
- String hint = (isAllow) ? "allow" : "deny";
- String aceName = hint;
- while (aclTree.hasChild(aceName)) {
- aceName = hint + i;
- i++;
- }
- return aceName;
- }
-
//--------------------------------------------------------------------------
// TODO review again
private class NodeACL extends ACL {
Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java?rev=1478389&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java Thu May 2 14:35:00 2013
@@ -0,0 +1,110 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization;
+
+import java.security.Principal;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlPolicy;
+
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * AccessControlUtils... TODO
+ */
+public final class AccessControlUtils extends org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils implements AccessControlConstants {
+
+ /**
+ * logger instance
+ */
+ private static final Logger log = LoggerFactory.getLogger(AccessControlUtils.class);
+
+ public static void checkValidPrincipal(Principal principal, PrincipalManager principalManager) throws AccessControlException {
+ String name = (principal == null) ? null : principal.getName();
+ if (name == null || name.isEmpty()) {
+ throw new AccessControlException("Invalid principal " + name);
+ }
+ if (!(principal instanceof PrincipalImpl) && !principalManager.hasPrincipal(name)) {
+ throw new AccessControlException("Unknown principal " + name);
+ }
+ }
+
+ public static void checkValidPrincipals(@Nullable Set<Principal> principals, PrincipalManager principalManager) throws AccessControlException {
+ if (principals == null) {
+ throw new AccessControlException("Valid principals expected. Found null.");
+ }
+ for (Principal principal : principals) {
+ AccessControlUtils.checkValidPrincipal(principal, principalManager);
+ }
+ }
+
+ public static void checkValidPolicy(@Nullable String oakPath, @Nonnull AccessControlPolicy policy) throws AccessControlException {
+ if (policy instanceof ACL) {
+ String path = ((ACL) policy).getOakPath();
+ if ((path == null && oakPath != null) || (path != null && !path.equals(oakPath))) {
+ throw new AccessControlException("Invalid access control policy " + policy + ": path mismatch " + oakPath);
+ }
+ } else {
+ throw new AccessControlException("Invalid access control policy " + policy);
+ }
+ }
+
+ public static boolean isAccessControlled(String oakPath, @Nonnull Tree tree, @Nonnull ReadOnlyNodeTypeManager ntMgr) {
+ String mixinName = getMixinName(oakPath);
+ return ntMgr.isNodeType(tree, mixinName);
+ }
+
+ public static boolean isACE(@Nonnull Tree tree, @Nonnull ReadOnlyNodeTypeManager ntMgr) {
+ return tree.exists() && ntMgr.isNodeType(tree, NT_REP_ACE);
+ }
+
+ @Nonnull
+ public static String getMixinName(@Nullable String oakPath) {
+ return (oakPath == null) ? MIX_REP_REPO_ACCESS_CONTROLLABLE : MIX_REP_ACCESS_CONTROLLABLE;
+ }
+
+ @Nonnull
+ public static String getAclName(@Nullable String oakPath) {
+ return (oakPath == null) ? REP_REPO_POLICY : REP_POLICY;
+ }
+
+ /**
+ * Create a unique valid name for the Permission nodes to be save.
+ *
+ * @param aclTree The acl for which a new ACE name should be generated.
+ * @param isAllow If the ACE is allowing or denying.
+ * @return the name of the ACE node.
+ */
+ @Nonnull
+ public static String generateAceName(@Nonnull Tree aclTree, boolean isAllow) {
+ int i = 0;
+ String hint = (isAllow) ? "allow" : "deny";
+ String aceName = hint;
+ while (aclTree.hasChild(aceName)) {
+ aceName = hint + i;
+ i++;
+ }
+ return aceName;
+ }
+}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java?rev=1478389&r1=1478388&r2=1478389&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java Thu May 2 14:35:00 2013
@@ -132,7 +132,7 @@ public class ACLTest extends AbstractAcc
@Test
public void testAddInvalidEntry() throws Exception {
- Principal unknownPrincipal = new PrincipalImpl("unknown");
+ Principal unknownPrincipal = new InvalidPrincipal("unknown");
try {
acl.addAccessControlEntry(unknownPrincipal, privilegesFromNames(JCR_READ));
fail("Adding an ACE with an unknown principal should fail");
@@ -142,6 +142,12 @@ public class ACLTest extends AbstractAcc
}
@Test
+ public void testAddEntryWithOakPrincipal() throws Exception {
+ Principal oakPrincipal = new PrincipalImpl("name");
+ acl.addAccessControlEntry(oakPrincipal, privilegesFromNames(JCR_READ));
+ }
+
+ @Test
public void testAddEntryWithoutPrivilege() throws Exception {
try {
acl.addAccessControlEntry(testPrincipal, new Privilege[0]);
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java?rev=1478389&r1=1478388&r2=1478389&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java Thu May 2 14:35:00 2013
@@ -16,14 +16,6 @@
*/
package org.apache.jackrabbit.oak.security.authorization;
-import static org.junit.Assert.assertArrayEquals;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
@@ -34,7 +26,6 @@ import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
-
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.AccessDeniedException;
@@ -81,6 +72,14 @@ import org.junit.After;
import org.junit.Before;
import org.junit.Test;
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
/**
* Tests for the default {@code AccessControlManager} implementation.
*/
@@ -1340,7 +1339,7 @@ public class AccessControlManagerImplTes
while (unknown != null) {
unknown = getPrincipalManager().getPrincipal("unknown"+i);
}
- unknown = new PrincipalImpl("unknown" + i);
+ unknown = new InvalidPrincipal("unknown" + i);
try {
acMgr.getApplicablePolicies(unknown);
fail("Unknown principal should be detected.");
@@ -1350,6 +1349,18 @@ public class AccessControlManagerImplTes
}
@Test
+ public void testGetApplicablePoliciesInternalPrincipal() throws Exception {
+ Principal unknown = getPrincipalManager().getPrincipal("unknown");
+ int i = 0;
+ while (unknown != null) {
+ unknown = getPrincipalManager().getPrincipal("unknown"+i);
+ }
+ unknown = new PrincipalImpl("unknown" + i);
+
+ assertEquals(1, acMgr.getApplicablePolicies(unknown).length);
+ }
+
+ @Test
public void testGetApplicablePoliciesByPrincipal() throws Exception {
List<Principal> principals = ImmutableList.of(testPrincipal, EveryonePrincipal.getInstance());
for (Principal principal : principals) {
@@ -1390,22 +1401,12 @@ public class AccessControlManagerImplTes
List<Principal> principals = ImmutableList.of(testPrincipal, EveryonePrincipal.getInstance());
for (Principal principal : principals) {
- if (testPrincipalMgr.hasPrincipal(principal.getName())) {
- // testRoot can't read access control content -> doesn't see
- // the existing policies and creates a new applicable policy.
- AccessControlPolicy[] applicable = testAcMgr.getApplicablePolicies(principal);
- assertNotNull(applicable);
- assertEquals(1, applicable.length);
- assertTrue(applicable[0] instanceof ACL);
- } else {
- // testRoot can't read principal -> exception expected
- try {
- testAcMgr.getApplicablePolicies(principal);
- fail();
- } catch (AccessControlException e) {
- // success
- }
- }
+ // testRoot can't read access control content -> doesn't see
+ // the existing policies and creates a new applicable policy.
+ AccessControlPolicy[] applicable = testAcMgr.getApplicablePolicies(principal);
+ assertNotNull(applicable);
+ assertEquals(1, applicable.length);
+ assertTrue(applicable[0] instanceof ACL);
}
}
@@ -1427,7 +1428,7 @@ public class AccessControlManagerImplTes
while (unknown != null) {
unknown = getPrincipalManager().getPrincipal("unknown"+i);
}
- unknown = new PrincipalImpl("unknown" + i);
+ unknown = new InvalidPrincipal("unknown" + i);
try {
acMgr.getPolicies(unknown);
fail("Unknown principal should be detected.");
@@ -1437,6 +1438,17 @@ public class AccessControlManagerImplTes
}
@Test
+ public void testGetPoliciesInternalPrincipal() throws Exception {
+ Principal unknown = getPrincipalManager().getPrincipal("unknown");
+ int i = 0;
+ while (unknown != null) {
+ unknown = getPrincipalManager().getPrincipal("unknown"+i);
+ }
+ unknown = new PrincipalImpl("unknown" + i);
+ assertEquals(0, acMgr.getPolicies(unknown).length);
+ }
+
+ @Test
public void testGetPoliciesByPrincipal() throws Exception {
List<Principal> principals = ImmutableList.of(testPrincipal, EveryonePrincipal.getInstance());
for (Principal principal : principals) {
@@ -1482,13 +1494,8 @@ public class AccessControlManagerImplTes
assertNotNull(policies);
assertEquals(0, policies.length);
} else {
- // testRoot can't read principal -> exception expected
- try {
- testAcMgr.getApplicablePolicies(principal);
- fail();
- } catch (AccessControlException e) {
- // success
- }
+ // testRoot can't read principal -> no policies for that principal
+ assertEquals(0, testAcMgr.getPolicies(principal).length);
}
}
}
@@ -1518,7 +1525,7 @@ public class AccessControlManagerImplTes
while (unknown != null) {
unknown = getPrincipalManager().getPrincipal("unknown"+i);
}
- unknown = new PrincipalImpl("unknown" + i);
+ unknown = new InvalidPrincipal("unknown" + i);
try {
acMgr.getEffectivePolicies(Collections.singleton(unknown));
fail("Unknown principal should be detected.");
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java?rev=1478389&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java Thu May 2 14:35:00 2013
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization;
+
+import java.security.Principal;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * InvalidPrincipal... TODO
+ */
+public final class InvalidPrincipal implements Principal {
+
+ private final String name;
+
+ public InvalidPrincipal(String name) {
+ this.name = name;
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+}
\ No newline at end of file