Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/12/04 15:50:00 UTC

svn commit: r1547811 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/ oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/

Author: angela
Date: Wed Dec  4 14:49:59 2013
New Revision: 1547811

URL: http://svn.apache.org/r1547811
Log:
OAK-1183 : UserQuery: Impersonators Constraint does not work for admin user

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/UserQueryManager.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/UserQueryManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/UserQueryManager.java?rev=1547811&r1=1547810&r2=1547811&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/UserQueryManager.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/UserQueryManager.java Wed Dec  4 14:49:59 2013
@@ -99,7 +99,7 @@ public class UserQueryManager {
         }
 
         StringBuilder statement = new StringBuilder();
-        ConditionVisitor visitor = new XPathConditionVisitor(statement, namePathMapper);
+        ConditionVisitor visitor = new XPathConditionVisitor(statement, namePathMapper, userManager);
 
         String searchRoot = namePathMapper.getJcrPath(QueryUtil.getSearchRoot(builder.getSelectorType(), config));
         String ntName = namePathMapper.getJcrName(QueryUtil.getNodeTypeName(builder.getSelectorType()));

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java?rev=1547811&r1=1547810&r2=1547811&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java Wed Dec  4 14:49:59 2013
@@ -18,7 +18,12 @@ package org.apache.jackrabbit.oak.securi
 
 import javax.jcr.RepositoryException;
 
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
 
 /**
@@ -28,10 +33,13 @@ class XPathConditionVisitor implements C
 
     private final StringBuilder statement;
     private final NamePathMapper namePathMapper;
+    private final UserManager userMgr;
 
-    XPathConditionVisitor(StringBuilder statement, NamePathMapper namePathMapper) {
+    XPathConditionVisitor(StringBuilder statement, NamePathMapper namePathMapper,
+                          UserManager userMgr) {
         this.statement = statement;
         this.namePathMapper = namePathMapper;
+        this.userMgr = userMgr;
     }
 
     //---------------------------------------------------< ConditionVisitor >---
@@ -79,9 +87,27 @@ class XPathConditionVisitor implements C
 
     @Override
     public void visit(Condition.Impersonation condition) {
-        statement.append("@rep:impersonators='")
-                .append(condition.getName())
-                .append('\'');
+        String principalName = condition.getName();
+        boolean isAdmin = false;
+        try {
+            Authorizable authorizable = userMgr.getAuthorizable(new PrincipalImpl(principalName));
+            isAdmin = authorizable != null && !authorizable.isGroup() && ((User) authorizable).isAdmin();
+        } catch (RepositoryException e) {
+            // unable to retrieve authorizable
+        }
+        if (isAdmin) {
+            statement.append('@')
+                    .append(namePathMapper.getJcrName(JcrConstants.JCR_PRIMARYTYPE))
+                    .append("='")
+                    .append(namePathMapper.getJcrName(UserConstants.NT_REP_USER))
+                    .append('\'');
+        } else {
+            statement.append('@')
+                    .append(namePathMapper.getJcrName(UserConstants.REP_IMPERSONATORS))
+                    .append("='")
+                    .append(condition.getName())
+                    .append('\'');
+        }
     }
 
     @Override
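Review bot: In the non-admin branch of `visit(Condition.Impersonation)` the principal name is still appended between single quotes without escaping, so a name containing `'` ends the string literal early and changes the constraint of the generated XPath statement. Escape the value before appending it, e.g. `.append(principalName.replace("'", "''"))`, or use the project's own query-escaping helper if one exists, and reuse the `principalName` local instead of calling `condition.getName()` a second time. The empty `catch (RepositoryException e)` also hides lookup failures: `isAdmin` stays false and the query silently falls back to the `rep:impersonators` comparison, which per the commit log does not work for the admin principal. At minimum log the failure, e.g. `log.debug("Unable to look up authorizable for impersonation condition", e);` (assuming a logger is available in this class), or consider propagating it.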

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java?rev=1547811&r1=1547810&r2=1547811&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java Wed Dec  4 14:49:59 2013
@@ -34,6 +34,7 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.api.security.user.Query;
 import org.apache.jackrabbit.api.security.user.QueryBuilder;
 import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
 import org.junit.Test;
 
@@ -602,7 +603,22 @@ public class UserQueryTest extends Abstr
 
         Iterator<User> expected = Iterators.singletonIterator(elephant);
         assertTrue(result.hasNext());
-        assertSameElements(result, expected);
+        assertSameElements(expected, result);
+    }
+
+    @Test
+    public void testAdminImpersonation() throws Exception {
+        final String adminPrincipalName = userMgr.getAuthorizable(superuser.getUserID()).getPrincipal().getName();
+        Iterator<Authorizable> result = userMgr.findAuthorizables(new Query() {
+            public <T> void build(QueryBuilder<T> builder) {
+                builder.setCondition(builder.
+                        impersonates(adminPrincipalName));
+            }
+        });
+
+        Iterator<Authorizable> expected = userMgr.findAuthorizables("rep:principalName", null, UserManager.SEARCH_TYPE_USER);
+        assertTrue(result.hasNext());
+        assertSameElements(expected, result);
     }
 
     @Test
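Review bot: `testAdminImpersonation` exercises only the admin branch of the impersonation condition, so the two cases most likely to regress in the new visitor code are not pinned. Add one case where the principal resolves to a group or to no authorizable at all, asserting that the `rep:impersonators` comparison is still used. Add another with a principal name containing a single quote, asserting that the query matches nothing rather than failing to parse or returning a wider set. Separately, `userMgr.getAuthorizable(superuser.getUserID())` is dereferenced without a null check; an `assertNotNull` on it would turn a setup problem into a clear failure instead of a `NullPointerException`.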