Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2019/06/12 12:22:31 UTC
svn commit: r1861116 - in
/jackrabbit/oak/trunk/oak-authorization-principalbased/src:
main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/
test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/
Author: angela
Date: Wed Jun 12 12:22:31 2019
New Revision: 1861116
URL: http://svn.apache.org/viewvc?rev=1861116&view=rev
Log:
OAK-8391 : Create AggregationFilter implementation
Added:
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AggregationFilterImpl.java (with props)
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AggregationFilterImplTest.java (with props)
Modified:
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Constants.java
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfiguration.java
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationOsgiTest.java
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationTest.java
Added: jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AggregationFilterImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AggregationFilterImpl.java?rev=1861116&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AggregationFilterImpl.java (added)
+++ jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AggregationFilterImpl.java Wed Jun 12 12:22:31 2019
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregationFilter;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlManager;
+import java.security.Principal;
+import java.util.Set;
+
+public class AggregationFilterImpl implements AggregationFilter {
+
+ private static final Logger log = LoggerFactory.getLogger(AggregationFilterImpl.class);
+
+ @Override
+ public boolean stop(@NotNull AggregatedPermissionProvider permissionProvider, @NotNull Set<Principal> principals) {
+ // validation of principals already took place before creating 'PrincipalBasedPermissionProvider'
+ return permissionProvider instanceof PrincipalBasedPermissionProvider;
+ }
+
+ @Override
+ public boolean stop(@NotNull JackrabbitAccessControlManager accessControlManager, @NotNull Set<Principal> principals) {
+ try {
+ return accessControlManager instanceof PrincipalBasedAccessControlManager && ((PrincipalBasedAccessControlManager) accessControlManager).canHandle(principals);
+ } catch (AccessControlException e) {
+ return false;
+ }
+ }
+
+ @Override
+ public boolean stop(@NotNull AccessControlManager accessControlManager, @Nullable String absPath) {
+ return false;
+ }
+}
\ No newline at end of file
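Review bot: The `catch (AccessControlException e)` branch in `stop(JackrabbitAccessControlManager, Set<Principal>)` discards the exception, and the `log` field this class declares is never used. Returning `false` presumably keeps aggregation going, which is the conservative outcome, but the reason a principal set was rejected is lost; add `log.debug("Cannot handle principals {}: {}", principals, e.getMessage());` before `return false;`. The first overload ignores its `principals` argument and decides on the provider type alone, so its inline comment should name where that validation happens. The public class also has no Javadoc stating that a `true` result ends evaluation with this module.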
Propchange: jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AggregationFilterImpl.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Constants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Constants.java?rev=1861116&r1=1861115&r2=1861116&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Constants.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Constants.java Wed Jun 12 12:22:31 2019
@@ -69,4 +69,9 @@ interface Constants {
* null to {@code AccessControlManager.getEffectivePolicies(String)}.
*/
String REPOSITORY_PERMISSION_PATH = "";
+
+ /**
+ * Name of the optional configuration parameter to enable the {@code AggregationFilter} for this model.
+ */
+ String PARAM_ENABLE_AGGREGATION_FILTER = "enableAggregationFilter";
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java?rev=1861116&r1=1861115&r2=1861116&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java Wed Jun 12 12:22:31 2019
@@ -67,7 +67,6 @@ import javax.jcr.security.Privilege;
import java.security.Principal;
import java.text.ParseException;
import java.util.ArrayList;
-import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
@@ -270,7 +269,6 @@ class PrincipalBasedAccessControlManager
}
//--------------------------------------------------------------------------
-
/**
* Validate the specified {@code principal} taking the configured
* {@link ImportBehavior} into account.
@@ -300,7 +298,7 @@ class PrincipalBasedAccessControlManager
return filter.canHandle(Collections.singleton(principal));
}
- private boolean canHandle(@NotNull Collection<Principal> principals) throws AccessControlException {
+ boolean canHandle(@NotNull Set<Principal> principals) throws AccessControlException {
for (Principal principal : principals) {
if (!canHandle(principal)) {
return false;
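Review bot: `canHandle(Set<Principal>)` is now package-visible and feeds the decision in `AggregationFilterImpl.stop(JackrabbitAccessControlManager, Set)`, yet nothing in the visible lines rejects an empty set. The end of the method lies outside this hunk; if the loop falls through to `return true`, an empty principal set would make the filter report that aggregation can stop. Consider a guard such as `if (principals.isEmpty()) { return false; }` ahead of the loop. A Javadoc on the method should state the result for an empty set and when `AccessControlException` is thrown.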
Modified: jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfiguration.java?rev=1861116&r1=1861115&r2=1861116&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfiguration.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfiguration.java Wed Jun 12 12:22:31 2019
@@ -31,12 +31,14 @@ import org.apache.jackrabbit.oak.spi.lif
import org.apache.jackrabbit.oak.spi.mount.Mount;
import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.spi.security.CompositeConfiguration;
import org.apache.jackrabbit.oak.spi.security.ConfigurationBase;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregationFilter;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter;
@@ -47,8 +49,11 @@ import org.apache.jackrabbit.oak.spi.sta
import org.apache.jackrabbit.oak.spi.state.NodeStore;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
import org.jetbrains.annotations.NotNull;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
@@ -62,11 +67,12 @@ import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.Collections;
+import java.util.Hashtable;
import java.util.List;
-import java.util.Map;
import java.util.Set;
import static org.apache.jackrabbit.oak.spi.security.RegistrationConstants.OAK_SECURITY_NAME;
+import static org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.Constants.PARAM_ENABLE_AGGREGATION_FILTER;
@Component(
service = {AuthorizationConfiguration.class, SecurityConfiguration.class},
@@ -80,6 +86,11 @@ public class PrincipalBasedAuthorization
name = "Ranking",
description = "Ranking of this configuration in a setup with multiple authorization configurations.")
int configurationRanking() default 500;
+
+ @AttributeDefinition(
+ name = "Enable AggregationFilter",
+ description = "If enabled effective permission evaluation will stop after this module.")
+ boolean enableAggregationFilter() default false;
}
/**
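Review bot: The description of `enableAggregationFilter` does not tell an operator what is skipped when the flag is on. Judging by `testEnableAggregationFilter` in this commit, a principal set handled by this module then gets only the principal-based permission provider, so other authorization modules are not consulted for it. A wording such as `description = "If enabled, permission evaluation for principals supported by this module stops here and other authorization modules are not consulted."` makes that consequence explicit.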
@@ -92,6 +103,8 @@ public class PrincipalBasedAuthorization
*/
private MountInfoProvider mountInfoProvider;
+ private ServiceRegistration aggregationFilterRegistration;
+
@SuppressWarnings("UnusedDeclaration")
public PrincipalBasedAuthorizationConfiguration() {
super();
@@ -168,14 +181,24 @@ public class PrincipalBasedAuthorization
//----------------------------------------------------< SCR Integration >---
@Activate
- public void activate(@NotNull Configuration configuration, @NotNull Map<String, Object> properties) {
+ public void activate(@NotNull BundleContext context, @NotNull Configuration configuration) {
checkConflictingMount();
- setParameters(ConfigurationParameters.of(properties));
+ setParameters(ConfigurationParameters.of(CompositeConfiguration.PARAM_RANKING, configuration.configurationRanking(), PARAM_ENABLE_AGGREGATION_FILTER, configuration.enableAggregationFilter()));
+ if (configuration.enableAggregationFilter()) {
+ registerAggregationFilter(context);
+ } else {
+ unregisterAggregationFilter();
+ }
}
@Modified
- public void modified(@NotNull Configuration configuration, @NotNull Map<String, Object> properties) {
- activate(configuration, properties);
+ public void modified(@NotNull BundleContext context, @NotNull Configuration configuration) {
+ activate(context, configuration);
+ }
+
+ @Deactivate
+ public void deactivate(@NotNull BundleContext context, @NotNull Configuration configuration) {
+ unregisterAggregationFilter();
}
@Reference(name = "filterProvider", cardinality = ReferenceCardinality.MANDATORY)
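Review bot: `activate` now builds the parameters from the two typed `Configuration` values only, so any other component property that used to arrive through the `properties` map is dropped, and no comment says this is intended. A line such as `// only ranking and the aggregation-filter flag are exposed as parameters; other component properties are ignored` above `setParameters(...)` would record that. `deactivate` declares `context` and `configuration` but uses neither; unless callers outside this hunk need that signature, a no-argument `deactivate()` reads cleaner, with the call in `testDeactivate` adjusted to match.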
@@ -232,4 +255,17 @@ public class PrincipalBasedAuthorization
}
return false;
}
+
+ private void registerAggregationFilter(@NotNull BundleContext context) {
+ if (aggregationFilterRegistration == null) {
+ aggregationFilterRegistration = context.registerService(AggregationFilter.class.getName(), new AggregationFilterImpl(), new Hashtable());
+ }
+ }
+
+ private void unregisterAggregationFilter() {
+ if (aggregationFilterRegistration != null) {
+ aggregationFilterRegistration.unregister();
+ aggregationFilterRegistration = null;
+ }
+ }
}
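Review bot: `registerAggregationFilter` passes a raw `Hashtable` and assigns a field declared as raw `ServiceRegistration`, which produces unchecked warnings and hides the service type. The typed overload avoids both: `aggregationFilterRegistration = context.registerService(AggregationFilter.class, new AggregationFilterImpl(), null);` with the field declared as `ServiceRegistration<AggregationFilter>`. The mocks in `PrincipalBasedAuthorizationConfigurationTest` match `registerService(anyString(), ..., any(Hashtable.class))` and would have to follow. In `unregisterAggregationFilter`, clearing the field before calling `unregister()` would keep the state consistent if `unregister()` throws `IllegalStateException` for a registration that is already gone.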
Added: jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AggregationFilterImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AggregationFilterImplTest.java?rev=1861116&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AggregationFilterImplTest.java (added)
+++ jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AggregationFilterImplTest.java Wed Jun 12 12:22:31 2019
@@ -0,0 +1,103 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.junit.Before;
+import org.junit.Test;
+
+import javax.jcr.security.AccessControlManager;
+import java.security.Principal;
+import java.util.Set;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+
+public class AggregationFilterImplTest extends AbstractPrincipalBasedTest{
+
+ private AggregationFilterImpl aggregationFilter;
+ private Set<Principal> systemUserPrincipals;
+ private Set<Principal> testUserPrincipals;
+
+ @Before
+ public void before() throws Exception {
+ super.before();
+
+ aggregationFilter = new AggregationFilterImpl();
+ systemUserPrincipals = ImmutableSet.of(getTestSystemUser().getPrincipal());
+ testUserPrincipals = ImmutableSet.of(getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
+ }
+
+ @Test
+ public void testStopPermissionProviderTrue() {
+ assertTrue(aggregationFilter.stop(createPermissionProvider(root, systemUserPrincipals.toArray(new Principal[0])), systemUserPrincipals));
+ }
+
+ @Test
+ public void testStopPermissionProviderFalse() {
+ assertFalse(aggregationFilter.stop(mock(AggregatedPermissionProvider.class), systemUserPrincipals));
+ assertFalse(aggregationFilter.stop(mock(AggregatedPermissionProvider.class), testUserPrincipals));
+
+ PermissionProvider pp = getConfig(AuthorizationConfiguration.class).getPermissionProvider(root, adminSession.getWorkspaceName(), systemUserPrincipals);
+ if (pp instanceof AggregatedPermissionProvider) {
+ assertFalse(aggregationFilter.stop((AggregatedPermissionProvider) pp, systemUserPrincipals));
+ }
+
+ pp = getConfig(AuthorizationConfiguration.class).getPermissionProvider(root, adminSession.getWorkspaceName(), testUserPrincipals);
+ if (pp instanceof AggregatedPermissionProvider) {
+ assertFalse(aggregationFilter.stop((AggregatedPermissionProvider) pp, testUserPrincipals));
+ }
+ }
+
+ @Test
+ public void testStopAcMgrPrincipalsTrue() {
+ assertTrue(aggregationFilter.stop(createAccessControlManager(root), systemUserPrincipals));
+ }
+
+ @Test
+ public void testStopAcMgrPrincipalsFalse() {
+ assertFalse(aggregationFilter.stop(mock(JackrabbitAccessControlManager.class), systemUserPrincipals));
+ assertFalse(aggregationFilter.stop(mock(JackrabbitAccessControlManager.class), testUserPrincipals));
+
+ assertFalse(aggregationFilter.stop(createAccessControlManager(root), testUserPrincipals));
+
+ AccessControlManager acMgr = getConfig(AuthorizationConfiguration.class).getAccessControlManager(root, getNamePathMapper());
+ if (acMgr instanceof JackrabbitAccessControlManager) {
+ assertFalse(aggregationFilter.stop((JackrabbitAccessControlManager) acMgr, systemUserPrincipals));
+ }
+ }
+
+ @Test
+ public void testStopAcMgrPrincipalsInvalid() {
+ assertFalse(aggregationFilter.stop(createAccessControlManager(root), ImmutableSet.of(new PrincipalImpl("invalid"))));
+ }
+
+ @Test
+ public void testStopAcMgrPath() {
+ assertFalse(aggregationFilter.stop(createAccessControlManager(root), PathUtils.ROOT_PATH));
+ assertFalse(aggregationFilter.stop(createAccessControlManager(root), SUPPORTED_PATH));
+ assertFalse(aggregationFilter.stop(getConfig(AuthorizationConfiguration.class).getAccessControlManager(root, getNamePathMapper()), SUPPORTED_PATH));
+ }
+}
\ No newline at end of file
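Review bot: In `testStopPermissionProviderFalse` and `testStopAcMgrPrincipalsFalse` the assertions against the configured provider and manager sit inside `if (... instanceof ...)` blocks, so they are silently skipped when the type check fails and the test still passes. Assert the type first, e.g. `assertTrue(pp instanceof AggregatedPermissionProvider);`, and then call `stop`. An empty principal set is not covered for either `stop` overload. Assuming `false` is the intended answer, a case such as `assertFalse(aggregationFilter.stop(createAccessControlManager(root), ImmutableSet.of()));` would pin that behaviour.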
Propchange: jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AggregationFilterImplTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationOsgiTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationOsgiTest.java?rev=1861116&r1=1861115&r2=1861116&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationOsgiTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationOsgiTest.java Wed Jun 12 12:22:31 2019
@@ -17,31 +17,41 @@
package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.composite.MountInfoProviderService;
+import org.apache.jackrabbit.oak.plugins.tree.impl.RootProviderService;
+import org.apache.jackrabbit.oak.plugins.tree.impl.TreeProviderService;
+import org.apache.jackrabbit.oak.security.authentication.AuthenticationConfigurationImpl;
+import org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl;
+import org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration;
+import org.apache.jackrabbit.oak.security.authorization.permission.PermissionProviderImpl;
+import org.apache.jackrabbit.oak.security.internal.SecurityProviderRegistration;
+import org.apache.jackrabbit.oak.security.principal.PrincipalConfigurationImpl;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeConfigurationImpl;
+import org.apache.jackrabbit.oak.security.user.UserConfigurationImpl;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregationFilter;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
+import org.apache.jackrabbit.oak.stats.StatisticsProvider;
import org.apache.jackrabbit.util.Text;
import org.apache.sling.testing.mock.osgi.ReferenceViolationException;
import org.apache.sling.testing.mock.osgi.junit.OsgiContext;
-import org.jetbrains.annotations.NotNull;
import org.junit.Rule;
import org.junit.Test;
-import static org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.AbstractPrincipalBasedTest.SUPPORTED_PATH;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
-public class PrincipalBasedAuthorizationConfigurationOsgiTest {
+public class PrincipalBasedAuthorizationConfigurationOsgiTest extends AbstractPrincipalBasedTest {
@Rule
public final OsgiContext context = new OsgiContext();
private final PrincipalBasedAuthorizationConfiguration pbac = new PrincipalBasedAuthorizationConfiguration();
- @NotNull
- protected PrincipalBasedAuthorizationConfiguration initPrincipalBasedAuthorizationConfiguration() {
- // create instance without binding mandatory references
- return new PrincipalBasedAuthorizationConfiguration();
- }
-
@Test(expected = ReferenceViolationException.class)
public void testMissingMandatoryReferences() {
context.registerInjectActivateService(pbac, ImmutableMap.of());
@@ -106,4 +116,36 @@ public class PrincipalBasedAuthorization
context.registerInjectActivateService(pbac, ImmutableMap.of());
}
+
+ @Test
+ public void testEnableAggregationFilter() throws Exception {
+ context.registerInjectActivateService(new FilterProviderImpl(), ImmutableMap.of("path", SUPPORTED_PATH));
+ context.registerInjectActivateService(new MountInfoProviderService(), ImmutableMap.of("mountedPaths", new String[] {"/etc", "/var/some/mount", UserConstants.DEFAULT_GROUP_PATH}));
+
+ context.registerInjectActivateService(pbac, ImmutableMap.of(Constants.PARAM_ENABLE_AGGREGATION_FILTER, true));
+ assertNotNull(context.getService(AggregationFilter.class));
+
+ context.registerInjectActivateService(new AuthorizationConfigurationImpl());
+ context.registerInjectActivateService(new AuthenticationConfigurationImpl());
+ context.registerInjectActivateService(new UserConfigurationImpl());
+ context.registerInjectActivateService(new PrivilegeConfigurationImpl());
+ context.registerInjectActivateService(new PrincipalConfigurationImpl());
+ context.registerInjectActivateService(new RootProviderService());
+ context.registerInjectActivateService(new TreeProviderService());
+ context.registerService(StatisticsProvider.class, StatisticsProvider.NOOP);
+
+ context.registerInjectActivateService(new SecurityProviderRegistration(), ImmutableMap.of("requiredServicePids", new String[0]));
+ SecurityProvider securityProvider = context.getService(SecurityProvider.class);
+ assertNotNull(securityProvider);
+
+ AuthorizationConfiguration ac = securityProvider.getConfiguration(AuthorizationConfiguration.class);
+ assertTrue(ac instanceof CompositeAuthorizationConfiguration);
+ assertEquals(2, ((CompositeAuthorizationConfiguration) ac).getConfigurations().size());
+
+ PermissionProvider pp = ac.getPermissionProvider(root, adminSession.getWorkspaceName(), ImmutableSet.of(getTestSystemUser().getPrincipal()));
+ assertTrue(pp instanceof PrincipalBasedPermissionProvider);
+
+ pp = ac.getPermissionProvider(root, adminSession.getWorkspaceName(), ImmutableSet.of(getTestUser().getPrincipal()));
+ assertTrue(pp instanceof PermissionProviderImpl);
+ }
}
\ No newline at end of file
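Review bot: `testEnableAggregationFilter` covers only the enabled case; nothing in this hunk checks that no `AggregationFilter` service is registered when the component is activated with its default configuration. Since the flag narrows permission evaluation, a companion test should guard the default by activating `pbac` with `ImmutableMap.of()` and asserting `assertNull(context.getService(AggregationFilter.class));`. That needs the matching `assertNull` static import. Other tests of this class lie outside the hunk and may already cover this.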
Modified: jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationTest.java?rev=1861116&r1=1861115&r2=1861116&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationTest.java (original)
+++ jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationTest.java Wed Jun 12 12:22:31 2019
@@ -16,7 +16,6 @@
*/
package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
-import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
@@ -30,6 +29,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregationFilter;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter;
@@ -39,11 +39,14 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.state.ReadOnlyBuilder;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
import org.junit.Test;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceRegistration;
import javax.jcr.nodetype.NodeTypeManager;
import javax.jcr.security.AccessControlManager;
import java.lang.reflect.Field;
import java.security.Principal;
+import java.util.Hashtable;
import java.util.List;
import java.util.Set;
@@ -51,6 +54,7 @@ import static org.apache.jackrabbit.oak.
import static org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.Constants.NT_REP_PRINCIPAL_ENTRY;
import static org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.Constants.NT_REP_PRINCIPAL_POLICY;
import static org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.Constants.NT_REP_RESTRICTIONS;
+import static org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.Constants.PARAM_ENABLE_AGGREGATION_FILTER;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNotSame;
@@ -58,7 +62,10 @@ import static org.junit.Assert.assertNul
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
public class PrincipalBasedAuthorizationConfigurationTest extends AbstractPrincipalBasedTest {
@@ -187,23 +194,77 @@ public class PrincipalBasedAuthorization
@Test
public void testActivate() {
PrincipalBasedAuthorizationConfiguration pbac = getPrincipalBasedAuthorizationConfiguration();
- pbac.activate(mock(PrincipalBasedAuthorizationConfiguration.Configuration.class), ImmutableMap.of(PARAM_RANKING, 50, "invalid", "someValue"));
+
+ BundleContext ctx = mock(BundleContext.class);
+ PrincipalBasedAuthorizationConfiguration.Configuration config = mock(PrincipalBasedAuthorizationConfiguration.Configuration.class);
+ when(config.configurationRanking()).thenReturn(50);
+ when(config.enableAggregationFilter()).thenReturn(true);
+ pbac.activate(ctx, config);
ConfigurationParameters params = pbac.getParameters();
assertEquals(50, params.get(PARAM_RANKING));
- assertEquals("someValue", params.get("invalid"));
+ assertEquals(Boolean.TRUE, params.get(PARAM_ENABLE_AGGREGATION_FILTER));
+
+ verify(ctx, times(1)).registerService(anyString(), any(AggregationFilter.class), any(Hashtable.class));
}
@Test
public void testModified() {
PrincipalBasedAuthorizationConfiguration pbac = getPrincipalBasedAuthorizationConfiguration();
- pbac.activate(mock(PrincipalBasedAuthorizationConfiguration.Configuration.class), ImmutableMap.of(PARAM_RANKING, 50, "invalid", "someValue"));
- pbac.modified(mock(PrincipalBasedAuthorizationConfiguration.Configuration.class), ImmutableMap.of(PARAM_RANKING, 85, "test", "someValue"));
+
+ ServiceRegistration registrationMock = mock(ServiceRegistration.class);
+ BundleContext ctx = when(mock(BundleContext.class).registerService(anyString(), any(AggregationFilter.class), any(Hashtable.class))).thenReturn(registrationMock).getMock();
+ PrincipalBasedAuthorizationConfiguration.Configuration config = mock(PrincipalBasedAuthorizationConfiguration.Configuration.class);
+ when(config.configurationRanking()).thenReturn(50);
+ when(config.enableAggregationFilter()).thenReturn(true);
+ pbac.activate(ctx, config);
+
+ when(config.configurationRanking()).thenReturn(85);
+ when(config.enableAggregationFilter()).thenReturn(true);
+ pbac.modified(ctx, config);
ConfigurationParameters params = pbac.getParameters();
assertEquals(85, params.get(PARAM_RANKING));
- assertEquals("someValue", params.get("test"));
- assertNull(params.get("invalid"));
+ assertEquals(Boolean.TRUE, params.get(PARAM_ENABLE_AGGREGATION_FILTER));
+
+ verify(ctx, times(1)).registerService(anyString(), any(AggregationFilter.class), any(Hashtable.class));
+ }
+
+ @Test
+ public void testModified2() {
+ PrincipalBasedAuthorizationConfiguration pbac = getPrincipalBasedAuthorizationConfiguration();
+
+ ServiceRegistration registrationMock = mock(ServiceRegistration.class);
+ BundleContext ctx = when(mock(BundleContext.class).registerService(anyString(), any(AggregationFilter.class), any(Hashtable.class))).thenReturn(registrationMock).getMock();
+ PrincipalBasedAuthorizationConfiguration.Configuration config = mock(PrincipalBasedAuthorizationConfiguration.Configuration.class);
+ when(config.configurationRanking()).thenReturn(50);
+ when(config.enableAggregationFilter()).thenReturn(true);
+ pbac.activate(ctx, config);
+
+ when(config.configurationRanking()).thenReturn(85);
+ when(config.enableAggregationFilter()).thenReturn(false);
+ pbac.modified(ctx, config);
+
+ ConfigurationParameters params = pbac.getParameters();
+ assertEquals(85, params.get(PARAM_RANKING));
+ assertEquals(Boolean.FALSE, params.get(PARAM_ENABLE_AGGREGATION_FILTER));
+
+ verify(registrationMock, times(1)).unregister();
+ }
+
+ @Test
+ public void testDeactivate() {
+ PrincipalBasedAuthorizationConfiguration pbac = getPrincipalBasedAuthorizationConfiguration();
+
+ ServiceRegistration registrationMock = mock(ServiceRegistration.class);
+ BundleContext ctx = when(mock(BundleContext.class).registerService(anyString(), any(AggregationFilter.class), any(Hashtable.class))).thenReturn(registrationMock).getMock();
+ PrincipalBasedAuthorizationConfiguration.Configuration config = mock(PrincipalBasedAuthorizationConfiguration.Configuration.class);
+ when(config.configurationRanking()).thenReturn(50);
+ when(config.enableAggregationFilter()).thenReturn(true);
+ pbac.activate(ctx, config);
+
+ pbac.deactivate(ctx, config);
+ verify(registrationMock, times(1)).unregister();
}
@Test