You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by md...@apache.org on 2014/07/29 18:04:43 UTC
svn commit: r1614397 - in /jackrabbit/oak/trunk:
oak-core/src/main/java/org/apache/jackrabbit/oak/core/
oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/
oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/aut...
Author: mduerig
Date: Tue Jul 29 16:04:43 2014
New Revision: 1614397
URL: http://svn.apache.org/r1614397
Log:
OAK-1998: Accessible tree below a non-accessible parent are HiddenTree
Only return HiddenTree instances for actually hidden trees, not for inaccessible trees
Added:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadVersionContent.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/MutableTree.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/HiddenTreeTest.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/VersionManagementTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/MutableTree.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/MutableTree.java?rev=1614397&r1=1614396&r2=1614397&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/MutableTree.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/MutableTree.java Tue Jul 29 16:04:43 2014
@@ -143,7 +143,7 @@ class MutableTree extends AbstractTree {
@Override
public Tree getChild(String name) {
beforeRead();
- if (super.hasChild(name)) {
+ if (!isHidden(name)) {
return createChild(name);
} else {
return new HiddenTree(this, name);
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/HiddenTreeTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/HiddenTreeTest.java?rev=1614397&r1=1614396&r2=1614397&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/HiddenTreeTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/HiddenTreeTest.java Tue Jul 29 16:04:43 2014
@@ -16,23 +16,21 @@
*/
package org.apache.jackrabbit.oak.security.authorization.evaluation;
-import org.apache.jackrabbit.oak.api.Tree;
-import org.junit.Before;
-import org.junit.Test;
-
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.junit.Before;
+import org.junit.Test;
+
/**
* Test to make sure hidden trees are never exposed.
*/
public class HiddenTreeTest extends AbstractOakCoreTest {
-
- private String hiddenParentPath = "/oak:index/nodetype";
- private String hiddenName = ":index";
+ private static final String HIDDEN_NAME = ":index";
private Tree parent;
@@ -41,18 +39,19 @@ public class HiddenTreeTest extends Abst
public void before() throws Exception {
super.before();
+ String hiddenParentPath = "/oak:index/nodetype";
parent = root.getTree(hiddenParentPath);
assertTrue(parent.exists());
}
@Test
public void testHasHiddenTree() {
- assertFalse(parent.hasChild(hiddenName));
+ assertFalse(parent.hasChild(HIDDEN_NAME));
}
@Test
public void testGetHiddenTree() {
- Tree hidden = parent.getChild(hiddenName);
+ Tree hidden = parent.getChild(HIDDEN_NAME);
assertNotNull(hidden);
assertFalse(hidden.exists());
assertEquals(0, hidden.getChildrenCount(1));
@@ -61,7 +60,7 @@ public class HiddenTreeTest extends Abst
@Test
public void testOrderBeforeOnHiddenTree() {
try {
- Tree hidden = parent.getChild(hiddenName);
+ Tree hidden = parent.getChild(HIDDEN_NAME);
hidden.orderBefore("someother");
fail("IllegalStateException expected");
} catch (IllegalStateException e) {
@@ -72,7 +71,7 @@ public class HiddenTreeTest extends Abst
@Test
public void testSetOrderableChildNodesOnHiddenTree() {
try {
- Tree hidden = parent.getChild(hiddenName);
+ Tree hidden = parent.getChild(HIDDEN_NAME);
hidden.setOrderableChildren(true);
fail("IllegalStateException expected");
} catch (IllegalStateException e) {
@@ -80,7 +79,7 @@ public class HiddenTreeTest extends Abst
}
try {
- Tree hidden = parent.getChild(hiddenName);
+ Tree hidden = parent.getChild(HIDDEN_NAME);
hidden.setOrderableChildren(false);
fail("IllegalStateException expected");
} catch (IllegalStateException e) {
Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadVersionContent.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadVersionContent.java?rev=1614397&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadVersionContent.java (added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadVersionContent.java Tue Jul 29 16:04:43 2014
@@ -0,0 +1,279 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import javax.jcr.ItemNotFoundException;
+import javax.jcr.Node;
+import javax.jcr.PathNotFoundException;
+import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.Privilege;
+import javax.jcr.version.Version;
+import javax.jcr.version.VersionHistory;
+import javax.jcr.version.VersionIterator;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
+import org.apache.jackrabbit.test.NotExecutableException;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+public class ReadVersionContent extends AbstractEvaluationTest {
+
+ private Version v;
+ private Version v2;
+ private VersionHistory vh;
+
+ private String versionablePath;
+
+ @Override
+ @Before
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ deny(VersionConstants.VERSION_STORE_PATH, privilegesFromName(Privilege.JCR_READ));
+
+ Node n = createVersionableNode(superuser.getNode(path));
+ versionablePath = n.getPath();
+ v = n.checkin();
+ vh = n.getVersionHistory();
+ n.checkout();
+ v2 = n.checkin();
+ n.checkout();
+
+ testSession.refresh(false);
+ }
+
+ @Override
+ @After
+ protected void tearDown() throws Exception {
+ JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(superuser, VersionConstants.VERSION_STORE_PATH);
+ if (acl != null) {
+ for (AccessControlEntry entry : acl.getAccessControlEntries()) {
+ if (entry.getPrincipal().equals(testUser.getPrincipal())) {
+ acl.removeAccessControlEntry(entry);
+ }
+ }
+ acMgr.setPolicy(VersionConstants.VERSION_STORE_PATH, acl);
+ superuser.save();
+ }
+ }
+
+ private Node createVersionableNode(Node parent) throws Exception {
+ Node n = (parent.hasNode(nodeName1)) ? parent.getNode(nodeName1) : parent.addNode(nodeName1);
+ if (n.canAddMixin(mixVersionable)) {
+ n.addMixin(mixVersionable);
+ } else {
+ throw new NotExecutableException();
+ }
+ n.getSession().save();
+ return n;
+ }
+
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testHasVersionContentNodes() throws Exception {
+ // version information must still be accessible
+ assertTrue(testSession.nodeExists(v.getPath()));
+ assertTrue(testSession.nodeExists(v2.getPath()));
+ assertTrue(testSession.nodeExists(vh.getPath()));
+ }
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testGetBaseVersion() throws Exception {
+ // version information must still be accessible
+ Version base = testSession.getNode(versionablePath).getBaseVersion();
+ Version base2 = testSession.getWorkspace().getVersionManager().getBaseVersion(versionablePath);
+ }
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testGetVersionHistory() throws Exception {
+ // accessing the version history must be allowed if the versionable node
+ // is readable to the editing test session.
+ Node testNode = testSession.getNode(versionablePath);
+
+ VersionHistory vh = testNode.getVersionHistory();
+ VersionHistory vh2 = testSession.getWorkspace().getVersionManager().getVersionHistory(versionablePath);
+ }
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testGetVersionHistoryNode() throws Exception {
+ // accessing the version history must be allowed if the versionable node
+ // is readable to the editing test session.
+ Node testNode = testSession.getNode(versionablePath);
+
+ String vhPath = vh.getPath();
+ String vhUUID = vh.getIdentifier();
+
+ assertTrue(vh.isSame(testNode.getSession().getNode(vhPath)));
+ assertTrue(vh.isSame(testNode.getSession().getNodeByIdentifier(vhUUID)));
+ assertTrue(vh.isSame(testNode.getSession().getNodeByUUID(vhUUID)));
+ }
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testVersionHistoryGetUUID() throws Exception {
+ VersionHistory testVh = testSession.getNode(versionablePath).getVersionHistory();
+ testVh.getUUID();
+ }
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testVersionHistoryGetIdentifier() throws Exception {
+ VersionHistory testVh = testSession.getNode(versionablePath).getVersionHistory();
+ testVh.getIdentifier();
+ }
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testVersionHistoryGetVersionableIdentifier() throws Exception {
+ VersionHistory testVh = testSession.getNode(versionablePath).getVersionHistory();
+ testVh.getVersionableIdentifier();
+ }
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testVersionHistoryGetVersionableUUID() throws Exception {
+ VersionHistory testVh = testSession.getNode(versionablePath).getVersionHistory();
+ testVh.getVersionableUUID();
+ }
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testVersionHistoryIsSame() throws Exception {
+ // accessing the version history must be allowed if the versionable node
+ // is readable to the editing test session.
+ Node testNode = testSession.getNode(versionablePath);
+
+ VersionHistory testVh = testNode.getVersionHistory();
+ Node vh2 = testNode.getSession().getNode(testVh.getPath());
+
+ assertTrue(testVh.isSame(vh2));
+ }
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testGetAllVersions() throws Exception {
+ // accessing the version history must be allowed if the versionable node
+ // is readable to the editing test session.
+ Node testNode = testSession.getNode(versionablePath);
+
+ VersionHistory vh = testNode.getVersionHistory();
+ VersionIterator versionIterator = vh.getAllVersions();
+ // TODO
+ }
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testGetAllLinearVersions() throws Exception {
+ // accessing the version history must be allowed if the versionable node
+ // is readable to the editing test session.
+ Node testNode = testSession.getNode(versionablePath);
+
+ VersionHistory vh = testNode.getVersionHistory();
+ VersionIterator versionIterator = vh.getAllLinearVersions();
+ // TODO
+ }
+
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testAccessVersionHistoryVersionableNodeNotAccessible() throws Exception {
+ // revert read permission on the versionable node
+ modify(versionablePath, Privilege.JCR_READ, false);
+
+ // versionable node is not readable any more for test session.
+ assertFalse(testSession.nodeExists(versionablePath));
+
+ // access version history directly => should fail
+ try {
+ VersionHistory history = (VersionHistory) testSession.getNode(vh.getPath());
+ fail("Access to version history should be denied if versionable node is not accessible");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+
+ try {
+ VersionHistory history = (VersionHistory) testSession.getNodeByIdentifier(vh.getIdentifier());
+ fail("Access to version history should be denied if versionable node is not accessible");
+ } catch (ItemNotFoundException e) {
+ // success
+ }
+
+ try {
+ VersionHistory history = (VersionHistory) testSession.getNodeByUUID(vh.getUUID());
+ fail("Access to version history should be denied if versionable node is not accessible");
+ } catch (ItemNotFoundException e) {
+ // success
+ }
+ }
+
+ /**
+ * @since oak
+ */
+ @Test
+ public void testAccessVersionHistoryVersionableNodeRemoved() throws Exception {
+ superuser.getNode(versionablePath).remove();
+ superuser.save();
+
+ testSession.refresh(false);
+ assertTrue(testSession.nodeExists(path));
+ assertFalse(testSession.nodeExists(versionablePath));
+
+ // accessing the version history directly should still succeed as
+ // read permission is still granted on the tree defined by the parent.
+ VersionHistory history = (VersionHistory) testSession.getNode(vh.getPath());
+ history = (VersionHistory) testSession.getNodeByIdentifier(vh.getIdentifier());
+ history = (VersionHistory) testSession.getNodeByUUID(vh.getUUID());
+
+ // revoking read permission on the parent node -> version history
+ // must no longer be accessible
+ modify(path, Privilege.JCR_READ, false);
+ assertFalse(testSession.nodeExists(vh.getPath()));
+ }
+}
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/VersionManagementTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/VersionManagementTest.java?rev=1614397&r1=1614396&r2=1614397&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/VersionManagementTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/VersionManagementTest.java Tue Jul 29 16:04:43 2014
@@ -30,7 +30,6 @@ import javax.jcr.version.VersionManager;
import org.apache.jackrabbit.test.NotExecutableException;
import org.junit.Before;
-import org.junit.Ignore;
import org.junit.Test;
/**
@@ -192,39 +191,6 @@ public class VersionManagementTest exten
}
/**
- * @since oak
- */
- @Test
- public void testAccessVersionContentWithoutStoreAccess() throws Exception {
- Node n = createVersionableNode(superuser.getNode(path));
- Version v = n.checkin();
- VersionHistory vh = n.getVersionHistory();
- n.checkout();
- Version v2 = n.checkin();
- n.checkout();
-
- testSession.refresh(false);
- assertFalse(testAcMgr.hasPrivileges(n.getPath(), versionPrivileges));
- AccessControlList acl = deny(SYSTEM, privilegesFromName(Privilege.JCR_READ));
-
- try {
- // version information must still be accessible
- assertTrue(testSession.nodeExists(v.getPath()));
- assertTrue(testSession.nodeExists(v2.getPath()));
- assertTrue(testSession.nodeExists(vh.getPath()));
-
- } finally {
- for (AccessControlEntry entry : acl.getAccessControlEntries()) {
- if (entry.getPrincipal().equals(testUser.getPrincipal())) {
- acl.removeAccessControlEntry(entry);
- }
- }
- acMgr.setPolicy(SYSTEM, acl);
- superuser.save();
- }
- }
-
- /**
* @since oak (DIFF: jr required jcr:versionManagement privilege on the version store)
*/
@Test