You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2019/06/06 07:34:09 UTC
svn commit: r1860703 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/
main/java/org/apache/jackrabbit/oak/security/authorization/permission/
test/java/org/apache/jackrabbit/oak/security/...
Author: angela
Date: Thu Jun 6 07:34:09 2019
New Revision: 1860703
URL: http://svn.apache.org/viewvc?rev=1860703&view=rev
Log:
OAK-8385 : Get rid of duplicated AcEntry/Entry in PermissionStoreEditor and AccessControlValidator
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntry.java (with props)
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntryTest.java (with props)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditor.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java?rev=1860703&r1=1860702&r2=1860703&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.java Thu Jun 6 07:34:09 2019
@@ -23,7 +23,6 @@ import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
-import com.google.common.base.Objects;
import com.google.common.collect.Iterables;
import com.google.common.collect.Sets;
import org.apache.jackrabbit.JcrConstants;
@@ -50,6 +49,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.util.Text;
import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
import static com.google.common.base.Preconditions.checkNotNull;
import static org.apache.jackrabbit.oak.api.CommitFailedException.ACCESS_CONTROL;
@@ -203,10 +203,10 @@ class AccessControlValidator extends Def
throw accessViolation(4, "Invalid policy node at " + policyTree.getPath() + ": Order of children is not stable.");
}
- Set<Entry> aceSet = Sets.newHashSet();
+ Set<ValidationEntry> aceSet = Sets.newHashSet();
for (Tree child : policyTree.getChildren()) {
if (isAccessControlEntry(child)) {
- if (!aceSet.add(new Entry(parent.getPath(), child))) {
+ if (!aceSet.add(createAceEntry(parent.getPath(), child))) {
throw accessViolation(13, "Duplicate ACE '" + child.getPath() + "' found in policy");
}
}
@@ -300,38 +300,12 @@ class AccessControlValidator extends Def
return new CommitFailedException(ACCESS_CONTROL, code, message);
}
- private final class Entry {
-
- private final boolean isAllow;
- private final String principalName;
- private final PrivilegeBits privilegeBits;
- private final Set<Restriction> restrictions;
-
- private Entry(String path, Tree aceTree) {
- isAllow = NT_REP_GRANT_ACE.equals(TreeUtil.getPrimaryTypeName(aceTree));
- principalName = aceTree.getProperty(REP_PRINCIPAL_NAME).getValue(Type.STRING);
- privilegeBits = privilegeBitsProvider.getBits(aceTree.getProperty(REP_PRIVILEGES).getValue(Type.NAMES));
- restrictions = restrictionProvider.readRestrictions(path, aceTree);
- }
-
- @Override
- public int hashCode() {
- return Objects.hashCode(principalName, privilegeBits, restrictions, isAllow);
- }
-
- @Override
- public boolean equals(Object o) {
- if (o == this) {
- return true;
- }
- if (o instanceof Entry) {
- Entry other = (Entry) o;
- return isAllow == other.isAllow
- && Objects.equal(principalName, other.principalName)
- && privilegeBits.equals(other.privilegeBits)
- && restrictions.equals(other.restrictions);
- }
- return false;
- }
+ private ValidationEntry createAceEntry(@Nullable String path, @NotNull Tree aceTree) {
+ String principalName = aceTree.getProperty(REP_PRINCIPAL_NAME).getValue(Type.STRING);
+ PrivilegeBits privilegeBits = privilegeBitsProvider.getBits(aceTree.getProperty(REP_PRIVILEGES).getValue(Type.NAMES));
+
+ boolean isAllow = NT_REP_GRANT_ACE.equals(TreeUtil.getPrimaryTypeName(aceTree));
+ Set<Restriction> restrictions = restrictionProvider.readRestrictions(path, aceTree);
+ return new ValidationEntry(principalName, privilegeBits, isAllow, restrictions);
}
}
Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntry.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntry.java?rev=1860703&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntry.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntry.java Thu Jun 6 07:34:09 2019
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
+
+import com.google.common.base.Objects;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.jetbrains.annotations.NotNull;
+
+import java.util.Set;
+
+public class ValidationEntry {
+
+ protected final String principalName;
+ protected final PrivilegeBits privilegeBits;
+ protected final boolean isAllow;
+ protected final Set<Restriction> restrictions;
+ // optional index not used for equality/hashcode
+ protected final int index;
+
+ public ValidationEntry(@NotNull String principalName, @NotNull PrivilegeBits privilegeBits, boolean isAllow, @NotNull Set<Restriction> restrictions) {
+ this.principalName = principalName;
+ this.privilegeBits = privilegeBits;
+ this.isAllow = isAllow;
+ this.restrictions = restrictions;
+ this.index = -1;
+ }
+
+ public ValidationEntry(@NotNull String principalName, @NotNull PrivilegeBits privilegeBits, boolean isAllow, @NotNull Set<Restriction> restrictions, int index) {
+ this.principalName = principalName;
+ this.privilegeBits = privilegeBits;
+ this.isAllow = isAllow;
+ this.restrictions = restrictions;
+ this.index = index;
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hashCode(principalName, privilegeBits, restrictions, isAllow);
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (o == this) {
+ return true;
+ }
+ if (o instanceof ValidationEntry) {
+ ValidationEntry other = (ValidationEntry) o;
+ return isAllow == other.isAllow
+ && Objects.equal(principalName, other.principalName)
+ && privilegeBits.equals(other.privilegeBits)
+ && restrictions.equals(other.restrictions);
+ }
+ return false;
+ }
+}
\ No newline at end of file
Propchange: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntry.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditor.java?rev=1860703&r1=1860702&r2=1860703&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditor.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreEditor.java Thu Jun 6 07:34:09 2019
@@ -26,6 +26,7 @@ import org.apache.jackrabbit.oak.api.Pro
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate;
import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
+import org.apache.jackrabbit.oak.security.authorization.accesscontrol.ValidationEntry;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
@@ -84,8 +85,9 @@ final class PermissionStoreEditor implem
PrivilegeBits privilegeBits = bitsProvider.getBits(ace.getNames(REP_PRIVILEGES));
Set<Restriction> restrictions = restrictionProvider.readRestrictions(Strings.emptyToNull(accessControlledPath), treeProvider.createReadOnlyTree(ace));
- AcEntry entry = new AcEntry(ace, index, isAllow, privilegeBits, restrictions);
- List<AcEntry> list = entries.computeIfAbsent(entry.principalName, k -> new ArrayList<>());
+ String principalName = Text.escapeIllegalJcrChars(ace.getString(REP_PRINCIPAL_NAME));
+ AcEntry entry = new AcEntry(principalName, index, isAllow, privilegeBits, restrictions);
+ List<AcEntry> list = entries.computeIfAbsent(principalName, k -> new ArrayList<>());
list.add(entry);
index++;
}
@@ -244,22 +246,12 @@ final class PermissionStoreEditor implem
}
}
- private class AcEntry {
+ private class AcEntry extends ValidationEntry {
- private final String principalName;
- private final PrivilegeBits privilegeBits;
- private final boolean isAllow;
- private final Set<Restriction> restrictions;
- private final int index;
-
- AcEntry(@NotNull NodeState node, int index,
+ AcEntry(@NotNull String principalName, int index,
boolean isAllow, @NotNull PrivilegeBits privilegeBits,
@NotNull Set<Restriction> restrictions) {
- this.index = index;
- this.principalName = Text.escapeIllegalJcrChars(node.getString(REP_PRINCIPAL_NAME));
- this.privilegeBits = privilegeBits;
- this.isAllow = isAllow;
- this.restrictions = restrictions;
+ super(principalName, privilegeBits, isAllow, restrictions, index);
}
private void writeToPermissionStore(@NotNull NodeBuilder parent) {
@@ -273,7 +265,7 @@ final class PermissionStoreEditor implem
}
@NotNull
- PropertyState getPrivilegeBitsProperty() {
+ private PropertyState getPrivilegeBitsProperty() {
return JcrAllUtil.asPropertyState(REP_PRIVILEGE_BITS, privilegeBits, bitsProvider);
}
}
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntryTest.java?rev=1860703&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntryTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntryTest.java Thu Jun 6 07:34:09 2019
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotEquals;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+
+public class ValidationEntryTest extends AbstractAccessControlTest {
+
+ private ValidationEntry entry;
+
+ @Before
+ public void before() throws Exception {
+ super.before();
+ entry = new ValidationEntry("principalName", PrivilegeBits.BUILT_IN.get(JCR_WRITE), false, ImmutableSet.of(mock(Restriction.class)));
+ }
+
+ @Test
+ public void testEquals() {
+ assertEquals(entry, new ValidationEntry(entry.principalName, entry.privilegeBits, entry.isAllow, entry.restrictions));
+ assertEquals(entry, new ValidationEntry(entry.principalName, entry.privilegeBits, entry.isAllow, entry.restrictions, entry.index+1));
+ assertTrue(entry.equals(entry));
+ }
+
+ @Test
+ public void testNotEquals() throws Exception {
+ assertNotEquals(entry, new ValidationEntry("other", entry.privilegeBits, entry.isAllow, entry.restrictions));
+ assertNotEquals(entry, new ValidationEntry(entry.principalName, PrivilegeBits.BUILT_IN.get(REP_WRITE), entry.isAllow, entry.restrictions));
+ assertNotEquals(entry, new ValidationEntry(entry.principalName, entry.privilegeBits, !entry.isAllow, entry.restrictions));
+ assertNotEquals(entry, new ValidationEntry(entry.principalName, entry.privilegeBits, entry.isAllow, ImmutableSet.of()));
+ assertNotEquals(entry, createEntry(new PrincipalImpl(entry.principalName), entry.privilegeBits, entry.isAllow, entry.restrictions));
+ }
+
+ @Test
+ public void testHashcode() {
+ int hc = entry.hashCode();
+ assertEquals(hc, entry.hashCode());
+ assertEquals(hc, new ValidationEntry(entry.principalName, entry.privilegeBits, entry.isAllow, entry.restrictions).hashCode());
+ assertEquals(hc, new ValidationEntry(entry.principalName, entry.privilegeBits, entry.isAllow, entry.restrictions, entry.index+1).hashCode());
+
+ assertNotEquals(hc, new ValidationEntry("other", entry.privilegeBits, entry.isAllow, entry.restrictions).hashCode());
+ assertNotEquals(hc, new ValidationEntry(entry.principalName, PrivilegeBits.BUILT_IN.get(REP_WRITE), entry.isAllow, entry.restrictions).hashCode());
+ assertNotEquals(hc, new ValidationEntry(entry.principalName, entry.privilegeBits, !entry.isAllow, entry.restrictions).hashCode());
+ assertNotEquals(hc, new ValidationEntry(entry.principalName, entry.privilegeBits, entry.isAllow, ImmutableSet.of()).hashCode());
+ }
+}
\ No newline at end of file
Propchange: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ValidationEntryTest.java
------------------------------------------------------------------------------
svn:eol-style = native