Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/07/14 12:00:31 UTC

svn commit: r1690893 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/

Author: angela
Date: Tue Jul 14 10:00:30 2015
New Revision: 1690893

URL: http://svn.apache.org/r1690893
Log:
OAK-3100 : Filter ACEs when retrieving effective policies for principals

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1690893&r1=1690892&r2=1690893&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java Tue Jul 14 10:00:30 2015
@@ -45,8 +45,11 @@ import javax.jcr.security.AccessControlP
 import javax.jcr.security.NamedAccessControlPolicy;
 import javax.jcr.security.Privilege;
 
+import com.google.common.base.Function;
 import com.google.common.base.Objects;
+import com.google.common.base.Predicate;
 import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Iterables;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import com.google.common.primitives.Ints;
@@ -402,7 +405,7 @@ public class AccessControlManagerImpl ex
             if (paths.contains(path)) {
                 continue;
             }
-            JackrabbitAccessControlList policy = createACL(path, accessControlledTree, true);
+            JackrabbitAccessControlList policy = createACL(path, accessControlledTree, true, new AcePredicate(principals));
             if (policy != null) {
                 effective.add(policy);
                 paths.add(path);
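Review bot: `new AcePredicate(principals)` on the `createACL` call is constructed afresh for every access-controlled path this loop visits, although it depends only on the `principals` argument. Build it once before the loop, `Predicate<ACE> predicate = new AcePredicate(principals);`, and pass `predicate` here. The enclosing method, including the loop header and the `effective`/`paths` declarations, lies outside the hunk.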
@@ -462,6 +465,14 @@ public class AccessControlManagerImpl ex
     private JackrabbitAccessControlList createACL(@Nullable String oakPath,
                                                   @Nonnull Tree accessControlledTree,
                                                   boolean isEffectivePolicy) throws RepositoryException {
+        return createACL(oakPath, accessControlledTree, isEffectivePolicy, null);
+    }
+
+    @CheckForNull
+    private JackrabbitAccessControlList createACL(@Nullable String oakPath,
+                                                  @Nonnull Tree accessControlledTree,
+                                                  boolean isEffectivePolicy,
+                                                  @CheckForNull Predicate<ACE> predicate) throws RepositoryException {
         JackrabbitAccessControlList acl = null;
         String aclName = Util.getAclName(oakPath);
         if (accessControlledTree.exists() && Util.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
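Review bot: The new four-argument `createACL` overload carries no Javadoc saying what a null `predicate` means, and the three-argument variant now silently delegates with `null`. Add to the new overload a Javadoc along the lines of `@param predicate filter applied to each ACE read from the policy node; {@code null} keeps every entry`, so that a later caller does not assume a null filter drops everything. The body of the method continues past the end of the hunk.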
@@ -470,7 +481,10 @@ public class AccessControlManagerImpl ex
                 List<ACE> entries = new ArrayList<ACE>();
                 for (Tree child : aclTree.getChildren()) {
                     if (Util.isACE(child, ntMgr)) {
-                        entries.add(createACE(oakPath, child, restrictionProvider));
+                        ACE ace = createACE(oakPath, child, restrictionProvider);
+                        if (predicate == null || predicate.apply(ace)) {
+                            entries.add(ace);
+                        }
                     }
                 }
                 if (isEffectivePolicy) {
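Review bot: When `predicate` rejects every ACE of an access-controlled node, `entries` stays empty but the method appears to carry on and build a policy from it (the remainder of the body is outside the hunk), so `getEffectivePolicies(Set<Principal>)` may return an ACL with zero entries for that path. If an empty effective policy is not intended, return `null` after the loop when `predicate != null && entries.isEmpty()`, and add a test with a principal that has no entry at the path. I cannot confirm from the visible lines whether a later check already covers this.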
@@ -749,4 +763,23 @@ public class AccessControlManagerImpl ex
             return "Grants read access on configured trees.";
         }
     }
+
+    private static final class AcePredicate implements Predicate<ACE> {
+
+        private final Iterable<String> principalNames;
+
+        private AcePredicate(@Nonnull Set<Principal> principals) {
+            principalNames = Iterables.transform(principals, new Function<Principal, String>() {
+                @Override
+                public String apply(Principal input) {
+                    return input.getName();
+                }
+            });
+        }
+
+        @Override
+        public boolean apply(@Nullable ACE ace) {
+            return ace != null && Iterables.contains(principalNames, ace.getPrincipal().getName());
+        }
+    }
 }
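Review bot: `Iterables.contains(principalNames, ...)` in `apply` walks the lazily transformed view and calls `getName()` on every principal again for each ACE, so filtering a policy with m entries against n principals costs n·m name lookups. Materialise the names once in the constructor using `ImmutableSet`, which the file already imports: change the field to `private final Set<String> principalNames;`, assign `principalNames = ImmutableSet.copyOf(Iterables.transform(principals, ...));`, and test with `principalNames.contains(ace.getPrincipal().getName())`. Note that `ImmutableSet.copyOf` rejects null elements, so a principal whose `getName()` returns null would fail at construction instead of silently never matching; if that is possible for the principal implementations in use, skip nulls or fall back to a `HashSet`. A one-line class comment stating that matching is by principal name rather than `Principal.equals` would also document the intent the test relies on.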

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java?rev=1690893&r1=1690892&r2=1690893&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java Tue Jul 14 10:00:30 2015
@@ -1853,6 +1853,42 @@ public class AccessControlManagerImplTes
     }
 
     @Test
+    public void testEffectivePoliciesFiltering() throws Exception {
+        // create first policy with multiple ACEs for the test principal set.
+        ACL policy = getApplicablePolicy(testPath);
+        policy.addEntry(testPrincipal, testPrivileges, true, getGlobRestriction("*"));
+        policy.addEntry(testPrincipal, privilegesFromNames(PrivilegeConstants.JCR_VERSION_MANAGEMENT), false);
+        policy.addEntry(EveryonePrincipal.getInstance(), privilegesFromNames(PrivilegeConstants.JCR_LIFECYCLE_MANAGEMENT), false);
+        assertEquals(3, policy.getAccessControlEntries().length);
+        acMgr.setPolicy(testPath, policy);
+        root.commit();
+
+        // different ways to create the principal-set to make sure the filtering
+        // doesn't rely on principal equality but rather on the name.
+        List<Principal> principals = ImmutableList.of(
+                testPrincipal,
+                new PrincipalImpl(testPrincipal.getName()),
+                new Principal() {
+                    @Override
+                    public String getName() {
+                        return testPrincipal.getName();
+                    }
+                });
+
+        for (Principal princ : principals) {
+            AccessControlPolicy[] policies = acMgr.getEffectivePolicies(ImmutableSet.of(princ));
+            assertEquals(1, policies.length);
+            assertTrue(policies[0] instanceof AccessControlList);
+
+            AccessControlList acl = (AccessControlList) policies[0];
+            assertEquals(2, acl.getAccessControlEntries().length);
+            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
+                assertEquals(princ.getName(), ace.getPrincipal().getName());
+            }
+        }
+    }
+
+    @Test
     public void testTestSessionGetEffectivePoliciesByPrincipal() throws Exception {
         NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
         String childPath = child.getTree().getPath();
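Review bot: `testEffectivePoliciesFiltering` only exercises single-principal sets, so it does not show that the filter keeps the entries of every principal when several are passed, nor that the everyone entry is dropped solely because `EveryonePrincipal` is absent from the set. Add an assertion on the combined set, e.g. `policies = acMgr.getEffectivePolicies(ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance()));` followed by `assertEquals(3, ((AccessControlList) policies[0]).getAccessControlEntries().length);`. The trailing context lines belong to `testTestSessionGetEffectivePoliciesByPrincipal`, whose body continues outside the hunk.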