Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/07/14 12:00:31 UTC
svn commit: r1690893 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/
test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/
Author: angela
Date: Tue Jul 14 10:00:30 2015
New Revision: 1690893
URL: http://svn.apache.org/r1690893
Log:
OAK-3100 : Filter ACEs when retrieving effective policies for principals
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1690893&r1=1690892&r2=1690893&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java Tue Jul 14 10:00:30 2015
@@ -45,8 +45,11 @@ import javax.jcr.security.AccessControlP
import javax.jcr.security.NamedAccessControlPolicy;
import javax.jcr.security.Privilege;
+import com.google.common.base.Function;
import com.google.common.base.Objects;
+import com.google.common.base.Predicate;
import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.google.common.primitives.Ints;
@@ -402,7 +405,7 @@ public class AccessControlManagerImpl ex
if (paths.contains(path)) {
continue;
}
- JackrabbitAccessControlList policy = createACL(path, accessControlledTree, true);
+ JackrabbitAccessControlList policy = createACL(path, accessControlledTree, true, new AcePredicate(principals));
if (policy != null) {
effective.add(policy);
paths.add(path);
@@ -462,6 +465,14 @@ public class AccessControlManagerImpl ex
private JackrabbitAccessControlList createACL(@Nullable String oakPath,
@Nonnull Tree accessControlledTree,
boolean isEffectivePolicy) throws RepositoryException {
+ return createACL(oakPath, accessControlledTree, isEffectivePolicy, null);
+ }
+
+ @CheckForNull
+ private JackrabbitAccessControlList createACL(@Nullable String oakPath,
+ @Nonnull Tree accessControlledTree,
+ boolean isEffectivePolicy,
+ @CheckForNull Predicate<ACE> predicate) throws RepositoryException {
JackrabbitAccessControlList acl = null;
String aclName = Util.getAclName(oakPath);
if (accessControlledTree.exists() && Util.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
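Review bot: The new four-argument `createACL` has no comment saying what a `null` predicate means, yet the three-argument overload now depends on that by passing `null`. A short Javadoc line such as `@param predicate filter applied to each ACE read from the policy node; {@code null} keeps every entry` would make the contract explicit. That matters here because the predicate decides which access control entries are reported back to the caller. The method body continues outside this hunk.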
@@ -470,7 +481,10 @@ public class AccessControlManagerImpl ex
List<ACE> entries = new ArrayList<ACE>();
for (Tree child : aclTree.getChildren()) {
if (Util.isACE(child, ntMgr)) {
- entries.add(createACE(oakPath, child, restrictionProvider));
+ ACE ace = createACE(oakPath, child, restrictionProvider);
+ if (predicate == null || predicate.apply(ace)) {
+ entries.add(ace);
+ }
}
}
if (isEffectivePolicy) {
@@ -749,4 +763,23 @@ public class AccessControlManagerImpl ex
return "Grants read access on configured trees.";
}
}
+
+ private static final class AcePredicate implements Predicate<ACE> {
+
+ private final Iterable<String> principalNames;
+
+ private AcePredicate(@Nonnull Set<Principal> principals) {
+ principalNames = Iterables.transform(principals, new Function<Principal, String>() {
+ @Override
+ public String apply(Principal input) {
+ return input.getName();
+ }
+ });
+ }
+
+ @Override
+ public boolean apply(@Nullable ACE ace) {
+ return ace != null && Iterables.contains(principalNames, ace.getPrincipal().getName());
+ }
+ }
}
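Review bot: `principalNames` in `AcePredicate` is the lazy view returned by `Iterables.transform`, so every `apply` call re-walks the caller's principal set and calls `getName()` on each element, and the filter keeps tracking that set if it is modified later. Copying the names once gives a fixed snapshot and a hash lookup: `private final Set<String> principalNames;`, `principalNames = ImmutableSet.copyOf(Iterables.transform(principals, ...));` and `principalNames.contains(ace.getPrincipal().getName())`. `ImmutableSet.copyOf` rejects null elements, so confirm that no principal returns a null name. The call site in the earlier hunk builds `new AcePredicate(principals)` inside a loop (a `continue` is visible there); if `principals` does not change between iterations, the predicate can be created once before the loop. A one-line class comment stating that matching is by principal name, not by `Principal.equals`, would also record the intent the new test relies on.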
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java?rev=1690893&r1=1690892&r2=1690893&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java Tue Jul 14 10:00:30 2015
@@ -1853,6 +1853,42 @@ public class AccessControlManagerImplTes
}
@Test
+ public void testEffectivePoliciesFiltering() throws Exception {
+ // create first policy with multiple ACEs for the test principal set.
+ ACL policy = getApplicablePolicy(testPath);
+ policy.addEntry(testPrincipal, testPrivileges, true, getGlobRestriction("*"));
+ policy.addEntry(testPrincipal, privilegesFromNames(PrivilegeConstants.JCR_VERSION_MANAGEMENT), false);
+ policy.addEntry(EveryonePrincipal.getInstance(), privilegesFromNames(PrivilegeConstants.JCR_LIFECYCLE_MANAGEMENT), false);
+ assertEquals(3, policy.getAccessControlEntries().length);
+ acMgr.setPolicy(testPath, policy);
+ root.commit();
+
+ // different ways to create the principal-set to make sure the filtering
+ // doesn't rely on principal equality but rather on the name.
+ List<Principal> principals = ImmutableList.of(
+ testPrincipal,
+ new PrincipalImpl(testPrincipal.getName()),
+ new Principal() {
+ @Override
+ public String getName() {
+ return testPrincipal.getName();
+ }
+ });
+
+ for (Principal princ : principals) {
+ AccessControlPolicy[] policies = acMgr.getEffectivePolicies(ImmutableSet.of(princ));
+ assertEquals(1, policies.length);
+ assertTrue(policies[0] instanceof AccessControlList);
+
+ AccessControlList acl = (AccessControlList) policies[0];
+ assertEquals(2, acl.getAccessControlEntries().length);
+ for (AccessControlEntry ace : acl.getAccessControlEntries()) {
+ assertEquals(princ.getName(), ace.getPrincipal().getName());
+ }
+ }
+ }
+
+ @Test
public void testTestSessionGetEffectivePoliciesByPrincipal() throws Exception {
NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
String childPath = child.getTree().getPath();
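Review bot: `testEffectivePoliciesFiltering` only calls `getEffectivePolicies` with single-element sets that carry the test principal's name, so the filter is never exercised with several principals or with the `EveryonePrincipal` entry as the expected match. A case such as `acMgr.getEffectivePolicies(ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance()))`, checking that the list for `testPath` holds all three entries, would cover that. Other policies may be returned for everyone depending on the test setup, so locate the list for `testPath` rather than asserting the array length. The following test method continues outside the hunk.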