Author: angela
Date: Thu May 22 06:38:15 2008
New Revision: 659109
URL: http://svn.apache.org/viewvc?rev=659109&view=rev
Log:
JCR-1588: JSR 283 Access Control (work in progress)
- Groups can only add 'allows'
- add tests
- clean evaluation tests from unused, temporary code
Modified:
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java?rev=659109&r1=659108&r2=659109&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
Thu May 22 06:38:15 2008
@@ -32,6 +32,7 @@
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import java.security.Principal;
+import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
@@ -116,6 +117,10 @@
// TODO: ev. assert that the principal is known to the repository
// make sure valid privileges are provided.
PrivilegeRegistry.getBits(ace.getPrivileges());
+
+ if (!entry.isAllow() && entry.getPrincipal() instanceof Group) {
+ throw new AccessControlException("For group principals permissions can only be
added but not denied.");
+ }
}
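Review bot: The new rule at L36 hinges on `entry.getPrincipal() instanceof java.security.acl.Group`, so it only rejects deny entries for principals whose class implements that interface; a principal that represents a group but is supplied by a provider that does not implement `java.security.acl.Group` would still get a deny entry. Neither that assumption nor the reason for the rule is stated in the hunk or the log, so a comment above the check would help, e.g. `// JCR-1588: group principals may only be granted privileges; deny entries are rejected. Assumes group principals implement java.security.acl.Group.` The check also reads `entry` although the cast `ace` is in scope just above (L34) — using one of the two consistently is clearer. The enclosing method starts before this hunk.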
private List internalGetEntries() {
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java?rev=659109&r1=659108&r2=659109&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java
Thu May 22 06:38:15 2008
@@ -25,6 +25,7 @@
import javax.jcr.RepositoryException;
import java.security.Principal;
+import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
@@ -68,25 +69,13 @@
}
public boolean setEntry(PolicyEntry entry) throws AccessControlException, RepositoryException
{
- if (entry instanceof PolicyEntryImpl &&
- principal.equals(entry.getPrincipal())) {
- // make sure valid privileges are provided.
- PrivilegeRegistry.getBits(entry.getPrivileges());
- return internalAddEntry((PolicyEntryImpl) entry);
- } else {
- throw new AccessControlException("Invalid entry.");
- }
+ checkValidEntry(entry);
+ return internalAddEntry((PolicyEntryImpl) entry);
}
public boolean removeEntry(PolicyEntry entry) throws AccessControlException, RepositoryException
{
- if (entry instanceof PolicyEntryImpl &&
- principal.equals(entry.getPrincipal())) {
- // make sure valid privileges are provided.
- PrivilegeRegistry.getBits(entry.getPrivileges());
- return entries.remove(entry);
- } else {
- throw new AccessControlException("Invalid entry.");
- }
+ checkValidEntry(entry);
+ return entries.remove(entry);
}
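Review bot: removeEntry (L81) now runs the full checkValidEntry, which presumably includes the new rule rejecting deny entries for Group principals; a deny entry for a group that is already in `entries` (for instance one persisted before this rule existed, if the template is populated from stored policies) can then no longer be removed through this method, because the AccessControlException is thrown before `entries.remove(entry)` runs. Removal only needs the type and principal checks that the old code performed, so either give checkValidEntry a flag that skips the allow/deny rule on removal, or inline the old guard here: `if (!(entry instanceof PolicyEntryImpl) || !principal.equals(entry.getPrincipal())) { throw new AccessControlException("Invalid entry."); }`. Keeping the PrivilegeRegistry.getBits validation on removal is behaviour-preserving, since the removed code already did it.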
//------------------------------------------------< AccessControlPolicy >---
@@ -108,6 +97,29 @@
/**
*
* @param entry
+ * @throws AccessControlException
+ */
+ private void checkValidEntry(PolicyEntry entry) throws AccessControlException {
+ if (!(entry instanceof PolicyEntryImpl)) {
+ throw new AccessControlException("Invalid PolicyEntry " + entry + ". Expected
instanceof ACEImpl.");
+ }
+ if (!principal.equals(entry.getPrincipal())) {
+ throw new AccessControlException("Invalid principal. Expected: " + principal);
+ }
+
+ PolicyEntryImpl ace = (PolicyEntryImpl) entry;
+ // TODO: ev. assert that the principal is known to the repository
+ // make sure valid privileges are provided.
+ PrivilegeRegistry.getBits(ace.getPrivileges());
+
+ if (!entry.isAllow() && entry.getPrincipal() instanceof Group) {
+ throw new AccessControlException("For group principals permissions can only be
added but not denied.");
+ }
+ }
+
+ /**
+ *
+ * @param entry
* @return
*/
private synchronized boolean internalAddEntry(PolicyEntryImpl entry) {
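Review bot: The message at L93-L94 says `Expected instanceof ACEImpl.` but the check on L92 is `instanceof PolicyEntryImpl`; the text appears copied from ACLTemplate and will mislead whoever reads the exception, so it should read `"Invalid PolicyEntry " + entry + ". Expected instanceof PolicyEntryImpl."`. The Javadoc on L86-L90 has no description; a one-line summary such as `Validates that the entry is a PolicyEntryImpl for this template's principal with known privileges, and rejects deny entries for group principals.` would document the contract. Note that because L96 already requires `principal.equals(entry.getPrincipal())`, the group check at L105 effectively tests the template's own principal, i.e. a template created for a group principal can never hold a deny entry — worth stating in that summary.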
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java?rev=659109&r1=659108&r2=659109&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
Thu May 22 06:38:15 2008
@@ -23,6 +23,7 @@
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.security.TestPrincipal;
import org.apache.jackrabbit.test.JUnitTest;
@@ -49,10 +50,11 @@
*/
public abstract class AbstractEvaluationTest extends AbstractAccessControlTest {
- protected static final long DEFAULT_WAIT_TIMEOUT = 50;
+ protected static final long DEFAULT_WAIT_TIMEOUT = 5000;
protected Credentials creds;
protected User testUser;
+ protected Group testGroup;
protected SessionImpl testSession;
protected AccessControlManager testAcMgr;
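Review bot: DEFAULT_WAIT_TIMEOUT is raised from 50 to 5000 ms at L136, yet the only visible callers (`listener.getEvents(DEFAULT_WAIT_TIMEOUT)` in givePrivileges/withdrawPrivileges) are deleted later in this same commit. Unless a subclass still references it, the constant is now dead and the hundred-fold increase is misleading. Either drop it or document what it bounds, e.g. `/** Maximum time in ms to wait for observation events in evaluation tests. */`.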
@@ -71,9 +73,9 @@
super.setUp();
UserManager uMgr = getUserManager(superuser);
- Principal princ = new TestPrincipal("anyUser");
- String uid = "anyUser";
- String pw = "anyUser";
+ Principal princ = getTestPrincipal("testUser", uMgr);
+ String uid = princ.getName();
+ String pw = princ.getName();
creds = new SimpleCredentials(uid, pw.toCharArray());
Authorizable a = uMgr.getAuthorizable(princ);
@@ -85,6 +87,9 @@
testUser = (User) a;
}
+ testGroup = uMgr.createGroup(getTestPrincipal("testGroup", uMgr));
+ testGroup.addMember(testUser);
+
// TODO: remove cast once 283 is released.
testSession = (SessionImpl) helper.getRepository().login(creds);
testAcMgr = getAccessControlManager(testSession);
@@ -114,6 +119,10 @@
}
// make sure all ac info is removed
clearACInfo();
+ if (testGroup != null) {
+ testGroup.removeMember(testUser);
+ testGroup.remove();
+ }
// remove the test user again.
if (testUser != null) {
testUser.remove();
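Review bot: The group cleanup added at L166-L169 runs before `testUser.remove()` with no try/finally, so if `removeMember` or `remove` throws, the test user stays in the repository and leaks into later runs; getTestPrincipal then silently falls back to `testUser0`, which hides the leak rather than surfacing it. Wrapping it keeps the user removal independent: `try { if (testGroup != null) { testGroup.removeMember(testUser); testGroup.remove(); } } finally { if (testUser != null) testUser.remove(); }`. tearDown starts before this hunk, and whether these removals are persisted with a save is not visible here.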
@@ -142,45 +151,24 @@
protected abstract String[] getRestrictions(String path);
protected PolicyTemplate givePrivileges(String nPath, int privileges, String[] restrictions)
throws NotExecutableException, RepositoryException {
- ObservationManager obsMgr = superuser.getWorkspace().getObservationManager();
- EventResult listener = new EventResult(((JUnitTest) this).log);
- try {
- obsMgr.addEventListener(listener, Event.PROPERTY_CHANGED, nPath,
- true, new String[0], new String[] {"rep:ACE"}, false);
-
- PolicyTemplate tmpl = getPolicyTemplate(acMgr, nPath);
- tmpl.setEntry(createEntry(testUser.getPrincipal(), privileges, true, restrictions));
- acMgr.setPolicy(tmpl.getPath(), tmpl);
- superuser.save();
-
- obsMgr.removeEventListener(listener);
- Event[] evts = listener.getEvents(DEFAULT_WAIT_TIMEOUT);
+ return givePrivileges(nPath, testUser.getPrincipal(), privileges, restrictions);
+ }
- return tmpl;
- } finally {
- obsMgr.removeEventListener(listener);
- }
+ protected PolicyTemplate givePrivileges(String nPath, Principal principal,
+ int privileges, String[] restrictions) throws
NotExecutableException, RepositoryException {
+ PolicyTemplate tmpl = getPolicyTemplate(acMgr, nPath);
+ tmpl.setEntry(createEntry(principal, privileges, true, restrictions));
+ acMgr.setPolicy(tmpl.getPath(), tmpl);
+ superuser.save();
+ return tmpl;
}
protected PolicyTemplate withdrawPrivileges(String nPath, int privileges, String[] restrictions)
throws NotExecutableException, RepositoryException {
- ObservationManager obsMgr = superuser.getWorkspace().getObservationManager();
- EventResult listener = new EventResult(((JUnitTest) this).log);
- try {
- obsMgr.addEventListener(listener, Event.PROPERTY_CHANGED | Event.PROPERTY_REMOVED,
nPath,
- true, new String[0], new String[] {"rep:ACE"}, false);
-
- PolicyTemplate tmpl = getPolicyTemplate(acMgr, nPath);
- tmpl.setEntry(createEntry(testUser.getPrincipal(), privileges, false, restrictions));
- acMgr.setPolicy(tmpl.getPath(), tmpl);
- superuser.save();
-
- obsMgr.removeEventListener(listener);
- Event[] evts = listener.getEvents(DEFAULT_WAIT_TIMEOUT);
-
- return tmpl;
- } finally {
- obsMgr.removeEventListener(listener);
- }
+ PolicyTemplate tmpl = getPolicyTemplate(acMgr, nPath);
+ tmpl.setEntry(createEntry(testUser.getPrincipal(), privileges, false, restrictions));
+ acMgr.setPolicy(tmpl.getPath(), tmpl);
+ superuser.save();
+ return tmpl;
}
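Review bot: Both helpers now return immediately after `superuser.save()` (L202, L229), whereas the deleted code registered a listener for rep:ACE property events and waited on it; if permission evaluation for the already-open testSession is refreshed through observation events, tests that call these helpers and then assert on testSession become timing-dependent. If the permission cache is updated synchronously on save this is fine, but that is not visible here and deserves a comment on the helper. The new protected overload `givePrivileges(String, Principal, int, String[])` is an extension point for subclasses and has no Javadoc; a one-liner such as `Grants the given privileges to principal on nPath by adding an allow entry and saving with the superuser session.` would do, with a matching sentence on withdrawPrivileges noting it always targets testUser's principal.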
protected void checkReadOnly(String path) throws RepositoryException {
@@ -491,6 +479,24 @@
assertTrue(exptectedPrivs == PrivilegeRegistry.getBits(privs));
}
+ public void testGroupPermissions() throws NotExecutableException, RepositoryException
{
+ /*
+ precondition:
+ testuser must have READ-only permission on test-node and below
+ */
+ checkReadOnly(path);
+
+ /* add privileges for the Group the test-user is member of */
+ givePrivileges(path, testGroup.getPrincipal(), PrivilegeRegistry.MODIFY_PROPERTIES,
getRestrictions(path));
+
+ /* testuser must get the permissions/privileges inherited from
+ the group it is member of.
+ */
+ String actions = SessionImpl.SET_PROPERTY_ACTION + "," + SessionImpl.READ_ACTION;
+ assertTrue(testSession.hasPermission(path, actions));
+ assertTrue(testAcMgr.hasPrivileges(path, new Privilege[] {PrivilegeRegistry.MODIFY_PROPERTIES_PRIVILEGE}));
+ }
+
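Review bot: testGroupPermissions covers only the allow path; the rule introduced by this commit (deny entries for group principals are rejected) gets a template-level test in ACLTemplateTest but no evaluation-level test here. A companion case that builds a deny entry with `createEntry(testGroup.getPrincipal(), PrivilegeRegistry.MODIFY_PROPERTIES, false, getRestrictions(path))` and expects `AccessControlException` from `tmpl.setEntry(...)` would pin it through the AccessControlManager path. The positive test also never checks that a privilege not granted to the group (for example removing nodes) is still refused after the group entry is added, so an over-granting policy would pass unnoticed.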
public void testNewNodes() throws RepositoryException {
/*
precondition:
@@ -572,4 +578,14 @@
}
return policyNode;
}
+
+ protected Principal getTestPrincipal(String nameHint, UserManager uMgr) throws RepositoryException
{
+ Principal principal = new TestPrincipal(nameHint);
+ int i = 0;
+ while (uMgr.getAuthorizable(principal) != null) {
+ principal = new TestPrincipal(nameHint + i);
+ i++;
+ }
+ return principal;
+ }
}
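Review bot: getTestPrincipal has no Javadoc, and its contract matters for cleanup: it returns a TestPrincipal whose name is not yet bound to any authorizable, appending 0, 1, 2, … to nameHint until the lookup at L268 returns null. That means an authorizable leaked by a failed tearDown is silently skipped instead of reported, and the probe is not atomic with the later createUser/createGroup, so two runs against the same repository can still collide. Suggested summary: `Returns a principal whose name (nameHint, or nameHint + counter) is not yet used by an authorizable; callers create the user/group afterwards, so the check is not atomic.`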
\ No newline at end of file
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java?rev=659109&r1=659108&r2=659109&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java
Thu May 22 06:38:15 2008
@@ -24,6 +24,8 @@
import javax.jcr.RepositoryException;
import java.security.Principal;
+import java.security.acl.Group;
+import java.util.Enumeration;
/**
* <code>AbstractPolicyTemplateTest</code>...
@@ -33,6 +35,7 @@
private static Logger log = LoggerFactory.getLogger(AbstractPolicyTemplateTest.class);
protected Principal testPrincipal;
+ protected Group testGroup;
protected void setUp() throws Exception {
super.setUp();
@@ -41,10 +44,27 @@
return "TestPrincipal";
}
};
+ testGroup = new Group() {
+ public boolean addMember(Principal user) {
+ return false;
+ }
+ public boolean removeMember(Principal user) {
+ return false;
+ }
+ public boolean isMember(Principal member) {
+ return false;
+ }
+ public Enumeration members() {
+ return null;
+ }
+ public String getName() {
+ return "TestGroup";
+ }
+ };
}
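Review bot: The anonymous Group's `members()` at L310-L312 returns null, which violates the Enumeration contract and will NPE in any code under test that enumerates group members. An empty enumeration is the safe stub: `return Collections.enumeration(Collections.<Principal>emptyList());`, which needs `import java.util.Collections;` next to the Enumeration import added at L287. setUp starts before this hunk.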
protected abstract String getTestPath();
-
+
protected abstract PolicyTemplate createEmptyTemplate(String path);
public void testEmptyTemplate() throws RepositoryException {
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java?rev=659109&r1=659108&r2=659109&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java
Thu May 22 06:38:15 2008
@@ -16,6 +16,7 @@
*/
package org.apache.jackrabbit.core.security.authorization.acl;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
import org.apache.jackrabbit.core.security.authorization.AbstractPolicyTemplateTest;
import org.apache.jackrabbit.core.security.authorization.PolicyEntry;
import org.apache.jackrabbit.core.security.authorization.PolicyTemplate;
@@ -43,7 +44,6 @@
public void testAddEntry() throws RepositoryException {
PolicyTemplate pt = createEmptyTemplate(getTestPath());
-
assertTrue(pt.setEntry(new ACEImpl(testPrincipal, PrivilegeRegistry.READ, true)));
}
@@ -164,4 +164,21 @@
assertFalse(pt.removeEntry(pe));
}
+
+ public void testSetEntryForGroupPrincipal() throws RepositoryException {
+ PolicyTemplate pt = createEmptyTemplate(getTestPath());
+
+ // adding allow-entry must succeed
+ PolicyEntry pe = new ACEImpl(testGroup, PrivilegeRegistry.READ, true);
+ assertTrue(pt.setEntry(pe));
+
+ // adding deny-entry must succeed
+ pe = new ACEImpl(testGroup, PrivilegeRegistry.READ, false);
+ try {
+ pt.setEntry(pe);
+ fail("Adding DENY-ace for a group principal should fail.");
+ } catch (AccessControlException e) {
+ // success
+ }
+ }
}
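Review bot: The comment at L354 says `// adding deny-entry must succeed`, but the code below expects `setEntry` to throw and calls `fail(...)` otherwise; it should read `// adding deny-entry must fail`. After the catch it would also be worth asserting that the failed call left the template unchanged (the allow entry added at L352 is still the only entry), if PolicyTemplate exposes its entries in this test base — the hunk does not show such an accessor, so that part is a suggestion to confirm.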
\ No newline at end of file