jackrabbit-commits mailing list archives

From ang...@apache.org
Subject svn commit: r659109 - in /jackrabbit/trunk/jackrabbit-core/src: main/java/org/apache/jackrabbit/core/security/authorization/acl/ main/java/org/apache/jackrabbit/core/security/authorization/combined/ test/java/org/apache/jackrabbit/core/security/authori...
Date Thu, 22 May 2008 13:38:16 GMT
Author: angela
Date: Thu May 22 06:38:15 2008
New Revision: 659109

URL: http://svn.apache.org/viewvc?rev=659109&view=rev
Log:
JCR-1588: JSR 283 Access Control (work in progress)

- Groups can only add 'allows'
- add tests
- clean evaluation tests from unused, temporary code

Modified:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java?rev=659109&r1=659108&r2=659109&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
Thu May 22 06:38:15 2008
@@ -32,6 +32,7 @@
 import javax.jcr.RepositoryException;
 import javax.jcr.Value;
 import java.security.Principal;
+import java.security.acl.Group;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -116,6 +117,10 @@
         // TODO: ev. assert that the principal is known to the repository
         // make sure valid privileges are provided.
         PrivilegeRegistry.getBits(ace.getPrivileges());
+
+        if (!entry.isAllow() && entry.getPrincipal() instanceof Group) {
+            throw new AccessControlException("For group principals permissions can only be
added but not denied.");
+        }
     }
 
     private List internalGetEntries() {
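Review bot: The deny-for-groups rule added here depends on the Java type of the principal object the caller passes in (`entry.getPrincipal() instanceof Group`), not on what the repository knows about that principal. A group principal that does not implement `java.security.acl.Group` would presumably still be accepted with a deny entry, and the TODO a few lines up says the principal is not yet resolved against the repository. Until that is done I would record the limitation next to the check, e.g. `// NOTE: type-based only; a group principal that is not a java.security.acl.Group is not caught until the principal is resolved (see TODO above)`. The same condition is repeated in `PolicyTemplateImpl.checkValidEntry`, so the note applies there as well; the enclosing method starts outside this hunk.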

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java?rev=659109&r1=659108&r2=659109&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java
Thu May 22 06:38:15 2008
@@ -25,6 +25,7 @@
 
 import javax.jcr.RepositoryException;
 import java.security.Principal;
+import java.security.acl.Group;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
@@ -68,25 +69,13 @@
     }
 
     public boolean setEntry(PolicyEntry entry) throws AccessControlException, RepositoryException
{
-        if (entry instanceof PolicyEntryImpl &&
-            principal.equals(entry.getPrincipal())) {
-            // make sure valid privileges are provided.
-            PrivilegeRegistry.getBits(entry.getPrivileges());
-            return internalAddEntry((PolicyEntryImpl) entry);
-        } else {
-            throw new AccessControlException("Invalid entry.");
-        }
+        checkValidEntry(entry);
+        return internalAddEntry((PolicyEntryImpl) entry);
     }
 
     public boolean removeEntry(PolicyEntry entry) throws AccessControlException, RepositoryException
{
-        if (entry instanceof PolicyEntryImpl &&
-            principal.equals(entry.getPrincipal())) {
-            // make sure valid privileges are provided.
-            PrivilegeRegistry.getBits(entry.getPrivileges());
-            return entries.remove(entry);
-        } else {
-            throw new AccessControlException("Invalid entry.");
-        }
+        checkValidEntry(entry);
+        return entries.remove(entry);
     }
 
     //------------------------------------------------< AccessControlPolicy >---
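Review bot: `removeEntry` now goes through `checkValidEntry`, which after this commit also rejects deny entries for group principals, so a group deny entry that is already in `entries` can no longer be taken out with `removeEntry`; the call throws `AccessControlException` before `entries.remove(entry)` is reached. Whether such entries can exist (for example, created before this rule) is not visible here, but removal is the path that should stay open for cleaning them up. I would keep the type, principal and privilege checks shared and apply the allow-only rule in `setEntry` alone, by moving the `!entry.isAllow() && entry.getPrincipal() instanceof Group` test out of the shared helper.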
@@ -108,6 +97,29 @@
     /**
      *
      * @param entry
+     * @throws AccessControlException
+     */
+    private void checkValidEntry(PolicyEntry entry) throws AccessControlException {
+        if (!(entry instanceof PolicyEntryImpl)) {
+            throw new AccessControlException("Invalid PolicyEntry " + entry + ". Expected
instanceof ACEImpl.");
+        }
+        if (!principal.equals(entry.getPrincipal())) {
+            throw new AccessControlException("Invalid principal. Expected: " + principal);
+        }
+
+        PolicyEntryImpl ace = (PolicyEntryImpl) entry;
+        // TODO: ev. assert that the principal is known to the repository
+        // make sure valid privileges are provided.
+        PrivilegeRegistry.getBits(ace.getPrivileges());
+
+        if (!entry.isAllow() && entry.getPrincipal() instanceof Group) {
+            throw new AccessControlException("For group principals permissions can only be
added but not denied.");
+        }
+    }
+
+    /**
+     *
+     * @param entry
      * @return
      */
     private synchronized boolean internalAddEntry(PolicyEntryImpl entry) {
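Review bot: The first message in `checkValidEntry` names the wrong type: the test is `entry instanceof PolicyEntryImpl`, but the text ends with `Expected instanceof ACEImpl.`, which looks copied from the ACL variant; `"Invalid PolicyEntry " + entry + ". Expected instanceof PolicyEntryImpl."` would match the check. The Javadoc above the method is also empty apart from its tags. A sentence stating that the entry must be a `PolicyEntryImpl` for this template's principal, carry valid privileges, and be an allow entry when the principal is a `Group` would tell callers what the `AccessControlException` means.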

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java?rev=659109&r1=659108&r2=659109&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
Thu May 22 06:38:15 2008
@@ -23,6 +23,7 @@
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.core.security.TestPrincipal;
 import org.apache.jackrabbit.test.JUnitTest;
@@ -49,10 +50,11 @@
  */
 public abstract class AbstractEvaluationTest extends AbstractAccessControlTest {
 
-    protected static final long DEFAULT_WAIT_TIMEOUT = 50;
+    protected static final long DEFAULT_WAIT_TIMEOUT = 5000;
 
     protected Credentials creds;
     protected User testUser;
+    protected Group testGroup;
     protected SessionImpl testSession;
     protected AccessControlManager testAcMgr;
 
@@ -71,9 +73,9 @@
         super.setUp();
 
         UserManager uMgr = getUserManager(superuser);
-        Principal princ = new TestPrincipal("anyUser");
-        String uid = "anyUser";
-        String pw = "anyUser";
+        Principal princ = getTestPrincipal("testUser", uMgr);
+        String uid = princ.getName();
+        String pw = princ.getName();
         creds = new SimpleCredentials(uid, pw.toCharArray());
 
         Authorizable a = uMgr.getAuthorizable(princ);
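Review bot: `getTestPrincipal` only returns a name for which `uMgr.getAuthorizable(principal)` is null, so the `uMgr.getAuthorizable(princ)` lookup on the last line of this hunk can no longer find an existing user, and the branch that reuses it (`testUser = (User) a;`, visible in the next hunk) looks unreachable. Either drop the lookup and always create the user, or keep the fixed name and reuse the existing account. As written, a test user left behind by an aborted run is silently skipped rather than cleaned up. `setUp` starts and ends outside the hunk, so this is based on the visible lines only.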
@@ -85,6 +87,9 @@
             testUser = (User) a;
         }
 
+        testGroup = uMgr.createGroup(getTestPrincipal("testGroup", uMgr));
+        testGroup.addMember(testUser);
+
         // TODO: remove cast once 283 is released.
         testSession = (SessionImpl) helper.getRepository().login(creds);
         testAcMgr = getAccessControlManager(testSession);
@@ -114,6 +119,10 @@
         }
         // make sure all ac info is removed
         clearACInfo();
+        if (testGroup != null) {
+            testGroup.removeMember(testUser);
+            testGroup.remove();
+        }
         // remove the test user again.
         if (testUser != null) {
             testUser.remove();
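Review bot: If `testGroup.removeMember(testUser)` or `testGroup.remove()` throws, the `testUser.remove()` that follows is skipped and the test account stays in the repository, with credentials that `setUp` derives from its own name. Wrapping the group cleanup in `try { ... } finally { ... }` with the user removal in the `finally` part keeps the two cleanups independent. The method continues outside the hunk, so any later cleanup would need the same treatment.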
@@ -142,45 +151,24 @@
     protected abstract String[] getRestrictions(String path);
 
     protected PolicyTemplate givePrivileges(String nPath, int privileges, String[] restrictions)
throws NotExecutableException, RepositoryException {
-        ObservationManager obsMgr = superuser.getWorkspace().getObservationManager();
-        EventResult listener = new EventResult(((JUnitTest) this).log);
-        try {
-            obsMgr.addEventListener(listener, Event.PROPERTY_CHANGED, nPath,
-                    true, new String[0], new String[] {"rep:ACE"}, false);
-
-            PolicyTemplate tmpl = getPolicyTemplate(acMgr, nPath);
-            tmpl.setEntry(createEntry(testUser.getPrincipal(), privileges, true, restrictions));
-            acMgr.setPolicy(tmpl.getPath(), tmpl);
-            superuser.save();
-
-            obsMgr.removeEventListener(listener);
-            Event[] evts = listener.getEvents(DEFAULT_WAIT_TIMEOUT);
+        return givePrivileges(nPath, testUser.getPrincipal(), privileges, restrictions);
+    }
 
-            return tmpl;
-        } finally {
-            obsMgr.removeEventListener(listener);
-        }
+    protected PolicyTemplate givePrivileges(String nPath, Principal principal,
+                                            int privileges, String[] restrictions) throws
NotExecutableException, RepositoryException {
+        PolicyTemplate tmpl = getPolicyTemplate(acMgr, nPath);
+        tmpl.setEntry(createEntry(principal, privileges, true, restrictions));
+        acMgr.setPolicy(tmpl.getPath(), tmpl);
+        superuser.save();
+        return tmpl;
     }
 
     protected PolicyTemplate withdrawPrivileges(String nPath, int privileges, String[] restrictions)
throws NotExecutableException, RepositoryException {
-        ObservationManager obsMgr = superuser.getWorkspace().getObservationManager();
-        EventResult listener = new EventResult(((JUnitTest) this).log);
-        try {
-            obsMgr.addEventListener(listener, Event.PROPERTY_CHANGED | Event.PROPERTY_REMOVED,
nPath,
-                    true, new String[0], new String[] {"rep:ACE"}, false);
-
-            PolicyTemplate tmpl = getPolicyTemplate(acMgr, nPath);
-            tmpl.setEntry(createEntry(testUser.getPrincipal(), privileges, false, restrictions));
-            acMgr.setPolicy(tmpl.getPath(), tmpl);
-            superuser.save();
-
-            obsMgr.removeEventListener(listener);
-            Event[] evts = listener.getEvents(DEFAULT_WAIT_TIMEOUT);
-
-            return tmpl;
-        } finally {
-            obsMgr.removeEventListener(listener);
-        }
+        PolicyTemplate tmpl = getPolicyTemplate(acMgr, nPath);
+        tmpl.setEntry(createEntry(testUser.getPrincipal(), privileges, false, restrictions));
+        acMgr.setPolicy(tmpl.getPath(), tmpl);
+        superuser.save();
+        return tmpl;
     }
 
     protected void checkReadOnly(String path) throws RepositoryException {
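Review bot: `withdrawPrivileges` repeats the body of the new `givePrivileges(String, Principal, int, String[])` overload with only the allow flag changed, and it has no principal-taking form, so the helpers can express a deny only for `testUser`. One private helper taking `Principal principal` and `boolean isAllow` that both methods delegate to would remove the duplication. With the `listener.getEvents(DEFAULT_WAIT_TIMEOUT)` calls gone, `DEFAULT_WAIT_TIMEOUT` (raised to 5000 earlier in this file) has no use left in the visible code; if subclasses do not need it, it can be removed.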
@@ -491,6 +479,24 @@
         assertTrue(exptectedPrivs == PrivilegeRegistry.getBits(privs));
     }
 
+    public void testGroupPermissions() throws NotExecutableException, RepositoryException
{
+        /*
+         precondition:
+         testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+
+        /* add privileges for the Group the test-user is member of */
+        givePrivileges(path, testGroup.getPrincipal(), PrivilegeRegistry.MODIFY_PROPERTIES,
getRestrictions(path));
+
+        /* testuser must get the permissions/privileges inherited from
+           the group it is member of.
+         */
+        String actions = SessionImpl.SET_PROPERTY_ACTION + "," + SessionImpl.READ_ACTION;
+        assertTrue(testSession.hasPermission(path, actions));
+        assertTrue(testAcMgr.hasPrivileges(path, new Privilege[] {PrivilegeRegistry.MODIFY_PROPERTIES_PRIVILEGE}));
+    }
+
     public void testNewNodes() throws RepositoryException {
         /*
          precondition:
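Review bot: `testGroupPermissions` covers only the positive case, that a member inherits `MODIFY_PROPERTIES` from the group. Since groups can no longer carry deny entries, the interaction worth pinning down is a deny on the user against an allow on the group. A second step calling `withdrawPrivileges(path, PrivilegeRegistry.MODIFY_PROPERTIES, getRestrictions(path))` and asserting the intended outcome would do that. Which side is meant to win is not visible in this diff, so the expected value has to come from the specification.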
@@ -572,4 +578,14 @@
         }
         return policyNode;
     }
+
+    protected Principal getTestPrincipal(String nameHint, UserManager uMgr) throws RepositoryException
{
+        Principal principal = new TestPrincipal(nameHint);
+        int i = 0;
+        while (uMgr.getAuthorizable(principal) != null) {
+            principal = new TestPrincipal(nameHint + i);
+            i++;
+        }
+        return principal;
+    }
 }
\ No newline at end of file
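Review bot: `getTestPrincipal` has no Javadoc, and its contract is not obvious from the name: it probes the user manager and changes the name until no authorizable matches. I would add `/** Returns a TestPrincipal whose name is not yet used by any authorizable: nameHint itself, or nameHint followed by the first free counter value starting at 0. */` so that callers know the returned name may differ from the hint.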

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java?rev=659109&r1=659108&r2=659109&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java
Thu May 22 06:38:15 2008
@@ -24,6 +24,8 @@
 
 import javax.jcr.RepositoryException;
 import java.security.Principal;
+import java.security.acl.Group;
+import java.util.Enumeration;
 
 /**
  * <code>AbstractPolicyTemplateTest</code>...
@@ -33,6 +35,7 @@
     private static Logger log = LoggerFactory.getLogger(AbstractPolicyTemplateTest.class);
 
     protected Principal testPrincipal;
+    protected Group testGroup;
 
     protected void setUp() throws Exception {
         super.setUp();
@@ -41,10 +44,27 @@
                 return "TestPrincipal";
             }
         };
+        testGroup = new Group() {
+            public boolean addMember(Principal user) {
+                return false;
+            }
+            public boolean removeMember(Principal user) {
+                return false;
+            }
+            public boolean isMember(Principal member) {
+                return false;
+            }
+            public Enumeration members() {
+                return null;
+            }
+            public String getName() {
+                return "TestGroup";
+            }
+        };
     }
 
     protected abstract String getTestPath();
-    
+
     protected abstract PolicyTemplate createEmptyTemplate(String path);
 
     public void testEmptyTemplate() throws RepositoryException {
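Review bot: The stub `Group` returns `null` from `members()`, so any code under test that enumerates the group's members fails with a `NullPointerException` rather than seeing an empty group. Returning an empty enumeration, e.g. `return java.util.Collections.enumeration(java.util.Collections.EMPTY_LIST);`, keeps the stub safe to pass around.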

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java?rev=659109&r1=659108&r2=659109&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java
Thu May 22 06:38:15 2008
@@ -16,6 +16,7 @@
  */
 package org.apache.jackrabbit.core.security.authorization.acl;
 
+import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
 import org.apache.jackrabbit.core.security.authorization.AbstractPolicyTemplateTest;
 import org.apache.jackrabbit.core.security.authorization.PolicyEntry;
 import org.apache.jackrabbit.core.security.authorization.PolicyTemplate;
@@ -43,7 +44,6 @@
 
     public void testAddEntry() throws RepositoryException {
         PolicyTemplate pt = createEmptyTemplate(getTestPath());
-
         assertTrue(pt.setEntry(new ACEImpl(testPrincipal, PrivilegeRegistry.READ, true)));
     }
 
@@ -164,4 +164,21 @@
 
         assertFalse(pt.removeEntry(pe));
     }
+
+    public void testSetEntryForGroupPrincipal() throws RepositoryException {
+        PolicyTemplate pt = createEmptyTemplate(getTestPath());
+
+        // adding allow-entry must succeed
+        PolicyEntry pe = new ACEImpl(testGroup, PrivilegeRegistry.READ, true);
+        assertTrue(pt.setEntry(pe));
+
+        // adding deny-entry must succeed
+        pe = new ACEImpl(testGroup, PrivilegeRegistry.READ, false);
+        try {
+            pt.setEntry(pe);
+            fail("Adding DENY-ace for a group principal should fail.");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
 }
\ No newline at end of file
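Review bot: The comment before the second half of `testSetEntryForGroupPrincipal` says `// adding deny-entry must succeed`, but the code expects an `AccessControlException` and calls `fail(...)` otherwise; it should read `// adding deny-entry must fail`. The test exercises `ACLTemplate` only. The same rule was added to `PolicyTemplateImpl.checkValidEntry` in this commit and has no corresponding test in the visible hunks.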


