jackrabbit-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1203751 - in /jackrabbit/trunk/jackrabbit-core/src: main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java test/java/org/apache/jackrabbit/core/security/authorization/AbstractRepositoryOperationTest.java
Date Fri, 18 Nov 2011 17:15:17 GMT
Author: angela
Date: Fri Nov 18 17:15:17 2011
New Revision: 1203751

URL: http://svn.apache.org/viewvc?rev=1203751&view=rev
Log:
JCR-3149 : AccessControlProvider#getEffectivePolicies for a set of principals does not include
repo-level ac

Modified:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractRepositoryOperationTest.java

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java?rev=1203751&r1=1203750&r2=1203751&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
Fri Nov 18 17:15:17 2011
@@ -199,16 +199,24 @@ public class ACLProvider extends Abstrac
         Set<AccessControlPolicy> acls = new LinkedHashSet<AccessControlPolicy>();
         for (NodeIterator it = result.getNodes(); it.hasNext();) {
             NodeImpl aclNode = (NodeImpl) it.nextNode().getParent();
+            Name aclName = aclNode.getQName();
             NodeImpl accessControlledNode = (NodeImpl) aclNode.getParent();
-            
-            if (isAccessControlled(accessControlledNode)) {
+
+            if (N_POLICY.equals(aclName) && isAccessControlled(accessControlledNode))
{
                 if (permissions.canRead(aclNode.getPrimaryPath(), aclNode.getNodeId())) {
                     List<AccessControlEntry> aces = entryCollector.getEntries(accessControlledNode).getACEs();
                     acls.add(new UnmodifiableAccessControlList(aces, accessControlledNode.getPath(),
Collections.<String, Integer>emptyMap()));
                 } else {
                     throw new AccessDeniedException("Access denied at " + Text.getRelativeParent(aclNode.getPath(),
1));
                 }
-            }
+            } else if (N_REPO_POLICY.equals(aclName) && isRepoAccessControlled(accessControlledNode))
{
+                if (permissions.canRead(aclNode.getPrimaryPath(), aclNode.getNodeId())) {
+                    List<AccessControlEntry> aces = entryCollector.collectEntries(null,
new EntryFilterImpl(null, (NodeId) null, session));
+                    acls.add(new UnmodifiableAccessControlList(aces));
+                } else {
+                    throw new AccessDeniedException("Access denied at " + Text.getRelativeParent(aclNode.getPath(),
1));
+                }
+            } // else: not a regular policy node -> ignore.
         }
 
         return acls.toArray(new AccessControlPolicy[acls.size()]);
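Review bot: The new `N_REPO_POLICY` branch reuses the message `"Access denied at " + Text.getRelativeParent(aclNode.getPath(), 1)`, which for a repo-level policy node presumably names the parent of the policy node rather than the repository-level policy. A denial here is then hard to tell apart from a denial on an ordinary node. A distinct message such as `throw new AccessDeniedException("Access denied at repository-level policy");` would make that clear to whoever reads the log. The `canRead` check and the throw are now duplicated in both branches and could move into one small private helper, with a comment such as `// entries are only disclosed if the caller may read the policy node itself` recording why the check precedes collecting the entries. The enclosing method starts and ends outside the hunk.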

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractRepositoryOperationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractRepositoryOperationTest.java?rev=1203751&r1=1203750&r2=1203751&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractRepositoryOperationTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractRepositoryOperationTest.java
Fri Nov 18 17:15:17 2011
@@ -17,6 +17,7 @@
 package org.apache.jackrabbit.core.security.authorization;
 
 import org.apache.jackrabbit.api.JackrabbitWorkspace;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
 import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.core.security.AccessManager;
@@ -36,8 +37,11 @@ import javax.jcr.security.AccessControlM
 import javax.jcr.security.AccessControlPolicy;
 import javax.jcr.security.AccessControlPolicyIterator;
 import javax.jcr.security.Privilege;
+import java.security.Principal;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
+import java.util.Set;
 
 /**
  * <code>AbstractRepositoryOperationTest</code>...
@@ -49,6 +53,18 @@ public abstract class AbstractRepository
         super.setUp();
     }
 
+    @Override
+    protected void tearDown() throws Exception {
+        try {
+            for (AccessControlPolicy policy : acMgr.getPolicies(null)) {
+                acMgr.removePolicy(null, policy);
+            }
+            superuser.save();
+        } finally {
+            super.tearDown();
+        }
+    }
+
     private Workspace getTestWorkspace() throws RepositoryException {
         return getTestSession().getWorkspace();
     }
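Review bot: tearDown() lets any exception from `acMgr.getPolicies(null)` propagate, whereas the tests in this class translate UnsupportedRepositoryOperationException into NotExecutableException. If that exception can come from the repo-level calls, every test would end in an error on a repository without repo-level access control. Consider adding `} catch (UnsupportedRepositoryOperationException ignored) { /* no repo-level ac: nothing to clean up */` before the `finally`. A one-line comment saying that leftover repo-level entries would change the privileges seen by later tests would explain why the cleanup runs after every test.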
@@ -458,28 +474,86 @@ public abstract class AbstractRepository
             assertPrivilege(NameConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT, false);
             assertPermission(Permission.NODE_TYPE_DEF_MNGMT, false);
 
-
+        } catch (UnsupportedRepositoryOperationException e) {
+            throw new NotExecutableException();
+        } finally {
             // remove it again
-            acMgr.removePolicy(null, acl);
+            for (AccessControlPolicy plc : acMgr.getPolicies(null)) {
+                acMgr.removePolicy(null, plc);
+            }
             superuser.save();
 
             // back to initial state: no repo level policy
-            policies = acMgr.getPolicies(null);
+            AccessControlPolicy[] policies = acMgr.getPolicies(null);
             assertNotNull(policies);
             assertEquals(0, policies.length);
 
-            effective = acMgr.getEffectivePolicies(null);
+            AccessControlPolicy[] effective = acMgr.getEffectivePolicies(null);
             assertNotNull(effective);
             assertEquals(0, effective.length);
 
-            it = acMgr.getApplicablePolicies(null);
+            AccessControlPolicyIterator it = acMgr.getApplicablePolicies(null);
             assertNotNull(it);
             assertTrue(it.hasNext());
-            acp = it.nextAccessControlPolicy();
+            AccessControlPolicy acp = it.nextAccessControlPolicy();
             assertNotNull(acp);
             assertTrue(acp instanceof JackrabbitAccessControlPolicy);
+        }
+    }
+
+    public void testGetEffectivePoliciesByPrincipal() throws Exception {
+        if (!(acMgr instanceof JackrabbitAccessControlManager)) {
+            throw new NotExecutableException();
+        }
+        JackrabbitAccessControlManager jAcMgr = (JackrabbitAccessControlManager) acMgr;
+        System.out.println(testUser.getPrincipal().getName());
+        Set<Principal> principalSet = Collections.singleton(testUser.getPrincipal());
+
+        try {
+            // initial state: no repo level policy
+            AccessControlPolicy[] policies = acMgr.getPolicies(null);
+            assertNotNull(policies);
+            assertEquals(0, policies.length);
+
+            AccessControlPolicy[] effective = jAcMgr.getEffectivePolicies(principalSet);
+            assertNotNull(effective);
+            assertEquals(0, effective.length);
+
+            AccessControlPolicyIterator it = acMgr.getApplicablePolicies(null);
+            assertTrue(it.hasNext());
+
+            // modify the repo level policy
+            modifyPrivileges(null, NameConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT.toString(),
false);
+            modifyPrivileges(null, NameConstants.JCR_NAMESPACE_MANAGEMENT.toString(), true);
+
+            // verify that the effective policies for the given principal set
+            // is properly calculated.
+            AccessControlPolicy[] eff = jAcMgr.getEffectivePolicies(principalSet);
+            assertNotNull(eff);
+            assertEquals(1, eff.length);
+            assertTrue(eff[0] instanceof AccessControlList);
+
+            AccessControlList acl = (AccessControlList) eff[0];
+            AccessControlEntry[] aces = acl.getAccessControlEntries();
+            assertNotNull(aces);
+            assertEquals(2, aces.length);
+            for (AccessControlEntry ace : aces) {
+                assertEquals(testUser.getPrincipal(), ace.getPrincipal());
+            }
+
         } catch (UnsupportedRepositoryOperationException e) {
             throw new NotExecutableException();
+        } finally {
+            // remove it again
+            for (AccessControlPolicy plc : acMgr.getPolicies(null)) {
+                acMgr.removePolicy(null, plc);
+            }
+            superuser.save();
+
+            // back to initial state: no repo level policy
+            AccessControlPolicy[] policies = acMgr.getPolicies(null);
+            assertNotNull(policies);
+            assertEquals(0, policies.length);
         }
     }
 }
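Review bot: The `finally` blocks of both tests repeat the policy removal that the new tearDown() already performs and then run assertions. An exception raised there replaces whatever the `try` or `catch` threw, including the NotExecutableException, so the original failure can be lost. Keeping only the removal in `finally`, or relying on tearDown(), and moving the "back to initial state" assertions to the end of the `try` body would keep the first failure visible. In testGetEffectivePoliciesByPrincipal the line `System.out.println(testUser.getPrincipal().getName());` looks like leftover debugging and should be dropped. The test only ever creates entries for `testUser`, so a comment noting that it does not show how entries for other principals are treated would help. The first test's body starts outside the hunk.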


