Author: angela
Date: Mon Aug 20 13:35:07 2012
New Revision: 1375016
URL: http://svn.apache.org/viewvc?rev=1375016&view=rev
Log:
OAK-64 : Privilege Management (WIP)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionImpl.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionImpl.java
Mon Aug 20 13:35:07 2012
@@ -16,8 +16,8 @@
*/
package org.apache.jackrabbit.oak.security.privilege;
+import java.util.Collections;
import java.util.Set;
-
import javax.annotation.Nonnull;
import com.google.common.collect.ImmutableSet;
@@ -41,7 +41,9 @@ class PrivilegeDefinitionImpl implements
PrivilegeDefinitionImpl(String name, boolean isAbstract,
String... declaredAggregateNames) {
- this(name, isAbstract, ImmutableSet.copyOf(declaredAggregateNames == null ? new
String[0] : declaredAggregateNames));
+ this(name, isAbstract, (declaredAggregateNames == null) ?
+ Collections.<String>emptySet() :
+ ImmutableSet.copyOf(declaredAggregateNames));
}
//------------------------------------------------< PrivilegeDefinition >---
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java
Mon Aug 20 13:35:07 2012
@@ -52,9 +52,7 @@ public class PrivilegeMigrator {
try {
NamespaceRegistry nsRegistry = new NamespaceRegistryImpl(contentSession);
PrivilegeDefinition[] custom = PrivilegeDefinitionReader.readCustomDefinitons(stream,
nsRegistry);
- for (PrivilegeDefinition def : custom) {
- pr.registerDefinition(def);
- }
+ pr.registerDefinitions(custom);
} catch (IOException e) {
throw new RepositoryException(e);
} finally {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java
Mon Aug 20 13:35:07 2012
@@ -17,6 +17,7 @@
package org.apache.jackrabbit.oak.security.privilege;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
@@ -40,6 +41,7 @@ import org.apache.jackrabbit.oak.util.No
* TODO: define if custom privileges are read with editing content session (thus enforcing
read permissions)
*
* FIXME: Session#refresh should refresh privileges exposed
+ * FIXME: Proper implementation for JCR_ALL privilege containing all custom privileges.
*/
public class PrivilegeRegistry implements PrivilegeProvider, PrivilegeConstants {
@@ -89,11 +91,33 @@ public class PrivilegeRegistry implement
private static void updateJcrAllPrivilege(Map<String, PrivilegeDefinition> definitions)
{
// TODO: add proper implementation taking custom privileges into account.
- definitions.put(JCR_ALL, new PrivilegeDefinitionImpl(JCR_ALL, false,
- JCR_READ, JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL,
- JCR_VERSION_MANAGEMENT, JCR_LOCK_MANAGEMENT, JCR_LIFECYCLE_MANAGEMENT,
- JCR_RETENTION_MANAGEMENT, JCR_WORKSPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT,
- JCR_NAMESPACE_MANAGEMENT, REP_PRIVILEGE_MANAGEMENT, REP_WRITE));
+ Set<String> declaredAggregateNames = new HashSet<String>();
+ declaredAggregateNames.add(JCR_READ);
+ declaredAggregateNames.add(JCR_READ_ACCESS_CONTROL);
+ declaredAggregateNames.add(JCR_MODIFY_ACCESS_CONTROL);
+ declaredAggregateNames.add(JCR_VERSION_MANAGEMENT);
+ declaredAggregateNames.add(JCR_LOCK_MANAGEMENT);
+ declaredAggregateNames.add(JCR_LIFECYCLE_MANAGEMENT);
+ declaredAggregateNames.add(JCR_RETENTION_MANAGEMENT);
+ declaredAggregateNames.add(JCR_WORKSPACE_MANAGEMENT);
+ declaredAggregateNames.add(JCR_NODE_TYPE_DEFINITION_MANAGEMENT);
+ declaredAggregateNames.add(JCR_NAMESPACE_MANAGEMENT);
+ declaredAggregateNames.add(REP_PRIVILEGE_MANAGEMENT);
+ declaredAggregateNames.add(REP_WRITE);
+
+ definitions.put(JCR_ALL, new PrivilegeDefinitionImpl(JCR_ALL, false, declaredAggregateNames));
+ }
+
+ void registerDefinitions(PrivilegeDefinition[] definitions) throws RepositoryException
{
+ for (PrivilegeDefinition definition : definitions) {
+ PrivilegeDefinition toRegister;
+ if (definition instanceof PrivilegeDefinitionImpl) {
+ toRegister = definition;
+ } else {
+ toRegister = new PrivilegeDefinitionImpl(definition.getName(), definition.isAbstract(),
definition.getDeclaredAggregateNames());
+ }
+ internalRegisterDefinitions(toRegister);
+ }
}
//--------------------------------------------------< PrivilegeProvider >---
@@ -119,16 +143,6 @@ public class PrivilegeRegistry implement
return definition;
}
- public void registerDefinition(PrivilegeDefinition definition) throws RepositoryException
{
- PrivilegeDefinition toRegister;
- if (definition instanceof PrivilegeDefinitionImpl) {
- toRegister = definition;
- } else {
- toRegister = new PrivilegeDefinitionImpl(definition.getName(), definition.isAbstract(),
definition.getDeclaredAggregateNames());
- }
- internalRegisterDefinitions(toRegister);
- }
-
//------------------------------------------------------------< private >---
private void internalRegisterDefinitions(PrivilegeDefinition toRegister) throws RepositoryException
{
@@ -149,7 +163,12 @@ public class PrivilegeRegistry implement
root.commit(DefaultConflictHandler.OURS);
} catch (CommitFailedException e) {
- throw new RepositoryException(e.getMessage());
+ Throwable t = e.getCause();
+ if (t instanceof RepositoryException) {
+ throw (RepositoryException) t;
+ } else {
+ throw new RepositoryException(e.getMessage());
+ }
}
definitions.put(toRegister.getName(), toRegister);
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
Mon Aug 20 13:35:07 2012
@@ -16,6 +16,7 @@
*/
package org.apache.jackrabbit.oak.security.privilege;
+import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
@@ -125,12 +126,16 @@ class PrivilegeValidator implements Priv
* the checks listed above fails.
*/
private void validateDefinition(PrivilegeDefinition definition) throws CommitFailedException
{
- Set<String> aggrNames = definition.getDeclaredAggregateNames();
- if (aggrNames.isEmpty()) {
+ Set<String> declaredNames = definition.getDeclaredAggregateNames();
+ if (declaredNames.isEmpty()) {
return;
}
- for (String aggrName : aggrNames) {
+ if (declaredNames.size() == 1) {
+ throw new CommitFailedException("Singular aggregation is equivalent to existing
privilege.");
+ }
+
+ for (String aggrName : declaredNames) {
// aggregated privilege not registered
if (!definitions.containsKey(aggrName)) {
throw new CommitFailedException("Declared aggregate '"+ aggrName +"' is not
a registered privilege.");
@@ -143,8 +148,15 @@ class PrivilegeValidator implements Priv
}
}
+ Set<String> aggregateNames = resolveAggregates(declaredNames);
for (PrivilegeDefinition existing : definitions.values()) {
- if (aggrNames.equals(existing.getDeclaredAggregateNames())) {
+ Set<String> existingDeclared = existing.getDeclaredAggregateNames();
+ if (existingDeclared.isEmpty()) {
+ continue;
+ }
+
+ // test for exact same aggregation or aggregation with the same net effect
+ if (declaredNames.equals(existingDeclared) || aggregateNames.equals(resolveAggregates(existingDeclared)))
{
String msg = "Custom aggregate privilege '" + definition.getName() + "' is
already covered by '" + existing.getName() + '\'';
throw new CommitFailedException(msg);
}
@@ -173,6 +185,24 @@ class PrivilegeValidator implements Priv
}
}
+ private Set<String> resolveAggregates(Set<String> declared) throws CommitFailedException
{
+ Set<String> aggregateNames = new HashSet<String>();
+ for (String name : declared) {
+ PrivilegeDefinition d = definitions.get(name);
+ if (d == null) {
+ throw new CommitFailedException("Invalid declared aggregate name " + name
+ ": Unknown privilege.");
+ }
+
+ Set<String> names = d.getDeclaredAggregateNames();
+ if (names.isEmpty()) {
+ aggregateNames.add(name);
+ } else {
+ aggregateNames.addAll(resolveAggregates(names));
+ }
+ }
+ return aggregateNames;
+ }
+
private void checkInitialized() throws CommitFailedException {
if (reader == null || definitions == null) {
throw new CommitFailedException(new IllegalStateException("Mandatory privileges
root is missing."));
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
Mon Aug 20 13:35:07 2012
@@ -191,7 +191,7 @@ public class NodeUtil {
for (String value : values) {
String oakName = mapper.getOakName(value);
if (oakName == null) {
- throw new IllegalArgumentException("Invalid name:" + name);
+ throw new IllegalArgumentException(new RepositoryException("Invalid name:"
+ name));
}
cvs.add(factory.createValue(oakName, PropertyType.NAME));
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java
Mon Aug 20 13:35:07 2012
@@ -20,6 +20,7 @@ import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
+import javax.jcr.NamespaceException;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
@@ -72,23 +73,36 @@ public class PrivilegeManagerImpl implem
@Override
public Privilege registerPrivilege(String privilegeName, boolean isAbstract,
String[] declaredAggregateNames) throws RepositoryException
{
- PrivilegeDefinition def = provider.registerDefinition(getOakName(privilegeName),
isAbstract, getOakNames(declaredAggregateNames));
+ if (privilegeName == null || privilegeName.isEmpty()) {
+ throw new RepositoryException("Invalid privilege name " + privilegeName);
+ }
+ String oakName = getOakName(privilegeName);
+ if (oakName == null) {
+ throw new NamespaceException("Invalid privilege name " + privilegeName);
+ }
+
+ PrivilegeDefinition def = provider.registerDefinition(oakName, isAbstract, getOakNames(declaredAggregateNames));
return new PrivilegeImpl(def);
}
- //--------------------------------------------------------------------------
+ //------------------------------------------------------------< private >---
+
private String getOakName(String jcrName) {
return sessionDelegate.getNamePathMapper().getOakName(jcrName);
}
- private Set<String> getOakNames(String[] jcrNames) {
+ private Set<String> getOakNames(String[] jcrNames) throws RepositoryException {
Set<String> oakNames;
if (jcrNames == null || jcrNames.length == 0) {
oakNames = Collections.emptySet();
} else {
oakNames = new HashSet<String>(jcrNames.length);
for (String jcrName : jcrNames) {
- oakNames.add(getOakName(jcrName));
+ String oakName = getOakName(jcrName);
+ if (oakName == null) {
+ throw new RepositoryException("Invalid name " + jcrName);
+ }
+ oakNames.add(oakName);
}
}
return oakNames;
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java
Mon Aug 20 13:35:07 2012
@@ -18,122 +18,152 @@ package org.apache.jackrabbit.oak.jcr.se
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.jcr.AccessDeniedException;
+import javax.jcr.NamespaceException;
import javax.jcr.RepositoryException;
+import javax.jcr.Session;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitWorkspace;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.test.AbstractJCRTest;
import org.junit.Before;
import org.junit.Test;
/**
* PrivilegeManagerTest...
+ *
+ * TODO: more tests for cyclic aggregation
*/
public class PrivilegeManagerImplTest extends AbstractJCRTest {
- private PrivilegeManager privilegeMgr;
+ private PrivilegeManager privilegeManager;
@Before
@Override
protected void setUp() throws Exception {
super.setUp();
- privilegeMgr = ((JackrabbitWorkspace) superuser.getWorkspace()).getPrivilegeManager();
+ privilegeManager = getPrivilegeManager(superuser);
+ }
+
+ private static PrivilegeManager getPrivilegeManager(Session s) throws RepositoryException
{
+ return ((JackrabbitWorkspace) s.getWorkspace()).getPrivilegeManager();
+ }
+
+ private static String[] getAggregateNames(String... names) {
+ return names;
+ }
+
+ private static void assertContainsDeclared(Privilege privilege, String aggrName) {
+ boolean found = false;
+ for (Privilege p : privilege.getDeclaredAggregatePrivileges()) {
+ if (aggrName.equals(p.getName())) {
+ found = true;
+ break;
+ }
+ }
+ assertTrue(found);
}
@Test
public void testRegisteredPrivileges() throws RepositoryException {
- Privilege[] ps = privilegeMgr.getRegisteredPrivileges();
+ Privilege[] ps = privilegeManager.getRegisteredPrivileges();
List<Privilege> l = new ArrayList<Privilege>(Arrays.asList(ps));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_ADD_CHILD_NODES)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_MODIFY_PROPERTIES)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_REMOVE_NODE)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_WRITE)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_ALL)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LOCK_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_NODE_TYPE_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege("rep:write")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("rep:addProperties")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("rep:alterProperties")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("rep:removeProperties")));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_READ)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_ADD_CHILD_NODES)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_MODIFY_PROPERTIES)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_REMOVE_NODE)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_WRITE)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_ALL)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_LOCK_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_NODE_TYPE_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_WRITE)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_ADD_PROPERTIES)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_ALTER_PROPERTIES)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_REMOVE_PROPERTIES)));
// including repo-level operation privileges
- assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:namespaceManagement")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:nodeTypeDefinitionManagement")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:workspaceManagement")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("rep:privilegeManagement")));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_WORKSPACE_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT)));
assertTrue(l.isEmpty());
}
@Test
public void testAllPrivilege() throws RepositoryException {
- Privilege p = privilegeMgr.getPrivilege(Privilege.JCR_ALL);
+ Privilege p = privilegeManager.getPrivilege(Privilege.JCR_ALL);
assertEquals("jcr:all",p.getName());
assertTrue(p.isAggregate());
assertFalse(p.isAbstract());
List<Privilege> l = new ArrayList<Privilege>(Arrays.asList(p.getAggregatePrivileges()));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_ADD_CHILD_NODES)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_MODIFY_PROPERTIES)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_REMOVE_NODE)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LOCK_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_NODE_TYPE_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_WRITE)));
- assertTrue(l.remove(privilegeMgr.getPrivilege("rep:write")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("rep:addProperties")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("rep:alterProperties")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("rep:removeProperties")));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_READ)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_ADD_CHILD_NODES)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_MODIFY_PROPERTIES)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_REMOVE_NODE)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_LOCK_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_NODE_TYPE_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_WRITE)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_WRITE)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_ADD_PROPERTIES)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_ALTER_PROPERTIES)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_REMOVE_PROPERTIES)));
// including repo-level operation privileges
- assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:namespaceManagement")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:nodeTypeDefinitionManagement")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:workspaceManagement")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("rep:privilegeManagement")));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_WORKSPACE_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT)));
assertTrue(l.isEmpty());
l = new ArrayList<Privilege>(Arrays.asList(p.getDeclaredAggregatePrivileges()));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ)));
- assertTrue(l.remove(privilegeMgr.getPrivilege("rep:write")));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LOCK_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
- assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_READ)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_LOCK_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_WRITE)));
// including repo-level operation privileges
- assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:namespaceManagement")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:nodeTypeDefinitionManagement")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:workspaceManagement")));
- assertTrue(l.remove(privilegeMgr.getPrivilege("rep:privilegeManagement")));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_WORKSPACE_MANAGEMENT)));
+ assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT)));
assertTrue(l.isEmpty());
}
@Test
public void testGetPrivilegeFromName() throws AccessControlException, RepositoryException
{
- Privilege p = privilegeMgr.getPrivilege(Privilege.JCR_READ);
+ Privilege p = privilegeManager.getPrivilege(Privilege.JCR_READ);
assertTrue(p != null);
assertEquals("jcr:read", p.getName());
assertFalse(p.isAggregate());
- p = privilegeMgr.getPrivilege(Privilege.JCR_WRITE);
+ p = privilegeManager.getPrivilege(Privilege.JCR_WRITE);
assertTrue(p != null);
assertEquals("jcr:write", p.getName());
@@ -143,7 +173,7 @@ public class PrivilegeManagerImplTest ex
@Test
public void testGetPrivilegesFromInvalidName() throws RepositoryException {
try {
- privilegeMgr.getPrivilege("unknown");
+ privilegeManager.getPrivilege("unknown");
fail("invalid privilege name");
} catch (AccessControlException e) {
// OK
@@ -153,7 +183,7 @@ public class PrivilegeManagerImplTest ex
@Test
public void testGetPrivilegesFromEmptyNames() {
try {
- privilegeMgr.getPrivilege("");
+ privilegeManager.getPrivilege("");
fail("invalid privilege name array");
} catch (AccessControlException e) {
// OK
@@ -165,12 +195,279 @@ public class PrivilegeManagerImplTest ex
@Test
public void testGetPrivilegesFromNullNames() {
try {
- privilegeMgr.getPrivilege(null);
+ privilegeManager.getPrivilege(null);
fail("invalid privilege name (null)");
} catch (Exception e) {
// OK
}
}
- // TODO test privilege registration
+ @Test
+ public void testRegisterPrivilegeWithIllegalName() {
+ Map<String, String[]> illegal = new HashMap<String, String[]>();
+ // invalid privilege name
+ illegal.put(null, new String[0]);
+ illegal.put("", new String[0]);
+ illegal.put("invalid:privilegeName", new String[0]);
+ illegal.put(".e:privilegeName", new String[0]);
+ // invalid aggregate names
+ illegal.put("newPrivilege", new String[] {"invalid:privilegeName"});
+ illegal.put("newPrivilege", new String[] {".e:privilegeName"});
+ illegal.put("newPrivilege", new String[] {null});
+ illegal.put("newPrivilege", new String[] {""});
+
+ for (String illegalName : illegal.keySet()) {
+ try {
+ privilegeManager.registerPrivilege(illegalName, true, illegal.get(illegalName));
+ fail("Illegal name -> Exception expected");
+ } catch (NamespaceException e) {
+ // success
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ }
+
+ @Test
+ public void testRegisterReservedName() {
+ Map<String, String[]> illegal = new HashMap<String, String[]>();
+ // invalid privilege name
+ illegal.put(null, new String[0]);
+ illegal.put("jcr:privilegeName", new String[0]);
+ illegal.put("rep:privilegeName", new String[0]);
+ illegal.put("nt:privilegeName", new String[0]);
+ illegal.put("mix:privilegeName", new String[0]);
+ illegal.put("sv:privilegeName", new String[0]);
+ illegal.put("xml:privilegeName", new String[0]);
+ illegal.put("xmlns:privilegeName", new String[0]);
+ // invalid aggregate names
+ illegal.put("newPrivilege", new String[] {"jcr:privilegeName"});
+
+ for (String illegalName : illegal.keySet()) {
+ try {
+ privilegeManager.registerPrivilege(illegalName, true, illegal.get(illegalName));
+ fail("Illegal name -> Exception expected");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ }
+
+ @Test
+ public void testRegisterPrivilegeWithReadOnly() throws RepositoryException {
+ Session s = getHelper().getReadOnlySession();
+ try {
+ ((JackrabbitWorkspace) s.getWorkspace()).getPrivilegeManager().registerPrivilege("test",
true, new String[0]);
+ fail("Only admin is allowed to register privileges.");
+ } catch (AccessDeniedException e) {
+ // success
+ } finally {
+ s.logout();
+ }
+ }
+
+ @Test
+ public void testCustomDefinitionsWithCyclicReferences() throws RepositoryException {
+ try {
+ privilegeManager.registerPrivilege("cycl-1", false, new String[] {"cycl-1"});
+ fail("Cyclic definitions must be detected upon registry startup.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testCustomEquivalentDefinitions() throws RepositoryException {
+ privilegeManager.registerPrivilege("custom4", false, new String[0]);
+ privilegeManager.registerPrivilege("custom5", false, new String[0]);
+ privilegeManager.registerPrivilege("custom2", false, new String[] {"custom4", "custom5"});
+
+ List<String[]> equivalent = new ArrayList<String[]>();
+ equivalent.add(new String[] {"custom4", "custom5"});
+ equivalent.add(new String[] {"custom2", "custom4"});
+ equivalent.add(new String[] {"custom2", "custom5"});
+ int cnt = 6;
+ for (String[] aggrNames : equivalent) {
+ try {
+ // the equivalent definition to 'custom1'
+ String name = "custom"+(cnt++);
+ privilegeManager.registerPrivilege(name, false, aggrNames);
+ fail("Equivalent '"+name+"' definitions must be detected.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ }
+
+ @Test
+ public void testRegisterBuiltInPrivilege() throws RepositoryException {
+ Map<String, String[]> builtIns = new HashMap<String, String[]>();
+ builtIns.put(PrivilegeConstants.JCR_READ, new String[0]);
+ builtIns.put(PrivilegeConstants.JCR_LIFECYCLE_MANAGEMENT, new String[] {PrivilegeConstants.JCR_ADD_CHILD_NODES});
+ builtIns.put(PrivilegeConstants.REP_WRITE, new String[0]);
+ builtIns.put(PrivilegeConstants.JCR_ALL, new String[0]);
+
+ for (String builtInName : builtIns.keySet()) {
+ try {
+ privilegeManager.registerPrivilege(builtInName, false, builtIns.get(builtInName));
+ fail("Privilege name " +builtInName+ " already in use -> Exception expected");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ }
+
+ @Test
+ public void testRegisterInvalidNewAggregate() throws RepositoryException {
+ Map<String, String[]> newAggregates = new LinkedHashMap<String, String[]>();
+ // same as jcr:read
+ newAggregates.put("jcrReadAggregate", getAggregateNames(PrivilegeConstants.JCR_READ));
+ // aggregated combining built-in and an unknown privilege
+ newAggregates.put("newAggregate2", getAggregateNames(PrivilegeConstants.JCR_READ,
"unknownPrivilege"));
+ // aggregate containing unknown privilege
+ newAggregates.put("newAggregate3", getAggregateNames("unknownPrivilege"));
+ // custom aggregated contains itself
+ newAggregates.put("newAggregate4", getAggregateNames("newAggregate"));
+ // same as rep:write
+ newAggregates.put("repWriteAggregate", getAggregateNames(PrivilegeConstants.JCR_MODIFY_PROPERTIES,
PrivilegeConstants.JCR_ADD_CHILD_NODES, PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT, PrivilegeConstants.JCR_REMOVE_CHILD_NODES,
PrivilegeConstants.JCR_REMOVE_NODE));
+ // aggregated combining built-in and unknown custom
+ newAggregates.put("newAggregate5", getAggregateNames(PrivilegeConstants.JCR_READ,
"unknownPrivilege"));
+
+ for (String name : newAggregates.keySet()) {
+ try {
+ privilegeManager.registerPrivilege(name, true, newAggregates.get(name));
+ fail("New aggregate "+ name +" referring to unknown Privilege -> Exception
expected");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ }
+
+ @Test
+ public void testRegisterInvalidNewAggregate2() throws RepositoryException {
+ Map<String, String[]> newCustomPrivs = new LinkedHashMap<String, String[]>();
+ newCustomPrivs.put("new", new String[0]);
+ newCustomPrivs.put("new2", new String[0]);
+ Set<String> decl = new HashSet<String>();
+ decl.add("new");
+ decl.add("new2");
+ newCustomPrivs.put("new3", getAggregateNames("new", "new2"));
+
+ for (String name : newCustomPrivs.keySet()) {
+ boolean isAbstract = true;
+ String[] aggrNames = newCustomPrivs.get(name);
+ privilegeManager.registerPrivilege(name, isAbstract, aggrNames);
+ }
+
+ Map<String, String[]> newAggregates = new LinkedHashMap<String, String[]>();
+ // other illegal aggregates already represented by registered definition.
+ newAggregates.put("newA2", getAggregateNames("new"));
+ newAggregates.put("newA3", getAggregateNames("new2"));
+
+ for (String name : newAggregates.keySet()) {
+ boolean isAbstract = false;
+ String[] aggrNames = newAggregates.get(name);
+
+ try {
+ privilegeManager.registerPrivilege(name, isAbstract, aggrNames);
+ fail("Invalid aggregation in definition '"+ name.toString()+"' : Exception
expected");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ }
+
+// FIXME: JCR_ALL privilege must be updated
+// @Test
+// public void testRegisterCustomPrivileges() throws RepositoryException {
+// Map<String, String[]> newCustomPrivs = new HashMap<String, String[]>();
+// newCustomPrivs.put("new", new String[0]);
+// newCustomPrivs.put("test:new", new String[0]);
+//
+// for (String name : newCustomPrivs.keySet()) {
+// boolean isAbstract = true;
+// String[] aggrNames = newCustomPrivs.get(name);
+//
+// Privilege registered = privilegeManager.registerPrivilege(name, isAbstract,
aggrNames);
+//
+// // validate definition
+// Privilege privilege = privilegeManager.getPrivilege(name);
+// assertNotNull(privilege);
+// assertEquals(name, privilege.getName());
+// assertTrue(privilege.isAbstract());
+// assertEquals(0, privilege.getDeclaredAggregatePrivileges().length);
+// assertContainsDeclared(privilegeManager.getPrivilege(PrivilegeConstants.JCR_ALL),
name);
+// }
+//
+// Map<String, String[]> newAggregates = new HashMap<String, String[]>();
+// // a new aggregate of custom privileges
+// newAggregates.put("newA2", getAggregateNames("test:new", "new"));
+// // a new aggregate of custom and built-in privilege
+// newAggregates.put("newA1", getAggregateNames("new", PrivilegeConstants.JCR_READ));
+// // aggregating built-in privileges
+// newAggregates.put("aggrBuiltIn", getAggregateNames(PrivilegeConstants.JCR_MODIFY_PROPERTIES,
PrivilegeConstants.JCR_READ));
+//
+// for (String name : newAggregates.keySet()) {
+// boolean isAbstract = false;
+// String[] aggrNames = newAggregates.get(name);
+// privilegeManager.registerPrivilege(name, isAbstract, aggrNames);
+// Privilege p = privilegeManager.getPrivilege(name);
+//
+// assertNotNull(p);
+// assertEquals(name, p.getName());
+// assertFalse(p.isAbstract());
+//
+// for (String n : aggrNames) {
+// assertContainsDeclared(p, n);
+// }
+// assertContainsDeclared(privilegeManager.getPrivilege(PrivilegeConstants.JCR_ALL),
name);
+// }
+// }
+
+ @Test
+ public void testCustomPrivilegeVisibleToNewSession() throws RepositoryException {
+ boolean isAbstract = false;
+ String privName = "testCustomPrivilegeVisibleToNewSession";
+ privilegeManager.registerPrivilege(privName, isAbstract, new String[0]);
+
+ Session s2 = getHelper().getSuperuserSession();
+ try {
+ PrivilegeManager pm = getPrivilegeManager(s2);
+ Privilege priv = pm.getPrivilege(privName);
+ assertEquals(privName, priv.getName());
+ assertEquals(isAbstract, priv.isAbstract());
+ assertFalse(priv.isAggregate());
+ } finally {
+ s2.logout();
+ }
+ }
+
+// FIXME: Session#refresh must refresh privilege definitions
+// @Test
+// public void testCustomPrivilegeVisibleAfterRefresh() throws RepositoryException {
+// Session s2 = getHelper().getSuperuserSession();
+// try {
+// boolean isAbstract = false;
+// String privName = "testCustomPrivilegeVisibleAfterRefresh";
+// privilegeManager.registerPrivilege(privName, isAbstract, new String[0]);
+//
+// // before refreshing: privilege not visible
+// PrivilegeManager pm = getPrivilegeManager(s2);
+// try {
+// Privilege priv = pm.getPrivilege(privName);
+// fail("Custom privilege must show up after Session#refresh()");
+// } catch (AccessControlException e) {
+// // success
+// }
+//
+// // after refresh privilege manager must be updated
+// s2.refresh(true);
+// Privilege priv = pm.getPrivilege(privName);
+// assertEquals(privName, priv.getName());
+// assertEquals(isAbstract, priv.isAbstract());
+// assertFalse(priv.isAggregate());
+// } finally {
+// s2.logout();
+// }
+// }
}
\ No newline at end of file
|