jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1467315 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/ oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/ oak-jcr/src/test/java/org/apache/jackrabbit/oa...
Date Fri, 12 Apr 2013 15:41:09 GMT
Author: angela
Date: Fri Apr 12 15:41:08 2013
New Revision: 1467315

URL: http://svn.apache.org/r1467315
Log:
OAK-527: permissions (wip)

Added:
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PropertyWriteTest.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBits.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBits.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBits.java?rev=1467315&r1=1467314&r2=1467315&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBits.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeBits.java
Fri Apr 12 15:41:08 2013
@@ -227,7 +227,7 @@ public final class PrivilegeBits impleme
         } else {
             if ((privs & ADD_PROPERTIES) == ADD_PROPERTIES) {
                 perm |= Permissions.ADD_PROPERTY;
-            } else if ((privs & MODIFY_PROPERTIES) == MODIFY_PROPERTIES) {
+            } else if ((privs & ALTER_PROPERTIES) == ALTER_PROPERTIES) {
                 perm |= Permissions.MODIFY_PROPERTY;
             } else if ((privs & REMOVE_PROPERTIES) == REMOVE_PROPERTIES) {
                 perm |= Permissions.REMOVE_PROPERTY;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java?rev=1467315&r1=1467314&r2=1467315&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
Fri Apr 12 15:41:08 2013
@@ -196,8 +196,10 @@ public final class Permissions {
 
         if (!actions.isEmpty()) {
             if (isAccessControlContent) {
-                actions.removeAll(ImmutableSet.of(Session.ACTION_ADD_NODE,
-                        Session.ACTION_REMOVE, Session.ACTION_SET_PROPERTY));
+                actions.removeAll(ImmutableSet.of(
+                        Session.ACTION_ADD_NODE,
+                        Session.ACTION_REMOVE,
+                        Session.ACTION_SET_PROPERTY));
                 permissions |= MODIFY_ACCESS_CONTROL;
             } else {
                 if (actions.remove(Session.ACTION_ADD_NODE)) {

Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PropertyWriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PropertyWriteTest.java?rev=1467315&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PropertyWriteTest.java
(added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PropertyWriteTest.java
Fri Apr 12 15:41:08 2013
@@ -0,0 +1,244 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.Node;
+import javax.jcr.Session;
+import javax.jcr.security.Privilege;
+
+import org.junit.Test;
+
+/**
+ * Specific tests for the individual property modification permissions:
+ * - add
+ * - modify
+ * - remove
+ *
+ * @since OAK 1.0
+ */
+public class PropertyWriteTest extends AbstractEvaluationTest {
+
+    @Test
+    public void testAddProperty() throws Exception {
+        // grant 'testUser' ADD_PROPERTIES privileges at 'path'
+        Privilege[] privileges = privilegesFromNames(new String[] {"rep:addProperties"});
+        allow(path, privileges);
+
+        /*
+         testuser must now have
+         - ADD_PROPERTIES permission
+         - no other write permission
+        */
+        assertHasPrivilege(path, Privilege.JCR_MODIFY_PROPERTIES, false);
+        assertHasPrivilege(path, "rep:addProperties", true);
+        assertHasPrivilege(path, "rep:removeProperties", false);
+        assertHasPrivilege(path, "rep:alterProperties", false);
+
+        // set_property action for non-existing property is translated to "add_properties"
permission
+        String propertyPath = path + "/newProperty";
+        assertTrue(testSession.hasPermission(propertyPath, Session.ACTION_SET_PROPERTY));
+
+        // creating the property must succeed
+        Node testN = testSession.getNode(path);
+        testN.setProperty("newProperty", "value");
+        testSession.save();
+
+        // now property exists -> 'set_property' actions is no longer granted
+        assertFalse(testSession.hasPermission(propertyPath, Session.ACTION_SET_PROPERTY));
+        assertFalse(testSession.hasPermission(propertyPath, Session.ACTION_REMOVE));
+
+        // modifying or removing the new property must fail
+        try {
+            testN.setProperty("newProperty", "modified");
+            testSession.save();
+            fail();
+        } catch (AccessDeniedException e) {
+            // success
+        }
+
+        try {
+            testN.getProperty("newProperty").setValue("modified");
+            testSession.save();
+            fail();
+        } catch (AccessDeniedException e) {
+            // success
+        }
+
+        try {
+            testN.setProperty("newProperty", (String) null);
+            testSession.save();
+            fail();
+        } catch (AccessDeniedException e) {
+            // success
+            testSession.refresh(false);
+        }
+
+        try {
+            testN.getProperty("newProperty").remove();
+            testSession.save();
+            fail();
+        } catch (AccessDeniedException e) {
+            // success
+            testSession.refresh(false);
+        }
+    }
+
+    @Test
+    public void testModifyProperty() throws Exception {
+        // grant 'testUser' ALTER_PROPERTIES privileges at 'path'
+        Privilege[] privileges = privilegesFromNames(new String[] {"rep:alterProperties"});
+        allow(path, privileges);
+
+        /*
+         testuser must now have
+         - MODIFY_PROPERTY_PROPERTIES permission
+         - no other write permission
+        */
+        assertHasPrivilege(path, Privilege.JCR_MODIFY_PROPERTIES, false);
+        assertHasPrivilege(path, "rep:addProperties", false);
+        assertHasPrivilege(path, "rep:removeProperties", false);
+        assertHasPrivilege(path, "rep:alterProperties", true);
+
+        // set_property action for non-existing property is translated to
+        // "add_properties" permission
+        String propertyPath = path + "/newProperty";
+        assertFalse(testSession.hasPermission(propertyPath, Session.ACTION_SET_PROPERTY));
+
+        // creating a new property must fail
+        Node testN = testSession.getNode(path);
+        try {
+            testN.setProperty("newProperty", "value");
+            testSession.save();
+            fail();
+        } catch (AccessDeniedException e) {
+            // success
+            testSession.refresh(false);
+        }
+
+        superuser.getNode(path).setProperty("newProperty", "value");
+        superuser.save();
+        testSession.refresh(false);
+
+        // property exists -> 'set_property' actions is granted, 'remove' is denied
+        assertTrue(testSession.hasPermission(propertyPath, Session.ACTION_SET_PROPERTY));
+        assertFalse(testSession.hasPermission(propertyPath, Session.ACTION_REMOVE));
+
+        // modifying the new property must succeed
+        testN.setProperty("newProperty", "modified");
+        testSession.save();
+
+        testN.getProperty("newProperty").setValue("modified2");
+        testSession.save();
+
+        // removing the property must fail
+        try {
+            testN.setProperty("newProperty", (String) null);
+            testSession.save();
+            fail();
+        } catch (AccessDeniedException e) {
+            // success
+            testSession.refresh(false);
+        }
+
+        try {
+            testN.getProperty("newProperty").remove();
+            testSession.save();
+            fail();
+        } catch (AccessDeniedException e) {
+            // success
+            testSession.refresh(false);
+        }
+    }
+
+    @Test
+    public void testRemoveProperty() throws Exception {
+        // grant 'testUser' REMOVE_PROPERTIES privileges at 'path'
+        Privilege[] privileges = privilegesFromNames(new String[] {"rep:removeProperties"});
+        allow(path, privileges);
+
+        /*
+         testuser must now have
+         - REMOVE_PROPERTY_PROPERTIES permission
+         - no other write permission
+        */
+        assertHasPrivilege(path, Privilege.JCR_MODIFY_PROPERTIES, false);
+        assertHasPrivilege(path, "rep:addProperties", false);
+        assertHasPrivilege(path, "rep:removeProperties", true);
+        assertHasPrivilege(path, "rep:alterProperties", false);
+
+        // set_property action for non-existing property is translated to
+        // "add_properties" permission -> denied
+        String propertyPath = path + "/newProperty";
+        assertFalse(testSession.hasPermission(propertyPath, Session.ACTION_SET_PROPERTY));
+
+        // creating a new property must fail
+        Node testN = testSession.getNode(path);
+        try {
+            testN.setProperty("newProperty", "value");
+            testSession.save();
+            fail();
+        } catch (AccessDeniedException e) {
+            // success
+            testSession.refresh(false);
+        }
+
+        superuser.getNode(path).setProperty("newProperty", "value");
+        superuser.save();
+        testSession.refresh(false);
+
+        // now property exists -> 'set_property' actions is denied, 'remove' is granted
+        assertFalse(testSession.hasPermission(propertyPath, Session.ACTION_SET_PROPERTY));
+        assertTrue(testSession.hasPermission(propertyPath, Session.ACTION_REMOVE));
+
+        // modifying the new property must fail
+        try {
+            testN.setProperty("newProperty", "modified");
+            testSession.save();
+            fail();
+        } catch (AccessDeniedException e) {
+            // success
+        }
+
+        try {
+            testN.getProperty("newProperty").setValue("modified");
+            testSession.save();
+            fail();
+        } catch (AccessDeniedException e) {
+            // success
+        }
+
+        // removing the property must succeed
+        testN.getProperty("newProperty").remove();
+        testSession.save();
+    }
+
+    @Test
+    public void testRemoveProperty2() throws Exception {
+        // grant 'testUser' REMOVE_PROPERTIES privileges at 'path'
+        Privilege[] privileges = privilegesFromNames(new String[] {"rep:removeProperties"});
+        allow(path, privileges);
+
+        superuser.getNode(path).setProperty("newProperty", "value");
+        superuser.save();
+        testSession.refresh(false);
+
+        // removing by setting to null must succeeed
+        testSession.getNode(path).setProperty("newProperty", (String) null);
+        testSession.save();
+    }
+}
\ No newline at end of file



Mime
View raw message