jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1470949 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/ test/java/org/apache/jackrabbit/oak/ test/java/org/apache/jackrabbit/oak/security/authorization/ test/java/org/apache/jackrabbit/o...
Date Tue, 23 Apr 2013 13:39:49 GMT
Author: angela
Date: Tue Apr 23 13:39:49 2013
New Revision: 1470949

URL: http://svn.apache.org/r1470949
Log:
OAK-51 : Access Control Management (tests, minor improvement)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACLTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java?rev=1470949&r1=1470948&r2=1470949&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
Tue Apr 23 13:39:49 2013
@@ -44,6 +44,7 @@ import org.apache.jackrabbit.oak.securit
 import org.apache.jackrabbit.oak.spi.security.authorization.ACE;
 import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlList;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -108,6 +109,12 @@ abstract class ACL extends AbstractAcces
             throw new AccessControlException(msg);
         }
 
+        for (RestrictionDefinition def : getRestrictionProvider().getSupportedRestrictions(getOakPath()))
{
+            if (def.isMandatory() && (restrictions == null || !restrictions.containsKey(def.getJcrName())))
{
+                throw new AccessControlException("Mandatory restriction " +def.getJcrName()+
" is missing.");
+            }
+        }
+
         Set<Restriction> rs;
         if (restrictions == null) {
             rs = Collections.emptySet();
@@ -117,6 +124,7 @@ abstract class ACL extends AbstractAcces
                 rs.add(getRestrictionProvider().createRestriction(getOakPath(), name, restrictions.get(name)));
             }
         }
+
         ACE entry = new ACE(principal, privileges, isAllow, rs);
         if (entries.contains(entry)) {
             log.debug("Entry is already contained in policy -> no modification.");

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java?rev=1470949&r1=1470948&r2=1470949&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java
Tue Apr 23 13:39:49 2013
@@ -22,6 +22,7 @@ import javax.jcr.Credentials;
 import javax.jcr.NoSuchWorkspaceException;
 import javax.jcr.RepositoryException;
 import javax.jcr.SimpleCredentials;
+import javax.jcr.ValueFactory;
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.Privilege;
 import javax.security.auth.login.Configuration;
@@ -40,6 +41,7 @@ import org.apache.jackrabbit.oak.plugins
 import org.apache.jackrabbit.oak.plugins.index.p2.Property2IndexProvider;
 import org.apache.jackrabbit.oak.plugins.nodetype.RegistrationEditorProvider;
 import org.apache.jackrabbit.oak.plugins.nodetype.write.InitialContent;
+import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
 import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
@@ -157,6 +159,10 @@ public abstract class AbstractSecurityTe
         return privMgr;
     }
 
+    protected ValueFactory getValueFactory() {
+        return new ValueFactoryImpl(root.getBlobFactory(), getNamePathMapper());
+    }
+
     protected User getTestUser() throws Exception {
         if (testUser == null) {
             String uid = "testUser" + UUID.randomUUID();

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java?rev=1470949&r1=1470948&r2=1470949&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
Tue Apr 23 13:39:49 2013
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
 
 import java.security.Principal;
 import java.security.acl.Group;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
@@ -27,20 +28,23 @@ import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
 import javax.jcr.Value;
-import javax.jcr.ValueFactory;
 import javax.jcr.security.AccessControlEntry;
 import javax.jcr.security.AccessControlException;
 import javax.jcr.security.Privilege;
 
 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Sets;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
-import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
+import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
 import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
@@ -48,6 +52,10 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlList;
 import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlListTest;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinitionImpl;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionImpl;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
 import org.junit.Before;
@@ -91,13 +99,13 @@ public class ACLTest extends AbstractAcc
     @Override
     protected AbstractAccessControlList createACL(@Nullable String jcrPath,
                                                   @Nonnull List<JackrabbitAccessControlEntry>
entries,
-                                                  @Nonnull NamePathMapper namePathMapper)
{
+                                                  @Nonnull NamePathMapper namePathMapper,
+                                                  final @Nonnull RestrictionProvider restrictionProvider)
{
         String path = (jcrPath == null) ? null : namePathMapper.getOakPathKeepIndex(jcrPath);
-        final RestrictionProvider rp = getRestrictionProvider();
         return new ACL(path, entries, namePathMapper) {
             @Override
             public RestrictionProvider getRestrictionProvider() {
-                return rp;
+                return restrictionProvider;
             }
 
             @Override
@@ -117,10 +125,6 @@ public class ACLTest extends AbstractAcc
         };
     }
 
-    private ValueFactory getValueFactory() {
-        return new ValueFactoryImpl(root.getBlobFactory(), NamePathMapper.DEFAULT);
-    }
-
     private static void assertACE(JackrabbitAccessControlEntry ace, boolean isAllow, Privilege...
privileges) {
         assertEquals(isAllow, ace.isAllow());
         assertEquals(Sets.newHashSet(privileges), Sets.newHashSet(ace.getPrivileges()));
@@ -176,17 +180,6 @@ public class ACLTest extends AbstractAcc
     }
 
     @Test
-    public void testAddEntryWithInvalidRestrictions() throws Exception {
-        Map<String, Value> restrictions = Collections.singletonMap("unknownRestriction",
new ValueFactoryImpl(root.getBlobFactory(), namePathMapper).createValue("value"));
-        try {
-            acl.addEntry(testPrincipal, testPrivileges, false, restrictions);
-            fail("Invalid restrictions -> AccessControlException expected");
-        } catch (AccessControlException e) {
-            // success
-        }
-    }
-
-    @Test
     public void testRemoveEntry() throws Exception {
         assertTrue(acl.addAccessControlEntry(testPrincipal, testPrivileges));
         acl.removeAccessControlEntry(acl.getAccessControlEntries()[0]);
@@ -550,6 +543,42 @@ public class ACLTest extends AbstractAcc
     }
 
     @Test
+    public void testInsertionOrder() throws Exception {
+        Privilege[] readPriv = privilegesFromNames(JCR_READ);
+        Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
+        Privilege[] addNodePriv = privilegesFromNames(JCR_ADD_CHILD_NODES);
+
+        Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB,
getValueFactory().createValue("/.*"));
+
+        acl.addEntry(testPrincipal, readPriv, true);
+        acl.addEntry(testPrincipal, writePriv, false);
+        acl.addEntry(testPrincipal, addNodePriv, true, restrictions);
+
+        List<JackrabbitAccessControlEntry> entries = acl.getEntries();
+        assertACE(entries.get(0), true, readPriv);
+        assertACE(entries.get(1), false, writePriv);
+        assertACE(entries.get(2), true, addNodePriv);
+    }
+
+    @Test
+    public void testInsertionOrder2() throws Exception {
+        Privilege[] readPriv = privilegesFromNames(JCR_READ);
+        Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
+        Privilege[] addNodePriv = privilegesFromNames(JCR_ADD_CHILD_NODES);
+
+        Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB,
getValueFactory().createValue("/.*"));
+
+        acl.addEntry(testPrincipal, readPriv, true);
+        acl.addEntry(testPrincipal, addNodePriv, true, restrictions);
+        acl.addEntry(testPrincipal, writePriv, false);
+
+        List<JackrabbitAccessControlEntry> entries = acl.getEntries();
+        assertACE(entries.get(0), true, readPriv);
+        assertACE(entries.get(1), true, addNodePriv);
+        assertACE(entries.get(2), false, writePriv);
+    }
+
+    @Test
     public void testRestrictions() throws Exception {
         String[] names = acl.getRestrictionNames();
         assertNotNull(names);
@@ -590,39 +619,53 @@ public class ACLTest extends AbstractAcc
     }
 
     @Test
-    public void testInsertionOrder() throws Exception {
-        Privilege[] readPriv = privilegesFromNames(JCR_READ);
-        Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
-        Privilege[] addNodePriv = privilegesFromNames(JCR_ADD_CHILD_NODES);
-
-        Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB,
getValueFactory().createValue("/.*"));
+    public void testUnsupportedRestrictions() throws Exception {
+        Map<String, Value> restrictions = Collections.singletonMap("unknownRestriction",
getValueFactory().createValue("value"));
+        try {
+            acl.addEntry(testPrincipal, testPrivileges, false, restrictions);
+            fail("Invalid restrictions -> AccessControlException expected");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
 
-        acl.addEntry(testPrincipal, readPriv, true);
-        acl.addEntry(testPrincipal, writePriv, false);
-        acl.addEntry(testPrincipal, addNodePriv, true, restrictions);
+    @Test
+    public void testUnsupportedRestrictions2() throws Exception {
+        RestrictionProvider rp = new TestRestrictionProvider("restr", PropertyType.NAME,
false);
 
-        List<JackrabbitAccessControlEntry> entries = acl.getEntries();
-        assertACE(entries.get(0), true, readPriv);
-        assertACE(entries.get(1), false, writePriv);
-        assertACE(entries.get(2), true, addNodePriv);
+        JackrabbitAccessControlList acl = createACL(getTestPath(), new ArrayList(), namePathMapper,
rp);
+        try {
+            acl.addEntry(testPrincipal, testPrivileges, false, Collections.<String, Value>singletonMap("unsupported",
getValueFactory().createValue("value")));
+            fail("Unsupported restriction must be detected.");
+        } catch (AccessControlException e) {
+            // mandatory restriction missing -> success
+        }
     }
 
     @Test
-    public void testInsertionOrder2() throws Exception {
-        Privilege[] readPriv = privilegesFromNames(JCR_READ);
-        Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
-        Privilege[] addNodePriv = privilegesFromNames(JCR_ADD_CHILD_NODES);
+    public void testInvalidRestrictionType() throws Exception {
+        RestrictionProvider rp = new TestRestrictionProvider("restr", PropertyType.NAME,
false);
 
-        Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB,
getValueFactory().createValue("/.*"));
+        JackrabbitAccessControlList acl = createACL(getTestPath(), new ArrayList(), namePathMapper,
rp);
+        try {
+            acl.addEntry(testPrincipal, testPrivileges, false, Collections.<String, Value>singletonMap("restr",
getValueFactory().createValue(true)));
+            fail("Invalid restriction type.");
+        } catch (AccessControlException e) {
+            // mandatory restriction missing -> success
+        }
+    }
 
-        acl.addEntry(testPrincipal, readPriv, true);
-        acl.addEntry(testPrincipal, addNodePriv, true, restrictions);
-        acl.addEntry(testPrincipal, writePriv, false);
+    @Test
+    public void testMandatoryRestrictions() throws Exception {
+        RestrictionProvider rp = new TestRestrictionProvider("mandatory", PropertyType.NAME,
true);
 
-        List<JackrabbitAccessControlEntry> entries = acl.getEntries();
-        assertACE(entries.get(0), true, readPriv);
-        assertACE(entries.get(1), true, addNodePriv);
-        assertACE(entries.get(2), false, writePriv);
+        JackrabbitAccessControlList acl = createACL(getTestPath(), new ArrayList(), namePathMapper,
rp);
+        try {
+            acl.addEntry(testPrincipal, testPrivileges, false, Collections.<String, Value>emptyMap());
+            fail("Mandatory restriction must be enforced.");
+        } catch (AccessControlException e) {
+            // mandatory restriction missing -> success
+        }
     }
 
     //--------------------------------------------------------------------------
@@ -654,4 +697,54 @@ public class ACLTest extends AbstractAcc
             return new Privilege[0];
         }
     }
+
+    private final class TestRestrictionProvider implements RestrictionProvider {
+
+        private final RestrictionDefinition supported;
+
+        private TestRestrictionProvider(String name, int type, boolean isMandatory) {
+            supported = new RestrictionDefinitionImpl(name, type, isMandatory, namePathMapper);
+        }
+
+        @Nonnull
+        @Override
+        public Set<RestrictionDefinition> getSupportedRestrictions(@Nullable String
oakPath) {
+            return ImmutableSet.of(supported);
+        }
+
+        @Nonnull
+        @Override
+        public Restriction createRestriction(@Nullable String oakPath, @Nonnull String jcrName,
@Nonnull Value value) throws RepositoryException {
+            if (!supported.getJcrName().equals(jcrName)) {
+                throw new AccessControlException();
+            }
+            if (supported.getRequiredType() != value.getType()) {
+                throw new AccessControlException();
+            }
+            PropertyState property = PropertyStates.createProperty(namePathMapper.getOakName(jcrName),
value.getString(), value.getType());
+            return new RestrictionImpl(property, supported.isMandatory(), namePathMapper);
+        }
+
+        @Nonnull
+        @Override
+        public Set<Restriction> readRestrictions(@Nullable String oakPath, @Nonnull
Tree aceTree) {
+            throw new UnsupportedOperationException();
+        }
+
+        @Override
+        public void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction>
restrictions) throws AccessControlException {
+            throw new UnsupportedOperationException();
+        }
+
+        @Override
+        public void validateRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree)
throws AccessControlException {
+            throw new UnsupportedOperationException();
+        }
+
+        @Nonnull
+        @Override
+        public RestrictionPattern getPattern(@Nullable String oakPath, @Nonnull Tree tree)
{
+            throw new UnsupportedOperationException();
+        }
+    }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java?rev=1470949&r1=1470948&r2=1470949&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java
Tue Apr 23 13:39:49 2013
@@ -40,6 +40,7 @@ import org.apache.jackrabbit.oak.namepat
 import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 import org.junit.Test;
 
 import static org.junit.Assert.assertEquals;
@@ -73,9 +74,16 @@ public abstract class AbstractAccessCont
         return createACL(jcrPath, Lists.newArrayList(entries), namePathMapper);
     }
 
+    protected AbstractAccessControlList createACL(@Nullable String jcrPath,
+                                                           @Nonnull List<JackrabbitAccessControlEntry>
entries,
+                                                           @Nonnull NamePathMapper namePathMapper)
{
+        return createACL(jcrPath, entries, namePathMapper, getRestrictionProvider());
+    }
+
     protected abstract AbstractAccessControlList createACL(@Nullable String jcrPath,
                                                            @Nonnull List<JackrabbitAccessControlEntry>
entries,
-                                                           @Nonnull NamePathMapper namePathMapper);
+                                                           @Nonnull NamePathMapper namePathMapper,
+                                                           @Nonnull RestrictionProvider restrictionProvider);
 
     protected List<JackrabbitAccessControlEntry> createTestEntries() throws RepositoryException
{
         List<JackrabbitAccessControlEntry> entries = new ArrayList<JackrabbitAccessControlEntry>(3);

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACLTest.java?rev=1470949&r1=1470948&r2=1470949&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACLTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACLTest.java
Tue Apr 23 13:39:49 2013
@@ -57,9 +57,10 @@ public class ImmutableACLTest extends Ab
     }
 
     @Override
-    protected ImmutableACL createACL(String jcrPath, List<JackrabbitAccessControlEntry>
entries, NamePathMapper namePathMapper) {
+    protected ImmutableACL createACL(String jcrPath, List<JackrabbitAccessControlEntry>
entries,
+                                     NamePathMapper namePathMapper, RestrictionProvider restrictionProvider)
{
         String oakPath = (jcrPath == null) ? null : namePathMapper.getOakPathKeepIndex(jcrPath);
-        return new ImmutableACL(oakPath, entries, getRestrictionProvider(), namePathMapper);
+        return new ImmutableACL(oakPath, entries, restrictionProvider, namePathMapper);
     }
 
     private void assertImmutable(JackrabbitAccessControlList acl) throws Exception {



Mime
View raw message