jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1481736 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/ main/java/org/apache/jackrabbit/oak/security/authorization/restriction/ main/java/org/apache/jackrabbit/oak/spi/security/authoriza...
Date Mon, 13 May 2013 08:58:03 GMT
Author: angela
Date: Mon May 13 08:58:02 2013
New Revision: 1481736

URL: http://svn.apache.org/r1481736
Log:
OAK-51 : Access Control Management (wip)

Effective policies:
- avoid reading effective policies from transient state -> fix TODO and add more tests

Restrictions:
- allow restriction properties to have a mv value
- add node type restriction to validate multi-restriction behavior
- add composite restriction pattern to evaluate multiple restrictions present with a ace

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePattern.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java
      - copied, changed from r1480956, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java
Removed:
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java Mon May 13 08:58:02 2013
@@ -38,6 +38,10 @@ public interface AccessControlConstants 
     /**
      * @since OAK 1.0
      */
+    String REP_NT_NAMES = "rep:ntNames";
+    /**
+     * @since OAK 1.0
+     */
     String REP_RESTRICTIONS = "rep:restrictions";
 
     String MIX_REP_ACCESS_CONTROLLABLE = "rep:AccessControllable";

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Mon May 13 08:58:02 2013
@@ -171,6 +171,9 @@ public class AccessControlManagerImpl im
         String oakPath = getOakPath(absPath);
         Tree tree = getTree(oakPath, Permissions.READ_ACCESS_CONTROL);
 
+        Root r = root.getContentSession().getLatestRoot();
+        tree = r.getTree(tree.getPath());
+
         List<AccessControlPolicy> effective = new ArrayList<AccessControlPolicy>();
         AccessControlPolicy policy = createACL(oakPath, tree, true);
         if (policy != null) {
@@ -179,7 +182,7 @@ public class AccessControlManagerImpl im
         if (oakPath != null) {
             String parentPath = Text.getRelativeParent(oakPath, 1);
             while (!parentPath.isEmpty()) {
-                Tree t = root.getTree(parentPath);
+                Tree t = r.getTree(parentPath);
                 AccessControlPolicy plc = createACL(parentPath, t, true);
                 if (plc != null) {
                     effective.add(plc);
@@ -366,13 +369,15 @@ public class AccessControlManagerImpl im
     @Override
     public AccessControlPolicy[] getEffectivePolicies(@Nonnull Set<Principal> principals) throws RepositoryException {
         AccessControlUtils.checkValidPrincipals(principals, principalManager);
-        Result aceResult = searchAces(principals);
+        Root r = root.getContentSession().getLatestRoot();
+
+        Result aceResult = searchAces(principals, r);
         List<AccessControlPolicy> effective = new ArrayList<AccessControlPolicy>();
         for (ResultRow row : aceResult.getRows()) {
             String acePath = row.getPath();
             String aclName = Text.getName(Text.getRelativeParent(acePath, 1));
-            Tree accessControlledTree = root.getTree(Text.getRelativeParent(acePath, 2));
 
+            Tree accessControlledTree = r.getTree(Text.getRelativeParent(acePath, 2));
             if (aclName.isEmpty() || !accessControlledTree.exists()) {
                 log.debug("Isolated access control entry -> ignore query result at " + acePath);
                 continue;
@@ -435,7 +440,6 @@ public class AccessControlManagerImpl im
                 throw new AccessControlException("Tree " + tree.getPath() + " defines access control content.");
             }
         }
-
         return tree;
     }
 
@@ -494,8 +498,7 @@ public class AccessControlManagerImpl im
         String aclName = AccessControlUtils.getAclName(oakPath);
         if (accessControlledTree.exists() && AccessControlUtils.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
             Tree aclTree = accessControlledTree.getChild(aclName);
-            // TODO: effective policies: add proper handling for modified ACLs
-            if (aclTree.exists() && (!isEffectivePolicy || aclTree.getStatus() != Tree.Status.NEW)) {
+            if (aclTree.exists()) {
                 List<JackrabbitAccessControlEntry> entries = new ArrayList<JackrabbitAccessControlEntry>();
                 for (Tree child : aclTree.getChildren()) {
                     if (AccessControlUtils.isACE(child, ntMgr)) {
@@ -515,7 +518,7 @@ public class AccessControlManagerImpl im
     @Nullable
     private JackrabbitAccessControlList createPrincipalACL(@Nullable String oakPath,
                                                            @Nonnull Principal principal) throws RepositoryException {
-        Result aceResult = searchAces(Collections.<Principal>singleton(principal));
+        Result aceResult = searchAces(Collections.<Principal>singleton(principal), root);
         RestrictionProvider restrProvider = new PrincipalRestrictionProvider(restrictionProvider, namePathMapper);
         List<JackrabbitAccessControlEntry> entries = new ArrayList<JackrabbitAccessControlEntry>();
         for (ResultRow row : aceResult.getRows()) {
@@ -549,7 +552,7 @@ public class AccessControlManagerImpl im
     }
 
     @Nonnull
-    private Result searchAces(@Nonnull Set<Principal> principals) throws RepositoryException {
+    private static Result searchAces(@Nonnull Set<Principal> principals, @Nonnull Root root) throws RepositoryException {
         // TODO: specify sort order
         StringBuilder stmt = new StringBuilder("/jcr:root");
         stmt.append("//element(*,");

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java Mon May 13 08:58:02 2013
@@ -16,14 +16,10 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
-import static com.google.common.base.Preconditions.checkNotNull;
-import static org.apache.jackrabbit.oak.api.CommitFailedException.ACCESS;
-
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Map;
-
 import javax.jcr.security.AccessControlException;
 import javax.jcr.security.Privilege;
 
@@ -40,6 +36,9 @@ import org.apache.jackrabbit.oak.spi.sta
 import org.apache.jackrabbit.oak.util.TreeUtil;
 import org.apache.jackrabbit.util.Text;
 
+import static com.google.common.base.Preconditions.checkNotNull;
+import static org.apache.jackrabbit.oak.api.CommitFailedException.ACCESS;
+
 /**
  * Validation for access control information changed by regular JCR (and Jackrabbit)
  * access control management API.

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java?rev=1481736&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java Mon May 13 08:58:02 2013
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.restriction;
+
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
+import org.apache.jackrabbit.oak.util.TreeUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * NodeTypePattern... TODO
+ */
+class NodeTypePattern implements RestrictionPattern {
+
+    private static final Logger log = LoggerFactory.getLogger(NodeTypePattern.class);
+
+    private final Set<String> nodeTypeNames;
+
+    NodeTypePattern(@Nonnull Iterable<String> nodeTypeNames) {
+        this.nodeTypeNames = ImmutableSet.copyOf(nodeTypeNames);
+    }
+
+    @Override
+    public boolean matches(@Nonnull Tree tree, @Nullable PropertyState property) {
+        return nodeTypeNames.contains(TreeUtil.getPrimaryTypeName(tree));
+    }
+
+    @Override
+    public boolean matches(@Nonnull String path) {
+        log.debug("Unable to validate node type restriction.");
+        return false;
+    }
+}
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java Mon May 13 08:58:02 2013
@@ -57,7 +57,7 @@ public class PrincipalRestrictionProvide
     @Override
     public Set<RestrictionDefinition> getSupportedRestrictions(@Nullable String oakPath) {
         Set<RestrictionDefinition> definitions = new HashSet<RestrictionDefinition>(base.getSupportedRestrictions(oakPath));
-        definitions.add(new RestrictionDefinitionImpl(REP_NODE_PATH, PropertyType.PATH, true, namePathMapper));
+        definitions.add(new RestrictionDefinitionImpl(REP_NODE_PATH, Type.PATH, true, namePathMapper));
         return definitions;
     }
 
@@ -72,6 +72,12 @@ public class PrincipalRestrictionProvide
         }
     }
 
+    @Nonnull
+    @Override
+    public Restriction createRestriction(@Nullable String oakPath, @Nonnull String jcrName, @Nonnull Value... values) throws RepositoryException {
+        return base.createRestriction(oakPath, jcrName, values);
+    }
+
     @Override
     public Set<Restriction> readRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) {
         Set<Restriction> restrictions = new HashSet<Restriction>(base.readRestrictions(oakPath, aceTree));

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java Mon May 13 08:58:02 2013
@@ -16,9 +16,11 @@
  */
 package org.apache.jackrabbit.oak.security.authorization.restriction;
 
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import javax.annotation.Nonnull;
@@ -28,6 +30,7 @@ import javax.jcr.RepositoryException;
 import javax.jcr.Value;
 import javax.jcr.security.AccessControlException;
 
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import org.apache.jackrabbit.oak.api.PropertyState;
@@ -36,6 +39,7 @@ import org.apache.jackrabbit.oak.api.Typ
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
 import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.CompositePattern;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinitionImpl;
@@ -56,8 +60,9 @@ public class RestrictionProviderImpl imp
     public RestrictionProviderImpl(NamePathMapper namePathMapper) {
         this.namePathMapper = namePathMapper;
 
-        RestrictionDefinition glob = new RestrictionDefinitionImpl(REP_GLOB, PropertyType.STRING, false, namePathMapper);
-        this.supported = ImmutableMap.of(REP_GLOB, glob);
+        RestrictionDefinition glob = new RestrictionDefinitionImpl(REP_GLOB, Type.STRING, false, namePathMapper);
+        RestrictionDefinition nts = new RestrictionDefinitionImpl(REP_NT_NAMES, Type.NAMES, false, namePathMapper);
+        this.supported = ImmutableMap.of(glob.getName(), glob, nts.getName(), nts);
     }
 
     //------------------------------------------------< RestrictionProvider >---
@@ -82,11 +87,46 @@ public class RestrictionProviderImpl imp
         if (definition == null) {
             throw new AccessControlException("Unsupported restriction: " + oakName);
         }
-        int requiredType = definition.getRequiredType();
-        if (requiredType != PropertyType.UNDEFINED && requiredType != value.getType()) {
-            throw new AccessControlException("Unsupported restriction: Expected value of type " + PropertyType.nameFromValue(definition.getRequiredType()));
+        Type requiredType = definition.getRequiredType();
+        if (requiredType.tag() != PropertyType.UNDEFINED && requiredType.tag() != value.getType()) {
+            throw new AccessControlException("Unsupported restriction: Expected value of type " + requiredType);
+        }
+        PropertyState propertyState;
+        if (requiredType.isArray()) {
+            propertyState = PropertyStates.createProperty(oakName, ImmutableList.of(value));
+        } else {
+            propertyState = PropertyStates.createProperty(oakName, value);
+        }
+        return createRestriction(propertyState, definition);
+    }
+
+    @Override
+    public Restriction createRestriction(String oakPath, String jcrName, Value... values) throws RepositoryException {
+        if (isUnsupportedPath(oakPath)) {
+            throw new AccessControlException("Unsupported restriction at " + oakPath);
+        }
+
+        String oakName = namePathMapper.getOakName(jcrName);
+        RestrictionDefinition definition = supported.get(oakName);
+        if (definition == null) {
+            throw new AccessControlException("Unsupported restriction: " + oakName);
+        }
+        Type requiredType = definition.getRequiredType();
+        for (Value v : values) {
+            if (requiredType.tag() != PropertyType.UNDEFINED && requiredType.tag() != v.getType()) {
+                throw new AccessControlException("Unsupported restriction: Expected value of type " + requiredType);
+            }
+        }
+
+        PropertyState propertyState;
+        if (requiredType.isArray()) {
+            propertyState = PropertyStates.createProperty(oakName, ImmutableList.of(values));
+        } else {
+            if (values.length != 1) {
+                throw new AccessControlException("Unsupported restriction: Expected single value.");
+            }
+            propertyState = PropertyStates.createProperty(oakName, values[0]);
         }
-        PropertyState propertyState = PropertyStates.createProperty(oakName, value);
         return createRestriction(propertyState, definition);
     }
 
@@ -100,7 +140,7 @@ public class RestrictionProviderImpl imp
                 String propName = propertyState.getName();
                 if (isRestrictionProperty(propName) && supported.containsKey(propName)) {
                     RestrictionDefinition def = supported.get(propName);
-                    if (def.getRequiredType() == propertyState.getType().tag()) {
+                    if (def.getRequiredType() == propertyState.getType()) {
                         restrictions.add(createRestriction(propertyState, def));
                     }
                 }
@@ -134,9 +174,9 @@ public class RestrictionProviderImpl imp
             if (def == null) {
                 throw new AccessControlException("Unsupported restriction: " + restrName);
             }
-            int type = entry.getValue().getType().tag();
+            Type type = entry.getValue().getType();
             if (type != def.getRequiredType()) {
-                throw new AccessControlException("Invalid restriction type '" + PropertyType.nameFromValue(type) + "'. Expected " + PropertyType.nameFromValue(def.getRequiredType()));
+                throw new AccessControlException("Invalid restriction type '" + type + "'. Expected " + def.getRequiredType());
             }
         }
         for (RestrictionDefinition def : supported.values()) {
@@ -148,13 +188,26 @@ public class RestrictionProviderImpl imp
 
     @Override
     public RestrictionPattern getPattern(String oakPath, Tree tree) {
-        if (oakPath != null) {
+        if (oakPath == null) {
+            return RestrictionPattern.EMPTY;
+        } else {
             PropertyState glob = tree.getProperty(REP_GLOB);
+
+            List<RestrictionPattern> patterns = new ArrayList<RestrictionPattern>(2);
             if (glob != null) {
-                return GlobPattern.create(oakPath, glob.getValue(Type.STRING));
+                patterns.add(GlobPattern.create(oakPath, glob.getValue(Type.STRING)));
+            }
+            PropertyState ntNames = tree.getProperty(REP_NT_NAMES);
+            if (ntNames != null) {
+                patterns.add(new NodeTypePattern(ntNames.getValue(Type.NAMES)));
+            }
+
+            switch (patterns.size()) {
+                case 1 : return patterns.get(0);
+                case 2 : return new CompositePattern(patterns);
+                default : return  RestrictionPattern.EMPTY;
             }
         }
-        return RestrictionPattern.EMPTY;
     }
 
     //------------------------------------------------------------< private >---

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlList.java Mon May 13 08:58:02 2013
@@ -113,7 +113,7 @@ public abstract class AbstractAccessCont
     public int getRestrictionType(String restrictionName) throws RepositoryException {
         for (RestrictionDefinition definition : getRestrictionProvider().getSupportedRestrictions(getOakPath())) {
             if (definition.getJcrName().equals(restrictionName)) {
-                return definition.getRequiredType();
+                return definition.getRequiredType().tag();
             }
         }
         // for backwards compatibility with JR2 return undefined type for an

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePattern.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePattern.java?rev=1481736&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePattern.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePattern.java Mon May 13 08:58:02 2013
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
+
+import java.util.List;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+
+/**
+ * Aggregates of a list of {@link RestrictionPattern}s into a single pattern.
+ * The implementations of {@code matches} returns {@code true} if all aggregated
+ * patterns successfully validate the given parameters and returns {@code false}
+ * as soon as the first aggregated pattern returns {@code false}.
+ */
+public final class CompositePattern implements RestrictionPattern {
+
+    private final List<RestrictionPattern> patterns;
+
+    public CompositePattern(@Nonnull List<RestrictionPattern> patterns) {
+        this.patterns = patterns;
+    }
+
+    @Override
+    public boolean matches(@Nonnull Tree tree, @Nullable PropertyState property) {
+        for (RestrictionPattern pattern : patterns) {
+            if (!pattern.matches(tree, property)) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    @Override
+    public boolean matches(@Nonnull String path) {
+        for (RestrictionPattern pattern : patterns) {
+            if (!pattern.matches(path)) {
+                return false;
+            }
+        }
+        return true;
+    }
+}
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java Mon May 13 08:58:02 2013
@@ -18,6 +18,8 @@ package org.apache.jackrabbit.oak.spi.se
 
 import javax.annotation.Nonnull;
 
+import org.apache.jackrabbit.oak.api.Type;
+
 /**
  * The {@code RestrictionDefinition} interface provides methods for
  * discovering the static definition of any additional policy-internal refinements
@@ -58,7 +60,7 @@ public interface RestrictionDefinition {
      *
      * @return The required type which must be a valid {@link javax.jcr.PropertyType}.
      */
-    int getRequiredType();
+    Type getRequiredType();
 
     /**
      * Indicates if this restriction is mandatory.

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImpl.java Mon May 13 08:58:02 2013
@@ -20,6 +20,7 @@ import javax.annotation.Nonnull;
 import javax.jcr.PropertyType;
 
 import com.google.common.base.Objects;
+import org.apache.jackrabbit.oak.api.Type;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 
 import static com.google.common.base.Preconditions.checkNotNull;
@@ -30,7 +31,7 @@ import static com.google.common.base.Pre
 public class RestrictionDefinitionImpl implements RestrictionDefinition {
 
     private final String name;
-    private final int type;
+    private final Type type;
     private final boolean isMandatory;
     private final NamePathMapper namePathMapper;
 
@@ -44,10 +45,10 @@ public class RestrictionDefinitionImpl i
      * @param isMandatory    A boolean indicating if the restriction is mandatory.
      * @param namePathMapper The name path mapper used to calculate the JCR name.
      */
-    public RestrictionDefinitionImpl(@Nonnull String name, int type, boolean isMandatory,
+    public RestrictionDefinitionImpl(@Nonnull String name, Type type, boolean isMandatory,
                                      @Nonnull NamePathMapper namePathMapper) {
         this.name = checkNotNull(name);
-        if (type == PropertyType.UNDEFINED) {
+        if (type.tag() == PropertyType.UNDEFINED) {
             throw new IllegalArgumentException("'undefined' is not a valid required definition type.");
         }
         this.type = type;
@@ -73,7 +74,7 @@ public class RestrictionDefinitionImpl i
     }
 
     @Override
-    public int getRequiredType() {
+    public Type getRequiredType() {
         return type;
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java Mon May 13 08:58:02 2013
@@ -33,7 +33,7 @@ public class RestrictionImpl extends Res
 
     public RestrictionImpl(@Nonnull PropertyState property, boolean isMandatory,
                            @Nonnull NamePathMapper namePathMapper) {
-        super(property.getName(), property.getType().tag(), isMandatory, namePathMapper);
+        super(property.getName(), property.getType(), isMandatory, namePathMapper);
         this.property = property;
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java Mon May 13 08:58:02 2013
@@ -35,7 +35,13 @@ public interface RestrictionProvider {
 
     @Nonnull
     Restriction createRestriction(@Nullable String oakPath,
-                                  @Nonnull String jcrName, @Nonnull Value value) throws RepositoryException;
+                                  @Nonnull String jcrName,
+                                  @Nonnull Value value) throws RepositoryException;
+
+    @Nonnull
+    Restriction createRestriction(@Nullable String oakPath,
+                                  @Nonnull String jcrName,
+                                  @Nonnull Value... values) throws RepositoryException;
 
     @Nonnull
     Set<Restriction> readRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree);

Modified: jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/resources/org/apache/jackrabbit/oak/plugins/nodetype/write/builtin_nodetypes.cnd Mon May 13 08:58:02 2013
@@ -634,6 +634,7 @@
  */
 [rep:Restrictions]
   - * (UNDEFINED) protected
+  - * (UNDEFINED) protected multiple
 
 /**
  * @since oak 1.0

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java Mon May 13 08:58:02 2013
@@ -43,6 +43,7 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.Type;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
@@ -62,6 +63,7 @@ import org.junit.Before;
 import org.junit.Ignore;
 import org.junit.Test;
 
+import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
@@ -74,7 +76,7 @@ import static org.junit.Assert.fail;
  * TODO: test restrictions
  * TODO: add test with multiple entries
  */
-public class ACLTest extends AbstractAccessControlListTest implements PrivilegeConstants {
+public class ACLTest extends AbstractAccessControlListTest implements PrivilegeConstants, AccessControlConstants {
 
     private PrivilegeManager privilegeManager;
     private PrincipalManager principalManager;
@@ -132,7 +134,7 @@ public class ACLTest extends AbstractAcc
 
     @Test
     public void testAddInvalidEntry() throws Exception {
-        Principal unknownPrincipal = new InvalidPrincipal("unknown");
+        Principal unknownPrincipal = new InvalidTestPrincipal("unknown");
         try {
             acl.addAccessControlEntry(unknownPrincipal, privilegesFromNames(JCR_READ));
             fail("Adding an ACE with an unknown principal should fail");
@@ -554,7 +556,7 @@ public class ACLTest extends AbstractAcc
         Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
         Privilege[] addNodePriv = privilegesFromNames(JCR_ADD_CHILD_NODES);
 
-        Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB, getValueFactory().createValue("/.*"));
+        Map<String, Value> restrictions = Collections.singletonMap(REP_GLOB, getValueFactory().createValue("/.*"));
 
         acl.addEntry(testPrincipal, readPriv, true);
         acl.addEntry(testPrincipal, writePriv, false);
@@ -572,7 +574,7 @@ public class ACLTest extends AbstractAcc
         Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
         Privilege[] addNodePriv = privilegesFromNames(JCR_ADD_CHILD_NODES);
 
-        Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB, getValueFactory().createValue("/.*"));
+        Map<String, Value> restrictions = Collections.singletonMap(REP_GLOB, getValueFactory().createValue("/.*"));
 
         acl.addEntry(testPrincipal, readPriv, true);
         acl.addEntry(testPrincipal, addNodePriv, true, restrictions);
@@ -588,9 +590,10 @@ public class ACLTest extends AbstractAcc
     public void testRestrictions() throws Exception {
         String[] names = acl.getRestrictionNames();
         assertNotNull(names);
-        assertEquals(1, names.length);
-        assertEquals(AccessControlConstants.REP_GLOB, names[0]);
+        assertEquals(2, names.length);
+        assertArrayEquals(new String[] {REP_GLOB, REP_NT_NAMES}, names);
         assertEquals(PropertyType.STRING, acl.getRestrictionType(names[0]));
+        assertEquals(PropertyType.NAME, acl.getRestrictionType(names[1]));
 
         Privilege[] writePriv = privilegesFromNames(JCR_WRITE);
 
@@ -611,7 +614,7 @@ public class ACLTest extends AbstractAcc
         assertEquals(1, acl.getAccessControlEntries().length);
 
         // add an entry with a restrictions:
-        Map<String, Value> restrictions = Collections.singletonMap(AccessControlConstants.REP_GLOB, getValueFactory().createValue("/.*"));
+        Map<String, Value> restrictions = Collections.singletonMap(REP_GLOB, getValueFactory().createValue("/.*"));
         assertTrue(acl.addEntry(testPrincipal, writePriv, false, restrictions));
         assertEquals(2, acl.getAccessControlEntries().length);
 
@@ -637,7 +640,7 @@ public class ACLTest extends AbstractAcc
 
     @Test
     public void testUnsupportedRestrictions2() throws Exception {
-        RestrictionProvider rp = new TestRestrictionProvider("restr", PropertyType.NAME, false);
+        RestrictionProvider rp = new TestRestrictionProvider("restr", Type.NAME, false);
 
         JackrabbitAccessControlList acl = createACL(getTestPath(), new ArrayList(), namePathMapper, rp);
         try {
@@ -650,7 +653,7 @@ public class ACLTest extends AbstractAcc
 
     @Test
     public void testInvalidRestrictionType() throws Exception {
-        RestrictionProvider rp = new TestRestrictionProvider("restr", PropertyType.NAME, false);
+        RestrictionProvider rp = new TestRestrictionProvider("restr", Type.NAME, false);
 
         JackrabbitAccessControlList acl = createACL(getTestPath(), new ArrayList(), namePathMapper, rp);
         try {
@@ -663,7 +666,7 @@ public class ACLTest extends AbstractAcc
 
     @Test
     public void testMandatoryRestrictions() throws Exception {
-        RestrictionProvider rp = new TestRestrictionProvider("mandatory", PropertyType.NAME, true);
+        RestrictionProvider rp = new TestRestrictionProvider("mandatory", Type.NAME, true);
 
         JackrabbitAccessControlList acl = createACL(getTestPath(), new ArrayList(), namePathMapper, rp);
         try {
@@ -708,7 +711,7 @@ public class ACLTest extends AbstractAcc
 
         private final RestrictionDefinition supported;
 
-        private TestRestrictionProvider(String name, int type, boolean isMandatory) {
+        private TestRestrictionProvider(String name, Type type, boolean isMandatory) {
             supported = new RestrictionDefinitionImpl(name, type, isMandatory, namePathMapper);
         }
 
@@ -724,7 +727,7 @@ public class ACLTest extends AbstractAcc
             if (!supported.getJcrName().equals(jcrName)) {
                 throw new AccessControlException();
             }
-            if (supported.getRequiredType() != value.getType()) {
+            if (supported.getRequiredType().tag() != value.getType()) {
                 throw new AccessControlException();
             }
             PropertyState property = PropertyStates.createProperty(namePathMapper.getOakName(jcrName), value.getString(), value.getType());
@@ -733,17 +736,32 @@ public class ACLTest extends AbstractAcc
 
         @Nonnull
         @Override
+        public Restriction createRestriction(@Nullable String oakPath, @Nonnull String jcrName, @Nonnull Value... values) throws RepositoryException {
+            if (!supported.getJcrName().equals(jcrName)) {
+                throw new AccessControlException();
+            }
+            for (Value v : values) {
+                if (supported.getRequiredType().tag() != v.getType()) {
+                    throw new AccessControlException();
+                }
+            }
+            PropertyState property = PropertyStates.createProperty(namePathMapper.getOakName(jcrName), Arrays.asList(values), supported.getRequiredType());
+            return new RestrictionImpl(property, supported.isMandatory(), namePathMapper);
+        }
+
+        @Nonnull
+        @Override
         public Set<Restriction> readRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) {
             throw new UnsupportedOperationException();
         }
 
         @Override
-        public void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction> restrictions) throws AccessControlException {
+        public void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction> restrictions) {
             throw new UnsupportedOperationException();
         }
 
         @Override
-        public void validateRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) throws AccessControlException {
+        public void validateRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) {
             throw new UnsupportedOperationException();
         }
 

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java Mon May 13 08:58:02 2013
@@ -37,6 +37,7 @@ import javax.jcr.Value;
 import javax.jcr.ValueFactory;
 import javax.jcr.security.AccessControlEntry;
 import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlList;
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.AccessControlPolicy;
 import javax.jcr.security.AccessControlPolicyIterator;
@@ -971,11 +972,8 @@ public class AccessControlManagerImplTes
         assertEquals(0, policies.length);
 
         setupPolicy(testPath);
-        policies = acMgr.getEffectivePolicies(testPath);
-        assertNotNull(policies);
-        assertEquals(0, policies.length);
-
         root.commit();
+
         policies = acMgr.getEffectivePolicies(testPath);
         assertNotNull(policies);
         assertEquals(1, policies.length);
@@ -988,16 +986,53 @@ public class AccessControlManagerImplTes
         assertEquals(1, policies.length);
 
         setupPolicy(childPath);
+        root.commit();
 
         policies = acMgr.getEffectivePolicies(childPath);
         assertNotNull(policies);
-        assertEquals(1, policies.length);
+        assertEquals(2, policies.length);
+    }
 
-        root.commit();
+    @Test
+    public void testGetEffectivePoliciesNewPolicy() throws Exception {
+        AccessControlPolicy[] policies = acMgr.getEffectivePolicies(testPath);
+        assertNotNull(policies);
+        assertEquals(0, policies.length);
+
+        setupPolicy(testPath);
+        policies = acMgr.getEffectivePolicies(testPath);
+        assertNotNull(policies);
+        assertEquals(0, policies.length);
+
+        NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+        String childPath = child.getTree().getPath();
 
         policies = acMgr.getEffectivePolicies(childPath);
         assertNotNull(policies);
-        assertEquals(2, policies.length);
+        assertEquals(0, policies.length);
+
+        setupPolicy(childPath);
+        policies = acMgr.getEffectivePolicies(childPath);
+        assertNotNull(policies);
+        assertEquals(0, policies.length);
+    }
+
+    @Test
+    public void testGetEffectiveModifiedPolicy() throws Exception {
+        ACL acl = setupPolicy(testPath);
+        AccessControlEntry[] aces = acl.getAccessControlEntries();
+        root.commit();
+
+        acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(PrivilegeConstants.JCR_VERSION_MANAGEMENT));
+        acMgr.setPolicy(testPath, acl);
+
+        AccessControlPolicy[] policies = acMgr.getEffectivePolicies(testPath);
+        assertNotNull(policies);
+        assertEquals(1, policies.length);
+        assertTrue(policies[0] instanceof AccessControlList);
+        AccessControlEntry[] effectiveAces = ((AccessControlList) policies[0]).getAccessControlEntries();
+        assertArrayEquals(aces, effectiveAces);
+        assertFalse(Arrays.equals(effectiveAces, acl.getAccessControlEntries()));
     }
 
     @Test
@@ -1444,7 +1479,7 @@ public class AccessControlManagerImplTes
         while (unknown != null) {
             unknown = getPrincipalManager().getPrincipal("unknown"+i);
         }
-        unknown = new InvalidPrincipal("unknown" + i);
+        unknown = new InvalidTestPrincipal("unknown" + i);
         try {
             acMgr.getApplicablePolicies(unknown);
             fail("Unknown principal should be detected.");
@@ -1533,7 +1568,7 @@ public class AccessControlManagerImplTes
         while (unknown != null) {
             unknown = getPrincipalManager().getPrincipal("unknown"+i);
         }
-        unknown = new InvalidPrincipal("unknown" + i);
+        unknown = new InvalidTestPrincipal("unknown" + i);
         try {
             acMgr.getPolicies(unknown);
             fail("Unknown principal should be detected.");
@@ -1630,7 +1665,7 @@ public class AccessControlManagerImplTes
         while (unknown != null) {
             unknown = getPrincipalManager().getPrincipal("unknown"+i);
         }
-        unknown = new InvalidPrincipal("unknown" + i);
+        unknown = new InvalidTestPrincipal("unknown" + i);
         try {
             acMgr.getEffectivePolicies(Collections.singleton(unknown));
             fail("Unknown principal should be detected.");

Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java (from r1480956, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java&r1=1480956&r2=1481736&rev=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidTestPrincipal.java Mon May 13 08:58:02 2013
@@ -24,11 +24,11 @@ import org.slf4j.LoggerFactory;
 /**
  * InvalidPrincipal... TODO
  */
-public final class InvalidPrincipal implements Principal {
+public final class InvalidTestPrincipal implements Principal {
 
     private final String name;
 
-    public InvalidPrincipal(String name) {
+    public InvalidTestPrincipal(String name) {
         this.name = name;
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java Mon May 13 08:58:02 2013
@@ -18,8 +18,7 @@ package org.apache.jackrabbit.oak.securi
 
 import java.util.Set;
 
-import javax.jcr.PropertyType;
-
+import org.apache.jackrabbit.oak.api.Type;
 import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
@@ -30,6 +29,7 @@ import static org.junit.Assert.assertEqu
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
 /**
  * Tests for {@link RestrictionProviderImpl}
@@ -51,12 +51,19 @@ public class RestrictionProviderImplTest
 
         Set<RestrictionDefinition> defs = provider.getSupportedRestrictions("/testPath");
         assertNotNull(defs);
-        assertEquals(1, defs.size());
+        assertEquals(2, defs.size());
 
-        RestrictionDefinition def = defs.iterator().next();
-        assertEquals(REP_GLOB, def.getName());
-        assertEquals(PropertyType.STRING, def.getRequiredType());
-        assertFalse(def.isMandatory());
+        for (RestrictionDefinition def : defs) {
+            if (REP_GLOB.equals(def.getName())) {
+                assertEquals(Type.STRING, def.getRequiredType());
+                assertFalse(def.isMandatory());
+            } else if (REP_NT_NAMES.equals(def.getName())) {
+                assertEquals(Type.NAMES, def.getRequiredType());
+                assertFalse(def.isMandatory());
+            } else {
+                fail("unexpected restriction "+def.getName());
+            }
+        }
     }
 
     @Test
@@ -65,6 +72,11 @@ public class RestrictionProviderImplTest
     }
 
     @Test
+    public void testCreateMvRestriction() {
+        // TODO
+    }
+
+    @Test
     public void testReadRestrictions() {
         // TODO
     }
@@ -79,4 +91,8 @@ public class RestrictionProviderImplTest
         // TODO
     }
 
+    @Test
+    public void testGetRestrictionPattern() {
+        // TODO
+    }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java Mon May 13 08:58:02 2013
@@ -212,7 +212,7 @@ public abstract class AbstractAccessCont
             int reqType = acl.getRestrictionType(def.getJcrName());
 
             assertTrue(reqType > PropertyType.UNDEFINED);
-            assertEquals(def.getRequiredType(), reqType);
+            assertEquals(def.getRequiredType().tag(), reqType);
         }
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinitionImplTest.java Mon May 13 08:58:02 2013
@@ -16,17 +16,11 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
 import java.util.ArrayList;
 import java.util.List;
 
-import javax.jcr.PropertyType;
-
 import org.apache.jackrabbit.oak.TestNameMapper;
+import org.apache.jackrabbit.oak.api.Type;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.namepath.NamePathMapperImpl;
 import org.apache.jackrabbit.oak.plugins.name.Namespaces;
@@ -34,6 +28,11 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.junit.Before;
 import org.junit.Test;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 /**
  * Tests for {@link RestrictionDefinitionImpl}.
  */
@@ -50,7 +49,7 @@ public class RestrictionDefinitionImplTe
         NamePathMapper npMapper = new NamePathMapperImpl(new TestNameMapper(Namespaces.getNamespaceMap(root.getTree("/")), TestNameMapper.LOCAL_MAPPING));
 
         name = TestNameMapper.TEST_PREFIX + ":defName";
-        definition = new RestrictionDefinitionImpl(name, PropertyType.NAME, true, npMapper);
+        definition = new RestrictionDefinitionImpl(name, Type.NAME, true, npMapper);
     }
 
     @Test
@@ -65,7 +64,7 @@ public class RestrictionDefinitionImplTe
 
     @Test
     public void testGetRequiredType() {
-        assertEquals(PropertyType.NAME, definition.getRequiredType());
+        assertEquals(Type.NAME, definition.getRequiredType());
     }
 
     @Test
@@ -76,21 +75,21 @@ public class RestrictionDefinitionImplTe
     @Test
     public void testInvalid() {
         try {
-            new RestrictionDefinitionImpl(null, PropertyType.BOOLEAN, false, namePathMapper);
+            new RestrictionDefinitionImpl(null, Type.BOOLEAN, false, namePathMapper);
             fail("Creating RestrictionDefinition with null name should fail.");
         } catch (NullPointerException e) {
             // success
         }
 
         try {
-            new RestrictionDefinitionImpl(name, PropertyType.BOOLEAN, false, null);
+            new RestrictionDefinitionImpl(name, Type.BOOLEAN, false, null);
             fail("Creating RestrictionDefinition with null name/path mapper should fail.");
         } catch (NullPointerException e) {
             // success
         }
 
         try {
-            new RestrictionDefinitionImpl(name, PropertyType.UNDEFINED, false, namePathMapper);
+            new RestrictionDefinitionImpl(name, Type.UNDEFINED, false, namePathMapper);
             fail("Creating RestrictionDefinition with undefined required type should fail.");
         } catch (IllegalArgumentException e) {
             // success
@@ -100,10 +99,10 @@ public class RestrictionDefinitionImplTe
     @Test
     public void testEquals() {
         // same definition
-        assertEquals(definition, new RestrictionDefinitionImpl(name, PropertyType.NAME, true, definition.getNamePathMapper()));
+        assertEquals(definition, new RestrictionDefinitionImpl(name, Type.NAME, true, definition.getNamePathMapper()));
 
         // same def but different namepathmapper.
-        RestrictionDefinition definition2 = new RestrictionDefinitionImpl(name, PropertyType.NAME, true, namePathMapper);
+        RestrictionDefinition definition2 = new RestrictionDefinitionImpl(name, Type.NAME, true, namePathMapper);
         assertFalse(definition.getJcrName().equals(definition2.getJcrName()));
         assertEquals(definition, definition2);
     }
@@ -112,11 +111,11 @@ public class RestrictionDefinitionImplTe
     public void testNotEqual() {
         List<RestrictionDefinition> defs = new ArrayList<RestrictionDefinition>();
         // - different type
-        defs.add(new RestrictionDefinitionImpl(name, PropertyType.STRING, true, namePathMapper));
+        defs.add(new RestrictionDefinitionImpl(name, Type.STRING, true, namePathMapper));
         // - different name
-        defs.add(new RestrictionDefinitionImpl("otherName", PropertyType.NAME, true, namePathMapper));
+        defs.add(new RestrictionDefinitionImpl("otherName", Type.NAME, true, namePathMapper));
         // - different mandatory flag
-        defs.add(new RestrictionDefinitionImpl(name, PropertyType.NAME, false, namePathMapper));
+        defs.add(new RestrictionDefinitionImpl(name, Type.NAMES, false, namePathMapper));
         // - different impl
         defs.add(new RestrictionDefinition() {
             @Override
@@ -128,8 +127,8 @@ public class RestrictionDefinitionImplTe
                 throw new UnsupportedOperationException();
             }
             @Override
-            public int getRequiredType() {
-                return PropertyType.NAME;
+            public Type getRequiredType() {
+                return Type.NAME;
             }
             @Override
             public boolean isMandatory() {

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java?rev=1481736&r1=1481735&r2=1481736&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImplTest.java Mon May 13 08:58:02 2013
@@ -16,14 +16,8 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
 import java.util.ArrayList;
 import java.util.List;
-
 import javax.annotation.Nonnull;
 import javax.jcr.PropertyType;
 import javax.jcr.Value;
@@ -40,6 +34,11 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.junit.Before;
 import org.junit.Test;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 /**
  * Tests for {@link RestrictionImpl}
  */
@@ -76,7 +75,7 @@ public class RestrictionImplTest extends
 
     @Test
     public void testGetRequiredType() {
-        assertEquals(PropertyType.NAME, restriction.getRequiredType());
+        assertEquals(Type.NAME, restriction.getRequiredType());
     }
 
     @Test
@@ -132,8 +131,8 @@ public class RestrictionImplTest extends
                 throw new UnsupportedOperationException();
             }
             @Override
-            public int getRequiredType() {
-                return PropertyType.NAME;
+            public Type getRequiredType() {
+                return Type.NAME;
             }
             @Override
             public boolean isMandatory() {



Mime
View raw message