jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mdue...@apache.org
Subject svn commit: r1485648 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/core/ oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/ oak-core/src/test/java/org/apache/jackrabbit/oak/security/author...
Date Thu, 23 May 2013 11:27:16 GMT
Author: mduerig
Date: Thu May 23 11:27:15 2013
New Revision: 1485648

URL: http://svn.apache.org/r1485648
Log:
OAK-709: Consider moving permission evaluation to the node state level
OAK-781: Clarify / fix effects of MISSING_NODE as base state of NodeBuilder
Correctly handle the case where a node is deleted and has child nodes that are not visible
due to access control: also delete those child nodes.

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecuredNodeRebaseDiff.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/Jr2CompatibilityTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java
    jackrabbit/oak/trunk/oak-jcr/pom.xml
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecuredNodeRebaseDiff.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecuredNodeRebaseDiff.java?rev=1485648&r1=1485647&r2=1485648&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecuredNodeRebaseDiff.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecuredNodeRebaseDiff.java
Thu May 23 11:27:15 2013
@@ -29,10 +29,7 @@ import org.apache.jackrabbit.oak.spi.sta
  * {@link org.apache.jackrabbit.oak.spi.state.NodeStateDiff}
  * for applying changes made on top of secure node states
  * to a node builder for the underlying non secure node state
- * of the before state. That is, the only expected conflicts
- * are adding an existing property and adding an existing node.
- * These conflicts correspond to the shadowing of hidden properties
- * and nodes in transient space, respectively.
+ * of the before state.
  *
  * @see SecureNodeState
  */
@@ -65,6 +62,12 @@ class SecuredNodeRebaseDiff extends Abst
         return new SecuredNodeRebaseDiff(builder.child(name));
     }
 
+    /**
+     * This conflict corresponds to the shadowing of an invisible property.
+     * @param builder  parent builder
+     * @param before existing property
+     * @param after  added property
+     */
     @Override
     protected void addExistingProperty(NodeBuilder builder, PropertyState before, PropertyState
after) {
         builder.setProperty(after);
@@ -91,6 +94,12 @@ class SecuredNodeRebaseDiff extends Abst
         throw new IllegalStateException("Unexpected conflict: delete changed property: "
+ before);
     }
 
+    /**
+     * This conflict corresponds to the shadowing of an invisible node
+     * @param builder  parent builder
+     * @param before existing property
+     * @param after  added property
+     */
     @Override
     protected void addExistingNode(NodeBuilder builder, String name, NodeState before, NodeState
after) {
         // FIXME (OAK-709) after might be a secured node instead of the underlying non secured
node.
@@ -111,11 +120,15 @@ class SecuredNodeRebaseDiff extends Abst
                 name + " : " + before);
     }
 
+    /**
+     * This conflict occurs when deleting a node that has an invisible child node.
+     * @param builder  parent builder
+     * @param name
+     * @param before  deleted node
+     */
     @Override
     protected void deleteChangedNode(NodeBuilder builder, String name, NodeState before)
{
-        // FIXME Should never be called. OAK-781 should fix this.
-//        throw new IllegalStateException("Unexpected conflict: delete changed node: " +
-//                name + " : " + before);
+        builder.removeChildNode(name);
     }
 
 }

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/Jr2CompatibilityTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/Jr2CompatibilityTest.java?rev=1485648&r1=1485647&r2=1485648&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/Jr2CompatibilityTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/Jr2CompatibilityTest.java
Thu May 23 11:27:15 2013
@@ -16,8 +16,13 @@
  */
 package org.apache.jackrabbit.oak.security.authorization.evaluation;
 
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 import java.util.Collections;
 import java.util.Map;
+
 import javax.jcr.security.AccessControlEntry;
 import javax.jcr.security.AccessControlManager;
 
@@ -30,19 +35,14 @@ import org.apache.jackrabbit.commons.jac
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
-import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.junit.After;
 import org.junit.Before;
-import org.junit.Ignore;
 import org.junit.Test;
 
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
 /**
  * Test compatibility with Jackrabbit 2.x using the
  * {@link AccessControlConstants#PARAM_PERMISSIONS_JR2} configuration parameter.
@@ -113,7 +113,6 @@ public class Jr2CompatibilityTest extend
         }
     }
 
-    @Ignore("OAK-781") // FIXME
     @Test
     public void testRemoveNodeWithJr2Flag() throws Exception {
         /* allow READ/WRITE privilege for testUser at 'path' */
@@ -137,7 +136,6 @@ public class Jr2CompatibilityTest extend
         }
     }
 
-    @Ignore("OAK-781") // FIXME
     @Test
     public void testRemoveNodeWithJr2Flag2() throws Exception {
         /* allow READ/WRITE privilege for testUser at 'path' */

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java?rev=1485648&r1=1485647&r2=1485648&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java
Thu May 23 11:27:15 2013
@@ -16,12 +16,19 @@
  */
 package org.apache.jackrabbit.oak.security.authorization.permission;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 import java.security.Principal;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
+
 import javax.jcr.RepositoryException;
 import javax.jcr.security.AccessControlEntry;
 import javax.jcr.security.AccessControlManager;
@@ -35,24 +42,17 @@ import org.apache.jackrabbit.oak.api.Con
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.api.Type;
-import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
+import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.oak.util.NodeUtil;
 import org.junit.After;
 import org.junit.Before;
-import org.junit.Ignore;
 import org.junit.Test;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
 /**
  * Testing the {@code PermissionHook}
  */
@@ -86,6 +86,7 @@ public class PermissionHookTest extends 
         bitsProvider = new PrivilegeBitsProvider(root);
     }
 
+    @Override
     @After
     public void after() throws Exception {
         try {
@@ -164,7 +165,7 @@ public class PermissionHookTest extends 
         NodeUtil node = new NodeUtil(testAce);
         NodeUtil restrictions = node.addChild(REP_RESTRICTIONS, NT_REP_RESTRICTIONS);
         restrictions.setString(REP_GLOB, "*");
-        String restritionsPath = restrictions.getTree().getPath();
+        String restrictionsPath = restrictions.getTree().getPath();
         root.commit();
 
         Tree principalRoot = getPrincipalRoot(testPrincipalName);
@@ -172,7 +173,7 @@ public class PermissionHookTest extends 
         assertEquals("*", principalRoot.getChildren().iterator().next().getProperty(REP_GLOB).getValue(Type.STRING));
 
         // modify the restrictions node
-        Tree restrictionsNode = root.getTree(restritionsPath);
+        Tree restrictionsNode = root.getTree(restrictionsPath);
         restrictionsNode.setProperty(REP_GLOB, "/*/jcr:content/*");
         root.commit();
 
@@ -181,7 +182,7 @@ public class PermissionHookTest extends 
         assertEquals("/*/jcr:content/*", principalRoot.getChildren().iterator().next().getProperty(REP_GLOB).getValue(Type.STRING));
 
         // remove the restriction again
-        root.getTree(restritionsPath).remove();
+        root.getTree(restrictionsPath).remove();
         root.commit();
 
         principalRoot = getPrincipalRoot(testPrincipalName);
@@ -327,7 +328,6 @@ public class PermissionHookTest extends 
         }
     }
 
-    @Ignore("OAK-781") // FIXME
     @Test
     public void testImplicitAceRemoval() throws Exception {
         AccessControlManager acMgr = getAccessControlManager(root);

Modified: jackrabbit/oak/trunk/oak-jcr/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/pom.xml?rev=1485648&r1=1485647&r2=1485648&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-jcr/pom.xml Thu May 23 11:27:15 2013
@@ -291,9 +291,6 @@
       org.apache.jackrabbit.test.api.lock.LockTest#testCheckedInUnlock
       org.apache.jackrabbit.test.api.observation.GetUserDataTest#testVersioning
 
-      org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testRemove5    <!--
OAK-781 -->
-      org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testRemove6    <!--
OAK-781 -->
-      org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testRemove7    <!--
OAK-781 -->
       org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testRemoveIfReadingParentIsDenied
     <!-- OAK-813 -->
 
       org.apache.jackrabbit.oak.jcr.security.authorization.AccessControlManagementTest#testRemoveMixin
             <!-- OAK-767 -->

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java?rev=1485648&r1=1485647&r2=1485648&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
Thu May 23 11:27:15 2013
@@ -19,6 +19,7 @@ package org.apache.jackrabbit.oak.jcr.se
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+
 import javax.jcr.AccessDeniedException;
 import javax.jcr.Node;
 import javax.jcr.Session;
@@ -166,7 +167,6 @@ public class WriteTest extends AbstractE
         testSession.save();
     }
 
-    @Ignore("OAK-781") // FIXME
     @Test
     public void testRemove5() throws Exception {
         // add 'remove_node' privilege at 'childNPath'
@@ -209,7 +209,6 @@ public class WriteTest extends AbstractE
         }
     }
 
-    @Ignore("OAK-781") // FIXME
     @Test
     public void testRemove6() throws Exception {
         // add 'remove_child_nodes' and 'remove_node' privilege at 'path'
@@ -271,7 +270,6 @@ public class WriteTest extends AbstractE
         }
     }
 
-    @Ignore("OAK-781") // FIXME
     @Test
     public void testRemove7() throws Exception {
         Privilege[] rmChildNodes = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
@@ -298,7 +296,7 @@ public class WriteTest extends AbstractE
         assertTrue(testAcMgr.hasPrivileges(childNPath, new Privilege[] {rmChildNodes[0],
rmNode[0]}));
         try {
             testSession.getNode(childNPath).remove();
-            superuser.save();
+            testSession.save();
             fail("Removal must fail");
         } catch (AccessDeniedException e) {
             // success



Mime
View raw message