Return-Path: X-Original-To: apmail-jackrabbit-oak-commits-archive@minotaur.apache.org Delivered-To: apmail-jackrabbit-oak-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id D3FF610335 for ; Thu, 2 May 2013 14:35:28 +0000 (UTC) Received: (qmail 38232 invoked by uid 500); 2 May 2013 14:35:28 -0000 Delivered-To: apmail-jackrabbit-oak-commits-archive@jackrabbit.apache.org Received: (qmail 38209 invoked by uid 500); 2 May 2013 14:35:28 -0000 Mailing-List: contact oak-commits-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: oak-dev@jackrabbit.apache.org Delivered-To: mailing list oak-commits@jackrabbit.apache.org Received: (qmail 38200 invoked by uid 99); 2 May 2013 14:35:28 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 02 May 2013 14:35:28 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 02 May 2013 14:35:22 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id DD34723889F1; Thu, 2 May 2013 14:35:00 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1478389 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/ test/java/org/apache/jackrabbit/oak/security/authorization/ Date: Thu, 02 May 2013 14:35:00 -0000 To: oak-commits@jackrabbit.apache.org 
From: angela@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130502143500.DD34723889F1@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: angela Date: Thu May 2 14:35:00 2013 New Revision: 1478389 URL: http://svn.apache.org/r1478389 Log: OAK-51 : Access Control Management (backwards compatible handling of "unknown" principals) Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java?rev=1478389&r1=1478388&r2=1478389&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java Thu May 2 14:35:00 2013 
@@ -104,10 +104,7 @@ abstract class ACL extends AbstractAcces getPrivilegeManager().getPrivilege(p.getName()); } - if (principal == null || !getPrincipalManager().hasPrincipal(principal.getName())) { - String msg = "Unknown principal " + ((principal == null) ? "null" : principal.getName()); - throw new AccessControlException(msg); - } + AccessControlUtils.checkValidPrincipal(principal, getPrincipalManager()); for (RestrictionDefinition def : getRestrictionProvider().getSupportedRestrictions(getOakPath())) { if (def.isMandatory() && (restrictions == null || !restrictions.containsKey(def.getJcrName()))) { Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1478389&r1=1478388&r2=1478389&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Thu May 2 14:35:00 2013 @@ -16,8 +16,6 @@ */ package org.apache.jackrabbit.oak.security.authorization; -import static com.google.common.base.Preconditions.checkNotNull; - import java.security.Principal; import java.text.ParseException; import java.util.ArrayList; @@ -28,7 +26,6 @@ import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Set; - import javax.annotation.CheckForNull; import javax.annotation.Nonnull; import javax.annotation.Nullable; 
@@ -56,7 +53,6 @@ import org.apache.jackrabbit.api.securit import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal; import org.apache.jackrabbit.api.security.principal.PrincipalManager; import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter; -import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.PropertyValue; import org.apache.jackrabbit.oak.api.QueryEngine; @@ -88,6 +84,8 @@ import org.apache.jackrabbit.util.Text; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import static com.google.common.base.Preconditions.checkNotNull; + /** * Default implementation of the {@code JackrabbitAccessControlManager} interface. * This implementation covers both editing access control content by path and @@ -204,13 +202,13 @@ public class AccessControlManagerImpl im AccessControlPolicy policy = null; Tree aclTree = getAclTree(oakPath, tree); if (aclTree == null) { - if (tree.hasChild(getAclName(oakPath))) { + if (tree.hasChild(AccessControlUtils.getAclName(oakPath))) { // policy child node without tree being access controlled log.warn("Colliding policy child without node being access controllable ({}).", absPath); } else { // create an empty acl unless the node is protected or cannot have // mixin set (e.g. due to a lock) - String mixinName = getMixinName(oakPath); + String mixinName = AccessControlUtils.getMixinName(oakPath); if (ntMgr.isNodeType(tree, mixinName) || ntMgr.getEffectiveNodeType(tree).supportsMixin(mixinName)) { policy = new NodeACL(oakPath); } else { 
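Review bot: Dropping the commons `AccessControlUtils` import makes every `AccessControlUtils` reference in this file bind to the new same-package class, which reuses the simple name of the commons class it extends. Any static helper of the commons class that this file still calls (not visible in these hunks) would then resolve only through inherited statics, and a later import clean-up could easily pick the wrong one of the two. A distinct name for the Oak class would avoid the confusion, or failing that a one-line comment at the first use such as `// oak.security.authorization.AccessControlUtils, not the commons class of the same name`.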
@@ -229,7 +227,7 @@ public class AccessControlManagerImpl im @Override public void setPolicy(@Nullable String absPath, @Nonnull AccessControlPolicy policy) throws RepositoryException { String oakPath = getOakPath(absPath); - checkValidPolicy(oakPath, policy); + AccessControlUtils.checkValidPolicy(oakPath, policy); if (policy instanceof PrincipalACL) { setPrincipalBasedAcl((PrincipalACL) policy); @@ -301,7 +299,7 @@ public class AccessControlManagerImpl im @Override public void removePolicy(@Nullable String absPath, @Nonnull AccessControlPolicy policy) throws RepositoryException { String oakPath = getOakPath(absPath); - checkValidPolicy(oakPath, policy); + AccessControlUtils.checkValidPolicy(oakPath, policy); if (policy instanceof PrincipalACL) { PrincipalACL principalAcl = (PrincipalACL) policy; @@ -337,7 +335,7 @@ public class AccessControlManagerImpl im @Nonnull @Override public JackrabbitAccessControlPolicy[] getApplicablePolicies(@Nonnull Principal principal) throws RepositoryException { - checkValidPrincipal(principal); + AccessControlUtils.checkValidPrincipal(principal, principalManager); String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null; JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal); @@ -352,7 +350,7 @@ public class AccessControlManagerImpl im @Nonnull @Override public JackrabbitAccessControlPolicy[] getPolicies(@Nonnull Principal principal) throws RepositoryException { - checkValidPrincipal(principal); + AccessControlUtils.checkValidPrincipal(principal, principalManager); String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null; JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal); 
@@ -367,7 +365,7 @@ public class AccessControlManagerImpl im @Nonnull @Override public AccessControlPolicy[] getEffectivePolicies(@Nonnull Set principals) throws RepositoryException { - checkValidPrincipals(principals); + AccessControlUtils.checkValidPrincipals(principals, principalManager); Result aceResult = searchAces(principals); List effective = new ArrayList(); for (ResultRow row : aceResult.getRows()) { 
@@ -453,50 +451,15 @@ public class AccessControlManagerImpl im } } - private static void checkValidPolicy(@Nullable String oakPath, @Nonnull AccessControlPolicy policy) throws AccessControlException { - if (policy instanceof ACL) { - String path = ((ACL) policy).getOakPath(); - if ((path == null && oakPath != null) || (path != null && !path.equals(oakPath))) { - throw new AccessControlException("Invalid access control policy " + policy + ": path mismatch " + oakPath); - } - } else { - throw new AccessControlException("Invalid access control policy " + policy); - } - } - - private void checkValidPrincipals(@Nullable Set principals) throws AccessControlException { - if (principals == null) { - throw new AccessControlException("Valid principals expected. Found null."); - } - for (Principal principal : principals) { - checkValidPrincipal(principal); - } - } - - private void checkValidPrincipal(@Nullable Principal principal) throws AccessControlException { - String name = (principal == null) ? null : principal.getName(); - if (name == null || !principalManager.hasPrincipal(name)) { - throw new AccessControlException("Unknown principal " + name); - } - } - - private boolean isAccessControlled(@Nonnull Tree tree, @Nonnull String nodeTypeName) { - return ntMgr.isNodeType(tree, nodeTypeName); - } - - private boolean isACE(@Nonnull Tree tree) { - return tree.exists() && ntMgr.isNodeType(tree, NT_REP_ACE); - } - @CheckForNull private Tree getAclTree(@Nullable String oakPath, @Nonnull Tree accessControlledTree) { - if (isAccessControlled(accessControlledTree, getMixinName(oakPath))) { - Tree policyTree = accessControlledTree.getChild(getAclName(oakPath)); + if (AccessControlUtils.isAccessControlled(oakPath, accessControlledTree, ntMgr)) { + String aclName = AccessControlUtils.getAclName(oakPath); + Tree policyTree = accessControlledTree.getChild(aclName); if (policyTree.exists()) { return policyTree; } } - return null; } 
@@ -508,10 +471,9 @@ public class AccessControlManagerImpl im */ @Nonnull private Tree createAclTree(@Nullable String oakPath, @Nonnull Tree tree) { - String mixinName = getMixinName(oakPath); - - if (!isAccessControlled(tree, mixinName)) { + if (!AccessControlUtils.isAccessControlled(oakPath, tree, ntMgr)) { PropertyState mixins = tree.getProperty(JcrConstants.JCR_MIXINTYPES); + String mixinName = AccessControlUtils.getMixinName(oakPath); if (mixins == null) { tree.setProperty(JcrConstants.JCR_MIXINTYPES, Collections.singleton(mixinName), Type.NAMES); } else { @@ -520,7 +482,8 @@ public class AccessControlManagerImpl im tree.setProperty(pb.getPropertyState()); } } - return new NodeUtil(tree).addChild(getAclName(oakPath), NT_REP_ACL).getTree(); + String aclName = AccessControlUtils.getAclName(oakPath); + return new NodeUtil(tree).addChild(aclName, NT_REP_ACL).getTree(); } @CheckForNull @@ -528,15 +491,15 @@ public class AccessControlManagerImpl im @Nonnull Tree accessControlledTree, boolean isReadOnly) throws RepositoryException { JackrabbitAccessControlList acl = null; - String aclName = getAclName(oakPath); - String mixinName = getMixinName(oakPath); + String aclName = AccessControlUtils.getAclName(oakPath); + String mixinName = AccessControlUtils.getMixinName(oakPath); - if (accessControlledTree.exists() && isAccessControlled(accessControlledTree, mixinName)) { + if (accessControlledTree.exists() && AccessControlUtils.isAccessControlled(oakPath, accessControlledTree, ntMgr)) { Tree aclTree = accessControlledTree.getChild(aclName); if (aclTree.exists()) { List entries = new ArrayList(); for (Tree child : aclTree.getChildren()) { - if (isACE(child)) { + if (AccessControlUtils.isACE(child, ntMgr)) { entries.add(createACE(oakPath, child, restrictionProvider)); } } 
@@ -558,7 +521,7 @@ public class AccessControlManagerImpl im List entries = new ArrayList(); for (ResultRow row : aceResult.getRows()) { Tree aceTree = root.getTree(row.getPath()); - if (isACE(aceTree)) { + if (AccessControlUtils.isACE(aceTree, ntMgr)) { String aclPath = Text.getRelativeParent(aceTree.getPath(), 1); String path; if (aclPath.endsWith(REP_REPO_POLICY)) { @@ -621,7 +584,7 @@ public class AccessControlManagerImpl im @Nonnull JackrabbitAccessControlEntry ace, @Nonnull RestrictionProvider rProvider) throws RepositoryException { boolean isAllow = ace.isAllow(); - String nodeName = generateAceName(aclTree, isAllow); + String nodeName = AccessControlUtils.generateAceName(aclTree, isAllow); String ntName = (isAllow) ? NT_REP_GRANT_ACE : NT_REP_DENY_ACE; NodeUtil aceNode = new NodeUtil(aclTree).addChild(nodeName, ntName); 
@@ -724,35 +687,6 @@ public class AccessControlManagerImpl im } } - @Nonnull - private static String getMixinName(@Nullable String oakPath) { - return (oakPath == null) ? MIX_REP_REPO_ACCESS_CONTROLLABLE : MIX_REP_ACCESS_CONTROLLABLE; - } - - @Nonnull - private static String getAclName(@Nullable String oakPath) { - return (oakPath == null) ? REP_REPO_POLICY : REP_POLICY; - } - - /** - * Create a unique valid name for the Permission nodes to be save. - * - * @param aclTree The acl for which a new ACE name should be generated. - * @param isAllow If the ACE is allowing or denying. - * @return the name of the ACE node. - */ - @Nonnull - private static String generateAceName(@Nonnull Tree aclTree, boolean isAllow) { - int i = 0; - String hint = (isAllow) ? "allow" : "deny"; - String aceName = hint; - while (aclTree.hasChild(aceName)) { - aceName = hint + i; - i++; - } - return aceName; - } - //-------------------------------------------------------------------------- // TODO review again private class NodeACL extends ACL { Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java?rev=1478389&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java (added) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlUtils.java Thu May 2 14:35:00 2013 
@@ -0,0 +1,110 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authorization; + +import java.security.Principal; +import java.util.Set; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; +import javax.jcr.security.AccessControlException; +import javax.jcr.security.AccessControlPolicy; + +import org.apache.jackrabbit.api.security.principal.PrincipalManager; +import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager; +import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * AccessControlUtils... TODO + */ +public final class AccessControlUtils extends org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils implements AccessControlConstants { + + /** + * logger instance + */ + private static final Logger log = LoggerFactory.getLogger(AccessControlUtils.class); + + public static void checkValidPrincipal(Principal principal, PrincipalManager principalManager) throws AccessControlException { + String name = (principal == null) ? 
null : principal.getName(); + if (name == null || name.isEmpty()) { + throw new AccessControlException("Invalid principal " + name); + } + if (!(principal instanceof PrincipalImpl) && !principalManager.hasPrincipal(name)) { + throw new AccessControlException("Unknown principal " + name); + } + } + + public static void checkValidPrincipals(@Nullable Set principals, PrincipalManager principalManager) throws AccessControlException { + if (principals == null) { + throw new AccessControlException("Valid principals expected. Found null."); + } + for (Principal principal : principals) { + AccessControlUtils.checkValidPrincipal(principal, principalManager); + } + } + + public static void checkValidPolicy(@Nullable String oakPath, @Nonnull AccessControlPolicy policy) throws AccessControlException { + if (policy instanceof ACL) { + String path = ((ACL) policy).getOakPath(); + if ((path == null && oakPath != null) || (path != null && !path.equals(oakPath))) { + throw new AccessControlException("Invalid access control policy " + policy + ": path mismatch " + oakPath); + } + } else { + throw new AccessControlException("Invalid access control policy " + policy); + } + } + + public static boolean isAccessControlled(String oakPath, @Nonnull Tree tree, @Nonnull ReadOnlyNodeTypeManager ntMgr) { + String mixinName = getMixinName(oakPath); + return ntMgr.isNodeType(tree, mixinName); + } + + public static boolean isACE(@Nonnull Tree tree, @Nonnull ReadOnlyNodeTypeManager ntMgr) { + return tree.exists() && ntMgr.isNodeType(tree, NT_REP_ACE); + } + + @Nonnull + public static String getMixinName(@Nullable String oakPath) { + return (oakPath == null) ? MIX_REP_REPO_ACCESS_CONTROLLABLE : MIX_REP_ACCESS_CONTROLLABLE; + } + + @Nonnull + public static String getAclName(@Nullable String oakPath) { + return (oakPath == null) ? REP_REPO_POLICY : REP_POLICY; + } + + /** + * Create a unique valid name for the Permission nodes to be save. 
+ * + * @param aclTree The acl for which a new ACE name should be generated. + * @param isAllow If the ACE is allowing or denying. + * @return the name of the ACE node. + */ + @Nonnull + public static String generateAceName(@Nonnull Tree aclTree, boolean isAllow) { + int i = 0; + String hint = (isAllow) ? "allow" : "deny"; + String aceName = hint; + while (aclTree.hasChild(aceName)) { + aceName = hint + i; + i++; + } + return aceName; + } +} \ No newline at end of file Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java?rev=1478389&r1=1478388&r2=1478389&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java (original) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java Thu May 2 14:35:00 2013 @@ -132,7 +132,7 @@ public class ACLTest extends AbstractAcc @Test public void testAddInvalidEntry() throws Exception { - Principal unknownPrincipal = new PrincipalImpl("unknown"); + Principal unknownPrincipal = new InvalidPrincipal("unknown"); try { acl.addAccessControlEntry(unknownPrincipal, privilegesFromNames(JCR_READ)); fail("Adding an ACE with an unknown principal should fail"); 
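Review bot: In `checkValidPrincipal` the `!(principal instanceof PrincipalImpl)` guard lets any `PrincipalImpl` skip the `principalManager.hasPrincipal(name)` lookup, so any caller that can construct one can obtain or edit policies for a name the principal manager does not know. The commit log calls this backwards compatibility, but nothing in the code says so, and an entry stored for a not-yet-existing name would presumably start to apply once a principal with that name is created. I would keep the lookup for all types and make the exemption an explicit, commented branch. The declared but unused `log` field could then record each accepted unknown name, so the relaxed path is auditable. The class Javadoc is still `AccessControlUtils... TODO` and should state this contract.

```java
public static void checkValidPrincipal(Principal principal, PrincipalManager principalManager) throws AccessControlException {
    // … unchanged: name extraction and null/empty check …
    if (!principalManager.hasPrincipal(name)) {
        if (!(principal instanceof PrincipalImpl)) {
            throw new AccessControlException("Unknown principal " + name);
        }
        // OAK-51 backwards compatibility: Oak's own PrincipalImpl is accepted even if
        // the principal manager does not (yet) know the name; record it for auditing.
        log.debug("Accepting principal '{}' unknown to the principal manager", name);
    }
}
```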
@@ -142,6 +142,12 @@ public class ACLTest extends AbstractAcc } @Test + public void testAddEntryWithOakPrincipal() throws Exception { + Principal oakPrincipal = new PrincipalImpl("name"); + acl.addAccessControlEntry(oakPrincipal, privilegesFromNames(JCR_READ)); + } + + @Test public void testAddEntryWithoutPrivilege() throws Exception { try { acl.addAccessControlEntry(testPrincipal, new Privilege[0]); Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java?rev=1478389&r1=1478388&r2=1478389&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java (original) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java Thu May 2 14:35:00 2013 @@ -16,14 +16,6 @@ */ package org.apache.jackrabbit.oak.security.authorization; -import static org.junit.Assert.assertArrayEquals; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertNull; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - import java.security.Principal; import java.util.ArrayList; import java.util.Arrays; @@ -34,7 +26,6 @@ import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Set; - import javax.annotation.Nonnull; import javax.annotation.Nullable; import javax.jcr.AccessDeniedException; 
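Review bot: `testAddEntryWithOakPrincipal` asserts nothing, so it only proves that no exception is thrown when a `PrincipalImpl` is passed. It appears to be the one `ACLTest` case covering the relaxed validation, so it should check the outcome, e.g. `assertTrue(acl.addAccessControlEntry(oakPrincipal, privilegesFromNames(JCR_READ)));`, followed by a check that the list now holds an entry for that principal. The hunk also does not show whether `"name"` is unknown to the principal manager in this fixture; a short comment saying so would make the intent explicit.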
@@ -81,6 +72,14 @@ import org.junit.After; import org.junit.Before; import org.junit.Test; +import static org.junit.Assert.assertArrayEquals; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + /** * Tests for the default {@code AccessControlManager} implementation. */ @@ -1340,7 +1339,7 @@ public class AccessControlManagerImplTes while (unknown != null) { unknown = getPrincipalManager().getPrincipal("unknown"+i); } - unknown = new PrincipalImpl("unknown" + i); + unknown = new InvalidPrincipal("unknown" + i); try { acMgr.getApplicablePolicies(unknown); fail("Unknown principal should be detected."); @@ -1350,6 +1349,18 @@ public class AccessControlManagerImplTes } @Test + public void testGetApplicablePoliciesInternalPrincipal() throws Exception { + Principal unknown = getPrincipalManager().getPrincipal("unknown"); + int i = 0; + while (unknown != null) { + unknown = getPrincipalManager().getPrincipal("unknown"+i); + } + unknown = new PrincipalImpl("unknown" + i); + + assertEquals(1, acMgr.getApplicablePolicies(unknown).length); + } + + @Test public void testGetApplicablePoliciesByPrincipal() throws Exception { List principals = ImmutableList.of(testPrincipal, EveryonePrincipal.getInstance()); for (Principal principal : principals) { 
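Review bot: The probing loop in `testGetApplicablePoliciesInternalPrincipal` never increments `i`, so it cannot terminate if both `unknown` and `unknown0` exist. When the loop body is skipped, the test builds `"unknown" + i` (that is, `unknown0`), a name that was never looked up. The same loop is copied into `testGetPoliciesInternalPrincipal` in the `@@ -1437` hunk and appears as context in the existing unknown-principal tests. Probing the name that is actually used fixes both: `String name = "unknown"; for (int i = 0; getPrincipalManager().hasPrincipal(name); i++) { name = "unknown" + i; }` followed by `new PrincipalImpl(name)`. As written, the positive assertion may run against a principal that does exist, which would not exercise the relaxed check at all.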
@@ -1390,22 +1401,12 @@ public class AccessControlManagerImplTes List principals = ImmutableList.of(testPrincipal, EveryonePrincipal.getInstance()); for (Principal principal : principals) { - if (testPrincipalMgr.hasPrincipal(principal.getName())) { - // testRoot can't read access control content -> doesn't see - // the existing policies and creates a new applicable policy. - AccessControlPolicy[] applicable = testAcMgr.getApplicablePolicies(principal); - assertNotNull(applicable); - assertEquals(1, applicable.length); - assertTrue(applicable[0] instanceof ACL); - } else { - // testRoot can't read principal -> exception expected - try { - testAcMgr.getApplicablePolicies(principal); - fail(); - } catch (AccessControlException e) { - // success - } - } + // testRoot can't read access control content -> doesn't see + // the existing policies and creates a new applicable policy. + AccessControlPolicy[] applicable = testAcMgr.getApplicablePolicies(principal); + assertNotNull(applicable); + assertEquals(1, applicable.length); + assertTrue(applicable[0] instanceof ACL); } } @@ -1427,7 +1428,7 @@ public class AccessControlManagerImplTes while (unknown != null) { unknown = getPrincipalManager().getPrincipal("unknown"+i); } - unknown = new PrincipalImpl("unknown" + i); + unknown = new InvalidPrincipal("unknown" + i); try { acMgr.getPolicies(unknown); fail("Unknown principal should be detected."); 
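Review bot: Removing the `else` branch drops the only case in this test where a session with restricted principal visibility (`testAcMgr`) was expected to get an `AccessControlException`. The loop now asserts success for every principal, which presumably holds only because `testPrincipal` and `EveryonePrincipal` fall under the new `instanceof PrincipalImpl` exemption; that assumption is not stated anywhere. I would add a negative case next to it, `testAcMgr.getApplicablePolicies(new InvalidPrincipal("unknown"))` wrapped in the usual try/fail/catch, so that rejection of non-Oak principals unknown to the restricted session stays covered. The enclosing test method starts outside the hunk.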
@@ -1437,6 +1438,17 @@ public class AccessControlManagerImplTes } @Test + public void testGetPoliciesInternalPrincipal() throws Exception { + Principal unknown = getPrincipalManager().getPrincipal("unknown"); + int i = 0; + while (unknown != null) { + unknown = getPrincipalManager().getPrincipal("unknown"+i); + } + unknown = new PrincipalImpl("unknown" + i); + assertEquals(0, acMgr.getPolicies(unknown).length); + } + + @Test public void testGetPoliciesByPrincipal() throws Exception { List principals = ImmutableList.of(testPrincipal, EveryonePrincipal.getInstance()); for (Principal principal : principals) { @@ -1482,13 +1494,8 @@ public class AccessControlManagerImplTes assertNotNull(policies); assertEquals(0, policies.length); } else { - // testRoot can't read principal -> exception expected - try { - testAcMgr.getApplicablePolicies(principal); - fail(); - } catch (AccessControlException e) { - // success - } + // testRoot can't read principal -> no policies for that principal + assertEquals(0, testAcMgr.getPolicies(principal).length); } } } 
@@ -1518,7 +1525,7 @@ public class AccessControlManagerImplTes while (unknown != null) { unknown = getPrincipalManager().getPrincipal("unknown"+i); } - unknown = new PrincipalImpl("unknown" + i); + unknown = new InvalidPrincipal("unknown" + i); try { acMgr.getEffectivePolicies(Collections.singleton(unknown)); fail("Unknown principal should be detected."); Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java?rev=1478389&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java (added) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/InvalidPrincipal.java Thu May 2 14:35:00 2013 
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization;
+
+import java.security.Principal;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * InvalidPrincipal... TODO
+ */
+public final class InvalidPrincipal implements Principal {
+
+ private final String name;
+
+ public InvalidPrincipal(String name) {
+ this.name = name;
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+}
\ No newline at end of file
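Review bot: The class Javadoc is still the placeholder `InvalidPrincipal... TODO`, and the `org.slf4j.Logger` and `org.slf4j.LoggerFactory` imports are unused. This type exists only so that tests can pass a principal that does not get the `PrincipalImpl` exemption in `AccessControlUtils.checkValidPrincipal`, so the Javadoc should say that. I would write `/** Test-only {@link Principal} that is deliberately not a {@code PrincipalImpl}, so that principal validation falls through to the principal manager lookup. */` and drop the two imports.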