jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1569408 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/ oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/ oak-core/src/main/java/org/apache/jackrabbit/oak/s...
Date Tue, 18 Feb 2014 16:21:10 GMT
Author: angela
Date: Tue Feb 18 16:21:09 2014
New Revision: 1569408

URL: http://svn.apache.org/r1569408
Log:
OAK-1175 : Security Concerns wrt Index Definitions

Added:
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/IndexManagementTest.java
  (with props)
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
Tue Feb 18 16:21:09 2014
@@ -24,6 +24,7 @@ import org.apache.jackrabbit.JcrConstant
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.index.IndexConstants;
 import org.apache.jackrabbit.oak.plugins.tree.ImmutableTree;
 import org.apache.jackrabbit.oak.plugins.lock.LockConstants;
 import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate;
@@ -252,6 +253,8 @@ class PermissionValidator extends Defaul
         } else if (provider.getUserContext().definesTree(tree)
                 && !provider.requiresJr2Permissions(Permissions.USER_MANAGEMENT))
{
             perm = Permissions.USER_MANAGEMENT;
+        } else if (isIndexDefinition(tree)) {
+            perm = Permissions.INDEX_DEFINITION_MANAGEMENT;
         } else {
             perm = defaultPermission;
         }
@@ -297,6 +300,8 @@ class PermissionValidator extends Defaul
         } else if (provider.getUserContext().definesProperty(parent, propertyState)
                  && !provider.requiresJr2Permissions(Permissions.USER_MANAGEMENT))
{
             perm = Permissions.USER_MANAGEMENT;
+        } else if (isIndexDefinition(parent)) {
+            perm = Permissions.INDEX_DEFINITION_MANAGEMENT;
         } else {
             perm = defaultPermission;
         }
@@ -345,4 +350,8 @@ class PermissionValidator extends Defaul
         }
         return (ImmutableTree) versionHistory;
     }
+
+    private boolean isIndexDefinition(@Nonnull Tree tree) {
+        return tree.getPath().contains(IndexConstants.INDEX_DEFINITIONS_NAME);
+    }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionWriter.java
Tue Feb 18 16:21:09 2014
@@ -16,18 +16,14 @@
  */
 package org.apache.jackrabbit.oak.security.privilege;
 
-import static java.util.Arrays.asList;
-
 import java.util.Collection;
 import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.Map;
-
 import javax.annotation.Nonnull;
 import javax.jcr.RepositoryException;
 
 import com.google.common.collect.ImmutableMap;
-
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
@@ -38,6 +34,8 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
 import org.apache.jackrabbit.oak.util.NodeUtil;
 
+import static java.util.Arrays.asList;
+
 /**
  * PrivilegeDefinitionWriter is responsible for writing privilege definitions
  * to the repository without applying any validation checks.
@@ -54,7 +52,7 @@ class PrivilegeDefinitionWriter implemen
             JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL, JCR_NODE_TYPE_MANAGEMENT,
             JCR_VERSION_MANAGEMENT, JCR_LOCK_MANAGEMENT, JCR_LIFECYCLE_MANAGEMENT,
             JCR_RETENTION_MANAGEMENT, JCR_WORKSPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT,
-            JCR_NAMESPACE_MANAGEMENT, REP_PRIVILEGE_MANAGEMENT, REP_USER_MANAGEMENT};
+            JCR_NAMESPACE_MANAGEMENT, REP_PRIVILEGE_MANAGEMENT, REP_USER_MANAGEMENT, REP_INDEX_DEFINITION_MANAGEMENT};
 
     /**
      * The internal names and aggregation definition of all built-in privileges

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
Tue Feb 18 16:21:09 2014
@@ -99,6 +99,10 @@ public final class Permissions {
      * @since OAK 1.0
      */
     public static final long USER_MANAGEMENT = PRIVILEGE_MANAGEMENT << 1;
+    /**
+     * @since OAK 1.0
+     */
+    public static final long INDEX_DEFINITION_MANAGEMENT = USER_MANAGEMENT << 1;
 
     public static final long READ = READ_NODE | READ_PROPERTY;
 
@@ -124,6 +128,7 @@ public final class Permissions {
             | WORKSPACE_MANAGEMENT
             | PRIVILEGE_MANAGEMENT
             | USER_MANAGEMENT
+            | INDEX_DEFINITION_MANAGEMENT
     );
 
     public static final Map<Long, String> PERMISSION_NAMES = new LinkedHashMap<Long,
String>();
@@ -152,6 +157,7 @@ public final class Permissions {
         PERMISSION_NAMES.put(WORKSPACE_MANAGEMENT, "WORKSPACE_MANAGEMENT");
         PERMISSION_NAMES.put(PRIVILEGE_MANAGEMENT, "PRIVILEGE_MANAGEMENT");
         PERMISSION_NAMES.put(USER_MANAGEMENT, "USER_MANAGEMENT");
+        PERMISSION_NAMES.put(INDEX_DEFINITION_MANAGEMENT, "INDEX_DEFINITION_MANAGEMENT");
     }
 
     /**

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
Tue Feb 18 16:21:09 2014
@@ -57,6 +57,7 @@ public final class PrivilegeBits impleme
     private static final long NAMESPACE_MNGMT = NODE_TYPE_DEF_MNGMT << 1;
     private static final long PRIVILEGE_MNGMT = NAMESPACE_MNGMT << 1;
     private static final long USER_MNGMT = PRIVILEGE_MNGMT << 1;
+    private static final long INDEX_DEFINITION_MNGMT = USER_MNGMT << 1;
 
     private static final long READ = READ_NODES | READ_PROPERTIES;
     private static final long MODIFY_PROPERTIES = ADD_PROPERTIES | ALTER_PROPERTIES | REMOVE_PROPERTIES;
@@ -87,6 +88,7 @@ public final class PrivilegeBits impleme
         BUILT_IN.put(JCR_NAMESPACE_MANAGEMENT, getInstance(NAMESPACE_MNGMT));
         BUILT_IN.put(REP_PRIVILEGE_MANAGEMENT, getInstance(PRIVILEGE_MNGMT));
         BUILT_IN.put(REP_USER_MANAGEMENT, getInstance(USER_MNGMT));
+        BUILT_IN.put(REP_INDEX_DEFINITION_MANAGEMENT, getInstance(INDEX_DEFINITION_MNGMT));
 
         BUILT_IN.put(JCR_READ, PrivilegeBits.getInstance(READ));
         BUILT_IN.put(JCR_MODIFY_PROPERTIES, PrivilegeBits.getInstance(MODIFY_PROPERTIES));
@@ -95,7 +97,7 @@ public final class PrivilegeBits impleme
     }
 
     public static PrivilegeBits NEXT_AFTER_BUILT_INS =
-            getInstance(USER_MNGMT).nextBits();
+            getInstance(INDEX_DEFINITION_MNGMT).nextBits();
 
     private final Data d;
 
@@ -315,6 +317,9 @@ public final class PrivilegeBits impleme
         if ((privs & USER_MNGMT) == USER_MNGMT) {
             perm |= Permissions.USER_MANAGEMENT;
         }
+        if ((privs & INDEX_DEFINITION_MNGMT) == INDEX_DEFINITION_MNGMT) {
+            perm |= Permissions.INDEX_DEFINITION_MANAGEMENT;
+        }
         return perm;
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.java
Tue Feb 18 16:21:09 2014
@@ -216,4 +216,11 @@ public interface PrivilegeConstants {
      * @since OAK 1.0
      */
     String REP_REMOVE_PROPERTIES = "rep:removeProperties";
+
+    /**
+     * Internal (oak) name of the rep:indexDefinitionManagement privilege
+     *
+     * @since OAK 1.0
+     */
+    String REP_INDEX_DEFINITION_MANAGEMENT = "rep:indexDefinitionManagement";
 }

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsTest.java
Tue Feb 18 16:21:09 2014
@@ -560,6 +560,7 @@ public class PrivilegeBitsTest extends A
         simple.put(provider.getBits(REP_ADD_PROPERTIES), Permissions.ADD_PROPERTY);
         simple.put(provider.getBits(REP_ALTER_PROPERTIES), Permissions.MODIFY_PROPERTY);
         simple.put(provider.getBits(REP_REMOVE_PROPERTIES), Permissions.REMOVE_PROPERTY);
+        simple.put(provider.getBits(REP_INDEX_DEFINITION_MANAGEMENT), Permissions.INDEX_DEFINITION_MANAGEMENT);
         for (PrivilegeBits pb : simple.keySet()) {
             long expected = simple.get(pb).longValue();
             assertTrue(expected == PrivilegeBits.calculatePermissions(pb, PrivilegeBits.EMPTY,
true));

Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/IndexManagementTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/IndexManagementTest.java?rev=1569408&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/IndexManagementTest.java
(added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/IndexManagementTest.java
Tue Feb 18 16:21:09 2014
@@ -0,0 +1,240 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.Node;
+import javax.jcr.RepositoryException;
+
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.plugins.index.IndexConstants;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+
+public class IndexManagementTest extends AbstractEvaluationTest {
+
+    public void testDefaultSetup() throws RepositoryException {
+        assertFalse(testSession.hasPermission(path, Permissions.getString(Permissions.INDEX_DEFINITION_MANAGEMENT)));
+    }
+
+    public void testAddOakIndexDefinition() throws Exception {
+        allow(path, privilegesFromName(PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT));
+
+        Node n = testSession.getNode(path);
+        n.addNode(IndexConstants.INDEX_DEFINITIONS_NAME);
+        testSession.save();
+    }
+
+    public void testAddOakIndexWithoutPermission() throws Exception {
+        allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+
+        Node n = testSession.getNode(path);
+        try {
+            n.addNode(IndexConstants.INDEX_DEFINITIONS_NAME);
+            testSession.save();
+            fail("AccessDeniedException expected. Test session is not allowed to add oak:index
node.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    public void testAddIndexDefinition() throws Exception {
+        superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME);
+        superuser.save();
+
+        allow(path, privilegesFromNames(new String[]{PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT,
PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT}));
+        Node n = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+        n.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+        testSession.save();
+    }
+
+    public void testAddIndexDefinitionWithoutPermission() throws Exception {
+        superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME);
+        superuser.save();
+
+        allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+        try {
+            Node n = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+            n.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+            testSession.save();
+            fail("AccessDeniedException expected. Test session is not allowed to add index
definition node.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    public void testModifyIndexDefinition() throws Exception {
+        Node indexDef = superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+        indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+        superuser.save();
+
+        allow(path, privilegesFromName(PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT));
+        Node n = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+        n.setProperty("someProperty", "val");
+        testSession.save();
+    }
+
+    public void testModifyIndexDefinitionWithoutPermission() throws Exception {
+        Node indexDef = superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+        indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+        superuser.save();
+
+        allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+        try {
+            Node n = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+            n.setProperty("someProperty", "val");
+            testSession.save();
+            fail("AccessDeniedException expected. Test session is not allowed to add index
definition property.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    public void testModifyIndexDefinitionWithoutPermission2() throws Exception {
+        Node indexDef = superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+        indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+        superuser.save();
+
+        allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+        try {
+            Node n = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+            n.addNode("customNode");
+            testSession.save();
+            fail("AccessDeniedException expected. Test session is not allowed to add index
definition node.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    public void testModifyIndexDefinitionWithoutPermission3() throws Exception {
+        Node indexDef = superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+        indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+        indexDef.setProperty("customProp", "val");
+        superuser.save();
+
+        allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+        try {
+            Node n = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+            n.getProperty("customProp").setValue("val2");
+            testSession.save();
+            fail("AccessDeniedException expected. Test session is not allowed to modify index
definition property.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    public void testModifyIndexDefinitionWithoutPermission4() throws Exception {
+        Node indexDef = superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+        indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+        indexDef.setProperty("customProp", "val");
+        superuser.save();
+
+        allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+        try {
+            Node n = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+            n.getProperty("customProp").remove();
+            testSession.save();
+            fail("AccessDeniedException expected. Test session is not allowed to remove index
definition property.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    public void testRemoveIndexDefinition() throws Exception {
+        Node indexDef = superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+        indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+        superuser.save();
+
+        allow(path, privilegesFromName(PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT));
+        Node n = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+        n.remove();
+        testSession.save();
+    }
+
+    public void testRemoveIndexDefinitionWithoutPermission() throws Exception {
+        Node indexDef = superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+        indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+        superuser.save();
+
+        allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+        try {
+            Node n = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
+            n.remove();
+            testSession.save();
+            fail("AccessDeniedException expected. Test session is not allowed to remove index
definition node.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    public void testRemoveOakIndex() throws Exception {
+        Node indexDef = superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+        indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+        superuser.save();
+
+        allow(path, privilegesFromName(PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT));
+        Node n = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME);
+        n.remove();
+        testSession.save();
+    }
+
+    public void testRemoveOakIndexWithoutPermission() throws Exception {
+        Node indexDef = superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+        indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+        superuser.save();
+
+        allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+        try {
+            Node n = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME);
+            n.remove();
+            testSession.save();
+            fail("AccessDeniedException expected. Test session is not allowed to remove oak:index.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    public void testAddAccessControlToIndexDefinition() throws Exception {
+        allow(path, privilegesFromNames(new String[] {PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT,
PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT}));
+
+        try {
+            Node n = testSession.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+            n.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+            AccessControlUtils.addAccessControlEntry(testSession, n.getPath(), testUser.getPrincipal(),
new String[] {PrivilegeConstants.JCR_ALL}, true);
+            testSession.save();
+            fail("Missing rep:modifyAccessControl privilege");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    public void testVersionableIndexDefinition() throws Exception {
+        allow(path, privilegesFromNames(new String[] {PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT,
PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT}));
+
+        try {
+            Node n = testSession.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex",
IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
+            n.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
+            n.addMixin(JcrConstants.MIX_VERSIONABLE);
+            testSession.save();
+            fail("Missing rep:versionManagement privilege");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+}

Propchange: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/IndexManagementTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java
Tue Feb 18 16:21:09 2014
@@ -24,22 +24,21 @@ import javax.jcr.security.AccessControlP
 import javax.jcr.security.Privilege;
 
 import org.apache.jackrabbit.api.JackrabbitWorkspace;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.test.NotExecutableException;
 import org.junit.Test;
 
 /**
- * Permission evaluation tests related to {@link #REP_PRIVILEGE_MANAGEMENT} privilege.
+ * Permission evaluation tests related to {@link org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants#REP_PRIVILEGE_MANAGEMENT}
privilege.
  */
 public class PrivilegeManagementTest extends AbstractEvaluationTest {
 
-    private static final String REP_PRIVILEGE_MANAGEMENT = "rep:privilegeManagement";
-
     @Override
     protected void setUp() throws Exception {
         super.setUp();
 
         // test user must not be allowed
-        assertHasRepoPrivilege(REP_PRIVILEGE_MANAGEMENT, false);
+        assertHasRepoPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT, false);
     }
 
     @Override
@@ -85,21 +84,21 @@ public class PrivilegeManagementTest ext
 
     @Test
     public void testModifyPrivilegeMgtPrivilege() throws Exception {
-        modify(null, REP_PRIVILEGE_MANAGEMENT, true);
-        assertHasRepoPrivilege(REP_PRIVILEGE_MANAGEMENT, true);
+        modify(null, PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT, true);
+        assertHasRepoPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT, true);
 
-        modify(null, REP_PRIVILEGE_MANAGEMENT, false);
-        assertHasRepoPrivilege(REP_PRIVILEGE_MANAGEMENT, false);
+        modify(null, PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT, false);
+        assertHasRepoPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT, false);
     }
 
     @Test
     public void testRegisterPrivilegeWithPrivilege() throws Exception {
-        modify(null, REP_PRIVILEGE_MANAGEMENT, true);
+        modify(null, PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT, true);
         try {
             Workspace testWsp = testSession.getWorkspace();
             ((JackrabbitWorkspace) testWsp).getPrivilegeManager().registerPrivilege(getNewPrivilegeName(testWsp),
false, new String[0]);
         } finally {
-            modify(null, REP_PRIVILEGE_MANAGEMENT, false);
+            modify(null, PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT, false);
         }
     }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerTest.java?rev=1569408&r1=1569407&r2=1569408&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerTest.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerTest.java
Tue Feb 18 16:21:09 2014
@@ -116,6 +116,7 @@ public class PrivilegeManagerTest extend
         assertTrue(aggr.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_WORKSPACE_MANAGEMENT)));
         assertTrue(aggr.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT)));
         assertTrue(aggr.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_USER_MANAGEMENT)));
+        assertTrue(aggr.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_INDEX_DEFINITION_MANAGEMENT)));
 
         // there may be no privileges left
         assertTrue(aggr.isEmpty());



Mime
View raw message