jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1581745 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/restriction/ test/java/org/apache/jackrabbit/oak/security/authorization/restriction/
Date Wed, 26 Mar 2014 08:42:14 GMT
Author: angela
Date: Wed Mar 26 08:42:14 2014
New Revision: 1581745

URL: http://svn.apache.org/r1581745
Log:
OAK-1612 : Limit number of wildcards in rep:glob

Added:
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPatternTest.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java?rev=1581745&r1=1581744&r2=1581745&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java
Wed Mar 26 08:42:14 2014
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
 
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
+import javax.jcr.security.AccessControlException;
 
 import com.google.common.base.Objects;
 import org.apache.jackrabbit.oak.api.PropertyState;
@@ -67,6 +68,7 @@ import static com.google.common.base.Pre
 final class GlobPattern implements RestrictionPattern {
 
     private static final char WILDCARD_CHAR = '*';
+    private static final int MAX_WILDCARD = 20;
 
     private final String path;
     private final String restriction;
@@ -102,6 +104,18 @@ final class GlobPattern implements Restr
         return new GlobPattern(nodePath, restrictions);
     }
 
+    static void validate(@Nonnull String restriction) throws AccessControlException {
+        int cnt = 0;
+        for (int i = 0; i < restriction.length(); i++) {
+            if (WILDCARD_CHAR == restriction.charAt(i)) {
+                cnt++;
+            }
+            if (cnt > MAX_WILDCARD) {
+                throw new AccessControlException("Number of wildcards in rep:glob exceeds
allowed complexity.");
+            }
+        }
+    }
+
     //-------------------------------------------------< RestrictionPattern >---
     @Override
     public boolean matches(@Nonnull Tree tree, @Nullable PropertyState property) {
@@ -204,7 +218,7 @@ final class GlobPattern implements Restr
             }
             char[] tm = (toMatch.endsWith("/")) ? toMatch.substring(0, toMatch.length()-1).toCharArray()
: toMatch.toCharArray();
             // shortcut didn't reveal mismatch -> need to process the internal match method.
-            return matches(patternChars, 0, tm, 0);
+            return matches(patternChars, 0, tm, 0, MAX_WILDCARD);
         }
 
         /**
@@ -216,7 +230,12 @@ final class GlobPattern implements Restr
          * @return {@code true} if matches, {@code false} otherwise
          */
         private boolean matches(char[] pattern, int pOff,
-                                char[] s, int sOff) {
+                                char[] s, int sOff, int cnt) {
+
+            if (cnt <= 0) {
+                throw new IllegalArgumentException("Illegal glob pattern " + GlobPattern.this);
+            }
+
             int pLength = pattern.length;
             int sLength = s.length;
 
@@ -240,8 +259,9 @@ final class GlobPattern implements Restr
                         return true;
                     }
 
+                    cnt--;
                     while (true) {
-                        if (matches(pattern, pOff, s, sOff)) {
+                        if (matches(pattern, pOff, s, sOff, cnt)) {
                             return true;
                         }
                         if (sOff >= sLength) {

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java?rev=1581745&r1=1581744&r2=1581745&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
Wed Mar 26 08:42:14 2014
@@ -19,6 +19,7 @@ package org.apache.jackrabbit.oak.securi
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import javax.jcr.security.AccessControlException;
 
 import com.google.common.collect.ImmutableMap;
 import org.apache.felix.scr.annotations.Component;
@@ -91,4 +92,15 @@ public class RestrictionProviderImpl ext
             }
         }
     }
+
+    @Override
+    public void validateRestrictions(String oakPath, Tree aceTree) throws AccessControlException
{
+        super.validateRestrictions(oakPath, aceTree);
+
+        Tree restrictionsTree = getRestrictionsTree(aceTree);
+        PropertyState glob = restrictionsTree.getProperty(REP_GLOB);
+        if (glob != null) {
+            GlobPattern.validate(glob.getValue(Type.STRING));
+        }
+    }
 }

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPatternTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPatternTest.java?rev=1581745&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPatternTest.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPatternTest.java
Wed Mar 26 08:42:14 2014
@@ -0,0 +1,350 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.jackrabbit.oak.security.authorization.restriction;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class GlobPatternTest {
+
+    private static void assertMatch(GlobPattern gp, String testPath, Boolean expectedResult)
{
+        Boolean match = Boolean.valueOf(gp.matches(testPath));
+        assertEquals("Pattern : " + gp + "; TestPath : " + testPath, expectedResult, match);
+    }
+
+    @Test
+    public void testMatchesWildcardAll() {
+
+        Map<String,Boolean> tests = new HashMap<String,Boolean>();
+
+        // restriction "*" matches /foo, all siblings of foo and foo's and the siblings'
descendants
+        GlobPattern gp = GlobPattern.create("/a/b/c", "*");
+        // matching
+        tests.put("/a/b/c", true);        // foo itself
+        tests.put("/a/b/c/d", true);      // child of foo
+        tests.put("/a/b/c/d/e", true);    // child of foo
+        tests.put("/a/b/c/d/e/f", true);  // child of foo
+        tests.put("/a/b/cde", true);      // sibling
+        tests.put("/a/b/cde/e/f", true);  // child of the sibling
+        // not-matching
+        tests.put("/", false);
+        tests.put("/a", false);
+        tests.put("/b/c", false);
+
+        for (String testPath : tests.keySet()) {
+            assertMatch(gp, testPath, tests.get(testPath));
+        }
+
+        // restriction "*cat" matches all siblings and descendants of /foo that have a name
ending with cat
+        gp = GlobPattern.create("/a/b/c", "*e");
+        tests = new HashMap<String,Boolean>();
+        // matching
+        tests.put("/a/b/c/e", true);      // descendant with name segment 'e'
+        tests.put("/a/b/c/d/e", true);    // descendant with name segment 'e'
+        tests.put("/a/b/c/gge", true);    // descendant with name segment ending with 'e'
+        tests.put("/a/b/c/d/gge", true);  // descendant with name segment ending with 'e'
+        tests.put("/a/b/ce", true);       // sibling whose name ends with 'e'
+        tests.put("/a/b/chee", true);     // sibling whose name ends with 'e'
+        tests.put("/a/b/cd/e", true);     // descendant of sibling named 'e'
+        tests.put("/a/b/cd/f/e", true);   // descendant of sibling named 'e'
+        tests.put("/a/b/cd/e", true);     // descendant of sibling with name ending with
'e'
+        tests.put("/a/b/cd/f/e", true);   // descendant of sibling with name ending with
'e'
+        // not-matching
+        tests.put("/", false);
+        tests.put("/a", false);
+        tests.put("/b/c", false);
+        tests.put("/a/b/c", false);
+        tests.put("/a/b/c/d", false);
+        tests.put("/a/b/c/d/e/f", false);
+        tests.put("/a/b/c/d/f/e/f", false);
+        tests.put("/a/b/c/d/f/efg", false);
+        tests.put("/a/b/c/d/f/f", false);
+        tests.put("/a/b/c/e/f", false);
+        tests.put("/a/b/ce/", false);
+        tests.put("/a/b/ceg", false);
+
+        for (String testPath : tests.keySet()) {
+            assertMatch(gp, testPath, tests.get(testPath));
+        }
+
+        // restriction "*/cat" matches all descendants of /foo and foo's siblings that have
a name segment "cat"
+        gp = GlobPattern.create("/a/b/c", "*/e");
+        tests = new HashMap<String,Boolean>();
+        // matching
+        tests.put("/a/b/c/e", true);      // descendant with name segment 'e'
+        tests.put("/a/b/c/d/e", true);    // descendant with name segment 'e'
+        tests.put("/a/b/cd/e", true);     // descendant of sibling named 'e'
+        tests.put("/a/b/cd/f/e", true);   // descendant of sibling named 'e'
+        // not-matching
+        tests.put("/", false);
+        tests.put("/a", false);
+        tests.put("/b/c", false);
+        tests.put("/a/b/c", false);
+        tests.put("/a/b/c/d", false);
+        tests.put("/a/b/c/d/e/f", false);
+        tests.put("/a/b/c/d/f/e/f", false);
+        tests.put("/a/b/c/d/f/efg", false);
+        tests.put("/a/b/c/d/f/f", false);
+        tests.put("/a/b/c/e/f", false);
+        tests.put("/a/b/ce/", false);
+
+        for (String testPath : tests.keySet()) {
+            assertMatch(gp, testPath, tests.get(testPath));
+        }
+
+        // matches target path '/a/b/c/e', all siblings whose name starts with e
+        // and child nodes of either.
+        gp = GlobPattern.create("/a/b/c/e", "*");
+        tests = new HashMap<String,Boolean>();
+        // matching
+        tests.put("/a/b/c/e/f/g/h", true);
+        tests.put("/a/b/c/e/d/e/f", true);
+        tests.put("/a/b/c/e/d/e/f", true);
+        tests.put("/a/b/c/e", true);
+        tests.put("/a/b/c/e/", true);
+        tests.put("/a/b/c/ef", true);
+        tests.put("/a/b/c/ef/g", true);
+        // not-matching
+        tests.put("/a/b/ce/f/g/h", false);
+        tests.put("/a/b/ce/d/e/f", false);
+        tests.put("/a/b/c", false);
+        tests.put("/a/b/c/d", false);
+        tests.put("/a/b/c/d/e/f", false);
+        tests.put("/a/b/c/d/f/f", false);
+        tests.put("/a/b/c/d/f/e/f", false);
+        tests.put("/a/b/cee/d/e/f", false);
+
+        for (String testPath : tests.keySet()) {
+            assertMatch(gp, testPath, tests.get(testPath));
+        }
+
+        // all descendants of '/a/b/c/e'
+        gp = GlobPattern.create("/a/b/c/e", "/*");
+        tests = new HashMap<String,Boolean>();
+        // matching
+        tests.put("/a/b/c/e/f/g/h", true);
+        tests.put("/a/b/c/e/d/e/f", true);
+        // not-matching
+        tests.put("/a/b/c/e", false);  // not matching node path
+        tests.put("/a/b/c/e/", false); // not matching node path + /
+        tests.put("/a/b/c/ef", false); // not matching siblings of node path
+        tests.put("/a/b/ce/f/g/h", false);
+        tests.put("/a/b/ce/d/e/f", false);
+        tests.put("/a/b/c", false);
+        tests.put("/a/b/c/d", false);
+        tests.put("/a/b/c/d/e", false);
+        tests.put("/a/b/c/d/e/f", false);
+        tests.put("/a/b/c/d/f/f", false);
+        tests.put("/a/b/c/d/f/e/f", false);
+        tests.put("/a/b/cee/d/e/f", false);
+
+        for (String testPath : tests.keySet()) {
+            assertMatch(gp, testPath, tests.get(testPath));
+        }
+
+        // all descendants of '/a/b/ce'
+        gp = GlobPattern.create("/a/b/c", "e/*");
+        tests = new HashMap<String,Boolean>();
+        // not-matching
+        tests.put("/a/b/ce/f/g/h", true);
+        tests.put("/a/b/ce/d/e/f", true);
+        // not-matching
+        tests.put("/a/b/c", false);
+        tests.put("/a/b/ce", false);
+        tests.put("/a/b/c/d", false);
+        tests.put("/a/b/c/d/e", false);
+        tests.put("/a/b/c/d/e/f", false);
+        tests.put("/a/b/c/d/f/f", false);
+        tests.put("/a/b/c/d/f/e/f", false);
+        tests.put("/a/b/cee/d/e/f", false);
+        tests.put("/a/b/ce/", false);       // missing * after ce/
+
+        for (String testPath : tests.keySet()) {
+            assertMatch(gp, testPath, tests.get(testPath));
+        }
+
+        // all descendants of '/'
+        gp = GlobPattern.create("/", "*");
+        tests = new HashMap<String,Boolean>();
+        // matching
+        tests.put("/a", true);
+        tests.put("/b/", true);
+        tests.put("/c/d", true);
+        tests.put("/a/b/ce/", true);
+        tests.put("/a/b/ce/f/g/h", true);
+        tests.put("/a/b/ce/d/e/f", true);
+        // not-matching
+        tests.put("/", false);
+
+        for (String testPath : tests.keySet()) {
+            assertMatch(gp, testPath, tests.get(testPath));
+        }
+
+        // restriction "*e/*" matches all descendants of /foo that have an intermediate segment
ending with 'e'
+        gp = GlobPattern.create("/a/b/c", "*e/*");
+        tests = new HashMap<String,Boolean>();
+        // matching
+        tests.put("/a/b/ceeeeeee/f/g/h", true);
+        tests.put("/a/b/cde/d/e/f", true);
+        tests.put("/a/b/c/d/e/f", true);
+        tests.put("/a/b/ced/d/e/f", true);
+        // not-matching
+        tests.put("/a/b/ce/", false);      // ignore trailing / in test path
+        tests.put("/a/b/c/d/e/", false);   // ignore trailing / in test path
+        tests.put("/a/b/c/d", false);      // missing *e/*
+        tests.put("/a/b/c/d/e", false);    // missing /*
+        tests.put("/a/b/c/d/f/f", false);  // missing *e
+        tests.put("/a/b/c/ed/f/f", false); // missing e/
+
+        for (String testPath : tests.keySet()) {
+            assertMatch(gp, testPath, tests.get(testPath));
+        }
+
+        //  restriction /*cat  matches all children of /a/b/c whose path ends with "cat"
+        gp = GlobPattern.create("/a/b/c", "/*cat");
+        tests = new HashMap<String,Boolean>();
+        // matching
+        tests.put("/a/b/c/cat", true);
+        tests.put("/a/b/c/acat", true);
+        tests.put("/a/b/c/f/cat", true);
+        tests.put("/a/b/c/f/acat", true);
+        // not-matching
+        tests.put("/a/b/c/d", false);
+        tests.put("/a/b/c/d/cat/e", false);  // cat only intermediate segment
+        tests.put("/a/b/c/d/acat/e", false);  // cat only intermediate segment
+        tests.put("/a/b/c/d/cata/e", false);  // cat only intermediate segment
+        tests.put("/a/b/c/d/cate", false);
+        tests.put("/a/b/cat", false);        // siblings do no match
+        tests.put("/a/b/cat/ed/f/f", false); // ... nor do siblings' children
+        tests.put("/a/b/ced/cat", false);    // ... nor do siblings' children
+
+        for (String testPath : tests.keySet()) {
+            assertMatch(gp, testPath, tests.get(testPath));
+        }
+
+        //  restriction /*/cat  matches all non-direct descendants of /foo named "cat"
+        gp = GlobPattern.create("/a/b/c", "/*/cat");
+        tests = new HashMap<String,Boolean>();
+        // matching
+        tests.put("/a/b/c/a/cat", true);
+        tests.put("/a/b/c/d/e/f/cat", true);
+        // not-matching
+        tests.put("/a/b/c/cat", false);
+        tests.put("/a/b/c/cate", false);
+        tests.put("/a/b/c/acat", false);
+        tests.put("/a/b/c/cat/d", false);
+        tests.put("/a/b/c/d/acat", false);
+        tests.put("/a/b/c/d/cate", false);
+        tests.put("/a/b/c/d/cat/e", false);   // cat only intermediate segment
+        tests.put("/a/b/c/d/acat/e", false);  // cat only intermediate segment
+        tests.put("/a/b/c/d/cata/e", false);  // cat only intermediate segment
+        tests.put("/a/b/cat", false);        // siblings do no match
+        tests.put("/a/b/cat/ed/f/f", false); // ... nor do siblings' children
+        tests.put("/a/b/ced/cat", false);    // ... nor do siblings' children
+        tests.put("/a/b/ced/f/cat", false);  // ... nor do siblings' children
+
+        for (String testPath : tests.keySet()) {
+            assertMatch(gp, testPath, tests.get(testPath));
+        }
+
+        //  restriction /cat* matches all descendant paths of /foo that have the
+        //  direct foo-descendant segment starting with "cat"
+        gp = GlobPattern.create("/a/b/c", "/cat*");
+        tests = new HashMap<String,Boolean>();
+        // matching
+        tests.put("/a/b/c/cat", true);
+        tests.put("/a/b/c/cats", true);
+        tests.put("/a/b/c/cat/s", true);
+        tests.put("/a/b/c/cats/d/e/f", true);
+        // not-matching
+        tests.put("/a/b/c/d/cat", false);
+        tests.put("/a/b/c/d/cats", false);
+        tests.put("/a/b/c/d/e/cat", false);
+        tests.put("/a/b/c/d/e/cats", false);
+        tests.put("/a/b/c/acat", false);
+        tests.put("/a/b/c/d/acat", false);
+        tests.put("/a/b/c/d/cat/e", false);
+        tests.put("/a/b/c/d/acat/e", false);
+        tests.put("/a/b/c/d/cata/e", false);
+        tests.put("/a/b/cat", false);        // siblings do no match
+        tests.put("/a/b/cat/ed/f/f", false); // ... nor do siblings' children
+        tests.put("/a/b/ced/cat", false);    // ... nor do siblings' children
+        tests.put("/a/b/ced/f/cat", false);  // ... nor do siblings' children
+
+        for (String testPath : tests.keySet()) {
+            assertMatch(gp, testPath, tests.get(testPath));
+        }
+    }
+
+    @Test
+    public void testEmptyRestriction() {
+        GlobPattern gp = GlobPattern.create("/", "");
+        Map<String,Boolean> tests = new HashMap<String,Boolean>();
+        tests.put("/", true);
+
+        tests.put("/a/b/c/d", false);
+        tests.put("/a/b/c/d/e", false);
+        tests.put("/a/b/c/d/e/f", false);
+        tests.put("/a/b/c", false);
+        tests.put("/a", false);
+        tests.put("/a/b/cde", false);
+
+        for (String toTest : tests.keySet()) {
+            assertTrue(gp + " : " + toTest, tests.get(toTest) == gp.matches(toTest));
+        }
+
+        gp = GlobPattern.create("/a/b/c", "");
+
+        tests = new HashMap<String,Boolean>();
+        tests.put("/a/b/c", true);
+
+        tests.put("/a/b/c/d", false);
+        tests.put("/a/b/c/d/e", false);
+        tests.put("/a/b/c/d/e/f", false);
+        tests.put("/", false);
+        tests.put("/a", false);
+        tests.put("/a/b/cde", false);
+
+        for (String toTest : tests.keySet()) {
+            assertTrue(gp + " : " + toTest, tests.get(toTest) == gp.matches(toTest));
+        }
+    }
+
+    @Test
+    public void testMaxOccurrences() {
+        GlobPattern gp = GlobPattern.create("/", "1*/2*/3*/4*/5*/6*/7*/8*/9*/10*/11*/12*/13*/14*/15*/16*/17*/18*/19*/20*/21*");
+        try {
+            gp.matches("/1/2/3/4/5/6/7/8/9/10/11/12/13/14/15/16/17/18/19/20/21");
+            fail();
+        } catch (IllegalArgumentException e) {
+            // success
+        };
+        try {
+            gp.matches("/11/22/33/44/55/66/77/88/99/100/111/122/133/144/155/166/177/188/199/200/211");
+            fail();
+        } catch (IllegalArgumentException e) {
+            // success
+        };
+    }
+}

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java?rev=1581745&r1=1581744&r2=1581745&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
Wed Mar 26 08:42:14 2014
@@ -16,13 +16,17 @@
  */
 package org.apache.jackrabbit.oak.security.authorization.restriction;
 
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlManager;
 
 import com.google.common.collect.ImmutableList;
-
 import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.api.Type;
@@ -32,6 +36,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.CompositePattern;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.oak.util.NodeUtil;
 import org.junit.Before;
 import org.junit.Test;
@@ -108,4 +113,32 @@ public class RestrictionProviderImplTest
         RestrictionPattern pattern = provider.getPattern("/testPath", restrictions);
         assertTrue(pattern instanceof CompositePattern);
     }
+
+    @Test
+    public void testValidateGlobRestriction() throws Exception {
+        Tree t = new NodeUtil(root.getTree("/")).addChild("testTree", "nt:unstructured").getTree();
+        String path = t.getPath();
+
+        AccessControlManager acMgr = getAccessControlManager(root);
+
+        List<String> globs = ImmutableList.of(
+                "/1*/2*/3*/4*/5*/6*/7*/8*/9*/10*/11*/12*/13*/14*/15*/16*/17*/18*/19*/20*/21*",
+                "*********************");
+        for (String glob : globs) {
+            JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr,
path);
+            acl.addEntry(getTestPrincipal(),
+                    AccessControlUtils.privilegesFromNames(acMgr, PrivilegeConstants.JCR_READ),
+                    true, Collections.singletonMap(REP_GLOB, getValueFactory().createValue(glob)));
+            acMgr.setPolicy(path, acl);
+
+            try {
+                provider.validateRestrictions(path, t.getChild(REP_POLICY).getChild("allow"));
+                fail("AccessControlException expected.");
+            } catch (AccessControlException e) {
+                // success
+            } finally {
+                acMgr.removePolicy(path, acl);
+            }
+        }
+    }
 }
\ No newline at end of file



Mime
View raw message