
Example 11 with PrivilegeBits

use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits in project jackrabbit-oak by apache.

Class PrivilegeValidator, method validateDefinition.

/**
 * Validates a new privilege definition before it is committed. The checks run
 * in the order listed below and the first failure aborts the commit with a
 * {@code CONSTRAINT} violation carrying the given error code:
 * <ul>
 * <li>the definition must carry non-empty privilege bits (48);</li>
 * <li>a non-aggregate privilege must use bits that do not already resolve to
 *     an existing privilege name (49), and the stored "next" bits must have
 *     been advanced (delegated to {@code validateNext});</li>
 * <li>an aggregate must declare more than one aggregate name, since a
 *     singular aggregation is just an alias of the existing privilege (50);</li>
 * <li>every declared aggregate must already be registered in the definitions
 *     read from {@code rootBefore} (51) &mdash; presumably the repository state
 *     before this commit, so members cannot be introduced in the same commit;</li>
 * <li>the aggregation must not be circular (52);</li>
 * <li>no existing aggregate may declare the same set of names, or resolve to
 *     the same net set of privileges (53);</li>
 * <li>the bits of the new definition must equal the bits computed from its
 *     declared aggregates (53), so an aggregate cannot grant more or less than
 *     the union of its members.</li>
 * </ul>
 *
 * @param definitionTree The new privilege definition tree to validate.
 * @throws CommitFailedException If any of the checks listed above fails.
 */
private void validateDefinition(Tree definitionTree) throws CommitFailedException {
    PrivilegeBits bits = PrivilegeBits.getInstance(definitionTree);
    if (bits.isEmpty()) {
        throw new CommitFailedException(CONSTRAINT, 48, "PrivilegeBits are missing.");
    }

    // names that the new bits already resolve to (empty if the bits are fresh)
    Set<String> existingNamesForBits = bitsProvider.getPrivilegeNames(bits);
    PrivilegeDefinition newDefinition = PrivilegeUtil.readDefinition(definitionTree);
    Set<String> declared = newDefinition.getDeclaredAggregateNames();

    if (declared.isEmpty()) {
        // non-aggregate privilege: bits must be unused and the "next" bits must have moved on
        if (!existingNamesForBits.isEmpty()) {
            throw new CommitFailedException(CONSTRAINT, 49, "PrivilegeBits already in used.");
        }
        validateNext(bits);
        return;
    }

    if (declared.size() == 1) {
        throw new CommitFailedException(CONSTRAINT, 50, "Singular aggregation is equivalent to existing privilege.");
    }

    // aggregation of more than one privilege: members must exist and must not aggregate back
    Map<String, PrivilegeDefinition> registered = new PrivilegeDefinitionReader(rootBefore).readDefinitions();
    for (String member : declared) {
        if (!registered.containsKey(member)) {
            throw new CommitFailedException(CONSTRAINT, 51, "Declared aggregate '" + member + "' is not a registered privilege.");
        }
        if (isCircularAggregation(newDefinition.getName(), member, registered)) {
            throw new CommitFailedException(CONSTRAINT, 52, "Detected circular aggregation within custom privilege caused by " + member);
        }
    }

    // reject duplicates: same declaration, or a different declaration with the same net effect
    Set<String> resolvedNew = resolveAggregates(declared, registered);
    for (PrivilegeDefinition existing : registered.values()) {
        Set<String> existingDeclared = existing.getDeclaredAggregateNames();
        if (existingDeclared.isEmpty()) {
            continue;
        }
        boolean sameDeclaration = declared.equals(existingDeclared);
        if (sameDeclaration || resolvedNew.equals(resolveAggregates(existingDeclared, registered))) {
            throw new CommitFailedException(CONSTRAINT, 53,
                    "Custom aggregate privilege '" + newDefinition.getName() + "' is already covered by '" + existing.getName() + '\'');
        }
    }

    // the stored bits must be exactly those derived from the declared members
    String[] memberNames = declared.toArray(new String[declared.size()]);
    if (!bits.equals(bitsProvider.getBits(memberNames))) {
        throw new CommitFailedException(CONSTRAINT, 53, "Invalid privilege bits for aggregated privilege definition.");
    }
}

Example 12 with PrivilegeBits

use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits in project jackrabbit-oak by apache.

Class JcrAllTest, method testAll.

/**
 * {@code jcr:all} must resolve to non-empty bits, and the reverse lookup of
 * those bits must yield exactly the single name {@code jcr:all}.
 */
@Test
public void testAll() {
    PrivilegeBits allBits = bitsProvider.getBits(JCR_ALL);
    // the aggregate carries bits of its own
    assertFalse(allBits.isEmpty());
    // and those bits map back to jcr:all alone
    assertEquals(Collections.singleton(JCR_ALL), bitsProvider.getPrivilegeNames(allBits));
}

Example 13 with PrivilegeBits

use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits in project jackrabbit-oak by apache.

Class JcrAllTest, method testCalculatePermissionsAll.

/**
 * Permission calculation for {@code jcr:all}: with no bits allowed the result
 * must not be {@code Permissions.ALL}; with all bits allowed it must be.
 */
@Test
public void testCalculatePermissionsAll() {
    PrivilegeBits allBits = bitsProvider.getBits(JCR_ALL);

    long withNothingAllowed = PrivilegeBits.calculatePermissions(allBits, PrivilegeBits.EMPTY, true);
    assertFalse(Permissions.ALL == withNothingAllowed);

    long withEverythingAllowed = PrivilegeBits.calculatePermissions(allBits, allBits, true);
    assertTrue(Permissions.ALL == withEverythingAllowed);
}

Example 14 with PrivilegeBits

use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits in project jackrabbit-oak by apache.

Class L5_PrivilegeContentTest, method testPrivilegeBits.

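/**
 * Exercise scaffold: reads the privilege trees for {@code jcr:read} and
 * {@code rep:write}, obtains their bits, and leaves the comparison to the
 * reader.
 * <p>
 * Fix: {@code writeBits} was previously built from {@code jcrReadTree}, which
 * left {@code repWriteTree} unused and made {@code readBits} and
 * {@code writeBits} identical. It now reads {@code repWriteTree}.
 */
@Test
public void testPrivilegeBits() {
    Tree jcrReadTree = PrivilegeUtil.getPrivilegesTree(root).getChild(PrivilegeConstants.JCR_READ);
    Tree repWriteTree = PrivilegeUtil.getPrivilegesTree(root).getChild(PrivilegeConstants.REP_WRITE);
    PrivilegeBitsProvider provider = new PrivilegeBitsProvider(root);
    PrivilegeBits privilegeBits = provider.getBits(PrivilegeConstants.REP_WRITE, PrivilegeBits.JCR_READ);
    PrivilegeBits readBits = PrivilegeBits.getInstance(jcrReadTree);
    // bits of rep:write come from its own tree, not from the jcr:read tree
    PrivilegeBits writeBits = PrivilegeBits.getInstance(repWriteTree);
    // EXERCISE: play with 'PrivilegeBits' methods to compare 'privilegeBits' with 'readBits' and 'writeBits'
    // EXERCISE: retrieve the property that stores the long representation of each privilege above
}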

Example 15 with PrivilegeBits

use of org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits in project jackrabbit-oak by apache.

Class ACETest, method testGetPrivilegeBits.

/**
 * An ACE's privilege bits must match the bits of the privileges it was
 * created with: single built-in privileges resolve via {@code BUILT_IN},
 * and a combination resolves via the bits provider.
 *
 * @throws RepositoryException if creating an entry fails
 */
@Test
public void testGetPrivilegeBits() throws RepositoryException {
    // single built-in privilege: jcr:read
    ACE readEntry = createEntry(true, PrivilegeConstants.JCR_READ);
    PrivilegeBits readBits = readEntry.getPrivilegeBits();
    assertNotNull(readBits);
    assertEquals(PrivilegeBits.BUILT_IN.get(PrivilegeConstants.JCR_READ), readBits);

    // single built-in privilege: rep:write
    ACE writeEntry = createEntry(true, PrivilegeConstants.REP_WRITE);
    PrivilegeBits writeBits = writeEntry.getPrivilegeBits();
    assertNotNull(writeBits);
    assertEquals(PrivilegeBits.BUILT_IN.get(PrivilegeConstants.REP_WRITE), writeBits);

    // combination of two privileges: resolved through the bits provider
    ACE childNodesEntry = createEntry(true, PrivilegeConstants.JCR_ADD_CHILD_NODES, PrivilegeConstants.JCR_REMOVE_CHILD_NODES);
    PrivilegeBits childNodesBits = childNodesEntry.getPrivilegeBits();
    assertNotNull(childNodesBits);
    PrivilegeBits expectedChildNodesBits =
            getBitsProvider().getBits(PrivilegeConstants.JCR_ADD_CHILD_NODES, PrivilegeConstants.JCR_REMOVE_CHILD_NODES);
    assertEquals(expectedChildNodesBits, childNodesBits);
}
