Index: oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java (revision e4f36479f75a5cc44539bef039614cf148f43a9c) +++ oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java (revision ) @@ -20,9 +20,11 @@ import javax.jcr.Credentials; import javax.jcr.NoSuchWorkspaceException; import javax.jcr.SimpleCredentials; +import javax.jcr.security.AccessControlManager; import javax.security.auth.login.Configuration; import javax.security.auth.login.LoginException; +import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager; import org.apache.jackrabbit.api.security.user.UserManager; import org.apache.jackrabbit.oak.api.ContentRepository; import org.apache.jackrabbit.oak.api.ContentSession; @@ -36,6 +38,7 @@ import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authentication.ConfigurationUtil; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration; import org.apache.jackrabbit.oak.spi.security.user.util.UserUtility; import org.junit.After; 
@@ -107,5 +110,15 @@ userManager = getUserConfiguration().getUserManager(root, namePathMapper); } return userManager; + } + + protected JackrabbitAccessControlManager getAccessControlManager(Root root) { + PermissionProvider pp = null; // TODO + AccessControlManager acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, NamePathMapper.DEFAULT, pp); + if (acMgr instanceof JackrabbitAccessControlManager) { + return (JackrabbitAccessControlManager) acMgr; + } else { + throw new UnsupportedOperationException("Expected JackrabbitAccessControlManager found " + acMgr.getClass()); + } } } Index: oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java (revision e4f36479f75a5cc44539bef039614cf148f43a9c) +++ oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java (revision ) @@ -17,10 +17,8 @@ package org.apache.jackrabbit.oak.spi.security.authorization; import javax.jcr.NamespaceRegistry; -import javax.jcr.security.AccessControlManager; import javax.jcr.security.Privilege; -import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager; import org.apache.jackrabbit.api.security.authorization.PrivilegeManager; import org.apache.jackrabbit.api.security.principal.PrincipalManager; import org.apache.jackrabbit.oak.AbstractSecurityTest; 
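Review bot: `getAccessControlManager` passes a `null` PermissionProvider (`PermissionProvider pp = null; // TODO`) into `getAccessControlManager(root, NamePathMapper.DEFAULT, pp)`, and moving the helper up to AbstractSecurityTest makes that shortcut available to every security test. How the manager behaves with a null provider is not visible here, so policies set through this helper may not face the privilege checks a real session would; the TODO should say so, e.g. `// TODO: pass the session's PermissionProvider; with null, AC edits are presumably not permission-checked`. The `else` branch also calls `acMgr.getClass()`, so a null manager from the configuration surfaces as a NullPointerException instead of the intended UnsupportedOperationException.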
@@ -28,7 +26,6 @@ import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.plugins.name.ReadWriteNamespaceRegistry; -import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; /** @@ -64,16 +61,6 @@ privs[i] = getPrivilegeManager().getPrivilege(privilegeNames[i]); } return privs; - } - - protected JackrabbitAccessControlManager getAccessControlManager(Root root) { - PermissionProvider pp = null; // TODO - AccessControlManager acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, NamePathMapper.DEFAULT, pp); - if (acMgr instanceof JackrabbitAccessControlManager) { - return (JackrabbitAccessControlManager) acMgr; - } else { - throw new UnsupportedOperationException("Expected JackrabbitAccessControlManager found " + acMgr.getClass()); - } } protected RestrictionProvider getRestrictionProvider() { @@ -93,4 +80,4 @@ } return privMgr; } -} \ No newline at end of file +} Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java (revision e4f36479f75a5cc44539bef039614cf148f43a9c) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java (revision ) 
@@ -20,6 +20,7 @@ import java.util.Collections; import java.util.List; import java.util.Set; + import javax.annotation.Nonnull; import javax.jcr.security.AccessControlManager; Index: oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java (revision e4f36479f75a5cc44539bef039614cf148f43a9c) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java (revision ) @@ -18,12 +18,19 @@ */ package org.apache.jackrabbit.oak.core; +import static com.google.common.base.Preconditions.checkArgument; +import static com.google.common.base.Preconditions.checkNotNull; +import static org.apache.jackrabbit.oak.commons.PathUtils.elements; +import static org.apache.jackrabbit.oak.commons.PathUtils.getName; +import static org.apache.jackrabbit.oak.commons.PathUtils.getParentPath; + import java.io.IOException; import java.io.InputStream; import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.Collections; import java.util.List; + import javax.annotation.Nonnull; import javax.jcr.UnsupportedRepositoryOperationException; import javax.security.auth.Subject; @@ -63,12 +70,6 @@ import org.apache.jackrabbit.oak.spi.state.NodeStoreBranch; import org.apache.jackrabbit.oak.util.TODO; -import static com.google.common.base.Preconditions.checkArgument; -import static com.google.common.base.Preconditions.checkNotNull; -import static org.apache.jackrabbit.oak.commons.PathUtils.elements; -import static org.apache.jackrabbit.oak.commons.PathUtils.getName; -import static org.apache.jackrabbit.oak.commons.PathUtils.getParentPath; - public class RootImpl implements Root { /** 
@@ -499,7 +500,7 @@ @Override protected void addExistingNode(NodeBuilder builder, String name, NodeState after) { - conflict(); + builder.setNode(name, after); } @Override Index: oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/RootImplWithACLTest.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/RootImplWithACLTest.java (revision ) +++ oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/RootImplWithACLTest.java (revision ) 
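Review bot: In `addExistingNode`, `builder.setNode(name, after)` now resolves an add-versus-existing collision by replacing the node already in the store with the session's transient copy, where `conflict()` used to stop the merge. For a session that cannot read the existing node (the case the new RootImplWithACLTest sets up with a deny on `/nodeName1`), the overwrite is only stopped if a later permission check rejects the commit, and that check is not visible in this hunk. I would document the reliance on the line itself, e.g. `// intentional overwrite: the existing node may be hidden by ACLs; permission validation on commit must reject an unauthorised replacement`, and confirm the other conflict handlers of this class were reviewed for the same hidden-node case. The enclosing class begins and ends outside the hunk.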
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.jackrabbit.oak.security.authorization;
+
+import static org.apache.jackrabbit.JcrConstants.NT_UNSTRUCTURED;
+import static org.junit.Assert.assertTrue;
+
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+
+import javax.jcr.NoSuchWorkspaceException;
+import javax.jcr.RepositoryException;
+import javax.jcr.SimpleCredentials;
+import javax.jcr.security.AccessControlManager;
+import javax.security.auth.login.LoginException;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.CommitFailedException;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.Before;
+import org.junit.Test;
+
+public class RootImplWithACLTest extends AbstractSecurityTest {
+ private String userId = "test";
+ private Principal userPrincipal;
+
+ @Before
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ User user = getUserManager().createUser(userId, userId);
+ userPrincipal = user.getPrincipal();;
+
+ NodeUtil rootNode = new NodeUtil(root.getTree("/"));
+
+ NodeUtil testNode = rootNode.addChild("nodeName1", NT_UNSTRUCTURED);
+ testNode.setString("propName1", "strValue");
+ NodeUtil testNode2 = testNode.addChild("nodeName2", NT_UNSTRUCTURED);
+ testNode2.setString("propName2", "strValue");
+ NodeUtil testNode3 = testNode.addChild("nodeName3", NT_UNSTRUCTURED);
+ testNode3.setString("propName3", "strValue");
+ root.commit();
+ }
+
+ private void setupPermission(Principal principal, String path, boolean isAllow,
+ int index, String privilegeName) throws CommitFailedException, RepositoryException {
+
+ AccessControlManager acMgr = getAccessControlManager(root);
+ JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, path);
+ acl.addEntry(principal,AccessControlUtils.privilegesFromNames(acMgr, privilegeName) , isAllow);
+ acMgr.setPolicy(path, acl);
+ root.commit();
+ }
+
+ private ContentSession createContentSession(final String username) throws LoginException, NoSuchWorkspaceException, PrivilegedActionException {
+ return login(new SimpleCredentials(userId, userId.toCharArray()));
+ }
+
+ @Test
+ public void testSetTree() throws CommitFailedException, LoginException, PrivilegedActionException, RepositoryException{
+ setupPermission(userPrincipal, "/", true, 0, PrivilegeConstants.JCR_ALL);
+ setupPermission(userPrincipal, "/nodeName1", false, 0, PrivilegeConstants.JCR_ALL);
+ setupPermission(userPrincipal, "/nodeName1/nodeName3", true, 0, PrivilegeConstants.JCR_ALL);
+ ContentSession session = createContentSession(userId);
+ Root rootTestUser = session.getLatestRoot();
+ Tree rootTree = rootTestUser.getTree("/");
+ Tree nn1 = rootTree.addChild("nodeName1");
+ try {
+ rootTestUser.commit();
+ } catch (CommitFailedException e) {
+ assertTrue(e.isAccessViolation());
+ }
+ }
+
+}
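Review bot: `testSetTree` passes when `rootTestUser.commit()` succeeds, because nothing follows the call inside the `try`; the `assertTrue(e.isAccessViolation())` check only runs if an exception happens to be thrown, so the test cannot catch a regression in which the denied user's write is accepted. Add `fail("commit must be rejected for a user denied on /nodeName1");` directly after `rootTestUser.commit();`, together with `import static org.junit.Assert.fail;`. Separately, `createContentSession(final String username)` ignores `username` and always logs in as `userId`, `setupPermission` never uses `index`, and the `ContentSession` opened in the test is never closed.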