From 6a7dc21c22d66cbbced8ee7aa475f23e402ba7e6 Mon Sep 17 00:00:00 2001 From: Jukka Zitting Date: Thu, 12 Dec 2013 15:40:16 -0500 Subject: [PATCH] OAK-1247: Non-deterministic access control test failures Make PermissionValidator get the PermissionProvider from the before state instead of from the commit info. This makes the permission checks deterministic and avoids the problem of commits from an unrefreshed session being potentially evaluated against outdated permission settings. --- .../apache/jackrabbit/oak/core/AbstractRoot.java | 16 +++++++------ .../AuthorizationConfigurationImpl.java | 10 ++++----- .../permission/PermissionProviderImpl.java | 4 ++-- .../permission/PermissionValidatorProvider.java | 21 +++++++++-------- .../privilege/PrivilegeConfigurationImpl.java | 6 +++-- .../oak/security/user/UserConfigurationImpl.java | 6 +++-- .../jackrabbit/oak/spi/commit/CommitInfo.java | 26 +--------------------- .../oak/spi/security/CompositeConfiguration.java | 10 ++++++--- .../oak/spi/security/SecurityConfiguration.java | 8 ++++--- .../authorization/AuthorizationConfiguration.java | 1 + .../CompositeAuthorizationConfiguration.java | 2 +- .../OpenAuthorizationConfiguration.java | 2 +- .../AbstractAccessControlManager.java | 9 +++++--- .../permission/PermissionProviderImplTest.java | 2 +- .../permission/PermissionStoreTest.java | 2 +- .../permission/TreePermissionImplTest.java | 2 +- .../oak/spi/commit/BackgroundObserverTest.java | 6 ++--- .../jackrabbit/oak/jcr/session/SessionContext.java | 2 +- 18 files changed, 65 insertions(+), 70 deletions(-) diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/core/AbstractRoot.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/core/AbstractRoot.java index 9ac5c7c..5c751fa 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/core/AbstractRoot.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/core/AbstractRoot.java @@ -22,6 +22,7 @@ import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; import java.util.List; + import javax.annotation.Nonnull; import javax.annotation.Nullable; import javax.security.auth.Subject; @@ -123,7 +124,10 @@ public abstract class AbstractRoot implements Root { private final LazyValue permissionProvider = new LazyValue() { @Override protected PermissionProvider createValue() { - return getAcConfig().getPermissionProvider(AbstractRoot.this, subject.getPrincipals()); + return getAcConfig().getPermissionProvider( + AbstractRoot.this, + getContentSession().getWorkspaceName(), + subject.getPrincipals()); } }; @@ -263,10 +267,8 @@ public abstract class AbstractRoot implements Root { checkLive(); ContentSession session = getContentSession(); CommitInfo info = new CommitInfo( - session.toString(), - session.getAuthInfo().getUserID(), - permissionProvider.get(), moveTracker, message); - base = store.merge(builder, getCommitHook(hook, info), info); + session.toString(), session.getAuthInfo().getUserID(), message); + base = store.merge(builder, getCommitHook(hook), info); secureBuilder.baseChanged(); modCount = 0; if (permissionProvider.hasValue()) { @@ -284,7 +286,7 @@ public abstract class AbstractRoot implements Root { * @return A commit hook combining repository global commit hook(s) with the pluggable hooks * defined with the security modules and the padded {@code hooks}. */ - private CommitHook getCommitHook(@Nullable CommitHook extraHook, @Nonnull CommitInfo commitInfo) { + private CommitHook getCommitHook(@Nullable CommitHook extraHook) { List hooks = newArrayList(); if (extraHook != null) { @@ -303,7 +305,7 @@ public abstract class AbstractRoot implements Root { } } - List validators = sc.getValidators(workspaceName, commitInfo); + List validators = sc.getValidators(workspaceName, subject.getPrincipals(), moveTracker); if (!validators.isEmpty()) { hooks.add(new EditorHook(CompositeEditorProvider.compose(validators))); } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java index 0e8a0a4..ed2aa8e 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java @@ -39,7 +39,7 @@ import org.apache.jackrabbit.oak.security.authorization.permission.PermissionSto import org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidatorProvider; import org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl; import org.apache.jackrabbit.oak.spi.commit.CommitHook; -import org.apache.jackrabbit.oak.spi.commit.CommitInfo; +import org.apache.jackrabbit.oak.spi.commit.MoveTracker; import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; import org.apache.jackrabbit.oak.spi.lifecycle.WorkspaceInitializer; import org.apache.jackrabbit.oak.spi.security.ConfigurationBase; @@ -98,10 +98,10 @@ public class AuthorizationConfigurationImpl extends ConfigurationBase implements } @Override - public List getValidators(String workspaceName, CommitInfo commitInfo) { + public List getValidators(String workspaceName, Set principals, MoveTracker moveTracker) { return ImmutableList.of( new PermissionStoreValidatorProvider(), - new PermissionValidatorProvider(getSecurityProvider(), commitInfo), + new PermissionValidatorProvider(getSecurityProvider(), workspaceName, principals, moveTracker), new AccessControlValidatorProvider(getSecurityProvider())); } @@ -130,8 +130,8 @@ public class AuthorizationConfigurationImpl extends ConfigurationBase implements @Nonnull @Override - public PermissionProvider getPermissionProvider(Root root, Set principals) { - return new PermissionProviderImpl(root, principals, this, permissionEntryCache.createLocalCache()); + public PermissionProvider getPermissionProvider(Root root, String workspaceName, Set principals) { + return new PermissionProviderImpl(root, workspaceName, principals, this, permissionEntryCache.createLocalCache()); } } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java index d75d863..cc634b6 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java @@ -57,11 +57,11 @@ public class PermissionProviderImpl implements PermissionProvider, AccessControl private ImmutableRoot immutableRoot; - public PermissionProviderImpl(@Nonnull Root root, @Nonnull Set principals, + public PermissionProviderImpl(@Nonnull Root root, @Nonnull String workspaceName, @Nonnull Set principals, @Nonnull AuthorizationConfiguration acConfig, @Nonnull PermissionEntryCache.Local cache) { this.root = root; - this.workspaceName = root.getContentSession().getWorkspaceName(); + this.workspaceName = workspaceName; this.acConfig = acConfig; immutableRoot = getImmutableRoot(root, acConfig); diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java index 02bb05e..157f4f4 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java @@ -16,12 +16,15 @@ */ package org.apache.jackrabbit.oak.security.authorization.permission; +import java.security.Principal; +import java.util.Set; + import javax.annotation.Nonnull; +import org.apache.jackrabbit.oak.core.ImmutableRoot; import org.apache.jackrabbit.oak.core.ImmutableTree; import org.apache.jackrabbit.oak.core.TreeTypeProviderImpl; import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager; -import org.apache.jackrabbit.oak.spi.commit.CommitInfo; import org.apache.jackrabbit.oak.spi.commit.MoveTracker; import org.apache.jackrabbit.oak.spi.commit.Validator; import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; @@ -45,14 +48,15 @@ public class PermissionValidatorProvider extends ValidatorProvider { private final AuthorizationConfiguration acConfig; private final long jr2Permissions; - private final CommitInfo commitInfo; + private final String workspaceName; + private final Set principals; private final MoveTracker moveTracker; private ReadOnlyNodeTypeManager ntMgr; private Context acCtx; private Context userCtx; - public PermissionValidatorProvider(SecurityProvider securityProvider, CommitInfo commitInfo) { + public PermissionValidatorProvider(SecurityProvider securityProvider, String workspaceName, Set principals, MoveTracker moveTracker) { this.securityProvider = securityProvider; this.acConfig = securityProvider.getConfiguration(AuthorizationConfiguration.class); @@ -60,8 +64,9 @@ public class PermissionValidatorProvider extends ValidatorProvider { String compatValue = params.getConfigValue(PermissionConstants.PARAM_PERMISSIONS_JR2, null, String.class); jr2Permissions = Permissions.getPermissions(compatValue); - this.commitInfo = commitInfo; - moveTracker = commitInfo.getMoveTracker(); + this.workspaceName = workspaceName; + this.principals = principals; + this.moveTracker = moveTracker; } //--------------------------------------------------< ValidatorProvider >--- @@ -70,9 +75,10 @@ public class PermissionValidatorProvider extends ValidatorProvider { public Validator getRootValidator(NodeState before, NodeState after) { ntMgr = ReadOnlyNodeTypeManager.getInstance(after); - PermissionProvider pp = getPermissionProvider(); ImmutableTree treeBefore = createTree(before); ImmutableTree treeAfter = createTree(after); + PermissionProvider pp = acConfig.getPermissionProvider( + new ImmutableRoot(treeBefore), workspaceName, principals); if (moveTracker.isEmpty()) { return new PermissionValidator(treeBefore, treeAfter, pp, this); @@ -110,7 +116,4 @@ public class PermissionValidatorProvider extends ValidatorProvider { return new ImmutableTree(root, new TreeTypeProviderImpl(getAccessControlContext())); } - private PermissionProvider getPermissionProvider() { - return commitInfo.getPermissionProvider(); - } } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConfigurationImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConfigurationImpl.java index 2bc6e2f..f03904a 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConfigurationImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeConfigurationImpl.java @@ -16,8 +16,10 @@ */ package org.apache.jackrabbit.oak.security.privilege; +import java.security.Principal; import java.util.Collections; import java.util.List; +import java.util.Set; import javax.annotation.Nonnull; @@ -27,7 +29,7 @@ import org.apache.jackrabbit.api.security.authorization.PrivilegeManager; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.spi.commit.CommitHook; -import org.apache.jackrabbit.oak.spi.commit.CommitInfo; +import org.apache.jackrabbit.oak.spi.commit.MoveTracker; import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; import org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer; import org.apache.jackrabbit.oak.spi.security.ConfigurationBase; @@ -70,7 +72,7 @@ public class PrivilegeConfigurationImpl extends ConfigurationBase implements Pri @Nonnull @Override - public List getValidators(String workspaceName, CommitInfo commitInfo) { + public List getValidators(String workspaceName, Set principals, MoveTracker moveTracker) { return Collections.singletonList(new PrivilegeValidatorProvider()); } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java index 9c2b1c6..a46165a 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java @@ -16,8 +16,10 @@ */ package org.apache.jackrabbit.oak.security.user; +import java.security.Principal; import java.util.Collections; import java.util.List; +import java.util.Set; import javax.annotation.Nonnull; @@ -27,7 +29,7 @@ import org.apache.jackrabbit.api.security.user.UserManager; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.security.user.autosave.AutoSaveEnabledManager; -import org.apache.jackrabbit.oak.spi.commit.CommitInfo; +import org.apache.jackrabbit.oak.spi.commit.MoveTracker; import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; import org.apache.jackrabbit.oak.spi.lifecycle.WorkspaceInitializer; import org.apache.jackrabbit.oak.spi.security.ConfigurationBase; @@ -68,7 +70,7 @@ public class UserConfigurationImpl extends ConfigurationBase implements UserConf @Nonnull @Override - public List getValidators(String workspaceName, CommitInfo commitInfo) { + public List getValidators(String workspaceName, Set principals, MoveTracker moveTracker) { return Collections.singletonList(new UserValidatorProvider(getParameters())); } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/commit/CommitInfo.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/commit/CommitInfo.java index 261d25f..f19b23c 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/commit/CommitInfo.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/commit/CommitInfo.java @@ -16,7 +16,6 @@ * specific language governing permissions and limitations * under the License. */ - package org.apache.jackrabbit.oak.spi.commit; import static com.google.common.base.Objects.toStringHelper; @@ -26,8 +25,6 @@ import javax.annotation.CheckForNull; import javax.annotation.Nonnull; import javax.annotation.Nullable; -import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; - /** * Commit info instances associate some meta data with a commit. */ @@ -39,31 +36,20 @@ public class CommitInfo { private final String userId; - private final PermissionProvider permissionProvider; - private final String message; private final long date = System.currentTimeMillis(); - private final MoveTracker moveTracker; - /** * Creates a commit info for the given session and user. * * @param sessionId session identifier * @param userId The user id. - * @param permissionProvider The permission provider associated with the - * root that is committing changes. - * @param moveTracker Information regarding move operations associated with this commit. * @param message message attached to this commit, or {@code null} */ - public CommitInfo(@Nonnull String sessionId, @Nullable String userId, - @Nonnull PermissionProvider permissionProvider, - @Nonnull MoveTracker moveTracker, @Nullable String message) { + public CommitInfo(@Nonnull String sessionId, @Nullable String userId, @Nullable String message) { this.sessionId = checkNotNull(sessionId); this.userId = (userId == null) ? OAK_UNKNOWN : userId; - this.permissionProvider = checkNotNull(permissionProvider); - this.moveTracker = checkNotNull(moveTracker); this.message = message; } @@ -83,16 +69,6 @@ public class CommitInfo { return userId; } - @Nonnull - public MoveTracker getMoveTracker() { - return moveTracker; - } - - @Nonnull - public PermissionProvider getPermissionProvider() { - return permissionProvider; - } - /** * @return message attached to this commit */ diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/CompositeConfiguration.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/CompositeConfiguration.java index b1b4e52..375e61c 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/CompositeConfiguration.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/CompositeConfiguration.java @@ -18,18 +18,22 @@ */ package org.apache.jackrabbit.oak.spi.security; +import java.security.Principal; import java.util.ArrayList; import java.util.List; +import java.util.Set; + import javax.annotation.Nonnull; import com.google.common.base.Function; import com.google.common.collect.ImmutableList; import com.google.common.collect.Iterables; import com.google.common.collect.Lists; + import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.spi.commit.CommitHook; -import org.apache.jackrabbit.oak.spi.commit.CommitInfo; +import org.apache.jackrabbit.oak.spi.commit.MoveTracker; import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; import org.apache.jackrabbit.oak.spi.lifecycle.CompositeInitializer; import org.apache.jackrabbit.oak.spi.lifecycle.CompositeWorkspaceInitializer; @@ -122,11 +126,11 @@ public abstract class CompositeConfiguration im @Nonnull @Override - public List getValidators(final String workspaceName, final CommitInfo commitInfo) { + public List getValidators(final String workspaceName, final Set principals, final MoveTracker moveTracker) { return ImmutableList.copyOf(Iterables.concat(Lists.transform(configurations, new Function>() { @Override public List apply(T securityConfiguration) { - return securityConfiguration.getValidators(workspaceName, commitInfo); + return securityConfiguration.getValidators(workspaceName, principals, moveTracker); } }))); } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java index b2c35db..45e0d0f 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/SecurityConfiguration.java @@ -16,13 +16,15 @@ */ package org.apache.jackrabbit.oak.spi.security; +import java.security.Principal; import java.util.Collections; import java.util.List; +import java.util.Set; import javax.annotation.Nonnull; import org.apache.jackrabbit.oak.spi.commit.CommitHook; -import org.apache.jackrabbit.oak.spi.commit.CommitInfo; +import org.apache.jackrabbit.oak.spi.commit.MoveTracker; import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; import org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer; import org.apache.jackrabbit.oak.spi.lifecycle.WorkspaceInitializer; @@ -75,7 +77,7 @@ public interface SecurityConfiguration { List getCommitHooks(String workspaceName); @Nonnull - List getValidators(String workspaceName, CommitInfo commitInfo); + List getValidators(String workspaceName, Set principals, MoveTracker moveTracker); @Nonnull List getProtectedItemImporters(); @@ -122,7 +124,7 @@ public interface SecurityConfiguration { @Nonnull @Override public List getValidators( - String workspaceName, CommitInfo commitInfo) { + String workspaceName, Set principals, MoveTracker moveTracker) { return Collections.emptyList(); } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.java index d8831eb..95f149e 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.java @@ -43,5 +43,6 @@ public interface AuthorizationConfiguration extends SecurityConfiguration { @Nonnull PermissionProvider getPermissionProvider(@Nonnull Root root, + @Nonnull String workspaceName, @Nonnull Set principals); } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java index 1d17feb..7811e02 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompositeAuthorizationConfiguration.java @@ -80,7 +80,7 @@ public class CompositeAuthorizationConfiguration extends CompositeConfiguration< @Nonnull @Override - public PermissionProvider getPermissionProvider(@Nonnull Root root, @Nonnull Set principals) { + public PermissionProvider getPermissionProvider(@Nonnull Root root, @Nonnull String workspaceName, @Nonnull Set principals) { // TODO throw new UnsupportedOperationException("not yet implemented."); } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAuthorizationConfiguration.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAuthorizationConfiguration.java index e3d7673..618fc83 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAuthorizationConfiguration.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAuthorizationConfiguration.java @@ -48,7 +48,7 @@ public class OpenAuthorizationConfiguration extends SecurityConfiguration.Defaul @Nonnull @Override - public PermissionProvider getPermissionProvider(Root root, Set principals) { + public PermissionProvider getPermissionProvider(Root root, String workspaceName, Set principals) { return OpenPermissionProvider.getInstance(); } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlManager.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlManager.java index 71ef004..d854b2d 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlManager.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlManager.java @@ -19,6 +19,7 @@ package org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol; import java.security.Principal; import java.util.HashSet; import java.util.Set; + import javax.annotation.CheckForNull; import javax.annotation.Nonnull; import javax.annotation.Nullable; @@ -52,6 +53,7 @@ public abstract class AbstractAccessControlManager implements JackrabbitAccessCo private static final Logger log = LoggerFactory.getLogger(AbstractAccessControlManager.class); private final Root root; + private final String workspaceName; private final NamePathMapper namePathMapper; private final AuthorizationConfiguration config; private final PrivilegeManager privilegeManager; @@ -62,6 +64,7 @@ public abstract class AbstractAccessControlManager implements JackrabbitAccessCo @Nonnull NamePathMapper namePathMapper, @Nonnull SecurityProvider securityProvider) { this.root = root; + this.workspaceName = root.getContentSession().getWorkspaceName(); this.namePathMapper = namePathMapper; privilegeManager = securityProvider.getConfiguration(PrivilegeConfiguration.class).getPrivilegeManager(root, namePathMapper); @@ -99,7 +102,7 @@ public abstract class AbstractAccessControlManager implements JackrabbitAccessCo if (getPrincipals().equals(principals)) { return hasPrivileges(absPath, privileges); } else { - PermissionProvider provider = config.getPermissionProvider(root, principals); + PermissionProvider provider = config.getPermissionProvider(root, workspaceName, principals); return hasPrivileges(absPath, privileges, provider, Permissions.READ_ACCESS_CONTROL, false); } } @@ -109,7 +112,7 @@ public abstract class AbstractAccessControlManager implements JackrabbitAccessCo if (getPrincipals().equals(principals)) { return getPrivileges(absPath); } else { - PermissionProvider provider = config.getPermissionProvider(root, principals); + PermissionProvider provider = config.getPermissionProvider(root, workspaceName, principals); return getPrivileges(absPath, provider, Permissions.READ_ACCESS_CONTROL); } } @@ -173,7 +176,7 @@ public abstract class AbstractAccessControlManager implements JackrabbitAccessCo @Nonnull protected PermissionProvider getPermissionProvider() { if (permissionProvider == null) { - permissionProvider = config.getPermissionProvider(root, getPrincipals()); + permissionProvider = config.getPermissionProvider(root, workspaceName, getPrincipals()); } else { permissionProvider.refresh(); } diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImplTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImplTest.java index 0e054fe..f9ff40b 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImplTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImplTest.java @@ -102,7 +102,7 @@ public class PermissionProviderImplTest extends AbstractSecurityTest implements } private PermissionProvider createPermissionProvider(ContentSession session) { - return config.getPermissionProvider(session.getLatestRoot(), session.getAuthInfo().getPrincipals()); + return config.getPermissionProvider(session.getLatestRoot(), session.getWorkspaceName(), session.getAuthInfo().getPrincipals()); } @Test diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreTest.java index 03cd6aa..35aa8ee 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionStoreTest.java @@ -88,7 +88,7 @@ public class PermissionStoreTest extends AbstractSecurityTest { } private PermissionProvider createPermissionProvider() { - return acConfig.getPermissionProvider(testRoot, testSession.getAuthInfo().getPrincipals()); + return acConfig.getPermissionProvider(testRoot, testSession.getWorkspaceName(), testSession.getAuthInfo().getPrincipals()); } @Test diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/TreePermissionImplTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/TreePermissionImplTest.java index 7db68ab..cb6099e 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/TreePermissionImplTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/TreePermissionImplTest.java @@ -65,7 +65,7 @@ public class TreePermissionImplTest extends AbstractSecurityTest implements Acce private TreePermission getTreePermission(String path) throws Exception { ContentSession testSession = createTestSession(); - PermissionProvider pp = config.getPermissionProvider(testSession.getLatestRoot(), testSession.getAuthInfo().getPrincipals()); + PermissionProvider pp = config.getPermissionProvider(testSession.getLatestRoot(), testSession.getWorkspaceName(), testSession.getAuthInfo().getPrincipals()); return pp.getTreePermission(root.getTree(path), TreePermission.EMPTY); } diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/commit/BackgroundObserverTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/commit/BackgroundObserverTest.java index e3d9d79..b7e36d5 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/commit/BackgroundObserverTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/commit/BackgroundObserverTest.java @@ -35,14 +35,14 @@ import javax.annotation.Nonnull; import javax.annotation.Nullable; import com.google.common.collect.Lists; + import org.apache.jackrabbit.oak.api.Type; -import org.apache.jackrabbit.oak.spi.security.authorization.permission.OpenPermissionProvider; import org.apache.jackrabbit.oak.spi.state.NodeState; import org.junit.Test; public class BackgroundObserverTest { - private static final CommitInfo COMMIT_INFO = new CommitInfo - ("no-session", null, OpenPermissionProvider.getInstance(), new MoveTracker(), null); + private static final CommitInfo COMMIT_INFO = + new CommitInfo("no-session", null, null); private final List> assertionLists = Lists.newArrayList(); private CountDownLatch doneCounter; diff --git a/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionContext.java b/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionContext.java index 1bcc046..9d5ae2d 100644 --- a/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionContext.java +++ b/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionContext.java @@ -413,7 +413,7 @@ public class SessionContext implements NamePathMapper { if (permissionProvider == null) { permissionProvider = checkNotNull(securityProvider) .getConfiguration(AuthorizationConfiguration.class) - .getPermissionProvider(delegate.getRoot(), delegate.getAuthInfo().getPrincipals()); + .getPermissionProvider(delegate.getRoot(), delegate.getWorkspaceName(), delegate.getAuthInfo().getPrincipals()); } return permissionProvider; } -- 1.8.3.msysgit.0