Index: oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java (revision 1826837) +++ oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java (revision ) @@ -70,6 +70,8 @@ import org.apache.jackrabbit.oak.spi.state.NodeState; import org.apache.jackrabbit.oak.spi.state.NodeStore; import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import static org.apache.jackrabbit.oak.spi.security.RegistrationConstants.OAK_SECURITY_NAME; @@ -97,10 +99,12 @@ }) public class CugConfiguration extends ConfigurationBase implements AuthorizationConfiguration, CugConstants { + private static final Logger log = LoggerFactory.getLogger(CugConfiguration.class); + /** * Reference to services implementing {@link org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude}. */ - @Reference(cardinality = ReferenceCardinality.OPTIONAL_UNARY) + @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) private CugExclude exclude; /** 
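Review bot: The Javadoc on the `exclude` reference still only says what the field refers to, although the change to `ReferenceCardinality.MANDATORY_UNARY` means this authorization component stays unsatisfied until a CugExclude service is registered. This hunk does not show whether the surrounding security setup refuses to start without CugConfiguration or simply runs without CUG evaluation, so the expected fail-closed behaviour should be written down here. I would extend the comment with something like `Mandatory: this configuration is not activated, and evaluates no CUG policies, until a CugExclude service is bound.` The class body continues outside the hunk.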
@@ -215,6 +219,16 @@ // set to null (and not default) to comply with OSGi lifecycle, // if the reference is unset it means the service is being deactivated this.mountInfoProvider = null; + } + + public void bindExclude(CugExclude exclude) { + log.debug("Bind CugExclude " + exclude); + this.exclude = exclude; + } + + public void unbindExclude(CugExclude exclude) { + log.debug("Unbind CugExclude " + exclude); + this.exclude = null; } //-------------------------------------------------------------------------- \ No newline at end of file Index: oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugExcludeImpl.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugExcludeImpl.java (revision 1826837) +++ oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugExcludeImpl.java (revision ) @@ -25,13 +25,14 @@ import com.google.common.collect.ImmutableSet; import org.apache.felix.scr.annotations.Activate; import org.apache.felix.scr.annotations.Component; -import org.apache.felix.scr.annotations.ConfigurationPolicy; import org.apache.felix.scr.annotations.Modified; import org.apache.felix.scr.annotations.Properties; import org.apache.felix.scr.annotations.Property; import org.apache.felix.scr.annotations.Service; import org.apache.jackrabbit.oak.commons.PropertiesUtil; import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * Extension of the default {@link org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude} 
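Review bot: `unbindExclude` sets the field to null without the explanation that the `mountInfoProvider` unbind just above it carries, and nothing in this hunk shows that readers of `exclude` tolerate null. If any code path reads the field after unbind, the principal exclusion check would end in a NullPointerException rather than a decision. Add a comment such as `// set to null (not a default): with a mandatory reference the component is presumably deactivated before unbind` and confirm it against the callers outside the hunk. Both new methods, and `setPrincipalNames` in CugExcludeImpl, also build the log message by concatenation; `log.debug("Bind CugExclude {}", exclude);` skips the `toString()` call when debug logging is off.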
@@ -42,9 +43,9 @@ * principal names) in order to be activated. */ @Component(metatype = true, + immediate = true, label = "Apache Jackrabbit Oak CUG Exclude List", - description = "Allows to exclude principal(s) with the configured name(s) from CUG evaluation.", - policy = ConfigurationPolicy.REQUIRE) + description = "Allows to exclude principal(s) with the configured name(s) from CUG evaluation.") @Service({CugExclude.class}) @Properties({ @Property(name = "principalNames", @@ -54,6 +55,8 @@ }) public class CugExcludeImpl extends CugExclude.Default { + private static final Logger log = LoggerFactory.getLogger(CugExcludeImpl.class); + private Set principalNames = Collections.emptySet(); @Override @@ -82,6 +85,8 @@ } private void setPrincipalNames(@Nonnull Map properties) { - this.principalNames = ImmutableSet.copyOf(PropertiesUtil.toStringArray(properties.get("principalNames"), new String[0])); + Set pNames = ImmutableSet.copyOf(PropertiesUtil.toStringArray(properties.get("principalNames"), new String[0])); + log.debug("Setting excluded principal names to " + pNames); + this.principalNames = pNames; } } \ No newline at end of file Index: oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationOsgiTest.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationOsgiTest.java (revision ) +++ oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfigurationOsgiTest.java (revision ) 
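Review bot: The class Javadoc kept as context at the top of this hunk still ends with "in order to be activated", but `policy = ConfigurationPolicy.REQUIRE` is removed here and `immediate = true` is added, so the component now activates without any configuration. The comment should say that an unconfigured instance runs with an empty `principalNames` set, which presumably leaves only the exclusions of `CugExclude.Default` in effect. Suggested wording: `Without configuration the component is activated with an empty list of principal names.` The start of the Javadoc is outside the hunk.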
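Review bot: In `setPrincipalNames` the new set of excluded principals is logged at debug level only, so with a typical production log configuration a change to who is exempt from CUG evaluation leaves no trace. This list decides which principals bypass an authorization check, so I would record updates at info level, `log.info("CUG exclude list updated: {}", pNames);`, unless principal names are treated as sensitive in the target deployments.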
@@ -0,0 +1,120 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl; + +import java.util.Map; + +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; +import org.apache.jackrabbit.oak.AbstractSecurityTest; +import org.apache.jackrabbit.oak.composite.MountInfoProviderService; +import org.apache.jackrabbit.oak.plugins.tree.impl.RootProviderService; +import org.apache.jackrabbit.oak.plugins.tree.impl.TreeProviderService; +import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; +import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl; +import org.apache.sling.testing.mock.osgi.ReferenceViolationException; +import org.apache.sling.testing.mock.osgi.junit.OsgiContext; +import org.junit.Before; +import org.junit.Rule; +import org.junit.Test; + +import static org.junit.Assert.assertSame; +import static org.junit.Assert.assertTrue; + +public class CugConfigurationOsgiTest extends 
AbstractSecurityTest { + + private static final String EXCLUDED_PRINCIPAL_NAME = "excludedPrincipal"; + private static final String ANY_PRINCIPAL_NAME = "anyPrincipal"; + + private static final Map PROPERTIES = ImmutableMap.of( + CugConstants.PARAM_CUG_ENABLED, true, + CugConstants.PARAM_CUG_SUPPORTED_PATHS, new String[] {"/"}); + + @Rule + public final OsgiContext context = new OsgiContext(); + + private CugConfiguration cugConfiguration; + private CugExcludeImpl cugExclude; + private String wspName; + + @Before + public void before() throws Exception { + super.before(); + + wspName = root.getContentSession().getWorkspaceName(); + + cugConfiguration = new CugConfiguration(getSecurityProvider()); + cugConfiguration.setRootProvider(new RootProviderService()); + cugConfiguration.setTreeProvider(new TreeProviderService()); + + cugExclude = new CugExcludeImpl(); + + MountInfoProviderService mip = new MountInfoProviderService(); + context.registerInjectActivateService(mip); + } + + @Test(expected = ReferenceViolationException.class) + public void testMissingCugExclude() { + context.registerInjectActivateService(cugConfiguration, PROPERTIES); + } + + @Test + public void testCugExcludeExcludedPrincipal() { + context.registerInjectActivateService(cugExclude, ImmutableMap.of("principalNames", new String[] {EXCLUDED_PRINCIPAL_NAME})); + context.registerInjectActivateService(cugConfiguration, PROPERTIES); + + AuthorizationConfiguration config = context.getService(AuthorizationConfiguration.class); + PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.of(new PrincipalImpl(EXCLUDED_PRINCIPAL_NAME))); + assertSame(EmptyPermissionProvider.getInstance(), permissionProvider); + } + + @Test + public void testCugExcludeAnyPrincipal() { + context.registerInjectActivateService(cugExclude, ImmutableMap.of("principalNames", new String[] {EXCLUDED_PRINCIPAL_NAME})); + context.registerInjectActivateService(cugConfiguration, PROPERTIES); + + 
AuthorizationConfiguration config = context.getService(AuthorizationConfiguration.class); + PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.of(new PrincipalImpl(ANY_PRINCIPAL_NAME))); + assertTrue(permissionProvider instanceof CugPermissionProvider); + } + + @Test + public void testNotEnabled() { + context.registerInjectActivateService(cugExclude, ImmutableMap.of("principalNames", new String[] {ANY_PRINCIPAL_NAME})); + context.registerInjectActivateService(cugConfiguration, ImmutableMap.of( + CugConstants.PARAM_CUG_ENABLED, false, + CugConstants.PARAM_CUG_SUPPORTED_PATHS, new String[]{"/"})); + + AuthorizationConfiguration config = context.getService(AuthorizationConfiguration.class); + PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.of(new PrincipalImpl(ANY_PRINCIPAL_NAME))); + assertSame(EmptyPermissionProvider.getInstance(), permissionProvider); + } + + @Test + public void testNoSupportedPaths() { + context.registerInjectActivateService(cugExclude, ImmutableMap.of("principalNames", new String[] {ANY_PRINCIPAL_NAME})); + context.registerInjectActivateService(cugConfiguration, ImmutableMap.of( + CugConstants.PARAM_CUG_ENABLED, true, + CugConstants.PARAM_CUG_SUPPORTED_PATHS, new String[0])); + + AuthorizationConfiguration config = context.getService(AuthorizationConfiguration.class); + PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.of(new PrincipalImpl(ANY_PRINCIPAL_NAME))); + assertSame(EmptyPermissionProvider.getInstance(), permissionProvider); + } +} \ No newline at end of file Index: oak-authorization-cug/pom.xml IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-authorization-cug/pom.xml (revision 1826837) +++ oak-authorization-cug/pom.xml (revision ) 
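Review bot: None of the new tests registers `CugExcludeImpl` without a `principalNames` property, which is exactly the case this commit newly allows by dropping the REQUIRE configuration policy. A test for the unconfigured component would pin that an ordinary principal is still subject to CUG evaluation when the exclude list is empty. The assertion below assumes a plain `PrincipalImpl` is not among the default exclusions, which should be confirmed against `CugExclude.Default`.

```java
// … unchanged: fields, before(), existing tests …

    @Test
    public void testCugExcludeWithoutConfiguration() {
        // CugExcludeImpl no longer requires a configuration: register it with no properties
        context.registerInjectActivateService(cugExclude);
        context.registerInjectActivateService(cugConfiguration, PROPERTIES);

        AuthorizationConfiguration config = context.getService(AuthorizationConfiguration.class);
        PermissionProvider permissionProvider = config.getPermissionProvider(root, wspName, ImmutableSet.of(new PrincipalImpl(ANY_PRINCIPAL_NAME)));
        // an empty exclude list must not exempt ordinary principals from CUG evaluation
        assertTrue(permissionProvider instanceof CugPermissionProvider);
    }
```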
@@ -155,6 +155,12 @@ org.apache.jackrabbit + oak-store-composite + ${project.version} + test + + + org.apache.jackrabbit oak-jcr ${project.version} tests @@ -164,6 +170,11 @@ org.mockito mockito-core 1.10.19 + test + + + org.apache.sling + org.apache.sling.testing.osgi-mock test \ No newline at end of file