Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java (revision 1852981)
+++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java (date 1549372358000)
@@ -593,7 +593,8 @@
 if (v == null) {
 throw new AccessControlException("Missing mandatory restriction rep:nodePath");
 } else {
- return getOakPath(v.getString());
+ String jcrPath = v.getString();
+ return (REPOSITORY_PATH_MARKER.equals(jcrPath)) ? null : getOakPath(jcrPath);
 }
 }
Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java (revision 1852981)
+++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/PrincipalRestrictionProvider.java (date 1548764092000)
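Review bot: The marker compared on the new return line of the AccessControlManagerImpl hunk is the literal string `"null"` (defined in the AccessControlConstants hunk), which is also what Java produces when a null reference is stringified, so a caller that builds the rep:nodePath value from a missing path would now address the repository-level policy instead of going through getOakPath. The same in-band value is emitted by the readRestrictions hunk in PrincipalRestrictionProvider. Because this value decides which access control list an entry lands in, I would prefer a marker that cannot arise by accident or be read as a path name, for instance the empty string the read side emitted before this change, assuming the value factory accepts it: `return jcrPath.isEmpty() ? null : getOakPath(jcrPath);`. The enclosing method starts outside the hunk, so how its callers treat the null return is not visible here.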
@@ -80,7 +80,7 @@
 @Override
 public Set readRestrictions(@Nullable String oakPath, @NotNull Tree aceTree) {
 Set restrictions = new HashSet<>(base.readRestrictions(oakPath, aceTree));
- String value = (oakPath == null) ? "" : oakPath;
+ String value = (oakPath == null) ? REPOSITORY_PATH_MARKER : oakPath;
 PropertyState nodePathProp = PropertyStates.createProperty(REP_NODE_PATH, value, Type.PATH);
 restrictions.add(new RestrictionImpl(nodePathProp, true));
 return restrictions;
Index: oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java (revision 1852981)
+++ oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java (date 1549372204000)
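Review bot: The value that readRestrictions exposes for repository-level entries changes on the `String value = ...` line from the empty string to REPOSITORY_PATH_MARKER, and nothing on that line says that a null oakPath stands for the repository level. Code that recognised such entries by an empty rep:nodePath value would stop matching after this change; whether such consumers exist is not visible in the patch. I would add `// oakPath == null denotes the repository level; expose the marker instead of a path` above the assignment and mention the changed value in the change description.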
@@ -1860,6 +1860,27 @@
 assertEquals(1, policies.length);
 }
+ @Test
+ public void testGetPoliciesByPrincipalRepositoryLevel() throws Exception {
+ setupPolicy(null, privilegesFromNames(PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+
+ // changes not yet persisted -> no existing policies found for user
+ AccessControlPolicy[] policies = acMgr.getPolicies(testPrincipal);
+ assertNotNull(policies);
+ assertEquals(0, policies.length);
+
+ // after persisting changes -> policies must be found
+ root.commit();
+ policies = acMgr.getPolicies(testPrincipal);
+ assertNotNull(policies);
+ assertEquals(1, policies.length);
+ JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policies[0];
+ AccessControlEntry[] entries = acl.getAccessControlEntries();
+ assertEquals(1, entries.length);
+ JackrabbitAccessControlEntry entry = (JackrabbitAccessControlEntry) entries[0];
+ assertEquals(REPOSITORY_PATH_MARKER, entry.getRestriction(REP_NODE_PATH).getString());
+ }
+
 @Test
 public void testTestSessionGetPolicies() throws Exception {
 setupPolicy(testPath);
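Review bot: The three added tests (this one, plus testSetPrincipalPolicyForRepositoryLevel and testRemovePrincipalPolicyForRepositoryLevel in the next two hunks) cover only the accepted case, apparently with the default session of the test class. Since the marker redirects a principal-based entry to the repository-level policy, a test with a restricted session, in the style of the existing testTestSessionGetPolicies, should assert that setting or removing such an entry is refused when the session lacks access-control rights at the repository level. A second case should pin the boundary of the marker, namely that a rep:nodePath naming a node called `null` under the root is still resolved as an ordinary node path.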
@@ -2255,6 +2276,30 @@
 assertEquals(2, ((ACL) acMgr.getPolicies(testPath)[0]).getAccessControlEntries().length);
 }
+ @Test
+ public void testSetPrincipalPolicyForRepositoryLevel() throws Exception {
+ assertEquals(0, acMgr.getPolicies((String)null).length);
+
+ JackrabbitAccessControlPolicy[] policies = acMgr.getApplicablePolicies(testPrincipal);
+ ACL acl = (ACL) policies[0];
+
+ Map restrictions = new HashMap();
+ restrictions.put(REP_NODE_PATH, getValueFactory().createValue(REPOSITORY_PATH_MARKER, PropertyType.PATH));
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+ assertTrue(acl.addEntry(testPrincipal, privs, true, restrictions));
+
+ acMgr.setPolicy(acl.getPath(), acl);
+
+ AccessControlPolicy[] repoLevelPolicies = acMgr.getPolicies((String)null);
+ assertEquals(1, repoLevelPolicies.length);
+
+ AccessControlEntry[] entries = ((JackrabbitAccessControlList) repoLevelPolicies[0]).getAccessControlEntries();
+ assertEquals(1, entries.length);
+
+ assertArrayEquals(privs, entries[0].getPrivileges());
+ assertEquals(testPrincipal, entries[0].getPrincipal());
+ }
+
 @Test
 public void testSetPrincipalPolicyWithNewMvRestriction() throws Exception {
 setupPolicy(testPath);
@@ -2371,6 +2416,21 @@
 acMgr.removePolicy(acl.getPath(), acl);
 }
+ @Test
+ public void testRemovePrincipalPolicyForRepositoryLevel() throws Exception {
+ setupPolicy(null, privilegesFromNames(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT));
+ root.commit();
+
+ JackrabbitAccessControlPolicy[] policies = acMgr.getPolicies(testPrincipal);
+ assertEquals(1, policies.length);
+
+ acMgr.removePolicy(policies[0].getPath(), policies[0]);
+ root.commit();
+
+ AccessControlPolicy[] repoLevelPolicies = acMgr.getPolicies((String)null);
+ assertEquals(0, repoLevelPolicies.length);
+ }
+
 private final static class TestACL extends AbstractAccessControlList {
 private final List entries = new ArrayList();
Index: oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java (revision 1852981)
+++ oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AccessControlConstants.java (date 1549370583000)
@@ -82,4 +82,6 @@
 Collection AC_NODETYPE_NAMES = ImmutableSet.of(NT_REP_POLICY, NT_REP_ACL, NT_REP_ACE, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_RESTRICTIONS);
 String PARAM_RESTRICTION_PROVIDER = "restrictionProvider";
+
+ String REPOSITORY_PATH_MARKER = "null";
 }
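Review bot: REPOSITORY_PATH_MARKER is added in the AccessControlConstants hunk without Javadoc, although, judging by the oak-security-spi module path and the modifier-free declarations around it, it sits in an SPI interface and becomes a value other modules can depend on. The comment should state that it stands for the repository level (a null path) in the rep:nodePath restriction of principal-based entries and must never be resolved as a node path. For example: `/** Value of rep:nodePath that denotes the repository level (null path) instead of a node path. */`.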