Author: angela
Date: Wed Mar 26 08:42:14 2014
New Revision: 1581745
URL: http://svn.apache.org/r1581745
Log:
OAK-1612 : Limit number of wildcards in rep:glob
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPatternTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java?rev=1581745&r1=1581744&r2=1581745&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java
Wed Mar 26 08:42:14 2014
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
+import javax.jcr.security.AccessControlException;
import com.google.common.base.Objects;
import org.apache.jackrabbit.oak.api.PropertyState;
@@ -67,6 +68,7 @@ import static com.google.common.base.Pre
final class GlobPattern implements RestrictionPattern {
private static final char WILDCARD_CHAR = '*';
+ private static final int MAX_WILDCARD = 20;
private final String path;
private final String restriction;
@@ -102,6 +104,18 @@ final class GlobPattern implements Restr
return new GlobPattern(nodePath, restrictions);
}
+ static void validate(@Nonnull String restriction) throws
AccessControlException {
+ int cnt = 0;
+ for (int i = 0; i < restriction.length(); i++) {
+ if (WILDCARD_CHAR == restriction.charAt(i)) {
+ cnt++;
+ }
+ if (cnt > MAX_WILDCARD) {
+ throw new AccessControlException("Number of wildcards in
rep:glob exceeds allowed complexity.");
+ }
+ }
+ }
+
//-------------------------------------------------< RestrictionPattern
>---
@Override
public boolean matches(@Nonnull Tree tree, @Nullable PropertyState
property) {
@@ -204,7 +218,7 @@ final class GlobPattern implements Restr
}
char[] tm = (toMatch.endsWith("/")) ? toMatch.substring(0,
toMatch.length()-1).toCharArray() : toMatch.toCharArray();
// shortcut didn't reveal mismatch -> need to process the internal
match method.
- return matches(patternChars, 0, tm, 0);
+ return matches(patternChars, 0, tm, 0, MAX_WILDCARD);
}
/**
@@ -216,7 +230,12 @@ final class GlobPattern implements Restr
* @return {@code true} if matches, {@code false} otherwise
*/
private boolean matches(char[] pattern, int pOff,
- char[] s, int sOff) {
+ char[] s, int sOff, int cnt) {
+
+ if (cnt <= 0) {
+ throw new IllegalArgumentException("Illegal glob pattern " +
GlobPattern.this);
+ }
+
int pLength = pattern.length;
int sLength = s.length;
@@ -240,8 +259,9 @@ final class GlobPattern implements Restr
return true;
}
+ cnt--;
while (true) {
- if (matches(pattern, pOff, s, sOff)) {
+ if (matches(pattern, pOff, s, sOff, cnt)) {
return true;
}
if (sOff >= sLength) {
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java?rev=1581745&r1=1581744&r2=1581745&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
Wed Mar 26 08:42:14 2014
@@ -19,6 +19,7 @@ package org.apache.jackrabbit.oak.securi
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
+import javax.jcr.security.AccessControlException;
import com.google.common.collect.ImmutableMap;
import org.apache.felix.scr.annotations.Component;
@@ -91,4 +92,15 @@ public class RestrictionProviderImpl ext
}
}
}
+
+ @Override
+ public void validateRestrictions(String oakPath, Tree aceTree) throws
AccessControlException {
+ super.validateRestrictions(oakPath, aceTree);
+
+ Tree restrictionsTree = getRestrictionsTree(aceTree);
+ PropertyState glob = restrictionsTree.getProperty(REP_GLOB);
+ if (glob != null) {
+ GlobPattern.validate(glob.getValue(Type.STRING));
+ }
+ }
}
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPatternTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPatternTest.java?rev=1581745&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPatternTest.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPatternTest.java
Wed Mar 26 08:42:14 2014
@@ -0,0 +1,350 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.jackrabbit.oak.security.authorization.restriction;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class GlobPatternTest {
+
+ private static void assertMatch(GlobPattern gp, String testPath, Boolean
expectedResult) {
+ Boolean match = Boolean.valueOf(gp.matches(testPath));
+ assertEquals("Pattern : " + gp + "; TestPath : " + testPath,
expectedResult, match);
+ }
+
+ @Test
+ public void testMatchesWildcardAll() {
+
+ Map<String,Boolean> tests = new HashMap<String,Boolean>();
+
+ // restriction "*" matches /foo, all siblings of foo and foo's and the
siblings' descendants
+ GlobPattern gp = GlobPattern.create("/a/b/c", "*");
+ // matching
+ tests.put("/a/b/c", true); // foo itself
+ tests.put("/a/b/c/d", true); // child of foo
+ tests.put("/a/b/c/d/e", true); // child of foo
+ tests.put("/a/b/c/d/e/f", true); // child of foo
+ tests.put("/a/b/cde", true); // sibling
+ tests.put("/a/b/cde/e/f", true); // child of the sibling
+ // not-matching
+ tests.put("/", false);
+ tests.put("/a", false);
+ tests.put("/b/c", false);
+
+ for (String testPath : tests.keySet()) {
+ assertMatch(gp, testPath, tests.get(testPath));
+ }
+
+ // restriction "*cat" matches all siblings and descendants of /foo
that have a name ending with cat
+ gp = GlobPattern.create("/a/b/c", "*e");
+ tests = new HashMap<String,Boolean>();
+ // matching
+ tests.put("/a/b/c/e", true); // descendant with name segment 'e'
+ tests.put("/a/b/c/d/e", true); // descendant with name segment 'e'
+ tests.put("/a/b/c/gge", true); // descendant with name segment
ending with 'e'
+ tests.put("/a/b/c/d/gge", true); // descendant with name segment
ending with 'e'
+ tests.put("/a/b/ce", true); // sibling whose name ends with 'e'
+ tests.put("/a/b/chee", true); // sibling whose name ends with 'e'
+ tests.put("/a/b/cd/e", true); // descendant of sibling named 'e'
+ tests.put("/a/b/cd/f/e", true); // descendant of sibling named 'e'
+ tests.put("/a/b/cd/e", true); // descendant of sibling with name
ending with 'e'
+ tests.put("/a/b/cd/f/e", true); // descendant of sibling with name
ending with 'e'
+ // not-matching
+ tests.put("/", false);
+ tests.put("/a", false);
+ tests.put("/b/c", false);
+ tests.put("/a/b/c", false);
+ tests.put("/a/b/c/d", false);
+ tests.put("/a/b/c/d/e/f", false);
+ tests.put("/a/b/c/d/f/e/f", false);
+ tests.put("/a/b/c/d/f/efg", false);
+ tests.put("/a/b/c/d/f/f", false);
+ tests.put("/a/b/c/e/f", false);
+ tests.put("/a/b/ce/", false);
+ tests.put("/a/b/ceg", false);
+
+ for (String testPath : tests.keySet()) {
+ assertMatch(gp, testPath, tests.get(testPath));
+ }
+
+ // restriction "*/cat" matches all descendants of /foo and foo's
siblings that have a name segment "cat"
+ gp = GlobPattern.create("/a/b/c", "*/e");
+ tests = new HashMap<String,Boolean>();
+ // matching
+ tests.put("/a/b/c/e", true); // descendant with name segment 'e'
+ tests.put("/a/b/c/d/e", true); // descendant with name segment 'e'
+ tests.put("/a/b/cd/e", true); // descendant of sibling named 'e'
+ tests.put("/a/b/cd/f/e", true); // descendant of sibling named 'e'
+ // not-matching
+ tests.put("/", false);
+ tests.put("/a", false);
+ tests.put("/b/c", false);
+ tests.put("/a/b/c", false);
+ tests.put("/a/b/c/d", false);
+ tests.put("/a/b/c/d/e/f", false);
+ tests.put("/a/b/c/d/f/e/f", false);
+ tests.put("/a/b/c/d/f/efg", false);
+ tests.put("/a/b/c/d/f/f", false);
+ tests.put("/a/b/c/e/f", false);
+ tests.put("/a/b/ce/", false);
+
+ for (String testPath : tests.keySet()) {
+ assertMatch(gp, testPath, tests.get(testPath));
+ }
+
+ // matches target path '/a/b/c/e', all siblings whose name starts with
e
+ // and child nodes of either.
+ gp = GlobPattern.create("/a/b/c/e", "*");
+ tests = new HashMap<String,Boolean>();
+ // matching
+ tests.put("/a/b/c/e/f/g/h", true);
+ tests.put("/a/b/c/e/d/e/f", true);
+ tests.put("/a/b/c/e/d/e/f", true);
+ tests.put("/a/b/c/e", true);
+ tests.put("/a/b/c/e/", true);
+ tests.put("/a/b/c/ef", true);
+ tests.put("/a/b/c/ef/g", true);
+ // not-matching
+ tests.put("/a/b/ce/f/g/h", false);
+ tests.put("/a/b/ce/d/e/f", false);
+ tests.put("/a/b/c", false);
+ tests.put("/a/b/c/d", false);
+ tests.put("/a/b/c/d/e/f", false);
+ tests.put("/a/b/c/d/f/f", false);
+ tests.put("/a/b/c/d/f/e/f", false);
+ tests.put("/a/b/cee/d/e/f", false);
+
+ for (String testPath : tests.keySet()) {
+ assertMatch(gp, testPath, tests.get(testPath));
+ }
+
+ // all descendants of '/a/b/c/e'
+ gp = GlobPattern.create("/a/b/c/e", "/*");
+ tests = new HashMap<String,Boolean>();
+ // matching
+ tests.put("/a/b/c/e/f/g/h", true);
+ tests.put("/a/b/c/e/d/e/f", true);
+ // not-matching
+ tests.put("/a/b/c/e", false); // not matching node path
+ tests.put("/a/b/c/e/", false); // not matching node path + /
+ tests.put("/a/b/c/ef", false); // not matching siblings of node path
+ tests.put("/a/b/ce/f/g/h", false);
+ tests.put("/a/b/ce/d/e/f", false);
+ tests.put("/a/b/c", false);
+ tests.put("/a/b/c/d", false);
+ tests.put("/a/b/c/d/e", false);
+ tests.put("/a/b/c/d/e/f", false);
+ tests.put("/a/b/c/d/f/f", false);
+ tests.put("/a/b/c/d/f/e/f", false);
+ tests.put("/a/b/cee/d/e/f", false);
+
+ for (String testPath : tests.keySet()) {
+ assertMatch(gp, testPath, tests.get(testPath));
+ }
+
+ // all descendants of '/a/b/ce'
+ gp = GlobPattern.create("/a/b/c", "e/*");
+ tests = new HashMap<String,Boolean>();
+ // not-matching
+ tests.put("/a/b/ce/f/g/h", true);
+ tests.put("/a/b/ce/d/e/f", true);
+ // not-matching
+ tests.put("/a/b/c", false);
+ tests.put("/a/b/ce", false);
+ tests.put("/a/b/c/d", false);
+ tests.put("/a/b/c/d/e", false);
+ tests.put("/a/b/c/d/e/f", false);
+ tests.put("/a/b/c/d/f/f", false);
+ tests.put("/a/b/c/d/f/e/f", false);
+ tests.put("/a/b/cee/d/e/f", false);
+ tests.put("/a/b/ce/", false); // missing * after ce/
+
+ for (String testPath : tests.keySet()) {
+ assertMatch(gp, testPath, tests.get(testPath));
+ }
+
+ // all descendants of '/'
+ gp = GlobPattern.create("/", "*");
+ tests = new HashMap<String,Boolean>();
+ // matching
+ tests.put("/a", true);
+ tests.put("/b/", true);
+ tests.put("/c/d", true);
+ tests.put("/a/b/ce/", true);
+ tests.put("/a/b/ce/f/g/h", true);
+ tests.put("/a/b/ce/d/e/f", true);
+ // not-matching
+ tests.put("/", false);
+
+ for (String testPath : tests.keySet()) {
+ assertMatch(gp, testPath, tests.get(testPath));
+ }
+
+ // restriction "*e/*" matches all descendants of /foo that have an
intermediate segment ending with 'e'
+ gp = GlobPattern.create("/a/b/c", "*e/*");
+ tests = new HashMap<String,Boolean>();
+ // matching
+ tests.put("/a/b/ceeeeeee/f/g/h", true);
+ tests.put("/a/b/cde/d/e/f", true);
+ tests.put("/a/b/c/d/e/f", true);
+ tests.put("/a/b/ced/d/e/f", true);
+ // not-matching
+ tests.put("/a/b/ce/", false); // ignore trailing / in test path
+ tests.put("/a/b/c/d/e/", false); // ignore trailing / in test path
+ tests.put("/a/b/c/d", false); // missing *e/*
+ tests.put("/a/b/c/d/e", false); // missing /*
+ tests.put("/a/b/c/d/f/f", false); // missing *e
+ tests.put("/a/b/c/ed/f/f", false); // missing e/
+
+ for (String testPath : tests.keySet()) {
+ assertMatch(gp, testPath, tests.get(testPath));
+ }
+
+ // restriction /*cat matches all children of /a/b/c whose path ends
with "cat"
+ gp = GlobPattern.create("/a/b/c", "/*cat");
+ tests = new HashMap<String,Boolean>();
+ // matching
+ tests.put("/a/b/c/cat", true);
+ tests.put("/a/b/c/acat", true);
+ tests.put("/a/b/c/f/cat", true);
+ tests.put("/a/b/c/f/acat", true);
+ // not-matching
+ tests.put("/a/b/c/d", false);
+ tests.put("/a/b/c/d/cat/e", false); // cat only intermediate segment
+ tests.put("/a/b/c/d/acat/e", false); // cat only intermediate segment
+ tests.put("/a/b/c/d/cata/e", false); // cat only intermediate segment
+ tests.put("/a/b/c/d/cate", false);
+ tests.put("/a/b/cat", false); // siblings do no match
+ tests.put("/a/b/cat/ed/f/f", false); // ... nor do siblings' children
+ tests.put("/a/b/ced/cat", false); // ... nor do siblings' children
+
+ for (String testPath : tests.keySet()) {
+ assertMatch(gp, testPath, tests.get(testPath));
+ }
+
+ // restriction /*/cat matches all non-direct descendants of /foo
named "cat"
+ gp = GlobPattern.create("/a/b/c", "/*/cat");
+ tests = new HashMap<String,Boolean>();
+ // matching
+ tests.put("/a/b/c/a/cat", true);
+ tests.put("/a/b/c/d/e/f/cat", true);
+ // not-matching
+ tests.put("/a/b/c/cat", false);
+ tests.put("/a/b/c/cate", false);
+ tests.put("/a/b/c/acat", false);
+ tests.put("/a/b/c/cat/d", false);
+ tests.put("/a/b/c/d/acat", false);
+ tests.put("/a/b/c/d/cate", false);
+ tests.put("/a/b/c/d/cat/e", false); // cat only intermediate segment
+ tests.put("/a/b/c/d/acat/e", false); // cat only intermediate segment
+ tests.put("/a/b/c/d/cata/e", false); // cat only intermediate segment
+ tests.put("/a/b/cat", false); // siblings do no match
+ tests.put("/a/b/cat/ed/f/f", false); // ... nor do siblings' children
+ tests.put("/a/b/ced/cat", false); // ... nor do siblings' children
+ tests.put("/a/b/ced/f/cat", false); // ... nor do siblings' children
+
+ for (String testPath : tests.keySet()) {
+ assertMatch(gp, testPath, tests.get(testPath));
+ }
+
+ // restriction /cat* matches all descendant paths of /foo that have
the
+ // direct foo-descendant segment starting with "cat"
+ gp = GlobPattern.create("/a/b/c", "/cat*");
+ tests = new HashMap<String,Boolean>();
+ // matching
+ tests.put("/a/b/c/cat", true);
+ tests.put("/a/b/c/cats", true);
+ tests.put("/a/b/c/cat/s", true);
+ tests.put("/a/b/c/cats/d/e/f", true);
+ // not-matching
+ tests.put("/a/b/c/d/cat", false);
+ tests.put("/a/b/c/d/cats", false);
+ tests.put("/a/b/c/d/e/cat", false);
+ tests.put("/a/b/c/d/e/cats", false);
+ tests.put("/a/b/c/acat", false);
+ tests.put("/a/b/c/d/acat", false);
+ tests.put("/a/b/c/d/cat/e", false);
+ tests.put("/a/b/c/d/acat/e", false);
+ tests.put("/a/b/c/d/cata/e", false);
+ tests.put("/a/b/cat", false); // siblings do no match
+ tests.put("/a/b/cat/ed/f/f", false); // ... nor do siblings' children
+ tests.put("/a/b/ced/cat", false); // ... nor do siblings' children
+ tests.put("/a/b/ced/f/cat", false); // ... nor do siblings' children
+
+ for (String testPath : tests.keySet()) {
+ assertMatch(gp, testPath, tests.get(testPath));
+ }
+ }
+
+ @Test
+ public void testEmptyRestriction() {
+ GlobPattern gp = GlobPattern.create("/", "");
+ Map<String,Boolean> tests = new HashMap<String,Boolean>();
+ tests.put("/", true);
+
+ tests.put("/a/b/c/d", false);
+ tests.put("/a/b/c/d/e", false);
+ tests.put("/a/b/c/d/e/f", false);
+ tests.put("/a/b/c", false);
+ tests.put("/a", false);
+ tests.put("/a/b/cde", false);
+
+ for (String toTest : tests.keySet()) {
+ assertTrue(gp + " : " + toTest, tests.get(toTest) ==
gp.matches(toTest));
+ }
+
+ gp = GlobPattern.create("/a/b/c", "");
+
+ tests = new HashMap<String,Boolean>();
+ tests.put("/a/b/c", true);
+
+ tests.put("/a/b/c/d", false);
+ tests.put("/a/b/c/d/e", false);
+ tests.put("/a/b/c/d/e/f", false);
+ tests.put("/", false);
+ tests.put("/a", false);
+ tests.put("/a/b/cde", false);
+
+ for (String toTest : tests.keySet()) {
+ assertTrue(gp + " : " + toTest, tests.get(toTest) ==
gp.matches(toTest));
+ }
+ }
+
+ @Test
+ public void testMaxOccurrences() {
+ GlobPattern gp = GlobPattern.create("/",
"1*/2*/3*/4*/5*/6*/7*/8*/9*/10*/11*/12*/13*/14*/15*/16*/17*/18*/19*/20*/21*");
+ try {
+
gp.matches("/1/2/3/4/5/6/7/8/9/10/11/12/13/14/15/16/17/18/19/20/21");
+ fail();
+ } catch (IllegalArgumentException e) {
+ // success
+ };
+ try {
+
gp.matches("/11/22/33/44/55/66/77/88/99/100/111/122/133/144/155/166/177/188/199/200/211");
+ fail();
+ } catch (IllegalArgumentException e) {
+ // success
+ };
+ }
+}
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java?rev=1581745&r1=1581744&r2=1581745&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
Wed Mar 26 08:42:14 2014
@@ -16,13 +16,17 @@
*/
package org.apache.jackrabbit.oak.security.authorization.restriction;
+import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlManager;
import com.google.common.collect.ImmutableList;
-
import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
@@ -32,6 +36,7 @@ import org.apache.jackrabbit.oak.spi.sec
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.CompositePattern;
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.junit.Before;
import org.junit.Test;
@@ -108,4 +113,32 @@ public class RestrictionProviderImplTest
RestrictionPattern pattern = provider.getPattern("/testPath",
restrictions);
assertTrue(pattern instanceof CompositePattern);
}
+
+ @Test
+ public void testValidateGlobRestriction() throws Exception {
+ Tree t = new NodeUtil(root.getTree("/")).addChild("testTree",
"nt:unstructured").getTree();
+ String path = t.getPath();
+
+ AccessControlManager acMgr = getAccessControlManager(root);
+
+ List<String> globs = ImmutableList.of(
+
"/1*/2*/3*/4*/5*/6*/7*/8*/9*/10*/11*/12*/13*/14*/15*/16*/17*/18*/19*/20*/21*",
+ "*********************");
+ for (String glob : globs) {
+ JackrabbitAccessControlList acl =
AccessControlUtils.getAccessControlList(acMgr, path);
+ acl.addEntry(getTestPrincipal(),
+ AccessControlUtils.privilegesFromNames(acMgr,
PrivilegeConstants.JCR_READ),
+ true, Collections.singletonMap(REP_GLOB,
getValueFactory().createValue(glob)));
+ acMgr.setPolicy(path, acl);
+
+ try {
+ provider.validateRestrictions(path,
t.getChild(REP_POLICY).getChild("allow"));
+ fail("AccessControlException expected.");
+ } catch (AccessControlException e) {
+ // success
+ } finally {
+ acMgr.removePolicy(path, acl);
+ }
+ }
+ }
}
\ No newline at end of file
