This is an automated email from the ASF dual-hosted git repository. daim pushed a commit to branch OAK-10199 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git
commit db5a6f8fed0b4206bc61b34ed9ac534ef9d1f8f8
Author: angela <[email protected]>
AuthorDate: Thu Apr 20 17:14:10 2023 +0200
OAK-10200 : CompositeAccessControlManager.getEffectivePolicies(String) should filter duplicate policies
---
 .../authorization/composite/CompositeAccessControlManager.java | 3 +--
 .../composite/CompositeAccessControlManagerTest.java | 10 ++++++++++
 .../security/internal/SecurityProviderRegistrationTest.java | 6 ++++--
 3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java
index 202ff0e611..24cc670463 100644
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java
+++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java
@@ -98,8 +98,7 @@ class CompositeAccessControlManager extends AbstractAccessControlManager {
 break;
 }
 }
- List<AccessControlPolicy> l = policies.build();
- return l.toArray(new AccessControlPolicy[0]);
+ return policies.build().stream().distinct().toArray(AccessControlPolicy[]::new);
 }
 
 @Override
diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java
index b858ff181e..a7d7514e1e 100644
--- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java
+++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java
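Review bot: The new `distinct()` in the return statement of `CompositeAccessControlManager` filters by `AccessControlPolicy.equals()`, so what counts as a duplicate depends on the policy classes of each aggregated manager; an implementation that does not override `equals`/`hashCode` is only collapsed when the very same instance comes back from two managers. Callers read this array to see which access control is in effect at a path, so that contract is worth stating next to the code, e.g. `// distinct() compares with equals(): policies that do not override it are de-duplicated by identity only`. The commit title names only the `String` overload; whether the `Set` overload, which the registration test in this commit also stubs, needs the same filtering cannot be told from this hunk. The method body starts above the hunk.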
@@ -194,6 +194,16 @@ public class CompositeAccessControlManagerTest extends AbstractSecurityTest {
 assertEquals(1, acMgr.getEffectivePolicies(child.getPath()).length);
 }
 
+ @Test
+ public void testGetEffectivePoliciesFiltersDuplicates() throws Exception {
+ TestAcMgr test = new TestAcMgr();
+ test.hasPolicy = true;
+
+ // create a composite that would result in duplicate effective policies
+ AccessControlManager composite = createComposite(test, test);
+ assertEquals(1, composite.getEffectivePolicies(TEST_PATH).length);
+ }
+
 @Test
 public void testSetPolicyAtRoot() throws Exception {
 AccessControlPolicyIterator it = acMgr.getApplicablePolicies("/");
diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistrationTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistrationTest.java
index 23d66cd93f..78449a5626 100644
--- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistrationTest.java
+++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistrationTest.java
@@ -56,6 +56,7 @@ import org.apache.jackrabbit.oak.spi.security.authentication.LoginModuleStatsCol
 import org.apache.jackrabbit.oak.spi.security.authentication.token.CompositeTokenConfiguration;
 import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConfiguration;
 import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ReadPolicy;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregationFilter;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
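Review bot: `testGetEffectivePoliciesFiltersDuplicates` passes the same `TestAcMgr` instance twice and asserts only the array length, so it pins the collapse of an identical result but not that distinct policies survive the filter. For an access-control listing, under-reporting is the direction that hides a grant, so a companion case with two managers returning different policies and an expected length of 2 would guard it. Presumably `TestAcMgr` can be set up that way, but its definition is outside the hunk. Checking the content as well, for example `assertArrayEquals(test.getEffectivePolicies(TEST_PATH), composite.getEffectivePolicies(TEST_PATH));`, would show which policy is kept.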
@@ -1019,9 +1020,10 @@ public class SecurityProviderRegistrationTest extends AbstractSecurityTest { AggregatedPermissionProvider pp = mock(AggregatedPermissionProvider.class); JackrabbitAccessControlManager acMgr = mock(JackrabbitAccessControlManager.class); + // make sure different policies are returned for subsequent calls of the aggregated configurations AccessControlPolicy policy = mock(AccessControlPolicy.class); - when(acMgr.getEffectivePolicies(anyString())).thenReturn(new AccessControlPolicy[] {policy}); - when(acMgr.getEffectivePolicies(any(Set.class))).thenReturn(new AccessControlPolicy[] {policy}); + when(acMgr.getEffectivePolicies(anyString())).thenReturn(new AccessControlPolicy[] {policy}).thenReturn(new AccessControlPolicy[] {ReadPolicy.INSTANCE}); + when(acMgr.getEffectivePolicies(any(Set.class))).thenReturn(new AccessControlPolicy[] {policy}).thenReturn(new AccessControlPolicy[] {ReadPolicy.INSTANCE}); AuthorizationConfiguration ac1 = mock(AuthorizationConfiguration.class); AuthorizationConfiguration ac2 = mock(AuthorizationConfiguration.class);
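Review bot: The chained `thenReturn(...).thenReturn(...)` stubs make the result depend on how often `getEffectivePolicies` has already been called on the single `acMgr` mock: the first call yields `policy` and every later call yields `ReadPolicy.INSTANCE`. If the composite ever asks a delegate more than once, or the order of the aggregated configurations changes, the test quietly exercises the duplicate case again and the count it asserts shifts for reasons unrelated to the code under test. A second mock with a fixed answer, say `acMgr2` with `when(acMgr2.getEffectivePolicies(anyString())).thenReturn(new AccessControlPolicy[] {ReadPolicy.INSTANCE});`, wired to the second configuration would express the same intent without the ordering assumption. How `ac1` and `ac2` are connected to `acMgr` lies below the hunk, so this needs checking against the rest of the test method.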
