[
https://issues.apache.org/jira/browse/OAK-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17024307#comment-17024307
]
Kunal Shubham commented on OAK-8855:
------------------------------------
[~angela] Here's explanation about some parts of the test case:
{quote}Tree cugPolicyNode = root.getTree("/content/a/rep:cugPolicy");
cugPolicyNode.removeProperty(HIDDEN_NESTED_CUGS);{quote}
Remove :nestedCugs from /content/a/rep:cugPolicy. I have verified with the
assertNestedCugs(root, getRootProvider(), "/content/a", true, "/content/a/b1",
"/content/a/b2") statement that indeed *we are able to remove :nestedCugs with
this API.* Please correct me if I am wrong but there are several places where
hidden properties are read/added/removed, [1] and [2] being examples.
{quote}PropertyState ps1 =
PropertyStates.createProperty(CugConstants.REP_PRINCIPAL_NAMES,
ImmutableSet.of(TEST_GROUP_ID), Type.STRINGS);
PropertyState ps2 =
PropertyStates.createProperty(CugConstants.REP_PRINCIPAL_NAMES,
ImmutableSet.of(TEST_GROUP2_ID), Type.STRINGS);
root.getTree("/content/a/b1/rep:cugPolicy").setProperty(ps1);
root.getTree("/content/a/b2/rep:cugPolicy").setProperty(ps2);
root.commit(); // should restore :nestedCugs in
"/content/a/rep:cugPolicy"{quote}
The intent here is to "touch" the children nodes b1 and b2 so that these nodes
are also considered to be modified, so that :nestedCugs on
/content/a/rep:cugPolicy can be reconstructed. In reality the property
rep:principalNames are overwritten but not changed. The intention was not to
add principals on these nodes again but to get them considered for modification
by the NestedCugHook. I could not find a better API for this job so I just
reassigned the users to the nodes. Please note that b1 and b2 need to be
"touched" so that the :nestedCugs can be reconstructed on
/content/a/rep:cugPolicy. I hope it makes sense. Any suggestion for improvement
on this step will be appreciated!!
After this, the permissions of a user on different nodes are verified. Please
also refer to my first comment [3] which explains more about this.
{quote}i would appreciate if you could explain/rework the test class.
{quote}
The existing setup of nodes, users and groups defined in *AbstractCugTest.java*
did not allow me to test out this specific scenario. For example,
* I needed a group which contains two users (both non-admin).
* I needed a node (non-root) which contains two child node.
That's why I thought it reasonable to add another test class, and define
*setupNestedCugsAndAcls()* which creates the node structure and groups that I
required.
{quote}the names sound super generic but you have a very specific case instead.
{quote}
For naming, I think *"NestedCugPermissionTest.java"* is more fitting.
[1]
[https://github.com/apache/jackrabbit-oak/blob/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java#L81-83|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java#L81]
[2]
[https://github.com/apache/jackrabbit-oak/blob/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/NestedCugHook.java#L114]
[3]
https://issues.apache.org/jira/browse/OAK-8855?focusedCommentId=17015025&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17015025
> Permission evaluation of nodes broken after :nestedCug removed from parent
> node
> -------------------------------------------------------------------------------
>
> Key: OAK-8855
> URL: https://issues.apache.org/jira/browse/OAK-8855
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: authorization-cug
> Affects Versions: 1.8.7
> Reporter: Kunal Shubham
> Assignee: Angela Schreiber
> Priority: Major
> Attachments: 0001-Fix-nestedcug-permission-issue.patch,
> OAK-8855_backport.patch
>
>
> Steps to Reproduce:
> # Create a node 'a' which has two children nodes 'b1' and 'b2'. The content
> tree looks as shown: /content/a/b1, /content/a/b2. Create two users user1 and
> user2.
> # Apply CUG policy on /content/a.
> ** Authorize user1 and user2 to read /content/a.
> ** Authorize user1 to read /content/a/b1.
> ** Authorize user2 to read /content/a/b2.
> # Remove :nestedCugs property from /content/a/rep:cugPolicy.
> # Create a content session, login with user2. Try to read /content/a/b1.
> *Observed behavior* : user2 is able to read /content/a/b1.
> *Expected behavior* : user2 should not be able to read /content/a/b1 as it is
> unauthorized to do so.
> Please note that :nestedCugs is removed by a mechanism which completely
> overwrites content tree below "/content/a".
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
