This is an automated email from the ASF dual-hosted git repository.
enorman pushed a commit to branch master
in repository
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-jackrabbit-accessmanager.git
The following commit(s) were added to refs/heads/master by this push:
new 022cb26 SLING-11273 Deprecate getDeclaredRestrictionsForPrincipal (#9)
022cb26 is described below
commit 022cb268238405f4aecb0966d79f745846cb5e2f
Author: Eric Norman <[email protected]>
AuthorDate: Sun May 1 13:39:54 2022 -0700
SLING-11273 Deprecate getDeclaredRestrictionsForPrincipal (#9)
---
.../jackrabbit/accessmanager/PrivilegesInfo.java | 340 ++++++++------
.../accessmanager/it/PrivilegesInfoIT.java | 519 +++++++++++++++++++++
2 files changed, 728 insertions(+), 131 deletions(-)
diff --git
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.java
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.java
index ff0775b..ddd2638 100644
---
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.java
+++
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.java
@@ -17,36 +17,49 @@
package org.apache.sling.jcr.jackrabbit.accessmanager;
import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
-import java.util.LinkedHashMap;
-import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
+import javax.jcr.ValueFactory;
import javax.jcr.ValueFormatException;
-import javax.jcr.security.AccessControlEntry;
-import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
-import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
-
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
+import javax.json.JsonArray;
+import javax.json.JsonObject;
+import javax.json.JsonString;
+import javax.json.JsonValue;
+import javax.json.JsonValue.ValueType;
+
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
+import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.sling.jcr.base.util.AccessControlUtil;
+import org.apache.sling.jcr.jackrabbit.accessmanager.impl.JsonConvert;
+import org.osgi.framework.Bundle;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.FrameworkUtil;
+import org.osgi.framework.ServiceReference;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
/**
* Helper class to assist in the usage of access control from scripts.
*/
public class PrivilegesInfo {
+ private Logger logger = LoggerFactory.getLogger(getClass());
/**
* Return the supported Privileges for the specified node.
@@ -156,22 +169,66 @@ public class PrivilegesInfo {
* @throws RepositoryException if any errors reading the information
*/
public Map<Principal, AccessRights> getDeclaredAccessRights(Session
session, String absPath) throws RepositoryException {
- AccessControlEntry[] entries =
getDeclaredAccessControlEntries(session, absPath);
- return mergePrivilegesFromEntries(entries);
+ return toMap(session, useGetAcl(json -> {
+ try {
+ return json.getAcl(session, absPath);
+ } catch (RepositoryException e) {
+ logger.warn("Failed to load Acl", e);
+ }
+ return null;
+ }));
}
- private AccessControlEntry[] getDeclaredAccessControlEntries(Session
session, String absPath) throws RepositoryException {
- AccessControlManager accessControlManager =
AccessControlUtil.getAccessControlManager(session);
- AccessControlPolicy[] policies =
accessControlManager.getPolicies(absPath);
+ /**
+ * Convert the JSON acl to a map of Principal to AccessRights
+ * @param session the jcr session
+ * @param aclJson the acl JSON object
+ * @return map of Principal to AccessRights
+ */
+ protected Map<Principal, AccessRights> toMap(Session session, JsonObject
aclJson)
+ throws RepositoryException {
+ if (aclJson == null) {
+ return Collections.emptyMap();
+ }
- List<AccessControlEntry> allEntries = new ArrayList<>();
- for (AccessControlPolicy accessControlPolicy : policies) {
- if (accessControlPolicy instanceof AccessControlList) {
- AccessControlEntry[] accessControlEntries =
((AccessControlList)accessControlPolicy).getAccessControlEntries();
- allEntries.addAll(Arrays.asList(accessControlEntries));
+ Map<Principal, AccessRights> map;
+ AccessControlManager acm = session.getAccessControlManager();
+ PrincipalManager principalManager =
AccessControlUtil.getPrincipalManager(session);
+ Function<? super JsonValue, ? extends Principal> keyMapper = val -> {
+ String principalId =
((JsonObject)val).getString(JsonConvert.KEY_PRINCIPAL);
+ return principalManager.getPrincipal(principalId);
+ };
+ Function<? super JsonValue, ? extends AccessRights> valueMapper = val
-> {
+ AccessRights rights = new AccessRights();
+ JsonObject privilegesObj =
((JsonObject)val).getJsonObject(JsonConvert.KEY_PRIVILEGES);
+ if (privilegesObj != null) {
+ privilegesObj.entrySet().stream()
+ .forEach(entry -> {
+ Privilege privilege = null;
+ try {
+ privilege = acm.privilegeFromName(entry.getKey());
+ } catch (RepositoryException e) {
+ logger.warn("Failed to resolve privilege", e);
+ }
+ if (privilege != null) {
+ JsonValue value = entry.getValue();
+ if (value instanceof JsonObject) {
+ JsonObject privilegeObj = (JsonObject)value;
+ if
(privilegeObj.containsKey(JsonConvert.KEY_ALLOW)) {
+ rights.granted.add(privilege);
+ }
+ if
(privilegeObj.containsKey(JsonConvert.KEY_DENY)) {
+ rights.denied.add(privilege);
+ }
+ }
+ }
+ });
}
- }
- return allEntries.toArray(new AccessControlEntry[allEntries.size()]);
+ return rights;
+ };
+ map = aclJson.values().stream()
+ .collect(Collectors.toMap(keyMapper, valueMapper));
+ return map;
}
/**
@@ -198,42 +255,10 @@ public class PrivilegesInfo {
* @throws RepositoryException if any errors reading the information
*/
public AccessRights getDeclaredAccessRightsForPrincipal(Session session,
String absPath, String principalId) throws RepositoryException {
- AccessRights rights = null;
- if (principalId != null && principalId.length() > 0) {
- AccessControlManager accessControlManager =
AccessControlUtil.getAccessControlManager(session);
- AccessControlPolicy[] policies =
accessControlManager.getPolicies(absPath);
- rights = toAccessRights(principalId, policies);
- }
-
- return rights;
- }
-
- /**
- * Populate and return an AccessRights object by iterating through each of
the policies
- *
- * @param principalId the user or group the get the rights for
- * @param policies the access control policies to consider
- * @throws RepositoryException
- */
- private AccessRights toAccessRights(String principalId,
AccessControlPolicy[] policies)
- throws RepositoryException {
- AccessRights rights = new AccessRights();
- for (AccessControlPolicy accessControlPolicy : policies) {
- if (accessControlPolicy instanceof AccessControlList) {
- AccessControlEntry[] accessControlEntries =
((AccessControlList)accessControlPolicy).getAccessControlEntries();
- for (AccessControlEntry ace : accessControlEntries) {
- if (principalId.equals(ace.getPrincipal().getName())) {
- boolean isAllow = AccessControlUtil.isAllow(ace);
- if (isAllow) {
-
rights.getGranted().addAll(Arrays.asList(ace.getPrivileges()));
- } else {
-
rights.getDenied().addAll(Arrays.asList(ace.getPrivileges()));
- }
- }
- }
- }
- }
- return rights;
+ Map<Principal, AccessRights> declaredAccessRights =
getDeclaredAccessRights(session, absPath);
+ PrincipalManager principalManager =
AccessControlUtil.getPrincipalManager(session);
+ Principal principal = principalManager.getPrincipal(principalId);
+ return declaredAccessRights.get(principal);
}
/**
@@ -243,7 +268,9 @@ public class PrivilegesInfo {
* @param principalId the principalId to get the access rights for
* @return map of restrictions (key is restriction name, value is Value or
Value[])
* @throws RepositoryException if any errors reading the information
+ * @deprecated don't use this as it assumes that all the privileges have
the same restrictions which may not be true
*/
+ @Deprecated
public Map<String, Object> getDeclaredRestrictionsForPrincipal(Node node,
String principalId) throws RepositoryException {
return getDeclaredRestrictionsForPrincipal(node.getSession(),
node.getPath(), principalId);
}
@@ -256,36 +283,78 @@ public class PrivilegesInfo {
* @param principalId the principalId to get the access rights for
* @return map of restrictions (key is restriction name, value is Value or
Value[])
* @throws RepositoryException if any errors reading the information
+ * @deprecated don't use this as it assumes that all the privileges have
the same restrictions which may not be true
*/
+ @Deprecated
public Map<String, Object> getDeclaredRestrictionsForPrincipal(Session
session, String absPath, String principalId) throws RepositoryException {
- Map<String, Object> restrictions = new LinkedHashMap<>();
- AccessControlEntry[] entries =
getDeclaredAccessControlEntries(session, absPath);
- if (entries != null) {
- for (AccessControlEntry ace : entries) {
- if (principalId.equals(ace.getPrincipal().getName()) &&
- ace instanceof JackrabbitAccessControlEntry) {
- JackrabbitAccessControlEntry jace =
(JackrabbitAccessControlEntry)ace;
- String[] restrictionNames = jace.getRestrictionNames();
- if (restrictionNames != null) {
- for (String name : restrictionNames) {
- try {
- Value value = jace.getRestriction(name);
- if (value != null) {
- restrictions.put(name, value);
- }
- } catch (ValueFormatException vfe) {
- //try multi-value restriction
- Value[] values = jace.getRestrictions(name);
- if (values != null && values.length > 0) {
- restrictions.put(name, values);
- }
- }
- }
- }
- }
+ JsonObject aclJson = useGetAcl(json -> {
+ try {
+ return json.getAcl(session, absPath);
+ } catch (RepositoryException e) {
+ logger.warn("Failed to load Acl", e);
}
+ return null;
+ });
+
+ Map<String, Object> map;
+ if (aclJson == null) {
+ map = Collections.emptyMap();
+ } else {
+ Map<String, RestrictionDefinition> srMap = new HashMap<>();
+ useRestrictionProvider(restrictionProvider -> {
+ Set<RestrictionDefinition> supportedRestrictions =
restrictionProvider.getSupportedRestrictions(absPath);
+ for (RestrictionDefinition restrictionDefinition :
supportedRestrictions) {
+ srMap.put(restrictionDefinition.getName(),
restrictionDefinition);
+ }
+ return null;
+ });
+
+ ValueFactory valueFactory = session.getValueFactory();
+ map = new HashMap<>();
+ aclJson.values().stream()
+ .filter(val -> val instanceof JsonObject &&
((JsonObject)val).getString(JsonConvert.KEY_PRINCIPAL).equals(principalId))
+ .forEach(item -> {
+ JsonObject privilegesObj =
((JsonObject)item).getJsonObject(JsonConvert.KEY_PRIVILEGES);
+ if (privilegesObj != null) {
+ privilegesObj.values()
+ .forEach(privItem -> {
+ if (privItem instanceof JsonObject) {
+ JsonObject privilegeObj =
(JsonObject)privItem;
+ JsonValue jsonValue =
privilegeObj.get(JsonConvert.KEY_ALLOW);
+ if (jsonValue instanceof JsonObject) {
+ JsonObject restriction =
(JsonObject)jsonValue;
+ restriction.entrySet().stream()
+ .forEach(restrictionItem -> {
+ String restrictionName =
restrictionItem.getKey();
+ int type =
srMap.get(restrictionName).getRequiredType().tag();
+ JsonValue value =
restrictionItem.getValue();
+ if
(ValueType.ARRAY.equals(value.getValueType())) {
+ JsonArray jsonArray =
((JsonArray)value);
+ Value []
restrictionValues = new Value[jsonArray.size()];
+ for (int i=0; i <
jsonArray.size(); i++) {
+ try {
+
restrictionValues[i] = valueFactory.createValue(jsonArray.getString(i), type);
+ } catch
(ValueFormatException e) {
+
logger.warn("Failed to create restriction value", e);
+ }
+ }
+
map.put(restrictionName, restrictionValues);
+ } else if (value
instanceof JsonString){
+ try {
+ Value
restrictionValue = valueFactory.createValue(((JsonString)value).getString(),
type);
+
map.put(restrictionName, restrictionValue);
+ } catch
(ValueFormatException e) {
+
logger.warn("Failed to create restriction value", e);
+ }
+ }
+ });
+ }
+ }
+ });
+ }
+ });
}
- return restrictions;
+ return map;
}
/**
@@ -310,47 +379,14 @@ public class PrivilegesInfo {
* @throws RepositoryException if any errors reading the information
*/
public Map<Principal, AccessRights> getEffectiveAccessRights(Session
session, String absPath) throws RepositoryException {
- AccessControlEntry[] entries =
getEffectiveAccessControlEntries(session, absPath);
- return mergePrivilegesFromEntries(entries);
- }
-
- /**
- * Loop through each of the entries to merge the granted and denied
privileges into
- * the map
- *
- * @param entries the entries to process
- * @throws RepositoryException if any errors reading the information
- */
- private Map<Principal, AccessRights>
mergePrivilegesFromEntries(AccessControlEntry[] entries)
- throws RepositoryException {
- Map<Principal, AccessRights> accessMap = new LinkedHashMap<>();
- if (entries != null) {
- for (AccessControlEntry ace : entries) {
- Principal principal = ace.getPrincipal();
- AccessRights accessPrivileges =
accessMap.computeIfAbsent(principal, k -> new AccessRights());
- boolean allow = AccessControlUtil.isAllow(ace);
- if (allow) {
-
accessPrivileges.getGranted().addAll(Arrays.asList(ace.getPrivileges()));
- } else {
-
accessPrivileges.getDenied().addAll(Arrays.asList(ace.getPrivileges()));
+ return toMap(session, useGetEffectiveAcl(json -> {
+ try {
+ return json.getEffectiveAcl(session, absPath);
+ } catch (RepositoryException e) {
+ logger.warn("Failed to load EffectiveAcl", e);
}
- }
- }
- return accessMap;
- }
-
- private AccessControlEntry[] getEffectiveAccessControlEntries(Session
session, String absPath) throws RepositoryException {
- AccessControlManager accessControlManager =
AccessControlUtil.getAccessControlManager(session);
- AccessControlPolicy[] policies =
accessControlManager.getEffectivePolicies(absPath);
-
- List<AccessControlEntry> allEntries = new ArrayList<>();
- for (AccessControlPolicy accessControlPolicy : policies) {
- if (accessControlPolicy instanceof AccessControlList) {
- AccessControlEntry[] accessControlEntries =
((AccessControlList)accessControlPolicy).getAccessControlEntries();
- allEntries.addAll(Arrays.asList(accessControlEntries));
- }
- }
- return allEntries.toArray(new AccessControlEntry[allEntries.size()]);
+ return null;
+ }));
}
/**
@@ -377,14 +413,10 @@ public class PrivilegesInfo {
* @throws RepositoryException if any errors reading the information
*/
public AccessRights getEffectiveAccessRightsForPrincipal(Session session,
String absPath, String principalId) throws RepositoryException {
- AccessRights rights = null;
- if (principalId != null && principalId.length() > 0) {
- AccessControlManager accessControlManager =
AccessControlUtil.getAccessControlManager(session);
- AccessControlPolicy[] policies =
accessControlManager.getEffectivePolicies(absPath);
- rights = toAccessRights(principalId, policies);
- }
-
- return rights;
+ Map<Principal, AccessRights> effectiveAccessRights =
getEffectiveAccessRights(session, absPath);
+ PrincipalManager principalManager =
AccessControlUtil.getPrincipalManager(session);
+ Principal principal = principalManager.getPrincipal(principalId);
+ return effectiveAccessRights.get(principal);
}
/**
@@ -602,4 +634,50 @@ public class PrivilegesInfo {
}
}
+ /**
+ * Utility to lookup a service and then run a function
+ *
+ * @param <S> the service interface type
+ * @param <T> the return type of the fun
+ * @param svc the service class
+ * @param fn the function to invoke
+ * @return the value of invoking the fn
+ */
+ private static <S, T> T useSvc(Class<S> svc, Function<S, T> fn) {
+ T value = null;
+ Bundle bundle = FrameworkUtil.getBundle(PrivilegesInfo.class);
+ if (bundle != null) {
+ BundleContext bundleContext = bundle.getBundleContext();
+ if (bundleContext != null) {
+ ServiceReference<S> serviceReference =
bundleContext.getServiceReference(svc);
+ if (serviceReference != null) {
+ S service = null;
+ try {
+ service = bundleContext.getService(serviceReference);
+ if (service != null) {
+ value = fn.apply(service);
+ }
+ } finally {
+ if (service != null) {
+ bundleContext.ungetService(serviceReference);
+ }
+ }
+ }
+ }
+ }
+ return value;
+ }
+
+ private static <T> T useGetAcl(Function<GetAcl, T> fn) {
+ return useSvc(GetAcl.class, fn);
+ }
+
+ private static <T> T useGetEffectiveAcl(Function<GetEffectiveAcl, T> fn) {
+ return useSvc(GetEffectiveAcl.class, fn);
+ }
+
+ private static <T> T useRestrictionProvider(Function<RestrictionProvider,
T> fn) {
+ return useSvc(RestrictionProvider.class, fn);
+ }
+
}
diff --git
a/src/test/java/org/apache/sling/jcr/jackrabbit/accessmanager/it/PrivilegesInfoIT.java
b/src/test/java/org/apache/sling/jcr/jackrabbit/accessmanager/it/PrivilegesInfoIT.java
new file mode 100644
index 0000000..87aeeef
--- /dev/null
+++
b/src/test/java/org/apache/sling/jcr/jackrabbit/accessmanager/it/PrivilegesInfoIT.java
@@ -0,0 +1,519 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sling.jcr.jackrabbit.accessmanager.it;
+
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Optional;
+
+import javax.inject.Inject;
+import javax.jcr.Node;
+import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
+import javax.jcr.security.Privilege;
+
+import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.sling.jcr.api.SlingRepository;
+import org.apache.sling.jcr.jackrabbit.accessmanager.ModifyAce;
+import org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo;
+import
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo.AccessRights;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.ops4j.pax.exam.junit.PaxExam;
+import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
+import org.ops4j.pax.exam.spi.reactors.PerClass;
+
+@RunWith(PaxExam.class)
+@ExamReactorStrategy(PerClass.class)
+public class PrivilegesInfoIT extends AccessManagerClientTestSupport {
+
+ private static final String NOT_A_REAL_PATH = "/not_a_real_path";
+
+ @Inject
+ private ModifyAce modifyAce;
+
+ @Inject
+ protected SlingRepository repository;
+
+ protected Session adminSession;
+ protected Session testUserSession;
+
+ private Node testNodeForAdmin;
+ private Node testNodeForTestUser;
+
+ @Before
+ public void setup() throws RepositoryException, IOException {
+ testUserId = createTestUser();
+ adminSession = repository.login(new SimpleCredentials("admin",
"admin".toCharArray()));
+ assertNotNull("Expected adminSession to not be null", adminSession);
+ testNodeForAdmin = adminSession.getRootNode().addNode("testNode");
+ setupTestUserAce();
+ adminSession.save();
+
+ testUserSession = repository.login(new SimpleCredentials(testUserId,
"testPwd".toCharArray()));
+ testNodeForTestUser =
testUserSession.getNode(testNodeForAdmin.getPath());
+ }
+
+ protected void setupTestUserAce() throws RepositoryException {
+ assertNotNull(modifyAce);
+ Map<String, String> privilegesMap = new HashMap<>();
+ privilegesMap.put(PrivilegeConstants.JCR_READ, "allow");
+ modifyAce.modifyAce(adminSession,
+ testNodeForAdmin.getPath(),
+ testUserId,
+ privilegesMap,
+ "first",
+ Collections.emptyMap(),
+ Collections.emptyMap(),
+ Collections.emptySet(),
+ true);
+ }
+
+ @After
+ public void teardown() throws RepositoryException {
+ adminSession.refresh(false);
+ testNodeForAdmin.remove();
+ if (adminSession.hasPendingChanges()) {
+ adminSession.save();
+ }
+ adminSession.logout();
+ testUserSession.logout();
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getSupportedPrivileges(javax.jcr.Node)}.
+ */
+ @Test
+ public void testGetSupportedPrivilegesNode() throws RepositoryException {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ Privilege[] supportedPrivileges =
pi.getSupportedPrivileges(testNodeForAdmin);
+ assertNotNull(supportedPrivileges);
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getSupportedPrivileges(javax.jcr.Session,
java.lang.String)}.
+ */
+ @Test
+ public void testGetSupportedPrivilegesSessionString() throws
RepositoryException {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ Privilege[] supportedPrivileges =
pi.getSupportedPrivileges(adminSession, testNodeForAdmin.getPath());
+ assertNotNull(supportedPrivileges);
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getDeclaredAccessRights(javax.jcr.Node)}.
+ */
+ @Test
+ public void testGetDeclaredAccessRightsNode() throws RepositoryException {
+ setupEveryoneAce();
+
+ PrivilegesInfo pi = new PrivilegesInfo();
+ Map<Principal, AccessRights> declaredAccessRights =
pi.getDeclaredAccessRights(testNodeForAdmin);
+ Optional<Principal> findFirst = declaredAccessRights.keySet().stream()
+ .filter(p -> "everyone".equals(p.getName()))
+ .findFirst();
+ assertTrue(findFirst.isPresent());
+ AccessRights rights = declaredAccessRights.get(findFirst.get());
+ assertNotNull(rights);
+ Privilege jcrReadPrivilege =
adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
+ assertTrue(rights.getGranted().contains(jcrReadPrivilege));
+ }
+
+ private Value val(int type, String value) throws RepositoryException {
+ return adminSession.getValueFactory().createValue(value, type);
+ }
+ private Value[] vals(int type, String ... value) throws
RepositoryException {
+ Value[] values = new Value[value.length];
+ ValueFactory vf = adminSession.getValueFactory();
+ for (int i = 0; i < value.length; i++) {
+ values[i] = vf.createValue(value[i], type);
+ }
+ return values;
+ }
+
+ protected void setupEveryoneAce() throws RepositoryException {
+ assertNotNull(modifyAce);
+ Map<String, String> privilegesMap = new HashMap<>();
+ privilegesMap.put(PrivilegeConstants.JCR_READ, "allow");
+ privilegesMap.put(PrivilegeConstants.JCR_WRITE, "deny");
+ modifyAce.modifyAce(adminSession,
+ testNodeForAdmin.getPath(),
+ "everyone",
+ privilegesMap,
+ "first",
+ Collections.singletonMap(AccessControlConstants.REP_GLOB,
val(PropertyType.STRING, "/hello")),
+
Collections.singletonMap(AccessControlConstants.REP_ITEM_NAMES,
vals(PropertyType.NAME, "child1", "child2")),
+ Collections.emptySet(),
+ true);
+
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getDeclaredAccessRights(javax.jcr.Session,
java.lang.String)}.
+ */
+ @Test
+ public void testGetDeclaredAccessRightsSessionString() throws
RepositoryException {
+ setupEveryoneAce();
+
+ PrivilegesInfo pi = new PrivilegesInfo();
+ Map<Principal, AccessRights> declaredAccessRights =
pi.getDeclaredAccessRights(adminSession, testNodeForAdmin.getPath());
+ Optional<Principal> findFirst = declaredAccessRights.keySet().stream()
+ .filter(p -> "everyone".equals(p.getName()))
+ .findFirst();
+ assertTrue(findFirst.isPresent());
+ AccessRights rights = declaredAccessRights.get(findFirst.get());
+ assertNotNull(rights);
+ Privilege jcrReadPrivilege =
adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
+ assertTrue(rights.getGranted().contains(jcrReadPrivilege));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getDeclaredAccessRightsForPrincipal(javax.jcr.Node,
java.lang.String)}.
+ */
+ @Test
+ public void testGetDeclaredAccessRightsForPrincipalNodeString() throws
RepositoryException {
+ setupEveryoneAce();
+
+ PrivilegesInfo pi = new PrivilegesInfo();
+ AccessRights rights =
pi.getDeclaredAccessRightsForPrincipal(testNodeForAdmin, "everyone");
+ assertNotNull(rights);
+ Privilege jcrReadPrivilege =
adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
+ assertTrue(rights.getGranted().contains(jcrReadPrivilege));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getDeclaredAccessRightsForPrincipal(javax.jcr.Session,
java.lang.String, java.lang.String)}.
+ */
+ @Test
+ public void testGetDeclaredAccessRightsForPrincipalSessionStringString()
throws RepositoryException {
+ setupEveryoneAce();
+
+ PrivilegesInfo pi = new PrivilegesInfo();
+ AccessRights rights =
pi.getDeclaredAccessRightsForPrincipal(adminSession,
testNodeForAdmin.getPath(), "everyone");
+ assertNotNull(rights);
+ Privilege jcrReadPrivilege =
adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
+ assertTrue(rights.getGranted().contains(jcrReadPrivilege));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getDeclaredRestrictionsForPrincipal(javax.jcr.Node,
java.lang.String)}.
+ * @deprecated api deprecated, test left for regression testing
+ */
+ @Deprecated
+ @Test
+ public void testGetDeclaredRestrictionsForPrincipalNodeString() throws
RepositoryException {
+ setupEveryoneAce();
+
+ PrivilegesInfo pi = new PrivilegesInfo();
+ Map<String, Object> restrictions =
pi.getDeclaredRestrictionsForPrincipal(testNodeForAdmin, "everyone");
+ assertNotNull(restrictions);
+ assertEquals(val(PropertyType.STRING, "/hello"),
restrictions.get(AccessControlConstants.REP_GLOB));
+ assertArrayEquals(vals(PropertyType.NAME, "child1", "child2"),
(Value[])restrictions.get(AccessControlConstants.REP_ITEM_NAMES));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getDeclaredRestrictionsForPrincipal(javax.jcr.Session,
java.lang.String, java.lang.String)}.
+ * @deprecated api deprecated, test left for regression testing
+ */
+ @Deprecated
+ @Test
+ public void testGetDeclaredRestrictionsForPrincipalSessionStringString()
throws RepositoryException {
+ setupEveryoneAce();
+
+ PrivilegesInfo pi = new PrivilegesInfo();
+ Map<String, Object> restrictions =
pi.getDeclaredRestrictionsForPrincipal(adminSession,
testNodeForAdmin.getPath(), "everyone");
+ assertNotNull(restrictions);
+ assertEquals(val(PropertyType.STRING, "/hello"),
restrictions.get(AccessControlConstants.REP_GLOB));
+ assertArrayEquals(vals(PropertyType.NAME, "child1", "child2"),
(Value[])restrictions.get(AccessControlConstants.REP_ITEM_NAMES));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getEffectiveAccessRights(javax.jcr.Node)}.
+ */
+ @Test
+ public void testGetEffectiveAccessRightsNode() throws RepositoryException {
+ setupEveryoneAce();
+
+ PrivilegesInfo pi = new PrivilegesInfo();
+ Map<Principal, AccessRights> effectiveAccessRights =
pi.getEffectiveAccessRights(adminSession, testNodeForAdmin.getPath());
+ Optional<Principal> findFirst = effectiveAccessRights.keySet().stream()
+ .filter(p -> "everyone".equals(p.getName()))
+ .findFirst();
+ assertTrue(findFirst.isPresent());
+ AccessRights rights = effectiveAccessRights.get(findFirst.get());
+ assertNotNull(rights);
+ Privilege jcrReadPrivilege =
adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
+ assertTrue(rights.getGranted().contains(jcrReadPrivilege));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getEffectiveAccessRights(javax.jcr.Session,
java.lang.String)}.
+ */
+ @Test
+ public void testGetEffectiveAccessRightsSessionString() throws
RepositoryException {
+ setupEveryoneAce();
+
+ PrivilegesInfo pi = new PrivilegesInfo();
+ Map<Principal, AccessRights> effectiveAccessRights =
pi.getEffectiveAccessRights(testNodeForAdmin);
+ Optional<Principal> findFirst = effectiveAccessRights.keySet().stream()
+ .filter(p -> "everyone".equals(p.getName()))
+ .findFirst();
+ assertTrue(findFirst.isPresent());
+ AccessRights rights = effectiveAccessRights.get(findFirst.get());
+ assertNotNull(rights);
+ Privilege jcrReadPrivilege =
adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
+ assertTrue(rights.getGranted().contains(jcrReadPrivilege));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getEffectiveAccessRightsForPrincipal(javax.jcr.Node,
java.lang.String)}.
+ */
+ @Test
+ public void testGetEffectiveAccessRightsForPrincipalNodeString() throws
RepositoryException {
+ setupEveryoneAce();
+
+ PrivilegesInfo pi = new PrivilegesInfo();
+ AccessRights rights =
pi.getEffectiveAccessRightsForPrincipal(testNodeForAdmin, "everyone");
+ assertNotNull(rights);
+ Privilege jcrReadPrivilege =
adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
+ assertTrue(rights.getGranted().contains(jcrReadPrivilege));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getEffectiveAccessRightsForPrincipal(javax.jcr.Session,
java.lang.String, java.lang.String)}.
+ */
+ @Test
+ public void testGetEffectiveAccessRightsForPrincipalSessionStringString()
throws RepositoryException {
+ setupEveryoneAce();
+
+ PrivilegesInfo pi = new PrivilegesInfo();
+ AccessRights rights =
pi.getEffectiveAccessRightsForPrincipal(adminSession,
testNodeForAdmin.getPath(), "everyone");
+ assertNotNull(rights);
+ Privilege jcrReadPrivilege =
adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
+ assertTrue(rights.getGranted().contains(jcrReadPrivilege));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canAddChildren(javax.jcr.Node)}.
+ */
+ @Test
+ public void testCanAddChildrenNode() {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ assertTrue(pi.canAddChildren(testNodeForAdmin));
+ assertFalse(pi.canAddChildren(testNodeForTestUser));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canAddChildren(javax.jcr.Session,
java.lang.String)}.
+ */
+ @Test
+ public void testCanAddChildrenSessionString() throws RepositoryException {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ assertTrue(pi.canAddChildren(adminSession,
testNodeForAdmin.getPath()));
+ assertFalse(pi.canAddChildren(testUserSession,
testNodeForTestUser.getPath()));
+ assertFalse(pi.canAddChildren(testUserSession, NOT_A_REAL_PATH));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canDeleteChildren(javax.jcr.Node)}.
+ */
+ @Test
+ public void testCanDeleteChildrenNode() {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ assertTrue(pi.canDeleteChildren(testNodeForAdmin));
+ assertFalse(pi.canDeleteChildren(testNodeForTestUser));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canDeleteChildren(javax.jcr.Session,
java.lang.String)}.
+ */
+ @Test
+ public void testCanDeleteChildrenSessionString() throws
RepositoryException {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ assertTrue(pi.canDeleteChildren(adminSession,
testNodeForAdmin.getPath()));
+ assertFalse(pi.canDeleteChildren(testUserSession,
testNodeForTestUser.getPath()));
+ assertFalse(pi.canDeleteChildren(testUserSession, NOT_A_REAL_PATH));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canDelete(javax.jcr.Node)}.
+ */
+ @Test
+ public void testCanDeleteNode() {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ assertTrue(pi.canDelete(testNodeForAdmin));
+ assertFalse(pi.canDelete(testNodeForTestUser));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canDelete(javax.jcr.Session,
java.lang.String)}.
+ */
+ @Test
+ public void testCanDeleteSessionString() throws RepositoryException {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ assertTrue(pi.canDelete(adminSession, testNodeForAdmin.getPath()));
+ assertFalse(pi.canDelete(testUserSession,
testNodeForTestUser.getPath()));
+ assertFalse(pi.canDelete(testUserSession, NOT_A_REAL_PATH));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canModifyProperties(javax.jcr.Node)}.
+ */
+ @Test
+ public void testCanModifyPropertiesNode() {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ assertTrue(pi.canModifyProperties(testNodeForAdmin));
+ assertFalse(pi.canModifyProperties(testNodeForTestUser));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canModifyProperties(javax.jcr.Session,
java.lang.String)}.
+ */
+ @Test
+ public void testCanModifyPropertiesSessionString() throws
RepositoryException {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ assertTrue(pi.canModifyProperties(adminSession,
testNodeForAdmin.getPath()));
+ assertFalse(pi.canModifyProperties(testUserSession,
testNodeForTestUser.getPath()));
+ assertFalse(pi.canModifyProperties(testUserSession, NOT_A_REAL_PATH));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canReadAccessControl(javax.jcr.Node)}.
+ */
+ @Test
+ public void testCanReadAccessControlNode() {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ assertTrue(pi.canReadAccessControl(testNodeForAdmin));
+ assertFalse(pi.canReadAccessControl(testNodeForTestUser));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canReadAccessControl(javax.jcr.Session,
java.lang.String)}.
+ */
+ @Test
+ public void testCanReadAccessControlSessionString() throws
RepositoryException {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ assertTrue(pi.canReadAccessControl(adminSession,
testNodeForAdmin.getPath()));
+ assertFalse(pi.canReadAccessControl(testUserSession,
testNodeForTestUser.getPath()));
+ assertFalse(pi.canReadAccessControl(testUserSession, NOT_A_REAL_PATH));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canModifyAccessControl(javax.jcr.Node)}.
+ */
+ @Test
+ public void testCanModifyAccessControlNode() {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ assertTrue(pi.canModifyAccessControl(testNodeForAdmin));
+ assertFalse(pi.canModifyAccessControl(testNodeForTestUser));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canModifyAccessControl(javax.jcr.Session,
java.lang.String)}.
+ */
+ @Test
+ public void testCanModifyAccessControlSessionString() throws
RepositoryException {
+ PrivilegesInfo pi = new PrivilegesInfo();
+ assertTrue(pi.canModifyAccessControl(adminSession,
testNodeForAdmin.getPath()));
+ assertFalse(pi.canModifyAccessControl(testUserSession,
testNodeForTestUser.getPath()));
+ assertFalse(pi.canModifyAccessControl(testUserSession,
NOT_A_REAL_PATH));
+ }
+
+ protected AccessRights setupAccessRights() throws RepositoryException {
+ AccessRights rights = new AccessRights();
+ Privilege jcrReadPrivilege =
adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
+ rights.getGranted().add(jcrReadPrivilege);
+ Privilege jcrWritePrivilege =
adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_WRITE);
+ rights.getDenied().add(jcrWritePrivilege);
+ return rights;
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo.AccessRights#getGranted()}.
+ */
+ @Test
+ public void testGetGranted() throws RepositoryException {
+ AccessRights rights = setupAccessRights();
+
assertTrue(rights.getGranted().contains(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ)));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo.AccessRights#getDenied()}.
+ */
+ @Test
+ public void testGetDenied() throws RepositoryException {
+ AccessRights rights = setupAccessRights();
+
assertTrue(rights.getDenied().contains(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_WRITE)));
+ }
+
+ /**
+ * Test method for {@link
org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo.AccessRights#getPrivilegeSetDisplayName(java.util.Locale)}.
+ */
+ @Test
+ public void testGetPrivilegeSetDisplayName() throws RepositoryException {
+ AccessRights rights = new AccessRights();
+ //none
+ assertEquals("None",
rights.getPrivilegeSetDisplayName(Locale.getDefault()));
+
+ //all
+
rights.getGranted().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_ALL));
+ assertEquals("Full Control",
rights.getPrivilegeSetDisplayName(Locale.getDefault()));
+
+ //read-only
+ rights.getGranted().clear();
+
rights.getGranted().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ));
+ assertEquals("Read Only",
rights.getPrivilegeSetDisplayName(Locale.getDefault()));
+
+ //read-write
+
rights.getGranted().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_WRITE));
+ assertEquals("Read/Write",
rights.getPrivilegeSetDisplayName(Locale.getDefault()));
+
+ //custom
+ rights.getGranted().clear();
+
rights.getGranted().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ assertEquals("Custom",
rights.getPrivilegeSetDisplayName(Locale.getDefault()));
+
+ //custom
+ rights.getGranted().clear();
+
rights.getGranted().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ));
+
rights.getGranted().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ assertEquals("Custom",
rights.getPrivilegeSetDisplayName(Locale.getDefault()));
+
+ //custom
+ rights.getGranted().clear();
+
rights.getDenied().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_WRITE));
+ assertEquals("Custom",
rights.getPrivilegeSetDisplayName(Locale.getDefault()));
+ }
+
+}
