Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java (from r1705991, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java) URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java&r1=1705991&r2=1707085&rev=1707085&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java (original) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java Tue Oct 6 16:27:36 2015 @@ -16,9 +16,91 @@ */ package org.apache.jackrabbit.oak.security.authorization.composite; -import org.apache.jackrabbit.oak.AbstractSecurityTest; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission; +import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; +import org.junit.Test; -public class CompositePermissionProviderTest extends AbstractSecurityTest { +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; - // TODO +/** + * Test the effect of the combination of + * + * - default permission provider + * - custom provider that grants JCR_NAMESPACE_MANAGEMENT on repository level + * and REP_READ_NODES only + * + * both for the set of principals associated with the test user and with the admin session. + * The expected outcome is that + * - test user can only read nodes where this is also granted by the default provider + * but has no other access granted + * - admin user can only read nodes and register namespaces + */ +public class CompositeProviderLimitedTest extends AbstractCompositeProviderTest { + + private CompositePermissionProvider cppTestUser; + private CompositePermissionProvider cppAdminUser; + + @Override + public void before() throws Exception { + super.before(); + + cppTestUser = createPermissionProvider(getTestUser().getPrincipal(), EveryonePrincipal.getInstance()); + cppAdminUser = createPermissionProvider(root.getContentSession().getAuthInfo().getPrincipals()); + } + + @Override + protected AggregatedPermissionProvider getTestPermissionProvider() { + return new TestPermissionProvider(root, true); + } + + @Test + public void testGetPrivileges() throws Exception { + // TODO + } + + + @Test + public void testHasPrivileges() throws Exception { + // TODO + } + + + @Test + public void testIsGranted() throws Exception { + // TODO + } + + @Test + public void testIsGrantedAction() throws Exception { + // TODO + } + + @Test + public void testRepositoryPermissionIsGranted() throws Exception { + RepositoryPermission rp = cppTestUser.getRepositoryPermission(); + assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT)); + + assertFalse(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + } + + @Test + public void testRepositoryPermissionIsGrantedAdminUser() throws Exception { + RepositoryPermission rp = cppAdminUser.getRepositoryPermission(); + assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT)); + + assertFalse(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + assertFalse(rp.isGranted(Permissions.PRIVILEGE_MANAGEMENT)); + assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT|Permissions.PRIVILEGE_MANAGEMENT)); + assertFalse(rp.isGranted(Permissions.ALL)); + } + + @Test + public void testGetTreePermission() throws Exception { + // TODO + } } \ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeReverseTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeReverseTest.java?rev=1707085&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeReverseTest.java (added) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeReverseTest.java Tue Oct 6 16:27:36 2015 @@ -0,0 +1,29 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authorization.composite; + +/** + * Same as {@link CompositeProviderNoScopeTest} + * with reverse order of the aggregated providers. + */ +public class CompositeProviderNoScopeReverseTest extends CompositeProviderNoScopeTest { + + @Override + boolean reverseOrder() { + return true; + } +} \ No newline at end of file Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java?rev=1707085&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java (added) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java Tue Oct 6 16:27:36 2015 @@ -0,0 +1,294 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authorization.composite; + +import java.security.Principal; +import java.util.Set; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; + +import com.google.common.collect.ImmutableSet; +import org.apache.jackrabbit.oak.api.ContentSession; +import org.apache.jackrabbit.oak.api.PropertyState; +import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.plugins.tree.TreeLocation; +import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; +import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; +import org.junit.Test; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; + +/** + * Test the effect of the combination of + * + * - default permission provider + * - custom provider that doesn't support any permissions nowhere + * + * The tests are executed both for the set of principals associated with the test + * user and with the admin session. + * The expected outcome is that the composite provider behaves exactly like the + * default provider (i.e. is never respected during evaluation). + * + * While there is no real use in such a {@link AggregatedPermissionProvider}, that + * is never called, is is used here to verify that the composite provider doesn't + * introduce any regressions compared to the default provider implementation. + */ +public class CompositeProviderNoScopeTest extends AbstractCompositeProviderTest { + + private CompositePermissionProvider cppTestUser; + private PermissionProvider defTestUser; + + private CompositePermissionProvider cppAdminUser; + private PermissionProvider defAdminUser; + + + @Override + public void before() throws Exception { + super.before(); + + ContentSession cs = root.getContentSession(); + + Set<Principal> testPrincipals = ImmutableSet.of(getTestUser().getPrincipal(), EveryonePrincipal.getInstance()); + cppTestUser = createPermissionProvider(testPrincipals); + defTestUser = getConfig(AuthorizationConfiguration.class).getPermissionProvider(root, cs.getWorkspaceName(), testPrincipals); + + Set<Principal> adminPrincipals = cs.getAuthInfo().getPrincipals(); + cppAdminUser = createPermissionProvider(adminPrincipals); + defAdminUser = getConfig(AuthorizationConfiguration.class).getPermissionProvider(root, cs.getWorkspaceName(), adminPrincipals); + } + + @Override + protected AggregatedPermissionProvider getTestPermissionProvider() { + return new NotSupportingProvider(); + } + + @Test + public void testGetPrivileges() throws Exception { + for (String p : defPrivileges.keySet()) { + Set<String> expected = defPrivileges.get(p); + Tree tree = root.getTree(p); + + assertEquals(p, expected, cppTestUser.getPrivileges(tree)); + assertEquals(p, defTestUser.getPrivileges(tree), cppTestUser.getPrivileges(tree)); + } + } + + @Test + public void testGetPrivilegesAdmin() throws Exception { + Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_ALL); + for (String p : NODE_PATHS) { + Tree tree = root.getTree(p); + + assertEquals(p, expected, cppAdminUser.getPrivileges(tree)); + assertEquals(p, defAdminUser.getPrivileges(tree), cppAdminUser.getPrivileges(tree)); + } + } + + @Test + public void testGetPrivilegesOnRepo() throws Exception { + Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT); + + assertEquals(expected, cppTestUser.getPrivileges(null)); + assertEquals(defTestUser.getPrivileges(null), cppTestUser.getPrivileges(null)); + } + + @Test + public void testGetPrivilegesOnRepoAdmin() throws Exception { + Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_ALL); + + assertEquals(expected, cppAdminUser.getPrivileges(null)); + assertEquals(defAdminUser.getPrivileges(null), cppAdminUser.getPrivileges(null)); + } + + + @Test + public void testHasPrivileges() throws Exception { + for (String p : defPrivileges.keySet()) { + Set<String> expected = defPrivileges.get(p); + Tree tree = root.getTree(p); + + String[] privNames = expected.toArray(new String[expected.size()]); + assertTrue(p, cppTestUser.hasPrivileges(tree, privNames)); + assertEquals(p, defTestUser.hasPrivileges(tree, privNames), cppTestUser.hasPrivileges(tree, privNames)); + } + } + + @Test + public void testHasPrivilegesAdmin() throws Exception { + for (String p : NODE_PATHS) { + Tree tree = root.getTree(p); + + assertTrue(p, cppAdminUser.hasPrivileges(tree, PrivilegeConstants.JCR_ALL)); + assertEquals(p, defAdminUser.hasPrivileges(tree, PrivilegeConstants.JCR_ALL), cppAdminUser.hasPrivileges(tree, PrivilegeConstants.JCR_ALL)); + } + } + + @Test + public void testHasPrivilegesOnRepo() throws Exception { + assertTrue(cppTestUser.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); + assertEquals( + defTestUser.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT), + cppTestUser.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); + + assertTrue(cppTestUser.hasPrivileges(null)); + assertEquals( + defTestUser.hasPrivileges(null), + cppTestUser.hasPrivileges(null)); + } + + @Test + public void testHasPrivilegeOnRepoAdminUser() throws Exception { + assertTrue(cppAdminUser.hasPrivileges(null, PrivilegeConstants.JCR_ALL)); + assertEquals( + defAdminUser.hasPrivileges(null, PrivilegeConstants.JCR_ALL), + cppAdminUser.hasPrivileges(null, PrivilegeConstants.JCR_ALL)); + + assertTrue(cppAdminUser.hasPrivileges(null)); + assertEquals( + defAdminUser.hasPrivileges(null), + cppAdminUser.hasPrivileges(null)); + } + + + @Test + public void testIsGranted() throws Exception { + for (String p : defPermissions.keySet()) { + long expected = defPermissions.get(p); + Tree tree = root.getTree(p); + + assertTrue(p, cppTestUser.isGranted(tree, null, expected)); + assertEquals(p, defTestUser.isGranted(tree, null, expected), cppTestUser.isGranted(tree, null, expected)); + } + } + + @Test + public void testIsGrantedAdmin() throws Exception { + for (String p : defPermissions.keySet()) { + Tree tree = root.getTree(p); + + assertTrue(p, cppAdminUser.isGranted(tree, null, Permissions.ALL)); + assertEquals(p, defAdminUser.isGranted(tree, null, Permissions.ALL), cppAdminUser.isGranted(tree, null, Permissions.ALL)); + } + } + + @Test + public void testIsGrantedProperty() throws Exception { + // TODO + } + + @Test + public void testIsGrantedAction() throws Exception { + // TODO + } + + @Test + public void testRepositoryPermissionIsGranted() throws Exception { + RepositoryPermission rp = cppTestUser.getRepositoryPermission(); + + assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT)); + assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + } + + @Test + public void testRepositoryPermissionIsGrantedAdminUser() throws Exception { + RepositoryPermission rp = cppAdminUser.getRepositoryPermission(); + + assertTrue(rp.isGranted(Permissions.ALL)); + } + + @Test + public void testGetTreePermission() throws Exception { + // TODO + } + + private static final class NotSupportingProvider implements AggregatedPermissionProvider { + + @Nonnull + @Override + public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) { + return PrivilegeBits.EMPTY; + } + + @Override + public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions) { + return Permissions.NO_PERMISSION; + } + + @Override + public long supportedPermissions(@Nonnull TreeLocation location, long permissions) { + return Permissions.NO_PERMISSION; + } + + @Override + public long supportedPermissions(@Nonnull TreePermission treePermission, long permissions) { + return Permissions.NO_PERMISSION; + } + + @Override + public boolean isGranted(@Nonnull TreeLocation location, long permissions) { + throw new UnsupportedOperationException("should never get here"); + } + + @Override + public void refresh() { + // nop + } + + @Nonnull + @Override + public Set<String> getPrivileges(@Nullable Tree tree) { + throw new UnsupportedOperationException("should never get here"); + } + + @Override + public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) { + throw new UnsupportedOperationException("should never get here"); + } + + @Nonnull + @Override + public RepositoryPermission getRepositoryPermission() { + throw new UnsupportedOperationException("should never get here"); + } + + @Nonnull + @Override + public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) { + // TODO: fix such that this is no required + return TreePermission.EMPTY; + } + + @Override + public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) { + throw new UnsupportedOperationException("should never get here"); + } + + @Override + public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) { + throw new UnsupportedOperationException("should never get here"); + } + } +} \ No newline at end of file Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeReverseTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeReverseTest.java?rev=1707085&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeReverseTest.java (added) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeReverseTest.java Tue Oct 6 16:27:36 2015 @@ -0,0 +1,29 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authorization.composite; + +/** + * Same as {@link CompositeProviderScopeTest} + * with reverse order of the aggregated providers. + */ +public class CompositeProviderScopeReverseTest extends CompositeProviderScopeTest { + + @Override + boolean reverseOrder() { + return true; + } +} \ No newline at end of file Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java?rev=1707085&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java (added) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java Tue Oct 6 16:27:36 2015 @@ -0,0 +1,114 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authorization.composite; + +import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission; +import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; +import org.junit.Test; + +import static org.junit.Assert.assertTrue; + +/** + * Test the effect of the combination of + * + * - default permission provider + * - custom provider that only supports namespace-management permission on repository level + * and within the regular tree only supports permission evaluation of a limited + * set of permissions (write) below {@link #TEST_CHILD_PATH}. + * + * The tests are executed both for the set of principals associated with the test + * user and with the admin session. + * The expected outcome is that + * - the custom provider only takes effect below {@link #TEST_CHILD_PATH} and + * only for the supported permissions (read-nodes only). + * - admin user has full access except for read-node-access below {@link #TEST_CHILD_PATH} + * where the custom provider impacts the evaluation. + */ +public class CompositeProviderScopeTest extends AbstractCompositeProviderTest { + + private CompositePermissionProvider cppTestUser; + private CompositePermissionProvider cppAdminUser; + + @Override + public void before() throws Exception { + super.before(); + + cppTestUser = createPermissionProvider(getTestUser().getPrincipal(), EveryonePrincipal.getInstance()); + cppAdminUser = createPermissionProvider(root.getContentSession().getAuthInfo().getPrincipals()); + } + + @Override + protected AggregatedPermissionProvider getTestPermissionProvider() { + return new TestPermissionProvider(root, false); + } + + @Test + public void testGetPrivileges() throws Exception { + // TODO + } + + + @Test + public void testHasPrivileges() throws Exception { + // TODO + } + + + @Test + public void testIsGranted() throws Exception { + // TODO + } + + @Test + public void testIsGrantedProperty() throws Exception { + // TODO + } + + @Test + public void testIsGrantedAction() throws Exception { + // TODO + } + + @Test + public void testRepositoryPermissionIsGranted() throws Exception { + RepositoryPermission rp = cppTestUser.getRepositoryPermission(); + + assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT)); + assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + } + + @Test + public void testRepositoryPermissionIsGrantedAdminUser() throws Exception { + RepositoryPermission rp = cppAdminUser.getRepositoryPermission(); + + assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT)); + assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + + assertTrue(rp.isGranted(Permissions.PRIVILEGE_MANAGEMENT)); + assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT|Permissions.PRIVILEGE_MANAGEMENT)); + assertTrue(rp.isGranted(Permissions.ALL)); + } + + @Test + public void testGetTreePermission() throws Exception { + // TODO + } +} \ No newline at end of file Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java?rev=1707085&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java (added) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java Tue Oct 6 16:27:36 2015 @@ -0,0 +1,255 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authorization.composite; + +import java.util.Arrays; +import java.util.Set; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; +import javax.jcr.Session; + +import com.google.common.collect.ImmutableSet; +import org.apache.jackrabbit.oak.api.PropertyState; +import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.commons.PathUtils; +import org.apache.jackrabbit.oak.plugins.tree.TreeLocation; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; +import org.apache.jackrabbit.oak.spi.state.NodeState; +import org.apache.jackrabbit.util.Text; + +/** + * Test implementation of the {@code AggregatedPermissionProvider} with following + * characteristics: + * + * If {@code supportsAll} is {@code true} this provider supports all permissions + * but only grants {@link Permissions#NAMESPACE_MANAGEMENT} on repository level + * and {@link Permissions#READ_NODE} on regular items. + * In this case the provider will always be respected for evaluation and will + * therefore cause the final result to be always restricted to the permissions + * granted by this provider. + * + * If {@code supportsAll} is {@code false} this provider supports + * - {@link Permissions#NAMESPACE_MANAGEMENT} on repository level + * - {@link Permissions#READ_NODE} at the tree defined by {@link AbstractCompositeProviderTest#TEST_A_PATH} + * - {@link Permissions#NO_PERMISSION} everywhere else. + * The permissions granted are the same as above. Due to the limited scope + * however, the provider will in this case only respected for evaluation at + * the supported paths (and at the repo level). The final result will restricted + * to the permissions granted by this provider at the supported paths. For all + * other paths the access limitations of this provider have no effect. + */ +class TestPermissionProvider implements AggregatedPermissionProvider { + + private final Root root; + private final boolean supportsAll; + + TestPermissionProvider(@Nonnull Root root, boolean supportsAll) { + this.root = root; + this.supportsAll = supportsAll; + } + + //-------------------------------------------------< PermissionProvider >--- + @Override + public void refresh() { + //nop + } + + @Nonnull + @Override + public Set<String> getPrivileges(@Nullable Tree tree) { + if (tree == null) { + return ImmutableSet.of(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT); + } else if (isSupported(tree)) { + return ImmutableSet.of(PrivilegeConstants.REP_READ_NODES); + } else { + return ImmutableSet.of(); + } + + } + + @Override + public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) { + if (tree == null) { + return Arrays.equals(new String[]{PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT}, privilegeNames); + } else if (isSupported(tree)) { + return Arrays.equals(new String[]{PrivilegeConstants.REP_READ_NODES}, privilegeNames); + } else { + return false; + } + } + + @Nonnull + @Override + public RepositoryPermission getRepositoryPermission() { + return new RepositoryPermission() { + @Override + public boolean isGranted(long repositoryPermissions) { + return Permissions.NAMESPACE_MANAGEMENT == repositoryPermissions; + } + }; + } + + @Nonnull + @Override + public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) { + return (isSupported(tree)) ? new TestTreePermission(tree.getPath()) : TreePermission.EMPTY; + } + + @Override + public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) { + return isSupported(tree) && property == null && permissions == Permissions.READ_NODE; + } + + @Override + public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) { + Tree tree = root.getTree(oakPath); + return tree.exists() && isSupported(tree) && Session.ACTION_READ.equals(jcrActions); + } + + //---------------------------------------< AggregatedPermissionProvider >--- + @Nonnull + @Override + public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) { + if (supportsAll) { + return (privilegeBits == null) ? new PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL) : privilegeBits; + } else { + PrivilegeBits supported; + if (tree == null) { + supported = PrivilegeBits.BUILT_IN.get(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT); + } else if (isSupportedPath(tree.getPath())) { + supported = PrivilegeBits.BUILT_IN.get(PrivilegeConstants.REP_READ_NODES); + } else { + supported = PrivilegeBits.EMPTY; + } + + if (privilegeBits != null && !supported.isEmpty()) { + return PrivilegeBits.getInstance(privilegeBits).retain(supported); + } else { + return supported; + } + } + } + + @Override + public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions) { + if (supportsAll) { + return permissions; + } else { + if (tree == null) { + return permissions & Permissions.NAMESPACE_MANAGEMENT; + } else if (isSupportedPath(tree.getPath())) { + return permissions & Permissions.READ_NODE; + } else { + return Permissions.NO_PERMISSION; + } + } + } + + @Override + public long supportedPermissions(@Nonnull TreeLocation location, long permissions) { + if (supportsAll) { + return permissions; + } else if (isSupportedPath(location.getPath())) { + return permissions & Permissions.READ_NODE; + } else { + return Permissions.NO_PERMISSION; + } + } + + @Override + public long supportedPermissions(@Nonnull TreePermission treePermission, long permissions) { + if (supportsAll) { + return permissions; + } else if (isSupportedPath(((TestTreePermission) treePermission).path)) { + return permissions & Permissions.READ_NODE; + } else { + return Permissions.NO_PERMISSION; + } + } + + @Override + public boolean isGranted(@Nonnull TreeLocation location, long permissions) { + if (supportsAll) { + return permissions == Permissions.READ_NODE; + } else if (isSupportedPath(location.getPath())) { + return permissions == Permissions.READ_NODE; + } else { + return false; + } + } + + //-------------------------------------------------------------------------- + private boolean isSupported(@Nonnull Tree tree) { + return supportsAll || isSupportedPath(tree.getPath()); + } + + private boolean isSupportedPath(@Nonnull String path) { + return Text.isDescendantOrEqual(AbstractCompositeProviderTest.TEST_A_PATH, path); + } + + private final class TestTreePermission implements TreePermission { + + private final String path; + + private TestTreePermission(@Nonnull String path) { + this.path = path; + } + + @Nonnull + @Override + public TreePermission getChildPermission(@Nonnull String childName, @Nonnull NodeState childState) { + return new TestTreePermission(PathUtils.concat(path, childName)); + } + + @Override + public boolean canRead() { + return true; + } + + @Override + public boolean canRead(@Nonnull PropertyState property) { + return false; + } + + @Override + public boolean canReadAll() { + return false; + } + + @Override + public boolean canReadProperties() { + return false; + } + + @Override + public boolean isGranted(long permissions) { + return Permissions.READ_NODE == permissions; + } + + @Override + public boolean isGranted(long permissions, @Nonnull PropertyState property) { + return false; + } + } +} \ No newline at end of file
