Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java?rev=1708563&r1=1708562&r2=1708563&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java (original) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java Wed Oct 14 09:02:49 2015 @@ -36,12 +36,9 @@ import org.apache.jackrabbit.oak.spi.sec import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; -import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; -import org.apache.jackrabbit.util.Text; import org.junit.Test; import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertTrue; /** @@ -89,15 +86,15 @@ public class CompositeProviderEmptyTest for (String p : NODE_PATHS) { Tree tree = root.getTree(p); - assertFalse(cpp.hasPrivileges(tree, PrivilegeConstants.JCR_READ)); - assertFalse(cpp.hasPrivileges(tree, PrivilegeConstants.JCR_WRITE)); - assertFalse(cpp.hasPrivileges(tree, PrivilegeConstants.REP_READ_NODES)); + assertFalse(cpp.hasPrivileges(tree, JCR_READ)); + assertFalse(cpp.hasPrivileges(tree, JCR_WRITE)); + assertFalse(cpp.hasPrivileges(tree, REP_READ_NODES)); } } @Test public void testHasPrivilegesOnRepo() throws Exception { - assertFalse(cpp.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT)); + assertFalse(cpp.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT)); } @@ -105,22 +102,24 @@ public class CompositeProviderEmptyTest public void testIsGranted() throws Exception { for (String p : NODE_PATHS) { Tree tree = root.getTree(p); - PropertyState ps = tree.getProperty(JcrConstants.JCR_PRIMARYTYPE); assertFalse(cpp.isGranted(tree, null, Permissions.READ_NODE)); - assertFalse(cpp.isGranted(tree, ps, Permissions.READ_PROPERTY)); - assertFalse(cpp.isGranted(tree, null, Permissions.READ_NODE | Permissions.MODIFY_CHILD_NODE_COLLECTION)); - assertFalse(cpp.isGranted(tree, ps, Permissions.MODIFY_PROPERTY)); - assertFalse(cpp.isGranted(tree, null, Permissions.READ_ACCESS_CONTROL | Permissions.MODIFY_ACCESS_CONTROL)); - assertFalse(cpp.isGranted(tree, ps, Permissions.READ_ACCESS_CONTROL | Permissions.MODIFY_ACCESS_CONTROL)); } } @Test public void testIsGrantedProperty() throws Exception { - // TODO + for (String p : NODE_PATHS) { + Tree tree = root.getTree(p); + + assertFalse(cpp.isGranted(tree, PROPERTY_STATE, Permissions.READ_PROPERTY)); + assertFalse(cpp.isGranted(tree, PROPERTY_STATE, Permissions.MODIFY_PROPERTY)); + assertFalse(cpp.isGranted(tree, PROPERTY_STATE, Permissions.ADD_PROPERTY)); + assertFalse(cpp.isGranted(tree, PROPERTY_STATE, Permissions.REMOVE_PROPERTY)); + assertFalse(cpp.isGranted(tree, PROPERTY_STATE, Permissions.READ_ACCESS_CONTROL | Permissions.MODIFY_ACCESS_CONTROL)); + } } @Test @@ -132,7 +131,7 @@ public class CompositeProviderEmptyTest assertFalse(cpp.isGranted(nodePath, Session.ACTION_REMOVE)); assertFalse(cpp.isGranted(propPath, JackrabbitSession.ACTION_MODIFY_PROPERTY)); - assertFalse(cpp.isGranted(nodePath, Text.implode(new String[] {JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL, JackrabbitSession.ACTION_READ_ACCESS_CONTROL}, ","))); + assertFalse(cpp.isGranted(nodePath, getActionString(JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL, JackrabbitSession.ACTION_READ_ACCESS_CONTROL))); assertFalse(cpp.isGranted(nonExisting, JackrabbitSession.ACTION_ADD_PROPERTY)); assertFalse(cpp.isGranted(nonExisting, Session.ACTION_ADD_NODE)); } @@ -146,32 +145,59 @@ public class CompositeProviderEmptyTest } @Test - public void testGetTreePermission() throws Exception { - TreePermission rootPermission = assertTreePermission(root.getTree("/"), TreePermission.EMPTY); - TreePermission testPermission = assertTreePermission(root.getTree(TEST_PATH), rootPermission); - assertTreePermission(root.getTree(TEST_CHILD_PATH), testPermission); + public void testTreePermissionIsGranted() throws Exception { + TreePermission parentPermission = TreePermission.EMPTY; + + for (String path : TP_PATHS) { + TreePermission tp = cpp.getTreePermission(root.getTree(path), parentPermission); + + assertFalse(tp.isGranted(Permissions.READ_NODE)); + assertFalse(tp.isGranted(Permissions.REMOVE_NODE)); + assertFalse(tp.isGranted(Permissions.ALL)); + + + parentPermission = tp; + } + } + + @Test + public void testTreePermissionIsGrantedProperty() throws Exception { + TreePermission parentPermission = TreePermission.EMPTY; + + for (String path : TP_PATHS) { + TreePermission tp = cpp.getTreePermission(root.getTree(path), parentPermission); + + assertFalse(tp.isGranted(Permissions.READ_PROPERTY, PROPERTY_STATE)); + assertFalse(tp.isGranted(Permissions.REMOVE_PROPERTY, PROPERTY_STATE)); + + parentPermission = tp; + } } - private TreePermission assertTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) { - PropertyState ps = tree.getProperty(JcrConstants.JCR_PRIMARYTYPE); - assertNotNull(ps); + @Test + public void testTreePermissionCanRead() throws Exception { + TreePermission parentPermission = TreePermission.EMPTY; - TreePermission treePermission = cpp.getTreePermission(tree, parentPermission); + for (String path : TP_PATHS) { + Tree t = root.getTree(path); + TreePermission tp = cpp.getTreePermission(t, parentPermission); + assertFalse(tp.canRead()); - assertFalse(treePermission.isGranted(Permissions.ALL)); - assertFalse(treePermission.isGranted(Permissions.READ_NODE)); - assertFalse(treePermission.isGranted(Permissions.REMOVE_NODE)); - assertFalse(treePermission.isGranted(Permissions.REMOVE_NODE)); + parentPermission = tp; + } + } - assertFalse(treePermission.isGranted(Permissions.READ_PROPERTY, ps)); - assertFalse(treePermission.isGranted(Permissions.REMOVE_PROPERTY, ps)); + @Test + public void testTreePermissionCanReadProperty() throws Exception { + TreePermission parentPermission = TreePermission.EMPTY; - assertFalse(treePermission.canRead()); - assertFalse(treePermission.canRead(ps)); - assertFalse(treePermission.canReadAll()); - assertFalse(treePermission.canReadProperties()); + for (String path : TP_PATHS) { + Tree t = root.getTree(path); + TreePermission tp = cpp.getTreePermission(t, parentPermission); + assertFalse(tp.canRead(PROPERTY_STATE)); - return treePermission; + parentPermission = tp; + } } /** @@ -229,7 +255,7 @@ public class CompositeProviderEmptyTest @Nonnull @Override public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) { - return (privilegeBits == null) ? new PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL) : privilegeBits; + return (privilegeBits == null) ? new PrivilegeBitsProvider(root).getBits(JCR_ALL) : privilegeBits; } @Override @@ -243,7 +269,7 @@ public class CompositeProviderEmptyTest } @Override - public long supportedPermissions(@Nonnull TreePermission treePermission, long permissions) { + public long supportedPermissions(@Nonnull TreePermission treePermission, @Nullable PropertyState propertyState, long permissions) { return permissions; } @@ -251,5 +277,5 @@ public class CompositeProviderEmptyTest public boolean isGranted(@Nonnull TreeLocation location, long permissions) { return false; } - }; + } } \ No newline at end of file
Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeReverseTest.java (from r1708292, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedReverseTest.java) URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeReverseTest.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeReverseTest.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedReverseTest.java&r1=1708292&r2=1708563&rev=1708563&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedReverseTest.java (original) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeReverseTest.java Wed Oct 14 09:02:49 2015 @@ -17,10 +17,10 @@ package org.apache.jackrabbit.oak.security.authorization.composite; /** - * Same as {@link CompositeProviderLimitedTest} + * Same as {@link CompositeProviderFullScopeTest} * with reverse order of the aggregated providers. */ -public class CompositeProviderLimitedReverseTest extends CompositeProviderLimitedTest { +public class CompositeProviderFullScopeReverseTest extends CompositeProviderFullScopeTest { @Override boolean reverseOrder() { Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeTest.java (from r1708292, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java) URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeTest.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeTest.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java&r1=1708292&r2=1708563&rev=1708563&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java (original) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeTest.java Wed Oct 14 09:02:49 2015 @@ -16,12 +16,28 @@ */ package org.apache.jackrabbit.oak.security.authorization.composite; +import java.util.Map; +import java.util.Set; + +import javax.jcr.Session; + +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; +import org.apache.jackrabbit.api.JackrabbitSession; +import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.commons.PathUtils; +import org.apache.jackrabbit.oak.plugins.tree.TreeLocation; import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; import org.junit.Test; +import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; @@ -38,7 +54,7 @@ import static org.junit.Assert.assertTru * but has no other access granted * - admin user can only read nodes and register namespaces */ -public class CompositeProviderLimitedTest extends AbstractCompositeProviderTest { +public class CompositeProviderFullScopeTest extends AbstractCompositeProviderTest { private CompositePermissionProvider cppTestUser; private CompositePermissionProvider cppAdminUser; @@ -53,31 +69,205 @@ public class CompositeProviderLimitedTes @Override protected AggregatedPermissionProvider getTestPermissionProvider() { - return new TestPermissionProvider(root, true); + return new FullScopeProvider(root); } @Test public void testGetPrivileges() throws Exception { - // TODO + PrivilegeBitsProvider pbp = new PrivilegeBitsProvider(root); + PrivilegeBits readNodes = pbp.getBits(REP_READ_NODES); + Set<String> expected = ImmutableSet.of(REP_READ_NODES); + + for (String path : defPrivileges.keySet()) { + Set<String> defaultPrivs = defPrivileges.get(path); + Tree tree = root.getTree(path); + + Set<String> privNames = cppTestUser.getPrivileges(tree); + if (pbp.getBits(defaultPrivs).includes(readNodes)) { + assertEquals(expected, privNames); + } else { + assertTrue(privNames.isEmpty()); + } + } + } + + @Test + public void testGetPrivilegesAdmin() throws Exception { + PrivilegeBitsProvider pbp = new PrivilegeBitsProvider(root); + Set<String> expected = ImmutableSet.of(REP_READ_NODES); + + for (String path : NODE_PATHS) { + Tree tree = root.getTree(path); + assertEquals(expected, cppAdminUser.getPrivileges(tree)); + } + } + + @Test + public void testGetPrivilegesOnRepo() throws Exception { + Set<String> expected = ImmutableSet.of(JCR_NAMESPACE_MANAGEMENT); + assertEquals(expected, cppTestUser.getPrivileges(null)); } + @Test + public void testGetPrivilegesOnRepoAdmin() throws Exception { + Set<String> expected = ImmutableSet.of(JCR_NAMESPACE_MANAGEMENT); + assertEquals(expected, cppAdminUser.getPrivileges(null)); + } @Test public void testHasPrivileges() throws Exception { - // TODO + PrivilegeBitsProvider pbp = new PrivilegeBitsProvider(root); + PrivilegeBits readNodes = pbp.getBits(REP_READ_NODES); + + for (String path : defPrivileges.keySet()) { + Set<String> defaultPrivs = defPrivileges.get(path); + PrivilegeBits defaultBits = pbp.getBits(defaultPrivs); + Tree tree = root.getTree(path); + + if (defaultPrivs.isEmpty()) { + assertFalse(path, cppTestUser.hasPrivileges(tree, REP_READ_NODES)); + } else if (defaultBits.includes(readNodes)) { + assertTrue(path, cppTestUser.hasPrivileges(tree, REP_READ_NODES)); + if (!readNodes.equals(defaultBits)) { + assertFalse(path, cppTestUser.hasPrivileges(tree, defaultPrivs.toArray(new String[defaultPrivs.size()]))); + } + } else { + assertFalse(path, cppTestUser.hasPrivileges(tree, REP_READ_NODES)); + assertFalse(path, cppTestUser.hasPrivileges(tree, defaultPrivs.toArray(new String[defaultPrivs.size()]))); + } + } } + @Test + public void testHasPrivilegesAdmin() throws Exception { + for (String path : NODE_PATHS) { + Tree tree = root.getTree(path); + + assertTrue(cppAdminUser.hasPrivileges(tree, REP_READ_NODES)); + + assertFalse(cppAdminUser.hasPrivileges(tree, JCR_READ)); + assertFalse(cppAdminUser.hasPrivileges(tree, JCR_ALL)); + assertFalse(cppAdminUser.hasPrivileges(tree, JCR_WRITE)); + assertFalse(cppAdminUser.hasPrivileges(tree, REP_READ_NODES, REP_READ_PROPERTIES)); + assertFalse(cppAdminUser.hasPrivileges(tree, JCR_MODIFY_PROPERTIES)); + assertFalse(cppAdminUser.hasPrivileges(tree, JCR_LOCK_MANAGEMENT)); + } + } + + @Test + public void testHasPrivilegesOnRepo() throws Exception { + assertTrue(cppTestUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT)); + + assertFalse(cppTestUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); + assertFalse(cppTestUser.hasPrivileges(null, JCR_ALL)); + + assertTrue(cppTestUser.hasPrivileges(null)); + } + + @Test + public void testHasPrivilegeOnRepoAdmin() throws Exception { + assertTrue(cppAdminUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT)); + + assertFalse(cppAdminUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); + assertFalse(cppAdminUser.hasPrivileges(null, JCR_ALL)); + + assertTrue(cppAdminUser.hasPrivileges(null)); + } @Test public void testIsGranted() throws Exception { - // TODO + for (String p : defPermissions.keySet()) { + long defaultPerms = defPermissions.get(p); + Tree tree = root.getTree(p); + + if (Permissions.READ_NODE != defaultPerms) { + assertFalse(p, cppTestUser.isGranted(tree, null, defaultPerms)); + } + + boolean expectedReadNode = Permissions.includes(defaultPerms, Permissions.READ_NODE); + assertEquals(p, expectedReadNode, cppTestUser.isGranted(tree, null, Permissions.READ_NODE)); + } + } + + @Test + public void testIsGrantedAdmin() throws Exception { + for (String p : NODE_PATHS) { + Tree tree = root.getTree(p); + + assertTrue(p, cppAdminUser.isGranted(tree, null, Permissions.READ_NODE)); + + assertFalse(p, cppAdminUser.isGranted(tree, null, Permissions.READ)); + assertFalse(p, cppAdminUser.isGranted(tree, null, Permissions.WRITE)); + assertFalse(p, cppAdminUser.isGranted(tree, null, Permissions.ALL)); + } + } + + @Test + public void testIsGrantedProperty() throws Exception { + for (String p : NODE_PATHS) { + Tree tree = root.getTree(p); + + assertFalse(p, cppTestUser.isGranted(tree, PROPERTY_STATE, Permissions.READ_PROPERTY)); + assertFalse(p, cppTestUser.isGranted(tree, PROPERTY_STATE, Permissions.SET_PROPERTY)); + } + } + + @Test + public void testIsGrantedPropertyAdmin() throws Exception { + for (String p : NODE_PATHS) { + Tree tree = root.getTree(p); + + assertFalse(p, cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.READ_PROPERTY)); + assertFalse(p, cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.SET_PROPERTY)); + assertFalse(p, cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ALL)); + } } @Test public void testIsGrantedAction() throws Exception { - // TODO + for (String p : defActionsGranted.keySet()) { + String[] actions = defActionsGranted.get(p); + + if (ImmutableList.copyOf(actions).contains(Session.ACTION_READ)) { + TreeLocation tl = TreeLocation.create(root, p); + assertEquals(p, tl.getTree() != null, cppTestUser.isGranted(p, Session.ACTION_READ)); + } else { + assertFalse(p, cppTestUser.isGranted(p, Session.ACTION_READ)); + } + + if (actions.length > 1) { + assertFalse(p, cppTestUser.isGranted(p, getActionString(actions))); + } + } + } + + @Test + public void testIsGrantedAction2() throws Exception { + Map<String, String[]> noAccess = ImmutableMap.<String, String[]>builder(). + put(ROOT_PATH, new String[]{Session.ACTION_READ}). + put(ROOT_PATH + "jcr:primaryType", new String[]{Session.ACTION_READ, Session.ACTION_SET_PROPERTY}). + put("/nonexisting", new String[]{Session.ACTION_READ, Session.ACTION_ADD_NODE}). + put(TEST_PATH_2, new String[]{Session.ACTION_READ, Session.ACTION_REMOVE}). + put(TEST_PATH_2 + "/jcr:primaryType", new String[]{Session.ACTION_READ, Session.ACTION_SET_PROPERTY}). + put(TEST_A_B_C_PATH, new String[]{Session.ACTION_READ, Session.ACTION_REMOVE}). + put(TEST_A_B_C_PATH + "/noneExisting", new String[]{Session.ACTION_READ, JackrabbitSession.ACTION_REMOVE_NODE}). + put(TEST_A_B_C_PATH + "/jcr:primaryType", new String[]{JackrabbitSession.ACTION_REMOVE_PROPERTY}).build(); + + for (String p : noAccess.keySet()) { + assertFalse(p, cppTestUser.isGranted(p, getActionString(noAccess.get(p)))); + } + } + + @Test + public void testIsGrantedActionAdmin() throws Exception { + for (String p : defActionsGranted.keySet()) { + boolean expectedRead = root.getTree(p).exists(); + assertEquals(p, expectedRead, cppAdminUser.isGranted(p, Session.ACTION_READ)); + assertFalse(p, cppAdminUser.isGranted(p, getActionString(ALL_ACTIONS))); + } } + @Test public void testRepositoryPermissionIsGranted() throws Exception { RepositoryPermission rp = cppTestUser.getRepositoryPermission(); @@ -100,7 +290,90 @@ public class CompositeProviderLimitedTes } @Test - public void testGetTreePermission() throws Exception { - // TODO + public void testTreePermissionIsGranted() throws Exception { + TreePermission parentPermission = TreePermission.EMPTY; + + for (String path : TP_PATHS) { + TreePermission tp = cppTestUser.getTreePermission(root.getTree(path), parentPermission); + Long toTest = (defPermissions.containsKey(path)) ? defPermissions.get(path) : defPermissions.get(PathUtils.getAncestorPath(path, 1)); + if (toTest != null) { + if (Permissions.READ_NODE == toTest) { + assertTrue(path, tp.isGranted(toTest)); + } else { + boolean canRead = Permissions.includes(toTest, Permissions.READ_NODE); + assertEquals(path, canRead, tp.isGranted(Permissions.READ_NODE)); + assertFalse(path, tp.isGranted(toTest)); + } + } + parentPermission = tp; + } + } + + @Test + public void testTreePermissionIsGrantedProperty() throws Exception { + TreePermission parentPermission = TreePermission.EMPTY; + + for (String path : TP_PATHS) { + TreePermission tp = cppTestUser.getTreePermission(root.getTree(path), parentPermission); + Long toTest = (defPermissions.containsKey(path)) ? defPermissions.get(path) : defPermissions.get(PathUtils.getAncestorPath(path, 1)); + if (toTest != null) { + boolean granted = (toTest == Permissions.READ_NODE); + assertEquals(path, granted, tp.isGranted(toTest, PROPERTY_STATE)); + } + assertFalse(tp.isGranted(Permissions.READ_PROPERTY, PROPERTY_STATE)); + parentPermission = tp; + } + } + + @Test + public void testTreePermissionCanRead() throws Exception { + Map<String, Boolean> readMap = ImmutableMap.<String, Boolean>builder(). + put(ROOT_PATH, false). + put(TEST_PATH, true). + put(TEST_A_PATH, true). + put(TEST_A_B_PATH, true). + put(TEST_A_B_C_PATH, false). + put(TEST_A_B_C_PATH + "/nonexisting", false). + build(); + + TreePermission parentPermission = TreePermission.EMPTY; + for (String nodePath : readMap.keySet()) { + Tree tree = root.getTree(nodePath); + TreePermission tp = cppTestUser.getTreePermission(tree, parentPermission); + + boolean expectedResult = readMap.get(nodePath); + assertEquals(nodePath, expectedResult, tp.canRead()); + + parentPermission = tp; + } + } + + @Test + public void testTreePermissionCanReadProperty() throws Exception { + TreePermission parentPermission = TreePermission.EMPTY; + for (String nodePath : TP_PATHS) { + Tree tree = root.getTree(nodePath); + + TreePermission tp = cppTestUser.getTreePermission(tree, parentPermission); + assertFalse(nodePath, tp.canRead(PROPERTY_STATE)); + + parentPermission = tp; + } + } + + @Test + public void testTreePermissionCanReadAdmin() { + TreePermission parentPermission = TreePermission.EMPTY; + + for (String nodePath : TP_PATHS) { + Tree tree = root.getTree(nodePath); + + TreePermission tp = cppAdminUser.getTreePermission(tree, parentPermission); + + assertTrue(nodePath, tp.canRead()); + assertFalse(nodePath, tp.canRead(PROPERTY_STATE)); + + parentPermission = tp; + } } } \ No newline at end of file Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java?rev=1708563&r1=1708562&r2=1708563&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java (original) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java Wed Oct 14 09:02:49 2015 @@ -16,16 +16,22 @@ */ package org.apache.jackrabbit.oak.security.authorization.composite; +import java.lang.reflect.Field; import java.security.Principal; +import java.util.List; +import java.util.Map; import java.util.Set; -import javax.annotation.Nonnull; -import javax.annotation.Nullable; +import javax.jcr.Session; +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; +import org.apache.jackrabbit.api.JackrabbitSession; import org.apache.jackrabbit.oak.api.ContentSession; -import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; -import org.apache.jackrabbit.oak.plugins.tree.TreeLocation; +import org.apache.jackrabbit.oak.commons.PathUtils; +import org.apache.jackrabbit.oak.plugins.tree.RootFactory; +import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree; import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; @@ -33,11 +39,11 @@ import org.apache.jackrabbit.oak.spi.sec import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission; import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; -import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; -import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; +import org.apache.jackrabbit.oak.spi.state.NodeState; import org.junit.Test; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; /** @@ -49,7 +55,8 @@ import static org.junit.Assert.assertTru * The tests are executed both for the set of principals associated with the test * user and with the admin session. * The expected outcome is that the composite provider behaves exactly like the - * default provider (i.e. is never respected during evaluation). + * default provider (i.e. the {@code NotSupportingProvider} is never respected + * during evaluation). * * While there is no real use in such a {@link AggregatedPermissionProvider}, that * is never called, is is used here to verify that the composite provider doesn't @@ -81,7 +88,7 @@ public class CompositeProviderNoScopeTes @Override protected AggregatedPermissionProvider getTestPermissionProvider() { - return new NotSupportingProvider(); + return new NoScopeProvider(); } @Test @@ -97,7 +104,7 @@ public class CompositeProviderNoScopeTes @Test public void testGetPrivilegesAdmin() throws Exception { - Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_ALL); + Set<String> expected = ImmutableSet.of(JCR_ALL); for (String p : NODE_PATHS) { Tree tree = root.getTree(p); @@ -108,7 +115,7 @@ public class CompositeProviderNoScopeTes @Test public void testGetPrivilegesOnRepo() throws Exception { - Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT); + Set<String> expected = ImmutableSet.of(JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT); assertEquals(expected, cppTestUser.getPrivileges(null)); assertEquals(defTestUser.getPrivileges(null), cppTestUser.getPrivileges(null)); @@ -116,7 +123,7 @@ public class CompositeProviderNoScopeTes @Test public void testGetPrivilegesOnRepoAdmin() throws Exception { - Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_ALL); + Set<String> expected = ImmutableSet.of(JCR_ALL); assertEquals(expected, cppAdminUser.getPrivileges(null)); assertEquals(defAdminUser.getPrivileges(null), cppAdminUser.getPrivileges(null)); @@ -140,38 +147,29 @@ public class CompositeProviderNoScopeTes for (String p : NODE_PATHS) { Tree tree = root.getTree(p); - assertTrue(p, cppAdminUser.hasPrivileges(tree, PrivilegeConstants.JCR_ALL)); - assertEquals(p, defAdminUser.hasPrivileges(tree, PrivilegeConstants.JCR_ALL), cppAdminUser.hasPrivileges(tree, PrivilegeConstants.JCR_ALL)); + assertTrue(p, cppAdminUser.hasPrivileges(tree, JCR_ALL)); + assertTrue(p, defAdminUser.hasPrivileges(tree, JCR_ALL)); } } @Test public void testHasPrivilegesOnRepo() throws Exception { - assertTrue(cppTestUser.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); - assertEquals( - defTestUser.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT), - cppTestUser.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); + assertTrue(cppTestUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); + assertTrue(defTestUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); assertTrue(cppTestUser.hasPrivileges(null)); - assertEquals( - defTestUser.hasPrivileges(null), - cppTestUser.hasPrivileges(null)); + assertTrue(defTestUser.hasPrivileges(null)); } @Test public void testHasPrivilegeOnRepoAdminUser() throws Exception { - assertTrue(cppAdminUser.hasPrivileges(null, PrivilegeConstants.JCR_ALL)); - assertEquals( - defAdminUser.hasPrivileges(null, PrivilegeConstants.JCR_ALL), - cppAdminUser.hasPrivileges(null, PrivilegeConstants.JCR_ALL)); + assertTrue(cppAdminUser.hasPrivileges(null, JCR_ALL)); + assertTrue(defAdminUser.hasPrivileges(null, JCR_ALL)); assertTrue(cppAdminUser.hasPrivileges(null)); - assertEquals( - defAdminUser.hasPrivileges(null), - cppAdminUser.hasPrivileges(null)); + assertTrue(defAdminUser.hasPrivileges(null)); } - @Test public void testIsGranted() throws Exception { for (String p : defPermissions.keySet()) { @@ -179,7 +177,7 @@ public class CompositeProviderNoScopeTes Tree tree = root.getTree(p); assertTrue(p, cppTestUser.isGranted(tree, null, expected)); - assertEquals(p, defTestUser.isGranted(tree, null, expected), cppTestUser.isGranted(tree, null, expected)); + assertTrue(p, defTestUser.isGranted(tree, null, expected)); } } @@ -189,18 +187,66 @@ public class CompositeProviderNoScopeTes Tree tree = root.getTree(p); assertTrue(p, cppAdminUser.isGranted(tree, null, Permissions.ALL)); - assertEquals(p, defAdminUser.isGranted(tree, null, Permissions.ALL), cppAdminUser.isGranted(tree, null, Permissions.ALL)); + assertTrue(p, defAdminUser.isGranted(tree, null, Permissions.ALL)); } } @Test public void testIsGrantedProperty() throws Exception { - // TODO + for (String p : defPermissions.keySet()) { + long expected = defPermissions.get(p); + Tree tree = root.getTree(p); + + assertTrue(p, cppTestUser.isGranted(tree, PROPERTY_STATE, expected)); + assertTrue(p, defTestUser.isGranted(tree, PROPERTY_STATE, expected)); + } + } + + @Test + public void testIsGrantedPropertyAdmin() throws Exception { + for (String p : defPermissions.keySet()) { + Tree tree = root.getTree(p); + + assertTrue(p, cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ALL)); + assertTrue(p, defAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ALL)); + } } @Test public void testIsGrantedAction() throws Exception { - // TODO + for (String p : defActionsGranted.keySet()) { + String actions = getActionString(defActionsGranted.get(p)); + assertTrue(p + " : " + actions, cppTestUser.isGranted(p, actions)); + assertTrue(p + " : " + actions, defTestUser.isGranted(p, actions)); + } + } + + @Test + public void testIsGrantedAction2() throws Exception { + Map<String, String[]> noAccess = ImmutableMap.<String, String[]>builder(). + put(ROOT_PATH, new String[] {Session.ACTION_READ}). + put(ROOT_PATH + "jcr:primaryType", new String[] {Session.ACTION_READ, Session.ACTION_SET_PROPERTY}). + put("/nonexisting", new String[] {Session.ACTION_READ, Session.ACTION_ADD_NODE}). + put(TEST_PATH_2, new String[] {Session.ACTION_READ, Session.ACTION_REMOVE}). + put(TEST_PATH_2 + "/jcr:primaryType", new String[] {Session.ACTION_READ, Session.ACTION_SET_PROPERTY}). + put(TEST_A_B_C_PATH, new String[] {Session.ACTION_READ, Session.ACTION_REMOVE}). + put(TEST_A_B_C_PATH + "/noneExisting", new String[] {Session.ACTION_READ, JackrabbitSession.ACTION_REMOVE_NODE}). + put(TEST_A_B_C_PATH + "/jcr:primaryType", new String[] {JackrabbitSession.ACTION_REMOVE_PROPERTY}).build(); + + for (String p : noAccess.keySet()) { + String actions = getActionString(noAccess.get(p)); + assertFalse(p, cppTestUser.isGranted(p, actions)); + assertFalse(p, defTestUser.isGranted(p, actions)); + } + } + + @Test + public void testIsGrantedActionAdmin() throws Exception { + String allActions = getActionString(ALL_ACTIONS); + for (String p : defActionsGranted.keySet()) { + assertTrue(p + " : " + allActions, cppAdminUser.isGranted(p, allActions)); + assertTrue(p + " : " + allActions, defAdminUser.isGranted(p, allActions)); + } } @Test @@ -220,75 +266,126 @@ public class CompositeProviderNoScopeTes } @Test - public void testGetTreePermission() throws Exception { - // TODO + public void testTreePermissionIsGranted() throws Exception { + TreePermission parentPermission = TreePermission.EMPTY; + + for (String path : TP_PATHS) { + TreePermission tp = cppTestUser.getTreePermission(root.getTree(path), parentPermission); + Long toTest = (defPermissions.containsKey(path)) ? defPermissions.get(path) : defPermissions.get(PathUtils.getAncestorPath(path, 1)); + if (toTest != null) { + assertTrue(tp.isGranted(toTest)); + } + parentPermission = tp; + } } - private static final class NotSupportingProvider implements AggregatedPermissionProvider { + @Test + public void testTreePermissionIsGrantedProperty() throws Exception { + TreePermission parentPermission = TreePermission.EMPTY; - @Nonnull - @Override - public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) { - return PrivilegeBits.EMPTY; + for (String path : TP_PATHS) { + TreePermission tp = cppTestUser.getTreePermission(root.getTree(path), parentPermission); + Long toTest = (defPermissions.containsKey(path)) ? defPermissions.get(path) : defPermissions.get(PathUtils.getAncestorPath(path, 1)); + if (toTest != null) { + assertTrue(tp.isGranted(toTest, PROPERTY_STATE)); + } + parentPermission = tp; } + } - @Override - public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions) { - return Permissions.NO_PERMISSION; - } + @Test + public void testTreePermissionCanRead() throws Exception { + Map<String, Boolean> readMap = ImmutableMap.<String, Boolean>builder(). + put(ROOT_PATH, false). + put(TEST_PATH, true). + put(TEST_A_PATH, true). + put(TEST_A_B_PATH, true). + put(TEST_A_B_C_PATH, false). + put(TEST_A_B_C_PATH + "/nonexisting", false). + build(); - @Override - public long supportedPermissions(@Nonnull TreeLocation location, long permissions) { - return Permissions.NO_PERMISSION; - } + TreePermission parentPermission = TreePermission.EMPTY; + TreePermission parentPermission2 = TreePermission.EMPTY; + for (String nodePath : readMap.keySet()) { + Tree tree = root.getTree(nodePath); + TreePermission tp = cppTestUser.getTreePermission(tree, parentPermission); + TreePermission tp2 = defTestUser.getTreePermission(tree, parentPermission2); - @Override - public long supportedPermissions(@Nonnull TreePermission treePermission, long permissions) { - return Permissions.NO_PERMISSION; - } + boolean expectedResult = readMap.get(nodePath); + assertEquals(nodePath, expectedResult, tp.canRead()); + assertEquals(nodePath + "(default)", expectedResult, tp2.canRead()); - @Override - public boolean isGranted(@Nonnull TreeLocation location, long permissions) { - throw new UnsupportedOperationException("should never get here"); + parentPermission = tp; + parentPermission2 = tp2; } + } - @Override - public void refresh() { - // nop - } + @Test + public void testTreePermissionCanReadProperty() throws Exception { + Map<String, Boolean> readMap = ImmutableMap.<String, Boolean>builder(). + put(ROOT_PATH, false). + put(TEST_PATH, true). + put(TEST_A_PATH, true). + put(TEST_A_B_PATH, true). + put(TEST_A_B_C_PATH, true). + put(TEST_A_B_C_PATH + "/nonexisting", true). + build(); - @Nonnull - @Override - public Set<String> getPrivileges(@Nullable Tree tree) { - throw new UnsupportedOperationException("should never get here"); - } + TreePermission parentPermission = TreePermission.EMPTY; + TreePermission parentPermission2 = TreePermission.EMPTY; + for (String nodePath : readMap.keySet()) { + Tree tree = root.getTree(nodePath); - @Override - public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) { - throw new UnsupportedOperationException("should never get here"); - } + TreePermission tp = cppTestUser.getTreePermission(tree, parentPermission); + TreePermission tp2 = defTestUser.getTreePermission(tree, parentPermission2); - @Nonnull - @Override - public RepositoryPermission getRepositoryPermission() { - throw new UnsupportedOperationException("should never get here"); - } + boolean expectedResult = readMap.get(nodePath); + assertEquals(nodePath, expectedResult, tp.canRead(PROPERTY_STATE)); + assertEquals(nodePath + "(default)", expectedResult, tp2.canRead(PROPERTY_STATE)); - @Nonnull - @Override - public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) { - // TODO: fix such that this is no required - return TreePermission.EMPTY; + parentPermission = tp; + parentPermission2 = tp2; } + } - @Override - public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) { - throw new UnsupportedOperationException("should never get here"); + @Test + public void testTreePermissionCanReadAdmin() { + TreePermission parentPermission = TreePermission.EMPTY; + TreePermission parentPermission2 = TreePermission.EMPTY; + + for (String nodePath : TP_PATHS) { + Tree tree = root.getTree(nodePath); + + TreePermission tp = cppAdminUser.getTreePermission(tree, parentPermission); + TreePermission tp2 = defAdminUser.getTreePermission(tree, parentPermission2); + + assertTrue(nodePath, tp.canRead()); + assertTrue(nodePath, tp.canRead(PROPERTY_STATE)); + + assertTrue(nodePath + "(default)", tp2.canRead()); + assertTrue(nodePath + "(default)", tp2.canRead(PROPERTY_STATE)); + + parentPermission = tp; + parentPermission2 = tp2; } + } + + @Test + public void testTreePermissionMapSize() throws Exception { + Field mapField = CompositeTreePermission.class.getDeclaredField("map"); + mapField.setAccessible(true); + + + NodeState ns = ((ImmutableTree) RootFactory.createReadOnlyRoot(root).getTree(ROOT_PATH)).getNodeState(); + TreePermission tp = cppTestUser.getTreePermission(root.getTree(ROOT_PATH), TreePermission.EMPTY); + assertEquals(2, ((Map<AggregatedPermissionProvider, TreePermission>) mapField.get(tp)).size()); + + List<String> childNames = ImmutableList.of("test", "a", "b", "c", "nonexisting"); + for (String cName : childNames) { + ns = ns.getChildNode(cName); + tp = tp.getChildPermission(cName, ns); - @Override - public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) { - throw new UnsupportedOperationException("should never get here"); + assertEquals(1, ((Map<AggregatedPermissionProvider, TreePermission>) mapField.get(tp)).size()); } } } \ No newline at end of file Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java?rev=1708563&r1=1708562&r2=1708563&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java (original) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java Wed Oct 14 09:02:49 2015 @@ -16,99 +16,517 @@ */ package org.apache.jackrabbit.oak.security.authorization.composite; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import javax.jcr.Session; + +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Sets; +import org.apache.jackrabbit.api.JackrabbitSession; +import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.commons.PathUtils; +import org.apache.jackrabbit.oak.plugins.tree.TreeLocation; import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; import org.junit.Test; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; /** * Test the effect of the combination of * * - default permission provider - * - custom provider that only supports namespace-management permission on repository level - * and within the regular tree only supports permission evaluation of a limited - * set of permissions (write) below {@link #TEST_CHILD_PATH}. + * - custom provider that + * > supports namespace-management and nodetype-def-mgt permission on repository level + * > write permission below {@link #TEST_A_PATH}. * * The tests are executed both for the set of principals associated with the test * user and with the admin session. - * The expected outcome is that - * - the custom provider only takes effect below {@link #TEST_CHILD_PATH} and - * only for the supported permissions (read-nodes only). - * - admin user has full access except for read-node-access below {@link #TEST_CHILD_PATH} - * where the custom provider impacts the evaluation. + * + * The expected outcome is that the custom provider only takes effect at the repo + * level. The effective permissions are the as defined for the default provider + * outside of the scope of the custom provider. + * + * At the repository level, the effective result is as follows: + * - admin has full access at repo-level without namespace management (which is denied) + * - test user has only nodetype-definition-mgt left as namespace management is + * denied by the custom provider. + * + * Below {@link #TEST_A_PATH} the effective result is as follows: + * - any permissions not covered by the custom provider are defined by the default + * - {@link Permissions#ADD_PROPERTY} and {@link Permissions#ADD_NODE} are denied + * for both admin and test user (due to deny in the custom provider) + * - the other aggregates of the write permission are allowed if the default + * provider allows them (different for admin and test user). + * + * All paths outside of the scope of the custom provider have the following + * characteristics: + * - admin has full access (all permissions granted) + * - effective permissions for the test user are define by the default setup. */ public class CompositeProviderScopeTest extends AbstractCompositeProviderTest { + private static List<String> PATH_OUTSIDE_SCOPE = ImmutableList.of(ROOT_PATH, TEST_PATH, TEST_CHILD_PATH); + private CompositePermissionProvider cppTestUser; private CompositePermissionProvider cppAdminUser; + private LimitedScopeProvider testProvider; + + private PrivilegeBitsProvider pbp; + private PrivilegeBits denied; + + @Override public void before() throws Exception { super.before(); cppTestUser = createPermissionProvider(getTestUser().getPrincipal(), EveryonePrincipal.getInstance()); cppAdminUser = createPermissionProvider(root.getContentSession().getAuthInfo().getPrincipals()); + + pbp = new PrivilegeBitsProvider(root); + denied = pbp.getBits(JCR_ADD_CHILD_NODES, REP_ADD_PROPERTIES); } @Override protected AggregatedPermissionProvider getTestPermissionProvider() { - return new TestPermissionProvider(root, false); + if (testProvider == null) { + testProvider = new LimitedScopeProvider(root); + } + return testProvider; } @Test public void testGetPrivileges() throws Exception { - // TODO + PrivilegeBitsProvider pbp = new PrivilegeBitsProvider(root); + + for (String path : defPrivileges.keySet()) { + Tree tree = root.getTree(path); + + Set<String> defaultPrivs = defPrivileges.get(path); + Set<String> privNames = cppTestUser.getPrivileges(tree); + + if (testProvider.isSupported(path)) { + PrivilegeBits expected = pbp.getBits(defaultPrivs).modifiable().diff(denied).unmodifiable(); + assertEquals(expected, pbp.getBits(privNames)); + } else { + assertEquals(path, defaultPrivs, privNames); + } + } + } + + @Test + public void testGetPrivilegesAdmin() throws Exception { + for (String path : NODE_PATHS) { + Tree tree = root.getTree(path); + Set<String> privNames = cppAdminUser.getPrivileges(tree); + + if (testProvider.isSupported(path)) { + PrivilegeBits expected = pbp.getBits(JCR_ALL).modifiable().diff(denied).unmodifiable(); + assertEquals(expected, pbp.getBits(privNames)); + } else { + assertEquals(path, ImmutableSet.of(JCR_ALL), privNames); + } + } + } + + @Test + public void testGetPrivilegesOnRepo() throws Exception { + Set<String> expected = ImmutableSet.of(JCR_NODE_TYPE_DEFINITION_MANAGEMENT); + assertEquals(expected, cppTestUser.getPrivileges(null)); + } + + @Test + public void testGetPrivilegesOnRepoAdmin() throws Exception { + PrivilegeBits expected = pbp.getBits(JCR_ALL).modifiable().diff(pbp.getBits(JCR_NAMESPACE_MANAGEMENT)).unmodifiable(); + assertEquals(expected, pbp.getBits(cppAdminUser.getPrivileges(null))); } @Test public void testHasPrivileges() throws Exception { - // TODO + for (String path : defPrivileges.keySet()) { + Set<String> defaultPrivs = defPrivileges.get(path); + PrivilegeBits defaultBits = pbp.getBits(defaultPrivs); + Tree tree = root.getTree(path); + + if (testProvider.isSupported(path)) { + Set<String> expected = pbp.getPrivilegeNames(pbp.getBits(defaultPrivs).modifiable().diff(denied)); + assertTrue(path, cppTestUser.hasPrivileges(tree, expected.toArray(new String[expected.size()]))); + + assertFalse(path, cppTestUser.hasPrivileges(tree, JCR_ADD_CHILD_NODES)); + assertFalse(path, cppTestUser.hasPrivileges(tree, REP_ADD_PROPERTIES)); + assertFalse(path, cppTestUser.hasPrivileges(tree, JCR_MODIFY_PROPERTIES)); + } else { + assertTrue(path, cppTestUser.hasPrivileges(tree, defaultPrivs.toArray(new String[defaultPrivs.size()]))); + } + } + } + + @Test + public void testHasPrivilegesAdmin() throws Exception { + Set<String> expectedAllowed = pbp.getPrivilegeNames(pbp.getBits(JCR_ALL).modifiable().diff(pbp.getBits(JCR_ADD_CHILD_NODES, REP_ADD_PROPERTIES))); + for (String path : NODE_PATHS) { + Tree tree = root.getTree(path); + + if (testProvider.isSupported(path)) { + assertTrue(cppAdminUser.hasPrivileges(tree, expectedAllowed.toArray(new String[expectedAllowed.size()]))); + assertFalse(cppAdminUser.hasPrivileges(tree, JCR_ADD_CHILD_NODES)); + assertFalse(cppAdminUser.hasPrivileges(tree, REP_ADD_PROPERTIES)); + assertFalse(cppAdminUser.hasPrivileges(tree, JCR_WRITE)); + } else { + assertTrue(cppAdminUser.hasPrivileges(tree, JCR_ALL)); + } + } } + @Test + public void testHasPrivilegesOnRepo() throws Exception { + assertFalse(cppTestUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT)); + assertFalse(cppTestUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); + assertFalse(cppTestUser.hasPrivileges(null, JCR_ALL)); + + assertTrue(cppTestUser.hasPrivileges(null, JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); + assertTrue(cppTestUser.hasPrivileges(null)); + } + + @Test + public void testHasPrivilegeOnRepoAdmin() throws Exception { + assertFalse(cppAdminUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT)); + assertFalse(cppAdminUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); + assertFalse(cppAdminUser.hasPrivileges(null, JCR_ALL)); + + assertTrue(cppAdminUser.hasPrivileges(null, JCR_NODE_TYPE_DEFINITION_MANAGEMENT)); + Set<String> expected = pbp.getPrivilegeNames(pbp.getBits(JCR_ALL).modifiable().diff(pbp.getBits(JCR_NAMESPACE_MANAGEMENT))); + assertTrue(cppAdminUser.hasPrivileges(null, expected.toArray(new String[expected.size()]))); + assertTrue(cppAdminUser.hasPrivileges(null)); + } @Test public void testIsGranted() throws Exception { - // TODO + for (String p : defPermissions.keySet()) { + long defaultPerms = defPermissions.get(p); + Tree tree = root.getTree(p); + + if (testProvider.isSupported(p)) { + long expected = Permissions.diff(defaultPerms, Permissions.ADD_NODE|Permissions.ADD_PROPERTY); + assertTrue(cppTestUser.isGranted(tree, null, expected)); + + assertFalse(cppTestUser.isGranted(tree, null, Permissions.ADD_NODE)); + assertFalse(cppTestUser.isGranted(tree, null, Permissions.ADD_PROPERTY)); + assertFalse(cppTestUser.isGranted(tree, null, Permissions.SET_PROPERTY)); + assertFalse(cppTestUser.isGranted(tree, null, Permissions.WRITE)); + } else { + assertTrue(cppTestUser.isGranted(tree, null, defaultPerms)); + } + } + } + + @Test + public void testIsGrantedAdmin() throws Exception { + for (String path : NODE_PATHS) { + Tree tree = root.getTree(path); + + if (testProvider.isSupported(path)) { + assertTrue(cppAdminUser.isGranted(tree, null, Permissions.diff(Permissions.ALL, Permissions.ADD_NODE|Permissions.ADD_PROPERTY))); + assertFalse(cppAdminUser.isGranted(tree, null, Permissions.ADD_NODE)); + assertFalse(cppAdminUser.isGranted(tree, null, Permissions.ADD_PROPERTY)); + assertFalse(cppAdminUser.isGranted(tree, null, Permissions.ADD_NODE | Permissions.ADD_PROPERTY)); + assertFalse(cppAdminUser.isGranted(tree, null, Permissions.WRITE)); + } else { + assertTrue(cppAdminUser.isGranted(tree, null, Permissions.ALL)); + } + } } @Test public void testIsGrantedProperty() throws Exception { - // TODO + for (String p : defPermissions.keySet()) { + long defaultPerms = defPermissions.get(p); + Tree tree = root.getTree(p); + + if (testProvider.isSupported(p)) { + long expected = Permissions.diff(defaultPerms, Permissions.ADD_NODE|Permissions.ADD_PROPERTY); + assertTrue(cppTestUser.isGranted(tree, PROPERTY_STATE, expected)); + + assertFalse(cppTestUser.isGranted(tree, PROPERTY_STATE, Permissions.ADD_PROPERTY)); + assertFalse(cppTestUser.isGranted(tree, PROPERTY_STATE, Permissions.SET_PROPERTY)); + assertFalse(cppTestUser.isGranted(tree, PROPERTY_STATE, Permissions.WRITE)); + } else { + assertTrue(cppTestUser.isGranted(tree, PROPERTY_STATE, defaultPerms)); + } + } + } + + @Test + public void testIsGrantedPropertyAdmin() throws Exception { + for (String p : NODE_PATHS) { + Tree tree = root.getTree(p); + + if (testProvider.isSupported(p)) { + assertTrue(cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.diff(Permissions.ALL, Permissions.ADD_NODE|Permissions.ADD_PROPERTY))); + assertFalse(cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ADD_NODE)); + assertFalse(cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ADD_PROPERTY)); + assertFalse(cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ADD_NODE | Permissions.ADD_PROPERTY)); + assertFalse(cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.WRITE)); + } else { + assertTrue(cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ALL)); + } + } } @Test public void testIsGrantedAction() throws Exception { - // TODO + Set<String> denied = ImmutableSet.of(Session.ACTION_ADD_NODE, JackrabbitSession.ACTION_ADD_PROPERTY); + + for (String p : defActionsGranted.keySet()) { + String[] actions = defActionsGranted.get(p); + + if (testProvider.isSupported(p)) { + Set<String> expected = Sets.newHashSet(actions); + expected.removeAll(denied); + + boolean canSetProperty = TreeLocation.create(root, p).getProperty() != null; + if (!canSetProperty) { + expected.remove(Session.ACTION_SET_PROPERTY); + } + + assertTrue(p, cppTestUser.isGranted(p, getActionString(expected.toArray(new String[expected.size()])))); + + assertEquals(p, canSetProperty, cppTestUser.isGranted(p, Session.ACTION_SET_PROPERTY)); + assertFalse(p, cppTestUser.isGranted(p, Session.ACTION_ADD_NODE)); + assertFalse(p, cppTestUser.isGranted(p, JackrabbitSession.ACTION_ADD_PROPERTY)); + } else { + assertTrue(p, cppTestUser.isGranted(p, getActionString(actions))); + } + } + } + + @Test + public void testIsGrantedActionAdmin() throws Exception { + String[] grantedActions = new String[]{ + Session.ACTION_READ, + JackrabbitSession.ACTION_REMOVE_NODE, + JackrabbitSession.ACTION_MODIFY_PROPERTY, + JackrabbitSession.ACTION_REMOVE_PROPERTY, + Session.ACTION_REMOVE, + JackrabbitSession.ACTION_READ_ACCESS_CONTROL, + JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL, + JackrabbitSession.ACTION_LOCKING, + JackrabbitSession.ACTION_NODE_TYPE_MANAGEMENT, + JackrabbitSession.ACTION_VERSIONING, + JackrabbitSession.ACTION_USER_MANAGEMENT + }; + + for (String path : NODE_PATHS) { + if (testProvider.isSupported(path)) { + assertTrue(cppAdminUser.isGranted(path, getActionString(grantedActions))); + assertFalse(cppAdminUser.isGranted(path, Session.ACTION_ADD_NODE)); + assertFalse(cppAdminUser.isGranted(path, Session.ACTION_SET_PROPERTY)); + assertFalse(cppAdminUser.isGranted(path, JackrabbitSession.ACTION_ADD_PROPERTY)); + } else { + assertTrue(cppAdminUser.isGranted(path, Permissions.getString(Permissions.ALL))); + assertTrue(cppAdminUser.isGranted(path, getActionString(ALL_ACTIONS))); + } + } } @Test public void testRepositoryPermissionIsGranted() throws Exception { RepositoryPermission rp = cppTestUser.getRepositoryPermission(); - assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT)); + assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT)); + assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.PRIVILEGE_MANAGEMENT)); + assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); - assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + + assertFalse(rp.isGranted(Permissions.PRIVILEGE_MANAGEMENT)); + assertFalse(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT | Permissions.PRIVILEGE_MANAGEMENT | Permissions.WORKSPACE_MANAGEMENT)); + + assertFalse(rp.isGranted(Permissions.ALL)); + } @Test - public void testRepositoryPermissionIsGrantedAdminUser() throws Exception { + public void testRepositoryPermissionIsGrantedAdmin() throws Exception { RepositoryPermission rp = cppAdminUser.getRepositoryPermission(); - assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT)); + assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT)); + assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); + assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.PRIVILEGE_MANAGEMENT)); + assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); - assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT)); assertTrue(rp.isGranted(Permissions.PRIVILEGE_MANAGEMENT)); - assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT|Permissions.PRIVILEGE_MANAGEMENT)); - assertTrue(rp.isGranted(Permissions.ALL)); + assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT|Permissions.PRIVILEGE_MANAGEMENT|Permissions.WORKSPACE_MANAGEMENT)); + + assertFalse(rp.isGranted(Permissions.ALL)); + } + + @Test + public void testTreePermissionIsGranted() throws Exception { + TreePermission parentPermission = TreePermission.EMPTY; + + for (String path : TP_PATHS) { + TreePermission tp = cppTestUser.getTreePermission(root.getTree(path), parentPermission); + + Long toTest = (defPermissions.containsKey(path)) ? defPermissions.get(path) : defPermissions.get(PathUtils.getAncestorPath(path, 1)); + if (toTest != null) { + if (testProvider.isSupported(path)) { + assertTrue(tp.isGranted(Permissions.diff(toTest, Permissions.ADD_NODE|Permissions.ADD_PROPERTY))); + assertFalse(tp.isGranted(Permissions.ADD_PROPERTY | Permissions.ADD_NODE)); + } else { + assertTrue(tp.isGranted(toTest)); + } + } + parentPermission = tp; + } + } + + @Test + public void testTreePermissionIsGrantedAdmin( ) { + TreePermission parentPermission = TreePermission.EMPTY; + + for (String path : TP_PATHS) { + TreePermission tp = cppAdminUser.getTreePermission(root.getTree(path), parentPermission); + + if (testProvider.isSupported(path)) { + assertTrue(path, tp.isGranted(Permissions.diff(Permissions.ALL, Permissions.ADD_NODE|Permissions.ADD_PROPERTY))); + assertFalse(path, tp.isGranted(Permissions.ADD_PROPERTY | Permissions.ADD_NODE)); + assertFalse(path, tp.isGranted(Permissions.ALL)); + } else { + assertTrue(path, tp.isGranted(Permissions.ALL)); + } + parentPermission = tp; + } + + parentPermission = TreePermission.EMPTY; + for (String nodePath : PATH_OUTSIDE_SCOPE) { + Tree tree = root.getTree(nodePath); + + TreePermission tp = cppAdminUser.getTreePermission(tree, parentPermission); + assertTrue(nodePath, tp.isGranted(Permissions.ALL)); + + parentPermission = tp; + } } @Test - public void testGetTreePermission() throws Exception { - // TODO + public void testTreePermissionIsGrantedProperty() throws Exception { + TreePermission parentPermission = TreePermission.EMPTY; + + for (String path : TP_PATHS) { + TreePermission tp = cppTestUser.getTreePermission(root.getTree(path), parentPermission); + Long toTest = (defPermissions.containsKey(path)) ? defPermissions.get(path) : defPermissions.get(PathUtils.getAncestorPath(path, 1)); + if (toTest != null) { + if (testProvider.isSupported(path)) { + assertTrue(tp.isGranted(Permissions.diff(toTest, Permissions.ADD_NODE|Permissions.ADD_PROPERTY), PROPERTY_STATE)); + assertFalse(tp.isGranted(Permissions.ADD_PROPERTY, PROPERTY_STATE)); + } else { + assertTrue(tp.isGranted(toTest, PROPERTY_STATE)); + } + } + parentPermission = tp; + } + } + + @Test + public void testTreePermissionCanRead() throws Exception { + Map<String, Boolean> readMap = ImmutableMap.<String, Boolean>builder(). + put(ROOT_PATH, false). + put(TEST_PATH, true). + put(TEST_A_PATH, true). + put(TEST_A_B_PATH, true). + put(TEST_A_B_C_PATH, false). + put(TEST_A_B_C_PATH + "/nonexisting", false). + build(); + + TreePermission parentPermission = TreePermission.EMPTY; + for (String nodePath : readMap.keySet()) { + Tree tree = root.getTree(nodePath); + TreePermission tp = cppTestUser.getTreePermission(tree, parentPermission); + + boolean expectedResult = readMap.get(nodePath); + assertEquals(nodePath, expectedResult, tp.canRead()); + + parentPermission = tp; + } + } + + @Test + public void testTreePermissionCanReadProperty() throws Exception { + Map<String, Boolean> readMap = ImmutableMap.<String, Boolean>builder(). + put(ROOT_PATH, false). + put(TEST_PATH, true). + put(TEST_A_PATH, true). + put(TEST_A_B_PATH, true). + put(TEST_A_B_C_PATH, true). + put(TEST_A_B_C_PATH + "/nonexisting", true). + build(); + + TreePermission parentPermission = TreePermission.EMPTY; + for (String nodePath : readMap.keySet()) { + Tree tree = root.getTree(nodePath); + + TreePermission tp = cppTestUser.getTreePermission(tree, parentPermission); + assertEquals(nodePath, readMap.get(nodePath), tp.canRead(PROPERTY_STATE)); + + parentPermission = tp; + } + } + + @Test + public void testTreePermissionCanReadAdmin() { + TreePermission parentPermission = TreePermission.EMPTY; + + for (String nodePath : TP_PATHS) { + Tree tree = root.getTree(nodePath); + + TreePermission tp = cppAdminUser.getTreePermission(tree, parentPermission); + + assertTrue(nodePath, tp.canRead()); + assertTrue(nodePath, tp.canRead(PROPERTY_STATE)); + + parentPermission = tp; + } + } + + @Test + public void testTreePermissionCanReadAllAdmin() { + TreePermission parentPermission = TreePermission.EMPTY; + + for (String nodePath : TP_PATHS) { + Tree tree = root.getTree(nodePath); + + TreePermission tp = cppAdminUser.getTreePermission(tree, parentPermission); + + assertFalse(nodePath, tp.canReadAll()); + assertFalse(nodePath, tp.canReadProperties()); + + parentPermission = tp; + } + + parentPermission = TreePermission.EMPTY; + for (String nodePath : PATH_OUTSIDE_SCOPE) { + Tree tree = root.getTree(nodePath); + + TreePermission tp = cppAdminUser.getTreePermission(tree, parentPermission); + assertFalse(nodePath, tp.canReadAll()); + assertFalse(nodePath, tp.canReadProperties()); + + parentPermission = tp; + } } } \ No newline at end of file Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermissionTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermissionTest.java?rev=1708563&view=auto ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermissionTest.java (added) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermissionTest.java Wed Oct 14 09:02:49 2015 @@ -0,0 +1,128 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.security.authorization.composite; + +import java.lang.reflect.Field; +import java.util.List; +import java.util.Map; + +import com.google.common.collect.ImmutableList; +import org.apache.jackrabbit.oak.AbstractSecurityTest; +import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants; +import org.apache.jackrabbit.oak.plugins.tree.RootFactory; +import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; +import org.apache.jackrabbit.oak.spi.state.NodeState; +import org.apache.jackrabbit.oak.util.NodeUtil; +import org.junit.Test; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; + +public class CompositeTreePermissionTest extends AbstractSecurityTest { + + private ImmutableTree rootTree; + + @Override + public void before() throws Exception { + super.before(); + + NodeUtil rootNode = new NodeUtil(root.getTree("/")); + NodeUtil test = rootNode.addChild("test", NodeTypeConstants.NT_OAK_UNSTRUCTURED); + root.commit(); + + rootTree = (ImmutableTree) RootFactory.createReadOnlyRoot(root).getTree("/"); + } + + @Override + public void after() throws Exception { + try { + root.refresh(); + root.getTree("/test").remove(); + root.commit(); + } finally { + super.after(); + } + } + + private List<AggregatedPermissionProvider> getProviders() { + return ImmutableList.<AggregatedPermissionProvider>of(new FullScopeProvider(root)); + } + + @Test + public void testEmptyProviderList() { + CompositeTreePermission parent = new CompositeTreePermission(ImmutableList.<AggregatedPermissionProvider>of()); + assertFalse(parent.canRead()); + + CompositeTreePermission rootTp = new CompositeTreePermission(rootTree, parent); + assertFalse(rootTp.canRead()); + + CompositeTreePermission testTp = new CompositeTreePermission(rootTree.getChild("test"), rootTp); + assertFalse(testTp.canRead()); + } + + @Test(expected = IllegalStateException.class) + public void testGetChildOnParent() { + NodeState childState = rootTree.getChild("test").getNodeState(); + CompositeTreePermission parent = new CompositeTreePermission(getProviders()); + parent.getChildPermission("illegal", childState); + } + + @Test + public void testGetChildOnRoot() { + CompositeTreePermission rootTp = new CompositeTreePermission(rootTree, + new CompositeTreePermission(getProviders())); + TreePermission testTp = rootTp.getChildPermission("test", rootTree.getChild("test").getNodeState()); + } + + @Test + public void testCanRead() throws Exception { + CompositeTreePermission rootTp = new CompositeTreePermission(rootTree, + new CompositeTreePermission(getProviders())); + + Field f = CompositeTreePermission.class.getDeclaredField("canRead"); + f.setAccessible(true); + + Object canRead = f.get(rootTp); + assertNull(canRead); + + rootTp.canRead(); + + canRead = f.get(rootTp); + assertNotNull(canRead); + } + + @Test + public void testParentNoRecourse() throws Exception { + Field f = CompositeTreePermission.class.getDeclaredField("map"); + f.setAccessible(true); + + CompositeTreePermission rootTp = new CompositeTreePermission(rootTree, + new CompositeTreePermission(ImmutableList.<AggregatedPermissionProvider>of(new NoScopeProvider()))); + assertFalse(rootTp.canRead()); + assertEquals(1, ((Map) f.get(rootTp)).size()); + + + TreePermission testTp = rootTp.getChildPermission("test", rootTree.getChild("test").getNodeState()); + assertFalse(testTp.canRead()); + assertTrue(((Map) f.get(testTp)).isEmpty()); + } +} \ No newline at end of file Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/FullScopeProvider.java (from r1708074, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java) URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/FullScopeProvider.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/FullScopeProvider.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java&r1=1708074&r2=1708563&rev=1708563&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java (original) +++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/FullScopeProvider.java Wed Oct 14 09:02:49 2015 @@ -36,37 +36,29 @@ import org.apache.jackrabbit.oak.spi.sec import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; import org.apache.jackrabbit.oak.spi.state.NodeState; -import org.apache.jackrabbit.util.Text; /** * Test implementation of the {@code AggregatedPermissionProvider} with following * characteristics: * - * If {@code supportsAll} is {@code true} this provider supports all permissions - * but only grants {@link Permissions#NAMESPACE_MANAGEMENT} on repository level - * and {@link Permissions#READ_NODE} on regular items. + * This provider supports all permissions + * but only grants {@link org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions#NAMESPACE_MANAGEMENT} on repository level + * and {@link org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions#READ_NODE} on regular items. + * * In this case the provider will always be respected for evaluation and will * therefore cause the final result to be always restricted to the permissions * granted by this provider. * - * If {@code supportsAll} is {@code false} this provider supports - * - {@link Permissions#NAMESPACE_MANAGEMENT} on repository level - * - {@link Permissions#READ_NODE} at the tree defined by {@link AbstractCompositeProviderTest#TEST_A_PATH} - * - {@link Permissions#NO_PERMISSION} everywhere else. - * The permissions granted are the same as above. Due to the limited scope - * however, the provider will in this case only respected for evaluation at - * the supported paths (and at the repo level). The final result will restricted - * to the permissions granted by this provider at the supported paths. For all - * other paths the access limitations of this provider have no effect. + * NOTE: this provider implementation doesn't properly filter out access + * control content for which {@link Permissions#READ_ACCESS_CONTROL} must be + * enforced. this has been omitted here for the simplicity of the test. */ -class TestPermissionProvider implements AggregatedPermissionProvider { +class FullScopeProvider implements AggregatedPermissionProvider, PrivilegeConstants { private final Root root; - private final boolean supportsAll; - TestPermissionProvider(@Nonnull Root root, boolean supportsAll) { + FullScopeProvider(@Nonnull Root root) { this.root = root; - this.supportsAll = supportsAll; } //-------------------------------------------------< PermissionProvider >--- @@ -79,23 +71,18 @@ class TestPermissionProvider implements @Override public Set<String> getPrivileges(@Nullable Tree tree) { if (tree == null) { - return ImmutableSet.of(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT); - } else if (isSupported(tree)) { - return ImmutableSet.of(PrivilegeConstants.REP_READ_NODES); + return ImmutableSet.of(JCR_NAMESPACE_MANAGEMENT); } else { - return ImmutableSet.of(); + return ImmutableSet.of(REP_READ_NODES); } - } @Override public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) { if (tree == null) { - return Arrays.equals(new String[]{PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT}, privilegeNames); - } else if (isSupported(tree)) { - return Arrays.equals(new String[]{PrivilegeConstants.REP_READ_NODES}, privilegeNames); + return Arrays.equals(new String[]{JCR_NAMESPACE_MANAGEMENT}, privilegeNames); } else { - return false; + return Arrays.equals(new String[]{REP_READ_NODES}, privilegeNames); } } @@ -113,100 +100,48 @@ class TestPermissionProvider implements @Nonnull @Override public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) { - return (isSupported(tree)) ? new TestTreePermission(tree.getPath()) : TreePermission.EMPTY; + return new TestTreePermission(tree.getPath()); } @Override public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) { - return isSupported(tree) && property == null && permissions == Permissions.READ_NODE; + return property == null && permissions == Permissions.READ_NODE; } @Override public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) { Tree tree = root.getTree(oakPath); - return tree.exists() && isSupported(tree) && Session.ACTION_READ.equals(jcrActions); + return tree.exists() && Session.ACTION_READ.equals(jcrActions); } //---------------------------------------< AggregatedPermissionProvider >--- @Nonnull @Override public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) { - if (supportsAll) { - return (privilegeBits == null) ? new PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL) : privilegeBits; - } else { - PrivilegeBits supported; - if (tree == null) { - supported = PrivilegeBits.BUILT_IN.get(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT); - } else if (isSupportedPath(tree.getPath())) { - supported = PrivilegeBits.BUILT_IN.get(PrivilegeConstants.REP_READ_NODES); - } else { - supported = PrivilegeBits.EMPTY; - } - - if (privilegeBits != null && !supported.isEmpty()) { - return PrivilegeBits.getInstance(privilegeBits).retain(supported); - } else { - return supported; - } - } + return (privilegeBits == null) ? new PrivilegeBitsProvider(root).getBits(JCR_ALL) : privilegeBits; } @Override public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions) { - if (supportsAll) { - return permissions; - } else { - if (tree == null) { - return permissions & Permissions.NAMESPACE_MANAGEMENT; - } else if (isSupportedPath(tree.getPath())) { - return permissions & Permissions.READ_NODE; - } else { - return Permissions.NO_PERMISSION; - } - } + return permissions; } @Override public long supportedPermissions(@Nonnull TreeLocation location, long permissions) { - if (supportsAll) { - return permissions; - } else if (isSupportedPath(location.getPath())) { - return permissions & Permissions.READ_NODE; - } else { - return Permissions.NO_PERMISSION; - } + return permissions; } @Override - public long supportedPermissions(@Nonnull TreePermission treePermission, long permissions) { - if (supportsAll) { - return permissions; - } else if (isSupportedPath(((TestTreePermission) treePermission).path)) { - return permissions & Permissions.READ_NODE; - } else { - return Permissions.NO_PERMISSION; - } + public long supportedPermissions(@Nonnull TreePermission treePermission, @Nullable PropertyState propertyState, long permissions) { + return permissions; } @Override public boolean isGranted(@Nonnull TreeLocation location, long permissions) { - if (supportsAll) { - return permissions == Permissions.READ_NODE; - } else if (isSupportedPath(location.getPath())) { - return permissions == Permissions.READ_NODE; - } else { - return false; - } + return permissions == Permissions.READ_NODE; } //-------------------------------------------------------------------------- - private boolean isSupported(@Nonnull Tree tree) { - return supportsAll || isSupportedPath(tree.getPath()); - } - - private boolean isSupportedPath(@Nonnull String path) { - return Text.isDescendantOrEqual(AbstractCompositeProviderTest.TEST_A_PATH, path); - } private final class TestTreePermission implements TreePermission {
