Author: angela
Date: Thu Apr 27 08:53:56 2017
New Revision: 1792852
URL: http://svn.apache.org/viewvc?rev=1792852&view=rev
Log:
OAK-6038 : Drop dependency of spi.security.* tests from AbstractSecurityTest
(wip)
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/EntryTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ACETest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlListTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlManagerTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ImmutableACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/TestACL.java
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java?rev=1792852&r1=1792851&r2=1792852&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
Thu Apr 27 08:53:56 2017
@@ -16,23 +16,16 @@
*/
package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
-import static org.junit.Assert.assertArrayEquals;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
+import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
-
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.PropertyType;
@@ -44,99 +37,175 @@ import javax.jcr.security.AccessControlE
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
+import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
-import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
-import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.namepath.GlobalNameMapper;
+import org.apache.jackrabbit.oak.namepath.LocalNameMapper;
+import org.apache.jackrabbit.oak.namepath.NameMapper;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.namepath.NamePathMapperImpl;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlList;
-import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlListTest;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.AbstractRestrictionProvider;
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinitionImpl;
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
-import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
-import org.junit.Before;
import org.junit.Test;
+import static java.util.Collections.singletonMap;
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
/**
- * Test abstract {@code ACL} implementation.
+ * Test {@code ACL} implementation.
*/
-public class ACLTest extends AbstractAccessControlListTest implements
PrivilegeConstants, AccessControlConstants {
+public class ACLTest extends AbstractAccessControlTest implements
PrivilegeConstants, AccessControlConstants {
+
+ private static void assertACE(JackrabbitAccessControlEntry ace, boolean
isAllow, Privilege... privileges) {
+ assertEquals(isAllow, ace.isAllow());
+ assertEquals(Sets.newHashSet(privileges),
Sets.newHashSet(ace.getPrivileges()));
+ }
- private PrivilegeManager privilegeManager;
- private PrincipalManager principalManager;
+ @Test
+ public void testGetNamePathMapper() throws Exception {
+ assertSame(getNamePathMapper(), createEmptyACL().getNamePathMapper());
+ assertSame(NamePathMapper.DEFAULT, createACL(TEST_PATH,
ImmutableList.<ACE>of(), NamePathMapper.DEFAULT).getNamePathMapper());
+ }
- private AbstractAccessControlList acl;
- private Principal testPrincipal;
- private Privilege[] testPrivileges;
-
- @Override
- @Before
- public void before() throws Exception {
- super.before();
-
- privilegeManager = getPrivilegeManager(root);
- principalManager = getPrincipalManager(root);
-
- acl = createEmptyACL();
- testPrincipal = getTestPrincipal();
- testPrivileges = privilegesFromNames(JCR_ADD_CHILD_NODES,
JCR_LOCK_MANAGEMENT);
- }
-
- @Override
- protected AbstractAccessControlList createACL(@Nullable String jcrPath,
- @Nonnull List<ACE> entries,
- @Nonnull NamePathMapper
namePathMapper,
- final @Nonnull
RestrictionProvider restrictionProvider) {
- String path = (jcrPath == null) ? null :
namePathMapper.getOakPath(jcrPath);
- return new ACL(path, entries, namePathMapper) {
- @Nonnull
- @Override
- public RestrictionProvider getRestrictionProvider() {
- return restrictionProvider;
- }
+ @Test
+ public void testGetPath() {
+ NameMapper nameMapper = new GlobalNameMapper(
+ Collections.singletonMap("jr",
"http://jackrabbit.apache.org";));
+ NamePathMapper npMapper = new NamePathMapperImpl(nameMapper);
- @Override
- ACE createACE(Principal principal, PrivilegeBits privilegeBits,
boolean isAllow, Set<Restriction> restrictions) throws RepositoryException {
- return createEntry(principal, privilegeBits, isAllow,
restrictions);
- }
+ // map of jcr-path to standard jcr-path
+ Map<String, String> paths = new HashMap<String, String>();
+ paths.put(null, null);
+ paths.put(TEST_PATH, TEST_PATH);
+ paths.put("/", "/");
+ paths.put("/jr:testPath", "/jr:testPath");
+ paths.put("/{http://jackrabbit.apache.org}testPath";, "/jr:testPath");
- @Override
- boolean checkValidPrincipal(Principal principal) throws
AccessControlException {
- Util.checkValidPrincipal(principal, principalManager);
- return true;
- }
+ for (String path : paths.keySet()) {
+ AbstractAccessControlList acl = createACL(path,
Collections.<ACE>emptyList(), npMapper);
+ assertEquals(paths.get(path), acl.getPath());
+ }
+ }
- @Override
- PrivilegeManager getPrivilegeManager() {
- return privilegeManager;
- }
+ @Test
+ public void testGetOakPath() {
+ NamePathMapper npMapper = new NamePathMapperImpl(new LocalNameMapper(
+ singletonMap("oak", "http://jackrabbit.apache.org";),
+ singletonMap("jcr", "http://jackrabbit.apache.org";)));
+ // map of jcr-path to oak path
+ Map<String, String> paths = new HashMap();
+ paths.put(null, null);
+ paths.put(TEST_PATH, TEST_PATH);
+ paths.put("/", "/");
+ String oakPath = "/oak:testPath";
+ String jcrPath = "/jcr:testPath";
+ paths.put(jcrPath, oakPath);
+ jcrPath = "/{http://jackrabbit.apache.org}testPath";;
+ paths.put(jcrPath, oakPath);
- @Override
- PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
- return getBitsProvider().getBits(privileges,
getNamePathMapper());
- }
- };
+ // test if oak-path is properly set.
+ for (String path : paths.keySet()) {
+ AbstractAccessControlList acl = createACL(path,
Collections.<ACE>emptyList(), npMapper);
+ assertEquals(paths.get(path), acl.getOakPath());
+ }
}
- private static void assertACE(JackrabbitAccessControlEntry ace, boolean
isAllow, Privilege... privileges) {
- assertEquals(isAllow, ace.isAllow());
- assertEquals(Sets.newHashSet(privileges),
Sets.newHashSet(ace.getPrivileges()));
+ @Test
+ public void testEmptyAcl() throws RepositoryException {
+ AbstractAccessControlList acl = createEmptyACL();
+
+ assertNotNull(acl.getAccessControlEntries());
+ assertNotNull(acl.getEntries());
+
+ assertTrue(acl.getAccessControlEntries().length == 0);
+ assertEquals(acl.getAccessControlEntries().length,
acl.getEntries().size());
+ assertEquals(0, acl.size());
+ assertTrue(acl.isEmpty());
}
@Test
+ public void testSize() throws RepositoryException {
+ AbstractAccessControlList acl = createACL(createTestEntries());
+ assertEquals(3, acl.size());
+ }
+
+ @Test
+ public void testIsEmpty() throws RepositoryException {
+ AbstractAccessControlList acl = createACL(createTestEntries());
+ assertFalse(acl.isEmpty());
+ }
+
+ @Test
+ public void testGetEntries() throws RepositoryException {
+ List<ACE> aces = createTestEntries();
+ AbstractAccessControlList acl = createACL(TEST_PATH, aces,
getNamePathMapper());
+
+ assertNotNull(acl.getEntries());
+ assertNotNull(acl.getAccessControlEntries());
+
+ assertEquals(aces.size(), acl.getEntries().size());
+ assertEquals(aces.size(), acl.getAccessControlEntries().length);
+ assertTrue(acl.getEntries().containsAll(aces));
+
assertTrue(Arrays.asList(acl.getAccessControlEntries()).containsAll(aces));
+ }
+
+ @Test
+ public void testGetRestrictionNames() throws RepositoryException {
+ AbstractAccessControlList acl = createEmptyACL();
+
+ String[] restrNames = acl.getRestrictionNames();
+ assertNotNull(restrNames);
+ List<String> names = Lists.newArrayList(restrNames);
+ for (RestrictionDefinition def :
getRestrictionProvider().getSupportedRestrictions(TEST_PATH)) {
+
assertTrue(names.remove(getNamePathMapper().getJcrName(def.getName())));
+ }
+ assertTrue(names.isEmpty());
+ }
+
+ @Test
+ public void testGetRestrictionType() throws RepositoryException {
+ AbstractAccessControlList acl = createEmptyACL();
+ for (RestrictionDefinition def :
getRestrictionProvider().getSupportedRestrictions(TEST_PATH)) {
+ int reqType =
acl.getRestrictionType(getNamePathMapper().getJcrName(def.getName()));
+
+ assertTrue(reqType > PropertyType.UNDEFINED);
+ assertEquals(def.getRequiredType().tag(), reqType);
+ }
+ }
+
+ @Test
+ public void testGetRestrictionTypeForUnknownName() throws
RepositoryException {
+ AbstractAccessControlList acl = createEmptyACL();
+ // for backwards compatibility getRestrictionType(String) must return
+ // UNDEFINED for a unknown restriction name:
+ assertEquals(PropertyType.UNDEFINED,
acl.getRestrictionType("unknownRestrictionName"));
+ }
+
+
+ @Test
public void testUnknownPrincipal() throws Exception {
Principal unknownPrincipal = new InvalidTestPrincipal("unknown");
try {
@@ -253,7 +322,7 @@ public class ACLTest extends AbstractAcc
@Test
public void testRemoveEntries() throws Exception {
- JackrabbitAccessControlList acl = createACL(getTestPath(),
createTestEntries(), namePathMapper);
+ JackrabbitAccessControlList acl = createACL(TEST_PATH,
createTestEntries(), namePathMapper);
for (AccessControlEntry ace : acl.getAccessControlEntries()) {
acl.removeAccessControlEntry(ace);
}
@@ -740,7 +809,7 @@ public class ACLTest extends AbstractAcc
public void testUnsupportedRestrictions2() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("restr",
Type.NAME, false);
- JackrabbitAccessControlList acl = createACL(getTestPath(), new
ArrayList(), namePathMapper, rp);
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
try {
acl.addEntry(testPrincipal, testPrivileges, false,
Collections.<String, Value>singletonMap("unsupported",
getValueFactory().createValue("value")));
fail("Unsupported restriction must be detected.");
@@ -753,7 +822,7 @@ public class ACLTest extends AbstractAcc
public void testInvalidRestrictionType() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("restr",
Type.NAME, false);
- JackrabbitAccessControlList acl = createACL(getTestPath(), new
ArrayList(), namePathMapper, rp);
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
try {
acl.addEntry(testPrincipal, testPrivileges, false,
Collections.<String, Value>singletonMap("restr",
getValueFactory().createValue(true)));
fail("Invalid restriction type.");
@@ -766,7 +835,7 @@ public class ACLTest extends AbstractAcc
public void testMandatoryRestrictions() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAME, true);
- JackrabbitAccessControlList acl = createACL(getTestPath(), new
ArrayList(), namePathMapper, rp);
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
try {
acl.addEntry(testPrincipal, testPrivileges, false,
Collections.<String, Value>emptyMap());
fail("Mandatory restriction must be enforced.");
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java?rev=1792852&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java
Thu Apr 27 08:53:56 2017
@@ -0,0 +1,169 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.jcr.RepositoryException;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlPolicy;
+import javax.jcr.security.AccessControlPolicyIterator;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
+import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.Before;
+
+public abstract class AbstractAccessControlTest extends AbstractSecurityTest
implements PrivilegeConstants {
+
+ static final String TEST_PATH = "/testPath";
+
+ PrivilegeManager privilegeManager;
+ PrincipalManager principalManager;
+
+ ACL acl;
+ Principal testPrincipal;
+ Privilege[] testPrivileges;
+
+ @Override
+ @Before
+ public void before() throws Exception {
+ super.before();
+
+ NodeUtil rootNode = new NodeUtil(root.getTree("/"),
getNamePathMapper());
+ rootNode.addChild("testPath", JcrConstants.NT_UNSTRUCTURED);
+ root.commit();
+
+ testPrincipal = getTestUser().getPrincipal();
+ testPrivileges = privilegesFromNames(JCR_ADD_CHILD_NODES,
JCR_LOCK_MANAGEMENT);
+
+ privilegeManager = getPrivilegeManager(root);
+ principalManager = getPrincipalManager(root);
+
+ acl = createEmptyACL();
+ }
+
+ RestrictionProvider getRestrictionProvider() {
+ return
getConfig(AuthorizationConfiguration.class).getRestrictionProvider();
+ }
+
+ PrivilegeBitsProvider getBitsProvider() {
+ return new PrivilegeBitsProvider(root);
+ }
+
+ List<ACE> createTestEntries() throws RepositoryException {
+ List<ACE> entries = new ArrayList(3);
+ for (int i = 0; i < 3; i++) {
+ entries.add(createEntry(
+ new PrincipalImpl("testPrincipal" + i), true, null,
PrivilegeConstants.JCR_READ));
+ }
+ return entries;
+ }
+
+ ACE createEntry(Principal principal, boolean isAllow, Set<Restriction>
restrictions, String... privilegeNames) throws RepositoryException {
+ return createEntry(principal, privilegesFromNames(privilegeNames),
isAllow, restrictions);
+ }
+
+ ACE createEntry(Principal principal, Privilege[] privileges, boolean
isAllow)
+ throws RepositoryException {
+ return createEntry(principal, privileges, isAllow, null);
+ }
+
+ ACE createEntry(Principal principal, PrivilegeBits bits, boolean isAllow,
Set<Restriction> restrictions) throws RepositoryException {
+ AccessControlPolicyIterator it =
getAccessControlManager(root).getApplicablePolicies(TEST_PATH);
+ while (it.hasNext()) {
+ AccessControlPolicy policy = it.nextAccessControlPolicy();
+ if (policy instanceof ACL) {
+ return ((ACL) policy).createACE(principal, bits, isAllow,
restrictions);
+ }
+ }
+
+ throw new UnsupportedOperationException();
+ }
+
+ private ACE createEntry(@Nonnull Principal principal, @Nonnull Privilege[]
privileges, boolean isAllow, @Nullable Set<Restriction> restrictions)
+ throws RepositoryException {
+ ACL acl = createEmptyACL();
+ return acl.createACE(principal, getBitsProvider().getBits(privileges,
getNamePathMapper()), isAllow, restrictions);
+ }
+
+ ACL createEmptyACL() {
+ return createACL(TEST_PATH, Collections.<ACE>emptyList(),
getNamePathMapper(), getRestrictionProvider());
+ }
+
+ ACL createACL(@Nonnull List<ACE> entries) {
+ return createACL(TEST_PATH, entries, namePathMapper,
getRestrictionProvider());
+ }
+
+ ACL createACL(@Nullable String jcrPath,
+ @Nonnull List<ACE> entries,
+ @Nonnull NamePathMapper namePathMapper) {
+ return createACL(jcrPath, entries, namePathMapper,
getRestrictionProvider());
+ }
+
+ ACL createACL(@Nullable String jcrPath,
+ @Nonnull List<ACE> entries,
+ @Nonnull NamePathMapper namePathMapper,
+ final @Nonnull RestrictionProvider restrictionProvider) {
+ String path = (jcrPath == null) ? null :
namePathMapper.getOakPath(jcrPath);
+ return new ACL(path, entries, namePathMapper) {
+ @Nonnull
+ @Override
+ public RestrictionProvider getRestrictionProvider() {
+ return restrictionProvider;
+ }
+
+ @Override
+ ACE createACE(Principal principal, PrivilegeBits privilegeBits,
boolean isAllow, Set<Restriction> restrictions) throws RepositoryException {
+ return createEntry(principal, privilegeBits, isAllow,
restrictions);
+ }
+
+ @Override
+ boolean checkValidPrincipal(Principal principal) throws
AccessControlException {
+ Util.checkValidPrincipal(principal, principalManager);
+ return true;
+ }
+
+ @Override
+ PrivilegeManager getPrivilegeManager() {
+ return privilegeManager;
+ }
+
+ @Override
+ PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
+ return new PrivilegeBitsProvider(root).getBits(privileges,
getNamePathMapper());
+ }
+ };
+ }
+}
\ No newline at end of file
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java?rev=1792852&r1=1792851&r2=1792852&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
Thu Apr 27 08:53:56 2017
@@ -43,7 +43,6 @@ import javax.jcr.security.AccessControlP
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
-import com.google.common.base.Function;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
@@ -54,6 +53,8 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
@@ -65,8 +66,9 @@ import org.apache.jackrabbit.oak.namepat
import org.apache.jackrabbit.oak.plugins.name.ReadWriteNamespaceRegistry;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.plugins.value.jcr.ValueFactoryImpl;
+import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
-import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManagerTest;
+import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.TestACL;
import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
@@ -74,9 +76,11 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.apache.jackrabbit.oak.util.TreeUtil;
+import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -93,32 +97,64 @@ import static org.junit.Assert.fail;
/**
* Tests for the default {@code AccessControlManager} implementation.
*/
-public class AccessControlManagerImplTest extends
AbstractAccessControlManagerTest implements AccessControlConstants {
+public class AccessControlManagerImplTest extends AbstractSecurityTest
implements AccessControlConstants {
public static final String TEST_LOCAL_PREFIX = "test";
+ public static final String TEST_PREFIX = "jr";
+ public static final String TEST_URI = "http://jackrabbit.apache.org";;
+ private final String testName = TEST_PREFIX + ":testRoot";
+ private final String testPath = '/' + testName;
+
+ private Principal testPrincipal;
+ private Privilege[] testPrivileges;
+
+ private AccessControlManagerImpl acMgr;
private NamePathMapper npMapper;
private ValueFactory valueFactory;
+ private Root testRoot;
+
@Override
@Before
public void before() throws Exception {
super.before();
+ registerNamespace(TEST_PREFIX, TEST_URI);
+
+ NameMapper nameMapper = new GlobalNameMapper(root);
+ npMapper = new NamePathMapperImpl(nameMapper);
+
+ acMgr = new AccessControlManagerImpl(root, npMapper,
getSecurityProvider());
+
+ NodeUtil rootNode = new NodeUtil(root.getTree("/"),
getNamePathMapper());
+ rootNode.addChild(testName, JcrConstants.NT_UNSTRUCTURED);
+ root.commit();
+
valueFactory = new ValueFactoryImpl(root, npMapper);
+
+ testPrivileges =
privilegesFromNames(PrivilegeConstants.JCR_ADD_CHILD_NODES,
PrivilegeConstants.JCR_READ);
+ testPrincipal = getTestUser().getPrincipal();
}
- @Override
- protected NamePathMapper getNamePathMapper() {
- if (npMapper == null) {
- try {
- registerNamespace(TEST_PREFIX, TEST_URI);
- } catch (Exception e) {
- throw new RuntimeException(e);
+ @After
+ public void after() throws Exception {
+ try {
+ root.refresh();
+ root.getTree(testPath).remove();
+ root.commit();
+
+ if (testRoot != null) {
+ testRoot.getContentSession().close();
+ testRoot = null;
}
- NameMapper nameMapper = new GlobalNameMapper(root);
- npMapper = new NamePathMapperImpl(nameMapper);
+ } finally {
+ super.after();
}
+ }
+
+ @Override
+ protected NamePathMapper getNamePathMapper() {
return npMapper;
}
@@ -132,16 +168,47 @@ public class AccessControlManagerImplTes
nsRegistry.registerNamespace(prefix, uri);
}
- @Override
- protected AccessControlManagerImpl createAccessControlManager(@Nonnull
Root root, @Nonnull NamePathMapper namePathMapper) {
+ private AccessControlManagerImpl createAccessControlManager(@Nonnull Root
root, @Nonnull NamePathMapper namePathMapper) {
return new AccessControlManagerImpl(root, namePathMapper,
getSecurityProvider());
}
- @Override
- protected AccessControlManagerImpl getTestAccessControlManager() throws
Exception {
+ private RestrictionProvider getRestrictionProvider() {
+ return
getConfig(AuthorizationConfiguration.class).getRestrictionProvider();
+ }
+
+ private PrivilegeBitsProvider getBitsProvider() {
+ return new PrivilegeBitsProvider(root);
+ }
+
+ private AccessControlManagerImpl getTestAccessControlManager() throws
Exception {
return new AccessControlManagerImpl(getTestRoot(),
getNamePathMapper(), getSecurityProvider());
}
+ private Root getTestRoot() throws Exception {
+ if (testRoot == null) {
+ testRoot = createTestSession().getLatestRoot();
+ }
+ return testRoot;
+ }
+
+ private List<String> getInvalidPaths() {
+ List<String> invalid = new ArrayList<String>();
+ invalid.add("");
+ invalid.add("../../jcr:testRoot");
+ invalid.add("jcr:testRoot");
+ invalid.add("jcr:test/Root");
+ invalid.add("./jcr:testRoot");
+ return invalid;
+ }
+
+ private static Set<Principal> getPrincipals(ContentSession session) {
+ return session.getAuthInfo().getPrincipals();
+ }
+
+ private static Set<Principal> getEveryonePrincipalSet() {
+ return ImmutableSet.<Principal>of(EveryonePrincipal.getInstance());
+ }
+
private ACL getApplicablePolicy(@Nullable String path) throws
RepositoryException {
AccessControlPolicyIterator itr = acMgr.getApplicablePolicies(path);
if (itr.hasNext()) {
@@ -229,6 +296,47 @@ public class AccessControlManagerImplTes
//---------------------------------------------< getSupportedPrivileges
>---
@Test
+ public void testGetSupportedPrivileges() throws Exception {
+ List<Privilege> allPrivileges =
Arrays.asList(getPrivilegeManager(root).getRegisteredPrivileges());
+
+ List<String> testPaths = new ArrayList<String>();
+ testPaths.add(null);
+ testPaths.add("/");
+ testPaths.add("/jcr:system");
+ testPaths.add(testPath);
+
+ for (String path : testPaths) {
+ Privilege[] supported = acMgr.getSupportedPrivileges(path);
+
+ assertNotNull(supported);
+ assertEquals(allPrivileges.size(), supported.length);
+ assertTrue(allPrivileges.containsAll(Arrays.asList(supported)));
+ }
+ }
+
+ @Test
+ public void testGetSupportedPrivilegesInvalidPath() throws Exception {
+ for (String path : getInvalidPaths()) {
+ try {
+ acMgr.getSupportedPrivileges(path);
+ fail("Expects valid node path, found: " + path);
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ }
+
+ @Test(expected = PathNotFoundException.class)
+ public void testGetSupportedPrivilegesPropertyPath() throws Exception {
+ acMgr.getSupportedPrivileges("/jcr:primaryType");
+ }
+
+ @Test(expected = PathNotFoundException.class)
+ public void testGetSupportedPrivilegesNonExistingPath() throws Exception {
+ acMgr.getSupportedPrivileges("/non/existing/node");
+ }
+
+ @Test
public void testGetSupportedPrivilegesIncludingPathConversion() throws
Exception {
List<Privilege> allPrivileges =
Arrays.asList(getPrivilegeManager(root).getRegisteredPrivileges());
@@ -262,16 +370,239 @@ public class AccessControlManagerImplTes
}
}
-
//--------------------------------------------------< privilegeFromName
>---
+
+ @Test
+ public void testPrivilegeFromName() throws Exception {
+ List<Privilege> allPrivileges =
Arrays.asList(getPrivilegeManager(root).getRegisteredPrivileges());
+ for (Privilege privilege : allPrivileges) {
+ Privilege p = acMgr.privilegeFromName(privilege.getName());
+ assertEquals(privilege, p);
+ }
+ }
+
@Test
public void testPrivilegeFromExpandedName() throws Exception {
Privilege readPriv =
getPrivilegeManager(root).getPrivilege(PrivilegeConstants.JCR_READ);
assertEquals(readPriv, acMgr.privilegeFromName(Privilege.JCR_READ));
}
+ @Test
+ public void testPrivilegeFromInvalidName() throws Exception {
+ List<String> invalid = new ArrayList<String>();
+ invalid.add(null);
+ invalid.add("");
+ invalid.add("test:read");
+
+ for (String privilegeName : invalid) {
+ try {
+ acMgr.privilegeFromName(privilegeName);
+ fail("Invalid privilege name " + privilegeName);
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ }
+
+ @Test
+ public void testPrivilegeFromUnknownName() throws Exception {
+ List<String> invalid = new ArrayList<String>();
+ invalid.add("unknownPrivilege");
+ invalid.add('{' + NamespaceRegistry.NAMESPACE_JCR + "}unknown");
+
+ for (String privilegeName : invalid) {
+ try {
+ acMgr.privilegeFromName(privilegeName);
+ fail("Invalid privilege name " + privilegeName);
+ } catch (AccessControlException e) {
+ // success
+ }
+ }
+ }
+
//------------------------------------------------------< hasPrivileges
>---
@Test
+ public void testHasNullPrivileges() throws Exception {
+ assertTrue(acMgr.hasPrivileges(testPath, null));
+ }
+
+ @Test
+ public void testHasEmptyPrivileges() throws Exception {
+ assertTrue(acMgr.hasPrivileges(testPath, new Privilege[0]));
+ }
+
+ @Test(expected = PathNotFoundException.class)
+ public void testHasPrivilegesForPropertyPath() throws Exception {
+ String propertyPath = "/jcr:primaryType";
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+
+ acMgr.hasPrivileges(propertyPath, privs);
+ }
+
+ @Test(expected = PathNotFoundException.class)
+ public void testHasPrivilegesForPropertyPathSessionPrincipals() throws
Exception {
+ String propertyPath = "/jcr:primaryType";
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+
+ acMgr.hasPrivileges(propertyPath, getPrincipals(adminSession), privs);
+ }
+
+ @Test
+ public void testHasPrivilegesNonExistingNodePath() throws Exception {
+ String nonExistingPath = "/not/existing";
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+ try {
+ acMgr.hasPrivileges(nonExistingPath, privs);
+ fail("AccessControlManager#hasPrivileges for node that doesn't
exist should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ try {
+ acMgr.hasPrivileges(nonExistingPath, getPrincipals(adminSession),
privs);
+ fail("AccessControlManager#hasPrivileges for node that doesn't
exist should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ try {
+ acMgr.hasPrivileges(nonExistingPath, getEveryonePrincipalSet(),
privs);
+ fail("AccessControlManager#hasPrivileges for node that doesn't
exist should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ try {
+ acMgr.hasPrivileges(nonExistingPath, ImmutableSet.<Principal>of(),
privs);
+ fail("AccessControlManager#hasPrivileges for node that doesn't
exist should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testHasPrivilegesInvalidPaths() throws Exception {
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+ for (String path : getInvalidPaths()) {
+ try {
+ acMgr.hasPrivileges(path, privs);
+ fail("AccessControlManager#hasPrivileges for node that doesn't
exist should fail.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ for (String path : getInvalidPaths()) {
+ try {
+ acMgr.hasPrivileges(path, getPrincipals(adminSession), privs);
+ fail("AccessControlManager#hasPrivileges for node that doesn't
exist should fail.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ for (String path : getInvalidPaths()) {
+ try {
+ acMgr.hasPrivileges(path,
ImmutableSet.<Principal>of(EveryonePrincipal.getInstance()), privs);
+ fail("AccessControlManager#hasPrivileges for node that doesn't
exist should fail.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ }
+
+ @Test
+ public void testHasPrivilegesAccessControlledNodePath() throws Exception {
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+ for (String path : getAcContentPaths()) {
+ assertTrue(acMgr.hasPrivileges(path, privs));
+ assertTrue(acMgr.hasPrivileges(path, getPrincipals(adminSession),
privs));
+ assertFalse(acMgr.hasPrivileges(path,
ImmutableSet.<Principal>of(EveryonePrincipal.getInstance()), privs));
+ }
+ }
+
+ /**
+ * @since OAK 1.0 As of OAK AccessControlManager#hasPrivilege will throw
+ * PathNotFoundException in case the node associated with a given path is
+ * not readable to the editing session (compatibility with the
specification
+ * which was missing in jackrabbit).
+ */
+ @Test
+ public void testHasPrivilegesNotAccessiblePath() throws Exception {
+ List<String> notAccessible = new ArrayList();
+ notAccessible.add("/");
+ notAccessible.addAll(getAcContentPaths());
+
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+ AbstractAccessControlManager testAcMgr = getTestAccessControlManager();
+ for (String path : notAccessible) {
+ try {
+ testAcMgr.hasPrivileges(path, privs);
+ fail("AccessControlManager#hasPrivileges for node that is not
accessible should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+ for (String path : notAccessible) {
+ try {
+ testAcMgr.hasPrivileges(path,
getPrincipals(root.getContentSession()), privs);
+ fail("AccessControlManager#hasPrivileges for node that is not
accessible should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+ for (String path : notAccessible) {
+ try {
+ testAcMgr.hasPrivileges(path,
getPrincipals(getTestRoot().getContentSession()), privs);
+ fail("AccessControlManager#hasPrivileges for node that is not
accessible should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+ for (String path : notAccessible) {
+ try {
+ testAcMgr.hasPrivileges(path, ImmutableSet.<Principal>of(),
privs);
+ fail("AccessControlManager#hasPrivileges for node that is not
accessible should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+ }
+
+ @Test
+ public void testHasRepoPrivileges() throws Exception {
+ assertTrue(acMgr.hasPrivileges(null,
privilegesFromNames(PrivilegeConstants.JCR_ALL)));
+ assertTrue(acMgr.hasPrivileges(null, getPrincipals(adminSession),
privilegesFromNames(PrivilegeConstants.JCR_ALL)));
+ }
+
+ @Test
+ public void testHasRepoPrivilegesEmptyPrincipalSet() throws Exception {
+ assertFalse(acMgr.hasPrivileges(null, ImmutableSet.<Principal>of(),
privilegesFromNames(PrivilegeConstants.JCR_ALL)));
+ }
+
+ @Test
+ public void testTestSessionHasRepoPrivileges() throws Exception {
+ AbstractAccessControlManager testAcMgr = getTestAccessControlManager();
+
+ assertFalse(testAcMgr.hasPrivileges(null, testPrivileges));
+ assertFalse(testAcMgr.hasPrivileges(null,
getPrincipals(getTestRoot().getContentSession()), testPrivileges));
+ }
+
+ @Test
+ public void testHasRepoPrivilegesNoAccessToPrincipals() throws Exception {
+ AbstractAccessControlManager testAcMgr = getTestAccessControlManager();
+ // the test-session doesn't have sufficient permissions to read
privilege set for admin session.
+ try {
+ testAcMgr.getPrivileges(null, getPrincipals(adminSession));
+ fail("testSession doesn't have sufficient permission to read
access control information");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ @Test(expected = AccessDeniedException.class)
+ public void testHasRepoPrivilegesForEmptyPrincipalSet() throws Exception {
+ AbstractAccessControlManager testAcMgr = getTestAccessControlManager();
+ // the test-session doesn't have sufficient permissions to read
privilege set.
+ testAcMgr.getPrivileges(null, ImmutableSet.<Principal>of());
+ }
+
+ @Test
public void testTestSessionHasPrivileges() throws Exception {
setupPolicy(testPath);
root.commit();
@@ -304,22 +635,195 @@ public class AccessControlManagerImplTes
}
}
- @Test
+ @Test(expected = AccessDeniedException.class)
public void testTestSessionHasPrivilegesForPrincipals() throws Exception {
setupPolicy(testPath);
root.commit();
AccessControlManagerImpl testAcMgr = getTestAccessControlManager();
// but for 'admin' the test-session doesn't have sufficient privileges
+ testAcMgr.getPrivileges(testPath, getPrincipals(adminSession));
+ }
+
+ //------------------------------------------------------< getPrivileges
>---
+ @Test
+ public void testGetPrivilegesForPropertyPath() throws Exception {
+ String propertyPath = "/jcr:primaryType";
try {
- testAcMgr.getPrivileges(testPath, getPrincipals(adminSession));
- fail("testSession doesn't have sufficient permission to read
access control information at testPath");
- } catch (AccessDeniedException e) {
+ acMgr.getPrivileges(propertyPath);
+ fail("AccessControlManager#getPrivileges for property should
fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+
+ try {
+ acMgr.getPrivileges(propertyPath,
Collections.singleton(testPrincipal));
+ fail("AccessControlManager#getPrivileges for property should
fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+
+ try {
+ acMgr.getPrivileges(propertyPath, getPrincipals(adminSession));
+ fail("AccessControlManager#getPrivileges for property should
fail.");
+ } catch (PathNotFoundException e) {
// success
}
}
- //------------------------------------------------------< getPrivileges
>---
+ @Test
+ public void testGetPrivilegesNonExistingNodePath() throws Exception {
+ String nonExistingPath = "/not/existing";
+ try {
+ acMgr.getPrivileges(nonExistingPath);
+ fail("AccessControlManager#getPrivileges for node that doesn't
exist should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+
+ try {
+ acMgr.getPrivileges(nonExistingPath, getPrincipals(adminSession));
+ fail("AccessControlManager#getPrivileges for node that doesn't
exist should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+
+ try {
+ acMgr.getPrivileges(nonExistingPath,
Collections.singleton(testPrincipal));
+ fail("AccessControlManager#getPrivileges for node that doesn't
exist should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+
+ try {
+ acMgr.getPrivileges(nonExistingPath, ImmutableSet.<Principal>of());
+ fail("AccessControlManager#getPrivileges for node that doesn't
exist should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesInvalidPaths() throws Exception {
+ for (String path : getInvalidPaths()) {
+ try {
+ acMgr.getPrivileges(path);
+ fail("AccessControlManager#getPrivileges for node that
doesn't exist should fail.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+
+ for (String path : getInvalidPaths()) {
+ try {
+ acMgr.getPrivileges(path, getPrincipals(adminSession));
+ fail("AccessControlManager#getPrivileges for node that
doesn't exist should fail.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+
+ for (String path : getInvalidPaths()) {
+ try {
+ acMgr.getPrivileges(path,
Collections.singleton(testPrincipal));
+ fail("AccessControlManager#getPrivileges for node that
doesn't exist should fail.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+
+ for (String path : getInvalidPaths()) {
+ try {
+ acMgr.getPrivileges(path, ImmutableSet.<Principal>of());
+ fail("AccessControlManager#getPrivileges for node that
doesn't exist should fail.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ }
+
+ /**
+ * @since OAK 1.0 As of OAK AccessControlManager#hasPrivilege will throw
+ * PathNotFoundException in case the node associated with a given path is
+ * not readable to the editing session.
+ */
+ @Test
+ public void testGetPrivilegesNotAccessiblePath() throws Exception {
+ List<String> notAccessible = new ArrayList();
+ notAccessible.add("/");
+ notAccessible.addAll(getAcContentPaths());
+
+ for (String path : notAccessible) {
+ try {
+ getTestAccessControlManager().getPrivileges(path);
+ fail("AccessControlManager#getPrivileges for node that is not
accessible should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+
+ for (String path : notAccessible) {
+ try {
+ getTestAccessControlManager().getPrivileges(path,
getPrincipals(adminSession));
+ fail("AccessControlManager#getPrivileges for node that is not
accessible should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+
+ for (String path : notAccessible) {
+ try {
+ getTestAccessControlManager().getPrivileges(path,
Collections.singleton(testPrincipal));
+ fail("AccessControlManager#getPrivileges for node that is not
accessible should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+
+ }
+
+ @Test
+ public void testGetPrivilegesAccessControlledNodePath() throws Exception {
+ Privilege[] expected = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+ for (String path : getAcContentPaths()) {
+ assertArrayEquals(expected, acMgr.getPrivileges(path));
+ assertArrayEquals(expected, acMgr.getPrivileges(path,
getPrincipals(adminSession)));
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesForPrincipalsAccessControlledNodePath()
throws Exception {
+ Set<Principal> testPrincipals = ImmutableSet.of(testPrincipal);
+ Privilege[] expected = new Privilege[0];
+ for (String path : getAcContentPaths()) {
+ assertArrayEquals(expected, acMgr.getPrivileges(path,
testPrincipals));
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesForNoPrincipalsAccessControlledNodePath()
throws Exception {
+ Privilege[] expected = new Privilege[0];
+ for (String path : getAcContentPaths()) {
+ assertArrayEquals(expected, acMgr.getPrivileges(path,
ImmutableSet.<Principal>of()));
+ }
+ }
+
+ @Test
+ public void testGetRepoPrivileges() throws Exception {
+ assertArrayEquals(privilegesFromNames(PrivilegeConstants.JCR_ALL),
acMgr.getPrivileges(null));
+ assertArrayEquals(privilegesFromNames(PrivilegeConstants.JCR_ALL),
acMgr.getPrivileges(null, getPrincipals(adminSession)));
+ }
+
+ @Test
+ public void testGetRepoPrivilegesEveryonePrincipalSet() throws Exception {
+ assertArrayEquals(new Privilege[0], acMgr.getPrivileges(null,
getEveryonePrincipalSet()));
+ }
+
+ @Test
+ public void testGetRepoPrivilegesEmptyPrincipalSet() throws Exception {
+ assertArrayEquals(new Privilege[0], acMgr.getPrivileges(null,
ImmutableSet.<Principal>of()));
+ }
+
@Test
public void testTestSessionGetPrivileges() throws Exception {
setupPolicy(testPath);
@@ -930,7 +1434,7 @@ public class AccessControlManagerImplTes
@Test
public void testSetInvalidPolicy() throws Exception {
try {
- acMgr.setPolicy(testPath, new TestACL(testPath,
getRestrictionProvider()));
+ acMgr.setPolicy(testPath, new TestACL(testPath,
getRestrictionProvider(), getNamePathMapper()));
fail("Setting invalid policy must fail");
} catch (AccessControlException e) {
// success
@@ -938,7 +1442,7 @@ public class AccessControlManagerImplTes
ACL acl = setupPolicy(testPath);
try {
- acMgr.setPolicy(testPath, new TestACL(testPath,
getRestrictionProvider()));
+ acMgr.setPolicy(testPath, new TestACL(testPath,
getRestrictionProvider(), getNamePathMapper()));
fail("Setting invalid policy must fail");
} catch (AccessControlException e) {
// success
@@ -1071,12 +1575,7 @@ public class AccessControlManagerImplTes
assertEquals(4, acl.getAccessControlEntries().length);
Iterable<Tree> aceTrees =
root.getTree(testPath).getChild(AccessControlConstants.REP_POLICY).getChildren();
- String[] aceNodeNames =
Iterables.toArray(Iterables.transform(aceTrees, new Function<Tree, String>() {
- @Override
- public String apply(Tree aceTree) {
- return aceTree.getName();
- }
- }), String.class);
+ String[] aceNodeNames =
Iterables.toArray(Iterables.transform(aceTrees, aceTree -> aceTree.getName()),
String.class);
assertArrayEquals(new String[]{"allow", "allow1", "deny2", "deny3"},
aceNodeNames);
}
@@ -1105,7 +1604,7 @@ public class AccessControlManagerImplTes
public void testRemoveInvalidPolicy() throws Exception {
ACL acl = setupPolicy(testPath);
try {
- acMgr.removePolicy(testPath, new TestACL(testPath,
getRestrictionProvider()));
+ acMgr.removePolicy(testPath, new TestACL(testPath,
getRestrictionProvider(), getNamePathMapper()));
fail("Invalid policy -> removal must fail");
} catch (AccessControlException e) {
// success
@@ -1411,7 +1910,7 @@ public class AccessControlManagerImplTes
// no ACLs containing entries for the specified principals
// -> no effective policies expected
Set<Set<Principal>> principalSets = new HashSet<Set<Principal>>();
- principalSets.add(Collections.singleton(getTestPrincipal()));
+ principalSets.add(Collections.singleton(testPrincipal));
principalSets.add(Collections.<Principal>singleton(EveryonePrincipal.getInstance()));
principalSets.add(ImmutableSet.of(testPrincipal,
EveryonePrincipal.getInstance()));
@@ -1434,7 +1933,7 @@ public class AccessControlManagerImplTes
for (Set<Principal> principals : principalSets) {
AccessControlPolicy[] policies =
acMgr.getEffectivePolicies(principals);
assertNotNull(policies);
- if (principals.contains(getTestPrincipal())) {
+ if (principals.contains(testPrincipal)) {
assertEquals(1, policies.length);
} else {
assertEquals(0, policies.length);
@@ -1448,7 +1947,7 @@ public class AccessControlManagerImplTes
for (Set<Principal> principals : principalSets) {
AccessControlPolicy[] policies =
acMgr.getEffectivePolicies(principals);
assertNotNull(policies);
- if (principals.contains(getTestPrincipal())) {
+ if (principals.contains(testPrincipal)) {
assertEquals(1, policies.length);
} else {
assertEquals(0, policies.length);
@@ -1460,7 +1959,7 @@ public class AccessControlManagerImplTes
for (Set<Principal> principals : principalSets) {
AccessControlPolicy[] policies =
acMgr.getEffectivePolicies(principals);
assertNotNull(policies);
- if (principals.contains(getTestPrincipal())) {
+ if (principals.contains(testPrincipal)) {
assertEquals(2, policies.length);
} else {
assertEquals(0, policies.length);
@@ -1586,7 +2085,7 @@ public class AccessControlManagerImplTes
testRoot.refresh();
JackrabbitAccessControlManager testAcMgr =
getTestAccessControlManager();
- AccessControlPolicy[] effective =
testAcMgr.getEffectivePolicies(Collections.singleton(getTestPrincipal()));
+ AccessControlPolicy[] effective =
testAcMgr.getEffectivePolicies(Collections.singleton(testPrincipal));
assertNotNull(effective);
assertEquals(2, effective.length);
}
@@ -1611,7 +2110,7 @@ public class AccessControlManagerImplTes
testRoot.refresh();
JackrabbitAccessControlManager testAcMgr =
getTestAccessControlManager();
- AccessControlPolicy[] effective =
testAcMgr.getEffectivePolicies(Collections.singleton(getTestPrincipal()));
+ AccessControlPolicy[] effective =
testAcMgr.getEffectivePolicies(Collections.singleton(testPrincipal));
assertNotNull(effective);
assertEquals(1, effective.length);
}
@@ -1633,7 +2132,7 @@ public class AccessControlManagerImplTes
testRoot.refresh();
JackrabbitAccessControlManager testAcMgr =
getTestAccessControlManager();
- AccessControlPolicy[] effective =
testAcMgr.getEffectivePolicies(Collections.singleton(getTestPrincipal()));
+ AccessControlPolicy[] effective =
testAcMgr.getEffectivePolicies(Collections.singleton(testPrincipal));
assertNotNull(effective);
assertEquals(1, effective.length);
}
@@ -1656,7 +2155,7 @@ public class AccessControlManagerImplTes
testRoot.refresh();
JackrabbitAccessControlManager testAcMgr =
getTestAccessControlManager();
- Set<Principal> principals = ImmutableSet.of(getTestPrincipal(),
EveryonePrincipal.getInstance());
+ Set<Principal> principals = ImmutableSet.of(testPrincipal,
EveryonePrincipal.getInstance());
AccessControlPolicy[] policies =
testAcMgr.getEffectivePolicies(principals);
assertNotNull(policies);
assertEquals(2, policies.length);
@@ -1675,7 +2174,7 @@ public class AccessControlManagerImplTes
// create policy on testPath -> but deny access to test session
JackrabbitAccessControlList acl = getApplicablePolicy(testPath);
- acl.addEntry(getTestPrincipal(), privs, false);
+ acl.addEntry(testPrincipal, privs, false);
acMgr.setPolicy(testPath, acl);
// grant access at childpath
@@ -1686,7 +2185,7 @@ public class AccessControlManagerImplTes
testRoot.refresh();
JackrabbitAccessControlManager testAcMgr =
getTestAccessControlManager();
- Set<Principal> principals = ImmutableSet.of(getTestPrincipal(),
EveryonePrincipal.getInstance());
+ Set<Principal> principals = ImmutableSet.of(testPrincipal,
EveryonePrincipal.getInstance());
AccessControlPolicy[] policies =
testAcMgr.getEffectivePolicies(principals);
assertNotNull(policies);
assertEquals(1, policies.length);
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorTest.java?rev=1792852&r1=1792851&r2=1792852&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorTest.java
Thu Apr 27 08:53:56 2017
@@ -28,13 +28,13 @@ import org.apache.jackrabbit.JcrConstant
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.memory.MemoryNodeStore;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.Validator;
-import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlTest;
import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
@@ -52,7 +52,7 @@ import static org.junit.Assert.assertTha
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
-public class AccessControlValidatorTest extends AbstractAccessControlTest
implements AccessControlConstants {
+public class AccessControlValidatorTest extends AbstractSecurityTest
implements AccessControlConstants {
private final String testName = "testRoot";
private final String testPath = '/' + testName;
@@ -69,7 +69,7 @@ public class AccessControlValidatorTest
root.commit();
- testPrincipal = getTestPrincipal();
+ testPrincipal = getTestUser().getPrincipal();
}
@After
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/EntryTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/EntryTest.java?rev=1792852&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/EntryTest.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/EntryTest.java
Thu Apr 27 08:53:56 2017
@@ -0,0 +1,604 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
+import javax.jcr.ValueFormatException;
+import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.Privilege;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
+import
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
+import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
+import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class EntryTest extends AbstractAccessControlTest {
+
+ private AccessControlManager acMgr;
+
+ private Value globValue;
+ private Value[] nameValues;
+ private Value nameValue;
+
+ @Override
+ @Before
+ public void before() throws Exception {
+ super.before();
+
+ acMgr = getAccessControlManager(root);
+ testPrincipal = new Principal() {
+ public String getName() {
+ return "TestPrincipal";
+ }
+ };
+ ValueFactory valueFactory = getValueFactory(root);
+ globValue = valueFactory.createValue("*");
+ nameValue = valueFactory.createValue("nt:file", PropertyType.NAME);
+ nameValues = new Value[] {
+ valueFactory.createValue("nt:folder", PropertyType.NAME),
+ valueFactory.createValue("nt:file", PropertyType.NAME)
+ };
+ }
+
+ private ACE createEntry(String... privilegeNames)
+ throws RepositoryException {
+ return createEntry(testPrincipal, true, null, privilegeNames);
+ }
+
+ private ACE createEntry(String[] privilegeNames, boolean isAllow)
+ throws RepositoryException {
+ return createEntry(testPrincipal, isAllow, null, privilegeNames);
+ }
+
+ private ACE createEntry(Set<Restriction> restrictions) throws Exception {
+ return createEntry(testPrincipal, true, restrictions,
PrivilegeConstants.JCR_READ);
+ }
+
+ private Restriction createRestriction(String name, Value value) throws
Exception {
+ return getRestrictionProvider().createRestriction("/a/b/c", name,
value);
+ }
+
+ private Restriction createRestriction(String name, Value[] values) throws
Exception {
+ return getRestrictionProvider().createRestriction("/a/b/c", name,
values);
+ }
+
+ @Test
+ public void testIsAllow() throws RepositoryException {
+ ACE ace = createEntry(new String[]{PrivilegeConstants.JCR_READ}, true);
+ assertTrue(ace.isAllow());
+
+ ace = createEntry(new String[]{PrivilegeConstants.JCR_READ}, false);
+ assertFalse(ace.isAllow());
+ }
+
+ @Test
+ public void testGetPrincipal() throws RepositoryException {
+ ACE tmpl = createEntry(new String[]{PrivilegeConstants.JCR_READ},
true);
+ assertNotNull(tmpl.getPrincipal());
+ assertEquals(testPrincipal.getName(), tmpl.getPrincipal().getName());
+ assertSame(testPrincipal, tmpl.getPrincipal());
+ }
+
+ @Test
+ public void testNullPrincipal() throws Exception {
+ try {
+ Privilege[] privs = new Privilege[]{
+ acMgr.privilegeFromName(PrivilegeConstants.JCR_ALL)
+ };
+ createEntry(null, privs, true);
+ fail("Principal must not be null");
+ } catch (AccessControlException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testGetPrivileges() throws RepositoryException {
+ ACE entry = createEntry(new String[]{PrivilegeConstants.JCR_READ},
true);
+
+ Privilege[] privs = entry.getPrivileges();
+ assertNotNull(privs);
+ assertEquals(1, privs.length);
+ assertEquals(privs[0],
acMgr.privilegeFromName(PrivilegeConstants.JCR_READ));
+
+ entry = createEntry(new String[]{PrivilegeConstants.REP_WRITE}, true);
+ privs = entry.getPrivileges();
+ assertNotNull(privs);
+ assertEquals(1, privs.length);
+ assertEquals(privs[0],
acMgr.privilegeFromName(PrivilegeConstants.REP_WRITE));
+
+ entry = createEntry(new
String[]{PrivilegeConstants.JCR_ADD_CHILD_NODES,
+ PrivilegeConstants.JCR_REMOVE_CHILD_NODES}, true);
+ privs = entry.getPrivileges();
+ assertNotNull(privs);
+ assertEquals(2, privs.length);
+
+ Privilege[] expected = AccessControlUtils.privilegesFromNames(acMgr,
+ PrivilegeConstants.JCR_ADD_CHILD_NODES,
+ PrivilegeConstants.JCR_REMOVE_CHILD_NODES);
+ assertEquals(ImmutableSet.copyOf(expected),
ImmutableSet.copyOf(privs));
+ }
+
+ @Test
+ public void testGetPrivilegeBits() throws RepositoryException {
+ ACE entry = createEntry(new String[]{PrivilegeConstants.JCR_READ},
true);
+
+ PrivilegeBits bits = entry.getPrivilegeBits();
+ assertNotNull(bits);
+ assertEquals(bits,
getBitsProvider().getBits(PrivilegeConstants.JCR_READ));
+
+ entry = createEntry(new String[]{PrivilegeConstants.REP_WRITE}, true);
+ bits = entry.getPrivilegeBits();
+ assertNotNull(bits);
+ assertEquals(bits,
getBitsProvider().getBits(PrivilegeConstants.REP_WRITE));
+
+ entry = createEntry(new
String[]{PrivilegeConstants.JCR_ADD_CHILD_NODES,
+ PrivilegeConstants.JCR_REMOVE_CHILD_NODES}, true);
+ bits = entry.getPrivilegeBits();
+ assertNotNull(bits);
+
+ PrivilegeBits expected = getBitsProvider().getBits(
+ PrivilegeConstants.JCR_ADD_CHILD_NODES,
+ PrivilegeConstants.JCR_REMOVE_CHILD_NODES);
+ assertEquals(expected, bits);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testNullPrivileges() throws Exception {
+ new EmptyACE(null);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testEmptyPrivileges() throws Exception {
+ new EmptyACE(PrivilegeBits.EMPTY);
+ }
+
+ @Test
+ public void testRedundantPrivileges() throws Exception {
+ ACE ace = createEntry(PrivilegeConstants.JCR_READ,
PrivilegeConstants.JCR_READ);
+ assertEquals(getBitsProvider().getBits(PrivilegeConstants.JCR_READ),
ace.getPrivilegeBits());
+ }
+
+ /**
+ * @since oak 1.0 ACE doesn't validate privileges.
+ */
+ @Test
+ public void testUnknownPrivilege() throws Exception {
+ Privilege invalidPriv = new Privilege() {
+ public String getName() {
+ return "";
+ }
+
+ public boolean isAbstract() {
+ return false;
+ }
+
+ public boolean isAggregate() {
+ return false;
+ }
+
+ public Privilege[] getDeclaredAggregatePrivileges() {
+ return new Privilege[0];
+ }
+
+ public Privilege[] getAggregatePrivileges() {
+ return new Privilege[0];
+ }
+ };
+ Privilege[] privs = new Privilege[]{invalidPriv,
acMgr.privilegeFromName(PrivilegeConstants.JCR_READ)};
+ ACE entry = createEntry(testPrincipal, privs, true);
+ assertEquals(getBitsProvider().getBits(PrivilegeConstants.JCR_READ),
entry.getPrivilegeBits());
+ }
+
+ @Test
+ public void testAggregatePrivileges() throws Exception {
+ ACE ace = createEntry(PrivilegeConstants.REP_READ_NODES,
PrivilegeConstants.REP_READ_PROPERTIES);
+
+ assertEquals(getBitsProvider().getBits(PrivilegeConstants.JCR_READ),
ace.getPrivilegeBits());
+ assertArrayEquals(privilegesFromNames(PrivilegeConstants.JCR_READ),
ace.getPrivileges());
+ }
+
+ @Test
+ public void testGetRestrictionNames() throws Exception {
+ // empty restrictions
+ String[] restrictionNames =
createEntry(Collections.<Restriction>emptySet()).getRestrictionNames();
+ assertNotNull(restrictionNames);
+ assertEquals(0, restrictionNames.length);
+
+ Restriction globRestr =
createRestriction(AccessControlConstants.REP_GLOB, globValue);
+ Restriction nameRestr =
createRestriction(AccessControlConstants.REP_NT_NAMES, nameValues);
+
+ // single restriction
+ restrictionNames =
createEntry(ImmutableSet.of(globRestr)).getRestrictionNames();
+ assertEquals(1, restrictionNames.length);
+
+ // 2 restrictions
+ restrictionNames = createEntry(ImmutableSet.of(globRestr,
nameRestr)).getRestrictionNames();
+ assertEquals(2, restrictionNames.length);
+ }
+
+ @Test
+ public void testGetRestrictionForEmpty() throws Exception {
+ // empty restrictions
+ Value val =
createEntry(Collections.<Restriction>emptySet()).getRestriction(AccessControlConstants.REP_GLOB);
+ assertNull(val);
+ }
+
+ @Test
+ public void testGetNonExistingRestriction() throws Exception {
+ // single valued restriction
+ Restriction globRestr =
createRestriction(AccessControlConstants.REP_GLOB, globValue);
+ ACE ace = createEntry(ImmutableSet.of(globRestr));
+ assertNull(ace.getRestriction(AccessControlConstants.REP_NT_NAMES));
+ }
+
+ @Test
+ public void testGetRestrictionForSingleValued() throws Exception {
+ // single valued restriction
+ Restriction globRestr =
createRestriction(AccessControlConstants.REP_GLOB, globValue);
+ ACE ace = createEntry(ImmutableSet.of(globRestr));
+ Value val = ace.getRestriction(AccessControlConstants.REP_GLOB);
+ assertNotNull(val);
+ assertEquals(globValue, val);
+ }
+
+ /**
+ * @since OAK 1.0: support for multi-value restrictions
+ */
+ @Test(expected = ValueFormatException.class)
+ public void testGetRestrictionForMultiValued() throws Exception {
+ // multivalued restriction
+ Restriction nameRestr =
createRestriction(AccessControlConstants.REP_NT_NAMES, nameValues);
+ ACE ace = createEntry(ImmutableSet.of(nameRestr));
+
+ ace.getRestriction(AccessControlConstants.REP_NT_NAMES);
+ }
+
+ /**
+ * @since OAK 1.0: support for multi-value restrictions
+ */
+ @Test
+ public void testGetRestrictionForMultiValued2() throws Exception {
+ // single value restriction stored in multi-value property
+ Restriction singleNameRestr =
createRestriction(AccessControlConstants.REP_NT_NAMES, new Value[] {nameValue});
+
+ ACE ace = createEntry(ImmutableSet.of(singleNameRestr));
+ Value val = ace.getRestriction(AccessControlConstants.REP_NT_NAMES);
+ assertEquals(nameValue, val);
+ }
+
+ /**
+ * @since OAK 1.0: support for multi-value restrictions
+ */
+ @Test
+ public void testGetEmptyRestrictions() throws Exception {
+ // empty restrictions
+ Value[] vs =
createEntry(Collections.<Restriction>emptySet()).getRestrictions(AccessControlConstants.REP_GLOB);
+ assertNull(vs);
+ }
+
+ /**
+ * @since OAK 1.0: support for multi-value restrictions
+ */
+ @Test
+ public void testGetNonExistingRestrictions() throws Exception {
+ Restriction nameRestr =
createRestriction(AccessControlConstants.REP_NT_NAMES, nameValues);
+ ACE ace = createEntry(ImmutableSet.of(nameRestr));
+ assertNull(ace.getRestrictions(AccessControlConstants.REP_GLOB));
+ }
+
+ /**
+ * @since OAK 1.0: support for multi-value restrictions
+ */
+ @Test
+ public void testGetRestrictionsForSingleValue() throws Exception {
+ // single valued restriction
+ Restriction globRestr =
createRestriction(AccessControlConstants.REP_GLOB, globValue);
+ ACE ace = createEntry(ImmutableSet.of(globRestr));
+ Value[] vs = ace.getRestrictions(AccessControlConstants.REP_GLOB);
+ assertNotNull(vs);
+ assertArrayEquals(new Value[]{globValue}, vs);
+ }
+
+ /**
+ * @since OAK 1.0: support for multi-value restrictions
+ */
+ @Test
+ public void testGetRestrictionsForMultiValued() throws Exception {
+ // multivalued restriction
+ Restriction nameRestr =
createRestriction(AccessControlConstants.REP_NT_NAMES, nameValues);
+ ACE ace = createEntry(ImmutableSet.of(nameRestr));
+ Value[] vs = ace.getRestrictions(AccessControlConstants.REP_NT_NAMES);
+ assertEquals(2, vs.length);
+ assertArrayEquals(nameValues, vs);
+ }
+
+ /**
+ * @since OAK 1.0: support for multi-value restrictions
+ */
+ @Test
+ public void testGetRestrictionsForMultiValued2() throws Exception {
+ // single value restriction stored in multi-value property
+ Restriction singleNameRestr =
createRestriction(AccessControlConstants.REP_NT_NAMES, new Value[]{nameValue});
+ ACE ace = createEntry(ImmutableSet.of(singleNameRestr));
+ Value[] vs = ace.getRestrictions(AccessControlConstants.REP_NT_NAMES);
+ assertEquals(1, vs.length);
+ assertEquals(nameValue, vs[0]);
+ }
+
+ @Test
+ public void testGetRestrictions() throws Exception {
+ Restriction nameRestr =
createRestriction(AccessControlConstants.REP_NT_NAMES, nameValues);
+ Restriction globRestr =
createRestriction(AccessControlConstants.REP_GLOB, globValue);
+
+ Set<Restriction> expected = ImmutableSet.of(nameRestr, globRestr);
+ ACE ace = createEntry(expected);
+
+ assertEquals(expected, ace.getRestrictions());
+ }
+
+ @Test
+ public void testGetRestrictionsNone() throws Exception {
+ ACE ace = createEntry(ImmutableSet.<Restriction>of());
+
+ assertTrue(ace.getRestrictions().isEmpty());
+ }
+
+ @Test
+ public void testEquals() throws RepositoryException {
+
+ Map<AccessControlEntry, AccessControlEntry> equalAces = new
HashMap<AccessControlEntry, AccessControlEntry>();
+
+ ACE ace = createEntry(PrivilegeConstants.JCR_ALL);
+ // create same entry again
+ equalAces.put(ace, createEntry(PrivilegeConstants.JCR_ALL));
+
+ // create entry with declared aggregate privileges
+ Privilege[] declaredAllPrivs =
acMgr.privilegeFromName(PrivilegeConstants.JCR_ALL).getDeclaredAggregatePrivileges();
+ equalAces.put(ace, createEntry(testPrincipal, declaredAllPrivs, true));
+
+ // create entry with aggregate privileges
+ Privilege[] aggregateAllPrivs =
acMgr.privilegeFromName(PrivilegeConstants.JCR_ALL).getAggregatePrivileges();
+ equalAces.put(ace, createEntry(testPrincipal, aggregateAllPrivs,
true));
+
+ // create entry with different privilege order
+ List<Privilege> reordered = new
ArrayList<Privilege>(Arrays.asList(aggregateAllPrivs));
+ reordered.add(reordered.remove(0));
+ equalAces.put(createEntry(testPrincipal, reordered.toArray(new
Privilege[reordered.size()]), true),
+ createEntry(testPrincipal, aggregateAllPrivs, true));
+
+ // even if entries are build with aggregated or declared aggregate
privileges
+ equalAces.put(createEntry(testPrincipal, declaredAllPrivs, true),
+ createEntry(testPrincipal, aggregateAllPrivs, true));
+
+ for (AccessControlEntry entry : equalAces.keySet()) {
+ assertEquals(entry, equalAces.get(entry));
+ }
+ }
+
+ @Test
+ public void testEquals2() throws RepositoryException {
+ ACE ace = createEntry(PrivilegeConstants.JCR_ADD_CHILD_NODES,
PrivilegeConstants.JCR_READ);
+ // priv array contains duplicates
+ ACE ace2 = createEntry(PrivilegeConstants.JCR_ADD_CHILD_NODES,
PrivilegeConstants.JCR_ADD_CHILD_NODES, PrivilegeConstants.JCR_READ);
+
+ assertEquals(ace, ace2);
+ }
+
+ @Test
+ public void testNotEquals() throws RepositoryException {
+ ACE ace = createEntry(new String[]{PrivilegeConstants.JCR_ALL}, true);
+ List<JackrabbitAccessControlEntry> otherAces = new
ArrayList<JackrabbitAccessControlEntry>();
+
+ try {
+ // ACE template with different principal
+ Principal princ = new Principal() {
+ public String getName() {
+ return "a name";
+ }
+ };
+ Privilege[] privs = new Privilege[]{
+ acMgr.privilegeFromName(PrivilegeConstants.JCR_ALL)
+ };
+ otherAces.add(createEntry(princ, privs, true));
+ } catch (RepositoryException e) {
+ }
+
+ // ACE template with different privileges
+ try {
+ otherAces.add(createEntry(new
String[]{PrivilegeConstants.JCR_READ}, true));
+ } catch (RepositoryException e) {
+ }
+ // ACE template with different 'allow' flag
+ try {
+ otherAces.add(createEntry(new
String[]{PrivilegeConstants.JCR_ALL}, false));
+ } catch (RepositoryException e) {
+ }
+ // ACE template with different privileges and 'allows
+ try {
+ otherAces.add(createEntry(new
String[]{PrivilegeConstants.REP_WRITE}, false));
+ } catch (RepositoryException e) {
+ }
+
+ // other ace impl
+ final Privilege[] privs = new Privilege[]{
+ acMgr.privilegeFromName(PrivilegeConstants.JCR_ALL)
+ };
+
+ JackrabbitAccessControlEntry pe = new JackrabbitAccessControlEntry() {
+ public boolean isAllow() {
+ return true;
+ }
+
+ public String[] getRestrictionNames() {
+ return new String[0];
+ }
+
+ public Value getRestriction(String restrictionName) {
+ return null;
+ }
+
+ public Value[] getRestrictions(String restrictionName) {
+ return null;
+ }
+
+ public Principal getPrincipal() {
+ return testPrincipal;
+ }
+
+ public Privilege[] getPrivileges() {
+ return privs;
+ }
+ };
+ otherAces.add(pe);
+
+ for (JackrabbitAccessControlEntry otherAce : otherAces) {
+ assertFalse(ace.equals(otherAce));
+ }
+ }
+
+ @Test
+ public void testHashCode() throws RepositoryException {
+ JackrabbitAccessControlEntry ace =
createEntry(PrivilegeConstants.JCR_ALL);
+ Privilege[] declaredAllPrivs =
acMgr.privilegeFromName(PrivilegeConstants.JCR_ALL).getDeclaredAggregatePrivileges();
+ Privilege[] aggregateAllPrivs =
acMgr.privilegeFromName(PrivilegeConstants.JCR_ALL).getAggregatePrivileges();
+ List<Privilege> l = Lists.newArrayList(aggregateAllPrivs);
+ l.add(l.remove(0));
+ Privilege[] reordered = l.toArray(new Privilege[l.size()]);
+
+ Map<AccessControlEntry, AccessControlEntry> equivalent = new
HashMap<AccessControlEntry, AccessControlEntry>();
+ // create same entry again
+ equivalent.put(ace, createEntry(PrivilegeConstants.JCR_ALL));
+ // create entry with duplicate privs
+ equivalent.put(ace, createEntry(PrivilegeConstants.JCR_ALL,
PrivilegeConstants.JCR_ALL));
+ // create entry with declared aggregate privileges
+ equivalent.put(ace, createEntry(testPrincipal, declaredAllPrivs,
true));
+ // create entry with aggregate privileges
+ equivalent.put(ace, createEntry(testPrincipal, aggregateAllPrivs,
true));
+ // create entry with different privilege order
+ equivalent.put(ace, createEntry(testPrincipal, reordered, true));
+ equivalent.put(createEntry(testPrincipal, declaredAllPrivs, true),
+ createEntry(testPrincipal, reordered, true));
+ // even if entries are build with aggregated or declared aggregate
privileges
+ equivalent.put(createEntry(testPrincipal, declaredAllPrivs, true),
+ createEntry(testPrincipal, aggregateAllPrivs, true));
+
+ for (AccessControlEntry entry : equivalent.keySet()) {
+ AccessControlEntry eqv = equivalent.get(entry);
+ assertEquals(entry.hashCode(), eqv.hashCode());
+ }
+ }
+
+ @Test
+ public void testHashCode2() throws Exception {
+ JackrabbitAccessControlEntry ace = createEntry(new
String[]{PrivilegeConstants.JCR_ALL}, true);
+ final Privilege[] privs =
AccessControlUtils.privilegesFromNames(acMgr, PrivilegeConstants.JCR_ALL);
+
+ // and the opposite:
+ List<JackrabbitAccessControlEntry> otherAces = new
ArrayList<JackrabbitAccessControlEntry>();
+ // ACE template with different principal
+ Principal princ = new Principal() {
+ public String getName() {
+ return "a name";
+ }
+ };
+ otherAces.add(createEntry(princ, privs, true));
+
+ // ACE template with different privileges
+ otherAces.add(createEntry(new String[]{PrivilegeConstants.JCR_READ},
true));
+
+ // ACE template with different 'allow' flag
+ otherAces.add(createEntry(new String[]{PrivilegeConstants.JCR_ALL},
false));
+
+ // ACE template with different privileges and 'allows
+ otherAces.add(createEntry(new String[]{PrivilegeConstants.REP_WRITE},
false));
+
+ // other ace impl
+ JackrabbitAccessControlEntry pe = new JackrabbitAccessControlEntry() {
+ public boolean isAllow() {
+ return true;
+ }
+
+ public String[] getRestrictionNames() {
+ return new String[0];
+ }
+
+ public Value getRestriction(String restrictionName) {
+ return null;
+ }
+
+ public Value[] getRestrictions(String restrictionName) {
+ return null;
+ }
+
+ public Principal getPrincipal() {
+ return testPrincipal;
+ }
+
+ public Privilege[] getPrivileges() {
+ return privs;
+ }
+ };
+ otherAces.add(pe);
+
+ for (JackrabbitAccessControlEntry otherAce : otherAces) {
+ assertFalse(ace.hashCode() == otherAce.hashCode());
+ }
+
+ }
+
+ private class EmptyACE extends ACE {
+
+ public EmptyACE(PrivilegeBits privilegeBits) throws
AccessControlException {
+ super(testPrincipal, privilegeBits, true, null, namePathMapper);
+ }
+
+ @Override
+ public Privilege[] getPrivileges() {
+ return new Privilege[0];
+ }
+ }
+}
\ No newline at end of file
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java?rev=1792852&r1=1792851&r2=1792852&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java
Thu Apr 27 08:53:56 2017
@@ -19,9 +19,9 @@ package org.apache.jackrabbit.oak.securi
import java.util.Set;
import javax.jcr.security.AccessControlPolicy;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
-import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlTest;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.junit.Before;
import org.junit.Test;
@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTru
*
* @since OAK 1.0
*/
-public class ReadPolicyTest extends AbstractAccessControlTest {
+public class ReadPolicyTest extends AbstractSecurityTest {
private Set<String> readPaths;
