Author: angela
Date: Wed May 3 13:56:39 2017
New Revision: 1793646
URL: http://svn.apache.org/viewvc?rev=1793646&view=rev
Log:
OAK-5947 : Allowing non-admin user to set repository permissions fails
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermission.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/RepoLevelPolicyTest.java
- copied, changed from r1792701,
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/SetRepoLevelPolicyTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermissionTest.java
Removed:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/SetRepoLevelPolicyTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1793646&r1=1793645&r2=1793646&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
Wed May 3 13:56:39 2017
@@ -44,6 +44,7 @@ import org.apache.jackrabbit.oak.plugins
import org.apache.jackrabbit.oak.plugins.version.ReadOnlyVersionManager;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.Context;
+import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
@@ -165,6 +166,8 @@ final class CompiledPermissionImpl imple
}
if (parentPermission instanceof VersionTreePermission) {
return ((VersionTreePermission)
parentPermission).createChildPermission(tree);
+ } else if (parentPermission instanceof RepoPolicyTreePermission) {
+ return
((RepoPolicyTreePermission)parentPermission).getChildPermission();
}
switch (type) {
case HIDDEN:
@@ -190,6 +193,12 @@ final class CompiledPermissionImpl imple
return new VersionTreePermission(tree,
buildVersionDelegatee(versionableTree));
}
}
+ case ACCESS_CONTROL:
+ if
(AccessControlConstants.REP_REPO_POLICY.equals(tree.getName())) {
+ return new
RepoPolicyTreePermission(getRepositoryPermission());
+ } else {
+ return new TreePermissionImpl(tree, type,
parentPermission);
+ }
case INTERNAL:
return EMPTY;
default:
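Review bot: The new ACCESS_CONTROL branch selects the repository-level evaluation by node name alone, `AccessControlConstants.REP_REPO_POLICY.equals(tree.getName())`, so an access-control tree named rep:repoPolicy anywhere below the root would also be handed to RepoPolicyTreePermission and have its permissions resolved against the repository permission instead of its path. If the access-control validator already restricts that name to a direct child of the root this is sound but deserves a one-line comment saying so; otherwise `if (AccessControlConstants.REP_REPO_POLICY.equals(tree.getName()) && tree.getParent().isRoot())` keeps the special case where it is intended (a tree with that name is never the root itself, so getParent() is safe there). The enclosing method and its switch start and end outside the hunk.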
@@ -432,6 +441,8 @@ final class CompiledPermissionImpl imple
return TreeType.DEFAULT;
} else if (parentPermission instanceof VersionTreePermission) {
return TreeType.VERSION;
+ } else if (parentPermission instanceof RepoPolicyTreePermission) {
+ return TreeType.ACCESS_CONTROL;
} else {
throw new IllegalArgumentException("Illegal TreePermission
implementation.");
}
Added:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermission.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermission.java?rev=1793646&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermission.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermission.java
Wed May 3 13:56:39 2017
@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.permission;
+
+import javax.annotation.Nonnull;
+
+import org.apache.jackrabbit.oak.api.PropertyState;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.state.NodeState;
+
+/**
+ * {@code TreePermission} implementation for the access control policy
coverying
+ * repository level permissions. In this implementation these permissions are
+ * managed in the policy tree defined at /rep:repoPolicy, which is considered
+ * protected access control content.
+ *
+ * This implementation relies on the precondition that the subtree defined by
the
+ * /rep:repoPolicy node only consists of trees of type access control.
Consequently,
+ * read access to trees and properties is granted if and only if {@link
Permissions#READ_ACCESS_CONTROL}
+ * is granted at the repo-level.
+ *
+ * For the same reason any other permissions are evaluated by checking the
+ * {@link
org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission},
+ * which apply for all items defined by this special subtree.
+ */
+final class RepoPolicyTreePermission implements TreePermission {
+
+ private RepositoryPermission repoPermission;
+ private ReadStatus readStatus;
+
+ RepoPolicyTreePermission(RepositoryPermission repoPermission) {
+ this.repoPermission = repoPermission;
+ }
+
+ TreePermission getChildPermission() {
+ return this;
+ }
+
+ //-----------------------------------------------------< TreePermission
>---
+ @Nonnull
+ @Override
+ public TreePermission getChildPermission(@Nonnull String childName,
@Nonnull NodeState childState) {
+ return getChildPermission();
+ }
+
+ @Override
+ public boolean canRead() {
+ return getReadStatus().allowsThis();
+ }
+
+ @Override
+ public boolean canRead(@Nonnull PropertyState property) {
+ return getReadStatus().allowsThis();
+ }
+
+ @Override
+ public boolean canReadAll() {
+ return getReadStatus().allowsAll();
+ }
+
+ @Override
+ public boolean canReadProperties() {
+ return getReadStatus().allowsProperties();
+ }
+
+ @Override
+ public boolean isGranted(long permissions) {
+ return repoPermission.isGranted(permissions);
+ }
+
+ @Override
+ public boolean isGranted(long permissions, @Nonnull PropertyState
property) {
+ return repoPermission.isGranted(permissions);
+ }
+
+ private ReadStatus getReadStatus() {
+ if (readStatus == null) {
+ boolean canRead =
repoPermission.isGranted(Permissions.READ_ACCESS_CONTROL);
+ readStatus = (canRead) ? ReadStatus.ALLOW_ALL :
ReadStatus.DENY_ALL;
+ }
+ return readStatus;
+ }
+}
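Review bot: `repoPermission` is assigned only in the constructor yet is not `final`, and `readStatus` is a lazily written cache with no synchronization; `private final RepositoryPermission repoPermission;` states the intent, and computing the status once in the constructor (`readStatus = repoPermission.isGranted(Permissions.READ_ACCESS_CONTROL) ? ReadStatus.ALLOW_ALL : ReadStatus.DENY_ALL;`) would let that field be final too and drop the null check, unless the evaluation is deliberately deferred. The class Javadoc has a typo (`coverying` → `covering`) and states that read access is granted "if and only if" READ_ACCESS_CONTROL is granted, while the companion RepoPolicyTreePermissionTest.testCanReadAll expects `canReadAll()` to be false for exactly such a session — presumably because ReadStatus.allowsAll() does not report ALLOW_ALL as "all"; a short comment on canReadAll() noting that it mirrors ReadStatus rather than the class-level statement would stop the next reader from filing that as a bug. `canRead(PropertyState)` and `isGranted(long, PropertyState)` ignore the property on purpose; a comment on each pointing at the subtree precondition in the class Javadoc would make that explicit.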
Copied:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/RepoLevelPolicyTest.java
(from r1792701,
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/SetRepoLevelPolicyTest.java)
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/RepoLevelPolicyTest.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/RepoLevelPolicyTest.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/SetRepoLevelPolicyTest.java&r1=1792701&r2=1793646&rev=1793646&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/SetRepoLevelPolicyTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/RepoLevelPolicyTest.java
Wed May 3 13:56:39 2017
@@ -16,84 +16,112 @@
*/
package org.apache.jackrabbit.oak.security.authorization.evaluation;
+import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.PathNotFoundException;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.Privilege;
+import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
-import org.junit.Ignore;
import org.junit.Test;
-public class SetRepoLevelPolicyTest extends AbstractOakCoreTest {
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class RepoLevelPolicyTest extends AbstractOakCoreTest implements
PrivilegeConstants {
@Test(expected = PathNotFoundException.class)
public void testGetApplicablePoliciesRootNotReadable() throws Exception {
- setupPermission(null, getTestUser().getPrincipal(), true,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+ setupPermission(null, getTestUser().getPrincipal(), true,
JCR_READ_ACCESS_CONTROL);
getAccessControlManager(getTestRoot()).getApplicablePolicies((String)
null);
}
@Test(expected = PathNotFoundException.class)
public void testGetApplicablePoliciesRootNotReadable2() throws Exception {
- setupPermission(null, getTestUser().getPrincipal(), true,
PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+ setupPermission(null, getTestUser().getPrincipal(), true, JCR_READ,
JCR_READ_ACCESS_CONTROL);
getAccessControlManager(getTestRoot()).getApplicablePolicies((String)
null);
}
@Test(expected = AccessDeniedException.class)
public void testGetApplicablePoliciesMissingAcPermission() throws
Exception {
- setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, PrivilegeConstants.JCR_READ);
+ setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, JCR_READ);
getAccessControlManager(getTestRoot()).getApplicablePolicies((String)
null);
}
@Test(expected = AccessDeniedException.class)
public void testGetApplicablePoliciesMissingAcPermission2() throws
Exception {
- setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+ setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, JCR_READ, JCR_READ_ACCESS_CONTROL);
getAccessControlManager(getTestRoot()).getApplicablePolicies((String)
null);
}
@Test
public void testGetApplicablePolicies() throws Exception {
- setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, PrivilegeConstants.JCR_READ);
- setupPermission(null, getTestUser().getPrincipal(), true,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+ setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, JCR_READ);
+ setupPermission(null, getTestUser().getPrincipal(), true,
JCR_READ_ACCESS_CONTROL);
getAccessControlManager(getTestRoot()).getApplicablePolicies((String)
null);
}
@Test(expected = AccessDeniedException.class)
public void testSetPolicyMissingAcPermission() throws Exception {
- setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, PrivilegeConstants.JCR_READ);
- setupPermission(null, getTestUser().getPrincipal(), true,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+ setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, JCR_READ);
+ setupPermission(null, getTestUser().getPrincipal(), true,
JCR_READ_ACCESS_CONTROL);
- setupPermission(getTestRoot(), null, EveryonePrincipal.getInstance(),
false, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+ setupPermission(getTestRoot(), null, EveryonePrincipal.getInstance(),
false, JCR_NAMESPACE_MANAGEMENT);
}
@Test(expected = AccessDeniedException.class)
public void testSetPolicyMissingAcPermission2() throws Exception {
- setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL,
PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL);
- setupPermission(null, getTestUser().getPrincipal(), true,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+ setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, JCR_READ, JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL);
+ setupPermission(null, getTestUser().getPrincipal(), true,
JCR_READ_ACCESS_CONTROL);
- setupPermission(getTestRoot(), null, EveryonePrincipal.getInstance(),
false, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+ setupPermission(getTestRoot(), null, EveryonePrincipal.getInstance(),
false, JCR_NAMESPACE_MANAGEMENT);
}
- @Ignore("OAK-5947")
@Test
public void testSetPolicy() throws Exception {
- setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, PrivilegeConstants.JCR_READ);
- setupPermission(null, getTestUser().getPrincipal(), true,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL,
PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL);
+ setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, JCR_READ);
+ setupPermission(null, getTestUser().getPrincipal(), true,
JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL);
- setupPermission(getTestRoot(), null, EveryonePrincipal.getInstance(),
false, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+ setupPermission(getTestRoot(), null, EveryonePrincipal.getInstance(),
false, JCR_NAMESPACE_MANAGEMENT);
}
@Test
public void testSetPolicy2() throws Exception {
// see above: ac-related permissions should not be required on
ROOT_PATH (workaround for OAK-5947)
- setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL,
PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL);
- setupPermission(null, getTestUser().getPrincipal(), true,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL,
PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL);
+ setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(),
true, JCR_READ, JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL);
+ setupPermission(null, getTestUser().getPrincipal(), true,
JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL);
+
+ setupPermission(getTestRoot(), null, EveryonePrincipal.getInstance(),
false, JCR_NAMESPACE_MANAGEMENT);
+ }
+
+ @Test
+ public void testHasPrivilege() throws Exception {
+ setupPermission(null, getTestUser().getPrincipal(), true,
JCR_READ_ACCESS_CONTROL, JCR_NAMESPACE_MANAGEMENT);
+
+ AccessControlManager testAcMgr =
getAccessControlManager(getTestRoot());
+ assertTrue(testAcMgr.hasPrivileges(null,
privilegesFromNames(JCR_NAMESPACE_MANAGEMENT)));
+ assertTrue(testAcMgr.hasPrivileges(null,
privilegesFromNames(JCR_READ_ACCESS_CONTROL)));
+ assertTrue(testAcMgr.hasPrivileges(null,
privilegesFromNames(JCR_READ_ACCESS_CONTROL, JCR_NAMESPACE_MANAGEMENT)));
+ assertFalse(testAcMgr.hasPrivileges(null,
privilegesFromNames(JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL)));
+ assertFalse(testAcMgr.hasPrivileges(null,
privilegesFromNames(JCR_ALL)));
+ }
+
+ @Test
+ public void testGetPrivileges() throws Exception {
+ setupPermission(null, getTestUser().getPrincipal(), true,
JCR_READ_ACCESS_CONTROL, JCR_NAMESPACE_MANAGEMENT);
+
+ Set<Privilege> expected =
ImmutableSet.copyOf(privilegesFromNames(JCR_READ_ACCESS_CONTROL,
JCR_NAMESPACE_MANAGEMENT));
- setupPermission(getTestRoot(), null, EveryonePrincipal.getInstance(),
false, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+ AccessControlManager testAcMgr =
getAccessControlManager(getTestRoot());
+ assertEquals(expected,
ImmutableSet.copyOf(testAcMgr.getPrivileges(null)));
}
}
\ No newline at end of file
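Review bot: The comment in testSetPolicy2, `// see above: ac-related permissions should not be required on ROOT_PATH (workaround for OAK-5947)`, is stale after this commit: OAK-5947 is the issue fixed here and the @Ignore on testSetPolicy is removed, so the additional JCR_READ_ACCESS_CONTROL/JCR_MODIFY_ACCESS_CONTROL grant on ROOT_PATH is no longer a workaround but a second variant that must also succeed. Rewording it to `// variant of testSetPolicy: granting the ac privileges on ROOT_PATH as well must not change the outcome (see OAK-5947)` keeps the history without implying the workaround is still needed. testHasPrivilege and testGetPrivileges exercise only the repository-level grant; a sibling test for a session without JCR_READ_ACCESS_CONTROL (expecting getPrivileges(null) to be empty or to fail) would pin the negative side that RepoPolicyTreePermission now decides.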
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermissionTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermissionTest.java?rev=1793646&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermissionTest.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermissionTest.java
Wed May 3 13:56:39 2017
@@ -0,0 +1,244 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.permission;
+
+import java.security.Principal;
+import java.security.PrivilegedAction;
+import javax.annotation.Nonnull;
+import javax.jcr.security.AccessControlManager;
+import javax.security.auth.Subject;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState;
+import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
+import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+
+public class RepoPolicyTreePermissionTest extends AbstractSecurityTest
implements AccessControlConstants {
+
+ private static final String REPO_POLICY_PATH = '/' + REP_REPO_POLICY;
+
+ private AuthorizationConfiguration config;
+
+ private ContentSession accessSession;
+ private ContentSession noAccessSession;
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ Principal testPrincipal = getTestUser().getPrincipal();
+
+ AccessControlManager acMgr = getAccessControlManager(root);
+ JackrabbitAccessControlList acl =
AccessControlUtils.getAccessControlList(acMgr, null);
+ if (acl == null) {
+ throw new RuntimeException();
+ }
+
+ acl.addAccessControlEntry(testPrincipal,
privilegesFromNames(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ acl.addAccessControlEntry(EveryonePrincipal.getInstance(),
privilegesFromNames(PrivilegeConstants.JCR_READ));
+ acMgr.setPolicy(null, acl);
+ root.commit();
+ config =
getSecurityProvider().getConfiguration(AuthorizationConfiguration.class);
+
+ accessSession = createTestSession();
+
+ Subject notAllowedSubject = new Subject(true,
ImmutableSet.<Principal>of(EveryonePrincipal.getInstance()), ImmutableSet.of(),
ImmutableSet.of());
+ noAccessSession = Subject.doAs(notAllowedSubject,
(PrivilegedAction<ContentSession>) () -> {
+ try {
+ return getContentRepository().login(null, null);
+ } catch (Exception e) {
+ throw new RuntimeException();
+ }
+ });
+ }
+
+ @Override
+ public void after() throws Exception {
+ try {
+ AccessControlManager acMgr = getAccessControlManager(root);
+ JackrabbitAccessControlList acl =
AccessControlUtils.getAccessControlList(acMgr, null);
+ if (acl != null) {
+ acMgr.removePolicy(null, acl);
+ root.commit();
+ }
+ accessSession.close();
+ noAccessSession.close();
+ } finally {
+ super.after();
+ }
+ }
+
+ @Nonnull
+ private TreePermission getTreePermission(@Nonnull ContentSession cs,
@Nonnull String path) throws Exception {
+ Root r = cs.getLatestRoot();
+ PermissionProvider pp = config.getPermissionProvider(r,
cs.getWorkspaceName(), cs.getAuthInfo().getPrincipals());
+
+ Tree t = r.getTree(PathUtils.ROOT_PATH);
+ TreePermission tp = pp.getTreePermission(t, TreePermission.EMPTY);
+ for (String name : PathUtils.elements(path)) {
+ t = t.getChild(name);
+ tp = pp.getTreePermission(t, tp);
+ }
+ return tp;
+ }
+
+ @Test
+ public void testTreePermissionImpl() throws Exception {
+ TreePermission tp = getTreePermission(accessSession, REPO_POLICY_PATH);
+ assertTrue(tp instanceof RepoPolicyTreePermission);
+ }
+
+ @Test
+ public void testGetChildPermission() throws Exception {
+ TreePermission tp = getTreePermission(accessSession, REPO_POLICY_PATH);
+ assertSame(tp, tp.getChildPermission("childName",
EmptyNodeState.EMPTY_NODE));
+ }
+
+ @Test
+ public void testCanRead() throws Exception {
+ TreePermission tp = getTreePermission(accessSession, REPO_POLICY_PATH);
+ assertTrue(tp.canRead());
+ }
+
+ @Test
+ public void testCanRead2() throws Exception {
+ TreePermission tp = getTreePermission(noAccessSession,
REPO_POLICY_PATH);
+ assertFalse(tp.canRead());
+ }
+
+ @Test
+ public void testCanReadAceNode() throws Exception {
+ TreePermission tp = getTreePermission(accessSession,
root.getTree(REPO_POLICY_PATH).getChildren().iterator().next().getPath());
+ assertTrue(tp.canRead());
+ }
+
+ @Test
+ public void testCanReadAceNode2() throws Exception {
+ TreePermission tp = getTreePermission(noAccessSession,
root.getTree(REPO_POLICY_PATH).getChildren().iterator().next().getPath());
+ assertFalse(tp.canRead());
+ }
+
+
+ @Test
+ public void testCanReadProperty() throws Exception {
+ TreePermission tp = getTreePermission(accessSession, REPO_POLICY_PATH);
+
assertTrue(tp.canRead(PropertyStates.createProperty(JcrConstants.JCR_PRIMARYTYPE,
NT_REP_ACL)));
+ }
+
+ @Test
+ public void testCanReadProperty2() throws Exception {
+ TreePermission tp = getTreePermission(noAccessSession,
REPO_POLICY_PATH);
+
assertFalse(tp.canRead(PropertyStates.createProperty(JcrConstants.JCR_PRIMARYTYPE,
NT_REP_ACL)));
+ }
+
+
+ @Test
+ public void testCanReadPropertyAceNode() throws Exception {
+ Tree aceTree =
root.getTree(REPO_POLICY_PATH).getChildren().iterator().next();
+ PropertyState principalProp = aceTree.getProperty(REP_PRINCIPAL_NAME);
+
+ TreePermission tp = getTreePermission(accessSession,
aceTree.getPath());
+ assertTrue(tp.canRead(principalProp));
+ }
+
+ @Test
+ public void testCanReadPropertyAceNode2() throws Exception {
+ Tree aceTree =
root.getTree(REPO_POLICY_PATH).getChildren().iterator().next();
+ PropertyState principalProp = aceTree.getProperty(REP_PRINCIPAL_NAME);
+
+ TreePermission tp = getTreePermission(noAccessSession,
aceTree.getPath());
+ assertFalse(tp.canRead(principalProp));
+ }
+
+ @Test
+ public void testCanReadProperties() throws Exception {
+ TreePermission tp = getTreePermission(accessSession, REPO_POLICY_PATH);
+ assertTrue(tp.canReadProperties());
+ }
+
+ @Test
+ public void testCanReadProperties2() throws Exception {
+ TreePermission tp = getTreePermission(noAccessSession,
REPO_POLICY_PATH);
+ assertFalse(tp.canReadProperties());
+ }
+
+ @Test
+ public void testCanReadAll() throws Exception {
+ TreePermission tp = getTreePermission(accessSession, REPO_POLICY_PATH);
+ assertFalse(tp.canReadAll());
+ }
+
+ @Test
+ public void testCanReadAll2() throws Exception {
+ TreePermission tp = getTreePermission(noAccessSession,
REPO_POLICY_PATH);
+ assertFalse(tp.canReadAll());
+ }
+
+ @Test
+ public void testIsGranted() throws Exception {
+ TreePermission tp = getTreePermission(accessSession, REPO_POLICY_PATH);
+ assertTrue(tp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+ assertFalse(tp.isGranted(Permissions.WORKSPACE_MANAGEMENT));
+
assertFalse(tp.isGranted(Permissions.NAMESPACE_MANAGEMENT|Permissions.WORKSPACE_MANAGEMENT));
+ }
+
+ @Test
+ public void testIsGranted2() throws Exception {
+ TreePermission tp = getTreePermission(noAccessSession,
REPO_POLICY_PATH);
+ assertFalse(tp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+ assertFalse(tp.isGranted(Permissions.WORKSPACE_MANAGEMENT));
+
assertFalse(tp.isGranted(Permissions.NAMESPACE_MANAGEMENT|Permissions.WORKSPACE_MANAGEMENT));
+ }
+
+ @Test
+ public void testIsGrantedProperty() throws Exception {
+ PropertyState ps = PropertyStates.createProperty("name", "value");
+ TreePermission tp = getTreePermission(accessSession, REPO_POLICY_PATH);
+ assertTrue(tp.isGranted(Permissions.NAMESPACE_MANAGEMENT, ps));
+ assertFalse(tp.isGranted(Permissions.WORKSPACE_MANAGEMENT, ps));
+
assertFalse(tp.isGranted(Permissions.NAMESPACE_MANAGEMENT|Permissions.WORKSPACE_MANAGEMENT,
ps));
+ }
+
+ @Test
+ public void testIsGrantedProperty2() throws Exception {
+ PropertyState ps = PropertyStates.createProperty("name", "value");
+ TreePermission tp = getTreePermission(noAccessSession,
REPO_POLICY_PATH);
+ assertFalse(tp.isGranted(Permissions.NAMESPACE_MANAGEMENT, ps));
+ assertFalse(tp.isGranted(Permissions.WORKSPACE_MANAGEMENT, ps));
+
assertFalse(tp.isGranted(Permissions.NAMESPACE_MANAGEMENT|Permissions.WORKSPACE_MANAGEMENT,
ps));
+ }
+}
\ No newline at end of file
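Review bot: The catch in the login lambda of before(), `catch (Exception e) { throw new RuntimeException(); }`, drops the cause, so a failed login of the everyone-only subject surfaces as a bare RuntimeException without the message or stack of the real error; `throw new RuntimeException(e);` preserves it, and the `acl == null` branch a few lines earlier would likewise be clearer as `throw new RuntimeException("no access control list available at the repository level");`. In after(), both `close()` calls sit after removePolicy() and commit() inside the try, so a failure there leaves the sessions open; moving the closes into the finally block ahead of `super.after()`, guarded against a session that is still null because before() failed early, cleans up unconditionally. testCanReadAll asserts `assertFalse(tp.canReadAll())` for the session that does hold READ_ACCESS_CONTROL, which reads like a slip next to testCanRead; a comment stating that canReadAll() is expected to be false here would document that it is intentional.
```java
    @Override
    public void after() throws Exception {
        try {
            // … unchanged: remove the repository-level policy and commit …
        } finally {
            try {
                if (accessSession != null) {
                    accessSession.close();
                }
                if (noAccessSession != null) {
                    noAccessSession.close();
                }
            } finally {
                super.after();
            }
        }
    }
```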