Author: angela
Date: Thu May 11 15:20:20 2017
New Revision: 1794845

URL: http://svn.apache.org/viewvc?rev=1794845&view=rev
Log:
OAK-6212 : AccessControlAction: minor improvement when user or group privileges 
are empty 
OAK-6038 : Drop dependency of spi.security.* tests from AbstractSecurityTest 
(wip)

Added:
    
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/action/AccessControlActionTest.java
      - copied, changed from r1794697, 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java
Modified:
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
    
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java

Modified: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java?rev=1794845&r1=1794844&r2=1794845&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
 Thu May 11 15:20:20 2017
@@ -149,14 +149,22 @@ public class AccessControlAction extends
         if (securityProvider == null) {
             throw new IllegalStateException("Not initialized");
         }
-        if (isBuiltInUser(authorizable)) {
-            log.debug("System user: " + authorizable.getID() + "; omit ac 
setup.");
-            return;
-        }
-        if (groupPrivilegeNames.length == 0 && userPrivilegeNames.length == 0) 
{
-            log.debug("No privileges configured for groups and users; omit ac 
setup.");
-            return;
+        if (authorizable.isGroup()) {
+            if (groupPrivilegeNames.length == 0) {
+                log.debug("No privileges configured for groups; omit ac 
setup.");
+                return;
+            }
+        } else {
+            if (userPrivilegeNames.length == 0) {
+                log.debug("No privileges configured for users; omit ac 
setup.");
+                return;
+            }
+            if (isBuiltInUser(authorizable)) {
+                log.debug("System user: " + authorizable.getID() + "; omit ac 
setup.");
+                return;
+            }
         }
+
         Principal principal = authorizable.getPrincipal();
         if (administrativePrincipals.contains(principal.getName())) {
             log.debug("Administrative principal: " + principal.getName() + "; 
omit ac setup.");
@@ -180,17 +188,8 @@ public class AccessControlAction extends
         } else {
             // setup acl according to configuration.
             boolean modified = false;
-            if (authorizable.isGroup()) {
-                // new authorizable is a Group
-                if (groupPrivilegeNames.length > 0) {
-                    modified = acl.addAccessControlEntry(principal, 
getPrivileges(groupPrivilegeNames, acMgr));
-                }
-            } else {
-                // new authorizable is a User
-                if (userPrivilegeNames.length > 0) {
-                    modified = acl.addAccessControlEntry(principal, 
getPrivileges(userPrivilegeNames, acMgr));
-                }
-            }
+            String[] privNames = (authorizable.isGroup()) ? 
groupPrivilegeNames : userPrivilegeNames;
+            modified = acl.addAccessControlEntry(principal, 
getPrivileges(privNames, acMgr));
             if (modified) {
                 acMgr.setPolicy(path, acl);
             }
@@ -198,9 +197,6 @@ public class AccessControlAction extends
     }
 
     private boolean isBuiltInUser(@Nonnull Authorizable authorizable) throws 
RepositoryException {
-        if (authorizable.isGroup()) {
-            return false;
-        }
         ConfigurationParameters userConfig = 
securityProvider.getConfiguration(UserConfiguration.class).getParameters();
         String userId = authorizable.getID();
         return UserUtil.getAdminId(userConfig).equals(userId) || 
UserUtil.getAnonymousId(userConfig).equals(userId);

Copied: 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/action/AccessControlActionTest.java
 (from r1794697, 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java)
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/action/AccessControlActionTest.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/action/AccessControlActionTest.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java&r1=1794697&r2=1794845&rev=1794845&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/action/AccessControlActionTest.java
 Thu May 11 15:20:20 2017
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.jackrabbit.oak.spi.security.user.action;
+package org.apache.jackrabbit.oak.security.user.action;
 
 import javax.jcr.security.AccessControlList;
 import javax.jcr.security.AccessControlManager;
@@ -31,6 +31,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
+import org.apache.jackrabbit.oak.spi.security.user.action.AccessControlAction;
 import org.junit.Test;
 
 import static org.junit.Assert.assertArrayEquals;
@@ -38,7 +39,7 @@ import static org.junit.Assert.assertEqu
 import static org.junit.Assert.assertTrue;
 
 /**
- * Testing the {@code AccessControlAction}
+ * Integration tests for the {@code AccessControlAction} with complete 
security setup
  */
 public class AccessControlActionTest extends AbstractSecurityTest {
 

Modified: 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java?rev=1794845&r1=1794844&r2=1794845&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.java
 Thu May 11 15:20:20 2017
@@ -16,108 +16,193 @@
  */
 package org.apache.jackrabbit.oak.spi.security.user.action;
 
-import javax.jcr.security.AccessControlList;
-import javax.jcr.security.AccessControlManager;
-import javax.jcr.security.AccessControlPolicy;
-import javax.jcr.security.Privilege;
+import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
+import javax.jcr.RepositoryException;
 
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.User;
-import org.apache.jackrabbit.api.security.user.UserManager;
-import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
+import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
 import org.junit.Test;
+import org.mockito.Mockito;
 
-import static org.junit.Assert.assertArrayEquals;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.when;
 
 /**
- * Testing the {@code AccessControlAction}
+ * Unit tests for {@code AccessControlAction}.
+ *
+ * @see {@link 
org.apache.jackrabbit.oak.security.user.action.AccessControlActionTest} for 
integration tests include complete setup.
  */
-public class AccessControlActionTest extends AbstractSecurityTest {
+public class AccessControlActionTest implements UserConstants {
+
+    private final Root root = Mockito.mock(Root.class);
+    private final SecurityProvider securityProvider = 
Mockito.mock(SecurityProvider.class);
+    private final UserConfiguration userConfiguration = 
Mockito.mock(UserConfiguration.class);
+    private final AuthorizationConfiguration authorizationConfiguration = 
Mockito.mock(AuthorizationConfiguration.class);
+
+    private void initSecurityProvider(@Nonnull String adminId, @Nonnull String 
anonymousId, @Nonnull String... adminPrincipalNames) {
+        
when(userConfiguration.getParameters()).thenReturn(ConfigurationParameters.of(
+                PARAM_ADMIN_ID, adminId,
+                PARAM_ANONYMOUS_ID, anonymousId));
+
+        
when(authorizationConfiguration.getParameters()).thenReturn(ConfigurationParameters.of(PermissionConstants.PARAM_ADMINISTRATIVE_PRINCIPALS,
 adminPrincipalNames));
+
+        
when(securityProvider.getConfiguration(UserConfiguration.class)).thenReturn(userConfiguration);
+        
when(securityProvider.getConfiguration(AuthorizationConfiguration.class)).thenReturn(authorizationConfiguration);
 
-    @Override
-    protected ConfigurationParameters getSecurityConfigParameters() {
-        ConfigurationParameters userConfig = ConfigurationParameters.of(
-                AccessControlAction.GROUP_PRIVILEGE_NAMES, new String[] 
{PrivilegeConstants.JCR_READ},
-                AccessControlAction.USER_PRIVILEGE_NAMES, new String[] 
{PrivilegeConstants.JCR_ALL}
-        );
-        ConfigurationParameters authorizationConfig = 
ConfigurationParameters.of(
-                PermissionConstants.PARAM_ADMINISTRATIVE_PRINCIPALS, new 
String[] {"administrativePrincipalName"}
-        );
-        return ConfigurationParameters.of(UserConfiguration.NAME, userConfig, 
AuthorizationConfiguration.NAME, authorizationConfig);
     }
 
-    @Test
-    public void testAccessControlActionForUser() throws Exception {
-        UserManager userMgr = getUserManager(root);
-        User u = null;
-        try {
-            String uid = "actionTestUser";
-            u = userMgr.createUser(uid, uid);
-            root.commit();
-
-            assertAcAction(u, PrivilegeConstants.JCR_ALL);
-        } finally {
-            root.refresh();
-            if (u != null) {
-                u.remove();
-            }
-            root.commit();
+    private AccessControlAction createAction(@Nonnull String... privNames) {
+        AccessControlAction action = new AccessControlAction();
+        action.init(securityProvider, ConfigurationParameters.of(
+                AccessControlAction.USER_PRIVILEGE_NAMES, privNames,
+                AccessControlAction.GROUP_PRIVILEGE_NAMES, privNames));
+        return action;
+    }
+
+    private AccessControlAction createAction(@Nonnull String[] userPrivNames, 
@Nonnull String[] groupPrivNames) {
+        AccessControlAction action = new AccessControlAction();
+        action.init(securityProvider, ConfigurationParameters.of(
+                AccessControlAction.USER_PRIVILEGE_NAMES, userPrivNames,
+                AccessControlAction.GROUP_PRIVILEGE_NAMES, groupPrivNames));
+        return action;
+    }
+
+    private static void mockAuthorizable(@Nonnull Authorizable a, @Nonnull 
String id, @CheckForNull String principalName, @CheckForNull String path) 
throws RepositoryException {
+        when(a.getID()).thenReturn(id);
+        if (principalName != null) {
+            when(a.getPrincipal()).thenReturn(new 
PrincipalImpl(principalName));
+        } else {
+            when(a.getPrincipal()).thenThrow(new RepositoryException());
+        }
+        if (path != null) {
+            when(a.getPath()).thenReturn(path);
+        } else {
+            when(a.getPath()).thenThrow(new RepositoryException());
         }
     }
 
+    private static User mockUser(@Nonnull String id, @CheckForNull String 
principalName, @CheckForNull String path) throws RepositoryException {
+        User user = Mockito.mock(User.class);
+        when(user.isGroup()).thenReturn(false);
+        mockAuthorizable(user, id, principalName, path);
+        return user;
+    }
+
+    private static Group mockGroup(@Nonnull String id, @CheckForNull String 
principalName, @CheckForNull String path) throws RepositoryException {
+        Group gr = Mockito.mock(Group.class);
+        when(gr.isGroup()).thenReturn(true);
+        mockAuthorizable(gr, id, principalName, path);
+        return gr;
+    }
+
     @Test
-    public void testAccessControlAction() throws Exception {
-        UserManager userMgr = getUserManager(root);
-        Group gr = null;
-        try {
-            gr = userMgr.createGroup("actionTestGroup");
-            root.commit();
-
-            assertAcAction(gr, PrivilegeConstants.JCR_READ);
-        } finally {
-            root.refresh();
-            if (gr != null) {
-                gr.remove();
-            }
-            root.commit();
-        }
+    public void testInit() {
+        // TODO
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testOnCreateUserMissingSecurityProvider() throws Exception {
+        new AccessControlAction().onCreate(Mockito.mock(User.class), null, 
root, NamePathMapper.DEFAULT);
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testOnCreateGroupMissingSecurityProvider() throws Exception {
+        new AccessControlAction().onCreate(Mockito.mock(Group.class), root, 
NamePathMapper.DEFAULT);
     }
 
     @Test
-    public void testAdministrativePrincipals() throws Exception {
-        UserManager userMgr = getUserManager(root);
-        Group gr = null;
-        try {
-            gr = userMgr.createGroup("administrativePrincipalName");
-            root.commit();
-
-            AccessControlManager acMgr = getAccessControlManager(root);
-            AccessControlPolicy[] policies = acMgr.getPolicies(gr.getPath());
-            assertEquals(0, policies.length);
-        } finally {
-            root.refresh();
-            if (gr != null) {
-                gr.remove();
-            }
-            root.commit();
+    public void testOnCreateBuiltinUser() throws Exception {
+        initSecurityProvider("adminId", "anonymousId");
+        AccessControlAction action = createAction(PrivilegeConstants.JCR_READ);
+
+        String[] buildinIds = new String[] {"adminId", "anonymousId"};
+        for (String id : buildinIds) {
+            // throw upon getPrincipal as onCreate for builtin users must not 
reach that statement
+            User user = mockUser(id, null, null);
+            action.onCreate(user, null, root, NamePathMapper.DEFAULT);
         }
     }
 
-    private void assertAcAction(Authorizable a, String expectedPrivName) 
throws Exception {
-        AccessControlManager acMgr = getAccessControlManager(root);
-        AccessControlPolicy[] policies = acMgr.getPolicies(a.getPath());
-        assertEquals(1, policies.length);
-        assertTrue(policies[0] instanceof AccessControlList);
-        AccessControlList acl = (AccessControlList) policies[0];
-        assertEquals(1, acl.getAccessControlEntries().length);
-        assertArrayEquals(new 
Privilege[]{getPrivilegeManager(root).getPrivilege(expectedPrivName)}, 
acl.getAccessControlEntries()[0].getPrivileges());
+    @Test(expected = RepositoryException.class)
+    public void testOnCreateBuiltinIsGroup() throws Exception {
+        initSecurityProvider("adminIdIsUsedByGroup", "anonymousId");
+        AccessControlAction action = createAction(PrivilegeConstants.JCR_READ);
+
+        // the check for built-in user must ignore groups
+        Group gr = mockGroup("adminIdIsUsedByGroup", null, null);
+        action.onCreate(gr, root, NamePathMapper.DEFAULT);
     }
+
+    @Test
+    public void testOnCreateUserEmptyPrivs() throws Exception {
+        initSecurityProvider(DEFAULT_ADMIN_ID, DEFAULT_ANONYMOUS_ID);
+        AccessControlAction action = createAction(new String[0], new String[] 
{PrivilegeConstants.JCR_READ});
+
+        // throw upon getPrincipal as onCreate without configured privileges 
call must not reach that statement
+        User user = mockUser("id", null, null);
+        action.onCreate(user, null, root, NamePathMapper.DEFAULT);
+    }
+
+    @Test
+    public void testOnCreateGroupEmptyPrivs() throws Exception {
+        initSecurityProvider(DEFAULT_ADMIN_ID, DEFAULT_ANONYMOUS_ID);
+        AccessControlAction action = createAction(new String[] 
{PrivilegeConstants.JCR_READ}, new String[0]);
+
+        // throw upon getPrincipal as onCreate without configured privileges 
call must not reach that statement
+        Group gr = mockGroup("id", null, null);
+        action.onCreate(gr, root, NamePathMapper.DEFAULT);
+    }
+
+    @Test
+    public void testOnCreateAdminUser() throws Exception {
+        initSecurityProvider(DEFAULT_ADMIN_ID, DEFAULT_ANONYMOUS_ID, 
"administrativePrincipal");
+        AccessControlAction action = createAction(PrivilegeConstants.JCR_READ);
+
+        // throw upon getPath as onCreate for administrative principal call 
must not reach that statement
+        User user = mockUser("id", "administrativePrincipal", null);
+        action.onCreate(user, null, root, NamePathMapper.DEFAULT);
+    }
+
+    @Test
+    public void testOnCreateAdminGroup() throws Exception {
+        initSecurityProvider(DEFAULT_ADMIN_ID, DEFAULT_ANONYMOUS_ID, 
"administrativePrincipal");
+        AccessControlAction action = createAction(PrivilegeConstants.JCR_READ);
+
+        // throw upon getPath as onCreate for administrative principal call 
must not reach that statement
+        Group gr = mockGroup("id", "administrativePrincipal", null);
+        action.onCreate(gr, root, NamePathMapper.DEFAULT);
+    }
+
+
+    @Test(expected = RepositoryException.class)
+    public void testOnCreateUserWithoutPath() throws Exception {
+        initSecurityProvider(DEFAULT_ADMIN_ID, DEFAULT_ANONYMOUS_ID);
+        AccessControlAction action = createAction(PrivilegeConstants.JCR_READ);
+
+        // throw upon getPath
+        User user = mockUser("id", "principalName", null);
+        action.onCreate(user, null, root, NamePathMapper.DEFAULT);
+    }
+
+    @Test(expected = RepositoryException.class)
+    public void testOnCreateGroupWithoutPath() throws Exception {
+        initSecurityProvider(DEFAULT_ADMIN_ID, DEFAULT_ANONYMOUS_ID);
+        AccessControlAction action = createAction(PrivilegeConstants.JCR_READ);
+
+        // throw upon getPath as onCreate for administrative principal call 
must not reach that statement
+        Group gr = mockGroup("id", "principal", null);
+        action.onCreate(gr, root, NamePathMapper.DEFAULT);
+    }
+
 }
\ No newline at end of file


Reply via email to