Author: angela
Date: Tue Dec 18 16:48:19 2018
New Revision: 1849195

URL: http://svn.apache.org/viewvc?rev=1849195&view=rev
Log:
OAK-7966 : Avoid adding excluded principal to cug policy

Modified:
    
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java
    
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
    
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImpl.java
    
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
    
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManagerTest.java
    
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java

Modified: 
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java?rev=1849195&r1=1849194&r2=1849195&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.java
 Tue Dec 18 16:48:19 2018
@@ -43,6 +43,7 @@ import org.apache.jackrabbit.oak.namepat
 import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
 import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner;
+import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude;
 import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
@@ -68,16 +69,19 @@ class CugAccessControlManager extends Ab
     private static final Logger log = 
LoggerFactory.getLogger(CugAccessControlManager.class);
 
     private final Set<String> supportedPaths;
+    private final CugExclude cugExclude;
     private final ConfigurationParameters config;
     private final PrincipalManager principalManager;
 
     CugAccessControlManager(@NotNull Root root,
-                                   @NotNull NamePathMapper namePathMapper,
-                                   @NotNull SecurityProvider securityProvider,
-                                   @NotNull Set<String> supportedPaths) {
+                            @NotNull NamePathMapper namePathMapper,
+                            @NotNull SecurityProvider securityProvider,
+                            @NotNull Set<String> supportedPaths,
+                            @NotNull CugExclude cugExclude) {
         super(root, namePathMapper, securityProvider);
 
         this.supportedPaths = supportedPaths;
+        this.cugExclude = cugExclude;
 
         config = 
securityProvider.getConfiguration(AuthorizationConfiguration.class).getParameters();
         principalManager = 
securityProvider.getConfiguration(PrincipalConfiguration.class).getPrincipalManager(root,
 namePathMapper);
@@ -139,7 +143,7 @@ class CugAccessControlManager extends Ab
         } else {
             CugPolicy cug = getCugPolicy(oakPath);
             if (cug == null) {
-                cug = new CugPolicyImpl(oakPath, getNamePathMapper(), 
principalManager, CugUtil.getImportBehavior(config));
+                cug = new CugPolicyImpl(oakPath, getNamePathMapper(), 
principalManager, CugUtil.getImportBehavior(config), cugExclude);
                 return new 
AccessControlPolicyIteratorAdapter(ImmutableSet.of(cug));
             } else {
                 return AccessControlPolicyIteratorAdapter.EMPTY;
@@ -246,7 +250,7 @@ class CugAccessControlManager extends Ab
     private CugPolicy getCugPolicy(@NotNull String oakPath, @NotNull Tree 
tree) {
         Tree cug = tree.getChild(REP_CUG_POLICY);
         if (CugUtil.definesCug(cug)) {
-            return new CugPolicyImpl(oakPath, getNamePathMapper(), 
principalManager, CugUtil.getImportBehavior(config), getPrincipals(cug));
+            return new CugPolicyImpl(oakPath, getNamePathMapper(), 
principalManager, CugUtil.getImportBehavior(config), cugExclude, 
getPrincipals(cug));
         } else {
             return null;
         }
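Review bot: Principals read back from an existing `rep:cugPolicy` node in `getCugPolicy` are passed to the six-argument `CugPolicyImpl` constructor, which in this commit copies them with `this.principals.addAll(principals)` and never consults `cugExclude`. Policies persisted before this change therefore keep any excluded principal. `testExcludedPrincipalAddedBefore` pins that behaviour, so it looks intentional, but no comment says so. A comment above the `return new CugPolicyImpl(...)` line would help, for example `// persisted principals are kept as-is; cugExclude is only applied when principals are added`. The method's closing brace lies outside the hunk.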

Modified: 
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java?rev=1849195&r1=1849194&r2=1849195&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
 Tue Dec 18 16:48:19 2018
@@ -120,7 +120,7 @@ public class CugConfiguration extends Co
     @NotNull
     @Override
     public AccessControlManager getAccessControlManager(@NotNull Root root, 
@NotNull NamePathMapper namePathMapper) {
-        return new CugAccessControlManager(root, namePathMapper, 
getSecurityProvider(), supportedPaths);
+        return new CugAccessControlManager(root, namePathMapper, 
getSecurityProvider(), supportedPaths, getExclude());
     }
 
     @NotNull

Modified: 
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImpl.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImpl.java?rev=1849195&r1=1849194&r2=1849195&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImpl.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImpl.java
 Tue Dec 18 16:48:19 2018
@@ -27,6 +27,7 @@ import com.google.common.collect.Iterabl
 import com.google.common.collect.Sets;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude;
 import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
 import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
 import org.jetbrains.annotations.NotNull;
@@ -46,22 +47,24 @@ class CugPolicyImpl implements CugPolicy
     private final NamePathMapper namePathMapper;
     private final PrincipalManager principalManager;
     private final int importBehavior;
+    private final CugExclude cugExclude;
 
     private final Set<Principal> principals = new HashSet<>();
 
     CugPolicyImpl(@NotNull String oakPath, @NotNull NamePathMapper 
namePathMapper,
-                  @NotNull PrincipalManager principalManager, int 
importBehavior) {
-        this(oakPath, namePathMapper, principalManager, importBehavior, 
Collections.<Principal>emptySet());
+                  @NotNull PrincipalManager principalManager, int 
importBehavior, @NotNull CugExclude cugExclude) {
+        this(oakPath, namePathMapper, principalManager, importBehavior, 
cugExclude, Collections.<Principal>emptySet());
     }
 
     CugPolicyImpl(@NotNull String oakPath, @NotNull NamePathMapper 
namePathMapper,
                   @NotNull PrincipalManager principalManager, int 
importBehavior,
-                  @NotNull Set<Principal> principals) {
+                  @NotNull CugExclude cugExclude, @NotNull Set<Principal> 
principals) {
         ImportBehavior.nameFromValue(importBehavior);
         this.oakPath = oakPath;
         this.namePathMapper = namePathMapper;
         this.principalManager = principalManager;
         this.importBehavior = importBehavior;
+        this.cugExclude = cugExclude;
         this.principals.addAll(principals);
     }
 
@@ -128,6 +131,11 @@ class CugPolicyImpl implements CugPolicy
             throw new AccessControlException("Invalid principal " + name);
         }
 
+        if (cugExclude.isExcluded(Collections.singleton(principal))) {
+            log.warn("Attempt to add excluded principal {} to CUG.", 
principal);
+            return false;
+        }
+
         boolean isValid = true;
         switch (importBehavior) {
             case ImportBehavior.ABORT:
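Review bot: The exclusion check added before the `switch` runs on the caller-supplied `Principal` object, not on the principal that `principalManager` knows under that name. If the configured `CugExclude` decides by principal type, a plain `PrincipalImpl` carrying the name of an excluded principal would not be recognised and would still end up in the policy; the test helper that builds a `SystemUserPrincipal` suggests this, though the implementation is not visible here. Consider resolving first and checking the result, e.g. `Principal resolved = principalManager.getPrincipal(name);` followed by `if (cugExclude.isExcluded(Collections.singleton(resolved != null ? resolved : principal))) {`. The warning would also be more consistent with the neighbouring messages if it logged `name` rather than the `Principal` object. The enclosing method starts and ends outside this hunk.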
@@ -137,7 +145,7 @@ class CugPolicyImpl implements CugPolicy
                 break;
             case ImportBehavior.IGNORE:
                 if (!principalManager.hasPrincipal(name)) {
-                    log.debug("Ignoring unknown principal " + name);
+                    log.debug("Ignoring unknown principal {}", name);
                     isValid = false;
                 }
                 break;

Modified: 
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java?rev=1849195&r1=1849194&r2=1849195&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.java
 Tue Dec 18 16:48:19 2018
@@ -43,6 +43,7 @@ import org.apache.jackrabbit.oak.spi.nod
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude;
 import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
@@ -190,6 +191,10 @@ public class AbstractCugTest extends Abs
         root.commit();
     }
 
+    CugExclude getExclude() {
+        return new CugExclude.Default();
+    }
+
     void createCug(@NotNull String absPath, @NotNull Principal principal) 
throws RepositoryException {
         AccessControlManager acMgr = getAccessControlManager(root);
         AccessControlPolicyIterator it = acMgr.getApplicablePolicies(absPath);

Modified: 
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManagerTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManagerTest.java?rev=1849195&r1=1849194&r2=1849195&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManagerTest.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManagerTest.java
 Tue Dec 18 16:48:19 2018
@@ -65,11 +65,11 @@ public class CugAccessControlManagerTest
     public void before() throws Exception {
         super.before();
 
-        cugAccessControlManager = new CugAccessControlManager(root, 
NamePathMapper.DEFAULT, getSecurityProvider(), 
ImmutableSet.copyOf(SUPPORTED_PATHS));
+        cugAccessControlManager = new CugAccessControlManager(root, 
NamePathMapper.DEFAULT, getSecurityProvider(), 
ImmutableSet.copyOf(SUPPORTED_PATHS), getExclude());
     }
 
     private CugPolicy createCug(@NotNull String path) {
-        return new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
getPrincipalManager(root), ImportBehavior.ABORT);
+        return new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
getPrincipalManager(root), ImportBehavior.ABORT, getExclude());
     }
 
     private CugPolicy getApplicableCug(@NotNull String path) throws 
RepositoryException {
@@ -224,7 +224,7 @@ public class CugAccessControlManagerTest
         ConfigurationParameters config = 
ConfigurationParameters.of(AuthorizationConfiguration.NAME, 
ConfigurationParameters.of(
                     CugConstants.PARAM_CUG_SUPPORTED_PATHS, SUPPORTED_PATHS,
                     CugConstants.PARAM_CUG_ENABLED, false));
-        CugAccessControlManager acMgr = new CugAccessControlManager(root, 
NamePathMapper.DEFAULT, CugSecurityProvider.newTestSecurityProvider(config), 
ImmutableSet.copyOf(SUPPORTED_PATHS));
+        CugAccessControlManager acMgr = new CugAccessControlManager(root, 
NamePathMapper.DEFAULT, CugSecurityProvider.newTestSecurityProvider(config), 
ImmutableSet.copyOf(SUPPORTED_PATHS), getExclude());
         AccessControlPolicy[] policies = 
acMgr.getEffectivePolicies(SUPPORTED_PATH);
         assertEquals(0, policies.length);
 
@@ -313,7 +313,7 @@ public class CugAccessControlManagerTest
         Tree supportedTree = root.getTree(SUPPORTED_PATH);
         new NodeUtil(supportedTree).addChild(REP_CUG_POLICY, 
NodeTypeConstants.NT_OAK_UNSTRUCTURED);
 
-        cugAccessControlManager.setPolicy(SUPPORTED_PATH, new 
CugPolicyImpl(SUPPORTED_PATH, NamePathMapper.DEFAULT, 
getPrincipalManager(root), ImportBehavior.BESTEFFORT));
+        cugAccessControlManager.setPolicy(SUPPORTED_PATH, new 
CugPolicyImpl(SUPPORTED_PATH, NamePathMapper.DEFAULT, 
getPrincipalManager(root), ImportBehavior.BESTEFFORT, getExclude()));
     }
 
     @Test
@@ -380,7 +380,7 @@ public class CugAccessControlManagerTest
         Tree supportedTree = root.getTree(SUPPORTED_PATH);
         new NodeUtil(supportedTree).addChild(REP_CUG_POLICY, 
NodeTypeConstants.NT_OAK_UNSTRUCTURED);
 
-        cugAccessControlManager.removePolicy(SUPPORTED_PATH, new 
CugPolicyImpl(SUPPORTED_PATH, NamePathMapper.DEFAULT, 
getPrincipalManager(root), ImportBehavior.BESTEFFORT));
+        cugAccessControlManager.removePolicy(SUPPORTED_PATH, new 
CugPolicyImpl(SUPPORTED_PATH, NamePathMapper.DEFAULT, 
getPrincipalManager(root), ImportBehavior.BESTEFFORT, getExclude()));
     }
 
     @Test(expected = PathNotFoundException.class)

Modified: 
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java?rev=1849195&r1=1849194&r2=1849195&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPolicyImplTest.java
 Tue Dec 18 16:48:19 2018
@@ -16,30 +16,32 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
 
-import java.security.Principal;
-import java.util.Iterator;
-import java.util.Set;
-import javax.jcr.security.AccessControlException;
-
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Iterables;
 import org.apache.jackrabbit.api.security.authorization.PrincipalSetPolicy;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.oak.AbstractSecurityTest;
-import org.apache.jackrabbit.oak.namepath.impl.LocalNameMapper;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.namepath.impl.LocalNameMapper;
 import org.apache.jackrabbit.oak.namepath.impl.NamePathMapperImpl;
+import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude;
 import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
+import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
 import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.security.principal.SystemUserPrincipal;
 import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
 import org.jetbrains.annotations.NotNull;
 import org.junit.Test;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotSame;
-import static org.junit.Assert.assertTrue;
+import javax.jcr.security.AccessControlException;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.Set;
+
+import static org.junit.Assert.*;
 
 public class CugPolicyImplTest extends AbstractSecurityTest {
 
@@ -48,6 +50,8 @@ public class CugPolicyImplTest extends A
     private Principal testPrincipal = new PrincipalImpl("test");
     Set<Principal> principals = ImmutableSet.of(testPrincipal);
 
+    private CugExclude exclude = new CugExclude.Default();
+
     @Override
     public void before() throws Exception {
         super.before();
@@ -56,13 +60,29 @@ public class CugPolicyImplTest extends A
     }
 
     private CugPolicyImpl createEmptyCugPolicy() {
-        return new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, ImportBehavior.ABORT);
+        return createEmptyCugPolicy(ImportBehavior.ABORT);
+    }
+
+    private CugPolicyImpl createEmptyCugPolicy(int importBehavior) {
+        return new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, importBehavior, exclude);
     }
 
     private CugPolicyImpl createCugPolicy(@NotNull Set<Principal> principals) {
-        return new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, ImportBehavior.ABORT, principals);
+        return createCugPolicy(ImportBehavior.ABORT, principals);
+    }
+
+    private CugPolicyImpl createCugPolicy(int importBehavior, @NotNull 
Set<Principal> principals) {
+        return new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, importBehavior, exclude, principals);
     }
 
+    private Principal getExcludedPrincipal() {
+        return new SystemUserPrincipal() {
+            @Override
+            public String getName() {
+                return "excluded";
+            }
+        };
+    }
     @Test
     public void testPrincipalSetPolicy() {
         assertTrue(createCugPolicy(principals) instanceof PrincipalSetPolicy);
@@ -115,7 +135,7 @@ public class CugPolicyImplTest extends A
 
     @Test(expected = AccessControlException.class)
     public void testAddInvalidPrincipalsAbort() throws Exception {
-        CugPolicy cug = new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, ImportBehavior.ABORT);
+        CugPolicy cug = createEmptyCugPolicy(ImportBehavior.ABORT);
         cug.addPrincipals(
                 EveryonePrincipal.getInstance(),
                 new PrincipalImpl("unknown"));
@@ -123,7 +143,7 @@ public class CugPolicyImplTest extends A
 
     @Test
     public void testAddInvalidPrincipalsBestEffort() throws Exception {
-        CugPolicy cug = new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, ImportBehavior.BESTEFFORT, principals);
+        CugPolicy cug = createCugPolicy(ImportBehavior.BESTEFFORT, principals);
         assertTrue(cug.addPrincipals(
                 EveryonePrincipal.getInstance(),
                 new PrincipalImpl("unknown")));
@@ -134,7 +154,7 @@ public class CugPolicyImplTest extends A
 
     @Test
     public void testAddInvalidPrincipalsIgnore() throws Exception {
-        CugPolicy cug = new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, ImportBehavior.IGNORE, principals);
+        CugPolicy cug = createCugPolicy(ImportBehavior.IGNORE, principals);
         assertTrue(cug.addPrincipals(
                 new PrincipalImpl("unknown"),
                 EveryonePrincipal.getInstance()));
@@ -147,7 +167,7 @@ public class CugPolicyImplTest extends A
 
     @Test
     public void testAddContainedPrincipal() throws Exception {
-        CugPolicy cug = new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, ImportBehavior.BESTEFFORT, principals);
+        CugPolicy cug = createCugPolicy(ImportBehavior.BESTEFFORT, principals);
         assertFalse(cug.addPrincipals(
                 new PrincipalImpl("test")));
 
@@ -156,7 +176,7 @@ public class CugPolicyImplTest extends A
 
     @Test
     public void testAddNullPrincipal() throws Exception {
-        CugPolicy cug = new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, ImportBehavior.ABORT, principals);
+        CugPolicy cug = createCugPolicy(ImportBehavior.ABORT, principals);
         assertTrue(cug.addPrincipals(EveryonePrincipal.getInstance(), null));
 
         
assertTrue(cug.getPrincipals().contains(EveryonePrincipal.getInstance()));
@@ -165,13 +185,13 @@ public class CugPolicyImplTest extends A
 
     @Test(expected = AccessControlException.class)
     public void testAddEmptyPrincipalName() throws Exception {
-        CugPolicy cug = new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, ImportBehavior.BESTEFFORT);
+        CugPolicy cug = createEmptyCugPolicy(ImportBehavior.BESTEFFORT);
         cug.addPrincipals(new PrincipalImpl(""));
     }
 
     @Test(expected = AccessControlException.class)
     public void testAddNullPrincipalName() throws Exception {
-        CugPolicy cug = new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, ImportBehavior.BESTEFFORT);
+        CugPolicy cug = createEmptyCugPolicy(ImportBehavior.BESTEFFORT);
         cug.addPrincipals(new Principal() {
             @Override
             public String getName() {
@@ -182,9 +202,7 @@ public class CugPolicyImplTest extends A
 
     @Test
     public void testRemovePrincipals() throws Exception {
-        CugPolicy cug = new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager,
-                ImportBehavior.BESTEFFORT,
-                ImmutableSet.of(testPrincipal, 
EveryonePrincipal.getInstance()));
+        CugPolicy cug = createCugPolicy(ImportBehavior.BESTEFFORT, 
ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance()));
 
         assertFalse(cug.removePrincipals(new PrincipalImpl("unknown")));
         assertTrue(cug.removePrincipals(testPrincipal, 
EveryonePrincipal.getInstance(), new PrincipalImpl("unknown")));
@@ -193,7 +211,7 @@ public class CugPolicyImplTest extends A
 
     @Test
     public void testRemoveNullPrincipal() throws Exception {
-        CugPolicy cug = new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, ImportBehavior.ABORT, principals);
+        CugPolicy cug = createCugPolicy(ImportBehavior.ABORT, principals);
         assertTrue(cug.removePrincipals(testPrincipal, null));
 
         assertTrue(cug.getPrincipals().isEmpty());
@@ -210,12 +228,42 @@ public class CugPolicyImplTest extends A
         String oakPath = "/oak:testPath";
         NamePathMapper mapper = new NamePathMapperImpl(new 
LocalNameMapper(root, ImmutableMap.of("quercus", 
"http://jackrabbit.apache.org/oak/ns/1.0";)));
 
-        CugPolicy empty = new CugPolicyImpl(oakPath, mapper, principalManager, 
ImportBehavior.ABORT);
+        CugPolicy empty = new CugPolicyImpl(oakPath, mapper, principalManager, 
ImportBehavior.ABORT, exclude);
         assertEquals("/quercus:testPath", empty.getPath());
     }
 
     @Test(expected = IllegalArgumentException.class)
     public void testInvalidImportBehavior() {
-        CugPolicy cug = new CugPolicyImpl(path, NamePathMapper.DEFAULT, 
principalManager, -1, principals);
+        CugPolicy cug = createCugPolicy(-1, principals);
+    }
+
+    @Test
+    public void testAddSingleExcludedPrincipal() throws Exception {
+        CugPolicy cug = createEmptyCugPolicy(ImportBehavior.ABORT);
+
+        assertFalse(cug.addPrincipals(getExcludedPrincipal()));
+    }
+
+    @Test
+    public void testAddExcludedPrincipal() throws Exception {
+        CugPolicyImpl cug = createEmptyCugPolicy(ImportBehavior.ABORT);
+
+        Principal excluded = getExcludedPrincipal();
+        assertTrue(cug.addPrincipals(EveryonePrincipal.getInstance(), 
excluded));
+        assertFalse(Iterables.contains(cug.getPrincipalNames(), 
excluded.getName()));
+    }
+
+    @Test
+    public void testExcludedPrincipalAddedBefore() throws Exception {
+        Principal excluded = getExcludedPrincipal();
+        CugPolicyImpl cug = createCugPolicy(ImportBehavior.ABORT, 
Collections.singleton(excluded));
+        assertTrue(Iterables.contains(cug.getPrincipalNames(), 
excluded.getName()));
+    }
+
+    @Test
+    public void removeExcludedPrincipal() throws Exception {
+        Principal excluded = getExcludedPrincipal();
+        CugPolicyImpl cug = createCugPolicy(ImportBehavior.ABORT, 
Collections.singleton(excluded));
+        assertTrue(cug.removePrincipals(excluded));
     }
 }
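Review bot: `testAddSingleExcludedPrincipal` only asserts the `false` return value; adding `assertTrue(cug.getPrincipals().isEmpty());` would pin that the excluded principal was not stored. All four new tests use `ImportBehavior.ABORT`, so the early return is not exercised for `IGNORE` and `BESTEFFORT`. `removeExcludedPrincipal` lacks the `test` prefix used by the other methods, and in `testInvalidImportBehavior` the local `cug` is assigned but never read.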

