Added:
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java?rev=1857551&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java
(added)
+++
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java
Mon Apr 15 07:16:49 2019
@@ -0,0 +1,516 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
+import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
+import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
+import
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
+import
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.PrincipalPolicy;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
+import org.jetbrains.annotations.NotNull;
+import org.junit.Before;
+import org.junit.Test;
+
+import javax.jcr.PathNotFoundException;
+import javax.jcr.RepositoryException;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlPolicy;
+import javax.jcr.security.Privilege;
+import java.security.Principal;
+import java.util.Set;
+
+import static
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.Constants.MIX_REP_PRINCIPAL_BASED_MIXIN;
+import static
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.Constants.REP_PRINCIPAL_POLICY;
+import static
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.MockUtility.mockFilterProvider;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_ADD_CHILD_NODES;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_LOCK_MANAGEMENT;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_READ;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_READ_ACCESS_CONTROL;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_REMOVE_CHILD_NODES;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_REMOVE_NODE;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_RETENTION_MANAGEMENT;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_VERSION_MANAGEMENT;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_WORKSPACE_MANAGEMENT;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.REP_READ_NODES;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.REP_WRITE;
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+
+public class PrincipalBasedAccessControlManagerTest extends
AbstractPrincipalBasedTest {
+
+ private PrincipalBasedAccessControlManager acMgr;
+ private ItemBasedPrincipal validPrincipal;
+
+ @Before
+ public void testBefore() throws Exception {
+ super.before();
+
+ acMgr = createAccessControlManager(root, getFilterProvider());
+ validPrincipal = (ItemBasedPrincipal)
getTestSystemUser().getPrincipal();
+ }
+
+ private PrincipalBasedAccessControlManager createAccessControlManager(Root
root, @NotNull FilterProvider filterProvider) {
+ return new
PrincipalBasedAccessControlManager(getMgrProvider(this.root), filterProvider);
+ }
+
+ private PrincipalPolicyImpl createValidPolicy() throws RepositoryException
{
+ String oakPath =
getNamePathMapper().getOakPath(validPrincipal.getPath());
+ return new PrincipalPolicyImpl(validPrincipal, oakPath,
getMgrProvider(root));
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testGetApplicablePoliciesNullPrincipal() throws Exception {
+ acMgr.getApplicablePolicies((Principal) null);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testGetApplicablePoliciesEmptyPrincipalName() throws Exception
{
+ acMgr.getApplicablePolicies(new PrincipalImpl(""));
+ }
+
+ @Test
+ public void testGetApplicablePoliciesPrincipalNotHandled() throws
Exception {
+ PrincipalBasedAccessControlManager mgr =
createAccessControlManager(root, mockFilterProvider(false));
+ assertEquals(0, mgr.getApplicablePolicies(validPrincipal).length);
+ }
+
+ @Test
+ public void testGetApplicablePoliciesPrincipalHandled() throws Exception {
+ PrincipalBasedAccessControlManager mgr =
createAccessControlManager(root, mockFilterProvider(true));
+ AccessControlPolicy[] applicable =
mgr.getApplicablePolicies(validPrincipal);
+ assertEquals(1, applicable.length);
+ assertTrue(applicable[0] instanceof PrincipalPolicyImpl);
+ }
+
+ @Test
+ public void testGetSetPolicy() throws Exception {
+ AccessControlPolicy[] applicable =
acMgr.getApplicablePolicies(validPrincipal);
+ assertEquals(1, applicable.length);
+ assertEquals(0, acMgr.getPolicies(validPrincipal).length);
+
+ PrincipalPolicyImpl policy = (PrincipalPolicyImpl) applicable[0];
+ policy.addEntry(testContentJcrPath, privilegesFromNames(JCR_READ));
+
+ acMgr.setPolicy(policy.getPath(), policy);
+ assertEquals(0, acMgr.getApplicablePolicies(validPrincipal).length);
+ assertEquals(1, acMgr.getPolicies(validPrincipal).length);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testGetPoliciesNullPrincipal() throws Exception {
+ acMgr.getPolicies((Principal) null);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testGetPoliciesEmptyPrincipalName() throws Exception {
+ acMgr.getPolicies(new PrincipalImpl(""));
+ }
+
+ @Test
+ public void testGetPoliciesPrincipalNotHandled() throws Exception {
+ PrincipalBasedAccessControlManager mgr =
createAccessControlManager(root, mockFilterProvider(false));
+ assertEquals(0, mgr.getPolicies(validPrincipal).length);
+ }
+
+ @Test
+ public void testGetPoliciesAccessControlledTree() throws Exception {
+ Tree tree =
root.getTree(getNamePathMapper().getOakPath(validPrincipal.getPath()));
+ TreeUtil.addMixin(tree, MIX_REP_PRINCIPAL_BASED_MIXIN,
root.getTree(NodeTypeConstants.NODE_TYPES_PATH), "uid");
+ assertEquals(0, acMgr.getPolicies(validPrincipal).length);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testGetEffectivePoliciesEmptyPrincipalName() throws Exception {
+ acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal, new
PrincipalImpl("")));
+ }
+
+ @Test
+ public void testGetEffectivePoliciesNothingSet() throws Exception {
+ assertEquals(0,
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)).length);
+ }
+
+ @Test
+ public void testGetEffectivePolicies() throws Exception {
+ PrincipalPolicyImpl policy = (PrincipalPolicyImpl)
acMgr.getApplicablePolicies(validPrincipal)[0];
+ policy.addEntry(testContentJcrPath,
privilegesFromNames(PrivilegeConstants.JCR_ALL));
+ acMgr.setPolicy(policy.getPath(), policy);
+
+ // transient changes => no effective policy
+ AccessControlPolicy[] effective =
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal));
+ assertEquals(0, effective.length);
+
+ // after commit => effective policy present
+ root.commit();
+ effective =
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal));
+ assertEquals(1, effective.length);
+ }
+
+ @Test
+ public void testGetEffectivePoliciesEmptyPolicySet() throws Exception {
+ JackrabbitAccessControlPolicy emptyPolicy =
acMgr.getApplicablePolicies(validPrincipal)[0];
+ acMgr.setPolicy(emptyPolicy.getPath(), emptyPolicy);
+ root.commit();
+ assertEquals(0,
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)).length);
+ }
+
+ @Test
+ public void testGetEffectivePoliciesRemovedPrincipal() throws Exception {
+ setupPrincipalBasedAccessControl(validPrincipal, null,
JCR_WORKSPACE_MANAGEMENT);
+ root.commit();
+
+ String id = getTestSystemUser().getID();
+ Root latestRoot = adminSession.getLatestRoot();
+ getUserManager(latestRoot).getAuthorizable(validPrincipal).remove();
+ latestRoot.commit();
+ try {
+ assertEquals(0,
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)).length);
+ } finally {
+ root.refresh();
+ getUserManager(root).createSystemUser(id, INTERMEDIATE_PATH);
+ root.commit();
+ }
+ }
+
+ /**
+ * Since principal-based permissions are only evaluated if the complete
set of principals is supported, the same
+ * should apply for {@link AccessControlManager#getEffectivePolicies(Set)}.
+ */
+ @Test
+ public void testGetEffectivePoliciesMixedPrincipalSet() throws Exception {
+ setupPrincipalBasedAccessControl(validPrincipal, testJcrPath,
JCR_READ);
+ root.commit();
+
+ Set<Principal> mixedPrincipalSet = ImmutableSet.of(validPrincipal,
getTestUser().getPrincipal());
+ assertEquals(0, acMgr.getEffectivePolicies(mixedPrincipalSet).length);
+ }
+
+ @Test
+ public void testGetEffectivePoliciesRemovedPolicy() throws Exception {
+ setupPrincipalBasedAccessControl(validPrincipal, null,
JCR_WORKSPACE_MANAGEMENT);
+ root.commit();
+
+ Root latestRoot = adminSession.getLatestRoot();
+
latestRoot.getTree(getNamePathMapper().getOakPath(validPrincipal.getPath())).getChild(REP_PRINCIPAL_POLICY).remove();
+ latestRoot.commit();
+
+ assertEquals(0,
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)).length);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testSetInvalidPolicy() throws Exception {
+ PrincipalPolicy policy = mock(PrincipalPolicy.class);
+ acMgr.setPolicy(validPrincipal.getPath(), policy);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testSetEffectivePolicy() throws Exception {
+ setupPrincipalBasedAccessControl(validPrincipal, testContentJcrPath,
REP_WRITE);
+ root.commit();
+
+ ImmutableACL effective = (ImmutableACL)
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal))[0];
+ acMgr.setPolicy(effective.getPath(), effective);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testSetPolicyPathMismatch() throws Exception {
+ PrincipalPolicyImpl policy = createValidPolicy();
+ acMgr.setPolicy(policy.getOakPath(), policy);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testSetPolicyNullPath() throws Exception {
+ PrincipalPolicy policy = mock(PrincipalPolicy.class);
+ acMgr.setPolicy(null, policy);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testSetPolicyUnsupportedPath() throws Exception {
+ String unsupportedJcrPath =
getNamePathMapper().getJcrPath(PathUtils.getParentPath(SUPPORTED_PATH));
+ acMgr.setPolicy(unsupportedJcrPath, createValidPolicy());
+ }
+
+ @Test
+ public void testSetEmptyPolicy() throws Exception {
+ PrincipalPolicyImpl policy = createValidPolicy();
+ acMgr.setPolicy(policy.getPath(), policy);
+
+ assertEquals(1, acMgr.getPolicies(validPrincipal).length);
+ assertEquals(0, acMgr.getApplicablePolicies(validPrincipal).length);
+
assertTrue(root.getTree(policy.getOakPath()).hasChild(REP_PRINCIPAL_POLICY));
+ }
+
+ @Test
+ public void testSetPolicyNonExistingEffectivePath() throws Exception {
+ PrincipalPolicyImpl policy = getPrincipalPolicyImpl(validPrincipal,
acMgr);
+ policy.addEntry(testJcrPath, privilegesFromNames(JCR_READ));
+ acMgr.setPolicy(policy.getPath(), policy);
+ root.commit();
+ }
+
+ @Test
+ public void testSetPolicyRemovedEffectivePath() throws Exception {
+ setupContentTrees(TEST_OAK_PATH);
+ root.commit();
+
+ PrincipalPolicyImpl policy = getPrincipalPolicyImpl(validPrincipal,
acMgr);
+ policy.addEntry(testJcrPath, privilegesFromNames(JCR_READ));
+
+ root.getTree(TEST_OAK_PATH).remove();
+ root.commit();
+
+ acMgr.setPolicy(policy.getPath(), policy);
+ root.commit();
+ }
+
+ @Test
+ public void testSetPolicy() throws Exception {
+ PrincipalPolicyImpl policy =
setupPrincipalBasedAccessControl(validPrincipal, PathUtils.ROOT_PATH,
JCR_READ_ACCESS_CONTROL);
+ addPrincipalBasedEntry(policy, null, JCR_WORKSPACE_MANAGEMENT);
+
+ Tree policyTree =
root.getTree(policy.getOakPath()).getChild(REP_PRINCIPAL_POLICY);
+ assertTrue(policyTree.exists());
+ assertEquals(2, policyTree.getChildrenCount(10));
+
+ AccessControlPolicy[] policies = acMgr.getPolicies(validPrincipal);
+ assertEquals(1, policies.length);
+ assertEquals(2, ((PrincipalPolicyImpl)policies[0]).size());
+ assertEquals(0, acMgr.getApplicablePolicies(validPrincipal).length);
+ }
+
+ @Test
+ public void testSetPolicyRemovesAllChildNodes() throws Exception {
+ PrincipalPolicyImpl policy =
setupPrincipalBasedAccessControl(validPrincipal, testJcrPath, JCR_READ);
+
+ Tree policyTree =
root.getTree(policy.getOakPath()).getChild(REP_PRINCIPAL_POLICY);
+ TreeUtil.addChild(policyTree, "nonEntryChild",
NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+
+ policy.removeAccessControlEntry(policy.getEntries().get(0));
+ policy.addEntry(testJcrPath, privilegesFromNames(REP_READ_NODES));
+ acMgr.setPolicy(policy.getPath(), policy);
+
+ policyTree =
root.getTree(policy.getOakPath()).getChild(REP_PRINCIPAL_POLICY);
+ assertFalse(policyTree.hasChild("nonEntryChild"));
+ policy = (PrincipalPolicyImpl) acMgr.getPolicies(validPrincipal)[0];
+ assertArrayEquals(privilegesFromNames(REP_READ_NODES),
policy.getEntries().get(0).getPrivileges());
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testRemoveInvalidPolicy() throws Exception {
+ PrincipalPolicy policy = mock(PrincipalPolicy.class);
+ acMgr.removePolicy(validPrincipal.getPath(), policy);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testRemoveEffectivePolicy() throws Exception {
+ setupPrincipalBasedAccessControl(validPrincipal, testContentJcrPath,
REP_WRITE);
+ root.commit();
+
+ ImmutableACL effective = (ImmutableACL)
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal))[0];
+ acMgr.removePolicy(effective.getPath(), effective);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testRemovePolicyPathMismatch() throws Exception {
+ PrincipalPolicyImpl policy = createValidPolicy();
+ acMgr.removePolicy(PathUtils.getParentPath(policy.getPath()), policy);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testRemovePolicyNullPath() throws Exception {
+ PrincipalPolicy policy = mock(PrincipalPolicy.class);
+ acMgr.removePolicy(null, policy);
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testRemovePolicyUnsupportedPath() throws Exception {
+ String unsupportedJcrPath =
getNamePathMapper().getJcrPath(PathUtils.getParentPath(SUPPORTED_PATH));
+ acMgr.removePolicy(unsupportedJcrPath, createValidPolicy());
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testRemovePolicyTreeAlreadyRemoved() throws Exception {
+ PrincipalPolicyImpl policy = createValidPolicy();
+ acMgr.setPolicy(policy.getPath(), policy);
+
+ // remove tree => then try to remove the policy
+
root.getTree(policy.getOakPath()).getChild(REP_PRINCIPAL_POLICY).remove();
+ acMgr.removePolicy(policy.getPath(), policy);
+ }
+
+ @Test
+ public void testRemoveEmptyPolicy() throws Exception {
+ PrincipalPolicyImpl policy = createValidPolicy();
+ acMgr.setPolicy(policy.getPath(), policy);
+
+ acMgr.removePolicy(policy.getPath(), policy);
+ assertEquals(0, acMgr.getPolicies(validPrincipal).length);
+ assertEquals(1, acMgr.getApplicablePolicies(validPrincipal).length);
+
assertFalse(root.getTree(policy.getOakPath()).hasChild(REP_PRINCIPAL_POLICY));
+ }
+
+ @Test
+ public void testRemovePolicy() throws Exception {
+ PrincipalPolicyImpl policy =
setupPrincipalBasedAccessControl(validPrincipal,
getNamePathMapper().getJcrPath(UserConstants.DEFAULT_USER_PATH),
PrivilegeConstants.REP_USER_MANAGEMENT);
+ addPrincipalBasedEntry(policy, null,
PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT);
+
+ acMgr.removePolicy(policy.getPath(), policy);
+ assertEquals(0, acMgr.getPolicies(validPrincipal).length);
+ assertEquals(1, acMgr.getApplicablePolicies(validPrincipal).length);
+
assertFalse(root.getTree(policy.getOakPath()).hasChild(REP_PRINCIPAL_POLICY));
+ }
+
+ @Test
+ public void testGetApplicableByPath() throws RepositoryException {
+
assertFalse(acMgr.getApplicablePolicies(validPrincipal.getPath()).hasNext());
+ }
+
+ @Test(expected = PathNotFoundException.class)
+ public void testGetApplicableByNonExistingPath() throws
RepositoryException {
+ acMgr.getApplicablePolicies(testContentJcrPath);
+ }
+
+ @Test
+ public void testGetPoliciesByPath() throws RepositoryException {
+ assertEquals(0, acMgr.getPolicies(validPrincipal.getPath()).length);
+ }
+
+ @Test(expected = PathNotFoundException.class)
+ public void testGetPoliciesByNonExistingPath() throws RepositoryException {
+ acMgr.getPolicies(testContentJcrPath);
+ }
+
+ @Test
+ public void testGetEffectivePoliciesByPathNothingSet() throws Exception {
+ setupContentTrees(TEST_OAK_PATH);
+ assertEquals(0, acMgr.getEffectivePolicies(testContentJcrPath).length);
+ assertEquals(0, acMgr.getEffectivePolicies((String) null).length);
+ }
+
+ @Test
+ public void testGetEffectivePoliciesByPathTransientPolicy() throws
Exception {
+ setupContentTrees(TEST_OAK_PATH);
+ setupPrincipalBasedAccessControl(validPrincipal, testContentJcrPath,
JCR_VERSION_MANAGEMENT);
+
+ assertEquals(0, acMgr.getEffectivePolicies(testContentJcrPath).length);
+ assertEquals(0, acMgr.getEffectivePolicies(testJcrPath).length);
+ }
+
+ @Test(expected = PathNotFoundException.class)
+ public void testGetEffectivePoliciesByNonExistingPath() throws Exception {
+ PrincipalPolicyImpl policy =
setupPrincipalBasedAccessControl(validPrincipal, testContentJcrPath,
JCR_VERSION_MANAGEMENT);
+ addPrincipalBasedEntry(policy, PathUtils.ROOT_PATH, JCR_READ);
+ root.commit();
+
+ acMgr.getEffectivePolicies(testContentJcrPath);
+ }
+
+ @Test
+ public void testGetEffectivePoliciesByPath() throws Exception {
+ setupContentTrees(TEST_OAK_PATH);
+ PrincipalPolicyImpl policy =
setupPrincipalBasedAccessControl(validPrincipal, testContentJcrPath,
JCR_REMOVE_CHILD_NODES);
+ addPrincipalBasedEntry(policy, PathUtils.ROOT_PATH, JCR_READ);
+ root.commit();
+
+ assertEquals(2, acMgr.getEffectivePolicies(testJcrPath).length);
+ assertEquals(2, acMgr.getEffectivePolicies(testContentJcrPath).length);
+ assertEquals(1,
acMgr.getEffectivePolicies(PathUtils.ROOT_PATH).length);
+ }
+
+ @Test
+ public void testGetPolicyWithNonAceChild() throws Exception {
+ setupContentTrees(TEST_OAK_PATH);
+ PrincipalPolicyImpl policy =
setupPrincipalBasedAccessControl(validPrincipal, testContentJcrPath,
JCR_RETENTION_MANAGEMENT);
+ addPrincipalBasedEntry(policy, PathUtils.ROOT_PATH, JCR_READ);
+
+ Tree policyTree =
root.getTree(getNamePathMapper().getOakPath(policy.getPath())).getChild(REP_PRINCIPAL_POLICY);
+ TreeUtil.addChild(policyTree, "nonAceChild",
NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+ // don't commit as adding such child without extra mixins was invalid
+
+ // read policy again -> must only contain 2 entries and ignore the
invalid child
+ policy = (PrincipalPolicyImpl) acMgr.getPolicies(validPrincipal)[0];
+ assertEquals(2, policy.size());
+ }
+
+ @Test
+ public void testGetPolicyMissingMixinType() throws Exception {
+ setupContentTrees(TEST_OAK_PATH);
+ PrincipalPolicyImpl policy =
setupPrincipalBasedAccessControl(validPrincipal, testContentJcrPath,
JCR_LOCK_MANAGEMENT);
+ addPrincipalBasedEntry(policy, PathUtils.ROOT_PATH, JCR_READ);
+
+ Tree policyTree =
root.getTree(getNamePathMapper().getOakPath(policy.getPath()));
+ policyTree.removeProperty(JcrConstants.JCR_MIXINTYPES);
+ // don't commit as access controlled node without mixin is invalid
+
+ // read policy again -> princial policy must not be read due to
missing mixin
+ assertEquals(0, acMgr.getPolicies(validPrincipal).length);
+ }
+
+ @Test
+ public void testHasPrivilegesByPrincipals() throws Exception {
+ setupContentTrees(TEST_OAK_PATH);
+ setupPrincipalBasedAccessControl(validPrincipal, testContentJcrPath,
JCR_NODE_TYPE_MANAGEMENT);
+
+ // setup default ac mgt only on subtree (testJcrPath)
+ addDefaultEntry(testJcrPath, validPrincipal, JCR_NODE_TYPE_MANAGEMENT);
+ root.commit();
+
+ // priv is only granted where both models are granting.
+ assertFalse(acMgr.hasPrivileges(testContentJcrPath,
ImmutableSet.of(validPrincipal),
privilegesFromNames(JCR_NODE_TYPE_MANAGEMENT)));
+ assertTrue(acMgr.hasPrivileges(testJcrPath,
ImmutableSet.of(validPrincipal),
privilegesFromNames(JCR_NODE_TYPE_MANAGEMENT)));
+
+ // set of principals not supported by principalbased-authorization =>
only default impl takes effect.
+ assertFalse(acMgr.hasPrivileges(testContentJcrPath,
ImmutableSet.of(validPrincipal, EveryonePrincipal.getInstance()),
privilegesFromNames(JCR_NODE_TYPE_MANAGEMENT)));
+ assertTrue(acMgr.hasPrivileges(testJcrPath,
ImmutableSet.of(validPrincipal, EveryonePrincipal.getInstance()),
privilegesFromNames(JCR_NODE_TYPE_MANAGEMENT)));
+ }
+
+ @Test
+ public void testGetPrivilegesByPrincipals() throws Exception {
+ setupContentTrees(TEST_OAK_PATH);
+ setupPrincipalBasedAccessControl(validPrincipal, testContentJcrPath,
JCR_ADD_CHILD_NODES, JCR_REMOVE_CHILD_NODES, JCR_REMOVE_NODE);
+
+ // grant different set of privs using the default ac mgt
+ addDefaultEntry(testContentJcrPath, validPrincipal, JCR_READ,
JCR_REMOVE_NODE);
+ root.commit();
+
+ // only subset is is granted
+ assertPrivileges(acMgr.getPrivileges(testContentJcrPath,
ImmutableSet.of(validPrincipal)), JCR_REMOVE_NODE);
+ assertPrivileges(acMgr.getPrivileges(testJcrPath,
ImmutableSet.of(validPrincipal)), JCR_REMOVE_NODE);
+
+ // set of principals not supported by principalbased-authorization =>
only default impl takes effect.
+ assertPrivileges(acMgr.getPrivileges(testContentJcrPath,
ImmutableSet.of(validPrincipal, EveryonePrincipal.getInstance())), JCR_READ,
JCR_REMOVE_NODE);
+ assertPrivileges(acMgr.getPrivileges(testJcrPath,
ImmutableSet.of(validPrincipal, EveryonePrincipal.getInstance())), JCR_READ,
JCR_REMOVE_NODE);
+ }
+
+ private void assertPrivileges(@NotNull Privilege[] privs, @NotNull
String... expectedOakPrivNames) throws Exception {
+
assertEquals(ImmutableSet.copyOf(privilegesFromNames(expectedOakPrivNames)),
ImmutableSet.copyOf(privs));
+ }
+}
\ No newline at end of file
Propchange:
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Added:
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationOsgiTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationOsgiTest.java?rev=1857551&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationOsgiTest.java
(added)
+++
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationOsgiTest.java
Mon Apr 15 07:16:49 2019
@@ -0,0 +1,109 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import com.google.common.collect.ImmutableMap;
+import org.apache.jackrabbit.oak.composite.MountInfoProviderService;
+import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
+import org.apache.jackrabbit.util.Text;
+import org.apache.sling.testing.mock.osgi.ReferenceViolationException;
+import org.apache.sling.testing.mock.osgi.junit.OsgiContext;
+import org.jetbrains.annotations.NotNull;
+import org.junit.Rule;
+import org.junit.Test;
+
+import static
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.AbstractPrincipalBasedTest.SUPPORTED_PATH;
+import static org.junit.Assert.assertTrue;
+
+public class PrincipalBasedAuthorizationConfigurationOsgiTest {
+
+ @Rule
+ public final OsgiContext context = new OsgiContext();
+
+ private final PrincipalBasedAuthorizationConfiguration pbac = new
PrincipalBasedAuthorizationConfiguration();
+
+ @NotNull
+ protected PrincipalBasedAuthorizationConfiguration
initPrincipalBasedAuthorizationConfiguration() {
+ // create instance without binding mandatory references
+ return new PrincipalBasedAuthorizationConfiguration();
+ }
+
+ @Test(expected = ReferenceViolationException.class)
+ public void testMissingMandatoryReferences() {
+ context.registerInjectActivateService(pbac, ImmutableMap.of());
+ }
+
+ @Test(expected = ReferenceViolationException.class)
+ public void testMissingMountInfoProviderReference() {
+ context.registerInjectActivateService(new FilterProviderImpl(),
ImmutableMap.of("path", SUPPORTED_PATH));
+ context.registerInjectActivateService(pbac);
+ }
+
+ @Test(expected = ReferenceViolationException.class)
+ public void testMissingFilterProviderReference() {
+ context.registerInjectActivateService(new MountInfoProviderService());
+ context.registerInjectActivateService(pbac, ImmutableMap.of());
+ }
+
+ @Test
+ public void testMountCollidingWithFilterRoot() {
+ FilterProviderImpl fp = new FilterProviderImpl();
+ context.registerInjectActivateService(fp, ImmutableMap.of("path",
SUPPORTED_PATH));
+
+ MountInfoProviderService mipService = new MountInfoProviderService();
+ context.registerInjectActivateService(mipService,
ImmutableMap.of("mountedPaths", new String[] {SUPPORTED_PATH + "/some/subtree",
"/etc"}));
+
+ try {
+ context.registerInjectActivateService(pbac, ImmutableMap.of());
+ } catch (RuntimeException e) {
+ assertTrue(e.getCause() instanceof IllegalStateException);
+ }
+ }
+
+ @Test
+ public void testMountMatchingFilterRoot() {
+ FilterProviderImpl fp = new FilterProviderImpl();
+ context.registerInjectActivateService(fp, ImmutableMap.of("path",
SUPPORTED_PATH));
+
+ MountInfoProviderService mipService = new MountInfoProviderService();
+ context.registerInjectActivateService(mipService,
ImmutableMap.of("mountedPaths", new String[] {SUPPORTED_PATH}));
+
+ context.registerInjectActivateService(pbac, ImmutableMap.of());
+ }
+
+ @Test
+ public void testMountAboveFilterRoot() {
+ FilterProviderImpl fp = new FilterProviderImpl();
+ context.registerInjectActivateService(fp, ImmutableMap.of("path",
SUPPORTED_PATH));
+
+ MountInfoProviderService mipService = new MountInfoProviderService();
+ context.registerInjectActivateService(mipService,
ImmutableMap.of("mountedPaths", new String[]
{Text.getRelativeParent(SUPPORTED_PATH, 1)}));
+
+ context.registerInjectActivateService(pbac, ImmutableMap.of());
+ }
+
+ @Test
+ public void testMountsElsewhere() {
+ FilterProviderImpl fp = new FilterProviderImpl();
+ context.registerInjectActivateService(fp, ImmutableMap.of("path",
SUPPORTED_PATH));
+
+ MountInfoProviderService mipService = new MountInfoProviderService();
+ context.registerInjectActivateService(mipService,
ImmutableMap.of("mountedPaths", new String[] {"/etc", "/var/some/mount",
UserConstants.DEFAULT_GROUP_PATH}));
+
+ context.registerInjectActivateService(pbac, ImmutableMap.of());
+ }
+}
\ No newline at end of file
Propchange:
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationOsgiTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Added:
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationTest.java?rev=1857551&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationTest.java
(added)
+++
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationTest.java
Mon Apr 15 07:16:49 2019
@@ -0,0 +1,236 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
+import
org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl;
+import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
+import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
+import org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer;
+import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
+import org.apache.jackrabbit.oak.spi.security.CompositeConfiguration;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter;
+import
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider;
+import
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.state.ReadOnlyBuilder;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
+import org.junit.Test;
+
+import javax.jcr.nodetype.NodeTypeManager;
+import javax.jcr.security.AccessControlManager;
+import java.lang.reflect.Field;
+import java.security.Principal;
+import java.util.List;
+import java.util.Set;
+
+import static
org.apache.jackrabbit.oak.spi.security.CompositeConfiguration.PARAM_RANKING;
+import static
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.Constants.NT_REP_PRINCIPAL_ENTRY;
+import static
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.Constants.NT_REP_PRINCIPAL_POLICY;
+import static
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.Constants.NT_REP_RESTRICTIONS;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNotSame;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class PrincipalBasedAuthorizationConfigurationTest extends
AbstractPrincipalBasedTest {
+
+ @Test
+ public void testEmptyConstructor() {
+ assertEquals(ConfigurationParameters.EMPTY, new
PrincipalBasedAuthorizationConfiguration().getParameters());
+ }
+
+ @Test
+ public void testGetName() {
+ assertEquals(AuthorizationConfiguration.NAME, new
PrincipalBasedAuthorizationConfiguration().getName());
+ }
+
+ @Test
+ public void testGetCommitHooks() {
+ assertTrue(new
PrincipalBasedAuthorizationConfiguration().getCommitHooks("wspName").isEmpty());
+ }
+
+ @Test
+ public void testGetValidators() {
+ List<? extends ValidatorProvider> l = new
PrincipalBasedAuthorizationConfiguration().getValidators("wspName",
ImmutableSet.of(), new MoveTracker());
+ assertEquals(1, l.size());
+ assertTrue(l.get(0) instanceof PrincipalPolicyValidatorProvider);
+ }
+
+ @Test
+ public void testGetProtectedItemImporters() {
+ List<ProtectedItemImporter> l = new
PrincipalBasedAuthorizationConfiguration().getProtectedItemImporters();
+ assertEquals(1, l.size());
+ assertTrue(l.get(0) instanceof PrincipalPolicyImporter);
+ }
+
+ @Test
+ public void testGetRepositoryInitializer() {
+ RepositoryInitializer ri = new
PrincipalBasedAuthorizationConfiguration().getRepositoryInitializer();
+ assertNotSame(RepositoryInitializer.DEFAULT, ri);
+ }
+
+ @Test
+ public void testInitialized() throws Exception {
+ NodeTypeManager nodeTypeManager =
ReadOnlyNodeTypeManager.getInstance(root, NamePathMapper.DEFAULT);
+ for (String ntName : new String[] {NT_REP_PRINCIPAL_POLICY,
NT_REP_PRINCIPAL_ENTRY, NT_REP_RESTRICTIONS}) {
+ assertTrue(nodeTypeManager.hasNodeType(ntName));
+ }
+ }
+
+ @Test
+ public void testGetRepositoryInitializerInitialized() {
+ Root r = getRootProvider().createReadOnlyRoot(root);
+ CompositeConfiguration<AuthorizationConfiguration> cc =
(CompositeConfiguration)
getSecurityProvider().getConfiguration(AuthorizationConfiguration.class);
+ PrincipalBasedAuthorizationConfiguration pbac = null;
+ for (AuthorizationConfiguration ac : cc.getConfigurations()) {
+ if (ac instanceof PrincipalBasedAuthorizationConfiguration) {
+ pbac = (PrincipalBasedAuthorizationConfiguration) ac;
+ break;
+ }
+ }
+
+ assertNotNull(pbac);
+ RepositoryInitializer ri = pbac.getRepositoryInitializer();
+ ri.initialize(new
ReadOnlyBuilder(getTreeProvider().asNodeState(r.getTree("/"))));
+ }
+
+ @Test
+ public void testGetContext() {
+ assertSame(ContextImpl.INSTANCE, new
PrincipalBasedAuthorizationConfiguration().getContext());
+ }
+
+ @Test
+ public void testGetPermissionProviderUnsupportedPrincipals() throws
Exception {
+ FilterProvider fp =
when(mock(FilterProvider.class).getFilter(any(SecurityProvider.class),
any(Root.class),
any(NamePathMapper.class))).thenReturn(mock(Filter.class)).getMock();
+
+ PrincipalBasedAuthorizationConfiguration pbac = new
PrincipalBasedAuthorizationConfiguration();
+ pbac.bindFilterProvider(fp);
+ pbac.setSecurityProvider(securityProvider);
+ pbac.setRootProvider(getRootProvider());
+
+ Set<Principal> principals =
ImmutableSet.of(EveryonePrincipal.getInstance(), getTestUser().getPrincipal());
+ PermissionProvider pp = pbac.getPermissionProvider(root, "wspName",
principals);
+ assertSame(EmptyPermissionProvider.getInstance(), pp);
+
+ principals = ImmutableSet.of(getTestSystemUser().getPrincipal());
+ pp = pbac.getPermissionProvider(root, "wspName", principals);
+ assertSame(EmptyPermissionProvider.getInstance(), pp);
+ }
+
+ @Test
+ public void testGetPermissionProvider() throws Exception {
+ Filter filter = mock(Filter.class);
+ when(filter.canHandle(any(Set.class))).thenReturn(Boolean.TRUE);
+ when(filter.getOakPath(any(Principal.class))).thenReturn("/some/path");
+ FilterProvider fp =
when(mock(FilterProvider.class).getFilter(any(SecurityProvider.class),
any(Root.class), any(NamePathMapper.class))).thenReturn(filter).getMock();
+
+ PrincipalBasedAuthorizationConfiguration pbac = new
PrincipalBasedAuthorizationConfiguration();
+ pbac.bindFilterProvider(fp);
+ pbac.setSecurityProvider(getSecurityProvider());
+ pbac.setRootProvider(getRootProvider());
+
+ Set<Principal> principals =
ImmutableSet.of(getTestUser().getPrincipal());
+ PermissionProvider pp = pbac.getPermissionProvider(root, "wspName",
principals);
+ assertTrue(pp instanceof PrincipalBasedPermissionProvider);
+ }
+
+ @Test
+ public void testGetAccessControlManager() {
+ PrincipalBasedAuthorizationConfiguration pbac = new
PrincipalBasedAuthorizationConfiguration();
+ pbac.setSecurityProvider(getSecurityProvider());
+ pbac.bindFilterProvider(mock(FilterProvider.class));
+
+ AccessControlManager acMgr = pbac.getAccessControlManager(root,
NamePathMapper.DEFAULT);
+ assertTrue(acMgr instanceof PrincipalBasedAccessControlManager);
+ }
+
+ @Test
+ public void testGetRestrictionProvider() {
+ PrincipalBasedAuthorizationConfiguration pbac = new
PrincipalBasedAuthorizationConfiguration();
+ assertSame(RestrictionProvider.EMPTY, pbac.getRestrictionProvider());
+
+
pbac.setParameters(getSecurityProvider().getParameters(AuthorizationConfiguration.NAME));
+ RestrictionProvider rp = pbac.getRestrictionProvider();
+
+ assert(rp instanceof RestrictionProviderImpl);
+ }
+
+ @Test
+ public void testActivate() {
+ PrincipalBasedAuthorizationConfiguration pbac =
getPrincipalBasedAuthorizationConfiguration();
+
pbac.activate(mock(PrincipalBasedAuthorizationConfiguration.Configuration.class),
ImmutableMap.of(PARAM_RANKING, 50, "invalid", "someValue"));
+
+ ConfigurationParameters params = pbac.getParameters();
+ assertEquals(50, params.get(PARAM_RANKING));
+ assertEquals("someValue", params.get("invalid"));
+ }
+
+ @Test
+ public void testModified() {
+ PrincipalBasedAuthorizationConfiguration pbac =
getPrincipalBasedAuthorizationConfiguration();
+
pbac.activate(mock(PrincipalBasedAuthorizationConfiguration.Configuration.class),
ImmutableMap.of(PARAM_RANKING, 50, "invalid", "someValue"));
+
pbac.modified(mock(PrincipalBasedAuthorizationConfiguration.Configuration.class),
ImmutableMap.of(PARAM_RANKING, 85, "test", "someValue"));
+
+ ConfigurationParameters params = pbac.getParameters();
+ assertEquals(85, params.get(PARAM_RANKING));
+ assertEquals("someValue", params.get("test"));
+ assertNull(params.get("invalid"));
+ }
+
+ @Test
+ public void testBindUnbindFilterProvider() throws Exception {
+ Field fp =
PrincipalBasedAuthorizationConfiguration.class.getDeclaredField("filterProvider");
+ fp.setAccessible(true);
+
+ PrincipalBasedAuthorizationConfiguration pbac = new
PrincipalBasedAuthorizationConfiguration();
+ pbac.bindFilterProvider(mock(FilterProvider.class));
+
+ assertNotNull(fp.get(pbac));
+
+ pbac.unbindFilterProvider(mock(FilterProvider.class));
+ assertNull(fp.get(pbac));
+ }
+
+ @Test
+ public void testBindUnbindMountInfoProvider() throws Exception {
+ Field f =
PrincipalBasedAuthorizationConfiguration.class.getDeclaredField("mountInfoProvider");
+ f.setAccessible(true);
+
+ PrincipalBasedAuthorizationConfiguration pbac = new
PrincipalBasedAuthorizationConfiguration();
+ pbac.bindMountInfoProvider(mock(MountInfoProvider.class));
+
+ assertNotNull(f.get(pbac));
+
+ pbac.unbindMountInfoProvider(mock(MountInfoProvider.class));
+ assertNull(f.get(pbac));
+ }
+}
\ No newline at end of file
Propchange:
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAuthorizationConfigurationTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Added:
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedPermissionProviderTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedPermissionProviderTest.java?rev=1857551&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedPermissionProviderTest.java
(added)
+++
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedPermissionProviderTest.java
Mon Apr 15 07:16:49 2019
@@ -0,0 +1,229 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import com.google.common.collect.ImmutableMap;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
+import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import org.apache.jackrabbit.oak.plugins.tree.TreeType;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.junit.Before;
+import org.junit.Test;
+
+import javax.jcr.PropertyType;
+import javax.jcr.Value;
+import java.security.Principal;
+import java.util.Map;
+
+import static org.apache.jackrabbit.JcrConstants.JCR_PRIMARYTYPE;
+import static org.apache.jackrabbit.JcrConstants.NT_FOLDER;
+import static
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.REP_NT_NAMES;
+import static
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.Constants.REP_PRINCIPAL_POLICY;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_READ;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_REMOVE_CHILD_NODES;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_REMOVE_NODE;
+import static
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_VERSION_MANAGEMENT;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+
+public class PrincipalBasedPermissionProviderTest extends
AbstractPrincipalBasedTest {
+
+ private Principal testPrincipal;
+
+ private PrincipalBasedPermissionProvider permissionProvider;
+
+ private String contentPath;
+ private String childPath;
+
+ @Before
+ public void before() throws Exception {
+ super.before();
+
+ contentPath = PathUtils.getAncestorPath(TEST_OAK_PATH, 3);
+ childPath = PathUtils.getAncestorPath(TEST_OAK_PATH, 2);
+
+ testPrincipal = getTestSystemUser().getPrincipal();
+ setupContentTrees(TEST_OAK_PATH);
+ setupContentTrees(NT_FOLDER, childPath + "/folder", TEST_OAK_PATH +
"/folder");
+
+ // setup permissions on childPath + TEST_OAK_PATH
+ PrincipalPolicyImpl policy =
setupPrincipalBasedAccessControl(testPrincipal,
getNamePathMapper().getJcrPath(childPath), JCR_READ, JCR_REMOVE_CHILD_NODES);
+ addPrincipalBasedEntry(policy,
getNamePathMapper().getJcrPath(TEST_OAK_PATH), JCR_VERSION_MANAGEMENT);
+
+ // add an entry with nt-name restriction at childPath
+ JackrabbitAccessControlManager jacm = getAccessControlManager(root);
+ policy = getPrincipalPolicyImpl(testPrincipal, jacm);
+ Map<String, Value[]> restrictions = ImmutableMap.of(REP_NT_NAMES, new
Value[] {getValueFactory(root).createValue(NT_FOLDER, PropertyType.NAME)});
+ policy.addEntry(childPath, privilegesFromNames(JCR_REMOVE_NODE),
ImmutableMap.of(), restrictions);
+ jacm.setPolicy(policy.getPath(), policy);
+ root.commit();
+
+ permissionProvider = createPermissionProvider(root,
getTestSystemUser().getPrincipal());
+ }
+
+ @Override
+ protected NamePathMapper getNamePathMapper() {
+ return NamePathMapper.DEFAULT;
+ }
+
+ @Test
+ public void testSupportedPrivileges() {
+ for (PrivilegeBits bits : PrivilegeBits.BUILT_IN.values()) {
+ assertEquals(bits, permissionProvider.supportedPrivileges(null,
bits));
+ assertEquals(bits,
permissionProvider.supportedPrivileges(mock(Tree.class), bits));
+ }
+ }
+
+ @Test
+ public void testSupportedPrivilegesAllBits() {
+ PrivilegeBits all = new
PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL);
+ assertEquals(all, permissionProvider.supportedPrivileges(null, all));
+ assertEquals(all,
permissionProvider.supportedPrivileges(mock(Tree.class), all));
+ }
+
+ @Test
+ public void testSupportedPrivilegesNullBits() {
+ PrivilegeBits all = new
PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL);
+ assertEquals(all, permissionProvider.supportedPrivileges(null, null));
+ assertEquals(all,
permissionProvider.supportedPrivileges(mock(Tree.class), null));
+ }
+
+ @Test
+ public void testSupportedPermissions() {
+ Tree tree = mock(Tree.class);
+ PropertyState property = mock(PropertyState.class);
+ for (long permission : Permissions.aggregates(Permissions.ALL)) {
+ assertEquals(permission,
permissionProvider.supportedPermissions(tree, property, permission));
+ assertEquals(permission,
permissionProvider.supportedPermissions(tree, null, permission));
+ }
+ assertEquals(Permissions.ALL,
permissionProvider.supportedPermissions(tree, property, Permissions.ALL));
+ assertEquals(Permissions.ALL,
permissionProvider.supportedPermissions(tree, null, Permissions.ALL));
+ }
+
+ @Test
+ public void testSupportedPermissionsTreeLocation() {
+ TreeLocation location = mock(TreeLocation.class);
+ for (long permission : Permissions.aggregates(Permissions.ALL)) {
+ assertEquals(permission,
permissionProvider.supportedPermissions(location, permission));
+ }
+ assertEquals(Permissions.ALL,
permissionProvider.supportedPermissions(location, Permissions.ALL));
+ }
+
+ @Test
+ public void testSupportedPermissionsTreePermission() {
+ TreePermission tp = mock(TreePermission.class);
+ PropertyState property = mock(PropertyState.class);
+ for (long permission : Permissions.aggregates(Permissions.ALL)) {
+ assertEquals(permission,
permissionProvider.supportedPermissions(tp, property, permission));
+ assertEquals(permission,
permissionProvider.supportedPermissions(tp, null, permission));
+ }
+ assertEquals(Permissions.ALL,
permissionProvider.supportedPermissions(tp, property, Permissions.ALL));
+ assertEquals(Permissions.ALL,
permissionProvider.supportedPermissions(tp, null, Permissions.ALL));
+ }
+
+ @Test
+ public void testHasPrivileges() {
+ assertTrue(permissionProvider.hasPrivileges(root.getTree(childPath),
PrivilegeConstants.JCR_READ));
+ assertFalse(permissionProvider.hasPrivileges(root.getTree(childPath),
PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_REMOVE_NODE));
+ assertTrue(permissionProvider.hasPrivileges(root.getTree(childPath +
"/folder"), PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_REMOVE_NODE));
+ assertFalse(permissionProvider.hasPrivileges(root.getTree(childPath),
PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_VERSION_MANAGEMENT));
+
assertTrue(permissionProvider.hasPrivileges(root.getTree(TEST_OAK_PATH),
PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_VERSION_MANAGEMENT));
+ }
+
+ @Test
+ public void testGetTreePermission() {
+ Tree tree = root.getTree(PathUtils.ROOT_PATH);
+ TreePermission tp = permissionProvider.getTreePermission(tree,
TreePermission.EMPTY);
+ for (String elem : PathUtils.elements(TEST_OAK_PATH)) {
+ tree = tree.getChild(elem);
+ tp = permissionProvider.getTreePermission(tree, tp);
+ assertTrue(tp instanceof AbstractTreePermission);
+ assertSame(TreeType.DEFAULT, ((AbstractTreePermission)
tp).getType());
+ }
+ }
+
+ @Test
+ public void testIsGranted() {
+ Tree t = root.getTree(childPath);
+ assertTrue(permissionProvider.isGranted(t, null,
Permissions.READ_NODE));
+ assertTrue(permissionProvider.isGranted(t,
t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));
+ assertFalse(permissionProvider.isGranted(t, null,
Permissions.READ_NODE|Permissions.VERSION_MANAGEMENT));
+
+
+ t = root.getTree(TEST_OAK_PATH);
+ assertTrue(permissionProvider.isGranted(t, null,
Permissions.READ_NODE|Permissions.VERSION_MANAGEMENT));
+ assertTrue(permissionProvider.isGranted(t,
t.getProperty(JCR_PRIMARYTYPE),
Permissions.READ_PROPERTY|Permissions.VERSION_MANAGEMENT));
+ }
+
+ @Test
+ public void testIsGrantedNonExistingTree() {
+ Tree nonExisting = root.getTree(TEST_OAK_PATH).getChild("nonExisting");
+
+ assertTrue(permissionProvider.isGranted(nonExisting, null,
Permissions.READ));
+ assertTrue(permissionProvider.isGranted(nonExisting,
PropertyStates.createProperty("propName", "value"), Permissions.READ));
+ }
+
+ @Test
+ public void testIsGrantedWithRestriction() {
+ assertFalse(permissionProvider.isGranted(root.getTree(TEST_OAK_PATH),
null, Permissions.REMOVE_NODE));
+ assertFalse(permissionProvider.isGranted(root.getTree(childPath),
null, Permissions.REMOVE_NODE));
+
+ assertTrue(permissionProvider.isGranted(root.getTree(TEST_OAK_PATH +
"/folder"), null, Permissions.REMOVE_NODE));
+ assertTrue(permissionProvider.isGranted(root.getTree(childPath +
"/folder"), null, Permissions.REMOVE_NODE));
+ }
+
+ @Test
+ public void testIsGrantedTreeLocation() {
+ TreeLocation tl = TreeLocation.create(root, TEST_OAK_PATH);
+ assertFalse(permissionProvider.isGranted(tl,
Permissions.READ|Permissions.REMOVE_NODE));
+ }
+
+ @Test
+ public void testIsGrantedNonExistingTreeLocation() {
+ TreeLocation tl = TreeLocation.create(root, childPath +
"/nonExisting");
+
+ assertTrue(permissionProvider.isGranted(tl, Permissions.READ));
+ assertFalse(permissionProvider.isGranted(tl, Permissions.REMOVE_NODE));
+ }
+
+ @Test
+ public void testIsGrantedNonExistingParentTreeLocation() {
+ TreeLocation tl = TreeLocation.create(root, childPath +
"/nonExistingParent/nonExisting");
+
+ assertTrue(permissionProvider.isGranted(tl, Permissions.READ));
+ assertFalse(permissionProvider.isGranted(tl, Permissions.REMOVE_NODE));
+ }
+
+ @Test
+ public void testIsGrantedAccessControlTreeLocation() throws Exception{
+ TreeLocation tl = TreeLocation.create(root,
PathUtils.concat(getTestSystemUser().getPath(), REP_PRINCIPAL_POLICY));
+ assertFalse(permissionProvider.isGranted(tl, Permissions.READ));
+ }
+}
\ No newline at end of file
Propchange:
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedPermissionProviderTest.java
------------------------------------------------------------------------------
svn:eol-style = native
