Author: angela
Date: Wed Aug 14 08:20:34 2019
New Revision: 1865092

URL: http://svn.apache.org/viewvc?rev=1865092&view=rev
Log:
OAK-8540 : Effective policies should implememt PrincipalAccessControlList

Added:
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractEntry.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicy.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractEntryTest.java
   (with props)
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicyTest.java
   (with props)
Modified:
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImpl.java
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EffectivePolicyTest.java
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java
    
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImplTest.java

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractEntry.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractEntry.java?rev=1865092&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractEntry.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractEntry.java
 Wed Aug 14 08:20:34 2019
@@ -0,0 +1,80 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import com.google.common.base.Objects;
+import 
org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+import javax.jcr.security.AccessControlException;
+import java.security.Principal;
+import java.util.Set;
+
+abstract class AbstractEntry extends ACE implements 
PrincipalAccessControlList.Entry {
+
+    private final String oakPath;
+
+    private int hashCode;
+
+    AbstractEntry(@Nullable String oakPath, @NotNull Principal principal, 
@NotNull PrivilegeBits privilegeBits, @NotNull Set<Restriction> restrictions, 
@NotNull NamePathMapper namePathMapper) throws AccessControlException {
+        super(principal, privilegeBits, true, restrictions, namePathMapper);
+        this.oakPath = oakPath;
+    }
+
+    @Nullable
+    String getOakPath() {
+        return oakPath;
+    }
+
+    @NotNull
+    abstract NamePathMapper getNamePathMapper();
+
+    @Override
+    @Nullable
+    public String getEffectivePath() {
+        return (oakPath == null) ? null : 
getNamePathMapper().getJcrPath(oakPath);
+    }
+
+    @Override
+    public int hashCode() {
+        if (hashCode == 0) {
+            hashCode = Objects.hashCode(oakPath, getPrincipal().getName(), 
getPrivilegeBits(), Boolean.TRUE, getRestrictions());
+        }
+        return hashCode;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == this) {
+            return true;
+        }
+        if (obj instanceof AbstractEntry) {
+            AbstractEntry other = (AbstractEntry) obj;
+            return equivalentPath(other.oakPath) && super.equals(obj);
+        }
+        return false;
+    }
+
+    private boolean equivalentPath(@Nullable String otherPath) {
+        return (oakPath == null) ? otherPath == null : 
oakPath.equals(otherPath);
+    }
+}
\ No newline at end of file

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractEntry.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicy.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicy.java?rev=1865092&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicy.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicy.java
 Wed Aug 14 08:20:34 2019
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import com.google.common.base.Objects;
+import 
org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.Privilege;
+import java.security.Principal;
+import java.util.List;
+import java.util.Map;
+
+class ImmutablePrincipalPolicy extends ImmutableACL implements 
PrincipalAccessControlList {
+
+    private static final Logger log = 
LoggerFactory.getLogger(ImmutablePrincipalPolicy.class);
+
+    private final Principal principal;
+
+    private int hashCode;
+
+    public ImmutablePrincipalPolicy(@NotNull Principal principal, @NotNull 
String oakPath, @NotNull List<? extends PrincipalAccessControlList.Entry> 
entries, @NotNull RestrictionProvider restrictionProvider, @NotNull 
NamePathMapper namePathMapper) {
+        super(oakPath, entries, restrictionProvider, namePathMapper);
+        this.principal = principal;
+    }
+
+    public ImmutablePrincipalPolicy(@NotNull PrincipalPolicyImpl 
accessControlList) {
+        super(accessControlList);
+        this.principal = accessControlList.getPrincipal();
+    }
+
+    //-----------------------------------------< PrincipalAccessControlList 
>---
+    @Override
+    public @NotNull Principal getPrincipal() {
+        return principal;
+    }
+
+    @Override
+    public boolean addEntry(@Nullable String effectivePath, @NotNull 
Privilege[] privileges) throws RepositoryException {
+        throw new AccessControlException("Immutable 
PrincipalAccessControlList.");
+    }
+
+    @Override
+    public boolean addEntry(@Nullable String effectivePath, @NotNull 
Privilege[] privileges, @NotNull Map<String, Value> restrictions, @NotNull 
Map<String, Value[]> mvRestrictions) throws RepositoryException {
+        throw new AccessControlException("Immutable 
PrincipalAccessControlList.");
+    }
+
+    //-------------------------------------------------------------< Object 
>---
+    @Override
+    public int hashCode() {
+        if (hashCode == 0) {
+            hashCode = Objects.hashCode(principal, getOakPath(), getEntries());
+        }
+        return hashCode;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == this) {
+            return true;
+        }
+        if (obj instanceof ImmutablePrincipalPolicy) {
+            ImmutablePrincipalPolicy other = (ImmutablePrincipalPolicy) obj;
+            return Objects.equal(getOakPath(), other.getOakPath())
+                    && principal.equals(other.principal)
+                    && getEntries().equals(other.getEntries());
+        }
+        return false;
+    }
+}
\ No newline at end of file

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicy.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java?rev=1865092&r1=1865091&r2=1865092&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java
 Wed Aug 14 08:20:34 2019
@@ -19,8 +19,8 @@ package org.apache.jackrabbit.oak.spi.se
 import com.google.common.base.Strings;
 import com.google.common.collect.Iterables;
 import com.google.common.collect.Lists;
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
+import 
org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import 
org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
 import org.apache.jackrabbit.oak.api.PropertyState;
@@ -36,17 +36,14 @@ import org.apache.jackrabbit.oak.namepat
 import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
 import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
 import org.apache.jackrabbit.oak.spi.query.QueryConstants;
-import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
-import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
-import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
 import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
@@ -68,11 +65,11 @@ import java.security.Principal;
 import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.TreeMap;
 
 /**
  * Implementation of the {@link 
org.apache.jackrabbit.api.security.JackrabbitAccessControlManager}
@@ -182,15 +179,17 @@ class PrincipalBasedAccessControlManager
             QueryEngine queryEngine = getLatestRoot().getQueryEngine();
             Result result = queryEngine.executeQuery(stmt.toString(), 
Query.XPATH, QueryEngine.NO_BINDINGS, QueryEngine.NO_MAPPINGS);
 
-            Map<String, List<JackrabbitAccessControlEntry>> m = new 
TreeMap<>();
+            Map<Principal, List<AbstractEntry>> m = new HashMap<>();
             for (ResultRow row : result.getRows()) {
                 Tree entryTree = row.getTree(null);
-                String effectivePath = 
row.getValue(REP_EFFECTIVE_PATH).getValue(Type.STRING);
-                List<JackrabbitAccessControlEntry> entries = 
m.computeIfAbsent(effectivePath, s -> new ArrayList<>());
-                entries.add(createEffectiveEntry(entryTree, effectivePath));
+                AbstractEntry entry = createEffectiveEntry(entryTree);
+                if (entry != null) {
+                    List<AbstractEntry> entries = 
m.computeIfAbsent(entry.getPrincipal(), s -> new ArrayList<>());
+                    entries.add(entry);
+                }
             }
-            Iterable<ImmutableACL> acls = Iterables.transform(m.entrySet(), 
entry -> new ImmutableACL(entry.getKey(), entry.getValue(), 
mgrProvider.getRestrictionProvider(), getNamePathMapper()));
-            return Iterables.toArray(acls, ImmutableACL.class);
+            Iterable<PrincipalAccessControlList> acls = 
Iterables.transform(m.entrySet(), entry -> new 
ImmutablePrincipalPolicy(entry.getKey(), filter.getOakPath(entry.getKey()), 
entry.getValue(), mgrProvider.getRestrictionProvider(), getNamePathMapper()));
+            return Iterables.toArray(acls, PrincipalAccessControlList.class);
         } catch (ParseException e) {
             String msg = "Error while collecting effective policies at " 
+absPath;
             log.error(msg, e);
@@ -344,7 +343,7 @@ class PrincipalBasedAccessControlManager
             }
         }
         if (isEffectivePolicy && policy != null) {
-            return (policy.isEmpty()) ? null : new ImmutableACL(policy);
+            return (policy.isEmpty()) ? null : new 
ImmutablePrincipalPolicy(policy);
         } else {
             return policy;
         }
@@ -368,23 +367,28 @@ class PrincipalBasedAccessControlManager
         return paths;
     }
 
-    @NotNull
-    private JackrabbitAccessControlEntry createEffectiveEntry(@NotNull Tree 
entryTree, @NotNull String effectivePath) throws AccessControlException {
+    @Nullable
+    private AbstractEntry createEffectiveEntry(@NotNull Tree entryTree) throws 
AccessControlException {
         String principalName = TreeUtil.getString(entryTree.getParent(), 
AccessControlConstants.REP_PRINCIPAL_NAME);
-        PrivilegeBits bits = 
privilegeBitsProvider.getBits(entryTree.getProperty(Constants.REP_PRIVILEGES).getValue(Type.NAMES));
-        Set<Restriction> restrictions = 
mgrProvider.getRestrictionProvider().readRestrictions(effectivePath, entryTree);
-        return new EffectiveEntry(new PrincipalImpl(principalName), bits, 
true, restrictions, getNamePathMapper());
-    }
-
-    private final class EffectiveEntry extends ACE {
-        private EffectiveEntry(Principal principal, PrivilegeBits 
privilegeBits, boolean isAllow, Set<Restriction> restrictions, NamePathMapper 
namePathMapper) throws AccessControlException {
-            super(principal, privilegeBits, isAllow, restrictions, 
namePathMapper);
+        Principal principal = principalManager.getPrincipal(principalName);
+        if (principal == null || 
!filter.canHandle(Collections.singleton(principal))) {
+            return null;
         }
+        String oakPath = Strings.emptyToNull(TreeUtil.getString(entryTree, 
REP_EFFECTIVE_PATH));
+        PrivilegeBits bits = 
privilegeBitsProvider.getBits(entryTree.getProperty(Constants.REP_PRIVILEGES).getValue(Type.NAMES));
+        Set<Restriction> restrictions = 
mgrProvider.getRestrictionProvider().readRestrictions(oakPath, entryTree);
+        NamePathMapper npMapper = getNamePathMapper();
+        return new AbstractEntry(oakPath, principal, bits, restrictions, 
npMapper) {
+            @Override
+            @NotNull NamePathMapper getNamePathMapper() {
+                return npMapper;
+            }
 
-        @Override
-        public Privilege[] getPrivileges() {
-            Set<String> names =  
privilegeBitsProvider.getPrivilegeNames(getPrivilegeBits());
-            return Utils.privilegesFromOakNames(names, 
mgrProvider.getPrivilegeManager(), getNamePathMapper());
-        }
+            @Override
+            public Privilege[] getPrivileges() {
+                Set<String> names =  
privilegeBitsProvider.getPrivilegeNames(getPrivilegeBits());
+                return Utils.privilegesFromOakNames(names, 
mgrProvider.getPrivilegeManager(), getNamePathMapper());
+            }
+        };
     }
 }

Modified: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImpl.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImpl.java?rev=1865092&r1=1865091&r2=1865092&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImpl.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImpl.java
 Wed Aug 14 08:20:34 2019
@@ -16,7 +16,6 @@
  */
 package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
 
-import com.google.common.base.Objects;
 import com.google.common.base.Strings;
 import com.google.common.collect.Maps;
 import 
org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
@@ -24,8 +23,8 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.api.Type;
 import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
-import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlList;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
@@ -260,26 +259,10 @@ class PrincipalPolicyImpl extends Abstra
 
     //--------------------------------------------------------------< Entry 
>---
 
-    final class EntryImpl extends ACE implements Entry {
-
-        private final String oakPath;
-
-        private int hashCode;
+    final class EntryImpl extends AbstractEntry {
 
         private EntryImpl(@Nullable String oakPath, @NotNull PrivilegeBits 
privilegeBits, @NotNull  Set<Restriction> restrictions) throws 
AccessControlException {
-            super(principal, privilegeBits, true, restrictions, 
getNamePathMapper());
-            this.oakPath = oakPath;
-        }
-
-        @Nullable
-        String getOakPath() {
-            return oakPath;
-        }
-
-        @Override
-        @Nullable
-        public String getEffectivePath() {
-            return (oakPath == null) ? null : 
getNamePathMapper().getJcrPath(oakPath);
+            super(oakPath, principal, privilegeBits, restrictions, 
PrincipalPolicyImpl.this.getNamePathMapper());
         }
 
         @Override
@@ -289,27 +272,8 @@ class PrincipalPolicyImpl extends Abstra
         }
 
         @Override
-        public int hashCode() {
-            if (hashCode == 0) {
-                hashCode = Objects.hashCode(oakPath, principal.getName(), 
getPrivilegeBits(), Boolean.TRUE, getRestrictions());
-            }
-            return hashCode;
-        }
-
-        @Override
-        public boolean equals(Object obj) {
-            if (obj == this) {
-                return true;
-            }
-            if (obj instanceof EntryImpl) {
-                EntryImpl other = (EntryImpl) obj;
-                return equivalentPath(other.oakPath) && super.equals(obj);
-            }
-            return false;
-        }
-
-        private boolean equivalentPath(@Nullable String otherPath) {
-            return (oakPath == null) ? otherPath == null : 
oakPath.equals(otherPath);
+        @NotNull NamePathMapper getNamePathMapper() {
+            return PrincipalPolicyImpl.this.getNamePathMapper();
         }
     }
 }

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractEntryTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractEntryTest.java?rev=1865092&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractEntryTest.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractEntryTest.java
 Wed Aug 14 08:20:34 2019
@@ -0,0 +1,159 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import 
org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+import org.junit.Before;
+import org.junit.Test;
+
+import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
+import javax.jcr.ValueFactory;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.Privilege;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.Set;
+
+import static org.apache.jackrabbit.JcrConstants.NT_UNSTRUCTURED;
+import static 
org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants.NT_OAK_UNSTRUCTURED;
+import static 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.NT_REP_POLICY;
+import static 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.NT_REP_RESTRICTIONS;
+import static 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.REP_GLOB;
+import static 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.REP_NT_NAMES;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotEquals;
+
+public class AbstractEntryTest extends AbstractPrincipalBasedTest {
+
+    private PrivilegeBitsProvider bitsProvider;
+
+    private AbstractEntry entryA;
+    private AbstractEntry entryB;
+
+    private Restriction restriction;
+
+    @Before
+    public void before() throws Exception {
+        super.before();
+
+        this.bitsProvider = new PrivilegeBitsProvider(root);
+
+        ValueFactory vf = getValueFactory(root);
+        RestrictionProvider rp = new RestrictionProviderImpl();
+        Restriction r = rp.createRestriction(TEST_OAK_PATH, REP_NT_NAMES, 
vf.createValue(getNamePathMapper().getJcrName(NT_OAK_UNSTRUCTURED), 
PropertyType.NAME));
+
+        Principal principal = getTestSystemUser().getPrincipal();
+        entryA = new TestEntry(TEST_OAK_PATH, principal, 
bitsProvider.getBits(PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT, 
PrivilegeConstants.REP_WRITE), r);
+        entryB = new TestEntry(null, principal, 
bitsProvider.getBits(PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+
+        restriction = rp.createRestriction(entryA.getOakPath(), REP_GLOB, 
vf.createValue("*"));
+    }
+
+    @Test
+    public void testHashCode() throws Exception {
+        assertNotEquals(entryA.hashCode(), entryB.hashCode());
+
+        // same entry -> same hash
+        assertEquals(entryA.hashCode(), entryA.hashCode());
+
+        // equivalent entry -> same hash
+        assertEquals(entryA.hashCode(), new TestEntry(entryA).hashCode());
+        assertEquals(entryB.hashCode(), new TestEntry(entryB).hashCode());
+
+        // different restrictions -> different hash
+        AbstractEntry differentRestriction = new 
TestEntry(entryA.getOakPath(), entryA.getPrincipal(), 
entryA.getPrivilegeBits(), restriction);
+        assertNotEquals(entryA.hashCode(), differentRestriction.hashCode());
+
+        // different path -> different hash
+        AbstractEntry differentPath = new TestEntry(PathUtils.ROOT_PATH, 
entryA.getPrincipal(), entryA.getPrivilegeBits(), 
entryA.getRestrictions().toArray(new Restriction[0]));
+        assertNotEquals(entryA.hashCode(), differentPath.hashCode());
+
+        // different path -> different hash
+        AbstractEntry differentPrincipal = new TestEntry(entryB.getOakPath(), 
EveryonePrincipal.getInstance(), entryB.getPrivilegeBits(), 
entryB.getRestrictions().toArray(new Restriction[0]));
+        assertNotEquals(entryB.hashCode(), differentPath.hashCode());
+
+        // different path -> different hash
+        AbstractEntry differentPrivs = new TestEntry(entryB.getOakPath(), 
entryB.getPrincipal(), bitsProvider.getBits(PrivilegeConstants.JCR_READ), 
entryB.getRestrictions().toArray(new Restriction[0]));
+        assertNotEquals(entryB.hashCode(), differentPrivs.hashCode());
+    }
+
+    @Test
+    public void testEquals() throws Exception {
+        assertNotEquals(entryA, entryB);
+        assertNotEquals(entryB, entryA);
+
+        assertEquals(entryA, entryA);
+
+        // equivalent entry -> equals
+        assertEquals(entryA, new TestEntry(entryA));
+        assertEquals(entryB, new TestEntry(entryB));
+
+        // different restrictions -> different hash
+        AbstractEntry differentRestriction = new 
TestEntry(entryA.getOakPath(), entryA.getPrincipal(), 
entryA.getPrivilegeBits(), restriction);
+        assertNotEquals(entryA, differentRestriction);
+
+        // different path -> different hash
+        AbstractEntry differentPath = new TestEntry(PathUtils.ROOT_PATH, 
entryA.getPrincipal(), entryA.getPrivilegeBits(), 
entryA.getRestrictions().toArray(new Restriction[0]));
+        assertNotEquals(entryA, differentPath);
+
+        // different path -> different hash
+        AbstractEntry differentPrincipal = new TestEntry(entryB.getOakPath(), 
EveryonePrincipal.getInstance(), entryB.getPrivilegeBits(), 
entryB.getRestrictions().toArray(new Restriction[0]));
+        assertNotEquals(entryB, differentPath);
+
+        // different path -> different hash
+        AbstractEntry differentPrivs = new TestEntry(entryB.getOakPath(), 
entryB.getPrincipal(), bitsProvider.getBits(PrivilegeConstants.JCR_READ), 
entryB.getRestrictions().toArray(new Restriction[0]));
+        assertNotEquals(entryB, differentPrivs);
+    }
+
+    private final class TestEntry extends AbstractEntry {
+
+        TestEntry(@Nullable String oakPath, @NotNull Principal principal, 
@NotNull PrivilegeBits privilegeBits, @NotNull Restriction... restrictions) 
throws AccessControlException {
+            super(oakPath, principal, privilegeBits, 
ImmutableSet.copyOf(restrictions), AbstractEntryTest.this.getNamePathMapper());
+        }
+
+        TestEntry(@NotNull AbstractEntry base) throws AccessControlException {
+            super(base.getOakPath(), base.getPrincipal(), 
base.getPrivilegeBits(), base.getRestrictions(), 
AbstractEntryTest.this.getNamePathMapper());
+        }
+
+        @Override
+        @NotNull NamePathMapper getNamePathMapper() {
+            return AbstractEntryTest.this.getNamePathMapper();
+        }
+
+        @Override
+        public Privilege[] getPrivileges() {
+            try {
+                return 
privilegesFromNames(bitsProvider.getPrivilegeNames(getPrivilegeBits()));
+            } catch (RepositoryException e) {
+                throw new RuntimeException(e);
+            }
+        }
+    }
+}
\ No newline at end of file

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractEntryTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EffectivePolicyTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EffectivePolicyTest.java?rev=1865092&r1=1865091&r2=1865092&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EffectivePolicyTest.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EffectivePolicyTest.java
 Wed Aug 14 08:20:34 2019
@@ -18,13 +18,15 @@ package org.apache.jackrabbit.oak.spi.se
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Iterables;
 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import 
org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.oak.commons.PathUtils;
-import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
-import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.util.Text;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -34,9 +36,11 @@ import javax.jcr.security.AccessControlP
 import java.security.Principal;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import static 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.REP_GLOB;
 import static 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.REP_NT_NAMES;
+import static 
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_LIFECYCLE_MANAGEMENT;
 import static 
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT;
 import static 
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_READ;
 import static 
org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.REP_WRITE;
@@ -44,6 +48,8 @@ import static org.junit.Assert.assertArr
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
 
 public class EffectivePolicyTest extends AbstractPrincipalBasedTest {
 
@@ -65,9 +71,15 @@ public class EffectivePolicyTest extends
         acMgr = createAccessControlManager(root);
         validPrincipal = getTestSystemUser().getPrincipal();
 
+        // create 2 entries for 'validPrincipal'
+        // - jcrEffectivePath : read, write
+        // - null : namespaceMgt
         PrincipalPolicyImpl policy = 
setupPrincipalBasedAccessControl(validPrincipal, jcrEffectivePath, JCR_READ, 
REP_WRITE);
         addPrincipalBasedEntry(policy, null, JCR_NAMESPACE_MANAGEMENT);
 
+        // create 2 entries for 'validPrincipal2'
+        // - jcrEffectivePath : read
+        // - root : lifecycleMgt
         policy = (PrincipalPolicyImpl) 
acMgr.getApplicablePolicies(validPrincipal2)[0];
         Map<String, Value> restrictions = 
ImmutableMap.of(getNamePathMapper().getJcrName(REP_GLOB), 
getValueFactory(root).createValue("/*/glob"));
         policy.addEntry(jcrEffectivePath, privilegesFromNames(JCR_READ), 
restrictions, ImmutableMap.of());
@@ -85,9 +97,9 @@ public class EffectivePolicyTest extends
     public void testEffectivePolicyByPrincipal() throws Exception {
         AccessControlPolicy[] effective = 
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal));
         assertEquals(1, effective.length);
-        assertTrue(effective[0] instanceof ImmutableACL);
+        assertTrue(effective[0] instanceof ImmutablePrincipalPolicy);
 
-        List<JackrabbitAccessControlEntry> entries = 
((ImmutableACL)effective[0]).getEntries();
+        List<JackrabbitAccessControlEntry> entries = 
((ImmutablePrincipalPolicy)effective[0]).getEntries();
         assertEquals(2, entries.size());
 
         assertTrue(entries.get(0) instanceof PrincipalAccessControlList.Entry);
@@ -99,53 +111,78 @@ public class EffectivePolicyTest extends
     }
 
     @Test
+    public void testEffectivePolicyByPrincipal2() throws Exception {
+        AccessControlPolicy[] effective = 
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal2));
+        assertEquals(1, effective.length);
+        assertTrue(effective[0] instanceof ImmutablePrincipalPolicy);
+
+        List<JackrabbitAccessControlEntry> entries = 
((ImmutablePrincipalPolicy)effective[0]).getEntries();
+        assertEquals(2, entries.size());
+
+        assertTrue(entries.get(0) instanceof PrincipalAccessControlList.Entry);
+        assertEquals(validPrincipal2, entries.get(0).getPrincipal());
+        assertArrayEquals(privilegesFromNames(JCR_READ), 
entries.get(0).getPrivileges());
+        assertEquals(jcrEffectivePath, ((PrincipalAccessControlList.Entry) 
entries.get(0)).getEffectivePath());
+
+        assertEquals(validPrincipal2, entries.get(1).getPrincipal());
+        assertArrayEquals(privilegesFromNames(JCR_LIFECYCLE_MANAGEMENT), 
entries.get(1).getPrivileges());
+        assertEquals(PathUtils.ROOT_PATH, ((PrincipalAccessControlList.Entry) 
entries.get(1)).getEffectivePath());
+    }
+
+    @Test
     public void testEffectivePolicyByPath() throws Exception {
-        AccessControlPolicy[] effective = 
acMgr.getEffectivePolicies(getNamePathMapper().getJcrPath(TEST_OAK_PATH));
+        String path = getNamePathMapper().getJcrPath(TEST_OAK_PATH);
+        AccessControlPolicy[] effective = acMgr.getEffectivePolicies(path);
         assertEquals(2, effective.length);
 
-        for (AccessControlPolicy effectivePolicy : effective) {
-            assertTrue(effectivePolicy instanceof ImmutableACL);
-
-            ImmutableACL acl = (ImmutableACL) effectivePolicy;
-            if (jcrEffectivePath.equals(acl.getPath())) {
-                List<JackrabbitAccessControlEntry> entries = acl.getEntries();
-                assertEquals(2, entries.size());
-
-                for (JackrabbitAccessControlEntry entry : entries) {
-                    if (validPrincipal.equals(entry.getPrincipal())) {
-                        assertArrayEquals(privilegesFromNames(JCR_READ, 
REP_WRITE), entry.getPrivileges());
-                        assertEquals(0, entry.getRestrictionNames().length);
-                    } else {
-                        assertEquals(validPrincipal2, entry.getPrincipal());
-                        assertArrayEquals(privilegesFromNames(JCR_READ), 
entry.getPrivileges());
-                        assertArrayEquals(new String[] 
{getNamePathMapper().getJcrName(REP_GLOB)}, entry.getRestrictionNames());
-                    }
-                }
-            } else {
-                assertEquals(PathUtils.ROOT_PATH, acl.getPath());
-
-                List<JackrabbitAccessControlEntry> entries = acl.getEntries();
-                assertEquals(1, entries.size());
-
-                JackrabbitAccessControlEntry entry = entries.get(0);
-                assertTrue(entry instanceof ACE);
-                
assertArrayEquals(privilegesFromNames(PrivilegeConstants.JCR_LIFECYCLE_MANAGEMENT),
 entry.getPrivileges());
-                assertEquals(1, ((ACE) entry).getRestrictions().size());
-                assertArrayEquals(new String[] 
{getNamePathMapper().getJcrName(REP_NT_NAMES)}, entry.getRestrictionNames());
+        for (AccessControlPolicy policy : effective) {
+            assertTrue(policy instanceof ImmutablePrincipalPolicy);
+            ImmutablePrincipalPolicy effectivePolicy = 
(ImmutablePrincipalPolicy) policy;
+
+            // filter expected entries: only entries that take effect at the 
target path should be taken into consideration
+            ImmutablePrincipalPolicy byPrincipal = (ImmutablePrincipalPolicy) 
acMgr.getEffectivePolicies(ImmutableSet.of(effectivePolicy.getPrincipal()))[0];
+            Set<JackrabbitAccessControlEntry> expected = 
ImmutableSet.copyOf(Iterables.filter(byPrincipal.getEntries(), entry -> {
+                String effectivePath = ((PrincipalAccessControlList.Entry) 
entry).getEffectivePath();
+                return effectivePath != null && 
Text.isDescendantOrEqual(effectivePath, path);
+            }));
+
+            assertEquals(expected.size(), effectivePolicy.size());
+            List<JackrabbitAccessControlEntry> entries = 
effectivePolicy.getEntries();
+            for (JackrabbitAccessControlEntry entry : expected) {
+                assertTrue(entries.contains(entry));
             }
         }
     }
 
     @Test
+    public void testEffectivePolicyByPathVerifiesPrincipals() throws Exception 
{
+        PrincipalManager principalMgr = mock(PrincipalManager.class);
+        
when(principalMgr.getPrincipal(validPrincipal.getName())).thenReturn(null);
+        
when(principalMgr.getPrincipal(validPrincipal2.getName())).thenReturn(new 
PrincipalImpl(validPrincipal2.getName()));
+
+        MgrProvider provider = mock(MgrProvider.class);
+        when(provider.getPrincipalManager()).thenReturn(principalMgr);
+        when(provider.getRoot()).thenReturn(root);
+        when(provider.getSecurityProvider()).thenReturn(securityProvider);
+        when(provider.getNamePathMapper()).thenReturn(getNamePathMapper());
+
+        PrincipalBasedAccessControlManager acm = new 
PrincipalBasedAccessControlManager(provider, getFilterProvider());
+        AccessControlPolicy[] effective = 
acm.getEffectivePolicies(getNamePathMapper().getJcrPath(TEST_OAK_PATH));
+        assertEquals(0, effective.length);
+    }
+
+    @Test
     public void testEffectivePolicyByNullPath() throws Exception {
         AccessControlPolicy[] effective = acMgr.getEffectivePolicies((String) 
null);
         assertEquals(1, effective.length);
-        assertTrue(effective[0] instanceof ImmutableACL);
+        assertTrue(effective[0] instanceof ImmutablePrincipalPolicy);
+        assertEquals(validPrincipal, 
((ImmutablePrincipalPolicy)effective[0]).getPrincipal());
 
-        List<JackrabbitAccessControlEntry> entries = 
((ImmutableACL)effective[0]).getEntries();
+        List<JackrabbitAccessControlEntry> entries = 
((ImmutablePrincipalPolicy)effective[0]).getEntries();
         assertEquals(1, entries.size());
 
-        assertTrue(entries.get(0) instanceof ACE);
+        assertTrue(entries.get(0) instanceof PrincipalAccessControlList.Entry);
+        
assertNull(((PrincipalAccessControlList.Entry)entries.get(0)).getEffectivePath());
         assertEquals(validPrincipal, entries.get(0).getPrincipal());
         assertArrayEquals(privilegesFromNames(JCR_NAMESPACE_MANAGEMENT), 
entries.get(0).getPrivileges());
     }

Added: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicyTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicyTest.java?rev=1865092&view=auto
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicyTest.java
 (added)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicyTest.java
 Wed Aug 14 08:20:34 2019
@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
+
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.junit.Before;
+import org.junit.Test;
+
+import javax.jcr.security.AccessControlException;
+import java.util.Collections;
+
+import static 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.REP_GLOB;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotEquals;
+
+public class ImmutablePrincipalPolicyTest extends AbstractPrincipalBasedTest {
+
+    private PrincipalPolicyImpl policy;
+    private ImmutablePrincipalPolicy immutable;
+
+    @Before
+    @Override
+    public void before() throws Exception {
+        super.before();
+
+        policy = 
setupPrincipalBasedAccessControl(getTestSystemUser().getPrincipal(), 
testContentJcrPath, PrivilegeConstants.JCR_READ);
+        immutable = new ImmutablePrincipalPolicy(policy);
+    }
+
+    @Test
+    public void testGetPrincipal() throws Exception {
+        assertEquals(getTestSystemUser().getPrincipal(), 
immutable.getPrincipal());
+    }
+
+    @Test(expected = AccessControlException.class)
+    public void testAddEntry() throws Exception {
+        immutable.addEntry(PathUtils.ROOT_PATH, 
privilegesFromNames(PrivilegeConstants.JCR_READ));
+    }
+
+    @Test(expected = AccessControlException.class)
+    public void testAddEntryWithRestrictions() throws Exception {
+        immutable.addEntry(null, 
privilegesFromNames(PrivilegeConstants.JCR_ALL), 
Collections.singletonMap(getNamePathMapper().getJcrName(REP_GLOB), 
getValueFactory(root).createValue("*")), Collections.emptyMap());
+    }
+
+    @Test
+    public void testHashcode() {
+        int expectedHashCode = immutable.hashCode();
+        ImmutablePrincipalPolicy ipp = new 
ImmutablePrincipalPolicy(policy.getPrincipal(), policy.getOakPath(), 
policy.getEntries(), policy.getRestrictionProvider(), 
policy.getNamePathMapper());
+        assertEquals(expectedHashCode, ipp.hashCode());
+        assertEquals(expectedHashCode, new 
ImmutablePrincipalPolicy(policy).hashCode());
+    }
+
+    @Test
+    public void testEquals() {
+        ImmutablePrincipalPolicy ipp = new 
ImmutablePrincipalPolicy(policy.getPrincipal(), policy.getOakPath(), 
policy.getEntries(), policy.getRestrictionProvider(), 
policy.getNamePathMapper());
+        assertEquals(immutable, ipp);
+        assertEquals(immutable, new ImmutablePrincipalPolicy(policy));
+        assertEquals(immutable, immutable);
+    }
+
+    @Test
+    public void testNotEquals() {
+        ImmutablePrincipalPolicy differentPath = new 
ImmutablePrincipalPolicy(policy.getPrincipal(), "/different/path", 
policy.getEntries(), policy.getRestrictionProvider(), 
policy.getNamePathMapper());
+        ImmutablePrincipalPolicy differentPrincipal = new 
ImmutablePrincipalPolicy(EveryonePrincipal.getInstance(), policy.getOakPath(), 
policy.getEntries(), policy.getRestrictionProvider(), 
policy.getNamePathMapper());
+        ImmutablePrincipalPolicy differentEntries = new 
ImmutablePrincipalPolicy(policy.getPrincipal(), policy.getOakPath(), 
Collections.emptyList(), policy.getRestrictionProvider(), 
policy.getNamePathMapper());
+
+        assertNotEquals(immutable, policy);
+        assertNotEquals(immutable, new ImmutableACL(policy));
+        assertNotEquals(immutable, differentPath);
+        assertNotEquals(immutable, differentPrincipal);
+        assertNotEquals(immutable, differentEntries);
+
+        int hc = immutable.hashCode();
+        assertNotEquals(hc, policy.hashCode());
+        assertNotEquals(hc, new ImmutableACL(policy).hashCode());
+        assertNotEquals(hc, differentPath.hashCode());
+        assertNotEquals(hc, differentPrincipal.hashCode());
+        assertNotEquals(hc, differentEntries.hashCode());
+    }
+}
\ No newline at end of file

Propchange: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicyTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java?rev=1865092&r1=1865091&r2=1865092&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java
 Wed Aug 14 08:20:34 2019
@@ -26,7 +26,6 @@ import org.apache.jackrabbit.oak.api.Tre
 import org.apache.jackrabbit.oak.commons.PathUtils;
 import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
 import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
-import 
org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
 import 
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
 import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
@@ -87,6 +86,12 @@ public class PrincipalBasedAccessControl
         return new PrincipalPolicyImpl(validPrincipal, oakPath, 
getMgrProvider(root));
     }
 
+    private static void assertEffectivePolicy(@NotNull AccessControlPolicy[] 
effective, int size) {
+        assertEquals(1, effective.length);
+        assertTrue(effective[0] instanceof ImmutablePrincipalPolicy);
+        assertEquals(size, ((ImmutablePrincipalPolicy) effective[0]).size());
+    }
+
     @Test(expected = AccessControlException.class)
     public void testGetApplicablePoliciesNullPrincipal() throws Exception {
         acMgr.getApplicablePolicies((Principal) null);
@@ -171,7 +176,7 @@ public class PrincipalBasedAccessControl
         // after commit => effective policy present
         root.commit();
         effective = 
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal));
-        assertEquals(1, effective.length);
+        assertEffectivePolicy(effective, 1);
     }
 
     @Test
@@ -236,7 +241,7 @@ public class PrincipalBasedAccessControl
         setupPrincipalBasedAccessControl(validPrincipal, testContentJcrPath, 
REP_WRITE);
         root.commit();
 
-        ImmutableACL effective = (ImmutableACL) 
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal))[0];
+        ImmutablePrincipalPolicy effective = (ImmutablePrincipalPolicy) 
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal))[0];
         acMgr.setPolicy(effective.getPath(), effective);
     }
 
@@ -334,7 +339,7 @@ public class PrincipalBasedAccessControl
         setupPrincipalBasedAccessControl(validPrincipal, testContentJcrPath, 
REP_WRITE);
         root.commit();
 
-        ImmutableACL effective = (ImmutableACL) 
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal))[0];
+        ImmutablePrincipalPolicy effective = (ImmutablePrincipalPolicy) 
acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal))[0];
         acMgr.removePolicy(effective.getPath(), effective);
     }
 
@@ -440,9 +445,9 @@ public class PrincipalBasedAccessControl
         addPrincipalBasedEntry(policy, PathUtils.ROOT_PATH, JCR_READ);
         root.commit();
 
-        assertEquals(2, acMgr.getEffectivePolicies(testJcrPath).length);
-        assertEquals(2, acMgr.getEffectivePolicies(testContentJcrPath).length);
-        assertEquals(1, 
acMgr.getEffectivePolicies(PathUtils.ROOT_PATH).length);
+        assertEffectivePolicy(acMgr.getEffectivePolicies(testJcrPath), 2);
+        assertEffectivePolicy(acMgr.getEffectivePolicies(testContentJcrPath), 
2);
+        assertEffectivePolicy(acMgr.getEffectivePolicies(PathUtils.ROOT_PATH), 
1);
     }
 
     @Test

Modified: 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImplTest.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImplTest.java?rev=1865092&r1=1865091&r2=1865092&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImplTest.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImplTest.java
 Wed Aug 14 08:20:34 2019
@@ -67,7 +67,6 @@ import static org.apache.jackrabbit.oak.
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertSame;
@@ -584,44 +583,6 @@ public class PrincipalPolicyImplTest ext
         assertTrue(entry.isAllow());
     }
 
-    @Test
-    public void testEntryHashCode() throws Exception {
-        PrincipalPolicyImpl.EntryImpl entryA = policy.getEntries().get(0);
-        PrincipalPolicyImpl.EntryImpl entryB = policy.getEntries().get(1);
-        assertNotEquals(entryA.hashCode(), entryB.hashCode());
-
-        // same entry -> same hash
-        assertEquals(entryA.hashCode(), policy.getEntries().get(0).hashCode());
-
-        // equivalent entry on different policy -> same hash
-        emptyPolicy.addEntry(entryB.getEffectivePath(), 
entryB.getPrivileges(), Collections.emptyMap(), Collections.emptyMap());
-        assertEquals(entryB.hashCode(), 
emptyPolicy.getEntries().get(0).hashCode());
-
-        // different restrictions -> different hash
-        emptyPolicy.addEntry(entryA.getEffectivePath(), 
entryA.getPrivileges(), createGlobRestriction("*"), Collections.emptyMap());
-        assertNotEquals(entryA.hashCode(), 
emptyPolicy.getEntries().get(1).hashCode());
-    }
-
-    @Test
-    public void testEntryEquals() throws Exception {
-        PrincipalPolicyImpl.EntryImpl entryA = policy.getEntries().get(0);
-        PrincipalPolicyImpl.EntryImpl entryB = policy.getEntries().get(1);
-        assertNotEquals(entryA, entryB);
-        assertNotEquals(entryB, entryA);
-
-        assertEquals(entryA, entryA);
-        assertEquals(entryA, policy.getEntries().get(0));
-
-        // equivalent entry on different policy -> same hash
-        emptyPolicy.addEntry(entryB.getEffectivePath(), 
entryB.getPrivileges(), Collections.emptyMap(), Collections.emptyMap());
-        assertEquals(entryB, emptyPolicy.getEntries().get(0));
-
-        // different restrictions -> different hash
-        emptyPolicy.addEntry(entryA.getEffectivePath(), 
entryA.getPrivileges(), createGlobRestriction("*"), Collections.emptyMap());
-        assertNotEquals(entryA, emptyPolicy.getEntries().get(1));
-    }
-
-
     private static PrincipalAccessControlList.Entry invalidEntry(@NotNull 
PrincipalAccessControlList.Entry entry) {
         return new PrincipalAccessControlList.Entry() {
             @Override


Reply via email to