This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch OAK-10135 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git
commit dde38356dc8cb23910c10eb036726844674063d7 Author: angela <anch...@adobe.com> AuthorDate: Thu Mar 9 13:25:13 2023 +0100 OAK-10135 : JackrabbitAccessControlManager.getEffectivePolicies(Set principals) should include ReadPolicy --- .../impl/PrincipalBasedAccessControlManager.java | 7 ++- .../impl/AbstractPrincipalBasedTest.java | 16 +++++++ .../impl/AccessControlManagerLimitedUserTest.java | 10 ++++ .../principalbased/impl/EffectivePolicyTest.java | 6 +-- .../impl/ImmutablePrincipalPolicyTest.java | 2 +- .../PrincipalBasedAccessControlManagerTest.java | 26 +++++------ .../impl/ReadablePathsAccessControlTest.java | 6 ++- .../impl/TransientPrincipalTest.java | 4 +- .../accesscontrol/AccessControlManagerImpl.java | 6 ++- .../accesscontrol/PolicyComparator.java | 33 ++++++++++---- .../accesscontrol/AbstractAccessControlTest.java | 8 ++++ .../AccessControlManagerImplTest.java | 28 ++++++------ ...AccessControlManagerLimitedPermissionsTest.java | 53 +++++++++++++++++++--- .../AccessControlWithUnknownPrincipalTest.java | 11 ++--- .../accesscontrol/PolicyComparatorTest.java | 26 +++++++++++ .../accesscontrol/ReadPolicyTest.java | 53 ++++++++++++++++++++-- .../authorization/accesscontrol/ReadPolicy.java | 20 ++++++++ .../authorization/accesscontrol/package-info.java | 2 +- .../accesscontrol/ReadPolicyTest.java | 20 ++++++++ 19 files changed, 268 insertions(+), 69 deletions(-) diff --git a/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java b/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java index 21876483c2..fe00e9695b 100644 --- a/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java +++ b/oak-authorization-principalbased/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.java @@ -69,7 +69,6 @@ import java.text.ParseException; import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; -import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; @@ -145,13 +144,17 @@ class PrincipalBasedAccessControlManager extends AbstractAccessControlManager im // this implementation only takes effect if the complete set of principals can be handled. see also // PrincipalBasedAuthorizationConfiguration.getPermissionProvider if (canHandle(principals)) { - Set<AccessControlPolicy> effective = new HashSet<>(principals.size()); + List<AccessControlPolicy> effective = new ArrayList<>(principals.size()); for (Principal principal : principals) { AccessControlPolicy policy = createPolicy(principal, true); if (policy != null) { effective.add(policy); } } + // add read-policy if there are configured paths + if (ReadPolicy.canAccessReadPolicy(getPermissionProvider(), readPaths.toArray(new String[0]))) { + effective.add(ReadPolicy.INSTANCE); + } return effective.toArray(new AccessControlPolicy[0]); } else { return new JackrabbitAccessControlPolicy[0]; diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java index b7d64f690b..68e06622f5 100644 --- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java +++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AbstractPrincipalBasedTest.java @@ -36,6 +36,7 @@ import org.apache.jackrabbit.oak.security.internal.SecurityProviderHelper; import org.apache.jackrabbit.oak.spi.mount.Mounts; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; +import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ReadPolicy; import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider; import org.apache.jackrabbit.oak.spi.security.user.UserConstants; @@ -46,6 +47,7 @@ import org.junit.Before; import javax.jcr.RepositoryException; import javax.jcr.Value; import javax.jcr.security.AccessControlManager; +import javax.jcr.security.AccessControlPolicy; import javax.jcr.security.Privilege; import java.security.Principal; import java.util.Collections; @@ -54,6 +56,8 @@ import java.util.UUID; import static com.google.common.base.Preconditions.checkNotNull; import static org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants.NT_OAK_UNSTRUCTURED; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; @@ -220,4 +224,16 @@ public abstract class AbstractPrincipalBasedTest extends AbstractSecurityTest { PrincipalBasedAuthorizationConfiguration getPrincipalBasedAuthorizationConfiguration() { return principalBasedAuthorizationConfiguration; } + + static void assertEffectivePolicies(@NotNull AccessControlPolicy[] effective, int expectedPolicies, + int principalPolicySize, boolean readPolicyExpected) { + assertEquals(expectedPolicies, effective.length); + if (principalPolicySize > -1) { + assertTrue(effective[0] instanceof ImmutablePrincipalPolicy); + assertEquals(principalPolicySize, ((ImmutablePrincipalPolicy) effective[0]).size()); + } + if (readPolicyExpected) { + assertTrue(effective[effective.length-1] instanceof ReadPolicy); + } + } } \ No newline at end of file diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AccessControlManagerLimitedUserTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AccessControlManagerLimitedUserTest.java index fca1d6dccc..52e43e5a5f 100644 --- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AccessControlManagerLimitedUserTest.java +++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AccessControlManagerLimitedUserTest.java @@ -30,6 +30,7 @@ import org.apache.jackrabbit.oak.commons.PathUtils; import org.apache.jackrabbit.oak.plugins.tree.TreeUtil; import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants; import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL; +import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ReadPolicy; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; @@ -258,6 +259,15 @@ public class AccessControlManagerLimitedUserTest extends AbstractPrincipalBasedT root.commit(); testRoot.refresh(); assertPolicies(testAcMgr.getEffectivePolicies(ImmutableSet.of(systemPrincipal)), ImmutableACL.class, 1, 2); + + // make sure test-user has read-accesscontrol permission on any readable-path + grant(testPrincipal, PathUtils.ROOT_PATH, JCR_READ_ACCESS_CONTROL); + root.commit(); + testRoot.refresh(); + + AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(ImmutableSet.of(systemPrincipal));; + assertPolicies(effective, ImmutableACL.class, 2, 2); + assertTrue(effective[1] instanceof ReadPolicy); } @Test(expected = AccessDeniedException.class) diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EffectivePolicyTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EffectivePolicyTest.java index d12f18b39b..b77477fa57 100644 --- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EffectivePolicyTest.java +++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EffectivePolicyTest.java @@ -96,8 +96,7 @@ public class EffectivePolicyTest extends AbstractPrincipalBasedTest { @Test public void testEffectivePolicyByPrincipal() throws Exception { AccessControlPolicy[] effective = acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)); - assertEquals(1, effective.length); - assertTrue(effective[0] instanceof ImmutablePrincipalPolicy); + assertEffectivePolicies(effective, 2, 2, true); List<JackrabbitAccessControlEntry> entries = ((ImmutablePrincipalPolicy)effective[0]).getEntries(); assertEquals(2, entries.size()); @@ -113,8 +112,7 @@ public class EffectivePolicyTest extends AbstractPrincipalBasedTest { @Test public void testEffectivePolicyByPrincipal2() throws Exception { AccessControlPolicy[] effective = acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal2)); - assertEquals(1, effective.length); - assertTrue(effective[0] instanceof ImmutablePrincipalPolicy); + assertEffectivePolicies(effective, 2, 2, true); List<JackrabbitAccessControlEntry> entries = ((ImmutablePrincipalPolicy)effective[0]).getEntries(); assertEquals(2, entries.size()); diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicyTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicyTest.java index e17d8af0ff..d36fb64714 100644 --- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicyTest.java +++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ImmutablePrincipalPolicyTest.java @@ -64,7 +64,7 @@ public class ImmutablePrincipalPolicyTest extends AbstractPrincipalBasedTest { int expectedHashCode = immutable.hashCode(); ImmutablePrincipalPolicy ipp = new ImmutablePrincipalPolicy(policy.getPrincipal(), policy.getOakPath(), policy.getEntries(), policy.getRestrictionProvider(), policy.getNamePathMapper()); assertEquals(expectedHashCode, ipp.hashCode()); - assertEquals(expectedHashCode, new ImmutablePrincipalPolicy(policy).hashCode()); + assertEquals(ipp.hashCode(), new ImmutablePrincipalPolicy(policy).hashCode()); } @Test diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java index 7cdb2aba30..16fdc18b36 100644 --- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java +++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.java @@ -86,12 +86,6 @@ public class PrincipalBasedAccessControlManagerTest extends AbstractPrincipalBas return new PrincipalPolicyImpl(validPrincipal, oakPath, getMgrProvider(root)); } - private static void assertEffectivePolicy(@NotNull AccessControlPolicy[] effective, int size) { - assertEquals(1, effective.length); - assertTrue(effective[0] instanceof ImmutablePrincipalPolicy); - assertEquals(size, ((ImmutablePrincipalPolicy) effective[0]).size()); - } - @Test(expected = AccessControlException.class) public void testGetApplicablePoliciesNullPrincipal() throws Exception { acMgr.getApplicablePolicies((Principal) null); @@ -160,7 +154,8 @@ public class PrincipalBasedAccessControlManagerTest extends AbstractPrincipalBas @Test public void testGetEffectivePoliciesNothingSet() throws Exception { - assertEquals(0, acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)).length); + AccessControlPolicy[] effective = acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)); + assertEffectivePolicies(effective, 1, -1, true); } @Test @@ -171,12 +166,12 @@ public class PrincipalBasedAccessControlManagerTest extends AbstractPrincipalBas // transient changes => no effective policy AccessControlPolicy[] effective = acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)); - assertEquals(0, effective.length); + assertEffectivePolicies(effective, 1, -1, true); // after commit => effective policy present root.commit(); effective = acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)); - assertEffectivePolicy(effective, 1); + assertEffectivePolicies(effective, 2, 1, true); } @Test @@ -184,7 +179,8 @@ public class PrincipalBasedAccessControlManagerTest extends AbstractPrincipalBas JackrabbitAccessControlPolicy emptyPolicy = acMgr.getApplicablePolicies(validPrincipal)[0]; acMgr.setPolicy(emptyPolicy.getPath(), emptyPolicy); root.commit(); - assertEquals(0, acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)).length); + AccessControlPolicy[] effective = acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)); + assertEffectivePolicies(effective, 1, -1, true); } @Test @@ -197,7 +193,7 @@ public class PrincipalBasedAccessControlManagerTest extends AbstractPrincipalBas getUserManager(latestRoot).getAuthorizable(validPrincipal).remove(); latestRoot.commit(); try { - assertEquals(0, acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)).length); + assertEffectivePolicies(acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)), 1, -1, true); } finally { root.refresh(); getUserManager(root).createSystemUser(id, INTERMEDIATE_PATH); @@ -227,7 +223,7 @@ public class PrincipalBasedAccessControlManagerTest extends AbstractPrincipalBas latestRoot.getTree(getNamePathMapper().getOakPath(validPrincipal.getPath())).getChild(REP_PRINCIPAL_POLICY).remove(); latestRoot.commit(); - assertEquals(0, acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)).length); + assertEffectivePolicies(acMgr.getEffectivePolicies(ImmutableSet.of(validPrincipal)), 1, -1, true); } @Test(expected = AccessControlException.class) @@ -445,9 +441,9 @@ public class PrincipalBasedAccessControlManagerTest extends AbstractPrincipalBas addPrincipalBasedEntry(policy, PathUtils.ROOT_PATH, JCR_READ); root.commit(); - assertEffectivePolicy(acMgr.getEffectivePolicies(testJcrPath), 2); - assertEffectivePolicy(acMgr.getEffectivePolicies(testContentJcrPath), 2); - assertEffectivePolicy(acMgr.getEffectivePolicies(PathUtils.ROOT_PATH), 1); + assertEffectivePolicies(acMgr.getEffectivePolicies(testJcrPath), 1,2, false); + assertEffectivePolicies(acMgr.getEffectivePolicies(testContentJcrPath), 1, 2, false); + assertEffectivePolicies(acMgr.getEffectivePolicies(PathUtils.ROOT_PATH), 1,1, false); } @Test diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ReadablePathsAccessControlTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ReadablePathsAccessControlTest.java index 0c94593be5..3f82bdbe7c 100644 --- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ReadablePathsAccessControlTest.java +++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ReadablePathsAccessControlTest.java @@ -231,7 +231,9 @@ public class ReadablePathsAccessControlTest extends AbstractPrincipalBasedTest { @Test public void testGetEffectivePoliciesByPrincipal() throws Exception { - // NOTE: lookup by principal currently doesn't include READ_POLICY in accordance to default ac implementation - assertEquals(0, acMgr.getEffectivePolicies(Collections.singleton(testPrincipal)).length); + // OAK-10135 : include read-policy in effective policies by principal result + AccessControlPolicy[] effective = acMgr.getEffectivePolicies(Collections.singleton(testPrincipal)); + assertEquals(1, effective.length); + assertTrue(effective[0] instanceof ReadPolicy); } } \ No newline at end of file diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/TransientPrincipalTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/TransientPrincipalTest.java index eee533f016..0d17776c84 100644 --- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/TransientPrincipalTest.java +++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/TransientPrincipalTest.java @@ -140,14 +140,14 @@ public class TransientPrincipalTest extends AbstractPrincipalBasedTest { @Test public void testGetEffectivePolicies() throws Exception { AccessControlPolicy[] effective = acMgr.getEffectivePolicies(ImmutableSet.of(principal)); - assertEquals(0, effective.length); + assertEffectivePolicies(effective, 1, -1, true); PrincipalPolicyImpl policy = getApplicable(); policy.addEntry(testJcrPath, privilegesFromNames(JCR_WRITE)); acMgr.setPolicy(policy.getPath(), policy); effective = acMgr.getEffectivePolicies(ImmutableSet.of(principal)); - assertEquals(0, effective.length); + assertEffectivePolicies(effective, 1, -1, true); } @Test diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java index 4a040c2125..76e193a36f 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java @@ -370,7 +370,7 @@ public class AccessControlManagerImpl extends AbstractAccessControlManager imple Root r = getLatestRoot(); Result aceResult = searchAces(principals, r); - Set<JackrabbitAccessControlList> effective = Sets.newTreeSet(new PolicyComparator()); + Set<AccessControlPolicy> effective = Sets.newTreeSet(new PolicyComparator()); Set<String> processed = Sets.newHashSet(); Predicate<Tree> predicate = new PrincipalPredicate(principals); @@ -394,6 +394,10 @@ public class AccessControlManagerImpl extends AbstractAccessControlManager imple } } } + // add read-policy if there are readable paths configured where the editing session has READ_ACCESS_CONTROL granted + if (ReadPolicy.canAccessReadPolicy(getPermissionProvider(), readPaths.toArray(new String[0]))) { + effective.add(ReadPolicy.INSTANCE); + } return effective.toArray(new AccessControlPolicy[0]); } diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PolicyComparator.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PolicyComparator.java index cfc17ef99b..9a7030ec35 100644 --- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PolicyComparator.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PolicyComparator.java @@ -20,27 +20,40 @@ import com.google.common.primitives.Ints; import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy; import org.apache.jackrabbit.oak.commons.PathUtils; +import javax.jcr.security.AccessControlPolicy; import java.util.Comparator; -final class PolicyComparator implements Comparator<JackrabbitAccessControlPolicy> { +final class PolicyComparator implements Comparator<AccessControlPolicy> { @Override - public int compare(JackrabbitAccessControlPolicy policy1, JackrabbitAccessControlPolicy policy2) { + public int compare(AccessControlPolicy policy1, AccessControlPolicy policy2) { if (policy1.equals(policy2)) { return 0; + } else if (policy1 instanceof JackrabbitAccessControlPolicy && policy2 instanceof JackrabbitAccessControlPolicy) { + return compare((JackrabbitAccessControlPolicy) policy1, (JackrabbitAccessControlPolicy) policy2); } else { - String p1 = policy1.getPath(); - String p2 = policy2.getPath(); - - if (p1 == null) { + if (policy1 instanceof JackrabbitAccessControlPolicy) { return -1; - } else if (p2 == null) { + } else if (policy2 instanceof JackrabbitAccessControlPolicy) { return 1; } else { - int depth1 = PathUtils.getDepth(p1); - int depth2 = PathUtils.getDepth(p2); - return (depth1 == depth2) ? p1.compareTo(p2) : Ints.compare(depth1, depth2); + return 0; } } } + + private static int compare(JackrabbitAccessControlPolicy policy1, JackrabbitAccessControlPolicy policy2) { + String p1 = policy1.getPath(); + String p2 = policy2.getPath(); + + if (p1 == null) { + return -1; + } else if (p2 == null) { + return 1; + } else { + int depth1 = PathUtils.getDepth(p1); + int depth2 = PathUtils.getDepth(p2); + return (depth1 == depth2) ? p1.compareTo(p2) : Ints.compare(depth1, depth2); + } + } } \ No newline at end of file diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java index 55a2b760bb..4b11e805dd 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java @@ -27,6 +27,7 @@ import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.plugins.tree.TreeUtil; import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE; +import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ReadPolicy; import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction; import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; @@ -179,7 +180,14 @@ public abstract class AbstractAccessControlTest extends AbstractSecurityTest { } static void assertPolicies(@Nullable AccessControlPolicy[] policies, long expectedSize) { + assertPolicies(policies, expectedSize, false); + } + + static void assertPolicies(@Nullable AccessControlPolicy[] policies, long expectedSize, boolean readPolicyExpected) { assertNotNull(policies); assertEquals(expectedSize, policies.length); + if (policies.length > 0) { + assertEquals(readPolicyExpected, policies[policies.length - 1] instanceof ReadPolicy); + } } } diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java index fc0a33e344..12256cbe37 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java @@ -1591,14 +1591,14 @@ public class AccessControlManagerImplTest extends AbstractAccessControlTest impl for (Set<Principal> principals : principalSets) { AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals); - assertPolicies(policies, 0); + assertPolicies(policies, 1, true); } setupPolicy(testPath); // changes not yet persisted -> no effecitve policies found for testprincipal for (Set<Principal> principals : principalSets) { AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals); - assertPolicies(policies, 0); + assertPolicies(policies, 1, true); } root.commit(); @@ -1606,9 +1606,9 @@ public class AccessControlManagerImplTest extends AbstractAccessControlTest impl for (Set<Principal> principals : principalSets) { AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals); if (principals.contains(testPrincipal)) { - assertPolicies(policies, 1); + assertPolicies(policies, 2, true); } else { - assertPolicies(policies, 0); + assertPolicies(policies, 1, true); } } @@ -1619,9 +1619,9 @@ public class AccessControlManagerImplTest extends AbstractAccessControlTest impl for (Set<Principal> principals : principalSets) { AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals); if (principals.contains(testPrincipal)) { - assertPolicies(policies, 1); + assertPolicies(policies, 2, true); } else { - assertPolicies(policies, 0); + assertPolicies(policies, 1, true); } } @@ -1630,9 +1630,9 @@ public class AccessControlManagerImplTest extends AbstractAccessControlTest impl for (Set<Principal> principals : principalSets) { AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals); if (principals.contains(testPrincipal)) { - assertPolicies(policies, 2); + assertPolicies(policies, 3, true); } else { - assertPolicies(policies, 0); + assertPolicies(policies, 1, true); } } } @@ -1651,7 +1651,7 @@ public class AccessControlManagerImplTest extends AbstractAccessControlTest impl root.commit(); AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principalSet); - assertPolicies(policies, 1); + assertPolicies(policies, 2, true); // add another policy Tree child = TreeUtil.addChild(root.getTree(testPath), "child", JcrConstants.NT_UNSTRUCTURED); @@ -1659,7 +1659,7 @@ public class AccessControlManagerImplTest extends AbstractAccessControlTest impl setupPolicy(childPath); root.commit(); - assertPolicies(acMgr.getEffectivePolicies(principalSet), 2); + assertPolicies(acMgr.getEffectivePolicies(principalSet), 3, true); } @Test @@ -1689,7 +1689,7 @@ public class AccessControlManagerImplTest extends AbstractAccessControlTest impl root.commit(); AccessControlPolicy[] effectivePolicies = acMgr.getEffectivePolicies(principalSet); - assertPolicies(effectivePolicies, 3); + assertPolicies(effectivePolicies, 4, true); assertNull(((JackrabbitAccessControlPolicy) effectivePolicies[0]).getPath()); assertEquals(testPath, ((JackrabbitAccessControlPolicy) effectivePolicies[1]).getPath()); @@ -1723,7 +1723,7 @@ public class AccessControlManagerImplTest extends AbstractAccessControlTest impl for (Principal princ : principals) { AccessControlPolicy[] policies = acMgr.getEffectivePolicies(ImmutableSet.of(princ)); - assertPolicies(policies, 1); + assertPolicies(policies, 2, true); assertTrue(policies[0] instanceof AccessControlList); AccessControlList acl = (AccessControlList) policies[0]; @@ -1750,7 +1750,7 @@ public class AccessControlManagerImplTest extends AbstractAccessControlTest impl AccessControlManagerImpl mgr = createAccessControlManager(r, getNamePathMapper()); AccessControlPolicy[] policies = mgr.getEffectivePolicies(ImmutableSet.of(testPrincipal)); - assertPolicies(policies, 0); + assertPolicies(policies, 1, true); } @Test @@ -1770,7 +1770,7 @@ public class AccessControlManagerImplTest extends AbstractAccessControlTest impl AccessControlManagerImpl mgr = createAccessControlManager(r, getNamePathMapper()); AccessControlPolicy[] policies = mgr.getEffectivePolicies(ImmutableSet.of(testPrincipal)); - assertPolicies(policies, 0); + assertPolicies(policies, 1, true); } private static QueryEngine mockQueryEngine(@NotNull Tree aceTree) throws Exception { diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerLimitedPermissionsTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerLimitedPermissionsTest.java index 44aebe340a..68969133a6 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerLimitedPermissionsTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerLimitedPermissionsTest.java @@ -54,6 +54,7 @@ import java.util.Iterator; import java.util.List; import java.util.Set; +import static org.apache.jackrabbit.oak.security.authorization.accesscontrol.AbstractAccessControlTest.assertPolicies; import static org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.REP_POLICY; import static org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.REP_RESTRICTIONS; import static org.junit.Assert.assertArrayEquals; @@ -120,11 +121,6 @@ public class AccessControlManagerLimitedPermissionsTest extends AbstractSecurity return npMapper; } - private static void assertPolicies(@Nullable AccessControlPolicy[] policies, long expectedSize) { - assertNotNull(policies); - assertEquals(expectedSize, policies.length); - } - private void setupPolicy(@Nullable String path, @Nullable Privilege... privileges) throws RepositoryException { Privilege[] privs = (privileges == null || privileges.length == 0) ? testPrivileges : privileges; TestUtility.setupPolicy(getAccessControlManager(root), path, testPrincipal, privs, true, TestUtility.getGlobRestriction("*", getValueFactory(root)), null); @@ -515,7 +511,7 @@ public class AccessControlManagerLimitedPermissionsTest extends AbstractSecurity acMgr.setPolicy(testPath, acl); // grant access at childpath - setupPolicy(childPath, privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL)); + setupPolicy(childPath, privs); root.commit(); testRoot.refresh(); @@ -524,4 +520,49 @@ public class AccessControlManagerLimitedPermissionsTest extends AbstractSecurity AccessControlPolicy[] policies = testAcMgr.getEffectivePolicies(principals); assertPolicies(policies, 1); } + + @Test + public void testGetEffectivePoliciesByPrincipalsReadPolicy1() throws Exception { + // grant test-principal READ access at root node (but not READ_ACCESS_CONTROL) + setupPolicy(PathUtils.ROOT_PATH, privilegesFromNames(PrivilegeConstants.JCR_READ)); + root.commit(); + + testRoot.refresh(); + + // effective policies must NOT include ReadPolicy + Set<Principal> principals = ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance()); + AccessControlPolicy[] policies = testAcMgr.getEffectivePolicies(principals); + assertPolicies(policies, 0, false); + } + + @Test + public void testGetEffectivePoliciesByPrincipalsReadPolicy2() throws Exception { + // grant test-principal READ_ACCESS_CONTROL access at root node (but not READ) + setupPolicy(PathUtils.ROOT_PATH, privilegesFromNames(PrivilegeConstants.JCR_READ_ACCESS_CONTROL)); + root.commit(); + + testRoot.refresh(); + + // effective policies must include ReadPolicy + // but no path-not-found must be raised if the readable-path is not accessible + Set<Principal> principals = ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance()); + AccessControlPolicy[] policies = testAcMgr.getEffectivePolicies(principals); + // since no other ac-setup exists for 'everyone' principal -> only ReadPolicy is found + assertPolicies(policies, 1, true); + } + + @Test + public void testGetEffectivePoliciesByPrincipalsIncludesReadPolicy3() throws Exception { + // grant test-principal READ and READ_ACCESS_CONTROL at root node + setupPolicy(PathUtils.ROOT_PATH, privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL)); + root.commit(); + + testRoot.refresh(); + + // effective policies must include ReadPolicy + Set<Principal> principals = ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance()); + AccessControlPolicy[] policies = testAcMgr.getEffectivePolicies(principals); + // since no other ac-setup exists for 'everyone' principal -> only ReadPolicy is found + assertPolicies(policies, 1, true); + } } diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlWithUnknownPrincipalTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlWithUnknownPrincipalTest.java index 889970e8c7..e0a54ce1f9 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlWithUnknownPrincipalTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlWithUnknownPrincipalTest.java @@ -16,13 +16,11 @@ */ package org.apache.jackrabbit.oak.security.authorization.accesscontrol; -import com.google.common.collect.ImmutableSet; import com.google.common.collect.Lists; import org.apache.jackrabbit.api.security.JackrabbitAccessControlList; import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; -import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl; import org.apache.jackrabbit.oak.spi.xml.ImportBehavior; import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter; @@ -33,7 +31,6 @@ import org.junit.runner.RunWith; import org.junit.runners.Parameterized; import javax.jcr.RepositoryException; -import javax.jcr.ValueFactory; import javax.jcr.security.AccessControlException; import javax.jcr.security.AccessControlPolicy; import java.security.Principal; @@ -63,7 +60,6 @@ public class AccessControlWithUnknownPrincipalTest extends AbstractAccessControl private final String importBehaviorName; private AccessControlManagerImpl acMgr; - private ValueFactory valueFactory; public AccessControlWithUnknownPrincipalTest(int importBehavior, String importBehaviorName) { this.importBehavior = importBehavior; @@ -75,7 +71,6 @@ public class AccessControlWithUnknownPrincipalTest extends AbstractAccessControl super.before(); acMgr = new AccessControlManagerImpl(root, getNamePathMapper(), getSecurityProvider()); - valueFactory = getValueFactory(root); } @Override @@ -180,8 +175,10 @@ public class AccessControlWithUnknownPrincipalTest extends AbstractAccessControl AccessControlPolicy[] effective = acMgr.getEffectivePolicies(Collections.singleton(unknown)); switch (importBehavior) { case ImportBehavior.IGNORE: + assertPolicies(effective, 0, false); + break; case ImportBehavior.BESTEFFORT: - assertEquals(0, effective.length); + assertPolicies(effective, 1, true); break; case ImportBehavior.ABORT: default: @@ -196,7 +193,7 @@ public class AccessControlWithUnknownPrincipalTest extends AbstractAccessControl public void testGetEffectivePoliciesInternalPrincipal() throws Exception { Principal unknown = new PrincipalImpl(getUnknownPrincipalName()); AccessControlPolicy[] effective = acMgr.getEffectivePolicies(Collections.singleton(unknown)); - assertEquals(0, effective.length); + assertPolicies(effective, 1, true); } @Test diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PolicyComparatorTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PolicyComparatorTest.java index 5bed6417c4..87bf7e4f53 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PolicyComparatorTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/PolicyComparatorTest.java @@ -19,10 +19,14 @@ package org.apache.jackrabbit.oak.security.authorization.accesscontrol; import com.google.common.primitives.Ints; import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy; import org.apache.jackrabbit.oak.commons.PathUtils; +import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ReadPolicy; import org.junit.Test; +import javax.jcr.security.AccessControlPolicy; + import static org.junit.Assert.assertEquals; import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verifyNoInteractions; import static org.mockito.Mockito.when; public class PolicyComparatorTest { @@ -97,4 +101,26 @@ public class PolicyComparatorTest { int expected = Ints.compare(PathUtils.getDepth("/path"), PathUtils.getDepth("/a/deeper/path")); assertEquals(expected, comparator.compare(policy1, policy2)); } + + @Test + public void testOneNonJackrabbitPolicy() { + JackrabbitAccessControlPolicy p1 = mock(JackrabbitAccessControlPolicy.class); + AccessControlPolicy p2 = mock(AccessControlPolicy.class); + + assertEquals(-1, comparator.compare(p1, p2)); + assertEquals(1, comparator.compare(p2, p1)); + + verifyNoInteractions(p1, p2); + } + + @Test + public void testNonJackrabbitPolicies() { + AccessControlPolicy p1 = mock(AccessControlPolicy.class); + AccessControlPolicy p2 = mock(AccessControlPolicy.class); + assertEquals(0, comparator.compare(p1, p2)); + assertEquals(0, comparator.compare(p2, p1)); + assertEquals(0, comparator.compare(p1, ReadPolicy.INSTANCE)); + + verifyNoInteractions(p1, p2); + } } \ No newline at end of file diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java index 2ddd85fd9b..08e71d78eb 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ReadPolicyTest.java @@ -16,21 +16,31 @@ */ package org.apache.jackrabbit.oak.security.authorization.accesscontrol; +import java.util.Collection; +import java.util.Collections; import java.util.HashSet; import java.util.Iterator; import java.util.Set; import javax.jcr.security.AccessControlPolicy; import javax.jcr.security.NamedAccessControlPolicy; +import com.google.common.collect.Lists; +import org.apache.jackrabbit.JcrConstants; import org.apache.jackrabbit.oak.AbstractSecurityTest; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ReadPolicy; import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants; +import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; +import org.jetbrains.annotations.NotNull; +import org.jetbrains.annotations.Nullable; import org.junit.Before; import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import static org.apache.jackrabbit.oak.security.authorization.accesscontrol.AbstractAccessControlTest.assertPolicies; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertTrue; @@ -41,11 +51,27 @@ import static org.junit.Assert.fail; * * @since OAK 1.0 */ +@RunWith(Parameterized.class) public class ReadPolicyTest extends AbstractSecurityTest { + private final Set<String> configuredPaths; + private Set<String> readPaths; private Set<String> subTreePaths = new HashSet<>(); + @Parameterized.Parameters(name = "Configured Readable Paths = {1}") + public static Collection<Object[]> parameters() { + return Lists.newArrayList( + new Object[] {null , "null => default set"}, + new Object[] {Collections.emptySet(), "empty set"}, + new Object[] {Collections.emptySet(), "/"+JcrConstants.JCR_SYSTEM} + ); + } + + public ReadPolicyTest(@Nullable Set<String> configuredPaths, @NotNull String name) { + this.configuredPaths = configuredPaths; + } + @Override @Before public void before() throws Exception { @@ -63,6 +89,16 @@ public class ReadPolicyTest extends AbstractSecurityTest { } } + @Override + protected ConfigurationParameters getSecurityConfigParameters() { + if (configuredPaths != null) { + ConfigurationParameters params = ConfigurationParameters.of(PermissionConstants.PARAM_READ_PATHS, configuredPaths); + return ConfigurationParameters.of(AuthorizationConfiguration.NAME, params); + } else { + return super.getSecurityConfigParameters(); + } + } + @Test public void testGetPolicies() throws Exception { for (String path : readPaths) { @@ -119,13 +155,22 @@ public class ReadPolicyTest extends AbstractSecurityTest { assertTrue(found); } } + + @Test + public void testGetEffectivePoliciesPrincipalSet() throws Exception { + AccessControlPolicy[] policies = getAccessControlManager(root).getEffectivePolicies(Collections.singleton(EveryonePrincipal.getInstance())); + long expSize = (readPaths.isEmpty()) ? 0 : 1; + assertPolicies(policies, expSize, true); + } @Test public void testGetName() throws Exception { - AccessControlPolicy[] policies = getAccessControlManager(root).getPolicies(readPaths.iterator().next()); - assertEquals(1, policies.length); - assertTrue(policies[0] instanceof NamedAccessControlPolicy); - assertNotNull(((NamedAccessControlPolicy) policies[0]).getName()); + if (!readPaths.isEmpty()) { + AccessControlPolicy[] policies = getAccessControlManager(root).getPolicies(readPaths.iterator().next()); + assertEquals(1, policies.length); + assertTrue(policies[0] instanceof NamedAccessControlPolicy); + assertNotNull(((NamedAccessControlPolicy) policies[0]).getName()); + } } } \ No newline at end of file diff --git a/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ReadPolicy.java b/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ReadPolicy.java index 3ed3530eac..b905fb0ae6 100644 --- a/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ReadPolicy.java +++ b/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ReadPolicy.java @@ -16,6 +16,8 @@ */ package org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; import org.apache.jackrabbit.util.Text; import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; @@ -49,4 +51,22 @@ public final class ReadPolicy implements NamedAccessControlPolicy { } return false; } + + /** + * Evaluates if a {@code ReadPolicy} is accessible for a session object. Note that this method does not verify if + * the specified paths point to existing/accessible trees. + * + * @param permissionProvider A permission provider used for evaluating access + * @param oakPaths The set of configured readable paths. + * @return {@code true} if the given permission provider has READ_ACCESS_CONTROL granted on any of the specified + * readable oak paths; {@code false} otherwise. + */ + public static boolean canAccessReadPolicy(@NotNull PermissionProvider permissionProvider, @NotNull String... oakPaths) { + for (String path : oakPaths) { + if (permissionProvider.isGranted(path, Permissions.PERMISSION_NAMES.get(Permissions.READ_ACCESS_CONTROL))) { + return true; + } + } + return false; + } } \ No newline at end of file diff --git a/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/package-info.java b/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/package-info.java index fdd635b15e..fef70dc81f 100644 --- a/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/package-info.java +++ b/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/package-info.java @@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -@Version("1.10.0") +@Version("1.11.0") package org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol; import org.osgi.annotation.versioning.Version; diff --git a/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ReadPolicyTest.java b/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ReadPolicyTest.java index 2e8d32b130..f3895e9744 100644 --- a/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ReadPolicyTest.java +++ b/oak-security-spi/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ReadPolicyTest.java @@ -18,6 +18,8 @@ package org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol; import com.google.common.collect.ImmutableSet; import org.apache.jackrabbit.oak.commons.PathUtils; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; import org.junit.Test; import java.util.Collections; @@ -25,6 +27,8 @@ import java.util.Collections; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; public class ReadPolicyTest { @@ -54,4 +58,20 @@ public class ReadPolicyTest { assertTrue(ReadPolicy.hasEffectiveReadPolicy(ImmutableSet.of("/another/path", "/some/random/path"), path)); assertTrue(ReadPolicy.hasEffectiveReadPolicy(ImmutableSet.of("/another/path", PathUtils.ROOT_PATH), path)); } + + @Test + public void testCanAccessReadPolicy() { + PermissionProvider pp = mock(PermissionProvider.class); + + assertFalse(ReadPolicy.canAccessReadPolicy(pp)); + assertFalse(ReadPolicy.canAccessReadPolicy(pp, "/test/path")); + + when(pp.isGranted("/test/path", Permissions.PERMISSION_NAMES.get(Permissions.READ_ACCESS_CONTROL))).thenReturn(true); + + assertFalse(ReadPolicy.canAccessReadPolicy(pp)); + assertFalse(ReadPolicy.canAccessReadPolicy(pp, "/different/path")); + + assertTrue(ReadPolicy.canAccessReadPolicy(pp, "/test/path")); + assertTrue(ReadPolicy.canAccessReadPolicy(pp, "/different/path", "/test/path")); + } } \ No newline at end of file