You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2017/02/23 17:44:49 UTC
svn commit: r1784181 - in
/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction:
AbstractRestrictionProviderTest.java CompositePatternTest.java
CompositeRestrictionProviderTest.java TestProvider.java
Author: angela
Date: Thu Feb 23 17:44:49 2017
New Revision: 1784181
URL: http://svn.apache.org/viewvc?rev=1784181&view=rev
Log:
OAK-5793 : Improve coverage for security code in oak-core (wip)
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePatternTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/TestProvider.java
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java?rev=1784181&r1=1784180&r2=1784181&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java Thu Feb 23 17:44:49 2017
@@ -41,6 +41,7 @@ import org.junit.Test;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
@@ -134,14 +135,14 @@ public class AbstractRestrictionProvider
@Test
public void testCreateForUnsupportedName() throws Exception {
try {
- restrictionProvider.createRestriction(unsupportedPath, "unsupported", globValue);
+ restrictionProvider.createRestriction(testPath, "unsupported", globValue);
fail();
} catch (AccessControlException e) {
// success
}
try {
- restrictionProvider.createRestriction(unsupportedPath, "unsupported", nameValues);
+ restrictionProvider.createRestriction(testPath, "unsupported", nameValues);
fail();
} catch (AccessControlException e) {
// success
@@ -151,13 +152,13 @@ public class AbstractRestrictionProvider
@Test
public void testCreateForUnsupportedType() throws Exception {
try {
- restrictionProvider.createRestriction(unsupportedPath, REP_GLOB, valueFactory.createValue(true));
+ restrictionProvider.createRestriction(testPath, REP_GLOB, valueFactory.createValue(true));
fail();
} catch (AccessControlException e) {
// success
}
try {
- restrictionProvider.createRestriction(unsupportedPath, REP_NT_NAMES,
+ restrictionProvider.createRestriction(testPath, REP_NT_NAMES,
valueFactory.createValue("nt:file", PropertyType.NAME),
valueFactory.createValue(true));
fail();
@@ -169,7 +170,7 @@ public class AbstractRestrictionProvider
@Test
public void testCreateForUnsupportedMultiValues() throws Exception {
try {
- restrictionProvider.createRestriction(unsupportedPath, REP_GLOB,
+ restrictionProvider.createRestriction(testPath, REP_GLOB,
valueFactory.createValue("*"),
valueFactory.createValue("/a/*"));
fail();
@@ -187,6 +188,15 @@ public class AbstractRestrictionProvider
}
@Test
+ public void testCreateRestrictionFromArray() throws Exception {
+ Restriction r = restrictionProvider.createRestriction(testPath, REP_GLOB, new Value[] {globValue});
+ assertNotNull(r);
+ assertEquals(REP_GLOB, r.getDefinition().getName());
+ assertEquals(globValue.getString(), r.getProperty().getValue(Type.STRING));
+ assertFalse(r.getProperty().isArray());
+ }
+
+ @Test
public void testCreateMvRestriction() throws Exception {
Restriction r = restrictionProvider.createRestriction(testPath, REP_NT_NAMES,
valueFactory.createValue("nt:folder", PropertyType.NAME),
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePatternTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePatternTest.java?rev=1784181&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePatternTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositePatternTest.java Thu Feb 23 17:44:49 2017
@@ -0,0 +1,117 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
+
+import java.util.List;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+import com.google.common.collect.ImmutableList;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState;
+import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
+import org.apache.jackrabbit.oak.plugins.tree.TreeFactory;
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+
+public class CompositePatternTest {
+
+ private final RestrictionPattern alwaysMatching = CompositePattern.create(ImmutableList.of(TestRestrictionPatter.INSTANCE_TRUE, TestRestrictionPatter.INSTANCE_TRUE));
+ private final RestrictionPattern neverMatching = CompositePattern.create(ImmutableList.of(TestRestrictionPatter.INSTANCE_TRUE, TestRestrictionPatter.INSTANCE_FALSE));
+
+ @Test
+ public void testCreateFromEmptyList() {
+ RestrictionPattern rp = CompositePattern.create(ImmutableList.<RestrictionPattern>of());
+ assertSame(RestrictionPattern.EMPTY, rp);
+ }
+
+ @Test
+ public void testCreateFromSingletonList() {
+ RestrictionPattern rp = CompositePattern.create(ImmutableList.of(TestRestrictionPatter.INSTANCE_TRUE));
+ assertSame(TestRestrictionPatter.INSTANCE_TRUE, rp);
+ }
+
+ @Test
+ public void testCreateFromList() {
+ RestrictionPattern rp = CompositePattern.create(ImmutableList.of(TestRestrictionPatter.INSTANCE_TRUE, TestRestrictionPatter.INSTANCE_FALSE));
+ assertTrue(rp instanceof CompositePattern);
+ }
+
+ @Test
+ public void testMatches() {
+ assertTrue(alwaysMatching.matches());
+ assertFalse(neverMatching.matches());
+ }
+
+ @Test
+ public void testMatchesPath() {
+ List<String> paths = ImmutableList.of("/", "/a", "/a/b/c", "");
+
+ for (String path : paths) {
+ assertTrue(alwaysMatching.matches(path));
+ assertFalse(neverMatching.matches(path));
+ }
+ }
+
+ @Test
+ public void testMatchesTree() {
+ Tree tree = TreeFactory.createReadOnlyTree(EmptyNodeState.EMPTY_NODE);
+
+ assertTrue(alwaysMatching.matches(tree, null));
+ assertFalse(neverMatching.matches(tree, null));
+ }
+
+ @Test
+ public void testMatchesTreeProperty() {
+ Tree tree = TreeFactory.createReadOnlyTree(EmptyNodeState.EMPTY_NODE);
+ PropertyState property = PropertyStates.createProperty("prop", "value");
+
+ assertTrue(alwaysMatching.matches(tree, property));
+ assertFalse(neverMatching.matches(tree, property));
+ }
+
+ private static final class TestRestrictionPatter implements RestrictionPattern {
+
+ private static RestrictionPattern INSTANCE_TRUE = new TestRestrictionPatter(true);
+ private static RestrictionPattern INSTANCE_FALSE = new TestRestrictionPatter(false);
+
+ private final boolean matches;
+
+ private TestRestrictionPatter(boolean matches) {
+ this.matches = matches;
+ }
+
+ @Override
+ public boolean matches(@Nonnull Tree tree, @Nullable PropertyState property) {
+ return matches;
+ }
+
+ @Override
+ public boolean matches(@Nonnull String path) {
+ return matches;
+ }
+
+ @Override
+ public boolean matches() {
+ return matches;
+ }
+ }
+}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java?rev=1784181&r1=1784180&r2=1784181&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java Thu Feb 23 17:44:49 2017
@@ -53,6 +53,12 @@ public class CompositeRestrictionProvide
"boolean", new RestrictionDefinitionImpl("boolean", Type.BOOLEAN, true),
"longs", new RestrictionDefinitionImpl("longs", Type.LONGS, false)
));
+
+ private RestrictionProvider rp3 = new TestProvider(ImmutableMap.of(
+ "string", new RestrictionDefinitionImpl("string", Type.STRING, false)),
+ true
+ );
+
private Set<String> supported = ImmutableSet.of("boolean", "longs", REP_NT_NAMES, REP_GLOB);
private RestrictionProvider provider = CompositeRestrictionProvider.newInstance(rp1, rp2);
@@ -264,6 +270,49 @@ public class CompositeRestrictionProvide
} catch (AccessControlException e) {
// success
}
+ }
+
+ @Test
+ public void testValidateRestrictionsAtEntryNode() throws Exception {
+ NodeUtil aceNode = new NodeUtil(root.getTree("/")).addChild("test", NT_REP_GRANT_ACE);
+ aceNode.setBoolean("boolean", true);
+ aceNode.setValues("longs", new Value[] {vf.createValue(10), vf.createValue(290)});
+ aceNode.setString(REP_GLOB, "*");
+ aceNode.setNames(REP_NT_NAMES); // empty array
+
+ provider.validateRestrictions("/test", aceNode.getTree());
+ }
+
+ @Test
+ public void testValidateInvalidRestrictionDef() throws Exception {
+ RestrictionProvider rp = CompositeRestrictionProvider.newInstance(rp1, rp3);
+
+ NodeUtil aceNode = new NodeUtil(root.getTree("/")).addChild("test", NT_REP_GRANT_ACE);
+ NodeUtil rNode = aceNode.addChild(REP_RESTRICTIONS, NT_REP_RESTRICTIONS);
+ rNode.setValues(REP_GLOB, new Value[]{vf.createValue(10), vf.createValue(290)});
+
+ try {
+ rp.validateRestrictions("/test", aceNode.getTree());
+ fail("Validation must detect invalid restriction definition");
+ } catch (AccessControlException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testValidateUnsupportedRestriction() throws Exception {
+ RestrictionProvider rp = CompositeRestrictionProvider.newInstance(rp1, rp3);
+
+ NodeUtil aceNode = new NodeUtil(root.getTree("/")).addChild("test", NT_REP_GRANT_ACE);
+ NodeUtil rNode = aceNode.addChild(REP_RESTRICTIONS, NT_REP_RESTRICTIONS);
+ rNode.setString("unsupported", "value");
+
+ try {
+ rp.validateRestrictions("/test", aceNode.getTree());
+ fail("Validation must detect unsupported restriction");
+ } catch (AccessControlException e) {
+ // success
+ }
}
@Test
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/TestProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/TestProvider.java?rev=1784181&r1=1784180&r2=1784181&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/TestProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/TestProvider.java Thu Feb 23 17:44:49 2017
@@ -16,11 +16,13 @@
*/
package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
+import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
+import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
@@ -29,8 +31,32 @@ import org.apache.jackrabbit.oak.api.Tre
*/
final class TestProvider extends AbstractRestrictionProvider {
+ private final boolean nonValidatingRead;
+
TestProvider(Map<String, ? extends RestrictionDefinition> supportedRestrictions) {
+ this(supportedRestrictions, false);
+ }
+
+ TestProvider(Map<String, ? extends RestrictionDefinition> supportedRestrictions, boolean nonValidatingRead) {
super(supportedRestrictions);
+ this.nonValidatingRead = nonValidatingRead;
+ }
+
+ @Nonnull
+ @Override
+ public Set<Restriction> readRestrictions(String oakPath, @Nonnull Tree aceTree) {
+ if (nonValidatingRead) {
+ Set<Restriction> restrictions = new HashSet();
+ for (PropertyState propertyState : getRestrictionsTree(aceTree).getProperties()) {
+ String name = propertyState.getName();
+ if (!JcrConstants.JCR_PRIMARYTYPE.equals(name)) {
+ restrictions.add(new RestrictionImpl(propertyState, new RestrictionDefinitionImpl(name, propertyState.getType(), false)));
+ }
+ }
+ return restrictions;
+ } else {
+ return super.readRestrictions(oakPath, aceTree);
+ }
}
@Nonnull