You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/10/14 11:02:49 UTC
svn commit: r1708563 [2/3] - in /jackrabbit/oak/trunk:
oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/
oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/...
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java?rev=1708563&r1=1708562&r2=1708563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderEmptyTest.java Wed Oct 14 09:02:49 2015
@@ -36,12 +36,9 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
-import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
-import org.apache.jackrabbit.util.Text;
import org.junit.Test;
import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
/**
@@ -89,15 +86,15 @@ public class CompositeProviderEmptyTest
for (String p : NODE_PATHS) {
Tree tree = root.getTree(p);
- assertFalse(cpp.hasPrivileges(tree, PrivilegeConstants.JCR_READ));
- assertFalse(cpp.hasPrivileges(tree, PrivilegeConstants.JCR_WRITE));
- assertFalse(cpp.hasPrivileges(tree, PrivilegeConstants.REP_READ_NODES));
+ assertFalse(cpp.hasPrivileges(tree, JCR_READ));
+ assertFalse(cpp.hasPrivileges(tree, JCR_WRITE));
+ assertFalse(cpp.hasPrivileges(tree, REP_READ_NODES));
}
}
@Test
public void testHasPrivilegesOnRepo() throws Exception {
- assertFalse(cpp.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT));
+ assertFalse(cpp.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT));
}
@@ -105,22 +102,24 @@ public class CompositeProviderEmptyTest
public void testIsGranted() throws Exception {
for (String p : NODE_PATHS) {
Tree tree = root.getTree(p);
- PropertyState ps = tree.getProperty(JcrConstants.JCR_PRIMARYTYPE);
assertFalse(cpp.isGranted(tree, null, Permissions.READ_NODE));
- assertFalse(cpp.isGranted(tree, ps, Permissions.READ_PROPERTY));
-
assertFalse(cpp.isGranted(tree, null, Permissions.READ_NODE | Permissions.MODIFY_CHILD_NODE_COLLECTION));
- assertFalse(cpp.isGranted(tree, ps, Permissions.MODIFY_PROPERTY));
-
assertFalse(cpp.isGranted(tree, null, Permissions.READ_ACCESS_CONTROL | Permissions.MODIFY_ACCESS_CONTROL));
- assertFalse(cpp.isGranted(tree, ps, Permissions.READ_ACCESS_CONTROL | Permissions.MODIFY_ACCESS_CONTROL));
}
}
@Test
public void testIsGrantedProperty() throws Exception {
- // TODO
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+
+ assertFalse(cpp.isGranted(tree, PROPERTY_STATE, Permissions.READ_PROPERTY));
+ assertFalse(cpp.isGranted(tree, PROPERTY_STATE, Permissions.MODIFY_PROPERTY));
+ assertFalse(cpp.isGranted(tree, PROPERTY_STATE, Permissions.ADD_PROPERTY));
+ assertFalse(cpp.isGranted(tree, PROPERTY_STATE, Permissions.REMOVE_PROPERTY));
+ assertFalse(cpp.isGranted(tree, PROPERTY_STATE, Permissions.READ_ACCESS_CONTROL | Permissions.MODIFY_ACCESS_CONTROL));
+ }
}
@Test
@@ -132,7 +131,7 @@ public class CompositeProviderEmptyTest
assertFalse(cpp.isGranted(nodePath, Session.ACTION_REMOVE));
assertFalse(cpp.isGranted(propPath, JackrabbitSession.ACTION_MODIFY_PROPERTY));
- assertFalse(cpp.isGranted(nodePath, Text.implode(new String[] {JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL, JackrabbitSession.ACTION_READ_ACCESS_CONTROL}, ",")));
+ assertFalse(cpp.isGranted(nodePath, getActionString(JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL, JackrabbitSession.ACTION_READ_ACCESS_CONTROL)));
assertFalse(cpp.isGranted(nonExisting, JackrabbitSession.ACTION_ADD_PROPERTY));
assertFalse(cpp.isGranted(nonExisting, Session.ACTION_ADD_NODE));
}
@@ -146,32 +145,59 @@ public class CompositeProviderEmptyTest
}
@Test
- public void testGetTreePermission() throws Exception {
- TreePermission rootPermission = assertTreePermission(root.getTree("/"), TreePermission.EMPTY);
- TreePermission testPermission = assertTreePermission(root.getTree(TEST_PATH), rootPermission);
- assertTreePermission(root.getTree(TEST_CHILD_PATH), testPermission);
+ public void testTreePermissionIsGranted() throws Exception {
+ TreePermission parentPermission = TreePermission.EMPTY;
+
+ for (String path : TP_PATHS) {
+ TreePermission tp = cpp.getTreePermission(root.getTree(path), parentPermission);
+
+ assertFalse(tp.isGranted(Permissions.READ_NODE));
+ assertFalse(tp.isGranted(Permissions.REMOVE_NODE));
+ assertFalse(tp.isGranted(Permissions.ALL));
+
+
+ parentPermission = tp;
+ }
+ }
+
+ @Test
+ public void testTreePermissionIsGrantedProperty() throws Exception {
+ TreePermission parentPermission = TreePermission.EMPTY;
+
+ for (String path : TP_PATHS) {
+ TreePermission tp = cpp.getTreePermission(root.getTree(path), parentPermission);
+
+ assertFalse(tp.isGranted(Permissions.READ_PROPERTY, PROPERTY_STATE));
+ assertFalse(tp.isGranted(Permissions.REMOVE_PROPERTY, PROPERTY_STATE));
+
+ parentPermission = tp;
+ }
}
- private TreePermission assertTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) {
- PropertyState ps = tree.getProperty(JcrConstants.JCR_PRIMARYTYPE);
- assertNotNull(ps);
+ @Test
+ public void testTreePermissionCanRead() throws Exception {
+ TreePermission parentPermission = TreePermission.EMPTY;
- TreePermission treePermission = cpp.getTreePermission(tree, parentPermission);
+ for (String path : TP_PATHS) {
+ Tree t = root.getTree(path);
+ TreePermission tp = cpp.getTreePermission(t, parentPermission);
+ assertFalse(tp.canRead());
- assertFalse(treePermission.isGranted(Permissions.ALL));
- assertFalse(treePermission.isGranted(Permissions.READ_NODE));
- assertFalse(treePermission.isGranted(Permissions.REMOVE_NODE));
- assertFalse(treePermission.isGranted(Permissions.REMOVE_NODE));
+ parentPermission = tp;
+ }
+ }
- assertFalse(treePermission.isGranted(Permissions.READ_PROPERTY, ps));
- assertFalse(treePermission.isGranted(Permissions.REMOVE_PROPERTY, ps));
+ @Test
+ public void testTreePermissionCanReadProperty() throws Exception {
+ TreePermission parentPermission = TreePermission.EMPTY;
- assertFalse(treePermission.canRead());
- assertFalse(treePermission.canRead(ps));
- assertFalse(treePermission.canReadAll());
- assertFalse(treePermission.canReadProperties());
+ for (String path : TP_PATHS) {
+ Tree t = root.getTree(path);
+ TreePermission tp = cpp.getTreePermission(t, parentPermission);
+ assertFalse(tp.canRead(PROPERTY_STATE));
- return treePermission;
+ parentPermission = tp;
+ }
}
/**
@@ -229,7 +255,7 @@ public class CompositeProviderEmptyTest
@Nonnull
@Override
public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) {
- return (privilegeBits == null) ? new PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL) : privilegeBits;
+ return (privilegeBits == null) ? new PrivilegeBitsProvider(root).getBits(JCR_ALL) : privilegeBits;
}
@Override
@@ -243,7 +269,7 @@ public class CompositeProviderEmptyTest
}
@Override
- public long supportedPermissions(@Nonnull TreePermission treePermission, long permissions) {
+ public long supportedPermissions(@Nonnull TreePermission treePermission, @Nullable PropertyState propertyState, long permissions) {
return permissions;
}
@@ -251,5 +277,5 @@ public class CompositeProviderEmptyTest
public boolean isGranted(@Nonnull TreeLocation location, long permissions) {
return false;
}
- };
+ }
}
\ No newline at end of file
Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeReverseTest.java (from r1708292, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedReverseTest.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeReverseTest.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeReverseTest.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedReverseTest.java&r1=1708292&r2=1708563&rev=1708563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedReverseTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeReverseTest.java Wed Oct 14 09:02:49 2015
@@ -17,10 +17,10 @@
package org.apache.jackrabbit.oak.security.authorization.composite;
/**
- * Same as {@link CompositeProviderLimitedTest}
+ * Same as {@link CompositeProviderFullScopeTest}
* with reverse order of the aggregated providers.
*/
-public class CompositeProviderLimitedReverseTest extends CompositeProviderLimitedTest {
+public class CompositeProviderFullScopeReverseTest extends CompositeProviderFullScopeTest {
@Override
boolean reverseOrder() {
Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeTest.java (from r1708292, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeTest.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeTest.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java&r1=1708292&r2=1708563&rev=1708563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderFullScopeTest.java Wed Oct 14 09:02:49 2015
@@ -16,12 +16,28 @@
*/
package org.apache.jackrabbit.oak.security.authorization.composite;
+import java.util.Map;
+import java.util.Set;
+
+import javax.jcr.Session;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.junit.Test;
+import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
@@ -38,7 +54,7 @@ import static org.junit.Assert.assertTru
* but has no other access granted
* - admin user can only read nodes and register namespaces
*/
-public class CompositeProviderLimitedTest extends AbstractCompositeProviderTest {
+public class CompositeProviderFullScopeTest extends AbstractCompositeProviderTest {
private CompositePermissionProvider cppTestUser;
private CompositePermissionProvider cppAdminUser;
@@ -53,31 +69,205 @@ public class CompositeProviderLimitedTes
@Override
protected AggregatedPermissionProvider getTestPermissionProvider() {
- return new TestPermissionProvider(root, true);
+ return new FullScopeProvider(root);
}
@Test
public void testGetPrivileges() throws Exception {
- // TODO
+ PrivilegeBitsProvider pbp = new PrivilegeBitsProvider(root);
+ PrivilegeBits readNodes = pbp.getBits(REP_READ_NODES);
+ Set<String> expected = ImmutableSet.of(REP_READ_NODES);
+
+ for (String path : defPrivileges.keySet()) {
+ Set<String> defaultPrivs = defPrivileges.get(path);
+ Tree tree = root.getTree(path);
+
+ Set<String> privNames = cppTestUser.getPrivileges(tree);
+ if (pbp.getBits(defaultPrivs).includes(readNodes)) {
+ assertEquals(expected, privNames);
+ } else {
+ assertTrue(privNames.isEmpty());
+ }
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesAdmin() throws Exception {
+ PrivilegeBitsProvider pbp = new PrivilegeBitsProvider(root);
+ Set<String> expected = ImmutableSet.of(REP_READ_NODES);
+
+ for (String path : NODE_PATHS) {
+ Tree tree = root.getTree(path);
+ assertEquals(expected, cppAdminUser.getPrivileges(tree));
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesOnRepo() throws Exception {
+ Set<String> expected = ImmutableSet.of(JCR_NAMESPACE_MANAGEMENT);
+ assertEquals(expected, cppTestUser.getPrivileges(null));
}
+ @Test
+ public void testGetPrivilegesOnRepoAdmin() throws Exception {
+ Set<String> expected = ImmutableSet.of(JCR_NAMESPACE_MANAGEMENT);
+ assertEquals(expected, cppAdminUser.getPrivileges(null));
+ }
@Test
public void testHasPrivileges() throws Exception {
- // TODO
+ PrivilegeBitsProvider pbp = new PrivilegeBitsProvider(root);
+ PrivilegeBits readNodes = pbp.getBits(REP_READ_NODES);
+
+ for (String path : defPrivileges.keySet()) {
+ Set<String> defaultPrivs = defPrivileges.get(path);
+ PrivilegeBits defaultBits = pbp.getBits(defaultPrivs);
+ Tree tree = root.getTree(path);
+
+ if (defaultPrivs.isEmpty()) {
+ assertFalse(path, cppTestUser.hasPrivileges(tree, REP_READ_NODES));
+ } else if (defaultBits.includes(readNodes)) {
+ assertTrue(path, cppTestUser.hasPrivileges(tree, REP_READ_NODES));
+ if (!readNodes.equals(defaultBits)) {
+ assertFalse(path, cppTestUser.hasPrivileges(tree, defaultPrivs.toArray(new String[defaultPrivs.size()])));
+ }
+ } else {
+ assertFalse(path, cppTestUser.hasPrivileges(tree, REP_READ_NODES));
+ assertFalse(path, cppTestUser.hasPrivileges(tree, defaultPrivs.toArray(new String[defaultPrivs.size()])));
+ }
+ }
}
+ @Test
+ public void testHasPrivilegesAdmin() throws Exception {
+ for (String path : NODE_PATHS) {
+ Tree tree = root.getTree(path);
+
+ assertTrue(cppAdminUser.hasPrivileges(tree, REP_READ_NODES));
+
+ assertFalse(cppAdminUser.hasPrivileges(tree, JCR_READ));
+ assertFalse(cppAdminUser.hasPrivileges(tree, JCR_ALL));
+ assertFalse(cppAdminUser.hasPrivileges(tree, JCR_WRITE));
+ assertFalse(cppAdminUser.hasPrivileges(tree, REP_READ_NODES, REP_READ_PROPERTIES));
+ assertFalse(cppAdminUser.hasPrivileges(tree, JCR_MODIFY_PROPERTIES));
+ assertFalse(cppAdminUser.hasPrivileges(tree, JCR_LOCK_MANAGEMENT));
+ }
+ }
+
+ @Test
+ public void testHasPrivilegesOnRepo() throws Exception {
+ assertTrue(cppTestUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT));
+
+ assertFalse(cppTestUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertFalse(cppTestUser.hasPrivileges(null, JCR_ALL));
+
+ assertTrue(cppTestUser.hasPrivileges(null));
+ }
+
+ @Test
+ public void testHasPrivilegeOnRepoAdmin() throws Exception {
+ assertTrue(cppAdminUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT));
+
+ assertFalse(cppAdminUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertFalse(cppAdminUser.hasPrivileges(null, JCR_ALL));
+
+ assertTrue(cppAdminUser.hasPrivileges(null));
+ }
@Test
public void testIsGranted() throws Exception {
- // TODO
+ for (String p : defPermissions.keySet()) {
+ long defaultPerms = defPermissions.get(p);
+ Tree tree = root.getTree(p);
+
+ if (Permissions.READ_NODE != defaultPerms) {
+ assertFalse(p, cppTestUser.isGranted(tree, null, defaultPerms));
+ }
+
+ boolean expectedReadNode = Permissions.includes(defaultPerms, Permissions.READ_NODE);
+ assertEquals(p, expectedReadNode, cppTestUser.isGranted(tree, null, Permissions.READ_NODE));
+ }
+ }
+
+ @Test
+ public void testIsGrantedAdmin() throws Exception {
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+
+ assertTrue(p, cppAdminUser.isGranted(tree, null, Permissions.READ_NODE));
+
+ assertFalse(p, cppAdminUser.isGranted(tree, null, Permissions.READ));
+ assertFalse(p, cppAdminUser.isGranted(tree, null, Permissions.WRITE));
+ assertFalse(p, cppAdminUser.isGranted(tree, null, Permissions.ALL));
+ }
+ }
+
+ @Test
+ public void testIsGrantedProperty() throws Exception {
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+
+ assertFalse(p, cppTestUser.isGranted(tree, PROPERTY_STATE, Permissions.READ_PROPERTY));
+ assertFalse(p, cppTestUser.isGranted(tree, PROPERTY_STATE, Permissions.SET_PROPERTY));
+ }
+ }
+
+ @Test
+ public void testIsGrantedPropertyAdmin() throws Exception {
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+
+ assertFalse(p, cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.READ_PROPERTY));
+ assertFalse(p, cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.SET_PROPERTY));
+ assertFalse(p, cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ALL));
+ }
}
@Test
public void testIsGrantedAction() throws Exception {
- // TODO
+ for (String p : defActionsGranted.keySet()) {
+ String[] actions = defActionsGranted.get(p);
+
+ if (ImmutableList.copyOf(actions).contains(Session.ACTION_READ)) {
+ TreeLocation tl = TreeLocation.create(root, p);
+ assertEquals(p, tl.getTree() != null, cppTestUser.isGranted(p, Session.ACTION_READ));
+ } else {
+ assertFalse(p, cppTestUser.isGranted(p, Session.ACTION_READ));
+ }
+
+ if (actions.length > 1) {
+ assertFalse(p, cppTestUser.isGranted(p, getActionString(actions)));
+ }
+ }
+ }
+
+ @Test
+ public void testIsGrantedAction2() throws Exception {
+ Map<String, String[]> noAccess = ImmutableMap.<String, String[]>builder().
+ put(ROOT_PATH, new String[]{Session.ACTION_READ}).
+ put(ROOT_PATH + "jcr:primaryType", new String[]{Session.ACTION_READ, Session.ACTION_SET_PROPERTY}).
+ put("/nonexisting", new String[]{Session.ACTION_READ, Session.ACTION_ADD_NODE}).
+ put(TEST_PATH_2, new String[]{Session.ACTION_READ, Session.ACTION_REMOVE}).
+ put(TEST_PATH_2 + "/jcr:primaryType", new String[]{Session.ACTION_READ, Session.ACTION_SET_PROPERTY}).
+ put(TEST_A_B_C_PATH, new String[]{Session.ACTION_READ, Session.ACTION_REMOVE}).
+ put(TEST_A_B_C_PATH + "/noneExisting", new String[]{Session.ACTION_READ, JackrabbitSession.ACTION_REMOVE_NODE}).
+ put(TEST_A_B_C_PATH + "/jcr:primaryType", new String[]{JackrabbitSession.ACTION_REMOVE_PROPERTY}).build();
+
+ for (String p : noAccess.keySet()) {
+ assertFalse(p, cppTestUser.isGranted(p, getActionString(noAccess.get(p))));
+ }
+ }
+
+ @Test
+ public void testIsGrantedActionAdmin() throws Exception {
+ for (String p : defActionsGranted.keySet()) {
+ boolean expectedRead = root.getTree(p).exists();
+ assertEquals(p, expectedRead, cppAdminUser.isGranted(p, Session.ACTION_READ));
+ assertFalse(p, cppAdminUser.isGranted(p, getActionString(ALL_ACTIONS)));
+ }
}
+
@Test
public void testRepositoryPermissionIsGranted() throws Exception {
RepositoryPermission rp = cppTestUser.getRepositoryPermission();
@@ -100,7 +290,90 @@ public class CompositeProviderLimitedTes
}
@Test
- public void testGetTreePermission() throws Exception {
- // TODO
+ public void testTreePermissionIsGranted() throws Exception {
+ TreePermission parentPermission = TreePermission.EMPTY;
+
+ for (String path : TP_PATHS) {
+ TreePermission tp = cppTestUser.getTreePermission(root.getTree(path), parentPermission);
+ Long toTest = (defPermissions.containsKey(path)) ? defPermissions.get(path) : defPermissions.get(PathUtils.getAncestorPath(path, 1));
+ if (toTest != null) {
+ if (Permissions.READ_NODE == toTest) {
+ assertTrue(path, tp.isGranted(toTest));
+ } else {
+ boolean canRead = Permissions.includes(toTest, Permissions.READ_NODE);
+ assertEquals(path, canRead, tp.isGranted(Permissions.READ_NODE));
+ assertFalse(path, tp.isGranted(toTest));
+ }
+ }
+ parentPermission = tp;
+ }
+ }
+
+ @Test
+ public void testTreePermissionIsGrantedProperty() throws Exception {
+ TreePermission parentPermission = TreePermission.EMPTY;
+
+ for (String path : TP_PATHS) {
+ TreePermission tp = cppTestUser.getTreePermission(root.getTree(path), parentPermission);
+ Long toTest = (defPermissions.containsKey(path)) ? defPermissions.get(path) : defPermissions.get(PathUtils.getAncestorPath(path, 1));
+ if (toTest != null) {
+ boolean granted = (toTest == Permissions.READ_NODE);
+ assertEquals(path, granted, tp.isGranted(toTest, PROPERTY_STATE));
+ }
+ assertFalse(tp.isGranted(Permissions.READ_PROPERTY, PROPERTY_STATE));
+ parentPermission = tp;
+ }
+ }
+
+ @Test
+ public void testTreePermissionCanRead() throws Exception {
+ Map<String, Boolean> readMap = ImmutableMap.<String, Boolean>builder().
+ put(ROOT_PATH, false).
+ put(TEST_PATH, true).
+ put(TEST_A_PATH, true).
+ put(TEST_A_B_PATH, true).
+ put(TEST_A_B_C_PATH, false).
+ put(TEST_A_B_C_PATH + "/nonexisting", false).
+ build();
+
+ TreePermission parentPermission = TreePermission.EMPTY;
+ for (String nodePath : readMap.keySet()) {
+ Tree tree = root.getTree(nodePath);
+ TreePermission tp = cppTestUser.getTreePermission(tree, parentPermission);
+
+ boolean expectedResult = readMap.get(nodePath);
+ assertEquals(nodePath, expectedResult, tp.canRead());
+
+ parentPermission = tp;
+ }
+ }
+
+ @Test
+ public void testTreePermissionCanReadProperty() throws Exception {
+ TreePermission parentPermission = TreePermission.EMPTY;
+ for (String nodePath : TP_PATHS) {
+ Tree tree = root.getTree(nodePath);
+
+ TreePermission tp = cppTestUser.getTreePermission(tree, parentPermission);
+ assertFalse(nodePath, tp.canRead(PROPERTY_STATE));
+
+ parentPermission = tp;
+ }
+ }
+
+ @Test
+ public void testTreePermissionCanReadAdmin() {
+ TreePermission parentPermission = TreePermission.EMPTY;
+
+ for (String nodePath : TP_PATHS) {
+ Tree tree = root.getTree(nodePath);
+
+ TreePermission tp = cppAdminUser.getTreePermission(tree, parentPermission);
+
+ assertTrue(nodePath, tp.canRead());
+ assertFalse(nodePath, tp.canRead(PROPERTY_STATE));
+
+ parentPermission = tp;
+ }
}
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java?rev=1708563&r1=1708562&r2=1708563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java Wed Oct 14 09:02:49 2015
@@ -16,16 +16,22 @@
*/
package org.apache.jackrabbit.oak.security.authorization.composite;
+import java.lang.reflect.Field;
import java.security.Principal;
+import java.util.List;
+import java.util.Map;
import java.util.Set;
-import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
+import javax.jcr.Session;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.oak.api.ContentSession;
-import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
-import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
+import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
@@ -33,11 +39,11 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
-import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
-import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
/**
@@ -49,7 +55,8 @@ import static org.junit.Assert.assertTru
* The tests are executed both for the set of principals associated with the test
* user and with the admin session.
* The expected outcome is that the composite provider behaves exactly like the
- * default provider (i.e. is never respected during evaluation).
+ * default provider (i.e. the {@code NotSupportingProvider} is never respected
+ * during evaluation).
*
* While there is no real use in such a {@link AggregatedPermissionProvider}, that
* is never called, is is used here to verify that the composite provider doesn't
@@ -81,7 +88,7 @@ public class CompositeProviderNoScopeTes
@Override
protected AggregatedPermissionProvider getTestPermissionProvider() {
- return new NotSupportingProvider();
+ return new NoScopeProvider();
}
@Test
@@ -97,7 +104,7 @@ public class CompositeProviderNoScopeTes
@Test
public void testGetPrivilegesAdmin() throws Exception {
- Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_ALL);
+ Set<String> expected = ImmutableSet.of(JCR_ALL);
for (String p : NODE_PATHS) {
Tree tree = root.getTree(p);
@@ -108,7 +115,7 @@ public class CompositeProviderNoScopeTes
@Test
public void testGetPrivilegesOnRepo() throws Exception {
- Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT);
+ Set<String> expected = ImmutableSet.of(JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT);
assertEquals(expected, cppTestUser.getPrivileges(null));
assertEquals(defTestUser.getPrivileges(null), cppTestUser.getPrivileges(null));
@@ -116,7 +123,7 @@ public class CompositeProviderNoScopeTes
@Test
public void testGetPrivilegesOnRepoAdmin() throws Exception {
- Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_ALL);
+ Set<String> expected = ImmutableSet.of(JCR_ALL);
assertEquals(expected, cppAdminUser.getPrivileges(null));
assertEquals(defAdminUser.getPrivileges(null), cppAdminUser.getPrivileges(null));
@@ -140,38 +147,29 @@ public class CompositeProviderNoScopeTes
for (String p : NODE_PATHS) {
Tree tree = root.getTree(p);
- assertTrue(p, cppAdminUser.hasPrivileges(tree, PrivilegeConstants.JCR_ALL));
- assertEquals(p, defAdminUser.hasPrivileges(tree, PrivilegeConstants.JCR_ALL), cppAdminUser.hasPrivileges(tree, PrivilegeConstants.JCR_ALL));
+ assertTrue(p, cppAdminUser.hasPrivileges(tree, JCR_ALL));
+ assertTrue(p, defAdminUser.hasPrivileges(tree, JCR_ALL));
}
}
@Test
public void testHasPrivilegesOnRepo() throws Exception {
- assertTrue(cppTestUser.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
- assertEquals(
- defTestUser.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT),
- cppTestUser.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertTrue(cppTestUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertTrue(defTestUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
assertTrue(cppTestUser.hasPrivileges(null));
- assertEquals(
- defTestUser.hasPrivileges(null),
- cppTestUser.hasPrivileges(null));
+ assertTrue(defTestUser.hasPrivileges(null));
}
@Test
public void testHasPrivilegeOnRepoAdminUser() throws Exception {
- assertTrue(cppAdminUser.hasPrivileges(null, PrivilegeConstants.JCR_ALL));
- assertEquals(
- defAdminUser.hasPrivileges(null, PrivilegeConstants.JCR_ALL),
- cppAdminUser.hasPrivileges(null, PrivilegeConstants.JCR_ALL));
+ assertTrue(cppAdminUser.hasPrivileges(null, JCR_ALL));
+ assertTrue(defAdminUser.hasPrivileges(null, JCR_ALL));
assertTrue(cppAdminUser.hasPrivileges(null));
- assertEquals(
- defAdminUser.hasPrivileges(null),
- cppAdminUser.hasPrivileges(null));
+ assertTrue(defAdminUser.hasPrivileges(null));
}
-
@Test
public void testIsGranted() throws Exception {
for (String p : defPermissions.keySet()) {
@@ -179,7 +177,7 @@ public class CompositeProviderNoScopeTes
Tree tree = root.getTree(p);
assertTrue(p, cppTestUser.isGranted(tree, null, expected));
- assertEquals(p, defTestUser.isGranted(tree, null, expected), cppTestUser.isGranted(tree, null, expected));
+ assertTrue(p, defTestUser.isGranted(tree, null, expected));
}
}
@@ -189,18 +187,66 @@ public class CompositeProviderNoScopeTes
Tree tree = root.getTree(p);
assertTrue(p, cppAdminUser.isGranted(tree, null, Permissions.ALL));
- assertEquals(p, defAdminUser.isGranted(tree, null, Permissions.ALL), cppAdminUser.isGranted(tree, null, Permissions.ALL));
+ assertTrue(p, defAdminUser.isGranted(tree, null, Permissions.ALL));
}
}
@Test
public void testIsGrantedProperty() throws Exception {
- // TODO
+ for (String p : defPermissions.keySet()) {
+ long expected = defPermissions.get(p);
+ Tree tree = root.getTree(p);
+
+ assertTrue(p, cppTestUser.isGranted(tree, PROPERTY_STATE, expected));
+ assertTrue(p, defTestUser.isGranted(tree, PROPERTY_STATE, expected));
+ }
+ }
+
+ @Test
+ public void testIsGrantedPropertyAdmin() throws Exception {
+ for (String p : defPermissions.keySet()) {
+ Tree tree = root.getTree(p);
+
+ assertTrue(p, cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ALL));
+ assertTrue(p, defAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ALL));
+ }
}
@Test
public void testIsGrantedAction() throws Exception {
- // TODO
+ for (String p : defActionsGranted.keySet()) {
+ String actions = getActionString(defActionsGranted.get(p));
+ assertTrue(p + " : " + actions, cppTestUser.isGranted(p, actions));
+ assertTrue(p + " : " + actions, defTestUser.isGranted(p, actions));
+ }
+ }
+
+ @Test
+ public void testIsGrantedAction2() throws Exception {
+ Map<String, String[]> noAccess = ImmutableMap.<String, String[]>builder().
+ put(ROOT_PATH, new String[] {Session.ACTION_READ}).
+ put(ROOT_PATH + "jcr:primaryType", new String[] {Session.ACTION_READ, Session.ACTION_SET_PROPERTY}).
+ put("/nonexisting", new String[] {Session.ACTION_READ, Session.ACTION_ADD_NODE}).
+ put(TEST_PATH_2, new String[] {Session.ACTION_READ, Session.ACTION_REMOVE}).
+ put(TEST_PATH_2 + "/jcr:primaryType", new String[] {Session.ACTION_READ, Session.ACTION_SET_PROPERTY}).
+ put(TEST_A_B_C_PATH, new String[] {Session.ACTION_READ, Session.ACTION_REMOVE}).
+ put(TEST_A_B_C_PATH + "/noneExisting", new String[] {Session.ACTION_READ, JackrabbitSession.ACTION_REMOVE_NODE}).
+ put(TEST_A_B_C_PATH + "/jcr:primaryType", new String[] {JackrabbitSession.ACTION_REMOVE_PROPERTY}).build();
+
+ for (String p : noAccess.keySet()) {
+ String actions = getActionString(noAccess.get(p));
+ assertFalse(p, cppTestUser.isGranted(p, actions));
+ assertFalse(p, defTestUser.isGranted(p, actions));
+ }
+ }
+
+ @Test
+ public void testIsGrantedActionAdmin() throws Exception {
+ String allActions = getActionString(ALL_ACTIONS);
+ for (String p : defActionsGranted.keySet()) {
+ assertTrue(p + " : " + allActions, cppAdminUser.isGranted(p, allActions));
+ assertTrue(p + " : " + allActions, defAdminUser.isGranted(p, allActions));
+ }
}
@Test
@@ -220,75 +266,126 @@ public class CompositeProviderNoScopeTes
}
@Test
- public void testGetTreePermission() throws Exception {
- // TODO
+ public void testTreePermissionIsGranted() throws Exception {
+ TreePermission parentPermission = TreePermission.EMPTY;
+
+ for (String path : TP_PATHS) {
+ TreePermission tp = cppTestUser.getTreePermission(root.getTree(path), parentPermission);
+ Long toTest = (defPermissions.containsKey(path)) ? defPermissions.get(path) : defPermissions.get(PathUtils.getAncestorPath(path, 1));
+ if (toTest != null) {
+ assertTrue(tp.isGranted(toTest));
+ }
+ parentPermission = tp;
+ }
}
- private static final class NotSupportingProvider implements AggregatedPermissionProvider {
+ @Test
+ public void testTreePermissionIsGrantedProperty() throws Exception {
+ TreePermission parentPermission = TreePermission.EMPTY;
- @Nonnull
- @Override
- public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) {
- return PrivilegeBits.EMPTY;
+ for (String path : TP_PATHS) {
+ TreePermission tp = cppTestUser.getTreePermission(root.getTree(path), parentPermission);
+ Long toTest = (defPermissions.containsKey(path)) ? defPermissions.get(path) : defPermissions.get(PathUtils.getAncestorPath(path, 1));
+ if (toTest != null) {
+ assertTrue(tp.isGranted(toTest, PROPERTY_STATE));
+ }
+ parentPermission = tp;
}
+ }
- @Override
- public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions) {
- return Permissions.NO_PERMISSION;
- }
+ @Test
+ public void testTreePermissionCanRead() throws Exception {
+ Map<String, Boolean> readMap = ImmutableMap.<String, Boolean>builder().
+ put(ROOT_PATH, false).
+ put(TEST_PATH, true).
+ put(TEST_A_PATH, true).
+ put(TEST_A_B_PATH, true).
+ put(TEST_A_B_C_PATH, false).
+ put(TEST_A_B_C_PATH + "/nonexisting", false).
+ build();
- @Override
- public long supportedPermissions(@Nonnull TreeLocation location, long permissions) {
- return Permissions.NO_PERMISSION;
- }
+ TreePermission parentPermission = TreePermission.EMPTY;
+ TreePermission parentPermission2 = TreePermission.EMPTY;
+ for (String nodePath : readMap.keySet()) {
+ Tree tree = root.getTree(nodePath);
+ TreePermission tp = cppTestUser.getTreePermission(tree, parentPermission);
+ TreePermission tp2 = defTestUser.getTreePermission(tree, parentPermission2);
- @Override
- public long supportedPermissions(@Nonnull TreePermission treePermission, long permissions) {
- return Permissions.NO_PERMISSION;
- }
+ boolean expectedResult = readMap.get(nodePath);
+ assertEquals(nodePath, expectedResult, tp.canRead());
+ assertEquals(nodePath + "(default)", expectedResult, tp2.canRead());
- @Override
- public boolean isGranted(@Nonnull TreeLocation location, long permissions) {
- throw new UnsupportedOperationException("should never get here");
+ parentPermission = tp;
+ parentPermission2 = tp2;
}
+ }
- @Override
- public void refresh() {
- // nop
- }
+ @Test
+ public void testTreePermissionCanReadProperty() throws Exception {
+ Map<String, Boolean> readMap = ImmutableMap.<String, Boolean>builder().
+ put(ROOT_PATH, false).
+ put(TEST_PATH, true).
+ put(TEST_A_PATH, true).
+ put(TEST_A_B_PATH, true).
+ put(TEST_A_B_C_PATH, true).
+ put(TEST_A_B_C_PATH + "/nonexisting", true).
+ build();
- @Nonnull
- @Override
- public Set<String> getPrivileges(@Nullable Tree tree) {
- throw new UnsupportedOperationException("should never get here");
- }
+ TreePermission parentPermission = TreePermission.EMPTY;
+ TreePermission parentPermission2 = TreePermission.EMPTY;
+ for (String nodePath : readMap.keySet()) {
+ Tree tree = root.getTree(nodePath);
- @Override
- public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) {
- throw new UnsupportedOperationException("should never get here");
- }
+ TreePermission tp = cppTestUser.getTreePermission(tree, parentPermission);
+ TreePermission tp2 = defTestUser.getTreePermission(tree, parentPermission2);
- @Nonnull
- @Override
- public RepositoryPermission getRepositoryPermission() {
- throw new UnsupportedOperationException("should never get here");
- }
+ boolean expectedResult = readMap.get(nodePath);
+ assertEquals(nodePath, expectedResult, tp.canRead(PROPERTY_STATE));
+ assertEquals(nodePath + "(default)", expectedResult, tp2.canRead(PROPERTY_STATE));
- @Nonnull
- @Override
- public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) {
- // TODO: fix such that this is no required
- return TreePermission.EMPTY;
+ parentPermission = tp;
+ parentPermission2 = tp2;
}
+ }
- @Override
- public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) {
- throw new UnsupportedOperationException("should never get here");
+ @Test
+ public void testTreePermissionCanReadAdmin() {
+ TreePermission parentPermission = TreePermission.EMPTY;
+ TreePermission parentPermission2 = TreePermission.EMPTY;
+
+ for (String nodePath : TP_PATHS) {
+ Tree tree = root.getTree(nodePath);
+
+ TreePermission tp = cppAdminUser.getTreePermission(tree, parentPermission);
+ TreePermission tp2 = defAdminUser.getTreePermission(tree, parentPermission2);
+
+ assertTrue(nodePath, tp.canRead());
+ assertTrue(nodePath, tp.canRead(PROPERTY_STATE));
+
+ assertTrue(nodePath + "(default)", tp2.canRead());
+ assertTrue(nodePath + "(default)", tp2.canRead(PROPERTY_STATE));
+
+ parentPermission = tp;
+ parentPermission2 = tp2;
}
+ }
+
+ @Test
+ public void testTreePermissionMapSize() throws Exception {
+ Field mapField = CompositeTreePermission.class.getDeclaredField("map");
+ mapField.setAccessible(true);
+
+
+ NodeState ns = ((ImmutableTree) RootFactory.createReadOnlyRoot(root).getTree(ROOT_PATH)).getNodeState();
+ TreePermission tp = cppTestUser.getTreePermission(root.getTree(ROOT_PATH), TreePermission.EMPTY);
+ assertEquals(2, ((Map<AggregatedPermissionProvider, TreePermission>) mapField.get(tp)).size());
+
+ List<String> childNames = ImmutableList.of("test", "a", "b", "c", "nonexisting");
+ for (String cName : childNames) {
+ ns = ns.getChildNode(cName);
+ tp = tp.getChildPermission(cName, ns);
- @Override
- public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) {
- throw new UnsupportedOperationException("should never get here");
+ assertEquals(1, ((Map<AggregatedPermissionProvider, TreePermission>) mapField.get(tp)).size());
}
}
}
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java?rev=1708563&r1=1708562&r2=1708563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java Wed Oct 14 09:02:49 2015
@@ -16,99 +16,517 @@
*/
package org.apache.jackrabbit.oak.security.authorization.composite;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.jcr.Session;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.junit.Test;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
/**
* Test the effect of the combination of
*
* - default permission provider
- * - custom provider that only supports namespace-management permission on repository level
- * and within the regular tree only supports permission evaluation of a limited
- * set of permissions (write) below {@link #TEST_CHILD_PATH}.
+ * - custom provider that
+ * > supports namespace-management and nodetype-def-mgt permission on repository level
+ * > write permission below {@link #TEST_A_PATH}.
*
* The tests are executed both for the set of principals associated with the test
* user and with the admin session.
- * The expected outcome is that
- * - the custom provider only takes effect below {@link #TEST_CHILD_PATH} and
- * only for the supported permissions (read-nodes only).
- * - admin user has full access except for read-node-access below {@link #TEST_CHILD_PATH}
- * where the custom provider impacts the evaluation.
+ *
+ * The expected outcome is that the custom provider only takes effect at the repo
+ * level. The effective permissions are the as defined for the default provider
+ * outside of the scope of the custom provider.
+ *
+ * At the repository level, the effective result is as follows:
+ * - admin has full access at repo-level without namespace management (which is denied)
+ * - test user has only nodetype-definition-mgt left as namespace management is
+ * denied by the custom provider.
+ *
+ * Below {@link #TEST_A_PATH} the effective result is as follows:
+ * - any permissions not covered by the custom provider are defined by the default
+ * - {@link Permissions#ADD_PROPERTY} and {@link Permissions#ADD_NODE} are denied
+ * for both admin and test user (due to deny in the custom provider)
+ * - the other aggregates of the write permission are allowed if the default
+ * provider allows them (different for admin and test user).
+ *
+ * All paths outside of the scope of the custom provider have the following
+ * characteristics:
+ * - admin has full access (all permissions granted)
+ * - effective permissions for the test user are define by the default setup.
*/
public class CompositeProviderScopeTest extends AbstractCompositeProviderTest {
+ private static List<String> PATH_OUTSIDE_SCOPE = ImmutableList.of(ROOT_PATH, TEST_PATH, TEST_CHILD_PATH);
+
private CompositePermissionProvider cppTestUser;
private CompositePermissionProvider cppAdminUser;
+ private LimitedScopeProvider testProvider;
+
+ private PrivilegeBitsProvider pbp;
+ private PrivilegeBits denied;
+
+
@Override
public void before() throws Exception {
super.before();
cppTestUser = createPermissionProvider(getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
cppAdminUser = createPermissionProvider(root.getContentSession().getAuthInfo().getPrincipals());
+
+ pbp = new PrivilegeBitsProvider(root);
+ denied = pbp.getBits(JCR_ADD_CHILD_NODES, REP_ADD_PROPERTIES);
}
@Override
protected AggregatedPermissionProvider getTestPermissionProvider() {
- return new TestPermissionProvider(root, false);
+ if (testProvider == null) {
+ testProvider = new LimitedScopeProvider(root);
+ }
+ return testProvider;
}
@Test
public void testGetPrivileges() throws Exception {
- // TODO
+ PrivilegeBitsProvider pbp = new PrivilegeBitsProvider(root);
+
+ for (String path : defPrivileges.keySet()) {
+ Tree tree = root.getTree(path);
+
+ Set<String> defaultPrivs = defPrivileges.get(path);
+ Set<String> privNames = cppTestUser.getPrivileges(tree);
+
+ if (testProvider.isSupported(path)) {
+ PrivilegeBits expected = pbp.getBits(defaultPrivs).modifiable().diff(denied).unmodifiable();
+ assertEquals(expected, pbp.getBits(privNames));
+ } else {
+ assertEquals(path, defaultPrivs, privNames);
+ }
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesAdmin() throws Exception {
+ for (String path : NODE_PATHS) {
+ Tree tree = root.getTree(path);
+ Set<String> privNames = cppAdminUser.getPrivileges(tree);
+
+ if (testProvider.isSupported(path)) {
+ PrivilegeBits expected = pbp.getBits(JCR_ALL).modifiable().diff(denied).unmodifiable();
+ assertEquals(expected, pbp.getBits(privNames));
+ } else {
+ assertEquals(path, ImmutableSet.of(JCR_ALL), privNames);
+ }
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesOnRepo() throws Exception {
+ Set<String> expected = ImmutableSet.of(JCR_NODE_TYPE_DEFINITION_MANAGEMENT);
+ assertEquals(expected, cppTestUser.getPrivileges(null));
+ }
+
+ @Test
+ public void testGetPrivilegesOnRepoAdmin() throws Exception {
+ PrivilegeBits expected = pbp.getBits(JCR_ALL).modifiable().diff(pbp.getBits(JCR_NAMESPACE_MANAGEMENT)).unmodifiable();
+ assertEquals(expected, pbp.getBits(cppAdminUser.getPrivileges(null)));
}
@Test
public void testHasPrivileges() throws Exception {
- // TODO
+ for (String path : defPrivileges.keySet()) {
+ Set<String> defaultPrivs = defPrivileges.get(path);
+ PrivilegeBits defaultBits = pbp.getBits(defaultPrivs);
+ Tree tree = root.getTree(path);
+
+ if (testProvider.isSupported(path)) {
+ Set<String> expected = pbp.getPrivilegeNames(pbp.getBits(defaultPrivs).modifiable().diff(denied));
+ assertTrue(path, cppTestUser.hasPrivileges(tree, expected.toArray(new String[expected.size()])));
+
+ assertFalse(path, cppTestUser.hasPrivileges(tree, JCR_ADD_CHILD_NODES));
+ assertFalse(path, cppTestUser.hasPrivileges(tree, REP_ADD_PROPERTIES));
+ assertFalse(path, cppTestUser.hasPrivileges(tree, JCR_MODIFY_PROPERTIES));
+ } else {
+ assertTrue(path, cppTestUser.hasPrivileges(tree, defaultPrivs.toArray(new String[defaultPrivs.size()])));
+ }
+ }
+ }
+
+ @Test
+ public void testHasPrivilegesAdmin() throws Exception {
+ Set<String> expectedAllowed = pbp.getPrivilegeNames(pbp.getBits(JCR_ALL).modifiable().diff(pbp.getBits(JCR_ADD_CHILD_NODES, REP_ADD_PROPERTIES)));
+ for (String path : NODE_PATHS) {
+ Tree tree = root.getTree(path);
+
+ if (testProvider.isSupported(path)) {
+ assertTrue(cppAdminUser.hasPrivileges(tree, expectedAllowed.toArray(new String[expectedAllowed.size()])));
+ assertFalse(cppAdminUser.hasPrivileges(tree, JCR_ADD_CHILD_NODES));
+ assertFalse(cppAdminUser.hasPrivileges(tree, REP_ADD_PROPERTIES));
+ assertFalse(cppAdminUser.hasPrivileges(tree, JCR_WRITE));
+ } else {
+ assertTrue(cppAdminUser.hasPrivileges(tree, JCR_ALL));
+ }
+ }
}
+ @Test
+ public void testHasPrivilegesOnRepo() throws Exception {
+ assertFalse(cppTestUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT));
+ assertFalse(cppTestUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertFalse(cppTestUser.hasPrivileges(null, JCR_ALL));
+
+ assertTrue(cppTestUser.hasPrivileges(null, JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertTrue(cppTestUser.hasPrivileges(null));
+ }
+
+ @Test
+ public void testHasPrivilegeOnRepoAdmin() throws Exception {
+ assertFalse(cppAdminUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT));
+ assertFalse(cppAdminUser.hasPrivileges(null, JCR_NAMESPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertFalse(cppAdminUser.hasPrivileges(null, JCR_ALL));
+
+ assertTrue(cppAdminUser.hasPrivileges(null, JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+ Set<String> expected = pbp.getPrivilegeNames(pbp.getBits(JCR_ALL).modifiable().diff(pbp.getBits(JCR_NAMESPACE_MANAGEMENT)));
+ assertTrue(cppAdminUser.hasPrivileges(null, expected.toArray(new String[expected.size()])));
+ assertTrue(cppAdminUser.hasPrivileges(null));
+ }
@Test
public void testIsGranted() throws Exception {
- // TODO
+ for (String p : defPermissions.keySet()) {
+ long defaultPerms = defPermissions.get(p);
+ Tree tree = root.getTree(p);
+
+ if (testProvider.isSupported(p)) {
+ long expected = Permissions.diff(defaultPerms, Permissions.ADD_NODE|Permissions.ADD_PROPERTY);
+ assertTrue(cppTestUser.isGranted(tree, null, expected));
+
+ assertFalse(cppTestUser.isGranted(tree, null, Permissions.ADD_NODE));
+ assertFalse(cppTestUser.isGranted(tree, null, Permissions.ADD_PROPERTY));
+ assertFalse(cppTestUser.isGranted(tree, null, Permissions.SET_PROPERTY));
+ assertFalse(cppTestUser.isGranted(tree, null, Permissions.WRITE));
+ } else {
+ assertTrue(cppTestUser.isGranted(tree, null, defaultPerms));
+ }
+ }
+ }
+
+ @Test
+ public void testIsGrantedAdmin() throws Exception {
+ for (String path : NODE_PATHS) {
+ Tree tree = root.getTree(path);
+
+ if (testProvider.isSupported(path)) {
+ assertTrue(cppAdminUser.isGranted(tree, null, Permissions.diff(Permissions.ALL, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)));
+ assertFalse(cppAdminUser.isGranted(tree, null, Permissions.ADD_NODE));
+ assertFalse(cppAdminUser.isGranted(tree, null, Permissions.ADD_PROPERTY));
+ assertFalse(cppAdminUser.isGranted(tree, null, Permissions.ADD_NODE | Permissions.ADD_PROPERTY));
+ assertFalse(cppAdminUser.isGranted(tree, null, Permissions.WRITE));
+ } else {
+ assertTrue(cppAdminUser.isGranted(tree, null, Permissions.ALL));
+ }
+ }
}
@Test
public void testIsGrantedProperty() throws Exception {
- // TODO
+ for (String p : defPermissions.keySet()) {
+ long defaultPerms = defPermissions.get(p);
+ Tree tree = root.getTree(p);
+
+ if (testProvider.isSupported(p)) {
+ long expected = Permissions.diff(defaultPerms, Permissions.ADD_NODE|Permissions.ADD_PROPERTY);
+ assertTrue(cppTestUser.isGranted(tree, PROPERTY_STATE, expected));
+
+ assertFalse(cppTestUser.isGranted(tree, PROPERTY_STATE, Permissions.ADD_PROPERTY));
+ assertFalse(cppTestUser.isGranted(tree, PROPERTY_STATE, Permissions.SET_PROPERTY));
+ assertFalse(cppTestUser.isGranted(tree, PROPERTY_STATE, Permissions.WRITE));
+ } else {
+ assertTrue(cppTestUser.isGranted(tree, PROPERTY_STATE, defaultPerms));
+ }
+ }
+ }
+
+ @Test
+ public void testIsGrantedPropertyAdmin() throws Exception {
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+
+ if (testProvider.isSupported(p)) {
+ assertTrue(cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.diff(Permissions.ALL, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)));
+ assertFalse(cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ADD_NODE));
+ assertFalse(cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ADD_PROPERTY));
+ assertFalse(cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ADD_NODE | Permissions.ADD_PROPERTY));
+ assertFalse(cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.WRITE));
+ } else {
+ assertTrue(cppAdminUser.isGranted(tree, PROPERTY_STATE, Permissions.ALL));
+ }
+ }
}
@Test
public void testIsGrantedAction() throws Exception {
- // TODO
+ Set<String> denied = ImmutableSet.of(Session.ACTION_ADD_NODE, JackrabbitSession.ACTION_ADD_PROPERTY);
+
+ for (String p : defActionsGranted.keySet()) {
+ String[] actions = defActionsGranted.get(p);
+
+ if (testProvider.isSupported(p)) {
+ Set<String> expected = Sets.newHashSet(actions);
+ expected.removeAll(denied);
+
+ boolean canSetProperty = TreeLocation.create(root, p).getProperty() != null;
+ if (!canSetProperty) {
+ expected.remove(Session.ACTION_SET_PROPERTY);
+ }
+
+ assertTrue(p, cppTestUser.isGranted(p, getActionString(expected.toArray(new String[expected.size()]))));
+
+ assertEquals(p, canSetProperty, cppTestUser.isGranted(p, Session.ACTION_SET_PROPERTY));
+ assertFalse(p, cppTestUser.isGranted(p, Session.ACTION_ADD_NODE));
+ assertFalse(p, cppTestUser.isGranted(p, JackrabbitSession.ACTION_ADD_PROPERTY));
+ } else {
+ assertTrue(p, cppTestUser.isGranted(p, getActionString(actions)));
+ }
+ }
+ }
+
+ @Test
+ public void testIsGrantedActionAdmin() throws Exception {
+ String[] grantedActions = new String[]{
+ Session.ACTION_READ,
+ JackrabbitSession.ACTION_REMOVE_NODE,
+ JackrabbitSession.ACTION_MODIFY_PROPERTY,
+ JackrabbitSession.ACTION_REMOVE_PROPERTY,
+ Session.ACTION_REMOVE,
+ JackrabbitSession.ACTION_READ_ACCESS_CONTROL,
+ JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL,
+ JackrabbitSession.ACTION_LOCKING,
+ JackrabbitSession.ACTION_NODE_TYPE_MANAGEMENT,
+ JackrabbitSession.ACTION_VERSIONING,
+ JackrabbitSession.ACTION_USER_MANAGEMENT
+ };
+
+ for (String path : NODE_PATHS) {
+ if (testProvider.isSupported(path)) {
+ assertTrue(cppAdminUser.isGranted(path, getActionString(grantedActions)));
+ assertFalse(cppAdminUser.isGranted(path, Session.ACTION_ADD_NODE));
+ assertFalse(cppAdminUser.isGranted(path, Session.ACTION_SET_PROPERTY));
+ assertFalse(cppAdminUser.isGranted(path, JackrabbitSession.ACTION_ADD_PROPERTY));
+ } else {
+ assertTrue(cppAdminUser.isGranted(path, Permissions.getString(Permissions.ALL)));
+ assertTrue(cppAdminUser.isGranted(path, getActionString(ALL_ACTIONS)));
+ }
+ }
}
@Test
public void testRepositoryPermissionIsGranted() throws Exception {
RepositoryPermission rp = cppTestUser.getRepositoryPermission();
- assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.PRIVILEGE_MANAGEMENT));
+
assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
- assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+
+ assertFalse(rp.isGranted(Permissions.PRIVILEGE_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT | Permissions.PRIVILEGE_MANAGEMENT | Permissions.WORKSPACE_MANAGEMENT));
+
+ assertFalse(rp.isGranted(Permissions.ALL));
+
}
@Test
- public void testRepositoryPermissionIsGrantedAdminUser() throws Exception {
+ public void testRepositoryPermissionIsGrantedAdmin() throws Exception {
RepositoryPermission rp = cppAdminUser.getRepositoryPermission();
- assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.PRIVILEGE_MANAGEMENT));
+
assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
- assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
assertTrue(rp.isGranted(Permissions.PRIVILEGE_MANAGEMENT));
- assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT|Permissions.PRIVILEGE_MANAGEMENT));
- assertTrue(rp.isGranted(Permissions.ALL));
+ assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT|Permissions.PRIVILEGE_MANAGEMENT|Permissions.WORKSPACE_MANAGEMENT));
+
+ assertFalse(rp.isGranted(Permissions.ALL));
+ }
+
+ @Test
+ public void testTreePermissionIsGranted() throws Exception {
+ TreePermission parentPermission = TreePermission.EMPTY;
+
+ for (String path : TP_PATHS) {
+ TreePermission tp = cppTestUser.getTreePermission(root.getTree(path), parentPermission);
+
+ Long toTest = (defPermissions.containsKey(path)) ? defPermissions.get(path) : defPermissions.get(PathUtils.getAncestorPath(path, 1));
+ if (toTest != null) {
+ if (testProvider.isSupported(path)) {
+ assertTrue(tp.isGranted(Permissions.diff(toTest, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)));
+ assertFalse(tp.isGranted(Permissions.ADD_PROPERTY | Permissions.ADD_NODE));
+ } else {
+ assertTrue(tp.isGranted(toTest));
+ }
+ }
+ parentPermission = tp;
+ }
+ }
+
+ @Test
+ public void testTreePermissionIsGrantedAdmin( ) {
+ TreePermission parentPermission = TreePermission.EMPTY;
+
+ for (String path : TP_PATHS) {
+ TreePermission tp = cppAdminUser.getTreePermission(root.getTree(path), parentPermission);
+
+ if (testProvider.isSupported(path)) {
+ assertTrue(path, tp.isGranted(Permissions.diff(Permissions.ALL, Permissions.ADD_NODE|Permissions.ADD_PROPERTY)));
+ assertFalse(path, tp.isGranted(Permissions.ADD_PROPERTY | Permissions.ADD_NODE));
+ assertFalse(path, tp.isGranted(Permissions.ALL));
+ } else {
+ assertTrue(path, tp.isGranted(Permissions.ALL));
+ }
+ parentPermission = tp;
+ }
+
+ parentPermission = TreePermission.EMPTY;
+ for (String nodePath : PATH_OUTSIDE_SCOPE) {
+ Tree tree = root.getTree(nodePath);
+
+ TreePermission tp = cppAdminUser.getTreePermission(tree, parentPermission);
+ assertTrue(nodePath, tp.isGranted(Permissions.ALL));
+
+ parentPermission = tp;
+ }
}
@Test
- public void testGetTreePermission() throws Exception {
- // TODO
+ public void testTreePermissionIsGrantedProperty() throws Exception {
+ TreePermission parentPermission = TreePermission.EMPTY;
+
+ for (String path : TP_PATHS) {
+ TreePermission tp = cppTestUser.getTreePermission(root.getTree(path), parentPermission);
+ Long toTest = (defPermissions.containsKey(path)) ? defPermissions.get(path) : defPermissions.get(PathUtils.getAncestorPath(path, 1));
+ if (toTest != null) {
+ if (testProvider.isSupported(path)) {
+ assertTrue(tp.isGranted(Permissions.diff(toTest, Permissions.ADD_NODE|Permissions.ADD_PROPERTY), PROPERTY_STATE));
+ assertFalse(tp.isGranted(Permissions.ADD_PROPERTY, PROPERTY_STATE));
+ } else {
+ assertTrue(tp.isGranted(toTest, PROPERTY_STATE));
+ }
+ }
+ parentPermission = tp;
+ }
+ }
+
+ @Test
+ public void testTreePermissionCanRead() throws Exception {
+ Map<String, Boolean> readMap = ImmutableMap.<String, Boolean>builder().
+ put(ROOT_PATH, false).
+ put(TEST_PATH, true).
+ put(TEST_A_PATH, true).
+ put(TEST_A_B_PATH, true).
+ put(TEST_A_B_C_PATH, false).
+ put(TEST_A_B_C_PATH + "/nonexisting", false).
+ build();
+
+ TreePermission parentPermission = TreePermission.EMPTY;
+ for (String nodePath : readMap.keySet()) {
+ Tree tree = root.getTree(nodePath);
+ TreePermission tp = cppTestUser.getTreePermission(tree, parentPermission);
+
+ boolean expectedResult = readMap.get(nodePath);
+ assertEquals(nodePath, expectedResult, tp.canRead());
+
+ parentPermission = tp;
+ }
+ }
+
+ @Test
+ public void testTreePermissionCanReadProperty() throws Exception {
+ Map<String, Boolean> readMap = ImmutableMap.<String, Boolean>builder().
+ put(ROOT_PATH, false).
+ put(TEST_PATH, true).
+ put(TEST_A_PATH, true).
+ put(TEST_A_B_PATH, true).
+ put(TEST_A_B_C_PATH, true).
+ put(TEST_A_B_C_PATH + "/nonexisting", true).
+ build();
+
+ TreePermission parentPermission = TreePermission.EMPTY;
+ for (String nodePath : readMap.keySet()) {
+ Tree tree = root.getTree(nodePath);
+
+ TreePermission tp = cppTestUser.getTreePermission(tree, parentPermission);
+ assertEquals(nodePath, readMap.get(nodePath), tp.canRead(PROPERTY_STATE));
+
+ parentPermission = tp;
+ }
+ }
+
+ @Test
+ public void testTreePermissionCanReadAdmin() {
+ TreePermission parentPermission = TreePermission.EMPTY;
+
+ for (String nodePath : TP_PATHS) {
+ Tree tree = root.getTree(nodePath);
+
+ TreePermission tp = cppAdminUser.getTreePermission(tree, parentPermission);
+
+ assertTrue(nodePath, tp.canRead());
+ assertTrue(nodePath, tp.canRead(PROPERTY_STATE));
+
+ parentPermission = tp;
+ }
+ }
+
+ @Test
+ public void testTreePermissionCanReadAllAdmin() {
+ TreePermission parentPermission = TreePermission.EMPTY;
+
+ for (String nodePath : TP_PATHS) {
+ Tree tree = root.getTree(nodePath);
+
+ TreePermission tp = cppAdminUser.getTreePermission(tree, parentPermission);
+
+ assertFalse(nodePath, tp.canReadAll());
+ assertFalse(nodePath, tp.canReadProperties());
+
+ parentPermission = tp;
+ }
+
+ parentPermission = TreePermission.EMPTY;
+ for (String nodePath : PATH_OUTSIDE_SCOPE) {
+ Tree tree = root.getTree(nodePath);
+
+ TreePermission tp = cppAdminUser.getTreePermission(tree, parentPermission);
+ assertFalse(nodePath, tp.canReadAll());
+ assertFalse(nodePath, tp.canReadProperties());
+
+ parentPermission = tp;
+ }
}
}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermissionTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermissionTest.java?rev=1708563&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermissionTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeTreePermissionTest.java Wed Oct 14 09:02:49 2015
@@ -0,0 +1,128 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.composite;
+
+import java.lang.reflect.Field;
+import java.util.List;
+import java.util.Map;
+
+import com.google.common.collect.ImmutableList;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
+import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.state.NodeState;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+public class CompositeTreePermissionTest extends AbstractSecurityTest {
+
+ private ImmutableTree rootTree;
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ NodeUtil rootNode = new NodeUtil(root.getTree("/"));
+ NodeUtil test = rootNode.addChild("test", NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+ root.commit();
+
+ rootTree = (ImmutableTree) RootFactory.createReadOnlyRoot(root).getTree("/");
+ }
+
+ @Override
+ public void after() throws Exception {
+ try {
+ root.refresh();
+ root.getTree("/test").remove();
+ root.commit();
+ } finally {
+ super.after();
+ }
+ }
+
+ private List<AggregatedPermissionProvider> getProviders() {
+ return ImmutableList.<AggregatedPermissionProvider>of(new FullScopeProvider(root));
+ }
+
+ @Test
+ public void testEmptyProviderList() {
+ CompositeTreePermission parent = new CompositeTreePermission(ImmutableList.<AggregatedPermissionProvider>of());
+ assertFalse(parent.canRead());
+
+ CompositeTreePermission rootTp = new CompositeTreePermission(rootTree, parent);
+ assertFalse(rootTp.canRead());
+
+ CompositeTreePermission testTp = new CompositeTreePermission(rootTree.getChild("test"), rootTp);
+ assertFalse(testTp.canRead());
+ }
+
+ @Test(expected = IllegalStateException.class)
+ public void testGetChildOnParent() {
+ NodeState childState = rootTree.getChild("test").getNodeState();
+ CompositeTreePermission parent = new CompositeTreePermission(getProviders());
+ parent.getChildPermission("illegal", childState);
+ }
+
+ @Test
+ public void testGetChildOnRoot() {
+ CompositeTreePermission rootTp = new CompositeTreePermission(rootTree,
+ new CompositeTreePermission(getProviders()));
+ TreePermission testTp = rootTp.getChildPermission("test", rootTree.getChild("test").getNodeState());
+ }
+
+ @Test
+ public void testCanRead() throws Exception {
+ CompositeTreePermission rootTp = new CompositeTreePermission(rootTree,
+ new CompositeTreePermission(getProviders()));
+
+ Field f = CompositeTreePermission.class.getDeclaredField("canRead");
+ f.setAccessible(true);
+
+ Object canRead = f.get(rootTp);
+ assertNull(canRead);
+
+ rootTp.canRead();
+
+ canRead = f.get(rootTp);
+ assertNotNull(canRead);
+ }
+
+ @Test
+ public void testParentNoRecourse() throws Exception {
+ Field f = CompositeTreePermission.class.getDeclaredField("map");
+ f.setAccessible(true);
+
+ CompositeTreePermission rootTp = new CompositeTreePermission(rootTree,
+ new CompositeTreePermission(ImmutableList.<AggregatedPermissionProvider>of(new NoScopeProvider())));
+ assertFalse(rootTp.canRead());
+ assertEquals(1, ((Map) f.get(rootTp)).size());
+
+
+ TreePermission testTp = rootTp.getChildPermission("test", rootTree.getChild("test").getNodeState());
+ assertFalse(testTp.canRead());
+ assertTrue(((Map) f.get(testTp)).isEmpty());
+ }
+}
\ No newline at end of file
Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/FullScopeProvider.java (from r1708074, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/FullScopeProvider.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/FullScopeProvider.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java&r1=1708074&r2=1708563&rev=1708563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/FullScopeProvider.java Wed Oct 14 09:02:49 2015
@@ -36,37 +36,29 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.state.NodeState;
-import org.apache.jackrabbit.util.Text;
/**
* Test implementation of the {@code AggregatedPermissionProvider} with following
* characteristics:
*
- * If {@code supportsAll} is {@code true} this provider supports all permissions
- * but only grants {@link Permissions#NAMESPACE_MANAGEMENT} on repository level
- * and {@link Permissions#READ_NODE} on regular items.
+ * This provider supports all permissions
+ * but only grants {@link org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions#NAMESPACE_MANAGEMENT} on repository level
+ * and {@link org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions#READ_NODE} on regular items.
+ *
* In this case the provider will always be respected for evaluation and will
* therefore cause the final result to be always restricted to the permissions
* granted by this provider.
*
- * If {@code supportsAll} is {@code false} this provider supports
- * - {@link Permissions#NAMESPACE_MANAGEMENT} on repository level
- * - {@link Permissions#READ_NODE} at the tree defined by {@link AbstractCompositeProviderTest#TEST_A_PATH}
- * - {@link Permissions#NO_PERMISSION} everywhere else.
- * The permissions granted are the same as above. Due to the limited scope
- * however, the provider will in this case only respected for evaluation at
- * the supported paths (and at the repo level). The final result will restricted
- * to the permissions granted by this provider at the supported paths. For all
- * other paths the access limitations of this provider have no effect.
+ * NOTE: this provider implementation doesn't properly filter out access
+ * control content for which {@link Permissions#READ_ACCESS_CONTROL} must be
+ * enforced. this has been omitted here for the simplicity of the test.
*/
-class TestPermissionProvider implements AggregatedPermissionProvider {
+class FullScopeProvider implements AggregatedPermissionProvider, PrivilegeConstants {
private final Root root;
- private final boolean supportsAll;
- TestPermissionProvider(@Nonnull Root root, boolean supportsAll) {
+ FullScopeProvider(@Nonnull Root root) {
this.root = root;
- this.supportsAll = supportsAll;
}
//-------------------------------------------------< PermissionProvider >---
@@ -79,23 +71,18 @@ class TestPermissionProvider implements
@Override
public Set<String> getPrivileges(@Nullable Tree tree) {
if (tree == null) {
- return ImmutableSet.of(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
- } else if (isSupported(tree)) {
- return ImmutableSet.of(PrivilegeConstants.REP_READ_NODES);
+ return ImmutableSet.of(JCR_NAMESPACE_MANAGEMENT);
} else {
- return ImmutableSet.of();
+ return ImmutableSet.of(REP_READ_NODES);
}
-
}
@Override
public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) {
if (tree == null) {
- return Arrays.equals(new String[]{PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT}, privilegeNames);
- } else if (isSupported(tree)) {
- return Arrays.equals(new String[]{PrivilegeConstants.REP_READ_NODES}, privilegeNames);
+ return Arrays.equals(new String[]{JCR_NAMESPACE_MANAGEMENT}, privilegeNames);
} else {
- return false;
+ return Arrays.equals(new String[]{REP_READ_NODES}, privilegeNames);
}
}
@@ -113,100 +100,48 @@ class TestPermissionProvider implements
@Nonnull
@Override
public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) {
- return (isSupported(tree)) ? new TestTreePermission(tree.getPath()) : TreePermission.EMPTY;
+ return new TestTreePermission(tree.getPath());
}
@Override
public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) {
- return isSupported(tree) && property == null && permissions == Permissions.READ_NODE;
+ return property == null && permissions == Permissions.READ_NODE;
}
@Override
public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) {
Tree tree = root.getTree(oakPath);
- return tree.exists() && isSupported(tree) && Session.ACTION_READ.equals(jcrActions);
+ return tree.exists() && Session.ACTION_READ.equals(jcrActions);
}
//---------------------------------------< AggregatedPermissionProvider >---
@Nonnull
@Override
public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) {
- if (supportsAll) {
- return (privilegeBits == null) ? new PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL) : privilegeBits;
- } else {
- PrivilegeBits supported;
- if (tree == null) {
- supported = PrivilegeBits.BUILT_IN.get(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
- } else if (isSupportedPath(tree.getPath())) {
- supported = PrivilegeBits.BUILT_IN.get(PrivilegeConstants.REP_READ_NODES);
- } else {
- supported = PrivilegeBits.EMPTY;
- }
-
- if (privilegeBits != null && !supported.isEmpty()) {
- return PrivilegeBits.getInstance(privilegeBits).retain(supported);
- } else {
- return supported;
- }
- }
+ return (privilegeBits == null) ? new PrivilegeBitsProvider(root).getBits(JCR_ALL) : privilegeBits;
}
@Override
public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions) {
- if (supportsAll) {
- return permissions;
- } else {
- if (tree == null) {
- return permissions & Permissions.NAMESPACE_MANAGEMENT;
- } else if (isSupportedPath(tree.getPath())) {
- return permissions & Permissions.READ_NODE;
- } else {
- return Permissions.NO_PERMISSION;
- }
- }
+ return permissions;
}
@Override
public long supportedPermissions(@Nonnull TreeLocation location, long permissions) {
- if (supportsAll) {
- return permissions;
- } else if (isSupportedPath(location.getPath())) {
- return permissions & Permissions.READ_NODE;
- } else {
- return Permissions.NO_PERMISSION;
- }
+ return permissions;
}
@Override
- public long supportedPermissions(@Nonnull TreePermission treePermission, long permissions) {
- if (supportsAll) {
- return permissions;
- } else if (isSupportedPath(((TestTreePermission) treePermission).path)) {
- return permissions & Permissions.READ_NODE;
- } else {
- return Permissions.NO_PERMISSION;
- }
+ public long supportedPermissions(@Nonnull TreePermission treePermission, @Nullable PropertyState propertyState, long permissions) {
+ return permissions;
}
@Override
public boolean isGranted(@Nonnull TreeLocation location, long permissions) {
- if (supportsAll) {
- return permissions == Permissions.READ_NODE;
- } else if (isSupportedPath(location.getPath())) {
- return permissions == Permissions.READ_NODE;
- } else {
- return false;
- }
+ return permissions == Permissions.READ_NODE;
}
//--------------------------------------------------------------------------
- private boolean isSupported(@Nonnull Tree tree) {
- return supportsAll || isSupportedPath(tree.getPath());
- }
-
- private boolean isSupportedPath(@Nonnull String path) {
- return Text.isDescendantOrEqual(AbstractCompositeProviderTest.TEST_A_PATH, path);
- }
private final class TestTreePermission implements TreePermission {