Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2017/03/22 10:21:30 UTC

svn commit: r1788080 - /jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/SetRepoLevelPolicyTest.java

Author: angela
Date: Wed Mar 22 10:21:30 2017
New Revision: 1788080

URL: http://svn.apache.org/viewvc?rev=1788080&view=rev
Log:
OAK-5947 : Allowing non-admin user to set repository permissions fails (adding test-case illustrating the issue)

Added:
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/SetRepoLevelPolicyTest.java

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/SetRepoLevelPolicyTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/SetRepoLevelPolicyTest.java?rev=1788080&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/SetRepoLevelPolicyTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/SetRepoLevelPolicyTest.java Wed Mar 22 10:21:30 2017
@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.evaluation;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.PathNotFoundException;
+
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.junit.Ignore;
+import org.junit.Test;
+
+public class SetRepoLevelPolicyTest extends AbstractOakCoreTest {
+
+    @Test(expected = PathNotFoundException.class)
+    public void testGetApplicablePoliciesRootNotReadable() throws Exception {
+        setupPermission(null, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+
+        getAccessControlManager(getTestRoot()).getApplicablePolicies((String) null);
+    }
+
+    @Test(expected = PathNotFoundException.class)
+    public void testGetApplicablePoliciesRootNotReadable2() throws Exception {
+        setupPermission(null, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+
+        getAccessControlManager(getTestRoot()).getApplicablePolicies((String) null);
+    }
+
+    @Test(expected = AccessDeniedException.class)
+    public void testGetApplicablePoliciesMissingAcPermission() throws Exception {
+        setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ);
+
+        getAccessControlManager(getTestRoot()).getApplicablePolicies((String) null);
+    }
+
+    @Test(expected = AccessDeniedException.class)
+    public void testGetApplicablePoliciesMissingAcPermission2() throws Exception {
+        setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+
+        getAccessControlManager(getTestRoot()).getApplicablePolicies((String) null);
+    }
+
+    @Test
+    public void testGetApplicablePolicies() throws Exception {
+        setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ);
+        setupPermission(null, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+
+        getAccessControlManager(getTestRoot()).getApplicablePolicies((String) null);
+    }
+
+    @Test(expected = AccessDeniedException.class)
+    public void testSetPolicyMissingAcPermission() throws Exception {
+        setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ);
+        setupPermission(null, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+
+        setupPermission(getTestRoot(), null, EveryonePrincipal.getInstance(), false, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+    }
+
+    @Test(expected = AccessDeniedException.class)
+    public void testSetPolicyMissingAcPermission2() throws Exception {
+        setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL, PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL);
+        setupPermission(null, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+
+        setupPermission(getTestRoot(), null, EveryonePrincipal.getInstance(), false, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+    }
+
+    @Ignore("OAK-5947")
+    @Test
+    public void testSetPolicy() throws Exception {
+        setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ);
+        setupPermission(null, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ_ACCESS_CONTROL, PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL);
+
+        setupPermission(getTestRoot(), null, EveryonePrincipal.getInstance(), false, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+    }
+
+    @Test
+    public void testSetPolicy2() throws Exception {
+        // see above: ac-related permissions should not be required on ROOT_PATH (workaround for OAK-5947)
+        setupPermission(PathUtils.ROOT_PATH, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL, PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL);
+        setupPermission(null, getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ_ACCESS_CONTROL, PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL);
+
+        setupPermission(getTestRoot(), null, EveryonePrincipal.getInstance(), false, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+    }
+}
\ No newline at end of file
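Review bot: The two enabled positive cases, `testGetApplicablePolicies` and `testSetPolicy2`, contain no assertion, so they pass whenever nothing throws and would not notice a repository-level entry that is silently dropped. In `testSetPolicy2` I would read the policy back after the final `setupPermission(getTestRoot(), null, …)` call, for example through `getPolicies((String) null)`, and assert that the deny of `JCR_NAMESPACE_MANAGEMENT` for everyone is present. The negative cases put `@Test(expected = AccessDeniedException.class)` around the whole method, so a denial raised by one of the preparatory `setupPermission` calls would also count as a pass; wrapping only the last call in try/`fail()`/catch would pin the denial to the test user's session. `setupPermission` is defined outside this hunk (presumably in `AbstractOakCoreTest`), so whether it commits the change, and under which session the four-argument form runs, cannot be confirmed from here.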