You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/05/10 16:13:22 UTC
svn commit: r1481016 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/
main/java/org/apache/jackrabbit/oak/spi/security/authorization/
main/java/org/apache/jackrabbit/oak/spi/security/authorization/res...
Author: angela
Date: Fri May 10 14:13:22 2013
New Revision: 1481016
URL: http://svn.apache.org/r1481016
Log:
OAK-50 : Implement User Management
Removed:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/EffectivePolicyTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java Fri May 10 14:13:22 2013
@@ -229,7 +229,7 @@ abstract class ACL extends AbstractAcces
return true;
}
- // TODO
+ // TODO: OAK-814
private boolean isRedundantOrExtending(ACE existing, ACE entry) {
return existing.isAllow() == entry.isAllow()
&& (!(existing.getPrincipal() instanceof Group) || entries.indexOf(existing) == entries.size() - 1);
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Fri May 10 14:13:22 2013
@@ -489,21 +489,20 @@ public class AccessControlManagerImpl im
@CheckForNull
private JackrabbitAccessControlList createACL(@Nullable String oakPath,
@Nonnull Tree accessControlledTree,
- boolean isReadOnly) throws RepositoryException {
+ boolean isEffectivePolicy) throws RepositoryException {
JackrabbitAccessControlList acl = null;
String aclName = AccessControlUtils.getAclName(oakPath);
- String mixinName = AccessControlUtils.getMixinName(oakPath);
-
if (accessControlledTree.exists() && AccessControlUtils.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
Tree aclTree = accessControlledTree.getChild(aclName);
- if (aclTree.exists()) {
+ // TODO: effective policies: add proper handling for modified ACLs
+ if (aclTree.exists() && (!isEffectivePolicy || aclTree.getStatus() != Tree.Status.NEW)) {
List<JackrabbitAccessControlEntry> entries = new ArrayList<JackrabbitAccessControlEntry>();
for (Tree child : aclTree.getChildren()) {
if (AccessControlUtils.isACE(child, ntMgr)) {
entries.add(createACE(oakPath, child, restrictionProvider));
}
}
- if (isReadOnly) {
+ if (isEffectivePolicy) {
acl = new ImmutableACL(oakPath, entries, restrictionProvider, namePathMapper);
} else {
acl = new NodeACL(oakPath, entries);
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java Fri May 10 14:13:22 2013
@@ -28,7 +28,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
/**
- * {@code AccessControlContextProvider}...
+ * Configuration for access control management and permission evaluation.
*/
public interface AccessControlConfiguration extends SecurityConfiguration {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java Fri May 10 14:13:22 2013
@@ -22,13 +22,27 @@ import javax.jcr.Value;
import org.apache.jackrabbit.oak.api.PropertyState;
/**
- * Restriction... TODO
+ * A {@code Restriction} object represents a "live" restriction object that
+ * has been created using the Jackrabbit specific extensions of the
+ * {@link javax.jcr.security.AccessControlEntry AccessControlEntry} interface.
+ *
+ * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(java.security.Principal, javax.jcr.security.Privilege[], boolean, java.util.Map)
*/
public interface Restriction extends RestrictionDefinition {
+ /**
+ * The OAK property state associated with this restriction.
+ *
+ * @return An {@code PropertyState}.
+ */
@Nonnull
PropertyState getProperty();
+ /**
+ * The JCR value of this restriction object contained in {@link #getProperty()}.
+ *
+ * @return The JCR value of this restriction.
+ */
@Nonnull
Value getValue();
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java Fri May 10 14:13:22 2013
@@ -19,7 +19,21 @@ package org.apache.jackrabbit.oak.spi.se
import javax.annotation.Nonnull;
/**
- * RestrictionDefinition... TODO
+ * The {@code RestrictionDefinition} interface provides methods for
+ * discovering the static definition of any additional policy-internal refinements
+ * of the access control definitions. These restrictions are intended to be
+ * used wherever effects are too fine-grained to be exposed through privilege
+ * discovery or define a different restriction mechanism. A common case may be
+ * to provide finer-grained access restrictions to individual properties or
+ * child nodes of the node to which the policy applies e.g. by means of
+ * naming patterns or node type restrictions.
+ *
+ * Its subclass {@code Restriction} adds methods that are relevant only when
+ * a given restriction is "live" after being created and applied to a given
+ * policy.
+ *
+ * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#getRestrictionNames()
+ * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#getRestrictionType(String)
*/
public interface RestrictionDefinition {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java Fri May 10 14:13:22 2013
@@ -64,7 +64,7 @@ public class RestrictionImpl extends Res
}
if (o instanceof RestrictionImpl) {
RestrictionImpl other = (RestrictionImpl) o;
- return super.equals(other) && getValue().equals(other.getValue());
+ return super.equals(other) && property.equals(property);
}
return false;
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java Fri May 10 14:13:22 2013
@@ -417,7 +417,7 @@ public class ACLTest extends AbstractAcc
assertFalse(acl.getEntries().get(0).isAllow());
}
- @Ignore("OAK-51") // TODO
+ @Ignore("OAK-814") // TODO
@Test
public void testUpdateGroupEntry() throws Exception {
Privilege[] readPriv = privilegesFromNames(JCR_READ);
@@ -439,7 +439,7 @@ public class ACLTest extends AbstractAcc
assertACE(princ2AllowEntry, true, privilegesFromNames(JCR_READ, JCR_WRITE));
}
- @Ignore("OAK-51") // TODO
+ @Ignore("OAK-814") // TODO
@Test
public void testComplementaryGroupEntry() throws Exception {
Privilege[] readPriv = privilegesFromNames(JCR_READ);
@@ -466,7 +466,7 @@ public class ACLTest extends AbstractAcc
assertACE(second, false, privilegesFromNames(JCR_READ, JCR_WRITE));
}
- @Ignore("OAK-51") // TODO
+ @Ignore("OAK-814") // TODO
@Test
public void testAllowWriteDenyRemoveGroupEntries() throws Exception {
Principal everyone = principalManager.getEveryone();
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java Fri May 10 14:13:22 2013
@@ -46,6 +46,7 @@ import com.google.common.collect.Immutab
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
@@ -58,6 +59,7 @@ import org.apache.jackrabbit.oak.namepat
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.namepath.NamePathMapperImpl;
import org.apache.jackrabbit.oak.plugins.name.Namespaces;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
@@ -196,12 +198,13 @@ public class AccessControlManagerImplTes
}
@Nonnull
- private ACL setupPolicy(@Nullable String path) throws RepositoryException {
+ private ACL setupPolicy(@Nullable String path, @Nullable Privilege... privileges) throws RepositoryException {
+ Privilege[] privs = (privileges == null || privileges.length == 0) ? testPrivileges : privileges;
ACL policy = getApplicablePolicy(path);
if (path == null) {
- policy.addAccessControlEntry(testPrincipal, testPrivileges);
+ policy.addAccessControlEntry(testPrincipal, privs);
} else {
- policy.addEntry(testPrincipal, testPrivileges, true, getGlobRestriction("*"));
+ policy.addEntry(testPrincipal, privs, true, getGlobRestriction("*"));
}
acMgr.setPolicy(path, policy);
return policy;
@@ -963,7 +966,38 @@ public class AccessControlManagerImplTes
//---------------------------------------< getEffectivePolicies(String) >---
@Test
public void testGetEffectivePolicies() throws Exception {
- // TODO
+ AccessControlPolicy[] policies = acMgr.getEffectivePolicies(testPath);
+ assertNotNull(policies);
+ assertEquals(0, policies.length);
+
+ setupPolicy(testPath);
+ policies = acMgr.getEffectivePolicies(testPath);
+ assertNotNull(policies);
+ assertEquals(0, policies.length);
+
+ root.commit();
+ policies = acMgr.getEffectivePolicies(testPath);
+ assertNotNull(policies);
+ assertEquals(1, policies.length);
+
+ NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+ String childPath = child.getTree().getPath();
+
+ policies = acMgr.getEffectivePolicies(childPath);
+ assertNotNull(policies);
+ assertEquals(1, policies.length);
+
+ setupPolicy(childPath);
+
+ policies = acMgr.getEffectivePolicies(childPath);
+ assertNotNull(policies);
+ assertEquals(1, policies.length);
+
+ root.commit();
+
+ policies = acMgr.getEffectivePolicies(childPath);
+ assertNotNull(policies);
+ assertEquals(2, policies.length);
}
@Test
@@ -1012,6 +1046,77 @@ public class AccessControlManagerImplTes
}
}
+ /**
+ * @since OAK 1.0
+ */
+ @Test
+ public void testTestSessionGetEffectivePolicies() throws Exception {
+ // grant 'testUser' READ + READ_AC privileges at 'path'
+ Privilege[] privileges = privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+ setupPolicy(testPath, privileges);
+ root.commit();
+
+ Root testRoot = getTestRoot();
+ testRoot.refresh();
+ AccessControlManager testAcMgr = getTestAccessControlManager();
+
+ assertTrue(testAcMgr.hasPrivileges(testPath, privileges));
+
+ // diff to jr core: getEffectivePolicies will just return the policies
+ // accessible for the editing session but not throw an exception.
+ AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(testPath);
+ assertNotNull(effective);
+ assertEquals(1, effective.length);
+ }
+
+ /**
+ * @since OAK 1.0
+ */
+ @Test
+ public void testTestSessionGetEffectivePolicies2() throws Exception {
+ NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+ String childPath = child.getTree().getPath();
+
+ setupPolicy(testPath, privilegesFromNames(PrivilegeConstants.JCR_READ));
+ setupPolicy(childPath, privilegesFromNames(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ root.commit();
+
+ Root testRoot = getTestRoot();
+ testRoot.refresh();
+ AccessControlManager testAcMgr = getTestAccessControlManager();
+
+ assertTrue(testAcMgr.hasPrivileges(childPath, privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL)));
+
+ // diff to jr core: getEffectivePolicies will just return the policies
+ // accessible for the editing session but not throw an exception.
+ AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(childPath);
+ assertNotNull(effective);
+ assertEquals(1, effective.length);
+ }
+
+ @Test
+ public void testTestSessionGetEffectivePoliciesWithoutPrivilege() throws Exception {
+ // grant 'testUser' READ + READ_AC privileges at 'path'
+ Privilege[] privileges = privilegesFromNames(PrivilegeConstants.JCR_READ);
+ setupPolicy(testPath, privileges);
+ root.commit();
+
+ Root testRoot = getTestRoot();
+ testRoot.refresh();
+ AccessControlManager testAcMgr = getTestAccessControlManager();
+
+ List<String> paths = ImmutableList.of(testPath, NodeTypeConstants.NODE_TYPES_PATH);
+ for (String path : paths) {
+ assertFalse(testAcMgr.hasPrivileges(path, privilegesFromNames(PrivilegeConstants.JCR_READ_ACCESS_CONTROL)));
+ try {
+ testAcMgr.getEffectivePolicies(path);
+ fail("READ_ACCESS_CONTROL is not granted at " + path);
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+ }
+
//-----------------------------< setPolicy(String, AccessControlPolicy) >---
@Test
public void testSetPolicy() throws Exception {
@@ -1554,20 +1659,170 @@ public class AccessControlManagerImplTes
assertNotNull(policies);
assertEquals(0, policies.length);
}
- }
- @Test
- public void testGetEffectivePoliciesByPrincipal2() throws Exception {
setupPolicy(testPath);
+ // changes not yet persisted -> no effecitve policies found for testprincipal
+ for (Set<Principal> principals : principalSets) {
+ AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals);
+ assertNotNull(policies);
+ assertEquals(0, policies.length);
+ }
+
+ root.commit();
+ // after persisting changes -> the policy must be found
+ for (Set<Principal> principals : principalSets) {
+ AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals);
+ assertNotNull(policies);
+ if (principals.contains(getTestPrincipal())) {
+ assertEquals(1, policies.length);
+ } else {
+ assertEquals(0, policies.length);
+ }
+ }
+ NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+ String childPath = child.getTree().getPath();
+ setupPolicy(childPath);
// changes not yet persisted -> no effecitve policies found for testprincipal
- AccessControlPolicy[] policies = acMgr.getEffectivePolicies(ImmutableSet.of(testPrincipal));
- assertNotNull(policies);
- assertEquals(0, policies.length);
+ for (Set<Principal> principals : principalSets) {
+ AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals);
+ assertNotNull(policies);
+ if (principals.contains(getTestPrincipal())) {
+ assertEquals(1, policies.length);
+ } else {
+ assertEquals(0, policies.length);
+ }
+ }
+ root.commit();
// after persisting changes -> the policy must be found
+ for (Set<Principal> principals : principalSets) {
+ AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals);
+ assertNotNull(policies);
+ if (principals.contains(getTestPrincipal())) {
+ assertEquals(2, policies.length);
+ } else {
+ assertEquals(0, policies.length);
+ }
+ }
+
+ }
+
+ @Test
+ public void testTestSessionGetEffectivePoliciesByPrincipal() throws Exception {
+ NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+ String childPath = child.getTree().getPath();
+
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+ setupPolicy(testPath, privs);
+ setupPolicy(childPath, privs);
+ root.commit();
+
+ Root testRoot = getTestRoot();
+ testRoot.refresh();
+ JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager();
+
+ AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(Collections.singleton(getTestPrincipal()));
+ assertNotNull(effective);
+ assertEquals(2, effective.length);
+ }
+
+ /**
+ * @since OAK 1.0 Policy at testPath not accessible -> getEffectivePolicies
+ * only returns the readable policy but doesn't fail.
+ */
+ @Test
+ public void testTestSessionGetEffectivePoliciesByPrincipal2() throws Exception {
+ NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+ String childPath = child.getTree().getPath();
+
+ // policy at testPath: ac content was visible but the policy can't be
+ // retrieved from AcMgr as the accesscontrolled node is not visible.
+ setupPolicy(testPath, privilegesFromNames(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ // policy at childPath: will be found by the getEffectivePolicies
+ setupPolicy(childPath, privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ root.commit();
+
+ Root testRoot = getTestRoot();
+ testRoot.refresh();
+ JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager();
+
+ AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(Collections.singleton(getTestPrincipal()));
+ assertNotNull(effective);
+ assertEquals(1, effective.length);
+ }
+
+ /**
+ * @since OAK 1.0 Policy at testPath not accessible -> getEffectivePolicies
+ * only returns the readable policy but doesn't fail.
+ */
+ @Test
+ public void testTestSessionGetEffectivePoliciesByPrincipal3() throws Exception {
+ NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+ String childPath = child.getTree().getPath();
+
+ setupPolicy(testPath, privilegesFromNames(PrivilegeConstants.JCR_READ));
+ setupPolicy(childPath, privilegesFromNames(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
root.commit();
- policies = acMgr.getEffectivePolicies(ImmutableSet.of(testPrincipal));
+
+ Root testRoot = getTestRoot();
+ testRoot.refresh();
+ JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager();
+
+ AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(Collections.singleton(getTestPrincipal()));
+ assertNotNull(effective);
+ assertEquals(1, effective.length);
+ }
+
+ @Test
+ public void testTestSessionGetEffectivePoliciesByPrincipals() throws Exception {
+ NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+ String childPath = child.getTree().getPath();
+
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+ setupPolicy(testPath, privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+
+ JackrabbitAccessControlList acl = getApplicablePolicy(childPath);
+ acl.addEntry(EveryonePrincipal.getInstance(), privs, true);
+ acMgr.setPolicy(childPath, acl);
+
+ root.commit();
+
+ Root testRoot = getTestRoot();
+ testRoot.refresh();
+ JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager();
+
+ Set<Principal> principals = ImmutableSet.of(getTestPrincipal(), EveryonePrincipal.getInstance());
+ AccessControlPolicy[] policies = testAcMgr.getEffectivePolicies(principals);
+ assertNotNull(policies);
+ assertEquals(2, policies.length);
+ }
+
+ /**
+ * @since OAK 1.0 : only accessible policies are returned by call succeeds
+ */
+ @Test
+ public void testTestSessionGetEffectivePoliciesByPrincipals2() throws Exception {
+ NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+ String childPath = child.getTree().getPath();
+
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+
+ // create policy on testPath -> but deny access to test session
+ JackrabbitAccessControlList acl = getApplicablePolicy(testPath);
+ acl.addEntry(getTestPrincipal(), privs, false);
+ acMgr.setPolicy(testPath, acl);
+
+ // grant access at childpath
+ setupPolicy(childPath, privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ root.commit();
+
+ Root testRoot = getTestRoot();
+ testRoot.refresh();
+ JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager();
+
+ Set<Principal> principals = ImmutableSet.of(getTestPrincipal(), EveryonePrincipal.getInstance());
+ AccessControlPolicy[] policies = testAcMgr.getEffectivePolicies(principals);
assertNotNull(policies);
assertEquals(1, policies.length);
}