Posted to commits@sling.apache.org by bd...@apache.org on 2015/12/31 13:39:32 UTC
svn commit: r1722439 - in /sling/trunk/contrib/extensions/acldef/it: pom.xml
src/main/provisioning/model.txt
src/test/java/org/apache/sling/acldef/it/ProvisionedAclIT.java
Author: bdelacretaz
Date: Thu Dec 31 12:39:31 2015
New Revision: 1722439
URL: http://svn.apache.org/viewvc?rev=1722439&view=rev
Log:
SLING-5355 - test more ACL definitions in provisioning model
Modified:
sling/trunk/contrib/extensions/acldef/it/pom.xml
sling/trunk/contrib/extensions/acldef/it/src/main/provisioning/model.txt
sling/trunk/contrib/extensions/acldef/it/src/test/java/org/apache/sling/acldef/it/ProvisionedAclIT.java
Modified: sling/trunk/contrib/extensions/acldef/it/pom.xml
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/acldef/it/pom.xml?rev=1722439&r1=1722438&r2=1722439&view=diff
==============================================================================
--- sling/trunk/contrib/extensions/acldef/it/pom.xml (original)
+++ sling/trunk/contrib/extensions/acldef/it/pom.xml Thu Dec 31 12:39:31 2015
@@ -166,6 +166,10 @@
<version>2.0.18</version>
<exclusions>
<exclusion>
+ <groupId>javax.jcr</groupId>
+ <artifactId>jcr</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>junit</groupId>
<artifactId>junit-dep</artifactId>
</exclusion>
Modified: sling/trunk/contrib/extensions/acldef/it/src/main/provisioning/model.txt
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/acldef/it/src/main/provisioning/model.txt?rev=1722439&r1=1722438&r2=1722439&view=diff
==============================================================================
--- sling/trunk/contrib/extensions/acldef/it/src/main/provisioning/model.txt (original)
+++ sling/trunk/contrib/extensions/acldef/it/src/main/provisioning/model.txt Thu Dec 31 12:39:31 2015
@@ -37,12 +37,22 @@ org.apache.sling.acldef.jcr.AclSetup-one
# multiline acldef statement
acldef.text.2="
set ACL for fredWilma
- allow jcr:read on /var
- deny jcr:write on /var
+ allow jcr:all on /acltest
+ deny jcr:write on /acltest/A
end"
#
- # single line with backslash n should work as well
- acldef.text.backs="set ACL for fredWilma \n deny jcr:write on /var \n end"
- #
- # this user will be created from code, to validate the async ACL setting
- acldef.text.another="set ACL for anotherUser \n deny jcr:write on /tmp \n end"
\ No newline at end of file
+ # single line with backslash n works as well
+ acldef.text.backs="set ACL for fredWilma \n allow jcr:write on /acltest/A/B \n end"
+
+# try some acldef in a separate config
+org.apache.sling.acldef.jcr.AclSetup-two
+ # this user will be created from code, to validate the async ACL setting
+ # and using the path-oriented notation, to test that
+ acldef.text.another="
+ set ACL on /acltest
+ allow jcr:all for anotherUser
+ end
+ set ACL on /acltest/A/B
+ deny jcr:write for anotherUser
+ end
+ "
\ No newline at end of file
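Review bot: Nothing in the visible part of this model creates `/acltest`, `/acltest/A` or `/acltest/A/B`, yet the new statements in `acldef.text.2`, `acldef.text.backs` and `acldef.text.another` all target those paths. In the same commit the nodes are added by `ProvisionedAclIT.setup()`, so the fixture appears to rely on the ACLs being applied (or re-applied) after the test has created the paths; that ordering is inferred from the diff and is not stated here. A comment above the first statement would make the dependency explicit, for example `# paths under /acltest are created by ProvisionedAclIT.setup(), not by this model`. It would also help to say in a comment that the `deny jcr:write on /acltest/A` / `allow jcr:write on /acltest/A/B` pair (and the reverse pair for `anotherUser`) exists to pin how a deeper entry overrides an inherited one, since that is the access-control behaviour the test depends on.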
Modified: sling/trunk/contrib/extensions/acldef/it/src/test/java/org/apache/sling/acldef/it/ProvisionedAclIT.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/acldef/it/src/test/java/org/apache/sling/acldef/it/ProvisionedAclIT.java?rev=1722439&r1=1722438&r2=1722439&view=diff
==============================================================================
--- sling/trunk/contrib/extensions/acldef/it/src/test/java/org/apache/sling/acldef/it/ProvisionedAclIT.java (original)
+++ sling/trunk/contrib/extensions/acldef/it/src/test/java/org/apache/sling/acldef/it/ProvisionedAclIT.java Thu Dec 31 12:39:31 2015
@@ -16,49 +16,133 @@
*/
package org.apache.sling.acldef.it;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
+import java.util.Dictionary;
+import java.util.Hashtable;
+import java.util.UUID;
+
+import javax.jcr.AccessDeniedException;
import javax.jcr.LoginException;
+import javax.jcr.Node;
+import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.junit.rules.TeleporterRule;
+import org.junit.After;
+import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
+import org.osgi.service.cm.Configuration;
+import org.osgi.service.cm.ConfigurationAdmin;
/** Test service users and ACLs set from
* our provisioning model.
* TODO test /var ACLs and use @Retry rule
*/
public class ProvisionedAclIT {
+
+ private Session session;
+ private static final String FRED_WILMA = "fredWilma";
+ private static final String ANOTHER = "anotherUser";
@Rule
public TeleporterRule teleporter = TeleporterRule.forClass(getClass(), "IT");
+ @Before
+ public void setup() throws LoginException, RepositoryException {
+ WaitFor.services(teleporter, SlingRepository.class, ConfigurationAdmin.class);
+ session = teleporter.getService(SlingRepository.class).loginAdministrative(null);
+
+ try {
+ session.getRootNode().addNode("acltest").addNode("A").addNode("B").save();;
+ } catch(RepositoryException ignore) {
+ }
+ assertTrue("Expecting test nodes to be created", session.itemExists("/acltest/A/B"));
+ }
+
+ @After
+ public void cleanup() {
+ if(session != null) {
+ session.logout();
+ }
+ }
+
private boolean userExists(String id) throws LoginException, RepositoryException, InterruptedException {
- final Session s = teleporter.getService(SlingRepository.class).loginAdministrative(null);
+ final Authorizable a = ((JackrabbitSession)session).getUserManager().getAuthorizable(id);
+ return a != null;
+ }
+
+ private Session getServiceSession(String serviceId) throws LoginException, RepositoryException {
+ return session.impersonate(new SimpleCredentials(serviceId, new char[0]));
+ }
+
+ /** True if user can write to specified path.
+ * @throws PathNotFoundException if the path doesn't exist */
+ private boolean canWrite(String userId, String path) throws PathNotFoundException,RepositoryException {
+ if(!session.itemExists(path)) {
+ throw new PathNotFoundException(path);
+ }
+ final Session serviceSession = getServiceSession(userId);
+ final String testNodeName = "test_" + UUID.randomUUID().toString();
try {
- final Authorizable a = ((JackrabbitSession)s).getUserManager().getAuthorizable(id);
- if(a != null) {
- return true;
- }
+ ((Node)serviceSession.getItem(path)).addNode(testNodeName);
+ serviceSession.save();
+ } catch(AccessDeniedException ade) {
+ return false;
} finally {
- s.logout();
+ serviceSession.logout();
}
- return false;
+ return true;
}
@Test
public void serviceUserCreated() throws Exception {
- final String id = "fredWilma";
new Retry() {
@Override
public Void call() throws Exception {
- assertTrue("Expecting user " + id, userExists(id));
+ assertTrue("Expecting user " + FRED_WILMA, userExists(FRED_WILMA));
+ return null;
+ }
+ };
+ }
+
+ @Test
+ public void fredWilmaAcl() throws Exception {
+ new Retry() {
+ @Override
+ public Void call() throws Exception {
+ assertFalse("Expecting no write access to A", canWrite(FRED_WILMA, "/acltest/A"));
+ assertTrue("Expecting write access to A/B", canWrite(FRED_WILMA, "/acltest/A/B"));
+ return null;
+ }
+ };
+ }
+
+ @Test
+ public void anotherUserAcl() throws Exception {
+ // Verify that user creation causes its ACL
+ // to be set. Use a config to create the user,
+ // to also test that mechanism.
+ final ConfigurationAdmin ca = teleporter.getService(ConfigurationAdmin.class);
+ final Configuration cfg = ca.createFactoryConfiguration("org.apache.sling.acldef.jcr.AclSetup");
+ final Dictionary<String, Object> props = new Hashtable<String, Object>();
+ props.put("acldef.text.1", "create service user " + ANOTHER);
+ cfg.setBundleLocation(null);
+ cfg.update(props);
+
+ new Retry() {
+ @Override
+ public Void call() throws Exception {
+ assertTrue("Expecting write access to A", canWrite(ANOTHER, "/acltest/A"));
+ assertFalse("Expecting no write access to B", canWrite(ANOTHER, "/acltest/A/B"));
return null;
}
};