You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/04/16 16:06:21 UTC
svn commit: r1468422 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
Author: angela
Date: Tue Apr 16 14:06:21 2013
New Revision: 1468422
URL: http://svn.apache.org/r1468422
Log:
OAK-527: permissions (wip, tests)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1468422&r1=1468421&r2=1468422&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Tue Apr 16 14:06:21 2013
@@ -126,14 +126,14 @@ public class AccessControlManagerImpl im
}
@Override
- public boolean hasPrivileges(@Nullable String absPath, @Nonnull Privilege[] privileges) throws RepositoryException {
- return hasPrivileges(absPath, privileges, getPermissionProvider());
+ public boolean hasPrivileges(@Nullable String absPath, @Nullable Privilege[] privileges) throws RepositoryException {
+ return hasPrivileges(absPath, privileges, getPermissionProvider(), Permissions.NO_PERMISSION);
}
@Nonnull
@Override
public Privilege[] getPrivileges(@Nullable String absPath) throws RepositoryException {
- return getPrivileges(absPath, getPermissionProvider());
+ return getPrivileges(absPath, getPermissionProvider(), Permissions.NO_PERMISSION);
}
@Nonnull
@@ -316,15 +316,31 @@ public class AccessControlManagerImpl im
}
@Override
- public boolean hasPrivileges(@Nullable String absPath, @Nonnull Set<Principal> principals, @Nonnull Privilege[] privileges) throws RepositoryException {
- PermissionProvider provider = acConfig.getPermissionProvider(root, principals);
- return hasPrivileges(absPath, privileges, provider);
+ public boolean hasPrivileges(@Nullable String absPath, @Nonnull Set<Principal> principals, @Nullable Privilege[] privileges) throws RepositoryException {
+ if (getPrincipals().equals(principals)) {
+ return hasPrivileges(absPath, privileges);
+ } else {
+ PermissionProvider provider = acConfig.getPermissionProvider(root, principals);
+ try {
+ return hasPrivileges(absPath, privileges, provider, Permissions.READ_ACCESS_CONTROL);
+ } finally {
+ provider = null;
+ }
+ }
}
@Override
public Privilege[] getPrivileges(@Nullable String absPath, @Nonnull Set<Principal> principals) throws RepositoryException {
- PermissionProvider provider = acConfig.getPermissionProvider(root, principals);
- return getPrivileges(absPath, provider);
+ if (getPrincipals().equals(principals)) {
+ return getPrivileges(absPath);
+ } else {
+ PermissionProvider provider = acConfig.getPermissionProvider(root, principals);
+ try {
+ return getPrivileges(absPath, provider, Permissions.READ_ACCESS_CONTROL);
+ } finally {
+ provider = null;
+ }
+ }
}
//------------------------------------------------------------< private >---
@@ -348,9 +364,8 @@ public class AccessControlManagerImpl im
throw new PathNotFoundException("No tree at " + oakPath);
}
if (permissions != Permissions.NO_PERMISSION) {
- if (!getPermissionProvider().isGranted(tree, null, permissions)) {
- throw new AccessDeniedException("Access denied at " + tree);
- }
+ // check permissions
+ checkPermissions((oakPath == null) ? null : tree, permissions);
// check if the tree is access controlled
if (acConfig.getContext().definesTree(tree)) {
throw new AccessControlException("Tree " + tree.getPath() + " defines access control content.");
@@ -360,6 +375,18 @@ public class AccessControlManagerImpl im
return tree;
}
+ private void checkPermissions(@Nullable Tree tree, long permissions) throws AccessDeniedException {
+ boolean isGranted;
+ if (tree == null) {
+ isGranted = getPermissionProvider().isGranted(permissions);
+ } else {
+ isGranted = getPermissionProvider().isGranted(tree, null, permissions);
+ }
+ if (!isGranted) {
+ throw new AccessDeniedException("Access denied.");
+ }
+ }
+
private static void checkValidPolicy(@Nullable String oakPath, @Nonnull AccessControlPolicy policy) throws AccessControlException {
if (policy instanceof ACL) {
String path = ((ACL) policy).getOakPath();
@@ -509,9 +536,14 @@ public class AccessControlManagerImpl im
}
@Nonnull
+ private Set<Principal> getPrincipals() {
+ return root.getContentSession().getAuthInfo().getPrincipals();
+ }
+
+ @Nonnull
private PermissionProvider getPermissionProvider() {
if (permissionProvider == null) {
- permissionProvider = acConfig.getPermissionProvider(root, root.getContentSession().getAuthInfo().getPrincipals());
+ permissionProvider = acConfig.getPermissionProvider(root, getPrincipals());
} else {
permissionProvider.refresh();
}
@@ -529,8 +561,17 @@ public class AccessControlManagerImpl im
}
@Nonnull
- private Privilege[] getPrivileges(@Nullable String absPath, @Nonnull PermissionProvider provider) throws RepositoryException {
- Tree tree = (absPath == null) ? null : getTree(getOakPath(absPath), Permissions.NO_PERMISSION);
+ private Privilege[] getPrivileges(@Nullable String absPath, @Nonnull PermissionProvider provider,
+ long permissions) throws RepositoryException {
+ Tree tree;
+ if (absPath == null) {
+ tree = null;
+ if (permissions != Permissions.NO_PERMISSION) {
+ checkPermissions(null, permissions);
+ }
+ } else {
+ tree = getTree(getOakPath(absPath), permissions);
+ }
Set<String> pNames = provider.getPrivileges(tree);
if (pNames.isEmpty()) {
return new Privilege[0];
@@ -543,14 +584,28 @@ public class AccessControlManagerImpl im
}
}
- private boolean hasPrivileges(@Nullable String absPath, @Nonnull Privilege[] privileges,
- @Nonnull PermissionProvider provider) throws RepositoryException {
- Tree tree = (absPath == null) ? null : getTree(getOakPath(absPath), Permissions.NO_PERMISSION);
- Set<String> privilegeNames = new HashSet<String>(privileges.length);
- for (Privilege privilege : privileges) {
- privilegeNames.add(namePathMapper.getOakName(privilege.getName()));
+ private boolean hasPrivileges(@Nullable String absPath, @Nullable Privilege[] privileges,
+ @Nonnull PermissionProvider provider, long permissions) throws RepositoryException {
+ Tree tree;
+ if (absPath == null) {
+ tree = null;
+ if (permissions != Permissions.NO_PERMISSION) {
+ checkPermissions(null, permissions);
+ }
+ } else {
+ tree = getTree(getOakPath(absPath), permissions);
+ }
+ if (privileges == null || privileges.length == 0) {
+ // null or empty privilege array -> return true
+ log.debug("No privileges passed -> allowed.");
+ return true;
+ } else {
+ Set<String> privilegeNames = new HashSet<String>(privileges.length);
+ for (Privilege privilege : privileges) {
+ privilegeNames.add(namePathMapper.getOakName(privilege.getName()));
+ }
+ return provider.hasPrivileges(tree, privilegeNames.toArray(new String[privilegeNames.size()]));
}
- return (privilegeNames.isEmpty()) || provider.hasPrivileges(tree, privilegeNames.toArray(new String[privilegeNames.size()]));
}
@CheckForNull
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java?rev=1468422&r1=1468421&r2=1468422&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java Tue Apr 16 14:06:21 2013
@@ -23,10 +23,13 @@ import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import javax.annotation.Nonnull;
+import javax.jcr.AccessDeniedException;
import javax.jcr.NamespaceRegistry;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
+import javax.jcr.SimpleCredentials;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
@@ -37,10 +40,14 @@ import javax.jcr.security.AccessControlP
import javax.jcr.security.Privilege;
import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.TestNameMapper;
+import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.namepath.NameMapper;
@@ -48,7 +55,6 @@ import org.apache.jackrabbit.oak.namepat
import org.apache.jackrabbit.oak.namepath.NamePathMapperImpl;
import org.apache.jackrabbit.oak.plugins.name.Namespaces;
import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
-import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
@@ -69,15 +75,17 @@ import static org.junit.Assert.assertTru
import static org.junit.Assert.fail;
/**
- * AccessControlManagerImplTest... TODO
+ * Tests for the default {@code AccessControlManager} implementation.
*/
public class AccessControlManagerImplTest extends AbstractAccessControlTest implements AccessControlConstants {
private final String testName = TestNameMapper.TEST_PREFIX + ":testRoot";
private final String testPath = '/' + testName;
+ private final String testUserId = "test";
private Principal testPrincipal;
private Privilege[] testPrivileges;
+ private Root testRoot;
private TestNameMapper nameMapper;
private NamePathMapper npMapper;
@@ -99,18 +107,33 @@ public class AccessControlManagerImplTes
NodeUtil rootNode = new NodeUtil(root.getTree("/"), npMapper);
rootNode.addChild(testName, JcrConstants.NT_UNSTRUCTURED);
- root.commit();
- // TODO
- testPrincipal = new PrincipalImpl("admin");
+ User user = getUserManager().createUser(testUserId, testUserId);
+ testPrincipal = user.getPrincipal();
testPrivileges = privilegesFromNames(Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_READ);
+
+ root.commit();
}
@After
public void after() throws Exception {
- root.refresh();
- root.getTree(testPath).remove();
- root.commit();
+ try {
+ root.refresh();
+ root.getTree(testPath).remove();
+
+ Authorizable testUser = getUserManager().getAuthorizable(testUserId);
+ if (testUser != null) {
+ testUser.remove();
+ }
+ root.commit();
+
+ if (testRoot != null) {
+ testRoot.getContentSession().close();
+ testRoot = null;
+ }
+ } finally {
+ super.after();
+ }
}
@Override
@@ -122,6 +145,17 @@ public class AccessControlManagerImplTes
return new AccessControlManagerImpl(root, npMapper, getSecurityProvider());
}
+ private Root getTestRoot() throws Exception {
+ if (testRoot == null) {
+ testRoot = login(new SimpleCredentials(testUserId, testUserId.toCharArray())).getLatestRoot();
+ }
+ return testRoot;
+ }
+
+ private AccessControlManagerImpl getTestAccessControlManager() throws Exception {
+ return new AccessControlManagerImpl(getTestRoot(), getNamePathMapper(), getSecurityProvider());
+ }
+
private NamePathMapper getLocalNamePathMapper() {
NameMapper remapped = new TestNameMapper(nameMapper, TestNameMapper.LOCAL_MAPPING);
return new NamePathMapperImpl(remapped);
@@ -211,6 +245,10 @@ public class AccessControlManagerImplTes
return acContentPath;
}
+ private Set<Principal> getPrincipals(ContentSession session) {
+ return session.getAuthInfo().getPrincipals();
+ }
+
//---------------------------------------------< getSupportedPrivileges >---
@Test
public void testGetSupportedPrivileges() throws Exception {
@@ -332,14 +370,360 @@ public class AccessControlManagerImplTes
//------------------------------------------------------< hasPrivileges >---
@Test
- public void testHasPrivileges() throws Exception {
- // TODO
+ public void testHasNullPrivileges() throws Exception {
+ assertTrue(acMgr.hasPrivileges(testPath, null));
+ }
+
+ @Test
+ public void testHasEmptyPrivileges() throws Exception {
+ assertTrue(acMgr.hasPrivileges(testPath, new Privilege[0]));
+ }
+
+ @Test
+ public void testHasPrivilegesForPropertyPath() throws Exception {
+ String propertyPath = "/jcr:primaryType";
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+ try {
+ acMgr.hasPrivileges(propertyPath, privs);
+ fail("AccessControlManager#hasPrivileges for property should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+
+ try {
+ acMgr.hasPrivileges(propertyPath, getPrincipals(adminSession), privs);
+ fail("AccessControlManager#hasPrivileges for property should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testHasPrivilegesNonExistingNodePath() throws Exception {
+ String nonExistingPath = "/not/existing";
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+ try {
+ acMgr.hasPrivileges(nonExistingPath, privs);
+ fail("AccessControlManager#hasPrivileges for node that doesn't exist should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ try {
+ acMgr.hasPrivileges(nonExistingPath, getPrincipals(adminSession), privs);
+ fail("AccessControlManager#hasPrivileges for node that doesn't exist should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testHasPrivilegesInvalidPaths() throws Exception {
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+ for (String path : getInvalidPaths()) {
+ try {
+ acMgr.hasPrivileges(path, privs);
+ fail("AccessControlManager#hasPrivileges for node that doesn't exist should fail.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ for (String path : getInvalidPaths()) {
+ try {
+ acMgr.hasPrivileges(path, getPrincipals(adminSession), privs);
+ fail("AccessControlManager#hasPrivileges for node that doesn't exist should fail.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ }
+
+ @Test
+ public void testHasPrivilegesAccessControlledNodePath() throws Exception {
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+ for (String path : getAcContentPaths()) {
+ assertTrue(acMgr.hasPrivileges(path, privs));
+ assertTrue(acMgr.hasPrivileges(path, getPrincipals(adminSession), privs));
+ }
+ }
+
+ /**
+ * @since OAK 1.0 As of OAK AccessControlManager#hasPrivilege will throw
+ * PathNotFoundException in case the node associated with a given path is
+ * not readable to the editing session.
+ */
+ @Test
+ public void testHasPrivilegesNotAccessiblePath() throws Exception {
+ List<String> notAccessible = new ArrayList();
+ notAccessible.add("/");
+ notAccessible.addAll(getAcContentPaths());
+
+ Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+ AccessControlManagerImpl testAcMgr = getTestAccessControlManager();
+ for (String path : notAccessible) {
+ try {
+ testAcMgr.hasPrivileges(path, privs);
+ fail("AccessControlManager#hasPrivileges for node that is not accessible should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+ for (String path : notAccessible) {
+ try {
+ testAcMgr.hasPrivileges(path, getPrincipals(getTestRoot().getContentSession()), privs);
+ fail("AccessControlManager#hasPrivileges for node that is not accessible should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+ }
+
+ @Test
+ public void testTestSessionHasPrivileges() throws Exception {
+ setupPolicy(testPath);
+ root.commit();
+
+ AccessControlManagerImpl testAcMgr = getTestAccessControlManager();
+
+ // granted privileges
+ List<Privilege[]> granted = new ArrayList<Privilege[]>();
+ granted.add(privilegesFromNames(PrivilegeConstants.JCR_READ));
+ granted.add(privilegesFromNames(PrivilegeConstants.REP_READ_NODES));
+ granted.add(privilegesFromNames(PrivilegeConstants.REP_READ_PROPERTIES));
+ granted.add(privilegesFromNames(PrivilegeConstants.JCR_ADD_CHILD_NODES));
+ granted.add(testPrivileges);
+
+ for (Privilege[] privileges : granted) {
+ assertTrue(testAcMgr.hasPrivileges(testPath, privileges));
+ assertTrue(testAcMgr.hasPrivileges(testPath, getPrincipals(getTestRoot().getContentSession()), privileges));
+ }
+
+ // denied privileges
+ List<Privilege[]> denied = new ArrayList<Privilege[]>();
+ denied.add(privilegesFromNames(PrivilegeConstants.JCR_ALL));
+ denied.add(privilegesFromNames(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ denied.add(privilegesFromNames(PrivilegeConstants.JCR_WRITE));
+ denied.add(privilegesFromNames(PrivilegeConstants.JCR_LOCK_MANAGEMENT));
+
+ for (Privilege[] privileges : denied) {
+ assertFalse(testAcMgr.hasPrivileges(testPath, privileges));
+ assertFalse(testAcMgr.hasPrivileges(testPath, getPrincipals(getTestRoot().getContentSession()), privileges));
+ }
+ }
+
+ @Test
+ public void testTestSessionHasPrivilegesForPrincipals() throws Exception {
+ setupPolicy(testPath);
+ root.commit();
+
+ AccessControlManagerImpl testAcMgr = getTestAccessControlManager();
+ // but for 'admin' the test-session doesn't have sufficient privileges
+ try {
+ testAcMgr.getPrivileges(testPath, getPrincipals(adminSession));
+ fail("testSession doesn't have sufficient permission to read access control information at testPath");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testHasRepoPrivileges() throws Exception {
+ assertTrue(acMgr.hasPrivileges(null, privilegesFromNames(PrivilegeConstants.JCR_ALL)));
+ assertTrue(acMgr.hasPrivileges(null, getPrincipals(adminSession), privilegesFromNames(PrivilegeConstants.JCR_ALL)));
+ }
+
+ @Test
+ public void testTestSessionHasRepoPrivileges() throws Exception {
+ AccessControlManagerImpl testAcMgr = getTestAccessControlManager();
+
+ assertFalse(testAcMgr.hasPrivileges(null, testPrivileges));
+ assertFalse(testAcMgr.hasPrivileges(null, getPrincipals(getTestRoot().getContentSession()), testPrivileges));
+
+ // but for 'admin' the test-session doesn't have sufficient privileges
+ try {
+ testAcMgr.getPrivileges(null, getPrincipals(adminSession));
+ fail("testSession doesn't have sufficient permission to read access control information");
+ } catch (AccessDeniedException e) {
+ // success
+ }
}
//------------------------------------------------------< getPrivileges >---
@Test
- public void testGetPrivileges() throws Exception {
- // TODO
+ public void testGetPrivilegesForPropertyPath() throws Exception {
+ String propertyPath = "/jcr:primaryType";
+ try {
+ acMgr.getPrivileges(propertyPath);
+ fail("AccessControlManager#getPrivileges for property should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+
+ try {
+ acMgr.getPrivileges(propertyPath, Collections.singleton(testPrincipal));
+ fail("AccessControlManager#getPrivileges for property should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesNonExistingNodePath() throws Exception {
+ String nonExistingPath = "/not/existing";
+ try {
+ acMgr.getPrivileges(nonExistingPath);
+ fail("AccessControlManager#getPrivileges for node that doesn't exist should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+
+ try {
+ acMgr.getPrivileges(nonExistingPath, Collections.singleton(testPrincipal));
+ fail("AccessControlManager#getPrivileges for node that doesn't exist should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesInvalidPaths() throws Exception {
+ for (String path : getInvalidPaths()) {
+ try {
+ acMgr.getPrivileges(path);
+ fail("AccessControlManager#getPrivileges for node that doesn't exist should fail.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+
+ for (String path : getInvalidPaths()) {
+ try {
+ acMgr.getPrivileges(path, Collections.singleton(testPrincipal));
+ fail("AccessControlManager#getPrivileges for node that doesn't exist should fail.");
+ } catch (RepositoryException e) {
+ // success
+ }
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesAccessControlledNodePath() throws Exception {
+ Privilege[] expected = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+ for (String path : getAcContentPaths()) {
+ assertArrayEquals(expected, acMgr.getPrivileges(path));
+ assertArrayEquals(expected, acMgr.getPrivileges(path, getPrincipals(adminSession)));
+ }
+ }
+
+ /**
+ * @since OAK 1.0 As of OAK AccessControlManager#hasPrivilege will throw
+ * PathNotFoundException in case the node associated with a given path is
+ * not readable to the editing session.
+ */
+ @Test
+ public void testGetPrivilegesNotAccessiblePath() throws Exception {
+ List<String> notAccessible = new ArrayList();
+ notAccessible.add("/");
+ notAccessible.addAll(getAcContentPaths());
+
+ for (String path : notAccessible) {
+ try {
+ getTestAccessControlManager().getPrivileges(path);
+ fail("AccessControlManager#getPrivileges for node that is not accessible should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+
+ for (String path : notAccessible) {
+ try {
+ getTestAccessControlManager().getPrivileges(path, Collections.singleton(testPrincipal));
+ fail("AccessControlManager#getPrivileges for node that is not accessible should fail.");
+ } catch (PathNotFoundException e) {
+ // success
+ }
+ }
+
+ }
+
+ /**
+ * // TODO review again
+ * @since OAK 1.0 : access to privileges needs read access to the corresponding tree.
+ */
+ @Test
+ public void testTestSessionGetPrivileges() throws Exception {
+ setupPolicy(testPath);
+ root.commit();
+
+ AccessControlManagerImpl testAcMgr = getTestAccessControlManager();
+ Set<Principal> testPrincipals = getPrincipals(getTestRoot().getContentSession());
+
+ // TODO: check again...
+ try {
+ testAcMgr.getPrivileges(testPath);
+ fail("no read access to the privilege store.");
+ } catch (AccessControlException e) {
+ // success
+ }
+ try {
+ getTestAccessControlManager().getPrivileges(testPath, testPrincipals);
+ fail("no read access to the privilege store.");
+ } catch (AccessControlException e) {
+ // success
+ }
+
+ // ensure readability of the privileges
+ try {
+ setupPolicy("/jcr:system");
+ root.commit();
+
+ getTestRoot().refresh();
+
+ assertArrayEquals(new Privilege[0], testAcMgr.getPrivileges(null));
+ assertArrayEquals(new Privilege[0], testAcMgr.getPrivileges(null, testPrincipals));
+
+ Privilege[] privs = testAcMgr.getPrivileges(testPath);
+ assertEquals(ImmutableSet.copyOf(testPrivileges), ImmutableSet.copyOf(privs));
+
+ privs = testAcMgr.getPrivileges(testPath, testPrincipals);
+ assertEquals(ImmutableSet.copyOf(testPrivileges), ImmutableSet.copyOf(privs));
+
+ } finally {
+ for (AccessControlPolicy policy : acMgr.getPolicies("/jcr:system")) {
+ acMgr.removePolicy("/jcr:system", policy);
+ }
+ root.commit();
+ }
+
+ // but for 'admin' the test-session doesn't have sufficient privileges
+ try {
+ testAcMgr.getPrivileges(testPath, getPrincipals(adminSession));
+ fail("testSession doesn't have sufficient permission to read access control information at testPath");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testGetRepoPrivileges() throws Exception {
+ assertArrayEquals(privilegesFromNames(PrivilegeConstants.JCR_ALL), acMgr.getPrivileges(null));
+ }
+
+ @Test
+ public void testGetPrivilegesForPrincipals() throws Exception {
+ Set<Principal> adminPrincipals = getPrincipals(adminSession);
+ Privilege[] expected = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+ assertArrayEquals(expected, acMgr.getPrivileges("/", adminPrincipals));
+ assertArrayEquals(expected, acMgr.getPrivileges(null, adminPrincipals));
+ assertArrayEquals(expected, acMgr.getPrivileges(testPath, adminPrincipals));
+
+ setupPolicy(testPath);
+ root.commit();
+ Set<Principal> testPrincipals = Collections.singleton(testPrincipal);
+ assertArrayEquals(new Privilege[0], acMgr.getPrivileges(null, testPrincipals));
+ assertArrayEquals(new Privilege[0], acMgr.getPrivileges("/", testPrincipals));
+ assertEquals(
+ ImmutableSet.copyOf(testPrivileges),
+ ImmutableSet.copyOf(acMgr.getPrivileges(testPath, testPrincipals)));
}
//--------------------------------------< getApplicablePolicies(String) >---
@@ -436,9 +820,9 @@ public class AccessControlManagerImplTes
@Test
public void testGetApplicablePoliciesNonExistingNodePath() throws Exception {
- String propertyPath = "/not/existing";
+ String nonExistingPath = "/not/existing";
try {
- acMgr.getApplicablePolicies(propertyPath);
+ acMgr.getApplicablePolicies(nonExistingPath);
fail("Getting applicable policies for node that doesn't exist should fail.");
} catch (PathNotFoundException e) {
// success
@@ -587,9 +971,9 @@ public class AccessControlManagerImplTes
@Test
public void testGetPoliciesNonExistingNodePath() throws Exception {
- String propertyPath = "/not/existing";
+ String nonExistingPath = "/not/existing";
try {
- acMgr.getPolicies(propertyPath);
+ acMgr.getPolicies(nonExistingPath);
fail("Getting policies for node that doesn't exist should fail.");
} catch (PathNotFoundException e) {
// success
@@ -639,9 +1023,9 @@ public class AccessControlManagerImplTes
@Test
public void testGetEffectivePoliciesNonExistingNodePath() throws Exception {
- String propertyPath = "/not/existing";
+ String nonExistingPath = "/not/existing";
try {
- acMgr.getEffectivePolicies(propertyPath);
+ acMgr.getEffectivePolicies(nonExistingPath);
fail("Getting policies for node that doesn't exist should fail.");
} catch (PathNotFoundException e) {
// success