You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/10/06 18:27:37 UTC
svn commit: r1707085 [2/2] - in /jackrabbit/oak/trunk:
oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/
oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/...
Copied: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java (from r1705991, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java?p2=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java&p1=jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java&r1=1705991&r2=1707085&rev=1707085&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProviderTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderLimitedTest.java Tue Oct 6 16:27:36 2015
@@ -16,9 +16,91 @@
*/
package org.apache.jackrabbit.oak.security.authorization.composite;
-import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.junit.Test;
-public class CompositePermissionProviderTest extends AbstractSecurityTest {
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
- // TODO
+/**
+ * Test the effect of the combination of
+ *
+ * - default permission provider
+ * - custom provider that grants JCR_NAMESPACE_MANAGEMENT on repository level
+ * and REP_READ_NODES only
+ *
+ * both for the set of principals associated with the test user and with the admin session.
+ * The expected outcome is that
+ * - test user can only read nodes where this is also granted by the default provider
+ * but has no other access granted
+ * - admin user can only read nodes and register namespaces
+ */
+public class CompositeProviderLimitedTest extends AbstractCompositeProviderTest {
+
+ private CompositePermissionProvider cppTestUser;
+ private CompositePermissionProvider cppAdminUser;
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ cppTestUser = createPermissionProvider(getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
+ cppAdminUser = createPermissionProvider(root.getContentSession().getAuthInfo().getPrincipals());
+ }
+
+ @Override
+ protected AggregatedPermissionProvider getTestPermissionProvider() {
+ return new TestPermissionProvider(root, true);
+ }
+
+ @Test
+ public void testGetPrivileges() throws Exception {
+ // TODO
+ }
+
+
+ @Test
+ public void testHasPrivileges() throws Exception {
+ // TODO
+ }
+
+
+ @Test
+ public void testIsGranted() throws Exception {
+ // TODO
+ }
+
+ @Test
+ public void testIsGrantedAction() throws Exception {
+ // TODO
+ }
+
+ @Test
+ public void testRepositoryPermissionIsGranted() throws Exception {
+ RepositoryPermission rp = cppTestUser.getRepositoryPermission();
+ assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+
+ assertFalse(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ }
+
+ @Test
+ public void testRepositoryPermissionIsGrantedAdminUser() throws Exception {
+ RepositoryPermission rp = cppAdminUser.getRepositoryPermission();
+ assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+
+ assertFalse(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.PRIVILEGE_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT|Permissions.PRIVILEGE_MANAGEMENT));
+ assertFalse(rp.isGranted(Permissions.ALL));
+ }
+
+ @Test
+ public void testGetTreePermission() throws Exception {
+ // TODO
+ }
}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeReverseTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeReverseTest.java?rev=1707085&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeReverseTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeReverseTest.java Tue Oct 6 16:27:36 2015
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.composite;
+
+/**
+ * Same as {@link CompositeProviderNoScopeTest}
+ * with reverse order of the aggregated providers.
+ */
+public class CompositeProviderNoScopeReverseTest extends CompositeProviderNoScopeTest {
+
+ @Override
+ boolean reverseOrder() {
+ return true;
+ }
+}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java?rev=1707085&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderNoScopeTest.java Tue Oct 6 16:27:36 2015
@@ -0,0 +1,294 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.composite;
+
+import java.security.Principal;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Test the effect of the combination of
+ *
+ * - default permission provider
+ * - custom provider that doesn't support any permissions nowhere
+ *
+ * The tests are executed both for the set of principals associated with the test
+ * user and with the admin session.
+ * The expected outcome is that the composite provider behaves exactly like the
+ * default provider (i.e. is never respected during evaluation).
+ *
+ * While there is no real use in such a {@link AggregatedPermissionProvider}, that
+ * is never called, is is used here to verify that the composite provider doesn't
+ * introduce any regressions compared to the default provider implementation.
+ */
+public class CompositeProviderNoScopeTest extends AbstractCompositeProviderTest {
+
+ private CompositePermissionProvider cppTestUser;
+ private PermissionProvider defTestUser;
+
+ private CompositePermissionProvider cppAdminUser;
+ private PermissionProvider defAdminUser;
+
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ ContentSession cs = root.getContentSession();
+
+ Set<Principal> testPrincipals = ImmutableSet.of(getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
+ cppTestUser = createPermissionProvider(testPrincipals);
+ defTestUser = getConfig(AuthorizationConfiguration.class).getPermissionProvider(root, cs.getWorkspaceName(), testPrincipals);
+
+ Set<Principal> adminPrincipals = cs.getAuthInfo().getPrincipals();
+ cppAdminUser = createPermissionProvider(adminPrincipals);
+ defAdminUser = getConfig(AuthorizationConfiguration.class).getPermissionProvider(root, cs.getWorkspaceName(), adminPrincipals);
+ }
+
+ @Override
+ protected AggregatedPermissionProvider getTestPermissionProvider() {
+ return new NotSupportingProvider();
+ }
+
+ @Test
+ public void testGetPrivileges() throws Exception {
+ for (String p : defPrivileges.keySet()) {
+ Set<String> expected = defPrivileges.get(p);
+ Tree tree = root.getTree(p);
+
+ assertEquals(p, expected, cppTestUser.getPrivileges(tree));
+ assertEquals(p, defTestUser.getPrivileges(tree), cppTestUser.getPrivileges(tree));
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesAdmin() throws Exception {
+ Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_ALL);
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+
+ assertEquals(p, expected, cppAdminUser.getPrivileges(tree));
+ assertEquals(p, defAdminUser.getPrivileges(tree), cppAdminUser.getPrivileges(tree));
+ }
+ }
+
+ @Test
+ public void testGetPrivilegesOnRepo() throws Exception {
+ Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT);
+
+ assertEquals(expected, cppTestUser.getPrivileges(null));
+ assertEquals(defTestUser.getPrivileges(null), cppTestUser.getPrivileges(null));
+ }
+
+ @Test
+ public void testGetPrivilegesOnRepoAdmin() throws Exception {
+ Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_ALL);
+
+ assertEquals(expected, cppAdminUser.getPrivileges(null));
+ assertEquals(defAdminUser.getPrivileges(null), cppAdminUser.getPrivileges(null));
+ }
+
+
+ @Test
+ public void testHasPrivileges() throws Exception {
+ for (String p : defPrivileges.keySet()) {
+ Set<String> expected = defPrivileges.get(p);
+ Tree tree = root.getTree(p);
+
+ String[] privNames = expected.toArray(new String[expected.size()]);
+ assertTrue(p, cppTestUser.hasPrivileges(tree, privNames));
+ assertEquals(p, defTestUser.hasPrivileges(tree, privNames), cppTestUser.hasPrivileges(tree, privNames));
+ }
+ }
+
+ @Test
+ public void testHasPrivilegesAdmin() throws Exception {
+ for (String p : NODE_PATHS) {
+ Tree tree = root.getTree(p);
+
+ assertTrue(p, cppAdminUser.hasPrivileges(tree, PrivilegeConstants.JCR_ALL));
+ assertEquals(p, defAdminUser.hasPrivileges(tree, PrivilegeConstants.JCR_ALL), cppAdminUser.hasPrivileges(tree, PrivilegeConstants.JCR_ALL));
+ }
+ }
+
+ @Test
+ public void testHasPrivilegesOnRepo() throws Exception {
+ assertTrue(cppTestUser.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertEquals(
+ defTestUser.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT),
+ cppTestUser.hasPrivileges(null, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT, PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT));
+
+ assertTrue(cppTestUser.hasPrivileges(null));
+ assertEquals(
+ defTestUser.hasPrivileges(null),
+ cppTestUser.hasPrivileges(null));
+ }
+
+ @Test
+ public void testHasPrivilegeOnRepoAdminUser() throws Exception {
+ assertTrue(cppAdminUser.hasPrivileges(null, PrivilegeConstants.JCR_ALL));
+ assertEquals(
+ defAdminUser.hasPrivileges(null, PrivilegeConstants.JCR_ALL),
+ cppAdminUser.hasPrivileges(null, PrivilegeConstants.JCR_ALL));
+
+ assertTrue(cppAdminUser.hasPrivileges(null));
+ assertEquals(
+ defAdminUser.hasPrivileges(null),
+ cppAdminUser.hasPrivileges(null));
+ }
+
+
+ @Test
+ public void testIsGranted() throws Exception {
+ for (String p : defPermissions.keySet()) {
+ long expected = defPermissions.get(p);
+ Tree tree = root.getTree(p);
+
+ assertTrue(p, cppTestUser.isGranted(tree, null, expected));
+ assertEquals(p, defTestUser.isGranted(tree, null, expected), cppTestUser.isGranted(tree, null, expected));
+ }
+ }
+
+ @Test
+ public void testIsGrantedAdmin() throws Exception {
+ for (String p : defPermissions.keySet()) {
+ Tree tree = root.getTree(p);
+
+ assertTrue(p, cppAdminUser.isGranted(tree, null, Permissions.ALL));
+ assertEquals(p, defAdminUser.isGranted(tree, null, Permissions.ALL), cppAdminUser.isGranted(tree, null, Permissions.ALL));
+ }
+ }
+
+ @Test
+ public void testIsGrantedProperty() throws Exception {
+ // TODO
+ }
+
+ @Test
+ public void testIsGrantedAction() throws Exception {
+ // TODO
+ }
+
+ @Test
+ public void testRepositoryPermissionIsGranted() throws Exception {
+ RepositoryPermission rp = cppTestUser.getRepositoryPermission();
+
+ assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+ assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ }
+
+ @Test
+ public void testRepositoryPermissionIsGrantedAdminUser() throws Exception {
+ RepositoryPermission rp = cppAdminUser.getRepositoryPermission();
+
+ assertTrue(rp.isGranted(Permissions.ALL));
+ }
+
+ @Test
+ public void testGetTreePermission() throws Exception {
+ // TODO
+ }
+
+ private static final class NotSupportingProvider implements AggregatedPermissionProvider {
+
+ @Nonnull
+ @Override
+ public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) {
+ return PrivilegeBits.EMPTY;
+ }
+
+ @Override
+ public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions) {
+ return Permissions.NO_PERMISSION;
+ }
+
+ @Override
+ public long supportedPermissions(@Nonnull TreeLocation location, long permissions) {
+ return Permissions.NO_PERMISSION;
+ }
+
+ @Override
+ public long supportedPermissions(@Nonnull TreePermission treePermission, long permissions) {
+ return Permissions.NO_PERMISSION;
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull TreeLocation location, long permissions) {
+ throw new UnsupportedOperationException("should never get here");
+ }
+
+ @Override
+ public void refresh() {
+ // nop
+ }
+
+ @Nonnull
+ @Override
+ public Set<String> getPrivileges(@Nullable Tree tree) {
+ throw new UnsupportedOperationException("should never get here");
+ }
+
+ @Override
+ public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) {
+ throw new UnsupportedOperationException("should never get here");
+ }
+
+ @Nonnull
+ @Override
+ public RepositoryPermission getRepositoryPermission() {
+ throw new UnsupportedOperationException("should never get here");
+ }
+
+ @Nonnull
+ @Override
+ public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) {
+ // TODO: fix such that this is no required
+ return TreePermission.EMPTY;
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) {
+ throw new UnsupportedOperationException("should never get here");
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) {
+ throw new UnsupportedOperationException("should never get here");
+ }
+ }
+}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeReverseTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeReverseTest.java?rev=1707085&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeReverseTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeReverseTest.java Tue Oct 6 16:27:36 2015
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.composite;
+
+/**
+ * Same as {@link CompositeProviderScopeTest}
+ * with reverse order of the aggregated providers.
+ */
+public class CompositeProviderScopeReverseTest extends CompositeProviderScopeTest {
+
+ @Override
+ boolean reverseOrder() {
+ return true;
+ }
+}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java?rev=1707085&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeProviderScopeTest.java Tue Oct 6 16:27:36 2015
@@ -0,0 +1,114 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.composite;
+
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.junit.Test;
+
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Test the effect of the combination of
+ *
+ * - default permission provider
+ * - custom provider that only supports namespace-management permission on repository level
+ * and within the regular tree only supports permission evaluation of a limited
+ * set of permissions (write) below {@link #TEST_CHILD_PATH}.
+ *
+ * The tests are executed both for the set of principals associated with the test
+ * user and with the admin session.
+ * The expected outcome is that
+ * - the custom provider only takes effect below {@link #TEST_CHILD_PATH} and
+ * only for the supported permissions (read-nodes only).
+ * - admin user has full access except for read-node-access below {@link #TEST_CHILD_PATH}
+ * where the custom provider impacts the evaluation.
+ */
+public class CompositeProviderScopeTest extends AbstractCompositeProviderTest {
+
+ private CompositePermissionProvider cppTestUser;
+ private CompositePermissionProvider cppAdminUser;
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+
+ cppTestUser = createPermissionProvider(getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
+ cppAdminUser = createPermissionProvider(root.getContentSession().getAuthInfo().getPrincipals());
+ }
+
+ @Override
+ protected AggregatedPermissionProvider getTestPermissionProvider() {
+ return new TestPermissionProvider(root, false);
+ }
+
+ @Test
+ public void testGetPrivileges() throws Exception {
+ // TODO
+ }
+
+
+ @Test
+ public void testHasPrivileges() throws Exception {
+ // TODO
+ }
+
+
+ @Test
+ public void testIsGranted() throws Exception {
+ // TODO
+ }
+
+ @Test
+ public void testIsGrantedProperty() throws Exception {
+ // TODO
+ }
+
+ @Test
+ public void testIsGrantedAction() throws Exception {
+ // TODO
+ }
+
+ @Test
+ public void testRepositoryPermissionIsGranted() throws Exception {
+ RepositoryPermission rp = cppTestUser.getRepositoryPermission();
+
+ assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+ assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ }
+
+ @Test
+ public void testRepositoryPermissionIsGrantedAdminUser() throws Exception {
+ RepositoryPermission rp = cppAdminUser.getRepositoryPermission();
+
+ assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT));
+ assertTrue(rp.isGranted(Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+ assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT | Permissions.NODE_TYPE_DEFINITION_MANAGEMENT));
+
+ assertTrue(rp.isGranted(Permissions.PRIVILEGE_MANAGEMENT));
+ assertTrue(rp.isGranted(Permissions.NAMESPACE_MANAGEMENT|Permissions.PRIVILEGE_MANAGEMENT));
+ assertTrue(rp.isGranted(Permissions.ALL));
+ }
+
+ @Test
+ public void testGetTreePermission() throws Exception {
+ // TODO
+ }
+}
\ No newline at end of file
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java?rev=1707085&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/TestPermissionProvider.java Tue Oct 6 16:27:36 2015
@@ -0,0 +1,255 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.composite;
+
+import java.util.Arrays;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.jcr.Session;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
+import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.spi.state.NodeState;
+import org.apache.jackrabbit.util.Text;
+
+/**
+ * Test implementation of the {@code AggregatedPermissionProvider} with following
+ * characteristics:
+ *
+ * If {@code supportsAll} is {@code true} this provider supports all permissions
+ * but only grants {@link Permissions#NAMESPACE_MANAGEMENT} on repository level
+ * and {@link Permissions#READ_NODE} on regular items.
+ * In this case the provider will always be respected for evaluation and will
+ * therefore cause the final result to be always restricted to the permissions
+ * granted by this provider.
+ *
+ * If {@code supportsAll} is {@code false} this provider supports
+ * - {@link Permissions#NAMESPACE_MANAGEMENT} on repository level
+ * - {@link Permissions#READ_NODE} at the tree defined by {@link AbstractCompositeProviderTest#TEST_A_PATH}
+ * - {@link Permissions#NO_PERMISSION} everywhere else.
+ * The permissions granted are the same as above. Due to the limited scope
+ * however, the provider will in this case only respected for evaluation at
+ * the supported paths (and at the repo level). The final result will restricted
+ * to the permissions granted by this provider at the supported paths. For all
+ * other paths the access limitations of this provider have no effect.
+ */
+class TestPermissionProvider implements AggregatedPermissionProvider {
+
+ private final Root root;
+ private final boolean supportsAll;
+
+ TestPermissionProvider(@Nonnull Root root, boolean supportsAll) {
+ this.root = root;
+ this.supportsAll = supportsAll;
+ }
+
+ //-------------------------------------------------< PermissionProvider >---
+ @Override
+ public void refresh() {
+ //nop
+ }
+
+ @Nonnull
+ @Override
+ public Set<String> getPrivileges(@Nullable Tree tree) {
+ if (tree == null) {
+ return ImmutableSet.of(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+ } else if (isSupported(tree)) {
+ return ImmutableSet.of(PrivilegeConstants.REP_READ_NODES);
+ } else {
+ return ImmutableSet.of();
+ }
+
+ }
+
+ @Override
+ public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... privilegeNames) {
+ if (tree == null) {
+ return Arrays.equals(new String[]{PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT}, privilegeNames);
+ } else if (isSupported(tree)) {
+ return Arrays.equals(new String[]{PrivilegeConstants.REP_READ_NODES}, privilegeNames);
+ } else {
+ return false;
+ }
+ }
+
+ @Nonnull
+ @Override
+ public RepositoryPermission getRepositoryPermission() {
+ return new RepositoryPermission() {
+ @Override
+ public boolean isGranted(long repositoryPermissions) {
+ return Permissions.NAMESPACE_MANAGEMENT == repositoryPermissions;
+ }
+ };
+ }
+
+ @Nonnull
+ @Override
+ public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission parentPermission) {
+ return (isSupported(tree)) ? new TestTreePermission(tree.getPath()) : TreePermission.EMPTY;
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState property, long permissions) {
+ return isSupported(tree) && property == null && permissions == Permissions.READ_NODE;
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull String oakPath, @Nonnull String jcrActions) {
+ Tree tree = root.getTree(oakPath);
+ return tree.exists() && isSupported(tree) && Session.ACTION_READ.equals(jcrActions);
+ }
+
+ //---------------------------------------< AggregatedPermissionProvider >---
+ @Nonnull
+ @Override
+ public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) {
+ if (supportsAll) {
+ return (privilegeBits == null) ? new PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL) : privilegeBits;
+ } else {
+ PrivilegeBits supported;
+ if (tree == null) {
+ supported = PrivilegeBits.BUILT_IN.get(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+ } else if (isSupportedPath(tree.getPath())) {
+ supported = PrivilegeBits.BUILT_IN.get(PrivilegeConstants.REP_READ_NODES);
+ } else {
+ supported = PrivilegeBits.EMPTY;
+ }
+
+ if (privilegeBits != null && !supported.isEmpty()) {
+ return PrivilegeBits.getInstance(privilegeBits).retain(supported);
+ } else {
+ return supported;
+ }
+ }
+ }
+
+ @Override
+ public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState property, long permissions) {
+ if (supportsAll) {
+ return permissions;
+ } else {
+ if (tree == null) {
+ return permissions & Permissions.NAMESPACE_MANAGEMENT;
+ } else if (isSupportedPath(tree.getPath())) {
+ return permissions & Permissions.READ_NODE;
+ } else {
+ return Permissions.NO_PERMISSION;
+ }
+ }
+ }
+
+ @Override
+ public long supportedPermissions(@Nonnull TreeLocation location, long permissions) {
+ if (supportsAll) {
+ return permissions;
+ } else if (isSupportedPath(location.getPath())) {
+ return permissions & Permissions.READ_NODE;
+ } else {
+ return Permissions.NO_PERMISSION;
+ }
+ }
+
+ @Override
+ public long supportedPermissions(@Nonnull TreePermission treePermission, long permissions) {
+ if (supportsAll) {
+ return permissions;
+ } else if (isSupportedPath(((TestTreePermission) treePermission).path)) {
+ return permissions & Permissions.READ_NODE;
+ } else {
+ return Permissions.NO_PERMISSION;
+ }
+ }
+
+ @Override
+ public boolean isGranted(@Nonnull TreeLocation location, long permissions) {
+ if (supportsAll) {
+ return permissions == Permissions.READ_NODE;
+ } else if (isSupportedPath(location.getPath())) {
+ return permissions == Permissions.READ_NODE;
+ } else {
+ return false;
+ }
+ }
+
+ //--------------------------------------------------------------------------
+ private boolean isSupported(@Nonnull Tree tree) {
+ return supportsAll || isSupportedPath(tree.getPath());
+ }
+
+ private boolean isSupportedPath(@Nonnull String path) {
+ return Text.isDescendantOrEqual(AbstractCompositeProviderTest.TEST_A_PATH, path);
+ }
+
+ private final class TestTreePermission implements TreePermission {
+
+ private final String path;
+
+ private TestTreePermission(@Nonnull String path) {
+ this.path = path;
+ }
+
+ @Nonnull
+ @Override
+ public TreePermission getChildPermission(@Nonnull String childName, @Nonnull NodeState childState) {
+ return new TestTreePermission(PathUtils.concat(path, childName));
+ }
+
+ @Override
+ public boolean canRead() {
+ return true;
+ }
+
+ @Override
+ public boolean canRead(@Nonnull PropertyState property) {
+ return false;
+ }
+
+ @Override
+ public boolean canReadAll() {
+ return false;
+ }
+
+ @Override
+ public boolean canReadProperties() {
+ return false;
+ }
+
+ @Override
+ public boolean isGranted(long permissions) {
+ return Permissions.READ_NODE == permissions;
+ }
+
+ @Override
+ public boolean isGranted(long permissions, @Nonnull PropertyState property) {
+ return false;
+ }
+ }
+}
\ No newline at end of file