You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by an...@apache.org on 2008/08/27 17:12:07 UTC
svn commit: r689499 [9/11] - in /jackrabbit/trunk:
jackrabbit-api/src/main/java/org/apache/jackrabbit/api/jsr283/
jackrabbit-api/src/main/java/org/apache/jackrabbit/api/jsr283/retention/
jackrabbit-api/src/main/java/org/apache/jackrabbit/api/jsr283/sec...
Added: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java?rev=689499&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java Wed Aug 27 08:12:04 2008
@@ -0,0 +1,260 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import org.apache.jackrabbit.api.jsr283.security.AccessControlEntry;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
+import org.apache.jackrabbit.api.jsr283.security.Privilege;
+import org.apache.jackrabbit.api.jsr283.security.AbstractAccessControlTest;
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
+import org.apache.jackrabbit.test.NotExecutableException;
+import org.apache.jackrabbit.core.security.TestPrincipal;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import java.security.Principal;
+import java.util.Collections;
+
+/**
+ * <code>AbstractACLTemplateTest</code>...
+ */
+public abstract class AbstractACLTemplateTest extends AbstractAccessControlTest {
+
+ protected Principal testPrincipal;
+ protected PrincipalManager pMgr;
+
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ if (!(superuser instanceof JackrabbitSession)) {
+ throw new NotExecutableException();
+ }
+
+ pMgr = ((JackrabbitSession) superuser).getPrincipalManager();
+ PrincipalIterator it = pMgr.getPrincipals(PrincipalManager.SEARCH_TYPE_NOT_GROUP);
+ if (it.hasNext()) {
+ testPrincipal = it.nextPrincipal();
+ } else {
+ throw new NotExecutableException();
+ }
+ }
+
+ protected static void assertSamePrivileges(Privilege[] privs1, Privilege[] privs2) throws AccessControlException {
+ assertEquals(PrivilegeRegistry.getBits(privs1), PrivilegeRegistry.getBits(privs2));
+ }
+
+ protected abstract String getTestPath();
+
+ protected abstract JackrabbitAccessControlList createEmptyTemplate(String path) throws RepositoryException;
+
+ public void testEmptyTemplate() throws RepositoryException {
+ JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+
+ assertNotNull(pt.getAccessControlEntries());
+ assertTrue(pt.getAccessControlEntries().length == 0);
+ assertTrue(pt.size() == pt.getAccessControlEntries().length);
+ assertTrue(pt.isEmpty());
+ }
+
+ public void testGetPath() throws RepositoryException {
+ JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+ assertEquals(getTestPath(), pt.getPath());
+ }
+
+ public void testAddInvalidEntry() throws RepositoryException, NotExecutableException {
+ Principal unknownPrincipal;
+ if (!pMgr.hasPrincipal("an unknown principal")) {
+ unknownPrincipal = new TestPrincipal("an unknown principal");
+ } else {
+ throw new NotExecutableException();
+ }
+ JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+ try {
+ pt.addAccessControlEntry(unknownPrincipal, privilegesFromName(Privilege.JCR_READ));
+ fail("Adding an ACE with an unknown principal should fail");
+ } catch (AccessControlException e) {
+ // success
+ }
+ }
+
+ public void testAddInvalidEntry2() throws RepositoryException {
+ JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+ try {
+ pt.addAccessControlEntry(testPrincipal, new Privilege[0]);
+ fail("Adding an ACE with invalid privileges should fail");
+ } catch (AccessControlException e) {
+ // success
+ }
+ }
+
+ public void testRemoveInvalidEntry() throws RepositoryException {
+ JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+ try {
+ pt.removeAccessControlEntry(new JackrabbitAccessControlEntry() {
+ public boolean isAllow() {
+ return false;
+ }
+ public int getPrivilegeBits() {
+ return PrivilegeRegistry.READ;
+ }
+ public String[] getRestrictionNames() {
+ return new String[0];
+ }
+ public Value getRestriction(String restrictionName) {
+ return null;
+ }
+ public Principal getPrincipal() {
+ return testPrincipal;
+ }
+
+ public Privilege[] getPrivileges() {
+ try {
+ return privilegesFromName(Privilege.JCR_READ);
+ } catch (Exception e) {
+ return new Privilege[0];
+ }
+ }
+ });
+ fail("Passing an unknown ACE should fail");
+ } catch (AccessControlException e) {
+ // success
+ }
+ }
+
+ public void testRemoveInvalidEntry2() throws RepositoryException {
+ JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+ try {
+ pt.removeAccessControlEntry(new JackrabbitAccessControlEntry() {
+ public boolean isAllow() {
+ return false;
+ }
+ public int getPrivilegeBits() {
+ return 0;
+ }
+ public String[] getRestrictionNames() {
+ return new String[0];
+ }
+ public Value getRestriction(String restrictionName) {
+ return null;
+ }
+ public Principal getPrincipal() {
+ return testPrincipal;
+ }
+ public Privilege[] getPrivileges() {
+ return new Privilege[0];
+ }
+ });
+ fail("Passing a ACE with invalid privileges should fail");
+ } catch (AccessControlException e) {
+ // success
+ }
+ }
+
+ public void testAddEntry() throws RepositoryException, NotExecutableException {
+ JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+ Privilege[] privs = privilegesFromName(Privilege.JCR_READ);
+ assertTrue(pt.addEntry(testPrincipal, privs, true, Collections.EMPTY_MAP));
+ }
+
+ public void testAddEntryTwice() throws RepositoryException, NotExecutableException {
+ JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+ Privilege[] privs = privilegesFromName(Privilege.JCR_READ);
+
+ pt.addEntry(testPrincipal, privs, true, Collections.EMPTY_MAP);
+ assertFalse(pt.addEntry(testPrincipal, privs, true, Collections.EMPTY_MAP));
+ }
+
+ public void testEffect() throws RepositoryException, NotExecutableException {
+ JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+ pt.addAccessControlEntry(testPrincipal, privilegesFromName(Privilege.JCR_READ));
+
+ // add deny entry for mod_props
+ assertTrue(pt.addEntry(testPrincipal, privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES),
+ false, null));
+
+ // test net-effect
+ int allows = PrivilegeRegistry.NO_PRIVILEGE;
+ int denies = PrivilegeRegistry.NO_PRIVILEGE;
+ AccessControlEntry[] entries = pt.getAccessControlEntries();
+ for (int i = 0; i < entries.length; i++) {
+ AccessControlEntry ace = entries[i];
+ if (testPrincipal.equals(ace.getPrincipal()) && ace instanceof JackrabbitAccessControlEntry) {
+ int entryBits = ((JackrabbitAccessControlEntry) ace).getPrivilegeBits();
+ if (((JackrabbitAccessControlEntry) ace).isAllow()) {
+ allows |= Permission.diff(entryBits, denies);
+ } else {
+ denies |= Permission.diff(entryBits, allows);
+ }
+ }
+ }
+ assertEquals(PrivilegeRegistry.READ, allows);
+ assertEquals(PrivilegeRegistry.MODIFY_PROPERTIES, denies);
+ }
+
+ public void testEffect2() throws RepositoryException, NotExecutableException {
+ JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+ pt.addEntry(testPrincipal, privilegesFromName(Privilege.JCR_READ), true, Collections.EMPTY_MAP);
+
+ // same entry but with revers 'isAllow' flag
+ assertTrue(pt.addEntry(testPrincipal, privilegesFromName(Privilege.JCR_READ), false, Collections.EMPTY_MAP));
+
+ // test net-effect
+ int allows = PrivilegeRegistry.NO_PRIVILEGE;
+ int denies = PrivilegeRegistry.NO_PRIVILEGE;
+ AccessControlEntry[] entries = pt.getAccessControlEntries();
+ for (int i = 0; i < entries.length; i++) {
+ AccessControlEntry ace = entries[i];
+ if (testPrincipal.equals(ace.getPrincipal()) && ace instanceof JackrabbitAccessControlEntry) {
+ int entryBits = ((JackrabbitAccessControlEntry) ace).getPrivilegeBits();
+ if (((JackrabbitAccessControlEntry) ace).isAllow()) {
+ allows |= Permission.diff(entryBits, denies);
+ } else {
+ denies |= Permission.diff(entryBits, allows);
+ }
+ }
+ }
+
+ assertEquals(PrivilegeRegistry.NO_PRIVILEGE, allows);
+ assertEquals(PrivilegeRegistry.READ, denies);
+ }
+
+ public void testRemoveEntry() throws RepositoryException,
+ NotExecutableException {
+ JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+ pt.addAccessControlEntry(testPrincipal, privilegesFromName(Privilege.JCR_READ));
+ pt.removeAccessControlEntry(pt.getAccessControlEntries()[0]);
+ }
+
+ public void testRemoveNonExisting() throws RepositoryException {
+ JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+ try {
+ pt.removeAccessControlEntry(new AccessControlEntry() {
+ public Principal getPrincipal() {
+ return testPrincipal;
+ }
+ public Privilege[] getPrivileges() {
+ return new Privilege[0];
+ }
+ });
+ fail("Attemt to remove a non-existing, custom ACE must throw AccessControlException.");
+ } catch (AccessControlException e) {
+ // success
+ }
+ }
+}
\ No newline at end of file
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
------------------------------------------------------------------------------
svn:keywords = author date id revision url
Added: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java?rev=689499&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java Wed Aug 27 08:12:04 2008
@@ -0,0 +1,234 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import org.apache.jackrabbit.api.jsr283.security.Privilege;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
+import org.apache.jackrabbit.api.jsr283.security.AbstractAccessControlTest;
+import org.apache.jackrabbit.test.NotExecutableException;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Iterator;
+import java.util.List;
+
+/**
+ * <code>AbstractEntryTest</code>...
+ */
+public abstract class AbstractEntryTest extends AbstractAccessControlTest {
+
+ protected Principal testPrincipal;
+
+ protected void setUp() throws Exception {
+ super.setUp();
+ testPrincipal = new Principal() {
+ public String getName() {
+ return "TestPrincipal";
+ }
+ };
+ }
+
+ protected JackrabbitAccessControlEntry createEntry(String[] privilegeNames, boolean isAllow)
+ throws RepositoryException, NotExecutableException {
+ Privilege[] privs = privilegesFromNames(privilegeNames);
+ return createEntry(testPrincipal, privs, isAllow);
+ }
+
+ protected abstract JackrabbitAccessControlEntry createEntry(Principal principal, Privilege[] privileges, boolean isAllow)
+ throws RepositoryException;
+
+ public void testIsAllow() throws RepositoryException, NotExecutableException {
+ JackrabbitAccessControlEntry tmpl = createEntry(new String[] {Privilege.JCR_READ}, true);
+ assertTrue(tmpl.isAllow());
+
+ tmpl = createEntry(new String[] {Privilege.JCR_READ}, false);
+ assertFalse(tmpl.isAllow());
+ }
+
+ public void testGetPrincipal() throws RepositoryException, NotExecutableException {
+ JackrabbitAccessControlEntry tmpl = createEntry(new String[] {Privilege.JCR_READ}, true);
+ assertNotNull(tmpl.getPrincipal());
+ assertEquals(testPrincipal.getName(), tmpl.getPrincipal().getName());
+ assertSame(testPrincipal, tmpl.getPrincipal());
+ }
+
+ public void testGetPrivilegeBits() throws RepositoryException, NotExecutableException {
+ JackrabbitAccessControlEntry tmpl = createEntry(new String[] {Privilege.JCR_READ}, true);
+
+ int privs = tmpl.getPrivilegeBits();
+ assertTrue(privs == PrivilegeRegistry.READ);
+
+ tmpl = createEntry(new String[] {Privilege.JCR_WRITE}, true);
+ privs = tmpl.getPrivilegeBits();
+ assertTrue(privs == PrivilegeRegistry.WRITE);
+ }
+
+ public void testGetPrivileges() throws RepositoryException, NotExecutableException {
+ JackrabbitAccessControlEntry entry = createEntry(new String[] {Privilege.JCR_READ}, true);
+
+ Privilege[] privs = entry.getPrivileges();
+ assertNotNull(privs);
+ assertEquals(1, privs.length);
+ assertEquals(privs[0], acMgr.privilegeFromName(Privilege.JCR_READ));
+ assertTrue(PrivilegeRegistry.getBits(privs) == entry.getPrivilegeBits());
+
+ entry = createEntry(new String[] {Privilege.JCR_WRITE}, true);
+ privs = entry.getPrivileges();
+ assertNotNull(privs);
+ assertEquals(1, privs.length);
+ assertEquals(privs[0], acMgr.privilegeFromName(Privilege.JCR_WRITE));
+ assertTrue(PrivilegeRegistry.getBits(privs) == entry.getPrivilegeBits());
+
+ entry = createEntry(new String[] {Privilege.JCR_ADD_CHILD_NODES,
+ Privilege.JCR_REMOVE_CHILD_NODES}, true);
+ privs = entry.getPrivileges();
+ assertNotNull(privs);
+ assertEquals(2, privs.length);
+
+ Privilege[] param = privilegesFromNames(new String[] {
+ Privilege.JCR_ADD_CHILD_NODES,
+ Privilege.JCR_REMOVE_CHILD_NODES
+ });
+ assertEquals(Arrays.asList(param), Arrays.asList(privs));
+ assertEquals(PrivilegeRegistry.getBits(privs), entry.getPrivilegeBits());
+ }
+
+ public void testEquals() throws RepositoryException, NotExecutableException {
+
+ JackrabbitAccessControlEntry ace = createEntry(new String[] {Privilege.JCR_ALL}, true);
+ List equalAces = new ArrayList();
+ equalAces.add(createEntry(new String[] {Privilege.JCR_ALL}, true));
+
+ Privilege[] privs = acMgr.privilegeFromName(Privilege.JCR_ALL).getDeclaredAggregatePrivileges();
+ equalAces.add(createEntry(testPrincipal, privs, true));
+
+ privs = acMgr.privilegeFromName(Privilege.JCR_ALL).getAggregatePrivileges();
+ equalAces.add(createEntry(testPrincipal, privs, true));
+
+ for (Iterator it = equalAces.iterator(); it.hasNext();) {
+ assertEquals(ace, it.next());
+ }
+ }
+
+ public void testNotEquals() throws RepositoryException, NotExecutableException {
+ JackrabbitAccessControlEntry ace = createEntry(new String[] {Privilege.JCR_ALL}, true);
+ List otherAces = new ArrayList();
+
+ try {
+ // ACE template with different principal
+ Principal princ = new Principal() {
+ public String getName() {
+ return "a name";
+ }
+ };
+ Privilege[] privs = new Privilege[] {
+ acMgr.privilegeFromName(Privilege.JCR_ALL)
+ };
+ otherAces.add(createEntry(princ, privs, true));
+ } catch (RepositoryException e) {
+ }
+
+ // ACE template with different privileges
+ try {
+ otherAces.add(createEntry(new String[] {Privilege.JCR_READ}, true));
+ } catch (RepositoryException e) {
+ }
+ // ACE template with different 'allow' flag
+ try {
+ otherAces.add(createEntry(new String[] {Privilege.JCR_ALL}, false));
+ } catch (RepositoryException e) {
+ }
+ // ACE template with different privileges and 'allows
+ try {
+ otherAces.add(createEntry(new String[] {Privilege.JCR_WRITE}, false));
+ } catch (RepositoryException e) {
+ }
+
+ // other ace impl
+ final Privilege[] privs = new Privilege[] {
+ acMgr.privilegeFromName(Privilege.JCR_ALL)
+ };
+ JackrabbitAccessControlEntry pe = new JackrabbitAccessControlEntry() {
+ public boolean isAllow() {
+ return true;
+ }
+ public int getPrivilegeBits() {
+ return PrivilegeRegistry.ALL;
+ }
+ public String[] getRestrictionNames() {
+ return new String[0];
+ }
+ public Value getRestriction(String restrictionName) {
+ return null;
+ }
+ public Principal getPrincipal() {
+ return testPrincipal;
+ }
+ public Privilege[] getPrivileges() {
+ return privs;
+ }
+ };
+ otherAces.add(pe);
+
+ for (Iterator it = otherAces.iterator(); it.hasNext();) {
+ assertFalse(ace.equals(it.next()));
+ }
+ }
+
+ public void testNullPrincipal() throws RepositoryException {
+ try {
+ Privilege[] privs = new Privilege[] {
+ acMgr.privilegeFromName(Privilege.JCR_ALL)
+ };
+ createEntry(null, privs, true);
+ fail("Principal must not be null");
+ } catch (IllegalArgumentException e) {
+ // success
+ }
+ }
+
+ public void testInvalidPrivilege() throws RepositoryException,
+ NotExecutableException {
+ Privilege invalidPriv = new Privilege() {
+ public String getName() {
+ return "";
+ }
+ public boolean isAbstract() {
+ return false;
+ }
+ public boolean isAggregate() {
+ return false;
+ }
+ public Privilege[] getDeclaredAggregatePrivileges() {
+ return new Privilege[0];
+ }
+ public Privilege[] getAggregatePrivileges() {
+ return new Privilege[0];
+ }
+ };
+ try {
+ Privilege[] privs = new Privilege[] {invalidPriv, privilegesFromName(Privilege.JCR_READ)[0]};
+ createEntry(testPrincipal, privs, true);
+ fail("Principal must not be null");
+ } catch (AccessControlException e) {
+ // success
+ }
+ }
+}
\ No newline at end of file
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java
------------------------------------------------------------------------------
svn:keywords = author date id revision url
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java?rev=689499&r1=689498&r2=689499&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java Wed Aug 27 08:12:04 2008
@@ -20,7 +20,7 @@
import org.apache.jackrabbit.api.jsr283.security.AbstractAccessControlTest;
import org.apache.jackrabbit.api.jsr283.security.AccessControlManager;
import org.apache.jackrabbit.api.jsr283.security.Privilege;
-import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.api.security.user.Group;
@@ -44,6 +44,8 @@
import javax.jcr.observation.Event;
import javax.jcr.observation.ObservationManager;
import java.security.Principal;
+import java.util.Map;
+import java.util.UUID;
/**
* <code>AbstractEvaluationTest</code>...
@@ -52,11 +54,12 @@
protected static final long DEFAULT_WAIT_TIMEOUT = 5000;
- protected Credentials creds;
- protected User testUser;
- protected Group testGroup;
- protected SessionImpl testSession;
- protected AccessControlManager testAcMgr;
+ private Credentials creds;
+ private User testUser;
+ private Group testGroup;
+
+ private SessionImpl testSession;
+ private AccessControlManager testAccessControlManager;
protected String path;
protected String childNPath;
@@ -73,26 +76,12 @@
super.setUp();
UserManager uMgr = getUserManager(superuser);
- Principal princ = getTestPrincipal("testUser", uMgr);
- String uid = princ.getName();
- String pw = princ.getName();
+ // create the testUser
+ Principal principal = new TestPrincipal("testUser" + UUID.randomUUID());
+ String uid = principal.getName();
+ String pw = principal.getName();
creds = new SimpleCredentials(uid, pw.toCharArray());
-
- Authorizable a = uMgr.getAuthorizable(princ);
- if (a == null) {
- testUser = uMgr.createUser(uid, pw);
- } else if (a.isGroup()) {
- throw new NotExecutableException();
- } else {
- testUser = (User) a;
- }
-
- testGroup = uMgr.createGroup(getTestPrincipal("testGroup", uMgr));
- testGroup.addMember(testUser);
-
- // TODO: remove cast once 283 is released.
- testSession = (SessionImpl) helper.getRepository().login(creds);
- testAcMgr = getAccessControlManager(testSession);
+ testUser = uMgr.createUser(uid, pw);
// create some nodes below the test root in order to apply ac-stuff
Node node = testRootNode.addNode(nodeName1, testNodeType);
@@ -144,48 +133,86 @@
protected abstract void clearACInfo();
- protected abstract PolicyTemplate getPolicyTemplate(AccessControlManager acM, String path) throws RepositoryException, AccessDeniedException, NotExecutableException;
-
- protected abstract PolicyEntry createEntry(Principal principal, int privileges, boolean isAllow, String[] restrictions);
+ protected abstract Map getRestrictions(String path)
+ throws RepositoryException,
+ NotExecutableException;
- protected abstract String[] getRestrictions(String path);
+ protected abstract JackrabbitAccessControlList getPolicy(AccessControlManager acM, String path, Principal principal) throws RepositoryException, AccessDeniedException, NotExecutableException;
- protected PolicyTemplate givePrivileges(String nPath, int privileges, String[] restrictions) throws NotExecutableException, RepositoryException {
+ protected JackrabbitAccessControlList givePrivileges(String nPath, Privilege[] privileges,
+ Map restrictions) throws NotExecutableException, RepositoryException {
return givePrivileges(nPath, testUser.getPrincipal(), privileges, restrictions);
}
- protected PolicyTemplate givePrivileges(String nPath, Principal principal,
- int privileges, String[] restrictions) throws NotExecutableException, RepositoryException {
- PolicyTemplate tmpl = getPolicyTemplate(acMgr, nPath);
- tmpl.setEntry(createEntry(principal, privileges, true, restrictions));
+ protected JackrabbitAccessControlList givePrivileges(String nPath, Principal principal,
+ Privilege[] privileges, Map restrictions) throws NotExecutableException, RepositoryException {
+ JackrabbitAccessControlList tmpl = getPolicy(acMgr, nPath, principal);
+ tmpl.addEntry(principal, privileges, true, restrictions);
acMgr.setPolicy(tmpl.getPath(), tmpl);
superuser.save();
return tmpl;
}
- protected PolicyTemplate withdrawPrivileges(String nPath, int privileges, String[] restrictions) throws NotExecutableException, RepositoryException {
- PolicyTemplate tmpl = getPolicyTemplate(acMgr, nPath);
- tmpl.setEntry(createEntry(testUser.getPrincipal(), privileges, false, restrictions));
+ protected JackrabbitAccessControlList withdrawPrivileges(String nPath, Privilege[] privileges, Map restrictions) throws NotExecutableException, RepositoryException {
+ return withdrawPrivileges(nPath, testUser.getPrincipal(), privileges, restrictions);
+ }
+
+ protected JackrabbitAccessControlList withdrawPrivileges(String nPath, Principal principal, Privilege[] privileges, Map restrictions) throws NotExecutableException, RepositoryException {
+ JackrabbitAccessControlList tmpl = getPolicy(acMgr, nPath, principal);
+ tmpl.addEntry(principal, privileges, false, restrictions);
acMgr.setPolicy(tmpl.getPath(), tmpl);
superuser.save();
return tmpl;
}
- protected void checkReadOnly(String path) throws RepositoryException {
- Privilege[] privs = testAcMgr.getPrivileges(path);
+ protected void checkReadOnly(String path) throws RepositoryException, NotExecutableException {
+ Privilege[] privs = getTestACManager().getPrivileges(path);
assertTrue(privs.length == 1);
- assertEquals(PrivilegeRegistry.READ_PRIVILEGE, privs[0]);
+ assertEquals(privilegesFromName(Privilege.JCR_READ)[0], privs[0]);
+ }
+
+ protected User getTestUser() {
+ return testUser;
+ }
+
+ protected Group getTestGroup() throws RepositoryException, NotExecutableException {
+ if (testGroup == null) {
+ // create the testGroup
+ Principal principal = new TestPrincipal("testGroup" + UUID.randomUUID());
+ testGroup = getUserManager(superuser).createGroup(principal);
+ testGroup.addMember(testUser);
+ }
+ return testGroup;
+ }
+
+ protected SessionImpl getTestSession() throws RepositoryException {
+ if (testSession == null) {
+ // TODO: remove cast once 283 is released.
+ testSession = (SessionImpl) helper.getRepository().login(creds);
+ }
+ return testSession;
+ }
+
+ protected AccessControlManager getTestACManager() throws NotExecutableException, RepositoryException {
+ if (testAccessControlManager == null) {
+ testAccessControlManager = getAccessControlManager(getTestSession());
+ }
+ return testAccessControlManager;
}
public void testGrantedPermissions() throws RepositoryException, AccessDeniedException, NotExecutableException {
+ SessionImpl testSession = getTestSession();
/* precondition:
testuser must have READ-only permission on test-node and below
*/
checkReadOnly(path);
// give 'testUser' ADD_CHILD_NODES|MODIFY_PROPERTIES privileges at 'path'
- givePrivileges(path, PrivilegeRegistry.ADD_CHILD_NODES |
- PrivilegeRegistry.MODIFY_PROPERTIES, getRestrictions(path));
+ Privilege[] privileges = privilegesFromNames(new String[] {
+ Privilege.JCR_ADD_CHILD_NODES,
+ Privilege.JCR_MODIFY_PROPERTIES
+ });
+ givePrivileges(path, privileges, getRestrictions(path));
/*
testuser must now have
- ADD_NODE permission for child node
@@ -230,15 +257,18 @@
}
public void testDeniedPermission() throws RepositoryException, NotExecutableException, InterruptedException {
- /* precondition:
+ SessionImpl testSession = getTestSession();
+ /* precondition:
testuser must have READ-only permission on test-node and below
*/
checkReadOnly(path);
// withdraw READ privilege to 'testUser' at 'path'
- withdrawPrivileges(childNPath, PrivilegeRegistry.READ, getRestrictions(childNPath));
+ Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
+ withdrawPrivileges(childNPath, privileges, getRestrictions(childNPath));
/*
testuser must now have
+ - READ-only permission at path
- READ-only permission for the child-props of path
testuser must not have
@@ -253,12 +283,10 @@
// ... and props of path
assertTrue(n.getProperties().hasNext());
- /*
- testSession must not have access to 'childNPath'
- */
+ //testSession must not have access to 'childNPath'
assertFalse(testSession.itemExists(childNPath));
try {
- Node testN = testSession.getNode(childNPath);
+ testSession.getNode(childNPath);
fail("Read access has been denied -> cannot retrieve child node.");
} catch (PathNotFoundException e) {
// ok.
@@ -276,10 +304,13 @@
}
public void testAccessControlRead() throws NotExecutableException, RepositoryException {
+ SessionImpl testSession = getTestSession();
+ AccessControlManager testAcMgr = getTestACManager();
checkReadOnly(path);
// re-grant READ in order to have an ACL-node
- PolicyTemplate tmpl = givePrivileges(path, PrivilegeRegistry.READ, getRestrictions(path));
+ Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
+ JackrabbitAccessControlList tmpl = givePrivileges(path, privileges, getRestrictions(path));
// make sure the 'rep:policy' node has been created.
assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));
@@ -287,9 +318,7 @@
Testuser must still have READ-only access only and must not be
allowed to view the acl-node that has been created.
*/
- assertFalse(testAcMgr.hasPrivileges(path, new Privilege[] {
- PrivilegeRegistry.READ_AC_PRIVILEGE
- }));
+ assertFalse(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL)));
assertFalse(testSession.itemExists(path + "/rep:policy"));
Node n = testSession.getNode(tmpl.getPath());
@@ -303,7 +332,7 @@
/* Finally the test user must not be allowed to remove the policy. */
try {
- testAcMgr.removePolicy(path);
+ testAcMgr.removePolicy(path, new AccessControlPolicy() {});
fail("Test user must not be allowed to remove the access control policy.");
} catch (AccessDeniedException e) {
// success
@@ -311,16 +340,20 @@
}
public void testAccessControlModification() throws RepositoryException, NotExecutableException {
+ SessionImpl testSession = getTestSession();
+ AccessControlManager testAcMgr = getTestACManager();
/* precondition:
testuser must have READ-only permission on test-node and below
*/
checkReadOnly(path);
// give 'testUser' ADD_CHILD_NODES|MODIFY_PROPERTIES| REMOVE_CHILD_NODES privileges at 'path'
- PolicyTemplate tmpl = givePrivileges(path,
- PrivilegeRegistry.ADD_CHILD_NODES |
- PrivilegeRegistry.REMOVE_CHILD_NODES |
- PrivilegeRegistry.MODIFY_PROPERTIES, getRestrictions(path));
+ Privilege[] privileges = privilegesFromNames(new String[] {
+ Privilege.JCR_ADD_CHILD_NODES,
+ Privilege.JCR_REMOVE_CHILD_NODES,
+ Privilege.JCR_MODIFY_PROPERTIES
+ });
+ JackrabbitAccessControlList tmpl = givePrivileges(path, privileges, getRestrictions(path));
/*
testuser must not have
- permission to view AC items
@@ -332,31 +365,25 @@
// the policy node however must not be visible to the test-user
assertFalse(testSession.itemExists(tmpl.getPath() + "/rep:policy"));
try {
- testAcMgr.getPolicy(tmpl.getPath());
- fail("test user must not have READ_AC privilege.");
- } catch (AccessDeniedException e) {
- // success
- }
- try {
- testAcMgr.getEffectivePolicy(tmpl.getPath());
+ testAcMgr.getPolicies(tmpl.getPath());
fail("test user must not have READ_AC privilege.");
} catch (AccessDeniedException e) {
// success
}
try {
- testAcMgr.getEffectivePolicy(path);
+ testAcMgr.getEffectivePolicies(tmpl.getPath());
fail("test user must not have READ_AC privilege.");
} catch (AccessDeniedException e) {
// success
}
try {
- testAcMgr.getAccessControlEntries(tmpl.getPath());
+ testAcMgr.getEffectivePolicies(path);
fail("test user must not have READ_AC privilege.");
} catch (AccessDeniedException e) {
// success
}
try {
- testAcMgr.removePolicy(tmpl.getPath());
+ testAcMgr.removePolicy(tmpl.getPath(), new AccessControlPolicy() {});
fail("test user must not have MODIFY_AC privilege.");
} catch (AccessDeniedException e) {
// success
@@ -371,9 +398,11 @@
checkReadOnly(path);
// give 'testUser' READ_AC|MODIFY_AC privileges at 'path'
- givePrivileges(path, PrivilegeRegistry.WRITE, getRestrictions(path));
+ Privilege[] grPrivs = privilegesFromName(Privilege.JCR_WRITE);
+ givePrivileges(path, grPrivs, getRestrictions(path));
// withdraw the READ privilege
- withdrawPrivileges(path, PrivilegeRegistry.READ, getRestrictions(path));
+ Privilege[] dnPrivs = privilegesFromName(Privilege.JCR_READ);
+ withdrawPrivileges(path, dnPrivs, getRestrictions(path));
// test if login as testuser -> item at path must not exist.
Session s = null;
@@ -388,6 +417,7 @@
}
public void testEventGeneration() throws RepositoryException, NotExecutableException {
+ SessionImpl testSession = getTestSession();
/*
precondition:
testuser must have READ-only permission on test-node and below
@@ -395,7 +425,8 @@
checkReadOnly(path);
// withdraw the READ privilege
- withdrawPrivileges(path, PrivilegeRegistry.READ, getRestrictions(path));
+ Privilege[] dnPrivs = privilegesFromName(Privilege.JCR_READ);
+ withdrawPrivileges(path, dnPrivs, getRestrictions(path));
// testUser registers a eventlistener for 'path
ObservationManager obsMgr = testSession.getWorkspace().getObservationManager();
@@ -424,62 +455,296 @@
}
public void testInheritance() throws RepositoryException, NotExecutableException {
+ SessionImpl testSession = getTestSession();
+ AccessControlManager testAcMgr = getTestACManager();
/* precondition:
testuser must have READ-only permission on test-node and below
*/
checkReadOnly(path);
+ checkReadOnly(childNPath);
- // give 'modify-properties' privilege on 'path'
- givePrivileges(path, PrivilegeRegistry.MODIFY_PROPERTIES, getRestrictions(path));
- // give 'add-child-nodes' and 'remove-child-nodes' privilege on 'child-path'
- givePrivileges(childNPath, PrivilegeRegistry.ADD_CHILD_NODES |
- PrivilegeRegistry.REMOVE_CHILD_NODES, getRestrictions(childNPath));
+ // give 'modify_properties' and 'remove_node' privilege on 'path'
+ Privilege[] privileges = privilegesFromNames(new String[] {
+ Privilege.JCR_REMOVE_NODE, Privilege.JCR_MODIFY_PROPERTIES});
+ givePrivileges(path, privileges, getRestrictions(path));
+ // give 'add-child-nodes', remove_child_nodes' on 'childNPath'
+ privileges = privilegesFromNames(new String[] {
+ Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_REMOVE_CHILD_NODES});
+ givePrivileges(childNPath, privileges, getRestrictions(childNPath));
/*
- since permission evaluation respects inheritance through the node
+ since evaluation respects inheritance through the node
hierarchy, the following privileges must now be given at 'childNPath':
- - read
- - modify-properties
- - add-child-nodes
- - remove-child-nodes
- -> read + write
- */
- Privilege[] privs = new Privilege[] {
- PrivilegeRegistry.READ_PRIVILEGE,
- PrivilegeRegistry.WRITE_PRIVILEGE
- };
- assertTrue(testAcMgr.hasPrivileges(childNPath, privs));
+ - jcr:read
+ - jcr:modifyProperties
+ - jcr:addChildNodes
+ - jcr:removeChildNodes
+ - jcr:removeNode
+ */
+ privileges = privilegesFromNames(new String[] {
+ Privilege.JCR_READ,
+ Privilege.JCR_WRITE,
+ Privilege.JCR_REMOVE_NODE
+ });
+ assertTrue(testAcMgr.hasPrivileges(childNPath, privileges));
+
+ /*
+ ... permissions granted at childNPath:
+ - read
+ - set-property
+
+ BUT NOT:
+ - add-node
+ - remove.
+ */
+ String aActions = SessionImpl.SET_PROPERTY_ACTION + "," + SessionImpl.READ_ACTION;
+ assertTrue(testSession.hasPermission(childNPath, aActions));
+ String dActions = SessionImpl.REMOVE_ACTION + "," + SessionImpl.ADD_NODE_ACTION;
+ assertFalse(testSession.hasPermission(childNPath, dActions));
+
/*
- ... and the following permissions must be granted at any child item
- of child-path:
+ ... permissions granted at any child item of child-path:
- read
- set-property
- add-node
- remove
*/
String nonExistingItemPath = childNPath + "/anyItem";
- String actions = SessionImpl.ADD_NODE_ACTION + "," +
- SessionImpl.REMOVE_ACTION + "," +
- SessionImpl.SET_PROPERTY_ACTION + "," +
- SessionImpl.READ_ACTION;
- assertTrue(testSession.hasPermission(nonExistingItemPath, actions));
+ assertTrue(testSession.hasPermission(nonExistingItemPath, aActions + "," + dActions));
/* try adding a new child node -> must succeed. */
Node childN = testSession.getNode(childNPath);
- Node testChild = childN.addNode(nodeName2, testNodeType);
+ String testPath = childN.addNode(nodeName2, testNodeType).getPath();
/* test privileges on the 'new' child node */
- privs = testAcMgr.getPrivileges(testChild.getPath());
- int exptectedPrivs = PrivilegeRegistry.WRITE | PrivilegeRegistry.READ;
- assertTrue(exptectedPrivs == PrivilegeRegistry.getBits(privs));
+ Privilege[] expectedPrivs = privilegesFromNames(new String[] {
+ Privilege.JCR_READ, Privilege.JCR_WRITE, Privilege.JCR_REMOVE_NODE});
+ assertTrue(testAcMgr.hasPrivileges(testPath, expectedPrivs));
- /* repeate test after save. */
+ /* repeat test after save. */
testSession.save();
- privs = testAcMgr.getPrivileges(testChild.getPath());
- assertTrue(exptectedPrivs == PrivilegeRegistry.getBits(privs));
+ assertTrue(testAcMgr.hasPrivileges(testPath, expectedPrivs));
+ }
+
+ public void testRemovePermission() throws NotExecutableException, RepositoryException {
+ SessionImpl testSession = getTestSession();
+ /*
+ precondition:
+ testuser must have READ-only permission on test-node and below
+ */
+ checkReadOnly(path);
+ checkReadOnly(childNPath);
+
+ Privilege[] rmChildNodes = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
+
+ // add 'remove_child_nodes' privilge at 'path'
+ givePrivileges(path, rmChildNodes, getRestrictions(path));
+ /*
+ expected result:
+ - neither node at path nor at childNPath can be removed since
+ REMOVE_NODE privilege is missing.
+ */
+ assertFalse(testSession.hasPermission(path, SessionImpl.REMOVE_ACTION));
+ assertFalse(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+ }
+
+ public void testRemovePermission2() throws NotExecutableException, RepositoryException {
+ SessionImpl testSession = getTestSession();
+ /*
+ precondition:
+ testuser must have READ-only permission on test-node and below
+ */
+ checkReadOnly(path);
+ checkReadOnly(childNPath);
+
+ Privilege[] rmChildNodes = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+ // add 'remove_node' privilege at 'path'
+ givePrivileges(path, rmChildNodes, getRestrictions(path));
+ /*
+ expected result:
+ - neither node at path nor at childNPath can be removed permission
+ due to missing remove_child_nodes privilege.
+ */
+ assertFalse(testSession.hasPermission(path, SessionImpl.REMOVE_ACTION));
+ assertFalse(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+ }
+
+ public void testRemovePermission3() throws NotExecutableException, RepositoryException {
+ SessionImpl testSession = getTestSession();
+ AccessControlManager testAcMgr = getTestACManager();
+ /*
+ precondition:
+ testuser must have READ-only permission on test-node and below
+ */
+ checkReadOnly(path);
+ checkReadOnly(childNPath);
+
+ Privilege[] privs = privilegesFromNames(new String[] {
+ Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_REMOVE_NODE
+ });
+ // add 'remove_node' and 'remove_child_nodes' privilge at 'path'
+ givePrivileges(path, privs, getRestrictions(path));
+ /*
+ expected result:
+ - missing remove permission at path since REMOVE_CHILD_NODES present
+ at path only applies for nodes below. REMOVE_CHILD_NODES must
+ be present at the parent instead (which isn't)
+ - remove permission is however granted at childNPath.
+ - privileges: both at path and at childNPath 'remove_node' and
+ 'remove_child_nodes' are present.
+ */
+ assertFalse(testSession.hasPermission(path, SessionImpl.REMOVE_ACTION));
+ assertTrue(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+
+ assertTrue(testAcMgr.hasPrivileges(path, privs));
+ assertTrue(testAcMgr.hasPrivileges(childNPath, privs));
+ }
+
+ public void testRemovePermission4() throws NotExecutableException, RepositoryException {
+ SessionImpl testSession = getTestSession();
+ AccessControlManager testAcMgr = getTestACManager();
+ /*
+ precondition:
+ testuser must have READ-only permission on test-node and below
+ */
+ checkReadOnly(path);
+ checkReadOnly(childNPath);
+
+ Privilege[] rmChildNodes = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
+ Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+ // add 'remove_child_nodes' privilge at 'path'...
+ givePrivileges(path, rmChildNodes, getRestrictions(path));
+ // ... and add 'remove_node' privilge at 'childNPath'
+ givePrivileges(childNPath, rmNode, getRestrictions(childNPath));
+ /*
+ expected result:
+ - remove not allowed for node at path
+ - remove-permission present for node at childNPath
+ - both remove_node and remove_childNodes privilege present at childNPath
+ */
+ assertFalse(testSession.hasPermission(path, SessionImpl.REMOVE_ACTION));
+ assertTrue(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+ assertTrue(testAcMgr.hasPrivileges(childNPath, new Privilege[] {rmChildNodes[0], rmNode[0]}));
+ }
+
+ public void testRemovePermission5() throws NotExecutableException, RepositoryException {
+ SessionImpl testSession = getTestSession();
+ /*
+ precondition:
+ testuser must have READ-only permission on test-node and below
+ */
+ checkReadOnly(path);
+ checkReadOnly(childNPath);
+
+ Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+ // add 'remove_node' privilege at 'childNPath'
+ givePrivileges(childNPath, rmNode, getRestrictions(childNPath));
+ /*
+ expected result:
+ - node at childNPath can't be removed since REMOVE_CHILD_NODES is missing.
+ */
+ assertFalse(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+ }
+
+ public void testRemovePermission6() throws NotExecutableException, RepositoryException {
+ SessionImpl testSession = getTestSession();
+ AccessControlManager testAcMgr = getTestACManager();
+ /*
+ precondition:
+ testuser must have READ-only permission on test-node and below
+ */
+ checkReadOnly(path);
+ checkReadOnly(childNPath);
+
+ Privilege[] privs = privilegesFromNames(new String[] {
+ Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_REMOVE_NODE
+ });
+ Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+ // add 'remove_child_nodes' and 'remove_node' privilge at 'path'
+ givePrivileges(path, privs, getRestrictions(path));
+ // ... but deny 'remove_node' at childNPath
+ withdrawPrivileges(childNPath, rmNode, getRestrictions(childNPath));
+ /*
+ expected result:
+ - neither node at path nor at childNPath could be removed.
+ - no remove_node privilege at childNPath
+ - read, remove_child_nodes privilege at childNPath
+ */
+ assertFalse(testSession.hasPermission(path, SessionImpl.REMOVE_ACTION));
+ assertFalse(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+ assertTrue(testAcMgr.hasPrivileges(childNPath, privilegesFromNames(new String[] {Privilege.JCR_READ, Privilege.JCR_REMOVE_CHILD_NODES})));
+ assertFalse(testAcMgr.hasPrivileges(childNPath, privilegesFromName(Privilege.JCR_REMOVE_NODE)));
+ }
+
+ public void testRemovePermission7() throws NotExecutableException, RepositoryException {
+ SessionImpl testSession = getTestSession();
+ AccessControlManager testAcMgr = getTestACManager();
+ /*
+ precondition:
+ testuser must have READ-only permission on test-node and below
+ */
+ checkReadOnly(path);
+ checkReadOnly(childNPath);
+
+ Privilege[] rmChildNodes = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
+ Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+ // deny 'remove_child_nodes' at 'path'
+ withdrawPrivileges(path, rmChildNodes, getRestrictions(path));
+ // ... but allow 'remove_node' at childNPath
+ givePrivileges(childNPath, rmNode, getRestrictions(childNPath));
+ /*
+ expected result:
+ - node at childNPath can't be removed.
+ */
+ assertFalse(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+
+ // additionally add remove_child_nodes priv at 'childNPath'
+ givePrivileges(childNPath, rmChildNodes, getRestrictions(childNPath));
+ /*
+ expected result:
+ - node at childNPath still can't be removed.
+ - but both privileges (remove_node, remove_child_nodes) are present.
+ */
+ assertFalse(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+ assertTrue(testAcMgr.hasPrivileges(childNPath, new Privilege[] {rmChildNodes[0], rmNode[0]}));
+ }
+
+ public void testRemovePermission8() throws NotExecutableException, RepositoryException {
+ SessionImpl testSession = getTestSession();
+ AccessControlManager testAcMgr = getTestACManager();
+ /*
+ precondition:
+ testuser must have READ-only permission on test-node and below
+ */
+ checkReadOnly(path);
+ checkReadOnly(childNPath);
+
+ Privilege[] rmChildNodes = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
+ Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+ // add 'remove_child_nodes' at 'path
+ givePrivileges(path, rmChildNodes, getRestrictions(path));
+ // deny 'remove_nodes' at 'path'
+ withdrawPrivileges(path, rmNode, getRestrictions(path));
+ // and allow 'remove_node' at childNPath
+ givePrivileges(childNPath, rmNode, getRestrictions(childNPath));
+ /*
+ expected result:
+ - remove permission must be granted at childNPath
+ */
+ assertTrue(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+ assertTrue(testAcMgr.hasPrivileges(childNPath, new Privilege[] {rmChildNodes[0], rmNode[0]}));
}
public void testGroupPermissions() throws NotExecutableException, RepositoryException {
+ Group testGroup = getTestGroup();
+ SessionImpl testSession = getTestSession();
+ AccessControlManager testAcMgr = getTestACManager();
/*
precondition:
testuser must have READ-only permission on test-node and below
@@ -487,17 +752,45 @@
checkReadOnly(path);
/* add privileges for the Group the test-user is member of */
- givePrivileges(path, testGroup.getPrincipal(), PrivilegeRegistry.MODIFY_PROPERTIES, getRestrictions(path));
+ Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+ givePrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(path));
/* testuser must get the permissions/privileges inherited from
the group it is member of.
*/
String actions = SessionImpl.SET_PROPERTY_ACTION + "," + SessionImpl.READ_ACTION;
assertTrue(testSession.hasPermission(path, actions));
- assertTrue(testAcMgr.hasPrivileges(path, new Privilege[] {PrivilegeRegistry.MODIFY_PROPERTIES_PRIVILEGE}));
+ Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+ assertTrue(testAcMgr.hasPrivileges(path, privs));
+ }
+
+ public void testMixedUserGroupPermissions() throws NotExecutableException, RepositoryException {
+ Group testGroup = getTestGroup();
+ SessionImpl testSession = getTestSession();
+ AccessControlManager testAcMgr = getTestACManager();
+ /*
+ precondition:
+ testuser must have READ-only permission on test-node and below
+ */
+ checkReadOnly(path);
+
+ /* explicitely withdraw MODIFY_PROPERTIES for the user */
+ Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+ withdrawPrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(path));
+ /* give MODIFY_PROPERTIES privilege for a Group the test-user is member of */
+ givePrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(path));
+ /*
+ since user-permissions overrule the group permissions, testuser must
+ not have set_property action / modify_properties privilege.
+ */
+ String actions = SessionImpl.SET_PROPERTY_ACTION;
+ assertFalse(testSession.hasPermission(path, actions));
+ assertFalse(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES)));
}
- public void testNewNodes() throws RepositoryException {
+ public void testNewNodes() throws RepositoryException, NotExecutableException {
+ SessionImpl testSession = getTestSession();
+ AccessControlManager testAcMgr = getTestACManager();
/*
precondition:
testuser must have READ-only permission on test-node and below
@@ -505,23 +798,26 @@
checkReadOnly(path);
/* create some new nodes below 'path' */
- Node n = testSession.getNode(path);
+ Node n = ((SessionImpl) superuser).getNode(path);
for (int i = 0; i < 5; i++) {
n = n.addNode(nodeName2, testNodeType);
}
+ superuser.save();
/* make sure the same privileges/permissions are granted as at path. */
- Privilege[] privs = testAcMgr.getPrivileges(n.getPath());
+ String childPath = n.getPath();
+ Privilege[] privs = testAcMgr.getPrivileges(childPath);
assertTrue(PrivilegeRegistry.READ == PrivilegeRegistry.getBits(privs));
- testSession.checkPermission(n.getPath(), SessionImpl.READ_ACTION);
+ testSession.checkPermission(childPath, SessionImpl.READ_ACTION);
}
- public void testNonExistingItem() throws RepositoryException {
+ public void testNonExistingItem() throws RepositoryException, NotExecutableException {
+ SessionImpl testSession = getTestSession();
/*
precondition:
testuser must have READ-only permission on the root node and below
*/
- String rootPath = testSession.getRootNode().getPath();
+ String rootPath = getTestSession().getRootNode().getPath();
checkReadOnly(rootPath);
testSession.checkPermission(rootPath + "nonExistingItem", SessionImpl.READ_ACTION);
}
@@ -568,24 +864,53 @@
}
}
+ /**
+ * the ADD_CHILD_NODES privileges assigned on a node to a specific principal
+ * grants the corresponding user the permission to add nodes below the
+ * target node but not 'at' the target node.
+ *
+ * @throws RepositoryException
+ * @throws NotExecutableException
+ */
+ public void testAddChildNodePrivilege() throws RepositoryException, NotExecutableException {
+ SessionImpl testSession = getTestSession();
+ /*
+ precondition:
+ testuser must have READ-only permission on test-node and below
+ */
+ checkReadOnly(path);
+
+ /* create a child node below node at 'path' */
+ Node n = ((SessionImpl) superuser).getNode(path);
+ n = n.addNode(nodeName2, testNodeType);
+ superuser.save();
+
+ /* add 'add_child_nodes' privilege for testSession at path. */
+ Privilege[] privileges = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
+ givePrivileges(path, privileges, getRestrictions(path));
+
+ /* test permissions. expected result:
+ - testSession cannot add child-nodes at 'path'
+ - testSession can add child-nodes below path
+ */
+ assertFalse(testSession.hasPermission(path, SessionImpl.ADD_NODE_ACTION));
+ assertTrue(testSession.hasPermission(path+"/anychild", SessionImpl.ADD_NODE_ACTION));
+ String childPath = n.getPath();
+ assertTrue(testSession.hasPermission(childPath, SessionImpl.ADD_NODE_ACTION));
+ }
+
+
private static Node findPolicyNode(Node start) throws RepositoryException {
Node policyNode = null;
- if (start.isNodeType("rep:ACL")) {
+ if (start.isNodeType("rep:Policy")) {
policyNode = start;
}
for (NodeIterator it = start.getNodes(); it.hasNext() && policyNode == null;) {
- policyNode = findPolicyNode(it.nextNode());
+ Node n = it.nextNode();
+ if (!"jcr:system".equals(n.getName())) {
+ policyNode = findPolicyNode(n);
+ }
}
return policyNode;
}
-
- protected Principal getTestPrincipal(String nameHint, UserManager uMgr) throws RepositoryException {
- Principal principal = new TestPrincipal(nameHint);
- int i = 0;
- while (uMgr.getAuthorizable(principal) != null) {
- principal = new TestPrincipal(nameHint + i);
- i++;
- }
- return principal;
- }
}
\ No newline at end of file
Added: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java?rev=689499&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java Wed Aug 27 08:12:04 2008
@@ -0,0 +1,191 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.api.jsr283.security.AbstractAccessControlTest;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlEntry;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicyIterator;
+import org.apache.jackrabbit.api.jsr283.security.Privilege;
+import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.test.NotExecutableException;
+
+import javax.jcr.Node;
+import javax.jcr.RepositoryException;
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <code>JackrabbitAccessControlListTest</code>...
+ */
+public class JackrabbitAccessControlListTest extends AbstractAccessControlTest {
+
+ private JackrabbitAccessControlList templ;
+
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ Node n = testRootNode.addNode(nodeName1, testNodeType);
+ superuser.save();
+
+ AccessControlPolicyIterator it = acMgr.getApplicablePolicies(n.getPath());
+ if (it.hasNext()) {
+ AccessControlPolicy p = it.nextAccessControlPolicy();
+ if (p instanceof JackrabbitAccessControlList) {
+ templ = (JackrabbitAccessControlList) p;
+ } else {
+ throw new NotExecutableException("No JackrabbitAccessControlList to test.");
+ }
+ } else {
+ throw new NotExecutableException("No JackrabbitAccessControlList to test.");
+ }
+ }
+
+ protected void tearDown() throws Exception {
+ // make sure transient ac-changes are reverted.
+ superuser.refresh(false);
+ super.tearDown();
+ }
+
+ private Principal getValidPrincipal() throws NotExecutableException, RepositoryException {
+ if (!(superuser instanceof JackrabbitSession)) {
+ throw new NotExecutableException();
+ }
+
+ PrincipalManager pMgr = ((JackrabbitSession) superuser).getPrincipalManager();
+ PrincipalIterator it = pMgr.getPrincipals(PrincipalManager.SEARCH_TYPE_NOT_GROUP);
+ if (it.hasNext()) {
+ return it.nextPrincipal();
+ } else {
+ throw new NotExecutableException();
+ }
+ }
+
+ public void testIsEmpty() throws RepositoryException {
+ if (templ.isEmpty()) {
+ assertEquals(0, templ.getAccessControlEntries().length);
+ } else {
+ assertTrue(templ.getAccessControlEntries().length > 0);
+ }
+ }
+
+ public void testSize() {
+ if (templ.isEmpty()) {
+ assertEquals(0, templ.size());
+ } else {
+ assertTrue(templ.size() > 0);
+ }
+ }
+
+ public void testAddEntry() throws NotExecutableException, RepositoryException {
+ Principal princ = getValidPrincipal();
+ Privilege[] priv = privilegesFromName(Privilege.JCR_ALL);
+
+ List entriesBefore = Arrays.asList(templ.getAccessControlEntries());
+ if (templ.addEntry(princ, priv, true, Collections.EMPTY_MAP)) {
+ AccessControlEntry[] entries = templ.getAccessControlEntries();
+ if (entries.length == 0) {
+ fail("GrantPrivileges was successful -> at least 1 entry for principal.");
+ }
+ int allows = 0;
+ for (int i = 0; i < entries.length; i++) {
+ AccessControlEntry en = entries[i];
+ int bits = PrivilegeRegistry.getBits(en.getPrivileges());
+ if (en instanceof JackrabbitAccessControlEntry && ((JackrabbitAccessControlEntry) en).isAllow()) {
+ allows |= bits;
+ }
+ }
+ assertEquals(PrivilegeRegistry.ALL, allows);
+ } else {
+ AccessControlEntry[] entries = templ.getAccessControlEntries();
+ assertEquals("Grant ALL not successful -> entries must not have changed.", entriesBefore, Arrays.asList(entries));
+ }
+ }
+
+ public void testAddEntry2() throws NotExecutableException, RepositoryException {
+ Principal princ = getValidPrincipal();
+ Privilege[] privs = privilegesFromName(Privilege.JCR_WRITE);
+
+ int allows = 0;
+ templ.addEntry(princ, privs, true, Collections.EMPTY_MAP);
+ AccessControlEntry[] entries = templ.getAccessControlEntries();
+ assertTrue("GrantPrivileges was successful -> at least 1 entry for principal.", entries.length > 0);
+
+ for (int i = 0; i < entries.length; i++) {
+ AccessControlEntry en = entries[i];
+ int bits = PrivilegeRegistry.getBits(en.getPrivileges());
+ if (en instanceof JackrabbitAccessControlEntry && ((JackrabbitAccessControlEntry) en).isAllow()) {
+ allows |= bits;
+ }
+ }
+ assertTrue("After successfully granting WRITE, the entries must reflect this", allows >= PrivilegeRegistry.WRITE);
+ }
+
+ public void testAllowWriteDenyRemove() throws NotExecutableException, RepositoryException {
+ Principal princ = getValidPrincipal();
+ Privilege[] grPriv = privilegesFromName(Privilege.JCR_WRITE);
+ Privilege[] dePriv = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
+
+ templ.addEntry(princ, grPriv, true, Collections.EMPTY_MAP);
+ templ.addEntry(princ, dePriv, false, Collections.EMPTY_MAP);
+
+ int allows = PrivilegeRegistry.NO_PRIVILEGE;
+ int denies = PrivilegeRegistry.NO_PRIVILEGE;
+ AccessControlEntry[] entries = templ.getAccessControlEntries();
+ for (int i = 0; i < entries.length; i++) {
+ AccessControlEntry en = entries[i];
+ if (princ.equals(en.getPrincipal()) && en instanceof JackrabbitAccessControlEntry) {
+ JackrabbitAccessControlEntry ace = (JackrabbitAccessControlEntry) en;
+ int entryBits = ace.getPrivilegeBits();
+ if (ace.isAllow()) {
+ allows |= Permission.diff(entryBits, denies);
+ } else {
+ denies |= Permission.diff(entryBits, allows);
+ }
+ }
+ }
+
+ int expectedAllows = Permission.diff(PrivilegeRegistry.WRITE, PrivilegeRegistry.REMOVE_CHILD_NODES);
+ assertEquals(expectedAllows, allows & expectedAllows);
+ int expectedDenies = PrivilegeRegistry.REMOVE_CHILD_NODES;
+ assertEquals(expectedDenies, denies);
+ }
+
+ public void testRemoveEntry() throws NotExecutableException, RepositoryException {
+ Principal princ = getValidPrincipal();
+ Privilege[] grPriv = privilegesFromName(Privilege.JCR_WRITE);
+
+ templ.addEntry(princ, grPriv, true, Collections.EMPTY_MAP);
+ AccessControlEntry[] entries = templ.getAccessControlEntries();
+ int length = entries.length;
+ assertTrue("Grant was both successful -> at least 1 entry.", length > 0);
+ for (int i = 0; i < entries.length; i++) {
+ templ.removeAccessControlEntry(entries[i]);
+ length = length - 1;
+ assertEquals(length, templ.size());
+ assertEquals(length, templ.getAccessControlEntries().length);
+ }
+
+ assertTrue(templ.isEmpty());
+ assertEquals(0, templ.size());
+ assertEquals(0, templ.getAccessControlEntries().length);
+ }
+}
\ No newline at end of file
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java
------------------------------------------------------------------------------
svn:keywords = author date id revision url
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java?rev=689499&r1=689498&r2=689499&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java Wed Aug 27 08:12:04 2008
@@ -19,7 +19,14 @@
import junit.framework.TestCase;
import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
import org.apache.jackrabbit.api.jsr283.security.Privilege;
+import org.apache.jackrabbit.spi.commons.conversion.ParsingNameResolver;
+import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
+import org.apache.jackrabbit.spi.commons.name.NameFactoryImpl;
+import org.apache.jackrabbit.spi.commons.namespace.NamespaceResolver;
+import org.apache.jackrabbit.spi.Name;
+import javax.jcr.NamespaceException;
+import javax.jcr.RepositoryException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@@ -29,40 +36,83 @@
*/
public class PrivilegeRegistryTest extends TestCase {
- public void testRegisteredPrivileges() {
- Privilege[] ps = PrivilegeRegistry.getRegisteredPrivileges();
+ private NameResolver resolver;
+ private PrivilegeRegistry privilegeRegistry;
+
+ protected void setUp() throws Exception {
+ super.setUp();
+ NamespaceResolver nsResolver = new NamespaceResolver() {
+ public String getURI(String prefix) throws NamespaceException {
+ if (Name.NS_JCR_PREFIX.equals(prefix)) {
+ return Name.NS_JCR_URI;
+ } else if (Name.NS_EMPTY_PREFIX.equals(prefix)) {
+ return Name.NS_DEFAULT_URI;
+ } else {
+ throw new NamespaceException();
+ }
+ }
+ public String getPrefix(String uri) throws NamespaceException {
+ if (Name.NS_JCR_URI.equals(uri)) {
+ return Name.NS_JCR_PREFIX;
+ } else if (Name.NS_DEFAULT_URI.equals(uri)) {
+ return Name.NS_EMPTY_PREFIX;
+ } else {
+ throw new NamespaceException();
+ }
+ }
+ };
+ resolver = new ParsingNameResolver(NameFactoryImpl.getInstance(), nsResolver);
+ privilegeRegistry = new PrivilegeRegistry(resolver);
+ }
+
+ private void assertSamePrivilegeName(String expected, String present) throws RepositoryException {
+ assertEquals("Privilege names are not the same", resolver.getQName(expected), resolver.getQName(present));
+ }
+
+ public void testRegisteredPrivileges() throws RepositoryException {
+ Privilege[] ps = privilegeRegistry.getRegisteredPrivileges();
List l = new ArrayList(Arrays.asList(ps));
- assertTrue(l.remove(PrivilegeRegistry.READ_PRIVILEGE));
- assertTrue(l.remove(PrivilegeRegistry.ADD_CHILD_NODES_PRIVILEGE));
- assertTrue(l.remove(PrivilegeRegistry.REMOVE_CHILD_NODES_PRIVILEGE));
- assertTrue(l.remove(PrivilegeRegistry.MODIFY_PROPERTIES_PRIVILEGE));
- assertTrue(l.remove(PrivilegeRegistry.READ_AC_PRIVILEGE));
- assertTrue(l.remove(PrivilegeRegistry.MODIFY_AC_PRIVILEGE));
- assertTrue(l.remove(PrivilegeRegistry.WRITE_PRIVILEGE));
- assertTrue(l.remove(PrivilegeRegistry.ALL_PRIVILEGE));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_ADD_CHILD_NODES)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_MODIFY_PROPERTIES)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_REMOVE_NODE)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_WRITE)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_ALL)));
assertTrue(l.isEmpty());
}
- public void testAllPrivilege() {
- Privilege p = PrivilegeRegistry.ALL_PRIVILEGE;
- assertEquals(p.getName(), Privilege.ALL);
+ public void testAllPrivilege() throws RepositoryException {
+ Privilege p = privilegeRegistry.getPrivilege(Privilege.JCR_ALL);
+ assertSamePrivilegeName(p.getName(), Privilege.JCR_ALL);
assertTrue(p.isAggregate());
assertFalse(p.isAbstract());
List l = new ArrayList(Arrays.asList(p.getAggregatePrivileges()));
- assertTrue(l.remove(PrivilegeRegistry.READ_PRIVILEGE));
- assertTrue(l.remove(PrivilegeRegistry.ADD_CHILD_NODES_PRIVILEGE));
- assertTrue(l.remove(PrivilegeRegistry.REMOVE_CHILD_NODES_PRIVILEGE));
- assertTrue(l.remove(PrivilegeRegistry.MODIFY_PROPERTIES_PRIVILEGE));
- assertTrue(l.remove(PrivilegeRegistry.READ_AC_PRIVILEGE));
- assertTrue(l.remove(PrivilegeRegistry.MODIFY_AC_PRIVILEGE));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_ADD_CHILD_NODES)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_MODIFY_PROPERTIES)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_REMOVE_NODE)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
+ assertTrue(l.isEmpty());
+
+ l = new ArrayList(Arrays.asList(p.getDeclaredAggregatePrivileges()));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_WRITE)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_REMOVE_NODE)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
assertTrue(l.isEmpty());
}
- public void testGetBits() throws AccessControlException {
- Privilege[] privs = new Privilege[] {PrivilegeRegistry.ADD_CHILD_NODES_PRIVILEGE,
- PrivilegeRegistry.REMOVE_CHILD_NODES_PRIVILEGE};
+ public void testGetBits() throws RepositoryException {
+ Privilege[] privs = new Privilege[] {privilegeRegistry.getPrivilege(Privilege.JCR_ADD_CHILD_NODES),
+ privilegeRegistry.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)};
int bits = PrivilegeRegistry.getBits(privs);
assertTrue(bits > PrivilegeRegistry.NO_PRIVILEGE);
@@ -70,21 +120,23 @@
}
public void testGetBitsFromCustomPrivilege() throws AccessControlException {
- Privilege p = buildCustomPrivilege("anyName", PrivilegeRegistry.WRITE_PRIVILEGE);
-
- int bits = PrivilegeRegistry.getBits(new Privilege[] {p});
-
- assertTrue(bits > PrivilegeRegistry.NO_PRIVILEGE);
- assertTrue(bits == PrivilegeRegistry.WRITE);
+ Privilege p = buildCustomPrivilege(Privilege.JCR_READ, null);
+ try {
+ int bits = PrivilegeRegistry.getBits(new Privilege[] {p});
+ fail("Retrieving bits from unknown privilege should fail.");
+ } catch (AccessControlException e) {
+ // ok
+ }
}
- public void testGetBitsFromCustomPrivilege2() throws AccessControlException {
- Privilege p = buildCustomPrivilege(Privilege.READ, null);
-
- int bits = PrivilegeRegistry.getBits(new Privilege[] {p});
-
- assertTrue(bits > PrivilegeRegistry.NO_PRIVILEGE);
- assertTrue(bits == PrivilegeRegistry.READ);
+ public void testGetBitsFromCustomAggregatePrivilege() throws RepositoryException {
+ Privilege p = buildCustomPrivilege("anyName", privilegeRegistry.getPrivilege(Privilege.JCR_WRITE));
+ try {
+ int bits = PrivilegeRegistry.getBits(new Privilege[] {p});
+ fail("Retrieving bits from unknown privilege should fail.");
+ } catch (AccessControlException e) {
+ // ok
+ }
}
public void testGetBitsFromNull() {
@@ -115,52 +167,42 @@
}
}
- public void testGetPrivilegesFromBits() throws AccessControlException {
- Privilege[] pvs = PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ_AC);
+ public void testGetPrivilegesFromBits() throws RepositoryException {
+ Privilege[] pvs = privilegeRegistry.getPrivileges(PrivilegeRegistry.READ_AC);
assertTrue(pvs != null);
assertTrue(pvs.length == 1);
- assertEquals(pvs[0].getName(), Privilege.READ_ACCESS_CONTROL);
+ assertSamePrivilegeName(pvs[0].getName(), Privilege.JCR_READ_ACCESS_CONTROL);
}
- public void testGetPrivilegesFromBits2() throws AccessControlException {
+ public void testGetPrivilegesFromBits2() throws RepositoryException {
int writeBits = PrivilegeRegistry.ADD_CHILD_NODES | PrivilegeRegistry.REMOVE_CHILD_NODES | PrivilegeRegistry.MODIFY_PROPERTIES;
- Privilege[] pvs = PrivilegeRegistry.getPrivileges(writeBits);
+ Privilege[] pvs = privilegeRegistry.getPrivileges(writeBits);
assertTrue(pvs != null);
assertTrue(pvs.length == 1);
- assertEquals(pvs[0].getName(), Privilege.WRITE);
+ assertSamePrivilegeName(pvs[0].getName(), Privilege.JCR_WRITE);
assertTrue(pvs[0].isAggregate());
assertTrue(pvs[0].getDeclaredAggregatePrivileges().length == 3);
}
- public void testGetPrivilegesFromNames() throws AccessControlException {
- Privilege[] p = PrivilegeRegistry.getPrivileges(new String[] {Privilege.READ});
+ public void testGetPrivilegeFromName() throws AccessControlException, RepositoryException {
+ Privilege p = privilegeRegistry.getPrivilege(Privilege.JCR_READ);
- assertTrue(p != null && p.length == 1);
- assertEquals(p[0].getName(), PrivilegeRegistry.READ_PRIVILEGE.getName());
- assertEquals(p[0], PrivilegeRegistry.READ_PRIVILEGE);
- assertFalse(p[0].isAggregate());
-
- p = PrivilegeRegistry.getPrivileges(new String[] {Privilege.WRITE});
-
- assertTrue(p != null && p.length == 1);
- assertEquals(p[0].getName(), PrivilegeRegistry.WRITE_PRIVILEGE.getName());
- assertEquals(p[0], PrivilegeRegistry.WRITE_PRIVILEGE);
- assertTrue(p[0].isAggregate());
-
- p = PrivilegeRegistry.getPrivileges(new String[] {Privilege.READ,
- Privilege.MODIFY_ACCESS_CONTROL});
assertTrue(p != null);
- assertTrue(p.length == 2);
+ assertSamePrivilegeName(Privilege.JCR_READ, p.getName());
+ assertFalse(p.isAggregate());
+
+ p = privilegeRegistry.getPrivilege(Privilege.JCR_WRITE);
- List l = Arrays.asList(p);
- assertTrue(l.contains(PrivilegeRegistry.READ_PRIVILEGE) && l.contains(PrivilegeRegistry.MODIFY_AC_PRIVILEGE));
+ assertTrue(p != null);
+ assertSamePrivilegeName(p.getName(), Privilege.JCR_WRITE);
+ assertTrue(p.isAggregate());
}
- public void testGetPrivilegesFromInvalidNames() {
+ public void testGetPrivilegesFromInvalidName() throws RepositoryException {
try {
- PrivilegeRegistry.getPrivileges(new String[]{"unknown"});
+ privilegeRegistry.getPrivilege("unknown");
fail("invalid privilege name");
} catch (AccessControlException e) {
// OK
@@ -169,18 +211,20 @@
public void testGetPrivilegesFromEmptyNames() {
try {
- PrivilegeRegistry.getPrivileges(new String[0]);
+ privilegeRegistry.getPrivilege("");
fail("invalid privilege name array");
} catch (AccessControlException e) {
// OK
+ } catch (RepositoryException e) {
+ // OK
}
}
public void testGetPrivilegesFromNullNames() {
try {
- PrivilegeRegistry.getPrivileges(null);
- fail("invalid privilege names (null)");
- } catch (AccessControlException e) {
+ privilegeRegistry.getPrivilege(null);
+ fail("invalid privilege name (null)");
+ } catch (Exception e) {
// OK
}
}
@@ -191,9 +235,6 @@
public String getName() {
return name;
}
- public String getDescription() {
- return null;
- }
public boolean isAbstract() {
return false;
}
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java?rev=689499&r1=689498&r2=689499&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java Wed Aug 27 08:12:04 2008
@@ -33,10 +33,10 @@
* package.
*/
public static Test suite() {
- TestSuite suite = new TestSuite("security.authorization tests");
+ TestSuite suite = new TestSuite("core.security.authorization tests");
suite.addTestSuite(PrivilegeRegistryTest.class);
- suite.addTestSuite(PolicyTemplateTest.class);
+ suite.addTestSuite(JackrabbitAccessControlListTest.class);
return suite;
}