oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AbstractAccessControlTest.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.jackrabbit.oak.security.authorization.accesscontrol;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.junit.Before;

public abstract class AbstractAccessControlTest extends AbstractSecurityTest implements PrivilegeConstants {

    static final String TEST_PATH = "/testPath";

    private PrivilegeManager privilegeManager;
    PrincipalManager principalManager;

    ACL acl;
    Principal testPrincipal;
    Privilege[] testPrivileges;

    @Override
    @Before
    public void before() throws Exception {
        super.before();

        TreeUtil.addChild(root.getTree(PathUtils.ROOT_PATH), "testPath", JcrConstants.NT_UNSTRUCTURED);
        root.commit();

        testPrincipal = getTestUser().getPrincipal();
        testPrivileges = privilegesFromNames(JCR_ADD_CHILD_NODES, JCR_LOCK_MANAGEMENT);

        privilegeManager = getPrivilegeManager(root);
        principalManager = getPrincipalManager(root);

        acl = createEmptyACL();
    }

    @Override
    public void after() throws Exception {
        try {
            root.refresh();
            Tree t = root.getTree(TEST_PATH);
            if (t.exists()) {
                t.remove();
                root.commit();
            }
        } finally {
            super.after();
        }
    }

    @NotNull
    RestrictionProvider getRestrictionProvider() {
        return getConfig(AuthorizationConfiguration.class).getRestrictionProvider();
    }

    @NotNull
    PrivilegeBitsProvider getBitsProvider() {
        return new PrivilegeBitsProvider(root);
    }

    @NotNull
    List<ACE> createTestEntries() throws RepositoryException {
        List<ACE> entries = new ArrayList<>(3);
        for (int i = 0; i < 3; i++) {
            entries.add(createEntry(new PrincipalImpl("testPrincipal" + i), true, null, PrivilegeConstants.JCR_READ));
        }
        return entries;
    }

    @NotNull
    ACE createEntry(@NotNull Principal principal, boolean isAllow, @Nullable Set<Restriction> restrictions, @NotNull String... privilegeNames) throws RepositoryException {
        return createEntry(principal, privilegesFromNames(privilegeNames), isAllow, restrictions);
    }

    @NotNull
    ACE createEntry(@NotNull Principal principal, @NotNull Privilege[] privileges, boolean isAllow) throws RepositoryException {
        return createEntry(principal, privileges, isAllow, null);
    }

    @NotNull
    ACE createEntry(@NotNull Principal principal, @NotNull PrivilegeBits bits, boolean isAllow, @NotNull Set<Restriction> restrictions) throws RepositoryException {
        AccessControlPolicyIterator it = getAccessControlManager(root).getApplicablePolicies(TEST_PATH);
        while (it.hasNext()) {
            AccessControlPolicy policy = it.nextAccessControlPolicy();
            if (policy instanceof ACL) {
                return ((ACL) policy).createACE(principal, bits, isAllow, restrictions);
            }
        }

        throw new UnsupportedOperationException();
    }

    @NotNull
    private ACE createEntry(@NotNull Principal principal, @NotNull Privilege[] privileges, boolean isAllow, @Nullable Set<Restriction> restrictions)
            throws RepositoryException {
        ACL acl = createEmptyACL();
        return acl.createACE(principal, getBitsProvider().getBits(privileges, getNamePathMapper()), isAllow, restrictions);
    }

    @NotNull
    ACL createEmptyACL() {
        return createACL(TEST_PATH, Collections.emptyList(), getNamePathMapper(), getRestrictionProvider());
    }

    @NotNull
    ACL createACL(@Nullable String jcrPath,
                  @NotNull List<ACE> entries,
                  @NotNull NamePathMapper namePathMapper) {
        return createACL(jcrPath, entries, namePathMapper, getRestrictionProvider());
    }

    @NotNull
    ACL createACL(@Nullable String jcrPath,
                  @NotNull List<ACE> entries,
                  @NotNull NamePathMapper namePathMapper,
                  @NotNull RestrictionProvider restrictionProvider) {
        return createACL(jcrPath, entries, namePathMapper, restrictionProvider, privilegeManager);
    }

    @NotNull
    ACL createACL(@Nullable String jcrPath,
                  @NotNull List<ACE> entries,
                  @NotNull NamePathMapper namePathMapper,
                  @NotNull RestrictionProvider restrictionProvider,
                  @NotNull PrivilegeManager privilegeManager) {
        String path = (jcrPath == null) ? null : namePathMapper.getOakPath(jcrPath);
        return new ACL(path, entries, namePathMapper) {
            @NotNull
            @Override
            public RestrictionProvider getRestrictionProvider() {
                return restrictionProvider;
            }

            @Override
            ACE createACE(Principal principal, PrivilegeBits privilegeBits, boolean isAllow, Set<Restriction> restrictions) throws RepositoryException {
                return createEntry(principal, privilegeBits, isAllow, restrictions);
            }

            @Override
            boolean checkValidPrincipal(Principal principal) throws AccessControlException {
                Util.checkValidPrincipal(principal, principalManager);
                return true;
            }

            @Override
            PrivilegeManager getPrivilegeManager() {
                return privilegeManager;
            }

            @Override
            PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
                return new PrivilegeBitsProvider(root).getBits(privileges, getNamePathMapper());
            }
        };
    }
}