oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AdminPrincipalsBaseTest.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.jackrabbit.oak.security.authorization.accesscontrol;

import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;

import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.junit.Test;

public abstract class AdminPrincipalsBaseTest extends AbstractSecurityTest {

    static final String ADMINISTRATORS_PRINCIPAL_NAME = "administrators";

    AccessControlList acl;
    private Principal administrativePrincipal;

    @Override
    public void before() throws Exception {
        super.before();

        Tree rootNode = root.getTree(PathUtils.ROOT_PATH);
        TreeUtil.addChild(rootNode, "testNode", JcrConstants.NT_UNSTRUCTURED);

        administrativePrincipal = getUserManager(root).createGroup(new PrincipalImpl(ADMINISTRATORS_PRINCIPAL_NAME)).getPrincipal();
        root.commit();

        AccessControlManager acMgr = getAccessControlManager(root);
        AccessControlPolicyIterator itr = acMgr.getApplicablePolicies("/testNode");
        while (itr.hasNext() && acl == null) {
            AccessControlPolicy policy = itr.nextAccessControlPolicy();
            if (policy instanceof AccessControlList)  {
                acl = (AccessControlList) policy;
            }
        }

        if (acl == null) {
            throw new RepositoryException("No applicable policy found.");
        }
    }

    @Override
    public void after() throws Exception {
        try {
            root.refresh();
            root.getTree("/testNode").remove();

            Authorizable gr = getUserManager(root).getAuthorizable(administrativePrincipal);
            if (gr != null) {
                gr.remove();
            }
            root.commit();
        } finally {
            super.after();
        }
    }

    abstract void assertResult(boolean success) throws Exception;
    abstract void assertException() throws Exception;

    /**
     * Test if the ACL code properly deals the creation of ACEs for administrative
     * principals which have full access anyway.
     *
     * @since Oak 1.1.1
     * @see <a href="https://issues.apache.org/jira/browse/OAK-2158">OAK-2158</a>
     */
    @Test
    public void testAdminPrincipal() throws Exception {
        try {
            boolean success = acl.addAccessControlEntry((AdminPrincipal) () -> "admin", privilegesFromNames(PrivilegeConstants.JCR_READ));
            assertResult(success);
        } catch (AccessControlException e) {
            assertException();
        }
    }

    @Test
    public void testAdminAuthInfoPrincipals() throws Exception {
        try {
            for (Principal p : adminSession.getAuthInfo().getPrincipals()) {
                if (p instanceof AdminPrincipal) {
                    boolean success = acl.addAccessControlEntry(p, privilegesFromNames(PrivilegeConstants.JCR_READ));
                    assertResult(success);
                }
            }
        } catch (AccessControlException e) {
            assertException();
        }
    }

    /**
     * Test if the ACL code properly deals the creation of ACEs for system
     * principals which have full access anyway.
     *
     * @since Oak 1.3.0
     * @see <a href="https://issues.apache.org/jira/browse/OAK-2955">OAK-2955</a>
     */
    @Test
    public void testSystemPrincipal() throws Exception {
        try {
            boolean success = acl.addAccessControlEntry(SystemPrincipal.INSTANCE, privilegesFromNames(PrivilegeConstants.JCR_READ));
            assertResult(success);
        } catch (AccessControlException e) {
            assertException();
        }
    }

    /**
     * Test if the ACL code properly deals the creation of ACEs for configured
     * admin-principals, which have full access anyway.
     *
     * @since Oak 1.3.0
     * @see <a href="https://issues.apache.org/jira/browse/OAK-2955">OAK-2955</a>
     */
    @Test
    public void testConfiguredAdministrativePrincipal() throws Exception {
        try {
            boolean success = acl.addAccessControlEntry(administrativePrincipal, privilegesFromNames(PrivilegeConstants.JCR_READ));
            assertResult(success);
        } catch (AccessControlException e) {
            assertException();
        }
    }
}