oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugContextTest.java - jackrabbit-oak - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;

 import java.util.List;
 import javax.jcr.security.AccessControlList;
 import javax.jcr.security.AccessControlManager;

 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.api.Type;
 import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
 import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
 import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
 import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.junit.Before;
 import org.junit.Test;

 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;

 public class CugContextTest extends AbstractCugTest implements NodeTypeConstants {

     private static String CUG_PATH = "/content/a/rep:cugPolicy";
     private static List<String> NO_CUG_PATH = ImmutableList.of(
             "/content",
             "/content/a",
             "/content/rep:policy",
             "/content/rep:cugPolicy",
             "/content/a/rep:cugPolicy/rep:principalNames",
             UNSUPPORTED_PATH + "/rep:cugPolicy"
     );

     @Before
     @Override
     public void before() throws Exception {
         super.before();

         // add more child nodes
         Tree n = root.getTree(SUPPORTED_PATH);
         createTrees(n, "a", "b", "c");
         createTrees(n, "aa", "bb", "cc");

         // create cugs
         createCug("/content/a", getTestUser().getPrincipal());

         // setup regular acl at /content
         AccessControlManager acMgr = getAccessControlManager(root);
         AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/content");
         acl.addAccessControlEntry(getTestUser().getPrincipal(), privilegesFromNames(PrivilegeConstants.JCR_READ));
         acMgr.setPolicy("/content", acl);

         root.commit();
     }

     @Override
     public void after() throws Exception {
         try {
             root.refresh();
         } finally {
             super.after();
         }
     }

     @Test
     public void testDefinesContextRoot() {
         assertTrue(CugContext.INSTANCE.definesContextRoot(root.getTree(CUG_PATH)));

         for (String path : NO_CUG_PATH) {
             assertFalse(path, CugContext.INSTANCE.definesContextRoot(root.getTree(path)));
         }
     }

     @Test
     public void testDefinesTree() {
         assertTrue(CugContext.INSTANCE.definesTree(root.getTree(CUG_PATH)));

         for (String path : NO_CUG_PATH) {
             assertFalse(path, CugContext.INSTANCE.definesTree(root.getTree(path)));
         }
     }

     @Test
     public void testDefinesProperty() {
         Tree cugTree = root.getTree(CUG_PATH);
         PropertyState repPrincipalNames = cugTree.getProperty(CugConstants.REP_PRINCIPAL_NAMES);
         assertTrue(CugContext.INSTANCE.definesProperty(cugTree, repPrincipalNames));
         assertFalse(CugContext.INSTANCE.definesProperty(cugTree, cugTree.getProperty(JcrConstants.JCR_PRIMARYTYPE)));

         for (String path : NO_CUG_PATH) {
             assertFalse(path, CugContext.INSTANCE.definesProperty(root.getTree(path), repPrincipalNames));
         }
     }

     @Test
     public void testDefinesLocation() {
         assertTrue(CugContext.INSTANCE.definesLocation(TreeLocation.create(root, CUG_PATH)));
         assertTrue(CugContext.INSTANCE.definesLocation(TreeLocation.create(root, CUG_PATH + "/" + CugConstants.REP_PRINCIPAL_NAMES)));

         List<String> existingNoCug = ImmutableList.of(
                 "/content",
                 "/content/a",
                 "/content/rep:policy"
         );
         for (String path : existingNoCug) {
             assertFalse(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path)));
             assertFalse(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path + "/" + CugConstants.REP_PRINCIPAL_NAMES)));
         }

         List<String> nonExistingCug = ImmutableList.of(
                 "/content/rep:cugPolicy",
                 UNSUPPORTED_PATH + "/rep:cugPolicy");
         for (String path : nonExistingCug) {
             assertTrue(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path)));
             assertTrue(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path + "/" + CugConstants.REP_PRINCIPAL_NAMES)));
             assertFalse(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path + "/" + JcrConstants.JCR_PRIMARYTYPE)));
         }
     }

     @Test
     public void testInvalidCug() throws Exception {
         PropertyState ps = PropertyStates.createProperty(CugConstants.REP_PRINCIPAL_NAMES, ImmutableSet.of(getTestUser().getPrincipal().getName()), Type.STRINGS);

         // cug at unsupported path -> context doesn't take supported paths into account.
         Tree invalidCug = TreeUtil.addChild(root.getTree(UNSUPPORTED_PATH), CugConstants.REP_CUG_POLICY, CugConstants.NT_REP_CUG_POLICY);
         invalidCug.setProperty(ps);

         assertTrue(CugContext.INSTANCE.definesContextRoot(invalidCug));
         assertTrue(CugContext.INSTANCE.definesTree(invalidCug));
         assertTrue(CugContext.INSTANCE.definesProperty(invalidCug, invalidCug.getProperty(CugConstants.REP_PRINCIPAL_NAMES)));

         // 'cug' with wrong node type -> detected as no-cug by context
         invalidCug = TreeUtil.addChild(root.getTree(UNSUPPORTED_PATH), CugConstants.REP_CUG_POLICY, NT_OAK_UNSTRUCTURED);
         invalidCug.setProperty(ps);

         assertFalse(CugContext.INSTANCE.definesContextRoot(invalidCug));
         assertFalse(CugContext.INSTANCE.definesTree(invalidCug));
         assertFalse(CugContext.INSTANCE.definesProperty(invalidCug, invalidCug.getProperty(CugConstants.REP_PRINCIPAL_NAMES)));
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;

	import java.util.List;
	import javax.jcr.security.AccessControlList;
	import javax.jcr.security.AccessControlManager;

	import com.google.common.collect.ImmutableList;
	import com.google.common.collect.ImmutableSet;
	import org.apache.jackrabbit.JcrConstants;
	import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
	import org.apache.jackrabbit.oak.api.PropertyState;
	import org.apache.jackrabbit.oak.api.Tree;
	import org.apache.jackrabbit.oak.api.Type;
	import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
	import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
	import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
	import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
	import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
	import org.junit.Before;
	import org.junit.Test;

	import static org.junit.Assert.assertFalse;
	import static org.junit.Assert.assertTrue;

	public class CugContextTest extends AbstractCugTest implements NodeTypeConstants {

	private static String CUG_PATH = "/content/a/rep:cugPolicy";
	private static List<String> NO_CUG_PATH = ImmutableList.of(
	"/content",
	"/content/a",
	"/content/rep:policy",
	"/content/rep:cugPolicy",
	"/content/a/rep:cugPolicy/rep:principalNames",
	UNSUPPORTED_PATH + "/rep:cugPolicy"
	);

	@Before
	@Override
	public void before() throws Exception {
	super.before();

	// add more child nodes
	Tree n = root.getTree(SUPPORTED_PATH);
	createTrees(n, "a", "b", "c");
	createTrees(n, "aa", "bb", "cc");

	// create cugs
	createCug("/content/a", getTestUser().getPrincipal());

	// setup regular acl at /content
	AccessControlManager acMgr = getAccessControlManager(root);
	AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/content");
	acl.addAccessControlEntry(getTestUser().getPrincipal(), privilegesFromNames(PrivilegeConstants.JCR_READ));
	acMgr.setPolicy("/content", acl);

	root.commit();
	}

	@Override
	public void after() throws Exception {
	try {
	root.refresh();
	} finally {
	super.after();
	}
	}

	@Test
	public void testDefinesContextRoot() {
	assertTrue(CugContext.INSTANCE.definesContextRoot(root.getTree(CUG_PATH)));

	for (String path : NO_CUG_PATH) {
	assertFalse(path, CugContext.INSTANCE.definesContextRoot(root.getTree(path)));
	}
	}

	@Test
	public void testDefinesTree() {
	assertTrue(CugContext.INSTANCE.definesTree(root.getTree(CUG_PATH)));

	for (String path : NO_CUG_PATH) {
	assertFalse(path, CugContext.INSTANCE.definesTree(root.getTree(path)));
	}
	}

	@Test
	public void testDefinesProperty() {
	Tree cugTree = root.getTree(CUG_PATH);
	PropertyState repPrincipalNames = cugTree.getProperty(CugConstants.REP_PRINCIPAL_NAMES);
	assertTrue(CugContext.INSTANCE.definesProperty(cugTree, repPrincipalNames));
	assertFalse(CugContext.INSTANCE.definesProperty(cugTree, cugTree.getProperty(JcrConstants.JCR_PRIMARYTYPE)));

	for (String path : NO_CUG_PATH) {
	assertFalse(path, CugContext.INSTANCE.definesProperty(root.getTree(path), repPrincipalNames));
	}
	}

	@Test
	public void testDefinesLocation() {
	assertTrue(CugContext.INSTANCE.definesLocation(TreeLocation.create(root, CUG_PATH)));
	assertTrue(CugContext.INSTANCE.definesLocation(TreeLocation.create(root, CUG_PATH + "/" + CugConstants.REP_PRINCIPAL_NAMES)));

	List<String> existingNoCug = ImmutableList.of(
	"/content",
	"/content/a",
	"/content/rep:policy"
	);
	for (String path : existingNoCug) {
	assertFalse(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path)));
	assertFalse(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path + "/" + CugConstants.REP_PRINCIPAL_NAMES)));
	}

	List<String> nonExistingCug = ImmutableList.of(
	"/content/rep:cugPolicy",
	UNSUPPORTED_PATH + "/rep:cugPolicy");
	for (String path : nonExistingCug) {
	assertTrue(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path)));
	assertTrue(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path + "/" + CugConstants.REP_PRINCIPAL_NAMES)));
	assertFalse(path, CugContext.INSTANCE.definesLocation(TreeLocation.create(root, path + "/" + JcrConstants.JCR_PRIMARYTYPE)));
	}
	}

	@Test
	public void testInvalidCug() throws Exception {
	PropertyState ps = PropertyStates.createProperty(CugConstants.REP_PRINCIPAL_NAMES, ImmutableSet.of(getTestUser().getPrincipal().getName()), Type.STRINGS);

	// cug at unsupported path -> context doesn't take supported paths into account.
	Tree invalidCug = TreeUtil.addChild(root.getTree(UNSUPPORTED_PATH), CugConstants.REP_CUG_POLICY, CugConstants.NT_REP_CUG_POLICY);
	invalidCug.setProperty(ps);

	assertTrue(CugContext.INSTANCE.definesContextRoot(invalidCug));
	assertTrue(CugContext.INSTANCE.definesTree(invalidCug));
	assertTrue(CugContext.INSTANCE.definesProperty(invalidCug, invalidCug.getProperty(CugConstants.REP_PRINCIPAL_NAMES)));

	// 'cug' with wrong node type -> detected as no-cug by context
	invalidCug = TreeUtil.addChild(root.getTree(UNSUPPORTED_PATH), CugConstants.REP_CUG_POLICY, NT_OAK_UNSTRUCTURED);
	invalidCug.setProperty(ps);

	assertFalse(CugContext.INSTANCE.definesContextRoot(invalidCug));
	assertFalse(CugContext.INSTANCE.definesTree(invalidCug));
	assertFalse(CugContext.INSTANCE.definesProperty(invalidCug, invalidCug.getProperty(CugConstants.REP_PRINCIPAL_NAMES)));
	}
	}