oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/MountPermissionProviderTest.java - jackrabbit-oak - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.jackrabbit.oak.security.authorization.permission;

 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
 import org.apache.jackrabbit.oak.AbstractSecurityTest;
 import org.apache.jackrabbit.oak.api.ContentSession;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
 import org.apache.jackrabbit.oak.spi.mount.Mount;
 import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
 import org.apache.jackrabbit.oak.spi.mount.Mounts;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;

 import javax.jcr.security.AccessControlManager;
 import java.security.Principal;

 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;

 public class MountPermissionProviderTest extends AbstractSecurityTest
         implements AccessControlConstants, PrivilegeConstants, PermissionConstants {

     private MountInfoProvider mountInfoProvider;
     private String testNode = "MultiplexingProviderTest";
     private String testPath = "/" + testNode;

     @Override
     @Before
     public void before() throws Exception {
         mountInfoProvider = Mounts.newBuilder().mount("testMount", testPath).build();
         super.before();
     }

     @Override
     @After
     public void after() throws Exception {
         try {
             root.refresh();
             Tree test = root.getTree(testPath);
             if (test.exists()) {
                 test.remove();
             }
             root.commit();
         } finally {
             super.after();
         }
     }

     @Override
     protected SecurityProvider initSecurityProvider() {
         SecurityProvider sp = super.initSecurityProvider();
         MountUtils.bindMountInfoProvider(sp, mountInfoProvider);
         return sp;
     }

     @Test
     public void multiplexingProvider() throws Exception {

         // check init
         Tree permStore = root.getTree(PERMISSIONS_STORE_PATH);
         String wsName = adminSession.getWorkspaceName();
         assertTrue(permStore.hasChild(wsName));
         for (Mount m : mountInfoProvider.getNonDefaultMounts()) {
             assertTrue(permStore.hasChild(MountPermissionProvider.getPermissionRootName(m, wsName)));
         }

         Tree rootNode = root.getTree("/");
         Tree test = TreeUtil.addChild(rootNode, testNode, JcrConstants.NT_UNSTRUCTURED);
         Tree content = TreeUtil.addChild(test, "content", JcrConstants.NT_UNSTRUCTURED);
         root.commit();

         Principal p = getTestUser().getPrincipal();
         setPrivileges(p, test.getPath(), true, JCR_READ);
         setPrivileges(p, content.getPath(), false, JCR_READ);

         permStore = root.getTree(PERMISSIONS_STORE_PATH);
         // no entries in the default store
         assertFalse(permStore.getChild(wsName).hasChild(p.getName()));
         for (Mount m : mountInfoProvider.getNonDefaultMounts()) {
             Tree mps = permStore.getChild(MountPermissionProvider.getPermissionRootName(m, wsName));
             assertTrue(mps.hasChild(p.getName()));
         }

         try (ContentSession testSession = createTestSession()) {
             Root r = testSession.getLatestRoot();
             assertFalse(r.getTree("/").exists());
             assertTrue(r.getTree(test.getPath()).exists());
             assertFalse(r.getTree(content.getPath()).exists());
         }
     }

     @Test
     public void multiplexingProviderOpen() throws Exception {

         Tree rootNode = root.getTree("/");
         Tree test = TreeUtil.addChild(rootNode, testNode, JcrConstants.NT_UNSTRUCTURED);
         Tree content = TreeUtil.addChild(test, "content", JcrConstants.NT_UNSTRUCTURED);
         root.commit();

         Principal p = getTestUser().getPrincipal();
         setPrivileges(p, "/", true, JCR_READ);
         setPrivileges(p, test.getPath(), false, JCR_READ);
         setPrivileges(p, content.getPath(), true, JCR_READ);

         try (ContentSession testSession = createTestSession()) {
             Root r = testSession.getLatestRoot();
             assertTrue(r.getTree("/").exists());
             assertFalse(test.getPath(), r.getTree(test.getPath()).exists());
             assertTrue(r.getTree(content.getPath()).exists());
         }
     }

     @Test
     public void testPermissionProviderName() {
         assertEquals("oak.default",
                 MountPermissionProvider.getPermissionRootName(mountInfoProvider.getDefaultMount(), "oak.default"));
         assertEquals("oak:mount-testMount-oak.default", MountPermissionProvider
                 .getPermissionRootName(mountInfoProvider.getMountByName("testMount"), "oak.default"));
     }

     private void setPrivileges(Principal principal, String path, boolean allow, String... privileges) throws Exception {
         AccessControlManager acm = getAccessControlManager(root);
         JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acm, path);
         acl.addEntry(principal, privilegesFromNames(privileges), allow);
         acm.setPolicy(path, acl);
         root.commit();
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.jackrabbit.oak.security.authorization.permission;

	import org.apache.jackrabbit.JcrConstants;
	import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
	import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
	import org.apache.jackrabbit.oak.AbstractSecurityTest;
	import org.apache.jackrabbit.oak.api.ContentSession;
	import org.apache.jackrabbit.oak.api.Root;
	import org.apache.jackrabbit.oak.api.Tree;
	import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
	import org.apache.jackrabbit.oak.spi.mount.Mount;
	import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
	import org.apache.jackrabbit.oak.spi.mount.Mounts;
	import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
	import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
	import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
	import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
	import org.junit.After;
	import org.junit.Before;
	import org.junit.Test;

	import javax.jcr.security.AccessControlManager;
	import java.security.Principal;

	import static org.junit.Assert.assertEquals;
	import static org.junit.Assert.assertFalse;
	import static org.junit.Assert.assertTrue;

	public class MountPermissionProviderTest extends AbstractSecurityTest
	implements AccessControlConstants, PrivilegeConstants, PermissionConstants {

	private MountInfoProvider mountInfoProvider;
	private String testNode = "MultiplexingProviderTest";
	private String testPath = "/" + testNode;

	@Override
	@Before
	public void before() throws Exception {
	mountInfoProvider = Mounts.newBuilder().mount("testMount", testPath).build();
	super.before();
	}

	@Override
	@After
	public void after() throws Exception {
	try {
	root.refresh();
	Tree test = root.getTree(testPath);
	if (test.exists()) {
	test.remove();
	}
	root.commit();
	} finally {
	super.after();
	}
	}

	@Override
	protected SecurityProvider initSecurityProvider() {
	SecurityProvider sp = super.initSecurityProvider();
	MountUtils.bindMountInfoProvider(sp, mountInfoProvider);
	return sp;
	}

	@Test
	public void multiplexingProvider() throws Exception {

	// check init
	Tree permStore = root.getTree(PERMISSIONS_STORE_PATH);
	String wsName = adminSession.getWorkspaceName();
	assertTrue(permStore.hasChild(wsName));
	for (Mount m : mountInfoProvider.getNonDefaultMounts()) {
	assertTrue(permStore.hasChild(MountPermissionProvider.getPermissionRootName(m, wsName)));
	}

	Tree rootNode = root.getTree("/");
	Tree test = TreeUtil.addChild(rootNode, testNode, JcrConstants.NT_UNSTRUCTURED);
	Tree content = TreeUtil.addChild(test, "content", JcrConstants.NT_UNSTRUCTURED);
	root.commit();

	Principal p = getTestUser().getPrincipal();
	setPrivileges(p, test.getPath(), true, JCR_READ);
	setPrivileges(p, content.getPath(), false, JCR_READ);

	permStore = root.getTree(PERMISSIONS_STORE_PATH);
	// no entries in the default store
	assertFalse(permStore.getChild(wsName).hasChild(p.getName()));
	for (Mount m : mountInfoProvider.getNonDefaultMounts()) {
	Tree mps = permStore.getChild(MountPermissionProvider.getPermissionRootName(m, wsName));
	assertTrue(mps.hasChild(p.getName()));
	}

	try (ContentSession testSession = createTestSession()) {
	Root r = testSession.getLatestRoot();
	assertFalse(r.getTree("/").exists());
	assertTrue(r.getTree(test.getPath()).exists());
	assertFalse(r.getTree(content.getPath()).exists());
	}
	}

	@Test
	public void multiplexingProviderOpen() throws Exception {

	Tree rootNode = root.getTree("/");
	Tree test = TreeUtil.addChild(rootNode, testNode, JcrConstants.NT_UNSTRUCTURED);
	Tree content = TreeUtil.addChild(test, "content", JcrConstants.NT_UNSTRUCTURED);
	root.commit();

	Principal p = getTestUser().getPrincipal();
	setPrivileges(p, "/", true, JCR_READ);
	setPrivileges(p, test.getPath(), false, JCR_READ);
	setPrivileges(p, content.getPath(), true, JCR_READ);

	try (ContentSession testSession = createTestSession()) {
	Root r = testSession.getLatestRoot();
	assertTrue(r.getTree("/").exists());
	assertFalse(test.getPath(), r.getTree(test.getPath()).exists());
	assertTrue(r.getTree(content.getPath()).exists());
	}
	}

	@Test
	public void testPermissionProviderName() {
	assertEquals("oak.default",
	MountPermissionProvider.getPermissionRootName(mountInfoProvider.getDefaultMount(), "oak.default"));
	assertEquals("oak:mount-testMount-oak.default", MountPermissionProvider
	.getPermissionRootName(mountInfoProvider.getMountByName("testMount"), "oak.default"));
	}

	private void setPrivileges(Principal principal, String path, boolean allow, String... privileges) throws Exception {
	AccessControlManager acm = getAccessControlManager(root);
	JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acm, path);
	acl.addEntry(principal, privilegesFromNames(privileges), allow);
	acm.setPolicy(path, acl);
	root.commit();
	}
	}