/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
import org.apache.jackrabbit.guava.common.collect.ImmutableMap;
import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
import org.apache.jackrabbit.guava.common.collect.Iterables;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.plugins.tree.TreeType;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.junit.Before;
import org.junit.Test;
import javax.jcr.PropertyType;
import javax.jcr.Value;
import java.security.Principal;
import java.util.Map;
import static javax.jcr.Session.ACTION_READ;
import static org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants.REP_NT_NAMES;
import static org.apache.jackrabbit.oak.spi.version.VersionConstants.REP_VERSIONSTORAGE;
import static org.apache.jackrabbit.oak.spi.version.VersionConstants.VERSION_STORE_PATH;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
/**
 * Verifies how {@link PrincipalBasedPermissionProvider} evaluates read access to the version store
 * root ({@code VERSION_STORE_PATH}) for the principal returned by {@code getTestSystemUser()}.
 *
 * <p>Most tests have the same two-step shape: assert that access is denied before this class adds
 * any policy entry, then call {@link #grantReadOnVersionStoreTrees()} and assert that read access is
 * granted. Locations below the version store that do not exist are asserted to stay denied after
 * the grant as well.</p>
 */
public class PermissionProviderVersionStoreTest extends AbstractPrincipalBasedTest {

    // Child of the version store root that is never created by this test.
    private static final String NON_EXISTING_VERSION_STORE_CHILD = VERSION_STORE_PATH + "/nonExisting";

    private Principal testPrincipal;
    private PrincipalBasedPermissionProvider permissionProvider;

    /**
     * Creates the content trees, adds {@code NodeTypeConstants.MIX_VERSIONABLE} to them and builds the
     * permission provider for the test principal. No access control entry is added here.
     */
    @Before
    public void before() throws Exception {
        super.before();

        testPrincipal = getTestSystemUser().getPrincipal();
        setupContentTrees(TEST_OAK_PATH);

        // NOTE(review): both ancestor paths are computed with the same depth (3), so they are equal
        // and the loop below handles that tree twice. Confirm whether a different depth was intended.
        String contentPath = PathUtils.getAncestorPath(TEST_OAK_PATH, 3);
        String andPath = PathUtils.getAncestorPath(TEST_OAK_PATH, 3);
        String[] versionablePaths = {contentPath, andPath, TEST_OAK_PATH};

        Tree nodeTypes = root.getTree(NodeTypeConstants.NODE_TYPES_PATH);
        for (String versionablePath : versionablePaths) {
            Tree target = root.getTree(versionablePath);
            TreeUtil.addMixin(target, NodeTypeConstants.MIX_VERSIONABLE, nodeTypes, "uid");
        }
        root.commit();

        permissionProvider = createPermissionProvider(root, testPrincipal);
    }

    /**
     * Uses the default mapper, so the paths in this test are passed through unchanged.
     */
    @Override
    protected NamePathMapper getNamePathMapper() {
        return NamePathMapper.DEFAULT;
    }

    /**
     * Adds one entry to the principal-based policy of the test principal, commits it and refreshes
     * the permission provider so that the assertions that follow evaluate the new entry.
     *
     * <p>The entry grants {@code PrivilegeConstants.JCR_READ} at the root path and carries a
     * {@code REP_NT_NAMES} restriction whose only value is {@code REP_VERSIONSTORAGE}. Without that
     * restriction the entry would be a plain read grant at the root path, so the restriction is the
     * part of this setup that scopes the grant.</p>
     */
    private void grantReadOnVersionStoreTrees() throws Exception {
        JackrabbitAccessControlManager acMgr = getAccessControlManager(root);
        PrincipalPolicyImpl principalPolicy = getPrincipalPolicyImpl(testPrincipal, acMgr);

        Value versionStorageType = getValueFactory(root).createValue(REP_VERSIONSTORAGE, PropertyType.NAME);
        Map<String, Value[]> ntNamesRestriction = ImmutableMap.of(REP_NT_NAMES, new Value[] {versionStorageType});
        principalPolicy.addEntry(
                PathUtils.ROOT_PATH,
                privilegesFromNames(PrivilegeConstants.JCR_READ),
                ImmutableMap.of(),
                ntNamesRestriction);
        acMgr.setPolicy(principalPolicy.getPath(), principalPolicy);

        root.commit();
        permissionProvider.refresh();
    }

    /**
     * Walks from the root tree down to the version store, chaining tree permissions, and checks the
     * type and the tree of the permission obtained for the version store root.
     */
    @Test
    public void testGetTreePermission() {
        Tree current = getRootProvider().createReadOnlyRoot(root).getTree(PathUtils.ROOT_PATH);
        TreePermission permission = permissionProvider.getTreePermission(current, TreePermission.EMPTY);
        for (String name : PathUtils.elements(VERSION_STORE_PATH)) {
            current = current.getChild(name);
            permission = permissionProvider.getTreePermission(current, permission);
        }

        assertTrue(permission instanceof AbstractTreePermission);
        AbstractTreePermission versionStorePermission = (AbstractTreePermission) permission;
        assertSame(TreeType.VERSION, versionStorePermission.getType());
        // must be 'regular' tree permission without extra versionable tree
        assertSame(current, versionStorePermission.getTree());
    }

    /**
     * Same walk as {@link #testGetTreePermission()}, but through the node-state based overload; every
     * step has to yield an {@link AbstractTreePermission}.
     */
    @Test
    public void testGetTreePermissionFromNodeState() {
        Tree rootTree = getRootProvider().createReadOnlyRoot(root).getTree(PathUtils.ROOT_PATH);
        TreePermission permission = permissionProvider.getTreePermission(rootTree, TreePermission.EMPTY);
        NodeState state = getTreeProvider().asNodeState(rootTree);
        for (String name : PathUtils.elements(VERSION_STORE_PATH)) {
            state = state.getChildNode(name);
            permission = permissionProvider.getTreePermission(name, state, (AbstractTreePermission) permission);
            assertTrue(permission instanceof AbstractTreePermission);
        }

        AbstractTreePermission versionStorePermission = (AbstractTreePermission) permission;
        assertSame(TreeType.VERSION, versionStorePermission.getType());
    }

    /**
     * Node and property read on the version store root: denied before the grant, granted after it.
     */
    @Test
    public void testIsGranted() throws Exception {
        Tree versionStoreTree = root.getTree(VERSION_STORE_PATH);

        // denied before any entry has been added by this test
        assertFalse(permissionProvider.isGranted(versionStoreTree, null, Permissions.READ_NODE));
        assertFalse(permissionProvider.isGranted(
                versionStoreTree, versionStoreTree.getProperty(JcrConstants.JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));

        grantReadOnVersionStoreTrees();

        assertTrue(permissionProvider.isGranted(versionStoreTree, null, Permissions.READ_NODE));
        assertTrue(permissionProvider.isGranted(
                versionStoreTree, versionStoreTree.getProperty(JcrConstants.JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));
    }

    /**
     * Location-based check on the version store root. The check before the grant covers
     * {@code Permissions.READ_NODE} only, while the check after the grant uses {@code Permissions.READ}.
     */
    @Test
    public void testIsGrantedTreeLocation() throws Exception {
        TreeLocation location = TreeLocation.create(root, VERSION_STORE_PATH);
        assertFalse(permissionProvider.isGranted(location, Permissions.READ_NODE));

        grantReadOnVersionStoreTrees();

        assertTrue(permissionProvider.isGranted(location, Permissions.READ));
    }

    /**
     * Location-based check on the primary-type property of the version store root.
     */
    @Test
    public void testIsGrantedPropertyLocation() throws Exception {
        TreeLocation versionStoreLocation = TreeLocation.create(root, VERSION_STORE_PATH);
        TreeLocation location = versionStoreLocation.getChild(JcrConstants.JCR_PRIMARYTYPE);
        // guard: the location must resolve to a property, otherwise the test would not check a property
        assertNotNull(location.getProperty());
        assertFalse(permissionProvider.isGranted(location, Permissions.READ_PROPERTY));

        grantReadOnVersionStoreTrees();

        assertTrue(permissionProvider.isGranted(location, Permissions.READ_PROPERTY));
    }

    /**
     * A location below the version store that does not exist stays denied, before and after the grant.
     */
    @Test
    public void testIsGrantedNonExistingLocation() throws Exception {
        TreeLocation location = TreeLocation.create(root, NON_EXISTING_VERSION_STORE_CHILD);
        assertFalse(permissionProvider.isGranted(location, Permissions.READ_NODE));

        grantReadOnVersionStoreTrees();

        // the grant must not make a missing location readable
        assertFalse(permissionProvider.isGranted(location, Permissions.READ_NODE));
    }

    /**
     * Path/action based check for {@code ACTION_READ} on the version store root.
     */
    @Test
    public void testIsGrantedByPath() throws Exception {
        assertFalse(permissionProvider.isGranted(VERSION_STORE_PATH, ACTION_READ));

        grantReadOnVersionStoreTrees();

        assertTrue(permissionProvider.isGranted(VERSION_STORE_PATH, ACTION_READ));
    }

    /**
     * Path/action based check for a path below the version store that does not exist; it stays denied
     * before and after the grant.
     */
    @Test
    public void testIsGrantedByNonExistingPath() throws Exception {
        assertFalse(permissionProvider.isGranted(NON_EXISTING_VERSION_STORE_CHILD, ACTION_READ));

        grantReadOnVersionStoreTrees();

        assertFalse(permissionProvider.isGranted(NON_EXISTING_VERSION_STORE_CHILD, ACTION_READ));
    }

    /**
     * The privilege set on the version store root is empty at first and holds exactly
     * {@code PrivilegeConstants.JCR_READ} after the grant.
     */
    @Test
    public void testGetPrivileges() throws Exception {
        Tree versionStoreTree = root.getTree(VERSION_STORE_PATH);
        assertTrue(permissionProvider.getPrivileges(versionStoreTree).isEmpty());

        grantReadOnVersionStoreTrees();

        assertTrue(Iterables.elementsEqual(
                ImmutableSet.of(PrivilegeConstants.JCR_READ), permissionProvider.getPrivileges(versionStoreTree)));
    }

    /**
     * Privilege test on the version store root. The check before the grant covers
     * {@code REP_READ_NODES} only; the check after the grant covers {@code REP_READ_NODES} and
     * {@code REP_READ_PROPERTIES} together.
     */
    @Test
    public void testHasPrivileges() throws Exception {
        Tree versionStoreTree = root.getTree(VERSION_STORE_PATH);
        assertFalse(permissionProvider.hasPrivileges(versionStoreTree, PrivilegeConstants.REP_READ_NODES));

        grantReadOnVersionStoreTrees();

        assertTrue(permissionProvider.hasPrivileges(
                versionStoreTree, PrivilegeConstants.REP_READ_NODES, PrivilegeConstants.REP_READ_PROPERTIES));
    }
}