oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionProviderVersionTest.java - jackrabbit-oak - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

 import org.apache.jackrabbit.guava.common.collect.Sets;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.api.Type;
 import org.apache.jackrabbit.oak.commons.PathUtils;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManager;
 import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
 import org.apache.jackrabbit.oak.plugins.tree.TreeType;
 import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
 import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.jetbrains.annotations.NotNull;
 import org.junit.Before;
 import org.junit.Test;

 import java.security.Principal;

 import static org.apache.jackrabbit.guava.common.base.Preconditions.checkNotNull;
 import static javax.jcr.Session.ACTION_READ;
 import static org.apache.jackrabbit.JcrConstants.JCR_BASEVERSION;
 import static org.apache.jackrabbit.JcrConstants.JCR_ISCHECKEDOUT;
 import static org.apache.jackrabbit.JcrConstants.JCR_PRIMARYTYPE;
 import static org.apache.jackrabbit.JcrConstants.JCR_VERSIONHISTORY;
 import static org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_LOCK_MANAGEMENT;
 import static org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_READ;
 import static org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_VERSION_MANAGEMENT;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotSame;
 import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;

 public class PermissionProviderVersionTest extends AbstractPrincipalBasedTest {

     private PrincipalBasedPermissionProvider permissionProvider;

     private String contentPath;
     private String grandchildPath;

     @Before
     public void before() throws Exception {
         super.before();

         Principal testPrincipal = getTestSystemUser().getPrincipal();
         setupContentTrees(TEST_OAK_PATH);

         contentPath = PathUtils.getAncestorPath(TEST_OAK_PATH, 3);
         String childPath = PathUtils.getAncestorPath(TEST_OAK_PATH, 2);
         grandchildPath = PathUtils.getAncestorPath(TEST_OAK_PATH, 1);

         // setup permissions on childPath + TEST_OAK_PATH
         PrincipalPolicyImpl policy = setupPrincipalBasedAccessControl(testPrincipal, getNamePathMapper().getJcrPath(childPath), JCR_READ);
         addPrincipalBasedEntry(policy, getNamePathMapper().getJcrPath(TEST_OAK_PATH), PrivilegeConstants.JCR_VERSION_MANAGEMENT);

         // versionabel nodes: contentPath + grandChildPath + TEST_OAK_PATH
         // -> 1 TEST_OAK_PATH node hold policy, grandchildPath get it inherited and contentPath has no permissions granted
         Tree typeRoot = root.getTree(NodeTypeConstants.NODE_TYPES_PATH);
         for (String path : new String[] {contentPath, grandchildPath, TEST_OAK_PATH}) {
             Tree versionable = root.getTree(path);
             TreeUtil.addMixin(root.getTree(path), NodeTypeConstants.MIX_VERSIONABLE, typeRoot, "uid");
         }
         root.commit();

         // force creation of a new version for grandchildPath, TEST_OAK_PATH but not for contentPath
         // removing tree for contentPath will then also result in removal of VH upon removal.
         for (String path : new String[] {grandchildPath, TEST_OAK_PATH}) {
             root.getTree(path).setProperty(JCR_ISCHECKEDOUT, false);
             root.commit();
             root.getTree(path).setProperty(JCR_ISCHECKEDOUT, true);
             root.commit();
         }

         permissionProvider = createPermissionProvider(root, testPrincipal);
     }

     @Override
     protected NamePathMapper getNamePathMapper() {
         return NamePathMapper.DEFAULT;
     }

     @NotNull
     private String getVersionPath(@NotNull String versionablePath, boolean history) {
         Tree versionable = root.getTree(versionablePath);
         String path;
         if (history) {
             path = new IdentifierManager(root).getPath(versionable.getProperty(JCR_VERSIONHISTORY));
         } else {
             path = new IdentifierManager(root).getPath(versionable.getProperty(JCR_BASEVERSION));
         }
         checkNotNull(path);
         return path;
     }

     @NotNull
     private Tree getVersionTree(@NotNull String versionablePath, boolean history) {
         Tree versionable = root.getTree(versionablePath);
         PropertyState reference;
         if (history) {
             reference = versionable.getProperty(JCR_VERSIONHISTORY);
         } else {
             reference = versionable.getProperty(JCR_BASEVERSION);
         }
         Tree t = new IdentifierManager(root).getTree(reference.getValue(Type.STRING));
         checkNotNull(t);
         return t;
     }

     @Test
     public void testGetTreePermission() {
         Tree tree = getRootProvider().createReadOnlyRoot(root).getTree(PathUtils.ROOT_PATH);
         TreePermission tp = permissionProvider.getTreePermission(tree, TreePermission.EMPTY);

         for (String elem : PathUtils.elements(getVersionPath(TEST_OAK_PATH, false))) {
             tree = tree.getChild(elem);
             tp = permissionProvider.getTreePermission(tree, tp);
         }

         assertTrue(tp instanceof AbstractTreePermission);
         AbstractTreePermission atp = (AbstractTreePermission) tp;
         assertSame(TreeType.VERSION, atp.getType());
         // tree must point to versionable node and NOT to the version tree
         assertNotSame(tree, atp.getTree());
         assertEquals(TEST_OAK_PATH, atp.getTree().getPath());
     }

     @Test
     public void testGetTreePermissionVersionableNodeRemoved() throws Exception {
         String versionPath = getVersionPath(TEST_OAK_PATH, false);

         root.getTree(TEST_OAK_PATH).remove();
         root.commit();
         permissionProvider.refresh();

         Tree tree = getRootProvider().createReadOnlyRoot(root).getTree(PathUtils.ROOT_PATH);
         TreePermission tp = permissionProvider.getTreePermission(tree, TreePermission.EMPTY);

         for (String elem : PathUtils.elements(versionPath)) {
             tree = tree.getChild(elem);
             tp = permissionProvider.getTreePermission(tree, tp);
         }

         assertTrue(tp instanceof AbstractTreePermission);
         AbstractTreePermission atp = (AbstractTreePermission) tp;
         assertSame(TreeType.VERSION, atp.getType());
         // tree must point to non-existing versionable node and NOT to the version tree
         assertNotSame(tree, atp.getTree());
         assertFalse(atp.getTree().exists());
         assertEquals(TEST_OAK_PATH, atp.getTree().getPath());
     }

     @Test
     public void testGetTreePermissionVersionHistoryRemoved() throws Exception {
         String vhPath = getVersionPath(contentPath, true);

         root.getTree(contentPath).remove();
         root.commit();
         permissionProvider.refresh();

         Tree tree = getRootProvider().createReadOnlyRoot(root).getTree(PathUtils.ROOT_PATH);
         TreePermission tp = permissionProvider.getTreePermission(tree, TreePermission.EMPTY);

         for (String elem : PathUtils.elements(vhPath)) {
             tree = tree.getChild(elem);
             tp = permissionProvider.getTreePermission(tree, tp);
         }

         assertSame(TreePermission.EMPTY, tp);
     }

     @Test
     public void testIsGranted() throws Exception {
         assertFalse(permissionProvider.isGranted(getVersionTree(contentPath, true), null, Permissions.READ_NODE));
         assertFalse(permissionProvider.isGranted(getVersionTree(grandchildPath, true), null, Permissions.READ_NODE|Permissions.VERSION_MANAGEMENT));
         assertFalse(permissionProvider.isGranted(getVersionTree(TEST_OAK_PATH, true), null, Permissions.READ|Permissions.WRITE));


         assertTrue(permissionProvider.isGranted(getVersionTree(grandchildPath, true), null, Permissions.READ_NODE));
         assertTrue(permissionProvider.isGranted(getVersionTree(TEST_OAK_PATH, true), null, Permissions.READ|Permissions.VERSION_MANAGEMENT));
     }

     @Test
     public void testIsGrantedWithProperty() throws Exception {
         Tree t = getVersionTree(contentPath, true);
         assertFalse(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));

         t = getVersionTree(grandchildPath, false);
         assertFalse(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY|Permissions.VERSION_MANAGEMENT));

         t = getVersionTree(TEST_OAK_PATH, true);
         assertFalse(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY|Permissions.WRITE));


         t = getVersionTree(grandchildPath, true);
         assertTrue(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));

         t = getVersionTree(TEST_OAK_PATH, false);
         assertTrue(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY|Permissions.VERSION_MANAGEMENT));
     }

     @Test
     public void testIsGrantedVersionableTreeRemoved() throws Exception {
         String versionPath = getVersionPath(TEST_OAK_PATH, false);

         root.getTree(TEST_OAK_PATH).remove();
         root.commit();
         permissionProvider.refresh();

         Tree versionTree = root.getTree(versionPath);
         assertTrue(versionTree.exists());

         // permissions not affected as they are stored with the principal.
         assertTrue(permissionProvider.isGranted(versionTree, null, Permissions.READ|Permissions.VERSION_MANAGEMENT));
     }

     @Test
     public void testIsGrantedVersionHistoryRemoved() throws Exception {
         String vhPath = getVersionPath(contentPath, true);

         root.getTree(contentPath).remove();
         root.commit();
         permissionProvider.refresh();

         Tree vhTree = root.getTree(vhPath);
         assertFalse(vhTree.exists());

         // permissions affected because unable to resolve versionable tree
         assertFalse(permissionProvider.isGranted(vhTree, null, Permissions.READ|Permissions.VERSION_MANAGEMENT));
     }

     @Test
     public void testIsGrantedTreeLocation() throws Exception {
         TreeLocation tl = TreeLocation.create(root, getVersionPath(contentPath, false));
         assertFalse(permissionProvider.isGranted(tl, Permissions.READ_NODE));

         tl = TreeLocation.create(root, getVersionPath(grandchildPath, true));
         assertTrue(permissionProvider.isGranted(tl, Permissions.READ));

         tl = TreeLocation.create(root, getVersionPath(TEST_OAK_PATH, false));
         assertTrue(permissionProvider.isGranted(tl, Permissions.READ|Permissions.VERSION_MANAGEMENT));
     }

     @Test
     public void testIsGrantedByPath() throws Exception {
         assertFalse(permissionProvider.isGranted(getVersionPath(contentPath, false), ACTION_READ));
         assertFalse(permissionProvider.isGranted(getVersionPath(grandchildPath, true), Permissions.getString(Permissions.READ|Permissions.VERSION_MANAGEMENT)));
         assertFalse(permissionProvider.isGranted(getVersionPath(TEST_OAK_PATH, false), Permissions.getString(Permissions.READ|Permissions.WRITE)));

         assertTrue(permissionProvider.isGranted(getVersionPath(grandchildPath, false), ACTION_READ));
         assertTrue(permissionProvider.isGranted(getVersionPath(TEST_OAK_PATH, true), Permissions.getString(Permissions.READ|Permissions.VERSION_MANAGEMENT)));
     }

     @Test
     public void testGetPrivileges() throws Exception {
         assertTrue(permissionProvider.getPrivileges(getVersionTree(contentPath, true)).isEmpty());
         assertEquals(Sets.newHashSet(JCR_READ), permissionProvider.getPrivileges(getVersionTree(grandchildPath, false)));
         assertEquals(Sets.newHashSet(JCR_READ, JCR_VERSION_MANAGEMENT), permissionProvider.getPrivileges(getVersionTree(TEST_OAK_PATH, true)));
     }

     @Test
     public void testGetPrivilegesVersionableTreeRemoved() throws Exception {
         String versionPath = getVersionPath(TEST_OAK_PATH, false);
         String versionHPath = getVersionPath(TEST_OAK_PATH, true);
         assertTrue(root.getTree(versionPath).exists());

         root.getTree(TEST_OAK_PATH).remove();
         root.commit();
         permissionProvider.refresh();

         Tree versionTree = root.getTree(versionPath);
         assertTrue(versionTree.exists());

         // permissions not affected (as long as no restrictions involved) due to the fact that permissions are not
         // stored with the versionable node.
         assertEquals(Sets.newHashSet(JCR_READ, JCR_VERSION_MANAGEMENT), permissionProvider.getPrivileges(versionTree));
     }

     @Test
     public void testGetPrivilegesVersionHistoryRemoved() throws Exception {
         String vhPath = getVersionPath(contentPath, true);
         assertTrue(root.getTree(vhPath).exists());

         root.getTree(contentPath).remove();
         root.commit();
         permissionProvider.refresh();

         Tree vhTree = root.getTree(vhPath);
         assertFalse(vhTree.exists());
         assertTrue(permissionProvider.getPrivileges(vhTree).isEmpty());
     }

     @Test
     public void testHasPrivileges() {
         assertFalse(permissionProvider.hasPrivileges(getVersionTree(contentPath, false), JCR_READ));
         assertFalse(permissionProvider.hasPrivileges(getVersionTree(grandchildPath, true), JCR_VERSION_MANAGEMENT));
         assertFalse(permissionProvider.hasPrivileges(getVersionTree(TEST_OAK_PATH, false), JCR_READ, JCR_LOCK_MANAGEMENT));

         assertTrue(permissionProvider.hasPrivileges(getVersionTree(grandchildPath, false), JCR_READ));
         assertTrue(permissionProvider.hasPrivileges(getVersionTree(TEST_OAK_PATH, true), JCR_READ, JCR_VERSION_MANAGEMENT));
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

	import org.apache.jackrabbit.guava.common.collect.Sets;
	import org.apache.jackrabbit.oak.api.PropertyState;
	import org.apache.jackrabbit.oak.api.Tree;
	import org.apache.jackrabbit.oak.api.Type;
	import org.apache.jackrabbit.oak.commons.PathUtils;
	import org.apache.jackrabbit.oak.namepath.NamePathMapper;
	import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManager;
	import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
	import org.apache.jackrabbit.oak.plugins.tree.TreeType;
	import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
	import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
	import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
	import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
	import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
	import org.jetbrains.annotations.NotNull;
	import org.junit.Before;
	import org.junit.Test;

	import java.security.Principal;

	import static org.apache.jackrabbit.guava.common.base.Preconditions.checkNotNull;
	import static javax.jcr.Session.ACTION_READ;
	import static org.apache.jackrabbit.JcrConstants.JCR_BASEVERSION;
	import static org.apache.jackrabbit.JcrConstants.JCR_ISCHECKEDOUT;
	import static org.apache.jackrabbit.JcrConstants.JCR_PRIMARYTYPE;
	import static org.apache.jackrabbit.JcrConstants.JCR_VERSIONHISTORY;
	import static org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_LOCK_MANAGEMENT;
	import static org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_READ;
	import static org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_VERSION_MANAGEMENT;
	import static org.junit.Assert.assertEquals;
	import static org.junit.Assert.assertFalse;
	import static org.junit.Assert.assertNotSame;
	import static org.junit.Assert.assertSame;
	import static org.junit.Assert.assertTrue;

	public class PermissionProviderVersionTest extends AbstractPrincipalBasedTest {

	private PrincipalBasedPermissionProvider permissionProvider;

	private String contentPath;
	private String grandchildPath;

	@Before
	public void before() throws Exception {
	super.before();

	Principal testPrincipal = getTestSystemUser().getPrincipal();
	setupContentTrees(TEST_OAK_PATH);

	contentPath = PathUtils.getAncestorPath(TEST_OAK_PATH, 3);
	String childPath = PathUtils.getAncestorPath(TEST_OAK_PATH, 2);
	grandchildPath = PathUtils.getAncestorPath(TEST_OAK_PATH, 1);

	// setup permissions on childPath + TEST_OAK_PATH
	PrincipalPolicyImpl policy = setupPrincipalBasedAccessControl(testPrincipal, getNamePathMapper().getJcrPath(childPath), JCR_READ);
	addPrincipalBasedEntry(policy, getNamePathMapper().getJcrPath(TEST_OAK_PATH), PrivilegeConstants.JCR_VERSION_MANAGEMENT);

	// versionabel nodes: contentPath + grandChildPath + TEST_OAK_PATH
	// -> 1 TEST_OAK_PATH node hold policy, grandchildPath get it inherited and contentPath has no permissions granted
	Tree typeRoot = root.getTree(NodeTypeConstants.NODE_TYPES_PATH);
	for (String path : new String[] {contentPath, grandchildPath, TEST_OAK_PATH}) {
	Tree versionable = root.getTree(path);
	TreeUtil.addMixin(root.getTree(path), NodeTypeConstants.MIX_VERSIONABLE, typeRoot, "uid");
	}
	root.commit();

	// force creation of a new version for grandchildPath, TEST_OAK_PATH but not for contentPath
	// removing tree for contentPath will then also result in removal of VH upon removal.
	for (String path : new String[] {grandchildPath, TEST_OAK_PATH}) {
	root.getTree(path).setProperty(JCR_ISCHECKEDOUT, false);
	root.commit();
	root.getTree(path).setProperty(JCR_ISCHECKEDOUT, true);
	root.commit();
	}

	permissionProvider = createPermissionProvider(root, testPrincipal);
	}

	@Override
	protected NamePathMapper getNamePathMapper() {
	return NamePathMapper.DEFAULT;
	}

	@NotNull
	private String getVersionPath(@NotNull String versionablePath, boolean history) {
	Tree versionable = root.getTree(versionablePath);
	String path;
	if (history) {
	path = new IdentifierManager(root).getPath(versionable.getProperty(JCR_VERSIONHISTORY));
	} else {
	path = new IdentifierManager(root).getPath(versionable.getProperty(JCR_BASEVERSION));
	}
	checkNotNull(path);
	return path;
	}

	@NotNull
	private Tree getVersionTree(@NotNull String versionablePath, boolean history) {
	Tree versionable = root.getTree(versionablePath);
	PropertyState reference;
	if (history) {
	reference = versionable.getProperty(JCR_VERSIONHISTORY);
	} else {
	reference = versionable.getProperty(JCR_BASEVERSION);
	}
	Tree t = new IdentifierManager(root).getTree(reference.getValue(Type.STRING));
	checkNotNull(t);
	return t;
	}

	@Test
	public void testGetTreePermission() {
	Tree tree = getRootProvider().createReadOnlyRoot(root).getTree(PathUtils.ROOT_PATH);
	TreePermission tp = permissionProvider.getTreePermission(tree, TreePermission.EMPTY);

	for (String elem : PathUtils.elements(getVersionPath(TEST_OAK_PATH, false))) {
	tree = tree.getChild(elem);
	tp = permissionProvider.getTreePermission(tree, tp);
	}

	assertTrue(tp instanceof AbstractTreePermission);
	AbstractTreePermission atp = (AbstractTreePermission) tp;
	assertSame(TreeType.VERSION, atp.getType());
	// tree must point to versionable node and NOT to the version tree
	assertNotSame(tree, atp.getTree());
	assertEquals(TEST_OAK_PATH, atp.getTree().getPath());
	}

	@Test
	public void testGetTreePermissionVersionableNodeRemoved() throws Exception {
	String versionPath = getVersionPath(TEST_OAK_PATH, false);

	root.getTree(TEST_OAK_PATH).remove();
	root.commit();
	permissionProvider.refresh();

	Tree tree = getRootProvider().createReadOnlyRoot(root).getTree(PathUtils.ROOT_PATH);
	TreePermission tp = permissionProvider.getTreePermission(tree, TreePermission.EMPTY);

	for (String elem : PathUtils.elements(versionPath)) {
	tree = tree.getChild(elem);
	tp = permissionProvider.getTreePermission(tree, tp);
	}

	assertTrue(tp instanceof AbstractTreePermission);
	AbstractTreePermission atp = (AbstractTreePermission) tp;
	assertSame(TreeType.VERSION, atp.getType());
	// tree must point to non-existing versionable node and NOT to the version tree
	assertNotSame(tree, atp.getTree());
	assertFalse(atp.getTree().exists());
	assertEquals(TEST_OAK_PATH, atp.getTree().getPath());
	}

	@Test
	public void testGetTreePermissionVersionHistoryRemoved() throws Exception {
	String vhPath = getVersionPath(contentPath, true);

	root.getTree(contentPath).remove();
	root.commit();
	permissionProvider.refresh();

	Tree tree = getRootProvider().createReadOnlyRoot(root).getTree(PathUtils.ROOT_PATH);
	TreePermission tp = permissionProvider.getTreePermission(tree, TreePermission.EMPTY);

	for (String elem : PathUtils.elements(vhPath)) {
	tree = tree.getChild(elem);
	tp = permissionProvider.getTreePermission(tree, tp);
	}

	assertSame(TreePermission.EMPTY, tp);
	}

	@Test
	public void testIsGranted() throws Exception {
	assertFalse(permissionProvider.isGranted(getVersionTree(contentPath, true), null, Permissions.READ_NODE));
	assertFalse(permissionProvider.isGranted(getVersionTree(grandchildPath, true), null, Permissions.READ_NODE\|Permissions.VERSION_MANAGEMENT));
	assertFalse(permissionProvider.isGranted(getVersionTree(TEST_OAK_PATH, true), null, Permissions.READ\|Permissions.WRITE));


	assertTrue(permissionProvider.isGranted(getVersionTree(grandchildPath, true), null, Permissions.READ_NODE));
	assertTrue(permissionProvider.isGranted(getVersionTree(TEST_OAK_PATH, true), null, Permissions.READ\|Permissions.VERSION_MANAGEMENT));
	}

	@Test
	public void testIsGrantedWithProperty() throws Exception {
	Tree t = getVersionTree(contentPath, true);
	assertFalse(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));

	t = getVersionTree(grandchildPath, false);
	assertFalse(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY\|Permissions.VERSION_MANAGEMENT));

	t = getVersionTree(TEST_OAK_PATH, true);
	assertFalse(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY\|Permissions.WRITE));


	t = getVersionTree(grandchildPath, true);
	assertTrue(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));

	t = getVersionTree(TEST_OAK_PATH, false);
	assertTrue(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY\|Permissions.VERSION_MANAGEMENT));
	}

	@Test
	public void testIsGrantedVersionableTreeRemoved() throws Exception {
	String versionPath = getVersionPath(TEST_OAK_PATH, false);

	root.getTree(TEST_OAK_PATH).remove();
	root.commit();
	permissionProvider.refresh();

	Tree versionTree = root.getTree(versionPath);
	assertTrue(versionTree.exists());

	// permissions not affected as they are stored with the principal.
	assertTrue(permissionProvider.isGranted(versionTree, null, Permissions.READ\|Permissions.VERSION_MANAGEMENT));
	}

	@Test
	public void testIsGrantedVersionHistoryRemoved() throws Exception {
	String vhPath = getVersionPath(contentPath, true);

	root.getTree(contentPath).remove();
	root.commit();
	permissionProvider.refresh();

	Tree vhTree = root.getTree(vhPath);
	assertFalse(vhTree.exists());

	// permissions affected because unable to resolve versionable tree
	assertFalse(permissionProvider.isGranted(vhTree, null, Permissions.READ\|Permissions.VERSION_MANAGEMENT));
	}

	@Test
	public void testIsGrantedTreeLocation() throws Exception {
	TreeLocation tl = TreeLocation.create(root, getVersionPath(contentPath, false));
	assertFalse(permissionProvider.isGranted(tl, Permissions.READ_NODE));

	tl = TreeLocation.create(root, getVersionPath(grandchildPath, true));
	assertTrue(permissionProvider.isGranted(tl, Permissions.READ));

	tl = TreeLocation.create(root, getVersionPath(TEST_OAK_PATH, false));
	assertTrue(permissionProvider.isGranted(tl, Permissions.READ\|Permissions.VERSION_MANAGEMENT));
	}

	@Test
	public void testIsGrantedByPath() throws Exception {
	assertFalse(permissionProvider.isGranted(getVersionPath(contentPath, false), ACTION_READ));
	assertFalse(permissionProvider.isGranted(getVersionPath(grandchildPath, true), Permissions.getString(Permissions.READ\|Permissions.VERSION_MANAGEMENT)));
	assertFalse(permissionProvider.isGranted(getVersionPath(TEST_OAK_PATH, false), Permissions.getString(Permissions.READ\|Permissions.WRITE)));

	assertTrue(permissionProvider.isGranted(getVersionPath(grandchildPath, false), ACTION_READ));
	assertTrue(permissionProvider.isGranted(getVersionPath(TEST_OAK_PATH, true), Permissions.getString(Permissions.READ\|Permissions.VERSION_MANAGEMENT)));
	}

	@Test
	public void testGetPrivileges() throws Exception {
	assertTrue(permissionProvider.getPrivileges(getVersionTree(contentPath, true)).isEmpty());
	assertEquals(Sets.newHashSet(JCR_READ), permissionProvider.getPrivileges(getVersionTree(grandchildPath, false)));
	assertEquals(Sets.newHashSet(JCR_READ, JCR_VERSION_MANAGEMENT), permissionProvider.getPrivileges(getVersionTree(TEST_OAK_PATH, true)));
	}

	@Test
	public void testGetPrivilegesVersionableTreeRemoved() throws Exception {
	String versionPath = getVersionPath(TEST_OAK_PATH, false);
	String versionHPath = getVersionPath(TEST_OAK_PATH, true);
	assertTrue(root.getTree(versionPath).exists());

	root.getTree(TEST_OAK_PATH).remove();
	root.commit();
	permissionProvider.refresh();

	Tree versionTree = root.getTree(versionPath);
	assertTrue(versionTree.exists());

	// permissions not affected (as long as no restrictions involved) due to the fact that permissions are not
	// stored with the versionable node.
	assertEquals(Sets.newHashSet(JCR_READ, JCR_VERSION_MANAGEMENT), permissionProvider.getPrivileges(versionTree));
	}

	@Test
	public void testGetPrivilegesVersionHistoryRemoved() throws Exception {
	String vhPath = getVersionPath(contentPath, true);
	assertTrue(root.getTree(vhPath).exists());

	root.getTree(contentPath).remove();
	root.commit();
	permissionProvider.refresh();

	Tree vhTree = root.getTree(vhPath);
	assertFalse(vhTree.exists());
	assertTrue(permissionProvider.getPrivileges(vhTree).isEmpty());
	}

	@Test
	public void testHasPrivileges() {
	assertFalse(permissionProvider.hasPrivileges(getVersionTree(contentPath, false), JCR_READ));
	assertFalse(permissionProvider.hasPrivileges(getVersionTree(grandchildPath, true), JCR_VERSION_MANAGEMENT));
	assertFalse(permissionProvider.hasPrivileges(getVersionTree(TEST_OAK_PATH, false), JCR_READ, JCR_LOCK_MANAGEMENT));

	assertTrue(permissionProvider.hasPrivileges(getVersionTree(grandchildPath, false), JCR_READ));
	assertTrue(permissionProvider.hasPrivileges(getVersionTree(TEST_OAK_PATH, true), JCR_READ, JCR_VERSION_MANAGEMENT));
	}
	}