Google Git
Sign in
apache / jackrabbit-oak / refs/heads/trunk / . / oak-authorization-principalbased / src / test / java / org / apache / jackrabbit / oak / spi / security / authorization / principalbased / impl / ReadablePathsPermissionTest.java
blob: 224839d42499a428891ddf1c7630246c4d3a30f6 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;
import org.apache.jackrabbit.guava.common.collect.Iterables;
import org.apache.jackrabbit.guava.common.collect.Iterators;
import org.apache.jackrabbit.guava.common.collect.Sets;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.spi.namespace.NamespaceConstants;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.jetbrains.annotations.NotNull;
import org.junit.Before;
import org.junit.Test;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import static org.apache.jackrabbit.JcrConstants.JCR_PRIMARYTYPE;
import static org.apache.jackrabbit.JcrConstants.JCR_SYSTEM;
import static org.apache.jackrabbit.oak.commons.PathUtils.ROOT_PATH;
import static org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.JCR_READ;
import static org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.REP_READ_NODES;
import static org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants.REP_READ_PROPERTIES;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
public class ReadablePathsPermissionTest extends AbstractPrincipalBasedTest {
private Iterator<String> readablePaths;
private Iterator<String> readableChildPaths;
private PrincipalBasedPermissionProvider permissionProvider;
@Before
public void before() throws Exception {
super.before();
Set<String> paths = getConfig(AuthorizationConfiguration.class).getParameters().getConfigValue(PermissionConstants.PARAM_READ_PATHS, PermissionConstants.DEFAULT_READ_PATHS);
assertFalse(paths.isEmpty());
readablePaths = Iterators.cycle(paths);
Set<String> childPaths = Sets.newHashSet();
for (String path : paths) {
Iterables.addAll(childPaths, Iterables.transform(root.getTree(path).getChildren(), Tree::getPath));
}
readableChildPaths = Iterators.cycle(childPaths);
permissionProvider = new PrincipalBasedPermissionProvider(root, root.getContentSession().getWorkspaceName(), Collections.singleton(getTestSystemUser().getPath()), getPrincipalBasedAuthorizationConfiguration());
}
@Override
protected ConfigurationParameters getSecurityConfigParameters() {
return ConfigurationParameters.of(AuthorizationConfiguration.NAME,
ConfigurationParameters.of(PermissionConstants.PARAM_READ_PATHS, new String[]{
NamespaceConstants.NAMESPACES_PATH,
PrivilegeConstants.PRIVILEGES_PATH
}));
}
@NotNull
private Tree getTree(@NotNull String path) {
return root.getTree(path);
}
@Test
public void testHasPrivileges() {
assertTrue(permissionProvider.hasPrivileges(getTree(readablePaths.next()), JCR_READ));
assertTrue(permissionProvider.hasPrivileges(getTree(readablePaths.next()), REP_READ_PROPERTIES));
assertTrue(permissionProvider.hasPrivileges(getTree(readableChildPaths.next()), REP_READ_NODES));
assertTrue(permissionProvider.hasPrivileges(getTree(readableChildPaths.next()), REP_READ_NODES, REP_READ_PROPERTIES));
}
@Test
public void testNotHasPrivileges() {
assertFalse(permissionProvider.hasPrivileges(getTree(readablePaths.next()), JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
assertFalse(permissionProvider.hasPrivileges(getTree(readablePaths.next()), PrivilegeConstants.JCR_WRITE));
assertFalse(permissionProvider.hasPrivileges(getTree(readableChildPaths.next()), PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL, REP_READ_PROPERTIES));
assertFalse(permissionProvider.hasPrivileges(getTree(readableChildPaths.next()), REP_READ_NODES, PrivilegeConstants.JCR_REMOVE_NODE));
assertFalse(permissionProvider.hasPrivileges(getTree(ROOT_PATH), JCR_READ));
String systemPath = PathUtils.concat(ROOT_PATH, JCR_SYSTEM);
assertFalse(permissionProvider.hasPrivileges(getTree(systemPath), REP_READ_NODES));
}
@Test
public void testGetPrivileges() {
Set<String> expected = Collections.singleton(JCR_READ);
assertEquals(expected, permissionProvider.getPrivileges(getTree(readablePaths.next())));
assertEquals(expected, permissionProvider.getPrivileges(getTree(readableChildPaths.next())));
assertTrue(permissionProvider.getPrivileges(getTree(ROOT_PATH)).isEmpty());
String systemPath = PathUtils.concat(ROOT_PATH, JCR_SYSTEM);
assertTrue(permissionProvider.getPrivileges(getTree(systemPath)).isEmpty());
}
@Test
public void testIsGrantedPath() {
assertTrue(permissionProvider.isGranted(readablePaths.next(), Permissions.getString(Permissions.READ)));
assertTrue(permissionProvider.isGranted(readablePaths.next(), Permissions.getString(Permissions.READ_NODE|Permissions.READ_PROPERTY)));
assertTrue(permissionProvider.isGranted(readableChildPaths.next(), Permissions.getString(Permissions.READ_NODE)));
assertTrue(permissionProvider.isGranted(PathUtils.concat(readableChildPaths.next(), JCR_PRIMARYTYPE), Permissions.getString(Permissions.READ_PROPERTY)));
assertTrue(permissionProvider.isGranted(PathUtils.concat(readableChildPaths.next(), "nonExisting"), Permissions.getString(Permissions.READ)));
}
@Test
public void testNotIsGrantedPath() {
assertFalse(permissionProvider.isGranted(readablePaths.next(), Permissions.getString(Permissions.READ|Permissions.VERSION_MANAGEMENT)));
assertFalse(permissionProvider.isGranted(readablePaths.next(), Permissions.getString(Permissions.READ_ACCESS_CONTROL|Permissions.READ_NODE)));
assertFalse(permissionProvider.isGranted(readableChildPaths.next(), Permissions.getString(Permissions.READ_PROPERTY|Permissions.ALL)));
assertFalse(permissionProvider.isGranted(ROOT_PATH, Permissions.getString(Permissions.READ)));
assertFalse(permissionProvider.isGranted(PathUtils.concat(ROOT_PATH, JCR_SYSTEM), Permissions.getString(Permissions.READ_NODE)));
assertFalse(permissionProvider.isGranted("/nonExistingContent", Permissions.getString(Permissions.READ_PROPERTY)));
}
@Test
public void testIsGrantedTree() {
assertTrue(permissionProvider.isGranted(getTree(readablePaths.next()), null, Permissions.READ));
assertTrue(permissionProvider.isGranted(getTree(readablePaths.next()), null, Permissions.READ_NODE));
Tree t = getTree(readablePaths.next());
assertTrue(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));
assertTrue(permissionProvider.isGranted(getTree(readableChildPaths.next()), null, Permissions.READ));
assertTrue(permissionProvider.isGranted(getTree(readableChildPaths.next()), null, Permissions.READ_NODE));
t = getTree(readableChildPaths.next());
assertTrue(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));
}
@Test
public void testNotIsGrantedTree() {
assertFalse(permissionProvider.isGranted(getTree(readablePaths.next()), null, Permissions.READ_ACCESS_CONTROL|Permissions.READ));
assertFalse(permissionProvider.isGranted(getTree(readablePaths.next()), null, Permissions.ADD_NODE));
Tree t = getTree(readableChildPaths.next());
assertFalse(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.MODIFY_PROPERTY|Permissions.READ_PROPERTY));
t = getTree(PathUtils.ROOT_PATH);
assertFalse(permissionProvider.isGranted(t, null, Permissions.READ));
assertFalse(permissionProvider.isGranted(t, t.getProperty(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));
assertFalse(permissionProvider.isGranted(t.getChildren().iterator().next(), null, Permissions.READ_NODE));
}
@Test
public void testIsGrantedLocation() {
assertTrue(permissionProvider.isGranted(TreeLocation.create(root, readablePaths.next()), Permissions.READ));
assertTrue(permissionProvider.isGranted(TreeLocation.create(root, readableChildPaths.next()), Permissions.READ_NODE));
assertTrue(permissionProvider.isGranted(TreeLocation.create(root, readableChildPaths.next()).getChild(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));
}
@Test
public void testNotIsGrantedLocation() {
assertFalse(permissionProvider.isGranted(TreeLocation.create(root, readablePaths.next()), Permissions.READ|Permissions.WRITE));
assertFalse(permissionProvider.isGranted(TreeLocation.create(root, readableChildPaths.next()), Permissions.ALL));
assertFalse(permissionProvider.isGranted(TreeLocation.create(root, readableChildPaths.next()).getChild(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY|Permissions.MODIFY_PROPERTY));
TreeLocation location = TreeLocation.create(root);
assertFalse(permissionProvider.isGranted(location, Permissions.READ));
assertFalse(permissionProvider.isGranted(location.getChild(JCR_SYSTEM), Permissions.READ_NODE));
assertFalse(permissionProvider.isGranted(location.getChild(JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));
}
@Test
public void testTreePermission() {
Tree t = getTree(ROOT_PATH);
TreePermission tp = permissionProvider.getTreePermission(t, TreePermission.EMPTY);
assertFalse(tp.isGranted(Permissions.READ));
assertFalse(tp.canRead());
assertFalse(tp.canRead(t.getProperty(JCR_PRIMARYTYPE)));
tp = permissionProvider.getTreePermission(t.getChild(JCR_SYSTEM), tp);
assertFalse(tp.isGranted(Permissions.READ_NODE));
assertFalse(tp.canReadProperties());
assertFalse(tp.canReadAll());
// readable paths
t = root.getTree(readablePaths.next());
tp = permissionProvider.getTreePermission(t, tp);
assertTrue(tp.isGranted(Permissions.READ));
assertFalse(tp.isGranted(Permissions.READ_ACCESS_CONTROL));
assertTrue(tp.canRead());
assertTrue(tp.canRead(t.getProperty(JCR_PRIMARYTYPE)));
assertFalse(tp.canReadProperties());
t = t.getChildren().iterator().next();
tp = permissionProvider.getTreePermission(t, tp);
assertTrue(tp.isGranted(Permissions.READ_NODE));
assertTrue(tp.isGranted(Permissions.READ_PROPERTY, t.getProperty(JCR_PRIMARYTYPE)));
assertFalse(tp.isGranted(Permissions.READ_PROPERTY|Permissions.MODIFY_PROPERTY, t.getProperty(JCR_PRIMARYTYPE)));
assertTrue(tp.canRead());
assertFalse(tp.canReadAll());
}
@Test
public void testRepositoryPermission() {
assertFalse(permissionProvider.getRepositoryPermission().isGranted(Permissions.READ));
}
}