src/test/java/org/apache/sling/jcr/jackrabbit/accessmanager/it/GetAclIT.java - sling-org-apache-sling-jcr-jackrabbit-accessmanager - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.sling.jcr.jackrabbit.accessmanager.it;

 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;

 import java.io.IOException;
 import java.util.List;

 import javax.json.JsonException;
 import javax.json.JsonObject;
 import javax.servlet.http.HttpServletResponse;

 import org.apache.http.NameValuePair;
 import org.apache.http.auth.Credentials;
 import org.apache.http.auth.UsernamePasswordCredentials;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.ops4j.pax.exam.junit.PaxExam;
 import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
 import org.ops4j.pax.exam.spi.reactors.PerClass;

 /**
  * Tests for the 'acl' and 'eacl' Sling Get Operation
  */
 @RunWith(PaxExam.class)
 @ExamReactorStrategy(PerClass.class)
 public class GetAclIT extends AccessManagerClientTestSupport {

     /**
      * Test for SLING-2600, Effective ACL servlet returns incorrect information
      */
     @Test
     public void testEffectiveAclForUser() throws IOException, JsonException {
         testUserId = createTestUser();
         testUserId2 = createTestUser();

         testFolderUrl = createTestFolder(null, "sling-tests",
                 "{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

         //1. create an initial set of privileges
         List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.ALLOW)
                 .build();
         addOrUpdateAce(testFolderUrl, postParams);

         List<NameValuePair> postParams2 = new AcePostParamsBuilder(testUserId2)
                 .withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.ALLOW)
                 .build();
         addOrUpdateAce(testFolderUrl, postParams2);

         List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId2)
                 .withPrivilege(PrivilegeConstants.JCR_LOCK_MANAGEMENT, PrivilegeValues.ALLOW)
                 .build();
         addOrUpdateAce(testFolderUrl + "/child", postParams3);

         Credentials creds = new UsernamePasswordCredentials("admin", "admin");

         //fetch the JSON for the eacl to verify the settings.
         String getUrl = testFolderUrl + "/child.eacl.json";

         String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
         assertNotNull(json);
         JsonObject jsonObject = parseJson(json);

         JsonObject aceObject = jsonObject.getJsonObject(testUserId);
         assertNotNull(aceObject);

         String principalString = aceObject.getString("principal");
         assertEquals(testUserId, principalString);

         JsonObject privilegesObject = aceObject.getJsonObject("privileges");
         assertNotNull(privilegesObject);
         assertEquals(1, privilegesObject.size());
         //allow privilege
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_WRITE);

         JsonObject aceObject2 = jsonObject.getJsonObject(testUserId2);
         assertNotNull(aceObject2);

         String principalString2 = aceObject2.getString("principal");
         assertEquals(testUserId2, principalString2);

         JsonObject privilegesObject2 = aceObject2.getJsonObject("privileges");
         assertNotNull(privilegesObject2);
         assertEquals(2, privilegesObject2.size());
         //allow privilege
         assertPrivilege(privilegesObject2, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_WRITE);
         assertPrivilege(privilegesObject2, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_LOCK_MANAGEMENT);
     }

     /**
      * Test for SLING-2600, Effective ACL servlet returns incorrect information
      */
     @Test
     public void testEffectiveAclMergeForUserReplacePrivilegeOnChild() throws IOException, JsonException {
         testUserId = createTestUser();

         testFolderUrl = createTestFolder(null, "sling-tests",
                 "{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

         //1. create an initial set of privileges
         List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.DENY)
                 .build();
         addOrUpdateAce(testFolderUrl, postParams);

         List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.ALLOW)
                 .build();
         addOrUpdateAce(testFolderUrl + "/child", postParams3);

         Credentials creds = new UsernamePasswordCredentials("admin", "admin");

         //fetch the JSON for the eacl to verify the settings.
         String getUrl = testFolderUrl + "/child.eacl.json";

         String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
         assertNotNull(json);
         JsonObject jsonObject = parseJson(json);

         JsonObject aceObject = jsonObject.getJsonObject(testUserId);
         assertNotNull(aceObject);

         String principalString = aceObject.getString("principal");
         assertEquals(testUserId, principalString);

         JsonObject privilegesObject = aceObject.getJsonObject("privileges");
         assertNotNull(privilegesObject);
         assertEquals(1, privilegesObject.size());
         //allow privilege
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_WRITE);
     }

     /**
      * Test for SLING-2600, Effective ACL servlet returns incorrect information
      */
     @Test
     public void testEffectiveAclMergeForUserFewerPrivilegesGrantedOnChild() throws IOException, JsonException {
         testUserId = createTestUser();

         testFolderUrl = createTestFolder(null, "sling-tests",
                 "{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

         List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_ALL, PrivilegeValues.ALLOW)
                 .build();
         addOrUpdateAce(testFolderUrl, postParams);

         List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.ALLOW)
                 .build();
         addOrUpdateAce(testFolderUrl + "/child", postParams3);

         Credentials creds = new UsernamePasswordCredentials("admin", "admin");

         //fetch the JSON for the eacl to verify the settings.
         String getUrl = testFolderUrl + "/child.eacl.json";

         String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
         assertNotNull(json);
         JsonObject jsonObject = parseJson(json);

         JsonObject aceObject = jsonObject.getJsonObject(testUserId);
         assertNotNull(aceObject);

         String principalString = aceObject.getString("principal");
         assertEquals(testUserId, principalString);

         JsonObject privilegesObject = aceObject.getJsonObject("privileges");
         assertNotNull(privilegesObject);
         assertEquals(1, privilegesObject.size());
         //allow privilege
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_ALL);
     }

     /**
      * Test for SLING-2600, Effective ACL servlet returns incorrect information
      */
     @Test
     public void testEffectiveAclMergeForUserMorePrivilegesGrantedOnChild() throws IOException, JsonException {
         testUserId = createTestUser();

         testFolderUrl = createTestFolder(null, "sling-tests",
                 "{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

         List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.ALLOW)
                 .build();
         addOrUpdateAce(testFolderUrl, postParams);

         List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_ALL, PrivilegeValues.ALLOW)
                 .build();
         addOrUpdateAce(testFolderUrl + "/child", postParams3);

         Credentials creds = new UsernamePasswordCredentials("admin", "admin");

         //fetch the JSON for the eacl to verify the settings.
         String getUrl = testFolderUrl + "/child.eacl.json";

         String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
         assertNotNull(json);
         JsonObject jsonObject = parseJson(json);

         JsonObject aceObject = jsonObject.getJsonObject(testUserId);
         assertNotNull(aceObject);

         String principalString = aceObject.getString("principal");
         assertEquals(testUserId, principalString);

         JsonObject privilegesObject = aceObject.getJsonObject("privileges");
         assertNotNull(privilegesObject);
         assertEquals(1, privilegesObject.size());
         //allow privilege
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_ALL);
     }

     /**
      * Test for SLING-2600, Effective ACL servlet returns incorrect information
      */
     @Test
     public void testEffectiveAclMergeForUserSubsetOfPrivilegesDeniedOnChild2() throws IOException, JsonException {
         testUserId = createTestUser();

         testFolderUrl = createTestFolder(null, "sling-tests",
                 "{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

         List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_ALL, PrivilegeValues.ALLOW)
                 .build();
         addOrUpdateAce(testFolderUrl, postParams);

         List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_REMOVE_NODE, PrivilegeValues.DENY)
                 .build();
         addOrUpdateAce(testFolderUrl + "/child", postParams3);

         Credentials creds = new UsernamePasswordCredentials("admin", "admin");

         //fetch the JSON for the eacl to verify the settings.
         String getUrl = testFolderUrl + "/child.eacl.json";

         String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
         assertNotNull(json);
         JsonObject jsonObject = parseJson(json);

         JsonObject aceObject = jsonObject.getJsonObject(testUserId);
         assertNotNull(aceObject);

         String principalString = aceObject.getString("principal");
         assertEquals(testUserId, principalString);

         JsonObject privilegesObject = aceObject.getJsonObject("privileges");
         assertNotNull(privilegesObject);
         assertTrue(privilegesObject.size() >= 11);
         // not there privileges
         assertPrivilege(privilegesObject, false, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_ALL);
         assertPrivilege(privilegesObject, false, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_WRITE);
         // allow privileges
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_READ);
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL);
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_LOCK_MANAGEMENT);
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_VERSION_MANAGEMENT);
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT);
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_RETENTION_MANAGEMENT);
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_LIFECYCLE_MANAGEMENT);
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_MODIFY_PROPERTIES);
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_ADD_CHILD_NODES);
         assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_REMOVE_CHILD_NODES);
         //deny privileges
         assertPrivilege(privilegesObject, true, PrivilegeValues.DENY, PrivilegeConstants.JCR_REMOVE_NODE);
     }

     /**
      * Test for SLING-2600, Effective ACL servlet returns incorrect information
      */
     @Test
     public void testEffectiveAclMergeForUserSupersetOfPrivilegesDeniedOnChild() throws IOException, JsonException {
         testUserId = createTestUser();

         testFolderUrl = createTestFolder(null, "sling-tests",
                 "{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

         List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.ALLOW)
                 .build();
         addOrUpdateAce(testFolderUrl, postParams);

         List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_ALL, PrivilegeValues.DENY)
                 .build();
         addOrUpdateAce(testFolderUrl + "/child", postParams3);

         Credentials creds = new UsernamePasswordCredentials("admin", "admin");

         //fetch the JSON for the eacl to verify the settings.
         String getUrl = testFolderUrl + "/child.eacl.json";

         String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
         assertNotNull(json);
         JsonObject jsonObject = parseJson(json);

         JsonObject aceObject = jsonObject.getJsonObject(testUserId);
         assertNotNull(aceObject);

         String principalString = aceObject.getString("principal");
         assertEquals(testUserId, principalString);

         JsonObject privilegesObject = aceObject.getJsonObject("privileges");
         assertNotNull(privilegesObject);
         assertEquals(1, privilegesObject.size());
         assertPrivilege(privilegesObject, true, PrivilegeValues.DENY, PrivilegeConstants.JCR_ALL);
     }

     /**
      * Test for SLING-2600, Effective ACL servlet returns incorrect information
      */
     @Test
     public void testEffectiveAclMergeForUserSupersetOfPrivilegesDeniedOnChild2() throws IOException, JsonException {
         testUserId = createTestUser();

         testFolderUrl = createTestFolder(null, "sling-tests",
                 "{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

         List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_MODIFY_PROPERTIES, PrivilegeValues.ALLOW)
                 .build();
         addOrUpdateAce(testFolderUrl, postParams);

         List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_ALL, PrivilegeValues.DENY)
                 .build();
         addOrUpdateAce(testFolderUrl + "/child", postParams3);

         Credentials creds = new UsernamePasswordCredentials("admin", "admin");

         //fetch the JSON for the eacl to verify the settings.
         String getUrl = testFolderUrl + "/child.eacl.json";

         String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
         assertNotNull(json);
         JsonObject jsonObject = parseJson(json);

         JsonObject aceObject = jsonObject.getJsonObject(testUserId);
         assertNotNull(aceObject);

         String principalString = aceObject.getString("principal");
         assertEquals(testUserId, principalString);

         JsonObject privilegesObject = aceObject.getJsonObject("privileges");
         assertNotNull(privilegesObject);
         assertEquals(1, privilegesObject.size());
         assertPrivilege(privilegesObject, true, PrivilegeValues.DENY, PrivilegeConstants.JCR_ALL);
     }

     /**
      * ACL servlet returns 404 when no read access rights permissions
      */
     @Test
     public void testNoAccessToDeclaredAclForUser() throws IOException, JsonException {
         testUserId = createTestUser();
         testFolderUrl = createTestFolder(null, "sling-tests",
                 "{ \"jcr:primaryType\": \"nt:unstructured\", \"child\" : { \"childPropOne\" : true } }");

         //1. create an initial set of privileges
         List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
                 .withPrivilege(PrivilegeConstants.JCR_READ_ACCESS_CONTROL, PrivilegeValues.DENY)
                 .build();
         addOrUpdateAce(testFolderUrl, postParams);

         Credentials creds = new UsernamePasswordCredentials(testUserId, "testPwd");

         //fetch the JSON for the ace to verify the settings.
         String getUrl = testFolderUrl + "/child.acl.json";
         // no declared access control entry returns a 404
         assertAuthenticatedHttpStatus(creds, getUrl, HttpServletResponse.SC_NOT_FOUND, "Did not expect an ace to be returned");
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.sling.jcr.jackrabbit.accessmanager.it;

	import static org.junit.Assert.assertEquals;
	import static org.junit.Assert.assertNotNull;
	import static org.junit.Assert.assertTrue;

	import java.io.IOException;
	import java.util.List;

	import javax.json.JsonException;
	import javax.json.JsonObject;
	import javax.servlet.http.HttpServletResponse;

	import org.apache.http.NameValuePair;
	import org.apache.http.auth.Credentials;
	import org.apache.http.auth.UsernamePasswordCredentials;
	import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
	import org.junit.Test;
	import org.junit.runner.RunWith;
	import org.ops4j.pax.exam.junit.PaxExam;
	import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
	import org.ops4j.pax.exam.spi.reactors.PerClass;

	/**
	* Tests for the 'acl' and 'eacl' Sling Get Operation
	*/
	@RunWith(PaxExam.class)
	@ExamReactorStrategy(PerClass.class)
	public class GetAclIT extends AccessManagerClientTestSupport {

	/**
	* Test for SLING-2600, Effective ACL servlet returns incorrect information
	*/
	@Test
	public void testEffectiveAclForUser() throws IOException, JsonException {
	testUserId = createTestUser();
	testUserId2 = createTestUser();

	testFolderUrl = createTestFolder(null, "sling-tests",
	"{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

	//1. create an initial set of privileges
	List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.ALLOW)
	.build();
	addOrUpdateAce(testFolderUrl, postParams);

	List<NameValuePair> postParams2 = new AcePostParamsBuilder(testUserId2)
	.withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.ALLOW)
	.build();
	addOrUpdateAce(testFolderUrl, postParams2);

	List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId2)
	.withPrivilege(PrivilegeConstants.JCR_LOCK_MANAGEMENT, PrivilegeValues.ALLOW)
	.build();
	addOrUpdateAce(testFolderUrl + "/child", postParams3);

	Credentials creds = new UsernamePasswordCredentials("admin", "admin");

	//fetch the JSON for the eacl to verify the settings.
	String getUrl = testFolderUrl + "/child.eacl.json";

	String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
	assertNotNull(json);
	JsonObject jsonObject = parseJson(json);

	JsonObject aceObject = jsonObject.getJsonObject(testUserId);
	assertNotNull(aceObject);

	String principalString = aceObject.getString("principal");
	assertEquals(testUserId, principalString);

	JsonObject privilegesObject = aceObject.getJsonObject("privileges");
	assertNotNull(privilegesObject);
	assertEquals(1, privilegesObject.size());
	//allow privilege
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_WRITE);

	JsonObject aceObject2 = jsonObject.getJsonObject(testUserId2);
	assertNotNull(aceObject2);

	String principalString2 = aceObject2.getString("principal");
	assertEquals(testUserId2, principalString2);

	JsonObject privilegesObject2 = aceObject2.getJsonObject("privileges");
	assertNotNull(privilegesObject2);
	assertEquals(2, privilegesObject2.size());
	//allow privilege
	assertPrivilege(privilegesObject2, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_WRITE);
	assertPrivilege(privilegesObject2, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_LOCK_MANAGEMENT);
	}

	/**
	* Test for SLING-2600, Effective ACL servlet returns incorrect information
	*/
	@Test
	public void testEffectiveAclMergeForUserReplacePrivilegeOnChild() throws IOException, JsonException {
	testUserId = createTestUser();

	testFolderUrl = createTestFolder(null, "sling-tests",
	"{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

	//1. create an initial set of privileges
	List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.DENY)
	.build();
	addOrUpdateAce(testFolderUrl, postParams);

	List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.ALLOW)
	.build();
	addOrUpdateAce(testFolderUrl + "/child", postParams3);

	Credentials creds = new UsernamePasswordCredentials("admin", "admin");

	//fetch the JSON for the eacl to verify the settings.
	String getUrl = testFolderUrl + "/child.eacl.json";

	String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
	assertNotNull(json);
	JsonObject jsonObject = parseJson(json);

	JsonObject aceObject = jsonObject.getJsonObject(testUserId);
	assertNotNull(aceObject);

	String principalString = aceObject.getString("principal");
	assertEquals(testUserId, principalString);

	JsonObject privilegesObject = aceObject.getJsonObject("privileges");
	assertNotNull(privilegesObject);
	assertEquals(1, privilegesObject.size());
	//allow privilege
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_WRITE);
	}

	/**
	* Test for SLING-2600, Effective ACL servlet returns incorrect information
	*/
	@Test
	public void testEffectiveAclMergeForUserFewerPrivilegesGrantedOnChild() throws IOException, JsonException {
	testUserId = createTestUser();

	testFolderUrl = createTestFolder(null, "sling-tests",
	"{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

	List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_ALL, PrivilegeValues.ALLOW)
	.build();
	addOrUpdateAce(testFolderUrl, postParams);

	List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.ALLOW)
	.build();
	addOrUpdateAce(testFolderUrl + "/child", postParams3);

	Credentials creds = new UsernamePasswordCredentials("admin", "admin");

	//fetch the JSON for the eacl to verify the settings.
	String getUrl = testFolderUrl + "/child.eacl.json";

	String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
	assertNotNull(json);
	JsonObject jsonObject = parseJson(json);

	JsonObject aceObject = jsonObject.getJsonObject(testUserId);
	assertNotNull(aceObject);

	String principalString = aceObject.getString("principal");
	assertEquals(testUserId, principalString);

	JsonObject privilegesObject = aceObject.getJsonObject("privileges");
	assertNotNull(privilegesObject);
	assertEquals(1, privilegesObject.size());
	//allow privilege
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_ALL);
	}

	/**
	* Test for SLING-2600, Effective ACL servlet returns incorrect information
	*/
	@Test
	public void testEffectiveAclMergeForUserMorePrivilegesGrantedOnChild() throws IOException, JsonException {
	testUserId = createTestUser();

	testFolderUrl = createTestFolder(null, "sling-tests",
	"{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

	List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.ALLOW)
	.build();
	addOrUpdateAce(testFolderUrl, postParams);

	List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_ALL, PrivilegeValues.ALLOW)
	.build();
	addOrUpdateAce(testFolderUrl + "/child", postParams3);

	Credentials creds = new UsernamePasswordCredentials("admin", "admin");

	//fetch the JSON for the eacl to verify the settings.
	String getUrl = testFolderUrl + "/child.eacl.json";

	String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
	assertNotNull(json);
	JsonObject jsonObject = parseJson(json);

	JsonObject aceObject = jsonObject.getJsonObject(testUserId);
	assertNotNull(aceObject);

	String principalString = aceObject.getString("principal");
	assertEquals(testUserId, principalString);

	JsonObject privilegesObject = aceObject.getJsonObject("privileges");
	assertNotNull(privilegesObject);
	assertEquals(1, privilegesObject.size());
	//allow privilege
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_ALL);
	}

	/**
	* Test for SLING-2600, Effective ACL servlet returns incorrect information
	*/
	@Test
	public void testEffectiveAclMergeForUserSubsetOfPrivilegesDeniedOnChild2() throws IOException, JsonException {
	testUserId = createTestUser();

	testFolderUrl = createTestFolder(null, "sling-tests",
	"{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

	List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_ALL, PrivilegeValues.ALLOW)
	.build();
	addOrUpdateAce(testFolderUrl, postParams);

	List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_REMOVE_NODE, PrivilegeValues.DENY)
	.build();
	addOrUpdateAce(testFolderUrl + "/child", postParams3);

	Credentials creds = new UsernamePasswordCredentials("admin", "admin");

	//fetch the JSON for the eacl to verify the settings.
	String getUrl = testFolderUrl + "/child.eacl.json";

	String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
	assertNotNull(json);
	JsonObject jsonObject = parseJson(json);

	JsonObject aceObject = jsonObject.getJsonObject(testUserId);
	assertNotNull(aceObject);

	String principalString = aceObject.getString("principal");
	assertEquals(testUserId, principalString);

	JsonObject privilegesObject = aceObject.getJsonObject("privileges");
	assertNotNull(privilegesObject);
	assertTrue(privilegesObject.size() >= 11);
	// not there privileges
	assertPrivilege(privilegesObject, false, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_ALL);
	assertPrivilege(privilegesObject, false, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_WRITE);
	// allow privileges
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_READ);
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL);
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_LOCK_MANAGEMENT);
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_VERSION_MANAGEMENT);
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT);
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_RETENTION_MANAGEMENT);
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_LIFECYCLE_MANAGEMENT);
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_MODIFY_PROPERTIES);
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_ADD_CHILD_NODES);
	assertPrivilege(privilegesObject, true, PrivilegeValues.ALLOW, PrivilegeConstants.JCR_REMOVE_CHILD_NODES);
	//deny privileges
	assertPrivilege(privilegesObject, true, PrivilegeValues.DENY, PrivilegeConstants.JCR_REMOVE_NODE);
	}

	/**
	* Test for SLING-2600, Effective ACL servlet returns incorrect information
	*/
	@Test
	public void testEffectiveAclMergeForUserSupersetOfPrivilegesDeniedOnChild() throws IOException, JsonException {
	testUserId = createTestUser();

	testFolderUrl = createTestFolder(null, "sling-tests",
	"{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

	List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_WRITE, PrivilegeValues.ALLOW)
	.build();
	addOrUpdateAce(testFolderUrl, postParams);

	List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_ALL, PrivilegeValues.DENY)
	.build();
	addOrUpdateAce(testFolderUrl + "/child", postParams3);

	Credentials creds = new UsernamePasswordCredentials("admin", "admin");

	//fetch the JSON for the eacl to verify the settings.
	String getUrl = testFolderUrl + "/child.eacl.json";

	String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
	assertNotNull(json);
	JsonObject jsonObject = parseJson(json);

	JsonObject aceObject = jsonObject.getJsonObject(testUserId);
	assertNotNull(aceObject);

	String principalString = aceObject.getString("principal");
	assertEquals(testUserId, principalString);

	JsonObject privilegesObject = aceObject.getJsonObject("privileges");
	assertNotNull(privilegesObject);
	assertEquals(1, privilegesObject.size());
	assertPrivilege(privilegesObject, true, PrivilegeValues.DENY, PrivilegeConstants.JCR_ALL);
	}

	/**
	* Test for SLING-2600, Effective ACL servlet returns incorrect information
	*/
	@Test
	public void testEffectiveAclMergeForUserSupersetOfPrivilegesDeniedOnChild2() throws IOException, JsonException {
	testUserId = createTestUser();

	testFolderUrl = createTestFolder(null, "sling-tests",
	"{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");

	List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_MODIFY_PROPERTIES, PrivilegeValues.ALLOW)
	.build();
	addOrUpdateAce(testFolderUrl, postParams);

	List<NameValuePair> postParams3 = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_ALL, PrivilegeValues.DENY)
	.build();
	addOrUpdateAce(testFolderUrl + "/child", postParams3);

	Credentials creds = new UsernamePasswordCredentials("admin", "admin");

	//fetch the JSON for the eacl to verify the settings.
	String getUrl = testFolderUrl + "/child.eacl.json";

	String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
	assertNotNull(json);
	JsonObject jsonObject = parseJson(json);

	JsonObject aceObject = jsonObject.getJsonObject(testUserId);
	assertNotNull(aceObject);

	String principalString = aceObject.getString("principal");
	assertEquals(testUserId, principalString);

	JsonObject privilegesObject = aceObject.getJsonObject("privileges");
	assertNotNull(privilegesObject);
	assertEquals(1, privilegesObject.size());
	assertPrivilege(privilegesObject, true, PrivilegeValues.DENY, PrivilegeConstants.JCR_ALL);
	}

	/**
	* ACL servlet returns 404 when no read access rights permissions
	*/
	@Test
	public void testNoAccessToDeclaredAclForUser() throws IOException, JsonException {
	testUserId = createTestUser();
	testFolderUrl = createTestFolder(null, "sling-tests",
	"{ \"jcr:primaryType\": \"nt:unstructured\", \"child\" : { \"childPropOne\" : true } }");

	//1. create an initial set of privileges
	List<NameValuePair> postParams = new AcePostParamsBuilder(testUserId)
	.withPrivilege(PrivilegeConstants.JCR_READ_ACCESS_CONTROL, PrivilegeValues.DENY)
	.build();
	addOrUpdateAce(testFolderUrl, postParams);

	Credentials creds = new UsernamePasswordCredentials(testUserId, "testPwd");

	//fetch the JSON for the ace to verify the settings.
	String getUrl = testFolderUrl + "/child.acl.json";
	// no declared access control entry returns a 404
	assertAuthenticatedHttpStatus(creds, getUrl, HttpServletResponse.SC_NOT_FOUND, "Did not expect an ace to be returned");
	}
	}