Google Git
Sign in
apache / sling-org-apache-sling-jcr-jackrabbit-accessmanager / 302c1def09d37b9c94d5081e0ba4cc80715742ea / . / src / test / java / org / apache / sling / jcr / jackrabbit / accessmanager / it / PrivilegesInfoIT.java
blob: 87aeeefff12286c7710d8aa61899d4f305cb4e24 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.sling.jcr.jackrabbit.accessmanager.it;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import javax.inject.Inject;
import javax.jcr.Node;
import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.jcr.jackrabbit.accessmanager.ModifyAce;
import org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo;
import org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo.AccessRights;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.ops4j.pax.exam.junit.PaxExam;
import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
import org.ops4j.pax.exam.spi.reactors.PerClass;
@RunWith(PaxExam.class)
@ExamReactorStrategy(PerClass.class)
public class PrivilegesInfoIT extends AccessManagerClientTestSupport {
private static final String NOT_A_REAL_PATH = "/not_a_real_path";
@Inject
private ModifyAce modifyAce;
@Inject
protected SlingRepository repository;
protected Session adminSession;
protected Session testUserSession;
private Node testNodeForAdmin;
private Node testNodeForTestUser;
@Before
public void setup() throws RepositoryException, IOException {
testUserId = createTestUser();
adminSession = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
assertNotNull("Expected adminSession to not be null", adminSession);
testNodeForAdmin = adminSession.getRootNode().addNode("testNode");
setupTestUserAce();
adminSession.save();
testUserSession = repository.login(new SimpleCredentials(testUserId, "testPwd".toCharArray()));
testNodeForTestUser = testUserSession.getNode(testNodeForAdmin.getPath());
}
protected void setupTestUserAce() throws RepositoryException {
assertNotNull(modifyAce);
Map<String, String> privilegesMap = new HashMap<>();
privilegesMap.put(PrivilegeConstants.JCR_READ, "allow");
modifyAce.modifyAce(adminSession,
testNodeForAdmin.getPath(),
testUserId,
privilegesMap,
"first",
Collections.emptyMap(),
Collections.emptyMap(),
Collections.emptySet(),
true);
}
@After
public void teardown() throws RepositoryException {
adminSession.refresh(false);
testNodeForAdmin.remove();
if (adminSession.hasPendingChanges()) {
adminSession.save();
}
adminSession.logout();
testUserSession.logout();
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getSupportedPrivileges(javax.jcr.Node)}.
*/
@Test
public void testGetSupportedPrivilegesNode() throws RepositoryException {
PrivilegesInfo pi = new PrivilegesInfo();
Privilege[] supportedPrivileges = pi.getSupportedPrivileges(testNodeForAdmin);
assertNotNull(supportedPrivileges);
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getSupportedPrivileges(javax.jcr.Session, java.lang.String)}.
*/
@Test
public void testGetSupportedPrivilegesSessionString() throws RepositoryException {
PrivilegesInfo pi = new PrivilegesInfo();
Privilege[] supportedPrivileges = pi.getSupportedPrivileges(adminSession, testNodeForAdmin.getPath());
assertNotNull(supportedPrivileges);
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getDeclaredAccessRights(javax.jcr.Node)}.
*/
@Test
public void testGetDeclaredAccessRightsNode() throws RepositoryException {
setupEveryoneAce();
PrivilegesInfo pi = new PrivilegesInfo();
Map<Principal, AccessRights> declaredAccessRights = pi.getDeclaredAccessRights(testNodeForAdmin);
Optional<Principal> findFirst = declaredAccessRights.keySet().stream()
.filter(p -> "everyone".equals(p.getName()))
.findFirst();
assertTrue(findFirst.isPresent());
AccessRights rights = declaredAccessRights.get(findFirst.get());
assertNotNull(rights);
Privilege jcrReadPrivilege = adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
assertTrue(rights.getGranted().contains(jcrReadPrivilege));
}
private Value val(int type, String value) throws RepositoryException {
return adminSession.getValueFactory().createValue(value, type);
}
private Value[] vals(int type, String ... value) throws RepositoryException {
Value[] values = new Value[value.length];
ValueFactory vf = adminSession.getValueFactory();
for (int i = 0; i < value.length; i++) {
values[i] = vf.createValue(value[i], type);
}
return values;
}
protected void setupEveryoneAce() throws RepositoryException {
assertNotNull(modifyAce);
Map<String, String> privilegesMap = new HashMap<>();
privilegesMap.put(PrivilegeConstants.JCR_READ, "allow");
privilegesMap.put(PrivilegeConstants.JCR_WRITE, "deny");
modifyAce.modifyAce(adminSession,
testNodeForAdmin.getPath(),
"everyone",
privilegesMap,
"first",
Collections.singletonMap(AccessControlConstants.REP_GLOB, val(PropertyType.STRING, "/hello")),
Collections.singletonMap(AccessControlConstants.REP_ITEM_NAMES, vals(PropertyType.NAME, "child1", "child2")),
Collections.emptySet(),
true);
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getDeclaredAccessRights(javax.jcr.Session, java.lang.String)}.
*/
@Test
public void testGetDeclaredAccessRightsSessionString() throws RepositoryException {
setupEveryoneAce();
PrivilegesInfo pi = new PrivilegesInfo();
Map<Principal, AccessRights> declaredAccessRights = pi.getDeclaredAccessRights(adminSession, testNodeForAdmin.getPath());
Optional<Principal> findFirst = declaredAccessRights.keySet().stream()
.filter(p -> "everyone".equals(p.getName()))
.findFirst();
assertTrue(findFirst.isPresent());
AccessRights rights = declaredAccessRights.get(findFirst.get());
assertNotNull(rights);
Privilege jcrReadPrivilege = adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
assertTrue(rights.getGranted().contains(jcrReadPrivilege));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getDeclaredAccessRightsForPrincipal(javax.jcr.Node, java.lang.String)}.
*/
@Test
public void testGetDeclaredAccessRightsForPrincipalNodeString() throws RepositoryException {
setupEveryoneAce();
PrivilegesInfo pi = new PrivilegesInfo();
AccessRights rights = pi.getDeclaredAccessRightsForPrincipal(testNodeForAdmin, "everyone");
assertNotNull(rights);
Privilege jcrReadPrivilege = adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
assertTrue(rights.getGranted().contains(jcrReadPrivilege));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getDeclaredAccessRightsForPrincipal(javax.jcr.Session, java.lang.String, java.lang.String)}.
*/
@Test
public void testGetDeclaredAccessRightsForPrincipalSessionStringString() throws RepositoryException {
setupEveryoneAce();
PrivilegesInfo pi = new PrivilegesInfo();
AccessRights rights = pi.getDeclaredAccessRightsForPrincipal(adminSession, testNodeForAdmin.getPath(), "everyone");
assertNotNull(rights);
Privilege jcrReadPrivilege = adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
assertTrue(rights.getGranted().contains(jcrReadPrivilege));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getDeclaredRestrictionsForPrincipal(javax.jcr.Node, java.lang.String)}.
* @deprecated api deprecated, test left for regression testing
*/
@Deprecated
@Test
public void testGetDeclaredRestrictionsForPrincipalNodeString() throws RepositoryException {
setupEveryoneAce();
PrivilegesInfo pi = new PrivilegesInfo();
Map<String, Object> restrictions = pi.getDeclaredRestrictionsForPrincipal(testNodeForAdmin, "everyone");
assertNotNull(restrictions);
assertEquals(val(PropertyType.STRING, "/hello"), restrictions.get(AccessControlConstants.REP_GLOB));
assertArrayEquals(vals(PropertyType.NAME, "child1", "child2"), (Value[])restrictions.get(AccessControlConstants.REP_ITEM_NAMES));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getDeclaredRestrictionsForPrincipal(javax.jcr.Session, java.lang.String, java.lang.String)}.
* @deprecated api deprecated, test left for regression testing
*/
@Deprecated
@Test
public void testGetDeclaredRestrictionsForPrincipalSessionStringString() throws RepositoryException {
setupEveryoneAce();
PrivilegesInfo pi = new PrivilegesInfo();
Map<String, Object> restrictions = pi.getDeclaredRestrictionsForPrincipal(adminSession, testNodeForAdmin.getPath(), "everyone");
assertNotNull(restrictions);
assertEquals(val(PropertyType.STRING, "/hello"), restrictions.get(AccessControlConstants.REP_GLOB));
assertArrayEquals(vals(PropertyType.NAME, "child1", "child2"), (Value[])restrictions.get(AccessControlConstants.REP_ITEM_NAMES));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getEffectiveAccessRights(javax.jcr.Node)}.
*/
@Test
public void testGetEffectiveAccessRightsNode() throws RepositoryException {
setupEveryoneAce();
PrivilegesInfo pi = new PrivilegesInfo();
Map<Principal, AccessRights> effectiveAccessRights = pi.getEffectiveAccessRights(adminSession, testNodeForAdmin.getPath());
Optional<Principal> findFirst = effectiveAccessRights.keySet().stream()
.filter(p -> "everyone".equals(p.getName()))
.findFirst();
assertTrue(findFirst.isPresent());
AccessRights rights = effectiveAccessRights.get(findFirst.get());
assertNotNull(rights);
Privilege jcrReadPrivilege = adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
assertTrue(rights.getGranted().contains(jcrReadPrivilege));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getEffectiveAccessRights(javax.jcr.Session, java.lang.String)}.
*/
@Test
public void testGetEffectiveAccessRightsSessionString() throws RepositoryException {
setupEveryoneAce();
PrivilegesInfo pi = new PrivilegesInfo();
Map<Principal, AccessRights> effectiveAccessRights = pi.getEffectiveAccessRights(testNodeForAdmin);
Optional<Principal> findFirst = effectiveAccessRights.keySet().stream()
.filter(p -> "everyone".equals(p.getName()))
.findFirst();
assertTrue(findFirst.isPresent());
AccessRights rights = effectiveAccessRights.get(findFirst.get());
assertNotNull(rights);
Privilege jcrReadPrivilege = adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
assertTrue(rights.getGranted().contains(jcrReadPrivilege));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getEffectiveAccessRightsForPrincipal(javax.jcr.Node, java.lang.String)}.
*/
@Test
public void testGetEffectiveAccessRightsForPrincipalNodeString() throws RepositoryException {
setupEveryoneAce();
PrivilegesInfo pi = new PrivilegesInfo();
AccessRights rights = pi.getEffectiveAccessRightsForPrincipal(testNodeForAdmin, "everyone");
assertNotNull(rights);
Privilege jcrReadPrivilege = adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
assertTrue(rights.getGranted().contains(jcrReadPrivilege));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#getEffectiveAccessRightsForPrincipal(javax.jcr.Session, java.lang.String, java.lang.String)}.
*/
@Test
public void testGetEffectiveAccessRightsForPrincipalSessionStringString() throws RepositoryException {
setupEveryoneAce();
PrivilegesInfo pi = new PrivilegesInfo();
AccessRights rights = pi.getEffectiveAccessRightsForPrincipal(adminSession, testNodeForAdmin.getPath(), "everyone");
assertNotNull(rights);
Privilege jcrReadPrivilege = adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
assertTrue(rights.getGranted().contains(jcrReadPrivilege));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canAddChildren(javax.jcr.Node)}.
*/
@Test
public void testCanAddChildrenNode() {
PrivilegesInfo pi = new PrivilegesInfo();
assertTrue(pi.canAddChildren(testNodeForAdmin));
assertFalse(pi.canAddChildren(testNodeForTestUser));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canAddChildren(javax.jcr.Session, java.lang.String)}.
*/
@Test
public void testCanAddChildrenSessionString() throws RepositoryException {
PrivilegesInfo pi = new PrivilegesInfo();
assertTrue(pi.canAddChildren(adminSession, testNodeForAdmin.getPath()));
assertFalse(pi.canAddChildren(testUserSession, testNodeForTestUser.getPath()));
assertFalse(pi.canAddChildren(testUserSession, NOT_A_REAL_PATH));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canDeleteChildren(javax.jcr.Node)}.
*/
@Test
public void testCanDeleteChildrenNode() {
PrivilegesInfo pi = new PrivilegesInfo();
assertTrue(pi.canDeleteChildren(testNodeForAdmin));
assertFalse(pi.canDeleteChildren(testNodeForTestUser));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canDeleteChildren(javax.jcr.Session, java.lang.String)}.
*/
@Test
public void testCanDeleteChildrenSessionString() throws RepositoryException {
PrivilegesInfo pi = new PrivilegesInfo();
assertTrue(pi.canDeleteChildren(adminSession, testNodeForAdmin.getPath()));
assertFalse(pi.canDeleteChildren(testUserSession, testNodeForTestUser.getPath()));
assertFalse(pi.canDeleteChildren(testUserSession, NOT_A_REAL_PATH));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canDelete(javax.jcr.Node)}.
*/
@Test
public void testCanDeleteNode() {
PrivilegesInfo pi = new PrivilegesInfo();
assertTrue(pi.canDelete(testNodeForAdmin));
assertFalse(pi.canDelete(testNodeForTestUser));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canDelete(javax.jcr.Session, java.lang.String)}.
*/
@Test
public void testCanDeleteSessionString() throws RepositoryException {
PrivilegesInfo pi = new PrivilegesInfo();
assertTrue(pi.canDelete(adminSession, testNodeForAdmin.getPath()));
assertFalse(pi.canDelete(testUserSession, testNodeForTestUser.getPath()));
assertFalse(pi.canDelete(testUserSession, NOT_A_REAL_PATH));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canModifyProperties(javax.jcr.Node)}.
*/
@Test
public void testCanModifyPropertiesNode() {
PrivilegesInfo pi = new PrivilegesInfo();
assertTrue(pi.canModifyProperties(testNodeForAdmin));
assertFalse(pi.canModifyProperties(testNodeForTestUser));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canModifyProperties(javax.jcr.Session, java.lang.String)}.
*/
@Test
public void testCanModifyPropertiesSessionString() throws RepositoryException {
PrivilegesInfo pi = new PrivilegesInfo();
assertTrue(pi.canModifyProperties(adminSession, testNodeForAdmin.getPath()));
assertFalse(pi.canModifyProperties(testUserSession, testNodeForTestUser.getPath()));
assertFalse(pi.canModifyProperties(testUserSession, NOT_A_REAL_PATH));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canReadAccessControl(javax.jcr.Node)}.
*/
@Test
public void testCanReadAccessControlNode() {
PrivilegesInfo pi = new PrivilegesInfo();
assertTrue(pi.canReadAccessControl(testNodeForAdmin));
assertFalse(pi.canReadAccessControl(testNodeForTestUser));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canReadAccessControl(javax.jcr.Session, java.lang.String)}.
*/
@Test
public void testCanReadAccessControlSessionString() throws RepositoryException {
PrivilegesInfo pi = new PrivilegesInfo();
assertTrue(pi.canReadAccessControl(adminSession, testNodeForAdmin.getPath()));
assertFalse(pi.canReadAccessControl(testUserSession, testNodeForTestUser.getPath()));
assertFalse(pi.canReadAccessControl(testUserSession, NOT_A_REAL_PATH));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canModifyAccessControl(javax.jcr.Node)}.
*/
@Test
public void testCanModifyAccessControlNode() {
PrivilegesInfo pi = new PrivilegesInfo();
assertTrue(pi.canModifyAccessControl(testNodeForAdmin));
assertFalse(pi.canModifyAccessControl(testNodeForTestUser));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo#canModifyAccessControl(javax.jcr.Session, java.lang.String)}.
*/
@Test
public void testCanModifyAccessControlSessionString() throws RepositoryException {
PrivilegesInfo pi = new PrivilegesInfo();
assertTrue(pi.canModifyAccessControl(adminSession, testNodeForAdmin.getPath()));
assertFalse(pi.canModifyAccessControl(testUserSession, testNodeForTestUser.getPath()));
assertFalse(pi.canModifyAccessControl(testUserSession, NOT_A_REAL_PATH));
}
protected AccessRights setupAccessRights() throws RepositoryException {
AccessRights rights = new AccessRights();
Privilege jcrReadPrivilege = adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ);
rights.getGranted().add(jcrReadPrivilege);
Privilege jcrWritePrivilege = adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_WRITE);
rights.getDenied().add(jcrWritePrivilege);
return rights;
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo.AccessRights#getGranted()}.
*/
@Test
public void testGetGranted() throws RepositoryException {
AccessRights rights = setupAccessRights();
assertTrue(rights.getGranted().contains(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ)));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo.AccessRights#getDenied()}.
*/
@Test
public void testGetDenied() throws RepositoryException {
AccessRights rights = setupAccessRights();
assertTrue(rights.getDenied().contains(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_WRITE)));
}
/**
* Test method for {@link org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo.AccessRights#getPrivilegeSetDisplayName(java.util.Locale)}.
*/
@Test
public void testGetPrivilegeSetDisplayName() throws RepositoryException {
AccessRights rights = new AccessRights();
//none
assertEquals("None", rights.getPrivilegeSetDisplayName(Locale.getDefault()));
//all
rights.getGranted().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_ALL));
assertEquals("Full Control", rights.getPrivilegeSetDisplayName(Locale.getDefault()));
//read-only
rights.getGranted().clear();
rights.getGranted().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ));
assertEquals("Read Only", rights.getPrivilegeSetDisplayName(Locale.getDefault()));
//read-write
rights.getGranted().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_WRITE));
assertEquals("Read/Write", rights.getPrivilegeSetDisplayName(Locale.getDefault()));
//custom
rights.getGranted().clear();
rights.getGranted().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
assertEquals("Custom", rights.getPrivilegeSetDisplayName(Locale.getDefault()));
//custom
rights.getGranted().clear();
rights.getGranted().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ));
rights.getGranted().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
assertEquals("Custom", rights.getPrivilegeSetDisplayName(Locale.getDefault()));
//custom
rights.getGranted().clear();
rights.getDenied().add(adminSession.getAccessControlManager().privilegeFromName(PrivilegeConstants.JCR_WRITE));
assertEquals("Custom", rights.getPrivilegeSetDisplayName(Locale.getDefault()));
}
}