SLING-997 handle merges involving aggregate privileges properly
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk@915670 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java b/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java
index a12e8ac..f63b165 100644
--- a/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java
+++ b/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java
@@ -243,5 +243,197 @@
assertTrue(deniedPrivilegeNames2.contains("jcr:modifyAccessControl"));
assertTrue(deniedPrivilegeNames2.contains("jcr:removeNode"));
}
+
+
+ /**
+ * Test for SLING-997, preserve privileges that were not posted with the modifyAce
+ * request.
+ */
+ public void testMergeAceForUserSplitAggregatePrincipal() throws IOException, JSONException {
+ testUserId = createTestUser();
+ testFolderUrl = createTestFolder();
+
+ String postUrl = testFolderUrl + ".modifyAce.html";
+
+ //1. create an initial set of privileges
+ List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+ postParams.add(new NameValuePair("principalId", testUserId));
+ postParams.add(new NameValuePair("privilege@jcr:read", "granted"));
+ postParams.add(new NameValuePair("privilege@jcr:write", "denied"));
+
+ Credentials creds = new UsernamePasswordCredentials("admin", "admin");
+ assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+
+ //fetch the JSON for the acl to verify the settings.
+ String getUrl = testFolderUrl + ".acl.json";
+
+ String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+ assertNotNull(json);
+ JSONObject jsonObj = new JSONObject(json);
+ String aceString = jsonObj.getString(testUserId);
+ assertNotNull(aceString);
+
+ JSONObject aceObject = new JSONObject(aceString);
+ assertNotNull(aceObject);
+
+ JSONArray grantedArray = aceObject.getJSONArray("granted");
+ assertNotNull(grantedArray);
+ assertEquals(1, grantedArray.length());
+ Set<String> grantedPrivilegeNames = new HashSet<String>();
+ for (int i=0; i < grantedArray.length(); i++) {
+ grantedPrivilegeNames.add(grantedArray.getString(i));
+ }
+ assertTrue(grantedPrivilegeNames.contains("jcr:read"));
+
+ JSONArray deniedArray = aceObject.getJSONArray("denied");
+ assertNotNull(deniedArray);
+ assertEquals(1, deniedArray.length());
+ Set<String> deniedPrivilegeNames = new HashSet<String>();
+ for (int i=0; i < deniedArray.length(); i++) {
+ deniedPrivilegeNames.add(deniedArray.getString(i));
+ }
+ assertTrue(deniedPrivilegeNames.contains("jcr:write"));
+
+
+
+ //2. post a new set of privileges to merge with the existing privileges
+ List<NameValuePair> postParams2 = new ArrayList<NameValuePair>();
+ postParams2.add(new NameValuePair("principalId", testUserId));
+ //jcr:read is not posted, so it should remain in the granted ACE
+ postParams2.add(new NameValuePair("privilege@jcr:modifyProperties", "granted")); //add a new privilege
+ //jcr:write is not posted, but one of the aggregate privileges is now granted, so the aggregate priviledge should be disagreaged into
+ // the remaining denied privileges in the denied ACE
+
+ assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams2, null);
+
+
+ //fetch the JSON for the acl to verify the settings.
+ String json2 = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+
+ assertNotNull(json2);
+ JSONObject jsonObj2 = new JSONObject(json2);
+ String aceString2 = jsonObj2.getString(testUserId);
+ assertNotNull(aceString2);
+
+ JSONObject aceObject2 = new JSONObject(aceString2);
+ assertNotNull(aceObject2);
+
+ JSONArray grantedArray2 = aceObject2.getJSONArray("granted");
+ assertNotNull(grantedArray2);
+ assertEquals(2, grantedArray2.length());
+ Set<String> grantedPrivilegeNames2 = new HashSet<String>();
+ for (int i=0; i < grantedArray2.length(); i++) {
+ grantedPrivilegeNames2.add(grantedArray2.getString(i));
+ }
+ assertTrue(grantedPrivilegeNames2.contains("jcr:read"));
+ assertTrue(grantedPrivilegeNames2.contains("jcr:modifyProperties"));
+
+ JSONArray deniedArray2 = aceObject2.getJSONArray("denied");
+ assertNotNull(deniedArray2);
+ assertEquals(3, deniedArray2.length());
+ Set<String> deniedPrivilegeNames2 = new HashSet<String>();
+ for (int i=0; i < deniedArray2.length(); i++) {
+ deniedPrivilegeNames2.add(deniedArray2.getString(i));
+ }
+ assertFalse(deniedPrivilegeNames2.contains("jcr:write"));
+ //only the remaining privileges from the disaggregated jcr:write collection should remain.
+ assertTrue(deniedPrivilegeNames2.contains("jcr:addChildNodes"));
+ assertTrue(deniedPrivilegeNames2.contains("jcr:removeNode"));
+ assertTrue(deniedPrivilegeNames2.contains("jcr:removeChildNodes"));
+ }
+
+ /**
+ * Test for SLING-997, preserve privileges that were not posted with the modifyAce
+ * request.
+ */
+ public void testMergeAceForUserCombineAggregatePrincipal() throws IOException, JSONException {
+ testUserId = createTestUser();
+ testFolderUrl = createTestFolder();
+
+ String postUrl = testFolderUrl + ".modifyAce.html";
+
+ //1. create an initial set of privileges
+ List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+ postParams.add(new NameValuePair("principalId", testUserId));
+ postParams.add(new NameValuePair("privilege@jcr:read", "granted"));
+ postParams.add(new NameValuePair("privilege@jcr:removeNode", "denied"));
+
+ Credentials creds = new UsernamePasswordCredentials("admin", "admin");
+ assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+
+ //fetch the JSON for the acl to verify the settings.
+ String getUrl = testFolderUrl + ".acl.json";
+
+ String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+ assertNotNull(json);
+ JSONObject jsonObj = new JSONObject(json);
+ String aceString = jsonObj.getString(testUserId);
+ assertNotNull(aceString);
+
+ JSONObject aceObject = new JSONObject(aceString);
+ assertNotNull(aceObject);
+
+ JSONArray grantedArray = aceObject.getJSONArray("granted");
+ assertNotNull(grantedArray);
+ assertEquals(1, grantedArray.length());
+ Set<String> grantedPrivilegeNames = new HashSet<String>();
+ for (int i=0; i < grantedArray.length(); i++) {
+ grantedPrivilegeNames.add(grantedArray.getString(i));
+ }
+ assertTrue(grantedPrivilegeNames.contains("jcr:read"));
+
+ JSONArray deniedArray = aceObject.getJSONArray("denied");
+ assertNotNull(deniedArray);
+ assertEquals(1, deniedArray.length());
+ Set<String> deniedPrivilegeNames = new HashSet<String>();
+ for (int i=0; i < deniedArray.length(); i++) {
+ deniedPrivilegeNames.add(deniedArray.getString(i));
+ }
+ assertTrue(deniedPrivilegeNames.contains("jcr:removeNode"));
+
+
+
+ //2. post a new set of privileges to merge with the existing privileges
+ List<NameValuePair> postParams2 = new ArrayList<NameValuePair>();
+ postParams2.add(new NameValuePair("principalId", testUserId));
+ //jcr:read is not posted, so it should remain in the granted ACE
+
+ //post the remaining privileges that when combined, correspond to the jcr:write aggregate privilege
+ postParams2.add(new NameValuePair("privilege@jcr:addChildNodes", "denied")); //add a new privilege
+ postParams2.add(new NameValuePair("privilege@jcr:removeChildNodes", "denied")); //add a new privilege
+ postParams2.add(new NameValuePair("privilege@jcr:modifyProperties", "denied")); //add a new privilege
+
+ assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams2, null);
+
+
+ //fetch the JSON for the acl to verify the settings.
+ String json2 = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+
+ assertNotNull(json2);
+ JSONObject jsonObj2 = new JSONObject(json2);
+ String aceString2 = jsonObj2.getString(testUserId);
+ assertNotNull(aceString2);
+
+ JSONObject aceObject2 = new JSONObject(aceString2);
+ assertNotNull(aceObject2);
+
+ JSONArray grantedArray2 = aceObject2.getJSONArray("granted");
+ assertNotNull(grantedArray2);
+ assertEquals(1, grantedArray2.length());
+ Set<String> grantedPrivilegeNames2 = new HashSet<String>();
+ for (int i=0; i < grantedArray2.length(); i++) {
+ grantedPrivilegeNames2.add(grantedArray2.getString(i));
+ }
+ assertTrue(grantedPrivilegeNames2.contains("jcr:read"));
+
+ JSONArray deniedArray2 = aceObject2.getJSONArray("denied");
+ assertNotNull(deniedArray2);
+ assertEquals(1, deniedArray2.length());
+ Set<String> deniedPrivilegeNames2 = new HashSet<String>();
+ for (int i=0; i < deniedArray2.length(); i++) {
+ deniedPrivilegeNames2.add(deniedArray2.getString(i));
+ }
+ assertTrue(deniedPrivilegeNames2.contains("jcr:write"));
+ }
}
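Review bot: In `testMergeAceForUserSplitAggregatePrincipal` the absence of `jcr:modifyProperties` from the denied entry is only implied by `assertEquals(3, deniedArray2.length())` plus the three `contains` checks. Since a privilege ending up both granted and denied is the failure this merge must prevent, state it directly next to the existing `jcr:write` check with `assertFalse(deniedPrivilegeNames2.contains("jcr:modifyProperties"));`. The two new tests also carry the same Javadoc ("preserve privileges that were not posted"), which does not say what each one covers. The first could read `Test for SLING-997: granting one member of a denied aggregate (jcr:write) splits the aggregate into its remaining denied members.` and the second `Test for SLING-997: denying all remaining members of an aggregate collapses the denied entry back to jcr:write.`. The method names end in `AggregatePrincipal` although the aggregates under test are privileges, so `AggregatePrivilege` was presumably intended. The inline comment in the split test misspells "privilege" and "disaggregated".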