private static NodeUtil createACE(NodeUtil acl, String aceName, String ntName, String principalName, String... privilegeNames) throws AccessDeniedException { NodeUtil ace = acl.addChild(aceName, ntName); ace.setString(REP_PRINCIPAL_NAME, principalName); ace.setNames(REP_PRIVILEGES, privilegeNames); return ace; }
private NodeUtil createAcl() throws AccessDeniedException { NodeUtil testRoot = getTestRoot(); testRoot.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_ACCESS_CONTROLLABLE); NodeUtil acl = testRoot.addChild(REP_POLICY, NT_REP_ACL); NodeUtil ace = createACE(acl, aceName, NT_REP_GRANT_ACE, testPrincipal.getName(), PrivilegeConstants.JCR_READ); ace.addChild(REP_RESTRICTIONS, NT_REP_RESTRICTIONS); return acl; }
@Test public void testOnlyRootIsRepoAccessControllable() { NodeUtil testRoot = getTestRoot(); testRoot.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_REPO_ACCESS_CONTROLLABLE); try { root.commit(); fail("Only the root node can be made RepoAccessControllable."); } catch (CommitFailedException e) { // success assertTrue(e.isAccessControlViolation()); assertThat(e.getMessage(), containsString("/testRoot")); } }
@Test public void testGetPolicyWithInvalidPrincipal() throws Exception { ACL policy = getApplicablePolicy(testPath); policy.addEntry(testPrincipal, testPrivileges, true, getGlobRestriction("*")); acMgr.setPolicy(testPath, policy); NodeUtil aclNode = new NodeUtil(root.getTree(testPath + '/' + REP_POLICY)); NodeUtil aceNode = aclNode.addChild("testACE", NT_REP_DENY_ACE); aceNode.setString(REP_PRINCIPAL_NAME, "invalidPrincipal"); aceNode.setNames(REP_PRIVILEGES, PrivilegeConstants.JCR_READ); // reading policies with unknown principal name should not fail. AccessControlPolicy[] policies = acMgr.getPolicies(testPath); assertNotNull(policies); assertEquals(1, policies.length); ACL acl = (ACL) policies[0]; List<String> principalNames = new ArrayList<String>(); for (AccessControlEntry ace : acl.getEntries()) { principalNames.add(ace.getPrincipal().getName()); } assertTrue(principalNames.remove("invalidPrincipal")); assertTrue(principalNames.remove(testPrincipal.getName())); assertTrue(principalNames.isEmpty()); }
@Test public void testPolicyWithOutChildOrder() throws AccessDeniedException { NodeUtil testRoot = getTestRoot(); testRoot.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_ACCESS_CONTROLLABLE); testRoot.addChild(REP_POLICY, NT_REP_ACL); try { root.commit(); fail("Policy node with child node ordering"); } catch (CommitFailedException e) { // success assertTrue(e.isAccessControlViolation()); assertThat(e.getMessage(), containsString("OakAccessControl0004")); // Order of children is not stable assertThat(e.getMessage(), containsString("/testRoot/rep:policy")); } }
@Test public void testGetApplicablePoliciesOnAccessControllable() throws Exception { NodeUtil node = new NodeUtil(root.getTree(testPath)); node.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_ACCESS_CONTROLLABLE); AccessControlPolicyIterator itr = acMgr.getApplicablePolicies(testPath); assertNotNull(itr); assertTrue(itr.hasNext()); }
@Test public void testReorderAndAddAce() throws Exception { Tree entry = getEntry(testPrincipal, testPath, 0); assertIndex(0, entry); Tree aclTree = root.getTree(testPath + "/rep:policy"); // reorder aclTree.getChildren().iterator().next().orderBefore(null); // add a new entry NodeUtil ace = new NodeUtil(aclTree).addChild("denyEveryoneLockMgt", NT_REP_DENY_ACE); ace.setString(REP_PRINCIPAL_NAME, EveryonePrincipal.NAME); ace.setNames(AccessControlConstants.REP_PRIVILEGES, JCR_LOCK_MANAGEMENT); root.commit(); entry = getEntry(testPrincipal, testPath, 1); assertIndex(1, entry); }
@Test public void testReorderAddAndRemoveAces() throws Exception { Tree entry = getEntry(testPrincipal, testPath, 0); assertIndex(0, entry); Tree aclTree = root.getTree(testPath + "/rep:policy"); // reorder testPrincipal entry to the end aclTree.getChildren().iterator().next().orderBefore(null); Iterator<Tree> aceIt = aclTree.getChildren().iterator(); // remove the everyone entry aceIt.next().remove(); // remember the name of the testPrincipal entry. String name = aceIt.next().getName(); // add a new entry NodeUtil ace = new NodeUtil(aclTree).addChild("denyEveryoneLockMgt", NT_REP_DENY_ACE); ace.setString(REP_PRINCIPAL_NAME, EveryonePrincipal.NAME); ace.setNames(AccessControlConstants.REP_PRIVILEGES, JCR_LOCK_MANAGEMENT); // reorder the new entry before the remaining existing entry ace.getTree().orderBefore(name); root.commit(); entry = getEntry(testPrincipal, testPath, 1); assertIndex(1, entry); }
@Test public void testInvalidDeclaredAggregate() throws Exception { NodeUtil privilegeDefs = new NodeUtil(root.getTree(PRIVILEGES_PATH)); NodeUtil privDef = privilegeDefs.addChild("test", NT_REP_PRIVILEGE); privDef.setNames(REP_AGGREGATES, JCR_READ, "invalid"); Privilege p = getPrivilegeManager(root).getPrivilege("test"); assertAggregation(p.getDeclaredAggregatePrivileges(), JCR_READ); }
@Test public void testCyclicDeclaredAggregate() throws Exception { NodeUtil privilegeDefs = new NodeUtil(root.getTree(PRIVILEGES_PATH)); NodeUtil privDef = privilegeDefs.addChild("test", NT_REP_PRIVILEGE); privDef.setNames(REP_AGGREGATES, JCR_READ, "test"); Privilege p = getPrivilegeManager(root).getPrivilege("test"); assertAggregation(p.getDeclaredAggregatePrivileges(), JCR_READ); } }
@Test public void testAddInvalidRepoPolicy() throws Exception { NodeUtil testRoot = getTestRoot(); testRoot.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_ACCESS_CONTROLLABLE); NodeUtil policy = getTestRoot().addChild(REP_REPO_POLICY, NT_REP_ACL); try { root.commit(); fail("Attempt to add repo-policy with rep:AccessControllable node."); } catch (CommitFailedException e) { // success assertTrue(e.isAccessControlViolation()); assertThat(e.getMessage(), containsString("/testRoot")); } finally { policy.getTree().remove(); } }
@Test public void testDuplicateAce() throws Exception { AccessControlManager acMgr = getAccessControlManager(root); JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath); acl.addAccessControlEntry(testPrincipal, privilegesFromNames(PrivilegeConstants.JCR_ADD_CHILD_NODES)); acMgr.setPolicy(testPath, acl); // add duplicate ac-entry on OAK-API NodeUtil policy = new NodeUtil(root.getTree(testPath + "/rep:policy")); NodeUtil ace = policy.addChild("duplicateAce", NT_REP_GRANT_ACE); ace.setString(REP_PRINCIPAL_NAME, testPrincipal.getName()); ace.setNames(AccessControlConstants.REP_PRIVILEGES, PrivilegeConstants.JCR_ADD_CHILD_NODES); try { root.commit(); fail("Creating duplicate ACE must be detected"); } catch (CommitFailedException e) { assertTrue(e.isAccessControlViolation()); assertThat(e.getMessage(), containsString("/testRoot/rep:policy/duplicateAce")); } }
@Test public void testReadRestrictions() throws Exception { NodeUtil aceNode = new NodeUtil(root.getTree("/")).addChild("test", NT_REP_GRANT_ACE); aceNode.setBoolean("boolean", true); aceNode.setValues("longs", new Value[] {vf.createValue(10), vf.createValue(290)}); aceNode.setString(REP_GLOB, "*"); aceNode.setNames(REP_NT_NAMES); // empty array aceNode.setString("invalid", "val"); aceNode.setStrings("invalid2", "val1", "val2", "val3"); Set<Restriction> restrictions = provider.readRestrictions("/test", aceNode.getTree()); assertEquals(4, restrictions.size()); for (Restriction r : restrictions) { String name = r.getDefinition().getName(); if (!supported.contains(name)) { fail("read unsupported restriction"); } } }
@Test public void testValidateRestrictionsAtEntryNode() throws Exception { NodeUtil aceNode = new NodeUtil(root.getTree("/")).addChild("test", NT_REP_GRANT_ACE); aceNode.setBoolean("boolean", true); aceNode.setValues("longs", new Value[] {vf.createValue(10), vf.createValue(290)}); aceNode.setString(REP_GLOB, "*"); aceNode.setNames(REP_NT_NAMES); // empty array provider.validateRestrictions("/test", aceNode.getTree()); }
@Test public void testCugPolicyWithDifferentName() throws Exception { node.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_CUG_MIXIN); NodeUtil cug = node.addChild("anotherName", NT_REP_CUG_POLICY); cug.setStrings(REP_PRINCIPAL_NAMES, EveryonePrincipal.NAME); try { root.commit(); fail(); } catch (CommitFailedException e) { assertTrue(e.isAccessControlViolation()); assertEquals(23, e.getCode()); } finally { root.refresh(); } }
@Test public void testChangePrimaryTypeOfCug() throws Exception { node.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_CUG_MIXIN); NodeUtil cug = node.addChild(REP_CUG_POLICY, NT_REP_CUG_POLICY); cug.setStrings(REP_PRINCIPAL_NAMES, EveryonePrincipal.NAME); root.commit(); try { cug.setName(JcrConstants.JCR_PRIMARYTYPE, NodeTypeConstants.NT_OAK_UNSTRUCTURED); root.commit(); fail(); } catch (CommitFailedException e) { assertTrue(e.isAccessControlViolation()); assertEquals(21, e.getCode()); } }
@Test public void testRemoveMixin() throws Exception { node.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_CUG_MIXIN); NodeUtil cug = node.addChild(REP_CUG_POLICY, NT_REP_CUG_POLICY); cug.setStrings(REP_PRINCIPAL_NAMES, EveryonePrincipal.NAME); root.commit(); try { node.removeProperty(JcrConstants.JCR_MIXINTYPES); root.commit(); fail(); } catch (CommitFailedException e) { assertTrue(e.isAccessControlViolation()); assertEquals(22, e.getCode()); } finally { root.refresh(); } }
@Test public void testCanReadProperties2() throws Exception { AccessControlManager acMgr = getAccessControlManager(root); JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/test"); acl.addEntry(getTestUser().getPrincipal(), privilegesFromNames(PrivilegeConstants.JCR_READ), true); acMgr.setPolicy("/test", acl); root.commit(); Tree policyTree = root.getTree("/test/rep:policy"); NodeUtil ace = new NodeUtil(policyTree).addChild("ace2", NT_REP_DENY_ACE); ace.setNames(REP_PRIVILEGES, PrivilegeConstants.REP_READ_PROPERTIES); ace.setString(REP_PRINCIPAL_NAME, getTestUser().getPrincipal().getName()); root.commit(); TreePermission tp = getTreePermission("/test"); assertFalse(tp.canReadProperties()); assertTrue(tp.canRead()); assertFalse(tp.canReadProperties()); } }
rNode.setValues("longs", new Value[] {vf.createValue(10), vf.createValue(290)}); rNode.setString(REP_GLOB, "*"); rNode.setNames(REP_NT_NAMES); // empty array