incubator-sling-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From enor...@apache.org
Subject svn commit: r1396899 - in /sling/trunk: bundles/jcr/jackrabbit-accessmanager/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/ launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/
Date Thu, 11 Oct 2012 04:12:29 GMT
Author: enorman
Date: Thu Oct 11 04:12:29 2012
New Revision: 1396899

URL: http://svn.apache.org/viewvc?rev=1396899&view=rev
Log:
SLING-2600 Attempt #2. Effective ACL servlet returns incorrect information.  Merge the information
from the applicable access control entries to produce the eacl JSON output.  + a few unit
tests

Modified:
    sling/trunk/bundles/jcr/jackrabbit-accessmanager/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/AbstractGetAclServlet.java
    sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/GetAclTest.java

Modified: sling/trunk/bundles/jcr/jackrabbit-accessmanager/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/AbstractGetAclServlet.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/jcr/jackrabbit-accessmanager/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/AbstractGetAclServlet.java?rev=1396899&r1=1396898&r2=1396899&view=diff
==============================================================================
--- sling/trunk/bundles/jcr/jackrabbit-accessmanager/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/AbstractGetAclServlet.java
(original)
+++ sling/trunk/bundles/jcr/jackrabbit-accessmanager/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/AbstractGetAclServlet.java
Thu Oct 11 04:12:29 2012
@@ -19,6 +19,9 @@ package org.apache.sling.jcr.jackrabbit.
 import java.io.IOException;
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -31,6 +34,7 @@ import javax.jcr.Item;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
 import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.Privilege;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletResponse;
@@ -111,9 +115,29 @@ public abstract class AbstractGetAclServ
 			throw new ResourceNotFoundException("Resource is not a JCR Node");
 		}
 
+		// Calculate a map of privileges to all the aggregate privileges it is contained in.
+		// Use for fast lookup during the mergePrivilegeSets calls below.
+        AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(jcrSession);
+		Map<Privilege, Set<Privilege>> privilegeToAncestorMap = new HashMap<Privilege,
Set<Privilege>>();
+        Privilege[] supportedPrivileges = accessControlManager.getSupportedPrivileges(item.getPath());
+        for (Privilege privilege : supportedPrivileges) {
+			if (privilege.isAggregate()) {
+				Privilege[] ap = privilege.getAggregatePrivileges();
+				for (Privilege privilege2 : ap) {
+					Set<Privilege> set = privilegeToAncestorMap.get(privilege2);
+					if (set == null) {
+						set = new HashSet<Privilege>();
+						privilegeToAncestorMap.put(privilege2, set);
+					}
+					set.add(privilege);
+				}
+			}
+		}
+
         AccessControlEntry[] declaredAccessControlEntries = getAccessControlEntries(jcrSession,
resourcePath);
         Map<String, Map<String, Object>> aclMap = new LinkedHashMap<String,
Map<String,Object>>();
-            int sequence = 0;
+        int sequence = 0;
+
         for (AccessControlEntry ace : declaredAccessControlEntries) {
             Principal principal = ace.getPrincipal();
             Map<String, Object> map = aclMap.get(principal.getName());
@@ -122,27 +146,39 @@ public abstract class AbstractGetAclServ
                 aclMap.put(principal.getName(), map);
                 map.put("order", sequence++);
             }
+        }
+        //evaluate these in reverse order so the most entries with highest specificity are
last
+        for (int i = declaredAccessControlEntries.length - 1; i >= 0; i--) {
+			AccessControlEntry ace = declaredAccessControlEntries[i];
+
+			Principal principal = ace.getPrincipal();
+            Map<String, Object> map = aclMap.get(principal.getName());
+			
+            Set<Privilege> grantedSet = (Set<Privilege>) map.get("granted");
+            if (grantedSet == null) {
+                grantedSet = new LinkedHashSet<Privilege>();
+                map.put("granted", grantedSet);
+            }
+            Set<Privilege> deniedSet = (Set<Privilege>) map.get("denied");
+            if (deniedSet == null) {
+                deniedSet = new LinkedHashSet<Privilege>();
+                map.put("denied", deniedSet);
+            }
 
             boolean allow = AccessControlUtil.isAllow(ace);
             if (allow) {
-                Set<String> grantedSet = (Set<String>) map.get("granted");
-                if (grantedSet == null) {
-                    grantedSet = new LinkedHashSet<String>();
-                    map.put("granted", grantedSet);
-                }
                 Privilege[] privileges = ace.getPrivileges();
                 for (Privilege privilege : privileges) {
-                    grantedSet.add(privilege.getName());
+                	mergePrivilegeSets(privilege, 
+                			privilegeToAncestorMap,
+							grantedSet, deniedSet);
                 }
             } else {
-                Set<String> deniedSet = (Set<String>) map.get("denied");
-                if (deniedSet == null) {
-                    deniedSet = new LinkedHashSet<String>();
-                    map.put("denied", deniedSet);
-                }
                 Privilege[] privileges = ace.getPrivileges();
                 for (Privilege privilege : privileges) {
-                    deniedSet.add(privilege.getName());
+                	mergePrivilegeSets(privilege, 
+                			privilegeToAncestorMap,
+							deniedSet, grantedSet);
                 }
             }
         }
@@ -157,12 +193,12 @@ public abstract class AbstractGetAclServ
             aceObject.put("principal", principalName);
 
             Set<String> grantedSet = (Set<String>) value.get("granted");
-            if (grantedSet != null) {
+            if (grantedSet != null && !grantedSet.isEmpty()) {
                 aceObject.put("granted", grantedSet);
             }
 
             Set<String> deniedSet = (Set<String>) value.get("denied");
-            if (deniedSet != null) {
+            if (deniedSet != null && !deniedSet.isEmpty()) {
                 aceObject.put("denied", deniedSet);
             }
             aceObject.put("order", value.get("order"));
@@ -175,6 +211,87 @@ public abstract class AbstractGetAclServ
         
         return jsonAclMap;
     }
+
+	/**
+	 * Update the granted and denied privilege sets by merging the result of adding
+	 * the supplied privilege.
+	 */
+	private void mergePrivilegeSets(Privilege privilege,
+			Map<Privilege, Set<Privilege>> privilegeToAncestorMap,
+			Set<Privilege> firstSet, Set<Privilege> secondSet) {
+		//1. remove duplicates and invalid privileges from the list
+		if (privilege.isAggregate()) {
+			Privilege[] aggregatePrivileges = privilege.getAggregatePrivileges();
+			//remove duplicates from the granted set
+			List<Privilege> asList = Arrays.asList(aggregatePrivileges);
+			firstSet.removeAll(asList);
+			
+			//remove from the denied set
+			secondSet.removeAll(asList);
+		}
+		secondSet.remove(privilege);
+
+		//2. check if the privilege is already contained in another granted privilege
+		boolean isAlreadyGranted = false;
+		Set<Privilege> ancestorSet = privilegeToAncestorMap.get(privilege);
+		if (ancestorSet != null) {
+			for (Privilege privilege2 : ancestorSet) {
+				if (firstSet.contains(privilege2)) {
+					isAlreadyGranted = true;
+					break;
+				}
+			}
+		}
+
+		//3. add the privilege
+		if (!isAlreadyGranted) {
+		    firstSet.add(privilege);
+		}
+
+		//4. Deal with expanding existing aggregate privileges to remove the invalid
+		//  items and add the valid ones.
+		Set<Privilege> filterSet = privilegeToAncestorMap.get(privilege);
+		if (filterSet != null) {    	
+	    	//re-pack the denied set to compensate 
+	    	for (Privilege privilege2 : filterSet) {
+	    		if (secondSet.contains(privilege2)) {
+	    			secondSet.remove(privilege2);
+	    			if (privilege2.isAggregate()) {
+		    			filterAndMergePrivilegesFromAggregate(privilege2, 
+		    					firstSet, secondSet, filterSet, privilege);
+	    			}
+	    		}
+			}
+		}
+	}
+
+	/**
+	 * Add all the declared aggregate privileges from the supplied privilege to the secondSet
+	 * unless the privilege is already in the firstSet and not contained in the supplied filterSet.
+	 */
+	private void filterAndMergePrivilegesFromAggregate(Privilege privilege, Set<Privilege>
firstSet,
+			Set<Privilege> secondSet, Set<Privilege> filterSet, Privilege ignorePrivilege)
{
+		Privilege[] declaredAggregatePrivileges = privilege.getDeclaredAggregatePrivileges();
+		for (Privilege privilege3 : declaredAggregatePrivileges) {
+			if (ignorePrivilege.equals(privilege3)) {
+				continue; //skip it.
+			}
+			if (!firstSet.contains(privilege3) && !filterSet.contains(privilege3)) {
+				secondSet.add(privilege3);
+			}
+			if (privilege3.isAggregate()) {
+				Privilege[] declaredAggregatePrivileges2 = privilege3.getDeclaredAggregatePrivileges();
+				for (Privilege privilege2 : declaredAggregatePrivileges2) {
+					if (!ignorePrivilege.equals(privilege2)) {
+						if (privilege2.isAggregate()) {
+							filterAndMergePrivilegesFromAggregate(privilege2, 
+									firstSet, secondSet, filterSet, ignorePrivilege);
+						}
+					}
+				}
+			}
+		}
+	}
     
     protected abstract AccessControlEntry[] getAccessControlEntries(Session session, String
absPath) throws RepositoryException;
 

Modified: sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/GetAclTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/GetAclTest.java?rev=1396899&r1=1396898&r2=1396899&view=diff
==============================================================================
--- sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/GetAclTest.java
(original)
+++ sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/GetAclTest.java
Thu Oct 11 04:12:29 2012
@@ -137,4 +137,422 @@ public class GetAclTest extends Abstract
 		assertNull(deniedArray2);
 	
 	}
+
+	/**
+	 * Test for SLING-2600, Effective ACL servlet returns incorrect information
+	 */
+	public void testEffectiveAclMergeForUser_ReplacePrivilegeOnChild() throws IOException, JSONException
{
+		testUserId = createTestUser();
+		
+		String testFolderUrl = createTestFolder("{ 'jcr:primaryType': 'nt:unstructured', 'propOne'
: 'propOneValue', 'child' : { 'childPropOne' : true } }");
+		
+        String postUrl = testFolderUrl + ".modifyAce.html";
+
+        //1. create an initial set of privileges
+		List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:write", "denied"));
+		
+		Credentials creds = new UsernamePasswordCredentials("admin", "admin");
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:write", "granted"));
+		
+        postUrl = testFolderUrl + "/child.modifyAce.html";
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+
+		
+		//fetch the JSON for the eacl to verify the settings.
+		String getUrl = testFolderUrl + "/child.eacl.json";
+
+		String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+		assertNotNull(json);
+		JSONObject jsonObject = new JSONObject(json);
+		
+		JSONObject aceObject = jsonObject.optJSONObject(testUserId);
+		assertNotNull(aceObject);
+
+		String principalString = aceObject.optString("principal");
+		assertEquals(testUserId, principalString);
+		
+		JSONArray grantedArray = aceObject.optJSONArray("granted");
+		assertNotNull(grantedArray);
+		assertEquals(1, grantedArray.length());
+		Set<String> grantedPrivilegeNames = new HashSet<String>();
+		for (int i=0; i < grantedArray.length(); i++) {
+			grantedPrivilegeNames.add(grantedArray.getString(i));
+		}
+		assertTrue(grantedPrivilegeNames.contains("jcr:write"));
+
+		JSONArray deniedArray = aceObject.optJSONArray("denied");
+		assertNull(deniedArray);
+	}
+	
+	/**
+	 * Test for SLING-2600, Effective ACL servlet returns incorrect information
+	 */
+	public void testEffectiveAclMergeForUser_FewerPrivilegesGrantedOnChild() throws IOException,
JSONException {
+		testUserId = createTestUser();
+		
+		String testFolderUrl = createTestFolder("{ 'jcr:primaryType': 'nt:unstructured', 'propOne'
: 'propOneValue', 'child' : { 'childPropOne' : true } }");
+		
+        String postUrl = testFolderUrl + ".modifyAce.html";
+
+        //1. create an initial set of privileges
+		List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:all", "granted"));
+		
+		Credentials creds = new UsernamePasswordCredentials("admin", "admin");
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:write", "granted"));
+		
+        postUrl = testFolderUrl + "/child.modifyAce.html";
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+
+		
+		//fetch the JSON for the eacl to verify the settings.
+		String getUrl = testFolderUrl + "/child.eacl.json";
+
+		String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+		assertNotNull(json);
+		JSONObject jsonObject = new JSONObject(json);
+		
+		JSONObject aceObject = jsonObject.optJSONObject(testUserId);
+		assertNotNull(aceObject);
+
+		String principalString = aceObject.optString("principal");
+		assertEquals(testUserId, principalString);
+		
+		JSONArray grantedArray = aceObject.optJSONArray("granted");
+		assertNotNull(grantedArray);
+		assertEquals(1, grantedArray.length());
+		Set<String> grantedPrivilegeNames = new HashSet<String>();
+		for (int i=0; i < grantedArray.length(); i++) {
+			grantedPrivilegeNames.add(grantedArray.getString(i));
+		}
+		assertTrue(grantedPrivilegeNames.contains("jcr:all"));
+
+		JSONArray deniedArray = aceObject.optJSONArray("denied");
+		assertNull(deniedArray);
+	}
+
+	/**
+	 * Test for SLING-2600, Effective ACL servlet returns incorrect information
+	 */
+	public void testEffectiveAclMergeForUser_MorePrivilegesGrantedOnChild() throws IOException,
JSONException {
+		testUserId = createTestUser();
+		
+		String testFolderUrl = createTestFolder("{ 'jcr:primaryType': 'nt:unstructured', 'propOne'
: 'propOneValue', 'child' : { 'childPropOne' : true } }");
+		
+        String postUrl = testFolderUrl + ".modifyAce.html";
+
+        //1. create an initial set of privileges
+		List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:write", "granted"));
+		
+		Credentials creds = new UsernamePasswordCredentials("admin", "admin");
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:all", "granted"));
+		
+        postUrl = testFolderUrl + "/child.modifyAce.html";
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+
+		
+		//fetch the JSON for the eacl to verify the settings.
+		String getUrl = testFolderUrl + "/child.eacl.json";
+
+		String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+		assertNotNull(json);
+		JSONObject jsonObject = new JSONObject(json);
+		
+		JSONObject aceObject = jsonObject.optJSONObject(testUserId);
+		assertNotNull(aceObject);
+
+		String principalString = aceObject.optString("principal");
+		assertEquals(testUserId, principalString);
+		
+		JSONArray grantedArray = aceObject.optJSONArray("granted");
+		assertNotNull(grantedArray);
+		assertEquals(1, grantedArray.length());
+		Set<String> grantedPrivilegeNames = new HashSet<String>();
+		for (int i=0; i < grantedArray.length(); i++) {
+			grantedPrivilegeNames.add(grantedArray.getString(i));
+		}
+		assertTrue(grantedPrivilegeNames.contains("jcr:all"));
+
+		JSONArray deniedArray = aceObject.optJSONArray("denied");
+		assertNull(deniedArray);
+	}
+
+	/**
+	 * Test for SLING-2600, Effective ACL servlet returns incorrect information
+	 */
+	public void testEffectiveAclMergeForUser_SubsetOfPrivilegesDeniedOnChild() throws IOException,
JSONException {
+		testUserId = createTestUser();
+		
+		String testFolderUrl = createTestFolder("{ 'jcr:primaryType': 'nt:unstructured', 'propOne'
: 'propOneValue', 'child' : { 'childPropOne' : true } }");
+		
+        String postUrl = testFolderUrl + ".modifyAce.html";
+
+        //1. create an initial set of privileges
+		List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:all", "granted"));
+		
+		Credentials creds = new UsernamePasswordCredentials("admin", "admin");
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:write", "denied"));
+		
+        postUrl = testFolderUrl + "/child.modifyAce.html";
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+
+		
+		//fetch the JSON for the eacl to verify the settings.
+		String getUrl = testFolderUrl + "/child.eacl.json";
+
+		String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+		assertNotNull(json);
+		JSONObject jsonObject = new JSONObject(json);
+		
+		JSONObject aceObject = jsonObject.optJSONObject(testUserId);
+		assertNotNull(aceObject);
+
+		String principalString = aceObject.optString("principal");
+		assertEquals(testUserId, principalString);
+		
+		JSONArray grantedArray = aceObject.optJSONArray("granted");
+		assertNotNull(grantedArray);
+		assertTrue(grantedArray.length() >= 8);
+		Set<String> grantedPrivilegeNames = new HashSet<String>();
+		for (int i=0; i < grantedArray.length(); i++) {
+			grantedPrivilegeNames.add(grantedArray.getString(i));
+		}
+		assertFalse(grantedPrivilegeNames.contains("jcr:all"));
+		assertFalse(grantedPrivilegeNames.contains("jcr:write"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:read"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:readAccessControl"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:modifyAccessControl"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:lockManagement"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:versionManagement"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:nodeTypeManagement"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:retentionManagement"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:lifecycleManagement"));
+		//jcr:write aggregate privileges should be denied
+		assertFalse(grantedPrivilegeNames.contains("jcr:modifyProperties"));
+		assertFalse(grantedPrivilegeNames.contains("jcr:addChildNodes"));
+		assertFalse(grantedPrivilegeNames.contains("jcr:removeNode"));
+		assertFalse(grantedPrivilegeNames.contains("jcr:removeChildNodes"));
+		
+		
+		JSONArray deniedArray = aceObject.optJSONArray("denied");
+		assertNotNull(deniedArray);
+		assertEquals(1, deniedArray.length());
+		Set<String> deniedPrivilegeNames = new HashSet<String>();
+		for (int i=0; i < deniedArray.length(); i++) {
+			deniedPrivilegeNames.add(deniedArray.getString(i));
+		}
+		assertTrue(deniedPrivilegeNames.contains("jcr:write"));
+	}
+
+	/**
+	 * Test for SLING-2600, Effective ACL servlet returns incorrect information
+	 */
+	public void testEffectiveAclMergeForUser_SubsetOfPrivilegesDeniedOnChild2() throws IOException,
JSONException {
+		testUserId = createTestUser();
+		
+		String testFolderUrl = createTestFolder("{ 'jcr:primaryType': 'nt:unstructured', 'propOne'
: 'propOneValue', 'child' : { 'childPropOne' : true } }");
+		
+        String postUrl = testFolderUrl + ".modifyAce.html";
+
+        //1. create an initial set of privileges
+		List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:all", "granted"));
+		
+		Credentials creds = new UsernamePasswordCredentials("admin", "admin");
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:removeNode", "denied"));
+		
+        postUrl = testFolderUrl + "/child.modifyAce.html";
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+
+		
+		//fetch the JSON for the eacl to verify the settings.
+		String getUrl = testFolderUrl + "/child.eacl.json";
+
+		String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+		assertNotNull(json);
+		JSONObject jsonObject = new JSONObject(json);
+		
+		JSONObject aceObject = jsonObject.optJSONObject(testUserId);
+		assertNotNull(aceObject);
+
+		String principalString = aceObject.optString("principal");
+		assertEquals(testUserId, principalString);
+		
+		JSONArray grantedArray = aceObject.optJSONArray("granted");
+		assertNotNull(grantedArray);
+		assertTrue(grantedArray.length() >= 11);
+		Set<String> grantedPrivilegeNames = new HashSet<String>();
+		for (int i=0; i < grantedArray.length(); i++) {
+			grantedPrivilegeNames.add(grantedArray.getString(i));
+		}
+		assertFalse(grantedPrivilegeNames.contains("jcr:all"));
+		assertFalse(grantedPrivilegeNames.contains("jcr:write"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:read"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:readAccessControl"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:modifyAccessControl"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:lockManagement"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:versionManagement"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:nodeTypeManagement"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:retentionManagement"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:lifecycleManagement"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:modifyProperties"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:addChildNodes"));
+		assertTrue(grantedPrivilegeNames.contains("jcr:removeChildNodes"));
+
+		JSONArray deniedArray = aceObject.optJSONArray("denied");
+		assertNotNull(deniedArray);
+		assertEquals(1, deniedArray.length());
+		Set<String> deniedPrivilegeNames = new HashSet<String>();
+		for (int i=0; i < deniedArray.length(); i++) {
+			deniedPrivilegeNames.add(deniedArray.getString(i));
+		}
+		assertTrue(deniedPrivilegeNames.contains("jcr:removeNode"));
+	}
+
+	/**
+	 * Test for SLING-2600, Effective ACL servlet returns incorrect information
+	 */
+	public void testEffectiveAclMergeForUser_SupersetOfPrivilegesDeniedOnChild() throws IOException,
JSONException {
+		testUserId = createTestUser();
+		
+		String testFolderUrl = createTestFolder("{ 'jcr:primaryType': 'nt:unstructured', 'propOne'
: 'propOneValue', 'child' : { 'childPropOne' : true } }");
+		
+        String postUrl = testFolderUrl + ".modifyAce.html";
+
+        //1. create an initial set of privileges
+		List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:write", "granted"));
+		
+		Credentials creds = new UsernamePasswordCredentials("admin", "admin");
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:all", "denied"));
+		
+        postUrl = testFolderUrl + "/child.modifyAce.html";
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+
+		
+		//fetch the JSON for the eacl to verify the settings.
+		String getUrl = testFolderUrl + "/child.eacl.json";
+
+		String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+		assertNotNull(json);
+		JSONObject jsonObject = new JSONObject(json);
+		
+		JSONObject aceObject = jsonObject.optJSONObject(testUserId);
+		assertNotNull(aceObject);
+
+		String principalString = aceObject.optString("principal");
+		assertEquals(testUserId, principalString);
+		
+		JSONArray grantedArray = aceObject.optJSONArray("granted");
+		assertNull(grantedArray);
+		
+		JSONArray deniedArray = aceObject.optJSONArray("denied");
+		assertNotNull(deniedArray);
+		assertEquals(1, deniedArray.length());
+		Set<String> deniedPrivilegeNames = new HashSet<String>();
+		for (int i=0; i < deniedArray.length(); i++) {
+			deniedPrivilegeNames.add(deniedArray.getString(i));
+		}
+		assertTrue(deniedPrivilegeNames.contains("jcr:all"));
+	}
+
+	/**
+	 * Test for SLING-2600, Effective ACL servlet returns incorrect information
+	 */
+	public void testEffectiveAclMergeForUser_SupersetOfPrivilegesDeniedOnChild2() throws IOException,
JSONException {
+		testUserId = createTestUser();
+		
+		String testFolderUrl = createTestFolder("{ 'jcr:primaryType': 'nt:unstructured', 'propOne'
: 'propOneValue', 'child' : { 'childPropOne' : true } }");
+		
+        String postUrl = testFolderUrl + ".modifyAce.html";
+
+        //1. create an initial set of privileges
+		List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:modifyProperties", "granted"));
+		
+		Credentials creds = new UsernamePasswordCredentials("admin", "admin");
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+		
+		postParams = new ArrayList<NameValuePair>();
+		postParams.add(new NameValuePair("principalId", testUserId));
+		postParams.add(new NameValuePair("privilege@jcr:all", "denied"));
+		
+        postUrl = testFolderUrl + "/child.modifyAce.html";
+		assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
+
+		
+		//fetch the JSON for the eacl to verify the settings.
+		String getUrl = testFolderUrl + "/child.eacl.json";
+
+		String json = getAuthenticatedContent(creds, getUrl, CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+		assertNotNull(json);
+		JSONObject jsonObject = new JSONObject(json);
+		
+		JSONObject aceObject = jsonObject.optJSONObject(testUserId);
+		assertNotNull(aceObject);
+
+		String principalString = aceObject.optString("principal");
+		assertEquals(testUserId, principalString);
+		
+		JSONArray grantedArray = aceObject.optJSONArray("granted");
+		assertNull(grantedArray);
+		
+		JSONArray deniedArray = aceObject.optJSONArray("denied");
+		assertNotNull(deniedArray);
+		assertEquals(1, deniedArray.length());
+		Set<String> deniedPrivilegeNames = new HashSet<String>();
+		for (int i=0; i < deniedArray.length(); i++) {
+			deniedPrivilegeNames.add(deniedArray.getString(i));
+		}
+		assertTrue(deniedPrivilegeNames.contains("jcr:all"));
+	}
+	
 }



Mime
View raw message