jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r689499 [9/11] - in /jackrabbit/trunk: jackrabbit-api/src/main/java/org/apache/jackrabbit/api/jsr283/ jackrabbit-api/src/main/java/org/apache/jackrabbit/api/jsr283/retention/ jackrabbit-api/src/main/java/org/apache/jackrabbit/api/jsr283/sec...
Date Wed, 27 Aug 2008 15:12:07 GMT
Added: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java?rev=689499&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java Wed Aug 27 08:12:04 2008
@@ -0,0 +1,260 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import org.apache.jackrabbit.api.jsr283.security.AccessControlEntry;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
+import org.apache.jackrabbit.api.jsr283.security.Privilege;
+import org.apache.jackrabbit.api.jsr283.security.AbstractAccessControlTest;
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
+import org.apache.jackrabbit.test.NotExecutableException;
+import org.apache.jackrabbit.core.security.TestPrincipal;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import java.security.Principal;
+import java.util.Collections;
+
+/**
+ * <code>AbstractACLTemplateTest</code>...
+ */
+public abstract class AbstractACLTemplateTest extends AbstractAccessControlTest {
+
+    protected Principal testPrincipal;
+    protected PrincipalManager pMgr;
+
+    protected void setUp() throws Exception {
+        super.setUp();
+
+        if (!(superuser instanceof JackrabbitSession)) {
+            throw new NotExecutableException();
+        }
+
+        pMgr = ((JackrabbitSession) superuser).getPrincipalManager();
+        PrincipalIterator it = pMgr.getPrincipals(PrincipalManager.SEARCH_TYPE_NOT_GROUP);
+        if (it.hasNext()) {
+            testPrincipal = it.nextPrincipal();
+        } else {
+            throw new NotExecutableException();
+        }
+    }
+
+    protected static void assertSamePrivileges(Privilege[] privs1, Privilege[] privs2) throws AccessControlException {
+        assertEquals(PrivilegeRegistry.getBits(privs1), PrivilegeRegistry.getBits(privs2));
+    }
+
+    protected abstract String getTestPath();
+
+    protected abstract JackrabbitAccessControlList createEmptyTemplate(String path) throws RepositoryException;
+
+    public void testEmptyTemplate() throws RepositoryException {
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+
+        assertNotNull(pt.getAccessControlEntries());
+        assertTrue(pt.getAccessControlEntries().length == 0);
+        assertTrue(pt.size() == pt.getAccessControlEntries().length);
+        assertTrue(pt.isEmpty());
+    }
+
+    public void testGetPath() throws RepositoryException {
+        JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+        assertEquals(getTestPath(), pt.getPath());
+    }
+
+    public void testAddInvalidEntry() throws RepositoryException, NotExecutableException {
+        Principal unknownPrincipal;
+        if (!pMgr.hasPrincipal("an unknown principal")) {
+            unknownPrincipal = new TestPrincipal("an unknown principal");
+        } else {
+            throw new NotExecutableException();
+        }
+        JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+        try {
+            pt.addAccessControlEntry(unknownPrincipal, privilegesFromName(Privilege.JCR_READ));
+            fail("Adding an ACE with an unknown principal should fail");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    public void testAddInvalidEntry2() throws RepositoryException {
+        JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+        try {
+            pt.addAccessControlEntry(testPrincipal, new Privilege[0]);
+            fail("Adding an ACE with invalid privileges should fail");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    public void testRemoveInvalidEntry() throws RepositoryException {
+        JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+        try {
+            pt.removeAccessControlEntry(new JackrabbitAccessControlEntry() {
+                public boolean isAllow() {
+                    return false;
+                }
+                public int getPrivilegeBits() {
+                    return PrivilegeRegistry.READ;
+                }
+                public String[] getRestrictionNames() {
+                    return new String[0];
+                }
+                public Value getRestriction(String restrictionName) {
+                    return null;
+                }
+                public Principal getPrincipal() {
+                    return testPrincipal;
+                }
+
+                public Privilege[] getPrivileges() {
+                    try {
+                        return privilegesFromName(Privilege.JCR_READ);
+                    } catch (Exception e) {
+                        return new Privilege[0];
+                    }
+                }
+            });
+            fail("Passing an unknown ACE should fail");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    public void testRemoveInvalidEntry2() throws RepositoryException {
+        JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+        try {
+            pt.removeAccessControlEntry(new JackrabbitAccessControlEntry() {
+                public boolean isAllow() {
+                    return false;
+                }
+                public int getPrivilegeBits() {
+                    return 0;
+                }
+                public String[] getRestrictionNames() {
+                    return new String[0];
+                }
+                public Value getRestriction(String restrictionName) {
+                    return null;
+                }
+                public Principal getPrincipal() {
+                    return testPrincipal;
+                }
+                public Privilege[] getPrivileges() {
+                    return new Privilege[0];
+                }
+            });
+            fail("Passing a ACE with invalid privileges should fail");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    public void testAddEntry() throws RepositoryException, NotExecutableException {
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+        Privilege[] privs = privilegesFromName(Privilege.JCR_READ);
+        assertTrue(pt.addEntry(testPrincipal, privs, true, Collections.EMPTY_MAP));
+    }
+
+    public void testAddEntryTwice() throws RepositoryException, NotExecutableException {
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+        Privilege[] privs = privilegesFromName(Privilege.JCR_READ);
+
+        pt.addEntry(testPrincipal, privs, true, Collections.EMPTY_MAP);
+        assertFalse(pt.addEntry(testPrincipal, privs, true, Collections.EMPTY_MAP));
+    }
+
+    public void testEffect() throws RepositoryException, NotExecutableException {
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+        pt.addAccessControlEntry(testPrincipal, privilegesFromName(Privilege.JCR_READ));
+
+        // add deny entry for mod_props
+        assertTrue(pt.addEntry(testPrincipal, privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES),
+                false, null));
+
+        // test net-effect
+        int allows = PrivilegeRegistry.NO_PRIVILEGE;
+        int denies = PrivilegeRegistry.NO_PRIVILEGE;
+        AccessControlEntry[] entries = pt.getAccessControlEntries();
+        for (int i = 0; i < entries.length; i++) {
+            AccessControlEntry ace = entries[i];
+            if (testPrincipal.equals(ace.getPrincipal()) && ace instanceof JackrabbitAccessControlEntry) {
+                int entryBits = ((JackrabbitAccessControlEntry) ace).getPrivilegeBits();
+                if (((JackrabbitAccessControlEntry) ace).isAllow()) {
+                    allows |= Permission.diff(entryBits, denies);
+                } else {
+                    denies |= Permission.diff(entryBits, allows);
+                }
+            }
+        }
+        assertEquals(PrivilegeRegistry.READ, allows);
+        assertEquals(PrivilegeRegistry.MODIFY_PROPERTIES, denies);
+    }
+
+    public void testEffect2() throws RepositoryException, NotExecutableException {
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+        pt.addEntry(testPrincipal, privilegesFromName(Privilege.JCR_READ), true, Collections.EMPTY_MAP);
+
+        // same entry but with revers 'isAllow' flag
+        assertTrue(pt.addEntry(testPrincipal, privilegesFromName(Privilege.JCR_READ), false, Collections.EMPTY_MAP));
+
+        // test net-effect
+        int allows = PrivilegeRegistry.NO_PRIVILEGE;
+        int denies = PrivilegeRegistry.NO_PRIVILEGE;
+        AccessControlEntry[] entries = pt.getAccessControlEntries();
+        for (int i = 0; i < entries.length; i++) {
+            AccessControlEntry ace = entries[i];
+            if (testPrincipal.equals(ace.getPrincipal()) && ace instanceof JackrabbitAccessControlEntry) {
+                int entryBits = ((JackrabbitAccessControlEntry) ace).getPrivilegeBits();
+                if (((JackrabbitAccessControlEntry) ace).isAllow()) {
+                    allows |= Permission.diff(entryBits, denies);
+                } else {
+                    denies |= Permission.diff(entryBits, allows);
+                }
+            }
+        }
+
+        assertEquals(PrivilegeRegistry.NO_PRIVILEGE, allows);
+        assertEquals(PrivilegeRegistry.READ, denies);
+    }
+
+    public void testRemoveEntry() throws RepositoryException,
+            NotExecutableException {
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+        pt.addAccessControlEntry(testPrincipal, privilegesFromName(Privilege.JCR_READ));
+        pt.removeAccessControlEntry(pt.getAccessControlEntries()[0]);
+    }
+
+    public void testRemoveNonExisting() throws RepositoryException {
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+        try {
+            pt.removeAccessControlEntry(new AccessControlEntry() {
+                public Principal getPrincipal() {
+                    return testPrincipal;
+                }
+                public Privilege[] getPrivileges() {
+                    return new Privilege[0];
+                }
+            });
+            fail("Attemt to remove a non-existing, custom ACE must throw AccessControlException.");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+}
\ No newline at end of file

Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
------------------------------------------------------------------------------
    svn:keywords = author date id revision url

Added: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java?rev=689499&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java Wed Aug 27 08:12:04 2008
@@ -0,0 +1,234 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import org.apache.jackrabbit.api.jsr283.security.Privilege;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
+import org.apache.jackrabbit.api.jsr283.security.AbstractAccessControlTest;
+import org.apache.jackrabbit.test.NotExecutableException;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Iterator;
+import java.util.List;
+
+/**
+ * <code>AbstractEntryTest</code>...
+ */
+public abstract class AbstractEntryTest extends AbstractAccessControlTest {
+
+    protected Principal testPrincipal;
+
+    protected void setUp() throws Exception {
+        super.setUp();
+        testPrincipal = new Principal() {
+            public String getName() {
+                return "TestPrincipal";
+            }
+        };
+    }
+
+    protected JackrabbitAccessControlEntry createEntry(String[] privilegeNames, boolean isAllow)
+            throws RepositoryException, NotExecutableException {
+        Privilege[] privs = privilegesFromNames(privilegeNames);
+        return createEntry(testPrincipal, privs, isAllow);
+    }
+
+    protected abstract JackrabbitAccessControlEntry createEntry(Principal principal, Privilege[] privileges, boolean isAllow)
+            throws RepositoryException;
+
+    public void testIsAllow() throws RepositoryException, NotExecutableException {
+        JackrabbitAccessControlEntry tmpl = createEntry(new String[] {Privilege.JCR_READ}, true);
+        assertTrue(tmpl.isAllow());
+
+        tmpl = createEntry(new String[] {Privilege.JCR_READ}, false);
+        assertFalse(tmpl.isAllow());
+    }
+
+    public void testGetPrincipal() throws RepositoryException, NotExecutableException {
+        JackrabbitAccessControlEntry tmpl = createEntry(new String[] {Privilege.JCR_READ}, true);
+        assertNotNull(tmpl.getPrincipal());
+        assertEquals(testPrincipal.getName(), tmpl.getPrincipal().getName());
+        assertSame(testPrincipal, tmpl.getPrincipal());
+    }
+
+    public void testGetPrivilegeBits() throws RepositoryException, NotExecutableException {
+        JackrabbitAccessControlEntry tmpl = createEntry(new String[] {Privilege.JCR_READ}, true);
+
+        int privs = tmpl.getPrivilegeBits();
+        assertTrue(privs == PrivilegeRegistry.READ);
+
+        tmpl = createEntry(new String[] {Privilege.JCR_WRITE}, true);
+        privs = tmpl.getPrivilegeBits();
+        assertTrue(privs == PrivilegeRegistry.WRITE);
+    }
+
+    public void testGetPrivileges() throws RepositoryException, NotExecutableException {
+        JackrabbitAccessControlEntry entry = createEntry(new String[] {Privilege.JCR_READ}, true);
+
+        Privilege[] privs = entry.getPrivileges();
+        assertNotNull(privs);
+        assertEquals(1, privs.length);
+        assertEquals(privs[0], acMgr.privilegeFromName(Privilege.JCR_READ));
+        assertTrue(PrivilegeRegistry.getBits(privs) == entry.getPrivilegeBits());
+
+        entry = createEntry(new String[] {Privilege.JCR_WRITE}, true);
+        privs = entry.getPrivileges();
+        assertNotNull(privs);
+        assertEquals(1, privs.length);
+        assertEquals(privs[0], acMgr.privilegeFromName(Privilege.JCR_WRITE));
+        assertTrue(PrivilegeRegistry.getBits(privs) == entry.getPrivilegeBits());
+
+        entry = createEntry(new String[] {Privilege.JCR_ADD_CHILD_NODES,
+                Privilege.JCR_REMOVE_CHILD_NODES}, true);
+        privs = entry.getPrivileges();
+        assertNotNull(privs);
+        assertEquals(2, privs.length);
+
+        Privilege[] param = privilegesFromNames(new String[] {
+                Privilege.JCR_ADD_CHILD_NODES,
+                Privilege.JCR_REMOVE_CHILD_NODES
+        });
+        assertEquals(Arrays.asList(param), Arrays.asList(privs));
+        assertEquals(PrivilegeRegistry.getBits(privs), entry.getPrivilegeBits());
+    }
+
+    public void testEquals() throws RepositoryException, NotExecutableException  {
+
+        JackrabbitAccessControlEntry ace = createEntry(new String[] {Privilege.JCR_ALL}, true);
+        List equalAces = new ArrayList();
+        equalAces.add(createEntry(new String[] {Privilege.JCR_ALL}, true));
+
+        Privilege[] privs = acMgr.privilegeFromName(Privilege.JCR_ALL).getDeclaredAggregatePrivileges();
+        equalAces.add(createEntry(testPrincipal, privs, true));
+
+        privs = acMgr.privilegeFromName(Privilege.JCR_ALL).getAggregatePrivileges();
+        equalAces.add(createEntry(testPrincipal, privs, true));
+
+        for (Iterator it = equalAces.iterator(); it.hasNext();) {
+            assertEquals(ace, it.next());
+        }
+    }
+
+    public void testNotEquals() throws RepositoryException, NotExecutableException  {
+        JackrabbitAccessControlEntry ace = createEntry(new String[] {Privilege.JCR_ALL}, true);
+        List otherAces = new ArrayList();
+
+        try {
+            // ACE template with different principal
+            Principal princ = new Principal() {
+                public String getName() {
+                    return "a name";
+                }
+            };
+            Privilege[] privs = new Privilege[] {
+                    acMgr.privilegeFromName(Privilege.JCR_ALL)
+            };
+            otherAces.add(createEntry(princ, privs, true));
+        } catch (RepositoryException e) {
+        }
+
+        // ACE template with different privileges
+        try {
+            otherAces.add(createEntry(new String[] {Privilege.JCR_READ}, true));
+        } catch (RepositoryException e) {
+        }
+        // ACE template with different 'allow' flag
+        try {
+            otherAces.add(createEntry(new String[] {Privilege.JCR_ALL}, false));
+        } catch (RepositoryException e) {
+        }
+        // ACE template with different privileges and 'allows
+        try {
+            otherAces.add(createEntry(new String[] {Privilege.JCR_WRITE}, false));
+        } catch (RepositoryException e) {
+        }
+
+        // other ace impl
+        final Privilege[] privs = new Privilege[] {
+                acMgr.privilegeFromName(Privilege.JCR_ALL)
+        };
+        JackrabbitAccessControlEntry pe = new JackrabbitAccessControlEntry() {
+            public boolean isAllow() {
+                return true;
+            }
+            public int getPrivilegeBits() {
+                return PrivilegeRegistry.ALL;
+            }
+            public String[] getRestrictionNames() {
+                return new String[0];
+            }
+            public Value getRestriction(String restrictionName) {
+                return null;
+            }
+            public Principal getPrincipal() {
+                return testPrincipal;
+            }
+            public Privilege[] getPrivileges() {
+                return privs;
+            }
+        };
+        otherAces.add(pe);
+
+        for (Iterator it = otherAces.iterator(); it.hasNext();) {
+            assertFalse(ace.equals(it.next()));
+        }
+    }
+
+    public void testNullPrincipal() throws RepositoryException {
+        try {
+            Privilege[] privs = new Privilege[] {
+                    acMgr.privilegeFromName(Privilege.JCR_ALL)
+            };
+            createEntry(null, privs, true);
+            fail("Principal must not be null");
+        } catch (IllegalArgumentException e) {
+            // success
+        }
+    }
+
+    public void testInvalidPrivilege() throws RepositoryException,
+            NotExecutableException {
+        Privilege invalidPriv = new Privilege() {
+                public String getName() {
+                    return "";
+                }
+                public boolean isAbstract() {
+                    return false;
+                }
+                public boolean isAggregate() {
+                    return false;
+                }
+                public Privilege[] getDeclaredAggregatePrivileges() {
+                    return new Privilege[0];
+                }
+                public Privilege[] getAggregatePrivileges() {
+                    return new Privilege[0];
+                }
+            };
+        try {
+            Privilege[] privs = new Privilege[] {invalidPriv, privilegesFromName(Privilege.JCR_READ)[0]};
+            createEntry(testPrincipal, privs, true);
+            fail("Principal must not be null");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+}
\ No newline at end of file

Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java
------------------------------------------------------------------------------
    svn:keywords = author date id revision url

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java?rev=689499&r1=689498&r2=689499&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java Wed Aug 27 08:12:04 2008
@@ -20,7 +20,7 @@
 import org.apache.jackrabbit.api.jsr283.security.AbstractAccessControlTest;
 import org.apache.jackrabbit.api.jsr283.security.AccessControlManager;
 import org.apache.jackrabbit.api.jsr283.security.Privilege;
-import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.api.security.user.Group;
@@ -44,6 +44,8 @@
 import javax.jcr.observation.Event;
 import javax.jcr.observation.ObservationManager;
 import java.security.Principal;
+import java.util.Map;
+import java.util.UUID;
 
 /**
  * <code>AbstractEvaluationTest</code>...
@@ -52,11 +54,12 @@
 
     protected static final long DEFAULT_WAIT_TIMEOUT = 5000;
 
-    protected Credentials creds;
-    protected User testUser;
-    protected Group testGroup;
-    protected SessionImpl testSession;
-    protected AccessControlManager testAcMgr;
+    private Credentials creds;
+    private User testUser;
+    private Group testGroup;
+
+    private SessionImpl testSession;
+    private AccessControlManager testAccessControlManager;
 
     protected String path;
     protected String childNPath;
@@ -73,26 +76,12 @@
         super.setUp();
 
         UserManager uMgr = getUserManager(superuser);
-        Principal princ = getTestPrincipal("testUser", uMgr);
-        String uid = princ.getName();
-        String pw = princ.getName();
+        // create the testUser
+        Principal principal = new TestPrincipal("testUser" + UUID.randomUUID());
+        String uid = principal.getName();
+        String pw = principal.getName();
         creds = new SimpleCredentials(uid, pw.toCharArray());
-
-        Authorizable a = uMgr.getAuthorizable(princ);
-        if (a == null) {
-            testUser = uMgr.createUser(uid, pw);
-        } else if (a.isGroup()) {
-            throw new NotExecutableException();
-        } else {
-            testUser = (User) a;
-        }
-
-        testGroup = uMgr.createGroup(getTestPrincipal("testGroup", uMgr));
-        testGroup.addMember(testUser);
-
-        // TODO: remove cast once 283 is released.
-        testSession = (SessionImpl) helper.getRepository().login(creds);
-        testAcMgr = getAccessControlManager(testSession);
+        testUser = uMgr.createUser(uid, pw);
 
         // create some nodes below the test root in order to apply ac-stuff
         Node node = testRootNode.addNode(nodeName1, testNodeType);
@@ -144,48 +133,86 @@
 
     protected abstract void clearACInfo();
 
-    protected abstract PolicyTemplate getPolicyTemplate(AccessControlManager acM, String path) throws RepositoryException, AccessDeniedException, NotExecutableException;
-
-    protected abstract PolicyEntry createEntry(Principal principal, int privileges, boolean isAllow, String[] restrictions);
+    protected abstract Map getRestrictions(String path)
+            throws RepositoryException,
+            NotExecutableException;
 
-    protected abstract String[] getRestrictions(String path);
+    protected abstract JackrabbitAccessControlList getPolicy(AccessControlManager acM, String path, Principal principal) throws RepositoryException, AccessDeniedException, NotExecutableException;
 
-    protected PolicyTemplate givePrivileges(String nPath, int privileges, String[] restrictions) throws NotExecutableException, RepositoryException {
+    protected JackrabbitAccessControlList givePrivileges(String nPath, Privilege[] privileges,
+                                                         Map restrictions) throws NotExecutableException, RepositoryException {
         return givePrivileges(nPath, testUser.getPrincipal(), privileges, restrictions);
     }
 
-    protected PolicyTemplate givePrivileges(String nPath, Principal principal,
-                                            int privileges, String[] restrictions) throws NotExecutableException, RepositoryException {
-        PolicyTemplate tmpl = getPolicyTemplate(acMgr, nPath);
-        tmpl.setEntry(createEntry(principal, privileges, true, restrictions));
+    protected JackrabbitAccessControlList givePrivileges(String nPath, Principal principal,
+                                                         Privilege[] privileges, Map restrictions) throws NotExecutableException, RepositoryException {
+        JackrabbitAccessControlList tmpl = getPolicy(acMgr, nPath, principal);
+        tmpl.addEntry(principal, privileges, true, restrictions);
         acMgr.setPolicy(tmpl.getPath(), tmpl);
         superuser.save();
         return tmpl;
     }
 
-    protected PolicyTemplate withdrawPrivileges(String nPath, int privileges, String[] restrictions) throws NotExecutableException, RepositoryException {
-        PolicyTemplate tmpl = getPolicyTemplate(acMgr, nPath);
-        tmpl.setEntry(createEntry(testUser.getPrincipal(), privileges, false, restrictions));
+    protected JackrabbitAccessControlList withdrawPrivileges(String nPath, Privilege[] privileges, Map restrictions) throws NotExecutableException, RepositoryException {
+        return withdrawPrivileges(nPath, testUser.getPrincipal(), privileges, restrictions);
+    }
+
+    protected JackrabbitAccessControlList withdrawPrivileges(String nPath, Principal principal, Privilege[] privileges, Map restrictions) throws NotExecutableException, RepositoryException {
+        JackrabbitAccessControlList tmpl = getPolicy(acMgr, nPath, principal);
+        tmpl.addEntry(principal, privileges, false, restrictions);
         acMgr.setPolicy(tmpl.getPath(), tmpl);
         superuser.save();
         return tmpl;
     }
 
-    protected void checkReadOnly(String path) throws RepositoryException {
-        Privilege[] privs = testAcMgr.getPrivileges(path);
+    protected void checkReadOnly(String path) throws RepositoryException, NotExecutableException {
+        Privilege[] privs = getTestACManager().getPrivileges(path);
         assertTrue(privs.length == 1);
-        assertEquals(PrivilegeRegistry.READ_PRIVILEGE, privs[0]);
+        assertEquals(privilegesFromName(Privilege.JCR_READ)[0], privs[0]);
+    }
+
+    protected User getTestUser() {
+        return testUser;
+    }
+
+    protected Group getTestGroup() throws RepositoryException, NotExecutableException {
+        if (testGroup == null) {
+            // create the testGroup
+            Principal principal = new TestPrincipal("testGroup" + UUID.randomUUID());
+            testGroup = getUserManager(superuser).createGroup(principal);
+            testGroup.addMember(testUser);
+        }
+        return testGroup;
+    }
+
+    protected SessionImpl getTestSession() throws RepositoryException {
+        if (testSession == null) {
+            // TODO: remove cast once 283 is released.
+            testSession = (SessionImpl) helper.getRepository().login(creds);
+        }
+        return testSession;
+    }
+
+    protected AccessControlManager getTestACManager() throws NotExecutableException, RepositoryException {
+        if (testAccessControlManager == null) {
+            testAccessControlManager = getAccessControlManager(getTestSession());
+        }
+        return testAccessControlManager;
     }
 
     public void testGrantedPermissions() throws RepositoryException, AccessDeniedException, NotExecutableException {
+        SessionImpl testSession = getTestSession();
         /* precondition:
            testuser must have READ-only permission on test-node and below
          */
         checkReadOnly(path);
 
         // give 'testUser' ADD_CHILD_NODES|MODIFY_PROPERTIES privileges at 'path'
-        givePrivileges(path, PrivilegeRegistry.ADD_CHILD_NODES |
-                PrivilegeRegistry.MODIFY_PROPERTIES, getRestrictions(path));
+        Privilege[] privileges = privilegesFromNames(new String[] {
+                Privilege.JCR_ADD_CHILD_NODES,
+                Privilege.JCR_MODIFY_PROPERTIES
+        });
+        givePrivileges(path, privileges, getRestrictions(path));
         /*
          testuser must now have
          - ADD_NODE permission for child node
@@ -230,15 +257,18 @@
     }
 
     public void testDeniedPermission() throws RepositoryException, NotExecutableException, InterruptedException {
-         /* precondition:
+        SessionImpl testSession = getTestSession();
+        /* precondition:
            testuser must have READ-only permission on test-node and below
          */
         checkReadOnly(path);
 
         // withdraw READ privilege to 'testUser' at 'path'
-        withdrawPrivileges(childNPath, PrivilegeRegistry.READ, getRestrictions(childNPath));
+        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
+        withdrawPrivileges(childNPath, privileges, getRestrictions(childNPath));
         /*
          testuser must now have
+         - READ-only permission at path
          - READ-only permission for the child-props of path
 
          testuser must not have
@@ -253,12 +283,10 @@
         // ... and props of path
         assertTrue(n.getProperties().hasNext());
 
-        /*
-        testSession must not have access to 'childNPath'
-        */
+        //testSession must not have access to 'childNPath'
         assertFalse(testSession.itemExists(childNPath));
         try {
-            Node testN = testSession.getNode(childNPath);
+            testSession.getNode(childNPath);
             fail("Read access has been denied -> cannot retrieve child node.");
         } catch (PathNotFoundException e) {
             // ok.
@@ -276,10 +304,13 @@
     }
 
     public void testAccessControlRead() throws NotExecutableException, RepositoryException {
+        SessionImpl testSession = getTestSession();
+        AccessControlManager testAcMgr = getTestACManager();
         checkReadOnly(path);
 
         // re-grant READ in order to have an ACL-node
-        PolicyTemplate tmpl = givePrivileges(path, PrivilegeRegistry.READ, getRestrictions(path));
+        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
+        JackrabbitAccessControlList tmpl = givePrivileges(path, privileges, getRestrictions(path));
         // make sure the 'rep:policy' node has been created.
         assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));
 
@@ -287,9 +318,7 @@
          Testuser must still have READ-only access only and must not be
          allowed to view the acl-node that has been created.
         */
-        assertFalse(testAcMgr.hasPrivileges(path, new Privilege[] {
-                PrivilegeRegistry.READ_AC_PRIVILEGE
-        }));
+        assertFalse(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL)));
         assertFalse(testSession.itemExists(path + "/rep:policy"));
 
         Node n = testSession.getNode(tmpl.getPath());
@@ -303,7 +332,7 @@
 
         /* Finally the test user must not be allowed to remove the policy. */
         try {
-            testAcMgr.removePolicy(path);
+            testAcMgr.removePolicy(path, new AccessControlPolicy() {});
             fail("Test user must not be allowed to remove the access control policy.");
         } catch (AccessDeniedException e) {
             // success
@@ -311,16 +340,20 @@
     }
 
     public void testAccessControlModification() throws RepositoryException, NotExecutableException {
+        SessionImpl testSession = getTestSession();
+        AccessControlManager testAcMgr = getTestACManager();
         /* precondition:
           testuser must have READ-only permission on test-node and below
         */
         checkReadOnly(path);
 
         // give 'testUser' ADD_CHILD_NODES|MODIFY_PROPERTIES| REMOVE_CHILD_NODES privileges at 'path'
-        PolicyTemplate tmpl = givePrivileges(path,
-                PrivilegeRegistry.ADD_CHILD_NODES |
-                PrivilegeRegistry.REMOVE_CHILD_NODES |
-                PrivilegeRegistry.MODIFY_PROPERTIES, getRestrictions(path));
+        Privilege[] privileges = privilegesFromNames(new String[] {
+                Privilege.JCR_ADD_CHILD_NODES,
+                Privilege.JCR_REMOVE_CHILD_NODES,
+                Privilege.JCR_MODIFY_PROPERTIES
+        });
+        JackrabbitAccessControlList tmpl = givePrivileges(path, privileges, getRestrictions(path));
         /*
          testuser must not have
          - permission to view AC items
@@ -332,31 +365,25 @@
         // the policy node however must not be visible to the test-user
         assertFalse(testSession.itemExists(tmpl.getPath() + "/rep:policy"));
         try {
-            testAcMgr.getPolicy(tmpl.getPath());
-            fail("test user must not have READ_AC privilege.");
-        } catch (AccessDeniedException e) {
-            // success
-        }
-        try {
-            testAcMgr.getEffectivePolicy(tmpl.getPath());
+            testAcMgr.getPolicies(tmpl.getPath());
             fail("test user must not have READ_AC privilege.");
         } catch (AccessDeniedException e) {
             // success
         }
         try {
-            testAcMgr.getEffectivePolicy(path);
+            testAcMgr.getEffectivePolicies(tmpl.getPath());
             fail("test user must not have READ_AC privilege.");
         } catch (AccessDeniedException e) {
             // success
         }
         try {
-            testAcMgr.getAccessControlEntries(tmpl.getPath());
+            testAcMgr.getEffectivePolicies(path);
             fail("test user must not have READ_AC privilege.");
         } catch (AccessDeniedException e) {
             // success
         }
         try {
-            testAcMgr.removePolicy(tmpl.getPath());
+            testAcMgr.removePolicy(tmpl.getPath(), new AccessControlPolicy() {});
             fail("test user must not have MODIFY_AC privilege.");
         } catch (AccessDeniedException e) {
             // success
@@ -371,9 +398,11 @@
         checkReadOnly(path);
 
         // give 'testUser' READ_AC|MODIFY_AC privileges at 'path'
-        givePrivileges(path, PrivilegeRegistry.WRITE, getRestrictions(path));
+        Privilege[] grPrivs = privilegesFromName(Privilege.JCR_WRITE);
+        givePrivileges(path, grPrivs, getRestrictions(path));
         // withdraw the READ privilege
-        withdrawPrivileges(path, PrivilegeRegistry.READ, getRestrictions(path));
+        Privilege[] dnPrivs = privilegesFromName(Privilege.JCR_READ);
+        withdrawPrivileges(path, dnPrivs, getRestrictions(path));
 
         // test if login as testuser -> item at path must not exist.
         Session s = null;
@@ -388,6 +417,7 @@
     }
 
     public void testEventGeneration() throws RepositoryException, NotExecutableException {
+        SessionImpl testSession = getTestSession();
         /*
          precondition:
          testuser must have READ-only permission on test-node and below
@@ -395,7 +425,8 @@
         checkReadOnly(path);
 
         // withdraw the READ privilege
-        withdrawPrivileges(path, PrivilegeRegistry.READ, getRestrictions(path));
+        Privilege[] dnPrivs = privilegesFromName(Privilege.JCR_READ);
+        withdrawPrivileges(path, dnPrivs, getRestrictions(path));
 
         // testUser registers a eventlistener for 'path
         ObservationManager obsMgr = testSession.getWorkspace().getObservationManager();
@@ -424,62 +455,296 @@
     }
 
     public void testInheritance() throws RepositoryException, NotExecutableException {
+        SessionImpl testSession = getTestSession();
+        AccessControlManager testAcMgr = getTestACManager();
         /* precondition:
           testuser must have READ-only permission on test-node and below
         */
         checkReadOnly(path);
+        checkReadOnly(childNPath);
 
-        // give 'modify-properties' privilege on 'path'
-        givePrivileges(path, PrivilegeRegistry.MODIFY_PROPERTIES, getRestrictions(path));
-        // give 'add-child-nodes' and 'remove-child-nodes' privilege on 'child-path'
-        givePrivileges(childNPath, PrivilegeRegistry.ADD_CHILD_NODES |
-                PrivilegeRegistry.REMOVE_CHILD_NODES, getRestrictions(childNPath));
+        // give 'modify_properties' and 'remove_node' privilege on 'path'
+        Privilege[] privileges = privilegesFromNames(new String[] {
+                Privilege.JCR_REMOVE_NODE, Privilege.JCR_MODIFY_PROPERTIES});
+        givePrivileges(path, privileges, getRestrictions(path));
+        // give 'add-child-nodes', remove_child_nodes' on 'childNPath'
+        privileges = privilegesFromNames(new String[] {
+                Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_REMOVE_CHILD_NODES});
+        givePrivileges(childNPath, privileges, getRestrictions(childNPath));
 
         /*
-        since permission evaluation respects inheritance through the node
+        since evaluation respects inheritance through the node
         hierarchy, the following privileges must now be given at 'childNPath':
-        - read
-        - modify-properties
-        - add-child-nodes
-        - remove-child-nodes
-        -> read + write
-        */
-        Privilege[] privs = new Privilege[] {
-                PrivilegeRegistry.READ_PRIVILEGE,
-                PrivilegeRegistry.WRITE_PRIVILEGE
-        };
-        assertTrue(testAcMgr.hasPrivileges(childNPath, privs));
+        - jcr:read
+        - jcr:modifyProperties
+        - jcr:addChildNodes
+        - jcr:removeChildNodes
+        - jcr:removeNode
+        */
+        privileges =  privilegesFromNames(new String[] {
+                Privilege.JCR_READ,
+                Privilege.JCR_WRITE,
+                Privilege.JCR_REMOVE_NODE
+        });
+        assertTrue(testAcMgr.hasPrivileges(childNPath, privileges));
+
+        /*
+         ... permissions granted at childNPath:
+         - read
+         - set-property
+
+         BUT NOT:
+         - add-node
+         - remove.
+         */
+        String aActions = SessionImpl.SET_PROPERTY_ACTION + "," + SessionImpl.READ_ACTION;
+        assertTrue(testSession.hasPermission(childNPath, aActions));
+        String dActions = SessionImpl.REMOVE_ACTION + "," + SessionImpl.ADD_NODE_ACTION;
+        assertFalse(testSession.hasPermission(childNPath, dActions));
+
         /*
-        ... and the following permissions must be granted at any child item
-        of child-path:
+        ... permissions granted at any child item of child-path:
         - read
         - set-property
         - add-node
         - remove
         */
         String nonExistingItemPath = childNPath + "/anyItem";
-        String actions = SessionImpl.ADD_NODE_ACTION + "," +
-                SessionImpl.REMOVE_ACTION + "," +
-                SessionImpl.SET_PROPERTY_ACTION + "," +
-                SessionImpl.READ_ACTION;
-        assertTrue(testSession.hasPermission(nonExistingItemPath, actions));
+        assertTrue(testSession.hasPermission(nonExistingItemPath, aActions + "," + dActions));
 
         /* try adding a new child node -> must succeed. */
         Node childN = testSession.getNode(childNPath);
-        Node testChild = childN.addNode(nodeName2, testNodeType);
+        String testPath = childN.addNode(nodeName2, testNodeType).getPath();
 
         /* test privileges on the 'new' child node */
-        privs = testAcMgr.getPrivileges(testChild.getPath());
-        int exptectedPrivs = PrivilegeRegistry.WRITE | PrivilegeRegistry.READ;
-        assertTrue(exptectedPrivs == PrivilegeRegistry.getBits(privs));
+        Privilege[] expectedPrivs = privilegesFromNames(new String[] {
+                Privilege.JCR_READ, Privilege.JCR_WRITE, Privilege.JCR_REMOVE_NODE});
+        assertTrue(testAcMgr.hasPrivileges(testPath, expectedPrivs));
 
-        /* repeate test after save. */
+        /* repeat test after save. */
         testSession.save();
-        privs = testAcMgr.getPrivileges(testChild.getPath());
-        assertTrue(exptectedPrivs == PrivilegeRegistry.getBits(privs));
+        assertTrue(testAcMgr.hasPrivileges(testPath, expectedPrivs));
+    }
+
+    public void testRemovePermission() throws NotExecutableException, RepositoryException {
+        SessionImpl testSession = getTestSession();
+        /*
+          precondition:
+          testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+        checkReadOnly(childNPath);
+
+        Privilege[] rmChildNodes = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
+
+        // add 'remove_child_nodes' privilge at 'path'
+        givePrivileges(path, rmChildNodes, getRestrictions(path));
+        /*
+         expected result:
+         - neither node at path nor at childNPath can be removed since
+           REMOVE_NODE privilege is missing.
+         */
+        assertFalse(testSession.hasPermission(path, SessionImpl.REMOVE_ACTION));
+        assertFalse(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+    }
+
+    public void testRemovePermission2() throws NotExecutableException, RepositoryException {
+        SessionImpl testSession = getTestSession();
+        /*
+          precondition:
+          testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+        checkReadOnly(childNPath);
+
+        Privilege[] rmChildNodes = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+        // add 'remove_node' privilege at 'path'
+        givePrivileges(path, rmChildNodes, getRestrictions(path));
+        /*
+         expected result:
+         - neither node at path nor at childNPath can be removed permission
+           due to missing remove_child_nodes privilege.
+         */
+        assertFalse(testSession.hasPermission(path, SessionImpl.REMOVE_ACTION));
+        assertFalse(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+    }
+
+   public void testRemovePermission3() throws NotExecutableException, RepositoryException {
+       SessionImpl testSession = getTestSession();
+       AccessControlManager testAcMgr = getTestACManager();
+       /*
+          precondition:
+          testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+        checkReadOnly(childNPath);
+
+        Privilege[] privs = privilegesFromNames(new String[] {
+                Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_REMOVE_NODE
+        });
+        // add 'remove_node' and 'remove_child_nodes' privilge at 'path'
+        givePrivileges(path, privs, getRestrictions(path));
+        /*
+         expected result:
+         - missing remove permission at path since REMOVE_CHILD_NODES present
+           at path only applies for nodes below. REMOVE_CHILD_NODES must
+           be present at the parent instead (which isn't)
+         - remove permission is however granted at childNPath.
+         - privileges: both at path and at childNPath 'remove_node' and
+           'remove_child_nodes' are present.
+        */
+       assertFalse(testSession.hasPermission(path, SessionImpl.REMOVE_ACTION));
+       assertTrue(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+
+       assertTrue(testAcMgr.hasPrivileges(path, privs));
+       assertTrue(testAcMgr.hasPrivileges(childNPath, privs));
+   }
+
+    public void testRemovePermission4() throws NotExecutableException, RepositoryException {
+        SessionImpl testSession = getTestSession();
+        AccessControlManager testAcMgr = getTestACManager();
+        /*
+          precondition:
+          testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+        checkReadOnly(childNPath);
+
+        Privilege[] rmChildNodes = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
+        Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+        // add 'remove_child_nodes' privilge at 'path'...
+        givePrivileges(path, rmChildNodes, getRestrictions(path));
+        // ... and add 'remove_node' privilge at 'childNPath'
+        givePrivileges(childNPath, rmNode, getRestrictions(childNPath));
+        /*
+         expected result:
+         - remove not allowed for node at path
+         - remove-permission present for node at childNPath
+         - both remove_node and remove_childNodes privilege present at childNPath
+         */
+        assertFalse(testSession.hasPermission(path, SessionImpl.REMOVE_ACTION));
+        assertTrue(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+        assertTrue(testAcMgr.hasPrivileges(childNPath, new Privilege[] {rmChildNodes[0], rmNode[0]}));
+    }
+
+    public void testRemovePermission5() throws NotExecutableException, RepositoryException {
+        SessionImpl testSession = getTestSession();
+        /*
+          precondition:
+          testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+        checkReadOnly(childNPath);
+
+        Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+        // add 'remove_node' privilege at 'childNPath'
+        givePrivileges(childNPath, rmNode, getRestrictions(childNPath));
+        /*
+         expected result:
+         - node at childNPath can't be removed since REMOVE_CHILD_NODES is missing.
+         */
+        assertFalse(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+    }
+
+    public void testRemovePermission6() throws NotExecutableException, RepositoryException {
+        SessionImpl testSession = getTestSession();
+        AccessControlManager testAcMgr = getTestACManager();
+        /*
+          precondition:
+          testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+        checkReadOnly(childNPath);
+
+        Privilege[] privs = privilegesFromNames(new String[] {
+                Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_REMOVE_NODE
+        });
+        Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+        // add 'remove_child_nodes' and 'remove_node' privilge at 'path'
+        givePrivileges(path, privs, getRestrictions(path));
+        // ... but deny 'remove_node' at childNPath
+        withdrawPrivileges(childNPath, rmNode, getRestrictions(childNPath));
+        /*
+         expected result:
+         - neither node at path nor at childNPath could be removed.
+         - no remove_node privilege at childNPath
+         - read, remove_child_nodes privilege at childNPath
+         */
+        assertFalse(testSession.hasPermission(path, SessionImpl.REMOVE_ACTION));
+        assertFalse(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+        assertTrue(testAcMgr.hasPrivileges(childNPath, privilegesFromNames(new String[] {Privilege.JCR_READ, Privilege.JCR_REMOVE_CHILD_NODES})));
+        assertFalse(testAcMgr.hasPrivileges(childNPath, privilegesFromName(Privilege.JCR_REMOVE_NODE)));
+    }
+
+    public void testRemovePermission7() throws NotExecutableException, RepositoryException {
+        SessionImpl testSession = getTestSession();
+        AccessControlManager testAcMgr = getTestACManager();
+        /*
+          precondition:
+          testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+        checkReadOnly(childNPath);
+
+        Privilege[] rmChildNodes = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
+        Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+        // deny 'remove_child_nodes' at 'path'
+        withdrawPrivileges(path, rmChildNodes, getRestrictions(path));
+        // ... but allow 'remove_node' at childNPath
+        givePrivileges(childNPath, rmNode, getRestrictions(childNPath));
+        /*
+         expected result:
+         - node at childNPath can't be removed.
+         */
+        assertFalse(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+
+        // additionally add remove_child_nodes priv at 'childNPath'
+        givePrivileges(childNPath, rmChildNodes, getRestrictions(childNPath));
+        /*
+         expected result:
+         - node at childNPath still can't be removed.
+         - but both privileges (remove_node, remove_child_nodes) are present.
+         */
+        assertFalse(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+        assertTrue(testAcMgr.hasPrivileges(childNPath, new Privilege[] {rmChildNodes[0], rmNode[0]}));
+    }
+
+    public void testRemovePermission8() throws NotExecutableException, RepositoryException {
+        SessionImpl testSession = getTestSession();
+        AccessControlManager testAcMgr = getTestACManager();
+        /*
+          precondition:
+          testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+        checkReadOnly(childNPath);
+
+        Privilege[] rmChildNodes = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
+        Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+        // add 'remove_child_nodes' at 'path
+        givePrivileges(path, rmChildNodes, getRestrictions(path));
+        // deny 'remove_nodes' at 'path'
+        withdrawPrivileges(path, rmNode, getRestrictions(path));
+        // and allow 'remove_node' at childNPath
+        givePrivileges(childNPath, rmNode, getRestrictions(childNPath));
+        /*
+         expected result:
+         - remove permission must be granted at childNPath
+         */
+        assertTrue(testSession.hasPermission(childNPath, SessionImpl.REMOVE_ACTION));
+        assertTrue(testAcMgr.hasPrivileges(childNPath, new Privilege[] {rmChildNodes[0], rmNode[0]}));
     }
 
     public void testGroupPermissions() throws NotExecutableException, RepositoryException {
+        Group testGroup = getTestGroup();
+        SessionImpl testSession = getTestSession();
+        AccessControlManager testAcMgr = getTestACManager();
         /*
          precondition:
          testuser must have READ-only permission on test-node and below
@@ -487,17 +752,45 @@
         checkReadOnly(path);
 
         /* add privileges for the Group the test-user is member of */
-        givePrivileges(path, testGroup.getPrincipal(), PrivilegeRegistry.MODIFY_PROPERTIES, getRestrictions(path));
+        Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+        givePrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(path));
 
         /* testuser must get the permissions/privileges inherited from
            the group it is member of.
          */
         String actions = SessionImpl.SET_PROPERTY_ACTION + "," + SessionImpl.READ_ACTION;
         assertTrue(testSession.hasPermission(path, actions));
-        assertTrue(testAcMgr.hasPrivileges(path, new Privilege[] {PrivilegeRegistry.MODIFY_PROPERTIES_PRIVILEGE}));
+        Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+        assertTrue(testAcMgr.hasPrivileges(path, privs));
+    }
+
+    public void testMixedUserGroupPermissions() throws NotExecutableException, RepositoryException {
+        Group testGroup = getTestGroup();
+        SessionImpl testSession = getTestSession();
+        AccessControlManager testAcMgr = getTestACManager();
+        /*
+         precondition:
+         testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+
+        /* explicitely withdraw MODIFY_PROPERTIES for the user */
+        Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+        withdrawPrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(path));
+        /* give MODIFY_PROPERTIES privilege for a Group the test-user is member of */
+        givePrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(path));
+        /*
+         since user-permissions overrule the group permissions, testuser must
+         not have set_property action / modify_properties privilege.
+         */
+        String actions = SessionImpl.SET_PROPERTY_ACTION;
+        assertFalse(testSession.hasPermission(path, actions));
+        assertFalse(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES)));
     }
 
-    public void testNewNodes() throws RepositoryException {
+    public void testNewNodes() throws RepositoryException, NotExecutableException {
+        SessionImpl testSession = getTestSession();
+        AccessControlManager testAcMgr = getTestACManager();
         /*
          precondition:
          testuser must have READ-only permission on test-node and below
@@ -505,23 +798,26 @@
         checkReadOnly(path);
 
         /* create some new nodes below 'path' */
-        Node n = testSession.getNode(path);
+        Node n = ((SessionImpl) superuser).getNode(path);
         for (int i = 0; i < 5; i++) {
             n = n.addNode(nodeName2, testNodeType);
         }
+        superuser.save();
 
         /* make sure the same privileges/permissions are granted as at path. */
-        Privilege[] privs = testAcMgr.getPrivileges(n.getPath());
+        String childPath = n.getPath();
+        Privilege[] privs = testAcMgr.getPrivileges(childPath);
         assertTrue(PrivilegeRegistry.READ == PrivilegeRegistry.getBits(privs));
-        testSession.checkPermission(n.getPath(), SessionImpl.READ_ACTION);
+        testSession.checkPermission(childPath, SessionImpl.READ_ACTION);
     }
 
-    public void testNonExistingItem() throws RepositoryException {
+    public void testNonExistingItem() throws RepositoryException, NotExecutableException {
+        SessionImpl testSession = getTestSession();
         /*
           precondition:
           testuser must have READ-only permission on the root node and below
         */
-        String rootPath = testSession.getRootNode().getPath();
+        String rootPath = getTestSession().getRootNode().getPath();
         checkReadOnly(rootPath);
         testSession.checkPermission(rootPath + "nonExistingItem", SessionImpl.READ_ACTION);
     }
@@ -568,24 +864,53 @@
         }
     }
 
+    /**
+     * the ADD_CHILD_NODES privileges assigned on a node to a specific principal
+     * grants the corresponding user the permission to add nodes below the
+     * target node but not 'at' the target node.
+     *
+     * @throws RepositoryException
+     * @throws NotExecutableException
+     */
+    public void testAddChildNodePrivilege() throws RepositoryException, NotExecutableException {
+        SessionImpl testSession = getTestSession();
+        /*
+         precondition:
+         testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+
+        /* create a child node below node at 'path' */
+        Node n = ((SessionImpl) superuser).getNode(path);
+        n = n.addNode(nodeName2, testNodeType);
+        superuser.save();
+
+        /* add 'add_child_nodes' privilege for testSession at path. */
+        Privilege[] privileges = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
+        givePrivileges(path, privileges, getRestrictions(path));
+
+        /* test permissions. expected result:
+           - testSession cannot add child-nodes at 'path'
+           - testSession can add child-nodes below path
+         */
+        assertFalse(testSession.hasPermission(path, SessionImpl.ADD_NODE_ACTION));
+        assertTrue(testSession.hasPermission(path+"/anychild", SessionImpl.ADD_NODE_ACTION));
+        String childPath = n.getPath();
+        assertTrue(testSession.hasPermission(childPath, SessionImpl.ADD_NODE_ACTION));
+    }
+
+
     private static Node findPolicyNode(Node start) throws RepositoryException {
         Node policyNode = null;
-        if (start.isNodeType("rep:ACL")) {
+        if (start.isNodeType("rep:Policy")) {
             policyNode = start;
         }
         for (NodeIterator it = start.getNodes(); it.hasNext() && policyNode == null;) {
-            policyNode = findPolicyNode(it.nextNode());
+            Node n = it.nextNode();
+            if (!"jcr:system".equals(n.getName())) {
+                policyNode = findPolicyNode(n);
+            }
         }
         return policyNode;
     }
-
-    protected Principal getTestPrincipal(String nameHint, UserManager uMgr) throws RepositoryException {
-        Principal principal = new TestPrincipal(nameHint);
-        int i = 0;
-        while (uMgr.getAuthorizable(principal) != null) {
-            principal = new TestPrincipal(nameHint + i);
-            i++;
-        }
-        return principal;
-    }
 }
\ No newline at end of file

Added: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java?rev=689499&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java Wed Aug 27 08:12:04 2008
@@ -0,0 +1,191 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.api.jsr283.security.AbstractAccessControlTest;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlEntry;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicyIterator;
+import org.apache.jackrabbit.api.jsr283.security.Privilege;
+import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.test.NotExecutableException;
+
+import javax.jcr.Node;
+import javax.jcr.RepositoryException;
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <code>JackrabbitAccessControlListTest</code>...
+ */
+public class JackrabbitAccessControlListTest extends AbstractAccessControlTest {
+
+    private JackrabbitAccessControlList templ;
+
+    protected void setUp() throws Exception {
+        super.setUp();
+
+        Node n = testRootNode.addNode(nodeName1, testNodeType);
+        superuser.save();
+
+        AccessControlPolicyIterator it = acMgr.getApplicablePolicies(n.getPath());
+        if (it.hasNext()) {
+            AccessControlPolicy p = it.nextAccessControlPolicy();
+            if (p instanceof JackrabbitAccessControlList) {
+                templ = (JackrabbitAccessControlList) p;
+            } else {
+                throw new NotExecutableException("No JackrabbitAccessControlList to test.");
+            }
+        } else {
+            throw new NotExecutableException("No JackrabbitAccessControlList to test.");
+        }
+    }
+
+    protected void tearDown() throws Exception {
+        // make sure transient ac-changes are reverted.
+        superuser.refresh(false);
+        super.tearDown();
+    }
+
+    private Principal getValidPrincipal() throws NotExecutableException, RepositoryException {
+        if (!(superuser instanceof JackrabbitSession)) {
+            throw new NotExecutableException();
+        }
+
+        PrincipalManager pMgr = ((JackrabbitSession) superuser).getPrincipalManager();
+        PrincipalIterator it = pMgr.getPrincipals(PrincipalManager.SEARCH_TYPE_NOT_GROUP);
+        if (it.hasNext()) {
+            return it.nextPrincipal();
+        } else {
+            throw new NotExecutableException();
+        }
+    }
+
+    public void testIsEmpty() throws RepositoryException {
+        if (templ.isEmpty()) {
+            assertEquals(0, templ.getAccessControlEntries().length);
+        } else {
+            assertTrue(templ.getAccessControlEntries().length > 0);
+        }
+    }
+
+    public void testSize() {
+        if (templ.isEmpty()) {
+            assertEquals(0, templ.size());
+        } else {
+            assertTrue(templ.size() > 0);
+        }
+    }
+
+    public void testAddEntry() throws NotExecutableException, RepositoryException {
+        Principal princ = getValidPrincipal();
+        Privilege[] priv = privilegesFromName(Privilege.JCR_ALL);
+
+        List entriesBefore = Arrays.asList(templ.getAccessControlEntries());
+        if (templ.addEntry(princ, priv, true, Collections.EMPTY_MAP)) {
+            AccessControlEntry[] entries = templ.getAccessControlEntries();
+            if (entries.length == 0) {
+                fail("GrantPrivileges was successful -> at least 1 entry for principal.");
+            }
+            int allows = 0;
+            for (int i = 0; i < entries.length; i++) {
+                AccessControlEntry en = entries[i];
+                int bits = PrivilegeRegistry.getBits(en.getPrivileges());
+                if (en instanceof JackrabbitAccessControlEntry && ((JackrabbitAccessControlEntry) en).isAllow()) {
+                    allows |= bits;
+                }
+            }
+            assertEquals(PrivilegeRegistry.ALL, allows);
+        } else {
+            AccessControlEntry[] entries = templ.getAccessControlEntries();
+            assertEquals("Grant ALL not successful -> entries must not have changed.", entriesBefore, Arrays.asList(entries));
+        }
+    }
+
+    public void testAddEntry2() throws NotExecutableException, RepositoryException {
+        Principal princ = getValidPrincipal();
+        Privilege[] privs = privilegesFromName(Privilege.JCR_WRITE);
+
+        int allows = 0;
+        templ.addEntry(princ, privs, true, Collections.EMPTY_MAP);
+        AccessControlEntry[] entries = templ.getAccessControlEntries();
+        assertTrue("GrantPrivileges was successful -> at least 1 entry for principal.", entries.length > 0);
+
+        for (int i = 0; i < entries.length; i++) {
+            AccessControlEntry en = entries[i];
+            int bits = PrivilegeRegistry.getBits(en.getPrivileges());
+            if (en instanceof JackrabbitAccessControlEntry && ((JackrabbitAccessControlEntry) en).isAllow()) {
+                allows |= bits;
+            }
+        }
+        assertTrue("After successfully granting WRITE, the entries must reflect this", allows >= PrivilegeRegistry.WRITE);
+    }
+
+    public void testAllowWriteDenyRemove() throws NotExecutableException, RepositoryException {
+        Principal princ = getValidPrincipal();
+        Privilege[] grPriv = privilegesFromName(Privilege.JCR_WRITE);
+        Privilege[] dePriv = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
+
+        templ.addEntry(princ, grPriv, true, Collections.EMPTY_MAP);
+        templ.addEntry(princ, dePriv, false, Collections.EMPTY_MAP);
+
+        int allows = PrivilegeRegistry.NO_PRIVILEGE;
+        int denies = PrivilegeRegistry.NO_PRIVILEGE;
+        AccessControlEntry[] entries = templ.getAccessControlEntries();
+        for (int i = 0; i < entries.length; i++) {
+            AccessControlEntry en = entries[i];
+            if (princ.equals(en.getPrincipal()) && en instanceof JackrabbitAccessControlEntry) {
+                JackrabbitAccessControlEntry ace = (JackrabbitAccessControlEntry) en;
+                int entryBits = ace.getPrivilegeBits();
+                if (ace.isAllow()) {
+                    allows |= Permission.diff(entryBits, denies);
+                } else {
+                    denies |= Permission.diff(entryBits, allows);
+                }
+            }
+        }
+
+        int expectedAllows = Permission.diff(PrivilegeRegistry.WRITE, PrivilegeRegistry.REMOVE_CHILD_NODES);
+        assertEquals(expectedAllows, allows & expectedAllows);
+        int expectedDenies = PrivilegeRegistry.REMOVE_CHILD_NODES;
+        assertEquals(expectedDenies, denies);
+    }
+
+    public void testRemoveEntry() throws NotExecutableException, RepositoryException {
+        Principal princ = getValidPrincipal();
+        Privilege[] grPriv = privilegesFromName(Privilege.JCR_WRITE);
+
+        templ.addEntry(princ, grPriv, true, Collections.EMPTY_MAP);
+        AccessControlEntry[] entries = templ.getAccessControlEntries();
+        int length = entries.length;
+        assertTrue("Grant was both successful -> at least 1 entry.", length > 0);
+        for (int i = 0; i < entries.length; i++) {
+            templ.removeAccessControlEntry(entries[i]);
+            length = length - 1;
+            assertEquals(length, templ.size());
+            assertEquals(length, templ.getAccessControlEntries().length);
+        }
+
+        assertTrue(templ.isEmpty());
+        assertEquals(0, templ.size());
+        assertEquals(0, templ.getAccessControlEntries().length);
+    }
+}
\ No newline at end of file

Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java
------------------------------------------------------------------------------
    svn:keywords = author date id revision url

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java?rev=689499&r1=689498&r2=689499&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java Wed Aug 27 08:12:04 2008
@@ -19,7 +19,14 @@
 import junit.framework.TestCase;
 import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
 import org.apache.jackrabbit.api.jsr283.security.Privilege;
+import org.apache.jackrabbit.spi.commons.conversion.ParsingNameResolver;
+import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
+import org.apache.jackrabbit.spi.commons.name.NameFactoryImpl;
+import org.apache.jackrabbit.spi.commons.namespace.NamespaceResolver;
+import org.apache.jackrabbit.spi.Name;
 
+import javax.jcr.NamespaceException;
+import javax.jcr.RepositoryException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -29,40 +36,83 @@
  */
 public class PrivilegeRegistryTest extends TestCase {
 
-    public void testRegisteredPrivileges() {
-        Privilege[] ps = PrivilegeRegistry.getRegisteredPrivileges();
+    private NameResolver resolver;
+    private PrivilegeRegistry privilegeRegistry;
+
+    protected void setUp() throws Exception {
+        super.setUp();
+        NamespaceResolver nsResolver = new NamespaceResolver() {
+            public String getURI(String prefix) throws NamespaceException {
+                if (Name.NS_JCR_PREFIX.equals(prefix)) {
+                    return Name.NS_JCR_URI;
+                } else if (Name.NS_EMPTY_PREFIX.equals(prefix)) {
+                    return Name.NS_DEFAULT_URI;
+                } else {
+                    throw new NamespaceException();
+                }
+            }
+            public String getPrefix(String uri) throws NamespaceException {
+                if (Name.NS_JCR_URI.equals(uri)) {
+                    return Name.NS_JCR_PREFIX;
+                } else if (Name.NS_DEFAULT_URI.equals(uri)) {
+                    return Name.NS_EMPTY_PREFIX;
+                } else {
+                    throw new NamespaceException();
+                }
+            }
+        };
+        resolver = new ParsingNameResolver(NameFactoryImpl.getInstance(), nsResolver);
+        privilegeRegistry = new PrivilegeRegistry(resolver);
+    }
+
+    private void assertSamePrivilegeName(String expected, String present) throws RepositoryException {
+        assertEquals("Privilege names are not the same", resolver.getQName(expected), resolver.getQName(present));
+    }
+
+    public void testRegisteredPrivileges() throws RepositoryException {
+        Privilege[] ps = privilegeRegistry.getRegisteredPrivileges();
 
         List l = new ArrayList(Arrays.asList(ps));
-        assertTrue(l.remove(PrivilegeRegistry.READ_PRIVILEGE));
-        assertTrue(l.remove(PrivilegeRegistry.ADD_CHILD_NODES_PRIVILEGE));
-        assertTrue(l.remove(PrivilegeRegistry.REMOVE_CHILD_NODES_PRIVILEGE));
-        assertTrue(l.remove(PrivilegeRegistry.MODIFY_PROPERTIES_PRIVILEGE));
-        assertTrue(l.remove(PrivilegeRegistry.READ_AC_PRIVILEGE));
-        assertTrue(l.remove(PrivilegeRegistry.MODIFY_AC_PRIVILEGE));
-        assertTrue(l.remove(PrivilegeRegistry.WRITE_PRIVILEGE));
-        assertTrue(l.remove(PrivilegeRegistry.ALL_PRIVILEGE));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_ADD_CHILD_NODES)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_MODIFY_PROPERTIES)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_REMOVE_NODE)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_WRITE)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_ALL)));
         assertTrue(l.isEmpty());
     }
 
-    public void testAllPrivilege() {
-        Privilege p = PrivilegeRegistry.ALL_PRIVILEGE;
-        assertEquals(p.getName(), Privilege.ALL);
+    public void testAllPrivilege() throws RepositoryException {
+        Privilege p = privilegeRegistry.getPrivilege(Privilege.JCR_ALL);
+        assertSamePrivilegeName(p.getName(), Privilege.JCR_ALL);
         assertTrue(p.isAggregate());
         assertFalse(p.isAbstract());
 
         List l = new ArrayList(Arrays.asList(p.getAggregatePrivileges()));
-        assertTrue(l.remove(PrivilegeRegistry.READ_PRIVILEGE));
-        assertTrue(l.remove(PrivilegeRegistry.ADD_CHILD_NODES_PRIVILEGE));
-        assertTrue(l.remove(PrivilegeRegistry.REMOVE_CHILD_NODES_PRIVILEGE));
-        assertTrue(l.remove(PrivilegeRegistry.MODIFY_PROPERTIES_PRIVILEGE));
-        assertTrue(l.remove(PrivilegeRegistry.READ_AC_PRIVILEGE));
-        assertTrue(l.remove(PrivilegeRegistry.MODIFY_AC_PRIVILEGE));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_ADD_CHILD_NODES)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_MODIFY_PROPERTIES)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_REMOVE_NODE)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
+        assertTrue(l.isEmpty());
+
+        l = new ArrayList(Arrays.asList(p.getDeclaredAggregatePrivileges()));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_WRITE)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_REMOVE_NODE)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
+        assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
         assertTrue(l.isEmpty());
     }
 
-    public void testGetBits() throws AccessControlException {
-        Privilege[] privs = new Privilege[] {PrivilegeRegistry.ADD_CHILD_NODES_PRIVILEGE,
-                                             PrivilegeRegistry.REMOVE_CHILD_NODES_PRIVILEGE};
+    public void testGetBits() throws RepositoryException {
+        Privilege[] privs = new Privilege[] {privilegeRegistry.getPrivilege(Privilege.JCR_ADD_CHILD_NODES),
+                                             privilegeRegistry.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)};
 
         int bits = PrivilegeRegistry.getBits(privs);
         assertTrue(bits > PrivilegeRegistry.NO_PRIVILEGE);
@@ -70,21 +120,23 @@
     }
 
     public void testGetBitsFromCustomPrivilege() throws AccessControlException {
-        Privilege p = buildCustomPrivilege("anyName", PrivilegeRegistry.WRITE_PRIVILEGE);
-
-        int bits = PrivilegeRegistry.getBits(new Privilege[] {p});
-
-        assertTrue(bits > PrivilegeRegistry.NO_PRIVILEGE);
-        assertTrue(bits == PrivilegeRegistry.WRITE);
+        Privilege p = buildCustomPrivilege(Privilege.JCR_READ, null);
+        try {
+            int bits = PrivilegeRegistry.getBits(new Privilege[] {p});
+            fail("Retrieving bits from unknown privilege should fail.");
+        } catch (AccessControlException e) {
+            // ok
+        }
     }
 
-    public void testGetBitsFromCustomPrivilege2() throws AccessControlException {
-        Privilege p = buildCustomPrivilege(Privilege.READ, null);
-
-        int bits = PrivilegeRegistry.getBits(new Privilege[] {p});
-
-        assertTrue(bits > PrivilegeRegistry.NO_PRIVILEGE);
-        assertTrue(bits == PrivilegeRegistry.READ);
+    public void testGetBitsFromCustomAggregatePrivilege() throws RepositoryException {
+        Privilege p = buildCustomPrivilege("anyName", privilegeRegistry.getPrivilege(Privilege.JCR_WRITE));
+        try {
+            int bits = PrivilegeRegistry.getBits(new Privilege[] {p});
+            fail("Retrieving bits from unknown privilege should fail.");
+        } catch (AccessControlException e) {
+            // ok
+        }
     }
 
     public void testGetBitsFromNull() {
@@ -115,52 +167,42 @@
         }
     }
 
-    public void testGetPrivilegesFromBits() throws AccessControlException {
-        Privilege[] pvs = PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ_AC);
+    public void testGetPrivilegesFromBits() throws RepositoryException {
+        Privilege[] pvs = privilegeRegistry.getPrivileges(PrivilegeRegistry.READ_AC);
 
         assertTrue(pvs != null);
         assertTrue(pvs.length == 1);
-        assertEquals(pvs[0].getName(), Privilege.READ_ACCESS_CONTROL);
+        assertSamePrivilegeName(pvs[0].getName(), Privilege.JCR_READ_ACCESS_CONTROL);
     }
 
-    public void testGetPrivilegesFromBits2() throws AccessControlException {
+    public void testGetPrivilegesFromBits2() throws RepositoryException {
         int writeBits = PrivilegeRegistry.ADD_CHILD_NODES | PrivilegeRegistry.REMOVE_CHILD_NODES | PrivilegeRegistry.MODIFY_PROPERTIES;
-        Privilege[] pvs = PrivilegeRegistry.getPrivileges(writeBits);
+        Privilege[] pvs = privilegeRegistry.getPrivileges(writeBits);
 
         assertTrue(pvs != null);
         assertTrue(pvs.length == 1);
-        assertEquals(pvs[0].getName(), Privilege.WRITE);
+        assertSamePrivilegeName(pvs[0].getName(), Privilege.JCR_WRITE);
         assertTrue(pvs[0].isAggregate());
         assertTrue(pvs[0].getDeclaredAggregatePrivileges().length == 3);
     }
 
-    public void testGetPrivilegesFromNames() throws AccessControlException {
-        Privilege[] p = PrivilegeRegistry.getPrivileges(new String[] {Privilege.READ});
+    public void testGetPrivilegeFromName() throws AccessControlException, RepositoryException {
+        Privilege p = privilegeRegistry.getPrivilege(Privilege.JCR_READ);
 
-        assertTrue(p != null && p.length == 1);
-        assertEquals(p[0].getName(), PrivilegeRegistry.READ_PRIVILEGE.getName());
-        assertEquals(p[0], PrivilegeRegistry.READ_PRIVILEGE);
-        assertFalse(p[0].isAggregate());
-
-        p = PrivilegeRegistry.getPrivileges(new String[] {Privilege.WRITE});
-
-        assertTrue(p != null && p.length == 1);
-        assertEquals(p[0].getName(), PrivilegeRegistry.WRITE_PRIVILEGE.getName());
-        assertEquals(p[0], PrivilegeRegistry.WRITE_PRIVILEGE);
-        assertTrue(p[0].isAggregate());
-
-        p = PrivilegeRegistry.getPrivileges(new String[] {Privilege.READ,
-                                                          Privilege.MODIFY_ACCESS_CONTROL});
         assertTrue(p != null);
-        assertTrue(p.length == 2);
+        assertSamePrivilegeName(Privilege.JCR_READ, p.getName());
+        assertFalse(p.isAggregate());
+
+        p = privilegeRegistry.getPrivilege(Privilege.JCR_WRITE);
 
-        List l = Arrays.asList(p);
-        assertTrue(l.contains(PrivilegeRegistry.READ_PRIVILEGE) && l.contains(PrivilegeRegistry.MODIFY_AC_PRIVILEGE));
+        assertTrue(p != null);
+        assertSamePrivilegeName(p.getName(), Privilege.JCR_WRITE);
+        assertTrue(p.isAggregate());
     }
 
-    public void testGetPrivilegesFromInvalidNames() {
+    public void testGetPrivilegesFromInvalidName() throws RepositoryException {
         try {
-            PrivilegeRegistry.getPrivileges(new String[]{"unknown"});
+            privilegeRegistry.getPrivilege("unknown");
             fail("invalid privilege name");
         } catch (AccessControlException e) {
             // OK
@@ -169,18 +211,20 @@
 
     public void testGetPrivilegesFromEmptyNames() {
         try {
-            PrivilegeRegistry.getPrivileges(new String[0]);
+            privilegeRegistry.getPrivilege("");
             fail("invalid privilege name array");
         } catch (AccessControlException e) {
             // OK
+        } catch (RepositoryException e) {
+            // OK
         }
     }
 
     public void testGetPrivilegesFromNullNames() {
         try {
-            PrivilegeRegistry.getPrivileges(null);
-            fail("invalid privilege names (null)");
-        } catch (AccessControlException e) {
+            privilegeRegistry.getPrivilege(null);
+            fail("invalid privilege name (null)");
+        } catch (Exception e) {
             // OK
         }
     }
@@ -191,9 +235,6 @@
             public String getName() {
                 return name;
             }
-            public String getDescription() {
-                return null;
-            }
             public boolean isAbstract() {
                 return false;
             }

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java?rev=689499&r1=689498&r2=689499&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java Wed Aug 27 08:12:04 2008
@@ -33,10 +33,10 @@
      *         package.
      */
     public static Test suite() {
-        TestSuite suite = new TestSuite("security.authorization tests");
+        TestSuite suite = new TestSuite("core.security.authorization tests");
 
         suite.addTestSuite(PrivilegeRegistryTest.class);
-        suite.addTestSuite(PolicyTemplateTest.class);
+        suite.addTestSuite(JackrabbitAccessControlListTest.class);
 
         return suite;
     }



Mime
View raw message