jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1375016 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/ oak-core/src/main/java/org/apache/jackrabbit/oak/util/ oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/ oak-jcr...
Date Mon, 20 Aug 2012 13:35:08 GMT
Author: angela
Date: Mon Aug 20 13:35:07 2012
New Revision: 1375016

URL: http://svn.apache.org/viewvc?rev=1375016&view=rev
Log:
OAK-64 : Privilege Management (WIP)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionImpl.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeDefinitionImpl.java
Mon Aug 20 13:35:07 2012
@@ -16,8 +16,8 @@
  */
 package org.apache.jackrabbit.oak.security.privilege;
 
+import java.util.Collections;
 import java.util.Set;
-
 import javax.annotation.Nonnull;
 
 import com.google.common.collect.ImmutableSet;
@@ -41,7 +41,9 @@ class PrivilegeDefinitionImpl implements
 
     PrivilegeDefinitionImpl(String name, boolean isAbstract,
                             String... declaredAggregateNames) {
-        this(name, isAbstract, ImmutableSet.copyOf(declaredAggregateNames  == null ? new
String[0] : declaredAggregateNames));
+        this(name, isAbstract, (declaredAggregateNames == null) ?
+                Collections.<String>emptySet() :
+                ImmutableSet.copyOf(declaredAggregateNames));
     }
 
     //------------------------------------------------< PrivilegeDefinition >---

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeMigrator.java
Mon Aug 20 13:35:07 2012
@@ -52,9 +52,7 @@ public class PrivilegeMigrator {
             try {
                 NamespaceRegistry nsRegistry = new NamespaceRegistryImpl(contentSession);
                 PrivilegeDefinition[] custom = PrivilegeDefinitionReader.readCustomDefinitons(stream,
nsRegistry);
-                for (PrivilegeDefinition def : custom) {
-                    pr.registerDefinition(def);
-                }
+                pr.registerDefinitions(custom);
             } catch (IOException e) {
                 throw new RepositoryException(e);
             } finally {

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeRegistry.java
Mon Aug 20 13:35:07 2012
@@ -17,6 +17,7 @@
 package org.apache.jackrabbit.oak.security.privilege;
 
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import javax.annotation.Nonnull;
@@ -40,6 +41,7 @@ import org.apache.jackrabbit.oak.util.No
  * TODO: define if custom privileges are read with editing content session (thus enforcing
read permissions)
  *
  * FIXME: Session#refresh should refresh privileges exposed
+ * FIXME: Proper implementation for JCR_ALL privilege containing all custom privileges.
  */
 public class PrivilegeRegistry implements PrivilegeProvider, PrivilegeConstants {
 
@@ -89,11 +91,33 @@ public class PrivilegeRegistry implement
 
     private static void updateJcrAllPrivilege(Map<String, PrivilegeDefinition> definitions)
{
         // TODO: add proper implementation taking custom privileges into account.
-        definitions.put(JCR_ALL, new PrivilegeDefinitionImpl(JCR_ALL, false,
-                JCR_READ, JCR_READ_ACCESS_CONTROL, JCR_MODIFY_ACCESS_CONTROL,
-                JCR_VERSION_MANAGEMENT, JCR_LOCK_MANAGEMENT, JCR_LIFECYCLE_MANAGEMENT,
-                JCR_RETENTION_MANAGEMENT, JCR_WORKSPACE_MANAGEMENT, JCR_NODE_TYPE_DEFINITION_MANAGEMENT,
-                JCR_NAMESPACE_MANAGEMENT, REP_PRIVILEGE_MANAGEMENT, REP_WRITE));
+        Set<String> declaredAggregateNames = new HashSet<String>();
+        declaredAggregateNames.add(JCR_READ);
+        declaredAggregateNames.add(JCR_READ_ACCESS_CONTROL);
+        declaredAggregateNames.add(JCR_MODIFY_ACCESS_CONTROL);
+        declaredAggregateNames.add(JCR_VERSION_MANAGEMENT);
+        declaredAggregateNames.add(JCR_LOCK_MANAGEMENT);
+        declaredAggregateNames.add(JCR_LIFECYCLE_MANAGEMENT);
+        declaredAggregateNames.add(JCR_RETENTION_MANAGEMENT);
+        declaredAggregateNames.add(JCR_WORKSPACE_MANAGEMENT);
+        declaredAggregateNames.add(JCR_NODE_TYPE_DEFINITION_MANAGEMENT);
+        declaredAggregateNames.add(JCR_NAMESPACE_MANAGEMENT);
+        declaredAggregateNames.add(REP_PRIVILEGE_MANAGEMENT);
+        declaredAggregateNames.add(REP_WRITE);
+
+        definitions.put(JCR_ALL, new PrivilegeDefinitionImpl(JCR_ALL, false, declaredAggregateNames));
+    }
+
+    void registerDefinitions(PrivilegeDefinition[] definitions) throws RepositoryException
{
+        for (PrivilegeDefinition definition : definitions) {
+            PrivilegeDefinition toRegister;
+            if (definition instanceof PrivilegeDefinitionImpl) {
+                toRegister = definition;
+            } else {
+                toRegister = new PrivilegeDefinitionImpl(definition.getName(), definition.isAbstract(),
definition.getDeclaredAggregateNames());
+            }
+            internalRegisterDefinitions(toRegister);
+        }
     }
 
     //--------------------------------------------------< PrivilegeProvider >---
@@ -119,16 +143,6 @@ public class PrivilegeRegistry implement
         return definition;
     }
 
-    public void registerDefinition(PrivilegeDefinition definition) throws RepositoryException
{
-        PrivilegeDefinition toRegister;
-        if (definition instanceof PrivilegeDefinitionImpl) {
-            toRegister = definition;
-        } else {
-            toRegister = new PrivilegeDefinitionImpl(definition.getName(), definition.isAbstract(),
definition.getDeclaredAggregateNames());
-        }
-        internalRegisterDefinitions(toRegister);
-    }
-
     //------------------------------------------------------------< private >---
 
     private void internalRegisterDefinitions(PrivilegeDefinition toRegister) throws RepositoryException
{
@@ -149,7 +163,12 @@ public class PrivilegeRegistry implement
             root.commit(DefaultConflictHandler.OURS);
 
         } catch (CommitFailedException e) {
-            throw new RepositoryException(e.getMessage());
+            Throwable t = e.getCause();
+            if (t instanceof RepositoryException) {
+                throw (RepositoryException) t;
+            } else {
+                throw new RepositoryException(e.getMessage());
+            }
         }
 
         definitions.put(toRegister.getName(), toRegister);

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.java
Mon Aug 20 13:35:07 2012
@@ -16,6 +16,7 @@
  */
 package org.apache.jackrabbit.oak.security.privilege;
 
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import javax.jcr.RepositoryException;
@@ -125,12 +126,16 @@ class PrivilegeValidator implements Priv
      * the checks listed above fails.
      */
     private void validateDefinition(PrivilegeDefinition definition) throws CommitFailedException
{
-        Set<String> aggrNames = definition.getDeclaredAggregateNames();
-        if (aggrNames.isEmpty()) {
+        Set<String> declaredNames = definition.getDeclaredAggregateNames();
+        if (declaredNames.isEmpty()) {
             return;
         }
 
-        for (String aggrName : aggrNames) {
+        if (declaredNames.size() == 1) {
+            throw new CommitFailedException("Singular aggregation is equivalent to existing
privilege.");
+        }
+
+        for (String aggrName : declaredNames) {
             // aggregated privilege not registered
             if (!definitions.containsKey(aggrName)) {
                 throw new CommitFailedException("Declared aggregate '"+ aggrName +"' is not
a registered privilege.");
@@ -143,8 +148,15 @@ class PrivilegeValidator implements Priv
             }
         }
 
+        Set<String> aggregateNames = resolveAggregates(declaredNames);
         for (PrivilegeDefinition existing : definitions.values()) {
-            if (aggrNames.equals(existing.getDeclaredAggregateNames())) {
+            Set<String> existingDeclared = existing.getDeclaredAggregateNames();
+            if (existingDeclared.isEmpty()) {
+                continue;
+            }
+
+            // test for exact same aggregation or aggregation with the same net effect
+            if (declaredNames.equals(existingDeclared) || aggregateNames.equals(resolveAggregates(existingDeclared)))
{
                 String msg = "Custom aggregate privilege '" + definition.getName() + "' is
already covered by '" + existing.getName() + '\'';
                 throw new CommitFailedException(msg);
             }
@@ -173,6 +185,24 @@ class PrivilegeValidator implements Priv
         }
     }
 
+    private Set<String> resolveAggregates(Set<String> declared) throws CommitFailedException
{
+        Set<String> aggregateNames = new HashSet<String>();
+        for (String name : declared) {
+            PrivilegeDefinition d = definitions.get(name);
+            if (d == null) {
+                throw new CommitFailedException("Invalid declared aggregate name " + name
+ ": Unknown privilege.");
+            }
+
+            Set<String> names = d.getDeclaredAggregateNames();
+            if (names.isEmpty()) {
+                aggregateNames.add(name);
+            } else {
+                aggregateNames.addAll(resolveAggregates(names));
+            }
+        }
+        return aggregateNames;
+    }
+
     private void checkInitialized() throws CommitFailedException {
         if (reader == null || definitions == null) {
             throw new CommitFailedException(new IllegalStateException("Mandatory privileges
root is missing."));

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/util/NodeUtil.java
Mon Aug 20 13:35:07 2012
@@ -191,7 +191,7 @@ public class NodeUtil {
         for (String value : values) {
             String oakName = mapper.getOakName(value);
             if (oakName == null) {
-                throw new IllegalArgumentException("Invalid name:" + name);
+                throw new IllegalArgumentException(new RepositoryException("Invalid name:"
+ name));
             }
 
             cvs.add(factory.createValue(oakName, PropertyType.NAME));

Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImpl.java
Mon Aug 20 13:35:07 2012
@@ -20,6 +20,7 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
+import javax.jcr.NamespaceException;
 import javax.jcr.RepositoryException;
 import javax.jcr.security.AccessControlException;
 import javax.jcr.security.Privilege;
@@ -72,23 +73,36 @@ public class PrivilegeManagerImpl implem
     @Override
     public Privilege registerPrivilege(String privilegeName, boolean isAbstract,
                                        String[] declaredAggregateNames) throws RepositoryException
{
-        PrivilegeDefinition def = provider.registerDefinition(getOakName(privilegeName),
isAbstract, getOakNames(declaredAggregateNames));
+        if (privilegeName == null || privilegeName.isEmpty()) {
+            throw new RepositoryException("Invalid privilege name " + privilegeName);
+        }
+        String oakName = getOakName(privilegeName);
+        if (oakName == null) {
+            throw new NamespaceException("Invalid privilege name " + privilegeName);
+        }
+
+        PrivilegeDefinition def = provider.registerDefinition(oakName, isAbstract, getOakNames(declaredAggregateNames));
         return new PrivilegeImpl(def);
     }
 
-    //--------------------------------------------------------------------------
+    //------------------------------------------------------------< private >---
+
     private String getOakName(String jcrName) {
         return sessionDelegate.getNamePathMapper().getOakName(jcrName);
     }
 
-    private Set<String> getOakNames(String[] jcrNames) {
+    private Set<String> getOakNames(String[] jcrNames) throws RepositoryException {
         Set<String> oakNames;
         if (jcrNames == null || jcrNames.length == 0) {
             oakNames = Collections.emptySet();
         } else {
             oakNames = new HashSet<String>(jcrNames.length);
             for (String jcrName : jcrNames) {
-                oakNames.add(getOakName(jcrName));
+                String oakName = getOakName(jcrName);
+                if (oakName == null) {
+                    throw new RepositoryException("Invalid name " + jcrName);
+                }
+                oakNames.add(oakName);
             }
         }
         return oakNames;

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java?rev=1375016&r1=1375015&r2=1375016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/privilege/PrivilegeManagerImplTest.java
Mon Aug 20 13:35:07 2012
@@ -18,122 +18,152 @@ package org.apache.jackrabbit.oak.jcr.se
 
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.jcr.AccessDeniedException;
+import javax.jcr.NamespaceException;
 import javax.jcr.RepositoryException;
+import javax.jcr.Session;
 import javax.jcr.security.AccessControlException;
 import javax.jcr.security.Privilege;
 
 import org.apache.jackrabbit.api.JackrabbitWorkspace;
 import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.test.AbstractJCRTest;
 import org.junit.Before;
 import org.junit.Test;
 
 /**
  * PrivilegeManagerTest...
+ *
+ * TODO: more tests for cyclic aggregation
  */
 public class PrivilegeManagerImplTest extends AbstractJCRTest {
 
-    private PrivilegeManager privilegeMgr;
+    private PrivilegeManager privilegeManager;
 
     @Before
     @Override
     protected void setUp() throws Exception {
         super.setUp();
-        privilegeMgr = ((JackrabbitWorkspace) superuser.getWorkspace()).getPrivilegeManager();
+        privilegeManager = getPrivilegeManager(superuser);
+    }
+
+    private static PrivilegeManager getPrivilegeManager(Session s) throws RepositoryException
{
+        return ((JackrabbitWorkspace) s.getWorkspace()).getPrivilegeManager();
+    }
+
+    private static String[] getAggregateNames(String... names) {
+        return names;
+    }
+
+    private static void assertContainsDeclared(Privilege privilege, String aggrName) {
+        boolean found = false;
+        for (Privilege p : privilege.getDeclaredAggregatePrivileges()) {
+            if (aggrName.equals(p.getName())) {
+                found = true;
+                break;
+            }
+        }
+        assertTrue(found);
     }
 
     @Test
     public void testRegisteredPrivileges() throws RepositoryException {
-        Privilege[] ps = privilegeMgr.getRegisteredPrivileges();
+        Privilege[] ps = privilegeManager.getRegisteredPrivileges();
 
         List<Privilege> l = new ArrayList<Privilege>(Arrays.asList(ps));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_ADD_CHILD_NODES)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_MODIFY_PROPERTIES)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_REMOVE_NODE)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_WRITE)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_ALL)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LOCK_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_NODE_TYPE_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("rep:write")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("rep:addProperties")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("rep:alterProperties")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("rep:removeProperties")));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_READ)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_ADD_CHILD_NODES)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_MODIFY_PROPERTIES)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_REMOVE_NODE)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_WRITE)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_ALL)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_LOCK_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_NODE_TYPE_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_WRITE)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_ADD_PROPERTIES)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_ALTER_PROPERTIES)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_REMOVE_PROPERTIES)));
         // including repo-level operation privileges
-        assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:namespaceManagement")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:nodeTypeDefinitionManagement")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:workspaceManagement")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("rep:privilegeManagement")));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_WORKSPACE_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT)));
 
         assertTrue(l.isEmpty());
     }
 
     @Test
     public void testAllPrivilege() throws RepositoryException {
-        Privilege p = privilegeMgr.getPrivilege(Privilege.JCR_ALL);
+        Privilege p = privilegeManager.getPrivilege(Privilege.JCR_ALL);
         assertEquals("jcr:all",p.getName());
         assertTrue(p.isAggregate());
         assertFalse(p.isAbstract());
 
         List<Privilege> l = new ArrayList<Privilege>(Arrays.asList(p.getAggregatePrivileges()));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_ADD_CHILD_NODES)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_MODIFY_PROPERTIES)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_REMOVE_NODE)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LOCK_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_NODE_TYPE_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_WRITE)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("rep:write")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("rep:addProperties")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("rep:alterProperties")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("rep:removeProperties")));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_READ)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_ADD_CHILD_NODES)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_REMOVE_CHILD_NODES)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_MODIFY_PROPERTIES)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_REMOVE_NODE)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_LOCK_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_NODE_TYPE_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_WRITE)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_WRITE)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_ADD_PROPERTIES)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_ALTER_PROPERTIES)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_REMOVE_PROPERTIES)));
         // including repo-level operation privileges
-        assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:namespaceManagement")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:nodeTypeDefinitionManagement")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:workspaceManagement")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("rep:privilegeManagement")));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_WORKSPACE_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT)));
         assertTrue(l.isEmpty());
 
         l = new ArrayList<Privilege>(Arrays.asList(p.getDeclaredAggregatePrivileges()));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("rep:write")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LOCK_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
-        assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_READ)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_LOCK_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_WRITE)));
         // including repo-level operation privileges
-        assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:namespaceManagement")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:nodeTypeDefinitionManagement")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("jcr:workspaceManagement")));
-        assertTrue(l.remove(privilegeMgr.getPrivilege("rep:privilegeManagement")));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.JCR_WORKSPACE_MANAGEMENT)));
+        assertTrue(l.remove(privilegeManager.getPrivilege(PrivilegeConstants.REP_PRIVILEGE_MANAGEMENT)));
 
         assertTrue(l.isEmpty());
     }
 
     @Test
     public void testGetPrivilegeFromName() throws AccessControlException, RepositoryException
{
-        Privilege p = privilegeMgr.getPrivilege(Privilege.JCR_READ);
+        Privilege p = privilegeManager.getPrivilege(Privilege.JCR_READ);
 
         assertTrue(p != null);
         assertEquals("jcr:read", p.getName());
         assertFalse(p.isAggregate());
 
-        p = privilegeMgr.getPrivilege(Privilege.JCR_WRITE);
+        p = privilegeManager.getPrivilege(Privilege.JCR_WRITE);
 
         assertTrue(p != null);
         assertEquals("jcr:write", p.getName());
@@ -143,7 +173,7 @@ public class PrivilegeManagerImplTest ex
     @Test
     public void testGetPrivilegesFromInvalidName() throws RepositoryException {
         try {
-            privilegeMgr.getPrivilege("unknown");
+            privilegeManager.getPrivilege("unknown");
             fail("invalid privilege name");
         } catch (AccessControlException e) {
             // OK
@@ -153,7 +183,7 @@ public class PrivilegeManagerImplTest ex
     @Test
     public void testGetPrivilegesFromEmptyNames() {
         try {
-            privilegeMgr.getPrivilege("");
+            privilegeManager.getPrivilege("");
             fail("invalid privilege name array");
         } catch (AccessControlException e) {
             // OK
@@ -165,12 +195,279 @@ public class PrivilegeManagerImplTest ex
     @Test
     public void testGetPrivilegesFromNullNames() {
         try {
-            privilegeMgr.getPrivilege(null);
+            privilegeManager.getPrivilege(null);
             fail("invalid privilege name (null)");
         } catch (Exception e) {
             // OK
         }
     }
 
-    // TODO test privilege registration
+    @Test
+    public void testRegisterPrivilegeWithIllegalName() {
+        Map<String, String[]> illegal = new HashMap<String, String[]>();
+        // invalid privilege name
+        illegal.put(null, new String[0]);
+        illegal.put("", new String[0]);
+        illegal.put("invalid:privilegeName", new String[0]);
+        illegal.put(".e:privilegeName", new String[0]);
+        // invalid aggregate names
+        illegal.put("newPrivilege", new String[] {"invalid:privilegeName"});
+        illegal.put("newPrivilege", new String[] {".e:privilegeName"});
+        illegal.put("newPrivilege", new String[] {null});
+        illegal.put("newPrivilege", new String[] {""});
+
+        for (String illegalName : illegal.keySet()) {
+            try {
+                privilegeManager.registerPrivilege(illegalName, true, illegal.get(illegalName));
+                fail("Illegal name -> Exception expected");
+            } catch (NamespaceException e) {
+                // success
+            } catch (RepositoryException e) {
+                // success
+            }
+        }
+    }
+
+    @Test
+    public void testRegisterReservedName() {
+        Map<String, String[]> illegal = new HashMap<String, String[]>();
+        // invalid privilege name
+        illegal.put(null, new String[0]);
+        illegal.put("jcr:privilegeName", new String[0]);
+        illegal.put("rep:privilegeName", new String[0]);
+        illegal.put("nt:privilegeName", new String[0]);
+        illegal.put("mix:privilegeName", new String[0]);
+        illegal.put("sv:privilegeName", new String[0]);
+        illegal.put("xml:privilegeName", new String[0]);
+        illegal.put("xmlns:privilegeName", new String[0]);
+        // invalid aggregate names
+        illegal.put("newPrivilege", new String[] {"jcr:privilegeName"});
+
+        for (String illegalName : illegal.keySet()) {
+            try {
+                privilegeManager.registerPrivilege(illegalName, true, illegal.get(illegalName));
+                fail("Illegal name -> Exception expected");
+            } catch (RepositoryException e) {
+                // success
+            }
+        }
+    }
+
+    @Test
+    public void testRegisterPrivilegeWithReadOnly() throws RepositoryException {
+        Session s = getHelper().getReadOnlySession();
+        try {
+            ((JackrabbitWorkspace) s.getWorkspace()).getPrivilegeManager().registerPrivilege("test",
true, new String[0]);
+            fail("Only admin is allowed to register privileges.");
+        } catch (AccessDeniedException e) {
+            // success
+        } finally {
+            s.logout();
+        }
+    }
+
+    @Test
+    public void testCustomDefinitionsWithCyclicReferences() throws RepositoryException {
+        try {
+            privilegeManager.registerPrivilege("cycl-1", false, new String[] {"cycl-1"});
+            fail("Cyclic definitions must be detected upon registry startup.");
+        } catch (RepositoryException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testCustomEquivalentDefinitions() throws RepositoryException {
+        privilegeManager.registerPrivilege("custom4", false, new String[0]);
+        privilegeManager.registerPrivilege("custom5", false, new String[0]);
+        privilegeManager.registerPrivilege("custom2", false, new String[] {"custom4", "custom5"});
+
+        List<String[]> equivalent = new ArrayList<String[]>();
+        equivalent.add(new String[] {"custom4", "custom5"});
+        equivalent.add(new String[] {"custom2", "custom4"});
+        equivalent.add(new String[] {"custom2", "custom5"});
+        int cnt = 6;
+        for (String[] aggrNames : equivalent) {
+            try {
+                // the equivalent definition to 'custom1'
+                String name = "custom"+(cnt++);
+                privilegeManager.registerPrivilege(name, false, aggrNames);
+                fail("Equivalent '"+name+"' definitions must be detected.");
+            } catch (RepositoryException e) {
+                // success
+            }
+        }
+    }
+
+    @Test
+    public void testRegisterBuiltInPrivilege() throws RepositoryException {
+        Map<String, String[]> builtIns = new HashMap<String, String[]>();
+        builtIns.put(PrivilegeConstants.JCR_READ, new String[0]);
+        builtIns.put(PrivilegeConstants.JCR_LIFECYCLE_MANAGEMENT, new String[] {PrivilegeConstants.JCR_ADD_CHILD_NODES});
+        builtIns.put(PrivilegeConstants.REP_WRITE, new String[0]);
+        builtIns.put(PrivilegeConstants.JCR_ALL, new String[0]);
+
+        for (String builtInName : builtIns.keySet()) {
+            try {
+                privilegeManager.registerPrivilege(builtInName, false, builtIns.get(builtInName));
+                fail("Privilege name " +builtInName+ " already in use -> Exception expected");
+            } catch (RepositoryException e) {
+                // success
+            }
+        }
+    }
+
+    @Test
+    public void testRegisterInvalidNewAggregate() throws RepositoryException {
+        Map<String, String[]> newAggregates = new LinkedHashMap<String, String[]>();
+        // same as jcr:read
+        newAggregates.put("jcrReadAggregate", getAggregateNames(PrivilegeConstants.JCR_READ));
+        // aggregated combining built-in and an unknown privilege
+        newAggregates.put("newAggregate2", getAggregateNames(PrivilegeConstants.JCR_READ,
"unknownPrivilege"));
+        // aggregate containing unknown privilege
+        newAggregates.put("newAggregate3", getAggregateNames("unknownPrivilege"));
+        // custom aggregated contains itself
+        newAggregates.put("newAggregate4", getAggregateNames("newAggregate"));
+        // same as rep:write
+        newAggregates.put("repWriteAggregate", getAggregateNames(PrivilegeConstants.JCR_MODIFY_PROPERTIES,
PrivilegeConstants.JCR_ADD_CHILD_NODES, PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT, PrivilegeConstants.JCR_REMOVE_CHILD_NODES,
PrivilegeConstants.JCR_REMOVE_NODE));
+        // aggregated combining built-in and unknown custom
+        newAggregates.put("newAggregate5", getAggregateNames(PrivilegeConstants.JCR_READ,
"unknownPrivilege"));
+
+        for (String name : newAggregates.keySet()) {
+            try {
+                privilegeManager.registerPrivilege(name, true, newAggregates.get(name));
+                fail("New aggregate "+ name +" referring to unknown Privilege  -> Exception
expected");
+            } catch (RepositoryException e) {
+                // success
+            }
+        }
+    }
+
+    @Test
+    public void testRegisterInvalidNewAggregate2() throws RepositoryException {
+        Map<String, String[]> newCustomPrivs = new LinkedHashMap<String, String[]>();
+        newCustomPrivs.put("new", new String[0]);
+        newCustomPrivs.put("new2", new String[0]);
+        Set<String> decl = new HashSet<String>();
+        decl.add("new");
+        decl.add("new2");
+        newCustomPrivs.put("new3", getAggregateNames("new", "new2"));
+
+        for (String name : newCustomPrivs.keySet()) {
+            boolean isAbstract = true;
+            String[] aggrNames = newCustomPrivs.get(name);
+            privilegeManager.registerPrivilege(name, isAbstract, aggrNames);
+        }
+
+        Map<String, String[]> newAggregates = new LinkedHashMap<String, String[]>();
+         // other illegal aggregates already represented by registered definition.
+        newAggregates.put("newA2", getAggregateNames("new"));
+        newAggregates.put("newA3", getAggregateNames("new2"));
+
+        for (String name : newAggregates.keySet()) {
+            boolean isAbstract = false;
+            String[] aggrNames = newAggregates.get(name);
+
+            try {
+                privilegeManager.registerPrivilege(name, isAbstract, aggrNames);
+                fail("Invalid aggregation in definition '"+ name.toString()+"' : Exception
expected");
+            } catch (RepositoryException e) {
+                // success
+            }
+        }
+    }
+
+// FIXME: JCR_ALL privilege must be updated
+//    @Test
+//    public void testRegisterCustomPrivileges() throws RepositoryException {
+//        Map<String, String[]> newCustomPrivs = new HashMap<String, String[]>();
+//        newCustomPrivs.put("new", new String[0]);
+//        newCustomPrivs.put("test:new", new String[0]);
+//
+//        for (String name : newCustomPrivs.keySet()) {
+//            boolean isAbstract = true;
+//            String[] aggrNames = newCustomPrivs.get(name);
+//
+//            Privilege registered = privilegeManager.registerPrivilege(name, isAbstract,
aggrNames);
+//
+//            // validate definition
+//            Privilege privilege = privilegeManager.getPrivilege(name);
+//            assertNotNull(privilege);
+//            assertEquals(name, privilege.getName());
+//            assertTrue(privilege.isAbstract());
+//            assertEquals(0, privilege.getDeclaredAggregatePrivileges().length);
+//            assertContainsDeclared(privilegeManager.getPrivilege(PrivilegeConstants.JCR_ALL),
name);
+//        }
+//
+//        Map<String, String[]> newAggregates = new HashMap<String, String[]>();
+//        // a new aggregate of custom privileges
+//        newAggregates.put("newA2", getAggregateNames("test:new", "new"));
+//        // a new aggregate of custom and built-in privilege
+//        newAggregates.put("newA1", getAggregateNames("new", PrivilegeConstants.JCR_READ));
+//        // aggregating built-in privileges
+//        newAggregates.put("aggrBuiltIn", getAggregateNames(PrivilegeConstants.JCR_MODIFY_PROPERTIES,
PrivilegeConstants.JCR_READ));
+//
+//        for (String name : newAggregates.keySet()) {
+//            boolean isAbstract = false;
+//            String[] aggrNames = newAggregates.get(name);
+//            privilegeManager.registerPrivilege(name, isAbstract, aggrNames);
+//            Privilege p = privilegeManager.getPrivilege(name);
+//
+//            assertNotNull(p);
+//            assertEquals(name, p.getName());
+//            assertFalse(p.isAbstract());
+//
+//            for (String n : aggrNames) {
+//                assertContainsDeclared(p, n);
+//            }
+//            assertContainsDeclared(privilegeManager.getPrivilege(PrivilegeConstants.JCR_ALL),
name);
+//        }
+//    }
+
+    @Test
+    public void testCustomPrivilegeVisibleToNewSession() throws RepositoryException {
+        boolean isAbstract = false;
+        String privName = "testCustomPrivilegeVisibleToNewSession";
+        privilegeManager.registerPrivilege(privName, isAbstract, new String[0]);
+
+        Session s2 = getHelper().getSuperuserSession();
+        try {
+            PrivilegeManager pm = getPrivilegeManager(s2);
+            Privilege priv = pm.getPrivilege(privName);
+            assertEquals(privName, priv.getName());
+            assertEquals(isAbstract, priv.isAbstract());
+            assertFalse(priv.isAggregate());
+        } finally {
+            s2.logout();
+        }
+    }
+
+//    FIXME: Session#refresh must refresh privilege definitions
+//    @Test
+//    public void testCustomPrivilegeVisibleAfterRefresh() throws RepositoryException {
+//        Session s2 = getHelper().getSuperuserSession();
+//        try {
+//            boolean isAbstract = false;
+//            String privName = "testCustomPrivilegeVisibleAfterRefresh";
+//            privilegeManager.registerPrivilege(privName, isAbstract, new String[0]);
+//
+//            // before refreshing: privilege not visible
+//            PrivilegeManager pm = getPrivilegeManager(s2);
+//            try {
+//                Privilege priv = pm.getPrivilege(privName);
+//                fail("Custom privilege must show up after Session#refresh()");
+//            } catch (AccessControlException e) {
+//                // success
+//            }
+//
+//            // after refresh privilege manager must be updated
+//            s2.refresh(true);
+//            Privilege priv = pm.getPrivilege(privName);
+//            assertEquals(privName, priv.getName());
+//            assertEquals(isAbstract, priv.isAbstract());
+//            assertFalse(priv.isAggregate());
+//        } finally {
+//            s2.logout();
+//        }
+//    }
 }
\ No newline at end of file



Mime
View raw message