jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1435202 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/ main/java/org/apache/jackrabbit/oak/spi/security/authorization/ test/java/org/apache/jackrabbit/oak/security/authorization/ test/j...
Date Fri, 18 Jan 2013 15:49:49 GMT
Author: angela
Date: Fri Jan 18 15:49:49 2013
New Revision: 1435202

URL: http://svn.apache.org/viewvc?rev=1435202&view=rev
Log:
OAK-51 : Access Control Management (WIP)

Added:
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ACETest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java?rev=1435202&r1=1435201&r2=1435202&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java Fri Jan 18 15:49:49 2013
@@ -128,38 +128,6 @@ abstract class ACL extends AbstractAcces
     }
 
     //-------------------------------------------------------------< Object >---
-    /**
-     * Returns zero to satisfy the Object equals/hashCode contract.
-     * This class is mutable and not meant to be used as a hash key.
-     *
-     * @return always zero
-     */
-    @Override
-    public int hashCode() {
-        return 0;
-    }
-
-    /**
-     * Returns true if the path and the entries are equal; false otherwise.
-     *
-     * @param obj Object to test.
-     * @return true if the path and the entries are equal; false otherwise.
-     */
-    @Override
-    public boolean equals(Object obj) {
-        if (obj == this) {
-            return true;
-        }
-        if (obj instanceof ACL) {
-            ACL acl = (ACL) obj;
-            String path = getOakPath();
-            String otherPath = acl.getOakPath();
-            return ((path == null) ? otherPath == null : path.equals(otherPath))
-                    && entries.equals(acl.entries);
-        }
-        return false;
-    }
-
     @Override
     public String toString() {
         StringBuilder sb = new StringBuilder();

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java?rev=1435202&r1=1435201&r2=1435202&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java Fri Jan 18 15:49:49 2013
@@ -49,7 +49,9 @@ public interface AccessControlConstants 
      */
     String NT_REP_RESTRICTIONS = "rep:Restrictions";
 
+    Collection<String> POLICY_NODE_NAMES = ImmutableSet.of(REP_POLICY, REP_REPO_POLICY);
+
     Collection<String> AC_PROPERTY_NAMES = ImmutableSet.of(REP_PRINCIPAL_NAME, REP_PRIVILEGES, REP_GLOB);
-    Collection<String> AC_NODE_NAMES = ImmutableSet.of(REP_POLICY, REP_REPO_POLICY);
-    Collection<String> AC_NODE_TYPE_NAMES = ImmutableSet.of(NT_REP_POLICY, NT_REP_ACL, NT_REP_ACE, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_RESTRICTIONS);
+    Collection<String> AC_NODE_NAMES = ImmutableSet.of(REP_POLICY, REP_REPO_POLICY, REP_RESTRICTIONS);
+    Collection<String> AC_NODETYPE_NAMES = ImmutableSet.of(NT_REP_POLICY, NT_REP_ACL, NT_REP_ACE, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_RESTRICTIONS);
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java?rev=1435202&r1=1435201&r2=1435202&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlContext.java Fri Jan 18 15:49:49 2013
@@ -45,6 +45,6 @@ class AccessControlContext implements Co
     public boolean definesTree(Tree tree) {
         NodeUtil node = new NodeUtil(tree);
         String ntName = node.getPrimaryNodeTypeName();
-        return AC_NODE_TYPE_NAMES.contains(ntName);
+        return AC_NODETYPE_NAMES.contains(ntName);
     }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1435202&r1=1435201&r2=1435202&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Fri Jan 18 15:49:49 2013
@@ -25,6 +25,7 @@ import java.util.List;
 import java.util.Set;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 import javax.jcr.AccessDeniedException;
 import javax.jcr.PathNotFoundException;
 import javax.jcr.RepositoryException;
@@ -57,6 +58,7 @@ import org.apache.jackrabbit.oak.namepat
 import org.apache.jackrabbit.oak.plugins.memory.MemoryPropertyBuilder;
 import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
 import org.apache.jackrabbit.oak.security.authorization.restriction.PrincipalRestrictionProvider;
+import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.ACE;
 import org.apache.jackrabbit.oak.spi.security.authorization.ImmutableACL;
@@ -70,6 +72,8 @@ import org.apache.jackrabbit.util.Text;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import static com.google.common.base.Preconditions.checkNotNull;
+
 /**
  * AccessControlManagerImpl... TODO
  */
@@ -274,10 +278,16 @@ public class AccessControlManagerImpl im
         Result aceResult = searchAces(principals);
         List<AccessControlPolicy> effective = new ArrayList<AccessControlPolicy>();
         for (ResultRow row : aceResult.getRows()) {
-            Tree aclTree = root.getTree(row.getPath()).getParent();
-            Tree accessControlledTree = aclTree.getParent();
+            String acePath = row.getPath();
+            String aclName = Text.getName(Text.getRelativeParent(acePath, 1));
+            Tree accessControlledTree = root.getTree(Text.getRelativeParent(acePath, 2));
+
+            if (aclName.isEmpty() || accessControlledTree == null) {
+                log.debug("Isolated access control entry -> ignore query result at " + acePath);
+                continue;
+            }
 
-            String path = (REP_REPO_POLICY.equals(aclTree.getName())) ? null : accessControlledTree.getPath();
+            String path = (REP_REPO_POLICY.equals(aclName)) ? null : accessControlledTree.getPath();
             AccessControlPolicy policy = createACL(path, accessControlledTree, true);
             if (policy != null) {
                 effective.add(policy);
@@ -302,7 +312,7 @@ public class AccessControlManagerImpl im
     @CheckForNull
     private String getOakPath(String jcrPath) throws RepositoryException {
         if (jcrPath == null) {
-            return "/";
+            return null;
         } else {
             String oakPath = namePathMapper.getOakPathKeepIndex(jcrPath);
             if (oakPath == null || !PathUtils.isAbsolute(oakPath)) {
@@ -313,39 +323,30 @@ public class AccessControlManagerImpl im
     }
 
     @Nonnull
-    private Tree getTree(String oakPath) throws RepositoryException {
-        Tree tree = root.getTree(oakPath);
+    private Tree getTree(@Nullable String oakPath) throws RepositoryException {
+        Tree tree = (oakPath == null) ? root.getTree("/") : root.getTree(oakPath);
         if (tree == null) {
             throw new PathNotFoundException("No tree at " +oakPath);
         }
         checkPermission(tree);
-        checkIsAccessControlContent(tree);
+
+        // check if the tree is access controlled
+        String ntName = new NodeUtil(tree).getPrimaryNodeTypeName();
+        if (AC_NODETYPE_NAMES.contains(ntName)) {
+            throw new AccessControlException("Tree " + tree.getPath() + " defines access control content.");
+        }
         return tree;
     }
 
-    private void checkPermission(Tree tree) throws AccessDeniedException {
+    private void checkPermission(@Nonnull Tree tree) throws AccessDeniedException {
         // TODO
     }
 
-    private void checkValidPath(String jcrPath) throws RepositoryException {
+    private void checkValidPath(@Nullable String jcrPath) throws RepositoryException {
         getTree(getOakPath(jcrPath));
     }
 
-    /**
-     * Check if the specified tree is itself defines access control related
-     * content.
-     *
-     * @param tree the target tree
-     * @throws AccessControlException If the tree represents a ACL or ACE item.
-     */
-    private static void checkIsAccessControlContent(Tree tree) throws AccessControlException {
-        String ntName = new NodeUtil(tree).getPrimaryNodeTypeName();
-        if (AC_NODE_TYPE_NAMES.contains(ntName)) {
-            throw new AccessControlException("Tree " + tree.getPath() + " defines access control content.");
-        }
-    }
-
-    private static void checkValidPolicy(String oakPath, AccessControlPolicy policy) throws AccessControlException {
+    private static void checkValidPolicy(@Nullable String oakPath, @Nullable AccessControlPolicy policy) throws AccessControlException {
         if (policy instanceof ACL) {
             String path = ((ACL) policy).getOakPath();
             if ((path == null && oakPath != null) || (path != null && !path.equals(oakPath))) {
@@ -356,11 +357,11 @@ public class AccessControlManagerImpl im
         }
     }
 
-    private boolean isAccessControlled(Tree tree, String nodeTypeName) throws RepositoryException {
-        return tree != null && ntMgr.isNodeType(tree, nodeTypeName);
+    private boolean isAccessControlled(@Nonnull Tree tree, @Nonnull String nodeTypeName) throws RepositoryException {
+        return ntMgr.isNodeType(tree, nodeTypeName);
     }
 
-    private boolean isACE(Tree tree) throws RepositoryException {
+    private boolean isACE(@Nonnull Tree tree) throws RepositoryException {
         return ntMgr.isNodeType(tree, NT_REP_ACE);
     }
 
@@ -372,8 +373,7 @@ public class AccessControlManagerImpl im
      * @throws RepositoryException if an error occurs
      */
     @Nonnull
-    private NodeUtil createAclTree(String oakPath, Tree tree) throws RepositoryException {
-        NodeUtil node = new NodeUtil(tree);
+    private NodeUtil createAclTree(@Nullable String oakPath, @Nonnull Tree tree) throws RepositoryException {
         String mixinName = getMixinName(oakPath);
 
         if (!isAccessControlled(tree, mixinName)) {
@@ -386,17 +386,18 @@ public class AccessControlManagerImpl im
                 tree.setProperty(pb.getPropertyState());
             }
         }
-        return node.addChild(getAclName(oakPath), namePathMapper.getJcrName(NT_REP_ACL));
+        return new NodeUtil(tree).addChild(getAclName(oakPath), NT_REP_ACL);
     }
 
     @CheckForNull
-    private AccessControlList createACL(String oakPath, Tree accessControlledTree,
+    private AccessControlList createACL(@Nullable String oakPath,
+                                        @Nullable Tree accessControlledTree,
                                         boolean isReadOnly) throws RepositoryException {
         AccessControlList acl = null;
         String aclName = getAclName(oakPath);
         String mixinName = getMixinName(oakPath);
 
-        if (isAccessControlled(accessControlledTree, mixinName)) {
+        if (accessControlledTree != null && isAccessControlled(accessControlledTree, mixinName)) {
             Tree aclTree = accessControlledTree.getChild(aclName);
             if (aclTree != null) {
                 List<JackrabbitAccessControlEntry> entries = new ArrayList<JackrabbitAccessControlEntry>();
@@ -448,15 +449,13 @@ public class AccessControlManagerImpl im
     private JackrabbitAccessControlEntry createACE(String oakPath, Tree aceTree,
                                                    RestrictionProvider restrictionProvider) throws RepositoryException {
         NodeUtil aceNode = new NodeUtil(aceTree);
-        Principal principal = principalProvider.getPrincipal(aceNode.getString(REP_PRINCIPAL_NAME, null));
         boolean isAllow = aceNode.hasPrimaryNodeTypeName(NT_REP_GRANT_ACE);
         Set<Restriction> restrictions = restrictionProvider.readRestrictions(oakPath, aceTree);
-        return new ACE(principal, getPrivileges(aceNode), isAllow, restrictions);
+        return new ACE(getPrincipal(aceNode), getPrivileges(aceNode), isAllow, restrictions);
     }
 
     @Nonnull
-    private Result searchAces(Set<Principal> principals) throws RepositoryException {
-        // TODO: review if compiled permissions could be used instead of running a query.
+    private Result searchAces(@Nonnull Set<Principal> principals) throws RepositoryException {
         // TODO: replace XPATH
         // TODO: specify sort order
         StringBuilder stmt = new StringBuilder("/jcr:root");
@@ -488,7 +487,20 @@ public class AccessControlManagerImpl im
     }
 
     @Nonnull
-    private Set<Privilege> getPrivileges(NodeUtil aceNode) throws RepositoryException {
+    private Principal getPrincipal(@Nonnull NodeUtil aceNode) {
+        String principalName = aceNode.getString(REP_PRINCIPAL_NAME, null);
+        checkNotNull(principalName);
+
+        Principal principal = principalProvider.getPrincipal(principalName);
+        if (principal == null) {
+            log.debug("Unknown principal " + principalName);
+            principal = new PrincipalImpl(principalName);
+        }
+        return principal;
+    }
+
+    @Nonnull
+    private Set<Privilege> getPrivileges(@Nonnull NodeUtil aceNode) throws RepositoryException {
         String[] privNames = aceNode.getNames(REP_PRIVILEGES);
         Set<Privilege> privileges = new HashSet<Privilege>(privNames.length);
         for (String name : privNames) {
@@ -498,7 +510,7 @@ public class AccessControlManagerImpl im
     }
 
     @CheckForNull
-    private NodeUtil getAclNode(String oakPath, Tree accessControlledTree) throws RepositoryException {
+    private NodeUtil getAclNode(@Nullable String oakPath, @Nonnull Tree accessControlledTree) throws RepositoryException {
         if (isAccessControlled(accessControlledTree, getMixinName(oakPath))) {
             Tree policyTree = accessControlledTree.getChild(getAclName(oakPath));
             if (policyTree != null) {
@@ -510,12 +522,12 @@ public class AccessControlManagerImpl im
     }
 
     @Nonnull
-    private static String getMixinName(String oakPath) {
+    private static String getMixinName(@Nullable String oakPath) {
         return (oakPath == null) ? MIX_REP_REPO_ACCESS_CONTROLLABLE : MIX_REP_ACCESS_CONTROLLABLE;
     }
 
     @Nonnull
-    private static String getAclName(String oakPath) {
+    private static String getAclName(@Nullable String oakPath) {
         return (oakPath == null) ? REP_REPO_POLICY : REP_POLICY;
     }
 
@@ -527,7 +539,7 @@ public class AccessControlManagerImpl im
      * @return the name of the ACE node.
      */
     @Nonnull
-    public static String generateAceName(NodeUtil aclNode, boolean isAllow) {
+    public static String generateAceName(@Nonnull NodeUtil aclNode, boolean isAllow) {
         int i = 0;
         String hint = (isAllow) ? "allow" : "deny";
         String aceName = hint;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java?rev=1435202&r1=1435201&r2=1435202&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.java Fri Jan 18 15:49:49 2013
@@ -16,11 +16,16 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Map;
+import javax.jcr.RepositoryException;
 import javax.jcr.security.AccessControlException;
 
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
@@ -37,16 +42,19 @@ class AccessControlValidator implements 
 
     private final NodeUtil parentBefore;
     private final NodeUtil parentAfter;
+
     private final Map<String, PrivilegeDefinition> privilegeDefinitions;
     private final RestrictionProvider restrictionProvider;
+    private final ReadOnlyNodeTypeManager ntMgr;
 
     AccessControlValidator(NodeUtil parentBefore, NodeUtil parentAfter,
                            Map<String, PrivilegeDefinition> privilegeDefinitions,
-                           RestrictionProvider restrictionProvider) {
+                           RestrictionProvider restrictionProvider, ReadOnlyNodeTypeManager ntMgr) {
         this.parentBefore = parentBefore;
         this.parentAfter = parentAfter;
         this.privilegeDefinitions = privilegeDefinitions;
         this.restrictionProvider = restrictionProvider;
+        this.ntMgr = ntMgr;
     }
 
     //----------------------------------------------------------< Validator >---
@@ -71,15 +79,11 @@ class AccessControlValidator implements 
 
     @Override
     public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
-        NodeUtil node = parentAfter.getChild(name);
-        checkNotNull(node);
+        NodeUtil nodeAfter = parentAfter.getChild(name);
+        checkNotNull(nodeAfter);
 
-        if (isAccessControlEntry(node)) {
-            checkValidAccessControlEntry(node);
-            return null;
-        } else {
-            return new AccessControlValidator(null, node, privilegeDefinitions, restrictionProvider);
-        }
+        checkValidNode(parentAfter, nodeAfter);
+        return new AccessControlValidator(null, nodeAfter, privilegeDefinitions, restrictionProvider, ntMgr);
     }
 
     @Override
@@ -89,12 +93,8 @@ class AccessControlValidator implements 
         checkNotNull(nodeBefore);
         checkNotNull(nodeAfter);
 
-        if (isAccessControlEntry(nodeAfter)) {
-            checkValidAccessControlEntry(nodeAfter);
-            return null;
-        } else {
-            return new AccessControlValidator(nodeBefore, nodeAfter, privilegeDefinitions, restrictionProvider);
-        }
+        checkValidNode(parentAfter, nodeAfter);
+        return new AccessControlValidator(nodeBefore, nodeAfter, privilegeDefinitions, restrictionProvider, ntMgr);
     }
 
     @Override
@@ -104,12 +104,72 @@ class AccessControlValidator implements 
     }
 
     //------------------------------------------------------------< private >---
-    private boolean isAccessControlEntry(NodeUtil node) {
+
+    private void checkValidNode(NodeUtil parentAfter, NodeUtil nodeAfter) throws CommitFailedException {
+        if (isPolicy(nodeAfter)) {
+            checkValidPolicy(parentAfter, nodeAfter);
+        } else if (isAccessControlEntry(nodeAfter)) {
+            checkValidAccessControlEntry(nodeAfter);
+        } else if (REP_RESTRICTIONS.equals(nodeAfter.getName())) {
+            checkIsAccessControlEntry(parentAfter);
+            checkValidRestrictions(parentAfter);
+        }
+    }
+
+    private static boolean isPolicy(NodeUtil node) {
+        return POLICY_NODE_NAMES.contains(node.getName());
+    }
+
+    private static boolean isAccessControlEntry(NodeUtil node) {
         String ntName = node.getPrimaryNodeTypeName();
         return NT_REP_DENY_ACE.equals(ntName) || NT_REP_GRANT_ACE.equals(ntName);
     }
 
+    private static void checkIsAccessControlEntry(NodeUtil node) throws CommitFailedException {
+        if (!isAccessControlEntry(node)) {
+            fail("Access control entry node expected.");
+        }
+    }
+
+    private void checkValidPolicy(NodeUtil parent, NodeUtil policyNode) throws CommitFailedException {
+        String mixinType = (REP_REPO_POLICY.equals(policyNode.getName())) ?
+                MIX_REP_REPO_ACCESS_CONTROLLABLE :
+                MIX_REP_ACCESS_CONTROLLABLE;
+        checkValidAccessControlledNode(parent, mixinType);
+
+        Collection<String> validPolicyNames = (parent.isRoot()) ?
+                POLICY_NODE_NAMES :
+                Collections.singleton(REP_POLICY);
+        if (!validPolicyNames.contains(policyNode.getName())) {
+            fail("Invalid policy name " + policyNode.getName());
+        }
+    }
+
+    private void checkValidAccessControlledNode(NodeUtil accessControlledNode, String requiredMixin) throws CommitFailedException {
+        Tree accessControlledTree = accessControlledNode.getTree();
+        if (AC_NODETYPE_NAMES.contains(accessControlledNode.getPrimaryNodeTypeName())) {
+            fail("Access control policy within access control content (" + accessControlledTree.getPath() + ')');
+        }
+
+        String msg = "Isolated policy node. Parent is not of type " + requiredMixin;
+        try {
+            if (!ntMgr.isNodeType(accessControlledTree, requiredMixin)) {
+                fail(msg);
+            }
+        } catch (RepositoryException e) {
+            throw new CommitFailedException(msg, e);
+        }
+
+        if (MIX_REP_REPO_ACCESS_CONTROLLABLE.equals(requiredMixin) && !accessControlledTree.isRoot()) {
+            fail("Only root can store repository level policies.");
+        }
+    }
+
     private void checkValidAccessControlEntry(NodeUtil aceNode) throws CommitFailedException {
+        NodeUtil parent = aceNode.getParent();
+        if (parent == null || !NT_REP_ACL.equals(parent.getPrimaryNodeTypeName())) {
+            fail("Isolated access control entry at " + aceNode.getTree().getPath());
+        }
         checkValidPrincipal(aceNode.getString(REP_PRINCIPAL_NAME, null));
         checkValidPrivileges(aceNode.getNames(REP_PRIVILEGES));
         checkValidRestrictions(aceNode);
@@ -142,14 +202,17 @@ class AccessControlValidator implements 
     }
 
     private void checkValidRestrictions(NodeUtil aceNode) throws CommitFailedException {
+        String path;
+        NodeUtil aclNode = aceNode.getParent();
+        checkNotNull(aclNode);
+
+        String aclPath = aclNode.getTree().getPath();
+        if (REP_REPO_POLICY.equals(Text.getName(aclPath))) {
+            path = null;
+        } else {
+            path = Text.getRelativeParent(aclPath, 1);
+        }
         try {
-            String path;
-            String aclPath = parentAfter.getTree().getPath();
-            if (REP_REPO_POLICY.equals(Text.getName(aclPath))) {
-                path = null;
-            } else {
-                path = Text.getRelativeParent(aclPath, 1);
-            }
             restrictionProvider.validateRestrictions(path, aceNode.getTree());
         } catch (AccessControlException e) {
             throw new CommitFailedException(e);

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java?rev=1435202&r1=1435201&r2=1435202&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorProvider.java Fri Jan 18 15:49:49 2013
@@ -22,6 +22,7 @@ import javax.annotation.Nonnull;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.core.ReadOnlyTree;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
@@ -56,9 +57,13 @@ class AccessControlValidatorProvider imp
 
         PrivilegeDefinitionReader reader = securityProvider.getPrivilegeConfiguration().getPrivilegeDefinitionReader(treeBefore);
         Map<String, PrivilegeDefinition> privilegeDefinitions = reader.readDefinitions();
+
         AccessControlConfiguration acConfig = securityProvider.getAccessControlConfiguration();
         RestrictionProvider restrictionProvider = acConfig.getRestrictionProvider(NamePathMapper.DEFAULT);
-        return new AccessControlValidator(rootBefore, rootAfter, privilegeDefinitions, restrictionProvider);
+
+        ReadOnlyNodeTypeManager ntMgr = ReadOnlyNodeTypeManager.getInstance(before);
+
+        return new AccessControlValidator(rootBefore, rootAfter, privilegeDefinitions, restrictionProvider, ntMgr);
     }
 
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java?rev=1435202&r1=1435201&r2=1435202&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java Fri Jan 18 15:49:49 2013
@@ -24,7 +24,7 @@ import java.util.Map;
  */
 public final class Permissions {
 
-    private Permissions() {};
+    private Permissions() {}
 
     public static final int NO_PERMISSION = 0;
 
@@ -70,8 +70,10 @@ public final class Permissions {
 
     public static final int READ = READ_NODE | READ_PROPERTY;
 
+    public static final int SET_PROPERTY = ADD_PROPERTY | MODIFY_PROPERTY | REMOVE_PROPERTY;
+
     public static final int ALL = (READ
-            | ADD_PROPERTY | MODIFY_PROPERTY | REMOVE_PROPERTY
+            | SET_PROPERTY
             | ADD_NODE | REMOVE_NODE
             | READ_ACCESS_CONTROL | MODIFY_ACCESS_CONTROL
             | NODE_TYPE_MANAGEMENT
@@ -89,8 +91,11 @@ public final class Permissions {
 
     private static final Map<Integer,String> PERMISSION_NAMES = new LinkedHashMap<Integer, String>();
     static {
+        PERMISSION_NAMES.put(ALL, "ALL");
+        PERMISSION_NAMES.put(READ, "READ");
         PERMISSION_NAMES.put(READ_NODE, "READ_NODE");
         PERMISSION_NAMES.put(READ_PROPERTY, "READ_PROPERTY");
+        PERMISSION_NAMES.put(SET_PROPERTY, "SET_PROPERTY");
         PERMISSION_NAMES.put(ADD_PROPERTY, "ADD_PROPERTY");
         PERMISSION_NAMES.put(MODIFY_PROPERTY, "MODIFY_PROPERTY");
         PERMISSION_NAMES.put(REMOVE_PROPERTY, "REMOVE_PROPERTY");
@@ -116,10 +121,13 @@ public final class Permissions {
             return PERMISSION_NAMES.get(permissions);
         } else {
             StringBuilder sb = new StringBuilder();
-            sb.append('|');
-            for (int key : PERMISSION_NAMES.keySet()) {
+            for (Map.Entry<Integer, String> entry : PERMISSION_NAMES.entrySet()) {
+                int key = entry.getKey();
                 if ((permissions & key) == key) {
-                    sb.append(PERMISSION_NAMES.get(key)).append('|');
+                    if (sb.length() != 0) {
+                        sb.append(',');
+                    }
+                    sb.append(entry.getValue());
                 }
             }
             return sb.toString();
@@ -132,4 +140,4 @@ public final class Permissions {
                permission == PRIVILEGE_MANAGEMENT ||
                permission == WORKSPACE_MANAGEMENT;
     }
-}
+}
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java?rev=1435202&r1=1435201&r2=1435202&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java Fri Jan 18 15:49:49 2013
@@ -16,12 +16,17 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
+import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.Iterator;
 import java.util.List;
 import javax.jcr.NamespaceRegistry;
 import javax.jcr.PathNotFoundException;
 import javax.jcr.RepositoryException;
+import javax.jcr.ValueFactory;
+import javax.jcr.security.AccessControlEntry;
 import javax.jcr.security.AccessControlException;
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.AccessControlPolicy;
@@ -30,7 +35,6 @@ import javax.jcr.security.Privilege;
 
 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
-import org.apache.jackrabbit.oak.AbstractSecurityTest;
 import org.apache.jackrabbit.oak.TestNameMapper;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
@@ -39,7 +43,10 @@ import org.apache.jackrabbit.oak.namepat
 import org.apache.jackrabbit.oak.namepath.NamePathMapperImpl;
 import org.apache.jackrabbit.oak.plugins.name.Namespaces;
 import org.apache.jackrabbit.oak.plugins.name.ReadWriteNamespaceRegistry;
+import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
+import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
 import org.apache.jackrabbit.oak.util.NodeUtil;
 import org.junit.After;
 import org.junit.Before;
@@ -48,22 +55,27 @@ import org.junit.Test;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
 /**
  * AccessControlManagerImplTest... TODO
  */
-public class AccessControlManagerImplTest extends AbstractSecurityTest {
+public class AccessControlManagerImplTest extends AbstractAccessControlTest implements AccessControlConstants {
 
-    final String testName = TestNameMapper.TEST_PREFIX + ":testRoot";
-    final String testPath = "/"+testName;
+    private final String testName = TestNameMapper.TEST_PREFIX + ":testRoot";
+    private final String testPath = '/' +testName;
 
-    TestNameMapper nameMapper;
-    NamePathMapper npMapper;
+    private Principal testPrincipal;
+    private Privilege[] testPrivileges;
 
-    AccessControlManagerImpl acMgr;
-    PrivilegeManager privilegeManager;
+    private TestNameMapper nameMapper;
+    private NamePathMapper npMapper;
+
+    private AccessControlManagerImpl acMgr;
+    private PrivilegeManager privilegeManager;
+    private ValueFactory valueFactory;
 
     @Override
     @Before
@@ -88,19 +100,29 @@ public class AccessControlManagerImplTes
 
         acMgr = getAccessControlManager(npMapper);
         privilegeManager = getSecurityProvider().getPrivilegeConfiguration().getPrivilegeManager(root, npMapper);
+        valueFactory = new ValueFactoryImpl(root.getBlobFactory(), npMapper);
 
         NodeUtil rootNode = new NodeUtil(root.getTree("/"), npMapper);
         rootNode.addChild(testName, JcrConstants.NT_UNSTRUCTURED);
 
         root.commit();
+
+        testPrincipal = new PrincipalImpl("admin"); // TODO
+        testPrivileges = privilegesFromNames(Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_READ);
     }
 
     @After
     public void after() throws Exception {
+        root.refresh();
         root.getTree(testPath).remove();
         root.commit();
     }
 
+    @Override
+    protected NamePathMapper getNamePathMapper() {
+        return npMapper;
+    }
+
     private AccessControlManagerImpl getAccessControlManager(NamePathMapper npMapper) {
         return new AccessControlManagerImpl(root, npMapper, getSecurityProvider());
     }
@@ -119,6 +141,16 @@ public class AccessControlManagerImplTes
         }
     }
 
+    private void setupPolicy(String path) throws RepositoryException {
+        ACL policy = (ACL) getApplicablePolicy(path);
+        if (path == null) {
+            policy.addAccessControlEntry(testPrincipal, testPrivileges);
+        } else {
+            policy.addEntry(testPrincipal, testPrivileges, true, Collections.singletonMap(REP_GLOB, valueFactory.createValue("*")));
+        }
+        acMgr.setPolicy(path, policy);
+    }
+
     @Test
     public void testGetSupportedPrivileges() throws Exception {
         List<Privilege> allPrivileges = Arrays.asList(privilegeManager.getRegisteredPrivileges());
@@ -157,6 +189,16 @@ public class AccessControlManagerImplTes
     }
 
     @Test
+    public void testGetSupportedPrivilegesFromPropertyPath() throws Exception {
+        try {
+            acMgr.getSupportedPrivileges("/jcr:primaryType");
+            fail("Property path -> PathNotFoundException expected.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+    }
+
+    @Test
     public void testGetSupportedPrivilegesWithNonExistingPath() throws Exception {
         try {
             acMgr.getSupportedPrivileges("/non/existing/node");
@@ -171,7 +213,7 @@ public class AccessControlManagerImplTes
         List<Privilege> allPrivileges = Arrays.asList(privilegeManager.getRegisteredPrivileges());
 
         List<String> testPaths = new ArrayList<String>();
-        testPaths.add("/"+ TestNameMapper.TEST_LOCAL_PREFIX + ":testRoot");
+        testPaths.add('/' + TestNameMapper.TEST_LOCAL_PREFIX + ":testRoot");
         testPaths.add("/{"+ TestNameMapper.TEST_URI+"}testRoot");
 
         AccessControlManager acMgr = getAccessControlManager(getLocalNamePathMapper());
@@ -221,7 +263,7 @@ public class AccessControlManagerImplTes
     public void testPrivilegeFromUnknownName() throws Exception {
         List<String> invalid = new ArrayList<String>();
         invalid.add("unknownPrivilege");
-        invalid.add("{"+ NamespaceRegistry.NAMESPACE_JCR+"}unknown");
+        invalid.add('{' + NamespaceRegistry.NAMESPACE_JCR+"}unknown");
 
         for (String privilegeName : invalid) {
             try {
@@ -253,25 +295,47 @@ public class AccessControlManagerImplTes
         AccessControlPolicy policy = itr.nextAccessControlPolicy();
         assertNotNull(policy);
         assertTrue(policy instanceof ACL);
-        assertTrue(((ACL) policy).isEmpty());
+
+        ACL acl = (ACL) policy;
+        assertTrue(acl.isEmpty());
+        assertEquals(testPath, acl.getPath());
 
         assertFalse(itr.hasNext());
     }
 
     @Test
-    public void testGetApplicablePoliciesNodeAccessControlled() throws Exception {
-        AccessControlPolicy policy = getApplicablePolicy(testPath);
-        acMgr.setPolicy(testPath, policy);
+    public void testGetApplicablePoliciesOnAccessControllable() throws Exception {
+        NodeUtil node = new NodeUtil(root.getTree(testPath));
+        node.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_ACCESS_CONTROLLABLE);
 
         AccessControlPolicyIterator itr = acMgr.getApplicablePolicies(testPath);
+
+        assertNotNull(itr);
+        assertTrue(itr.hasNext());
+    }
+
+    @Test
+    public void testGetApplicableRepoPolicies() throws Exception {
+        AccessControlPolicyIterator itr = acMgr.getApplicablePolicies((String) null);
+
         assertNotNull(itr);
+        assertTrue(itr.hasNext());
+
+        AccessControlPolicy policy = itr.nextAccessControlPolicy();
+        assertNotNull(policy);
+        assertTrue(policy instanceof ACL);
+
+        ACL acl = (ACL) policy;
+        assertTrue(acl.isEmpty());
+        assertNull(acl.getPath());
+
         assertFalse(itr.hasNext());
     }
 
     @Test
     public void testGetApplicablePoliciesWithCollidingNode() throws Exception {
         NodeUtil testTree = new NodeUtil(root.getTree(testPath));
-        testTree.addChild(AccessControlConstants.REP_POLICY, JcrConstants.NT_UNSTRUCTURED);
+        testTree.addChild(REP_POLICY, JcrConstants.NT_UNSTRUCTURED);
 
         AccessControlPolicyIterator itr = acMgr.getApplicablePolicies(testPath);
         assertNotNull(itr);
@@ -279,45 +343,215 @@ public class AccessControlManagerImplTes
     }
 
     @Test
-    public void testGetApplicablePoliciesOnAclNode() throws Exception {
+    public void testGetApplicablePoliciesForAccessControlled() throws Exception {
         AccessControlPolicy policy = getApplicablePolicy(testPath);
         acMgr.setPolicy(testPath, policy);
 
-        String aclPath = testPath + "/rep:policy";
-        assertNotNull(root.getTree(aclPath));
+        AccessControlPolicyIterator itr = acMgr.getApplicablePolicies(testPath);
+        assertNotNull(itr);
+        assertFalse(itr.hasNext());
+    }
 
-        try {
-            AccessControlPolicyIterator itr = acMgr.getApplicablePolicies(aclPath);
-            fail("Getting applicable policies for ACL node.");
-        } catch (AccessControlException e) {
-            // success
-        }
+    @Test
+    public void testGetPoliciesNodeNotAccessControlled() throws Exception {
+        AccessControlPolicy[] policies = acMgr.getPolicies(testPath);
+        assertNotNull(policies);
+        assertEquals(0, policies.length);
     }
 
     @Test
-    public void testGetApplicablePoliciesOnAceNode() throws Exception {
-        // TODO
+    public void testGetPolicies() throws Exception {
+        AccessControlPolicy policy = getApplicablePolicy(testPath);
+        acMgr.setPolicy(testPath, policy);
+
+        AccessControlPolicy[] policies = acMgr.getPolicies(testPath);
+        assertNotNull(policies);
+        assertEquals(1, policies.length);
+
+        assertTrue(policies[0] instanceof ACL);
+        ACL acl = (ACL) policies[0];
+        assertTrue(acl.isEmpty());
+        assertEquals(testPath, acl.getOakPath());
     }
 
     @Test
-    public void testGetPoliciesNodeNotAccessControlled() throws Exception {
+    public void testGetPoliciesAfterSet() throws Exception {
+        setupPolicy(testPath);
+
         AccessControlPolicy[] policies = acMgr.getPolicies(testPath);
         assertNotNull(policies);
+        assertEquals(1, policies.length);
+
+        assertTrue(policies[0] instanceof ACL);
+        ACL acl = (ACL) policies[0];
+        assertFalse(acl.isEmpty());
+    }
+
+    @Test
+    public void testGetPoliciesAfterRemove() throws Exception {
+        setupPolicy(testPath);
+
+        AccessControlPolicy[] policies = acMgr.getPolicies(testPath);
+        assertNotNull(policies);
+        assertEquals(1, policies.length);
+
+        acMgr.removePolicy(testPath, policies[0]);
+
+        policies = acMgr.getPolicies(testPath);
+        assertNotNull(policies);
         assertEquals(0, policies.length);
+        assertTrue(acMgr.getApplicablePolicies(testPath).hasNext());
     }
 
     @Test
-    public void testGetPolicies() throws Exception {
-        AccessControlPolicy policy = getApplicablePolicy(testPath);
+    public void testGetPolicyWithInvalidPrincipal() throws Exception {
+        ACL policy = (ACL) getApplicablePolicy(testPath);
+        policy.addEntry(testPrincipal, testPrivileges, true, Collections.singletonMap(REP_GLOB, valueFactory.createValue("*")));
         acMgr.setPolicy(testPath, policy);
 
+        NodeUtil aclNode = new NodeUtil(root.getTree(testPath + '/' + REP_POLICY));
+        NodeUtil aceNode = aclNode.addChild("testACE", NT_REP_DENY_ACE);
+        aceNode.setString(REP_PRINCIPAL_NAME, "invalidPrincipal");
+        aceNode.setNames(REP_PRIVILEGES, PrivilegeConstants.JCR_READ);
+
+        // reading policies with unknown principal name should not fail.
         AccessControlPolicy[] policies = acMgr.getPolicies(testPath);
         assertNotNull(policies);
         assertEquals(1, policies.length);
 
+        ACL acl = (ACL) policies[0];
+        List<String> principalNames = new ArrayList<String>();
+        for (AccessControlEntry ace :acl.getEntries()) {
+            principalNames.add(ace.getPrincipal().getName());
+        }
+        assertTrue(principalNames.remove("invalidPrincipal"));
+        assertTrue(principalNames.remove(testPrincipal.getName()));
+        assertTrue(principalNames.isEmpty());
+    }
+
+    @Test
+    public void testGetRepoPolicies() throws Exception {
+        String path = null;
+
+        AccessControlPolicy[] policies = acMgr.getPolicies(path);
+        assertNotNull(policies);
+        assertEquals(0, policies.length);
+
+        acMgr.setPolicy(null, acMgr.getApplicablePolicies(path).nextAccessControlPolicy());
+        assertFalse(acMgr.getApplicablePolicies(path).hasNext());
+
+        policies = acMgr.getPolicies(path);
+        assertNotNull(policies);
+        assertEquals(1, policies.length);
+
         assertTrue(policies[0] instanceof ACL);
         ACL acl = (ACL) policies[0];
         assertTrue(acl.isEmpty());
+        assertNull(acl.getPath());
+        assertNull(acl.getOakPath());
+        assertFalse(acMgr.getApplicablePolicies(path).hasNext());
+
+        acMgr.removePolicy(null, acl);
+        assertEquals(0, acMgr.getPolicies(path).length);
+        assertTrue(acMgr.getApplicablePolicies(path).hasNext());
+    }
+
+    @Test
+    public void testAccessControlContentPaths() throws Exception {
+        ACL policy = (ACL) getApplicablePolicy(testPath);
+        policy.addEntry(testPrincipal, testPrivileges, true, Collections.singletonMap(REP_GLOB, valueFactory.createValue("*")));
+        acMgr.setPolicy(testPath, policy);
+
+        String aclPath = testPath + '/' + REP_POLICY;
+        Tree acl = root.getTree(aclPath);
+        assertNotNull(acl);
+        Iterator<Tree> aces = acl.getChildren().iterator();
+        assertTrue(aces.hasNext());
+        Tree ace = aces.next();
+        assertNotNull(ace);
+
+        List<String> accessControlledPaths = new ArrayList<String>();
+        accessControlledPaths.add(aclPath);
+        accessControlledPaths.add(ace.getPath());
+
+        Tree rest = ace.getChild(REP_RESTRICTIONS);
+        if (rest != null) {
+            accessControlledPaths.add(rest.getPath());
+        }
+
+        for (String path : accessControlledPaths) {
+            try {
+                acMgr.getApplicablePolicies(path);
+                fail("Getting applicable policies for access control content should fail.");
+            } catch (AccessControlException e) {
+                // success
+            }
+
+            try {
+                acMgr.getPolicies(path);
+                fail("Getting policies for access control content should fail.");
+            } catch (AccessControlException e) {
+                // success
+            }
+
+            try {
+                acMgr.getEffectivePolicies(path);
+                fail("Getting effective policies for access control content should fail.");
+            } catch (AccessControlException e) {
+                // success
+            }
+        }
+    }
+
+    @Test
+    public void testNonExistingNodePath() throws Exception {
+        String propertyPath = "/not/existing";
+
+        try {
+            acMgr.getApplicablePolicies(propertyPath);
+            fail("Getting applicable policies for node that doesn't exist should fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+        try {
+            acMgr.getPolicies(propertyPath);
+            fail("Getting policies for node that doesn't exist should fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+
+        try {
+            acMgr.getEffectivePolicies(propertyPath);
+            fail("Getting policies for node that doesn't exist should fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testPropertyPath() throws Exception {
+        String propertyPath = "/jcr:primaryType";
+
+        try {
+            acMgr.getApplicablePolicies(propertyPath);
+            fail("Getting applicable policies for property should fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+
+        try {
+            acMgr.getPolicies(propertyPath);
+            fail("Getting policies for property should fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+
+        try {
+            acMgr.getEffectivePolicies(propertyPath);
+            fail("Getting policies for property should fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
     }
 
     @Test
@@ -331,7 +565,47 @@ public class AccessControlManagerImplTes
     }
 
     @Test
+    public void testSetInvalidPolicy() throws Exception {
+        // TODO
+    }
+
+    @Test
+    public void testSetPolicyWithInvalidPath() throws Exception {
+        // TODO
+    }
+
+    @Test
+    public void testSetPolicyOnAclNode() throws Exception {
+        // TODO
+    }
+
+    @Test
+    public void testSetRepoPolicy() throws Exception {
+        // TODO
+    }
+
+    @Test
     public void testRemovePolicy() throws Exception {
         // TODO
     }
+
+    @Test
+    public void testRemoveInvalidPolicy() throws Exception {
+        // TODO
+    }
+
+    @Test
+    public void testRemovePolicyWithInvalidPath() throws Exception {
+        // TODO
+    }
+
+    @Test
+    public void testRemovePolicyOnAclNode() throws Exception {
+        // TODO
+    }
+
+    @Test
+    public void testRemoveRepoPolicy() throws Exception {
+        // TODO
+    }
 }
\ No newline at end of file

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorTest.java?rev=1435202&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlValidatorTest.java Fri Jan 18 15:49:49 2013
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization;
+
+import org.junit.Test;
+
+/**
+ * AccessControlValidatorTest... TODO
+ */
+public class AccessControlValidatorTest {
+
+    @Test
+    public void testPropertyAdded() {
+        // TODO
+    }
+
+    @Test
+    public void testPropertyModified() {
+        // TODO
+    }
+
+    @Test
+    public void testPropertyDeleted() {
+        // TODO
+    }
+
+    @Test
+    public void testChildNodeAdded() {
+        // TODO
+    }
+
+    @Test
+    public void testChildNodeModified() {
+        // TODO
+    }
+
+    @Test
+    public void testChildNodeDeleted() {
+        // TODO
+    }
+}
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ACETest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ACETest.java?rev=1435202&r1=1435201&r2=1435202&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ACETest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/ACETest.java Fri Jan 18 15:49:49 2013
@@ -30,11 +30,7 @@ import javax.jcr.security.AccessControlM
 import javax.jcr.security.Privilege;
 
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
-import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
 import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
-import org.apache.jackrabbit.oak.AbstractSecurityTest;
-import org.apache.jackrabbit.oak.namepath.NamePathMapper;
-import org.apache.jackrabbit.oak.security.authorization.AccessControlManagerImpl;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
 import org.junit.Before;
 import org.junit.Ignore;
@@ -50,11 +46,10 @@ import static org.junit.Assert.fail;
 /**
  * ACETest... TODO
  */
-public class ACETest extends AbstractSecurityTest {
+public class ACETest extends AbstractAccessControlTest {
 
     private Principal testPrincipal;
     private AccessControlManager acMgr;
-    private PrivilegeManager privMgr;
 
     @Override
     @Before
@@ -65,10 +60,8 @@ public class ACETest extends AbstractSec
                 return "TestPrincipal";
             }
         };
-        // TODO
-        //acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, NamePathMapper.DEFAULT);
-        acMgr = new AccessControlManagerImpl(root, NamePathMapper.DEFAULT, getSecurityProvider());
-        privMgr = securityProvider.getPrivilegeConfiguration().getPrivilegeManager(root, NamePathMapper.DEFAULT);
+
+        acMgr = getAccessControlManager();
     }
 
     private ACE createEntry(String[] privilegeNames, boolean isAllow)
@@ -341,7 +334,7 @@ public class ACETest extends AbstractSec
                 }
             };
         try {
-            Privilege[] privs = new Privilege[] {invalidPriv, privMgr.getPrivilege(PrivilegeConstants.JCR_READ)};
+            Privilege[] privs = new Privilege[] {invalidPriv, acMgr.privilegeFromName(PrivilegeConstants.JCR_READ)};
             createEntry(testPrincipal, privs, true);
             fail("Invalid privilege");
         } catch (AccessControlException e) {

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java?rev=1435202&r1=1435201&r2=1435202&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlListTest.java Fri Jan 18 15:49:49 2013
@@ -28,8 +28,6 @@ import javax.jcr.security.Privilege;
 
 import com.google.common.collect.Lists;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
-import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
-import org.apache.jackrabbit.oak.AbstractSecurityTest;
 import org.apache.jackrabbit.oak.TestNameMapper;
 import org.apache.jackrabbit.oak.namepath.GlobalNameMapper;
 import org.apache.jackrabbit.oak.namepath.NameMapper;
@@ -38,8 +36,6 @@ import org.apache.jackrabbit.oak.namepat
 import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
-import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
-import org.junit.Before;
 import org.junit.Test;
 
 import static org.junit.Assert.assertEquals;
@@ -50,37 +46,14 @@ import static org.junit.Assert.assertTru
 /**
  * AbstractAccessControlListTest... TODO
  */
-public abstract class AbstractAccessControlListTest extends AbstractSecurityTest {
+public abstract class AbstractAccessControlListTest extends AbstractAccessControlTest {
 
     private final String testPath = "/testPath";
-    private PrivilegeManager privMgr;
-    private RestrictionProvider restrictionProvider;
-
-    @Override
-    @Before
-    public void before() throws Exception {
-        super.before();
-
-        privMgr = getSecurityProvider().getPrivilegeConfiguration().getPrivilegeManager(root, namePathMapper);
-        restrictionProvider = getSecurityProvider().getAccessControlConfiguration().getRestrictionProvider(namePathMapper);
-    }
 
     protected String getTestPath() {
         return testPath;
     }
 
-    protected Privilege[] privilegesFromNames(String... privilegeNames) throws RepositoryException {
-        Privilege[] privs = new Privilege[privilegeNames.length];
-        for (int i = 0; i < privilegeNames.length; i++) {
-            privs[i] = privMgr.getPrivilege(privilegeNames[i]);
-        }
-        return privs;
-    }
-
-    protected RestrictionProvider getRestrictionProvider() {
-        return restrictionProvider;
-    }
-
     protected AbstractAccessControlList createEmptyACL() {
         return createACL(getTestPath(), Collections.<JackrabbitAccessControlEntry>emptyList(), namePathMapper);
     }
@@ -102,7 +75,7 @@ public abstract class AbstractAccessCont
         for (int i = 0; i < 3; i++) {
             entries.add(new ACE(
                     new PrincipalImpl("testPrincipal"+i),
-                    new Privilege[] {privMgr.getPrivilege(PrivilegeConstants.JCR_READ)},
+                    new Privilege[] {getPrivilegeManager().getPrivilege(PrivilegeConstants.JCR_READ)},
                     true, null));
         }
         return entries;

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java?rev=1435202&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java Fri Jan 18 15:49:49 2013
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.security.authorization.AccessControlManagerImpl;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+
+/**
+ * AbstractAccessControlTest... TODO
+ */
+public abstract class AbstractAccessControlTest extends AbstractSecurityTest {
+
+    private PrivilegeManager privMgr;
+    private RestrictionProvider restrictionProvider;
+
+    protected NamePathMapper getNamePathMapper() {
+        return namePathMapper;
+    }
+
+    protected Privilege[] privilegesFromNames(String... privilegeNames) throws RepositoryException {
+        Privilege[] privs = new Privilege[privilegeNames.length];
+        for (int i = 0; i < privilegeNames.length; i++) {
+            privs[i] = getPrivilegeManager().getPrivilege(privilegeNames[i]);
+        }
+        return privs;
+    }
+
+    protected AccessControlManagerImpl getAccessControlManager() {
+        // TODO
+        //acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, NamePathMapper.DEFAULT);
+        return new AccessControlManagerImpl(root, getNamePathMapper(), getSecurityProvider());
+    }
+
+    protected RestrictionProvider getRestrictionProvider() {
+        if (restrictionProvider == null) {
+            restrictionProvider = getSecurityProvider().getAccessControlConfiguration().getRestrictionProvider(getNamePathMapper());
+        }
+        return restrictionProvider;
+    }
+
+    protected PrivilegeManager getPrivilegeManager() {
+        if (privMgr == null) {
+            privMgr = getSecurityProvider().getPrivilegeConfiguration().getPrivilegeManager(root, getNamePathMapper());
+        }
+        return privMgr;
+    }
+}
\ No newline at end of file



Mime
View raw message