jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1437562 [1/2] - /jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/
Date Wed, 23 Jan 2013 16:52:29 GMT
Author: angela
Date: Wed Jan 23 16:52:29 2013
New Revision: 1437562

URL: http://svn.apache.org/viewvc?rev=1437562&view=rev
Log:
OAK-51 : Access Control Management

- access control evaluation tests using jcr-api

Added:
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/InheritanceTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
Modified:
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractEvaluationTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlManagementTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/MoveTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NamespaceManagementTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeDefinitionManagementTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeManagementTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/VersionManagementTest.java

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractEvaluationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractEvaluationTest.java?rev=1437562&r1=1437561&r2=1437562&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractEvaluationTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractEvaluationTest.java Wed Jan 23 16:52:29 2013
@@ -24,6 +24,7 @@ import java.util.Set;
 import java.util.UUID;
 import javax.jcr.Credentials;
 import javax.jcr.Node;
+import javax.jcr.Property;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
 import javax.jcr.SimpleCredentials;
@@ -54,13 +55,25 @@ public abstract class AbstractEvaluation
 
     protected static final String REP_WRITE = "rep:write";
 
+    protected Privilege[] readPrivileges;
+    protected Privilege[] modPropPrivileges;
+    protected Privilege[] readWritePrivileges;
+    protected Privilege[] repWritePrivileges;
+
+    protected String path;
+    protected String childNPath;
+    protected String childNPath2;
+    protected String childPPath;
+    protected String childchildPPath;
+    protected String siblingPath;
+
     protected User testUser;
     protected Credentials creds;
-
     protected Group testGroup;
 
-    private Session testSession;
-    private AccessControlManager testAccessControlManager;
+    protected Session testSession;
+    protected AccessControlManager testAcMgr;
+
     private Node trn;
     private Set<String> toClear = new HashSet<String>();
 
@@ -68,18 +81,43 @@ public abstract class AbstractEvaluation
     @Before
     protected void setUp() throws Exception {
         super.setUp();
-        try {
-            UserManager uMgr = getUserManager(superuser);
-            // create the testUser
-            String uid = "testUser" + UUID.randomUUID();
-            creds = new SimpleCredentials(uid, uid.toCharArray());
 
-            testUser = uMgr.createUser(uid, uid);
-            superuser.save();
-        } catch (Exception e) {
-            superuser.logout();
-            throw e;
-        }
+        readPrivileges = privilegesFromName(Privilege.JCR_READ);
+        modPropPrivileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+        readWritePrivileges = privilegesFromNames(new String[]{Privilege.JCR_READ, REP_WRITE});
+        repWritePrivileges = privilegesFromName(REP_WRITE);
+
+        UserManager uMgr = getUserManager(superuser);
+        // create the testUser
+        String uid = "testUser" + UUID.randomUUID();
+        creds = new SimpleCredentials(uid, uid.toCharArray());
+        testUser = uMgr.createUser(uid, uid);
+
+        testSession = getTestSession();
+        testAcMgr = getAccessControlManager(testSession);
+
+        // create some nodes below the test root in order to apply ac-stuff
+        Node node = testRootNode.addNode(nodeName1, testNodeType);
+        Node cn1 = node.addNode(nodeName2, testNodeType);
+        Property cp1 = node.setProperty(propertyName1, "anyValue");
+        Node cn2 = node.addNode(nodeName3, testNodeType);
+        Property ccp1 = cn1.setProperty(propertyName1, "childNodeProperty");
+        Node n2 = testRootNode.addNode(nodeName2, testNodeType);
+        superuser.save();
+
+        path = node.getPath();
+        childNPath = cn1.getPath();
+        childNPath2 = cn2.getPath();
+        childPPath = cp1.getPath();
+        childchildPPath = ccp1.getPath();
+        siblingPath = n2.getPath();
+
+        /*
+        precondition:
+        testuser must have READ-only permission on test-node and below
+        */
+        assertReadOnly(path);
+        assertReadOnly(childNPath);
     }
 
     @Override
@@ -107,6 +145,13 @@ public abstract class AbstractEvaluation
         }
     }
 
+    private Session getTestSession() throws RepositoryException {
+        if (testSession == null) {
+            testSession = getHelper().getRepository().login(creds);
+        }
+        return testSession;
+    }
+
     protected static UserManager getUserManager(Session session) throws
             NotExecutableException {
         if (!(session instanceof JackrabbitSession)) {
@@ -119,20 +164,6 @@ public abstract class AbstractEvaluation
         }
     }
 
-    protected Session getTestSession() throws RepositoryException {
-        if (testSession == null) {
-            testSession = getHelper().getRepository().login(creds);
-        }
-        return testSession;
-    }
-
-    protected AccessControlManager getTestAccessControlManager() throws Exception {
-        if (testAccessControlManager == null) {
-            testAccessControlManager = getAccessControlManager(getTestSession());
-        }
-        return testAccessControlManager;
-    }
-
     protected Group getTestGroup() throws Exception {
         if (testGroup == null) {
             UserManager umgr = getUserManager(superuser);
@@ -145,18 +176,32 @@ public abstract class AbstractEvaluation
 
     protected Node getTestNode() throws RepositoryException {
         if (trn == null) {
-            trn = getTestSession().getNode(testRootNode.getPath());
+            trn = testSession.getNode(testRootNode.getPath());
         }
         return trn;
     }
 
-    protected void assertPrivilege(String path, String privName, boolean isAllow) throws Exception {
+    protected String getActions(String... actions) {
+        StringBuilder sb = new StringBuilder();
+        for (String action : actions) {
+            if (sb.length() > 0) {
+                sb.append(',');
+            }
+            sb.append(action);
+        }
+        return sb.toString();
+    }
+    protected Map<String, Value> createGlobRestriction(String value) throws RepositoryException {
+        return Collections.singletonMap("rep:glob", testSession.getValueFactory().createValue(value));
+    }
+
+    protected void assertHasPrivilege(String path, String privName, boolean isAllow) throws Exception {
         Privilege[] privs = privilegesFromName(privName.toString());
-        assertEquals(isAllow, getTestAccessControlManager().hasPrivileges(path, privs));
+        assertEquals(isAllow, testAcMgr.hasPrivileges(path, privs));
     }
 
-    protected void checkReadOnly(String path) throws Exception {
-        Privilege[] privs = getTestAccessControlManager().getPrivileges(path);
+    protected void assertReadOnly(String path) throws Exception {
+        Privilege[] privs = testAcMgr.getPrivileges(path);
         assertArrayEquals(privilegesFromName(Privilege.JCR_READ), privs);
     }
 
@@ -188,9 +233,9 @@ public abstract class AbstractEvaluation
     }
 
     protected JackrabbitAccessControlList allow(String nPath, Principal principal,
-                                                Privilege[] privileges, Map<String, Value> restrictions)
+                                                Privilege[] privileges)
             throws Exception {
-        return modify(nPath, principal, privileges, true, restrictions);
+        return modify(nPath, principal, privileges, true, EMPTY_RESTRICTIONS);
     }
 
     protected JackrabbitAccessControlList deny(String nPath, Privilege[] privileges)
@@ -203,8 +248,8 @@ public abstract class AbstractEvaluation
         return modify(nPath, testUser.getPrincipal(), privileges, false, restrictions);
     }
 
-    protected JackrabbitAccessControlList deny(String nPath, Principal principal, Privilege[] privileges, Map<String, Value> restrictions)
+    protected JackrabbitAccessControlList deny(String nPath, Principal principal, Privilege[] privileges)
             throws Exception {
-        return modify(nPath, principal, privileges, false, restrictions);
+        return modify(nPath, principal, privileges, false, EMPTY_RESTRICTIONS);
     }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlManagementTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlManagementTest.java?rev=1437562&r1=1437561&r2=1437562&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlManagementTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlManagementTest.java Wed Jan 23 16:52:29 2013
@@ -16,15 +16,14 @@
  */
 package org.apache.jackrabbit.oak.jcr.security.authorization;
 
-import java.util.HashMap;
-import java.util.Map;
 import javax.jcr.AccessDeniedException;
 import javax.jcr.Node;
 import javax.jcr.NodeIterator;
-import javax.jcr.Property;
+import javax.jcr.PathNotFoundException;
 import javax.jcr.PropertyIterator;
+import javax.jcr.RepositoryException;
 import javax.jcr.Session;
-import javax.jcr.Value;
+import javax.jcr.nodetype.ConstraintViolationException;
 import javax.jcr.security.AccessControlList;
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.AccessControlPolicy;
@@ -32,48 +31,19 @@ import javax.jcr.security.AccessControlP
 import javax.jcr.security.Privilege;
 
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
-import org.junit.Before;
+import org.apache.jackrabbit.test.NotExecutableException;
+import org.apache.jackrabbit.util.Text;
 import org.junit.Ignore;
 import org.junit.Test;
 
 /**
  * AccessControlManagementTest... TODO
- *
- * copied from jr2.x AcReadWriteTest
  */
 @Ignore("OAK-51")
 public class AccessControlManagementTest extends AbstractEvaluationTest {
 
-    private String path;
-    private String childNPath;
-
-    @Override
-    @Before
-    protected void setUp() throws Exception {
-        super.setUp();
-
-        // create some nodes below the test root in order to apply ac-stuff
-        Node node = testRootNode.addNode(nodeName1, testNodeType);
-        Node cn1 = node.addNode(nodeName2, testNodeType);
-        Property cp1 = node.setProperty(propertyName1, "anyValue");
-        Node cn2 = node.addNode(nodeName3, testNodeType);
-
-        Property ccp1 = cn1.setProperty(propertyName1, "childNodeProperty");
-
-        Node n2 = testRootNode.addNode(nodeName2, testNodeType);
-        superuser.save();
-
-        path = node.getPath();
-        childNPath = cn1.getPath();
-    }
-
     @Test
     public void testAccessControlPrivileges() throws Exception {
-        /* precondition:
-          testuser must have READ-only permission on test-node and below
-        */
-        checkReadOnly(path);
-
         /* grant 'testUser' rep:write, rep:readAccessControl and
            rep:modifyAccessControl privileges at 'path' */
         Privilege[] privileges = privilegesFromNames(new String[] {
@@ -83,8 +53,6 @@ public class AccessControlManagementTest
         });
         JackrabbitAccessControlList acl = allow(path, privileges);
 
-        Session testSession = getTestSession();
-        AccessControlManager testAcMgr = getTestAccessControlManager();
         /*
          testuser must have
          - permission to view AC items
@@ -98,18 +66,13 @@ public class AccessControlManagementTest
     }
 
     /**
-     * Test if a new applicable policy can be applied within a individual
-     * subtree where AC-modification is allowed.
+     * Test if a new applicable policy can be applied within a
+     * sub-tree where AC-modification is allowed.
      *
      * @see <a href="https://issues.apache.org/jira/browse/JCR-2869">JCR-2869</a>
      */
     @Test
     public void testSetNewPolicy() throws Exception {
-        /* precondition:
-          testuser must have READ-only permission on test-node and below
-        */
-        checkReadOnly(path);
-
         /* grant 'testUser' rep:write, rep:readAccessControl and
            rep:modifyAccessControl privileges at 'path' */
         Privilege[] privileges = privilegesFromNames(new String[] {
@@ -119,7 +82,6 @@ public class AccessControlManagementTest
         });
         allow(path, privileges);
 
-        AccessControlManager testAcMgr = getTestAccessControlManager();
         /*
          testuser must be allowed to set a new policy at a child node.
         */
@@ -127,17 +89,14 @@ public class AccessControlManagementTest
         while (it.hasNext()) {
             AccessControlPolicy plc = it.nextAccessControlPolicy();
             testAcMgr.setPolicy(childNPath, plc);
+            testSession.save();
             testAcMgr.removePolicy(childNPath, plc);
+            testSession.save();
         }
     }
 
     @Test
     public void testSetModifiedPolicy() throws Exception {
-        /* precondition:
-          testuser must have READ-only permission on test-node and below
-        */
-        checkReadOnly(path);
-
         /* grant 'testUser' rep:write, rep:readAccessControl and
            rep:modifyAccessControl privileges at 'path' */
         Privilege[] privileges = privilegesFromNames(new String[] {
@@ -147,12 +106,10 @@ public class AccessControlManagementTest
         });
 
         JackrabbitAccessControlList acl = allow(path, privileges);
+
         /*
          testuser must be allowed to set (modified) policy at target node.
         */
-        Session testSession = getTestSession();
-        AccessControlManager testAcMgr = getTestAccessControlManager();
-
         AccessControlPolicy[] policies  = testAcMgr.getPolicies(path);
 
         assertEquals(1, policies.length);
@@ -167,21 +124,13 @@ public class AccessControlManagementTest
 
     @Test
     public void testRetrievePrivilegesOnAcNodes() throws Exception {
-        /* precondition:
-          testuser must have READ-only permission on test-node and below
-        */
-        checkReadOnly(path);
-
         // give 'testUser' jcr:readAccessControl privileges at 'path'
         Privilege[] privileges = privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL);
-        JackrabbitAccessControlList acl = allow(path, privileges);
+        allow(path, privileges);
 
         /*
          testuser must be allowed to read ac-content at target node.
         */
-        Session testSession = getTestSession();
-        AccessControlManager testAcMgr = getTestAccessControlManager();
-
         assertTrue(testAcMgr.hasPrivileges(path, privileges));
 
         AccessControlPolicy[] policies  = testAcMgr.getPolicies(path);
@@ -211,28 +160,50 @@ public class AccessControlManagementTest
         }
     }
 
-    @Test
-    public void testReadAccessControl() throws Exception {
-        /* precondition:
-          testuser must have READ-only permission on test-node and below
+    @Test // TODO: check if this duplicates the next test
+    public void testAccessControlRead() throws Exception {
+        // re-grant READ in order to have an ACL-node
+        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
+        JackrabbitAccessControlList tmpl = allow(path, privileges);
+        // make sure the 'rep:policy' node has been created.
+        assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));
+
+        /*
+         Testuser must still have READ-only access only and must not be
+         allowed to view the acl-node that has been created.
         */
-        checkReadOnly(path);
+        assertFalse(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL)));
+        assertFalse(testSession.itemExists(path + "/rep:policy"));
+
+        Node n = testSession.getNode(tmpl.getPath());
+        assertFalse(n.hasNode("rep:policy"));
+        try {
+            n.getNode("rep:policy");
+            fail("Accessing the rep:policy node must throw PathNotFoundException.");
+        } catch (PathNotFoundException e) {
+            // ok.
+        }
+
+        /* Finally the test user must not be allowed to remove the policy. */
+        try {
+            testAcMgr.removePolicy(path, new AccessControlPolicy() {});
+            fail("Test user must not be allowed to remove the access control policy.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
 
+    @Test
+    public void testReadAccessControl() throws Exception {
         /* give 'testUser' jcr:readAccessControl privileges at subtree below
            path excluding the node at path itself. */
-        Privilege[] privileges = privilegesFromNames(new String[] {
-                Privilege.JCR_READ_ACCESS_CONTROL
-        });
-        Map<String, Value> restrictions = new HashMap<String, Value>();
-        restrictions.put("rep:glob", vf.createValue('/' + nodeName2));
-        JackrabbitAccessControlList acl = allow(path, privileges, restrictions);
+        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL);
+        allow(path, privileges, createGlobRestriction('/' + nodeName2));
 
         /*
          testuser must not be allowed to read AC content at the target node;
          however, retrieving potential AC content at 'childPath' is granted.
         */
-        Session testSession = getTestSession();
-        AccessControlManager testAcMgr = getTestAccessControlManager();
 
         assertFalse(testAcMgr.hasPrivileges(path, privileges));
         try {
@@ -270,4 +241,236 @@ public class AccessControlManagementTest
             }
         }
     }
+
+    @Test
+    public void testAclReferingToRemovedPrincipal() throws Exception {
+
+        JackrabbitAccessControlList acl = allow(path, repWritePrivileges);
+        String acPath = acl.getPath();
+
+        // remove the test user
+        testUser.remove();
+        superuser.save();
+
+        // try to retrieve the acl again
+        Session s = getHelper().getSuperuserSession();
+        try {
+            AccessControlManager acMgr = getAccessControlManager(s);
+            acMgr.getPolicies(acPath);
+        } finally {
+            s.logout();
+        }
+    }
+
+    @Test
+    public void testAccessControlModification() throws Exception {
+        // give 'testUser' ADD_CHILD_NODES|MODIFY_PROPERTIES| REMOVE_CHILD_NODES privileges at 'path'
+        Privilege[] privileges = privilegesFromNames(new String[] {
+                Privilege.JCR_ADD_CHILD_NODES,
+                Privilege.JCR_REMOVE_CHILD_NODES,
+                Privilege.JCR_MODIFY_PROPERTIES
+        });
+        JackrabbitAccessControlList tmpl = allow(path, privileges);
+        /*
+         testuser must not have
+         - permission to view AC items
+         - permission to modify AC items
+        */
+
+        // make sure the 'rep:policy' node has been created.
+        assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));
+        // the policy node however must not be visible to the test-user
+        assertFalse(testSession.itemExists(tmpl.getPath() + "/rep:policy"));
+        try {
+            testAcMgr.getPolicies(tmpl.getPath());
+            fail("test user must not have READ_AC privilege.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+        try {
+            testAcMgr.getEffectivePolicies(tmpl.getPath());
+            fail("test user must not have READ_AC privilege.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+        try {
+            testAcMgr.getEffectivePolicies(path);
+            fail("test user must not have READ_AC privilege.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+        try {
+            testAcMgr.removePolicy(tmpl.getPath(), new AccessControlPolicy() {});
+            fail("test user must not have MODIFY_AC privilege.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testAccessControlModification2() throws Exception {
+        // give 'testUser' READ_AC|MODIFY_AC privileges at 'path'
+        Privilege[] privileges = privilegesFromNames(new String[] {
+                Privilege.JCR_READ_ACCESS_CONTROL,
+                Privilege.JCR_MODIFY_ACCESS_CONTROL
+        });
+        JackrabbitAccessControlList tmpl = allow(path, privileges);
+        /*
+         testuser must
+         - still have the inherited READ permission.
+         - must have permission to view AC items at 'path' (and below)
+         - must have permission to modify AC items at 'path'
+
+         testuser must not have
+         - permission to view AC items outside of the tree defined by path.
+        */
+
+        // make sure the 'rep:policy' node has been created.
+        assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));
+
+        // test: MODIFY_AC granted at 'path'
+        assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
+
+        // test if testuser can READ access control on the path and on the
+        // entire subtree that gets the policy inherited.
+        AccessControlPolicy[] policies = testAcMgr.getPolicies(path);
+        testAcMgr.getPolicies(childNPath);
+
+        // test: READ_AC privilege does not apply outside of the tree.
+        try {
+            testAcMgr.getPolicies(siblingPath);
+            fail("READ_AC privilege must not apply outside of the tree it has applied to.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+
+        // test: MODIFY_AC privilege does not apply outside of the tree.
+        try {
+            testAcMgr.setPolicy(siblingPath, policies[0]);
+            fail("MODIFY_AC privilege must not apply outside of the tree it has applied to.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+
+        // test if testuser can modify AC-items
+        // 1) add an ac-entry
+        AccessControlList acl = (AccessControlList) policies[0];
+        acl.addAccessControlEntry(testUser.getPrincipal(), repWritePrivileges);
+        testAcMgr.setPolicy(path, acl);
+        testSession.save();
+
+        assertTrue(testAcMgr.hasPrivileges(path,
+                privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES)));
+
+        // 2) remove the policy
+        testAcMgr.removePolicy(path, policies[0]);
+        testSession.save();
+
+        // Finally: testuser removed the policy that granted him permission
+        // to modify the AC content. Since testuser removed the policy, it's
+        // privileges must be gone again...
+        try {
+            testAcMgr.getEffectivePolicies(childNPath);
+            fail("READ_AC privilege has been revoked -> must throw again.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+        // ... and since the ACE is stored with the policy all right except
+        // READ must be gone.
+        assertReadOnly(path);
+    }
+
+    @Test
+    public void testAcContentIsProtected() throws Exception {
+        // search for a rep:policy node
+        Node policyNode = findPolicyNode(superuser.getRootNode());
+        if (policyNode == null) {
+            throw new NotExecutableException("no policy node found.");
+        }
+
+        assertTrue("The rep:Policy node must be protected", policyNode.getDefinition().isProtected());
+        try {
+            policyNode.remove();
+            fail("rep:Policy node must be protected.");
+        } catch (ConstraintViolationException e) {
+            // success
+        }
+
+        for (NodeIterator it = policyNode.getNodes(); it.hasNext();) {
+            Node n = it.nextNode();
+            if (n.isNodeType("rep:ACE")) {
+                try {
+                    n.remove();
+                    fail("ACE node must be protected.");
+                } catch (ConstraintViolationException e) {
+                    // success
+                }
+                break;
+            }
+        }
+
+        try {
+            policyNode.setProperty("test", "anyvalue");
+            fail("rep:policy node must be protected.");
+        } catch (ConstraintViolationException e) {
+            // success
+        }
+        try {
+            policyNode.addNode("test", "rep:ACE");
+            fail("rep:policy node must be protected.");
+        } catch (ConstraintViolationException e) {
+            // success
+        }
+    }
+
+    private static Node findPolicyNode(Node start) throws RepositoryException {
+        Node policyNode = null;
+        if (start.isNodeType("rep:Policy")) {
+            policyNode = start;
+        }
+        for (NodeIterator it = start.getNodes(); it.hasNext() && policyNode == null;) {
+            Node n = it.nextNode();
+            if (!"jcr:system".equals(n.getName())) {
+                policyNode = findPolicyNode(n);
+            }
+        }
+        return policyNode;
+    }
+
+    @Test
+    public void testReorderPolicyNode() throws Exception {
+        Node n = testSession.getNode(path);
+        try {
+            if (!n.getPrimaryNodeType().hasOrderableChildNodes()) {
+                throw new NotExecutableException("Reordering child nodes is not supported..");
+            }
+
+            n.orderBefore(Text.getName(childNPath), Text.getName(childNPath2));
+            testSession.save();
+            fail("test session must not be allowed to reorder nodes.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
+
+        // grant all privileges
+        allow(path, privilegesFromNames(new String[] {Privilege.JCR_ALL}));
+
+        n.orderBefore("rep:policy", Text.getName(childNPath2));
+        testSession.save();
+    }
+
+    @Test
+    public void testRemoveMixin() throws Exception {
+        Node n = superuser.getNode(path);
+        deny(path, readPrivileges);
+
+        assertTrue(n.hasNode("rep:policy"));
+        assertTrue(n.isNodeType("rep:AccessControllable"));
+
+        n.removeMixin("rep:AccessControllable");
+
+        superuser.save();
+        assertFalse(n.hasNode("rep:policy"));
+        assertFalse(n.isNodeType("rep:AccessControllable"));
+    }
 }
\ No newline at end of file

Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/InheritanceTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/InheritanceTest.java?rev=1437562&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/InheritanceTest.java (added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/InheritanceTest.java Wed Jan 23 16:52:29 2013
@@ -0,0 +1,321 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import java.security.Principal;
+import java.util.UUID;
+import javax.jcr.Node;
+import javax.jcr.Session;
+import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.user.Group;
+import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * InheritanceTest... TODO
+ */
+public class InheritanceTest extends AbstractEvaluationTest {
+
+    @Test
+    public void testInheritance() throws Exception {
+        // give 'modify_properties' and 'remove_node' privilege on 'path'
+        Privilege[] privileges = privilegesFromNames(new String[] {
+                Privilege.JCR_REMOVE_NODE, Privilege.JCR_MODIFY_PROPERTIES});
+        allow(path, privileges);
+        // give 'add-child-nodes', remove_child_nodes' on 'childNPath'
+        privileges = privilegesFromNames(new String[] {
+                Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_REMOVE_CHILD_NODES});
+        allow(childNPath, privileges);
+
+        /*
+        since evaluation respects inheritance through the node
+        hierarchy, the following privileges must now be given at 'childNPath':
+        - jcr:read
+        - jcr:modifyProperties
+        - jcr:addChildNodes
+        - jcr:removeChildNodes
+        - jcr:removeNode
+        */
+        Privilege[] expectedPrivileges =  privilegesFromNames(new String[] {
+                Privilege.JCR_READ,
+                Privilege.JCR_ADD_CHILD_NODES,
+                Privilege.JCR_REMOVE_CHILD_NODES,
+                Privilege.JCR_REMOVE_NODE,
+                Privilege.JCR_MODIFY_PROPERTIES
+        });
+        assertTrue(testAcMgr.hasPrivileges(childNPath, expectedPrivileges));
+
+        /*
+         ... permissions granted at childNPath:
+         - read
+         - set-property
+
+         BUT NOT:
+         - add-node
+         - remove.
+         */
+        String aActions = javax.jcr.Session.ACTION_SET_PROPERTY + ',' + javax.jcr.Session.ACTION_READ;
+        assertTrue(testSession.hasPermission(childNPath, aActions));
+        String dActions = javax.jcr.Session.ACTION_REMOVE + ',' + javax.jcr.Session.ACTION_ADD_NODE;
+        assertFalse(testSession.hasPermission(childNPath, dActions));
+
+        /*
+        ... permissions granted at any child item of child-path:
+        - read
+        - set-property
+        - add-node
+        - remove
+        */
+        String nonExistingItemPath = childNPath + "/anyItem";
+        assertTrue(testSession.hasPermission(nonExistingItemPath, aActions + ',' + dActions));
+
+        /* try adding a new child node -> must succeed. */
+        Node childN = testSession.getNode(childNPath);
+        String testPath = childN.addNode(nodeName2).getPath();
+
+        /* test privileges on the 'new' child node */
+        assertTrue(testAcMgr.hasPrivileges(testPath, expectedPrivileges));
+
+        /* repeat test after save. */
+        testSession.save();
+        assertTrue(testAcMgr.hasPrivileges(testPath, expectedPrivileges));
+    }
+
+    @Test
+    public void testInheritance2() throws Exception {
+        // give jcr:write privilege on 'path' and withdraw them on 'childNPath'
+        Privilege[] privileges = privilegesFromNames(new String[] {Privilege.JCR_WRITE});
+        allow(path, privileges);
+        deny(childNPath, privileges);
+
+        /*
+        since evaluation respects inheritance through the node
+        hierarchy, the jcr:write privilege must not be granted at childNPath
+        */
+        assertFalse(testAcMgr.hasPrivileges(childNPath, privileges));
+
+        /*
+         ... same for permissions at 'childNPath'
+         */
+        String actions = getActions(Session.ACTION_SET_PROPERTY, Session.ACTION_REMOVE, Session.ACTION_ADD_NODE);
+
+        String nonExistingItemPath = childNPath + "/anyItem";
+        assertFalse(testSession.hasPermission(nonExistingItemPath, actions));
+
+        // yet another level in the hierarchy
+        Node grandChild = superuser.getNode(childNPath).addNode(nodeName3);
+        superuser.save();
+        String gcPath = grandChild.getPath();
+
+        // grant write privilege again
+        allow(gcPath, privileges);
+        assertTrue(testAcMgr.hasPrivileges(gcPath, privileges));
+        assertTrue(testSession.hasPermission(gcPath + "/anyProp", Session.ACTION_SET_PROPERTY));
+        // however: removing the grand-child nodes must not be allowed as
+        // remove_child_node privilege is missing on the direct ancestor.
+        assertFalse(testSession.hasPermission(gcPath, Session.ACTION_REMOVE));
+    }
+
+    @Test
+    public void testInheritedGroupPermissions() throws Exception {
+        Group testGroup = getTestGroup();
+
+        /* allow MODIFY_PROPERTIES privilege for testGroup at 'path' */
+        allow(path, testGroup.getPrincipal(), modPropPrivileges);
+        /* deny MODIFY_PROPERTIES privilege for everyone at 'childNPath' */
+        deny(childNPath, EveryonePrincipal.getInstance(), modPropPrivileges);
+
+        // result at 'child path' must be deny
+        assertFalse(testAcMgr.hasPrivileges(childNPath, modPropPrivileges));
+    }
+
+    @Test
+    public void testInheritedGroupPermissions2() throws Exception {
+        Group testGroup = getTestGroup();
+
+        // NOTE: same as testInheritedGroupPermissions above but using
+        // everyone on path, testgroup on childpath -> result must be the same
+
+        /* allow MODIFY_PROPERTIES privilege for everyone at 'path' */
+        allow(path, EveryonePrincipal.getInstance(), modPropPrivileges);
+        /* deny MODIFY_PROPERTIES privilege for testGroup at 'childNPath' */
+        deny(childNPath, testGroup.getPrincipal(), modPropPrivileges);
+
+        // result at 'child path' must be deny
+        assertFalse(testAcMgr.hasPrivileges(childNPath, modPropPrivileges));
+    }
+
+    @Test
+    public void testMultipleGroupPermissionsOnNode() throws Exception {
+        Group testGroup = getTestGroup();
+
+        /* create a second group the test user is member of */
+        UserManager umgr = getUserManager(superuser);
+        Group group2 = umgr.createGroup("testGroup" + UUID.randomUUID());
+        try {
+            group2.addMember(testUser);
+            superuser.save();
+
+            /* add privileges for the Group the test-user is member of */
+            allow(path, testGroup.getPrincipal(), modPropPrivileges);
+            deny(path, group2.getPrincipal(), modPropPrivileges);
+
+            /*
+             testuser must get the permissions/privileges inherited from
+             the group it is member of.
+             the denial of group2 must succeed
+            */
+            String actions = getActions(Session.ACTION_SET_PROPERTY, Session.ACTION_READ);
+            assertFalse(testSession.hasPermission(path, actions));
+            assertFalse(testAcMgr.hasPrivileges(path, modPropPrivileges));
+
+        } finally {
+            group2.remove();
+        }
+    }
+
+    @Test
+    public void testMultipleGroupPermissionsOnNode2() throws Exception {
+        Group testGroup = getTestGroup();
+
+        /* create a second group the test user is member of */
+        UserManager umgr = getUserManager(superuser);
+        Group group2 = umgr.createGroup("testGroup" + UUID.randomUUID());
+
+        try {
+            group2.addMember(testUser);
+            if (!umgr.isAutoSave() && superuser.hasPendingChanges()) {
+                superuser.save();
+            }
+
+            /* add privileges for the Group the test-user is member of */
+            deny(path, testGroup.getPrincipal(), modPropPrivileges);
+            allow(path, group2.getPrincipal(), modPropPrivileges);
+
+            /*
+             testuser must get the permissions/privileges inherited from
+             the group it is member of.
+             granting permissions for group2 must be effective
+            */
+            String actions = getActions(Session.ACTION_SET_PROPERTY, Session.ACTION_READ);
+            assertTrue(testSession.hasPermission(path, actions));
+
+            assertTrue(testAcMgr.hasPrivileges(path, modPropPrivileges));
+        } finally {
+            group2.remove();
+        }
+    }
+
+    @Test
+    public void testReorderGroupPermissions() throws Exception {
+        Group testGroup = getTestGroup();
+
+        /* create a second group the test user is member of */
+        UserManager umgr = getUserManager(superuser);
+        Group group2 = umgr.createGroup("testGroup" + UUID.randomUUID());
+
+        try {
+            group2.addMember(testUser);
+            superuser.save();
+
+            /* add privileges for the Group the test-user is member of */
+            deny(path, testGroup.getPrincipal(), modPropPrivileges);
+            allow(path, group2.getPrincipal(), modPropPrivileges);
+
+            /*
+             testuser must get the permissions/privileges inherited from
+             the group it is member of.
+             granting permissions for group2 must be effective
+            */
+            String actions = getActions(Session.ACTION_SET_PROPERTY, Session.ACTION_READ);
+
+            assertTrue(testSession.hasPermission(path, actions));
+            Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+            assertTrue(testAcMgr.hasPrivileges(path, privs));
+
+            // reorder the ACEs
+            AccessControlEntry srcEntry = null;
+            AccessControlEntry destEntry = null;
+            JackrabbitAccessControlList acl = (JackrabbitAccessControlList) acMgr.getPolicies(path)[0];
+            for (AccessControlEntry entry : acl.getAccessControlEntries()) {
+                Principal princ = entry.getPrincipal();
+                if (testGroup.getPrincipal().equals(princ)) {
+                    destEntry = entry;
+                } else if (group2.getPrincipal().equals(princ)) {
+                    srcEntry = entry;
+                }
+
+            }
+
+            acl.orderBefore(srcEntry, destEntry);
+            acMgr.setPolicy(path, acl);
+            superuser.save();
+
+            /* after reordering the permissions must be denied */
+            assertFalse(testSession.hasPermission(path, actions));
+            assertFalse(testAcMgr.hasPrivileges(path, privs));
+
+        } finally {
+            group2.remove();
+        }
+    }
+
+    @Test
+    public void testInheritanceAndMixedUserGroupPermissions() throws Exception {
+        Group testGroup = getTestGroup();
+
+        /* give MODIFY_PROPERTIES privilege for testGroup at 'path' */
+        allow(path, testGroup.getPrincipal(), modPropPrivileges);
+
+        /* withdraw MODIFY_PROPERTIES for the user at 'path' */
+        deny(path, testUser.getPrincipal(), modPropPrivileges);
+
+        /*
+         since user-permissions overrule the group permissions, testuser must
+         not have set_property action / modify_properties privilege.
+         */
+        assertFalse(testAcMgr.hasPrivileges(path, modPropPrivileges));
+
+        /*
+         give MODIFY_PROPERTIES privilege for everyone at 'childNPath'
+         -> user-privileges still overrule group privileges
+         */
+        allow(childNPath, testGroup.getPrincipal(), modPropPrivileges);
+        assertFalse(testAcMgr.hasPrivileges(childNPath, modPropPrivileges));
+    }
+
+    @Test
+    public void testCancelInheritanceRestriction() throws Exception {
+        allow(path, repWritePrivileges, createGlobRestriction(""));
+
+        assertTrue(testAcMgr.hasPrivileges(path, repWritePrivileges));
+        assertTrue(testSession.hasPermission(path, Session.ACTION_SET_PROPERTY));
+
+        assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
+        assertFalse(testSession.hasPermission(childNPath, Session.ACTION_SET_PROPERTY));
+
+        assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
+        assertFalse(testSession.hasPermission(childNPath2, Session.ACTION_SET_PROPERTY));
+    }
+}
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/MoveTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/MoveTest.java?rev=1437562&r1=1437561&r2=1437562&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/MoveTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/MoveTest.java Wed Jan 23 16:52:29 2013
@@ -16,13 +16,8 @@
  */
 package org.apache.jackrabbit.oak.jcr.security.authorization;
 
-import java.util.Collections;
-import java.util.Map;
+import javax.jcr.AccessDeniedException;
 import javax.jcr.Node;
-import javax.jcr.RepositoryException;
-import javax.jcr.Session;
-import javax.jcr.Value;
-import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.Privilege;
 
 import org.junit.Before;
@@ -35,13 +30,6 @@ import org.junit.Test;
 @Ignore("OAK-51")
 public class MoveTest extends AbstractEvaluationTest {
 
-    private Privilege[] readPrivileges;
-
-    private Session testSession;
-    private AccessControlManager testAcManager;
-
-    private String path;
-    private String nodePath2;
     private String nodePath3;
 
     @Override
@@ -49,60 +37,123 @@ public class MoveTest extends AbstractEv
     protected void setUp() throws Exception {
         super.setUp();
 
-        readPrivileges = privilegesFromName(Privilege.JCR_READ);
-        testSession = getTestSession();
-        testAcManager = getTestAccessControlManager();
-
-        // create some nodes below the test root in order to apply ac-stuff
-        Node node = testRootNode.addNode(nodeName1, testNodeType);
-        Node node2 = node.addNode(nodeName2, testNodeType);
-        Node node3 = node2.addNode(nodeName3);
-        superuser.save();
-
+        Node node3 = testRootNode.getNode(childNPath).addNode(nodeName3);
         nodePath3 = node3.getPath();
-
         superuser.save();
+    }
 
-        path = node.getPath();
-        nodePath2 = node2.getPath();
+    @Test
+    public void testSessionMove() throws Exception {
+        String destPath = path + '/' + nodeName1;
 
-        /*
-        precondition:
-        testuser must have READ-only permission on test-node and below
-        */
-        checkReadOnly(path);
-        checkReadOnly(nodePath2);
+        // give 'add_child_nodes' and 'nt-management' privilege
+        // -> not sufficient privileges for a move
+        allow(path, privilegesFromNames(new String[] {Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_NODE_TYPE_MANAGEMENT}));
+        try {
+            testSession.move(childNPath, destPath);
+            testSession.save();
+            fail("Move requires add and remove permission.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
+
+        // add 'remove_child_nodes' at 'path
+        // -> not sufficient for a move since 'remove_node' privilege is missing
+        //    on the move-target
+        allow(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES));
+        try {
+            testSession.move(childNPath, destPath);
+            testSession.save();
+            fail("Move requires add and remove permission.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
+
+        // allow 'remove_node' at childNPath
+        // -> now move must succeed
+        allow(childNPath, privilegesFromName(Privilege.JCR_REMOVE_NODE));
+        testSession.move(childNPath, destPath);
+        testSession.save();
+
+        // withdraw  'add_child_nodes' privilege on former src-parent
+        // -> moving child-node back must fail
+        deny(path, privilegesFromName(Privilege.JCR_ADD_CHILD_NODES));
+        try {
+            testSession.move(destPath, childNPath);
+            testSession.save();
+            fail("Move requires add and remove permission.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
     }
 
-    private Map<String, Value> createGlobRestriction(String value) throws RepositoryException {
-        return Collections.singletonMap("rep:glob", getTestSession().getValueFactory().createValue(value));
+    @Test
+    public void testWorkspaceMove() throws Exception {
+        String destPath = path + '/' + nodeName1;
+
+        // give 'add_child_nodes', 'nt-mgmt' privilege
+        // -> not sufficient privileges for a move.
+        allow(path, privilegesFromNames(new String[] {Privilege.JCR_ADD_CHILD_NODES,
+                Privilege.JCR_NODE_TYPE_MANAGEMENT}));
+        try {
+            testSession.getWorkspace().move(childNPath, destPath);
+            fail("Move requires add and remove permission.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
+
+        // add 'remove_child_nodes' at 'path
+        // -> no sufficient for a move since 'remove_node' privilege is missing
+        //    on the move-target
+        allow(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES));
+        try {
+            testSession.getWorkspace().move(childNPath, destPath);
+            fail("Move requires add and remove permission.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
+
+        // allow 'remove_node' at childNPath
+        // -> now move must succeed
+        allow(childNPath, privilegesFromName(Privilege.JCR_REMOVE_NODE));
+        testSession.getWorkspace().move(childNPath, destPath);
+
+        // withdraw  'add_child_nodes' privilege on former src-parent
+        // -> moving child-node back must fail
+        deny(path, privilegesFromName(Privilege.JCR_ADD_CHILD_NODES));
+        try {
+            testSession.getWorkspace().move(destPath, childNPath);
+            fail("Move requires add and remove permission.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
     }
 
     @Test
     public void testMoveAccessControlledNode() throws Exception {
         // permissions defined @ childNode
         // -> revoke read permission
-        deny(nodePath2, readPrivileges);
+        deny(childNPath, readPrivileges);
 
-        assertFalse(testSession.nodeExists(nodePath2));
-        assertFalse(testAcManager.hasPrivileges(nodePath2, readPrivileges));
+        assertFalse(testSession.nodeExists(childNPath));
+        assertFalse(testAcMgr.hasPrivileges(childNPath, readPrivileges));
         assertFalse(testSession.nodeExists(nodePath3));
-        assertFalse(testAcManager.hasPrivileges(nodePath3, readPrivileges));
+        assertFalse(testAcMgr.hasPrivileges(nodePath3, readPrivileges));
 
         // move the ancestor node
         String movedChildNPath = path + "/movedNode";
         String movedNode3Path = movedChildNPath + '/' + nodeName3;
 
-        superuser.move(nodePath2, movedChildNPath);
+        superuser.move(childNPath, movedChildNPath);
         superuser.save();
 
         // expected behavior:
         // the AC-content present on childNode is still enforced both on
         // the node itself and on the subtree.
         assertFalse(testSession.nodeExists(movedChildNPath));
-        assertFalse(testAcManager.hasPrivileges(movedChildNPath, readPrivileges));
+        assertFalse(testAcMgr.hasPrivileges(movedChildNPath, readPrivileges));
         assertFalse(testSession.nodeExists(movedNode3Path));
-        assertFalse(testAcManager.hasPrivileges(movedNode3Path, readPrivileges));
+        assertFalse(testAcMgr.hasPrivileges(movedNode3Path, readPrivileges));
     }
 
     @Test
@@ -112,29 +163,29 @@ public class MoveTest extends AbstractEv
         deny(nodePath3, readPrivileges);
 
         assertFalse(testSession.nodeExists(nodePath3));
-        assertFalse(testAcManager.hasPrivileges(nodePath3, readPrivileges));
+        assertFalse(testAcMgr.hasPrivileges(nodePath3, readPrivileges));
 
         // move the ancestor node
         String movedChildNPath = path + "/movedNode";
         String movedNode3Path = movedChildNPath + '/' + nodeName3;
 
-        superuser.move(nodePath2, movedChildNPath);
+        superuser.move(childNPath, movedChildNPath);
         superuser.save();
 
         // expected behavior:
         // the AC-content present on node3 is still enforced
         assertFalse(testSession.nodeExists(movedNode3Path));
-        assertFalse(testAcManager.hasPrivileges(movedNode3Path, readPrivileges));
+        assertFalse(testAcMgr.hasPrivileges(movedNode3Path, readPrivileges));
     }
 
     @Test
     public void testMoveWithDifferentEffectiveAc() throws Exception {
         // @path read is denied, @childNode its allowed again
         deny(path, readPrivileges);
-        allow(nodePath2, readPrivileges);
+        allow(childNPath, readPrivileges);
 
         assertTrue(testSession.nodeExists(nodePath3));
-        assertTrue(testAcManager.hasPrivileges(nodePath3, readPrivileges));
+        assertTrue(testAcMgr.hasPrivileges(nodePath3, readPrivileges));
 
         // move the ancestor node
         String movedPath = path + "/movedNode";
@@ -145,44 +196,44 @@ public class MoveTest extends AbstractEv
         // expected behavior:
         // due to move node3 should not e visible any more
         assertFalse(testSession.nodeExists(movedPath));
-        assertFalse(testAcManager.hasPrivileges(movedPath, readPrivileges));
+        assertFalse(testAcMgr.hasPrivileges(movedPath, readPrivileges));
     }
 
     @Test
     public void testMoveNodeWithGlobRestriction() throws Exception {
         // permissions defined @ path
         // restriction: remove read priv to nodeName3 node
-        deny(nodePath2, readPrivileges, createGlobRestriction('/' +nodeName3));
+        deny(childNPath, readPrivileges, createGlobRestriction('/' +nodeName3));
 
         assertFalse(testSession.nodeExists(nodePath3));
-        assertFalse(testAcManager.hasPrivileges(nodePath3, readPrivileges));
+        assertFalse(testAcMgr.hasPrivileges(nodePath3, readPrivileges));
 
         String movedChildNPath = path + "/movedNode";
         String movedNode3Path = movedChildNPath + '/' + nodeName3;
 
-        superuser.move(nodePath2, movedChildNPath);
+        superuser.move(childNPath, movedChildNPath);
         superuser.save();
 
         assertFalse(testSession.nodeExists(movedNode3Path));
-        assertFalse(testAcManager.hasPrivileges(movedNode3Path, readPrivileges));
+        assertFalse(testAcMgr.hasPrivileges(movedNode3Path, readPrivileges));
     }
 
     @Test
     public void testMoveNodeWithGlobRestriction2() throws Exception {
         // permissions defined @ path
         // restriction: remove read priv to nodeName3 node
-        deny(nodePath2, readPrivileges, createGlobRestriction('/' + nodeName3));
+        deny(childNPath, readPrivileges, createGlobRestriction('/' + nodeName3));
 
         // don't fill the per-session read-cache by calling Session.nodeExists
-        assertFalse(testAcManager.hasPrivileges(nodePath3, readPrivileges));
+        assertFalse(testAcMgr.hasPrivileges(nodePath3, readPrivileges));
 
         String movedChildNPath = path + "/movedNode";
         String movedNode3Path = movedChildNPath + '/' + nodeName3;
 
-        superuser.move(nodePath2, movedChildNPath);
+        superuser.move(childNPath, movedChildNPath);
         superuser.save();
 
         assertFalse(testSession.nodeExists(movedNode3Path));
-        assertFalse(testAcManager.hasPrivileges(movedNode3Path, readPrivileges));
+        assertFalse(testAcMgr.hasPrivileges(movedNode3Path, readPrivileges));
     }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NamespaceManagementTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NamespaceManagementTest.java?rev=1437562&r1=1437561&r2=1437562&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NamespaceManagementTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NamespaceManagementTest.java Wed Jan 23 16:52:29 2013
@@ -31,8 +31,6 @@ import org.junit.Test;
 
 /**
  * NamespaceManagementTest... TODO
- *
- * copied from jr2x RepositoryOperationTest
  */
 @Ignore("OAK-51")
 public class NamespaceManagementTest extends AbstractEvaluationTest {
@@ -44,7 +42,7 @@ public class NamespaceManagementTest ext
     protected void setUp() throws Exception {
         super.setUp();
 
-        assertPrivilege(null, JCR_NAMESPACE_MANAGEMENT, false);
+        assertHasPrivilege(null, JCR_NAMESPACE_MANAGEMENT, false);
     }
 
     @Override
@@ -85,7 +83,7 @@ public class NamespaceManagementTest ext
     @Test
     public void testRegisterNamespace() throws Exception {
         try {
-            Workspace testWsp = getTestSession().getWorkspace();
+            Workspace testWsp = testSession.getWorkspace();
             testWsp.getNamespaceRegistry().registerNamespace(getNewNamespacePrefix(testWsp), getNewNamespaceURI(testWsp));
             fail("Namespace registration should be denied.");
         } catch (AccessDeniedException e) {
@@ -96,16 +94,16 @@ public class NamespaceManagementTest ext
     @Test
     public void testRegisterNamespaceWithPrivilege() throws Exception {
         modify(null, JCR_NAMESPACE_MANAGEMENT.toString(), true);
-        assertPrivilege(null, JCR_NAMESPACE_MANAGEMENT, true);
+        assertHasPrivilege(null, JCR_NAMESPACE_MANAGEMENT, true);
 
         try {
-            Workspace testWsp = getTestSession().getWorkspace();
+            Workspace testWsp = testSession.getWorkspace();
             testWsp.getNamespaceRegistry().registerNamespace(getNewNamespacePrefix(testWsp), getNewNamespaceURI(testWsp));
         } finally {
             modify(null, JCR_NAMESPACE_MANAGEMENT.toString(), false);
         }
 
-        assertPrivilege(null, JCR_NAMESPACE_MANAGEMENT, false);
+        assertHasPrivilege(null, JCR_NAMESPACE_MANAGEMENT, false);
     }
 
     @Test
@@ -115,7 +113,7 @@ public class NamespaceManagementTest ext
         wsp.getNamespaceRegistry().registerNamespace(pfx, getNewNamespaceURI(wsp));
 
         try {
-            Workspace testWsp = getTestSession().getWorkspace();
+            Workspace testWsp = testSession.getWorkspace();
             testWsp.getNamespaceRegistry().unregisterNamespace(pfx);
             fail("Namespace unregistration should be denied.");
         } catch (AccessDeniedException e) {

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeDefinitionManagementTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeDefinitionManagementTest.java?rev=1437562&r1=1437561&r2=1437562&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeDefinitionManagementTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeDefinitionManagementTest.java Wed Jan 23 16:52:29 2013
@@ -29,8 +29,6 @@ import org.junit.Test;
 
 /**
  * NodeTypeDefinitionManagementTest... TODO
- *
- * copied from jr2x RepositoryOperationTest
  */
 @Ignore("OAK-51")
 public class NodeTypeDefinitionManagementTest extends AbstractEvaluationTest {
@@ -41,7 +39,7 @@ public class NodeTypeDefinitionManagemen
     protected void setUp() throws Exception {
         super.setUp();
 
-        assertPrivilege(null, JCR_NODE_TYPE_DEFINITION_MANAGEMENT, false);
+        assertHasPrivilege(null, JCR_NODE_TYPE_DEFINITION_MANAGEMENT, false);
     }
 
     @Override
@@ -59,7 +57,7 @@ public class NodeTypeDefinitionManagemen
 
     @Test
     public void testRegisterNodeType() throws Exception {
-        Workspace testWsp = getTestSession().getWorkspace();
+        Workspace testWsp = testSession.getWorkspace();
         NodeTypeManager ntm = testWsp.getNodeTypeManager();
         NodeTypeTemplate ntd = ntm.createNodeTypeTemplate();
         ntd.setName("testNodeType");
@@ -101,10 +99,10 @@ public class NodeTypeDefinitionManagemen
     @Test
     public void testRegisterNodeTypeWithPrivilege() throws Exception {
         modify(null, JCR_NODE_TYPE_DEFINITION_MANAGEMENT.toString(), true);
-        assertPrivilege(null, JCR_NODE_TYPE_DEFINITION_MANAGEMENT, true);
+        assertHasPrivilege(null, JCR_NODE_TYPE_DEFINITION_MANAGEMENT, true);
 
         try {
-            Workspace testWsp = getTestSession().getWorkspace();
+            Workspace testWsp = testSession.getWorkspace();
             NodeTypeManager ntm = testWsp.getNodeTypeManager();
             NodeTypeTemplate ntd = ntm.createNodeTypeTemplate();
             ntd.setName("testNodeType");
@@ -121,7 +119,7 @@ public class NodeTypeDefinitionManagemen
             modify(null, JCR_NODE_TYPE_DEFINITION_MANAGEMENT.toString(), false);
         }
 
-        assertPrivilege(null, JCR_NODE_TYPE_DEFINITION_MANAGEMENT, false);
+        assertHasPrivilege(null, JCR_NODE_TYPE_DEFINITION_MANAGEMENT, false);
     }
 
     @Test
@@ -132,7 +130,7 @@ public class NodeTypeDefinitionManagemen
         ntd.setMixin(true);
         ntm.registerNodeType(ntd, true);
 
-        Workspace testWsp = getTestSession().getWorkspace();
+        Workspace testWsp = testSession.getWorkspace();
         try {
             try {
                 NodeTypeManager testNtm = testWsp.getNodeTypeManager();

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeManagementTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeManagementTest.java?rev=1437562&r1=1437561&r2=1437562&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeManagementTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/NodeTypeManagementTest.java Wed Jan 23 16:52:29 2013
@@ -21,7 +21,6 @@ import java.io.InputStream;
 import javax.jcr.AccessDeniedException;
 import javax.jcr.ImportUUIDBehavior;
 import javax.jcr.Node;
-import javax.jcr.Session;
 import javax.jcr.Workspace;
 import javax.jcr.security.Privilege;
 
@@ -32,8 +31,6 @@ import org.junit.Test;
 
 /**
  * NodeTypeManagementTest... TODO
- *
- * copied from jr2.x NodeTypeTest
  */
 @Ignore("OAK-51")
 public class NodeTypeManagementTest extends AbstractEvaluationTest {
@@ -52,14 +49,14 @@ public class NodeTypeManagementTest exte
         }
         superuser.save();
         
-        mixinName = getTestSession().getNamespacePrefix(NS_MIX_URI) + ":referenceable";
-        childNode = getTestSession().getNode(child.getPath());
+        mixinName = testSession.getNamespacePrefix(NS_MIX_URI) + ":referenceable";
+        childNode = testSession.getNode(child.getPath());
+
+        assertReadOnly(childNode.getPath());
     }
 
     @Test
     public void testCanAddMixin() throws Exception {
-        checkReadOnly(childNode.getPath());
-
         assertFalse(childNode.canAddMixin(mixinName));
 
         modify(childNode.getPath(), Privilege.JCR_NODE_TYPE_MANAGEMENT, true);
@@ -71,8 +68,6 @@ public class NodeTypeManagementTest exte
 
     @Test
     public void testAddMixin() throws Exception {
-        checkReadOnly(childNode.getPath());
-
         try {
             childNode.addMixin(mixinName);
             superuser.save();
@@ -91,8 +86,6 @@ public class NodeTypeManagementTest exte
         ((Node) superuser.getItem(childNode.getPath())).addMixin(mixinName);
         superuser.save();
 
-        checkReadOnly(childNode.getPath());
-
         try {
             childNode.removeMixin(mixinName);
             superuser.save();
@@ -116,15 +109,13 @@ public class NodeTypeManagementTest exte
         superuser.save();
 
         try {
-            checkReadOnly(childNode.getPath());
-
             try {
                 childNode.setPrimaryType(ntName);
                 superuser.save();
                 fail("TestSession does not have sufficient privileges to change the primary type.");
             } catch (AccessDeniedException e) {
                 // success
-                getTestSession().refresh(false); // TODO: see JCR-1916
+                testSession.refresh(false); // TODO: see JCR-1916
             }
 
             modify(childNode.getPath(), Privilege.JCR_NODE_TYPE_MANAGEMENT, true);
@@ -146,8 +137,6 @@ public class NodeTypeManagementTest exte
      */
     @Test
     public void testAddNode() throws Exception {
-        checkReadOnly(childNode.getPath());
-
         // with simple write privilege a child node can be added BUT no
         // node type must be specified.
         modify(childNode.getPath(), Privilege.JCR_WRITE, true);
@@ -180,12 +169,11 @@ public class NodeTypeManagementTest exte
 
     @Test
     public void testCopy() throws Exception {
-        Workspace wsp = getTestSession().getWorkspace();
+        Workspace wsp = testSession.getWorkspace();
         String parentPath = childNode.getParent().getPath();
         String srcPath = childNode.getPath();
         String destPath = parentPath + '/' + nodeName3;
 
-        checkReadOnly(parentPath);
         try {
             wsp.copy(srcPath, destPath);
             fail("Missing write privilege.");
@@ -209,12 +197,11 @@ public class NodeTypeManagementTest exte
 
     @Test
     public void testWorkspaceMove() throws Exception {
-        Workspace wsp = getTestSession().getWorkspace();
+        Workspace wsp = testSession.getWorkspace();
         String parentPath = childNode.getParent().getPath();
         String srcPath = childNode.getPath();
         String destPath = parentPath + '/' + nodeName3;
 
-        checkReadOnly(parentPath);
         try {
             wsp.move(srcPath, destPath);
             fail("Missing write privilege.");
@@ -238,15 +225,13 @@ public class NodeTypeManagementTest exte
 
     @Test
     public void testSessionMove() throws Exception {
-        Session s = getTestSession();
         String parentPath = childNode.getParent().getPath();
         String srcPath = childNode.getPath();
         String destPath = parentPath + '/' + nodeName3;
 
-        checkReadOnly(parentPath);
         try {
-            s.move(srcPath, destPath);
-            s.save();
+            testSession.move(srcPath, destPath);
+            testSession.save();
             fail("Missing write privilege.");
         } catch (AccessDeniedException e) {
             // success
@@ -255,8 +240,8 @@ public class NodeTypeManagementTest exte
         // with simple write privilege moving a node is not allowed.
         modify(parentPath, Privilege.JCR_WRITE, true);
         try {
-            s.move(srcPath, destPath);
-            s.save();
+            testSession.move(srcPath, destPath);
+            testSession.save();
             fail("Missing privilege jcr:nodeTypeManagement.");
         } catch (AccessDeniedException e) {
             // success
@@ -264,50 +249,46 @@ public class NodeTypeManagementTest exte
 
         // adding jcr:nodeTypeManagement privilege will grant permission to move.
         modify(parentPath, REP_WRITE, true);
-        s.move(srcPath, destPath);
-        s.save();
+        testSession.move(srcPath, destPath);
+        testSession.save();
     }
 
     @Test
     public void testSessionImportXML() throws Exception {
-        Session s = getTestSession();
         String parentPath = childNode.getPath();
-
-        checkReadOnly(parentPath);
         try {
-            s.importXML(parentPath, getXmlForImport(), ImportUUIDBehavior.IMPORT_UUID_CREATE_NEW);
-            s.save();
+            testSession.importXML(parentPath, getXmlForImport(), ImportUUIDBehavior.IMPORT_UUID_CREATE_NEW);
+            testSession.save();
             fail("Missing write privilege.");
         } catch (AccessDeniedException e) {
             // success
         } finally {
-            s.refresh(false);
+            testSession.refresh(false);
         }
 
         // with simple write privilege moving a node is not allowed.
         modify(parentPath, Privilege.JCR_WRITE, true);
         try {
-            s.importXML(parentPath, getXmlForImport(), ImportUUIDBehavior.IMPORT_UUID_CREATE_NEW);
-            s.save();
+            testSession.importXML(parentPath, getXmlForImport(), ImportUUIDBehavior.IMPORT_UUID_CREATE_NEW);
+            testSession.save();
             fail("Missing privilege jcr:nodeTypeManagement.");
         } catch (AccessDeniedException e) {
             // success
         } finally {
-            s.refresh(false);
+            testSession.refresh(false);
         }
 
         // adding jcr:nodeTypeManagement privilege will grant permission to move.
         modify(parentPath, REP_WRITE, true);
-        s.importXML(parentPath, getXmlForImport(), ImportUUIDBehavior.IMPORT_UUID_CREATE_NEW);
-        s.save();
+        testSession.importXML(parentPath, getXmlForImport(), ImportUUIDBehavior.IMPORT_UUID_CREATE_NEW);
+        testSession.save();
     }
 
     @Test
     public void testWorkspaceImportXML() throws Exception {
-        Workspace wsp = getTestSession().getWorkspace();
+        Workspace wsp = testSession.getWorkspace();
         String parentPath = childNode.getPath();
 
-        checkReadOnly(parentPath);
         try {
             wsp.importXML(parentPath, getXmlForImport(), ImportUUIDBehavior.IMPORT_UUID_CREATE_NEW);
             fail("Missing write privilege.");

Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java?rev=1437562&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java (added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java Wed Jan 23 16:52:29 2013
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import javax.jcr.observation.Event;
+import javax.jcr.observation.ObservationManager;
+
+import org.apache.jackrabbit.test.api.observation.EventResult;
+import org.junit.Ignore;
+import org.junit.Test;
+
+/**
+ * ObservationTest... TODO
+ */
+@Ignore("OAK-51")
+public class ObservationTest extends AbstractEvaluationTest {
+
+    private static final long DEFAULT_WAIT_TIMEOUT = 5000;
+
+    @Test
+    public void testEventGeneration() throws Exception {
+        // withdraw the READ privilege
+        deny(path, readPrivileges);
+
+        // testUser registers a event listener for 'path
+        ObservationManager obsMgr = testSession.getWorkspace().getObservationManager();
+        EventResult listener = new EventResult(this.log);
+        try {
+            obsMgr.addEventListener(listener, Event.NODE_REMOVED, path, true, new String[0], new String[0], true);
+
+            // superuser removes the node with childNPath in order to provoke
+            // events being generated
+            superuser.getItem(childNPath).remove();
+            superuser.save();
+
+            obsMgr.removeEventListener(listener);
+            // since the testUser does not have read-permission on the removed
+            // node, no corresponding event must be generated.
+            Event[] evts = listener.getEvents(DEFAULT_WAIT_TIMEOUT);
+            for (Event evt : evts) {
+                if (evt.getType() == Event.NODE_REMOVED &&
+                        evt.getPath().equals(childNPath)) {
+                    fail("TestUser does not have READ permission below " + path + " -> events below must not show up.");
+                }
+            }
+        } finally {
+            obsMgr.removeEventListener(listener);
+        }
+    }
+}
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java?rev=1437562&r1=1437561&r2=1437562&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/PrivilegeManagementTest.java Wed Jan 23 16:52:29 2013
@@ -30,8 +30,6 @@ import org.junit.Test;
 
 /**
  * PrivilegeManagementTest... TODO
- *
- * copied from jr2x RepositoryOperationTest
  */
 @Ignore("OAK-51")
 public class PrivilegeManagementTest extends AbstractEvaluationTest {
@@ -43,7 +41,7 @@ public class PrivilegeManagementTest ext
         super.setUp();
 
         // test user must not be allowed
-        assertPrivilege(null, REP_PRIVILEGE_MANAGEMENT, false);
+        assertHasPrivilege(null, REP_PRIVILEGE_MANAGEMENT, false);
     }
 
     @Override
@@ -79,7 +77,7 @@ public class PrivilegeManagementTest ext
     @Test
     public void testRegisterPrivilege() throws Exception {
         try {
-            Workspace testWsp = getTestSession().getWorkspace();
+            Workspace testWsp = testSession.getWorkspace();
             ((JackrabbitWorkspace) testWsp).getPrivilegeManager().registerPrivilege(getNewPrivilegeName(testWsp), false, new String[0]);
             fail("Privilege registration should be denied.");
         } catch (AccessDeniedException e) {
@@ -90,14 +88,14 @@ public class PrivilegeManagementTest ext
     @Test
     public void testRegisterPrivilegeWithPrivilege() throws Exception {
         modify(null, REP_PRIVILEGE_MANAGEMENT, true);
-        assertPrivilege(null, REP_PRIVILEGE_MANAGEMENT, true);
+        assertHasPrivilege(null, REP_PRIVILEGE_MANAGEMENT, true);
 
         try {
-            Workspace testWsp = getTestSession().getWorkspace();
+            Workspace testWsp = testSession.getWorkspace();
             ((JackrabbitWorkspace) testWsp).getPrivilegeManager().registerPrivilege(getNewPrivilegeName(testWsp), false, new String[0]);        } finally {
             modify(null, REP_PRIVILEGE_MANAGEMENT, false);
         }
 
-        assertPrivilege(null, REP_PRIVILEGE_MANAGEMENT, false);
+        assertHasPrivilege(null, REP_PRIVILEGE_MANAGEMENT, false);
     }
 }
\ No newline at end of file

Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadTest.java?rev=1437562&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadTest.java (added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadTest.java Wed Jan 23 16:52:29 2013
@@ -0,0 +1,322 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import javax.jcr.Node;
+import javax.jcr.PathNotFoundException;
+import javax.jcr.Session;
+
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.junit.Ignore;
+import org.junit.Test;
+
+import static org.junit.Assert.assertArrayEquals;
+
+/**
+ * ReadTest... TODO
+ */
+@Ignore("OAK-51")
+public class ReadTest extends AbstractEvaluationTest {
+
+    @Test
+    public void testNewNodes() throws Exception {
+        /* create some new nodes below 'path' */
+        Node n = superuser.getNode(path);
+        for (int i = 0; i < 5; i++) {
+            n = n.addNode(nodeName2, testNodeType);
+        }
+        superuser.save();
+
+        /* make sure the same privileges/permissions are granted as at path. */
+        String childPath = n.getPath();
+        assertArrayEquals(readPrivileges, testAcMgr.getPrivileges(childPath));
+        testSession.checkPermission(childPath, Session.ACTION_READ);
+    }
+
+    @Test
+    public void testNonExistingItem() throws Exception {
+        /*
+          precondition:
+          testuser must have READ-only permission on the root node and below
+        */
+        String rootPath = testSession.getRootNode().getPath();
+        assertReadOnly(rootPath);
+        testSession.checkPermission(rootPath + "nonExistingItem", Session.ACTION_READ);
+    }
+
+    @Test
+    public void testDeniedReadOnSubTree() throws Exception, InterruptedException {
+        // withdraw READ privilege to 'testUser' at 'path'
+        deny(childNPath, readPrivileges);
+        /*
+         testuser must now have
+         - READ-only permission at path
+         - READ-only permission for the child-props of path
+
+         testuser must not have
+         - any permission on child-node and all its subtree
+        */
+
+        // must still have read-access to path, ...
+        assertTrue(testSession.hasPermission(path, Session.ACTION_READ));
+        Node n = testSession.getNode(path);
+        // ... siblings of childN
+        testSession.getNode(childNPath2);
+        // ... and props of path
+        assertTrue(n.getProperties().hasNext());
+
+        //testSession must not have access to 'childNPath'
+        assertFalse(testSession.itemExists(childNPath));
+        try {
+            testSession.getNode(childNPath);
+            fail("Read access has been denied -> cannot retrieve child node.");
+        } catch (PathNotFoundException e) {
+            // ok.
+        }
+        /*
+        -> must not have access to subtree below 'childNPath'
+        */
+        assertFalse(testSession.itemExists(childchildPPath));
+        try {
+            testSession.getItem(childchildPPath);
+            fail("Read access has been denied -> cannot retrieve prop below child node.");
+        } catch (PathNotFoundException e) {
+            // ok.
+        }
+    }
+
+    @Test
+    public void testAllowWriteDenyRead() throws Exception {
+        // allow 'testUser' to write at 'path'
+        allow(path, repWritePrivileges);
+        // deny read access
+        deny(path, readPrivileges);
+
+        // testuser must not be able to access that node
+        assertFalse(testSession.nodeExists(path));
+    }
+
+    @Test
+    public void testReadDenied() throws Exception {
+        /* deny READ privilege for testUser at 'path' */
+        deny(path, readPrivileges);
+        /*
+         allow READ privilege for testUser at 'childNPath'
+         */
+        allow(childNPath, readPrivileges);
+
+        assertFalse(testSession.nodeExists(path));
+        assertTrue(testSession.nodeExists(childNPath));
+        Node n = testSession.getNode(childNPath);
+        n.getDefinition();
+    }
+
+    @Test
+    public void testDenyUserAllowGroup() throws Exception {
+        /*
+         deny READ privilege for testUser at 'path'
+         */
+        deny(path, testUser.getPrincipal(), readPrivileges);
+        /*
+         allow READ privilege for group at 'path'
+         */
+        allow(path, getTestGroup().getPrincipal(), readPrivileges);
+
+        assertFalse(testSession.nodeExists(path));
+    }
+
+    @Test
+    public void testAllowGroupDenyUser() throws Exception {
+        /*
+        allow READ privilege for group at 'path'
+        */
+        allow(path, getTestGroup().getPrincipal(), readPrivileges);
+        /*
+        deny READ privilege for testUser at 'path'
+        */
+        deny(path, testUser.getPrincipal(), readPrivileges);
+
+        assertFalse(testSession.nodeExists(path));
+    }
+
+    @Test
+    public void testAllowUserDenyGroup() throws Exception {
+        /*
+         allow READ privilege for testUser at 'path'
+         */
+        allow(path, testUser.getPrincipal(), readPrivileges);
+        /*
+         deny READ privilege for group at 'path'
+         */
+        deny(path, getTestGroup().getPrincipal(), readPrivileges);
+
+        assertTrue(testSession.nodeExists(path));
+    }
+
+    @Test
+    public void testDenyGroupAllowUser() throws Exception {
+        /*
+         deny READ privilege for group at 'path'
+         */
+        deny(path, getTestGroup().getPrincipal(), readPrivileges);
+
+        /*
+         allow READ privilege for testUser at 'path'
+         */
+        allow(path, testUser.getPrincipal(), readPrivileges);
+
+        assertTrue(testSession.nodeExists(path));
+    }
+
+    @Test
+    public void testDenyGroupAllowEveryone() throws Exception {
+        /*
+         deny READ privilege for group at 'path'
+         */
+        deny(path, getTestGroup().getPrincipal(), readPrivileges);
+
+        /*
+         allow READ privilege for everyone at 'path'
+         */
+        allow(path, EveryonePrincipal.getInstance(), readPrivileges);
+
+        assertTrue(testSession.nodeExists(path));
+    }
+
+    @Test
+    public void testAllowEveryoneDenyGroup() throws Exception {
+        /*
+         allow READ privilege for everyone at 'path'
+         */
+        allow(path, EveryonePrincipal.getInstance(), readPrivileges);
+
+        /*
+         deny READ privilege for group at 'path'
+         */
+        deny(path, getTestGroup().getPrincipal(), readPrivileges);
+
+        assertFalse(testSession.nodeExists(path));
+    }
+
+    @Test
+    public void testDenyGroupPathAllowEveryoneChildPath() throws Exception {
+        /*
+         deny READ privilege for group at 'path'
+         */
+        deny(path, getTestGroup().getPrincipal(), readPrivileges);
+
+        /*
+         allow READ privilege for everyone at 'childNPath'
+         */
+        allow(path, EveryonePrincipal.getInstance(), readPrivileges);
+
+        assertTrue(testSession.nodeExists(childNPath));
+    }
+
+    @Test
+    public void testAllowEveryonePathDenyGroupChildPath() throws Exception {
+        /*
+         allow READ privilege for everyone at 'path'
+         */
+        allow(path, EveryonePrincipal.getInstance(), readPrivileges);
+
+        /*
+         deny READ privilege for group at 'childNPath'
+         */
+        deny(path, getTestGroup().getPrincipal(), readPrivileges);
+
+        assertFalse(testSession.nodeExists(childNPath));
+    }
+
+    @Test
+    public void testAllowUserPathDenyGroupChildPath() throws Exception {
+        /*
+         allow READ privilege for testUser at 'path'
+         */
+        allow(path, testUser.getPrincipal(), readPrivileges);
+        /*
+         deny READ privilege for group at 'childPath'
+         */
+        deny(path, getTestGroup().getPrincipal(), readPrivileges);
+
+        assertTrue(testSession.nodeExists(childNPath));
+    }
+
+    @Test
+    public void testDenyGroupPathAllowUserChildPath() throws Exception {
+        /*
+         deny READ privilege for group at 'path'
+         */
+        deny(path, getTestGroup().getPrincipal(), readPrivileges);
+
+        /*
+         allow READ privilege for testUser at 'childNPath'
+         */
+        allow(path, testUser.getPrincipal(), readPrivileges);
+
+        assertTrue(testSession.nodeExists(childNPath));
+    }
+
+    @Test
+    public void testDenyUserPathAllowGroupChildPath() throws Exception {
+        /*
+         deny READ privilege for testUser at 'path'
+         */
+        deny(path, testUser.getPrincipal(), readPrivileges);
+        /*
+         allow READ privilege for group at 'childNPath'
+         */
+        allow(path, getTestGroup().getPrincipal(), readPrivileges);
+
+        assertFalse(testSession.nodeExists(childNPath));
+    }
+
+    @Test
+    public void testAllowGroupPathDenyUserChildPath() throws Exception {
+        /*
+        allow READ privilege for the group at 'path'
+        */
+        allow(path, getTestGroup().getPrincipal(), readPrivileges);
+        /*
+        deny READ privilege for testUser at 'childNPath'
+        */
+        deny(path, testUser.getPrincipal(), readPrivileges);
+
+        assertFalse(testSession.nodeExists(childNPath));
+    }
+
+    @Test
+    public void testGlobRestriction() throws Exception {
+        deny(path, readPrivileges, createGlobRestriction("*/" + jcrPrimaryType));
+
+        assertTrue(testAcMgr.hasPrivileges(path, readPrivileges));
+        assertTrue(testSession.hasPermission(path, javax.jcr.Session.ACTION_READ));
+        testSession.getNode(path);
+
+        assertTrue(testAcMgr.hasPrivileges(childNPath, readPrivileges));
+        assertTrue(testSession.hasPermission(childNPath, javax.jcr.Session.ACTION_READ));
+        testSession.getNode(childNPath);
+
+        String propPath = path + '/' + jcrPrimaryType;
+        assertFalse(testSession.hasPermission(propPath, javax.jcr.Session.ACTION_READ));
+        assertFalse(testSession.propertyExists(propPath));
+
+        propPath = childNPath + '/' + jcrPrimaryType;
+        assertFalse(testSession.hasPermission(propPath, javax.jcr.Session.ACTION_READ));
+        assertFalse(testSession.propertyExists(propPath));
+    }
+}
\ No newline at end of file



Mime
View raw message