jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1468422 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
Date Tue, 16 Apr 2013 14:06:21 GMT
Author: angela
Date: Tue Apr 16 14:06:21 2013
New Revision: 1468422

URL: http://svn.apache.org/r1468422
Log:
OAK-527: permissions (wip, tests)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1468422&r1=1468421&r2=1468422&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
Tue Apr 16 14:06:21 2013
@@ -126,14 +126,14 @@ public class AccessControlManagerImpl im
     }
 
     @Override
-    public boolean hasPrivileges(@Nullable String absPath, @Nonnull Privilege[] privileges)
throws RepositoryException {
-        return hasPrivileges(absPath, privileges, getPermissionProvider());
+    public boolean hasPrivileges(@Nullable String absPath, @Nullable Privilege[] privileges)
throws RepositoryException {
+        return hasPrivileges(absPath, privileges, getPermissionProvider(), Permissions.NO_PERMISSION);
     }
 
     @Nonnull
     @Override
     public Privilege[] getPrivileges(@Nullable String absPath) throws RepositoryException
{
-        return getPrivileges(absPath, getPermissionProvider());
+        return getPrivileges(absPath, getPermissionProvider(), Permissions.NO_PERMISSION);
     }
 
     @Nonnull
@@ -316,15 +316,31 @@ public class AccessControlManagerImpl im
     }
 
     @Override
-    public boolean hasPrivileges(@Nullable String absPath, @Nonnull Set<Principal>
principals, @Nonnull Privilege[] privileges) throws RepositoryException {
-        PermissionProvider provider = acConfig.getPermissionProvider(root, principals);
-        return hasPrivileges(absPath, privileges, provider);
+    public boolean hasPrivileges(@Nullable String absPath, @Nonnull Set<Principal>
principals, @Nullable Privilege[] privileges) throws RepositoryException {
+        if (getPrincipals().equals(principals)) {
+            return hasPrivileges(absPath, privileges);
+        } else {
+            PermissionProvider provider = acConfig.getPermissionProvider(root, principals);
+            try {
+                return hasPrivileges(absPath, privileges, provider, Permissions.READ_ACCESS_CONTROL);
+            } finally {
+                provider = null;
+            }
+        }
     }
 
     @Override
     public Privilege[] getPrivileges(@Nullable String absPath, @Nonnull Set<Principal>
principals) throws RepositoryException {
-        PermissionProvider provider = acConfig.getPermissionProvider(root, principals);
-        return getPrivileges(absPath, provider);
+        if (getPrincipals().equals(principals)) {
+            return getPrivileges(absPath);
+        } else {
+            PermissionProvider provider = acConfig.getPermissionProvider(root, principals);
+            try {
+                return getPrivileges(absPath, provider, Permissions.READ_ACCESS_CONTROL);
+            } finally {
+                provider = null;
+            }
+        }
     }
 
     //------------------------------------------------------------< private >---
@@ -348,9 +364,8 @@ public class AccessControlManagerImpl im
             throw new PathNotFoundException("No tree at " + oakPath);
         }
         if (permissions != Permissions.NO_PERMISSION) {
-            if (!getPermissionProvider().isGranted(tree, null, permissions)) {
-                throw new AccessDeniedException("Access denied at " + tree);
-            }
+            // check permissions
+            checkPermissions((oakPath == null) ? null : tree, permissions);
             // check if the tree is access controlled
             if (acConfig.getContext().definesTree(tree)) {
                 throw new AccessControlException("Tree " + tree.getPath() + " defines access
control content.");
@@ -360,6 +375,18 @@ public class AccessControlManagerImpl im
         return tree;
     }
 
+    private void checkPermissions(@Nullable Tree tree, long permissions) throws AccessDeniedException
{
+        boolean isGranted;
+        if (tree == null) {
+            isGranted = getPermissionProvider().isGranted(permissions);
+        } else {
+            isGranted = getPermissionProvider().isGranted(tree, null, permissions);
+        }
+        if (!isGranted) {
+            throw new AccessDeniedException("Access denied.");
+        }
+    }
+
     private static void checkValidPolicy(@Nullable String oakPath, @Nonnull AccessControlPolicy
policy) throws AccessControlException {
         if (policy instanceof ACL) {
             String path = ((ACL) policy).getOakPath();
@@ -509,9 +536,14 @@ public class AccessControlManagerImpl im
     }
 
     @Nonnull
+    private Set<Principal> getPrincipals() {
+        return root.getContentSession().getAuthInfo().getPrincipals();
+    }
+
+    @Nonnull
     private PermissionProvider getPermissionProvider() {
         if (permissionProvider == null) {
-            permissionProvider = acConfig.getPermissionProvider(root, root.getContentSession().getAuthInfo().getPrincipals());
+            permissionProvider = acConfig.getPermissionProvider(root, getPrincipals());
         } else {
             permissionProvider.refresh();
         }
@@ -529,8 +561,17 @@ public class AccessControlManagerImpl im
     }
 
     @Nonnull
-    private Privilege[] getPrivileges(@Nullable String absPath, @Nonnull PermissionProvider
provider) throws RepositoryException {
-        Tree tree = (absPath == null) ? null : getTree(getOakPath(absPath), Permissions.NO_PERMISSION);
+    private Privilege[] getPrivileges(@Nullable String absPath, @Nonnull PermissionProvider
provider,
+                                      long permissions) throws RepositoryException {
+        Tree tree;
+        if (absPath == null) {
+            tree = null;
+            if (permissions != Permissions.NO_PERMISSION) {
+                checkPermissions(null, permissions);
+            }
+        } else {
+            tree = getTree(getOakPath(absPath), permissions);
+        }
         Set<String> pNames = provider.getPrivileges(tree);
         if (pNames.isEmpty()) {
             return new Privilege[0];
@@ -543,14 +584,28 @@ public class AccessControlManagerImpl im
         }
     }
 
-    private boolean hasPrivileges(@Nullable String absPath, @Nonnull Privilege[] privileges,
-                                  @Nonnull PermissionProvider provider) throws RepositoryException
{
-        Tree tree = (absPath == null) ? null : getTree(getOakPath(absPath), Permissions.NO_PERMISSION);
-        Set<String> privilegeNames = new HashSet<String>(privileges.length);
-        for (Privilege privilege : privileges) {
-            privilegeNames.add(namePathMapper.getOakName(privilege.getName()));
+    private boolean hasPrivileges(@Nullable String absPath, @Nullable Privilege[] privileges,
+                                  @Nonnull PermissionProvider provider, long permissions)
throws RepositoryException {
+        Tree tree;
+        if (absPath == null) {
+            tree = null;
+            if (permissions != Permissions.NO_PERMISSION) {
+                checkPermissions(null, permissions);
+            }
+        } else {
+            tree = getTree(getOakPath(absPath), permissions);
+        }
+        if (privileges == null || privileges.length == 0) {
+            // null or empty privilege array -> return true
+            log.debug("No privileges passed -> allowed.");
+            return true;
+        } else {
+            Set<String> privilegeNames = new HashSet<String>(privileges.length);
+            for (Privilege privilege : privileges) {
+                privilegeNames.add(namePathMapper.getOakName(privilege.getName()));
+            }
+            return provider.hasPrivileges(tree, privilegeNames.toArray(new String[privilegeNames.size()]));
         }
-        return (privilegeNames.isEmpty()) || provider.hasPrivileges(tree, privilegeNames.toArray(new
String[privilegeNames.size()]));
     }
 
     @CheckForNull

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java?rev=1468422&r1=1468421&r2=1468422&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
Tue Apr 16 14:06:21 2013
@@ -23,10 +23,13 @@ import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import javax.annotation.Nonnull;
+import javax.jcr.AccessDeniedException;
 import javax.jcr.NamespaceRegistry;
 import javax.jcr.PathNotFoundException;
 import javax.jcr.RepositoryException;
+import javax.jcr.SimpleCredentials;
 import javax.jcr.Value;
 import javax.jcr.ValueFactory;
 import javax.jcr.security.AccessControlEntry;
@@ -37,10 +40,14 @@ import javax.jcr.security.AccessControlP
 import javax.jcr.security.Privilege;
 
 import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.oak.TestNameMapper;
+import org.apache.jackrabbit.oak.api.ContentSession;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.namepath.NameMapper;
@@ -48,7 +55,6 @@ import org.apache.jackrabbit.oak.namepat
 import org.apache.jackrabbit.oak.namepath.NamePathMapperImpl;
 import org.apache.jackrabbit.oak.plugins.name.Namespaces;
 import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
-import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
@@ -69,15 +75,17 @@ import static org.junit.Assert.assertTru
 import static org.junit.Assert.fail;
 
 /**
- * AccessControlManagerImplTest... TODO
+ * Tests for the default {@code AccessControlManager} implementation.
  */
 public class AccessControlManagerImplTest extends AbstractAccessControlTest implements AccessControlConstants
{
 
     private final String testName = TestNameMapper.TEST_PREFIX + ":testRoot";
     private final String testPath = '/' + testName;
+    private final String testUserId = "test";
 
     private Principal testPrincipal;
     private Privilege[] testPrivileges;
+    private Root testRoot;
 
     private TestNameMapper nameMapper;
     private NamePathMapper npMapper;
@@ -99,18 +107,33 @@ public class AccessControlManagerImplTes
 
         NodeUtil rootNode = new NodeUtil(root.getTree("/"), npMapper);
         rootNode.addChild(testName, JcrConstants.NT_UNSTRUCTURED);
-        root.commit();
 
-        // TODO
-        testPrincipal = new PrincipalImpl("admin");
+        User user = getUserManager().createUser(testUserId, testUserId);
+        testPrincipal = user.getPrincipal();
         testPrivileges = privilegesFromNames(Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_READ);
+
+        root.commit();
     }
 
     @After
     public void after() throws Exception {
-        root.refresh();
-        root.getTree(testPath).remove();
-        root.commit();
+        try {
+            root.refresh();
+            root.getTree(testPath).remove();
+
+            Authorizable testUser = getUserManager().getAuthorizable(testUserId);
+            if (testUser != null) {
+                testUser.remove();
+            }
+            root.commit();
+
+            if (testRoot != null) {
+                testRoot.getContentSession().close();
+                testRoot = null;
+            }
+        } finally {
+            super.after();
+        }
     }
 
     @Override
@@ -122,6 +145,17 @@ public class AccessControlManagerImplTes
         return new AccessControlManagerImpl(root, npMapper, getSecurityProvider());
     }
 
+    private Root getTestRoot() throws Exception {
+        if (testRoot == null) {
+            testRoot = login(new SimpleCredentials(testUserId, testUserId.toCharArray())).getLatestRoot();
+        }
+        return testRoot;
+    }
+
+    private AccessControlManagerImpl getTestAccessControlManager() throws Exception {
+        return new AccessControlManagerImpl(getTestRoot(), getNamePathMapper(), getSecurityProvider());
+    }
+
     private NamePathMapper getLocalNamePathMapper() {
         NameMapper remapped = new TestNameMapper(nameMapper, TestNameMapper.LOCAL_MAPPING);
         return new NamePathMapperImpl(remapped);
@@ -211,6 +245,10 @@ public class AccessControlManagerImplTes
         return acContentPath;
     }
 
+    private Set<Principal> getPrincipals(ContentSession session) {
+        return session.getAuthInfo().getPrincipals();
+    }
+
     //---------------------------------------------< getSupportedPrivileges >---
     @Test
     public void testGetSupportedPrivileges() throws Exception {
@@ -332,14 +370,360 @@ public class AccessControlManagerImplTes
 
     //------------------------------------------------------< hasPrivileges >---
     @Test
-    public void testHasPrivileges() throws Exception {
-        // TODO
+    public void testHasNullPrivileges() throws Exception {
+        assertTrue(acMgr.hasPrivileges(testPath, null));
+    }
+
+    @Test
+    public void testHasEmptyPrivileges() throws Exception {
+        assertTrue(acMgr.hasPrivileges(testPath, new Privilege[0]));
+    }
+
+    @Test
+    public void testHasPrivilegesForPropertyPath() throws Exception {
+        String propertyPath = "/jcr:primaryType";
+        Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+        try {
+            acMgr.hasPrivileges(propertyPath, privs);
+            fail("AccessControlManager#hasPrivileges for property should fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+
+        try {
+            acMgr.hasPrivileges(propertyPath, getPrincipals(adminSession), privs);
+            fail("AccessControlManager#hasPrivileges for property should fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testHasPrivilegesNonExistingNodePath() throws Exception {
+        String nonExistingPath = "/not/existing";
+        Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+        try {
+            acMgr.hasPrivileges(nonExistingPath, privs);
+            fail("AccessControlManager#hasPrivileges  for node that doesn't exist should
fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+        try {
+            acMgr.hasPrivileges(nonExistingPath, getPrincipals(adminSession), privs);
+            fail("AccessControlManager#hasPrivileges  for node that doesn't exist should
fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testHasPrivilegesInvalidPaths() throws Exception {
+        Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+        for (String path : getInvalidPaths()) {
+            try {
+                acMgr.hasPrivileges(path, privs);
+                fail("AccessControlManager#hasPrivileges  for node that doesn't exist should
fail.");
+            } catch (RepositoryException e) {
+                // success
+            }
+        }
+        for (String path : getInvalidPaths()) {
+            try {
+                acMgr.hasPrivileges(path, getPrincipals(adminSession), privs);
+                fail("AccessControlManager#hasPrivileges  for node that doesn't exist should
fail.");
+            } catch (RepositoryException e) {
+                // success
+            }
+        }
+    }
+
+    @Test
+    public void testHasPrivilegesAccessControlledNodePath() throws Exception {
+        Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+        for (String path : getAcContentPaths()) {
+            assertTrue(acMgr.hasPrivileges(path, privs));
+            assertTrue(acMgr.hasPrivileges(path, getPrincipals(adminSession), privs));
+        }
+    }
+
+    /**
+     * @since OAK 1.0 As of OAK AccessControlManager#hasPrivilege will throw
+     * PathNotFoundException in case the node associated with a given path is
+     * not readable to the editing session.
+     */
+    @Test
+    public void testHasPrivilegesNotAccessiblePath() throws Exception {
+        List<String> notAccessible = new ArrayList();
+        notAccessible.add("/");
+        notAccessible.addAll(getAcContentPaths());
+
+        Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+        AccessControlManagerImpl testAcMgr = getTestAccessControlManager();
+        for (String path : notAccessible) {
+            try {
+                testAcMgr.hasPrivileges(path, privs);
+                fail("AccessControlManager#hasPrivileges for node that is not accessible
should fail.");
+            } catch (PathNotFoundException e) {
+                // success
+            }
+        }
+        for (String path : notAccessible) {
+            try {
+                testAcMgr.hasPrivileges(path, getPrincipals(getTestRoot().getContentSession()),
privs);
+                fail("AccessControlManager#hasPrivileges for node that is not accessible
should fail.");
+            } catch (PathNotFoundException e) {
+                // success
+            }
+        }
+    }
+
+    @Test
+    public void testTestSessionHasPrivileges() throws Exception {
+        setupPolicy(testPath);
+        root.commit();
+
+        AccessControlManagerImpl testAcMgr = getTestAccessControlManager();
+
+        // granted privileges
+        List<Privilege[]> granted = new ArrayList<Privilege[]>();
+        granted.add(privilegesFromNames(PrivilegeConstants.JCR_READ));
+        granted.add(privilegesFromNames(PrivilegeConstants.REP_READ_NODES));
+        granted.add(privilegesFromNames(PrivilegeConstants.REP_READ_PROPERTIES));
+        granted.add(privilegesFromNames(PrivilegeConstants.JCR_ADD_CHILD_NODES));
+        granted.add(testPrivileges);
+
+        for (Privilege[] privileges : granted) {
+            assertTrue(testAcMgr.hasPrivileges(testPath, privileges));
+            assertTrue(testAcMgr.hasPrivileges(testPath, getPrincipals(getTestRoot().getContentSession()),
privileges));
+        }
+
+        // denied privileges
+        List<Privilege[]> denied = new ArrayList<Privilege[]>();
+        denied.add(privilegesFromNames(PrivilegeConstants.JCR_ALL));
+        denied.add(privilegesFromNames(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+        denied.add(privilegesFromNames(PrivilegeConstants.JCR_WRITE));
+        denied.add(privilegesFromNames(PrivilegeConstants.JCR_LOCK_MANAGEMENT));
+
+        for (Privilege[] privileges : denied) {
+            assertFalse(testAcMgr.hasPrivileges(testPath, privileges));
+            assertFalse(testAcMgr.hasPrivileges(testPath, getPrincipals(getTestRoot().getContentSession()),
privileges));
+        }
+    }
+
+    @Test
+    public void testTestSessionHasPrivilegesForPrincipals() throws Exception {
+        setupPolicy(testPath);
+        root.commit();
+
+        AccessControlManagerImpl testAcMgr = getTestAccessControlManager();
+        // but for 'admin' the test-session doesn't have sufficient privileges
+        try {
+            testAcMgr.getPrivileges(testPath, getPrincipals(adminSession));
+            fail("testSession doesn't have sufficient permission to read access control information
at testPath");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testHasRepoPrivileges() throws Exception {
+        assertTrue(acMgr.hasPrivileges(null, privilegesFromNames(PrivilegeConstants.JCR_ALL)));
+        assertTrue(acMgr.hasPrivileges(null, getPrincipals(adminSession), privilegesFromNames(PrivilegeConstants.JCR_ALL)));
+    }
+
+    @Test
+    public void testTestSessionHasRepoPrivileges() throws Exception {
+        AccessControlManagerImpl testAcMgr = getTestAccessControlManager();
+
+        assertFalse(testAcMgr.hasPrivileges(null, testPrivileges));
+        assertFalse(testAcMgr.hasPrivileges(null, getPrincipals(getTestRoot().getContentSession()),
testPrivileges));
+
+        // but for 'admin' the test-session doesn't have sufficient privileges
+        try {
+            testAcMgr.getPrivileges(null, getPrincipals(adminSession));
+            fail("testSession doesn't have sufficient permission to read access control information");
+        } catch (AccessDeniedException e) {
+            // success
+        }
     }
 
     //------------------------------------------------------< getPrivileges >---
     @Test
-    public void testGetPrivileges() throws Exception {
-        // TODO
+    public void testGetPrivilegesForPropertyPath() throws Exception {
+        String propertyPath = "/jcr:primaryType";
+        try {
+            acMgr.getPrivileges(propertyPath);
+            fail("AccessControlManager#getPrivileges for property should fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+
+        try {
+            acMgr.getPrivileges(propertyPath, Collections.singleton(testPrincipal));
+            fail("AccessControlManager#getPrivileges for property should fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testGetPrivilegesNonExistingNodePath() throws Exception {
+        String nonExistingPath = "/not/existing";
+        try {
+            acMgr.getPrivileges(nonExistingPath);
+            fail("AccessControlManager#getPrivileges  for node that doesn't exist should
fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+
+        try {
+            acMgr.getPrivileges(nonExistingPath, Collections.singleton(testPrincipal));
+            fail("AccessControlManager#getPrivileges  for node that doesn't exist should
fail.");
+        } catch (PathNotFoundException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testGetPrivilegesInvalidPaths() throws Exception {
+        for (String path : getInvalidPaths()) {
+            try {
+                acMgr.getPrivileges(path);
+                fail("AccessControlManager#getPrivileges  for node that doesn't exist should
fail.");
+            } catch (RepositoryException e) {
+                // success
+            }
+        }
+
+        for (String path : getInvalidPaths()) {
+            try {
+                acMgr.getPrivileges(path, Collections.singleton(testPrincipal));
+                fail("AccessControlManager#getPrivileges  for node that doesn't exist should
fail.");
+            } catch (RepositoryException e) {
+                // success
+            }
+        }
+    }
+
+    @Test
+    public void testGetPrivilegesAccessControlledNodePath() throws Exception {
+        Privilege[] expected = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+        for (String path : getAcContentPaths()) {
+            assertArrayEquals(expected, acMgr.getPrivileges(path));
+            assertArrayEquals(expected, acMgr.getPrivileges(path, getPrincipals(adminSession)));
+        }
+    }
+
+    /**
+     * @since OAK 1.0 As of OAK AccessControlManager#hasPrivilege will throw
+     * PathNotFoundException in case the node associated with a given path is
+     * not readable to the editing session.
+     */
+    @Test
+    public void testGetPrivilegesNotAccessiblePath() throws Exception {
+        List<String> notAccessible = new ArrayList();
+        notAccessible.add("/");
+        notAccessible.addAll(getAcContentPaths());
+
+        for (String path : notAccessible) {
+            try {
+                getTestAccessControlManager().getPrivileges(path);
+                fail("AccessControlManager#getPrivileges for node that is not accessible
should fail.");
+            } catch (PathNotFoundException e) {
+                // success
+            }
+        }
+
+        for (String path : notAccessible) {
+            try {
+                getTestAccessControlManager().getPrivileges(path, Collections.singleton(testPrincipal));
+                fail("AccessControlManager#getPrivileges for node that is not accessible
should fail.");
+            } catch (PathNotFoundException e) {
+                // success
+            }
+        }
+
+    }
+
+    /**
+     * // TODO review again
+     * @since OAK 1.0 : access to privileges needs read access to the corresponding tree.
+     */
+    @Test
+    public void testTestSessionGetPrivileges() throws Exception {
+        setupPolicy(testPath);
+        root.commit();
+
+        AccessControlManagerImpl testAcMgr = getTestAccessControlManager();
+        Set<Principal> testPrincipals = getPrincipals(getTestRoot().getContentSession());
+
+        // TODO: check again...
+        try {
+            testAcMgr.getPrivileges(testPath);
+            fail("no read access to the privilege store.");
+        } catch (AccessControlException e) {
+            // success
+        }
+        try {
+            getTestAccessControlManager().getPrivileges(testPath, testPrincipals);
+            fail("no read access to the privilege store.");
+        } catch (AccessControlException e) {
+            // success
+        }
+
+        // ensure readability of the privileges
+        try {
+            setupPolicy("/jcr:system");
+            root.commit();
+
+            getTestRoot().refresh();
+
+            assertArrayEquals(new Privilege[0], testAcMgr.getPrivileges(null));
+            assertArrayEquals(new Privilege[0], testAcMgr.getPrivileges(null, testPrincipals));
+
+            Privilege[] privs = testAcMgr.getPrivileges(testPath);
+            assertEquals(ImmutableSet.copyOf(testPrivileges), ImmutableSet.copyOf(privs));
+
+            privs = testAcMgr.getPrivileges(testPath, testPrincipals);
+            assertEquals(ImmutableSet.copyOf(testPrivileges), ImmutableSet.copyOf(privs));
+
+        } finally {
+            for (AccessControlPolicy policy : acMgr.getPolicies("/jcr:system")) {
+                acMgr.removePolicy("/jcr:system", policy);
+            }
+            root.commit();
+        }
+
+        // but for 'admin' the test-session doesn't have sufficient privileges
+        try {
+            testAcMgr.getPrivileges(testPath, getPrincipals(adminSession));
+            fail("testSession doesn't have sufficient permission to read access control information
at testPath");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testGetRepoPrivileges() throws Exception {
+        assertArrayEquals(privilegesFromNames(PrivilegeConstants.JCR_ALL), acMgr.getPrivileges(null));
+    }
+
+    @Test
+    public void testGetPrivilegesForPrincipals() throws Exception {
+        Set<Principal> adminPrincipals = getPrincipals(adminSession);
+        Privilege[] expected = privilegesFromNames(PrivilegeConstants.JCR_ALL);
+        assertArrayEquals(expected, acMgr.getPrivileges("/", adminPrincipals));
+        assertArrayEquals(expected, acMgr.getPrivileges(null, adminPrincipals));
+        assertArrayEquals(expected, acMgr.getPrivileges(testPath, adminPrincipals));
+
+        setupPolicy(testPath);
+        root.commit();
+        Set<Principal> testPrincipals = Collections.singleton(testPrincipal);
+        assertArrayEquals(new Privilege[0], acMgr.getPrivileges(null, testPrincipals));
+        assertArrayEquals(new Privilege[0], acMgr.getPrivileges("/", testPrincipals));
+        assertEquals(
+                ImmutableSet.copyOf(testPrivileges),
+                ImmutableSet.copyOf(acMgr.getPrivileges(testPath, testPrincipals)));
     }
 
     //--------------------------------------< getApplicablePolicies(String) >---
@@ -436,9 +820,9 @@ public class AccessControlManagerImplTes
 
     @Test
     public void testGetApplicablePoliciesNonExistingNodePath() throws Exception {
-        String propertyPath = "/not/existing";
+        String nonExistingPath = "/not/existing";
         try {
-            acMgr.getApplicablePolicies(propertyPath);
+            acMgr.getApplicablePolicies(nonExistingPath);
             fail("Getting applicable policies for node that doesn't exist should fail.");
         } catch (PathNotFoundException e) {
             // success
@@ -587,9 +971,9 @@ public class AccessControlManagerImplTes
 
     @Test
     public void testGetPoliciesNonExistingNodePath() throws Exception {
-        String propertyPath = "/not/existing";
+        String nonExistingPath = "/not/existing";
         try {
-            acMgr.getPolicies(propertyPath);
+            acMgr.getPolicies(nonExistingPath);
             fail("Getting policies for node that doesn't exist should fail.");
         } catch (PathNotFoundException e) {
             // success
@@ -639,9 +1023,9 @@ public class AccessControlManagerImplTes
 
     @Test
     public void testGetEffectivePoliciesNonExistingNodePath() throws Exception {
-        String propertyPath = "/not/existing";
+        String nonExistingPath = "/not/existing";
         try {
-            acMgr.getEffectivePolicies(propertyPath);
+            acMgr.getEffectivePolicies(nonExistingPath);
             fail("Getting policies for node that doesn't exist should fail.");
         } catch (PathNotFoundException e) {
             // success



Mime
View raw message