jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1477665 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/ main/java/org/apache/jackrabbit/oak/security/authorization/permission/ test/java/org/apache/jackrabbit/oak/security/authorization/...
Date Tue, 30 Apr 2013 14:39:07 GMT
Author: angela
Date: Tue Apr 30 14:39:07 2013
New Revision: 1477665

URL: http://svn.apache.org/r1477665
Log:
OAK-787 : Accessibility of NodeTypes, Namespaces and Privileges

Added:
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ReadPolicyTest.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java?rev=1477665&r1=1477664&r2=1477665&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
Tue Apr 30 14:39:07 2013
@@ -17,8 +17,12 @@
 package org.apache.jackrabbit.oak.security.authorization;
 
 import java.util.Collection;
+import java.util.Set;
 
 import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 
 /**
  * Constants for this access control management implementation.
@@ -66,4 +70,18 @@ public interface AccessControlConstants 
      * @since OAK 1.0
      */
     String PARAM_PERMISSIONS_JR2 = "permissionsJr2";
+
+    /**
+     * Configuration parameter to enable full read access to regular nodes and
+     * properties at the specified paths.
+     */
+    String PARAM_READ_PATHS = "readPaths";
+
+    /**
+     * Default value for the {@link #PARAM_READ_PATHS} configuration parameter.
+     */
+    Set<String> DEFAULT_READ_PATHS = ImmutableSet.of(
+            NamespaceConstants.NAMESPACES_PATH,
+            NodeTypeConstants.NODE_TYPES_PATH,
+            PrivilegeConstants.PRIVILEGES_PATH);
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1477665&r1=1477664&r2=1477665&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
Tue Apr 30 14:39:07 2013
@@ -39,6 +39,7 @@ import javax.jcr.security.AccessControlE
 import javax.jcr.security.AccessControlException;
 import javax.jcr.security.AccessControlPolicy;
 import javax.jcr.security.AccessControlPolicyIterator;
+import javax.jcr.security.NamedAccessControlPolicy;
 import javax.jcr.security.Privilege;
 
 import com.google.common.base.Objects;
@@ -104,6 +105,8 @@ public class AccessControlManagerImpl im
     private final RestrictionProvider restrictionProvider;
     private final ReadOnlyNodeTypeManager ntMgr;
 
+    private final Set<String> readPaths;
+
     private PermissionProvider permissionProvider;
 
     public AccessControlManagerImpl(@Nonnull Root root, @Nonnull NamePathMapper namePathMapper,
@@ -117,6 +120,8 @@ public class AccessControlManagerImpl im
         acConfig = securityProvider.getAccessControlConfiguration();
         restrictionProvider = acConfig.getRestrictionProvider(namePathMapper);
         ntMgr = ReadOnlyNodeTypeManager.getInstance(root, namePathMapper);
+
+        readPaths = acConfig.getConfigurationParameters().getConfigValue(PARAM_READ_PATHS,
DEFAULT_READ_PATHS);
     }
 
     //-----------------------------------------------< AccessControlManager >---
@@ -150,11 +155,15 @@ public class AccessControlManagerImpl im
         String oakPath = getOakPath(absPath);
         Tree tree = getTree(oakPath, Permissions.READ_ACCESS_CONTROL);
         AccessControlPolicy policy = createACL(oakPath, tree, false);
+
+        List<AccessControlPolicy> policies = new ArrayList<AccessControlPolicy>(2);
         if (policy != null) {
-            return new AccessControlPolicy[]{policy};
-        } else {
-            return new AccessControlPolicy[0];
+            policies.add(policy);
         }
+        if (readPaths.contains(oakPath)) {
+            policies.add(ReadPolicy.INSTANCE);
+        }
+        return policies.toArray(new AccessControlPolicy[policies.size()]);
     }
 
     @Nonnull
@@ -162,6 +171,7 @@ public class AccessControlManagerImpl im
     public AccessControlPolicy[] getEffectivePolicies(@Nullable String absPath) throws RepositoryException
{
         String oakPath = getOakPath(absPath);
         Tree tree = getTree(oakPath, Permissions.READ_ACCESS_CONTROL);
+
         List<AccessControlPolicy> effective = new ArrayList<AccessControlPolicy>();
         AccessControlPolicy policy = createACL(oakPath, tree, true);
         if (policy != null) {
@@ -178,6 +188,9 @@ public class AccessControlManagerImpl im
                 parentPath = (PathUtils.denotesRoot(parentPath)) ? "" : Text.getRelativeParent(parentPath,
1);
             }
         }
+        if (readPaths.contains(oakPath)) {
+            effective.add(ReadPolicy.INSTANCE);
+        }
         return effective.toArray(new AccessControlPolicy[effective.size()]);
     }
 
@@ -852,4 +865,16 @@ public class AccessControlManagerImpl im
             return 0;
         }
     }
+
+    private static class ReadPolicy implements NamedAccessControlPolicy {
+
+        private static final NamedAccessControlPolicy INSTANCE = new ReadPolicy();
+
+        private ReadPolicy() {}
+
+        @Override
+        public String getName() throws RepositoryException {
+            return "Grants read access on configured trees (default: node types, namespaces
and privileges).";
+        }
+    }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1477665&r1=1477664&r2=1477665&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
Tue Apr 30 14:39:07 2013
@@ -46,6 +46,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.oak.util.TreeUtil;
 import org.apache.jackrabbit.util.Text;
 
@@ -61,6 +62,9 @@ class CompiledPermissionImpl implements 
     private final RestrictionProvider restrictionProvider;
     private final Map<String, ImmutableTree> trees;
 
+    // TODO: merge readPaths with readStatus structure
+    private final Set<String> readPaths;
+
     private PrivilegeBitsProvider bitsProvider;
     private Map<Key, PermissionEntry> repoEntries;
     private Map<Key, PermissionEntry> userEntries;
@@ -69,11 +73,13 @@ class CompiledPermissionImpl implements 
     CompiledPermissionImpl(@Nonnull Set<Principal> principals,
                            @Nonnull ImmutableTree permissionsTree,
                            @Nonnull PrivilegeBitsProvider bitsProvider,
-                           @Nonnull RestrictionProvider restrictionProvider) {
+                           @Nonnull RestrictionProvider restrictionProvider,
+                           @Nonnull Set<String> readPaths) {
         checkArgument(!principals.isEmpty());
         this.principals = principals;
         this.restrictionProvider = restrictionProvider;
         this.bitsProvider = bitsProvider;
+        this.readPaths = readPaths;
         this.trees = new HashMap<String, ImmutableTree>(principals.size());
         buildEntries(permissionsTree);
     }
@@ -111,6 +117,10 @@ class CompiledPermissionImpl implements 
     //------------------------------------------------< CompiledPermissions >---
     @Override
     public ReadStatus getReadStatus(@Nonnull Tree tree, @Nullable PropertyState property)
{
+        // TODO merge with readstatus
+        if (isReadablePath(tree, null)) {
+            return ReadStatus.ALLOW_ALL_REGULAR;
+        }
         long permission = (property == null) ? Permissions.READ_NODE : Permissions.READ_PROPERTY;
         Iterator<PermissionEntry> it = getEntryIterator(tree, property);
         while (it.hasNext()) {
@@ -182,7 +192,9 @@ class CompiledPermissionImpl implements 
 
     private boolean hasPermissions(@Nonnull Iterator<PermissionEntry> entries,
                                    long permissions, @Nullable Tree tree, @Nullable String
path) {
-        if (!entries.hasNext()) {
+        // calculate readable paths if the given permissions includes any read permission.
+        boolean isReadable = Permissions.diff(Permissions.READ, permissions) != Permissions.READ
&& isReadablePath(tree, path);
+        if (!entries.hasNext() && !isReadable) {
             return false;
         }
 
@@ -191,10 +203,13 @@ class CompiledPermissionImpl implements 
                 Permissions.includes(permissions, Permissions.REMOVE_NODE) ||
                 Permissions.includes(permissions, Permissions.MODIFY_CHILD_NODE_COLLECTION));
 
-        long allows = Permissions.NO_PERMISSION;
+        long allows = (isReadable) ? Permissions.READ : Permissions.NO_PERMISSION;
         long denies = Permissions.NO_PERMISSION;
 
         PrivilegeBits allowBits = PrivilegeBits.getInstance();
+        if (isReadable) {
+            allowBits.add(bitsProvider.getBits(PrivilegeConstants.JCR_READ));
+        }
         PrivilegeBits denyBits = PrivilegeBits.getInstance();
         PrivilegeBits parentAllowBits;
         PrivilegeBits parentDenyBits;
@@ -243,7 +258,8 @@ class CompiledPermissionImpl implements 
                 }
             }
         }
-        return false;
+
+        return (allows | ~permissions) == -1;
     }
 
     private PrivilegeBits getPrivilegeBits(@Nullable Tree tree) {
@@ -262,6 +278,11 @@ class CompiledPermissionImpl implements 
                 denyBits.addDifference(entry.privilegeBits, allowBits);
             }
         }
+
+        // special handling for paths that are always readable
+        if (isReadablePath(tree, null)) {
+            allowBits.add(bitsProvider.getBits(PrivilegeConstants.JCR_READ));
+        }
         return allowBits;
     }
 
@@ -273,6 +294,20 @@ class CompiledPermissionImpl implements 
         return Iterators.concat(new EntryIterator(userEntries, path), new EntryIterator(groupEntries,
path));
     }
 
+    private boolean isReadablePath(@Nullable Tree tree, @Nullable String treePath) {
+        if (!readPaths.isEmpty()) {
+            String targetPath = (tree != null) ? tree.getPath() : treePath;
+            if (targetPath != null) {
+                for (String path : readPaths) {
+                    if (Text.isDescendantOrEqual(path, targetPath)) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+
     private static final class Key implements Comparable<Key> {
 
         private final String path;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1477665&r1=1477664&r2=1477665&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
Tue Apr 30 14:39:07 2013
@@ -81,7 +81,10 @@ public class PermissionProviderImpl impl
             if (permissionsTree == null || principals.isEmpty()) {
                 compiledPermissions = NoPermissions.getInstance();
             } else {
-                compiledPermissions = new CompiledPermissionImpl(principals, permissionsTree,
getBitsProvider(), acConfig.getRestrictionProvider(NamePathMapper.DEFAULT));
+                compiledPermissions = new CompiledPermissionImpl(principals,
+                        permissionsTree, getBitsProvider(),
+                        acConfig.getRestrictionProvider(NamePathMapper.DEFAULT),
+                        acConfig.getConfigurationParameters().getConfigValue(AccessControlConstants.PARAM_READ_PATHS,
AccessControlConstants.DEFAULT_READ_PATHS));
             }
         }
     }

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java?rev=1477665&r1=1477664&r2=1477665&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
Tue Apr 30 14:39:07 2013
@@ -70,7 +70,6 @@ import org.apache.jackrabbit.oak.util.No
 import org.apache.jackrabbit.oak.util.TreeUtil;
 import org.junit.After;
 import org.junit.Before;
-import org.junit.Ignore;
 import org.junit.Test;
 
 import static org.junit.Assert.assertArrayEquals;
@@ -646,7 +645,6 @@ public class AccessControlManagerImplTes
 
     }
 
-    @Ignore("OAK-787") // FIXME
     @Test
     public void testTestSessionGetPrivileges() throws Exception {
         setupPolicy(testPath);

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ReadPolicyTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ReadPolicyTest.java?rev=1477665&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ReadPolicyTest.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ReadPolicyTest.java
Tue Apr 30 14:39:07 2013
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization;
+
+import java.util.Set;
+import javax.jcr.security.AccessControlPolicy;
+
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Tests for the special {@code ReadPolicy} exposed at specified paths.
+ */
+public class ReadPolicyTest extends AbstractAccessControlTest {
+
+    private Set<String> readPaths;
+
+    @Override
+    @Before
+    public void before() throws Exception {
+        super.before();
+
+        ConfigurationParameters options = getSecurityProvider().getAccessControlConfiguration().getConfigurationParameters();
+        readPaths = options.getConfigValue(AccessControlConstants.PARAM_READ_PATHS, AccessControlConstants.DEFAULT_READ_PATHS);
+    }
+
+    @Test
+    public void testGetPolicies() throws Exception {
+        for (String path : readPaths) {
+            AccessControlPolicy[] policies = getAccessControlManager(root).getPolicies(path);
+            assertTrue(policies.length > 0);
+            boolean found = false;
+            for (AccessControlPolicy policy : policies) {
+                if ("org.apache.jackrabbit.oak.security.authorization.AccessControlManagerImpl$ReadPolicy".equals(policy.getClass().getName()))
{
+                    found = true;
+                    break;
+                }
+            }
+            assertTrue(found);
+        }
+    }
+
+    @Test
+    public void testGetEffectivePolicies() throws Exception {
+        for (String path : readPaths) {
+            AccessControlPolicy[] policies = getAccessControlManager(root).getPolicies(path);
+            assertTrue(policies.length > 0);
+            boolean found = false;
+            for (AccessControlPolicy policy : policies) {
+                if ("org.apache.jackrabbit.oak.security.authorization.AccessControlManagerImpl$ReadPolicy".equals(policy.getClass().getName()))
{
+                    found = true;
+                    break;
+                }
+            }
+            assertTrue(found);
+        }
+    }
+}
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java?rev=1477665&r1=1477664&r2=1477665&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java
Tue Apr 30 14:39:07 2013
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
 
 import java.security.Principal;
 import java.security.acl.Group;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.List;
@@ -27,6 +28,7 @@ import javax.annotation.Nonnull;
 import com.google.common.base.Objects;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.oak.AbstractSecurityTest;
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.Tree;
@@ -35,12 +37,14 @@ import org.apache.jackrabbit.oak.core.Im
 import org.apache.jackrabbit.oak.core.TreeTypeProvider;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
+import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
 import org.apache.jackrabbit.oak.spi.security.authorization.OpenAccessControlConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
@@ -55,14 +59,15 @@ import org.junit.Test;
 
 import static org.apache.jackrabbit.JcrConstants.JCR_PRIMARYTYPE;
 import static org.apache.jackrabbit.JcrConstants.NT_UNSTRUCTURED;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
 
 /**
  * CompiledPermissionImplTest... TODO
  */
-@Ignore("work in progress")
-public class CompiledPermissionImplTest extends AbstractSecurityTest 
-        implements PermissionConstants, PrivilegeConstants {
+public class CompiledPermissionImplTest extends AbstractSecurityTest implements PermissionConstants,
PrivilegeConstants {
 
     private Principal userPrincipal;
     private Principal group1;
@@ -129,6 +134,7 @@ public class CompiledPermissionImplTest 
         };
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus() throws Exception {
         allow(userPrincipal, "/", 0, JCR_READ);
@@ -137,6 +143,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, allPaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus1() throws Exception {
         allow(group1, node2Path, 0, JCR_READ);
@@ -147,6 +154,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, node2Path);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus2() throws Exception {
         allow(userPrincipal, "/", 0, JCR_READ);
@@ -156,6 +164,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, allPaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus3() throws Exception {
         allow(group1, "/", 0, JCR_READ);
@@ -165,6 +174,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.DENY_ALL_REGULAR, cp, allPaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus4() throws Exception {
         allow(group1, "/", 0, JCR_READ);
@@ -174,6 +184,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, allPaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus5() throws Exception {
         allow(userPrincipal, "/", 0, JCR_READ);
@@ -183,6 +194,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, allPaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus6() throws Exception {
         allow(group2, "/", 0, JCR_READ);
@@ -194,6 +206,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.DENY_ALL_REGULAR, cp, nodePaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus7() throws Exception {
         allow(group2, "/", 0, REP_READ_PROPERTIES);
@@ -205,6 +218,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, nodePaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus8() throws Exception {
         allow(userPrincipal, "/", 0, REP_READ_PROPERTIES);
@@ -216,6 +230,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, nodePaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus9() throws Exception {
         allow(group2, "/", 0, REP_READ_PROPERTIES);
@@ -227,6 +242,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, nodePaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus10() throws Exception {
         deny(group2, "/", 0, JCR_READ);
@@ -238,6 +254,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_NODES, cp, nodePaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus11() throws Exception {
         deny(group2, "/", 0, JCR_READ);
@@ -251,6 +268,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_NODES, cp, node2Path);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus12() throws Exception {
         allow(group1, "/", 0, JCR_READ);
@@ -263,6 +281,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_NODES, cp, nodePaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus13() throws Exception {
         allow(group1, "/", 0, JCR_READ);
@@ -276,6 +295,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, nodePaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus14() throws Exception {
         allow(group1, "/", 0, REP_READ_NODES);
@@ -289,6 +309,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, nodePaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus15() throws Exception {
         allow(group1, "/", 0, REP_READ_NODES);
@@ -303,6 +324,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_PROPERTIES, cp, node2Path);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus16() throws Exception {
         allow(group1, "/", 0, JCR_READ, JCR_READ_ACCESS_CONTROL);
@@ -311,6 +333,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_ALL, cp, allPaths);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus17() throws Exception {
         allow(group1, node1Path, 0, JCR_READ, JCR_READ_ACCESS_CONTROL);
@@ -321,6 +344,7 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_NODES, cp, node2Path);
     }
 
+    @Ignore("OAK-774")
     @Test
     public void testGetReadStatus18() throws Exception {
         allow(group1, node1Path, 0, JCR_READ);
@@ -331,6 +355,61 @@ public class CompiledPermissionImplTest 
         assertReadStatus(ReadStatus.ALLOW_ALL, cp, node2Path);
     }
 
+    @Test
+    public void testGetReadStatusForReadPaths() throws Exception {
+        CompiledPermissionImpl cp = createPermissions(Collections.singleton(userPrincipal));
+        assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, ReadStatus.ALLOW_ALL_REGULAR, cp,
new ArrayList<String>(AccessControlConstants.DEFAULT_READ_PATHS));
+    }
+
+    @Test
+    public void testIsGrantedForReadPaths() throws Exception {
+        CompiledPermissionImpl cp = createPermissions(Collections.singleton(userPrincipal));
+        for (String path : AccessControlConstants.DEFAULT_READ_PATHS) {
+            assertTrue(cp.isGranted(path, Permissions.READ));
+            assertTrue(cp.isGranted(path, Permissions.READ_NODE));
+            assertTrue(cp.isGranted(path + '/' + JcrConstants.JCR_PRIMARYTYPE, Permissions.READ_PROPERTY));
+            assertFalse(cp.isGranted(path, Permissions.READ_ACCESS_CONTROL));
+        }
+
+        for (String path : AccessControlConstants.DEFAULT_READ_PATHS) {
+            Tree tree = root.getTree(path);
+            assertTrue(cp.isGranted(tree, null, Permissions.READ));
+            assertTrue(cp.isGranted(tree, null, Permissions.READ_NODE));
+            assertTrue(cp.isGranted(tree, tree.getProperty(JcrConstants.JCR_PRIMARYTYPE),
Permissions.READ_PROPERTY));
+            assertFalse(cp.isGranted(tree, null, Permissions.READ_ACCESS_CONTROL));
+        }
+
+        assertFalse(cp.isGranted(Permissions.READ));
+        assertFalse(cp.isGranted(Permissions.READ_NODE));
+        assertFalse(cp.isGranted(Permissions.READ_PROPERTY));
+        assertFalse(cp.isGranted(Permissions.READ_ACCESS_CONTROL));
+    }
+
+    @Test
+    public void testGetPrivilegesForReadPaths() throws Exception {
+        CompiledPermissionImpl cp = createPermissions(Collections.singleton(userPrincipal));
+        for (String path : AccessControlConstants.DEFAULT_READ_PATHS) {
+            Tree tree = root.getTree(path);
+            assertEquals(Collections.singleton(PrivilegeConstants.JCR_READ), cp.getPrivileges(tree));
+        }
+
+        assertEquals(Collections.<String>emptySet(), cp.getPrivileges(null));
+    }
+
+    @Test
+    public void testHasPrivilegesForReadPaths() throws Exception {
+        CompiledPermissionImpl cp = createPermissions(Collections.singleton(userPrincipal));
+        for (String path : AccessControlConstants.DEFAULT_READ_PATHS) {
+            Tree tree = root.getTree(path);
+            assertTrue(cp.hasPrivileges(tree, PrivilegeConstants.JCR_READ));
+            assertTrue(cp.hasPrivileges(tree, PrivilegeConstants.REP_READ_NODES));
+            assertTrue(cp.hasPrivileges(tree, PrivilegeConstants.REP_READ_PROPERTIES));
+            assertFalse(cp.hasPrivileges(tree, PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+        }
+
+        assertFalse(cp.hasPrivileges(null, PrivilegeConstants.JCR_READ));
+    }
+
     // TODO: tests with restrictions
     // TODO: complex tests with entries for paths outside of the tested hierarchy
     // TODO: tests for isGranted
@@ -339,7 +418,7 @@ public class CompiledPermissionImplTest 
 
     private CompiledPermissionImpl createPermissions(Set<Principal> principals) {
         ImmutableTree permissionsTree = new ImmutableRoot(root, TreeTypeProvider.EMPTY).getTreeOrNull(PERMISSIONS_STORE_PATH);
-        return new CompiledPermissionImpl(principals, permissionsTree, pbp, rp);
+        return new CompiledPermissionImpl(principals, permissionsTree, pbp, rp, AccessControlConstants.DEFAULT_READ_PATHS);
     }
 
     private void allow(Principal principal, String path, int index, String... privilegeNames)
throws CommitFailedException {



Mime
View raw message