jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1511344 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/ test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ test/java/org/apache/jackrabbit/oak/spi/...
Date Wed, 07 Aug 2013 14:54:16 GMT
Author: angela
Date: Wed Aug  7 14:54:16 2013
New Revision: 1511344

URL: http://svn.apache.org/r1511344
Log:
OAK-51 : Access Control Management (preparation for JCR-3637 and restriction related test
cases)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ACETest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java?rev=1511344&r1=1511343&r2=1511344&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
Wed Aug  7 14:54:16 2013
@@ -16,12 +16,14 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
 
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 import javax.jcr.AccessDeniedException;
 import javax.jcr.NamespaceRegistry;
 import javax.jcr.PropertyType;
@@ -61,13 +63,7 @@ public abstract class AbstractRestrictio
 
     @Override
     public Restriction createRestriction(String oakPath, String oakName, Value value) throws
RepositoryException {
-        if (isUnsupportedPath(oakPath)) {
-            throw new AccessControlException("Unsupported restriction at " + oakPath);
-        }
-        RestrictionDefinition definition = supported.get(oakName);
-        if (definition == null) {
-            throw new AccessControlException("Unsupported restriction: " + oakName);
-        }
+        RestrictionDefinition definition = getDefinition(oakPath, oakName);
         Type<?> requiredType = definition.getRequiredType();
         int tag = requiredType.tag();
         if (tag != PropertyType.UNDEFINED && tag != value.getType()) {
@@ -84,13 +80,7 @@ public abstract class AbstractRestrictio
 
     @Override
     public Restriction createRestriction(String oakPath, String oakName, Value... values)
throws RepositoryException {
-        if (isUnsupportedPath(oakPath)) {
-            throw new AccessControlException("Unsupported restriction at " + oakPath);
-        }
-        RestrictionDefinition definition = supported.get(oakName);
-        if (definition == null) {
-            throw new AccessControlException("Unsupported restriction: " + oakName);
-        }
+        RestrictionDefinition definition = getDefinition(oakPath, oakName);
         Type<?> requiredType = definition.getRequiredType();
         for (Value v : values) {
             if (requiredType.tag() != PropertyType.UNDEFINED && requiredType.tag()
!= v.getType()) {
@@ -100,7 +90,7 @@ public abstract class AbstractRestrictio
 
         PropertyState propertyState;
         if (requiredType.isArray()) {
-            propertyState = PropertyStates.createProperty(oakName, ImmutableList.of(values));
+            propertyState = PropertyStates.createProperty(oakName, Arrays.asList(values),
requiredType.tag());
         } else {
             if (values.length != 1) {
                 throw new AccessControlException("Unsupported restriction: Expected single
value.");
@@ -145,29 +135,46 @@ public abstract class AbstractRestrictio
     @Override
     public void validateRestrictions(String oakPath, Tree aceTree) throws AccessControlException
{
         Map<String, PropertyState> restrictionProperties = getRestrictionProperties(aceTree);
-        if (isUnsupportedPath(oakPath) && !restrictionProperties.isEmpty()) {
-            throw new AccessControlException("Restrictions not supported with 'null' path.");
-        }
-        for (Map.Entry<String, PropertyState> entry : restrictionProperties.entrySet())
{
-            String restrName = entry.getKey();
-            RestrictionDefinition def = supported.get(restrName);
-            if (def == null) {
-                throw new AccessControlException("Unsupported restriction: " + restrName);
-            }
-            Type<?> type = entry.getValue().getType();
-            if (type != def.getRequiredType()) {
-                throw new AccessControlException("Invalid restriction type '" + type + "'.
Expected " + def.getRequiredType());
-            }
-        }
-        for (RestrictionDefinition def : supported.values()) {
-            if (def.isMandatory() && !restrictionProperties.containsKey(def.getName()))
{
-                throw new AccessControlException("Mandatory restriction " + def.getName()
+ " is missing.");
+        if (isUnsupportedPath(oakPath)) {
+            if (!restrictionProperties.isEmpty()) {
+                throw new AccessControlException("Restrictions not supported with 'null'
path.");
+            }
+        } else {
+            // supported path -> validate restrictions and test if mandatory
+            // restrictions are present.
+            for (Map.Entry<String, PropertyState> entry : restrictionProperties.entrySet())
{
+                String restrName = entry.getKey();
+                RestrictionDefinition def = supported.get(restrName);
+                if (def == null) {
+                    throw new AccessControlException("Unsupported restriction: " + restrName);
+                }
+                Type<?> type = entry.getValue().getType();
+                if (type != def.getRequiredType()) {
+                    throw new AccessControlException("Invalid restriction type '" + type
+ "'. Expected " + def.getRequiredType());
+                }
+            }
+            for (RestrictionDefinition def : supported.values()) {
+                if (def.isMandatory() && !restrictionProperties.containsKey(def.getName()))
{
+                    throw new AccessControlException("Mandatory restriction " + def.getName()
+ " is missing.");
+                }
             }
         }
     }
 
     //------------------------------------------------------------< private >---
     @Nonnull
+    private RestrictionDefinition getDefinition(@Nullable String oakPath, @Nonnull String
oakName) throws AccessControlException {
+        if (isUnsupportedPath(oakPath)) {
+            throw new AccessControlException("Unsupported restriction at " + oakPath);
+        }
+        RestrictionDefinition definition = supported.get(oakName);
+        if (definition == null) {
+            throw new AccessControlException("Unsupported restriction: " + oakName);
+        }
+        return definition;
+    }
+
+    @Nonnull
     private Restriction createRestriction(PropertyState propertyState, RestrictionDefinition
definition) {
         return new RestrictionImpl(propertyState, definition.isMandatory());
     }

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java?rev=1511344&r1=1511343&r2=1511344&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
Wed Aug  7 14:54:16 2013
@@ -211,6 +211,10 @@ public class ACLTest extends AbstractAcc
                     return null;
                 }
 
+                public Value[] getRestrictions(String restrictionName) {
+                    return null;
+                }
+
                 public Principal getPrincipal() {
                     return testPrincipal;
                 }

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ACETest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ACETest.java?rev=1511344&r1=1511343&r2=1511344&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ACETest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/ACETest.java
Wed Aug  7 14:54:16 2013
@@ -19,26 +19,36 @@ package org.apache.jackrabbit.oak.spi.se
 import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
 import javax.jcr.Value;
+import javax.jcr.ValueFactory;
+import javax.jcr.ValueFormatException;
 import javax.jcr.security.AccessControlEntry;
 import javax.jcr.security.AccessControlException;
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.Privilege;
 
+import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Lists;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.junit.Before;
 import org.junit.Test;
 
+import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -51,6 +61,10 @@ public class ACETest extends AbstractAcc
     private Principal testPrincipal;
     private AccessControlManager acMgr;
 
+    private Value globValue;
+    private Value[] nameValues;
+    private Value nameValue;
+
     @Override
     @Before
     public void before() throws Exception {
@@ -62,6 +76,13 @@ public class ACETest extends AbstractAcc
                 return "TestPrincipal";
             }
         };
+        ValueFactory valueFactory = new ValueFactoryImpl(root.getBlobFactory(), namePathMapper);
+        globValue = valueFactory.createValue("*");
+        nameValue = valueFactory.createValue("nt:file", PropertyType.NAME);
+        nameValues = new Value[] {
+                valueFactory.createValue("nt:folder", PropertyType.NAME),
+                valueFactory.createValue("nt:file", PropertyType.NAME)
+        };
     }
 
     private ACE createEntry(String... privilegeNames)
@@ -80,6 +101,20 @@ public class ACETest extends AbstractAcc
         return new ACE(principal, privileges, isAllow, null, namePathMapper);
     }
 
+    private ACE createEntry(Set<Restriction> restrictions) throws Exception {
+        return new ACE(testPrincipal,
+                privilegesFromNames(PrivilegeConstants.JCR_READ), true,
+                restrictions, namePathMapper);
+    }
+
+    private Restriction createRestriction(String name, Value value) throws Exception {
+        return getRestrictionProvider().createRestriction("/a/b/c", name, value);
+    }
+
+    private Restriction createRestriction(String name, Value[] values) throws Exception {
+        return getRestrictionProvider().createRestriction("/a/b/c", name, values);
+    }
+
     @Test
     public void testIsAllow() throws RepositoryException {
         ACE ace = createEntry(new String[]{PrivilegeConstants.JCR_READ}, true);
@@ -98,6 +133,19 @@ public class ACETest extends AbstractAcc
     }
 
     @Test
+    public void testNullPrincipal() throws Exception {
+        try {
+            Privilege[] privs = new Privilege[]{
+                    acMgr.privilegeFromName(PrivilegeConstants.JCR_ALL)
+            };
+            createEntry(null, privs, true);
+            fail("Principal must not be null");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
     public void testGetPrivileges() throws RepositoryException {
         ACE entry = createEntry(new String[]{PrivilegeConstants.JCR_READ}, true);
 
@@ -125,6 +173,196 @@ public class ACETest extends AbstractAcc
     }
 
     @Test
+    public void testNullPrivileges() throws Exception {
+        try {
+            createEntry(testPrincipal, null, true);
+            fail("Principal must not be null");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testEmptyPrivileges() throws Exception {
+        try {
+            createEntry(testPrincipal, new Privilege[0], true);
+            fail("Privilege array must not be null.");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testRedundantPrivileges() throws Exception {
+        ACE ace = createEntry(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ);
+        Privilege[] privs = ace.getPrivileges();
+        assertEquals(1, privs.length);
+        assertEquals(PrivilegeConstants.JCR_READ, privs[0].getName());
+    }
+
+    /**
+     * @since oak 1.0 ACE doesn't validate privileges.
+     */
+    @Test
+    public void testUnknownPrivilege() throws Exception {
+        Privilege invalidPriv = new Privilege() {
+            public String getName() {
+                return "";
+            }
+
+            public boolean isAbstract() {
+                return false;
+            }
+
+            public boolean isAggregate() {
+                return false;
+            }
+
+            public Privilege[] getDeclaredAggregatePrivileges() {
+                return new Privilege[0];
+            }
+
+            public Privilege[] getAggregatePrivileges() {
+                return new Privilege[0];
+            }
+        };
+        Privilege[] privs = new Privilege[]{invalidPriv, acMgr.privilegeFromName(PrivilegeConstants.JCR_READ)};
+        createEntry(testPrincipal, privs, true);
+    }
+
+    @Test
+    public void testGetRestrictionNames() throws Exception {
+        // empty restrictions
+        String[] restrictionNames = createEntry(Collections.<Restriction>emptySet()).getRestrictionNames();
+        assertNotNull(restrictionNames);
+        assertEquals(0, restrictionNames.length);
+
+        Restriction globRestr = createRestriction(AccessControlConstants.REP_GLOB, globValue);
+        Restriction nameRestr = createRestriction(AccessControlConstants.REP_NT_NAMES, nameValues);
+
+        // single restriction
+        restrictionNames = createEntry(ImmutableSet.of(globRestr)).getRestrictionNames();
+        assertEquals(1, restrictionNames.length);
+
+        // 2 restrictions
+        restrictionNames = createEntry(ImmutableSet.of(globRestr, nameRestr)).getRestrictionNames();
+        assertEquals(2, restrictionNames.length);
+    }
+
+    @Test
+    public void testGetRestrictionForEmpty() throws Exception {
+        // empty restrictions
+        Value val = createEntry(Collections.<Restriction>emptySet()).getRestriction(AccessControlConstants.REP_GLOB);
+        assertNull(val);
+    }
+
+    @Test
+    public void testGetNonExistingRestriction() throws Exception {
+        // single valued restriction
+        Restriction globRestr = createRestriction(AccessControlConstants.REP_GLOB, globValue);
+        ACE ace = createEntry(ImmutableSet.of(globRestr));
+        assertNull(ace.getRestriction(AccessControlConstants.REP_NT_NAMES));
+    }
+
+    @Test
+    public void testGetRestrictionForSingleValued() throws Exception {
+        // single valued restriction
+        Restriction globRestr = createRestriction(AccessControlConstants.REP_GLOB, globValue);
+        ACE ace = createEntry(ImmutableSet.of(globRestr));
+        Value val = ace.getRestriction(AccessControlConstants.REP_GLOB);
+        assertNotNull(val);
+        assertEquals(globValue, val);
+    }
+
+    /**
+     * @since OAK 1.0: support for multi-value restrictions
+     */
+    @Test
+    public void testGetRestrictionForMultiValued() throws Exception {
+        // multivalued restriction
+        Restriction nameRestr = createRestriction(AccessControlConstants.REP_NT_NAMES, nameValues);
+        ACE ace = createEntry(ImmutableSet.of(nameRestr));
+        try {
+            ace.getRestriction(AccessControlConstants.REP_NT_NAMES);
+            fail("Multiple restriction values");
+        } catch (ValueFormatException e) {
+            // success
+        }
+    }
+
+    /**
+     * @since OAK 1.0: support for multi-value restrictions
+     */
+    @Test
+    public void testGetRestrictionForMultiValued2() throws Exception {
+        // single value restriction stored in multi-value property
+        Restriction singleNameRestr = createRestriction(AccessControlConstants.REP_NT_NAMES,
new Value[] {nameValue});
+
+        ACE ace = createEntry(ImmutableSet.of(singleNameRestr));
+        Value val = ace.getRestriction(AccessControlConstants.REP_NT_NAMES);
+        assertEquals(nameValue, val);
+    }
+
+    /**
+     * @since OAK 1.0: support for multi-value restrictions
+     */
+    @Test
+    public void testGetEmptyRestrictions() throws Exception {
+        // empty restrictions
+        Value[] vs = createEntry(Collections.<Restriction>emptySet()).getRestrictions(AccessControlConstants.REP_GLOB);
+        assertNull(vs);
+    }
+
+    /**
+     * @since OAK 1.0: support for multi-value restrictions
+     */
+    @Test
+    public void testGetNonExistingRestrictions() throws Exception {
+        Restriction nameRestr = createRestriction(AccessControlConstants.REP_NT_NAMES, nameValues);
+        ACE ace = createEntry(ImmutableSet.of(nameRestr));
+        assertNull(ace.getRestrictions(AccessControlConstants.REP_GLOB));
+    }
+
+    /**
+     * @since OAK 1.0: support for multi-value restrictions
+     */
+    @Test
+    public void testGetRestrictionsForSingleValue() throws Exception {
+        // single valued restriction
+        Restriction globRestr = createRestriction(AccessControlConstants.REP_GLOB, globValue);
+        ACE ace = createEntry(ImmutableSet.of(globRestr));
+        Value[] vs = ace.getRestrictions(AccessControlConstants.REP_GLOB);
+        assertNotNull(vs);
+        assertArrayEquals(new Value[] {globValue}, vs);
+    }
+
+    /**
+     * @since OAK 1.0: support for multi-value restrictions
+     */
+    @Test
+    public void testGetRestrictionsForMultiValued() throws Exception {
+        // multivalued restriction
+        Restriction nameRestr = createRestriction(AccessControlConstants.REP_NT_NAMES, nameValues);
+        ACE ace = createEntry(ImmutableSet.of(nameRestr));
+        Value[] vs = ace.getRestrictions(AccessControlConstants.REP_NT_NAMES);
+        assertEquals(2, vs.length);
+        assertArrayEquals(nameValues, vs);
+    }
+
+    /**
+     * @since OAK 1.0: support for multi-value restrictions
+     */
+    @Test
+    public void testGetRestrictionsForMultiValued2() throws Exception {
+        // single value restriction stored in multi-value property
+        Restriction singleNameRestr = createRestriction(AccessControlConstants.REP_NT_NAMES,
new Value[] {nameValue});
+        ACE ace = createEntry(ImmutableSet.of(singleNameRestr));
+        Value[] vs = ace.getRestrictions(AccessControlConstants.REP_NT_NAMES);
+        assertEquals(1, vs.length);
+        assertEquals(nameValue, vs[0]);
+    }
+
+    @Test
     public void testEquals() throws RepositoryException {
 
         Map<AccessControlEntry, AccessControlEntry> equalAces = new HashMap<AccessControlEntry,
AccessControlEntry>();
@@ -218,6 +456,10 @@ public class ACETest extends AbstractAcc
                 return null;
             }
 
+            public Value[] getRestrictions(String restrictionName) {
+                return null;
+            }
+
             public Principal getPrincipal() {
                 return testPrincipal;
             }
@@ -303,6 +545,10 @@ public class ACETest extends AbstractAcc
                 return null;
             }
 
+            public Value[] getRestrictions(String restrictionName) {
+                return null;
+            }
+
             public Principal getPrincipal() {
                 return testPrincipal;
             }
@@ -318,75 +564,4 @@ public class ACETest extends AbstractAcc
         }
 
     }
-
-    @Test
-    public void testNullPrincipal() throws Exception {
-        try {
-            Privilege[] privs = new Privilege[]{
-                    acMgr.privilegeFromName(PrivilegeConstants.JCR_ALL)
-            };
-            createEntry(null, privs, true);
-            fail("Principal must not be null");
-        } catch (AccessControlException e) {
-            // success
-        }
-    }
-
-    @Test
-    public void testNullPrivileges() throws Exception {
-        try {
-            createEntry(testPrincipal, null, true);
-            fail("Principal must not be null");
-        } catch (AccessControlException e) {
-            // success
-        }
-    }
-
-    @Test
-    public void testEmptyPrivileges() throws Exception {
-        try {
-            createEntry(testPrincipal, new Privilege[0], true);
-            fail("Privilege array must not be null.");
-        } catch (AccessControlException e) {
-            // success
-        }
-    }
-
-    @Test
-    public void testRedundantPrivileges() throws Exception {
-        ACE ace = createEntry(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ);
-        Privilege[] privs = ace.getPrivileges();
-        assertEquals(1, privs.length);
-        assertEquals(PrivilegeConstants.JCR_READ, privs[0].getName());
-    }
-
-    /**
-     * @since oak 1.0 ACE doesn't validate privileges.
-     */
-    @Test
-    public void testUnknownPrivilege() throws Exception {
-        Privilege invalidPriv = new Privilege() {
-            public String getName() {
-                return "";
-            }
-
-            public boolean isAbstract() {
-                return false;
-            }
-
-            public boolean isAggregate() {
-                return false;
-            }
-
-            public Privilege[] getDeclaredAggregatePrivileges() {
-                return new Privilege[0];
-            }
-
-            public Privilege[] getAggregatePrivileges() {
-                return new Privilege[0];
-            }
-        };
-        Privilege[] privs = new Privilege[]{invalidPriv, acMgr.privilegeFromName(PrivilegeConstants.JCR_READ)};
-        createEntry(testPrincipal, privs, true);
-    }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java?rev=1511344&r1=1511343&r2=1511344&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java
Wed Aug  7 14:54:16 2013
@@ -16,18 +16,246 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
 
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.jcr.PropertyType;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
+import javax.jcr.security.AccessControlException;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.After;
+import org.junit.Before;
 import org.junit.Test;
 
-public class AbstractRestrictionProviderTest {
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class AbstractRestrictionProviderTest extends AbstractSecurityTest implements AccessControlConstants
{
+
+    private String unsupportedPath = null;
+    private String testPath = "/testRoot";
+
+    private Value globValue;
+    private Value[] nameValues;
+    private Value nameValue;
+
+    private ValueFactory valueFactory;
+    private AbstractRestrictionProvider restrictionProvider;
+
+    @Before
+    @Override
+    public void before() throws Exception {
+        super.before();
+
+        valueFactory = new ValueFactoryImpl(root.getBlobFactory(), namePathMapper);
+        globValue = valueFactory.createValue("*");
+        nameValue = valueFactory.createValue("nt:file", PropertyType.NAME);
+        nameValues = new Value[] {
+                valueFactory.createValue("nt:folder", PropertyType.NAME),
+                valueFactory.createValue("nt:file", PropertyType.NAME)
+        };
+
+        restrictionProvider = new TestProvider();
+    }
+
+    @After
+    @Override
+    public void after() throws Exception {
+        try {
+            root.refresh();
+        } finally {
+            super.after();
+        }
+    }
+
+    private Tree getAceTree(Restriction... restrictions) throws Exception {
+        NodeUtil rootNode = new NodeUtil(root.getTree("/"));
+        NodeUtil tmp = rootNode.addChild("testRoot", JcrConstants.NT_UNSTRUCTURED);
+        Tree ace = tmp.addChild("rep:policy", NT_REP_ACL).addChild("ace0", NT_REP_GRANT_ACE).getTree();
+        restrictionProvider.writeRestrictions(tmp.getTree().getPath(), ace, ImmutableSet.copyOf(restrictions));
+        return ace;
+    }
+
 
     @Test
-    public void testCreateRestriction() {
-        // TODO
+    public void testGetSupportedRestrictions() throws Exception {
+        Set<RestrictionDefinition> defs = restrictionProvider.getSupportedRestrictions(testPath);
+        assertNotNull(defs);
+        assertEquals(TestProvider.supportedRestrictions().size(), defs.size());
+        for (RestrictionDefinition def : TestProvider.supportedRestrictions().values()) {
+            assertTrue(defs.contains(def));
+        }
     }
 
     @Test
-    public void testCreateMvRestriction() {
-        // TODO
+    public void testGetSupportedRestrictionsForUnsupportedPath() throws Exception {
+        Set<RestrictionDefinition> defs = restrictionProvider.getSupportedRestrictions(unsupportedPath);
+        assertNotNull(defs);
+        assertTrue(defs.isEmpty());
+    }
+
+    @Test
+    public void testCreateForUnsupportedPath() throws Exception {
+        try {
+            restrictionProvider.createRestriction(unsupportedPath, REP_GLOB, globValue);
+            fail();
+        } catch (AccessControlException e) {
+            // success
+        }
+
+        try {
+            restrictionProvider.createRestriction(unsupportedPath, REP_NT_NAMES, nameValues);
+            fail();
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testCreateForUnsupportedName() throws Exception {
+        try {
+            restrictionProvider.createRestriction(unsupportedPath, "unsupported", globValue);
+            fail();
+        } catch (AccessControlException e) {
+            // success
+        }
+
+        try {
+            restrictionProvider.createRestriction(unsupportedPath, "unsupported", nameValues);
+            fail();
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testCreateForUnsupportedType() throws Exception {
+        try {
+            restrictionProvider.createRestriction(unsupportedPath, REP_GLOB, valueFactory.createValue(true));
+            fail();
+        } catch (AccessControlException e) {
+            // success
+        }
+        try {
+            restrictionProvider.createRestriction(unsupportedPath, REP_NT_NAMES,
+                    valueFactory.createValue("nt:file", PropertyType.NAME),
+                    valueFactory.createValue(true));
+            fail();
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testCreateForUnsupportedMultiValues() throws Exception {
+        try {
+            restrictionProvider.createRestriction(unsupportedPath, REP_GLOB,
+                    valueFactory.createValue("*"),
+                    valueFactory.createValue("/a/*"));
+            fail();
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testCreateRestriction() throws Exception {
+        Restriction r = restrictionProvider.createRestriction(testPath, REP_GLOB, globValue);
+        assertNotNull(r);
+        assertEquals(REP_GLOB, r.getName());
+        assertEquals(globValue.getString(), r.getProperty().getValue(Type.STRING));
+    }
+
+    @Test
+    public void testCreateMvRestriction() throws Exception {
+        Restriction r = restrictionProvider.createRestriction(testPath, REP_NT_NAMES,
+                valueFactory.createValue("nt:folder", PropertyType.NAME),
+                valueFactory.createValue("nt:file", PropertyType.NAME));
+        assertNotNull(r);
+        assertEquals(REP_NT_NAMES, r.getName());
+        assertEquals(Type.NAMES, r.getRequiredType());
+
+        PropertyState ps = r.getProperty();
+        assertTrue(ps.isArray());
+        assertEquals(Type.NAMES, ps.getType());
+
+        List<Value> vs = ValueFactoryImpl.createValues(ps, namePathMapper);
+        assertArrayEquals(nameValues, vs.toArray(new Value[vs.size()]));
+    }
+
+    @Test
+    public void testCreateMvRestriction2() throws Exception {
+        Restriction r = restrictionProvider.createRestriction(testPath, REP_NT_NAMES, nameValues);
+        assertNotNull(r);
+        assertEquals(REP_NT_NAMES, r.getName());
+        assertEquals(Type.NAMES, r.getRequiredType());
+
+        PropertyState ps = r.getProperty();
+        assertTrue(ps.isArray());
+        assertEquals(Type.NAMES, ps.getType());
+
+        List<Value> vs = ValueFactoryImpl.createValues(ps, namePathMapper);
+        assertArrayEquals(nameValues, vs.toArray(new Value[vs.size()]));
+    }
+
+    @Test
+    public void testCreateMvRestriction3() throws Exception {
+        Restriction r = restrictionProvider.createRestriction(testPath, REP_NT_NAMES, nameValue);
+        assertNotNull(r);
+        assertEquals(REP_NT_NAMES, r.getName());
+        assertEquals(Type.NAMES, r.getRequiredType());
+
+        assertTrue(r.getProperty().isArray());
+        assertEquals(Type.NAMES, r.getProperty().getType());
+
+        List<Value> vs = ValueFactoryImpl.createValues(r.getProperty(), namePathMapper);
+        assertArrayEquals(new Value[] {nameValue}, vs.toArray(new Value[vs.size()]));
+    }
+
+    @Test
+    public void testCreateEmptyMvRestriction() throws Exception {
+        Restriction r = restrictionProvider.createRestriction(testPath, REP_NT_NAMES);
+        assertNotNull(r);
+        assertEquals(REP_NT_NAMES, r.getName());
+        assertEquals(Type.NAMES, r.getRequiredType());
+
+        assertTrue(r.getProperty().isArray());
+        assertEquals(Type.NAMES, r.getProperty().getType());
+
+        List<Value> vs = ValueFactoryImpl.createValues(r.getProperty(), namePathMapper);
+        assertNotNull(vs);
+        assertEquals(0, vs.size());
+    }
+
+    @Test
+    public void testCreateEmptyMvRestriction2() throws Exception {
+        Restriction r = restrictionProvider.createRestriction(testPath, REP_NT_NAMES, new
Value[0]);
+        assertNotNull(r);
+        assertEquals(REP_NT_NAMES, r.getName());
+        assertEquals(Type.NAMES, r.getRequiredType());
+
+        assertTrue(r.getProperty().isArray());
+        assertEquals(Type.NAMES, r.getProperty().getType());
+
+        List<Value> vs = ValueFactoryImpl.createValues(r.getProperty(), namePathMapper);
+        assertNotNull(vs);
+        assertEquals(0, vs.size());
     }
 
     @Test
@@ -41,7 +269,89 @@ public class AbstractRestrictionProvider
     }
 
     @Test
-    public void testValidateRestrictions() {
-        // TODO
+    public void testValidateRestrictionsUnsupportedPath() throws Exception {
+        // empty restrictions => must succeed
+        restrictionProvider.validateRestrictions(null, getAceTree());
+
+
+        // non-empty restrictions => must fail
+        try {
+            Restriction restr = restrictionProvider.createRestriction(testPath, REP_GLOB,
globValue);
+            restrictionProvider.validateRestrictions(null, getAceTree(restr));
+            fail();
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testValidateRestrictionsWrongType() throws Exception {
+        Restriction mand = restrictionProvider.createRestriction(testPath, "mandatory", valueFactory.createValue(true));
+        try {
+            Tree ace = getAceTree(mand);
+            new NodeUtil(ace).getChild(REP_RESTRICTIONS).setBoolean(REP_GLOB, true);
+
+            restrictionProvider.validateRestrictions(testPath, ace);
+            fail("wrong type with restriction 'rep:glob");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testValidateRestrictionsUnsupportedRestriction() throws Exception {
+        Restriction mand = restrictionProvider.createRestriction(testPath, "mandatory", valueFactory.createValue(true));
+        try {
+            Tree ace = getAceTree(mand);
+            new NodeUtil(ace).getChild(REP_RESTRICTIONS).setString("Unsupported", "value");
+
+            restrictionProvider.validateRestrictions(testPath, ace);
+            fail("wrong type with restriction 'rep:glob");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testValidateRestrictionsMissingMandatory() throws Exception {
+        Restriction glob = restrictionProvider.createRestriction(testPath, REP_GLOB, globValue);
+        try {
+            restrictionProvider.validateRestrictions(testPath, getAceTree(glob));
+            fail("missing mandatory restriction");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testValidateRestrictions() throws Exception {
+        Restriction glob = restrictionProvider.createRestriction(testPath, REP_GLOB, globValue);
+        Restriction ntNames = restrictionProvider.createRestriction(testPath, REP_NT_NAMES,
nameValues);
+        Restriction mand = restrictionProvider.createRestriction(testPath, "mandatory", valueFactory.createValue(true));
+
+        restrictionProvider.validateRestrictions(testPath, getAceTree(mand));
+        restrictionProvider.validateRestrictions(testPath, getAceTree(mand, glob));
+        restrictionProvider.validateRestrictions(testPath, getAceTree(mand, ntNames));
+        restrictionProvider.validateRestrictions(testPath, getAceTree(mand, glob, ntNames));
+    }
+
+    private static final class TestProvider extends AbstractRestrictionProvider {
+
+        private TestProvider() {
+            super(supportedRestrictions());
+        }
+
+        private static Map<String, RestrictionDefinition> supportedRestrictions() {
+            RestrictionDefinition glob = new RestrictionDefinitionImpl(REP_GLOB, Type.STRING,
false);
+            RestrictionDefinition nts  = new RestrictionDefinitionImpl(REP_NT_NAMES, Type.NAMES,
false);
+            RestrictionDefinition mand = new RestrictionDefinitionImpl("mandatory", Type.BOOLEAN,
true);
+            return ImmutableMap.of(glob.getName(), glob, nts.getName(), nts, mand.getName(),
mand);
+        }
+
+        @Nonnull
+        @Override
+        public RestrictionPattern getPattern(@Nullable String oakPath, @Nonnull Tree tree)
{
+            throw new UnsupportedOperationException();
+        }
     }
 }
\ No newline at end of file



Mime
View raw message