jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1522632 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/ test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/
Date Thu, 12 Sep 2013 15:46:31 GMT
Author: angela
Date: Thu Sep 12 15:46:31 2013
New Revision: 1522632

URL: http://svn.apache.org/r1522632
Log:
OAK-51 : Access Control Management

- composite restrictions

Added:
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/TestProvider.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java?rev=1522632&r1=1522631&r2=1522632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProvider.java
Thu Sep 12 15:46:31 2013
@@ -70,7 +70,7 @@ public abstract class AbstractRestrictio
         }
         PropertyState propertyState;
         if (requiredType.isArray()) {
-            propertyState = PropertyStates.createProperty(oakName, ImmutableList.of(value));
+            propertyState = PropertyStates.createProperty(oakName, ImmutableList.of(value),
tag);
         } else {
             propertyState = PropertyStates.createProperty(oakName, value);
         }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java?rev=1522632&r1=1522631&r2=1522632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProvider.java
Thu Sep 12 15:46:31 2013
@@ -17,9 +17,13 @@
 package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
@@ -30,6 +34,7 @@ import javax.jcr.security.AccessControlE
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Sets;
 import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
 
 /**
  * Aggregates of a collection of {@link RestrictionProvider} implementations
@@ -43,6 +48,10 @@ public class CompositeRestrictionProvide
         this.providers = ImmutableSet.copyOf(providers);
     }
 
+    public static RestrictionProvider newInstance(@Nonnull RestrictionProvider... providers)
{
+        return newInstance(Arrays.<RestrictionProvider>asList(providers));
+    }
+
     public static RestrictionProvider newInstance(@Nonnull Collection<? extends RestrictionProvider>
providers) {
         switch (providers.size()) {
             case 0: return EMPTY;
@@ -87,31 +96,31 @@ public class CompositeRestrictionProvide
     public void writeRestrictions(String oakPath, Tree aceTree, Set<Restriction> restrictions)
throws RepositoryException {
         for (Restriction r : restrictions) {
             RestrictionProvider rp = getProvider(oakPath, getName(r));
-            rp.writeRestrictions(oakPath, aceTree, restrictions);
+            rp.writeRestrictions(oakPath, aceTree, Collections.singleton(r));
         }
     }
 
     @Override
     public void validateRestrictions(@Nullable String oakPath, @Nonnull Tree aceTree) throws
AccessControlException, RepositoryException {
-        Set<RestrictionDefinition> supported = getSupportedRestrictions(oakPath);
+        Map<String,RestrictionDefinition> supported = getSupported(oakPath);
         Set<String> rNames = new HashSet<String>();
         for (Restriction r : readRestrictions(oakPath, aceTree)) {
             String name = getName(r);
             rNames.add(name);
-            boolean valid = false;
-            for (RestrictionDefinition def : supported) {
-                if (name.equals(def.getName())) {
-                    valid = def.equals(r.getDefinition());
-                    break;
-                }
+            if (!supported.containsKey(name)) {
+                throw new AccessControlException("Unsupported restriction: " + name + " at
" + oakPath);
             }
-            if (!valid) {
-                throw new AccessControlException("Invalid restriction: " + r + " at " + oakPath);
+            if (!r.getDefinition().equals(supported.get(name))) {
+                throw new AccessControlException("Invalid restriction: " + name + " at "
+ oakPath);
             }
         }
-        for (RestrictionDefinition def : supported) {
-            if (def.isMandatory() && !rNames.contains(def.getName())) {
-                throw new AccessControlException("Mandatory restriction " + def.getName()
+ " is missing.");
+        for (RestrictionDefinition def : supported.values()) {
+            String defName = def.getName();
+            if (hasRestrictionProperty(aceTree, defName) && !rNames.contains(defName))
{
+                throw new AccessControlException("Invalid restriction " + defName + " at
" + oakPath);
+            }
+            if (def.isMandatory() && !rNames.contains(defName)) {
+                throw new AccessControlException("Mandatory restriction " + defName + " is
missing.");
             }
         }
     }
@@ -145,6 +154,24 @@ public class CompositeRestrictionProvide
         throw new AccessControlException("Unsupported restriction (path = " + oakPath + ";
name = " + oakName + ')');
     }
 
+    private Map<String, RestrictionDefinition> getSupported(@Nullable String oakPath)
{
+        Map<String, RestrictionDefinition> supported = new HashMap<String, RestrictionDefinition>();
+        for (RestrictionProvider rp : providers) {
+            for (RestrictionDefinition rd : rp.getSupportedRestrictions(oakPath)) {
+                supported.put(rd.getName(), rd);
+            }
+        }
+        return supported;
+    }
+
+    private static boolean hasRestrictionProperty(Tree aceTree, String name) {
+        if (aceTree.hasProperty(name)) {
+            return true;
+        }
+        Tree restrictionTree = aceTree.getChild(AccessControlConstants.REP_RESTRICTIONS);
+        return restrictionTree.exists() && restrictionTree.hasProperty(name);
+    }
+
     private static String getName(Restriction restriction) {
         return restriction.getDefinition().getName();
     }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java?rev=1522632&r1=1522631&r2=1522632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.java
Thu Sep 12 15:46:31 2013
@@ -95,7 +95,7 @@ public interface RestrictionProvider {
 
     /**
      * Writes the given restrictions to the specified ACE tree. Note, that this
-     * method does not validate the specified restrictions (see also
+     * method does not need to validate the specified restrictions (see also
      * {@link #validateRestrictions(String, org.apache.jackrabbit.oak.api.Tree)}).
      *
      * @param oakPath The path of the access controlled tree or {@code null} if

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java?rev=1522632&r1=1522631&r2=1522632&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/AbstractRestrictionProviderTest.java
Thu Sep 12 15:46:31 2013
@@ -19,8 +19,6 @@ package org.apache.jackrabbit.oak.spi.se
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
 import javax.jcr.PropertyType;
 import javax.jcr.Value;
 import javax.jcr.ValueFactory;
@@ -57,6 +55,7 @@ public class AbstractRestrictionProvider
     private Value nameValue;
 
     private ValueFactory valueFactory;
+    private Map<String, ? extends RestrictionDefinition> supported;
     private AbstractRestrictionProvider restrictionProvider;
 
     @Before
@@ -72,7 +71,11 @@ public class AbstractRestrictionProvider
                 valueFactory.createValue("nt:file", PropertyType.NAME)
         };
 
-        restrictionProvider = new TestProvider();
+        RestrictionDefinition glob = new RestrictionDefinitionImpl(REP_GLOB, Type.STRING,
false);
+        RestrictionDefinition nts  = new RestrictionDefinitionImpl(REP_NT_NAMES, Type.NAMES,
false);
+        RestrictionDefinition mand = new RestrictionDefinitionImpl("mandatory", Type.BOOLEAN,
true);
+        supported = ImmutableMap.of(glob.getName(), glob, nts.getName(), nts, mand.getName(),
mand);
+        restrictionProvider = new TestProvider(supported);
     }
 
     @After
@@ -98,8 +101,8 @@ public class AbstractRestrictionProvider
     public void testGetSupportedRestrictions() throws Exception {
         Set<RestrictionDefinition> defs = restrictionProvider.getSupportedRestrictions(testPath);
         assertNotNull(defs);
-        assertEquals(TestProvider.supportedRestrictions().size(), defs.size());
-        for (RestrictionDefinition def : TestProvider.supportedRestrictions().values()) {
+        assertEquals(supported.size(), defs.size());
+        for (RestrictionDefinition def : supported.values()) {
             assertTrue(defs.contains(def));
         }
     }
@@ -365,24 +368,4 @@ public class AbstractRestrictionProvider
         restrictionProvider.validateRestrictions(testPath, getAceTree(mand, ntNames));
         restrictionProvider.validateRestrictions(testPath, getAceTree(mand, glob, ntNames));
     }
-
-    private static final class TestProvider extends AbstractRestrictionProvider {
-
-        private TestProvider() {
-            super(supportedRestrictions());
-        }
-
-        private static Map<String, RestrictionDefinition> supportedRestrictions() {
-            RestrictionDefinition glob = new RestrictionDefinitionImpl(REP_GLOB, Type.STRING,
false);
-            RestrictionDefinition nts  = new RestrictionDefinitionImpl(REP_NT_NAMES, Type.NAMES,
false);
-            RestrictionDefinition mand = new RestrictionDefinitionImpl("mandatory", Type.BOOLEAN,
true);
-            return ImmutableMap.of(glob.getName(), glob, nts.getName(), nts, mand.getName(),
mand);
-        }
-
-        @Nonnull
-        @Override
-        public RestrictionPattern getPattern(@Nullable String oakPath, @Nonnull Tree tree)
{
-            throw new UnsupportedOperationException();
-        }
-    }
 }
\ No newline at end of file

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java?rev=1522632&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/CompositeRestrictionProviderTest.java
Thu Sep 12 15:46:31 2013
@@ -0,0 +1,282 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
+
+import java.util.Collections;
+import java.util.Map;
+import java.util.Set;
+import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
+import javax.jcr.security.AccessControlException;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
+import org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class CompositeRestrictionProviderTest extends AbstractSecurityTest implements AccessControlConstants
{
+
+    private RestrictionProvider rp1 = new TestProvider(ImmutableMap.<String, RestrictionDefinition>of(
+            REP_GLOB, new RestrictionDefinitionImpl(REP_GLOB, Type.STRING, false),
+            REP_NT_NAMES, new RestrictionDefinitionImpl(REP_NT_NAMES, Type.NAMES, false)
+    ));
+    private RestrictionProvider rp2 = new TestProvider(ImmutableMap.of(
+            "boolean", new RestrictionDefinitionImpl("boolean", Type.BOOLEAN, true),
+            "longs", new RestrictionDefinitionImpl("longs", Type.LONGS, false)
+    ));
+    private Set<String> supported = ImmutableSet.of("boolean", "longs", REP_NT_NAMES,
REP_GLOB);
+    private RestrictionProvider provider = CompositeRestrictionProvider.newInstance(rp1,
rp2);
+
+    private ValueFactory vf;
+
+    @Override
+    @Before
+    public void before() throws Exception {
+        super.before();
+        vf = getValueFactory();
+    }
+
+    @Override
+    @After
+    public void after() throws Exception {
+        try {
+            root.refresh();
+        } finally {
+            super.after();
+        }
+    }
+
+    @Test
+    public void testEmpty() {
+        assertSame(RestrictionProvider.EMPTY, CompositeRestrictionProvider.newInstance(Collections.<RestrictionProvider>emptySet()));
+    }
+
+    @Test
+    public void testSingle() {
+        RestrictionProvider rp = new RestrictionProviderImpl();
+        assertSame(rp, CompositeRestrictionProvider.newInstance(Collections.singleton(rp)));
+    }
+
+    @Test
+    public void testNewInstance() {
+        RestrictionProvider crp = CompositeRestrictionProvider.newInstance(ImmutableSet.of(rp1,
rp2));
+        RestrictionProvider crp2 = CompositeRestrictionProvider.newInstance(rp1, rp2);
+
+        assertEquals(crp.getSupportedRestrictions("/testPath"), crp2.getSupportedRestrictions("/testPath"));
+
+    }
+
+    @Test
+    public void testGetSupportedRestrictions() {
+        String[] paths = new String[] {null, "/testPath"};
+        for (String path : paths) {
+            Set<RestrictionDefinition> defs = provider.getSupportedRestrictions(path);
+            int expectedSize = rp1.getSupportedRestrictions(path).size() + rp2.getSupportedRestrictions(path).size();
+            assertEquals(expectedSize, defs.size());
+            assertTrue(defs.containsAll(rp1.getSupportedRestrictions(path)));
+            assertTrue(defs.containsAll(rp2.getSupportedRestrictions(path)));
+        }
+    }
+
+    @Test
+    public void testCreateRestriction() throws Exception {
+        Map<String, Value> valid = ImmutableMap.of(
+                "boolean", vf.createValue(true),
+                "longs", vf.createValue(10),
+                REP_GLOB, vf.createValue("*")
+        );
+        for (String name : valid.keySet()) {
+            provider.createRestriction("/testPath", name, valid.get(name));
+        }
+    }
+
+    @Test
+    public void testCreateRestrictionWithInvalidPath() throws Exception {
+        try {
+            provider.createRestriction(null, REP_GLOB, vf.createValue("*"));
+            fail("rep:glob not supported at 'null' path");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testCreateInvalidRestriction() throws Exception {
+        Map<String, Value> invalid = ImmutableMap.of(
+                "boolean", vf.createValue("wrong_type"),
+                REP_GLOB, vf.createValue(true)
+        );
+        for (String name : invalid.keySet()) {
+            try {
+                provider.createRestriction("/testPath", name, invalid.get(name));
+                fail("invalid restriction " + name);
+            } catch (AccessControlException e) {
+                // success
+            }
+        }
+    }
+
+    @Test
+    public void testMvCreateRestriction() throws RepositoryException {
+        Map<String, Value[]> valid = ImmutableMap.of(
+                "longs", new Value[] {vf.createValue(100)},
+                REP_NT_NAMES, new Value[] {vf.createValue("nt:base", PropertyType.NAME),
vf.createValue("nt:unstructured", PropertyType.NAME)}
+        );
+        for (String name : valid.keySet()) {
+            provider.createRestriction("/testPath", name, valid.get(name));
+        }
+    }
+
+    @Test
+    public void testCreateMvRestrictionWithInvalidPath() throws Exception {
+        try {
+            provider.createRestriction(null, REP_NT_NAMES, new Value[] {vf.createValue("nt:base",
PropertyType.NAME)});
+            fail("rep:glob not supported at 'null' path");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testCreateInvalidMvRestriction() throws Exception {
+        Map<String, Value[]> invalid = ImmutableMap.of(
+                "boolean", new Value[] {vf.createValue(true), vf.createValue(false)},
+                "longs", new Value[] {vf.createValue("wrong_type")},
+                REP_NT_NAMES, new Value[] {vf.createValue(true)}
+        );
+        for (String name : invalid.keySet()) {
+            try {
+                provider.createRestriction("/testPath", name, invalid.get(name));
+                fail("invalid restriction " + name);
+            } catch (AccessControlException e) {
+                // success
+            }
+        }
+    }
+
+    @Test
+    public void testReadRestrictions() throws Exception {
+        NodeUtil aceNode = new NodeUtil(root.getTree("/")).addChild("test", NT_REP_GRANT_ACE);
+        aceNode.setBoolean("boolean", true);
+        aceNode.setValues("longs", new Value[] {vf.createValue(10), vf.createValue(290)});
+        aceNode.setString(REP_GLOB, "*");
+        aceNode.setNames(REP_NT_NAMES); // empty array
+        aceNode.setString("invalid", "val");
+        aceNode.setStrings("invalid2", "val1", "val2", "val3");
+
+        Set<Restriction> restrictions = provider.readRestrictions("/test", aceNode.getTree());
+        assertEquals(4, restrictions.size());
+        for (Restriction r : restrictions) {
+            String name = r.getDefinition().getName();
+            if (!supported.contains(name)) {
+                fail("read unsupported restriction");
+            }
+        }
+    }
+
+    @Test
+    public void testWriteRestrictions() throws Exception {
+        NodeUtil aceNode = new NodeUtil(root.getTree("/")).addChild("test", NT_REP_GRANT_ACE);
+        Set<Restriction> restrictions = ImmutableSet.of(
+                provider.createRestriction("/test","boolean", vf.createValue(true)),
+                provider.createRestriction("/test", "longs"),
+                provider.createRestriction("/test", REP_GLOB, vf.createValue("*")),
+                provider.createRestriction("/test", REP_NT_NAMES, vf.createValue("nt:base",
PropertyType.NAME), vf.createValue("nt:version", PropertyType.NAME)));
+        provider.writeRestrictions("/test", aceNode.getTree(), restrictions);
+    }
+
+    @Test
+    public void testWriteUnsupportedRestrictions() throws Exception {
+        NodeUtil aceNode = new NodeUtil(root.getTree("/")).addChild("test", NT_REP_GRANT_ACE);
+        Restriction invalid = new RestrictionImpl(PropertyStates.createProperty("invalid",
vf.createValue(true)), false);
+        try {
+            provider.writeRestrictions("/test", aceNode.getTree(), ImmutableSet.<Restriction>of(invalid));
+            fail("AccessControlException expected");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testValidateRestrictions() throws Exception {
+        NodeUtil aceNode = new NodeUtil(root.getTree("/")).addChild("test", NT_REP_GRANT_ACE);
+        NodeUtil rNode = aceNode.addChild(REP_RESTRICTIONS, NT_REP_RESTRICTIONS);
+        rNode.setBoolean("boolean", true);
+        rNode.setValues("longs", new Value[] {vf.createValue(10), vf.createValue(290)});
+        rNode.setString(REP_GLOB, "*");
+        rNode.setNames(REP_NT_NAMES); // empty array
+
+        provider.validateRestrictions("/test", aceNode.getTree());
+
+        // remove mandatory restriction
+        rNode.removeProperty("boolean");
+        try {
+            provider.validateRestrictions("/test", aceNode.getTree());
+            fail("validation should detect missing mandatory restrictions");
+        } catch (AccessControlException e) {
+            // success
+        }
+
+        // set with wrong type
+        rNode.setName("boolean", "nt:base");
+        try {
+            provider.validateRestrictions("/test", aceNode.getTree());
+            fail("validation should detect wrong restriction type");
+        } catch (AccessControlException e) {
+            // success
+        } finally {
+            rNode.setBoolean("boolean", true);
+        }
+
+        rNode.setStrings(REP_GLOB, "*", "/jcr:content");
+        try {
+            provider.validateRestrictions("/test", aceNode.getTree());
+            fail("validation should detect wrong restriction type (multi vs single valued)");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testGetRestrictionPattern() throws Exception {
+        NodeUtil aceNode = new NodeUtil(root.getTree("/")).addChild("test", NT_REP_GRANT_ACE);
+        NodeUtil rNode = aceNode.addChild(REP_RESTRICTIONS, NT_REP_RESTRICTIONS);
+        rNode.setString(REP_GLOB, "*");
+
+        assertFalse(provider.getPattern("/test", aceNode.getTree()) instanceof CompositePattern);
+
+        rNode.setBoolean("boolean", true);
+        rNode.setValues("longs", new Value[]{vf.createValue(10), vf.createValue(290)});
+
+        assertTrue(provider.getPattern("/test", rNode.getTree()) instanceof CompositePattern);
+    }
+}
\ No newline at end of file

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/TestProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/TestProvider.java?rev=1522632&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/TestProvider.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/TestProvider.java
Thu Sep 12 15:46:31 2013
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authorization.restriction;
+
+import java.util.Map;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+
+/**
+ * RestrictionProvider for tests.
+ */
+final class TestProvider extends AbstractRestrictionProvider {
+
+    TestProvider(Map<String, ? extends RestrictionDefinition> supportedRestrictions)
{
+        super(supportedRestrictions);
+    }
+
+    @Nonnull
+    @Override
+    public RestrictionPattern getPattern(@Nullable String oakPath, @Nonnull Tree tree) {
+        boolean hasRestriction = false;
+        for (RestrictionDefinition rd : getSupportedRestrictions(oakPath)) {
+            if (tree.hasProperty(rd.getName())) {
+                hasRestriction = true;
+                break;
+            }
+        }
+        return (hasRestriction) ? new MatchingPattern() : RestrictionPattern.EMPTY;
+    }
+
+    private static final class MatchingPattern implements RestrictionPattern {
+
+        @Override
+        public boolean matches(@Nonnull Tree tree, @Nullable PropertyState property) {
+            return true;
+        }
+
+        @Override
+        public boolean matches(@Nonnull String path) {
+            return true;
+        }
+
+        @Override
+        public boolean matches() {
+            return true;
+        }
+    }
+}
\ No newline at end of file



Mime
View raw message