jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1560428 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ oak-jcr/src/test/java/org/apa...
Date Wed, 22 Jan 2014 17:21:15 GMT
Author: angela
Date: Wed Jan 22 17:21:14 2014
New Revision: 1560428

URL: http://svn.apache.org/r1560428
Log:
OAK-1350 : Inconsistent Principal Validation between API and Import behavior

Added:
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java   (with props)
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java   (with props)
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportIgnoreTest.java
      - copied, changed from r1559977, jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java Wed Jan 22 17:21:14 2014
@@ -52,25 +52,18 @@ abstract class ACL extends AbstractAcces
 
     private final List<ACE> entries = new ArrayList<ACE>();
 
-    private final PrincipalManager principalManager;
-    private final PrivilegeManager privilegeManager;
-    private final PrivilegeBitsProvider privilegeBitsProvider;
-
     ACL(@Nullable String oakPath, @Nullable List<ACE> entries,
-        @Nonnull NamePathMapper namePathMapper,
-        @Nonnull PrincipalManager principalManager,
-        @Nonnull PrivilegeManager privilegeManager,
-        @Nonnull PrivilegeBitsProvider privilegeBitsProvider) {
+        @Nonnull NamePathMapper namePathMapper) {
         super(oakPath, namePathMapper);
         if (entries != null) {
             this.entries.addAll(entries);
         }
-        this.principalManager = principalManager;
-        this.privilegeManager = privilegeManager;
-        this.privilegeBitsProvider = privilegeBitsProvider;
     }
 
     abstract ACE createACE(Principal principal, PrivilegeBits privilegeBits, boolean isAllow, Set<Restriction> restrictions) throws RepositoryException;
+    abstract void checkValidPrincipal(Principal principal) throws AccessControlException;
+    abstract PrivilegeManager getPrivilegeManager();
+    abstract PrivilegeBits getPrivilegeBits(Privilege[] privileges);
 
     //------------------------------------------< AbstractAccessControlList >---
     @Nonnull
@@ -98,13 +91,13 @@ abstract class ACL extends AbstractAcces
             throw new AccessControlException("Privileges may not be null nor an empty array");
         }
         for (Privilege p : privileges) {
-            Privilege pv = privilegeManager.getPrivilege(p.getName());
+            Privilege pv = getPrivilegeManager().getPrivilege(p.getName());
             if (pv.isAbstract()) {
                 throw new AccessControlException("Privilege " + p + " is abstract.");
             }
         }
 
-        Util.checkValidPrincipal(principal, principalManager);
+        checkValidPrincipal(principal);
 
         for (RestrictionDefinition def : getRestrictionProvider().getSupportedRestrictions(getOakPath())) {
             String jcrName = getNamePathMapper().getJcrName(def.getName());
@@ -241,8 +234,4 @@ abstract class ACL extends AbstractAcces
     private ACE createACE(@Nonnull ACE existing, @Nonnull PrivilegeBits newPrivilegeBits) throws RepositoryException {
         return createACE(existing.getPrincipal(), newPrivilegeBits, existing.isAllow(), existing.getRestrictions());
     }
-
-    private PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
-        return privilegeBitsProvider.getBits(privileges, getNamePathMapper());
-    }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.java Wed Jan 22 17:21:14 2014
@@ -16,6 +16,7 @@
  */
 package org.apache.jackrabbit.oak.security.authorization.accesscontrol;
 
+import java.security.AccessControlException;
 import java.security.Principal;
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -44,6 +45,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
 import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
 import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
 import org.apache.jackrabbit.oak.spi.xml.NodeInfo;
 import org.apache.jackrabbit.oak.spi.xml.PropInfo;
 import org.apache.jackrabbit.oak.spi.xml.ProtectedNodeImporter;
@@ -76,6 +78,8 @@ public class AccessControlImporter imple
     private JackrabbitAccessControlList acl;
     private MutableEntry entry;
 
+    private int importBehavior;
+
     //----------------------------------------------< ProtectedItemImporter >---
 
     @Override
@@ -86,8 +90,10 @@ public class AccessControlImporter imple
             throw new IllegalStateException("Already initialized");
         }
         try {
+            AuthorizationConfiguration config = securityProvider.getConfiguration(AuthorizationConfiguration.class);
+            importBehavior = Util.getImportBehavior(config);
+
             if (isWorkspaceImport) {
-                AuthorizationConfiguration config = securityProvider.getConfiguration(AuthorizationConfiguration.class);
                 acMgr = config.getAccessControlManager(root, namePathMapper);
                 PrincipalConfiguration pConfig = securityProvider.getConfiguration(PrincipalConfiguration.class);
                 principalManager = pConfig.getPrincipalManager(root, namePathMapper);
@@ -230,10 +236,13 @@ public class AccessControlImporter imple
     private final class MutableEntry {
 
         final boolean isAllow;
+
         Principal principal;
         List<Privilege> privileges;
         Map<String, Value> restrictions = new HashMap<String, Value>();
 
+        boolean ignore;
+
         private MutableEntry(boolean isAllow) {
             this.isAllow = isAllow;
         }
@@ -242,7 +251,16 @@ public class AccessControlImporter imple
             String principalName = txtValue.getString();
             principal = principalManager.getPrincipal(principalName);
             if (principal == null) {
-                principal = new PrincipalImpl(principalName);
+                switch (importBehavior) {
+                    case ImportBehavior.IGNORE:
+                        log.debug("Unknown principal " + principalName + " -> Ignoring this ACE.");
+                        ignore = true;
+                        break;
+                    case ImportBehavior.ABORT:
+                        throw new AccessControlException("Unknown principal " + principalName);
+                    case ImportBehavior.BESTEFFORT:
+                        principal = new PrincipalImpl(principalName);
+                }
             }
         }
 
@@ -268,7 +286,11 @@ public class AccessControlImporter imple
 
         private void applyTo(JackrabbitAccessControlList acl) throws RepositoryException {
             checkNotNull(acl);
-            acl.addEntry(principal, privileges.toArray(new Privilege[privileges.size()]), isAllow, restrictions);
+            if (!ignore) {
+                acl.addEntry(principal, privileges.toArray(new Privilege[privileges.size()]), isAllow, restrictions);
+            } else {
+                log.debug("Unknown principal: Ignore ACE based on ImportBehavior.IGNORE configuration.");
+            }
         }
     }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java Wed Jan 22 17:21:14 2014
@@ -46,6 +46,7 @@ import com.google.common.collect.Lists;
 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
+import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
 import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
@@ -75,6 +76,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
 import org.apache.jackrabbit.oak.util.NodeUtil;
 import org.apache.jackrabbit.oak.util.PropertyBuilder;
 import org.apache.jackrabbit.oak.util.TreeUtil;
@@ -320,7 +322,7 @@ public class AccessControlManagerImpl ex
     @Nonnull
     @Override
     public JackrabbitAccessControlPolicy[] getApplicablePolicies(@Nonnull Principal principal) throws RepositoryException {
-        Util.checkValidPrincipal(principal, principalManager);
+        Util.checkValidPrincipal(principal, principalManager, true);
 
         String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null;
         JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal);
@@ -335,7 +337,7 @@ public class AccessControlManagerImpl ex
     @Nonnull
     @Override
     public JackrabbitAccessControlPolicy[] getPolicies(@Nonnull Principal principal) throws RepositoryException {
-        Util.checkValidPrincipal(principal, principalManager);
+        Util.checkValidPrincipal(principal, principalManager, true);
 
         String oakPath = (principal instanceof ItemBasedPrincipal) ? ((ItemBasedPrincipal) principal).getPath() : null;
         JackrabbitAccessControlPolicy policy = createPrincipalACL(oakPath, principal);
@@ -543,7 +545,7 @@ public class AccessControlManagerImpl ex
         }
 
         NodeACL(@Nullable String oakPath, @Nullable List<ACE> entries) {
-            super(oakPath, entries, AccessControlManagerImpl.this.getNamePathMapper(), principalManager, getPrivilegeManager(), bitsProvider);
+            super(oakPath, entries, AccessControlManagerImpl.this.getNamePathMapper());
         }
 
         @Nonnull
@@ -558,6 +560,21 @@ public class AccessControlManagerImpl ex
         }
 
         @Override
+        void checkValidPrincipal(Principal principal) throws AccessControlException {
+            Util.checkValidPrincipal(principal, principalManager, ImportBehavior.BESTEFFORT != Util.getImportBehavior(getConfig()));
+        }
+
+        @Override
+        PrivilegeManager getPrivilegeManager() {
+            return AccessControlManagerImpl.this.getPrivilegeManager();
+        }
+
+        @Override
+        PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
+            return bitsProvider.getBits(privileges, getNamePathMapper());
+        }
+
+        @Override
         public boolean equals(Object obj) {
             if (obj == this) {
                 return true;
@@ -588,7 +605,7 @@ public class AccessControlManagerImpl ex
         private PrincipalACL(@Nullable String oakPath, @Nonnull Principal principal,
                              @Nullable List<ACE> entries,
                              @Nonnull RestrictionProvider restrictionProvider) {
-            super(oakPath, entries, AccessControlManagerImpl.this.getNamePathMapper(), principalManager, getPrivilegeManager(), bitsProvider);
+            super(oakPath, entries, AccessControlManagerImpl.this.getNamePathMapper());
             this.principal = principal;
             rProvider = restrictionProvider;
         }
@@ -605,6 +622,21 @@ public class AccessControlManagerImpl ex
         }
 
         @Override
+        void checkValidPrincipal(Principal principal) throws AccessControlException {
+            Util.checkValidPrincipal(principal, principalManager, true);
+        }
+
+        @Override
+        PrivilegeManager getPrivilegeManager() {
+            return AccessControlManagerImpl.this.getPrivilegeManager();
+        }
+
+        @Override
+        PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
+            return bitsProvider.getBits(privileges, getNamePathMapper());
+        }
+
+        @Override
         public void orderBefore(AccessControlEntry srcEntry, AccessControlEntry destEntry) throws RepositoryException {
             throw new UnsupportedRepositoryOperationException("reordering is not supported");
         }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java Wed Jan 22 17:21:14 2014
@@ -26,8 +26,11 @@ import javax.jcr.security.AccessControlP
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
 import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
 import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
 
 /**
  * Implementation specific access control utility methods
@@ -40,12 +43,13 @@ final class Util implements AccessContro
     private Util() {}
 
     public static void checkValidPrincipal(@Nullable Principal principal,
-                                           @Nonnull PrincipalManager principalManager) throws AccessControlException {
+                                           @Nonnull PrincipalManager principalManager,
+                                           boolean verifyExists) throws AccessControlException {
         String name = (principal == null) ? null : principal.getName();
         if (name == null || name.isEmpty()) {
             throw new AccessControlException("Invalid principal " + name);
         }
-        if (!(principal instanceof PrincipalImpl) && !principalManager.hasPrincipal(name)) {
+        if (verifyExists && !(principal instanceof PrincipalImpl) && !principalManager.hasPrincipal(name)) {
             throw new AccessControlException("Unknown principal " + name);
         }
     }
@@ -56,7 +60,7 @@ final class Util implements AccessContro
             throw new AccessControlException("Valid principals expected. Found null.");
         }
         for (Principal principal : principals) {
-            checkValidPrincipal(principal, principalManager);
+            checkValidPrincipal(principal, principalManager, true);
         }
     }
 
@@ -112,4 +116,9 @@ final class Util implements AccessContro
         }
         return aceName;
     }
+
+    public static int getImportBehavior(AuthorizationConfiguration config) {
+        String importBehaviorStr = config.getParameters().getConfigValue(ProtectedItemImporter.PARAM_IMPORT_BEHAVIOR, ImportBehavior.NAME_ABORT);
+        return ImportBehavior.valueFromString(importBehaviorStr);
+    }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java Wed Jan 22 17:21:14 2014
@@ -100,7 +100,7 @@ public class ACLTest extends AbstractAcc
                                                   @Nonnull NamePathMapper namePathMapper,
                                                   final @Nonnull RestrictionProvider restrictionProvider) {
         String path = (jcrPath == null) ? null : namePathMapper.getOakPathKeepIndex(jcrPath);
-        return new ACL(path, entries, namePathMapper, principalManager, privilegeManager, getBitsProvider()) {
+        return new ACL(path, entries, namePathMapper) {
             @Override
             public RestrictionProvider getRestrictionProvider() {
                 return restrictionProvider;
@@ -110,6 +110,22 @@ public class ACLTest extends AbstractAcc
             ACE createACE(Principal principal, PrivilegeBits privilegeBits, boolean isAllow, Set<Restriction> restrictions) throws RepositoryException {
                 return createEntry(principal, privilegeBits, isAllow, restrictions);
             }
+
+            @Override
+            void checkValidPrincipal(Principal principal) throws AccessControlException {
+                Util.checkValidPrincipal(principal, principalManager, true);
+
+            }
+
+            @Override
+            PrivilegeManager getPrivilegeManager() {
+                return privilegeManager;
+            }
+
+            @Override
+            PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
+                return getBitsProvider().getBits(privileges, getNamePathMapper());
+            }
         };
     }
 

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java Wed Jan 22 17:21:14 2014
@@ -50,6 +50,7 @@ import org.apache.jackrabbit.JcrConstant
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
+import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.oak.TestNameMapper;
 import org.apache.jackrabbit.oak.api.ContentSession;
@@ -175,14 +176,30 @@ public class AccessControlManagerImplTes
 
     private ACL createPolicy(@Nullable String path) {
         final PrincipalManager pm = getPrincipalManager(root);
+        final PrivilegeManager pvMgr = getPrivilegeManager(root);
         final RestrictionProvider rp = getRestrictionProvider();
-        return new ACL(path, null, getNamePathMapper(), pm, AccessControlManagerImplTest.this.getPrivilegeManager(root), getBitsProvider()) {
+        return new ACL(path, null, getNamePathMapper()) {
 
             @Override
             ACE createACE(Principal principal, PrivilegeBits privilegeBits, boolean isAllow, Set<Restriction> restrictions) {
                 throw new UnsupportedOperationException();
             }
 
+            @Override
+            void checkValidPrincipal(Principal principal) throws AccessControlException {
+                Util.checkValidPrincipal(principal, pm, true);
+            }
+
+            @Override
+            PrivilegeManager getPrivilegeManager() {
+                return pvMgr;
+            }
+
+            @Override
+            PrivilegeBits getPrivilegeBits(Privilege[] privileges) {
+                return getBitsProvider().getBits(privileges, getNamePathMapper());
+            }
+
             @Nonnull
             @Override
             public RestrictionProvider getRestrictionProvider() {

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java?rev=1560428&r1=1560427&r2=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java Wed Jan 22 17:21:14 2014
@@ -335,41 +335,6 @@ public class AccessControlImporterTest e
         }
     }
 
-    public void testImportACLUnknown() throws Exception {
-        try {
-            Node target = createImportTarget();
-
-            doImport(target.getPath(), XML_POLICY_TREE_4);
-
-            String path = target.getPath();
-
-            AccessControlManager acMgr = superuser.getAccessControlManager();
-            AccessControlPolicy[] policies = acMgr.getPolicies(path);
-
-            assertEquals(1, policies.length);
-            assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
-            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
-            assertEquals(2, entries.length);
-
-            AccessControlEntry entry = entries[0];
-            assertEquals("unknownprincipal", entry.getPrincipal().getName());
-            assertEquals(1, entry.getPrivileges().length);
-            assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
-            entry = entries[1];
-            assertEquals("admin", entry.getPrincipal().getName());
-            assertEquals(1, entry.getPrivileges().length);
-            assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
-            if (entry instanceof JackrabbitAccessControlEntry) {
-                assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
-            }
-        } finally {
-            superuser.refresh(false);
-        }
-    }
-
     /**
      * Imports a resource-based ACL containing a single entry for a policy that
      * already exists: expected outcome its that the existing ACE is replaced.

Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java?rev=1560428&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java (added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java Wed Jan 22 17:21:14 2014
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import java.security.AccessControlException;
+
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.junit.Test;
+
+import static org.junit.Assert.fail;
+
+public class ImportAbortTest extends ImportIgnoreTest {
+
+    protected String getImportBehavior() {
+        return ImportBehavior.NAME_ABORT;
+    }
+
+    @Test
+    public void testImportUnknownPrincipal() throws Exception {
+        try {
+            runImport();
+            fail("Import with unknown principal must fail.");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
+}

Propchange: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportAbortTest.java
------------------------------------------------------------------------------
    svn:executable = *

Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java?rev=1560428&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java (added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java Wed Jan 22 17:21:14 2014
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import java.security.Principal;
+import javax.jcr.RepositoryException;
+import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.AccessControlPolicy;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+public class ImportBesteffortTest extends ImportIgnoreTest {
+
+    protected String getImportBehavior() {
+        return ImportBehavior.NAME_BESTEFFORT;
+    }
+
+    @Test
+    public void testImportUnknownPrincipal() throws Exception {
+        runImport();
+
+        AccessControlManager acMgr = adminSession.getAccessControlManager();
+        AccessControlPolicy[] policies = acMgr.getPolicies(target.getPath());
+
+        assertEquals(1, policies.length);
+        assertTrue(policies[0] instanceof JackrabbitAccessControlList);
+
+        AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
+        assertEquals(1, entries.length);
+
+        AccessControlEntry entry = entries[0];
+        assertEquals("unknownprincipal", entry.getPrincipal().getName());
+        assertEquals(1, entry.getPrivileges().length);
+        assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
+
+        if (entry instanceof JackrabbitAccessControlEntry) {
+            assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
+        }
+    }
+
+    @Test
+    public void testAddEntry() throws RepositoryException {
+        Principal unknown = new Principal() {
+            @Override
+            public String getName() {
+                return "anotherUnknown";
+            }
+        };
+        AccessControlUtils.addAccessControlEntry(adminSession, target.getPath(), unknown, new String[] {Privilege.JCR_READ}, true);
+    }
+}

Propchange: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportBesteffortTest.java
------------------------------------------------------------------------------
    svn:executable = *

Copied: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportIgnoreTest.java (from r1559977, jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportIgnoreTest.java?p2=jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportIgnoreTest.java&p1=jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java&r1=1559977&r2=1560428&rev=1560428&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ImportIgnoreTest.java Wed Jan 22 17:21:14 2014
@@ -19,100 +19,36 @@ package org.apache.jackrabbit.oak.jcr.se
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.security.Principal;
-import java.util.Arrays;
-import java.util.List;
-import javax.annotation.Nullable;
+import java.util.HashMap;
+import java.util.Map;
 import javax.jcr.ImportUUIDBehavior;
 import javax.jcr.Node;
+import javax.jcr.Repository;
 import javax.jcr.RepositoryException;
-import javax.jcr.security.AccessControlEntry;
-import javax.jcr.security.AccessControlException;
+import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
 import javax.jcr.security.AccessControlList;
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.AccessControlPolicy;
-import javax.jcr.security.AccessControlPolicyIterator;
-import javax.jcr.security.Privilege;
 
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
-import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
-import org.apache.jackrabbit.test.AbstractJCRTest;
-
-public class AccessControlImporterTest extends AbstractJCRTest {
-
-    public static final String XML_POLICY_TREE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
-            "<sv:node sv:name=\"test\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
-            "  <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>nt:unstructured</sv:value></sv:property>" +
-            "  <sv:property sv:name=\"jcr:mixinTypes\" sv:type=\"Name\">" +
-            "     <sv:value>rep:AccessControllable</sv:value>" +
-            "  </sv:property>" +
-            "  <sv:node sv:name=\"rep:policy\">" +
-            "     <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:ACL</sv:value></sv:property>" +
-            "     <sv:node sv:name=\"allow\">" +
-            "         <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
-            "             <sv:value>rep:GrantACE</sv:value>" +
-            "         </sv:property>" +
-            "         <sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
-            "             <sv:value>everyone</sv:value>" +
-            "         </sv:property>" +
-            "         <sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
-            "             <sv:value>jcr:write</sv:value>" +
-            "         </sv:property>" +
-            "     </sv:node>" +
-            "  </sv:node>" +
-            "</sv:node>";
+import com.google.common.collect.ImmutableMap;
+import org.apache.jackrabbit.oak.jcr.Jcr;
+import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
+import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
+import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
 
-    public static final String XML_POLICY_TREE_2 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
-            "<sv:node sv:name=\"rep:policy\" " +
-            "xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
-            "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
-            "<sv:value>rep:ACL</sv:value>" +
-            "</sv:property>" +
-            "<sv:node sv:name=\"allow\">" +
-            "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
-            "<sv:value>rep:GrantACE</sv:value>" +
-            "</sv:property>" +
-            "<sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
-            "<sv:value>everyone</sv:value>" +
-            "</sv:property>" +
-            "<sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
-            "<sv:value>jcr:write</sv:value>" +
-            "</sv:property>" +
-            "</sv:node>" +
-            "</sv:node>";
+import static org.junit.Assert.assertEquals;
 
-    public static final String XML_POLICY_TREE_3 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
-            "<sv:node sv:name=\"rep:policy\" " +
-            "xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
-            "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
-            "<sv:value>rep:ACL</sv:value>" +
-            "</sv:property>" +
-            "<sv:node sv:name=\"allow\">" +
-            "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
-            "<sv:value>rep:GrantACE</sv:value>" +
-            "</sv:property>" +
-            "<sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
-            "<sv:value>everyone</sv:value>" +
-            "</sv:property>" +
-            "<sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
-            "<sv:value>jcr:write</sv:value>" +
-            "</sv:property>" +
-            "</sv:node>" +
-            "<sv:node sv:name=\"allow0\">" +
-            "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
-            "<sv:value>rep:GrantACE</sv:value>" +
-            "</sv:property>" +
-            "<sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
-            "<sv:value>admin</sv:value>" +
-            "</sv:property>" +
-            "<sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
-            "<sv:value>jcr:write</sv:value>" +
-            "</sv:property>" +
-            "</sv:node>" +
-            "</sv:node>";
+public class ImportIgnoreTest {
 
-    public static final String XML_POLICY_TREE_4 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+    private static final String XML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
             "<sv:node sv:name=\"rep:policy\" " +
             "xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
             "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
@@ -129,378 +65,68 @@ public class AccessControlImporterTest e
             "<sv:value>jcr:write</sv:value>" +
             "</sv:property>" +
             "</sv:node>" +
-            "<sv:node sv:name=\"allow0\">" +
-            "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
-            "<sv:value>rep:GrantACE</sv:value>" +
-            "</sv:property>" +
-            "<sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
-            "<sv:value>admin</sv:value>" +
-            "</sv:property>" +
-            "<sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
-            "<sv:value>jcr:write</sv:value>" +
-            "</sv:property>" +
-            "</sv:node>" +
-            "</sv:node>";
-
-    public static final String XML_POLICY_TREE_5 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
-            "<sv:node sv:name=\"rep:policy\" " +
-            "xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
-            "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
-            "<sv:value>rep:ACL</sv:value>" +
-            "</sv:property>" +
-            "<sv:node sv:name=\"allow0\">" +
-            "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
-            "<sv:value>rep:GrantACE</sv:value>" +
-            "</sv:property>" +
-            "<sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
-            "<sv:value>admin</sv:value>" +
-            "</sv:property>" +
-            "<sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
-            "<sv:value>jcr:write</sv:value>" +
-            "</sv:property>" +
-            "</sv:node>" +
-            "</sv:node>";
-
-    public static final String XML_REPO_POLICY_TREE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
-            "<sv:node sv:name=\"rep:repoPolicy\" " +
-            "xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
-            "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
-            "<sv:value>rep:ACL</sv:value>" +
-            "</sv:property>" +
-            "<sv:node sv:name=\"allow\">" +
-            "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">" +
-            "<sv:value>rep:GrantACE</sv:value>" +
-            "</sv:property>" +
-            "<sv:property sv:name=\"rep:principalName\" sv:type=\"String\">" +
-            "<sv:value>admin</sv:value>" +
-            "</sv:property>" +
-            "<sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">" +
-            "<sv:value>jcr:workspaceManagement</sv:value>" +
-            "</sv:property>" +
-            "</sv:node>" +
             "</sv:node>";
 
-    public static final String XML_POLICY_ONLY = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
-            "<sv:node sv:name=\"test\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" +
-            "  <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>nt:unstructured</sv:value></sv:property>" +
-            "  <sv:property sv:name=\"jcr:mixinTypes\" sv:type=\"Name\">" +
-            "     <sv:value>rep:AccessControllable</sv:value>" +
-            "  </sv:property>" +
-            "  <sv:node sv:name=\"rep:policy\">" +
-            "     <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:ACL</sv:value></sv:property>" +
-            "  </sv:node>" +
-            "</sv:node>";
+    private Repository repo;
+    protected Session adminSession;
+    protected Node target;
+
+    @Before
+    public void before() throws Exception {
+        String importBehavior = getImportBehavior();
+        SecurityProvider securityProvider;
+        if (importBehavior != null) {
+            Map<String, String> params = new HashMap<String, String>();
+            params.put(ProtectedItemImporter.PARAM_IMPORT_BEHAVIOR, getImportBehavior());
+            ConfigurationParameters config = ConfigurationParameters.of(ImmutableMap.of(AuthorizationConfiguration.NAME, ConfigurationParameters.of(params)));
 
-    protected void doImport(String parentPath, String xml) throws IOException, RepositoryException {
-        InputStream in = new ByteArrayInputStream(xml.getBytes("UTF-8"));
-        if (isSessionImport()) {
-            superuser.importXML(parentPath, in, ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW);
+            securityProvider = new SecurityProviderImpl(config);
         } else {
-            superuser.save();
-            superuser.getWorkspace().importXML(parentPath, in, ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW);
+            securityProvider = new SecurityProviderImpl();
         }
-    }
-
-    protected boolean isSessionImport() {
-        return true;
-    }
+        Jcr jcr = new Jcr();
+        jcr.with(securityProvider);
+        repo = jcr.createRepository();
+        adminSession = repo.login(new SimpleCredentials(UserConstants.DEFAULT_ADMIN_ID, UserConstants.DEFAULT_ADMIN_ID.toCharArray()));
 
-    private Node createImportTarget() throws RepositoryException {
-        Node target = testRootNode.addNode(nodeName1);
+        target = adminSession.getRootNode().addNode("nodeName1");
         target.addMixin("rep:AccessControllable");
-        if (!isSessionImport()) {
-            superuser.save();
-        }
-        return target;
-    }
-
-    private Node createImportTargetWithPolicy(@Nullable Principal principal) throws RepositoryException {
-        Node target = testRootNode.addNode("test", "test:sameNameSibsFalseChildNodeDefinition");
-        AccessControlManager acMgr = superuser.getAccessControlManager();
-        for (AccessControlPolicyIterator it = acMgr.getApplicablePolicies(target.getPath()); it.hasNext(); ) {
-            AccessControlPolicy policy = it.nextAccessControlPolicy();
-            if (policy instanceof AccessControlList) {
-                if (principal != null) {
-                    Privilege[] privs = new Privilege[]{acMgr.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)};
-                    ((AccessControlList) policy).addAccessControlEntry(principal, privs);
-                }
-                acMgr.setPolicy(target.getPath(), policy);
-            }
-        }
-        if (!isSessionImport()) {
-            superuser.save();
-        }
-        return target;
-    }
-
-    /**
-     * Imports a resource-based ACL containing a single entry.
-     *
-     * @throws Exception
-     */
-    public void testImportACL() throws Exception {
-        try {
-            Node target = testRootNode;
-            doImport(target.getPath(), XML_POLICY_TREE);
-
-            assertTrue(target.hasNode("test"));
-            String path = target.getNode("test").getPath();
-
-            AccessControlManager acMgr = superuser.getAccessControlManager();
-            AccessControlPolicy[] policies = acMgr.getPolicies(path);
-
-            assertEquals(1, policies.length);
-            assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
-            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
-            assertEquals(1, entries.length);
-
-            AccessControlEntry entry = entries[0];
-            assertEquals("everyone", entry.getPrincipal().getName());
-            assertEquals(1, entry.getPrivileges().length);
-            assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
-            if (entry instanceof JackrabbitAccessControlEntry) {
-                assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
-            }
-
-        } finally {
-            superuser.refresh(false);
-        }
+        adminSession.save();
     }
 
-    public void testImportACLOnly() throws Exception {
-        try {
-            Node target = createImportTarget();
-
-            doImport(target.getPath(), XML_POLICY_TREE_3);
-
-            String path = target.getPath();
-
-            AccessControlManager acMgr = superuser.getAccessControlManager();
-            AccessControlPolicy[] policies = acMgr.getPolicies(path);
-
-            assertEquals(1, policies.length);
-            assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
-            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
-            assertEquals(2, entries.length);
-
-            AccessControlEntry entry = entries[0];
-            assertEquals("everyone", entry.getPrincipal().getName());
-            assertEquals(1, entry.getPrivileges().length);
-            assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
-            entry = entries[1];
-            assertEquals("admin", entry.getPrincipal().getName());
-            assertEquals(1, entry.getPrivileges().length);
-            assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
-            if (entry instanceof JackrabbitAccessControlEntry) {
-                assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
-            }
-        } finally {
-            superuser.refresh(false);
+    @After
+    public void after() throws Exception {
+        if (adminSession != null) {
+            adminSession.refresh(false);
+            adminSession.logout();
         }
+        repo = null;
     }
 
-    public void testImportACLRemoveACE() throws Exception {
-        try {
-            Node target = createImportTarget();
-
-            doImport(target.getPath(), XML_POLICY_TREE_3);
-            doImport(target.getPath(), XML_POLICY_TREE_5);
-
-            String path = target.getPath();
-
-            AccessControlManager acMgr = superuser.getAccessControlManager();
-            AccessControlPolicy[] policies = acMgr.getPolicies(path);
-
-            assertEquals(1, policies.length);
-            assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
-            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
-            assertEquals(1, entries.length);
-
-            AccessControlEntry entry = entries[0];
-            assertEquals("admin", entry.getPrincipal().getName());
-            assertEquals(1, entry.getPrivileges().length);
-            assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
-            if (entry instanceof JackrabbitAccessControlEntry) {
-                assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
-            }
-        } finally {
-            superuser.refresh(false);
-        }
+    protected String getImportBehavior() {
+        return ImportBehavior.NAME_IGNORE;
     }
 
-    public void testImportACLUnknown() throws Exception {
-        try {
-            Node target = createImportTarget();
-
-            doImport(target.getPath(), XML_POLICY_TREE_4);
-
-            String path = target.getPath();
+    protected void runImport() throws RepositoryException, IOException {
+        String path = target.getPath();
 
-            AccessControlManager acMgr = superuser.getAccessControlManager();
-            AccessControlPolicy[] policies = acMgr.getPolicies(path);
+        InputStream in = new ByteArrayInputStream(XML.getBytes("UTF-8"));
+        adminSession.importXML(target.getPath(), in, ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW);
 
-            assertEquals(1, policies.length);
-            assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
-            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
-            assertEquals(2, entries.length);
-
-            AccessControlEntry entry = entries[0];
-            assertEquals("unknownprincipal", entry.getPrincipal().getName());
-            assertEquals(1, entry.getPrivileges().length);
-            assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
-            entry = entries[1];
-            assertEquals("admin", entry.getPrincipal().getName());
-            assertEquals(1, entry.getPrivileges().length);
-            assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
-            if (entry instanceof JackrabbitAccessControlEntry) {
-                assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
-            }
-        } finally {
-            superuser.refresh(false);
-        }
     }
 
-    /**
-     * Imports a resource-based ACL containing a single entry for a policy that
-     * already exists: expected outcome its that the existing ACE is replaced.
-     */
-    public void testImportPolicyExists() throws Exception {
+    @Test
+    public void testImportUnknownPrincipal() throws Exception {
         try {
-            Node target = createImportTargetWithPolicy(EveryonePrincipal.getInstance());
-            doImport(target.getPath(), XML_POLICY_TREE_2);
+            runImport();
 
-            AccessControlManager acMgr = superuser.getAccessControlManager();
+            AccessControlManager acMgr = adminSession.getAccessControlManager();
             AccessControlPolicy[] policies = acMgr.getPolicies(target.getPath());
-            assertEquals(1, policies.length);
-            assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
-            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
-            assertEquals(1, entries.length);
-
-            AccessControlEntry entry = entries[0];
-            assertEquals(EveryonePrincipal.getInstance(), entry.getPrincipal());
-            List<Privilege> privs = Arrays.asList(entry.getPrivileges());
-            assertEquals(1, privs.size());
-            assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
-
-            if (entry instanceof JackrabbitAccessControlEntry) {
-                assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
-            }
-        } finally {
-            superuser.refresh(false);
-        }
-    }
-
-    /**
-     * Imports an empty resource-based ACL for a policy that already exists.
-     *
-     * @throws Exception
-     */
-    public void testImportEmptyExistingPolicy() throws Exception {
-        try {
-            Node target = createImportTargetWithPolicy(null);
-            doImport(target.getPath(), XML_POLICY_ONLY);
-
-            AccessControlPolicy[] policies = superuser.getAccessControlManager().getPolicies(target.getPath());
-
-            assertEquals(1, policies.length);
-            assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
-            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
-            assertEquals(0, entries.length);
-
-        } finally {
-            superuser.refresh(false);
-        }
-    }
-
-    /**
-     * Repo level acl must be imported underneath the root node.
-     *
-     * @throws Exception
-     */
-    public void testImportRepoACLAtRoot() throws Exception {
-        Node target = superuser.getRootNode();
-        AccessControlManager acMgr = superuser.getAccessControlManager();
-        try {
-            // need to add mixin. in contrast to only using JCR API to retrieve
-            // and set the policies the protected item import only is called if
-            // the node to be imported is defined to be protected. however, if
-            // the root node doesn't have the mixin assigned the defining node
-            // type of the imported policy nodes will be rep:root (unstructured)
-            // and the items will not be detected as being protected.
-            target.addMixin("rep:RepoAccessControllable");
-            if (!isSessionImport()) {
-                superuser.save();
-            }
-
-            doImport(target.getPath(), XML_REPO_POLICY_TREE);
-
-            AccessControlPolicy[] policies = acMgr.getPolicies(null);
 
             assertEquals(1, policies.length);
-            assertTrue(policies[0] instanceof JackrabbitAccessControlList);
-
-            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
-            assertEquals(1, entries.length);
-            assertEquals(1, entries[0].getPrivileges().length);
-            assertEquals(acMgr.privilegeFromName("jcr:workspaceManagement"), entries[0].getPrivileges()[0]);
-
-            assertTrue(target.hasNode("rep:repoPolicy"));
-            assertTrue(target.hasNode("rep:repoPolicy/allow"));
-
-            // clean up again
-            acMgr.removePolicy(null, policies[0]);
-            assertFalse(target.hasNode("rep:repoPolicy"));
-            assertFalse(target.hasNode("rep:repoPolicy/allow"));
-
-        } finally {
-            if (isSessionImport()) {
-                superuser.refresh(false);
-            } else {
-                superuser.save();
-            }
-            assertEquals(0, acMgr.getPolicies(null).length);
-        }
-    }
-
-    /**
-     * Make sure repo-level acl is not imported below any other node than the
-     * root node.
-     *
-     * @throws Exception
-     */
-    public void testImportRepoACLAtTestNode() throws Exception {
-        try {
-            Node target = testRootNode.addNode("test");
-            target.addMixin("rep:RepoAccessControllable");
-
-            doImport(target.getPath(), XML_REPO_POLICY_TREE);
-
-            assertTrue(target.hasNode("rep:repoPolicy"));
-            assertFalse(target.hasNode("rep:repoPolicy/allow0"));
-
-            Node n = target.getNode("rep:repoPolicy");
-            assertEquals("rep:RepoAccessControllable", n.getDefinition().getDeclaringNodeType().getName());
-
-            try {
-                superuser.save();
-                fail("Importing repo policy to non-root node must fail");
-            } catch (AccessControlException e) {
-                // success
-            }
+            assertEquals(0, ((AccessControlList) policies[0]).getAccessControlEntries().length);
         } finally {
-            superuser.refresh(false);
+            adminSession.refresh(false);
         }
     }
 }



Mime
View raw message