Index: src/test/java/org/apache/jackrabbit/core/security/authorization/acl/AutorizablesTest.java =================================================================== --- src/test/java/org/apache/jackrabbit/core/security/authorization/acl/AutorizablesTest.java (revision 0) +++ src/test/java/org/apache/jackrabbit/core/security/authorization/acl/AutorizablesTest.java (revision 0) @@ -0,0 +1,171 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.core.security.authorization.acl; + +import java.security.Principal; +import java.util.Collections; +import java.util.Iterator; +import java.util.Map; + +import javax.jcr.AccessDeniedException; +import javax.jcr.NodeIterator; +import javax.jcr.PathNotFoundException; +import javax.jcr.RepositoryException; +import javax.jcr.Session; +import javax.jcr.Value; +import javax.jcr.query.Query; +import javax.jcr.query.QueryManager; +import javax.jcr.security.AccessControlManager; + +import org.apache.jackrabbit.api.security.JackrabbitAccessControlList; +import org.apache.jackrabbit.api.security.user.Authorizable; +import org.apache.jackrabbit.api.security.user.UserManager; +import org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest; +import org.apache.jackrabbit.test.NotExecutableException; + +public class AutorizablesTest extends AbstractEvaluationTest { + + @Override + protected boolean isExecutable() { + return EvaluationUtil.isExecutable(acMgr); + } + + @Override + protected JackrabbitAccessControlList getPolicy(AccessControlManager acM, + String path, Principal principal) throws RepositoryException, + AccessDeniedException, NotExecutableException { + return EvaluationUtil.getPolicy(acM, path, principal); + } + + @Override + protected Map getRestrictions(Session s, String path) { + return Collections.emptyMap(); + } + + /** + * @see https://issues.apache.org/jira/browse/JCR-3412 + */ + @SuppressWarnings("deprecation") + public void testFindUserReducedACLs() throws RepositoryException, + NotExecutableException { + + String baseSecurityPath = "/rep:security"; // UserConstants.SECURITY_ROOT_PATH; + String path = baseSecurityPath + "/rep:authorizables"; // UserConstants.AUTHORIZABLES_PATH + String wsName = "security"; + String uid = testUser.getID(); + + Session uSession = null; + Session uAdmSession = null; + try { + uSession = superuser.getRepository().login(creds, wsName); + QueryManager qm = uSession.getWorkspace().getQueryManager(); + UserManager uMgr = getUserManager(uSession); + boolean found; + String userSecurityHome = null; + + found = false; + Query q = qm.createQuery("//element(*,rep:User)", Query.XPATH); + NodeIterator iter = q.execute().getNodes(); + while (iter.hasNext()) { + String p = iter.nextNode().getPath(); + if (p.endsWith(uid)) { + userSecurityHome = p; + found = true; + break; + } + } + assertTrue( + "Searching for authorizables via xpath must find the created user - before tweaking acls.", + found); + + found = false; + Iterator it = uMgr.findAuthorizables(uid, null, + UserManager.SEARCH_TYPE_USER); + while (it.hasNext()) { + Authorizable authorizable = it.next(); + if (uid.equals(authorizable.getID())) { + found = true; + break; + } + } + assertTrue( + "Searching for authorizables must find the created user - before tweaking acls.", + found); + + // TODO + // - remove read access to 'path' + // - grant read access to 'userSecurityHome' + + uAdmSession = getHelper().getSuperuserSession(wsName); + JackrabbitAccessControlList tmpl = null; + try { + tmpl = getPolicy(getAccessControlManager(uAdmSession), path, + testUser.getPrincipal()); + } catch (Exception e) { + fail("Unable to acquire policy for " + path + ": " + + e.getMessage()); + } + assertNotNull( + "Expecting a JackrabbitAccessControlList non-null object ", + tmpl); + + // must not have read access + try { + uSession.getNode(path); + fail("session must not have read access to path " + path); + } catch (PathNotFoundException e) { + // good + } + + // check authorizables again + + found = false; + q = qm.createQuery("//element(*,rep:User)", Query.XPATH); + iter = q.execute().getNodes(); + while (iter.hasNext()) { + if (iter.nextNode().getPath().endsWith(uid)) { + found = true; + } + } + assertTrue( + "Searching for authorizables via xpath must find the created user - after tweaking acls.", + found); + + found = false; + it = uMgr + .findAuthorizables(uid, null, UserManager.SEARCH_TYPE_USER); + while (it.hasNext()) { + Authorizable authorizable = it.next(); + if (uid.equals(authorizable.getID())) { + found = true; + break; + } + } + assertTrue( + "Searching for authorizables must find the created user - after tweaking acls.", + found); + + } finally { + if (uSession != null) { + uSession.logout(); + } + if (uAdmSession != null) { + uAdmSession.logout(); + } + } + } +}