diff --git oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorTest.java oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorTest.java
index 67e447c..3f56601 100644
--- oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorTest.java
+++ oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorTest.java
@@ -123,14 +123,15 @@ public class AccessControlValidatorTest extends AbstractAccessControlTest implem
 try {
 root.commit();
 fail("Only the root node can be made RepoAccessControllable.");
 } catch (CommitFailedException e) {
 // success
 assertTrue(e.isAccessControlViolation());
+ assertThat(e.getMessage(), containsString("OakAccessControl0012"));
 assertThat(e.getMessage(), containsString("/testRoot"));
 }
 }
 @Test
 public void testAddInvalidRepoPolicy() throws Exception {
 NodeUtil testRoot = getTestRoot();
@@ -138,14 +139,15 @@ public class AccessControlValidatorTest extends AbstractAccessControlTest implem
 NodeUtil policy = getTestRoot().addChild(REP_REPO_POLICY, NT_REP_ACL);
 try {
 root.commit();
 fail("Attempt to add repo-policy with rep:AccessControllable node.");
 } catch (CommitFailedException e) {
 // success
 assertTrue(e.isAccessControlViolation());
+ assertThat(e.getMessage(), containsString("OakAccessControl0006")); // Isolated policy node
 assertThat(e.getMessage(), containsString("/testRoot"));
 } finally {
 policy.getTree().remove();
 }
 }
 @Test
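Review bot: The added `containsString("OakAccessControl0012")` assertion in the hunk at -123 is the only one in this patch without a trailing comment saying what the code stands for, and it checks the code as a substring of the message text. A comment such as `// Only the root node can be RepoAccessControllable` (wording borrowed from the fail() message, to be confirmed against the validator) would bring it in line with the other hunks. Since `isAccessControlViolation()` already pins the type, `assertEquals(12, e.getCode());` would check the number itself instead of the message format; the same applies to the other code assertions added in this file. The enclosing test method starts above the hunk.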
@@ -158,14 +160,15 @@ public class AccessControlValidatorTest extends AbstractAccessControlTest implem
 NodeUtil policy = node.addChild(REP_POLICY, NT_REP_ACL);
 try {
 root.commit();
 fail("Adding an ACL below access control content should fail");
 } catch (CommitFailedException e) {
 // success
 assertTrue(e.isConstraintViolation());
+ assertThat(e.getMessage(), containsString("OakConstraint0001")); // No matching definition found for child node
 assertThat(e.getMessage(), containsString("/testRoot/rep:policy"));
 } finally {
 policy.getTree().remove();
 }
 }
 }
@@ -179,14 +182,15 @@ public class AccessControlValidatorTest extends AbstractAccessControlTest implem
 NodeUtil policy = node.addChild(REP_REPO_POLICY, NT_REP_ACL);
 try {
 root.commit();
 fail("Adding an ACL below access control content should fail");
 } catch (CommitFailedException e) {
 // success
 assertTrue(e.isConstraintViolation());
+ assertThat(e.getMessage(), containsString("OakConstraint0001")); // No matching definition found for child node
 assertThat(e.getMessage(), containsString("/testRoot/rep:policy"));
 } finally {
 policy.getTree().remove();
 }
 }
 }
@@ -200,14 +204,15 @@ public class AccessControlValidatorTest extends AbstractAccessControlTest implem
 NodeUtil entry = node.addChild("invalidACE", NT_REP_DENY_ACE);
 try {
 root.commit();
 fail("Adding an ACE below an ACE or restriction should fail");
 } catch (CommitFailedException e) {
 // success
 assertTrue(e.isConstraintViolation());
+ assertThat(e.getMessage(), containsString("OakConstraint0001")); // No matching definition found for child node
 assertThat(e.getMessage(), containsString("/testRoot/rep:policy/validAce"));
 } finally {
 entry.getTree().remove();
 }
 }
 }
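Review bot: The `OakConstraint0001` assertion in the hunk at -158 pins that the nested `rep:policy` node is refused as a node type constraint violation rather than with an OakAccessControl code, yet the trailing comment only repeats the message text. Presumably this means the access control validator's own handling of access control content nested below access control content is not what the test exercises, so a change to the node type definitions could shift which layer refuses the commit. A comment that says so, for example `// rejected as a node type constraint violation, not with an OakAccessControl code`, would make that dependency visible to the next reader. The same holds for the `OakConstraint0001` assertions in the hunks at -179, -200 and -221; each enclosing test method starts above its hunk.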
@@ -221,14 +226,15 @@ public class AccessControlValidatorTest extends AbstractAccessControlTest implem
 NodeUtil entry = node.addChild("invalidRestriction", NT_REP_RESTRICTIONS);
 try {
 root.commit();
 fail("Adding an ACE below an ACE or restriction should fail");
 } catch (CommitFailedException e) {
 // success
 assertTrue(e.isConstraintViolation());
+ assertThat(e.getMessage(), containsString("OakConstraint0001")); // No matching definition found for child node
 assertThat(e.getMessage(), containsString("/testRoot/rep:policy"));
 } finally {
 entry.getTree().remove();
 }
 }
 }
@@ -240,15 +246,16 @@ public class AccessControlValidatorTest extends AbstractAccessControlTest implem
 for (String policyName : policyNames) {
 NodeUtil policy = node.addChild(policyName, NT_REP_ACL);
 try {
 root.commit();
 fail("Writing an isolated ACL without the parent being rep:AccessControllable should fail.");
 } catch (CommitFailedException e) {
 // success
- assertTrue(e.isAccessControlViolation());
+ assertTrue(e.isAccessControlViolation()); [~anchela] There are several occasions
+ assertThat(e.getMessage(), containsString("OakAccessControl0006")); // Isolated policy node
 assertThat(e.getMessage(), containsString("/testRoot"));
 } finally {
 // revert pending changes that cannot be saved.
 policy.getTree().remove();
 }
 }
@@ -263,14 +270,15 @@ public class AccessControlValidatorTest extends AbstractAccessControlTest implem
 NodeUtil ace = createACE(node, "isolatedACE", aceNtName, testPrincipal.getName(), PrivilegeConstants.JCR_READ);
 try {
 root.commit();
 fail("Writing an isolated ACE should fail.");
 } catch (CommitFailedException e) {
 // success
 assertTrue(e.isAccessControlViolation());
+ assertThat(e.getMessage(), containsString("OakAccessControl0007")); // Isolated access control entry
 assertThat(e.getMessage(), containsString("/testRoot/isolatedACE"));
 } finally {
 // revert pending changes that cannot be saved.
 ace.getTree().remove();
 }
 }
 }
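Review bot: In the hunk at -240 the re-added `assertTrue(e.isAccessControlViolation());` line carries the trailing text `[~anchela] There are several occasions`, which is not Java and reads like a fragment of an issue-tracker comment. If that text is really part of the patch, the test class will not compile and none of these access control checks will run; it may instead be an artefact of how the page was captured. The removed and added `assertTrue` lines otherwise look identical, so the pair is presumably a whitespace-only change and can be dropped, leaving just the new `OakAccessControl0006` assertion. The for loop and its test method start above the hunk.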
@@ -281,14 +289,15 @@ public class AccessControlValidatorTest extends AbstractAccessControlTest implem
 NodeUtil restriction = node.addChild("isolatedRestriction", NT_REP_RESTRICTIONS);
 try {
 root.commit();
 fail("Writing an isolated Restriction should fail.");
 } catch (CommitFailedException e) {
 // success
 assertTrue(e.isAccessControlViolation());
+ assertThat(e.getMessage(), containsString("OakAccessControl0002")); // Access control entry node expected at /testRoot
 assertThat(e.getMessage(), containsString("/testRoot"));
 } finally {
 // revert pending changes that cannot be saved.
 restriction.getTree().remove();
 }
 }
@@ -300,14 +309,16 @@ public class AccessControlValidatorTest extends AbstractAccessControlTest implem
 createACE(acl, "invalid", NT_REP_GRANT_ACE, testPrincipal.getName(), privName);
 try {
 root.commit();
 fail("Creating an ACE with invalid privilege should fail.");
 } catch (CommitFailedException e) {
 // success
 assertTrue(e.isAccessControlViolation());
+ // TODO: is the following exception correct?
+ assertThat(e.getMessage(), containsString("OakAccessControl0004")); // Order of children is not stable
 assertThat(e.getMessage(), containsString("/testRoot/rep:policy"));
 }
 }
 @Test
 public void testAbstractPrivilege() throws Exception {
 PrivilegeManager pMgr = getPrivilegeManager(root);
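Review bot: The `OakAccessControl0004` assertion in the hunk at -300 pins an error whose own comment reads "Order of children is not stable", which is not the condition the test names (an invalid privilege in an ACE), and the added TODO admits the doubt. As written, the test seems to pass because an ordering check on `/testRoot/rep:policy` fires first, so it gives no evidence that the validator refuses invalid privileges; the three additions in the hunk at -317 (abstract privilege, unsupported restriction, restriction with invalid type) repeat the pattern. Rather than committing the TODO, the fixture should build an ACL that is valid apart from the property under test, and each test should assert the code of the check it is named after. Until then a comment such as `// FIXME: 0004 masks the privilege check, test does not cover it` states the gap plainly. The ACL setup sits above the hunk and is not visible here.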
@@ -317,42 +328,48 @@ public class AccessControlValidatorTest extends AbstractAccessControlTest implem
 createACE(acl, "invalid", NT_REP_GRANT_ACE, testPrincipal.getName(), "abstractPrivilege");
 try {
 root.commit();
 fail("Creating an ACE with an abstract privilege should fail.");
 } catch (CommitFailedException e) {
 // success
 assertTrue(e.isAccessControlViolation());
+ // TODO: is the following exception correct?
+ assertThat(e.getMessage(), containsString("OakAccessControl0004")); // Order of children is not stable
 assertThat(e.getMessage(), containsString("/testRoot/rep:policy"));
 }
 }
 @Test
 public void testInvalidRestriction() throws Exception {
 NodeUtil restriction = createAcl().getChild(aceName).getChild(REP_RESTRICTIONS);
 restriction.setString("invalid", "value");
 try {
 root.commit();
 fail("Creating an unsupported restriction should fail.");
 } catch (CommitFailedException e) {
 // success
 assertTrue(e.isAccessControlViolation());
+ // TODO: is the following exception correct?
+ assertThat(e.getMessage(), containsString("OakAccessControl0004")); // Order of children is not stable
 assertThat(e.getMessage(), containsString("/testRoot/rep:policy"));
 }
 }
 @Test
 public void testRestrictionWithInvalidType() throws Exception {
 NodeUtil restriction = createAcl().getChild(aceName).getChild(REP_RESTRICTIONS);
 restriction.setName(REP_GLOB, "rep:glob");
 try {
 root.commit();
 fail("Creating restriction with invalid type should fail.");
 } catch (CommitFailedException e) {
 // success
 assertTrue(e.isAccessControlViolation());
+ // TODO: is the following exception correct?
+ assertThat(e.getMessage(), containsString("OakAccessControl0004")); // Order of children is not stable
 assertThat(e.getMessage(), containsString("/testRoot/rep:policy"));
 }
 }
 @Test
 public void testDuplicateAce() throws Exception {
 AccessControlManager acMgr = getAccessControlManager(root);
@@ -367,14 +384,15 @@ public class AccessControlValidatorTest extends AbstractAccessControlTest implem
 ace.setNames(AccessControlConstants.REP_PRIVILEGES, PrivilegeConstants.JCR_ADD_CHILD_NODES);
 try {
 root.commit();
 fail("Creating duplicate ACE must be detected");
 } catch (CommitFailedException e) {
 assertTrue(e.isAccessControlViolation());
+ assertThat(e.getMessage(), containsString("OakAccessControl0013")); // Duplicate ACE
 assertThat(e.getMessage(), containsString("/testRoot/rep:policy/duplicateAce"));
 }
 }
 @Test
 public void hiddenNodeAdded() throws CommitFailedException {
 AccessControlValidatorProvider provider = new AccessControlValidatorProvider(getSecurityProvider());