Index: oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java (revision 1851744) +++ oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java (date 1548256977000) @@ -16,37 +16,11 @@ */ package org.apache.jackrabbit.oak.security.authorization.accesscontrol; -import java.security.Principal; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Iterator; -import java.util.List; -import java.util.Map; -import java.util.Set; -import javax.jcr.AccessDeniedException; -import javax.jcr.NamespaceRegistry; -import javax.jcr.PathNotFoundException; -import javax.jcr.PropertyType; -import javax.jcr.RepositoryException; -import javax.jcr.Value; -import javax.jcr.ValueFactory; -import javax.jcr.security.AccessControlEntry; -import javax.jcr.security.AccessControlException; -import javax.jcr.security.AccessControlList; -import javax.jcr.security.AccessControlManager; -import javax.jcr.security.AccessControlPolicy; -import javax.jcr.security.AccessControlPolicyIterator; -import javax.jcr.security.Privilege; - import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; import com.google.common.collect.Iterables; import com.google.common.collect.Lists; - import org.apache.jackrabbit.JcrConstants; import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry; import org.apache.jackrabbit.api.security.JackrabbitAccessControlList; 
@@ -59,19 +33,21 @@
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.api.Type;
-import org.apache.jackrabbit.oak.namepath.impl.GlobalNameMapper;
-import org.apache.jackrabbit.oak.namepath.impl.LocalNameMapper;
 import org.apache.jackrabbit.oak.namepath.NameMapper;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.namepath.impl.GlobalNameMapper;
+import org.apache.jackrabbit.oak.namepath.impl.LocalNameMapper;
 import org.apache.jackrabbit.oak.namepath.impl.NamePathMapperImpl;
 import org.apache.jackrabbit.oak.plugins.name.ReadWriteNamespaceRegistry;
+import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
+import org.apache.jackrabbit.oak.plugins.value.jcr.ValueFactoryImpl;
 import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
-import org.apache.jackrabbit.oak.plugins.value.jcr.ValueFactoryImpl;
 import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
 import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
 import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlList;
 import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager;
 import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
@@ -80,13 +56,38 @@ import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; import org.apache.jackrabbit.oak.util.NodeUtil; -import org.apache.jackrabbit.oak.plugins.tree.TreeUtil; import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; import org.junit.After; import org.junit.Before; import org.junit.Test; +import javax.jcr.AccessDeniedException; +import javax.jcr.NamespaceRegistry; +import javax.jcr.PathNotFoundException; +import javax.jcr.PropertyType; +import javax.jcr.RepositoryException; +import javax.jcr.Value; +import javax.jcr.ValueFactory; +import javax.jcr.ValueFormatException; +import javax.jcr.security.AccessControlEntry; +import javax.jcr.security.AccessControlException; +import javax.jcr.security.AccessControlList; +import javax.jcr.security.AccessControlManager; +import javax.jcr.security.AccessControlPolicy; +import javax.jcr.security.AccessControlPolicyIterator; +import javax.jcr.security.Privilege; +import java.security.Principal; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.Set; + import static com.google.common.collect.Sets.newHashSet; import static java.util.Collections.singletonMap; import static org.junit.Assert.assertArrayEquals; @@ -212,6 +213,11 @@ return ImmutableSet.of(EveryonePrincipal.getInstance()); } + private static void assertPolicies(@Nullable AccessControlPolicy[] policies, long expectedSize) { + assertNotNull(policies); + assertEquals(expectedSize, policies.length); + } + private ACL getApplicablePolicy(@Nullable String path) throws RepositoryException { AccessControlPolicyIterator itr = acMgr.getApplicablePolicies(path); if (itr.hasNext()) { 
@@ -259,11 +265,20 @@ @NotNull private ACL setupPolicy(@Nullable String path, @Nullable Privilege... privileges) throws RepositoryException { Privilege[] privs = (privileges == null || privileges.length == 0) ? testPrivileges : privileges; + return setupPolicy(path, privs, true, getGlobRestriction("*"), null); + } + + @NotNull + private ACL setupPolicy(@Nullable String path, + @NotNull Privilege[] privileges, + boolean isAllow, + @Nullable Map restrictions, + @Nullable Map mvRestrictions) throws RepositoryException { ACL policy = getApplicablePolicy(path); if (path == null) { - policy.addAccessControlEntry(testPrincipal, privs); + policy.addAccessControlEntry(testPrincipal, privileges); } else { - policy.addEntry(testPrincipal, privs, true, getGlobRestriction("*")); + policy.addEntry(testPrincipal, privileges, isAllow, restrictions, mvRestrictions); } acMgr.setPolicy(path, policy); return policy; @@ -273,6 +288,14 @@ return ImmutableMap.of(REP_GLOB, valueFactory.createValue(value)); } + private Map getMvRestriction(@NotNull String name, int type, @NotNull String... values) throws ValueFormatException { + List list = new ArrayList<>(); + for (String v : values) { + list.add(valueFactory.createValue(v, type)); + } + return ImmutableMap.of(name, list.toArray(new Value[0])); + } + protected List getAcContentPaths() throws RepositoryException { ACL policy = getApplicablePolicy(testPath); policy.addEntry(testPrincipal, testPrivileges, true, getGlobRestriction("*")); @@ -941,7 +964,7 @@ } @Test - public void testGetApplicablePoliciesInvalidPath() throws Exception { + public void testGetApplicablePoliciesInvalidPath() { for (String invalid : getInvalidPaths()) { try { acMgr.getPolicies(invalid); @@ -993,8 +1016,7 @@ acMgr.setPolicy(testPath, policy); AccessControlPolicy[] policies = acMgr.getPolicies(testPath); - assertNotNull(policies); - assertEquals(1, policies.length); + assertPolicies(policies, 1); assertTrue(policies[0] instanceof ACL); ACL acl = (ACL) policies[0]; 
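Review bot: In the new five-argument `setupPolicy` overload (hunk `@@ -259,11 +265,20 @@`) the `path == null` branch calls `policy.addAccessControlEntry(testPrincipal, privileges)` and silently drops `isAllow`, `restrictions` and `mvRestrictions`, so a caller asking for a deny or restricted entry on the null path gets an unrestricted allow entry instead. In a helper that builds access control fixtures this can let a test pass for the wrong reason. The existing varargs caller already passes a glob restriction with a null path, so presumably this is intentional for repository-level policies; say so on the overload, e.g. `// path == null (repository level): isAllow and both restriction maps are ignored, the entry is always an unrestricted allow`, or fail fast in that branch with `assertTrue(isAllow && mvRestrictions == null);`.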
@@ -1005,8 +1027,7 @@ @Test public void testGetPoliciesNodeNotAccessControlled() throws Exception { AccessControlPolicy[] policies = acMgr.getPolicies(testPath); - assertNotNull(policies); - assertEquals(0, policies.length); + assertPolicies(policies, 0); } @Test @@ -1014,8 +1035,7 @@ setupPolicy(testPath); AccessControlPolicy[] policies = acMgr.getPolicies(testPath); - assertNotNull(policies); - assertEquals(1, policies.length); + assertPolicies(policies, 1); assertTrue(policies[0] instanceof ACL); ACL acl = (ACL) policies[0]; @@ -1027,14 +1047,12 @@ setupPolicy(testPath); AccessControlPolicy[] policies = acMgr.getPolicies(testPath); - assertNotNull(policies); - assertEquals(1, policies.length); + assertPolicies(policies, 1); acMgr.removePolicy(testPath, policies[0]); policies = acMgr.getPolicies(testPath); - assertNotNull(policies); - assertEquals(0, policies.length); + assertPolicies(policies, 0); assertTrue(acMgr.getApplicablePolicies(testPath).hasNext()); } @@ -1051,8 +1069,7 @@ // reading policies with unknown principal name should not fail. AccessControlPolicy[] policies = acMgr.getPolicies(testPath); - assertNotNull(policies); - assertEquals(1, policies.length); + assertPolicies(policies, 1); ACL acl = (ACL) policies[0]; List principalNames = new ArrayList(); @@ -1069,15 +1086,13 @@ String path = null; AccessControlPolicy[] policies = acMgr.getPolicies(path); - assertNotNull(policies); - assertEquals(0, policies.length); + assertPolicies(policies, 0); acMgr.setPolicy(null, acMgr.getApplicablePolicies(path).nextAccessControlPolicy()); assertFalse(acMgr.getApplicablePolicies(path).hasNext()); policies = acMgr.getPolicies(path); - assertNotNull(policies); - assertEquals(1, policies.length); + assertPolicies(policies, 1); assertTrue(policies[0] instanceof ACL); ACL acl = (ACL) policies[0]; 
@@ -1087,7 +1102,7 @@ assertFalse(acMgr.getApplicablePolicies(path).hasNext()); acMgr.removePolicy(path, acl); - assertEquals(0, acMgr.getPolicies(path).length); + assertPolicies(acMgr.getPolicies(path), 0); assertTrue(acMgr.getApplicablePolicies(path).hasNext()); } 
@@ -1138,56 +1153,140 @@ } //---------------------------------------< getEffectivePolicies(String) >--- + @Test + public void testGetEffectivePoliciesNoPoliciesSet() throws Exception { + assertPolicies(acMgr.getEffectivePolicies(testPath), 0); + } + @Test public void testGetEffectivePolicies() throws Exception { - AccessControlPolicy[] policies = acMgr.getEffectivePolicies(testPath); - assertNotNull(policies); - assertEquals(0, policies.length); + setupPolicy(testPath); + root.commit(); + + assertPolicies(acMgr.getEffectivePolicies(testPath), 1); + } + @Test + public void testGetEffectivePoliciesEmptyACL() throws Exception { + // set empty policy -> no effective ACEs + acMgr.setPolicy(testPath, acMgr.getApplicablePolicies(testPath).nextAccessControlPolicy()); + root.commit(); + + // resulting effective policies should be empty array + assertPolicies(acMgr.getEffectivePolicies(testPath), 0); + } + + @Test + public void testGetEffectivePoliciesOnChild() throws Exception { + setupPolicy(testPath); + Tree child = TreeUtil.addChild(root.getTree(testPath), "child", JcrConstants.NT_UNSTRUCTURED); + root.commit(); + + String childPath = child.getPath(); + assertPolicies(acMgr.getEffectivePolicies(childPath), 1); + } + + @Test + public void testGetEffectivePoliciesOnNewChild() throws Exception { setupPolicy(testPath); root.commit(); - policies = acMgr.getEffectivePolicies(testPath); - assertNotNull(policies); - assertEquals(1, policies.length); + Tree child = TreeUtil.addChild(root.getTree(testPath), "child", JcrConstants.NT_UNSTRUCTURED); + String childPath = child.getPath(); - NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED); - String childPath = child.getTree().getPath(); + assertPolicies(acMgr.getEffectivePolicies(childPath), 1); + } - policies = acMgr.getEffectivePolicies(childPath); - assertNotNull(policies); - assertEquals(1, policies.length); - + @Test + public void testGetEffectivePoliciesOnChild2() throws 
Exception { + Tree child = TreeUtil.addChild(root.getTree(testPath), "child", JcrConstants.NT_UNSTRUCTURED); + String childPath = child.getPath(); setupPolicy(childPath); + setupPolicy(testPath); + root.commit(); + + AccessControlPolicy[] policies = acMgr.getEffectivePolicies(childPath); + assertPolicies(policies, 2); + + for (AccessControlPolicy policy : policies) { + assertTrue(policy instanceof ImmutableACL); + } + } + + @Test + public void testGetEffectivePoliciesMatchingRestriction() throws Exception { + ACL policy = setupPolicy(testPath, privilegesFromNames(PrivilegeConstants.JCR_READ), true, null, + getMvRestriction(REP_ITEM_NAMES, PropertyType.NAME,"child")); + policy.addEntry(EveryonePrincipal.getInstance(), testPrivileges, false, null, + getMvRestriction(REP_ITEM_NAMES, PropertyType.NAME,"notMatching")); + acMgr.setPolicy(policy.getPath(), policy); + + Tree child = TreeUtil.addChild(root.getTree(testPath), "child", JcrConstants.NT_UNSTRUCTURED); + Tree grandChild = TreeUtil.addChild(child, "child", JcrConstants.NT_UNSTRUCTURED); root.commit(); - policies = acMgr.getEffectivePolicies(childPath); - assertNotNull(policies); - assertEquals(2, policies.length); + assertPolicies(acMgr.getEffectivePolicies(testPath), 0); + AccessControlPolicy[] policies = acMgr.getEffectivePolicies(child.getPath()); + assertPolicies(policies, 1); + + // only the matching ACE must be included in the effective policy + AccessControlPolicy effective = policies[0]; + assertTrue(effective instanceof ImmutableACL); + assertEquals(1, ((ImmutableACL) effective).getAccessControlEntries().length); + + assertPolicies(acMgr.getEffectivePolicies(grandChild.getPath()), 1); + } + + /** + * An ACE restriction matching only a property (like e.g. jcr:primaryType) would not be included in the effective + * policies, becauce AccessControlManager.getEffectivePolicies(String) requires the path to point to an existing + * JCR node. 
+ */ + @Test + public void testGetEffectivePoliciesMatchingPropertyRestriction() throws Exception { + ACL policy = setupPolicy(testPath, privilegesFromNames(PrivilegeConstants.JCR_READ), true, null, + getMvRestriction(REP_ITEM_NAMES, PropertyType.NAME,JcrConstants.JCR_PRIMARYTYPE)); + acMgr.setPolicy(policy.getPath(), policy); + + Tree child = TreeUtil.addChild(root.getTree(testPath), "child", JcrConstants.NT_UNSTRUCTURED); + Tree grandChild = TreeUtil.addChild(child, "child", JcrConstants.NT_UNSTRUCTURED); + root.commit(); + + assertPolicies(acMgr.getEffectivePolicies(testPath), 0); + assertPolicies(acMgr.getEffectivePolicies(child.getPath()), 0); + assertPolicies(acMgr.getEffectivePolicies(grandChild.getPath()), 0); + } + + @Test + public void testGetEffectivePoliciesNotMatchingRestriction() throws Exception { + setupPolicy(testPath, privilegesFromNames(PrivilegeConstants.JCR_READ), true, null, + getMvRestriction(REP_ITEM_NAMES, PropertyType.NAME,"child")); + + Tree child = TreeUtil.addChild(root.getTree(testPath), "child", JcrConstants.NT_UNSTRUCTURED); + Tree grandChild = TreeUtil.addChild(child, "grandChild", JcrConstants.NT_UNSTRUCTURED); + Tree other = TreeUtil.addChild(root.getTree(testPath), "other", JcrConstants.NT_UNSTRUCTURED); + + root.commit(); + + assertPolicies(acMgr.getEffectivePolicies(testPath), 0); + assertPolicies(acMgr.getEffectivePolicies(grandChild.getPath()), 0); + assertPolicies(acMgr.getEffectivePolicies(other.getPath()), 0); } @Test public void testGetEffectivePoliciesNewPolicy() throws Exception { - AccessControlPolicy[] policies = acMgr.getEffectivePolicies(testPath); - assertNotNull(policies); - assertEquals(0, policies.length); + assertPolicies(acMgr.getEffectivePolicies(testPath), 0); setupPolicy(testPath); - policies = acMgr.getEffectivePolicies(testPath); - assertNotNull(policies); - assertEquals(0, policies.length); + assertPolicies(acMgr.getEffectivePolicies(testPath), 0); - NodeUtil child = new 
NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED); - String childPath = child.getTree().getPath(); + Tree child = TreeUtil.addChild(root.getTree(testPath),"child", JcrConstants.NT_UNSTRUCTURED); + String childPath = child.getPath(); - policies = acMgr.getEffectivePolicies(childPath); - assertNotNull(policies); - assertEquals(0, policies.length); + assertPolicies(acMgr.getEffectivePolicies(childPath), 0); setupPolicy(childPath); - policies = acMgr.getEffectivePolicies(childPath); - assertNotNull(policies); - assertEquals(0, policies.length); + assertPolicies(acMgr.getEffectivePolicies(childPath), 0); } @Test @@ -1200,8 +1299,8 @@ acMgr.setPolicy(testPath, acl); AccessControlPolicy[] policies = acMgr.getEffectivePolicies(testPath); - assertNotNull(policies); - assertEquals(1, policies.length); + assertPolicies(acMgr.getEffectivePolicies(testPath), 1); + assertTrue(policies[0] instanceof AccessControlList); AccessControlEntry[] effectiveAces = ((AccessControlList) policies[0]).getAccessControlEntries(); assertArrayEquals(aces, effectiveAces); @@ -1209,7 +1308,7 @@ } @Test - public void testGetEffectivePoliciesInvalidPath() throws Exception { + public void testGetEffectivePoliciesInvalidPath() { for (String invalid : getInvalidPaths()) { try { acMgr.getEffectivePolicies(invalid); 
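Review bot: `testGetEffectivePoliciesMatchingRestriction` (hunk `@@ -1138,56 +1153,140 @@`) comments that only the matching ACE must be included, but it asserts only the entry count via `assertEquals(1, ((ImmutableACL) effective).getAccessControlEntries().length)`. An implementation that kept the non-matching deny entry for everyone and dropped the allow entry for `testPrincipal` would still pass. Pin the identity of the surviving entry, for example `assertEquals(testPrincipal, ((ImmutableACL) effective).getAccessControlEntries()[0].getPrincipal());` (assuming the returned principal compares equal to `testPrincipal`), and apply the same check to the `grandChild` result, where only the policy count is verified. Separately, the Javadoc on `testGetEffectivePoliciesMatchingPropertyRestriction` has a typo: `becauce` should read `because`.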
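Review bot: In the `@@ -1200,8 +1299,8 @@` hunk the replacement `assertPolicies(acMgr.getEffectivePolicies(testPath), 1);` checks the result of a second `getEffectivePolicies` call. The following lines still index into the `policies` array obtained on the line above, which is now never checked for null or length. The assertion should guard the array that is actually used: `assertPolicies(policies, 1);`. The enclosing test method starts and ends outside the hunk.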
@@ -1220,26 +1319,16 @@ } } - @Test + @Test(expected = PathNotFoundException.class) public void testGetEffectivePoliciesForPropertyPath() throws Exception { String propertyPath = "/jcr:primaryType"; - try { - acMgr.getEffectivePolicies(propertyPath); - fail("Getting policies for property should fail."); - } catch (PathNotFoundException e) { - // success - } + acMgr.getEffectivePolicies(propertyPath); } - @Test + @Test(expected = PathNotFoundException.class) public void testGetEffectivePoliciesNonExistingNodePath() throws Exception { String nonExistingPath = "/not/existing"; - try { - acMgr.getEffectivePolicies(nonExistingPath); - fail("Getting policies for node that doesn't exist should fail."); - } catch (PathNotFoundException e) { - // success - } + acMgr.getEffectivePolicies(nonExistingPath); } @Test @@ -1273,8 +1362,7 @@ // diff to jr core: getEffectivePolicies will just return the policies // accessible for the editing session but not throw an exception. AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(testPath); - assertNotNull(effective); - assertEquals(1, effective.length); + assertPolicies(effective, 1); } /** @@ -1298,8 +1386,7 @@ // diff to jr core: getEffectivePolicies will just return the policies // accessible for the editing session but not throw an exception. AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(childPath); - assertNotNull(effective); - assertEquals(1, effective.length); + assertPolicies(effective, 1); } @Test @@ -1337,7 +1424,7 @@ Root root2 = adminSession.getLatestRoot(); AccessControlPolicy[] policies = getAccessControlManager(root2).getPolicies(testPath); - assertEquals(1, policies.length); + assertPolicies(policies, 1); assertArrayEquals(acl.getAccessControlEntries(), ((ACL) policies[0]).getAccessControlEntries()); } 
@@ -1351,7 +1438,7 @@ Root root2 = adminSession.getLatestRoot(); AccessControlPolicy[] policies = getAccessControlManager(root2).getPolicies((String) null); - assertEquals(1, policies.length); + assertPolicies(policies, 1); assertArrayEquals(acl.getAccessControlEntries(), ((ACL) policies[0]).getAccessControlEntries()); } @@ -1602,7 +1689,7 @@ acMgr.removePolicy(testPath, acl); - assertEquals(0, acMgr.getPolicies(testPath).length); + assertPolicies(acMgr.getPolicies(testPath), 0); assertTrue(acMgr.getApplicablePolicies(testPath).hasNext()); } @@ -1612,7 +1699,7 @@ acMgr.removePolicy(null, acl); - assertEquals(0, acMgr.getPolicies((String) null).length); + assertPolicies(acMgr.getPolicies((String) null), 0); assertTrue(acMgr.getApplicablePolicies((String) null).hasNext()); } @@ -1744,7 +1831,7 @@ } unknown = new PrincipalImpl("unknown" + i); - assertEquals(1, acMgr.getApplicablePolicies(unknown).length); + assertPolicies(acMgr.getApplicablePolicies(unknown), 1); } @Test @@ -1752,9 +1839,7 @@ List principals = ImmutableList.of(testPrincipal, EveryonePrincipal.getInstance()); for (Principal principal : principals) { AccessControlPolicy[] applicable = acMgr.getApplicablePolicies(principal); - - assertNotNull(applicable); - assertEquals(1, applicable.length); + assertPolicies(applicable, 1); assertTrue(applicable[0] instanceof ACL); } } @@ -1765,15 +1850,12 @@ // changes not yet persisted -> no existing policies found for user AccessControlPolicy[] applicable = acMgr.getApplicablePolicies(testPrincipal); - assertNotNull(applicable); - assertEquals(1, applicable.length); + assertPolicies(applicable, 1); assertTrue(applicable[0] instanceof ACL); // after persisting changes -> no applicable policies present any more. root.commit(); - applicable = acMgr.getApplicablePolicies(testPrincipal); - assertNotNull(applicable); - assertEquals(0, applicable.length); + assertPolicies(acMgr.getApplicablePolicies(testPrincipal), 0); } @Test 
@@ -1789,8 +1871,7 @@ // testRoot can't read access control content -> doesn't see // the existing policies and creates a new applicable policy. AccessControlPolicy[] applicable = testAcMgr.getApplicablePolicies(principal); - assertNotNull(applicable); - assertEquals(1, applicable.length); + assertPolicies(applicable, 1); assertTrue(applicable[0] instanceof ACL); } } @@ -1830,17 +1911,14 @@ unknown = getPrincipalManager(root).getPrincipal("unknown"+i); } unknown = new PrincipalImpl("unknown" + i); - assertEquals(0, acMgr.getPolicies(unknown).length); + assertPolicies(acMgr.getPolicies(unknown), 0); } @Test public void testGetPoliciesByPrincipal() throws Exception { List principals = ImmutableList.of(testPrincipal, EveryonePrincipal.getInstance()); for (Principal principal : principals) { - AccessControlPolicy[] policies = acMgr.getPolicies(principal); - - assertNotNull(policies); - assertEquals(0, policies.length); + assertPolicies(acMgr.getPolicies(principal), 0); } } @@ -1849,15 +1927,11 @@ setupPolicy(testPath); // changes not yet persisted -> no existing policies found for user - AccessControlPolicy[] policies = acMgr.getPolicies(testPrincipal); - assertNotNull(policies); - assertEquals(0, policies.length); + assertPolicies(acMgr.getPolicies(testPrincipal), 0); // after persisting changes -> policies must be found root.commit(); - policies = acMgr.getPolicies(testPrincipal); - assertNotNull(policies); - assertEquals(1, policies.length); + assertPolicies(acMgr.getPolicies(testPrincipal), 1); } @Test 
@@ -1876,11 +1950,10 @@ // testRoot can't read access control content -> doesn't see // the existing policies and creates a new applicable policy. AccessControlPolicy[] policies = testAcMgr.getPolicies(principal); - assertNotNull(policies); - assertEquals(0, policies.length); + assertPolicies(policies, 0); } else { // testRoot can't read principal -> no policies for that principal - assertEquals(0, testAcMgr.getPolicies(principal).length); + assertPolicies(testAcMgr.getPolicies(principal), 0); } } } @@ -1936,27 +2009,24 @@ for (Set principals : principalSets) { AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals); - assertNotNull(policies); - assertEquals(0, policies.length); + assertPolicies(policies, 0); } setupPolicy(testPath); // changes not yet persisted -> no effecitve policies found for testprincipal for (Set principals : principalSets) { AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals); - assertNotNull(policies); - assertEquals(0, policies.length); + assertPolicies(policies, 0); } root.commit(); // after persisting changes -> the policy must be found for (Set principals : principalSets) { AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals); - assertNotNull(policies); if (principals.contains(testPrincipal)) { - assertEquals(1, policies.length); + assertPolicies(policies, 1); } else { - assertEquals(0, policies.length); + assertPolicies(policies, 0); } } @@ -1966,11 +2036,10 @@ // changes not yet persisted -> no effecitve policies found for testprincipal for (Set principals : principalSets) { AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals); - assertNotNull(policies); if (principals.contains(testPrincipal)) { - assertEquals(1, policies.length); + assertPolicies(policies, 1); } else { - assertEquals(0, policies.length); + assertPolicies(policies, 0); } } 
@@ -1978,11 +2047,10 @@ // after persisting changes -> the policy must be found for (Set principals : principalSets) { AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals); - assertNotNull(policies); if (principals.contains(testPrincipal)) { - assertEquals(2, policies.length); + assertPolicies(policies, 2); } else { - assertEquals(0, policies.length); + assertPolicies(policies, 0); } } } @@ -2001,7 +2069,7 @@ root.commit(); AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principalSet); - assertEquals(1, policies.length); + assertPolicies(policies, 1); // add another policy NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED); @@ -2009,8 +2077,7 @@ setupPolicy(childPath); root.commit(); - policies = acMgr.getEffectivePolicies(principalSet); - assertEquals(2, policies.length); + assertPolicies(acMgr.getEffectivePolicies(principalSet), 2); } @Test @@ -2040,7 +2107,7 @@ root.commit(); AccessControlPolicy[] effectivePolicies = acMgr.getEffectivePolicies(principalSet); - assertEquals(3, effectivePolicies.length); + assertPolicies(effectivePolicies, 3); assertNull(((JackrabbitAccessControlPolicy) effectivePolicies[0]).getPath()); assertEquals(testPath, ((JackrabbitAccessControlPolicy) effectivePolicies[1]).getPath()); @@ -2080,7 +2147,7 @@ for (Principal princ : principals) { AccessControlPolicy[] policies = acMgr.getEffectivePolicies(ImmutableSet.of(princ)); - assertEquals(1, policies.length); + assertPolicies(policies, 1); assertTrue(policies[0] instanceof AccessControlList); AccessControlList acl = (AccessControlList) policies[0]; @@ -2106,8 +2173,7 @@ JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager(); AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(Collections.singleton(testPrincipal)); - assertNotNull(effective); - assertEquals(2, effective.length); + assertPolicies(effective, 2); } /** 
@@ -2131,8 +2197,7 @@ JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager(); AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(Collections.singleton(testPrincipal)); - assertNotNull(effective); - assertEquals(1, effective.length); + assertPolicies(effective, 1); } /** @@ -2153,8 +2218,7 @@ JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager(); AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(Collections.singleton(testPrincipal)); - assertNotNull(effective); - assertEquals(1, effective.length); + assertPolicies(effective, 1); } @Test @@ -2177,8 +2241,7 @@ Set principals = ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance()); AccessControlPolicy[] policies = testAcMgr.getEffectivePolicies(principals); - assertNotNull(policies); - assertEquals(2, policies.length); + assertPolicies(policies, 2); } /** @@ -2207,16 +2270,14 @@ Set principals = ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance()); AccessControlPolicy[] policies = testAcMgr.getEffectivePolicies(principals); - assertNotNull(policies); - assertEquals(1, policies.length); + assertPolicies(policies, 1); } //-----------------------------------------------< setPrincipalPolicy() >--- @Test public void testSetPrincipalPolicy() throws Exception { JackrabbitAccessControlPolicy[] applicable = acMgr.getApplicablePolicies(testPrincipal); - assertNotNull(applicable); - assertEquals(1, applicable.length); + assertPolicies(applicable, 1); assertTrue(applicable[0] instanceof ACL); ACL acl = (ACL) applicable[0]; 
@@ -2227,11 +2288,11 @@ Root root2 = adminSession.getLatestRoot(); AccessControlPolicy[] policies = getAccessControlManager(root2).getPolicies(testPath); - assertEquals(1, policies.length); + assertPolicies(policies, 1); assertEquals(1, ((ACL) policies[0]).getAccessControlEntries().length); policies = getAccessControlManager(root2).getPolicies(testPrincipal); - assertEquals(1, policies.length); + assertPolicies(policies, 1); assertArrayEquals(acl.getAccessControlEntries(), ((ACL) policies[0]).getAccessControlEntries()); } @@ -2310,7 +2371,7 @@ acMgr.setPolicy(acl.getPath(), acl); // ... which must not have an effect and the policy must not be re-added. - assertEquals(0, acMgr.getPolicies(testPath).length); + assertPolicies(acMgr.getPolicies(testPath), 0); } //--------------------------------------------< removePrincipalPolicy() >--- @@ -2318,8 +2379,7 @@ @Test public void testRemovePrincipalPolicy() throws Exception { JackrabbitAccessControlPolicy[] applicable = acMgr.getApplicablePolicies(testPrincipal); - assertNotNull(applicable); - assertEquals(1, applicable.length); + assertPolicies(applicable, 1); assertTrue(applicable[0] instanceof ACL); ACL acl = (ACL) applicable[0]; @@ -2331,8 +2391,8 @@ acMgr.removePolicy(acl.getPath(), acl); root.commit(); - assertEquals(0, acMgr.getPolicies(testPrincipal).length); - assertEquals(0, acMgr.getPolicies(testPath).length); + assertPolicies(acMgr.getPolicies(testPrincipal), 0); + assertPolicies(acMgr.getPolicies(testPath), 0); } @Test 
@@ -2341,18 +2401,14 @@ root.commit(); AccessControlPolicy[] policies = acMgr.getPolicies(testPrincipal); - assertNotNull(policies); - assertEquals(1, policies.length); + assertPolicies(policies, 1); assertTrue(policies[0] instanceof ACL); ACL acl = (ACL) policies[0]; acMgr.removePolicy(acl.getPath(), acl); - policies = acMgr.getPolicies(testPath); - assertEquals(0, policies.length); - - policies = acMgr.getPolicies(testPrincipal); - assertEquals(0, policies.length); + assertPolicies(acMgr.getPolicies(testPath), 0); + assertPolicies(acMgr.getPolicies(testPrincipal), 0); } @Test(expected = AccessControlException.class) Index: oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java (revision 1851744) +++ oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManagerTest.java (date 1548255553000) @@ -20,6 +20,7 @@ import java.util.List; import java.util.Set; import javax.jcr.security.AccessControlException; +import javax.jcr.security.AccessControlList; import javax.jcr.security.AccessControlManager; import javax.jcr.security.AccessControlPolicy; import javax.jcr.security.AccessControlPolicyIterator; 
@@ -36,6 +37,8 @@ import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants; import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner; +import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; import org.apache.jackrabbit.oak.util.NodeUtil; import org.jetbrains.annotations.NotNull; import org.junit.Test; @@ -139,6 +142,9 @@ AccessControlPolicyIterator it = acMgr.getApplicablePolicies(TEST_PATH); while (it.hasNext()) { AccessControlPolicy plc = it.nextAccessControlPolicy(); + if (plc instanceof AccessControlList) { + ((AccessControlList) plc).addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(PrivilegeConstants.JCR_READ)); + } acMgr.setPolicy(TEST_PATH, plc); } root.commit();
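Review bot: The added `instanceof AccessControlList` branch in the `@@ -139,6 +142,9 @@` hunk has no comment explaining why a `jcr:read` entry for everyone is added before `setPolicy`. Judging from `testGetEffectivePoliciesEmptyACL` in the same patch, an ACL without entries presumably no longer shows up as an effective policy; state that here, e.g. `// add an entry: an empty ACL would not be reported by getEffectivePolicies`. A policy that is not an `AccessControlList` is still set without entries, and the boolean returned by `addAccessControlEntry` is ignored, so wrapping the call in `assertTrue(...)` would make a failed setup visible. The enclosing method starts and ends outside the hunk.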