Source Code of org.apache.jackrabbit.oak.jcr.security.authorization.JackrabbitAccessControlListTest

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.jackrabbit.oak.jcr.security.authorization;

import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.jcr.Node;
import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.test.NotExecutableException;
import org.apache.jackrabbit.test.api.security.AbstractAccessControlTest;
import org.junit.Test;

import static org.junit.Assert.assertArrayEquals;

/**
 * Testing {@code JackrabbitAccessControlList} functionality exposed by the API.
 */
public class JackrabbitAccessControlListTest extends AbstractAccessControlTest {

    private JackrabbitAccessControlList acl;
    private Principal testPrincipal;
    private Privilege[] testPrivileges;

    @Override
    protected void setUp() throws Exception {
        super.setUp();

        Node n = testRootNode.addNode(nodeName1, testNodeType);
        superuser.save();

        AccessControlPolicyIterator it = acMgr.getApplicablePolicies(n.getPath());
        while (it.hasNext() && acl == null) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) {
                acl = (JackrabbitAccessControlList) p;
            }
        }
        if (acl == null) {
            superuser.logout();
            throw new NotExecutableException("No JackrabbitAccessControlList to test.");
        }

        testPrincipal = getValidPrincipal();
        testPrivileges = privilegesFromName(Privilege.JCR_ALL);
    }

    @Override
    protected void tearDown() throws Exception {
        // make sure transient ac-changes are reverted.
        superuser.refresh(false);
        super.tearDown();
    }

    private Principal getValidPrincipal() throws NotExecutableException, RepositoryException {
        if (!(superuser instanceof JackrabbitSession)) {
            throw new NotExecutableException();
        }

        PrincipalManager pMgr = ((JackrabbitSession) superuser).getPrincipalManager();
        PrincipalIterator it = pMgr.getPrincipals(PrincipalManager.SEARCH_TYPE_NOT_GROUP);
        if (it.hasNext()) {
            return it.nextPrincipal();
        } else {
            throw new NotExecutableException();
        }
    }

    @Test
    public void testGetRestrictionNames() throws RepositoryException {
        assertNotNull(acl.getRestrictionNames());
    }

    @Test
    public void testGetRestrictionType() throws RepositoryException {
        String[] names = acl.getRestrictionNames();
        for (String name : names) {
            int type = acl.getRestrictionType(name);
            assertTrue(type > PropertyType.UNDEFINED);
        }
    }

    @Test
    public void testApplicablePolicyIsEmpty() {
        assertTrue(acl.isEmpty());
        assertEquals(0, acl.size());
    }

    @Test
    public void testIsEmpty() throws RepositoryException {
        if (acl.addAccessControlEntry(testPrincipal, testPrivileges)) {
            assertFalse(acl.isEmpty());
        } else {
            assertTrue(acl.isEmpty());
        }
    }

    @Test
    public void testSize() throws RepositoryException {
        if (acl.addAccessControlEntry(testPrincipal, testPrivileges)) {
            assertTrue(acl.size() > 0);
        } else {
            assertEquals(0, acl.size());
        }
    }

    @Test
    public void testAddEntry() throws NotExecutableException, RepositoryException {
        List<AccessControlEntry> entriesBefore = Arrays.asList(acl.getAccessControlEntries());
        if (acl.addEntry(testPrincipal, testPrivileges, true, Collections.<String, Value>emptyMap())) {
            AccessControlEntry[] entries = acl.getAccessControlEntries();
            AccessControlEntry ace = null;
            for (AccessControlEntry entry : entries) {
                if (testPrincipal.equals(entry.getPrincipal())) {
                    ace = entry;
                }
            }
            assertNotNull("addEntry was successful -> expected entry for tesPrincipal.", ace);
            assertTrue("addEntry was successful -> at least 1 entry.", entries.length > 0);
        } else {
            AccessControlEntry[] entries = acl.getAccessControlEntries();
            assertEquals("Grant ALL not successful -> entries must not have changed.", entriesBefore, Arrays.asList(entries));
        }
    }

    @Test
    public void testRemoveEntry() throws NotExecutableException, RepositoryException {
        Principal princ = getValidPrincipal();
        Privilege[] grPriv = privilegesFromName("rep:write");

        acl.addEntry(princ, grPriv, true, Collections.<String, Value>emptyMap());
        AccessControlEntry[] entries = acl.getAccessControlEntries();
        int length = entries.length;
        assertTrue("Grant was both successful -> at least 1 entry.", length > 0);
        for (AccessControlEntry entry : entries) {
            acl.removeAccessControlEntry(entry);
            length = length - 1;
            assertEquals(length, acl.size());
            assertEquals(length, acl.getAccessControlEntries().length);
        }

        assertTrue(acl.isEmpty());
        assertEquals(0, acl.size());
        assertEquals(0, acl.getAccessControlEntries().length);
    }

    /**
     * <a href="https://issues.apache.org/jira/browse/OAK-1026">OAK-1026</a>
     */
    @Test
    public void testEntryWithAggregatePrivileges() throws Exception {
        Privilege write = acMgr.privilegeFromName(Privilege.JCR_WRITE);
        acl.addEntry(testPrincipal, write.getAggregatePrivileges(), true);

        AccessControlEntry[] entries = acl.getAccessControlEntries();
        assertEquals(1, entries.length);
        assertArrayEquals(new Privilege[]{write}, entries[0].getPrivileges());

        acMgr.setPolicy(acl.getPath(), acl);

        AccessControlPolicy policy = AccessControlUtils.getAccessControlList(acMgr, acl.getPath());
        assertNotNull(policy);

        entries = acl.getAccessControlEntries();
        assertEquals(1, entries.length);
        assertArrayEquals(new Privilege[]{write}, entries[0].getPrivileges());
    }
}