Skip to content

Commit

Permalink
OAK-3210 : Complete privilege management related exercises (WIP)
Browse files Browse the repository at this point in the history 
git-svn-id: https://svn.apache.org/repos/asf/jackrabbit/oak/trunk@1731901 13f79535-47bb-0310-9956-ffa450edef68
  • Loading branch information
@anchela
anchela committed Feb 23, 2016
1 parent 648631d commit 4ca0872
Show file tree
Hide file tree
Showing 2 changed files with 210 additions and 9 deletions.
2 changes: 1 addition & 1 deletion ...e/src/test/java/org/apache/jackrabbit/oak/security/privilege/L5_PrivilegeContentTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@
* This exercises aims to help you understand how the implementation keeps
* track of the internal long representation of privileges and how those
* long representations are being calculated for newly registered privileges.
* Resolve the TODOs in the test-case and explain the behavior.
* Resolve the EXERCISE marks in the test-case and explain the behavior.
*
* Question: Can you identify where 'rep:next' is being updated?
* Question: Try to set the value of rep:next manually and explain what happens.
Expand Down
217 changes: 209 additions & 8 deletions ...src/test/java/org/apache/jackrabbit/oak/security/privilege/L7_PrivilegeDiscoveryTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,24 @@
*/
package org.apache.jackrabbit.oak.security.privilege;

import java.security.Principal;
import java.util.Set;
import javax.jcr.Node;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.test.AbstractJCRTest;

/**
Expand All @@ -30,20 +48,45 @@
* The aim of this exercise is to make you familiar on how to discover privileges
* granted for a given {@link javax.jcr.Session} or a given set of {@link java.security.Principal}s.
* After having completed this exercise you should be able to explain the difference
* compare to permission discovery as well as the benefit/drawback of using
* compared to permission discovery as well as the benefit/drawback of using
* this API.
*
* Exercises:
*
* - {@link #testHasPrivileges()}
* TODO
*
* - {@link #testGetPrivileges()}
* - {@link #testHasPrivilegesPropertyPath()}
* TODO
*
* - {@link #testHasPrivilegeNonExistingPath()}
* TODO
*
* - {@link #testGetPrivileges()}
* Practise {@link AccessControlManager#getPrivileges(String)}, which evaluates
* the effective privileges for the editing {@code Session} associated with
* the access control manager: fill in the expected privileges at the different
* node paths.
*
* - {@link #testGetPrivilegesForPrincipals()}
* This test illustrates the usage of {@link JackrabbitAccessControlManager#getPrivileges(String, Set)}
* for different combinations of principals: fill in the expected privileges
* granted at the different paths.
* NOTE: the test is executed with the super-privileged adminitrative session.
* Compare the results with the next test case.
*
* - {@link #testGetPrivilegesForPrincipalsUserSession()}
* Same as {@link #testGetPrivilegesForPrincipals()} but this time the method
* is called with the user session that as you could see in {@link #testGetPrivileges}
* isn't granted to complete set of privileges.
* Complete the test case and explain the behavior; in particular in comparison
* with the previous test.
*
* - {@link #testCanAddNode()}
* TODO
*
* - {@link #testHasPermissionVsHasPrivilege()}
* TODO
*
* Related Exercises:
* -----------------------------------------------------------------------------
Expand All @@ -53,22 +96,180 @@
*
* </pre>
*
* @see TODO
* @see AccessControlManager#hasPrivileges(String, Privilege[])
* @see AccessControlManager#getPrivileges(String)
* @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#hasPrivileges(String, Privilege[])
* @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#getPrivileges(String)
*/
public class L7_PrivilegeDiscoveryTest extends AbstractJCRTest {

public void testHasPrivileges() {
private Session userSession;

private Principal uPrincipal;
private Principal gPrincipal;

private String testPath;
private String childPath;

@Override
protected void setUp() throws Exception {
super.setUp();

SimpleCredentials creds = new SimpleCredentials("u", "u".toCharArray());
UserManager uMgr = ((JackrabbitSession) superuser).getUserManager();
User u = uMgr.createUser(creds.getUserID(), creds.getUserID());
Group g = uMgr.createGroup("g");
g.addMember(u);

uPrincipal = u.getPrincipal();
gPrincipal = g.getPrincipal();

Node n = superuser.getNode(testRoot).addNode(nodeName1);
testPath = n.getPath();
Privilege[] privs = AccessControlUtils.privilegesFromNames(superuser,
Privilege.JCR_VERSION_MANAGEMENT,
Privilege.JCR_ADD_CHILD_NODES,
Privilege.JCR_MODIFY_PROPERTIES);
AccessControlUtils.addAccessControlEntry(superuser, n.getPath(), gPrincipal,
privs, true);
AccessControlUtils.addAccessControlEntry(superuser, n.getPath(), uPrincipal,
new String[] {Privilege.JCR_VERSION_MANAGEMENT}, false);

Node child = n.addNode(nodeName2);
childPath = child.getPath();
superuser.save();

userSession = getHelper().getRepository().login(creds);

// NOTE the following precondition defined by the test-setup!
assertTrue(userSession.nodeExists(testPath));
assertTrue(userSession.nodeExists(childPath));
}

@Override
protected void tearDown() throws Exception {
try {
userSession.logout();

superuser.getNode(testPath).remove();

UserManager uMgr = ((JackrabbitSession) superuser).getUserManager();
Authorizable a = uMgr.getAuthorizable("u");
if (a != null) {
a.remove();
}
a = uMgr.getAuthorizable("g");
if (a != null) {
a.remove();
}
superuser.save();
} finally {
super.tearDown();
}
}

public void testHasPrivileges() throws Exception {
AccessControlManager acMgr = userSession.getAccessControlManager();


// TODO
}

public void testGetPrivileges() {
public void testHasPrivilegesPropertyPath() throws Exception {
// TODO
}

public void testCanAddNode() {
public void testHasPrivilegeNonExistingPath() throws Exception {
// TODO
}
// TODO; diff wrt session.haspermission
// TODO: Acmgr.hasPrivilege || getPrivileges

public void testGetPrivileges() throws Exception {
AccessControlManager acMgr = userSession.getAccessControlManager();

Set<Privilege> expected = null; // EXERCISE
Privilege[] testRootPrivs = acMgr.getPrivileges(testRoot);
assertEquals(expected, ImmutableSet.copyOf(testRootPrivs));

expected = null; // EXERCISE
Privilege[] privs = acMgr.getPrivileges(testPath);
assertEquals(expected, ImmutableSet.copyOf(privs));

expected = null; // EXERCISE
Privilege[] childPrivs = acMgr.getPrivileges(childPath);
assertEquals(expected, ImmutableSet.copyOf(childPrivs));
}

public void testGetPrivilegesForPrincipals() throws Exception {
JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) superuser.getAccessControlManager();

// 1. EXERCISE: expected privileges for the 'uPrincipal' only
Set<Principal> principals = ImmutableSet.of(uPrincipal);
java.util.Map<String, Set<Privilege>> expected = ImmutableMap.of(
testRoot, null, // EXERCISE
testPath, null, // EXERCISE
childPath, null // EXERCISE
);
for (String path : expected.keySet()) {
Set<Privilege> expectedPrivs = expected.get(path);
Privilege[] privs = acMgr.getPrivileges(path, principals);
assertEquals(expectedPrivs, ImmutableSet.copyOf(privs));
}

// 2. EXERCISE: expected privileges for the 'gPrincipal' only
principals = ImmutableSet.of(gPrincipal);
expected = ImmutableMap.of(
testRoot, null,
testPath, null,
childPath, null
);
for (String path : expected.keySet()) {
Set<Privilege> expectedPrivs = expected.get(path);
Privilege[] privs = acMgr.getPrivileges(path, principals);
assertEquals(expectedPrivs, ImmutableSet.copyOf(privs));
}

// 3. EXERCISE: expected privileges for the 'uPrincipal' and 'gPrincipal'
principals = ImmutableSet.of(uPrincipal, gPrincipal);
expected = ImmutableMap.of(
testRoot, null,
testPath, null,
childPath, null
);
for (String path : expected.keySet()) {
Set<Privilege> expectedPrivs = expected.get(path);
Privilege[] privs = acMgr.getPrivileges(path, principals);
assertEquals(expectedPrivs, ImmutableSet.copyOf(privs));
}

// 4. EXERCISE: expected privileges for the 'uPrincipal', 'gPrincipal' + everyone
principals = ImmutableSet.of(uPrincipal, gPrincipal, EveryonePrincipal.getInstance());
expected = ImmutableMap.of(
testRoot, null,
testPath, null,
childPath, null
);
for (String path : expected.keySet()) {
Set<Privilege> expectedPrivs = expected.get(path);
Privilege[] privs = acMgr.getPrivileges(path, principals);
assertEquals(expectedPrivs, ImmutableSet.copyOf(privs));
}
}

public void testGetPrivilegesForPrincipalsUserSession() throws Exception {
JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) userSession.getAccessControlManager();

// EXERCISE: complete the test case and explain the behaviour

Privilege[] privs = acMgr.getPrivileges(testPath, ImmutableSet.of(gPrincipal));
Set<Privilege> expectedPrivs = null;
assertEquals(expectedPrivs, ImmutableSet.copyOf(privs));
}

public void testCanAddNode() throws Exception {
// TODO
}

public void testHasPermissionVsHasPrivilege() throws Exception {
// TODO
}
}

0 comments on commit 4ca0872

Please sign in to comment.