1 16 package org.outerj.daisy.repository.test; 17 18 import org.outerj.daisy.repository.*; 19 import org.outerj.daisy.repository.comment.CommentVisibility; 20 import org.outerj.daisy.repository.testsupport.AbstractDaisyTestCase; 21 import org.outerj.daisy.repository.user.UserManager; 22 import org.outerj.daisy.repository.user.Role; 23 import org.outerj.daisy.repository.user.User; 24 import org.outerj.daisy.repository.acl.*; 25 import org.outerj.daisy.repository.schema.DocumentType; 26 import org.outerj.daisy.repository.schema.RepositorySchema; 27 import org.outerj.daisy.repository.schema.FieldType; 28 import org.outerj.daisy.repository.schema.PartType; 29 30 33 public abstract class AbstractAclTest extends AbstractDaisyTestCase { 34 protected boolean resetDataStores() { 35 return true; 36 } 37 38 protected abstract RepositoryManager getRepositoryManager() throws Exception ; 39 40 public void testAcl() throws Exception { 41 RepositoryManager repositoryManager = getRepositoryManager(); 42 43 Repository testuserRepository = repositoryManager.getRepository(new Credentials("testuser", "testuser")); 44 testuserRepository.switchRole(Role.ADMINISTRATOR); 45 46 RepositorySchema schema = testuserRepository.getRepositorySchema(); 48 49 FieldType stringField = schema.createFieldType("StringField", ValueType.STRING); 50 stringField.setAclAllowed(true); 51 stringField.save(); 52 FieldType longField = schema.createFieldType("LongField", ValueType.LONG); 53 longField.save(); 54 55 PartType partType = schema.createPartType("TestPart", ""); 56 partType.save(); 57 58 DocumentType documentType = schema.createDocumentType("acltesttype"); 59 documentType.addFieldType(stringField, false); 60 documentType.addFieldType(longField, false); 61 documentType.addPartType(partType, false); 62 documentType.save(); 63 64 UserManager userManager = testuserRepository.getUserManager(); 66 Role userRole = userManager.getRole("user", false); 67 68 User user1 = userManager.createUser("user1"); 69 user1.setPassword("user1"); 70 user1.addToRole(userRole); 71 user1.setDefaultRole(userRole); 72 user1.save(); 73 Repository user1Repository = repositoryManager.getRepository(new Credentials("user1", "user1")); 74 75 User user2 = userManager.createUser("user2"); 76 user2.setPassword("user2"); 77 user2.addToRole(userRole); 78 user2.setDefaultRole(userRole); 79 user2.save(); 80 Repository user2Repository = repositoryManager.getRepository(new Credentials("user2", "user2")); 81 82 Document document1 = testuserRepository.createDocument("Document1", documentType.getId()); 84 document1.setField(stringField.getId(), "hello"); 85 document1.setField(longField.getId(), new Long (55)); 86 document1.setPart(partType.getId(), "text/plain", "Once upon a time.".getBytes()); 87 document1.save(); 88 89 93 AccessManager accessManager = testuserRepository.getAccessManager(); 94 Acl acl = accessManager.getStagingAcl(); 95 AclObject aclObject = acl.createNewObject("true"); 96 acl.add(aclObject); 97 acl.save(); 98 99 Acl aclParallel = accessManager.getStagingAcl(); 100 aclParallel.save(); 101 try { 102 acl.save(); 103 fail("Saving ACL should have given concurrent modification exception."); 104 } catch (Exception e) {} 105 106 accessManager.copyStagingToLive(); 107 Acl liveAcl = accessManager.getLiveAcl(); 108 109 try { 110 liveAcl.save(); 111 fail("Saving the live ACL should not be possible."); 112 } catch (Exception e) {} 113 114 assertEquals(1, liveAcl.size()); 115 116 acl = accessManager.getStagingAcl(); 117 aclObject = acl.get(0); 118 119 try { 120 aclObject.createNewEntry(AclSubjectType.EVERYONE, 5); 121 fail("For subject type EVERYONE, -1 is required as subject value."); 122 } catch (Exception e) {} 123 124 try { 125 aclObject.createNewEntry(AclSubjectType.USER, -1); 126 fail("For subject type USER, -1 is not allowed as subject value."); 127 } catch (Exception e) {} 128 129 try { 130 aclObject.createNewEntry(AclSubjectType.ROLE, -1); 131 fail("For subject type USER, -1 is not allowed as subject value."); 132 } catch (Exception e) {} 133 134 try { 135 AclEntry aclEntry = aclObject.createNewEntry(AclSubjectType.EVERYONE, -1); 136 aclEntry.setSubjectValue(5); 137 fail("For subject type EVERYONE, 5 is not allowed as subject value."); 138 } catch (Exception e) {} 139 140 AclEntry aclEntry = aclObject.createNewEntry(AclSubjectType.EVERYONE, -1); 141 aclEntry.set(AclPermission.READ_LIVE, AclActionType.GRANT); 142 aclEntry.set(AclPermission.READ, AclActionType.GRANT); 143 assertEquals(AclActionType.DO_NOTHING, aclEntry.get(AclPermission.WRITE)); 144 assertEquals(AclActionType.DO_NOTHING, aclEntry.get(AclPermission.PUBLISH)); 145 aclEntry.set(AclPermission.PUBLISH, AclActionType.GRANT); 146 assertEquals(AclActionType.GRANT, aclEntry.get(AclPermission.PUBLISH)); 147 aclEntry.set(AclPermission.DELETE, AclActionType.GRANT); 148 assertEquals(AclActionType.GRANT, aclEntry.get(AclPermission.DELETE)); 149 aclObject.add(aclEntry); 150 151 acl.save(); 152 153 liveAcl = accessManager.getLiveAcl(); 155 assertEquals(0, liveAcl.get(0).size()); 156 157 accessManager.copyLiveToStaging(); 159 acl = accessManager.getStagingAcl(); 160 assertEquals(0, acl.get(0).size()); 161 162 aclObject = acl.createNewObject("$LongField = 55"); 164 acl.add(aclObject); 165 acl.save(); 166 try { 167 accessManager.getAclInfoOnStaging(-1, new long[] {-1}, document1.getId()); 168 fail("Evaluating an ACL containg a check on a non-ACL allowed field should have failed."); 169 } catch (RepositoryException e) {} 170 171 188 acl = accessManager.getStagingAcl(); 189 acl.clear(); 190 191 AclObject object = acl.createNewObject("true"); 192 acl.add(object); 193 AclEntry entry = object.createNewEntry(AclSubjectType.ROLE, userRole.getId()); 194 object.add(entry); 195 entry.set(AclPermission.READ_LIVE, AclActionType.GRANT); 196 entry.set(AclPermission.READ, AclActionType.GRANT); 197 entry.set(AclPermission.WRITE, AclActionType.GRANT); 198 entry.set(AclPermission.PUBLISH, AclActionType.GRANT); 199 entry.set(AclPermission.DELETE, AclActionType.GRANT); 200 201 object = acl.createNewObject("documentType = 'acltesttype' and $StringField='ciao'"); 202 acl.add(object); 203 entry = object.createNewEntry(AclSubjectType.USER, user1.getId()); 204 object.add(entry); 205 entry.set(AclPermission.READ_LIVE, AclActionType.GRANT); 206 entry.set(AclPermission.READ, AclActionType.GRANT); 207 entry.set(AclPermission.WRITE, AclActionType.DENY); 208 entry.set(AclPermission.PUBLISH, AclActionType.DENY); 209 entry.set(AclPermission.DELETE, AclActionType.DENY); 210 211 object = acl.createNewObject("documentType = 'acltesttype' and $StringField='hello'"); 212 acl.add(object); 213 entry = object.createNewEntry(AclSubjectType.EVERYONE, -1); 214 object.add(entry); 215 entry.set(AclPermission.READ_LIVE, AclActionType.GRANT); 216 entry.set(AclPermission.READ, AclActionType.GRANT); 217 entry.set(AclPermission.WRITE, AclActionType.DENY); 218 entry.set(AclPermission.PUBLISH, AclActionType.DENY); 219 entry.set(AclPermission.DELETE, AclActionType.DENY); 220 221 object = acl.createNewObject("documentType = 'acltesttype'"); 222 acl.add(object); 223 entry = object.createNewEntry(AclSubjectType.USER, user2.getId()); 224 object.add(entry); 225 entry.set(AclPermission.READ_LIVE, AclActionType.DENY); 226 entry.set(AclPermission.READ, AclActionType.DENY); 227 entry.set(AclPermission.WRITE, AclActionType.GRANT); 228 entry.set(AclPermission.PUBLISH, AclActionType.DENY); 229 entry.set(AclPermission.DELETE, AclActionType.DENY); 230 231 object = acl.createNewObject("$StringField = 'ta'"); 232 acl.add(object); 233 entry = object.createNewEntry(AclSubjectType.USER, user2.getId()); 234 object.add(entry); 235 entry.set(AclPermission.READ_LIVE, AclActionType.GRANT); 236 entry.set(AclPermission.READ, AclActionType.GRANT); 237 entry.set(AclPermission.WRITE, AclActionType.GRANT); 238 entry.set(AclPermission.PUBLISH, AclActionType.DENY); 239 entry.set(AclPermission.DELETE, AclActionType.DENY); 240 entry = object.createNewEntry(AclSubjectType.USER, user1.getId()); 241 object.add(entry); 242 entry.set(AclPermission.READ_LIVE, AclActionType.GRANT); 243 entry.set(AclPermission.READ, AclActionType.GRANT); 244 entry.set(AclPermission.WRITE, AclActionType.GRANT); 245 entry.set(AclPermission.PUBLISH, AclActionType.GRANT); 246 entry.set(AclPermission.DELETE, AclActionType.GRANT); 247 248 object = acl.createNewObject("$StringField = 'tata'"); 249 acl.add(object); 250 entry = object.createNewEntry(AclSubjectType.USER, user2.getId()); 251 object.add(entry); 252 entry.set(AclPermission.READ_LIVE, AclActionType.GRANT); 253 entry.set(AclPermission.READ, AclActionType.DENY); 254 entry.set(AclPermission.WRITE, AclActionType.DENY); 255 entry.set(AclPermission.PUBLISH, AclActionType.DENY); 256 entry.set(AclPermission.DELETE, AclActionType.DENY); 257 entry = object.createNewEntry(AclSubjectType.USER, user1.getId()); 258 object.add(entry); 259 entry.set(AclPermission.READ_LIVE, AclActionType.GRANT); 260 entry.set(AclPermission.READ, AclActionType.GRANT); 261 entry.set(AclPermission.WRITE, AclActionType.GRANT); 262 entry.set(AclPermission.PUBLISH, AclActionType.GRANT); 263 entry.set(AclPermission.DELETE, AclActionType.GRANT); 264 265 acl.save(); 266 accessManager.copyStagingToLive(); 267 268 AclResultInfo result = accessManager.getAclInfoOnLive(testuserRepository.getUserId(), new long[] {-1}, document1.getId()); 270 assertEquals("owner should have read access", result.isAllowed(AclPermission.READ), true); 271 assertEquals("owner should have write access", result.isAllowed(AclPermission.WRITE), true); 272 273 result = accessManager.getAclInfoOnLive(-1, new long[] {-1}, document1.getId()); 275 assertEquals(result.isAllowed(AclPermission.READ), true); 276 assertEquals(result.isAllowed(AclPermission.WRITE), false); 277 278 result = accessManager.getAclInfoOnLive(user2.getId(), new long[] {userRole.getId()}, document1.getId()); 280 assertEquals(result.isAllowed(AclPermission.READ), false); 281 assertEquals(result.isAllowed(AclPermission.WRITE), false); 285 testuserRepository.getDocument(document1.getId(), true); 287 288 try { 290 user2Repository.getDocument(document1.getId(), true); 291 fail("user 'user2' should not be able to access Document1"); 292 } catch (RepositoryException e) {} 293 294 try { 296 user2Repository.getPartData(document1.getId(), 1, partType.getId()); 297 } catch (RepositoryException e) {} 298 299 Document document2 = user1Repository.createDocument("Document2", documentType.getId()); 300 document2.setField(stringField.getId(), "hi"); 301 document2.setField(longField.getId(), new Long (55)); 302 document2.save(); 303 304 document2 = user1Repository.getDocument(document2.getId(), true); 306 document2.setField("StringField", "ciao"); 307 document2.save(); 308 309 Document document3 = testuserRepository.createDocument("Document3", documentType.getId()); 311 document3.save(); 312 document3 = user1Repository.getDocument(document3.getId(), true); 313 document3.save(); try { 315 document3.setField("StringField", "ciao"); 316 document3.save(); 317 fail("Saving document3 by user 'user1' should have failed."); 318 } catch (RepositoryException e) {} 319 320 Document document4 = user1Repository.createDocument("Document4", documentType.getId()); 324 try { 325 document4.setField("StringField", "ciao"); 326 document4.save(); 327 fail("Saving a new document (document4) to which the user would not have access (if he/she were not owner) should fail."); 328 } catch (RepositoryException e) {} 329 330 331 try { 333 user2Repository.getCommentManager().addComment(document1.getId(), CommentVisibility.PUBLIC, "hello"); 334 fail("Adding a comment should have failed because user2 does not have read access."); 335 } catch (Exception e) {} 336 337 user1Repository.getCommentManager().addComment(document1.getId(), CommentVisibility.PUBLIC, "hello"); 338 339 340 Document document5 = user1Repository.createDocument("Document5", documentType.getId()); 342 document5.setPrivate(true); 343 document5.save(); 344 345 user1Repository.getDocument(document5.getId(), true); 347 testuserRepository.getDocument(document5.getId(), true); 349 350 Document document6 = testuserRepository.createDocument("Document6", documentType.getId()); 351 document6.setPrivate(true); 352 document6.save(); 353 try { 354 user1Repository.getDocument(document6.getId(), true); 355 fail("user1 should not have access to a private document of someone else."); 356 } catch (Exception e) {} 357 358 Document document7 = user2Repository.createDocument("Document7", documentType.getId()); 359 document7.setOwner(user1.getId()); document7.setField("StringField", "ta"); 361 document7.setNewVersionState(VersionState.PUBLISH); 362 document7.save(); 363 document7 = user2Repository.getDocument(document7.getId(), true); 364 assertTrue("user2 can't put publish document", document7.getLastVersion().getState() == VersionState.DRAFT); 365 366 AclResultInfo info = testuserRepository.getAccessManager().getAclInfoOnLive(user2Repository.getUserId(), user2Repository.getActiveRoleIds(), document7.getId()); 367 info.dump(); 368 369 try { 370 document7.getLastVersion().setState(VersionState.PUBLISH); 371 fail("Setting state to publish should have failed."); 372 } catch (Exception e) {} 373 374 Document document7user1 = user1Repository.getDocument(document7.getId(), true); 375 try { 376 document7user1.getLastVersion().setState(VersionState.PUBLISH); 377 } catch (Exception e) {} 378 379 assertTrue(user2Repository.getAccessManager().getAclInfoOnLive(user2.getId(), user2Repository.getActiveRoleIds(), document7.getId()).getActionType(AclPermission.DELETE) == AclActionType.DENY); 380 try { 381 user2Repository.deleteDocument(document7.getId()); 382 fail("user2 shouldn't be able to delete document."); 383 } catch (AccessException e) {} 384 385 assertTrue(user1Repository.getAccessManager().getAclInfoOnLive(user1.getId(), user1Repository.getActiveRoleIds(), document7.getId()).getActionType(AclPermission.DELETE) == AclActionType.GRANT); 386 user1Repository.deleteDocument(document7.getId()); 387 388 Document document8 = user1Repository.createDocument("Document8", documentType.getId()); 390 document8.setField("StringField", "tata"); 391 document8.save(); 392 document8.setName("Document8 - 2"); 393 document8.setNewVersionState(VersionState.DRAFT); 394 document8.save(); 395 396 testuserRepository.getAccessManager().getAclInfoOnLive(user2.getId(), user2.getAllRoleIds(), document8.getVariantKey()).dump(); 397 398 document8 = user2Repository.getDocument(document8.getId(), false); 399 callDisallowedVersionMethods(document8); 400 document8 = user2Repository.getDocument(document8.getId(), true); 401 callDisallowedVersionMethods(document8); 402 403 document8 = user1Repository.getDocument(document8.getId(), true); 404 document8.setRetired(true); 405 document8.save(); 406 407 try { 408 document8 = user2Repository.getDocument(document8.getId(), false); 409 fail("Getting live version of retired document should fail if user has only read live permission"); 410 } catch (DocumentReadDeniedException e) {} 411 412 try { 413 document8 = user2Repository.getDocument(document8.getId(), true); 414 fail("Getting live version of retired document should fail if user has only read live permission"); 415 } catch (DocumentReadDeniedException e) {} 416 417 421 DocumentType documentTypeA = schema.createDocumentType("A"); 423 documentTypeA.save(); 424 DocumentType documentTypeB = schema.createDocumentType("B"); 425 documentTypeB.save(); 426 DocumentType documentTypeC = schema.createDocumentType("C"); 427 documentTypeC.save(); 428 429 acl = accessManager.getStagingAcl(); 431 acl.clear(); 432 433 aclObject = acl.createNewObject("documentType = 'A'"); 434 aclEntry = aclObject.createNewEntry(AclSubjectType.EVERYONE, -1); 435 aclEntry.set(AclPermission.READ, AclActionType.GRANT); 436 aclEntry.set(AclPermission.WRITE, AclActionType.GRANT); 437 aclObject.add(aclEntry); 438 acl.add(aclObject); 439 440 aclObject = acl.createNewObject("documentType = 'B' and $StringField = 'hello'"); 441 aclEntry = aclObject.createNewEntry(AclSubjectType.EVERYONE, -1); 442 aclEntry.set(AclPermission.READ, AclActionType.GRANT); 443 aclEntry.set(AclPermission.WRITE, AclActionType.GRANT); 444 aclObject.add(aclEntry); 445 acl.add(aclObject); 446 447 aclObject = acl.createNewObject("documentType = 'C'"); 448 aclEntry = aclObject.createNewEntry(AclSubjectType.EVERYONE, -1); 449 aclEntry.set(AclPermission.READ, AclActionType.DENY); 450 aclEntry.set(AclPermission.WRITE, AclActionType.DENY); 451 aclObject.add(aclEntry); 452 acl.add(aclObject); 453 454 acl.save(); 455 accessManager.copyStagingToLive(); 456 457 long[] filteredDocTypes = user1Repository.getAccessManager().filterDocumentTypes(new long[] {documentTypeA.getId(), documentTypeB.getId(), documentTypeC.getId()}, -1); 458 assertEquals(2, filteredDocTypes.length); 459 assertEquals(documentTypeA.getId(), filteredDocTypes[0]); 460 assertEquals(documentTypeB.getId(), filteredDocTypes[1]); 461 462 464 465 } 468 469 private void callDisallowedVersionMethods(Document document) throws Exception { 470 document.getLiveVersion(); 471 472 try { 473 document.getVersions(); 474 fail("Getting non-live version data should fail."); 475 } catch (RuntimeException e) {} 476 477 try { 478 document.getLastVersion(); 479 fail("Getting non-live version data should fail."); 480 } catch (RuntimeException e) {} 481 482 try { 483 document.getXml(); 484 fail("Getting non-live version data should fail."); 485 } catch (RuntimeException e) {} 486 487 try { 488 document.getXml(2); 489 fail("Getting non-live version data should fail."); 490 } catch (RuntimeException e) {} 491 492 try { 493 document.getName(); 494 fail("Getting non-live version data should fail."); 495 } catch (RuntimeException e) {} 496 497 try { 498 document.getField("whatever"); 499 fail("Getting non-live version data should fail."); 500 } catch (RuntimeException e) {} 501 } 502 } 503 | Popular Tags |