Added 'hasClearance' method to SecurityClearanceService to support EntryVoter and AfterInvocationProvider implementations

* relates to RM-2129 & RM-2130
 * added 'getCurrentClassification" method to ClassificationService
 * added concept of system classification level "Unclassified" .. it no longer is required to be specified in the JSON bootstrap since this is a well known and alway required basic classification level
 * added concept of system security clearance level "No Clearance" .. automatically added and relates to unclassified classificaiton level
 * unit tests updated and added
 * started to move some of the logic out of unit test base class and into helper library called 'AlfMock'!



git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@104229 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml

@@ -76,11 +76,12 @@
       <property name="objectDefinitionSource">
          <value>
             org.alfresco.module.org_alfresco_module_rm.classification.ClassificationService.getClassificationLevels=ACL_ALLOW
+            org.alfresco.module.org_alfresco_module_rm.classification.ClassificationService.getCurrentClassification=ACL_ALLOW
             org.alfresco.module.org_alfresco_module_rm.classification.ClassificationService.getClassificationReasons=ACL_ALLOW
             org.alfresco.module.org_alfresco_module_rm.classification.ClassificationService.classifyContent=ACL_ALLOW
             org.alfresco.module.org_alfresco_module_rm.classification.ClassificationService.getClassificationLevelById=ACL_ALLOW
             org.alfresco.module.org_alfresco_module_rm.classification.ClassificationService.getClassificationReasonById=ACL_ALLOW
-            org.alfresco.module.org_alfresco_module_rm.classification.ClassificationService.getDefaultClassificationLevel=ACL_ALLOW
+            org.alfresco.module.org_alfresco_module_rm.classification.ClassificationService.getUnclassifiedClassificationLevel=ACL_ALLOW
             org.alfresco.module.org_alfresco_module_rm.classification.ClassificationService.*=ACL_DENY
          </value>
       </property>
@@ -139,6 +140,7 @@
    <bean id="SecurityClearanceService_security" parent="baseSecurity">
       <property name="objectDefinitionSource">
          <value>
+         	org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.hasClearance=ACL_ALLOW
             org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.getUserSecurityClearance=ACL_ALLOW
             org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.getUsersSecurityClearance=ACL_ALLOW
             org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.setUserSecurityClearance=ACL_ALLOW

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ClassificationLevelManager.java

@@ -18,11 +18,13 @@
  */
 package org.alfresco.module.org_alfresco_module_rm.classification;
 
+import java.util.ArrayList;
 import java.util.List;
 
-import com.google.common.collect.ImmutableList;
 import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.LevelIdNotFound;
 
+import com.google.common.collect.ImmutableList;
+
 /**
  * Container for the configured {@link ClassificationLevel} objects.
  * 
@@ -30,6 +32,11 @@ import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationS
  */
 public class ClassificationLevelManager
 {
+	/** Unclassified classificaiton level */
+	public static final String UNCLASSIFIED_ID = "Unclassified";
+	private static final String UNCLASSIFIED_MSG = "rm.classification.unclassified";	
+	public static final ClassificationLevel UNCLASSIFIED = new ClassificationLevel(UNCLASSIFIED_ID, UNCLASSIFIED_MSG);
+	
     /** An immutable list of classification levels ordered from most to least secure. */
     private ImmutableList<ClassificationLevel> classificationLevels;
 
@@ -40,7 +47,9 @@ public class ClassificationLevelManager
      */
     public ClassificationLevelManager(List<ClassificationLevel> classificationLevels)
     {
-        this.classificationLevels = ImmutableList.copyOf(classificationLevels);
+    	List<ClassificationLevel> temp = new ArrayList<ClassificationLevel>(classificationLevels);
+    	temp.add(temp.size(), UNCLASSIFIED);    	
+        this.classificationLevels = ImmutableList.copyOf(temp);
     }
 
     /** @return the highest security classification level. */

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ClassificationService.java

@@ -45,6 +45,14 @@ public interface ClassificationService
      */
     List<ClassificationLevel> getClassificationLevels();
     
+    /**
+     * Returns the current classification level of a given node.
+     * 
+     * @param  nodeRef						node reference
+     * @return {@link ClassificationLevel}	classification level, unclassified if none
+     */
+    ClassificationLevel getCurrentClassification(NodeRef nodeRef);
+
     /**
      * Returns an immutable list of the defined classification reasons.
      * @return classification reasons in the order that they are defined.
@@ -63,15 +71,14 @@ public interface ClassificationService
      * @throws InvalidNodeRefException If the node could not be found.
      * @throws InvalidNode If the supplied node is not a content node.
      */
-    void classifyContent(String classificationLevelId, String classificationAuthority,
+    void classifyContent(String classificationLevelId, String classificationAuthority, Set<String> classificationReasonIds, NodeRef content) 
-                Set<String> classificationReasonIds, NodeRef content) throws LevelIdNotFound, ReasonIdNotFound,
+    		throws LevelIdNotFound, ReasonIdNotFound, InvalidNodeRefException, InvalidNode;
-                InvalidNodeRefException, InvalidNode;
 
     /**
-     * Gets the default {@link ClassificationLevel}, which will usually be the level with the lowest security clearance.
+     * Gets the unclassified {@link ClassificationLevel}.
-     * @return the default classification level, or {@code null} if no security levels are configured.
+     * @return the unclassified classification level
      */
-    ClassificationLevel getDefaultClassificationLevel();
+    ClassificationLevel getUnclassifiedClassificationLevel();
 
     /**
      * Gets the classification level for the given classification level id

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ClassificationServiceImpl.java

@@ -167,6 +167,23 @@ public class ClassificationServiceImpl extends ServiceBaseImpl
         return classificationServiceDao.getConfiguredLevels();
     }
     
+    /**
+     * @see org.alfresco.module.org_alfresco_module_rm.classification.ClassificationService#getCurrentClassification(org.alfresco.service.cmr.repository.NodeRef)
+     */
+    public ClassificationLevel getCurrentClassification(NodeRef nodeRef) 
+    {
+    	// by default everything is unclassified
+    	ClassificationLevel result = ClassificationLevelManager.UNCLASSIFIED;
+    	
+    	if (nodeService.hasAspect(nodeRef, ASPECT_CLASSIFIED))
+    	{
+    		String classificationId = (String)nodeService.getProperty(nodeRef, PROP_CURRENT_CLASSIFICATION);
+    		result = levelManager.findLevelById(classificationId);
+    	}
+    	
+    	return result;
+    };
+
     /**
      * Gets the list of classification reasons as persisted in the system.
      * @return the list of classification reasons if they have been persisted, else {@code null}.
@@ -273,10 +290,9 @@ public class ClassificationServiceImpl extends ServiceBaseImpl
         nodeService.addAspect(content, ASPECT_CLASSIFIED, properties);
     }
     
-    @Override public ClassificationLevel getDefaultClassificationLevel()
+    @Override public ClassificationLevel getUnclassifiedClassificationLevel()
     {
-        List<ClassificationLevel> classificationLevels = getClassificationLevels();
+    	return ClassificationLevelManager.UNCLASSIFIED;
-        return classificationLevels.isEmpty() ? null : classificationLevels.get(classificationLevels.size() - 1);
     }
 
     /**

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ClearanceLevelManager.java

@@ -18,11 +18,13 @@
  */
 package org.alfresco.module.org_alfresco_module_rm.classification;
 
+import java.util.ArrayList;
 import java.util.List;
 
-import com.google.common.collect.ImmutableList;
 import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.LevelIdNotFound;
 
+import com.google.common.collect.ImmutableList;
+
 /**
  * Container for the configured {@link ClearanceLevel} objects.
  *
@@ -30,6 +32,9 @@ import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationS
  */
 public class ClearanceLevelManager
 {
+	private static String NO_CLEARANCE_MSG = "rm.classification.noClearance";	
+	public static final ClearanceLevel NO_CLEARANCE = new ClearanceLevel(ClassificationLevelManager.UNCLASSIFIED, NO_CLEARANCE_MSG);
+	
     /** An immutable list of clearance levels ordered from most to least secure. */
     private ImmutableList<ClearanceLevel> clearanceLevels;
 
@@ -40,7 +45,9 @@ public class ClearanceLevelManager
      */
     public ClearanceLevelManager(List<ClearanceLevel> clearanceLevels)
     {
-        this.clearanceLevels = ImmutableList.copyOf(clearanceLevels);
+    	List<ClearanceLevel> temp = new ArrayList<ClearanceLevel>(clearanceLevels);
+    	temp.add(temp.size(), NO_CLEARANCE);
+        this.clearanceLevels = ImmutableList.copyOf(temp);
     }
 
     /** @return An immutable list of clearance levels ordered from most to least secure. */

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceService.java

@@ -19,6 +19,7 @@
 package org.alfresco.module.org_alfresco_module_rm.classification;
 
 import org.alfresco.query.PagingResults;
+import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.security.NoSuchPersonException;
 
 /**
@@ -29,6 +30,18 @@ import org.alfresco.service.cmr.security.NoSuchPersonException;
  */
 public interface SecurityClearanceService
 {
+	/**
+	 * Indicates whether the currently authenticated user has clearance to see the
+	 * provided node.
+	 * <p>
+	 * Note that users, regardless of their clearance level, are always cleared to see a node that has no classification 
+	 * applied.
+	 * 
+	 * @param  nodeRef	node reference
+	 * @return boolean	true if cleared to see node, false otherwise
+	 */
+	boolean hasClearance(NodeRef nodeRef);
+	
     /**
      * Get the currently authenticated user's security clearance.
      *

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceServiceImpl.java

@@ -57,15 +57,12 @@ public class SecurityClearanceServiceImpl extends ServiceBaseImpl implements Sec
     {
         ArrayList<ClearanceLevel> clearanceLevels = new ArrayList<ClearanceLevel>();
         List<ClassificationLevel> classificationLevels = classificationService.getClassificationLevels();
-        ClassificationLevel unclassified = classificationLevels.get(classificationLevels.size() - 1);
         for (ClassificationLevel classificationLevel : classificationLevels)
         {
-            String displayLabelKey = classificationLevel.getDisplayLabelKey();
+        	if (!ClassificationLevelManager.UNCLASSIFIED.equals(classificationLevel))
-            if (classificationLevel.equals(unclassified))
+        	{
-            {
+        		clearanceLevels.add(new ClearanceLevel(classificationLevel, classificationLevel.getDisplayLabelKey()));
-                displayLabelKey = "rm.classification.noClearance";
+        	}
-            }
-            clearanceLevels.add(new ClearanceLevel(classificationLevel, displayLabelKey));
         }
         this.clearanceManager = new ClearanceLevelManager(clearanceLevels);
     }
@@ -73,6 +70,46 @@ public class SecurityClearanceServiceImpl extends ServiceBaseImpl implements Sec
     /** Get the clearance manager (for use in unit testing). */
     protected ClearanceLevelManager getClearanceManager() { return clearanceManager; }
 
+    /**
+     * @see org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService#hasClearance(org.alfresco.service.cmr.repository.NodeRef)
+     */
+    @Override
+    public boolean hasClearance(NodeRef nodeRef) 
+    {
+    	boolean result = false;
+    	
+    	// get the nodes current classification
+    	ClassificationLevel currentClassification = classificationService.getCurrentClassification(nodeRef);
+    	if (ClassificationLevelManager.UNCLASSIFIED.equals(currentClassification))
+    	{
+    		// since the node is not classified user has clearance
+    		result = true;
+    	}
+    	else
+    	{
+    		// get the users security clearance
+    		SecurityClearance securityClearance = getUserSecurityClearance();
+    		if (!ClearanceLevelManager.NO_CLEARANCE.equals(securityClearance.getClearanceLevel()))
+    		{
+    			// get the users highest classification clearance
+    			ClassificationLevel highestClassification = securityClearance.getClearanceLevel().getHighestClassificationLevel();
+    			
+    			// if classification is less than or equal to highest classification then user has clearance
+    			List<ClassificationLevel> allClassificationLevels = classificationService.getClassificationLevels();
+    			int highestIndex = allClassificationLevels.indexOf(highestClassification);
+    			int currentIndex = allClassificationLevels.indexOf(currentClassification);
+    			
+    			if (highestIndex <= currentIndex)
+    			{
+    				// user has clearance
+    				result = true;
+    			}	
+    		}
+    	}
+    	
+    	return result;
+    }
+    
     @Override
     public SecurityClearance getUserSecurityClearance()
     {
@@ -82,6 +119,12 @@ public class SecurityClearanceServiceImpl extends ServiceBaseImpl implements Sec
         return getUserSecurityClearance(currentUser);
     }
 
+    /**
+     * Gets the users security clearnace.
+     * 
+     * @param  userName						user name
+     * @return {@link SecurityClearance}	provides information about the user and their clearance level
+     */
     private SecurityClearance getUserSecurityClearance(final String userName)
     {
         final NodeRef    personNode = personService.getPerson(userName, false);
@@ -91,12 +134,15 @@ public class SecurityClearanceServiceImpl extends ServiceBaseImpl implements Sec
 
         if (nodeService.hasAspect(personNode, ASPECT_SECURITY_CLEARANCE))
         {
-            final String clearanceLevel = (String)nodeService.getProperty(personNode, PROP_CLEARANCE_LEVEL);
+            final String clearanceLevelValue = (String)nodeService.getProperty(personNode, PROP_CLEARANCE_LEVEL);
 
-            classificationLevel = clearanceLevel == null ? classificationService.getDefaultClassificationLevel() :
+            classificationLevel = clearanceLevelValue == null ? classificationService.getUnclassifiedClassificationLevel() :
-                                                           classificationService.getClassificationLevelById(clearanceLevel);
+                                                           		classificationService.getClassificationLevelById(clearanceLevelValue);
+        }
+        else 
+        { 
+        	classificationLevel = classificationService.getUnclassifiedClassificationLevel(); 
         }
-        else { classificationLevel = classificationService.getDefaultClassificationLevel(); }
 
         ClearanceLevel clearanceLevel = clearanceManager.findLevelByClassificationLevelId(classificationLevel.getId());
         return new SecurityClearance(personInfo, clearanceLevel);

rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/classification/ClassificationLevelsTest.java

@@ -22,6 +22,7 @@ import java.io.InputStream;
 import java.util.List;
 
 import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationLevel;
+import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationLevelManager;
 import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase;
 
 /**
@@ -63,7 +64,7 @@ public class ClassificationLevelsTest extends BaseRMTestCase
             {
                 List<ClassificationLevel> levels = classificationService.getClassificationLevels();
                 assertNotNull(levels);
-                assertEquals(4, levels.size());
+                assertEquals(5, levels.size());
 
                 ClassificationLevel level1 = levels.get(0);
                 ClassificationLevel level2 = levels.get(1);
@@ -79,6 +80,8 @@ public class ClassificationLevelsTest extends BaseRMTestCase
                 assertEquals(level2.getId(), LEVEL2_ID);
                 assertEquals(level3.getId(), LEVEL3_ID);
                 assertEquals(level4.getId(), LEVEL4_ID);
+                
+                assertEquals(ClassificationLevelManager.UNCLASSIFIED, levels.get(4));
             }
         });
     }

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/action/impl/UnlinkFromActionUnitTest.java

@@ -18,6 +18,7 @@
  */
 package org.alfresco.module.org_alfresco_module_rm.action.impl;
 
+import static org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock.generateText;
 import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.mock;

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/ClassificationLevelManagerUnitTest.java

@@ -62,4 +62,14 @@ public class ClassificationLevelManagerUnitTest
         ClassificationLevel actual = classificationLevelManager.getMostSecureLevel();
         assertEquals(LEVEL_1, actual);
     }
+    
+    /**
+     * Given that I have created the classification level manager with a list of classification levels
+     * Then the unclassified level is available
+     */
+    @Test public void getUnclassifiedLevel()
+    {
+        assertEquals(LEVELS.size() + 1, classificationLevelManager.getClassificationLevels().size());         	
+    	assertEquals(ClassificationLevelManager.UNCLASSIFIED, classificationLevelManager.findLevelById(ClassificationLevelManager.UNCLASSIFIED_ID));
+    }     
 }

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/ClassificationServiceImplUnitTest.java

@@ -28,6 +28,9 @@ import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock.generateNodeRef;
+import static org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock.generateText;
 
 import java.io.Serializable;
 import java.util.ArrayList;
@@ -84,6 +87,10 @@ public class ClassificationServiceImplUnitTest
                                                                                                 new ClassificationReason("id2", "label2"));
     private static final List<ClassificationReason> ALTERNATIVE_CLASSIFICATION_REASONS = asList(new ClassificationReason("id8", "label8"),
                                                                                                 new ClassificationReason("id9", "label9"));
+    
+    private static final String CLASSIFICATION_LEVEL_ID = "classificationLevelId";
+    private static final ClassificationLevel CLASSIFICATION_LEVEL = new ClassificationLevel(CLASSIFICATION_LEVEL_ID, generateText());
+    
     /**
      * A convenience method for turning lists of level id Strings into lists
      * of {@code ClassificationLevel} objects.
@@ -100,7 +107,6 @@ public class ClassificationServiceImplUnitTest
         }
 
         final List<ClassificationLevel> levels = new ArrayList<>(idsAndLabels.length / 2);
-
         for (int i = 0; i < idsAndLabels.length; i += 2)
         {
             levels.add(new ClassificationLevel(idsAndLabels[i], idsAndLabels[i+1]));
@@ -363,4 +369,48 @@ public class ClassificationServiceImplUnitTest
         doThrow(new ReasonIdNotFound("Id not found!")).when(mockReasonManager).findReasonById(classificationReasonId);
         classificationServiceImpl.getClassificationReasonById(classificationReasonId);
     }
+    
+    /**
+     * Given that a node does not have the classify aspect applied
+     * When I ask for the nodes classification
+     * Then 'Unclassified' is returned
+     */
+    @Test
+    public void getCurrentClassificationWithoutAspectApplied()
+    {
+    	NodeRef nodeRef = generateNodeRef(mockNodeService);
+    	when(mockNodeService.hasAspect(nodeRef, ClassifiedContentModel.ASPECT_CLASSIFIED))
+    		.thenReturn(false);
+    	
+    	ClassificationLevel classificationLevel = classificationServiceImpl.getCurrentClassification(nodeRef);
+    	
+    	assertEquals(ClassificationLevelManager.UNCLASSIFIED, classificationLevel);
+    	verify(mockNodeService).hasAspect(nodeRef, ClassifiedContentModel.ASPECT_CLASSIFIED);
+    	verifyNoMoreInteractions(mockNodeService);
+    }
+    
+    /**
+     * Given that a node is classified
+     * When I ask for the node classification
+     * Then I get the correct classificationlevel
+     */
+    @Test
+    public void getCurrentClassification()
+    {
+    	NodeRef nodeRef = generateNodeRef(mockNodeService);
+    	when(mockNodeService.hasAspect(nodeRef, ClassifiedContentModel.ASPECT_CLASSIFIED))
+			.thenReturn(true);
+    	when(mockNodeService.getProperty(nodeRef, ClassifiedContentModel.PROP_CURRENT_CLASSIFICATION))
+    		.thenReturn(CLASSIFICATION_LEVEL_ID);
+    	when(mockLevelManager.findLevelById(CLASSIFICATION_LEVEL_ID))
+    		.thenReturn(CLASSIFICATION_LEVEL);
+    	
+    	ClassificationLevel classificationLevel = classificationServiceImpl.getCurrentClassification(nodeRef);
+    	
+    	assertEquals(CLASSIFICATION_LEVEL, classificationLevel);
+    	verify(mockNodeService).hasAspect(nodeRef, ClassifiedContentModel.ASPECT_CLASSIFIED);
+    	verify(mockNodeService).getProperty(nodeRef, ClassifiedContentModel.PROP_CURRENT_CLASSIFICATION);
+    	verify(mockLevelManager).findLevelById(CLASSIFICATION_LEVEL_ID);
+    	verifyNoMoreInteractions(mockNodeService, mockLevelManager);
+    }
 }

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/ClearanceLevelManagerUnitTest.java

@@ -36,11 +36,9 @@ public class ClearanceLevelManagerUnitTest
 {
     static final ClassificationLevel TOP_SECRET = new ClassificationLevel("TS", "Top Secret Classification");
     static final ClassificationLevel SECRET = new ClassificationLevel("S", "Secret Classification");
-    static final ClassificationLevel UNCLASSIFIED = new ClassificationLevel("U", "Unclassified Classification");
 
     static final ClearanceLevel TOP_SECRET_CLEARANCE = new ClearanceLevel(TOP_SECRET , "Top Secret Clearance");
     static final ClearanceLevel SECRET_CLEARANCE = new ClearanceLevel(SECRET, "Secret Clearance");
-    static final ClearanceLevel NO_CLEARANCE = new ClearanceLevel(UNCLASSIFIED, "No Clearance");
 
     /** The class under test. */
     ClearanceLevelManager clearanceLevelManager;
@@ -49,7 +47,7 @@ public class ClearanceLevelManagerUnitTest
     @Before
     public void setup()
     {
-        List<ClearanceLevel> clearanceLevels = ImmutableList.of(TOP_SECRET_CLEARANCE, SECRET_CLEARANCE, NO_CLEARANCE);
+        List<ClearanceLevel> clearanceLevels = ImmutableList.of(TOP_SECRET_CLEARANCE, SECRET_CLEARANCE);
         clearanceLevelManager = new ClearanceLevelManager(clearanceLevels);
     }
 
@@ -58,7 +56,6 @@ public class ClearanceLevelManagerUnitTest
     public void findLevelByClassificationLevelId_found()
     {
         ClearanceLevel actual = clearanceLevelManager.findLevelByClassificationLevelId("S");
-
         assertEquals(SECRET_CLEARANCE, actual);
     }
 
@@ -68,4 +65,16 @@ public class ClearanceLevelManagerUnitTest
     {
         clearanceLevelManager.findLevelByClassificationLevelId("UNKNOWN ID");
     }
+    
+    /**
+     * Given that I have created a clearance level manager from a list of clearance levels
+     * Then the no clearance level is available
+     */
+    @Test public void noClearanceLevel()
+    {
+    	assertEquals(3, clearanceLevelManager.getClearanceLevels().size());
+    	ClearanceLevel noClearance = clearanceLevelManager.findLevelByClassificationLevelId(ClassificationLevelManager.UNCLASSIFIED_ID);
+    	assertEquals(ClearanceLevelManager.NO_CLEARANCE, noClearance);
+    	assertEquals(ClassificationLevelManager.UNCLASSIFIED, noClearance.getHighestClassificationLevel());
+    }
 }

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceServiceImplUnitTest.java

@@ -20,11 +20,12 @@ package org.alfresco.module.org_alfresco_module_rm.classification;
 
 import static org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel.ASPECT_SECURITY_CLEARANCE;
 import static org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel.PROP_CLEARANCE_LEVEL;
-import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.*;
 import static org.mockito.Matchers.anyBoolean;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
+import static org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock.*;
 
 import java.util.Arrays;
 import java.util.List;
@@ -91,14 +92,15 @@ public class SecurityClearanceServiceImplUnitTest
         final PersonInfo user1 = createMockPerson("user1", "User", "One", null);
         MockAuthenticationUtilHelper.setup(mockedAuthenticationUtil, user1.getUserName());
         
-        ClassificationLevel defaultClassificationLevel = new ClassificationLevel("default", "default");
+        when(mockClassificationService.getUnclassifiedClassificationLevel())
-        when(mockClassificationService.getDefaultClassificationLevel()).thenReturn(defaultClassificationLevel);
+        	.thenReturn(ClassificationLevelManager.UNCLASSIFIED);
-        ClearanceLevel defaultClearanceLevel = new ClearanceLevel(defaultClassificationLevel, "defaultClearanceMessageKey");
+        when(mockClearanceLevelManager.findLevelByClassificationLevelId(ClassificationLevelManager.UNCLASSIFIED_ID))
-        when(mockClearanceLevelManager.findLevelByClassificationLevelId("default")).thenReturn(defaultClearanceLevel);
+        	.thenReturn(ClearanceLevelManager.NO_CLEARANCE);
 
         final SecurityClearance clearance = securityClearanceServiceImpl.getUserSecurityClearance();
         
-        assertEquals(defaultClearanceLevel, clearance.getClearanceLevel());
+        assertEquals(ClassificationLevelManager.UNCLASSIFIED, clearance.getClearanceLevel().getHighestClassificationLevel());
+
     }
 
     /** Check that a user can have their clearance set. */
@@ -158,8 +160,7 @@ public class SecurityClearanceServiceImplUnitTest
     {
         ClassificationLevel topSecret = new ClassificationLevel("1", "TopSecret");
         ClassificationLevel secret = new ClassificationLevel("2", "Secret");
-        ClassificationLevel unclassified = new ClassificationLevel("3", "Unclassified");
+        List<ClassificationLevel> classificationLevels = Arrays.asList(topSecret, secret, ClassificationLevelManager.UNCLASSIFIED);
-        List<ClassificationLevel> classificationLevels = Arrays.asList(topSecret, secret, unclassified);
         when(mockClassificationService.getClassificationLevels()).thenReturn(classificationLevels );
 
         // Call the method under test.
@@ -171,4 +172,163 @@ public class SecurityClearanceServiceImplUnitTest
         assertEquals("Secret", clearanceLevels.get(1).getDisplayLabel());
         assertEquals("rm.classification.noClearance", clearanceLevels.get(2).getDisplayLabel());
     }
+    
+    /**
+     * Given that the node is unclassified
+     * When I ask if the current user has clearance
+     * Then true
+     */
+    @Test public void clearedForUnclassifiedNode()
+    {
+    	NodeRef nodeRef = generateNodeRef(mockNodeService);
+    	when(mockClassificationService.getCurrentClassification(nodeRef))
+    		.thenReturn(ClassificationLevelManager.UNCLASSIFIED);
+    	
+    	assertTrue(securityClearanceServiceImpl.hasClearance(nodeRef));    	
+    }
+    
+    /**
+     * Given that the node is classified
+     * And the user has no security clearance
+     * When I ask if the current user has clearance
+     * Then false
+     */
+    @Test public void userWithNoClearanceIsntClearedOnClassifiedNode()
+    {
+    	// assign test classification to node
+    	String classificationLevelId = generateText();
+    	ClassificationLevel classificationLevel = new ClassificationLevel(classificationLevelId, generateText());
+    	NodeRef nodeRef = generateNodeRef(mockNodeService);    	
+    	when(mockClassificationService.getCurrentClassification(nodeRef))
+    		.thenReturn(classificationLevel);    	
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId(classificationLevelId))
+    		.thenReturn(new ClearanceLevel(classificationLevel, generateText()));
+    	
+    	// create user with no clearance
+    	final PersonInfo user1 = createMockPerson(generateText(), generateText(), generateText(), null);
+        MockAuthenticationUtilHelper.setup(mockedAuthenticationUtil, user1.getUserName());
+        when(mockClassificationService.getUnclassifiedClassificationLevel())
+    		.thenReturn(ClassificationLevelManager.UNCLASSIFIED);
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId(ClassificationLevelManager.UNCLASSIFIED_ID))
+    		.thenReturn(ClearanceLevelManager.NO_CLEARANCE);
+    	
+    	assertFalse(securityClearanceServiceImpl.hasClearance(nodeRef));      	
+    }
+    
+    /**
+     * Given that the node is classified
+     * And the user has clearance grater than the classification
+     * When I ask if the user has clearance
+     * Then true
+     */
+    @Test public void classifiedNodeUserClearanceGreater()
+    {
+    	// init classification levels
+    	ClassificationLevel topSecret = new ClassificationLevel("TopSecret", generateText());
+        ClassificationLevel secret = new ClassificationLevel("Secret", generateText());
+        ClassificationLevel confidential = new ClassificationLevel("Confidential", generateText());
+        List<ClassificationLevel> classificationLevels = Arrays.asList(topSecret, secret, confidential, ClassificationLevelManager.UNCLASSIFIED);
+        when(mockClassificationService.getClassificationLevels()).thenReturn(classificationLevels);
+
+        // init classification levels
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId("TopSecret"))
+    		.thenReturn(new ClearanceLevel(topSecret, generateText()));
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId("Secret"))
+    		.thenReturn(new ClearanceLevel(secret, generateText()));
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId("Confidential"))
+    		.thenReturn(new ClearanceLevel(confidential, generateText()));
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId(ClassificationLevelManager.UNCLASSIFIED_ID))
+			.thenReturn(ClearanceLevelManager.NO_CLEARANCE);
+    	when(mockClassificationService.getUnclassifiedClassificationLevel())
+			.thenReturn(ClassificationLevelManager.UNCLASSIFIED);
+    	
+    	// set nodes classification
+    	NodeRef nodeRef = generateNodeRef(mockNodeService);    	
+    	when(mockClassificationService.getCurrentClassification(nodeRef))
+    		.thenReturn(secret);    	
+    	
+    	// set users security clearance
+    	final PersonInfo user1 = createMockPerson(generateText(), generateText(), generateText(), "TopSecret");
+        MockAuthenticationUtilHelper.setup(mockedAuthenticationUtil, user1.getUserName());
+        
+        assertTrue(securityClearanceServiceImpl.hasClearance(nodeRef));    	
+    }
+    
+    /**
+     * Given that the node is classified
+     * And the user has clearance equal to the the classification
+     * When I ask if the user has clearance
+     * Then true
+     */
+    @Test public void classifiedNodeUserClearanceEqual()
+    {
+    	// init classification levels
+    	ClassificationLevel topSecret = new ClassificationLevel("TopSecret", generateText());
+        ClassificationLevel secret = new ClassificationLevel("Secret", generateText());
+        ClassificationLevel confidential = new ClassificationLevel("Confidential", generateText());
+        List<ClassificationLevel> classificationLevels = Arrays.asList(topSecret, secret, confidential, ClassificationLevelManager.UNCLASSIFIED);
+        when(mockClassificationService.getClassificationLevels()).thenReturn(classificationLevels);
+
+        // init classification levels
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId("TopSecret"))
+    		.thenReturn(new ClearanceLevel(topSecret, generateText()));
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId("Secret"))
+    		.thenReturn(new ClearanceLevel(secret, generateText()));
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId("Confidential"))
+    		.thenReturn(new ClearanceLevel(confidential, generateText()));
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId(ClassificationLevelManager.UNCLASSIFIED_ID))
+			.thenReturn(ClearanceLevelManager.NO_CLEARANCE);
+    	when(mockClassificationService.getUnclassifiedClassificationLevel())
+			.thenReturn(ClassificationLevelManager.UNCLASSIFIED);
+    	
+    	// set nodes classification
+    	NodeRef nodeRef = generateNodeRef(mockNodeService);    	
+    	when(mockClassificationService.getCurrentClassification(nodeRef))
+    		.thenReturn(secret);    	
+    	
+    	// set users security clearance
+    	final PersonInfo user1 = createMockPerson(generateText(), generateText(), generateText(), "Secret");
+        MockAuthenticationUtilHelper.setup(mockedAuthenticationUtil, user1.getUserName());
+        
+        assertTrue(securityClearanceServiceImpl.hasClearance(nodeRef));    	
+    }
+    
+    /**
+     * Given that the node is classified
+     * And the user has clearance less than the classification
+     * When I ask if the user has clearance
+     * Then true
+     */
+    @Test public void classifiedNodeUserClearanceLess()
+    {
+    	// init classification levels
+    	ClassificationLevel topSecret = new ClassificationLevel("TopSecret", generateText());
+        ClassificationLevel secret = new ClassificationLevel("Secret", generateText());
+        ClassificationLevel confidential = new ClassificationLevel("Confidential", generateText());
+        List<ClassificationLevel> classificationLevels = Arrays.asList(topSecret, secret, confidential, ClassificationLevelManager.UNCLASSIFIED);
+        when(mockClassificationService.getClassificationLevels()).thenReturn(classificationLevels);
+
+        // init classification levels
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId("TopSecret"))
+    		.thenReturn(new ClearanceLevel(topSecret, generateText()));
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId("Secret"))
+    		.thenReturn(new ClearanceLevel(secret, generateText()));
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId("Confidential"))
+    		.thenReturn(new ClearanceLevel(confidential, generateText()));
+    	when(mockClearanceLevelManager.findLevelByClassificationLevelId(ClassificationLevelManager.UNCLASSIFIED_ID))
+			.thenReturn(ClearanceLevelManager.NO_CLEARANCE);
+    	when(mockClassificationService.getUnclassifiedClassificationLevel())
+			.thenReturn(ClassificationLevelManager.UNCLASSIFIED);
+    	
+    	// set nodes classification
+    	NodeRef nodeRef = generateNodeRef(mockNodeService);    	
+    	when(mockClassificationService.getCurrentClassification(nodeRef))
+    		.thenReturn(secret);    	
+    	
+    	// set users security clearance
+    	final PersonInfo user1 = createMockPerson(generateText(), generateText(), generateText(), "Confidential");
+        MockAuthenticationUtilHelper.setup(mockedAuthenticationUtil, user1.getUserName());
+        
+        assertFalse(securityClearanceServiceImpl.hasClearance(nodeRef));    	
+    }
 }

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/forms/RecordsManagementTypeFormFilterUnitTest.java

@@ -18,6 +18,7 @@
  */
 package org.alfresco.module.org_alfresco_module_rm.forms;
 
+import static org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock.generateQName;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyListOf;
 import static org.mockito.Matchers.anyString;
@@ -56,7 +57,7 @@ import org.mockito.Spy;
  */
 public class RecordsManagementTypeFormFilterUnitTest extends BaseUnitTest
 {
-    private static final QName MY_CUSTOM_TYPE = generateQName();
+    private static final QName MY_CUSTOM_TYPE = generateQName(RM_URI);
     
     @Mock private Form mockForm;
     @Mock private TypeDefinition mockTypeDefinition;
@@ -163,7 +164,7 @@ public class RecordsManagementTypeFormFilterUnitTest extends BaseUnitTest
         Map<QName, PropertyDefinition> properties = new HashMap<QName, PropertyDefinition>(size);
         for (int i = 0; i < size; i++)
         {
-            QName name = generateQName();
+            QName name = generateQName(RM_URI);
             PropertyDefinition propDef = mock(PropertyDefinition.class);
             when(propDef.getName()).thenReturn(name);
             DataTypeDefinition mockDataTypeDefinition = mock(DataTypeDefinition.class);

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/hold/HoldServiceImplUnitTest.java

@@ -18,6 +18,7 @@
  */
 package org.alfresco.module.org_alfresco_module_rm.hold;
 
+import static org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock.generateQName;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/job/DispositionLifecycleJobExecuterUnitTest.java

@@ -18,16 +18,17 @@
  */
 package org.alfresco.module.org_alfresco_module_rm.job;
 
+import static org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock.generateQName;
 import static org.mockito.Matchers.any;
+import static org.mockito.Matchers.anyMap;
 import static org.mockito.Matchers.anyString;
+import static org.mockito.Matchers.contains;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
 import static org.mockito.Mockito.verifyZeroInteractions;
-import static org.mockito.Mockito.anyMap;
-import static org.mockito.Mockito.contains;
 
 import java.util.Collections;
 import java.util.List;

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/jscript/app/evaluator/TransferEvaluatorUnitTest.java

@@ -18,6 +18,7 @@
  */
 package org.alfresco.module.org_alfresco_module_rm.jscript.app.evaluator;
 
+import static org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock.generateQName;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.doReturn;

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/record/RecordServiceImplUnitTest.java

@@ -18,6 +18,8 @@
  */
 package org.alfresco.module.org_alfresco_module_rm.record;
 
+import static org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock.generateQName;
+import static org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock.generateText;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/test/util/AlfMock.java

@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2005-2014 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.module.org_alfresco_module_rm.test.util;
+
+import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.when;
+
+import java.util.UUID;
+
+import org.alfresco.model.ContentModel;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.repository.NodeService;
+import org.alfresco.service.cmr.repository.StoreRef;
+import org.alfresco.service.namespace.QName;
+import org.alfresco.util.GUID;
+
+/**
+ * Utilities helpful when mocking Alfresco constructs.
+ * 
+ * @author Roy Wetherall
+ * @since 3.0
+ */
+public class AlfMock 
+{
+	/**
+     * Helper to generate random text value suitable for a property
+     * value or node name
+     */
+    public static String generateText()
+    {
+        return UUID.randomUUID().toString();
+    }
+
+    /**
+     * Helper method to generate a qname.
+     */
+    public static QName generateQName()
+    {
+        return generateQName(GUID.generate());
+    }
+    
+    /**
+     * Helper method to generate a qname.
+     */
+    public static QName generateQName(String uri)
+    {
+        return QName.createQName(uri, GUID.generate());
+    }
+	
+	/**
+     * Helper method to generate a node reference.
+     *
+     * @return  {@link NodeRef} node reference that behaves like a node that exists in the spaces store
+     */
+    public static NodeRef generateNodeRef(NodeService mockedNodeService)
+    {
+        return generateNodeRef(mockedNodeService, null);
+    }
+
+    /**
+     * Helper method to generate a node reference of a particular type.
+     *
+     * @param type  content type qualified name
+     * @return {@link NodeRef}  node reference that behaves like a node that exists in the spaces store with
+     *                          the content type provided
+     */
+    public static NodeRef generateNodeRef(NodeService mockedNodeService, QName type)
+    {
+        return generateNodeRef(mockedNodeService, type, true);
+    }
+
+    /**
+     * Helper method to generate a cm:content node reference with a given name.
+     *
+     * @param name      content name
+     * @return NodeRef  node reference
+     */
+    public static NodeRef generateCmContent(NodeService mockedNodeService, String name)
+    {
+        NodeRef nodeRef = generateNodeRef(mockedNodeService, ContentModel.TYPE_CONTENT, true);
+        doReturn(name).when(mockedNodeService).getProperty(nodeRef, ContentModel.PROP_NAME);
+        return nodeRef;
+    }
+
+    /**
+     * Helper method to generate a node reference of a particular type with a given existence characteristic.
+     *
+     * @param type  content type qualified name
+     * @param exists indicates whether this node should behave like a node that exists or not
+     * @return {@link NodeRef}  node reference that behaves like a node that exists (or not) in the spaces store with
+     *                          the content type provided
+     */
+    public static NodeRef generateNodeRef(NodeService mockedNodeService, QName type, boolean exists)
+    {
+        NodeRef nodeRef = new NodeRef(StoreRef.STORE_REF_WORKSPACE_SPACESSTORE, GUID.generate());
+        when(mockedNodeService.exists(eq(nodeRef))).thenReturn(exists);
+        if (type != null)
+        {
+            when(mockedNodeService.getType(eq(nodeRef))).thenReturn(type);
+        }
+        return nodeRef;
+    }
+
+}

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/test/util/BaseUnitTest.java

@@ -18,6 +18,7 @@
  */
 package org.alfresco.module.org_alfresco_module_rm.test.util;
 
+import static org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock.generateQName;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.doAnswer;
@@ -28,7 +29,6 @@ import static org.mockito.Mockito.when;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
-import java.util.UUID;
 
 import org.alfresco.model.ContentModel;
 import org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementActionService;
@@ -189,32 +189,13 @@ public class BaseUnitTest implements RecordsManagementModel, ContentModel
 
         // set record as child of record folder
         List<ChildAssociationRef> result = new ArrayList<ChildAssociationRef>(1);
-        result.add(new ChildAssociationRef(ContentModel.ASSOC_CONTAINS, recordFolder, generateQName(), record, true, 1));
+        result.add(new ChildAssociationRef(ContentModel.ASSOC_CONTAINS, recordFolder, generateQName(RM_URI), record, true, 1));
         doReturn(result).when(mockedNodeService).getChildAssocs(eq(recordFolder), eq(ContentModel.ASSOC_CONTAINS), any(QNamePattern.class));
         doReturn(result).when(mockedNodeService).getParentAssocs(record);
         doReturn(Collections.singletonList(recordFolder)).when(mockedRecordFolderService).getRecordFolders(record);
         doReturn(Collections.singletonList(record)).when(mockedRecordService).getRecords(recordFolder);
     }
 
-    /**
-     * Helper to generate random text value suitable for a property
-     * value or node name
-     */
-    protected String generateText()
-    {
-        return UUID.randomUUID().toString();
-    }
-
-    /**
-     * Helper method to generate a qname.
-     *
-     * @return  QName   qualified name
-     */
-    protected static QName generateQName()
-    {
-        return QName.createQName(RM_URI, GUID.generate());
-    }
-
     /**
      * Helper method to generate hold reference
      *