diff --git a/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java b/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java
index d01bcd17ed..490ea9d16d 100644
--- a/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java
+++ b/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java
@@ -1,30 +1,33 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2021 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
package org.alfresco.repo.security.permissions.impl.acegi;
+import static org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterUtils.getNodeRef;
+import static org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterUtils.shouldAbstainOrDeny;
+
import java.io.Serializable;
import java.lang.reflect.Method;
import java.util.ArrayList;
@@ -46,8 +49,6 @@ import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
-import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.OwnableService;
@@ -59,6 +60,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
+
/**
* @author andyh
*/
@@ -395,61 +397,53 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean
{
throw new ACLEntryVoterException("The specified parameter is not a NodeRef or ChildAssociationRef");
}
- else if (StoreRef.class.isAssignableFrom(params[cad.parameter[0]]))
+
+ if (List.class.isAssignableFrom(params[cad.parameter[0]]))
{
- StoreRef storeRef = getArgument(invocation, cad.parameter[0]);
- if (storeRef != null)
+ List listArgument = getArgument(invocation, cad.parameter[0]);
+ if (listArgument != null)
{
- if (log.isDebugEnabled())
+ NodeRef listNodeRef;
+ Integer accessAbstainOrDeny = null;
+ for (Object listElement : listArgument)
{
- log.debug("\tPermission test against the store - using permissions on the root node");
- }
- if (nodeService.exists(storeRef))
- {
- testNodeRef = nodeService.getRootNode(storeRef);
- }
- }
- }
- else if (NodeRef.class.isAssignableFrom(params[cad.parameter[0]]))
- {
- testNodeRef = getArgument(invocation, cad.parameter[0]);
- if (log.isDebugEnabled())
- {
- if (testNodeRef != null)
- {
- if (nodeService.exists(testNodeRef))
+ listNodeRef = getNodeRef(listElement, nodeService);
+ Integer currentValue = shouldAbstainOrDeny(cad.required, listNodeRef, abstainForClassQNames, nodeService, permissionService);
+
+ if (currentValue != null)
{
- log.debug("\tPermission test on node " + nodeService.getPath(testNodeRef));
+ if (currentValue == AccessDecisionVoter.ACCESS_DENIED)
+ {
+ return AccessDecisionVoter.ACCESS_DENIED;
+ }
+ else
+ {
+ accessAbstainOrDeny = currentValue;
+ }
}
- else
- {
- log.debug("\tPermission test on non-existing node " +testNodeRef);
- }
+
}
- }
- }
- else if (ChildAssociationRef.class.isAssignableFrom(params[cad.parameter[0]]))
- {
- ChildAssociationRef testChildRef = getArgument(invocation, cad.parameter[0]);
- if (testChildRef != null)
- {
- testNodeRef = testChildRef.getChildRef();
- if (log.isDebugEnabled())
+
+ if (accessAbstainOrDeny != null)
{
- if (nodeService.exists(testNodeRef))
- {
- log.debug("\tPermission test on node " + nodeService.getPath(testNodeRef));
- }
- else
- {
- log.debug("\tPermission test on non-existing node " + testNodeRef);
- }
+ return accessAbstainOrDeny;
}
+ if((hasMethodEntry == null) || (hasMethodEntry.booleanValue()))
+ {
+ return AccessDecisionVoter.ACCESS_GRANTED;
+ }
+ else
+ {
+ return AccessDecisionVoter.ACCESS_DENIED;
+ }
+
}
}
else
{
- throw new ACLEntryVoterException("The specified parameter is not a NodeRef or ChildAssociationRef");
+ Object testObject = getArgument(invocation, cad.parameter[0]);
+ //If the execution reaches here, then testNodeRef is always null
+ testNodeRef = getNodeRef(testObject, nodeService);
}
}
else if (cad.typeString.equals(ACL_ITEM))
@@ -584,44 +578,10 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean
}
}
- if (testNodeRef != null)
+ Integer accessAbstainOrDeny = shouldAbstainOrDeny(cad.required, testNodeRef, abstainForClassQNames, nodeService, permissionService);
+ if (accessAbstainOrDeny != null)
{
- // now we know the node - we can abstain for certain types and aspects (eg. RM)
- if(abstainForClassQNames.size() > 0)
- {
- // check node exists
- if (nodeService.exists(testNodeRef))
- {
- QName typeQName = nodeService.getType(testNodeRef);
- if(abstainForClassQNames.contains(typeQName))
- {
- return AccessDecisionVoter.ACCESS_ABSTAIN;
- }
-
- Set aspectQNames = nodeService.getAspects(testNodeRef);
- for(QName abstain : abstainForClassQNames)
- {
- if(aspectQNames.contains(abstain))
- {
- return AccessDecisionVoter.ACCESS_ABSTAIN;
- }
- }
- }
- }
-
- if (log.isDebugEnabled())
- {
- log.debug("\t\tNode ref is not null");
- }
- if (permissionService.hasPermission(testNodeRef, cad.required.toString()) == AccessStatus.DENIED)
- {
- if (log.isDebugEnabled())
- {
- log.debug("\t\tPermission is denied");
- Thread.dumpStack();
- }
- return AccessDecisionVoter.ACCESS_DENIED;
- }
+ return accessAbstainOrDeny;
}
}
diff --git a/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtils.java b/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtils.java
new file mode 100644
index 0000000000..74dd48ed05
--- /dev/null
+++ b/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtils.java
@@ -0,0 +1,175 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2021 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+package org.alfresco.repo.security.permissions.impl.acegi;
+
+import java.util.Set;
+
+import net.sf.acegisecurity.vote.AccessDecisionVoter;
+import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
+import org.alfresco.service.cmr.repository.ChildAssociationRef;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.repository.NodeService;
+import org.alfresco.service.cmr.repository.StoreRef;
+import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.PermissionService;
+import org.alfresco.service.namespace.QName;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+/**
+ * Utility methods extracted from AclEntryVoter
+ *
+ * @author Lev Belava
+ */
+final class ACLEntryVoterUtils
+{
+ private static final Logger LOG = LoggerFactory.getLogger(ACLEntryVoterUtils.class);
+
+ private ACLEntryVoterUtils()
+ {
+ }
+
+
+ /**
+ * Gets NodeRef for testObject based on inferred type
+ *
+ * @param testObject Tested object to work on
+ * @param nodeService Node service to perform checks on refs
+ * @return NodeRef for testObject or null if (testObject is null or StoreRef from testObject does not exist in the provided NodeService)
+ * @throws ACLEntryVoterException if testObject is not null and not one of a NodeRef or ChildAssociationRef types
+ */
+ static NodeRef getNodeRef(Object testObject, NodeService nodeService)
+ {
+ if (testObject == null)
+ {
+ return null;
+ }
+
+ if (StoreRef.class.isAssignableFrom(testObject.getClass()))
+ {
+ LOG.debug("Permission test against the store - using permissions on the root node");
+ StoreRef storeRef = (StoreRef) testObject;
+ if (nodeService.exists(storeRef))
+ {
+ return nodeService.getRootNode(storeRef);
+ }
+ else
+ {
+ LOG.debug("StoreRef does not exist");
+ return null;
+ }
+ }
+
+ if (NodeRef.class.isAssignableFrom(testObject.getClass()))
+ {
+ NodeRef result = (NodeRef) testObject;
+ if (LOG.isDebugEnabled())
+ {
+ if (nodeService.exists(result))
+ {
+ LOG.debug("Permission test on node {}", nodeService.getPath(result));
+ }
+ else
+ {
+ LOG.debug("Permission test on non-existing node {}", result);
+ }
+ }
+ return result;
+ }
+
+ if (ChildAssociationRef.class.isAssignableFrom(testObject.getClass()))
+ {
+ ChildAssociationRef testChildRef = (ChildAssociationRef) testObject;
+ NodeRef result = testChildRef.getChildRef();
+ if (LOG.isDebugEnabled())
+ {
+ if (nodeService.exists(result))
+ {
+ LOG.debug("Permission test on node {}", nodeService.getPath(result));
+ }
+ else
+ {
+ LOG.debug("Permission test on non-existing node {}", result);
+ }
+ }
+ return result;
+ }
+
+ throw new ACLEntryVoterException("The specified parameter is not a NodeRef or ChildAssociationRef");
+ }
+
+
+ /**
+ * Checks if tested NodeRef instance is abstained or denied based on set of QNames to abstain and
+ *
+ * @param requiredPermissionReference Required permissions
+ * @param testNodeRef NodeRef to be verified
+ * @param abstainForClassQNames Set of QNames to abstain
+ * @param nodeService Node service to perform checks on tested NodeRef
+ * @param permissionService Permission service to check for required permissions
+ * @return null if testNodeRef is not abstained or denied, otherwise returns appropriate status.
+ */
+ static Integer shouldAbstainOrDeny(SimplePermissionReference requiredPermissionReference, NodeRef testNodeRef, Set abstainForClassQNames,
+ NodeService nodeService, PermissionService permissionService)
+ {
+ if (testNodeRef == null)
+ {
+ return null;
+ }
+
+ LOG.debug("Node ref is not null");
+
+ if (abstainForClassQNames.size() > 0 && nodeService.exists(testNodeRef))
+ {
+ if (abstainForClassQNames.contains(nodeService.getType(testNodeRef)))
+ {
+ return AccessDecisionVoter.ACCESS_ABSTAIN;
+ }
+ Set testNodeRefAspects = nodeService.getAspects(testNodeRef);
+ for (QName abstain : abstainForClassQNames)
+ {
+ if (testNodeRefAspects.contains(abstain))
+ {
+ return AccessDecisionVoter.ACCESS_ABSTAIN;
+ }
+ }
+ }
+
+ if (AccessStatus.DENIED == permissionService.hasPermission(testNodeRef, requiredPermissionReference.toString()))
+ {
+ if (LOG.isDebugEnabled())
+ {
+ LOG.debug("Permission is denied");
+ Thread.dumpStack();
+ }
+ return AccessDecisionVoter.ACCESS_DENIED;
+ }
+
+ return null;
+ }
+
+}
diff --git a/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java b/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java
index c403da3452..365ab1741b 100644
--- a/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java
+++ b/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java
@@ -209,6 +209,7 @@ import org.junit.runners.Suite;
org.alfresco.repo.security.authentication.AuthorizationTest.class,
org.alfresco.repo.security.permissions.PermissionCheckedCollectionTest.class,
org.alfresco.repo.security.permissions.impl.acegi.FilteringResultSetTest.class,
+ org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterUtilsTest.class,
org.alfresco.repo.security.authentication.ChainingAuthenticationServiceTest.class,
org.alfresco.repo.security.authentication.NameBasedUserNameGeneratorTest.class,
org.alfresco.repo.version.common.VersionImplTest.class,
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
index 955c28b8cf..03aee7a704 100644
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
@@ -2,7 +2,7 @@
* #%L
* Alfresco Repository
* %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2021 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
@@ -96,6 +96,8 @@ public abstract class AbstractPermissionTest extends TestCase
protected NodeRef systemNodeRef;
+ protected NodeRef abstainedNode;
+
protected AuthenticationComponent authenticationComponent;
protected ModelDAO permissionModelDAO;
@@ -186,6 +188,8 @@ public abstract class AbstractPermissionTest extends TestCase
props = createPersonProperties(USER2_LEMUR);
nodeService.createNode(typesNodeRef, children, ContentModel.TYPE_PERSON, container, props).getChildRef();
+ abstainedNode= nodeService.createNode(rootNodeRef, ContentModel.ASSOC_FAILED_THUMBNAIL, system, ContentModel.TYPE_FAILED_THUMBNAIL).getChildRef();
+
// create an authentication object e.g. the user
if(authenticationDAO.userExists(USER1_ANDY))
{
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterTest.java
index 2802edd490..e2377654c0 100644
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterTest.java
@@ -1,33 +1,38 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2021 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
package org.alfresco.repo.security.permissions.impl.acegi;
+import static java.util.Collections.singletonList;
+
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.Collections;
import java.util.HashSet;
+import java.util.List;
import java.util.Set;
import net.sf.acegisecurity.ConfigAttribute;
@@ -53,6 +58,13 @@ import org.springframework.aop.target.SingletonTargetSource;
@Category(OwnJVMTestsCategory.class)
public class ACLEntryVoterTest extends AbstractPermissionTest
{
+ private static final String ANDY = "andy";
+ private static final String ACL_NODE_0_SYS_BASE_READ = "ACL_NODE.0.sys:base.Read";
+ private static final String TEST_LIST_OF_NODE_REFS = "testListOfNodeRefs";
+ private static final String ABSTAIN = "ABSTAIN";
+ private static final String DENIED = "Access denied";
+ private static final String SHOULD_FAIL_DENIED = "Should fail because node is DENIED";
+ private static final String SHOULD_FAIL_ABSTAINED = "Should fail because node is ABSTAINED";
public ACLEntryVoterTest()
{
@@ -61,38 +73,31 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
public void testBasicDenyNode() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneNodeRef", new Class[] { NodeRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
try
{
method.invoke(proxy, new Object[] { rootNodeRef });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
try
{
method.invoke(proxy, new Object[] { systemNodeRef });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
// Check we are allowed access to deleted nodes ..
@@ -105,47 +110,33 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
public void testBasicDenyStore() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneStoreRef", new Class[] { StoreRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
try
{
method.invoke(proxy, new Object[] { rootNodeRef.getStoreRef() });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
}
public void testAllowNullNode() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneNodeRef", new Class[] { NodeRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
method.invoke(proxy, new Object[] { null });
@@ -153,19 +144,12 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
public void testAllowNullStore() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneStoreRef", new Class[] { StoreRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
method.invoke(proxy, new Object[] { null });
@@ -173,19 +157,12 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
public void testAllowNullParentOnRealChildAssoc() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_PARENT.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, "ACL_PARENT.0.sys:base.Read");
method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(rootNodeRef) });
@@ -193,19 +170,12 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
public void testAllowNullParent() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_PARENT.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, "ACL_PARENT.0.sys:base.Read");
method.invoke(proxy, new Object[] { null });
@@ -213,19 +183,12 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
public void testAllowNullChild() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
method.invoke(proxy, new Object[] { null });
@@ -233,218 +196,155 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
public void testBasicDenyChildAssocNode() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
try
{
method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(rootNodeRef) });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
}
public void testBasicDenyParentAssocNode() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_PARENT.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, "ACL_PARENT.0.sys:base.Read");
try
{
method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(systemNodeRef) });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
}
public void testBasicAllowNode() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneNodeRef", new Class[] { NodeRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
method.invoke(proxy, new Object[] { rootNodeRef });
}
public void testBasicAllow() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneNodeRef", new Class[] { NodeRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_ALLOW")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, "ACL_ALLOW");
method.invoke(proxy, new Object[] { rootNodeRef });
}
public void testBasicAllowStore() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneStoreRef", new Class[] { StoreRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
method.invoke(proxy, new Object[] { rootNodeRef.getStoreRef() });
}
public void testBasicAllowChildAssocNode() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(rootNodeRef) });
}
public void testBasicAllowParentAssocNode() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_PARENT.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, "ACL_PARENT.0.sys:base.Read");
method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(systemNodeRef) });
}
public void testDenyParentAssocNode() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
permissionService.setPermission(new SimplePermissionEntry(systemNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_PARENT.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, "ACL_PARENT.0.sys:base.Read");
try
{
method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(systemNodeRef) });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
}
public void testAllowChildAssocNode() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
permissionService.setPermission(new SimplePermissionEntry(systemNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef,
- getPermission(PermissionService.READ_CHILDREN), "andy", AccessStatus.ALLOWED));
+ getPermission(PermissionService.READ_CHILDREN), ANDY, AccessStatus.ALLOWED));
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read")));
-
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
-
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(systemNodeRef) });
@@ -452,135 +352,115 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
public void testMultiNodeMethodsArg0() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testManyNodeRef",
new Class[] { NodeRef.class, NodeRef.class, NodeRef.class, NodeRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read")));
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
method.invoke(proxy, new Object[] { null, null, null, null });
try
{
method.invoke(proxy, new Object[] { rootNodeRef, null, null, null });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
method.invoke(proxy, new Object[] { rootNodeRef, null, null, null });
}
public void testMultiNodeMethodsArg1() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testManyNodeRef",
new Class[] { NodeRef.class, NodeRef.class, NodeRef.class, NodeRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.1.sys:base.Read")));
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, "ACL_NODE.1.sys:base.Read");
method.invoke(proxy, new Object[] { null, null, null, null });
try
{
method.invoke(proxy, new Object[] { null, rootNodeRef, null, null });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
method.invoke(proxy, new Object[] { null, rootNodeRef, null, null });
}
public void testMultiNodeMethodsArg2() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testManyNodeRef",
new Class[] { NodeRef.class, NodeRef.class, NodeRef.class, NodeRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.2.sys:base.Read")));
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, "ACL_NODE.2.sys:base.Read");
method.invoke(proxy, new Object[] { null, null, null, null });
try
{
method.invoke(proxy, new Object[] { null, null, rootNodeRef, null });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
method.invoke(proxy, new Object[] { null, null, rootNodeRef, null });
}
public void testMultiNodeMethodsArg3() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testManyNodeRef",
new Class[] { NodeRef.class, NodeRef.class, NodeRef.class, NodeRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.3.sys:base.Read")));
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, "ACL_NODE.3.sys:base.Read");
method.invoke(proxy, new Object[] { null, null, null, null });
try
{
method.invoke(proxy, new Object[] { null, null, null, rootNodeRef });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
method.invoke(proxy, new Object[] { null, null, null, rootNodeRef });
}
public void testMultiChildAssocRefMethodsArg0() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod(
@@ -588,33 +468,28 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
new Class[] { ChildAssociationRef.class, ChildAssociationRef.class, ChildAssociationRef.class,
ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read")));
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
method.invoke(proxy, new Object[] { null, null, null, null });
try
{
method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(rootNodeRef), null, null, null });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(rootNodeRef), null, null, null });
}
public void testMultiChildAssocRefMethodsArg1() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod(
@@ -622,33 +497,28 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
new Class[] { ChildAssociationRef.class, ChildAssociationRef.class, ChildAssociationRef.class,
ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.1.sys:base.Read")));
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, "ACL_NODE.1.sys:base.Read");
method.invoke(proxy, new Object[] { null, null, null, null });
try
{
method.invoke(proxy, new Object[] { null, nodeService.getPrimaryParent(rootNodeRef), null, null });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
method.invoke(proxy, new Object[] { null, nodeService.getPrimaryParent(rootNodeRef), null, null });
}
public void testMultiChildAssocRefMethodsArg2() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod(
@@ -656,33 +526,28 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
new Class[] { ChildAssociationRef.class, ChildAssociationRef.class, ChildAssociationRef.class,
ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.2.sys:base.Read")));
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, "ACL_NODE.2.sys:base.Read");
method.invoke(proxy, new Object[] { null, null, null, null });
try
{
method.invoke(proxy, new Object[] { null, null, nodeService.getPrimaryParent(rootNodeRef), null });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
method.invoke(proxy, new Object[] { null, null, nodeService.getPrimaryParent(rootNodeRef), null });
}
public void testMultiChildAssocRefMethodsArg3() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod(
@@ -690,33 +555,28 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
new Class[] { ChildAssociationRef.class, ChildAssociationRef.class, ChildAssociationRef.class,
ChildAssociationRef.class });
- AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
-
- ProxyFactory proxyFactory = new ProxyFactory();
- proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.3.sys:base.Read")));
- proxyFactory.setTargetSource(new SingletonTargetSource(o));
- Object proxy = proxyFactory.getProxy();
+ Object proxy = getProxy(o, "ACL_NODE.3.sys:base.Read");
method.invoke(proxy, new Object[] { null, null, null, null });
try
{
method.invoke(proxy, new Object[] { null, null, null, nodeService.getPrimaryParent(rootNodeRef) });
- assertNotNull(null);
+ fail(SHOULD_FAIL_DENIED);
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
- "andy", AccessStatus.ALLOWED));
+ ANDY, AccessStatus.ALLOWED));
method.invoke(proxy, new Object[] { null, null, null, nodeService.getPrimaryParent(rootNodeRef) });
}
public void testMethodACL() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testMethod", new Class[] {});
@@ -733,7 +593,7 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
public void testMethodACL2() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testMethod", new Class[] {});
@@ -751,7 +611,7 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
public void testMethodACL3() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testMethod", new Class[] {});
@@ -770,7 +630,7 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
public void testMethodACL4() throws Exception
{
- runAs("andy");
+ runAs(ANDY);
Object o = new ClassWithMethods();
Method method = o.getClass().getMethod("testMethod", new Class[] {});
@@ -788,10 +648,190 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
}
catch (InvocationTargetException e)
{
-
+ verifyAccessDenied(e);
}
}
+ public void testBasicAllowNodeCollection() throws Exception
+ {
+ runAs(ANDY);
+ permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED));
+
+ Object o = new ClassWithMethods();
+ Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class);
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
+
+ method.invoke(proxy, singletonList(rootNodeRef));
+ }
+
+ public void testBasicDenyNodeCollection() throws Exception
+ {
+ runAs(ANDY);
+
+ Object o = new ClassWithMethods();
+ Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class);
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
+
+ try
+ {
+ method.invoke(proxy, singletonList(rootNodeRef));
+ fail(SHOULD_FAIL_DENIED);
+ } catch (InvocationTargetException e)
+ {
+ verifyAccessDenied(e);
+ }
+ }
+
+ public void testAllowNullCollection() throws Exception
+ {
+ runAs(ANDY);
+
+ Object o = new ClassWithMethods();
+ Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class);
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
+
+ method.invoke(proxy, singletonList(null));
+ }
+
+ public void testAllowNodeCollection() throws Exception
+ {
+ runAs(ANDY);
+ permissionService.setPermission(new SimplePermissionEntry(systemNodeRef, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED));
+
+ Object o = new ClassWithMethods();
+ Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class);
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
+
+ method.invoke(proxy, Arrays.asList(systemNodeRef, systemNodeRef, systemNodeRef));
+ }
+
+ public void testDenyNodeCollectionWhenOneElementShouldBeDenied() throws Exception
+ {
+ runAs(ANDY);
+ permissionService.setPermission(new SimplePermissionEntry(systemNodeRef, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED));
+
+ Object o = new ClassWithMethods();
+ Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class);
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
+
+ try
+ {
+ method.invoke(proxy, Arrays.asList(systemNodeRef, rootNodeRef, systemNodeRef));
+ fail(SHOULD_FAIL_DENIED);
+ } catch (InvocationTargetException e)
+ {
+ verifyAccessDenied(e);
+ }
+ }
+
+ public void testSimpleAbstain() throws Exception
+ {
+ runAs(ANDY);
+ permissionService.setPermission(new SimplePermissionEntry(abstainedNode, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED));
+
+ Object o = new ClassWithMethods();
+ Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class);
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
+
+ try
+ {
+ method.invoke(proxy, Collections.singletonList(abstainedNode));
+ fail(SHOULD_FAIL_ABSTAINED);
+ } catch (InvocationTargetException e)
+ {
+ verifyAccessAbstain(e);
+ }
+ }
+
+ public void testAbstainHasAPriorityOverDeny() throws Exception
+ {
+ runAs(ANDY);
+ permissionService.setPermission(new SimplePermissionEntry(abstainedNode, getPermission(PermissionService.READ), ANDY, AccessStatus.DENIED));
+
+ Object o = new ClassWithMethods();
+ Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class);
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
+
+ try
+ {
+ method.invoke(proxy, Collections.singletonList(abstainedNode));
+ fail(SHOULD_FAIL_ABSTAINED);
+ } catch (InvocationTargetException e)
+ {
+ verifyAccessAbstain(e);
+ }
+ }
+
+ public void testSimpleAbstainList() throws Exception
+ {
+ runAs(ANDY);
+ permissionService.setPermission(new SimplePermissionEntry(abstainedNode, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED));
+
+ Object o = new ClassWithMethods();
+ Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class);
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
+
+ try
+ {
+ method.invoke(proxy, Collections.singletonList(abstainedNode));
+ fail(SHOULD_FAIL_ABSTAINED);
+ } catch (InvocationTargetException e)
+ {
+ verifyAccessAbstain(e);
+ }
+ }
+
+ public void testAbstainNodeCollectionWhenOneElementShouldBeAbstained() throws Exception
+ {
+ runAs(ANDY);
+ permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED));
+ permissionService.setPermission(new SimplePermissionEntry(abstainedNode, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED));
+
+ Object o = new ClassWithMethods();
+ Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class);
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
+
+ try
+ {
+ method.invoke(proxy, Arrays.asList(rootNodeRef, abstainedNode, rootNodeRef));
+ fail(SHOULD_FAIL_ABSTAINED);
+ } catch (InvocationTargetException e)
+ {
+ verifyAccessAbstain(e);
+ }
+ }
+
+ public void testDenyNodeCollectionWhenOneElementShouldBeDeniedAndThereAreAlsoAbstained() throws Exception
+ {
+ runAs(ANDY);
+ permissionService.setPermission(new SimplePermissionEntry(abstainedNode, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED));
+
+ Object o = new ClassWithMethods();
+ Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class);
+ Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ);
+
+ try
+ {
+ method.invoke(proxy, Arrays.asList(abstainedNode, systemNodeRef, abstainedNode));
+ fail(SHOULD_FAIL_DENIED);
+ } catch (InvocationTargetException e)
+ {
+ verifyAccessDenied(e);
+ }
+ }
+
+
+ private void verifyAccessAbstain(InvocationTargetException e)
+ {
+ assertEquals(ABSTAIN, e.getCause().getMessage());
+ }
+
+ private void verifyAccessDenied(InvocationTargetException e)
+ {
+ String causeMessage = e.getCause().getMessage();
+ assertEquals(DENIED, causeMessage.substring(causeMessage.length() - 13));
+ }
+
public static class ClassWithMethods
{
public void testMethod()
@@ -824,6 +864,11 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
{
}
+
+ public void testListOfNodeRefs(List listOfNodeRefs)
+ {
+ }
+
}
public class Interceptor implements MethodInterceptor
@@ -888,22 +933,33 @@ public class ACLEntryVoterTest extends AbstractPermissionTest
voter.setNodeService(nodeService);
voter.setAuthenticationService(authenticationService);
voter.setAuthorityService(authorityService);
-
- // TODO: add explicit abstain tests (for now, configure dummy "abstainFor" to test deleted nodes - see ALF-898)
- Set abstainFor = new HashSet(1);
+
+ Set abstainFor = new HashSet<>(2);
abstainFor.add("{http://www.alfresco.org/model/content/1.0}emailed");
+ abstainFor.add("{http://www.alfresco.org/model/content/1.0}failedThumbnail");
voter.setAbstainFor(abstainFor);
voter.afterPropertiesSet();
- if (!(voter.vote(null, invocation, cad) == AccessDecisionVoter.ACCESS_DENIED))
+ int voteResult = voter.vote(null, invocation, cad);
+ if (voteResult == AccessDecisionVoter.ACCESS_DENIED)
{
- return invocation.proceed();
+ throw new ACLEntryVoterException(DENIED);
}
- else
+ if (voteResult == AccessDecisionVoter.ACCESS_ABSTAIN)
{
- throw new ACLEntryVoterException("Access denied");
+ throw new RuntimeException(ABSTAIN);
}
-
+ return invocation.proceed();
}
}
+
+ private Object getProxy(Object o, String s)
+ {
+ AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance();
+ ProxyFactory proxyFactory = new ProxyFactory();
+ proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor(s)));
+ proxyFactory.setTargetSource(new SingletonTargetSource(o));
+ return proxyFactory.getProxy();
+ }
+
}
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtilsTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtilsTest.java
new file mode 100644
index 0000000000..56ce194018
--- /dev/null
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtilsTest.java
@@ -0,0 +1,181 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2021 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+package org.alfresco.repo.security.permissions.impl.acegi;
+
+import static org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterUtils.getNodeRef;
+import static org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterUtils.shouldAbstainOrDeny;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.nullValue;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.ArgumentMatchers.nullable;
+import static org.mockito.Mockito.when;
+
+import java.util.Collections;
+import java.util.Set;
+
+import net.sf.acegisecurity.vote.AccessDecisionVoter;
+import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
+import org.alfresco.service.cmr.repository.ChildAssociationRef;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.repository.NodeService;
+import org.alfresco.service.cmr.repository.StoreRef;
+import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.PermissionService;
+import org.alfresco.service.namespace.QName;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+
+@RunWith(MockitoJUnitRunner.class)
+public class ACLEntryVoterUtilsTest
+{
+ private final NodeRef testNodeRef = new NodeRef("workspace://testNodeRef/testNodeRef");
+ private final NodeRef rootNodeRef = new NodeRef("workspace://rootNodeRef/rootNodeRef");
+ private final NodeRef refNodeForTestObject = new NodeRef("workspace://refNodeForTestObject/refNodeForTestObject");
+ private final NodeRef childRefNode = new NodeRef("workspace://childRefNode/childRefNode");
+ private final StoreRef testStoreNodeRef = new StoreRef("system://testStoreRefMock/testStoreRefMock");
+ private final SimplePermissionReference simplePermissionReference = SimplePermissionReference.getPermissionReference(QName.createQName("uri", "local"), "Write");
+ private final QName qNameToAbstain1 = QName.createQName("{test}testnode1");
+ private final QName qNameToAbstain2 = QName.createQName("{test}testnode2");
+ private final QName qNameToAbstain3 = QName.createQName("{test}testnode3");
+ private final QName qNameNotFromTheAbstainSet = QName.createQName("{test}testnodeAbstain");
+ private final Set qNamesToAbstain = Set.of(qNameToAbstain1, qNameToAbstain2, qNameToAbstain3);
+ @Mock
+ private PermissionService permissionServiceMock;
+ @Mock
+ private NodeService nodeServiceMock;
+ @Mock
+ private ChildAssociationRef childAssocRefMock;
+
+ @Before
+ public void setUp()
+ {
+ when(nodeServiceMock.exists(testStoreNodeRef)).thenReturn(Boolean.TRUE);
+ when(nodeServiceMock.exists(testNodeRef)).thenReturn(Boolean.TRUE);
+ when(nodeServiceMock.getRootNode(testStoreNodeRef)).thenReturn(rootNodeRef);
+ when(nodeServiceMock.getType(testNodeRef)).thenReturn(qNameNotFromTheAbstainSet);
+ when(nodeServiceMock.getAspects(testNodeRef)).thenReturn(Set.of(qNameNotFromTheAbstainSet));
+ when(permissionServiceMock.hasPermission(eq(testNodeRef), nullable(String.class))).thenReturn(AccessStatus.DENIED);
+ }
+
+ @Test
+ public void returnsAccessDeniedFromPermissionService()
+ {
+ assertThat(shouldAbstainOrDeny(simplePermissionReference, testNodeRef, qNamesToAbstain, nodeServiceMock, permissionServiceMock),
+ is(AccessDecisionVoter.ACCESS_DENIED));
+ }
+
+ @Test
+ public void returnsNullOnNullTestObject()
+ {
+ assertThat(getNodeRef(null, nodeServiceMock), is(nullValue()));
+ }
+
+ @Test(expected = ACLEntryVoterException.class)
+ public void throwsExceptionWhenParameterIsNotNodeRefOrChildAssociationRef()
+ {
+ getNodeRef("TEST", nodeServiceMock);
+ }
+
+ @Test
+ public void returnsGivenTestNodeRefWhenStoreRefDoesNotExist()
+ {
+ when(nodeServiceMock.exists(testStoreNodeRef)).thenReturn(Boolean.FALSE);
+ assertThat(getNodeRef(testStoreNodeRef, nodeServiceMock), is(nullValue()));
+ }
+
+ @Test
+ public void returnsRootNode()
+ {
+ assertThat(getNodeRef(testStoreNodeRef, nodeServiceMock), is(rootNodeRef));
+ }
+
+ @Test
+ public void returnsNodeRefFromTestObject()
+ {
+ assertThat(getNodeRef(refNodeForTestObject, nodeServiceMock), is(refNodeForTestObject));
+ }
+
+ @Test
+ public void returnsChildRefFromChildAssocRef()
+ {
+ when(childAssocRefMock.getChildRef()).thenReturn(childRefNode);
+ assertThat(getNodeRef(childAssocRefMock, nodeServiceMock), is(childRefNode));
+ }
+
+ @Test
+ public void returnsNullOnNullTestNodeRef()
+ {
+ assertThat(shouldAbstainOrDeny(simplePermissionReference, null, qNamesToAbstain, nodeServiceMock, permissionServiceMock),
+ is(nullValue()));
+ }
+
+ @Test
+ public void returnsNullOnAbstainClassQnamesIsEmptyAndThereAreNoDeniedPermissions()
+ {
+ when(permissionServiceMock.hasPermission(eq(testNodeRef), nullable(String.class))).thenReturn(AccessStatus.ALLOWED);
+ assertThat(shouldAbstainOrDeny(simplePermissionReference, testNodeRef, Collections.emptySet(), nodeServiceMock, permissionServiceMock),
+ is(nullValue()));
+ }
+
+ @Test
+ public void returnsNullOnTestNodeRefDoesNotExistAndThereAreNoDeniedPermissions()
+ {
+ when(nodeServiceMock.exists(testNodeRef)).thenReturn(Boolean.FALSE);
+ when(permissionServiceMock.hasPermission(eq(testNodeRef), nullable(String.class))).thenReturn(AccessStatus.ALLOWED);
+ assertThat(shouldAbstainOrDeny(simplePermissionReference, testNodeRef, qNamesToAbstain, nodeServiceMock, permissionServiceMock),
+ is(nullValue()));
+ }
+
+ @Test
+ public void returnsNullOnNodeTypeAndNodeAspectsAreNotInSetToAbstainAndThereAreNoDeniedPermissions()
+ {
+ when(permissionServiceMock.hasPermission(eq(testNodeRef), nullable(String.class))).thenReturn(AccessStatus.ALLOWED);
+ assertThat(shouldAbstainOrDeny(simplePermissionReference, testNodeRef, qNamesToAbstain, nodeServiceMock, permissionServiceMock),
+ is(nullValue()));
+ }
+
+ @Test
+ public void returnsAbstainWhenNodeRefTypeIsInSetToAbstain()
+ {
+ when(nodeServiceMock.getType(testNodeRef)).thenReturn(qNameToAbstain2);
+ assertThat(shouldAbstainOrDeny(simplePermissionReference, testNodeRef, qNamesToAbstain, nodeServiceMock, permissionServiceMock),
+ is(AccessDecisionVoter.ACCESS_ABSTAIN));
+ }
+
+ @Test
+ public void returnsAbstainWhenAtLeastOneAspectIsInSetToAbstain()
+ {
+ when(nodeServiceMock.getAspects(testNodeRef)).thenReturn(Set.of(qNameNotFromTheAbstainSet, qNameToAbstain3));
+ assertThat(shouldAbstainOrDeny(simplePermissionReference, testNodeRef, qNamesToAbstain, nodeServiceMock, permissionServiceMock),
+ is(AccessDecisionVoter.ACCESS_ABSTAIN));
+ }
+
+}
\ No newline at end of file