From cbd45fcb3e61eeac10a8d389b00bc82a49e890c7 Mon Sep 17 00:00:00 2001
From: Lev Belava
Date: Thu, 14 Oct 2021 15:27:41 +0200
Subject: [PATCH] MNT-21706 NodeService setAssociations list of elements is now handled. (#746)
MNT-21706 NodeService setAssociations list of elements is now handled.
---
.../permissions/impl/acegi/ACLEntryVoter.java | 174 ++---
.../impl/acegi/ACLEntryVoterUtils.java | 175 +++++
.../java/org/alfresco/AllUnitTestsSuite.java | 1 +
.../impl/AbstractPermissionTest.java | 6 +-
.../impl/acegi/ACLEntryVoterTest.java | 620 ++++++++++--------
.../impl/acegi/ACLEntryVoterUtilsTest.java | 181 +++++
6 files changed, 767 insertions(+), 390 deletions(-)
create mode 100644 repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtils.java
create mode 100644 repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtilsTest.java
diff --git a/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java b/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java
index d01bcd17ed..490ea9d16d 100644
--- a/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java
+++ b/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java
@@ -1,30 +1,33 @@ -/* - * #%L - * Alfresco Repository - * %% - * Copyright (C) 2005 - 2016 Alfresco Software Limited - * %% - * This file is part of the Alfresco software. - * If the software was purchased under a paid Alfresco license, the terms of - * the paid license agreement will prevail. Otherwise, the software is - * provided under the following open source license terms: - * - * Alfresco is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * Alfresco is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with Alfresco. If not, see . - * #L% - */ +/* + * #%L + * Alfresco Repository + * %% + * Copyright (C) 2005 - 2021 Alfresco Software Limited + * %% + * This file is part of the Alfresco software. + * If the software was purchased under a paid Alfresco license, the terms of + * the paid license agreement will prevail. Otherwise, the software is + * provided under the following open source license terms: + * + * Alfresco is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * Alfresco is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. 
+ * + * You should have received a copy of the GNU Lesser General Public License + * along with Alfresco. If not, see . + * #L% + */ package org.alfresco.repo.security.permissions.impl.acegi; +import static org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterUtils.getNodeRef; +import static org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterUtils.shouldAbstainOrDeny; + import java.io.Serializable; import java.lang.reflect.Method; import java.util.ArrayList; @@ -46,8 +49,6 @@ import org.alfresco.repo.security.permissions.impl.SimplePermissionReference; import org.alfresco.service.cmr.repository.ChildAssociationRef; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeService; -import org.alfresco.service.cmr.repository.StoreRef; -import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.AuthenticationService; import org.alfresco.service.cmr.security.AuthorityService; import org.alfresco.service.cmr.security.OwnableService; @@ -59,6 +60,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.beans.factory.InitializingBean; + /** * @author andyh */ 
@@ -395,61 +397,53 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean { throw new ACLEntryVoterException("The specified parameter is not a NodeRef or ChildAssociationRef"); } - else if (StoreRef.class.isAssignableFrom(params[cad.parameter[0]])) + + if (List.class.isAssignableFrom(params[cad.parameter[0]])) { - StoreRef storeRef = getArgument(invocation, cad.parameter[0]); - if (storeRef != null) + List listArgument = getArgument(invocation, cad.parameter[0]); + if (listArgument != null) { - if (log.isDebugEnabled()) + NodeRef listNodeRef; + Integer accessAbstainOrDeny = null; + for (Object listElement : listArgument) { - log.debug("\tPermission test against the store - using permissions on the root node"); - } - if (nodeService.exists(storeRef)) - { - testNodeRef = nodeService.getRootNode(storeRef); - } - } - } - else if (NodeRef.class.isAssignableFrom(params[cad.parameter[0]])) - { - testNodeRef = getArgument(invocation, cad.parameter[0]); - if (log.isDebugEnabled()) - { - if (testNodeRef != null) - { - if (nodeService.exists(testNodeRef)) + listNodeRef = getNodeRef(listElement, nodeService); + Integer currentValue = shouldAbstainOrDeny(cad.required, listNodeRef, abstainForClassQNames, nodeService, permissionService); + + if (currentValue != null) { - log.debug("\tPermission test on node " + nodeService.getPath(testNodeRef)); + if (currentValue == AccessDecisionVoter.ACCESS_DENIED) + { + return AccessDecisionVoter.ACCESS_DENIED; + } + else + { + accessAbstainOrDeny = currentValue; + } } - else - { - log.debug("\tPermission test on non-existing node " +testNodeRef); - } + } - } - } - else if (ChildAssociationRef.class.isAssignableFrom(params[cad.parameter[0]])) - { - ChildAssociationRef testChildRef = getArgument(invocation, cad.parameter[0]); - if (testChildRef != null) - { - testNodeRef = testChildRef.getChildRef(); - if (log.isDebugEnabled()) + + if (accessAbstainOrDeny != null) { - if (nodeService.exists(testNodeRef)) - { - 
log.debug("\tPermission test on node " + nodeService.getPath(testNodeRef)); - } - else - { - log.debug("\tPermission test on non-existing node " + testNodeRef); - } + return accessAbstainOrDeny; } + if((hasMethodEntry == null) || (hasMethodEntry.booleanValue())) + { + return AccessDecisionVoter.ACCESS_GRANTED; + } + else + { + return AccessDecisionVoter.ACCESS_DENIED; + } + } } else { - throw new ACLEntryVoterException("The specified parameter is not a NodeRef or ChildAssociationRef"); + Object testObject = getArgument(invocation, cad.parameter[0]); + //If the execution reaches here, then testNodeRef is always null + testNodeRef = getNodeRef(testObject, nodeService); } } else if (cad.typeString.equals(ACL_ITEM)) @@ -584,44 +578,10 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean } } - if (testNodeRef != null) + Integer accessAbstainOrDeny = shouldAbstainOrDeny(cad.required, testNodeRef, abstainForClassQNames, nodeService, permissionService); + if (accessAbstainOrDeny != null) { - // now we know the node - we can abstain for certain types and aspects (eg. RM) - if(abstainForClassQNames.size() > 0) - { - // check node exists - if (nodeService.exists(testNodeRef)) - { - QName typeQName = nodeService.getType(testNodeRef); - if(abstainForClassQNames.contains(typeQName)) - { - return AccessDecisionVoter.ACCESS_ABSTAIN; - } - - Set aspectQNames = nodeService.getAspects(testNodeRef); - for(QName abstain : abstainForClassQNames) - { - if(aspectQNames.contains(abstain)) - { - return AccessDecisionVoter.ACCESS_ABSTAIN; - } - } - } - } - - if (log.isDebugEnabled()) - { - log.debug("\t\tNode ref is not null"); - } - if (permissionService.hasPermission(testNodeRef, cad.required.toString()) == AccessStatus.DENIED) - { - if (log.isDebugEnabled()) - { - log.debug("\t\tPermission is denied"); - Thread.dumpStack(); - } - return AccessDecisionVoter.ACCESS_DENIED; - } + return accessAbstainOrDeny; } } 
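Review bot: The new `List` branch returns `ACCESS_GRANTED` from inside the `ACL_NODE` handling as soon as every element passes, whereas the non-list path only returns early on abstain or deny (see the `shouldAbstainOrDeny` call in the later hunk of this file) and otherwise keeps going. If this code sits inside the loop over the method's ACL definitions, as it appears to, any definition that follows a list-typed one is never evaluated, which makes the voter fail open for those checks. Dropping the trailing `hasMethodEntry` block and keeping only `if (accessAbstainOrDeny != null) { return accessAbstainOrDeny; }` would let the method's normal final decision apply. An empty list, or one holding only null elements, is also granted here, which deserves a comment such as `// empty list or null elements: nothing to check, same as a null NodeRef`. The enclosing method starts and ends outside this hunk, so the loop structure should be confirmed before changing it.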
diff --git a/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtils.java b/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtils.java
new file mode 100644
index 0000000000..74dd48ed05
--- /dev/null
+++ b/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtils.java
@@ -0,0 +1,175 @@ +/* + * #%L + * Alfresco Repository + * %% + * Copyright (C) 2005 - 2021 Alfresco Software Limited + * %% + * This file is part of the Alfresco software. + * If the software was purchased under a paid Alfresco license, the terms of + * the paid license agreement will prevail. Otherwise, the software is + * provided under the following open source license terms: + * + * Alfresco is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * Alfresco is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with Alfresco. If not, see . 
+ * #L% + */ +package org.alfresco.repo.security.permissions.impl.acegi; + +import java.util.Set; + +import net.sf.acegisecurity.vote.AccessDecisionVoter; +import org.alfresco.repo.security.permissions.impl.SimplePermissionReference; +import org.alfresco.service.cmr.repository.ChildAssociationRef; +import org.alfresco.service.cmr.repository.NodeRef; +import org.alfresco.service.cmr.repository.NodeService; +import org.alfresco.service.cmr.repository.StoreRef; +import org.alfresco.service.cmr.security.AccessStatus; +import org.alfresco.service.cmr.security.PermissionService; +import org.alfresco.service.namespace.QName; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + + +/** + * Utility methods extracted from AclEntryVoter + * + * @author Lev Belava + */ +final class ACLEntryVoterUtils +{ + private static final Logger LOG = LoggerFactory.getLogger(ACLEntryVoterUtils.class); + + private ACLEntryVoterUtils() + { + } + + + /** + * Gets NodeRef for testObject based on inferred type + * + * @param testObject Tested object to work on + * @param nodeService Node service to perform checks on refs + * @return NodeRef for testObject or null if (testObject is null or StoreRef from testObject does not exist in the provided NodeService) + * @throws ACLEntryVoterException if testObject is not null and not one of a NodeRef or ChildAssociationRef types + */ + static NodeRef getNodeRef(Object testObject, NodeService nodeService) + { + if (testObject == null) + { + return null; + } + + if (StoreRef.class.isAssignableFrom(testObject.getClass())) + { + LOG.debug("Permission test against the store - using permissions on the root node"); + StoreRef storeRef = (StoreRef) testObject; + if (nodeService.exists(storeRef)) + { + return nodeService.getRootNode(storeRef); + } + else + { + LOG.debug("StoreRef does not exist"); + return null; + } + } + + if (NodeRef.class.isAssignableFrom(testObject.getClass())) + { + NodeRef result = (NodeRef) testObject; + if (LOG.isDebugEnabled()) + 
{ + if (nodeService.exists(result)) + { + LOG.debug("Permission test on node {}", nodeService.getPath(result)); + } + else + { + LOG.debug("Permission test on non-existing node {}", result); + } + } + return result; + } + + if (ChildAssociationRef.class.isAssignableFrom(testObject.getClass())) + { + ChildAssociationRef testChildRef = (ChildAssociationRef) testObject; + NodeRef result = testChildRef.getChildRef(); + if (LOG.isDebugEnabled()) + { + if (nodeService.exists(result)) + { + LOG.debug("Permission test on node {}", nodeService.getPath(result)); + } + else + { + LOG.debug("Permission test on non-existing node {}", result); + } + } + return result; + } + + throw new ACLEntryVoterException("The specified parameter is not a NodeRef or ChildAssociationRef"); + } + + + /** + * Checks if tested NodeRef instance is abstained or denied based on set of QNames to abstain and + * + * @param requiredPermissionReference Required permissions + * @param testNodeRef NodeRef to be verified + * @param abstainForClassQNames Set of QNames to abstain + * @param nodeService Node service to perform checks on tested NodeRef + * @param permissionService Permission service to check for required permissions + * @return null if testNodeRef is not abstained or denied, otherwise returns appropriate status. 
+ */ + static Integer shouldAbstainOrDeny(SimplePermissionReference requiredPermissionReference, NodeRef testNodeRef, Set abstainForClassQNames, + NodeService nodeService, PermissionService permissionService) + { + if (testNodeRef == null) + { + return null; + } + + LOG.debug("Node ref is not null"); + + if (abstainForClassQNames.size() > 0 && nodeService.exists(testNodeRef)) + { + if (abstainForClassQNames.contains(nodeService.getType(testNodeRef))) + { + return AccessDecisionVoter.ACCESS_ABSTAIN; + } + Set testNodeRefAspects = nodeService.getAspects(testNodeRef); + for (QName abstain : abstainForClassQNames) + { + if (testNodeRefAspects.contains(abstain)) + { + return AccessDecisionVoter.ACCESS_ABSTAIN; + } + } + } + + if (AccessStatus.DENIED == permissionService.hasPermission(testNodeRef, requiredPermissionReference.toString())) + { + if (LOG.isDebugEnabled()) + { + LOG.debug("Permission is denied"); + Thread.dumpStack(); + } + return AccessDecisionVoter.ACCESS_DENIED; + } + + return null; + } + +} diff --git a/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java b/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java index c403da3452..365ab1741b 100644 --- a/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java +++ b/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java @@ -209,6 +209,7 @@ import org.junit.runners.Suite; org.alfresco.repo.security.authentication.AuthorizationTest.class, org.alfresco.repo.security.permissions.PermissionCheckedCollectionTest.class, org.alfresco.repo.security.permissions.impl.acegi.FilteringResultSetTest.class, + org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterUtilsTest.class, org.alfresco.repo.security.authentication.ChainingAuthenticationServiceTest.class, org.alfresco.repo.security.authentication.NameBasedUserNameGeneratorTest.class, org.alfresco.repo.version.common.VersionImplTest.class, 
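Review bot: The Javadoc on `shouldAbstainOrDeny` stops mid-sentence ("based on set of QNames to abstain and") and never says what a `null` return means, which matters because both call sites in `ACLEntryVoter` treat `null` as "no objection" in an authorization decision. I would finish the summary as `Checks whether the tested NodeRef must be abstained on (its type or one of its aspects is in abstainForClassQNames) or is denied the required permission.` and state under `@return` that `null` is returned for a null NodeRef and for any permission status other than `AccessStatus.DENIED`. In `getNodeRef`, the `@throws` text and the exception message both name only NodeRef and ChildAssociationRef although the method also accepts a `StoreRef`, so both should list all three types. The class comment refers to `AclEntryVoter`, while the class is spelled `ACLEntryVoter`.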
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java index 955c28b8cf..03aee7a704 100644 --- a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java +++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java @@ -2,7 +2,7 @@ * #%L * Alfresco Repository * %% - * Copyright (C) 2005 - 2016 Alfresco Software Limited + * Copyright (C) 2005 - 2021 Alfresco Software Limited * %% * This file is part of the Alfresco software. * If the software was purchased under a paid Alfresco license, the terms of @@ -96,6 +96,8 @@ public abstract class AbstractPermissionTest extends TestCase protected NodeRef systemNodeRef; + protected NodeRef abstainedNode; + protected AuthenticationComponent authenticationComponent; protected ModelDAO permissionModelDAO; @@ -186,6 +188,8 @@ public abstract class AbstractPermissionTest extends TestCase props = createPersonProperties(USER2_LEMUR); nodeService.createNode(typesNodeRef, children, ContentModel.TYPE_PERSON, container, props).getChildRef(); + abstainedNode= nodeService.createNode(rootNodeRef, ContentModel.ASSOC_FAILED_THUMBNAIL, system, ContentModel.TYPE_FAILED_THUMBNAIL).getChildRef(); + // create an authentication object e.g. the user if(authenticationDAO.userExists(USER1_ANDY)) { diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterTest.java index 2802edd490..e2377654c0 100644 --- a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterTest.java +++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterTest.java 
@@ -1,33 +1,38 @@ -/* - * #%L - * Alfresco Repository - * %% - * Copyright (C) 2005 - 2016 Alfresco Software Limited - * %% - * This file is part of the Alfresco software. - * If the software was purchased under a paid Alfresco license, the terms of - * the paid license agreement will prevail. Otherwise, the software is - * provided under the following open source license terms: - * - * Alfresco is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * Alfresco is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with Alfresco. If not, see . - * #L% - */ +/* + * #%L + * Alfresco Repository + * %% + * Copyright (C) 2005 - 2021 Alfresco Software Limited + * %% + * This file is part of the Alfresco software. + * If the software was purchased under a paid Alfresco license, the terms of + * the paid license agreement will prevail. Otherwise, the software is + * provided under the following open source license terms: + * + * Alfresco is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * Alfresco is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. 
+ * + * You should have received a copy of the GNU Lesser General Public License + * along with Alfresco. If not, see . + * #L% + */ package org.alfresco.repo.security.permissions.impl.acegi; +import static java.util.Collections.singletonList; + import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; +import java.util.Arrays; +import java.util.Collections; import java.util.HashSet; +import java.util.List; import java.util.Set; import net.sf.acegisecurity.ConfigAttribute; @@ -53,6 +58,13 @@ import org.springframework.aop.target.SingletonTargetSource; @Category(OwnJVMTestsCategory.class) public class ACLEntryVoterTest extends AbstractPermissionTest { + private static final String ANDY = "andy"; + private static final String ACL_NODE_0_SYS_BASE_READ = "ACL_NODE.0.sys:base.Read"; + private static final String TEST_LIST_OF_NODE_REFS = "testListOfNodeRefs"; + private static final String ABSTAIN = "ABSTAIN"; + private static final String DENIED = "Access denied"; + private static final String SHOULD_FAIL_DENIED = "Should fail because node is DENIED"; + private static final String SHOULD_FAIL_ABSTAINED = "Should fail because node is ABSTAINED"; public ACLEntryVoterTest() { 
@@ -61,38 +73,31 @@ public class ACLEntryVoterTest extends AbstractPermissionTest public void testBasicDenyNode() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneNodeRef", new Class[] { NodeRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); try { method.invoke(proxy, new Object[] { rootNodeRef }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } try { method.invoke(proxy, new Object[] { systemNodeRef }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } // Check we are allowed access to deleted nodes .. 
@@ -105,47 +110,33 @@ public class ACLEntryVoterTest extends AbstractPermissionTest public void testBasicDenyStore() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneStoreRef", new Class[] { StoreRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); try { method.invoke(proxy, new Object[] { rootNodeRef.getStoreRef() }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } } public void testAllowNullNode() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneNodeRef", new Class[] { NodeRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); method.invoke(proxy, new Object[] { null }); 
@@ -153,19 +144,12 @@ public class ACLEntryVoterTest extends AbstractPermissionTest public void testAllowNullStore() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneStoreRef", new Class[] { StoreRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); method.invoke(proxy, new Object[] { null }); @@ -173,19 +157,12 @@ public class ACLEntryVoterTest extends AbstractPermissionTest public void testAllowNullParentOnRealChildAssoc() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_PARENT.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, "ACL_PARENT.0.sys:base.Read"); method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(rootNodeRef) }); 
@@ -193,19 +170,12 @@ public class ACLEntryVoterTest extends AbstractPermissionTest public void testAllowNullParent() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_PARENT.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, "ACL_PARENT.0.sys:base.Read"); method.invoke(proxy, new Object[] { null }); @@ -213,19 +183,12 @@ public class ACLEntryVoterTest extends AbstractPermissionTest public void testAllowNullChild() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); method.invoke(proxy, new Object[] { null }); 
@@ -233,218 +196,155 @@ public class ACLEntryVoterTest extends AbstractPermissionTest public void testBasicDenyChildAssocNode() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); try { method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(rootNodeRef) }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } } public void testBasicDenyParentAssocNode() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_PARENT.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, "ACL_PARENT.0.sys:base.Read"); try { method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(systemNodeRef) }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } } public void testBasicAllowNode() throws Exception { - runAs("andy"); + runAs(ANDY); permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, 
getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneNodeRef", new Class[] { NodeRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); method.invoke(proxy, new Object[] { rootNodeRef }); } public void testBasicAllow() throws Exception { - runAs("andy"); + runAs(ANDY); permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneNodeRef", new Class[] { NodeRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_ALLOW"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, "ACL_ALLOW"); method.invoke(proxy, new Object[] { rootNodeRef }); } public void testBasicAllowStore() throws Exception { - runAs("andy"); + runAs(ANDY); permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneStoreRef", new Class[] { StoreRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - 
ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); method.invoke(proxy, new Object[] { rootNodeRef.getStoreRef() }); } public void testBasicAllowChildAssocNode() throws Exception { - runAs("andy"); + runAs(ANDY); permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(rootNodeRef) }); } public void testBasicAllowParentAssocNode() throws Exception { - runAs("andy"); + runAs(ANDY); permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_PARENT.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new 
SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, "ACL_PARENT.0.sys:base.Read"); method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(systemNodeRef) }); } public void testDenyParentAssocNode() throws Exception { - runAs("andy"); + runAs(ANDY); permissionService.setPermission(new SimplePermissionEntry(systemNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_PARENT.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, "ACL_PARENT.0.sys:base.Read"); try { method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(systemNodeRef) }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } } public void testAllowChildAssocNode() throws Exception { - runAs("andy"); + runAs(ANDY); permissionService.setPermission(new SimplePermissionEntry(systemNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, - getPermission(PermissionService.READ_CHILDREN), "andy", AccessStatus.ALLOWED)); + getPermission(PermissionService.READ_CHILDREN), ANDY, AccessStatus.ALLOWED)); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testOneChildAssociationRef", new Class[] { ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = 
GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read"))); - - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(systemNodeRef) }); 
@@ -452,135 +352,115 @@ public class ACLEntryVoterTest extends AbstractPermissionTest public void testMultiNodeMethodsArg0() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testManyNodeRef", new Class[] { NodeRef.class, NodeRef.class, NodeRef.class, NodeRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read"))); - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); method.invoke(proxy, new Object[] { null, null, null, null }); try { method.invoke(proxy, new Object[] { rootNodeRef, null, null, null }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); method.invoke(proxy, new Object[] { rootNodeRef, null, null, null }); } public void testMultiNodeMethodsArg1() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testManyNodeRef", new Class[] { NodeRef.class, NodeRef.class, NodeRef.class, NodeRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.1.sys:base.Read"))); - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, "ACL_NODE.1.sys:base.Read"); method.invoke(proxy, new Object[] { null, null, null, null }); try { 
method.invoke(proxy, new Object[] { null, rootNodeRef, null, null }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); method.invoke(proxy, new Object[] { null, rootNodeRef, null, null }); } public void testMultiNodeMethodsArg2() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testManyNodeRef", new Class[] { NodeRef.class, NodeRef.class, NodeRef.class, NodeRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.2.sys:base.Read"))); - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, "ACL_NODE.2.sys:base.Read"); method.invoke(proxy, new Object[] { null, null, null, null }); try { method.invoke(proxy, new Object[] { null, null, rootNodeRef, null }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); method.invoke(proxy, new Object[] { null, null, rootNodeRef, null }); } public void testMultiNodeMethodsArg3() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testManyNodeRef", new Class[] { NodeRef.class, NodeRef.class, NodeRef.class, NodeRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = 
new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.3.sys:base.Read"))); - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, "ACL_NODE.3.sys:base.Read"); method.invoke(proxy, new Object[] { null, null, null, null }); try { method.invoke(proxy, new Object[] { null, null, null, rootNodeRef }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); method.invoke(proxy, new Object[] { null, null, null, rootNodeRef }); } public void testMultiChildAssocRefMethodsArg0() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod( 
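Review bot: The four `testMultiNodeMethodsArg0`–`Arg3` tests still repeat one deny-then-allow body that differs only in the argument position and the `ACL_NODE.<n>.sys:base.Read` string, and only index 0 uses the `ACL_NODE_0_SYS_BASE_READ` constant while 1–3 stay inline literals. A small private helper taking the `Method`, the proxy and the argument array would keep the authorization expectation (denied before the READ grant, allowed after) in one place, so a later change to the expected exception cannot be applied to some positions and missed in others. The same shape recurs in the `testMultiChildAssocRefMethodsArg0`–`Arg3` hunks that follow. The helper below is a sketch that uses only names visible in this hunk.

```java
// … unchanged: runAs(ANDY), ClassWithMethods / Method lookup and getProxy(...) in each test …
private void assertDeniedUntilReadGranted(Method method, Object proxy, Object[] args) throws Exception
{
    try
    {
        method.invoke(proxy, args);
        fail(SHOULD_FAIL_DENIED);
    }
    catch (InvocationTargetException e)
    {
        verifyAccessDenied(e);
    }
    permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ),
            ANDY, AccessStatus.ALLOWED));
    method.invoke(proxy, args);
}
```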
@@ -588,33 +468,28 @@ public class ACLEntryVoterTest extends AbstractPermissionTest new Class[] { ChildAssociationRef.class, ChildAssociationRef.class, ChildAssociationRef.class, ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.0.sys:base.Read"))); - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); method.invoke(proxy, new Object[] { null, null, null, null }); try { method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(rootNodeRef), null, null, null }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); method.invoke(proxy, new Object[] { nodeService.getPrimaryParent(rootNodeRef), null, null, null }); } public void testMultiChildAssocRefMethodsArg1() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod( 
@@ -622,33 +497,28 @@ public class ACLEntryVoterTest extends AbstractPermissionTest new Class[] { ChildAssociationRef.class, ChildAssociationRef.class, ChildAssociationRef.class, ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.1.sys:base.Read"))); - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, "ACL_NODE.1.sys:base.Read"); method.invoke(proxy, new Object[] { null, null, null, null }); try { method.invoke(proxy, new Object[] { null, nodeService.getPrimaryParent(rootNodeRef), null, null }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); method.invoke(proxy, new Object[] { null, nodeService.getPrimaryParent(rootNodeRef), null, null }); } public void testMultiChildAssocRefMethodsArg2() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod( 
@@ -656,33 +526,28 @@ public class ACLEntryVoterTest extends AbstractPermissionTest new Class[] { ChildAssociationRef.class, ChildAssociationRef.class, ChildAssociationRef.class, ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.2.sys:base.Read"))); - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, "ACL_NODE.2.sys:base.Read"); method.invoke(proxy, new Object[] { null, null, null, null }); try { method.invoke(proxy, new Object[] { null, null, nodeService.getPrimaryParent(rootNodeRef), null }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); method.invoke(proxy, new Object[] { null, null, nodeService.getPrimaryParent(rootNodeRef), null }); } public void testMultiChildAssocRefMethodsArg3() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod( 
@@ -690,33 +555,28 @@ public class ACLEntryVoterTest extends AbstractPermissionTest new Class[] { ChildAssociationRef.class, ChildAssociationRef.class, ChildAssociationRef.class, ChildAssociationRef.class }); - AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); - - ProxyFactory proxyFactory = new ProxyFactory(); - proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor("ACL_NODE.3.sys:base.Read"))); - proxyFactory.setTargetSource(new SingletonTargetSource(o)); - Object proxy = proxyFactory.getProxy(); + Object proxy = getProxy(o, "ACL_NODE.3.sys:base.Read"); method.invoke(proxy, new Object[] { null, null, null, null }); try { method.invoke(proxy, new Object[] { null, null, null, nodeService.getPrimaryParent(rootNodeRef) }); - assertNotNull(null); + fail(SHOULD_FAIL_DENIED); } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), - "andy", AccessStatus.ALLOWED)); + ANDY, AccessStatus.ALLOWED)); method.invoke(proxy, new Object[] { null, null, null, nodeService.getPrimaryParent(rootNodeRef) }); } public void testMethodACL() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testMethod", new Class[] {}); @@ -733,7 +593,7 @@ public class ACLEntryVoterTest extends AbstractPermissionTest public void testMethodACL2() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testMethod", new Class[] {}); @@ -751,7 +611,7 @@ public class ACLEntryVoterTest extends AbstractPermissionTest public void testMethodACL3() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testMethod", new Class[] {}); 
@@ -770,7 +630,7 @@ public class ACLEntryVoterTest extends AbstractPermissionTest public void testMethodACL4() throws Exception { - runAs("andy"); + runAs(ANDY); Object o = new ClassWithMethods(); Method method = o.getClass().getMethod("testMethod", new Class[] {}); 
@@ -788,10 +648,190 @@ public class ACLEntryVoterTest extends AbstractPermissionTest } catch (InvocationTargetException e) { - + verifyAccessDenied(e); } } + public void testBasicAllowNodeCollection() throws Exception + { + runAs(ANDY); + permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED)); + + Object o = new ClassWithMethods(); + Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); + + method.invoke(proxy, singletonList(rootNodeRef)); + } + + public void testBasicDenyNodeCollection() throws Exception + { + runAs(ANDY); + + Object o = new ClassWithMethods(); + Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); + + try + { + method.invoke(proxy, singletonList(rootNodeRef)); + fail(SHOULD_FAIL_DENIED); + } catch (InvocationTargetException e) + { + verifyAccessDenied(e); + } + } + + public void testAllowNullCollection() throws Exception + { + runAs(ANDY); + + Object o = new ClassWithMethods(); + Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); + + method.invoke(proxy, singletonList(null)); + } + + public void testAllowNodeCollection() throws Exception + { + runAs(ANDY); + permissionService.setPermission(new SimplePermissionEntry(systemNodeRef, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED)); + + Object o = new ClassWithMethods(); + Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); + + method.invoke(proxy, Arrays.asList(systemNodeRef, systemNodeRef, systemNodeRef)); + } + + public void testDenyNodeCollectionWhenOneElementShouldBeDenied() throws Exception + { + runAs(ANDY); + permissionService.setPermission(new 
SimplePermissionEntry(systemNodeRef, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED)); + + Object o = new ClassWithMethods(); + Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); + + try + { + method.invoke(proxy, Arrays.asList(systemNodeRef, rootNodeRef, systemNodeRef)); + fail(SHOULD_FAIL_DENIED); + } catch (InvocationTargetException e) + { + verifyAccessDenied(e); + } + } + + public void testSimpleAbstain() throws Exception + { + runAs(ANDY); + permissionService.setPermission(new SimplePermissionEntry(abstainedNode, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED)); + + Object o = new ClassWithMethods(); + Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); + + try + { + method.invoke(proxy, Collections.singletonList(abstainedNode)); + fail(SHOULD_FAIL_ABSTAINED); + } catch (InvocationTargetException e) + { + verifyAccessAbstain(e); + } + } + + public void testAbstainHasAPriorityOverDeny() throws Exception + { + runAs(ANDY); + permissionService.setPermission(new SimplePermissionEntry(abstainedNode, getPermission(PermissionService.READ), ANDY, AccessStatus.DENIED)); + + Object o = new ClassWithMethods(); + Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); + + try + { + method.invoke(proxy, Collections.singletonList(abstainedNode)); + fail(SHOULD_FAIL_ABSTAINED); + } catch (InvocationTargetException e) + { + verifyAccessAbstain(e); + } + } + + public void testSimpleAbstainList() throws Exception + { + runAs(ANDY); + permissionService.setPermission(new SimplePermissionEntry(abstainedNode, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED)); + + Object o = new ClassWithMethods(); + Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class); + Object proxy = 
getProxy(o, ACL_NODE_0_SYS_BASE_READ); + + try + { + method.invoke(proxy, Collections.singletonList(abstainedNode)); + fail(SHOULD_FAIL_ABSTAINED); + } catch (InvocationTargetException e) + { + verifyAccessAbstain(e); + } + } + + public void testAbstainNodeCollectionWhenOneElementShouldBeAbstained() throws Exception + { + runAs(ANDY); + permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED)); + permissionService.setPermission(new SimplePermissionEntry(abstainedNode, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED)); + + Object o = new ClassWithMethods(); + Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); + + try + { + method.invoke(proxy, Arrays.asList(rootNodeRef, abstainedNode, rootNodeRef)); + fail(SHOULD_FAIL_ABSTAINED); + } catch (InvocationTargetException e) + { + verifyAccessAbstain(e); + } + } + + public void testDenyNodeCollectionWhenOneElementShouldBeDeniedAndThereAreAlsoAbstained() throws Exception + { + runAs(ANDY); + permissionService.setPermission(new SimplePermissionEntry(abstainedNode, getPermission(PermissionService.READ), ANDY, AccessStatus.ALLOWED)); + + Object o = new ClassWithMethods(); + Method method = o.getClass().getMethod(TEST_LIST_OF_NODE_REFS, List.class); + Object proxy = getProxy(o, ACL_NODE_0_SYS_BASE_READ); + + try + { + method.invoke(proxy, Arrays.asList(abstainedNode, systemNodeRef, abstainedNode)); + fail(SHOULD_FAIL_DENIED); + } catch (InvocationTargetException e) + { + verifyAccessDenied(e); + } + } + + + private void verifyAccessAbstain(InvocationTargetException e) + { + assertEquals(ABSTAIN, e.getCause().getMessage()); + } + + private void verifyAccessDenied(InvocationTargetException e) + { + String causeMessage = e.getCause().getMessage(); + assertEquals(DENIED, causeMessage.substring(causeMessage.length() - 13)); + } + public static class 
ClassWithMethods { public void testMethod() @@ -824,6 +864,11 @@ public class ACLEntryVoterTest extends AbstractPermissionTest { } + + public void testListOfNodeRefs(List listOfNodeRefs) + { + } + } public class Interceptor implements MethodInterceptor @@ -888,22 +933,33 @@ public class ACLEntryVoterTest extends AbstractPermissionTest voter.setNodeService(nodeService); voter.setAuthenticationService(authenticationService); voter.setAuthorityService(authorityService); - - // TODO: add explicit abstain tests (for now, configure dummy "abstainFor" to test deleted nodes - see ALF-898) - Set abstainFor = new HashSet(1); + + Set abstainFor = new HashSet<>(2); abstainFor.add("{http://www.alfresco.org/model/content/1.0}emailed"); + abstainFor.add("{http://www.alfresco.org/model/content/1.0}failedThumbnail"); voter.setAbstainFor(abstainFor); voter.afterPropertiesSet(); - if (!(voter.vote(null, invocation, cad) == AccessDecisionVoter.ACCESS_DENIED)) + int voteResult = voter.vote(null, invocation, cad); + if (voteResult == AccessDecisionVoter.ACCESS_DENIED) { - return invocation.proceed(); + throw new ACLEntryVoterException(DENIED); } - else + if (voteResult == AccessDecisionVoter.ACCESS_ABSTAIN) { - throw new ACLEntryVoterException("Access denied"); + throw new RuntimeException(ABSTAIN); } - + return invocation.proceed(); } } + + private Object getProxy(Object o, String s) + { + AdvisorAdapterRegistry advisorAdapterRegistry = GlobalAdvisorAdapterRegistry.getInstance(); + ProxyFactory proxyFactory = new ProxyFactory(); + proxyFactory.addAdvisor(advisorAdapterRegistry.wrap(new Interceptor(s))); + proxyFactory.setTargetSource(new SingletonTargetSource(o)); + return proxyFactory.getProxy(); + } + } diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtilsTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtilsTest.java new file mode 100644 index 0000000000..56ce194018 --- /dev/null 
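Review bot: `verifyAccessDenied` compares `causeMessage.substring(causeMessage.length() - 13)` with `DENIED`, which hard-codes the constant's length, throws `StringIndexOutOfBoundsException` on a shorter message, and never checks the cause's type, so any exception whose message ends that way counts as a denial. `assertTrue(e.getCause() instanceof ACLEntryVoterException);` followed by `assertTrue(causeMessage.endsWith(DENIED));` states the intent without the magic number (the definition of `DENIED` is outside this hunk, so confirm it is the 13-character text). Two of the new cases also do not test what their names say: `testSimpleAbstainList` has the same body as `testSimpleAbstain`, and `testAllowNullCollection` passes `singletonList(null)`, a list holding a null element, so a null list argument is never exercised. In both mixed-list deny tests the denied node sits in the middle; variants with it first and last would show that every element is checked.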
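Review bot: The Interceptor's new `ACCESS_ABSTAIN` branch changes what the harness does with an abstain vote, since before this hunk everything except `ACCESS_DENIED` reached `invocation.proceed()`, and the comment that explained the `abstainFor` setup is removed without a replacement. I would add a comment above the branch, e.g. `// Test-only: surface ABSTAIN as an exception so tests can tell it apart from a grant.`, and one above the set saying which test nodes are expected to carry the two QNames. `getProxy(Object o, String s)` would also read better with the second parameter named for what it holds, e.g. `aclDefinition`. The Interceptor class begins outside this hunk.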
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoterUtilsTest.java 
@@ -0,0 +1,181 @@ +/* + * #%L + * Alfresco Repository + * %% + * Copyright (C) 2005 - 2021 Alfresco Software Limited + * %% + * This file is part of the Alfresco software. + * If the software was purchased under a paid Alfresco license, the terms of + * the paid license agreement will prevail. Otherwise, the software is + * provided under the following open source license terms: + * + * Alfresco is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * Alfresco is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with Alfresco. If not, see . 
+ * #L% + */ +package org.alfresco.repo.security.permissions.impl.acegi; + +import static org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterUtils.getNodeRef; +import static org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterUtils.shouldAbstainOrDeny; +import static org.hamcrest.CoreMatchers.is; +import static org.hamcrest.CoreMatchers.nullValue; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.mockito.ArgumentMatchers.eq; +import static org.mockito.ArgumentMatchers.nullable; +import static org.mockito.Mockito.when; + +import java.util.Collections; +import java.util.Set; + +import net.sf.acegisecurity.vote.AccessDecisionVoter; +import org.alfresco.repo.security.permissions.impl.SimplePermissionReference; +import org.alfresco.service.cmr.repository.ChildAssociationRef; +import org.alfresco.service.cmr.repository.NodeRef; +import org.alfresco.service.cmr.repository.NodeService; +import org.alfresco.service.cmr.repository.StoreRef; +import org.alfresco.service.cmr.security.AccessStatus; +import org.alfresco.service.cmr.security.PermissionService; +import org.alfresco.service.namespace.QName; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.junit.MockitoJUnitRunner; + + +@RunWith(MockitoJUnitRunner.class) +public class ACLEntryVoterUtilsTest +{ + private final NodeRef testNodeRef = new NodeRef("workspace://testNodeRef/testNodeRef"); + private final NodeRef rootNodeRef = new NodeRef("workspace://rootNodeRef/rootNodeRef"); + private final NodeRef refNodeForTestObject = new NodeRef("workspace://refNodeForTestObject/refNodeForTestObject"); + private final NodeRef childRefNode = new NodeRef("workspace://childRefNode/childRefNode"); + private final StoreRef testStoreNodeRef = new StoreRef("system://testStoreRefMock/testStoreRefMock"); + private final SimplePermissionReference simplePermissionReference = 
SimplePermissionReference.getPermissionReference(QName.createQName("uri", "local"), "Write"); + private final QName qNameToAbstain1 = QName.createQName("{test}testnode1"); + private final QName qNameToAbstain2 = QName.createQName("{test}testnode2"); + private final QName qNameToAbstain3 = QName.createQName("{test}testnode3"); + private final QName qNameNotFromTheAbstainSet = QName.createQName("{test}testnodeAbstain"); + private final Set qNamesToAbstain = Set.of(qNameToAbstain1, qNameToAbstain2, qNameToAbstain3); + @Mock + private PermissionService permissionServiceMock; + @Mock + private NodeService nodeServiceMock; + @Mock + private ChildAssociationRef childAssocRefMock; + + @Before + public void setUp() + { + when(nodeServiceMock.exists(testStoreNodeRef)).thenReturn(Boolean.TRUE); + when(nodeServiceMock.exists(testNodeRef)).thenReturn(Boolean.TRUE); + when(nodeServiceMock.getRootNode(testStoreNodeRef)).thenReturn(rootNodeRef); + when(nodeServiceMock.getType(testNodeRef)).thenReturn(qNameNotFromTheAbstainSet); + when(nodeServiceMock.getAspects(testNodeRef)).thenReturn(Set.of(qNameNotFromTheAbstainSet)); + when(permissionServiceMock.hasPermission(eq(testNodeRef), nullable(String.class))).thenReturn(AccessStatus.DENIED); + } + + @Test + public void returnsAccessDeniedFromPermissionService() + { + assertThat(shouldAbstainOrDeny(simplePermissionReference, testNodeRef, qNamesToAbstain, nodeServiceMock, permissionServiceMock), + is(AccessDecisionVoter.ACCESS_DENIED)); + } + + @Test + public void returnsNullOnNullTestObject() + { + assertThat(getNodeRef(null, nodeServiceMock), is(nullValue())); + } + + @Test(expected = ACLEntryVoterException.class) + public void throwsExceptionWhenParameterIsNotNodeRefOrChildAssociationRef() + { + getNodeRef("TEST", nodeServiceMock); + } + + @Test + public void returnsGivenTestNodeRefWhenStoreRefDoesNotExist() + { + when(nodeServiceMock.exists(testStoreNodeRef)).thenReturn(Boolean.FALSE); + assertThat(getNodeRef(testStoreNodeRef, 
nodeServiceMock), is(nullValue())); + } + + @Test + public void returnsRootNode() + { + assertThat(getNodeRef(testStoreNodeRef, nodeServiceMock), is(rootNodeRef)); + } + + @Test + public void returnsNodeRefFromTestObject() + { + assertThat(getNodeRef(refNodeForTestObject, nodeServiceMock), is(refNodeForTestObject)); + } + + @Test + public void returnsChildRefFromChildAssocRef() + { + when(childAssocRefMock.getChildRef()).thenReturn(childRefNode); + assertThat(getNodeRef(childAssocRefMock, nodeServiceMock), is(childRefNode)); + } + + @Test + public void returnsNullOnNullTestNodeRef() + { + assertThat(shouldAbstainOrDeny(simplePermissionReference, null, qNamesToAbstain, nodeServiceMock, permissionServiceMock), + is(nullValue())); + } + + @Test + public void returnsNullOnAbstainClassQnamesIsEmptyAndThereAreNoDeniedPermissions() + { + when(permissionServiceMock.hasPermission(eq(testNodeRef), nullable(String.class))).thenReturn(AccessStatus.ALLOWED); + assertThat(shouldAbstainOrDeny(simplePermissionReference, testNodeRef, Collections.emptySet(), nodeServiceMock, permissionServiceMock), + is(nullValue())); + } + + @Test + public void returnsNullOnTestNodeRefDoesNotExistAndThereAreNoDeniedPermissions() + { + when(nodeServiceMock.exists(testNodeRef)).thenReturn(Boolean.FALSE); + when(permissionServiceMock.hasPermission(eq(testNodeRef), nullable(String.class))).thenReturn(AccessStatus.ALLOWED); + assertThat(shouldAbstainOrDeny(simplePermissionReference, testNodeRef, qNamesToAbstain, nodeServiceMock, permissionServiceMock), + is(nullValue())); + } + + @Test + public void returnsNullOnNodeTypeAndNodeAspectsAreNotInSetToAbstainAndThereAreNoDeniedPermissions() + { + when(permissionServiceMock.hasPermission(eq(testNodeRef), nullable(String.class))).thenReturn(AccessStatus.ALLOWED); + assertThat(shouldAbstainOrDeny(simplePermissionReference, testNodeRef, qNamesToAbstain, nodeServiceMock, permissionServiceMock), + is(nullValue())); + } + + @Test + public void 
returnsAbstainWhenNodeRefTypeIsInSetToAbstain() + { + when(nodeServiceMock.getType(testNodeRef)).thenReturn(qNameToAbstain2); + assertThat(shouldAbstainOrDeny(simplePermissionReference, testNodeRef, qNamesToAbstain, nodeServiceMock, permissionServiceMock), + is(AccessDecisionVoter.ACCESS_ABSTAIN)); + } + + @Test + public void returnsAbstainWhenAtLeastOneAspectIsInSetToAbstain() + { + when(nodeServiceMock.getAspects(testNodeRef)).thenReturn(Set.of(qNameNotFromTheAbstainSet, qNameToAbstain3)); + assertThat(shouldAbstainOrDeny(simplePermissionReference, testNodeRef, qNamesToAbstain, nodeServiceMock, permissionServiceMock), + is(AccessDecisionVoter.ACCESS_ABSTAIN)); + } + +} \ No newline at end of file
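Review bot: Every `hasPermission` stub uses `nullable(String.class)` for the permission argument, so these tests pass whichever permission name `shouldAbstainOrDeny` asks the service about; for an authorization helper, the permission being checked is the thing most worth pinning. Stubbing on the name expected for `simplePermissionReference` (created with `"Write"`), for example `hasPermission(eq(testNodeRef), eq(EXPECTED_PERMISSION))` with a constant defined in the test, would catch a regression that checks the wrong permission. How the helper derives that string is not visible here, so confirm the expected value against `ACLEntryVoterUtils`. Separately, `returnsGivenTestNodeRefWhenStoreRefDoesNotExist` asserts `is(nullValue())`, so a name such as `returnsNullWhenStoreRefDoesNotExist` would match what it checks.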