mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-06-30 18:15:39 +00:00
575c970565
17717: This check-in contains changes in Java and .NET TCK tests related to CMIS-43 and CMIS-44 JIRA tasks. Also some bugs were faced out and fixed in 17727: CMIS-69: Alfresco to CMIS ACL mapping: Part 1: API 17732: Merge HEAD to DEV/CMIS10 17756: MOB-563: SQL Tests - Lexer 17764: CMIS-69: Alfresco to CMIS ACL mapping: get ACL support 17802: More for CMIS-69: Alfresco to CMIS ACL mapping. Implementation for applyAcl. 17830: Fixes for CMIS lexer and parser tests 17838: Access fix ups for access by the WS/Rest layers 17869: 1) remote-api: 17874: SAIL-146: Alfresco to CMIS ACL mapping: Support to group ACEs by principal id 17883: Adjust version properties for dev/cmis10 branch. 17885: Update OASIS CMIS TC status. 17889: Fix issue where objectid is not rendered correctly for CMIS private working copies. 17890: SAIL-146: Alfresco to CMIS ACL mapping: Fixes for ACL merging when reporting and ordering of ACEs. Report full permissions and not unique short names. 17902: Fix issue where CMIS queries via GET used incorrect defaults for paging. 17909: Fix CMIS link relations for folder tree. 17912: Fix CMIS type descendants atompub link 17922: Update AtomPub binding to CMIS 1.0 CD05 XSDs. 17924: SAIL-146: Alfresco to CMIS ACL mapping: Test set using full permissions (as opposed to short unique names) 17927: Fix content stream create/update status to comply with CMIS 1.0 CD05. 17934: Resolve encoding issues in CMIS AtomPub binding. 17973: SAIL-171: CMIS Renditions REST binding 17975: SAIL-146: Alfresco to CMIS ACL mapping: Completed AllowedAction and Permissions mapping. Added missing canDeleteTree. 17990: Update CMIS AtomPub to CD06 17996: Updates for cmis.alfresco.com for CD06 in prep for public review 2. 18007: WS-Bindings were updated with CMIS 1.0 cd06 changes. 18016: CMIS web services: Add missing generated files from WSDL 18018: CMIS index page updates for cmis.alfresco.com 18041: Merged HEAD to DEV/CMIS_10 18059: SAIL-227: 18067: SAIL-157: Strict vs Non-Strict Query Language: Enforce restrictions on the use of SCORE() and CONTAINS() 18080: Fix for SAIL-213:Bug: Query engine does not check that select list properties are valid for selectors 18131: SAIL-156: Query Language Compliance: Fix support for LIKE, including escaping of '%' and '_' with '\'. 18132: SAIL-156: Query Language Compliance: Fix support for LIKE, including escaping of '%' and '_' with '\': Fix underlying lucene impl for prefix and fuzzy queries to match wildcard/like 18143: SAIL-156: Query Language Compliance: Fix and check qualifiers in IN_TREE and IN_FOLDER. Improved scoring for CONTAINS() 18173: SAIL-245: Exclude thumbnails from normal query results 18179: SAIL 214: Query Language Compliance: Check for valid object ids in IN_FOLDER and IN_TREE 18210: SAIL-156: Query Language Compliance: Support for simple column aliases in predicates/function arguments/embedded FTS. Check property/selector binding in embedded FTS. 18211: SAIL-156: Query Language Compliance: Support for simple column aliases in predicates/function arguments/embedded FTS. Check property/selector binding in embedded FTS. 18215: SAIL 156: Query Language Compliance: Fix CMIS type info to reflect the underlying settings of the Alfresco type for includeInSuperTypeQuery 18244: SAIL 156: Query Language Compliance: includeInSuperTypeQuery -> includedInSuperTypeQuery: First cut of cmis query test model. Fixed modelSchema.xml to validate 18255: SAIL 156: Query Language Compliance: First set of tests for predicates using properties mapped to CMIS Strings. 18261: CMIS-49 SAIL-163: Alfresco to CMIS Change Log mapping - New CMIS Audit mapping is implemented. ChangeLogDataExtractor was added. 18263: Build Fix 18285: SAIL 156: Query Language Compliance: Restrictions on predicates that may be used by single-valued and multi-valued properties 18287: SAIL-186: Changes to make CMIS Rendition REST bindings pass new TCK tests 18291: Fix Eclipse classpath problems 18323: CMIS-44 SAIL-187: Change Log tests (WS) – Java and .NET tests for change log were implemented. 18325: SAIL 156: Query Language Compliance: Fixes and tests for d:mltext mappings 18329: Updated Chemistry TCK jar including Dave W's rendition tests. 18333: Fix compile error - spurious imports. 18334: Fix issue where absurl web script method failed when deployed to root context. 18339: Update CMIS index page for start of public review 2. 18387: SAIL-147: CMIS ACL REST bindings + framework fixes 18392: Fix typo 18394: SAIL 156: Query Language Compliance: Fixes and tests for d:<numeric> 18406: SAIL 156: Query Language Compliance: Remaining type/predicate combinations. Restriction of In/Comparisons for ID/Boolean 18408: CMIS Query language - remove (pointless) multi-valued column from language definition 18409: Formatting change for CMIS.g 18410: Formatting change for FTS.g 18411: CMIS TCK tests were updated to CMIS 1.0 cd06 schemas. 18412: SAIL 156: Query Language Compliance: Tests and fixes for aliases for all data types in simple predicates (they behave as the direct column reference) 18417: Update Chemistry TCK which now incorporates Dave W's ACL tests. 18419: Update CMIS index page to include public review end date. 18427: SAIL 156: Query Language Compliance: Expose multi-valued properties in queries. Tests for all accessors. Fix content length to be long. 18435: SAIL 156: Query Language Compliance: Use queryable correctly and fix up model mappings. Add tests for baseTypeId, contentStreamId and path. 18472: SAIL 156: Query Language Compliance: Tests and fixes for FTS/Contains expressions. Adhere strictly to the spec - no extensions available by default. Improved FTS error reporting (and stop any recovery). 18477: SAIL-164: CMIS change log REST bindings 18495: SAIL 156: Query Language Compliance: Tests and fixes for escaping in string literals, LIKE and FTS expressions. 18537: SAIL 156: Query Language Compliance: Sorting support. Basic sort test for all orderable/indexed CMIS properties. 18538: SAIL-164: CMIS change log fixes for TCK compliance 18547: SAIL 156: Query Language Compliance: Ordering tests for all datatypes, including null values. 18582: Incorporate latest Chemistry TCK 18583: Update list of supported CMIS capabilities in index page. 18606: SAIL-156, SAIL-157, SAIL-158: Query Language Compliance: Respect all query options including locale. Fixes and tests for MLText cross language support. 18608: SAIL-159: Java / Javascript API access to CMIS Query Language 18617: SAIL-158: Query Tests: Check policy and relationship types are not queryable. 18636: SAIL-184: ACL tests (WS) 18663: ACL tests were updated in accordance with last requirements by David Caruana. 18680: Update to CMIS CD07 18681: Fix CMIS ContentStreamId property when document has no content. 18700: CMIS: Head merge problem resolution. Phase 1: Merge up to and including revision 18700, as this the point where both AtomPub and Web Services TCK tests succeed completely on dev branch. Note: includes CMIS rendition support ready for integration and testing with DM renditions. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@18790 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
582 lines
33 KiB
Java
582 lines
33 KiB
Java
/*
|
|
* Copyright (C) 2005-2009 Alfresco Software Limited.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version 2
|
|
* of the License, or (at your option) any later version.
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
|
* As a special exception to the terms and conditions of version 2.0 of
|
|
* the GPL, you may redistribute this Program in connection with Free/Libre
|
|
* and Open Source Software ("FLOSS") applications as described in Alfresco's
|
|
* FLOSS exception. You should have recieved a copy of the text describing
|
|
* the FLOSS exception, and it is also available here:
|
|
* http://www.alfresco.com/legal/licensing"
|
|
*/
|
|
package org.alfresco.cmis.acl;
|
|
|
|
import java.util.ArrayList;
|
|
import java.util.Collections;
|
|
import java.util.HashSet;
|
|
import java.util.List;
|
|
import java.util.Set;
|
|
|
|
import org.alfresco.cmis.CMISAccessControlEntriesGroupedByPrincipalId;
|
|
import org.alfresco.cmis.CMISAccessControlEntry;
|
|
import org.alfresco.cmis.CMISAccessControlFormatEnum;
|
|
import org.alfresco.cmis.CMISAccessControlReport;
|
|
import org.alfresco.cmis.CMISAccessControlService;
|
|
import org.alfresco.cmis.CMISAclCapabilityEnum;
|
|
import org.alfresco.cmis.CMISAclPropagationEnum;
|
|
import org.alfresco.cmis.CMISConstraintException;
|
|
import org.alfresco.cmis.CMISPermissionDefinition;
|
|
import org.alfresco.cmis.CMISPermissionMapping;
|
|
import org.alfresco.cmis.acl.CMISAccessControlServiceImpl.AccessPermissionComparator;
|
|
import org.alfresco.cmis.mapping.BaseCMISTest;
|
|
import org.alfresco.model.ContentModel;
|
|
import org.alfresco.repo.security.permissions.PermissionReference;
|
|
import org.alfresco.service.cmr.repository.NodeRef;
|
|
import org.alfresco.service.cmr.security.AccessPermission;
|
|
import org.alfresco.service.cmr.security.AccessStatus;
|
|
import org.alfresco.service.cmr.security.PermissionService;
|
|
import org.alfresco.service.namespace.QName;
|
|
|
|
/**
|
|
* @author andyh
|
|
*/
|
|
public class CMISAccessControlServiceTest extends BaseCMISTest
|
|
{
|
|
private NodeRef parent;
|
|
|
|
private NodeRef child;
|
|
|
|
private NodeRef grandParent;
|
|
|
|
public void testAclPropagationMode()
|
|
{
|
|
assertEquals(CMISAclPropagationEnum.PROPAGATE, cmisAccessControlService.getAclPropagation());
|
|
}
|
|
|
|
public void testAclCapability()
|
|
{
|
|
assertEquals(CMISAclCapabilityEnum.MANAGE, cmisAccessControlService.getAclCapability());
|
|
}
|
|
|
|
public void testPermissions()
|
|
{
|
|
List<CMISPermissionDefinition> allPermissions = cmisAccessControlService.getRepositoryPermissions();
|
|
assertEquals(69, allPermissions.size());
|
|
HashSet<CMISPermissionDefinition> permissionSet = new HashSet<CMISPermissionDefinition>();
|
|
permissionSet.addAll(allPermissions);
|
|
assertEquals(69, permissionSet.size());
|
|
|
|
}
|
|
|
|
public void testAclReportingCmisPermissionsOnly()
|
|
{
|
|
createTestAcls();
|
|
|
|
CMISAccessControlReport grandParentReport = cmisAccessControlService.getAcl(grandParent, CMISAccessControlFormatEnum.CMIS_BASIC_PERMISSIONS);
|
|
assertFalse(grandParentReport.isExtract());
|
|
assertEquals(7, grandParentReport.getAccessControlEntries().size());
|
|
assertTrue(checkCounts(grandParentReport, PermissionService.ADMINISTRATOR_AUTHORITY, 1, 0));
|
|
assertTrue(checkCounts(grandParentReport, PermissionService.ALL_AUTHORITIES, 1, 0));
|
|
assertTrue(checkCounts(grandParentReport, "ToMask", 1, 0));
|
|
assertTrue(checkCounts(grandParentReport, "Full", 1, 0));
|
|
assertTrue(checkCounts(grandParentReport, "Reader", 1, 0));
|
|
assertTrue(checkCounts(grandParentReport, "Writer", 1, 0));
|
|
assertTrue(checkCounts(grandParentReport, "Multi", 1, 0));
|
|
|
|
CMISAccessControlReport parentReport = cmisAccessControlService.getAcl(parent, CMISAccessControlFormatEnum.CMIS_BASIC_PERMISSIONS);
|
|
assertFalse(parentReport.isExtract());
|
|
assertEquals(9, parentReport.getAccessControlEntries().size());
|
|
assertTrue(checkCounts(parentReport, PermissionService.ADMINISTRATOR_AUTHORITY, 0, 1));
|
|
assertTrue(checkCounts(parentReport, PermissionService.ALL_AUTHORITIES, 0, 1));
|
|
assertTrue(checkAbsent(parentReport, "ToMask"));
|
|
assertTrue(checkCounts(parentReport, "Full", 0, 1));
|
|
assertTrue(checkCounts(parentReport, "Reader", 0, 1));
|
|
assertTrue(checkCounts(parentReport, "Writer", 0, 1));
|
|
assertTrue(checkCounts(parentReport, "SplitRead", 1, 0));
|
|
assertTrue(checkCounts(parentReport, "SplitWrite", 1, 0));
|
|
assertTrue(checkCounts(parentReport, "DuplicateRead", 1, 0));
|
|
assertTrue(checkCounts(parentReport, "Multi", 1, 0));
|
|
|
|
CMISAccessControlReport childReport = cmisAccessControlService.getAcl(child, CMISAccessControlFormatEnum.CMIS_BASIC_PERMISSIONS);
|
|
assertFalse(childReport.isExtract());
|
|
assertEquals(12, childReport.getAccessControlEntries().size());
|
|
assertTrue(checkCounts(childReport, PermissionService.ADMINISTRATOR_AUTHORITY, 0, 1));
|
|
assertTrue(checkCounts(childReport, PermissionService.ALL_AUTHORITIES, 0, 1));
|
|
assertTrue(checkAbsent(childReport, "ToMask"));
|
|
assertTrue(checkCounts(childReport, "Full", 0, 1));
|
|
assertTrue(checkCounts(childReport, "Reader", 0, 1));
|
|
assertTrue(checkCounts(childReport, "Writer", 0, 1));
|
|
assertTrue(checkCounts(childReport, "SplitRead", 1, 0));
|
|
assertTrue(checkCounts(childReport, "SplitWrite", 1, 0));
|
|
assertTrue(checkCounts(childReport, "DuplicateRead", 1, 0));
|
|
assertTrue(checkCounts(childReport, "Writer2", 1, 0));
|
|
assertTrue(checkCounts(childReport, "Multi", 3, 0));
|
|
}
|
|
|
|
private Set<String> getAllPermissions()
|
|
{
|
|
HashSet<String> answer = new HashSet<String>();
|
|
PermissionReference allPermission = permissionModelDao.getPermissionReference(null, PermissionService.ALL_PERMISSIONS);
|
|
Set<PermissionReference> all = permissionModelDao.getAllPermissions();
|
|
for (PermissionReference pr : all)
|
|
{
|
|
answer.add(pr.toString());
|
|
}
|
|
// Add All
|
|
answer.add(allPermission.toString());
|
|
// Add CMIS permissions
|
|
answer.add(CMISAccessControlService.CMIS_ALL_PERMISSION);
|
|
answer.add(CMISAccessControlService.CMIS_READ_PERMISSION);
|
|
answer.add(CMISAccessControlService.CMIS_WRITE_PERMISSION);
|
|
return answer;
|
|
}
|
|
|
|
private boolean checkCounts(CMISAccessControlReport report, String key, int direct, int indirect)
|
|
{
|
|
// check all permissions are valid
|
|
|
|
Set<String> permissionNames = getAllPermissions();
|
|
|
|
for (CMISAccessControlEntry entry : report.getAccessControlEntries())
|
|
{
|
|
if (!permissionNames.contains(entry.getPermission()))
|
|
{
|
|
return false;
|
|
}
|
|
}
|
|
|
|
// check counts
|
|
|
|
for (CMISAccessControlEntriesGroupedByPrincipalId group : report.getAccessControlEntriesGroupedByPrincipalId())
|
|
{
|
|
if (group.getPrincipalId().equals(key))
|
|
{
|
|
if (group.getDirectPermissions().size() != direct)
|
|
{
|
|
return false;
|
|
}
|
|
if (group.getIndirectPermissions().size() != indirect)
|
|
{
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
private boolean checkAbsent(CMISAccessControlReport report, String key)
|
|
{
|
|
for (CMISAccessControlEntriesGroupedByPrincipalId group : report.getAccessControlEntriesGroupedByPrincipalId())
|
|
{
|
|
if (group.getPrincipalId().equals(key))
|
|
{
|
|
return false;
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
public void testAclReportingAllPermissions()
|
|
{
|
|
createTestAcls();
|
|
|
|
CMISAccessControlReport grandParentReport = cmisAccessControlService.getAcl(grandParent, CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(grandParentReport.isExtract());
|
|
assertEquals(7, grandParentReport.getAccessControlEntries().size());
|
|
assertTrue(checkCounts(grandParentReport, PermissionService.ADMINISTRATOR_AUTHORITY, 1, 0));
|
|
assertTrue(checkCounts(grandParentReport, PermissionService.ALL_AUTHORITIES, 1, 0));
|
|
assertTrue(checkCounts(grandParentReport, "ToMask", 1, 0));
|
|
assertTrue(checkCounts(grandParentReport, "Full", 1, 0));
|
|
assertTrue(checkCounts(grandParentReport, "Reader", 1, 0));
|
|
assertTrue(checkCounts(grandParentReport, "Writer", 1, 0));
|
|
assertTrue(checkCounts(grandParentReport, "Multi", 1, 0));
|
|
|
|
CMISAccessControlReport parentReport = cmisAccessControlService.getAcl(parent, CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(parentReport.isExtract());
|
|
assertEquals(10, parentReport.getAccessControlEntries().size());
|
|
assertTrue(checkCounts(parentReport, PermissionService.ADMINISTRATOR_AUTHORITY, 0, 1));
|
|
assertTrue(checkCounts(parentReport, PermissionService.ALL_AUTHORITIES, 0, 1));
|
|
assertTrue(checkAbsent(parentReport, "ToMask"));
|
|
assertTrue(checkCounts(parentReport, "Full", 0, 1));
|
|
assertTrue(checkCounts(parentReport, "Reader", 0, 1));
|
|
assertTrue(checkCounts(parentReport, "Writer", 0, 1));
|
|
assertTrue(checkCounts(parentReport, "SplitRead", 1, 0));
|
|
assertTrue(checkCounts(parentReport, "SplitWrite", 1, 0));
|
|
assertTrue(checkCounts(parentReport, "DuplicateRead", 1, 0));
|
|
assertTrue(checkCounts(parentReport, "Multi", 1, 1));
|
|
|
|
CMISAccessControlReport childReport = cmisAccessControlService.getAcl(child, CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(childReport.isExtract());
|
|
assertEquals(16, childReport.getAccessControlEntries().size());
|
|
assertTrue(checkCounts(childReport, PermissionService.ADMINISTRATOR_AUTHORITY, 0, 1));
|
|
assertTrue(checkCounts(childReport, PermissionService.ALL_AUTHORITIES, 0, 1));
|
|
assertTrue(checkAbsent(childReport, "ToMask"));
|
|
assertTrue(checkCounts(childReport, "Full", 0, 1));
|
|
assertTrue(checkCounts(childReport, "Reader", 0, 1));
|
|
assertTrue(checkCounts(childReport, "Writer", 0, 1));
|
|
assertTrue(checkCounts(childReport, "SplitRead", 1, 1));
|
|
assertTrue(checkCounts(childReport, "SplitWrite", 1, 1));
|
|
assertTrue(checkCounts(childReport, "DuplicateRead", 1, 0));
|
|
assertTrue(checkCounts(childReport, "Multi", 3, 2));
|
|
assertTrue(checkCounts(childReport, "Writer2", 1, 0));
|
|
}
|
|
|
|
private void createTestAcls()
|
|
{
|
|
grandParent = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("cm", "Parent", namespaceService), ContentModel.TYPE_FOLDER).getChildRef();
|
|
nodeService.setProperty(grandParent, ContentModel.PROP_NAME, "GrandParent");
|
|
parent = nodeService.createNode(grandParent, ContentModel.ASSOC_CHILDREN, QName.createQName("cm", "Child", namespaceService), ContentModel.TYPE_FOLDER).getChildRef();
|
|
nodeService.setProperty(parent, ContentModel.PROP_NAME, "Parent");
|
|
child = nodeService.createNode(parent, ContentModel.ASSOC_CHILDREN, QName.createQName("cm", "Child", namespaceService), ContentModel.TYPE_FOLDER).getChildRef();
|
|
nodeService.setProperty(child, ContentModel.PROP_NAME, "Child");
|
|
permissionService.setPermission(grandParent, PermissionService.ADMINISTRATOR_AUTHORITY, PermissionService.ALL_PERMISSIONS, true);
|
|
permissionService.setPermission(grandParent, PermissionService.ALL_AUTHORITIES, PermissionService.READ, true);
|
|
permissionService.setPermission(grandParent, "ToMask", PermissionService.READ, true);
|
|
permissionService.setPermission(grandParent, "Full", PermissionService.FULL_CONTROL, true);
|
|
permissionService.setPermission(grandParent, "Writer", PermissionService.WRITE, true);
|
|
permissionService.setPermission(grandParent, "Reader", PermissionService.READ, true);
|
|
permissionService.setPermission(grandParent, "Multi", PermissionService.DELETE, true);
|
|
|
|
permissionService.setPermission(parent, "ToMask", PermissionService.READ, false);
|
|
permissionService.setPermission(parent, "SplitRead", PermissionService.READ_PROPERTIES, true);
|
|
permissionService.setPermission(parent, "SplitWrite", PermissionService.WRITE_CONTENT, true);
|
|
permissionService.setPermission(parent, "DuplicateRead", PermissionService.READ, true);
|
|
permissionService.setPermission(parent, "Multi", PermissionService.CREATE_CHILDREN, true);
|
|
|
|
permissionService.setPermission(child, "SplitRead", PermissionService.READ_CONTENT, true);
|
|
permissionService.setPermission(child, "Writer2", PermissionService.WRITE, true);
|
|
permissionService.setPermission(child, "SplitWrite", PermissionService.WRITE_PROPERTIES, true);
|
|
permissionService.setPermission(child, "DuplicateRead", PermissionService.READ, true);
|
|
permissionService.setPermission(child, "Multi", PermissionService.READ, true);
|
|
permissionService.setPermission(child, "Multi", PermissionService.WRITE, true);
|
|
permissionService.setPermission(child, "Multi", PermissionService.SET_OWNER, true);
|
|
|
|
}
|
|
|
|
public void testAccessEntryOrdering()
|
|
{
|
|
createTestAcls();
|
|
|
|
Set<CMISPermissionDefinition> permDefs = new HashSet<CMISPermissionDefinition>();
|
|
permDefs.addAll(cmisAccessControlService.getRepositoryPermissions());
|
|
|
|
Set<AccessPermission> permissions = permissionService.getAllSetPermissions(child);
|
|
ArrayList<AccessPermission> ordered = new ArrayList<AccessPermission>();
|
|
AccessPermissionComparator comparator = new AccessPermissionComparator();
|
|
for (AccessPermission current : permissions)
|
|
{
|
|
int index = Collections.binarySearch(ordered, current, comparator);
|
|
if (index < 0)
|
|
{
|
|
ordered.add(-index - 1, current);
|
|
}
|
|
}
|
|
int i = 0;
|
|
assertEquals(4, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("Full", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(4, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals(PermissionService.ALL_AUTHORITIES, ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(4, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("Multi", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(4, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals(PermissionService.ADMINISTRATOR_AUTHORITY, ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(4, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("Reader", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(4, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("ToMask", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(4, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("Writer", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(2, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.DENIED, ordered.get(i).getAccessStatus());
|
|
assertEquals("ToMask", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(2, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("DuplicateRead", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(2, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("Multi", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(2, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("SplitRead", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(2, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("SplitWrite", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(0, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("DuplicateRead", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(0, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("Multi", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(0, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("Multi", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(0, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("Multi", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(0, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("SplitRead", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(0, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("SplitWrite", ordered.get(i).getAuthority());
|
|
|
|
i++;
|
|
assertEquals(0, ordered.get(i).getPosition());
|
|
assertEquals(AccessStatus.ALLOWED, ordered.get(i).getAccessStatus());
|
|
assertEquals("Writer2", ordered.get(i).getAuthority());
|
|
}
|
|
|
|
public void testApplyAcl()
|
|
{
|
|
grandParent = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("cm", "Parent", namespaceService), ContentModel.TYPE_FOLDER).getChildRef();
|
|
nodeService.setProperty(grandParent, ContentModel.PROP_NAME, "GrandParent");
|
|
parent = nodeService.createNode(grandParent, ContentModel.ASSOC_CHILDREN, QName.createQName("cm", "Child", namespaceService), ContentModel.TYPE_FOLDER).getChildRef();
|
|
nodeService.setProperty(parent, ContentModel.PROP_NAME, "Parent");
|
|
child = nodeService.createNode(parent, ContentModel.ASSOC_CHILDREN, QName.createQName("cm", "Child", namespaceService), ContentModel.TYPE_CONTENT).getChildRef();
|
|
nodeService.setProperty(child, ContentModel.PROP_NAME, "Child");
|
|
|
|
List<CMISAccessControlEntry> acesToAdd = new ArrayList<CMISAccessControlEntry>();
|
|
acesToAdd.add(new CMISAccessControlEntryImpl(PermissionService.ADMINISTRATOR_AUTHORITY, PermissionService.ALL_PERMISSIONS));
|
|
acesToAdd.add(new CMISAccessControlEntryImpl(PermissionService.ALL_AUTHORITIES, PermissionService.READ));
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("ToMask", PermissionService.READ));
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("Full", PermissionService.FULL_CONTROL));
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("Writer", PermissionService.WRITE));
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("Reader", PermissionService.READ));
|
|
|
|
CMISAccessControlReport grandParentReport = cmisAccessControlService.applyAcl(grandParent, null, acesToAdd, CMISAclPropagationEnum.PROPAGATE,
|
|
CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(grandParentReport.isExtract());
|
|
assertEquals(6, grandParentReport.getAccessControlEntries().size());
|
|
|
|
List<CMISAccessControlEntry> acesToRemove = new ArrayList<CMISAccessControlEntry>();
|
|
acesToRemove.add(new CMISAccessControlEntryImpl("ToMask", PermissionService.READ));
|
|
|
|
grandParentReport = cmisAccessControlService.applyAcl(grandParent, acesToRemove, null, CMISAclPropagationEnum.PROPAGATE,
|
|
CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(grandParentReport.isExtract());
|
|
assertEquals(5, grandParentReport.getAccessControlEntries().size());
|
|
|
|
try
|
|
{
|
|
grandParentReport = cmisAccessControlService.applyAcl(grandParent, acesToRemove, null, CMISAclPropagationEnum.PROPAGATE,
|
|
CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
fail("A non existent ACE should not be removable");
|
|
}
|
|
catch (CMISConstraintException e)
|
|
{
|
|
|
|
}
|
|
acesToAdd = new ArrayList<CMISAccessControlEntry>();
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("SplitRead", permissionModelDao.getPermissionReference(null, PermissionService.READ_PROPERTIES).toString()));
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("SplitWrite", permissionModelDao.getPermissionReference(null, PermissionService.WRITE_CONTENT).toString()));
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("DuplicateRead", permissionModelDao.getPermissionReference(null, PermissionService.READ).toString()));
|
|
|
|
CMISAccessControlReport parentReport = cmisAccessControlService.applyAcl(parent, null, acesToAdd, CMISAclPropagationEnum.PROPAGATE,
|
|
CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(parentReport.isExtract());
|
|
assertEquals(8, parentReport.getAccessControlEntries().size());
|
|
|
|
acesToAdd = new ArrayList<CMISAccessControlEntry>();
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("SplitRead", PermissionService.READ_CONTENT));
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("Writer2", PermissionService.WRITE));
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("SplitWrite", PermissionService.WRITE_PROPERTIES));
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("DuplicateRead", PermissionService.READ));
|
|
|
|
CMISAccessControlReport childReport = cmisAccessControlService.applyAcl(child, null, acesToAdd, CMISAclPropagationEnum.PROPAGATE,
|
|
CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(childReport.isExtract());
|
|
assertEquals(11, childReport.getAccessControlEntries().size());
|
|
|
|
grandParentReport = cmisAccessControlService.getAcl(grandParent, CMISAccessControlFormatEnum.CMIS_BASIC_PERMISSIONS);
|
|
assertFalse(grandParentReport.isExtract());
|
|
assertEquals(5, grandParentReport.getAccessControlEntries().size());
|
|
|
|
parentReport = cmisAccessControlService.getAcl(parent, CMISAccessControlFormatEnum.CMIS_BASIC_PERMISSIONS);
|
|
assertFalse(parentReport.isExtract());
|
|
assertEquals(8, parentReport.getAccessControlEntries().size());
|
|
|
|
childReport = cmisAccessControlService.getAcl(child, CMISAccessControlFormatEnum.CMIS_BASIC_PERMISSIONS);
|
|
assertFalse(childReport.isExtract());
|
|
assertEquals(9, childReport.getAccessControlEntries().size());
|
|
|
|
grandParentReport = cmisAccessControlService.getAcl(grandParent, CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(grandParentReport.isExtract());
|
|
assertEquals(5, grandParentReport.getAccessControlEntries().size());
|
|
|
|
parentReport = cmisAccessControlService.getAcl(parent, CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(parentReport.isExtract());
|
|
assertEquals(8, parentReport.getAccessControlEntries().size());
|
|
|
|
childReport = cmisAccessControlService.getAcl(child, CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(childReport.isExtract());
|
|
assertEquals(11, childReport.getAccessControlEntries().size());
|
|
|
|
acesToAdd = new ArrayList<CMISAccessControlEntry>();
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("CMISReader", CMISAccessControlService.CMIS_READ_PERMISSION));
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("CMISWriter", CMISAccessControlService.CMIS_WRITE_PERMISSION));
|
|
acesToAdd.add(new CMISAccessControlEntryImpl("CMISAll", CMISAccessControlService.CMIS_ALL_PERMISSION));
|
|
|
|
childReport = cmisAccessControlService.applyAcl(child, null, acesToAdd, CMISAclPropagationEnum.PROPAGATE, CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(childReport.isExtract());
|
|
assertEquals(14, childReport.getAccessControlEntries().size());
|
|
|
|
childReport = cmisAccessControlService.applyAcl(child, acesToAdd, acesToAdd, CMISAclPropagationEnum.PROPAGATE, CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(childReport.isExtract());
|
|
assertEquals(14, childReport.getAccessControlEntries().size());
|
|
|
|
childReport = cmisAccessControlService.applyAcl(child, acesToAdd, null, CMISAclPropagationEnum.PROPAGATE, CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
assertFalse(childReport.isExtract());
|
|
assertEquals(11, childReport.getAccessControlEntries().size());
|
|
|
|
try
|
|
{
|
|
childReport = cmisAccessControlService.applyAcl(child, acesToAdd, null, CMISAclPropagationEnum.PROPAGATE, CMISAccessControlFormatEnum.REPOSITORY_SPECIFIC_PERMISSIONS);
|
|
fail("A non existent ACE should not be removable");
|
|
}
|
|
catch (CMISConstraintException e)
|
|
{
|
|
|
|
}
|
|
}
|
|
|
|
public void testAllowableActionsAndPermissionMapping()
|
|
{
|
|
List<? extends CMISPermissionMapping> mappings = cmisAccessControlService.getPermissionMappings();
|
|
assertEquals(29, mappings.size());
|
|
assertTrue(contains(mappings, "canGetDescendants.Folder", CMISAccessControlService.CMIS_READ_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.ReadChildren"));
|
|
assertTrue(contains(mappings, "canGetFolderTree.Folder", CMISAccessControlService.CMIS_READ_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.ReadChildren"));
|
|
assertTrue(contains(mappings, "canGetChildren.Folder", CMISAccessControlService.CMIS_READ_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.ReadChildren"));
|
|
assertTrue(contains(mappings, "canGetFolderParent.Folder", CMISAccessControlService.CMIS_READ_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.ReadProperties"));
|
|
assertTrue(contains(mappings, "canGetObjectParents.Object", CMISAccessControlService.CMIS_READ_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.ReadProperties"));
|
|
assertTrue(contains(mappings, "canCreateDocument.Folder", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.CreateChildren"));
|
|
assertTrue(contains(mappings, "canCreateFolder.Folder", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.CreateChildren"));
|
|
// "canCreateRelationship.Source"
|
|
// "canCreateRelationship.Target"
|
|
assertTrue(contains(mappings, "canGetProperties.Object", CMISAccessControlService.CMIS_READ_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.ReadProperties"));
|
|
assertTrue(contains(mappings, "canGetRenditions.Object", CMISAccessControlService.CMIS_READ_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.ReadProperties"));
|
|
assertTrue(contains(mappings, "canGetContentStream.Object", CMISAccessControlService.CMIS_READ_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.ReadContent"));
|
|
assertTrue(contains(mappings, "canUpdateProperties.Object", CMISAccessControlService.CMIS_WRITE_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.WriteProperties"));
|
|
assertTrue(contains(mappings, "canMoveObject.Object", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.DeleteNode"));
|
|
assertTrue(contains(mappings, "canMoveObject.Target", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.CreateChildren"));
|
|
// "canMoveObject.Source"
|
|
assertTrue(contains(mappings, "canDelete.Object", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.DeleteNode"));
|
|
// "canDelete.Folder"
|
|
// === SPEC BUG - should really be those below ...
|
|
// "canDeleteObject.Object"
|
|
// "canDeleteObject.Folder"
|
|
assertTrue(contains(mappings, "canSetContentStream.Document", CMISAccessControlService.CMIS_WRITE_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.WriteContent"));
|
|
assertTrue(contains(mappings, "canDeleteContentStream.Document", CMISAccessControlService.CMIS_WRITE_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.WriteContent"));
|
|
assertTrue(contains(mappings, "canDeleteTree.Folder", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.DeleteNode"));
|
|
assertTrue(contains(mappings, "canAddObjectToFolder.Object", CMISAccessControlService.CMIS_READ_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.ReadProperties"));
|
|
assertTrue(contains(mappings, "canAddObjectToFolder.Folder", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.CreateChildren"));
|
|
assertTrue(contains(mappings, "canRemoveObjectFromFolder.Object", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.DeleteNode"));
|
|
// "canRemoveObjectFromFolder.Folder"
|
|
assertTrue(contains(mappings, "canCheckOut.Document", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/content/1.0}lockable.CheckOut"));
|
|
assertTrue(contains(mappings, "canCancelCheckOut.Document", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/content/1.0}lockable.CancelCheckOut"));
|
|
assertTrue(contains(mappings, "canCheckIn.Document", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/content/1.0}lockable.CheckIn"));
|
|
assertTrue(contains(mappings, "canGetAllVersions.Document", CMISAccessControlService.CMIS_READ_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.Read"));
|
|
// "canGetObjectRelationships.Object"
|
|
assertTrue(contains(mappings, "canApplyPolicy.Object", CMISAccessControlService.CMIS_WRITE_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.Write"));
|
|
assertTrue(contains(mappings, "canApplyPolicy.Policy", CMISAccessControlService.CMIS_READ_PERMISSION));
|
|
assertTrue(contains(mappings, "canRemovePolicy.Object", CMISAccessControlService.CMIS_WRITE_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.Write"));
|
|
assertTrue(contains(mappings, "canRemovePolicy.Policy", CMISAccessControlService.CMIS_READ_PERMISSION));
|
|
assertTrue(contains(mappings, "canGetAppliedPolicies.Object", CMISAccessControlService.CMIS_READ_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.ReadProperties"));
|
|
assertTrue(contains(mappings, "canGetACL.Object", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.ReadPermissions"));
|
|
assertTrue(contains(mappings, "canApplyACL.Object", CMISAccessControlService.CMIS_ALL_PERMISSION, "{http://www.alfresco.org/model/system/1.0}base.ChangePermissions"));
|
|
}
|
|
|
|
private boolean contains(List<? extends CMISPermissionMapping> mappings, String key, String... entries)
|
|
{
|
|
for (CMISPermissionMapping mapping : mappings)
|
|
{
|
|
if (mapping.getKey().equals(key))
|
|
{
|
|
// check entries are all valid
|
|
Set<String> permissionNames = getAllPermissions();
|
|
|
|
for (String permission : mapping.getPermissions())
|
|
{
|
|
if (!permissionNames.contains(permission))
|
|
{
|
|
return false;
|
|
}
|
|
}
|
|
if (entries.length > 0)
|
|
{
|
|
if (mapping.getPermissions().size() == entries.length)
|
|
{
|
|
for (String entry : entries)
|
|
{
|
|
if (!mapping.getPermissions().contains(entry))
|
|
{
|
|
return false;
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
return true;
|
|
}
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
}
|