/**
 * Verifies that committing an ACE with an invalid privilege name is rejected.
 *
 * <p>The commit must fail with a {@code CommitFailedException} that is classified as an
 * access-control violation and whose message contains the path of the policy node.
 */
@Test
public void testInvalidPrivilege() throws Exception {
    String unknownPrivilege = "invalidPrivilegeName";
    NodeUtil policyNode = createAcl();
    createACE(policyNode, "invalid", NT_REP_GRANT_ACE, testPrincipal.getName(), unknownPrivilege);

    try {
        root.commit();
        // Reaching this line means the invalid ACE was accepted.
        fail("Creating an ACE with invalid privilege should fail.");
    } catch (CommitFailedException rejected) {
        // Expected: the failure must be reported as an access-control violation.
        assertTrue(rejected.isAccessControlViolation());
        assertThat(rejected.getMessage(), containsString("/testRoot/rep:policy"));
    }
}
/**
 * Verifies that the repo-level access-controllable mixin cannot be set on the test root node.
 *
 * <p>The commit must fail with an access-control violation whose message names
 * {@code /testRoot}.
 */
@Test
public void testOnlyRootIsRepoAccessControllable() {
    NodeUtil nonRootNode = getTestRoot();
    nonRootNode.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_REPO_ACCESS_CONTROLLABLE);

    try {
        root.commit();
        // Reaching this line means the mixin was accepted on a non-root node.
        fail("Only the root node can be made RepoAccessControllable.");
    } catch (CommitFailedException rejected) {
        // Expected outcome.
        assertTrue(rejected.isAccessControlViolation());
        assertThat(rejected.getMessage(), containsString("/testRoot"));
    }
}
/**
 * Verifies that an ACE referencing an abstract privilege cannot be committed.
 *
 * <p>A privilege named {@code abstractPrivilege} is first registered as abstract with no
 * aggregated privileges; an ACE granting it is then created and the commit is expected to
 * fail with an access-control violation that mentions the policy path.
 */
@Test
public void testAbstractPrivilege() throws Exception {
    // Second argument 'true' registers the privilege as abstract.
    getPrivilegeManager(root).registerPrivilege("abstractPrivilege", true, new String[0]);

    NodeUtil policyNode = createAcl();
    createACE(policyNode, "invalid", NT_REP_GRANT_ACE, testPrincipal.getName(), "abstractPrivilege");

    try {
        root.commit();
        // Reaching this line means the abstract privilege was accepted in an ACE.
        fail("Creating an ACE with an abstract privilege should fail.");
    } catch (CommitFailedException rejected) {
        // Expected outcome.
        assertTrue(rejected.isAccessControlViolation());
        assertThat(rejected.getMessage(), containsString("/testRoot/rep:policy"));
    }
}
/**
 * Verifies that a policy node added through {@code addChild} under the access-controllable
 * test root is rejected on commit.
 *
 * <p>The failure must be an access-control violation carrying the identifier
 * {@code OakAccessControl0004} and the policy path in its message.
 */
@Test
public void testPolicyWithOutChildOrder() throws AccessDeniedException {
    NodeUtil controlledNode = getTestRoot();
    controlledNode.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_ACCESS_CONTROLLABLE);
    controlledNode.addChild(REP_POLICY, NT_REP_ACL);

    try {
        root.commit();
        fail("Policy node with child node ordering");
    } catch (CommitFailedException rejected) {
        // Expected outcome.
        assertTrue(rejected.isAccessControlViolation());
        String failureText = rejected.getMessage();
        // OakAccessControl0004: order of children is not stable.
        assertThat(failureText, containsString("OakAccessControl0004"));
        assertThat(failureText, containsString("/testRoot/rep:policy"));
    }
}
/**
 * Verifies that an ACE placed directly under the test root, outside any policy node, cannot
 * be committed.
 *
 * <p>Both the deny and the grant ACE node types are tried. Each attempt must fail with an
 * access-control violation naming {@code /testRoot/isolatedACE}; the pending ACE is removed
 * afterwards so the next iteration starts clean.
 */
@Test
public void testAddIsolatedAce() throws Exception {
    NodeUtil parent = getTestRoot();

    for (String aceNtName : new String[]{NT_REP_DENY_ACE, NT_REP_GRANT_ACE}) {
        NodeUtil isolatedAce =
                createACE(parent, "isolatedACE", aceNtName, testPrincipal.getName(), PrivilegeConstants.JCR_READ);
        try {
            root.commit();
            // Reaching this line means an ACE outside a policy node was accepted.
            fail("Writing an isolated ACE should fail.");
        } catch (CommitFailedException rejected) {
            // Expected outcome.
            assertTrue(rejected.isAccessControlViolation());
            assertThat(rejected.getMessage(), containsString("/testRoot/isolatedACE"));
        } finally {
            // Revert pending changes that cannot be saved.
            isolatedAce.getTree().remove();
        }
    }
}
/**
 * Verifies that an unsupported restriction property on an ACE is rejected on commit.
 *
 * <p>A string property named {@code invalid} is written to the restrictions node of the ACE
 * created by {@code createAcl()}; the commit must fail with an access-control violation that
 * mentions the policy path.
 */
@Test
public void testInvalidRestriction() throws Exception {
    NodeUtil aceNode = createAcl().getChild(aceName);
    NodeUtil restrictionsNode = aceNode.getChild(REP_RESTRICTIONS);
    restrictionsNode.setString("invalid", "value");

    try {
        root.commit();
        // Reaching this line means the unsupported restriction was accepted.
        fail("Creating an unsupported restriction should fail.");
    } catch (CommitFailedException rejected) {
        // Expected outcome.
        assertTrue(rejected.isAccessControlViolation());
        assertThat(rejected.getMessage(), containsString("/testRoot/rep:policy"));
    }
}
/**
 * Verifies that a restriction written with an invalid property type is rejected on commit.
 *
 * <p>The {@code REP_GLOB} restriction is written through {@code setName} with the value
 * {@code "rep:glob"}; the commit must fail with an access-control violation that mentions
 * the policy path.
 */
@Test
public void testRestrictionWithInvalidType() throws Exception {
    NodeUtil aceNode = createAcl().getChild(aceName);
    NodeUtil restrictionsNode = aceNode.getChild(REP_RESTRICTIONS);
    // Written via setName rather than as a string; the fail message below calls this type invalid.
    restrictionsNode.setName(REP_GLOB, "rep:glob");

    try {
        root.commit();
        fail("Creating restriction with invalid type should fail.");
    } catch (CommitFailedException rejected) {
        // Expected outcome.
        assertTrue(rejected.isAccessControlViolation());
        assertThat(rejected.getMessage(), containsString("/testRoot/rep:policy"));
    }
}
/**
 * Verifies that saving an imported CUG policy fails at the JCR session level.
 *
 * <p>A test group is created and saved first, then {@code XML_CUG_POLICY} is imported at the
 * target path. The following save must throw {@code AccessControlException} whose cause is a
 * {@code CommitFailedException} flagged as an access-control violation with code 22.
 */
@Test
public void testCugValidPrincipalsNoMixin() throws Exception {
    testGroup = ((JackrabbitSession) adminSession).getUserManager()
            .createGroup(new PrincipalImpl(TEST_GROUP_PRINCIPAL_NAME));
    adminSession.save();

    doImport(getTargetPath(), XML_CUG_POLICY);

    try {
        adminSession.save();
        // Reaching this line means the imported policy was persisted.
        fail();
    } catch (AccessControlException denied) {
        Throwable cause = denied.getCause();
        assertTrue(cause instanceof CommitFailedException);

        // The underlying commit failure must carry the access-control classification.
        CommitFailedException commitFailure = (CommitFailedException) cause;
        assertTrue(commitFailure.isAccessControlViolation());
        assertEquals(22, commitFailure.getCode());
    }
}
/**
 * Verifies that an ACL node cannot be committed under the test root when this test has not
 * made that node access controllable.
 *
 * <p>Three child names are tried: an arbitrary one, {@code REP_POLICY} and
 * {@code REP_REPO_POLICY}. Each commit must fail with an access-control violation naming
 * {@code /testRoot}; the pending node is removed after every attempt.
 */
@Test
public void testAddIsolatedPolicy() throws Exception {
    NodeUtil parent = getTestRoot();

    for (String policyName : new String[]{"isolatedACL", REP_POLICY, REP_REPO_POLICY}) {
        NodeUtil isolatedPolicy = parent.addChild(policyName, NT_REP_ACL);
        try {
            root.commit();
            // Reaching this line means an ACL without the required mixin was accepted.
            fail("Writing an isolated ACL without the parent being rep:AccessControllable should fail.");
        } catch (CommitFailedException rejected) {
            // Expected outcome.
            assertTrue(rejected.isAccessControlViolation());
            assertThat(rejected.getMessage(), containsString("/testRoot"));
        } finally {
            // Revert pending changes that cannot be saved.
            isolatedPolicy.getTree().remove();
        }
    }
}
/**
 * Verifies that a restrictions node placed directly under the test root cannot be committed.
 *
 * <p>The commit must fail with an access-control violation naming {@code /testRoot}; the
 * pending node is removed afterwards.
 */
@Test
public void testAddIsolatedRestriction() throws Exception {
    NodeUtil isolatedRestriction = getTestRoot().addChild("isolatedRestriction", NT_REP_RESTRICTIONS);

    try {
        root.commit();
        // Reaching this line means a restrictions node outside an ACE was accepted.
        fail("Writing an isolated Restriction should fail.");
    } catch (CommitFailedException rejected) {
        // Expected outcome.
        assertTrue(rejected.isAccessControlViolation());
        assertThat(rejected.getMessage(), containsString("/testRoot"));
    } finally {
        // Revert pending changes that cannot be saved.
        isolatedRestriction.getTree().remove();
    }
}
/**
 * Verifies that a CUG policy node is rejected when this test adds it without setting the
 * CUG mixin on the parent.
 *
 * <p>The commit must fail with an access-control violation carrying code 22. Pending changes
 * are discarded afterwards.
 */
@Test
public void testMissingMixin() throws Exception {
    NodeUtil cugPolicy = node.addChild(REP_CUG_POLICY, NT_REP_CUG_POLICY);
    cugPolicy.setStrings(REP_PRINCIPAL_NAMES, EveryonePrincipal.NAME);

    try {
        root.commit();
        // Reaching this line means the policy was accepted.
        fail();
    } catch (CommitFailedException rejected) {
        assertTrue(rejected.isAccessControlViolation());
        assertEquals(22, rejected.getCode());
    } finally {
        // Drop the pending changes that could not be committed.
        root.refresh();
    }
}
/**
 * Verifies that a repo-level policy node cannot be added below a node that only carries the
 * regular access-controllable mixin.
 *
 * <p>The commit must fail with an access-control violation naming {@code /testRoot}; the
 * pending policy node is removed afterwards.
 */
@Test
public void testAddInvalidRepoPolicy() throws Exception {
    NodeUtil controlledNode = getTestRoot();
    controlledNode.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_ACCESS_CONTROLLABLE);

    // The test root is looked up a second time here, exactly as in the original test.
    NodeUtil repoPolicy = getTestRoot().addChild(REP_REPO_POLICY, NT_REP_ACL);

    try {
        root.commit();
        fail("Attempt to add repo-policy with rep:AccessControllable node.");
    } catch (CommitFailedException rejected) {
        // Expected outcome.
        assertTrue(rejected.isAccessControlViolation());
        assertThat(rejected.getMessage(), containsString("/testRoot"));
    } finally {
        // Remove the pending node that could not be committed.
        repoPolicy.getTree().remove();
    }
}
/**
 * Verifies that a node named like a CUG policy but created with the unstructured primary
 * type is rejected on commit.
 *
 * <p>The commit must fail with an access-control violation carrying code 21. Pending changes
 * are discarded afterwards.
 */
@Test
public void testInvalidPrimaryType() throws Exception {
    NodeUtil wronglyTypedCug = node.addChild(REP_CUG_POLICY, NodeTypeConstants.NT_OAK_UNSTRUCTURED);
    wronglyTypedCug.setStrings(REP_PRINCIPAL_NAMES, EveryonePrincipal.NAME);

    try {
        root.commit();
        // Reaching this line means the wrongly typed policy node was accepted.
        fail();
    } catch (CommitFailedException rejected) {
        assertTrue(rejected.isAccessControlViolation());
        assertEquals(21, rejected.getCode());
    } finally {
        // Drop the pending changes that could not be committed.
        root.refresh();
    }
}
/**
 * Verifies that a duplicate ACE written through the Oak tree API is detected on commit.
 *
 * <p>An entry for the test principal with the add-child-nodes privilege is first set through
 * the access control manager. A second grant ACE with the same principal and privilege is
 * then added directly below the policy node. The commit must fail with an access-control
 * violation naming the duplicate entry's path.
 */
@Test
public void testDuplicateAce() throws Exception {
    AccessControlManager accessControlManager = getAccessControlManager(root);
    JackrabbitAccessControlList list =
            AccessControlUtils.getAccessControlList(accessControlManager, testPath);
    list.addAccessControlEntry(testPrincipal, privilegesFromNames(PrivilegeConstants.JCR_ADD_CHILD_NODES));
    accessControlManager.setPolicy(testPath, list);

    // Add the duplicate entry on the Oak API, bypassing the access control manager.
    NodeUtil policyNode = new NodeUtil(root.getTree(testPath + "/rep:policy"));
    NodeUtil duplicate = policyNode.addChild("duplicateAce", NT_REP_GRANT_ACE);
    duplicate.setString(REP_PRINCIPAL_NAME, testPrincipal.getName());
    duplicate.setNames(AccessControlConstants.REP_PRIVILEGES, PrivilegeConstants.JCR_ADD_CHILD_NODES);

    try {
        root.commit();
        fail("Creating duplicate ACE must be detected");
    } catch (CommitFailedException rejected) {
        assertTrue(rejected.isAccessControlViolation());
        assertThat(rejected.getMessage(), containsString("/testRoot/rep:policy/duplicateAce"));
    }
}
/**
 * Verifies that the node at {@code SUPPORTED_PATH2} cannot be re-typed into a CUG policy.
 *
 * <p>The node's primary type is switched to the CUG policy type and principal names are set;
 * the commit must fail with an access-control violation carrying code 20.
 */
@Test
public void testChangePrimaryType() {
    // Re-points the shared 'node' field at the tree under SUPPORTED_PATH2.
    node = new NodeUtil(root.getTree(SUPPORTED_PATH2));

    try {
        node.setName(JcrConstants.JCR_PRIMARYTYPE, NT_REP_CUG_POLICY);
        node.setStrings(REP_PRINCIPAL_NAMES, EveryonePrincipal.NAME);
        root.commit();
        // Reaching this line means the type change was accepted.
        fail();
    } catch (CommitFailedException rejected) {
        assertTrue(rejected.isAccessControlViolation());
        assertEquals(20, rejected.getCode());
    }
}
/**
 * Verifies that a CUG policy node stored under a name other than {@code REP_CUG_POLICY} is
 * rejected on commit, even though the parent carries the CUG mixin.
 *
 * <p>The commit must fail with an access-control violation carrying code 23. Pending changes
 * are discarded afterwards.
 */
@Test
public void testCugPolicyWithDifferentName() throws Exception {
    node.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_CUG_MIXIN);

    NodeUtil misnamedCug = node.addChild("anotherName", NT_REP_CUG_POLICY);
    misnamedCug.setStrings(REP_PRINCIPAL_NAMES, EveryonePrincipal.NAME);

    try {
        root.commit();
        // Reaching this line means the misnamed policy node was accepted.
        fail();
    } catch (CommitFailedException rejected) {
        assertTrue(rejected.isAccessControlViolation());
        assertEquals(23, rejected.getCode());
    } finally {
        // Drop the pending changes that could not be committed.
        root.refresh();
    }
}
} else if (isAccessViolation()) { return new AccessDeniedException(message, this); } else if (isAccessControlViolation()) { return new AccessControlException(message, this); } else if (isOfType(INTEGRITY)) {
} else if (isAccessViolation()) { return new AccessDeniedException(message, this); } else if (isAccessControlViolation()) { return new AccessControlException(message, this); } else if (isOfType(INTEGRITY)) {
/**
 * Verifies that the primary type of an already committed CUG policy node cannot be changed.
 *
 * <p>A valid CUG policy (mixin on the parent, policy node, principal names) is committed
 * first. Switching the policy node to the unstructured type must then make the next commit
 * fail with an access-control violation carrying code 21.
 */
@Test
public void testChangePrimaryTypeOfCug() throws Exception {
    // Set up and persist a valid CUG policy.
    node.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_CUG_MIXIN);
    NodeUtil cugPolicy = node.addChild(REP_CUG_POLICY, NT_REP_CUG_POLICY);
    cugPolicy.setStrings(REP_PRINCIPAL_NAMES, EveryonePrincipal.NAME);
    root.commit();

    try {
        cugPolicy.setName(JcrConstants.JCR_PRIMARYTYPE, NodeTypeConstants.NT_OAK_UNSTRUCTURED);
        root.commit();
        // Reaching this line means the type change was accepted.
        fail();
    } catch (CommitFailedException rejected) {
        assertTrue(rejected.isAccessControlViolation());
        assertEquals(21, rejected.getCode());
    }
}
/**
 * Verifies that the mixin types property cannot be removed from a node that holds a
 * committed CUG policy.
 *
 * <p>A valid CUG policy is committed first. Removing {@code jcr:mixinTypes} from the parent
 * must then make the next commit fail with an access-control violation carrying code 22.
 * Pending changes are discarded afterwards.
 */
@Test
public void testRemoveMixin() throws Exception {
    // Set up and persist a valid CUG policy.
    node.setNames(JcrConstants.JCR_MIXINTYPES, MIX_REP_CUG_MIXIN);
    NodeUtil cugPolicy = node.addChild(REP_CUG_POLICY, NT_REP_CUG_POLICY);
    cugPolicy.setStrings(REP_PRINCIPAL_NAMES, EveryonePrincipal.NAME);
    root.commit();

    try {
        node.removeProperty(JcrConstants.JCR_MIXINTYPES);
        root.commit();
        // Reaching this line means the policy was left behind without its mixin.
        fail();
    } catch (CommitFailedException rejected) {
        assertTrue(rejected.isAccessControlViolation());
        assertEquals(22, rejected.getCode());
    } finally {
        // Drop the pending changes that could not be committed.
        root.refresh();
    }
}