protected DocumentRef createDocumentModelWithSamplePermissions(String name) {
DocumentModel root = session.getRootDocument();
DocumentModel doc = new DocumentModelImpl(root.getPathAsString(), name, "Folder");
doc = session.createDocument(doc);
ACP acp = doc.getACP();
ACL localACL = acp.getOrCreateACL();
localACL.add(new ACE("joe_reader", READ, true));
localACL.add(new ACE("joe_contributor", READ, true));
localACL.add(new ACE("joe_contributor", WRITE_PROPERTIES, true));
localACL.add(new ACE("joe_contributor", ADD_CHILDREN, true));
localACL.add(new ACE("joe_localmanager", READ, true));
localACL.add(new ACE("joe_localmanager", WRITE, true));
localACL.add(new ACE("joe_localmanager", WRITE_SECURITY, true));
acp.addACL(localACL);
doc.setACP(acp, true);
// add the permission to remove children on the root
ACP rootACP = root.getACP();
ACL rootACL = rootACP.getOrCreateACL();
rootACL.add(new ACE("joe_localmanager", REMOVE_CHILDREN, true));
rootACP.addACL(rootACL);
root.setACP(rootACP, true);
// make it visible for others
session.save();
return doc.getRef();
}
@Test
public void testACLEscaping() {
// temporary set an Everything privileges on the root for anonymous
// so that we can create a folder
setPermissionToAnonymous(EVERYTHING);
DocumentModel root = session.getRootDocument();
DocumentModel folder = new DocumentModelImpl(root.getPathAsString(), "folder1", "Folder");
folder = session.createDocument(folder);
ACP acp = new ACPImpl();
ACL acl = new ACLImpl();
acl.add(new ACE("xyz", "Read", true));
acl.add(new ACE("abc@def<&>/ ", "Read", true));
acl.add(new ACE("caf\u00e9", "Read", true));
acl.add(new ACE("o'hara", "Read", true)); // name to quote
acl.add(new ACE("A_x1234_", "Read", true)); // name to quote
acp.addACL(acl);
folder.setACP(acp, true);
// check what we read
acp = folder.getACP();
assertNotNull(acp);
acl = acp.getACL(ACL.LOCAL_ACL);
assertEquals("xyz", acl.get(0).getUsername());
assertEquals("abc@def<&>/ ", acl.get(1).getUsername());
assertEquals("caf\u00e9", acl.get(2).getUsername());
assertEquals("o'hara", acl.get(3).getUsername());
assertEquals("A_x1234_", acl.get(4).getUsername());
}
protected void removePermissionToEveryone() {
DocumentModel doc = session.getRootDocument();
ACP acp = doc.getACP();
acp.removeACL("test");
doc.setACP(acp, true);
session.save();
}
@Test
public void testEmptyLocalACL() throws Exception {
DocumentModel doc = session.createDocumentModel("/", "folder", "Folder");
doc = session.createDocument(doc);
ACP acp = doc.getACP();
ACL acl = acp.getOrCreateACL();
// don't add anything
doc.setACP(acp, true);
session.save();
nextTransaction();
session.getDocument(doc.getRef());
acp = doc.getACP();
acl = acp.getACL(ACL.LOCAL_ACL);
assertNull(acl);
}
// assumes that the global "session" belongs to an Administrator
protected void setPermissionToAnonymous(String perm) {
DocumentModel doc = session.getRootDocument();
ACP acp = doc.getACP();
if (acp == null) {
acp = new ACPImpl();
}
UserEntryImpl userEntry = new UserEntryImpl("anonymous");
userEntry.addPrivilege(perm);
acp.setRules("test", new UserEntry[] {userEntry});
doc.setACP(acp, true);
session.save();
}
protected void setPermissionToEveryone(String... perms) {
DocumentModel doc = session.getRootDocument();
ACP acp = doc.getACP();
if (acp == null) {
acp = new ACPImpl();
}
UserEntryImpl userEntry = new UserEntryImpl(EVERYONE);
for (String perm : perms) {
userEntry.addPrivilege(perm);
}
acp.setRules("test", new UserEntry[] {userEntry});
doc.setACP(acp, true);
session.save();
}
@Test
public void testACPInheritance() throws Exception {
DocumentModel root = new DocumentModelImpl("/", "testACPInheritance", "Folder");
root = session.createDocument(root);
DocumentModel doc = new DocumentModelImpl("/testACPInheritance", "folder", "Folder");
doc = session.createDocument(doc);
ACP rootAcp = root.getACP();
ACL localACL = rootAcp.getOrCreateACL();
localACL.add(new ACE("joe_reader", READ, true));
root.setACP(rootAcp, true);
ACP acp = doc.getACP();
localACL = acp.getOrCreateACL();
localACL.add(new ACE("joe_contributor", WRITE, true));
doc.setACP(acp, true);
session.save();
doc = session.getDocument(new PathRef("/testACPInheritance/folder"));
acp = doc.getACP();
ACL acl = acp.getACL(ACL.INHERITED_ACL);
assertEquals("joe_reader", acl.getACEs()[0].getUsername());
// block inheritance
acp.getOrCreateACL()
.add(new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false));
doc.setACP(acp, true);
session.save();
// now the inherited acl should be null
doc = session.getDocument(new PathRef("/testACPInheritance/folder"));
acp = doc.getACP();
acl = acp.getACL(ACL.INHERITED_ACL);
assertNull(acl);
}
@Test
public void testReadAclSecurityUpdate() {
// check that aclOptimization update the user aclr cache
// NXP-13109
DocumentModel root = session.getRootDocument();
// Create a doc and set a new ACLR on it
DocumentModel doc = new DocumentModelImpl(root.getPathAsString(), "foo", "Folder");
doc = session.createDocument(doc);
ACP acp = doc.getACP();
assertNotNull(acp);
acp = new ACPImpl();
ACL acl = new ACLImpl();
acl.add(new ACE("Everyone", "Read", true));
acp.addACL(acl);
doc.setACP(acp, true);
session.save();
CoreSession joeSession = openSessionAs("joe");
try {
DocumentModelList list;
list = joeSession.query("SELECT * FROM Folder");
assertEquals(1, list.size());
// Remove the document, so the ACLR created is not anymore assigned
session.removeDocument(doc.getRef());
session.save();
list = joeSession.query("SELECT * FROM Folder");
assertEquals(0, list.size());
} finally {
closeSession(joeSession);
}
CoreSession bobSession = openSessionAs("bob");
try {
DocumentModelList list;
// Perform a query to init the ACLR cache
list = bobSession.query("SELECT * FROM Folder");
assertEquals(0, list.size());
// Create a new doc with the same ACLR
doc = new DocumentModelImpl(root.getPathAsString(), "bar", "Folder");
doc = session.createDocument(doc);
doc.setACP(acp, true);
session.save();
// Check that the ACLR has been added to the user cache
list = bobSession.query("SELECT * FROM Folder");
assertEquals(1, list.size());
} finally {
closeSession(bobSession);
}
}
@Test
public void testReadAclSecurity() {
// Check that all permissions that contain Browse enable to list a
// document using aclOptimization
SecurityService securityService = NXCore.getSecurityService();
String[] browsePermissions = securityService.getPermissionsToCheck(BROWSE);
// Check for test permission contribution
assertTrue(Arrays.asList(browsePermissions).contains("ViewTest"));
List<String> docNames = new ArrayList<String>(browsePermissions.length);
DocumentModel root = session.getRootDocument();
for (String permission : browsePermissions) {
// Create a folder with only the browse permission
String name = "joe-has-" + permission + "-permission";
docNames.add(name);
DocumentModel folder = new DocumentModelImpl(root.getPathAsString(), name, "Folder");
folder = session.createDocument(folder);
ACP acp = folder.getACP();
assertNotNull(acp); // the acp inherited from root is returned
acp = new ACPImpl();
ACL acl = new ACLImpl();
acl.add(new ACE("joe", permission, true));
acp.addACL(acl);
folder.setACP(acp, true);
}
session.save();
CoreSession joeSession = openSessionAs("joe");
try {
DocumentModelList list;
list = joeSession.query("SELECT * FROM Folder");
List<String> names = new ArrayList<String>();
for (DocumentModel doc : list) {
names.add(doc.getName());
}
assertEquals(
"Expecting " + docNames + " got " + names, browsePermissions.length, list.size());
list = joeSession.query("SELECT * FROM Folder WHERE ecm:isProxy = 0");
names.clear();
for (DocumentModel doc : list) {
names.add(doc.getName());
}
assertEquals(
"Expecting " + docNames + " got " + names, browsePermissions.length, list.size());
// Add a new folder to update the read acls
DocumentModel folder = new DocumentModelImpl(root.getPathAsString(), "new-folder", "Folder");
folder = session.createDocument(folder);
ACP acp = folder.getACP();
assertNotNull(acp); // the acp inherited from root is returned
acp = new ACPImpl();
ACL acl = new ACLImpl();
acl.add(new ACE("joe", browsePermissions[0], true));
acl.add(new ACE("bob", browsePermissions[0], true));
acp.addACL(acl);
folder.setACP(acp, true);
session.save();
list = joeSession.query("SELECT * FROM Folder");
assertEquals(browsePermissions.length + 1, list.size());
} finally {
closeSession(joeSession);
}
}
@Test
public void testSecurity() {
// temporary set an Everything privileges on the root for anonymous
// so that we can create a folder
setPermissionToAnonymous(EVERYTHING);
CoreSession anonSession = openSessionAs("anonymous");
try {
DocumentModel root = anonSession.getRootDocument();
DocumentModel folder = new DocumentModelImpl(root.getPathAsString(), "folder#1", "Folder");
folder = anonSession.createDocument(folder);
ACP acp = folder.getACP();
assertNotNull(acp); // the acp inherited from root is returned
acp = new ACPImpl();
ACL acl = new ACLImpl();
acl.add(new ACE("a", "Read", true));
acl.add(new ACE("b", "Write", true));
acp.addACL(acl);
folder.setACP(acp, true);
acp = folder.getACP();
assertNotNull(acp);
assertEquals("a", acp.getACL(ACL.LOCAL_ACL).get(0).getUsername());
assertEquals("b", acp.getACL(ACL.LOCAL_ACL).get(1).getUsername());
assertSame(GRANT, acp.getAccess("a", "Read"));
assertSame(UNKNOWN, acp.getAccess("a", "Write"));
assertSame(GRANT, acp.getAccess("b", "Write"));
assertSame(UNKNOWN, acp.getAccess("b", "Read"));
assertSame(UNKNOWN, acp.getAccess("c", "Read"));
assertSame(UNKNOWN, acp.getAccess("c", "Write"));
// insert a deny Write ACE before the GRANT
acp.getACL(ACL.LOCAL_ACL).add(0, new ACE("b", "Write", false));
// store changes
folder.setACP(acp, true);
// refetch ac
acp = folder.getACP();
// check perms now
assertSame(GRANT, acp.getAccess("a", "Read"));
assertSame(UNKNOWN, acp.getAccess("a", "Write"));
assertSame(DENY, acp.getAccess("b", "Write"));
assertSame(UNKNOWN, acp.getAccess("b", "Read"));
assertSame(UNKNOWN, acp.getAccess("c", "Read"));
assertSame(UNKNOWN, acp.getAccess("c", "Write"));
// create a child document and grant on it the write for b
// remove anonymous Everything privileges on the root
// so that it not influence test results
removePermissionToAnonymous();
anonSession.save(); // process invalidations
try {
DocumentModel folder2 =
new DocumentModelImpl(folder.getPathAsString(), "folder#2", "Folder");
folder2 = anonSession.createDocument(folder2);
fail("privilege is granted but should not be");
} catch (DocumentSecurityException e) {
// ok
}
setPermissionToAnonymous(EVERYTHING);
anonSession.save(); // process invalidations
root = anonSession.getRootDocument();
// and try again - this time it should work
DocumentModel folder2 = new DocumentModelImpl(folder.getPathAsString(), "folder#2", "Folder");
folder2 = anonSession.createDocument(folder2);
ACP acp2 = new ACPImpl();
acl = new ACLImpl();
acl.add(new ACE("b", "Write", true));
acp2.addACL(acl);
folder2.setACP(acp2, true);
acp2 = folder2.getACP();
assertSame(GRANT, acp2.getAccess("a", "Read"));
assertSame(UNKNOWN, acp2.getAccess("a", "Write"));
assertSame(GRANT, acp2.getAccess("b", "Write"));
assertSame(UNKNOWN, acp2.getAccess("b", "Read"));
assertSame(UNKNOWN, acp2.getAccess("c", "Read"));
assertSame(UNKNOWN, acp2.getAccess("c", "Write"));
// remove anonymous Everything privileges on the root
// so that it not influence test results
removePermissionToAnonymous();
anonSession.save(); // process invalidations
setPermissionToEveryone(WRITE, REMOVE, ADD_CHILDREN, REMOVE_CHILDREN, READ);
root = anonSession.getRootDocument();
DocumentModel folder3 = new DocumentModelImpl(folder.getPathAsString(), "folder#3", "Folder");
folder3 = anonSession.createDocument(folder3);
anonSession.removeDocument(folder3.getRef());
removePermissionToEveryone();
setPermissionToEveryone(REMOVE);
anonSession.save(); // process invalidations
try {
folder3 = new DocumentModelImpl(folder.getPathAsString(), "folder#3", "Folder");
folder3 = anonSession.createDocument(folder3);
fail();
} catch (Exception e) {
}
} finally {
closeSession(anonSession);
}
}