/*
* (C) Copyright 2006-2011 Nuxeo SA (http://nuxeo.com/) and others.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Contributors:
* Anahide Tchertchian
* Florent Guillaume
*/
package org.nuxeo.ecm.core.security;
import static org.nuxeo.ecm.core.CoreUTConstants.CORE_BUNDLE;
import static org.nuxeo.ecm.core.CoreUTConstants.CORE_TESTS_BUNDLE;
import static org.nuxeo.ecm.core.api.security.Access.DENY;
import static org.nuxeo.ecm.core.api.security.Access.GRANT;
import static org.nuxeo.ecm.core.api.security.Access.UNKNOWN;
import static org.nuxeo.ecm.core.api.security.SecurityConstants.WRITE;
import static org.nuxeo.ecm.core.api.security.SecurityConstants.WRITE_PROPERTIES;
import java.security.Principal;
import java.util.ArrayList;
import java.util.GregorianCalendar;
import org.junit.Before;
import org.jmock.Expectations;
import org.jmock.Mockery;
import org.jmock.integration.junit4.JUnit4Mockery;
import org.junit.After;
import org.junit.Test;
import static org.junit.Assert.*;
import org.nuxeo.ecm.core.api.Lock;
import org.nuxeo.ecm.core.api.impl.UserPrincipal;
import org.nuxeo.ecm.core.model.Document;
import org.nuxeo.runtime.api.Framework;
import org.nuxeo.runtime.test.NXRuntimeTestCase;
/**
 * Runtime tests for {@link SecurityPolicyService#checkPermission}, run against jMock {@link Document} stubs.
 * <p>
 * Each test first checks the decision produced by the policies contributed by the core bundle, then deploys an
 * extra test contribution and checks how the decision changes. The assertions only pin the observable result
 * ({@code GRANT}, {@code DENY} or {@code UNKNOWN}); what each contribution file registers is not visible here.
 * <p>
 * NOTE(review): {@code UNKNOWN} presumably means that no policy took a decision and the caller falls back to its
 * regular ACL evaluation - confirm against the service contract.
 */
public class TestSecurityPolicyService extends NXRuntimeTestCase {

    // Name returned for the "dc:creator" property of the locked document.
    static final String creator = "Bodie";

    // Name of the lock owner.
    static final String user = "Bubbles";

    // Principals without groups; the two boolean flags are false as in every fixture of this class.
    static final Principal creatorPrincipal = new UserPrincipal(creator, new ArrayList<String>(), false, false);

    static final Principal userPrincipal = new UserPrincipal(user, new ArrayList<String>(), false, false);

    private SecurityPolicyService service;

    protected Mockery mockery = new JUnit4Mockery();

    /**
     * Deploys the security service, the permissions and the default security policies from the core bundle, then
     * looks up the service under test.
     */
    @Before
    public void setUp() throws Exception {
        super.setUp();
        final String[] coreContribs = {
                "OSGI-INF/SecurityService.xml",
                "OSGI-INF/permissions-contrib.xml",
                "OSGI-INF/security-policy-contrib.xml" };
        for (String contrib : coreContribs) {
            deployContrib(CORE_BUNDLE, contrib);
        }
        service = Framework.getService(SecurityPolicyService.class);
        assertNotNull(service);
    }

    /** Shuts the runtime down first, then drops the service reference. */
    @After
    public void tearDown() throws Exception {
        super.tearDown();
        service = null;
    }

    /**
     * Asserts the decision returned for {@code principal} on {@code doc}. The second and the last argument of
     * {@code checkPermission} are {@code null} in every check of this class, so they are fixed here.
     */
    private void assertAccess(Object expected, Document doc, Principal principal, String permission,
            String[] resolvedPermissions) throws Exception {
        assertSame(expected, service.checkPermission(doc, null, principal, permission, resolvedPermissions, null));
    }

    /**
     * Builds a stub document that has no lock, is neither a version nor a proxy, and reports the given checked-out
     * state.
     */
    private Document mockPlainDocument(String mockName, boolean checkedOut) throws Exception {
        final Document mocked = mockery.mock(Document.class, mockName);
        mockery.checking(new Expectations() {
            {
                allowing(mocked).getLock();
                will(returnValue(null));
                allowing(mocked).isVersion();
                will(returnValue(Boolean.FALSE));
                allowing(mocked).isProxy();
                will(returnValue(Boolean.FALSE));
                allowing(mocked).isCheckedOut();
                will(returnValue(checkedOut));
            }
        });
        return mocked;
    }

    /**
     * Checks the WRITE decision on an unlocked and on a locked document, then again on the locked document once
     * the test policy contribution is deployed.
     */
    @Test
    public void testPolicies() throws Exception {
        final String[] resolved = { WRITE };

        // Unlocked document: neither principal gets a decision from the default policies.
        final Document unlocked = mockery.mock(Document.class, "document1");
        mockery.checking(new Expectations() {
            {
                allowing(unlocked).getLock();
                will(returnValue(null));
            }
        });
        assertAccess(UNKNOWN, unlocked, creatorPrincipal, WRITE, resolved);
        assertAccess(UNKNOWN, unlocked, userPrincipal, WRITE, resolved);

        // Document locked by `user` and created by `creator`: WRITE is denied to the principal that does not
        // own the lock, while the lock owner still gets no decision.
        final Lock userLock = new Lock(user, new GregorianCalendar());
        final Document locked = mockery.mock(Document.class, "document2");
        mockery.checking(new Expectations() {
            {
                allowing(locked).getLock();
                will(returnValue(userLock));
                allowing(locked).getPropertyValue("dc:creator");
                will(returnValue(creator));
            }
        });
        assertAccess(DENY, locked, creatorPrincipal, WRITE, resolved);
        assertAccess(UNKNOWN, locked, userPrincipal, WRITE, resolved);

        // The test contribution registers a creator policy with a lower order than the lock policy, so it is
        // consulted first: the creator's DENY becomes a GRANT. Policy ordering is therefore security-sensitive,
        // since a contribution ordered ahead of the lock policy overrides its DENY.
        deployContrib(CORE_TESTS_BUNDLE, "test-security-policy-contrib.xml");
        assertAccess(GRANT, locked, creatorPrincipal, WRITE, resolved);
        assertAccess(UNKNOWN, locked, userPrincipal, WRITE, resolved);
    }

    /**
     * Checks the WRITE decision for the creator on a checked-out and on a not checked-out document, then on the
     * not checked-out one after the second test policy contribution is deployed.
     */
    @Test
    public void testCheckOutPolicy() throws Exception {
        final String[] resolved = { WRITE, WRITE_PROPERTIES };

        // Checked out: no decision from the default policies.
        final Document checkedOutDoc = mockPlainDocument("document3", true);
        assertAccess(UNKNOWN, checkedOutDoc, creatorPrincipal, WRITE, resolved);

        // Not checked out: still no decision from the default policies.
        final Document checkedInDoc = mockPlainDocument("document4", false);
        assertAccess(UNKNOWN, checkedInDoc, creatorPrincipal, WRITE, resolved);

        // With the extra contribution deployed, WRITE on the not checked-out document is denied.
        // NOTE(review): the checked-out document is not re-checked after this deployment, so the test does not
        // show that the added policy leaves checked-out documents alone.
        deployContrib(CORE_TESTS_BUNDLE, "test-security-policy2-contrib.xml");
        assertAccess(DENY, checkedInDoc, creatorPrincipal, WRITE, resolved);
    }
}