1. Project Clover database Sat Feb 2 2019 06:45:20 CET
  2. Package org.xwiki.security.authorization

File DefaultAuthorizationManagerIntegrationTest.java

 

Code metrics

34
239
32
1
800
578
52
0.22
7.47
32
1.62

Classes

Class Line # Actions
DefaultAuthorizationManagerIntegrationTest 100 239 0% 52 21
0.931147593.1%
 

Contributing tests

This file is covered by 14 tests. .

Source view

1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20   
21    package org.xwiki.security.authorization;
22   
23    import java.util.ArrayList;
24    import java.util.Collection;
25    import java.util.Collections;
26   
27    import org.junit.Assert;
28    import org.junit.Before;
29    import org.junit.Rule;
30    import org.junit.Test;
31    import org.mockito.invocation.InvocationOnMock;
32    import org.mockito.stubbing.Answer;
33    import org.xwiki.cache.CacheManager;
34    import org.xwiki.cache.config.CacheConfiguration;
35    import org.xwiki.model.internal.DefaultModelConfiguration;
36    import org.xwiki.model.internal.reference.DefaultEntityReferenceProvider;
37    import org.xwiki.model.internal.reference.DefaultStringEntityReferenceResolver;
38    import org.xwiki.model.internal.reference.DefaultStringEntityReferenceSerializer;
39    import org.xwiki.model.internal.reference.DefaultSymbolScheme;
40    import org.xwiki.model.reference.DocumentReference;
41    import org.xwiki.model.reference.EntityReference;
42    import org.xwiki.model.reference.WikiReference;
43    import org.xwiki.security.DefaultSecurityReferenceFactory;
44    import org.xwiki.security.GroupSecurityReference;
45    import org.xwiki.security.SecurityReference;
46    import org.xwiki.security.SecurityReferenceFactory;
47    import org.xwiki.security.UserSecurityReference;
48    import org.xwiki.security.authorization.cache.SecurityCache;
49    import org.xwiki.security.authorization.cache.SecurityCacheRulesInvalidator;
50    import org.xwiki.security.authorization.cache.internal.DefaultSecurityCache;
51    import org.xwiki.security.authorization.cache.internal.DefaultSecurityCacheLoader;
52    import org.xwiki.security.authorization.cache.internal.TestCache;
53    import org.xwiki.security.authorization.internal.AbstractSecurityRuleEntry;
54    import org.xwiki.security.authorization.internal.DefaultAuthorizationSettler;
55    import org.xwiki.security.authorization.testwikis.SecureTestEntity;
56    import org.xwiki.security.authorization.testwikis.TestAccessRule;
57    import org.xwiki.security.authorization.testwikis.TestDefinition;
58    import org.xwiki.security.authorization.testwikis.TestDocument;
59    import org.xwiki.security.authorization.testwikis.TestEntity;
60    import org.xwiki.security.authorization.testwikis.TestGroup;
61    import org.xwiki.security.authorization.testwikis.TestUserDocument;
62    import org.xwiki.security.authorization.testwikis.TestWiki;
63    import org.xwiki.security.internal.UserBridge;
64    import org.xwiki.security.internal.XWikiBridge;
65    import org.xwiki.test.LogRule;
66    import org.xwiki.test.annotation.BeforeComponent;
67    import org.xwiki.test.annotation.ComponentList;
68   
69    import static org.hamcrest.CoreMatchers.instanceOf;
70    import static org.hamcrest.CoreMatchers.notNullValue;
71    import static org.hamcrest.CoreMatchers.nullValue;
72    import static org.hamcrest.MatcherAssert.assertThat;
73    import static org.junit.Assert.fail;
74    import static org.mockito.ArgumentMatchers.any;
75    import static org.mockito.Mockito.mock;
76    import static org.mockito.Mockito.when;
77    import static org.xwiki.security.authorization.Right.ADMIN;
78    import static org.xwiki.security.authorization.Right.COMMENT;
79    import static org.xwiki.security.authorization.Right.CREATE_WIKI;
80    import static org.xwiki.security.authorization.Right.CREATOR;
81    import static org.xwiki.security.authorization.Right.DELETE;
82    import static org.xwiki.security.authorization.Right.EDIT;
83    import static org.xwiki.security.authorization.Right.ILLEGAL;
84    import static org.xwiki.security.authorization.Right.LOGIN;
85    import static org.xwiki.security.authorization.Right.PROGRAM;
86    import static org.xwiki.security.authorization.Right.REGISTER;
87    import static org.xwiki.security.authorization.Right.SCRIPT;
88    import static org.xwiki.security.authorization.Right.VIEW;
89    import static org.xwiki.security.authorization.Right.values;
90   
91    /**
92    * Test XWiki Authorization policy against the authentication module.
93    *
94    * @since 5.0M2
95    */
96    @ComponentList({ DefaultSecurityCache.class, DefaultStringEntityReferenceResolver.class,
97    DefaultStringEntityReferenceSerializer.class, DefaultEntityReferenceProvider.class, DefaultModelConfiguration.class,
98    AuthorizationManagerConfiguration.class, DefaultSecurityReferenceFactory.class, DefaultSecurityCacheLoader.class,
99    DefaultAuthorizationSettler.class, DefaultAuthorizationManager.class, DefaultSymbolScheme.class })
 
100    public class DefaultAuthorizationManagerIntegrationTest extends AbstractAuthorizationTestCase
101    {
102    private AuthorizationManager authorizationManager;
103   
104    @Rule
105    public final LogRule logCapture = new LogRule();
106   
107    /** Mocked xWikiBridge */
108    private XWikiBridge xWikiBridge;
109   
110    /** Mocked userBridge */
111    private UserBridge userBridge;
112   
113    /** Mocked securityEntryReader */
114    private SecurityEntryReader securityEntryReader;
115   
116    /** Mocked securityCacheRulesInvalidator */
117    private SecurityCacheRulesInvalidator securityCacheRulesInvalidator;
118   
119    /** Mocked cache */
120    private TestCache<Object> cache;
121   
122    /** Factory for security reference */
123    private SecurityReferenceFactory securityReferenceFactory;
124   
 
125  14 toggle @BeforeComponent
126    public void initializeMocks() throws Exception
127    {
128  14 cache = new TestCache<Object>();
129  14 final CacheManager cacheManager = componentManager.registerMockComponent(CacheManager.class);
130  14 when(cacheManager.createNewCache(any(CacheConfiguration.class))).thenReturn(cache);
131   
132  14 xWikiBridge = componentManager.registerMockComponent(XWikiBridge.class);
133  14 userBridge = componentManager.registerMockComponent(UserBridge.class);
134  14 securityEntryReader = componentManager.registerMockComponent(SecurityEntryReader.class);
135  14 securityCacheRulesInvalidator = componentManager.registerMockComponent(SecurityCacheRulesInvalidator.class);
136   
137  14 when(xWikiBridge.toCompatibleEntityReference(any(EntityReference.class)))
138    .thenAnswer(new Answer<EntityReference>()
139    {
 
140  1277 toggle @Override
141    public EntityReference answer(InvocationOnMock invocation) throws Throwable
142    {
143  1277 return invocation.getArgument(0);
144    }
145    });
146    }
147   
 
148  14 toggle @Before
149    public void setUp() throws Exception
150    {
151  14 securityReferenceFactory = componentManager.getInstance(SecurityReferenceFactory.class);
152  14 authorizationManager = componentManager.getInstance(AuthorizationManager.class);
153    }
154   
155    /**
156    * Assert an allowed access for a given right for a given user on a given entity.
157    *
158    * @param message the assert message
159    * @param right the right to check for allowance
160    * @param userReference the reference of the user to test.
161    * @param entityReference the reference of the entity to test.
162    * @throws Exception on error.
163    */
 
164  0 toggle protected void assertAccessTrue(String message, Right right, DocumentReference userReference,
165    EntityReference entityReference) throws Exception
166    {
167  0 Assert.assertTrue(message, authorizationManager.hasAccess(right, userReference, entityReference));
168    }
169   
170    /**
171    * Assert a denied access for a given right for a given user on a given entity.
172    *
173    * @param message the assert message
174    * @param right the right to check for denial
175    * @param userReference the reference of the user to test.
176    * @param entityReference the reference of the entity to test.
177    * @throws Exception on error.
178    */
 
179  0 toggle protected void assertAccessFalse(String message, Right right, DocumentReference userReference,
180    EntityReference entityReference) throws Exception
181    {
182  0 Assert.assertFalse(message, authorizationManager.hasAccess(right, userReference, entityReference));
183    }
184   
185    /**
186    * Check all rights for access by given user on a given entity.
187    *
188    * @param allowedRights the set of rights that should be allowed.
189    * @param userReference the reference of the user to test.
190    * @param entityReference the reference of the entity to test.
191    * @throws Exception on error.
192    */
 
193  117 toggle protected void assertAccess(RightSet allowedRights, DocumentReference userReference,
194    EntityReference entityReference) throws Exception
195    {
196  117 for (Right right : values()) {
197  1404 if (allowedRights != null && allowedRights.contains(right)) {
198  646 if (!authorizationManager.hasAccess(right, userReference, entityReference)) {
199  0 fail(String.format("[%s] should have [%s] right on [%s].", getUserReadableName(userReference),
200    right, getEntityReadableName(entityReference)));
201    }
202    } else {
203  758 if (authorizationManager.hasAccess(right, userReference, entityReference)) {
204  0 fail(String.format("[%s] should not have [%s] right on [%s].", getUserReadableName(userReference),
205    right, getEntityReadableName(entityReference)));
206    }
207    }
208    }
209    }
210   
 
211  2103 toggle private boolean compareReferenceNullSafe(EntityReference entity1, EntityReference entity2)
212    {
213  2103 return entity1 == entity2 || (entity1 != null && entity1.equals(entity2));
214    }
215   
 
216  1051 toggle private SecurityRule mockSecurityRule(SecurityReference reference, final Right right, RuleState state,
217    final DocumentReference userOrGroup, boolean isUser)
218    {
219  1051 SecurityRule mockedRule = mock(SecurityRule.class,
220    String.format("Rule for [%s] %s [%s] right to %s [%s]", reference.toString(),
221  1051 state == RuleState.ALLOW ? "allowing" : "denying", right.getName(), (isUser) ? "user" : "group",
222    userOrGroup.toString()));
223  1051 when(mockedRule.getState()).thenReturn(state);
224  1051 when(mockedRule.match(any(Right.class))).thenAnswer(new Answer<Boolean>()
225    {
 
226  17526 toggle @Override
227    public Boolean answer(InvocationOnMock invocationOnMock) throws Throwable
228    {
229  17526 Right reqRight = (Right) invocationOnMock.getArguments()[0];
230  17526 return (reqRight == right);
231    }
232    });
233  1051 if (isUser) {
234  841 when(mockedRule.match(any(UserSecurityReference.class))).thenAnswer(new Answer<Boolean>()
235    {
 
236  1786 toggle @Override
237    public Boolean answer(InvocationOnMock invocationOnMock) throws Throwable
238    {
239  1786 SecurityReference reference = (UserSecurityReference) invocationOnMock.getArguments()[0];
240  1786 return compareReferenceNullSafe(userOrGroup, reference.getOriginalDocumentReference());
241    }
242    });
243    // when(mockedRule.match(any(GroupSecurityReference.class))).thenReturn(false);
244    } else {
245  210 when(mockedRule.match(any(GroupSecurityReference.class))).thenAnswer(new Answer<Boolean>()
246    {
 
247  313 toggle @Override
248    public Boolean answer(InvocationOnMock invocationOnMock) throws Throwable
249    {
250  313 SecurityReference reference = (GroupSecurityReference) invocationOnMock.getArguments()[0];
251  313 return compareReferenceNullSafe(userOrGroup, reference.getOriginalDocumentReference());
252    }
253    });
254    // when(mockedRule.match(any(UserSecurityReference.class))).thenReturn(false);
255    }
256  1051 return mockedRule;
257    }
258   
 
259  14 toggle @Override
260    public TestDefinition initialiseWikiMock(String filename) throws Exception
261    {
262  14 super.initialiseWikiMock(filename);
263   
264  14 when(xWikiBridge.getMainWikiReference()).thenReturn(testDefinition.getMainWiki().getWikiReference());
265  14 when(xWikiBridge.isWikiReadOnly()).thenReturn(false);
266   
267  14 when(userBridge.getAllGroupsFor(any(UserSecurityReference.class), any(WikiReference.class)))
268    .thenAnswer(new Answer<Collection<GroupSecurityReference>>()
269    {
 
270  81 toggle @Override
271    public Collection<GroupSecurityReference> answer(InvocationOnMock invocationOnMock) throws Throwable
272    {
273  81 UserSecurityReference userReference = (UserSecurityReference) invocationOnMock.getArguments()[0];
274  81 WikiReference wikiReference = (WikiReference) invocationOnMock.getArguments()[1];
275   
276  81 if (userReference.getOriginalReference() == null) {
277    // Public users (not logged in) may not appears in any group
278  0 return Collections.emptyList();
279    }
280   
281  81 TestWiki wiki = testDefinition.getWiki(userReference.getOriginalReference().getWikiReference());
282  81 if (wiki == null) {
283  0 throw new AuthorizationException(
284    String.format("Failed to get groups for user or group [%s] in wiki [%s]. Unknown wiki.",
285    userReference, wikiReference),
286    null);
287    }
288   
289  81 TestUserDocument user = wiki.getUser(userReference.getName());
290  81 if (user == null) {
291  3 return Collections.emptyList();
292    }
293   
294  78 Collection<GroupSecurityReference> groups = new ArrayList<GroupSecurityReference>();
295  78 for (TestGroup group : user.getGroups()) {
296    // Ensure we return only group of the requested wiki
297  35 if (group.getGroupReference().getWikiReference().equals(wikiReference)) {
298  29 groups.add(securityReferenceFactory.newGroupReference(group.getGroupReference()));
299    }
300    }
301  78 return groups;
302    }
303    });
304   
305  14 when(securityEntryReader.read(any(SecurityReference.class))).thenAnswer(new Answer<SecurityRuleEntry>()
306    {
 
307  283 toggle @Override
308    public SecurityRuleEntry answer(InvocationOnMock invocationOnMock) throws Throwable
309    {
310  283 final SecurityReference reference = (SecurityReference) invocationOnMock.getArguments()[0];
311   
312  283 TestEntity entity = testDefinition.searchEntity(reference);
313   
314  283 Collection<TestAccessRule> rules = (entity != null && entity instanceof SecureTestEntity)
315    ? ((SecureTestEntity) entity).getAccessRules() : Collections.<TestAccessRule>emptyList();
316   
317  283 final Collection<SecurityRule> mockedRules = new ArrayList<SecurityRule>();
318  283 for (final TestAccessRule rule : rules) {
319  853 mockedRules.add(
320    mockSecurityRule(reference, rule.getRight(), rule.getState(), rule.getUser(), rule.isUser()));
321    }
322   
323  283 if (entity instanceof TestWiki) {
324  48 TestWiki wiki = (TestWiki) entity;
325  48 if (wiki.getOwner() != null) {
326  48 mockedRules
327    .add(mockSecurityRule(reference, Right.ADMIN, RuleState.ALLOW, wiki.getOwner(), true));
328    }
329    }
330   
331  283 if (entity instanceof TestDocument) {
332  150 TestDocument document = (TestDocument) entity;
333  150 if (document.getCreator() != null) {
334  150 mockedRules.add(
335    mockSecurityRule(reference, Right.CREATOR, RuleState.ALLOW, document.getCreator(), true));
336    }
337    }
338   
339    // This mock should be barely comparable for #testLoadUserInAnotherWikiAfterUserDoc()
340    /*
341    * SecurityRuleEntry accessEntry = mock(SecurityRuleEntry.class,
342    * String.format("Rule entry for %s containing %d rules", reference.toString(), mockedRules.size()));
343    * when(accessEntry.getReference()).thenReturn(reference);
344    * when(accessEntry.isEmpty()).thenReturn(mockedRules.isEmpty());
345    * when(accessEntry.getRules()).thenReturn(mockedRules);
346    */
347   
348  283 return new AbstractSecurityRuleEntry()
349    {
 
350  4515 toggle @Override
351    public Collection<SecurityRule> getRules()
352    {
353  4515 return mockedRules;
354    }
355   
 
356  1693 toggle @Override
357    public SecurityReference getReference()
358    {
359  1693 return reference;
360    }
361   
 
362  0 toggle @Override
363    public String toString()
364    {
365  0 return String.format("Rule entry for %s containing %d rules", reference.toString(),
366    mockedRules.size());
367    }
368   
 
369  4 toggle @Override
370    public boolean equals(Object object)
371    {
372  4 if (object == this) {
373  0 return true;
374    }
375  4 if (!(object instanceof SecurityRuleEntry)) {
376  0 return false;
377    }
378  4 SecurityRuleEntry other = (SecurityRuleEntry) object;
379   
380  4 return compareReferenceNullSafe(other.getReference(), reference)
381    && other.getRules().size() == mockedRules.size();
382    }
383    };
384    }
385    });
386   
387  14 return testDefinition;
388    }
389   
 
390  1 toggle @Test
391    public void testDefaultAccessOnEmptyWikis() throws Exception
392    {
393  1 initialiseWikiMock("emptyWikis");
394   
395    // Public access on main wiki
396  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, REGISTER, LOGIN), null,
397    getXDoc("an empty main wiki", "anySpace"));
398   
399    // SuperAdmin access on main wiki
400  1 assertAccess(new RightSet(VIEW, EDIT, SCRIPT, COMMENT, DELETE, CREATOR, REGISTER, LOGIN, ADMIN, PROGRAM,
401    CREATE_WIKI, ILLEGAL), SUPERADMIN, getXDoc("an empty main wiki", "anySpace"));
402   
403    // Any Global user without access rules on main wiki
404  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, REGISTER, LOGIN),
405    getXUser("a global user without any access rule"), getXDoc("main wiki", "anySpace"));
406   
407    // Any Local user on main wiki
408  1 assertAccess(null, getUser("a local user", "any SubWiki"), getXDoc("main wiki", "anySpace"));
409   
410    // Public access on sub wiki
411  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, REGISTER, LOGIN), null,
412    getDoc("an empty sub wiki", "anySpace", "any SubWiki"));
413   
414    // SuperAdmin access on sub wiki
415  1 assertAccess(new RightSet(VIEW, EDIT, SCRIPT, COMMENT, DELETE, CREATOR, REGISTER, LOGIN, ADMIN, PROGRAM,
416    CREATE_WIKI, ILLEGAL), SUPERADMIN, getDoc("an empty sub wiki", "anySpace", "any SubWiki"));
417   
418    // Any Global user without access rules on sub wiki
419  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, REGISTER, LOGIN),
420    getXUser("a global user without any access rule"), getDoc("a subwiki", "anySpace", "any SubWiki"));
421   
422    // Any Local user on another subwiki
423  1 assertAccess(null, getUser("a local user", "any SubWiki"),
424    getDoc("an another subwiki", "anySpace", "any Other SubWiki"));
425   
426    }
427   
 
428  1 toggle @Test
429    public void testInheritancePolicyForFullFarmAccess() throws Exception
430    {
431  1 initialiseWikiMock("inheritancePolicyFullFarmAccess");
432   
433    // Main wiki allowing all access to A
434  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getXDoc("any document", "any space"));
435  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getXDoc("any document", "spaceDenyA"));
436  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getXDoc("docAllowA", "spaceDenyA"));
437  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getXDoc("docDenyA", "any space"));
438   
439  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("any document", "any space", "wikiNoRules"));
440  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("any document", "spaceDenyA", "wikiNoRules"));
441  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("docAllowA", "spaceDenyA", "wikiNoRules"));
442  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("docDenyA", "any space", "wikiNoRules"));
443   
444  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("any document", "any space", "wikiDenyA"));
445  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("any document", "spaceAllowA", "wikiDenyA"));
446  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("docDenyA", "spaceAllowA", "wikiDenyA"));
447  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("docAllowA", "any space", "wikiDenyA"));
448    }
449   
 
450  1 toggle @Test
451    public void testInheritancePolicyForGlobalFullWikiAccess() throws Exception
452    {
453  1 initialiseWikiMock("inheritancePolicyForGlobalFullWikiAccess");
454   
455    // Main wiki denying all access to A
456  1 assertAccess(null, getXUser("userA"), getXDoc("any document", "any space"));
457  1 assertAccess(ALL_SPACE_RIGHTS, getXUser("userA"), getXDoc("any document", "spaceAllowA"));
458  1 assertAccess(ALL_SPACE_RIGHTS, getXUser("userA"), getXDoc("docDenyA", "spaceAllowA"));
459  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getXDoc("docAllowA", "any space"));
460   
461  1 assertAccess(null, getXUser("userA"), getDoc("any document", "any space", "wikiNoRules"));
462  1 assertAccess(ALL_SPACE_RIGHTS, getXUser("userA"), getDoc("any document", "spaceAllowA", "wikiNoRules"));
463  1 assertAccess(ALL_SPACE_RIGHTS, getXUser("userA"), getDoc("docDenyA", "spaceAllowA", "wikiNoRules"));
464  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getDoc("docAllowA", "any space", "wikiNoRules"));
465   
466  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"),
467    getDoc("any document", "any space", "wikiAllowA"));
468  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"),
469    getDoc("any document", "spaceDenyA", "wikiAllowA"));
470  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"),
471    getDoc("docAllowA", "spaceDenyA", "wikiAllowA"));
472  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"),
473    getDoc("docDenyA", "any space", "wikiAllowA"));
474    }
475   
 
476  1 toggle @Test
477    public void testInheritancePolicyForLocalWikiAccess() throws Exception
478    {
479  1 initialiseWikiMock("inheritancePolicyForLocalWikiAccess");
480   
481    // Main wiki denying all access to A
482  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiAllowA"),
483    getDoc("any document", "any space", "wikiAllowA"));
484  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiAllowA"),
485    getDoc("any document", "spaceDenyA", "wikiAllowA"));
486  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiAllowA"),
487    getDoc("docAllowA", "spaceDenyA", "wikiAllowA"));
488  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiAllowA"),
489    getDoc("docDenyA", "any space", "wikiAllowA"));
490   
491  1 assertAccess(null, getUser("userA", "wikiDenyA"), getDoc("any document", "any space", "wikiDenyA"));
492  1 assertAccess(ALL_SPACE_RIGHTS, getUser("userA", "wikiDenyA"),
493    getDoc("any document", "spaceAllowA", "wikiDenyA"));
494  1 assertAccess(ALL_SPACE_RIGHTS, getUser("userA", "wikiDenyA"), getDoc("docDenyA", "spaceAllowA", "wikiDenyA"));
495  1 assertAccess(ALL_DOCUMENT_RIGHTS, getUser("userA", "wikiDenyA"),
496    getDoc("any document", "spaceAllowANoAdmin", "wikiDenyA"));
497  1 assertAccess(null, getUser("userA", "wikiDenyA"), getDoc("docDenyA", "spaceAllowANoAdmin", "wikiDenyA"));
498  1 assertAccess(ALL_DOCUMENT_RIGHTS, getUser("userA", "wikiDenyA"), getDoc("docAllowA", "any space", "wikiDenyA"));
499   
500  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getUser("userA", "wikiAllowNoAdminA"),
501    getDoc("any document", "any space", "wikiAllowNoAdminA"));
502  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userA", "wikiAllowNoAdminA"),
503    getDoc("any document", "spaceDenyA", "wikiAllowNoAdminA"));
504  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getUser("userA", "wikiAllowNoAdminA"),
505    getDoc("docAllowA", "spaceDenyA", "wikiAllowNoAdminA"));
506  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userA", "wikiAllowNoAdminA"),
507    getDoc("docDenyA", "any space", "wikiAllowNoAdminA"));
508    }
509   
 
510  1 toggle @Test
511    public void testInheritancePolicyForNoAdminFarmAccess() throws Exception
512    {
513  1 initialiseWikiMock("inheritancePolicyForNoAdminFarmAccess");
514   
515    // Main wiki allowing all but admin access to A
516  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getXDoc("any document", "any space"));
517  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getXDoc("any document", "spaceDenyA"));
518  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getXDoc("docAllowA", "spaceDenyA"));
519  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getXDoc("docDenyA", "any space"));
520   
521  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
522    getDoc("any document", "any space", "wikiNoRules"));
523  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"),
524    getDoc("any document", "spaceDenyA", "wikiNoRules"));
525  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
526    getDoc("docAllowA", "spaceDenyA", "wikiNoRules"));
527  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getDoc("docDenyA", "any space", "wikiNoRules"));
528   
529  1 assertAccess(null, getXUser("userA"), getDoc("any document", "any space", "wikiDenyA"));
530  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getDoc("any document", "spaceAllowA", "wikiDenyA"));
531  1 assertAccess(null, getXUser("userA"), getDoc("docDenyA", "spaceAllowA", "wikiDenyA"));
532  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getDoc("docAllowA", "any space", "wikiDenyA"));
533    }
534   
 
535  1 toggle @Test
536    public void testInheritancePolicyForNoAdminWikiAccess() throws Exception
537    {
538  1 initialiseWikiMock("inheritancePolicyForNoAdminWikiAccess");
539   
540    // Main wiki denying all access to A
541  1 assertAccess(null, getXUser("userA"), getXDoc("any document", "any space"));
542  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getXDoc("any document", "spaceAllowA"));
543  1 assertAccess(null, getXUser("userA"), getXDoc("docDenyA", "spaceAllowA"));
544  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getXDoc("docAllowA", "any space"));
545   
546  1 assertAccess(null, getXUser("userA"), getDoc("any document", "any space", "wikiNoRules"));
547  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getDoc("any document", "spaceAllowA", "wikiNoRules"));
548  1 assertAccess(null, getXUser("userA"), getDoc("docDenyA", "spaceAllowA", "wikiNoRules"));
549  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getDoc("docAllowA", "any space", "wikiNoRules"));
550   
551  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
552    getDoc("any document", "any space", "wikiAllowA"));
553  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"),
554    getDoc("any document", "spaceDenyA", "wikiAllowA"));
555  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
556    getDoc("docAllowA", "spaceDenyA", "wikiAllowA"));
557  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getDoc("docDenyA", "any space", "wikiAllowA"));
558    }
559   
 
560  1 toggle @Test
561    public void testTieResolutionPolicy() throws Exception
562    {
563  1 initialiseWikiMock("tieResolutionPolicy");
564   
565  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiUserAllowDeny"),
566    getWiki("wikiUserAllowDeny"));
567  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiUserDenyAllow"),
568    getWiki("wikiUserDenyAllow"));
569  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiGroupAllowDeny"),
570    getWiki("wikiGroupAllowDeny"));
571  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiGroupDenyAllow"),
572    getWiki("wikiGroupDenyAllow"));
573  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiUserGroupAllowDeny"),
574    getWiki("wikiUserGroupAllowDeny"));
575  1 assertAccess(null, getUser("userA", "wikiUserGroupDenyAllow"), getWiki("wikiUserGroupDenyAllow"));
576  1 assertAccess(null, getUser("userA", "wikiGroupUserAllowDeny"), getWiki("wikiGroupUserAllowDeny"));
577  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiGroupUserDenyAllow"),
578    getWiki("wikiGroupUserDenyAllow"));
579   
580  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userA", "wikiUserAllowDenyNoAdmin"),
581    getWiki("wikiUserAllowDenyNoAdmin"));
582  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userA", "wikiUserDenyAllowNoAdmin"),
583    getWiki("wikiUserDenyAllowNoAdmin"));
584  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userA", "wikiGroupAllowDenyNoAdmin"),
585    getWiki("wikiGroupAllowDenyNoAdmin"));
586  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userA", "wikiGroupDenyAllowNoAdmin"),
587    getWiki("wikiGroupDenyAllowNoAdmin"));
588  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getUser("userA", "wikiUserGroupAllowDenyNoAdmin"),
589    getWiki("wikiUserGroupAllowDenyNoAdmin"));
590  1 assertAccess(null, getUser("userA", "wikiUserGroupDenyAllowNoAdmin"), getWiki("wikiUserGroupDenyAllowNoAdmin"));
591  1 assertAccess(null, getUser("userA", "wikiGroupUserAllowDenyNoAdmin"), getWiki("wikiGroupUserAllowDenyNoAdmin"));
592  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getUser("userA", "wikiGroupUserDenyAllowNoAdmin"),
593    getWiki("wikiGroupUserDenyAllowNoAdmin"));
594    }
595   
 
596  1 toggle @Test
597    public void testDocumentCreator() throws Exception
598    {
599  1 initialiseWikiMock("documentCreator");
600   
601  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, DELETE, CREATOR, LOGIN, REGISTER), getXUser("userA"),
602    getXDoc("userAdoc", "space"));
603  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, LOGIN, REGISTER), getXUser("userA"),
604    getXDoc("userBdoc", "space"));
605  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, LOGIN, REGISTER), getXUser("userB"),
606    getXDoc("userAdoc", "space"));
607  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, DELETE, CREATOR, LOGIN, REGISTER), getXUser("userB"),
608    getXDoc("userBdoc", "space"));
609    }
610   
 
611  1 toggle @Test
612    public void testOwnerAccess() throws Exception
613    {
614  1 initialiseWikiMock("ownerAccess");
615   
616    // Owner of main wiki has admin access to all wikis whatever the wiki access is
617  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"),
618    getXDoc("any document", "any space"));
619  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"),
620    getDoc("any document", "any space", "wikiNoRules"));
621  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"),
622    getDoc("any document", "any space", "wikiLocalUserA"));
623  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"),
624    getDoc("any document", "any space", "wikiDenyLocalUserA"));
625   
626    // Local owner has admin access whatever the wiki access is
627  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiLocalUserA"),
628    getDoc("any document", "any space", "wikiLocalUserA"));
629  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiDenyLocalUserA"),
630    getDoc("any document", "any space", "wikiDenyLocalUserA"));
631    }
632   
 
633  1 toggle @Test
634    public void testGroupAccess() throws Exception
635    {
636  1 initialiseWikiMock("groupAccess");
637   
638  1 assertAccess(DEFAULT_DOCUMENT_RIGHTS, getXUser("userA"), getXDoc("any document", "any space"));
639  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
640    getXDoc("docAllowGroupA", "any space"));
641  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
642    getXDoc("docAllowGroupB", "any space"));
643  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getXDoc("docDenyGroupA", "any space"));
644  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getXDoc("docDenyGroupB", "any space"));
645  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
646    getXDoc("docDenyGroupAAllowUserA", "any space"));
647  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
648    getXDoc("docDenyGroupBAllowUserA", "any space"));
649  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"),
650    getXDoc("docDenyGroupBAllowGroupA", "any space"));
651  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"),
652    getXDoc("docDenyGroupAAllowGroupB", "any space"));
653   
654  1 assertAccess(DEFAULT_DOCUMENT_RIGHTS, getUser("userB", "subwiki"),
655    getDoc("any document", "any space", "subwiki"));
656  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getUser("userB", "subwiki"),
657    getDoc("docAllowGroupA", "any space", "subwiki"));
658  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getUser("userB", "subwiki"),
659    getDoc("docAllowGroupB", "any space", "subwiki"));
660  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userB", "subwiki"),
661    getDoc("docAllowGroupC", "any space", "subwiki"));
662   
663  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
664    getDoc("docAllowGlobalGroupA", "any space", "subwiki"));
665  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
666    getDoc("docAllowGlobalGroupB", "any space", "subwiki"));
667  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
668    getDoc("docAllowGroupA", "any space", "subwiki"));
669  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
670    getDoc("docAllowGroupB", "any space", "subwiki"));
671  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"),
672    getDoc("docAllowGroupC", "any space", "subwiki"));
673   
674    /** Test XWIKI-13574 **/
675  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userD"),
676    getXDoc("docAllowGroupB", "any space"));
677  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userC"),
678    getXDoc("docAllowGroupB", "any space"));
679  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userB"),
680    getXDoc("docAllowGroupB", "any space"));
681    }
682   
 
683  1 toggle @Test
684    public void testCheckAccess() throws Exception
685    {
686  1 initialiseWikiMock("emptyWikis");
687   
688  1 authorizationManager.checkAccess(VIEW, null, getXDoc("an empty main wiki", "anySpace"));
689   
690  1 try {
691  1 authorizationManager.checkAccess(ADMIN, null, getXDoc("an empty main wiki", "anySpace"));
692  0 fail("checkAccess should throw access denied exception when access is denied.");
693    } catch (AccessDeniedException e) {
694  1 assertThat("checkAccess should throw access denied exception without any cause when access is denied",
695    e.getCause(), nullValue());
696    }
697    }
698   
 
699  1 toggle @Test
700    public void testLoadUserAfterUserDoc() throws Exception
701    {
702  1 initialiseWikiMock("loadUserAfterUserDoc");
703   
704    // Check access to the userA document => introduce the userA as a simple document into the cache
705  1 authorizationManager.checkAccess(VIEW, getXUser("userB"), getXUser("userA"));
706   
707    // Check access of userA to the userB document => it prove userA is in groupA and has access
708  1 authorizationManager.checkAccess(VIEW, getXUser("userA"), getXUser("userB"));
709   
710  1 SecurityCache securityCache = componentManager.getInstance(SecurityCache.class);
711   
712    // a userA entry is in the cache
713  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))), notNullValue());
714   
715  1 assertThat("UserA should be considered as a user by the cache, else the group cache will not be used",
716    securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))).getReference(),
717    instanceOf(UserSecurityReference.class));
718   
719    // remove group A from the cache => this should also remove all members of groupA
720  1 securityCache.remove(securityReferenceFactory.newUserReference(getXUser("groupA")));
721   
722    // check that userA was seen as a member of groupA by the cache => implies document userA was considered as a
723    // user (and not simply a document) after the second check.
724  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))), nullValue());
725    }
726   
727    // Test XWIKI-12016
 
728  1 toggle @Test
729    public void testGroupCacheLoadingUserAfterGroupDoc() throws Exception
730    {
731  1 initialiseWikiMock("loadUserAfterUserDoc");
732   
733    // Check access to the groupA document => introduce the groupA as a simple document into the cache
734  1 authorizationManager.checkAccess(VIEW, getXUser("userB"), getXUser("groupA"));
735   
736    // Check access of userA to the userA document => it transform group document into a true group
737  1 authorizationManager.checkAccess(VIEW, getXUser("userA"), getXUser("userA"));
738   
739    // Check access of userA to the userB document => it prove userA is in groupA (from cache) and has access
740  1 authorizationManager.checkAccess(VIEW, getXUser("userA"), getXUser("userB"));
741   
742  1 SecurityCache securityCache = componentManager.getInstance(SecurityCache.class);
743   
744    // a userA entry is in the cache
745  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))), notNullValue());
746   
747  1 assertThat("UserA should be considered as a user by the cache, else the group cache will not be used",
748    securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))).getReference(),
749    instanceOf(UserSecurityReference.class));
750   
751    // a userA entry in the cache is know as a user, else the group cache is inactive for her
752  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))).getReference(),
753    instanceOf(UserSecurityReference.class));
754   
755    // remove group A from the cache => this should also remove all members of groupA
756  1 securityCache.remove(securityReferenceFactory.newUserReference(getXUser("groupA")));
757   
758    // check that userA was seen as a member of groupA by the cache => implies document userA was considered as a
759    // user (and not simply a document) after the second check.
760  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))), nullValue());
761    }
762   
 
763  1 toggle @Test
764    public void testLoadUserInAnotherWikiAfterUserDoc() throws Exception
765    {
766  1 initialiseWikiMock("loadUserAfterUserDoc");
767   
768    // Check access to the userA document => introduce the userA as a simple document into the cache
769  1 authorizationManager.checkAccess(VIEW, getXUser("userB"), getXUser("userA"));
770   
771    // Check access of userA to the userB document => it prove userA is in groupA and has access
772  1 authorizationManager.checkAccess(VIEW, getXUser("userA"), getDoc("any document", "any space", "subwiki"));
773   
774    // Check access of userA to the userB document => it prove userA is in groupA and has access
775  1 authorizationManager.checkAccess(VIEW, getXUser("userA"), getXUser("userB"));
776   
777  1 SecurityCache securityCache = componentManager.getInstance(SecurityCache.class);
778   
779    // a userA entry is in the cache
780  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))), notNullValue());
781   
782    // a userA accessEntry is still in the cache for the document in the subwiki
783  1 assertThat(
784    securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA")),
785    securityReferenceFactory.newEntityReference(getDoc("any document", "any space", "subwiki"))),
786    notNullValue());
787   
788    // remove group A from the cache => this should also remove all members of groupA
789  1 securityCache.remove(securityReferenceFactory.newUserReference(getXUser("groupA")));
790   
791    // check that userA was seen as a member of groupA by the cache => implies document userA is now a user
792  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))), nullValue());
793   
794    // check that the shadow userA has also been affected
795  1 assertThat(
796    securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA")),
797    securityReferenceFactory.newEntityReference(getDoc("any document", "any space", "subwiki"))),
798    nullValue());
799    }
800    }