1. Project Clover database Sat Feb 2 2019 06:45:20 CET
  2. Package org.xwiki.security.authorization.internal

File DefaultAuthorizationSettlerTest.java

 

Code metrics

6
183
12
1
720
579
15
0.08
15.25
12
1.25

Classes

Class Line # Actions
DefaultAuthorizationSettlerTest 64 183 0% 15 0
1.0100%
 

Contributing tests

This file is covered by 8 tests. .

Source view

1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.security.authorization.internal;
21   
22    import java.util.ArrayDeque;
23    import java.util.ArrayList;
24    import java.util.Arrays;
25    import java.util.Collections;
26    import java.util.Deque;
27    import java.util.List;
28   
29    import org.hamcrest.Matcher;
30    import org.junit.Before;
31    import org.junit.Rule;
32    import org.junit.Test;
33    import org.xwiki.security.GroupSecurityReference;
34    import org.xwiki.security.SecurityReference;
35    import org.xwiki.security.UserSecurityReference;
36    import org.xwiki.security.authorization.AbstractAdditionalRightsTestCase;
37    import org.xwiki.security.authorization.AuthorizationSettler;
38    import org.xwiki.security.authorization.Right;
39    import org.xwiki.security.authorization.RuleState;
40    import org.xwiki.security.authorization.SecurityAccess;
41    import org.xwiki.security.authorization.SecurityAccessEntry;
42    import org.xwiki.security.authorization.SecurityRule;
43    import org.xwiki.security.authorization.SecurityRuleEntry;
44    import org.xwiki.test.mockito.MockitoComponentMockingRule;
45   
46    import static org.hamcrest.CoreMatchers.anyOf;
47    import static org.hamcrest.CoreMatchers.equalTo;
48    import static org.hamcrest.CoreMatchers.is;
49    import static org.hamcrest.CoreMatchers.not;
50    import static org.junit.Assert.assertThat;
51    import static org.mockito.Mockito.mock;
52    import static org.mockito.Mockito.when;
53    import static org.mockito.hamcrest.MockitoHamcrest.argThat;
54    import static org.xwiki.security.authorization.RuleState.ALLOW;
55    import static org.xwiki.security.authorization.RuleState.DENY;
56    import static org.xwiki.security.authorization.RuleState.UNDETERMINED;
57   
58    /**
59    * Default authorization settler unit tests.
60    *
61    * @version $Id: 8bc5d6b5f5bda87f7307f5650c536f6c6cf45b8c $
62    * @since 4.0M2
63    */
 
64    public class DefaultAuthorizationSettlerTest extends AbstractAdditionalRightsTestCase
65    {
66    @Rule
67    public final MockitoComponentMockingRule<AuthorizationSettler> authorizationSettlerMocker =
68    new MockitoComponentMockingRule<AuthorizationSettler>(DefaultAuthorizationSettler.class);
69   
70    private AuthorizationSettler authorizationSettler;
71   
72    private XWikiSecurityAccess defaultAccess;
73    private XWikiSecurityAccess denyAllAccess;
74   
 
75  8 toggle @Before
76    public void configure() throws Exception
77    {
78  8 defaultAccess = XWikiSecurityAccess.getDefaultAccess();
79  8 denyAllAccess = new XWikiSecurityAccess();
80  8 for (Right right : Right.values()) {
81  179 denyAllAccess.deny(right);
82    }
83   
84  8 this.authorizationSettler = authorizationSettlerMocker.getComponentUnderTest();
85    }
86   
 
87  31 toggle private Deque<SecurityRuleEntry> getMockedSecurityRuleEntries(String name, final SecurityReference reference,
88    final List<List<SecurityRule>> ruleEntries)
89    {
90  31 final Deque<SecurityReference> refs = reference.getReversedSecurityReferenceChain();
91  31 final Deque<SecurityRuleEntry> entries = new ArrayDeque<SecurityRuleEntry>(refs.size());
92   
93  31 for (SecurityReference ref : refs) {
94  119 entries.push(mock(SecurityRuleEntry.class, name + ref));
95    }
96   
97  31 int i = 0;
98  31 SecurityReference ref = reference;
99  31 for (SecurityRuleEntry entry : entries) {
100  119 List<SecurityRule> rules;
101   
102  119 if (i < ruleEntries.size()) {
103  47 rules = ruleEntries.get(i);
104    } else {
105  72 rules = Collections.emptyList();
106    }
107   
108  119 when(entry.getReference()).thenReturn(ref);
109  119 when(entry.getRules()).thenReturn(rules);
110  119 when(entry.isEmpty()).thenReturn(rules.size() == 0);
111   
112  119 ref = ref.getParentSecurityReference();
113  119 i++;
114    }
115   
116  31 return entries;
117    }
118   
 
119  25 toggle private SecurityRule getMockedSecurityRule(String name, Iterable<UserSecurityReference> users,
120    Iterable<GroupSecurityReference> groups, Iterable<Right> rights, final RuleState state) {
121  25 final SecurityRule rule = mock(SecurityRule.class, name);
122   
123  25 final List<Matcher<? super UserSecurityReference>> userMatchers
124    = new ArrayList<Matcher<? super UserSecurityReference>>();
125  25 final List<Matcher<? super GroupSecurityReference>> groupMatchers
126    = new ArrayList<Matcher<? super GroupSecurityReference>>();
127  25 final List<Matcher<? super Right>> rightMatchers = new ArrayList<Matcher<? super Right>>();
128   
129  25 for (UserSecurityReference user : users) {
130  24 userMatchers.add(is(user));
131    }
132  25 for (GroupSecurityReference group : groups) {
133  13 groupMatchers.add(is(group));
134    }
135  25 for (Right right : rights) {
136  116 rightMatchers.add(is(right));
137    }
138   
139  25 when(rule.match(argThat(anyOf(userMatchers)))).thenReturn(true);
140  25 when(rule.match(argThat(anyOf(groupMatchers)))).thenReturn(true);
141  25 when(rule.match(argThat(anyOf(rightMatchers)))).thenReturn(true);
142  25 when(rule.match(argThat(not(anyOf(userMatchers))))).thenReturn(false);
143  25 when(rule.match(argThat(not(anyOf(groupMatchers))))).thenReturn(false);
144  25 when(rule.match(argThat(not(anyOf(rightMatchers))))).thenReturn(false);
145  25 when(rule.getState()).thenReturn(state);
146   
147  25 return rule;
148    }
149   
150   
 
151  53 toggle private void assertAccess(String message, UserSecurityReference user, SecurityReference entity,
152    SecurityAccess access, SecurityAccessEntry actual)
153    {
154  53 assertThat(message + " - user", actual.getUserReference(), equalTo(user));
155  53 assertThat(message + " - entity", actual.getReference(), equalTo(entity));
156  53 for (Right right : Right.values()) {
157  1178 if (access.get(right) != UNDETERMINED) {
158  898 assertThat(message + " - Right(" + right.getName() + ")",
159    actual.getAccess().get(right), equalTo(access.get(right)));
160    }
161    }
162    }
163   
 
164  1 toggle @Test
165    public void testSettleNoRulesOnMainWiki() throws Exception
166    {
167  1 Deque<SecurityRuleEntry> emptyXdocRules
168    = getMockedSecurityRuleEntries("emptyXdocRules", xdocRef, Collections.<List<SecurityRule>>emptyList());
169   
170  1 assertAccess("When no rules are defined, return default access for main wiki user on main wiki doc",
171    xuserRef, xdocRef.getParentSecurityReference().getParentSecurityReference(), defaultAccess,
172    authorizationSettler.settle(xuserRef, Collections.<GroupSecurityReference>emptyList(), emptyXdocRules));
173   
174  1 assertAccess("When no rules are defined, deny all access for local wiki user on main wiki doc",
175    userRef, xdocRef.getParentSecurityReference().getParentSecurityReference(), denyAllAccess,
176    authorizationSettler.settle(userRef, Collections.<GroupSecurityReference>emptyList(),
177    emptyXdocRules));
178   
179  1 assertAccess("When no rules are defined, deny all access for another wiki user on main wiki doc",
180    anotherWikiUserRef, xdocRef.getParentSecurityReference().getParentSecurityReference(), denyAllAccess,
181    authorizationSettler.settle(anotherWikiUserRef, Collections.<GroupSecurityReference>emptyList(),
182    emptyXdocRules));
183    }
184   
 
185  1 toggle @Test
186    public void testSettleNoRulesOnLocalWiki() throws Exception
187    {
188  1 Deque<SecurityRuleEntry> emptydocRules
189    = getMockedSecurityRuleEntries("emptydocRules", docRef, Collections.<List<SecurityRule>>emptyList());
190   
191  1 assertAccess("When no rules are defined, return default access for local wiki user on local wiki doc",
192    userRef, docRef.getParentSecurityReference().getParentSecurityReference(), defaultAccess,
193    authorizationSettler.settle(userRef, Collections.<GroupSecurityReference>emptyList(), emptydocRules));
194   
195  1 assertAccess("When no rules are defined, return default access for main wiki on local wiki doc",
196    xuserRef, docRef.getParentSecurityReference().getParentSecurityReference(), defaultAccess,
197    authorizationSettler.settle(xuserRef, Collections.<GroupSecurityReference>emptyList(), emptydocRules));
198   
199  1 assertAccess("When no rules are defined, deny all access for another wiki user on local wiki doc",
200    anotherWikiUserRef, docRef.getParentSecurityReference().getParentSecurityReference(), denyAllAccess,
201    authorizationSettler.settle(anotherWikiUserRef, Collections.<GroupSecurityReference>emptyList(),
202    emptydocRules));
203    }
204   
 
205  1 toggle @Test
206    public void testSettleInheritancePolicy() throws Exception
207    {
208  1 SecurityRule allowAllTestRightsRulesToXuser = getMockedSecurityRule("allowAllTestRightsRulesToXuser",
209    Arrays.asList(xuserRef), Collections.<GroupSecurityReference>emptyList(), allTestRights, ALLOW);
210  1 SecurityRule denyAllTestRightsRulesToXuser = getMockedSecurityRule("denyAllTestRightsRulesToXuser",
211    Arrays.asList(xuserRef), Collections.<GroupSecurityReference>emptyList(), allTestRights, DENY);
212  1 SecurityRule allowAllTestRightsRulesToUser = getMockedSecurityRule("allowAllTestRightsRulesToUser",
213    Arrays.asList(userRef), Collections.<GroupSecurityReference>emptyList(), allTestRights, ALLOW);
214  1 SecurityRule denyAllTestRightsRulesToUser = getMockedSecurityRule("denyAllTestRightsRulesToUser",
215    Arrays.asList(userRef), Collections.<GroupSecurityReference>emptyList(), allTestRights, DENY);
216  1 SecurityRule allowAllTestRightsRulesToAnotherWikiUser = getMockedSecurityRule("allowAllTestRightsRulesToAnotherWikiUser",
217    Arrays.asList(anotherWikiUserRef), Collections.<GroupSecurityReference>emptyList(), allTestRights, ALLOW);
218  1 SecurityRule denyAllTestRightsRulesToAnotherWikiUser = getMockedSecurityRule(
219    "denyAllTestRightsRulesToAnotherWikiUser",
220    Arrays.asList(anotherWikiUserRef), Collections.<GroupSecurityReference>emptyList(), allTestRights, DENY);
221   
222  1 Deque<SecurityRuleEntry> allowThenDenyRulesForXdocSpace
223    = getMockedSecurityRuleEntries("allowThenDenyRulesForXdocSpace", xdocRef, Arrays.asList(
224    Arrays.asList(allowAllTestRightsRulesToXuser, allowAllTestRightsRulesToUser,
225    allowAllTestRightsRulesToAnotherWikiUser),
226    Arrays.asList(denyAllTestRightsRulesToXuser, denyAllTestRightsRulesToUser,
227    denyAllTestRightsRulesToAnotherWikiUser)));
228   
229  1 Deque<SecurityRuleEntry> denyThenAllowRulesForXdocSpace
230    = getMockedSecurityRuleEntries("denyThenAllowRulesForXdocSpace", xdocRef, Arrays.asList(
231    Arrays.asList(denyAllTestRightsRulesToXuser, denyAllTestRightsRulesToUser, denyAllTestRightsRulesToAnotherWikiUser),
232    Arrays.asList(allowAllTestRightsRulesToXuser, allowAllTestRightsRulesToUser, allowAllTestRightsRulesToAnotherWikiUser)));
233   
234  1 Deque<SecurityRuleEntry> allowThenDenyRulesForDocSpace
235    = getMockedSecurityRuleEntries("allowThenDenyRulesForDocSpace", docRef, Arrays.asList(
236    Arrays.asList(allowAllTestRightsRulesToXuser, allowAllTestRightsRulesToUser,
237    allowAllTestRightsRulesToAnotherWikiUser),
238    Arrays.asList(denyAllTestRightsRulesToXuser, denyAllTestRightsRulesToUser, denyAllTestRightsRulesToAnotherWikiUser)));
239   
240  1 Deque<SecurityRuleEntry> denyThenAllowRulesForDocSpace
241    = getMockedSecurityRuleEntries("denyThenAllowRulesForDocSpace", docRef, Arrays.asList(
242    Arrays.asList(denyAllTestRightsRulesToXuser, denyAllTestRightsRulesToUser,
243    denyAllTestRightsRulesToAnotherWikiUser),
244    Arrays.asList(allowAllTestRightsRulesToXuser, allowAllTestRightsRulesToUser, allowAllTestRightsRulesToAnotherWikiUser)));
245   
246  1 Deque<SecurityRuleEntry> allowThenDenyRulesForXDocWiki
247    = getMockedSecurityRuleEntries("allowThenDenyRulesForXDocWiki", xdocRef, Arrays.asList(
248    Arrays.asList(allowAllTestRightsRulesToXuser, allowAllTestRightsRulesToUser,
249    allowAllTestRightsRulesToAnotherWikiUser),
250    Collections.<SecurityRule>emptyList(),
251    Arrays.asList(denyAllTestRightsRulesToXuser, denyAllTestRightsRulesToUser,
252    denyAllTestRightsRulesToAnotherWikiUser)));
253   
254  1 Deque<SecurityRuleEntry> denyThenAllowRulesForXdocWiki
255    = getMockedSecurityRuleEntries("denyThenAllowRulesForXdocWiki", xdocRef, Arrays.asList(
256    Arrays.asList(denyAllTestRightsRulesToXuser, denyAllTestRightsRulesToUser, denyAllTestRightsRulesToAnotherWikiUser),
257    Collections.<SecurityRule>emptyList(),
258    Arrays.asList(allowAllTestRightsRulesToXuser, allowAllTestRightsRulesToUser, allowAllTestRightsRulesToAnotherWikiUser)));
259   
260  1 Deque<SecurityRuleEntry> allowThenDenyRulesForDocWiki
261    = getMockedSecurityRuleEntries("allowThenDenyRulesForDocWiki", docRef, Arrays.asList(
262    Arrays.asList(allowAllTestRightsRulesToXuser, allowAllTestRightsRulesToUser, allowAllTestRightsRulesToAnotherWikiUser),
263    Collections.<SecurityRule>emptyList(),
264    Arrays.asList(denyAllTestRightsRulesToXuser, denyAllTestRightsRulesToUser, denyAllTestRightsRulesToAnotherWikiUser)));
265   
266  1 Deque<SecurityRuleEntry> denyThenAllowRulesForDocWiki
267    = getMockedSecurityRuleEntries("denyThenAllowRulesForDocWiki", docRef, Arrays.asList(
268    Arrays.asList(denyAllTestRightsRulesToXuser, denyAllTestRightsRulesToUser, denyAllTestRightsRulesToAnotherWikiUser),
269    Collections.<SecurityRule>emptyList(),
270    Arrays.asList(allowAllTestRightsRulesToXuser, allowAllTestRightsRulesToUser, allowAllTestRightsRulesToAnotherWikiUser)));
271   
272  1 Deque<SecurityRuleEntry> allowThenDenyRulesForDocXWiki
273    = getMockedSecurityRuleEntries("allowThenDenyRulesForDocXWiki", docRef, Arrays.asList(
274    Arrays.asList(allowAllTestRightsRulesToXuser, allowAllTestRightsRulesToUser, allowAllTestRightsRulesToAnotherWikiUser),
275    Collections.<SecurityRule>emptyList(),
276    Collections.<SecurityRule>emptyList(),
277    Arrays.asList(denyAllTestRightsRulesToXuser, denyAllTestRightsRulesToUser, denyAllTestRightsRulesToAnotherWikiUser)));
278   
279  1 Deque<SecurityRuleEntry> denyThenAllowRulesForDocXWiki
280    = getMockedSecurityRuleEntries("denyThenAllowRulesForDocXWiki", docRef, Arrays.asList(
281    Arrays.asList(denyAllTestRightsRulesToXuser, denyAllTestRightsRulesToUser, denyAllTestRightsRulesToAnotherWikiUser),
282    Collections.<SecurityRule>emptyList(),
283    Collections.<SecurityRule>emptyList(),
284    Arrays.asList(allowAllTestRightsRulesToXuser, allowAllTestRightsRulesToUser, allowAllTestRightsRulesToAnotherWikiUser)));
285   
286  1 XWikiSecurityAccess allowDenyAccess = new XWikiSecurityAccess();
287  1 for (Right right : allTestRights) {
288  8 allowDenyAccess.allow(right);
289    }
290   
291  1 XWikiSecurityAccess denyAllowAccess = new XWikiSecurityAccess();
292  1 for (Right right : allTestRights) {
293  8 denyAllowAccess.set(right, right.getInheritanceOverridePolicy() ? DENY : ALLOW);
294    }
295   
296  1 assertAccess("When allowed right on doc are denied on space from main wiki for main wiki user, use inheritance policy",
297    xuserRef, xdocRef, allowDenyAccess,
298    authorizationSettler.settle(xuserRef, Collections.<GroupSecurityReference>emptyList(),
299    allowThenDenyRulesForXdocSpace));
300   
301  1 assertAccess("When denied right on doc are allowed on space from main wiki for main wiki user, use inheritance policy",
302    xuserRef, xdocRef, denyAllowAccess,
303    authorizationSettler.settle(xuserRef, Collections.<GroupSecurityReference>emptyList(),
304    denyThenAllowRulesForXdocSpace));
305   
306  1 assertAccess("When allowed right on doc are denied on space from local wiki for main wiki user, use inheritance policy",
307    xuserRef, docRef, allowDenyAccess,
308    authorizationSettler.settle(xuserRef, Collections.<GroupSecurityReference>emptyList(),
309    allowThenDenyRulesForDocSpace));
310   
311  1 assertAccess("When denied right on doc are allowed on space from local wiki for main wiki user, use inheritance policy",
312    xuserRef, docRef, denyAllowAccess,
313    authorizationSettler.settle(xuserRef, Collections.<GroupSecurityReference>emptyList(),
314    denyThenAllowRulesForDocSpace));
315   
316  1 assertAccess("When allowed right on doc are denied on space from local wiki for local wiki user, use inheritance policy",
317    userRef, docRef, allowDenyAccess,
318    authorizationSettler.settle(userRef, Collections.<GroupSecurityReference>emptyList(),
319    allowThenDenyRulesForDocSpace));
320   
321  1 assertAccess("When denied right on doc are allowed on space from local wiki for local wiki user, use inheritance policy",
322    userRef, docRef, denyAllowAccess,
323    authorizationSettler.settle(userRef, Collections.<GroupSecurityReference>emptyList(),
324    denyThenAllowRulesForDocSpace));
325   
326  1 assertAccess("When allowed right on doc are denied on space from local wiki for another wiki user, use inheritance policy",
327    anotherWikiUserRef, docRef, allowDenyAccess,
328    authorizationSettler.settle(anotherWikiUserRef, Collections.<GroupSecurityReference>emptyList(),
329    allowThenDenyRulesForDocSpace));
330   
331  1 assertAccess("When denied right on doc are allowed on space from local wiki for another wiki user, use inheritance policy",
332    anotherWikiUserRef, docRef, denyAllowAccess,
333    authorizationSettler.settle(anotherWikiUserRef, Collections.<GroupSecurityReference>emptyList(),
334    denyThenAllowRulesForDocSpace));
335   
336    //
337  1 assertAccess("When allowed right on doc are denied on wiki from main wiki for main wiki user, use inheritance policy",
338    xuserRef, xdocRef, allowDenyAccess,
339    authorizationSettler.settle(xuserRef, Collections.<GroupSecurityReference>emptyList(),
340    allowThenDenyRulesForXDocWiki));
341   
342  1 assertAccess("When denied right on doc are allowed on wiki from main wiki for main wiki user, use inheritance policy",
343    xuserRef, xdocRef, denyAllowAccess,
344    authorizationSettler.settle(xuserRef, Collections.<GroupSecurityReference>emptyList(),
345    denyThenAllowRulesForXdocWiki));
346   
347  1 assertAccess("When allowed right on doc are denied on wiki from local wiki for main wiki user, use inheritance policy",
348    xuserRef, docRef, allowDenyAccess,
349    authorizationSettler.settle(xuserRef, Collections.<GroupSecurityReference>emptyList(),
350    allowThenDenyRulesForDocWiki));
351   
352  1 assertAccess("When denied right on doc are allowed on wiki from local wiki for main wiki user, use inheritance policy",
353    xuserRef, docRef, denyAllowAccess,
354    authorizationSettler.settle(xuserRef, Collections.<GroupSecurityReference>emptyList(),
355    denyThenAllowRulesForDocWiki));
356   
357  1 assertAccess("When allowed right on doc are denied on wiki from local wiki for local wiki user, use inheritance policy",
358    userRef, docRef, allowDenyAccess,
359    authorizationSettler.settle(userRef, Collections.<GroupSecurityReference>emptyList(),
360    allowThenDenyRulesForDocWiki));
361   
362  1 assertAccess("When denied right on doc are allowed on wiki from local wiki for local wiki user, use inheritance policy",
363    userRef, docRef, denyAllowAccess,
364    authorizationSettler.settle(userRef, Collections.<GroupSecurityReference>emptyList(),
365    denyThenAllowRulesForDocWiki));
366   
367  1 assertAccess("When allowed right on doc are denied on wiki from local wiki for another wiki user, use inheritance policy",
368    anotherWikiUserRef, docRef, allowDenyAccess,
369    authorizationSettler.settle(anotherWikiUserRef, Collections.<GroupSecurityReference>emptyList(),
370    allowThenDenyRulesForDocWiki));
371   
372  1 assertAccess("When denied right on doc are allowed on wiki from local wiki for another wiki user, use inheritance policy",
373    anotherWikiUserRef, docRef, denyAllowAccess,
374    authorizationSettler.settle(anotherWikiUserRef, Collections.<GroupSecurityReference>emptyList(),
375    denyThenAllowRulesForDocWiki));
376   
377    //
378  1 assertAccess("When allowed right on doc are denied on main wiki from local wiki for local wiki user, use inheritance policy",
379    userRef, docRef, allowDenyAccess,
380    authorizationSettler.settle(userRef, Collections.<GroupSecurityReference>emptyList(),
381    allowThenDenyRulesForDocXWiki));
382   
383  1 assertAccess("When denied right on doc are allowed on main wiki from local wiki for local wiki user, use inheritance policy",
384    userRef, docRef, denyAllowAccess,
385    authorizationSettler.settle(userRef, Collections.<GroupSecurityReference>emptyList(),
386    denyThenAllowRulesForDocXWiki));
387   
388  1 assertAccess("When allowed right on doc are denied on main wiki from local wiki for another wiki user, use inheritance policy",
389    anotherWikiUserRef, docRef, allowDenyAccess,
390    authorizationSettler.settle(anotherWikiUserRef, Collections.<GroupSecurityReference>emptyList(),
391    allowThenDenyRulesForDocXWiki));
392   
393  1 assertAccess("When denied right on doc are allowed on main wiki from local wiki for another wiki user, use inheritance policy",
394    anotherWikiUserRef, docRef, denyAllowAccess,
395    authorizationSettler.settle(anotherWikiUserRef, Collections.<GroupSecurityReference>emptyList(),
396    denyThenAllowRulesForDocXWiki));
397   
398    }
399   
 
400  1 toggle @Test
401    public void testSettleTieResolutionPolicy() throws Exception
402    {
403  1 SecurityRule allowAllTestRightsUserAndAnotherGroup = getMockedSecurityRule("allowAllTestRightsUserAndAnotherGroup",
404    Arrays.asList(userRef), Arrays.asList(anotherGroupRef), allTestRights, ALLOW);
405  1 SecurityRule denyAllTestRightsUserAndAnotherGroup = getMockedSecurityRule("denyAllTestRightsUserAndAnotherGroup",
406    Arrays.asList(userRef), Arrays.asList(anotherGroupRef), allTestRights, DENY);
407  1 SecurityRule denyAllTestRightsAnotherUserAndGroup = getMockedSecurityRule("denyAllTestRightsAnotherUserAndGroup",
408    Arrays.asList(anotherUserRef), Arrays.asList(groupRef), allTestRights, DENY);
409   
410   
411  1 Deque<SecurityRuleEntry> conflictAllowDenySameTarget
412    = getMockedSecurityRuleEntries("conflictAllowDenySameTarget", docRef, Arrays.asList(
413    Arrays.asList(allowAllTestRightsUserAndAnotherGroup, denyAllTestRightsUserAndAnotherGroup)));
414  1 Deque<SecurityRuleEntry> conflictDenyAllowSameTarget
415    = getMockedSecurityRuleEntries("conflictDenyAllowSameTarget", docRef, Arrays.asList(
416    Arrays.asList(denyAllTestRightsUserAndAnotherGroup, allowAllTestRightsUserAndAnotherGroup)));
417  1 Deque<SecurityRuleEntry> conflictAllowDenyUserGroup
418    = getMockedSecurityRuleEntries("conflictAllowDenyUserGroup", docRef, Arrays.asList(
419    Arrays.asList(allowAllTestRightsUserAndAnotherGroup, denyAllTestRightsAnotherUserAndGroup)));
420  1 Deque<SecurityRuleEntry> conflictDenyAllowUserGroup
421    = getMockedSecurityRuleEntries("conflictDenyAllowUserGroup", docRef, Arrays.asList(
422    Arrays.asList(denyAllTestRightsAnotherUserAndGroup, allowAllTestRightsUserAndAnotherGroup)));
423   
424  1 XWikiSecurityAccess allowAccess = defaultAccess.clone();
425  1 for (Right right : allTestRights) {
426  8 allowAccess.allow(right);
427    }
428   
429  1 XWikiSecurityAccess denyAccess = defaultAccess.clone();
430  1 for (Right right : allTestRights) {
431  8 denyAccess.deny(right);
432    }
433   
434  1 XWikiSecurityAccess tieAccess = defaultAccess.clone();
435  1 for (Right right : allTestRights) {
436  8 tieAccess.set(right, right.getTieResolutionPolicy());
437    }
438   
439  1 assertAccess("When allowed right for user is denied for same user in another rule, use tie resolution policy",
440    userRef, docRef, tieAccess,
441    authorizationSettler.settle(userRef, Arrays.asList(groupRef), conflictAllowDenySameTarget));
442   
443  1 assertAccess("When denied right for user is allowed for same user in another rule, use tie resolution policy",
444    userRef, docRef, tieAccess,
445    authorizationSettler.settle(userRef, Arrays.asList(groupRef), conflictDenyAllowSameTarget));
446   
447  1 assertAccess("When allowed right for group is denied for same group in another rule, use tie resolution policy",
448    anotherUserRef, docRef, tieAccess,
449    authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), conflictAllowDenySameTarget));
450   
451  1 assertAccess("When denied right for group is allowed for same group in another rule, use tie resolution policy",
452    anotherUserRef, docRef, tieAccess,
453    authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), conflictDenyAllowSameTarget));
454   
455  1 assertAccess("When allowed right for user is denied for its group in another rule, allow it.",
456    userRef, docRef, allowAccess,
457    authorizationSettler.settle(userRef, Arrays.asList(groupRef), conflictAllowDenyUserGroup));
458   
459  1 assertAccess("When allowed right for group is denied for one of its user in another rule, deny it.",
460    anotherUserRef, docRef, denyAccess,
461    authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), conflictAllowDenyUserGroup));
462   
463  1 assertAccess("When denied right for group is allowed for one of its user in another rule, allow it.",
464    userRef, docRef, allowAccess,
465    authorizationSettler.settle(userRef, Arrays.asList(groupRef), conflictDenyAllowUserGroup));
466   
467  1 assertAccess("When denied right for user is allowed for its group in another rule, deny it.",
468    anotherUserRef, docRef, denyAccess,
469    authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), conflictDenyAllowUserGroup));
470   
471    }
472   
 
473  1 toggle @Test
474    public void testSettleOneAllowImpliesDenyForAllOthers() throws Exception
475    {
476  1 XWikiSecurityAccess defaultAllowRight0 = defaultAccess.clone();
477  1 XWikiSecurityAccess defaultDenyRight0 = defaultAccess.clone();
478  1 XWikiSecurityAccess defaultAllowRight6 = defaultAccess.clone();
479  1 defaultAllowRight0.allow(allTestRights.get(0));
480  1 defaultDenyRight0.deny(allTestRights.get(0));
481  1 defaultAllowRight6.allow(allTestRights.get(6));
482   
483  1 assertAccess("When an allow rules is found, deny any not matching user",
484    anotherUserRef, docRef, defaultDenyRight0,
485    authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef),
486    getMockedSecurityRuleEntries("onlyRight0",
487    docRef,
488    Arrays.asList(Arrays.asList(getMockedSecurityRule(
489    "onlyRight0",
490    Arrays.asList(userRef),
491    Collections.<GroupSecurityReference>emptyList(),
492    Arrays.asList(allTestRights.get(0)),
493    RuleState.ALLOW))))));
494   
495   
496  1 assertAccess("When an allow rules is found, do not deny a user matching in another rule",
497    anotherUserRef, docRef, defaultAllowRight6,
498    authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef),
499    getMockedSecurityRuleEntries("allowRight6ToAnotherUser",
500    docRef,
501    Arrays.asList(Arrays.asList(
502    getMockedSecurityRule(
503    "allowRight6ToUser",
504    Arrays.asList(userRef),
505    Collections.<GroupSecurityReference>emptyList(),
506    Arrays.asList(allTestRights.get(6)),
507    RuleState.ALLOW),
508    getMockedSecurityRule(
509    "allowRight6ToAnotherUser",
510    Arrays.asList(anotherUserRef),
511    Collections.<GroupSecurityReference>emptyList(),
512    Arrays.asList(allTestRights.get(6)),
513    RuleState.ALLOW))))));
514   
515  1 assertAccess("When an allow rules is found, do not deny a user matching in another rule",
516    anotherUserRef, docRef, defaultAllowRight6,
517    authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef),
518    getMockedSecurityRuleEntries("allowRight6ToAnotherGroup",
519    docRef,
520    Arrays.asList(Arrays.asList(
521    getMockedSecurityRule(
522    "allowRight6ToUserAndGroup",
523    Arrays.asList(userRef),
524    Arrays.asList(groupRef),
525    Arrays.asList(allTestRights.get(6)),
526    RuleState.ALLOW),
527    getMockedSecurityRule(
528    "allowRight6ToAnotherGroup",
529    Collections.<UserSecurityReference>emptyList(),
530    Arrays.asList(anotherGroupRef),
531    Arrays.asList(allTestRights.get(6)),
532    RuleState.ALLOW))))));
533   
534  1 assertAccess("When an allow rules is found, do not deny a user matching the rule",
535    userRef, docRef, defaultAllowRight6,
536    authorizationSettler.settle(userRef, Arrays.asList(groupRef),
537    getMockedSecurityRuleEntries("onlyRight6",
538    docRef,
539    Arrays.asList(Arrays.asList(getMockedSecurityRule(
540    "onlyRight6",
541    Arrays.asList(userRef),
542    Collections.<GroupSecurityReference>emptyList(),
543    Arrays.asList(allTestRights.get(6)),
544    RuleState.ALLOW))))));
545   
546  1 assertAccess("When an allow rules is found, do not deny a user matching a group in the rule",
547    anotherUserRef, docRef, defaultAllowRight6,
548    authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef),
549    getMockedSecurityRuleEntries("allowRight6",
550    docRef,
551    Arrays.asList(Arrays.asList(
552    getMockedSecurityRule(
553    "allowRight6ToUserAndAnotherGroup",
554    Arrays.asList(userRef),
555    Arrays.asList(anotherGroupRef),
556    Arrays.asList(allTestRights.get(6)),
557    RuleState.ALLOW))))));
558   
559    }
560   
 
561  1 toggle @Test
562    public void testSettleRightWithImpliedRights() throws Exception
563    {
564  1 SecurityRule allowImpliedADT = getMockedSecurityRule("allowImpliedADT",
565    Arrays.asList(userRef), Arrays.asList(anotherGroupRef), Arrays.asList(impliedTestRightsADT), ALLOW);
566  1 SecurityRule denyImpliedADT = getMockedSecurityRule("denyImpliedADT",
567    Arrays.asList(userRef), Arrays.asList(anotherGroupRef), Arrays.asList(impliedTestRightsADT), DENY);
568   
569  1 SecurityRule allowImpliedDAF = getMockedSecurityRule("allowImpliedDAF",
570    Arrays.asList(userRef), Arrays.asList(anotherGroupRef), Arrays.asList(impliedTestRightsDAF), ALLOW);
571  1 SecurityRule denyImpliedDAF = getMockedSecurityRule("denyImpliedDAF",
572    Arrays.asList(userRef), Arrays.asList(anotherGroupRef), Arrays.asList(impliedTestRightsDAF), DENY);
573   
574   
575  1 XWikiSecurityAccess allowAccessADT = defaultAccess.clone();
576  1 allowAccessADT.set(impliedTestRightsADT, ALLOW);
577  1 for (Right right : allTestRights) {
578  8 allowAccessADT.allow(right);
579    }
580  1 XWikiSecurityAccess tieADT = defaultAccess.clone();
581  1 tieADT.set(impliedTestRightsADT, ALLOW);
582  1 for (Right right : allTestRights) {
583  8 tieADT.set(right, right.getTieResolutionPolicy());
584    }
585  1 XWikiSecurityAccess allowAccessDAF = defaultAccess.clone();
586  1 allowAccessDAF.set(impliedTestRightsDAF, ALLOW);
587  1 for (Right right : allTestRights) {
588  8 allowAccessDAF.allow(right);
589    }
590  1 XWikiSecurityAccess denyADTAccess = defaultAccess.clone();
591  1 denyADTAccess.deny(impliedTestRightsADT);
592  1 XWikiSecurityAccess denyDAFAccess = defaultAccess.clone();
593  1 denyDAFAccess.deny(impliedTestRightsDAF);
594   
595  1 XWikiSecurityAccess denyAccessADT = defaultAccess.clone();
596  1 denyAccessADT.set(impliedTestRightsADT, ALLOW);
597  1 for (Right right : allTestRights) {
598  8 denyAccessADT.deny(right);
599    }
600  1 XWikiSecurityAccess denyAccessDAF = defaultAccess.clone();
601  1 denyAccessDAF.set(impliedTestRightsDAF, ALLOW);
602  1 for (Right right : allTestRights) {
603  8 denyAccessDAF.deny(right);
604    }
605   
606   
607   
608  1 assertAccess("When a right implying others rights is allowed, imply those rights (ADT)",
609    userRef, docRef, allowAccessADT,
610    authorizationSettler.settle(userRef, Arrays.asList(groupRef),
611    getMockedSecurityRuleEntries("allowAccessADT", docRef,
612    Arrays.asList(Arrays.asList(allowImpliedADT)))));
613   
614  1 assertAccess("When a right implying others rights is allowed, imply those rights (DAF)",
615    userRef, docRef, allowAccessDAF,
616    authorizationSettler.settle(userRef, Arrays.asList(groupRef),
617    getMockedSecurityRuleEntries("allowAccessDAF", docRef,
618    Arrays.asList(Arrays.asList(allowImpliedDAF)))));
619   
620  1 assertAccess("When a right implying others rights is denied, do not denied implied rights (ADT)",
621    userRef, docRef, denyADTAccess,
622    authorizationSettler.settle(userRef, Arrays.asList(groupRef),
623    getMockedSecurityRuleEntries("denyAccessADT", docRef,
624    Arrays.asList(Arrays.asList(denyImpliedADT)))));
625   
626  1 assertAccess("When a right implying others rights is denied, do not denied implied rights (DAF)",
627    userRef, docRef, denyDAFAccess,
628    authorizationSettler.settle(userRef, Arrays.asList(groupRef),
629    getMockedSecurityRuleEntries("denyAccessDAF", docRef,
630    Arrays.asList(Arrays.asList(denyImpliedDAF)))));
631   
632  1 SecurityRule allowAllTestRightsUserAndAnotherGroup = getMockedSecurityRule("allowAllTestRightsUserAndAnotherGroup",
633    Arrays.asList(userRef), Arrays.asList(anotherGroupRef), allTestRights, ALLOW);
634  1 SecurityRule denyAllTestRightsUserAndAnotherGroup = getMockedSecurityRule("denyAllTestRightsUserAndAnotherGroup",
635    Arrays.asList(userRef), Arrays.asList(anotherGroupRef), allTestRights, DENY);
636  1 SecurityRule denyAllTestRightsAnotherUserAndGroup = getMockedSecurityRule("denyAllTestRightsAnotherUserAndGroup",
637    Arrays.asList(anotherUserRef), Arrays.asList(groupRef), allTestRights, DENY);
638   
639   
640  1 Deque<SecurityRuleEntry> conflictAllowDenySameTargetADT
641    = getMockedSecurityRuleEntries("conflictAllowDenySameTargetADT", docRef, Arrays.asList(
642    Arrays.asList(allowImpliedADT, denyAllTestRightsUserAndAnotherGroup)));
643  1 Deque<SecurityRuleEntry> conflictAllowDenySameTargetDAF
644    = getMockedSecurityRuleEntries("conflictAllowDenySameTargetDAF", docRef, Arrays.asList(
645    Arrays.asList(allowImpliedDAF, denyAllTestRightsUserAndAnotherGroup)));
646   
647  1 Deque<SecurityRuleEntry> conflictAllowDenyUserGroupADT
648    = getMockedSecurityRuleEntries("conflictAllowDenyUserGroupADT", docRef, Arrays.asList(
649    Arrays.asList(allowImpliedADT, denyAllTestRightsAnotherUserAndGroup)));
650  1 Deque<SecurityRuleEntry> conflictAllowDenyUserGroupDAF
651    = getMockedSecurityRuleEntries("conflictAllowDenyUserGroupDAF", docRef, Arrays.asList(
652    Arrays.asList(allowImpliedDAF, denyAllTestRightsAnotherUserAndGroup)));
653   
654  1 assertAccess("When allowed implied right for user is denied for same user in another rule, use most favorable tie resolution policy (ADT)",
655    userRef, docRef, tieADT,
656    authorizationSettler.settle(userRef, Arrays.asList(groupRef), conflictAllowDenySameTargetADT));
657   
658  1 assertAccess("When allowed implied right for user is denied for same user in another rule, use most favorable tie resolution policy (DAF)",
659    userRef, docRef, allowAccessDAF,
660    authorizationSettler.settle(userRef, Arrays.asList(groupRef), conflictAllowDenySameTargetDAF));
661   
662  1 assertAccess("When allowed implied right for group is denied for same group in another rule, use most favorable tie resolution policy (ADT)",
663    anotherUserRef, docRef, tieADT,
664    authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), conflictAllowDenySameTargetADT));
665   
666  1 assertAccess("When allowed implied right for group is denied for same group in another rule, use most favorable tie resolution policy (DAF)",
667    anotherUserRef, docRef, allowAccessDAF,
668    authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), conflictAllowDenySameTargetDAF));
669   
670  1 assertAccess("When allowed implied right for user is denied for its group in another rule, allow it. (ADT)",
671    userRef, docRef, allowAccessADT,
672    authorizationSettler.settle(userRef, Arrays.asList(groupRef), conflictAllowDenyUserGroupADT));
673   
674  1 assertAccess("When allowed implied right for user is denied for its group in another rule, allow it. (DAF)",
675    userRef, docRef, allowAccessDAF,
676    authorizationSettler.settle(userRef, Arrays.asList(groupRef), conflictAllowDenyUserGroupDAF));
677   
678  1 assertAccess("When allowed implied right for group is denied for one of its user in another rule, deny it. (ADT)",
679    anotherUserRef, docRef, denyAccessADT,
680    authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), conflictAllowDenyUserGroupADT));
681   
682  1 assertAccess("When allowed implied right for group is denied for one of its user in another rule, deny it. (DAF)",
683    anotherUserRef, docRef, denyAccessDAF,
684    authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), conflictAllowDenyUserGroupDAF));
685    }
686   
 
687  1 toggle @Test
688    public void testSettleNewRightJustAdded() throws Exception
689    {
690  1 Right newRight = getNewTestRight("RightAddedLater",DENY,DENY,true);
691  1 XWikiSecurityAccess defaultNewRight = defaultAccess.clone();
692  1 defaultNewRight.allow(newRight);
693   
694  1 assertAccess("Allow a new right just added now",
695    userRef, docRef, defaultNewRight,
696    authorizationSettler.settle(userRef, Arrays.asList(groupRef),
697    getMockedSecurityRuleEntries("onlyNewRight",
698    docRef,
699    Arrays.asList(Arrays.asList(getMockedSecurityRule(
700    "onlyNewRight",
701    Arrays.asList(userRef),
702    Collections.<GroupSecurityReference>emptyList(),
703    Arrays.asList(newRight),
704    RuleState.ALLOW))))));
705    }
706   
 
707  1 toggle @Test
708    public void testSettleEntityTypeWithoutAnyEnabledRight() throws Exception
709    {
710  1 SecurityRule allowAllTestRightsRulesToXuser = getMockedSecurityRule("allowAllTestRightsRulesToXuser",
711    Collections.singletonList(xuserRef), Collections.<GroupSecurityReference>emptyList(), allTestRights, ALLOW);
712   
713  1 assertAccess("Allow rights to entity without any acceptable right on itself but having some (XWIKI-12552)",
714    xuserRef, xattachmentRef, defaultAccess,
715    authorizationSettler.settle(xuserRef, Collections.<GroupSecurityReference>emptyList(),
716    getMockedSecurityRuleEntries("allrights",
717    xattachmentRef,
718    Collections.singletonList(Collections.singletonList(allowAllTestRightsRulesToXuser)))));
719    }
720    }