1. Project Clover database Tue Dec 20 2016 21:24:09 CET
  2. Package org.xwiki.security.authorization

File DefaultAuthorizationManagerIntegrationTest.java

 

Code metrics

34
237
31
1
744
526
51
0.22
7.65
31
1.65

Classes

Class Line # Actions
DefaultAuthorizationManagerIntegrationTest 108 237 0% 51 21
0.9304635593%
 

Contributing tests

This file is covered by 14 tests. .

Source view

1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20   
21    package org.xwiki.security.authorization;
22   
23    import java.util.ArrayList;
24    import java.util.Collection;
25    import java.util.Collections;
26   
27    import org.junit.Assert;
28    import org.junit.Before;
29    import org.junit.Rule;
30    import org.junit.Test;
31    import org.mockito.invocation.InvocationOnMock;
32    import org.mockito.stubbing.Answer;
33    import org.xwiki.cache.CacheManager;
34    import org.xwiki.cache.config.CacheConfiguration;
35    import org.xwiki.model.internal.DefaultModelConfiguration;
36    import org.xwiki.model.internal.reference.DefaultEntityReferenceProvider;
37    import org.xwiki.model.internal.reference.DefaultStringEntityReferenceResolver;
38    import org.xwiki.model.internal.reference.DefaultStringEntityReferenceSerializer;
39    import org.xwiki.model.internal.reference.DefaultSymbolScheme;
40    import org.xwiki.model.reference.DocumentReference;
41    import org.xwiki.model.reference.EntityReference;
42    import org.xwiki.model.reference.WikiReference;
43    import org.xwiki.security.DefaultSecurityReferenceFactory;
44    import org.xwiki.security.GroupSecurityReference;
45    import org.xwiki.security.SecurityReference;
46    import org.xwiki.security.SecurityReferenceFactory;
47    import org.xwiki.security.UserSecurityReference;
48    import org.xwiki.security.authorization.cache.SecurityCache;
49    import org.xwiki.security.authorization.cache.SecurityCacheRulesInvalidator;
50    import org.xwiki.security.authorization.cache.internal.DefaultSecurityCache;
51    import org.xwiki.security.authorization.cache.internal.DefaultSecurityCacheLoader;
52    import org.xwiki.security.authorization.cache.internal.TestCache;
53    import org.xwiki.security.authorization.internal.AbstractSecurityRuleEntry;
54    import org.xwiki.security.authorization.internal.DefaultAuthorizationSettler;
55    import org.xwiki.security.authorization.testwikis.SecureTestEntity;
56    import org.xwiki.security.authorization.testwikis.TestAccessRule;
57    import org.xwiki.security.authorization.testwikis.TestDefinition;
58    import org.xwiki.security.authorization.testwikis.TestDocument;
59    import org.xwiki.security.authorization.testwikis.TestEntity;
60    import org.xwiki.security.authorization.testwikis.TestGroup;
61    import org.xwiki.security.authorization.testwikis.TestUserDocument;
62    import org.xwiki.security.authorization.testwikis.TestWiki;
63    import org.xwiki.security.internal.UserBridge;
64    import org.xwiki.security.internal.XWikiBridge;
65    import org.xwiki.test.LogRule;
66    import org.xwiki.test.annotation.BeforeComponent;
67    import org.xwiki.test.annotation.ComponentList;
68   
69    import static org.hamcrest.CoreMatchers.instanceOf;
70    import static org.hamcrest.CoreMatchers.notNullValue;
71    import static org.hamcrest.CoreMatchers.nullValue;
72    import static org.hamcrest.MatcherAssert.assertThat;
73    import static org.junit.Assert.fail;
74    import static org.mockito.ArgumentMatchers.any;
75    import static org.mockito.Mockito.mock;
76    import static org.mockito.Mockito.when;
77    import static org.xwiki.security.authorization.Right.ADMIN;
78    import static org.xwiki.security.authorization.Right.COMMENT;
79    import static org.xwiki.security.authorization.Right.CREATE_WIKI;
80    import static org.xwiki.security.authorization.Right.CREATOR;
81    import static org.xwiki.security.authorization.Right.DELETE;
82    import static org.xwiki.security.authorization.Right.EDIT;
83    import static org.xwiki.security.authorization.Right.ILLEGAL;
84    import static org.xwiki.security.authorization.Right.LOGIN;
85    import static org.xwiki.security.authorization.Right.PROGRAM;
86    import static org.xwiki.security.authorization.Right.REGISTER;
87    import static org.xwiki.security.authorization.Right.SCRIPT;
88    import static org.xwiki.security.authorization.Right.VIEW;
89    import static org.xwiki.security.authorization.Right.values;
90   
91    /**
92    * Test XWiki Authorization policy against the authentication module.
93    * @since 5.0M2
94    */
95    @ComponentList({
96    DefaultSecurityCache.class,
97    DefaultStringEntityReferenceResolver.class,
98    DefaultStringEntityReferenceSerializer.class,
99    DefaultEntityReferenceProvider.class,
100    DefaultModelConfiguration.class,
101    AuthorizationManagerConfiguration.class,
102    DefaultSecurityReferenceFactory.class,
103    DefaultSecurityCacheLoader.class,
104    DefaultAuthorizationSettler.class,
105    DefaultAuthorizationManager.class,
106    DefaultSymbolScheme.class
107    })
 
108    public class DefaultAuthorizationManagerIntegrationTest extends AbstractAuthorizationTestCase
109    {
110    private AuthorizationManager authorizationManager;
111   
112    @Rule
113    public final LogRule logCapture = new LogRule();
114   
115    /** Mocked xWikiBridge */
116    private XWikiBridge xWikiBridge;
117   
118    /** Mocked userBridge */
119    private UserBridge userBridge;
120   
121    /** Mocked securityEntryReader */
122    private SecurityEntryReader securityEntryReader;
123   
124    /** Mocked securityCacheRulesInvalidator */
125    private SecurityCacheRulesInvalidator securityCacheRulesInvalidator;
126   
127    /** Mocked cache */
128    private TestCache<Object> cache;
129   
130    /** Factory for security reference */
131    private SecurityReferenceFactory securityReferenceFactory;
132   
 
133  14 toggle @BeforeComponent
134    public void initializeMocks() throws Exception {
135  14 cache = new TestCache<Object>();
136  14 final CacheManager cacheManager = componentManager.registerMockComponent(CacheManager.class);
137  14 when(cacheManager.createNewCache(any(CacheConfiguration.class))).thenReturn(cache);
138   
139  14 xWikiBridge = componentManager.registerMockComponent(XWikiBridge.class);
140  14 userBridge = componentManager.registerMockComponent(UserBridge.class);
141  14 securityEntryReader = componentManager.registerMockComponent(SecurityEntryReader.class);
142  14 securityCacheRulesInvalidator = componentManager.registerMockComponent(SecurityCacheRulesInvalidator.class);
143    }
144   
 
145  14 toggle @Before
146    public void setUp() throws Exception
147    {
148  14 securityReferenceFactory = componentManager.getInstance(SecurityReferenceFactory.class);
149  14 authorizationManager = componentManager.getInstance(AuthorizationManager.class);
150    }
151   
152   
153    /**
154    * Assert an allowed access for a given right for a given user on a given entity.
155    * @param message the assert message
156    * @param right the right to check for allowance
157    * @param userReference the reference of the user to test.
158    * @param entityReference the reference of the entity to test.
159    * @throws Exception on error.
160    */
 
161  0 toggle protected void assertAccessTrue(String message, Right right, DocumentReference userReference,
162    EntityReference entityReference) throws Exception
163    {
164  0 Assert.assertTrue(message,
165    authorizationManager.hasAccess(right, userReference, entityReference));
166    }
167   
168    /**
169    * Assert a denied access for a given right for a given user on a given entity.
170    * @param message the assert message
171    * @param right the right to check for denial
172    * @param userReference the reference of the user to test.
173    * @param entityReference the reference of the entity to test.
174    * @throws Exception on error.
175    */
 
176  0 toggle protected void assertAccessFalse(String message, Right right, DocumentReference userReference,
177    EntityReference entityReference) throws Exception
178    {
179  0 Assert.assertFalse(message, authorizationManager.hasAccess(right, userReference, entityReference));
180    }
181   
182    /**
183    * Check all rights for access by given user on a given entity.
184    * @param allowedRights the set of rights that should be allowed.
185    * @param userReference the reference of the user to test.
186    * @param entityReference the reference of the entity to test.
187    * @throws Exception on error.
188    */
 
189  117 toggle protected void assertAccess(RightSet allowedRights, DocumentReference userReference,
190    EntityReference entityReference) throws Exception
191    {
192  117 for (Right right : values()) {
193  1404 if (allowedRights != null && allowedRights.contains(right)) {
194  646 if (!authorizationManager.hasAccess(right, userReference, entityReference)) {
195  0 fail(String.format("[%s] should have [%s] right on [%s].",
196    getUserReadableName(userReference), right, getEntityReadableName(entityReference)));
197    }
198    } else {
199  758 if (authorizationManager.hasAccess(right, userReference, entityReference)) {
200  0 fail(String.format("[%s] should not have [%s] right on [%s].",
201    getUserReadableName(userReference), right, getEntityReadableName(entityReference)));
202    }
203    }
204    }
205    }
206   
 
207  2109 toggle private boolean compareReferenceNullSafe(EntityReference entity1, EntityReference entity2) {
208  2109 return entity1 == entity2 || (entity1 != null && entity1.equals(entity2));
209    }
210   
 
211  1051 toggle private SecurityRule mockSecurityRule(SecurityReference reference, final Right right, RuleState state,
212    final DocumentReference userOrGroup, boolean isUser) {
213  1051 SecurityRule mockedRule = mock(SecurityRule.class,
214    String.format("Rule for [%s] %s [%s] right to %s [%s]", reference.toString(),
215  1051 state == RuleState.ALLOW ? "allowing" : "denying",
216  1051 right.getName(), (isUser) ? "user" : "group", userOrGroup.toString()));
217  1051 when(mockedRule.getState()).thenReturn(state);
218  1051 when(mockedRule.match(any(Right.class))).thenAnswer(new Answer<Boolean>()
219    {
 
220  17526 toggle @Override
221    public Boolean answer(InvocationOnMock invocationOnMock) throws Throwable
222    {
223  17526 Right reqRight = (Right) invocationOnMock.getArguments()[0];
224  17526 return (reqRight == right);
225    }
226    });
227  1051 if (isUser) {
228  841 when(mockedRule.match(any(UserSecurityReference.class))).thenAnswer(new Answer<Boolean>()
229    {
 
230  1786 toggle @Override
231    public Boolean answer(InvocationOnMock invocationOnMock) throws Throwable
232    {
233  1786 SecurityReference reference =
234    (UserSecurityReference) invocationOnMock.getArguments()[0];
235  1786 return compareReferenceNullSafe(userOrGroup,
236    reference.getOriginalDocumentReference());
237    }
238    });
239    //when(mockedRule.match(any(GroupSecurityReference.class))).thenReturn(false);
240    } else {
241  210 when(mockedRule.match(any(GroupSecurityReference.class))).thenAnswer(new Answer<Boolean>()
242    {
 
243  319 toggle @Override
244    public Boolean answer(InvocationOnMock invocationOnMock) throws Throwable
245    {
246  319 SecurityReference reference =
247    (GroupSecurityReference) invocationOnMock.getArguments()[0];
248  319 return compareReferenceNullSafe(userOrGroup,
249    reference.getOriginalDocumentReference());
250    }
251    });
252    //when(mockedRule.match(any(UserSecurityReference.class))).thenReturn(false);
253    }
254  1051 return mockedRule;
255    }
256   
 
257  14 toggle @Override
258    public TestDefinition initialiseWikiMock(String filename) throws Exception
259    {
260  14 super.initialiseWikiMock(filename);
261   
262  14 when(xWikiBridge.getMainWikiReference()).thenReturn(testDefinition.getMainWiki().getWikiReference());
263  14 when(xWikiBridge.isWikiReadOnly()).thenReturn(false);
264   
265  14 when(userBridge.getAllGroupsFor(any(UserSecurityReference.class), any(WikiReference.class))).thenAnswer(
266    new Answer<Collection<GroupSecurityReference>>()
267    {
 
268  81 toggle @Override
269    public Collection<GroupSecurityReference> answer(InvocationOnMock invocationOnMock) throws Throwable
270    {
271  81 UserSecurityReference userReference = (UserSecurityReference) invocationOnMock.getArguments()[0];
272  81 WikiReference wikiReference = (WikiReference) invocationOnMock.getArguments()[1];
273   
274  81 if (userReference.getOriginalReference() == null) {
275    // Public users (not logged in) may not appears in any group
276  0 return Collections.emptyList();
277    }
278   
279  81 TestWiki wiki = testDefinition.getWiki(userReference.getOriginalReference().getWikiReference());
280  81 if (wiki == null) {
281  0 throw new AuthorizationException(
282    String.format("Failed to get groups for user or group [%s] in wiki [%s]. Unknown wiki.",
283    userReference, wikiReference), null);
284    }
285   
286  81 TestUserDocument user = wiki.getUser(userReference.getName());
287  81 if (user == null) {
288  3 return Collections.emptyList();
289    }
290   
291  78 Collection<GroupSecurityReference> groups = new ArrayList<GroupSecurityReference>();
292  78 for (TestGroup group : user.getGroups()) {
293    // Ensure we return only group of the requested wiki
294  35 if (group.getGroupReference().getWikiReference().equals(wikiReference)) {
295  29 groups.add(securityReferenceFactory.newGroupReference(group.getGroupReference()));
296    }
297    }
298  78 return groups;
299    }
300    }
301    );
302   
303  14 when(securityEntryReader.read(any(SecurityReference.class))).thenAnswer(
304    new Answer<SecurityRuleEntry>()
305    {
 
306  283 toggle @Override
307    public SecurityRuleEntry answer(InvocationOnMock invocationOnMock) throws Throwable
308    {
309  283 final SecurityReference reference = (SecurityReference) invocationOnMock.getArguments()[0];
310   
311  283 TestEntity entity = testDefinition.searchEntity(reference);
312   
313  283 Collection<TestAccessRule> rules = (entity != null && entity instanceof SecureTestEntity)
314    ? ((SecureTestEntity) entity).getAccessRules()
315    : Collections.<TestAccessRule>emptyList();
316   
317  283 final Collection<SecurityRule> mockedRules = new ArrayList<SecurityRule>();
318  283 for (final TestAccessRule rule : rules) {
319  853 mockedRules.add(mockSecurityRule(reference, rule.getRight(), rule.getState(), rule.getUser(),
320    rule.isUser()));
321    }
322   
323  283 if (entity instanceof TestWiki) {
324  48 TestWiki wiki = (TestWiki) entity;
325  48 if (wiki.getOwner() != null) {
326  48 mockedRules.add(mockSecurityRule(reference, Right.ADMIN, RuleState.ALLOW, wiki.getOwner(),
327    true));
328    }
329    }
330   
331  283 if (entity instanceof TestDocument) {
332  150 TestDocument document = (TestDocument) entity;
333  150 if (document.getCreator() != null) {
334  150 mockedRules.add(mockSecurityRule(reference, Right.CREATOR, RuleState.ALLOW,
335    document.getCreator(), true));
336    }
337    }
338   
339    // This mock should be barely comparable for #testLoadUserInAnotherWikiAfterUserDoc()
340    /*
341    SecurityRuleEntry accessEntry = mock(SecurityRuleEntry.class,
342    String.format("Rule entry for %s containing %d rules", reference.toString(), mockedRules.size()));
343    when(accessEntry.getReference()).thenReturn(reference);
344    when(accessEntry.isEmpty()).thenReturn(mockedRules.isEmpty());
345    when(accessEntry.getRules()).thenReturn(mockedRules);
346    */
347   
348  283 return new AbstractSecurityRuleEntry()
349    {
 
350  4515 toggle @Override
351    public Collection<SecurityRule> getRules()
352    {
353  4515 return mockedRules;
354    }
355   
 
356  1693 toggle @Override
357    public SecurityReference getReference()
358    {
359  1693 return reference;
360    }
361   
 
362  0 toggle @Override
363    public String toString()
364    {
365  0 return String.format("Rule entry for %s containing %d rules", reference.toString(), mockedRules.size());
366    }
367   
 
368  4 toggle @Override
369    public boolean equals(Object object)
370    {
371  4 if (object == this) {
372  0 return true;
373    }
374  4 if (!(object instanceof SecurityRuleEntry)) {
375  0 return false;
376    }
377  4 SecurityRuleEntry other = (SecurityRuleEntry) object;
378   
379  4 return compareReferenceNullSafe(other.getReference(), reference)
380    && other.getRules().size() == mockedRules.size();
381    }
382    };
383    }
384    }
385    );
386   
387  14 return testDefinition;
388    }
389   
 
390  1 toggle @Test
391    public void testDefaultAccessOnEmptyWikis() throws Exception
392    {
393  1 initialiseWikiMock("emptyWikis");
394   
395    // Public access on main wiki
396  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, REGISTER, LOGIN),
397    null, getXDoc("an empty main wiki", "anySpace"));
398   
399    // SuperAdmin access on main wiki
400  1 assertAccess(new RightSet(VIEW, EDIT, SCRIPT, COMMENT, DELETE, CREATOR, REGISTER, LOGIN, ADMIN, PROGRAM,
401    CREATE_WIKI, ILLEGAL), SUPERADMIN, getXDoc("an empty main wiki", "anySpace"));
402   
403    // Any Global user without access rules on main wiki
404  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, REGISTER, LOGIN),
405    getXUser("a global user without any access rule"), getXDoc("main wiki", "anySpace"));
406   
407    // Any Local user on main wiki
408  1 assertAccess(null,
409    getUser("a local user", "any SubWiki"), getXDoc("main wiki", "anySpace"));
410   
411    // Public access on sub wiki
412  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, REGISTER, LOGIN),
413    null, getDoc("an empty sub wiki", "anySpace", "any SubWiki"));
414   
415    // SuperAdmin access on sub wiki
416  1 assertAccess(new RightSet(VIEW, EDIT, SCRIPT, COMMENT, DELETE, CREATOR, REGISTER, LOGIN, ADMIN, PROGRAM,
417    CREATE_WIKI, ILLEGAL),
418    SUPERADMIN, getDoc("an empty sub wiki", "anySpace", "any SubWiki"));
419   
420    // Any Global user without access rules on sub wiki
421  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, REGISTER, LOGIN),
422    getXUser("a global user without any access rule"), getDoc("a subwiki", "anySpace", "any SubWiki"));
423   
424    // Any Local user on another subwiki
425  1 assertAccess(null,
426    getUser("a local user", "any SubWiki"), getDoc("an another subwiki", "anySpace", "any Other SubWiki"));
427   
428    }
429   
 
430  1 toggle @Test
431    public void testInheritancePolicyForFullFarmAccess() throws Exception
432    {
433  1 initialiseWikiMock("inheritancePolicyFullFarmAccess");
434   
435    // Main wiki allowing all access to A
436  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getXDoc("any document", "any space"));
437  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getXDoc("any document", "spaceDenyA"));
438  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getXDoc("docAllowA", "spaceDenyA"));
439  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getXDoc("docDenyA", "any space"));
440   
441  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("any document", "any space", "wikiNoRules"));
442  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("any document", "spaceDenyA", "wikiNoRules"));
443  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("docAllowA", "spaceDenyA", "wikiNoRules"));
444  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("docDenyA", "any space", "wikiNoRules"));
445   
446  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("any document", "any space", "wikiDenyA"));
447  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("any document", "spaceAllowA", "wikiDenyA"));
448  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("docDenyA", "spaceAllowA", "wikiDenyA"));
449  1 assertAccess(ALL_RIGHTS, getXUser("userA"), getDoc("docAllowA", "any space", "wikiDenyA"));
450    }
451   
 
452  1 toggle @Test
453    public void testInheritancePolicyForGlobalFullWikiAccess() throws Exception
454    {
455  1 initialiseWikiMock("inheritancePolicyForGlobalFullWikiAccess");
456   
457    // Main wiki denying all access to A
458  1 assertAccess(null, getXUser("userA"), getXDoc("any document", "any space"));
459  1 assertAccess(ALL_SPACE_RIGHTS, getXUser("userA"), getXDoc("any document", "spaceAllowA"));
460  1 assertAccess(ALL_SPACE_RIGHTS, getXUser("userA"), getXDoc("docDenyA", "spaceAllowA"));
461  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getXDoc("docAllowA", "any space"));
462   
463  1 assertAccess(null, getXUser("userA"), getDoc("any document", "any space", "wikiNoRules"));
464  1 assertAccess(ALL_SPACE_RIGHTS, getXUser("userA"), getDoc("any document", "spaceAllowA", "wikiNoRules"));
465  1 assertAccess(ALL_SPACE_RIGHTS, getXUser("userA"), getDoc("docDenyA", "spaceAllowA", "wikiNoRules"));
466  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getDoc("docAllowA", "any space", "wikiNoRules"));
467   
468  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"), getDoc("any document", "any space", "wikiAllowA"));
469  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"), getDoc("any document", "spaceDenyA", "wikiAllowA"));
470  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"), getDoc("docAllowA", "spaceDenyA", "wikiAllowA"));
471  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"), getDoc("docDenyA", "any space", "wikiAllowA"));
472    }
473   
 
474  1 toggle @Test
475    public void testInheritancePolicyForLocalWikiAccess() throws Exception
476    {
477  1 initialiseWikiMock("inheritancePolicyForLocalWikiAccess");
478   
479    // Main wiki denying all access to A
480  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiAllowA"), getDoc("any document", "any space", "wikiAllowA"));
481  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiAllowA"), getDoc("any document", "spaceDenyA", "wikiAllowA"));
482  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiAllowA"), getDoc("docAllowA", "spaceDenyA", "wikiAllowA"));
483  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiAllowA"), getDoc("docDenyA", "any space", "wikiAllowA"));
484   
485  1 assertAccess(null, getUser("userA", "wikiDenyA"), getDoc("any document", "any space", "wikiDenyA"));
486  1 assertAccess(ALL_SPACE_RIGHTS, getUser("userA", "wikiDenyA"), getDoc("any document", "spaceAllowA", "wikiDenyA"));
487  1 assertAccess(ALL_SPACE_RIGHTS, getUser("userA", "wikiDenyA"), getDoc("docDenyA", "spaceAllowA", "wikiDenyA"));
488  1 assertAccess(ALL_DOCUMENT_RIGHTS, getUser("userA", "wikiDenyA"), getDoc("any document", "spaceAllowANoAdmin", "wikiDenyA"));
489  1 assertAccess(null, getUser("userA", "wikiDenyA"), getDoc("docDenyA", "spaceAllowANoAdmin", "wikiDenyA"));
490  1 assertAccess(ALL_DOCUMENT_RIGHTS, getUser("userA", "wikiDenyA"), getDoc("docAllowA", "any space", "wikiDenyA"));
491   
492  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getUser("userA", "wikiAllowNoAdminA"), getDoc("any document", "any space", "wikiAllowNoAdminA"));
493  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userA", "wikiAllowNoAdminA"), getDoc("any document", "spaceDenyA", "wikiAllowNoAdminA"));
494  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getUser("userA", "wikiAllowNoAdminA"), getDoc("docAllowA", "spaceDenyA", "wikiAllowNoAdminA"));
495  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userA", "wikiAllowNoAdminA"), getDoc("docDenyA", "any space", "wikiAllowNoAdminA"));
496    }
497   
 
498  1 toggle @Test
499    public void testInheritancePolicyForNoAdminFarmAccess() throws Exception
500    {
501  1 initialiseWikiMock("inheritancePolicyForNoAdminFarmAccess");
502   
503    // Main wiki allowing all but admin access to A
504  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getXDoc("any document", "any space"));
505  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getXDoc("any document", "spaceDenyA"));
506  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getXDoc("docAllowA", "spaceDenyA"));
507  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getXDoc("docDenyA", "any space"));
508   
509  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getDoc("any document", "any space", "wikiNoRules"));
510  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getDoc("any document", "spaceDenyA", "wikiNoRules"));
511  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getDoc("docAllowA", "spaceDenyA", "wikiNoRules"));
512  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getDoc("docDenyA", "any space", "wikiNoRules"));
513   
514  1 assertAccess(null, getXUser("userA"), getDoc("any document", "any space", "wikiDenyA"));
515  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getDoc("any document", "spaceAllowA", "wikiDenyA"));
516  1 assertAccess(null, getXUser("userA"), getDoc("docDenyA", "spaceAllowA", "wikiDenyA"));
517  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getDoc("docAllowA", "any space", "wikiDenyA"));
518    }
519   
 
520  1 toggle @Test
521    public void testInheritancePolicyForNoAdminWikiAccess() throws Exception
522    {
523  1 initialiseWikiMock("inheritancePolicyForNoAdminWikiAccess");
524   
525    // Main wiki denying all access to A
526  1 assertAccess(null, getXUser("userA"), getXDoc("any document", "any space"));
527  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getXDoc("any document", "spaceAllowA"));
528  1 assertAccess(null, getXUser("userA"), getXDoc("docDenyA", "spaceAllowA"));
529  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getXDoc("docAllowA", "any space"));
530   
531  1 assertAccess(null, getXUser("userA"), getDoc("any document", "any space", "wikiNoRules"));
532  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getDoc("any document", "spaceAllowA", "wikiNoRules"));
533  1 assertAccess(null, getXUser("userA"), getDoc("docDenyA", "spaceAllowA", "wikiNoRules"));
534  1 assertAccess(ALL_DOCUMENT_RIGHTS, getXUser("userA"), getDoc("docAllowA", "any space", "wikiNoRules"));
535   
536  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getDoc("any document", "any space", "wikiAllowA"));
537  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getDoc("any document", "spaceDenyA", "wikiAllowA"));
538  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getDoc("docAllowA", "spaceDenyA", "wikiAllowA"));
539  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getDoc("docDenyA", "any space", "wikiAllowA"));
540    }
541   
 
542  1 toggle @Test
543    public void testTieResolutionPolicy() throws Exception
544    {
545  1 initialiseWikiMock("tieResolutionPolicy");
546   
547  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiUserAllowDeny"), getWiki("wikiUserAllowDeny"));
548  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiUserDenyAllow"), getWiki("wikiUserDenyAllow"));
549  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiGroupAllowDeny"), getWiki("wikiGroupAllowDeny"));
550  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiGroupDenyAllow"), getWiki("wikiGroupDenyAllow"));
551  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiUserGroupAllowDeny"), getWiki("wikiUserGroupAllowDeny"));
552  1 assertAccess(null, getUser("userA", "wikiUserGroupDenyAllow"), getWiki("wikiUserGroupDenyAllow"));
553  1 assertAccess(null, getUser("userA", "wikiGroupUserAllowDeny"), getWiki("wikiGroupUserAllowDeny"));
554  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiGroupUserDenyAllow"), getWiki("wikiGroupUserDenyAllow"));
555   
556  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userA", "wikiUserAllowDenyNoAdmin"), getWiki("wikiUserAllowDenyNoAdmin"));
557  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userA", "wikiUserDenyAllowNoAdmin"), getWiki("wikiUserDenyAllowNoAdmin"));
558  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userA", "wikiGroupAllowDenyNoAdmin"), getWiki("wikiGroupAllowDenyNoAdmin"));
559  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userA", "wikiGroupDenyAllowNoAdmin"), getWiki("wikiGroupDenyAllowNoAdmin"));
560  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getUser("userA", "wikiUserGroupAllowDenyNoAdmin"), getWiki("wikiUserGroupAllowDenyNoAdmin"));
561  1 assertAccess(null, getUser("userA", "wikiUserGroupDenyAllowNoAdmin"), getWiki("wikiUserGroupDenyAllowNoAdmin"));
562  1 assertAccess(null, getUser("userA", "wikiGroupUserAllowDenyNoAdmin"), getWiki("wikiGroupUserAllowDenyNoAdmin"));
563  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getUser("userA", "wikiGroupUserDenyAllowNoAdmin"), getWiki("wikiGroupUserDenyAllowNoAdmin"));
564    }
565   
 
566  1 toggle @Test
567    public void testDocumentCreator() throws Exception
568    {
569  1 initialiseWikiMock("documentCreator");
570   
571  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, DELETE, CREATOR, LOGIN, REGISTER), getXUser("userA"),
572    getXDoc("userAdoc", "space"));
573  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, LOGIN, REGISTER), getXUser("userA"),
574    getXDoc("userBdoc", "space"));
575  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, LOGIN, REGISTER), getXUser("userB"),
576    getXDoc("userAdoc", "space"));
577  1 assertAccess(new RightSet(VIEW, EDIT, COMMENT, DELETE, CREATOR, LOGIN, REGISTER), getXUser("userB"),
578    getXDoc("userBdoc", "space"));
579    }
580   
 
581  1 toggle @Test
582    public void testOwnerAccess() throws Exception
583    {
584  1 initialiseWikiMock("ownerAccess");
585   
586    // Owner of main wiki has admin access to all wikis whatever the wiki access is
587  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"), getXDoc("any document", "any space"));
588  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"), getDoc("any document", "any space", "wikiNoRules"));
589  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"), getDoc("any document", "any space", "wikiLocalUserA"));
590  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getXUser("userA"), getDoc("any document", "any space", "wikiDenyLocalUserA"));
591   
592    // Local owner has admin access whatever the wiki access is
593  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiLocalUserA"), getDoc("any document", "any space", "wikiLocalUserA"));
594  1 assertAccess(ALL_RIGHTS_EXCEPT_PROGRAMING_AND_CREATE_WIKI, getUser("userA", "wikiDenyLocalUserA"), getDoc("any document", "any space", "wikiDenyLocalUserA"));
595    }
596   
 
597  1 toggle @Test
598    public void testGroupAccess() throws Exception
599    {
600  1 initialiseWikiMock("groupAccess");
601   
602  1 assertAccess(DEFAULT_DOCUMENT_RIGHTS, getXUser("userA"), getXDoc("any document", "any space"));
603  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getXDoc("docAllowGroupA", "any space"));
604  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getXDoc("docAllowGroupB", "any space"));
605  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getXDoc("docDenyGroupA", "any space"));
606  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getXDoc("docDenyGroupB", "any space"));
607  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getXDoc("docDenyGroupAAllowUserA", "any space"));
608  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getXDoc("docDenyGroupBAllowUserA", "any space"));
609  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getXDoc("docDenyGroupBAllowGroupA", "any space"));
610  1 assertAccess(new RightSet(LOGIN, REGISTER), getXUser("userA"), getXDoc("docDenyGroupAAllowGroupB", "any space"));
611   
612  1 assertAccess(DEFAULT_DOCUMENT_RIGHTS, getUser("userB","subwiki"), getDoc("any document", "any space", "subwiki"));
613  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getUser("userB","subwiki"), getDoc("docAllowGroupA", "any space", "subwiki"));
614  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getUser("userB","subwiki"), getDoc("docAllowGroupB", "any space", "subwiki"));
615  1 assertAccess(new RightSet(LOGIN, REGISTER), getUser("userB","subwiki"), getDoc("docAllowGroupC", "any space", "subwiki"));
616   
617  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getDoc("docAllowGlobalGroupA", "any space", "subwiki"));
618  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getDoc("docAllowGlobalGroupB", "any space", "subwiki"));
619  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getDoc("docAllowGroupA", "any space", "subwiki"));
620  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getDoc("docAllowGroupB", "any space", "subwiki"));
621  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userA"), getDoc("docAllowGroupC", "any space", "subwiki"));
622   
623    /** Test XWIKI-13574 **/
624  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userD"), getXDoc("docAllowGroupB", "any space"));
625  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userC"), getXDoc("docAllowGroupB", "any space"));
626  1 assertAccess(ALL_RIGHTS_EXCEPT_ADMIN_AND_CREATE_WIKI, getXUser("userB"), getXDoc("docAllowGroupB", "any space"));
627    }
628   
 
629  1 toggle @Test
630    public void testCheckAccess() throws Exception
631    {
632  1 initialiseWikiMock("emptyWikis");
633   
634  1 authorizationManager.checkAccess(VIEW, null, getXDoc("an empty main wiki", "anySpace"));
635   
636  1 try {
637  1 authorizationManager.checkAccess(ADMIN, null, getXDoc("an empty main wiki", "anySpace"));
638  0 fail("checkAccess should throw access denied exception when access is denied.");
639    } catch (AccessDeniedException e) {
640  1 assertThat("checkAccess should throw access denied exception without any cause when access is denied",
641    e.getCause(), nullValue());
642    }
643    }
644   
 
645  1 toggle @Test
646    public void testLoadUserAfterUserDoc() throws Exception
647    {
648  1 initialiseWikiMock("loadUserAfterUserDoc");
649   
650    // Check access to the userA document => introduce the userA as a simple document into the cache
651  1 authorizationManager.checkAccess(VIEW, getXUser("userB"), getXUser("userA"));
652   
653    // Check access of userA to the userB document => it prove userA is in groupA and has access
654  1 authorizationManager.checkAccess(VIEW, getXUser("userA"), getXUser("userB"));
655   
656  1 SecurityCache securityCache = componentManager.getInstance(SecurityCache.class);
657   
658    // a userA entry is in the cache
659  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))), notNullValue());
660   
661  1 assertThat("UserA should be considered as a user by the cache, else the group cache will not be used",
662    securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))).getReference(),
663    instanceOf(UserSecurityReference.class));
664   
665    // remove group A from the cache => this should also remove all members of groupA
666  1 securityCache.remove(securityReferenceFactory.newUserReference(getXUser("groupA")));
667   
668    // check that userA was seen as a member of groupA by the cache => implies document userA was considered as a
669    // user (and not simply a document) after the second check.
670  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))), nullValue());
671    }
672   
673    // Test XWIKI-12016
 
674  1 toggle @Test
675    public void testGroupCacheLoadingUserAfterGroupDoc() throws Exception
676    {
677  1 initialiseWikiMock("loadUserAfterUserDoc");
678   
679    // Check access to the groupA document => introduce the groupA as a simple document into the cache
680  1 authorizationManager.checkAccess(VIEW, getXUser("userB"), getXUser("groupA"));
681   
682    // Check access of userA to the userA document => it transform group document into a true group
683  1 authorizationManager.checkAccess(VIEW, getXUser("userA"), getXUser("userA"));
684   
685    // Check access of userA to the userB document => it prove userA is in groupA (from cache) and has access
686  1 authorizationManager.checkAccess(VIEW, getXUser("userA"), getXUser("userB"));
687   
688  1 SecurityCache securityCache = componentManager.getInstance(SecurityCache.class);
689   
690    // a userA entry is in the cache
691  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))), notNullValue());
692   
693  1 assertThat("UserA should be considered as a user by the cache, else the group cache will not be used",
694    securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))).getReference(),
695    instanceOf(UserSecurityReference.class));
696   
697    // a userA entry in the cache is know as a user, else the group cache is inactive for her
698  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))).getReference(),
699    instanceOf(UserSecurityReference.class));
700   
701    // remove group A from the cache => this should also remove all members of groupA
702  1 securityCache.remove(securityReferenceFactory.newUserReference(getXUser("groupA")));
703   
704    // check that userA was seen as a member of groupA by the cache => implies document userA was considered as a
705    // user (and not simply a document) after the second check.
706  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))), nullValue());
707    }
708   
 
709  1 toggle @Test
710    public void testLoadUserInAnotherWikiAfterUserDoc() throws Exception
711    {
712  1 initialiseWikiMock("loadUserAfterUserDoc");
713   
714    // Check access to the userA document => introduce the userA as a simple document into the cache
715  1 authorizationManager.checkAccess(VIEW, getXUser("userB"), getXUser("userA"));
716   
717    // Check access of userA to the userB document => it prove userA is in groupA and has access
718  1 authorizationManager.checkAccess(VIEW, getXUser("userA"), getDoc("any document", "any space", "subwiki"));
719   
720    // Check access of userA to the userB document => it prove userA is in groupA and has access
721  1 authorizationManager.checkAccess(VIEW, getXUser("userA"), getXUser("userB"));
722   
723  1 SecurityCache securityCache = componentManager.getInstance(SecurityCache.class);
724   
725    // a userA entry is in the cache
726  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))), notNullValue());
727   
728    // a userA accessEntry is still in the cache for the document in the subwiki
729  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA")),
730    securityReferenceFactory.newEntityReference(getDoc("any document", "any space", "subwiki"))),
731    notNullValue());
732   
733    // remove group A from the cache => this should also remove all members of groupA
734  1 securityCache.remove(securityReferenceFactory.newUserReference(getXUser("groupA")));
735   
736    // check that userA was seen as a member of groupA by the cache => implies document userA is now a user
737  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA"))), nullValue());
738   
739    // check that the shadow userA has also been affected
740  1 assertThat(securityCache.get(securityReferenceFactory.newUserReference(getXUser("userA")),
741    securityReferenceFactory.newEntityReference(getDoc("any document", "any space", "subwiki"))),
742    nullValue());
743    }
744    }