001: package com.ecyrd.jspwiki.auth;
002:
003: import java.io.File;
004: import java.security.Permission;
005: import java.security.Principal;
006: import java.util.Properties;
007:
008: import junit.framework.Test;
009: import junit.framework.TestCase;
010: import junit.framework.TestSuite;
011:
012: import org.apache.commons.lang.ArrayUtils;
013:
014: import com.ecyrd.jspwiki.TestEngine;
015: import com.ecyrd.jspwiki.WikiException;
016: import com.ecyrd.jspwiki.WikiPage;
017: import com.ecyrd.jspwiki.WikiSession;
018: import com.ecyrd.jspwiki.WikiSessionTest;
019: import com.ecyrd.jspwiki.attachment.Attachment;
020: import com.ecyrd.jspwiki.auth.acl.UnresolvedPrincipal;
021: import com.ecyrd.jspwiki.auth.authorize.Group;
022: import com.ecyrd.jspwiki.auth.authorize.GroupManager;
023: import com.ecyrd.jspwiki.auth.authorize.Role;
024: import com.ecyrd.jspwiki.auth.permissions.AllPermission;
025: import com.ecyrd.jspwiki.auth.permissions.PagePermission;
026: import com.ecyrd.jspwiki.auth.permissions.PermissionFactory;
027: import com.ecyrd.jspwiki.auth.permissions.WikiPermission;
028: import com.ecyrd.jspwiki.auth.user.DefaultUserProfile;
029: import com.ecyrd.jspwiki.auth.user.UserProfile;
030: import com.ecyrd.jspwiki.providers.ProviderException;
031:
032: /**
033: * Tests the AuthorizationManager class.
034: * @author Janne Jalkanen
035: */
036: public class AuthorizationManagerTest extends TestCase {
037: private AuthorizationManager m_auth;
038:
039: private TestEngine m_engine;
040:
041: private GroupManager m_groupMgr;
042:
043: private WikiSession m_session;
044:
045: private static class TestPrincipal implements Principal {
046: private final String m_name;
047:
048: public TestPrincipal(String name) {
049: m_name = name;
050: }
051:
052: public String getName() {
053: return m_name;
054: }
055: }
056:
057: public AuthorizationManagerTest(String s) {
058: super (s);
059: }
060:
061: public static Test suite() {
062: TestSuite suite = new TestSuite("Authorization Manager test");
063: suite.addTestSuite(AuthorizationManagerTest.class);
064: return suite;
065: }
066:
067: public void setUp() throws Exception {
068: Properties props = new Properties();
069: props.load(TestEngine.findTestProperties());
070: m_engine = new TestEngine(props);
071: m_auth = m_engine.getAuthorizationManager();
072: m_groupMgr = m_engine.getGroupManager();
073: m_session = WikiSessionTest.adminSession(m_engine);
074: }
075:
076: /**
077: * Tests the default policy. Anonymous users can read, Authenticated can
078: * edit, etc. Uses the default tests/etc/jspwiki.policy file installed by
079: * the JRE at startup.
080: * @throws Exception
081: */
082: public void testDefaultPermissions() throws Exception {
083: // Save a page without an ACL
084: m_engine.saveText("TestDefaultPage", "Foo");
085: Permission view = PermissionFactory.getPagePermission(
086: "*:TestDefaultPage", "view");
087: Permission edit = PermissionFactory.getPagePermission(
088: "*:TestDefaultPage", "edit");
089: WikiSession session;
090:
091: // Alice is asserted
092: session = WikiSessionTest
093: .assertedSession(m_engine, Users.ALICE);
094: assertTrue("Alice view", m_auth.checkPermission(session, view));
095: assertTrue("Alice edit", m_auth.checkPermission(session, edit));
096:
097: // Bob is logged in
098: session = WikiSessionTest.authenticatedSession(m_engine,
099: Users.BOB, Users.BOB_PASS);
100: assertTrue("Bob view", m_auth.checkPermission(session, view));
101: assertTrue("Bob edit", m_auth.checkPermission(session, edit));
102:
103: // Delete the test page
104: try {
105: m_engine.deletePage("TestDefaultPage");
106: } catch (ProviderException e) {
107: assertTrue(false);
108: }
109: }
110:
111: public void testGetRoles() throws Exception {
112: WikiSession session;
113: Principal[] principals;
114:
115: // Create a new "asserted" session for Bob
116: session = WikiSessionTest.assertedSession(m_engine, Users.BOB);
117:
118: // Set up a group without Bob in it
119: Group test = m_groupMgr.parseGroup("Test", "Alice \n Charlie",
120: true);
121: m_groupMgr.setGroup(m_session, test);
122:
123: // Bob should have two roles: ASSERTED and ALL
124: principals = session.getRoles();
125: assertTrue("Bob in ALL", ArrayUtils.contains(principals,
126: Role.ALL));
127: assertTrue("Bob in ASSERTED", ArrayUtils.contains(principals,
128: Role.ASSERTED));
129: assertFalse("Bob not in ANONYMOUS", ArrayUtils.contains(
130: principals, Role.ANONYMOUS));
131: assertFalse("Bob not in Test", ArrayUtils.contains(principals,
132: test.getPrincipal()));
133:
134: // Re-save group "Test" with Bob as a member
135: test = m_groupMgr.parseGroup("Test", "Alice \n Bob \nCharlie",
136: true);
137: m_groupMgr.setGroup(m_session, test);
138:
139: // Bob not authenticated: should still have only two romes
140: principals = session.getRoles();
141: assertTrue("Bob in ALL", ArrayUtils.contains(principals,
142: Role.ALL));
143: assertTrue("Bob in ASSERTED", ArrayUtils.contains(principals,
144: Role.ASSERTED));
145: assertFalse("Bob not in ANONYMOUS", ArrayUtils.contains(
146: principals, Role.ANONYMOUS));
147: assertFalse("Bob in Test", ArrayUtils.contains(principals, test
148: .getPrincipal()));
149:
150: // Elevate Bob to "authenticated" status
151: session = WikiSessionTest.authenticatedSession(m_engine,
152: Users.BOB, Users.BOB_PASS);
153:
154: // Re-save the group; Bob should possess the role now
155: test = m_groupMgr.parseGroup("Test", "Alice \n Bob \n Charlie",
156: true);
157: m_groupMgr.setGroup(m_session, test);
158: principals = session.getRoles();
159: assertTrue("Bob in ALL", ArrayUtils.contains(principals,
160: Role.ALL));
161: assertFalse("Bob in ASSERTED", ArrayUtils.contains(principals,
162: Role.ASSERTED));
163: assertFalse("Bob not in ANONYMOUS", ArrayUtils.contains(
164: principals, Role.ANONYMOUS));
165: assertTrue("Bob in Test", ArrayUtils.contains(principals, test
166: .getPrincipal()));
167:
168: // Cleanup
169: m_groupMgr.removeGroup("Test");
170: }
171:
172: public void testAssertedSession() throws Exception {
173: // Create Alice and her roles
174: Principal alice = new WikiPrincipal(Users.ALICE);
175: Role it = new Role("IT");
176: Role engineering = new Role("Engineering");
177: Role finance = new Role("Finance");
178: Principal admin = new GroupPrincipal("Admin");
179: WikiSession session = WikiSessionTest
180: .assertedSession(m_engine, Users.ALICE,
181: new Principal[] { it, engineering, admin });
182:
183: // Create two groups: Alice should be part of group Bar, but not Foo
184: Group fooGroup = m_groupMgr.parseGroup("Foo", "", true);
185: Group barGroup = m_groupMgr.parseGroup("Bar", "", true);
186: barGroup.add(alice);
187: m_groupMgr.setGroup(m_session, fooGroup);
188: m_groupMgr.setGroup(m_session, barGroup);
189:
190: // Test user principal posession: Alice isn't considered to
191: // have the "Alice" principal because she's not authenticated
192: assertFalse("Alice has Alice", m_auth.hasRoleOrPrincipal(
193: session, new WikiPrincipal(Users.ALICE)));
194: assertFalse("Alice has Alice", m_auth.hasRoleOrPrincipal(
195: session, new TestPrincipal(Users.ALICE)));
196: assertFalse("Alice not has Bob", m_auth.hasRoleOrPrincipal(
197: session, new WikiPrincipal(Users.BOB)));
198: assertFalse("Alice not has Bob", m_auth.hasRoleOrPrincipal(
199: session, new TestPrincipal(Users.BOB)));
200:
201: // Built-in role memberships
202: assertTrue("Alice in ALL", m_auth.hasRoleOrPrincipal(session,
203: Role.ALL));
204: assertFalse("Alice not in ANONYMOUS", m_auth
205: .hasRoleOrPrincipal(session, Role.ANONYMOUS));
206: assertTrue("Alice in ASSERTED", m_auth.hasRoleOrPrincipal(
207: session, Role.ASSERTED));
208: assertFalse("Alice not in AUTHENTICATED", m_auth
209: .hasRoleOrPrincipal(session, Role.AUTHENTICATED));
210:
211: // Custom roles should be FALSE because Alice is asserted
212: assertFalse("Alice not in IT", m_auth.hasRoleOrPrincipal(
213: session, it));
214: assertFalse("Alice not in Engineering", m_auth
215: .hasRoleOrPrincipal(session, engineering));
216: assertFalse("Alice not in Finance", m_auth.hasRoleOrPrincipal(
217: session, finance));
218:
219: // Group memberships should be FALSE because Alice is asserted
220: assertFalse("Alice not in Foo", m_auth.hasRoleOrPrincipal(
221: session, fooGroup.getPrincipal()));
222: assertFalse("Alice not in Bar", m_auth.hasRoleOrPrincipal(
223: session, barGroup.getPrincipal()));
224:
225: // Clean up
226: m_groupMgr.removeGroup("Foo");
227: m_groupMgr.removeGroup("Bar");
228: }
229:
230: public void testAuthenticatedSession() throws Exception {
231: // Create Alice and her roles
232: Principal alice = new WikiPrincipal(Users.ALICE);
233: Role it = new Role("IT");
234: Role engineering = new Role("Engineering");
235: Role finance = new Role("Finance");
236: Principal admin = new GroupPrincipal("Admin");
237: WikiSession session = WikiSessionTest
238: .containerAuthenticatedSession(m_engine, Users.ALICE,
239: new Principal[] { it, engineering, admin });
240:
241: // Create two groups: Alice should be part of group Bar, but not Foo
242: Group fooGroup = m_groupMgr.parseGroup("Foo", "", true);
243: Group barGroup = m_groupMgr.parseGroup("Bar", "", true);
244: barGroup.add(alice);
245: m_groupMgr.setGroup(m_session, fooGroup);
246: m_groupMgr.setGroup(m_session, barGroup);
247:
248: // Test user principal posession: user principals of different
249: // types should still be "the same" if their names are equal
250: assertTrue("Alice has Alice", m_auth.hasRoleOrPrincipal(
251: session, new WikiPrincipal(Users.ALICE)));
252: assertTrue("Alice has Alice", m_auth.hasRoleOrPrincipal(
253: session, new TestPrincipal(Users.ALICE)));
254: assertFalse("Alice not has Bob", m_auth.hasRoleOrPrincipal(
255: session, new WikiPrincipal(Users.BOB)));
256: assertFalse("Alice not has Bob", m_auth.hasRoleOrPrincipal(
257: session, new TestPrincipal(Users.BOB)));
258:
259: // Built-in role membership
260: assertTrue("Alice in ALL", m_auth.hasRoleOrPrincipal(session,
261: Role.ALL));
262: assertFalse("Alice not in ANONYMOUS", m_auth
263: .hasRoleOrPrincipal(session, Role.ANONYMOUS));
264: assertFalse("Alice not in ASSERTED", m_auth.hasRoleOrPrincipal(
265: session, Role.ASSERTED));
266: assertTrue("Alice in AUTHENTICATED", m_auth.hasRoleOrPrincipal(
267: session, Role.AUTHENTICATED));
268:
269: // Custom roles
270: assertTrue("Alice in IT", m_auth
271: .hasRoleOrPrincipal(session, it));
272: assertTrue("Alice in Engineering", m_auth.hasRoleOrPrincipal(
273: session, engineering));
274: assertFalse("Alice not in Finance", m_auth.hasRoleOrPrincipal(
275: session, finance));
276:
277: // Group memberships
278: assertFalse("Alice not in Foo", m_auth.hasRoleOrPrincipal(
279: session, fooGroup.getPrincipal()));
280: assertTrue("Alice in Bar", m_auth.hasRoleOrPrincipal(session,
281: barGroup.getPrincipal()));
282:
283: // Cleanup
284: m_groupMgr.removeGroup("Foo");
285: m_groupMgr.removeGroup("Bar");
286: }
287:
288: public void testInheritedPermissions() throws Exception {
289: // Create test page & attachment
290: String src = "[{ALLOW edit Alice}] ";
291: m_engine.saveText("Test", src);
292:
293: File f = m_engine.makeAttachmentFile();
294: Attachment att = new Attachment(m_engine, "Test", "test1.txt");
295: att.setAuthor("FirstPost");
296: m_engine.getAttachmentManager().storeAttachment(att, f);
297:
298: Attachment p = (Attachment) m_engine.getPage("Test/test1.txt");
299: Permission view = PermissionFactory
300: .getPagePermission(p, "view");
301: Permission edit = PermissionFactory
302: .getPagePermission(p, "edit");
303:
304: // Create authenticated session with user 'Alice', who can read & edit (in ACL)
305: WikiSession session;
306: session = WikiSessionTest.authenticatedSession(m_engine,
307: Users.ALICE, Users.ALICE_PASS);
308: assertTrue("Alice view Test/test1.txt", m_auth.checkPermission(
309: session, view));
310: assertTrue("Alice edit Test/test1.txt", m_auth.checkPermission(
311: session, edit));
312:
313: // Create authenticated session with user 'Bob', who can't read or edit (not in ACL)
314: session = WikiSessionTest.authenticatedSession(m_engine,
315: Users.BOB, Users.BOB_PASS);
316: assertFalse("Bob !view Test/test1.txt", m_auth.checkPermission(
317: session, view));
318: assertFalse("Bob !edit Test/test1.txt", m_auth.checkPermission(
319: session, edit));
320:
321: // Delete test page & attachment
322: m_engine.getAttachmentManager().deleteAttachment(att);
323: m_engine.deletePage("Test");
324: }
325:
326: public void testInheritedAclPermissions() throws Exception {
327: // Create test page & attachment
328: String src = "[{ALLOW view Alice}] ";
329: m_engine.saveText("Test", src);
330:
331: File f = m_engine.makeAttachmentFile();
332: Attachment att = new Attachment(m_engine, "Test", "test1.txt");
333: att.setAuthor("FirstPost");
334: m_engine.getAttachmentManager().storeAttachment(att, f);
335:
336: Attachment p = (Attachment) m_engine.getPage("Test/test1.txt");
337: Permission view = PermissionFactory
338: .getPagePermission(p, "view");
339: Permission edit = PermissionFactory
340: .getPagePermission(p, "edit");
341:
342: // Create session with user 'Alice', who can read (in ACL)
343: WikiSession session;
344: session = WikiSessionTest.authenticatedSession(m_engine,
345: Users.ALICE, Users.ALICE_PASS);
346: assertTrue("Foo view Test", m_auth.checkPermission(session,
347: view));
348: assertFalse("Foo !edit Test", m_auth.checkPermission(session,
349: edit));
350:
351: // Create session with user 'Bob', who can't read or edit (not in ACL)
352: session = WikiSessionTest.authenticatedSession(m_engine,
353: Users.BOB, Users.BOB_PASS);
354: assertFalse("Bar !view Test", m_auth.checkPermission(session,
355: view));
356: assertFalse("Bar !edit Test", m_auth.checkPermission(session,
357: view));
358:
359: // Delete test page & attachment
360: m_engine.getAttachmentManager().deleteAttachment(att);
361: m_engine.deletePage("Test");
362: }
363:
364: public void testHasRoleOrPrincipal() throws Exception {
365: // Create new user Alice and 2 sample roles
366: Principal alice = new WikiPrincipal(Users.ALICE);
367: Role it = new Role("IT");
368: Role finance = new Role("Finance");
369:
370: // Create Group1 with Alice in it, Group2 without
371: WikiSession session = WikiSessionTest.adminSession(m_engine);
372: Group g1 = m_groupMgr.parseGroup("Group1", "Alice", true);
373: m_groupMgr.setGroup(session, g1);
374: Principal group1 = g1.getPrincipal();
375: Group g2 = m_groupMgr.parseGroup("Group2", "Bob", true);
376: m_groupMgr.setGroup(session, g2);
377: Principal group2 = g2.getPrincipal();
378:
379: // Create anonymous session; not in ANY custom roles or groups
380: session = WikiSessionTest.anonymousSession(m_engine);
381: assertTrue("Anon anonymous", m_auth.hasRoleOrPrincipal(session,
382: Role.ANONYMOUS));
383: assertFalse("Anon not asserted", m_auth.hasRoleOrPrincipal(
384: session, Role.ASSERTED));
385: assertFalse("Anon not authenticated", m_auth
386: .hasRoleOrPrincipal(session, Role.AUTHENTICATED));
387: assertFalse("Alice not in Anon", m_auth.hasRoleOrPrincipal(
388: session, alice));
389: assertFalse("Anon not in IT", m_auth.hasRoleOrPrincipal(
390: session, it));
391: assertFalse("Anon not in Finance", m_auth.hasRoleOrPrincipal(
392: session, finance));
393: assertFalse("Anon not in Group1", m_auth.hasRoleOrPrincipal(
394: session, group1));
395: assertFalse("Anon not in Group2", m_auth.hasRoleOrPrincipal(
396: session, group2));
397:
398: // Create asserted session with 1 GroupPrincipal & 1 custom Role
399: // Alice is asserted, and thus not in ANY custom roles or groups
400: session = WikiSessionTest.assertedSession(m_engine,
401: Users.ALICE, new Principal[] { it });
402: assertFalse("Alice not anonymous", m_auth.hasRoleOrPrincipal(
403: session, Role.ANONYMOUS));
404: assertTrue("Alice asserted", m_auth.hasRoleOrPrincipal(session,
405: Role.ASSERTED));
406: assertFalse("Alice not authenticated", m_auth
407: .hasRoleOrPrincipal(session, Role.AUTHENTICATED));
408: assertFalse("Alice not in Alice", m_auth.hasRoleOrPrincipal(
409: session, alice));
410: assertFalse("Alice not in IT", m_auth.hasRoleOrPrincipal(
411: session, it));
412: assertFalse("Alice not in Finance", m_auth.hasRoleOrPrincipal(
413: session, finance));
414: assertFalse("Alice not in Group1", m_auth.hasRoleOrPrincipal(
415: session, group1));
416: assertFalse("Alice not in Group2", m_auth.hasRoleOrPrincipal(
417: session, group2));
418:
419: // Create authenticated session with 1 GroupPrincipal & 1 custom Role
420: // Alice is authenticated, and thus part of custom roles and groups
421: session = WikiSessionTest.containerAuthenticatedSession(
422: m_engine, Users.ALICE, new Principal[] { it });
423: assertFalse("Alice not anonymous", m_auth.hasRoleOrPrincipal(
424: session, Role.ANONYMOUS));
425: assertFalse("Alice not asserted", m_auth.hasRoleOrPrincipal(
426: session, Role.ASSERTED));
427: assertTrue("Alice authenticated", m_auth.hasRoleOrPrincipal(
428: session, Role.AUTHENTICATED));
429: assertTrue("Alice in Ernie", m_auth.hasRoleOrPrincipal(session,
430: alice));
431: assertTrue("Alice in IT", m_auth
432: .hasRoleOrPrincipal(session, it));
433: assertFalse("Alice not in Finance", m_auth.hasRoleOrPrincipal(
434: session, finance));
435: assertTrue("Alice in Group1", m_auth.hasRoleOrPrincipal(
436: session, group1));
437: assertFalse("Alice not in Group2", m_auth.hasRoleOrPrincipal(
438: session, group2));
439:
440: // Clean up
441: m_groupMgr.removeGroup("Group1");
442: m_groupMgr.removeGroup("Group2");
443: }
444:
445: public void testIsUserInRole() throws Exception {
446: // Create new user Alice and 2 sample roles
447: Principal alice = new WikiPrincipal(Users.ALICE);
448: Role it = new Role("IT");
449: Role finance = new Role("Finance");
450:
451: // Create Group1 with Alice in it, Group2 without
452: WikiSession session = WikiSessionTest.adminSession(m_engine);
453: Group g1 = m_groupMgr.parseGroup("Group1", "Alice", true);
454: m_groupMgr.setGroup(session, g1);
455: Principal group1 = g1.getPrincipal();
456: Group g2 = m_groupMgr.parseGroup("Group2", "Bob", true);
457: m_groupMgr.setGroup(session, g2);
458: Principal group2 = g2.getPrincipal();
459:
460: // Create anonymous session; not in ANY custom roles or groups
461: session = WikiSessionTest.anonymousSession(m_engine);
462: assertTrue("Anon anonymous", m_auth.isUserInRole(session,
463: Role.ANONYMOUS));
464: assertFalse("Anon not asserted", m_auth.isUserInRole(session,
465: Role.ASSERTED));
466: assertFalse("Anon not authenticated", m_auth.isUserInRole(
467: session, Role.AUTHENTICATED));
468: assertFalse("Anon not in Ernie", m_auth.isUserInRole(session,
469: alice));
470: assertFalse("Anon not in IT", m_auth.isUserInRole(session, it));
471: assertFalse("Anon not in Finance", m_auth.isUserInRole(session,
472: finance));
473: assertFalse("Anon not in Group1", m_auth.isUserInRole(session,
474: group1));
475: assertFalse("Anon not in Group2", m_auth.isUserInRole(session,
476: group2));
477:
478: // Create asserted session with 1 GroupPrincipal & 1 custom Role
479: // Alice is asserted, and thus not in ANY custom roles or groups
480: session = WikiSessionTest.assertedSession(m_engine,
481: Users.ALICE, new Principal[] { it });
482: assertFalse("Alice not anonymous", m_auth.isUserInRole(session,
483: Role.ANONYMOUS));
484: assertTrue("Alice asserted", m_auth.isUserInRole(session,
485: Role.ASSERTED));
486: assertFalse("Alice not authenticated", m_auth.isUserInRole(
487: session, Role.AUTHENTICATED));
488: assertFalse("Alice not in Alice", m_auth.isUserInRole(session,
489: alice));
490: assertFalse("Alice not in IT", m_auth.isUserInRole(session, it));
491: assertFalse("Alice not in Finance", m_auth.isUserInRole(
492: session, finance));
493: assertFalse("Alice not in Group1", m_auth.isUserInRole(session,
494: group1));
495: assertFalse("Alice not in Group2", m_auth.isUserInRole(session,
496: group2));
497:
498: // Create authenticated session with 1 GroupPrincipal & 1 custom Role
499: // Ernie is authenticated, and thus part of custom roles and groups
500: session = WikiSessionTest.containerAuthenticatedSession(
501: m_engine, Users.ALICE, new Principal[] { it });
502: assertFalse("Alice not anonymous", m_auth.isUserInRole(session,
503: Role.ANONYMOUS));
504: assertFalse("Alice not asserted", m_auth.isUserInRole(session,
505: Role.ASSERTED));
506: assertTrue("Alice not authenticated", m_auth.isUserInRole(
507: session, Role.AUTHENTICATED));
508: assertFalse("Alice not in Alice", m_auth.isUserInRole(session,
509: alice));
510: assertTrue("Alice in IT", m_auth.isUserInRole(session, it));
511: assertFalse("Alice not in Finance", m_auth.isUserInRole(
512: session, finance));
513: assertTrue("Alice in Group1", m_auth.isUserInRole(session,
514: group1));
515: assertFalse("Alice not in Group2", m_auth.isUserInRole(session,
516: group2));
517:
518: // Clean up
519: m_groupMgr.removeGroup("Group1");
520: m_groupMgr.removeGroup("Group2");
521: }
522:
523: public void testPrincipalAcl() throws Exception {
524: // Create test page & attachment
525: String src = "[{ALLOW edit Alice}] ";
526: m_engine.saveText("Test", src);
527:
528: WikiPage p = m_engine.getPage("Test");
529: Permission view = PermissionFactory
530: .getPagePermission(p, "view");
531: Permission edit = PermissionFactory
532: .getPagePermission(p, "edit");
533:
534: // Create session with authenticated user 'Alice', who can read & edit (in ACL)
535: WikiSession session;
536: session = WikiSessionTest.authenticatedSession(m_engine,
537: Users.ALICE, Users.ALICE_PASS);
538: assertTrue("Alice view Test", m_auth.checkPermission(session,
539: view));
540: assertTrue("Alice edit Test", m_auth.checkPermission(session,
541: edit));
542:
543: // Create session with authenticated user 'Bob', who can't read or edit (not in ACL)
544: session = WikiSessionTest.authenticatedSession(m_engine,
545: Users.BOB, Users.BOB_PASS);
546: assertFalse("Bob !view Test", m_auth.checkPermission(session,
547: view));
548: assertFalse("Bob !edit Test", m_auth.checkPermission(session,
549: edit));
550:
551: // Cleanup
552: try {
553: m_engine.deletePage("Test");
554: } catch (ProviderException e) {
555: fail("Could not delete page");
556: }
557: }
558:
559: /**
560: * Any principal strings that have same names as built-in roles should
561: * resolve as built-in roles!
562: */
563: public void testResolveBuiltInRoles() {
564: Principal principal = Role.AUTHENTICATED;
565: assertEquals(principal, m_auth
566: .resolvePrincipal("Authenticated"));
567: principal = Role.ASSERTED;
568: assertEquals(principal, m_auth.resolvePrincipal("Asserted"));
569: principal = Role.ALL;
570: assertEquals(principal, m_auth.resolvePrincipal("All"));
571: principal = Role.ANONYMOUS;
572: assertEquals(principal, m_auth.resolvePrincipal("Anonymous"));
573:
574: // This should not resolve because there's no built-in role Admin
575: principal = new WikiPrincipal("Admin");
576: assertFalse(principal.equals(m_auth.resolvePrincipal("Admin")));
577: }
578:
579: public void testResolveGroups() throws WikiException {
580: Group group1 = m_groupMgr.parseGroup("SampleGroup", "", true);
581: m_groupMgr.setGroup(m_session, group1);
582:
583: assertEquals(group1.getPrincipal(), m_auth
584: .resolvePrincipal("SampleGroup"));
585: m_groupMgr.removeGroup("SampleGroup");
586:
587: // We shouldn't be able to spoof a built-in role
588: try {
589: Group group2 = m_groupMgr.parseGroup("Authenticated", "",
590: true);
591: assertNotSame(group2.getPrincipal(), m_auth
592: .resolvePrincipal("Authenticated"));
593: } catch (WikiSecurityException e) {
594: assertTrue("Authenticated not allowed as group name.", true);
595: }
596: assertEquals(Role.AUTHENTICATED, m_auth
597: .resolvePrincipal("Authenticated"));
598: }
599:
600: public void testResolveUsers() throws WikiException {
601: // We should be able to resolve a user by login, user, or wiki name
602: UserProfile profile = new DefaultUserProfile();
603: profile.setEmail("authmanagertest@tester.net");
604: profile.setFullname("AuthorizationManagerTest User");
605: profile.setLoginName("authmanagertest");
606: try {
607: m_engine.getUserManager().getUserDatabase().save(profile);
608: } catch (WikiSecurityException e) {
609: fail("Failed save: " + e.getLocalizedMessage());
610: }
611: assertEquals(new WikiPrincipal("authmanagertest",
612: WikiPrincipal.LOGIN_NAME), m_auth
613: .resolvePrincipal("authmanagertest"));
614: assertEquals(new WikiPrincipal("AuthorizationManagerTest User",
615: WikiPrincipal.FULL_NAME), m_auth
616: .resolvePrincipal("AuthorizationManagerTest User"));
617: assertEquals(new WikiPrincipal("AuthorizationManagerTestUser",
618: WikiPrincipal.WIKI_NAME), m_auth
619: .resolvePrincipal("AuthorizationManagerTestUser"));
620: try {
621: m_engine.getUserManager().getUserDatabase()
622: .deleteByLoginName("authmanagertest");
623: } catch (WikiSecurityException e) {
624: fail("Failed delete: " + e.getLocalizedMessage());
625: }
626:
627: // A wiki group should resolve to itself
628: Group group1 = m_groupMgr.parseGroup("SampleGroup", "", true);
629: m_groupMgr.setGroup(m_session, group1);
630: assertEquals(group1.getPrincipal(), m_auth
631: .resolvePrincipal("SampleGroup"));
632: m_groupMgr.removeGroup("SampleGroup");
633:
634: // A built-in role should resolve to itself
635: assertEquals(Role.AUTHENTICATED, m_auth
636: .resolvePrincipal("Authenticated"));
637:
638: // We shouldn't be able to spoof a built-in role
639: assertNotSame(new WikiPrincipal("Authenticated"), m_auth
640: .resolvePrincipal("Authenticated"));
641:
642: // An unknown user should resolve to a generic UnresolvedPrincipal
643: Principal principal = new UnresolvedPrincipal("Bart Simpson");
644: assertEquals(principal, m_auth.resolvePrincipal("Bart Simpson"));
645: }
646:
647: public void testRoleAcl() throws Exception {
648: // Create test page & attachment
649: String src = "[{ALLOW edit Authenticated}] ";
650: m_engine.saveText("Test", src);
651:
652: WikiPage p = m_engine.getPage("Test");
653: Permission view = PermissionFactory
654: .getPagePermission(p, "view");
655: Permission edit = PermissionFactory
656: .getPagePermission(p, "edit");
657:
658: // Create session with authenticated user 'Alice', who can read & edit
659: WikiSession session;
660: session = WikiSessionTest.authenticatedSession(m_engine,
661: Users.ALICE, Users.ALICE_PASS);
662: assertTrue("Alice view Test", m_auth.checkPermission(session,
663: view));
664: assertTrue("Alice edit Test", m_auth.checkPermission(session,
665: edit));
666:
667: // Create session with asserted user 'Bob', who can't read or edit (not in ACL)
668: session = WikiSessionTest.assertedSession(m_engine, Users.BOB);
669: assertFalse("Bob !view Test", m_auth.checkPermission(session,
670: view));
671: assertFalse("Bob !edit Test", m_auth.checkPermission(session,
672: edit));
673:
674: // Cleanup
675: try {
676: m_engine.deletePage("Test");
677: } catch (ProviderException e) {
678: assertTrue(false);
679: }
680: }
681:
682: public void testStaticPermission() throws Exception {
683: WikiSession s = WikiSessionTest.anonymousSession(m_engine);
684: assertTrue("Anonymous view", m_auth.checkStaticPermission(s,
685: PagePermission.VIEW));
686: assertTrue("Anonymous edit", m_auth.checkStaticPermission(s,
687: PagePermission.EDIT));
688: assertTrue("Anonymous comment", m_auth.checkStaticPermission(s,
689: PagePermission.COMMENT));
690: assertFalse("Anonymous modify", m_auth.checkStaticPermission(s,
691: PagePermission.MODIFY));
692: assertFalse("Anonymous upload", m_auth.checkStaticPermission(s,
693: PagePermission.UPLOAD));
694: assertFalse("Anonymous rename", m_auth.checkStaticPermission(s,
695: PagePermission.RENAME));
696: assertFalse("Anonymous delete", m_auth.checkStaticPermission(s,
697: PagePermission.DELETE));
698: assertTrue("Anonymous prefs", m_auth.checkStaticPermission(s,
699: WikiPermission.EDIT_PREFERENCES));
700: assertTrue("Anonymous profile", m_auth.checkStaticPermission(s,
701: WikiPermission.EDIT_PROFILE));
702: assertTrue("Anonymous pages", m_auth.checkStaticPermission(s,
703: WikiPermission.CREATE_PAGES));
704: assertFalse("Anonymous groups", m_auth.checkStaticPermission(s,
705: WikiPermission.CREATE_GROUPS));
706:
707: s = WikiSessionTest.assertedSession(m_engine, "Jack Sparrow");
708: assertTrue("Asserted view", m_auth.checkStaticPermission(s,
709: PagePermission.VIEW));
710: assertTrue("Asserted edit", m_auth.checkStaticPermission(s,
711: PagePermission.EDIT));
712: assertTrue("Asserted comment", m_auth.checkStaticPermission(s,
713: PagePermission.COMMENT));
714: assertFalse("Asserted modify", m_auth.checkStaticPermission(s,
715: PagePermission.MODIFY));
716: assertFalse("Asserted upload", m_auth.checkStaticPermission(s,
717: PagePermission.UPLOAD));
718: assertFalse("Asserted rename", m_auth.checkStaticPermission(s,
719: PagePermission.RENAME));
720: assertFalse("Asserted delete", m_auth.checkStaticPermission(s,
721: PagePermission.DELETE));
722: assertTrue("Asserted prefs", m_auth.checkStaticPermission(s,
723: WikiPermission.EDIT_PREFERENCES));
724: assertTrue("Asserted profile", m_auth.checkStaticPermission(s,
725: WikiPermission.EDIT_PROFILE));
726: assertTrue("Asserted pages", m_auth.checkStaticPermission(s,
727: WikiPermission.CREATE_PAGES));
728: assertFalse("Asserted groups", m_auth.checkStaticPermission(s,
729: WikiPermission.CREATE_GROUPS));
730:
731: s = WikiSessionTest.authenticatedSession(m_engine, Users.JANNE,
732: Users.JANNE_PASS);
733: assertTrue("Authenticated view", m_auth.checkStaticPermission(
734: s, PagePermission.VIEW));
735: assertTrue("Authenticated edit", m_auth.checkStaticPermission(
736: s, PagePermission.EDIT));
737: assertTrue("Authenticated comment", m_auth
738: .checkStaticPermission(s, PagePermission.COMMENT));
739: assertTrue("Authenticated modify", m_auth
740: .checkStaticPermission(s, PagePermission.MODIFY));
741: assertTrue("Authenticated upload", m_auth
742: .checkStaticPermission(s, PagePermission.UPLOAD));
743: assertTrue("Authenticated rename", m_auth
744: .checkStaticPermission(s, PagePermission.RENAME));
745: assertFalse("Authenticated delete", m_auth
746: .checkStaticPermission(s, PagePermission.DELETE));
747: assertTrue("Authenticated prefs", m_auth.checkStaticPermission(
748: s, WikiPermission.EDIT_PREFERENCES));
749: assertTrue("Authenticated profile", m_auth
750: .checkStaticPermission(s, WikiPermission.EDIT_PROFILE));
751: assertTrue("Authenticated pages", m_auth.checkStaticPermission(
752: s, WikiPermission.CREATE_PAGES));
753: assertTrue("Authenticated groups", m_auth
754: .checkStaticPermission(s, WikiPermission.CREATE_GROUPS));
755:
756: s = WikiSessionTest.adminSession(m_engine);
757: assertTrue("Admin view", m_auth.checkStaticPermission(s,
758: PagePermission.VIEW));
759: assertTrue("Admin edit", m_auth.checkStaticPermission(s,
760: PagePermission.EDIT));
761: assertTrue("Admin comment", m_auth.checkStaticPermission(s,
762: PagePermission.COMMENT));
763: assertTrue("Admin modify", m_auth.checkStaticPermission(s,
764: PagePermission.MODIFY));
765: assertTrue("Admin upload", m_auth.checkStaticPermission(s,
766: PagePermission.UPLOAD));
767: assertTrue("Admin rename", m_auth.checkStaticPermission(s,
768: PagePermission.RENAME));
769: // Even though we grant AllPermission in the policy, 'delete' isn't explicit so the check
770: // for delete privileges will fail (but it will succeed if requested via the checkPermission())
771: assertFalse("Admin delete", m_auth.checkStaticPermission(s,
772: PagePermission.DELETE));
773: assertTrue("Admin prefs", m_auth.checkStaticPermission(s,
774: WikiPermission.EDIT_PREFERENCES));
775: assertTrue("Admin profile", m_auth.checkStaticPermission(s,
776: WikiPermission.EDIT_PROFILE));
777: assertTrue("Admin pages", m_auth.checkStaticPermission(s,
778: WikiPermission.CREATE_PAGES));
779: assertTrue("Admin groups", m_auth.checkStaticPermission(s,
780: WikiPermission.CREATE_GROUPS));
781: }
782:
783: public void testAdminView() throws Exception {
784: m_engine.saveText("TestDefaultPage",
785: "Foo [{ALLOW view FooBar}]");
786:
787: Principal admin = new GroupPrincipal("Admin");
788: WikiSession session = WikiSessionTest
789: .containerAuthenticatedSession(m_engine, Users.ALICE,
790: new Principal[] { admin });
791:
792: assertTrue("Alice has AllPermission", m_auth.checkPermission(
793: session, new AllPermission(m_engine
794: .getApplicationName())));
795: assertTrue("Alice cannot read", m_auth.checkPermission(session,
796: new PagePermission("TestDefaultPage", "view")));
797: }
798:
799: public void testAdminView2() throws Exception {
800: m_engine.saveText("TestDefaultPage",
801: "Foo [{ALLOW view FooBar}]");
802:
803: WikiSession session = WikiSessionTest.adminSession(m_engine);
804:
805: assertTrue("Alice has AllPermission", m_auth.checkPermission(
806: session, new AllPermission(m_engine
807: .getApplicationName())));
808: assertTrue("Alice cannot read", m_auth.checkPermission(session,
809: new PagePermission("TestDefaultPage", "view")));
810: }
811:
812: }
|