
Added tests for acls/afterinvocation package

Luke Taylor 15 years ago
parent
commit
42721d407b

+ 1 - 3
acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProvider.java

@@ -75,9 +75,7 @@ public class AclEntryAfterInvocationCollectionFilteringProvider extends Abstract
             Object returnedObject) throws AccessDeniedException {
 
         if (returnedObject == null) {
-            if (logger.isDebugEnabled()) {
-                logger.debug("Return object is null, skipping");
-            }
+            logger.debug("Return object is null, skipping");
 
             return null;
         }

+ 3 - 7
acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProvider.java

@@ -65,7 +65,7 @@ public class AclEntryAfterInvocationProvider extends AbstractAclProvider impleme
     //~ Constructors ===================================================================================================
 
     public AclEntryAfterInvocationProvider(AclService aclService, List<Permission> requirePermission) {
-        super(aclService, "AFTER_ACL_READ", requirePermission);
+        this(aclService, "AFTER_ACL_READ", requirePermission);
     }
 
     public AclEntryAfterInvocationProvider(AclService aclService, String processConfigAttribute,
@@ -81,17 +81,13 @@ public class AclEntryAfterInvocationProvider extends AbstractAclProvider impleme
         if (returnedObject == null) {
             // AclManager interface contract prohibits nulls
             // As they have permission to null/nothing, grant access
-            if (logger.isDebugEnabled()) {
-                logger.debug("Return object is null, skipping");
-            }
+            logger.debug("Return object is null, skipping");
 
             return null;
         }
 
         if (!getProcessDomainObjectClass().isAssignableFrom(returnedObject.getClass())) {
-            if (logger.isDebugEnabled()) {
-                logger.debug("Return object is not applicable for this provider, skipping");
-            }
+            logger.debug("Return object is not applicable for this provider, skipping");
 
             return returnedObject;
         }

+ 64 - 0
acl/src/test/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProviderTests.java

@@ -0,0 +1,64 @@
+package org.springframework.security.acls.afterinvocation;
+
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Matchers.any;
+import static org.mockito.Matchers.anyBoolean;
+import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.when;
+
+import org.junit.Test;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.SecurityConfig;
+import org.springframework.security.acls.model.*;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.SpringSecurityMessageSource;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * @author Luke Taylor
+ */
+@SuppressWarnings({"unchecked"})
+public class AclEntryAfterInvocationCollectionFilteringProviderTests {
+    @Test
+    public void objectsAreRemovedIfPermissionDenied() throws Exception {
+        AclService service = mock(AclService.class);
+        Acl acl = mock(Acl.class);
+        when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn(false);
+        when(service.readAclById(any(ObjectIdentity.class), any(List.class))).thenReturn(acl);
+        AclEntryAfterInvocationCollectionFilteringProvider provider = new AclEntryAfterInvocationCollectionFilteringProvider(service, Arrays.asList(mock(Permission.class)));
+        provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class));
+        provider.setProcessDomainObjectClass(Object.class);
+        provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
+
+        Object returned = provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"), new ArrayList(Arrays.asList(new Object(), new Object())));
+        assertTrue(returned instanceof List);
+        assertTrue(((List)returned).isEmpty());
+        returned = provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("UNSUPPORTED", "AFTER_ACL_COLLECTION_READ"), new Object[] {new Object(), new Object()});
+        assertTrue(returned instanceof Object[]);
+        assertTrue(((Object[])returned).length == 0);
+    }
+
+    @Test
+    public void accessIsGrantedIfNoAttributesDefined() throws Exception {
+        AclEntryAfterInvocationCollectionFilteringProvider provider = new AclEntryAfterInvocationCollectionFilteringProvider(mock(AclService.class), Arrays.asList(mock(Permission.class)));
+        Object returned = new Object();
+
+        assertSame(returned, provider.decide(mock(Authentication.class), new Object(), Collections.<ConfigAttribute>emptyList(), returned));
+    }
+
+    @Test
+    public void nullReturnObjectIsIgnored() throws Exception {
+        AclService service = mock(AclService.class);
+        AclEntryAfterInvocationCollectionFilteringProvider provider = new AclEntryAfterInvocationCollectionFilteringProvider(service, Arrays.asList(mock(Permission.class)));
+
+        assertNull(provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"), null));
+        verify(service, never()).readAclById(any(ObjectIdentity.class), any(List.class));
+    }
+
+}
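Review bot: objectsAreRemovedIfPermissionDenied only covers the case where every element is denied, so a filtering implementation that dropped all elements regardless of the ACL decision would still pass. For an authorization filter the mixed case is the one most worth pinning: add a test that stubs consecutive answers, e.g. `when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn(true, false);`, and asserts that the returned collection holds exactly the permitted element. As a style point, the `SpringSecurityMessageSource` import is not used in this file, and `import static org.mockito.Mockito.when;` is already covered by the `Mockito.*` static import.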

+ 101 - 0
acl/src/test/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProviderTests.java

@@ -0,0 +1,101 @@
+package org.springframework.security.acls.afterinvocation;
+
+import static org.junit.Assert.*;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.*;
+
+import org.junit.Test;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.SecurityConfig;
+import org.springframework.security.acls.model.*;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.SpringSecurityMessageSource;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * @author Luke Taylor
+ */
+@SuppressWarnings({"unchecked"})
+public class AclEntryAfterInvocationProviderTests {
+
+    @Test(expected=IllegalArgumentException.class)
+    public void rejectsMissingPermissions() throws Exception {
+        try {
+            new AclEntryAfterInvocationProvider(mock(AclService.class), null);
+            fail("Exception expected");
+        } catch (IllegalArgumentException expected) {
+        }
+        new AclEntryAfterInvocationProvider(mock(AclService.class), Collections.<Permission>emptyList());
+    }
+
+    @Test
+    public void accessIsAllowedIfPermissionIsGranted() {
+        AclService service = mock(AclService.class);
+        Acl acl = mock(Acl.class);
+        when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn(true);
+        when(service.readAclById(any(ObjectIdentity.class), any(List.class))).thenReturn(acl);
+        AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(service, Arrays.asList(mock(Permission.class)));
+        provider.setMessageSource(new SpringSecurityMessageSource());
+        provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class));
+        provider.setProcessDomainObjectClass(Object.class);
+        provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
+        Object returned = new Object();
+
+        assertSame(returned, provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("AFTER_ACL_READ"), returned));
+    }
+
+    @Test
+    public void accessIsGrantedIfNoAttributesDefined() throws Exception {
+        AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(mock(AclService.class), Arrays.asList(mock(Permission.class)));
+        Object returned = new Object();
+
+        assertSame(returned, provider.decide(mock(Authentication.class), new Object(), Collections.<ConfigAttribute>emptyList(), returned));
+    }
+
+    @Test
+    public void accessIsGrantedIfObjectTypeNotSupported() throws Exception {
+        AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(mock(AclService.class), Arrays.asList(mock(Permission.class)));
+        provider.setProcessDomainObjectClass(String.class);
+        // Not a String
+        Object returned = new Object();
+
+        assertSame(returned, provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("AFTER_ACL_READ"), returned));
+    }
+
+
+    @Test(expected= AccessDeniedException.class)
+    public void accessIsDeniedIfPermissionIsNotGranted() {
+        AclService service = mock(AclService.class);
+        Acl acl = mock(Acl.class);
+        when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn(false);
+        // Try a second time with no permissions found
+        when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenThrow(new NotFoundException(""));
+        when(service.readAclById(any(ObjectIdentity.class), any(List.class))).thenReturn(acl);
+        AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(service, Arrays.asList(mock(Permission.class)));
+        provider.setProcessConfigAttribute("MY_ATTRIBUTE");
+        provider.setMessageSource(new SpringSecurityMessageSource());
+        provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class));
+        provider.setProcessDomainObjectClass(Object.class);
+        provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
+        try {
+            provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("UNSUPPORTED", "MY_ATTRIBUTE"), new Object());
+            fail();
+        } catch (AccessDeniedException expected) {
+        }
+        // Second scenario with no acls found
+        provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("UNSUPPORTED", "MY_ATTRIBUTE"), new Object());
+    }
+
+    @Test
+    public void nullReturnObjectIsIgnored() throws Exception {
+        AclService service = mock(AclService.class);
+        AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(service, Arrays.asList(mock(Permission.class)));
+
+        assertNull(provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"), null));
+        verify(service, never()).readAclById(any(ObjectIdentity.class), any(List.class));
+    }
+}
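Review bot: In accessIsDeniedIfPermissionIsNotGranted the second `when(acl.isGranted(...))` stubbing replaces the first instead of following it, so both `decide` calls take the `NotFoundException` path and the plain `isGranted` returning false denial is never exercised. Chain the answers on a single stubbing, `when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn(false).thenThrow(new NotFoundException(""));`, or split the two scenarios into separate tests. Separately, nullReturnObjectIsIgnored passes `"AFTER_ACL_COLLECTION_READ"` while this provider's default attribute is `"AFTER_ACL_READ"`, so the test may pass because the attribute is unsupported rather than because of the null check. That depends on the order of checks in `decide`, which is only partly visible in this commit.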