Add permission comments and tests.

commons.persistence/src/main/java/com/pmease/commons/persistence/dao/DefaultGeneralDao.java

@@ -8,7 +8,6 @@ import org.hibernate.SessionFactory;
 import org.hibernate.criterion.DetachedCriteria;
 import org.hibernate.criterion.Projections;
 
-import com.google.common.base.Optional;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
@@ -31,8 +30,8 @@ public class DefaultGeneralDao implements GeneralDao {
 	
 	@Transactional
 	@Override
-	public <T extends AbstractEntity> Optional<T> find(Class<T> entityClass, Long entityId) {
-		return Optional.fromNullable((T) getSession().get(unproxy(entityClass), entityId));
+	public <T extends AbstractEntity> T find(Class<T> entityClass, Long entityId) {
+		return (T) getSession().get(unproxy(entityClass), entityId);
 	}
 
 	@Transactional

commons.persistence/src/main/java/com/pmease/commons/persistence/dao/DefaultGenericDao.java

@@ -9,7 +9,6 @@ import org.hibernate.criterion.Criterion;
 import org.hibernate.criterion.DetachedCriteria;
 import org.hibernate.criterion.Order;
 
-import com.google.common.base.Optional;
 import com.google.inject.Inject;
 import com.pmease.commons.persistence.AbstractEntity;
 import com.pmease.commons.util.ClassUtils;
@@ -32,7 +31,7 @@ public class DefaultGenericDao<T extends AbstractEntity> implements GenericDao<T
 	}
 	
 	@Override
-	public Optional<T> find(Long entityId) {
+	public T find(Long entityId) {
 		return generalDao.find(entityClass, entityId);
 	}
 

commons.persistence/src/main/java/com/pmease/commons/persistence/dao/GeneralDao.java

@@ -5,7 +5,6 @@ import java.util.List;
 import org.hibernate.HibernateException;
 import org.hibernate.criterion.DetachedCriteria;
 
-import com.google.common.base.Optional;
 import com.pmease.commons.persistence.AbstractEntity;
 
 public interface GeneralDao {
@@ -20,7 +19,7 @@ public interface GeneralDao {
 	 * @return
 	 *			found entity object, null if not found 			
 	 */
-	<T extends AbstractEntity> Optional<T> find(Class<T> entityClass, Long entityId);
+	<T extends AbstractEntity> T find(Class<T> entityClass, Long entityId);
 
 	/**
 	 * Get a reference to the entity with the specified type and id from data store.

commons.persistence/src/main/java/com/pmease/commons/persistence/dao/GenericDao.java

@@ -8,7 +8,6 @@ import org.hibernate.HibernateException;
 import org.hibernate.criterion.Criterion;
 import org.hibernate.criterion.Order;
 
-import com.google.common.base.Optional;
 import com.pmease.commons.persistence.AbstractEntity;
 
 
@@ -17,7 +16,7 @@ public interface GenericDao<T extends AbstractEntity> {
 	 * Get the entity with the specified type and id from the datastore.
 	 * If none is found, return null.
 	 */
-	public Optional<T> find(Long entityId);
+	public T find(Long entityId);
 
 	/**
 	 * Get a reference to the entity with the specified type and id from the

gitop.core/src/main/java/com/pmease/gitop/core/model/Account.java

@@ -8,11 +8,12 @@ import javax.persistence.OneToMany;
 import com.pmease.commons.security.AbstractUser;
 
 /**
- * This class represents an user (or project) in the system. In Gitop, users and projects
- * are the same thing. To create a project, one can register a new user account representing 
- * the project itself, and then under that user account, create repositories and organize 
- * teams to do project cooperation. 
- * 
+ * This class represents either a project or an user in the system. 
+ * <p>
+ * In Gitop, users and projects are the same thing. 
+ * If necessary, you can always treat an user account as a project account. 
+ * {@link Repository} and {@link Team} are always created under a specific account.  
+ *  
  * @author robin
  *
  */

gitop.core/src/main/java/com/pmease/gitop/core/model/Team.java

@@ -4,6 +4,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+import javax.annotation.Nullable;
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
@@ -16,13 +17,10 @@ import javax.persistence.UniqueConstraint;
 import org.apache.shiro.authz.Permission;
 import org.hibernate.annotations.FetchMode;
 
-import com.google.common.base.Optional;
 import com.pmease.commons.persistence.AbstractEntity;
-import com.pmease.gitop.core.model.permission.account.AccountOperation;
 import com.pmease.gitop.core.model.permission.account.AccountPermission;
 import com.pmease.gitop.core.model.permission.account.AccountWideOperation;
 import com.pmease.gitop.core.model.permission.account.OperationOfRepositorySet;
-import com.pmease.gitop.core.model.permission.account.PrivilegedOperation;
 import com.pmease.gitop.core.model.permission.account.ReadFromAccount;
 
 /**
@@ -46,7 +44,7 @@ public class Team extends AbstractEntity implements Permission {
 	
 	private String description;
 	
-	private Optional<? extends AccountWideOperation> authorizedAccountWideOperation = Optional.of(new ReadFromAccount());
+	private AccountWideOperation authorizedAccountWideOperation = new ReadFromAccount();
 	
 	private List<OperationOfRepositorySet> authorizedRepositoryOperations = new ArrayList<OperationOfRepositorySet>();
 	
@@ -91,19 +89,42 @@ public class Team extends AbstractEntity implements Permission {
 		this.memberships = memberships;
 	}
 
-	public Optional<? extends AccountWideOperation> getAuthorizedAccountWideOperation() {
+	/**
+	 * Get authorized account wide operation.
+	 * 
+	 * @return
+	 * 			null if account wide operation is not authorized
+	 */
+	public AccountWideOperation getAuthorizedAccountWideOperation() {
 		return authorizedAccountWideOperation;
 	}
 
-	public void setAuthorizedAccountWideOperation(
-			Optional<? extends AccountWideOperation> authorizedAccountWideOperation) {
+	/**
+	 * Specify authorized account wide operation for this team. 
+	 * 
+	 * @param authorizedAccountWideOperation
+	 * 			null to do not authorize any account wide operation
+	 */
+	public void setAuthorizedAccountWideOperation(@Nullable AccountWideOperation authorizedAccountWideOperation) {
 		this.authorizedAccountWideOperation = authorizedAccountWideOperation;
 	}
 
+	/**
+	 * Get list of authorized repository operations.
+	 * 
+	 * @return
+	 * 			list of authorized repository operations
+	 */
 	public List<OperationOfRepositorySet> getAuthorizedRepositoryOperations() {
 		return authorizedRepositoryOperations;
 	}
 
+	/**
+	 * Specify list of authorized repository operations.
+	 * 
+	 * @param authorizedRepositoryOperations
+	 *			list of authorized repository operations 
+	 */
 	public void setAuthorizedRepositoryOperations(
 			List<OperationOfRepositorySet> authorizedRepositoryOperations) {
 		this.authorizedRepositoryOperations = authorizedRepositoryOperations;
@@ -111,26 +132,16 @@ public class Team extends AbstractEntity implements Permission {
 
 	@Override
 	public boolean implies(Permission permission) {
-		if (permission instanceof AccountPermission) {
-			AccountPermission accountPermission = (AccountPermission) permission;
-			if (accountPermission.getAccount().getId().equals(getAccount().getId())) {
-				if (getAuthorizedAccountWideOperation().isPresent()) {
-					AccountOperation accountAction = getAuthorizedAccountWideOperation().get();
-					if (accountAction.can(accountPermission.getOperation()))
-						return true;
-				}
-				for (PrivilegedOperation action: getAuthorizedRepositoryOperations()) {
-					if (action.can(accountPermission.getOperation()))
-						return true;
-				}
-				
-				return false;
-			} else {
-				return false;
-			}
-		} else {
-			return false;
+		if (getAuthorizedAccountWideOperation() != null 
+				&& new AccountPermission(getAccount(), getAuthorizedAccountWideOperation()).implies(permission)) {
+			return true;
 		}
+		for (OperationOfRepositorySet operation: getAuthorizedRepositoryOperations()) {
+			if (new AccountPermission(getAccount(), operation).implies(permission))
+				return true;
+		}
+		
+		return false;
 	}
 
 }

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/account/AccountAdministration.java

@@ -12,7 +12,8 @@ public class AccountAdministration implements AccountWideOperation {
 	@Override
 	public boolean can(PrivilegedOperation operation) {
 		return operation instanceof AccountAdministration 
-				|| new WriteToAccount().can(operation);
+				|| new WriteToAccount().can(operation)
+				|| OperationOfRepositorySet.ofRepositoryAdmin("**").can(operation);
 	}
 
 }

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/account/AccountOperation.java

@@ -1,5 +1,11 @@
 package com.pmease.gitop.core.model.permission.account;
 
+/**
+ * This mark interface identifiers all operations against an account and its belongings.
+ * 
+ * @author robin
+ *
+ */
 public interface AccountOperation extends PrivilegedOperation {
 
 }

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/account/AccountPermission.java

@@ -1,15 +1,16 @@
 package com.pmease.gitop.core.model.permission.account;
 
+import org.apache.shiro.authz.Permission;
+
 import com.pmease.gitop.core.model.Account;
 
 /**
- * This interface serves as a mark up interface to indicate that all permissions
- * implementing this interface are project level permissions. 
- * 
+ * This class represents permissions to operate an account and its belongings.
+ *  
  * @author robin
  *
  */
-public class AccountPermission {
+public class AccountPermission implements Permission {
 	
 	private Account account;
 	
@@ -49,31 +50,45 @@ public class AccountPermission {
 	}
 
 	public static AccountPermission ofRepositoryAdmin(Account account, String repositoryName) {
-		return new AccountPermission(account, new OperationOfRepositorySet(repositoryName, new RepositoryAdministration()));
+		return new AccountPermission(account, OperationOfRepositorySet.ofRepositoryAdmin(repositoryName));
 	}
 
 	public static AccountPermission ofRepositoryRead(Account account, String repositoryName) {
-		return new AccountPermission(account, new OperationOfRepositorySet(repositoryName, new ReadFromRepository()));
+		return new AccountPermission(account, OperationOfRepositorySet.ofRepositoryRead(repositoryName));
 	}
 
 	public static AccountPermission ofRepositoryWrite(Account account, String repositoryName) {
-		return new AccountPermission(account, new OperationOfRepositorySet(repositoryName, new WriteToRepository()));
+		return new AccountPermission(account, OperationOfRepositorySet.ofRepositoryWrite(repositoryName));
 	}
 
 	public static AccountPermission ofBranchAdmin(Account account, String repositoryName, String branchName) {
-		return new AccountPermission(account, new OperationOfRepositorySet(repositoryName, new OperationOfBranchSet(branchName, new BranchAdministration())));
+		return new AccountPermission(account, OperationOfRepositorySet.ofBranchAdmin(repositoryName, branchName));
 	}
 
 	public static AccountPermission ofBranchRead(Account account, String repositoryName, String branchName) {
-		return new AccountPermission(account, new OperationOfRepositorySet(repositoryName, new OperationOfBranchSet(branchName, new ReadFromBranch())));
+		return new AccountPermission(account, OperationOfRepositorySet.ofBranchRead(repositoryName, branchName));
 	}
 
 	public static AccountPermission ofBranchWrite(Account account, String repositoryName, String branchName) {
-		return new AccountPermission(account, new OperationOfRepositorySet(repositoryName, new OperationOfBranchSet(branchName, new WriteToBranch("**"))));
+		return new AccountPermission(account, OperationOfRepositorySet.ofBranchWrite(repositoryName, branchName, "**"));
 	}
 
 	public static AccountPermission ofBranchWrite(Account account, String repositoryName, String branchName, String filePath) {
-		return new AccountPermission(account, new OperationOfRepositorySet(repositoryName, new OperationOfBranchSet(branchName, new WriteToBranch(filePath))));
+		return new AccountPermission(account, OperationOfRepositorySet.ofBranchWrite(repositoryName, branchName, filePath));
+	}
+
+	@Override
+	public boolean implies(Permission permission) {
+		if (permission instanceof AccountPermission) {
+			AccountPermission accountPermission = (AccountPermission) permission;
+			if (getAccount().getId().equals(accountPermission.getAccount().getId())) {
+				return getOperation().can(accountPermission.getOperation());
+			} else {
+				return false;
+			}
+		} else {
+			return false;
+		}
 	}
 
 }

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/account/AccountWideOperation.java

@@ -1,5 +1,8 @@
 package com.pmease.gitop.core.model.permission.account;
 
+/**
+ * This mark interface identifies account wide operations.
+ */
 public interface AccountWideOperation extends AccountOperation {
 
 }

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/account/OperationOfRepositorySet.java

@@ -43,4 +43,32 @@ public class OperationOfRepositorySet implements AccountOperation {
 		}
 	}
 	
+	public static OperationOfRepositorySet ofRepositoryAdmin(String repositoryName) {
+		return new OperationOfRepositorySet(repositoryName, new RepositoryAdministration());
+	}
+
+	public static OperationOfRepositorySet ofRepositoryRead(String repositoryName) {
+		return new OperationOfRepositorySet(repositoryName, new ReadFromRepository());
+	}
+
+	public static OperationOfRepositorySet ofRepositoryWrite(String repositoryName) {
+		return new OperationOfRepositorySet(repositoryName, new WriteToRepository());
+	}
+
+	public static OperationOfRepositorySet ofBranchAdmin(String repositoryName, String branchName) {
+		return new OperationOfRepositorySet(repositoryName, new OperationOfBranchSet(branchName, new BranchAdministration()));
+	}
+
+	public static OperationOfRepositorySet ofBranchRead(String repositoryName, String branchName) {
+		return new OperationOfRepositorySet(repositoryName, new OperationOfBranchSet(branchName, new ReadFromBranch()));
+	}
+
+	public static OperationOfRepositorySet ofBranchWrite(String repositoryName, String branchName) {
+		return new OperationOfRepositorySet(repositoryName, new OperationOfBranchSet(branchName, new WriteToBranch("**")));
+	}
+
+	public static OperationOfRepositorySet ofBranchWrite(String repositoryName, String branchName, String filePath) {
+		return new OperationOfRepositorySet(repositoryName, new OperationOfBranchSet(branchName, new WriteToBranch(filePath)));
+	}
+
 }

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/account/PrivilegedOperation.java

@@ -6,8 +6,14 @@ package com.pmease.gitop.core.model.permission.account;
  */
 public interface PrivilegedOperation {
 	/**
-	 * Whether or not accounts with permission to perform current operation can perform 
-	 * specified operation.  
+	 * Whether or not if an user has permission to perform current operation 
+	 * can also perform specified operation.
+	 * 
+	 * @param operation
+	 * 			the operation to check against
+	 * @return
+	 * 			true if user has permission to perform current operation can also 
+	 * 			perform specified operation; false otherwise 
 	 */
 	boolean can(PrivilegedOperation operation);
 }

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/system/SystemPermission.java

@@ -4,6 +4,14 @@ import java.io.Serializable;
 
 import org.apache.shiro.authz.Permission;
 
+/**
+ * Mark interface to identify system level permissions. 
+ * <p>
+ * System level permissions are used to define user roles. 
+ * 
+ * @author robin
+ *
+ */
 public interface SystemPermission extends Permission, Serializable {
 
 }

gitop.core/src/test/java/com/pmease/gitop/core/model/PermissionTest.java

@@ -1,12 +1,294 @@
 package com.pmease.gitop.core.model;
 
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
 import org.junit.Test;
 
+import com.pmease.gitop.core.model.permission.account.AccountAdministration;
+import com.pmease.gitop.core.model.permission.account.AccountPermission;
+import com.pmease.gitop.core.model.permission.account.OperationOfRepositorySet;
+import com.pmease.gitop.core.model.permission.account.ReadFromAccount;
+import com.pmease.gitop.core.model.permission.account.WriteToAccount;
+import com.pmease.gitop.core.model.permission.system.AdminAllAccounts;
+import com.pmease.gitop.core.model.permission.system.ReadFromAllAccounts;
+import com.pmease.gitop.core.model.permission.system.SystemAdministration;
+import com.pmease.gitop.core.model.permission.system.WriteToAllAccounts;
+
 public class PermissionTest {
 
 	@Test
-	public void shouldPermitPullIfAllowedAnyPush() {
+	public void shouldHandleAccountAdminPermissionAppropriately() {
+		Account account = new Account();
+		account.setId(100L);
+		
 		Team team = new Team();
+		team.setAccount(account);
+		
+		team.setAuthorizedAccountWideOperation(new AccountAdministration());
+		
+		assertTrue(team.implies(AccountPermission.ofAccountAdmin(account)));
+		assertTrue(team.implies(AccountPermission.ofAccountWrite(account)));
+		assertTrue(team.implies(AccountPermission.ofAccountRead(account)));
+		assertTrue(team.implies(AccountPermission.ofRepositoryAdmin(account, "repo1")));
+		assertTrue(team.implies(AccountPermission.ofRepositoryWrite(account, "repo1")));
+		assertTrue(team.implies(AccountPermission.ofRepositoryRead(account, "repo1")));
+		assertTrue(team.implies(AccountPermission.ofBranchAdmin(account, "repo1", "branch1")));
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1")));
+		assertTrue(team.implies(AccountPermission.ofBranchRead(account, "repo1", "branch1")));
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1", "src/file")));
+
+		assertFalse(team.implies(new SystemAdministration()));
+		assertFalse(team.implies(new AdminAllAccounts()));
+		assertFalse(team.implies(new WriteToAllAccounts()));
+		assertFalse(team.implies(new ReadFromAllAccounts()));
+	}
+
+	@Test
+	public void shouldHandleAccountWriterPermissionAppropriately() {
+		Account account = new Account();
+		account.setId(100L);
+		
+		Team team = new Team();
+		team.setAccount(account);
+		
+		team.setAuthorizedAccountWideOperation(new WriteToAccount());
+		
+		assertTrue(team.implies(AccountPermission.ofAccountWrite(account)));
+		assertTrue(team.implies(AccountPermission.ofAccountRead(account)));
+		assertTrue(team.implies(AccountPermission.ofRepositoryWrite(account, "repo1")));
+		assertTrue(team.implies(AccountPermission.ofRepositoryRead(account, "repo1")));
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1")));
+		assertTrue(team.implies(AccountPermission.ofBranchRead(account, "repo1", "branch1")));
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1", "src/file")));
+
+		assertFalse(team.implies(AccountPermission.ofAccountAdmin(account)));
+		assertFalse(team.implies(AccountPermission.ofRepositoryAdmin(account, "repo1")));
+		assertFalse(team.implies(AccountPermission.ofBranchAdmin(account, "repo1", "branch1")));
+	}
+
+	@Test
+	public void shouldHandleAccountReaderPermissionAppropriately() {
+		Account account = new Account();
+		account.setId(100L);
+		
+		Team team = new Team();
+		team.setAccount(account);
+		
+		team.setAuthorizedAccountWideOperation(new ReadFromAccount());
+		
+		assertTrue(team.implies(AccountPermission.ofAccountRead(account)));
+		assertTrue(team.implies(AccountPermission.ofRepositoryRead(account, "repo1")));
+		assertTrue(team.implies(AccountPermission.ofBranchRead(account, "repo1", "branch1")));
+
+		assertFalse(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1", "src/file")));
+		assertFalse(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1")));
+		assertFalse(team.implies(AccountPermission.ofRepositoryWrite(account, "repo1")));
+		assertFalse(team.implies(AccountPermission.ofAccountWrite(account)));
+		assertFalse(team.implies(AccountPermission.ofAccountAdmin(account)));
+		assertFalse(team.implies(AccountPermission.ofRepositoryAdmin(account, "repo1")));
+		assertFalse(team.implies(AccountPermission.ofBranchAdmin(account, "repo1", "branch1")));
+	}
+	
+	@Test
+	public void shouldHandleRepositoryAdminPermissionAppropriately() {
+		Account account = new Account();
+		account.setId(100L);
+		
+		Team team = new Team();
+		team.setAccount(account);
+		team.setAuthorizedAccountWideOperation(null);
+		
+		team.getAuthorizedRepositoryOperations().add(OperationOfRepositorySet.ofRepositoryAdmin("-repo2, *"));
+		
+		assertTrue(team.implies(AccountPermission.ofRepositoryAdmin(account, "repo1")));
+		assertTrue(team.implies(AccountPermission.ofBranchAdmin(account, "repo1", "branch1")));
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1", "src/file")));
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1")));
+		assertTrue(team.implies(AccountPermission.ofRepositoryWrite(account, "repo1")));
+		assertTrue(team.implies(AccountPermission.ofRepositoryRead(account, "repo1")));
+		assertTrue(team.implies(AccountPermission.ofBranchRead(account, "repo1", "branch1")));
+
+		assertFalse(team.implies(AccountPermission.ofAccountRead(account)));
+		assertFalse(team.implies(AccountPermission.ofAccountWrite(account)));
+		assertFalse(team.implies(AccountPermission.ofAccountAdmin(account)));
+		assertFalse(team.implies(AccountPermission.ofRepositoryRead(account, "repo2")));
+	}
+	
+	@Test
+	public void shouldHandleRepositoryWritePermissionAppropriately() {
+		Account account = new Account();
+		account.setId(100L);
+		
+		Team team = new Team();
+		team.setAccount(account);
+		team.setAuthorizedAccountWideOperation(null);
+		
+		team.getAuthorizedRepositoryOperations().add(OperationOfRepositorySet.ofRepositoryWrite("-repo2, *"));
+		
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1", "src/file")));
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1")));
+		assertTrue(team.implies(AccountPermission.ofRepositoryWrite(account, "repo1")));
+		assertTrue(team.implies(AccountPermission.ofRepositoryRead(account, "repo1")));
+		assertTrue(team.implies(AccountPermission.ofBranchRead(account, "repo1", "branch1")));
+
+		assertFalse(team.implies(AccountPermission.ofBranchAdmin(account, "repo1", "branch1")));
+		assertFalse(team.implies(AccountPermission.ofRepositoryAdmin(account, "repo1")));
+		assertFalse(team.implies(AccountPermission.ofAccountRead(account)));
+		assertFalse(team.implies(AccountPermission.ofAccountWrite(account)));
+		assertFalse(team.implies(AccountPermission.ofAccountAdmin(account)));
+		assertFalse(team.implies(AccountPermission.ofRepositoryRead(account, "repo2")));
+	}
+	
+	@Test
+	public void shouldHandleRepositoryReadPermissionAppropriately() {
+		Account account = new Account();
+		account.setId(100L);
+		
+		Team team = new Team();
+		team.setAccount(account);
+		team.setAuthorizedAccountWideOperation(null);
+		
+		team.getAuthorizedRepositoryOperations().add(OperationOfRepositorySet.ofRepositoryRead("-repo2, *"));
+		
+		assertTrue(team.implies(AccountPermission.ofRepositoryRead(account, "repo1")));
+		assertTrue(team.implies(AccountPermission.ofBranchRead(account, "repo1", "branch1")));
+
+		assertFalse(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1", "src/file")));
+		assertFalse(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1")));
+		assertFalse(team.implies(AccountPermission.ofRepositoryWrite(account, "repo1")));
+		assertFalse(team.implies(AccountPermission.ofBranchAdmin(account, "repo1", "branch1")));
+		assertFalse(team.implies(AccountPermission.ofRepositoryAdmin(account, "repo1")));
+		assertFalse(team.implies(AccountPermission.ofAccountRead(account)));
+		assertFalse(team.implies(AccountPermission.ofAccountWrite(account)));
+		assertFalse(team.implies(AccountPermission.ofAccountAdmin(account)));
+		assertFalse(team.implies(AccountPermission.ofRepositoryRead(account, "repo2")));
+	}
+
+	@Test
+	public void shouldHandleBranchAdminPermissionAppropriately() {
+		Account account = new Account();
+		account.setId(100L);
+		
+		Team team = new Team();
+		team.setAccount(account);
+		team.setAuthorizedAccountWideOperation(null);
+		
+		team.getAuthorizedRepositoryOperations().add(OperationOfRepositorySet.ofBranchAdmin("-repo2, *", "**/release"));
+		
+		assertTrue(team.implies(AccountPermission.ofBranchAdmin(account, "repo1", "5.0/release")));
+		assertTrue(team.implies(AccountPermission.ofBranchRead(account, "repo1", "test/release")));
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "1.0/release", "src/file")));
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "2.0/release")));
+		
+		assertFalse(team.implies(AccountPermission.ofBranchAdmin(account, "repo2", "release")));
+		assertFalse(team.implies(AccountPermission.ofRepositoryWrite(account, "repo1")));
+		assertFalse(team.implies(AccountPermission.ofRepositoryRead(account, "repo1")));
+		assertFalse(team.implies(AccountPermission.ofBranchAdmin(account, "repo1", "branch1")));
+		assertFalse(team.implies(AccountPermission.ofAccountRead(account)));
+		assertFalse(team.implies(AccountPermission.ofAccountWrite(account)));
+		assertFalse(team.implies(AccountPermission.ofAccountAdmin(account)));
+		assertFalse(team.implies(AccountPermission.ofRepositoryAdmin(account, "repo1")));
+		assertFalse(team.implies(AccountPermission.ofRepositoryRead(account, "repo2")));
+	}
+
+	@Test
+	public void shouldHandleBranchWritePermissionAppropriately() {
+		Account account = new Account();
+		account.setId(100L);
+		
+		Team team = new Team();
+		team.setAccount(account);
+		team.setAuthorizedAccountWideOperation(null);
+		
+		team.getAuthorizedRepositoryOperations().add(OperationOfRepositorySet.ofBranchWrite("-repo2, *", "**/release", "-**/*.java, **"));
+		
+		assertTrue(team.implies(AccountPermission.ofBranchRead(account, "repo1", "test/release")));
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "1.0/release", "src/file")));
+		
+		assertFalse(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "2.0/release", "test.java")));
+		assertFalse(team.implies(AccountPermission.ofBranchAdmin(account, "repo1", "1.0/release")));
+		assertFalse(team.implies(AccountPermission.ofRepositoryWrite(account, "repo1")));
+		assertFalse(team.implies(AccountPermission.ofRepositoryRead(account, "repo1")));
+		assertFalse(team.implies(AccountPermission.ofBranchAdmin(account, "repo1", "branch1")));
+		assertFalse(team.implies(AccountPermission.ofAccountRead(account)));
+		assertFalse(team.implies(AccountPermission.ofAccountWrite(account)));
+		assertFalse(team.implies(AccountPermission.ofAccountAdmin(account)));
+		assertFalse(team.implies(AccountPermission.ofRepositoryAdmin(account, "repo1")));
+		assertFalse(team.implies(AccountPermission.ofRepositoryRead(account, "repo2")));
+	}
+
+	@Test
+	public void shouldHandleMultipleTeamPermissionsAppropriately() {
+		Account account = new Account();
+		account.setId(100L);
+		
+		Team team = new Team();
+		team.setAccount(account);
+		team.setAuthorizedAccountWideOperation(null);
+		
+		team.getAuthorizedRepositoryOperations().add(OperationOfRepositorySet.ofBranchWrite("repo1", "branch1"));
+		team.getAuthorizedRepositoryOperations().add(OperationOfRepositorySet.ofBranchRead("repo1", "branch2"));
+		
+		assertTrue(team.implies(AccountPermission.ofBranchRead(account, "repo1", "branch1")));
+		assertTrue(team.implies(AccountPermission.ofBranchRead(account, "repo1", "branch2")));
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1")));
+		
+		assertFalse(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch2")));
+		
+		team.setAuthorizedAccountWideOperation(new ReadFromAccount());
+		
+		assertTrue(team.implies(AccountPermission.ofBranchRead(account, "repo1", "branch1")));
+		assertTrue(team.implies(AccountPermission.ofBranchRead(account, "repo2", "branch2")));
+		assertTrue(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1")));
+		
+		assertFalse(team.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch2")));
+	}
+	
+	@Test
+	public void systemAdministratorShouldBeAbleToDoAnything() {
+		assertTrue(new SystemAdministration().implies(new SystemAdministration()));
+		assertTrue(new SystemAdministration().implies(new WriteToAllAccounts()));
+		assertTrue(new SystemAdministration().implies(new ReadFromAllAccounts()));
+
+		Account account = new Account();
+		account.setId(100L);
+		assertTrue(new SystemAdministration().implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1")));
+	}
+	
+	@Test
+	public void shouldHandleAllAccountWriterPermissionAppropriately() {
+		WriteToAllAccounts writeToAllAccounts = new WriteToAllAccounts();
+		
+		Account account = new Account();
+		account.setId(100L);
+
+		assertTrue(writeToAllAccounts.implies(new WriteToAllAccounts()));
+		assertTrue(writeToAllAccounts.implies(new ReadFromAllAccounts()));
+		assertTrue(writeToAllAccounts.implies(AccountPermission.ofAccountWrite(account)));
+		assertTrue(writeToAllAccounts.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1", "src/file")));
+		
+		assertFalse(writeToAllAccounts.implies(AccountPermission.ofAccountAdmin(account)));
+		assertFalse(writeToAllAccounts.implies(AccountPermission.ofBranchAdmin(account, "repo1", "branch1")));
+		assertFalse(writeToAllAccounts.implies(new SystemAdministration()));
+	}
+	
+	@Test
+	public void shouldHandleAllAccountReaderPermissionAppropriately() {
+		ReadFromAllAccounts readFromAllAccounts = new ReadFromAllAccounts();
+		
+		Account account = new Account();
+		account.setId(100L);
+
+		assertTrue(readFromAllAccounts.implies(new ReadFromAllAccounts()));
+		assertTrue(readFromAllAccounts.implies(AccountPermission.ofBranchRead(account, "repo1", "branch1")));
+		
+		assertFalse(readFromAllAccounts.implies(AccountPermission.ofBranchWrite(account, "repo1", "branch1", "src/file")));
+		assertFalse(readFromAllAccounts.implies(AccountPermission.ofAccountWrite(account)));
+		assertFalse(readFromAllAccounts.implies(AccountPermission.ofAccountAdmin(account)));
+		assertFalse(readFromAllAccounts.implies(AccountPermission.ofBranchAdmin(account, "repo1", "branch1")));
+		assertFalse(readFromAllAccounts.implies(new WriteToAllAccounts()));
+		assertFalse(readFromAllAccounts.implies(new SystemAdministration()));
 	}
 
 }