MLE-28498 11.3.5 Test Fixes for Security Update

examples/src/main/java/com/marklogic/client/example/handle/URIHandleExample.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
+ * Copyright (c) 2010-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
  */
 package com.marklogic.client.example.handle;
 
@@ -12,6 +12,7 @@
 import com.marklogic.client.document.XMLDocumentManager;
 import com.marklogic.client.example.cookbook.Util;
 import com.marklogic.client.example.cookbook.Util.ExampleProperties;
+import com.marklogic.client.io.DocumentMetadataHandle;
 import com.marklogic.client.io.InputStreamHandle;
 
 /**
@@ -82,7 +83,11 @@ public static void setUpExample(XMLDocumentManager docMgr, String docId, String
     InputStreamHandle handle = new InputStreamHandle();
     handle.set(docStream);
 
-    docMgr.write(docId, handle);
+    DocumentMetadataHandle metadata = new DocumentMetadataHandle();
+    metadata.getPermissions().add("rest-writer",
+      DocumentMetadataHandle.Capability.READ, DocumentMetadataHandle.Capability.UPDATE);
+
+    docMgr.write(docId, metadata, handle);
   }
 
   // clean up by deleting the documents for the example

marklogic-client-api-functionaltests/src/test/java/com/marklogic/client/datamovement/functionaltests/StringQueryHostBatcherTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
+ * Copyright (c) 2010-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
  */
 package com.marklogic.client.datamovement.functionaltests;
 
@@ -92,7 +92,7 @@ public static void setUpBeforeClass() throws Exception {
     };
     addRangePathIndex(dbName, rangePaths);
 
-    createUserRolesWithPrevilages("test-eval", "xdbc:eval", "xdbc:eval-in", "xdmp:eval-in", "any-uri", "xdbc:invoke");
+    createUserRolesWithPrevilages("test-eval", "xdbc:eval", "xdbc:eval-in", "xdmp:eval-in", "any-uri", "xdbc:invoke", "xdmp-login");
     createRESTUser("eval-user", "x", "test-eval", "rest-admin", "rest-writer", "rest-reader", "rest-extension-user", "manage-user");
   }
 

marklogic-client-api-functionaltests/src/test/java/com/marklogic/client/fastfunctest/TestBulkWriteWithTransformations.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
+ * Copyright (c) 2010-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
  */
 
 package com.marklogic.client.fastfunctest;
@@ -54,7 +54,7 @@ public static void tearDownAfterClass() throws Exception {
   @BeforeEach
   public void setUp() throws Exception {
     // create new connection for each test below
-    createUserRolesWithPrevilages("test-eval", "xdbc:eval", "xdbc:eval-in", "xdmp:eval-in", "any-uri", "xdbc:invoke");
+    createUserRolesWithPrevilages("test-eval", "xdbc:eval", "xdbc:eval-in", "xdmp:eval-in", "any-uri", "xdbc:invoke", "xdmp-login");
     createRESTUser("eval-user", "x", "test-eval", "rest-admin", "rest-writer", "rest-reader");
 	client = newClientAsUser("eval-user", "x");
   }

marklogic-client-api-functionaltests/src/test/java/com/marklogic/client/fastfunctest/TestJSResourceExtensions.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
+ * Copyright (c) 2010-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
  */
 
 package com.marklogic.client.fastfunctest;
@@ -112,7 +112,7 @@ public String deleteJSON(String docUri) {
 
   @BeforeAll
   public static void setUpBeforeClass() throws Exception {
-    createUserRolesWithPrevilages("test-eval", "xdbc:eval", "xdbc:eval-in", "xdmp:value", "xdmp:eval", "xdmp:eval-in", "any-uri", "xdbc:invoke");
+    createUserRolesWithPrevilages("test-eval", "xdbc:eval", "xdbc:eval-in", "xdmp:value", "xdmp:eval", "xdmp:eval-in", "any-uri", "xdbc:invoke", "xdmp-login");
     createRESTUser("eval-user", "x", "test-eval", "rest-admin", "rest-writer", "rest-reader", "rest-extension-user");
   }
 

marklogic-client-api-functionaltests/src/test/java/com/marklogic/client/functionaltest/TestBiTemporal.java

@@ -121,7 +121,7 @@ public static void tearDownAfterClass() throws Exception {
   @BeforeEach
   public void setUp() throws Exception {
     createUserRolesWithPrevilages("test-eval", "xdbc:eval", "xdbc:eval-in", "xdmp:eval-in", "any-uri",
-        "xdbc:invoke", "temporal:statement-set-system-time");
+        "xdbc:invoke", "temporal:statement-set-system-time", "xdmp-login");
     createRESTUser("eval-user", "x", "test-eval", "rest-admin", "rest-writer", "rest-reader", "temporal-admin");
 
     adminClient = getDatabaseClient("rest-admin", "x", getConnType());

marklogic-client-api/src/main/java/com/marklogic/client/datamovement/ApplyTransformListener.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
+ * Copyright (c) 2010-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
  */
 package com.marklogic.client.datamovement;
 
@@ -253,10 +253,8 @@ public enum ApplyResult {
     REPLACE,
 
     /** Run the transform on each document, but ignore the value returned by
-     * the transform because the transform will do any necessary database
-     * modifications or other processing.  For example, a transform might call
-     * out to an external REST service or perhaps write multiple additional
-     * documents.
+     * the transform because the transform will do any necessary other processing.
+	 * For example, a transform might call out to an external REST service.
      */
     IGNORE
   };

marklogic-client-api/src/test/java/com/marklogic/client/test/datamovement/ApplyTransformTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
+ * Copyright (c) 2010-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
  */
 package com.marklogic.client.test.datamovement;
 
@@ -25,7 +25,9 @@
 import java.util.List;
 import java.util.Random;
 import java.util.concurrent.atomic.AtomicInteger;
+import java.util.concurrent.atomic.AtomicReference;
 
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.fail;
 
@@ -92,17 +94,19 @@ public void testResultIgnore() throws Exception {
     StructuredQueryDefinition query = sqb.value(sqb.jsonProperty("testProperty"), "test2");
     ServerTransform transform = new ServerTransform(transformName2)
       .addParameter("newValue", "test2a");
+	AtomicReference<Throwable> e = new AtomicReference<>();
     ApplyTransformListener listener = new ApplyTransformListener()
       .withTransform(transform)
-      .withApplyResult(ApplyResult.IGNORE);
+      .withApplyResult(ApplyResult.IGNORE).onFailure((batch, throwable) -> e.set(throwable));
     QueryBatcher batcher = moveMgr.newQueryBatcher(query)
       .onUrisReady(listener);
     JobTicket ticket = moveMgr.startJob( batcher );
     batcher.awaitCompletion();
     moveMgr.stopJob(ticket);
 
+    assertNotNull(e.get());
     JsonNode docContents = docMgr.readAs(collection + "/test2.json", JsonNode.class);
-    assertEquals("test2a", docContents.get("testProperty").textValue() );
+    assertEquals("test2", docContents.get("testProperty").textValue() );
   }
 
   @Test

test-app/src/main/ml-config/security/roles/java-test-xdmp-login.json

@@ -0,0 +1,46 @@
+{
+	"role-name": "java-test-xdmp-login",
+	"description": "Grants privileges required in ML 11 for invoking server-side transforms and resource extensions",
+	"privilege": [
+		{
+			"privilege-name": "xdmp-login",
+			"action": "http://marklogic.com/xdmp/privileges/xdmp-login",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "rest-reader",
+			"action": "http://marklogic.com/xdmp/privileges/rest-reader",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "xdmp:xslt-eval",
+			"action": "http://marklogic.com/xdmp/privileges/xslt-eval",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "xdmp:xslt-invoke",
+			"action": "http://marklogic.com/xdmp/privileges/xslt-invoke",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "xdmp:invoke",
+			"action": "http://marklogic.com/xdmp/privileges/xdmp-invoke",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "unprotected-uri",
+			"action": "http://marklogic.com/xdmp/privileges/unprotected-uri",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "unprotected-collections",
+			"action": "http://marklogic.com/xdmp/privileges/unprotected-collections",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "xdmp:value",
+			"action": "http://marklogic.com/xdmp/privileges/xdmp-value",
+			"kind": "execute"
+		}
+	]
+}

test-app/src/main/ml-config/security/roles/test-rest-writer.json

@@ -1,21 +1,41 @@
 {
-  "role-name": "test-rest-writer",
-  "description": "Role for test users that can write documents; does not inherit the OOTB rest-writer role so as to avoid having default permissions",
-  "privilege": [
-    {
-      "privilege-name": "rest-writer",
-      "action": "http://marklogic.com/xdmp/privileges/rest-writer",
-      "kind": "execute"
-    },
-    {
-      "privilege-name": "rest-reader",
-      "action": "http://marklogic.com/xdmp/privileges/rest-reader",
-      "kind": "execute"
-    },
-    {
-      "privilege-name": "rest-tracer",
-      "action": "http://marklogic.com/xdmp/privileges/rest-tracer",
-      "kind": "execute"
-    }
-  ]
-}
+	"role-name": "test-rest-writer",
+	"description": "Role for test users that can write documents; does not inherit the OOTB rest-writer role so as to avoid having default permissions",
+	"privilege": [
+		{
+			"privilege-name": "rest-writer",
+			"action": "http://marklogic.com/xdmp/privileges/rest-writer",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "rest-reader",
+			"action": "http://marklogic.com/xdmp/privileges/rest-reader",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "rest-tracer",
+			"action": "http://marklogic.com/xdmp/privileges/rest-tracer",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "xdmp-login",
+			"action": "http://marklogic.com/xdmp/privileges/xdmp-login",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "xdmp:invoke",
+			"action": "http://marklogic.com/xdmp/privileges/xdmp-invoke",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "unprotected-uri",
+			"action": "http://marklogic.com/xdmp/privileges/unprotected-uri",
+			"kind": "execute"
+		},
+		{
+			"privilege-name": "unprotected-collections",
+			"action": "http://marklogic.com/xdmp/privileges/unprotected-collections",
+			"kind": "execute"
+		}
+	]
+}

test-app/src/main/ml-config/security/users/opticUser.json

@@ -1,6 +1,6 @@
 {
   "user-name": "opticUser",
-  "description": "user discription",
+  "description": "user description",
   "password": "0pt1c",
   "role": [
     "tde-admin",
@@ -12,4 +12,4 @@
     "rest-extension-user",
     "manage-user"
   ]
-}
+}

test-app/src/main/ml-config/security/users/rest-admin.json

@@ -1,9 +1,6 @@
 {
   "user-name": "rest-admin",
   "description": "rest-admin user",
-  "role": [
-    "rest-admin",
-    "java-test-delete-temporal"
-  ],
+  "role": ["rest-admin", "java-test-delete-temporal", "java-test-xdmp-login"],
   "password": "x"
 }

test-app/src/main/ml-config/security/users/rest-evaluator.json

@@ -1,8 +1,6 @@
 {
   "user-name": "rest-evaluator",
   "description": "Test user for the java-client-api-project",
-  "role": [
-    "java-test-evaluator"
-  ],
+  "role": ["java-test-evaluator", "java-test-xdmp-login"],
   "password": "x"
 }

test-app/src/main/ml-config/security/users/rest-transform-user.json

@@ -0,0 +1,15 @@
+{
+  "user-name": "rest-transform-user",
+  "description": "REST API transform execution user",
+  "password": "x",
+  "role": [
+    "rest-transform-internal",
+    "rest-reader",
+    "rest-writer",
+    "java-test-xdmp-login"
+  ],
+  "permission": [
+    { "role-name": "rest-reader", "capability": "read" },
+    { "role-name": "rest-writer", "capability": "update" }
+  ]
+}

test-app/src/main/ml-config/security/users/rest-writer.json

@@ -1,9 +1,6 @@
 {
   "user-name": "rest-writer",
   "description": "rest-writer user",
-  "role": [
-    "rest-writer",
-    "java-test-delete-graph"
-  ],
+  "role": ["rest-writer", "java-test-delete-graph", "java-test-xdmp-login"],
   "password": "x"
 }

test-app/src/main/ml-config/security/users/writer-no-default-permissions.json

@@ -5,7 +5,8 @@
     "test-rest-writer",
     "java-test-delete-graph",
     "rest-extension-user",
-    "rest-reader"
+    "rest-reader",
+    "java-test-xdmp-login"
   ],
   "password": "x"
 }