Example 46 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class L5_SpecialPermissionsTest method testUserManagement.

@Test
public void testUserManagement() throws RepositoryException {
    // EXERCISE: fix the permission setup and explain why!
    // grant full access to all users for 'testGroup'...
    paths.add(UserConstants.DEFAULT_USER_PATH);
    AccessControlUtils.addAccessControlEntry(superuser, UserConstants.DEFAULT_USER_PATH, testGroupPrincipal, new String[] { Privilege.JCR_ALL }, true);
    // ... but prevent the test user from writing to the admin user's node
    String adminPath = ((JackrabbitSession) superuser).getUserManager().getAuthorizable(superuser.getUserID()).getPath();
    paths.add(adminPath);
    AccessControlUtils.addAccessControlEntry(superuser, adminPath, EveryonePrincipal.getInstance(), new String[] { PrivilegeConstants.REP_WRITE }, false);
    // execute the test verifying that the password of 'testUser2' can be changed
    // but not the password of the admin user
    JackrabbitSession s = (JackrabbitSession) createTestSession();
    User u2 = s.getUserManager().getAuthorizable(testUser2.getID(), User.class);
    u2.changePassword("gugus");
    s.save();
    try {
        User admin = s.getUserManager().getAuthorizable(superuser.getUserID(), User.class);
        admin.changePassword("gugus");
        s.save();
        fail("privilege escalation!");
    } catch (AccessDeniedException e) {
        // success
    } finally {
        s.refresh(false);
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) User(org.apache.jackrabbit.api.security.user.User) JackrabbitSession(org.apache.jackrabbit.api.JackrabbitSession) L3_BuiltInPrivilegesTest(org.apache.jackrabbit.oak.exercise.security.privilege.L3_BuiltInPrivilegesTest) AbstractJCRTest(org.apache.jackrabbit.test.AbstractJCRTest) Test(org.junit.Test)

Example 47 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AbstractAutoCreatedPropertyTest method testReplaceNode.

@Test
public void testReplaceNode() throws Exception {
    allow(path, privilegesFromNames(new String[] { Privilege.JCR_MODIFY_PROPERTIES, Privilege.JCR_NODE_TYPE_MANAGEMENT }));
    // removing and re-adding the node succeeds transiently, but neither jcr:removeChildNodes
    // nor jcr:addChildNodes was granted, so the replacement must be rejected at save()
    testSession.removeItem(targetNode.getPath());
    Node newNode = testSession.getNode(childNPath).addNode(targetNode.getName(), targetNode.getPrimaryNodeType().getName());
    newNode.addMixin(getMixinName());
    try {
        testSession.save();
        fail("replacing a node without jcr:removeChildNodes/jcr:addChildNodes must fail");
    } catch (AccessDeniedException e) {
        // expected: discard the rejected transient changes
        testSession.refresh(false);
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) Node(javax.jcr.Node) Test(org.junit.Test)

Example 48 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testReadAccessControlWithoutPrivilege.

@Test
public void testReadAccessControlWithoutPrivilege() throws Exception {
    // re-grant READ in order to have an ACL-node
    Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
    JackrabbitAccessControlList tmpl = allow(path, privileges);
    String policyPath = tmpl.getPath() + "/rep:policy";
    // make sure the 'rep:policy' node has been created.
    assertTrue(superuser.itemExists(policyPath));
    /*
     * Testuser must still have read-only access and must not be
     * allowed to view the acl-node nor any item in the subtree that
     * has been created.
     */
    assertFalse(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL)));
    assertFalse(testSession.itemExists(policyPath));
    assertFalse(testSession.nodeExists(policyPath));
    try {
        testSession.getNode(policyPath);
        fail("Accessing the rep:policy node must throw PathNotFoundException.");
    } catch (PathNotFoundException e) {
        // ok.
    }
    try {
        testAcMgr.getPolicies(tmpl.getPath());
        fail("test user must not have READ_AC privilege.");
    } catch (AccessDeniedException e) {
        // success
    }
    try {
        testAcMgr.getEffectivePolicies(tmpl.getPath());
        fail("test user must not have READ_AC privilege.");
    } catch (AccessDeniedException e) {
        // success
    }
    for (NodeIterator aceNodes = superuser.getNode(policyPath).getNodes(); aceNodes.hasNext(); ) {
        Node aceNode = aceNodes.nextNode();
        String aceNodePath = aceNode.getPath();
        assertFalse(testSession.nodeExists(aceNodePath));
        for (PropertyIterator it = aceNode.getProperties(); it.hasNext(); ) {
            assertFalse(testSession.propertyExists(it.nextProperty().getPath()));
        }
    }
}
Also used : NodeIterator(javax.jcr.NodeIterator) AccessDeniedException(javax.jcr.AccessDeniedException) Node(javax.jcr.Node) PropertyIterator(javax.jcr.PropertyIterator) PathNotFoundException(javax.jcr.PathNotFoundException) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)
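Examples 46 through 48 all rely on the same two Oak behaviours: a transient modification that exceeds the session's privileges is accepted by the API call (addNode, removeItem, changePassword) and only rejected with AccessDeniedException at save(), after which refresh(false) must discard the rejected changes; and access-control content (rep:policy and its ACE children) is simply invisible to a session lacking jcr:readAccessControl (itemExists returns false, getNode throws PathNotFoundException), while the AccessControlManager reports the missing privilege explicitly with AccessDeniedException. The following stand-alone program exercises both points against an in-memory Oak repository. It is an added example, not code from the jackrabbit-oak test suite; it assumes Oak's default in-memory setup with admin credentials "admin"/"admin" and uses a made-up user id "acl-test-user" and password.

```java
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.PathNotFoundException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.jcr.Jcr;

/**
 * Added example (not part of jackrabbit-oak): a session holding only jcr:read and
 * jcr:modifyProperties on /content can edit that node, cannot see or read the
 * rep:policy node governing it, and has over-privileged transient writes rejected
 * only when save() is called.
 */
public class DenyCheck {

    private static final String CONTENT = "/content";
    private static final String TEST_USER = "acl-test-user";       // assumed user id
    private static final char[] TEST_PW = "test-pw".toCharArray();  // assumed password

    public static void main(String[] args) throws Exception {
        // In-memory repository with Oak's default security setup (admin/admin).
        Repository repo = new Jcr().createRepository();
        Session admin = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            setup(admin);
            Session test = repo.login(new SimpleCredentials(TEST_USER, TEST_PW));
            try {
                run(test);
                System.out.println("all checks passed");
            } finally {
                test.logout();
            }
        } finally {
            admin.logout();
        }
    }

    /** Creates /content and a test user that may read it and modify its properties. */
    static void setup(Session admin) throws RepositoryException {
        Node content = admin.getRootNode().addNode(CONTENT.substring(1), "nt:unstructured");
        content.setProperty("title", "hello");
        User u = ((JackrabbitSession) admin).getUserManager().createUser(TEST_USER, new String(TEST_PW));
        // jcr:read + jcr:modifyProperties only; no child-node or access-control privileges
        AccessControlUtils.addAccessControlEntry(admin, CONTENT, u.getPrincipal(),
                new String[] { Privilege.JCR_READ, Privilege.JCR_MODIFY_PROPERTIES }, true);
        admin.save();
    }

    static void run(Session test) throws RepositoryException {
        AccessControlManager acMgr = test.getAccessControlManager();
        String policyPath = CONTENT + "/rep:policy";

        // 1. Regular content is readable and writable within the granted privileges.
        Node content = test.getNode(CONTENT);
        content.setProperty("title", "changed");
        test.save();

        // 2. Without jcr:readAccessControl the policy node is hidden, not "denied":
        //    itemExists() is false and getNode() throws PathNotFoundException.
        expect(!test.itemExists(policyPath), "rep:policy must be hidden");
        try {
            test.getNode(policyPath);
            throw new AssertionError("rep:policy must not be resolvable");
        } catch (PathNotFoundException e) {
            // expected
        }

        // 3. The AccessControlManager reports the missing privilege explicitly.
        try {
            acMgr.getPolicies(CONTENT);
            throw new AssertionError("getPolicies must require jcr:readAccessControl");
        } catch (AccessDeniedException e) {
            // expected
        }

        // 4. A transient write beyond the granted privileges is accepted by addNode() and
        //    only rejected at save(); refresh(false) then drops the rejected changes.
        content.addNode("child", "nt:unstructured");
        try {
            test.save();
            throw new AssertionError("jcr:addChildNodes was never granted");
        } catch (AccessDeniedException e) {
            test.refresh(false);
        }
        expect(!test.hasPendingChanges(), "refresh(false) must discard the rejected changes");
    }

    private static void expect(boolean cond, String msg) {
        if (!cond) {
            throw new AssertionError(msg);
        }
    }
}
```

The check in step 4 is the reason every test on this page asserts after save() rather than after the modifying call, and why each catch block ends in refresh(false): without it the rejected changes stay pending and poison every later save() on the same session.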

Example 49 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testAccessControlModificationWithoutPrivilege.

@Test
public void testAccessControlModificationWithoutPrivilege() throws Exception {
    // give 'testUser' ADD_CHILD_NODES|MODIFY_PROPERTIES| REMOVE_CHILD_NODES privileges at 'path'
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_MODIFY_PROPERTIES });
    JackrabbitAccessControlList tmpl = allow(path, privileges);
    String policyPath = tmpl.getPath() + "/rep:policy";
    // make sure the 'rep:policy' node has been created.
    assertTrue(superuser.itemExists(policyPath));
    /*
     * testuser must not have permission to modify AC items
     */
    try {
        testAcMgr.setPolicy(tmpl.getPath(), tmpl);
        fail("test user must not have MODIFY_AC privilege.");
    } catch (AccessDeniedException e) {
        // success
    }
    try {
        testAcMgr.removePolicy(tmpl.getPath(), tmpl);
        fail("test user must not have MODIFY_AC privilege.");
    } catch (AccessDeniedException e) {
        // success
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)

Example 50 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testReorderPolicyNode.

@Test
public void testReorderPolicyNode() throws Exception {
    Node n = testSession.getNode(path);
    try {
        if (!n.getPrimaryNodeType().hasOrderableChildNodes()) {
            throw new NotExecutableException("Reordering child nodes is not supported.");
        }
        n.orderBefore(Text.getName(childNPath2), Text.getName(childNPath));
        testSession.save();
        fail("test session must not be allowed to reorder nodes.");
    } catch (AccessDeniedException e) {
        // success.
    }
    // grant all privileges: now both the content children and the rep:policy node can be reordered
    allow(path, privilegesFromNames(new String[] { Privilege.JCR_ALL }));
    n.orderBefore(Text.getName(childNPath2), Text.getName(childNPath));
    testSession.save();
    n.orderBefore("rep:policy", Text.getName(childNPath2));
    testSession.save();
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException) Node(javax.jcr.Node) Test(org.junit.Test)

Aggregations

AccessDeniedException (javax.jcr.AccessDeniedException) 189
Node (javax.jcr.Node) 80
Test (org.junit.Test) 68
Session (javax.jcr.Session) 33
RepositoryException (javax.jcr.RepositoryException) 23
Privilege (javax.jcr.security.Privilege) 22
UserManager (org.apache.jackrabbit.api.security.user.UserManager) 19
Workspace (javax.jcr.Workspace) 18
Authorizable (org.apache.jackrabbit.api.security.user.Authorizable) 15
ItemNotFoundException (javax.jcr.ItemNotFoundException) 13
PathNotFoundException (javax.jcr.PathNotFoundException) 13
Path (org.apache.jackrabbit.spi.Path) 13
Principal (java.security.Principal) 11
User (org.apache.jackrabbit.api.security.user.User) 11
NotExecutableException (org.apache.jackrabbit.test.NotExecutableException) 10
AccessControlManager (javax.jcr.security.AccessControlManager) 9
AccessControlPolicy (javax.jcr.security.AccessControlPolicy) 9
Property (javax.jcr.Property) 8
JackrabbitWorkspace (org.apache.jackrabbit.api.JackrabbitWorkspace) 8
JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList) 7