
Example 51 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testAccessControlModification.

@Test
public void testAccessControlModification() throws Exception {
    // give 'testUser' READ_AC|MODIFY_AC privileges at 'path'
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_READ_ACCESS_CONTROL, Privilege.JCR_MODIFY_ACCESS_CONTROL });
    JackrabbitAccessControlList tmpl = allow(path, privileges);
    /*
     * testuser must
     * - still have the inherited READ permission.
     * - have permission to view AC items at 'path' (and below)
     * - have permission to modify AC items at 'path'
     *
     * testuser must not have
     * - permission to view AC items outside of the tree defined by path.
     */
    // make sure the 'rep:policy' node has been created.
    assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));
    // test: MODIFY_AC granted at 'path'
    assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
    // test if testuser can READ access control on the path and on the
    // entire subtree that gets the policy inherited.
    AccessControlPolicy[] policies = testAcMgr.getPolicies(path);
    testAcMgr.getPolicies(childNPath);
    // test: READ_AC privilege does not apply outside of the tree.
    try {
        testAcMgr.getPolicies(siblingPath);
        fail("READ_AC privilege must not apply outside of the tree it has applied to.");
    } catch (AccessDeniedException e) {
        // success
    }
    // test: MODIFY_AC privilege does not apply outside of the tree.
    assertFalse(testAcMgr.hasPrivileges(siblingPath, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
    // test if testuser can modify AC-items
    // 1) add an ac-entry
    AccessControlList acl = (AccessControlList) policies[0];
    acl.addAccessControlEntry(testUser.getPrincipal(), repWritePrivileges);
    testAcMgr.setPolicy(path, acl);
    testSession.save();
    assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES)));
    // 2) remove the policy
    testAcMgr.removePolicy(path, policies[0]);
    testSession.save();
    // privileges must be gone again...
    try {
        testAcMgr.getEffectivePolicies(childNPath);
        fail("READ_AC privilege has been revoked -> must throw again.");
    } catch (AccessDeniedException e) {
        // success
    }
    // ... and since the ACE is stored with the policy, all rights except
    // READ must be gone.
    assertReadOnly(path);
}
Also used : AccessControlList(javax.jcr.security.AccessControlList) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) AccessDeniedException(javax.jcr.AccessDeniedException) Privilege(javax.jcr.security.Privilege) Test(org.junit.Test)

Example 52 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class IndexManagementTest method testAddOakIndexWithoutPermission.

public void testAddOakIndexWithoutPermission() throws Exception {
    allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
    Node n = testSession.getNode(path);
    try {
        n.addNode(IndexConstants.INDEX_DEFINITIONS_NAME);
        testSession.save();
        fail("AccessDeniedException expected. Test session is not allowed to add oak:index node.");
    } catch (AccessDeniedException e) {
        // success: rep:write alone does not allow adding the oak:index node
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) Node(javax.jcr.Node)

Example 53 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class IndexManagementTest method testModifyIndexDefinitionWithoutPermission3.

public void testModifyIndexDefinitionWithoutPermission3() throws Exception {
    Node indexDef = superuser.getNode(path).addNode(IndexConstants.INDEX_DEFINITIONS_NAME).addNode("myIndex", IndexConstants.INDEX_DEFINITIONS_NODE_TYPE);
    indexDef.setProperty(IndexConstants.TYPE_PROPERTY_NAME, "myType");
    indexDef.setProperty("customProp", "val");
    superuser.save();
    allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
    try {
        Node n = testSession.getNode(path).getNode(IndexConstants.INDEX_DEFINITIONS_NAME).getNode("myIndex");
        n.getProperty("customProp").setValue("val2");
        testSession.save();
        fail("AccessDeniedException expected. Test session is not allowed to modify index definition property.");
    } catch (AccessDeniedException e) {
        // success: rep:write alone does not allow modifying an index definition property
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) Node(javax.jcr.Node)

Example 54 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AbstractAutoCreatedPropertyTest method testRemoveReAddMixin.

@Test
public void testRemoveReAddMixin() throws Exception {
    allow(path, privilegesFromNames(new String[] { Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_REMOVE_NODE, Privilege.JCR_REMOVE_CHILD_NODES }));
    try {
        Node refNode = testSession.getNode(targetNode.getPath());
        refNode.removeMixin(getMixinName());
        refNode.addMixin(getMixinName());
        testSession.save();
        fail();
    } catch (AccessDeniedException e) {
        // success
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) Node(javax.jcr.Node) Test(org.junit.Test)

Example 55 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AbstractAutoCreatedPropertyTest method testReplaceNode3.

@Test
public void testReplaceNode3() throws Exception {
    allow(path, privilegesFromNames(new String[] { Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_NODE_TYPE_MANAGEMENT }));
    testSession.removeItem(targetNode.getPath());
    Node newNode = testSession.getNode(childNPath).addNode(targetNode.getName(), targetNode.getPrimaryNodeType().getName());
    newNode.addMixin(getMixinName());
    try {
        testSession.save();
        fail();
    } catch (AccessDeniedException e) {
        testSession.refresh(false);
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) Node(javax.jcr.Node) Test(org.junit.Test)

Aggregations

AccessDeniedException (javax.jcr.AccessDeniedException) 189
Node (javax.jcr.Node) 80
Test (org.junit.Test) 68
Session (javax.jcr.Session) 33
RepositoryException (javax.jcr.RepositoryException) 23
Privilege (javax.jcr.security.Privilege) 22
UserManager (org.apache.jackrabbit.api.security.user.UserManager) 19
Workspace (javax.jcr.Workspace) 18
Authorizable (org.apache.jackrabbit.api.security.user.Authorizable) 15
ItemNotFoundException (javax.jcr.ItemNotFoundException) 13
PathNotFoundException (javax.jcr.PathNotFoundException) 13
Path (org.apache.jackrabbit.spi.Path) 13
Principal (java.security.Principal) 11
User (org.apache.jackrabbit.api.security.user.User) 11
NotExecutableException (org.apache.jackrabbit.test.NotExecutableException) 10
AccessControlManager (javax.jcr.security.AccessControlManager) 9
AccessControlPolicy (javax.jcr.security.AccessControlPolicy) 9
Property (javax.jcr.Property) 8
JackrabbitWorkspace (org.apache.jackrabbit.api.JackrabbitWorkspace) 8
JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList) 7