Search in sources :

Example 61 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AbstractAutoCreatedPropertyTest method testReplaceNode.

@Test
public void testReplaceNode() throws Exception {
    allow(path, privilegesFromNames(new String[] { Privilege.JCR_MODIFY_PROPERTIES, Privilege.JCR_NODE_TYPE_MANAGEMENT }));
    testSession.removeItem(targetNode.getPath());
    Node newNode = testSession.getNode(childNPath).addNode(targetNode.getName(), targetNode.getPrimaryNodeType().getName());
    newNode.addMixin(getMixinName());
    try {
        testSession.save();
        fail();
    } catch (AccessDeniedException e) {
        testSession.refresh(false);
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) Node(javax.jcr.Node) Test(org.junit.Test)

Example 62 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testReadAccessControlWithoutPrivilege.

@Test
public void testReadAccessControlWithoutPrivilege() throws Exception {
    // re-grant READ in order to have an ACL-node
    Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
    JackrabbitAccessControlList tmpl = allow(path, privileges);
    String policyPath = tmpl.getPath() + "/rep:policy";
    // make sure the 'rep:policy' node has been created.
    assertTrue(superuser.itemExists(policyPath));
    /*
         Testuser must still have READ-only access only and must not be
         allowed to view the acl-node nor any item in the subtree that
         has been created.
        */
    assertFalse(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL)));
    assertFalse(testSession.itemExists(policyPath));
    assertFalse(testSession.nodeExists(policyPath));
    try {
        testSession.getNode(policyPath);
        fail("Accessing the rep:policy node must throw PathNotFoundException.");
    } catch (PathNotFoundException e) {
    // ok.
    }
    try {
        testAcMgr.getPolicies(tmpl.getPath());
        fail("test user must not have READ_AC privilege.");
    } catch (AccessDeniedException e) {
    // success
    }
    try {
        testAcMgr.getEffectivePolicies(tmpl.getPath());
        fail("test user must not have READ_AC privilege.");
    } catch (AccessDeniedException e) {
    // success
    }
    for (NodeIterator aceNodes = superuser.getNode(policyPath).getNodes(); aceNodes.hasNext(); ) {
        Node aceNode = aceNodes.nextNode();
        String aceNodePath = aceNode.getPath();
        assertFalse(testSession.nodeExists(aceNodePath));
        for (PropertyIterator it = aceNode.getProperties(); it.hasNext(); ) {
            assertFalse(testSession.propertyExists(it.nextProperty().getPath()));
        }
    }
}
Also used : NodeIterator(javax.jcr.NodeIterator) AccessDeniedException(javax.jcr.AccessDeniedException) Node(javax.jcr.Node) PropertyIterator(javax.jcr.PropertyIterator) PathNotFoundException(javax.jcr.PathNotFoundException) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)

Example 63 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testAccessControlModificationWithoutPrivilege.

@Test
public void testAccessControlModificationWithoutPrivilege() throws Exception {
    // give 'testUser' ADD_CHILD_NODES|MODIFY_PROPERTIES| REMOVE_CHILD_NODES privileges at 'path'
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_MODIFY_PROPERTIES });
    JackrabbitAccessControlList tmpl = allow(path, privileges);
    String policyPath = tmpl.getPath() + "/rep:policy";
    // make sure the 'rep:policy' node has been created.
    assertTrue(superuser.itemExists(policyPath));
    /*
         testuser must not have
         - permission to modify AC items
        */
    try {
        testAcMgr.setPolicy(tmpl.getPath(), tmpl);
        fail("test user must not have MODIFY_AC privilege.");
    } catch (AccessDeniedException e) {
    // success
    }
    try {
        testAcMgr.removePolicy(tmpl.getPath(), tmpl);
        fail("test user must not have MODIFY_AC privilege.");
    } catch (AccessDeniedException e) {
    // success
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)

Example 64 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testReorderPolicyNode.

@Test
public void testReorderPolicyNode() throws Exception {
    Node n = testSession.getNode(path);
    try {
        if (!n.getPrimaryNodeType().hasOrderableChildNodes()) {
            throw new NotExecutableException("Reordering child nodes is not supported..");
        }
        n.orderBefore(Text.getName(childNPath2), Text.getName(childNPath));
        testSession.save();
        fail("test session must not be allowed to reorder nodes.");
    } catch (AccessDeniedException e) {
    // success.
    }
    // grant all privileges
    allow(path, privilegesFromNames(new String[] { Privilege.JCR_ALL }));
    n.orderBefore(Text.getName(childNPath2), Text.getName(childNPath));
    testSession.save();
    n.orderBefore("rep:policy", Text.getName(childNPath2));
    testSession.save();
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException) Node(javax.jcr.Node) Test(org.junit.Test)

Example 65 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testAccessControlModification.

@Test
public void testAccessControlModification() throws Exception {
    // give 'testUser' READ_AC|MODIFY_AC privileges at 'path'
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_READ_ACCESS_CONTROL, Privilege.JCR_MODIFY_ACCESS_CONTROL });
    JackrabbitAccessControlList tmpl = allow(path, privileges);
    /*
         testuser must
         - still have the inherited READ permission.
         - must have permission to view AC items at 'path' (and below)
         - must have permission to modify AC items at 'path'

         testuser must not have
         - permission to view AC items outside of the tree defined by path.
        */
    // make sure the 'rep:policy' node has been created.
    assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));
    // test: MODIFY_AC granted at 'path'
    assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
    // test if testuser can READ access control on the path and on the
    // entire subtree that gets the policy inherited.
    AccessControlPolicy[] policies = testAcMgr.getPolicies(path);
    testAcMgr.getPolicies(childNPath);
    // test: READ_AC privilege does not apply outside of the tree.
    try {
        testAcMgr.getPolicies(siblingPath);
        fail("READ_AC privilege must not apply outside of the tree it has applied to.");
    } catch (AccessDeniedException e) {
    // success
    }
    // test: MODIFY_AC privilege does not apply outside of the tree.
    assertFalse(testAcMgr.hasPrivileges(siblingPath, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
    // test if testuser can modify AC-items
    // 1) add an ac-entry
    AccessControlList acl = (AccessControlList) policies[0];
    acl.addAccessControlEntry(testUser.getPrincipal(), repWritePrivileges);
    testAcMgr.setPolicy(path, acl);
    testSession.save();
    assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES)));
    // 2) remove the policy
    testAcMgr.removePolicy(path, policies[0]);
    testSession.save();
    // privileges must be gone again...
    try {
        testAcMgr.getEffectivePolicies(childNPath);
        fail("READ_AC privilege has been revoked -> must throw again.");
    } catch (AccessDeniedException e) {
    // success
    }
    // ... and since the ACE is stored with the policy all right except
    // READ must be gone.
    assertReadOnly(path);
}
Also used : AccessControlList(javax.jcr.security.AccessControlList) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) AccessDeniedException(javax.jcr.AccessDeniedException) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)

Aggregations

AccessDeniedException (javax.jcr.AccessDeniedException)189 Node (javax.jcr.Node)80 Test (org.junit.Test)68 Session (javax.jcr.Session)33 RepositoryException (javax.jcr.RepositoryException)23 Privilege (javax.jcr.security.Privilege)22 UserManager (org.apache.jackrabbit.api.security.user.UserManager)19 Workspace (javax.jcr.Workspace)18 Authorizable (org.apache.jackrabbit.api.security.user.Authorizable)15 ItemNotFoundException (javax.jcr.ItemNotFoundException)13 PathNotFoundException (javax.jcr.PathNotFoundException)13 Path (org.apache.jackrabbit.spi.Path)13 Principal (java.security.Principal)11 User (org.apache.jackrabbit.api.security.user.User)11 NotExecutableException (org.apache.jackrabbit.test.NotExecutableException)10 AccessControlManager (javax.jcr.security.AccessControlManager)9 AccessControlPolicy (javax.jcr.security.AccessControlPolicy)9 Property (javax.jcr.Property)8 JackrabbitWorkspace (org.apache.jackrabbit.api.JackrabbitWorkspace)8 JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)7