
Example 66 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit by apache.

the class NodeImpl method rename.

//-------------------------------------------------------< JackrabbitNode >
/**
     * {@inheritDoc}
     */
public void rename(String newName) throws RepositoryException {
    // Renames this node under its current parent. Every validation and
    // permission check below runs before the two mutating calls at the end
    // (onRedefine, renameChildNode), so a rejected rename changes nothing.
    //
    // newName is caller-supplied. It is parsed into a qualified name first, and
    // the raw string is also echoed into exception messages and debug logs.

    // check if this is the root node
    if (getDepth() == 0) {
        throw new RepositoryException("Cannot rename the root node");
    }
    // Parse the requested name; a malformed name is reported as a
    // RepositoryException carrying the NameException as its cause.
    Name qName;
    try {
        qName = sessionContext.getQName(newName);
    } catch (NameException e) {
        throw new RepositoryException("invalid node name: " + newName, e);
    }
    NodeImpl parent = (NodeImpl) getParent();
    // check for name collisions
    NodeImpl existing = null;
    try {
        existing = parent.getNode(qName);
        // check same-name sibling setting of existing node
        if (!existing.getDefinition().allowsSameNameSiblings()) {
            throw new ItemExistsException("Same name siblings are not allowed: " + existing);
        }
    } catch (AccessDeniedException ade) {
        // FIXME by throwing ItemExistsException we're disclosing too much information
        // Security note: the lookup was denied, i.e. a sibling with this name
        // exists but the session may not read it. Mapping that to
        // ItemExistsException confirms the sibling's existence to a caller
        // without read access. The empty message limits the detail, but the
        // exception type alone still carries the signal.
        // NOTE(review): closing this would change which exception callers
        // observe, so it needs an API-level decision rather than a local edit.
        throw new ItemExistsException();
    } catch (ItemNotFoundException infe) {
        // no name collision, fall through (existing stays null)
    }
    // verify that parent node
    // - is checked-out
    // - is not protected neither by node type constraints nor by retention/hold
    int options = ItemValidator.CHECK_CHECKED_OUT | ItemValidator.CHECK_LOCK | ItemValidator.CHECK_CONSTRAINTS | ItemValidator.CHECK_HOLD | ItemValidator.CHECK_RETENTION;
    // Both validator calls are given Permission.NONE; the access-control
    // decisions for this operation are the explicit isGranted() checks below.
    // NOTE(review): presumably Permission.NONE makes the validator skip its
    // own permission evaluation - confirm against ItemValidator.
    sessionContext.getItemValidator().checkRemove(parent, options, Permission.NONE);
    sessionContext.getItemValidator().checkModify(parent, options, Permission.NONE);
    // check constraints
    // get applicable definition of renamed target node
    NodeTypeImpl nt = (NodeTypeImpl) getPrimaryNodeType();
    org.apache.jackrabbit.spi.commons.nodetype.NodeDefinitionImpl newTargetDef;
    try {
        newTargetDef = parent.getApplicableChildNodeDefinition(qName, nt.getQName());
    } catch (RepositoryException re) {
        // Any failure to resolve a definition is reported as a constraint
        // violation; the original exception is kept as the cause.
        String msg = safeGetJCRPath() + ": no definition found in parent node's node type for renamed node";
        log.debug(msg);
        throw new ConstraintViolationException(msg, re);
    }
    // (the start of this comment is missing on this page) A sibling with the
    // new name was found above: its own definition was already checked, and
    // the definition that will apply to the renamed node is checked here too,
    // since the two do not necessarily have identical definitions.
    if (existing != null && !newTargetDef.allowsSameNameSiblings()) {
        throw new ItemExistsException("Same name siblings not allowed: " + existing);
    }
    // check permissions:
    // 1. on the parent node the session must have permission to manipulate the child-entries
    AccessManager acMgr = sessionContext.getAccessManager();
    if (!acMgr.isGranted(parent.getPrimaryPath(), qName, Permission.MODIFY_CHILD_NODE_COLLECTION)) {
        String msg = "Not allowed to rename node " + safeGetJCRPath() + " to " + newName;
        log.debug(msg);
        throw new AccessDeniedException(msg);
    }
    // 2. (the start of this comment is missing on this page) when the two
    //    names compared below differ, the session additionally needs
    //    NODE_TYPE_MNGMT on this node itself.
    //    The denial message is identical to the one in check 1, so a caller
    //    cannot tell from the exception which of the two checks failed.
    if (!nt.getName().equals(newTargetDef.getName()) && !(acMgr.isGranted(getPrimaryPath(), Permission.NODE_TYPE_MNGMT))) {
        String msg = "Not allowed to rename node " + safeGetJCRPath() + " to " + newName;
        log.debug(msg);
        throw new AccessDeniedException(msg);
    }
    // change definition
    onRedefine(newTargetDef.unwrap());
    // delegate to parent
    parent.renameChildNode(getNodeId(), qName, true);
}
Also used : AccessManager(org.apache.jackrabbit.core.security.AccessManager) AccessDeniedException(javax.jcr.AccessDeniedException) NodeDefinitionImpl(org.apache.jackrabbit.spi.commons.nodetype.NodeDefinitionImpl) NodeTypeImpl(org.apache.jackrabbit.core.nodetype.NodeTypeImpl) RepositoryException(javax.jcr.RepositoryException) Name(org.apache.jackrabbit.spi.Name) NameException(org.apache.jackrabbit.spi.commons.conversion.NameException) ItemExistsException(javax.jcr.ItemExistsException) ConstraintViolationException(javax.jcr.nodetype.ConstraintViolationException) ItemNotFoundException(javax.jcr.ItemNotFoundException)

Example 67 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit by apache.

the class ACLProvider method getEffectivePolicies.

/**
     * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions)
     */
public AccessControlPolicy[] getEffectivePolicies(Path absPath, CompiledPermissions permissions) throws ItemNotFoundException, RepositoryException {
    // Collects the access control lists that take effect at absPath by
    // querying for ACE nodes whose node-path property names absPath or one of
    // its ancestors, then keeping only the lists the caller may read.
    // Throws AccessDeniedException as soon as a matching entry belongs to a
    // list for which 'permissions' does not grant READ_AC.
    if (absPath == null) {
        // TODO: JCR-2774
        log.warn("TODO: JCR-2774 - Repository level permissions.");
        return new AccessControlPolicy[0];
    }

    String jcrPath = session.getJCRPath(absPath);
    String nodePathProperty = ISO9075.encode(session.getJCRName(ACLTemplate.P_NODE_PATH));
    int depth = absPath.getAncestorCount();

    // XPath statement: all rep:ACE elements below the access control root
    // whose node-path property equals absPath or any of its ancestors.
    StringBuilder xpath = new StringBuilder("/jcr:root")
            .append(acRoot.getPath())
            .append("//element(*,")
            .append(session.getJCRName(NT_REP_ACE))
            .append(")[");
    for (int level = 0; level <= depth; level++) {
        if (level > 0) {
            xpath.append(" or ");
        }
        String candidate = Text.getRelativeParent(jcrPath, level);
        // The path is spliced into a quoted string literal of the query text.
        // Doubling embedded single quotes is the only escaping applied here,
        // so the statement's integrity depends on it; keep it if this code is
        // ever refactored.
        xpath.append("@")
                .append(nodePathProperty)
                .append("='")
                .append(candidate.replace("'", "''"))
                .append("'");
    }
    xpath.append("]");

    QueryResult hits;
    try {
        Query query = session.getWorkspace().getQueryManager().createQuery(xpath.toString(), Query.XPATH);
        hits = query.execute();
    } catch (RepositoryException e) {
        log.error("Unexpected error while searching effective policies. {}", e.getMessage());
        throw new UnsupportedOperationException("Retrieve effective policies at absPath '" + jcrPath + "' not supported.", e);
    }

    // Walk the query hits and verify that
    // - the corresponding ACE really takes effect on the specified absPath.
    // - the corresponding ACL can be read by the editing session.
    // A query hit alone is not trusted: each ACL is re-read through the
    // editor and re-checked against the caller's compiled permissions.
    Set<AccessControlPolicy> effective = new LinkedHashSet<AccessControlPolicy>();
    NodeIterator aceNodes = hits.getNodes();
    while (aceNodes.hasNext()) {
        Node aceNode = aceNodes.nextNode();
        // Two levels above the ACE node is the path handed to the editor and
        // used for the READ_AC check.
        String aclOwnerPath = Text.getRelativeParent(aceNode.getPath(), 2);
        Path aclOwnerQPath = session.getQPath(aclOwnerPath);
        AccessControlPolicy[] found = editor.getPolicies(aclOwnerPath);
        if (found.length == 0) {
            continue;
        }
        ACLTemplate acl = (ACLTemplate) found[0];
        for (AccessControlEntry ace : acl.getAccessControlEntries()) {
            ACLTemplate.Entry candidateEntry = (ACLTemplate.Entry) ace;
            if (!candidateEntry.matches(jcrPath)) {
                continue;
            }
            // First matching entry decides: the ACL is either returned
            // (wrapped read-only) or the whole call is rejected.
            if (!permissions.grants(aclOwnerQPath, Permission.READ_AC)) {
                throw new AccessDeniedException("Access denied at " + aclOwnerPath);
            }
            effective.add(new UnmodifiableAccessControlList(acl));
            break;
        }
    }
    return effective.toArray(new AccessControlPolicy[effective.size()]);
}
Also used : LinkedHashSet(java.util.LinkedHashSet) NodeIterator(javax.jcr.NodeIterator) Path(org.apache.jackrabbit.spi.Path) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) AccessDeniedException(javax.jcr.AccessDeniedException) Query(javax.jcr.query.Query) Node(javax.jcr.Node) AccessControlEntry(javax.jcr.security.AccessControlEntry) RepositoryException(javax.jcr.RepositoryException) QueryResult(javax.jcr.query.QueryResult) AccessControlEntry(javax.jcr.security.AccessControlEntry) QueryManager(javax.jcr.query.QueryManager) UnmodifiableAccessControlList(org.apache.jackrabbit.core.security.authorization.UnmodifiableAccessControlList)

Example 68 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit by apache.

the class RSessionAccessControlTest method testWorkspaceMoveNode.

public void testWorkspaceMoveNode() throws Exception {
    // Negative access-control test: a workspace-level move requested through
    // the read-only session must be rejected with AccessDeniedException.
    Node source = (Node) readOnlySession.getItem(testNodePath);
    String target = testRootNode.getPath() + "/" + nodeName2;
    try {
        readOnlySession.getWorkspace().move(source.getPath(), target);
        // Reaching this line means the move was not blocked.
        fail("A read only session must not be allowed to move a node");
    } catch (AccessDeniedException denied) {
        // expected
        log.debug(denied.getMessage());
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) Node(javax.jcr.Node)

Example 69 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class AccessControlManagerImplTest method testHasRepoPrivilegesNoAccessToPrincipals.

@Test
public void testHasRepoPrivilegesNoAccessToPrincipals() throws Exception {
    // Negative access-control test: asking the test session's access control
    // manager for the privileges of the admin session's principals (with a
    // null path) must be refused with AccessDeniedException.
    AbstractAccessControlManager restrictedAcMgr = getTestAccessControlManager();
    // the test-session doesn't have sufficient permissions to read privilege set for admin session.
    try {
        restrictedAcMgr.getPrivileges(null, getPrincipals(adminSession));
        // Reaching this line means the privilege set was disclosed.
        fail("testSession doesn't have sufficient permission to read access control information");
    } catch (AccessDeniedException expected) {
        // success
    }
}
Also used : AbstractAccessControlManager(org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager) AccessDeniedException(javax.jcr.AccessDeniedException) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 70 with AccessDeniedException

use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

the class VersionManagementTest method testRemoveVersion3.

/**
     * @since oak (DIFF: jr required jcr:versionManagement privilege on the version store)
     */
@Test
public void testRemoveVersion3() throws Exception {
    // Negative access-control test: although version privileges are allowed
    // at SYSTEM, removing a version through the test session must still fail
    // with AccessDeniedException, because the assertion below has confirmed
    // that the session lacks those privileges on the node itself.

    // Check in twice as superuser and keep the first version as the removal target.
    Node versionable = createVersionableNode(superuser.getNode(path));
    Version firstVersion = versionable.checkin();
    versionable.checkout();
    versionable.checkin();

    testSession.refresh(false);
    assertFalse(testAcMgr.hasPrivileges(versionable.getPath(), versionPrivileges));

    // NOTE(review): allow() is defined outside this listing; the cleanup below
    // assumes it added an entry for testUser's principal at SYSTEM.
    AccessControlList systemAcl = allow(SYSTEM, versionPrivileges);
    try {
        testSession.getNode(versionable.getPath()).getVersionHistory().removeVersion(firstVersion.getName());
        fail("Missing jcr:versionManagement privilege -> remove a version must fail.");
    } catch (AccessDeniedException expected) {
        // success
    } finally {
        // revert privilege modification (manually remove the ACE added)
        // Runs on every outcome so the extra grant never outlives this test.
        for (AccessControlEntry ace : systemAcl.getAccessControlEntries()) {
            boolean belongsToTestUser = ace.getPrincipal().equals(testUser.getPrincipal());
            if (belongsToTestUser) {
                systemAcl.removeAccessControlEntry(ace);
            }
        }
        acMgr.setPolicy(SYSTEM, systemAcl);
        superuser.save();
    }
}
Also used : AccessControlList(javax.jcr.security.AccessControlList) AccessDeniedException(javax.jcr.AccessDeniedException) Version(javax.jcr.version.Version) Node(javax.jcr.Node) AccessControlEntry(javax.jcr.security.AccessControlEntry) Test(org.junit.Test)
