Use of javax.jcr.security.AccessControlEntry in project jackrabbit-oak by Apache.
Class AccessControlManagerImplTest, method testEffectivePoliciesFiltering.
/**
 * Verifies that the effective policies computed for a principal set expose only the
 * access control entries of the principals in that set.
 *
 * <p>The ACL stored at {@code testPath} holds three entries: two for the test principal
 * and one for the "everyone" principal. Querying with a set that contains only the test
 * principal must yield a single ACL with exactly the two matching entries. The lookup is
 * repeated with three different {@link Principal} objects sharing the same name, so the
 * test fails if the filtering depends on object equality instead of the principal name.
 */
@Test
public void testEffectivePoliciesFiltering() throws Exception {
    // One ACL, three entries: allow (glob-restricted) + deny for the test principal,
    // and a deny for everyone that must NOT show up in the filtered result.
    ACL testAcl = getApplicablePolicy(testPath);
    testAcl.addEntry(testPrincipal, testPrivileges, true, getGlobRestriction("*"));
    testAcl.addEntry(testPrincipal, privilegesFromNames(PrivilegeConstants.JCR_VERSION_MANAGEMENT), false);
    testAcl.addEntry(EveryonePrincipal.getInstance(),
            privilegesFromNames(PrivilegeConstants.JCR_LIFECYCLE_MANAGEMENT), false);
    assertEquals(3, testAcl.getAccessControlEntries().length);

    acMgr.setPolicy(testPath, testAcl);
    root.commit();

    // Three distinct objects that only agree on getName(): the original instance,
    // a fresh PrincipalImpl, and an anonymous implementation.
    Principal sameNameImpl = new PrincipalImpl(testPrincipal.getName());
    Principal anonymousSameName = new Principal() {
        @Override
        public String getName() {
            return testPrincipal.getName();
        }
    };
    List<Principal> sameNamePrincipals = ImmutableList.of(testPrincipal, sameNameImpl, anonymousSameName);

    for (Principal principal : sameNamePrincipals) {
        AccessControlPolicy[] effective = acMgr.getEffectivePolicies(ImmutableSet.of(principal));
        assertEquals(1, effective.length);
        assertTrue(effective[0] instanceof AccessControlList);

        AccessControlList effectiveAcl = (AccessControlList) effective[0];
        // The "everyone" entry is filtered out, leaving the two test-principal entries.
        assertEquals(2, effectiveAcl.getAccessControlEntries().length);

        AccessControlEntry[] filtered = effectiveAcl.getAccessControlEntries();
        for (int i = 0; i < filtered.length; i++) {
            assertEquals(principal.getName(), filtered[i].getPrincipal().getName());
        }
    }
}
Use of javax.jcr.security.AccessControlEntry in project jackrabbit-oak by Apache.
Class Jr2CompatibilityTest, method after.
/**
 * Tear-down hook: strips every entry that belongs to the test user's principal from the
 * ACL at the root path {@code "/"} and commits the change, so that permissions granted
 * during a test do not remain on the root node.
 *
 * <p>The parent tear-down runs in a {@code finally} block and is therefore executed even
 * if the ACL cleanup throws.
 */
@Override
@After
public void after() throws Exception {
    try {
        AccessControlManager accessControlManager = getAccessControlManager(root);
        JackrabbitAccessControlList rootAcl = AccessControlUtils.getAccessControlList(accessControlManager, "/");
        if (rootAcl == null) {
            // No ACL at the root: nothing to clean up (the finally block still runs).
            return;
        }

        boolean dirty = false;
        // Iterates the array returned by getAccessControlEntries() while removing
        // matching entries from the list itself.
        for (AccessControlEntry ace : rootAcl.getAccessControlEntries()) {
            if (!ace.getPrincipal().equals(getTestUser().getPrincipal())) {
                continue;
            }
            rootAcl.removeAccessControlEntry(ace);
            dirty = true;
        }

        // Only write back and commit when at least one entry was actually removed.
        if (dirty) {
            accessControlManager.setPolicy("/", rootAcl);
            root.commit();
        }
    } finally {
        super.after();
    }
}
Use of javax.jcr.security.AccessControlEntry in project jackrabbit by Apache.
Class JackrabbitAccessControlListTest, method testAllowWriteDenyRemove.
/**
 * Grants {@code rep:write} and then denies {@code jcr:removeChildNodes} to the same
 * principal, and checks how the access control list represents the combination.
 *
 * <p>Expected outcome, as asserted below: the allow side consists of exactly
 * {@code jcr:addChildNodes}, {@code jcr:removeNode}, {@code jcr:modifyProperties} and
 * {@code jcr:nodeTypeManagement} (the denied privilege is no longer part of it), and the
 * deny side consists of {@code jcr:removeChildNodes} alone.
 */
public void testAllowWriteDenyRemove() throws NotExecutableException, RepositoryException {
    Principal principal = getValidPrincipal();
    Privilege[] granted = privilegesFromName(PrivilegeRegistry.REP_WRITE);
    Privilege[] denied = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);

    templ.addEntry(principal, granted, true, Collections.<String, Value>emptyMap());
    templ.addEntry(principal, denied, false, Collections.<String, Value>emptyMap());

    // Collect the privileges of all entries for this principal, split by allow/deny.
    Set<Privilege> allowedPrivileges = new HashSet<Privilege>();
    Set<Privilege> deniedPrivileges = new HashSet<Privilege>();
    for (AccessControlEntry entry : templ.getAccessControlEntries()) {
        boolean relevant = principal.equals(entry.getPrincipal()) && entry instanceof JackrabbitAccessControlEntry;
        if (!relevant) {
            continue;
        }
        JackrabbitAccessControlEntry jackrabbitEntry = (JackrabbitAccessControlEntry) entry;
        Privilege[] entryPrivileges = jackrabbitEntry.getPrivileges();
        Set<Privilege> bucket = jackrabbitEntry.isAllow() ? allowedPrivileges : deniedPrivileges;
        bucket.addAll(Arrays.asList(entryPrivileges));
    }

    // The allow side must be the granted set minus the denied privilege.
    String[] expectedAllowNames = {
        Privilege.JCR_ADD_CHILD_NODES,
        Privilege.JCR_REMOVE_NODE,
        Privilege.JCR_MODIFY_PROPERTIES,
        Privilege.JCR_NODE_TYPE_MANAGEMENT
    };
    assertEquals(expectedAllowNames.length, allowedPrivileges.size());
    for (int i = 0; i < expectedAllowNames.length; i++) {
        assertTrue(allowedPrivileges.contains(acMgr.privilegeFromName(expectedAllowNames[i])));
    }

    // The deny side must hold the single denied privilege and nothing else.
    assertEquals(1, deniedPrivileges.size());
    assertEquals(acMgr.privilegeFromName(Privilege.JCR_REMOVE_CHILD_NODES), deniedPrivileges.iterator().next());
}
Use of javax.jcr.security.AccessControlEntry in project jackrabbit by Apache.
Class AbstractRepositoryOperationTest, method testGetEffectivePoliciesByPrincipal.
/**
 * Checks that {@code getEffectivePolicies(Set<Principal>)} picks up the repository-level
 * policy (addressed with a {@code null} path) for the test user's principal.
 *
 * <p>Starting from a state without any repository-level policy, two privilege changes are
 * applied through {@code modifyPrivileges}; afterwards the effective policies for the
 * principal set must consist of one ACL with two entries, each belonging to the test
 * user's principal. The {@code finally} block removes the repository-level policies again
 * and asserts that none is left.
 *
 * @throws NotExecutableException if the access control manager is not a
 *         {@code JackrabbitAccessControlManager} or the repository reports the
 *         operation as unsupported
 */
public void testGetEffectivePoliciesByPrincipal() throws Exception {
    if (!(acMgr instanceof JackrabbitAccessControlManager)) {
        throw new NotExecutableException();
    }
    JackrabbitAccessControlManager jackrabbitAcMgr = (JackrabbitAccessControlManager) acMgr;
    Set<Principal> testUserOnly = Collections.singleton(testUser.getPrincipal());

    try {
        // Precondition: neither a bound nor an effective repository-level policy exists,
        // but one is applicable.
        AccessControlPolicy[] boundBefore = acMgr.getPolicies(null);
        assertNotNull(boundBefore);
        assertEquals(0, boundBefore.length);

        AccessControlPolicy[] effectiveBefore = jackrabbitAcMgr.getEffectivePolicies(testUserOnly);
        assertNotNull(effectiveBefore);
        assertEquals(0, effectiveBefore.length);

        AccessControlPolicyIterator applicable = acMgr.getApplicablePolicies(null);
        assertTrue(applicable.hasNext());

        // Change the repository-level policy with two separate privilege modifications.
        modifyPrivileges(null, NameConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT.toString(), false);
        modifyPrivileges(null, NameConstants.JCR_NAMESPACE_MANAGEMENT.toString(), true);

        // The effective policies for the principal set must now be a single ACL whose
        // two entries all belong to the test user's principal.
        AccessControlPolicy[] effectiveAfter = jackrabbitAcMgr.getEffectivePolicies(testUserOnly);
        assertNotNull(effectiveAfter);
        assertEquals(1, effectiveAfter.length);
        assertTrue(effectiveAfter[0] instanceof AccessControlList);

        AccessControlList repoAcl = (AccessControlList) effectiveAfter[0];
        AccessControlEntry[] entries = repoAcl.getAccessControlEntries();
        assertNotNull(entries);
        assertEquals(2, entries.length);
        for (int i = 0; i < entries.length; i++) {
            assertEquals(testUser.getPrincipal(), entries[i].getPrincipal());
        }
    } catch (UnsupportedRepositoryOperationException unsupported) {
        throw new NotExecutableException();
    } finally {
        // Clean up: drop every repository-level policy and persist the removal.
        for (AccessControlPolicy bound : acMgr.getPolicies(null)) {
            acMgr.removePolicy(null, bound);
        }
        superuser.save();

        // Postcondition: no repository-level policy remains.
        AccessControlPolicy[] remaining = acMgr.getPolicies(null);
        assertNotNull(remaining);
        assertEquals(0, remaining.length);
    }
}
Use of javax.jcr.security.AccessControlEntry in project jackrabbit by Apache.
Class AbstractRepositoryOperationTest, method testRepoPolicyAPI.
/**
 * Walks through the access control API for the repository-level policy, which is
 * addressed by passing {@code null} as the path.
 *
 * <p>Sequence: confirm that no repository-level policy is bound or effective while one is
 * applicable; apply two privilege modifications and check that bound and effective
 * policies each report one ACL with two entries; remove the second entry and check that
 * only one entry is left and that namespace management is no longer granted. The
 * {@code finally} block removes all repository-level policies and re-checks the initial
 * state.
 *
 * @throws NotExecutableException if the repository reports the operation as unsupported
 */
public void testRepoPolicyAPI() throws Exception {
try {
// initial state: no repo level policy is bound ...
AccessControlPolicy[] policies = acMgr.getPolicies(null);
assertNotNull(policies);
assertEquals(0, policies.length);
// ... and none is effective either
AccessControlPolicy[] effective = acMgr.getEffectivePolicies(null);
assertNotNull(effective);
assertEquals(0, effective.length);
// a policy must nevertheless be applicable at the repo level, and it has to be
// a JackrabbitAccessControlPolicy
AccessControlPolicyIterator it = acMgr.getApplicablePolicies(null);
assertNotNull(it);
assertTrue(it.hasNext());
AccessControlPolicy acp = it.nextAccessControlPolicy();
assertNotNull(acp);
assertTrue(acp instanceof JackrabbitAccessControlPolicy);
// modify the repo level policy; modifyPrivileges is defined outside this method,
// the boolean presumably selects allow (true) / deny (false) -- matches the
// assertPrivilege expectations further down
modifyPrivileges(null, NameConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT.toString(), false);
modifyPrivileges(null, NameConstants.JCR_NAMESPACE_MANAGEMENT.toString(), true);
// the bound policy is now a single ACL with two entries
AccessControlPolicy[] plcs = acMgr.getPolicies(null);
assertNotNull(plcs);
assertEquals(1, plcs.length);
assertTrue(plcs[0] instanceof AccessControlList);
AccessControlList acl = (AccessControlList) plcs[0];
AccessControlEntry[] aces = acl.getAccessControlEntries();
assertNotNull(aces);
assertEquals(2, aces.length);
// namespace management is expected to be granted, node type definition
// management is expected not to be
assertPrivilege(NameConstants.JCR_NAMESPACE_MANAGEMENT, true);
assertPermission(Permission.NAMESPACE_MNGMT, true);
assertPrivilege(NameConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT, false);
assertPermission(Permission.NODE_TYPE_DEF_MNGMT, false);
// the effective policy must mirror the bound one: one ACL, two entries
effective = acMgr.getEffectivePolicies(null);
assertNotNull(effective);
assertEquals(1, effective.length);
assertTrue(effective[0] instanceof AccessControlList);
acl = (AccessControlList) effective[0];
aces = acl.getAccessControlEntries();
assertNotNull(aces);
assertEquals(2, aces.length);
// change the policy: removing the second entry in the access control list
// NOTE(review): index [1] relies on the entries being returned in insertion order;
// the assertions below expect it to be the namespace management entry -- confirm
acl = (AccessControlList) acMgr.getPolicies(null)[0];
AccessControlEntry toRemove = acl.getAccessControlEntries()[1];
acl.removeAccessControlEntry(toRemove);
acMgr.setPolicy(null, acl);
superuser.save();
// one entry is left, and namespace management is no longer granted
acl = (AccessControlList) acMgr.getPolicies(null)[0];
aces = acl.getAccessControlEntries();
assertNotNull(aces);
assertEquals(1, aces.length);
assertPrivilege(NameConstants.JCR_NAMESPACE_MANAGEMENT, false);
assertPermission(Permission.NAMESPACE_MNGMT, false);
assertPrivilege(NameConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT, false);
assertPermission(Permission.NODE_TYPE_DEF_MNGMT, false);
} catch (UnsupportedRepositoryOperationException e) {
throw new NotExecutableException();
} finally {
// remove it again so the repo level privileges do not stay in place after the test
// NOTE(review): an exception or assertion failure raised in this finally block
// replaces any exception thrown from the try block
for (AccessControlPolicy plc : acMgr.getPolicies(null)) {
acMgr.removePolicy(null, plc);
}
superuser.save();
// back to initial state: no repo level policy bound or effective, one applicable
AccessControlPolicy[] policies = acMgr.getPolicies(null);
assertNotNull(policies);
assertEquals(0, policies.length);
AccessControlPolicy[] effective = acMgr.getEffectivePolicies(null);
assertNotNull(effective);
assertEquals(0, effective.length);
AccessControlPolicyIterator it = acMgr.getApplicablePolicies(null);
assertNotNull(it);
assertTrue(it.hasNext());
AccessControlPolicy acp = it.nextAccessControlPolicy();
assertNotNull(acp);
assertTrue(acp instanceof JackrabbitAccessControlPolicy);
}
}