
Example 41 with AccessControlEntry

use of javax.jcr.security.AccessControlEntry in project jackrabbit-oak by apache.

the class AccessControlManagerImplTest method testEffectivePoliciesFiltering.

/**
 * Verifies that looking up effective policies for a principal set returns only
 * the entries of the requested principal, and that the match is made on the
 * principal <em>name</em> rather than on principal equality.
 *
 * <p>Three entries are written (two for the test principal, one for
 * 'everyone'); each lookup is expected to yield a single ACL with exactly the
 * two entries of the test principal.
 */
@Test
public void testEffectivePoliciesFiltering() throws Exception {
    // Build one policy at testPath: an allow entry with a glob restriction and a
    // deny entry for the test principal, plus a deny entry for 'everyone'.
    ACL template = getApplicablePolicy(testPath);
    template.addEntry(testPrincipal, testPrivileges, true, getGlobRestriction("*"));
    template.addEntry(testPrincipal, privilegesFromNames(PrivilegeConstants.JCR_VERSION_MANAGEMENT), false);
    template.addEntry(EveryonePrincipal.getInstance(), privilegesFromNames(PrivilegeConstants.JCR_LIFECYCLE_MANAGEMENT), false);
    assertEquals(3, template.getAccessControlEntries().length);
    acMgr.setPolicy(testPath, template);
    root.commit();

    // Three representations of the same principal name: the original instance,
    // a fresh PrincipalImpl, and an anonymous Principal. The latter two are
    // different objects (and classes), so a filter based on equals() instead of
    // getName() could miss them.
    Principal original = testPrincipal;
    Principal sameNameImpl = new PrincipalImpl(testPrincipal.getName());
    Principal sameNameAnonymous = new Principal() {

        @Override
        public String getName() {
            return testPrincipal.getName();
        }
    };
    List<Principal> candidates = ImmutableList.of(original, sameNameImpl, sameNameAnonymous);

    for (Principal candidate : candidates) {
        AccessControlPolicy[] effective = acMgr.getEffectivePolicies(ImmutableSet.of(candidate));
        assertEquals(1, effective.length);
        assertTrue(effective[0] instanceof AccessControlList);

        AccessControlEntry[] entries = ((AccessControlList) effective[0]).getAccessControlEntries();
        // 3 entries were stored; the 'everyone' entry must not show up here.
        assertEquals(2, entries.length);
        for (AccessControlEntry entry : entries) {
            assertEquals(candidate.getName(), entry.getPrincipal().getName());
        }
    }
}
Also used : JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) AccessControlList(javax.jcr.security.AccessControlList) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) AccessControlEntry(javax.jcr.security.AccessControlEntry) TestACL(org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.TestACL) PrincipalImpl(org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl) Principal(java.security.Principal) EveryonePrincipal(org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 42 with AccessControlEntry

use of javax.jcr.security.AccessControlEntry in project jackrabbit-oak by apache.

the class Jr2CompatibilityTest method after.

/**
 * Test teardown: removes every entry belonging to the test user's principal
 * from the access control list at the root path ("/") and persists the change,
 * so grants made on the root node do not leak into later tests. The superclass
 * teardown runs in all cases.
 */
@Override
@After
public void after() throws Exception {
    try {
        AccessControlManager manager = getAccessControlManager(root);
        JackrabbitAccessControlList rootAcl = AccessControlUtils.getAccessControlList(manager, "/");
        if (rootAcl == null) {
            // No ACL at the root: nothing to clean up (finally still runs super.after()).
            return;
        }
        int removedCount = 0;
        // getAccessControlEntries() hands back an array, so removing from the
        // list while looping over that array is safe.
        for (AccessControlEntry ace : rootAcl.getAccessControlEntries()) {
            // NOTE(review): the match relies on Principal.equals(); an entry whose
            // principal has the same name but a non-equal implementation would be
            // left behind on "/". Confirm the principal types used by this test.
            if (ace.getPrincipal().equals(getTestUser().getPrincipal())) {
                rootAcl.removeAccessControlEntry(ace);
                removedCount++;
            }
        }
        // Write the policy back only when at least one entry was dropped.
        if (removedCount > 0) {
            manager.setPolicy("/", rootAcl);
            root.commit();
        }
    } finally {
        super.after();
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlEntry(javax.jcr.security.AccessControlEntry) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) After(org.junit.After)

Example 43 with AccessControlEntry

use of javax.jcr.security.AccessControlEntry in project jackrabbit by apache.

the class JackrabbitAccessControlListTest method testAllowWriteDenyRemove.

/**
 * Adds an allow entry for {@code rep:write} and a deny entry for
 * {@code jcr:removeChildNodes} for the same principal, then checks the
 * privileges carried by the resulting allow and deny entries.
 *
 * <p>The assertions expect the allowed set to consist of exactly four
 * privileges (add child nodes, remove node, modify properties, node type
 * management) and the denied set to hold only {@code jcr:removeChildNodes},
 * i.e. the denied privilege must no longer appear among the allowed ones.
 */
public void testAllowWriteDenyRemove() throws NotExecutableException, RepositoryException {
    Principal principal = getValidPrincipal();
    Privilege[] granted = privilegesFromName(PrivilegeRegistry.REP_WRITE);
    Privilege[] denied = privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES);
    // Allow first, deny second; both without restrictions.
    templ.addEntry(principal, granted, true, Collections.<String, Value>emptyMap());
    templ.addEntry(principal, denied, false, Collections.<String, Value>emptyMap());

    // Collect the privileges of this principal's entries, split by allow/deny.
    Set<Privilege> allows = new HashSet<Privilege>();
    Set<Privilege> denies = new HashSet<Privilege>();
    for (AccessControlEntry candidate : templ.getAccessControlEntries()) {
        if (!principal.equals(candidate.getPrincipal()) || !(candidate instanceof JackrabbitAccessControlEntry)) {
            // isAllow() is only available on the Jackrabbit entry type.
            continue;
        }
        JackrabbitAccessControlEntry jrEntry = (JackrabbitAccessControlEntry) candidate;
        Privilege[] entryPrivileges = jrEntry.getPrivileges();
        Set<Privilege> bucket = jrEntry.isAllow() ? allows : denies;
        bucket.addAll(Arrays.asList(entryPrivileges));
    }

    // What must remain allowed once jcr:removeChildNodes has been denied.
    String[] expectedAllowed = {
        Privilege.JCR_ADD_CHILD_NODES,
        Privilege.JCR_REMOVE_NODE,
        Privilege.JCR_MODIFY_PROPERTIES,
        Privilege.JCR_NODE_TYPE_MANAGEMENT
    };
    assertEquals(expectedAllowed.length, allows.size());
    for (String privilegeName : expectedAllowed) {
        assertTrue(allows.contains(acMgr.privilegeFromName(privilegeName)));
    }

    // Exactly one denied privilege: the one passed to the deny entry.
    assertEquals(1, denies.size());
    assertEquals(acMgr.privilegeFromName(Privilege.JCR_REMOVE_CHILD_NODES), denies.iterator().next());
}
Also used : JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry) JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry) AccessControlEntry(javax.jcr.security.AccessControlEntry) Privilege(javax.jcr.security.Privilege) Principal(java.security.Principal) HashSet(java.util.HashSet)

Example 44 with AccessControlEntry

use of javax.jcr.security.AccessControlEntry in project jackrabbit by apache.

the class AbstractRepositoryOperationTest method testGetEffectivePoliciesByPrincipal.

/**
 * Checks that the effective policies computed for a principal set reflect a
 * repository-level policy (the one addressed with a {@code null} path).
 *
 * <p>Requires a {@link JackrabbitAccessControlManager}; otherwise, or when the
 * repository reports the operation as unsupported, the test is flagged as not
 * executable. The repository-level policies are removed again in the
 * {@code finally} block.
 */
public void testGetEffectivePoliciesByPrincipal() throws Exception {
    if (!(acMgr instanceof JackrabbitAccessControlManager)) {
        throw new NotExecutableException();
    }
    JackrabbitAccessControlManager jrManager = (JackrabbitAccessControlManager) acMgr;
    Set<Principal> testUserOnly = Collections.singleton(testUser.getPrincipal());
    try {
        // Precondition: nothing is bound at repository level and nothing is
        // effective for the test user, but a policy can be applied.
        AccessControlPolicy[] boundBefore = acMgr.getPolicies(null);
        assertNotNull(boundBefore);
        assertEquals(0, boundBefore.length);

        AccessControlPolicy[] effectiveBefore = jrManager.getEffectivePolicies(testUserOnly);
        assertNotNull(effectiveBefore);
        assertEquals(0, effectiveBefore.length);

        AccessControlPolicyIterator applicable = acMgr.getApplicablePolicies(null);
        assertTrue(applicable.hasNext());

        // Change the repository-level policy twice.
        // NOTE(review): the boolean presumably selects deny (false) / allow (true);
        // modifyPrivileges is defined outside this listing.
        modifyPrivileges(null, NameConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT.toString(), false);
        modifyPrivileges(null, NameConstants.JCR_NAMESPACE_MANAGEMENT.toString(), true);

        // The lookup by principal set must now yield one ACL with two entries,
        // each of them belonging to the test user's principal.
        AccessControlPolicy[] effectiveAfter = jrManager.getEffectivePolicies(testUserOnly);
        assertNotNull(effectiveAfter);
        assertEquals(1, effectiveAfter.length);
        assertTrue(effectiveAfter[0] instanceof AccessControlList);

        AccessControlList repoAcl = (AccessControlList) effectiveAfter[0];
        AccessControlEntry[] entries = repoAcl.getAccessControlEntries();
        assertNotNull(entries);
        assertEquals(2, entries.length);
        for (AccessControlEntry entry : entries) {
            assertEquals(testUser.getPrincipal(), entry.getPrincipal());
        }
    } catch (UnsupportedRepositoryOperationException e) {
        throw new NotExecutableException();
    } finally {
        // Drop every repository-level policy so later tests start clean.
        // Note: a failure in this block replaces any exception raised in the
        // try block above.
        for (AccessControlPolicy bound : acMgr.getPolicies(null)) {
            acMgr.removePolicy(null, bound);
        }
        superuser.save();

        // Postcondition: back to "no repository-level policy".
        AccessControlPolicy[] boundAtEnd = acMgr.getPolicies(null);
        assertNotNull(boundAtEnd);
        assertEquals(0, boundAtEnd.length);
    }
}
Also used : JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlList(javax.jcr.security.AccessControlList) UnsupportedRepositoryOperationException(javax.jcr.UnsupportedRepositoryOperationException) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException) AccessControlEntry(javax.jcr.security.AccessControlEntry) AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator) Principal(java.security.Principal)

Example 45 with AccessControlEntry

use of javax.jcr.security.AccessControlEntry in project jackrabbit by apache.

the class AbstractRepositoryOperationTest method testRepoPolicyAPI.

/**
 * Walks the repository-level access control API (policies addressed with a
 * {@code null} path) through a full cycle: empty initial state, two privilege
 * modifications, inspection through {@code getPolicies} and
 * {@code getEffectivePolicies}, removal of one entry, and cleanup.
 *
 * <p>The test is flagged as not executable when the repository reports the
 * operation as unsupported. The {@code finally} block removes all
 * repository-level policies and re-checks the initial state.
 */
public void testRepoPolicyAPI() throws Exception {
    try {
        // Precondition: nothing bound, nothing effective, one applicable policy
        // of the Jackrabbit policy type.
        AccessControlPolicy[] boundBefore = acMgr.getPolicies(null);
        assertNotNull(boundBefore);
        assertEquals(0, boundBefore.length);

        AccessControlPolicy[] effectiveBefore = acMgr.getEffectivePolicies(null);
        assertNotNull(effectiveBefore);
        assertEquals(0, effectiveBefore.length);

        AccessControlPolicyIterator applicable = acMgr.getApplicablePolicies(null);
        assertNotNull(applicable);
        assertTrue(applicable.hasNext());
        AccessControlPolicy firstApplicable = applicable.nextAccessControlPolicy();
        assertNotNull(firstApplicable);
        assertTrue(firstApplicable instanceof JackrabbitAccessControlPolicy);

        // Change the repository-level policy twice; the privilege assertions
        // below expect namespace management to be granted afterwards and node
        // type definition management not to be.
        modifyPrivileges(null, NameConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT.toString(), false);
        modifyPrivileges(null, NameConstants.JCR_NAMESPACE_MANAGEMENT.toString(), true);

        // The bound policy is now a single ACL with two entries.
        AccessControlPolicy[] boundAfter = acMgr.getPolicies(null);
        assertNotNull(boundAfter);
        assertEquals(1, boundAfter.length);
        assertTrue(boundAfter[0] instanceof AccessControlList);
        AccessControlList boundAcl = (AccessControlList) boundAfter[0];
        AccessControlEntry[] boundEntries = boundAcl.getAccessControlEntries();
        assertNotNull(boundEntries);
        assertEquals(2, boundEntries.length);

        assertPrivilege(NameConstants.JCR_NAMESPACE_MANAGEMENT, true);
        assertPermission(Permission.NAMESPACE_MNGMT, true);
        assertPrivilege(NameConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT, false);
        assertPermission(Permission.NODE_TYPE_DEF_MNGMT, false);

        // The effective policies must show the same picture.
        AccessControlPolicy[] effectiveAfter = acMgr.getEffectivePolicies(null);
        assertNotNull(effectiveAfter);
        assertEquals(1, effectiveAfter.length);
        assertTrue(effectiveAfter[0] instanceof AccessControlList);
        AccessControlList effectiveAcl = (AccessControlList) effectiveAfter[0];
        AccessControlEntry[] effectiveEntries = effectiveAcl.getAccessControlEntries();
        assertNotNull(effectiveEntries);
        assertEquals(2, effectiveEntries.length);

        // Remove the second entry of the bound ACL and persist the change.
        // NOTE(review): picking index 1 assumes entries come back in insertion
        // order; the assertions below only hold if that entry is the one that
        // granted namespace management.
        AccessControlList editable = (AccessControlList) acMgr.getPolicies(null)[0];
        AccessControlEntry secondEntry = editable.getAccessControlEntries()[1];
        editable.removeAccessControlEntry(secondEntry);
        acMgr.setPolicy(null, editable);
        superuser.save();

        // One entry is left and neither privilege is granted any more.
        AccessControlList reread = (AccessControlList) acMgr.getPolicies(null)[0];
        AccessControlEntry[] remaining = reread.getAccessControlEntries();
        assertNotNull(remaining);
        assertEquals(1, remaining.length);

        assertPrivilege(NameConstants.JCR_NAMESPACE_MANAGEMENT, false);
        assertPermission(Permission.NAMESPACE_MNGMT, false);
        assertPrivilege(NameConstants.JCR_NODE_TYPE_DEFINITION_MANAGEMENT, false);
        assertPermission(Permission.NODE_TYPE_DEF_MNGMT, false);
    } catch (UnsupportedRepositoryOperationException e) {
        throw new NotExecutableException();
    } finally {
        // Drop every repository-level policy so later tests start clean.
        // Note: a failure in this block replaces any exception raised in the
        // try block above.
        for (AccessControlPolicy bound : acMgr.getPolicies(null)) {
            acMgr.removePolicy(null, bound);
        }
        superuser.save();

        // Postcondition: identical to the precondition checked at the start.
        AccessControlPolicy[] boundAtEnd = acMgr.getPolicies(null);
        assertNotNull(boundAtEnd);
        assertEquals(0, boundAtEnd.length);

        AccessControlPolicy[] effectiveAtEnd = acMgr.getEffectivePolicies(null);
        assertNotNull(effectiveAtEnd);
        assertEquals(0, effectiveAtEnd.length);

        AccessControlPolicyIterator applicableAtEnd = acMgr.getApplicablePolicies(null);
        assertNotNull(applicableAtEnd);
        assertTrue(applicableAtEnd.hasNext());
        AccessControlPolicy firstAtEnd = applicableAtEnd.nextAccessControlPolicy();
        assertNotNull(firstAtEnd);
        assertTrue(firstAtEnd instanceof JackrabbitAccessControlPolicy);
    }
}
Also used : AccessControlList(javax.jcr.security.AccessControlList) UnsupportedRepositoryOperationException(javax.jcr.UnsupportedRepositoryOperationException) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException) AccessControlEntry(javax.jcr.security.AccessControlEntry) AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy)
