Example 16 with AccessControlException

use of javax.jcr.security.AccessControlException in project pentaho-kettle by pentaho.

the class PurRepositoryTestingUtils method setAclManagementCallback.

/**
 * Create a {@linkplain JcrCallback} for setting up ACL management in test repository
 *
 * @return acl management callback
 */
static JcrCallback setAclManagementCallback() {
    return new JcrCallback() {

        @Override
        public Object doInJcr(Session session) throws IOException, RepositoryException {
            PentahoJcrConstants pentahoJcrConstants = new PentahoJcrConstants(session);
            Workspace workspace = session.getWorkspace();
            PrivilegeManager privilegeManager = ((JackrabbitWorkspace) workspace).getPrivilegeManager();
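            try {
                // Look up the custom ACL-management privilege; getPrivilege throws
                // AccessControlException if no privilege with that name is registered.
                privilegeManager.getPrivilege(pentahoJcrConstants.getPHO_ACLMANAGEMENT_PRIVILEGE());
            } catch (AccessControlException ace) {
                // Not registered yet: register it as a non-abstract privilege with no aggregated privileges.
                privilegeManager.registerPrivilege(pentahoJcrConstants.getPHO_ACLMANAGEMENT_PRIVILEGE(), false, new String[0]);
            }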
            session.save();
            return null;
        }
    };
}
Also used : PentahoJcrConstants(org.pentaho.platform.repository2.unified.jcr.PentahoJcrConstants) PrivilegeManager(org.apache.jackrabbit.api.security.authorization.PrivilegeManager) AccessControlException(javax.jcr.security.AccessControlException) JackrabbitWorkspace(org.apache.jackrabbit.api.JackrabbitWorkspace) JcrCallback(org.springframework.extensions.jcr.JcrCallback) Session(javax.jcr.Session) StandaloneSession(org.pentaho.platform.engine.core.system.StandaloneSession) IPentahoSession(org.pentaho.platform.api.engine.IPentahoSession) Workspace(javax.jcr.Workspace)

Example 17 with AccessControlException

use of javax.jcr.security.AccessControlException in project pentaho-platform by pentaho.

the class DefaultBackingRepositoryLifecycleManager method createCustomPrivilege.

private void createCustomPrivilege() {
    txnTemplate.execute(new TransactionCallbackWithoutResult() {

        public void doInTransactionWithoutResult(final TransactionStatus status) {
            adminJcrTemplate.execute(new JcrCallback() {

                @Override
                public Object doInJcr(Session session) throws IOException, RepositoryException {
                    PentahoJcrConstants pentahoJcrConstants = new PentahoJcrConstants(session);
                    Workspace workspace = session.getWorkspace();
                    PrivilegeManager privilegeManager = ((JackrabbitWorkspace) workspace).getPrivilegeManager();
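                    try {
                        // Look up the custom ACL-management privilege; getPrivilege throws
                        // AccessControlException if no privilege with that name is registered.
                        privilegeManager.getPrivilege(pentahoJcrConstants.getPHO_ACLMANAGEMENT_PRIVILEGE());
                    } catch (AccessControlException ace) {
                        // Not registered yet: register it as a non-abstract privilege with no aggregated privileges.
                        privilegeManager.registerPrivilege(pentahoJcrConstants.getPHO_ACLMANAGEMENT_PRIVILEGE(), false, new String[0]);
                    }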
                    session.save();
                    return null;
                }
            });
        }
    });
}
Also used : PentahoJcrConstants(org.pentaho.platform.repository2.unified.jcr.PentahoJcrConstants) PrivilegeManager(org.apache.jackrabbit.api.security.authorization.PrivilegeManager) TransactionStatus(org.springframework.transaction.TransactionStatus) AccessControlException(javax.jcr.security.AccessControlException) JackrabbitWorkspace(org.apache.jackrabbit.api.JackrabbitWorkspace) JcrCallback(org.springframework.extensions.jcr.JcrCallback) TransactionCallbackWithoutResult(org.springframework.transaction.support.TransactionCallbackWithoutResult) Session(javax.jcr.Session) StandaloneSession(org.pentaho.platform.engine.core.system.StandaloneSession) IPentahoSession(org.pentaho.platform.api.engine.IPentahoSession) Workspace(javax.jcr.Workspace)

Example 18 with AccessControlException

use of javax.jcr.security.AccessControlException in project jackrabbit-oak by apache.

the class AdminPrincipalsBaseTest method testAdminPrincipal.

/**
 * Test if the ACL code properly deals with the creation of ACEs for administrative
 * principals which have full access anyway.
 *
 * @since Oak 1.1.1
 * @see <a href="https://issues.apache.org/jira/browse/OAK-2158">OAK-2158</a>
 */
@Test
public void testAdminPrincipal() throws Exception {
    try {
        boolean success = acl.addAccessControlEntry(new AdminPrincipal() {

            @Override
            public String getName() {
                return "admin";
            }
        }, privilegesFromNames(PrivilegeConstants.JCR_READ));
        assertResult(success);
    } catch (AccessControlException e) {
        assertException();
    }
}
Also used : AdminPrincipal(org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal) AccessControlException(javax.jcr.security.AccessControlException) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 19 with AccessControlException

use of javax.jcr.security.AccessControlException in project jackrabbit-oak by apache.

the class CugAccessControlManager method setPolicy.

@Override
public void setPolicy(String absPath, AccessControlPolicy policy) throws RepositoryException {
    String oakPath = getOakPath(absPath);
    if (isSupportedPath(oakPath)) {
        checkValidPolicy(absPath, policy);
        Tree tree = getTree(oakPath, Permissions.MODIFY_ACCESS_CONTROL, true);
        Tree typeRoot = getRoot().getTree(NodeTypeConstants.NODE_TYPES_PATH);
        if (!TreeUtil.isNodeType(tree, MIX_REP_CUG_MIXIN, typeRoot)) {
            TreeUtil.addMixin(tree, MIX_REP_CUG_MIXIN, typeRoot, null);
        }
        Tree cug;
        if (tree.hasChild(REP_CUG_POLICY)) {
            cug = tree.getChild(REP_CUG_POLICY);
            if (!CugUtil.definesCug(cug)) {
                throw new AccessControlException("Unexpected primary type of node rep:cugPolicy.");
            }
        } else {
            cug = TreeUtil.addChild(tree, REP_CUG_POLICY, NT_REP_CUG_POLICY, typeRoot, null);
        }
        cug.setProperty(REP_PRINCIPAL_NAMES, ((CugPolicyImpl) policy).getPrincipalNames(), Type.STRINGS);
    } else {
        throw new AccessControlException("Unsupported path: " + absPath);
    }
}
Also used : Tree(org.apache.jackrabbit.oak.api.Tree) AccessControlException(javax.jcr.security.AccessControlException)

Example 20 with AccessControlException

use of javax.jcr.security.AccessControlException in project jackrabbit-oak by apache.

the class ACL method addEntry.

// ----------------------------------------< JackrabbitAccessControlList >---
@Override
public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow, Map<String, Value> restrictions, Map<String, Value[]> mvRestrictions) throws RepositoryException {
    if (privileges == null || privileges.length == 0) {
        throw new AccessControlException("Privileges may not be null nor an empty array");
    }
    for (Privilege p : privileges) {
        Privilege pv = getPrivilegeManager().getPrivilege(p.getName());
        if (pv.isAbstract()) {
            throw new AccessControlException("Privilege " + p + " is abstract.");
        }
    }
    if (!checkValidPrincipal(principal)) {
        return false;
    }
    for (RestrictionDefinition def : getRestrictionProvider().getSupportedRestrictions(getOakPath())) {
        String jcrName = getNamePathMapper().getJcrName(def.getName());
        if (def.isMandatory() && (restrictions == null || !restrictions.containsKey(jcrName))) {
            throw new AccessControlException("Mandatory restriction " + jcrName + " is missing.");
        }
    }
    Set<Restriction> rs;
    if (restrictions == null && mvRestrictions == null) {
        rs = Collections.emptySet();
    } else {
        rs = new HashSet<Restriction>();
        if (restrictions != null) {
            for (String jcrName : restrictions.keySet()) {
                String oakName = getNamePathMapper().getOakName(jcrName);
                // The map is keyed by JCR name, so look the value up by jcrName;
                // a lookup by oakName returns null whenever the two names differ.
                rs.add(getRestrictionProvider().createRestriction(getOakPath(), oakName, restrictions.get(jcrName)));
            }
        }
        if (mvRestrictions != null) {
            for (String jcrName : mvRestrictions.keySet()) {
                String oakName = getNamePathMapper().getOakName(jcrName);
                // Same as above: the multi-valued map is keyed by JCR name.
                rs.add(getRestrictionProvider().createRestriction(getOakPath(), oakName, mvRestrictions.get(jcrName)));
            }
        }
    }
    ACE entry = createACE(principal, getPrivilegeBits(privileges), isAllow, rs);
    if (entries.contains(entry)) {
        log.debug("Entry is already contained in policy -> no modification.");
        return false;
    } else {
        return internalAddEntry(entry);
    }
}
Also used : Restriction(org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction) ACE(org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE) AccessControlException(javax.jcr.security.AccessControlException) Privilege(javax.jcr.security.Privilege) RestrictionDefinition(org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition)
