
Example 6 with AccessControlList

Use of javax.jcr.security.AccessControlList in project jackrabbit-oak by apache.

Class HiddenTest, method testCombinedSetup.

@Test
public void testCombinedSetup() throws Exception {
    AccessControlManager acMgr = getAccessControlManager(root);
    try {
        // Grant JCR_READ to the everyone principal at the root and persist the policy.
        AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/");
        acl.addAccessControlEntry(EveryonePrincipal.getInstance(), AccessControlUtils.privilegesFromNames(acMgr, PrivilegeConstants.JCR_READ));
        acMgr.setPolicy("/", acl);
        root.commit();
        PermissionProvider combined = getConfig(AuthorizationConfiguration.class).getPermissionProvider(readOnlyRoot, root.getContentSession().getWorkspaceName(), ImmutableSet.<Principal>of(EveryonePrincipal.getInstance()));
        // The hidden tree reports no privileges at all, despite the JCR_READ grant at the root ...
        assertFalse(combined.hasPrivileges(hiddenTree, PrivilegeConstants.JCR_READ));
        assertTrue(combined.getPrivileges(hiddenTree).isEmpty());
        // ... while permission checks on it succeed for Permissions.ALL, by tree and by path.
        assertTrue(combined.isGranted(hiddenTree, null, Permissions.ALL));
        assertTrue(combined.isGranted(hiddenTree.getPath(), Permissions.getString(Permissions.ALL)));
        // Walk from the root down to the hidden tree, deriving each TreePermission from its parent.
        Tree t = readOnlyRoot.getTree("/");
        TreePermission tp = combined.getTreePermission(t, TreePermission.EMPTY);
        for (String name : PathUtils.elements(hiddenTree.getPath())) {
            t = t.getChild(name);
            tp = combined.getTreePermission(t, tp);
        }
        assertTrue(tp.isGranted(Permissions.ALL));
    } finally {
        // Clean up: remove the policy from the root so it does not leak into other tests.
        AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/");
        acl.addAccessControlEntry(EveryonePrincipal.getInstance(), AccessControlUtils.privilegesFromNames(acMgr, PrivilegeConstants.JCR_READ));
        acMgr.removePolicy("/", acl);
        root.commit();
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlList(javax.jcr.security.AccessControlList) AuthorizationConfiguration(org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) Tree(org.apache.jackrabbit.oak.api.Tree) TreePermission(org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission) Test(org.junit.Test)

Example 7 with AccessControlList

Use of javax.jcr.security.AccessControlList in project jackrabbit-oak by apache.

Class L3_UserVsPrincipalTest, method testAccessControlEntryWithId.

@Test
public void testAccessControlEntryWithId() throws RepositoryException {
    AccessControlManager acMgr = getAccessControlManager(root);
    // EXERCISE fix the test case
    String[] ids = new String[] { testId, testGroupId };
    for (String id : ids) {
        AccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/");
        acl.addAccessControlEntry(new PrincipalImpl(id), AccessControlUtils.privilegesFromNames(acMgr, PrivilegeConstants.JCR_READ));
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlList(javax.jcr.security.AccessControlList) PrincipalImpl(org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test) L2_AuthInfoTest(org.apache.jackrabbit.oak.exercise.security.authentication.L2_AuthInfoTest)

Example 8 with AccessControlList

Use of javax.jcr.security.AccessControlList in project jackrabbit-oak by apache.

Class RandomizedReadTest, method clearContent.

@Override
protected void clearContent() throws Exception {
    for (JackrabbitSession session : writeSessions) {
        Node root = session.getRootNode();
        if (root.hasNode("n1")) {
            root.getNode("n1").remove();
        }
        if (root.hasNode("n2")) {
            root.getNode("n2").remove();
        }
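        // Remove only the test principal's entries from the root ACL and
        // write the policy back only if something actually changed.
        AccessControlList acl = AccessControlUtils.getAccessControlList(session, "/");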
        if (acl != null) {
            boolean modified = false;
            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                if (getTestPrincipal(session).equals(ace.getPrincipal())) {
                    acl.removeAccessControlEntry(ace);
                    modified = true;
                }
            }
            if (modified) {
                session.getAccessControlManager().setPolicy("/", acl);
            }
        }
        session.save();
    }
}
Also used : AccessControlList(javax.jcr.security.AccessControlList) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Node(javax.jcr.Node) AccessControlEntry(javax.jcr.security.AccessControlEntry) JackrabbitSession(org.apache.jackrabbit.api.JackrabbitSession)

Example 9 with AccessControlList

Use of javax.jcr.security.AccessControlList in project jackrabbit-oak by apache.

Class AccessControlImporterTest, method createImportTargetWithPolicy.

private Node createImportTargetWithPolicy(@Nullable Principal principal) throws RepositoryException {
    Node target = testRootNode.addNode("test", "test:sameNameSibsFalseChildNodeDefinition");
    AccessControlManager acMgr = superuser.getAccessControlManager();
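    // Set every applicable ACL policy on the target; an entry granting
    // JCR_LOCK_MANAGEMENT is added only when a principal is supplied.
    for (AccessControlPolicyIterator it = acMgr.getApplicablePolicies(target.getPath()); it.hasNext(); ) {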
        AccessControlPolicy policy = it.nextAccessControlPolicy();
        if (policy instanceof AccessControlList) {
            if (principal != null) {
                Privilege[] privs = new Privilege[] { acMgr.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT) };
                ((AccessControlList) policy).addAccessControlEntry(principal, privs);
            }
            acMgr.setPolicy(target.getPath(), policy);
        }
    }
    if (!isSessionImport()) {
        superuser.save();
    }
    return target;
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlList(javax.jcr.security.AccessControlList) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) Node(javax.jcr.Node) AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator) Privilege(javax.jcr.security.Privilege)

Example 10 with AccessControlList

Use of javax.jcr.security.AccessControlList in project jackrabbit-oak by apache.

Class AccessControlManagementTest, method testAccessControlModification.

@Test
public void testAccessControlModification() throws Exception {
    // give 'testUser' READ_AC|MODIFY_AC privileges at 'path'
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_READ_ACCESS_CONTROL, Privilege.JCR_MODIFY_ACCESS_CONTROL });
    JackrabbitAccessControlList tmpl = allow(path, privileges);
    /*
     testuser must
     - still have the inherited READ permission.
     - have permission to view AC items at 'path' (and below)
     - have permission to modify AC items at 'path'

     testuser must not have
     - permission to view AC items outside of the tree defined by path.
    */
    // make sure the 'rep:policy' node has been created.
    assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));
    // test: MODIFY_AC granted at 'path'
    assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
    // test if testuser can READ access control on the path and on the
    // entire subtree that gets the policy inherited.
    AccessControlPolicy[] policies = testAcMgr.getPolicies(path);
    testAcMgr.getPolicies(childNPath);
    // test: READ_AC privilege does not apply outside of the tree.
    try {
        testAcMgr.getPolicies(siblingPath);
        fail("READ_AC privilege must not apply outside of the tree it has applied to.");
    } catch (AccessDeniedException e) {
        // success
    }
    // test: MODIFY_AC privilege does not apply outside of the tree.
    assertFalse(testAcMgr.hasPrivileges(siblingPath, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
    // test if testuser can modify AC-items
    // 1) add an ac-entry
    AccessControlList acl = (AccessControlList) policies[0];
    acl.addAccessControlEntry(testUser.getPrincipal(), repWritePrivileges);
    testAcMgr.setPolicy(path, acl);
    testSession.save();
    assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES)));
    // 2) remove the policy
    testAcMgr.removePolicy(path, policies[0]);
    testSession.save();
    // privileges must be gone again...
    try {
        testAcMgr.getEffectivePolicies(childNPath);
        fail("READ_AC privilege has been revoked -> must throw again.");
    } catch (AccessDeniedException e) {
        // success
    }
    // ... and since the ACE is stored with the policy all rights except
    // READ must be gone.
    assertReadOnly(path);
}
Also used : AccessControlList(javax.jcr.security.AccessControlList) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) AccessDeniedException(javax.jcr.AccessDeniedException) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)
