Search in sources :

Example 46 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project jackrabbit by apache.

the class EffectivePolicyTest method testGetEffectivePoliciesByPrincipal.

public void testGetEffectivePoliciesByPrincipal() throws Exception {
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_READ_ACCESS_CONTROL });
    JackrabbitAccessControlManager jacMgr = (JackrabbitAccessControlManager) acMgr;
    Principal everyone = ((SessionImpl) superuser).getPrincipalManager().getEveryone();
    AccessControlPolicy[] acp = jacMgr.getEffectivePolicies(Collections.singleton(everyone));
    assertNotNull(acp);
    assertEquals(1, acp.length);
    assertTrue(acp[0] instanceof JackrabbitAccessControlPolicy);
    JackrabbitAccessControlPolicy jacp = (JackrabbitAccessControlPolicy) acp[0];
    assertFalse(jacMgr.hasPrivileges(jacp.getPath(), Collections.singleton(testUser.getPrincipal()), privileges));
    assertFalse(jacMgr.hasPrivileges(jacp.getPath(), Collections.singleton(everyone), privileges));
    acp = jacMgr.getApplicablePolicies(testUser.getPrincipal());
    if (acp.length == 0) {
        acp = jacMgr.getPolicies(testUser.getPrincipal());
    }
    assertNotNull(acp);
    assertEquals(1, acp.length);
    assertTrue(acp[0] instanceof JackrabbitAccessControlList);
    // let testuser read the ACL defined for 'testUser' principal.
    JackrabbitAccessControlList acl = (JackrabbitAccessControlList) acp[0];
    acl.addEntry(testUser.getPrincipal(), privileges, true, getRestrictions(superuser, acl.getPath()));
    jacMgr.setPolicy(acl.getPath(), acl);
    superuser.save();
    Session testSession = getTestSession();
    AccessControlManager testAcMgr = getTestACManager();
    // effective policies for testPrinicpal only on path -> must succeed.
    ((JackrabbitAccessControlManager) testAcMgr).getEffectivePolicies(Collections.singleton(testUser.getPrincipal()));
    // effective policies for a combination of principals -> must fail
    try {
        ((JackrabbitAccessControlManager) testAcMgr).getEffectivePolicies(((SessionImpl) testSession).getSubject().getPrincipals());
        fail();
    } catch (AccessDeniedException e) {
    // success
    }
}
Also used : JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlManager(javax.jcr.security.AccessControlManager) JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) AccessDeniedException(javax.jcr.AccessDeniedException) SessionImpl(org.apache.jackrabbit.core.SessionImpl) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Principal(java.security.Principal) Session(javax.jcr.Session)

Example 47 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project jackrabbit by apache.

the class AuthorizableActionTest method assertAcAction.

private static void assertAcAction(Authorizable a, UserManagerImpl umgr) throws RepositoryException, NotExecutableException {
    Session s = umgr.getSession();
    AccessControlManager acMgr = s.getAccessControlManager();
    boolean hasACL = false;
    AccessControlPolicyIterator it = acMgr.getApplicablePolicies("/");
    while (it.hasNext()) {
        if (it.nextAccessControlPolicy() instanceof AccessControlList) {
            hasACL = true;
            break;
        }
    }
    if (!hasACL) {
        for (AccessControlPolicy p : acMgr.getPolicies("/")) {
            if (p instanceof AccessControlList) {
                hasACL = true;
                break;
            }
        }
    }
    if (!hasACL) {
        throw new NotExecutableException("No ACLs in workspace containing users.");
    }
    String path = a.getPath();
    assertEquals(1, acMgr.getPolicies(path).length);
    assertTrue(acMgr.getPolicies(path)[0] instanceof AccessControlList);
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlList(javax.jcr.security.AccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException) AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator) Session(javax.jcr.Session)

Example 48 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project jackrabbit-oak by apache.

the class FlatTreeWithAceForSamePrincipalTest method beforeSuite.

@Override
protected void beforeSuite() throws Exception {
    long start = System.currentTimeMillis();
    admin = loginWriter();
    userManager = ((JackrabbitSession) admin).getUserManager();
    Principal userPrincipal = userManager.createUser(TEST_USER_ID, TEST_USER_ID).getPrincipal();
    AccessControlManager acm = admin.getAccessControlManager();
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acm, "/");
    acl.addEntry(userPrincipal, AccessControlUtils.privilegesFromNames(acm, PrivilegeConstants.JCR_READ), true);
    acm.setPolicy("/", acl);
    Node a = admin.getRootNode().addNode(ROOT_NODE_NAME, "nt:folder");
    for (int i = 1; i < 10000; i++) {
        a.addNode("node" + i, "nt:folder");
        acl = AccessControlUtils.getAccessControlList(acm, ROOT_PATH + "/node" + i);
        acl.addEntry(userPrincipal, AccessControlUtils.privilegesFromNames(acm, PrivilegeConstants.JCR_READ), true);
        acm.setPolicy(ROOT_PATH + "/node" + i, acl);
    }
    admin.save();
    reader = login(new SimpleCredentials(TEST_USER_ID, TEST_USER_ID.toCharArray()));
    long end = System.currentTimeMillis();
    System.out.println("setup time " + (end - start));
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) SimpleCredentials(javax.jcr.SimpleCredentials) Node(javax.jcr.Node) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Principal(java.security.Principal)

Example 49 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project jackrabbit-oak by apache.

the class PermissionHookTest method before.

@Override
@Before
public void before() throws Exception {
    super.before();
    testPrincipal = getTestUser().getPrincipal();
    NodeUtil rootNode = new NodeUtil(root.getTree("/"), namePathMapper);
    NodeUtil testNode = rootNode.addChild("testPath", JcrConstants.NT_UNSTRUCTURED);
    testNode.addChild("childNode", JcrConstants.NT_UNSTRUCTURED);
    AccessControlManager acMgr = getAccessControlManager(root);
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
    acl.addAccessControlEntry(testPrincipal, privilegesFromNames(JCR_ADD_CHILD_NODES));
    acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(JCR_READ));
    acMgr.setPolicy(testPath, acl);
    root.commit();
    bitsProvider = new PrivilegeBitsProvider(root);
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) PrivilegeBitsProvider(org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) NodeUtil(org.apache.jackrabbit.oak.util.NodeUtil) Before(org.junit.Before)

Example 50 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project jackrabbit-oak by apache.

the class TreePermissionImplTest method testCanReadProperties2.

@Test
public void testCanReadProperties2() throws Exception {
    AccessControlManager acMgr = getAccessControlManager(root);
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/test");
    acl.addEntry(getTestUser().getPrincipal(), privilegesFromNames(PrivilegeConstants.JCR_READ), true);
    acMgr.setPolicy("/test", acl);
    root.commit();
    Tree policyTree = root.getTree("/test/rep:policy");
    NodeUtil ace = new NodeUtil(policyTree).addChild("ace2", NT_REP_DENY_ACE);
    ace.setNames(REP_PRIVILEGES, PrivilegeConstants.REP_READ_PROPERTIES);
    ace.setString(REP_PRINCIPAL_NAME, getTestUser().getPrincipal().getName());
    root.commit();
    TreePermission tp = getTreePermission("/test");
    assertFalse(tp.canReadProperties());
    assertTrue(tp.canRead());
    assertFalse(tp.canReadProperties());
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) Tree(org.apache.jackrabbit.oak.api.Tree) TreePermission(org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) NodeUtil(org.apache.jackrabbit.oak.util.NodeUtil) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Aggregations

AccessControlManager (javax.jcr.security.AccessControlManager)192 Privilege (javax.jcr.security.Privilege)82 JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)77 AccessControlPolicy (javax.jcr.security.AccessControlPolicy)62 Session (javax.jcr.Session)47 Test (org.junit.Test)45 AccessControlEntry (javax.jcr.security.AccessControlEntry)39 Node (javax.jcr.Node)33 AccessControlList (javax.jcr.security.AccessControlList)32 JackrabbitAccessControlManager (org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)32 AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest)23 Principal (java.security.Principal)22 Value (javax.jcr.Value)17 HashMap (java.util.HashMap)14 JackrabbitAccessControlEntry (org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)14 Group (org.apache.jackrabbit.api.security.user.Group)14 ValueFactory (javax.jcr.ValueFactory)13 AccessControlPolicyIterator (javax.jcr.security.AccessControlPolicyIterator)13 NodeImpl (org.apache.jackrabbit.core.NodeImpl)13 NodeUtil (org.apache.jackrabbit.oak.util.NodeUtil)12