
Example 11 with AccessControlPolicyIterator

use of javax.jcr.security.AccessControlPolicyIterator in project jackrabbit-oak by apache.

the class AccessControlAction method setAC.

/**
 * Adds an access control entry for the authorizable's principal at the
 * authorizable's own path, using the privilege names configured for groups
 * or for users.
 *
 * <p>No entry is written in any of these cases: no privilege names are
 * configured for the kind of authorizable, {@code isBuiltInUser} returns
 * true for a user, or the principal's name is contained in
 * {@code administrativePrincipals}. The administrative check compares
 * principal names only.
 *
 * <p>Only the policies returned by {@code getApplicablePolicies} are
 * inspected. If none of them is a {@code JackrabbitAccessControlList}, a
 * warning is logged and the method returns without granting anything.
 *
 * @param authorizable the user or group whose principal receives the privileges
 * @param root passed to {@code getAccessControlManager}
 * @param namePathMapper passed to {@code getAccessControlManager}
 * @throws RepositoryException declared by the repository calls made here
 * @throws IllegalStateException if {@code securityProvider} is {@code null}
 */
private void setAC(@Nonnull Authorizable authorizable, @Nonnull Root root, @Nonnull NamePathMapper namePathMapper) throws RepositoryException {
    if (securityProvider == null) {
        throw new IllegalStateException("Not initialized");
    }

    // Bail out early when there is nothing to grant or the target must not be touched.
    if (authorizable.isGroup()) {
        if (groupPrivilegeNames.length == 0) {
            log.debug("No privileges configured for groups; omit ac setup.");
            return;
        }
    } else if (userPrivilegeNames.length == 0) {
        log.debug("No privileges configured for users; omit ac setup.");
        return;
    } else if (isBuiltInUser(authorizable)) {
        log.debug("System user: " + authorizable.getID() + "; omit ac setup.");
        return;
    }

    Principal grantee = authorizable.getPrincipal();
    // Name-based match against the configured administrative principals.
    if (administrativePrincipals.contains(grantee.getName())) {
        log.debug("Administrative principal: " + grantee.getName() + "; omit ac setup.");
        return;
    }

    String acPath = authorizable.getPath();
    AccessControlManager acMgr = securityProvider
            .getConfiguration(AuthorizationConfiguration.class)
            .getAccessControlManager(root, namePathMapper);

    // Take the first applicable policy that is a JackrabbitAccessControlList.
    JackrabbitAccessControlList targetAcl = null;
    AccessControlPolicyIterator candidates = acMgr.getApplicablePolicies(acPath);
    while (targetAcl == null && candidates.hasNext()) {
        AccessControlPolicy candidate = candidates.nextAccessControlPolicy();
        if (candidate instanceof JackrabbitAccessControlList) {
            targetAcl = (JackrabbitAccessControlList) candidate;
        }
    }

    if (targetAcl == null) {
        log.warn("Cannot process AccessControlAction: no applicable ACL at " + acPath);
        return;
    }

    String[] privNames = authorizable.isGroup() ? groupPrivilegeNames : userPrivilegeNames;
    // setPolicy is only called when addAccessControlEntry reports a modification.
    if (targetAcl.addAccessControlEntry(grantee, getPrivileges(privNames, acMgr))) {
        acMgr.setPolicy(acPath, targetAcl);
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) AuthorizationConfiguration(org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration) AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Principal(java.security.Principal)

Example 12 with AccessControlPolicyIterator

use of javax.jcr.security.AccessControlPolicyIterator in project jackrabbit by apache.

the class AuthorizableActionTest method assertAcAction.

/**
 * Asserts that exactly one policy is set at the authorizable's path and
 * that this policy is an {@code AccessControlList}.
 *
 * <p>Before asserting, the method looks for an {@code AccessControlList}
 * among the applicable policies at "/" and, failing that, among the
 * policies already set at "/". If neither contains one, a
 * {@code NotExecutableException} is thrown.
 *
 * @param a the authorizable whose path is checked
 * @param umgr user manager whose session supplies the access control manager
 * @throws RepositoryException declared by the repository calls made here
 * @throws NotExecutableException if no {@code AccessControlList} is found at "/"
 */
private static void assertAcAction(Authorizable a, UserManagerImpl umgr) throws RepositoryException, NotExecutableException {
    AccessControlManager acMgr = umgr.getSession().getAccessControlManager();

    // First look at policies that could still be applied at the root.
    boolean aclFound = false;
    for (AccessControlPolicyIterator applicable = acMgr.getApplicablePolicies("/"); applicable.hasNext(); ) {
        if (applicable.nextAccessControlPolicy() instanceof AccessControlList) {
            aclFound = true;
            break;
        }
    }

    // Otherwise fall back to the policies already set at the root.
    if (!aclFound) {
        AccessControlPolicy[] rootPolicies = acMgr.getPolicies("/");
        for (int i = 0; i < rootPolicies.length; i++) {
            if (rootPolicies[i] instanceof AccessControlList) {
                aclFound = true;
                break;
            }
        }
    }

    if (!aclFound) {
        throw new NotExecutableException("No ACLs in workspace containing users.");
    }

    String authorizablePath = a.getPath();
    assertEquals(1, acMgr.getPolicies(authorizablePath).length);
    assertTrue(acMgr.getPolicies(authorizablePath)[0] instanceof AccessControlList);
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlList(javax.jcr.security.AccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException) AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator) Session(javax.jcr.Session)

Example 13 with AccessControlPolicyIterator

use of javax.jcr.security.AccessControlPolicyIterator in project jackrabbit by apache.

the class AccessControlImporterTest method testImportEmptyExistingPolicy.

/**
 * Imports an empty resource-based ACL onto a node where an ACL policy has
 * already been set, then checks that the node ends up with exactly one
 * {@code JackrabbitAccessControlList} holding zero entries.
 *
 * <p>The superuser session is refreshed with {@code refresh(false)} in the
 * {@code finally} block regardless of the outcome.
 *
 * @throws Exception if setting up the node, the import or the policy lookup fails
 */
public void testImportEmptyExistingPolicy() throws Exception {
    NodeImpl target = (NodeImpl) ((NodeImpl) testRootNode).addNode("test", "test:sameNameSibsFalseChildNodeDefinition");
    AccessControlManager acMgr = sImpl.getAccessControlManager();

    // Pre-set every applicable AccessControlList so that a policy exists before the import.
    AccessControlPolicyIterator applicable = acMgr.getApplicablePolicies(target.getPath());
    while (applicable.hasNext()) {
        AccessControlPolicy candidate = applicable.nextAccessControlPolicy();
        if (candidate instanceof AccessControlList) {
            acMgr.setPolicy(target.getPath(), candidate);
        }
    }

    try {
        InputStream xml = new ByteArrayInputStream(XML_POLICY_ONLY.getBytes("UTF-8"));
        ImportHandler handler = new ImportHandler(
                new SessionImporter(target, sImpl, ImportUUIDBehavior.IMPORT_UUID_CREATE_NEW, new PseudoConfig()),
                sImpl);
        new ParsingContentHandler(handler).parse(xml);

        AccessControlPolicy[] imported = acMgr.getPolicies(target.getPath());
        assertEquals(1, imported.length);
        assertTrue(imported[0] instanceof JackrabbitAccessControlList);

        JackrabbitAccessControlList importedAcl = (JackrabbitAccessControlList) imported[0];
        AccessControlEntry[] aces = importedAcl.getAccessControlEntries();
        assertEquals(0, aces.length);
    } finally {
        superuser.refresh(false);
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) AccessControlList(javax.jcr.security.AccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) NodeImpl(org.apache.jackrabbit.core.NodeImpl) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ParsingContentHandler(org.apache.jackrabbit.commons.xml.ParsingContentHandler) JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry) AccessControlEntry(javax.jcr.security.AccessControlEntry) AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) ByteArrayInputStream(java.io.ByteArrayInputStream)

Example 14 with AccessControlPolicyIterator

use of javax.jcr.security.AccessControlPolicyIterator in project jackrabbit by apache.

the class AccessControlImporterTest method testImportPolicyExists.

/**
 * Imports a resource-based ACL containing a single entry onto a node whose
 * existing ACL already grants {@code jcr:lockManagement} to the everyone
 * principal, and expects one allow entry for "everyone" carrying both
 * {@code jcr:write} and {@code jcr:lockManagement}.
 *
 * <p>NOTE(review): the unconditional {@code return} at the top means none
 * of the assertions below currently run.
 *
 * @throws Exception if setting up the node, the import or the policy lookup fails
 */
public void testImportPolicyExists() throws Exception {
    // all ACEs for an import. maybe control this behavior via uuid-flag.
    // NOTE(review): the comment above looks truncated; the test is short-circuited here.
    if (true) {
        return;
    }

    NodeImpl target = (NodeImpl) ((NodeImpl) testRootNode).addNode("test", "test:sameNameSibsFalseChildNodeDefinition");
    AccessControlManager acMgr = sImpl.getAccessControlManager();

    // Seed every applicable AccessControlList with a lock-management entry for everyone.
    AccessControlPolicyIterator applicable = acMgr.getApplicablePolicies(target.getPath());
    while (applicable.hasNext()) {
        AccessControlPolicy candidate = applicable.nextAccessControlPolicy();
        if (candidate instanceof AccessControlList) {
            Privilege[] lockMgmt = new Privilege[] { acMgr.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT) };
            ((AccessControlList) candidate).addAccessControlEntry(sImpl.getPrincipalManager().getEveryone(), lockMgmt);
            acMgr.setPolicy(target.getPath(), candidate);
        }
    }

    try {
        InputStream xml = new ByteArrayInputStream(XML_POLICY_TREE_2.getBytes("UTF-8"));
        ImportHandler handler = new ImportHandler(
                new SessionImporter(target, sImpl, ImportUUIDBehavior.IMPORT_UUID_CREATE_NEW, new PseudoConfig()),
                sImpl);
        new ParsingContentHandler(handler).parse(xml);

        AccessControlPolicy[] imported = acMgr.getPolicies(target.getPath());
        assertEquals(1, imported.length);
        assertTrue(imported[0] instanceof JackrabbitAccessControlList);

        AccessControlEntry[] aces = ((JackrabbitAccessControlList) imported[0]).getAccessControlEntries();
        assertEquals(1, aces.length);

        AccessControlEntry ace = aces[0];
        assertEquals("everyone", ace.getPrincipal().getName());

        // The existing and the imported privileges are both expected on the single entry.
        List<Privilege> granted = Arrays.asList(ace.getPrivileges());
        assertEquals(2, granted.size());
        assertTrue(granted.contains(acMgr.privilegeFromName(Privilege.JCR_WRITE)) && granted.contains(acMgr.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)));
        assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), ace.getPrivileges()[0]);

        if (ace instanceof JackrabbitAccessControlEntry) {
            JackrabbitAccessControlEntry jrAce = (JackrabbitAccessControlEntry) ace;
            assertTrue(jrAce.isAllow());
        }
    } finally {
        superuser.refresh(false);
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) AccessControlList(javax.jcr.security.AccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) NodeImpl(org.apache.jackrabbit.core.NodeImpl) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ParsingContentHandler(org.apache.jackrabbit.commons.xml.ParsingContentHandler) JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry) AccessControlEntry(javax.jcr.security.AccessControlEntry) AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry) ByteArrayInputStream(java.io.ByteArrayInputStream) Privilege(javax.jcr.security.Privilege)

Example 15 with AccessControlPolicyIterator

use of javax.jcr.security.AccessControlPolicyIterator in project jackrabbit by apache.

the class NodeImplTest method changeReadPermission.

/**
 * Adds a {@code jcr:read} entry for the given principal to the ACL of node
 * {@code n}, sets the policy and saves the node's session.
 *
 * <p>The ACL is taken from the applicable policies at the node's path or,
 * if none of those is a {@code JackrabbitAccessControlList}, from the
 * policies already set there.
 *
 * @param principal the principal the entry is added for
 * @param n the node whose ACL is edited
 * @param allowRead passed as the third argument of {@code addEntry}
 * @throws RepositoryException declared by the repository calls made here
 * @throws NotExecutableException if no {@code JackrabbitAccessControlList} is found for the node
 */
public static void changeReadPermission(Principal principal, Node n, boolean allowRead) throws RepositoryException, NotExecutableException {
    SessionImpl session = (SessionImpl) n.getSession();
    AccessControlManager acMgr = session.getAccessControlManager();

    // Prefer a policy that can still be applied at this path.
    JackrabbitAccessControlList editable = null;
    for (AccessControlPolicyIterator applicable = acMgr.getApplicablePolicies(n.getPath()); applicable.hasNext(); ) {
        AccessControlPolicy candidate = applicable.nextAccessControlPolicy();
        if (candidate instanceof JackrabbitAccessControlList) {
            editable = (JackrabbitAccessControlList) candidate;
            break;
        }
    }

    // Otherwise reuse a policy that is already set on the node.
    if (editable == null) {
        AccessControlPolicy[] existing = acMgr.getPolicies(n.getPath());
        for (int i = 0; i < existing.length; i++) {
            if (existing[i] instanceof JackrabbitAccessControlList) {
                editable = (JackrabbitAccessControlList) existing[i];
                break;
            }
        }
    }

    if (editable == null) {
        // no JackrabbitAccessControlList found.
        throw new NotExecutableException();
    }

    Privilege[] readPrivilege = new Privilege[] { acMgr.privilegeFromName(Privilege.JCR_READ) };
    editable.addEntry(principal, readPrivilege, allowRead);
    acMgr.setPolicy(n.getPath(), editable);
    // The change is persisted immediately through the node's own session.
    session.save();
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException) AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)
