Example 96 with Privilege

use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.

the class L5_PrivilegeContentTest method testNext.

@Test
public void testNext() throws RepositoryException, CommitFailedException {
    PropertyState next = PrivilegeUtil.getPrivilegesTree(root).getProperty(PrivilegeConstants.REP_NEXT);
    PrivilegeManager privilegeManager = getPrivilegeManager(root);
    Privilege newPrivilege = privilegeManager.registerPrivilege("myPrivilege", true, null);
    root.commit();
    // EXERCISE: compare the 'next' property state with rep:bits property of the newly created privilege.
    PropertyState nextAgain = PrivilegeUtil.getPrivilegesTree(root).getProperty(PrivilegeConstants.REP_NEXT);
    // EXERCISE: look at the new value of rep:next and explain it. Q: where did it get modified?
    // EXERCISE: try to modify rep:next manually and explain what happens.
}
Also used : PrivilegeManager(org.apache.jackrabbit.api.security.authorization.PrivilegeManager) Privilege(javax.jcr.security.Privilege) PropertyState(org.apache.jackrabbit.oak.api.PropertyState) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) L4_PrivilegesAndPermissionsTest(org.apache.jackrabbit.oak.exercise.security.authorization.permission.L4_PrivilegesAndPermissionsTest) Test(org.junit.Test) L7_PermissionContentTest(org.apache.jackrabbit.oak.exercise.security.authorization.permission.L7_PermissionContentTest)

Example 97 with Privilege

use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.

the class L7_PrivilegeDiscoveryTest method setUp.

@Override
protected void setUp() throws Exception {
    super.setUp();
    SimpleCredentials creds = new SimpleCredentials("u", "u".toCharArray());
    UserManager uMgr = ((JackrabbitSession) superuser).getUserManager();
    User u = uMgr.createUser(creds.getUserID(), creds.getUserID());
    Group g = uMgr.createGroup("g");
    g.addMember(u);
    uPrincipal = u.getPrincipal();
    gPrincipal = g.getPrincipal();
    Node n = superuser.getNode(testRoot).addNode(nodeName1);
    testPath = n.getPath();
    Property p = n.setProperty(propertyName1, "value");
    propPath = p.getPath();
    Privilege[] privs = AccessControlUtils.privilegesFromNames(superuser, Privilege.JCR_VERSION_MANAGEMENT, Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_MODIFY_PROPERTIES);
    AccessControlUtils.addAccessControlEntry(superuser, n.getPath(), gPrincipal, privs, true);
    AccessControlUtils.addAccessControlEntry(superuser, n.getPath(), uPrincipal, new String[] { Privilege.JCR_VERSION_MANAGEMENT }, false);
    Node child = n.addNode(nodeName2);
    childPath = child.getPath();
    superuser.save();
    userSession = getHelper().getRepository().login(creds);
    // NOTE the following precondition defined by the test-setup!
    assertTrue(userSession.nodeExists(testPath));
    assertTrue(userSession.nodeExists(childPath));
}
Also used : SimpleCredentials(javax.jcr.SimpleCredentials) Group(org.apache.jackrabbit.api.security.user.Group) User(org.apache.jackrabbit.api.security.user.User) UserManager(org.apache.jackrabbit.api.security.user.UserManager) Node(javax.jcr.Node) JackrabbitSession(org.apache.jackrabbit.api.JackrabbitSession) Privilege(javax.jcr.security.Privilege) Property(javax.jcr.Property)

Example 98 with Privilege

use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.

the class AccessControlImporterTest method testImportPolicyExists.

/**
 * Imports a resource-based ACL containing a single entry for a policy that
 * already exists: the expected outcome is that the existing ACE is replaced.
 */
public void testImportPolicyExists() throws Exception {
    try {
        Node target = createImportTargetWithPolicy(EveryonePrincipal.getInstance());
        doImport(target.getPath(), XML_POLICY_TREE_2);
        AccessControlManager acMgr = superuser.getAccessControlManager();
        AccessControlPolicy[] policies = acMgr.getPolicies(target.getPath());
        assertEquals(1, policies.length);
        assertTrue(policies[0] instanceof JackrabbitAccessControlList);
        AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
        assertEquals(1, entries.length);
        AccessControlEntry entry = entries[0];
        assertEquals(EveryonePrincipal.getInstance(), entry.getPrincipal());
        List<Privilege> privs = Arrays.asList(entry.getPrivileges());
        assertEquals(1, privs.size());
        assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
        if (entry instanceof JackrabbitAccessControlEntry) {
            assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
        }
    } finally {
        superuser.refresh(false);
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry) Node(javax.jcr.Node) AccessControlEntry(javax.jcr.security.AccessControlEntry) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)

Example 99 with Privilege

use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.

the class AccessControlImporterTest method createImportTargetWithPolicy.

private Node createImportTargetWithPolicy(@Nullable Principal principal) throws RepositoryException {
    Node target = testRootNode.addNode("test", "test:sameNameSibsFalseChildNodeDefinition");
    AccessControlManager acMgr = superuser.getAccessControlManager();
    for (AccessControlPolicyIterator it = acMgr.getApplicablePolicies(target.getPath()); it.hasNext(); ) {
        AccessControlPolicy policy = it.nextAccessControlPolicy();
        if (policy instanceof AccessControlList) {
            if (principal != null) {
                Privilege[] privs = new Privilege[] { acMgr.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT) };
                ((AccessControlList) policy).addAccessControlEntry(principal, privs);
            }
            acMgr.setPolicy(target.getPath(), policy);
        }
    }
    if (!isSessionImport()) {
        superuser.save();
    }
    return target;
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlList(javax.jcr.security.AccessControlList) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) Node(javax.jcr.Node) AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator) Privilege(javax.jcr.security.Privilege)

Example 100 with Privilege

use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testReadAccessControlWithoutPrivilege.

@Test
public void testReadAccessControlWithoutPrivilege() throws Exception {
    // re-grant READ in order to have an ACL-node
    Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
    JackrabbitAccessControlList tmpl = allow(path, privileges);
    String policyPath = tmpl.getPath() + "/rep:policy";
    // make sure the 'rep:policy' node has been created.
    assertTrue(superuser.itemExists(policyPath));
    /*
     * Testuser must still have READ-only access only and must not be
     * allowed to view the acl-node nor any item in the subtree that
     * has been created.
     */
    assertFalse(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL)));
    assertFalse(testSession.itemExists(policyPath));
    assertFalse(testSession.nodeExists(policyPath));
    try {
        testSession.getNode(policyPath);
        fail("Accessing the rep:policy node must throw PathNotFoundException.");
    } catch (PathNotFoundException e) {
        // ok.
    }
    try {
        testAcMgr.getPolicies(tmpl.getPath());
        fail("test user must not have READ_AC privilege.");
    } catch (AccessDeniedException e) {
        // success
    }
    try {
        testAcMgr.getEffectivePolicies(tmpl.getPath());
        fail("test user must not have READ_AC privilege.");
    } catch (AccessDeniedException e) {
        // success
    }
    for (NodeIterator aceNodes = superuser.getNode(policyPath).getNodes(); aceNodes.hasNext(); ) {
        Node aceNode = aceNodes.nextNode();
        String aceNodePath = aceNode.getPath();
        assertFalse(testSession.nodeExists(aceNodePath));
        for (PropertyIterator it = aceNode.getProperties(); it.hasNext(); ) {
            assertFalse(testSession.propertyExists(it.nextProperty().getPath()));
        }
    }
}
Also used : NodeIterator(javax.jcr.NodeIterator) AccessDeniedException(javax.jcr.AccessDeniedException) Node(javax.jcr.Node) PropertyIterator(javax.jcr.PropertyIterator) PathNotFoundException(javax.jcr.PathNotFoundException) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)
