use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.
the class AccessControlManagementTest method testRetrievePrivilegesOnAcNodes.
/**
 * Verifies that jcr:readAccessControl granted at {@code path} also covers the
 * nodes that store the access control content itself: the policy node below
 * {@code path} and every entry node below that policy node.
 *
 * <p>For each of those nodes the test session must both hold the privilege and
 * pass a plain {@link Session#ACTION_READ} permission check.
 *
 * @throws Exception if repository access fails
 */
@Test
public void testRetrievePrivilegesOnAcNodes() throws Exception {
    // Grant only jcr:readAccessControl to the test user at 'path'.
    Privilege[] privileges = privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL);
    allow(path, privileges);

    // The test user must now be able to read the ac content at the target node.
    assertTrue(testAcMgr.hasPrivileges(path, privileges));
    AccessControlPolicy[] visiblePolicies = testAcMgr.getPolicies(path);
    assertEquals(1, visiblePolicies.length);
    assertTrue(visiblePolicies[0] instanceof JackrabbitAccessControlList);

    // Locate the policy node with the superuser session, so the lookup itself
    // does not depend on the permissions under test.
    String aclNodePath = null;
    NodeIterator children = superuser.getNode(path).getNodes();
    while (children.hasNext()) {
        Node candidate = children.nextNode();
        if (candidate.isNodeType("rep:Policy")) {
            aclNodePath = candidate.getPath();
        }
    }
    if (aclNodePath == null) {
        fail("Expected node at " + path + " to have an ACL child node.");
    }

    // The policy node must be covered by the grant ...
    assertTrue(testAcMgr.hasPrivileges(aclNodePath, privileges));
    assertTrue(testSession.hasPermission(aclNodePath, Session.ACTION_READ));

    // ... and so must every entry node stored below it.
    NodeIterator entryNodes = superuser.getNode(aclNodePath).getNodes();
    while (entryNodes.hasNext()) {
        String entryPath = entryNodes.nextNode().getPath();
        assertTrue(testAcMgr.hasPrivileges(entryPath, privileges));
        assertTrue(testSession.hasPermission(entryPath, Session.ACTION_READ));
    }
}
use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.
the class AccessControlManagementTest method testAccessControlModificationWithoutPrivilege.
/**
 * Verifies that content-write privileges alone do not allow changing access
 * control content: with only add-child-nodes, remove-child-nodes and
 * modify-properties granted at {@code path}, both {@code setPolicy} and
 * {@code removePolicy} must fail with {@link AccessDeniedException}.
 *
 * @throws Exception if repository access fails
 */
@Test
public void testAccessControlModificationWithoutPrivilege() throws Exception {
    // Grant the test user ADD_CHILD_NODES | REMOVE_CHILD_NODES | MODIFY_PROPERTIES at 'path'.
    String[] writeNames = {
        Privilege.JCR_ADD_CHILD_NODES,
        Privilege.JCR_REMOVE_CHILD_NODES,
        Privilege.JCR_MODIFY_PROPERTIES
    };
    Privilege[] privileges = privilegesFromNames(writeNames);
    JackrabbitAccessControlList tmpl = allow(path, privileges);

    // The 'rep:policy' node must exist, otherwise the denials below prove nothing.
    String policyPath = tmpl.getPath() + "/rep:policy";
    assertTrue(superuser.itemExists(policyPath));

    // Writing the policy requires the modify-access-control privilege, which was not granted.
    try {
        testAcMgr.setPolicy(tmpl.getPath(), tmpl);
        fail("test user must not have MODIFY_AC privilege.");
    } catch (AccessDeniedException expected) {
        // success
    }

    // Removing the policy must be refused for the same reason.
    // NOTE(review): only the exception is checked; the test does not re-verify
    // afterwards that the policy node is still present and unchanged.
    try {
        testAcMgr.removePolicy(tmpl.getPath(), tmpl);
        fail("test user must not have MODIFY_AC privilege.");
    } catch (AccessDeniedException expected) {
        // success
    }
}
use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.
the class AccessControlManagementTest method testAccessControlModification.
/**
 * Verifies the scope of READ_AC and MODIFY_AC granted at {@code path}: both
 * apply at {@code path} (READ_AC also at {@code childNPath}) and neither
 * applies at {@code siblingPath}. The test user then edits and finally removes
 * the policy through its own session, which must revoke the access again.
 *
 * @throws Exception if repository access fails
 */
@Test
public void testAccessControlModification() throws Exception {
// give 'testUser' READ_AC|MODIFY_AC privileges at 'path'
Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_READ_ACCESS_CONTROL, Privilege.JCR_MODIFY_ACCESS_CONTROL });
JackrabbitAccessControlList tmpl = allow(path, privileges);
/*
testuser must
- still have the inherited READ permission.
- have permission to view AC items at 'path' (and below)
- have permission to modify AC items at 'path'
testuser must not have
- permission to view AC items outside of the tree defined by path.
*/
// make sure the 'rep:policy' node has been created.
assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));
// test: MODIFY_AC granted at 'path'
assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
// test if testuser can READ access control on the path and on the
// entire subtree that gets the policy inherited.
AccessControlPolicy[] policies = testAcMgr.getPolicies(path);
// result intentionally discarded: the call only has to succeed without
// throwing AccessDeniedException.
testAcMgr.getPolicies(childNPath);
// test: READ_AC privilege does not apply outside of the tree.
try {
testAcMgr.getPolicies(siblingPath);
fail("READ_AC privilege must not apply outside of the tree it has applied to.");
} catch (AccessDeniedException e) {
// success
}
// test: MODIFY_AC privilege does not apply outside of the tree.
assertFalse(testAcMgr.hasPrivileges(siblingPath, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
// test if testuser can modify AC-items
// 1) add an ac-entry
// NOTE(review): policies[0] is used without a preceding length assertion;
// an empty array would fail here with ArrayIndexOutOfBoundsException
// instead of a descriptive assertion failure.
AccessControlList acl = (AccessControlList) policies[0];
// repWritePrivileges is defined outside this method; presumably it includes
// jcr:removeChildNodes, which is asserted after the save below - confirm.
acl.addAccessControlEntry(testUser.getPrincipal(), repWritePrivileges);
testAcMgr.setPolicy(path, acl);
testSession.save();
assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES)));
// 2) remove the policy, again through the test user's own session
testAcMgr.removePolicy(path, policies[0]);
testSession.save();
// privileges must be gone again...
try {
testAcMgr.getEffectivePolicies(childNPath);
fail("READ_AC privilege has been revoked -> must throw again.");
} catch (AccessDeniedException e) {
// success
}
// ... and since the ACE is stored with the policy, all rights except
// READ must be gone.
assertReadOnly(path);
}
use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.
the class PrivilegeUpgradeTest method verifyCustomPrivileges.
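/**
 * Verifies that the four custom privileges are available from the privilege
 * manager with the expected abstract/aggregate flags and declared aggregates,
 * and that {@code jcr:all} aggregates every one of them.
 *
 * <p>The privileges {@code test:privilege}, {@code test:privilege2},
 * {@code test:aggregate} and {@code test:aggregate2} are not registered here;
 * presumably the enclosing test's fixture provides them (confirm against the
 * class setup).
 *
 * @throws Exception if the admin session cannot be created or a privilege
 *     lookup fails
 */
@Test
public void verifyCustomPrivileges() throws Exception {
    JackrabbitSession session = createAdminSession();
    try {
        JackrabbitWorkspace workspace = (JackrabbitWorkspace) session.getWorkspace();
        PrivilegeManager manager = workspace.getPrivilegeManager();

        // Plain, non-abstract custom privilege.
        Privilege privilege = manager.getPrivilege("test:privilege");
        assertNotNull(privilege);
        assertFalse(privilege.isAbstract());
        assertFalse(privilege.isAggregate());
        assertEquals(0, privilege.getDeclaredAggregatePrivileges().length);

        // Abstract, non-aggregate custom privilege. The aggregate count must be
        // read from privilege2 itself; checking 'privilege' again would leave
        // privilege2's declared aggregates unverified.
        Privilege privilege2 = manager.getPrivilege("test:privilege2");
        assertNotNull(privilege2);
        assertTrue(privilege2.isAbstract());
        assertFalse(privilege2.isAggregate());
        assertEquals(0, privilege2.getDeclaredAggregatePrivileges().length);

        // Aggregate of the custom privilege and the built-in read privilege.
        Privilege aggregate = manager.getPrivilege("test:aggregate");
        assertNotNull(aggregate);
        assertFalse(aggregate.isAbstract());
        assertTrue(aggregate.isAggregate());
        List<Privilege> agg = ImmutableList.copyOf(aggregate.getDeclaredAggregatePrivileges());
        assertEquals(2, agg.size());
        assertTrue(agg.contains(privilege));
        assertTrue(agg.contains(manager.getPrivilege(JCR_READ)));

        // Abstract aggregate that nests the first aggregate.
        Privilege aggregate2 = manager.getPrivilege("test:aggregate2");
        assertNotNull(aggregate2);
        assertTrue(aggregate2.isAbstract());
        assertTrue(aggregate2.isAggregate());
        List<Privilege> agg2 = ImmutableList.copyOf(aggregate2.getDeclaredAggregatePrivileges());
        assertEquals(2, agg2.size());
        assertTrue(agg2.contains(aggregate));
        assertTrue(agg2.contains(privilege2));

        // jcr:all must include every custom privilege, abstract ones as well.
        Privilege jcrAll = manager.getPrivilege("jcr:all");
        List<Privilege> privileges = asList(jcrAll.getAggregatePrivileges());
        assertTrue(privileges.contains(privilege));
        assertTrue(privileges.contains(privilege2));
        assertTrue(privileges.contains(aggregate));
        assertTrue(privileges.contains(aggregate2));
    } finally {
        // Always release the admin session, even when an assertion fails.
        session.logout();
    }
}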
use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.
the class ReadTest method testGlobRestriction3.
/**
 * Evaluates read access for a set of three group principals when a plain
 * allow, a plain deny and a glob-restricted ("/*") entry are all set at
 * {@code path}.
 *
 * <p>Expected outcome: read is not granted to the combined principal set at
 * {@code path} itself, but is granted at {@code childNPath}.
 *
 * @throws Exception if repository access fails
 */
@Test
public void testGlobRestriction3() throws Exception {
    Group group2 = getUserManager(superuser).createGroup(generateId("group2_"));
    Group group3 = getUserManager(superuser).createGroup(generateId("group3_"));
    superuser.save();
    try {
        Privilege[] read = privilegesFromName(Privilege.JCR_READ);

        // Unrestricted allow for group2 and unrestricted deny for group3.
        allow(path, group2.getPrincipal(), read);
        deny(path, group3.getPrincipal(), read);
        // Entry for the test group restricted by the glob "/*".
        // NOTE(review): the 'true' flag presumably marks this entry as an allow,
        // and "/*" presumably limits it to items below 'path' - confirm against
        // the modify() helper.
        modify(path, getTestGroup().getPrincipal(), read, true, createGlobRestriction("/*"));

        Set<Principal> principals = new HashSet<>();
        principals.add(getTestGroup().getPrincipal());
        principals.add(group2.getPrincipal());
        principals.add(group3.getPrincipal());

        // Evaluate the combined principal set rather than a session.
        JackrabbitAccessControlManager jrAcMgr = (JackrabbitAccessControlManager) acMgr;
        assertFalse(jrAcMgr.hasPrivileges(path, principals, read));
        JackrabbitAccessControlManager jrAcMgrForChild = (JackrabbitAccessControlManager) acMgr;
        assertTrue(jrAcMgrForChild.hasPrivileges(childNPath, principals, read));
    } finally {
        // Remove the temporary groups so later tests are not affected by them.
        group2.remove();
        group3.remove();
        superuser.save();
    }
}