Search in sources :

Example 26 with Privilege

use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testRetrievePrivilegesOnAcNodes.

@Test
public void testRetrievePrivilegesOnAcNodes() throws Exception {
    // give 'testUser' jcr:readAccessControl privileges at 'path'
    Privilege[] privileges = privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL);
    allow(path, privileges);
    /*
         testuser must be allowed to read ac-content at target node.
        */
    assertTrue(testAcMgr.hasPrivileges(path, privileges));
    AccessControlPolicy[] policies = testAcMgr.getPolicies(path);
    assertEquals(1, policies.length);
    assertTrue(policies[0] instanceof JackrabbitAccessControlList);
    String aclNodePath = null;
    Node n = superuser.getNode(path);
    for (NodeIterator itr = n.getNodes(); itr.hasNext(); ) {
        Node child = itr.nextNode();
        if (child.isNodeType("rep:Policy")) {
            aclNodePath = child.getPath();
        }
    }
    if (aclNodePath == null) {
        fail("Expected node at " + path + " to have an ACL child node.");
    }
    assertTrue(testAcMgr.hasPrivileges(aclNodePath, privileges));
    assertTrue(testSession.hasPermission(aclNodePath, Session.ACTION_READ));
    for (NodeIterator aceNodes = superuser.getNode(aclNodePath).getNodes(); aceNodes.hasNext(); ) {
        String aceNodePath = aceNodes.nextNode().getPath();
        assertTrue(testAcMgr.hasPrivileges(aceNodePath, privileges));
        assertTrue(testSession.hasPermission(aceNodePath, Session.ACTION_READ));
    }
}
Also used : NodeIterator(javax.jcr.NodeIterator) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) Node(javax.jcr.Node) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)

Example 27 with Privilege

use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testAccessControlModificationWithoutPrivilege.

@Test
public void testAccessControlModificationWithoutPrivilege() throws Exception {
    // give 'testUser' ADD_CHILD_NODES|MODIFY_PROPERTIES| REMOVE_CHILD_NODES privileges at 'path'
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_MODIFY_PROPERTIES });
    JackrabbitAccessControlList tmpl = allow(path, privileges);
    String policyPath = tmpl.getPath() + "/rep:policy";
    // make sure the 'rep:policy' node has been created.
    assertTrue(superuser.itemExists(policyPath));
    /*
         testuser must not have
         - permission to modify AC items
        */
    try {
        testAcMgr.setPolicy(tmpl.getPath(), tmpl);
        fail("test user must not have MODIFY_AC privilege.");
    } catch (AccessDeniedException e) {
    // success
    }
    try {
        testAcMgr.removePolicy(tmpl.getPath(), tmpl);
        fail("test user must not have MODIFY_AC privilege.");
    } catch (AccessDeniedException e) {
    // success
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)

Example 28 with Privilege

use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testAccessControlModification.

@Test
public void testAccessControlModification() throws Exception {
    // give 'testUser' READ_AC|MODIFY_AC privileges at 'path'
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_READ_ACCESS_CONTROL, Privilege.JCR_MODIFY_ACCESS_CONTROL });
    JackrabbitAccessControlList tmpl = allow(path, privileges);
    /*
         testuser must
         - still have the inherited READ permission.
         - must have permission to view AC items at 'path' (and below)
         - must have permission to modify AC items at 'path'

         testuser must not have
         - permission to view AC items outside of the tree defined by path.
        */
    // make sure the 'rep:policy' node has been created.
    assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));
    // test: MODIFY_AC granted at 'path'
    assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
    // test if testuser can READ access control on the path and on the
    // entire subtree that gets the policy inherited.
    AccessControlPolicy[] policies = testAcMgr.getPolicies(path);
    testAcMgr.getPolicies(childNPath);
    // test: READ_AC privilege does not apply outside of the tree.
    try {
        testAcMgr.getPolicies(siblingPath);
        fail("READ_AC privilege must not apply outside of the tree it has applied to.");
    } catch (AccessDeniedException e) {
    // success
    }
    // test: MODIFY_AC privilege does not apply outside of the tree.
    assertFalse(testAcMgr.hasPrivileges(siblingPath, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
    // test if testuser can modify AC-items
    // 1) add an ac-entry
    AccessControlList acl = (AccessControlList) policies[0];
    acl.addAccessControlEntry(testUser.getPrincipal(), repWritePrivileges);
    testAcMgr.setPolicy(path, acl);
    testSession.save();
    assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES)));
    // 2) remove the policy
    testAcMgr.removePolicy(path, policies[0]);
    testSession.save();
    // privileges must be gone again...
    try {
        testAcMgr.getEffectivePolicies(childNPath);
        fail("READ_AC privilege has been revoked -> must throw again.");
    } catch (AccessDeniedException e) {
    // success
    }
    // ... and since the ACE is stored with the policy all right except
    // READ must be gone.
    assertReadOnly(path);
}
Also used : AccessControlList(javax.jcr.security.AccessControlList) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) AccessDeniedException(javax.jcr.AccessDeniedException) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)

Example 29 with Privilege

use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.

the class PrivilegeUpgradeTest method verifyCustomPrivileges.

@Test
public void verifyCustomPrivileges() throws Exception {
    JackrabbitSession session = createAdminSession();
    try {
        JackrabbitWorkspace workspace = (JackrabbitWorkspace) session.getWorkspace();
        PrivilegeManager manager = workspace.getPrivilegeManager();
        Privilege privilege = manager.getPrivilege("test:privilege");
        assertNotNull(privilege);
        assertFalse(privilege.isAbstract());
        assertFalse(privilege.isAggregate());
        assertEquals(0, privilege.getDeclaredAggregatePrivileges().length);
        Privilege privilege2 = manager.getPrivilege("test:privilege2");
        assertNotNull(privilege2);
        assertTrue(privilege2.isAbstract());
        assertFalse(privilege2.isAggregate());
        assertEquals(0, privilege.getDeclaredAggregatePrivileges().length);
        Privilege aggregate = manager.getPrivilege("test:aggregate");
        assertNotNull(aggregate);
        assertFalse(aggregate.isAbstract());
        assertTrue(aggregate.isAggregate());
        List<Privilege> agg = ImmutableList.copyOf(aggregate.getDeclaredAggregatePrivileges());
        assertEquals(2, agg.size());
        assertTrue(agg.contains(privilege));
        assertTrue(agg.contains(manager.getPrivilege(JCR_READ)));
        Privilege aggregate2 = manager.getPrivilege("test:aggregate2");
        assertNotNull(aggregate2);
        assertTrue(aggregate2.isAbstract());
        assertTrue(aggregate2.isAggregate());
        List<Privilege> agg2 = ImmutableList.copyOf(aggregate2.getDeclaredAggregatePrivileges());
        assertEquals(2, agg2.size());
        assertTrue(agg2.contains(aggregate));
        assertTrue(agg2.contains(privilege2));
        Privilege jcrAll = manager.getPrivilege("jcr:all");
        List<Privilege> privileges = asList(jcrAll.getAggregatePrivileges());
        assertTrue(privileges.contains(privilege));
        assertTrue(privileges.contains(privilege2));
        assertTrue(privileges.contains(aggregate));
        assertTrue(privileges.contains(aggregate2));
    } finally {
        session.logout();
    }
}
Also used : PrivilegeManager(org.apache.jackrabbit.api.security.authorization.PrivilegeManager) JackrabbitWorkspace(org.apache.jackrabbit.api.JackrabbitWorkspace) JackrabbitSession(org.apache.jackrabbit.api.JackrabbitSession) Privilege(javax.jcr.security.Privilege) Test(org.junit.Test)

Example 30 with Privilege

use of javax.jcr.security.Privilege in project jackrabbit-oak by apache.

the class ReadTest method testGlobRestriction3.

@Test
public void testGlobRestriction3() throws Exception {
    Group group2 = getUserManager(superuser).createGroup(generateId("group2_"));
    Group group3 = getUserManager(superuser).createGroup(generateId("group3_"));
    superuser.save();
    try {
        Privilege[] readPrivs = privilegesFromName(Privilege.JCR_READ);
        allow(path, group2.getPrincipal(), readPrivs);
        deny(path, group3.getPrincipal(), readPrivs);
        modify(path, getTestGroup().getPrincipal(), readPrivs, true, createGlobRestriction("/*"));
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(getTestGroup().getPrincipal());
        principals.add(group2.getPrincipal());
        principals.add(group3.getPrincipal());
        assertFalse(((JackrabbitAccessControlManager) acMgr).hasPrivileges(path, principals, readPrivs));
        assertTrue(((JackrabbitAccessControlManager) acMgr).hasPrivileges(childNPath, principals, readPrivs));
    } finally {
        group2.remove();
        group3.remove();
        superuser.save();
    }
}
Also used : Group(org.apache.jackrabbit.api.security.user.Group) Privilege(javax.jcr.security.Privilege) Principal(java.security.Principal) EveryonePrincipal(org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal) HashSet(java.util.HashSet) Test(org.junit.Test)

Aggregations

Privilege (javax.jcr.security.Privilege)336 Test (org.junit.Test)95 AccessControlManager (javax.jcr.security.AccessControlManager)94 Session (javax.jcr.Session)80 Principal (java.security.Principal)63 JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)60 Node (javax.jcr.Node)54 AccessControlEntry (javax.jcr.security.AccessControlEntry)52 JackrabbitAccessControlEntry (org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)39 Value (javax.jcr.Value)31 AccessControlPolicy (javax.jcr.security.AccessControlPolicy)31 HashMap (java.util.HashMap)28 AccessDeniedException (javax.jcr.AccessDeniedException)26 JackrabbitAccessControlManager (org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)26 AccessControlList (javax.jcr.security.AccessControlList)25 AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest)25 JackrabbitSession (org.apache.jackrabbit.api.JackrabbitSession)24 ArrayList (java.util.ArrayList)23 HashSet (java.util.HashSet)21 AccessControlException (javax.jcr.security.AccessControlException)21