
Example 1 with DatabasePermission

use of org.apache.derby.security.DatabasePermission in project derby by apache.

the class EmbedConnection method checkDatabaseCreatePrivileges.

/**
 * Verifies that {@code user} holds the system privilege required to create
 * the database {@code dbname}.
 * <p>
 * The check is enforced only when a security manager is installed. Without
 * one, the method returns immediately and the request is approved; this
 * happens before {@code dbname} is null-checked, so in that configuration
 * the method performs no authorization and no argument validation.
 * <p>
 * Policy grants needed for the check itself to run:
 * <ul>
 * <li> to run the encapsulated test:
 *        permission javax.security.auth.AuthPermission "doAsPrivileged";
 * <li> to resolve relative path names:
 *        permission java.util.PropertyPermission "user.dir", "read";
 * <li> to canonicalize path names:
 *        permission java.io.FilePermission "...", "read";
 * </ul>
 * Grants needed for the check to pass:
 * <ul>
 * <li> the given user must be covered by a grant:
 *        principal org.apache.derby.authentication.SystemPrincipal "..." {}
 * <li> and that grant must list a permission covering the database location:
 *        permission org.apache.derby.security.DatabasePermission "directory:...", "create";
 * </ul>
 * If either set is missing, a SQLException detailing the cause is raised.
 *
 * @param user The user to be checked for database create privileges
 * @param dbname the name of the database to create
 * @throws SQLException if the privileges check fails
 * @throws NullPointerException if a security manager is installed and
 *         {@code dbname} is null
 */
private void checkDatabaseCreatePrivileges(String user, String dbname) throws SQLException {
    // No security manager installed: nothing is enforced, the action is approved.
    final boolean enforcing = System.getSecurityManager() != null;
    if (!enforcing) {
        return;
    }
    if (dbname == null) {
        throw new NullPointerException("dbname can't be null");
    }
    try {
        // Per the original author's note, an IOException raised here means
        // dbname could not be canonicalized.
        final Permission createPermission = new DatabasePermission(
                DatabasePermission.URL_PROTOCOL_DIRECTORY + stripSubSubProtocolPrefix(dbname),
                DatabasePermission.CREATE);
        factory.checkSystemPrivileges(user, createPermission);
    } catch (AccessControlException denied) {
        // The policy does not grant the permission to this user.
        throw newSQLException(SQLState.AUTH_DATABASE_CREATE_MISSING_PERMISSION, user, dbname, denied);
    } catch (Exception failure) {
        // Covers IOException as well as every other failure; all of them map
        // to the same SQLState. The cast to Object selects the intended
        // overload of newSQLException.
        throw newSQLException(SQLState.AUTH_DATABASE_CREATE_EXCEPTION, dbname, (Object) failure);
    }
}
Also used : DatabasePermission(org.apache.derby.security.DatabasePermission) Permission(java.security.Permission) SQLPermission(java.sql.SQLPermission) AccessControlException(java.security.AccessControlException) IOException(java.io.IOException) AccessControlException(java.security.AccessControlException) XAException(javax.transaction.xa.XAException) SQLClientInfoException(java.sql.SQLClientInfoException) SQLException(java.sql.SQLException) StandardException(org.apache.derby.shared.common.error.StandardException) PrivilegedActionException(java.security.PrivilegedActionException) IOException(java.io.IOException) DatabasePermission(org.apache.derby.security.DatabasePermission)

Example 2 with DatabasePermission

use of org.apache.derby.security.DatabasePermission in project derby by apache.

the class SystemPrivilegesPermissionTest method checkNameAndActions.

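/**
 * Tests DatabasePermission.getName() and .getActions().
 * <p>
 * The two arrays are parallel: {@code dbperm[i]} is expected to report
 * {@code dbpath[i]} as its name and {@code DatabasePermission.CREATE} as its
 * actions.
 *
 * @param dbperm the permissions under test
 * @param dbpath the expected name of each permission, index for index
 * @throws IOException declared for callers; nothing in this body raises it
 */
private void checkNameAndActions(DatabasePermission[] dbperm, String[] dbpath) throws IOException {
    // Enforce the precondition that was previously only a comment: with a
    // longer dbpath the surplus expected names would silently go unchecked,
    // and with a shorter one the loop would fail with an index error rather
    // than a test failure.
    assertEquals("test: number of permissions and paths", dbpath.length, dbperm.length);
    for (int i = 0; i < dbperm.length; i++) {
        final DatabasePermission dbp = dbperm[i];
        assertEquals("test: " + dbp + ".getName()", dbpath[i], dbp.getName());
        assertEquals("test: " + dbp + ".getActions()", DatabasePermission.CREATE, dbp.getActions());
    }
}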
Also used : DatabasePermission(org.apache.derby.security.DatabasePermission)

Example 3 with DatabasePermission

use of org.apache.derby.security.DatabasePermission in project derby by apache.

the class SystemPrivilegesPermissionTest method testDatabasePermissionSerialization.

/**
 * Round-trips DatabasePermission objects through serialization.
 * <p>
 * Valid permissions must come back equal to the original. Objects carrying
 * a URL or action list that the constructor rejects must fail on
 * deserialization with the same exception type; the comments below record
 * that the URL cases were not rejected before DERBY-3476. Such objects are
 * obtained from {@code createDBPermNoCheck}, which presumably bypasses the
 * constructor's validation (its body is not shown here).
 */
private void testDatabasePermissionSerialization() throws IOException {
    // Simple round trip of a valid object.
    DatabasePermission perm = new DatabasePermission("directory:dir", "create");
    assertEquals(perm, serializeDeserialize(perm, null));

    // Round trips for relative paths, relative path aliases, absolute paths
    // and absolute path aliases, in that order.
    final String[][] urlGroups = { relDirPaths, relDirPathAliases, absDirPaths, absDirPathAliases };
    for (String[] urls : urlGroups) {
        for (String url : urls) {
            final DatabasePermission original = new DatabasePermission(url, "create");
            assertEquals(original, serializeDeserialize(original, null));
        }
    }

    // Actions should be normalized when read from the stream.
    final String[] unnormalizedActions = { "create", "CrEaTe", " create ,  create" };
    for (String raw : unnormalizedActions) {
        final DatabasePermission restored =
                serializeDeserialize(createDBPermNoCheck("directory:dir", raw), null);
        assertEquals("create", restored.getActions());
    }

    // Null URL should fail on deserialization (didn't before DERBY-3476)
    serializeDeserialize(createDBPermNoCheck(null, "create"), NullPointerException.class);
    // Empty URL should fail on deserialization (didn't before DERBY-3476)
    serializeDeserialize(createDBPermNoCheck("", "create"), IllegalArgumentException.class);
    // Unsupported protocol should fail on deserialization (didn't before
    // DERBY-3476)
    serializeDeserialize(createDBPermNoCheck("unknown:test", "create"), IllegalArgumentException.class);

    // Null actions should fail on deserialization
    serializeDeserialize(createDBPermNoCheck("directory:dir", null), NullPointerException.class);
    // Empty and invalid actions should fail on deserialization
    final String[] rejectedActions = { "", " ", ",", "create,", "invalid", "create,invalid" };
    for (String bad : rejectedActions) {
        serializeDeserialize(createDBPermNoCheck("directory:dir", bad), IllegalArgumentException.class);
    }
}
Also used : DatabasePermission(org.apache.derby.security.DatabasePermission)

Example 4 with DatabasePermission

use of org.apache.derby.security.DatabasePermission in project derby by apache.

the class SystemPrivilegesPermissionTest method testDatabasePermission.

/**
 * Tests DatabasePermission: argument validation in the constructor, name and
 * actions reporting, hashCode/equals, and implication between permissions.
 * <p>
 * The implication checks cover both directions for the inclusive
 * {@code directory:<<ALL FILES>>} permission: it is expected to imply every
 * individual path, and no individual path is expected to imply it.
 * {@code checkImplies(a, b, m)} presumably asserts
 * {@code a[i].implies(b[j]) == m[i][j]}; its body is not shown here.
 */
public void testDatabasePermission() throws IOException {
    // test DatabasePermission with null url
    try {
        new DatabasePermission(null, DatabasePermission.CREATE);
        fail("expected NullPointerException");
    } catch (NullPointerException expected) {
        // expected exception
    }

    // test DatabasePermission with empty url, illegal url and unsupported
    // protocol, in that order
    final String[] rejectedUrls = { "", "no_url", "unknown:test" };
    for (String badUrl : rejectedUrls) {
        try {
            new DatabasePermission(badUrl, DatabasePermission.CREATE);
            fail("expected IllegalArgumentException");
        } catch (IllegalArgumentException expected) {
            // expected exception
        }
    }

    // test DatabasePermission with null actions
    try {
        new DatabasePermission("directory:dir", null);
        fail("expected NullPointerException");
    } catch (NullPointerException expected) {
        // expected exception
    }

    // test DatabasePermission with empty actions, then with each illegal
    // action list
    final String[] rejectedActions = {
        "",
        "illegal_action",
        "illegal,action",
        "illegal,create,action",
        "illegal;action",
        ",",
        " ",
        "create,"
    };
    for (String badActions : rejectedActions) {
        try {
            new DatabasePermission("directory:dir", badActions);
            fail("expected IllegalArgumentException");
        } catch (IllegalArgumentException expected) {
            // expected exception
        }
    }

    // test DatabasePermission on relative directory paths
    final DatabasePermission[] relDirPathPerms = new DatabasePermission[relDirPaths.length];
    for (int k = 0; k < relDirPathPerms.length; k++) {
        relDirPathPerms[k] = new DatabasePermission(relDirPaths[k], DatabasePermission.CREATE);
    }
    checkNameAndActions(relDirPathPerms, relDirPaths);
    checkHashCodeAndEquals(relDirPathPerms, relDirPathPerms);
    checkImplies(relDirPathPerms, relDirPathPerms, dirPathImpls);

    // test DatabasePermission on relative directory path aliases
    final DatabasePermission[] relDirPathAliasPerms = new DatabasePermission[relDirPathAliases.length];
    for (int k = 0; k < relDirPathAliasPerms.length; k++) {
        relDirPathAliasPerms[k] = new DatabasePermission(relDirPathAliases[k], DatabasePermission.CREATE);
    }
    checkNameAndActions(relDirPathAliasPerms, relDirPathAliases);
    // Aliases must compare equal to, and imply exactly the same as, the
    // paths they alias.
    checkHashCodeAndEquals(relDirPathPerms, relDirPathAliasPerms);
    checkImplies(relDirPathPerms, relDirPathAliasPerms, dirPathImpls);
    checkImplies(relDirPathAliasPerms, relDirPathPerms, dirPathImpls);

    // test DatabasePermission on absolute directory paths
    final DatabasePermission[] absDirPathPerms = new DatabasePermission[absDirPaths.length];
    for (int k = 0; k < absDirPathPerms.length; k++) {
        absDirPathPerms[k] = new DatabasePermission(absDirPaths[k], DatabasePermission.CREATE);
    }
    checkNameAndActions(absDirPathPerms, absDirPaths);
    checkHashCodeAndEquals(absDirPathPerms, absDirPathPerms);
    checkImplies(absDirPathPerms, absDirPathPerms, dirPathImpls);

    // test DatabasePermission on absolute directory path aliases
    final DatabasePermission[] absDirPathAliasPerms = new DatabasePermission[absDirPathAliases.length];
    for (int k = 0; k < absDirPathAliasPerms.length; k++) {
        absDirPathAliasPerms[k] = new DatabasePermission(absDirPathAliases[k], DatabasePermission.CREATE);
    }
    checkNameAndActions(absDirPathAliasPerms, absDirPathAliases);
    checkHashCodeAndEquals(absDirPathPerms, absDirPathAliasPerms);
    checkImplies(absDirPathPerms, absDirPathAliasPerms, dirPathImpls);
    checkImplies(absDirPathAliasPerms, absDirPathPerms, dirPathImpls);

    // test DatabasePermission for the inclusive path specification
    final String inclPermissionUrl = "directory:<<ALL FILES>>";
    final DatabasePermission[] inclPerms = {
        new DatabasePermission(inclPermissionUrl, DatabasePermission.CREATE)
    };
    checkNameAndActions(inclPerms, new String[] { inclPermissionUrl });
    final DatabasePermission[] inclPerms1 = {
        new DatabasePermission(inclPermissionUrl, DatabasePermission.CREATE)
    };
    checkHashCodeAndEquals(inclPerms, inclPerms1);
    checkImplies(inclPerms, inclPerms1, new boolean[][] { { true } });

    // One row of "true" for inclusive -> each path; one column of "false"
    // for each path -> inclusive (boolean arrays start out all false).
    final boolean[][] allTrue = new boolean[1][dirPaths.length];
    Arrays.fill(allTrue[0], true);
    final boolean[][] allFalse = new boolean[dirPaths.length][1];

    checkImplies(inclPerms, relDirPathPerms, allTrue);
    checkImplies(relDirPathPerms, inclPerms, allFalse);
    checkImplies(inclPerms, relDirPathAliasPerms, allTrue);
    checkImplies(relDirPathAliasPerms, inclPerms, allFalse);
    checkImplies(inclPerms, absDirPathPerms, allTrue);
    checkImplies(absDirPathPerms, inclPerms, allFalse);
    checkImplies(inclPerms, absDirPathAliasPerms, allTrue);
    checkImplies(absDirPathAliasPerms, inclPerms, allFalse);

    // Actions string is washed (lower-cased, trimmed) and duplicates
    // are removed.
    final DatabasePermission duplicated = new DatabasePermission("directory:dir", "create, create");
    assertEquals("create", duplicated.getActions());
    final DatabasePermission mixedCase = new DatabasePermission("directory:dir", "  CrEaTe  ");
    assertEquals("create", mixedCase.getActions());

    // DERBY-3476: The DatabasePermission class should be final.
    final int classModifiers = DatabasePermission.class.getModifiers();
    assertTrue(Modifier.isFinal(classModifiers));
}
Also used : DatabasePermission(org.apache.derby.security.DatabasePermission)

Example 5 with DatabasePermission

use of org.apache.derby.security.DatabasePermission in project derby by apache.

the class SystemPrivilegesPermissionTest method policyTestDatabasePermissionGrants.

/**
 * Tests DatabasePermissions against the Policy.
 * <p>
 * For a fixed set of relative path permissions, three principals attempt a
 * CreateDatabaseAction: an unauthorized user (always expected to be
 * refused), an authorized user (expected to succeed for every selected path
 * except index 6) and a super user (always expected to succeed). A fourth
 * principal, "anyUser", is then expected to succeed for "directory:dir".
 * The third argument of {@code execute} is presumably the expected outcome;
 * the grants themselves live in a policy file that is not shown here.
 */
public void policyTestDatabasePermissionGrants() throws IOException {
    final DatabasePermission[] relDirPathPerms = new DatabasePermission[relDirPaths.length];
    for (int k = 0; k < relDirPathPerms.length; k++) {
        relDirPathPerms[k] = new DatabasePermission(relDirPaths[k], DatabasePermission.CREATE);
    }

    // test DatabasePermission for unauthorized, authorized, and
    // all-authorized users
    final int[] singleLocPaths = { 2, 3, 6, 7 };
    final SystemPrincipal authorizedUser = new SystemPrincipal("authorizedSystemUser");
    final SystemPrincipal unAuthorizedUser = new SystemPrincipal("unAuthorizedSystemUser");
    final SystemPrincipal superUser = new SystemPrincipal("superUser");
    for (final int pathIndex : singleLocPaths) {
        final DatabasePermission target = relDirPathPerms[pathIndex];
        // NOTE(review): index 6 is presumably a location outside the
        // authorized user's grant - confirm against the test policy file.
        final boolean authorizedMayCreate = pathIndex != 6;
        execute(unAuthorizedUser, new CreateDatabaseAction(target), false);
        execute(authorizedUser, new CreateDatabaseAction(target), authorizedMayCreate);
        execute(superUser, new CreateDatabaseAction(target), true);
    }

    // test DatabasePermission for any user
    final SystemPrincipal anyUser = new SystemPrincipal("anyUser");
    final DatabasePermission dbPerm = new DatabasePermission("directory:dir", DatabasePermission.CREATE);
    execute(anyUser, new CreateDatabaseAction(dbPerm), true);
}
Also used : SystemPrincipal(org.apache.derby.authentication.SystemPrincipal) DatabasePermission(org.apache.derby.security.DatabasePermission)
