
Example 66 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

the class AccessControlImporterTest method testImportPolicyExists.

/**
 * Imports a resource-based ACL containing a single entry onto a node whose
 * policy already exists. The expected outcome is that the existing ACE is
 * replaced: afterwards the target carries exactly one ACL with exactly one
 * entry, for the everyone principal, holding only {@code jcr:write}.
 */
public void testImportPolicyExists() throws Exception {
    try {
        Node importTarget = createImportTargetWithPolicy(EveryonePrincipal.getInstance());
        String targetPath = importTarget.getPath();
        doImport(targetPath, XML_POLICY_TREE_2);

        AccessControlManager acMgr = superuser.getAccessControlManager();
        AccessControlPolicy[] policies = acMgr.getPolicies(targetPath);
        assertEquals(1, policies.length);
        assertTrue(policies[0] instanceof JackrabbitAccessControlList);

        JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policies[0];
        AccessControlEntry[] aces = acl.getAccessControlEntries();
        assertEquals(1, aces.length);

        AccessControlEntry ace = aces[0];
        assertEquals(EveryonePrincipal.getInstance(), ace.getPrincipal());

        Privilege[] granted = ace.getPrivileges();
        assertEquals(1, granted.length);
        assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), granted[0]);

        // The allow/deny flag is only exposed by the Jackrabbit extension of
        // the entry interface; for any other entry type this check is skipped.
        if (ace instanceof JackrabbitAccessControlEntry) {
            JackrabbitAccessControlEntry jrAce = (JackrabbitAccessControlEntry) ace;
            assertTrue(jrAce.isAllow());
        }
    } finally {
        // Discard pending transient changes so they do not leak out of this test.
        superuser.refresh(false);
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry) Node(javax.jcr.Node) JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry) AccessControlEntry(javax.jcr.security.AccessControlEntry) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)

Example 67 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testReadAccessControlWithoutPrivilege.

/**
 * Verifies that a session holding READ but not {@code jcr:readAccessControl}
 * cannot observe access control content: the {@code rep:policy} node, its
 * child nodes and their properties must be invisible to the test session, and
 * the access control API must refuse to return (effective) policies.
 */
@Test
public void testReadAccessControlWithoutPrivilege() throws Exception {
    // Grant READ again so that an ACL node exists below 'path'.
    Privilege[] readPrivileges = privilegesFromName(Privilege.JCR_READ);
    JackrabbitAccessControlList acl = allow(path, readPrivileges);
    String aclOwnerPath = acl.getPath();
    String policyPath = aclOwnerPath + "/rep:policy";

    // Sanity check through the superuser session: the policy node is there.
    assertTrue(superuser.itemExists(policyPath));

    // The test user keeps plain READ access only; neither the ACL node nor
    // anything in its subtree may be visible to that session.
    Privilege[] readAcPrivileges = privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL);
    assertFalse(testAcMgr.hasPrivileges(path, readAcPrivileges));
    assertFalse(testSession.itemExists(policyPath));
    assertFalse(testSession.nodeExists(policyPath));

    // Item access must report the policy node as not found.
    try {
        testSession.getNode(policyPath);
        fail("Accessing the rep:policy node must throw PathNotFoundException.");
    } catch (PathNotFoundException expected) {
        // expected: the node is hidden from the test session
    }

    // The access control API, in contrast, must deny the request outright.
    try {
        testAcMgr.getPolicies(aclOwnerPath);
        fail("test user must not have READ_AC privilege.");
    } catch (AccessDeniedException expected) {
        // expected
    }
    try {
        testAcMgr.getEffectivePolicies(aclOwnerPath);
        fail("test user must not have READ_AC privilege.");
    } catch (AccessDeniedException expected) {
        // expected
    }

    // Walk the ACE nodes as superuser and confirm each one, and each of its
    // properties, is hidden from the test session.
    // NOTE(review): this loop passes vacuously if the policy node has no
    // children; presumably allow() always writes at least one ACE - confirm.
    NodeIterator aceNodes = superuser.getNode(policyPath).getNodes();
    while (aceNodes.hasNext()) {
        Node aceNode = aceNodes.nextNode();
        assertFalse(testSession.nodeExists(aceNode.getPath()));

        PropertyIterator aceProperties = aceNode.getProperties();
        while (aceProperties.hasNext()) {
            assertFalse(testSession.propertyExists(aceProperties.nextProperty().getPath()));
        }
    }
}
Also used : NodeIterator(javax.jcr.NodeIterator) AccessDeniedException(javax.jcr.AccessDeniedException) Node(javax.jcr.Node) PropertyIterator(javax.jcr.PropertyIterator) PathNotFoundException(javax.jcr.PathNotFoundException) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)

Example 68 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testAclReferingToRemovedPrincipal.

/**
 * Checks that policies can still be retrieved for a path whose ACL refers to
 * a principal that has since been removed. The test makes no assertion on the
 * returned policies; it passes as long as {@code getPolicies} does not throw.
 */
@Test
public void testAclReferingToRemovedPrincipal() throws Exception {
    JackrabbitAccessControlList grantedAcl = allow(path, repWritePrivileges);
    String aclPath = grantedAcl.getPath();

    // Delete the test user and persist the removal, leaving the ACL behind.
    testUser.remove();
    superuser.save();
    // presumably cleared so that later cleanup does not touch the removed user - confirm
    testUser = null;

    // Read the policies back through a separately obtained superuser session.
    Session adminSession = getHelper().getSuperuserSession();
    try {
        getAccessControlManager(adminSession).getPolicies(aclPath);
    } finally {
        // Always release the extra session, even if the lookup failed.
        adminSession.logout();
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Session(javax.jcr.Session) Test(org.junit.Test)

Example 69 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testRetrievePrivilegesOnAcNodes.

/**
 * Verifies that granting {@code jcr:readAccessControl} at {@code path} lets
 * the test user read the access control content stored there: the privilege
 * and READ permission must hold on the ACL node and on each of its ACE child
 * nodes, and the policy must be retrievable through the test user's
 * access control manager.
 */
@Test
public void testRetrievePrivilegesOnAcNodes() throws Exception {
    // Grant 'testUser' jcr:readAccessControl at 'path'.
    Privilege[] readAcPrivileges = privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL);
    allow(path, readAcPrivileges);

    // The test user must now be able to read AC content at the target node.
    assertTrue(testAcMgr.hasPrivileges(path, readAcPrivileges));
    AccessControlPolicy[] visiblePolicies = testAcMgr.getPolicies(path);
    assertEquals(1, visiblePolicies.length);
    assertTrue(visiblePolicies[0] instanceof JackrabbitAccessControlList);

    // Locate the ACL node as superuser. The scan runs over every child, so
    // if several children had type rep:Policy the last one would be used.
    String aclNodePath = null;
    NodeIterator children = superuser.getNode(path).getNodes();
    while (children.hasNext()) {
        Node candidate = children.nextNode();
        if (candidate.isNodeType("rep:Policy")) {
            aclNodePath = candidate.getPath();
        }
    }
    if (aclNodePath == null) {
        fail("Expected node at " + path + " to have an ACL child node.");
    }

    // The privilege and READ permission must hold on the ACL node itself ...
    assertTrue(testAcMgr.hasPrivileges(aclNodePath, readAcPrivileges));
    assertTrue(testSession.hasPermission(aclNodePath, Session.ACTION_READ));

    // ... and on every ACE node below it.
    NodeIterator aceNodes = superuser.getNode(aclNodePath).getNodes();
    while (aceNodes.hasNext()) {
        String acePath = aceNodes.nextNode().getPath();
        assertTrue(testAcMgr.hasPrivileges(acePath, readAcPrivileges));
        assertTrue(testSession.hasPermission(acePath, Session.ACTION_READ));
    }
}
Also used : NodeIterator(javax.jcr.NodeIterator) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) Node(javax.jcr.Node) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)

Example 70 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

the class AccessControlManagementTest method testAccessControlModificationWithoutPrivilege.

/**
 * Verifies that write privileges on regular content do not imply the right to
 * change access control content: a test user granted add-child-nodes,
 * remove-child-nodes and modify-properties at {@code path} must be refused
 * when setting or removing the policy at that path.
 */
@Test
public void testAccessControlModificationWithoutPrivilege() throws Exception {
    // Grant 'testUser' ADD_CHILD_NODES | REMOVE_CHILD_NODES | MODIFY_PROPERTIES at 'path'.
    String[] contentWriteNames = new String[] { Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_MODIFY_PROPERTIES };
    Privilege[] contentWritePrivileges = privilegesFromNames(contentWriteNames);
    JackrabbitAccessControlList acl = allow(path, contentWritePrivileges);
    String aclOwnerPath = acl.getPath();
    String policyPath = aclOwnerPath + "/rep:policy";

    // Sanity check through the superuser session: the policy node is there.
    assertTrue(superuser.itemExists(policyPath));

    // The test user must not be permitted to modify AC items: both writing
    // and removing the policy have to be denied.
    try {
        testAcMgr.setPolicy(aclOwnerPath, acl);
        fail("test user must not have MODIFY_AC privilege.");
    } catch (AccessDeniedException expected) {
        // expected
    }
    try {
        testAcMgr.removePolicy(aclOwnerPath, acl);
        fail("test user must not have MODIFY_AC privilege.");
    } catch (AccessDeniedException expected) {
        // expected
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)
