
Example 71 with JackrabbitAccessControlList

Use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

The class AccessControlManagementTest, method testAccessControlModification.

@Test
public void testAccessControlModification() throws Exception {
    // give 'testUser' READ_AC|MODIFY_AC privileges at 'path'
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_READ_ACCESS_CONTROL, Privilege.JCR_MODIFY_ACCESS_CONTROL });
    JackrabbitAccessControlList tmpl = allow(path, privileges);
    /*
     testuser must
     - still have the inherited READ permission.
     - have permission to view AC items at 'path' (and below)
     - have permission to modify AC items at 'path'

     testuser must not have
     - permission to view AC items outside of the tree defined by path.
    */
    // make sure the 'rep:policy' node has been created.
    assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));
    // test: MODIFY_AC granted at 'path'
    assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
    // test if testuser can READ access control on the path and on the
    // entire subtree that gets the policy inherited.
    AccessControlPolicy[] policies = testAcMgr.getPolicies(path);
    testAcMgr.getPolicies(childNPath);
    // test: READ_AC privilege does not apply outside of the tree.
    try {
        testAcMgr.getPolicies(siblingPath);
        fail("READ_AC privilege must not apply outside of the tree it has applied to.");
    } catch (AccessDeniedException e) {
        // success
    }
    // test: MODIFY_AC privilege does not apply outside of the tree.
    assertFalse(testAcMgr.hasPrivileges(siblingPath, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
    // test if testuser can modify AC-items
    // 1) add an ac-entry
    AccessControlList acl = (AccessControlList) policies[0];
    acl.addAccessControlEntry(testUser.getPrincipal(), repWritePrivileges);
    testAcMgr.setPolicy(path, acl);
    testSession.save();
    assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES)));
    // 2) remove the policy
    testAcMgr.removePolicy(path, policies[0]);
    testSession.save();
    // privileges must be gone again...
    try {
        testAcMgr.getEffectivePolicies(childNPath);
        fail("READ_AC privilege has been revoked -> must throw again.");
    } catch (AccessDeniedException e) {
        // success
    }
    // ... and since the ACE is stored with the policy, all rights except
    // READ must be gone.
    assertReadOnly(path);
}
Also used : AccessControlList(javax.jcr.security.AccessControlList) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) AccessDeniedException(javax.jcr.AccessDeniedException) Privilege(javax.jcr.security.Privilege) Test(org.junit.Test)

Example 72 with JackrabbitAccessControlList

Use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

The class AccessControlImporterTest, method testImportEmptyExistingPolicy.

/**
 * Imports an empty resource-based ACL for a policy that already exists.
 *
 * @throws Exception
 */
public void testImportEmptyExistingPolicy() throws Exception {
    try {
        Node target = createImportTargetWithPolicy(null);
        doImport(target.getPath(), XML_POLICY_ONLY);
        AccessControlPolicy[] policies = superuser.getAccessControlManager().getPolicies(target.getPath());
        assertEquals(1, policies.length);
        assertTrue(policies[0] instanceof JackrabbitAccessControlList);
        AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
        assertEquals(0, entries.length);
    } finally {
        superuser.refresh(false);
    }
}
Also used : AccessControlPolicy(javax.jcr.security.AccessControlPolicy) Node(javax.jcr.Node) JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry) AccessControlEntry(javax.jcr.security.AccessControlEntry) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)

Example 73 with JackrabbitAccessControlList

Use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

The class InheritanceTest, method testReorderGroupPermissions.

@Test
public void testReorderGroupPermissions() throws Exception {
    /* add privileges for the Group the test-user is a member of */
    deny(path, testGroup.getPrincipal(), modPropPrivileges);
    allow(path, group2.getPrincipal(), modPropPrivileges);
    /*
     testuser must get the permissions/privileges inherited from
     the group it is a member of.
     granting permissions for group2 must be effective
    */
    String actions = getActions(Session.ACTION_SET_PROPERTY, Session.ACTION_READ);
    assertTrue(testSession.hasPermission(path, actions));
    Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
    assertTrue(testAcMgr.hasPrivileges(path, privs));
    // reorder the ACEs
    AccessControlEntry srcEntry = null;
    AccessControlEntry destEntry = null;
    JackrabbitAccessControlList acl = (JackrabbitAccessControlList) acMgr.getPolicies(path)[0];
    for (AccessControlEntry entry : acl.getAccessControlEntries()) {
        Principal princ = entry.getPrincipal();
        if (testGroup.getPrincipal().equals(princ)) {
            destEntry = entry;
        } else if (group2.getPrincipal().equals(princ)) {
            srcEntry = entry;
        }
    }
    acl.orderBefore(srcEntry, destEntry);
    acMgr.setPolicy(path, acl);
    superuser.save();
    testSession.refresh(false);
    /* after reordering the permissions must be denied */
    assertFalse(testSession.hasPermission(path, actions));
    assertFalse(testAcMgr.hasPrivileges(path, privs));
}
Also used : AccessControlEntry(javax.jcr.security.AccessControlEntry) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Principal(java.security.Principal) EveryonePrincipal(org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal) Test(org.junit.Test)

Example 74 with JackrabbitAccessControlList

Use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

The class ReadVersionContentTest, method tearDown.

@Override
@After
protected void tearDown() throws Exception {
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(superuser, VersionConstants.VERSION_STORE_PATH);
    if (acl != null) {
        for (AccessControlEntry entry : acl.getAccessControlEntries()) {
            if (entry.getPrincipal().equals(testUser.getPrincipal())) {
                acl.removeAccessControlEntry(entry);
            }
        }
        acMgr.setPolicy(VersionConstants.VERSION_STORE_PATH, acl);
        superuser.save();
    }
}
Also used : AccessControlEntry(javax.jcr.security.AccessControlEntry) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) After(org.junit.After)

Example 75 with JackrabbitAccessControlList

Use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

The class OpvIgnoreTest, method addIgnoredChild.

private void addIgnoredChild(@Nonnull Node node) throws Exception {
    AccessControlManager acMgr = superuser.getAccessControlManager();
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, node.getPath());
    acl.addAccessControlEntry(EveryonePrincipal.getInstance(), AccessControlUtils.privilegesFromNames(acMgr, Privilege.JCR_READ));
    acMgr.setPolicy(acl.getPath(), acl);
    superuser.save();
    Node c = node.getNode(AccessControlConstants.REP_POLICY);
    assertEquals(OnParentVersionAction.IGNORE, c.getDefinition().getOnParentVersion());
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) Node(javax.jcr.Node) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)
