use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit by apache.
the class EffectivePolicyTest method testGetEffectivePoliciesByPrincipal.
/**
 * Checks that looking up effective policies by principal is itself access controlled.
 *
 * <p>The superuser first confirms that neither the test user nor 'everyone' holds
 * {@code jcr:readAccessControl} at the path of the single effective policy returned for
 * 'everyone'. It then grants the test user that privilege on the policy bound to the test
 * user's own principal. Afterwards the test session must be able to query effective
 * policies for its own principal alone, while a query for the full principal set of its
 * subject must be rejected with {@link AccessDeniedException}.
 *
 * @throws Exception if the repository setup or any access control call fails unexpectedly
 */
public void testGetEffectivePoliciesByPrincipal() throws Exception {
    Privilege[] readAcPrivilege = privilegesFromNames(new String[] { Privilege.JCR_READ_ACCESS_CONTROL });
    JackrabbitAccessControlManager adminAcMgr = (JackrabbitAccessControlManager) acMgr;
    Principal everyone = ((SessionImpl) superuser).getPrincipalManager().getEveryone();

    // Baseline: exactly one effective policy is expected for the 'everyone' principal.
    AccessControlPolicy[] everyonePolicies = adminAcMgr.getEffectivePolicies(Collections.singleton(everyone));
    assertNotNull(everyonePolicies);
    assertEquals(1, everyonePolicies.length);
    assertTrue(everyonePolicies[0] instanceof JackrabbitAccessControlPolicy);
    JackrabbitAccessControlPolicy everyonePolicy = (JackrabbitAccessControlPolicy) everyonePolicies[0];

    // Precondition for the negative case below: nobody but the superuser may read the
    // access control content at that policy's path.
    assertFalse(adminAcMgr.hasPrivileges(
            everyonePolicy.getPath(), Collections.singleton(testUser.getPrincipal()), readAcPrivilege));
    assertFalse(adminAcMgr.hasPrivileges(
            everyonePolicy.getPath(), Collections.singleton(everyone), readAcPrivilege));

    // Use the applicable policy for the test user's principal, or the policy already
    // set when no applicable one is reported.
    AccessControlPolicy[] userPolicies = adminAcMgr.getApplicablePolicies(testUser.getPrincipal());
    if (userPolicies.length == 0) {
        userPolicies = adminAcMgr.getPolicies(testUser.getPrincipal());
    }
    // NOTE(review): this null check runs after userPolicies.length was already read above.
    assertNotNull(userPolicies);
    assertEquals(1, userPolicies.length);
    assertTrue(userPolicies[0] instanceof JackrabbitAccessControlList);

    // Let the test user read the ACL defined for the 'testUser' principal, and only that one.
    JackrabbitAccessControlList userAcl = (JackrabbitAccessControlList) userPolicies[0];
    userAcl.addEntry(testUser.getPrincipal(), readAcPrivilege, true, getRestrictions(superuser, userAcl.getPath()));
    adminAcMgr.setPolicy(userAcl.getPath(), userAcl);
    superuser.save();

    Session testSession = getTestSession();
    JackrabbitAccessControlManager testJacMgr = (JackrabbitAccessControlManager) getTestACManager();

    // Effective policies for the test principal only -> must succeed.
    testJacMgr.getEffectivePolicies(Collections.singleton(testUser.getPrincipal()));

    // Effective policies for the combination of all principals of the test subject -> must
    // fail, presumably because that set covers policies the test user was never allowed to
    // read (verify against the subject's principals).
    try {
        testJacMgr.getEffectivePolicies(((SessionImpl) testSession).getSubject().getPrincipals());
        fail();
    } catch (AccessDeniedException expected) {
        // success: the lookup did not return policies the session may not read
    }
}
use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit by apache.
the class AccessControlListImplTest method testMultipleEntryEffect2.
/**
 * Adds an allow entry and then a deny entry for the same principal and the same
 * {@code jcr:read} privilege, and expects both calls to report a modification and the
 * list to end up with two entries.
 *
 * <p>Only the shape of the list is checked here; which of the two entries wins during
 * permission evaluation is not asserted by this test.
 *
 * @throws Exception if the list cannot be created or modified
 */
public void testMultipleEntryEffect2() throws Exception {
    JackrabbitAccessControlList acl = createAccessControList(testRoot);
    Privilege[] readPrivilege = privilegesFromNames(new String[] { Privilege.JCR_READ });

    // Step 1: GRANT read through the plain JCR method.
    boolean grantAdded = acl.addAccessControlEntry(unknownPrincipal, readPrivilege);
    assertTrue("New Entry -> grants read privilege", grantAdded);

    // Step 2: DENY the same privilege (isAllow == false) with an empty restriction set.
    boolean denyAdded = acl.addEntry(unknownPrincipal, readPrivilege, false, createEmptyRestriction());
    assertTrue("Fail to revoke the read privilege", denyAdded);

    // The deny is kept next to the grant rather than replacing it.
    Assert.assertEquals(2, acl.size());
}
use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.
the class FlatTreeWithAceForSamePrincipalTest method beforeSuite.
/**
 * Builds the benchmark content: one test user, a read grant for that user on the root
 * node, and a flat folder holding 9999 child folders that each carry their own ACL with
 * a read grant for the same principal. Finally logs in the reader session as the test
 * user and prints the elapsed setup time.
 *
 * @throws Exception if login, user creation, content creation or the save fails
 */
@Override
protected void beforeSuite() throws Exception {
    final long startMillis = System.currentTimeMillis();

    admin = loginWriter();
    userManager = ((JackrabbitSession) admin).getUserManager();
    // Fixture credentials: the password is the user id itself. Acceptable for a throwaway
    // benchmark repository only; do not copy this pattern into provisioning code.
    Principal userPrincipal = userManager.createUser(TEST_USER_ID, TEST_USER_ID).getPrincipal();

    AccessControlManager acm = admin.getAccessControlManager();

    // Read access on the root node so the reader session can reach the test tree.
    JackrabbitAccessControlList rootAcl = AccessControlUtils.getAccessControlList(acm, "/");
    rootAcl.addEntry(userPrincipal, AccessControlUtils.privilegesFromNames(acm, PrivilegeConstants.JCR_READ), true);
    acm.setPolicy("/", rootAcl);

    Node parent = admin.getRootNode().addNode(ROOT_NODE_NAME, "nt:folder");
    // Indices run from 1 to 9999; every child gets its own policy with one entry.
    // NOTE(review): assumes ROOT_PATH is the absolute path of the node added above - confirm.
    for (int i = 1; i < 10000; i++) {
        String childName = "node" + i;
        parent.addNode(childName, "nt:folder");

        String childPath = ROOT_PATH + "/" + childName;
        JackrabbitAccessControlList childAcl = AccessControlUtils.getAccessControlList(acm, childPath);
        childAcl.addEntry(userPrincipal, AccessControlUtils.privilegesFromNames(acm, PrivilegeConstants.JCR_READ), true);
        acm.setPolicy(childPath, childAcl);
    }
    // Users, nodes and policies are persisted in a single save.
    admin.save();

    reader = login(new SimpleCredentials(TEST_USER_ID, TEST_USER_ID.toCharArray()));

    System.out.println("setup time " + (System.currentTimeMillis() - startMillis));
}
use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.
the class ClusterPermissionsTest method testAclPropagation.
/**
 * Writes an ACL through the first set of fixtures ({@code root1}, {@code aclMgr1}) and
 * checks that it is visible through the second set ({@code aclMgr2}) after the cluster
 * nodes were synchronised and {@code root2} was refreshed.
 *
 * <p>The assertion only counts the entries read back; it does not compare the principal,
 * the privileges or the allow flag of the propagated entry.
 *
 * @throws Exception if content creation, the commit or the policy lookup fails
 */
@Test
public void testAclPropagation() throws Exception {
    final String testPath = "/testNode";

    Tree testNode = root1.getTree("/").addChild("testNode");
    testNode.setProperty(JcrConstants.JCR_PRIMARYTYPE, JcrConstants.NT_UNSTRUCTURED, Type.NAME);

    // Fixture user whose password equals its id; grant it jcr:all on the new node.
    User grantee = userManager1.createUser("testUser", "testUser");
    JackrabbitAccessControlList writtenAcl = AccessControlUtils.getAccessControlList(aclMgr1, testPath);
    writtenAcl.addEntry(grantee.getPrincipal(), AccessControlUtils.privilegesFromNames(aclMgr1, "jcr:all"), true);
    aclMgr1.setPolicy(testPath, writtenAcl);
    root1.commit();

    // Make the commit visible on the other side before reading.
    syncClusterNodes();
    root2.refresh();

    JackrabbitAccessControlList propagatedAcl = AccessControlUtils.getAccessControlList(aclMgr2, testPath);
    AccessControlEntry[] propagatedEntries = propagatedAcl.getAccessControlEntries();
    assertEquals(1, propagatedEntries.length);
}
use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.
the class ClusterPermissionsTest method testPermissionPropagation.
/**
 * Checks that permission changes committed on cluster node 1 are enforced for sessions
 * on cluster node 2, both for the initial setup and for a later change that is made
 * while those sessions are already open.
 *
 * <p>Phase 1 denies {@code jcr:all} to 'everyone' on {@code /testNode} and then allows
 * {@code jcr:read} to testUser1: testUser1 must see the node, testUser2 must not.
 * Phase 2 appends an allow of {@code jcr:read} for 'everyone': both users must see the
 * node, so the assertions expect the later allow to take effect over the earlier deny.
 *
 * @throws Exception if content creation, a commit or a login fails
 */
@Test
public void testPermissionPropagation() throws Exception {
    final String testPath = "/testNode";

    // create "/testNode"
    Tree testNode = root1.getTree("/").addChild("testNode");
    testNode.setProperty(JcrConstants.JCR_PRIMARYTYPE, JcrConstants.NT_UNSTRUCTURED, Type.NAME);

    // create 2 users (fixture passwords equal the user ids)
    User readerUser = userManager1.createUser("testUser1", "testUser1");
    userManager1.createUser("testUser2", "testUser2");

    JackrabbitAccessControlList initialAcl = AccessControlUtils.getAccessControlList(aclMgr1, testPath);
    // deny jcr:all for everyone on /testNode
    initialAcl.addEntry(EveryonePrincipal.getInstance(), AccessControlUtils.privilegesFromNames(aclMgr1, "jcr:all"), false);
    // allow jcr:read for testUser1 on /testNode
    initialAcl.addEntry(readerUser.getPrincipal(), AccessControlUtils.privilegesFromNames(aclMgr1, "jcr:read"), true);
    aclMgr1.setPolicy(testPath, initialAcl);
    root1.commit();
    syncClusterNodes();
    root2.refresh();

    // login with testUser1 and testUser2 (on cluster node 2)
    // NOTE(review): neither session is closed in this method - confirm the fixture
    // teardown releases them.
    ContentSession user1Session =
            contentRepository2.login(new SimpleCredentials("testUser1", "testUser1".toCharArray()), null);
    ContentSession user2Session =
            contentRepository2.login(new SimpleCredentials("testUser2", "testUser2".toCharArray()), null);

    // testUser1 can read /testNode
    assertTrue(user1Session.getLatestRoot().getTree(testPath).exists());
    // testUser2 cannot read /testNode: only the deny for 'everyone' applies to it
    assertFalse(user2Session.getLatestRoot().getTree(testPath).exists());

    // now, allow jcr:read also for 'everyone' (on cluster node 1)
    JackrabbitAccessControlList widenedAcl = AccessControlUtils.getAccessControlList(aclMgr1, testPath);
    widenedAcl.addEntry(EveryonePrincipal.getInstance(), AccessControlUtils.privilegesFromNames(aclMgr1, "jcr:read"), true);
    aclMgr1.setPolicy(testPath, widenedAcl);
    root1.commit();
    syncClusterNodes();
    root2.refresh();

    // The sessions opened before the change are reused: the new permissions must be
    // picked up through getLatestRoot() without logging in again.
    // testUser1 can read /testNode
    assertTrue(user1Session.getLatestRoot().getTree(testPath).exists());
    // testUser2 can also read /testNode
    assertTrue(user2Session.getLatestRoot().getTree(testPath).exists());
}
Aggregations