Example 6 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit by apache.

the class EffectivePolicyTest method testGetEffectivePoliciesByPrincipal.

public void testGetEffectivePoliciesByPrincipal() throws Exception {
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_READ_ACCESS_CONTROL });
    JackrabbitAccessControlManager jacMgr = (JackrabbitAccessControlManager) acMgr;
    Principal everyone = ((SessionImpl) superuser).getPrincipalManager().getEveryone();
    AccessControlPolicy[] acp = jacMgr.getEffectivePolicies(Collections.singleton(everyone));
    assertNotNull(acp);
    assertEquals(1, acp.length);
    assertTrue(acp[0] instanceof JackrabbitAccessControlPolicy);
    JackrabbitAccessControlPolicy jacp = (JackrabbitAccessControlPolicy) acp[0];
    assertFalse(jacMgr.hasPrivileges(jacp.getPath(), Collections.singleton(testUser.getPrincipal()), privileges));
    assertFalse(jacMgr.hasPrivileges(jacp.getPath(), Collections.singleton(everyone), privileges));
    acp = jacMgr.getApplicablePolicies(testUser.getPrincipal());
    if (acp.length == 0) {
        acp = jacMgr.getPolicies(testUser.getPrincipal());
    }
    assertNotNull(acp);
    assertEquals(1, acp.length);
    assertTrue(acp[0] instanceof JackrabbitAccessControlList);
    // let testuser read the ACL defined for 'testUser' principal.
    JackrabbitAccessControlList acl = (JackrabbitAccessControlList) acp[0];
    acl.addEntry(testUser.getPrincipal(), privileges, true, getRestrictions(superuser, acl.getPath()));
    jacMgr.setPolicy(acl.getPath(), acl);
    superuser.save();
    Session testSession = getTestSession();
    AccessControlManager testAcMgr = getTestACManager();
    // effective policies for testPrincipal only on path -> must succeed.
    ((JackrabbitAccessControlManager) testAcMgr).getEffectivePolicies(Collections.singleton(testUser.getPrincipal()));
    // effective policies for a combination of principals -> must fail
    try {
        ((JackrabbitAccessControlManager) testAcMgr).getEffectivePolicies(((SessionImpl) testSession).getSubject().getPrincipals());
        fail();
    } catch (AccessDeniedException e) {
        // success
    }
}
Also used : JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) AccessDeniedException(javax.jcr.AccessDeniedException) SessionImpl(org.apache.jackrabbit.core.SessionImpl) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Principal(java.security.Principal) Session(javax.jcr.Session)

Example 7 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit by apache.

the class AccessControlListImplTest method testMultipleEntryEffect2.

public void testMultipleEntryEffect2() throws Exception {
    JackrabbitAccessControlList acl = createAccessControList(testRoot);
    // GRANT a read privilege
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_READ });
    assertTrue("New Entry -> grants read privilege", acl.addAccessControlEntry(unknownPrincipal, privileges));
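    // DENY the same privilege for the same principal (isAllow = false);
    // the list is then expected to hold two entries, as asserted below.
    assertTrue("Fail to revoke the read privilege", acl.addEntry(unknownPrincipal, privileges, false, createEmptyRestriction()));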
    Assert.assertEquals(2, acl.size());
}
Also used : Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)

Example 8 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

the class FlatTreeWithAceForSamePrincipalTest method beforeSuite.

@Override
protected void beforeSuite() throws Exception {
    long start = System.currentTimeMillis();
    admin = loginWriter();
    userManager = ((JackrabbitSession) admin).getUserManager();
    Principal userPrincipal = userManager.createUser(TEST_USER_ID, TEST_USER_ID).getPrincipal();
    AccessControlManager acm = admin.getAccessControlManager();
    // grant jcr:read to the test user on the root node
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acm, "/");
    acl.addEntry(userPrincipal, AccessControlUtils.privilegesFromNames(acm, PrivilegeConstants.JCR_READ), true);
    acm.setPolicy("/", acl);
    Node a = admin.getRootNode().addNode(ROOT_NODE_NAME, "nt:folder");
    // flat tree: each child node gets its own ACL with a jcr:read entry for the same principal
    for (int i = 1; i < 10000; i++) {
        a.addNode("node" + i, "nt:folder");
        acl = AccessControlUtils.getAccessControlList(acm, ROOT_PATH + "/node" + i);
        acl.addEntry(userPrincipal, AccessControlUtils.privilegesFromNames(acm, PrivilegeConstants.JCR_READ), true);
        acm.setPolicy(ROOT_PATH + "/node" + i, acl);
    }
    admin.save();
    reader = login(new SimpleCredentials(TEST_USER_ID, TEST_USER_ID.toCharArray()));
    long end = System.currentTimeMillis();
    System.out.println("setup time " + (end - start));
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) SimpleCredentials(javax.jcr.SimpleCredentials) Node(javax.jcr.Node) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Principal(java.security.Principal)

Example 9 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

the class ClusterPermissionsTest method testAclPropagation.

@Test
public void testAclPropagation() throws Exception {
    // create "/testNode" on cluster node 1
    Tree node = root1.getTree("/").addChild("testNode");
    node.setProperty(JcrConstants.JCR_PRIMARYTYPE, JcrConstants.NT_UNSTRUCTURED, Type.NAME);
    User user1 = userManager1.createUser("testUser", "testUser");
    // allow jcr:all for testUser on /testNode (written through cluster node 1)
    JackrabbitAccessControlList acl1 = AccessControlUtils.getAccessControlList(aclMgr1, "/testNode");
    acl1.addEntry(user1.getPrincipal(), AccessControlUtils.privilegesFromNames(aclMgr1, "jcr:all"), true);
    aclMgr1.setPolicy("/testNode", acl1);
    root1.commit();
    syncClusterNodes();
    root2.refresh();
    // after the sync, the same single entry must be readable through cluster node 2
    JackrabbitAccessControlList acl2 = AccessControlUtils.getAccessControlList(aclMgr2, "/testNode");
    AccessControlEntry[] aces = acl2.getAccessControlEntries();
    assertEquals(1, aces.length);
}
Also used : User(org.apache.jackrabbit.api.security.user.User) Tree(org.apache.jackrabbit.oak.api.Tree) AccessControlEntry(javax.jcr.security.AccessControlEntry) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)

Example 10 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit-oak by apache.

the class ClusterPermissionsTest method testPermissionPropagation.

@Test
public void testPermissionPropagation() throws Exception {
    // create a "/testNode"
    Tree node = root1.getTree("/").addChild("testNode");
    node.setProperty(JcrConstants.JCR_PRIMARYTYPE, JcrConstants.NT_UNSTRUCTURED, Type.NAME);
    // create 2 users
    User user1 = userManager1.createUser("testUser1", "testUser1");
    User user2 = userManager1.createUser("testUser2", "testUser2");
    JackrabbitAccessControlList acl1 = AccessControlUtils.getAccessControlList(aclMgr1, "/testNode");
    // deny jcr:all for everyone on /testNode
    acl1.addEntry(EveryonePrincipal.getInstance(), AccessControlUtils.privilegesFromNames(aclMgr1, "jcr:all"), false);
    // allow jcr:read for testUser1 on /testNode
    acl1.addEntry(user1.getPrincipal(), AccessControlUtils.privilegesFromNames(aclMgr1, "jcr:read"), true);
    aclMgr1.setPolicy("/testNode", acl1);
    root1.commit();
    syncClusterNodes();
    root2.refresh();
    // login with testUser1 and testUser2 (on cluster node 2)
    ContentSession session1 = contentRepository2.login(new SimpleCredentials("testUser1", "testUser1".toCharArray()), null);
    ContentSession session2 = contentRepository2.login(new SimpleCredentials("testUser2", "testUser2".toCharArray()), null);
    // testUser1 can read /testNode
    assertTrue(session1.getLatestRoot().getTree("/testNode").exists());
    // testUser2 cannot read /testNode
    assertFalse(session2.getLatestRoot().getTree("/testNode").exists());
    // now, allow jcr:read also for 'everyone' (on cluster node 1)
    acl1 = AccessControlUtils.getAccessControlList(aclMgr1, "/testNode");
    acl1.addEntry(EveryonePrincipal.getInstance(), AccessControlUtils.privilegesFromNames(aclMgr1, "jcr:read"), true);
    aclMgr1.setPolicy("/testNode", acl1);
    root1.commit();
    syncClusterNodes();
    root2.refresh();
    // testUser1 can read /testNode
    assertTrue(session1.getLatestRoot().getTree("/testNode").exists());
    // testUser2 can also read /testNode
    assertTrue(session2.getLatestRoot().getTree("/testNode").exists());
}
Also used : SimpleCredentials(javax.jcr.SimpleCredentials) User(org.apache.jackrabbit.api.security.user.User) Tree(org.apache.jackrabbit.oak.api.Tree) ContentSession(org.apache.jackrabbit.oak.api.ContentSession) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Test(org.junit.Test)

Aggregations

JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList) 165
AccessControlManager (javax.jcr.security.AccessControlManager) 75
Privilege (javax.jcr.security.Privilege) 56
AccessControlEntry (javax.jcr.security.AccessControlEntry) 46
AccessControlPolicy (javax.jcr.security.AccessControlPolicy) 46
Test (org.junit.Test) 40
JackrabbitAccessControlEntry (org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry) 32
Principal (java.security.Principal) 29
Node (javax.jcr.Node) 23
Session (javax.jcr.Session) 17
Value (javax.jcr.Value) 17
AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest) 15
Tree (org.apache.jackrabbit.oak.api.Tree) 15
JackrabbitAccessControlManager (org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) 13
AccessControlPolicyIterator (javax.jcr.security.AccessControlPolicyIterator) 12
AccessControlException (javax.jcr.security.AccessControlException) 10
NodeImpl (org.apache.jackrabbit.core.NodeImpl) 9
ByteArrayInputStream (java.io.ByteArrayInputStream) 8
InputStream (java.io.InputStream) 8
Group (org.apache.jackrabbit.api.security.user.Group) 8