Search in sources :

Example 31 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit by apache.

the class WriteTest method testReorderGroupPermissions.

public void testReorderGroupPermissions() throws NotExecutableException, RepositoryException {
    Group testGroup = getTestGroup();
    /* create a second group the test user is member of */
    Principal principal = new TestPrincipal("testGroup" + UUID.randomUUID());
    UserManager umgr = getUserManager(superuser);
    Group group2 = umgr.createGroup(principal);
    try {
        group2.addMember(testUser);
        if (!umgr.isAutoSave() && superuser.hasPendingChanges()) {
            superuser.save();
        }
        /* add privileges for the Group the test-user is member of */
        Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
        withdrawPrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(superuser, path));
        givePrivileges(path, group2.getPrincipal(), privileges, getRestrictions(superuser, path));
        /*
             testuser must get the permissions/privileges inherited from
             the group it is member of.
             granting permissions for group2 must be effective
            */
        String actions = javax.jcr.Session.ACTION_SET_PROPERTY + "," + javax.jcr.Session.ACTION_READ;
        AccessControlManager testAcMgr = getTestACManager();
        assertTrue(getTestSession().hasPermission(path, actions));
        Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
        assertTrue(testAcMgr.hasPrivileges(path, privs));
        // reorder the ACEs
        AccessControlEntry srcEntry = null;
        AccessControlEntry destEntry = null;
        JackrabbitAccessControlList acl = (JackrabbitAccessControlList) acMgr.getPolicies(path)[0];
        for (AccessControlEntry entry : acl.getAccessControlEntries()) {
            Principal princ = entry.getPrincipal();
            if (testGroup.getPrincipal().equals(princ)) {
                destEntry = entry;
            } else if (group2.getPrincipal().equals(princ)) {
                srcEntry = entry;
            }
        }
        acl.orderBefore(srcEntry, destEntry);
        acMgr.setPolicy(path, acl);
        superuser.save();
        /* after reordering the permissions must be denied */
        assertFalse(getTestSession().hasPermission(path, actions));
        assertFalse(testAcMgr.hasPrivileges(path, privs));
    } finally {
        group2.remove();
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) Group(org.apache.jackrabbit.api.security.user.Group) TestPrincipal(org.apache.jackrabbit.core.security.TestPrincipal) UserManager(org.apache.jackrabbit.api.security.user.UserManager) AccessControlEntry(javax.jcr.security.AccessControlEntry) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) EveryonePrincipal(org.apache.jackrabbit.core.security.principal.EveryonePrincipal) TestPrincipal(org.apache.jackrabbit.core.security.TestPrincipal) Principal(java.security.Principal)

Example 32 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit by apache.

the class WriteTest method givePrivileges.

private JackrabbitAccessControlList givePrivileges(String nPath, Principal principal, Privilege[] privileges, Map<String, Value> restrictions, boolean nodeBased) throws NotExecutableException, RepositoryException {
    if (nodeBased) {
        return givePrivileges(nPath, principal, privileges, getRestrictions(superuser, nPath));
    } else {
        JackrabbitAccessControlList tmpl = getPrincipalBasedPolicy(acMgr, nPath, principal);
        tmpl.addEntry(principal, privileges, true, restrictions);
        acMgr.setPolicy(tmpl.getPath(), tmpl);
        superuser.save();
        return tmpl;
    }
}
Also used : JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)

Example 33 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit by apache.

the class WriteTest method withdrawPrivileges.

private JackrabbitAccessControlList withdrawPrivileges(String nPath, Principal principal, Privilege[] privileges, Map<String, Value> restrictions, boolean nodeBased) throws NotExecutableException, RepositoryException {
    if (nodeBased) {
        return withdrawPrivileges(nPath, principal, privileges, getRestrictions(superuser, nPath));
    } else {
        JackrabbitAccessControlList tmpl = getPrincipalBasedPolicy(acMgr, nPath, principal);
        tmpl.addEntry(principal, privileges, false, restrictions);
        acMgr.setPolicy(tmpl.getPath(), tmpl);
        superuser.save();
        return tmpl;
    }
}
Also used : JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)

Example 34 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit by apache.

the class ACLTemplateTest method testGetRestrictionTypes.

public void testGetRestrictionTypes() throws RepositoryException {
    JackrabbitAccessControlList acl = createEmptyTemplate(getTestPath());
    NameResolver resolver = (NameResolver) superuser;
    assertEquals(PropertyType.PATH, acl.getRestrictionType(resolver.getJCRName(ACLTemplate.P_NODE_PATH)));
    assertEquals(PropertyType.STRING, acl.getRestrictionType(resolver.getJCRName(ACLTemplate.P_GLOB)));
}
Also used : JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) NameResolver(org.apache.jackrabbit.spi.commons.conversion.NameResolver)

Example 35 with JackrabbitAccessControlList

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlList in project jackrabbit by apache.

the class EffectivePolicyTest method testGetEffectivePoliciesByPrincipal.

public void testGetEffectivePoliciesByPrincipal() throws Exception {
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_READ_ACCESS_CONTROL });
    JackrabbitAccessControlManager jacMgr = (JackrabbitAccessControlManager) acMgr;
    Principal everyone = ((SessionImpl) superuser).getPrincipalManager().getEveryone();
    AccessControlPolicy[] acp = jacMgr.getEffectivePolicies(Collections.singleton(everyone));
    assertNotNull(acp);
    assertEquals(1, acp.length);
    assertTrue(acp[0] instanceof JackrabbitAccessControlPolicy);
    JackrabbitAccessControlPolicy jacp = (JackrabbitAccessControlPolicy) acp[0];
    assertFalse(jacMgr.hasPrivileges(jacp.getPath(), Collections.singleton(testUser.getPrincipal()), privileges));
    assertFalse(jacMgr.hasPrivileges(jacp.getPath(), Collections.singleton(everyone), privileges));
    acp = jacMgr.getApplicablePolicies(testUser.getPrincipal());
    if (acp.length == 0) {
        acp = jacMgr.getPolicies(testUser.getPrincipal());
    }
    assertNotNull(acp);
    assertEquals(1, acp.length);
    assertTrue(acp[0] instanceof JackrabbitAccessControlList);
    // let testuser read the ACL defined for 'testUser' principal.
    JackrabbitAccessControlList acl = (JackrabbitAccessControlList) acp[0];
    acl.addEntry(testUser.getPrincipal(), privileges, true, getRestrictions(superuser, acl.getPath()));
    jacMgr.setPolicy(acl.getPath(), acl);
    superuser.save();
    Session testSession = getTestSession();
    AccessControlManager testAcMgr = getTestACManager();
    // effective policies for testPrinicpal only on path -> must succeed.
    ((JackrabbitAccessControlManager) testAcMgr).getEffectivePolicies(Collections.singleton(testUser.getPrincipal()));
    // effective policies for a combination of principals -> must fail
    try {
        ((JackrabbitAccessControlManager) testAcMgr).getEffectivePolicies(((SessionImpl) testSession).getSubject().getPrincipals());
        fail();
    } catch (AccessDeniedException e) {
    // success
    }
}
Also used : JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlManager(javax.jcr.security.AccessControlManager) JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) AccessDeniedException(javax.jcr.AccessDeniedException) SessionImpl(org.apache.jackrabbit.core.SessionImpl) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Principal(java.security.Principal) Session(javax.jcr.Session)

Aggregations

JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)165 AccessControlManager (javax.jcr.security.AccessControlManager)75 Privilege (javax.jcr.security.Privilege)56 AccessControlEntry (javax.jcr.security.AccessControlEntry)46 AccessControlPolicy (javax.jcr.security.AccessControlPolicy)46 Test (org.junit.Test)40 JackrabbitAccessControlEntry (org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)32 Principal (java.security.Principal)29 Node (javax.jcr.Node)23 Session (javax.jcr.Session)17 Value (javax.jcr.Value)17 AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest)15 Tree (org.apache.jackrabbit.oak.api.Tree)15 JackrabbitAccessControlManager (org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)13 AccessControlPolicyIterator (javax.jcr.security.AccessControlPolicyIterator)12 AccessControlException (javax.jcr.security.AccessControlException)10 NodeImpl (org.apache.jackrabbit.core.NodeImpl)9 ByteArrayInputStream (java.io.ByteArrayInputStream)8 InputStream (java.io.InputStream)8 Group (org.apache.jackrabbit.api.security.user.Group)8