
Example 1 with JackrabbitAccessControlManager

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlManager in project jackrabbit by apache.

the class WriteTest method testEditor2.

/**
 * Checks the access control content created for two item-based user
 * principals whose nodes are nested: user "tt" is created with the
 * intermediate path "t/tt", next to user "t".
 *
 * <p>A principal-based policy is first bound for the nested principal. The
 * applicable policy of the outer principal is then looked up, and the node
 * found at its path must have the primary node type
 * {@code rep:PrincipalAccessControl}. Both users are removed again in the
 * {@code finally} block, the nested one first.
 *
 * @throws NotExecutableException if either principal is not an
 *         {@link ItemBasedPrincipal}, or the path check between the two
 *         principals fails, i.e. the precondition of the test is not met
 * @throws RepositoryException if a repository operation fails
 */
public void testEditor2() throws NotExecutableException, RepositoryException {
    UserManager userMgr = getUserManager(superuser);
    User outerUser = null;
    User nestedUser = null;
    try {
        outerUser = userMgr.createUser("t", "t");
        nestedUser = userMgr.createUser("tt", "tt", new TestPrincipal("tt"), "t/tt");
        if (!userMgr.isAutoSave()) {
            superuser.save();
        }

        Principal outerPrincipal = outerUser.getPrincipal();
        Principal nestedPrincipal = nestedUser.getPrincipal();

        // Precondition: both principals are backed by items and their paths are nested.
        boolean pathsAreNested = outerPrincipal instanceof ItemBasedPrincipal
                && nestedPrincipal instanceof ItemBasedPrincipal
                && Text.isDescendant(((ItemBasedPrincipal) outerPrincipal).getPath(), ((ItemBasedPrincipal) nestedPrincipal).getPath());
        if (!pathsAreNested) {
            throw new NotExecutableException();
        }

        JackrabbitAccessControlManager jacMgr = (JackrabbitAccessControlManager) getAccessControlManager(superuser);

        // Bind the policy of the nested principal first ...
        JackrabbitAccessControlPolicy[] nestedPolicies = jacMgr.getApplicablePolicies(nestedPrincipal);
        jacMgr.setPolicy(nestedPolicies[0].getPath(), nestedPolicies[0]);

        // ... then make sure the node at the outer principal's policy path
        // is typed as principal-based access control content.
        JackrabbitAccessControlPolicy[] outerPolicies = jacMgr.getApplicablePolicies(outerPrincipal);
        String outerPolicyPath = outerPolicies[0].getPath();
        Node policyNode = superuser.getNode(outerPolicyPath);
        assertEquals("rep:PrincipalAccessControl", policyNode.getPrimaryNodeType().getName());
    } finally {
        // Drop transient changes before cleaning up the test users.
        superuser.refresh(false);
        if (nestedUser != null) {
            nestedUser.remove();
        }
        if (outerUser != null) {
            outerUser.remove();
        }
        if (!userMgr.isAutoSave()) {
            superuser.save();
        }
    }
}
Also used : JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) User(org.apache.jackrabbit.api.security.user.User) TestPrincipal(org.apache.jackrabbit.core.security.TestPrincipal) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException) UserManager(org.apache.jackrabbit.api.security.user.UserManager) Node(javax.jcr.Node) ItemBasedPrincipal(org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) ItemBasedPrincipal(org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal) TestPrincipal(org.apache.jackrabbit.core.security.TestPrincipal) Principal(java.security.Principal)

Example 2 with JackrabbitAccessControlManager

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlManager in project jackrabbit by apache.

the class WriteTest method testEditor.

/**
 * Walks a principal-based policy through its life cycle for a freshly
 * created user and checks what the access control manager reports at each
 * step.
 *
 * <p>Before the policy is bound there is exactly one applicable policy (an
 * {@code ACLTemplate}) and no policy in effect, both when asked by principal
 * and when asked by the policy's path. After {@code setPolicy} the picture
 * flips: nothing is applicable any more and exactly one policy is in effect.
 *
 * @throws NotExecutableException declared by the test signature
 * @throws RepositoryException if a repository operation fails
 */
public void testEditor() throws NotExecutableException, RepositoryException {
    UserManager userMgr = getUserManager(superuser);
    User user = null;
    try {
        user = userMgr.createUser("t", "t");
        if (!userMgr.isAutoSave()) {
            superuser.save();
        }
        Principal principal = user.getPrincipal();
        JackrabbitAccessControlManager jacMgr = (JackrabbitAccessControlManager) getAccessControlManager(superuser);

        // Unbound state: one applicable template.
        JackrabbitAccessControlPolicy[] applicable = jacMgr.getApplicablePolicies(principal);
        assertEquals(1, applicable.length);
        assertTrue(applicable[0] instanceof ACLTemplate);

        // Asking a second time must not change the answer.
        applicable = jacMgr.getApplicablePolicies(principal);
        assertEquals(1, applicable.length);
        JackrabbitAccessControlPolicy template = applicable[0];
        assertEquals(1, jacMgr.getApplicablePolicies(template.getPath()).getSize());

        // Nothing is in effect yet, neither by principal nor by path.
        assertEquals(0, jacMgr.getPolicies(principal).length);
        assertEquals(0, jacMgr.getPolicies(template.getPath()).length);

        // Bind the policy: it moves from "applicable" to "in effect".
        jacMgr.setPolicy(template.getPath(), template);
        assertEquals(0, jacMgr.getApplicablePolicies(principal).length);
        assertEquals(1, jacMgr.getPolicies(principal).length);
        assertEquals(1, jacMgr.getPolicies(template.getPath()).length);
    } finally {
        // Discard transient changes, then remove the test user if it was created.
        superuser.refresh(false);
        if (user != null) {
            user.remove();
            if (!userMgr.isAutoSave()) {
                superuser.save();
            }
        }
    }
}
Also used : JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) User(org.apache.jackrabbit.api.security.user.User) UserManager(org.apache.jackrabbit.api.security.user.UserManager) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) ItemBasedPrincipal(org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal) TestPrincipal(org.apache.jackrabbit.core.security.TestPrincipal) Principal(java.security.Principal)

Example 3 with JackrabbitAccessControlManager

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlManager in project jackrabbit by apache.

the class WriteTest method testInvalidPrincipal.

/**
 * Verifies how the access control manager answers for a principal that the
 * principal manager does not know.
 *
 * <p>A principal name is generated that {@code hasPrincipal} reports as
 * absent. For that principal both {@code getApplicablePolicies} and
 * {@code getPolicies} must either return a non-null, empty array or throw
 * an {@link AccessControlException}; any returned policy fails the test.
 *
 * @throws NotExecutableException if the access control manager under test is
 *         not a {@link JackrabbitAccessControlManager}
 * @throws Exception if a repository operation fails
 */
public void testInvalidPrincipal() throws Exception {
    PrincipalManager principalMgr = ((JackrabbitSession) superuser).getPrincipalManager();

    // Append underscores until the name does not match any existing principal.
    String name = "unknown";
    while (principalMgr.hasPrincipal(name)) {
        name += "_";
    }
    Principal principal = new PrincipalImpl(name);

    if (!(acMgr instanceof JackrabbitAccessControlManager)) {
        throw new NotExecutableException();
    }
    JackrabbitAccessControlManager jacMgr = (JackrabbitAccessControlManager) acMgr;

    // Applicable policies: empty result or AccessControlException are both accepted.
    try {
        AccessControlPolicy[] applicable = jacMgr.getApplicablePolicies(principal);
        assertNotNull(applicable);
        assertEquals(0, applicable.length);
    } catch (AccessControlException e) {
        // success
    }

    // Existing policies: same two accepted outcomes.
    try {
        AccessControlPolicy[] existing = jacMgr.getPolicies(principal);
        assertNotNull(existing);
        assertEquals(0, existing.length);
    } catch (AccessControlException e) {
        // success
    }
}
Also used : PrincipalManager(org.apache.jackrabbit.api.security.principal.PrincipalManager) JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException) AccessControlException(javax.jcr.security.AccessControlException) JackrabbitSession(org.apache.jackrabbit.api.JackrabbitSession) ItemBasedPrincipal(org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal) TestPrincipal(org.apache.jackrabbit.core.security.TestPrincipal) Principal(java.security.Principal) PrincipalImpl(org.apache.jackrabbit.core.security.principal.PrincipalImpl)

Example 4 with JackrabbitAccessControlManager

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlManager in project jackrabbit by apache.

the class EffectivePolicyTest method testGetEffectivePoliciesByPrincipal.

/**
 * Checks that reading effective policies by principal is itself subject to
 * access control.
 *
 * <p>Flow: the superuser confirms that neither the test user's principal nor
 * "everyone" holds {@code jcr:readAccessControl} on the effective policy of
 * "everyone", then grants the test user that privilege on the ACL of its own
 * principal and saves. A session of the test user must then be able to read
 * the effective policies for its own principal alone, while a request for the
 * full principal set of its subject must be rejected with
 * {@link AccessDeniedException}.
 *
 * @throws Exception if a repository operation fails
 */
public void testGetEffectivePoliciesByPrincipal() throws Exception {
    // The only privilege this test grants and checks: permission to read access control content.
    Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_READ_ACCESS_CONTROL });
    JackrabbitAccessControlManager jacMgr = (JackrabbitAccessControlManager) acMgr;
    Principal everyone = ((SessionImpl) superuser).getPrincipalManager().getEveryone();
    // Baseline seen by the superuser: exactly one effective policy for "everyone".
    AccessControlPolicy[] acp = jacMgr.getEffectivePolicies(Collections.singleton(everyone));
    assertNotNull(acp);
    assertEquals(1, acp.length);
    assertTrue(acp[0] instanceof JackrabbitAccessControlPolicy);
    JackrabbitAccessControlPolicy jacp = (JackrabbitAccessControlPolicy) acp[0];
    // Neither the test user nor "everyone" may read access control content at that policy's path.
    assertFalse(jacMgr.hasPrivileges(jacp.getPath(), Collections.singleton(testUser.getPrincipal()), privileges));
    assertFalse(jacMgr.hasPrivileges(jacp.getPath(), Collections.singleton(everyone), privileges));
    // Use the applicable policy for the test user's principal; fall back to the
    // policy already in effect when nothing is applicable any more.
    acp = jacMgr.getApplicablePolicies(testUser.getPrincipal());
    if (acp.length == 0) {
        acp = jacMgr.getPolicies(testUser.getPrincipal());
    }
    assertNotNull(acp);
    assertEquals(1, acp.length);
    assertTrue(acp[0] instanceof JackrabbitAccessControlList);
    // let testuser read the ACL defined for 'testUser' principal.
    JackrabbitAccessControlList acl = (JackrabbitAccessControlList) acp[0];
    // 'true' adds an allow entry; the restrictions come from getRestrictions(...), which is not shown here.
    acl.addEntry(testUser.getPrincipal(), privileges, true, getRestrictions(superuser, acl.getPath()));
    jacMgr.setPolicy(acl.getPath(), acl);
    superuser.save();
    // NOTE(review): the saved ACL change is not reverted in this method - presumably
    // tearDown() restores the policy; confirm, otherwise the grant leaks into later tests.
    Session testSession = getTestSession();
    AccessControlManager testAcMgr = getTestACManager();
    // effective policies for testPrincipal only on path -> must succeed.
    ((JackrabbitAccessControlManager) testAcMgr).getEffectivePolicies(Collections.singleton(testUser.getPrincipal()));
    // effective policies for a combination of principals -> must fail
    // (presumably the subject also carries principals such as "everyone" whose
    // policies the test session was not granted read access to - confirm).
    try {
        ((JackrabbitAccessControlManager) testAcMgr).getEffectivePolicies(((SessionImpl) testSession).getSubject().getPrincipals());
        // NOTE(review): fail() carries no message; a short reason would make a regression
        // in this access check easier to recognise in the test report.
        fail();
    } catch (AccessDeniedException e) {
        // success
    }
}
Also used : JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlManager(javax.jcr.security.AccessControlManager) JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) AccessDeniedException(javax.jcr.AccessDeniedException) SessionImpl(org.apache.jackrabbit.core.SessionImpl) Privilege(javax.jcr.security.Privilege) JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) Principal(java.security.Principal) Session(javax.jcr.Session)

Example 5 with JackrabbitAccessControlManager

use of org.apache.jackrabbit.api.security.JackrabbitAccessControlManager in project jackrabbit by apache.

the class AccessControlImporterTest method testImportPrincipalBasedACL.

/**
 * Importing a principal-based ACL containing a single entry must fail with
 * the default configuration.
 *
 * <p>The test only runs when the access control manager reports neither an
 * applicable nor an existing policy for the "everyone" principal, which the
 * test takes to mean that only resource-based ACLs are supported. It then
 * imports {@code XML_AC_TREE} below the {@code N_ACCESSCONTROL} node and
 * expects the protected import to be rejected with a {@link SAXException}
 * that wraps a {@link ConstraintViolationException}.
 *
 * @throws Exception if the setup fails, or if the import fails with anything
 *         other than the expected wrapped ConstraintViolationException
 */
public void testImportPrincipalBasedACL() throws Exception {
    JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) sImpl.getAccessControlManager();
    if (acMgr.getApplicablePolicies(EveryonePrincipal.getInstance()).length > 0 || acMgr.getPolicies(EveryonePrincipal.getInstance()).length > 0) {
        // test expects that only resource-based acl is supported
        throw new NotExecutableException();
    }
    // Make sure a principal with the administrators name exists; create the group if it is missing.
    PrincipalManager pmgr = sImpl.getPrincipalManager();
    if (!pmgr.hasPrincipal(SecurityConstants.ADMINISTRATORS_NAME)) {
        UserManager umgr = sImpl.getUserManager();
        umgr.createGroup(new PrincipalImpl(SecurityConstants.ADMINISTRATORS_NAME));
        if (!umgr.isAutoSave()) {
            sImpl.save();
        }
        // NOTE(review): this aborts the test when the principal IS visible after the
        // group was created. The condition looks inverted (a missing principal would be
        // the expected reason to skip) - confirm the intent before relying on this test.
        // NOTE(review): the group created above is not removed in this method.
        if (pmgr.hasPrincipal(SecurityConstants.ADMINISTRATORS_NAME)) {
            throw new NotExecutableException();
        }
    }
    // Import target: the N_ACCESSCONTROL child of the root node, created or retyped
    // so that it has node type NT_REP_ACCESS_CONTROL.
    NodeImpl target;
    NodeImpl root = (NodeImpl) sImpl.getRootNode();
    if (!root.hasNode(AccessControlConstants.N_ACCESSCONTROL)) {
        target = root.addNode(AccessControlConstants.N_ACCESSCONTROL, AccessControlConstants.NT_REP_ACCESS_CONTROL, null);
    } else {
        target = root.getNode(AccessControlConstants.N_ACCESSCONTROL);
        if (!target.isNodeType(AccessControlConstants.NT_REP_ACCESS_CONTROL)) {
            target.setPrimaryType(sImpl.getJCRName(AccessControlConstants.NT_REP_ACCESS_CONTROL));
        }
    }
    try {
        InputStream in = new ByteArrayInputStream(XML_AC_TREE.getBytes("UTF-8"));
        SessionImporter importer = new SessionImporter(target, sImpl, ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW, new PseudoConfig());
        ImportHandler ih = new ImportHandler(importer, sImpl);
        new ParsingContentHandler(ih).parse(in);
        // Reaching this line means the principal-based ACL was imported, which the
        // default configuration must not allow.
        fail("Default config only allows resource-based ACL -> protected import must fail");
    } catch (SAXException e) {
        // Only a wrapped ConstraintViolationException counts as the expected rejection;
        // any other parse or import failure is rethrown and fails the test.
        if (e.getException() instanceof ConstraintViolationException) {
            // success
        } else {
            throw e;
        }
    } finally {
        // NOTE(review): the transient changes above were made through sImpl, but the
        // refresh is called on superuser - presumably both refer to the same session; confirm.
        superuser.refresh(false);
    }
}
Also used : JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager) PrincipalManager(org.apache.jackrabbit.api.security.principal.PrincipalManager) NodeImpl(org.apache.jackrabbit.core.NodeImpl) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ParsingContentHandler(org.apache.jackrabbit.commons.xml.ParsingContentHandler) SAXException(org.xml.sax.SAXException) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException) ByteArrayInputStream(java.io.ByteArrayInputStream) UserManager(org.apache.jackrabbit.api.security.user.UserManager) ConstraintViolationException(javax.jcr.nodetype.ConstraintViolationException) PrincipalImpl(org.apache.jackrabbit.core.security.principal.PrincipalImpl)

Aggregations

JackrabbitAccessControlManager (org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)29 AccessControlPolicy (javax.jcr.security.AccessControlPolicy)16 Principal (java.security.Principal)15 JackrabbitAccessControlPolicy (org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy)15 Privilege (javax.jcr.security.Privilege)11 Test (org.junit.Test)8 AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest)7 Root (org.apache.jackrabbit.oak.api.Root)7 AccessControlManager (javax.jcr.security.AccessControlManager)6 EveryonePrincipal (org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal)6 NodeUtil (org.apache.jackrabbit.oak.util.NodeUtil)5 NotExecutableException (org.apache.jackrabbit.test.NotExecutableException)5 JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)4 TestPrincipal (org.apache.jackrabbit.core.security.TestPrincipal)4 ImmutableList (com.google.common.collect.ImmutableList)3 Session (javax.jcr.Session)3 ItemBasedPrincipal (org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal)3 PrincipalManager (org.apache.jackrabbit.api.security.principal.PrincipalManager)3 UserManager (org.apache.jackrabbit.api.security.user.UserManager)3 PrincipalImpl (org.apache.jackrabbit.core.security.principal.PrincipalImpl)3