use of org.apache.jackrabbit.api.security.user.Impersonation in project jackrabbit-oak by apache.
the class UserImportIgnoreTest method testImportInvalidImpersonationIgnore.
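/**
 * Checks that an imported user does not end up with an impersonator that must not be
 * accepted: a principal name that does not exist, a group, or the user's own principal.
 *
 * <p>For each such name the user {@code t} is imported with that name as its only
 * {@code rep:impersonators} value. The import is expected to complete without an
 * exception, after which the impersonation of {@code t} must neither allow a subject
 * carrying that principal nor list it among the impersonators.
 *
 * @throws Exception if the import or a repository call fails
 */
@Test
public void testImportInvalidImpersonationIgnore() throws Exception {
    List<String> invalid = new ArrayList<String>();
    // a non-existing principal name
    invalid.add("anybody");
    // a group
    invalid.add("administrators");
    // principal of the user itself.
    invalid.add("t");

    for (String principalName : invalid) {
        // NOTE(review): the rep:password fixture is a {sha1}-prefixed value; acceptable as
        // test data, but SHA-1 is not a suitable password hash for real accounts.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<sv:node sv:name=\"t\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">"
                + " <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:User</sv:value></sv:property>"
                + " <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>e358efa4-89f5-3062-b10d-d7316b65649e</sv:value></sv:property>"
                + " <sv:property sv:name=\"rep:password\" sv:type=\"String\"><sv:value>{sha1}8efd86fb78a56a5145ed7739dcb00c78581c5375</sv:value></sv:property>"
                + " <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>t</sv:value></sv:property><sv:property sv:name=\"rep:impersonators\" sv:type=\"String\"><sv:value>" + principalName + "</sv:value></sv:property>"
                + "</sv:node>";
        try {
            doImport(getTargetPath(), xml);
            // no exception during import: no impersonation must be granted
            // for the invalid principal name
            Authorizable a = getUserManager().getAuthorizable("t");
            // A missing authorizable is reported as a test failure instead of surfacing
            // as a NullPointerException on the next call.
            if (a == null || a.isGroup()) {
                fail("Importing 't' didn't create a User.");
            }
            Impersonation imp = ((User) a).getImpersonation();
            Subject s = new Subject();
            s.getPrincipals().add(new PrincipalImpl(principalName));
            // Check both views: the access decision and the stored impersonator list.
            assertFalse(imp.allows(s));
            for (PrincipalIterator it = imp.getImpersonators(); it.hasNext(); ) {
                assertFalse(principalName.equals(it.nextPrincipal().getName()));
            }
        } finally {
            // Drop the pending import so the next principal name starts from a clean session.
            getImportSession().refresh(false);
        }
    }
}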
use of org.apache.jackrabbit.api.security.user.Impersonation in project jackrabbit-oak by apache.
the class SystemUserImportTest method testImportImpersonation.
/**
 * Imports an authorizable folder holding two system users, {@code t} and {@code g},
 * where {@code t} names {@code g} in {@code rep:impersonators}, and asserts that the
 * impersonation of {@code t} allows a subject carrying the principal of {@code g}.
 *
 * @throws Exception if the import or a repository call fails
 */
@Test
public void testImportImpersonation() throws Exception {
    String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<sv:node sv:name=\"uFolder\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">"
            + " <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:AuthorizableFolder</sv:value></sv:property>"
            // the impersonated system user
            + "<sv:node sv:name=\"t\">"
            + " <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:SystemUser</sv:value></sv:property>"
            + " <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>e358efa4-89f5-3062-b10d-d7316b65649e</sv:value></sv:property>"
            + " <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>t</sv:value></sv:property>"
            + " <sv:property sv:name=\"rep:impersonators\" sv:type=\"String\"><sv:value>g</sv:value></sv:property>"
            + "</sv:node>"
            // the system user listed as impersonator of 't'
            + "<sv:node sv:name=\"g\">"
            + " <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:SystemUser</sv:value></sv:property>"
            + " <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>b2f5ff47-4366-31b6-a533-d8dc3614845d</sv:value></sv:property>"
            + " <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>g</sv:value></sv:property>"
            + "</sv:node>"
            + "</sv:node>";
    doImport(getTargetPath(), xml);

    Authorizable impersonated = getUserManager().getAuthorizable("t");
    assertNotNull(impersonated);
    Authorizable impersonator = getUserManager().getAuthorizable("g");
    assertNotNull(impersonator);

    // A subject that carries only the principal of 'g'.
    Subject impersonatorSubject = new Subject();
    impersonatorSubject.getPrincipals().add(impersonator.getPrincipal());

    Impersonation impersonation = ((User) impersonated).getImpersonation();
    boolean allowed = impersonation.allows(impersonatorSubject);
    assertTrue(allowed);
}
use of org.apache.jackrabbit.api.security.user.Impersonation in project jackrabbit-oak by apache.
the class ImpersonationTest method testImpersonation.
/**
 * Walks one grant/revoke cycle for the principal of {@code user2} on the impersonation
 * of {@code user}: not allowed at the start, allowed after a saved grant, not allowed
 * again after a saved revoke. A repeated grant or revoke is expected to return
 * {@code false}.
 *
 * @throws RepositoryException if a repository call fails
 * @throws NotExecutableException declared by the test signature
 */
@Test
public void testImpersonation() throws RepositoryException, NotExecutableException {
    Principal impersonator = user2.getPrincipal();
    // Read-only subject holding only the impersonator principal and no credentials.
    Subject impersonatorSubject = new Subject(
            true,
            Collections.singleton(impersonator),
            Collections.<Object>emptySet(),
            Collections.<Object>emptySet());

    Impersonation impersonation = user.getImpersonation();
    assertFalse(impersonation.allows(impersonatorSubject));

    // The first grant reports a change, the second one does not.
    boolean firstGrant = impersonation.grantImpersonation(impersonator);
    assertTrue(firstGrant);
    boolean secondGrant = impersonation.grantImpersonation(impersonator);
    assertFalse(secondGrant);
    superuser.save();
    assertTrue(impersonation.allows(impersonatorSubject));

    // Same pattern for the revoke: only the first call reports a change.
    boolean firstRevoke = impersonation.revokeImpersonation(impersonator);
    assertTrue(firstRevoke);
    boolean secondRevoke = impersonation.revokeImpersonation(impersonator);
    assertFalse(secondRevoke);
    superuser.save();
    assertFalse(impersonation.allows(impersonatorSubject));
}
use of org.apache.jackrabbit.api.security.user.Impersonation in project jackrabbit-oak by apache.
the class ImpersonationTest method testAdminAsImpersonator.
/**
 * Asserts that the admin principal can be neither granted nor revoked as an impersonator,
 * yet a subject carrying it is always allowed to impersonate {@code user}.
 *
 * <p>The test is skipped with a {@link NotExecutableException} when the superuser
 * session's user ID does not resolve to an admin user.
 *
 * @throws RepositoryException if a repository call fails
 * @throws NotExecutableException if the superuser ID is not that of an admin user
 */
@Test
public void testAdminAsImpersonator() throws RepositoryException, NotExecutableException {
    String adminId = superuser.getUserID();
    Authorizable adminAuthorizable = userMgr.getAuthorizable(adminId);
    boolean isAdminUser = adminAuthorizable != null
            && !adminAuthorizable.isGroup()
            && ((User) adminAuthorizable).isAdmin();
    if (!isAdminUser) {
        throw new NotExecutableException(adminId + " is not administators ID");
    }
    Principal adminPrincipal = adminAuthorizable.getPrincipal();

    // The admin cannot be added to or removed from the set of impersonators of 'user',
    // but is always allowed to impersonate that user.
    Impersonation userImpersonation = user.getImpersonation();
    assertFalse(userImpersonation.grantImpersonation(adminPrincipal));
    assertFalse(userImpersonation.revokeImpersonation(adminPrincipal));
    assertTrue(userImpersonation.allows(buildSubject(adminPrincipal)));

    // The same holds when the impersonation object of the admin itself is used.
    Impersonation adminImpersonation = ((User) adminAuthorizable).getImpersonation();
    assertFalse(adminImpersonation.grantImpersonation(adminPrincipal));
    assertFalse(adminImpersonation.revokeImpersonation(adminPrincipal));
    // NOTE(review): this re-checks the impersonation of 'user', not adminImpersonation,
    // so allows() on the admin's own impersonation object is never asserted here.
    // Confirm whether adminImpersonation.allows(...) was intended.
    assertTrue(userImpersonation.allows(buildSubject(adminPrincipal)));
}
use of org.apache.jackrabbit.api.security.user.Impersonation in project jackrabbit by apache.
the class UserImporterTest method testImportInvalidImpersonationIgnore.
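/**
 * Checks that importing with {@code UserImporter.ImportBehavior.IGNORE} does not grant
 * impersonation to a principal that must not be accepted: a principal name that does not
 * exist, a group, or the user's own principal.
 *
 * <p>For each such name the user {@code t} is imported below the users path with that
 * name as its only {@code rep:impersonators} value. The import is expected to complete
 * without an exception, after which the impersonation of {@code t} must neither allow a
 * subject carrying that principal nor list it among the impersonators.
 *
 * @throws IOException declared by the import helper
 * @throws RepositoryException if a repository call fails
 * @throws SAXException declared by the import helper
 * @throws NotExecutableException declared by the test signature
 */
public void testImportInvalidImpersonationIgnore() throws IOException, RepositoryException, SAXException, NotExecutableException {
    List<String> invalid = new ArrayList<String>();
    // a non-existing principal name
    invalid.add("anybody");
    // a group
    invalid.add("administrators");
    // principal of the user itself.
    invalid.add("t");

    for (String principalName : invalid) {
        // NOTE(review): the rep:password fixture is a {sha1}-prefixed value; acceptable as
        // test data, but SHA-1 is not a suitable password hash for real accounts.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<sv:node sv:name=\"t\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">"
                + " <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:User</sv:value></sv:property>"
                + " <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>e358efa4-89f5-3062-b10d-d7316b65649e</sv:value></sv:property>"
                + " <sv:property sv:name=\"rep:password\" sv:type=\"String\"><sv:value>{sha1}8efd86fb78a56a5145ed7739dcb00c78581c5375</sv:value></sv:property>"
                + " <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>t</sv:value></sv:property><sv:property sv:name=\"rep:impersonators\" sv:type=\"String\"><sv:value>" + principalName + "</sv:value></sv:property>"
                + "</sv:node>";
        NodeImpl target = (NodeImpl) sImpl.getNode(umgr.getUsersPath());
        try {
            doImport(target, xml, UserImporter.ImportBehavior.IGNORE);
            // no exception during import: no impersonation must be granted
            // for the invalid principal name
            Authorizable a = umgr.getAuthorizable("t");
            // A missing authorizable is reported as a test failure instead of surfacing
            // as a NullPointerException on the next call.
            if (a == null || a.isGroup()) {
                fail("Importing 't' didn't create a User.");
            }
            Impersonation imp = ((User) a).getImpersonation();
            Subject s = new Subject();
            s.getPrincipals().add(new PrincipalImpl(principalName));
            // Check both views: the access decision and the stored impersonator list.
            assertFalse(imp.allows(s));
            for (PrincipalIterator it = imp.getImpersonators(); it.hasNext(); ) {
                assertFalse(principalName.equals(it.nextPrincipal().getName()));
            }
        } finally {
            // Drop the pending import so the next principal name starts from a clean session.
            sImpl.refresh(false);
        }
    }
}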