
Example 1 with Impersonation

use of org.apache.jackrabbit.api.security.user.Impersonation in project jackrabbit-oak by apache.

the class UserImportIgnoreTest method testImportInvalidImpersonationIgnore.

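/**
 * Verifies that importing a user whose {@code rep:impersonators} property names an
 * invalid principal does not grant impersonation to that principal.
 *
 * <p>Three invalid impersonator names are tried in turn: a principal that does not
 * exist, a group principal, and the principal of the imported user itself. After each
 * import the resulting {@link Impersonation} must neither allow a subject carrying that
 * principal nor list it among its impersonators. The import is expected to complete
 * without an exception (presumably because the enclosing test class configures the
 * "ignore" import behavior; that configuration is not visible in this method).
 *
 * @throws Exception if the import or a repository call fails
 */
@Test
public void testImportInvalidImpersonationIgnore() throws Exception {
    List<String> invalid = new ArrayList<String>();
    // a principal name that does not exist
    invalid.add("anybody");
    // a group
    invalid.add("administrators");
    // principal of the user itself.
    invalid.add("t");
    for (String principalName : invalid) {
        // principalName only takes the fixed values above, so splicing it into the
        // document without XML escaping is safe in this test.
        // The rep:password value is a fixture in the legacy {sha1} digest form and plays
        // no part in the impersonation check; a bare SHA-1 digest is not a suitable
        // password storage format outside of fixtures.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<sv:node sv:name=\"t\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">"
                + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:User</sv:value></sv:property>"
                + "   <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>e358efa4-89f5-3062-b10d-d7316b65649e</sv:value></sv:property>"
                + "   <sv:property sv:name=\"rep:password\" sv:type=\"String\"><sv:value>{sha1}8efd86fb78a56a5145ed7739dcb00c78581c5375</sv:value></sv:property>"
                + "   <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>t</sv:value></sv:property><sv:property sv:name=\"rep:impersonators\" sv:type=\"String\"><sv:value>" + principalName + "</sv:value></sv:property>"
                + "</sv:node>";
        try {
            doImport(getTargetPath(), xml);
            // no exception during import: no impersonation must be granted
            // for the invalid principal name
            Authorizable a = getUserManager().getAuthorizable("t");
            // A missing authorizable is reported as a test failure rather than
            // surfacing as a NullPointerException on the isGroup() call.
            if (a == null || a.isGroup()) {
                fail("Importing 't' didn't create a User.");
            }
            Impersonation imp = ((User) a).getImpersonation();
            Subject s = new Subject();
            s.getPrincipals().add(new PrincipalImpl(principalName));
            // The messages name the principal so a failure identifies which of the
            // three invalid cases was wrongly accepted.
            assertFalse("impersonation must not be allowed for '" + principalName + "'", imp.allows(s));
            for (PrincipalIterator it = imp.getImpersonators(); it.hasNext(); ) {
                assertFalse("'" + principalName + "' must not be listed as impersonator",
                        principalName.equals(it.nextPrincipal().getName()));
            }
        } finally {
            // discard the transient import so the next iteration starts clean
            getImportSession().refresh(false);
        }
    }
}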
Also used : Impersonation(org.apache.jackrabbit.api.security.user.Impersonation) User(org.apache.jackrabbit.api.security.user.User) ArrayList(java.util.ArrayList) Authorizable(org.apache.jackrabbit.api.security.user.Authorizable) PrincipalIterator(org.apache.jackrabbit.api.security.principal.PrincipalIterator) Subject(javax.security.auth.Subject) PrincipalImpl(org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl) Test(org.junit.Test)

Example 2 with Impersonation

use of org.apache.jackrabbit.api.security.user.Impersonation in project jackrabbit-oak by apache.

the class SystemUserImportTest method testImportImpersonation.

/**
 * Imports two system users, {@code t} and {@code g}, where {@code t} names {@code g}
 * in its {@code rep:impersonators} property, and checks that the imported
 * {@link Impersonation} of {@code t} allows a subject carrying the principal of
 * {@code g}.
 *
 * <p>In the document the node for {@code t} precedes the node for {@code g}, so the
 * impersonator is a forward reference within the same import.
 *
 * @throws Exception if the import or a repository call fails
 */
@Test
public void testImportImpersonation() throws Exception {
    String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<sv:node sv:name=\"uFolder\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">"
            + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:AuthorizableFolder</sv:value></sv:property>"
            // system user 't': the account that may be impersonated
            + "<sv:node sv:name=\"t\">"
            + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:SystemUser</sv:value></sv:property>"
            + "   <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>e358efa4-89f5-3062-b10d-d7316b65649e</sv:value></sv:property>"
            + "   <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>t</sv:value></sv:property>"
            + "   <sv:property sv:name=\"rep:impersonators\" sv:type=\"String\"><sv:value>g</sv:value></sv:property>"
            + "</sv:node>"
            // system user 'g': the impersonator named by 't'
            + "<sv:node sv:name=\"g\">"
            + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:SystemUser</sv:value></sv:property>"
            + "   <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>b2f5ff47-4366-31b6-a533-d8dc3614845d</sv:value></sv:property>"
            + "   <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>g</sv:value></sv:property>"
            + "</sv:node>"
            + "</sv:node>";
    doImport(getTargetPath(), xml);

    // both accounts must exist after the import
    Authorizable impersonated = getUserManager().getAuthorizable("t");
    assertNotNull(impersonated);
    Authorizable impersonator = getUserManager().getAuthorizable("g");
    assertNotNull(impersonator);

    // a subject holding only the principal of 'g' must be accepted by 't'
    Subject impersonatorSubject = new Subject();
    impersonatorSubject.getPrincipals().add(impersonator.getPrincipal());
    Impersonation impersonation = ((User) impersonated).getImpersonation();
    assertTrue(impersonation.allows(impersonatorSubject));
}
Also used : Impersonation(org.apache.jackrabbit.api.security.user.Impersonation) User(org.apache.jackrabbit.api.security.user.User) Authorizable(org.apache.jackrabbit.api.security.user.Authorizable) Subject(javax.security.auth.Subject) Test(org.junit.Test)

Example 3 with Impersonation

use of org.apache.jackrabbit.api.security.user.Impersonation in project jackrabbit-oak by apache.

the class ImpersonationTest method testImpersonation.

/**
 * Walks through granting and revoking impersonation of {@code user} for the principal
 * of {@code user2}.
 *
 * <p>The first grant and the first revoke are expected to return {@code true}; repeating
 * either call is expected to return {@code false}. {@link Impersonation#allows} is
 * checked before the grant, after the saved grant and after the saved revoke.
 *
 * @throws RepositoryException if a repository call fails
 * @throws NotExecutableException declared by the test signature; not thrown in this body
 */
@Test
public void testImpersonation() throws RepositoryException, NotExecutableException {
    Principal impersonator = user2.getPrincipal();
    // read-only subject holding only user2's principal, with empty credential sets
    Subject impersonatorSubject = new Subject(
            true,
            Collections.singleton(impersonator),
            Collections.<Object>emptySet(),
            Collections.<Object>emptySet());
    Impersonation impersonation = user.getImpersonation();

    // baseline: nothing has been granted yet
    assertFalse(impersonation.allows(impersonatorSubject));

    // grant: only the first call reports a change
    assertTrue(impersonation.grantImpersonation(impersonator));
    assertFalse(impersonation.grantImpersonation(impersonator));
    superuser.save();
    assertTrue(impersonation.allows(impersonatorSubject));

    // revoke: only the first call reports a change, and access is gone afterwards
    assertTrue(impersonation.revokeImpersonation(impersonator));
    assertFalse(impersonation.revokeImpersonation(impersonator));
    superuser.save();
    assertFalse(impersonation.allows(impersonatorSubject));
}
Also used : Impersonation(org.apache.jackrabbit.api.security.user.Impersonation) Principal(java.security.Principal) AdminPrincipal(org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal) Subject(javax.security.auth.Subject) Test(org.junit.Test)

Example 4 with Impersonation

use of org.apache.jackrabbit.api.security.user.Impersonation in project jackrabbit-oak by apache.

the class ImpersonationTest method testAdminAsImpersonator.

/**
 * Checks how the administrator principal is treated as an impersonator.
 *
 * <p>The admin principal can be neither granted nor revoked explicitly (both calls are
 * expected to return {@code false}), yet a subject built from it is expected to be
 * allowed to impersonate {@code user}. The grant and revoke expectations are repeated
 * on the admin's own {@link Impersonation} object.
 *
 * @throws RepositoryException if a repository call fails
 * @throws NotExecutableException if the superuser session does not belong to an admin user
 */
@Test
public void testAdminAsImpersonator() throws RepositoryException, NotExecutableException {
    String adminId = superuser.getUserID();
    Authorizable admin = userMgr.getAuthorizable(adminId);
    // the test only makes sense when the superuser session maps to an admin user
    boolean isAdminUser = admin != null && !admin.isGroup() && ((User) admin).isAdmin();
    if (!isAdminUser) {
        throw new NotExecutableException(adminId + " is not administators ID");
    }
    Principal adminPrincipal = admin.getPrincipal();

    // The admin cannot be added to or removed from the set of impersonators of
    // 'user', but is always allowed to impersonate that user.
    Impersonation userImpersonation = user.getImpersonation();
    assertFalse(userImpersonation.grantImpersonation(adminPrincipal));
    assertFalse(userImpersonation.revokeImpersonation(adminPrincipal));
    assertTrue(userImpersonation.allows(buildSubject(adminPrincipal)));

    // The same holds if the impersonation object of the admin itself is used.
    Impersonation adminImpersonation = ((User) admin).getImpersonation();
    assertFalse(adminImpersonation.grantImpersonation(adminPrincipal));
    assertFalse(adminImpersonation.revokeImpersonation(adminPrincipal));
    // NOTE(review): this repeats the allows() check on the user's impersonation object;
    // adminImpersonation.allows(...) is never asserted. Possibly a copy-paste slip;
    // confirm the intended expectation before changing it.
    assertTrue(userImpersonation.allows(buildSubject(adminPrincipal)));
}
Also used : Impersonation(org.apache.jackrabbit.api.security.user.Impersonation) User(org.apache.jackrabbit.api.security.user.User) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException) Authorizable(org.apache.jackrabbit.api.security.user.Authorizable) Principal(java.security.Principal) AdminPrincipal(org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal) Test(org.junit.Test)

Example 5 with Impersonation

use of org.apache.jackrabbit.api.security.user.Impersonation in project jackrabbit by apache.

the class UserImporterTest method testImportInvalidImpersonationIgnore.

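/**
 * Verifies that importing a user with {@link UserImporter.ImportBehavior#IGNORE} does
 * not grant impersonation to an invalid principal named in {@code rep:impersonators}.
 *
 * <p>Three invalid impersonator names are tried in turn: a principal that does not
 * exist, a group principal, and the principal of the imported user itself. After each
 * import the resulting {@link Impersonation} must neither allow a subject carrying that
 * principal nor list it among its impersonators.
 *
 * @throws IOException declared by the import helper
 * @throws RepositoryException if a repository call fails
 * @throws SAXException declared by the import helper
 * @throws NotExecutableException declared by the test signature; not thrown in this body
 */
public void testImportInvalidImpersonationIgnore() throws IOException, RepositoryException, SAXException, NotExecutableException {
    List<String> invalid = new ArrayList<String>();
    // a principal name that does not exist
    invalid.add("anybody");
    // a group
    invalid.add("administrators");
    // principal of the user itself.
    invalid.add("t");
    for (String principalName : invalid) {
        // principalName only takes the fixed values above, so splicing it into the
        // document without XML escaping is safe in this test.
        // The rep:password value is a fixture in the legacy {sha1} digest form and plays
        // no part in the impersonation check; a bare SHA-1 digest is not a suitable
        // password storage format outside of fixtures.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<sv:node sv:name=\"t\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">"
                + "   <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:User</sv:value></sv:property>"
                + "   <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>e358efa4-89f5-3062-b10d-d7316b65649e</sv:value></sv:property>"
                + "   <sv:property sv:name=\"rep:password\" sv:type=\"String\"><sv:value>{sha1}8efd86fb78a56a5145ed7739dcb00c78581c5375</sv:value></sv:property>"
                + "   <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>t</sv:value></sv:property><sv:property sv:name=\"rep:impersonators\" sv:type=\"String\"><sv:value>" + principalName + "</sv:value></sv:property>"
                + "</sv:node>";
        // looked up on every iteration because the session is refreshed in the finally block
        NodeImpl target = (NodeImpl) sImpl.getNode(umgr.getUsersPath());
        try {
            doImport(target, xml, UserImporter.ImportBehavior.IGNORE);
            // no exception during import: no impersonation must be granted
            // for the invalid principal name
            Authorizable a = umgr.getAuthorizable("t");
            // A missing authorizable is reported as a test failure rather than
            // surfacing as a NullPointerException on the isGroup() call.
            if (a == null || a.isGroup()) {
                fail("Importing 't' didn't create a User.");
            }
            Impersonation imp = ((User) a).getImpersonation();
            Subject s = new Subject();
            s.getPrincipals().add(new PrincipalImpl(principalName));
            // The messages name the principal so a failure identifies which of the
            // three invalid cases was wrongly accepted.
            assertFalse("impersonation must not be allowed for '" + principalName + "'", imp.allows(s));
            for (PrincipalIterator it = imp.getImpersonators(); it.hasNext(); ) {
                assertFalse("'" + principalName + "' must not be listed as impersonator",
                        principalName.equals(it.nextPrincipal().getName()));
            }
        } finally {
            // discard the transient import so the next iteration starts clean
            sImpl.refresh(false);
        }
    }
}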
Also used : Impersonation(org.apache.jackrabbit.api.security.user.Impersonation) User(org.apache.jackrabbit.api.security.user.User) NodeImpl(org.apache.jackrabbit.core.NodeImpl) ArrayList(java.util.ArrayList) Authorizable(org.apache.jackrabbit.api.security.user.Authorizable) PrincipalIterator(org.apache.jackrabbit.api.security.principal.PrincipalIterator) Subject(javax.security.auth.Subject) PrincipalImpl(org.apache.jackrabbit.core.security.principal.PrincipalImpl)

Aggregations

Impersonation (org.apache.jackrabbit.api.security.user.Impersonation)18 User (org.apache.jackrabbit.api.security.user.User)14 Principal (java.security.Principal)12 Authorizable (org.apache.jackrabbit.api.security.user.Authorizable)10 Subject (javax.security.auth.Subject)7 Test (org.junit.Test)7 NotExecutableException (org.apache.jackrabbit.test.NotExecutableException)4 ArrayList (java.util.ArrayList)3 PrincipalIterator (org.apache.jackrabbit.api.security.principal.PrincipalIterator)3 NodeImpl (org.apache.jackrabbit.core.NodeImpl)3 SystemPrincipal (org.apache.jackrabbit.core.security.SystemPrincipal)3 AdminPrincipal (org.apache.jackrabbit.core.security.principal.AdminPrincipal)3 AdminPrincipal (org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal)3 AccessDeniedException (javax.jcr.AccessDeniedException)2 UserManager (org.apache.jackrabbit.api.security.user.UserManager)2 PrincipalImpl (org.apache.jackrabbit.core.security.principal.PrincipalImpl)2 HashMap (java.util.HashMap)1 LinkedList (java.util.LinkedList)1 List (java.util.List)1 Map (java.util.Map)1