Example 66 with PermissionProvider

Use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

The class PermissionProviderImplTest method testIsGrantedNonExistingVersionStoreLocation.

@Test
public void testIsGrantedNonExistingVersionStoreLocation() {
    TreeLocation location = TreeLocation.create(root, VersionConstants.VERSION_STORE_PATH + "/non/existing/tree");
    PermissionProvider pp = createPermissionProvider(adminSession);
    assertTrue(pp instanceof PermissionProviderImpl);
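    // The provider was created for the admin session; the test still expects
    // isGranted to return false for a non-existing location below the version store.
    assertFalse(((PermissionProviderImpl) pp).isGranted(location, Permissions.ALL));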
}
Also used : TreeLocation(org.apache.jackrabbit.oak.plugins.tree.TreeLocation) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 67 with PermissionProvider

Use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

The class PermissionTest method testHasPermissionWithRestrictions.

/**
 * Tests if the restrictions are properly inherited.
 * The restriction enables/disables the ACE where it is defined.
 * Since the 'allow' on /a/b is after the 'deny' on a/b/c, the allow wins.
 *
 * The test currently fails on evaluation of /a/b/c/d. Probably because the evaluation
 * of /a/b/c yields a deny, which terminates the iteration.
 */
@Test
public void testHasPermissionWithRestrictions() throws Exception {
    // create permissions
    // allow rep:write      /testroot
    // deny  jcr:removeNode /testroot/a  glob=*/c
    // allow jcr:removeNode /testroot/a  glob=*/b
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, false, "*/c", PrivilegeConstants.JCR_REMOVE_NODE);
    addEntry(TEST_A_PATH, true, "*/b", PrivilegeConstants.JCR_REMOVE_NODE);
    ContentSession testSession = createTestSession();
    try {
        Root testRoot = testSession.getLatestRoot();
        PermissionProvider pp = getPermissionProvider(testSession);
        assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.REMOVE_NODE);
        // should be able to remove /a/b/c/d
        testRoot.getTree(TEST_D_PATH).remove();
        testRoot.commit();
        // should not be able to remove /a/b/c
        try {
            testRoot.getTree(TEST_C_PATH).remove();
            testRoot.commit();
            fail("user should not be able to remove c");
        } catch (CommitFailedException e) {
            // ok
        }
    } finally {
        testSession.close();
    }
}
Also used : Root(org.apache.jackrabbit.oak.api.Root) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) ContentSession(org.apache.jackrabbit.oak.api.ContentSession) CommitFailedException(org.apache.jackrabbit.oak.api.CommitFailedException) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 68 with PermissionProvider

Use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

The class CustomRestrictionProviderTest method testProtectByRestriction.

/**
 * Tests the custom restriction provider that checks on the existence of a property.
 * @throws Exception
 */
@Test
public void testProtectByRestriction() throws Exception {
    // allow rep:write      /testroot
    // deny  jcr:removeNode /testroot/a  hasProperty=protect-me
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_REMOVE_NODE);
    ContentSession testSession = createTestSession();
    try {
        Root testRoot = testSession.getLatestRoot();
        PermissionProvider pp = getPermissionProvider(testSession);
        assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.REMOVE_NODE);
        // should be able to remove /a/b/c/d
        testRoot.getTree(TEST_D_PATH).remove();
        testRoot.commit();
        try {
            testRoot.getTree(TEST_C_PATH).remove();
            testRoot.commit();
            fail("should not be able to delete " + TEST_C_PATH);
        } catch (CommitFailedException e) {
            // all ok
        }
    } finally {
        testSession.close();
    }
}
Also used : Root(org.apache.jackrabbit.oak.api.Root) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) ContentSession(org.apache.jackrabbit.oak.api.ContentSession) CommitFailedException(org.apache.jackrabbit.oak.api.CommitFailedException) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 69 with PermissionProvider

Use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

The class CustomRestrictionProviderTest method testProtectPropertiesByRestriction.

/**
 * Tests the custom restriction provider that checks on the existence of a property.
 * @throws Exception
 */
@Test
public void testProtectPropertiesByRestriction() throws Exception {
    // allow rep:write            /testroot
    // deny  jcr:modifyProperties /testroot/a  hasProperty=protect-me
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_MODIFY_PROPERTIES);
    ContentSession testSession = createTestSession();
    try {
        Root testRoot = testSession.getLatestRoot();
        PermissionProvider pp = getPermissionProvider(testSession);
        assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.MODIFY_PROPERTY);
        assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.MODIFY_PROPERTY);
        assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.MODIFY_PROPERTY);
        assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.MODIFY_PROPERTY);
        assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.MODIFY_PROPERTY);
    } finally {
        testSession.close();
    }
}
Also used : Root(org.apache.jackrabbit.oak.api.Root) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) ContentSession(org.apache.jackrabbit.oak.api.ContentSession) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 70 with PermissionProvider

Use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

The class CustomRestrictionProviderTest method testUnProtectByRestriction.

/**
 * Tests the custom restriction provider that checks on the absence of a property.
 * @throws Exception
 */
@Test
public void testUnProtectByRestriction() throws Exception {
    // allow rep:write      /testroot
    // deny  jcr:removeNode /testroot
    // allow jcr:removeNode /testroot/a  hasProperty=!protect-me
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_ROOT_PATH, false, "", PrivilegeConstants.JCR_REMOVE_NODE);
    addEntry(TEST_A_PATH, true, "!" + PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_REMOVE_NODE);
    ContentSession testSession = createTestSession();
    try {
        Root testRoot = testSession.getLatestRoot();
        PermissionProvider pp = getPermissionProvider(testSession);
        assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.REMOVE_NODE);
    } finally {
        testSession.close();
    }
}
Also used : Root(org.apache.jackrabbit.oak.api.Root) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) ContentSession(org.apache.jackrabbit.oak.api.ContentSession) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Aggregations

PermissionProvider (org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider): 70
Test (org.junit.Test): 65
AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest): 44
Tree (org.apache.jackrabbit.oak.api.Tree): 21
AggregatedPermissionProvider (org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider): 18
ContentSession (org.apache.jackrabbit.oak.api.ContentSession): 15
Root (org.apache.jackrabbit.oak.api.Root): 12
EmptyPermissionProvider (org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider): 11
TreePermission (org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission): 11
ImmutableTree (org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree): 8
PropertyState (org.apache.jackrabbit.oak.api.PropertyState): 6
AccessControlManager (javax.jcr.security.AccessControlManager): 4
CommitFailedException (org.apache.jackrabbit.oak.api.CommitFailedException): 4
AuthorizationConfiguration (org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration): 4
Principal (java.security.Principal): 3
Nonnull (javax.annotation.Nonnull): 3
AuthorizationConfigurationImpl (org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl): 3
ConfigurationParameters (org.apache.jackrabbit.oak.spi.security.ConfigurationParameters): 3
OpenAuthorizationConfiguration (org.apache.jackrabbit.oak.spi.security.authorization.OpenAuthorizationConfiguration): 3
AccessControlList (javax.jcr.security.AccessControlList): 2