use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class PermissionProviderImplTest method testIsGrantedNonExistingVersionStoreLocation.
@Test
public void testIsGrantedNonExistingVersionStoreLocation() {
TreeLocation location = TreeLocation.create(root, VersionConstants.VERSION_STORE_PATH + "/non/existing/tree");
PermissionProvider pp = createPermissionProvider(adminSession);
assertTrue(pp instanceof PermissionProviderImpl);
assertFalse(((PermissionProviderImpl) pp).isGranted(location, Permissions.ALL));
}
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class PermissionTest method testHasPermissionWithRestrictions.
/**
* Tests if the restrictions are properly inherited.
* the restriction enable/disable the ACE where it is defined.
* since the 'allow' on /a/b is after the 'deny' on a/b/c, the allow wins.
*
* The test currently fails on evaluation of /a/b/c/d. Probably because the evaluation
* of /a/b/c yields a deny, which terminates the iteration.
*/
@Test
public void testHasPermissionWithRestrictions() throws Exception {
// create permissions
// allow rep:write /testroot
// deny jcr:removeNode /testroot/a glob=*/c
// allow jcr:removeNode /testroot/a glob=*/b
addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
addEntry(TEST_A_PATH, false, "*/c", PrivilegeConstants.JCR_REMOVE_NODE);
addEntry(TEST_A_PATH, true, "*/b", PrivilegeConstants.JCR_REMOVE_NODE);
ContentSession testSession = createTestSession();
try {
Root testRoot = testSession.getLatestRoot();
PermissionProvider pp = getPermissionProvider(testSession);
assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.REMOVE_NODE);
// should be able to remove /a/b/c/d
testRoot.getTree(TEST_D_PATH).remove();
testRoot.commit();
// should be able to remove /a/b/c
try {
testRoot.getTree(TEST_C_PATH).remove();
testRoot.commit();
fail("user should not be able to remove c");
} catch (CommitFailedException e) {
// ok
}
} finally {
testSession.close();
}
}
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class CustomRestrictionProviderTest method testProtectByRestriction.
/**
* Tests the custom restriction provider that checks on the existence of a property.
* @throws Exception
*/
@Test
public void testProtectByRestriction() throws Exception {
// allow rep:write /testroot
// deny jcr:removeNode /testroot/a hasProperty=protect-me
addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_REMOVE_NODE);
ContentSession testSession = createTestSession();
try {
Root testRoot = testSession.getLatestRoot();
PermissionProvider pp = getPermissionProvider(testSession);
assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.REMOVE_NODE);
// should be able to remove /a/b/c/d
testRoot.getTree(TEST_D_PATH).remove();
testRoot.commit();
try {
testRoot.getTree(TEST_C_PATH).remove();
testRoot.commit();
fail("should not be able to delete " + TEST_C_PATH);
} catch (CommitFailedException e) {
// all ok
}
} finally {
testSession.close();
}
}
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class CustomRestrictionProviderTest method testProtectPropertiesByRestriction.
/**
* Tests the custom restriction provider that checks on the existence of a property.
* @throws Exception
*/
@Test
public void testProtectPropertiesByRestriction() throws Exception {
// allow rep:write /testroot
// deny jcr:modifyProperties /testroot/a hasProperty=protect-me
addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_MODIFY_PROPERTIES);
ContentSession testSession = createTestSession();
try {
Root testRoot = testSession.getLatestRoot();
PermissionProvider pp = getPermissionProvider(testSession);
assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.MODIFY_PROPERTY);
assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.MODIFY_PROPERTY);
assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.MODIFY_PROPERTY);
assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.MODIFY_PROPERTY);
assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.MODIFY_PROPERTY);
} finally {
testSession.close();
}
}
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class CustomRestrictionProviderTest method testUnProtectByRestriction.
/**
* Tests the custom restriction provider that checks on the absence of a property.
* @throws Exception
*/
@Test
public void testUnProtectByRestriction() throws Exception {
// allow rep:write /testroot
// deny jcr:removeNode /testroot
// allow jcr:removeNode /testroot/a hasProperty=!protect-me
addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
addEntry(TEST_ROOT_PATH, false, "", PrivilegeConstants.JCR_REMOVE_NODE);
addEntry(TEST_A_PATH, true, "!" + PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_REMOVE_NODE);
ContentSession testSession = createTestSession();
try {
Root testRoot = testSession.getLatestRoot();
PermissionProvider pp = getPermissionProvider(testSession);
assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.REMOVE_NODE);
} finally {
testSession.close();
}
}
Aggregations