Example 66 with PermissionProvider
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class PermissionProviderImplTest method testIsGrantedNonExistingVersionStoreLocation.
@Test
public void testIsGrantedNonExistingVersionStoreLocation() {
TreeLocation location = TreeLocation.create(root, VersionConstants.VERSION_STORE_PATH + "/non/existing/tree");
PermissionProvider pp = createPermissionProvider(adminSession);
assertTrue(pp instanceof PermissionProviderImpl);
assertFalse(((PermissionProviderImpl) pp).isGranted(location, Permissions.ALL));
}
Also used :
TreeLocation(org.apache.jackrabbit.oak.plugins.tree.TreeLocation)
PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider)
AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest)
Test(org.junit.Test)
Example 67 with PermissionProvider
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class PermissionTest method testHasPermissionWithRestrictions.
/**
* Tests if the restrictions are properly inherited.
* the restriction enable/disable the ACE where it is defined.
* since the 'allow' on /a/b is after the 'deny' on a/b/c, the allow wins.
*
* The test currently fails on evaluation of /a/b/c/d. Probably because the evaluation
* of /a/b/c yields a deny, which terminates the iteration.
*/
@Test
public void testHasPermissionWithRestrictions() throws Exception {
// create permissions
// allow rep:write /testroot
// deny jcr:removeNode /testroot/a glob=*/c
// allow jcr:removeNode /testroot/a glob=*/b
addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
addEntry(TEST_A_PATH, false, "*/c", PrivilegeConstants.JCR_REMOVE_NODE);
addEntry(TEST_A_PATH, true, "*/b", PrivilegeConstants.JCR_REMOVE_NODE);
ContentSession testSession = createTestSession();
try {
Root testRoot = testSession.getLatestRoot();
PermissionProvider pp = getPermissionProvider(testSession);
assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.REMOVE_NODE);
// should be able to remove /a/b/c/d
testRoot.getTree(TEST_D_PATH).remove();
testRoot.commit();
// should be able to remove /a/b/c
try {
testRoot.getTree(TEST_C_PATH).remove();
testRoot.commit();
fail("user should not be able to remove c");
} catch (CommitFailedException e) {
// ok
}
} finally {
testSession.close();
}
}
Also used :
Root(org.apache.jackrabbit.oak.api.Root)
PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider)
ContentSession(org.apache.jackrabbit.oak.api.ContentSession)
CommitFailedException(org.apache.jackrabbit.oak.api.CommitFailedException)
AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest)
Test(org.junit.Test)
Example 68 with PermissionProvider
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class CustomRestrictionProviderTest method testProtectByRestriction.
/**
* Tests the custom restriction provider that checks on the existence of a property.
* @throws Exception
*/
@Test
public void testProtectByRestriction() throws Exception {
// allow rep:write /testroot
// deny jcr:removeNode /testroot/a hasProperty=protect-me
addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_REMOVE_NODE);
ContentSession testSession = createTestSession();
try {
Root testRoot = testSession.getLatestRoot();
PermissionProvider pp = getPermissionProvider(testSession);
assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.REMOVE_NODE);
// should be able to remove /a/b/c/d
testRoot.getTree(TEST_D_PATH).remove();
testRoot.commit();
try {
testRoot.getTree(TEST_C_PATH).remove();
testRoot.commit();
fail("should not be able to delete " + TEST_C_PATH);
} catch (CommitFailedException e) {
// all ok
}
} finally {
testSession.close();
}
}
Also used :
Root(org.apache.jackrabbit.oak.api.Root)
PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider)
ContentSession(org.apache.jackrabbit.oak.api.ContentSession)
CommitFailedException(org.apache.jackrabbit.oak.api.CommitFailedException)
AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest)
Test(org.junit.Test)
Example 69 with PermissionProvider
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class CustomRestrictionProviderTest method testProtectPropertiesByRestriction.
/**
* Tests the custom restriction provider that checks on the existence of a property.
* @throws Exception
*/
@Test
public void testProtectPropertiesByRestriction() throws Exception {
// allow rep:write /testroot
// deny jcr:modifyProperties /testroot/a hasProperty=protect-me
addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_MODIFY_PROPERTIES);
ContentSession testSession = createTestSession();
try {
Root testRoot = testSession.getLatestRoot();
PermissionProvider pp = getPermissionProvider(testSession);
assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.MODIFY_PROPERTY);
assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.MODIFY_PROPERTY);
assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.MODIFY_PROPERTY);
assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.MODIFY_PROPERTY);
assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.MODIFY_PROPERTY);
} finally {
testSession.close();
}
}
Also used :
Root(org.apache.jackrabbit.oak.api.Root)
PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider)
ContentSession(org.apache.jackrabbit.oak.api.ContentSession)
AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest)
Test(org.junit.Test)
Example 70 with PermissionProvider
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class CustomRestrictionProviderTest method testUnProtectByRestriction.
/**
* Tests the custom restriction provider that checks on the absence of a property.
* @throws Exception
*/
@Test
public void testUnProtectByRestriction() throws Exception {
// allow rep:write /testroot
// deny jcr:removeNode /testroot
// allow jcr:removeNode /testroot/a hasProperty=!protect-me
addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
addEntry(TEST_ROOT_PATH, false, "", PrivilegeConstants.JCR_REMOVE_NODE);
addEntry(TEST_A_PATH, true, "!" + PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_REMOVE_NODE);
ContentSession testSession = createTestSession();
try {
Root testRoot = testSession.getLatestRoot();
PermissionProvider pp = getPermissionProvider(testSession);
assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);
assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.REMOVE_NODE);
} finally {
testSession.close();
}
}
Also used :
Root(org.apache.jackrabbit.oak.api.Root)
PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider)
ContentSession(org.apache.jackrabbit.oak.api.ContentSession)
AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest)
Test(org.junit.Test)
Aggregations
PermissionProvider (org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider)70
Test (org.junit.Test)65
AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest)44
Tree (org.apache.jackrabbit.oak.api.Tree)21
AggregatedPermissionProvider (org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider)18
ContentSession (org.apache.jackrabbit.oak.api.ContentSession)15
Root (org.apache.jackrabbit.oak.api.Root)12
EmptyPermissionProvider (org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider)11
TreePermission (org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission)11
ImmutableTree (org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree)8
PropertyState (org.apache.jackrabbit.oak.api.PropertyState)6
AccessControlManager (javax.jcr.security.AccessControlManager)4
CommitFailedException (org.apache.jackrabbit.oak.api.CommitFailedException)4
AuthorizationConfiguration (org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration)4
Principal (java.security.Principal)3
Nonnull (javax.annotation.Nonnull)3
AuthorizationConfigurationImpl (org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl)3
ConfigurationParameters (org.apache.jackrabbit.oak.spi.security.ConfigurationParameters)3
OpenAuthorizationConfiguration (org.apache.jackrabbit.oak.spi.security.authorization.OpenAuthorizationConfiguration)3
AccessControlList (javax.jcr.security.AccessControlList)2
