Example 71 with PermissionProvider

use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

the class PermissionHookTest method testDynamicJcrAll.

/**
 * @see <a href="https://issues.apache.org/jira/browse/OAK-2015">OAK-2015</a>
 */
@Test
public void testDynamicJcrAll() throws Exception {
    AccessControlManager acMgr = getAccessControlManager(root);
    // grant 'everyone' jcr:all at the child path.
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, childPath);
    acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(JCR_ALL));
    acMgr.setPolicy(childPath, acl);
    root.commit();
    // verify that the permission store contains an entry for everyone at childPath
    // and the privilegeBits for jcr:all are reflected by a placeholder value.
    Tree allEntry = getEntry(EveryonePrincipal.getInstance(), childPath, 0);
    assertTrue(allEntry.exists());
    PropertyState ps = allEntry.getProperty(PermissionConstants.REP_PRIVILEGE_BITS);
    assertEquals(1, ps.count());
    assertEquals(PermissionStore.DYNAMIC_ALL_BITS, ps.getValue(Type.LONG, 0).longValue());
    // verify that the permission provider still exposes the correct privilege
    // (jcr:all) for the given childPath irrespective of the dynamic nature of
    // the privilege bits in the persisted permission entry.
    Set<Principal> principalSet = ImmutableSet.<Principal>of(EveryonePrincipal.getInstance());
    PermissionProvider permissionProvider = getConfig(AuthorizationConfiguration.class).getPermissionProvider(root, root.getContentSession().getWorkspaceName(), principalSet);
    Tree childTree = root.getTree(childPath);
    assertTrue(permissionProvider.hasPrivileges(childTree, PrivilegeConstants.JCR_ALL));
    assertTrue(permissionProvider.getPrivileges(childTree).contains(PrivilegeConstants.JCR_ALL));
    // also verify the permission evaluation
    long diff = Permissions.diff(Permissions.ALL, Permissions.REMOVE_NODE | Permissions.ADD_NODE);
    assertFalse(permissionProvider.isGranted(childTree, null, Permissions.REMOVE_NODE));
    assertFalse(permissionProvider.isGranted(childTree, null, Permissions.ADD_NODE));
    assertTrue(permissionProvider.isGranted(childTree, null, diff));
    // remove the ACE again
    acl = AccessControlUtils.getAccessControlList(acMgr, childPath);
    for (AccessControlEntry ace : acl.getAccessControlEntries()) {
        if (EveryonePrincipal.NAME.equals(ace.getPrincipal().getName())) {
            acl.removeAccessControlEntry(ace);
        }
    }
    acMgr.setPolicy(childPath, acl);
    root.commit();
    // verify that the corresponding permission entry has been removed.
    Tree everyoneRoot = getPrincipalRoot(EveryonePrincipal.getInstance());
    Tree parent = everyoneRoot.getChild(PermissionUtil.getEntryName(childPath));
    if (parent.exists()) {
        assertFalse(parent.getChild("0").exists());
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AuthorizationConfiguration(org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) Tree(org.apache.jackrabbit.oak.api.Tree) AccessControlEntry(javax.jcr.security.AccessControlEntry) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) EveryonePrincipal(org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal) Principal(java.security.Principal) PropertyState(org.apache.jackrabbit.oak.api.PropertyState) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 72 with PermissionProvider

use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

the class PermissionProviderImplTest method testAdministatorConfig.

@Test
public void testAdministatorConfig() throws Exception {
    adminstrators.addMember(getTestUser());
    root.commit();
    ContentSession testSession = createTestSession();
    try {
        Root r = testSession.getLatestRoot();
        Root immutableRoot = getRootProvider().createReadOnlyRoot(r);
        PermissionProvider pp = createPermissionProvider(testSession);
        assertTrue(r.getTree("/").exists());
        TreePermission tp = pp.getTreePermission(immutableRoot.getTree("/"), TreePermission.EMPTY);
        assertSame(TreePermission.ALL, tp);
        for (String path : READ_PATHS) {
            Tree tree = r.getTree(path);
            assertTrue(tree.exists());
            assertSame(TreePermission.ALL, pp.getTreePermission(tree, TreePermission.EMPTY));
        }
    } finally {
        testSession.close();
    }
}
Also used : Root(org.apache.jackrabbit.oak.api.Root) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) ContentSession(org.apache.jackrabbit.oak.api.ContentSession) Tree(org.apache.jackrabbit.oak.api.Tree) TreePermission(org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 73 with PermissionProvider

use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

the class PermissionTest method testHasPermissionWithRestrictions.

/**
 * Tests if the restrictions are properly inherited.
 * The restriction enables/disables the ACE where it is defined.
 * Since the 'allow' on /a/b is after the 'deny' on /a/b/c, the allow wins.
 *
 * The test currently fails on evaluation of /a/b/c/d. Probably because the evaluation
 * of /a/b/c yields a deny, which terminates the iteration.
 */
@Test
public void testHasPermissionWithRestrictions() throws Exception {
    // create permissions
    // allow rep:write      /testroot
    // deny  jcr:removeNode /testroot/a  glob=*/c
    // allow jcr:removeNode /testroot/a  glob=*/b
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, false, "*/c", PrivilegeConstants.JCR_REMOVE_NODE);
    addEntry(TEST_A_PATH, true, "*/b", PrivilegeConstants.JCR_REMOVE_NODE);
    ContentSession testSession = createTestSession();
    try {
        Root testRoot = testSession.getLatestRoot();
        PermissionProvider pp = getPermissionProvider(testSession);
        assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.REMOVE_NODE);
        // should be able to remove /a/b/c/d
        testRoot.getTree(TEST_D_PATH).remove();
        testRoot.commit();
        // should not be able to remove /a/b/c: the deny entry with glob=*/c applies
        try {
            testRoot.getTree(TEST_C_PATH).remove();
            testRoot.commit();
            fail("user should not be able to remove c");
        } catch (CommitFailedException e) {
            // ok
        }
    } finally {
        testSession.close();
    }
}
Also used : Root(org.apache.jackrabbit.oak.api.Root) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) ContentSession(org.apache.jackrabbit.oak.api.ContentSession) CommitFailedException(org.apache.jackrabbit.oak.api.CommitFailedException) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 74 with PermissionProvider

use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

the class CustomRestrictionProviderTest method testProtectPropertiesByRestriction.

/**
 * Tests the custom restriction provider that checks on the existence of a property.
 * @throws Exception
 */
@Test
public void testProtectPropertiesByRestriction() throws Exception {
    // allow rep:write            /testroot
    // deny  jcr:modifyProperties /testroot/a  hasProperty=protect-me
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_MODIFY_PROPERTIES);
    ContentSession testSession = createTestSession();
    try {
        Root testRoot = testSession.getLatestRoot();
        PermissionProvider pp = getPermissionProvider(testSession);
        assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.MODIFY_PROPERTY);
        assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.MODIFY_PROPERTY);
        assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.MODIFY_PROPERTY);
        assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.MODIFY_PROPERTY);
        assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.MODIFY_PROPERTY);
    } finally {
        testSession.close();
    }
}
Also used : Root(org.apache.jackrabbit.oak.api.Root) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) ContentSession(org.apache.jackrabbit.oak.api.ContentSession) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 75 with PermissionProvider

use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

the class CustomRestrictionProviderTest method testProtectByRestriction.

/**
 * Tests the custom restriction provider that checks on the existence of a property.
 * @throws Exception
 */
@Test
public void testProtectByRestriction() throws Exception {
    // allow rep:write      /testroot
    // deny  jcr:removeNode /testroot/a  hasProperty=protect-me
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_REMOVE_NODE);
    ContentSession testSession = createTestSession();
    try {
        Root testRoot = testSession.getLatestRoot();
        PermissionProvider pp = getPermissionProvider(testSession);
        assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.REMOVE_NODE);
        // should be able to remove /a/b/c/d
        testRoot.getTree(TEST_D_PATH).remove();
        testRoot.commit();
        try {
            testRoot.getTree(TEST_C_PATH).remove();
            testRoot.commit();
            fail("should not be able to delete " + TEST_C_PATH);
        } catch (CommitFailedException e) {
            // all ok
        }
    } finally {
        testSession.close();
    }
}
Also used : Root(org.apache.jackrabbit.oak.api.Root) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) ContentSession(org.apache.jackrabbit.oak.api.ContentSession) CommitFailedException(org.apache.jackrabbit.oak.api.CommitFailedException) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)
