use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class PermissionHookTest method testDynamicJcrAll.
/**
 * Verifies that an allow entry for {@code jcr:all} is persisted with the placeholder
 * {@code PermissionStore.DYNAMIC_ALL_BITS} instead of a fixed bit set, that the
 * permission provider still reports {@code jcr:all} for the tree, and that removing the
 * access control entry also removes the persisted permission entry.
 *
 * @throws Exception propagated from the access control, commit or permission calls
 * @see <a href="https://issues.apache.org/jira/browse/OAK-2015">OAK-2015</a>
 */
@Test
public void testDynamicJcrAll() throws Exception {
    AccessControlManager accessControlManager = getAccessControlManager(root);

    // Step 1: give the 'everyone' principal jcr:all on the child path and persist it.
    JackrabbitAccessControlList grantingAcl =
            AccessControlUtils.getAccessControlList(accessControlManager, childPath);
    grantingAcl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(JCR_ALL));
    accessControlManager.setPolicy(childPath, grantingAcl);
    root.commit();

    // Step 2: the permission store must hold entry 0 for 'everyone' at childPath, and its
    // single privilege-bits value must be the dynamic placeholder rather than a snapshot.
    Tree storedEntry = getEntry(EveryonePrincipal.getInstance(), childPath, 0);
    assertTrue(storedEntry.exists());
    PropertyState privilegeBits = storedEntry.getProperty(PermissionConstants.REP_PRIVILEGE_BITS);
    assertEquals(1, privilegeBits.count());
    long persistedBits = privilegeBits.getValue(Type.LONG, 0).longValue();
    assertEquals(PermissionStore.DYNAMIC_ALL_BITS, persistedBits);

    // Step 3: despite the placeholder in the store, the provider must resolve the entry
    // to jcr:all when evaluating for the 'everyone' principal.
    Set<Principal> principalSet = ImmutableSet.<Principal>of(EveryonePrincipal.getInstance());
    AuthorizationConfiguration authorizationConfig = getConfig(AuthorizationConfiguration.class);
    PermissionProvider permissionProvider = authorizationConfig.getPermissionProvider(
            root, root.getContentSession().getWorkspaceName(), principalSet);
    Tree childTree = root.getTree(childPath);
    assertTrue(permissionProvider.hasPrivileges(childTree, PrivilegeConstants.JCR_ALL));
    assertTrue(permissionProvider.getPrivileges(childTree).contains(PrivilegeConstants.JCR_ALL));

    // Step 4: permission evaluation. Everything except adding/removing the node itself is
    // granted on childTree.
    // NOTE(review): presumably ADD_NODE/REMOVE_NODE are decided by the parent, where no
    // entry was created -- confirm against the permission evaluation rules.
    long allExceptAddAndRemoveNode =
            Permissions.diff(Permissions.ALL, Permissions.REMOVE_NODE | Permissions.ADD_NODE);
    assertFalse(permissionProvider.isGranted(childTree, null, Permissions.REMOVE_NODE));
    assertFalse(permissionProvider.isGranted(childTree, null, Permissions.ADD_NODE));
    assertTrue(permissionProvider.isGranted(childTree, null, allExceptAddAndRemoveNode));

    // Step 5: revoke again by dropping every entry whose principal name is 'everyone'.
    JackrabbitAccessControlList revokingAcl =
            AccessControlUtils.getAccessControlList(accessControlManager, childPath);
    for (AccessControlEntry candidate : revokingAcl.getAccessControlEntries()) {
        if (!EveryonePrincipal.NAME.equals(candidate.getPrincipal().getName())) {
            continue;
        }
        revokingAcl.removeAccessControlEntry(candidate);
    }
    accessControlManager.setPolicy(childPath, revokingAcl);
    root.commit();

    // Step 6: no stale grant may survive in the store. The parent node of the entry may
    // or may not remain; if it does, it must no longer contain entry "0".
    Tree everyoneStoreRoot = getPrincipalRoot(EveryonePrincipal.getInstance());
    Tree entryParent = everyoneStoreRoot.getChild(PermissionUtil.getEntryName(childPath));
    if (entryParent.exists()) {
        assertFalse(entryParent.getChild("0").exists());
    }
}
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class PermissionProviderImplTest method testAdministatorConfig.
/**
 * Verifies that a user added to the {@code adminstrators} group is handed
 * {@code TreePermission.ALL} for the root tree and for every path in {@code READ_PATHS}.
 *
 * @throws Exception propagated from the user management, commit or session calls
 */
@Test
public void testAdministatorConfig() throws Exception {
    // NOTE(review): 'adminstrators' is presumably the group configured as administrative
    // principal in the test setup -- confirm against the fixture.
    adminstrators.addMember(getTestUser());
    root.commit();

    ContentSession memberSession = createTestSession();
    try {
        Root latestRoot = memberSession.getLatestRoot();
        Root readOnlyRoot = getRootProvider().createReadOnlyRoot(latestRoot);
        PermissionProvider permissionProvider = createPermissionProvider(memberSession);

        assertTrue(latestRoot.getTree("/").exists());

        // assertSame: the provider must return the shared ALL instance itself, not merely
        // a permission object that happens to grant everything.
        Tree readOnlyRootTree = readOnlyRoot.getTree("/");
        TreePermission rootPermission =
                permissionProvider.getTreePermission(readOnlyRootTree, TreePermission.EMPTY);
        assertSame(TreePermission.ALL, rootPermission);

        for (String readPath : READ_PATHS) {
            Tree readPathTree = latestRoot.getTree(readPath);
            assertTrue(readPathTree.exists());
            TreePermission readPathPermission =
                    permissionProvider.getTreePermission(readPathTree, TreePermission.EMPTY);
            assertSame(TreePermission.ALL, readPathPermission);
        }
    } finally {
        // Always release the test session, also when an assertion above failed.
        memberSession.close();
    }
}
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class PermissionTest method testHasPermissionWithRestrictions.
/**
 * Tests that glob restrictions switch an entry on or off for the items below the node
 * where the entry is defined. Three entries are created: an unrestricted allow of
 * {@code jcr:read} and {@code rep:write} at the test root, a deny of
 * {@code jcr:removeNode} at {@code a} restricted to {@code *}{@code /c}, and an allow of
 * {@code jcr:removeNode} at {@code a} restricted to {@code *}{@code /b}. The allow entry
 * is added after the deny entry.
 *
 * <p>Expected outcome: removal is granted for a, b, d and e and denied for c only, and
 * committing the removal of c fails.
 *
 * <p>NOTE(review): an earlier note on this test said that it failed when evaluating
 * /a/b/c/d, probably because the deny obtained for /a/b/c ended the iteration. Whether
 * that still holds cannot be told from this method -- confirm before relying on it.
 *
 * @throws Exception propagated from the setup helpers, the commit or the session calls
 */
@Test
public void testHasPermissionWithRestrictions() throws Exception {
    // Access control setup (third argument is the glob restriction; "" presumably means
    // "no restriction" -- confirm against addEntry):
    //   allow jcr:read, rep:write   at /testroot
    //   deny  jcr:removeNode        at /testroot/a   glob=*/c
    //   allow jcr:removeNode        at /testroot/a   glob=*/b
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, false, "*/c", PrivilegeConstants.JCR_REMOVE_NODE);
    addEntry(TEST_A_PATH, true, "*/b", PrivilegeConstants.JCR_REMOVE_NODE);

    ContentSession restrictedSession = createTestSession();
    try {
        Root sessionRoot = restrictedSession.getLatestRoot();
        PermissionProvider permissionProvider = getPermissionProvider(restrictedSession);

        // Only the node matched by the deny glob loses REMOVE_NODE; its child d is not
        // matched by either glob and must stay removable.
        final long removeNode = Permissions.REMOVE_NODE;
        assertIsGranted(permissionProvider, sessionRoot, true, TEST_A_PATH, removeNode);
        assertIsGranted(permissionProvider, sessionRoot, true, TEST_B_PATH, removeNode);
        assertIsGranted(permissionProvider, sessionRoot, false, TEST_C_PATH, removeNode);
        assertIsGranted(permissionProvider, sessionRoot, true, TEST_D_PATH, removeNode);
        assertIsGranted(permissionProvider, sessionRoot, true, TEST_E_PATH, removeNode);

        // The evaluation result must match what a real commit enforces:
        // removing /a/b/c/d succeeds ...
        Tree nodeD = sessionRoot.getTree(TEST_D_PATH);
        nodeD.remove();
        sessionRoot.commit();

        // ... whereas removing /a/b/c must be rejected when the change is committed.
        try {
            Tree nodeC = sessionRoot.getTree(TEST_C_PATH);
            nodeC.remove();
            sessionRoot.commit();
            fail("user should not be able to remove c");
        } catch (CommitFailedException expected) {
            // expected: the deny entry blocks the removal
        }
    } finally {
        // Always release the test session, also when an assertion above failed.
        restrictedSession.close();
    }
}
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class CustomRestrictionProviderTest method testProtectPropertiesByRestriction.
/**
 * Tests the custom restriction provider whose restriction depends on the existence of a
 * property: a deny of {@code jcr:modifyProperties} defined at {@code a} with the
 * {@code PROP_NAME_PROTECT_ME} restriction must take {@code MODIFY_PROPERTY} away from
 * node c only, while a, b, d and e keep it through the allow at the test root.
 *
 * @throws Exception propagated from the setup helpers or the session calls
 */
@Test
public void testProtectPropertiesByRestriction() throws Exception {
    // Access control setup:
    //   allow jcr:read, rep:write     at /testroot
    //   deny  jcr:modifyProperties    at /testroot/a   hasProperty=protect-me
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_MODIFY_PROPERTIES);

    ContentSession restrictedSession = createTestSession();
    try {
        Root sessionRoot = restrictedSession.getLatestRoot();
        PermissionProvider permissionProvider = getPermissionProvider(restrictedSession);

        // NOTE(review): presumably only node c carries the marker property in the test
        // content, which is why it is the single denied path -- confirm against the fixture.
        final long modifyProperty = Permissions.MODIFY_PROPERTY;
        assertIsGranted(permissionProvider, sessionRoot, true, TEST_A_PATH, modifyProperty);
        assertIsGranted(permissionProvider, sessionRoot, true, TEST_B_PATH, modifyProperty);
        assertIsGranted(permissionProvider, sessionRoot, false, TEST_C_PATH, modifyProperty);
        assertIsGranted(permissionProvider, sessionRoot, true, TEST_D_PATH, modifyProperty);
        assertIsGranted(permissionProvider, sessionRoot, true, TEST_E_PATH, modifyProperty);
    } finally {
        // Always release the test session, also when an assertion above failed.
        restrictedSession.close();
    }
}
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class CustomRestrictionProviderTest method testProtectByRestriction.
/**
 * Tests the custom restriction provider whose restriction depends on the existence of a
 * property, this time for node removal: a deny of {@code jcr:removeNode} defined at
 * {@code a} with the {@code PROP_NAME_PROTECT_ME} restriction must take
 * {@code REMOVE_NODE} away from node c only, and the commit that removes c must fail.
 *
 * @throws Exception propagated from the setup helpers, the commit or the session calls
 */
@Test
public void testProtectByRestriction() throws Exception {
    // Access control setup:
    //   allow jcr:read, rep:write   at /testroot
    //   deny  jcr:removeNode        at /testroot/a   hasProperty=protect-me
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, PrivilegeConstants.JCR_REMOVE_NODE);

    ContentSession restrictedSession = createTestSession();
    try {
        Root sessionRoot = restrictedSession.getLatestRoot();
        PermissionProvider permissionProvider = getPermissionProvider(restrictedSession);

        // NOTE(review): presumably only node c carries the marker property in the test
        // content, which is why it is the single denied path -- confirm against the fixture.
        final long removeNode = Permissions.REMOVE_NODE;
        assertIsGranted(permissionProvider, sessionRoot, true, TEST_A_PATH, removeNode);
        assertIsGranted(permissionProvider, sessionRoot, true, TEST_B_PATH, removeNode);
        assertIsGranted(permissionProvider, sessionRoot, false, TEST_C_PATH, removeNode);
        assertIsGranted(permissionProvider, sessionRoot, true, TEST_D_PATH, removeNode);
        assertIsGranted(permissionProvider, sessionRoot, true, TEST_E_PATH, removeNode);

        // The evaluation result must match what a real commit enforces:
        // removing /a/b/c/d succeeds ...
        Tree nodeD = sessionRoot.getTree(TEST_D_PATH);
        nodeD.remove();
        sessionRoot.commit();

        // ... whereas removing the protected node c must be rejected on commit.
        try {
            Tree nodeC = sessionRoot.getTree(TEST_C_PATH);
            nodeC.remove();
            sessionRoot.commit();
            fail("should not be able to delete " + TEST_C_PATH);
        } catch (CommitFailedException expected) {
            // expected: the deny entry blocks the removal
        }
    } finally {
        // Always release the test session, also when an assertion above failed.
        restrictedSession.close();
    }
}