Search in sources :

Example 11 with PermissionProvider

use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

the class PermissionTest method testHasPermission.

@Test
public void testHasPermission() throws Exception {
    // create permissions
    // allow rep:write      /testroot
    // allow jcr:removeNode /testroot/a/b
    // deny  jcr:removeNode /testroot/a/b/c
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_B_PATH, true, "", PrivilegeConstants.JCR_REMOVE_NODE);
    addEntry(TEST_C_PATH, false, "", PrivilegeConstants.JCR_REMOVE_NODE);
    ContentSession testSession = createTestSession();
    try {
        Root testRoot = testSession.getLatestRoot();
        PermissionProvider pp = getPermissionProvider(testSession);
        assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
        try {
            testRoot.getTree(TEST_C_PATH).remove();
            testRoot.commit();
            fail("removing node on /a/b/c should fail");
        } catch (CommitFailedException e) {
        // all ok
        }
    } finally {
        testSession.close();
    }
}
Also used : Root(org.apache.jackrabbit.oak.api.Root) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) ContentSession(org.apache.jackrabbit.oak.api.ContentSession) CommitFailedException(org.apache.jackrabbit.oak.api.CommitFailedException) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 12 with PermissionProvider

use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

the class PermissionTest method testHasPermissionWithRestrictions2.

/**
     * Tests if the restrictions are properly inherited.
     * the restriction enable/disable the ACE where it is defined.
     * since the 'deny' on /a/b is after the 'allow' on a/b/c, the deny wins.
     */
@Test
public void testHasPermissionWithRestrictions2() throws Exception {
    // create permissions
    // allow rep:write      /testroot
    // allow jcr:removeNode /testroot/a  glob=*/b
    // deny  jcr:removeNode /testroot/a  glob=*/c
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, true, "*/b", PrivilegeConstants.JCR_REMOVE_NODE);
    addEntry(TEST_A_PATH, false, "*/c", PrivilegeConstants.JCR_REMOVE_NODE);
    ContentSession testSession = createTestSession();
    try {
        Root testRoot = testSession.getLatestRoot();
        PermissionProvider pp = getPermissionProvider(testSession);
        assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);
        testRoot.getTree(TEST_D_PATH).remove();
        testRoot.commit();
        try {
            // should not be able to remove /a/b/c
            testRoot.getTree(TEST_C_PATH).remove();
            testRoot.commit();
            fail("should not be able to delete " + TEST_C_PATH);
        } catch (CommitFailedException e) {
            // ok
            testRoot.refresh();
        }
    } finally {
        testSession.close();
    }
}
Also used : Root(org.apache.jackrabbit.oak.api.Root) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) ContentSession(org.apache.jackrabbit.oak.api.ContentSession) CommitFailedException(org.apache.jackrabbit.oak.api.CommitFailedException) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 13 with PermissionProvider

use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

the class PermissionTest method testProtectPropertiesByRestriction.

/**
     * Tests the custom restriction provider that checks on the existence of a property.
     * @throws Exception
     */
@Test
public void testProtectPropertiesByRestriction() throws Exception {
    // create permissions
    // allow rep:write          /testroot
    // deny  jcr:modifyProperties /testroot/a  glob = */c
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, false, "*/c", PrivilegeConstants.JCR_MODIFY_PROPERTIES);
    ContentSession testSession = createTestSession();
    try {
        Root testRoot = testSession.getLatestRoot();
        PermissionProvider pp = getPermissionProvider(testSession);
        assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.MODIFY_PROPERTY);
        assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.MODIFY_PROPERTY);
        assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.MODIFY_PROPERTY);
        assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.MODIFY_PROPERTY);
        assertIsGranted(pp, testRoot, true, TEST_E_PATH, Permissions.MODIFY_PROPERTY);
    } finally {
        testSession.close();
    }
}
Also used : Root(org.apache.jackrabbit.oak.api.Root) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) ContentSession(org.apache.jackrabbit.oak.api.ContentSession) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 14 with PermissionProvider

use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

the class CugEvaluationTest method testIsGrantedEveryone.

@Test
public void testIsGrantedEveryone() throws Exception {
    // everyone
    PermissionProvider pp = createPermissionProvider(EveryonePrincipal.getInstance());
    assertFalse(pp.isGranted(content, null, Permissions.READ));
    assertFalse(pp.isGranted(content2, null, Permissions.READ));
    assertFalse(pp.isGranted(a, null, Permissions.READ));
    assertFalse(pp.isGranted(c, null, Permissions.READ));
    assertFalse(pp.isGranted(content, null, Permissions.READ_ACCESS_CONTROL));
    assertFalse(pp.isGranted(content2, null, Permissions.READ_ACCESS_CONTROL));
    assertFalse(pp.isGranted(a, null, Permissions.READ_ACCESS_CONTROL));
    assertFalse(pp.isGranted(c, null, Permissions.READ_ACCESS_CONTROL));
}
Also used : PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) Test(org.junit.Test)

Example 15 with PermissionProvider

use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.

the class CugPermissionProviderTest method testGetPrivilegesAtCug2.

/**
     * @see PermissionProvider#getPrivileges(org.apache.jackrabbit.oak.api.Tree)
     */
@Test
public void testGetPrivilegesAtCug2() {
    PermissionProvider pp = createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH), testGroupPrincipal);
    Set<String> expected = ImmutableSet.of(PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_READ_NODES, PrivilegeConstants.REP_READ_PROPERTIES);
    assertEquals(expected, pp.getPrivileges(root.getTree("/content/a")));
    assertEquals(expected, pp.getPrivileges(root.getTree("/content/aa/bb")));
    assertTrue(pp.getPrivileges(root.getTree("/content/a/b/c")).isEmpty());
}
Also used : PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) Test(org.junit.Test)

Aggregations

PermissionProvider (org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider)70 Test (org.junit.Test)65 AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest)44 Tree (org.apache.jackrabbit.oak.api.Tree)21 AggregatedPermissionProvider (org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider)18 ContentSession (org.apache.jackrabbit.oak.api.ContentSession)15 Root (org.apache.jackrabbit.oak.api.Root)12 EmptyPermissionProvider (org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider)11 TreePermission (org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission)11 ImmutableTree (org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree)8 PropertyState (org.apache.jackrabbit.oak.api.PropertyState)6 AccessControlManager (javax.jcr.security.AccessControlManager)4 CommitFailedException (org.apache.jackrabbit.oak.api.CommitFailedException)4 AuthorizationConfiguration (org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration)4 Principal (java.security.Principal)3 Nonnull (javax.annotation.Nonnull)3 AuthorizationConfigurationImpl (org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl)3 ConfigurationParameters (org.apache.jackrabbit.oak.spi.security.ConfigurationParameters)3 OpenAuthorizationConfiguration (org.apache.jackrabbit.oak.spi.security.authorization.OpenAuthorizationConfiguration)3 AccessControlList (javax.jcr.security.AccessControlList)2