use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class PermissionTest method testHasPermission.
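/**
 * Verifies that a {@code deny} entry on a descendant node overrides an inherited
 * {@code allow}, both when the permission is evaluated through the
 * {@link PermissionProvider} and when the removal is actually committed.
 *
 * @throws Exception if the access control setup or the session handling fails
 */
@Test
public void testHasPermission() throws Exception {
    // Access control setup:
    //   allow jcr:read, rep:write  on /testroot
    //   allow jcr:removeNode       on /testroot/a/b
    //   deny  jcr:removeNode       on /testroot/a/b/c
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_B_PATH, true, "", PrivilegeConstants.JCR_REMOVE_NODE);
    addEntry(TEST_C_PATH, false, "", PrivilegeConstants.JCR_REMOVE_NODE);

    ContentSession testSession = createTestSession();
    try {
        Root testRoot = testSession.getLatestRoot();
        PermissionProvider pp = getPermissionProvider(testSession);

        // Evaluation side: only the node carrying the deny entry must be refused.
        assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);

        // Enforcement side: the commit itself has to be rejected.
        try {
            testRoot.getTree(TEST_C_PATH).remove();
            testRoot.commit();
            fail("removing node on /a/b/c should fail");
        } catch (CommitFailedException e) {
            // Only an access-control rejection proves that the deny entry is enforced.
            // A commit that failed for an unrelated reason must not let the test pass,
            // so it is rethrown and reported as a test error.
            if (!e.isAccessViolation()) {
                throw e;
            }
        }
    } finally {
        testSession.close();
    }
}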
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class PermissionTest method testHasPermissionWithRestrictions2.
/**
* Tests whether the restrictions are properly inherited.
* A restriction enables or disables the ACE on which it is defined.
* Since the 'deny' on /a/b comes after the 'allow' on a/b/c, the deny wins.
*/
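@Test
public void testHasPermissionWithRestrictions2() throws Exception {
    // Access control setup (both restricted entries are defined on /testroot/a):
    //   allow jcr:read, rep:write  on /testroot
    //   allow jcr:removeNode       on /testroot/a, glob=*/b
    //   deny  jcr:removeNode       on /testroot/a, glob=*/c
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, true, "*/b", PrivilegeConstants.JCR_REMOVE_NODE);
    addEntry(TEST_A_PATH, false, "*/c", PrivilegeConstants.JCR_REMOVE_NODE);

    ContentSession testSession = createTestSession();
    try {
        Root testRoot = testSession.getLatestRoot();
        PermissionProvider pp = getPermissionProvider(testSession);

        // Evaluation side: only TEST_C_PATH is expected to be refused.
        assertIsGranted(pp, testRoot, true, TEST_A_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_B_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, false, TEST_C_PATH, Permissions.REMOVE_NODE);
        assertIsGranted(pp, testRoot, true, TEST_D_PATH, Permissions.REMOVE_NODE);

        // Removal of TEST_D_PATH is granted, so this commit is expected to go through.
        testRoot.getTree(TEST_D_PATH).remove();
        testRoot.commit();

        try {
            // should not be able to remove /a/b/c
            testRoot.getTree(TEST_C_PATH).remove();
            testRoot.commit();
            fail("should not be able to delete " + TEST_C_PATH);
        } catch (CommitFailedException e) {
            // Drop the rejected transient removal from the root.
            testRoot.refresh();
            // Only an access-control rejection proves that the deny entry is enforced.
            // Any other commit failure is rethrown so it surfaces as a test error
            // instead of being counted as a pass.
            if (!e.isAccessViolation()) {
                throw e;
            }
        }
    } finally {
        testSession.close();
    }
}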
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class PermissionTest method testProtectPropertiesByRestriction.
/**
* Tests the custom restriction provider that checks on the existence of a property.
* @throws Exception
*/
@Test
public void testProtectPropertiesByRestriction() throws Exception {
    // Access control setup:
    //   allow jcr:read, rep:write   on /testroot
    //   deny  jcr:modifyProperties  on /testroot/a, glob = */c
    addEntry(TEST_ROOT_PATH, true, "", PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
    addEntry(TEST_A_PATH, false, "*/c", PrivilegeConstants.JCR_MODIFY_PROPERTIES);

    final ContentSession session = createTestSession();
    try {
        final Root sessionRoot = session.getLatestRoot();
        final PermissionProvider provider = getPermissionProvider(session);

        // Each path is paired with its expected outcome; only TEST_C_PATH is
        // expected to be refused MODIFY_PROPERTY.
        final String[] checkedPaths = {TEST_A_PATH, TEST_B_PATH, TEST_C_PATH, TEST_D_PATH, TEST_E_PATH};
        final boolean[] expectedGrant = {true, true, false, true, true};

        for (int i = 0; i < checkedPaths.length; i++) {
            assertIsGranted(provider, sessionRoot, expectedGrant[i], checkedPaths[i], Permissions.MODIFY_PROPERTY);
        }
    } finally {
        // Always release the test session, even when an assertion fails.
        session.close();
    }
}
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class CugEvaluationTest method testIsGrantedEveryone.
/**
 * Checks that a permission provider built for the everyone principal grants neither
 * {@code READ} nor {@code READ_ACCESS_CONTROL} on any of the four trees under test.
 */
@Test
public void testIsGrantedEveryone() throws Exception {
    // Provider evaluated for the everyone principal only.
    PermissionProvider everyoneProvider = createPermissionProvider(EveryonePrincipal.getInstance());

    // The property argument is null, so each check targets the tree itself.
    final long[] refusedPermissions = {Permissions.READ, Permissions.READ_ACCESS_CONTROL};
    for (long permission : refusedPermissions) {
        assertFalse(everyoneProvider.isGranted(content, null, permission));
        assertFalse(everyoneProvider.isGranted(content2, null, permission));
        assertFalse(everyoneProvider.isGranted(a, null, permission));
        assertFalse(everyoneProvider.isGranted(c, null, permission));
    }
}
use of org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider in project jackrabbit-oak by apache.
the class CugPermissionProviderTest method testGetPrivilegesAtCug2.
/**
* @see PermissionProvider#getPrivileges(org.apache.jackrabbit.oak.api.Tree)
*/
@Test
public void testGetPrivilegesAtCug2() {
    // CUG provider limited to SUPPORTED_PATH and evaluated for the test group principal.
    PermissionProvider cugProvider = createCugPermissionProvider(ImmutableSet.of(SUPPORTED_PATH), testGroupPrincipal);

    // Read-only privilege set expected on the first two trees.
    Set<String> readPrivileges = ImmutableSet.of(
            PrivilegeConstants.JCR_READ,
            PrivilegeConstants.REP_READ_NODES,
            PrivilegeConstants.REP_READ_PROPERTIES);

    for (String grantedPath : new String[] {"/content/a", "/content/aa/bb"}) {
        assertEquals(readPrivileges, cugProvider.getPrivileges(root.getTree(grantedPath)));
    }

    // No privileges at all are expected on /content/a/b/c.
    // NOTE(review): presumably a nested CUG excludes the test group there; confirm against the fixture.
    assertTrue(cugProvider.getPrivileges(root.getTree("/content/a/b/c")).isEmpty());
}