Example 1 with AdminPrincipal

use of org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal in project jackrabbit-oak by apache.

the class AdminPrincipalsBaseTest method testAdminPrincipal.

/**
 * Test if the ACL code properly deals with the creation of ACEs for administrative
 * principals, which have full access anyway.
 *
 * @since Oak 1.1.1
 * @see <a href="https://issues.apache.org/jira/browse/OAK-2158">OAK-2158</a>
 */
@Test
public void testAdminPrincipal() throws Exception {
    try {
        boolean success = acl.addAccessControlEntry(new AdminPrincipal() {

            @Override
            public String getName() {
                return "admin";
            }
        }, privilegesFromNames(PrivilegeConstants.JCR_READ));
        assertResult(success);
    } catch (AccessControlException e) {
        assertException();
    }
}
Also used : AdminPrincipal(org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal) AccessControlException(javax.jcr.security.AccessControlException) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 2 with AdminPrincipal

use of org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal in project jackrabbit-oak by apache.

the class CugConfigurationTest method testExcludedPrincipals.

@Test
public void testExcludedPrincipals() {
    ConfigurationParameters params = ConfigurationParameters.of(CugConstants.PARAM_CUG_ENABLED, true, CugConstants.PARAM_CUG_SUPPORTED_PATHS, "/content");
    CugConfiguration cc = createConfiguration(params);
    List<Principal> excluded = ImmutableList.of(SystemPrincipal.INSTANCE, new AdminPrincipal() {

        @Override
        public String getName() {
            return "admin";
        }
    }, new SystemUserPrincipal() {

        @Override
        public String getName() {
            return "systemUser";
        }
    });
    for (Principal p : excluded) {
        Set<Principal> principals = ImmutableSet.of(p, EveryonePrincipal.getInstance());
        PermissionProvider pp = cc.getPermissionProvider(root, "default", principals);
        assertSame(EmptyPermissionProvider.getInstance(), pp);
    }
}
Also used : AdminPrincipal(org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal) SystemUserPrincipal(org.apache.jackrabbit.oak.spi.security.principal.SystemUserPrincipal) EmptyPermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider) PermissionProvider(org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider) ConfigurationParameters(org.apache.jackrabbit.oak.spi.security.ConfigurationParameters) EveryonePrincipal(org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal) SystemPrincipal(org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal) Principal(java.security.Principal) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 3 with AdminPrincipal

use of org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal in project jackrabbit-oak by apache.

the class ImpersonationTest method testAdminAsImpersonator.

@Test
public void testAdminAsImpersonator() throws RepositoryException, NotExecutableException {
    String adminId = superuser.getUserID();
    Authorizable admin = userMgr.getAuthorizable(adminId);
    if (admin == null || admin.isGroup() || !((User) admin).isAdmin()) {
        throw new NotExecutableException(adminId + " is not the administrator's ID");
    }
    Principal adminPrincipal = admin.getPrincipal();
    // admin cannot be added to or removed from the set of impersonators of 'u',
    // but is always allowed to impersonate that user.
    Impersonation impersonation = user.getImpersonation();
    assertFalse(impersonation.grantImpersonation(adminPrincipal));
    assertFalse(impersonation.revokeImpersonation(adminPrincipal));
    assertTrue(impersonation.allows(buildSubject(adminPrincipal)));
    // same if the impersonation object of the admin itself is used.
    Impersonation adminImpersonation = ((User) admin).getImpersonation();
    assertFalse(adminImpersonation.grantImpersonation(adminPrincipal));
    assertFalse(adminImpersonation.revokeImpersonation(adminPrincipal));
    assertTrue(adminImpersonation.allows(buildSubject(adminPrincipal)));
}
Also used : Impersonation(org.apache.jackrabbit.api.security.user.Impersonation) User(org.apache.jackrabbit.api.security.user.User) NotExecutableException(org.apache.jackrabbit.test.NotExecutableException) Authorizable(org.apache.jackrabbit.api.security.user.Authorizable) Principal(java.security.Principal) AdminPrincipal(org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal) Test(org.junit.Test)

Example 4 with AdminPrincipal

use of org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal in project jackrabbit-oak by apache.

the class UserInitializerTest method testAdminUser.

@Test
public void testAdminUser() throws Exception {
    Authorizable a = userMgr.getAuthorizable(UserUtil.getAdminId(config));
    assertFalse(a.isGroup());
    User admin = (User) a;
    assertTrue(admin.isAdmin());
    assertTrue(admin.getPrincipal() instanceof AdminPrincipal);
    assertTrue(admin.getPrincipal() instanceof TreeBasedPrincipal);
    assertEquals(admin.getID(), admin.getPrincipal().getName());
}
Also used : AdminPrincipal(org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal) User(org.apache.jackrabbit.api.security.user.User) Authorizable(org.apache.jackrabbit.api.security.user.Authorizable) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)

Example 5 with AdminPrincipal

use of org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal in project sling by apache.

the class OakSlingRepository method createAdministrativeSession.

@Override
protected Session createAdministrativeSession(String workspace) throws RepositoryException {
    // TODO: use principal provider to retrieve admin principal
    Set<? extends Principal> principals = singleton(new AdminPrincipal() {

        @Override
        public String getName() {
            return OakSlingRepository.this.adminId;
        }
    });
    AuthInfo authInfo = new AuthInfoImpl(this.adminId, Collections.<String, Object>emptyMap(), principals);
    Subject subject = new Subject(true, principals, singleton(authInfo), Collections.<Object>emptySet());
    Session adminSession;
    try {
        adminSession = Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Session>() {

            @Override
            public Session run() throws Exception {
                Map<String, Object> attrs = new HashMap<String, Object>();
                attrs.put("oak.refresh-interval", 0);
                // TODO OAK-803: Backwards compatibility of long-lived sessions
                JackrabbitRepository repo = (JackrabbitRepository) getRepository();
                return repo.login(null, null, attrs);
            }
        }, null);
    } catch (PrivilegedActionException e) {
        throw new RepositoryException("failed to retrieve admin session.", e);
    }
    return adminSession;
}
Also used : AuthInfo(org.apache.jackrabbit.oak.api.AuthInfo) HashMap(java.util.HashMap) PrivilegedActionException(java.security.PrivilegedActionException) RepositoryException(javax.jcr.RepositoryException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) Subject(javax.security.auth.Subject) AdminPrincipal(org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal) AuthInfoImpl(org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl) JackrabbitRepository(org.apache.jackrabbit.api.JackrabbitRepository) Session(javax.jcr.Session)

Aggregations

AdminPrincipal (org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal) 12
Test (org.junit.Test) 9
Principal (java.security.Principal) 7
AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest) 7
Authorizable (org.apache.jackrabbit.api.security.user.Authorizable) 4
Subject (javax.security.auth.Subject) 3
User (org.apache.jackrabbit.api.security.user.User) 3
SystemPrincipal (org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal) 3
SystemUserPrincipal (org.apache.jackrabbit.oak.spi.security.principal.SystemUserPrincipal) 3
PrivilegedActionException (java.security.PrivilegedActionException) 2
PrivilegedExceptionAction (java.security.PrivilegedExceptionAction) 2
RepositoryException (javax.jcr.RepositoryException) 2
Session (javax.jcr.Session) 2
AccessControlException (javax.jcr.security.AccessControlException) 2
Impersonation (org.apache.jackrabbit.api.security.user.Impersonation) 2
AuthInfo (org.apache.jackrabbit.oak.api.AuthInfo) 2
AuthInfoImpl (org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl) 2
EveryonePrincipal (org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal) 2
HashMap (java.util.HashMap) 1
JackrabbitRepository (org.apache.jackrabbit.api.JackrabbitRepository) 1