use of org.exist.xmldb.EXistXPathQueryService in project exist by eXist-db.
the class XMLDBSecurityTest method nonSetGidXQueryCannotWriteRestrictedCollection.
@Test(expected = XMLDBException.class)
public void nonSetGidXQueryCannotWriteRestrictedCollection() throws XMLDBException {
final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest2", "test1", "test1");
final long timestamp = System.currentTimeMillis();
final String content = "<not_setgid>" + timestamp + "</not_setgid>";
// create an XQuery /db/securityTest1/not_setgid.xquery
final String xquery = "xmldb:store('/db/securityTest2/forSetGidWrite', 'not_setgid.xml', " + content + ")";
Resource xqueryResource = test.createResource("not_setgid.xquery", "BinaryResource");
xqueryResource.setContent(xquery);
test.storeResource(xqueryResource);
// set the xquery to be owned by 'test1':'users' and set it 'setgid', and set it 'rx' by ohers, so 'test3' can execute it!
UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
xqueryResource = test.getResource("not_setgid.xquery");
// NOT setgid
ums.chmod(xqueryResource, 00705);
// create a collection for the XQuery to write into
final CollectionManagementService cms = (CollectionManagementService) test.getService("CollectionManagementService", "1.0");
final Collection colForSetUid = cms.createCollection("forSetGidWrite");
// only allow the group 'users' to write into the collection
ums = (UserManagementService) colForSetUid.getService("UserManagementService", "1.0");
ums.chmod(0070);
// execute the XQuery as the 'test3' user... it should become 'setgid' of 'users' and succeed.
final Collection test3 = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest2", "test3", "test3");
final EXistXPathQueryService queryService = (EXistXPathQueryService) test3.getService("XPathQueryService", "1.0");
final ResourceSet result = queryService.executeStoredQuery("/db/securityTest2/not_setgid.xquery");
assertFalse("/db/securityTest2/forSetGidWrite/not_setgid.xml".equals(result.getResource(0).getContent()));
}
use of org.exist.xmldb.EXistXPathQueryService in project exist by eXist-db.
the class XMLDBSecurityTest method canExecuteXQueryWithOnlyExecutePermissionOnParentCollection.
@Test
public void canExecuteXQueryWithOnlyExecutePermissionOnParentCollection() throws XMLDBException {
Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
final UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
final String xquery = "<xquery>{ 1 + 1 }</xquery>";
Resource xqueryResource = test.createResource("test.xquery", BinaryResource.RESOURCE_TYPE);
xqueryResource.setContent(xquery);
test.storeResource(xqueryResource);
ums.chmod("--x------");
// set execute bit on xquery (its off by default!)
ums.chmod(xqueryResource, "rwx------");
test.close();
test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
xqueryResource = test.getResource("test.xquery");
assertEquals(xquery, new String((byte[]) xqueryResource.getContent()));
// execute the stored XQuery
final EXistXPathQueryService queryService = (EXistXPathQueryService) test.getService("XPathQueryService", "1.0");
final ResourceSet result = queryService.executeStoredQuery("/db/securityTest1/test.xquery");
assertEquals("<xquery>2</xquery>", result.getResource(0).getContent());
}
use of org.exist.xmldb.EXistXPathQueryService in project exist by eXist-db.
the class XMLDBSecurityTest method nonSetUidXQueryCannotWriteRestrictedCollection.
@Test(expected = XMLDBException.class)
public void nonSetUidXQueryCannotWriteRestrictedCollection() throws XMLDBException {
final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
final long timestamp = System.currentTimeMillis();
final String content = "<not_setuid>" + timestamp + "</not_setuid>";
// create an XQuery /db/securityTest1/not_setuid.xquery
final String xquery = "xmldb:store('/db/securityTest1/forSetUidWrite', 'not_setuid.xml', " + content + ")";
Resource xqueryResource = test.createResource("not_setuid.xquery", "BinaryResource");
xqueryResource.setContent(xquery);
test.storeResource(xqueryResource);
// set the xquery to be owned by 'test1' and do NOT set it 'setuid', and do set it 'rx' by 'users' group so 'test2' can execute it!
UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
xqueryResource = test.getResource("not_setuid.xquery");
// NOT SETUID
ums.chmod(xqueryResource, 00750);
// create a collection for the XQuery to write into
final CollectionManagementService cms = (CollectionManagementService) test.getService("CollectionManagementService", "1.0");
final Collection colForSetUid = cms.createCollection("forSetUidWrite");
// only allow the user 'test1' to write into the collection
ums = (UserManagementService) colForSetUid.getService("UserManagementService", "1.0");
ums.chmod(0700);
// execute the XQuery as the 'test2' user... it should become 'setuid' of 'test1' and succeed.
final Collection test2 = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test2", "test2");
final EXistXPathQueryService queryService = (EXistXPathQueryService) test2.getService("XPathQueryService", "1.0");
final ResourceSet result = queryService.executeStoredQuery("/db/securityTest1/not_setuid.xquery");
assertFalse("/db/securityTest1/forSetUidWrite/not_setuid.xml".equals(result.getResource(0).getContent()));
}
use of org.exist.xmldb.EXistXPathQueryService in project exist by eXist-db.
the class ProtectedModeTest method queryCollection.
@Test
public void queryCollection() throws XMLDBException {
final Collection root = DatabaseManager.getCollection("xmldb:exist:///db/protected", "admin", "");
final EXistXPathQueryService service = (EXistXPathQueryService) root.getService("XQueryService", "1.0");
try {
service.beginProtected();
final ResourceSet result = service.query("collection('/db/protected/test5')//book");
assertEquals(DOCUMENT_COUNT, result.getSize());
} finally {
service.endProtected();
}
}
use of org.exist.xmldb.EXistXPathQueryService in project exist by eXist-db.
the class ProtectedModeTest method queryRoot.
@Test
public void queryRoot() throws XMLDBException {
final Collection root = DatabaseManager.getCollection("xmldb:exist:///db/protected", "admin", "");
final EXistXPathQueryService service = (EXistXPathQueryService) root.getService("XQueryService", "1.0");
try {
service.beginProtected();
final ResourceSet result = service.query("//book");
assertEquals(COLLECTION_COUNT * DOCUMENT_COUNT, result.getSize());
} finally {
service.endProtected();
}
}
Aggregations