Example 1 with EXistXPathQueryService

use of org.exist.xmldb.EXistXPathQueryService in project exist by eXist-db.

the class XMLDBSecurityTest method nonSetGidXQueryCannotWriteRestrictedCollection.

@Test(expected = XMLDBException.class)
public void nonSetGidXQueryCannotWriteRestrictedCollection() throws XMLDBException {
    final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest2", "test1", "test1");
    final long timestamp = System.currentTimeMillis();
    final String content = "<not_setgid>" + timestamp + "</not_setgid>";
    // create an XQuery /db/securityTest2/not_setgid.xquery
    final String xquery = "xmldb:store('/db/securityTest2/forSetGidWrite', 'not_setgid.xml', " + content + ")";
    Resource xqueryResource = test.createResource("not_setgid.xquery", "BinaryResource");
    xqueryResource.setContent(xquery);
    test.storeResource(xqueryResource);
    // the XQuery is owned by 'test1':'users'; do NOT set it 'setgid', but set it 'rx' for others so 'test3' can execute it
    UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
    xqueryResource = test.getResource("not_setgid.xquery");
    // NOT setgid
    ums.chmod(xqueryResource, 00705);
    // create a collection for the XQuery to write into
    final CollectionManagementService cms = (CollectionManagementService) test.getService("CollectionManagementService", "1.0");
    final Collection colForSetUid = cms.createCollection("forSetGidWrite");
    // only allow the group 'users' to write into the collection
    ums = (UserManagementService) colForSetUid.getService("UserManagementService", "1.0");
    ums.chmod(0070);
    // execute the XQuery as the 'test3' user... it is NOT 'setgid', so it does not run with group 'users' and the write should be denied (XMLDBException expected)
    final Collection test3 = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest2", "test3", "test3");
    final EXistXPathQueryService queryService = (EXistXPathQueryService) test3.getService("XPathQueryService", "1.0");
    final ResourceSet result = queryService.executeStoredQuery("/db/securityTest2/not_setgid.xquery");
    assertFalse("/db/securityTest2/forSetGidWrite/not_setgid.xml".equals(result.getResource(0).getContent()));
}
Also used : EXistCollectionManagementService(org.exist.xmldb.EXistCollectionManagementService) CollectionManagementService(org.xmldb.api.modules.CollectionManagementService) EXistXPathQueryService(org.exist.xmldb.EXistXPathQueryService) BinaryResource(org.xmldb.api.modules.BinaryResource) XMLResource(org.xmldb.api.modules.XMLResource) Resource(org.xmldb.api.base.Resource) Collection(org.xmldb.api.base.Collection) UserManagementService(org.exist.xmldb.UserManagementService) ResourceSet(org.xmldb.api.base.ResourceSet) Test(org.junit.Test)

Example 2 with EXistXPathQueryService

use of org.exist.xmldb.EXistXPathQueryService in project exist by eXist-db.

the class XMLDBSecurityTest method canExecuteXQueryWithOnlyExecutePermissionOnParentCollection.

@Test
public void canExecuteXQueryWithOnlyExecutePermissionOnParentCollection() throws XMLDBException {
    Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    final UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
    final String xquery = "<xquery>{ 1 + 1 }</xquery>";
    Resource xqueryResource = test.createResource("test.xquery", BinaryResource.RESOURCE_TYPE);
    xqueryResource.setContent(xquery);
    test.storeResource(xqueryResource);
    ums.chmod("--x------");
    // set execute bit on the XQuery (it's off by default!)
    ums.chmod(xqueryResource, "rwx------");
    test.close();
    test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    xqueryResource = test.getResource("test.xquery");
    assertEquals(xquery, new String((byte[]) xqueryResource.getContent()));
    // execute the stored XQuery
    final EXistXPathQueryService queryService = (EXistXPathQueryService) test.getService("XPathQueryService", "1.0");
    final ResourceSet result = queryService.executeStoredQuery("/db/securityTest1/test.xquery");
    assertEquals("<xquery>2</xquery>", result.getResource(0).getContent());
}
Also used : EXistXPathQueryService(org.exist.xmldb.EXistXPathQueryService) BinaryResource(org.xmldb.api.modules.BinaryResource) XMLResource(org.xmldb.api.modules.XMLResource) Resource(org.xmldb.api.base.Resource) Collection(org.xmldb.api.base.Collection) UserManagementService(org.exist.xmldb.UserManagementService) ResourceSet(org.xmldb.api.base.ResourceSet) Test(org.junit.Test)

Example 3 with EXistXPathQueryService

use of org.exist.xmldb.EXistXPathQueryService in project exist by eXist-db.

the class XMLDBSecurityTest method nonSetUidXQueryCannotWriteRestrictedCollection.

@Test(expected = XMLDBException.class)
public void nonSetUidXQueryCannotWriteRestrictedCollection() throws XMLDBException {
    final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    final long timestamp = System.currentTimeMillis();
    final String content = "<not_setuid>" + timestamp + "</not_setuid>";
    // create an XQuery /db/securityTest1/not_setuid.xquery
    final String xquery = "xmldb:store('/db/securityTest1/forSetUidWrite', 'not_setuid.xml', " + content + ")";
    Resource xqueryResource = test.createResource("not_setuid.xquery", "BinaryResource");
    xqueryResource.setContent(xquery);
    test.storeResource(xqueryResource);
    // set the xquery to be owned by 'test1' and do NOT set it 'setuid', and do set it 'rx' by 'users' group so 'test2' can execute it!
    UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
    xqueryResource = test.getResource("not_setuid.xquery");
    // NOT SETUID
    ums.chmod(xqueryResource, 00750);
    // create a collection for the XQuery to write into
    final CollectionManagementService cms = (CollectionManagementService) test.getService("CollectionManagementService", "1.0");
    final Collection colForSetUid = cms.createCollection("forSetUidWrite");
    // only allow the user 'test1' to write into the collection
    ums = (UserManagementService) colForSetUid.getService("UserManagementService", "1.0");
    ums.chmod(0700);
    // execute the XQuery as the 'test2' user... it is NOT 'setuid', so it does not run as 'test1' and the write should be denied (XMLDBException expected)
    final Collection test2 = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test2", "test2");
    final EXistXPathQueryService queryService = (EXistXPathQueryService) test2.getService("XPathQueryService", "1.0");
    final ResourceSet result = queryService.executeStoredQuery("/db/securityTest1/not_setuid.xquery");
    assertFalse("/db/securityTest1/forSetUidWrite/not_setuid.xml".equals(result.getResource(0).getContent()));
}
Also used : EXistCollectionManagementService(org.exist.xmldb.EXistCollectionManagementService) CollectionManagementService(org.xmldb.api.modules.CollectionManagementService) EXistXPathQueryService(org.exist.xmldb.EXistXPathQueryService) BinaryResource(org.xmldb.api.modules.BinaryResource) XMLResource(org.xmldb.api.modules.XMLResource) Resource(org.xmldb.api.base.Resource) Collection(org.xmldb.api.base.Collection) UserManagementService(org.exist.xmldb.UserManagementService) ResourceSet(org.xmldb.api.base.ResourceSet) Test(org.junit.Test)

Example 4 with EXistXPathQueryService

use of org.exist.xmldb.EXistXPathQueryService in project exist by eXist-db.

the class ProtectedModeTest method queryCollection.

@Test
public void queryCollection() throws XMLDBException {
    final Collection root = DatabaseManager.getCollection("xmldb:exist:///db/protected", "admin", "");
    final EXistXPathQueryService service = (EXistXPathQueryService) root.getService("XQueryService", "1.0");
    try {
        service.beginProtected();
        final ResourceSet result = service.query("collection('/db/protected/test5')//book");
        assertEquals(DOCUMENT_COUNT, result.getSize());
    } finally {
        service.endProtected();
    }
}
Also used : EXistXPathQueryService(org.exist.xmldb.EXistXPathQueryService) Collection(org.xmldb.api.base.Collection) ResourceSet(org.xmldb.api.base.ResourceSet) Test(org.junit.Test)

Example 5 with EXistXPathQueryService

use of org.exist.xmldb.EXistXPathQueryService in project exist by eXist-db.

the class ProtectedModeTest method queryRoot.

@Test
public void queryRoot() throws XMLDBException {
    final Collection root = DatabaseManager.getCollection("xmldb:exist:///db/protected", "admin", "");
    final EXistXPathQueryService service = (EXistXPathQueryService) root.getService("XQueryService", "1.0");
    try {
        service.beginProtected();
        final ResourceSet result = service.query("//book");
        assertEquals(COLLECTION_COUNT * DOCUMENT_COUNT, result.getSize());
    } finally {
        service.endProtected();
    }
}
Also used : EXistXPathQueryService(org.exist.xmldb.EXistXPathQueryService) Collection(org.xmldb.api.base.Collection) ResourceSet(org.xmldb.api.base.ResourceSet) Test(org.junit.Test)
