use of org.exist.xmldb.UserManagementService in project exist by eXist-db.
the class XMLDBSecurityTest method canOpenRootCollectionWithExecute.
/**
 * Checks that execute-only permission ({@code --x--x--x}) on the root collection
 * {@code /db} is enough for a user to open it.
 *
 * <p>The mode is changed over a connection made as 'admin' with an empty password,
 * so the test relies on the test database accepting that login. There is no explicit
 * assertion: the test passes when reopening {@code /db} as 'test1' does not throw.
 *
 * @throws XMLDBException if the chmod or either connection attempt is rejected
 */
@Test
public void canOpenRootCollectionWithExecute() throws XMLDBException {
    // Step 1: as admin, strip everything but the execute bits from /db.
    final Collection rootAsAdmin = DatabaseManager.getCollection(getBaseUri() + "/db", "admin", "");
    final UserManagementService permissionService =
            (UserManagementService) rootAsAdmin.getService("UserManagementService", "1.0");
    permissionService.chmod("--x--x--x");
    rootAsAdmin.close();

    // Step 2: opening the collection as an ordinary user must still be allowed.
    // NOTE(review): the returned handle is discarded, so it is neither null-checked nor closed,
    // and /db is left at --x--x--x here; presumably fixture teardown restores it. Confirm.
    DatabaseManager.getCollection(getBaseUri() + "/db", "test1", "test1");
}
use of org.exist.xmldb.UserManagementService in project exist by eXist-db.
the class XMLDBSecurityTest method canReadXmlResourceWithOnlyReadPermission.
/**
 * Checks that {@code test.xml} can still be read after its mode has been reduced to
 * owner-read only ({@code r--------}).
 *
 * <p>Both the chmod and the read are done as 'test1'; the read uses a freshly opened
 * collection handle so the new mode is what gets evaluated.
 * NOTE(review): presumably 'test1' owns the resource (fixture not shown here). Confirm.
 *
 * @throws XMLDBException if the chmod, the reconnect or the read is rejected
 */
@Test
public void canReadXmlResourceWithOnlyReadPermission() throws XMLDBException {
    // First session: restrict the resource to read-only for its owner.
    final Collection firstSession =
            DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    final UserManagementService permissionService =
            (UserManagementService) firstSession.getService("UserManagementService", "1.0");
    final Resource toRestrict = firstSession.getResource("test.xml");
    permissionService.chmod(toRestrict, "r--------");
    firstSession.close();

    // Second session: the content must still be readable with only the read bit set.
    // NOTE(review): this second handle is never closed.
    final Collection secondSession =
            DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    final Resource reread = secondSession.getResource("test.xml");
    assertEquals("<test/>", reread.getContent());
}
use of org.exist.xmldb.UserManagementService in project exist by eXist-db.
the class XMLDBSecurityTest method ownerAndGroupMemberChownGidResource.
/**
* Owner can change the owner gid of a resource
* to a group of which they are a member
*
* As the user 'test1' (who is the owner and
* who is in the group 'extusers')
* attempt to change ownership gid of /db/securityTest1/test.xml
* to the group 'extusers'
*/
@Test
public void ownerAndGroupMemberChownGidResource() throws XMLDBException {
    // Connect as 'test1' and look up the resource whose group is to be changed.
    // NOTE(review): this collection handle is never closed.
    final Collection securityCol =
            DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    final Resource doc = securityCol.getResource("test.xml");
    final UserManagementService permissionService =
            (UserManagementService) securityCol.getService("UserManagementService", "1.0");

    // attempt to change the group of the resource test.xml (not of the collection) to 'extusers'
    permissionService.chgrp(doc, "extusers");

    // read the permissions back so the check covers the stored group, not just the absence of an error
    final String groupAfterChange = permissionService.getPermissions(doc).getGroup().getName();
    assertEquals("extusers", groupAfterChange);
}
use of org.exist.xmldb.UserManagementService in project exist by eXist-db.
the class XMLDBSecurityTest method nonSetUidXQueryCannotWriteRestrictedCollection.
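/**
 * Negative test for setuid handling: a stored XQuery that is NOT marked setuid must not
 * be able to write into a collection that only its owner may write to when it is
 * executed by a different user.
 *
 * <p>As 'test1' the test stores {@code not_setuid.xquery} with mode 0750 (no setuid bit)
 * and creates the collection {@code forSetUidWrite} with mode 0700. It then executes the
 * stored query as 'test2' and expects that execution to fail with an
 * {@link XMLDBException}.
 *
 * <p>Fixture setup is wrapped so that an {@code XMLDBException} raised before the query
 * runs is reported as a failure; otherwise {@code expected = XMLDBException.class} would
 * let the test pass without the permission check ever being exercised.
 *
 * @throws XMLDBException expected, from executing the stored query as 'test2'
 */
@Test(expected = XMLDBException.class)
public void nonSetUidXQueryCannotWriteRestrictedCollection() throws XMLDBException {
    final EXistXPathQueryService queryService;
    try {
        final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");

        final long timestamp = System.currentTimeMillis();
        final String content = "<not_setuid>" + timestamp + "</not_setuid>";

        // create an XQuery /db/securityTest1/not_setuid.xquery
        final String xquery = "xmldb:store('/db/securityTest1/forSetUidWrite', 'not_setuid.xml', " + content + ")";
        Resource xqueryResource = test.createResource("not_setuid.xquery", "BinaryResource");
        xqueryResource.setContent(xquery);
        test.storeResource(xqueryResource);

        // the xquery is stored by 'test1'; do NOT set it 'setuid', but give the group 'rx'
        // (per the original comment, the 'users' group) so that 'test2' can execute it
        UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
        xqueryResource = test.getResource("not_setuid.xquery");
        // NOT SETUID: octal 0750 = rwxr-x---, no setuid bit
        ums.chmod(xqueryResource, 00750);

        // create a collection for the XQuery to write into
        final CollectionManagementService cms = (CollectionManagementService) test.getService("CollectionManagementService", "1.0");
        final Collection colForSetUid = cms.createCollection("forSetUidWrite");

        // only allow the user 'test1' to write into the collection
        ums = (UserManagementService) colForSetUid.getService("UserManagementService", "1.0");
        ums.chmod(0700);

        // open a second connection as 'test2', the user who will run the query
        final Collection test2 = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test2", "test2");
        queryService = (EXistXPathQueryService) test2.getService("XPathQueryService", "1.0");
    } catch (final XMLDBException e) {
        // A setup failure must not be mistaken for the permission denial under test.
        throw new AssertionError("Fixture setup failed before the non-setuid XQuery was executed", e);
    }

    // execute the XQuery as the 'test2' user... it is not 'setuid', so it must run as 'test2'
    // and the write into the 'test1'-only collection must be rejected with an XMLDBException
    final ResourceSet result = queryService.executeStoredQuery("/db/securityTest1/not_setuid.xquery");

    // Only reached if execution unexpectedly succeeds; the test then fails anyway because
    // the expected exception was not thrown.
    assertFalse("/db/securityTest1/forSetUidWrite/not_setuid.xml".equals(result.getResource(0).getContent()));
}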
use of org.exist.xmldb.UserManagementService in project exist by eXist-db.
the class XMLDBSecurityTest method canOpenCollectionWithExecute.
/**
 * Checks that execute-only permission ({@code --x--x--x}) on
 * {@code /db/securityTest1} is enough for 'test1' to open the collection.
 *
 * <p>'test1' applies the mode itself and then reconnects. There is no explicit
 * assertion: the test passes when the second {@code getCollection} call does not throw.
 *
 * @throws XMLDBException if the chmod or either connection attempt is rejected
 */
@Test
public void canOpenCollectionWithExecute() throws XMLDBException {
    // Step 1: as 'test1', reduce the collection to execute-only for owner, group and others.
    final Collection beforeChmod =
            DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    final UserManagementService permissionService =
            (UserManagementService) beforeChmod.getService("UserManagementService", "1.0");
    permissionService.chmod("--x--x--x");
    beforeChmod.close();

    // Step 2: a fresh connection must still be able to open the collection.
    // NOTE(review): the returned handle is discarded, so it is neither null-checked nor closed.
    DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
}