Search in sources :

Example 41 with UserManagementService

use of org.exist.xmldb.UserManagementService in project exist by eXist-db.

the class XMLDBSecurityTest method canOpenRootCollectionWithExecute.

@Test
public void canOpenRootCollectionWithExecute() throws XMLDBException {
    final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db", "admin", "");
    final UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
    ums.chmod("--x--x--x");
    test.close();
    DatabaseManager.getCollection(getBaseUri() + "/db", "test1", "test1");
}
Also used : Collection(org.xmldb.api.base.Collection) UserManagementService(org.exist.xmldb.UserManagementService) Test(org.junit.Test)

Example 42 with UserManagementService

use of org.exist.xmldb.UserManagementService in project exist by eXist-db.

the class XMLDBSecurityTest method canReadXmlResourceWithOnlyReadPermission.

@Test
public void canReadXmlResourceWithOnlyReadPermission() throws XMLDBException {
    Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    final UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
    Resource resource = test.getResource("test.xml");
    ums.chmod(resource, "r--------");
    test.close();
    test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    resource = test.getResource("test.xml");
    assertEquals("<test/>", resource.getContent());
}
Also used : BinaryResource(org.xmldb.api.modules.BinaryResource) XMLResource(org.xmldb.api.modules.XMLResource) Resource(org.xmldb.api.base.Resource) Collection(org.xmldb.api.base.Collection) UserManagementService(org.exist.xmldb.UserManagementService) Test(org.junit.Test)

Example 43 with UserManagementService

use of org.exist.xmldb.UserManagementService in project exist by eXist-db.

the class XMLDBSecurityTest method ownerAndGroupMemberChownGidResource.

/**
 * Owner can change the owner gid of a resource
 * to a group of which they are a member
 *
 * As the user 'test1' (who is the owner and
 * who is in the group 'extusers')
 * attempt to change ownership gid of /db/securityTest1/test.xml
 * to the group 'extusers'
 */
@Test
public void ownerAndGroupMemberChownGidResource() throws XMLDBException {
    final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    final Resource resource = test.getResource("test.xml");
    final UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
    // attempt to take gid ownership of /db/securityTest1
    ums.chgrp(resource, "extusers");
    final Permission perms = ums.getPermissions(resource);
    assertEquals("extusers", perms.getGroup().getName());
}
Also used : BinaryResource(org.xmldb.api.modules.BinaryResource) XMLResource(org.xmldb.api.modules.XMLResource) Resource(org.xmldb.api.base.Resource) Collection(org.xmldb.api.base.Collection) UserManagementService(org.exist.xmldb.UserManagementService) Test(org.junit.Test)

Example 44 with UserManagementService

use of org.exist.xmldb.UserManagementService in project exist by eXist-db.

the class XMLDBSecurityTest method nonSetUidXQueryCannotWriteRestrictedCollection.

@Test(expected = XMLDBException.class)
public void nonSetUidXQueryCannotWriteRestrictedCollection() throws XMLDBException {
    final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    final long timestamp = System.currentTimeMillis();
    final String content = "<not_setuid>" + timestamp + "</not_setuid>";
    // create an XQuery /db/securityTest1/not_setuid.xquery
    final String xquery = "xmldb:store('/db/securityTest1/forSetUidWrite', 'not_setuid.xml', " + content + ")";
    Resource xqueryResource = test.createResource("not_setuid.xquery", "BinaryResource");
    xqueryResource.setContent(xquery);
    test.storeResource(xqueryResource);
    // set the xquery to be owned by 'test1' and do NOT set it 'setuid', and do set it 'rx' by 'users' group so 'test2' can execute it!
    UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
    xqueryResource = test.getResource("not_setuid.xquery");
    // NOT SETUID
    ums.chmod(xqueryResource, 00750);
    // create a collection for the XQuery to write into
    final CollectionManagementService cms = (CollectionManagementService) test.getService("CollectionManagementService", "1.0");
    final Collection colForSetUid = cms.createCollection("forSetUidWrite");
    // only allow the user 'test1' to write into the collection
    ums = (UserManagementService) colForSetUid.getService("UserManagementService", "1.0");
    ums.chmod(0700);
    // execute the XQuery as the 'test2' user... it should become 'setuid' of 'test1' and succeed.
    final Collection test2 = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test2", "test2");
    final EXistXPathQueryService queryService = (EXistXPathQueryService) test2.getService("XPathQueryService", "1.0");
    final ResourceSet result = queryService.executeStoredQuery("/db/securityTest1/not_setuid.xquery");
    assertFalse("/db/securityTest1/forSetUidWrite/not_setuid.xml".equals(result.getResource(0).getContent()));
}
Also used : EXistCollectionManagementService(org.exist.xmldb.EXistCollectionManagementService) CollectionManagementService(org.xmldb.api.modules.CollectionManagementService) EXistXPathQueryService(org.exist.xmldb.EXistXPathQueryService) BinaryResource(org.xmldb.api.modules.BinaryResource) XMLResource(org.xmldb.api.modules.XMLResource) Resource(org.xmldb.api.base.Resource) Collection(org.xmldb.api.base.Collection) UserManagementService(org.exist.xmldb.UserManagementService) ResourceSet(org.xmldb.api.base.ResourceSet) Test(org.junit.Test)

Example 45 with UserManagementService

use of org.exist.xmldb.UserManagementService in project exist by eXist-db.

the class XMLDBSecurityTest method canOpenCollectionWithExecute.

@Test
public void canOpenCollectionWithExecute() throws XMLDBException {
    final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
    final UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
    ums.chmod("--x--x--x");
    test.close();
    DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
}
Also used : Collection(org.xmldb.api.base.Collection) UserManagementService(org.exist.xmldb.UserManagementService) Test(org.junit.Test)

Aggregations

UserManagementService (org.exist.xmldb.UserManagementService)106 Collection (org.xmldb.api.base.Collection)91 Test (org.junit.Test)79 BinaryResource (org.xmldb.api.modules.BinaryResource)55 Resource (org.xmldb.api.base.Resource)52 XMLResource (org.xmldb.api.modules.XMLResource)51 EXistCollectionManagementService (org.exist.xmldb.EXistCollectionManagementService)26 XMLDBException (org.xmldb.api.base.XMLDBException)15 CollectionManagementService (org.xmldb.api.modules.CollectionManagementService)14 UserAider (org.exist.security.internal.aider.UserAider)9 GroupAider (org.exist.security.internal.aider.GroupAider)8 ResourceSet (org.xmldb.api.base.ResourceSet)8 EXistXPathQueryService (org.exist.xmldb.EXistXPathQueryService)7 EXistResource (org.exist.xmldb.EXistResource)6 Account (org.exist.security.Account)5 Before (org.junit.Before)3 BeforeClass (org.junit.BeforeClass)3 URISyntaxException (java.net.URISyntaxException)2 ExtendedResource (org.exist.xmldb.ExtendedResource)2 WindowAdapter (java.awt.event.WindowAdapter)1