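/**
 * Verifies that a non-admin principal cannot grant itself the admin flag.
 *
 * <p>Both write paths are exercised from the principal's own Frontend
 * security context: the single-key {@code setProperty()} call and the bulk
 * {@code setProperties()} call. Each attempt must be rejected with a
 * {@link FrameworkException}, and after the rejection {@code isAdmin()} must
 * still report {@code false}. Reaching {@code fail()} inside either
 * transaction means the write went through silently, which is the
 * escalation this test guards against.
 */
@Test
public void test09PrivilegeEscalation() {

	// remove auto-generated resource access objects so they cannot mask the check
	clearResourceAccess();

	try {

		// raw Class kept on purpose: createTestNode(Class) returns an untyped node here
		final Class principalType = StructrApp.getConfiguration().getNodeEntityClass("Principal");
		final Principal nonAdmin = (Principal) createTestNode(principalType);
		final PropertyKey<Boolean> isAdminKey = StructrApp.key(principalType, "isAdmin");

		// every write below runs as the non-admin itself, in Frontend mode
		final SecurityContext userContext = SecurityContext.getInstance(nonAdmin, AccessMode.Frontend);
		nonAdmin.setSecurityContext(userContext);

		final App userApp = StructrApp.getInstance(userContext);

		// attempt 1: single-key write via setProperty()
		try (final Tx tx = userApp.tx()) {

			assertFalse(nonAdmin.isAdmin());

			nonAdmin.setProperty(isAdminKey, true);

			// not reached when the write is rejected (fail() throws AssertionError)
			fail("Privilege escalation using setProperty()-method! Non-admin may not set an admin flag!");

			tx.success();

		} catch (FrameworkException ex) {

			// expected path: the flag must still be unset after the rejected write
			assertFalse("Privilege escalation using setProperty()-method! Non-admin may not set an admin flag!", nonAdmin.isAdmin());
		}

		// attempt 2: bulk write via setProperties() in the same user context
		try (final Tx tx = userApp.tx()) {

			assertFalse(nonAdmin.isAdmin());

			final PropertyMap props = new PropertyMap();
			props.put(isAdminKey, true);

			nonAdmin.setProperties(userContext, props);

			// not reached when the write is rejected (fail() throws AssertionError)
			fail("Privilege escalation using setProperties()-method! Non-admin may not set an admin flag!");

			tx.success();

		} catch (FrameworkException ex) {

			// expected path: the flag must still be unset after the rejected write
			assertFalse("Privilege escalation using setProperties()-method! Non-admin may not set an admin flag!", nonAdmin.isAdmin());
		}

	} catch (FrameworkException ex) {

		// setup failure: log the cause like the sibling tests do instead of dropping it
		logger.warn("", ex);
		fail("Unexpected Exception");
	}
}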
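/**
 * Verifies the visibility rules a group grants to its members.
 *
 * <p>{@code user1} creates a group (and therefore owns it) and adds
 * {@code user2} as a member. As a member, {@code user2} must be able to
 * find the group and read its name, but a write to the name must be
 * refused with a 403 {@link FrameworkException} carrying the message
 * {@code "Modification not permitted."}.
 */
@Test
public void testGroupVisibilityForMembers() {

	Principal user1 = null;
	Principal user2 = null;
	Group group = null;

	// both users are created with the superuser app
	try (final Tx tx = app.tx()) {

		user1 = createTestNode(Principal.class, "user1");
		user2 = createTestNode(Principal.class, "user2");

		tx.success();

	} catch (FrameworkException t) {

		logger.warn("", t);
		fail("Unexpected exception.");
	}

	final SecurityContext user1Context = SecurityContext.getInstance(user1, AccessMode.Backend);
	final SecurityContext user2Context = SecurityContext.getInstance(user2, AccessMode.Backend);
	final App user1App = StructrApp.getInstance(user1Context);
	final App user2App = StructrApp.getInstance(user2Context);

	// user1 creates the group in its own context, so user1 becomes the owner
	try (final Tx tx = user1App.tx()) {

		group = user1App.create(Group.class, "group");

		assertEquals("Invalid group owner", user1, group.getOwnerNode());

		// add user2 to group
		group.addMember(user2);

		tx.success();

	} catch (FrameworkException t) {

		logger.warn("", t);
		fail("Unexpected exception.");
	}

	// read check: a member must be able to find the group and read its name
	try (final Tx tx = user2App.tx()) {

		final Group testGroup = user2App.nodeQuery(Group.class).andName("group").getFirst();

		assertNotNull("Group should be readable for members", testGroup);
		assertEquals("Group name should be readable for members", "group", testGroup.getName());

		tx.success();

	} catch (FrameworkException t) {

		logger.warn("", t);
		fail("Unexpected exception.");
	}

	// write check: membership alone must not grant write access to the group
	try (final Tx tx = user2App.tx()) {

		final Group testGroup = user2App.nodeQuery(Group.class).andName("group").getFirst();

		assertNotNull("Group should be readable for members", testGroup);
		assertEquals("Group name should be readable for members", "group", testGroup.getName());

		testGroup.setProperty(Group.name, "dontchangeme");

		// not reached when the write is rejected (fail() throws AssertionError)
		fail("Group name should not be writable for members");

		tx.success();

	} catch (FrameworkException t) {

		// expected path: the rejection must be a 403 with the standard message
		assertEquals(403, t.getStatus());
		assertEquals("Modification not permitted.", t.getMessage());
	}
}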
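/**
 * Verifies that a principal's {@code customPermissionQueryRead} property
 * controls read access to nodes the principal otherwise cannot see.
 *
 * <p>Sequence: a dynamic type {@code Type1} and one instance of it are
 * created as superuser; {@code user1} initially cannot find the instance;
 * after a custom read query that always yields {@code true} is stored on
 * {@code user1}, the instance becomes visible; after the query is replaced
 * by one that always yields {@code false}, the instance is hidden again.
 */
@Test
public void test01SimplePermissionResolutionRead() {

	final Class<Principal> principalType = StructrApp.getConfiguration().getNodeEntityClass("Principal");
	Principal user1 = null;
	Class<NodeInterface> type1 = null;

	try (final Tx tx = app.tx()) {

		// create a test user
		user1 = app.create(principalType, "user1");

		// create the schema node only for its side effect: the dynamic type "Type1"
		app.create(SchemaNode.class, "Type1");

		tx.success();

	} catch (FrameworkException fex) {

		fex.printStackTrace();
		fail("Unexpected exception");
	}

	Assert.assertNotNull("User should have been created", user1);

	// the dynamic type is only resolvable after the schema transaction committed
	try (final Tx tx = app.tx()) {

		type1 = StructrApp.getConfiguration().getNodeEntityClass("Type1");
		Assert.assertNotNull("Node type Type1 should exist.", type1);

		final NodeInterface instance1 = app.create(type1, "instance1OfType1");
		Assert.assertNotNull("Instance of type Type1 should exist", instance1);

		tx.success();

	} catch (FrameworkException fex) {

		fex.printStackTrace();
		fail("Unexpected exception");
	}

	// check access for user1 on instance1: no grant, no owner, so nothing is visible
	final App userApp = StructrApp.getInstance(SecurityContext.getInstance(user1, AccessMode.Backend));

	try (final Tx tx = userApp.tx()) {

		Assert.assertNull("User1 should NOT be able to find instance of type Type1", userApp.nodeQuery(type1).getFirst());

		tx.success();

	} catch (FrameworkException fex) {

		fex.printStackTrace();
		fail("Unexpected exception");
	}

	// set custom permission query on user
	// NOTE(review): this write happens in userApp, i.e. user1 stores the permission
	// query on itself. Confirm that non-admin principals are meant to be able to
	// write this property, since it widens their own read access.
	try (final Tx tx = userApp.tx()) {

		// query returns always true if user exists
		user1.setProperty(StructrApp.key(Principal.class, "customPermissionQueryRead"), "MATCH (p:Principal {id: {principalUuid}}) RETURN p IS NOT NULL");

		tx.success();

	} catch (FrameworkException fex) {

		fex.printStackTrace();
		fail("Unexpected exception");
	}

	// check access for user1 on instance1: the custom query now grants read
	try (final Tx tx = userApp.tx()) {

		Assert.assertNotNull("User1 should be able to find instance of type Type1", userApp.nodeQuery(type1).getFirst());

		tx.success();

	} catch (FrameworkException fex) {

		fex.printStackTrace();
		fail("Unexpected exception");
	}

	// set custom permission query on user
	try (final Tx tx = userApp.tx()) {

		// query returns always false if user exists
		user1.setProperty(StructrApp.key(Principal.class, "customPermissionQueryRead"), "MATCH (p:Principal {id: {principalUuid}}) RETURN p IS NULL");

		tx.success();

	} catch (FrameworkException fex) {

		fex.printStackTrace();
		fail("Unexpected exception");
	}

	// check access for user1 on instance1: the custom query now denies read again
	try (final Tx tx = userApp.tx()) {

		Assert.assertNull("User1 should NOT be able to find instance of type Type1", userApp.nodeQuery(type1).getFirst());

		tx.success();

	} catch (FrameworkException fex) {

		fex.printStackTrace();
		fail("Unexpected exception");
	}
}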
/**
 * Creates a node of the given type on behalf of {@code owner}.
 *
 * <p>The node is created through an {@link App} bound to a Backend-mode
 * security context for {@code owner}, not through the superuser app, so
 * ownership and access rights are derived from that principal's context.
 *
 * @param type  the node type to instantiate
 * @param props the initial property values
 * @param owner the principal in whose context the node is created
 * @return the created node
 * @throws FrameworkException if the creation is refused or fails
 */
protected <T extends AbstractNode> T createTestNode(final Class<T> type, final PropertyMap props, final Principal owner) throws FrameworkException {

	final SecurityContext ownerContext = SecurityContext.getInstance(owner, AccessMode.Backend);
	final App ownerApp = StructrApp.getInstance(ownerContext);

	try (final Tx tx = ownerApp.tx()) {

		final T created = ownerApp.create(type, props);

		// commit before handing the node back; the try-with-resources closes the tx
		tx.success();

		return created;
	}
}
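/**
 * Verifies that a schema method can grant permissions via scripting.
 *
 * <p>A dynamic type {@code Source} is defined with a method
 * {@code doTest01} whose script grants read and write on {@code this} to
 * the first Principal found. An instance is created as superuser and a test
 * user is created; the user must not see the instance before the method is
 * invoked and must see exactly one instance afterwards.
 */
@Test
public void testGrantViaScripting() {

	// NOTE(review): this setting is never restored at the end of the test and
	// may therefore leak into later tests in the same JVM — confirm intended.
	Settings.LogSchemaOutput.setValue(true);

	// setup phase: create schema nodes
	try (final Tx tx = app.tx()) {

		// create two nodes and associate them with each other
		final SchemaNode sourceNode = createTestNode(SchemaNode.class, "Source");
		final SchemaMethod method = createTestNode(SchemaMethod.class, new NodeAttribute(AbstractNode.name, "doTest01"), new NodeAttribute(SchemaMethod.source, "{ var e = Structr.get('this'); e.grant(Structr.find('Principal')[0], 'read', 'write'); }"));

		sourceNode.setProperty(SchemaNode.schemaMethods, Arrays.asList(method));

		tx.success();

	} catch (FrameworkException fex) {

		logger.warn("", fex);
		fail("Unexpected exception.");
	}

	final ConfigurationProvider config = StructrApp.getConfiguration();
	final Class sourceType = config.getNodeEntityClass("Source");
	Principal testUser = null;

	// create test node as superuser
	try (final Tx tx = app.tx()) {

		app.create(sourceType);
		tx.success();

	} catch (FrameworkException fex) {

		logger.warn("", fex);
		fail("Unexpected exception.");
	}

	// create test user
	// NOTE(review): the script grants to Structr.find('Principal')[0]; this test
	// relies on the test user being the only (or first) Principal — confirm.
	try (final Tx tx = app.tx()) {

		testUser = app.create(Principal.class, new NodeAttribute<>(Principal.name, "test"), new NodeAttribute<>(StructrApp.key(Principal.class, "password"), "test"));
		tx.success();

	} catch (FrameworkException fex) {

		logger.warn("", fex);
		fail("Unexpected exception.");
	}

	final App userApp = StructrApp.getInstance(SecurityContext.getInstance(testUser, AccessMode.Backend));

	// first test without grant, expect no test object to be found using the user context
	try (final Tx tx = userApp.tx()) {

		assertEquals("Invalid grant() scripting result", 0, userApp.nodeQuery(sourceType).getAsList().size());
		tx.success();

	} catch (FrameworkException fex) {

		logger.warn("", fex);
		fail("Unexpected exception.");
	}

	// grant read access to test user by invoking the schema method as superuser
	try (final Tx tx = app.tx()) {

		app.nodeQuery(sourceType).getFirst().invokeMethod("doTest01", Collections.emptyMap(), true);
		tx.success();

	} catch (FrameworkException fex) {

		logger.warn("", fex);
		fail("Unexpected exception.");
	}

	// second test after the grant, expect exactly one test object to be found using the user context
	try (final Tx tx = userApp.tx()) {

		assertEquals("Invalid grant() scripting result", 1, userApp.nodeQuery(sourceType).getAsList().size());
		tx.success();

	} catch (FrameworkException fex) {

		logger.warn("", fex);
		fail("Unexpected exception.");
	}
}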