Example 21 with Principal

Use of org.structr.core.entity.Principal in project structr by structr.

From the class RestAuthenticator, method getUser.

@Override
public Principal getUser(final HttpServletRequest request, final boolean tryLogin) throws FrameworkException {

    Principal user = null;

    // First, check the servlet session (JSESSIONID cookie). getSession(false) never
    // creates a new session, so an unauthenticated request stays stateless here.
    final HttpSession session = request.getSession(false);
    if (session != null) {
        user = AuthHelper.getPrincipalForSessionId(session.getId());
    }

    if (user == null) {

        // Second, check the X-Headers used by REST clients
        final String userName = request.getHeader("X-User");
        final String password = request.getHeader("X-Password");
        final String token    = request.getHeader("X-StructrSessionToken");

        // A session token in the header is resolved exactly like a session id and
        // takes precedence: when it is present, user name and password are ignored.
        if (token != null) {

            user = AuthHelper.getPrincipalForSessionId(token);

        } else if ((userName != null) && (password != null)) {

            // Password authentication is only attempted when the caller asks for a
            // login; the principal is looked up by its name property.
            if (tryLogin) {
                user = AuthHelper.getPrincipalForPassword(AbstractNode.name, userName, password);
            }
        }
    }

    // null means: no authenticated principal for this request
    return user;
}
Also used: HttpSession (javax.servlet.http.HttpSession), Principal (org.structr.core.entity.Principal)

Example 22 with Principal

Use of org.structr.core.entity.Principal in project structr by structr.

From the class AccessControlTest, method testGroupMembershipVisibility.

@Test
public void testGroupMembershipVisibility() {

    Principal user1 = null;
    Principal user2 = null;
    Group group     = null;

    // create two users in the superuser context (app)
    try (final Tx tx = app.tx()) {

        user1 = createTestNode(Principal.class, "user1");
        user2 = createTestNode(Principal.class, "user2");

        tx.success();

    } catch (FrameworkException t) {
        logger.warn("", t);
        fail("Unexpected exception.");
    }

    // user1 creates a group and a test object; user1 owns both
    final SecurityContext user1Context = SecurityContext.getInstance(user1, AccessMode.Backend);
    final App user1App                 = StructrApp.getInstance(user1Context);

    try (final Tx tx = user1App.tx()) {

        group = user1App.create(Group.class, "group");
        user1App.create(TestOne.class, "testone");

        assertEquals("Invalid group owner", user1, group.getOwnerNode());

        tx.success();

    } catch (FrameworkException t) {
        logger.warn("", t);
        fail("Unexpected exception.");
    }

    // grant read permission on the test object to the group, not to user2 directly
    try (final Tx tx = user1App.tx()) {

        final TestOne test = user1App.nodeQuery(TestOne.class).getFirst();
        assertNotNull(test);

        test.grant(Permission.read, group);

        tx.success();

    } catch (FrameworkException t) {
        logger.warn("", t);
        fail("Unexpected exception.");
    }

    // ################################################################################################################
    // user2 is not yet member of the group, so
    // it should not be possible to access the object
    final SecurityContext user2Context = SecurityContext.getInstance(user2, AccessMode.Backend);
    final App user2App                 = StructrApp.getInstance(user2Context);

    try (final Tx tx = user2App.tx()) {

        // the query filters by permission, so an invisible node is simply not found
        final TestOne test = user2App.nodeQuery(TestOne.class).getFirst();
        assertNull(test);

        tx.success();

    } catch (FrameworkException fex) {
        logger.warn("", fex);
        fail("Unexpected exception.");
    }

    // add user2 to the group, acting as user1 (the group owner)
    try (final Tx tx = user1App.tx()) {

        group.addMember(user2);
        tx.success();

    } catch (FrameworkException t) {
        logger.warn("", t);
        fail("Unexpected exception.");
    }

    // membership alone is enough for read access: the object is now found by user2
    try (final Tx tx = user2App.tx()) {

        final TestOne test = user2App.nodeQuery(TestOne.class).getFirst();
        assertNotNull("Group should be readable for members", test);

        tx.success();

    } catch (FrameworkException fex) {
        logger.warn("", fex);
        fail("Unexpected exception.");
    }

    // read permission does not imply write permission: the modification must be rejected with 403
    try (final Tx tx = user2App.tx()) {

        final TestOne test = user2App.nodeQuery(TestOne.class).getFirst();
        assertNotNull("Group should be readable for members", test);

        test.setProperty(TestOne.name, "newname");
        tx.success();

        fail("User should not be able to write an object that it doesn't own.");

    } catch (FrameworkException fex) {

        // expected: access denied
        assertEquals("Invalid group permissions result", 403, fex.getStatus());
        assertEquals("Invalid group permissions result", "Modification not permitted.", fex.getMessage());
    }

    // the owner grants write permission to the group
    try (final Tx tx = user1App.tx()) {

        final TestOne test = app.nodeQuery(TestOne.class).getFirst();
        assertNotNull("Group should be readable for members", test);

        test.grant(Permission.write, group);

        tx.success();

    } catch (FrameworkException t) {
        logger.warn("", t);
        fail("Unexpected exception.");
    }

    // now user2 can modify the object through the group's write permission
    try (final Tx tx = user2App.tx()) {

        final TestOne test = user2App.nodeQuery(TestOne.class).getFirst();
        assertNotNull("Group should be readable for members", test);

        test.setProperty(TestOne.name, "newname");
        tx.success();

    } catch (FrameworkException fex) {
        logger.warn("", fex);
        fail("Unexpected exception.");
    }
}
Also used: StructrApp (org.structr.core.app.StructrApp), App (org.structr.core.app.App), Group (org.structr.core.entity.Group), Tx (org.structr.core.graph.Tx), FrameworkException (org.structr.common.error.FrameworkException), TestOne (org.structr.core.entity.TestOne), Principal (org.structr.core.entity.Principal), Test (org.junit.Test)

Example 23 with Principal

Use of org.structr.core.entity.Principal in project structr by structr.

From the class AccessControlTest, method test01WriteAccess.

@Test
public void test01WriteAccess() {

    // remove auto-generated resource access objects
    clearResourceAccess();

    try {

        final Principal owner = createTestNode(Principal.class);
        final Principal user  = createTestNode(Principal.class);

        // create new node, owned by "owner"
        final TestOne t1 = createTestNode(TestOne.class, owner);

        final SecurityContext ownerContext = SecurityContext.getInstance(owner, AccessMode.Frontend);
        final SecurityContext userContext  = SecurityContext.getInstance(user, AccessMode.Frontend);
        final App ownerAppContext          = StructrApp.getInstance(ownerContext);
        final App userAppContext           = StructrApp.getInstance(userContext);

        // test with owner, expect success
        try (final Tx tx = ownerAppContext.tx()) {

            final TestOne t = StructrApp.getInstance(ownerContext).nodeQuery(TestOne.class).getFirst();
            assertNotNull(t);

            t.setProperty(TestOne.aString, "aString");
            assertEquals("aString", t.getProperty(TestOne.aString));

            tx.success();
        }

        // test with foreign user, expect failure, node should not be found
        try (final Tx tx = userAppContext.tx()) {

            // node should not be found
            assertNull(StructrApp.getInstance(userContext).nodeQuery(TestOne.class).getFirst());

            tx.success();
        }

        // grant read permission in the owner context so the node becomes visible to the foreign user
        try (final Tx tx = ownerAppContext.tx()) {

            // make node visible to user
            t1.grant(Permission.read, user);
            tx.success();
        }

        // try to grant read permissions in user context, should fail because user doesn't have access control permission
        try (final Tx tx = userAppContext.tx()) {

            try {

                final TestOne t = StructrApp.getInstance(userContext).nodeQuery(TestOne.class).getFirst();
                t.grant(Permission.read, user);

                fail("Non-owner should not be allowed to change permissions on object");

            } catch (FrameworkException fex) {

                // expect status 403 forbidden
                assertEquals(403, fex.getStatus());
            }

            tx.success();
        }

        // grant accessControl permission in owner context, should succeed
        try (final Tx tx = ownerAppContext.tx()) {

            // important lesson here: the context under which the node is constructed defines the security context
            final TestOne t = StructrApp.getInstance(ownerContext).nodeQuery(TestOne.class).getFirst();
            t.grant(Permission.accessControl, user);

            tx.success();
        }

        // test with foreign user: node is readable now, but writing must still fail
        try (final Tx tx = userAppContext.tx()) {

            final TestOne t = StructrApp.getInstance(userContext).nodeQuery(TestOne.class).getFirst();

            // node should be found because read permission was granted above
            assertNotNull(t);

            // setProperty should fail because of missing write permissions
            try {

                t.setProperty(TestOne.aString, "aString");
                fail("setProperty should not be allowed for non-owner on publicly visible nodes");

            } catch (FrameworkException fex) {

                // expect status 403 forbidden
                assertEquals(403, fex.getStatus());
            }

            tx.success();
        }

        // make t1 visible to public users explicitly, in the superuser context (app)
        try (final Tx tx = app.tx()) {

            t1.setProperty(GraphObject.visibleToPublicUsers, true);
            tx.success();
        }

    } catch (FrameworkException ex) {
        logger.warn("", ex);
        fail("Unexpected exception");
    }
}
Also used: StructrApp (org.structr.core.app.StructrApp), App (org.structr.core.app.App), Tx (org.structr.core.graph.Tx), FrameworkException (org.structr.common.error.FrameworkException), TestOne (org.structr.core.entity.TestOne), Principal (org.structr.core.entity.Principal), Test (org.junit.Test)

Example 24 with Principal

Use of org.structr.core.entity.Principal in project structr by structr.

From the class AccessControlTest, method test05FrontendUserAccessToProtectedNode.

@Test
public void test05FrontendUserAccessToProtectedNode() {

    // remove auto-generated resource access objects
    clearResourceAccess();

    try {

        final List<Principal> users = createTestNodes(Principal.class, 2);
        final Principal user1       = (Principal) users.get(0);
        final Principal user2       = (Principal) users.get(1);

        PropertyMap props = new PropertyMap();
        props.put(AbstractNode.visibleToPublicUsers, true);

        // Create two nodes with user context, one of them is visible to public users,
        // the other only to authenticated users; both are owned by user1
        final Class type = TestOne.class;

        final TestOne t1 = createTestNode(TestOne.class, props, user1);

        props = new PropertyMap();
        props.put(AbstractNode.visibleToAuthenticatedUsers, true);

        final TestOne t2 = createTestNode(TestOne.class, props, user1);

        // Let another user search: user2 is logged in (Frontend mode), so it counts as
        // an authenticated user and must see both nodes without owning either of them
        final SecurityContext user2Context = SecurityContext.getInstance(user2, AccessMode.Frontend);

        try (final Tx tx = app.tx()) {

            final Result result = StructrApp.getInstance(user2Context).nodeQuery(type).getResult();
            assertEquals(2, result.size());
        }

    } catch (FrameworkException ex) {
        logger.warn("", ex);
        fail("Unexpected exception");
    }
}
Also used: PropertyMap (org.structr.core.property.PropertyMap), Tx (org.structr.core.graph.Tx), FrameworkException (org.structr.common.error.FrameworkException), TestOne (org.structr.core.entity.TestOne), Principal (org.structr.core.entity.Principal), Result (org.structr.core.Result), Test (org.junit.Test)

Example 25 with Principal

Use of org.structr.core.entity.Principal in project structr by structr.

From the class AccessControlTest, method test08WriteAccess.

@Test
public void test08WriteAccess() {

    // remove auto-generated resource access objects
    clearResourceAccess();

    try {

        final Principal owner = createTestNode(Principal.class);

        // create new node, owned by "owner"
        createTestNode(TestOne.class, owner);

        // the security context is built for the owner; in Frontend mode permissions are enforced
        final SecurityContext userContext = SecurityContext.getInstance(owner, AccessMode.Frontend);
        final App userApp                 = StructrApp.getInstance(userContext);

        // the owner can find and modify its own node
        try (final Tx tx = userApp.tx()) {

            final TestOne t = StructrApp.getInstance(userContext).nodeQuery(TestOne.class).getFirst();
            assertNotNull(t);

            t.setProperty(TestOne.aString, "aString");
            assertEquals("aString", t.getProperty(TestOne.aString));

            tx.success();
        }

    } catch (FrameworkException ex) {
        logger.warn("", ex);
        fail("Unexpected exception");
    }
}
Also used: StructrApp (org.structr.core.app.StructrApp), App (org.structr.core.app.App), Tx (org.structr.core.graph.Tx), FrameworkException (org.structr.common.error.FrameworkException), TestOne (org.structr.core.entity.TestOne), Principal (org.structr.core.entity.Principal), Test (org.junit.Test)
