Use of org.structr.core.entity.Principal in project structr by structr: class AccessControlTest, method test09PrivilegeEscalation.
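@Test
public void test09PrivilegeEscalation() {

	// Regression test for privilege escalation: a non-admin principal, acting under its
	// own SecurityContext, must not be able to set its own "isAdmin" flag. Both write
	// paths are exercised in separate transactions: setProperty() and setProperties().
	// In each case the framework is expected to reject the write with a
	// FrameworkException and the flag must still be unset afterwards.

	// remove auto-generated resource access objects
	clearResourceAccess();

	try {

		final Class principalType             = StructrApp.getConfiguration().getNodeEntityClass("Principal");
		final Principal nonAdmin              = (Principal) createTestNode(principalType);
		final PropertyKey<Boolean> isAdminKey = StructrApp.key(principalType, "isAdmin");

		// Frontend access mode: the principal acts as an end user would
		final SecurityContext userContext = SecurityContext.getInstance(nonAdmin, AccessMode.Frontend);
		nonAdmin.setSecurityContext(userContext);

		final App userApp = StructrApp.getInstance(userContext);

		// attempt 1: single-property write
		try (final Tx tx = userApp.tx()) {

			assertFalse("Test principal must start out as non-admin", nonAdmin.isAdmin());

			nonAdmin.setProperty(isAdminKey, true);

			// reaching this line means the write was accepted; fail() throws, so the
			// transaction is never committed
			fail("Privilege escalation using setProperty()-method! Non-admin may not set an admin flag!");

		} catch (FrameworkException ex) {

			// expected path: the write was rejected and the flag is still unset
			assertFalse("Privilege escalation using setProperty()-method! Non-admin may not set an admin flag!", nonAdmin.isAdmin());
		}

		// attempt 2: bulk write via PropertyMap
		try (final Tx tx = userApp.tx()) {

			assertFalse("Test principal must start out as non-admin", nonAdmin.isAdmin());

			final PropertyMap props = new PropertyMap();
			props.put(isAdminKey, true);

			nonAdmin.setProperties(userContext, props);

			// reaching this line means the write was accepted; fail() throws, so the
			// transaction is never committed
			fail("Privilege escalation using setProperties()-method! Non-admin may not set an admin flag!");

		} catch (FrameworkException ex) {

			// expected path: the write was rejected and the flag is still unset
			assertFalse("Privilege escalation using setProperties()-method! Non-admin may not set an admin flag!", nonAdmin.isAdmin());
		}

	} catch (FrameworkException ex) {

		// failure during setup (node creation etc.), not the behaviour under test;
		// keep the cause so the report shows why setup failed
		throw new AssertionError("Unexpected Exception", ex);
	}
}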
Use of org.structr.core.entity.Principal in project structr by structr: class AccessControlTest, method testGroupVisibilityForMembers.
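@Test
public void testGroupVisibilityForMembers() {

	// Scenario: user1 creates a group (becoming its owner) and adds user2 as a member.
	// A member must be able to read the group and its name, but must not be able to
	// modify it: the attempted rename must be rejected with HTTP status 403.

	Principal user1 = null;
	Principal user2 = null;
	Group group     = null;

	// setup: two principals, created with the superuser app
	try (final Tx tx = app.tx()) {

		user1 = createTestNode(Principal.class, "user1");
		user2 = createTestNode(Principal.class, "user2");

		tx.success();

	} catch (FrameworkException t) {

		logger.warn("", t);
		fail("Unexpected exception.");
	}

	// each user acts through its own SecurityContext/App so that access checks apply
	final SecurityContext user1Context = SecurityContext.getInstance(user1, AccessMode.Backend);
	final SecurityContext user2Context = SecurityContext.getInstance(user2, AccessMode.Backend);
	final App user1App                 = StructrApp.getInstance(user1Context);
	final App user2App                 = StructrApp.getInstance(user2Context);

	// user1 creates the group and adds user2 to it
	try (final Tx tx = user1App.tx()) {

		group = user1App.create(Group.class, "group");

		assertEquals("Invalid group owner", user1, group.getOwnerNode());

		// add user2 to group
		group.addMember(user2);

		tx.success();

	} catch (FrameworkException t) {

		logger.warn("", t);
		fail("Unexpected exception.");
	}

	// read access: user2 must be able to find the group and read its name
	try (final Tx tx = user2App.tx()) {

		final Group testGroup = user2App.nodeQuery(Group.class).andName("group").getFirst();

		assertNotNull("Group should be readable for members", testGroup);
		assertEquals("Group name should be readable for members", "group", testGroup.getName());

		tx.success();

	} catch (FrameworkException t) {

		logger.warn("", t);
		fail("Unexpected exception.");
	}

	// write access: renaming the group as a mere member must be rejected
	try (final Tx tx = user2App.tx()) {

		final Group testGroup = user2App.nodeQuery(Group.class).andName("group").getFirst();

		assertNotNull("Group should be readable for members", testGroup);
		assertEquals("Group name should be readable for members", "group", testGroup.getName());

		testGroup.setProperty(Group.name, "dontchangeme");

		// reaching this line means the write was accepted; fail() throws, so the
		// transaction is never committed
		fail("Group name should not be writable for members");

	} catch (FrameworkException t) {

		// expected path: the write was rejected as "forbidden"
		assertEquals(403, t.getStatus());
		assertEquals("Modification not permitted.", t.getMessage());
	}
}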
Use of org.structr.core.entity.Principal in project structr by structr: class AccessControlTest, method test02SetDifferentPrincipalTypesAsOwner.
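@Test
public void test02SetDifferentPrincipalTypesAsOwner() {

	// Both a user (Principal) and a Group may own a node. Setting the owner property
	// twice with principals of different types must replace the ownership
	// relationship, not add a second one: the last owner set wins and exactly one
	// incoming ownership relationship remains on the node.

	try (final Tx tx = app.tx()) {

		final List<Principal> users = createTestNodes(Principal.class, 2);
		final Principal user1       = users.get(0);
		final Group group1          = createTestNode(Group.class, "test group");
		final TestOne t1            = createTestNode(TestOne.class);

		// first a user, then a group, as owner of the same node
		t1.setProperty(AbstractNode.owner, user1);
		t1.setProperty(AbstractNode.owner, group1);

		// high-level check: the owner property reflects the last write
		assertEquals(group1, t1.getProperty(AbstractNode.owner));

		final Ownership ownerRel = t1.getIncomingRelationship(PrincipalOwnsNode.class);
		assertNotNull(ownerRel);

		// Do additional low-level check here to ensure cardinality!
		final List<Relationship> incomingRels = Iterables.toList(t1.getNode().getRelationships(Direction.INCOMING, new PrincipalOwnsNode()));
		assertEquals(1, incomingRels.size());

		tx.success();

	} catch (FrameworkException ex) {

		// log with stack trace, consistent with the other tests in this class
		logger.warn("", ex);
		fail("Unexpected exception");
	}
}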
Use of org.structr.core.entity.Principal in project structr by structr: class BasicTest, method testRelationshipEndNodeTypeRestriction.
@Test
public void testRelationshipEndNodeTypeRestriction() {

	// types are filtered according to the types of their end nodes

	// setup: one TestOne -> TestThree relationship and one Principal -> TestThree
	// ownership; only the first has the end node types of OneThreeOneToOne
	try (final Tx tx = app.tx()) {

		// create two OWNS relationships with different end node types
		final TestOne one     = app.create(TestOne.class, "testone");
		final TestThree three = app.create(TestThree.class, "testthree");
		final Principal user  = app.create(Principal.class, "testuser");

		one.setProperty(TestOne.testThree, three);
		three.setProperty(TestThree.owner, user);

		tx.success();

	} catch (FrameworkException ex) {

		logger.warn("", ex);
		fail("Unexpected exception.");
	}

	// verification: the typed relationship query must return exactly one result,
	// and that result must be of the queried type
	try (final Tx tx = app.tx()) {

		final List<OneThreeOneToOne> result = app.relationshipQuery(OneThreeOneToOne.class).getAsList();

		assertEquals("Relationship query returns wrong number of results", 1, result.size());

		result.forEach(rel -> assertEquals("Relationship query returns wrong type", OneThreeOneToOne.class, rel.getClass()));

		tx.success();

	} catch (FrameworkException ex) {

		logger.warn("", ex);
		fail("Unexpected exception.");
	}
}
Use of org.structr.core.entity.Principal in project structr by structr: class CustomPermissionQueriesTest, method test01SimplePermissionResolutionRead.
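@Test
public void test01SimplePermissionResolutionRead() {

	// A principal's "customPermissionQueryRead" property holds a Cypher query that is
	// consulted when read access for that principal is resolved. This test creates a
	// node of a dynamically defined schema type that the user cannot see by default,
	// then flips the query between one that always matches and one that never
	// matches, and checks that the node's visibility for the user follows the query.
	// NOTE(review): {principalUuid} is presumably bound by the framework to the id of
	// the principal being checked — not visible in this test, confirm against the
	// permission resolution code.

	final Class<Principal> principalType = StructrApp.getConfiguration().getNodeEntityClass("Principal");

	Principal user1 = null;
	Class type1     = null;

	// setup 1: a test user and a schema node defining the dynamic type "Type1"
	try (final Tx tx = app.tx()) {

		user1 = app.create(principalType, "user1");

		// the node class for this schema node is looked up in a later transaction
		app.create(SchemaNode.class, "Type1");

		tx.success();

	} catch (FrameworkException fex) {

		throw new AssertionError("Unexpected exception", fex);
	}

	Assert.assertNotNull("User should have been created", user1);

	// setup 2: an instance of the dynamic type, created with the superuser app
	try (final Tx tx = app.tx()) {

		type1 = StructrApp.getConfiguration().getNodeEntityClass("Type1");
		Assert.assertNotNull("Node type Type1 should exist.", type1);

		final NodeInterface instance1 = app.create(type1, "instance1OfType1");
		Assert.assertNotNull("Instance of type Type1 should exist", instance1);

		tx.success();

	} catch (FrameworkException fex) {

		throw new AssertionError("Unexpected exception", fex);
	}

	// all further operations run as user1 so that permission resolution is applied
	final App userApp = StructrApp.getInstance(SecurityContext.getInstance(user1, AccessMode.Backend));

	// baseline: no custom permission query set -> instance1 is not visible to user1
	try (final Tx tx = userApp.tx()) {

		Assert.assertNull("User1 should NOT be able to find instance of type Type1", userApp.nodeQuery(type1).getFirst());

		tx.success();

	} catch (FrameworkException fex) {

		throw new AssertionError("Unexpected exception", fex);
	}

	// set custom permission query on user
	try (final Tx tx = userApp.tx()) {

		// query returns always true if user exists
		user1.setProperty(StructrApp.key(Principal.class, "customPermissionQueryRead"), "MATCH (p:Principal {id: {principalUuid}}) RETURN p IS NOT NULL");

		tx.success();

	} catch (FrameworkException fex) {

		throw new AssertionError("Unexpected exception", fex);
	}

	// with an always-true query, user1 may now read instance1
	try (final Tx tx = userApp.tx()) {

		Assert.assertNotNull("User1 should be able to find instance of type Type1", userApp.nodeQuery(type1).getFirst());

		tx.success();

	} catch (FrameworkException fex) {

		throw new AssertionError("Unexpected exception", fex);
	}

	// set custom permission query on user
	try (final Tx tx = userApp.tx()) {

		// query returns always false if user exists
		user1.setProperty(StructrApp.key(Principal.class, "customPermissionQueryRead"), "MATCH (p:Principal {id: {principalUuid}}) RETURN p IS NULL");

		tx.success();

	} catch (FrameworkException fex) {

		throw new AssertionError("Unexpected exception", fex);
	}

	// with an always-false query, instance1 is hidden from user1 again
	try (final Tx tx = userApp.tx()) {

		Assert.assertNull("User1 should NOT be able to find instance of type Type1", userApp.nodeQuery(type1).getFirst());

		tx.success();

	} catch (FrameworkException fex) {

		throw new AssertionError("Unexpected exception", fex);
	}
}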