
Example 26 with Principal

Use of org.structr.core.entity.Principal in the structr project (by structr).

Class AccessControlTest, method test09PrivilegeEscalation.

@Test
public void test09PrivilegeEscalation() {
    // remove auto-generated resource access objects
    clearResourceAccess();
    try {
        final Class principalType = StructrApp.getConfiguration().getNodeEntityClass("Principal");
        Principal nonAdmin = (Principal) createTestNode(principalType);
        final PropertyKey<Boolean> isAdminKey = StructrApp.key(principalType, "isAdmin");
        // act as the non-admin user itself, in frontend access mode
        final SecurityContext userContext = SecurityContext.getInstance(nonAdmin, AccessMode.Frontend);
        nonAdmin.setSecurityContext(userContext);
        App userApp = StructrApp.getInstance(userContext);
        // attempt 1: the user tries to grant itself admin rights via setProperty()
        try (final Tx tx = userApp.tx()) {
            assertFalse(nonAdmin.isAdmin());
            nonAdmin.setProperty(isAdminKey, true);
            fail("Privilege escalation using setProperty()-method! Non-admin may not set an admin flag!");
            tx.success();
        } catch (FrameworkException ex) {
            // expected: the write is rejected and the flag stays false
            assertFalse("Privilege escalation using setProperty()-method! Non-admin may not set an admin flag!", nonAdmin.isAdmin());
        }
        // attempt 2: the same escalation via the bulk setProperties() path
        try (final Tx tx = userApp.tx()) {
            assertFalse(nonAdmin.isAdmin());
            PropertyMap props = new PropertyMap();
            props.put(isAdminKey, true);
            nonAdmin.setProperties(userContext, props);
            fail("Privilege escalation using setProperties()-method! Non-admin may not set an admin flag!");
            tx.success();
        } catch (FrameworkException ex) {
            // expected: rejected as well, flag still false
            assertFalse("Privilege escalation using setProperties()-method! Non-admin may not set an admin flag!", nonAdmin.isAdmin());
        }
    } catch (FrameworkException ex) {
        fail("Unexpected Exception");
    }
}
Also used: org.structr.core.app.StructrApp, org.structr.core.app.App, org.structr.core.property.PropertyMap, org.structr.core.graph.Tx, org.structr.common.error.FrameworkException, org.structr.core.entity.Principal, org.junit.Test

Example 27 with Principal

Use of org.structr.core.entity.Principal in the structr project (by structr).

Class AccessControlTest, method testGroupVisibilityForMembers.

@Test
public void testGroupVisibilityForMembers() {
    Principal user1 = null;
    Principal user2 = null;
    Group group = null;
    // create two users with the superuser app
    try (final Tx tx = app.tx()) {
        user1 = createTestNode(Principal.class, "user1");
        user2 = createTestNode(Principal.class, "user2");
        tx.success();
    } catch (FrameworkException t) {
        logger.warn("", t);
        fail("Unexpected exception.");
    }
    final SecurityContext user1Context = SecurityContext.getInstance(user1, AccessMode.Backend);
    final SecurityContext user2Context = SecurityContext.getInstance(user2, AccessMode.Backend);
    final App user1App = StructrApp.getInstance(user1Context);
    final App user2App = StructrApp.getInstance(user2Context);
    // user1 creates a group (and thereby becomes its owner)
    try (final Tx tx = user1App.tx()) {
        group = user1App.create(Group.class, "group");
        assertEquals("Invalid group owner", user1, group.getOwnerNode());
        // add user2 to group
        group.addMember(user2);
        tx.success();
    } catch (FrameworkException t) {
        logger.warn("", t);
        fail("Unexpected exception.");
    }
    // a member must be able to read the group and its name
    try (final Tx tx = user2App.tx()) {
        final Group testGroup = user2App.nodeQuery(Group.class).andName("group").getFirst();
        assertNotNull("Group should be readable for members", testGroup);
        assertEquals("Group name should be readable for members", "group", testGroup.getName());
        tx.success();
    } catch (FrameworkException t) {
        logger.warn("", t);
        fail("Unexpected exception.");
    }
    // but a member must not be able to modify the group: expect HTTP 403
    try (final Tx tx = user2App.tx()) {
        final Group testGroup = user2App.nodeQuery(Group.class).andName("group").getFirst();
        assertNotNull("Group should be readable for members", testGroup);
        assertEquals("Group name should be readable for members", "group", testGroup.getName());
        testGroup.setProperty(Group.name, "dontchangeme");
        fail("Group name should not be writable for members");
        tx.success();
    } catch (FrameworkException t) {
        assertEquals(403, t.getStatus());
        assertEquals("Modification not permitted.", t.getMessage());
    }
}
Also used: org.structr.core.app.StructrApp, org.structr.core.app.App, org.structr.core.entity.Group, org.structr.core.graph.Tx, org.structr.common.error.FrameworkException, org.structr.core.entity.Principal, org.junit.Test

Example 28 with Principal

Use of org.structr.core.entity.Principal in the structr project (by structr).

Class AccessControlTest, method test02SetDifferentPrincipalTypesAsOwner.

@Test
public void test02SetDifferentPrincipalTypesAsOwner() {
    try (final Tx tx = app.tx()) {
        final List<Principal> users = createTestNodes(Principal.class, 2);
        final Principal user1 = (Principal) users.get(0);
        final Group group1 = createTestNode(Group.class, "test group");
        final TestOne t1 = createTestNode(TestOne.class);
        t1.setProperty(AbstractNode.owner, user1);
        t1.setProperty(AbstractNode.owner, group1);
        assertEquals(group1, t1.getProperty(AbstractNode.owner));
        Ownership ownerRel = t1.getIncomingRelationship(PrincipalOwnsNode.class);
        assertNotNull(ownerRel);
        // Do additional low-level check here to ensure cardinality!
        List<Relationship> incomingRels = Iterables.toList(t1.getNode().getRelationships(Direction.INCOMING, new PrincipalOwnsNode()));
        assertEquals(1, incomingRels.size());
        tx.success();
    } catch (FrameworkException ex) {
        logger.error(ex.toString());
        fail("Unexpected exception");
    }
}
Also used: org.structr.core.entity.Group, org.structr.core.entity.relationship.Ownership, org.structr.core.entity.relationship.PrincipalOwnsNode, org.structr.core.graph.Tx, org.structr.common.error.FrameworkException, org.structr.api.graph.Relationship, org.structr.core.entity.TestOne, org.structr.core.entity.Principal, org.junit.Test

Example 29 with Principal

Use of org.structr.core.entity.Principal in the structr project (by structr).

Class BasicTest, method testRelationshipEndNodeTypeRestriction.

@Test
public void testRelationshipEndNodeTypeRestriction() {
    // types are filtered according to the types of their end nodes
    try (final Tx tx = app.tx()) {
        // create two OWNS relationships with different end node types
        final TestOne testOne = app.create(TestOne.class, "testone");
        final TestThree testThree = app.create(TestThree.class, "testthree");
        final Principal testUser = app.create(Principal.class, "testuser");
        testOne.setProperty(TestOne.testThree, testThree);
        testThree.setProperty(TestThree.owner, testUser);
        tx.success();
    } catch (FrameworkException fex) {
        logger.warn("", fex);
        fail("Unexpected exception.");
    }
    try (final Tx tx = app.tx()) {
        final List<OneThreeOneToOne> rels = app.relationshipQuery(OneThreeOneToOne.class).getAsList();
        assertEquals("Relationship query returns wrong number of results", 1, rels.size());
        for (final OneThreeOneToOne rel : rels) {
            assertEquals("Relationship query returns wrong type", OneThreeOneToOne.class, rel.getClass());
        }
        tx.success();
    } catch (FrameworkException fex) {
        logger.warn("", fex);
        fail("Unexpected exception.");
    }
}
Also used: org.structr.core.entity.OneThreeOneToOne, org.structr.core.graph.Tx, org.structr.common.error.FrameworkException, org.structr.core.entity.TestThree, org.structr.core.entity.TestOne, org.structr.core.entity.Principal, org.junit.Test

Example 30 with Principal

Use of org.structr.core.entity.Principal in the structr project (by structr).

Class CustomPermissionQueriesTest, method test01SimplePermissionResolutionRead.

@Test
public void test01SimplePermissionResolutionRead() {
    final Class<Principal> principalType = StructrApp.getConfiguration().getNodeEntityClass("Principal");
    Principal user1 = null;
    Class type1 = null;
    try (final Tx tx = app.tx()) {
        // create a test user
        user1 = app.create(principalType, "user1");
        final SchemaNode t1 = app.create(SchemaNode.class, "Type1");
        tx.success();
    } catch (FrameworkException fex) {
        fex.printStackTrace();
        fail("Unexpected exception");
    }
    Assert.assertNotNull("User should have been created", user1);
    try (final Tx tx = app.tx()) {
        type1 = StructrApp.getConfiguration().getNodeEntityClass("Type1");
        Assert.assertNotNull("Node type Type1 should exist.", type1);
        final NodeInterface instance1 = app.create(type1, "instance1OfType1");
        Assert.assertNotNull("Instance of type Type1 should exist", instance1);
        tx.success();
    } catch (FrameworkException fex) {
        fex.printStackTrace();
        fail("Unexpected exception");
    }
    // check access for user1 on instance1
    final App userApp = StructrApp.getInstance(SecurityContext.getInstance(user1, AccessMode.Backend));
    try (final Tx tx = userApp.tx()) {
        Assert.assertNull("User1 should NOT be able to find instance of type Type1", userApp.nodeQuery(type1).getFirst());
        tx.success();
    } catch (FrameworkException fex) {
        fex.printStackTrace();
        fail("Unexpected exception");
    }
    // set custom permission query on user
    try (final Tx tx = userApp.tx()) {
        // query returns always true if user exists
        user1.setProperty(StructrApp.key(Principal.class, "customPermissionQueryRead"), "MATCH (p:Principal {id: {principalUuid}}) RETURN p IS NOT NULL");
        tx.success();
    } catch (FrameworkException fex) {
        fex.printStackTrace();
        fail("Unexpected exception");
    }
    // check access for user1 on instance1
    try (final Tx tx = userApp.tx()) {
        Assert.assertNotNull("User1 should be able to find instance of type Type1", userApp.nodeQuery(type1).getFirst());
        tx.success();
    } catch (FrameworkException fex) {
        fex.printStackTrace();
        fail("Unexpected exception");
    }
    // set custom permission query on user
    try (final Tx tx = userApp.tx()) {
        // query returns always false if user exists
        user1.setProperty(StructrApp.key(Principal.class, "customPermissionQueryRead"), "MATCH (p:Principal {id: {principalUuid}}) RETURN p IS NULL");
        tx.success();
    } catch (FrameworkException fex) {
        fex.printStackTrace();
        fail("Unexpected exception");
    }
    // check access for user1 on instance1
    try (final Tx tx = userApp.tx()) {
        Assert.assertNull("User1 should NOT be able to find instance of type Type1", userApp.nodeQuery(type1).getFirst());
        tx.success();
    } catch (FrameworkException fex) {
        fex.printStackTrace();
        fail("Unexpected exception");
    }
}
Also used: org.structr.core.app.StructrApp, org.structr.core.app.App, org.structr.core.entity.SchemaNode, org.structr.core.graph.Tx, org.structr.common.error.FrameworkException, org.structr.core.entity.Principal, org.structr.core.graph.NodeInterface, org.junit.Test
