
Example 1 with ResourceAccess

use of org.structr.core.entity.ResourceAccess in project structr by structr.

From the class ResourceAccessTest, method test03ResourceAccessPUT.

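/**
 * Walks a Folder PUT request through every ResourceAccess state and asserts
 * the HTTP status the authenticator is expected to return at each step:
 * no grant (401), FORBIDDEN grant (401), AUTH_USER_PUT only (401 for an
 * anonymous caller), NON_AUTH_USER_PUT on a public grant (404, because the
 * ownerless, non-public folder is not visible to an anonymous caller) and
 * finally an authenticated PUT by the folder's owner (200).
 */
@Test
public void test03ResourceAccessPUT() {
    // clear resource access objects that are created by the dynamic schema
    clearResourceAccess();

    final String name = "testuser-01";
    final String password = "testpassword-01";

    ResourceAccess folderGrant = null;
    User testUser = null;
    Folder testFolder = null;

    // Step 1: no grant node exists yet => anonymous PUT is rejected.
    try (final Tx tx = app.tx()) {
        testUser = createTestNodes(User.class, 1).get(0);
        testFolder = createTestNodes(Folder.class, 1).get(0);
        assertNotNull(testFolder);

        // no resource access node at all => forbidden
        RestAssured.given().contentType("application/json; charset=UTF-8").expect().statusCode(401).when().put("/folder/" + testFolder.getUuid());

        folderGrant = createResourceAccess("Folder", UiAuthenticator.FORBIDDEN);
        tx.success();
    } catch (FrameworkException fex) {
        // log once with the stack trace and carry the cause into the assertion message
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 2: grant explicitly FORBIDDEN => still rejected; then open PUT for authenticated users.
    try (final Tx tx = app.tx()) {
        RestAssured.given().contentType("application/json; charset=UTF-8").expect().statusCode(401).when().put("/folder/" + testFolder.getUuid());

        // allow PUT for authenticated users => access without user/pass must still be forbidden
        folderGrant.setFlag(UiAuthenticator.AUTH_USER_PUT);
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 3: AUTH_USER_PUT does not help an anonymous caller; then open PUT for anonymous users.
    try (final Tx tx = app.tx()) {
        RestAssured.given().contentType("application/json; charset=UTF-8").expect().statusCode(401).when().put("/folder/" + testFolder.getUuid());

        // the grant node itself must be visible to public users before an anonymous request can use it
        folderGrant.setProperties(folderGrant.getSecurityContext(), new PropertyMap(GraphObject.visibleToPublicUsers, true));
        folderGrant.setFlag(UiAuthenticator.NON_AUTH_USER_PUT);
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 4: grant passes, but the ownerless non-public node cannot be found by an anonymous user => 404.
    try (final Tx tx = app.tx()) {
        RestAssured.given().contentType("application/json; charset=UTF-8").expect().statusCode(404).when().put("/folder/" + testFolder.getUuid());

        // prepare the next step: give the test user credentials ...
        final PropertyMap testUserProperties = new PropertyMap();
        testUserProperties.put(StructrApp.key(User.class, "name"), name);
        testUserProperties.put(StructrApp.key(User.class, "password"), password);
        testUser.setProperties(testUser.getSecurityContext(), testUserProperties);

        // ... and make that user the owner of the folder
        testFolder.setProperties(testFolder.getSecurityContext(), new PropertyMap(AbstractNode.owner, testUser));
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 5: authenticated owner with AUTH_USER_PUT => 200.
    try (final Tx tx = app.tx()) {
        RestAssured.given().headers("X-User", name, "X-Password", password).contentType("application/json; charset=UTF-8").expect().statusCode(200).when().put("/folder/" + testFolder.getUuid());
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }
}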

Example 2 with ResourceAccess

use of org.structr.core.entity.ResourceAccess in project structr by structr.

From the class ResourceAccessTest, method test01ResourceAccessGET.

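/**
 * Walks a GET on the Folder collection through every ResourceAccess state
 * and asserts the expected HTTP status at each step: no grant (401),
 * FORBIDDEN grant (401), AUTH_USER_GET only (401 for an anonymous caller)
 * and NON_AUTH_USER_GET on a public grant (200).
 */
@Test
public void test01ResourceAccessGET() {
    // clear resource access objects that are created by the dynamic schema
    clearResourceAccess();

    Folder testFolder = null;
    ResourceAccess folderGrant = null;

    // Step 1: no grant node exists yet => anonymous GET is rejected.
    try (final Tx tx = app.tx()) {
        testFolder = createTestNodes(Folder.class, 1).get(0);
        assertNotNull(testFolder);

        // no resource access node at all => forbidden
        RestAssured.given().contentType("application/json; charset=UTF-8").expect().statusCode(401).when().get("/folders");
        tx.success();
    } catch (FrameworkException fex) {
        // log once with the stack trace and carry the cause into the assertion message
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 2: create a grant that forbids everything.
    try (final Tx tx = app.tx()) {
        folderGrant = createResourceAccess("Folder", UiAuthenticator.FORBIDDEN);
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 3: grant explicitly FORBIDDEN => still rejected; then open GET for authenticated users.
    try (final Tx tx = app.tx()) {
        RestAssured.given().contentType("application/json; charset=UTF-8").expect().statusCode(401).when().get("/folders");

        // the grant node itself must be visible to public users before an anonymous request can use it;
        // AUTH_USER_GET alone must not open access without user/pass
        folderGrant.setProperties(folderGrant.getSecurityContext(), new PropertyMap(GraphObject.visibleToPublicUsers, true));
        folderGrant.setFlag(UiAuthenticator.AUTH_USER_GET);
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 4: AUTH_USER_GET does not help an anonymous caller; then open GET for anonymous users.
    try (final Tx tx = app.tx()) {
        RestAssured.given().contentType("application/json; charset=UTF-8").expect().statusCode(401).when().get("/folders");

        // allow GET for non-authenticated users => access without user/pass is now allowed
        folderGrant.setFlag(UiAuthenticator.NON_AUTH_USER_GET);
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 5: anonymous GET with NON_AUTH_USER_GET => 200.
    try (final Tx tx = app.tx()) {
        RestAssured.given().contentType("application/json; charset=UTF-8").expect().statusCode(200).when().get("/folders");
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }
}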

Example 3 with ResourceAccess

use of org.structr.core.entity.ResourceAccess in project structr by structr.

From the class ResourceAccessTest, method test04ResourceAccessDELETE.

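/**
 * Walks a Folder DELETE request through every ResourceAccess state and
 * asserts the expected HTTP status at each step: no grant (401), FORBIDDEN
 * grant (401), AUTH_USER_DELETE only (401 for an anonymous caller),
 * NON_AUTH_USER_DELETE on a public grant (404, because the ownerless,
 * non-public folder is not visible to an anonymous caller) and finally an
 * authenticated DELETE by the folder's owner (200).
 */
@Test
public void test04ResourceAccessDELETE() {
    // clear resource access objects that are created by the dynamic schema
    clearResourceAccess();

    final String name = "testuser-01";
    final String password = "testpassword-01";

    Folder testFolder = null;
    User testUser = null;
    ResourceAccess folderGrant = null;

    // Step 1: create the fixtures.
    try (final Tx tx = app.tx()) {
        testFolder = createTestNodes(Folder.class, 1).get(0);
        assertNotNull(testFolder);
        testUser = createTestNodes(User.class, 1).get(0);
        tx.success();
    } catch (FrameworkException fex) {
        // log once with the stack trace and carry the cause into the assertion message
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 2: no grant node exists yet => anonymous DELETE is rejected; then create a FORBIDDEN grant.
    try (final Tx tx = app.tx()) {
        // no resource access node at all => forbidden
        RestAssured.given().contentType("application/json; charset=UTF-8").expect().statusCode(401).when().delete("/folder/" + testFolder.getUuid());

        folderGrant = createResourceAccess("Folder", UiAuthenticator.FORBIDDEN);
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 3: grant explicitly FORBIDDEN => still rejected; then open DELETE for authenticated users.
    try (final Tx tx = app.tx()) {
        RestAssured.given().contentType("application/json; charset=UTF-8").expect().statusCode(401).when().delete("/folder/" + testFolder.getUuid());

        folderGrant.setFlag(UiAuthenticator.AUTH_USER_DELETE);
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 4: AUTH_USER_DELETE does not help an anonymous caller; then open DELETE for anonymous users.
    try (final Tx tx = app.tx()) {
        RestAssured.given().contentType("application/json; charset=UTF-8").expect().statusCode(401).when().delete("/folder/" + testFolder.getUuid());

        // the grant node itself must be visible to public users before an anonymous request can use it
        folderGrant.setProperties(folderGrant.getSecurityContext(), new PropertyMap(GraphObject.visibleToPublicUsers, true));
        folderGrant.setFlag(UiAuthenticator.NON_AUTH_USER_DELETE);
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 5: grant passes, but the ownerless non-public node cannot be found by an anonymous user => 404.
    try (final Tx tx = app.tx()) {
        RestAssured.given().contentType("application/json; charset=UTF-8").expect().statusCode(404).when().delete("/folder/" + testFolder.getUuid());

        // give the test user credentials ...
        final PropertyMap changedProperties = new PropertyMap();
        changedProperties.put(StructrApp.key(User.class, "name"), name);
        changedProperties.put(StructrApp.key(User.class, "password"), password);
        testUser.setProperties(testUser.getSecurityContext(), changedProperties);

        // ... and make that user the owner of the folder
        testFolder.setProperties(testFolder.getSecurityContext(), new PropertyMap(AbstractNode.owner, testUser));
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }

    // Step 6: authenticated owner with AUTH_USER_DELETE => 200.
    try (final Tx tx = app.tx()) {
        RestAssured.given().headers("X-User", name, "X-Password", password).contentType("application/json; charset=UTF-8").expect().statusCode(200).when().delete("/folder/" + testFolder.getUuid());
        tx.success();
    } catch (FrameworkException fex) {
        logger.error("Unexpected exception", fex);
        fail("Unexpected exception: " + fex);
    }
}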

Example 4 with ResourceAccess

use of org.structr.core.entity.ResourceAccess in project structr by structr.

From the class UiAuthenticator, method checkResourceAccess.

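/**
 * Enforces the {@link ResourceAccess} grant for the current request.
 * <p>
 * The super user and admin users always pass. Every other caller needs a
 * grant for {@code rawResourceSignature} that carries the flag matching the
 * request's HTTP method and the caller's authentication state (the
 * {@code AUTH_USER_*} flags for authenticated callers, the
 * {@code NON_AUTH_USER_*} flags for anonymous ones). Anything else — no grant,
 * an HTTP method that is not mapped in {@code methods}, or a grant without the
 * required flag — is rejected, so the check fails closed.
 *
 * @param securityContext the caller's security context; its user (if any) selects the flag set
 * @param request the servlet request; only its HTTP method is consulted here
 * @param rawResourceSignature the resource signature the grant is looked up by
 * @param propertyView not used by this check, part of the authenticator contract
 * @throws UnauthorizedException if the request is not granted
 * @throws FrameworkException if the grant lookup fails
 */
@Override
public void checkResourceAccess(final SecurityContext securityContext, final HttpServletRequest request, final String rawResourceSignature, final String propertyView) throws FrameworkException {

    final ResourceAccess resourceAccess = ResourceAccess.findGrant(securityContext, rawResourceSignature);
    final Method method = methods.get(request.getMethod());
    final Principal user = securityContext.getUser(false);
    final boolean validUser = (user != null);

    // super user and admins are always authorized
    if (validUser && (user instanceof SuperUser || user.isAdmin())) {
        return;
    }

    // no grant => no access rights
    if (resourceAccess == null) {
        logger.info("No resource access grant found for signature {}. (URI: {})", rawResourceSignature, securityContext.getCompoundRequestURI());
        throw new UnauthorizedException("Forbidden");
    }

    // an HTTP method without a mapping would NPE in the switch below; reject it
    // explicitly instead so an unexpected verb is denied rather than erroring out
    if (method == null) {
        logger.info("Unsupported HTTP method {} for signature {}. (URI: {})", request.getMethod(), rawResourceSignature, securityContext.getCompoundRequestURI());
        throw new UnauthorizedException("Forbidden");
    }

    // authenticated callers are checked against the AUTH_USER_* flag of the
    // method, anonymous callers against the NON_AUTH_USER_* flag
    switch (method) {
        case GET:
            if (resourceAccess.hasFlag(validUser ? AUTH_USER_GET : NON_AUTH_USER_GET)) {
                return;
            }
            break;
        case PUT:
            if (resourceAccess.hasFlag(validUser ? AUTH_USER_PUT : NON_AUTH_USER_PUT)) {
                return;
            }
            break;
        case POST:
            if (resourceAccess.hasFlag(validUser ? AUTH_USER_POST : NON_AUTH_USER_POST)) {
                return;
            }
            break;
        case DELETE:
            if (resourceAccess.hasFlag(validUser ? AUTH_USER_DELETE : NON_AUTH_USER_DELETE)) {
                return;
            }
            break;
        case OPTIONS:
            if (resourceAccess.hasFlag(validUser ? AUTH_USER_OPTIONS : NON_AUTH_USER_OPTIONS)) {
                return;
            }
            break;
        case HEAD:
            if (resourceAccess.hasFlag(validUser ? AUTH_USER_HEAD : NON_AUTH_USER_HEAD)) {
                return;
            }
            break;
        default:
            // any other mapped method has no grant flag => denied below
            break;
    }

    logger.info("Resource access grant found for signature {}, but method {} not allowed for {}.", rawResourceSignature, method, validUser ? "authenticated users" : "public users");
    throw new UnauthorizedException("Forbidden");
}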

Example 5 with ResourceAccess

use of org.structr.core.entity.ResourceAccess in project structr by structr.

From the class BasicTest, method test04CheckNodeEntities.

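/**
 * Create a node for each configured entity class and check the type.
 * <p>
 * Every class found in {@code org.structr.core.entity} that is an
 * {@link AbstractNode} is instantiated through {@code app.create}; the few
 * types that cannot be created empty get their mandatory properties set
 * first. Types known to violate constraints are skipped. The test fails
 * early, with the cause, when the entity classes cannot be loaded at all.
 */
@Test
public void test04CheckNodeEntities() {

    AccessControlTest.clearResourceAccess();

    final PropertyMap props = new PropertyMap();

    try (final Tx tx = app.tx()) {

        final List<Class> entityList;
        try {
            entityList = getClasses("org.structr.core.entity");
        } catch (IOException | ClassNotFoundException ex) {
            // without the class list every assertion below would fail with an unhelpful message
            logger.error("Could not load entity classes", ex);
            fail("Could not load entity classes: " + ex);
            return;
        }

        assertTrue(entityList.contains(AbstractNode.class));
        assertTrue(entityList.contains(GenericNode.class));
        assertTrue(entityList.contains(Location.class));
        assertTrue(entityList.contains(ResourceAccess.class));

        // Don't test these, it would fail due to violated constraints
        entityList.remove(TestTwo.class);
        entityList.remove(TestNine.class);
        entityList.remove(SchemaNode.class);
        entityList.remove(SchemaRelationshipNode.class);

        for (final Class type : entityList) {

            if (!AbstractNode.class.isAssignableFrom(type)) {
                continue;
            }

            // start from an empty property set for every type
            props.clear();

            // mandatory fields of the types that cannot be created empty
            // (a class equals exactly one of these, so an if/else chain suffices)
            if (type.equals(Group.class)) {
                props.put(Group.name, "Group-0");
            } else if (type.equals(TestSeven.class)) {
                props.put(TestSeven.name, "TestSeven-0");
            } else if (type.equals(ResourceAccess.class)) {
                props.put(ResourceAccess.signature, "/X");
                props.put(ResourceAccess.flags, 6L);
            } else if (type.equals(DynamicResourceAccess.class)) {
                props.put(DynamicResourceAccess.signature, "/Y");
                props.put(DynamicResourceAccess.flags, 6L);
            } else if (type.equals(Location.class)) {
                props.put(StructrApp.key(Location.class, "latitude"), 12.34);
                props.put(StructrApp.key(Location.class, "longitude"), 56.78);
            }
            // NOTE(review): a Localization setup (name/locale) used to be here but was commented
            // out; Localization is created with empty props like every other type.

            logger.info("Creating node of type {}", type);

            final NodeInterface node = app.create(type, props);
            assertTrue("Type mismatch for " + type.getSimpleName(), type.getSimpleName().equals(node.getProperty(AbstractNode.type)));
        }

        tx.success();

    } catch (FrameworkException ex) {
        // log once with the stack trace and carry the cause into the assertion message
        logger.error("Unexpected exception", ex);
        fail("Unexpected exception: " + ex);
    }
}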
