Example 1 with TestOne
use of org.structr.core.entity.TestOne in project structr by structr.
the class AccessControlTest method testGroupMembershipVisibility.
@Test
public void testGroupMembershipVisibility() {
Principal user1 = null;
Principal user2 = null;
Group group = null;
try (final Tx tx = app.tx()) {
user1 = createTestNode(Principal.class, "user1");
user2 = createTestNode(Principal.class, "user2");
tx.success();
} catch (FrameworkException t) {
logger.warn("", t);
fail("Unexpected exception.");
}
final SecurityContext user1Context = SecurityContext.getInstance(user1, AccessMode.Backend);
final App user1App = StructrApp.getInstance(user1Context);
try (final Tx tx = user1App.tx()) {
group = user1App.create(Group.class, "group");
user1App.create(TestOne.class, "testone");
assertEquals("Invalid group owner", user1, group.getOwnerNode());
tx.success();
} catch (FrameworkException t) {
logger.warn("", t);
fail("Unexpected exception.");
}
try (final Tx tx = user1App.tx()) {
final TestOne test = user1App.nodeQuery(TestOne.class).getFirst();
assertNotNull(test);
test.grant(Permission.read, group);
tx.success();
} catch (FrameworkException t) {
logger.warn("", t);
fail("Unexpected exception.");
}
// ################################################################################################################
// user2 is not yet member of the group, so
// it should not be possible to access the object
final SecurityContext user2Context = SecurityContext.getInstance(user2, AccessMode.Backend);
final App user2App = StructrApp.getInstance(user2Context);
try (final Tx tx = user2App.tx()) {
final TestOne test = user2App.nodeQuery(TestOne.class).getFirst();
assertNull(test);
tx.success();
} catch (FrameworkException fex) {
logger.warn("", fex);
fail("Unexpected exception.");
}
try (final Tx tx = user1App.tx()) {
group.addMember(user2);
tx.success();
} catch (FrameworkException t) {
logger.warn("", t);
fail("Unexpected exception.");
}
try (final Tx tx = user2App.tx()) {
final TestOne test = user2App.nodeQuery(TestOne.class).getFirst();
assertNotNull("Group should be readable for members", test);
tx.success();
} catch (FrameworkException fex) {
logger.warn("", fex);
fail("Unexpected exception.");
}
try (final Tx tx = user2App.tx()) {
final TestOne test = user2App.nodeQuery(TestOne.class).getFirst();
assertNotNull("Group should be readable for members", test);
test.setProperty(TestOne.name, "newname");
tx.success();
fail("User should not be able to write an object that it doesn't own.");
} catch (FrameworkException fex) {
assertEquals("Invalid group permissions result", 403, fex.getStatus());
assertEquals("Invalid group permissions result", "Modification not permitted.", fex.getMessage());
}
try (final Tx tx = user1App.tx()) {
final TestOne test = app.nodeQuery(TestOne.class).getFirst();
assertNotNull("Group should be readable for members", test);
test.grant(Permission.write, group);
tx.success();
} catch (FrameworkException t) {
logger.warn("", t);
fail("Unexpected exception.");
}
try (final Tx tx = user2App.tx()) {
final TestOne test = user2App.nodeQuery(TestOne.class).getFirst();
assertNotNull("Group should be readable for members", test);
test.setProperty(TestOne.name, "newname");
tx.success();
} catch (FrameworkException fex) {
logger.warn("", fex);
fail("Unexpected exception.");
}
}
Also used :
StructrApp(org.structr.core.app.StructrApp)
App(org.structr.core.app.App)
Group(org.structr.core.entity.Group)
Tx(org.structr.core.graph.Tx)
FrameworkException(org.structr.common.error.FrameworkException)
TestOne(org.structr.core.entity.TestOne)
Principal(org.structr.core.entity.Principal)
Test(org.junit.Test)
Example 2 with TestOne
use of org.structr.core.entity.TestOne in project structr by structr.
the class AccessControlTest method test01WriteAccess.
@Test
public void test01WriteAccess() {
// remove auto-generated resource access objects
clearResourceAccess();
try {
final Principal owner = createTestNode(Principal.class);
final Principal user = createTestNode(Principal.class);
// create new node
final TestOne t1 = createTestNode(TestOne.class, owner);
final SecurityContext ownerContext = SecurityContext.getInstance(owner, AccessMode.Frontend);
final SecurityContext userContext = SecurityContext.getInstance(user, AccessMode.Frontend);
final App ownerAppContext = StructrApp.getInstance(ownerContext);
final App userAppContext = StructrApp.getInstance(userContext);
// test with owner, expect success
try (final Tx tx = ownerAppContext.tx()) {
final TestOne t = StructrApp.getInstance(ownerContext).nodeQuery(TestOne.class).getFirst();
assertNotNull(t);
t.setProperty(TestOne.aString, "aString");
assertEquals("aString", t.getProperty(TestOne.aString));
tx.success();
}
// test with foreign user, expect failure, node should not be found
try (final Tx tx = userAppContext.tx()) {
// node should not be found
assertNull(StructrApp.getInstance(userContext).nodeQuery(TestOne.class).getFirst());
tx.success();
}
// test with foreign user, expect failure, node should not be found
try (final Tx tx = ownerAppContext.tx()) {
// make node visible to user
t1.grant(Permission.read, user);
tx.success();
}
// try to grant read permissions in user context, should fail because user doesn't have access control permission
try (final Tx tx = userAppContext.tx()) {
try {
final TestOne t = StructrApp.getInstance(userContext).nodeQuery(TestOne.class).getFirst();
t.grant(Permission.read, user);
fail("Non-owner should not be allowed to change permissions on object");
} catch (FrameworkException fex) {
// expect status 403 forbidden
assertEquals(fex.getStatus(), 403);
}
tx.success();
}
// try to grant read permissions in owner context, should succeed (?)
try (final Tx tx = ownerAppContext.tx()) {
// important lesson here: the context under which the node is constructed defines the security context
final TestOne t = StructrApp.getInstance(ownerContext).nodeQuery(TestOne.class).getFirst();
t.grant(Permission.accessControl, user);
tx.success();
}
// test with foreign user, expect failure
try (final Tx tx = userAppContext.tx()) {
final TestOne t = StructrApp.getInstance(userContext).nodeQuery(TestOne.class).getFirst();
// node should be found because it's public
assertNotNull(t);
// setProperty should fail because of missing write permissions
try {
t.setProperty(TestOne.aString, "aString");
fail("setProperty should not be allowed for non-owner on publicly visible nodes");
} catch (FrameworkException fex) {
// expect status 403 forbidden
assertEquals(fex.getStatus(), 403);
}
tx.success();
}
// grant write
try (final Tx tx = app.tx()) {
// make t1 visible to public users explicitely
t1.setProperty(GraphObject.visibleToPublicUsers, true);
tx.success();
}
} catch (FrameworkException ex) {
logger.warn("", ex);
fail("Unexpected exception");
}
}
Also used :
StructrApp(org.structr.core.app.StructrApp)
App(org.structr.core.app.App)
Tx(org.structr.core.graph.Tx)
FrameworkException(org.structr.common.error.FrameworkException)
TestOne(org.structr.core.entity.TestOne)
Principal(org.structr.core.entity.Principal)
Test(org.junit.Test)
Example 3 with TestOne
use of org.structr.core.entity.TestOne in project structr by structr.
the class AccessControlTest method test05FrontendUserAccessToProtectedNode.
@Test
public void test05FrontendUserAccessToProtectedNode() {
// remove auto-generated resource access objects
clearResourceAccess();
try {
List<Principal> users = createTestNodes(Principal.class, 2);
Principal user1 = (Principal) users.get(0);
Principal user2 = (Principal) users.get(1);
PropertyMap props = new PropertyMap();
props.put(AbstractNode.visibleToPublicUsers, true);
// Create two nodes with user context, one of them is visible to public users
Class type = TestOne.class;
TestOne t1 = createTestNode(TestOne.class, props, user1);
props = new PropertyMap();
props.put(AbstractNode.visibleToAuthenticatedUsers, true);
TestOne t2 = createTestNode(TestOne.class, props, user1);
// Let another user search
SecurityContext user2Context = SecurityContext.getInstance(user2, AccessMode.Frontend);
try (final Tx tx = app.tx()) {
Result result = StructrApp.getInstance(user2Context).nodeQuery(type).getResult();
assertEquals(2, result.size());
}
} catch (FrameworkException ex) {
logger.warn("", ex);
fail("Unexpected exception");
}
}
Also used :
PropertyMap(org.structr.core.property.PropertyMap)
Tx(org.structr.core.graph.Tx)
FrameworkException(org.structr.common.error.FrameworkException)
TestOne(org.structr.core.entity.TestOne)
Principal(org.structr.core.entity.Principal)
Result(org.structr.core.Result)
Test(org.junit.Test)
Example 4 with TestOne
use of org.structr.core.entity.TestOne in project structr by structr.
the class AccessControlTest method test08WriteAccess.
@Test
public void test08WriteAccess() {
// remove auto-generated resource access objects
clearResourceAccess();
try {
final Principal owner = createTestNode(Principal.class);
// create new node
createTestNode(TestOne.class, owner);
final SecurityContext userContext = SecurityContext.getInstance(owner, AccessMode.Frontend);
final App userApp = StructrApp.getInstance(userContext);
try (final Tx tx = userApp.tx()) {
final TestOne t = StructrApp.getInstance(userContext).nodeQuery(TestOne.class).getFirst();
assertNotNull(t);
t.setProperty(TestOne.aString, "aString");
assertEquals("aString", t.getProperty(TestOne.aString));
tx.success();
}
} catch (FrameworkException ex) {
logger.warn("", ex);
fail("Unexpected exception");
}
}
Also used :
StructrApp(org.structr.core.app.StructrApp)
App(org.structr.core.app.App)
Tx(org.structr.core.graph.Tx)
FrameworkException(org.structr.common.error.FrameworkException)
TestOne(org.structr.core.entity.TestOne)
Principal(org.structr.core.entity.Principal)
Test(org.junit.Test)
Example 5 with TestOne
use of org.structr.core.entity.TestOne in project structr by structr.
the class AccessControlTest method test02SetDifferentPrincipalTypesAsOwner.
@Test
public void test02SetDifferentPrincipalTypesAsOwner() {
try (final Tx tx = app.tx()) {
final List<Principal> users = createTestNodes(Principal.class, 2);
final Principal user1 = (Principal) users.get(0);
final Group group1 = createTestNode(Group.class, "test group");
final TestOne t1 = createTestNode(TestOne.class);
t1.setProperty(AbstractNode.owner, user1);
t1.setProperty(AbstractNode.owner, group1);
assertEquals(group1, t1.getProperty(AbstractNode.owner));
Ownership ownerRel = t1.getIncomingRelationship(PrincipalOwnsNode.class);
assertNotNull(ownerRel);
// Do additional low-level check here to ensure cardinality!
List<Relationship> incomingRels = Iterables.toList(t1.getNode().getRelationships(Direction.INCOMING, new PrincipalOwnsNode()));
assertEquals(1, incomingRels.size());
tx.success();
} catch (FrameworkException ex) {
logger.error(ex.toString());
fail("Unexpected exception");
}
}
Also used :
Group(org.structr.core.entity.Group)
Ownership(org.structr.core.entity.relationship.Ownership)
PrincipalOwnsNode(org.structr.core.entity.relationship.PrincipalOwnsNode)
Tx(org.structr.core.graph.Tx)
FrameworkException(org.structr.common.error.FrameworkException)
Relationship(org.structr.api.graph.Relationship)
TestOne(org.structr.core.entity.TestOne)
Principal(org.structr.core.entity.Principal)
Test(org.junit.Test)
Aggregations
Test (org.junit.Test)74
TestOne (org.structr.core.entity.TestOne)74
Tx (org.structr.core.graph.Tx)72
FrameworkException (org.structr.common.error.FrameworkException)70
StructrTest (org.structr.common.StructrTest)20
Result (org.structr.core.Result)15
Principal (org.structr.core.entity.Principal)15
TestSix (org.structr.core.entity.TestSix)15
NodeInterface (org.structr.core.graph.NodeInterface)15
Random (java.util.Random)12
ActionContext (org.structr.schema.action.ActionContext)12
LinkedList (java.util.LinkedList)10
TestFour (org.structr.core.entity.TestFour)9
PropertyMap (org.structr.core.property.PropertyMap)9
PropertyKey (org.structr.core.property.PropertyKey)8
Date (java.util.Date)7
App (org.structr.core.app.App)7
StructrApp (org.structr.core.app.StructrApp)7
NotFoundException (org.structr.api.NotFoundException)6
UnlicensedException (org.structr.common.error.UnlicensedException)6
