use of org.xmldb.api.base.Collection in project exist by eXist-db.
the class XMLDBSecurityTest method noSetGid_copyResource_resourceGroupIsUsersPrimaryGroup.
@Test
public void noSetGid_copyResource_resourceGroupIsUsersPrimaryGroup() throws XMLDBException {
Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest2", "test1", "test1");
EXistCollectionManagementService cms = (EXistCollectionManagementService) test.getService("CollectionManagementService", "1.0");
// create the /db/securityTest2/test.xml resource
Resource resource = test.createResource("test.xml", XMLResource.RESOURCE_TYPE);
resource.setContent("<test/>");
test.storeResource(resource);
// create /db/securityTest2/parentCollection with owner "test1:users" and mode "rwxrwxrwx"
Collection parentCollection = cms.createCollection("parentCollection");
UserManagementService ums = (UserManagementService) parentCollection.getService("UserManagementService", "1.0");
ums.chmod("rwxrwxrwx");
// now copy /db/securityTest2/test.xml to /db/securityTest2/parentCollection/test.xml
// as user3, it should have it's group set to the primary group of user3 i.e. 'guest'
// as the collection is NOT setGid and it should not have the setGid bit
test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest2", "test3", "test3");
cms = (EXistCollectionManagementService) test.getService("CollectionManagementService", "1.0");
cms.copyResource("test.xml", "/db/securityTest2/parentCollection", "test.xml");
ums = (UserManagementService) parentCollection.getService("UserManagementService", "1.0");
parentCollection = test.getChildCollection("parentCollection");
resource = parentCollection.getResource("test.xml");
final Permission permissions = ums.getPermissions(resource);
assertEquals("guest", permissions.getGroup().getName());
assertFalse(permissions.isSetGid());
}
use of org.xmldb.api.base.Collection in project exist by eXist-db.
the class XMLDBSecurityTest method worldChmodResource.
// fails since guest has no write permissions
@Test(expected = XMLDBException.class)
public void worldChmodResource() throws XMLDBException {
final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "guest", "guest");
final Resource resource = test.getResource("test.xml");
final UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
// grant myself all rights ;-)
ums.chmod(resource, 0777);
}
use of org.xmldb.api.base.Collection in project exist by eXist-db.
the class XMLDBSecurityTest method nonSetGidXQueryCannotWriteRestrictedCollection.
@Test(expected = XMLDBException.class)
public void nonSetGidXQueryCannotWriteRestrictedCollection() throws XMLDBException {
final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest2", "test1", "test1");
final long timestamp = System.currentTimeMillis();
final String content = "<not_setgid>" + timestamp + "</not_setgid>";
// create an XQuery /db/securityTest1/not_setgid.xquery
final String xquery = "xmldb:store('/db/securityTest2/forSetGidWrite', 'not_setgid.xml', " + content + ")";
Resource xqueryResource = test.createResource("not_setgid.xquery", "BinaryResource");
xqueryResource.setContent(xquery);
test.storeResource(xqueryResource);
// set the xquery to be owned by 'test1':'users' and set it 'setgid', and set it 'rx' by ohers, so 'test3' can execute it!
UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
xqueryResource = test.getResource("not_setgid.xquery");
// NOT setgid
ums.chmod(xqueryResource, 00705);
// create a collection for the XQuery to write into
final CollectionManagementService cms = (CollectionManagementService) test.getService("CollectionManagementService", "1.0");
final Collection colForSetUid = cms.createCollection("forSetGidWrite");
// only allow the group 'users' to write into the collection
ums = (UserManagementService) colForSetUid.getService("UserManagementService", "1.0");
ums.chmod(0070);
// execute the XQuery as the 'test3' user... it should become 'setgid' of 'users' and succeed.
final Collection test3 = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest2", "test3", "test3");
final EXistXPathQueryService queryService = (EXistXPathQueryService) test3.getService("XPathQueryService", "1.0");
final ResourceSet result = queryService.executeStoredQuery("/db/securityTest2/not_setgid.xquery");
assertFalse("/db/securityTest2/forSetGidWrite/not_setgid.xml".equals(result.getResource(0).getContent()));
}
use of org.xmldb.api.base.Collection in project exist by eXist-db.
the class XMLDBSecurityTest method groupChmodResource_asNotOwnerAndNotDBA.
@Test(expected = XMLDBException.class)
public void groupChmodResource_asNotOwnerAndNotDBA() throws XMLDBException {
final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test2", "test2");
final Resource resource = test.getResource("test.xml");
final UserManagementService ums = (UserManagementService) test.getService("UserManagementService", "1.0");
// grant myself all rights ;-)
ums.chmod(resource, 0777);
}
use of org.xmldb.api.base.Collection in project exist by eXist-db.
the class XMLDBSecurityTest method copyCollection_doesPreservePermissionsOfSubCollections.
@Test
public void copyCollection_doesPreservePermissionsOfSubCollections() throws XMLDBException {
final Collection test = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest1", "test1", "test1");
EXistCollectionManagementService cms = (EXistCollectionManagementService) test.getService("CollectionManagementService", "1.0");
cms.copy(XmldbURI.create("/db/securityTest1"), XmldbURI.create("/db/securityTest3"), XmldbURI.create("copy-of-securityTest1"));
final Collection testCopy = DatabaseManager.getCollection(getBaseUri() + "/db/securityTest3/copy-of-securityTest1", "test1", "test1");
final Collection sub1 = testCopy.getChildCollection("sub1");
final UserManagementService ums = (UserManagementService) sub1.getService("UserManagementService", "1.0");
final Permission permissions = ums.getPermissions(sub1);
assertEquals("test1", permissions.getOwner().getName());
assertEquals("users", permissions.getGroup().getName());
assertEquals(0777, permissions.getMode());
}
Aggregations