/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.jackrabbit.oak.security.authorization.evaluation;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import java.util.Collections;
import java.util.Map;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import com.google.common.collect.ImmutableMap;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
/**
* Test compatibility with Jackrabbit 2.x using the
* {@link org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants#PARAM_PERMISSIONS_JR2} configuration parameter.
*/
public class Jr2CompatibilityTest extends AbstractOakCoreTest {
@Override
@Before
public void before() throws Exception {
super.before();
setupPermission("/", getTestUser().getPrincipal(), true, PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
}
@Override
@After
public void after() throws Exception {
try {
AccessControlManager acMgr = getAccessControlManager(root);
JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/");
if (acl != null) {
boolean modified = false;
for (AccessControlEntry entry : acl.getAccessControlEntries()) {
if (entry.getPrincipal().equals(getTestUser().getPrincipal())) {
acl.removeAccessControlEntry(entry);
modified = true;
}
}
if (modified) {
acMgr.setPolicy("/", acl);
root.commit();
}
}
} finally {
super.after();
}
}
@Override
protected ConfigurationParameters getSecurityConfigParameters() {
Map<String, String> map = Collections.singletonMap(PermissionConstants.PARAM_PERMISSIONS_JR2, PermissionConstants.VALUE_PERMISSIONS_JR2);
ConfigurationParameters acConfig = new ConfigurationParameters(map);
return new ConfigurationParameters(ImmutableMap.of(AuthorizationConfiguration.NAME, acConfig));
}
@Test
public void testUserManagementPermissionWithJr2Flag() throws Exception {
Root testRoot = getTestRoot();
testRoot.refresh();
UserManager testUserMgr = getUserConfiguration().getUserManager(testRoot, NamePathMapper.DEFAULT);
try {
User u = testUserMgr.createUser("a", "b");
testRoot.commit();
u.changePassword("c");
testRoot.commit();
u.remove();
testRoot.commit();
} finally {
root.refresh();
Authorizable user = getUserManager(root).getAuthorizable("a");
if (user != null) {
user.remove();
root.commit();
}
}
}
@Test
public void testRemoveNodeWithJr2Flag() throws Exception {
/* allow READ/WRITE privilege for testUser at 'path' */
setupPermission("/a", testPrincipal, true, PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
/* deny REMOVE_NODE privilege at subtree. */
setupPermission("/a/b", testPrincipal, false, PrivilegeConstants.JCR_REMOVE_NODE);
Root testRoot = getTestRoot();
AccessControlManager acMgr = getAccessControlManager(testRoot);
assertTrue(acMgr.hasPrivileges("/a", privilegesFromNames(PrivilegeConstants.REP_WRITE)));
assertFalse(acMgr.hasPrivileges("/a/b", privilegesFromNames(PrivilegeConstants.JCR_REMOVE_NODE)));
// removing the tree must fail
try {
testRoot.getTree("/a").remove();
testRoot.commit();
fail();
} catch (CommitFailedException e) {
// success
assertTrue(e.isAccessViolation());
}
}
@Test
public void testRemoveNodeWithJr2Flag2() throws Exception {
/* allow READ/WRITE privilege for testUser at 'path' */
setupPermission("/a", testPrincipal, true, PrivilegeConstants.JCR_READ, PrivilegeConstants.REP_WRITE);
/* deny REP_REMOVE_PROPERTIES privilege at subtree. */
setupPermission("/a/b", testPrincipal, false, PrivilegeConstants.REP_REMOVE_PROPERTIES);
Root testRoot = getTestRoot();
AccessControlManager acMgr = getAccessControlManager(testRoot);
assertTrue(acMgr.hasPrivileges("/a", privilegesFromNames(PrivilegeConstants.REP_WRITE)));
assertFalse(acMgr.hasPrivileges("/a/b", privilegesFromNames(PrivilegeConstants.REP_REMOVE_PROPERTIES)));
// removing the tree must fail
try {
testRoot.getTree("/a").remove();
testRoot.commit();
fail();
} catch (CommitFailedException e) {
// success
assertTrue(e.isAccessViolation());
}
}
}