javax.jcr.security.AccessControlManager Java Examples

@Test
public void testGetPackageRootNoRootAccess() throws Exception {
    Node packageRoot = packMgr.getPackageRoot();

    // TODO: maybe rather change the setup of the test-base to not assume that everyone has full read-access
    AccessControlManager acMgr = admin.getAccessControlManager();
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/");
    acMgr.removePolicy(acl.getPath(), acl);

    AccessControlUtils.getAccessControlList(acMgr, "/etc/packages");
    AccessControlUtils.allow(packageRoot, org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal.NAME, javax.jcr.security.Privilege.JCR_READ);

    admin.save();

    Session anonymous = repository.login(new GuestCredentials());
    try {
        assertFalse(anonymous.nodeExists("/"));
        assertFalse(anonymous.nodeExists("/etc"));
        assertTrue(anonymous.nodeExists("/etc/packages"));

        JcrPackageManagerImpl jcrPackageManager = new JcrPackageManagerImpl(anonymous, new String[0]);
        jcrPackageManager.getPackageRoot(false);
    } finally {
        anonymous.logout();
    }
}
 

public List<Privilege> createPrivileges(final AccessControlManager accessControlManager,
    final List<String> permissions) throws RepositoryException, PermissionException {
  final List<Privilege> privileges = new ArrayList<>();
  final List<String> unknownPermissions = new ArrayList<>();
  for (final String permission : permissions) {
    try {
      privileges.addAll(createPrivileges(accessControlManager, permission));
    } catch (PermissionException e) {
      unknownPermissions.add(permission);
    }
  }
  if (!unknownPermissions.isEmpty()) {
    throw new PermissionException(MessagingUtils.unknownPermissions(unknownPermissions));
  }

  return privileges;
}
 

@Test
public void testGetPackageRootNoCreateAccess() throws Exception {
    // TODO: maybe rather change the setup of the test-base to not assume that everyone has full read-access
    AccessControlManager acMgr = admin.getAccessControlManager();
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/");
    for (AccessControlEntry ace : acl.getAccessControlEntries()) {
        acl.removeAccessControlEntry(ace);
    }
    acl.addEntry(AccessControlUtils.getEveryonePrincipal(admin),
            AccessControlUtils.privilegesFromNames(admin, javax.jcr.security.Privilege.JCR_READ),
            true,
            Collections.singletonMap("rep:glob", admin.getValueFactory().createValue("etc/*")));
    admin.save();

    Session anonymous = repository.login(new GuestCredentials());
    try {
        JcrPackageManagerImpl jcrPackageManager = new JcrPackageManagerImpl(anonymous, new String[0]);
        assertNull(jcrPackageManager.getPackageRoot(true));

        try {
            jcrPackageManager.getPackageRoot(false);
            fail();
        } catch (AccessDeniedException | PathNotFoundException e) {
            // success
        }
    }  finally {
        anonymous.logout();
    }
}
 

@Override
public AccessControlManager getAccessControlManager() throws UnsupportedRepositoryOperationException, RepositoryException {
    AccessControlManager manager = this.wrappedSession.getAccessControlManager();
    return manager instanceof JackrabbitAccessControlManager ?
            new JackrabbitAccessControlManagerWrapper(this, (JackrabbitAccessControlManager) manager) :
            new AccessControlManagerWrapper<>(this, manager);
}
 

@Test
@Ignore("JCRVLT-100")
public void exportNoRootAccess() throws RepositoryException, IOException, PackageException {
    // setup access control
    Node packageRoot = new JcrPackageManagerImpl(admin, new String[0]).getPackageRoot();
    AccessControlManager acMgr = admin.getAccessControlManager();
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/");
    acMgr.removePolicy(acl.getPath(), acl);

    AccessControlUtils.getAccessControlList(acMgr, packageRoot.getPath());
    AccessControlUtils.allow(packageRoot, org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal.NAME, Privilege.JCR_ALL);

    Node tmpNode = new JcrPackageManagerImpl(admin, new String[0]).getPackageRoot();
    AccessControlUtils.getAccessControlList(acMgr, tmpNode.getPath());
    AccessControlUtils.allow(tmpNode, org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal.NAME, Privilege.JCR_ALL);

    admin.save();

    // import existing package
    JcrPackage pack = packMgr.upload(getStream("/test-packages/tmp_foo_bar_test.zip"), false);
    PackageId id = pack.getDefinition().getId();
    assertNotNull(pack);
    pack.extract(getDefaultOptions());
    assertNodeExists("/tmp/foo/bar/test.txt");

    // login as guest an
    Session anonymous = repository.login(new GuestCredentials());
    JcrPackageManagerImpl jcrPackageManager = new JcrPackageManagerImpl(anonymous, new String[0]);
    pack = jcrPackageManager.open(id);
    jcrPackageManager.assemble(pack, null);
}
 

/**
 * Tests if an 'empty' node serialization includes the jcr namespace. see JCRVLT-266
 */
@Test
public void testFormatterIncludesJcrNamespace() throws Exception {
    // rep:itemNames restrictions are only supported in oak.
    Assume.assumeTrue(isOak());

    JcrUtils.getOrCreateByPath("/testroot", NodeType.NT_UNSTRUCTURED, admin);
    admin.save();

    // setup access control
    AccessControlManager acMgr = admin.getAccessControlManager();
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/testroot");

    Privilege[] privs = new Privilege[]{acMgr.privilegeFromName(Privilege.JCR_READ)};
    Map<String, Value[]> rest = new HashMap<>();
    rest.put("rep:itemNames", new Value[]{
            admin.getValueFactory().createValue("jcr:mixinTypes", PropertyType.NAME),
            admin.getValueFactory().createValue("jcr:primaryType", PropertyType.NAME)
    });
    acl.addEntry(EveryonePrincipal.getInstance(), privs, false, null, rest);
    acMgr.setPolicy("/testroot", acl);
    admin.save();

    Session guest = repository.login(new GuestCredentials());

    DefaultWorkspaceFilter filter = new DefaultWorkspaceFilter();
    filter.add(new PathFilterSet("/testroot"));
    RepositoryAddress addr = new RepositoryAddress("/" + admin.getWorkspace().getName() + "/");
    VaultFileSystem jcrfs = Mounter.mount(null, filter, addr, null, guest);
    Aggregate a = jcrfs.getAggregateManager().getRoot().getAggregate("testroot");
    DocViewSerializer s = new DocViewSerializer(a);

    ByteArrayOutputStream out = new ByteArrayOutputStream();
    s.writeContent(out);

    assertEquals("valid xml",
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
            "<jcr:root xmlns:jcr=\"http://www.jcp.org/jcr/1.0\"/>\n", out.toString("utf-8"));
}
 

private void removeAll(final Context context, Authorizable authorizable) throws RepositoryException {
  final AccessControlManager accessControlManager = context.getAccessControlManager();
  final Principal principal = authorizable.getPrincipal();

  final JackrabbitAccessControlList jackrabbitAcl = JackrabbitAccessControlListUtil
      .getModifiableAcl(accessControlManager, path);
  final AccessControlEntry[] accessControlEntries = jackrabbitAcl.getAccessControlEntries();
  for (final AccessControlEntry accessControlEntry : accessControlEntries) {
    if (accessControlEntry.getPrincipal().equals(principal)) {
      jackrabbitAcl.removeAccessControlEntry(accessControlEntry);
    }
  }
  accessControlManager.setPolicy(path, jackrabbitAcl);
}
 

private List<Privilege> createPrivileges(final AccessControlManager accessControlManager,
    final String permission) throws RepositoryException, PermissionException {
  try {
    Optional<PrivilegeGroup> privilegeGroup = PrivilegeGroup.getFromTitle(permission);
    if (privilegeGroup.isPresent()) {
      return privilegeGroup.get().toPrivileges(accessControlManager);
    } else {
      return Collections.singletonList(accessControlManager.privilegeFromName(permission));
    }
  } catch (AccessControlException e) {
    throw new PermissionException("Unknown permission " + permission, e);
  }
}
 

private void updateAccessControlList(boolean allow,
    final AccessControlManager accessControlManager,
    final List<Privilege> privileges, final Principal principal) throws RepositoryException {
  final JackrabbitAccessControlList jackrabbitAcl = JackrabbitAccessControlListUtil
      .getModifiableAcl(accessControlManager, path);

  addEntry(allow, privileges, principal, jackrabbitAcl);
  accessControlManager.setPolicy(path, jackrabbitAcl);
}
 

public static JackrabbitAccessControlList getAccessControlList(final AccessControlManager accessManager,
		final String path) throws RepositoryException {
	final AccessControlPolicy[] existing = accessManager.getPolicies(path);
	for (final AccessControlPolicy policy : existing) {
		if (policy instanceof JackrabbitAccessControlList) {
			return (JackrabbitAccessControlList) policy;
		}
	}
	return null;
}
 

public static JackrabbitAccessControlList getApplicableAccessControlList(
		final AccessControlManager accessManager, final String path) throws RepositoryException {
	// find policies which may be applied to node indicated by path (may be treated as policy factory)
	final AccessControlPolicyIterator applicablePolicies = accessManager.getApplicablePolicies(path);
	while (applicablePolicies.hasNext()) {
		final AccessControlPolicy policy = applicablePolicies.nextAccessControlPolicy();
		if (policy instanceof JackrabbitAccessControlList) {
			return (JackrabbitAccessControlList) policy;
		}
	}
	return null;
}
 

public static JackrabbitAccessControlList getModifiableAcl(final AccessControlManager accessManager,
		final String path) throws RepositoryException {
	final JackrabbitAccessControlList acl = getAccessControlList(accessManager, path);
	if (null != acl) {
		return acl;
	}

	final JackrabbitAccessControlList applicableAcl = getApplicableAccessControlList(accessManager, path);
	if (null != applicableAcl) {
		return applicableAcl;
	}

	throw new AccessControlException("No modifiable ACL at " + path);
}
 

public void applyPermissions(AccessControlManager accessControlManager, Principal principal,
    boolean allow) throws RepositoryException, PermissionException {
  final List<Privilege> privileges = createPrivileges(accessControlManager, permissions);
  updateAccessControlList(allow, accessControlManager, privileges, principal);
}
 

public void checkPermissions(AccessControlManager accessControlManager)
    throws RepositoryException, PermissionException {
  createPrivileges(accessControlManager, permissions);
}
 

@Override
public AccessControlManager getAccessControlManager() throws UnsupportedRepositoryOperationException, RepositoryException {
    throw new UnsupportedRepositoryOperationException();
}
 

Privilege[] getPrivileges(AccessControlManager acMgr) throws RepositoryException {
    return AccessControlUtils.privilegesFromNames(acMgr, privileges);
}
 

AccessControlManager getAccessControlManager();