Google Git
Sign in
apache / sling-org-apache-sling-jcr-jackrabbit-accessmanager / 302c1def09d37b9c94d5081e0ba4cc80715742ea / . / src / test / java / org / apache / sling / jcr / jackrabbit / accessmanager / it / AccessPrivilegesInfoIT.java
blob: 337c1eb0d6f35c052f03066f6aca604f008a76a7 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.sling.jcr.jackrabbit.accessmanager.it;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.json.JsonArray;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.NameValuePair;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.message.BasicNameValuePair;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.ops4j.pax.exam.Option;
import org.ops4j.pax.exam.junit.PaxExam;
import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
import org.ops4j.pax.exam.spi.reactors.PerClass;
@RunWith(PaxExam.class)
@ExamReactorStrategy(PerClass.class)
public class AccessPrivilegesInfoIT extends AccessManagerClientTestSupport {
@Override
protected Option buildBundleResourcesBundle() throws IOException {
final List<String> resourcePaths = Arrays.asList("/apps/nt/unstructured/privileges-info.json.esp");
final String bundleResourcesHeader = String.join(",", resourcePaths);
return buildBundleResourcesBundle(bundleResourcesHeader, resourcePaths);
}
/*
* testuser granted read / denied write
*/
@Test
public void testDeniedWriteForUser() throws IOException, JsonException {
testUserId = createTestUser();
testFolderUrl = createTestFolder();
//assign some privileges
String postUrl = testFolderUrl + ".modifyAce.html";
List<NameValuePair> postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testUserId));
postParams.add(new BasicNameValuePair("privilege@jcr:read", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:readAccessControl", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:write", "denied"));
Credentials adminCreds = new UsernamePasswordCredentials("admin", "admin");
assertAuthenticatedPostStatus(adminCreds, postUrl, HttpServletResponse.SC_OK, postParams, null);
String getUrl = testFolderUrl + ".privileges-info.json";
//fetch the JSON for the test page to verify the settings.
Credentials testUserCreds = new UsernamePasswordCredentials(testUserId, "testPwd");
String json = getAuthenticatedContent(testUserCreds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
assertNotNull(json);
JsonObject jsonObj = parseJson(json);
assertNotNull(jsonObj);
assertEquals(false, jsonObj.getBoolean("canAddChildren"));
assertEquals(false, jsonObj.getBoolean("canDeleteChildren"));
assertEquals(false, jsonObj.getBoolean("canDelete"));
assertEquals(false, jsonObj.getBoolean("canModifyProperties"));
assertEquals(true, jsonObj.getBoolean("canReadAccessControl"));
assertEquals(false, jsonObj.getBoolean("canModifyAccessControl"));
}
/*
* testuser granted read / granted write
*/
@Test
public void testGrantedWriteForUser() throws IOException, JsonException {
testUserId = createTestUser();
testFolderUrl = createTestFolder();
//assign some privileges
String postUrl = testFolderUrl + ".modifyAce.html";
List<NameValuePair> postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testUserId));
postParams.add(new BasicNameValuePair("privilege@jcr:read", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:write", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:readAccessControl", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:modifyAccessControl", "granted"));
Credentials adminCreds = new UsernamePasswordCredentials("admin", "admin");
assertAuthenticatedPostStatus(adminCreds, postUrl, HttpServletResponse.SC_OK, postParams, null);
String getUrl = testFolderUrl + ".privileges-info.json";
//fetch the JSON for the test page to verify the settings.
Credentials testUserCreds = new UsernamePasswordCredentials(testUserId, "testPwd");
String json = getAuthenticatedContent(testUserCreds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
assertNotNull(json);
JsonObject jsonObj = parseJson(json);
assertEquals(true, jsonObj.getBoolean("canAddChildren"));
assertEquals(true, jsonObj.getBoolean("canDeleteChildren"));
//the parent node must also have jcr:removeChildren granted for 'canDelete' to be true
assertEquals(false, jsonObj.getBoolean("canDelete"));
assertEquals(true, jsonObj.getBoolean("canModifyProperties"));
assertEquals(true, jsonObj.getBoolean("canReadAccessControl"));
assertEquals(true, jsonObj.getBoolean("canModifyAccessControl"));
//add a child node to verify the 'canDelete' use case
String parentPath = testFolderUrl.substring(baseServerUri.toString().length());
String childFolderUrl = createTestFolder(parentPath, "testFolder");
String childPostUrl = childFolderUrl + ".modifyAce.html";
postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testUserId));
postParams.add(new BasicNameValuePair("privilege@jcr:read", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:removeNode", "granted"));
assertAuthenticatedPostStatus(adminCreds, childPostUrl, HttpServletResponse.SC_OK, postParams, null);
String childGetUrl = childFolderUrl + ".privileges-info.json";
String childJson = getAuthenticatedContent(testUserCreds, childGetUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
assertNotNull(childJson);
JsonObject childJsonObj = parseJson(childJson);
assertEquals(true, childJsonObj.getBoolean("canDelete"));
}
/*
* group testuser granted read / denied write
*/
@Test
public void testDeniedWriteForGroup() throws IOException, JsonException {
testGroupId = createTestGroup();
testUserId = createTestUser();
testFolderUrl = createTestFolder();
Credentials adminCreds = new UsernamePasswordCredentials("admin", "admin");
//add testUserId to testGroup
String groupPostUrl = String.format("%s/system/userManager/group/%s.update.html", baseServerUri, testGroupId);
List<NameValuePair> groupPostParams = new ArrayList<>();
groupPostParams.add(new BasicNameValuePair(":member", testUserId));
assertAuthenticatedPostStatus(adminCreds, groupPostUrl, HttpServletResponse.SC_OK, groupPostParams, null);
//assign some privileges
String postUrl = testFolderUrl + ".modifyAce.html";
List<NameValuePair> postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testGroupId));
postParams.add(new BasicNameValuePair("privilege@jcr:read", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:readAccessControl", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:write", "denied"));
assertAuthenticatedPostStatus(adminCreds, postUrl, HttpServletResponse.SC_OK, postParams, null);
String getUrl = testFolderUrl + ".privileges-info.json";
//fetch the JSON for the test page to verify the settings.
Credentials testUserCreds = new UsernamePasswordCredentials(testUserId, "testPwd");
String json = getAuthenticatedContent(testUserCreds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
assertNotNull(json);
JsonObject jsonObj = parseJson(json);
assertEquals(false, jsonObj.getBoolean("canAddChildren"));
assertEquals(false, jsonObj.getBoolean("canDeleteChildren"));
assertEquals(false, jsonObj.getBoolean("canDelete"));
assertEquals(false, jsonObj.getBoolean("canModifyProperties"));
assertEquals(true, jsonObj.getBoolean("canReadAccessControl"));
assertEquals(false, jsonObj.getBoolean("canModifyAccessControl"));
}
/*
* group testuser granted read / granted write
*/
@Test
public void testGrantedWriteForGroup() throws IOException, JsonException {
testGroupId = createTestGroup();
testUserId = createTestUser();
testFolderUrl = createTestFolder();
Credentials adminCreds = new UsernamePasswordCredentials("admin", "admin");
//add testUserId to testGroup
String groupPostUrl = String.format("%s/system/userManager/group/%s.update.html", baseServerUri, testGroupId);
List<NameValuePair> groupPostParams = new ArrayList<>();
groupPostParams.add(new BasicNameValuePair(":member", testUserId));
assertAuthenticatedPostStatus(adminCreds, groupPostUrl, HttpServletResponse.SC_OK, groupPostParams, null);
//assign some privileges
String postUrl = testFolderUrl + ".modifyAce.html";
List<NameValuePair> postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testGroupId));
postParams.add(new BasicNameValuePair("privilege@jcr:read", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:write", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:readAccessControl", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:modifyAccessControl", "granted"));
assertAuthenticatedPostStatus(adminCreds, postUrl, HttpServletResponse.SC_OK, postParams, null);
String getUrl = testFolderUrl + ".privileges-info.json";
//fetch the JSON for the test page to verify the settings.
Credentials testUserCreds = new UsernamePasswordCredentials(testUserId, "testPwd");
String json = getAuthenticatedContent(testUserCreds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
assertNotNull(json);
JsonObject jsonObj = parseJson(json);
assertEquals(true, jsonObj.getBoolean("canAddChildren"));
assertEquals(true, jsonObj.getBoolean("canDeleteChildren"));
//the parent node must also have jcr:removeChildren granted for 'canDelete' to be true
assertEquals(false, jsonObj.getBoolean("canDelete"));
assertEquals(true, jsonObj.getBoolean("canModifyProperties"));
assertEquals(true, jsonObj.getBoolean("canReadAccessControl"));
assertEquals(true, jsonObj.getBoolean("canModifyAccessControl"));
//add a child node to verify the 'canDelete' use case
String parentPath = testFolderUrl.substring(baseServerUri.toString().length());
String childFolderUrl = createTestFolder(parentPath, "testFolder");
String childPostUrl = childFolderUrl + ".modifyAce.html";
postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testGroupId));
postParams.add(new BasicNameValuePair("privilege@jcr:read", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:removeNode", "granted"));
assertAuthenticatedPostStatus(adminCreds, childPostUrl, HttpServletResponse.SC_OK, postParams, null);
String childGetUrl = childFolderUrl + ".privileges-info.json";
String childJson = getAuthenticatedContent(testUserCreds, childGetUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
assertNotNull(childJson);
JsonObject childJsonObj = parseJson(childJson);
assertEquals(true, childJsonObj.getBoolean("canDelete"));
}
/**
* Test the fix for SLING-1090
*/
@Test
public void testSLING1090() throws IOException {
testUserId = createTestUser();
//grant jcr: removeChildNodes to the root node
ArrayList<NameValuePair> postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testUserId));
postParams.add(new BasicNameValuePair("privilege@jcr:read", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:removeChildNodes", "granted"));
Credentials adminCreds = new UsernamePasswordCredentials("admin", "admin");
assertAuthenticatedPostStatus(adminCreds, String.format("%s/.modifyAce.html", baseServerUri), HttpServletResponse.SC_OK, postParams, null);
//create a node as a child of the root folder
testFolderUrl = createTestFolder("/", "testSLING1090");
String postUrl = testFolderUrl + ".modifyAce.html";
//grant jcr:removeNode to the test node
postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testUserId));
postParams.add(new BasicNameValuePair("privilege@jcr:read", "granted"));
postParams.add(new BasicNameValuePair("privilege@jcr:removeNode", "granted"));
assertAuthenticatedPostStatus(adminCreds, postUrl, HttpServletResponse.SC_OK, postParams, null);
//fetch the JSON for the test page to verify the settings.
String getUrl = testFolderUrl + ".privileges-info.json";
Credentials testUserCreds = new UsernamePasswordCredentials(testUserId, "testPwd");
String json = getAuthenticatedContent(testUserCreds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
assertNotNull(json);
JsonObject jsonObj = parseJson(json);
assertEquals(true, jsonObj.getBoolean("canDelete"));
}
/**
* Test for SLING-7835, PrivilegesInfo#getDeclaredAccessRights returns incorrect information
*/
@Test
public void testDeclaredAclForUser() throws IOException, JsonException {
testUserId = createTestUser();
testUserId2 = createTestUser();
testFolderUrl = createTestFolder(null, "sling-tests",
"{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");
String postUrl = testFolderUrl + ".modifyAce.html";
//1. create an initial set of privileges
List<NameValuePair> postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testUserId));
postParams.add(new BasicNameValuePair("privilege@jcr:write", "granted"));
Credentials creds = new UsernamePasswordCredentials("admin", "admin");
assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testUserId2));
postParams.add(new BasicNameValuePair("privilege@jcr:write", "granted"));
assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testUserId2));
postParams.add(new BasicNameValuePair("privilege@jcr:lockManagement", "granted"));
postUrl = testFolderUrl + "/child.modifyAce.html";
assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
//fetch the JSON for the eacl to verify the settings.
String getUrl = testFolderUrl + "/child.privileges-info.json";
Credentials testUserCreds = new UsernamePasswordCredentials("admin", "admin");
String json = getAuthenticatedContent(testUserCreds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
assertNotNull(json);
JsonObject jsonObject = parseJson(json);
jsonObject = jsonObject.getJsonObject("declaredAccessRights");
assertNull(jsonObject.get(testUserId));
JsonObject aceObject2 = jsonObject.getJsonObject(testUserId2);
assertNotNull(aceObject2);
JsonArray grantedArray2 = aceObject2.getJsonArray("granted");
assertNotNull(grantedArray2);
assertEquals(1, grantedArray2.size());
Set<String> grantedPrivilegeNames2 = new HashSet<>();
for (int i=0; i < grantedArray2.size(); i++) {
grantedPrivilegeNames2.add(grantedArray2.getString(i));
}
assertPrivilege(grantedPrivilegeNames2, true, "jcr:lockManagement");
JsonArray deniedArray2 = aceObject2.getJsonArray("denied");
assertNotNull(deniedArray2);
assertEquals(0, deniedArray2.size());
getUrl = testFolderUrl + ".privileges-info.json";
json = getAuthenticatedContent(testUserCreds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
assertNotNull(json);
jsonObject = parseJson(json);
jsonObject = jsonObject.getJsonObject("declaredAccessRights");
JsonObject aceObject = jsonObject.getJsonObject(testUserId);
assertNotNull(aceObject);
JsonArray grantedArray = aceObject.getJsonArray("granted");
assertNotNull(grantedArray);
assertEquals(1, grantedArray.size());
Set<String> grantedPrivilegeNames = new HashSet<>();
for (int i=0; i < grantedArray.size(); i++) {
grantedPrivilegeNames.add(grantedArray.getString(i));
}
assertPrivilege(grantedPrivilegeNames,true, PrivilegeConstants.JCR_WRITE);
JsonArray deniedArray = aceObject.getJsonArray("denied");
assertNotNull(deniedArray);
assertEquals(0, deniedArray.size());
aceObject2 = jsonObject.getJsonObject(testUserId2);
assertNotNull(aceObject2);
grantedArray2 = aceObject2.getJsonArray("granted");
assertNotNull(grantedArray2);
assertEquals(1, grantedArray2.size());
grantedPrivilegeNames2 = new HashSet<>();
for (int i=0; i < grantedArray2.size(); i++) {
grantedPrivilegeNames2.add(grantedArray2.getString(i));
}
assertPrivilege(grantedPrivilegeNames2, true, PrivilegeConstants.JCR_WRITE);
deniedArray2 = aceObject2.getJsonArray("denied");
assertNotNull(deniedArray2);
assertEquals(0, deniedArray2.size());
}
/**
* Test for SLING-7835, PrivilegesInfo#getEffectiveAccessRights returns incorrect information
*/
@Test
public void testEffectiveAclForUser() throws IOException, JsonException {
testUserId = createTestUser();
testUserId2 = createTestUser();
testFolderUrl = createTestFolder(null, "sling-tests",
"{ \"jcr:primaryType\": \"nt:unstructured\", \"propOne\" : \"propOneValue\", \"child\" : { \"childPropOne\" : true } }");
String postUrl = testFolderUrl + ".modifyAce.html";
//1. create an initial set of privileges
List<NameValuePair> postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testUserId));
postParams.add(new BasicNameValuePair("privilege@jcr:write", "granted"));
Credentials creds = new UsernamePasswordCredentials("admin", "admin");
assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testUserId2));
postParams.add(new BasicNameValuePair("privilege@jcr:write", "granted"));
assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
postParams = new ArrayList<>();
postParams.add(new BasicNameValuePair("principalId", testUserId2));
postParams.add(new BasicNameValuePair("privilege@jcr:lockManagement", "granted"));
postUrl = testFolderUrl + "/child.modifyAce.html";
assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_OK, postParams, null);
//fetch the JSON for the eacl to verify the settings.
String getUrl = testFolderUrl + "/child.privileges-info.json";
Credentials testUserCreds = new UsernamePasswordCredentials("admin", "admin");
String json = getAuthenticatedContent(testUserCreds, getUrl, CONTENT_TYPE_JSON, HttpServletResponse.SC_OK);
assertNotNull(json);
JsonObject jsonObject = parseJson(json);
jsonObject = jsonObject.getJsonObject("effectiveAccessRights");
JsonObject aceObject = jsonObject.getJsonObject(testUserId);
assertNotNull(aceObject);
JsonArray grantedArray = aceObject.getJsonArray("granted");
assertNotNull(grantedArray);
assertEquals(1, grantedArray.size());
Set<String> grantedPrivilegeNames = new HashSet<>();
for (int i=0; i < grantedArray.size(); i++) {
grantedPrivilegeNames.add(grantedArray.getString(i));
}
assertPrivilege(grantedPrivilegeNames,true, PrivilegeConstants.JCR_WRITE);
JsonArray deniedArray = aceObject.getJsonArray("denied");
assertNotNull(deniedArray);
assertEquals(0, deniedArray.size());
JsonObject aceObject2 = jsonObject.getJsonObject(testUserId2);
assertNotNull(aceObject2);
JsonArray grantedArray2 = aceObject2.getJsonArray("granted");
assertNotNull(grantedArray2);
assertEquals(2, grantedArray2.size());
Set<String> grantedPrivilegeNames2 = new HashSet<>();
for (int i=0; i < grantedArray2.size(); i++) {
grantedPrivilegeNames2.add(grantedArray2.getString(i));
}
assertPrivilege(grantedPrivilegeNames2, true, PrivilegeConstants.JCR_WRITE);
assertPrivilege(grantedPrivilegeNames2, true, "jcr:lockManagement");
JsonArray deniedArray2 = aceObject2.getJsonArray("denied");
assertNotNull(deniedArray2);
assertEquals(0, deniedArray2.size());
}
}