diff --git oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/SetRepoPolicyPermissionsTest.java oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/SetRepoPolicyPermissionsTest.java
new file mode 100644
index 0000000000..069acdec2f
--- /dev/null
+++ oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/SetRepoPolicyPermissionsTest.java
@@ -0,0 +1,125 @@
+package org.apache.jackrabbit.oak.jcr;
+
+import com.google.common.collect.ImmutableMap;
+import org.apache.commons.lang3.RandomStringUtils;
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.fixture.NodeStoreFixture;
+import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.Node;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.Privilege;
+import java.util.Collections;
+import java.util.Locale;
+import java.util.Map;
+
+import static org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils.privilegesFromNames;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+public class SetRepoPolicyPermissionsTest extends AbstractRepositoryTest {
+
+ private User testUser;
+
+ private Session testUserSession;
+
+ private String testRootPath;
+
+ public SetRepoPolicyPermissionsTest(final NodeStoreFixture fixture) {
+ super(fixture);
+ }
+
+ @Before
+ public void setup() throws RepositoryException {
+ JackrabbitSession adminSession = (JackrabbitSession) this.getAdminSession();
+ UserManager userManager = adminSession.getUserManager();
+ final String uniqueTestId = RandomStringUtils.randomAlphabetic(12).toLowerCase(Locale.ROOT);
+ testUser = userManager.createSystemUser("testUser-" + uniqueTestId, null);
+ testRootPath = adminSession.getRootNode()
+ .addNode(getClass().getName(), "oak:Unstructured")
+ .addNode(uniqueTestId, "oak:Unstructured")
+ .getPath();
+ adminSession.save();
+ }
+
+ @After
+ public void teardown() throws RepositoryException {
+ if (testUserSession != null) {
+ testUserSession.logout();
+ }
+ testUser.remove();
+ Session adminSession = getAdminSession();
+ adminSession.getRootNode().getNode(getClass().getName()).remove();
+ adminSession.save();
+ super.logout();
+ }
+
+ @Test
+ public void setRepositoryPermissions() throws Exception {
+ // TODO: the following two lines should not be needed - however they currently allow the test to pass
+ // allow("/", "jcr:read");
+ // allow("/", globRestriction("rep:repoPolicy"), "jcr:readAccessControl", "jcr:modifyAccessControl");
+
+ // set up repository ACL to allow the test user to read and modify repository ACEs
+ allow(null, "jcr:readAccessControl", "jcr:modifyAccessControl");
+
+ // test the newly granted access
+ Session session = getTestUserSession();
+ AccessControlManager accessControlManager = session.getAccessControlManager();
+ JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(accessControlManager, null);
+ acl.addEntry(EveryonePrincipal.getInstance(),
+ privilegesFromNames(accessControlManager, "jcr:namespaceManagement"),
+ true,
+ Collections.emptyMap());
+ accessControlManager.setPolicy(null, acl);
+ session.save();
+ }
+
+ private void allow(final String path, final String... privilegeNames) throws RepositoryException {
+ allow(path, Collections.emptyMap(), privilegeNames);
+ }
+
+ private void allow(final String path, Map restrictions, String... privilegeNames)
+ throws RepositoryException {
+ Session adminSession = getAdminSession();
+ AccessControlManager accessControlManager = adminSession.getAccessControlManager();
+ JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(accessControlManager, path);
+ Privilege[] privileges = privilegesFromNames(accessControlManager, privilegeNames);
+ if (acl.addEntry(testUser.getPrincipal(), privileges, true, restrictions)) {
+ accessControlManager.setPolicy(path, acl);
+ adminSession.save();
+ }
+ }
+
+ private Map globRestriction(final String globPattern) throws RepositoryException {
+ ValueFactory valueFactory = getAdminSession().getValueFactory();
+ return ImmutableMap.of(AccessControlConstants.REP_GLOB, valueFactory.createValue(globPattern));
+ }
+
+ public Node getTestRoot(final Session session) throws RepositoryException {
+ return session.getNode(testRootPath);
+ }
+
+ public Session getTestUserSession() throws RepositoryException {
+ if (testUserSession == null) {
+ testUserSession = getAdminSession().impersonate(new SimpleCredentials(testUser.getID(), new char[0]));
+ }
+ return testUserSession;
+ }
+}
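Review bot: teardown() never reverts the repository-level ACL changes the test makes — the test user's jcr:readAccessControl/jcr:modifyAccessControl entries written by `allow(null, ...)` and, more importantly, the everyone grant of jcr:namespaceManagement added in setRepositoryPermissions() remain in the repo-level policy after the user and the test node are removed, so if the fixture's repository is reused by other tests they inherit a widened repository policy. The rewrite below strips those entries from the repo-level list before the user is deleted; it needs `import javax.jcr.security.AccessControlEntry;`. Separately, `allow(final String path, Map restrictions, ...)` and `globRestriction` use the raw `Map` type where `addEntry` takes `Map<String, Value>`, and `Restriction`, `Ignore`, `AccessDeniedException`, `Value`, `assertEquals` and `fail` are imported but unused. The last two look like a planned negative case — `setPolicy(null, acl)` from the test user session before `allow(null, ...)` should fail with AccessDeniedException — which would make this authorization test guard against an over-permissive default rather than only exercising the positive path.
```java
@After
public void teardown() throws RepositoryException {
    if (testUserSession != null) {
        testUserSession.logout();
    }
    Session adminSession = getAdminSession();
    // Revert the repository-level entries this test added so they do not outlive the test user.
    AccessControlManager accessControlManager = adminSession.getAccessControlManager();
    JackrabbitAccessControlList repoAcl = AccessControlUtils.getAccessControlList(accessControlManager, null);
    String testPrincipalName = testUser.getPrincipal().getName();
    for (AccessControlEntry ace : repoAcl.getAccessControlEntries()) {
        String name = ace.getPrincipal().getName();
        if (testPrincipalName.equals(name) || EveryonePrincipal.NAME.equals(name)) {
            repoAcl.removeAccessControlEntry(ace);
        }
    }
    accessControlManager.setPolicy(null, repoAcl);
    testUser.remove();
    // … unchanged: test node removal, adminSession.save(), super.logout() …
}
```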