コード例 #1
0
ファイル: TestTreeIndexing.java プロジェクト: mindis/nuxeo
  @Test
  public void shouldDenyAccessOnUnsupportedACL() throws Exception {
    assumeTrue(session.isNegativeAclAllowed());

    buildAndIndexTree();
    DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document"));
    Assert.assertEquals(10, docs.totalSize());

    // check for user with no rights
    CoreSession restrictedSession = getRestrictedSession("toto");
    try {
      docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
      Assert.assertEquals(0, docs.totalSize());

      // add READ rights and check that user now has access
      DocumentRef ref = new PathRef("/folder0/folder1/folder2");
      ACP acp = new ACPImpl();
      ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL);
      acl.add(new ACE("toto", SecurityConstants.READ, true));
      acp.addACL(acl);
      session.setACP(ref, acp, true);

      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();

      startTransaction();
      docs =
          ess.query(
              new NxQueryBuilder(restrictedSession)
                  .nxql("select * from Document order by dc:title"));
      Assert.assertEquals(8, docs.totalSize());

      // Add an unsupported negative ACL
      ref = new PathRef("/folder0/folder1/folder2/folder3/folder4/folder5");
      acp = new ACPImpl();
      acl = ACPImpl.newACL(ACL.LOCAL_ACL);
      acl.add(new ACE("bob", SecurityConstants.EVERYTHING, false));

      acp.addACL(acl);
      session.setACP(ref, acp, true);
      session.save();
      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();

      startTransaction();
      docs =
          ess.query(
              new NxQueryBuilder(restrictedSession)
                  .nxql("select * from Document order by dc:title"));
      // can view folder2, folder3 and folder4
      Assert.assertEquals(3, docs.totalSize());
    } finally {
      restrictedSession.close();
    }
  }
コード例 #2
0
ファイル: TestTreeIndexing.java プロジェクト: mindis/nuxeo
  @Test
  public void shouldStoreOnlyEffectiveACEs() throws Exception {
    buildAndIndexTree();

    DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document"));
    Assert.assertEquals(10, docs.totalSize());

    CoreSession restrictedSession = getRestrictedSession("toto");
    try {
      docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
      Assert.assertEquals(0, docs.totalSize());

      DocumentRef ref = new PathRef("/folder0");
      ACP acp = new ACPImpl();
      ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL);
      acl.add(ACE.builder("toto", SecurityConstants.READ).build());
      acp.addACL(acl);
      session.setACP(ref, acp, true);

      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();

      startTransaction();
      docs =
          ess.query(
              new NxQueryBuilder(restrictedSession)
                  .nxql("select * from Document order by dc:title"));
      Assert.assertEquals(10, docs.totalSize());

      acp = new ACPImpl();
      acl = ACPImpl.newACL(ACL.LOCAL_ACL);
      // make the ACE archived
      Date now = new Date();
      Calendar begin = new GregorianCalendar();
      begin.setTimeInMillis(now.toInstant().minus(10, ChronoUnit.DAYS).toEpochMilli());
      Calendar end = new GregorianCalendar();
      end.setTimeInMillis(now.toInstant().minus(2, ChronoUnit.DAYS).toEpochMilli());
      acl.add(ACE.builder("toto", SecurityConstants.READ).begin(begin).end(end).build());
      acp.addACL(acl);
      session.setACP(ref, acp, true);

      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();

      startTransaction();
      docs =
          ess.query(
              new NxQueryBuilder(restrictedSession)
                  .nxql("select * from Document order by dc:title"));
      Assert.assertEquals(0, docs.totalSize());
    } finally {
      restrictedSession.close();
    }
  }
コード例 #3
0
  // security on versions, see TestLocalAPIWithCustomVersioning
  @Test
  public void testVersionSecurity() throws Exception {
    DocumentModel folder = new DocumentModelImpl("/", "folder", "Folder");
    folder = session.createDocument(folder);
    ACP acp = new ACPImpl();
    ACE ace = new ACE("princ1", "perm1", true);
    ACL acl = new ACLImpl("acl1", false);
    acl.add(ace);
    acp.addACL(acl);
    session.setACP(folder.getRef(), acp, true);
    DocumentModel file = new DocumentModelImpl("/folder", "file", "File");
    file = session.createDocument(file);
    // set security
    acp = new ACPImpl();
    ace = new ACE("princ2", "perm2", true);
    acl = new ACLImpl("acl2", false);
    acl.add(ace);
    acp.addACL(acl);
    session.setACP(file.getRef(), acp, true);
    session.save();

    DocumentModel proxy = session.publishDocument(file, folder);
    DocumentModel version = session.getLastDocumentVersion(file.getRef());
    session.save();

    // check security on version
    acp = session.getACP(version.getRef());
    ACL[] acls = acp.getACLs();
    assertEquals(2, acls.length);
    acl = acls[0];
    assertEquals(1, acl.size());
    assertEquals("princ2", acl.get(0).getUsername());
    acl = acls[1];
    assertEquals(1 + 3, acl.size()); // 1 + 3 root defaults
    assertEquals("princ1", acl.get(0).getUsername());

    // remove live document (there's a proxy so the version stays)
    session.removeDocument(file.getRef());
    session.save();
    // recheck security on version (works because we're administrator)
    acp = session.getACP(version.getRef());
    assertNull(acp);
    // check proxy still accessible (in another session)
    try (CoreSession session2 = openSessionAs(SecurityConstants.ADMINISTRATOR)) {
      session2.getDocument(proxy.getRef());
    }
  }
コード例 #4
0
 protected void setPermission(
     DocumentModel doc, String userName, String permission, boolean isGranted) {
   ACP acp = session.getACP(doc.getRef());
   ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL);
   localACL.add(new ACE(userName, permission, isGranted));
   session.setACP(doc.getRef(), acp, true);
   session.save();
 }
コード例 #5
0
 protected void resetPermissions(DocumentModel doc, String userName) {
   ACP acp = session.getACP(doc.getRef());
   ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL);
   Iterator<ACE> localACLIt = localACL.iterator();
   while (localACLIt.hasNext()) {
     ACE ace = localACLIt.next();
     if (userName.equals(ace.getUsername())) {
       localACLIt.remove();
     }
   }
   session.setACP(doc.getRef(), acp, true);
   session.save();
 }
コード例 #6
0
 protected void resetPermissions(DocumentRef docRef, String userName) {
   ACP acp = session.getACP(docRef);
   ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL);
   Iterator<ACE> localACLIt = localACL.iterator();
   while (localACLIt.hasNext()) {
     ACE ace = localACLIt.next();
     if (userName.equals(ace.getUsername())) {
       localACLIt.remove();
     }
   }
   session.setACP(docRef, acp, true);
   TransactionHelper.commitOrRollbackTransaction();
   TransactionHelper.startTransaction();
 }
コード例 #7
0
ファイル: TestTreeIndexing.java プロジェクト: mindis/nuxeo
  @Test
  public void shouldFilterTreeOnSecurity() throws Exception {

    buildAndIndexTree();

    DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document"));
    Assert.assertEquals(10, docs.totalSize());

    // check for user with no rights
    startTransaction();
    CoreSession restrictedSession = getRestrictedSession("toto");
    try {
      docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
      Assert.assertEquals(0, docs.totalSize());

      // add READ rights and check that user now has access

      DocumentRef ref = new PathRef("/folder0/folder1/folder2");
      ACP acp = new ACPImpl();
      ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL);
      acl.add(new ACE("toto", SecurityConstants.READ, true));
      acp.addACL(acl);
      session.setACP(ref, acp, true);

      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();
      if (syncMode) {
        // in sync we split recursive update into 2 commands:
        // 1 sync non recurse + 1 async recursive
        assertNumberOfCommandProcessed(9);
      } else {
        assertNumberOfCommandProcessed(8);
      }

      startTransaction();
      docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
      Assert.assertEquals(8, docs.totalSize());

      // block rights and check that blocking is taken into account

      ref = new PathRef("/folder0/folder1/folder2/folder3/folder4/folder5");
      acp = new ACPImpl();
      acl = ACPImpl.newACL(ACL.LOCAL_ACL);

      acl.add(new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false));
      acl.add(new ACE("Administrator", SecurityConstants.EVERYTHING, true));
      acp.addACL(acl);

      session.setACP(ref, acp, true);

      session.save();
      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();
      if (syncMode) {
        assertNumberOfCommandProcessed(6);
      } else {
        assertNumberOfCommandProcessed(5);
      }
      startTransaction();
      docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
      Assert.assertEquals(3, docs.totalSize());
    } finally {
      restrictedSession.close();
    }
  }