001: /*
002: * Licensed to the Apache Software Foundation (ASF) under one or more
003: * contributor license agreements. See the NOTICE file distributed with
004: * this work for additional information regarding copyright ownership.
005: * The ASF licenses this file to You under the Apache License, Version 2.0
006: * (the "License"); you may not use this file except in compliance with
007: * the License. You may obtain a copy of the License at
008: *
009: * http://www.apache.org/licenses/LICENSE-2.0
010: *
011: * Unless required by applicable law or agreed to in writing, software
012: * distributed under the License is distributed on an "AS IS" BASIS,
013: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014: * See the License for the specific language governing permissions and
015: * limitations under the License.
016: */
017: package org.apache.jetspeed.security;
018:
019: import java.security.AccessControlException;
020: import java.security.AccessController;
021: import java.security.PrivilegedAction;
022:
023: import javax.security.auth.login.LoginContext;
024: import javax.security.auth.login.LoginException;
025:
026: import junit.framework.Test;
027: import junit.framework.TestSuite;
028:
029: import org.apache.jetspeed.security.FolderPermission;
030: import org.apache.jetspeed.security.SecurityException;
031: import org.apache.jetspeed.security.UserPrincipal;
032: import org.apache.jetspeed.security.impl.PassiveCallbackHandler;
033: import org.apache.jetspeed.security.impl.UserPrincipalImpl;
034: import org.apache.jetspeed.security.util.test.AbstractSecurityTestcase;
035:
036: /**
037: * @author <a href="mailto:christophe.lombart@sword-technologies.com">Christophe Lombart</a>
038: * @version $Id: TestRdbmsPolicyFolder.java 517121 2007-03-12 07:45:49Z ate $
039: */
040: public class TestRdbmsPolicyFolder extends AbstractSecurityTestcase {
041: /** <p>The JAAS login context.</p> */
042: private LoginContext loginContext = null;
043:
044: /**
045: * @see junit.framework.TestCase#setUp()
046: */
047: public void setUp() throws Exception {
048: super .setUp();
049:
050: initUser();
051:
052: // Let's login in.
053: try {
054: System.out
055: .println("\t\t[TestRdbmsPolicy - Folder] Creating login context.");
056: PassiveCallbackHandler pch = new PassiveCallbackHandler(
057: "anon", "password");
058: loginContext = new LoginContext("jetspeed", pch);
059: loginContext.login();
060: } catch (LoginException le) {
061: le.printStackTrace();
062: assertTrue(
063: "\t\t[TestRdbmsPolicy - Folder] Failed to setup test.",
064: false);
065: }
066:
067: }
068:
069: /**
070: * @see junit.framework.TestCase#tearDown()
071: */
072: public void tearDown() throws Exception {
073:
074: // Logout.
075: try {
076: loginContext.logout();
077: } catch (LoginException le) {
078: le.printStackTrace();
079: assertTrue(
080: "\t\t[TestRdbmsPolicy - Folder] Failed to tear down test.",
081: false);
082: }
083: destroyUser();
084: super .tearDown();
085: }
086:
087: public static Test suite() {
088: // All methods starting with "test" will be executed in the test suite.
089: return new TestSuite(TestRdbmsPolicy.class);
090: }
091:
092: /**
093: * Test simple permission on one document
094: *
095: */
096: public void testSimplePermission() {
097:
098: try {
099: JSSubject.doAs(loginContext.getSubject(),
100: new PrivilegedAction() {
101: public Object run() {
102: FolderPermission perm1 = new FolderPermission(
103: "/files/test.xml", "edit");
104: AccessController.checkPermission(perm1);
105: return null;
106: }
107: });
108: } catch (AccessControlException ace) {
109: assertTrue(
110: "did not authorize view permission on the Folder.",
111: false);
112: }
113:
114: // Should be denied.
115: try {
116: JSSubject.doAs(loginContext.getSubject(),
117: new PrivilegedAction() {
118: public Object run() {
119: FolderPermission perm2 = new FolderPermission(
120: "/files/test.xml", "secure");
121: AccessController.checkPermission(perm2);
122: return null;
123: }
124: });
125: assertTrue("did not deny update permission on the folder.",
126: false);
127: } catch (AccessControlException ace) {
128: }
129: }
130:
131: /**
132: * Test permissions with wild card (eg. /file/*) & with recursive setting (eg. /files/- )
133: *
134: */
135: public void testAdvancedPermission() {
136:
137: try {
138: JSSubject.doAs(loginContext.getSubject(),
139: new PrivilegedAction() {
140: public Object run() {
141: FolderPermission perm1 = new FolderPermission(
142: "/files/subfolder1/test.xml",
143: "view");
144: AccessController.checkPermission(perm1);
145: return null;
146: }
147: });
148: } catch (AccessControlException ace) {
149: fail("did not authorize view permission on the Folder.");
150: }
151:
152: try {
153: JSSubject.doAs(loginContext.getSubject(),
154: new PrivilegedAction() {
155: public Object run() {
156: FolderPermission perm1 = new FolderPermission(
157: "/files/subfolder1/foo", "view");
158: AccessController.checkPermission(perm1);
159: return null;
160: }
161: });
162: } catch (AccessControlException ace) {
163: fail("did not authorize view permission on the Folder.");
164: }
165:
166: try {
167: JSSubject.doAs(loginContext.getSubject(),
168: new PrivilegedAction() {
169: public Object run() {
170: FolderPermission perm1 = new FolderPermission(
171: "/files/subfolder1/foo/anotherdoc.xml",
172: "view");
173: AccessController.checkPermission(perm1);
174: return null;
175: }
176: });
177: fail("Permission error - should not view the document ");
178: } catch (AccessControlException ace) {
179: // Correct behavior - not authorise to view the document
180: }
181:
182: try {
183: JSSubject.doAs(loginContext.getSubject(),
184: new PrivilegedAction() {
185: public Object run() {
186: FolderPermission perm1 = new FolderPermission(
187: "/files/subfolder2/test.xml",
188: "view");
189: AccessController.checkPermission(perm1);
190: return null;
191: }
192: });
193: } catch (AccessControlException ace) {
194: fail("did not authorize view permission on the Folder.");
195: }
196:
197: try {
198: JSSubject.doAs(loginContext.getSubject(),
199: new PrivilegedAction() {
200: public Object run() {
201: FolderPermission perm1 = new FolderPermission(
202: "/files/subfolder2/foo", "view");
203: AccessController.checkPermission(perm1);
204: return null;
205: }
206: });
207: } catch (AccessControlException ace) {
208: fail("did not authorize view permission on the Folder.");
209: }
210:
211: try {
212: JSSubject.doAs(loginContext.getSubject(),
213: new PrivilegedAction() {
214: public Object run() {
215: FolderPermission perm1 = new FolderPermission(
216: "/files/subfolder2/foo/anotherdoc.xml",
217: "view");
218: AccessController.checkPermission(perm1);
219: return null;
220: }
221: });
222: } catch (AccessControlException ace) {
223: fail("did not authorize view permission on the Folder.");
224: }
225: }
226:
227: /**
228: * <p>Initialize user test object.</p>
229: */
230: protected void initUser() {
231: try {
232: ums.addUser("anon", "password");
233: } catch (SecurityException sex) {
234: }
235:
236: UserPrincipal user = new UserPrincipalImpl("anon");
237:
238: FolderPermission perm1 = new FolderPermission(
239: "/files/test.xml", "edit");
240: FolderPermission perm2 = new FolderPermission(
241: "/files/subfolder1/*", "view");
242: FolderPermission perm3 = new FolderPermission(
243: "/files/subfolder2/-", "view");
244: try {
245: pms.addPermission(perm1);
246: pms.addPermission(perm2);
247: pms.addPermission(perm3);
248:
249: pms.grantPermission(user, perm1);
250: pms.grantPermission(user, perm2);
251: pms.grantPermission(user, perm3);
252: } catch (SecurityException sex) {
253: sex.printStackTrace();
254: }
255: }
256:
257: /**
258: * <p>Destroy user test object.</p>
259: */
260: protected void destroyUser() throws Exception {
261: ums.removeUser("anon");
262:
263: FolderPermission perm1 = new FolderPermission(
264: "/files/test.xml", "edit");
265: FolderPermission perm2 = new FolderPermission(
266: "/files/subfolder1/*", "view");
267: FolderPermission perm3 = new FolderPermission(
268: "/files/subfolder2/-", "view");
269: pms.removePermission(perm1);
270: pms.removePermission(perm2);
271: pms.removePermission(perm3);
272: }
273:
274: }
|