/**
 * Indexes the {@link RoleConfig} roles of {@code securityConfig} by lower-cased role name.
 * Roles that are not {@code RoleConfig} instances are skipped.
 *
 * @param securityConfig the server security section whose roles are read
 * @return a mutable map from lower-cased role name to the users of that role
 */
public static Map<String, Collection<String>> rolesToUsers(SecurityConfig securityConfig) {
    final Map<String, Collection<String>> byName = new HashMap<>();
    for (Role candidate : securityConfig.getRoles()) {
        if (!(candidate instanceof RoleConfig)) {
            continue;
        }
        // Keys are normalised to lower case so lookups are case-insensitive.
        byName.put(candidate.getName().toLower(), candidate.usersOfRole());
    }
    return byName;
}
/** Asking for the plugin roles of a plugin id that no auth config maps to yields an empty list. */
@Test
public void getPluginRolesConfig_shouldReturnNothingWhenBadPluginIdSpecified() throws Exception {
    final SecurityConfig config = new SecurityConfig();
    config.addRole(new PluginRoleConfig("foo", "ldap"));
    config.addRole(new PluginRoleConfig("bar", "github"));
    config.addRole(new RoleConfig(new CaseInsensitiveString("xyz")));
    config.securityAuthConfigs().add(new SecurityAuthConfig("ldap", "cd.go.ldap"));
    config.securityAuthConfigs().add(new SecurityAuthConfig("github", "cd.go.github"));

    final List<PluginRoleConfig> found = config.getPluginRoles("non-existant-plugin");

    assertThat(found, hasSize(0));
}
/**
 * Builds a single-pipeline config whose server security section holds the password-file
 * auth config, the given role definition and the given admin entry.
 *
 * @param roleDefinition the role to add to the security section
 * @param admins the admin entry to add to the admins section
 * @return the assembled config
 */
private CruiseConfig cruiseConfigWithSecurity(Role roleDefinition, Admin admins) {
    final CruiseConfig config = GoConfigMother.configWithPipelines("pipeline");
    final SecurityConfig security = config.server().security();
    final SecurityAuthConfig passwordFile = new SecurityAuthConfig("file", "cd.go.authentication.passwordfile");
    security.securityAuthConfigs().add(passwordFile);
    security.addRole(roleDefinition);
    security.adminsConfig().add(admins);
    return config;
}
/**
 * Creates a {@link SecurityConfig} seeded with the given admins, the optional auth config
 * and every role in {@code DEFAULT_ROLES}.
 *
 * @param securityAuthConfig auth config to register, or {@code null} to register none
 * @param admins the admins section the config is created with
 * @return the assembled security config
 */
public static SecurityConfig security(SecurityAuthConfig securityAuthConfig, AdminsConfig admins) {
    final SecurityConfig result = new SecurityConfig(admins);
    if (securityAuthConfig != null) {
        result.securityAuthConfigs().add(securityAuthConfig);
    }
    for (Role defaultRole : DEFAULT_ROLES) {
        result.addRole(defaultRole);
    }
    return result;
}
/** equals/hashCode must agree: configs differing only in the boolean constructor flag are unequal. */
@Test
public void testEqualsAndHashCode() {
    final SecurityConfig flagOn = new SecurityConfig(null, true);
    final SecurityConfig flagOff = new SecurityConfig(null, false);
    final SecurityConfig flagOnAgain = new SecurityConfig(null, true);

    assertThat(flagOn, is(flagOnAgain));
    assertThat(flagOn, not(is(flagOff)));
    assertThat(flagOn.hashCode(), is(flagOnAgain.hashCode()));
    assertThat(flagOn.hashCode(), not(is(flagOff.hashCode())));
}
/**
 * Computes the system-admin selection and the per-role selections for the given users,
 * based on the current server security config.
 *
 * @param users the user names whose selections are requested
 * @return the admin selection together with the role selections
 */
public AdminAndRoleSelections getAdminAndRoleSelections(List<String> users) {
    final SecurityConfig security = goConfigService.security();
    final Set<Role> knownRoles = new HashSet<>(security.getRoles().getRoleConfigs());
    final List<TriStateSelection> perRole = TriStateSelection.forRoles(knownRoles, users);
    final SecurityService.UserRoleMatcherImpl roleMatcher = new SecurityService.UserRoleMatcherImpl(security);
    final TriStateSelection admin =
            TriStateSelection.forSystemAdmin(security.adminsConfig(), knownRoles, roleMatcher, users);
    return new AdminAndRoleSelections(admin, perRole);
}
/** Param placeholders inside admin, role and role-user names are substituted by the resolver. */
@Test
public void shouldResolve_ConfigValue_MappedAsObject() {
    final SecurityConfig security = new SecurityConfig();
    security.adminsConfig().add(new AdminUser(new CaseInsensitiveString("lo#{foo}")));
    final RoleUser member = new RoleUser(new CaseInsensitiveString("choo#{foo}"));
    security.addRole(new RoleConfig(new CaseInsensitiveString("boo#{bar}"), member));

    final ParamSubstitutionHandlerFactory handlers =
            new ParamSubstitutionHandlerFactory(params(param("foo", "ser"), param("bar", "zer")));
    new ParamResolver(handlers, fieldCache).resolve(security);

    assertThat(CaseInsensitiveString.str(security.adminsConfig().get(0).getName()), is("loser"));
    assertThat(CaseInsensitiveString.str(security.getRoles().get(0).getName()), is("boozer"));
    assertThat(CaseInsensitiveString.str(security.getRoles().get(0).getUsers().get(0).getName()), is("chooser"));
}
/**
 * Returns every auth config in the current server security section.
 * NOTE(review): {@code pluginId} is not consulted, so authentication is attempted against
 * all configured auth configs regardless of plugin — confirm with the callers that this is
 * intended rather than a filter by plugin id.
 *
 * @param pluginId unused here
 * @return all configured auth configs
 */
@Override
protected List<SecurityAuthConfig> getSecurityAuthConfigsToAuthenticateWith(String pluginId) {
    final SecurityConfig security = goConfigService.security();
    return security.securityAuthConfigs();
}
/**
 * A plugin role whose name collides with an existing {@link RoleConfig} must end up with
 * exactly one "name" error after validation.
 *
 * @param v the validator under test
 */
public void validateUniquenessOfRoleName(Validator v) throws Exception {
    final PluginRoleConfig duplicate = new PluginRoleConfig("admin", "auth_config_id");
    final SecurityConfig security = new SecurityConfig();
    final ValidationContext context = ValidationContextMother.validationContext(security);
    security.securityAuthConfigs().add(new SecurityAuthConfig("auth_config_id", "plugin_id"));
    security.getRoles().add(new RoleConfig(new CaseInsensitiveString("admin")));
    security.getRoles().add(duplicate);

    v.validate(duplicate, context);

    assertThat(duplicate.errors().size(), is(1));
    assertThat(duplicate.errors().get("name").get(0),
            is("Role names should be unique. Role with the same name exists."));
}
/**
 * Creates a security config (boolean constructor flag set to {@code true}) with a single
 * password-file auth config pointing at {@code passwordFilePath}.
 *
 * @param passwordFilePath value of the auth config's {@code PasswordFilePath} property
 * @return the assembled security config
 */
public static SecurityConfig securityConfigWith(String passwordFilePath) {
    final SecurityConfig config = new SecurityConfig(true);
    config.securityAuthConfigs().add(new SecurityAuthConfig(
            "file",
            "cd.go.authentication.passwordfile",
            create("PasswordFilePath", false, passwordFilePath)));
    return config;
}
/**
 * Adds this command's {@code role} to the server security section of the preprocessed config.
 *
 * @param preprocessedConfig the config being updated
 */
@Override
public void update(CruiseConfig preprocessedConfig) {
    final SecurityConfig security = preprocessedConfig.server().security();
    security.addRole(role);
}
/** Plugin-role lookup by name is case-insensitive: "FOO" finds the role added as "foo". */
@Test
public void getPluginRole_shouldReturnPluginRoleMatchingTheGivenName() throws Exception {
    final PluginRoleConfig ldapRole = new PluginRoleConfig("foo", "ldap");
    final SecurityConfig security = new SecurityConfig();
    security.addRole(ldapRole);

    final CaseInsensitiveString upperCased = new CaseInsensitiveString("FOO");
    assertThat(security.getPluginRole(upperCased), is(ldapRole));
}
/** The validation context exposes the security config installed on the server section. */
@Test
public void shouldGetServerSecurityContext() {
    final BasicCruiseConfig config = new BasicCruiseConfig();
    final SecurityConfig security = new SecurityConfig();
    security.addRole(new RoleConfig(new CaseInsensitiveString("admin")));
    security.adminsConfig().add(new AdminUser(new CaseInsensitiveString("super-admin")));
    config.server().useSecurity(security);

    final PipelineConfigSaveValidationContext context =
            PipelineConfigSaveValidationContext.forChain(true, "group", config);

    Assert.assertThat(context.getServerSecurityConfig(), is(security));
}
/** Two freshly constructed security configs compare equal. */
@Test
public void twoEmptySecurityConfigsShouldBeTheSame() throws Exception {
    final SecurityConfig first = new SecurityConfig();
    final SecurityConfig second = new SecurityConfig();
    assertThat(first, is(second));
}
/**
 * Checks that every approver in {@code authConfig} may operate the enclosing pipeline group.
 * Nothing is validated unless the context is within a pipeline group that defines operation
 * permissions. Super admins and group admins always pass; any other approver that is not a
 * group operator gets an error recorded on itself.
 *
 * @param validationContext provides the enclosing group and the server security config
 */
private void validateOperatePermissions(ValidationContext validationContext) {
    if (!validationContext.isWithinPipelines()) {
        return;
    }
    final PipelineConfigs group = validationContext.getPipelineGroup();
    if (!group.hasOperationPermissionDefined()) {
        return;
    }
    final AdminsConfig operators = group.getAuthorization().getOperationConfig();
    final SecurityConfig serverSecurity = validationContext.getServerSecurityConfig();
    final RolesConfig roles = serverSecurity.getRoles();
    for (Admin approver : authConfig) {
        // All three checks are evaluated before deciding, mirroring the original flow.
        final boolean superAdmin = serverSecurity.isAdmin(approver);
        final boolean groupAdmin = group.isUserAnAdmin(approver.getName(), roles.memberRoles(approver));
        final boolean groupOperator = operators.has(approver, roles.memberRoles(approver));
        if (superAdmin || groupAdmin || groupOperator) {
            continue;
        }
        approver.addError(String.format(
                "%s \"%s\" who is not authorized to operate pipeline group `%s` can not be authorized to approve stage",
                approver.describe(), approver, group.getGroup()));
    }
}
/**
 * Reports whether the admins section of {@code securityConfig} names neither admin roles
 * nor admin users.
 *
 * @param securityConfig the server security section to inspect
 * @return {@code true} when no admin role and no admin user is configured
 */
public static boolean noSuperAdminsDefined(SecurityConfig securityConfig) {
    final AdminsConfig admins = securityConfig.adminsConfig();
    final boolean hasAdminRoles = !admins.getRoles().isEmpty();
    final boolean hasAdminUsers = !admins.getUsers().isEmpty();
    return !(hasAdminRoles || hasAdminUsers);
}
/**
 * A role whose name collides with an existing role must end up with exactly one "name"
 * error after validation.
 *
 * @param v the validator under test
 */
public void validateUniquenessOfRoleName(Validator v) throws Exception {
    final RoleConfig duplicate = new RoleConfig(new CaseInsensitiveString("admin"));
    final SecurityConfig security = new SecurityConfig();
    final ValidationContext context = ValidationContextMother.validationContext(security);
    security.getRoles().add(new RoleConfig(new CaseInsensitiveString("admin")));
    security.getRoles().add(duplicate);

    v.validate(duplicate, context);

    assertThat(duplicate.errors().size(), is(1));
    assertThat(duplicate.errors().get("name").get(0),
            is("Role names should be unique. Role with the same name exists."));
}
/**
 * A template stage approver who is neither a super admin, a group admin nor a group operator
 * of the pipeline group using the template is reported as an error on the template name.
 */
@Test
public void shouldValidateStagePermissionsOfATemplateStageInTheContextOfPipelineUsingTheTemplate() {
    final JobConfigs jobs = new JobConfigs(new JobConfig(new CaseInsensitiveString("defaultJob")));
    final StageConfig stage = StageConfigMother.custom("stage", jobs);
    final AdminUser unauthorisedApprover = new AdminUser(new CaseInsensitiveString("non-admin-non-operate"));
    stage.setApproval(new Approval(new AuthConfig(unauthorisedApprover)));

    final PipelineTemplateConfig template = PipelineTemplateConfigMother.createTemplate("template", stage);
    final PipelineConfig pipeline = PipelineConfigMother.pipelineConfigWithTemplate("pipeline", "template");
    pipeline.usingTemplate(template);

    final BasicCruiseConfig config = GoConfigMother.defaultCruiseConfig();
    config.addTemplate(template);
    config.addPipelineWithoutValidation("group", pipeline);

    // Only "foo" may operate the group; the approver above is deliberately not an operator.
    final PipelineConfigs group = config.findGroup("group");
    final OperationConfig operators = new OperationConfig(new AdminUser(new CaseInsensitiveString("foo")));
    group.setAuthorization(new Authorization(new ViewConfig(), operators, new AdminsConfig()));

    final SecurityConfig security = config.server().security();
    security.securityAuthConfigs().add(new SecurityAuthConfig());
    security.adminsConfig().add(new AdminUser(new CaseInsensitiveString("super-admin")));

    template.validateTree(ConfigSaveValidationContext.forChain(config), config, false);

    final String expectedError =
            "User \"non-admin-non-operate\" who is not authorized to operate pipeline group `group` can not be authorized to approve stage";
    assertThat(template.errors().getAllOn("name"), is(Arrays.asList(expectedError)));
}
/** Looking up a plugin role by a name no role carries yields {@code null}. */
@Test
public void getPluginRole_shouldReturnNullInAbsenceOfPluginRoleForTheGivenName() throws Exception {
    final SecurityConfig empty = new SecurityConfig();
    final CaseInsensitiveString unknownName = new CaseInsensitiveString("foo");
    assertNull(empty.getPluginRole(unknownName));
}
}
/**
 * Delegates to the server security section to decide whether {@code admin} is an admin.
 *
 * @param admin the entry to check
 * @return whether the server security config treats the entry as an admin
 */
private boolean hasAdminPrivileges(Admin admin) {
    final SecurityConfig security = server().security();
    return security.isAdmin(admin);
}