/**
 * Assigning a system role to a group principal whose {@code UserGroupState}
 * document has been deleted must first re-create that document and then land
 * the role on it. Afterwards the group holds CLOUD_ADMIN plus the implicit
 * basic roles.
 *
 * NOTE(review): a role PATCH that re-materialises a deleted principal document
 * is a state-creating side effect of an authorization change; this test runs
 * under whatever identity the fixture set up (admin, judging by the @Before in
 * this file) and does not show what happens for a non-admin caller — confirm
 * the handler gates this path on an admin identity.
 */
@Test
public void testAssignSystemRoleOnPrincipalWithoutUserGroupState() {
    String encodedGroup = encode(USER_GROUP_DEVELOPERS);
    String groupStateLink = UriUtils.buildUriPath(UserGroupService.FACTORY_LINK, encodedGroup);

    // Precondition: the backing user group document is gone.
    deleteUserGroup(encodedGroup);
    assertDocumentNotExists(groupStateLink);

    PrincipalRoleAssignment assignment = new PrincipalRoleAssignment();
    assignment.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.name());
    String rolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK,
            USER_GROUP_DEVELOPERS, PrincipalService.ROLES_SUFFIX);
    doPatch(assignment, rolesLink);

    // The PATCH is expected to have re-created the user group state ...
    assertDocumentExists(groupStateLink);

    // ... and the group now carries CLOUD_ADMIN together with the implicit basic roles.
    SecurityContext developers = getSecurityContext(USER_GROUP_DEVELOPERS);
    AuthRole[] expectedRoles = {
            AuthRole.CLOUD_ADMIN, AuthRole.BASIC_USER, AuthRole.BASIC_USER_EXTENDED };
    for (AuthRole expected : expectedRoles) {
        assertTrue("missing role " + expected, developers.roles.contains(expected));
    }
}
/**
 * An admin must be able to read its own {@link SecurityContext} through
 * PrincipalService. The identity is switched to the admin first because (per the
 * original comment) a basic user is not meant to use PrincipalService to read
 * other users' data.
 *
 * NOTE(review): the @Before in this file already assumes the admin identity, so
 * the assumeIdentity call below is redundant if both live in the same class.
 * The matching negative test (a basic user reading another principal's context
 * is rejected) is not visible in this view — confirm it exists elsewhere.
 */
@Test
public void testGetSecurityContextShouldPass() throws GeneralSecurityException {
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN));

    String contextLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK,
            USER_EMAIL_ADMIN, PrincipalService.SECURITY_CONTEXT_SUFFIX);
    SecurityContext context = testRequest(Operation::createGet, contextLink,
            false, null, SecurityContext.class);

    // The returned context must describe the principal that was asked for.
    assertEquals(USER_EMAIL_ADMIN, context.id);
}
/**
 * Assigning a system role to a user principal whose {@code UserState} document
 * has been deleted must first re-create that document and then land the role
 * on it. Afterwards the user holds CLOUD_ADMIN plus the implicit basic roles.
 *
 * NOTE(review): as with the group variant, a role PATCH silently re-creating a
 * deleted user document is a privilege-granting side effect; confirm the handler
 * requires an admin identity for it (this test inherits whatever identity the
 * fixture assumed).
 */
@Test
public void testAssignSystemRoleOnPrincipalWithoutUserState() {
    String encodedUser = encode(USER_EMAIL_CONNIE);
    String userStateLink = AuthUtil.buildUserServicePathFromPrincipalId(encodedUser);

    // Precondition: the backing user document is gone.
    deleteUser(encodedUser);
    assertDocumentNotExists(userStateLink);

    PrincipalRoleAssignment assignment = new PrincipalRoleAssignment();
    assignment.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.name());
    String rolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK,
            USER_EMAIL_CONNIE, PrincipalService.ROLES_SUFFIX);
    doPatch(assignment, rolesLink);

    // The PATCH is expected to have re-created the user state ...
    assertDocumentExists(userStateLink);

    // ... and the user now carries CLOUD_ADMIN together with the implicit basic roles.
    SecurityContext connie = getSecurityContext(USER_EMAIL_CONNIE);
    assertTrue("missing CLOUD_ADMIN", connie.roles.contains(AuthRole.CLOUD_ADMIN));
    assertTrue("missing BASIC_USER", connie.roles.contains(AuthRole.BASIC_USER));
    assertTrue("missing BASIC_USER_EXTENDED",
            connie.roles.contains(AuthRole.BASIC_USER_EXTENDED));
}
@SuppressWarnings("unchecked") @Test public void testGetAllRolesForPrincipalWithIndirectRoles() throws Throwable { host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN2)); root.groupMembersLinks = Collections.singletonList(UriUtils.buildUriPath( LocalPrincipalFactoryService.SELF_LINK, encode(USER_EMAIL_CONNIE))); root = doPost(root, LocalPrincipalFactoryService.SELF_LINK); assertNotNull(root.documentSelfLink); nestedGroup1.groupMembersLinks = Collections.singletonList(UriUtils.buildUriPath( LocalPrincipalFactoryService.SELF_LINK, encode(USER_EMAIL_CONNIE))); nestedGroup1 = doPost(nestedGroup1, LocalPrincipalFactoryService.SELF_LINK); assertNotNull(nestedGroup1.documentSelfLink); nestedGroup2.name = "nestedGroup2"; nestedGroup2.groupMembersLinks = Collections.singletonList(nestedGroup1.documentSelfLink); nestedGroup2 = doPost(nestedGroup2, LocalPrincipalFactoryService.SELF_LINK); assertNotNull(nestedGroup2.documentSelfLink); doPatch(roleAssignment, UriUtils.buildUriPath(PrincipalService.SELF_LINK, root.id, PrincipalService.ROLES_SUFFIX)); ProjectState firstProject = createProject("first-project"); assertNotNull(firstProject.documentSelfLink); ProjectRoles projectRoles = new ProjectRoles(); admins.add = Collections.singletonList(nestedGroup1.id); projectRoles.administrators = admins; doPatch(projectRoles, firstProject.documentSelfLink);
/**
 * Granting a principal all three project roles on a freshly created project must
 * show up in the aggregated view at {@code /principals/{id}/roles}: the system
 * roles, plus exactly one project entry carrying admin, member and viewer.
 */
@Test
public void getRolesForPrincipal() throws Throwable {
    ProjectState created = new ProjectState();
    created.name = "test";
    created.description = "test-description";
    created = doPost(created, ProjectFactoryService.SELF_LINK);
    assertNotNull(created.documentSelfLink);

    // A single assignment object is deliberately reused for all three role buckets.
    PrincipalRoleAssignment adminOnly = new PrincipalRoleAssignment();
    adminOnly.add = Collections.singletonList(USER_EMAIL_ADMIN);
    ProjectRoles projectRoles = new ProjectRoles();
    projectRoles.members = adminOnly;
    projectRoles.administrators = adminOnly;
    projectRoles.viewers = adminOnly;
    doPatch(projectRoles, created.documentSelfLink);

    String rolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK,
            USER_EMAIL_ADMIN, PrincipalService.ROLES_SUFFIX);
    PrincipalRoles principalRoles = getDocumentNoWait(PrincipalRoles.class, rolesLink);

    // System-level roles the admin principal is expected to hold.
    assertTrue(principalRoles.roles.contains(AuthRole.CLOUD_ADMIN));
    assertTrue(principalRoles.roles.contains(AuthRole.BASIC_USER));
    assertTrue(principalRoles.roles.contains(AuthRole.BASIC_USER_EXTENDED));

    // Exactly one project entry, and it is the project created above with all three roles.
    assertEquals(1, principalRoles.projects.size());
    assertEquals(created.documentSelfLink, principalRoles.projects.get(0).documentSelfLink);
    assertEquals(created.name, principalRoles.projects.get(0).name);
    for (AuthRole expected : new AuthRole[] {
            AuthRole.PROJECT_ADMIN, AuthRole.PROJECT_MEMBER, AuthRole.PROJECT_VIEWER }) {
        assertTrue("missing project role " + expected,
                principalRoles.projects.get(0).roles.contains(expected));
    }
}
"roles"); doPatch(roleAssignment, uri); AuthRole.CLOUD_ADMIN.buildRoleWithSuffix(encode(USER_GROUP_SUPERUSERS))); RoleState roleState = getDocument(RoleState.class, superusersRoleLink); assertNotNull(roleState); assertEquals(superusersRoleLink, roleState.documentSelfLink); roleAssignment.remove = new ArrayList<>(); roleAssignment.remove.add(AuthRole.CLOUD_ADMIN.name()); doPatch(roleAssignment, uri); TestContext ctx = testCreate(1); Operation getSuperusersRole = Operation.createGet(host, superusersRoleLink) .setReferer(host.getUri())
itGroup.groupMembersLinks = Collections.singletonList(UriUtils.buildUriPath( LocalPrincipalFactoryService.SELF_LINK, encode(USER_GROUP_SUPERUSERS))); itGroup = doPost(itGroup, LocalPrincipalFactoryService.SELF_LINK); assertNotNull(itGroup); organization.groupMembersLinks = Collections.singletonList(UriUtils.buildUriPath( LocalPrincipalFactoryService.SELF_LINK, encode("it@admiral.com"))); organization = doPost(organization, LocalPrincipalFactoryService.SELF_LINK); assertNotNull(organization); TestContext ctx = testCreate(1); Set<String> groups = new HashSet<>(); host.send(Operation.createGet(host, UriUtils.buildUriPath(PrincipalService.SELF_LINK,
/**
 * Runs before each test: switch the host's identity to the admin user so that
 * PrincipalService calls in the tests are made as an administrator.
 */
@Before
public void setIdentity() throws GeneralSecurityException {
    String adminServicePath = buildUserServicePath(USER_EMAIL_ADMIN);
    host.assumeIdentity(adminServicePath);
}
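/**
 * Roles granted to a group principal (system CLOUD_ADMIN plus PROJECT_ADMIN on
 * one project) must be visible both through the per-principal roles link and
 * through the criteria/roles query on the PrincipalService collection.
 *
 * Assertions use {@code assertEquals} instead of {@code assertTrue(x.equals(y))}
 * / {@code assertTrue(a == b)} so that a null name or a wrong count fails with
 * an expected-vs-actual message rather than an NPE or a bare "false".
 */
@Test
public void testGetRolesForPrincipalOfTypeGroup() throws Throwable {
    // System role on the group.
    PrincipalRoleAssignment systemRole = new PrincipalRoleAssignment();
    systemRole.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.name());
    String rolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK,
            USER_GROUP_SUPERUSERS, PrincipalService.ROLES_SUFFIX);
    doPatch(systemRole, rolesLink);

    // Project role on the group.
    ProjectState project = new ProjectState();
    project.name = "test";
    project = doPost(project, ProjectFactoryService.SELF_LINK);
    assertNotNull(project.documentSelfLink);

    ProjectRoles projectRoles = new ProjectRoles();
    projectRoles.administrators = new PrincipalRoleAssignment();
    projectRoles.administrators.add = Collections.singletonList(USER_GROUP_SUPERUSERS);
    doPatch(projectRoles, project.documentSelfLink);

    // Per-principal view.
    // NOTE(review): a sibling test reads this same link as PrincipalRoles; it is
    // kept as SecurityContext here to preserve behaviour — confirm the two types
    // are interchangeable for this link.
    SecurityContext contextById = getDocumentNoWait(SecurityContext.class, rolesLink);
    assertNotNull(contextById);
    assertEquals(USER_GROUP_SUPERUSERS, contextById.name);
    assertTrue(contextById.roles.contains(AuthRole.CLOUD_ADMIN));
    assertEquals(1, contextById.projects.size());
    assertTrue(contextById.projects.get(0).roles.contains(AuthRole.PROJECT_ADMIN));

    // Collection query view: criteria=<group>&roles=<value> must yield exactly one entry.
    URI queryUri = UriUtils.buildUri(UriUtils.buildUriPath(PrincipalService.SELF_LINK));
    queryUri = UriUtils.extendUriWithQuery(queryUri,
            PrincipalService.CRITERIA_QUERY, USER_GROUP_SUPERUSERS,
            PrincipalService.ROLES_QUERY, PrincipalService.ROLES_QUERY_VALUE);
    PrincipalRoles[] queried = getDocumentNoWait(PrincipalRoles[].class, queryUri.toString());
    assertNotNull(queried);
    assertEquals(1, queried.length);
}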