/**
 * Runs the shared "cannot assign cloud admin" check with
 * {@code USER_EMAIL_PROJECT_MEMBER_1} as the acting principal.
 */
@Test
public void testProjectMemberCannotAssignCloudAdminRole() throws Throwable {
    final String actingPrincipal = USER_EMAIL_PROJECT_MEMBER_1;
    assertCannotAssignCloudAdminRoleAs(actingPrincipal);
}
/**
 * Reads the roles document of a principal.
 *
 * @param principalId identifier passed to {@code buildRolesLinkFor} to locate the roles document
 * @return whatever {@code getDocument} returns for that link, typed as {@code PrincipalRoles}
 */
private PrincipalRoles getUserRolesFor(String principalId) throws Throwable {
    return getDocument(PrincipalRoles.class, buildRolesLinkFor(principalId));
}
/**
 * Exercises GET, POST, PUT, PATCH and DELETE on projects as {@code USER_EMAIL_BASIC_USER}.
 *
 * <p>The target project is created under {@code USER_EMAIL_ADMIN} first. Every call made as
 * the basic user goes through a {@code ...WithRestrictionVerification} helper; those helpers
 * are defined outside this view and presumably assert that the request is rejected.
 */
@Test
public void testBasicUserRestrictionsToProjects() throws Throwable {
    ProjectState template = new ProjectState();
    template.name = "test-name";

    // Fixture: created with the admin identity, before the identity switch.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN));
    ProjectState adminOwned = doPost(template, ProjectFactoryService.SELF_LINK);
    assertNotNull(adminOwned);
    assertNotNull(adminOwned.documentSelfLink);

    // Everything below runs as the basic user.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_BASIC_USER));

    // GET
    doGetWithRestrictionVerification(
            adminOwned,
            ProjectFactoryService.SELF_LINK,
            ProjectState.class.getName());

    // POST
    template.name = "test1";
    doPostWithRestrictionVerification(template, ProjectFactoryService.SELF_LINK);

    // PUT
    adminOwned.name = "updated-name";
    doPutWithRestrictionVerification(adminOwned, ProjectFactoryService.SELF_LINK);

    // PATCH (the name is assigned again, to the same value used for PUT)
    adminOwned.name = "updated-name";
    doPatchWithRestrictionVerification(adminOwned, adminOwned.documentSelfLink);

    // DELETE
    doDeleteWithRestrictionVerification(adminOwned, ProjectFactoryService.SELF_LINK);
}
/**
 * Sends a PATCH to the principal's roles link whose {@code add} list holds the cloud admin role.
 *
 * <p>This method does not switch identity itself; callers in this file call
 * {@code host.assumeIdentity} beforehand.
 *
 * @param principalId principal that should receive {@code AuthRole.CLOUD_ADMIN}
 */
private void assignCloudAdminRoleTo(String principalId) {
    PrincipalRoleAssignment assignment = new PrincipalRoleAssignment();
    assignment.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.toString());
    doPatch(assignment, buildRolesLinkFor(principalId));
}
/**
 * Runs GET, POST, PUT and DELETE on credentials as {@code USER_EMAIL_GLORIA}, against a
 * credentials document created under {@code USER_EMAIL_ADMIN}.
 *
 * <p>NOTE(review): no call made as {@code USER_EMAIL_GLORIA} is followed by an assertion, and
 * the GET result is discarded. Whether this test pins "allowed" or "denied" depends entirely
 * on how {@code doPost}/{@code doPut}/{@code doDelete} report an authorization failure
 * (defined outside this view). Confirm the intended policy for this role and assert it
 * explicitly.
 */
@Test
public void testProjectAdminRestrictionsToCredentials() throws Throwable {
    AuthCredentialsServiceState credentials = new AuthCredentialsServiceState();
    credentials.userEmail = "test";

    // Fixture: created with the admin identity.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN));
    AuthCredentialsServiceState adminOwned =
            doPost(credentials, AuthCredentialsService.FACTORY_LINK);
    assertNotNull(adminOwned);
    assertNotNull(adminOwned.documentSelfLink);

    host.assumeIdentity(buildUserServicePath(USER_EMAIL_GLORIA));

    // GET (return value is not inspected)
    getDocumentNoWait(AuthCredentialsServiceState.class, adminOwned.documentSelfLink);

    // POST
    doPost(credentials, AuthCredentialsService.FACTORY_LINK);

    // PUT
    adminOwned.userEmail = "updated-name";
    doPut(adminOwned);

    // DELETE
    doDelete(UriUtils.buildUri(host, adminOwned.documentSelfLink), false);
}
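/**
 * Checks what {@code USER_EMAIL_GLORIA} can do with {@code createdProject}.
 *
 * <p>GET, PUT and PATCH are expected to succeed and their results are asserted. DELETE goes
 * through {@code doDeleteWithRestrictionVerification}, which is defined outside this view and
 * presumably asserts that the request is rejected.
 *
 * <p>The PUT step mutates the shared {@code createdProject} field ({@code name} is overwritten).
 */
@Test
public void testProjectAdminHasAccessToTheProjectsHeBelongsToAsAdmin() throws Throwable {
    // The original also built a local ProjectState that was never used; it is dropped here.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_GLORIA));

    // GET
    ProjectState retrievedState = getDocument(ProjectState.class,
            createdProject.documentSelfLink);
    assertNotNull(retrievedState);

    // PUT
    this.createdProject.name = "updated-name";
    ProjectState updatedState = doPut(createdProject);
    assertNotNull(updatedState);
    assertEquals(createdProject.name, updatedState.name);

    // PATCH
    ProjectState state = new ProjectState();
    state.name = "patched-name";
    ProjectState patchedState = doPatch(state, createdProject.documentSelfLink);
    assertNotNull(patchedState);
    assertEquals(state.name, patchedState.name);

    // DELETE
    doDeleteWithRestrictionVerification(retrievedState, ProjectFactoryService.SELF_LINK);
}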
/**
 * Positive case: as {@code USER_EMAIL_CLOUD_ADMIN}, assign the cloud admin role to
 * {@code USER_EMAIL_BASIC_USER} and check that the role shows up when the roles are read back.
 *
 * <p>The read-back runs under the same cloud admin identity; no identity switch happens
 * between the assignment and the check.
 */
@Test
public void testCloudAdminCanAssignCloudAdminRole() throws Throwable {
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_CLOUD_ADMIN));
    assignCloudAdminRoleTo(USER_EMAIL_BASIC_USER);

    PrincipalRoles assigned = getUserRolesFor(USER_EMAIL_BASIC_USER);

    String noDocumentMsg = "could not retrieve roles for user " + USER_EMAIL_BASIC_USER;
    assertNotNull(noDocumentMsg, assigned);

    // Only null is checked here; an empty collection is caught by the hasItem matcher below.
    String noRolesMsg = "roles set is empty or null for user " + USER_EMAIL_BASIC_USER;
    assertNotNull(noRolesMsg, assigned.roles);

    String missingRoleMsg = "Expected user " + USER_EMAIL_BASIC_USER + " to have role "
            + AuthRole.CLOUD_ADMIN.toString();
    assertThat(missingRoleMsg, assigned.roles, hasItem(AuthRole.CLOUD_ADMIN));
}
/**
 * Populates {@code createdProject} via {@code createProjectWithRoles()} before each test,
 * unless the field is already set.
 */
@Before
public void setupProjectRoles() throws Throwable {
    if (createdProject == null) {
        createdProject = createProjectWithRoles();
    }
}
/**
 * Runs GET, POST, PUT and DELETE on registries as {@code USER_EMAIL_GLORIA}, against a
 * registry created under {@code USER_EMAIL_ADMIN} and linked to {@code createdProject}
 * through {@code tenantLinks}.
 *
 * <p>NOTE(review): no call made as {@code USER_EMAIL_GLORIA} is followed by an assertion, and
 * the GET result is discarded. The outcome this test pins depends on how
 * {@code getDocument}/{@code doPost}/{@code doPut}/{@code doDelete} report an authorization
 * failure (defined outside this view). Confirm the intended policy and assert it explicitly.
 */
@Test
public void testProjectAdminRestrictionsToRegistries() throws Throwable {
    RegistryState template = new RegistryState();
    template.name = "test";
    template.address = UUID.randomUUID().toString();
    template.tenantLinks = Collections.singletonList(createdProject.documentSelfLink);

    // Fixture: created with the admin identity.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN));
    RegistryState adminOwned = doPost(template, RegistryFactoryService.SELF_LINK);
    assertNotNull(adminOwned);
    assertNotNull(adminOwned.documentSelfLink);

    host.assumeIdentity(buildUserServicePath(USER_EMAIL_GLORIA));

    // GET (return value is not inspected)
    getDocument(RegistryState.class, adminOwned.documentSelfLink);

    // POST, with a fresh random address on the same template
    template.address = UUID.randomUUID().toString();
    doPost(template, RegistryFactoryService.SELF_LINK);

    // PUT
    adminOwned.name = "updated-name";
    doPut(adminOwned);

    // DELETE
    doDelete(UriUtils.buildUri(host, adminOwned.documentSelfLink), false);
}
/**
 * Negative case shared by the "cannot assign cloud admin role" tests.
 *
 * <p>Assumes the identity of {@code principalId}, tries to grant the cloud admin role to
 * {@code USER_EMAIL_BASIC_USER}, and expects an {@code IllegalAccessError} whose message
 * contains {@code FORBIDDEN}. The roles of {@code USER_EMAIL_BASIC_USER} are then read back
 * and must not contain {@code AuthRole.CLOUD_ADMIN}.
 *
 * <p>The read-back runs under the same restricted identity; the identity is not switched
 * after the denied attempt.
 *
 * @param principalId principal under whose identity the assignment is attempted
 */
private void assertCannotAssignCloudAdminRoleAs(String principalId) throws Throwable {
    host.assumeIdentity(buildUserServicePath(principalId));

    try {
        assignCloudAdminRoleTo(USER_EMAIL_BASIC_USER);
        // Reaching this line means the assignment was accepted. fail() raises an
        // AssertionError, which the catch below does not match, so the test fails.
        String unexpectedSuccess = String.format(
                "Expected user '%s' not to have the privilege to assign the cloud admin role",
                principalId);
        fail(unexpectedSuccess);
    } catch (IllegalAccessError denied) {
        assertThat(
                "Unexpected failure, expected forbidden message",
                denied.getMessage(),
                containsString(FORBIDDEN));
    }

    // Beyond the error itself, confirm that the role was not actually granted.
    PrincipalRoles afterAttempt = getUserRolesFor(USER_EMAIL_BASIC_USER);
    assertNotNull("could not retrieve roles for user " + USER_EMAIL_BASIC_USER, afterAttempt);
    assertNotNull("roles set is empty or null for user " + USER_EMAIL_BASIC_USER,
            afterAttempt.roles);

    String roleLeakedMsg = String.format("Expected user '%s' not to have role '%s'",
            USER_EMAIL_BASIC_USER, AuthRole.CLOUD_ADMIN);
    Assert.assertThat(roleLeakedMsg, afterAttempt.roles, not(hasItem(AuthRole.CLOUD_ADMIN)));
}
/**
 * Exercises GET, POST, PUT and DELETE on credentials as {@code USER_EMAIL_BASIC_USER}.
 *
 * <p>The credentials document is created under {@code USER_EMAIL_ADMIN} first. Every call
 * made as the basic user goes through a {@code ...WithRestrictionVerification} helper; those
 * helpers are defined outside this view and presumably assert that the request is rejected.
 */
@Test
public void testBasicUserRestrictionsToCredentials() throws Throwable {
    AuthCredentialsServiceState credentials = new AuthCredentialsServiceState();
    credentials.userEmail = "test";

    // Fixture: created with the admin identity, before the identity switch.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN));
    AuthCredentialsServiceState adminOwned =
            doPost(credentials, AuthCredentialsService.FACTORY_LINK);
    assertNotNull(adminOwned);
    assertNotNull(adminOwned.documentSelfLink);

    host.assumeIdentity(buildUserServicePath(USER_EMAIL_BASIC_USER));

    // GET
    doGetWithRestrictionVerification(
            adminOwned,
            AuthCredentialsService.FACTORY_LINK,
            AuthCredentialsServiceState.class.getName());

    // POST
    doPostWithRestrictionVerification(credentials, AuthCredentialsService.FACTORY_LINK);

    // PUT
    adminOwned.userEmail = "updated-name";
    doPutWithRestrictionVerification(adminOwned, AuthCredentialsService.FACTORY_LINK);

    // DELETE
    doDeleteWithRestrictionVerification(adminOwned, AuthCredentialsService.FACTORY_LINK);
}
/**
 * Runs GET, POST, PUT and DELETE on trusted certificates as {@code USER_EMAIL_GLORIA},
 * against a certificate document created under {@code USER_EMAIL_ADMIN}.
 *
 * <p>NOTE(review): no call made as {@code USER_EMAIL_GLORIA} is followed by an assertion, and
 * the GET result is discarded. The outcome this test pins depends on how
 * {@code getDocument}/{@code doPost}/{@code doPut}/{@code doDelete} report an authorization
 * failure (defined outside this view). Confirm the intended policy and assert it explicitly.
 */
@Test
public void testProjectAdminRestrictionsToCertificates() throws Throwable {
    SslTrustCertificateState template = new SslTrustCertificateState();
    template.certificate = CommonTestStateFactory.getFileContent("test_ssl_trust.PEM").trim();

    // Fixture: created with the admin identity.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN));
    SslTrustCertificateState adminOwned =
            doPost(template, SslTrustCertificateService.FACTORY_LINK);
    assertNotNull(adminOwned);
    assertNotNull(adminOwned.documentSelfLink);

    host.assumeIdentity(buildUserServicePath(USER_EMAIL_GLORIA));

    // GET (return value is not inspected)
    getDocument(SslTrustCertificateState.class, adminOwned.documentSelfLink);

    // POST
    doPost(template, SslTrustCertificateService.FACTORY_LINK);

    // PUT
    adminOwned.commonName = "updated-name";
    doPut(adminOwned);

    // DELETE
    doDelete(UriUtils.buildUri(host, adminOwned.documentSelfLink), false);
}
/**
 * Runs the shared "cannot assign cloud admin" check with
 * {@code USER_EMAIL_PROJECT_ADMIN_1} as the acting principal.
 */
@Test
public void testProjectAdminCannotAssignCloudAdminRole() throws Throwable {
    final String actingPrincipal = USER_EMAIL_PROJECT_ADMIN_1;
    assertCannotAssignCloudAdminRoleAs(actingPrincipal);
}
/**
 * Exercises GET, POST, PUT and DELETE on trusted certificates as
 * {@code USER_EMAIL_BASIC_USER}.
 *
 * <p>The certificate document is created under {@code USER_EMAIL_ADMIN} first. Every call
 * made as the basic user goes through a {@code ...WithRestrictionVerification} helper; those
 * helpers are defined outside this view and presumably assert that the request is rejected.
 */
@Test
public void testBasicUserRestrictionsToCertificates() throws Throwable {
    SslTrustCertificateState template = new SslTrustCertificateState();
    template.certificate =
            CommonTestStateFactory.getFileContent(FIRST_CERTIFICATE_PATH).trim();

    // Fixture: created with the admin identity, before the identity switch.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN));
    SslTrustCertificateState adminOwned =
            doPost(template, SslTrustCertificateService.FACTORY_LINK);
    assertNotNull(adminOwned);
    assertNotNull(adminOwned.documentSelfLink);

    host.assumeIdentity(buildUserServicePath(USER_EMAIL_BASIC_USER));

    // GET
    doGetWithRestrictionVerification(
            adminOwned,
            SslTrustCertificateService.FACTORY_LINK,
            SslTrustCertificateState.class.getName());

    // POST
    doPostWithRestrictionVerification(template, SslTrustCertificateService.FACTORY_LINK);

    // PUT
    adminOwned.commonName = "updated-name";
    doPutWithRestrictionVerification(adminOwned, SslTrustCertificateService.FACTORY_LINK);

    // DELETE
    doDeleteWithRestrictionVerification(adminOwned, SslTrustCertificateService.FACTORY_LINK);
}
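/**
 * Positive case: as {@code USER_EMAIL_ADMIN}, create, read, update and delete a credentials
 * document, asserting the result of each step.
 *
 * <p>After the DELETE, the document is fetched again with {@code getDocumentNoWait} and the
 * result must be {@code null}.
 */
@Test
public void testCloudAdminHasAccessToCredentials() throws Throwable {
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN));

    AuthCredentialsServiceState cred = new AuthCredentialsServiceState();
    cred.userEmail = "test";

    // POST
    AuthCredentialsServiceState createdState = doPost(cred,
            AuthCredentialsService.FACTORY_LINK);
    assertNotNull(createdState);
    assertNotNull(createdState.documentSelfLink);

    // GET
    AuthCredentialsServiceState retrievedState = getDocument(
            AuthCredentialsServiceState.class, createdState.documentSelfLink);
    assertNotNull(retrievedState);

    // PUT
    createdState.userEmail = "updated-name";
    AuthCredentialsServiceState updatedState = doPut(createdState);
    assertNotNull(updatedState);
    // assertEquals, as the sibling tests use, reports both values on a mismatch.
    assertEquals(createdState.userEmail, updatedState.userEmail);

    // DELETE
    doDelete(UriUtils.buildUri(host, createdState.documentSelfLink), false);
    retrievedState = getDocumentNoWait(AuthCredentialsServiceState.class,
            createdState.documentSelfLink);
    assertNull(retrievedState);
}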
/**
 * Runs the shared "cannot assign cloud admin" check with
 * {@code USER_EMAIL_PROJECT_VIEWER_1} as the acting principal.
 */
@Test
public void testProjectViewerCannotAssignCloudAdminRole() throws Throwable {
    final String actingPrincipal = USER_EMAIL_PROJECT_VIEWER_1;
    assertCannotAssignCloudAdminRoleAs(actingPrincipal);
}
/**
 * Exercises POST, PUT and DELETE as {@code USER_EMAIL_GLORIA} on a project that was created
 * under {@code USER_EMAIL_ADMIN}.
 *
 * <p>Each call goes through a {@code ...WithRestrictionVerification} helper; those helpers
 * are defined outside this view and presumably assert that the request is rejected. GET and
 * PATCH are not exercised by this test.
 */
@Test
public void testProjectAdminRestrictionsToProjectsHeDoesNotBelongToAsAdmin() throws Throwable {
    ProjectState template = new ProjectState();
    template.name = "test-name";

    // Fixture: a project created with the admin identity.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN));
    ProjectState foreignProject = doPost(template, ProjectFactoryService.SELF_LINK);
    assertNotNull(foreignProject);
    assertNotNull(foreignProject.documentSelfLink);

    host.assumeIdentity(buildUserServicePath(USER_EMAIL_GLORIA));

    // POST
    template.name = "test.name";
    doPostWithRestrictionVerification(template, ProjectFactoryService.SELF_LINK);

    // PUT
    foreignProject.name = "updated-name";
    doPutWithRestrictionVerification(foreignProject, ProjectFactoryService.SELF_LINK);

    // DELETE
    doDeleteWithRestrictionVerification(foreignProject, ProjectFactoryService.SELF_LINK);
}
/**
 * Positive case: as {@code USER_EMAIL_GLORIA}, create, read, update and delete a container
 * description whose {@code tenantLinks} point at {@code createdProject}.
 *
 * <p>The GET and PUT results are asserted. The POST result is dereferenced without a prior
 * null check, and the DELETE is not followed by a read-back.
 */
@Test
public void testProjectAdminHasAccessToTheResourcesOfTheProjectHeBelongsToAsAdmin()
        throws Throwable {
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_GLORIA));

    // Tie the description to the project through tenantLinks.
    ContainerDescription description = new ContainerDescription();
    description.image = "test";
    description.tenantLinks = new ArrayList<>();
    description.tenantLinks.add(createdProject.documentSelfLink);

    // POST
    ContainerDescription posted = doPost(description, ContainerDescriptionService.FACTORY_LINK);

    // GET
    ContainerDescription fetched =
            getDocument(ContainerDescription.class, posted.documentSelfLink);
    assertNotNull(fetched);
    assertEquals(fetched.tenantLinks, posted.tenantLinks);

    // PUT
    fetched.name = "updated_name";
    ContainerDescription replaced = doPut(fetched);
    assertNotNull(replaced);
    assertEquals(fetched.name, replaced.name);

    // DELETE
    doDelete(UriUtils.buildUri(host, posted.documentSelfLink), false);
}
/**
 * Runs the shared "cannot assign cloud admin" check with {@code USER_EMAIL_BASIC_USER} as
 * the acting principal.
 *
 * <p>The shared check also uses {@code USER_EMAIL_BASIC_USER} as the assignment target, so
 * here the principal attempts to grant the role to itself.
 */
@Test
public void testBasicUserCannotAssignCloudAdminRole() throws Throwable {
    final String actingPrincipal = USER_EMAIL_BASIC_USER;
    assertCannotAssignCloudAdminRoleAs(actingPrincipal);
}
/**
 * Exercises GET, POST, PUT and DELETE on log documents as {@code USER_EMAIL_BASIC_USER}.
 *
 * <p>The log document is created under {@code USER_EMAIL_ADMIN} first. Every call made as the
 * basic user goes through a {@code ...WithRestrictionVerification} helper; those helpers are
 * defined outside this view and presumably assert that the request is rejected.
 */
@Test
public void testBasicUserRestrictionsToLogs() throws Throwable {
    LogServiceState template = new LogServiceState();
    template.logs = new byte[] { 1 };

    // Fixture: created with the admin identity, and checked to carry the same first byte.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN));
    LogServiceState adminOwned = doPost(template, LogService.FACTORY_LINK);
    assertNotNull(adminOwned);
    assertNotNull(adminOwned.documentSelfLink);
    assertEquals(template.logs[0], adminOwned.logs[0]);

    // Everything below runs as the basic user.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_BASIC_USER));

    // GET
    doGetWithRestrictionVerification(
            adminOwned,
            LogService.FACTORY_LINK,
            LogServiceState.class.getName());

    // POST
    doPostWithRestrictionVerification(template, LogService.FACTORY_LINK);

    // PUT
    doPutWithRestrictionVerification(adminOwned, LogService.FACTORY_LINK);

    // DELETE
    doDeleteWithRestrictionVerification(adminOwned, LogService.FACTORY_LINK);
}