/**
 * Test helper: authenticates {@code username} through the security API using the
 * fixed literal password these tests are seeded with.
 *
 * @param username the user to authenticate
 */
protected void login(final String username) {
    // The seeded test users all authenticate with this literal; keep it in one place.
    final String fixturePassword = "password";
    securityApi.login(username, fixturePassword);
}
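/**
 * Verifies that a role definition can be replaced wholesale, that the security API
 * canonicalizes bare permission groups (e.g. {@code invoice} is stored as
 * {@code invoice:*}), and that updating with an empty list strips every permission.
 *
 * @throws SecurityApiException if the role or user cannot be created or updated
 */
@Test(groups = "slow")
public void testUpdateRoleDefinition() throws SecurityApiException {
    final String username = "siskiyou";
    final String password = "siskiyou33";

    securityApi.addRoleDefinition("original", ImmutableList.of("account:*", "invoice", "tag:create_tag_definition"), callContext);
    // NOTE(review): the user is attached to "restricted", not to the "original" role created
    // just above; presumably relies on a role seeded elsewhere — confirm this is intended.
    securityApi.addUserRoles(username, password, ImmutableList.of("restricted"), callContext);

    final List<String> roleDefinition = securityApi.getRoleDefinition("original", callContext);
    Assert.assertEquals(roleDefinition.size(), 3);
    Assert.assertTrue(roleDefinition.contains("account:*"));
    // Bare "invoice" is expected back in its canonical wildcard form.
    Assert.assertTrue(roleDefinition.contains("invoice:*"));
    Assert.assertTrue(roleDefinition.contains("tag:create_tag_definition"));

    securityApi.updateRoleDefinition("original", ImmutableList.of("account:*", "payment", "tag:create_tag_definition", "entitlement:create"), callContext);
    final List<String> updatedRoleDefinition = securityApi.getRoleDefinition("original", callContext);
    Assert.assertEquals(updatedRoleDefinition.size(), 4);
    Assert.assertTrue(updatedRoleDefinition.contains("account:*"));
    Assert.assertTrue(updatedRoleDefinition.contains("payment:*"));
    Assert.assertTrue(updatedRoleDefinition.contains("tag:create_tag_definition"));
    Assert.assertTrue(updatedRoleDefinition.contains("entitlement:create"));

    // An empty update must leave the role with no permissions at all.
    securityApi.updateRoleDefinition("original", ImmutableList.<String>of(), callContext);
    Assert.assertEquals(securityApi.getRoleDefinition("original", callContext).size(), 0);
}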
/**
 * Checks the permission set reported for the current subject: empty while anonymous,
 * then exactly the role-derived permissions of each seeded user after login.
 *
 * @throws Exception from Shiro setup or the security API
 */
@Test(groups = "fast")
public void testRetrievePermissions() throws Exception {
    configureShiro();
    // Deliberately bypass the Guice-injected instance: it has Shiro disabled.
    final SecurityApi shiroBackedApi = new DefaultSecurityApi(null);

    logout();
    final Set<Permission> anonymousPermissions = shiroBackedApi.getCurrentUserPermissions(callContext);
    Assert.assertEquals(anonymousPermissions.size(), 0, "Invalid permissions: " + anonymousPermissions);

    login("pierre");
    assertExactPermissions(shiroBackedApi.getCurrentUserPermissions(callContext),
                           Permission.INVOICE_CAN_CREDIT, Permission.INVOICE_CAN_ITEM_ADJUST);

    login("stephane");
    assertExactPermissions(shiroBackedApi.getCurrentUserPermissions(callContext),
                           Permission.PAYMENT_CAN_REFUND);
}

/** Asserts that {@code actual} has exactly the given permissions: same size, all present. */
private static void assertExactPermissions(final Set<Permission> actual, final Permission... expected) {
    Assert.assertEquals(actual.size(), expected.length);
    Assert.assertTrue(actual.containsAll(ImmutableList.copyOf(expected)));
}
}
/**
 * Checks that role definitions are canonicalized on write: a global wildcard subsumes
 * everything else, duplicates collapse, and {@code group:*} absorbs that group's
 * individual permissions.
 *
 * @throws SecurityApiException if a role cannot be created
 */
@Test(groups = "slow")
public void testSanityOfPermissions() throws SecurityApiException {
    addRoleAndVerify("sanity1",
                     ImmutableList.of("account:*", "*"),
                     ImmutableList.of("*"));
    addRoleAndVerify("sanity2",
                     ImmutableList.of("account:charge", "account:charge"),
                     ImmutableList.of("account:charge"));
    addRoleAndVerify("sanity3",
                     ImmutableList.of("account:charge", "account:credit", "account:*", "invoice:*"),
                     ImmutableList.of("account:*", "invoice:*"));
}

/** Creates {@code role} with {@code requested} permissions and checks the stored form equals {@code expected}. */
private void addRoleAndVerify(final String role,
                              final List<String> requested,
                              final ImmutableList<String> expected) throws SecurityApiException {
    securityApi.addRoleDefinition(role, requested, callContext);
    validateUserRoles(securityApi.getRoleDefinition(role, callContext), expected);
}
final String password = "supperCompli43cated"; securityApi.addRoleDefinition("root", ImmutableList.of("*"), callContext); securityApi.addUserRoles(username, password, ImmutableList.of("root"), callContext); final DelegatingSubject subject = new DelegatingSubject(securityManager); securityApi.updateUserPassword(username, newPassword, callContext); securityApi.invalidateUser(username, callContext);
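/**
 * Exercises role-based authorization end to end: a user attached to a role is granted
 * exactly that role's permissions, and swapping the user's roles takes effect on the
 * next login.
 *
 * @throws SecurityApiException if roles or users cannot be created or updated
 */
@Test(groups = "slow")
public void testAuthorization() throws SecurityApiException {
    final String username = "i like";
    final String password = "c0ff33";

    securityApi.addRoleDefinition("restricted", ImmutableList.of("account:*", "invoice", "tag:create_tag_definition"), callContext);
    securityApi.addUserRoles(username, password, ImmutableList.of("restricted"), callContext);

    final AuthenticationToken goodToken = new UsernamePasswordToken(username, password);

    final Subject subject = securityManager.login(null, goodToken);
    subject.checkPermission(Permission.ACCOUNT_CAN_CHARGE.toString());
    subject.checkPermission(Permission.INVOICE_CAN_CREDIT.toString());
    subject.checkPermission(Permission.TAG_CAN_CREATE_TAG_DEFINITION.toString());
    assertPermissionDenied(subject, Permission.TAG_CAN_DELETE_TAG_DEFINITION,
                           "Subject should not have rights to delete tag definitions");
    subject.logout();

    // Move the user to a role that trades "create" for "delete"; it must apply on re-login.
    securityApi.addRoleDefinition("newRestricted", ImmutableList.of("account:*", "invoice", "tag:delete_tag_definition"), callContext);
    securityApi.updateUserRoles(username, ImmutableList.of("newRestricted"), callContext);

    final Subject newSubject = securityManager.login(null, goodToken);
    newSubject.checkPermission(Permission.ACCOUNT_CAN_CHARGE.toString());
    newSubject.checkPermission(Permission.INVOICE_CAN_CREDIT.toString());
    newSubject.checkPermission(Permission.TAG_CAN_DELETE_TAG_DEFINITION.toString());
    assertPermissionDenied(newSubject, Permission.TAG_CAN_CREATE_TAG_DEFINITION,
                           "Subject should not have rights to create tag definitions");
    // Release the second session as well, mirroring the first subject's cleanup.
    newSubject.logout();
}

/**
 * Asserts that {@code subject} is denied {@code permission}. Shiro reports denial by
 * throwing {@link AuthorizationException}; a normal return means the check wrongly passed.
 */
private static void assertPermissionDenied(final Subject subject, final Permission permission, final String failureMessage) {
    try {
        subject.checkPermission(permission.toString());
        Assert.fail(failureMessage);
    } catch (final AuthorizationException expected) {
        // Expected: the subject does not hold this permission.
    }
}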
/**
 * Asserts that creating a role named {@code failed} with {@code permissions} is rejected
 * with the {@code SECURITY_INVALID_PERMISSIONS} error code.
 *
 * @param permissions the (invalid) permission strings to submit
 */
private void testInvalidPermissionScenario(final List<String> permissions) {
    boolean rejected = false;
    try {
        securityApi.addRoleDefinition("failed", permissions, callContext);
    } catch (final SecurityApiException expected) {
        rejected = true;
        Assert.assertEquals(expected.getCode(), ErrorCode.SECURITY_INVALID_PERMISSIONS.getCode());
    }
    if (!rejected) {
        Assert.fail("Should fail permissions " + permissions + " were invalid");
    }
}
/** Test helper: ends the current subject's session through the security API. */
protected void logout() { securityApi.logout(); }
/**
 * Returns the permissions attached to a role.
 *
 * <p>The tenant is resolved from the request; no account-level scoping is applied.
 *
 * @param role    the role name taken from the path
 * @param request the servlet request, used to resolve the tenant
 * @param uriInfo JAX-RS URI information (not used by this endpoint)
 * @return 200 with the role and its permission list as {@link RoleDefinitionJson}
 * @throws SecurityApiException if the role definition cannot be retrieved
 */
@TimedResource
@GET
@Produces(APPLICATION_JSON)
@Path("/roles/{role:" + ANYTHING_PATTERN + "}")
@ApiOperation(value = "Get role definition", response = RoleDefinitionJson.class)
public Response getRoleDefinition(@PathParam("role") final String role,
                                  @javax.ws.rs.core.Context final HttpServletRequest request,
                                  @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException {
    final RoleDefinitionJson body = new RoleDefinitionJson(
            role,
            securityApi.getRoleDefinition(role, context.createTenantContextNoAccountId(request)));
    return Response.ok(body).build();
}
/**
 * Invalidates an existing user so they can no longer authenticate.
 *
 * @param username  the user to invalidate, taken from the path
 * @param createdBy audit header: who performed the change
 * @param reason    audit header: reason code
 * @param comment   audit header: free-form comment
 * @param request   the servlet request, used to build the call context
 * @param uriInfo   JAX-RS URI information (not used by this endpoint)
 * @return 204 on success
 * @throws SecurityApiException if the user cannot be invalidated
 */
@TimedResource
@DELETE
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
@Path("/users/{username:" + ANYTHING_PATTERN + "}")
@ApiOperation(value = "Invalidate an existing user")
@ApiResponses(value = {@ApiResponse(code = 204, message = "Successful operation")})
public Response invalidateUser(@PathParam("username") final String username,
                               @HeaderParam(HDR_CREATED_BY) final String createdBy,
                               @HeaderParam(HDR_REASON) final String reason,
                               @HeaderParam(HDR_COMMENT) final String comment,
                               @javax.ws.rs.core.Context final HttpServletRequest request,
                               @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException {
    // The audit headers travel with the call context so the change is attributable.
    securityApi.invalidateUser(username,
                               context.createCallContextNoAccountId(createdBy, reason, comment, request));
    return Response.noContent().build();
}
/**
 * Replaces the set of roles associated with a user.
 *
 * <p>Only the {@code roles} field of the body is consumed here; the username comes
 * from the path.
 *
 * @param username  the user to update, taken from the path
 * @param json      request body carrying the new role list
 * @param createdBy audit header: who performed the change
 * @param reason    audit header: reason code
 * @param comment   audit header: free-form comment
 * @param request   the servlet request, used to build the call context
 * @param uriInfo   JAX-RS URI information (not used by this endpoint)
 * @return 204 on success
 * @throws SecurityApiException if the roles cannot be updated
 */
@TimedResource
@PUT
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
@Path("/users/{username:" + ANYTHING_PATTERN + "}/roles")
@ApiOperation(value = "Update roles associated to a user")
@ApiResponses(value = {@ApiResponse(code = 204, message = "Successful operation")})
public Response updateUserRoles(@PathParam("username") final String username,
                                final UserRolesJson json,
                                @HeaderParam(HDR_CREATED_BY) final String createdBy,
                                @HeaderParam(HDR_REASON) final String reason,
                                @HeaderParam(HDR_COMMENT) final String comment,
                                @javax.ws.rs.core.Context final HttpServletRequest request,
                                @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException {
    securityApi.updateUserRoles(username,
                                json.getRoles(),
                                context.createCallContextNoAccountId(createdBy, reason, comment, request));
    return Response.noContent().build();
}
/**
 * Sets a new password for a user.
 *
 * <p>Only the {@code password} field of the body is consumed here; the username comes
 * from the path. The new password is passed straight to the security API and is not
 * logged or echoed back.
 *
 * @param username  the user to update, taken from the path
 * @param json      request body carrying the new password
 * @param createdBy audit header: who performed the change
 * @param reason    audit header: reason code
 * @param comment   audit header: free-form comment
 * @param request   the servlet request, used to build the call context
 * @param uriInfo   JAX-RS URI information (not used by this endpoint)
 * @return 204 on success
 * @throws SecurityApiException if the password cannot be updated
 */
@TimedResource
@PUT
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
@Path("/users/{username:" + ANYTHING_PATTERN + "}/password")
@ApiOperation(value = "Update a user password")
@ApiResponses(value = {@ApiResponse(code = 204, message = "Successful operation")})
public Response updateUserPassword(@PathParam("username") final String username,
                                   final UserRolesJson json,
                                   @HeaderParam(HDR_CREATED_BY) final String createdBy,
                                   @HeaderParam(HDR_REASON) final String reason,
                                   @HeaderParam(HDR_COMMENT) final String comment,
                                   @javax.ws.rs.core.Context final HttpServletRequest request,
                                   @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException {
    securityApi.updateUserPassword(username,
                                   json.getPassword(),
                                   context.createCallContextNoAccountId(createdBy, reason, comment, request));
    return Response.noContent().build();
}
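/**
 * Replaces the permission list of an existing role.
 *
 * <p>The role name and its new permissions are both taken from the body.
 *
 * @param json      request body carrying the role name and its full new permission list
 * @param createdBy audit header: who performed the change
 * @param reason    audit header: reason code
 * @param comment   audit header: free-form comment
 * @param request   the servlet request, used to build the call context
 * @param uriInfo   JAX-RS URI information (not used by this endpoint)
 * @return 204 on success
 * @throws SecurityApiException if the role definition cannot be updated
 */
@TimedResource
@PUT
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
@Path("/roles")
// Swagger summary: previously read "Update a new role definition)" (wrong verb object, stray paren).
@ApiOperation(value = "Update a role definition")
@ApiResponses(value = {@ApiResponse(code = 204, message = "Successful operation")})
public Response updateRoleDefinition(final RoleDefinitionJson json,
                                     @HeaderParam(HDR_CREATED_BY) final String createdBy,
                                     @HeaderParam(HDR_REASON) final String reason,
                                     @HeaderParam(HDR_COMMENT) final String comment,
                                     @javax.ws.rs.core.Context final HttpServletRequest request,
                                     @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException {
    securityApi.updateRoleDefinition(json.getRole(),
                                     json.getPermissions(),
                                     context.createCallContextNoAccountId(createdBy, reason, comment, request));
    return Response.status(Status.NO_CONTENT).build();
}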
/**
 * Creates a new API user with an initial set of roles.
 *
 * <p>Username, password and roles are all taken from the body. The password is handed
 * to the security API as-is and is not logged or echoed back.
 *
 * @param json      request body carrying username, password and roles
 * @param createdBy audit header: who performed the change
 * @param reason    audit header: reason code
 * @param comment   audit header: free-form comment
 * @param request   the servlet request, used to build the call context
 * @param uriInfo   JAX-RS URI information, used to build the Location of the new user
 * @return 201 with a Location pointing at {@code getUserRoles} for the new username
 * @throws SecurityApiException if the user cannot be created
 */
@TimedResource
@POST
@Path("/users")
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
@ApiOperation(value = "Add a new user with roles (to make api requests)", response = UserRolesJson.class)
@ApiResponses(value = {@ApiResponse(code = 201, message = "User role created successfully")})
public Response addUserRoles(final UserRolesJson json,
                             @HeaderParam(HDR_CREATED_BY) final String createdBy,
                             @HeaderParam(HDR_REASON) final String reason,
                             @HeaderParam(HDR_COMMENT) final String comment,
                             @javax.ws.rs.core.Context final HttpServletRequest request,
                             @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException {
    final String newUsername = json.getUsername();
    securityApi.addUserRoles(newUsername,
                             json.getPassword(),
                             json.getRoles(),
                             context.createCallContextNoAccountId(createdBy, reason, comment, request));
    // Point the caller at the resource that reads this user's roles back.
    return uriBuilder.buildResponse(uriInfo, SecurityResource.class, "getUserRoles", newUsername, request);
}
final String password = "supperCompli43cated"; securityApi.addRoleDefinition("root", ImmutableList.of("*"), callContext); securityApi.addUserRoles(username, password, ImmutableList.of("root"), callContext); final DelegatingSubject subject = new DelegatingSubject(securityManager); securityApi.updateUserPassword(username, newPassword, callContext); securityApi.invalidateUser(username, callContext);
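/**
 * Exercises role-based authorization end to end: a user attached to a role is granted
 * exactly that role's permissions, and swapping the user's roles takes effect on the
 * next login.
 *
 * @throws SecurityApiException if roles or users cannot be created or updated
 */
@Test(groups = "slow")
public void testAuthorization() throws SecurityApiException {
    final String username = "i like";
    final String password = "c0ff33";

    securityApi.addRoleDefinition("restricted", ImmutableList.of("account:*", "invoice", "tag:create_tag_definition"), callContext);
    securityApi.addUserRoles(username, password, ImmutableList.of("restricted"), callContext);

    final AuthenticationToken goodToken = new UsernamePasswordToken(username, password);

    final Subject subject = securityManager.login(null, goodToken);
    subject.checkPermission(Permission.ACCOUNT_CAN_CHARGE.toString());
    subject.checkPermission(Permission.INVOICE_CAN_CREDIT.toString());
    subject.checkPermission(Permission.TAG_CAN_CREATE_TAG_DEFINITION.toString());
    assertPermissionDenied(subject, Permission.TAG_CAN_DELETE_TAG_DEFINITION,
                           "Subject should not have rights to delete tag definitions");
    subject.logout();

    // Move the user to a role that trades "create" for "delete"; it must apply on re-login.
    securityApi.addRoleDefinition("newRestricted", ImmutableList.of("account:*", "invoice", "tag:delete_tag_definition"), callContext);
    securityApi.updateUserRoles(username, ImmutableList.of("newRestricted"), callContext);

    final Subject newSubject = securityManager.login(null, goodToken);
    newSubject.checkPermission(Permission.ACCOUNT_CAN_CHARGE.toString());
    newSubject.checkPermission(Permission.INVOICE_CAN_CREDIT.toString());
    newSubject.checkPermission(Permission.TAG_CAN_DELETE_TAG_DEFINITION.toString());
    assertPermissionDenied(newSubject, Permission.TAG_CAN_CREATE_TAG_DEFINITION,
                           "Subject should not have rights to create tag definitions");
    // Release the second session as well, mirroring the first subject's cleanup.
    newSubject.logout();
}

/**
 * Asserts that {@code subject} is denied {@code permission}. Shiro reports denial by
 * throwing {@link AuthorizationException}; a normal return means the check wrongly passed.
 */
private static void assertPermissionDenied(final Subject subject, final Permission permission, final String failureMessage) {
    try {
        subject.checkPermission(permission.toString());
        Assert.fail(failureMessage);
    } catch (final AuthorizationException expected) {
        // Expected: the subject does not hold this permission.
    }
}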
/**
 * Checks that a role created with {@code null} or an empty permission list is stored
 * with no permissions at all.
 *
 * @throws SecurityApiException if a role cannot be created
 */
@Test(groups = "slow")
public void testEmptyPermissions() throws SecurityApiException {
    final ImmutableList<String> noPermissions = ImmutableList.of();

    // null and an explicit empty list must both end up as "no permissions".
    securityApi.addRoleDefinition("sanity1", null, callContext);
    securityApi.addRoleDefinition("sanity2", noPermissions, callContext);

    for (final String role : ImmutableList.of("sanity1", "sanity2")) {
        validateUserRoles(securityApi.getRoleDefinition(role, callContext), noPermissions);
    }
}
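/**
 * Creates a new role with the given permissions.
 *
 * <p>The role name and its permissions are both taken from the body.
 *
 * @param json      request body carrying the role name and permission list
 * @param createdBy audit header: who performed the change
 * @param reason    audit header: reason code
 * @param comment   audit header: free-form comment
 * @param request   the servlet request, used to build the call context
 * @param uriInfo   JAX-RS URI information, used to build the Location of the new role
 * @return 201 with a Location pointing at {@code getRoleDefinition} for the new role
 * @throws SecurityApiException if the role cannot be created
 */
@TimedResource
@POST
@Path("/roles")
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
// Swagger summary: previously read "Add a new role definition)" with a stray closing paren.
@ApiOperation(value = "Add a new role definition", response = RoleDefinitionJson.class)
@ApiResponses(value = {@ApiResponse(code = 201, message = "Role definition created successfully")})
public Response addRoleDefinition(final RoleDefinitionJson json,
                                  @HeaderParam(HDR_CREATED_BY) final String createdBy,
                                  @HeaderParam(HDR_REASON) final String reason,
                                  @HeaderParam(HDR_COMMENT) final String comment,
                                  @javax.ws.rs.core.Context final HttpServletRequest request,
                                  @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException {
    securityApi.addRoleDefinition(json.getRole(),
                                  json.getPermissions(),
                                  context.createCallContextNoAccountId(createdBy, reason, comment, request));
    return uriBuilder.buildResponse(uriInfo, SecurityResource.class, "getRoleDefinition", json.getRole(), request);
}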
/** Test helper: ends the current subject's session through the security API. */
protected void logout() { securityApi.logout(); }
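/**
 * Verifies that a role definition can be replaced wholesale, that the security API
 * canonicalizes bare permission groups (e.g. {@code invoice} is stored as
 * {@code invoice:*}), and that updating with an empty list strips every permission.
 *
 * @throws SecurityApiException if the role or user cannot be created or updated
 */
@Test(groups = "slow")
public void testUpdateRoleDefinition() throws SecurityApiException {
    final String username = "siskiyou";
    final String password = "siskiyou33";

    securityApi.addRoleDefinition("original", ImmutableList.of("account:*", "invoice", "tag:create_tag_definition"), callContext);
    // NOTE(review): the user is attached to "restricted", not to the "original" role created
    // just above; presumably relies on a role seeded elsewhere — confirm this is intended.
    securityApi.addUserRoles(username, password, ImmutableList.of("restricted"), callContext);

    final List<String> roleDefinition = securityApi.getRoleDefinition("original", callContext);
    Assert.assertEquals(roleDefinition.size(), 3);
    Assert.assertTrue(roleDefinition.contains("account:*"));
    // Bare "invoice" is expected back in its canonical wildcard form.
    Assert.assertTrue(roleDefinition.contains("invoice:*"));
    Assert.assertTrue(roleDefinition.contains("tag:create_tag_definition"));

    securityApi.updateRoleDefinition("original", ImmutableList.of("account:*", "payment", "tag:create_tag_definition", "entitlement:create"), callContext);
    final List<String> updatedRoleDefinition = securityApi.getRoleDefinition("original", callContext);
    Assert.assertEquals(updatedRoleDefinition.size(), 4);
    Assert.assertTrue(updatedRoleDefinition.contains("account:*"));
    Assert.assertTrue(updatedRoleDefinition.contains("payment:*"));
    Assert.assertTrue(updatedRoleDefinition.contains("tag:create_tag_definition"));
    Assert.assertTrue(updatedRoleDefinition.contains("entitlement:create"));

    // An empty update must leave the role with no permissions at all.
    securityApi.updateRoleDefinition("original", ImmutableList.<String>of(), callContext);
    Assert.assertEquals(securityApi.getRoleDefinition("original", callContext).size(), 0);
}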