/**
 * Checks that {@code principal} passes enforcement for every {@link Action} on each given entity.
 *
 * <p>There is no explicit JUnit assertion here: the check relies entirely on
 * {@code Authorizer.enforce} raising when a privilege is missing, which then propagates to the caller.
 * Calling this with no entity ids performs no enforcement at all and returns normally.
 *
 * @param principal the principal whose access is being verified
 * @param entityIds the entities on which all actions are enforced, in the order given
 * @throws Exception whatever {@code enforce} raises for the first entity that fails
 */
private void assertAllAccess(Principal principal, EntityId... entityIds) throws Exception {
  for (int i = 0; i < entityIds.length; i++) {
    EntityId target = entityIds[i];
    // A fresh full action set per entity, exactly as many actions as the Action enum declares.
    EnumSet<Action> everyAction = EnumSet.allOf(Action.class);
    getAuthorizer().enforce(target, principal, everyAction);
  }
}
/**
 * Asserts that {@code principal} holds no privilege on {@code entityId}.
 *
 * <p>Lists every privilege of the principal and keeps only those whose authorizable equals
 * {@code Authorizable.fromEntityId(entityId)}; the filtered set must be empty. Privileges held on
 * other entities are ignored. The check inspects the privilege listing only; it does not call
 * {@code enforce}.
 *
 * <p>NOTE(review): the match is an exact {@code equals} on the authorizable, so a privilege granted on a
 * parent entity would not be counted here. Confirm whether the authorizer treats such a grant as access.
 *
 * @param principal the principal expected to have no privilege on the entity
 * @param entityId the entity to check
 * @throws Exception if listing the principal's privileges fails
 */
private void assertNoAccess(Principal principal, final EntityId entityId) throws Exception {
  Authorizer authorizer = getAuthorizer();
  // Keeps a privilege only when it targets exactly the entity under test.
  Predicate<Privilege> entityFilter = new Predicate<Privilege>() {
    @Override
    public boolean apply(Privilege input) {
      return Authorizable.fromEntityId(entityId).equals(input.getAuthorizable());
    }
  };
  Assert.assertTrue(Sets.filter(authorizer.listPrivileges(principal), entityFilter).isEmpty());
}

// Single-argument overload; its body is not part of this excerpt.
private void assertNoAccess(final EntityId entityId) throws Exception {
/**
 * Grants {@code actions} on {@code entityId} to {@code principal} and verifies the resulting privilege set.
 *
 * <p>The assertion is an exact set comparison: the principal's privileges after the grant must equal the
 * privileges listed before it plus one {@link Privilege} per granted action. A grant that adds anything
 * beyond the requested actions, or drops an existing privilege, therefore fails the test.
 *
 * <p>NOTE(review): this assumes {@code listPrivileges} returns a snapshot rather than a live view of the
 * authorizer's state. Confirm against the {@code Authorizer} implementation under test.
 *
 * @param entityId the entity the privileges are granted on
 * @param principal the principal receiving the privileges
 * @param actions the actions to grant
 * @throws Exception if the authorizer calls fail
 */
private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
  Authorizer authz = getAuthorizer();

  // Must be read before the grant so it reflects the pre-grant state.
  Set<Privilege> before = authz.listPrivileges(principal);
  authz.grant(Authorizable.fromEntityId(entityId), principal, actions);

  ImmutableSet.Builder<Privilege> granted = ImmutableSet.builder();
  for (Action action : actions) {
    granted.add(new Privilege(entityId, action));
  }

  Set<Privilege> expected = Sets.union(before, granted.build());
  Set<Privilege> after = authz.listPrivileges(principal);
  Assert.assertEquals(expected, after);
}
/**
 * Per-test setup: verifies the starting state and makes ALICE the requesting user.
 *
 * <p>Each test must begin with ALICE holding no privileges at all. A leftover grant from an earlier test
 * would otherwise let an authorization check pass for the wrong reason, so the precondition is asserted
 * rather than assumed.
 *
 * @throws Exception if listing ALICE's privileges fails
 */
@Before
public void setupTest() throws Exception {
  Set<Privilege> none = ImmutableSet.of();
  Assert.assertEquals(none, getAuthorizer().listPrivileges(ALICE));

  // Subsequent calls in the test run under ALICE's identity.
  SecurityRequestContext.setUserId(ALICE.getName());

  // Entities registered here get their privileges revoked in afterTest().
  cleanUpEntities = new HashSet<>();
}
/**
 * Revokes privileges on {@code entityId} and verifies that none remain.
 *
 * <p>Uses the one-argument {@code revoke}, which names no principal or action. Presumably this removes
 * every privilege on the entity for all principals; verify against the {@code Authorizer} contract.
 * The follow-up check is delegated to the single-argument {@code assertNoAccess} overload.
 *
 * @param entityId the entity whose privileges are revoked
 * @throws Exception if the revoke or the follow-up check fails
 */
private void revokeAndAssertSuccess(final EntityId entityId) throws Exception {
  Authorizable target = Authorizable.fromEntityId(entityId);
  getAuthorizer().revoke(target);
  assertNoAccess(entityId);
}
/**
 * Creates the test namespace as ALICE, granting her ADMIN on it first.
 *
 * <p>The grant comes before the create because namespace creation is authorization-checked:
 * {@code testNamespaces} shows the same create call failing with {@code UnauthorizedException} when ALICE
 * has no privilege. After creation, ALICE's privileges must be exactly ADMIN on the namespace, so the
 * create itself must not add or remove any privilege.
 *
 * @throws Exception if the grant, the create or the privilege listing fails
 */
private void createAuthNamespace() throws Exception {
  Authorizer authz = getAuthorizer();

  grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(Action.ADMIN));
  getNamespaceAdmin().create(AUTH_NAMESPACE_META);

  Set<Privilege> adminOnly = ImmutableSet.of(new Privilege(AUTH_NAMESPACE, Action.ADMIN));
  Assert.assertEquals(adminOnly, authz.listPrivileges(ALICE));
}
Authorizer authorizer = getAuthorizer(); ApplicationId dummyAppId = AUTH_NAMESPACE.app(DummyApp.class.getSimpleName()); Map<EntityId, Set<Action>> neededPrivileges = ImmutableMap.<EntityId, Set<Action>>builder() Assert.assertTrue(!getAuthorizer().isVisible(Collections.singleton(dummyAppId), BOB).isEmpty());
/**
 * Per-test teardown: removes the test namespace and every privilege the test granted.
 *
 * <p>ADMIN on the namespace is granted again up front because the namespace calls are authorization-checked
 * ({@code testNamespaces} shows {@code exists} throwing {@code UnauthorizedException} once the privilege
 * is revoked), and a test may have ended with the privilege revoked. The final assertion requires ALICE
 * to be left with no privileges, which is the precondition {@code setupTest} checks for the next test.
 *
 * <p>NOTE(review): this overrides a superclass method without calling {@code super.afterTest()}. Confirm
 * that is intended.
 *
 * @throws Exception if any cleanup step or assertion fails; later steps are then skipped
 */
@After
@Override
public void afterTest() throws Exception {
  Authorizer authz = getAuthorizer();
  SecurityRequestContext.setUserId(ALICE.getName());
  // Principal is taken from the request context, which was just set to ALICE.
  grantAndAssertSuccess(AUTH_NAMESPACE, SecurityRequestContext.toPrincipal(), EnumSet.of(Action.ADMIN));

  // Drop the namespace when a test left it behind, and confirm it is gone.
  if (getNamespaceAdmin().exists(AUTH_NAMESPACE)) {
    getNamespaceAdmin().delete(AUTH_NAMESPACE);
    boolean stillThere = getNamespaceAdmin().exists(AUTH_NAMESPACE);
    Assert.assertFalse(stillThere);
  }

  // Revoke the cleanup grant itself, then everything the test registered for cleanup.
  revokeAndAssertSuccess(AUTH_NAMESPACE);
  for (EntityId leftover : cleanUpEntities) {
    revokeAndAssertSuccess(leftover);
  }

  Assert.assertEquals(Collections.emptySet(), authz.listPrivileges(ALICE));
}
/**
 * Exercises namespace operations as ALICE across three authorization states.
 *
 * <ol>
 *   <li>No privilege: create is rejected with {@code UnauthorizedException}.</li>
 *   <li>ADMIN granted: create, list and get succeed.</li>
 *   <li>Privilege revoked: list returns nothing and the existence check is rejected.</li>
 * </ol>
 * ADMIN is then granted again, and the existence check and a property update are expected to succeed.
 *
 * @throws Exception if an operation fails in a way the test does not expect
 */
@Test
public void testNamespaces() throws Exception {
  NamespaceAdmin admin = getNamespaceAdmin();
  Authorizer authz = getAuthorizer();

  // State 1: ALICE has no privilege, so the create must be denied.
  boolean createDenied = false;
  try {
    admin.create(AUTH_NAMESPACE_META);
  } catch (UnauthorizedException expected) {
    createDenied = true;
  }
  if (!createDenied) {
    Assert.fail("Namespace create should have failed because alice is not authorized on " + AUTH_NAMESPACE);
  }

  // State 2: with ADMIN granted the namespace is created, listed and readable.
  createAuthNamespace();
  Assert.assertTrue(admin.list().contains(AUTH_NAMESPACE_META));
  admin.get(AUTH_NAMESPACE);

  // State 3: after the revoke the namespace must no longer be listed or checkable.
  revokeAndAssertSuccess(AUTH_NAMESPACE);
  // NOTE(review): list() and exists() share one try block, so an UnauthorizedException thrown by list()
  // would also satisfy this check without exists() ever being called.
  boolean existsDenied = false;
  try {
    Assert.assertTrue(admin.list().isEmpty());
    admin.exists(AUTH_NAMESPACE);
  } catch (UnauthorizedException expected) {
    existsDenied = true;
  }
  if (!existsDenied) {
    Assert.fail("Namespace existence check should fail since the privilege of alice has been revoked");
  }

  // Re-grant: the same calls are allowed again and ALICE holds exactly ADMIN on the namespace.
  grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(Action.ADMIN));
  admin.exists(AUTH_NAMESPACE);
  Privilege adminOnNamespace = new Privilege(AUTH_NAMESPACE, Action.ADMIN);
  Assert.assertEquals(ImmutableSet.of(adminOnNamespace), authz.listPrivileges(ALICE));

  NamespaceMeta updated = new NamespaceMeta.Builder(AUTH_NAMESPACE_META).setDescription("new desc").build();
  admin.updateProperties(AUTH_NAMESPACE, updated);
  Assert.assertEquals(updated, admin.get(AUTH_NAMESPACE));
}
// Asks the authorizer to revoke the ADMIN action on appId from BOB. This three-argument call names the
// principal and the actions, unlike the one-argument revoke(Authorizable) used in revokeAndAssertSuccess.
// NOTE(review): presumably other principals' privileges on appId are left untouched; verify against the
// Authorizer contract.
getAuthorizer().revoke(Authorizable.fromEntityId(appId), BOB, EnumSet.of(Action.ADMIN));