/**
 * Handles removal of a system role from a user group principal.
 *
 * <p>Only {@link AuthRole#CLOUD_ADMIN} is supported, in which case the work is
 * delegated to {@code handleCloudAdminGroupUnassignment()}. Every other role is
 * rejected with a failed result (fail closed) rather than silently ignored.
 *
 * @param role the role to unassign from the group
 * @return a result that completes once the unassignment is done, or fails with a
 *         {@link LocalizableValidationException} for an unsupported role
 */
private DeferredResult<Void> handleUserGroupRoleUnassignment(AuthRole role) {
    if (role != AuthRole.CLOUD_ADMIN) {
        return DeferredResult.failed(new LocalizableValidationException(
                ROLE_NOT_SUPPORTED_MESSAGE, ROLE_NOT_SUPPORTED_MESSAGE_CODE, role.name()));
    }
    return handleCloudAdminGroupUnassignment();
}
/**
 * Handles granting a system role to a user group principal.
 *
 * <p>Only {@link AuthRole#CLOUD_ADMIN} is supported; the grant is delegated to
 * {@code handleCloudAdminGroupAssignment(principalId)} using this handler's
 * {@code principalId}. Every other role is rejected with a failed result (fail closed).
 *
 * @param role the role to assign to the group
 * @return a result that completes once the assignment is done, or fails with a
 *         {@link LocalizableValidationException} for an unsupported role
 */
private DeferredResult<Void> handleUserGroupRoleAssignment(AuthRole role) {
    if (role != AuthRole.CLOUD_ADMIN) {
        return DeferredResult.failed(new LocalizableValidationException(
                ROLE_NOT_SUPPORTED_MESSAGE, ROLE_NOT_SUPPORTED_MESSAGE_CODE, role.name()));
    }
    return handleCloudAdminGroupAssignment(principalId);
}
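/**
 * Resolves the principals behind a set of user group links bound to a project role.
 *
 * <p>The role's own default project group (the user group whose link is built from
 * {@code role.buildRoleWithSuffix(projectId)}) is skipped, so only the additional
 * groups bound to the role are returned.
 *
 * @param service            the service issuing the principal lookups
 * @param requestorOperation the operation on whose behalf the lookups run
 * @param groupLinks         user group document links; {@code null} or empty yields
 *                           an empty list
 * @param projectId          the project the role is scoped to; must be non-empty
 * @param role               one of PROJECT_ADMIN, PROJECT_MEMBER or PROJECT_VIEWER
 * @return a result holding one {@link Principal} per non-default group link; fails
 *         with {@link LocalizableValidationException} when {@code projectId} is
 *         missing, and with {@link IllegalArgumentException} when {@code role} is not
 *         an accepted project role (including {@code null})
 */
private static DeferredResult<List<Principal>> getGroupPrincipals(Service service,
        Operation requestorOperation, Set<String> groupLinks, String projectId,
        AuthRole role) {
    if (projectId == null || projectId.isEmpty()) {
        return DeferredResult.failed(new LocalizableValidationException(
                String.format(PROPERTY_CANNOT_BE_EMPTY_MESSAGE_FORMAT, "projectId"),
                "common.assertion.property.not.empty", "projectId"));
    }
    if (groupLinks == null || groupLinks.isEmpty()) {
        return DeferredResult.completed(new ArrayList<>());
    }
    // Allowlist of roles this lookup serves; anything else fails closed.
    // NOTE(review): PROJECT_MEMBER_EXTENDED is handled by createProjectResourceGroup
    // elsewhere but is not accepted here — confirm whether that is intended.
    EnumSet<AuthRole> projectRoles = EnumSet.of(AuthRole.PROJECT_ADMIN,
            AuthRole.PROJECT_MEMBER, AuthRole.PROJECT_VIEWER);
    if (role == null || !projectRoles.contains(role)) {
        // A null role used to escape as a synchronous NullPointerException from
        // role.name(); report it through the result like any other bad role. The
        // message also gains the space that was missing after the role name.
        String roleName = role == null ? "null" : role.name();
        return DeferredResult.failed(new IllegalArgumentException(
                roleName + " is not project role."));
    }
    String defaultProjectGroupLink = UriUtils.buildUriPath(UserGroupService.FACTORY_LINK,
            role.buildRoleWithSuffix(projectId));
    List<DeferredResult<Principal>> lookups = new ArrayList<>();
    for (String groupLink : groupLinks) {
        // The default project group is implied by the role itself; only look up the rest.
        if (defaultProjectGroupLink.equals(groupLink)) {
            continue;
        }
        lookups.add(PrincipalUtil.getPrincipal(service, requestorOperation,
                Service.getId(groupLink)));
    }
    return DeferredResult.allOf(lookups);
}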
/**
 * Handles removal of a system role from a user principal.
 *
 * <p>Only {@link AuthRole#CLOUD_ADMIN} is supported: the user identified by
 * {@code principalId} is removed from the cloud admins user group. Every other role
 * is rejected with a failed result (fail closed).
 *
 * @param role the role to unassign from the user
 * @return a result that completes once the group has been updated, or fails with a
 *         {@link LocalizableValidationException} for an unsupported role
 */
private DeferredResult<Void> handleUserRoleUnassignment(AuthRole role) {
    if (role != AuthRole.CLOUD_ADMIN) {
        return DeferredResult.failed(new LocalizableValidationException(
                ROLE_NOT_SUPPORTED_MESSAGE, ROLE_NOT_SUPPORTED_MESSAGE_CODE, role.name()));
    }
    List<String> usersToRemove = Collections.singletonList(principalId);
    return UserGroupsUpdater.create()
            .setService(service)
            .setGroupLink(CLOUD_ADMINS_USER_GROUP_LINK)
            .setUsersToRemove(usersToRemove)
            .update();
}
/**
 * Creates the resource group that backs a project role.
 *
 * @param projectState the project whose id (taken from {@code documentSelfLink}) the
 *                     resource group is built for
 * @param role         one of the project roles (admin, viewer, member, extended member)
 * @return a result holding the created {@link ResourceGroupState}
 * @throws IllegalStateException synchronously when {@code role} is not a project role
 */
private DeferredResult<ResourceGroupState> createProjectResourceGroup(
        ProjectState projectState, AuthRole role) {
    String projectId = Service.getId(projectState.documentSelfLink);
    ResourceGroupState resourceGroupState = buildProjectResourceGroupForRole(projectId, role);
    return getHost().sendWithDeferredResult(
            buildCreateResourceGroupOperation(resourceGroupState), ResourceGroupState.class);
}

/**
 * Maps a project role to the resource group definition for the given project.
 *
 * @param projectId the project id
 * @param role      the project role
 * @return the resource group state to create
 * @throws IllegalStateException when {@code role} is not a project role
 */
private static ResourceGroupState buildProjectResourceGroupForRole(String projectId,
        AuthRole role) {
    switch (role) {
    case PROJECT_ADMIN:
        return AuthUtil.buildProjectAdminResourceGroup(projectId);
    case PROJECT_VIEWER:
        return AuthUtil.buildProjectViewerResourceGroup(projectId);
    case PROJECT_MEMBER:
        return AuthUtil.buildProjectMemberResourceGroup(projectId);
    case PROJECT_MEMBER_EXTENDED:
        return AuthUtil.buildProjectExtendedMemberResourceGroup(projectId);
    default:
        // Non-project roles must never get a project resource group.
        throw new IllegalStateException(
                String.format("%s is not project role.", role.name()));
    }
}
/**
 * Handles granting a system role to a user principal.
 *
 * <p>Only {@link AuthRole#CLOUD_ADMIN} is supported. The user document for
 * {@code principalId} is fetched or created first, and only then is the user added
 * to the cloud admins user group. Every other role is rejected with a failed result
 * (fail closed).
 *
 * @param role the role to assign to the user
 * @return a result that completes once the group has been updated, or fails with a
 *         {@link LocalizableValidationException} for an unsupported role
 */
private DeferredResult<Void> handleUserRoleAssignment(AuthRole role) {
    if (role == AuthRole.CLOUD_ADMIN) {
        // Ensure the user exists before touching group membership; the user value
        // itself is not needed afterwards.
        return PrincipalUtil.getOrCreateUser(service, principalId)
                .thenCompose(ignoredUser -> UserGroupsUpdater.create()
                        .setService(service)
                        .setGroupLink(AuthUtil.CLOUD_ADMINS_USER_GROUP_LINK)
                        .setUsersToAdd(Collections.singletonList(principalId))
                        .update());
    }
    return DeferredResult.failed(new LocalizableValidationException(
            ROLE_NOT_SUPPORTED_MESSAGE, ROLE_NOT_SUPPORTED_MESSAGE_CODE, role.name()));
}
/**
 * Granting CLOUD_ADMIN to a user must put the user into the cloud admins user group.
 */
@Test
public void testAssignRoleToUser() throws Throwable {
    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    grant.add = new ArrayList<>(Collections.singletonList(AuthRole.CLOUD_ADMIN.name()));
    doRoleAssignment(grant, USER_EMAIL_BASIC_USER);

    String userPath = buildUserServicePath(USER_EMAIL_BASIC_USER);
    UserState userState = getDocument(UserState.class, userPath);
    assertNotNull(userState);
    assertTrue(userState.userGroupLinks.contains(CLOUD_ADMINS_USER_GROUP_LINK));
}
/**
 * Revoking CLOUD_ADMIN must remove the user from the cloud admins user group again.
 */
@Test
public void testUnAssignRoleToUser() throws Throwable {
    String userPath = buildUserServicePath(USER_EMAIL_BASIC_USER);
    String cloudAdmin = AuthRole.CLOUD_ADMIN.name();

    // Assign.
    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    grant.add = new ArrayList<>(Collections.singletonList(cloudAdmin));
    doRoleAssignment(grant, USER_EMAIL_BASIC_USER);
    UserState afterGrant = getDocument(UserState.class, userPath);
    assertNotNull(afterGrant);
    assertTrue(afterGrant.userGroupLinks.contains(CLOUD_ADMINS_USER_GROUP_LINK));

    // Unassign.
    PrincipalRoleAssignment revoke = new PrincipalRoleAssignment();
    revoke.remove = new ArrayList<>(Collections.singletonList(cloudAdmin));
    doRoleAssignment(revoke, USER_EMAIL_BASIC_USER);

    // Verify the membership is really gone, not merely unchanged.
    UserState afterRevoke = getDocument(UserState.class, userPath);
    assertNotNull(afterRevoke);
    assertTrue(!afterRevoke.userGroupLinks.contains(CLOUD_ADMINS_USER_GROUP_LINK));
}
/**
 * Grant, revoke and re-grant CLOUD_ADMIN on the same user; group membership must
 * track each step (present, absent, present).
 */
@Test
public void testAssignRoleToUserTwice() throws Throwable {
    String userPath = buildUserServicePath(USER_EMAIL_BASIC_USER);
    String cloudAdmin = AuthRole.CLOUD_ADMIN.name();

    // true = assign, false = unassign; the expected membership equals the step flag.
    boolean[] grantSteps = { true, false, true };
    for (boolean grant : grantSteps) {
        PrincipalRoleAssignment step = new PrincipalRoleAssignment();
        if (grant) {
            step.add = new ArrayList<>(Collections.singletonList(cloudAdmin));
        } else {
            step.remove = new ArrayList<>(Collections.singletonList(cloudAdmin));
        }
        doRoleAssignment(step, USER_EMAIL_BASIC_USER);

        UserState userState = getDocument(UserState.class, userPath);
        assertNotNull(userState);
        assertTrue(userState.userGroupLinks.contains(CLOUD_ADMINS_USER_GROUP_LINK) == grant);
    }
}
/**
 * Granting CLOUD_ADMIN to a user group must create a role document whose user group
 * link points at that group.
 */
@Test
public void testAssignRoleToUserGroup() throws Throwable {
    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    grant.add = new ArrayList<>(Collections.singletonList(AuthRole.CLOUD_ADMIN.name()));
    doRoleAssignment(grant, USER_GROUP_DEVELOPERS);

    String encodedGroup = encode(USER_GROUP_DEVELOPERS);
    String roleLink = UriUtils.buildUriPath(RoleService.FACTORY_LINK,
            AuthRole.CLOUD_ADMIN.buildRoleWithSuffix(encodedGroup));
    RoleState roleState = getDocument(RoleState.class, roleLink);
    assertNotNull(roleState);

    String expectedGroupLink = UriUtils.buildUriPath(UserGroupService.FACTORY_LINK,
            encodedGroup);
    assertEquals(expectedGroupLink, roleState.userGroupLink);
}
/**
 * Granting CLOUD_ADMIN to a principal whose user document has been deleted must
 * recreate the user document and yield a security context carrying CLOUD_ADMIN as
 * well as the basic user roles.
 */
@Test
public void testAssignSystemRoleOnPrincipalWithoutUserState() {
    String encodedConnie = encode(USER_EMAIL_CONNIE);
    String conniePath = AuthUtil.buildUserServicePathFromPrincipalId(encodedConnie);

    // Precondition: no user document for the principal.
    deleteUser(encodedConnie);
    assertDocumentNotExists(conniePath);

    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    grant.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.name());
    String rolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK, USER_EMAIL_CONNIE,
            PrincipalService.ROLES_SUFFIX);
    doPatch(grant, rolesLink);

    assertDocumentExists(conniePath);
    SecurityContext connieContext = getSecurityContext(USER_EMAIL_CONNIE);
    assertTrue(connieContext.roles.contains(AuthRole.CLOUD_ADMIN));
    assertTrue(connieContext.roles.contains(AuthRole.BASIC_USER));
    assertTrue(connieContext.roles.contains(AuthRole.BASIC_USER_EXTENDED));
}
/**
 * Granting CLOUD_ADMIN to a group whose user group document has been deleted must
 * recreate the group document and yield a security context carrying CLOUD_ADMIN as
 * well as the basic user roles.
 */
@Test
public void testAssignSystemRoleOnPrincipalWithoutUserGroupState() {
    String encodedDevelopers = encode(USER_GROUP_DEVELOPERS);
    String groupLink = UriUtils.buildUriPath(UserGroupService.FACTORY_LINK, encodedDevelopers);

    // Precondition: no user group document for the principal.
    deleteUserGroup(encodedDevelopers);
    assertDocumentNotExists(groupLink);

    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    grant.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.name());
    String rolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK, USER_GROUP_DEVELOPERS,
            PrincipalService.ROLES_SUFFIX);
    doPatch(grant, rolesLink);

    assertDocumentExists(groupLink);
    SecurityContext developersContext = getSecurityContext(USER_GROUP_DEVELOPERS);
    assertTrue(developersContext.roles.contains(AuthRole.CLOUD_ADMIN));
    assertTrue(developersContext.roles.contains(AuthRole.BASIC_USER));
    assertTrue(developersContext.roles.contains(AuthRole.BASIC_USER_EXTENDED));
}
/**
 * A group principal that holds CLOUD_ADMIN and is a project administrator must report
 * both through the roles endpoint, by id and via the criteria/roles query.
 */
@Test
public void testGetRolesForPrincipalOfTypeGroup() throws Throwable {
    String rolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK, USER_GROUP_SUPERUSERS,
            PrincipalService.ROLES_SUFFIX);

    // System role: CLOUD_ADMIN on the group.
    PrincipalRoleAssignment systemGrant = new PrincipalRoleAssignment();
    systemGrant.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.name());
    doPatch(systemGrant, rolesLink);

    // Project role: the group administers a freshly created project.
    ProjectState project = new ProjectState();
    project.name = "test";
    project = doPost(project, ProjectFactoryService.SELF_LINK);
    ProjectRoles projectRoles = new ProjectRoles();
    projectRoles.administrators = new PrincipalRoleAssignment();
    projectRoles.administrators.add = Collections.singletonList(USER_GROUP_SUPERUSERS);
    doPatch(projectRoles, project.documentSelfLink);

    // Lookup by principal id.
    SecurityContext contextById = getDocumentNoWait(SecurityContext.class, rolesLink);
    assertEquals(USER_GROUP_SUPERUSERS, contextById.name);
    assertTrue(contextById.roles.contains(AuthRole.CLOUD_ADMIN));
    assertEquals(1, contextById.projects.size());
    assertTrue(contextById.projects.get(0).roles.contains(AuthRole.PROJECT_ADMIN));

    // Lookup through the criteria query with roles requested.
    URI queryUri = UriUtils.buildUri(UriUtils.buildUriPath(PrincipalService.SELF_LINK));
    queryUri = UriUtils.extendUriWithQuery(queryUri,
            PrincipalService.CRITERIA_QUERY, USER_GROUP_SUPERUSERS,
            PrincipalService.ROLES_QUERY, PrincipalService.ROLES_QUERY_VALUE);
    PrincipalRoles[] matches = getDocumentNoWait(PrincipalRoles[].class, queryUri.toString());
    assertEquals(1, matches.length);
}
// Grant CLOUD_ADMIN to the principal identified by root.id through its roles endpoint.
roleAssignment.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.name());
doPatch(roleAssignment, UriUtils.buildUriPath(PrincipalService.SELF_LINK, root.id,
        PrincipalService.ROLES_SUFFIX));
// Grant CLOUD_ADMIN to the principal identified by root.id through its roles endpoint.
roleAssignment.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.name());
doPatch(roleAssignment, UriUtils.buildUriPath(PrincipalService.SELF_LINK, root.id,
        PrincipalService.ROLES_SUFFIX));
// Grant CLOUD_ADMIN to the principal identified by root.id through its roles endpoint.
roleAssignment.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.name());
doPatch(roleAssignment, UriUtils.buildUriPath(PrincipalService.SELF_LINK, root.id,
        PrincipalService.ROLES_SUFFIX));
// Grant CLOUD_ADMIN to the principal named by `developers` through its roles endpoint.
PrincipalRoleAssignment roleAssignment = new PrincipalRoleAssignment();
roleAssignment.add = new ArrayList<>();
roleAssignment.add.add(AuthRole.CLOUD_ADMIN.name());
doPatch(roleAssignment, UriUtils.buildUriPath(PrincipalService.SELF_LINK, developers,
        PrincipalService.ROLES_SUFFIX));