/**
 * Grants {@code role} to a principal by PATCHing the principal roles endpoint
 * ({@code PrincipalService.SELF_LINK/<principalId>/roles}) with an "add" list.
 *
 * @param role        role name to grant, e.g. {@code AuthRole.CLOUD_ADMIN.name()}
 * @param principalId id of the user or group that receives the role
 * @return completes once the PATCH has been answered; the response document is
 *         not needed by callers and is dropped
 */
private DeferredResult<Void> assignPrincipal(String role, String principalId) {
    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    grant.add = new ArrayList<>();
    grant.add.add(role);

    String rolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK, principalId,
            PrincipalService.ROLES_SUFFIX);
    Operation patch = Operation.createPatch(this, rolesLink).setBody(grant);

    return sendWithDeferredResult(patch).thenAccept(unused -> { });
}
/**
 * Revokes {@code role} from a principal by PATCHing the principal roles endpoint
 * ({@code PrincipalService.SELF_LINK/<principalId>/roles}) with a "remove" list.
 *
 * @param role        role name to revoke, e.g. {@code AuthRole.CLOUD_ADMIN.name()}
 * @param principalId id of the user or group that loses the role
 * @return completes once the PATCH has been answered; the response document is
 *         not needed by callers and is dropped
 */
private DeferredResult<Void> unassignPrincipal(String role, String principalId) {
    PrincipalRoleAssignment revoke = new PrincipalRoleAssignment();
    revoke.remove = new ArrayList<>();
    revoke.remove.add(role);

    String rolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK, principalId,
            PrincipalService.ROLES_SUFFIX);
    Operation patch = Operation.createPatch(this, rolesLink).setBody(revoke);

    return sendWithDeferredResult(patch).thenAccept(unused -> { });
}
/**
 * Creates the project used by the tests and seeds its role assignments:
 * {@code USER_EMAIL_ADMIN} becomes both administrator and member, and
 * {@code USER_EMAIL_BASIC_USER} becomes a viewer.
 *
 * The project carries the mocked Harbor project index as a custom property so
 * that {@code MockHarborApiProxyService} can be correlated with it.
 *
 * @return the project state re-read from its self link after the roles PATCH
 * @throws Throwable propagated from the document helpers
 */
private ProjectState createTestProject() throws Throwable {
    // Custom property tying this project to the mocked Harbor project id.
    HashMap<String, String> props = new HashMap<>();
    props.put(ProjectService.CUSTOM_PROPERTY_PROJECT_INDEX,
            String.valueOf(MockHarborApiProxyService.MOCKED_PROJECT_ID));

    ProjectState created = createProject(TEST_PROJECT_NAME, props);

    PrincipalRoleAssignment admins = new PrincipalRoleAssignment();
    admins.add = Collections.singletonList(USER_EMAIL_ADMIN);
    PrincipalRoleAssignment members = new PrincipalRoleAssignment();
    members.add = Collections.singletonList(USER_EMAIL_ADMIN);
    PrincipalRoleAssignment viewers = new PrincipalRoleAssignment();
    viewers.add = Collections.singletonList(USER_EMAIL_BASIC_USER);

    ProjectRoles roles = new ProjectRoles();
    roles.administrators = admins;
    roles.members = members;
    roles.viewers = viewers;
    doPatch(roles, created.documentSelfLink);

    // Re-read so the returned state reflects the role assignment.
    return getDocument(ProjectState.class, created.documentSelfLink);
}
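/**
 * A group principal can hold a system role and a project role at the same
 * time, and both must be visible through the principal roles endpoint and the
 * principal roles query.
 *
 * Steps: grant {@code CLOUD_ADMIN} to {@code USER_GROUP_SUPERUSERS}, create a
 * project and make the group its administrator, then read the group's
 * {@link SecurityContext} and the {@link PrincipalRoles} listing.
 *
 * @throws Throwable propagated from the document helpers
 */
@Test
public void testGetRolesForPrincipalOfTypeGroup() throws Throwable {
    String groupRolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK,
            USER_GROUP_SUPERUSERS, PrincipalService.ROLES_SUFFIX);

    // System role on the group.
    PrincipalRoleAssignment systemRole = new PrincipalRoleAssignment();
    systemRole.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.name());
    doPatch(systemRole, groupRolesLink);

    // Project role on the same group.
    ProjectState project = new ProjectState();
    project.name = "test";
    project = doPost(project, ProjectFactoryService.SELF_LINK);

    ProjectRoles projectRoles = new ProjectRoles();
    projectRoles.administrators = new PrincipalRoleAssignment();
    projectRoles.administrators.add = Collections.singletonList(USER_GROUP_SUPERUSERS);
    doPatch(projectRoles, project.documentSelfLink);

    // assertEquals reports the actual value on failure; assertTrue(a == b) does not.
    SecurityContext context = getDocumentNoWait(SecurityContext.class, groupRolesLink);
    assertEquals(USER_GROUP_SUPERUSERS, context.name);
    assertTrue(context.roles.contains(AuthRole.CLOUD_ADMIN));
    assertEquals(1, context.projects.size());
    assertTrue(context.projects.get(0).roles.contains(AuthRole.PROJECT_ADMIN));

    // The roles query filtered on the group must return exactly one entry.
    URI query = UriUtils.buildUri(UriUtils.buildUriPath(PrincipalService.SELF_LINK));
    query = UriUtils.extendUriWithQuery(query,
            PrincipalService.CRITERIA_QUERY, USER_GROUP_SUPERUSERS,
            PrincipalService.ROLES_QUERY, PrincipalService.ROLES_QUERY_VALUE);
    PrincipalRoles[] listing = getDocumentNoWait(PrincipalRoles[].class, query.toString());
    assertEquals(1, listing.length);
}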
/**
 * Grant, revoke, then grant {@code CLOUD_ADMIN} again on the same user: the
 * user must be in the cloud-admins user group exactly while a grant is in
 * effect, and a re-grant after a revoke must behave like the first grant.
 *
 * @throws Throwable propagated from the document helpers
 */
@Test
public void testAssignRoleToUserTwice() throws Throwable {
    String role = AuthRole.CLOUD_ADMIN.name();
    String userLink = buildUserServicePath(USER_EMAIL_BASIC_USER);

    // First grant.
    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    grant.add = new ArrayList<>();
    grant.add.add(role);
    doRoleAssignment(grant, USER_EMAIL_BASIC_USER);

    UserState user = getDocument(UserState.class, userLink);
    assertNotNull(user);
    assertTrue(user.userGroupLinks.contains(CLOUD_ADMINS_USER_GROUP_LINK));

    // Revoke: the user must drop out of the cloud-admins group.
    PrincipalRoleAssignment revoke = new PrincipalRoleAssignment();
    revoke.remove = new ArrayList<>();
    revoke.remove.add(role);
    doRoleAssignment(revoke, USER_EMAIL_BASIC_USER);

    user = getDocument(UserState.class, userLink);
    assertNotNull(user);
    assertTrue(!user.userGroupLinks.contains(CLOUD_ADMINS_USER_GROUP_LINK));

    // Second grant after the revoke.
    PrincipalRoleAssignment regrant = new PrincipalRoleAssignment();
    regrant.add = new ArrayList<>();
    regrant.add.add(role);
    doRoleAssignment(regrant, USER_EMAIL_BASIC_USER);

    user = getDocument(UserState.class, userLink);
    assertNotNull(user);
    assertTrue(user.userGroupLinks.contains(CLOUD_ADMINS_USER_GROUP_LINK));
}
/**
 * The principal roles endpoint must report both the system roles of
 * {@code USER_EMAIL_ADMIN} ({@code CLOUD_ADMIN}, {@code BASIC_USER},
 * {@code BASIC_USER_EXTENDED}) and, for a freshly created project where the
 * admin is administrator, member and viewer at once, all three project roles.
 *
 * @throws Throwable propagated from the document helpers
 */
@Test
public void getRolesForPrincipal() throws Throwable {
    ProjectState created = new ProjectState();
    created.name = "test";
    created.description = "test-description";
    created = doPost(created, ProjectFactoryService.SELF_LINK);
    assertNotNull(created.documentSelfLink);

    // One assignment object is reused for all three project role lists; the
    // singleton list is immutable, so sharing it is safe.
    PrincipalRoleAssignment adminOnly = new PrincipalRoleAssignment();
    adminOnly.add = Collections.singletonList(USER_EMAIL_ADMIN);

    ProjectRoles projectRoles = new ProjectRoles();
    projectRoles.administrators = adminOnly;
    projectRoles.members = adminOnly;
    projectRoles.viewers = adminOnly;
    doPatch(projectRoles, created.documentSelfLink);

    String adminRolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK,
            USER_EMAIL_ADMIN, PrincipalService.ROLES_SUFFIX);
    PrincipalRoles reported = getDocumentNoWait(PrincipalRoles.class, adminRolesLink);

    // System roles.
    assertTrue(reported.roles.contains(AuthRole.CLOUD_ADMIN));
    assertTrue(reported.roles.contains(AuthRole.BASIC_USER));
    assertTrue(reported.roles.contains(AuthRole.BASIC_USER_EXTENDED));

    // Project roles, for exactly the one project created above.
    assertEquals(1, reported.projects.size());
    ProjectEntry entry = reported.projects.get(0);
    assertEquals(created.documentSelfLink, entry.documentSelfLink);
    assertEquals(created.name, entry.name);
    assertTrue(entry.roles.contains(AuthRole.PROJECT_ADMIN));
    assertTrue(entry.roles.contains(AuthRole.PROJECT_MEMBER));
    assertTrue(entry.roles.contains(AuthRole.PROJECT_VIEWER));
}
/**
 * Assigning a project role to a group principal whose {@code UserGroupState}
 * document is missing must (re)create that document rather than fail.
 *
 * The test deletes the superusers user group, runs the roles update directly
 * through {@code rolesHandler} as the admin operation, and checks the user
 * group document exists again afterwards.
 *
 * @throws Throwable propagated from the document helpers or the host wait
 */
@Test
public void testAssignExistingPrincipalGroupWithNotExistingUserGroupStateShouldCreateANewUserGroupState()
        throws Throwable {
    ProjectRoles update = new ProjectRoles();
    update.administrators = new PrincipalRoleAssignment();
    update.members = new PrincipalRoleAssignment();
    update.members.add = Collections.singletonList(USER_GROUP_SUPERUSERS);

    String userGroupLink = UriUtils.buildUriPath(UserGroupService.FACTORY_LINK,
            encode(USER_GROUP_SUPERUSERS));

    // Precondition: the user group document is gone.
    doDelete(UriUtils.buildUri(host, userGroupLink), false);
    assertDocumentNotExists(userGroupLink);

    host.testStart(1);
    rolesHandler.handleRolesUpdate(project, update, testOperationByAdmin)
            .whenComplete((ignore, failure) -> {
                if (failure == null) {
                    host.completeIteration();
                } else {
                    host.failIteration(failure);
                }
            });
    host.testWait();

    // The roles update must have recreated the user group.
    assertDocumentExists(userGroupLink);
}
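/**
 * Assigning a project role to a principal that has no {@code UserState}
 * document yet must create the user state, grant the default system roles
 * ({@code BASIC_USER}, {@code BASIC_USER_EXTENDED}) and record the project
 * role in the principal's security context.
 *
 * @throws Throwable propagated from the document helpers
 */
@Test
public void testAssignProjectRoleToPrincipalWithoutUserState() throws Throwable {
    String connieUserLink = AuthUtil.buildUserServicePathFromPrincipalId(
            encode(USER_EMAIL_CONNIE));

    // Precondition: no user state for the principal.
    deleteUser(encode(USER_EMAIL_CONNIE));
    assertDocumentNotExists(connieUserLink);

    ProjectState created = createProject("test-test");

    ProjectRoles update = new ProjectRoles();
    update.administrators = new PrincipalRoleAssignment();
    update.administrators.add = Collections.singletonList(USER_EMAIL_CONNIE);
    doPatch(update, created.documentSelfLink);

    // assertEquals reports the actual size on failure; assertTrue(size() == 1) does not.
    ExpandedProjectState expanded = getExpandedProjectState(created.documentSelfLink);
    assertEquals(1, expanded.administrators.size());
    Principal principal = expanded.administrators.get(0);
    assertEquals(USER_EMAIL_CONNIE, principal.id);

    // The user state must have been created as a side effect of the assignment.
    assertDocumentExists(connieUserLink);

    SecurityContext connieContext = getSecurityContext(USER_EMAIL_CONNIE);
    assertTrue(connieContext.roles.contains(AuthRole.BASIC_USER));
    assertTrue(connieContext.roles.contains(AuthRole.BASIC_USER_EXTENDED));
    assertEquals(1, connieContext.projects.size());

    ProjectEntry entry = connieContext.projects.get(0);
    assertEquals(created.documentSelfLink, entry.documentSelfLink);
    assertEquals(created.name, entry.name);
    assertTrue(entry.roles.contains(AuthRole.PROJECT_ADMIN));
}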
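/**
 * Assigning a project role to a group id that is not a known principal must
 * fail with {@link ServiceNotFoundException} (wrapped as the cause) instead
 * of silently creating a grant for an unknown principal.
 *
 * The update is driven directly through {@code rolesHandler} as the admin
 * operation; the host iteration completes only when the expected cause is
 * seen, and fails on success or on any other error.
 */
@Test
public void testAssignNotExistingPrincipalGroupShouldFail() {
    ProjectRoles update = new ProjectRoles();
    update.members = new PrincipalRoleAssignment();
    update.administrators = new PrincipalRoleAssignment();
    update.administrators.add = Collections.singletonList("test-group");

    host.testStart(1);
    rolesHandler.handleRolesUpdate(project, update, testOperationByAdmin)
            .whenComplete((ignore, failure) -> {
                if (failure == null) {
                    // Name the expected type directly instead of constructing a
                    // throwaway exception just to format its toString().
                    host.failIteration(new Exception(String.format(
                            "Should've thrown %s",
                            ServiceNotFoundException.class.getName())));
                    return;
                }
                if (failure.getCause() instanceof ServiceNotFoundException) {
                    host.completeIteration();
                } else {
                    host.failIteration(failure);
                }
            });
    host.testWait();
}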
/**
 * Applying the same group-member assignment twice must be idempotent: the
 * extended-member resource group and role documents exist once, the expanded
 * project lists the group once, and the member user-group links hold only the
 * project's default group plus the assigned one.
 */
@Test
public void testAssignPrincipalOfTypeGroupTwice() {
    String groupId = "superusers@admiral.com";
    String projectId = Service.getId(project.documentSelfLink);

    ProjectRoles update = new ProjectRoles();
    update.members = new PrincipalRoleAssignment();
    update.members.add = Collections.singletonList(groupId);

    // Same PATCH twice; the second one must not duplicate anything.
    doPatch(update, project.documentSelfLink);
    doPatch(update, project.documentSelfLink);

    String roleName = AuthRole.PROJECT_MEMBER_EXTENDED.buildRoleWithSuffix(projectId,
            encode(groupId));
    String resourceGroupLink = UriUtils.buildUriPath(ResourceGroupService.FACTORY_LINK,
            roleName);
    String roleLink = UriUtils.buildUriPath(RoleService.FACTORY_LINK, roleName);
    assertDocumentExists(resourceGroupLink);
    assertDocumentExists(roleLink);

    ExpandedProjectState expanded = getExpandedProjectState(project.documentSelfLink);
    assertEquals(1, expanded.members.size());
    // The project's default members group plus the one assigned here.
    assertEquals(2, expanded.membersUserGroupLinks.size());
}
}
/**
 * Revoking {@code CLOUD_ADMIN} from a user must remove the user from the
 * cloud-admins user group that the grant added them to.
 *
 * @throws Throwable propagated from the document helpers
 */
@Test
public void testUnAssignRoleToUser() throws Throwable {
    String role = AuthRole.CLOUD_ADMIN.name();
    String userLink = buildUserServicePath(USER_EMAIL_BASIC_USER);

    // Grant first so there is something to revoke.
    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    grant.add = new ArrayList<>();
    grant.add.add(role);
    doRoleAssignment(grant, USER_EMAIL_BASIC_USER);

    UserState user = getDocument(UserState.class, userLink);
    assertNotNull(user);
    assertTrue(user.userGroupLinks.contains(CLOUD_ADMINS_USER_GROUP_LINK));

    // Revoke.
    PrincipalRoleAssignment revoke = new PrincipalRoleAssignment();
    revoke.remove = new ArrayList<>();
    revoke.remove.add(role);
    doRoleAssignment(revoke, USER_EMAIL_BASIC_USER);

    // The group membership that carried the privilege must be gone.
    user = getDocument(UserState.class, userLink);
    assertNotNull(user);
    assertTrue(!user.userGroupLinks.contains(CLOUD_ADMINS_USER_GROUP_LINK));
}
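/**
 * A principal who is only a project administrator (not a cloud admin) must be
 * able to add members to that project.
 *
 * The cloud admin makes {@code USER_EMAIL_BASIC_USER} the project's
 * administrator, the test then assumes that user's identity and adds
 * {@code USER_EMAIL_CONNIE} as a member. This covers the positive
 * authorization path only; it does not assert that a principal without the
 * project-admin role is rejected.
 *
 * @throws Throwable propagated from the document helpers
 */
@Test
public void testDevOpsAdminCanAssignUsersToProject() throws Throwable {
    ProjectState created = createProject("project");

    // As cloud admin: delegate project administration to the basic user.
    ProjectRoles makeAdmin = new ProjectRoles();
    makeAdmin.administrators = new PrincipalRoleAssignment();
    makeAdmin.administrators.add = Collections.singletonList(USER_EMAIL_BASIC_USER);
    doPatch(makeAdmin, created.documentSelfLink);

    // As the project admin: add a member.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_BASIC_USER));
    ProjectRoles addMember = new ProjectRoles();
    addMember.members = new PrincipalRoleAssignment();
    addMember.members.add = Collections.singletonList(USER_EMAIL_CONNIE);
    doPatch(addMember, created.documentSelfLink);

    // assertEquals reports actual values on failure; assertTrue(a.equals(b)) does not.
    ExpandedProjectState expanded = getExpandedProjectState(created.documentSelfLink);
    assertEquals(1, expanded.administrators.size());
    assertEquals(USER_EMAIL_BASIC_USER, expanded.administrators.get(0).id);
    assertEquals(1, expanded.members.size());
    assertEquals(USER_EMAIL_CONNIE, expanded.members.get(0).id);
}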
/**
 * Assigning a group as project member must create the extended-member
 * resource group and role documents for that group, and removing the group
 * must delete both again so no grant outlives the assignment.
 */
@Test
public void testAssignPrincipalAsGroup() {
    String groupId = "superusers@admiral.com";
    String projectId = Service.getId(project.documentSelfLink);

    String roleName = AuthRole.PROJECT_MEMBER_EXTENDED.buildRoleWithSuffix(projectId,
            encode(groupId));
    String resourceGroupLink = UriUtils.buildUriPath(ResourceGroupService.FACTORY_LINK,
            roleName);
    String roleLink = UriUtils.buildUriPath(RoleService.FACTORY_LINK, roleName);

    // Add the group as member: both authorization documents must appear.
    ProjectRoles addGroup = new ProjectRoles();
    addGroup.members = new PrincipalRoleAssignment();
    addGroup.members.add = Collections.singletonList(groupId);
    doPatch(addGroup, project.documentSelfLink);
    assertDocumentExists(resourceGroupLink);
    assertDocumentExists(roleLink);

    // Remove the group: both documents must be cleaned up.
    ProjectRoles removeGroup = new ProjectRoles();
    removeGroup.members = new PrincipalRoleAssignment();
    removeGroup.members.remove = Collections.singletonList(groupId);
    doPatch(removeGroup, project.documentSelfLink);
    assertDocumentNotExists(resourceGroupLink);
    assertDocumentNotExists(roleLink);
}
/**
 * Granting a system role ({@code CLOUD_ADMIN}) to a principal that has no
 * {@code UserState} yet must create the user state and yield a security
 * context holding the granted role plus the default {@code BASIC_USER} and
 * {@code BASIC_USER_EXTENDED} roles.
 */
@Test
public void testAssignSystemRoleOnPrincipalWithoutUserState() {
    String connieUserLink = AuthUtil.buildUserServicePathFromPrincipalId(
            encode(USER_EMAIL_CONNIE));

    // Precondition: no user state for the principal.
    deleteUser(encode(USER_EMAIL_CONNIE));
    assertDocumentNotExists(connieUserLink);

    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    grant.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.name());
    String connieRolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK,
            USER_EMAIL_CONNIE, PrincipalService.ROLES_SUFFIX);
    doPatch(grant, connieRolesLink);

    // The grant must have materialized the user state.
    assertDocumentExists(connieUserLink);

    SecurityContext connieContext = getSecurityContext(USER_EMAIL_CONNIE);
    assertTrue(connieContext.roles.contains(AuthRole.CLOUD_ADMIN));
    assertTrue(connieContext.roles.contains(AuthRole.BASIC_USER));
    assertTrue(connieContext.roles.contains(AuthRole.BASIC_USER_EXTENDED));
}
/**
 * Per-test fixture: waits for the project-related services, switches the host
 * to the admin identity, creates the shared {@code project} and seeds its
 * roles ({@code USER_EMAIL_ADMIN} as administrator and member,
 * {@code USER_EMAIL_BASIC_USER} as viewer).
 *
 * @throws Throwable propagated from the service-availability waits or the
 *                   document helpers
 */
@Before
public void setUp() throws Throwable {
    waitForServiceAvailability(ProjectService.UNIQUE_PROJECT_NAMES_SERVICE_LINK);
    waitForServiceAvailability(ProjectFactoryService.SELF_LINK);
    waitForServiceAvailability(GroupResourcePlacementService.FACTORY_LINK);

    // All fixture writes are performed as the admin.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN));
    project = createProject(PROJECT_NAME, PROJECT_DESCRIPTION, PROJECT_IS_PUBLIC);

    PrincipalRoleAssignment admins = new PrincipalRoleAssignment();
    admins.add = Collections.singletonList(USER_EMAIL_ADMIN);
    PrincipalRoleAssignment members = new PrincipalRoleAssignment();
    members.add = Collections.singletonList(USER_EMAIL_ADMIN);
    PrincipalRoleAssignment viewers = new PrincipalRoleAssignment();
    viewers.add = Collections.singletonList(USER_EMAIL_BASIC_USER);

    ProjectRoles roles = new ProjectRoles();
    roles.administrators = admins;
    roles.members = members;
    roles.viewers = viewers;
    doPatch(roles, project.documentSelfLink);
}
/**
 * Per-test fixture: waits for the project factory and placement services,
 * switches the host to the admin identity, creates the shared
 * {@code project} and seeds its roles ({@code USER_EMAIL_ADMIN} as
 * administrator and member, {@code USER_EMAIL_BASIC_USER} as viewer).
 *
 * @throws Throwable propagated from the service-availability waits or the
 *                   document helpers
 */
@Before
public void setUp() throws Throwable {
    waitForServiceAvailability(ProjectFactoryService.SELF_LINK);
    waitForServiceAvailability(GroupResourcePlacementService.FACTORY_LINK);

    // All fixture writes are performed as the admin.
    host.assumeIdentity(buildUserServicePath(USER_EMAIL_ADMIN));
    project = createProject(PROJECT_NAME, PROJECT_DESCRIPTION, PROJECT_IS_PUBLIC);

    ProjectRoles roles = new ProjectRoles();
    roles.administrators = new PrincipalRoleAssignment();
    roles.members = new PrincipalRoleAssignment();
    roles.viewers = new PrincipalRoleAssignment();
    roles.administrators.add = Collections.singletonList(USER_EMAIL_ADMIN);
    roles.members.add = Collections.singletonList(USER_EMAIL_ADMIN);
    roles.viewers.add = Collections.singletonList(USER_EMAIL_BASIC_USER);
    doPatch(roles, project.documentSelfLink);
}
/**
 * Granting a system role ({@code CLOUD_ADMIN}) to a group principal whose
 * {@code UserGroupState} document is missing must recreate that document and
 * yield a security context with the granted role plus the default
 * {@code BASIC_USER} and {@code BASIC_USER_EXTENDED} roles.
 */
@Test
public void testAssignSystemRoleOnPrincipalWithoutUserGroupState() {
    String developersGroupLink = UriUtils.buildUriPath(UserGroupService.FACTORY_LINK,
            encode(USER_GROUP_DEVELOPERS));

    // Precondition: the user group document is gone.
    deleteUserGroup(encode(USER_GROUP_DEVELOPERS));
    assertDocumentNotExists(developersGroupLink);

    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    grant.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.name());
    String developersRolesLink = UriUtils.buildUriPath(PrincipalService.SELF_LINK,
            USER_GROUP_DEVELOPERS, PrincipalService.ROLES_SUFFIX);
    doPatch(grant, developersRolesLink);

    // The grant must have materialized the user group again.
    assertDocumentExists(developersGroupLink);

    SecurityContext developersContext = getSecurityContext(USER_GROUP_DEVELOPERS);
    assertTrue(developersContext.roles.contains(AuthRole.CLOUD_ADMIN));
    assertTrue(developersContext.roles.contains(AuthRole.BASIC_USER));
    assertTrue(developersContext.roles.contains(AuthRole.BASIC_USER_EXTENDED));
}
/**
 * Granting {@code CLOUD_ADMIN} to a user group must create a {@code RoleState}
 * named by {@code AuthRole.buildRoleWithSuffix(<encoded group id>)} whose
 * {@code userGroupLink} points at that group's {@code UserGroupService}
 * document.
 *
 * @throws Throwable propagated from the document helpers
 */
@Test
public void testAssignRoleToUserGroup() throws Throwable {
    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    grant.add = new ArrayList<>();
    grant.add.add(AuthRole.CLOUD_ADMIN.name());
    doRoleAssignment(grant, USER_GROUP_DEVELOPERS);

    String encodedGroup = encode(USER_GROUP_DEVELOPERS);
    String roleLink = UriUtils.buildUriPath(RoleService.FACTORY_LINK,
            AuthRole.CLOUD_ADMIN.buildRoleWithSuffix(encodedGroup));
    RoleState role = getDocument(RoleState.class, roleLink);
    assertNotNull(role);

    String expectedGroupLink = UriUtils.buildUriPath(UserGroupService.FACTORY_LINK,
            encodedGroup);
    assertEquals(expectedGroupLink, role.userGroupLink);
}
/**
 * Grants {@code CLOUD_ADMIN} to the given principal via its roles link.
 *
 * @param principalId user or group id; the roles link is derived with
 *                    {@code buildRolesLinkFor}
 */
private void assignCloudAdminRoleTo(String principalId) {
    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    // NOTE(review): other helpers send AuthRole.name(); toString() is kept as in the
    // original and is the same value unless AuthRole overrides toString() — confirm.
    grant.add = Collections.singletonList(AuthRole.CLOUD_ADMIN.toString());
    doPatch(grant, buildRolesLinkFor(principalId));
}
/**
 * Granting {@code CLOUD_ADMIN} to a user must add the cloud-admins user group
 * link to the user's {@code UserState}.
 *
 * @throws Throwable propagated from the document helpers
 */
@Test
public void testAssignRoleToUser() throws Throwable {
    PrincipalRoleAssignment grant = new PrincipalRoleAssignment();
    grant.add = new ArrayList<>();
    grant.add.add(AuthRole.CLOUD_ADMIN.name());
    doRoleAssignment(grant, USER_EMAIL_BASIC_USER);

    UserState user = getDocument(UserState.class,
            buildUserServicePath(USER_EMAIL_BASIC_USER));
    assertNotNull(user);
    assertTrue(user.userGroupLinks.contains(CLOUD_ADMINS_USER_GROUP_LINK));
}