@Test(groups = "slow")
public void testEmptyPermissions() throws SecurityApiException {
    // Both spellings of "no permissions" -- a null list and an empty one --
    // must produce a role that grants nothing.
    final ImmutableList<String> nothing = ImmutableList.<String>of();

    securityApi.addRoleDefinition("sanity1", null, callContext);
    final List<String> fromNull = securityApi.getRoleDefinition("sanity1", callContext);
    validateUserRoles(fromNull, nothing);

    securityApi.addRoleDefinition("sanity2", nothing, callContext);
    final List<String> fromEmpty = securityApi.getRoleDefinition("sanity2", callContext);
    validateUserRoles(fromEmpty, nothing);
}
@Test(groups = "slow")
public void testSanityOfPermissions() throws SecurityApiException {
    // Redundant entries collapse: a broader permission absorbs the narrower ones it covers,
    // and exact duplicates are stored once.

    // "*" covers everything, so "account:*" is dropped.
    final ImmutableList<String> withGlobalWildcard = ImmutableList.of("account:*", "*");
    securityApi.addRoleDefinition("sanity1", withGlobalWildcard, callContext);
    final List<String> storedSanity1 = securityApi.getRoleDefinition("sanity1", callContext);
    validateUserRoles(storedSanity1, ImmutableList.of("*"));

    // The same permission listed twice is kept once.
    final ImmutableList<String> duplicated = ImmutableList.of("account:charge", "account:charge");
    securityApi.addRoleDefinition("sanity2", duplicated, callContext);
    final List<String> storedSanity2 = securityApi.getRoleDefinition("sanity2", callContext);
    validateUserRoles(storedSanity2, ImmutableList.of("account:charge"));

    // A group wildcard ("account:*") absorbs the individual actions of that group.
    final ImmutableList<String> mixed = ImmutableList.of("account:charge", "account:credit", "account:*", "invoice:*");
    securityApi.addRoleDefinition("sanity3", mixed, callContext);
    final List<String> storedSanity3 = securityApi.getRoleDefinition("sanity3", callContext);
    validateUserRoles(storedSanity3, ImmutableList.of("account:*", "invoice:*"));
}
/**
 * Asserts that creating a role with the given permissions is rejected with
 * {@code SECURITY_INVALID_PERMISSIONS}.
 *
 * @param permissions the (expected-to-be-invalid) permission strings to submit
 */
private void testInvalidPermissionScenario(final List<String> permissions) {
    boolean rejected = false;
    try {
        securityApi.addRoleDefinition("failed", permissions, callContext);
    } catch (final SecurityApiException expected) {
        rejected = true;
        // Only the dedicated "invalid permissions" error code counts as the right rejection.
        Assert.assertEquals(expected.getCode(), ErrorCode.SECURITY_INVALID_PERMISSIONS.getCode());
    }
    if (!rejected) {
        Assert.fail("Should fail permissions " + permissions + " were invalid");
    }
}
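@Test(groups = "slow")
public void testUpdateRoleDefinition() throws SecurityApiException {
    final String username = "siskiyou";
    final String password = "siskiyou33";

    // A permission group given without an action ("invoice", and later "payment") is stored as
    // that group's wildcard ("invoice:*"), i.e. every action of the group is granted. The
    // contains() checks below pin that normalisation.
    securityApi.addRoleDefinition("original", ImmutableList.of("account:*", "invoice", "tag:create_tag_definition"), callContext);
    // NOTE(review): no assertion in this test looks at this user, and the role it is given
    // ("restricted") is not the one updated below; kept so the test's side effects are unchanged.
    // (The unused AuthenticationToken that used to be built here has been dropped.)
    securityApi.addUserRoles(username, password, ImmutableList.of("restricted"), callContext);

    final List<String> roleDefinition = securityApi.getRoleDefinition("original", callContext);
    Assert.assertEquals(roleDefinition.size(), 3);
    Assert.assertTrue(roleDefinition.contains("account:*"));
    Assert.assertTrue(roleDefinition.contains("invoice:*"));
    Assert.assertTrue(roleDefinition.contains("tag:create_tag_definition"));

    // An update replaces the whole definition: "invoice:*" is gone, "payment:*" and
    // "entitlement:create" appear (size 4, not 5).
    securityApi.updateRoleDefinition("original", ImmutableList.of("account:*", "payment", "tag:create_tag_definition", "entitlement:create"), callContext);
    final List<String> updatedRoleDefinition = securityApi.getRoleDefinition("original", callContext);
    Assert.assertEquals(updatedRoleDefinition.size(), 4);
    Assert.assertTrue(updatedRoleDefinition.contains("account:*"));
    Assert.assertTrue(updatedRoleDefinition.contains("payment:*"));
    Assert.assertTrue(updatedRoleDefinition.contains("tag:create_tag_definition"));
    Assert.assertTrue(updatedRoleDefinition.contains("entitlement:create"));

    // Updating to an empty list strips every permission from the role.
    securityApi.updateRoleDefinition("original", ImmutableList.<String>of(), callContext);
    Assert.assertEquals(securityApi.getRoleDefinition("original", callContext).size(), 0);
}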
final String password = "supperCompli43cated"; securityApi.addRoleDefinition("root", ImmutableList.of("*"), callContext); securityApi.addUserRoles(username, password, ImmutableList.of("root"), callContext); final DelegatingSubject subject = new DelegatingSubject(securityManager);
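@Test(groups = "slow")
public void testAuthorization() throws SecurityApiException {
    final String username = "i like";
    final String password = "c0ff33";

    // "invoice" without an action is the whole invoice group, hence the INVOICE_CAN_CREDIT check passes below.
    securityApi.addRoleDefinition("restricted", ImmutableList.of("account:*", "invoice", "tag:create_tag_definition"), callContext);
    securityApi.addUserRoles(username, password, ImmutableList.of("restricted"), callContext);
    final AuthenticationToken goodToken = new UsernamePasswordToken(username, password);

    final Subject subject = securityManager.login(null, goodToken);
    subject.checkPermission(Permission.ACCOUNT_CAN_CHARGE.toString());
    subject.checkPermission(Permission.INVOICE_CAN_CREDIT.toString());
    subject.checkPermission(Permission.TAG_CAN_CREATE_TAG_DEFINITION.toString());
    try {
        subject.checkPermission(Permission.TAG_CAN_DELETE_TAG_DEFINITION.toString());
        Assert.fail("Subject should not have rights to delete tag definitions");
    } catch (final AuthorizationException expected) {
        // Denied as intended: the role never granted tag:delete_tag_definition.
    }
    subject.logout();

    // Swap the user's role for one that trades create for delete on tag definitions...
    securityApi.addRoleDefinition("newRestricted", ImmutableList.of("account:*", "invoice", "tag:delete_tag_definition"), callContext);
    securityApi.updateUserRoles(username, ImmutableList.of("newRestricted"), callContext);

    // ...and a fresh login must reflect it: the new grant is present, the old one is gone.
    final Subject newSubject = securityManager.login(null, goodToken);
    newSubject.checkPermission(Permission.ACCOUNT_CAN_CHARGE.toString());
    newSubject.checkPermission(Permission.INVOICE_CAN_CREDIT.toString());
    newSubject.checkPermission(Permission.TAG_CAN_DELETE_TAG_DEFINITION.toString());
    try {
        newSubject.checkPermission(Permission.TAG_CAN_CREATE_TAG_DEFINITION.toString());
        Assert.fail("Subject should not have rights to create tag definitions");
    } catch (final AuthorizationException expected) {
        // Denied as intended: tag:create_tag_definition was removed with the role swap.
    }
    // Mirror the first half: do not leave a logged-in subject behind for later tests.
    newSubject.logout();
}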
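/**
 * Creates a new role definition from the posted JSON body.
 *
 * @param json      the role name and the permissions it grants
 * @param createdBy audit trail: who performed the change (HDR_CREATED_BY header)
 * @param reason    audit trail: why (HDR_REASON header)
 * @param comment   audit trail: free-form comment (HDR_COMMENT header)
 * @param request   the servlet request, used to build the call context and the Location header
 * @param uriInfo   request URI information for building the Location of the created role
 * @return a 201 response pointing at {@code getRoleDefinition} for the new role
 * @throws SecurityApiException     if the role cannot be created (e.g. invalid permissions)
 * @throws IllegalArgumentException if no body was posted
 */
@TimedResource
@POST
@Path("/roles")
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
@ApiOperation(value = "Add a new role definition", response = RoleDefinitionJson.class)
@ApiResponses(value = {@ApiResponse(code = 201, message = "Role definition created successfully")})
public Response addRoleDefinition(final RoleDefinitionJson json,
                                  @HeaderParam(HDR_CREATED_BY) final String createdBy,
                                  @HeaderParam(HDR_REASON) final String reason,
                                  @HeaderParam(HDR_COMMENT) final String comment,
                                  @javax.ws.rs.core.Context final HttpServletRequest request,
                                  @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException {
    // Without this, a missing body surfaces as a NullPointerException (server error) rather than
    // a client error.
    if (json == null) {
        throw new IllegalArgumentException("Role definition body is required");
    }
    // NOTE(review): nothing in this method checks that the caller is allowed to create roles;
    // that is presumably enforced upstream (security filter / securityApi) -- confirm, since this
    // endpoint hands out permissions.
    securityApi.addRoleDefinition(json.getRole(),
                                  json.getPermissions(),
                                  context.createCallContextNoAccountId(createdBy, reason, comment, request));
    return uriBuilder.buildResponse(uriInfo, SecurityResource.class, "getRoleDefinition", json.getRole(), request);
}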
@Test(groups = "slow")
public void testEmptyPermissions() throws SecurityApiException {
    // Both spellings of "no permissions" -- a null list and an empty one --
    // must produce a role that grants nothing.
    final ImmutableList<String> nothing = ImmutableList.<String>of();

    securityApi.addRoleDefinition("sanity1", null, callContext);
    final List<String> fromNull = securityApi.getRoleDefinition("sanity1", callContext);
    validateUserRoles(fromNull, nothing);

    securityApi.addRoleDefinition("sanity2", nothing, callContext);
    final List<String> fromEmpty = securityApi.getRoleDefinition("sanity2", callContext);
    validateUserRoles(fromEmpty, nothing);
}
@Test(groups = "slow")
public void testSanityOfPermissions() throws SecurityApiException {
    // Redundant entries collapse: a broader permission absorbs the narrower ones it covers,
    // and exact duplicates are stored once.

    // "*" covers everything, so "account:*" is dropped.
    final ImmutableList<String> withGlobalWildcard = ImmutableList.of("account:*", "*");
    securityApi.addRoleDefinition("sanity1", withGlobalWildcard, callContext);
    final List<String> storedSanity1 = securityApi.getRoleDefinition("sanity1", callContext);
    validateUserRoles(storedSanity1, ImmutableList.of("*"));

    // The same permission listed twice is kept once.
    final ImmutableList<String> duplicated = ImmutableList.of("account:charge", "account:charge");
    securityApi.addRoleDefinition("sanity2", duplicated, callContext);
    final List<String> storedSanity2 = securityApi.getRoleDefinition("sanity2", callContext);
    validateUserRoles(storedSanity2, ImmutableList.of("account:charge"));

    // A group wildcard ("account:*") absorbs the individual actions of that group.
    final ImmutableList<String> mixed = ImmutableList.of("account:charge", "account:credit", "account:*", "invoice:*");
    securityApi.addRoleDefinition("sanity3", mixed, callContext);
    final List<String> storedSanity3 = securityApi.getRoleDefinition("sanity3", callContext);
    validateUserRoles(storedSanity3, ImmutableList.of("account:*", "invoice:*"));
}
/**
 * Asserts that creating a role with the given permissions is rejected with
 * {@code SECURITY_INVALID_PERMISSIONS}.
 *
 * @param permissions the (expected-to-be-invalid) permission strings to submit
 */
private void testInvalidPermissionScenario(final List<String> permissions) {
    boolean rejected = false;
    try {
        securityApi.addRoleDefinition("failed", permissions, callContext);
    } catch (final SecurityApiException expected) {
        rejected = true;
        // Only the dedicated "invalid permissions" error code counts as the right rejection.
        Assert.assertEquals(expected.getCode(), ErrorCode.SECURITY_INVALID_PERMISSIONS.getCode());
    }
    if (!rejected) {
        Assert.fail("Should fail permissions " + permissions + " were invalid");
    }
}
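@Test(groups = "slow")
public void testUpdateRoleDefinition() throws SecurityApiException {
    final String username = "siskiyou";
    final String password = "siskiyou33";

    // A permission group given without an action ("invoice", and later "payment") is stored as
    // that group's wildcard ("invoice:*"), i.e. every action of the group is granted. The
    // contains() checks below pin that normalisation.
    securityApi.addRoleDefinition("original", ImmutableList.of("account:*", "invoice", "tag:create_tag_definition"), callContext);
    // NOTE(review): no assertion in this test looks at this user, and the role it is given
    // ("restricted") is not the one updated below; kept so the test's side effects are unchanged.
    // (The unused AuthenticationToken that used to be built here has been dropped.)
    securityApi.addUserRoles(username, password, ImmutableList.of("restricted"), callContext);

    final List<String> roleDefinition = securityApi.getRoleDefinition("original", callContext);
    Assert.assertEquals(roleDefinition.size(), 3);
    Assert.assertTrue(roleDefinition.contains("account:*"));
    Assert.assertTrue(roleDefinition.contains("invoice:*"));
    Assert.assertTrue(roleDefinition.contains("tag:create_tag_definition"));

    // An update replaces the whole definition: "invoice:*" is gone, "payment:*" and
    // "entitlement:create" appear (size 4, not 5).
    securityApi.updateRoleDefinition("original", ImmutableList.of("account:*", "payment", "tag:create_tag_definition", "entitlement:create"), callContext);
    final List<String> updatedRoleDefinition = securityApi.getRoleDefinition("original", callContext);
    Assert.assertEquals(updatedRoleDefinition.size(), 4);
    Assert.assertTrue(updatedRoleDefinition.contains("account:*"));
    Assert.assertTrue(updatedRoleDefinition.contains("payment:*"));
    Assert.assertTrue(updatedRoleDefinition.contains("tag:create_tag_definition"));
    Assert.assertTrue(updatedRoleDefinition.contains("entitlement:create"));

    // Updating to an empty list strips every permission from the role.
    securityApi.updateRoleDefinition("original", ImmutableList.<String>of(), callContext);
    Assert.assertEquals(securityApi.getRoleDefinition("original", callContext).size(), 0);
}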
final String password = "supperCompli43cated"; securityApi.addRoleDefinition("root", ImmutableList.of("*"), callContext); securityApi.addUserRoles(username, password, ImmutableList.of("root"), callContext); final DelegatingSubject subject = new DelegatingSubject(securityManager);
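@Test(groups = "slow")
public void testAuthorization() throws SecurityApiException {
    final String username = "i like";
    final String password = "c0ff33";

    // "invoice" without an action is the whole invoice group, hence the INVOICE_CAN_CREDIT check passes below.
    securityApi.addRoleDefinition("restricted", ImmutableList.of("account:*", "invoice", "tag:create_tag_definition"), callContext);
    securityApi.addUserRoles(username, password, ImmutableList.of("restricted"), callContext);
    final AuthenticationToken goodToken = new UsernamePasswordToken(username, password);

    final Subject subject = securityManager.login(null, goodToken);
    subject.checkPermission(Permission.ACCOUNT_CAN_CHARGE.toString());
    subject.checkPermission(Permission.INVOICE_CAN_CREDIT.toString());
    subject.checkPermission(Permission.TAG_CAN_CREATE_TAG_DEFINITION.toString());
    try {
        subject.checkPermission(Permission.TAG_CAN_DELETE_TAG_DEFINITION.toString());
        Assert.fail("Subject should not have rights to delete tag definitions");
    } catch (final AuthorizationException expected) {
        // Denied as intended: the role never granted tag:delete_tag_definition.
    }
    subject.logout();

    // Swap the user's role for one that trades create for delete on tag definitions...
    securityApi.addRoleDefinition("newRestricted", ImmutableList.of("account:*", "invoice", "tag:delete_tag_definition"), callContext);
    securityApi.updateUserRoles(username, ImmutableList.of("newRestricted"), callContext);

    // ...and a fresh login must reflect it: the new grant is present, the old one is gone.
    final Subject newSubject = securityManager.login(null, goodToken);
    newSubject.checkPermission(Permission.ACCOUNT_CAN_CHARGE.toString());
    newSubject.checkPermission(Permission.INVOICE_CAN_CREDIT.toString());
    newSubject.checkPermission(Permission.TAG_CAN_DELETE_TAG_DEFINITION.toString());
    try {
        newSubject.checkPermission(Permission.TAG_CAN_CREATE_TAG_DEFINITION.toString());
        Assert.fail("Subject should not have rights to create tag definitions");
    } catch (final AuthorizationException expected) {
        // Denied as intended: tag:create_tag_definition was removed with the role swap.
    }
    // Mirror the first half: do not leave a logged-in subject behind for later tests.
    newSubject.logout();
}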