/**
 * Builds an {@link AuthConfig} from the optional "roles" and "users" arrays of a JSON payload.
 *
 * <p>Each array entry is read with {@code getAsString()} and wrapped as an {@link AdminRole}
 * or {@link AdminUser} exactly as supplied. This method does not check that the named role
 * or user exists, nor does it reject blank names; any such validation has to happen on the
 * returned object.
 *
 * @param jsonReader reader positioned on the object that may carry "roles" and "users"
 * @return a new auth config holding one entry per array element (empty when both are absent)
 */
public static AuthConfig fromJSON(JsonReader jsonReader) {
    AuthConfig parsed = new AuthConfig();

    jsonReader.readArrayIfPresent("roles", roleArray -> {
        roleArray.forEach(roleElement -> {
            CaseInsensitiveString roleName = new CaseInsensitiveString(roleElement.getAsString());
            parsed.add(new AdminRole(roleName));
        });
    });

    jsonReader.readArrayIfPresent("users", userArray -> {
        userArray.forEach(userElement -> {
            CaseInsensitiveString userName = new CaseInsensitiveString(userElement.getAsString());
            parsed.add(new AdminUser(userName));
        });
    });

    return parsed;
}
// Closes the enclosing class, whose header is outside this excerpt.
}
/**
 * Writes an {@link AuthConfig} as JSON: an "errors" child (only when the config carries
 * validation errors), followed by the "roles" and "users" name lists.
 *
 * @param jsonWriter destination writer
 * @param authConfig auth config to serialise
 */
public static void toJSON(OutputWriter jsonWriter, AuthConfig authConfig) {
    boolean hasErrors = !authConfig.errors().isEmpty();
    if (hasErrors) {
        // The "errors" child is omitted entirely when there is nothing to report.
        jsonWriter.addChild("errors", errorWriter -> {
            new ErrorGetter(new HashMap<>()).toJSON(errorWriter, authConfig);
        });
    }

    jsonWriter.addChildList(
            "roles",
            authConfig.getRoles().stream()
                    .map(role -> role.getName().toString())
                    .collect(Collectors.toList()));

    jsonWriter.addChildList(
            "users",
            authConfig.getUsers().stream()
                    .map(user -> user.getName().toString())
                    .collect(Collectors.toList()));
}
/**
 * Reports whether any authorization entry is configured.
 *
 * @return {@code true} when {@code authConfig} holds at least one entry, {@code false} when it is empty
 */
public boolean isAuthorizationDefined() {
    boolean noEntries = this.authConfig.isEmpty();
    return !noEntries;
}
/**
 * Returns the users listed in the approval's auth config.
 *
 * <p>The list comes straight from {@code getUsers()}; no copy is made here.
 *
 * @return the users named in the approval's auth config
 */
public List<AdminUser> getOperateUsers() {
    return getApproval()
            .getAuthConfig()
            .getUsers();
}
/** Removing operate permissions must leave the approval's auth config empty. */
@Test
public void shouldClearAllPermissions() {
    Approval underTest = Approval.automaticApproval();
    AdminUser sachin = new AdminUser(new CaseInsensitiveString("sachin"));
    AdminRole adminRole = new AdminRole(new CaseInsensitiveString("admin"));
    underTest.getAuthConfig().add(sachin);
    underTest.getAuthConfig().add(adminRole);

    underTest.removeOperatePermissions();

    // Re-read the auth config after the call rather than reusing an earlier reference.
    assertThat(underTest.getAuthConfig().isEmpty(), is(true));
}
/**
 * Converts a config-repo {@link CRApproval} into an {@link Approval}.
 *
 * <p>A {@code null} input yields an automatic approval. Otherwise the approval is manual only
 * when the type is exactly {@code CRApprovalCondition.manual}; every other value, including
 * an unset type, yields an automatic approval. The authorized users and roles are copied
 * into the approval's auth config without any existence check at this point.
 *
 * @param crApproval approval definition from a config repository, may be {@code null}
 * @return the equivalent approval, never {@code null}
 */
public Approval toApproval(CRApproval crApproval) {
    if (crApproval == null) {
        return Approval.automaticApproval();
    }

    // Anything that is not explicitly "manual" is treated as automatic.
    Approval approval = crApproval.getType() == CRApprovalCondition.manual
            ? Approval.manualApproval()
            : Approval.automaticApproval();

    AuthConfig authConfig = approval.getAuthConfig();
    for (String userName : crApproval.getAuthorizedUsers()) {
        authConfig.add(new AdminUser(new CaseInsensitiveString(userName)));
    }
    for (String roleName : crApproval.getAuthorizedRoles()) {
        authConfig.add(new AdminRole(new CaseInsensitiveString(roleName)));
    }
    return approval;
}
/**
 * Converts an {@link Approval} into its config-repo representation.
 *
 * <p>Users and roles from the approval's auth config are copied by name. The condition is
 * {@code success} when the approval type equals {@code Approval.SUCCESS}, and
 * {@code manual} for every other type.
 *
 * @param approval approval to convert
 * @return a new {@link CRApproval} carrying the same users, roles and condition
 */
private CRApproval approvalToCRApproval(Approval approval) {
    CRApproval converted = new CRApproval();

    for (AdminUser authorizedUser : approval.getAuthConfig().getUsers()) {
        converted.addAuthorizedUser(authorizedUser.getName().toString());
    }
    for (AdminRole authorizedRole : approval.getAuthConfig().getRoles()) {
        converted.addAuthorizedRole(authorizedRole.getName().toString());
    }

    // Every type other than SUCCESS maps to the manual condition.
    converted.setApprovalCondition(
            approval.getType().equals(Approval.SUCCESS)
                    ? CRApprovalCondition.success
                    : CRApprovalCondition.manual);
    return converted;
}
/**
 * Returns the roles listed in the approval's auth config.
 *
 * <p>The list comes straight from {@code getRoles()}; no copy is made here.
 *
 * @return the roles named in the approval's auth config
 */
public List<AdminRole> getOperateRoles() {
    return getApproval()
            .getAuthConfig()
            .getRoles();
}
/**
 * A stage whose approval carries an empty auth config must not be written with an
 * {@code <auth} element.
 *
 * <p>The test accepts two outcomes: the writer omits the element, or the write fails with a
 * {@link JDOMParseException} whose message says that element 'auth' is not complete.
 */
@Test
public void shouldNotAllowEmptyAuthInApproval() throws Exception {
    CruiseConfig config = ConfigMigrator.load(ConfigFileFixture.ONE_PIPELINE);
    StageConfig stageWithEmptyAuth =
            com.thoughtworks.go.helper.StageConfigMother.custom("newStage", new AuthConfig());
    config.pipelineConfigByName(new CaseInsensitiveString("pipeline1")).add(stageWithEmptyAuth);

    try {
        xmlWriter.write(config, output, false);
        // Outcome 1: the write succeeded, so no auth element may have been emitted.
        assertThat("Should not allow approval with empty auth", output.toString().contains("<auth"), is(false));
    } catch (JDOMParseException expected) {
        // Outcome 2: the write was rejected because the auth element had no content.
        assertThat(expected.getMessage(), containsString("The content of element 'auth' is not complete"));
    }
}
/**
 * Setting operate permissions replaces whatever was configured before.
 *
 * <p>Three user entries and three role entries are submitted, one of each blank. The
 * expected size of four, together with the four {@code hasItem} checks, means the blank
 * entries and the earlier "sachin"/"admin" entries must not survive.
 */
@Test
public void shouldOverwriteExistingUsersWhileSettingNewUsers() {
    Approval approval = Approval.automaticApproval();
    approval.getAuthConfig().add(new AdminUser(new CaseInsensitiveString("sachin")));
    approval.getAuthConfig().add(new AdminRole(new CaseInsensitiveString("admin")));

    // Raw lists are kept on purpose: the element type returned by nameMap is not visible here.
    List userEntries = new ArrayList();
    for (String userName : new String[]{"awesome_shilpa", "youth", ""}) {
        userEntries.add(nameMap(userName));
    }
    List roleEntries = new ArrayList();
    for (String roleName : new String[]{"role1", "role2", ""}) {
        roleEntries.add(nameMap(roleName));
    }

    approval.setOperatePermissions(userEntries, roleEntries);

    assertThat(approval.getAuthConfig().size(), is(4));
    assertThat(approval.getAuthConfig(), hasItem((Admin) new AdminUser(new CaseInsensitiveString("awesome_shilpa"))));
    assertThat(approval.getAuthConfig(), hasItem((Admin) new AdminUser(new CaseInsensitiveString("youth"))));
    assertThat(approval.getAuthConfig(), hasItem((Admin) new AdminRole(new CaseInsensitiveString("role1"))));
    assertThat(approval.getAuthConfig(), hasItem((Admin) new AdminRole(new CaseInsensitiveString("role2"))));
}
/**
 * {@code validateTree} must fail and record errors on the auth config when the approval
 * names the role "role" while the config under test only registers "super-admin" as an
 * admin role.
 */
@Test
public void shouldValidateTree() {
    AdminRole approvalRole = new AdminRole(new CaseInsensitiveString("role"));
    Approval approval = new Approval(new AuthConfig(approvalRole));

    BasicCruiseConfig cruiseConfig = GoConfigMother.defaultCruiseConfig();
    AdminRole superAdmin = new AdminRole(new CaseInsensitiveString("super-admin"));
    cruiseConfig.server().security().adminsConfig().addRole(superAdmin);

    PipelineConfig pipelineConfig = new PipelineConfig(new CaseInsensitiveString("p1"), new MaterialConfigs());
    cruiseConfig.addPipeline("g1", pipelineConfig);

    assertThat(approval.validateTree(PipelineConfigSaveValidationContext.forChain(true, "g1", cruiseConfig, pipelineConfig)), is(false));
    assertThat(approval.getAuthConfig().errors().isEmpty(), is(false));
}
/**
 * Validates every {@link Admin} entry of the auth config and collects their errors.
 *
 * <p>Each entry is validated even after an earlier one has failed, and each entry's errors
 * are added to {@code authConfig.errors()}.
 *
 * @param validationContext context handed to each entry's {@code validate}
 * @param isValid validity established so far by the caller
 * @return {@code true} only when {@code isValid} was {@code true} and no entry reported an error
 */
private boolean validateAuthConfig(ValidationContext validationContext, boolean isValid) {
    boolean stillValid = isValid;
    for (Admin entry : authConfig) {
        entry.validate(validationContext);
        authConfig.errors().addAll(entry.errors());
        if (!entry.errors().isEmpty()) {
            stillValid = false;
        }
    }
    return stillValid;
}
/** Parsing the {@code NEW_AUTHORIZATION} XML fragment must yield an auth config with three entries. */
@Test
public void shouldBeAbleToParseNewAuthorization() throws Exception {
    MagicalGoConfigXmlLoader loader = new MagicalGoConfigXmlLoader(
            new ConfigCache(),
            ConfigElementImplementationRegistryMother.withNoPlugins());

    AuthConfig parsed = loader.fromXmlPartial(NEW_AUTHORIZATION, AuthConfig.class);

    assertThat(parsed.size(), is(3));
}
/**
 * Characterization test for a known gap, as the test name states: approval validation
 * reports no error for a stage approver who lacks operate permission.
 *
 * <p>The stage approval lists "first", a member of the role the setup grants to the default
 * group, and "some-other-user-who-is-not-operate-authorized". Both entries come out of
 * {@code validate} without errors. If validation is tightened, the second assertion is the
 * one expected to change.
 */
@Test
public void shouldShowBugWhichAllowsAUserWithoutOperatePermissionToOperateAStage() throws Exception {
    RoleConfig role = new RoleConfig(
            new CaseInsensitiveString("role"),
            new RoleUser(new CaseInsensitiveString("first")),
            new RoleUser(new CaseInsensitiveString("second")));
    AdminUser admin = new AdminUser(new CaseInsensitiveString("admin"));
    CruiseConfig cruiseConfig = cruiseConfigWithSecurity(role, admin);
    addRoleAsAdminToDefaultGroup(cruiseConfig, "role");

    PipelineConfig pipeline = cruiseConfig.find(DEFAULT_GROUP, 0);
    StageConfig stage = pipeline.get(0);
    StageConfigMother.addApprovalWithUsers(stage, "first", "some-other-user-who-is-not-operate-authorized");

    Approval approval = stage.getApproval();
    approval.validate(PipelineConfigSaveValidationContext.forChain(true, DEFAULT_GROUP, cruiseConfig, pipeline, stage));

    // "first" belongs to the role, so no error is expected for this entry.
    assertNoErrors(approval.getAuthConfig().getUsers().get(0));
    /* https://github.com/gocd/gocd/pull/1779#issuecomment-170161521 */
    // The user without operate permission also passes validation; this is the gap being pinned.
    assertNoErrors(approval.getAuthConfig().getUsers().get(1));
}
/** Passing {@code null} for both users and roles must leave the approval's auth config empty. */
@Test
public void shouldClearAllPermissionsWhenTheAttributesAreNull() {
    Approval underTest = Approval.automaticApproval();
    AdminUser sachin = new AdminUser(new CaseInsensitiveString("sachin"));
    AdminRole adminRole = new AdminRole(new CaseInsensitiveString("admin"));
    underTest.getAuthConfig().add(sachin);
    underTest.getAuthConfig().add(adminRole);

    underTest.setOperatePermissions(null, null);

    // Re-read the auth config after the call rather than reusing an earlier reference.
    assertThat(underTest.getAuthConfig().isEmpty(), is(true));
}
/**
 * Test helper that appends the given user names to a stage's approval auth config and
 * writes the approval back to the stage.
 *
 * <p>Names are added as given; nothing here checks that the users exist or hold any permission.
 *
 * @param stage stage whose approval is extended
 * @param users user names to add as {@link AdminUser} entries
 */
public static void addApprovalWithUsers(StageConfig stage, String... users) {
    Approval stageApproval = stage.getApproval();
    for (int i = 0; i < users.length; i++) {
        CaseInsensitiveString userName = new CaseInsensitiveString(users[i]);
        stageApproval.getAuthConfig().add(new AdminUser(userName));
    }
    stage.updateApproval(stageApproval);
}
/**
 * Works out who may operate a pipeline, based on the approval of its first stage.
 *
 * <p>When the first stage defines no operate permission, the group-level operators are
 * returned unchanged. When it does, the result is built from the admins plus the first
 * stage's approvers (with plugin roles resolved separately); the group-level operators
 * are not merged in on that path.
 *
 * @param pipeline pipeline whose first stage decides the outcome
 * @param admins user names that are always included when stage-level permissions apply
 * @param groupLevelOperators operators to fall back on
 * @param rolesToUsers role membership handed to {@code namesOf}
 * @return the users and plugin roles allowed to operate the pipeline
 */
private AllowedUsers pipelineOperators(PipelineConfig pipeline, Set<String> admins, AllowedUsers groupLevelOperators, Map<String, Collection<String>> rolesToUsers) {
    boolean firstStageRestricted = pipeline.first().hasOperatePermissionDefined();
    if (!firstStageRestricted) {
        return groupLevelOperators;
    }

    Set<String> firstStageApprovers =
            namesOf(pipeline.first().getApproval().getAuthConfig(), rolesToUsers);
    Set<PluginRoleConfig> firstStagePluginRoles =
            pluginRolesFor(goConfigService.security(), pipeline.first().getApproval().getAuthConfig().getRoles());

    // Admins first, then the stage-level approvers; group-level operators are deliberately absent.
    Set<String> operators = new HashSet<>(admins);
    operators.addAll(firstStageApprovers);
    return new AllowedUsers(operators, firstStagePluginRoles);
}
// Closes the enclosing class, whose header is outside this excerpt.
}
/**
 * A template whose stage approval names a role that is not defined must fail tree
 * validation, with the error reported on the template's "name".
 */
@Test
public void shouldValidateStageApprovalAuthorizationOfATemplateInTheContextOfPipelinesUsingTheTemplate() throws Exception {
    JobConfigs jobs = new JobConfigs(new JobConfig(new CaseInsensitiveString("defaultJob")));
    StageConfig stage = StageConfigMother.custom("stage", jobs);
    AdminRole missingRole = new AdminRole(new CaseInsensitiveString("non-existent-role"));
    stage.setApproval(new Approval(new AuthConfig(missingRole)));

    PipelineTemplateConfig template = PipelineTemplateConfigMother.createTemplate("template", stage);
    PipelineConfig pipeline = PipelineConfigMother.pipelineConfigWithTemplate("pipeline", "template");
    pipeline.usingTemplate(template);

    BasicCruiseConfig cruiseConfig = GoConfigMother.defaultCruiseConfig();
    cruiseConfig.addTemplate(template);
    cruiseConfig.addPipelineWithoutValidation("group", pipeline);

    template.validateTree(ConfigSaveValidationContext.forChain(cruiseConfig), cruiseConfig, false);

    assertThat(template.errors().getAllOn("name"), is(Arrays.asList("Role \"non-existent-role\" does not exist.")));
}
/**
 * After migration of {@code CONFIG_WITH_AUTH}, the approval of stage "stage1" in pipeline
 * "pipeline1" must carry three auth entries.
 */
@Test
public void shouldBeAbleToParseNewConfig() throws Exception {
    CruiseConfig migrated = ConfigMigrator.loadWithMigration(CONFIG_WITH_AUTH).config;
    CaseInsensitiveString pipelineName = new CaseInsensitiveString("pipeline1");
    CaseInsensitiveString stageName = new CaseInsensitiveString("stage1");

    assertThat(
            migrated.stageConfigByName(pipelineName, stageName).getApproval().getAuthConfig().size(),
            is(3));
}