/** * Returns Roles which have a Restriction matching the provided Permission * * @param permission Permission to match * @return */ private List<RoleEntity> getRolesHavingRestrictionsWithPermission(Permission permission) { List<RoleEntity> result = entityManager .createQuery("from RoleEntity r left join fetch r.restrictions res where res.permission.value =:permission", RoleEntity.class) .setParameter("permission", permission.name()).getResultList(); return result == null ? new ArrayList<RoleEntity>() : result; }
/** * Returns Roles which have a Restriction matching the provided Permission and Action * * @param permission * @param action * @return */ private List<RoleEntity> getRolesHavingRestrictionsWithPermissionAndAction(Permission permission, Action action) { List<RoleEntity> result = entityManager .createQuery("from RoleEntity r left join fetch r.restrictions res where res.permission.value =:permission and (res.action =:action or res.action = 'ALL')", RoleEntity.class) .setParameter("permission", permission.name()).setParameter("action", action).getResultList(); return result == null ? new ArrayList<RoleEntity>() : result; }
/** * Checks if a user has a role or a restriction with a certain Permission no matter for which Actions * Useful for displaying/hiding navigation elements in views * The specific Action required has to be checked when the action is involved (button) * * @param permission */ public boolean hasPermission(Permission permission) { return hasRole(permission.name(), null, null, null, null) || hasUserRestriction(permission.name(), null, null, null, null); }
/** * Checks if a user has a role or a restriction with a certain Permission and Action * Useful for displaying/hiding navigation elements in views * * @param permission */ public boolean hasPermission(Permission permission, Action action) { return hasRole(permission.name(), null, action, null, null) || hasUserRestriction(permission.name(), null, action, null, null); }
/** * Checks if a user has a role or a restriction with a certain Permission * * @param permission the required Permission * @param context the requested Context (null = irrelevant) * @param action the required Action * @param resourceGroup the requested resourceGroup (null = irrelevant) * @param resourceType the requested resourceType (null = irrelevant) */ public boolean hasPermission(Permission permission, ContextEntity context, Action action, ResourceGroupEntity resourceGroup, ResourceTypeEntity resourceType) { return hasRole(permission.name(), context, action, resourceGroup, resourceType) || hasUserRestriction(permission.name(), context, action, resourceGroup, resourceType); }
/** * Checks if a user has a role or a restriction with a certain Permission on ALL Contexts * => context MUST NOT be restricted to a specific environment * * @param permission the required Permission * @param action the required Action * @param resourceGroup the requested resourceGroup (null = irrelevant) * @param resourceType the requested resourceType (null = irrelevant) */ public boolean hasPermissionOnAllContext(Permission permission, Action action, ResourceGroupEntity resourceGroup, ResourceTypeEntity resourceType) { return hasRoleOnAllContext(permission.name(), action, resourceGroup, resourceType) || hasUserRestrictionOnAllContext(permission.name(), action, resourceGroup, resourceType); }
/** * Checks if the caller is allowed to see Deployments */ public boolean hasPermissionToSeeDeployment() { for (Map.Entry<String, List<RestrictionDTO>> entry : getDeployableRoles().entrySet()) { if (sessionContext.isCallerInRole(entry.getKey())) { return true; } } return hasUserRestriction(Permission.DEPLOYMENT.name(), null, null, null, null); }
public RestrictionDTO mockRestrictionDTO(Permission permission, RestrictionEntity restrictionEntity) { RestrictionDTO mock = mock(RestrictionDTO.class); when(mock.getPermissionName()).thenReturn(permission.name()); when(mock.getRestriction()).thenReturn(restrictionEntity); return mock; }
/** * Checks if the caller is allowed to create (re-)Deployments */ public boolean hasPermissionToCreateDeployment() { for (Map.Entry<String, List<RestrictionDTO>> entry : getDeployableRoles().entrySet()) { if (sessionContext.isCallerInRole(entry.getKey())) { for (RestrictionDTO restrictionDTO : entry.getValue()) { if (restrictionDTO.getRestriction().getAction().equals(Action.CREATE) || restrictionDTO.getRestriction().getAction().equals(Action.ALL)) { return true; } } } } return hasUserRestriction(Permission.DEPLOYMENT.name(), null, Action.CREATE, null, null); }
/** * Checks if the caller is allowed to edit Deployments */ public boolean hasPermissionToEditDeployment() { for (Map.Entry<String, List<RestrictionDTO>> entry : getDeployableRoles().entrySet()) { if (sessionContext.isCallerInRole(entry.getKey())) { for (RestrictionDTO restrictionDTO : entry.getValue()) { if (restrictionDTO.getRestriction().getAction().equals(Action.UPDATE) || restrictionDTO.getRestriction().getAction().equals(Action.ALL)) { return true; } } } } return hasUserRestriction(Permission.DEPLOYMENT.name(), null, Action.UPDATE, null, null); }
public boolean canDelegatePermissionsForThisResource(ResourceEntity resource, ContextEntity context) { return (permissionService.hasPermission(Permission.PERMISSION_DELEGATION) && canDelegateThisPermission(Permission.RESOURCE.name(), resource.getResourceGroup().getId(), null, context.getName(), null)); }
@Test public void shouldReturnFalseIfCallerHasNoDelegationPermission() { // given when(sessionContext.isCallerInRole(CONFIG_ADMIN)).thenReturn(true); when(sessionContext.getCallerPrincipal()).thenReturn(principal); RestrictionEntity res = new RestrictionEntity(); res.setAction(Action.ALL); PermissionEntity perm = new PermissionEntity(); perm.setValue(Permission.RESOURCE_PROPERTY_DECRYPT.name()); res.setPermission(perm); myRoles = new HashMap<>(); permissionService.rolesWithRestrictions = myRoles; when(permissionRepository.getUserWithRestrictions(anyString())).thenReturn(Arrays.asList(res)); // when boolean result = permissionService.hasPermissionToDelegatePermission(Permission.RESOURCE_PROPERTY_DECRYPT, null, null, null, Action.CREATE); // then Assert.assertFalse(result); }
@Test public void shouldReturnFalseIfCallerHasDelegationPermissionButNotSimilarRestriction() { // given when(sessionContext.isCallerInRole(CONFIG_ADMIN)).thenReturn(true); when(sessionContext.getCallerPrincipal()).thenReturn(principal); RestrictionEntity res = new RestrictionEntity(); res.setAction(Action.ALL); PermissionEntity perm = new PermissionEntity(); perm.setValue(Permission.PERMISSION_DELEGATION.name()); res.setPermission(perm); myRoles = new HashMap<>(); permissionService.rolesWithRestrictions = myRoles; when(permissionRepository.getUserWithRestrictions(anyString())).thenReturn(Arrays.asList(res)); // when boolean result = permissionService.hasPermissionToDelegatePermission(Permission.RESOURCE_PROPERTY_DECRYPT, null, null, null, Action.CREATE); // then Assert.assertFalse(result); }
public RestrictionDTO buildRestrictionDTO(Permission permission, RestrictionEntity restrictionEntity) { PermissionEntity pe = new PermissionEntity(); pe.setValue(permission.name()); restrictionEntity.setPermission(pe); RestrictionDTO dto = new RestrictionDTO(restrictionEntity); return dto; } }
@Test public void shouldNotAllowToRemoveInstanceOfNonDefaultResTypeIfHasPermissionToDeleteInstancesOfDefaultResourceTypeOnly(){ // given ResourceTypeEntity nonDefaultResType = new ResourceTypeEntity(); when(sessionContext.isCallerInRole(SERVER_ADMIN)).thenReturn(true); when(sessionContext.getCallerPrincipal()).thenReturn(principal); myRoles = new HashMap<>(); PermissionEntity permission = new PermissionEntity(); permission.setValue(Permission.RESOURCE.name()); RestrictionEntity res = new RestrictionEntity(); res.setAction(Action.DELETE); res.setResourceTypePermission(ResourceTypePermission.DEFAULT_ONLY); res.setPermission(permission); myRoles.put(SERVER_ADMIN, Arrays.asList(new RestrictionDTO(res))); permissionService.rolesWithRestrictions = myRoles; // when boolean result = permissionService.hasPermissionToRemoveInstanceOfResType(nonDefaultResType); // then Assert.assertFalse(result); }
@Test public void shouldNotAllowToRemoveDefaultInstanceOfResTypeIfHasPermissionForResourcesOnly(){ // given ResourceTypeEntity applicationResTypeEntity = new ResourceTypeEntity(); applicationResTypeEntity.setName(DefaultResourceTypeDefinition.APPLICATION.name()); when(sessionContext.isCallerInRole(CONFIG_ADMIN)).thenReturn(true); when(sessionContext.getCallerPrincipal()).thenReturn(principal); myRoles = new HashMap<>(); PermissionEntity permission = new PermissionEntity(); permission.setValue(Permission.RESOURCE.name()); RestrictionEntity res = new RestrictionEntity(); res.setAction(Action.DELETE); res.setResourceTypePermission(ResourceTypePermission.NON_DEFAULT_ONLY); res.setPermission(permission); myRoles.put(CONFIG_ADMIN, Arrays.asList(new RestrictionDTO(res))); permissionService.rolesWithRestrictions = myRoles; // when boolean result = permissionService.hasPermissionToRemoveInstanceOfResType(applicationResTypeEntity); // then Assert.assertFalse(result); }
@Test public void shouldReturnTrueIfASameUserRestrictionAlreadyExists() { // given UserRestrictionEntity userRestrictionEntity = new UserRestrictionEntity(); userRestrictionEntity.setName("tester"); PermissionEntity permission = new PermissionEntity(); permission.setValue(Permission.RESOURCE.name()); RestrictionEntity restriction = new RestrictionEntity(); restriction.setUser(userRestrictionEntity); restriction.setAction(Action.UPDATE); restriction.setContext(envC); restriction.setPermission(permission); myRoles = new HashMap<>(); permissionService.rolesWithRestrictions = myRoles; when(permissionRepository.getUserWithRestrictions("tester")).thenReturn(Arrays.asList(restriction)); // when boolean exists = permissionService.identicalOrMoreGeneralRestrictionExists(restriction); // then Assert.assertTrue(exists); }
@Test public void shouldReturnFalseIfASimilarButActionRestrictedUserRestrictionExists() { // given UserRestrictionEntity userRestrictionEntity = new UserRestrictionEntity(); userRestrictionEntity.setName("tester"); PermissionEntity permission = new PermissionEntity(); permission.setValue(Permission.RESOURCE.name()); RestrictionEntity existingRestriction = new RestrictionEntity(); existingRestriction.setUser(userRestrictionEntity); existingRestriction.setAction(Action.UPDATE); existingRestriction.setPermission(permission); RestrictionEntity newRestriction = new RestrictionEntity(); newRestriction.setUser(userRestrictionEntity); newRestriction.setAction(Action.ALL); newRestriction.setPermission(permission); myRoles = new HashMap<>(); permissionService.rolesWithRestrictions = myRoles; when(permissionRepository.getUserWithRestrictions("tester")).thenReturn(Arrays.asList(existingRestriction)); // when boolean exists = permissionService.identicalOrMoreGeneralRestrictionExists(newRestriction); // then Assert.assertFalse(exists); }
@Test public void shouldReturnTrueIfASameRoleRestrictionAlreadyExists() { // given RoleEntity role = new RoleEntity(); role.setName(CONFIG_ADMIN); PermissionEntity permission = new PermissionEntity(); permission.setValue(Permission.RESOURCE.name()); RestrictionEntity restriction = new RestrictionEntity(); restriction.setRole(role); restriction.setAction(Action.UPDATE); restriction.setContext(envC); restriction.setPermission(permission); myRoles = new HashMap<>(); myRoles.put(role.getName(), Arrays.asList(new RestrictionDTOBuilder().buildRestrictionDTO(Permission.RESOURCE, restriction))); permissionService.rolesWithRestrictions = myRoles; // when boolean exists = permissionService.identicalOrMoreGeneralRestrictionExists(restriction); // then Assert.assertTrue(exists); }