/**
 * Reports whether the given user may edit this object.
 *
 * <p>Edit permission is decided by one delegated call,
 * {@code getAuthorization().isUserAnAdmin(username, roles)}; nothing else is consulted here.
 *
 * @param username the user being checked
 * @param roles passed unchanged to the admin check; NOTE(review): presumably the roles the
 *     user belongs to, and should come from the server-side identity - confirm against callers
 * @return whatever the admin check returns
 */
public boolean canBeEditedBy(CaseInsensitiveString username, List<Role> roles) {
    final boolean userIsAdmin = getAuthorization().isUserAnAdmin(username, roles);
    return userIsAdmin;
}
} // closes the enclosing type, whose header is outside this excerpt
/**
 * Reports whether the given user may edit the given template.
 *
 * <p>The answer is the template's own admin check,
 * {@code template.getAuthorization().isUserAnAdmin(username, roles)}. No state of the
 * receiver is read.
 *
 * @param template the template whose authorization is consulted
 * @param username the user being checked
 * @param roles passed unchanged to the admin check
 * @return whatever the template's admin check returns
 */
public boolean canUserEditTemplate(PipelineTemplateConfig template, CaseInsensitiveString username, List<Role> roles) {
    final boolean isTemplateAdmin = template.getAuthorization().isUserAnAdmin(username, roles);
    return isTemplateAdmin;
}
/**
 * Exposes the allow-group-admins flag stored on this object's authorization.
 *
 * @return the value of {@code getAuthorization().isAllowGroupAdmins()}
 */
public boolean isAllowGroupAdmins() {
    final boolean groupAdminsAllowed = getAuthorization().isAllowGroupAdmins();
    return groupAdminsAllowed;
}
/**
 * Decides whether a user may view the given template.
 *
 * <p>Access is granted when either of two conditions holds, checked in this order:
 * <ol>
 *   <li>the template's authorization lists the user, or one of the supplied roles, as a
 *       view user;</li>
 *   <li>the template allows group admins and the caller reports the user as a group
 *       administrator.</li>
 * </ol>
 *
 * <p>{@code isGroupAdministrator} is taken as given and is not re-derived here, so the
 * second condition is only as trustworthy as the caller's computation of that flag.
 *
 * @param template the template whose authorization is consulted
 * @param username the user being checked
 * @param roles passed unchanged to {@code isViewUser}
 * @param isGroupAdministrator whether the caller has established that the user is a group
 *     administrator
 * @return {@code true} if either condition above holds
 */
public boolean hasViewAccessToTemplate(PipelineTemplateConfig template, CaseInsensitiveString username, List<Role> roles, boolean isGroupAdministrator) {
    // An explicit view grant on the template is sufficient on its own.
    if (template.getAuthorization().isViewUser(username, roles)) {
        return true;
    }
    // Otherwise only the group-admin allowance can grant access.
    return template.isAllowGroupAdmins() && isGroupAdministrator;
}
} // closes the enclosing type, whose header is outside this excerpt
/**
 * Validates the authorization of the template located by {@code findAddedTemplate} in the
 * preprocessed config.
 *
 * <p>The located template is stored in {@code preprocessedTemplateConfig}. Its authorization
 * is validated with a context built from the config and its templates, wrapped so that
 * {@code shouldNotCheckRole()} returns {@code false}. If validation leaves any errors on the
 * authorization, they are copied onto this object's {@code authorization} and the method
 * reports failure.
 *
 * @param preprocessedConfig the config to validate against
 * @return {@code true} when the template's authorization carries no errors after validation
 */
@Override
public boolean isValid(CruiseConfig preprocessedConfig) {
    TemplatesConfig allTemplates = preprocessedConfig.getTemplates();
    preprocessedTemplateConfig = findAddedTemplate(preprocessedConfig);

    // NOTE(review): returning false from shouldNotCheckRole() presumably forces role references
    // to be checked for this validation - confirm against DelegatingValidationContext.
    preprocessedTemplateConfig.getAuthorization().validateTree(
            new DelegatingValidationContext(ConfigSaveValidationContext.forChain(preprocessedConfig, allTemplates)) {
                @Override
                public boolean shouldNotCheckRole() {
                    return false;
                }
            });

    boolean authorizationIsClean = preprocessedTemplateConfig.getAuthorization().getAllErrors().isEmpty();
    if (authorizationIsClean) {
        return true;
    }
    // Copy the errors onto this object's authorization before rejecting.
    BasicCruiseConfig.copyErrors(preprocessedTemplateConfig.getAuthorization(), authorization);
    return false;
}
} // closes the enclosing type, whose header is outside this excerpt
/**
 * Removes every usage of {@code role} from all templates of the given config.
 *
 * <p>For each template, the role is first removed from the template's authorization and then
 * {@code cleanupAllUsagesOfRole(role)} is called on the template. {@code role} is not a
 * parameter; it is read from the enclosing scope.
 *
 * @param preprocessedConfig the config whose templates are updated in place
 */
private void removeFromAllTemplates(CruiseConfig preprocessedConfig) {
    for (PipelineTemplateConfig eachTemplate : preprocessedConfig.getTemplates()) {
        eachTemplate.getAuthorization().removeAllUsagesOfRole(role);
        eachTemplate.cleanupAllUsagesOfRole(role);
    }
}
/**
 * Validates this template: its name, the uniqueness of its stage names, and its authorization.
 *
 * <p>The authorization is validated with the caller's context wrapped so that
 * {@code shouldNotCheckRole()} returns {@code false}.
 *
 * @param validationContext the context the authorization validation delegates to
 */
public void validate(ValidationContext validationContext) {
    validateTemplateName();
    validateStageNameUniqueness();

    // NOTE(review): the override presumably forces role references to be checked even when the
    // wrapped context would skip them - confirm against DelegatingValidationContext.
    getAuthorization().validateTree(
            new DelegatingValidationContext(validationContext) {
                @Override
                public boolean shouldNotCheckRole() {
                    return false;
                }
            });
}
/**
 * Decides whether the user may view the given template.
 *
 * <p>Checks are made in this order and the first that succeeds grants access:
 * <ol>
 *   <li>the user is authorized to edit the template;</li>
 *   <li>the template's authorization lists the user, or one of the roles returned by
 *       {@code rolesForUser(username)}, as a view user;</li>
 *   <li>the template allows group admins and {@code isGroupAdministrator(username)} holds.</li>
 * </ol>
 *
 * <p>Roles and group-administrator status are looked up here from the username and are not
 * supplied by the caller.
 *
 * @param templateConfig the template being accessed
 * @param username the user being checked
 * @return {@code true} if any of the three checks succeeds
 */
@Override
public boolean isAuthorizedToViewTemplate(PipelineTemplateConfig templateConfig, CaseInsensitiveString username) {
    // Edit rights imply view rights.
    if (isAuthorizedToEditTemplate(templateConfig, username)) {
        return true;
    }
    if (templateConfig.getAuthorization().isViewUser(username, rolesForUser(username))) {
        return true;
    }
    return templateConfig.isAllowGroupAdmins() && isGroupAdministrator(username);
}
/**
 * Replaces the stored template in the given config with {@code templateConfig}.
 *
 * <p>Before the swap, the authorization on {@code templateConfig} is overwritten with the
 * authorization of the template currently stored in the config. Whatever authorization the
 * incoming template carried is therefore discarded, and the stored permissions survive the
 * update.
 *
 * @param modifiedConfig the config whose template collection is updated
 */
@Override
public void update(CruiseConfig modifiedConfig) {
    PipelineTemplateConfig storedTemplate = findAddedTemplate(modifiedConfig);

    // Carry the stored permissions over so this update path cannot change them.
    templateConfig.setAuthorization(storedTemplate.getAuthorization());

    TemplatesConfig allTemplates = modifiedConfig.getTemplates();
    allTemplates.removeTemplateNamed(storedTemplate.name());
    allTemplates.add(templateConfig);
    modifiedConfig.setTemplates(allTemplates);
}
/**
 * Loads a config whose template has an {@code <authorization>} element with an empty
 * {@code <admins>} element, and checks that the template ends up with a non-null
 * authorization that has no admin users and no admin roles.
 */
@Test
public void shouldAllowEmptyAuthorizationTagUnderEachTemplateWhileLoading() throws Exception {
    String configXml = "<cruise schemaVersion='" + CONFIG_SCHEMA_VERSION + "'>\n"
            + " <templates>"
            + " <pipeline name='template-name'>"
            + " <authorization>"
            + " <admins>"
            + " </admins>"
            + " </authorization>"
            + " <stage name='stage-name'>"
            + " <jobs>"
            + " <job name='job-name'/>"
            + " </jobs>"
            + " </stage>"
            + " </pipeline>"
            + " </templates>"
            + "</cruise>";

    CruiseConfig loadedConfig = ConfigMigrator.loadWithMigration(configXml).configForEdit;
    PipelineTemplateConfig loadedTemplate = loadedConfig.getTemplateByName(new CaseInsensitiveString("template-name"));
    Authorization templateAuthorization = loadedTemplate.getAuthorization();

    // An empty admins element must produce an empty admin list, not a missing authorization.
    assertThat(templateAuthorization, is(not(nullValue())));
    assertThat(templateAuthorization.getAdminsConfig().getUsers(), is(empty()));
    assertThat(templateAuthorization.getAdminsConfig().getRoles(), is(empty()));
}
/**
 * Checks that a group administrator is denied view access to a template whose authorization
 * has the allow-group-admins flag switched off.
 *
 * <p>NOTE(review): the method name reads as the opposite of what is asserted. The case pinned
 * here is "group admins are not allowed, so access is denied". The roles argument is passed as
 * {@code null}, so the test also relies on {@code isViewUser} tolerating a null role list.
 */
@Test
public void shouldReturnFalseIfGroupAdminCanViewTemplate() {
    CaseInsensitiveString viewer = new CaseInsensitiveString("view");
    PipelineTemplateConfig restrictedTemplate =
            PipelineTemplateConfigMother.createTemplate("template", StageConfigMother.manualStage("stage"));
    restrictedTemplate.getAuthorization().setAllowGroupAdmins(false);
    TemplatesConfig allTemplates = new TemplatesConfig(restrictedTemplate);

    // isGroupAdministrator is true, but the template does not allow group admins.
    boolean canView = allTemplates.hasViewAccessToTemplate(restrictedTemplate, viewer, null, true);
    assertThat(canView, is(false));
}
/**
 * Writes a config containing a template whose authorization disallows group admins, and
 * checks that the serialized XML mentions {@code allGroupAdminsAreViewers}.
 *
 * <p>NOTE(review): the assertion only checks that the attribute name appears in the output.
 * It does not pin the written value, so a writer that emitted the flag with the wrong value
 * would still pass.
 */
@Test
public void shouldDisplayTheFlagInXmlIfTemplateAuthorizationDoesNotAllowGroupAdmins() throws Exception {
    CruiseConfig config = new BasicCruiseConfig();
    PipelineTemplateConfig restrictedTemplate = com.thoughtworks.go.helper.PipelineTemplateConfigMother.createTemplate(
            "template-name",
            new Authorization(new AdminsConfig()),
            com.thoughtworks.go.helper.StageConfigMother.manualStage("stage-name"));
    restrictedTemplate.getAuthorization().setAllowGroupAdmins(false);
    config.addTemplate(restrictedTemplate);

    xmlWriter.write(config, output, false);

    String serializedXml = this.output.toString();
    assertThat(serializedXml, containsString("allGroupAdminsAreViewers"));
}
// Pins that the authorization of "template1" has the allow-group-admins flag set.
assertThat(cruiseConfig.getTemplateByName(new CaseInsensitiveString("template1")).getAuthorization().isAllowGroupAdmins(), is(true));
// Pins that the authorization of "template1" has the allow-group-admins flag cleared.
assertThat(cruiseConfig.getTemplateByName(new CaseInsensitiveString("template1")).getAuthorization().isAllowGroupAdmins(), is(false));
/**
 * Checks that setting config attributes with no authorization entry clears admins that were
 * set earlier.
 *
 * <p>Three users are first granted the admin privilege through {@code setConfigAttributes}.
 * A second call with an empty attribute map must leave the template with zero admins, so
 * earlier grants do not linger once the permissions are cleared.
 */
@Test
public void shouldReInitializeAuthorizationIfWeClearAllPermissions() {
    PipelineTemplateConfig template = PipelineTemplateConfigMother.createTemplate("template-1");

    final String userType = Authorization.UserType.USER.toString();
    final String adminPrivilege = Authorization.PrivilegeType.ADMIN.toString();
    final String privilegeOn = Authorization.PrivilegeState.ON.toString();

    template.setConfigAttributes(m(BasicPipelineConfigs.AUTHORIZATION, a(
            DataStructureUtils.m(Authorization.NAME, "loser", Authorization.TYPE, userType,
                    Authorization.PRIVILEGES, a(DataStructureUtils.m(adminPrivilege, privilegeOn))),
            DataStructureUtils.m(Authorization.NAME, "boozer", Authorization.TYPE, userType,
                    Authorization.PRIVILEGES, a(DataStructureUtils.m(adminPrivilege, privilegeOn))),
            DataStructureUtils.m(Authorization.NAME, "geezer", Authorization.TYPE, userType,
                    Authorization.PRIVILEGES, a(DataStructureUtils.m(adminPrivilege, privilegeOn))))));

    Authorization afterGrant = template.getAuthorization();
    assertThat(afterGrant.getAdminsConfig().size(), Matchers.is(3));

    // Clearing: an empty attribute map must drop all three admins.
    template.setConfigAttributes(m());

    Authorization afterClear = template.getAuthorization();
    assertThat(afterClear.getAdminsConfig().size(), Matchers.is(0));
}
/**
 * Checks that authorization entries passed to {@code setConfigAttributes} become admins.
 *
 * <p>Three users are given the admin privilege. The template must then list exactly those
 * three as admins and have empty operate and view configs, so an admin grant does not also
 * create entries in the other two lists.
 */
@Test
public void shouldUpdateAuthorization() {
    PipelineTemplateConfig template = PipelineTemplateConfigMother.createTemplate("template-1");

    final String userType = Authorization.UserType.USER.toString();
    final String adminPrivilege = Authorization.PrivilegeType.ADMIN.toString();
    final String privilegeOn = Authorization.PrivilegeState.ON.toString();

    template.setConfigAttributes(m(BasicPipelineConfigs.AUTHORIZATION, a(
            DataStructureUtils.m(Authorization.NAME, "loser", Authorization.TYPE, userType,
                    Authorization.PRIVILEGES, a(DataStructureUtils.m(adminPrivilege, privilegeOn))),
            DataStructureUtils.m(Authorization.NAME, "boozer", Authorization.TYPE, userType,
                    Authorization.PRIVILEGES, a(DataStructureUtils.m(adminPrivilege, privilegeOn))),
            DataStructureUtils.m(Authorization.NAME, "geezer", Authorization.TYPE, userType,
                    Authorization.PRIVILEGES, a(DataStructureUtils.m(adminPrivilege, privilegeOn))))));

    Authorization updated = template.getAuthorization();
    assertThat(updated.getAdminsConfig().size(), Matchers.is(3));
    for (String expectedAdmin : new String[] {"loser", "boozer", "geezer"}) {
        assertThat(updated.getAdminsConfig(), hasItem(new AdminUser(new CaseInsensitiveString(expectedAdmin))));
    }

    // Only the admin list may be populated by these grants.
    assertThat(updated.getOperationConfig().size(), Matchers.is(0));
    assertThat(updated.getViewConfig().size(), Matchers.is(0));
}
/**
 * Checks that authorization entries with a blank name are dropped.
 *
 * <p>Three admin entries are submitted: one with an empty name, one with a {@code null} name
 * and one named "geezer". Only "geezer" may end up as an admin, so a nameless entry can never
 * become an admin principal.
 */
@Test
public void shouldIgnoreBlankUserWhileSettingAttributes() {
    PipelineTemplateConfig template = PipelineTemplateConfigMother.createTemplate("template-1");

    final String userType = Authorization.UserType.USER.toString();
    final String adminPrivilege = Authorization.PrivilegeType.ADMIN.toString();
    final String privilegeOn = Authorization.PrivilegeState.ON.toString();

    template.setConfigAttributes(m(BasicPipelineConfigs.AUTHORIZATION, a(
            // empty name
            DataStructureUtils.m(Authorization.NAME, "", Authorization.TYPE, userType,
                    Authorization.PRIVILEGES, a(DataStructureUtils.m(adminPrivilege, privilegeOn))),
            // null name
            DataStructureUtils.m(Authorization.NAME, null, Authorization.TYPE, userType,
                    Authorization.PRIVILEGES, a(DataStructureUtils.m(adminPrivilege, privilegeOn))),
            // the only entry expected to survive
            DataStructureUtils.m(Authorization.NAME, "geezer", Authorization.TYPE, userType,
                    Authorization.PRIVILEGES, a(DataStructureUtils.m(adminPrivilege, privilegeOn))))));

    Authorization updated = template.getAuthorization();
    assertThat(updated.getAdminsConfig().size(), Matchers.is(1));
    assertThat(updated.getAdminsConfig(), hasItem(new AdminUser(new CaseInsensitiveString("geezer"))));
}
// Expected view permissions for "template1": user "foo" plus role "role1" (built with role users "duck" and "jyoti").
ViewConfig expectedViewConfig = new ViewConfig(new AdminUser(new CaseInsensitiveString("foo")), new AdminRole(new RoleConfig(new CaseInsensitiveString("role1"), new RoleUser("duck"), new RoleUser("jyoti")))); assertThat(cruiseConfig.getTemplateByName(new CaseInsensitiveString("template1")).getAuthorization().getViewConfig(), is(expectedViewConfig));