/**
 * Builds a {@link RoleConfig} from a JSON reader.
 *
 * <p>A {@code null} reader yields an empty role. Otherwise every element of the optional
 * {@code "users"} array is read as a string and added to the role as a {@link RoleUser}.
 *
 * <p>NOTE(review): user names are taken from the JSON as-is and no validation is visible
 * in this method; confirm that role/user validation runs before the result is persisted
 * or used for authorization.
 *
 * @param jsonReader source of the role definition, may be {@code null}
 * @return the populated role, never {@code null}
 */
public static RoleConfig fromJSON(JsonReader jsonReader) {
    final RoleConfig roleConfig = new RoleConfig();
    if (jsonReader != null) {
        jsonReader.readArrayIfPresent("users", userNames -> {
            userNames.forEach(userName -> roleConfig.addUser(new RoleUser(userName.getAsString())));
        });
    }
    return roleConfig;
}
/**
 * A security config change listener must report interest in {@link RoleConfig} entities.
 */
@Test
public void shouldCareAboutRoleConfigChange() {
    // Anonymous listener with an empty callback: only shouldCareAbout() is exercised here.
    SecurityConfigChangeListener listener = new SecurityConfigChangeListener() {
        @Override
        public void onEntityConfigChange(Object entity) {
        }
    };

    assertThat(listener.shouldCareAbout(new RoleConfig()), is(true));
}
/**
 * Deleting a role that is not part of the security config must raise a
 * {@link RuntimeException} whose message mentions that the role does not exist.
 */
@Test
public void shouldBombIfDeletingARoleWhichDoesNotExist() throws Exception {
    try {
        SecurityConfig config = security(passwordFileAuthConfig(), admins());
        RoleConfig unknownRole = new RoleConfig(new CaseInsensitiveString("role99"));
        config.deleteRole(unknownRole);
        // fail() raises an AssertionError, which the RuntimeException handler below does not catch.
        fail("Should have blown up with an exception on the previous line as deleting role99 should blow up");
    } catch (RuntimeException expected) {
        boolean mentionsMissingRole = Pattern.compile("does not exist").matcher(expected.getMessage()).find();
        assertTrue(mentionsMissingRole);
    }
}
/**
 * {@code getRoleConfigs()} must leave out plugin roles and return the remaining
 * {@link RoleConfig} entries in their configured order.
 */
@Test
public void getRoleConfigsShouldReturnOnlyNonPluginRoles() {
    Role adminRole = new RoleConfig(new CaseInsensitiveString("admin"));
    Role viewRole = new RoleConfig(new CaseInsensitiveString("view"));
    Role blackbirdPluginRole = new PluginRoleConfig("blackbird", "foo");
    Role spacetigerPluginRole = new PluginRoleConfig("spacetiger", "foo");

    // Plugin roles are interleaved with core roles on purpose.
    RolesConfig allRoles = new RolesConfig(adminRole, blackbirdPluginRole, viewRole, spacetigerPluginRole);

    List<RoleConfig> coreRoles = allRoles.getRoleConfigs();

    assertThat(coreRoles, hasSize(2));
    assertThat(coreRoles, contains(adminRole, viewRole));
}
/**
 * Admin status can be granted through role membership: role names are matched without
 * regard to case, and a role that merely shares its name with an admin <em>user</em>
 * does not count as an admin role.
 */
@Test
public void shouldUnderstandIfAUserIsAnAdminThroughRole() {
    AdminsConfig admins = new AdminsConfig(
            new AdminUser(new CaseInsensitiveString("loser")),
            new AdminRole(new CaseInsensitiveString("Role1")));

    // "role1" matches the admin role "Role1" despite the different case.
    RoleConfig unrelatedRole = new RoleConfig(new CaseInsensitiveString("first"));
    RoleConfig lowerCaseAdminRole = new RoleConfig(new CaseInsensitiveString("role1"));
    assertThat(admins.isAdminRole(Arrays.asList(unrelatedRole, lowerCaseAdminRole)), is(true));

    RoleConfig nonAdminRole = new RoleConfig(new CaseInsensitiveString("role2"));
    assertThat(admins.isAdminRole(Arrays.asList(nonAdminRole)), is(false));

    // A role named like the admin user "loser" must not inherit that user's admin rights.
    RoleConfig roleNamedLikeAdminUser = new RoleConfig(new CaseInsensitiveString("loser"));
    assertThat(admins.isAdminRole(Arrays.asList(roleNamedLikeAdminUser)), is(false));
}
/**
 * Two roles with the same name in one {@link RolesConfig} must produce exactly one
 * validation error.
 */
@Test
public void shouldBeInvalidToHaveTwoRolesWithTheSameName() {
    Role original = new RoleConfig(new CaseInsensitiveString("role1"));
    Role duplicate = new RoleConfig(new CaseInsensitiveString("role1"));
    RolesConfig roles = new RolesConfig(original, duplicate);

    // The validation context is not needed for this check, so null is passed.
    roles.validate(null);

    int errorCount = roles.errors().getAll().size();
    assertEquals(1, errorCount);
}
/**
 * A user is an admin when at least one of the roles passed in is an admin role,
 * and is not an admin when no roles are passed.
 */
@Test
public void shouldReturnTrueIfAnUserBelongsToAnAdminRole() {
    AdminsConfig admins = new AdminsConfig(
            new AdminRole(new CaseInsensitiveString("bar1")),
            new AdminRole(new CaseInsensitiveString("bar2")));
    Authorization auth = new Authorization(admins);

    // The same admin role listed twice still grants admin rights.
    RoleConfig bar1 = new RoleConfig(new CaseInsensitiveString("bar1"));
    RoleConfig bar1Again = new RoleConfig(new CaseInsensitiveString("bar1") );
    assertThat(auth.isUserAnAdmin(new CaseInsensitiveString("foo1"), Arrays.asList(bar1, bar1Again)), is(true));

    RoleConfig bar2 = new RoleConfig(new CaseInsensitiveString("bar2"));
    assertThat(auth.isUserAnAdmin(new CaseInsensitiveString("foo2"), Arrays.asList(bar2)), is(true));

    RoleConfig bar1Only = new RoleConfig(new CaseInsensitiveString("bar1"));
    assertThat(auth.isUserAnAdmin(new CaseInsensitiveString("foo3"), Arrays.asList(bar1Only)), is(true));

    // No roles and no admin-user entry: must be denied.
    assertThat(auth.isUserAnAdmin(new CaseInsensitiveString("foo4"), new ArrayList<>()), is(false));
}
/**
 * Shared check: validating a role whose name already exists in the security config
 * must attach exactly one error to that role, on the {@code "name"} field.
 *
 * @param v the validation strategy under test
 */
public void validateUniquenessOfRoleName(Validator v) throws Exception {
    RoleConfig roleUnderTest = new RoleConfig(new CaseInsensitiveString("admin"));
    SecurityConfig security = new SecurityConfig();
    ValidationContext context = ValidationContextMother.validationContext(security);

    // Register a first "admin" role, then the role under test with the same name.
    security.getRoles().add(new RoleConfig(new CaseInsensitiveString("admin")));
    security.getRoles().add(roleUnderTest);

    v.validate(roleUnderTest, context);

    assertThat(roleUnderTest.errors().size(), is(1));
    assertThat(roleUnderTest.errors().get("name").get(0), is("Role names should be unique. Role with the same name exists."));
}
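/**
 * A membership query against a role that is not configured must throw, with a message
 * naming the missing role.
 *
 * <p>The test fails explicitly when no exception is raised. Without that, a regression
 * that silently answers the membership question for an unknown role would still pass.
 */
@Test
public void shouldThrowExceptionIfRoleDoesNotExist() {
    RolesConfig rolesConfig = new RolesConfig(new RoleConfig(new CaseInsensitiveString("role1"), new RoleUser(new CaseInsensitiveString("user1"))));
    try {
        rolesConfig.isUserMemberOfRole(new CaseInsensitiveString("anyone"), new CaseInsensitiveString("invalid-role-name"));
    } catch (Exception e) {
        assertThat(e.getMessage(), is("Role \"invalid-role-name\" does not exist!"));
        return;
    }
    // AssertionError is an Error, so the catch (Exception) above can never swallow it.
    throw new AssertionError("Expected isUserMemberOfRole to throw for a role that does not exist");
}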
/**
 * A user who belongs to a role that is listed in the view config has admin-or-view
 * permissions.
 */
@Test
public void shouldSayThatAViewUserWithinARole_HasAdminOrViewPermissions() {
    CaseInsensitiveString userName = new CaseInsensitiveString("view");
    RoleConfig viewRole = new RoleConfig(new CaseInsensitiveString("role1"), new RoleUser(userName));

    // View access is granted to the role, not to the user directly.
    Authorization auth = new Authorization(new ViewConfig(new AdminRole(viewRole)));

    List<Role> userRoles = new ArrayList<>();
    userRoles.add(viewRole);

    assertThat(auth.hasAdminOrViewPermissions(userName, userRoles), is(true));
}
/**
 * Adds a role with the given members to a security config.
 *
 * @param securityConfig config to extend; it is modified in place
 * @param roleName       name of the role to create
 * @param users          names of the users to put into the role
 * @return the same {@code securityConfig} instance, for chaining
 */
public static SecurityConfig securityConfigWithRole(SecurityConfig securityConfig, String roleName, String... users) {
    RoleConfig newRole = new RoleConfig(new CaseInsensitiveString(roleName));
    for (int i = 0; i < users.length; i++) {
        newRole.addUser(new RoleUser(new CaseInsensitiveString(users[i])));
    }
    securityConfig.addRole(newRole);
    return securityConfig;
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * Role membership alone grants nothing: when the view config lists only a different
 * user, a role member has neither admin nor view permissions.
 */
@Test
public void shouldReturnFalseForNonAdminNonViewUserWithinARole() {
    CaseInsensitiveString userName = new CaseInsensitiveString("view");
    RoleConfig memberRole = new RoleConfig(new CaseInsensitiveString("role1"), new RoleUser(userName));

    // Only "other-user" is granted view access; the role itself is not referenced.
    Authorization auth = new Authorization(new ViewConfig(new AdminUser(new CaseInsensitiveString("other-user"))));

    List<Role> userRoles = new ArrayList<>();
    userRoles.add(memberRole);

    assertThat(auth.hasAdminOrViewPermissions(userName, userRoles), is(false));
}
/**
 * {@code memberRoles} for an {@link AdminRole} returns the configured role of that name,
 * matching the name without regard to case.
 */
@Test
public void shouldListItselfWhenARoleExists() {
    Role role1 = new RoleConfig(
            new CaseInsensitiveString("role1"),
            new RoleUser(new CaseInsensitiveString("USER1")),
            new RoleUser(new CaseInsensitiveString("user2")));
    Role role2 = new RoleConfig(
            new CaseInsensitiveString("ROLE2"),
            new RoleUser(new CaseInsensitiveString("user1")),
            new RoleUser(new CaseInsensitiveString("user3")));
    RolesConfig roles = new RolesConfig(role1, role2);

    assertThat(roles.memberRoles(new AdminRole(new CaseInsensitiveString("role1"))), is(asList(role1)));
    // The lookup uses "role2" while the role is configured as "ROLE2".
    assertThat(roles.memberRoles(new AdminRole(new CaseInsensitiveString("role2"))), is(asList(role2)));
}
/**
 * {@code getPluginRoles(pluginId)} returns only the plugin roles whose auth config
 * belongs to the given plugin. Roles of other plugins and core roles are left out.
 */
@Test
public void shouldGetPluginRolesWhichBelogsToSpecifiedPlugin() throws Exception {
    SecurityConfig security = new SecurityConfig();

    // Two plugin roles bound to different auth configs, plus one core role.
    security.addRole(new PluginRoleConfig("foo", "ldap"));
    security.addRole(new PluginRoleConfig("bar", "github"));
    security.addRole(new RoleConfig(new CaseInsensitiveString("xyz")));

    // Auth config id -> plugin id.
    security.securityAuthConfigs().add(new SecurityAuthConfig("ldap", "cd.go.ldap"));
    security.securityAuthConfigs().add(new SecurityAuthConfig("github", "cd.go.github"));

    List<PluginRoleConfig> ldapRoles = security.getPluginRoles("cd.go.ldap");

    assertThat(ldapRoles, hasSize(1));
    assertThat(ldapRoles, contains(new PluginRoleConfig("foo", "ldap")));
}
/**
 * {@code getPluginRoles(pluginId)} returns an empty list, not an error or every role,
 * when no auth config belongs to the given plugin id.
 */
@Test
public void getPluginRolesConfig_shouldReturnNothingWhenBadPluginIdSpecified() throws Exception {
    SecurityConfig security = new SecurityConfig();

    security.addRole(new PluginRoleConfig("foo", "ldap"));
    security.addRole(new PluginRoleConfig("bar", "github"));
    security.addRole(new RoleConfig(new CaseInsensitiveString("xyz")));

    security.securityAuthConfigs().add(new SecurityAuthConfig("ldap", "cd.go.ldap"));
    security.securityAuthConfigs().add(new SecurityAuthConfig("github", "cd.go.github"));

    // The plugin id below matches neither configured auth config.
    List<PluginRoleConfig> rolesForUnknownPlugin = security.getPluginRoles("non-existant-plugin");

    assertThat(rolesForUnknownPlugin, hasSize(0));
}
/**
 * {@code #{name}} placeholders inside admin user names, role names and role member
 * names are replaced by {@link ParamResolver} with the matching parameter values.
 *
 * <p>NOTE(review): the resolved strings become the identities that authorization
 * compares against. Presumably name validation should see the resolved values, not
 * the raw ones; confirm against the code that calls the resolver.
 */
@Test
public void shouldResolve_ConfigValue_MappedAsObject() {
    SecurityConfig security = new SecurityConfig();
    security.adminsConfig().add(new AdminUser(new CaseInsensitiveString("lo#{foo}")));
    security.addRole(new RoleConfig(
            new CaseInsensitiveString("boo#{bar}"),
            new RoleUser(new CaseInsensitiveString("choo#{foo}"))));

    // foo -> "ser", bar -> "zer"
    ParamSubstitutionHandlerFactory substitutions =
            new ParamSubstitutionHandlerFactory(params(param("foo", "ser"), param("bar", "zer")));
    new ParamResolver(substitutions, fieldCache).resolve(security);

    assertThat(CaseInsensitiveString.str(security.adminsConfig().get(0).getName()), is("loser"));
    assertThat(CaseInsensitiveString.str(security.getRoles().get(0).getName()), is("boozer"));
    assertThat(CaseInsensitiveString.str(security.getRoles().get(0).getUsers().get(0).getName()), is("chooser"));
}
/**
 * An {@link AdminRole} referenced from a pipeline group's view authorization validates
 * without errors when a role of that name is defined in the server security config.
 */
@Test
public void shouldNotThrowExceptionIfRoleNameExistInPipelinesAuthorization() {
    AdminRole referencedRole = new AdminRole(new CaseInsensitiveString("role2"));
    Authorization groupAuthorization = new Authorization(new ViewConfig(referencedRole));
    PipelineConfigs group = new BasicPipelineConfigs(groupAuthorization);
    CruiseConfig cruiseConfig = new BasicCruiseConfig(group);

    // Define the role so that the reference above resolves.
    cruiseConfig.server().security().addRole(new RoleConfig(new CaseInsensitiveString("role2")));

    referencedRole.validate(ConfigSaveValidationContext.forChain(cruiseConfig));

    assertThat(referencedRole.errors().isEmpty(), is(true));
}
/**
 * A template whose admin authorization names a role that is not defined in the security
 * config must fail validation with a "does not exist" error on {@code "name"}.
 */
@Test
public void shouldValidateRoleNamesInTemplateAdminAuthorization() {
    BasicCruiseConfig config = GoConfigMother.defaultCruiseConfig();
    SecurityConfig security = new SecurityConfig(new AdminsConfig(new AdminUser(new CaseInsensitiveString("admin"))));
    ServerConfig server = new ServerConfig(security, null);
    config.setServerConfig(server);
    GoConfigMother.enableSecurityWithPasswordFilePlugin(config);

    // This role is never added to the security config.
    RoleConfig undefinedRole = new RoleConfig(new CaseInsensitiveString("non-existent-role"), new RoleUser("non-existent-user"));
    Authorization templateAdmins = new Authorization(new AdminsConfig(new AdminRole(undefinedRole)));
    PipelineTemplateConfig templateConfig = new PipelineTemplateConfig(
            new CaseInsensitiveString("template"),
            templateAdmins,
            StageConfigMother.manualStage("stage2"),
            StageConfigMother.manualStage("stage"));

    templateConfig.validate(ConfigSaveValidationContext.forChain(config));

    assertThat(templateConfig.getAllErrors().get(0).getAllOn("name"), is(Arrays.asList("Role \"non-existent-role\" does not exist.")));
}
/**
 * A template whose view authorization names a role that is not defined in the security
 * config must fail validation with a "does not exist" error on {@code "name"}.
 */
@Test
public void shouldValidateRoleNamesInTemplateViewAuthorization() {
    BasicCruiseConfig config = GoConfigMother.defaultCruiseConfig();
    SecurityConfig security = new SecurityConfig(new AdminsConfig(new AdminUser(new CaseInsensitiveString("admin"))));
    ServerConfig server = new ServerConfig(security, null);
    config.setServerConfig(server);
    GoConfigMother.enableSecurityWithPasswordFilePlugin(config);

    // This role is never added to the security config.
    RoleConfig undefinedRole = new RoleConfig(new CaseInsensitiveString("non-existent-role"), new RoleUser("non-existent-user"));
    Authorization templateViewers = new Authorization(new ViewConfig(new AdminRole(undefinedRole)));
    PipelineTemplateConfig templateConfig = new PipelineTemplateConfig(
            new CaseInsensitiveString("template"),
            templateViewers,
            StageConfigMother.manualStage("stage2"),
            StageConfigMother.manualStage("stage"));

    templateConfig.validate(ConfigSaveValidationContext.forChain(config));

    assertThat(templateConfig.getAllErrors().get(0).getAllOn("name"), is(Arrays.asList("Role \"non-existent-role\" does not exist.")));
}
/**
 * An {@link AdminRole} referenced from a stage's auth config validates without errors
 * when a role of that name is defined in the server security config.
 */
@Test
public void shouldNotThrowExceptionIfRoleNameExist() {
    AdminRole referencedRole = new AdminRole(new CaseInsensitiveString("role1"));
    StageConfig stageWithApprovalAuth = StageConfigMother.custom("ft", new AuthConfig(referencedRole));
    PipelineConfig pipeline = new PipelineConfig(new CaseInsensitiveString("pipeline"), new MaterialConfigs(), stageWithApprovalAuth);
    PipelineConfigs group = new BasicPipelineConfigs(pipeline);
    CruiseConfig cruiseConfig = new BasicCruiseConfig(group);

    // Define the role so that the stage-level reference resolves.
    cruiseConfig.server().security().addRole(new RoleConfig(new CaseInsensitiveString("role1")));

    referencedRole.validate(ConfigSaveValidationContext.forChain(cruiseConfig));

    assertThat(referencedRole.errors().isEmpty(), is(true));
}