/**
 * Reports whether the admins section of the given security config is empty,
 * i.e. it lists no roles and no users.
 *
 * <p>NOTE(review): a {@code true} result means "nobody is named as admin", not
 * "nobody is admin". How callers interpret it (deny all vs. allow all) is their
 * decision; verify each call site treats the empty case deliberately.
 *
 * @param securityConfig security configuration whose admins config is inspected
 * @return {@code true} only when both {@code getRoles()} and {@code getUsers()} are empty
 */
public static boolean noSuperAdminsDefined(SecurityConfig securityConfig) {
    final AdminsConfig admins = securityConfig.adminsConfig();
    final boolean hasAdminRoles = !admins.getRoles().isEmpty();
    if (hasAdminRoles) {
        return false;
    }
    return admins.getUsers().isEmpty();
}
/**
 * Returns the admins config found under the server config's security section,
 * as currently exposed by {@code goConfigService}.
 *
 * @return the server-level {@link AdminsConfig}
 */
public AdminsConfig systemAdmins() {
    return goConfigService
            .serverConfig()
            .security()
            .adminsConfig();
}
/**
 * Looks up the admins config stored under the server security section of the
 * supplied config.
 *
 * @param cruiseConfig configuration to read from
 * @return the {@link AdminsConfig} held by {@code cruiseConfig}
 */
final AdminsConfig findExistingAdmin(CruiseConfig cruiseConfig) {
    return cruiseConfig
            .server()
            .security()
            .adminsConfig();
}
/**
 * Builds the {@link Users} value describing who counts as a super admin.
 *
 * <p>Security-relevant behaviour: when security is disabled, or when it is enabled
 * but the admins config names no roles and no users, this returns
 * {@code Everyone.INSTANCE} instead of an empty allow-list. Presumably that value
 * matches every user, which would make the empty-admins case fail open.
 * NOTE(review): confirm that clearing the admins section is meant to widen access
 * rather than deny it.
 *
 * @return {@code Everyone.INSTANCE} in the two cases above, otherwise an
 *         {@code AllowedUsers} built from the admin user names and admin plugin roles
 */
private Users superAdmins() {
    final SecurityConfig securityConfig = goConfigService.security();
    final Map<String, Collection<String>> usersByRole = rolesToUsers(securityConfig);
    final Set<String> adminUserNames = namesOf(securityConfig.adminsConfig(), usersByRole);
    final Set<PluginRoleConfig> adminPluginRoles =
            pluginRolesFor(securityConfig, securityConfig.adminsConfig().getRoles());

    // Restricted only when security is on AND at least one admin role/user is configured.
    final boolean adminsAreRestricted =
            goConfigService.isSecurityEnabled() && !noSuperAdminsDefined(securityConfig);
    if (adminsAreRestricted) {
        return new AllowedUsers(adminUserNames, adminPluginRoles);
    }
    return Everyone.INSTANCE;
}
/**
 * Computes, for the given users, the tri-state selection for each configured role
 * and the tri-state selection for system-admin membership.
 *
 * @param users user names to evaluate
 * @return the admin selection together with the per-role selections
 */
public AdminAndRoleSelections getAdminAndRoleSelections(List<String> users) {
    final SecurityConfig security = goConfigService.security();
    // Copy the configured roles into a set before computing selections.
    final Set<Role> definedRoles = new HashSet<>(security.getRoles().getRoleConfigs());

    final List<TriStateSelection> perRoleSelections = TriStateSelection.forRoles(definedRoles, users);
    final TriStateSelection systemAdminSelection = TriStateSelection.forSystemAdmin(
            security.adminsConfig(),
            definedRoles,
            new SecurityService.UserRoleMatcherImpl(security),
            users);

    return new AdminAndRoleSelections(systemAdminSelection, perRoleSelections);
}
/**
 * Validates the admins config of the preprocessed configuration.
 *
 * <p>Stores the preprocessed admins config in {@code preprocessedAdmin}; when its
 * tree validation fails, the errors are copied onto {@code admin} so they are
 * visible on that object.
 *
 * @param preprocessedConfig configuration to validate against
 * @return {@code true} when {@code validateTree} succeeds, {@code false} otherwise
 */
@Override
public boolean isValid(CruiseConfig preprocessedConfig) {
    preprocessedAdmin = preprocessedConfig.server().security().adminsConfig();

    final boolean treeIsValid =
            preprocessedAdmin.validateTree(ConfigSaveValidationContext.forChain(preprocessedConfig));
    if (treeIsValid) {
        return true;
    }

    BasicCruiseConfig.copyErrors(preprocessedAdmin, admin);
    return false;
}
/**
 * Removes the admin-role entry named after {@code role} from the server-level
 * admins config of the given configuration.
 *
 * @param preprocessedConfig configuration whose admins config is modified
 */
private void removeFromServerAdmins(CruiseConfig preprocessedConfig) {
    final AdminRole adminEntryForRole = new AdminRole(role.getName());
    preprocessedConfig
            .server()
            .security()
            .adminsConfig()
            .remove(adminEntryForRole);
}
// Fragment of a larger method; the enclosing signature and the uses of these locals are not shown.
// User names resolved from the admins config and the role-to-users mapping (presumably
// expanding admin roles into their member users; verify against namesOf).
final Set<String> superAdminUsers = namesOf(security.adminsConfig(), rolesToUsers);
// Plugin role configs selected for the roles listed in the admins config.
final Set<PluginRoleConfig> superAdminPluginRoles = pluginRolesFor(security, security.adminsConfig().getRoles());
// NOTE(review): flag for "admins config names nobody"; if the code that follows uses it to
// widen access, confirm that an empty admins section is meant to fail open.
final boolean hasNoAdminsDefinedAtRootLevel = noSuperAdminsDefined(security);
/**
 * Adds an admin-user entry for {@code adminName} to the server-level admins config
 * of the given configuration.
 *
 * <p>The name is wrapped as-is; no check for an existing entry is made here.
 *
 * @param config    configuration to modify
 * @param adminName user name to add as an admin
 * @return the same {@code config} instance, after modification
 */
public static CruiseConfig addUserAsSuperAdmin(CruiseConfig config, String adminName) {
    final AdminUser newAdmin = new AdminUser(new CaseInsensitiveString(adminName));
    config.server()
            .security()
            .adminsConfig()
            .add(newAdmin);
    return config;
}
/**
 * Adds an admin-role entry for {@code rolename} to the server-level admins config
 * of the given configuration.
 *
 * @param cruiseConfig configuration to modify
 * @param rolename     name of the role to add as an admin role
 */
public void addRoleAsSuperAdmin(CruiseConfig cruiseConfig, String rolename) {
    cruiseConfig.server()
            .security()
            .adminsConfig()
            .addRole(new AdminRole(new CaseInsensitiveString(rolename)));
}
/**
 * Applies the selected admin-privilege action for {@code user} to the server-level
 * admins config.
 *
 * <p>{@code add} inserts an admin-user entry unless {@code hasUser} already reports
 * the user; {@code remove} deletes the admin-user entry. Any other action leaves
 * the admins config untouched.
 *
 * @param cruiseConfig configuration to modify
 * @return the same {@code cruiseConfig} instance
 */
public CruiseConfig update(CruiseConfig cruiseConfig) {
    final AdminsConfig serverAdmins = cruiseConfig.server().security().adminsConfig();
    switch (adminPrivilegeSelection.getAction()) {
        case add: {
            // NOTE(review): judging by its name, ALWAYS_FALSE_MATCHER disables role-based
            // matching so only directly listed users count; confirm against hasUser.
            final boolean alreadyListed =
                    serverAdmins.hasUser(new CaseInsensitiveString(user), ALWAYS_FALSE_MATCHER);
            if (!alreadyListed) {
                serverAdmins.add(new AdminUser(new CaseInsensitiveString(user)));
            }
            break;
        }
        case remove: {
            serverAdmins.remove(new AdminUser(new CaseInsensitiveString(user)));
            break;
        }
        default:
            // No change for any other action.
            break;
    }
    return cruiseConfig;
}
} // closes the enclosing type, whose header is not shown here
/**
 * Test fixture: builds a config with one pipeline, registers a password-file
 * authentication config, then adds the given role and the given admin entry.
 *
 * @param roleDefinition role to register in the security config
 * @param admins         admin entry to add to the server-level admins config
 * @return the prepared configuration
 */
private CruiseConfig cruiseConfigWithSecurity(Role roleDefinition, Admin admins) {
    final CruiseConfig config = GoConfigMother.configWithPipelines("pipeline");
    final SecurityConfig security = config.server().security();

    security.securityAuthConfigs()
            .add(new SecurityAuthConfig("file", "cd.go.authentication.passwordfile"));
    security.addRole(roleDefinition);
    security.adminsConfig().add(admins);

    return config;
}
/**
 * Two pipelines reference the same template with differently-cased names
 * ("first_template" and "FIRST_template"); both are expected under a single
 * template entry, while the pipeline without a template is not listed.
 */
@Test
public void shouldReturnAMapOfAllTemplateNamesWithAssociatedPipelines() {
    PipelineTemplateConfig firstTemplate = template("first_template");

    PipelineConfig first = PipelineConfigMother.pipelineConfig("first");
    first.clear();
    first.setTemplateName(new CaseInsensitiveString("first_template"));
    first.usingTemplate(firstTemplate);

    // Same template, referenced with different letter case.
    PipelineConfig second = PipelineConfigMother.pipelineConfig("second");
    second.clear();
    second.setTemplateName(new CaseInsensitiveString("FIRST_template"));
    second.usingTemplate(firstTemplate);

    PipelineConfig third = PipelineConfigMother.pipelineConfig("third");

    BasicPipelineConfigs group = new BasicPipelineConfigs(first, second, third);
    group.setOrigin(new FileConfigOrigin());
    CruiseConfig config = createCruiseConfig(group);
    config.addTemplate(firstTemplate);

    SecurityConfig security = new SecurityConfig(false);
    security.adminsConfig().add(new AdminUser(new CaseInsensitiveString("root")));
    config.server().useSecurity(security);

    Map<CaseInsensitiveString, Map<CaseInsensitiveString, Authorization>> actual =
            config.templatesWithAssociatedPipelines();
    assertThat(actual.size(), is(1));

    Map<CaseInsensitiveString, Authorization> pipelinesOfFirstTemplate = new HashMap<>();
    pipelinesOfFirstTemplate.put(new CaseInsensitiveString("first"), new Authorization());
    pipelinesOfFirstTemplate.put(new CaseInsensitiveString("second"), new Authorization());

    Map<CaseInsensitiveString, Map<CaseInsensitiveString, Authorization>> expected = new HashMap<>();
    expected.put(new CaseInsensitiveString("first_template"), pipelinesOfFirstTemplate);

    assertThat(actual, is(expected));
}
/**
 * Resolving params {@code foo=ser} and {@code bar=zer} against a security config is
 * expected to substitute {@code #{...}} references in the admin user name, the role
 * name and the role's user name.
 */
@Test
public void shouldResolve_ConfigValue_MappedAsObject() {
    SecurityConfig security = new SecurityConfig();
    security.adminsConfig().add(new AdminUser(new CaseInsensitiveString("lo#{foo}")));
    security.addRole(
            new RoleConfig(
                    new CaseInsensitiveString("boo#{bar}"),
                    new RoleUser(new CaseInsensitiveString("choo#{foo}"))));

    new ParamResolver(
            new ParamSubstitutionHandlerFactory(params(param("foo", "ser"), param("bar", "zer"))),
            fieldCache)
            .resolve(security);

    // Admin user name.
    assertThat(CaseInsensitiveString.str(security.adminsConfig().get(0).getName()), is("loser"));
    // Role name.
    assertThat(CaseInsensitiveString.str(security.getRoles().get(0).getName()), is("boozer"));
    // Name of the first user inside the role.
    assertThat(CaseInsensitiveString.str(security.getRoles().get(0).getUsers().get(0).getName()), is("chooser"));
}
/**
 * A validation context built from a config must expose the security config that
 * was installed on that config's server section.
 */
@Test
public void shouldGetServerSecurityContext() {
    BasicCruiseConfig config = new BasicCruiseConfig();

    SecurityConfig security = new SecurityConfig();
    security.addRole(new RoleConfig(new CaseInsensitiveString("admin")));
    security.adminsConfig().add(new AdminUser(new CaseInsensitiveString("super-admin")));
    config.server().useSecurity(security);

    PipelineConfigSaveValidationContext validationContext =
            PipelineConfigSaveValidationContext.forChain(true, "group", config);

    Assert.assertThat(validationContext.getServerSecurityConfig(), is(security));
}
/**
 * An approval authorised for admin role "role" is validated against a config whose
 * server admins list only role "super-admin"; validation is expected to fail and
 * leave errors on the approval's auth config.
 */
@Test
public void shouldValidateTree() {
    Approval approvalUnderTest =
            new Approval(new AuthConfig(new AdminRole(new CaseInsensitiveString("role"))));

    BasicCruiseConfig config = GoConfigMother.defaultCruiseConfig();
    config.server()
            .security()
            .adminsConfig()
            .addRole(new AdminRole(new CaseInsensitiveString("super-admin")));

    PipelineConfig pipeline = new PipelineConfig(new CaseInsensitiveString("p1"), new MaterialConfigs());
    config.addPipeline("g1", pipeline);

    assertThat(
            approvalUnderTest.validateTree(
                    PipelineConfigSaveValidationContext.forChain(true, "g1", config, pipeline)),
            is(false));
    assertThat(approvalUnderTest.getAuthConfig().errors().isEmpty(), is(false));
}
/**
 * A template stage names "non-admin-non-operate" as approver, while the pipeline
 * group using the template grants operate permission only to "foo" and the server
 * admin is "super-admin". Validating the template in that context is expected to
 * record the authorization error under "name".
 */
@Test
public void shouldValidateStagePermissionsOfATemplateStageInTheContextOfPipelineUsingTheTemplate() {
    StageConfig stage =
            StageConfigMother.custom("stage", new JobConfigs(new JobConfig(new CaseInsensitiveString("defaultJob"))));
    // Approver who is neither an admin nor an operator of the group set up below.
    stage.setApproval(new Approval(new AuthConfig(new AdminUser(new CaseInsensitiveString("non-admin-non-operate")))));

    PipelineTemplateConfig templateUnderTest = PipelineTemplateConfigMother.createTemplate("template", stage);
    PipelineConfig pipeline = PipelineConfigMother.pipelineConfigWithTemplate("pipeline", "template");
    pipeline.usingTemplate(templateUnderTest);

    BasicCruiseConfig config = GoConfigMother.defaultCruiseConfig();
    config.addTemplate(templateUnderTest);
    config.addPipelineWithoutValidation("group", pipeline);

    PipelineConfigs pipelineGroup = config.findGroup("group");
    pipelineGroup.setAuthorization(
            new Authorization(
                    new ViewConfig(),
                    new OperationConfig(new AdminUser(new CaseInsensitiveString("foo"))),
                    new AdminsConfig()));

    config.server().security().securityAuthConfigs().add(new SecurityAuthConfig());
    config.server().security().adminsConfig().add(new AdminUser(new CaseInsensitiveString("super-admin")));

    templateUnderTest.validateTree(ConfigSaveValidationContext.forChain(config), config, false);

    final String expectedError =
            "User \"non-admin-non-operate\" who is not authorized to operate pipeline group `group` can not be authorized to approve stage";
    assertThat(templateUnderTest.errors().getAllOn("name"), is(Arrays.asList(expectedError)));
}