/**
 * Reports the one permission this component requires: read access to data, with the region name
 * passed as the permission's target.
 *
 * @param regionName name of the region, used as the target of the returned permission
 * @return a single-element list holding the DATA/READ permission for {@code regionName}
 */
@Override
public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
  // Only READ on DATA is requested, and the target is the region name the caller supplied.
  ResourcePermission readRegionData = new ResourcePermission(
      ResourcePermission.Resource.DATA, ResourcePermission.Operation.READ, regionName);
  return Collections.singletonList(readRegionData);
}
/**
 * Returns the permission set required by this component: a single DATA/READ permission whose
 * target is the supplied region name.
 *
 * @param regionName region name placed in the permission's target position
 * @return an immutable one-element list containing that permission
 */
@Override
public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
  final ResourcePermission required =
      new ResourcePermission(
          ResourcePermission.Resource.DATA,
          ResourcePermission.Operation.READ,
          regionName);
  // singletonList is immutable, so callers cannot widen the required set after the fact.
  return Collections.singletonList(required);
}
/**
 * Returns the single permission required here: DATA/READ with {@code onRegion} as its target.
 *
 * @param onRegion region name used as the permission target
 * @return a one-element list with the DATA/READ permission for {@code onRegion}
 */
@Override
public Collection<ResourcePermission> getRequiredPermissions(String onRegion) {
  // DATA and READ are referenced unqualified; presumably static imports of the
  // ResourcePermission.Resource / ResourcePermission.Operation constants — confirm in the file header.
  ResourcePermission readOnRegion = new ResourcePermission(DATA, READ, onRegion);
  return Collections.singletonList(readOnRegion);
}
/**
 * Convenience overload: packs the four parts into a {@link ResourcePermission} and hands it to
 * {@code authorize(ResourcePermission)}, so every check goes through the same path.
 *
 * @param resource the resource part of the requested permission
 * @param operation the operation part of the requested permission
 * @param target the target part, given as a {@code Target} value
 * @param key the key part of the requested permission
 */
@Override
public void authorize(Resource resource, Operation operation, Target target, String key) {
  ResourcePermission requested = new ResourcePermission(resource, operation, target, key);
  authorize(requested);
}
/**
 * Convenience overload: builds a {@link ResourcePermission} from the four parts and delegates to
 * {@code authorize(ResourcePermission)}.
 *
 * @param resource the resource part of the requested permission
 * @param operation the operation part of the requested permission
 * @param target the target part, given as a plain string
 * @param key the key part of the requested permission
 */
@Override
public void authorize(Resource resource, Operation operation, String target, String key) {
  ResourcePermission requested = new ResourcePermission(resource, operation, target, key);
  authorize(requested);
}
/**
 * Authorization check for a single requested permission.
 *
 * <p>NOTE(review): the declaration returns {@code void}, so a denial is presumably signalled by
 * an exception rather than a return value — confirm against the implementation.
 *
 * @param resourcePermission the permission being requested
 */
void authorize(ResourcePermission resourcePermission);
/**
 * A permission built from unrecognised resource/operation names must be rejected at construction
 * time instead of producing a permission object.
 */
@Test
public void invalidResourceOperation() {
  // The test expects the constructor itself to throw for the string "invalid".
  assertThatThrownBy(() -> new ResourcePermission("invalid", "invalid"))
      .isInstanceOf(java.lang.IllegalArgumentException.class);
}
/**
 * Test helper: stubs both {@code authorize} overloads on the {@code security} mock to do nothing
 * for the given permission parts, i.e. the check passes without throwing.
 *
 * @param resource resource part of the permission to allow
 * @param operation operation part of the permission to allow
 * @param region target (region) part of the permission to allow
 * @param key key part of the permission to allow
 */
private void authorize(ResourcePermission.Resource resource,
    ResourcePermission.Operation operation, String region, String key) {
  // Four-argument overload.
  doNothing().when(security).authorize(resource, operation, region, key);

  // Single-argument overload. Matching this stub relies on ResourcePermission equality —
  // presumably value-based; confirm.
  ResourcePermission allowed = new ResourcePermission(resource, operation, region, key);
  doNothing().when(security).authorize(allowed);
}
/**
 * Executing a function on member groups must fail with {@code NotAuthorizedException} when the
 * function reports a required permission that the test fixture has not allowed.
 */
@Test
public void executeFunctionOnGroupsWithoutAuthorization() throws Exception {
  // The function declares this permission as required; presumably the fixture grants nothing
  // that implies it — confirm against the test setup.
  ResourcePermission required = new ResourcePermission(CLUSTER, WRITE, REGION, ALL);
  when(function.getRequiredPermissions(null, null))
      .thenReturn(Collections.singleton(required));

  assertThatThrownBy(
      () -> functionService.executeFunctionOnGroups(FUNCTION_ID, null, Arrays.asList("group")))
          .isInstanceOf(NotAuthorizedException.class);
}
/**
 * Executing a function on a named member must fail with {@code NotAuthorizedException} when the
 * function reports a required permission that the test fixture has not allowed.
 */
@Test
public void executeFunctionOnMemberWithoutAuthorization() throws Exception {
  // The function declares this permission as required; presumably the fixture grants nothing
  // that implies it — confirm against the test setup.
  ResourcePermission required = new ResourcePermission(CLUSTER, WRITE, REGION, ALL);
  when(function.getRequiredPermissions(null, null))
      .thenReturn(Collections.singleton(required));

  assertThatThrownBy(
      () -> functionService.executeFunctionOnMember(FUNCTION_ID, null, Arrays.asList("member")))
          .isInstanceOf(NotAuthorizedException.class);
}
/**
 * Checks the scope of the three "ALL" permissions: {@code ALL} implies every operation on both
 * resources, while {@code DATA_ALL} and {@code CLUSTER_ALL} each imply every operation on their
 * own resource and nothing on the other one.
 */
@Test
public void allImplies() {
  String[] operations = {"READ", "WRITE", "MANAGE"};

  // ALL: everything on DATA and on CLUSTER.
  ResourcePermission granted = ResourcePermissions.ALL;
  for (String operation : operations) {
    assertThat(granted.implies(new ResourcePermission("DATA", operation))).isTrue();
  }
  for (String operation : operations) {
    assertThat(granted.implies(new ResourcePermission("CLUSTER", operation))).isTrue();
  }

  // DATA_ALL: everything on DATA, but it must not leak into CLUSTER.
  granted = ResourcePermissions.DATA_ALL;
  for (String operation : operations) {
    assertThat(granted.implies(new ResourcePermission("DATA", operation))).isTrue();
  }
  for (String operation : operations) {
    assertThat(granted.implies(new ResourcePermission("CLUSTER", operation))).isFalse();
  }

  // CLUSTER_ALL: the mirror image — nothing on DATA, everything on CLUSTER.
  granted = ResourcePermissions.CLUSTER_ALL;
  for (String operation : operations) {
    assertThat(granted.implies(new ResourcePermission("DATA", operation))).isFalse();
  }
  for (String operation : operations) {
    assertThat(granted.implies(new ResourcePermission("CLUSTER", operation))).isTrue();
  }
}
/**
 * Executing a function on a region must fail with {@code NotAuthorizedException} when the
 * function reports a required permission that the test fixture has not allowed.
 */
@Test
public void executeFunctionOnRegionWithoutAuthorization() throws Exception {
  // Here the required-permission lookup is stubbed for the region under test, not for null.
  ResourcePermission required = new ResourcePermission(CLUSTER, WRITE, REGION, ALL);
  when(function.getRequiredPermissions(REGION, null))
      .thenReturn(Collections.singleton(required));

  assertThatThrownBy(
      () -> functionService.executeFunctionOnRegion(FUNCTION_ID, REGION, null, null))
          .isInstanceOf(NotAuthorizedException.class);
}
/**
 * Builds the permission described by a descriptor's {@code "resource"}, {@code "operation"} and
 * {@code "target"} fields, falling back to a caller-supplied default when the descriptor does
 * not name both a resource and an operation.
 *
 * <p>NOTE(review): when the fallback is taken, the permission that ends up being used is
 * entirely the caller's choice — confirm the defaults passed in are not weaker than intended.
 *
 * @param descriptor source of the {@code "resource"}, {@code "operation"} and {@code "target"}
 *        field values; each value is cast to {@code String}
 * @param defaultValue permission returned when {@code "resource"} or {@code "operation"} is
 *        missing
 * @return the permission read from the descriptor, or {@code defaultValue}
 */
private ResourcePermission getOperationContext(Descriptor descriptor,
    ResourcePermission defaultValue) {
  String resourceName = (String) descriptor.getFieldValue("resource");
  String operationName = (String) descriptor.getFieldValue("operation");
  String targetName = (String) descriptor.getFieldValue("target");

  // Both parts are needed to form a permission; otherwise use the caller's default.
  if (resourceName == null || operationName == null) {
    return defaultValue;
  }

  // valueOf presumably rejects an unknown name with IllegalArgumentException (enum semantics)
  // rather than mapping it to some default — confirm.
  Resource parsedResource = Resource.valueOf(resourceName);
  Operation parsedOperation = Operation.valueOf(operationName);

  // No target given: two-part permission.
  if (StringUtils.isBlank(targetName)) {
    return new ResourcePermission(parsedResource, parsedOperation);
  }

  // The target field holds a Target constant name; the permission carries that constant's name.
  String resolvedTarget = Target.valueOf(targetName).getName();
  return new ResourcePermission(parsedResource, parsedOperation, resolvedTarget);
}
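/**
 * Pins the string form of a permission for each constructor shape. The string form is what a
 * permission looks like when written out, so the normalisation rules asserted here (case,
 * leading slash, wildcards) are part of the contract.
 */
@Test
public void testToString() {
  // Actual value goes into assertThat and the expected literal into isEqualTo, so a failure
  // message reports the real mismatch.

  // No-arg constructor: resource and operation are both NULL.
  ResourcePermission context = new ResourcePermission();
  assertThat(context.toString()).isEqualTo("NULL:NULL");

  // Resource and operation names given in lower case come out upper-cased.
  context = new ResourcePermission("data", "manage");
  assertThat(context.toString()).isEqualTo("DATA:MANAGE");

  // The target keeps its case.
  context = new ResourcePermission("data", "read", "regionA");
  assertThat(context.toString()).isEqualTo("DATA:READ:regionA");

  // A leading slash on the region name is dropped.
  context = new ResourcePermission("DATA", "READ", "/regionA", "key");
  assertThat(context.toString()).isEqualTo("DATA:READ:regionA:key");

  context = new ResourcePermission(Resource.DATA, Operation.MANAGE, "REGIONA");
  assertThat(context.toString()).isEqualTo("DATA:MANAGE:REGIONA");

  context = new ResourcePermission(Resource.DATA, Operation.MANAGE);
  assertThat(context.toString()).isEqualTo("DATA:MANAGE");

  // "ALL" is rendered as "*", and trailing wildcard parts are left out of the string.
  context = new ResourcePermission("ALL", "READ");
  assertThat(context.toString()).isEqualTo("*:READ");

  context = new ResourcePermission("DATA", "ALL");
  assertThat(context.toString()).isEqualTo("DATA");

  context = new ResourcePermission("ALL", "ALL", "regionA", "*");
  assertThat(context.toString()).isEqualTo("*:*:regionA");
}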
/**
 * A region name given with a leading slash is stored without it, so "/regionA" and "regionA"
 * name the same target. The key, not supplied here, is expected to be {@code ALL}.
 */
@Test
public void regionNameIsStripped() {
  ResourcePermission stripped = new ResourcePermission("DATA", "READ", "/regionA");

  assertThat(stripped.getResource()).isEqualTo(Resource.DATA);
  assertThat(stripped.getOperation()).isEqualTo(Operation.READ);
  // Leading "/" removed from the target.
  assertThat(stripped.getTarget()).isEqualTo("regionA");
  // No key was supplied; the test expects the ALL value.
  assertThat(stripped.getKey()).isEqualTo(ResourcePermission.ALL);
}
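/**
 * The no-arg constructor yields a permission whose resource and operation are {@code NULL} and
 * whose target is {@code ALL}.
 */
@Test
public void testEmptyConstructor() {
  ResourcePermission context = new ResourcePermission();

  // Actual value goes into assertThat and the expected constant into isEqualTo, so a failure
  // message reports the real mismatch.
  assertThat(context.getResource()).isEqualTo(Resource.NULL);
  assertThat(context.getOperation()).isEqualTo(Operation.NULL);
  assertThat(context.getTarget()).isEqualTo(ResourcePermission.ALL);
}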
/**
 * Checks that a plain {@code WildcardPermission} built from a permission string implies the
 * matching {@code ResourcePermission} instances, including wildcard parts.
 */
@Test
public void impliesWithWildCardPermission() {
  // The second constructor argument must be true (case sensitive). With caseSensitive=false the
  // permission string is lower-cased, and implication against the case-sensitive resource names
  // (e.g. DATA) would then fail.
  WildcardPermission granted = new WildcardPermission("*:READ", true);
  ResourcePermission dataRead = new ResourcePermission(Resource.DATA, Operation.READ);
  assertThat(granted.implies(dataRead)).isTrue();
  ResourcePermission clusterRead = new ResourcePermission(Resource.CLUSTER, Operation.READ);
  assertThat(granted.implies(clusterRead)).isTrue();

  // Wildcard resource and wildcard target: READ on any resource, any region, any key.
  granted = new WildcardPermission("*:READ:*", true);
  ResourcePermission dataReadRegion =
      new ResourcePermission(Resource.DATA, Operation.READ, "testRegion");
  assertThat(granted.implies(dataReadRegion)).isTrue();
  ResourcePermission clusterReadKey =
      new ResourcePermission(Resource.CLUSTER, Operation.READ, "anotherRegion", "key1");
  assertThat(granted.implies(clusterReadKey)).isTrue();

  // Wildcard operation on one region: both READ and WRITE on testRegion are implied.
  granted = new WildcardPermission("DATA:*:testRegion", true);
  ResourcePermission readTestRegion =
      new ResourcePermission(Resource.DATA, Operation.READ, "testRegion");
  assertThat(granted.implies(readTestRegion)).isTrue();
  ResourcePermission writeTestRegion =
      new ResourcePermission(Resource.DATA, Operation.WRITE, "testRegion");
  assertThat(granted.implies(writeTestRegion)).isTrue();
}
} // presumably closes the enclosing test class, whose header is not part of this listing
/** A {@code ResourcePermission} must be usable wherever a {@code WildcardPermission} is. */
@Test
public void testIsPermission() {
  ResourcePermission context = new ResourcePermission();
  boolean isWildcardPermission = context instanceof WildcardPermission;
  assertTrue(isWildcardPermission);
}
/**
 * Authorization with a comma-separated first argument: the request is allowed when any one of
 * the listed entries grants it, and denied when none does.
 *
 * <p>NOTE(review): going by the test name, the entries are role names — confirm against the
 * manager's configuration.
 */
@Test
public void testMultipleRoleAuthorization() {
  ResourcePermission clusterRead = new ResourcePermission(Resource.CLUSTER, Operation.READ);
  assertTrue(manager.authorize("clusterRead,clusterWrite", clusterRead));
  assertTrue(manager.authorize("cluster,data", clusterRead));
  // Neither entry covers CLUSTER:READ, so holding two unrelated grants must not add up to it.
  assertFalse(manager.authorize("clusterWrite,data", clusterRead));

  ResourcePermission dataWriteOnKey =
      new ResourcePermission(Resource.DATA, Operation.WRITE, "regionA", "key1");
  assertTrue(manager.authorize("data,cluster", dataWriteOnKey));
  assertTrue(manager.authorize("dataWrite,clusterWrite", dataWriteOnKey));
}
/**
 * Authorization with a single first argument: a grant allows the request when it covers the
 * requested resource, operation, region and key, and a grant for another resource or operation
 * does not.
 *
 * <p>NOTE(review): the first argument presumably names a role or principal defined in the
 * manager's configuration — confirm.
 */
@Test
public void testAuthorization() {
  ResourcePermission clusterRead = new ResourcePermission(Resource.CLUSTER, Operation.READ);
  assertTrue(manager.authorize("clusterRead", clusterRead));
  assertTrue(manager.authorize("cluster", clusterRead));
  // A data-only grant must not allow a cluster operation.
  assertFalse(manager.authorize("data", clusterRead));

  ResourcePermission dataWriteOnKey =
      new ResourcePermission(Resource.DATA, Operation.WRITE, "regionA", "key1");
  // Progressively narrower grants all cover DATA:WRITE on regionA/key1.
  assertTrue(manager.authorize("data", dataWriteOnKey));
  assertTrue(manager.authorize("dataWrite", dataWriteOnKey));
  assertTrue(manager.authorize("dataWriteRegionA", dataWriteOnKey));
  assertTrue(manager.authorize("dataWriteRegionAKey1", dataWriteOnKey));
  // Read access alone must not allow a write.
  assertFalse(manager.authorize("dataRead", dataWriteOnKey));
}