@Test(expected = AccessDeniedException.class)
public void accessIsDeniedIfPermissionIsNotGranted() {
AclService service = mock(AclService.class);
Acl acl = mock(Acl.class);
when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn(false);
// Try a second time with no permissions found
when(acl.isGranted(any(List.class), any(List.class), anyBoolean()))
.thenThrow(new NotFoundException(""));
when(service.readAclById(any(ObjectIdentity.class), any(List.class))).thenReturn(acl);
AclEntryAfterInvocationProvider provider =
new AclEntryAfterInvocationProvider(service, Arrays.asList(mock(Permission.class)));
provider.setProcessConfigAttribute("MY_ATTRIBUTE");
provider.setMessageSource(new SpringSecurityMessageSource());
provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class));
provider.setProcessDomainObjectClass(Object.class);
provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
try {
provider.decide(
mock(Authentication.class),
new Object(),
SecurityConfig.createList("UNSUPPORTED", "MY_ATTRIBUTE"),
new Object());
fail("Expected Exception");
} catch (AccessDeniedException expected) {
}
// Second scenario with no acls found
provider.decide(
mock(Authentication.class),
new Object(),
SecurityConfig.createList("UNSUPPORTED", "MY_ATTRIBUTE"),
new Object());
}
private String getTenant(long aclId, long aclChangeSetId) {
String tenantDomain = getAclTenant(aclId);
if (tenantDomain == null) {
List<Long> aclChangeSetIds = new ArrayList<Long>(1);
aclChangeSetIds.add(aclChangeSetId);
List<Acl> acls = solrDAO.getAcls(aclChangeSetIds, null, 1024);
for (Acl acl : acls) {
tenantDomain = getAclTenant(acl.getId());
if (tenantDomain != null) {
break;
}
}
if (tenantDomain == null) {
// tenant not found - log warning ?
tenantDomain = null; // temp - for debug breakpoint only
}
}
return tenantDomain;
}
@Test
public void accessIsAllowedIfPermissionIsGranted() {
AclService service = mock(AclService.class);
Acl acl = mock(Acl.class);
when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn(true);
when(service.readAclById(any(ObjectIdentity.class), any(List.class))).thenReturn(acl);
AclEntryAfterInvocationProvider provider =
new AclEntryAfterInvocationProvider(service, Arrays.asList(mock(Permission.class)));
provider.setMessageSource(new SpringSecurityMessageSource());
provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class));
provider.setProcessDomainObjectClass(Object.class);
provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
Object returned = new Object();
assertThat(returned)
.isSameAs(
provider.decide(
mock(Authentication.class),
new Object(),
SecurityConfig.createList("AFTER_ACL_READ"),
returned));
}
@Test
public void testCRUDAcl() throws NiciraNvpApiException {
Acl acl = new Acl();
acl.setDisplayName("Acl" + timestamp);
// Note that if the protocol is 6 (TCP) then you cannot put ICMP code and type
// Note that if the protocol is 1 (ICMP) then you cannot put ports
final List<AclRule> egressRules = new ArrayList<AclRule>();
acl.setLogicalPortEgressRules(egressRules);
egressRules.add(
new AclRule(
AclRule.ETHERTYPE_IPV4,
1,
"allow",
null,
null,
"1.10.10.0",
"1.10.10.1",
null,
null,
null,
null,
0,
0,
5));
egressRules.add(
new AclRule(
AclRule.ETHERTYPE_IPV4,
6,
"allow",
null,
null,
"1.10.10.6",
"1.10.10.7",
80,
80,
80,
80,
1,
null,
null));
final List<AclRule> ingressRules = new ArrayList<AclRule>();
acl.setLogicalPortIngressRules(ingressRules);
ingressRules.add(
new AclRule(
AclRule.ETHERTYPE_IPV4,
1,
"allow",
null,
null,
"1.10.10.0",
"1.10.10.1",
null,
null,
null,
null,
0,
0,
5));
ingressRules.add(
new AclRule(
AclRule.ETHERTYPE_IPV4,
6,
"allow",
null,
null,
"1.10.10.6",
"1.10.10.7",
80,
80,
80,
80,
1,
null,
null));
final List<NiciraNvpTag> tags = new ArrayList<NiciraNvpTag>();
acl.setTags(tags);
tags.add(new NiciraNvpTag("nvp", "MyTag1"));
tags.add(new NiciraNvpTag("nicira", "MyTag2"));
// In the creation we don't get to specify UUID, href or schema: they don't exist yet
try {
acl = api.createAcl(acl);
// We can now update the new entity
acl.setDisplayName("UpdatedAcl" + timestamp);
api.updateAcl(acl, acl.getUuid());
// Read them all
NiciraNvpList<Acl> acls = api.findAcl();
Acl scInList = null;
for (final Acl iAcl : acls.getResults()) {
if (iAcl.getUuid().equalsIgnoreCase(acl.getUuid())) {
scInList = iAcl;
}
}
assertEquals("Read a ACL different from the one just created and updated", acl, scInList);
// Read them filtered by uuid (get one)
acls = api.findAcl(acl.getUuid());
assertEquals(
"Read a ACL different from the one just created and updated",
acl,
acls.getResults().get(0));
assertEquals(
"Read a ACL filtered by unique id (UUID) with more than one item",
1,
acls.getResults().size());
// We can now delete the new entity
api.deleteAcl(acl.getUuid());
} catch (final NiciraNvpApiException e) {
e.printStackTrace();
assertTrue("Errors in ACL CRUD", false);
}
}
public class SerializationTest extends BaseSerializationTest {
private static final Storage STORAGE =
StorageOptions.newBuilder().setProjectId("p").build().getService();
private static final Acl.Domain ACL_DOMAIN = new Acl.Domain("domain");
private static final Acl.Group ACL_GROUP = new Acl.Group("group");
private static final Acl.Project ACL_PROJECT_ = new Acl.Project(ProjectRole.VIEWERS, "pid");
private static final Acl.User ACL_USER = new Acl.User("user");
private static final Acl.RawEntity ACL_RAW = new Acl.RawEntity("raw");
private static final Acl ACL = Acl.of(ACL_DOMAIN, Acl.Role.OWNER);
private static final BlobInfo BLOB_INFO = BlobInfo.newBuilder("b", "n").build();
private static final BucketInfo BUCKET_INFO = BucketInfo.of("b");
private static final Blob BLOB = new Blob(STORAGE, new BlobInfo.BuilderImpl(BLOB_INFO));
private static final Bucket BUCKET = new Bucket(STORAGE, new BucketInfo.BuilderImpl(BUCKET_INFO));
private static final Cors.Origin ORIGIN = Cors.Origin.any();
private static final Cors CORS =
Cors.newBuilder().setMaxAgeSeconds(1).setOrigins(Collections.singleton(ORIGIN)).build();
private static final PageImpl<Blob> PAGE_RESULT =
new PageImpl<>(null, "c", Collections.singletonList(BLOB));
private static final StorageException STORAGE_EXCEPTION = new StorageException(42, "message");
private static final Storage.BlobListOption BLOB_LIST_OPTIONS =
Storage.BlobListOption.pageSize(100);
private static final Storage.BlobSourceOption BLOB_SOURCE_OPTIONS =
Storage.BlobSourceOption.generationMatch(1);
private static final Storage.BlobTargetOption BLOB_TARGET_OPTIONS =
Storage.BlobTargetOption.generationMatch();
private static final Storage.BucketListOption BUCKET_LIST_OPTIONS =
Storage.BucketListOption.prefix("bla");
private static final Storage.BucketSourceOption BUCKET_SOURCE_OPTIONS =
Storage.BucketSourceOption.metagenerationMatch(1);
private static final Storage.BucketTargetOption BUCKET_TARGET_OPTIONS =
Storage.BucketTargetOption.metagenerationNotMatch();
private static final Map<StorageRpc.Option, ?> EMPTY_RPC_OPTIONS = ImmutableMap.of();
@Override
protected Serializable[] serializableObjects() {
StorageOptions options =
StorageOptions.newBuilder()
.setProjectId("p1")
.setCredentials(NoCredentials.getInstance())
.build();
StorageOptions otherOptions = options.toBuilder().setProjectId("p2").build();
return new Serializable[] {
ACL_DOMAIN,
ACL_GROUP,
ACL_PROJECT_,
ACL_USER,
ACL_RAW,
ACL,
BLOB_INFO,
BLOB,
BUCKET_INFO,
BUCKET,
ORIGIN,
CORS,
PAGE_RESULT,
BLOB_LIST_OPTIONS,
BLOB_SOURCE_OPTIONS,
BLOB_TARGET_OPTIONS,
BUCKET_LIST_OPTIONS,
BUCKET_SOURCE_OPTIONS,
BUCKET_TARGET_OPTIONS,
STORAGE_EXCEPTION,
options,
otherOptions
};
}
@Override
protected Restorable<?>[] restorableObjects() {
StorageOptions options = StorageOptions.newBuilder().setProjectId("p2").build();
ReadChannel reader = new BlobReadChannel(options, BlobId.of("b", "n"), EMPTY_RPC_OPTIONS);
// avoid closing when you don't want partial writes to GCS upon failure
@SuppressWarnings("resource")
BlobWriteChannel writer =
new BlobWriteChannel(
options, BlobInfo.newBuilder(BlobId.of("b", "n")).build(), "upload-id");
return new Restorable<?>[] {reader, writer};
}
}
