private void testAttribute(
AuthorizerConfiguration authorizerConfiguration,
StandardRole[] userRoles,
StandardRole[] allowedRoles,
boolean accessExpectation) {
ConstraintFactory constraintFactory = new TestConstraintFactory(allowedRoles);
TestRoleMapper roleMapper = new TestRoleMapper(userRoles);
DefaultPermissionFactory permissionFactory =
new DefaultPermissionFactory(
roleMapper, Collections.singleton(constraintFactory), authorizerConfiguration);
Action action = new Action(null, null, EnumSet.of(Action.ActionEffect.ADDRESS));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
TargetAttribute targetAttribute =
new TargetAttribute("test", null, new ModelNode(), targetResource);
PermissionCollection userPermissions =
permissionFactory.getUserPermissions(caller, environment, action, targetAttribute);
PermissionCollection requiredPermissions =
permissionFactory.getRequiredPermissions(action, targetAttribute);
for (Permission requiredPermission : toSet(requiredPermissions)) {
assertEquals(accessExpectation, userPermissions.implies(requiredPermission));
}
}
private static boolean assertSameAddress(Action action, TargetResource target) {
ModelNode operation = action.getOperation();
// operation can be null in some unit tests; to be lazy ignore those cases
return operation == null
|| target
.getResourceAddress()
.equals(PathAddress.pathAddress(operation.get(ModelDescriptionConstants.OP_ADDR)));
}
@Test
public void testAuthorizerResourcePermit() {
Action action =
new Action(
null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
AuthorizationResult result = authorizer.authorize(caller, environment, action, targetResource);
assertEquals(AuthorizationResult.Decision.PERMIT, result.getDecision());
}
@Test
public void testRoleCombinationRejecting() {
Action action =
new Action(
null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
DefaultPermissionFactory permissionFactory = null;
try {
permissionFactory =
new DefaultPermissionFactory(
new TestRoleMapper(), Collections.<ConstraintFactory>emptySet(), REJECTING);
permissionFactory.getUserPermissions(caller, environment, action, targetResource);
} catch (Exception e) {
fail();
}
try {
permissionFactory =
new DefaultPermissionFactory(
new TestRoleMapper(StandardRole.MONITOR),
Collections.<ConstraintFactory>emptySet(),
REJECTING);
permissionFactory.getUserPermissions(caller, environment, action, targetResource);
} catch (Exception e) {
fail();
}
permissionFactory =
new DefaultPermissionFactory(
new TestRoleMapper(StandardRole.MONITOR, StandardRole.DEPLOYER), REJECTING);
try {
permissionFactory.getUserPermissions(caller, environment, action, targetResource);
fail();
} catch (Exception e) {
/* expected */
}
permissionFactory =
new DefaultPermissionFactory(
new TestRoleMapper(StandardRole.MONITOR, StandardRole.DEPLOYER, StandardRole.AUDITOR),
Collections.<ConstraintFactory>emptySet(),
REJECTING);
try {
permissionFactory.getUserPermissions(caller, environment, action, targetResource);
fail();
} catch (Exception e) {
/* expected */
}
}
@Test
public void testAuthorizerAttributeDeny() {
Action action =
new Action(
null,
null,
EnumSet.of(
Action.ActionEffect.ADDRESS,
Action.ActionEffect.READ_CONFIG,
Action.ActionEffect.WRITE_CONFIG));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
TargetAttribute targetAttribute =
new TargetAttribute("test", null, new ModelNode(), targetResource);
AuthorizationResult result = authorizer.authorize(caller, environment, action, targetAttribute);
assertEquals(AuthorizationResult.Decision.DENY, result.getDecision());
}
private boolean isAuditResource(TargetResource target) {
return AuditLogAddressUtil.isAuditLogAddress(target.getResourceAddress());
}