@Before
public void setUp() throws Exception {
admin =
(TestX509CertificateAuthenticationToken)
simpleAuthenticationProvider.authenticate(new AuthenticationSubject(null, null));
RoleData role = roleManagementSessionRemote.create(internalAdmin, ROLENAME);
Collection<AccessUserAspectData> subjects = new LinkedList<AccessUserAspectData>();
subjects.add(
new AccessUserAspectData(
ROLENAME,
CertTools.getIssuerDN(admin.getCertificate()).hashCode(),
X500PrincipalAccessMatchValue.WITH_COMMONNAME,
AccessMatchType.TYPE_EQUALCASEINS,
CertTools.getPartFromDN(SimpleAuthenticationProviderSessionRemote.DEFAULT_DN, "CN")));
role = roleManagementSessionRemote.addSubjectsToRole(internalAdmin, role, subjects);
Collection<AccessRuleData> accessRules = new LinkedList<AccessRuleData>();
accessRules.add(
new AccessRuleData(
ROLENAME, AccessRulesConstants.ROLE_ADMINISTRATOR, AccessRuleState.RULE_ACCEPT, false));
accessRules.add(
new AccessRuleData(
ROLENAME,
AccessRulesConstants.REGULAR_EDITUSERDATASOURCES,
AccessRuleState.RULE_ACCEPT,
false));
accessRules.add(
new AccessRuleData(
ROLENAME,
AccessRulesConstants.USERDATASOURCEPREFIX
+ Integer.valueOf(
userDataSourceSession.getUserDataSourceId(admin, "TESTNEWDUMMYCUSTOM"))
+ AccessRulesConstants.UDS_FETCH_RIGHTS,
AccessRuleState.RULE_ACCEPT,
false));
role = roleManagementSessionRemote.addAccessRulesToRole(internalAdmin, role, accessRules);
}
@Test
public void testIsAuthorizedToUserDataSource() throws Exception {
final String rolename = "testIsAuthorizedToUserDataSource";
Set<Principal> principals = new HashSet<Principal>();
principals.add(new X500Principal("CN=" + rolename));
TestX509CertificateAuthenticationToken adminNoAuth =
(TestX509CertificateAuthenticationToken)
simpleAuthenticationProvider.authenticate(new AuthenticationSubject(principals, null));
final int caid = CertTools.getIssuerDN(admin.getCertificate()).hashCode();
final String cN = CertTools.getPartFromDN(CertTools.getIssuerDN(admin.getCertificate()), "CN");
RoleData role = roleManagementSessionRemote.create(internalAdmin, rolename);
final String alias = "spacemonkeys";
try {
Collection<AccessUserAspectData> subjects = new ArrayList<AccessUserAspectData>();
subjects.add(
new AccessUserAspectData(
rolename,
caid,
X500PrincipalAccessMatchValue.WITH_COMMONNAME,
AccessMatchType.TYPE_EQUALCASE,
cN));
role = roleManagementSessionRemote.addSubjectsToRole(internalAdmin, role, subjects);
Collection<AccessRuleData> accessRules = new ArrayList<AccessRuleData>();
// Not authorized to user data sources
accessRules.add(
new AccessRuleData(
rolename,
AccessRulesConstants.REGULAR_EDITENDENTITYPROFILES,
AccessRuleState.RULE_ACCEPT,
true));
role = roleManagementSessionRemote.addAccessRulesToRole(internalAdmin, role, accessRules);
CustomUserDataSourceContainer userdatasource = new CustomUserDataSourceContainer();
userdatasource.setClassPath(
"org.ejbca.core.model.ra.userdatasource.DummyCustomUserDataSource");
userdatasource.setDescription("Used in Junit Test, Remove this one");
// Test authorization to edit with an unauthorized admin
try {
userDataSourceSession.addUserDataSource(adminNoAuth, alias, userdatasource);
fail("admin should not have been authorized to edit user data source");
} catch (AuthorizationDeniedException e) {
assertEquals("Error, not authorized to user data source spacemonkeys.", e.getMessage());
}
try {
userDataSourceSession.changeUserDataSource(adminNoAuth, alias, userdatasource);
fail("admin should not have been authorized to edit user data source");
} catch (AuthorizationDeniedException e) {
assertEquals("Error, not authorized to user data source spacemonkeys.", e.getMessage());
}
// Add so we can try to clone, remove and rename
userDataSourceSession.addUserDataSource(internalAdmin, alias, userdatasource);
try {
userDataSourceSession.cloneUserDataSource(adminNoAuth, alias, "newmonkeys");
fail("admin should not have been authorized to edit user data source");
} catch (AuthorizationDeniedException e) {
assertEquals("Error, not authorized to user data source newmonkeys.", e.getMessage());
}
try {
userDataSourceSession.removeUserDataSource(adminNoAuth, alias);
fail("admin should not have been authorized to edit user data source");
} catch (AuthorizationDeniedException e) {
assertEquals("Error, not authorized to user data source spacemonkeys.", e.getMessage());
}
try {
userDataSourceSession.renameUserDataSource(adminNoAuth, alias, "renamedmonkey");
fail("admin should not have been authorized to edit user data source");
} catch (AuthorizationDeniedException e) {
assertEquals("Error, not authorized to user data source spacemonkeys.", e.getMessage());
}
} finally {
userDataSourceSession.removeUserDataSource(internalAdmin, alias);
roleManagementSessionRemote.remove(internalAdmin, rolename);
}
}