コード例 #1
  /**
   * Evaluates one job resource for a subject in group {@code multi1} across five actions.
   *
   * <p>{@code read}, {@code update} and {@code blee} must be granted; {@code delete} and
   * {@code blah} must come back as explicit denials ({@code REJECTED_DENIED}), which is a
   * stronger statement than "no rule matched".
   *
   * <p>NOTE(review): the method name suggests the policy is assembled from more than one file;
   * the fixtures are not visible here, so confirm that against the test resources.
   */
  public void testActionAuthorizationMultifile() throws Exception {
    final Map<String, String> job = createJobResource("test1", "QA blah");
    final Subject user = createSubject("user1", "multi1");

    // Actions that must be allowed, evaluated in the same order as before.
    for (String allowedAction : new String[] {"read", "update", "blee"}) {
      final Decision granted = authorization.evaluate(job, user, allowedAction, environment);
      assertEquals(Code.GRANTED, granted.explain().getCode());
      assertTrue(granted.isAuthorized());
    }

    // Actions that must be denied: both the explanation code and the boolean are checked so a
    // mismatch between the two surfaces as a failure.
    for (String deniedAction : new String[] {"delete", "blah"}) {
      final Decision denied = authorization.evaluate(job, user, deniedAction, environment);
      assertEquals(Code.REJECTED_DENIED, denied.explain().getCode());
      assertFalse(denied.isAuthorized());
    }
  }
コード例 #2
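  /**
   * Checks how the evaluator handles a non-matching subject and resources containing nulls.
   *
   * <p>Three cases are covered: a subject in group {@code admin-invalidinput} must be rejected
   * with {@code REJECTED_NO_SUBJECT_OR_ENV_FOUND}; a resource built with a null first argument
   * and one built with a null second argument must each be refused with an
   * {@link IllegalArgumentException} before any decision is produced.
   *
   * @throws Exception if the evaluator fails in a way the test does not anticipate
   */
  public void testInvalidInput() throws Exception {
    Map<String, String> resource = createJobResource("", "bar/baz/boo");
    Subject subject = createSubject("testActionAuthorization", "admin-invalidinput");

    // subject does not match
    // NOTE(review): the rejection code asserted here is about the subject, so this case does not
    // by itself show that an empty job name is what causes the rejection -- confirm intent.
    Decision decision = authorization.evaluate(resource, subject, "run", environment);
    assertEquals(
        "Expecting to see REJECTED_NO_SUBJECT_OR_ENV_FOUND.",
        Code.REJECTED_NO_SUBJECT_OR_ENV_FOUND,
        decision.explain().getCode());

    assertFalse("An empty job name should not be authorized.", decision.isAuthorized());

    subject = createSubject("testActionAuthorization", "admin");
    try {
      authorization.evaluate(
          createJobResource(null, "test"), subject, "invalid_input_missing_key", environment);
      // Reached only if no exception was thrown; the assertion error is not an
      // IllegalArgumentException, so the catch below does not swallow it.
      assertTrue("A null resource key should not be evaluated.", false);
    } catch (IllegalArgumentException e) {
      // Use a JUnit assertion instead of the `assert` keyword: the keyword is a no-op unless the
      // JVM runs with -ea, which would leave the message check silently unenforced.
      assertTrue(
          "Unexpected message for a null resource key: " + e.getMessage(),
          e.getMessage() != null
              && e.getMessage().contains("Resource definition cannot contain null value"));
    }

    try {
      authorization.evaluate(
          createJobResource("test_key_with_null_value", null),
          subject,
          "invalid_input_missing_value",
          environment);
      assertTrue("A null resource value should not be evaluated.", false);
    } catch (IllegalArgumentException e) {
      // Same reasoning as above: enforce the check regardless of JVM assertion flags.
      assertTrue(
          "Unexpected message for a null resource value: " + e.getMessage(),
          e.getMessage() != null
              && e.getMessage().contains("Resource definition cannot contain null value"));
    }
  }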
コード例 #3
  /**
   * Evaluates three job resources for subject {@code yml_user_1} in group {@code yml_group_1} and
   * expects every one of the three actions to be granted.
   *
   * <p>NOTE(review): the third action is named as if it were absent from an action list, yet
   * {@code GRANTED} is asserted; presumably a wildcard rule covers {@code /wldcrd} -- confirm
   * against the policy fixture, since an over-broad wildcard is exactly what this should catch.
   */
  public void testActionAuthorizationYml() throws Exception {
    final Subject ymlUser = createSubject("yml_user_1", "yml_group_1");

    /* First resource: the pattern_match action must be granted. */
    final Map<String, String> patternJob = createJobResource("myScript", "/yml/bar/baz/boo");
    final Decision patternDecision =
        authorization.evaluate(patternJob, ymlUser, "pattern_match", environment);
    assertEquals(
        "Decision for successful authoraztion for action: pattern_match does not match, but should."
            + patternDecision,
        Code.GRANTED,
        patternDecision.explain().getCode());
    assertTrue("Action not granted authorization.", patternDecision.isAuthorized());

    /* Second resource: the action_list_2 action must be granted. */
    final Map<String, String> listJob = createJobResource("Script2", "/listAction");
    final Decision listDecision =
        authorization.evaluate(listJob, ymlUser, "action_list_2", environment);
    assertEquals(
        "Decision for successful authoraztion for action: action_list_2 does not match, but should.",
        Code.GRANTED,
        listDecision.explain().getCode());
    assertTrue("Action not granted authorization.", listDecision.isAuthorized());

    /* Third resource: an action outside the list is still expected to be granted. */
    final Map<String, String> wildcardJob = createJobResource("Script3", "/wldcrd");
    final Decision wildcardDecision =
        authorization.evaluate(
            wildcardJob, ymlUser, "action_list_not_in_list_and_shouldn't_be", environment);
    assertEquals(
        "Decision for successful authoraztion for action: action_list_not_in_list_and_shouldn't_be does not match, but should.",
        Code.GRANTED,
        wildcardDecision.explain().getCode());
    assertTrue("Action not granted authorization.", wildcardDecision.isAuthorized());
  }
コード例 #4
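  /**
   * Feeds the evaluator all-null and all-empty parameters and checks that it fails closed.
   *
   * <p>The evaluator may either throw or return a decision for such input. Previously the test
   * passed in both cases without checking anything; it now requires that any decision that is
   * returned is not an authorization, so malformed input can never be treated as a grant.
   *
   * @throws Exception never in practice; exceptions from {@code evaluate} are caught below
   */
  public void testInvalidParameters() throws Exception {
    Decision nullInputDecision = null;
    try {
      // The cast selects the single-resource overload, which returns a Decision.
      nullInputDecision = authorization.evaluate((Map<String, String>) null, null, null, null);
    } catch (Exception expected) {
      /* Rejecting the call outright is an acceptable outcome. */
    }
    if (nullInputDecision != null) {
      assertFalse("Null parameters must never be authorized.", nullInputDecision.isAuthorized());
    }

    Decision emptyInputDecision = null;
    try {
      emptyInputDecision =
          authorization.evaluate(
              new HashMap<String, String>(), new Subject(), "", new HashSet<Attribute>());
    } catch (Exception expected) {
      /* Rejecting the call outright is an acceptable outcome. */
    }
    if (emptyInputDecision != null) {
      assertFalse("Empty parameters must never be authorized.", emptyInputDecision.isAuthorized());
    }
  }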
コード例 #5
  /**
   * Verifies that subject {@code default}, created with {@code admin} and {@code foo}, is
   * authorized for {@code EXECUTE} on the {@code adhocScript} job resource.
   *
   * <p>The evaluation is run twice with identical arguments and both results must be authorized.
   * The explanation of the first decision is written to {@code System.err}.
   */
  public void testAdminModulePrivileges() throws Exception {
    final String notAuthorizedMessage =
        "'default' does not have access to 'foo/bar/adhocScript' to 'EXECUTE' with no environment specified.";

    final Map<String, String> adhocJob = createJobResource("adhocScript", "foo/bar");
    final Subject adminUser = createSubject("default", "admin", "foo");
    final String action = "EXECUTE";

    // First evaluation: dump the explanation, then check the outcome.
    final Decision firstDecision = authorization.evaluate(adhocJob, adminUser, action, environment);
    firstDecision.explain().describe(System.err);
    assertTrue(notAuthorizedMessage, firstDecision.isAuthorized());

    // Second evaluation with the same inputs must also authorize.
    final Decision secondDecision =
        authorization.evaluate(adhocJob, adminUser, action, environment);
    assertTrue(notAuthorizedMessage, secondDecision.isAuthorized());
  }
コード例 #6
  /**
   * Checks that a decision depends on the project attribute present in the environment: with a
   * {@code Lion} project attribute {@code READ} must be authorized, and after a {@code Tiger}
   * attribute is added under the same URI it must not be.
   *
   * <p>NOTE(review): the {@code off_} prefix presumably keeps this method from being picked up by
   * the test runner, which would leave environment scoping unverified -- confirm and re-enable.
   * NOTE(review): the {@code Lion} attribute is not removed before {@code Tiger} is added, so the
   * second evaluation may see both values; confirm that is the intended scenario.
   */
  public void off_testProjectEnvironment() throws Exception {
    final URI projectKey = URI.create("http://dtolabs.com/rundeck/env/project");
    final Map<String, String> adhocJob = createJobResource("adhocScript", "foo/bar");
    final Subject envAdmin = createSubject("testProjectEnvironment", "admin-environment");

    environment.add(new Attribute(projectKey, "Lion"));
    final boolean allowedInLion =
        authorization.evaluate(adhocJob, envAdmin, "READ", environment).isAuthorized();
    assertTrue("Policy did not match the Lion context.", allowedInLion);

    environment.add(new Attribute(projectKey, "Tiger"));
    final boolean allowedAfterTiger =
        authorization.evaluate(adhocJob, envAdmin, "READ", environment).isAuthorized();
    assertFalse("Policy should not match the Lion context.", allowedAfterTiger);
  }
コード例 #7
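  /**
   * Checks that two subjects whose groups are named {@code broken} and {@code missing_rules} are
   * refused for action {@code none} on the {@code Script3} job resource.
   *
   * <p>The first subject must be rejected with {@code REJECTED}, the second with
   * {@code REJECTED_NO_SUBJECT_OR_ENV_FOUND}. The failure messages now name the code that is
   * actually asserted; they previously named different codes, which made a failure misleading.
   *
   * <p>NOTE(review): the group names suggest deliberately incomplete policy entries; the
   * fixtures are not visible here, so confirm which defect each one represents.
   *
   * @throws Exception if the evaluator fails unexpectedly
   */
  public void testActionAuthorizationYmlInvalid() throws Exception {
    Map<String, String> resource = createJobResource("Script3", "/noactions");
    Subject subject = createSubject("yml_usr_2", "broken");

    Decision decision = authorization.evaluate(resource, subject, "none", environment);
    assertEquals(
        "Decision code for action 'none' is not REJECTED.",
        Code.REJECTED,
        decision.explain().getCode());
    assertFalse("Action granted authorization.", decision.isAuthorized());

    subject = createSubject("yml_usr_3", "missing_rules");

    decision = authorization.evaluate(resource, subject, "none", environment);
    assertEquals(
        "Decision code for action 'none' is not REJECTED_NO_SUBJECT_OR_ENV_FOUND.",
        Code.REJECTED_NO_SUBJECT_OR_ENV_FOUND,
        decision.explain().getCode());
    assertFalse("Action granted authorization.", decision.isAuthorized());
  }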
コード例 #8
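  /**
   * Checks that subject {@code yml_usr_2} in group {@code issue_not_match} is granted action
   * {@code foobar} on the {@code Script_123} job resource.
   *
   * <p>The failure messages are corrected: the code message names {@code GRANTED}, which is what
   * is asserted, and the {@code assertTrue} message now describes the failing condition (not
   * granted) rather than the passing one.
   *
   * @throws Exception if the evaluator fails unexpectedly
   */
  public void testActionAuthorizationYmlNoMatchIssue() throws Exception {
    Map<String, String> resource = createJobResource("Script_123", "/AB3");
    Subject subject = createSubject("yml_usr_2", "issue_not_match");

    Decision decision = authorization.evaluate(resource, subject, "foobar", environment);
    assertEquals(
        "Decision code for action 'foobar' is not GRANTED. " + decision,
        Code.GRANTED,
        decision.explain().getCode());
    assertTrue("Action not granted authorization.", decision.isAuthorized());
  }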
コード例 #9
  /**
   * Walks subject {@code testActionAuthorization} (group {@code test1}) through the main outcomes
   * of a single-resource evaluation, then times one bulk evaluation.
   *
   * <p>Covered in order: a granted action ({@code run}), an unknown action ({@code REJECTED}), an
   * empty action ({@code REJECTED_NO_ACTION_PROVIDED}), a resource expected to allow any action,
   * and a module resource that must not be authorized. The final bulk call over 100 resources and
   * 10 actions is only timed and printed; its result is not inspected.
   */
  public void testActionAuthorization() throws Exception {
    final Map<String, String> job = createJobResource("testjob", "bar/baz/boo");
    final Subject user = createSubject("testActionAuthorization", "test1");

    /* The run action is expected to match and be granted. */
    final Decision runDecision = authorization.evaluate(job, user, "run", environment);
    assertEquals(
        "Decision for successful authoraztion for action: run does not match, but should."
            + runDecision,
        Code.GRANTED,
        runDecision.explain().getCode());
    assertTrue("Action not granted authorization.", runDecision.isAuthorized());

    /* bobble_head is not an action the test expects any rule to allow. */
    final Decision unknownDecision = authorization.evaluate(job, user, "bobble_head", environment);
    assertEquals(
        "Decision does not contain the proper explanation. ",
        Code.REJECTED,
        unknownDecision.explain().getCode());
    assertFalse(
        "Action bobble_head should not have been authorized", unknownDecision.isAuthorized());

    /* An empty action string must be rejected with its own code. */
    final Decision emptyDecision = authorization.evaluate(job, user, "", environment);
    assertEquals(
        "Decision for empty action does not match",
        Code.REJECTED_NO_ACTION_PROVIDED,
        emptyDecision.explain().getCode());
    assertFalse("An empty action should not select", emptyDecision.isAuthorized());

    /* job=anyaction in group=foobar is expected to allow an arbitrary action. */
    final Map<String, String> anyActionJob = createJobResource("anyaction", "foobar");
    final Decision anyDecision =
        authorization.evaluate(anyActionJob, user, "my_wacky_action", environment);
    assertEquals(
        "my_wacky_action reason does not match.", Code.GRANTED, anyDecision.explain().getCode());
    assertTrue(
        "foobar/barbaz was denied even though it allows any action.", anyDecision.isAuthorized());

    /* A module resource must not inherit that grant. */
    final Map<String, String> module = declareModule("foobar", "moduleName");
    final Decision moduleDecision = authorization.evaluate(module, user, "execute", environment);
    assertFalse(
        "foobar/moduleName was granted authorization when it shouldn't.",
        moduleDecision.isAuthorized());

    /* Bulk evaluation: build the inputs, then time a single call. */
    final int resourcesCount = 100;
    final int actionsCount = 10;

    final Set<Map<String, String>> bulkResources = new HashSet<Map<String, String>>();
    for (int index = 0; index < resourcesCount; index++) {
      bulkResources.add(createJobResource(String.valueOf(index), "big/test/" + index));
    }

    final Set<String> bulkActions = new HashSet<String>();
    for (int index = 0; index < actionsCount; index++) {
      bulkActions.add("Action" + index);
    }

    final long startedAt = System.currentTimeMillis();
    authorization.evaluate(bulkResources, user, bulkActions, environment);
    final long elapsedMillis = System.currentTimeMillis() - startedAt;

    System.out.println(
        "Took " + elapsedMillis + "ms for " + resourcesCount + " resources and " + actionsCount
            + " actions.");
  }