private static void addRemoveIncldueForRole(
final ManagementInterface client, final String roleName, boolean accessible)
throws IOException {
String includeAddress = ROLE_MAPPING_BASE + roleName + "/include=temp";
ModelNode add = createOpNode(includeAddress, ADD);
add.get(NAME).set("temp");
add.get(TYPE).set(USER);
RbacUtil.executeOperation(client, add, accessible ? Outcome.SUCCESS : Outcome.UNAUTHORIZED);
if (accessible) {
ModelNode remove = createOpNode(includeAddress, REMOVE);
RbacUtil.executeOperation(client, remove, Outcome.SUCCESS);
}
}
private static void whoami(ManagementInterface client, String expectedUsername)
throws IOException {
ModelNode op = createOpNode(null, "whoami");
ModelNode result = RbacUtil.executeOperation(client, op, Outcome.SUCCESS);
String returnedUsername = result.get(RESULT, "identity", USERNAME).asString();
assertEquals(expectedUsername, returnedUsername);
}
protected void addPath(ModelControllerClient client, Outcome expectedOutcome, String... roles)
throws IOException {
ModelNode op = createOpNode(TEST_PATH, ADD);
op.get(PATH).set("/");
configureRoles(op, roles);
RbacUtil.executeOperation(client, op, expectedOutcome);
}
protected static void deployDeployment1(DomainClient domainClient) throws IOException {
ModelNode op = createOpNode(DEPLOYMENT_1, ADD);
op.get(ENABLED).set(false);
ModelNode content = op.get(CONTENT).add();
content.get(BYTES).set(DEPLOYMENT_2_CONTENT);
RbacUtil.executeOperation(domainClient, op, Outcome.SUCCESS);
}
private static ModelNode readAttribute(
ManagementInterface client, String address, String attributeName, Outcome expectedOutcome)
throws IOException {
ModelNode op = createOpNode(address, READ_ATTRIBUTE_OPERATION);
op.get(NAME).set(attributeName);
return RbacUtil.executeOperation(client, op, expectedOutcome);
}
private static void addDeployment2(ManagementInterface client, Outcome expectedOutcome)
throws IOException {
ModelNode op = createOpNode(DEPLOYMENT_2, ADD);
op.get(ENABLED).set(false);
ModelNode content = op.get(CONTENT).add();
content.get(BYTES).set(DEPLOYMENT_2_CONTENT);
RbacUtil.executeOperation(client, op, expectedOutcome);
}
protected void addDeployment2(
ModelControllerClient client, Outcome expectedOutcome, String... roles) throws IOException {
ModelNode op = createOpNode(DEPLOYMENT_2, ADD);
op.get(ENABLED).set(false);
ModelNode content = op.get(CONTENT).add();
content.get(BYTES).set(DEPLOYMENT_2_CONTENT);
configureRoles(op, roles);
RbacUtil.executeOperation(client, op, expectedOutcome);
}
/**
* @param expectedOutcome for standard and host-scoped roles tests, this is the expected outcome
* of all operations; for server-group-scoped roles tests, this is the expected outcome for
* the profile of the server group the user is member of, as for the other profiles and for
* read-config-as-xml, the outcome is well known
*/
protected void readWholeConfig(
ModelControllerClient client, Outcome expectedOutcome, String... roles) throws IOException {
Outcome expectedOutcomeForReadConfigAsXml = expectedOutcome;
if (this instanceof AbstractServerGroupScopedRolesTestCase) {
expectedOutcomeForReadConfigAsXml = Outcome.UNAUTHORIZED;
}
ModelNode op = createOpNode(null, READ_CONFIG_AS_XML_OPERATION);
configureRoles(op, roles);
RbacUtil.executeOperation(client, op, expectedOutcomeForReadConfigAsXml);
// the code below calls the non-published operation 'describe'; see WFLY-2379 for more info
ModelControllerClient domainClient =
testSupport.getDomainMasterLifecycleUtil().getDomainClient();
op = createOpNode(null, READ_CHILDREN_NAMES_OPERATION);
op.get(CHILD_TYPE).set(PROFILE);
ModelNode profiles = RbacUtil.executeOperation(domainClient, op, Outcome.SUCCESS);
for (ModelNode profile : profiles.get(RESULT).asList()) {
Outcome expectedOutcomeForProfile = expectedOutcome;
if (this instanceof AbstractServerGroupScopedRolesTestCase) {
expectedOutcomeForProfile =
"profile-a".equals(profile.asString()) ? expectedOutcome : Outcome.HIDDEN;
}
op = createOpNode("profile=" + profile.asString(), DESCRIBE);
configureRoles(op, roles);
ModelNode result = RbacUtil.executeOperation(client, op, expectedOutcomeForProfile);
assertEquals(expectedOutcomeForProfile == Outcome.SUCCESS, result.hasDefined(RESULT));
op = createOpNode("profile=" + profile.asString(), READ_CHILDREN_NAMES_OPERATION);
op.get(CHILD_TYPE).set(SUBSYSTEM);
ModelNode subsystems = RbacUtil.executeOperation(domainClient, op, Outcome.SUCCESS);
for (ModelNode subsystem : subsystems.get(RESULT).asList()) {
op =
createOpNode(
"profile=" + profile.asString() + "/subsystem=" + subsystem.asString(), DESCRIBE);
configureRoles(op, roles);
result = RbacUtil.executeOperation(client, op, expectedOutcomeForProfile);
assertEquals(expectedOutcomeForProfile == Outcome.SUCCESS, result.hasDefined(RESULT));
}
}
}
protected ModelNode getServerConfigAccessControl(ModelControllerClient client, String... roles)
throws IOException {
ModelNode op = createOpNode(GENERIC_SERVER_CONFIG_ADDRESS, READ_RESOURCE_DESCRIPTION_OPERATION);
op.get(ACCESS_CONTROL).set("trim-descriptions");
op.get(OPERATIONS).set(true);
configureRoles(op, roles);
return RbacUtil.executeOperation(client, op, Outcome.SUCCESS)
.get(RESULT)
.get(0)
.get(RESULT, ACCESS_CONTROL);
}
protected void addJvm(
ModelControllerClient client,
String prefixKey,
String prefixValue,
Outcome expectedOutcome,
String... roles)
throws IOException {
String fullAddress = getPrefixedAddress(prefixKey, prefixValue, SMALL_JVM);
ModelNode op = createOpNode(fullAddress, ADD);
configureRoles(op, roles);
RbacUtil.executeOperation(client, op, expectedOutcome);
}
protected void runGC(
ModelControllerClient client,
String host,
String server,
Outcome expectedOutcome,
String... roles)
throws IOException {
String serverAddress = server == null ? "" : "/server=" + server;
String fullAddress = "host=" + host + serverAddress + "/" + MEMORY_MBEAN;
ModelNode op = createOpNode(fullAddress, "gc");
configureRoles(op, roles);
RbacUtil.executeOperation(client, op, expectedOutcome);
}
protected void restartServer(
ModelControllerClient client,
String host,
String server,
Outcome expectedOutcome,
String... roles)
throws IOException {
String fullAddress = String.format("host=%s/server-config=%s", host, server);
ModelNode op = createOpNode(fullAddress, RESTART);
op.get(BLOCKING).set(true);
configureRoles(op, roles);
RbacUtil.executeOperation(client, op, expectedOutcome);
}
protected void addServerConfig(
ModelControllerClient client,
String host,
String serverGroup,
Outcome expectedOutcome,
String... roles)
throws IOException {
String fullAddress = getPrefixedAddress(HOST, host, SCOPED_ROLE_SERVER);
ModelNode op = createOpNode(fullAddress, ADD);
op.get(GROUP).set(serverGroup);
op.get(AUTO_START).set(false);
configureRoles(op, roles);
RbacUtil.executeOperation(client, op, expectedOutcome);
}
protected ModelNode readResource(
ModelControllerClient client,
String address,
String host,
String server,
Outcome expectedOutcome,
String... roles)
throws IOException {
String serverPart = server == null ? "" : "/server=" + server;
String fullAddress = host == null ? address : "host=" + host + serverPart + "/" + address;
ModelNode op = createOpNode(fullAddress, READ_RESOURCE_OPERATION);
configureRoles(op, roles);
return RbacUtil.executeOperation(client, op, expectedOutcome);
}
private void readWholeConfig(ManagementInterface client, Outcome expectedOutcome)
throws IOException {
ModelNode op = createOpNode(null, READ_CONFIG_AS_XML_OPERATION);
RbacUtil.executeOperation(client, op, expectedOutcome);
// the code below calls the non-published operation 'describe'; see WFLY-2379 for more info
// once that issue is fixed, the test will only make sense for native mgmt interface
// (or maybe not even that)
if (this instanceof JmxInterfaceStandardRolesBasicTestCase) {
return;
}
op = createOpNode(null, READ_CHILDREN_NAMES_OPERATION);
op.get(CHILD_TYPE).set(SUBSYSTEM);
ModelNode subsystems =
RbacUtil.executeOperation(getManagementClient().getControllerClient(), op, Outcome.SUCCESS);
for (ModelNode subsystem : subsystems.get(RESULT).asList()) {
op = createOpNode("subsystem=" + subsystem.asString(), DESCRIBE);
ModelNode result = RbacUtil.executeOperation(client, op, expectedOutcome);
assertEquals(expectedOutcome == Outcome.SUCCESS, result.hasDefined(RESULT));
}
}
@Test
public void testSuperUser() throws Exception {
ManagementInterface client = getClientForUser(SUPERUSER_USER);
whoami(client, SUPERUSER_USER);
readWholeConfig(client, Outcome.SUCCESS);
checkStandardReads(client);
readResource(client, AUTHORIZATION, Outcome.SUCCESS);
readResource(client, MANAGEMENT_REALM, Outcome.SUCCESS);
checkSensitiveAttribute(client, true);
runGC(client, Outcome.SUCCESS);
if (this instanceof JmxInterfaceStandardRolesBasicTestCase) {
return; // the 'add' operation is not implemented in JmxManagementInterface
}
modifyAccessibleRoles(client, RbacUtil.allStandardRoles());
addDeployment2(client, Outcome.SUCCESS);
addPath(client, Outcome.SUCCESS);
testWFLY1916(client, Outcome.SUCCESS);
}
private static void runGC(ManagementInterface client, Outcome expectedOutcome)
throws IOException {
ModelNode op = createOpNode(MEMORY_MBEAN, "gc");
RbacUtil.executeOperation(client, op, expectedOutcome);
}
protected static void removeDeployment1(DomainClient domainClient) throws IOException {
ModelNode op = createOpNode(DEPLOYMENT_1, REMOVE);
RbacUtil.executeOperation(domainClient, op, Outcome.SUCCESS);
}
private void testWFLY1916(ManagementInterface client, Outcome expected) throws IOException {
ModelNode op = WFLY_1916_OP.clone();
RbacUtil.executeOperation(client, op, expected);
}
private static void addPath(ManagementInterface client, Outcome expectedOutcome)
throws IOException {
ModelNode op = createOpNode(TEST_PATH, ADD);
op.get(PATH).set("/");
RbacUtil.executeOperation(client, op, expectedOutcome);
}
private static ModelNode readResource(
ManagementInterface client, String address, Outcome expectedOutcome) throws IOException {
ModelNode op = createOpNode(address, READ_RESOURCE_OPERATION);
return RbacUtil.executeOperation(client, op, expectedOutcome);
}
