Example 1 with RightCheck

Use of com.cloudera.thunderhead.service.authorization.AuthorizationProto.RightCheck in project cloudbreak by hortonworks.

From the class ResourceAuthorizationServiceTest, method testAccessDeniedCombined:

@Test
public void testAccessDeniedCombined() throws NoSuchMethodException {
    // The intercepted method carries two authorization requirements, one per factory
    Method method = ExampleClass.class.getMethod("methodCombined", String.class, String.class);
    when(methodSignature.getMethod()).thenReturn(method);
    // Factory 1 requires EDIT_ENVIRONMENT on crn1, factory 2 requires DESCRIBE_CREDENTIAL on crn2
    when(authorizationFactory1.getAuthorization(any(), any(), any(), any())).thenReturn(Optional.of(new HasRight(AuthorizationResourceAction.EDIT_ENVIRONMENT, "crn1")));
    when(authorizationFactory2.getAuthorization(any(), any(), any(), any())).thenReturn(Optional.of(new HasRight(AuthorizationResourceAction.DESCRIBE_CREDENTIAL, "crn2")));
    // UMS answers the batched hasRights call with a denial for both checks
    when(grpcUmsClient.hasRights(anyString(), anyList(), any(), any())).thenReturn(List.of(false, false));
    AccessDeniedException accessDeniedException = assertThrows(AccessDeniedException.class, () -> {
        ThreadBasedUserCrnProvider.doAs(USER_CRN, () -> underTest.authorize(USER_CRN, proceedingJoinPoint, methodSignature, Optional.of("requestId")));
    });
    // The exception message must list every missing right together with the resource it was checked on
    assertEquals("Not authorized for the following reasons. Doesn't have 'environments/editEnvironment' right on unknown resource type [crn: crn1]. "
            + "Doesn't have 'environments/describeCredential' right on unknown resource type [crn: crn2].", accessDeniedException.getMessage());
    // Both RightChecks must have been sent to UMS in one call, in the order the factories produced them
    verify(grpcUmsClient).hasRights(anyString(), captor.capture(), any(), any());
    List<RightCheck> rightChecks = captor.getValue();
    assertEquals(2, rightChecks.size());
    assertEquals("environments/editEnvironment", rightChecks.get(0).getRight());
    assertEquals("crn1", rightChecks.get(0).getResource());
    assertEquals("environments/describeCredential", rightChecks.get(1).getRight());
    assertEquals("crn2", rightChecks.get(1).getResource());
}

Example 2 with RightCheck

Use of com.cloudera.thunderhead.service.authorization.AuthorizationProto.RightCheck in project cloudbreak by hortonworks.

From the class EnvironmentServiceIntegrationTest, method setup:

@BeforeEach
public void setup() {
    // Client for the locally started environment service; certificate validation is disabled for the test port only
    client = new EnvironmentServiceClientBuilder(String.format(SERVICE_ADDRESS, port)).withCertificateValidation(false).withDebug(true).withIgnorePreValidation(true).build().withCrn(TEST_USER_CRN);
    // A stored AWS credential owned by the test user
    credential = new Credential();
    credential.setName("credential_test");
    credential.setResourceCrn(TEST_RESOURCE_CRN);
    credential.setAccountId(TEST_ACCOUNT_ID);
    credential.setCloudPlatform("AWS");
    credential.setCreator(TEST_USER_CRN);
    credential.setDescription("description");
    credential.setGovCloud(false);
    credential.setArchived(false);
    credential.setType(ENVIRONMENT);
    credentialRequest = new CredentialRequest();
    when(entitlementService.azureEnabled(any())).thenReturn(true);
    doNothing().when(grpcUmsClient).assignResourceRole(anyString(), anyString(), anyString(), any(), any());
    // Every RightCheck in the batched hasRights call is answered with TRUE, so UMS never blocks these tests
    lenient().when(grpcUmsClient.hasRights(anyString(), anyList(), any(), any())).then(i -> {
        List<RightCheck> rightChecks = i.getArgument(1);
        return rightChecks.stream().map(r -> Boolean.TRUE).collect(toList());
    });
    lenient().when(grpcUmsClient.checkAccountRight(anyString(), anyString(), any(), any())).thenReturn(true);
    // The test user is granted the right on the credential resource
    Map<String, Boolean> rightCheckMap = Maps.newHashMap();
    rightCheckMap.put(credential.getResourceCrn(), true);
    when(umsResourceAuthorizationService.getRightOfUserOnResources(anyString(), any(), anyList())).thenReturn(rightCheckMap);
    // Resource roles the user holds, as UMS would report them
    when(grpcUmsClient.getResourceRoles(any(), any())).thenReturn(Set.of("crn:altus:iam:us-west-1:altus:resourceRole:Owner", "crn:altus:iam:us-west-1:altus:resourceRole:EnvironmentAdmin"));
}