use of com.cloudera.thunderhead.service.authorization.AuthorizationProto.RightCheck in project cloudbreak by hortonworks.
the class ResourceAuthorizationServiceTest method testAccessDeniedCombined.
/**
 * Verifies that a method guarded by two authorization rules is rejected when the UMS client
 * denies both rights, and that the denial message names every missing right.
 *
 * <p>Also asserts that {@code grpcUmsClient.hasRights} is invoked once with both right checks
 * in this order: {@code environments/editEnvironment} on {@code crn1}, then
 * {@code environments/describeCredential} on {@code crn2}.
 *
 * @throws NoSuchMethodException if {@code ExampleClass.methodCombined(String, String)} cannot be resolved
 */
@Test
public void testAccessDeniedCombined() throws NoSuchMethodException {
    Method combinedMethod = ExampleClass.class.getMethod("methodCombined", String.class, String.class);
    when(methodSignature.getMethod()).thenReturn(combinedMethod);

    // Each factory contributes one required right on its own resource CRN.
    HasRight editEnvironmentRule = new HasRight(AuthorizationResourceAction.EDIT_ENVIRONMENT, "crn1");
    HasRight describeCredentialRule = new HasRight(AuthorizationResourceAction.DESCRIBE_CREDENTIAL, "crn2");
    when(authorizationFactory1.getAuthorization(any(), any(), any(), any()))
            .thenReturn(Optional.of(editEnvironmentRule));
    when(authorizationFactory2.getAuthorization(any(), any(), any(), any()))
            .thenReturn(Optional.of(describeCredentialRule));

    // The stubbed authorization backend refuses both checks.
    when(grpcUmsClient.hasRights(anyString(), anyList(), any(), any()))
            .thenReturn(List.of(false, false));

    AccessDeniedException denied = assertThrows(AccessDeniedException.class, () -> {
        ThreadBasedUserCrnProvider.doAs(USER_CRN,
                () -> underTest.authorize(USER_CRN, proceedingJoinPoint, methodSignature, Optional.of("requestId")));
    });

    // The message must list both denied rights, not just the first one encountered.
    String expectedMessage =
            "Not authorized for the following reasons. Doesn't have 'environments/editEnvironment' right on unknown resource type [crn: crn1]. "
                    + "Doesn't have 'environments/describeCredential' right on unknown resource type [crn: crn2].";
    assertEquals(expectedMessage, denied.getMessage());

    // Capture what was actually sent to the authorization backend.
    verify(grpcUmsClient).hasRights(anyString(), captor.capture(), any(), any());
    List<RightCheck> capturedChecks = captor.getValue();
    assertEquals(2, capturedChecks.size());

    RightCheck firstCheck = capturedChecks.get(0);
    assertEquals("environments/editEnvironment", firstCheck.getRight());
    assertEquals("crn1", firstCheck.getResource());

    RightCheck secondCheck = capturedChecks.get(1);
    assertEquals("environments/describeCredential", secondCheck.getRight());
    assertEquals("crn2", secondCheck.getResource());
}
use of com.cloudera.thunderhead.service.authorization.AuthorizationProto.RightCheck in project cloudbreak by hortonworks.
the class EnvironmentServiceIntegrationTest method setup.
/**
 * Builds the service client, a sample credential and the authorization stubs used by each test.
 *
 * <p>Every UMS authorization call stubbed here answers "allowed" ({@code hasRights} returns
 * {@code TRUE} for each requested check, {@code checkAccountRight} returns {@code true}), so
 * tests that rely on this fixture do not exercise any access-denied path.
 */
@BeforeEach
public void setup() {
    // NOTE(review): certificate validation is switched off on this client. Presumably it only
    // talks to the test service listening on `port` — confirm the builder settings are never
    // reused for a client that reaches a shared or production endpoint.
    String serviceAddress = String.format(SERVICE_ADDRESS, port);
    client = new EnvironmentServiceClientBuilder(serviceAddress)
            .withCertificateValidation(false)
            .withDebug(true)
            .withIgnorePreValidation(true)
            .build()
            .withCrn(TEST_USER_CRN);

    // Sample AWS credential owned by the test user.
    Credential testCredential = new Credential();
    testCredential.setName("credential_test");
    testCredential.setResourceCrn(TEST_RESOURCE_CRN);
    testCredential.setAccountId(TEST_ACCOUNT_ID);
    testCredential.setCloudPlatform("AWS");
    testCredential.setCreator(TEST_USER_CRN);
    testCredential.setDescription("description");
    testCredential.setGovCloud(false);
    testCredential.setArchived(false);
    testCredential.setType(ENVIRONMENT);
    credential = testCredential;

    credentialRequest = new CredentialRequest();

    when(entitlementService.azureEnabled(any())).thenReturn(true);
    doNothing().when(grpcUmsClient)
            .assignResourceRole(anyString(), anyString(), anyString(), any(), any());

    // Permissive stub: one TRUE per requested right check, whatever the right or resource is.
    lenient().when(grpcUmsClient.hasRights(anyString(), anyList(), any(), any())).then(invocation -> {
        List<RightCheck> requestedChecks = invocation.getArgument(1);
        return requestedChecks.stream().map(check -> Boolean.TRUE).collect(toList());
    });
    lenient().when(grpcUmsClient.checkAccountRight(anyString(), anyString(), any(), any()))
            .thenReturn(true);

    // Resource-level lookup grants the right on the sample credential's CRN only.
    Map<String, Boolean> allowedByCrn = Maps.newHashMap();
    allowedByCrn.put(credential.getResourceCrn(), true);
    when(umsResourceAuthorizationService.getRightOfUserOnResources(anyString(), any(), anyList()))
            .thenReturn(allowedByCrn);

    when(grpcUmsClient.getResourceRoles(any(), any()))
            .thenReturn(Set.of(
                    "crn:altus:iam:us-west-1:altus:resourceRole:Owner",
                    "crn:altus:iam:us-west-1:altus:resourceRole:EnvironmentAdmin"));
}