use of com.emc.storageos.model.auth.RoleAssignmentChanges in project coprhd-controller by CoprHD.
the class ApiTest method proxyTokenTests.
/**
 * End-to-end check of the proxy-token flow.
 *
 * A proxy token minted for root must (1) let the PROXY_USER act on root's behalf,
 * (2) be refused when presented by a caller that lacks the PROXY_USER role,
 * (3) carry no SECURITY_ADMIN privilege even though root has it, (4) never let a
 * proxied zone admin change VDC role assignments, and (5) be revoked by a forced
 * logout of its issuer.
 */
private void proxyTokenTests() {
    // Resolve root's tenant while logged in as root.
    TenantResponse tenantResp = rSys.path("/tenant").get(TenantResponse.class);
    rootTenantId = tenantResp.getTenant();
    String tenantPath = "/tenants/" + rootTenantId.toString();

    // Mint a proxy token for root. The token itself is read back from _savedProxyTokens,
    // which is presumably filled in by the test client's response handling.
    ClientResponse resp = rSys.path("/proxytoken").get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    String rootProxyToken = (String) _savedProxyTokens.get("root");
    Assert.assertNotNull(rootProxyToken);

    // No proxy token: the proxy user is only itself and has no TENANT_ADMIN -> 403.
    resp = rProxyUser.path(tenantPath).get(ClientResponse.class);
    Assert.assertEquals(403, resp.getStatus());

    // Same call with root's proxy token -> 200.
    resp = rProxyUser.path(tenantPath)
            .header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, rootProxyToken)
            .get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());

    // Negative: a valid proxy token presented by a caller without the PROXY_USER role
    // must not be honoured -> 403. Possession of the token alone is not enough.
    resp = rZAdmin.path(tenantPath)
            .header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, rootProxyToken)
            .get(ClientResponse.class);
    Assert.assertEquals(403, resp.getStatus());

    // The proxied identity is root, but SECURITY_ADMIN must be stripped from the
    // proxied VDC roles.
    UserInfo info = rProxyUser.path("/user/whoami")
            .header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, rootProxyToken)
            .get(UserInfo.class);
    Assert.assertEquals("root", info.getCommonName());
    Assert.assertFalse(info.getVdcRoles().contains(Role.SECURITY_ADMIN.toString()));

    // A proxied zone admin must not be able to change VDC role assignments.
    resp = rZAdmin.path("/proxytoken").get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    String zAdminProxyToken = (String) _savedProxyTokens.get(ZONEADMIN);
    Assert.assertNotNull(zAdminProxyToken);
    resp = rProxyUser.path("/vdc/role-assignments")
            .header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, zAdminProxyToken)
            .put(ClientResponse.class, new RoleAssignmentChanges());
    Assert.assertEquals(403, resp.getStatus());

    // Forced logout of the issuer with proxytokens=true is expected to wipe every token
    // root holds, including the proxy token, so the proxied call now fails with 401.
    // The ".xml" suffix checks that the logout filter forwards the request correctly;
    // a mixed-case "/loGout.XmL" variant was tried here earlier and is currently disabled.
    resp = rSys.path("/logout.xml")
            .queryParam("force", "true")
            .queryParam("proxytokens", "true")
            .get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    resp = rProxyUser.path(tenantPath)
            .header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, rootProxyToken)
            .get(ClientResponse.class);
    Assert.assertEquals(401, resp.getStatus());
}
use of com.emc.storageos.model.auth.RoleAssignmentChanges in project coprhd-controller by CoprHD.
the class ApiTest method testVDCs.
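/**
 * Creates, reads back and deletes a virtual data centre through /vdc.
 *
 * Also checks the authorization boundary for VDC creation: a plain root session is
 * refused (403), and only after SECURITY_ADMIN has been granted at the VDC level does
 * the create succeed. Skipped on a single-node devkit (APP_HOST_NAMES=localhost).
 */
// TODO: to be moved in another test suite
public void testVDCs() {
    // TODO: once devkit gets switched to 1+0 appliance, we should enable it again.
    // Constant-first comparison: an unset APP_HOST_NAMES used to throw an NPE here
    // instead of either skipping or running the test.
    if ("localhost".equals(System.getenv("APP_HOST_NAMES"))) {
        return;
    }
    VirtualDataCenterAddParam addParam = new VirtualDataCenterAddParam();
    addParam.setApiEndpoint("http://apitest");
    // Placeholder secret and certificate chain: this exercises the API and the
    // role check, not the inter-VDC trust setup.
    addParam.setSecretKey("apitestSecret");
    addParam.setCertificateChain("apitestCertchain");
    addParam.setName("apitestName" + System.currentTimeMillis());

    // TODO: enhance to track task progress
    // root should NOT be allowed to create a VDC.
    ClientResponse rsp = rSys.path("/vdc").post(ClientResponse.class, addParam);
    Assert.assertEquals(403, rsp.getStatus());

    // Grant SECURITY_ADMIN at the VDC level to the superuser so the create can succeed.
    RoleAssignmentChanges changes = new RoleAssignmentChanges();
    changes.setAdd(new ArrayList<RoleAssignmentEntry>());
    RoleAssignmentEntry entry1 = new RoleAssignmentEntry();
    entry1.setSubjectId(SUPERUSER);
    entry1.getRoles().add("SECURITY_ADMIN");
    changes.getAdd().add(entry1);
    ClientResponse rsp1 = rSys.path("/vdc/role-assignments").put(ClientResponse.class, changes);
    Assert.assertEquals(200, rsp1.getStatus());

    // Create the VDC with the elevated client; should pass now.
    TaskResourceRep taskRep = rZAdminGr.path("/vdc").post(TaskResourceRep.class, addParam);
    Assert.assertNotNull("vdc create task should not be null", taskRep);
    VirtualDataCenterList vdcList = rSys.path("/vdc").get(VirtualDataCenterList.class);
    Assert.assertNotNull("vdcList should not be null", vdcList);
    Assert.assertNotNull("vdcList.getVirtualDataCenters should not be null", vdcList.getVirtualDataCenters());
    // NOTE: the list is not searched for the new VDC because the create is asynchronous
    // and task progress is not tracked yet (see TODOs).

    VirtualDataCenterRestRep vdc = rZAdminGr.path("/vdc/" + taskRep.getResource().getId()).get(VirtualDataCenterRestRep.class);
    Assert.assertNotNull("created vdc object can't be retrieved", vdc);
    Assert.assertEquals("vdc name does not match", addParam.getName(), vdc.getName());

    // TODO: enhance to track task progress
    // disconnect/reconnect are expected to be rejected with 405 for this VDC.
    ClientResponse response = rZAdminGr.path("/vdc/" + vdc.getId() + "/disconnect").post(ClientResponse.class);
    Assert.assertEquals(405, response.getStatus());
    // TODO: enhance to track task progress
    response = rZAdminGr.path("/vdc/" + vdc.getId() + "/reconnect").post(ClientResponse.class);
    Assert.assertEquals(405, response.getStatus());
    // TODO: enhance to track task progress
    taskRep = rZAdminGr.path("/vdc/" + vdc.getId()).delete(TaskResourceRep.class);
    Assert.assertNotNull("vdc delete task should not be null", taskRep);
}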
use of com.emc.storageos.model.auth.RoleAssignmentChanges in project coprhd-controller by CoprHD.
the class ApiTest method changeTenantRoles.
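/**
 * Applies tenant-level role changes for {@code subjectId} as the system administrator.
 *
 * A fresh SYSADMIN client is created; the whoami call is made for its side effect only,
 * after which the SYSADMIN token is read from {@code _savedTokens} and sent explicitly
 * in the auth token header of the PUT.
 *
 * @param tenantId    tenant whose role assignments are changed
 * @param subjectId   user or group the roles are granted to / revoked from
 * @param addRoles    roles to grant; null or empty means no additions
 * @param removeRoles roles to revoke; null or empty means no removals
 * @return the raw response of PUT /tenants/{tenantId}/role-assignments
 * @throws Exception propagated from client creation
 */
private ClientResponse changeTenantRoles(String tenantId, String subjectId, List<String> addRoles, List<String> removeRoles) throws Exception {
    BalancedWebResource rootUser = createHttpsClient(SYSADMIN, SYSADMIN_PASS_WORD, baseUrls);
    // Side effect only: presumably populates _savedTokens[SYSADMIN] for the header below.
    rootUser.path("/user/whoami").get(UserInfo.class);
    String rootToken = (String) _savedTokens.get(SYSADMIN);

    RoleAssignmentChanges roleAssignmentChanges = new RoleAssignmentChanges();
    // Null lists are treated like empty ones instead of throwing an NPE.
    if (addRoles != null && !addRoles.isEmpty()) {
        roleAssignmentChanges.setAdd(singleEntryList(subjectId, addRoles));
    }
    if (removeRoles != null && !removeRoles.isEmpty()) {
        roleAssignmentChanges.setRemove(singleEntryList(subjectId, removeRoles));
    }
    return rootUser.path("/tenants/" + tenantId + "/role-assignments")
            .header(AUTH_TOKEN_HEADER, rootToken)
            .put(ClientResponse.class, roleAssignmentChanges);
}

/** Builds a one-element mutable list holding a role entry for {@code subjectId}. */
private static List<RoleAssignmentEntry> singleEntryList(String subjectId, List<String> roles) {
    RoleAssignmentEntry entry = new RoleAssignmentEntry();
    entry.setSubjectId(subjectId);
    entry.setRoles(roles);
    List<RoleAssignmentEntry> entries = new ArrayList<>();
    entries.add(entry);
    return entries;
}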
use of com.emc.storageos.model.auth.RoleAssignmentChanges in project coprhd-controller by CoprHD.
the class AuthSvcTests method runProxyTokenExpiryTest.
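/**
 * Checks the lifetime of a proxy token against its issuer's authentication provider.
 *
 * An AD user is made TENANT_ADMIN, mints a proxy token, and the PROXY_USER reads that
 * tenant with it. The token is asserted to be accepted again after the configured wait,
 * and to be rejected with 401 after the authentication provider that vouches for the
 * user has been disabled and the wait has elapsed once more. The wait, in minutes, comes
 * from TIME_TO_WAIT_IN_MINUTES_SET_IN_SECURITY_MODULE_XML and defaults to 1.
 *
 * @throws Exception from client creation or from the sleeps
 */
private void runProxyTokenExpiryTest() throws Exception {
    // Declared outside the try so the parsed value is the one the sleeps use. As written
    // before, the variable was declared inside the try and was therefore out of scope at
    // the catch and at the Thread.sleep calls, so the env value could never reach them.
    int timeToWaitInMinutes;
    try {
        timeToWaitInMinutes = Integer.parseInt(
                System.getenv("TIME_TO_WAIT_IN_MINUTES_SET_IN_SECURITY_MODULE_XML"));
    } catch (NumberFormatException e) {
        // Unset (parseInt(null) throws NumberFormatException too) or malformed: 1 minute.
        timeToWaitInMinutes = 1;
    }
    long waitMillis = timeToWaitInMinutes * 60L * 1000L;

    WebResource rRoot = createHttpsClient(SYSADMIN, SYSADMIN_PASS_WORD, true).resource(baseAuthServiceURL);
    rRoot.path("/login").get(ClientResponse.class);
    // Register / enable the AD authentication provider.
    updateADConfig();

    // Log in as an AD-backed user and look up its tenant.
    WebResource rSanityUser = createHttpsClient(ROOTUSER, AD_PASS_WORD, true).resource(baseAuthServiceURL);
    rSanityUser.path("/login").get(ClientResponse.class);
    TenantResponse tenant = rSanityUser.path("/tenant").get(TenantResponse.class);

    // Make the AD user TENANT_ADMIN so that a proxied read of the tenant is authorized.
    RoleAssignmentChanges changes = new RoleAssignmentChanges();
    RoleAssignmentEntry addTenantAdmin = new RoleAssignmentEntry();
    addTenantAdmin.setSubjectId(ROOTUSER);
    addTenantAdmin.getRoles().add("TENANT_ADMIN");
    changes.setAdd(new ArrayList<RoleAssignmentEntry>());
    changes.getAdd().add(addTenantAdmin);
    rRoot.path("/tenants/" + tenant.getTenant() + "/role-assignments").put(changes);

    // Mint a proxy token for the AD user.
    ClientResponse resp = rSanityUser.path("/proxytoken").get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    String proxyToken = (String) _savedProxyTokens.get(ROOTUSER);
    Assert.assertNotNull(proxyToken);

    // Log in as the proxy user and read the AD user's tenant with the proxy token -> 200.
    WebResource rProxy = createHttpsClient(PROXY_USER, PROXY_USER_PWD, true).resource(baseApiServiceURL);
    rProxy.path("/login").get(ClientResponse.class);
    String tenantPath = "/tenants/" + tenant.getTenant();
    resp = rProxy.path(tenantPath).header(AUTH_PROXY_TOKEN_HEADER, proxyToken).get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());

    // After the configured wait the proxy token must still be accepted.
    Thread.sleep(waitMillis);
    resp = rProxy.path(tenantPath).header(AUTH_PROXY_TOKEN_HEADER, proxyToken).get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());

    // Disable the authentication provider the AD user came from.
    AuthnUpdateParam updateParam = new AuthnUpdateParam();
    updateParam.setDisable(true);
    rRoot.path("/vdc/admin/authnproviders/" + _goodADConfig).put(updateParam);

    // After another wait the proxy token must be rejected with 401: a user whose
    // provider is gone must not keep acting through a previously issued token.
    Thread.sleep(waitMillis);
    resp = rProxy.path(tenantPath).header(AUTH_PROXY_TOKEN_HEADER, proxyToken).get(ClientResponse.class);
    Assert.assertEquals(401, resp.getStatus());
}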
use of com.emc.storageos.model.auth.RoleAssignmentChanges in project coprhd-controller by CoprHD.
the class RoleChangeTest method tenantAdmin.
/**
 * TENANT_ADMIN smoke test: once granted on the provider tenant, an AD user can list
 * that tenant's role assignments, sees via whoami exactly one home-tenant role and no
 * VDC or sub-tenant roles (privilege is confined to the tenant), and can create a project.
 *
 * @throws Exception from client creation
 */
@Test
public void tenantAdmin() throws Exception {
    // Grant TENANT_ADMIN on the provider tenant to the AD user, using the super-sanity session.
    RoleAssignmentEntry grant = new RoleAssignmentEntry();
    grant.setSubjectId(TENANTADMIN);
    grant.setRoles(new ArrayList<String>(Arrays.asList("TENANT_ADMIN")));
    List<RoleAssignmentEntry> additions = new ArrayList<RoleAssignmentEntry>();
    additions.add(grant);
    RoleAssignmentChanges changes = new RoleAssignmentChanges();
    changes.setAdd(additions);
    String roleAssignmentsPath = "/tenants/" + rootTenantId + "/role-assignments";
    ClientResponse resp = superSanity.path(roleAssignmentsPath)
            .header(AUTH_TOKEN_HEADER, superSanityToken)
            .put(ClientResponse.class, changes);
    Assert.assertEquals(200, resp.getStatus());

    // The new tenant admin may read the tenant's role assignments.
    BalancedWebResource tenantAdmin = createHttpsClient(TENANTADMIN, AD_PASS_WORD, baseUrls);
    resp = tenantAdmin.path(roleAssignmentsPath).get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    String tenantAdminToken = (String) _savedTokens.get(TENANTADMIN);

    // whoami: identity matches and the only role held is TENANT_ADMIN on the home tenant.
    UserInfo info = tenantAdmin.path("/user/whoami").get(UserInfo.class);
    Assert.assertEquals(TENANTADMIN, info.getCommonName());
    Assert.assertTrue(info.getVdcRoles().isEmpty());
    Assert.assertEquals(1, info.getHomeTenantRoles().size());
    Assert.assertTrue(info.getSubTenantRoles().isEmpty());
    Assert.assertTrue(info.getHomeTenantRoles().contains("TENANT_ADMIN"));

    // Project creation is a tenant-admin operation; the random suffix only avoids name clashes.
    ProjectParam projectParam = new ProjectParam();
    projectParam.setName("project_unittest" + new Random().nextInt());
    resp = tenantAdmin.path("/tenants/" + rootTenantId + "/projects")
            .header(AUTH_TOKEN_HEADER, tenantAdminToken)
            .post(ClientResponse.class, projectParam);
    Assert.assertEquals(200, resp.getStatus());
}