
Example 1 with RoleAssignmentChanges

use of com.emc.storageos.model.auth.RoleAssignmentChanges in project coprhd-controller by CoprHD.

Class ApiTest, method proxyTokenTests.

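/**
 * Exercises proxy-token issuance, delegation and revocation.
 *
 * Flow (all calls go through the shared client fields of the enclosing test class):
 *  - root requests /proxytoken; the token value is read back from _savedProxyTokens
 *    (presumably populated by a client-side filter -- not visible here)
 *  - the proxy user cannot read root's tenant on its own (403) but can when it
 *    presents root's proxy token (200)
 *  - a caller without the PROXY_USER role cannot use that token (403)
 *  - the proxied identity is root but SECURITY_ADMIN is not part of it, and a
 *    proxied zone admin cannot change VDC role assignments (403)
 *  - a forced logout of the issuer with proxytokens=true revokes the token (401)
 *
 * Security note: a proxy token is a bearer credential for the issuer's (reduced)
 * identity. The final step is the one that proves the server actually revokes it
 * server-side; keep that assertion even if the rest of the flow changes.
 */
private void proxyTokenTests() {
    // Login as root and remember the root tenant id for the rest of the test.
    TenantResponse tenantResp = rSys.path("/tenant").get(TenantResponse.class);
    rootTenantId = tenantResp.getTenant();

    // Obtain a proxy token for root. The token value is captured into
    // _savedProxyTokens by the test infrastructure; make sure it really arrived.
    ClientResponse resp = rSys.path("/proxytoken").get(ClientResponse.class);
    Assert.assertEquals("root should be able to request a proxy token", 200, resp.getStatus());
    String proxyToken = (String) _savedProxyTokens.get("root");
    Assert.assertNotNull("proxy token for root was not captured", proxyToken);

    String tenantPath = "/tenants/" + rootTenantId.toString();

    // Without the proxy token the proxy user has no TENANT_ADMIN role -> 403.
    resp = rProxyUser.path(tenantPath).get(ClientResponse.class);
    Assert.assertEquals("proxy user must not read the tenant without a proxy token", 403, resp.getStatus());

    // With root's proxy token the proxy user acts as root -> 200.
    resp = rProxyUser.path(tenantPath)
            .header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, proxyToken)
            .get(ClientResponse.class);
    Assert.assertEquals("proxy user with root's proxy token should read the tenant", 200, resp.getStatus());

    // Negative: a valid proxy token presented by a user without PROXY_USER -> 403.
    resp = rZAdmin.path(tenantPath)
            .header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, proxyToken)
            .get(ClientResponse.class);
    Assert.assertEquals("a user without PROXY_USER must not be able to use a proxy token", 403, resp.getStatus());

    // The proxied identity is root, but SECURITY_ADMIN must have been stripped from it.
    UserInfo info = rProxyUser.path("/user/whoami")
            .header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, proxyToken)
            .get(UserInfo.class);
    Assert.assertEquals("root", info.getCommonName());
    Assert.assertFalse("proxied root must not carry SECURITY_ADMIN",
            info.getVdcRoles().contains(Role.SECURITY_ADMIN.toString()));

    // Zone admin, when proxied, cannot do role assignments either.
    resp = rZAdmin.path("/proxytoken").get(ClientResponse.class);
    Assert.assertEquals("zone admin should be able to request a proxy token", 200, resp.getStatus());
    String zAdminProxyToken = (String) _savedProxyTokens.get(ZONEADMIN);
    Assert.assertNotNull("proxy token for zone admin was not captured", zAdminProxyToken);
    resp = rProxyUser.path("/vdc/role-assignments")
            .header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, zAdminProxyToken)
            .put(ClientResponse.class, new RoleAssignmentChanges());
    Assert.assertEquals("proxied zone admin must not change role assignments", 403, resp.getStatus());

    // Force-logout the issuer (root) with proxytokens=true. This should wipe out all
    // of root's tokens, proxy tokens included, so the proxy user must no longer be
    // able to use root's proxy token -> 401.
    // A mixed-case variant of the path ("/loGout.XmL") used to be exercised here to
    // check that the logout filter forwards such requests; it is currently disabled.
    resp = rSys.path("/logout.xml")
            .queryParam("force", "true")
            .queryParam("proxytokens", "true")
            .get(ClientResponse.class);
    Assert.assertEquals("forced logout should succeed", 200, resp.getStatus());
    resp = rProxyUser.path(tenantPath)
            .header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, proxyToken)
            .get(ClientResponse.class);
    Assert.assertEquals("revoked proxy token must be rejected", 401, resp.getStatus());
    // NOTE(review): only root logs out here, so zAdminProxyToken is not expected to be
    // revoked by this step; its lifecycle after the zone admin logs out is not asserted.
}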

Example 2 with RoleAssignmentChanges

use of com.emc.storageos.model.auth.RoleAssignmentChanges in project coprhd-controller by CoprHD.

Class ApiTest, method testVDCs.

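/**
 * Creates, reads, (fails to) disconnect/reconnect, and deletes a virtual data center.
 *
 * TODO: to be moved to another test suite.
 *
 * Authorization points exercised:
 *  - plain root (rSys) may NOT add a VDC (403)
 *  - after SECURITY_ADMIN is granted to SUPERUSER via /vdc/role-assignments,
 *    the rZAdminGr client can add, read and delete the VDC
 *  - the test expects 405 for disconnect/reconnect of this VDC (the reason is
 *    not documented here)
 *
 * Security / test-hygiene notes:
 *  - The SECURITY_ADMIN grant to SUPERUSER is never removed at the end of the
 *    test, so it leaks into whatever runs afterwards in the same environment.
 *  - The VDC parameters are placeholders (an http:// endpoint, a literal secret
 *    key and certificate chain); nothing here validates them, so do not copy
 *    them as an example of a real VDC configuration.
 */
public void testVDCs() {
    // TODO: once devkit gets switched to 1+0 appliance, we should enable it again.
    // Null-safe comparison: an unset APP_HOST_NAMES used to NPE here instead of running.
    if ("localhost".equals(System.getenv("APP_HOST_NAMES"))) {
        return;
    }
    VirtualDataCenterAddParam addParam = new VirtualDataCenterAddParam();
    addParam.setApiEndpoint("http://apitest");
    addParam.setSecretKey("apitestSecret");
    addParam.setCertificateChain("apitestCertchain");
    addParam.setName("apitestName" + System.currentTimeMillis());

    // root alone must NOT be able to add a VDC.
    ClientResponse addAsRoot = rSys.path("/vdc").post(ClientResponse.class, addParam);
    Assert.assertEquals("root without SECURITY_ADMIN must not add a VDC", 403, addAsRoot.getStatus());

    // Grant SECURITY_ADMIN to SUPERUSER so the geo/zone admin client can add VDCs.
    RoleAssignmentChanges changes = new RoleAssignmentChanges();
    changes.setAdd(new ArrayList<RoleAssignmentEntry>());
    RoleAssignmentEntry grantSecurityAdmin = new RoleAssignmentEntry();
    grantSecurityAdmin.setSubjectId(SUPERUSER);
    grantSecurityAdmin.getRoles().add("SECURITY_ADMIN");
    changes.getAdd().add(grantSecurityAdmin);
    ClientResponse grant = rSys.path("/vdc/role-assignments").put(ClientResponse.class, changes);
    Assert.assertEquals("granting SECURITY_ADMIN to SUPERUSER should succeed", 200, grant.getStatus());

    // Now the add should pass. Creation returns a task; progress is not tracked
    // here (TODO), which is presumably why membership of the new VDC in the /vdc
    // list is not asserted -- only that the list call itself works.
    TaskResourceRep taskRep = rZAdminGr.path("/vdc").post(TaskResourceRep.class, addParam);
    Assert.assertNotNull("vdc create task should not be null", taskRep);
    VirtualDataCenterList vdcList = rSys.path("/vdc").get(VirtualDataCenterList.class);
    Assert.assertNotNull("vdcList should not be null", vdcList);
    Assert.assertNotNull("vdcList.getVirtualDataCenters should not be null", vdcList.getVirtualDataCenters());

    // The created VDC can be read back by id and carries the requested name.
    VirtualDataCenterRestRep vdc = rZAdminGr.path("/vdc/" + taskRep.getResource().getId())
            .get(VirtualDataCenterRestRep.class);
    Assert.assertNotNull("created vdc object can't be retrieved", vdc);
    Assert.assertEquals("vdc name does not match", addParam.getName(), vdc.getName());

    // disconnect / reconnect are expected to be refused with 405 for this VDC.
    // TODO: enhance to track task progress
    ClientResponse response = rZAdminGr.path("/vdc/" + vdc.getId() + "/disconnect").post(ClientResponse.class);
    Assert.assertEquals("disconnect should be refused", 405, response.getStatus());
    response = rZAdminGr.path("/vdc/" + vdc.getId() + "/reconnect").post(ClientResponse.class);
    Assert.assertEquals("reconnect should be refused", 405, response.getStatus());

    // Clean up the VDC (also task-based; progress not tracked -- TODO).
    taskRep = rZAdminGr.path("/vdc/" + vdc.getId()).delete(TaskResourceRep.class);
    Assert.assertNotNull("vdc delete task should not be null", taskRep);
}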

Example 3 with RoleAssignmentChanges

use of com.emc.storageos.model.auth.RoleAssignmentChanges in project coprhd-controller by CoprHD.

Class ApiTest, method changeTenantRoles.

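/**
 * Changes the role assignments of {@code subjectId} on tenant {@code tenantId}, acting as SYSADMIN.
 *
 * A fresh SYSADMIN client is created and a whoami call is issued first purely so that
 * the SYSADMIN auth token is captured into {@code _savedTokens}; that token is then
 * sent explicitly in {@code AUTH_TOKEN_HEADER} on the role-assignment PUT.
 *
 * @param tenantId    tenant whose role assignments are changed
 * @param subjectId   user (or group) whose roles are changed
 * @param addRoles    roles to add; {@code null} or empty means nothing is added
 * @param removeRoles roles to remove; {@code null} or empty means nothing is removed
 * @return the raw PUT response so callers can assert on the status code
 * @throws Exception propagated from client creation
 */
private ClientResponse changeTenantRoles(String tenantId, String subjectId, List<String> addRoles, List<String> removeRoles) throws Exception {
    BalancedWebResource sysadmin = createHttpsClient(SYSADMIN, SYSADMIN_PASS_WORD, baseUrls);
    // Side effect only: this call populates _savedTokens for SYSADMIN.
    sysadmin.path("/user/whoami").get(UserInfo.class);
    String sysadminToken = (String) _savedTokens.get(SYSADMIN);
    Assert.assertNotNull("SYSADMIN token was not captured", sysadminToken);

    RoleAssignmentChanges roleAssignmentChanges = new RoleAssignmentChanges();
    // Null is treated like an empty list so callers can pass either.
    if (addRoles != null && !addRoles.isEmpty()) {
        roleAssignmentChanges.setAdd(singleRoleAssignment(subjectId, addRoles));
    }
    if (removeRoles != null && !removeRoles.isEmpty()) {
        roleAssignmentChanges.setRemove(singleRoleAssignment(subjectId, removeRoles));
    }
    return sysadmin.path("/tenants/" + tenantId + "/role-assignments")
            .header(AUTH_TOKEN_HEADER, sysadminToken)
            .put(ClientResponse.class, roleAssignmentChanges);
}

/** Builds a one-element assignment list for {@code subjectId} carrying a copy of {@code roles}. */
private static List<RoleAssignmentEntry> singleRoleAssignment(String subjectId, List<String> roles) {
    RoleAssignmentEntry entry = new RoleAssignmentEntry();
    entry.setSubjectId(subjectId);
    // Defensive copy: the caller's list must not be aliased by the request object.
    entry.setRoles(new ArrayList<>(roles));
    List<RoleAssignmentEntry> entries = new ArrayList<>();
    entries.add(entry);
    return entries;
}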

Example 4 with RoleAssignmentChanges

use of com.emc.storageos.model.auth.RoleAssignmentChanges in project coprhd-controller by CoprHD.

Class AuthSvcTests, method runProxyTokenExpiryTest.

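/**
 * Verifies that a proxy token issued to an AD/LDAP user keeps working across the
 * configured expiry window while its authentication provider is enabled, and is
 * rejected (401) once the provider has been disabled and another window elapsed.
 *
 * The wait is read from TIME_TO_WAIT_IN_MINUTES_SET_IN_SECURITY_MODULE_XML and
 * falls back to 1 minute when the variable is unset or not an integer. The method
 * sleeps twice for that duration, so it is slow by design.
 *
 * NOTE(review): the original declared {@code timeToWaitInMinutes} inside the try
 * block, so a successfully parsed value was discarded and only the catch path
 * assigned the variable actually used for the sleeps; it is now declared before
 * the try so the parsed value is used.
 *
 * Security note: the same token is presented unchanged before and after the waits;
 * what is asserted is server-side behaviour -- acceptance while the provider is
 * live, rejection after it is disabled.
 *
 * @throws Exception from client setup or an interrupted sleep
 */
private void runProxyTokenExpiryTest() throws Exception {
    int timeToWaitInMinutes;
    try {
        timeToWaitInMinutes = Integer.parseInt(
                System.getenv("TIME_TO_WAIT_IN_MINUTES_SET_IN_SECURITY_MODULE_XML"));
    } catch (NumberFormatException e) {
        // Unset (parseInt(null) also throws NumberFormatException) or malformed: default to 1 minute.
        timeToWaitInMinutes = 1;
    }
    long waitMillis = timeToWaitInMinutes * 60L * 1000L;

    WebResource rRoot = createHttpsClient(SYSADMIN, SYSADMIN_PASS_WORD, true).resource(baseAuthServiceURL);
    rRoot.path("/login").get(ClientResponse.class);
    // Register the AD authentication provider.
    updateADConfig();

    // Log in as a user that authenticates against that provider.
    WebResource rSanityUser = createHttpsClient(ROOTUSER, AD_PASS_WORD, true).resource(baseAuthServiceURL);
    rSanityUser.path("/login").get(ClientResponse.class);
    TenantResponse tenant = rSanityUser.path("/tenant").get(TenantResponse.class);
    String tenantPath = "/tenants/" + tenant.getTenant();

    // Make that user a TENANT_ADMIN so a proxied read of its tenant is authorized.
    // The grant result is checked: an unnoticed failure here would otherwise show up
    // later as a misleading 403 instead of the expected 200.
    RoleAssignmentChanges changes = new RoleAssignmentChanges();
    RoleAssignmentEntry addTenantAdmin = new RoleAssignmentEntry();
    addTenantAdmin.setSubjectId(ROOTUSER);
    addTenantAdmin.getRoles().add("TENANT_ADMIN");
    changes.setAdd(new ArrayList<RoleAssignmentEntry>());
    changes.getAdd().add(addTenantAdmin);
    ClientResponse grant = rRoot.path(tenantPath + "/role-assignments").put(ClientResponse.class, changes);
    Assert.assertEquals("TENANT_ADMIN grant should succeed", 200, grant.getStatus());

    // Issue a proxy token for the AD user; the value is captured into _savedProxyTokens.
    ClientResponse resp = rSanityUser.path("/proxytoken").get(ClientResponse.class);
    Assert.assertEquals("AD user should be able to request a proxy token", 200, resp.getStatus());
    String proxyToken = (String) _savedProxyTokens.get(ROOTUSER);
    Assert.assertNotNull("proxy token for AD user was not captured", proxyToken);

    // Log in as the proxy user against the API service.
    WebResource rProxy = createHttpsClient(PROXY_USER, PROXY_USER_PWD, true).resource(baseApiServiceURL);
    rProxy.path("/login").get(ClientResponse.class);

    // Proxy user + proxy token can read the AD user's tenant.
    Assert.assertEquals("proxied read should succeed while the provider is enabled",
            200, proxiedTenantStatus(rProxy, tenantPath, proxyToken));

    // After one expiry window the token is still accepted: the provider is still
    // enabled, so (presumably) the proxied identity can be re-validated against it.
    Thread.sleep(waitMillis);
    Assert.assertEquals("proxied read should still succeed after the wait while the provider is enabled",
            200, proxiedTenantStatus(rProxy, tenantPath, proxyToken));

    // Disable the provider. Only a 2xx is required here; the exact status of this
    // endpoint is not pinned by this test.
    AuthnUpdateParam updateParam = new AuthnUpdateParam();
    updateParam.setDisable(true);
    ClientResponse disable = rRoot.path("/vdc/admin/authnproviders/" + _goodADConfig)
            .put(ClientResponse.class, updateParam);
    Assert.assertEquals("disabling the authn provider should succeed", 2, disable.getStatus() / 100);

    // After another window with the provider disabled the token must be rejected.
    Thread.sleep(waitMillis);
    Assert.assertEquals("proxy token must be rejected once its provider is disabled",
            401, proxiedTenantStatus(rProxy, tenantPath, proxyToken));
}

/** Reads {@code tenantPath} as the proxy user presenting {@code proxyToken} and returns the HTTP status. */
private int proxiedTenantStatus(WebResource rProxy, String tenantPath, String proxyToken) {
    ClientResponse resp = rProxy.path(tenantPath)
            .header(AUTH_PROXY_TOKEN_HEADER, proxyToken)
            .get(ClientResponse.class);
    return resp.getStatus();
}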

Example 5 with RoleAssignmentChanges

use of com.emc.storageos.model.auth.RoleAssignmentChanges in project coprhd-controller by CoprHD.

Class RoleChangeTest, method tenantAdmin.

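/**
 * Verifies what a TENANT_ADMIN can do: list the tenant's role assignments, call
 * whoami (and see exactly one home-tenant role, no VDC or sub-tenant roles), and
 * create a project in the tenant.
 *
 * Setup grants TENANT_ADMIN on the provider tenant to the AD user TENANTADMIN via
 * the superSanity client. The grant is not revoked at the end of the test, so it
 * remains in effect for later tests in the same environment.
 *
 * @throws Exception from client creation
 */
@Test
public void tenantAdmin() throws Exception {
    // Grant TENANT_ADMIN on the provider tenant to the AD user.
    RoleAssignmentEntry grant = new RoleAssignmentEntry();
    grant.setSubjectId(TENANTADMIN);
    grant.setRoles(new ArrayList<String>(Arrays.asList("TENANT_ADMIN")));
    List<RoleAssignmentEntry> add = new ArrayList<RoleAssignmentEntry>();
    add.add(grant);
    RoleAssignmentChanges roleAssignmentChanges = new RoleAssignmentChanges();
    roleAssignmentChanges.setAdd(add);
    ClientResponse resp = superSanity.path("/tenants/" + rootTenantId + "/role-assignments")
            .header(AUTH_TOKEN_HEADER, superSanityToken)
            .put(ClientResponse.class, roleAssignmentChanges);
    Assert.assertEquals("TENANT_ADMIN grant should succeed", 200, resp.getStatus());

    // Log in as the tenant admin and list the tenant's role assignments.
    BalancedWebResource tenantAdmin = createHttpsClient(TENANTADMIN, AD_PASS_WORD, baseUrls);
    resp = tenantAdmin.path("/tenants/" + rootTenantId + "/role-assignments").get(ClientResponse.class);
    Assert.assertEquals("tenant admin should be able to list role assignments", 200, resp.getStatus());
    // The authenticated call above is what captures the tenant admin's token; fail
    // here rather than sending a null header value on the project create below.
    String tenantAdminToken = (String) _savedTokens.get(TENANTADMIN);
    Assert.assertNotNull("tenant admin token was not captured", tenantAdminToken);

    // whoami: exactly one home-tenant role (TENANT_ADMIN), nothing at VDC or sub-tenant level.
    UserInfo info = tenantAdmin.path("/user/whoami").get(UserInfo.class);
    Assert.assertEquals(TENANTADMIN, info.getCommonName());
    Assert.assertEquals("tenant admin must have no VDC roles", 0, info.getVdcRoles().size());
    Assert.assertEquals("tenant admin must have exactly one home tenant role", 1, info.getHomeTenantRoles().size());
    Assert.assertEquals("tenant admin must have no sub-tenant roles", 0, info.getSubTenantRoles().size());
    Assert.assertTrue("home tenant role must be TENANT_ADMIN", info.getHomeTenantRoles().contains("TENANT_ADMIN"));

    // Create a project in the tenant, presenting the captured token explicitly.
    ProjectParam projectParam = new ProjectParam();
    projectParam.setName("project_unittest" + new Random().nextInt());
    resp = tenantAdmin.path("/tenants/" + rootTenantId + "/projects")
            .header(AUTH_TOKEN_HEADER, tenantAdminToken)
            .post(ClientResponse.class, projectParam);
    Assert.assertEquals("tenant admin should be able to create a project", 200, resp.getStatus());
}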
