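/**
 * A provider tenant admin must not be able to edit a subtenant.
 * <p>
 * Set-up: create an authn provider, map an LDAP group into the provider tenant,
 * give the first LDAP user a tenant role on the provider tenant and confirm it
 * through whoami. The subtenant itself is created by the system user; the LDAP
 * user then tries to change its description, which is expected to be rejected
 * with HTTP 403 and the insufficient-permission message for that user, since only
 * a security admin or the subtenant's own tenant admin may edit it.
 * <p>
 * Tear-down (logout, revoke the role assignment, remove the user mapping) runs in
 * a {@code finally} block so that a failed validation does not leave the elevated
 * role or the group mapping behind for later tests.
 *
 * @throws NoSuchAlgorithmException propagated from HTTPS client creation
 */
@Test
public void testSubTenantEditByProviderTenantAdmin() throws NoSuchAlgorithmException {
    final String testName = "testSubTenantEditByProviderTenantAdmin - ";
    // Create an authnprovider before creating a tenant. A successful creation
    // also adds the provider to the resource clean-up list.
    AuthnCreateParam authnProviderCreateParam = getDefaultAuthnCreateParam(testName + getTestDefaultAuthnProviderDescription());
    ClientResponse clientAuthnProviderCreateResp = rSys.path(getTestAuthnProviderApi()).post(ClientResponse.class, authnProviderCreateParam);
    validateAuthnProviderCreateSuccess(clientAuthnProviderCreateResp);
    String groupToAddInUserMapping = getGroup(0);
    addUserMapping(rootTenantId, groupToAddInUserMapping);
    // Assign the tenant role to the first LDAP user, who belongs to the
    // provider tenant through the mapping above.
    String ldapViPRUser1Name = getUserWithDomain(0);
    RoleAssignmentChanges roleAssignmentEntryParam = getDefaultRoleAssignmentChanges(false, true);
    roleAssignmentEntryParam.getAdd().get(0).setSubjectId(ldapViPRUser1Name);
    roleAssignmentEntryParam.getAdd().get(0).getRoles().clear();
    roleAssignmentEntryParam.getAdd().get(0).getRoles().add(getTenantRole(0));
    String roleAssignmentsApi = getTestRoleAssignmentsApi(rootTenantId);
    RoleAssignments roleAssignmentCreateResp = rSys.path(roleAssignmentsApi).put(RoleAssignments.class, roleAssignmentEntryParam);
    validateRoleAssignmentCreateSuccess(roleAssignmentEntryParam, roleAssignmentCreateResp);
    // Declared outside the try so the finally block can log the user out.
    BalancedWebResource ldapViPRUser1 = null;
    try {
        // Log in as the LDAP user and confirm the tenant role is visible via whoami.
        ldapViPRUser1 = getHttpsClient(ldapViPRUser1Name, getLDAPUserPassword());
        UserInfo ldapViPRUser1UserInfo = ldapViPRUser1.path(getUserWhoAmIApi()).get(UserInfo.class);
        List<String> expectedRoles = new ArrayList<String>();
        expectedRoles.add(getTenantRole(0));
        validateUserTenantRoles(ldapViPRUser1UserInfo, expectedRoles);
        // The subtenant is created by the system user, which is allowed to.
        TenantCreateParam createParam = getDefaultTenantCreateParam(testName + "Successful creation of tenant by sec admin.");
        TenantOrgRestRep createResp = rSys.path(getTestApi()).post(TenantOrgRestRep.class, createParam);
        validateTenantCreateSuccess(createParam, createResp);
        URI subTenantId = createResp.getId();
        // Edit the subtenant by changing its description as the provider tenant
        // admin. It must fail: only the tenant admin or sec admin can edit it.
        TenantUpdateParam editParam = new TenantUpdateParam();
        editParam.setDescription(testName + "SubTenant - Set by provider tenant admin");
        ClientResponse clientEditResp = ldapViPRUser1.path(getTestEditApi(subTenantId)).put(ClientResponse.class, editParam);
        String partialExpectedErrorMsg = String.format(ERROR_INSUFFICIENT_PERMISSION_FOR_USER, ldapViPRUser1Name.toLowerCase());
        validateTenantCreateAndEditBadRequest(HttpStatus.SC_FORBIDDEN, partialExpectedErrorMsg, clientEditResp);
    } finally {
        // Tear down in reverse order of set-up so the elevated role and the
        // group mapping do not survive a failed validation.
        if (ldapViPRUser1 != null) {
            logoutUser(ldapViPRUser1);
        }
        roleAssignmentEntryParam.getRemove().add(roleAssignmentEntryParam.getAdd().get(0));
        roleAssignmentEntryParam.getAdd().clear();
        roleAssignmentCreateResp = rSys.path(roleAssignmentsApi).put(RoleAssignments.class, roleAssignmentEntryParam);
        validateVDCRoleAssignmentsRemove(roleAssignmentCreateResp, ldapViPRUser1Name, false);
        removeUserMapping(rootTenantId, groupToAddInUserMapping);
    }
}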
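/**
 * A provider tenant admin must not be able to delete the provider tenant.
 * <p>
 * Set-up: create an authn provider, map an LDAP group into the provider tenant,
 * give the first LDAP user a tenant role on the provider tenant and confirm it
 * through whoami. The LDAP user then calls the delete API for the provider
 * tenant, which is expected to be rejected with HTTP 403 and the
 * insufficient-permission message for that user.
 * <p>
 * Tear-down (logout, revoke the role assignment, remove the user mapping) runs in
 * a {@code finally} block so that a failed validation does not leave the elevated
 * role or the group mapping behind for later tests.
 *
 * @throws NoSuchAlgorithmException propagated from HTTPS client creation
 */
@Test
public void testProviderTenantDeleteByProviderTenantAdmin() throws NoSuchAlgorithmException {
    final String testName = "testProviderTenantDeleteByProviderTenantAdmin - ";
    // Create an authnprovider before creating a tenant. A successful creation
    // also adds the provider to the resource clean-up list.
    AuthnCreateParam authnProviderCreateParam = getDefaultAuthnCreateParam(testName + getTestDefaultAuthnProviderDescription());
    ClientResponse clientAuthnProviderCreateResp = rSys.path(getTestAuthnProviderApi()).post(ClientResponse.class, authnProviderCreateParam);
    validateAuthnProviderCreateSuccess(clientAuthnProviderCreateResp);
    String groupToAddInUserMapping = getGroup(0);
    addUserMapping(rootTenantId, groupToAddInUserMapping);
    // Assign the tenant role to the first LDAP user, who belongs to the
    // provider tenant through the mapping above.
    String ldapViPRUser1Name = getUserWithDomain(0);
    RoleAssignmentChanges roleAssignmentEntryParam = getDefaultRoleAssignmentChanges(false, true);
    roleAssignmentEntryParam.getAdd().get(0).setSubjectId(ldapViPRUser1Name);
    roleAssignmentEntryParam.getAdd().get(0).getRoles().clear();
    roleAssignmentEntryParam.getAdd().get(0).getRoles().add(getTenantRole(0));
    String roleAssignmentsApi = getTestRoleAssignmentsApi(rootTenantId);
    RoleAssignments roleAssignmentCreateResp = rSys.path(roleAssignmentsApi).put(RoleAssignments.class, roleAssignmentEntryParam);
    validateRoleAssignmentCreateSuccess(roleAssignmentEntryParam, roleAssignmentCreateResp);
    // Declared outside the try so the finally block can log the user out.
    BalancedWebResource ldapViPRUser1 = null;
    try {
        // Log in as the LDAP user and confirm the tenant role is visible via whoami.
        ldapViPRUser1 = getHttpsClient(ldapViPRUser1Name, getLDAPUserPassword());
        UserInfo ldapViPRUser1UserInfo = ldapViPRUser1.path(getUserWhoAmIApi()).get(UserInfo.class);
        List<String> expectedRoles = new ArrayList<String>();
        expectedRoles.add(getTenantRole(0));
        validateUserTenantRoles(ldapViPRUser1UserInfo, expectedRoles);
        // Attempt to delete the provider tenant as the provider tenant admin.
        // It must fail: the response is validated as 403 with the
        // insufficient-permission message for this user.
        ClientResponse clientDeleteResp = ldapViPRUser1.path(getTestDeleteApi(rootTenantId)).post(ClientResponse.class);
        String partialExpectedErrorMsg = String.format(ERROR_INSUFFICIENT_PERMISSION_FOR_USER, ldapViPRUser1Name.toLowerCase());
        validateTenantCreateAndEditBadRequest(HttpStatus.SC_FORBIDDEN, partialExpectedErrorMsg, clientDeleteResp);
    } finally {
        // Tear down in reverse order of set-up so the elevated role and the
        // group mapping do not survive a failed validation.
        if (ldapViPRUser1 != null) {
            logoutUser(ldapViPRUser1);
        }
        roleAssignmentEntryParam.getRemove().add(roleAssignmentEntryParam.getAdd().get(0));
        roleAssignmentEntryParam.getAdd().clear();
        roleAssignmentCreateResp = rSys.path(roleAssignmentsApi).put(RoleAssignments.class, roleAssignmentEntryParam);
        validateVDCRoleAssignmentsRemove(roleAssignmentCreateResp, ldapViPRUser1Name, false);
        removeUserMapping(rootTenantId, groupToAddInUserMapping);
    }
}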
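/**
 * A provider tenant admin must not be able to create a subtenant.
 * <p>
 * Set-up: create an authn provider, map an LDAP group into the provider tenant,
 * give the first LDAP user a tenant role on the provider tenant and confirm it
 * through whoami. The LDAP user then posts a tenant create request, which is
 * expected to be rejected with HTTP 403 and the insufficient-permission message
 * for that user, since only a security admin may create subtenants.
 * <p>
 * Tear-down (logout, revoke the role assignment, remove the user mapping) runs in
 * a {@code finally} block so that a failed validation does not leave the elevated
 * role or the group mapping behind for later tests.
 *
 * @throws NoSuchAlgorithmException propagated from HTTPS client creation
 */
@Test
public void testTenantCreateByProviderTenantAdmin() throws NoSuchAlgorithmException {
    final String testName = "testTenantCreateByProviderTenantAdmin - ";
    // Create an authnprovider before creating a tenant. A successful creation
    // also adds the provider to the resource clean-up list.
    AuthnCreateParam authnProviderCreateParam = getDefaultAuthnCreateParam(testName + getTestDefaultAuthnProviderDescription());
    ClientResponse clientAuthnProviderCreateResp = rSys.path(getTestAuthnProviderApi()).post(ClientResponse.class, authnProviderCreateParam);
    validateAuthnProviderCreateSuccess(clientAuthnProviderCreateResp);
    String groupToAddInUserMapping = getGroup(0);
    addUserMapping(rootTenantId, groupToAddInUserMapping);
    // Assign the tenant role to the first LDAP user, who belongs to the
    // provider tenant through the mapping above.
    String ldapViPRUser1Name = getUserWithDomain(0);
    RoleAssignmentChanges roleAssignmentEntryParam = getDefaultRoleAssignmentChanges(false, true);
    roleAssignmentEntryParam.getAdd().get(0).setSubjectId(ldapViPRUser1Name);
    roleAssignmentEntryParam.getAdd().get(0).getRoles().clear();
    roleAssignmentEntryParam.getAdd().get(0).getRoles().add(getTenantRole(0));
    String roleAssignmentsApi = getTestRoleAssignmentsApi(rootTenantId);
    RoleAssignments roleAssignmentCreateResp = rSys.path(roleAssignmentsApi).put(RoleAssignments.class, roleAssignmentEntryParam);
    validateRoleAssignmentCreateSuccess(roleAssignmentEntryParam, roleAssignmentCreateResp);
    // Declared outside the try so the finally block can log the user out.
    BalancedWebResource ldapViPRUser1 = null;
    try {
        // Log in as the LDAP user and confirm the tenant role is visible via whoami.
        ldapViPRUser1 = getHttpsClient(ldapViPRUser1Name, getLDAPUserPassword());
        UserInfo ldapViPRUser1UserInfo = ldapViPRUser1.path(getUserWhoAmIApi()).get(UserInfo.class);
        List<String> expectedRoles = new ArrayList<String>();
        expectedRoles.add(getTenantRole(0));
        validateUserTenantRoles(ldapViPRUser1UserInfo, expectedRoles);
        // Try to create a subtenant as the provider tenant admin. Only a sec
        // admin can create subtenants, so the operation must fail with 403.
        TenantCreateParam createParam = getDefaultTenantCreateParam(testName + "Tenant creation by Provider tenant admin should fail.");
        ClientResponse clientCreateResp = ldapViPRUser1.path(getTestApi()).post(ClientResponse.class, createParam);
        String partialExpectedErrorMsg = String.format(ERROR_INSUFFICIENT_PERMISSION_FOR_USER, ldapViPRUser1Name.toLowerCase());
        validateTenantCreateAndEditBadRequest(HttpStatus.SC_FORBIDDEN, partialExpectedErrorMsg, clientCreateResp);
    } finally {
        // Tear down in reverse order of set-up so the elevated role and the
        // group mapping do not survive a failed validation.
        if (ldapViPRUser1 != null) {
            logoutUser(ldapViPRUser1);
        }
        roleAssignmentEntryParam.getRemove().add(roleAssignmentEntryParam.getAdd().get(0));
        roleAssignmentEntryParam.getAdd().clear();
        roleAssignmentCreateResp = rSys.path(roleAssignmentsApi).put(RoleAssignments.class, roleAssignmentEntryParam);
        validateVDCRoleAssignmentsRemove(roleAssignmentCreateResp, ldapViPRUser1Name, false);
        removeUserMapping(rootTenantId, groupToAddInUserMapping);
    }
}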
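/**
 * Test for API /vdc/prepare-vdc, which removes all of root's tenant roles and
 * project ownerships.
 * <p>
 * Before calling the API, root is prepared to be:
 * <ol>
 * <li>Provider Tenant's tenant admin</li>
 * <li>owner of a project of the Provider Tenant</li>
 * <li>Tenant Admin of a subtenant</li>
 * <li>owner of a project from that subtenant</li>
 * </ol>
 * After the call, root's whoami output must no longer contain TENANT_ADMIN and
 * neither project's representation (read back as the super user) may still
 * mention root.
 * <p>
 * Clean-up (restoring root's provider tenant role when it had one, deactivating
 * both projects and the subtenant) runs in a {@code finally} block so that a
 * failed assertion does not leave the extra tenant and projects behind.
 *
 * @throws Exception propagated from client creation or the REST calls
 */
public void prepareVdcTest() throws Exception {
    BalancedWebResource rootUser = createHttpsClient(SYSADMIN, SYSADMIN_PASS_WORD, baseUrls);
    UserInfo info = rootUser.path("/user/whoami").get(UserInfo.class);
    String rootTenantId = info.getTenant();
    String rootToken = (String) _savedTokens.get(SYSADMIN);
    // The super user is used to read back and clean up; the /tenant call logs it in.
    BalancedWebResource superSanity = createHttpsClient(SUPERUSER, AD_PASS_WORD, baseUrls);
    superSanity.path("/tenant").get(TenantResponse.class);
    String superSanityToken = (String) _savedTokens.get(SUPERUSER);
    // Remember whether root already had home tenant roles, so the role is put
    // back afterwards only when something pre-existing was removed.
    boolean rootHadHomeTenantRoles = !info.getHomeTenantRoles().isEmpty();
    if (!rootHadHomeTenantRoles) {
        // Also grant TENANT_ADMIN to the super user so it can verify afterwards.
        // NOTE(review): this grant is never revoked by the test — confirm whether
        // later tests depend on the super user not holding it.
        ClientResponse roleResp = assignTenantRole(rootTenantId, SYSADMIN, "TENANT_ADMIN");
        Assert.assertEquals(200, roleResp.getStatus());
        roleResp = assignTenantRole(rootTenantId, SUPERUSER, "TENANT_ADMIN");
        Assert.assertEquals(200, roleResp.getStatus());
    }
    Random random = new Random();
    // Declared outside the try so the finally block can clean up whatever got created.
    ProjectEntry rootProject1 = null;
    ProjectEntry rootProject2 = null;
    TenantOrgRestRep subtenant = null;
    try {
        // Create a project of the Provider Tenant as root; root becomes its owner.
        ProjectParam paramProj = new ProjectParam("project_" + random.nextInt());
        rootProject1 = rootUser.path(String.format(_projectsUrlFormat, rootTenantId)).header(AUTH_TOKEN_HEADER, rootToken).post(ProjectEntry.class, paramProj);
        Assert.assertEquals(paramProj.getName(), rootProject1.name);
        Assert.assertNotNull(rootProject1.id);
        // Create a subtenant as root; root becomes its TenantAdmin. The super
        // user is made TenantAdmin of it too so it can read the project below.
        String tenantLabel = "tenant_" + random.nextInt();
        subtenant = createTenant(tenantLabel, "sanity.local", "key", tenantLabel);
        ClientResponse resp = assignTenantRole(subtenant.getId().toString(), SUPERUSER, "TENANT_ADMIN");
        Assert.assertEquals(200, resp.getStatus());
        // Create a project under that subtenant as root; root becomes its owner.
        paramProj = new ProjectParam("project_" + random.nextInt());
        rootProject2 = rootUser.path(String.format(_projectsUrlFormat, subtenant.getId().toString())).header(AUTH_TOKEN_HEADER, rootToken).post(ProjectEntry.class, paramProj);
        Assert.assertEquals(paramProj.getName(), rootProject2.name);
        Assert.assertNotNull(rootProject2.id);
        // Call /vdc/prepare-vdc as root.
        ClientResponse response = rootUser.path("/vdc/prepare-vdc").header(AUTH_TOKEN_HEADER, rootToken).post(ClientResponse.class);
        Assert.assertEquals(200, response.getStatus());
        // Verify root's tenant roles and project ownerships were removed; the
        // projects are read back as the super user.
        resp = rootUser.path("/user/whoami").get(ClientResponse.class);
        String output = resp.getEntity(String.class);
        Assert.assertFalse(output.contains("TENANT_ADMIN"));
        resp = superSanity.path(String.format(_projectUrl, rootProject1.id.toString())).get(ClientResponse.class);
        output = resp.getEntity(String.class);
        Assert.assertFalse(output.contains(SYSADMIN));
        resp = superSanity.path(String.format(_projectUrl, rootProject2.id.toString())).get(ClientResponse.class);
        output = resp.getEntity(String.class);
        Assert.assertFalse(output.contains(SYSADMIN));
    } finally {
        // Test done (or failed): restore root's tenant role and remove the
        // projects and subtenant that were created above.
        if (rootHadHomeTenantRoles) {
            // NOTE(review): this also runs when the failure happened before
            // /vdc/prepare-vdc stripped the role; assumes re-assigning an
            // existing role is harmless — confirm against the server.
            assignTenantRole(rootTenantId, SYSADMIN, "TENANT_ADMIN");
        }
        if (rootProject1 != null) {
            superSanity.path(String.format(_projectUrl + "/deactivate", rootProject1.id.toString())).header(AUTH_TOKEN_HEADER, superSanityToken).post(ClientResponse.class);
        }
        if (rootProject2 != null) {
            superSanity.path(String.format(_projectUrl + "/deactivate", rootProject2.id.toString())).header(AUTH_TOKEN_HEADER, superSanityToken).post(ClientResponse.class);
        }
        if (subtenant != null) {
            superSanity.path("/tenants/" + subtenant.getId() + "/deactivate").header(AUTH_TOKEN_HEADER, superSanityToken).post();
        }
    }
}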
/**
 * Exercises proxy-token handling end to end: obtain a proxy token as root, use it
 * from the proxy user, check it is rejected for a caller without the proxy-user
 * role, check the proxied root identity carries no SECURITY_ADMIN, check a
 * proxied zone admin cannot change role assignments, and finally confirm that a
 * forced logout of the issuer (with proxytokens=true) invalidates the token.
 */
private void proxyTokenTests() {
    // Login as root and remember the provider tenant id used by the calls below.
    TenantResponse tenantResp = rSys.path("/tenant").get(TenantResponse.class);
    rootTenantId = tenantResp.getTenant();
    String rootTenantPath = "/tenants/" + rootTenantId.toString();
    // Get a proxy token for root. The token is read back from _savedProxyTokens,
    // which is presumably filled in by the client on the /proxytoken response.
    ClientResponse resp = rSys.path("/proxytoken").get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    String proxyToken = (String) _savedProxyTokens.get("root");
    Assert.assertNotNull(proxyToken);
    // Without the proxy token header the proxy user is just itself, and it has
    // no TENANT_ADMIN, so tenant/id is denied.
    resp = rProxyUser.path(rootTenantPath).get(ClientResponse.class);
    Assert.assertEquals(403, resp.getStatus());
    // With the proxy token the same call succeeds.
    resp = rProxyUser.path(rootTenantPath).header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, proxyToken).get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    // Negative test: a valid proxy token presented by a user without the
    // PROXY_USER role must not grant access.
    resp = rZAdmin.path(rootTenantPath).header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, proxyToken).get(ClientResponse.class);
    Assert.assertEquals(403, resp.getStatus());
    // The proxied identity is root, but SECURITY_ADMIN must be stripped from it.
    UserInfo proxiedRoot = rProxyUser.path("/user/whoami").header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, proxyToken).get(UserInfo.class);
    Assert.assertEquals("root", proxiedRoot.getCommonName());
    Assert.assertFalse(proxiedRoot.getVdcRoles().contains(Role.SECURITY_ADMIN.toString()));
    // A zone admin, when proxied, must not be able to do role assignments.
    resp = rZAdmin.path("/proxytoken").get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    String zAdminProxyToken = (String) _savedProxyTokens.get(ZONEADMIN);
    Assert.assertNotNull(zAdminProxyToken);
    resp = rProxyUser.path("/vdc/role-assignments").header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, zAdminProxyToken).put(ClientResponse.class, new RoleAssignmentChanges());
    Assert.assertEquals(403, resp.getStatus());
    // Log the issuer of the proxy token out with the force and proxytokens
    // options. This should wipe out all of its tokens including proxy tokens,
    // so the proxy user can no longer reach tenants/id with that token.
    // (.xml is appended so the logout filter's forwarding is exercised; the
    // mixed-case variant "/loGout.XmL" is currently not used.)
    resp = rSys.path("/logout.xml").queryParam("force", "true").queryParam("proxytokens", "true").get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    resp = rProxyUser.path(rootTenantPath).header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, proxyToken).get(ClientResponse.class);
    Assert.assertEquals(401, resp.getStatus());
}