
Example 6 with UserInfo

use of com.emc.storageos.model.user.UserInfo in project coprhd-controller by CoprHD.

the class ApiTestTenants method testSubTenantEditByProviderTenantAdmin.

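/**
 * Negative authorization test: a user holding only the provider (root) tenant's
 * tenant-admin role must not be able to edit a sub-tenant. The edit must be
 * rejected with 403 and the insufficient-permission message naming that user.
 *
 * Setup is done as the system client (rSys): create an authn provider, map an
 * LDAP group into the root tenant, grant the tenant role to the LDAP user, then
 * log in as that user and attempt the edit. Both grants are temporary; they are
 * revoked in finally blocks so that a failed assertion cannot leave the LDAP
 * user holding an admin role, or the group mapped into the root tenant, for the
 * tests that run afterwards.
 *
 * @throws NoSuchAlgorithmException propagated from building the HTTPS client
 */
@Test
public void testSubTenantEditByProviderTenantAdmin() throws NoSuchAlgorithmException {
    final String testName = "testSubTenantEditByProviderTenantAdmin - ";
    // An authn provider must exist before LDAP users/groups can be mapped to a tenant.
    AuthnCreateParam authnProviderCreateParam = getDefaultAuthnCreateParam(testName + getTestDefaultAuthnProviderDescription());
    ClientResponse clientAuthnProviderCreateResp = rSys.path(getTestAuthnProviderApi()).post(ClientResponse.class, authnProviderCreateParam);
    // Validates the creation and registers the provider for cleanup.
    validateAuthnProviderCreateSuccess(clientAuthnProviderCreateResp);
    String groupToAddInUserMapping = getGroup(0);
    addUserMapping(rootTenantId, groupToAddInUserMapping);
    try {
        // Grant the tenant role to the LDAP user, who belongs to the provider
        // tenant through the group mapping above.
        RoleAssignmentChanges roleAssignmentEntryParam = getDefaultRoleAssignmentChanges(false, true);
        roleAssignmentEntryParam.getAdd().get(0).setSubjectId(getUserWithDomain(0));
        roleAssignmentEntryParam.getAdd().get(0).getRoles().clear();
        roleAssignmentEntryParam.getAdd().get(0).getRoles().add(getTenantRole(0));
        String roleAssignmentsApi = getTestRoleAssignmentsApi(rootTenantId);
        RoleAssignments roleAssignmentCreateResp = rSys.path(roleAssignmentsApi).put(RoleAssignments.class, roleAssignmentEntryParam);
        validateRoleAssignmentCreateSuccess(roleAssignmentEntryParam, roleAssignmentCreateResp);
        String ldapViPRUser1Name = getUserWithDomain(0);
        BalancedWebResource ldapViPRUser1 = null;
        try {
            ldapViPRUser1 = getHttpsClient(ldapViPRUser1Name, getLDAPUserPassword());
            // Confirm the grant is visible to the user before relying on it.
            UserInfo ldapViPRUser1UserInfo = ldapViPRUser1.path(getUserWhoAmIApi()).get(UserInfo.class);
            List<String> expectedRoles = new ArrayList<String>();
            expectedRoles.add(getTenantRole(0));
            validateUserTenantRoles(ldapViPRUser1UserInfo, expectedRoles);
            // The sub-tenant under test is created by the system client, not by the LDAP user.
            TenantCreateParam createParam = this.getDefaultTenantCreateParam(testName + "Successful creation of tenant by sec admin.");
            TenantOrgRestRep createResp = rSys.path(getTestApi()).post(TenantOrgRestRep.class, createParam);
            validateTenantCreateSuccess(createParam, createResp);
            URI subTenantId = createResp.getId();
            TenantUpdateParam editParam = new TenantUpdateParam();
            editParam.setDescription(testName + "SubTenant - Set by provider tenant admin");
            // Attempt the edit as the provider tenant admin. It must be refused: a role
            // on the root tenant must not carry over to its sub-tenants.
            ClientResponse clientEditResp = ldapViPRUser1.path(getTestEditApi(subTenantId)).put(ClientResponse.class, editParam);
            String partialExpectedErrorMsg = String.format(ERROR_INSUFFICIENT_PERMISSION_FOR_USER, ldapViPRUser1Name.toLowerCase());
            validateTenantCreateAndEditBadRequest(HttpStatus.SC_FORBIDDEN, partialExpectedErrorMsg, clientEditResp);
        } finally {
            if (ldapViPRUser1 != null) {
                logoutUser(ldapViPRUser1);
            }
            // Revoke the temporary role grant even if an assertion above failed.
            roleAssignmentEntryParam.getRemove().add(roleAssignmentEntryParam.getAdd().get(0));
            roleAssignmentEntryParam.getAdd().clear();
            roleAssignmentCreateResp = rSys.path(roleAssignmentsApi).put(RoleAssignments.class, roleAssignmentEntryParam);
            validateVDCRoleAssignmentsRemove(roleAssignmentCreateResp, ldapViPRUser1Name, false);
        }
    } finally {
        // Unmap the group from the root tenant regardless of outcome.
        removeUserMapping(rootTenantId, groupToAddInUserMapping);
    }
}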

Example 7 with UserInfo

use of com.emc.storageos.model.user.UserInfo in project coprhd-controller by CoprHD.

the class ApiTestTenants method testProviderTenantDeleteByProviderTenantAdmin.

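/**
 * Negative authorization test: a user holding the provider (root) tenant's
 * tenant-admin role must not be able to delete the provider tenant. The request
 * must be rejected with 403 and the insufficient-permission message naming that
 * user. Note that what is pinned here is the permission decision for a tenant
 * admin; whether the provider tenant is undeletable for a more privileged
 * caller is not covered by this test.
 *
 * Setup is done as the system client (rSys): create an authn provider, map an
 * LDAP group into the root tenant, grant the tenant role to the LDAP user, then
 * log in as that user and attempt the delete. Both grants are temporary; they
 * are revoked in finally blocks so that a failed assertion cannot leave the
 * LDAP user holding an admin role, or the group mapped into the root tenant,
 * for the tests that run afterwards.
 *
 * @throws NoSuchAlgorithmException propagated from building the HTTPS client
 */
@Test
public void testProviderTenantDeleteByProviderTenantAdmin() throws NoSuchAlgorithmException {
    final String testName = "testProviderTenantDeleteByProviderTenantAdmin - ";
    // An authn provider must exist before LDAP users/groups can be mapped to a tenant.
    AuthnCreateParam authnProviderCreateParam = getDefaultAuthnCreateParam(testName + getTestDefaultAuthnProviderDescription());
    ClientResponse clientAuthnProviderCreateResp = rSys.path(getTestAuthnProviderApi()).post(ClientResponse.class, authnProviderCreateParam);
    // Validates the creation and registers the provider for cleanup.
    validateAuthnProviderCreateSuccess(clientAuthnProviderCreateResp);
    String groupToAddInUserMapping = getGroup(0);
    addUserMapping(rootTenantId, groupToAddInUserMapping);
    try {
        // Grant the tenant role to the LDAP user, who belongs to the provider
        // tenant through the group mapping above.
        RoleAssignmentChanges roleAssignmentEntryParam = getDefaultRoleAssignmentChanges(false, true);
        roleAssignmentEntryParam.getAdd().get(0).setSubjectId(getUserWithDomain(0));
        roleAssignmentEntryParam.getAdd().get(0).getRoles().clear();
        roleAssignmentEntryParam.getAdd().get(0).getRoles().add(getTenantRole(0));
        String roleAssignmentsApi = getTestRoleAssignmentsApi(rootTenantId);
        RoleAssignments roleAssignmentCreateResp = rSys.path(roleAssignmentsApi).put(RoleAssignments.class, roleAssignmentEntryParam);
        validateRoleAssignmentCreateSuccess(roleAssignmentEntryParam, roleAssignmentCreateResp);
        String ldapViPRUser1Name = getUserWithDomain(0);
        BalancedWebResource ldapViPRUser1 = null;
        try {
            ldapViPRUser1 = getHttpsClient(ldapViPRUser1Name, getLDAPUserPassword());
            // Confirm the grant is visible to the user before relying on it.
            UserInfo ldapViPRUser1UserInfo = ldapViPRUser1.path(getUserWhoAmIApi()).get(UserInfo.class);
            List<String> expectedRoles = new ArrayList<String>();
            expectedRoles.add(getTenantRole(0));
            validateUserTenantRoles(ldapViPRUser1UserInfo, expectedRoles);
            // Attempt to delete the provider tenant as its tenant admin. It must be refused.
            String rootTenantDeleteApi = getTestDeleteApi(rootTenantId);
            ClientResponse clientDeleteResp = ldapViPRUser1.path(rootTenantDeleteApi).post(ClientResponse.class);
            String partialExpectedErrorMsg = String.format(ERROR_INSUFFICIENT_PERMISSION_FOR_USER, ldapViPRUser1Name.toLowerCase());
            validateTenantCreateAndEditBadRequest(HttpStatus.SC_FORBIDDEN, partialExpectedErrorMsg, clientDeleteResp);
        } finally {
            if (ldapViPRUser1 != null) {
                logoutUser(ldapViPRUser1);
            }
            // Revoke the temporary role grant even if an assertion above failed.
            roleAssignmentEntryParam.getRemove().add(roleAssignmentEntryParam.getAdd().get(0));
            roleAssignmentEntryParam.getAdd().clear();
            roleAssignmentCreateResp = rSys.path(roleAssignmentsApi).put(RoleAssignments.class, roleAssignmentEntryParam);
            validateVDCRoleAssignmentsRemove(roleAssignmentCreateResp, ldapViPRUser1Name, false);
        }
    } finally {
        // Unmap the group from the root tenant regardless of outcome.
        removeUserMapping(rootTenantId, groupToAddInUserMapping);
    }
}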

Example 8 with UserInfo

use of com.emc.storageos.model.user.UserInfo in project coprhd-controller by CoprHD.

the class ApiTestTenants method testTenantCreateByProviderTenantAdmin.

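/**
 * Negative authorization test: a user holding the provider (root) tenant's
 * tenant-admin role must not be able to create a sub-tenant. The request must
 * be rejected with 403 and the insufficient-permission message naming that
 * user; tenant creation is reserved for the security admin.
 *
 * Setup is done as the system client (rSys): create an authn provider, map an
 * LDAP group into the root tenant, grant the tenant role to the LDAP user, then
 * log in as that user and attempt the create. Both grants are temporary; they
 * are revoked in finally blocks so that a failed assertion cannot leave the
 * LDAP user holding an admin role, or the group mapped into the root tenant,
 * for the tests that run afterwards.
 *
 * @throws NoSuchAlgorithmException propagated from building the HTTPS client
 */
@Test
public void testTenantCreateByProviderTenantAdmin() throws NoSuchAlgorithmException {
    final String testName = "testTenantCreateByProviderTenantAdmin - ";
    // An authn provider must exist before LDAP users/groups can be mapped to a tenant.
    AuthnCreateParam authnProviderCreateParam = getDefaultAuthnCreateParam(testName + getTestDefaultAuthnProviderDescription());
    ClientResponse clientAuthnProviderCreateResp = rSys.path(getTestAuthnProviderApi()).post(ClientResponse.class, authnProviderCreateParam);
    // Validates the creation and registers the provider for cleanup.
    validateAuthnProviderCreateSuccess(clientAuthnProviderCreateResp);
    String groupToAddInUserMapping = getGroup(0);
    addUserMapping(rootTenantId, groupToAddInUserMapping);
    try {
        // Grant the tenant role to the LDAP user, who belongs to the provider
        // tenant through the group mapping above.
        RoleAssignmentChanges roleAssignmentEntryParam = getDefaultRoleAssignmentChanges(false, true);
        roleAssignmentEntryParam.getAdd().get(0).setSubjectId(getUserWithDomain(0));
        roleAssignmentEntryParam.getAdd().get(0).getRoles().clear();
        roleAssignmentEntryParam.getAdd().get(0).getRoles().add(getTenantRole(0));
        String roleAssignmentsApi = getTestRoleAssignmentsApi(rootTenantId);
        RoleAssignments roleAssignmentCreateResp = rSys.path(roleAssignmentsApi).put(RoleAssignments.class, roleAssignmentEntryParam);
        validateRoleAssignmentCreateSuccess(roleAssignmentEntryParam, roleAssignmentCreateResp);
        String ldapViPRUser1Name = getUserWithDomain(0);
        BalancedWebResource ldapViPRUser1 = null;
        try {
            ldapViPRUser1 = getHttpsClient(ldapViPRUser1Name, getLDAPUserPassword());
            // Confirm the grant is visible to the user before relying on it.
            UserInfo ldapViPRUser1UserInfo = ldapViPRUser1.path(getUserWhoAmIApi()).get(UserInfo.class);
            List<String> expectedRoles = new ArrayList<String>();
            expectedRoles.add(getTenantRole(0));
            validateUserTenantRoles(ldapViPRUser1UserInfo, expectedRoles);
            // Attempt to create a sub-tenant as the provider tenant admin. Only the
            // security admin may create tenants, so this must be refused.
            TenantCreateParam createParam = this.getDefaultTenantCreateParam(testName + "Tenant creation by Provider tenant admin should fail.");
            ClientResponse clientCreateResp = ldapViPRUser1.path(getTestApi()).post(ClientResponse.class, createParam);
            String partialExpectedErrorMsg = String.format(ERROR_INSUFFICIENT_PERMISSION_FOR_USER, ldapViPRUser1Name.toLowerCase());
            validateTenantCreateAndEditBadRequest(HttpStatus.SC_FORBIDDEN, partialExpectedErrorMsg, clientCreateResp);
        } finally {
            if (ldapViPRUser1 != null) {
                logoutUser(ldapViPRUser1);
            }
            // Revoke the temporary role grant even if an assertion above failed.
            roleAssignmentEntryParam.getRemove().add(roleAssignmentEntryParam.getAdd().get(0));
            roleAssignmentEntryParam.getAdd().clear();
            roleAssignmentCreateResp = rSys.path(roleAssignmentsApi).put(RoleAssignments.class, roleAssignmentEntryParam);
            validateVDCRoleAssignmentsRemove(roleAssignmentCreateResp, ldapViPRUser1Name, false);
        }
    } finally {
        // Unmap the group from the root tenant regardless of outcome.
        removeUserMapping(rootTenantId, groupToAddInUserMapping);
    }
}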

Example 9 with UserInfo

use of com.emc.storageos.model.user.UserInfo in project coprhd-controller by CoprHD.

the class ApiTest method prepareVdcTest.

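/**
 * Exercises POST /vdc/prepare-vdc, which removes all of root's tenant roles and
 * project ownerships.
 *
 * Before the call, root (SYSADMIN) is set up to be:
 * 1. tenant admin of the provider tenant (granted here only if its home-tenant
 *    role list is empty),
 * 2. owner of a project in the provider tenant,
 * 3. tenant admin of a freshly created sub-tenant (as its creator),
 * 4. owner of a project in that sub-tenant.
 * SUPERUSER is given TENANT_ADMIN on the tenants involved so it can inspect
 * and clean up after root has been stripped.
 *
 * After the call, root's whoami must no longer mention TENANT_ADMIN and neither
 * project's representation may mention root. Cleanup (restore root's role,
 * deactivate both projects and the sub-tenant) runs in a finally block so a
 * failed assertion does not leave the extra tenant and projects behind.
 *
 * @throws Exception any client or assertion failure
 */
public void prepareVdcTest() throws Exception {
    ClientResponse resp = null;
    BalancedWebResource rootUser = createHttpsClient(SYSADMIN, SYSADMIN_PASS_WORD, baseUrls);
    UserInfo info = rootUser.path("/user/whoami").get(UserInfo.class);
    String rootTenantId = info.getTenant();
    String rootToken = (String) _savedTokens.get(SYSADMIN);
    BalancedWebResource superSanity = createHttpsClient(SUPERUSER, AD_PASS_WORD, baseUrls);
    // A first authenticated call is what populates _savedTokens for SUPERUSER.
    superSanity.path("/tenant").get(TenantResponse.class);
    String superSanityToken = (String) _savedTokens.get(SUPERUSER);
    // NOTE(review): "root has TENANT_ADMIN" is approximated by "home-tenant roles
    // non-empty". If root held some other tenant role but not TENANT_ADMIN, the
    // restore in the finally block would grant it TENANT_ADMIN it never had.
    // Checking for the role name explicitly would be safer; left as-is because the
    // element type of getHomeTenantRoles() is not visible here - confirm and tighten.
    boolean bRootHasProviderTenantAdmin = true;
    if (info.getHomeTenantRoles().isEmpty()) {
        bRootHasProviderTenantAdmin = false;
        resp = assignTenantRole(rootTenantId, SYSADMIN, "TENANT_ADMIN");
        Assert.assertEquals(200, resp.getStatus());
        // NOTE(review): this grant to SUPERUSER on the provider tenant is never revoked.
        resp = assignTenantRole(rootTenantId, SUPERUSER, "TENANT_ADMIN");
        Assert.assertEquals(200, resp.getStatus());
    }
    ProjectEntry rootProject1 = null;
    ProjectEntry rootProject2 = null;
    TenantOrgRestRep subtenant = null;
    try {
        // Project in the provider tenant, created (and therefore owned) by root.
        ProjectParam paramProj = new ProjectParam("project_" + new Random().nextInt());
        rootProject1 = rootUser.path(String.format(_projectsUrlFormat, rootTenantId.toString())).header(AUTH_TOKEN_HEADER, rootToken).post(ProjectEntry.class, paramProj);
        Assert.assertTrue(rootProject1.name.equals(paramProj.getName()));
        Assert.assertTrue(rootProject1.id != null);
        // Sub-tenant created by root, which makes root its tenant admin. SUPERUSER is
        // added as well so it can deactivate the sub-tenant once root loses the role.
        String tenantLabel = "tenant_" + new Random().nextInt();
        subtenant = createTenant(tenantLabel, "sanity.local", "key", tenantLabel);
        resp = assignTenantRole(subtenant.getId().toString(), SUPERUSER, "TENANT_ADMIN");
        Assert.assertEquals(200, resp.getStatus());
        // Project in the sub-tenant, again owned by root.
        paramProj = new ProjectParam("project_" + new Random().nextInt());
        rootProject2 = rootUser.path(String.format(_projectsUrlFormat, subtenant.getId().toString())).header(AUTH_TOKEN_HEADER, rootToken).post(ProjectEntry.class, paramProj);
        Assert.assertTrue(rootProject2.name.equals(paramProj.getName()));
        Assert.assertTrue(rootProject2.id != null);
        // The operation under test.
        ClientResponse response = rootUser.path("/vdc/prepare-vdc").header(AUTH_TOKEN_HEADER, rootToken).post(ClientResponse.class);
        Assert.assertEquals(200, response.getStatus());
        // Verification is a substring search over the raw response body. It detects a
        // lingering role/owner, but it would also trip on the literal appearing in any
        // other field (a label or URI), so fixture names must not contain SYSADMIN's name.
        resp = rootUser.path("/user/whoami").get(ClientResponse.class);
        String output = resp.getEntity(String.class);
        Assert.assertFalse(output.contains("TENANT_ADMIN"));
        resp = superSanity.path(String.format(_projectUrl, rootProject1.id.toString())).get(ClientResponse.class);
        output = resp.getEntity(String.class);
        Assert.assertFalse(output.contains(SYSADMIN));
        resp = superSanity.path(String.format(_projectUrl, rootProject2.id.toString())).get(ClientResponse.class);
        output = resp.getEntity(String.class);
        Assert.assertFalse(output.contains(SYSADMIN));
    } finally {
        // Restore root's provider-tenant role only if it held one before the test.
        if (bRootHasProviderTenantAdmin) {
            assignTenantRole(rootTenantId, SYSADMIN, "TENANT_ADMIN");
        }
        // SUPERUSER performs the cleanup: root may no longer hold the roles needed.
        // The null checks are meaningful here because a failure before a resource was
        // created leaves its variable null.
        if (rootProject1 != null) {
            superSanity.path(String.format(_projectUrl + "/deactivate", rootProject1.id.toString())).header(AUTH_TOKEN_HEADER, superSanityToken).post(ClientResponse.class);
        }
        if (rootProject2 != null) {
            superSanity.path(String.format(_projectUrl + "/deactivate", rootProject2.id.toString())).header(AUTH_TOKEN_HEADER, superSanityToken).post(ClientResponse.class);
        }
        if (subtenant != null) {
            superSanity.path("/tenants/" + subtenant.getId() + "/deactivate").header(AUTH_TOKEN_HEADER, superSanityToken).post();
        }
    }
}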

Example 10 with UserInfo

use of com.emc.storageos.model.user.UserInfo in project coprhd-controller by CoprHD.

the class ApiTest method proxyTokenTests.

/**
 * Proxy-token behaviour around GET /proxytoken and AUTH_PROXY_TOKEN_HEADER:
 * - the proxy user on its own cannot read the root tenant (403);
 * - presenting root's proxy token lets the proxy user read it (200);
 * - a caller without the PROXY_USER role cannot use that proxy token (403);
 * - the proxied identity reports root as common name but carries no SECURITY_ADMIN;
 * - a proxied zone admin cannot change VDC role assignments (403);
 * - a forced logout of the issuer with proxytokens=true invalidates the proxy
 *   token, after which the previously successful request is rejected with 401.
 */
private void proxyTokenTests() {
    TenantResponse tenantResp = rSys.path("/tenant").get(TenantResponse.class);
    rootTenantId = tenantResp.getTenant();
    String rootTenantPath = "/tenants/" + rootTenantId.toString();
    // Issue a proxy token for root; the client stashes it under "root".
    ClientResponse resp = rSys.path("/proxytoken").get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    String proxyToken = (String) _savedProxyTokens.get("root");
    Assert.assertNotNull(proxyToken);
    // Without the proxy token the proxy user has no TENANT_ADMIN of its own.
    resp = rProxyUser.path(rootTenantPath).get(ClientResponse.class);
    Assert.assertEquals(403, resp.getStatus());
    // With the proxy token the same call is made on root's behalf.
    resp = rProxyUser.path(rootTenantPath).header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, proxyToken).get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    // A valid proxy token presented by a caller that lacks PROXY_USER is rejected.
    resp = rZAdmin.path(rootTenantPath).header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, proxyToken).get(ClientResponse.class);
    Assert.assertEquals(403, resp.getStatus());
    // The proxied principal is root, but SECURITY_ADMIN must not come with it.
    UserInfo proxiedRoot = rProxyUser.path("/user/whoami").header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, proxyToken).get(UserInfo.class);
    Assert.assertEquals("root", proxiedRoot.getCommonName());
    Assert.assertFalse(proxiedRoot.getVdcRoles().contains(Role.SECURITY_ADMIN.toString()));
    // A zone admin's proxy token must not allow VDC role-assignment changes.
    resp = rZAdmin.path("/proxytoken").get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    String zAdminProxyToken = (String) _savedProxyTokens.get(ZONEADMIN);
    Assert.assertNotNull(zAdminProxyToken);
    resp = rProxyUser.path("/vdc/role-assignments").header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, zAdminProxyToken).put(ClientResponse.class, new RoleAssignmentChanges());
    Assert.assertEquals(403, resp.getStatus());
    // Forced logout of the issuer with proxytokens=true is expected to revoke its proxy
    // tokens too, so the call that succeeded above must now fail authentication.
    // The ".xml" suffix exercises the logout filter's forwarding; a mixed-case variant
    // of the path is kept below but disabled.
    // resp = rSys.path("/loGout.XmL").queryParam("force", "true").get(ClientResponse.class);
    resp = rSys.path("/logout.xml").queryParam("force", "true").queryParam("proxytokens", "true").get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    resp = rProxyUser.path(rootTenantPath).header(ApiTestBase.AUTH_PROXY_TOKEN_HEADER, proxyToken).get(ClientResponse.class);
    Assert.assertEquals(401, resp.getStatus());
}
