Example 16 with CerberusPrincipal

use of com.nike.cerberus.security.CerberusPrincipal in project cerberus by Nike-Inc.

The class PermissionValidationServiceTest, method testDoesPrincipalHaveOwnerPermissionsWithGroupsCaseSensitiveAndUserGroupsInUpperCase.

@Test
public void testDoesPrincipalHaveOwnerPermissionsWithGroupsCaseSensitiveAndUserGroupsInUpperCase() {
    // Case-sensitive group matching: the principal's "USERGROUP1" must not be treated as
    // the owner group "userGroup1", so the owner check has to fail.
    PermissionValidationService permissionValidationService = createPermissionValidationServiceWithGroupCaseSensitive(true);
    Set<String> userGroups = new HashSet<>();
    userGroups.add("USERGROUP1");
    SafeDepositBoxV2 safeDepositBoxV2 = mockSafeDepositBoxV2WithOwner("userGroup1");
    Mockito.when(safeDepositBoxService.getSafeDepositBoxDangerouslyWithoutPermissionValidation("sdbId")).thenReturn(safeDepositBoxV2);
    CerberusPrincipal cerberusPrincipal = mockCerberusPrincipalWithPrincipalTypeAndUserGroups(PrincipalType.USER, userGroups);
    boolean hasOwnerPermission = permissionValidationService.doesPrincipalHaveOwnerPermissions(cerberusPrincipal, "sdbId");
    Assert.assertFalse(hasOwnerPermission);
}
Also used : SafeDepositBoxV2(com.nike.cerberus.domain.SafeDepositBoxV2) CerberusPrincipal(com.nike.cerberus.security.CerberusPrincipal) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 17 with CerberusPrincipal

use of com.nike.cerberus.security.CerberusPrincipal in project cerberus by Nike-Inc.

The class PermissionValidationServiceTest, method testDoesPrincipalHaveOwnerPermissionsWithPrincipalTypeIAMWhenRoleIsNotAssumed.

@Test
public void testDoesPrincipalHaveOwnerPermissionsWithPrincipalTypeIAMWhenRoleIsNotAssumed() {
    // IAM principal whose ARN is not an STS assumed-role ARN: the owner check must be resolved
    // through doesIamPrincipalHaveRoleForSdb using the principal ARN and the account-root ARN,
    // and the assumed-role lookup must never be consulted.
    PermissionValidationService permissionValidationService = createPermissionValidationServiceWithGroupCaseSensitive(false);
    SafeDepositBoxV2 safeDepositBoxV2 = mockSafeDepositBoxV2WithId("id");
    Mockito.when(safeDepositBoxService.getSafeDepositBoxDangerouslyWithoutPermissionValidation("sdbId")).thenReturn(safeDepositBoxV2);
    CerberusPrincipal cerberusPrincipal = mockCerberusPrincipalWithPrincipalTypeAndName(PrincipalType.IAM, IAM_PRINCIPAL_ARN);
    String iamRootArn = "iamRootArn";
    Mockito.when(awsIamRoleArnParser.convertPrincipalArnToRootArn(IAM_PRINCIPAL_ARN)).thenReturn(iamRootArn);
    Mockito.when(awsIamRoleArnParser.isAssumedRoleArn(IAM_PRINCIPAL_ARN)).thenReturn(false);
    // Stubbed so that a wrong branch would not fail on a null ARN; the verify below asserts it is never used.
    String iamRoleArn = "iamRoleArn";
    Mockito.when(awsIamRoleArnParser.convertPrincipalArnToRoleArn(IAM_PRINCIPAL_ARN)).thenReturn(iamRoleArn);
    Mockito.when(permissionsDao.doesIamPrincipalHaveRoleForSdb(Mockito.eq("id"), Mockito.eq(IAM_PRINCIPAL_ARN), Mockito.eq(iamRootArn), Mockito.anySet())).thenReturn(true);
    boolean hasOwnerPermission = permissionValidationService.doesPrincipalHaveOwnerPermissions(cerberusPrincipal, "sdbId");
    Assert.assertTrue(hasOwnerPermission);
    Mockito.verify(awsIamRoleArnParser).convertPrincipalArnToRootArn(IAM_PRINCIPAL_ARN);
    Mockito.verify(awsIamRoleArnParser).isAssumedRoleArn(IAM_PRINCIPAL_ARN);
    Mockito.verify(awsIamRoleArnParser, Mockito.never()).convertPrincipalArnToRoleArn(IAM_PRINCIPAL_ARN);
    Mockito.verify(permissionsDao, Mockito.never()).doesAssumedRoleHaveRoleForSdb(Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anySet());
}
Also used : SafeDepositBoxV2(com.nike.cerberus.domain.SafeDepositBoxV2) CerberusPrincipal(com.nike.cerberus.security.CerberusPrincipal) Test(org.junit.Test)

Example 18 with CerberusPrincipal

use of com.nike.cerberus.security.CerberusPrincipal in project cerberus by Nike-Inc.

The class PermissionValidationServiceTest, method testDoesPrincipalHaveReadPermissionWithPrincipalTypeAndGroupsCaseSensitiveHavingUserGroupsInUpperCase.

@Test
public void testDoesPrincipalHaveReadPermissionWithPrincipalTypeAndGroupsCaseSensitiveHavingUserGroupsInUpperCase() {
    // Same case-sensitivity rule applied to the read check: an upper-cased group name must not
    // match the group that holds the SDB permission, so no read access is granted.
    PermissionValidationService permissionValidationService = createPermissionValidationServiceWithGroupCaseSensitive(true);
    Set<String> userGroups = new HashSet<>();
    userGroups.add("USERGROUP1");
    CerberusPrincipal cerberusPrincipal = mockCerberusPrincipalWithPrincipalTypeAndUserGroups(PrincipalType.USER, userGroups);
    Set<UserGroupPermission> userGroupPermissions = mockUserGroupPermissionWithName();
    Mockito.when(userGroupPermissionService.getUserGroupPermissions("sdbId")).thenReturn(userGroupPermissions);
    boolean hasPermission = permissionValidationService.doesPrincipalHaveReadPermission(cerberusPrincipal, "sdbId");
    Assert.assertFalse(hasPermission);
}
Also used : UserGroupPermission(com.nike.cerberus.domain.UserGroupPermission) CerberusPrincipal(com.nike.cerberus.security.CerberusPrincipal) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 19 with CerberusPrincipal

use of com.nike.cerberus.security.CerberusPrincipal in project cerberus by Nike-Inc.

The class PermissionValidationServiceTest, method testDoesPrincipalHavePermissionForSdbWithPrincipalTypeIAMAndRoleIsAssumed.

@Test
public void testDoesPrincipalHavePermissionForSdbWithPrincipalTypeIAMAndRoleIsAssumed() {
    // IAM principal presenting an STS assumed-role ARN: the check must go through
    // doesAssumedRoleHaveRoleForSdb with the principal ARN, the derived IAM role ARN and the
    // account-root ARN, and the plain IAM-principal lookup must never be consulted.
    PermissionValidationService permissionValidationService = createPermissionValidationServiceWithGroupCaseSensitive(true);
    CerberusPrincipal cerberusPrincipal = mockCerberusPrincipalWithPrincipalTypeAndName(PrincipalType.IAM, IAM_PRINCIPAL_ARN);
    String iamRootArn = "iamRootArn";
    Mockito.when(awsIamRoleArnParser.convertPrincipalArnToRootArn(IAM_PRINCIPAL_ARN)).thenReturn(iamRootArn);
    Mockito.when(awsIamRoleArnParser.isAssumedRoleArn(IAM_PRINCIPAL_ARN)).thenReturn(true);
    String iamRoleArn = "iamRoleArn";
    Mockito.when(awsIamRoleArnParser.convertPrincipalArnToRoleArn(IAM_PRINCIPAL_ARN)).thenReturn(iamRoleArn);
    Mockito.when(permissionsDao.doesAssumedRoleHaveRoleForSdb(Mockito.eq("sdbId"), Mockito.eq(IAM_PRINCIPAL_ARN), Mockito.eq(iamRoleArn), Mockito.eq(iamRootArn), Mockito.anySet())).thenReturn(true);
    boolean hasPermission = permissionValidationService.doesPrincipalHavePermissionForSdb(cerberusPrincipal, "sdbId", SecureDataAction.READ);
    Assert.assertTrue(hasPermission);
    Mockito.verify(awsIamRoleArnParser).convertPrincipalArnToRootArn(IAM_PRINCIPAL_ARN);
    Mockito.verify(awsIamRoleArnParser).isAssumedRoleArn(IAM_PRINCIPAL_ARN);
    Mockito.verify(awsIamRoleArnParser).convertPrincipalArnToRoleArn(IAM_PRINCIPAL_ARN);
    Mockito.verify(permissionsDao, Mockito.never()).doesIamPrincipalHaveRoleForSdb(Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anySet());
}
Also used : CerberusPrincipal(com.nike.cerberus.security.CerberusPrincipal) Test(org.junit.Test)
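Examples 17 and 19 pin down the two IAM lookup paths by mocking AwsIamRoleArnParser, so the ARN handling itself never appears on this page. The following is an added example, written for this page and not Cerberus's own AwsIamRoleArnParser: it implements the three mocked method names over the standard AWS ARN shapes (IAM role, IAM user, STS assumed-role) and then walks the same branch the two tests verify. The regular expressions, the rejection of unrecognised ARNs and the sample ARNs are this example's own assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Cerberus's AwsIamRoleArnParser: a minimal parser for the ARN shapes
// the tests above distinguish. Method names mirror the ones the tests mock; the regexes
// and error handling are this example's own assumptions.
public final class SimpleArnParser {

    // IAM role ARN, optionally with a path: arn:<partition>:iam::<account>:role/<path/>name
    private static final Pattern ROLE_ARN = Pattern.compile(
            "^arn:(aws[a-z-]*):iam::(\\d{12}):role/(?:[^/]+/)*([^/]+)$");
    // IAM user ARN, optionally with a path: arn:<partition>:iam::<account>:user/<path/>name
    private static final Pattern USER_ARN = Pattern.compile(
            "^arn:(aws[a-z-]*):iam::(\\d{12}):user/(?:[^/]+/)*([^/]+)$");
    // STS assumed-role ARN: arn:<partition>:sts::<account>:assumed-role/<role-name>/<session-name>
    private static final Pattern ASSUMED_ROLE_ARN = Pattern.compile(
            "^arn:(aws[a-z-]*):sts::(\\d{12}):assumed-role/([^/]+)/([^/]+)$");

    public boolean isAssumedRoleArn(String arn) {
        return ASSUMED_ROLE_ARN.matcher(arn).matches();
    }

    // Account root ARN for any supported principal: arn:<partition>:iam::<account>:root
    public String convertPrincipalArnToRootArn(String arn) {
        Matcher m = firstMatch(arn);
        return "arn:" + m.group(1) + ":iam::" + m.group(2) + ":root";
    }

    // Assumed-role ARN -> the underlying IAM role ARN. STS assumed-role ARNs carry no IAM
    // path, so a role created under a path cannot be reconstructed exactly from its session
    // ARN; a permission store keyed on full role ARNs has to account for that.
    public String convertPrincipalArnToRoleArn(String arn) {
        Matcher m = ASSUMED_ROLE_ARN.matcher(arn);
        if (!m.matches()) {
            throw new IllegalArgumentException("not an assumed-role ARN: " + arn);
        }
        return "arn:" + m.group(1) + ":iam::" + m.group(2) + ":role/" + m.group(3);
    }

    private static Matcher firstMatch(String arn) {
        for (Pattern p : new Pattern[] {ASSUMED_ROLE_ARN, ROLE_ARN, USER_ARN}) {
            Matcher m = p.matcher(arn);
            if (m.matches()) {
                return m;
            }
        }
        // Reject anything else rather than guessing an account id out of an arbitrary string.
        throw new IllegalArgumentException("unsupported principal ARN: " + arn);
    }

    // The branch the tests verify: assumed-role principals are looked up by role ARN plus
    // root ARN, plain IAM principals by their own ARN plus root ARN.
    public static void main(String[] args) {
        SimpleArnParser parser = new SimpleArnParser();
        String[] principals = {   // constructed sample ARNs
                "arn:aws:sts::123456789012:assumed-role/cerberus-client/i-0123456789abcdef0",
                "arn:aws:iam::123456789012:role/cerberus-client",
                "arn:aws-us-gov:iam::123456789012:user/alice",
        };
        for (String principal : principals) {
            String root = parser.convertPrincipalArnToRootArn(principal);
            if (parser.isAssumedRoleArn(principal)) {
                System.out.println("assumed-role lookup: role="
                        + parser.convertPrincipalArnToRoleArn(principal) + " root=" + root);
            } else {
                System.out.println("iam principal lookup: principal=" + principal + " root=" + root);
            }
        }
    }
}
```

Run it with `java SimpleArnParser.java` (Java 11 or later). The first sample takes the assumed-role branch and the other two the plain IAM branch, which is the split Examples 17 and 19 assert with their `Mockito.never()` checks. The choice to throw on an unrecognised ARN instead of returning null is deliberate: a permission check that silently derives an empty or wrong root ARN would be comparing against the wrong grant set.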

Example 20 with CerberusPrincipal

use of com.nike.cerberus.security.CerberusPrincipal in project cerberus by Nike-Inc.

The class PermissionValidationServiceTest, method testDoesPrincipalHaveReadPermissionWithPrincipalTypeAndGroupsCaseInSensitiveHavingUserGroupsInLowerCase.

@Test
public void testDoesPrincipalHaveReadPermissionWithPrincipalTypeAndGroupsCaseInSensitiveHavingUserGroupsInLowerCase() {
    // Case-insensitive group matching: a lower-cased group name is accepted as the group that
    // holds the SDB permission, so read access is granted.
    PermissionValidationService permissionValidationService = createPermissionValidationServiceWithGroupCaseSensitive(false);
    Set<String> userGroups = new HashSet<>();
    userGroups.add("usergroup1");
    CerberusPrincipal cerberusPrincipal = mockCerberusPrincipalWithPrincipalTypeAndUserGroups(PrincipalType.USER, userGroups);
    Set<UserGroupPermission> userGroupPermissions = mockUserGroupPermissionWithName();
    Mockito.when(userGroupPermissionService.getUserGroupPermissions("sdbId")).thenReturn(userGroupPermissions);
    boolean hasPermission = permissionValidationService.doesPrincipalHaveReadPermission(cerberusPrincipal, "sdbId");
    Assert.assertTrue(hasPermission);
}
Also used : UserGroupPermission(com.nike.cerberus.domain.UserGroupPermission) CerberusPrincipal(com.nike.cerberus.security.CerberusPrincipal) HashSet(java.util.HashSet) Test(org.junit.Test)
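Examples 16, 18 and 20 fix the behaviour of the group-case-sensitivity switch from the outside, through mocks, without showing a comparison. The following is an added example, written for this page and not the project's PermissionValidationService: a group-matching helper with the same kind of switch, applied to an owner check and a read check. The group name "userGroup1" assumed for the permission-holding group in Examples 18 and 20, and the method and class names, are this example's own assumptions.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example, not the project's PermissionValidationService: the group comparison the
// three tests above pin down, behind a case-sensitivity switch.
public final class GroupMatchExample {

    private final boolean groupsCaseSensitive;

    public GroupMatchExample(boolean groupsCaseSensitive) {
        this.groupsCaseSensitive = groupsCaseSensitive;
    }

    // Locale.ROOT matters: toLowerCase() with the default locale folds "I" differently under
    // Turkish locales, which would make an authorization decision depend on the server locale.
    private String normalize(String group) {
        return groupsCaseSensitive ? group : group.toLowerCase(Locale.ROOT);
    }

    // Groups of the principal that appear in the SDB's group set, compared after normalization.
    public Set<String> matchingGroups(Set<String> principalGroups, Set<String> sdbGroups) {
        Set<String> normalizedSdb = new HashSet<>();
        for (String g : sdbGroups) {
            normalizedSdb.add(normalize(g));
        }
        Set<String> hits = new HashSet<>();
        for (String g : principalGroups) {
            if (normalizedSdb.contains(normalize(g))) {
                hits.add(g);
            }
        }
        return hits;
    }

    public boolean isOwner(Set<String> principalGroups, String ownerGroup) {
        return !matchingGroups(principalGroups, Collections.singleton(ownerGroup)).isEmpty();
    }

    // sdbPermissions maps group name -> role granted on the SDB (assumed shape, e.g. "read").
    public boolean hasRead(Set<String> principalGroups, Map<String, String> sdbPermissions) {
        return !matchingGroups(principalGroups, sdbPermissions.keySet()).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the three tests above.
        Set<String> upper = Collections.singleton("USERGROUP1");
        Set<String> lower = Collections.singleton("usergroup1");
        Map<String, String> perms = Collections.singletonMap("userGroup1", "read");

        System.out.println("sensitive, owner userGroup1, principal USERGROUP1: "
                + new GroupMatchExample(true).isOwner(upper, "userGroup1"));
        System.out.println("sensitive, read via userGroup1, principal USERGROUP1: "
                + new GroupMatchExample(true).hasRead(upper, perms));
        System.out.println("insensitive, read via userGroup1, principal usergroup1: "
                + new GroupMatchExample(false).hasRead(lower, perms));
        // Case-insensitive mode also merges groups that differ only by case, so it is only safe
        // when the identity provider guarantees group names are unique ignoring case.
        System.out.println("insensitive, owner admins, principal ADMINS: "
                + new GroupMatchExample(false).isOwner(Collections.singleton("ADMINS"), "admins"));
    }
}
```

Run it with `java GroupMatchExample.java`. The first three lines reproduce the outcomes asserted in Examples 16, 18 and 20; the fourth shows the trade-off behind the switch: case-insensitive matching is more forgiving of how an identity provider emits group names, but it widens every grant to all case variants of the group, so it should only be enabled where the directory guarantees uniqueness ignoring case.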

Aggregations

CerberusPrincipal (com.nike.cerberus.security.CerberusPrincipal) 33
Test (org.junit.Test) 27
HashSet (java.util.HashSet) 11
SafeDepositBoxV2 (com.nike.cerberus.domain.SafeDepositBoxV2) 7
ApiException (com.nike.backstopper.exception.ApiException) 4
UserGroupPermission (com.nike.cerberus.domain.UserGroupPermission) 4
SafeDepositBoxSummary (com.nike.cerberus.domain.SafeDepositBoxSummary) 3
RequestAttributes (org.springframework.web.context.request.RequestAttributes) 3
ServletRequestAttributes (org.springframework.web.context.request.ServletRequestAttributes) 3
JsonProcessingException (com.fasterxml.jackson.core.JsonProcessingException) 2
SafeDepositBoxRecord (com.nike.cerberus.record.SafeDepositBoxRecord) 2
SuppressFBWarnings (edu.umd.cs.findbugs.annotations.SuppressFBWarnings) 2
OffsetDateTime (java.time.OffsetDateTime) 2
IsInstanceOf (org.hamcrest.core.IsInstanceOf) 2
PrincipalType (com.nike.cerberus.PrincipalType) 1
AuthResponse (com.nike.cerberus.auth.connector.AuthResponse) 1
CerberusAuthToken (com.nike.cerberus.domain.CerberusAuthToken) 1
PrincipalHasWritePermsForPath (com.nike.cerberus.security.PrincipalHasWritePermsForPath) 1
ArrayList (java.util.ArrayList) 1
HttpEntity (org.springframework.http.HttpEntity) 1