use of com.nike.cerberus.security.CerberusPrincipal in project cerberus by Nike-Inc.
the class PermissionValidationServiceTest method testDoesPrincipalHaveOwnerPermissionsWithGroupsCaseSensitiveAndUserGroupsInUpperCase.
@Test
public void testDoesPrincipalHaveOwnerPermissionsWithGroupsCaseSensitiveAndUserGroupsInUpperCase() {
    // With case-sensitive group matching enabled, a principal in "USERGROUP1" must not be
    // treated as a member of the owner group "userGroup1"; a case variant of a group name
    // must not be enough to obtain owner rights on the SDB.
    PermissionValidationService service = createPermissionValidationServiceWithGroupCaseSensitive(true);
    final String sdbId = "sdbId";

    Set<String> upperCaseGroups = new HashSet<>();
    upperCaseGroups.add("USERGROUP1");

    // The SDB under test is owned by the lower-camel-case spelling of the same group.
    SafeDepositBoxV2 sdb = mockSafeDepositBoxV2WithOwner("userGroup1");
    Mockito.when(safeDepositBoxService.getSafeDepositBoxDangerouslyWithoutPermissionValidation(sdbId)).thenReturn(sdb);

    CerberusPrincipal principal = mockCerberusPrincipalWithPrincipalTypeAndUserGroups(PrincipalType.USER, upperCaseGroups);

    boolean isOwner = service.doesPrincipalHaveOwnerPermissions(principal, sdbId);

    Assert.assertFalse(isOwner);
}
use of com.nike.cerberus.security.CerberusPrincipal in project cerberus by Nike-Inc.
the class PermissionValidationServiceTest method testDoesPrincipalHaveOwnerPermissionsWithPrincipalTypeIAMWhenRoleIsNotAssumed.
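@Test
public void testDoesPrincipalHaveOwnerPermissionsWithPrincipalTypeIAMWhenRoleIsNotAssumed() {
    // Owner check for an IAM principal whose ARN is NOT an assumed-role ARN. The service is
    // expected to resolve the root ARN and answer from the IAM-principal DAO path, and must
    // never enter the assumed-role path (no role-ARN conversion, no assumed-role DAO query).
    PermissionValidationService service = createPermissionValidationServiceWithGroupCaseSensitive(false);
    final String sdbId = "sdbId";
    // The mocked SDB carries id "id"; the DAO stub below is keyed on that id, not on sdbId.
    final String sdbInternalId = "id";

    SafeDepositBoxV2 sdb = mockSafeDepositBoxV2WithId(sdbInternalId);
    Mockito.when(safeDepositBoxService.getSafeDepositBoxDangerouslyWithoutPermissionValidation(sdbId)).thenReturn(sdb);

    CerberusPrincipal principal = mockCerberusPrincipalWithPrincipalTypeAndName(PrincipalType.IAM, IAM_PRINCIPAL_ARN);

    String iamRootArn = "iamRootArn";
    Mockito.when(awsIamRoleArnParser.convertPrincipalArnToRootArn(IAM_PRINCIPAL_ARN)).thenReturn(iamRootArn);
    Mockito.when(awsIamRoleArnParser.isAssumedRoleArn(IAM_PRINCIPAL_ARN)).thenReturn(false);
    // convertPrincipalArnToRoleArn is intentionally left unstubbed: the assertions below verify it is
    // never invoked for a non-assumed-role ARN, so stubbing it would only be dead setup (and would
    // trip Mockito's unnecessary-stubbing detection under strict stubs).
    Mockito.when(permissionsDao.doesIamPrincipalHaveRoleForSdb(
            Mockito.eq(sdbInternalId), Mockito.eq(IAM_PRINCIPAL_ARN), Mockito.eq(iamRootArn), Mockito.anySet()))
        .thenReturn(true);

    boolean hasOwnerPermission = service.doesPrincipalHaveOwnerPermissions(principal, sdbId);

    Assert.assertTrue(hasOwnerPermission);
    Mockito.verify(awsIamRoleArnParser).convertPrincipalArnToRootArn(IAM_PRINCIPAL_ARN);
    Mockito.verify(awsIamRoleArnParser).isAssumedRoleArn(IAM_PRINCIPAL_ARN);
    // Neither half of the assumed-role path may run for a plain IAM principal.
    Mockito.verify(awsIamRoleArnParser, Mockito.never()).convertPrincipalArnToRoleArn(IAM_PRINCIPAL_ARN);
    Mockito.verify(permissionsDao, Mockito.never()).doesAssumedRoleHaveRoleForSdb(
            Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anySet());
}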
use of com.nike.cerberus.security.CerberusPrincipal in project cerberus by Nike-Inc.
the class PermissionValidationServiceTest method testDoesPrincipalHaveReadPermissionWithPrincipalTypeAndGroupsCaseSensitiveHavingUserGroupsInUpperCase.
@Test
public void testDoesPrincipalHaveReadPermissionWithPrincipalTypeAndGroupsCaseSensitiveHavingUserGroupsInUpperCase() {
    // Case-sensitive group matching: a USER principal whose only group is "USERGROUP1" must not be
    // granted read access through the SDB's group permissions. (The exact group name carried by
    // mockUserGroupPermissionWithName() is defined elsewhere in this class; the test name implies
    // it differs from "USERGROUP1" only by case.)
    PermissionValidationService service = createPermissionValidationServiceWithGroupCaseSensitive(true);
    final String sdbId = "sdbId";

    Set<String> upperCaseGroups = new HashSet<>();
    upperCaseGroups.add("USERGROUP1");
    CerberusPrincipal principal = mockCerberusPrincipalWithPrincipalTypeAndUserGroups(PrincipalType.USER, upperCaseGroups);

    Set<UserGroupPermission> sdbGroupPermissions = mockUserGroupPermissionWithName();
    Mockito.when(userGroupPermissionService.getUserGroupPermissions(sdbId)).thenReturn(sdbGroupPermissions);

    boolean canRead = service.doesPrincipalHaveReadPermission(principal, sdbId);

    Assert.assertFalse(canRead);
}
use of com.nike.cerberus.security.CerberusPrincipal in project cerberus by Nike-Inc.
the class PermissionValidationServiceTest method testDoesPrincipalHavePermissionForSdbWithPrincipalTypeIAMAndRoleIsAssumed.
@Test
public void testDoesPrincipalHavePermissionForSdbWithPrincipalTypeIAMAndRoleIsAssumed() {
    // READ check for an IAM principal whose ARN IS an assumed-role ARN. The service is expected to
    // derive both the root ARN and the role ARN and to decide via the assumed-role DAO query; the
    // plain IAM-principal DAO query must not be used for this principal.
    PermissionValidationService service = createPermissionValidationServiceWithGroupCaseSensitive(true);
    final String sdbId = "sdbId";

    CerberusPrincipal principal = mockCerberusPrincipalWithPrincipalTypeAndName(PrincipalType.IAM, IAM_PRINCIPAL_ARN);

    String rootArn = "iamRootArn";
    String roleArn = "iamRoleArn";
    Mockito.when(awsIamRoleArnParser.convertPrincipalArnToRootArn(IAM_PRINCIPAL_ARN)).thenReturn(rootArn);
    Mockito.when(awsIamRoleArnParser.isAssumedRoleArn(IAM_PRINCIPAL_ARN)).thenReturn(true);
    Mockito.when(awsIamRoleArnParser.convertPrincipalArnToRoleArn(IAM_PRINCIPAL_ARN)).thenReturn(roleArn);
    Mockito.when(permissionsDao.doesAssumedRoleHaveRoleForSdb(
            Mockito.eq(sdbId), Mockito.eq(IAM_PRINCIPAL_ARN), Mockito.eq(roleArn), Mockito.eq(rootArn), Mockito.anySet()))
        .thenReturn(true);

    boolean canRead = service.doesPrincipalHavePermissionForSdb(principal, sdbId, SecureDataAction.READ);

    Assert.assertTrue(canRead);
    Mockito.verify(awsIamRoleArnParser).convertPrincipalArnToRootArn(IAM_PRINCIPAL_ARN);
    Mockito.verify(awsIamRoleArnParser).isAssumedRoleArn(IAM_PRINCIPAL_ARN);
    Mockito.verify(awsIamRoleArnParser).convertPrincipalArnToRoleArn(IAM_PRINCIPAL_ARN);
    // The non-assumed-role lookup must stay untouched for an assumed-role principal.
    Mockito.verify(permissionsDao, Mockito.never()).doesIamPrincipalHaveRoleForSdb(
            Mockito.anyString(), Mockito.anyString(), Mockito.anyString(), Mockito.anySet());
}
use of com.nike.cerberus.security.CerberusPrincipal in project cerberus by Nike-Inc.
the class PermissionValidationServiceTest method testDoesPrincipalHaveReadPermissionWithPrincipalTypeAndGroupsCaseInSensitiveHavingUserGroupsInLowerCase.
@Test
public void testDoesPrincipalHaveReadPermissionWithPrincipalTypeAndGroupsCaseInSensitiveHavingUserGroupsInLowerCase() {
    // Case-insensitive group matching: a USER principal in "usergroup1" is granted read access via
    // the SDB's group permissions. (The group name returned by mockUserGroupPermissionWithName() is
    // defined elsewhere in this class; the test name implies it matches "usergroup1" ignoring case.)
    PermissionValidationService service = createPermissionValidationServiceWithGroupCaseSensitive(false);
    final String sdbId = "sdbId";

    Set<String> lowerCaseGroups = new HashSet<>();
    lowerCaseGroups.add("usergroup1");
    CerberusPrincipal principal = mockCerberusPrincipalWithPrincipalTypeAndUserGroups(PrincipalType.USER, lowerCaseGroups);

    Set<UserGroupPermission> sdbGroupPermissions = mockUserGroupPermissionWithName();
    Mockito.when(userGroupPermissionService.getUserGroupPermissions(sdbId)).thenReturn(sdbGroupPermissions);

    boolean canRead = service.doesPrincipalHaveReadPermission(principal, sdbId);

    Assert.assertTrue(canRead);
}