Example 1 with InternalUserPermissions

Use of com.redhat.cloud.notifications.routers.internal.models.InternalUserPermissions in the project notifications-backend by RedHatInsights.

From the class InternalPermissionResource, method getPermissions:

@GET
@Path("/me")
@Produces(MediaType.APPLICATION_JSON)
// Overrides admin permission
@RolesAllowed(ConsoleIdentityProvider.RBAC_INTERNAL_USER)
public InternalUserPermissions getPermissions() {
    InternalUserPermissions permissions = new InternalUserPermissions();
    // Internal admins get the admin flag only; no per-application entries or roles are listed.
    if (securityIdentity.hasRole(ConsoleIdentityProvider.RBAC_INTERNAL_ADMIN)) {
        permissions.setAdmin(true);
        return permissions;
    }
    // Keep only the caller's roles that carry the internal prefix, and strip that prefix.
    String privateRolePrefix = InternalRoleAccess.INTERNAL_ROLE_PREFIX;
    Set<String> roles = securityIdentity.getRoles().stream()
            .filter(s -> s.startsWith(privateRolePrefix))
            .map(s -> s.substring(privateRolePrefix.length()))
            .collect(Collectors.toSet());
    permissions.getRoles().addAll(roles);
    // Resolve those roles to the applications they have been granted access to.
    List<InternalRoleAccess> accessList = internalRoleAccessRepository.getByRoles(roles);
    for (InternalRoleAccess access : accessList) {
        permissions.addApplication(access.getApplicationId(), access.getApplication().getDisplayName());
    }
    return permissions;
}

Example 2 with InternalUserPermissions

Use of com.redhat.cloud.notifications.routers.internal.models.InternalUserPermissions in the project notifications-backend by RedHatInsights.

From the class InternalPermissionsServiceTest, method createAppWithPermissions:

@Test
void createAppWithPermissions() {
    String appRole = "crc-app-team";
    Header turnpikeAdminHeader = TestHelpers.createTurnpikeIdentityHeader("admin", adminRole);
    Header turnpikeAppDev = TestHelpers.createTurnpikeIdentityHeader("app-admin", appRole);
    String bundleId = CrudTestHelpers.createBundle(turnpikeAdminHeader, "test-with-permission-bundle", "Test permissions Bundle", 200).get();
    // regular user can't create apps without a role
    CrudTestHelpers.createApp(turnpikeAppDev, bundleId, "will-fail", "will-faill", null, 403);
    // regular user can't create apps with a role they do not own
    CrudTestHelpers.createApp(turnpikeAppDev, bundleId, "will-fail", "will-faill", "policies-team", 403);
    // regular users can create apps with a role they own
    String appDisplayName = "Test permissions App";
    String appId = CrudTestHelpers.createApp(turnpikeAppDev, bundleId, "app-with-role", appDisplayName, appRole, 200).get();
    InternalUserPermissions permissions = permissions(turnpikeAppDev);
    assertEquals(List.of(new InternalUserPermissions.Application(UUID.fromString(appId), appDisplayName)), permissions.getApplications());
    // admins can create apps without a role
    CrudTestHelpers.createApp(turnpikeAdminHeader, bundleId, "i-will-succeed-no-role", "i-will-succeed-no-role", null, 200);
    // admins can create apps with any role
    CrudTestHelpers.createApp(turnpikeAdminHeader, bundleId, "i-will-succeed-with-role", "i-will-succeed-with-role", "policies-team", 200);
}

Example 3 with InternalUserPermissions

Use of com.redhat.cloud.notifications.routers.internal.models.InternalUserPermissions in the project notifications-backend by RedHatInsights.

From the class InternalPermissionsServiceTest, method userAccess:

@Test
void userAccess() {
    String appRole = "crc-app-team";
    String otherRole = "other-role";
    Header turnpikeAdminHeader = TestHelpers.createTurnpikeIdentityHeader("admin", adminRole);
    Header turnpikeAppDev = TestHelpers.createTurnpikeIdentityHeader("app-admin", appRole, otherRole);
    String bundleId = CrudTestHelpers.createBundle(turnpikeAdminHeader, "test-permission-bundle", "Test permissions Bundle", 200).get();
    String appDisplayName = "Test permissions App";
    String appId = CrudTestHelpers.createApp(turnpikeAdminHeader, bundleId, "test-permission-app", appDisplayName, null, 200).get();
    // admin - Has admin access and no applicationIds and no roles.
    InternalUserPermissions permissions = permissions(turnpikeAdminHeader);
    assertTrue(permissions.isAdmin());
    assertTrue(permissions.getApplications().isEmpty());
    assertTrue(permissions.getRoles().isEmpty());
    // App admin - no permissions are set yet, no admin, no applicationIds but has roles
    permissions = permissions(turnpikeAppDev);
    assertFalse(permissions.isAdmin());
    assertTrue(permissions.getApplications().isEmpty());
    assertEquals(List.of(appRole, otherRole), permissions.getRoles());
    // Can't create an event type without the permission
    CrudTestHelpers.createEventType(turnpikeAppDev, appId, "my-event", "My event", "Event description", 403);
    // non admins can't create a role
    CrudTestHelpers.createInternalRoleAccess(turnpikeAppDev, appRole, appId, 403);
    // Give permissions to appRole over appId
    String appRoleInternalAccessId = CrudTestHelpers.createInternalRoleAccess(turnpikeAdminHeader, appRole, appId, 200).get();
    // Non admins can't create a role - even if they have permissions to an app
    CrudTestHelpers.createInternalRoleAccess(turnpikeAppDev, appRole, appId, 403);
    // App admin - no admin, applicationIds is [ appId ] and has roles
    permissions = permissions(turnpikeAppDev);
    assertFalse(permissions.isAdmin());
    assertEquals(List.of(new InternalUserPermissions.Application(UUID.fromString(appId), appDisplayName)), permissions.getApplications());
    assertEquals(List.of(appRole, otherRole), permissions.getRoles());
    // We can create the event type now
    String eventTypeId = CrudTestHelpers.createEventType(turnpikeAppDev, appId, "my-event", "My event", "Event description", 200).get();
    List<Map> roleAccessList = given().header(turnpikeAdminHeader).get("/internal/access").then().contentType(JSON).statusCode(200).extract().as(List.class);
    assertEquals(1, roleAccessList.size());
    // Give permissions to randomRole over appId
    CrudTestHelpers.createInternalRoleAccess(turnpikeAdminHeader, "random-role", appId, 200);
    roleAccessList = given().header(turnpikeAdminHeader).get("/internal/access").then().contentType(JSON).statusCode(200).extract().jsonPath().getList(".");
    assertEquals(2, roleAccessList.size());
    CrudTestHelpers.deleteInternalRoleAccess(turnpikeAdminHeader, appRoleInternalAccessId, 204);
    // permission removed
    permissions = permissions(turnpikeAppDev);
    assertFalse(permissions.isAdmin());
    assertTrue(permissions.getApplications().isEmpty());
    // Without permissions we can't remove the event type
    CrudTestHelpers.deleteEventType(turnpikeAppDev, eventTypeId, null, 403);
    // but the admin can
    CrudTestHelpers.deleteEventType(turnpikeAdminHeader, eventTypeId, true, 200);
}