Example 1 with Permission

use of org.killbill.billing.security.Permission in project killbill by killbill.

From the class TestSecurity, method testUserPermission:

@Test(groups = "slow")
public void testUserPermission() throws KillBillClientException {
    final String roleDefinition = "notEnoughToAddUserAndRoles";
    // Build a role that holds every permission except those in the "user" group,
    // i.e. a role that cannot manage users or role definitions.
    final List<String> permissions = new ArrayList<String>();
    for (Permission cur : Permission.values()) {
        if (!cur.getGroup().equals("user")) {
            permissions.add(cur.toString());
        }
    }
    Response response = killBillClient.addRoleDefinition(new RoleDefinition(roleDefinition, permissions), createdBy, reason, comment);
    Assert.assertEquals(response.getStatusCode(), 201);
    final String username = "candy";
    final String password = "lolipop";
    response = killBillClient.addUserRoles(new UserRoles(username, password, ImmutableList.of(roleDefinition)), createdBy, reason, comment);
    Assert.assertEquals(response.getStatusCode(), 201);
    // Now 'login' as new user (along with roles to make an API call requiring permissions), and check behavior
    logout();
    login(username, password);
    // Creating a role definition needs a "user" group permission the new user lacks, so the call must fail
    boolean success = false;
    try {
        killBillClient.addRoleDefinition(new RoleDefinition("dsfdsfds", ImmutableList.of("*")), createdBy, reason, comment);
        success = true;
    } catch (final Exception e) {
        // Expected: the server rejects the call
    } finally {
        Assert.assertFalse(success);
    }
    // Likewise, assigning roles to a new user must be rejected
    success = false;
    try {
        killBillClient.addUserRoles(new UserRoles("sdsd", "sdsdsd", ImmutableList.of(roleDefinition)), createdBy, reason, comment);
        success = true;
    } catch (final Exception e) {
        // Expected: the server rejects the call
    } finally {
        Assert.assertFalse(success);
    }
}
Also used: Response(com.ning.http.client.Response) UserRoles(org.killbill.billing.client.model.UserRoles) ArrayList(java.util.ArrayList) Permission(org.killbill.billing.security.Permission) RoleDefinition(org.killbill.billing.client.model.RoleDefinition) KillBillClientException(org.killbill.billing.client.KillBillClientException) Test(org.testng.annotations.Test)

Example 2 with Permission

use of org.killbill.billing.security.Permission in project killbill by killbill.

From the class SecurityResource, method getCurrentUserPermissions:

@TimedResource
@GET
@Path("/permissions")
@Produces(APPLICATION_JSON)
@ApiOperation(value = "List user permissions", response = String.class, responseContainer = "List")
@ApiResponses(value = {})
public Response getCurrentUserPermissions(@javax.ws.rs.core.Context final HttpServletRequest request) {
    // The getCurrentUserPermissions takes a TenantContext which is not used because permissions are cross tenants (at this point)
    final TenantContext nullTenantContext = null;
    final Set<Permission> permissions = securityApi.getCurrentUserPermissions(nullTenantContext);
    // Render each Permission enum value as its "group:value" string for the JSON response
    final List<String> json = ImmutableList.<String>copyOf(Iterables.<Permission, String>transform(permissions, Functions.toStringFunction()));
    return Response.status(Status.OK).entity(json).build();
}
Also used: Permission(org.killbill.billing.security.Permission) TenantContext(org.killbill.billing.util.callcontext.TenantContext) Path(javax.ws.rs.Path) TimedResource(org.killbill.commons.metrics.TimedResource) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 3 with Permission

use of org.killbill.billing.security.Permission in project killbill by killbill.

From the class TestDefaultSecurityApi, method testRetrievePermissions:

@Test(groups = "fast")
public void testRetrievePermissions() throws Exception {
    configureShiro();
    // We don't want the Guice injected one (it has Shiro disabled)
    final SecurityApi securityApi = new DefaultSecurityApi(null);
    // Nobody is logged in yet: the anonymous subject holds no permissions at all
    final Set<Permission> anonsPermissions = securityApi.getCurrentUserPermissions(callContext);
    Assert.assertEquals(anonsPermissions.size(), 0);
    // Each configured user only sees the permissions granted by the Shiro realm
    login("pierre");
    final Set<Permission> pierresPermissions = securityApi.getCurrentUserPermissions(callContext);
    Assert.assertEquals(pierresPermissions.size(), 2);
    Assert.assertTrue(pierresPermissions.containsAll(ImmutableList.<Permission>of(Permission.INVOICE_CAN_CREDIT, Permission.INVOICE_CAN_ITEM_ADJUST)));
    login("stephane");
    final Set<Permission> stephanesPermissions = securityApi.getCurrentUserPermissions(callContext);
    Assert.assertEquals(stephanesPermissions.size(), 1);
    Assert.assertTrue(stephanesPermissions.containsAll(ImmutableList.<Permission>of(Permission.PAYMENT_CAN_REFUND)));
}
Also used: SecurityApi(org.killbill.billing.security.api.SecurityApi) Permission(org.killbill.billing.security.Permission) Test(org.testng.annotations.Test)

Example 4 with Permission

use of org.killbill.billing.security.Permission in project killbill by killbill.

From the class DefaultSecurityApi, method getCurrentUserPermissions:

@Override
public Set<Permission> getCurrentUserPermissions(final TenantContext context) {
    // The enum array and the string array are built in the same order, so index i refers to the same permission in both
    final Permission[] killbillPermissions = Permission.values();
    final String[] killbillPermissionsString = getAllPermissionsAsStrings();
    final Subject subject = SecurityUtils.getSubject();
    // Bulk (optimized) call: one Shiro check for all permission strings instead of one per permission
    final boolean[] permissions = subject.isPermitted(killbillPermissionsString);
    final Set<Permission> userPermissions = new HashSet<Permission>();
    // Map each positive answer back to its Permission enum value
    for (int i = 0; i < permissions.length; i++) {
        if (permissions[i]) {
            userPermissions.add(killbillPermissions[i]);
        }
    }
    return userPermissions;
}
Also used: Permission(org.killbill.billing.security.Permission) Subject(org.apache.shiro.subject.Subject) HashSet(java.util.HashSet)

Example 5 with Permission

use of org.killbill.billing.security.Permission in project killbill by killbill.

From the class DefaultSecurityApi, method sanitizeAndValidatePermissions:

private List<String> sanitizeAndValidatePermissions(final List<String> permissionsRaw) throws SecurityApiException {
    // No permissions supplied: nothing to validate, return an empty immutable list
    if (permissionsRaw == null) {
        return ImmutableList.<String>of();
    }
    // Normalize empty strings to null and drop them, so only non-blank entries are validated
    final Collection<String> permissions = Collections2.<String>filter(Lists.<String, String>transform(permissionsRaw, new Function<String, String>() {

        @Override
        public String apply(final String input) {
            return Strings.emptyToNull(input);
        }
    }), Predicates.<String>notNull());
    // Permission group -> accepted values in that group ("*" meaning the whole group)
    final Map<String, Set<String>> groupToValues = new HashMap<String, Set<String>>();
    for (final String curPerm : permissions) {
        // A bare "*" grants everything; no need to look at the other entries
        if ("*".equals(curPerm)) {
            return ImmutableList.of("*");
        }
        // Accepted shapes are "group" and "group:value"; anything else is rejected
        final String[] permissionParts = curPerm.split(":");
        if (permissionParts.length != 1 && permissionParts.length != 2) {
            throw new SecurityApiException(ErrorCode.SECURITY_INVALID_PERMISSIONS, curPerm);
        }
        // The entry must resolve to a group (and, if given, a value) known to the Permission enum
        boolean resolved = false;
        for (final Permission cur : Permission.values()) {
            if (!cur.getGroup().equals(permissionParts[0])) {
                continue;
            }
            Set<String> groupPermissions = groupToValues.get(permissionParts[0]);
            if (groupPermissions == null) {
                groupPermissions = new HashSet<String>();
                groupToValues.put(permissionParts[0], groupPermissions);
            }
            // "group" or "group:*" grants the whole group and replaces any individual values collected so far
            if (permissionParts.length == 1 || "*".equals(permissionParts[1])) {
                groupPermissions.clear();
                groupPermissions.add("*");
                resolved = true;
                break;
            }
            // Only values that actually exist in the enum for this group are accepted
            if (cur.getValue().equals(permissionParts[1])) {
                groupPermissions.add(permissionParts[1]);
                resolved = true;
                break;
            }
        }
        // Unknown group, or unknown value within a known group
        if (!resolved) {
            throw new SecurityApiException(ErrorCode.SECURITY_INVALID_PERMISSIONS, curPerm);
        }
    }
    // Flatten the validated map back into "group:value" strings
    final List<String> sanitizedPermissions = new ArrayList<String>();
    for (final String group : groupToValues.keySet()) {
        final Set<String> groupPermissions = groupToValues.get(group);
        for (final String value : groupPermissions) {
            sanitizedPermissions.add(String.format("%s:%s", group, value));
        }
    }
    return sanitizedPermissions;
}
Also used: HashSet(java.util.HashSet) Set(java.util.Set) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Function(com.google.common.base.Function) Permission(org.killbill.billing.security.Permission) SecurityApiException(org.killbill.billing.security.SecurityApiException)

Aggregations (number of examples above using each type)

Permission (org.killbill.billing.security.Permission): 5
ArrayList (java.util.ArrayList): 2
HashSet (java.util.HashSet): 2
Test (org.testng.annotations.Test): 2
Function (com.google.common.base.Function): 1
Response (com.ning.http.client.Response): 1
ApiOperation (io.swagger.annotations.ApiOperation): 1
ApiResponses (io.swagger.annotations.ApiResponses): 1
HashMap (java.util.HashMap): 1
Set (java.util.Set): 1
GET (javax.ws.rs.GET): 1
Path (javax.ws.rs.Path): 1
Produces (javax.ws.rs.Produces): 1
Subject (org.apache.shiro.subject.Subject): 1
KillBillClientException (org.killbill.billing.client.KillBillClientException): 1
RoleDefinition (org.killbill.billing.client.model.RoleDefinition): 1
UserRoles (org.killbill.billing.client.model.UserRoles): 1
SecurityApiException (org.killbill.billing.security.SecurityApiException): 1
SecurityApi (org.killbill.billing.security.api.SecurityApi): 1
TenantContext (org.killbill.billing.util.callcontext.TenantContext): 1