Permission Overview

Adds an overview of the permissions of a user including its groups. To do so, a new cache is introduced that stores the groups of a user, when the user is authenticated. In doing so, SCM-Manager can also list groups assigned by external authentication plugins such as LDAP. On the other hand, the user has to have been logged in at least once to get external groups, and even then the cached groups may be out of date when the overview is created. Internal groups will always be added correctly, nonetheless.

Due to the cache, another problem arised: On some logins, the xml dao for the cache failed to be read, because it was read and written at the same time. To fix this, a more thorough synchronization of the stores has been implemented.

Committed-by: Konstantin Schaper <konstantin.schaper@cloudogu.com>
Co-authored-by: René Pfeuffer <rene.pfeuffer@cloudogu.com>
This commit is contained in:
Rene Pfeuffer
2023-02-09 10:29:05 +01:00
committed by SCM-Manager
parent 864ed9072d
commit e1b107849e
39 changed files with 1748 additions and 151 deletions

View File

@@ -0,0 +1,166 @@
/*
* MIT License
*
* Copyright (c) 2020-present Cloudogu GmbH and Contributors
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
package sonia.scm.api.v2.resources;
import de.otto.edison.hal.Links;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import sonia.scm.group.Group;
import sonia.scm.group.GroupManager;
import sonia.scm.repository.Repository;
import sonia.scm.user.PermissionOverview;
import java.net.URI;
import static java.util.Arrays.asList;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.when;
@ExtendWith(MockitoExtension.class)
class PermissionOverviewToPermissionOverviewDtoMapperTest {
public static final Repository REPOSITORY_1 = new Repository("1", "git", "hog", "marvin");
public static final Repository REPOSITORY_2 = new Repository("1", "git", "vogon", "jeltz");
public static final PermissionOverview PERMISSION_OVERVIEW = new PermissionOverview(
asList(
new PermissionOverview.GroupEntry("hitchhiker", true, false),
new PermissionOverview.GroupEntry("vogons", false, true)
),
asList("hog", "earth"),
asList(
REPOSITORY_1,
REPOSITORY_2
)
);
@Mock
private ResourceLinks resourceLinks;
@Mock
private NamespaceToNamespaceDtoMapper namespaceToNamespaceDtoMapper;
@Mock
private RepositoryToRepositoryDtoMapper repositoryToRepositoryDtoMapper;
@Mock
private GroupManager groupManager;
@Mock
private GroupToGroupDtoMapper groupToGroupDtoMapper;
@InjectMocks
private PermissionOverviewToPermissionOverviewDtoMapperImpl permissionOverviewToPermissionOverviewDtoMapper;
@BeforeEach
void initResourceLinks() {
when(resourceLinks.user())
.thenReturn(new ResourceLinks.UserLinks(() -> URI.create("/")));
}
@BeforeEach
void initRepositoryMapper() {
when(repositoryToRepositoryDtoMapper.map(any()))
.thenAnswer(invocation -> {
Repository repository = invocation.getArgument(0, Repository.class);
RepositoryDto repositoryDto = new RepositoryDto();
repositoryDto.setNamespace(repository.getNamespace());
repositoryDto.setName(repository.getName());
return repositoryDto;
});
}
@BeforeEach
void initNamespaceMapper() {
when(namespaceToNamespaceDtoMapper.map(any()))
.thenAnswer(invocation -> new NamespaceDto(invocation.getArgument(0, String.class), Links.emptyLinks()));
}
@BeforeEach
void initGroupMapper() {
when(groupManager.get(anyString()))
.thenAnswer(invocation -> new Group("xml", invocation.getArgument(0, String.class)));
when(groupToGroupDtoMapper.map(any()))
.thenAnswer(invocation -> {
GroupDto groupDto = new GroupDto();
groupDto.setName(invocation.getArgument(0, Group.class).getName());
return groupDto;
});
}
@Test
void shouldMapRepositories() {
PermissionOverviewDto dto = permissionOverviewToPermissionOverviewDtoMapper
.toDto(PERMISSION_OVERVIEW, "Neo");
assertThat(dto.getRelevantRepositories())
.extracting("namespace")
.contains("hog", "vogon");
assertThat(dto.getRelevantRepositories())
.extracting("name")
.contains("marvin", "jeltz");
assertThat(
dto.
getEmbedded()
.getItemsBy("repositories")
).hasSize(2);
}
@Test
void shouldMapNamespaces() {
PermissionOverviewDto dto = permissionOverviewToPermissionOverviewDtoMapper
.toDto(PERMISSION_OVERVIEW, "Neo");
assertThat(dto.getRelevantNamespaces())
.contains("hog", "earth");
assertThat(dto.getEmbedded().getItemsBy("relevantNamespaces"))
.hasSize(2)
.extracting("namespace")
.contains("hog", "earth");
assertThat(dto.getEmbedded().getItemsBy("otherNamespaces"))
.hasSize(1)
.extracting("namespace")
.contains("vogon");
}
@Test
void shouldMapGroups() {
PermissionOverviewDto dto = permissionOverviewToPermissionOverviewDtoMapper
.toDto(PERMISSION_OVERVIEW, "Neo");
assertThat(dto.getRelevantGroups())
.extracting("name")
.contains("hitchhiker", "vogons");
assertThat(dto.getEmbedded().getItemsBy("groups"))
.hasSize(2)
.extracting("name")
.contains("hitchhiker", "vogons");
}
}

View File

@@ -41,10 +41,13 @@ import org.mockito.Mock;
import sonia.scm.ContextEntry;
import sonia.scm.NotFoundException;
import sonia.scm.PageResult;
import sonia.scm.group.GroupManager;
import sonia.scm.security.ApiKeyService;
import sonia.scm.security.PermissionAssigner;
import sonia.scm.security.PermissionDescriptor;
import sonia.scm.user.ChangePasswordNotAllowedException;
import sonia.scm.user.PermissionOverview;
import sonia.scm.user.PermissionOverviewCollector;
import sonia.scm.user.User;
import sonia.scm.user.UserManager;
import sonia.scm.web.RestDispatcher;
@@ -58,6 +61,8 @@ import java.net.URL;
import java.util.Collection;
import java.util.function.Predicate;
import static de.otto.edison.hal.Links.emptyLinks;
import static java.util.Collections.emptyList;
import static java.util.Collections.singletonList;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.Assert.assertEquals;
@@ -95,6 +100,16 @@ public class UserRootResourceTest {
private ApiKeyService apiKeyService;
@Mock
private PermissionAssigner permissionAssigner;
@Mock
private PermissionOverviewCollector permissionOverviewCollector;
@Mock
private RepositoryToRepositoryDtoMapper repositoryToRepositoryDtoMapper;
@Mock
private NamespaceToNamespaceDtoMapper namespaceToNamespaceDtoMapper;
@Mock
private GroupManager groupManager;
@Mock
private GroupToGroupDtoMapper groupToGroupDtoMapper;
@InjectMocks
private UserDtoToUserMapperImpl dtoToUserMapper;
@InjectMocks
@@ -103,6 +118,8 @@ public class UserRootResourceTest {
private PermissionCollectionToDtoMapper permissionCollectionToDtoMapper;
@InjectMocks
private ApiKeyToApiKeyDtoMapperImpl apiKeyMapper;
@InjectMocks
private PermissionOverviewToPermissionOverviewDtoMapperImpl permissionOverviewMapper;
@Captor
private ArgumentCaptor<User> userCaptor;
@@ -110,6 +127,7 @@ public class UserRootResourceTest {
private ArgumentCaptor<Predicate<User>> filterCaptor;
private User originalUser;
private MockHttpResponse response = new MockHttpResponse();
@Before
public void prepareEnvironment() {
@@ -125,7 +143,7 @@ public class UserRootResourceTest {
UserCollectionResource userCollectionResource = new UserCollectionResource(userManager, dtoToUserMapper,
userCollectionToDtoMapper, resourceLinks, passwordService);
UserPermissionResource userPermissionResource = new UserPermissionResource(permissionAssigner, permissionCollectionToDtoMapper);
UserResource userResource = new UserResource(dtoToUserMapper, userToDtoMapper, userManager, passwordService, userPermissionResource);
UserResource userResource = new UserResource(dtoToUserMapper, userToDtoMapper, permissionOverviewMapper, userManager, passwordService, userPermissionResource, permissionOverviewCollector);
ApiKeyCollectionToDtoMapper apiKeyCollectionToDtoMapper = new ApiKeyCollectionToDtoMapper(apiKeyMapper, resourceLinks);
UserApiKeyResource userApiKeyResource = new UserApiKeyResource(apiKeyService, apiKeyCollectionToDtoMapper, apiKeyMapper, resourceLinks);
UserRootResource userRootResource = new UserRootResource(Providers.of(userCollectionResource),
@@ -137,7 +155,6 @@ public class UserRootResourceTest {
@Test
public void shouldCreateFullResponseForAdmin() throws URISyntaxException, UnsupportedEncodingException {
MockHttpRequest request = MockHttpRequest.get("/" + UserRootResource.USERS_PATH_V2 + "Neo");
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -155,7 +172,6 @@ public class UserRootResourceTest {
.post("/" + UserRootResource.USERS_PATH_V2)
.contentType(VndMediaType.USER)
.content(userJson.getBytes());
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -177,7 +193,6 @@ public class UserRootResourceTest {
@SubjectAware(username = "unpriv")
public void shouldCreateLimitedResponseForSimpleUser() throws URISyntaxException, UnsupportedEncodingException {
MockHttpRequest request = MockHttpRequest.get("/" + UserRootResource.USERS_PATH_V2 + "Neo");
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -195,7 +210,6 @@ public class UserRootResourceTest {
.put("/" + UserRootResource.USERS_PATH_V2 + "Neo/password")
.contentType(VndMediaType.PASSWORD_OVERWRITE)
.content(content.getBytes());
MockHttpResponse response = new MockHttpResponse();
when(passwordService.encryptPassword(newPassword)).thenReturn("encrypted123");
dispatcher.invoke(request, response);
@@ -213,7 +227,6 @@ public class UserRootResourceTest {
.put("/" + UserRootResource.USERS_PATH_V2 + "Neo/password")
.contentType(VndMediaType.PASSWORD_OVERWRITE)
.content(content.getBytes());
MockHttpResponse response = new MockHttpResponse();
doThrow(new ChangePasswordNotAllowedException(ContextEntry.ContextBuilder.entity("passwordChange", "-"), "xml")).when(userManager).overwritePassword(any(), any());
@@ -231,7 +244,6 @@ public class UserRootResourceTest {
.put("/" + UserRootResource.USERS_PATH_V2 + "Neo/password")
.contentType(VndMediaType.PASSWORD_OVERWRITE)
.content(content.getBytes());
MockHttpResponse response = new MockHttpResponse();
doThrow(new NotFoundException("Test", "x")).when(userManager).overwritePassword(any(), any());
@@ -249,7 +261,6 @@ public class UserRootResourceTest {
.put("/" + UserRootResource.USERS_PATH_V2 + "Neo/password")
.contentType(VndMediaType.PASSWORD_OVERWRITE)
.content(content.getBytes());
MockHttpResponse response = new MockHttpResponse();
when(passwordService.encryptPassword(newPassword)).thenReturn("encrypted123");
dispatcher.invoke(request, response);
@@ -267,7 +278,6 @@ public class UserRootResourceTest {
.post("/" + UserRootResource.USERS_PATH_V2)
.contentType(VndMediaType.USER)
.content(userJson);
MockHttpResponse response = new MockHttpResponse();
when(passwordService.encryptPassword("pwd123")).thenReturn("encrypted123");
dispatcher.invoke(request, response);
@@ -287,7 +297,6 @@ public class UserRootResourceTest {
.put("/" + UserRootResource.USERS_PATH_V2 + "Neo")
.contentType(VndMediaType.USER)
.content(userJson);
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -303,7 +312,6 @@ public class UserRootResourceTest {
.post("/" + UserRootResource.USERS_PATH_V2)
.contentType(VndMediaType.USER)
.content(new byte[]{});
MockHttpResponse response = new MockHttpResponse();
when(passwordService.encryptPassword("pwd123")).thenReturn("encrypted123");
dispatcher.invoke(request, response);
@@ -314,7 +322,6 @@ public class UserRootResourceTest {
@Test
public void shouldGetNotFoundForNotExistentUser() throws URISyntaxException {
MockHttpRequest request = MockHttpRequest.get("/" + UserRootResource.USERS_PATH_V2 + "nosuchuser");
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -324,7 +331,6 @@ public class UserRootResourceTest {
@Test
public void shouldDeleteUser() throws Exception {
MockHttpRequest request = MockHttpRequest.delete("/" + UserRootResource.USERS_PATH_V2 + "Neo");
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -342,7 +348,6 @@ public class UserRootResourceTest {
.put("/" + UserRootResource.USERS_PATH_V2 + "Other")
.contentType(VndMediaType.USER)
.content(userJson);
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -360,7 +365,6 @@ public class UserRootResourceTest {
.put("/" + UserRootResource.USERS_PATH_V2 + "Neo")
.contentType(VndMediaType.USER)
.content(userJson);
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -373,7 +377,6 @@ public class UserRootResourceTest {
PageResult<User> singletonPageResult = createSingletonPageResult(1);
when(userManager.getPage(any(), any(), eq(0), eq(10))).thenReturn(singletonPageResult);
MockHttpRequest request = MockHttpRequest.get("/" + UserRootResource.USERS_PATH_V2);
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -389,7 +392,6 @@ public class UserRootResourceTest {
PageResult<User> singletonPageResult = createSingletonPageResult(3);
when(userManager.getPage(any(), any(), eq(1), eq(1))).thenReturn(singletonPageResult);
MockHttpRequest request = MockHttpRequest.get("/" + UserRootResource.USERS_PATH_V2 + "?page=1&pageSize=1");
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -407,7 +409,6 @@ public class UserRootResourceTest {
PageResult<User> singletonPageResult = createSingletonPageResult(1);
when(userManager.getPage(filterCaptor.capture(), any(), eq(0), eq(10))).thenReturn(singletonPageResult);
MockHttpRequest request = MockHttpRequest.get("/" + UserRootResource.USERS_PATH_V2 + "?q=One");
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -427,7 +428,6 @@ public class UserRootResourceTest {
@Test
public void shouldGetPermissionLink() throws URISyntaxException, UnsupportedEncodingException {
MockHttpRequest request = MockHttpRequest.get("/" + UserRootResource.USERS_PATH_V2 + "Neo");
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -440,7 +440,6 @@ public class UserRootResourceTest {
public void shouldGetPermissions() throws URISyntaxException, UnsupportedEncodingException {
when(permissionAssigner.readPermissionsForUser("Neo")).thenReturn(singletonList(new PermissionDescriptor("something:*")));
MockHttpRequest request = MockHttpRequest.get("/" + UserRootResource.USERS_PATH_V2 + "Neo/permissions");
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -455,7 +454,6 @@ public class UserRootResourceTest {
.put("/" + UserRootResource.USERS_PATH_V2 + "Neo/permissions")
.contentType(VndMediaType.PERMISSION_COLLECTION)
.content("{\"permissions\":[\"other:*\"]}".getBytes());
MockHttpResponse response = new MockHttpResponse();
ArgumentCaptor<Collection<PermissionDescriptor>> captor = ArgumentCaptor.forClass(Collection.class);
doNothing().when(permissionAssigner).setPermissionsForUser(eq("Neo"), captor.capture());
@@ -466,6 +464,19 @@ public class UserRootResourceTest {
assertEquals("other:*", captor.getValue().iterator().next().getValue());
}
@Test
public void shouldGetPermissionsOverviewWithNamespaces() throws URISyntaxException, UnsupportedEncodingException {
when(permissionOverviewCollector.create("Neo")).thenReturn(new PermissionOverview(emptyList(), singletonList("hog"), emptyList()));
when(namespaceToNamespaceDtoMapper.map("hog")).thenReturn(new NamespaceDto("hog", emptyLinks()));
MockHttpRequest request = MockHttpRequest.get("/" + UserRootResource.USERS_PATH_V2 + "Neo/permissionOverview");
dispatcher.invoke(request, response);
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
assertThat(response.getContentAsString()).contains("hog");
assertThat(response.getContentAsString()).contains("\"self\":{\"href\":\"/v2/users/Neo/permissionOverview\"}");
}
@Test
public void shouldConvertUserToInternalAndSetNewPassword() throws URISyntaxException {
when(passwordService.encryptPassword(anyString())).thenReturn("abc");
@@ -474,7 +485,6 @@ public class UserRootResourceTest {
.put("/" + UserRootResource.USERS_PATH_V2 + "Neo/convert-to-internal")
.contentType(VndMediaType.USER)
.content("{\"newPassword\":\"trillian\"}".getBytes());
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);
@@ -492,7 +502,6 @@ public class UserRootResourceTest {
MockHttpRequest request = MockHttpRequest
.put("/" + UserRootResource.USERS_PATH_V2 + "Neo/convert-to-external")
.contentType(VndMediaType.USER);
MockHttpResponse response = new MockHttpResponse();
dispatcher.invoke(request, response);

View File

@@ -21,7 +21,7 @@
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
package sonia.scm.api.v2.resources;
import org.apache.shiro.subject.Subject;
@@ -43,7 +43,6 @@ import java.time.Instant;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import static org.mockito.MockitoAnnotations.initMocks;
@@ -177,4 +176,16 @@ public class UserToUserDtoMapperTest {
assertEquals("http://trillian", userDto.getLinks().getLinkBy("sample").get().getHref());
}
@Test
public void shouldMapLinks_forPermissionOverview() {
User user = createDefaultUser();
when(subject.isPermitted("permission:read")).thenReturn(true);
when(subject.isPermitted("group:list")).thenReturn(true);
UserDto userDto = mapper.map(user);
assertEquals("expected permissions link", expectedBaseUri.resolve("abc/permissions").toString(), userDto.getLinks().getLinkBy("permissions").get().getHref());
assertEquals("expected permission overview link", expectedBaseUri.resolve("abc/permissionOverview").toString(), userDto.getLinks().getLinkBy("permissionOverview").get().getHref());
}
}

View File

@@ -30,17 +30,21 @@ import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Answers;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import sonia.scm.HandlerEventType;
import sonia.scm.cache.MapCache;
import sonia.scm.cache.MapCacheManager;
import sonia.scm.security.LogoutEvent;
import sonia.scm.store.ConfigurationStore;
import sonia.scm.store.ConfigurationStoreFactory;
import sonia.scm.user.User;
import sonia.scm.user.UserEvent;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import static org.assertj.core.api.Assertions.assertThat;
@@ -59,6 +63,11 @@ class DefaultGroupCollectorTest {
@Mock
private GroupResolver groupResolver;
@Mock(answer = Answers.RETURNS_DEEP_STUBS)
private ConfigurationStoreFactory configurationStoreFactory;
@Mock(answer = Answers.RETURNS_DEEP_STUBS)
private ConfigurationStore configurationStore;
private MapCacheManager mapCacheManager;
private Set<GroupResolver> groupResolvers;
@@ -69,7 +78,14 @@ class DefaultGroupCollectorTest {
void initCollector() {
groupResolvers = new HashSet<>();
mapCacheManager = new MapCacheManager();
collector = new DefaultGroupCollector(groupDAO, mapCacheManager, groupResolvers);
collector = new DefaultGroupCollector(groupDAO, mapCacheManager, groupResolvers, configurationStoreFactory);
}
@BeforeEach
void initStore() {
when(configurationStoreFactory.withType(UserGroupCache.class).withName("user-group-cache").build())
.thenReturn(configurationStore);
when(configurationStore.getOptional()).thenReturn(Optional.empty());
}
@Test
@@ -141,7 +157,16 @@ class DefaultGroupCollectorTest {
verify(groupDAO, never()).getAll();
}
@Test
void shouldGetCachedGroupsFromLastLogin() {
UserGroupCache cache = new UserGroupCache();
cache.put("trillian", Set.of("hog"));
when(configurationStore.getOptional()).thenReturn(Optional.of(cache));
Set<String> cachedGroups = collector.fromLastLoginPlusInternal("trillian");
assertThat(cachedGroups).contains("hog");
}
@Nested
class WithGroupsFromDao {
@@ -169,5 +194,23 @@ class DefaultGroupCollectorTest {
Iterable<String> groupNames = collector.collect("trillian");
assertThat(groupNames).containsOnly("_authenticated", "heartOfGold", "fjordsOfAfrican", "awesome", "incredible");
}
@Test
void shouldGetScmGroupsForLastLoginWhenNothingCached() {
Set<String> cachedGroups = collector.fromLastLoginPlusInternal("trillian");
assertThat(cachedGroups).contains("heartOfGold", "fjordsOfAfrican");
}
@Test
void shouldGetCachedGroupsFromLastLoginWithInternalGroups() {
UserGroupCache cache = new UserGroupCache();
cache.put("trillian", Set.of("earth"));
when(configurationStore.getOptional()).thenReturn(Optional.of(cache));
Set<String> cachedGroups = collector.fromLastLoginPlusInternal("trillian");
assertThat(cachedGroups).contains("earth", "heartOfGold", "fjordsOfAfrican");
}
}
}

View File

@@ -0,0 +1,250 @@
/*
* MIT License
*
* Copyright (c) 2020-present Cloudogu GmbH and Contributors
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
package sonia.scm.user;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import sonia.scm.group.Group;
import sonia.scm.group.GroupCollector;
import sonia.scm.group.GroupManager;
import sonia.scm.repository.Namespace;
import sonia.scm.repository.NamespaceManager;
import sonia.scm.repository.Repository;
import sonia.scm.repository.RepositoryManager;
import sonia.scm.repository.RepositoryPermission;
import sonia.scm.repository.RepositoryTestData;
import sonia.scm.security.PermissionAssigner;
import sonia.scm.security.PermissionDescriptor;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import static java.util.Collections.singleton;
import static java.util.Collections.singletonList;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
@ExtendWith(MockitoExtension.class)
class PermissionOverviewCollectorTest {
@Mock
private GroupCollector groupCollector;
@Mock
private PermissionAssigner permissionAssigner;
@Mock
private GroupManager groupManager;
@Mock
private RepositoryManager repositoryManager;
@Mock
private NamespaceManager namespaceManager;
@InjectMocks
private PermissionOverviewCollector permissionOverviewCollector;
private final String unknownGroupName = "hog";
private final String knownGroupName = "earth";
@BeforeEach
void mockGroups() {
when(groupCollector.fromLastLoginPlusInternal("trillian"))
.thenReturn(Set.of(unknownGroupName, knownGroupName));
}
@BeforeEach
void mockSubject() {
Subject subject = mock(Subject.class);
ThreadContext.bind(subject);
}
@AfterEach
void clearContext() {
ThreadContext.unbindSubject();
}
@Nested
class WithGroups {
@Test
void shouldCollectGroupsFromGroupCollector() {
when(groupManager.getAllNames()).thenReturn(singleton(knownGroupName));
mockUnknownGroup(unknownGroupName);
mockKnownGroup(knownGroupName);
PermissionOverview permissionOverview = permissionOverviewCollector.create("trillian");
Collection<PermissionOverview.GroupEntry> relevantGroups = permissionOverview.getRelevantGroups();
assertThat(relevantGroups)
.extracting("name")
.contains(unknownGroupName, knownGroupName);
assertThat(relevantGroups)
.extracting("permissions")
.contains(false, true);
assertThat(relevantGroups)
.extracting("externalOnly")
.contains(false, true);
}
private void mockKnownGroup(String knownGroupName) {
when(permissionAssigner.readPermissionsForGroup(knownGroupName))
.thenReturn(singleton(new PermissionDescriptor()));
}
private void mockUnknownGroup(String unknownGroupName) {
when(permissionAssigner.readPermissionsForGroup(unknownGroupName))
.thenReturn(Collections.emptyList());
}
}
@Nested
class WithNamespaces {
private Namespace namespace = new Namespace("git");
@BeforeEach
void mockNamespace() {
when(namespaceManager.getAll())
.thenReturn(singletonList(namespace));
}
@Test
void shouldFindNamespaces() {
namespace.addPermission(new RepositoryPermission("trillian", "read", false));
PermissionOverview permissionOverview = permissionOverviewCollector.create("trillian");
assertThat(permissionOverview.getRelevantNamespaces())
.contains("git");
}
@Test
void shouldFindNamespacesWithPermissionForUser() {
namespace.addPermission(new RepositoryPermission("trillian", "read", false));
PermissionOverview permissionOverview = permissionOverviewCollector.create("trillian");
assertThat(permissionOverview.getRelevantNamespaces())
.contains("git");
}
@Test
void shouldFindNamespaceWithPermissionForGroupOfUser() {
namespace.addPermission(new RepositoryPermission(knownGroupName, "read", true));
when(groupCollector.fromLastLoginPlusInternal("trillian"))
.thenReturn(singleton(knownGroupName));
PermissionOverview permissionOverview = permissionOverviewCollector.create("trillian");
assertThat(permissionOverview.getRelevantNamespaces())
.contains("git");
}
@Test
void shouldIgnoreNamespaceWithPermissionForOtherUser() {
namespace.addPermission(new RepositoryPermission("arthur", "read", false));
PermissionOverview permissionOverview = permissionOverviewCollector.create("trillian");
assertThat(permissionOverview.getRelevantNamespaces())
.doesNotContain("git");
}
@Test
void shouldIgnoreRepositoryWithPermissionForOtherGroups() {
namespace.addPermission(new RepositoryPermission("vogons", "read", true));
when(groupCollector.fromLastLoginPlusInternal("trillian"))
.thenReturn(singleton(knownGroupName));
PermissionOverview permissionOverview = permissionOverviewCollector.create("trillian");
assertThat(permissionOverview.getRelevantNamespaces())
.doesNotContain("git");
}
}
@Nested
class WithRepositories {
private final Repository repository = RepositoryTestData.create42Puzzle();
@BeforeEach
void mockRepository() {
when(repositoryManager.getAll())
.thenReturn(singletonList(repository));
}
@Test
void shouldFindRepositoryWithPermissionForUser() {
repository.addPermission(new RepositoryPermission("trillian", "read", false));
PermissionOverview permissionOverview = permissionOverviewCollector.create("trillian");
assertThat(permissionOverview.getRelevantRepositories())
.contains(repository);
}
@Test
void shouldFindRepositoryWithPermissionForGroupOfUser() {
repository.addPermission(new RepositoryPermission(knownGroupName, "read", true));
when(groupCollector.fromLastLoginPlusInternal("trillian"))
.thenReturn(singleton(knownGroupName));
PermissionOverview permissionOverview = permissionOverviewCollector.create("trillian");
assertThat(permissionOverview.getRelevantRepositories())
.contains(repository);
}
@Test
void shouldIgnoreRepositoryWithPermissionForOtherUser() {
repository.addPermission(new RepositoryPermission("arthur", "read", false));
PermissionOverview permissionOverview = permissionOverviewCollector.create("trillian");
assertThat(permissionOverview.getRelevantRepositories())
.doesNotContain(repository);
}
@Test
void shouldIgnoreRepositoryWithPermissionForOtherGroups() {
repository.addPermission(new RepositoryPermission("vogons", "read", true));
when(groupCollector.fromLastLoginPlusInternal("trillian"))
.thenReturn(singleton(knownGroupName));
PermissionOverview permissionOverview = permissionOverviewCollector.create("trillian");
assertThat(permissionOverview.getRelevantRepositories())
.doesNotContain(repository);
}
}
}