From b88e9e78942ce4f7f3b18623d0c2e266151155ee Mon Sep 17 00:00:00 2001 From: chasegawa Date: Mon, 7 Nov 2022 09:53:23 -0700 Subject: [PATCH] SHIBUI-2394 test changes --- .../permission/ShibUiPermissionDelegate.java | 45 +++- .../ui/security/service/UserService.java | 31 +-- .../JPAEntityDescriptorServiceImpl.java | 28 +-- .../admin/ui/AbstractBaseDataJpaTest.groovy | 5 + ...ityDescriptorVersionControllerTests.groovy | 5 +- ...yDescriptorFilesScheduledTasksTests.groovy | 8 +- .../ShibUiPermissionDelegateTests.groovy | 202 ++++++++++++++++++ 7 files changed, 265 insertions(+), 59 deletions(-) create mode 100644 backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/permission/ShibUiPermissionDelegateTests.groovy diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/permission/ShibUiPermissionDelegate.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/permission/ShibUiPermissionDelegate.java index d211f6927..0560b569b 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/permission/ShibUiPermissionDelegate.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/permission/ShibUiPermissionDelegate.java 
@@ -1,23 +1,29 @@
 package edu.internet2.tier.shibboleth.admin.ui.security.permission;
+import edu.internet2.tier.shibboleth.admin.ui.domain.EntityDescriptor;
 import edu.internet2.tier.shibboleth.admin.ui.domain.IActivatable;
 import edu.internet2.tier.shibboleth.admin.ui.domain.IApprovable;
 import edu.internet2.tier.shibboleth.admin.ui.exception.ForbiddenException;
 import edu.internet2.tier.shibboleth.admin.ui.repository.EntityDescriptorProjection;
 import edu.internet2.tier.shibboleth.admin.ui.repository.EntityDescriptorRepository;
 import edu.internet2.tier.shibboleth.admin.ui.security.model.Ownable;
+import edu.internet2.tier.shibboleth.admin.ui.security.model.User;
 import edu.internet2.tier.shibboleth.admin.ui.security.service.UserAccess;
 import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService;
 import lombok.AllArgsConstructor;
 import org.springframework.security.core.Authentication;
 import java.io.Serializable;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
 /**
- * The ShibUiPermissionDelegate is the default service for SHIBUI, which delegates calls (primarily) to the the userService to determine
- * whether a user has the correct abilty to act a particular way (possibly on certain objects).
+ * The ShibUiPermissionDelegate is the default service for SHIBUI, which delegates calls (primarily) to the the UserService to determine
+ * whether a user has the correct abilty to act a particular way (possibly on certain objects). Because the Authentication being
+ * supplied to this implmentation comes from the user service, we ignore it and defer to the UserService (which is ultimately using
+ * the Authentication from the security context anyway).
+ *
+ */
 @AllArgsConstructor
 public class ShibUiPermissionDelegate implements IShibUiPermissionEvaluator {
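Review bot: The new class Javadoc is the only place that records that the `Authentication` argument is ignored, and it justifies this by where the argument happens to come from today; anyone who later passes a different principal (a run-as or delegated-admin flow, or a test handing in a mock `Authentication`) will silently get an answer for whichever user is in the `SecurityContext`. State it as a contract rather than an observation, e.g. `Callers must not expect the Authentication argument to be honoured: a value other than the current security-context Authentication is not detected, and every check is evaluated for the security-context user.` The same sentence belongs on `IShibUiPermissionEvaluator`, whose declaration is outside this diff. While here, fix `the the`, `abilty` and `implmentation`, and drop the empty `*` line before `*/`.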
@@ -26,7 +32,7 @@ public class ShibUiPermissionDelegate implements IShibUiPermissionEvaluator {
 private UserService userService;
 @Override
- public Collection getPersistentEntities(Authentication authentication, ShibUiPermissibleType shibUiType, PermissionType permissionType) throws ForbiddenException {
+ public Collection getPersistentEntities(Authentication ignored, ShibUiPermissibleType shibUiType, PermissionType permissionType) throws ForbiddenException {
 switch (shibUiType) {
 case entityDescriptorProjection:
 switch (permissionType) {
@@ -34,12 +40,12 @@ public Collection getPersistentEntities(Authentication authentication, ShibUiPer
 return getAllEntityDescriptorProjectionsNeedingApprovalBasedOnUserAccess();
 case enable:
 // This particular list is used for an admin function, so the user must be an ADMIN
- if (!hasPermission(authentication, null, PermissionType.admin)) {
+ if (!hasPermission(ignored, null, PermissionType.admin)) {
 throw new ForbiddenException();
 }
 return entityDescriptorRepository.getEntityDescriptorsNeedingEnabling();
 case fetch:
- if (!hasPermission(authentication, null, PermissionType.fetch)) {
+ if (!hasPermission(ignored, null, PermissionType.fetch)) {
 throw new ForbiddenException("User has no access rights to get a list of Metadata Sources");
 }
 return getAllEntityDescriptorProjectionsBasedOnUserAccess();
@@ -63,7 +69,7 @@ private List getAllEntityDescriptorProjectionsNeedin
 }
 @Override
- public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
+ public boolean hasPermission(Authentication ignored, Object targetDomainObject, Object permission) {
 switch ((PermissionType) permission) {
 case admin: // we don't care about the object - the user is an admin or not
 return userService.currentUserIsAdmin();
@@ -71,7 +77,7 @@ public boolean hasPermission(Authentication authentication, Object targetDomainO
 if (userService.currentUserIsAdmin()) { return true; }
 return targetDomainObject instanceof IApprovable ? userService.getGroupsCurrentUserCanApprove().contains(((IApprovable)targetDomainObject).getIdOfOwner()) : false;
 case enable:
- return targetDomainObject instanceof IActivatable ? userService.currentUserCanEnable((IActivatable) targetDomainObject) : false;
+ return targetDomainObject instanceof IActivatable ? currentUserCanEnable((IActivatable) targetDomainObject) : false;
 case fetch:
 return userService.currentUserIsAdmin() || userService.getCurrentUserAccess().equals(UserAccess.GROUP);
 case viewOrEdit:
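Review bot: The rewritten `enable` case keeps the `cond ? x : false` form; `return targetDomainObject instanceof IActivatable && currentUserCanEnable((IActivatable) targetDomainObject);` says the same thing without the ternary and mirrors the boolean-operator style the `fetch` case two lines below already uses. The enclosing `hasPermission` switch starts before and ends after this hunk.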
@@ -84,4 +90,27 @@ public boolean hasPermission(Authentication authentication, Object targetDomainO
 public boolean hasPermission(Authentication authentication, Serializable targetId, String target, Object permission) {
 return false; // Unused and Unimplemented - we don't need for this implementation to lookup objects
 }
-}
+
+ private boolean currentUserCanEnable(IActivatable activatableObject) {
+ if (userService.currentUserIsAdmin()) { return true; }
+ switch (activatableObject.getActivatableType()) {
+ case ENTITY_DESCRIPTOR: {
+ return currentUserHasExpectedRole(Arrays.asList("ROLE_ENABLE" )) && userService.getCurrentUserGroup().getOwnerId().equals(((EntityDescriptor) activatableObject).getIdOfOwner());
+ }
+ // Currently filters and providers dont have ownership, so we just look for the right role
+ case FILTER:
+ case METADATA_RESOLVER:
+ return currentUserHasExpectedRole(Arrays.asList("ROLE_ENABLE" ));
+ default:
+ return false;
+ }
+ }
+
+ /**
+ * This basic logic assumes users only have a single role (despite users having a list of roles, we assume only 1 currently)
+ */
+ private boolean currentUserHasExpectedRole(List acceptedRoles) {
+ User user = userService.getCurrentUser();
+ return acceptedRoles.contains(user.getRole());
+ }
+}
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
index 684be9009..097f745fb 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
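Review bot: `currentUserHasExpectedRole` dereferences `userService.getCurrentUser()` without the null guard that the kept `UserService.currentUserIsAdmin()` applies (`user != null && ...`), so a request whose principal does not resolve to a `User` and reaches an `enable` check throws a NullPointerException instead of returning false; make the last line `return user != null && acceptedRoles.contains(user.getRole());`. The `ENTITY_DESCRIPTOR` branch has the same shape with `userService.getCurrentUserGroup().getOwnerId()` — whether a user can exist without a group is not visible here, but if it can, that call fails the same way rather than denying. An exception still denies, but it surfaces as a server error instead of the `ForbiddenException` the callers in `JPAEntityDescriptorServiceImpl` raise on a false result, and it hides the real cause. Smaller points: the raw `List` parameter should be `List<String>`, and the duplicated `Arrays.asList("ROLE_ENABLE" )` is better as one `private static final List<String> ENABLE_ROLES` constant (`Collections.singletonList("ROLE_ENABLE")` if the project cannot use `List.of`).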
@@ -56,37 +56,10 @@ public UserService(IGroupService groupService, OwnershipRepository ownershipRepo
 this.userRepository = userRepository;
 }
- public boolean currentUserCanApprove(List approverGroups) {
- if (currentUserIsAdmin()) {
- return true;
- }
- Group currentUserGroup = getCurrentUserGroup();
- return approverGroups.contains(currentUserGroup);
- }
-
- public boolean currentUserCanEnable(IActivatable activatableObject) {
- if (currentUserIsAdmin()) { return true; }
- switch (activatableObject.getActivatableType()) {
- case ENTITY_DESCRIPTOR: {
- return currentUserHasExpectedRole(Arrays.asList("ROLE_ENABLE" )) && getCurrentUserGroup().getOwnerId().equals(((EntityDescriptor) activatableObject).getIdOfOwner());
- }
- // Currently filters and providers dont have ownership, so we just look for the right role
- case FILTER:
- case METADATA_RESOLVER:
- return currentUserHasExpectedRole(Arrays.asList("ROLE_ENABLE" ));
- default:
- return false;
- }
- }
-
 /**
- * This basic logic assumes users only have a single role (despite users having a list of roles, we assume only 1 currently)
+ * @deprecated don't call this, call the ShibUiPermissionDelegate method hasPermission(...)
 */
- private boolean currentUserHasExpectedRole(List acceptedRoles) {
- User user = getCurrentUser();
- return acceptedRoles.contains(user.getRole());
- }
-
+ @Deprecated
 public boolean currentUserIsAdmin() {
 User user = getCurrentUser();
 return user != null && user.getRole().equals("ROLE_ADMIN");
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
index 182f239cc..a1c80b9dc 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
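Review bot: The new `@deprecated` Javadoc on `currentUserIsAdmin()` sends callers to `ShibUiPermissionDelegate.hasPermission(...)`, but that delegate is itself built on `userService.currentUserIsAdmin()` (it is the `admin` case of `hasPermission` and the first line of the new `currentUserCanEnable`), so the one legitimate caller now compiles with a deprecation warning and the note reads as circular. Say who may still call it: `@deprecated for callers outside the permission layer; ShibUiPermissionDelegate is the intended caller, everything else should go through IShibUiPermissionEvaluator#hasPermission(...)`. The removed `currentUserCanApprove(List)` gets no replacement in this hunk; any remaining caller will fail the build, but it is worth confirming that the delegate's group-based `approve` path via `getGroupsCurrentUserCanApprove` is the intended equivalent, since that one compares owner ids rather than `Group` objects. The closing brace of `currentUserIsAdmin` is outside the hunk.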
@@ -85,7 +85,7 @@ public class JPAEntityDescriptorServiceImpl implements EntityDescriptorService { private OwnershipRepository ownershipRepository; @Autowired - private IShibUiPermissionEvaluator shibUiService; + private IShibUiPermissionEvaluator shibUiAuthorizationDelegate; @Autowired private UserService userService; @@ -183,7 +183,7 @@ public EntityDescriptorRepresentation changeApproveStatusOfEntityDescriptor(Stri if (ed == null) { throw new PersistentEntityNotFound("Entity with resourceid[" + resourceId + "] was not found for approval"); } - if (!shibUiService.hasPermission(userService.getCurrentUserAuthentication(), ed, PermissionType.approve)) { + if (!shibUiAuthorizationDelegate.hasPermission(userService.getCurrentUserAuthentication(), ed, PermissionType.approve)) { throw new ForbiddenException("You do not have the permissions necessary to approve this entity descriptor."); } if (status) { // approve @@ -221,7 +221,7 @@ public EntityDescriptorRepresentation createNew(EntityDescriptorRepresentation e } EntityDescriptor ed = (EntityDescriptor) createDescriptorFromRepresentation(edRep); - if (ed.isServiceEnabled() && !shibUiService.hasPermission(userService.getCurrentUserAuthentication(), ed, PermissionType.enable)) { + if (ed.isServiceEnabled() && !shibUiAuthorizationDelegate.hasPermission(userService.getCurrentUserAuthentication(), ed, PermissionType.enable)) { throw new ForbiddenException("You do not have the permissions necessary to enable this entity descriptor."); } @@ -231,7 +231,7 @@ public EntityDescriptorRepresentation createNew(EntityDescriptorRepresentation e validateEntityIdAndACSUrls(edRep); ed.setIdOfOwner(userService.getCurrentUserGroup().getOwnerId()); - if (shibUiService.hasPermission(userService.getCurrentUserAuthentication(), null, PermissionType.admin)) { + if (shibUiAuthorizationDelegate.hasPermission(userService.getCurrentUserAuthentication(), null, PermissionType.admin)) { ed.setApproved(true); } 
@@ -250,7 +250,7 @@ public EntityDescriptorRepresentation createNewEntityDescriptorFromXMLOrigin(Ent if (ed.getProtocol() == EntityDescriptorProtocol.OIDC) { ed.getSPSSODescriptor("").addSupportedProtocol("http://openid.net/specs/openid-connect-core-1_0.html"); } - if (shibUiService.hasPermission(userService.getCurrentUserAuthentication(), null, PermissionType.admin)) { + if (shibUiAuthorizationDelegate.hasPermission(userService.getCurrentUserAuthentication(), null, PermissionType.admin)) { ed.setApproved(true); } EntityDescriptor savedEntity = entityDescriptorRepository.save(ed); @@ -493,7 +493,7 @@ public boolean entityExists(String entityID) { */ @Override public List getAllEntityDescriptorProjectionsBasedOnUserAccess() throws ForbiddenException { - return (List) shibUiService.getPersistentEntities(userService.getCurrentUserAuthentication(), ShibUiPermissibleType.entityDescriptorProjection, PermissionType.fetch); + return (List) shibUiAuthorizationDelegate.getPersistentEntities(userService.getCurrentUserAuthentication(), ShibUiPermissibleType.entityDescriptorProjection, PermissionType.fetch); } /** @@ -501,7 +501,7 @@ public List getAllEntityDescriptorProjectionsBasedOn */ @Override public List getAllEntityDescriptorProjectionsNeedingApprovalBasedOnUserAccess() throws ForbiddenException { - return (List) shibUiService.getPersistentEntities(userService.getCurrentUserAuthentication(), ShibUiPermissibleType.entityDescriptorProjection, PermissionType.approve); + return (List) shibUiAuthorizationDelegate.getPersistentEntities(userService.getCurrentUserAuthentication(), ShibUiPermissibleType.entityDescriptorProjection, PermissionType.approve); } @Override 
@@ -515,7 +515,7 @@ public List getAttributeReleaseListFromAttributeList(List att @Override public Iterable getDisabledMetadataSources() throws ForbiddenException { - return (List) shibUiService.getPersistentEntities(userService.getCurrentUserAuthentication(), ShibUiPermissibleType.entityDescriptorProjection, PermissionType.enable); + return (List) shibUiAuthorizationDelegate.getPersistentEntities(userService.getCurrentUserAuthentication(), ShibUiPermissibleType.entityDescriptorProjection, PermissionType.enable); } @Override @@ -524,7 +524,7 @@ public EntityDescriptor getEntityDescriptorByResourceId(String resourceId) throw if (ed == null) { throw new PersistentEntityNotFound(String.format("The entity descriptor with entity id [%s] was not found.", resourceId)); } - if (!shibUiService.hasPermission(userService.getCurrentUserAuthentication(), ed, PermissionType.viewOrEdit)) { + if (!shibUiAuthorizationDelegate.hasPermission(userService.getCurrentUserAuthentication(), ed, PermissionType.viewOrEdit)) { throw new ForbiddenException(); } return ed; 
@@ -605,13 +605,13 @@ public EntityDescriptorRepresentation update(EntityDescriptorRepresentation edRe if (existingEd == null) { throw new PersistentEntityNotFound(String.format("The entity descriptor with entity id [%s] was not found for update.", edRep.getId())); } - if (edRep.isServiceEnabled() && !shibUiService.hasPermission(userService.getCurrentUserAuthentication(), existingEd, PermissionType.enable)) { + if (edRep.isServiceEnabled() && !shibUiAuthorizationDelegate.hasPermission(userService.getCurrentUserAuthentication(), existingEd, PermissionType.enable)) { throw new ForbiddenException("You do not have the permissions necessary to enable this service."); } if (StringUtils.isEmpty(edRep.getIdOfOwner())) { edRep.setIdOfOwner(StringUtils.isNotEmpty(existingEd.getIdOfOwner()) ? existingEd.getIdOfOwner() : userService.getCurrentUserGroup().getOwnerId()); } - if (!shibUiService.hasPermission(userService.getCurrentUserAuthentication(), existingEd, PermissionType.viewOrEdit)) { + if (!shibUiAuthorizationDelegate.hasPermission(userService.getCurrentUserAuthentication(), existingEd, PermissionType.viewOrEdit)) { throw new ForbiddenException(); } // Verify we're the only one attempting to update the EntityDescriptor @@ -645,7 +645,7 @@ public EntityDescriptorRepresentation updateEntityDescriptorEnabledStatus(String if (ed == null) { throw new PersistentEntityNotFound("Entity with resourceid[" + resourceId + "] was not found for update"); } - if (!shibUiService.hasPermission(userService.getCurrentUserAuthentication(), ed, PermissionType.enable)) { + if (!shibUiAuthorizationDelegate.hasPermission(userService.getCurrentUserAuthentication(), ed, PermissionType.enable)) { throw new ForbiddenException("You do not have the permissions necessary to change the enable status of this entity descriptor."); } // check to see if approvals have been completed 
@@ -653,7 +653,7 @@ public EntityDescriptorRepresentation updateEntityDescriptorEnabledStatus(String List approversList = groupService.find(ed.getIdOfOwner()).getApproversList(); if (enabled == true && !ed.isServiceEnabled() && - !shibUiService.hasPermission(userService.getCurrentUserAuthentication(), null, PermissionType.admin) && + !shibUiAuthorizationDelegate.hasPermission(userService.getCurrentUserAuthentication(), null, PermissionType.admin) && approversList.size() > approvedCount) { throw new ForbiddenException("Approval must be completed before you can change the enable status of this entity descriptor."); } @@ -691,4 +691,4 @@ private void validateEntityIdAndACSUrls(EntityDescriptorRepresentation edRep) th } } } -} +} \ No newline at end of file diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/AbstractBaseDataJpaTest.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/AbstractBaseDataJpaTest.groovy index 65195d7ae..791cbbc2e 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/AbstractBaseDataJpaTest.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/AbstractBaseDataJpaTest.groovy @@ -1,5 +1,7 @@ package edu.internet2.tier.shibboleth.admin.ui +import edu.internet2.tier.shibboleth.admin.ui.domain.EntityDescriptor +import edu.internet2.tier.shibboleth.admin.ui.repository.EntityDescriptorRepository import edu.internet2.tier.shibboleth.admin.ui.security.model.Role import edu.internet2.tier.shibboleth.admin.ui.security.model.User import edu.internet2.tier.shibboleth.admin.ui.security.model.listener.GroupUpdatedEntityListener @@ -37,6 +39,9 @@ abstract class AbstractBaseDataJpaTest extends Specification implements ResetsDa @Autowired ApproversRepository approversRepository + @Autowired + EntityDescriptorRepository entityDescriptorRepository + @Autowired EntityManager entityManager 
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorVersionControllerTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorVersionControllerTests.groovy index 0dbb40471..fd8838b4e 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorVersionControllerTests.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorVersionControllerTests.groovy @@ -43,9 +43,6 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. @ContextConfiguration(classes=[EDCLocalConfig]) class EntityDescriptorVersionControllerTests extends AbstractBaseDataJpaTest { - @Autowired - EntityDescriptorRepository entityDescriptorRepository - @Autowired private TestEntityManager testEntityManager @@ -166,4 +163,4 @@ class EntityDescriptorVersionControllerTests extends AbstractBaseDataJpaTest { return new EnversVersionServiceSupport(entityManager) } } -} +} \ No newline at end of file diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/scheduled/EntityDescriptorFilesScheduledTasksTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/scheduled/EntityDescriptorFilesScheduledTasksTests.groovy index b9e9856dd..f25d67682 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/scheduled/EntityDescriptorFilesScheduledTasksTests.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/scheduled/EntityDescriptorFilesScheduledTasksTests.groovy @@ -28,7 +28,7 @@ class EntityDescriptorFilesScheduledTasksTests extends AbstractBaseDataJpaTest { def directory - def entityDescriptorRepository = Mock(EntityDescriptorRepository) + def entityDescriptorRepo = Mock(EntityDescriptorRepository) def entityDescriptorFilesScheduledTasks 
@@ -38,7 +38,7 @@ class EntityDescriptorFilesScheduledTasksTests extends AbstractBaseDataJpaTest { randomGenerator = new RandomGenerator() tempPath = tempPath + randomGenerator.randomRangeInt(10000, 20000) EntityDescriptorConversionUtils.setOpenSamlObjects(openSamlObjects) - entityDescriptorFilesScheduledTasks = new EntityDescriptorFilesScheduledTasks(tempPath, entityDescriptorRepository, openSamlObjects, new FileCheckingFileWritingService()) + entityDescriptorFilesScheduledTasks = new EntityDescriptorFilesScheduledTasks(tempPath, entityDescriptorRepo, openSamlObjects, new FileCheckingFileWritingService()) directory = new File(tempPath) directory.mkdir() } @@ -74,7 +74,7 @@ class EntityDescriptorFilesScheduledTasksTests extends AbstractBaseDataJpaTest { } it }) - 1 * entityDescriptorRepository.findAllStreamByServiceEnabled(true) >> [entityDescriptor].stream() + 1 * entityDescriptorRepo.findAllStreamByServiceEnabled(true) >> [entityDescriptor].stream() when: if (directory.exists()) { @@ -107,7 +107,7 @@ class EntityDescriptorFilesScheduledTasksTests extends AbstractBaseDataJpaTest { def file = new File(directory, randomGenerator.randomId() + ".xml") file.text = "Delete me!" - 1 * entityDescriptorRepository.findAllStreamByServiceEnabled(true) >> [entityDescriptor].stream() + 1 * entityDescriptorRepo.findAllStreamByServiceEnabled(true) >> [entityDescriptor].stream() when: entityDescriptorFilesScheduledTasks.removeDanglingEntityDescriptorFiles() diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/permission/ShibUiPermissionDelegateTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/permission/ShibUiPermissionDelegateTests.groovy new file mode 100644 index 000000000..f3c3ab8fd --- /dev/null +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/permission/ShibUiPermissionDelegateTests.groovy 
@@ -0,0 +1,202 @@ +package edu.internet2.tier.shibboleth.admin.ui.security.permission + +import edu.internet2.tier.shibboleth.admin.ui.AbstractBaseDataJpaTest +import edu.internet2.tier.shibboleth.admin.ui.domain.EntityDescriptor +import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.EntityDescriptorRepresentation +import edu.internet2.tier.shibboleth.admin.ui.exception.ForbiddenException +import edu.internet2.tier.shibboleth.admin.ui.repository.EntityDescriptorProjection +import edu.internet2.tier.shibboleth.admin.ui.security.model.Approvers +import edu.internet2.tier.shibboleth.admin.ui.security.model.Group +import edu.internet2.tier.shibboleth.admin.ui.security.model.Role +import edu.internet2.tier.shibboleth.admin.ui.security.model.User +import edu.internet2.tier.shibboleth.admin.ui.service.JPAEntityDescriptorServiceImpl +import edu.internet2.tier.shibboleth.admin.ui.util.WithMockAdmin +import org.springframework.beans.factory.annotation.Autowired +import org.springframework.security.test.context.support.WithMockUser +import org.springframework.test.annotation.Rollback +import org.springframework.transaction.annotation.Transactional + +@Rollback +class ShibUiPermissionDelegateTests extends AbstractBaseDataJpaTest { + ShibUiPermissionDelegate delegate + + @Autowired + JPAEntityDescriptorServiceImpl jpaEntityDescriptorService + + def entityDescriptor + def entityDescriptor2 + def entityDescriptor3 + + @Transactional + def setup() { + delegate = new ShibUiPermissionDelegate(entityDescriptorRepository, userService) + createDevUsersAndGroups() + } + + def createDevUsersAndGroups() { + def groups = [ + new Group().with { + it.name = "A1" + it.description = "AAA Group" + it.resourceId = "AAA" + it + }, + new Group().with { + it.name = "B1" + it.description = "BBB Group" + it.resourceId = "BBB" + it + }] + groups.each { + try { + groupRepository.save(it) + } catch (Throwable e) { + // Must already exist (from a unit test) + } + } + groupRepository.flush() + + 
List apprGroups = new ArrayList<>() + String[] groupNames = ['XXX', 'YYY', 'ZZZ'] + groupNames.each {name -> { + Group group = new Group().with({ + it.name = name + it.description = name + it.resourceId = name + it + }) + if (name != "ZZZ") { + apprGroups.add(groupRepository.save(group)) + } else { + Approvers approvers = new Approvers() + approvers.setApproverGroups(apprGroups) + List apprList = new ArrayList<>() + apprList.add(approversRepository.save(approvers)) + group.setApproversList(apprList) + groupRepository.save(group) + } + }} + groupRepository.flush() + + if (roleRepository.count() == 0) { + def roles = [new Role().with { + name = 'ROLE_ADMIN' + it + }, new Role().with { + name = 'ROLE_USER' + it + }, new Role().with { + name = 'ROLE_NONE' + it + }, new Role().with { + name = 'ROLE_ENABLE' + it + }] + roles.each { + roleRepository.save(it) + } + } + roleRepository.flush() + if (userRepository.count() < 2) { + userRepository.deleteAll() + def users = [new User().with { + username = 'admin' + password = '{noop}adminpass' + firstName = 'Joe' + lastName = 'Doe' + emailAddress = 'joe@institution.edu' + roles.add(roleRepository.findByName('ROLE_ADMIN').get()) + it + }, new User().with { + username = 'enableZ' + password = '{noop}nonadminpass' + firstName = 'Peter' + lastName = 'Vandelay' + emailAddress = 'peter@institution.edu' + setGroupId('ZZZ') + roles.add(roleRepository.findByName('ROLE_ENABLE').get()) + it + }, new User().with { + username = 'Approver' + password = '{noop}password' + firstName = 'Bad' + lastName = 'robot' + emailAddress = 'badboy@institution.edu' + setGroupId('XXX') + roles.add(roleRepository.findByName('ROLE_USER').get()) + it + }, new User().with { + username = 'Submitter' + password = '{noop}password' + firstName = 'Bad' + lastName = 'robot2' + emailAddress = 'badboy2@institution.edu' + setGroupId('ZZZ') + roles.add(roleRepository.findByName('ROLE_NONE').get()) + it + }] + users.each { + userService.save(it) + } + } + 
entityManager.flush() + entityManager.clear() + + entityDescriptor = new EntityDescriptor(resourceId: 'uuid-1', entityID: 'eid1', serviceProviderName: 'sp1', serviceEnabled: false, idOfOwner: 'ZZZ') + def edid = jpaEntityDescriptorService.createNew(entityDescriptor).getId() + entityManager.flush() + entityDescriptor2 = new EntityDescriptor(resourceId: 'uuid-2', entityID: 'eid2', serviceProviderName: 'sp2', serviceEnabled: false, idOfOwner: 'XXX') + def edid2 = jpaEntityDescriptorService.createNew(entityDescriptor2).getId() + entityManager.flush() + entityDescriptor3 = new EntityDescriptor(resourceId: 'uuid-3', entityID: 'eid3', serviceProviderName: 'sp3', serviceEnabled: false, idOfOwner: 'YYY') + def edid3 = jpaEntityDescriptorService.createNew(entityDescriptor3).getId() + entityManager.flush() + + jpaEntityDescriptorService.updateGroupForEntityDescriptor(edid, 'ZZZ') + jpaEntityDescriptorService.updateGroupForEntityDescriptor(edid2, 'XXX') + jpaEntityDescriptorService.updateGroupForEntityDescriptor(edid3, 'YYY') + entityManager.flush() + } + + @WithMockAdmin + def testAdmin() { + expect: + delegate.hasPermission(userService.getCurrentUserAuthentication(), "doesn't matter", PermissionType.admin) + delegate.hasPermission(null, "doesn't matter", PermissionType.admin) + } + + @WithMockUser(username = "Approver", roles = ["USER"]) + def testApproverPerms() { + expect: + userRepository.findAll().size() == 4 + !delegate.hasPermission(null, "doesn't matter", PermissionType.admin) + !delegate.hasPermission(null, entityDescriptor, PermissionType.enable) + !delegate.hasPermission(null, entityDescriptor2, PermissionType.enable) + !delegate.hasPermission(null, entityDescriptor3, PermissionType.enable) + + delegate.hasPermission(null, entityDescriptor, PermissionType.approve) + !delegate.hasPermission(null, entityDescriptor2, PermissionType.approve) + !delegate.hasPermission(null, entityDescriptor3, PermissionType.approve) + + delegate.hasPermission(null, entityDescriptor, 
PermissionType.viewOrEdit) + delegate.hasPermission(null, entityDescriptor2, PermissionType.viewOrEdit) + !delegate.hasPermission(null, entityDescriptor3, PermissionType.viewOrEdit) + + when: + def Collection fetch = delegate.getPersistentEntities(null, ShibUiPermissibleType.entityDescriptorProjection, PermissionType.fetch) + def Collection approve = delegate.getPersistentEntities(null, ShibUiPermissibleType.entityDescriptorProjection, PermissionType.approve) + + then: + fetch.size() == 1 + ((EntityDescriptorProjection)fetch.iterator().next()).getEntityID().equals("eid2") + + approve.size() == 1 + ((EntityDescriptorProjection)approve.iterator().next()).getEntityID().equals("eid1") + + when: + delegate.getPersistentEntities(null, ShibUiPermissibleType.entityDescriptorProjection, PermissionType.enable) + + then: + thrown (ForbiddenException) + } +} \ No newline at end of file
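Review bot: The new test class never exercises the positive path of the enable logic this commit moved into the delegate: it seeds an `enableZ` user with `ROLE_ENABLE` in group `ZZZ`, but every assertion on `PermissionType.enable` runs as `Approver` (ROLE_USER) and expects false, so a regression that makes `currentUserCanEnable` always return false would still pass. A feature run as `enableZ` should assert true for `entityDescriptor` (owner `ZZZ`) and false for the `XXX`/`YYY` descriptors, and that `getPersistentEntities(..., PermissionType.enable)` still throws `ForbiddenException` for that non-admin. Separately, `createDevUsersAndGroups` wraps `groupRepository.save(it)` in `catch (Throwable e)` with the comment that the group must already exist; catching `Throwable` also hides genuine setup failures (constraint violations, a broken context) and moves the failure to a confusing later assertion — catch the specific persistence exception or check for the group before saving. The `userRepository.count() < 2` / `deleteAll()` branch couples this class to leftover state from other tests, which sits oddly with the class-level `@Rollback`; seeding unconditionally inside the rolled-back transaction would be simpler and deterministic.
```groovy
    @WithMockUser(username = "enableZ", roles = ["ENABLE"])
    def testEnablerPerms() {
        expect:
        !delegate.hasPermission(null, "doesn't matter", PermissionType.admin)
        delegate.hasPermission(null, entityDescriptor, PermissionType.enable)    // owner ZZZ == enableZ's group
        !delegate.hasPermission(null, entityDescriptor2, PermissionType.enable)  // owner XXX
        !delegate.hasPermission(null, entityDescriptor3, PermissionType.enable)  // owner YYY

        when:
        delegate.getPersistentEntities(null, ShibUiPermissibleType.entityDescriptorProjection, PermissionType.enable)

        then:
        thrown(ForbiddenException)
    }
```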