1 /* Copyright (c) 2019 AT&T Intellectual Property. #
\r
3 # Licensed under the Apache License, Version 2.0 (the "License"); #
\r
4 # you may not use this file except in compliance with the License. #
\r
5 # You may obtain a copy of the License at #
\r
7 # http://www.apache.org/licenses/LICENSE-2.0 #
\r
9 # Unless required by applicable law or agreed to in writing, software #
\r
10 # distributed under the License is distributed on an "AS IS" BASIS, #
\r
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
\r
12 # See the License for the specific language governing permissions and #
\r
13 # limitations under the License. #
\r
14 ##############################################################################*/
\r
17 package org.oran.otf.api.tests.integration.services.Permissions;
\r
19 import org.oran.otf.api.Application;
\r
20 import org.oran.otf.api.tests.shared.MemoryDatabase;
\r
21 import org.oran.otf.common.model.Group;
\r
22 import org.oran.otf.common.model.GroupMember;
\r
23 import org.oran.otf.common.model.User;
\r
24 import org.oran.otf.common.repository.GroupRepository;
\r
25 import org.oran.otf.common.utility.permissions.PermissionChecker;
\r
26 import org.oran.otf.common.utility.permissions.PermissionUtil;
\r
27 import org.oran.otf.common.utility.permissions.UserPermission;
\r
28 import org.bson.types.ObjectId;
\r
30 import org.junit.runner.RunWith;
\r
31 import org.mockito.Mockito;
\r
32 import org.springframework.beans.factory.annotation.Autowired;
\r
33 import org.springframework.boot.test.context.SpringBootTest;
\r
34 import org.springframework.test.context.ActiveProfiles;
\r
35 import org.springframework.test.context.TestPropertySource;
\r
36 import org.springframework.test.context.junit4.SpringRunner;
\r
40 @RunWith(SpringRunner.class)
\r
42 webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
\r
46 @TestPropertySource("classpath:application-test.properties")
\r
47 @ActiveProfiles("test")
\r
48 public class PermissionServiceIT {
\r
50 private GroupRepository groupRepository;
\r
51 private List<Group> groups;
\r
52 private Group parentGroup;
\r
53 private Group firstChildGroup;
\r
54 private Group childOfChildGroup;
\r
57 public static void setUp() throws Exception{
\r
58 MemoryDatabase.setup();
\r
59 MemoryDatabase.createGroupsForPermission();
\r
62 public void setUpGroups()
\r
64 groups = groupRepository.findAll();
\r
65 parentGroup = groupRepository.findFirstByGroupName("parent group");
\r
66 firstChildGroup = groupRepository.findFirstByGroupName("first child group");
\r
67 childOfChildGroup = groupRepository.findFirstByGroupName("child of child group");
\r
70 public static void cleanup(){
\r
71 MemoryDatabase.cleanup();
\r
74 if this test failed there was a error during set up so ignore the failures produced by other tests til this pass
\r
77 public void setUpTest(){
\r
78 List<Group> groups = groupRepository.findAll();
\r
79 parentGroup = groupRepository.findFirstByGroupName("parent group");
\r
80 firstChildGroup = groupRepository.findFirstByGroupName("first child group");
\r
81 childOfChildGroup = groupRepository.findFirstByGroupName("child of child group");
\r
82 Assert.assertNotNull(groups);
\r
83 Assert.assertFalse(groups.isEmpty());
\r
85 Assert.assertNotNull(parentGroup.getMembers());
\r
86 Assert.assertFalse(parentGroup.getMembers().isEmpty());
\r
87 Assert.assertNotNull(parentGroup.getRoles());
\r
88 Assert.assertFalse(parentGroup.getRoles().isEmpty());
\r
90 Assert.assertNotNull(firstChildGroup.getMembers());
\r
91 Assert.assertFalse(firstChildGroup.getMembers().isEmpty());
\r
92 Assert.assertNotNull(firstChildGroup.getRoles());
\r
93 Assert.assertFalse(firstChildGroup.getRoles().isEmpty());
\r
95 Assert.assertNotNull(childOfChildGroup.getMembers());
\r
96 Assert.assertFalse(childOfChildGroup.getMembers().isEmpty());
\r
97 Assert.assertNotNull(childOfChildGroup.getRoles());
\r
98 Assert.assertFalse(childOfChildGroup.getRoles().isEmpty());
\r
99 // all groups are set up with 1 member in memory db
\r
100 Assert.assertEquals(1,parentGroup.getMembers().size());
\r
101 Assert.assertEquals(1,firstChildGroup.getMembers().size());
\r
102 Assert.assertEquals(1,childOfChildGroup.getMembers().size());
\r
105 public void findUserRoles(){
\r
106 GroupMember parentMember = parentGroup.getMembers().get(0);
\r
107 GroupMember firstChildMember = firstChildGroup.getMembers().get(0);
\r
108 GroupMember childOfChildMember = childOfChildGroup.getMembers().get(0);
\r
110 User parentUserMock = Mockito.mock(User.class);
\r
111 User firstChildUserMock = Mockito.mock(User.class);
\r
112 User childOfChildUserMock = Mockito.mock(User.class);
\r
114 Mockito.when(parentUserMock.get_id()).thenReturn(parentMember.getUserId());
\r
115 Mockito.when(firstChildUserMock.get_id()).thenReturn(firstChildMember.getUserId());
\r
116 Mockito.when(childOfChildUserMock.get_id()).thenReturn(childOfChildMember.getUserId());
\r
118 Set<String> parentMemberRoles = PermissionUtil.findUserRoles(parentUserMock, parentGroup);
\r
119 Set<String> firstChildRoles = PermissionUtil.findUserRoles(firstChildUserMock, firstChildGroup);
\r
120 Set<String> childOfChildRoles = PermissionUtil.findUserRoles(childOfChildUserMock, childOfChildGroup);
\r
122 // all group members should only have 1 role (admin) set up except first child
\r
123 Assert.assertEquals(1,parentMemberRoles.size());
\r
124 Assert.assertTrue(parentMemberRoles.contains("admin"));
\r
125 Assert.assertEquals(2,firstChildRoles.size());
\r
126 Assert.assertTrue(firstChildRoles.contains("admin"));
\r
127 Assert.assertTrue(firstChildRoles.contains("dev"));
\r
128 Assert.assertEquals(1,childOfChildRoles.size());
\r
129 Assert.assertTrue(childOfChildRoles.contains("executor"));
\r
131 Assert.assertFalse(parentMemberRoles.contains("executor"));
\r
132 Assert.assertFalse(firstChildRoles.contains("executor"));
\r
133 Assert.assertFalse("should not have admin roles in child of child", childOfChildRoles.contains("admin"));
\r
136 public void getRolePermissionsTest()
\r
138 ObjectId firstChildId =firstChildGroup.getMembers().get(0).getUserId();
\r
139 User firstChildUserMock = Mockito.mock(User.class);
\r
140 Mockito.when(firstChildUserMock.get_id()).thenReturn(firstChildId);
\r
141 Set<String> roles = PermissionUtil.findUserRoles(firstChildUserMock,firstChildGroup); //dev and admin roles only
\r
143 Assert.assertEquals(2,roles.size());
\r
144 for(String role : roles){
\r
145 Set<String> permissions = PermissionUtil.getRolePermissions(role,parentGroup);
\r
146 Assert.assertTrue("all permissions allowed except execute and delete",permissions.contains("READ"));
\r
147 Assert.assertTrue("all permissions allowed except execute and delete",permissions.contains("WRITE"));
\r
148 Assert.assertFalse("all permissions allowed except execute and delete",permissions.contains("DELETE"));
\r
149 Assert.assertFalse("all permissions allowed except execute and delete",permissions.contains("EXECUTE"));
\r
153 public void getUserGroupPermissionTest(){
\r
154 GroupMember firstChildMember = firstChildGroup.getMembers().get(0);
\r
155 User firstChildUser = Mockito.mock(User.class);
\r
156 Mockito.when(firstChildUser.get_id()).thenReturn(firstChildMember.getUserId());
\r
157 Set<String> permissions = PermissionUtil.getUserGroupPermissions(firstChildUser,firstChildGroup); // should include everything except execute and delete
\r
159 Assert.assertEquals(3,permissions.size());
\r
160 Assert.assertTrue("all permissions allowed except execute and delete",permissions.contains("READ"));
\r
161 Assert.assertTrue("all permissions allowed except execute and delete",permissions.contains("WRITE"));
\r
162 Assert.assertFalse("all permissions allowed except execute and delete",permissions.contains("DELETE"));
\r
163 Assert.assertFalse("all permissions allowed except execute and delete",permissions.contains("EXECUTE"));
\r
164 Assert.assertTrue("all permissions allowed except execute and delete",permissions.contains("MANAGEMENT"));
\r
168 public void hasPermissionToTest(){
\r
169 GroupMember parentMember = parentGroup.getMembers().get(0);
\r
170 GroupMember firstChildMember = firstChildGroup.getMembers().get(0);
\r
171 GroupMember childOfChildMember = childOfChildGroup.getMembers().get(0);
\r
173 User parentGroupUser = Mockito.mock(User.class);
\r
174 User firstChildUser = Mockito.mock(User.class);
\r
175 User childOfChildUser =Mockito.mock(User.class);
\r
176 Mockito.when(parentGroupUser.get_id()).thenReturn(parentMember.getUserId());
\r
177 Mockito.when(firstChildUser.get_id()).thenReturn(firstChildMember.getUserId());
\r
178 Mockito.when(childOfChildUser.get_id()).thenReturn(childOfChildMember.getUserId());
\r
180 String read = "read";
\r
181 String write= "write";
\r
182 String manage = "management";
\r
183 String delete = "delete";
\r
184 String execute= "execute";
\r
186 Assert.assertTrue(PermissionUtil.hasPermissionTo(read,parentGroupUser,parentGroup));
\r
187 Assert.assertTrue(PermissionUtil.hasPermissionTo(write,parentGroupUser,parentGroup));
\r
188 Assert.assertTrue(PermissionUtil.hasPermissionTo(manage,parentGroupUser,parentGroup));
\r
189 Assert.assertFalse(PermissionUtil.hasPermissionTo(delete,parentGroupUser,parentGroup));
\r
190 Assert.assertFalse(PermissionUtil.hasPermissionTo(execute,parentGroupUser,parentGroup));
\r
192 Assert.assertTrue(PermissionUtil.hasPermissionTo(read,firstChildUser,firstChildGroup));
\r
193 Assert.assertTrue(PermissionUtil.hasPermissionTo(write,firstChildUser,firstChildGroup));
\r
194 Assert.assertTrue(PermissionUtil.hasPermissionTo(manage,firstChildUser,firstChildGroup));
\r
195 Assert.assertFalse(PermissionUtil.hasPermissionTo(delete,firstChildUser,firstChildGroup));
\r
196 Assert.assertFalse(PermissionUtil.hasPermissionTo(execute,firstChildUser,firstChildGroup));
\r
198 Assert.assertFalse(PermissionUtil.hasPermissionTo(read,childOfChildUser,childOfChildGroup));
\r
199 Assert.assertFalse(PermissionUtil.hasPermissionTo(write,childOfChildUser,childOfChildGroup));
\r
200 Assert.assertFalse(PermissionUtil.hasPermissionTo(manage,childOfChildUser,childOfChildGroup));
\r
201 Assert.assertFalse(PermissionUtil.hasPermissionTo(delete,childOfChildUser,childOfChildGroup));
\r
202 Assert.assertTrue(PermissionUtil.hasPermissionTo(execute,childOfChildUser,childOfChildGroup));
\r
205 public void buildUserPermissionTest()
\r
208 should be the following format
\r
210 parentGroup = {read,write,management}
\r
211 first Child group = {read}
\r
212 child of child group = {read}
\r
215 parentGroup = {read}
\r
216 first Child group = {read,write,management}
\r
217 child of child group = {read}
\r
220 parentGroup = {read}
\r
221 first Child group = {read}
\r
222 child of child group = {execute}
\r
225 GroupMember parentMember = parentGroup.getMembers().get(0);
\r
226 GroupMember firstChildMember = firstChildGroup.getMembers().get(0);
\r
227 GroupMember childOfChildMember = childOfChildGroup.getMembers().get(0);
\r
229 User parentGroupUser = Mockito.mock(User.class);
\r
230 User firstChildUser = Mockito.mock(User.class);
\r
231 User childOfChildUser =Mockito.mock(User.class);
\r
232 Mockito.when(parentGroupUser.get_id()).thenReturn(parentMember.getUserId());
\r
233 Mockito.when(firstChildUser.get_id()).thenReturn(firstChildMember.getUserId());
\r
234 Mockito.when(childOfChildUser.get_id()).thenReturn(childOfChildMember.getUserId());
\r
236 String read = "READ";
\r
237 String write= "WRITE";
\r
238 String manage = "MANAGEMENT";
\r
239 String delete = "DELETE";
\r
240 String execute= "EXECUTE";
\r
242 UserPermission parentUserPermissions = new PermissionUtil().buildUserPermission(parentGroupUser,groupRepository);
\r
243 UserPermission firstChildUserPermissions = new PermissionUtil().buildUserPermission(firstChildUser,groupRepository);
\r
244 UserPermission childOfChildUserPermissions = new PermissionUtil().buildUserPermission(childOfChildUser,groupRepository);
\r
245 Map<String,Set<String>> parentAccessControl = parentUserPermissions.getUserAccessMap();
\r
246 Map<String,Set<String>> firstChildAccessControl = firstChildUserPermissions.getUserAccessMap();
\r
247 Map<String,Set<String>> childOfChildAccessControl = childOfChildUserPermissions.getUserAccessMap();
\r
249 //test for parent access control
\r
250 Assert.assertTrue(parentAccessControl.get(parentGroup.get_id().toString()).contains(read));
\r
251 Assert.assertTrue(parentAccessControl.get(parentGroup.get_id().toString()).contains(write));
\r
252 Assert.assertTrue(parentAccessControl.get(parentGroup.get_id().toString()).contains(manage));
\r
253 //test all access is passed to firstChildGroup
\r
254 Assert.assertTrue(parentAccessControl.get(firstChildGroup.get_id().toString()).contains(read));
\r
255 Assert.assertTrue(parentAccessControl.get(firstChildGroup.get_id().toString()).contains(write));
\r
256 Assert.assertTrue(parentAccessControl.get(firstChildGroup.get_id().toString()).contains(manage));
\r
257 //test all access is passed to child of child group
\r
258 Assert.assertTrue(parentAccessControl.get(childOfChildGroup.get_id().toString()).contains(read));
\r
259 Assert.assertTrue(parentAccessControl.get(childOfChildGroup.get_id().toString()).contains(write));
\r
260 Assert.assertTrue(parentAccessControl.get(childOfChildGroup.get_id().toString()).contains(manage));
\r
261 // make sure parent user dont have other permissions in first child group
\r
262 Assert.assertFalse(parentAccessControl.get(firstChildGroup.get_id().toString()).contains(delete));
\r
263 Assert.assertFalse(parentAccessControl.get(firstChildGroup.get_id().toString()).contains(execute));
\r
264 //test that parent dont have other permissions in child of child group
\r
265 Assert.assertFalse(parentAccessControl.get(childOfChildGroup.get_id().toString()).contains(delete));
\r
266 Assert.assertFalse(parentAccessControl.get(childOfChildGroup.get_id().toString()).contains(execute));
\r
268 //test for first child access control
\r
269 Assert.assertTrue(firstChildAccessControl.get(parentGroup.get_id().toString()).contains(read));
\r
270 Assert.assertTrue(firstChildAccessControl.get(firstChildGroup.get_id().toString()).contains(read));
\r
271 Assert.assertTrue(firstChildAccessControl.get(firstChildGroup.get_id().toString()).contains(write));
\r
272 Assert.assertTrue(firstChildAccessControl.get(firstChildGroup.get_id().toString()).contains(manage));
\r
273 // test that first child group get passed to child of child
\r
274 Assert.assertTrue(firstChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(read));
\r
275 Assert.assertTrue(firstChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(write));
\r
276 Assert.assertTrue(firstChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(manage));
\r
277 // make sure firstchild user dont have other permissions
\r
278 Assert.assertFalse(firstChildAccessControl.get(parentGroup.get_id().toString()).contains(write));
\r
279 Assert.assertFalse(firstChildAccessControl.get(parentGroup.get_id().toString()).contains(manage));
\r
280 Assert.assertFalse(firstChildAccessControl.get(parentGroup.get_id().toString()).contains(delete));
\r
281 Assert.assertFalse(firstChildAccessControl.get(parentGroup.get_id().toString()).contains(execute));
\r
282 // test to confirm no extra permission is passed to child of child
\r
283 Assert.assertFalse(firstChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(delete));
\r
284 Assert.assertFalse(firstChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(execute));
\r
286 //test for child of child access control
\r
287 Assert.assertTrue(childOfChildAccessControl.get(parentGroup.get_id().toString()).contains(read));
\r
288 Assert.assertTrue(childOfChildAccessControl.get(firstChildGroup.get_id().toString()).contains(read));
\r
289 Assert.assertTrue(childOfChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(execute));
\r
290 // make sure child of child user dont have other permissions
\r
291 Assert.assertFalse(childOfChildAccessControl.get(parentGroup.get_id().toString()).contains(write));
\r
292 Assert.assertFalse(childOfChildAccessControl.get(parentGroup.get_id().toString()).contains(manage));
\r
293 Assert.assertFalse(childOfChildAccessControl.get(parentGroup.get_id().toString()).contains(delete));
\r
294 Assert.assertFalse(childOfChildAccessControl.get(parentGroup.get_id().toString()).contains(execute));
\r
296 Assert.assertFalse(childOfChildAccessControl.get(firstChildGroup.get_id().toString()).contains(write));
\r
297 Assert.assertFalse(childOfChildAccessControl.get(firstChildGroup.get_id().toString()).contains(manage));
\r
298 Assert.assertFalse(childOfChildAccessControl.get(firstChildGroup.get_id().toString()).contains(delete));
\r
299 Assert.assertFalse(childOfChildAccessControl.get(firstChildGroup.get_id().toString()).contains(execute));
\r
301 Assert.assertFalse(childOfChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(write));
\r
302 Assert.assertFalse(childOfChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(manage));
\r
303 Assert.assertFalse(childOfChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(delete));
\r
304 Assert.assertFalse(childOfChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(read));
\r
307 public void basicTest(){
\r
308 GroupMember parentMember = parentGroup.getMembers().get(0);
\r
309 GroupMember firstChildMember = firstChildGroup.getMembers().get(0);
\r
310 GroupMember childOfChildMember = childOfChildGroup.getMembers().get(0);
\r
312 User parentGroupUser = Mockito.mock(User.class);
\r
313 User firstChildUser = Mockito.mock(User.class);
\r
314 User childOfChildUser =Mockito.mock(User.class);
\r
315 Mockito.when(parentGroupUser.get_id()).thenReturn(parentMember.getUserId());
\r
316 Mockito.when(firstChildUser.get_id()).thenReturn(firstChildMember.getUserId());
\r
317 Mockito.when(childOfChildUser.get_id()).thenReturn(childOfChildMember.getUserId());
\r
319 Assert.assertTrue(PermissionChecker.hasPermissionTo(childOfChildUser,firstChildGroup,UserPermission.Permission.READ,groupRepository));
\r
320 Assert.assertTrue(PermissionChecker.hasPermissionTo(childOfChildUser,parentGroup,UserPermission.Permission.READ,groupRepository));
\r
321 Assert.assertFalse(PermissionChecker.hasPermissionTo(childOfChildUser,childOfChildGroup,UserPermission.Permission.READ,groupRepository));
\r
323 Assert.assertFalse(PermissionChecker.hasPermissionTo(childOfChildUser,firstChildGroup,UserPermission.Permission.EXECUTE,groupRepository));
\r
324 Assert.assertTrue(PermissionChecker.hasPermissionTo(firstChildUser,firstChildGroup,UserPermission.Permission.WRITE,groupRepository));
\r
325 Assert.assertFalse(PermissionChecker.hasPermissionTo(firstChildUser,firstChildGroup,UserPermission.Permission.EXECUTE,groupRepository));
\r
327 Assert.assertFalse(PermissionChecker.hasPermissionTo(parentGroupUser,parentGroup,UserPermission.Permission.DELETE,groupRepository));
\r
328 Assert.assertFalse(PermissionChecker.hasPermissionTo(parentGroupUser,parentGroup,UserPermission.Permission.EXECUTE,groupRepository));
\r
329 Assert.assertFalse(PermissionChecker.hasPermissionTo(parentGroupUser,firstChildGroup,UserPermission.Permission.EXECUTE,groupRepository));
\r