--- /dev/null
+/* Copyright (c) 2019 AT&T Intellectual Property. #\r
+# #\r
+# Licensed under the Apache License, Version 2.0 (the "License"); #\r
+# you may not use this file except in compliance with the License. #\r
+# You may obtain a copy of the License at #\r
+# #\r
+# http://www.apache.org/licenses/LICENSE-2.0 #\r
+# #\r
+# Unless required by applicable law or agreed to in writing, software #\r
+# distributed under the License is distributed on an "AS IS" BASIS, #\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #\r
+# See the License for the specific language governing permissions and #\r
+# limitations under the License. #\r
+##############################################################################*/\r
+\r
+\r
+package org.oran.otf.api.tests.integration.services.Permissions;\r
+\r
+import org.oran.otf.api.Application;\r
+import org.oran.otf.api.tests.shared.MemoryDatabase;\r
+import org.oran.otf.common.model.Group;\r
+import org.oran.otf.common.model.GroupMember;\r
+import org.oran.otf.common.model.User;\r
+import org.oran.otf.common.repository.GroupRepository;\r
+import org.oran.otf.common.utility.permissions.PermissionChecker;\r
+import org.oran.otf.common.utility.permissions.PermissionUtil;\r
+import org.oran.otf.common.utility.permissions.UserPermission;\r
+import org.bson.types.ObjectId;\r
+import org.junit.*;\r
+import org.junit.runner.RunWith;\r
+import org.mockito.Mockito;\r
+import org.springframework.beans.factory.annotation.Autowired;\r
+import org.springframework.boot.test.context.SpringBootTest;\r
+import org.springframework.test.context.ActiveProfiles;\r
+import org.springframework.test.context.TestPropertySource;\r
+import org.springframework.test.context.junit4.SpringRunner;\r
+\r
+import java.util.*;\r
+\r
+@RunWith(SpringRunner.class)\r
+@SpringBootTest(\r
+ webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,\r
+ classes = {\r
+ Application.class,\r
+ })\r
+@TestPropertySource("classpath:application-test.properties")\r
+@ActiveProfiles("test")\r
+public class PermissionServiceIT {\r
+ @Autowired\r
+ private GroupRepository groupRepository;\r
+ private List<Group> groups;\r
+ private Group parentGroup;\r
+ private Group firstChildGroup;\r
+ private Group childOfChildGroup;\r
+\r
+ @BeforeClass\r
+ public static void setUp() throws Exception{\r
+ MemoryDatabase.setup();\r
+ MemoryDatabase.createGroupsForPermission();\r
+ }\r
+ @Before\r
+ public void setUpGroups()\r
+ {\r
+ groups = groupRepository.findAll();\r
+ parentGroup = groupRepository.findFirstByGroupName("parent group");\r
+ firstChildGroup = groupRepository.findFirstByGroupName("first child group");\r
+ childOfChildGroup = groupRepository.findFirstByGroupName("child of child group");\r
+ }\r
+ @AfterClass\r
+ public static void cleanup(){\r
+ MemoryDatabase.cleanup();\r
+ }\r
+ /*\r
+ if this test failed there was a error during set up so ignore the failures produced by other tests til this pass\r
+ */\r
+ @Test\r
+ public void setUpTest(){\r
+ List<Group> groups = groupRepository.findAll();\r
+ parentGroup = groupRepository.findFirstByGroupName("parent group");\r
+ firstChildGroup = groupRepository.findFirstByGroupName("first child group");\r
+ childOfChildGroup = groupRepository.findFirstByGroupName("child of child group");\r
+ Assert.assertNotNull(groups);\r
+ Assert.assertFalse(groups.isEmpty());\r
+\r
+ Assert.assertNotNull(parentGroup.getMembers());\r
+ Assert.assertFalse(parentGroup.getMembers().isEmpty());\r
+ Assert.assertNotNull(parentGroup.getRoles());\r
+ Assert.assertFalse(parentGroup.getRoles().isEmpty());\r
+\r
+ Assert.assertNotNull(firstChildGroup.getMembers());\r
+ Assert.assertFalse(firstChildGroup.getMembers().isEmpty());\r
+ Assert.assertNotNull(firstChildGroup.getRoles());\r
+ Assert.assertFalse(firstChildGroup.getRoles().isEmpty());\r
+\r
+ Assert.assertNotNull(childOfChildGroup.getMembers());\r
+ Assert.assertFalse(childOfChildGroup.getMembers().isEmpty());\r
+ Assert.assertNotNull(childOfChildGroup.getRoles());\r
+ Assert.assertFalse(childOfChildGroup.getRoles().isEmpty());\r
+ // all groups are set up with 1 member in memory db\r
+ Assert.assertEquals(1,parentGroup.getMembers().size());\r
+ Assert.assertEquals(1,firstChildGroup.getMembers().size());\r
+ Assert.assertEquals(1,childOfChildGroup.getMembers().size());\r
+ }\r
+ @Test\r
+ public void findUserRoles(){\r
+ GroupMember parentMember = parentGroup.getMembers().get(0);\r
+ GroupMember firstChildMember = firstChildGroup.getMembers().get(0);\r
+ GroupMember childOfChildMember = childOfChildGroup.getMembers().get(0);\r
+\r
+ User parentUserMock = Mockito.mock(User.class);\r
+ User firstChildUserMock = Mockito.mock(User.class);\r
+ User childOfChildUserMock = Mockito.mock(User.class);\r
+\r
+ Mockito.when(parentUserMock.get_id()).thenReturn(parentMember.getUserId());\r
+ Mockito.when(firstChildUserMock.get_id()).thenReturn(firstChildMember.getUserId());\r
+ Mockito.when(childOfChildUserMock.get_id()).thenReturn(childOfChildMember.getUserId());\r
+\r
+ Set<String> parentMemberRoles = PermissionUtil.findUserRoles(parentUserMock, parentGroup);\r
+ Set<String> firstChildRoles = PermissionUtil.findUserRoles(firstChildUserMock, firstChildGroup);\r
+ Set<String> childOfChildRoles = PermissionUtil.findUserRoles(childOfChildUserMock, childOfChildGroup);\r
+\r
+ // all group members should only have 1 role (admin) set up except first child\r
+ Assert.assertEquals(1,parentMemberRoles.size());\r
+ Assert.assertTrue(parentMemberRoles.contains("admin"));\r
+ Assert.assertEquals(2,firstChildRoles.size());\r
+ Assert.assertTrue(firstChildRoles.contains("admin"));\r
+ Assert.assertTrue(firstChildRoles.contains("dev"));\r
+ Assert.assertEquals(1,childOfChildRoles.size());\r
+ Assert.assertTrue(childOfChildRoles.contains("executor"));\r
+\r
+ Assert.assertFalse(parentMemberRoles.contains("executor"));\r
+ Assert.assertFalse(firstChildRoles.contains("executor"));\r
+ Assert.assertFalse("should not have admin roles in child of child", childOfChildRoles.contains("admin"));\r
+ }\r
+ @Test\r
+ public void getRolePermissionsTest()\r
+ {\r
+ ObjectId firstChildId =firstChildGroup.getMembers().get(0).getUserId();\r
+ User firstChildUserMock = Mockito.mock(User.class);\r
+ Mockito.when(firstChildUserMock.get_id()).thenReturn(firstChildId);\r
+ Set<String> roles = PermissionUtil.findUserRoles(firstChildUserMock,firstChildGroup); //dev and admin roles only\r
+\r
+ Assert.assertEquals(2,roles.size());\r
+ for(String role : roles){\r
+ Set<String> permissions = PermissionUtil.getRolePermissions(role,parentGroup);\r
+ Assert.assertTrue("all permissions allowed except execute and delete",permissions.contains("READ"));\r
+ Assert.assertTrue("all permissions allowed except execute and delete",permissions.contains("WRITE"));\r
+ Assert.assertFalse("all permissions allowed except execute and delete",permissions.contains("DELETE"));\r
+ Assert.assertFalse("all permissions allowed except execute and delete",permissions.contains("EXECUTE"));\r
+ }\r
+ }\r
+ @Test\r
+ public void getUserGroupPermissionTest(){\r
+ GroupMember firstChildMember = firstChildGroup.getMembers().get(0);\r
+ User firstChildUser = Mockito.mock(User.class);\r
+ Mockito.when(firstChildUser.get_id()).thenReturn(firstChildMember.getUserId());\r
+ Set<String> permissions = PermissionUtil.getUserGroupPermissions(firstChildUser,firstChildGroup); // should include everything except execute and delete\r
+\r
+ Assert.assertEquals(3,permissions.size());\r
+ Assert.assertTrue("all permissions allowed except execute and delete",permissions.contains("READ"));\r
+ Assert.assertTrue("all permissions allowed except execute and delete",permissions.contains("WRITE"));\r
+ Assert.assertFalse("all permissions allowed except execute and delete",permissions.contains("DELETE"));\r
+ Assert.assertFalse("all permissions allowed except execute and delete",permissions.contains("EXECUTE"));\r
+ Assert.assertTrue("all permissions allowed except execute and delete",permissions.contains("MANAGEMENT"));\r
+ }\r
+\r
+ @Test\r
+ public void hasPermissionToTest(){\r
+ GroupMember parentMember = parentGroup.getMembers().get(0);\r
+ GroupMember firstChildMember = firstChildGroup.getMembers().get(0);\r
+ GroupMember childOfChildMember = childOfChildGroup.getMembers().get(0);\r
+\r
+ User parentGroupUser = Mockito.mock(User.class);\r
+ User firstChildUser = Mockito.mock(User.class);\r
+ User childOfChildUser =Mockito.mock(User.class);\r
+ Mockito.when(parentGroupUser.get_id()).thenReturn(parentMember.getUserId());\r
+ Mockito.when(firstChildUser.get_id()).thenReturn(firstChildMember.getUserId());\r
+ Mockito.when(childOfChildUser.get_id()).thenReturn(childOfChildMember.getUserId());\r
+\r
+ String read = "read";\r
+ String write= "write";\r
+ String manage = "management";\r
+ String delete = "delete";\r
+ String execute= "execute";\r
+\r
+ Assert.assertTrue(PermissionUtil.hasPermissionTo(read,parentGroupUser,parentGroup));\r
+ Assert.assertTrue(PermissionUtil.hasPermissionTo(write,parentGroupUser,parentGroup));\r
+ Assert.assertTrue(PermissionUtil.hasPermissionTo(manage,parentGroupUser,parentGroup));\r
+ Assert.assertFalse(PermissionUtil.hasPermissionTo(delete,parentGroupUser,parentGroup));\r
+ Assert.assertFalse(PermissionUtil.hasPermissionTo(execute,parentGroupUser,parentGroup));\r
+\r
+ Assert.assertTrue(PermissionUtil.hasPermissionTo(read,firstChildUser,firstChildGroup));\r
+ Assert.assertTrue(PermissionUtil.hasPermissionTo(write,firstChildUser,firstChildGroup));\r
+ Assert.assertTrue(PermissionUtil.hasPermissionTo(manage,firstChildUser,firstChildGroup));\r
+ Assert.assertFalse(PermissionUtil.hasPermissionTo(delete,firstChildUser,firstChildGroup));\r
+ Assert.assertFalse(PermissionUtil.hasPermissionTo(execute,firstChildUser,firstChildGroup));\r
+\r
+ Assert.assertFalse(PermissionUtil.hasPermissionTo(read,childOfChildUser,childOfChildGroup));\r
+ Assert.assertFalse(PermissionUtil.hasPermissionTo(write,childOfChildUser,childOfChildGroup));\r
+ Assert.assertFalse(PermissionUtil.hasPermissionTo(manage,childOfChildUser,childOfChildGroup));\r
+ Assert.assertFalse(PermissionUtil.hasPermissionTo(delete,childOfChildUser,childOfChildGroup));\r
+ Assert.assertTrue(PermissionUtil.hasPermissionTo(execute,childOfChildUser,childOfChildGroup));\r
+ }\r
+ @Test\r
+ public void buildUserPermissionTest()\r
+ {\r
+ /*\r
+ should be the following format\r
+ parent members:\r
+ parentGroup = {read,write,management}\r
+ first Child group = {read}\r
+ child of child group = {read}\r
+\r
+ first child group:\r
+ parentGroup = {read}\r
+ first Child group = {read,write,management}\r
+ child of child group = {read}\r
+\r
+ child of child:\r
+ parentGroup = {read}\r
+ first Child group = {read}\r
+ child of child group = {execute}\r
+ */\r
+\r
+ GroupMember parentMember = parentGroup.getMembers().get(0);\r
+ GroupMember firstChildMember = firstChildGroup.getMembers().get(0);\r
+ GroupMember childOfChildMember = childOfChildGroup.getMembers().get(0);\r
+\r
+ User parentGroupUser = Mockito.mock(User.class);\r
+ User firstChildUser = Mockito.mock(User.class);\r
+ User childOfChildUser =Mockito.mock(User.class);\r
+ Mockito.when(parentGroupUser.get_id()).thenReturn(parentMember.getUserId());\r
+ Mockito.when(firstChildUser.get_id()).thenReturn(firstChildMember.getUserId());\r
+ Mockito.when(childOfChildUser.get_id()).thenReturn(childOfChildMember.getUserId());\r
+\r
+ String read = "READ";\r
+ String write= "WRITE";\r
+ String manage = "MANAGEMENT";\r
+ String delete = "DELETE";\r
+ String execute= "EXECUTE";\r
+\r
+ UserPermission parentUserPermissions = new PermissionUtil().buildUserPermission(parentGroupUser,groupRepository);\r
+ UserPermission firstChildUserPermissions = new PermissionUtil().buildUserPermission(firstChildUser,groupRepository);\r
+ UserPermission childOfChildUserPermissions = new PermissionUtil().buildUserPermission(childOfChildUser,groupRepository);\r
+ Map<String,Set<String>> parentAccessControl = parentUserPermissions.getUserAccessMap();\r
+ Map<String,Set<String>> firstChildAccessControl = firstChildUserPermissions.getUserAccessMap();\r
+ Map<String,Set<String>> childOfChildAccessControl = childOfChildUserPermissions.getUserAccessMap();\r
+\r
+ //test for parent access control\r
+ Assert.assertTrue(parentAccessControl.get(parentGroup.get_id().toString()).contains(read));\r
+ Assert.assertTrue(parentAccessControl.get(parentGroup.get_id().toString()).contains(write));\r
+ Assert.assertTrue(parentAccessControl.get(parentGroup.get_id().toString()).contains(manage));\r
+ //test all access is passed to firstChildGroup\r
+ Assert.assertTrue(parentAccessControl.get(firstChildGroup.get_id().toString()).contains(read));\r
+ Assert.assertTrue(parentAccessControl.get(firstChildGroup.get_id().toString()).contains(write));\r
+ Assert.assertTrue(parentAccessControl.get(firstChildGroup.get_id().toString()).contains(manage));\r
+ //test all access is passed to child of child group\r
+ Assert.assertTrue(parentAccessControl.get(childOfChildGroup.get_id().toString()).contains(read));\r
+ Assert.assertTrue(parentAccessControl.get(childOfChildGroup.get_id().toString()).contains(write));\r
+ Assert.assertTrue(parentAccessControl.get(childOfChildGroup.get_id().toString()).contains(manage));\r
+ // make sure parent user dont have other permissions in first child group\r
+ Assert.assertFalse(parentAccessControl.get(firstChildGroup.get_id().toString()).contains(delete));\r
+ Assert.assertFalse(parentAccessControl.get(firstChildGroup.get_id().toString()).contains(execute));\r
+ //test that parent dont have other permissions in child of child group\r
+ Assert.assertFalse(parentAccessControl.get(childOfChildGroup.get_id().toString()).contains(delete));\r
+ Assert.assertFalse(parentAccessControl.get(childOfChildGroup.get_id().toString()).contains(execute));\r
+\r
+ //test for first child access control\r
+ Assert.assertTrue(firstChildAccessControl.get(parentGroup.get_id().toString()).contains(read));\r
+ Assert.assertTrue(firstChildAccessControl.get(firstChildGroup.get_id().toString()).contains(read));\r
+ Assert.assertTrue(firstChildAccessControl.get(firstChildGroup.get_id().toString()).contains(write));\r
+ Assert.assertTrue(firstChildAccessControl.get(firstChildGroup.get_id().toString()).contains(manage));\r
+ // test that first child group get passed to child of child\r
+ Assert.assertTrue(firstChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(read));\r
+ Assert.assertTrue(firstChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(write));\r
+ Assert.assertTrue(firstChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(manage));\r
+ // make sure firstchild user dont have other permissions\r
+ Assert.assertFalse(firstChildAccessControl.get(parentGroup.get_id().toString()).contains(write));\r
+ Assert.assertFalse(firstChildAccessControl.get(parentGroup.get_id().toString()).contains(manage));\r
+ Assert.assertFalse(firstChildAccessControl.get(parentGroup.get_id().toString()).contains(delete));\r
+ Assert.assertFalse(firstChildAccessControl.get(parentGroup.get_id().toString()).contains(execute));\r
+ // test to confirm no extra permission is passed to child of child\r
+ Assert.assertFalse(firstChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(delete));\r
+ Assert.assertFalse(firstChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(execute));\r
+\r
+ //test for child of child access control\r
+ Assert.assertTrue(childOfChildAccessControl.get(parentGroup.get_id().toString()).contains(read));\r
+ Assert.assertTrue(childOfChildAccessControl.get(firstChildGroup.get_id().toString()).contains(read));\r
+ Assert.assertTrue(childOfChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(execute));\r
+ // make sure child of child user dont have other permissions\r
+ Assert.assertFalse(childOfChildAccessControl.get(parentGroup.get_id().toString()).contains(write));\r
+ Assert.assertFalse(childOfChildAccessControl.get(parentGroup.get_id().toString()).contains(manage));\r
+ Assert.assertFalse(childOfChildAccessControl.get(parentGroup.get_id().toString()).contains(delete));\r
+ Assert.assertFalse(childOfChildAccessControl.get(parentGroup.get_id().toString()).contains(execute));\r
+\r
+ Assert.assertFalse(childOfChildAccessControl.get(firstChildGroup.get_id().toString()).contains(write));\r
+ Assert.assertFalse(childOfChildAccessControl.get(firstChildGroup.get_id().toString()).contains(manage));\r
+ Assert.assertFalse(childOfChildAccessControl.get(firstChildGroup.get_id().toString()).contains(delete));\r
+ Assert.assertFalse(childOfChildAccessControl.get(firstChildGroup.get_id().toString()).contains(execute));\r
+\r
+ Assert.assertFalse(childOfChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(write));\r
+ Assert.assertFalse(childOfChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(manage));\r
+ Assert.assertFalse(childOfChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(delete));\r
+ Assert.assertFalse(childOfChildAccessControl.get(childOfChildGroup.get_id().toString()).contains(read));\r
+ }\r
+ @Test\r
+ public void basicTest(){\r
+ GroupMember parentMember = parentGroup.getMembers().get(0);\r
+ GroupMember firstChildMember = firstChildGroup.getMembers().get(0);\r
+ GroupMember childOfChildMember = childOfChildGroup.getMembers().get(0);\r
+\r
+ User parentGroupUser = Mockito.mock(User.class);\r
+ User firstChildUser = Mockito.mock(User.class);\r
+ User childOfChildUser =Mockito.mock(User.class);\r
+ Mockito.when(parentGroupUser.get_id()).thenReturn(parentMember.getUserId());\r
+ Mockito.when(firstChildUser.get_id()).thenReturn(firstChildMember.getUserId());\r
+ Mockito.when(childOfChildUser.get_id()).thenReturn(childOfChildMember.getUserId());\r
+\r
+ Assert.assertTrue(PermissionChecker.hasPermissionTo(childOfChildUser,firstChildGroup,UserPermission.Permission.READ,groupRepository));\r
+ Assert.assertTrue(PermissionChecker.hasPermissionTo(childOfChildUser,parentGroup,UserPermission.Permission.READ,groupRepository));\r
+ Assert.assertFalse(PermissionChecker.hasPermissionTo(childOfChildUser,childOfChildGroup,UserPermission.Permission.READ,groupRepository));\r
+\r
+ Assert.assertFalse(PermissionChecker.hasPermissionTo(childOfChildUser,firstChildGroup,UserPermission.Permission.EXECUTE,groupRepository));\r
+ Assert.assertTrue(PermissionChecker.hasPermissionTo(firstChildUser,firstChildGroup,UserPermission.Permission.WRITE,groupRepository));\r
+ Assert.assertFalse(PermissionChecker.hasPermissionTo(firstChildUser,firstChildGroup,UserPermission.Permission.EXECUTE,groupRepository));\r
+\r
+ Assert.assertFalse(PermissionChecker.hasPermissionTo(parentGroupUser,parentGroup,UserPermission.Permission.DELETE,groupRepository));\r
+ Assert.assertFalse(PermissionChecker.hasPermissionTo(parentGroupUser,parentGroup,UserPermission.Permission.EXECUTE,groupRepository));\r
+ Assert.assertFalse(PermissionChecker.hasPermissionTo(parentGroupUser,firstChildGroup,UserPermission.Permission.EXECUTE,groupRepository));\r
+ }\r
+}\r