Fixing REST authorizations. Extended REST tests.

Evolveum · Mar 27, 2015 · 04d3b67 · 04d3b67
1 parent 467de62
commit 04d3b67
Show file tree

Hide file tree

Showing 7 changed files with 261 additions and 21 deletions.
diff --git a/...security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java b/...security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java
@@ -36,7 +36,7 @@ public class AuthorizationConstants {
 	public static final QName AUTZ_ALL_QNAME = new QName(NS_AUTHORIZATION, "all");
 	public static final String AUTZ_ALL_URL = QNameUtil.qNameToUri(AUTZ_ALL_QNAME);
 
-	public static final QName AUTZ_REST_QNAME = new QName(NS_AUTHORIZATION, "all");
+	public static final QName AUTZ_REST_QNAME = new QName(NS_AUTHORIZATION_REST, "all");
 	public static final String AUTZ_REST_URL = QNameUtil.qNameToUri(AUTZ_REST_QNAME);
 
 //	public static final QName AUTZ_DEVEL_QNAME = new QName(NS_AUTHORIZATION, "devel");

diff --git a/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestRestService.java b/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestRestService.java
@@ -21,6 +21,7 @@
 import static org.testng.AssertJUnit.fail;
 
 import java.io.File;
+import java.io.IOException;
 
 import javax.ws.rs.core.Response;
 
@@ -39,14 +40,14 @@
 import org.testng.annotations.BeforeClass;
 import org.testng.annotations.Test;
 
+import com.evolveum.midpoint.common.InternalsConfig;
 import com.evolveum.midpoint.common.monitor.InternalMonitor;
 import com.evolveum.midpoint.model.api.ModelService;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.delta.ChangeType;
 import com.evolveum.midpoint.provisioning.api.ProvisioningService;
 import com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl;
-import com.evolveum.midpoint.repo.api.RepoAddOptions;
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl;
 import com.evolveum.midpoint.schema.GetOperationOptions;
@@ -58,10 +59,13 @@
 import com.evolveum.midpoint.test.DummyAuditService;
 import com.evolveum.midpoint.test.IntegrationTestTools;
 import com.evolveum.midpoint.test.util.TestUtil;
+import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
+import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
@@ -77,7 +81,25 @@ public class TestRestService {
 	public static final File USER_ADMINISTRATOR_FILE = new File(REPO_DIR, "user-administrator.xml");
 	public static final String USER_ADMINISTRATOR_USERNAME = "administrator";
 	public static final String USER_ADMINISTRATOR_PASSWORD = "5ecr3t";
+
+	// No authorization
+	public static final File USER_NOBODY_FILE = new File(REPO_DIR, "user-nobody.xml");
+	public static final String USER_NOBODY_USERNAME = "nobody";
+	public static final String USER_NOBODY_PASSWORD = "nopassword";
+
+	// REST authorization only
+	public static final File USER_CYCLOPS_FILE = new File(REPO_DIR, "user-cyclops.xml");
+	public static final String USER_CYCLOPS_USERNAME = "cyclops";
+	public static final String USER_CYCLOPS_PASSWORD = "cyclopassword";
+
+	// REST and reader authorization
+	public static final File USER_SOMEBODY_FILE = new File(REPO_DIR, "user-somebody.xml");
+	public static final String USER_SOMEBODY_USERNAME = "somebody";
+	public static final String USER_SOMEBODY_PASSWORD = "somepassword";
+
 	public static final File ROLE_SUPERUSER_FILE = new File(REPO_DIR, "role-superuser.xml");
+	public static final File ROLE_REST_FILE = new File(REPO_DIR, "role-rest.xml");
+	public static final File ROLE_READER_FILE = new File(REPO_DIR, "role-reader.xml");
 
 	public static final File RESOURCE_OPENDJ_FILE = new File(REPO_DIR, "reosurce-opendj.xml");
 	public static final String RESOURCE_OPENDJ_OID = "ef2bc95b-76e0-59e2-86d6-3d4f02d3ffff";
@@ -94,6 +116,7 @@ public class TestRestService {
 
 	private final static String ENDPOINT_ADDRESS = "http://localhost:18080/rest";
 
+	private static PrismContext prismContext;
 	private static TaskManager taskManager;
 	private static ModelService modelService;
 
@@ -126,14 +149,17 @@ private static void startServer() throws Exception {
 		Task initTask = taskManager.createTaskInstance(TestRestService.class.getName() + ".startServer");
 		OperationResult result = initTask.getResult();
 
-		PrismContext prismContext = (PrismContext) applicationContext.getBean("prismContext");
-		PrismObject<RoleType> superuser = prismContext.parseObject(ROLE_SUPERUSER_FILE);
-		repositoryService.addObject(superuser, null, result);
-		PrismObject<UserType> admin = prismContext.parseObject(USER_ADMINISTRATOR_FILE);
-		repositoryService.addObject(admin, RepoAddOptions.createAllowUnencryptedValues(), result);
-
-		PrismObject<UserType> sysConfig = prismContext.parseObject(SYSTEM_CONFIGURATION_FILE);
-		repositoryService.addObject(sysConfig, RepoAddOptions.createAllowUnencryptedValues(), result);
+		InternalsConfig.encryptionChecks = false;
+
+		prismContext = (PrismContext) applicationContext.getBean("prismContext");
+		addObject(ROLE_SUPERUSER_FILE, result);
+		addObject(ROLE_REST_FILE, result);
+		addObject(ROLE_READER_FILE, result);
+		addObject(USER_ADMINISTRATOR_FILE, result);
+		addObject(USER_NOBODY_FILE, result);
+		addObject(USER_CYCLOPS_FILE, result);
+		addObject(USER_SOMEBODY_FILE, result);
+		addObject(SYSTEM_CONFIGURATION_FILE, result);
 
 		dummyAuditService = DummyAuditService.getInstance();
 
@@ -144,6 +170,13 @@ private static void startServer() throws Exception {
 		result.computeStatus();
 		TestUtil.assertSuccessOrWarning("startServer failed (result)", result, 1);
 	}
+
+	private static <O extends ObjectType> PrismObject<O> addObject(File file, OperationResult result) throws SchemaException, IOException, ObjectAlreadyExistsException {
+		PrismObject<O> object = prismContext.parseObject(file);
+		String oid = repositoryService.addObject(object, null, result);
+		object.setOid(oid);
+		return object;
+	}
 
 	@AfterClass
 	public static void destroy() throws Exception {
@@ -155,12 +188,6 @@ public TestRestService() {
 		super();
 	}
 
-	// TODO: authenticate as user that: has no authorization
-	// TODO: authenticate as user that: has only authorization for REST
-	// TODO: authenticate as user that: has only authorization for some REST operations
-
-	// TODO: check audit
-
 	@Test
 	public void test001GetUserAdministrator() {
 		final String TEST_NAME = "test001GetUserAdministrator";
@@ -212,7 +239,7 @@ public void test003GetNoAuthHeaders() {
 		displayTestTile(this, TEST_NAME);
 
 		WebClient client = prepareClient(null, null);
-		client.path("/users/12345");
+		client.path("/users/" + SystemObjectsType.USER_ADMINISTRATOR.value());
 
 		dummyAuditService.clear();
 
@@ -232,8 +259,8 @@ public void test004GetAuthBadUsername() {
 		final String TEST_NAME = "test004GetAuthBadUsername";
 		displayTestTile(this, TEST_NAME);
 
-		WebClient client = prepareClient("nobody", null);
-		client.path("/users/12345");
+		WebClient client = prepareClient("NoSUCHuser", null);
+		client.path("/users/" + SystemObjectsType.USER_ADMINISTRATOR.value());
 
 		dummyAuditService.clear();
 
@@ -254,7 +281,7 @@ public void test005GetAuthNoPassword() {
 		displayTestTile(this, TEST_NAME);
 
 		WebClient client = prepareClient(USER_ADMINISTRATOR_USERNAME, null);
-		client.path("/users/12345");
+		client.path("/users/" + SystemObjectsType.USER_ADMINISTRATOR.value());
 
 		dummyAuditService.clear();
 
@@ -275,7 +302,7 @@ public void test006GetAuthBadPassword() {
 		displayTestTile(this, TEST_NAME);
 
 		WebClient client = prepareClient(USER_ADMINISTRATOR_USERNAME, "forgot");
-		client.path("/users/12345");
+		client.path("/users/" + SystemObjectsType.USER_ADMINISTRATOR.value());
 
 		dummyAuditService.clear();
 
@@ -289,6 +316,72 @@ public void test006GetAuthBadPassword() {
 		dummyAuditService.assertRecords(1);
 		dummyAuditService.assertFailedLogin(SchemaConstants.CHANNEL_REST_URI);
 	}
+
+	@Test
+	public void test007GetUnauthorizedUser() {
+		final String TEST_NAME = "test007GetUnauthorizedUser";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient(USER_NOBODY_USERNAME, USER_NOBODY_PASSWORD);
+		client.path("/users/" + SystemObjectsType.USER_ADMINISTRATOR.value());
+
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.get();
+
+		TestUtil.displayThen(TEST_NAME);
+		assertEquals("Expected 403 but got " + response.getStatus(), 403, response.getStatus());
+
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(1);
+		dummyAuditService.assertFailedLogin(SchemaConstants.CHANNEL_REST_URI);
+	}
+
+	@Test
+	public void test008GetUserAdministratorByCyclops() {
+		final String TEST_NAME = "test008GetUserAdministratorByCyclops";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient(USER_CYCLOPS_USERNAME, USER_CYCLOPS_PASSWORD);
+		client.path("/users/" + SystemObjectsType.USER_ADMINISTRATOR.value());
+
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.get();
+
+		TestUtil.displayThen(TEST_NAME);
+		assertEquals("Expected 403 but got " + response.getStatus(), 403, response.getStatus());
+
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+	}
+
+	@Test
+	public void test009GetUserAdministratorBySomebody() {
+		final String TEST_NAME = "test009GetUserAdministratorBySomebody";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient(USER_SOMEBODY_USERNAME, USER_SOMEBODY_PASSWORD);
+		client.path("/users/" + SystemObjectsType.USER_ADMINISTRATOR.value());
+
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.get();
+
+		TestUtil.displayThen(TEST_NAME);
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		UserType userType = response.readEntity(UserType.class);
+		assertNotNull("Returned entity in body must not be null.", userType);
+		LOGGER.info("Returned entity: {}", userType.asPrismObject().debugDump());
+
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+	}
 
 	@Test
 	public void test102AddUserTemplate() throws Exception {

diff --git a/testing/rest/src/test/resources/repo/role-reader.xml b/testing/rest/src/test/resources/repo/role-reader.xml
@@ -0,0 +1,24 @@
+<!--
+  ~ Copyright (c) 2010-2015 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="eb243068-d48d-11e4-a83a-001e8c717e5b"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
+    <name>Reader</name>    
+    <authorization>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+    </authorization>
+</role>
diff --git a/testing/rest/src/test/resources/repo/role-rest.xml b/testing/rest/src/test/resources/repo/role-rest.xml
@@ -0,0 +1,24 @@
+<!--
+  ~ Copyright (c) 2010-2015 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="20bbf2f2-d48d-11e4-a091-001e8c717e5b"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
+    <name>REST</name>    
+    <authorization>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all</action>
+    </authorization>
+</role>
diff --git a/testing/rest/src/test/resources/repo/user-cyclops.xml b/testing/rest/src/test/resources/repo/user-cyclops.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2015 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<c:user oid="6020bb52-d48e-11e4-9eaf-001e8c717e5b" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<c:name>cyclops</c:name>
+	<c:assignment>
+		<c:targetRef oid="20bbf2f2-d48d-11e4-a091-001e8c717e5b" type="c:RoleType"/>
+	</c:assignment>
+	<c:fullName>Cyclops</c:fullName>
+	<c:givenName>Cyclo</c:givenName>
+	<c:familyName>Cyclops</c:familyName>
+	<c:credentials xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+		<c:password>
+			<c:value xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+				<clearValue>cyclopassword</clearValue>
+			</c:value>
+		</c:password>
+	</c:credentials>
+</c:user>
diff --git a/testing/rest/src/test/resources/repo/user-nobody.xml b/testing/rest/src/test/resources/repo/user-nobody.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2015 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<c:user oid="ffb9729c-d48b-11e4-9720-001e8c717e5b" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<c:name>nobody</c:name>
+	<c:fullName>No Body</c:fullName>
+	<c:givenName>No</c:givenName>
+	<c:familyName>Body</c:familyName>
+	<c:credentials xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+		<c:password>
+			<c:value xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+				<clearValue>nopassword</clearValue>
+			</c:value>
+		</c:password>
+	</c:credentials>
+</c:user>
diff --git a/testing/rest/src/test/resources/repo/user-somebody.xml b/testing/rest/src/test/resources/repo/user-somebody.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2015 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<c:user oid="a5f3e3c8-d48b-11e4-8d88-001e8c717e5b" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<c:name>somebody</c:name>
+	<c:assignment>
+		<c:targetRef oid="20bbf2f2-d48d-11e4-a091-001e8c717e5b" type="c:RoleType"/>
+	</c:assignment>
+	<c:assignment>
+		<c:targetRef oid="eb243068-d48d-11e4-a83a-001e8c717e5b" type="c:RoleType"/>
+	</c:assignment>
+	<c:fullName>Some Body</c:fullName>
+	<c:givenName>Some</c:givenName>
+	<c:familyName>body</c:familyName>
+	<c:credentials xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+		<c:password>
+			<c:value xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+				<clearValue>somepassword</clearValue>
+			</c:value>
+		</c:password>
+	</c:credentials>
+</c:user>