Add a test for "no super resource" authorization

This resolves MID-8004.
Evolveum · Sep 28, 2022 · d3f1f56 · d3f1f56
1 parent fd34b24
commit d3f1f56
Show file tree

Hide file tree

Showing 5 changed files with 171 additions and 14 deletions.
diff --git a/...ntest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java b/...ntest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java
@@ -14,10 +14,13 @@
 import javax.xml.datatype.XMLGregorianCalendar;
 import javax.xml.namespace.QName;
 
+import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.schema.processor.*;
 
 import com.evolveum.midpoint.test.TestResource;
 
+import com.evolveum.midpoint.util.MiscUtil;
+
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.annotation.DirtiesContext.ClassMode;
 import org.springframework.test.context.ContextConfiguration;
@@ -933,19 +936,40 @@ protected <O extends ObjectType> void assertModifyDeny(Class<O> type, String oid
         assertModifyDenyOptions(type, oid, itemPath, null, newRealValue);
     }
 
-    protected <O extends ObjectType> void assertModifyDenyOptions(Class<O> type, String oid, ItemPath itemPath, ModelExecuteOptions options, Object... newRealValue) throws ObjectAlreadyExistsException, ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException {
+    @SuppressWarnings({ "rawtypes", "unchecked" })
+    protected <O extends ObjectType> void assertModifyDenyOptions(
+            Class<O> type, String oid, ItemPath itemPath, ModelExecuteOptions options, Object... newRealValue)
+            throws ObjectAlreadyExistsException, ObjectNotFoundException, SchemaException, ExpressionEvaluationException,
+            CommunicationException, ConfigurationException, PolicyViolationException {
+        ItemDefinition itemDef =
+                MiscUtil.requireNonNull(
+                        prismContext.getSchemaRegistry()
+                                .findObjectDefinitionByCompileTimeClass(type)
+                                .findItemDefinition(itemPath),
+                        () -> "No definition of item " + itemPath + " in " + type);
+        ItemDelta itemDelta = itemDef.createEmptyDelta(itemPath);
+        itemDelta.setValuesToReplace(
+                PrismValueCollectionsUtil.toPrismValues(newRealValue));
+        assertModifyDenyOptions(type, oid, itemDelta, options);
+    }
+
+    protected <O extends ObjectType> void assertModifyDenyOptions(
+            Class<O> type, String oid, ItemDelta<?, ?> itemDelta, ModelExecuteOptions options)
+            throws ObjectAlreadyExistsException, ObjectNotFoundException, SchemaException, ExpressionEvaluationException,
+            CommunicationException, ConfigurationException, PolicyViolationException {
         Task task = taskManager.createTaskInstance(AbstractSecurityTest.class.getName() + ".assertModifyDeny");
         OperationResult result = task.getResult();
-        ObjectDelta<O> objectDelta = prismContext.deltaFactory().object()
-                .createModificationReplaceProperty(type, oid, itemPath, newRealValue);
+        ObjectDelta<O> objectDelta =
+                prismContext.deltaFactory().object()
+                        .createModifyDelta(oid, itemDelta, type);
         Collection<ObjectDelta<? extends ObjectType>> deltas = MiscSchemaUtil.createCollection(objectDelta);
         try {
-            logAttempt("modify", type, oid, itemPath);
+            logAttempt("modify", type, oid, itemDelta.getPath());
             modelService.executeChanges(deltas, options, task, result);
-            failDeny("modify", type, oid, itemPath);
+            failDeny("modify", type, oid, itemDelta.getPath());
         } catch (SecurityViolationException e) {
             // this is expected
-            logDeny("modify", type, oid, itemPath);
+            logDeny("modify", type, oid, itemDelta.getPath());
             result.computeStatus();
             TestUtil.assertFailure(result);
         }

diff --git a/...-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityMedium.java b/...-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityMedium.java
@@ -6,18 +6,20 @@
  */
 package com.evolveum.midpoint.model.intest.security;
 
+import com.evolveum.midpoint.model.api.ModelExecuteOptions;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import com.evolveum.midpoint.test.TestResource;
+import com.evolveum.midpoint.util.exception.CommonException;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.annotation.DirtiesContext.ClassMode;
 import org.springframework.test.context.ContextConfiguration;
 import org.testng.annotations.Test;
 
 import java.io.File;
+import java.io.IOException;
 
 /**
  * @author semancik
@@ -26,20 +28,28 @@
 @DirtiesContext(classMode = ClassMode.AFTER_CLASS)
 public class TestSecurityMedium extends AbstractSecurityTest {
 
-    protected static final File USER_EMPLOYEE_FRED_FILE = new File(TEST_DIR, "user-employee-fred.xml");
+    private static final File USER_EMPLOYEE_FRED_FILE = new File(TEST_DIR, "user-employee-fred.xml");
+
+    private static final File ROLE_EMPLOYEE_MANAGER_FILE = new File(TEST_DIR, "role-employee-manager.xml");
+    private static final String ROLE_EMPLOYEE_MANAGER_OID = "5549cb8e-d573-11e9-a61e-7f2eff22715a";
 
-    protected static final File ROLE_EMPLOYEE_MANAGER_FILE = new File(TEST_DIR, "role-employee-manager.xml");
-    protected static final String ROLE_EMPLOYEE_MANAGER_OID = "5549cb8e-d573-11e9-a61e-7f2eff22715a";
+    private static final TestResource<RoleType> ROLE_RESOURCE_NO_SUPER =
+            new TestResource<>(TEST_DIR, "role-resource-no-super.xml", "127e6393-371d-4a15-952f-e454748bfc09");
+    private static final TestResource<ResourceType> RESOURCE_NO_SUPER =
+            new TestResource<>(TEST_DIR, "resource-no-super.xml", "801c9610-5cb7-411f-af3f-a14b303154ca");
+    private static final TestResource<ResourceType> RESOURCE_WITH_SUPER =
+            new TestResource<>(TEST_DIR, "resource-with-super.xml", "9e785491-7207-4288-8d1e-7f7a21a6455f");
 
     @Override
     public void initSystem(Task initTask, OperationResult initResult) throws Exception {
         super.initSystem(initTask, initResult);
 
         repoAddObjectFromFile(ARCHETYPE_EMPLOYEE_FILE, initResult);
         repoAddObjectFromFile(ROLE_EMPLOYEE_MANAGER_FILE, initResult);
+        repoAdd(ROLE_RESOURCE_NO_SUPER, initResult);
     }
 
-    protected static final int NUMBER_OF_IMPORTED_ROLES = 1;
+    private static final int NUMBER_OF_IMPORTED_ROLES = 2;
 
     protected int getNumberOfRoles() {
         return super.getNumberOfRoles() + NUMBER_OF_IMPORTED_ROLES;
@@ -121,4 +131,37 @@ public void test102AutzEmployeeManagerAddEmployee() throws Exception {
         assertDeleteDeny();
         assertGlobalStateUntouched();
     }
+
+    @Test
+    public void test200AutzAddResource() throws CommonException, IOException {
+        cleanupAutzTest(USER_JACK_OID);
+        assignRole(USER_JACK_OID, ROLE_RESOURCE_NO_SUPER.oid);
+        login(USER_JACK_USERNAME);
+
+        then("adding resource with no 'super' is allowed");
+        assertAddAllow(RESOURCE_NO_SUPER.file, ModelExecuteOptions.create().setIsImport());
+
+        then("adding resource with 'super' is denied");
+        assertAddDeny(RESOURCE_WITH_SUPER.file, ModelExecuteOptions.create().setIsImport());
+
+        then("modifying resource item other than 'super' is allowed");
+        assertModifyAllow(ResourceType.class, RESOURCE_NO_SUPER.oid, ResourceType.F_DESCRIPTION, "anything");
+
+        String randomOid = "0a4b3d14-7c39-4117-b029-babacf7b254e";
+
+        then("modifying resource 'super' item is denied");
+        assertModifyDeny(
+                ResourceType.class,
+                RESOURCE_NO_SUPER.oid,
+                ResourceType.F_SUPER,
+                new SuperResourceDeclarationType()
+                        .resourceRef(randomOid, ResourceType.COMPLEX_TYPE));
+
+        then("modifying resource 'super/resourceRef' item is denied");
+        assertModifyDeny(
+                ResourceType.class,
+                RESOURCE_NO_SUPER.oid,
+                ResourceType.F_SUPER.append(SuperResourceDeclarationType.F_RESOURCE_REF),
+                new ObjectReferenceType().oid(randomOid).type(ResourceType.COMPLEX_TYPE));
+    }
 }
diff --git a/model/model-intest/src/test/resources/security/resource-no-super.xml b/model/model-intest/src/test/resources/security/resource-no-super.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (C) 2010-2022 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
+<resource oid="801c9610-5cb7-411f-af3f-a14b303154ca"
+          xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
+    <name>resource-no-super</name>
+    <connectorRef type="ConnectorType">
+        <filter>
+            <q:and>
+                <q:equal>
+                    <q:path>connectorType</q:path>
+                    <q:value>com.evolveum.icf.dummy.connector.DummyConnector</q:value>
+                </q:equal>
+                <q:equal>
+                    <q:path>connectorVersion</q:path>
+                    <q:value>2.0</q:value>
+                </q:equal>
+            </q:and>
+        </filter>
+    </connectorRef>
+    <connectorConfiguration xmlns:icfi="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.icf.dummy/com.evolveum.icf.dummy.connector.DummyConnector"
+                   xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
+        <icfc:configurationProperties>
+            <icfi:instanceId>no-super</icfi:instanceId>
+        </icfc:configurationProperties>
+    </connectorConfiguration>
+</resource>
diff --git a/model/model-intest/src/test/resources/security/resource-with-super.xml b/model/model-intest/src/test/resources/security/resource-with-super.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (C) 2010-2022 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
+<resource oid="9e785491-7207-4288-8d1e-7f7a21a6455f"
+          xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
+    <name>resource-with-super</name>
+    <super>
+        <resourceRef oid="801c9610-5cb7-411f-af3f-a14b303154ca"/> <!-- no-super -->
+    </super>
+    <connectorRef type="ConnectorType">
+        <filter>
+            <q:and>
+                <q:equal>
+                    <q:path>connectorType</q:path>
+                    <q:value>com.evolveum.icf.dummy.connector.DummyConnector</q:value>
+                </q:equal>
+                <q:equal>
+                    <q:path>connectorVersion</q:path>
+                    <q:value>2.0</q:value>
+                </q:equal>
+            </q:and>
+        </filter>
+    </connectorRef>
+    <connectorConfiguration xmlns:icfi="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.icf.dummy/com.evolveum.icf.dummy.connector.DummyConnector"
+                   xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
+        <icfc:configurationProperties>
+            <icfi:instanceId>with-super</icfi:instanceId>
+        </icfc:configurationProperties>
+    </connectorConfiguration>
+</resource>
diff --git a/model/model-intest/src/test/resources/security/role-resource-no-super.xml b/model/model-intest/src/test/resources/security/role-resource-no-super.xml
@@ -0,0 +1,21 @@
+<!--
+  ~ Copyright (c) 2014 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+<role oid="127e6393-371d-4a15-952f-e454748bfc09"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+    <name>resource-no-super</name>
+    <authorization>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+    </authorization>
+    <authorization>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+        <object>
+            <type>ResourceType</type>
+        </object>
+        <exceptItem>super</exceptItem>
+    </authorization>
+</role>