util: allow to create r/o users with no permission

Note that the "role" won't be really created (since we define a role as a set of permissions in the roles_permissions table). Signed-off-by: Pierre-Alexandre Meyer <pierre@mouraf.org>
killbill · Jul 30, 2016 · 467c528 · 467c528 · sbrossie · Jul 30, 2016
1 parent 24168e6
commit 467c528
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 16 deletions.
diff --git a/profiles/killbill/src/test/java/org/killbill/billing/jaxrs/TestSecurity.java b/profiles/killbill/src/test/java/org/killbill/billing/jaxrs/TestSecurity.java
@@ -22,11 +22,13 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.UUID;
 
 import javax.annotation.Nullable;
 import javax.ws.rs.core.Response.Status;
 
 import org.killbill.billing.client.KillBillClientException;
+import org.killbill.billing.client.RequestOptions;
 import org.killbill.billing.client.model.Permissions;
 import org.killbill.billing.client.model.RoleDefinition;
 import org.killbill.billing.client.model.UserRoles;
@@ -84,6 +86,17 @@ public void testDynamicUserRolesIncorrectPermissions() throws Exception {
         testDynamicUserRolesInternal("wqsdeqwe", "jd23fsh63s", "incorrect", ImmutableList.of("account:*"), false);
     }
 
+    @Test(groups = "slow")
+    public void testDynamicUserRolesNoPermissions() throws Exception {
+        final String username = UUID.randomUUID().toString();
+        final String password = UUID.randomUUID().toString();
+        final String role = UUID.randomUUID().toString();
+        testDynamicUserRolesInternal(username, password, role, ImmutableList.of(""), false);
+
+        final Permissions permissions = killBillClient.getPermissions(RequestOptions.builder().withUser(username).withPassword(password).build());
+        Assert.assertEquals(permissions.size(), 0);
+    }
+
     @Test(groups = "slow")
     public void testUserPermission() throws KillBillClientException {
 

diff --git a/util/src/main/java/org/killbill/billing/util/security/api/DefaultSecurityApi.java b/util/src/main/java/org/killbill/billing/util/security/api/DefaultSecurityApi.java
@@ -52,6 +52,9 @@
 import com.google.common.base.Function;
 import com.google.common.base.Functions;
 import com.google.common.base.Predicate;
+import com.google.common.base.Predicates;
+import com.google.common.base.Strings;
+import com.google.common.collect.Collections2;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Iterables;
 import com.google.common.collect.Lists;
@@ -214,12 +217,20 @@ public String apply(final RolesPermissionsModelDao input) {
         }));
     }
 
-    private List<String> sanitizeAndValidatePermissions(final List<String> permissions) throws SecurityApiException {
-
-        if (permissions == null || permissions.isEmpty()) {
-            throw new SecurityApiException(ErrorCode.SECURITY_INVALID_PERMISSIONS, "null");
+    private List<String> sanitizeAndValidatePermissions(final List<String> permissionsRaw) throws SecurityApiException {
+        if (permissionsRaw == null) {
+            return ImmutableList.<String>of();
         }
 
+        final Collection<String> permissions = Collections2.<String>filter(Lists.<String, String>transform(permissionsRaw,
+                                                                                                           new Function<String, String>() {
+                                                                                                               @Override
+                                                                                                               public String apply(final String input) {
+                                                                                                                   return Strings.emptyToNull(input);
+                                                                                                               }
+                                                                                                           }),
+                                                                           Predicates.<String>notNull());
+
         final Map<String, Set<String>> groupToValues = new HashMap<String, Set<String>>();
         for (final String curPerm : permissions) {
             if ("*".equals(curPerm)) {

diff --git a/util/src/main/java/org/killbill/billing/util/security/shiro/dao/DefaultUserDao.java b/util/src/main/java/org/killbill/billing/util/security/shiro/dao/DefaultUserDao.java
@@ -70,12 +70,7 @@ public void insertUser(final String username, final String password, final List<
             @Override
             public Void inTransaction(final Handle handle, final TransactionStatus status) throws Exception {
                 final UserRolesSqlDao userRolesSqlDao = handle.attach(UserRolesSqlDao.class);
-                for (String role : roles) {
-                    final RolesPermissionsSqlDao rolesPermissionsSqlDao = handle.attach(RolesPermissionsSqlDao.class);
-                    final List<RolesPermissionsModelDao> currentRolePermissions = rolesPermissionsSqlDao.getByRoleName(role);
-                    if (currentRolePermissions.isEmpty()) {
-                        throw new SecurityApiException(ErrorCode.SECURITY_INVALID_ROLE, role);
-                    }
+                for (final String role : roles) {
                     userRolesSqlDao.create(new UserRolesModelDao(username, role, createdDate, createdBy));
                 }
 

diff --git a/util/src/test/java/org/killbill/billing/util/security/shiro/realm/TestKillBillJdbcRealm.java b/util/src/test/java/org/killbill/billing/util/security/shiro/realm/TestKillBillJdbcRealm.java
@@ -1,6 +1,6 @@
 /*
- * Copyright 2014-2015 Groupon, Inc
- * Copyright 2014-2015 The Billing Project, LLC
+ * Copyright 2014-2016 Groupon, Inc
+ * Copyright 2014-2016 The Billing Project, LLC
  *
  * The Billing Project licenses this file to you under the Apache License, version 2.0
  * (the "License"); you may not use this file except in compliance with the
@@ -97,7 +97,6 @@ public void testAuthentication() throws SecurityApiException {
         } catch (final AuthenticationException e) {
         }
 
-
         final AuthenticationToken newGoodToken = new UsernamePasswordToken(username, newPassword);
         securityManager.login(subject, newGoodToken);
         Assert.assertTrue(true);
@@ -114,10 +113,17 @@ public void testAuthentication() throws SecurityApiException {
 
     }
 
+    @Test(groups = "slow")
+    public void testEmptyPermissions() throws SecurityApiException {
+        securityApi.addRoleDefinition("sanity1", null, callContext);
+        validateUserRoles(securityApi.getRoleDefinition("sanity1", callContext), ImmutableList.<String>of());
+
+        securityApi.addRoleDefinition("sanity2", ImmutableList.<String>of(), callContext);
+        validateUserRoles(securityApi.getRoleDefinition("sanity2", callContext), ImmutableList.<String>of());
+    }
+
     @Test(groups = "slow")
     public void testInvalidPermissions() {
-        testInvalidPermissionScenario(null);
-        testInvalidPermissionScenario(ImmutableList.<String>of());
         testInvalidPermissionScenario(ImmutableList.of("foo"));
         testInvalidPermissionScenario(ImmutableList.of("account:garbage"));
         testInvalidPermissionScenario(ImmutableList.of("tag:delete_tag_definition", "account:hsgdsgdjsgd"));
@@ -162,7 +168,6 @@ public void testAuthorization() throws SecurityApiException {
         securityApi.addRoleDefinition("newRestricted", ImmutableList.of("account:*", "invoice", "tag:delete_tag_definition"), callContext);
         securityApi.updateUserRoles(username, ImmutableList.of("newRestricted"), callContext);
 
-
         final Subject newSubject = securityManager.login(null, goodToken);
         newSubject.checkPermission(Permission.ACCOUNT_CAN_CHARGE.toString());
         newSubject.checkPermission(Permission.INVOICE_CAN_CREDIT.toString());