Merge pull request #1068 from square/violet/AlwaysAllowPermissionChec…
…k_dev Added a permission check that always allows the action to take place. Will be adding real permission check on top of this skeleton.
Showing
12 changed files
with
275 additions
and
3 deletions.
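--- a/server/src/main/java/keywhiz/service/permissions/AlwaysAllowDelegatingPermissionCheck.java
+++ b/server/src/main/java/keywhiz/service/permissions/AlwaysAllowDelegatingPermissionCheck.java
@@ -0,0 +1,54 @@
+package keywhiz.service.permissions;
+
+import com.codahale.metrics.MetricRegistry;
+import com.google.inject.Inject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AlwaysAllowDelegatingPermissionCheck implements PermissionCheck {
+private static final Logger logger = LoggerFactory.getLogger(AlwaysAllowDelegatingPermissionCheck.class);
+
+private PermissionCheck delegate;
+private MetricRegistry metricRegistry;
+
+@Inject
+public AlwaysAllowDelegatingPermissionCheck(MetricRegistry metricRegistry, PermissionCheck delegate) {
+this.delegate = delegate;
+this.metricRegistry = metricRegistry;
+}
+
+public boolean isAllowed(KeywhizPrincipal source, String action, Object target) {
+boolean hasPermission = delegate.isAllowed(source, action, target);
+
+int hasPermissionSuccessMetricInt = hasPermission ? 1 : 0;
+String successMetricName = MetricRegistry.name(AlwaysAllowDelegatingPermissionCheck.class, "isAllowed", "success", "histogram");
+metricRegistry.histogram(successMetricName).update(hasPermissionSuccessMetricInt);
+
+int hasPermissionFailureMetricInt = hasPermission ? 0 : 1;
+String failureMetricName = MetricRegistry.name(AlwaysAllowDelegatingPermissionCheck.class, "isAllowed", "failure", "histogram");
+metricRegistry.histogram(failureMetricName).update(hasPermissionFailureMetricInt);
+
+logger.info(
+String.format("isAllowed Actor: %s, Action: %s, Target: %s, Result: %s", source, action, target,
+hasPermission));
+
+return true;
+}
+
+@Override
+public void checkAllowedOrThrow(KeywhizPrincipal source, String action, Object target) {
+String successMetricName = MetricRegistry.name(AlwaysAllowDelegatingPermissionCheck.class, "checkAllowedOrThrow", "success", "histogram");
+String exceptionMetricName = MetricRegistry.name(AlwaysAllowDelegatingPermissionCheck.class, "checkAllowedOrThrow", "exception", "histogram");
+try {
+delegate.checkAllowedOrThrow(source, action, target);
+
+metricRegistry.histogram(successMetricName).update(1);
+metricRegistry.histogram(exceptionMetricName).update(0);
+} catch (RuntimeException e) {
+metricRegistry.histogram(successMetricName).update(0);
+metricRegistry.histogram(exceptionMetricName).update(1);
+
+logger.error(String.format("checkAllowedOrThrow Actor: %s, Action: %s, Target: %s throws exception", source, action, target),e);
+}
+}
+}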
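Review bot: `isAllowed` ends in `return true;` whatever the delegate decided, and `checkAllowedOrThrow` catches and drops every `RuntimeException`, so this wrapper is fail-open by construction and nothing on the class says so. A class-level Javadoc along the lines of `/** Shadow-mode wrapper: records the delegate's decision in metrics and logs but never denies. */` would keep a later reader from mistaking it for an enforcing check. The would-be denial is also logged at INFO with the same message shape as an allow; logging at WARN when `hasPermission` is false would make those decisions easy to find before enforcement is switched on. `isAllowed` is missing the `@Override` that `checkAllowedOrThrow` carries (the same holds for `AlwaysFailPermissionCheck.isAllowed`).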
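--- a/server/src/main/java/keywhiz/service/permissions/AlwaysFailPermissionCheck.java
+++ b/server/src/main/java/keywhiz/service/permissions/AlwaysFailPermissionCheck.java
@@ -0,0 +1,12 @@
+package keywhiz.service.permissions;
+
+import javax.inject.Inject;
+
+public class AlwaysFailPermissionCheck implements PermissionCheck {
+@Inject
+public AlwaysFailPermissionCheck() {}
+
+public boolean isAllowed(KeywhizPrincipal source, String action, Object target) {
+return false;
+}
+}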
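--- a/server/src/main/java/keywhiz/service/permissions/PermissionCheckModule.java
+++ b/server/src/main/java/keywhiz/service/permissions/PermissionCheckModule.java
@@ -0,0 +1,18 @@
+package keywhiz.service.permissions;
+
+import com.codahale.metrics.MetricRegistry;
+import com.google.inject.AbstractModule;
+import com.google.inject.Provides;
+
+public class PermissionCheckModule extends AbstractModule {
+
+@Override
+protected void configure() {}
+
+@Provides
+public PermissionCheck createPermissionCheck(MetricRegistry metricRegistry) {
+PermissionCheck alwaysFail = new AlwaysFailPermissionCheck();
+PermissionCheck alwaysAllow = new AlwaysAllowDelegatingPermissionCheck(metricRegistry, alwaysFail);
+return alwaysAllow;
+}
+}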
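Review bot: `createPermissionCheck` hard-wires `AlwaysAllowDelegatingPermissionCheck` as the only `PermissionCheck` binding, so swapping `AlwaysFailPermissionCheck` for a real check later will still not enforce anything unless this method changes too. That deserves a comment at the return, for example `// Shadow mode: decisions are recorded but never enforced; return the delegate itself once enforcement is intended.`. If the real check is meant to land incrementally, a configuration flag choosing between the wrapper and the bare delegate would make the switch to enforcement an explicit, reviewable change; this is a suggestion only, since the configuration classes are not visible on this page.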
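--- a/server/src/test/java/keywhiz/service/permission/AlwaysAllowDelegatingPermissionCheckTest.java
+++ b/server/src/test/java/keywhiz/service/permission/AlwaysAllowDelegatingPermissionCheckTest.java
@@ -0,0 +1,97 @@
+package keywhiz.service.permission;
+
+import com.codahale.metrics.MetricRegistry;
+import java.util.Objects;
+import keywhiz.service.permissions.Action;
+import keywhiz.service.permissions.AlwaysAllowDelegatingPermissionCheck;
+import keywhiz.service.permissions.KeywhizPrincipal;
+import keywhiz.service.permissions.PermissionCheck;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnit;
+import org.mockito.junit.MockitoRule;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.doNothing;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.when;
+
+public class AlwaysAllowDelegatingPermissionCheckTest {
+
+@Rule public MockitoRule mockito = MockitoJUnit.rule();
+
+@Mock PermissionCheck delegate;
+
+private MetricRegistry metricRegistry;
+private AlwaysAllowDelegatingPermissionCheck alwaysAllow;
+
+private static KeywhizPrincipal principal;
+private static Objects target;
+
+private static final String ISALLOWED_SUCCESS_METRIC_NAME = "keywhiz.service.permissions.AlwaysAllowDelegatingPermissionCheck.isAllowed.success.histogram";
+private static final String ISALLOWED_FAILURE_METRIC_NAME = "keywhiz.service.permissions.AlwaysAllowDelegatingPermissionCheck.isAllowed.failure.histogram";
+private static final String CHECKALLOWEDORTHROW_SUCCESS_METRIC_NAME = "keywhiz.service.permissions.AlwaysAllowDelegatingPermissionCheck.checkAllowedOrThrow.success.histogram";
+private static final String CHECKALLOWEDORTHROW_EXCEPTION_METRIC_NAME = "keywhiz.service.permissions.AlwaysAllowDelegatingPermissionCheck.checkAllowedOrThrow.exception.histogram";
+
+@Before
+public void setUp() {
+metricRegistry = new MetricRegistry();
+alwaysAllow = new AlwaysAllowDelegatingPermissionCheck(metricRegistry, delegate);
+}
+
+@Test public void isAllowedReturnsTrueWhenDelegateReturnsTrue() {
+when(delegate.isAllowed(any(), any(), any())).thenReturn(true);
+
+boolean permitted = alwaysAllow.isAllowed(principal, Action.ADD, target);
+
+assertThat(permitted);
+
+assertThat(metricRegistry.histogram(ISALLOWED_SUCCESS_METRIC_NAME).getCount()).isEqualTo(1);
+assertThat(metricRegistry.histogram(ISALLOWED_SUCCESS_METRIC_NAME).getSnapshot().getMean()).isEqualTo(1);
+
+assertThat(metricRegistry.histogram(ISALLOWED_FAILURE_METRIC_NAME).getCount()).isEqualTo(1);
+assertThat(metricRegistry.histogram(ISALLOWED_FAILURE_METRIC_NAME).getSnapshot().getMean()).isEqualTo(0);
+}
+
+@Test public void isAllowedReturnsTrueWhenDelegateReturnsFalse() {
+when(delegate.isAllowed(any(), any(), any())).thenReturn(false);
+
+boolean permitted = alwaysAllow.isAllowed(principal, Action.ADD, target);
+
+assertThat(permitted);
+
+assertThat(metricRegistry.histogram(ISALLOWED_SUCCESS_METRIC_NAME).getCount()).isEqualTo(1);
+assertThat(metricRegistry.histogram(ISALLOWED_SUCCESS_METRIC_NAME).getSnapshot().getMean()).isEqualTo(0);
+
+assertThat(metricRegistry.histogram(ISALLOWED_FAILURE_METRIC_NAME).getCount()).isEqualTo(1);
+assertThat(metricRegistry.histogram(ISALLOWED_FAILURE_METRIC_NAME).getSnapshot().getMean()).isEqualTo(1);
+}
+
+@Test public void CheckAllowedOrThrowReturnsVoidWhenDelegateReturnsVoid() {
+doNothing().when(delegate).checkAllowedOrThrow(any(), any(), any());
+
+alwaysAllow.checkAllowedOrThrow(principal, Action.ADD, target);
+
+assertThat(metricRegistry.histogram(CHECKALLOWEDORTHROW_SUCCESS_METRIC_NAME).getCount()).isEqualTo(1);
+assertThat(metricRegistry.histogram(CHECKALLOWEDORTHROW_SUCCESS_METRIC_NAME).getSnapshot().getMean()).isEqualTo(1);
+
+assertThat(metricRegistry.histogram(CHECKALLOWEDORTHROW_EXCEPTION_METRIC_NAME).getCount()).isEqualTo(1);
+assertThat(metricRegistry.histogram(CHECKALLOWEDORTHROW_EXCEPTION_METRIC_NAME).getSnapshot().getMean()).isEqualTo(0);
+}
+
+@Test public void CheckAllowedOrThrowReturnsVoidWhenDelegateThrowException() {
+doThrow(RuntimeException.class).when(delegate).checkAllowedOrThrow(any(), any(), any());
+
+alwaysAllow.checkAllowedOrThrow(principal, Action.ADD, target);
+
+assertThat(metricRegistry.histogram(CHECKALLOWEDORTHROW_SUCCESS_METRIC_NAME).getCount()).isEqualTo(1);
+assertThat(metricRegistry.histogram(CHECKALLOWEDORTHROW_SUCCESS_METRIC_NAME).getSnapshot().getMean()).isEqualTo(0);
+
+assertThat(metricRegistry.histogram(CHECKALLOWEDORTHROW_EXCEPTION_METRIC_NAME).getCount()).isEqualTo(1);
+assertThat(metricRegistry.histogram(CHECKALLOWEDORTHROW_EXCEPTION_METRIC_NAME).getSnapshot().getMean()).isEqualTo(1);
+}
+}
+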
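Review bot: `assertThat(permitted);` in `isAllowedReturnsTrueWhenDelegateReturnsTrue` and `isAllowedReturnsTrueWhenDelegateReturnsFalse` creates an AssertJ assertion object and never calls a check on it, so neither test verifies the return value its name promises. Both lines should read `assertThat(permitted).isTrue();`, otherwise the always-allow behaviour this commit introduces is pinned only by the metric assertions. The field `private static Objects target;` is typed as `java.util.Objects`, a utility class that cannot be instantiated, which looks like a typo for `Object`; it works here only because the value stays `null`. The same field type appears in `AlwaysFailPermissionCheckTest`.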
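--- a/server/src/test/java/keywhiz/service/permission/AlwaysFailPermissionCheckTest.java
+++ b/server/src/test/java/keywhiz/service/permission/AlwaysFailPermissionCheckTest.java
@@ -0,0 +1,35 @@
+package keywhiz.service.permission;
+
+import com.codahale.metrics.MetricRegistry;
+import java.util.Objects;
+import keywhiz.service.permissions.Action;
+import keywhiz.service.permissions.AlwaysFailPermissionCheck;
+import keywhiz.service.permissions.KeywhizPrincipal;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+public class AlwaysFailPermissionCheckTest {
+MetricRegistry metricRegistry;
+AlwaysFailPermissionCheck alwaysFail;
+KeywhizPrincipal principal;
+Objects target;
+
+@Before
+public void setUp() {
+alwaysFail = new AlwaysFailPermissionCheck();
+}
+
+@Test
+public void isAllowedReturnsFalse() {
+boolean permitted = alwaysFail.isAllowed(principal, Action.ADD, target);
+assertThat(permitted).isEqualTo(false);
+}
+
+@Test
+public void checkAllowedOrThrowThrowsException() {
+assertThatThrownBy(() -> {alwaysFail.checkAllowedOrThrow(principal, Action.ADD, target);}).isInstanceOf(RuntimeException.class);
+}
+}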
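Review bot: `checkAllowedOrThrowThrowsException` passes a `principal` and `target` that are never assigned and accepts any `RuntimeException`, so a `NullPointerException` raised for the null arguments would satisfy it just as well as a real denial. `checkAllowedOrThrow` is not defined in `AlwaysFailPermissionCheck` in this commit, so it presumably comes from a default method on `PermissionCheck`; the assertion should name the exception type that method throws on denial instead of `RuntimeException.class`. The `metricRegistry` field and its `MetricRegistry` import are unused in this test and can be dropped.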
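--- a/server/src/test/java/keywhiz/service/permission/PermissionCheckModuleTest.java
+++ b/server/src/test/java/keywhiz/service/permission/PermissionCheckModuleTest.java
@@ -0,0 +1,25 @@
+package keywhiz.service.permission;
+
+import javax.inject.Inject;
+import keywhiz.service.permissions.PermissionCheck;
+import org.junit.Test;
+
+import static keywhiz.test.KeywhizTests.createInjector;
+import static org.junit.Assert.assertNotNull;
+
+public class PermissionCheckModuleTest {
+@Test
+public void createsInjector() {
+assertNotNull(createInjector());
+}
+
+@Test
+public void injectPermissionCheckProvider() {
+class Holder {
+@Inject PermissionCheck permissionCheck;
+}
+Holder holder = new Holder();
+createInjector().injectMembers(holder);
+assertNotNull(holder.permissionCheck);
+}
+}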