.classpath | 4 modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/auth/test/SubjectManagerBeanTest.java | 174 ++++++++-- 2 files changed, 158 insertions(+), 20 deletions(-)
New commits: commit 3bb788b5b3d472e1500df7b4bec304814a45bcac Author: Thomas Segismont tsegismo@redhat.com Date: Thu Feb 28 18:38:03 2013 +0100
Better coverage of SubjectManagerBean following criteria API changes
diff --git a/.classpath b/.classpath index f6ced85..1a0df52 100644 --- a/.classpath +++ b/.classpath @@ -218,7 +218,7 @@ <classpathentry exported="true" kind="var" path="M2_REPO/log4j/log4j/1.2.14/log4j-1.2.14.jar"/> <classpathentry exported="true" kind="var" path="M2_REPO/tomcat/tomcat-jk/4.1.31/tomcat-jk-4.1.31.jar"/> <classpathentry exported="true" kind="var" path="M2_REPO/jdom/jdom/1.0/jdom-1.0.jar"/> - <classpathentry exported="true" kind="var" path="M2_REPO/commons-collections/commons-collections/3.2/commons-collections-3.2.jar"/> + <classpathentry exported="true" kind="var" path="M2_REPO/commons-collections/commons-collections/3.2/commons-collections-3.2.jar" sourcepath="/M2_REPO/commons-collections/commons-collections/3.2/commons-collections-3.2-sources.jar"/> <classpathentry exported="true" kind="var" path="M2_REPO/javax/persistence/persistence-api/1.0/persistence-api-1.0.jar" sourcepath="/M2_REPO/javax/persistence/persistence-api/1.0/persistence-api-1.0-sources.jar"/> <classpathentry exported="true" kind="var" path="M2_REPO/jboss/jboss-jmx/4.2.3.GA/jboss-jmx-4.2.3.GA.jar"/> <classpathentry exported="true" kind="var" path="M2_REPO/tomcat/catalina/5.5.20/catalina-5.5.20.jar"/> 
@@ -344,7 +344,7 @@ <classpathentry exported="true" kind="var" path="M2_REPO/javax/enterprise/cdi-api/1.0-SP4/cdi-api-1.0-SP4.jar" sourcepath="M2_REPO/javax/enterprise/cdi-api/1.0-SP4/cdi-api-1.0-SP4-sources.jar"/> <classpathentry exported="true" kind="var" path="M2_REPO/javax/inject/javax.inject/1/javax.inject-1.jar" sourcepath="M2_REPO/javax/inject/javax.inject/1/javax.inject-1-sources.jar"/> <classpathentry exported="true" kind="var" path="M2_REPO/org/mozilla/rhino/1.7R4/rhino-1.7R4.jar"/> - <classpathentry exported="true" kind="var" path="M2_REPO/org/picketbox/picketbox/4.0.7.Final/picketbox-4.0.7.Final.jar"/> + <classpathentry exported="true" kind="var" path="M2_REPO/org/picketbox/picketbox/4.0.7.Final/picketbox-4.0.7.Final.jar" sourcepath="/M2_REPO/org/picketbox/picketbox/4.0.7.Final/picketbox-4.0.7.Final-sources.jar"/> <classpathentry exported="true" kind="var" path="M2_REPO/org/python/jython-standalone/2.5.2/jython-standalone-2.5.2.jar"/> <classpathentry exported="true" kind="var" path="M2_REPO/com/wordnik/swagger-annotations_2.9.1/1.1.1-SNAPSHOT/swagger-annotations_2.9.1-1.1.1-20121031.024335-6.jar"/> <classpathentry exported="true" kind="var" path="M2_REPO/joda-time/joda-time/2.1/joda-time-2.1.jar"/>
diff --git a/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/auth/test/SubjectManagerBeanTest.java b/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/auth/test/SubjectManagerBeanTest.java
index fe7691d..4b17dc5 100644
--- a/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/auth/test/SubjectManagerBeanTest.java
+++ b/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/auth/test/SubjectManagerBeanTest.java
@@ -25,11 +25,14 @@ import java.util.List;
 import java.util.Set;
 import java.util.UUID;
+import javax.ejb.EJBException;
 import javax.persistence.EntityManager;
 import javax.security.auth.login.LoginException;
 import javax.transaction.NotSupportedException;
 import javax.transaction.SystemException;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.testng.annotations.Test;
 import org.rhq.core.domain.auth.Subject;
@@ -48,6 +51,7 @@ import org.rhq.enterprise.server.authz.AuthorizationManagerLocal;
 import org.rhq.enterprise.server.authz.PermissionException;
 import org.rhq.enterprise.server.authz.RoleManagerLocal;
 import org.rhq.enterprise.server.test.AbstractEJB3Test;
+import org.rhq.enterprise.server.test.TransactionCallback;
 import org.rhq.enterprise.server.util.LookupUtil;
 import org.rhq.enterprise.server.util.SessionTestHelper;
@@ -57,18 +61,27 @@ import org.rhq.enterprise.server.util.SessionTestHelper;
 @Test
 public class SubjectManagerBeanTest extends AbstractEJB3Test {
+ private static final Log LOG = LogFactory.getLog(SubjectManagerBeanTest.class);
+
+ private static final String RHQADMIN = "rhqadmin";
+
+ private static final String ITEST_USER = "smb_itest_user";
+
 private SubjectManagerLocal subjectManager;
 private AuthorizationManagerLocal authorizationManager;
 private RoleManagerLocal roleManager;
- /**
- * Prepares things for the entire test class.
- */
 @Override
 protected void beforeMethod() {
 subjectManager = LookupUtil.getSubjectManager();
 authorizationManager = LookupUtil.getAuthorizationManager();
 roleManager = LookupUtil.getRoleManager();
+ createITestSubject();
+ }
+
+ private Subject createITestSubject() {
+ Subject subjectToCreate = new Subject(ITEST_USER, true, false);
+ return subjectManager.createSubject(subjectManager.getOverlord(), subjectToCreate, ITEST_USER);
 }
 /**
@@ -76,11 +89,14 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
 */
 @Override
 protected void afterMethod() {
+ deleteITestSubject();
+
 // create a list of all users we know our tests have used
 List<String> usernames = new ArrayList<String>();
 usernames.add("admin");
- usernames.add("rhqadmin");
+ usernames.add(RHQADMIN);
 usernames.add("new_user");
+ usernames.add(ITEST_USER);
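Review bot: `beforeMethod()` calls `createITestSubject()` unconditionally, so a `smb_itest_user` left behind by an aborted run (one where `afterMethod()` never executed) would presumably make `createSubject` fail and break every test during setup. Calling the null-safe `deleteITestSubject();` (added in the `@@ -95,6 +111,13 @@` hunk) just before `createITestSubject();` would make the fixture idempotent. The third argument to `createSubject` appears to be the password and is set to the username, and the Javadoc on `beforeMethod()` was removed without a replacement; a short comment such as `// test-only account, password equals the username; removed again in afterMethod()` would document both.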
SessionManager session_manager = SessionManager.getInstance();
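Review bot: `deleteITestSubject()` is the first statement of `afterMethod()`, so an exception thrown by it skips the session clean-up that follows and sessions for `admin`, `rhqadmin` and `new_user` could carry over into the next test. The subject is also deleted before `ITEST_USER` is added to `usernames`; whether the clean-up loop can still invalidate that user's sessions depends on the loop body, which lies outside this hunk. Running the session clean-up first and the deletion in a `finally`, `try { /* session clean-up */ } finally { deleteITestSubject(); }`, keeps the two clean-ups independent.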
@@ -95,6 +111,13 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
 }
 }
+ private void deleteITestSubject() {
+ Subject subject = subjectManager.getSubjectByName(ITEST_USER);
+ if (subject != null) {
+ subjectManager.deleteSubjects(subjectManager.getOverlord(), new int[] { subject.getId() });
+ }
+ }
+
 /**
 * Tests persisting and retrieving user configuration.
 *
@@ -173,7 +196,7 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
 getTransactionManager().begin();
 try {
 superuser = subjectManager.getOverlord();
- rhqadmin = subjectManager.getSubjectByName("rhqadmin");
+ rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
 rhqadmin = createSession(rhqadmin);
 try {
@@ -214,7 +237,7 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
 try {
 superuser = subjectManager.getOverlord();
 superuser = createSession(superuser);
- rhqadmin = subjectManager.getSubjectByName("rhqadmin");
+ rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
 rhqadmin = createSession(rhqadmin);
 try {
@@ -268,9 +291,9 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
 assert authorizationManager.getExplicitGlobalPermissions(superuser).containsAll(all_global_perms);
 // get the rhqadmin subject
- Subject rhqadmin = subjectManager.getSubjectByName("rhqadmin");
+ Subject rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
 assert rhqadmin.getId() == 2;
- assert rhqadmin.getName().equals("rhqadmin");
+ assert rhqadmin.getName().equals(RHQADMIN);
 assert authorizationManager.getExplicitGlobalPermissions(rhqadmin).containsAll(all_global_perms);
 rhqadmin = createSession(rhqadmin); // our test needs to ensure the rhqadmin user has a session
@@ -286,7 +309,7 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
 SubjectManagerLocal subjectManager = LookupUtil.getSubjectManager();
 Subject subject = null;
 try {
- subject = subjectManager.loginUnauthenticated("rhqadmin");
+ subject = subjectManager.loginUnauthenticated(RHQADMIN);
 } catch (Exception e) {
 assert false : "There must be at least rhqadmin user";
 }
@@ -441,30 +464,30 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
 getTransactionManager().begin();
 try {
- Subject subject1 = subjectManager.loginUnauthenticated("rhqadmin");
+ Subject subject1 = subjectManager.loginUnauthenticated(RHQADMIN);
 int session1 = subject1.getSessionId();
Thread.sleep(500); // just wait a bit
- Subject subject2 = subjectManager.loginUnauthenticated("rhqadmin");
+ Subject subject2 = subjectManager.loginUnauthenticated(RHQADMIN);
 int session2 = subject2.getSessionId();
 assert session1 != session2 : "The same sessionId should never be assigned when logging in twice";
 assert subject1.equals(subject2);
- Subject s = subjectManager.getSubjectByNameAndSessionId("rhqadmin", subject1.getSessionId());
+ Subject s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN, subject1.getSessionId());
 assert s.getSessionId() == session1;
- s = subjectManager.getSubjectByNameAndSessionId("rhqadmin", subject2.getSessionId());
+ s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN, subject2.getSessionId());
 assert s.getSessionId() == session2;
 subjectManager.logout(session1);
 try {
- s = subjectManager.getSubjectByNameAndSessionId("rhqadmin", subject1.getSessionId());
+ s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN, subject1.getSessionId());
 assert false : "Session should be invalid";
 } catch (SessionNotFoundException ok) {
 }
- s = subjectManager.getSubjectByNameAndSessionId("rhqadmin", subject2.getSessionId());
+ s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN, subject2.getSessionId());
 assert s.getSessionId() == session2;
 // this should ne a no-op, no exception
@@ -472,7 +495,7 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
 subjectManager.logout(session2);
 try {
- s = subjectManager.getSubjectByNameAndSessionId("rhqadmin", subject2.getSessionId());
+ s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN, subject2.getSessionId());
 fail("Session should be invalid");
 } catch (SessionNotFoundException e) {
 // expected
@@ -521,7 +544,7 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
 try {
 Subject overlord = subjectManager.getOverlord();
- Subject rhqadmin = subjectManager.getSubjectByName("rhqadmin");
+ Subject rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
 Role roleWithViewUsersPerm = new Role("role" + UUID.randomUUID());
 roleWithViewUsersPerm.addPermission(Permission.VIEW_USERS);
@@ -552,7 +575,7 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
 try {
 Subject overlord = subjectManager.getOverlord();
- Subject rhqadmin = subjectManager.getSubjectByName("rhqadmin");
+ Subject rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
 rhqadmin = subjectManager.loginUnauthenticated(rhqadmin.getName());
 Subject anotherSubject = new Subject("subject" + UUID.randomUUID(), true, false);
@@ -618,4 +641,119 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
 }
 }
+ public void subjectCannotUpdateAnotherSubjectWithoutPermission() throws LoginException {
+ executeInTransaction(new TransactionCallback() {
+
+ @Override
+ public void execute() throws Exception {
+ Subject fakeSubject = new Subject("fakeUser", true, false);
+ Subject itestSubject = subjectManager.loginUnauthenticated(ITEST_USER);
+ try {
+ subjectManager.updateSubject(itestSubject, fakeSubject, "newPassword");
+ fail("Subject without permission should not be able to update another subject");
+ } catch (PermissionException e) {
+ assertTrue(e.getMessage().contains("do not have permission to update user"));
+ }
+ }
+ });
+ }
+
+ public void nobodyCanDisableASystemSubject() {
+ executeInTransaction(new TransactionCallback() {
+
+ @Override
+ public void execute() throws Exception {
+ Subject rhqAdminSubject = subjectManager.getSubjectByName(RHQADMIN);
+ try {
+ Subject changedSubject = new Subject(rhqAdminSubject.getName(), false, rhqAdminSubject.getFsystem());
+ changedSubject.setId(rhqAdminSubject.getId());
+ subjectManager.updateSubject(subjectManager.getOverlord(), changedSubject, "newPassword");
+ fail("Nobody should be able to disable a system subject");
+ } catch (PermissionException e) {
+ assertTrue(e.getMessage().startsWith("You cannot disable the system user"));
+ }
+ }
+ });
+ }
+
+ public void nobodyCanChangeASubjectName() {
+ executeInTransaction(new TransactionCallback() {
+
+ @Override
+ public void execute() throws Exception {
+ Subject itestSubject = subjectManager.getSubjectByName(ITEST_USER);
+ Subject changedSubject = new Subject("pipo", itestSubject.getFactive(), itestSubject.getFsystem());
+ changedSubject.setId(itestSubject.getId());
+ try {
+ subjectManager.updateSubject(subjectManager.getOverlord(), changedSubject, "newPassword");
+ fail("Nobody should be able to change a subject name");
+ } catch (EJBException e) {
+ Exception cause = e.getCausedByException();
+ assertEquals(IllegalArgumentException.class, cause.getClass());
+ assertTrue(cause.getMessage().equals("You cannot change a user's username."));
+ }
+ }
+ });
+ }
+
+ public void nobodyCanChangeAnUnknowSubject() {
+ executeInTransaction(new TransactionCallback() {
+
+ @Override
+ public void execute() throws Exception {
+ try {
+ Subject fakeSubject = new Subject("fakeUser", true, false);
+ subjectManager.updateSubject(subjectManager.getOverlord(), fakeSubject, "newPassword");
+ fail("Nobody should be able to change an unknown subject");
+ } catch (EJBException e) {
+ Exception cause = e.getCausedByException();
+ assertEquals(IllegalArgumentException.class, cause.getClass());
+ assertTrue(cause.getMessage().startsWith("No user exists with id"));
+ }
+ }
+ });
+ }
+
+ public void subjectCanUpdateItself() {
+ executeInTransaction(new TransactionCallback() {
+
+ @Override
+ public void execute() throws Exception {
+ Subject itestSubject = subjectManager.loginUnauthenticated(ITEST_USER);
+ Subject changedSubject = new Subject(itestSubject.getName(), itestSubject.getFactive(),
+ itestSubject.getFsystem());
+ changedSubject.setId(itestSubject.getId());
+ changedSubject.setEmailAddress("pipo@molo.com");
+ try {
+ changedSubject = subjectManager.updateSubject(itestSubject, changedSubject, "newPassword");
+ assertEquals("pipo@molo.com", changedSubject.getEmailAddress());
+ } catch (Exception e) {
+ LOG.error(e);
+ fail("Subject should be able to update itself");
+ }
+ }
+ });
+ }
+
+ public void subjectWhitoutManageSecurityPermissionCannotUpdateItsRoles() throws LoginException {
+ executeInTransaction(new TransactionCallback() {
+
+ @Override
+ public void execute() throws Exception {
+ Subject itestSubject = subjectManager.loginUnauthenticated(ITEST_USER);
+ final PageList<Role> allRoles = roleManager.findRoles(PageControl.getUnlimitedInstance());
+ Subject changedSubject = new Subject(itestSubject.getName(), itestSubject.getFactive(),
+ itestSubject.getFsystem());
+ changedSubject.setId(itestSubject.getId());
+ changedSubject.getRoles().addAll(allRoles);
+ try {
+ subjectManager.updateSubject(itestSubject, changedSubject, "newPassword");
+ fail("Subject whitout " + Permission.MANAGE_SECURITY + + " permission should not be able to update its roles");
+ } catch (PermissionException e) {
+ assertTrue(e.getMessage().contains("is not authorized for"));
+ }
+ }
+ });
+ }
 }
\ No newline at end of file
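Review bot: `subjectCannotUpdateAnotherSubjectWithoutPermission` passes a never-persisted `fakeUser` as the target, so it shows only that the permission check fires for a subject that does not exist, not that a real account is protected from an unprivileged caller. None of the rejection tests re-reads the subject afterwards, so a password or role change applied before the exception is thrown would go unnoticed, and matching on message fragments such as `"is not authorized for"` ties the tests to wording. Targeting a persisted subject (for example `RHQADMIN`) and asserting that its state is unchanged after the `PermissionException` closes that gap; a sketch for the first test follows, and the same post-check applies to `subjectWhitoutManageSecurityPermissionCannotUpdateItsRoles`. In `subjectCanUpdateItself`, the `catch (Exception e)` that logs and calls `fail` hides the original stack trace; since `execute()` already declares `throws Exception`, the exception can simply propagate.

```java
public void execute() throws Exception {
    Subject target = subjectManager.getSubjectByName(RHQADMIN);
    String emailBefore = target.getEmailAddress();
    Subject changedTarget = new Subject(target.getName(), target.getFactive(), target.getFsystem());
    changedTarget.setId(target.getId());
    changedTarget.setEmailAddress("changed@example.com");
    // … unchanged: itestSubject = loginUnauthenticated(ITEST_USER) …
    try {
        subjectManager.updateSubject(itestSubject, changedTarget, "newPassword");
        // … unchanged: fail(...) and the PermissionException catch …
    }
    // a rejected update must leave the stored subject as it was
    assertEquals(emailBefore, subjectManager.getSubjectByName(RHQADMIN).getEmailAddress());
```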