diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/AbstractJpaIntegrationTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/AbstractJpaIntegrationTest.java index 9b286d67e..1f61a5fbd 100644 --- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/AbstractJpaIntegrationTest.java +++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/AbstractJpaIntegrationTest.java @@ -87,7 +87,7 @@ public abstract class AbstractJpaIntegrationTest extends AbstractIntegrationTest protected static final String NOT_EXIST_ID = "12345678990"; protected static final long NOT_EXIST_IDL = Long.parseLong(NOT_EXIST_ID); - protected static final List REPOSITORY_AND_TARGET_PERMISSIONS = List.of(SpPermission.READ_REPOSITORY, SpPermission.CREATE_REPOSITORY, SpPermission.UPDATE_REPOSITORY, SpPermission.DELETE_REPOSITORY, SpPermission.READ_TARGET, SpPermission.CREATE_TARGET, SpPermission.UPDATE_TARGET, SpPermission.DELETE_TARGET); + private static final List REPOSITORY_AND_TARGET_PERMISSIONS = List.of(SpPermission.READ_REPOSITORY, SpPermission.CREATE_REPOSITORY, SpPermission.UPDATE_REPOSITORY, SpPermission.DELETE_REPOSITORY, SpPermission.READ_TARGET, SpPermission.CREATE_TARGET, SpPermission.UPDATE_TARGET, SpPermission.DELETE_TARGET); @PersistenceContext protected EntityManager entityManager; 
@@ -247,9 +247,22 @@ public abstract class AbstractJpaIntegrationTest extends AbstractIntegrationTest * * @param callable the callable to call */ - @SneakyThrows protected void assertPermissions(final Callable callable, List requiredPermissions) { - final List insufficiantPermissions = REPOSITORY_AND_TARGET_PERMISSIONS.stream() + assertPermissions(callable, requiredPermissions, null); + } + + /** + * Asserts that the given callable throws an InsufficientPermissionException. + * @param callable the callable to call + * @param requiredPermissions required permissions for the callable + * @param insufficientPermissions can be null, if null, it will be resolved automatically. But in some cases (e.g. @PreAuthorized Permissions with OR, it is safer to pass directly the insufficient permissions) + */ + @SneakyThrows + protected void assertPermissions(final Callable callable, final List requiredPermissions, final List insufficientPermissions) { + // if READ_PERMISSION is required and required permissions are multiple, give only READ_PERMISSION to eliminate internal read_permission check failure that would confuse the actual test + final List resolvedInsufficientPermissions = insufficientPermissions != null ? insufficientPermissions : + requiredPermissions.contains(SpPermission.READ_REPOSITORY) && requiredPermissions.size() > 1 ? + List.of(SpPermission.READ_REPOSITORY) : REPOSITORY_AND_TARGET_PERMISSIONS.stream() .filter(p -> !requiredPermissions.contains(p)).toList(); // check if the user has the correct permissions SecurityContextSwitch.runAs(SecurityContextSwitch.withUser("user_with_permissions", requiredPermissions.toArray(new String[0])), () -> { 
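Review bot: In the new three-argument `assertPermissions`, the automatic fallback for a multi-permission requirement that contains `READ_REPOSITORY` gives the denied user only `READ_REPOSITORY`, so that run no longer shows that the other repository and target permissions are rejected. The comment speaks of a generic READ_PERMISSION, but a requirement containing `READ_TARGET` does not take this branch. If the aim is only to get past the internal read check, the fallback could keep the broad set and add the read permission, e.g. `Stream.concat(Stream.of(SpPermission.READ_REPOSITORY), REPOSITORY_AND_TARGET_PERMISSIONS.stream().filter(p -> !requiredPermissions.contains(p))).toList()`. The nested conditional would read better as an if/else, and the copied Javadoc summary should say that the callable is first run as a user holding `requiredPermissions`. The method body continues past the end of this hunk.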
@@ -259,13 +272,14 @@ public abstract class AbstractJpaIntegrationTest extends AbstractIntegrationTest }); // check if the user has the insufficient permissions - SecurityContextSwitch.runAs(SecurityContextSwitch.withUser("user_without_permissions", insufficiantPermissions.toArray(new String[0])), () -> { + SecurityContextSwitch.runAs(SecurityContextSwitch.withUser("user_without_permissions", resolvedInsufficientPermissions.toArray(new String[0])), () -> { assertInsufficientPermission(callable); log.info("assertInsufficientPermission Passed"); return null; }); } + /** * Asserts that the given callable throws an InsufficientPermissionException. * If callable succeeds without any exception or exception other than InsufficientPermissionException, it will be considered as an assert failure. diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ArtifactManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ArtifactManagementSecurityTest.java index a4c061e64..6d9d65675 100644 --- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ArtifactManagementSecurityTest.java +++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ArtifactManagementSecurityTest.java 
@@ -52,25 +52,30 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest { @Description("Tests ArtifactManagement#get() method") void getPermissionCheck() { assertPermissions(() -> artifactManagement.get(1L), List.of(SpPermission.READ_REPOSITORY)); + assertPermissions(() -> artifactManagement.get(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY)); } @Test @Description("Tests ArtifactManagement#getByFilenameAndSoftwareModule() method") void getByFilenameAndSoftwareModulePermissionCheck() { assertPermissions(() -> artifactManagement.getByFilenameAndSoftwareModule("filename", 1L), - List.of(SpPermission.READ_REPOSITORY)); + List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY)); + assertPermissions(() -> artifactManagement.getByFilenameAndSoftwareModule("filename", 1L), + List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY)); } @Test @Description("Tests ArtifactManagement#findFirstBySHA1() method") void findFirstBySHA1PermissionCheck() { assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpPermission.READ_REPOSITORY)); + assertPermissions(() -> artifactManagement.findFirstBySHA1("sha1"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY)); } @Test @Description("Tests ArtifactManagement#getByFilename() method") void getByFilenamePermissionCheck() { assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpPermission.READ_REPOSITORY)); + assertPermissions(() -> artifactManagement.getByFilename("filename"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY)); } @Test 
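Review bot: Every explicit denied set added in this hunk is `List.of(SpPermission.CREATE_REPOSITORY)`, so the denied half of each new assertion exercises a single permission, and in `getByFilenameAndSoftwareModulePermissionCheck` the first assertion was narrowed from the automatically derived set to that one permission as well. For a method guarded by an OR expression, a stronger negative is every repository and target permission except the accepted alternatives. The same applies to `loadArtifactBinaryPermissionCheck`, to `ConfirmationManagementSecurityTest#getStatusPermissionsCheck` (with `CREATE_TARGET`) and to `SystemManagementSecurityTest#getTenantMetadataPermissionsCheck`, where four alternatives are all checked against the same single denied permission. Since `REPOSITORY_AND_TARGET_PERMISSIONS` becomes private in this commit, a protected helper in `AbstractJpaIntegrationTest` returning that list minus given exclusions would let these tests pass a broad denied set explicitly. A short comment above each pair naming the guard under test (presumably read permission OR controller role) would make the intent clear.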
@@ -88,7 +93,8 @@ class ArtifactManagementSecurityTest extends AbstractJpaIntegrationTest { @Test @Description("Tests ArtifactManagement#loadArtifactBinary() method") void loadArtifactBinaryPermissionCheck() { - assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT)); + assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpPermission.DOWNLOAD_REPOSITORY_ARTIFACT), List.of(SpPermission.CREATE_REPOSITORY)); + assertPermissions(() -> artifactManagement.loadArtifactBinary("sha1", 1L, false), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY)); } } \ No newline at end of file diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ConfirmationManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ConfirmationManagementSecurityTest.java index cdddb9ef9..567c1df18 100644 --- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ConfirmationManagementSecurityTest.java +++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ConfirmationManagementSecurityTest.java 
@@ -38,7 +38,9 @@ class ConfirmationManagementSecurityTest extends AbstractJpaIntegrationTest { @Test @Description("Tests ConfirmationManagement#getStatus() method") void getStatusPermissionsCheck() { - assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpPermission.READ_TARGET)); + assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpPermission.READ_TARGET), + List.of(SpPermission.CREATE_TARGET)); + assertPermissions(() -> confirmationManagement.getStatus("controllerId"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_TARGET)); } @Test diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ControllerManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ControllerManagementSecurityTest.java index 9bd9c58bc..f616024e0 100644 --- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ControllerManagementSecurityTest.java +++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/ControllerManagementSecurityTest.java 
@@ -159,12 +159,15 @@ class ControllerManagementSecurityTest extends AbstractJpaIntegrationTest { void getByControllerIdPermissionsCheck() { assertPermissions(() -> controllerManagement.getByControllerId("controllerId"), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE)); + assertPermissions(() -> controllerManagement.getByControllerId("controllerId"), + List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE)); } @Test @Description("Tests ControllerManagement#get() method") void getPermissionsCheck() { assertPermissions(() -> controllerManagement.get(1L), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE)); + assertPermissions(() -> controllerManagement.get(1L), List.of(SpPermission.SpringEvalExpressions.SYSTEM_ROLE)); } @Test diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DistributionSetManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DistributionSetManagementSecurityTest.java index 8dbede46e..59cfde26f 100644 --- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DistributionSetManagementSecurityTest.java +++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DistributionSetManagementSecurityTest.java @@ -10,6 +10,7 @@ package org.eclipse.hawkbit.repository.jpa.management; import java.util.List; +import java.util.Random; import io.qameta.allure.Description; import io.qameta.allure.Feature; 
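Review bot: The added `import java.util.Random;` has no use in the hunks shown for `DistributionSetManagementSecurityTest`; the only other change to this file, in `invalidatePermissionsCheck`, creates a type with a fixed key and name. If nothing outside the visible hunks uses it, drop the import. The same question applies to `JpaRollout` and `SoftwareModule`, added to the imports of `RolloutManagementSecurityTest` but not referenced by the changed `setRolloutStatusDetailsPermissionsCheck`.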
@@ -244,6 +245,7 @@ class DistributionSetManagementSecurityTest @Test @Description("Tests ManagementAPI PreAuthorized method with correct and insufficient permissions.") void invalidatePermissionsCheck() { + distributionSetTypeManagement.create(entityFactory.distributionSetType().create().key("type").name("name")); assertPermissions(() -> { distributionSetManagement.invalidate(entityFactory.distributionSet().create().name("name").version("1.0").type("type").build()); return null; diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DistributionSetTagManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DistributionSetTagManagementSecurityTest.java index 3f091179c..907c284ee 100644 --- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DistributionSetTagManagementSecurityTest.java +++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DistributionSetTagManagementSecurityTest.java @@ -10,6 +10,7 @@ package org.eclipse.hawkbit.repository.jpa.management; import java.util.List; +import java.util.Random; import io.qameta.allure.Description; import io.qameta.allure.Feature; @@ -35,7 +36,7 @@ public class DistributionSetTagManagementSecurityTest @Override protected TagCreate getCreateObject() { - return entityFactory.tag().create().name("tag"); + return entityFactory.tag().create().name(String.format("tag-%d", new Random().nextInt())); } @Override diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DistributionSetTypeManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DistributionSetTypeManagementSecurityTest.java index d3d0596e9..2f60ab584 100644 
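Review bot: `invalidatePermissionsCheck` now creates the distribution set type with the fixed key `"type"` and name `"name"`, while the create objects in the tag and type security tests of this same commit were switched to randomised values. If that switch was made to avoid unique-key collisions between tests, this setup line is exposed to the same collision. Otherwise a comment would help, e.g. `// the type must exist so the run with the required permissions is not rejected for a missing type` (presumably the reason). The setup call also sits outside `assertPermissions`, so it depends on whatever security context the test method itself runs in, which this hunk does not show.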
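Review bot: `new Random().nextInt()` in `getCreateObject` gives a different tag name on every run, can be negative (names such as `tag--123`, a constructed example), and does not guarantee uniqueness. A class-level counter or a UUID avoids both issues, e.g. `return entityFactory.tag().create().name("tag-" + UUID.randomUUID());`, provided the name length limit allows it. The same construction is used for key and name in `DistributionSetTypeManagementSecurityTest` and `SoftwareModuleTypeManagementSecurityTest`, with two independent draws per object. A one-line comment saying why the value must be unique (presumably `getCreateObject` is called more than once against the same database) would help.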
--- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DistributionSetTypeManagementSecurityTest.java +++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/DistributionSetTypeManagementSecurityTest.java @@ -10,6 +10,7 @@ package org.eclipse.hawkbit.repository.jpa.management; import java.util.List; +import java.util.Random; import io.qameta.allure.Description; import io.qameta.allure.Feature; @@ -34,7 +35,7 @@ public class DistributionSetTypeManagementSecurityTest @Override protected DistributionSetTypeCreate getCreateObject() { - return entityFactory.distributionSetType().create().key("key").name("name"); + return entityFactory.distributionSetType().create().key(String.format("key-%d", new Random().nextInt())).name(String.format("name-%d", new Random().nextInt())); } @Override diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/RolloutManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/RolloutManagementSecurityTest.java index 48677b9cd..7e5479e0c 100644 --- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/RolloutManagementSecurityTest.java +++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/RolloutManagementSecurityTest.java 
@@ -22,9 +22,11 @@ import org.eclipse.hawkbit.repository.builder.DistributionSetCreate; import org.eclipse.hawkbit.repository.builder.DistributionSetTypeCreate; import org.eclipse.hawkbit.repository.builder.DynamicRolloutGroupTemplate; import org.eclipse.hawkbit.repository.jpa.AbstractJpaIntegrationTest; +import org.eclipse.hawkbit.repository.jpa.model.JpaRollout; import org.eclipse.hawkbit.repository.model.DistributionSet; import org.eclipse.hawkbit.repository.model.Rollout; import org.eclipse.hawkbit.repository.model.RolloutGroupConditionBuilder; +import org.eclipse.hawkbit.repository.model.SoftwareModule; import org.eclipse.hawkbit.repository.test.util.WithUser; import org.junit.jupiter.api.Test; import org.springframework.data.domain.PageImpl; @@ -158,8 +160,16 @@ public class RolloutManagementSecurityTest extends AbstractJpaIntegrationTest { @Test @Description("Tests ManagementAPI PreAuthorized method with correct and insufficient permissions.") void setRolloutStatusDetailsPermissionsCheck() { + final String rolloutName = "rollout-std"; + final int amountGroups = 5; // static only + final String targetPrefix = "controller-rollout-std-"; + final DistributionSet distributionSet = testdataFactory.createDistributionSet("dsFor" + rolloutName); + + testdataFactory.createTargets(targetPrefix, 0, amountGroups * 3); + final Rollout rollout = testdataFactory.createRolloutByVariables(rolloutName, rolloutName, amountGroups, + "controllerid==" + targetPrefix + "*", distributionSet, "60", "30", false, false); assertPermissions(() -> { - rolloutManagement.setRolloutStatusDetails(new PageImpl<>(List.of(entityFactory.rollout().create().distributionSetId(1L).build()))); + rolloutManagement.setRolloutStatusDetails(new PageImpl<>(List.of(rollout))); return null; }, List.of(SpPermission.UPDATE_ROLLOUT, SpPermission.READ_REPOSITORY)); } 
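Review bot: The `// static only` comment on `amountGroups` in `setRolloutStatusDetailsPermissionsCheck` does not say what is static, and nothing explains why a persisted rollout with fifteen targets is needed for an authorization check. A comment such as `// a persisted rollout is needed so the permitted call reaches setRolloutStatusDetails with real groups` (if that is the reason) would document the setup. Because the required list is `List.of(SpPermission.UPDATE_ROLLOUT, SpPermission.READ_REPOSITORY)` and the two-argument overload is used, the denied user now holds only `READ_REPOSITORY`. Passing an explicit denied list here would state which rejection the test is meant to prove.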
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SoftwareModuleTypeManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SoftwareModuleTypeManagementSecurityTest.java index 101315269..3cf5bc042 100644 --- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SoftwareModuleTypeManagementSecurityTest.java +++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SoftwareModuleTypeManagementSecurityTest.java @@ -10,6 +10,7 @@ package org.eclipse.hawkbit.repository.jpa.management; import java.util.List; +import java.util.Random; import io.qameta.allure.Description; import io.qameta.allure.Feature; @@ -34,7 +35,7 @@ public class SoftwareModuleTypeManagementSecurityTest @Override protected SoftwareModuleTypeCreate getCreateObject() { - return entityFactory.softwareModuleType().create().key("key").name("name"); + return entityFactory.softwareModuleType().create().key(String.format("key-%d", new Random().nextInt())).name(String.format("name-%d", new Random().nextInt())); } @Override diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SystemManagementSecurityTest.java b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SystemManagementSecurityTest.java index 8c4178ad4..448b532bd 100644 --- a/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SystemManagementSecurityTest.java +++ b/hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/management/SystemManagementSecurityTest.java 
@@ -63,7 +63,10 @@ public class SystemManagementSecurityTest extends AbstractJpaIntegrationTest { @Test @Description("Tests ManagementAPI PreAuthorized method with correct and insufficient permissions.") void getTenantMetadataPermissionsCheck() { - assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_REPOSITORY, SpPermission.READ_TARGET, SpPermission.READ_TENANT_CONFIGURATION)); + assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_REPOSITORY), List.of(SpPermission.CREATE_REPOSITORY)); + assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_TARGET), List.of(SpPermission.CREATE_REPOSITORY)); + assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.READ_TENANT_CONFIGURATION), List.of(SpPermission.CREATE_REPOSITORY)); + assertPermissions(() -> systemManagement.getTenantMetadata(), List.of(SpPermission.SpringEvalExpressions.CONTROLLER_ROLE), List.of(SpPermission.CREATE_REPOSITORY)); } @Test