modules/core/dbutils/pom.xml | 9 modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleCriteria.java | 17 modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleGroupCriteria.java | 21 modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/bundle/BundleManagerBeanTest.java | 292 +++++++++- modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/util/SessionTestHelper.java | 13 modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerBean.java | 149 +++++ modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerLocal.java | 98 --- modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerRemote.java | 24 modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java | 28 modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerLocal.java | 18 modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java | 37 - 11 files changed, 538 insertions(+), 168 deletions(-)
New commits: commit 4d624b061398b84782c970bf5da587ea81ef0f7d Author: Jay Shaughnessy jshaughn@redhat.com Date: Fri Aug 2 15:25:52 2013 -0400
First authz test passing - fixed testing approach to use all slsbs and proper non-super-subject - fixed criteria bundle/bundleGroup auth token issues - fixed criteria filter override issues - fixed various bugs and added more supporting slsb methods - added some authz to bundle manager local methods where it seemed needed/useful - cleaned up RoleManagerLocal to extend the remote
diff --git a/modules/core/dbutils/pom.xml b/modules/core/dbutils/pom.xml
index d7e2d65..360fdbc 100644
--- a/modules/core/dbutils/pom.xml
+++ b/modules/core/dbutils/pom.xml
@@ -17,7 +17,7 @@
<description>Database schema setup, upgrade and other utilities</description>
<properties>
- <db.schema.version>2.134</db.schema.version>
+ <db.schema.version>2.135</db.schema.version>
<rhq.ds.type-mapping>${rhq.test.ds.type-mapping}</rhq.ds.type-mapping>
<rhq.ds.server-name>${rhq.test.ds.server-name}</rhq.ds.server-name>
<rhq.ds.db-name>${rhq.test.ds.db-name}</rhq.ds.db-name>
@@ -276,7 +276,7 @@
<script language="groovy">
import org.rhq.cassandra.schema.SchemaManager
- if (project.getProperty('dbsetup-upgrade') || project.getProperty('dbreset')) {
+ if (project.getProperty('dbsetup-upgrade') || project.getProperty('dbsetup')) {
if (project.getProperty('storage-schema')) {
if (project.getProperty('db') == 'dev') {
self.log('PERFORMING STORAGE NODE SETUP TO LATEST SCHEMA')
@@ -286,11 +286,6 @@
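Review bot: The storage-node branch now fires on `dbsetup` instead of `dbreset`, and the next hunk removes the `schemaManager.drop()` that `dbreset` used to trigger, so a `dbsetup` run against a storage node that already has a schema goes straight to `schemaManager.install()`. Whether `SchemaManager.install()` tolerates an existing keyspace is not visible here; if it does not, a comment such as `// dbsetup no longer drops the storage schema; use dbsetup-upgrade on an existing node` (or an explicit guard) would save the next person a failed build. This build-script change is also absent from the commit message, which only describes the authz work.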
schemaManager = new SchemaManager(username, password, seeds)
- if (project.getProperty('dbreset') == 'true') {
- self.log('Dropping schema')
- schemaManager.drop()
- }
-
self.log('Install schema')
schemaManager.install()
} else {
diff --git a/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleCriteria.java b/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleCriteria.java
index 32f2f9d..2e34174 100644
--- a/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleCriteria.java
+++ b/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleCriteria.java
@@ -26,6 +26,7 @@ import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
import org.rhq.core.domain.bundle.Bundle;
+import org.rhq.core.domain.util.CriteriaUtils;
import org.rhq.core.domain.util.PageOrdering;
/**
@@ -64,8 +65,9 @@ public class BundleCriteria extends TaggedCriteria {
filterOverrides.put("bundleTypeId", "bundleType.id = ?");
filterOverrides.put("bundleTypeName", "bundleType.name like ?");
filterOverrides.put("bundleGroupIds", "" //
- + "id IN ( SELECT bg.bundle.id " //
- + " FROM BundleGroup bg " //
+ + "id IN ( SELECT innerbundle.id " //
+ + " FROM Bundle innerbundle " //
+ + " JOIN innerbundle.bundleGroups bg"
+ " WHERE bg.id IN ( ? ) )");
filterOverrides.put("destinationIds", "" //
+ "id IN ( SELECT bd.bundle.id " //
@@ -103,15 +105,8 @@ public class BundleCriteria extends TaggedCriteria {
this.filterDescription = filterDescription;
}
- /** Convenience routine calls addFilterBundleGroupIds */
- public void addFilterBundleGroupId(Integer filterBundleGroupId) {
- List<Integer> ids = new ArrayList<Integer>(1);
- ids.add(filterBundleGroupId);
- this.addFilterBundleGroupIds(ids);
- }
-
- public void addFilterBundleGroupIds(List<Integer> filterBundleGroupIds) {
- this.filterBundleGroupIds = filterBundleGroupIds;
+ public void addFilterBundleGroupIds(Integer... filterBundleGroupIds) {
+ this.filterBundleGroupIds = CriteriaUtils.getListIgnoringNulls(filterBundleGroupIds);
}
/** Convenience routine calls addFilterDestinationIds */
diff --git a/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleGroupCriteria.java b/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleGroupCriteria.java
index 88886d7..69ceea4 100644
--- a/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleGroupCriteria.java
+++ b/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleGroupCriteria.java
@@ -18,7 +18,6 @@
*/
package org.rhq.core.domain.criteria;
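Review bot: Replacing `addFilterBundleGroupId(Integer)` and `addFilterBundleGroupIds(List<Integer>)` with a single varargs overload is a source-incompatible change on a domain criteria class; if BundleCriteria is reachable from the remote API or CLI, callers that pass a `List<Integer>` stop compiling. Keeping `public void addFilterBundleGroupIds(List<Integer> ids) { this.filterBundleGroupIds = ids; }` beside the varargs form, or calling the removal out in the commit message, makes the break deliberate rather than silent. It is also worth confirming what `CriteriaUtils.getListIgnoringNulls` returns for an all-null call, since that helper is outside this diff: a null drops the filter and widens the result, while an empty list produces an empty `IN ( )` in the override above.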
-import java.util.ArrayList;
import java.util.List;
import javax.xml.bind.annotation.XmlAccessType;
@@ -26,6 +25,7 @@ import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
import org.rhq.core.domain.bundle.BundleGroup;
+import org.rhq.core.domain.util.CriteriaUtils;
import org.rhq.core.domain.util.PageOrdering;
/**
@@ -39,9 +39,7 @@ public class BundleGroupCriteria extends Criteria {
private String filterName;
private String filterDescription;
- private Integer filterBundleId;
private List<Integer> filterBundleIds; // requires overrides
- private Integer filterRoleId;
private List<Integer> filterRoleIds; // requires overrides
private boolean fetchBundles;
@@ -52,12 +50,14 @@ public class BundleGroupCriteria extends Criteria {
public BundleGroupCriteria() {
filterOverrides.put("bundleIds", "" //
- + "id IN ( SELECT b.id " //
+ + "id IN ( SELECT bg.id " //
+ " FROM Bundle b " //
+ + " JOIN b.bundleGroups bg"
+ " WHERE b.id IN ( ? ) )");
filterOverrides.put("roleIds", "" //
- + "id IN ( SELECT r.id " //
+ + "id IN ( SELECT bg.id " //
+ " FROM Role r " //
+ + " JOIN r.bundleGroups bg"
+ " WHERE r.id IN ( ? ) )");
}
@@ -74,15 +74,12 @@ public class BundleGroupCriteria extends Criteria {
this.filterDescription = filterDescription;
}
- /** Convenience routine calls addFilterBundleVersionIds */
- public void addFilterBundleId(Integer filterBundleId) {
- List<Integer> ids = new ArrayList<Integer>(1);
- ids.add(filterBundleId);
- this.addFilterBundleIds(ids);
+ public void addFilterBundleIds(Integer... filterBundleIds) {
+ this.filterBundleIds = CriteriaUtils.getListIgnoringNulls(filterBundleIds);
}
- public void addFilterBundleIds(List<Integer> filterBundleIds) {
- this.filterBundleIds = filterBundleIds;
+ public void addFilterRoleIds(Integer... filterRoleIds) {
+ this.filterRoleIds = CriteriaUtils.getListIgnoringNulls(filterRoleIds);
}
public void fetchBundles(boolean fetchBundles) {
diff --git a/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/bundle/BundleManagerBeanTest.java b/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/bundle/BundleManagerBeanTest.java
index c4d9a79..117d2df 100644
--- a/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/bundle/BundleManagerBeanTest.java
+++ b/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/bundle/BundleManagerBeanTest.java
@@ -39,11 +39,14 @@ import org.hibernate.LazyInitializationException;
import org.testng.annotations.Test;
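Review bot: `addFilterRoleIds` adds a caller-controlled filter on the role-to-bundle-group association to a criteria object any subject can hand to `findBundleGroupsByCriteria`; whatever keeps it from revealing groups of roles the caller is not in lives in CriteriaQueryGenerator, which is not in this chunk. The new test filters only by a nonexistent id and by the subject's own role, so an assertion that filtering on a role the subject does not belong to yields an empty list would pin the intended behavior. A short Javadoc, e.g. `/** Narrows results to bundle groups assigned to any of the given roles; it does not widen what the caller may see. */`, would record that contract — on the assumption that the generator still applies its authz restriction when this filter is present, which should be confirmed.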
import org.rhq.core.domain.auth.Subject;
+import org.rhq.core.domain.authz.Permission;
+import org.rhq.core.domain.authz.Role;
import org.rhq.core.domain.bundle.Bundle;
import org.rhq.core.domain.bundle.BundleDeployment;
import org.rhq.core.domain.bundle.BundleDeploymentStatus;
import org.rhq.core.domain.bundle.BundleDestination;
import org.rhq.core.domain.bundle.BundleFile;
+import org.rhq.core.domain.bundle.BundleGroup;
import org.rhq.core.domain.bundle.BundleResourceDeployment;
import org.rhq.core.domain.bundle.BundleResourceDeploymentHistory;
import org.rhq.core.domain.bundle.BundleType;
@@ -65,8 +68,11 @@ import org.rhq.core.domain.content.Repo;
import org.rhq.core.domain.criteria.BundleCriteria;
import org.rhq.core.domain.criteria.BundleDeploymentCriteria;
import org.rhq.core.domain.criteria.BundleFileCriteria;
+import org.rhq.core.domain.criteria.BundleGroupCriteria;
import org.rhq.core.domain.criteria.BundleResourceDeploymentCriteria;
import org.rhq.core.domain.criteria.BundleVersionCriteria;
+import org.rhq.core.domain.criteria.RoleCriteria;
+import org.rhq.core.domain.criteria.SubjectCriteria;
import org.rhq.core.domain.resource.Agent;
import org.rhq.core.domain.resource.InventoryStatus;
import org.rhq.core.domain.resource.Resource;
@@ -78,6 +84,7 @@ import org.rhq.core.domain.util.PageOrdering;
import org.rhq.core.util.file.FileUtil;
import org.rhq.core.util.stream.StreamUtil;
import org.rhq.core.util.updater.DeploymentProperties;
+import org.rhq.enterprise.server.authz.PermissionException;
import org.rhq.enterprise.server.plugin.pc.MasterServerPluginContainer;
import org.rhq.enterprise.server.resource.ResourceManagerLocal;
import org.rhq.enterprise.server.test.AbstractEJB3Test;
@@ -98,10 +105,13 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
private static final boolean TESTS_ENABLED = true;
- private static final String TEST_PREFIX = "bundletest";
+ private static final String TEST_PREFIX = BundleManagerBeanTest.class.getSimpleName();
private static final String TEST_BUNDLE_DESTBASEDIR_PROP = TEST_PREFIX + ".destBaseDirProp";
private static final String TEST_BUNDLE_DESTBASEDIR_PROP_VALUE = TEST_PREFIX + "/destBaseDir";
+ private static final String TEST_BUNDLE_GROUP_NAME = TEST_PREFIX + ".bundleGroup";
private static final String TEST_DESTBASEDIR_NAME = TEST_PREFIX + ".destBaseDirName";
+ private static final String TEST_ROLE_NAME = TEST_PREFIX + ".role";
+ private static final String TEST_USER_NAME = TEST_PREFIX + ".user";
private BundleManagerLocal bundleManager;
private ResourceManagerLocal resourceManager;
@@ -143,6 +153,21 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
private void cleanupDatabase() {
try {
+ RoleCriteria roleCriteria = new RoleCriteria();
+ roleCriteria.addFilterName(TEST_ROLE_NAME);
+ List<Role> testRoles = LookupUtil.getRoleManager().findRolesByCriteria(overlord, roleCriteria);
+ for (Role testRole : testRoles) {
+ LookupUtil.getRoleManager().deleteRoles(overlord, new int[] { testRole.getId() });
+ }
+
+ SubjectCriteria subjectCriteria = new SubjectCriteria();
+ subjectCriteria.addFilterName(TEST_USER_NAME);
+ List<Subject> testSubjects = LookupUtil.getSubjectManager().findSubjectsByCriteria(overlord,
+ subjectCriteria);
+ for (Subject testSubject : testSubjects) {
+ LookupUtil.getSubjectManager().deleteSubjects(overlord, new int[] { testSubject.getId() });
+ }
+
getTransactionManager().begin();
Query q;
@@ -232,6 +257,13 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
em.remove(em.getReference(Repo.class, ((Repo) removeMe).getId()));
}
+ // remove bundle groups no longer referenced by bundles
+ q = em.createQuery("SELECT bg FROM BundleGroup bg WHERE bg.name LIKE '" + TEST_PREFIX + "%'");
+ doomed = q.getResultList();
+ for (Object removeMe : doomed) {
+ em.remove(em.getReference(BundleGroup.class, ((BundleGroup) removeMe).getId()));
+ }
+
// remove Resource Groups left over from test deployments freeing up test resources
q = em.createQuery("SELECT rg FROM ResourceGroup rg WHERE rg.name LIKE '" + TEST_PREFIX + "%'");
doomed = q.getResultList();
@@ -755,7 +787,7 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
public void testAddBundleFilesToDifferentBundles() throws Exception {
// create a bundle type to use for both bundles.
BundleType bt = createBundleType("one");
- Bundle b1 = createBundle("one", bt);
+ Bundle b1 = createBundle(overlord, "one", bt, 0);
assertNotNull(b1);
BundleVersion bv1 = createBundleVersion(b1.getName(), "1.0", b1);
assertNotNull(bv1);
@@ -763,7 +795,7 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
null, "Bundle #1 File # 1".getBytes());
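Review bot: The comment `// remove bundle groups no longer referenced by bundles` does not describe the query beneath it, which deletes every BundleGroup whose name starts with TEST_PREFIX whether or not a bundle or role still references it; `// remove test bundle groups (name prefixed with TEST_PREFIX), referenced or not` is accurate. If a group is still linked when `em.remove` runs, the outcome depends on the mapping's cascade and owning side, which are not visible here; cleanupDatabase's earlier `deleteRoles` unhooks roles, but where the bundles themselves are removed relative to this block is outside the hunk.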
// create a second bundle but create file of the same name as above
- Bundle b2 = createBundle("two", bt);
+ Bundle b2 = createBundle(overlord, "two", bt, 0);
assertNotNull(b2);
BundleVersion bv2 = createBundleVersion(b2.getName(), "1.0", b2);
assertNotNull(bv2);
@@ -860,9 +892,10 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
int size = brd.getBundleResourceDeploymentHistories().size();
assertTrue(size > 0);
String auditMessage = "BundleTest-Message";
- bundleManager.addBundleResourceDeploymentHistoryInNewTrans(overlord, brd.getId(), new BundleResourceDeploymentHistory(
- overlord.getName(), auditMessage, auditMessage, BundleResourceDeploymentHistory.Category.DEPLOY_STEP,
- BundleResourceDeploymentHistory.Status.SUCCESS, auditMessage, auditMessage));
+ bundleManager.addBundleResourceDeploymentHistoryInNewTrans(overlord, brd.getId(),
+ new BundleResourceDeploymentHistory(overlord.getName(), auditMessage, auditMessage,
+ BundleResourceDeploymentHistory.Category.DEPLOY_STEP, BundleResourceDeploymentHistory.Status.SUCCESS,
+ auditMessage, auditMessage));
brds = bundleManager.findBundleResourceDeploymentsByCriteria(overlord, c);
assertEquals(1, brds.size());
@@ -1284,31 +1317,253 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
assertEquals(1, bundles.size());
}
- @Test(enabled = false)
- public void testNoAuthz() throws Exception {
- // create
+ @Test(enabled = TESTS_ENABLED)
+ public void authzBundleGroupTest() throws Exception {
+ Subject subject = null;
+ Role role = null;
+
+ subject = createNewSubject(TEST_USER_NAME);
+ role = createNewRoleForSubject(subject, TEST_ROLE_NAME);
+
+ subject = createSession(subject); // start a session so we can use this subject in SLSB calls
+
+ // deny bundle group create
+ try {
+ bundleManager.createBundleGroup(subject, TEST_BUNDLE_GROUP_NAME, "test");
+ fail("Should have thrown PermissionException");
+ } catch (PermissionException e) {
+ // expected
+ }
+
+ // allow bundle group create
+ addRolePermissions(role, Permission.MANAGE_BUNDLE_GROUPS);
+ BundleGroup bundleGroup = bundleManager.createBundleGroup(subject, TEST_BUNDLE_GROUP_NAME, "test");
+
+ // deny bundle group delete
+ removeRolePermissions(role, Permission.MANAGE_BUNDLE_GROUPS);
+ try {
+ bundleManager.deleteBundleGroups(subject, new int[] { bundleGroup.getId() });
+ fail("Should have thrown PermissionException");
+ } catch (PermissionException e) {
+ // expected
+ }
+
+ // deny global perm bundleGroup view
+ BundleGroupCriteria bgCriteria = new BundleGroupCriteria();
+ List<BundleGroup> bundleGroups = bundleManager.findBundleGroupsByCriteria(subject, bgCriteria);
+ assertNotNull(bundleGroups);
+ assert bundleGroups.isEmpty() : "Should not be able to see unassociated bundle group";
+
+ // allow global perm bundleGroup view
+ addRolePermissions(role, Permission.MANAGE_BUNDLE_GROUPS);
+ bundleGroups = bundleManager.findBundleGroupsByCriteria(subject, bgCriteria);
+ assertNotNull(bundleGroups);
+ assertEquals("Should be able to see unassociated bundle group", 1, bundleGroups.size());
+
+ // allow bundle group delete
+ bundleManager.deleteBundleGroups(subject, new int[] { bundleGroup.getId() });
+
+ // deny unassigned bundle create (no global create or view)
+ try {
+ createBundle(subject, TEST_PREFIX + ".bundle");
fail("Should have thrown PermissionException");
+ } catch (PermissionException e) {
+ // expected
+ }
+
+ // deny unassigned bundle create (no global view)
+ addRolePermissions(role, Permission.CREATE_BUNDLES);
+ try {
+ createBundle(subject, TEST_PREFIX + ".bundle");
+ fail("Should have thrown PermissionException");
+ } catch (PermissionException e) {
+ // expected
+ }
+
+ // deny unassigned bundle create (no global create)
+ removeRolePermissions(role, Permission.CREATE_BUNDLES);
+ addRolePermissions(role, Permission.VIEW_BUNDLES);
+ try {
+ createBundle(subject, TEST_PREFIX + ".bundle");
+ fail("Should have thrown PermissionException");
+ } catch (PermissionException e) {
+ // expected
+ }
+
+ // allow unassigned bundle create
+ addRolePermissions(role, Permission.CREATE_BUNDLES);
+ Bundle bundle = createBundle(subject, TEST_PREFIX + ".bundle");
+
+ // deny unassigned bundle view
+ removeRolePermissions(role, Permission.CREATE_BUNDLES, Permission.VIEW_BUNDLES);
+ BundleCriteria bCriteria = new BundleCriteria();
+ List<Bundle> bundles = bundleManager.findBundlesByCriteria(subject, bCriteria);
+ assertNotNull(bundles);
+ assert bundles.isEmpty() : "Should not be able to see unassigned bundle";
+
+ // allow unassigned bundle view
+ addRolePermissions(role, Permission.VIEW_BUNDLES);
+ bundles = bundleManager.findBundlesByCriteria(subject, bCriteria);
+ assertNotNull(bundles);
+ assertEquals("Should be able to see unassigned bundle", 1, bundles.size());
+
+ // deny global perm bundle assign
+ bundleGroup = bundleManager.createBundleGroup(subject, TEST_BUNDLE_GROUP_NAME, "test");
+ try {
+ bundleManager.assignBundlesToBundleGroup(subject, bundleGroup.getId(), new int[] { bundle.getId() });
+ fail("Should have thrown PermissionException");
+ } catch (PermissionException e) {
+ // expected
+ }
+
+ // allow global perm bundle assign
+ addRolePermissions(role, Permission.CREATE_BUNDLES);
+ bundleManager.assignBundlesToBundleGroup(subject, bundleGroup.getId(), new int[] {
bundle.getId() });
+
+ // deny assigned, unassociated-bundle-group bundle view
+ removeRolePermissions(role, Permission.CREATE_BUNDLES, Permission.VIEW_BUNDLES);
+ bundles = bundleManager.findBundlesByCriteria(subject, bCriteria);
+ assertNotNull(bundles);
+ assert bundles.isEmpty() : "Should not be able to see assigned bundle";
+
+ // allow assigned, associated-bundle-group bundle view
+ addRoleBundleGroup(role, bundleGroup);
+ bundles = bundleManager.findBundlesByCriteria(subject, bCriteria);
+ assertNotNull(bundles);
+ assertEquals("Should be able to see assigned bundle", 1, bundles.size());
+
+ // check new bundle criteria options (no match)
+ bCriteria.addFilterBundleGroupIds(87678);
+ bCriteria.fetchBundleGroups(true);
+ bundles = bundleManager.findBundlesByCriteria(subject, bCriteria);
+ assertNotNull(bundles);
+ assert bundles.isEmpty() : "Should not have found anything";
+
+ // check new bundle criteria options (match)
+ bCriteria.addFilterBundleGroupIds(bundleGroup.getId());
+ bCriteria.fetchBundleGroups(true);
+ bundles = bundleManager.findBundlesByCriteria(subject, bCriteria);
+ assertNotNull(bundles);
+ assertEquals("Should be able to see assigned bundle", 1, bundles.size());
+ assertNotNull(bundles.get(0).getBundleGroups());
+ assertEquals("Should have fetched bundlegroup", 1, bundles.get(0).getBundleGroups().size());
+ assertEquals("Should have fetched expected bundlegroup", bundleGroup, bundles.get(0).getBundleGroups()
+ .iterator().next());
+
+ // check new bundle group criteria options (no match)
+ bgCriteria.addFilterId(87678);
+ bgCriteria.addFilterBundleIds(87678);
+ bgCriteria.addFilterRoleIds(87678);
+ bgCriteria.fetchBundles(true);
+ bgCriteria.fetchRoles(true);
+ bundleGroups = bundleManager.findBundleGroupsByCriteria(subject, bgCriteria);
+ assertNotNull(bundleGroups);
+ assert bundleGroups.isEmpty() : "Should not have found anything";
+
+ // check new bundle group criteria options (no match)
+ bgCriteria.addFilterId(bundleGroup.getId());
+ bundleGroups = bundleManager.findBundleGroupsByCriteria(subject, bgCriteria);
+ assertNotNull(bundleGroups);
+ assert bundleGroups.isEmpty() : "Should not have found anything";
+
+ // check new bundle group criteria options (no match)
+ bgCriteria.addFilterBundleIds(bundle.getId());
+ bundleGroups = bundleManager.findBundleGroupsByCriteria(subject, bgCriteria);
+ assertNotNull(bundleGroups);
+ assert bundleGroups.isEmpty() : "Should not have found anything";
+
+ // check new bundle group criteria options (match)
+ bgCriteria.addFilterRoleIds(role.getId());
+ bundleGroups = bundleManager.findBundleGroupsByCriteria(subject, bgCriteria);
+ assertNotNull(bundleGroups);
+ assertEquals("Should be able to see assigned bundle", 1, bundleGroups.size());
+ assertNotNull(bundleGroups.get(0).getBundles());
+ assertEquals("Should have fetched bundle in bundle group", 1, bundleGroups.get(0).getBundles().size());
+ assertEquals("Should have fetched bundle in bundle group", bundle, bundleGroups.get(0).getBundles()
+ .iterator().next());
+ assertNotNull(bundleGroups.get(0).getRoles());
+ assertEquals("Should have fetched role for bundle group", 1, bundleGroups.get(0).getRoles().size());
+ assertEquals("Should have fetched role for bundle group", role, bundleGroups.get(0).getRoles().iterator()
+ .next());
+ }
+
+ private Subject createNewSubject(String subjectName) throws Exception {
+
+ Subject newSubject = new Subject();
+ newSubject.setName(subjectName);
+ newSubject.setFactive(true);
+ newSubject.setFsystem(false);
+
+ return LookupUtil.getSubjectManager().createSubject(overlord, newSubject);
+ }
+
+ private Role createNewRoleForSubject(Subject subject, String roleName) throws Exception {
+ Role newRole = new Role(roleName);
+ newRole.setFsystem(false);
+ newRole.addSubject(subject);
+ return LookupUtil.getRoleManager().createRole(overlord, newRole);
+ }
+
+ private void addRolePermissions(Role role, Permission... permissions) throws Exception {
+
+ for (Permission p : permissions) {
+ role.getPermissions().add(p);
+ }
+ LookupUtil.getRoleManager().setPermissions(overlord, role.getId(), role.getPermissions());
+ }
+
+ private void removeRolePermissions(Role role, Permission... permissions) throws Exception {
+
+ for (Permission p : permissions) {
+ role.getPermissions().remove(p);
+ }
+ LookupUtil.getRoleManager().setPermissions(overlord, role.getId(), role.getPermissions());
+ }
+
+ private void addRoleBundleGroup(Role role, BundleGroup bundleGroup) throws Exception {
+
+ int[] ids = new int[1];
+ ids[0] = bundleGroup.getId();
+ LookupUtil.getRoleManager().addBundleGroupsToRole(overlord, role.getId(), ids);
+ }
+
+ private void removeRoleBundleGroup(Role role, BundleGroup bundleGroup) throws Exception {
+
+ int[] ids = new int[1];
+ ids[0] = bundleGroup.getId();
+ LookupUtil.getRoleManager().removeBundleGroupsFromRole(overlord, role.getId(), ids);
}
// helper methods
private BundleType createBundleType(String name) throws Exception {
final String fullName = TEST_PREFIX + "-type-" + name;
- ResourceType rt = createResourceTypeForBundleType(name);
- BundleType bt = bundleManager.createBundleType(overlord, fullName, rt.getId());
+ BundleType bt = null;
+ try {
+ bt = bundleManager.getBundleType(overlord, fullName);
+ } catch (Throwable t) {
+ ResourceType rt = createResourceTypeForBundleType(name);
+ bt = bundleManager.createBundleType(overlord, fullName, rt.getId());
+
+ assert bt.getId() > 0;
+ assert bt.getName().endsWith(fullName);
+ }
- assert bt.getId() > 0;
- assert bt.getName().endsWith(fullName);
return bt;
}
private Bundle createBundle(String name) throws Exception {
+ return createBundle(overlord, name);
+ }
+
+ private Bundle createBundle(Subject subject, String name) throws Exception {
BundleType bt = createBundleType(name);
- return createBundle(name, bt);
+ return createBundle(subject, name, bt, 0);
}
- private Bundle createBundle(String name, BundleType bt) throws Exception {
+ private Bundle createBundle(Subject subject, String name, BundleType bt, int bundleGroupId) throws Exception {
final String fullName = TEST_PREFIX + "-bundle-" + name;
- Bundle b = bundleManager.createBundle(overlord, fullName, fullName + "-desc", bt.getId(), 0);
+ Bundle b = bundleManager.createBundle(subject, fullName, fullName + "-desc", bt.getId(), bundleGroupId);
assert b.getId() > 0;
assert b.getName().endsWith(fullName);
@@ -1316,6 +1571,11 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
}
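Review bot: The new authz test exercises grants but never revocation: `removeRoleBundleGroup` is defined but never called, so nothing asserts that taking the bundle group off the role makes the bundle invisible again, which is the half of the check that matters for a least-privilege regression. After the "allow assigned, associated-bundle-group bundle view" block, add `removeRoleBundleGroup(role, bundleGroup);`, `bundles = bundleManager.findBundlesByCriteria(subject, bCriteria);` and `assert bundles.isEmpty() : "Should not see bundle after bundle group removed from role";`, then re-add the group before the criteria checks that follow. Separately, `createBundleType` now catches `Throwable` to decide that the type does not exist, which also turns a PermissionException or an infrastructure failure into "create it"; and if `getBundleType` returns null rather than throwing for a missing name, `bt` stays null and the caller fails later — catch the specific not-found exception or test for null instead.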
private BundleVersion createBundleVersion(String name, String version, Bundle bundle) throws Exception {
+ return createBundleVersion(overlord, name, version, bundle);
+ }
+
+ private BundleVersion createBundleVersion(Subject subject, String name, String version, Bundle bundle)
+ throws Exception {
final String fullName = TEST_PREFIX + "-bundleversion-" + version + "-" + name;
final String recipe = "deploy -f " + TEST_PREFIX + ".zip -d @@ test.path @@";
BundleVersion bv = bundleManager.createBundleVersion(overlord, bundle.getId(), fullName, fullName + "-desc",
diff --git a/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/util/SessionTestHelper.java b/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/util/SessionTestHelper.java
index 10b5dbc..b85408d 100644
--- a/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/util/SessionTestHelper.java
+++ b/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/util/SessionTestHelper.java
@@ -19,6 +19,7 @@ package org.rhq.enterprise.server.util;
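Review bot: The new `createBundleVersion(Subject subject, ...)` overload ignores its `subject` parameter: the body still calls `bundleManager.createBundleVersion(overlord, bundle.getId(), ...)`, so any future authz test routed through this helper would silently run as the overlord and pass. Change that line to `BundleVersion bv = bundleManager.createBundleVersion(subject, bundle.getId(), fullName, fullName + "-desc",`; the rest of the method continues outside the hunk. The original overload passes `overlord` explicitly, so existing callers are unaffected.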
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Random;
@@ -137,6 +138,18 @@ public class SessionTestHelper {
return newRole;
}
+ public static void addRolePermissions(EntityManager em, Role role, Permission... permissions) {
+ role.getPermissions().addAll(Arrays.asList(permissions));
+ em.merge(role);
+ em.flush();
+ }
+
+ public static void removeRolePermissions(EntityManager em, Role role, Permission... permissions) {
+ role.getPermissions().removeAll(Arrays.asList(permissions));
+ em.merge(role);
+ em.flush();
+ }
+
public static ResourceType createNewResourceType(EntityManager em) {
ResourceType type = new ResourceType(preprocess("testType"), "testPlugin", ResourceCategory.PLATFORM, null);
ConfigurationDefinition resourceConfigDef = new ConfigurationDefinition("Fake def",
diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerBean.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerBean.java
index af4c81f..aeaf597 100644
--- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerBean.java
+++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerBean.java
@@ -39,6 +39,7 @@ import org.apache.commons.logging.LogFactory;
import org.rhq.core.domain.auth.Subject;
import org.rhq.core.domain.authz.Permission;
import org.rhq.core.domain.authz.Role;
+import org.rhq.core.domain.bundle.BundleGroup;
import org.rhq.core.domain.criteria.RoleCriteria;
import org.rhq.core.domain.resource.group.LdapGroup;
import org.rhq.core.domain.resource.group.ResourceGroup;
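Review bot: These helpers change a role's permissions by merging the entity directly, bypassing the `@RequiredPermission(MANAGE_SECURITY)` path that `RoleManagerBean.setPermissions` enforces, and they duplicate the `addRolePermissions`/`removeRolePermissions` helpers BundleManagerBeanTest adds in this same commit, which do go through the SLSB. Nothing in this diff calls them, so if they stay a comment such as `// Test-only shortcut: bypasses RoleManager's MANAGE_SECURITY check; authz tests should use RoleManagerLocal.setPermissions` would keep them out of an authz test by accident. Also, `em.merge(role)` returns the managed copy and that result is discarded, so a detached `role` handed in stays detached for the caller.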
@@ -88,6 +89,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#findRolesBySubject(int subjectId,PageControl pageControl)
*/
+ @Override
@SuppressWarnings("unchecked")
// the first param, subject, is not the subject making the request, its the subject whose roles are to be returned.
// therefore, we won't want our security interceptor to check this method since the subject won't have a session associated with it
@@ -109,6 +111,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#findRoles(PageControl)
*/
+ @Override
@SuppressWarnings("unchecked")
public PageList<Role> findRoles(PageControl pc) {
pc.initDefaultOrderingField("r.name");
@@ -135,6 +138,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#createRole(Subject, Role)
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public Role createRole(Subject whoami, Role newRole) {
// Make sure there's not an existing role with the same name.
@@ -182,6 +186,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#deleteRoles(Subject, int[])
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void deleteRoles(Subject subject, int[] doomedRoleIds) {
if (doomedRoleIds != null) {
@@ -202,6 +207,13 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
entityManager.merge(doomedResourceGroupRelationship);
}
+ //remove attached Bundle Groups
+ Set<BundleGroup> bundleGroupsToUnhook = new HashSet<BundleGroup>(doomedRole.getBundleGroups()); // avoid concurrent mod exception
+ for (BundleGroup doomedBundleGroupRelationship : bundleGroupsToUnhook) {
+ doomedRole.removeBundleGroup(doomedBundleGroupRelationship);
+ entityManager.merge(doomedBundleGroupRelationship);
+ }
+
//remove attached LDAP Subjects
Set<Subject> ldapSubjectsToUnhook = new HashSet<Subject>(doomedRole.getLdapSubjects()); // avoid concurrent mod exception
for (Subject doomedLdapSubjectRelationship : ldapSubjectsToUnhook) {
@@ -232,6 +244,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#addRolesToSubject(Subject, int, int[])
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void addRolesToSubject(Subject subject, int subjectId, int[] roleIds) {
addRolesToSubject(subject, subjectId, roleIds, false);
@@ -272,6 +285,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#addSubjectsToRole(Subject, int, int[])
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void addSubjectsToRole(Subject subject, int roleId, int[] subjectIds) {
if (subjectIds != null) {
@@ -303,6 +317,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#removeRolesFromSubject(Subject, int, int[])
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void removeRolesFromSubject(Subject subject, int subjectId, int[] roleIds) {
if (roleIds != null) {
@@ -324,6 +339,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
return;
}
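Review bot: The new unhook loop copies the resource-group pattern above it, but whether `Role.removeBundleGroup` also clears the inverse `BundleGroup.getRoles()` side is not visible here; if BundleGroup is the owning side of the many-to-many, `entityManager.merge(doomedBundleGroupRelationship)` on a group that still lists the role would leave the join row behind and the role removal later in this method could fail on a constraint. A one-line comment recording the assumption, `// Role owns the role<->bundleGroup join; removing from the role is sufficient`, or a test that deletes a role which still has a bundle group assigned, would settle it. `deleteRoles` continues outside the hunk.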
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void setAssignedSubjectRoles(Subject subject, int subjectId, int[] roleIds) {
@@ -359,6 +375,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#getRoleById(Integer)
*/
+ @Override
public Role getRoleById(Integer roleId) {
Role role = entityManager.find(Role.class, roleId);
return role;
@@ -367,6 +384,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#setPermissions(Subject, Integer, Set)
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void setPermissions(Subject subject, Integer roleId, Set<Permission> permissions) {
Role role = entityManager.find(Role.class, roleId);
@@ -381,6 +399,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#getPermissions(Integer)
*/
+ @Override
public Set<Permission> getPermissions(Integer roleId) {
Role role = entityManager.find(Role.class, roleId);
Set<Permission> rolePermissions = role.getPermissions();
@@ -390,6 +409,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#updateRole(Subject, Role)
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public Role updateRole(Subject whoami, Role role) {
Role attachedRole = entityManager.find(Role.class, role.getId());
@@ -481,6 +501,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#findSubjectsByRole(Integer,PageControl)
*/
+ @Override
@SuppressWarnings("unchecked")
public PageList<Subject> findSubjectsByRole(Integer roleId, PageControl pc) {
pc.initDefaultOrderingField("s.name");
@@ -501,6 +522,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote { /** * @see org.rhq.enterprise.server.authz.RoleManagerLocal#findRolesByIds(Integer[],PageControl) */ + @Override @SuppressWarnings("unchecked") public PageList<Role> findRolesByIds(Integer[] roleIds, PageControl pc) { if ((roleIds == null) || (roleIds.length == 0)) { @@ -528,6 +550,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote { return new PageList<Role>(roles, (int) count, pc); }
+ @Override @RequiredPermission(Permission.MANAGE_SECURITY) @SuppressWarnings("unchecked") public PageList<Role> findAvailableRolesForSubject(Subject subject, Integer subjectId, Integer[] pendingRoleIds, @@ -565,14 +588,39 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote { return new PageList<Role>(roles, (int) count, pc); }
+ @Override @RequiredPermission(Permission.MANAGE_SECURITY) public PageList<Role> findSubjectUnassignedRoles(Subject subject, int subjectId, PageControl pc) { return findAvailableRolesForSubject(subject, subjectId, null, pc); }
+ @Override + @RequiredPermission(Permission.MANAGE_SECURITY) + public void addBundleGroupsToRole(Subject subject, int roleId, int[] bundleGroupIds) { + if ((bundleGroupIds != null) && (bundleGroupIds.length > 0)) { + Role role = entityManager.find(Role.class, roleId); + if (role == null) { + throw new IllegalArgumentException("Could not find role[" + roleId + "] in order to add resourceGroups"); + } + role.getBundleGroups().size(); // load them in + + for (Integer bundleGroupId : bundleGroupIds) { + BundleGroup bundleGroup = entityManager.find(BundleGroup.class, bundleGroupId); + if (bundleGroup == null) { + throw new IllegalArgumentException("Tried to add BundleGroup[" + bundleGroupId + "] to role[" + + roleId + "], but bundleGroup was not found."); + } + role.addBundleGroup(bundleGroup); + } + } + + return; + } + /** * @see org.rhq.enterprise.server.authz.RoleManagerLocal#addResourceGroupsToRole(Subject, int, int[]) */ + @Override @RequiredPermission(Permission.MANAGE_SECURITY) public void addResourceGroupsToRole(Subject subject, int roleId, int[] groupIds) { if ((groupIds != null) && (groupIds.length > 0)) { @@ -595,9 +643,32 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote { return; }
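Review bot: The not-found message in addBundleGroupsToRole says "in order to add resourceGroups" although this method adds bundle groups; it should read `throw new IllegalArgumentException("Could not find role[" + roleId + "] in order to add bundleGroups");`. The loop variable `Integer bundleGroupId` boxes each element of the `int[]` parameter for no benefit; `for (int bundleGroupId : bundleGroupIds)` matches the array type, and the same applies to removeBundleGroupsFromRole, removeRolesFromBundleGroup and addRolesToBundleGroup in the later hunks. The trailing `return;` in this void method is noise that the sibling removeBundleGroupsFromRole already omits.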
+ @Override + @RequiredPermission(Permission.MANAGE_SECURITY) + public void removeBundleGroupsFromRole(Subject subject, int roleId, int[] bundleGroupIds) { + if ((bundleGroupIds != null) && (bundleGroupIds.length > 0)) { + Role role = entityManager.find(Role.class, roleId); + if (role == null) { + throw new IllegalArgumentException("Could not find role[" + roleId + + "] in order to remove BundleGroups"); + } + role.getBundleGroups().size(); // load them in + + for (Integer bundleGroupId : bundleGroupIds) { + BundleGroup bundleGroup = entityManager.find(BundleGroup.class, bundleGroupId); + if (bundleGroup == null) { + throw new IllegalArgumentException("Tried to remove BundleGroup[" + bundleGroupId + "] from role[" + + roleId + "], but BundleGroup was not found"); + } + role.removeBundleGroup(bundleGroup); + } + } + } + /** * @see org.rhq.enterprise.server.authz.RoleManagerLocal#removeResourceGroupsFromRole(Subject, int, int[]) */ + @Override @RequiredPermission(Permission.MANAGE_SECURITY) public void removeResourceGroupsFromRole(Subject subject, int roleId, int[] groupIds) { if ((groupIds != null) && (groupIds.length > 0)) { @@ -618,6 +689,27 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote { } }
+ @Override + @RequiredPermission(Permission.MANAGE_SECURITY) + public void setAssignedBundleGroups(Subject subject, int roleId, int[] bundleGroupIds) { + Role role = getRole(subject, roleId); + List<Integer> currentBundleGroups = new ArrayList<Integer>(); + for (BundleGroup group : role.getBundleGroups()) { + currentBundleGroups.add(group.getId()); + } + + List<Integer> newBundleGroups = ArrayUtils.wrapInList(bundleGroupIds); // members needing addition + newBundleGroups.removeAll(currentBundleGroups); + int[] newBundleGroupIds = ArrayUtils.unwrapCollection(newBundleGroups); + roleManager.addBundleGroupsToRole(subject, roleId, newBundleGroupIds); + + List<Integer> removedBundleGroups = new ArrayList<Integer>(currentBundleGroups); // members needing removal + removedBundleGroups.removeAll(ArrayUtils.wrapInList(bundleGroupIds)); + int[] removedGroupIds = ArrayUtils.unwrapCollection(removedBundleGroups); + roleManager.removeBundleGroupsFromRole(subject, roleId, removedGroupIds); + } + + @Override @RequiredPermission(Permission.MANAGE_SECURITY) public void setAssignedResourceGroups(Subject subject, int roleId, int[] groupIds) { Role role = getRole(subject, roleId); @@ -668,11 +760,13 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote { } }
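Review bot: setAssignedBundleGroups dereferences the result of getRole(subject, roleId) without a null check, and getRole is just entityManager.find (visible later in this diff), so an unknown roleId surfaces as a NullPointerException on `role.getBundleGroups()` instead of the IllegalArgumentException that addBundleGroupsToRole throws for the same condition. Add `if (role == null) { throw new IllegalArgumentException("Could not find role[" + roleId + "] in order to set bundleGroups"); }` right after the lookup. Whether ArrayUtils.wrapInList tolerates a null bundleGroupIds is not visible here; if it does not, a null argument fails inside the helper rather than being treated as "unassign all", so the expected behaviour for null should be stated in the interface Javadoc.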
+ @Override public PageList<Role> findSubjectAssignedRoles(Subject subject, int subjectId, PageControl pc) { PageList<Role> assignedRoles = findRolesBySubject(subjectId, pc); return assignedRoles; }
+ @Override @RequiredPermission(Permission.MANAGE_SECURITY) public void removeSubjectsFromRole(Subject subject, int roleId, int[] subjectIds) { if ((subjectIds != null) && (subjectIds.length > 0)) { @@ -697,6 +791,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote { } }
+ @Override @RequiredPermission(Permission.MANAGE_SECURITY) public void setAssignedSubjects(Subject subject, int roleId, int[] subjectIds) {
@@ -729,6 +824,31 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote { } }
+ @Override + @RequiredPermission(Permission.MANAGE_SECURITY) + public void removeRolesFromBundleGroup(Subject subject, int bundleGroupId, int[] roleIds) { + if ((roleIds != null) && (roleIds.length > 0)) { + BundleGroup bundleGroup = entityManager.find(BundleGroup.class, bundleGroupId); + if (bundleGroup == null) { + throw new IllegalArgumentException("Could not find BundleGroup[" + bundleGroupId + + "] in order to remove roles"); + } + bundleGroup.getRoles().size(); // load them in + + for (Integer roleId : roleIds) { + Role doomedRole = entityManager.find(Role.class, roleId); + if (doomedRole == null) { + throw new IllegalArgumentException("Tried to remove role[" + roleId + "] from BundleGroup[" + + bundleGroupId + "], but role was not found"); + } + bundleGroup.removeRole(doomedRole); + } + } + + return; + } + + @Override @RequiredPermission(Permission.MANAGE_SECURITY) public void removeRolesFromResourceGroup(Subject subject, int groupId, int[] roleIds) { if ((roleIds != null) && (roleIds.length > 0)) { @@ -751,10 +871,36 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote { return; }
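Review bot: removeRolesFromBundleGroup (and addRolesToBundleGroup in the next hunk) mutates only the BundleGroup side of the Role–BundleGroup association through bundleGroup.removeRole/addRole, whereas the role-centric methods in this file go through role.addBundleGroup/removeBundleGroup; which side JPA treats as owning is not visible in this diff. If Role owns the mapping and the BundleGroup helper does not also update role.getBundleGroups(), these changes are silently dropped at flush time — please confirm against the entity mapping, or have these two methods update the role side the way addBundleGroupsToRole does. The lookup messages also alternate between `BundleGroup[` and `bundleGroup[` across the two methods; one spelling would make log grepping easier.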
+ @Override public Role getRole(Subject subject, int roleId) { return entityManager.find(Role.class, roleId); }
+ @Override + @RequiredPermission(Permission.MANAGE_SECURITY) + public void addRolesToBundleGroup(Subject subject, int bundleGroupId, int[] roleIds) { + if ((roleIds != null) && (roleIds.length > 0)) { + BundleGroup bundleGroup = entityManager.find(BundleGroup.class, bundleGroupId); + if (bundleGroup == null) { + throw new IllegalArgumentException("Could not find bundleGroup[" + bundleGroupId + + "] in order to add roles"); + } + bundleGroup.getRoles().size(); // load them in + + for (Integer roleId : roleIds) { + Role role = entityManager.find(Role.class, roleId); + if (role == null) { + throw new IllegalArgumentException("Tried to add role[" + roleId + "] to bundleGroup[" + + bundleGroupId + "], but role was not found"); + } + bundleGroup.addRole(role); + } + } + + return; + } + + @Override @RequiredPermission(Permission.MANAGE_SECURITY) public void addRolesToResourceGroup(Subject subject, int groupId, int[] roleIds) { if ((roleIds != null) && (roleIds.length > 0)) { @@ -777,6 +923,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote { return; }
+ @Override @SuppressWarnings("unchecked") public PageList<Role> findRolesByCriteria(Subject subject, RoleCriteria criteria) {
@@ -788,7 +935,7 @@ public class RoleManagerBean implements RoleManagerLocal, RoleManagerRemote {
CriteriaQueryGenerator generator = new CriteriaQueryGenerator(subject, criteria); CriteriaQueryRunner<Role> queryRunner = new CriteriaQueryRunner<Role>(criteria, generator, entityManager); - @SuppressWarnings({ "UnnecessaryLocalVariable" }) + PageList<Role> roles = queryRunner.execute();
return roles; diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerLocal.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerLocal.java index 5c2e1cb..d099f7c 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerLocal.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerLocal.java @@ -25,7 +25,6 @@ import javax.ejb.Local; import org.rhq.core.domain.auth.Subject; import org.rhq.core.domain.authz.Permission; import org.rhq.core.domain.authz.Role; -import org.rhq.core.domain.criteria.RoleCriteria; import org.rhq.core.domain.util.PageControl; import org.rhq.core.domain.util.PageList;
@@ -36,7 +35,7 @@ import org.rhq.core.domain.util.PageList; * @author John Mazzitelli */ @Local -public interface RoleManagerLocal { +public interface RoleManagerLocal extends RoleManagerRemote { /** * This returns a page list of all the roles that a subject is authorized to access. * @@ -57,26 +56,6 @@ public interface RoleManagerLocal { PageList<Role> findRoles(PageControl pc);
/** - * Persists the new role to the database. The subjects assigned to the role are ignored - this only creates the role - * entity with 0 subjects initially assigned to it. - * - * @param subject the user attempting to create the role - * @param newRole the new role to persist - * - * @return the persisted role with the primary key populated - */ - Role createRole(Subject subject, Role newRole); - - /** - * Removes a set of roles from the database. The subjects assigned to the roles are no longer authorized with the - * deleted roles. Groups attached to the deleted roles are left alone. - * - * @param subject the user attempting to delete the role - * @param doomedRoleIds the IDs of the roles to delete - */ - void deleteRoles(Subject subject, int[] doomedRoleIds); - - /** * Sets the permissions for the specified role. Any currently existing role permissions are overwritten - that is, * <code>permissions</code> will be the complete set of permissions the role will now be authorized with. * @@ -96,16 +75,6 @@ public interface RoleManagerLocal { Set<Permission> getPermissions(Integer roleId);
/** - * Updates the given role, excluding the subjects and groups. This updates permissions, name, description, etc. - * - * @param subject user asking to update the role - * @param role - * - * @return the updated role - */ - Role updateRole(Subject subject, Role role); - - /** * Given a set of role Ids, this returns a list of all the roles. * * @param roleIds @@ -140,12 +109,6 @@ public interface RoleManagerLocal { PageList<Role> findAvailableRolesForSubject(Subject subject, Integer subjectId, Integer[] pendingRoleIds, PageControl pc);
- // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - // - // The following are shared with the Remote Interface - // - // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - /** * Returns the role with the given ID * @@ -157,64 +120,5 @@ public interface RoleManagerLocal { // Use getRole instead Role getRoleById(Integer roleId);
- Role getRole(Subject subject, int roleId); - - PageList<Role> findSubjectAssignedRoles(Subject subject, int subjectId, PageControl pc); - - //This is a proxy of getAvailableRolesForSubject but without pendingRoleIds as required by remote spec - PageList<Role> findSubjectUnassignedRoles(Subject subject, int subjectId, PageControl pc); - - /** - * Assigns a set of roles to a subject which authorizes the subject to do anything the roles permit. - * - * @param subject the user attempting to assign the roles to the subject - * @param subjectId the subject who is to be authorized with the given roles - * @param roleIds the roles to assign - */ - void addRolesToSubject(Subject subject, int subjectId, int[] roleIds); - - /** - * Disassociates particular roles from a subject. Once complete, the subject will no longer be authorized with the - * given roles. - * - * @param subject the user that is attempting to perform the remove - * @param subjectId the user that is to have the roles unassigned from it - * @param roleIds list of role IDs that are to be removed from user - */ - void removeRolesFromSubject(Subject subject, int subjectId, int[] roleIds); - - void setAssignedSubjectRoles(Subject subject, int subjectId, int[] roleIds); - - void addSubjectsToRole(Subject subject, int roleId, int[] subjectIds); - - void removeSubjectsFromRole(Subject subject, int roleId, int[] subjectIds); - void setAssignedSubjects(Subject sessionSubject, int roleId, int[] subjectIds); - - /** - * Adds the given resource groups to the given role. - * - * @param subject user attempting to add the groups to the role - * @param roleId - * @param pendingGroupIds - */ - void addResourceGroupsToRole(Subject subject, int roleId, int[] pendingGroupIds); - - void addRolesToResourceGroup(Subject subject, int groupId, int[] roleIds); - - void setAssignedResourceGroups(Subject subject, int roleId, int[] groupIds); - - /** - * Removes the given resource groups from the given role. 
- * - * @param subject user attempting to remove the groups from the role - * @param roleId - * @param groupIds - */ - void removeResourceGroupsFromRole(Subject subject, int roleId, int[] groupIds); - - void removeRolesFromResourceGroup(Subject subject, int groupId, int[] roleIds); - - PageList<Role> findRolesByCriteria(Subject subject, RoleCriteria criteria); - } \ No newline at end of file diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerRemote.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerRemote.java index 0586998..83194da 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerRemote.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerRemote.java @@ -130,6 +130,15 @@ public interface RoleManagerRemote { void setAssignedSubjectRoles(Subject subject, int subjectId, int[] roleIds);
/** + * Adds the given bundle groups to the given role. + * + * @param subject The logged in user's subject. + * @param roleId + * @param bundleGroupIds + */ + void addBundleGroupsToRole(Subject subject, int roleId, int[] bundleGroupIds); + + /** * Adds the given resource groups to the given role. * * @param subject The logged in user's subject. @@ -138,11 +147,24 @@ public interface RoleManagerRemote { */ void addResourceGroupsToRole(Subject subject, int roleId, int[] pendingGroupIds);
+ void addRolesToBundleGroup(Subject subject, int bundleGroupId, int[] roleIds); + void addRolesToResourceGroup(Subject subject, int groupId, int[] roleIds);
+ void setAssignedBundleGroups(Subject subject, int roleId, int[] bundleGroupIds); + void setAssignedResourceGroups(Subject subject, int roleId, int[] groupIds);
/** + * Removes the given bundle groups from the given role. + * + * @param subject user attempting to remove the groups from the role + * @param roleId + * @param bundleGroupIds + */ + void removeBundleGroupsFromRole(Subject subject, int roleId, int[] bundleGroupIds); + + /** * Removes the given resource groups from the given role. * * @param subject user attempting to remove the groups from the role @@ -151,6 +173,8 @@ public interface RoleManagerRemote { */ void removeResourceGroupsFromRole(Subject subject, int roleId, int[] groupIds);
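Review bot: addRolesToBundleGroup and setAssignedBundleGroups are added to the remote interface with no Javadoc, and removeRolesFromBundleGroup in the next hunk has none either, although this interface is the externally exposed API. Each should state its contract and the authorization the bean enforces, e.g. for setAssignedBundleGroups: `/** Replaces the bundle groups assigned to the role with exactly the given set. Requires Permission.MANAGE_SECURITY (enforced by RoleManagerBean). @param subject the logged in user's subject @param roleId the role to update @param bundleGroupIds the complete set of bundle group ids to assign */`. The Javadoc added for addBundleGroupsToRole (previous hunk) and removeBundleGroupsFromRole leaves `@param roleId` and `@param bundleGroupIds` empty; a phrase each would make the generated docs useful.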
+ void removeRolesFromBundleGroup(Subject subject, int bundleGroupId, int[] roleIds); + void removeRolesFromResourceGroup(Subject subject, int groupId, int[] roleIds);
PageList<Role> findRolesByCriteria(Subject subject, RoleCriteria criteria); diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java index a9882c4..bc85e6d 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java @@ -66,6 +66,7 @@ import org.rhq.core.clientapi.agent.bundle.BundleScheduleResponse; import org.rhq.core.clientapi.agent.configuration.ConfigurationUtility; import org.rhq.core.domain.auth.Subject; import org.rhq.core.domain.authz.Permission; +import org.rhq.core.domain.authz.Role; import org.rhq.core.domain.bundle.Bundle; import org.rhq.core.domain.bundle.BundleDeployment; import org.rhq.core.domain.bundle.BundleDeploymentStatus; @@ -233,6 +234,8 @@ public class BundleManagerBean implements BundleManagerLocal, BundleManagerRemot } }
+ checkCreateInitialBundleVersionAuthz(subject, bundleGroupId); + // create and add the required Repo. the Repo is a detached object which helps in its eventual removal. Repo repo = new Repo(name); repo.setCandidate(false); @@ -761,7 +764,6 @@ public class BundleManagerBean implements BundleManagerLocal, BundleManagerRemot }
if (isInitialVersion) { - checkCreateInitialBundleVersionAuthz(subject, initialBundleGroupId); bundle = bundleManager.createBundle(subject, bundleName, bundleDescription, bundleType.getId(), initialBundleGroupId); createdBundle = true; @@ -1619,7 +1621,7 @@ public class BundleManagerBean implements BundleManagerLocal, BundleManagerRemot
// filter by bundles that are viewable if (!authorizationManager.hasGlobalPermission(subject, Permission.VIEW_BUNDLES)) { - generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE, null, + generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE, subject.getId()); }
@@ -1660,7 +1662,7 @@ public class BundleManagerBean implements BundleManagerLocal, BundleManagerRemot CriteriaQueryGenerator generator = new CriteriaQueryGenerator(subject, criteria);
if (!authorizationManager.hasGlobalPermission(subject, Permission.VIEW_BUNDLES)) { - generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE, null, + generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE, subject.getId()); }
@@ -1720,7 +1722,7 @@ public class BundleManagerBean implements BundleManagerLocal, BundleManagerRemot
// filter by bundles that are viewable if (!authorizationManager.hasGlobalPermission(subject, Permission.VIEW_BUNDLES)) { - generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE, null, + generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE, subject.getId()); }
@@ -1735,8 +1737,8 @@ public class BundleManagerBean implements BundleManagerLocal, BundleManagerRemot CriteriaQueryGenerator generator = new CriteriaQueryGenerator(subject, criteria);
if (!authorizationManager.hasGlobalPermission(subject, Permission.VIEW_BUNDLES)) { - generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE, null, - subject.getId()); + generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE, + subject.getId(), null); }
CriteriaQueryRunner<Bundle> queryRunner = new CriteriaQueryRunner<Bundle>(criteria, generator, entityManager); @@ -1781,7 +1783,7 @@ public class BundleManagerBean implements BundleManagerLocal, BundleManagerRemot generator.alterProjection(replacementSelectList);
if (!authorizationManager.hasGlobalPermission(subject, Permission.VIEW_BUNDLES)) { - generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE, null, + generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE, subject.getId()); }
@@ -1990,7 +1992,7 @@ public class BundleManagerBean implements BundleManagerLocal, BundleManagerRemot public void deleteBundleGroups(Subject subject, int[] bundleGroupIds) throws Exception {
for (int bundleGroupId : bundleGroupIds) { - BundleGroup bundleGroup = this.entityManager.find(BundleGroup.class, bundleGroupIds); + BundleGroup bundleGroup = this.entityManager.find(BundleGroup.class, bundleGroupId); if (null == bundleGroup) { return; } @@ -1999,6 +2001,12 @@ public class BundleManagerBean implements BundleManagerLocal, BundleManagerRemot for (Bundle b : bundleGroup.getBundles()) { bundleGroup.removeBundle(b); } + + // remove from any roles + for (Role r : bundleGroup.getRoles()) { + bundleGroup.removeRole(r); + } + bundleGroup = entityManager.merge(bundleGroup);
// now remove the bundle group @@ -2012,8 +2020,8 @@ public class BundleManagerBean implements BundleManagerLocal, BundleManagerRemot
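Review bot: The new loop in deleteBundleGroups iterates `bundleGroup.getRoles()` while calling `bundleGroup.removeRole(r)` on the same group; if removeRole removes from the collection being iterated, this throws ConcurrentModificationException after the first element, which is exactly why the deleteRoles hunk earlier in this commit copies the set first ("avoid concurrent mod exception"). Apply the same pattern here (with the matching import): `for (Role r : new HashSet<Role>(bundleGroup.getRoles())) { bundleGroup.removeRole(r); }` — the existing getBundles loop just above has the same shape and would benefit from the same treatment. Whether removeRole also clears the role side of the association is not visible in this hunk; if Role is the owning side, the merge below would not persist the unlink and the role would keep a reference to a deleted group.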
// filter by bundle groups that are viewable if (!authorizationManager.hasGlobalPermission(subject, Permission.MANAGE_BUNDLE_GROUPS)) { - generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE_GROUP, - null, subject.getId()); + generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE_GROUP, + subject.getId(), null); }
CriteriaQueryRunner<BundleGroup> queryRunner = new CriteriaQueryRunner<BundleGroup>(criteria, generator, diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerLocal.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerLocal.java index 01ca620..f96d356 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerLocal.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerLocal.java @@ -68,9 +68,12 @@ public interface BundleManagerLocal extends BundleManagerRemote {
/** * Internal use only, and test entry point. - * </p> - * This method performs NO AUTHZ! - * </p> + * <pre> + * Required Permissions (same as createInitialBundleVersionXxx): Either: + * - Global.CREATE_BUNDLES and Global.VIEW_BUNDLES + * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG + * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG + * </pre> * @param subject user that must have proper permissions * @param name not null or empty * @param description optional long description of the bundle @@ -87,9 +90,12 @@ public interface BundleManagerLocal extends BundleManagerRemote { * Convenience method that combines {@link #createBundle(Subject, String, int)} and {@link #createBundleVersion(Subject, int, String, String, String)}. * This will first check to see if a bundle with the given type/name exists - if it doesn't, it will be created. If it does, it will be reused. * This will then create the bundle version that will be associated with the bundle that was created or found. - * </p> - * This method performs NO AUTHZ! - * </p> + * <pre> + * Required Permissions (same as createInitialBundleVersionXxx): Either: + * - Global.CREATE_BUNDLES and Global.VIEW_BUNDLES + * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG + * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG + * </pre> * @param subject user that must have proper permissions * @param bundleName name of the bundle to use (if not found, it will be created) * @param bundleDescription optional long description of the bundle diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java index 0a1060d..3692b78 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java 
+++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java @@ -124,10 +124,9 @@ public final class CriteriaQueryGenerator { } else if (type == AuthorizationTokenType.GROUP) { defaultFragment = "group"; setAuthorizationResourceFragment(type, defaultFragment, subjectId); - } else if (type == AuthorizationTokenType.BUNDLE) { - setAuthorizationBundleFragment(subjectId); - } else if (type == AuthorizationTokenType.BUNDLE_GROUP) { - setAuthorizationBundleGroupFragment(subjectId); + } else { + throw new IllegalArgumentException(this.getClass().getSimpleName() + + " does not yet support generating resource queries for '" + type + "' token types"); } }
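Review bot: setAuthorizationResourceFragment(type, subjectId) now throws IllegalArgumentException for BUNDLE and BUNDLE_GROUP instead of delegating, which turns any caller outside this commit that still passes those token types into a runtime failure on the query path rather than a compile error. The callers visible in this diff (BundleManagerBean) were all moved to setAuthorizationBundleFragment, but the change deserves a search for other users of the two token types. A short Javadoc on the method stating which token types it accepts would prevent the next regression, e.g. `/** Resource-rooted authz fragment for RESOURCE/GROUP tokens; BUNDLE and BUNDLE_GROUP must use setAuthorizationBundleFragment. */`.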
@@ -237,10 +236,31 @@ public final class CriteriaQueryGenerator { return customAuthzFragment; }
- public void setAuthorizationBundleFragment(int subjectId) { + public void setAuthorizationBundleFragment(AuthorizationTokenType type, int subjectId) { + if (type == AuthorizationTokenType.BUNDLE) { + setAuthorizationBundleFragment(type, subjectId, "bundle"); + } else if (type == AuthorizationTokenType.BUNDLE_GROUP) { + setAuthorizationBundleFragment(type, subjectId, "bundleGroup"); + } else { + throw new IllegalArgumentException(this.getClass().getSimpleName() + + " does not yet support generating bundle queries for '" + type + "' token types"); + } + } + + public void setAuthorizationBundleFragment(AuthorizationTokenType type, int subjectId, String fragment) { + if (type == AuthorizationTokenType.BUNDLE) { + setAuthorizationBundleFragment(subjectId, fragment); + } else if (type == AuthorizationTokenType.BUNDLE_GROUP) { + setAuthorizationBundleGroupFragment(subjectId, fragment); + } else { + throw new IllegalArgumentException(this.getClass().getSimpleName() + + " does not yet support generating bundle queries for '" + type + "' token types"); + } + } + + private void setAuthorizationBundleFragment(int subjectId, String fragment) { this.authorizationSubjectId = subjectId;
- String fragment = "bundle"; String customAuthzFragment = "" // + "( %aliasWithFragment%.id IN ( SELECT %innerAlias%.id " + NL // + " FROM %alias% innerAlias " + NL // @@ -271,8 +291,9 @@ public final class CriteriaQueryGenerator { } }
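Review bot: The new public overload setAuthorizationBundleFragment(type, subjectId, fragment) performs no null check on fragment, yet two callers in BundleManagerBean (the hunks at +1737 and +2020) pass `null` explicitly while the two-arg overload hard-codes "bundle"/"bundleGroup". The private methods keep using `fragment` beyond this hunk, so whether null means "alias with no fragment" or ends up as the literal text "null" in the generated query cannot be confirmed here; either document the null contract on the public overload or route nulls to the defaults: `if (fragment == null) { setAuthorizationBundleFragment(type, subjectId); return; }`. Since fragment appears to be spliced into the JPQL authorization text, it must remain a constant chosen by the calling SLSB and never a value derived from the criteria or request; a one-line Javadoc saying so would protect future callers.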
- public void setAuthorizationBundleGroupFragment(int subjectId) { - String fragment = "bundleGroup"; + private void setAuthorizationBundleGroupFragment(int subjectId, String fragment) { + this.authorizationSubjectId = subjectId; + String customAuthzFragment = "" // + "( %aliasWithFragment%.id IN ( SELECT %innerAlias%.id " + NL // + " FROM %alias% innerAlias " + NL //