modules/core/dbutils/pom.xml
| 9
modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleCriteria.java
| 17
modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleGroupCriteria.java
| 21
modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/bundle/BundleManagerBeanTest.java
| 292 +++++++++-
modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/util/SessionTestHelper.java
| 13
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerBean.java
| 149 +++++
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerLocal.java
| 98 ---
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerRemote.java
| 24
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
| 28
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerLocal.java
| 18
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java
| 37 -
11 files changed, 538 insertions(+), 168 deletions(-)
New commits:
commit 4d624b061398b84782c970bf5da587ea81ef0f7d
Author: Jay Shaughnessy <jshaughn(a)redhat.com>
Date: Fri Aug 2 15:25:52 2013 -0400
First authz test passing
- fixed testing approach to use all slsbs and proper non-super-subject
- fixed criteria bundle/bundleGroup auth token issues
- fixed criteria filter override issues
- fixed various bugs and added more supporting slsb methods
- added some authz to bundle manager local methods where it seemed needed/useful
- cleaned up RoleManagerLocal to extend the remote
diff --git a/modules/core/dbutils/pom.xml b/modules/core/dbutils/pom.xml
index d7e2d65..360fdbc 100644
--- a/modules/core/dbutils/pom.xml
+++ b/modules/core/dbutils/pom.xml
@@ -17,7 +17,7 @@
<description>Database schema setup, upgrade and other
utilities</description>
<properties>
- <db.schema.version>2.134</db.schema.version>
+ <db.schema.version>2.135</db.schema.version>
<rhq.ds.type-mapping>${rhq.test.ds.type-mapping}</rhq.ds.type-mapping>
<rhq.ds.server-name>${rhq.test.ds.server-name}</rhq.ds.server-name>
<rhq.ds.db-name>${rhq.test.ds.db-name}</rhq.ds.db-name>
@@ -276,7 +276,7 @@
<script language="groovy">
import org.rhq.cassandra.schema.SchemaManager
- if
(project.getProperty('dbsetup-upgrade') || project.getProperty('dbreset'))
{
+ if
(project.getProperty('dbsetup-upgrade') || project.getProperty('dbsetup'))
{
if
(project.getProperty('storage-schema')) {
if (project.getProperty('db') ==
'dev') {
self.log('PERFORMING STORAGE NODE
SETUP TO LATEST SCHEMA')
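Review bot: The condition now runs the storage-schema block for `dbsetup` instead of `dbreset`, and with the `dbreset` drop branch removed in the next hunk a reset no longer touches the storage-node schema at all, while a plain setup calls `schemaManager.install()` against whatever keyspace already exists. If `install()` is not idempotent on an existing schema this will fail on reruns; if the intent is that resets skip Cassandra, a one-line comment above the `if` stating that would save the next reader from re-deriving it. This is inferred from the two hunks only; the rest of the script is outside the diff.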
@@ -286,11 +286,6 @@
schemaManager = new
SchemaManager(username, password, seeds)
- if
(project.getProperty('dbreset') == 'true') {
- self.log('Dropping schema')
- schemaManager.drop()
- }
-
self.log('Install schema')
schemaManager.install()
} else {
diff --git
a/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleCriteria.java
b/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleCriteria.java
index 32f2f9d..2e34174 100644
--- a/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleCriteria.java
+++ b/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleCriteria.java
@@ -26,6 +26,7 @@ import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
import org.rhq.core.domain.bundle.Bundle;
+import org.rhq.core.domain.util.CriteriaUtils;
import org.rhq.core.domain.util.PageOrdering;
/**
@@ -64,8 +65,9 @@ public class BundleCriteria extends TaggedCriteria {
filterOverrides.put("bundleTypeId", "bundleType.id = ?");
filterOverrides.put("bundleTypeName", "bundleType.name like
?");
filterOverrides.put("bundleGroupIds", "" //
- + "id IN ( SELECT bg.bundle.id " //
- + " FROM BundleGroup bg " //
+ + "id IN ( SELECT innerbundle.id " //
+ + " FROM Bundle innerbundle " //
+ + " JOIN innerbundle.bundleGroups bg"
+ " WHERE bg.id IN ( ? ) )");
filterOverrides.put("destinationIds", "" //
+ "id IN ( SELECT bd.bundle.id " //
@@ -103,15 +105,8 @@ public class BundleCriteria extends TaggedCriteria {
this.filterDescription = filterDescription;
}
- /** Convenience routine calls addFilterBundleGroupIds */
- public void addFilterBundleGroupId(Integer filterBundleGroupId) {
- List<Integer> ids = new ArrayList<Integer>(1);
- ids.add(filterBundleGroupId);
- this.addFilterBundleGroupIds(ids);
- }
-
- public void addFilterBundleGroupIds(List<Integer> filterBundleGroupIds) {
- this.filterBundleGroupIds = filterBundleGroupIds;
+ public void addFilterBundleGroupIds(Integer... filterBundleGroupIds) {
+ this.filterBundleGroupIds =
CriteriaUtils.getListIgnoringNulls(filterBundleGroupIds);
}
/** Convenience routine calls addFilterDestinationIds */
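Review bot: Replacing `addFilterBundleGroupIds(List<Integer>)` with an `Integer...` overload and dropping `addFilterBundleGroupId(Integer)` is a source-incompatible change to a public criteria class; any caller passing a `List<Integer>` (including remote/CLI users, if these criteria are exposed there) stops compiling, and the same applies to `addFilterBundleIds` in the BundleGroupCriteria hunk. If compatibility matters, keep a delegating overload next to the varargs form, `public void addFilterBundleGroupIds(List<Integer> ids) { this.filterBundleGroupIds = ids; }`. The new method also has no Javadoc; `/** Restrict results to bundles assigned to any of the given bundle groups. */` would document the `bg.id IN ( ? )` semantics the override above encodes.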
diff --git
a/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleGroupCriteria.java
b/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleGroupCriteria.java
index 88886d7..69ceea4 100644
---
a/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleGroupCriteria.java
+++
b/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/BundleGroupCriteria.java
@@ -18,7 +18,6 @@
*/
package org.rhq.core.domain.criteria;
-import java.util.ArrayList;
import java.util.List;
import javax.xml.bind.annotation.XmlAccessType;
@@ -26,6 +25,7 @@ import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
import org.rhq.core.domain.bundle.BundleGroup;
+import org.rhq.core.domain.util.CriteriaUtils;
import org.rhq.core.domain.util.PageOrdering;
/**
@@ -39,9 +39,7 @@ public class BundleGroupCriteria extends Criteria {
private String filterName;
private String filterDescription;
- private Integer filterBundleId;
private List<Integer> filterBundleIds; // requires overrides
- private Integer filterRoleId;
private List<Integer> filterRoleIds; // requires overrides
private boolean fetchBundles;
@@ -52,12 +50,14 @@ public class BundleGroupCriteria extends Criteria {
public BundleGroupCriteria() {
filterOverrides.put("bundleIds", "" //
- + "id IN ( SELECT b.id " //
+ + "id IN ( SELECT bg.id " //
+ " FROM Bundle b " //
+ + " JOIN b.bundleGroups bg"
+ " WHERE b.id IN ( ? ) )");
filterOverrides.put("roleIds", "" //
- + "id IN ( SELECT r.id " //
+ + "id IN ( SELECT bg.id " //
+ " FROM Role r " //
+ + " JOIN r.bundleGroups bg"
+ " WHERE r.id IN ( ? ) )");
}
@@ -74,15 +74,12 @@ public class BundleGroupCriteria extends Criteria {
this.filterDescription = filterDescription;
}
- /** Convenience routine calls addFilterBundleVersionIds */
- public void addFilterBundleId(Integer filterBundleId) {
- List<Integer> ids = new ArrayList<Integer>(1);
- ids.add(filterBundleId);
- this.addFilterBundleIds(ids);
+ public void addFilterBundleIds(Integer... filterBundleIds) {
+ this.filterBundleIds = CriteriaUtils.getListIgnoringNulls(filterBundleIds);
}
- public void addFilterBundleIds(List<Integer> filterBundleIds) {
- this.filterBundleIds = filterBundleIds;
+ public void addFilterRoleIds(Integer... filterRoleIds) {
+ this.filterRoleIds = CriteriaUtils.getListIgnoringNulls(filterRoleIds);
}
public void fetchBundles(boolean fetchBundles) {
diff --git
a/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/bundle/BundleManagerBeanTest.java
b/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/bundle/BundleManagerBeanTest.java
index c4d9a79..117d2df 100644
---
a/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/bundle/BundleManagerBeanTest.java
+++
b/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/bundle/BundleManagerBeanTest.java
@@ -39,11 +39,14 @@ import org.hibernate.LazyInitializationException;
import org.testng.annotations.Test;
import org.rhq.core.domain.auth.Subject;
+import org.rhq.core.domain.authz.Permission;
+import org.rhq.core.domain.authz.Role;
import org.rhq.core.domain.bundle.Bundle;
import org.rhq.core.domain.bundle.BundleDeployment;
import org.rhq.core.domain.bundle.BundleDeploymentStatus;
import org.rhq.core.domain.bundle.BundleDestination;
import org.rhq.core.domain.bundle.BundleFile;
+import org.rhq.core.domain.bundle.BundleGroup;
import org.rhq.core.domain.bundle.BundleResourceDeployment;
import org.rhq.core.domain.bundle.BundleResourceDeploymentHistory;
import org.rhq.core.domain.bundle.BundleType;
@@ -65,8 +68,11 @@ import org.rhq.core.domain.content.Repo;
import org.rhq.core.domain.criteria.BundleCriteria;
import org.rhq.core.domain.criteria.BundleDeploymentCriteria;
import org.rhq.core.domain.criteria.BundleFileCriteria;
+import org.rhq.core.domain.criteria.BundleGroupCriteria;
import org.rhq.core.domain.criteria.BundleResourceDeploymentCriteria;
import org.rhq.core.domain.criteria.BundleVersionCriteria;
+import org.rhq.core.domain.criteria.RoleCriteria;
+import org.rhq.core.domain.criteria.SubjectCriteria;
import org.rhq.core.domain.resource.Agent;
import org.rhq.core.domain.resource.InventoryStatus;
import org.rhq.core.domain.resource.Resource;
@@ -78,6 +84,7 @@ import org.rhq.core.domain.util.PageOrdering;
import org.rhq.core.util.file.FileUtil;
import org.rhq.core.util.stream.StreamUtil;
import org.rhq.core.util.updater.DeploymentProperties;
+import org.rhq.enterprise.server.authz.PermissionException;
import org.rhq.enterprise.server.plugin.pc.MasterServerPluginContainer;
import org.rhq.enterprise.server.resource.ResourceManagerLocal;
import org.rhq.enterprise.server.test.AbstractEJB3Test;
@@ -98,10 +105,13 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
private static final boolean TESTS_ENABLED = true;
- private static final String TEST_PREFIX = "bundletest";
+ private static final String TEST_PREFIX =
BundleManagerBeanTest.class.getSimpleName();
private static final String TEST_BUNDLE_DESTBASEDIR_PROP = TEST_PREFIX +
".destBaseDirProp";
private static final String TEST_BUNDLE_DESTBASEDIR_PROP_VALUE = TEST_PREFIX +
"/destBaseDir";
+ private static final String TEST_BUNDLE_GROUP_NAME = TEST_PREFIX +
".bundleGroup";
private static final String TEST_DESTBASEDIR_NAME = TEST_PREFIX +
".destBaseDirName";
+ private static final String TEST_ROLE_NAME = TEST_PREFIX + ".role";
+ private static final String TEST_USER_NAME = TEST_PREFIX + ".user";
private BundleManagerLocal bundleManager;
private ResourceManagerLocal resourceManager;
@@ -143,6 +153,21 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
private void cleanupDatabase() {
try {
+ RoleCriteria roleCriteria = new RoleCriteria();
+ roleCriteria.addFilterName(TEST_ROLE_NAME);
+ List<Role> testRoles =
LookupUtil.getRoleManager().findRolesByCriteria(overlord, roleCriteria);
+ for (Role testRole : testRoles) {
+ LookupUtil.getRoleManager().deleteRoles(overlord, new int[] {
testRole.getId() });
+ }
+
+ SubjectCriteria subjectCriteria = new SubjectCriteria();
+ subjectCriteria.addFilterName(TEST_USER_NAME);
+ List<Subject> testSubjects =
LookupUtil.getSubjectManager().findSubjectsByCriteria(overlord,
+ subjectCriteria);
+ for (Subject testSubject : testSubjects) {
+ LookupUtil.getSubjectManager().deleteSubjects(overlord, new int[] {
testSubject.getId() });
+ }
+
getTransactionManager().begin();
Query q;
@@ -232,6 +257,13 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
em.remove(em.getReference(Repo.class, ((Repo) removeMe).getId()));
}
+ // remove bundle groups no longer referenced by bundles
+ q = em.createQuery("SELECT bg FROM BundleGroup bg WHERE bg.name LIKE
'" + TEST_PREFIX + "%'");
+ doomed = q.getResultList();
+ for (Object removeMe : doomed) {
+ em.remove(em.getReference(BundleGroup.class, ((BundleGroup)
removeMe).getId()));
+ }
+
// remove Resource Groups left over from test deployments freeing up test
resources
q = em.createQuery("SELECT rg FROM ResourceGroup rg WHERE rg.name LIKE
'" + TEST_PREFIX + "%'");
doomed = q.getResultList();
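Review bot: The comment `// remove bundle groups no longer referenced by bundles` does not match the query under it, which deletes every `BundleGroup` whose name starts with `TEST_PREFIX` regardless of references. If a test bundle still points at one of these groups when this runs, `em.remove` will presumably fail on the bundle/bundle-group join rows, so this block silently depends on the bundle cleanup earlier in `cleanupDatabase` (outside the hunk). Suggest `// remove test bundle groups; test bundles (and their join rows) must already be gone at this point` so the ordering constraint is explicit.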
@@ -755,7 +787,7 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
public void testAddBundleFilesToDifferentBundles() throws Exception {
// create a bundle type to use for both bundles.
BundleType bt = createBundleType("one");
- Bundle b1 = createBundle("one", bt);
+ Bundle b1 = createBundle(overlord, "one", bt, 0);
assertNotNull(b1);
BundleVersion bv1 = createBundleVersion(b1.getName(), "1.0", b1);
assertNotNull(bv1);
@@ -763,7 +795,7 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
null, "Bundle #1 File # 1".getBytes());
// create a second bundle but create file of the same name as above
- Bundle b2 = createBundle("two", bt);
+ Bundle b2 = createBundle(overlord, "two", bt, 0);
assertNotNull(b2);
BundleVersion bv2 = createBundleVersion(b2.getName(), "1.0", b2);
assertNotNull(bv2);
@@ -860,9 +892,10 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
int size = brd.getBundleResourceDeploymentHistories().size();
assertTrue(size > 0);
String auditMessage = "BundleTest-Message";
- bundleManager.addBundleResourceDeploymentHistoryInNewTrans(overlord, brd.getId(),
new BundleResourceDeploymentHistory(
- overlord.getName(), auditMessage, auditMessage,
BundleResourceDeploymentHistory.Category.DEPLOY_STEP,
- BundleResourceDeploymentHistory.Status.SUCCESS, auditMessage,
auditMessage));
+ bundleManager.addBundleResourceDeploymentHistoryInNewTrans(overlord,
brd.getId(),
+ new BundleResourceDeploymentHistory(overlord.getName(), auditMessage,
auditMessage,
+ BundleResourceDeploymentHistory.Category.DEPLOY_STEP,
BundleResourceDeploymentHistory.Status.SUCCESS,
+ auditMessage, auditMessage));
brds = bundleManager.findBundleResourceDeploymentsByCriteria(overlord, c);
assertEquals(1, brds.size());
@@ -1284,31 +1317,253 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
assertEquals(1, bundles.size());
}
- @Test(enabled = false)
- public void testNoAuthz() throws Exception {
- // create
+ @Test(enabled = TESTS_ENABLED)
+ public void authzBundleGroupTest() throws Exception {
+ Subject subject = null;
+ Role role = null;
+
+ subject = createNewSubject(TEST_USER_NAME);
+ role = createNewRoleForSubject(subject, TEST_ROLE_NAME);
+
+ subject = createSession(subject); // start a session so we can use this subject
in SLSB calls
+
+ // deny bundle group create
+ try {
+ bundleManager.createBundleGroup(subject, TEST_BUNDLE_GROUP_NAME,
"test");
+ fail("Should have thrown PermissionException");
+ } catch (PermissionException e) {
+ // expected
+ }
+
+ // allow bundle group create
+ addRolePermissions(role, Permission.MANAGE_BUNDLE_GROUPS);
+ BundleGroup bundleGroup = bundleManager.createBundleGroup(subject,
TEST_BUNDLE_GROUP_NAME, "test");
+
+ // deny bundle group delete
+ removeRolePermissions(role, Permission.MANAGE_BUNDLE_GROUPS);
+ try {
+ bundleManager.deleteBundleGroups(subject, new int[] { bundleGroup.getId()
});
+ fail("Should have thrown PermissionException");
+ } catch (PermissionException e) {
+ // expected
+ }
+
+ // deny global perm bundleGroup view
+ BundleGroupCriteria bgCriteria = new BundleGroupCriteria();
+ List<BundleGroup> bundleGroups =
bundleManager.findBundleGroupsByCriteria(subject, bgCriteria);
+ assertNotNull(bundleGroups);
+ assert bundleGroups.isEmpty() : "Should not be able to see unassociated
bundle group";
+
+ // allow global perm bundleGroup view
+ addRolePermissions(role, Permission.MANAGE_BUNDLE_GROUPS);
+ bundleGroups = bundleManager.findBundleGroupsByCriteria(subject, bgCriteria);
+ assertNotNull(bundleGroups);
+ assertEquals("Should be able to see unassociated bundle group", 1,
bundleGroups.size());
+
+ // allow bundle group delete
+ bundleManager.deleteBundleGroups(subject, new int[] { bundleGroup.getId() });
+
+ // deny unassigned bundle create (no global create or view)
+ try {
+ createBundle(subject, TEST_PREFIX + ".bundle");
+ fail("Should have thrown PermissionException");
+ } catch (PermissionException e) {
+ // expected
+ }
+
+ // deny unassigned bundle create (no global view)
+ addRolePermissions(role, Permission.CREATE_BUNDLES);
+ try {
+ createBundle(subject, TEST_PREFIX + ".bundle");
+ fail("Should have thrown PermissionException");
+ } catch (PermissionException e) {
+ // expected
+ }
+
+ // deny unassigned bundle create (no global create)
+ removeRolePermissions(role, Permission.CREATE_BUNDLES);
+ addRolePermissions(role, Permission.VIEW_BUNDLES);
+ try {
+ createBundle(subject, TEST_PREFIX + ".bundle");
+ fail("Should have thrown PermissionException");
+ } catch (PermissionException e) {
+ // expected
+ }
+
+ // allow unassigned bundle create
+ addRolePermissions(role, Permission.CREATE_BUNDLES);
+ Bundle bundle = createBundle(subject, TEST_PREFIX + ".bundle");
+
+ // deny unassigned bundle view
+ removeRolePermissions(role, Permission.CREATE_BUNDLES, Permission.VIEW_BUNDLES);
+ BundleCriteria bCriteria = new BundleCriteria();
+ List<Bundle> bundles = bundleManager.findBundlesByCriteria(subject,
bCriteria);
+ assertNotNull(bundles);
+ assert bundles.isEmpty() : "Should not be able to see unassigned
bundle";
+
+ // allow unassigned bundle view
+ addRolePermissions(role, Permission.VIEW_BUNDLES);
+ bundles = bundleManager.findBundlesByCriteria(subject, bCriteria);
+ assertNotNull(bundles);
+ assertEquals("Should be able to see unassigned bundle", 1,
bundles.size());
+
+ // deny global perm bundle assign
+ bundleGroup = bundleManager.createBundleGroup(subject, TEST_BUNDLE_GROUP_NAME,
"test");
+ try {
+ bundleManager.assignBundlesToBundleGroup(subject, bundleGroup.getId(), new
int[] { bundle.getId() });
+ fail("Should have thrown PermissionException");
+ } catch (PermissionException e) {
+ // expected
+ }
+
+ // allow global perm bundle assign
+ addRolePermissions(role, Permission.CREATE_BUNDLES);
+ bundleManager.assignBundlesToBundleGroup(subject, bundleGroup.getId(), new int[]
{ bundle.getId() });
+
+ // deny assigned, unassociated-bundle-group bundle view
+ removeRolePermissions(role, Permission.CREATE_BUNDLES, Permission.VIEW_BUNDLES);
+ bundles = bundleManager.findBundlesByCriteria(subject, bCriteria);
+ assertNotNull(bundles);
+ assert bundles.isEmpty() : "Should not be able to see assigned
bundle";
+
+ // allow assigned, associated-bundle-group bundle view
+ addRoleBundleGroup(role, bundleGroup);
+ bundles = bundleManager.findBundlesByCriteria(subject, bCriteria);
+ assertNotNull(bundles);
+ assertEquals("Should be able to see assigned bundle", 1,
bundles.size());
+
+ // check new bundle criteria options (no match)
+ bCriteria.addFilterBundleGroupIds(87678);
+ bCriteria.fetchBundleGroups(true);
+ bundles = bundleManager.findBundlesByCriteria(subject, bCriteria);
+ assertNotNull(bundles);
+ assert bundles.isEmpty() : "Should not have found anything";
+
+ // check new bundle criteria options (match)
+ bCriteria.addFilterBundleGroupIds(bundleGroup.getId());
+ bCriteria.fetchBundleGroups(true);
+ bundles = bundleManager.findBundlesByCriteria(subject, bCriteria);
+ assertNotNull(bundles);
+ assertEquals("Should be able to see assigned bundle", 1,
bundles.size());
+ assertNotNull(bundles.get(0).getBundleGroups());
+ assertEquals("Should have fetched bundlegroup", 1,
bundles.get(0).getBundleGroups().size());
+ assertEquals("Should have fetched expected bundlegroup", bundleGroup,
bundles.get(0).getBundleGroups()
+ .iterator().next());
+
+ // check new bundle group criteria options (no match)
+ bgCriteria.addFilterId(87678);
+ bgCriteria.addFilterBundleIds(87678);
+ bgCriteria.addFilterRoleIds(87678);
+ bgCriteria.fetchBundles(true);
+ bgCriteria.fetchRoles(true);
+ bundleGroups = bundleManager.findBundleGroupsByCriteria(subject, bgCriteria);
+ assertNotNull(bundleGroups);
+ assert bundleGroups.isEmpty() : "Should not have found anything";
+
+ // check new bundle group criteria options (no match)
+ bgCriteria.addFilterId(bundleGroup.getId());
+ bundleGroups = bundleManager.findBundleGroupsByCriteria(subject, bgCriteria);
+ assertNotNull(bundleGroups);
+ assert bundleGroups.isEmpty() : "Should not have found anything";
+
+ // check new bundle group criteria options (no match)
+ bgCriteria.addFilterBundleIds(bundle.getId());
+ bundleGroups = bundleManager.findBundleGroupsByCriteria(subject, bgCriteria);
+ assertNotNull(bundleGroups);
+ assert bundleGroups.isEmpty() : "Should not have found anything";
+
+ // check new bundle group criteria options (match)
+ bgCriteria.addFilterRoleIds(role.getId());
+ bundleGroups = bundleManager.findBundleGroupsByCriteria(subject, bgCriteria);
+ assertNotNull(bundleGroups);
+ assertEquals("Should be able to see assigned bundle", 1,
bundleGroups.size());
+ assertNotNull(bundleGroups.get(0).getBundles());
+ assertEquals("Should have fetched bundle in bundle group", 1,
bundleGroups.get(0).getBundles().size());
+ assertEquals("Should have fetched bundle in bundle group", bundle,
bundleGroups.get(0).getBundles()
+ .iterator().next());
+ assertNotNull(bundleGroups.get(0).getRoles());
+ assertEquals("Should have fetched role for bundle group", 1,
bundleGroups.get(0).getRoles().size());
+ assertEquals("Should have fetched role for bundle group", role,
bundleGroups.get(0).getRoles().iterator()
+ .next());
+ }
+
+ private Subject createNewSubject(String subjectName) throws Exception {
+
+ Subject newSubject = new Subject();
+ newSubject.setName(subjectName);
+ newSubject.setFactive(true);
+ newSubject.setFsystem(false);
+
+ return LookupUtil.getSubjectManager().createSubject(overlord, newSubject);
+ }
+
+ private Role createNewRoleForSubject(Subject subject, String roleName) throws
Exception {
+ Role newRole = new Role(roleName);
+ newRole.setFsystem(false);
+ newRole.addSubject(subject);
+ return LookupUtil.getRoleManager().createRole(overlord, newRole);
+ }
+
+ private void addRolePermissions(Role role, Permission... permissions) throws
Exception {
+
+ for (Permission p : permissions) {
+ role.getPermissions().add(p);
+ }
+ LookupUtil.getRoleManager().setPermissions(overlord, role.getId(),
role.getPermissions());
+ }
+
+ private void removeRolePermissions(Role role, Permission... permissions) throws
Exception {
+
+ for (Permission p : permissions) {
+ role.getPermissions().remove(p);
+ }
+ LookupUtil.getRoleManager().setPermissions(overlord, role.getId(),
role.getPermissions());
+ }
+
+ private void addRoleBundleGroup(Role role, BundleGroup bundleGroup) throws Exception
{
+
+ int[] ids = new int[1];
+ ids[0] = bundleGroup.getId();
+ LookupUtil.getRoleManager().addBundleGroupsToRole(overlord, role.getId(), ids);
+ }
+
+ private void removeRoleBundleGroup(Role role, BundleGroup bundleGroup) throws
Exception {
+
+ int[] ids = new int[1];
+ ids[0] = bundleGroup.getId();
+ LookupUtil.getRoleManager().removeBundleGroupsFromRole(overlord, role.getId(),
ids);
}
// helper methods
private BundleType createBundleType(String name) throws Exception {
final String fullName = TEST_PREFIX + "-type-" + name;
- ResourceType rt = createResourceTypeForBundleType(name);
- BundleType bt = bundleManager.createBundleType(overlord, fullName, rt.getId());
+ BundleType bt = null;
+ try {
+ bt = bundleManager.getBundleType(overlord, fullName);
+ } catch (Throwable t) {
+ ResourceType rt = createResourceTypeForBundleType(name);
+ bt = bundleManager.createBundleType(overlord, fullName, rt.getId());
+
+ assert bt.getId() > 0;
+ assert bt.getName().endsWith(fullName);
+ }
- assert bt.getId() > 0;
- assert bt.getName().endsWith(fullName);
return bt;
}
private Bundle createBundle(String name) throws Exception {
+ return createBundle(overlord, name);
+ }
+
+ private Bundle createBundle(Subject subject, String name) throws Exception {
BundleType bt = createBundleType(name);
- return createBundle(name, bt);
+ return createBundle(subject, name, bt, 0);
}
- private Bundle createBundle(String name, BundleType bt) throws Exception {
+ private Bundle createBundle(Subject subject, String name, BundleType bt, int
bundleGroupId) throws Exception {
final String fullName = TEST_PREFIX + "-bundle-" + name;
- Bundle b = bundleManager.createBundle(overlord, fullName, fullName +
"-desc", bt.getId(), 0);
+ Bundle b = bundleManager.createBundle(subject, fullName, fullName +
"-desc", bt.getId(), bundleGroupId);
assert b.getId() > 0;
assert b.getName().endsWith(fullName);
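Review bot: `createBundleType` now wraps the lookup in `catch (Throwable t)` and treats any failure — a permission error, a database problem, even an `Error` — as "type does not exist" and proceeds to create it, which can mask the real cause of a failing test. If `getBundleType` signals absence by throwing, catch that specific exception type instead; if it returns null, the catch never fires and `bt` is returned as null, so an `if (bt == null)` check is the right form. `removeRoleBundleGroup` is added but not called anywhere in this hunk; either drop it or use it in `authzBundleGroupTest` to cover the unassociation path (a view that succeeded before should fail after). The test class continues past the hunk on both ends.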
@@ -1316,6 +1571,11 @@ public class BundleManagerBeanTest extends AbstractEJB3Test {
}
private BundleVersion createBundleVersion(String name, String version, Bundle bundle)
throws Exception {
+ return createBundleVersion(overlord, name, version, bundle);
+ }
+
+ private BundleVersion createBundleVersion(Subject subject, String name, String
version, Bundle bundle)
+ throws Exception {
final String fullName = TEST_PREFIX + "-bundleversion-" + version +
"-" + name;
final String recipe = "deploy -f " + TEST_PREFIX + ".zip -d @@
test.path @@";
BundleVersion bv = bundleManager.createBundleVersion(overlord, bundle.getId(),
fullName, fullName + "-desc",
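Review bot: The new `createBundleVersion(Subject subject, ...)` overload ignores its `subject` argument: the call on the last line still passes `overlord`, so any authz assertion written against this helper would run as the superuser and pass regardless of the subject's permissions. Change it to `BundleVersion bv = bundleManager.createBundleVersion(subject, bundle.getId(), fullName, fullName + "-desc",`. The method body continues past the end of the hunk.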
diff --git
a/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/util/SessionTestHelper.java
b/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/util/SessionTestHelper.java
index 10b5dbc..b85408d 100644
---
a/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/util/SessionTestHelper.java
+++
b/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/util/SessionTestHelper.java
@@ -19,6 +19,7 @@
package org.rhq.enterprise.server.util;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Random;
@@ -137,6 +138,18 @@ public class SessionTestHelper {
return newRole;
}
+ public static void addRolePermissions(EntityManager em, Role role, Permission...
permissions) {
+ role.getPermissions().addAll(Arrays.asList(permissions));
+ em.merge(role);
+ em.flush();
+ }
+
+ public static void removeRolePermissions(EntityManager em, Role role, Permission...
permissions) {
+ role.getPermissions().removeAll(Arrays.asList(permissions));
+ em.merge(role);
+ em.flush();
+ }
+
public static ResourceType createNewResourceType(EntityManager em) {
ResourceType type = new ResourceType(preprocess("testType"),
"testPlugin", ResourceCategory.PLATFORM, null);
ConfigurationDefinition resourceConfigDef = new
ConfigurationDefinition("Fake def",
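Review bot: `addRolePermissions` and `removeRolePermissions` have no Javadoc and their contract is easy to misread: they mutate the caller's `role` permission set in place, then `em.merge(role)` and discard the managed copy it returns, so callers keep working with their own (possibly detached) instance. A header such as `/** Adds {@code permissions} to {@code role} in place, then merges and flushes it; the managed copy returned by merge is discarded. */` (and its mirror for the remove variant) would make that explicit.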
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerBean.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerBean.java
index af4c81f..aeaf597 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerBean.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerBean.java
@@ -39,6 +39,7 @@ import org.apache.commons.logging.LogFactory;
import org.rhq.core.domain.auth.Subject;
import org.rhq.core.domain.authz.Permission;
import org.rhq.core.domain.authz.Role;
+import org.rhq.core.domain.bundle.BundleGroup;
import org.rhq.core.domain.criteria.RoleCriteria;
import org.rhq.core.domain.resource.group.LdapGroup;
import org.rhq.core.domain.resource.group.ResourceGroup;
@@ -88,6 +89,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#findRolesBySubject(int
subjectId,PageControl pageControl)
*/
+ @Override
@SuppressWarnings("unchecked")
// the first param, subject, is not the subject making the request, its the subject
whose roles are to be returned.
// therefore, we won't want our security interceptor to check this method since
the subject won't have a session associated with it
@@ -109,6 +111,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#findRoles(PageControl)
*/
+ @Override
@SuppressWarnings("unchecked")
public PageList<Role> findRoles(PageControl pc) {
pc.initDefaultOrderingField("r.name");
@@ -135,6 +138,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#createRole(Subject, Role)
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public Role createRole(Subject whoami, Role newRole) {
// Make sure there's not an existing role with the same name.
@@ -182,6 +186,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#deleteRoles(Subject, int[])
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void deleteRoles(Subject subject, int[] doomedRoleIds) {
if (doomedRoleIds != null) {
@@ -202,6 +207,13 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
entityManager.merge(doomedResourceGroupRelationship);
}
+ //remove attached Bundle Groups
+ Set<BundleGroup> bundleGroupsToUnhook = new
HashSet<BundleGroup>(doomedRole.getBundleGroups()); // avoid concurrent mod
exception
+ for (BundleGroup doomedBundleGroupRelationship : bundleGroupsToUnhook) {
+ doomedRole.removeBundleGroup(doomedBundleGroupRelationship);
+ entityManager.merge(doomedBundleGroupRelationship);
+ }
+
//remove attached LDAP Subjects
Set<Subject> ldapSubjectsToUnhook = new
HashSet<Subject>(doomedRole.getLdapSubjects()); // avoid concurrent mod exception
for (Subject doomedLdapSubjectRelationship : ldapSubjectsToUnhook) {
@@ -232,6 +244,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#addRolesToSubject(Subject,
int, int[])
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void addRolesToSubject(Subject subject, int subjectId, int[] roleIds) {
addRolesToSubject(subject, subjectId, roleIds, false);
@@ -272,6 +285,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#addSubjectsToRole(Subject,
int, int[])
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void addSubjectsToRole(Subject subject, int roleId, int[] subjectIds) {
if (subjectIds != null) {
@@ -303,6 +317,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see
org.rhq.enterprise.server.authz.RoleManagerLocal#removeRolesFromSubject(Subject, int,
int[])
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void removeRolesFromSubject(Subject subject, int subjectId, int[] roleIds) {
if (roleIds != null) {
@@ -324,6 +339,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
return;
}
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void setAssignedSubjectRoles(Subject subject, int subjectId, int[] roleIds) {
@@ -359,6 +375,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#getRoleById(Integer)
*/
+ @Override
public Role getRoleById(Integer roleId) {
Role role = entityManager.find(Role.class, roleId);
return role;
@@ -367,6 +384,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#setPermissions(Subject,
Integer, Set)
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void setPermissions(Subject subject, Integer roleId, Set<Permission>
permissions) {
Role role = entityManager.find(Role.class, roleId);
@@ -381,6 +399,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#getPermissions(Integer)
*/
+ @Override
public Set<Permission> getPermissions(Integer roleId) {
Role role = entityManager.find(Role.class, roleId);
Set<Permission> rolePermissions = role.getPermissions();
@@ -390,6 +409,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see org.rhq.enterprise.server.authz.RoleManagerLocal#updateRole(Subject, Role)
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public Role updateRole(Subject whoami, Role role) {
Role attachedRole = entityManager.find(Role.class, role.getId());
@@ -481,6 +501,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see
org.rhq.enterprise.server.authz.RoleManagerLocal#findSubjectsByRole(Integer,PageControl)
*/
+ @Override
@SuppressWarnings("unchecked")
public PageList<Subject> findSubjectsByRole(Integer roleId, PageControl pc) {
pc.initDefaultOrderingField("s.name");
@@ -501,6 +522,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
/**
* @see
org.rhq.enterprise.server.authz.RoleManagerLocal#findRolesByIds(Integer[],PageControl)
*/
+ @Override
@SuppressWarnings("unchecked")
public PageList<Role> findRolesByIds(Integer[] roleIds, PageControl pc) {
if ((roleIds == null) || (roleIds.length == 0)) {
@@ -528,6 +550,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
return new PageList<Role>(roles, (int) count, pc);
}
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
@SuppressWarnings("unchecked")
public PageList<Role> findAvailableRolesForSubject(Subject subject, Integer
subjectId, Integer[] pendingRoleIds,
@@ -565,14 +588,39 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
return new PageList<Role>(roles, (int) count, pc);
}
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public PageList<Role> findSubjectUnassignedRoles(Subject subject, int
subjectId, PageControl pc) {
return findAvailableRolesForSubject(subject, subjectId, null, pc);
}
+ @Override
+ @RequiredPermission(Permission.MANAGE_SECURITY)
+ public void addBundleGroupsToRole(Subject subject, int roleId, int[] bundleGroupIds)
{
+ if ((bundleGroupIds != null) && (bundleGroupIds.length > 0)) {
+ Role role = entityManager.find(Role.class, roleId);
+ if (role == null) {
+ throw new IllegalArgumentException("Could not find role[" +
roleId + "] in order to add resourceGroups");
+ }
+ role.getBundleGroups().size(); // load them in
+
+ for (Integer bundleGroupId : bundleGroupIds) {
+ BundleGroup bundleGroup = entityManager.find(BundleGroup.class,
bundleGroupId);
+ if (bundleGroup == null) {
+ throw new IllegalArgumentException("Tried to add
BundleGroup[" + bundleGroupId + "] to role["
+ + roleId + "], but bundleGroup was not found.");
+ }
+ role.addBundleGroup(bundleGroup);
+ }
+ }
+
+ return;
+ }
+
/**
* @see
org.rhq.enterprise.server.authz.RoleManagerLocal#addResourceGroupsToRole(Subject, int,
int[])
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void addResourceGroupsToRole(Subject subject, int roleId, int[] groupIds) {
if ((groupIds != null) && (groupIds.length > 0)) {
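Review bot: The not-found message in the new `addBundleGroupsToRole` says `in order to add resourceGroups`, evidently copied from `addResourceGroupsToRole` just below; it should read `throw new IllegalArgumentException("Could not find role[" + roleId + "] in order to add bundleGroups");`. The `return;` immediately before the closing brace is redundant. The new method also lacks the `@see` Javadoc its neighbours carry, as do `removeBundleGroupsFromRole`, `setAssignedBundleGroups`, `removeRolesFromBundleGroup` and `addRolesToBundleGroup` in the following hunks, e.g. `/** @see org.rhq.enterprise.server.authz.RoleManagerRemote#addBundleGroupsToRole(Subject, int, int[]) */`.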
@@ -595,9 +643,32 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
return;
}
+ @Override
+ @RequiredPermission(Permission.MANAGE_SECURITY)
+ public void removeBundleGroupsFromRole(Subject subject, int roleId, int[]
bundleGroupIds) {
+ if ((bundleGroupIds != null) && (bundleGroupIds.length > 0)) {
+ Role role = entityManager.find(Role.class, roleId);
+ if (role == null) {
+ throw new IllegalArgumentException("Could not find role[" +
roleId
+ + "] in order to remove BundleGroups");
+ }
+ role.getBundleGroups().size(); // load them in
+
+ for (Integer bundleGroupId : bundleGroupIds) {
+ BundleGroup bundleGroup = entityManager.find(BundleGroup.class,
bundleGroupId);
+ if (bundleGroup == null) {
+ throw new IllegalArgumentException("Tried to remove
BundleGroup[" + bundleGroupId + "] from role["
+ + roleId + "], but BundleGroup was not found");
+ }
+ role.removeBundleGroup(bundleGroup);
+ }
+ }
+ }
+
/**
* @see
org.rhq.enterprise.server.authz.RoleManagerLocal#removeResourceGroupsFromRole(Subject,
int, int[])
*/
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void removeResourceGroupsFromRole(Subject subject, int roleId, int[] groupIds)
{
if ((groupIds != null) && (groupIds.length > 0)) {
@@ -618,6 +689,27 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
}
}
+ @Override
+ @RequiredPermission(Permission.MANAGE_SECURITY)
+ public void setAssignedBundleGroups(Subject subject, int roleId, int[]
bundleGroupIds) {
+ Role role = getRole(subject, roleId);
+ List<Integer> currentBundleGroups = new ArrayList<Integer>();
+ for (BundleGroup group : role.getBundleGroups()) {
+ currentBundleGroups.add(group.getId());
+ }
+
+ List<Integer> newBundleGroups = ArrayUtils.wrapInList(bundleGroupIds); //
members needing addition
+ newBundleGroups.removeAll(currentBundleGroups);
+ int[] newBundleGroupIds = ArrayUtils.unwrapCollection(newBundleGroups);
+ roleManager.addBundleGroupsToRole(subject, roleId, newBundleGroupIds);
+
+ List<Integer> removedBundleGroups = new
ArrayList<Integer>(currentBundleGroups); // members needing removal
+ removedBundleGroups.removeAll(ArrayUtils.wrapInList(bundleGroupIds));
+ int[] removedGroupIds = ArrayUtils.unwrapCollection(removedBundleGroups);
+ roleManager.removeBundleGroupsFromRole(subject, roleId, removedGroupIds);
+ }
+
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void setAssignedResourceGroups(Subject subject, int roleId, int[] groupIds) {
Role role = getRole(subject, roleId);
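Review bot: `setAssignedBundleGroups` dereferences the result of `getRole(subject, roleId)` without a null check, and `getRole` (in the `@@ -751,10 +871,36 @@` hunk) returns `entityManager.find` directly, so an unknown role id produces a NullPointerException here while the sibling add/remove methods in this commit throw IllegalArgumentException. Add the same guard after the lookup: `if (role == null) { throw new IllegalArgumentException("Could not find role[" + roleId + "] in order to set bundleGroups"); }`. `ArrayUtils.wrapInList(bundleGroupIds)` is also evaluated twice; hoist it into one local, and if `wrapInList` does not accept null, note that a null `bundleGroupIds` (tolerated by the add/remove siblings) fails here.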
@@ -668,11 +760,13 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
}
}
+ @Override
public PageList<Role> findSubjectAssignedRoles(Subject subject, int subjectId,
PageControl pc) {
PageList<Role> assignedRoles = findRolesBySubject(subjectId, pc);
return assignedRoles;
}
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void removeSubjectsFromRole(Subject subject, int roleId, int[] subjectIds) {
if ((subjectIds != null) && (subjectIds.length > 0)) {
@@ -697,6 +791,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
}
}
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void setAssignedSubjects(Subject subject, int roleId, int[] subjectIds) {
@@ -729,6 +824,31 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
}
}
+ @Override
+ @RequiredPermission(Permission.MANAGE_SECURITY)
+ public void removeRolesFromBundleGroup(Subject subject, int bundleGroupId, int[]
roleIds) {
+ if ((roleIds != null) && (roleIds.length > 0)) {
+ BundleGroup bundleGroup = entityManager.find(BundleGroup.class,
bundleGroupId);
+ if (bundleGroup == null) {
+ throw new IllegalArgumentException("Could not find
BundleGroup[" + bundleGroupId
+ + "] in order to remove roles");
+ }
+ bundleGroup.getRoles().size(); // load them in
+
+ for (Integer roleId : roleIds) {
+ Role doomedRole = entityManager.find(Role.class, roleId);
+ if (doomedRole == null) {
+ throw new IllegalArgumentException("Tried to remove role["
+ roleId + "] from BundleGroup["
+ + bundleGroupId + "], but role was not found");
+ }
+ bundleGroup.removeRole(doomedRole);
+ }
+ }
+
+ return;
+ }
+
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void removeRolesFromResourceGroup(Subject subject, int groupId, int[] roleIds)
{
if ((roleIds != null) && (roleIds.length > 0)) {
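Review bot: `removeRolesFromBundleGroup` mutates only the BundleGroup side of the association (`bundleGroup.removeRole(doomedRole)`), and `addRolesToBundleGroup` in the next hunk does the same with `addRole`; unless those domain methods also update `Role.getBundleGroups()`, a Role already loaded in the same persistence context keeps a stale view, whereas the `addBundleGroupsToRole`/`removeBundleGroupsFromRole` siblings work from the Role side. Worth confirming in BundleGroup and stating in a comment which side owns the relationship. The two hunks also spell the entity differently in their messages (`BundleGroup[` here, `bundleGroup[` in `addRolesToBundleGroup`); pick one.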
@@ -751,10 +871,36 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
return;
}
+ @Override
public Role getRole(Subject subject, int roleId) {
return entityManager.find(Role.class, roleId);
}
+ @Override
+ @RequiredPermission(Permission.MANAGE_SECURITY)
+ public void addRolesToBundleGroup(Subject subject, int bundleGroupId, int[] roleIds)
{
+ if ((roleIds != null) && (roleIds.length > 0)) {
+ BundleGroup bundleGroup = entityManager.find(BundleGroup.class,
bundleGroupId);
+ if (bundleGroup == null) {
+ throw new IllegalArgumentException("Could not find
bundleGroup[" + bundleGroupId
+ + "] in order to add roles");
+ }
+ bundleGroup.getRoles().size(); // load them in
+
+ for (Integer roleId : roleIds) {
+ Role role = entityManager.find(Role.class, roleId);
+ if (role == null) {
+ throw new IllegalArgumentException("Tried to add role[" +
roleId + "] to bundleGroup["
+ + bundleGroupId + "], but role was not found");
+ }
+ bundleGroup.addRole(role);
+ }
+ }
+
+ return;
+ }
+
+ @Override
@RequiredPermission(Permission.MANAGE_SECURITY)
public void addRolesToResourceGroup(Subject subject, int groupId, int[] roleIds) {
if ((roleIds != null) && (roleIds.length > 0)) {
@@ -777,6 +923,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
return;
}
+ @Override
@SuppressWarnings("unchecked")
public PageList<Role> findRolesByCriteria(Subject subject, RoleCriteria
criteria) {
@@ -788,7 +935,7 @@ public class RoleManagerBean implements RoleManagerLocal,
RoleManagerRemote {
CriteriaQueryGenerator generator = new CriteriaQueryGenerator(subject,
criteria);
CriteriaQueryRunner<Role> queryRunner = new
CriteriaQueryRunner<Role>(criteria, generator, entityManager);
- @SuppressWarnings({ "UnnecessaryLocalVariable" })
+
PageList<Role> roles = queryRunner.execute();
return roles;
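Review bot: Removing the `@SuppressWarnings({ "UnnecessaryLocalVariable" })` leaves a blank added line and the very local it was suppressing; the two remaining lines can collapse to `return queryRunner.execute();`. The method starts outside the hunk.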
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerLocal.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerLocal.java
index 5c2e1cb..d099f7c 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerLocal.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerLocal.java
@@ -25,7 +25,6 @@ import javax.ejb.Local;
import org.rhq.core.domain.auth.Subject;
import org.rhq.core.domain.authz.Permission;
import org.rhq.core.domain.authz.Role;
-import org.rhq.core.domain.criteria.RoleCriteria;
import org.rhq.core.domain.util.PageControl;
import org.rhq.core.domain.util.PageList;
@@ -36,7 +35,7 @@ import org.rhq.core.domain.util.PageList;
* @author John Mazzitelli
*/
@Local
-public interface RoleManagerLocal {
+public interface RoleManagerLocal extends RoleManagerRemote {
/**
* This returns a page list of all the roles that a subject is authorized to access.
*
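Review bot: The interface Javadoc whose tail is visible above `@Local` does not mention that `RoleManagerLocal` now inherits the whole `RoleManagerRemote` contract, and the "shared with the Remote Interface" marker block that used to explain the split is deleted later in this file. A one-line addition would keep the relationship discoverable: `* Local interface; inherits the full {@link RoleManagerRemote} contract and adds server-internal operations.`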
@@ -57,26 +56,6 @@ public interface RoleManagerLocal {
PageList<Role> findRoles(PageControl pc);
/**
- * Persists the new role to the database. The subjects assigned to the role are
ignored - this only creates the role
- * entity with 0 subjects initially assigned to it.
- *
- * @param subject the user attempting to create the role
- * @param newRole the new role to persist
- *
- * @return the persisted role with the primary key populated
- */
- Role createRole(Subject subject, Role newRole);
-
- /**
- * Removes a set of roles from the database. The subjects assigned to the roles are
no longer authorized with the
- * deleted roles. Groups attached to the deleted roles are left alone.
- *
- * @param subject the user attempting to delete the role
- * @param doomedRoleIds the IDs of the roles to delete
- */
- void deleteRoles(Subject subject, int[] doomedRoleIds);
-
- /**
* Sets the permissions for the specified role. Any currently existing role
permissions are overwritten - that is,
* <code>permissions</code> will be the complete set of permissions the
role will now be authorized with.
*
@@ -96,16 +75,6 @@ public interface RoleManagerLocal {
Set<Permission> getPermissions(Integer roleId);
/**
- * Updates the given role, excluding the subjects and groups. This updates
permissions, name, description, etc.
- *
- * @param subject user asking to update the role
- * @param role
- *
- * @return the updated role
- */
- Role updateRole(Subject subject, Role role);
-
- /**
* Given a set of role Ids, this returns a list of all the roles.
*
* @param roleIds
@@ -140,12 +109,6 @@ public interface RoleManagerLocal {
PageList<Role> findAvailableRolesForSubject(Subject subject, Integer subjectId,
Integer[] pendingRoleIds,
PageControl pc);
- // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- //
- // The following are shared with the Remote Interface
- //
- // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-
/**
* Returns the role with the given ID
*
@@ -157,64 +120,5 @@ public interface RoleManagerLocal {
// Use getRole instead
Role getRoleById(Integer roleId);
- Role getRole(Subject subject, int roleId);
-
- PageList<Role> findSubjectAssignedRoles(Subject subject, int subjectId,
PageControl pc);
-
- //This is a proxy of getAvailableRolesForSubject but without pendingRoleIds as
required by remote spec
- PageList<Role> findSubjectUnassignedRoles(Subject subject, int subjectId,
PageControl pc);
-
- /**
- * Assigns a set of roles to a subject which authorizes the subject to do anything
the roles permit.
- *
- * @param subject the user attempting to assign the roles to the subject
- * @param subjectId the subject who is to be authorized with the given roles
- * @param roleIds the roles to assign
- */
- void addRolesToSubject(Subject subject, int subjectId, int[] roleIds);
-
- /**
- * Disassociates particular roles from a subject. Once complete, the subject will no
longer be authorized with the
- * given roles.
- *
- * @param subject the user that is attempting to perform the remove
- * @param subjectId the user that is to have the roles unassigned from it
- * @param roleIds list of role IDs that are to be removed from user
- */
- void removeRolesFromSubject(Subject subject, int subjectId, int[] roleIds);
-
- void setAssignedSubjectRoles(Subject subject, int subjectId, int[] roleIds);
-
- void addSubjectsToRole(Subject subject, int roleId, int[] subjectIds);
-
- void removeSubjectsFromRole(Subject subject, int roleId, int[] subjectIds);
-
void setAssignedSubjects(Subject sessionSubject, int roleId, int[] subjectIds);
-
- /**
- * Adds the given resource groups to the given role.
- *
- * @param subject user attempting to add the groups to the role
- * @param roleId
- * @param pendingGroupIds
- */
- void addResourceGroupsToRole(Subject subject, int roleId, int[] pendingGroupIds);
-
- void addRolesToResourceGroup(Subject subject, int groupId, int[] roleIds);
-
- void setAssignedResourceGroups(Subject subject, int roleId, int[] groupIds);
-
- /**
- * Removes the given resource groups from the given role.
- *
- * @param subject user attempting to remove the groups from the role
- * @param roleId
- * @param groupIds
- */
- void removeResourceGroupsFromRole(Subject subject, int roleId, int[] groupIds);
-
- void removeRolesFromResourceGroup(Subject subject, int groupId, int[] roleIds);
-
- PageList<Role> findRolesByCriteria(Subject subject, RoleCriteria criteria);
-
}
\ No newline at end of file
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerRemote.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerRemote.java
index 0586998..83194da 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerRemote.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/RoleManagerRemote.java
@@ -130,6 +130,15 @@ public interface RoleManagerRemote {
void setAssignedSubjectRoles(Subject subject, int subjectId, int[] roleIds);
/**
+ * Adds the given bundle groups to the given role.
+ *
+ * @param subject The logged in user's subject.
+ * @param roleId
+ * @param bundleGroupIds
+ */
+ void addBundleGroupsToRole(Subject subject, int roleId, int[] bundleGroupIds);
+
+ /**
* Adds the given resource groups to the given role.
*
* @param subject The logged in user's subject.
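Review bot: The `@param roleId` and `@param bundleGroupIds` tags on the new `addBundleGroupsToRole` Javadoc are empty, and the later hunks add `addRolesToBundleGroup`, `setAssignedBundleGroups` and `removeRolesFromBundleGroup` with no Javadoc at all (`removeBundleGroupsFromRole` has the same empty tags). This is the remote contract, so the implementation's requirements belong here: the bean annotates all five with `@RequiredPermission(Permission.MANAGE_SECURITY)` and throws IllegalArgumentException when a role or bundle group id is unknown, and the add/remove variants treat a null or empty id array as a no-op. For example `@param roleId id of an existing role`, `@param bundleGroupIds ids of existing bundle groups; null or empty is a no-op`, `@throws IllegalArgumentException if the role or any bundle group does not exist`, plus a sentence stating the MANAGE_SECURITY requirement.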
@@ -138,11 +147,24 @@ public interface RoleManagerRemote {
*/
void addResourceGroupsToRole(Subject subject, int roleId, int[] pendingGroupIds);
+ void addRolesToBundleGroup(Subject subject, int bundleGroupId, int[] roleIds);
+
void addRolesToResourceGroup(Subject subject, int groupId, int[] roleIds);
+ void setAssignedBundleGroups(Subject subject, int roleId, int[] bundleGroupIds);
+
void setAssignedResourceGroups(Subject subject, int roleId, int[] groupIds);
/**
+ * Removes the given bundle groups from the given role.
+ *
+ * @param subject user attempting to remove the groups from the role
+ * @param roleId
+ * @param bundleGroupIds
+ */
+ void removeBundleGroupsFromRole(Subject subject, int roleId, int[] bundleGroupIds);
+
+ /**
* Removes the given resource groups from the given role.
*
* @param subject user attempting to remove the groups from the role
@@ -151,6 +173,8 @@ public interface RoleManagerRemote {
*/
void removeResourceGroupsFromRole(Subject subject, int roleId, int[] groupIds);
+ void removeRolesFromBundleGroup(Subject subject, int bundleGroupId, int[] roleIds);
+
void removeRolesFromResourceGroup(Subject subject, int groupId, int[] roleIds);
PageList<Role> findRolesByCriteria(Subject subject, RoleCriteria criteria);
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
index a9882c4..bc85e6d 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
@@ -66,6 +66,7 @@ import org.rhq.core.clientapi.agent.bundle.BundleScheduleResponse;
import org.rhq.core.clientapi.agent.configuration.ConfigurationUtility;
import org.rhq.core.domain.auth.Subject;
import org.rhq.core.domain.authz.Permission;
+import org.rhq.core.domain.authz.Role;
import org.rhq.core.domain.bundle.Bundle;
import org.rhq.core.domain.bundle.BundleDeployment;
import org.rhq.core.domain.bundle.BundleDeploymentStatus;
@@ -233,6 +234,8 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
}
+ checkCreateInitialBundleVersionAuthz(subject, bundleGroupId);
+
// create and add the required Repo. the Repo is a detached object which helps in
its eventual removal.
Repo repo = new Repo(name);
repo.setCandidate(false);
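Review bot: `checkCreateInitialBundleVersionAuthz(subject, bundleGroupId)` is placed after the block that closes just above it rather than as the method's first statement; if that block performs lookups against existing data, an unauthorized caller can still exercise it before being rejected. The enclosing method (presumably `createBundle`, given the check removed from `createBundleVersion` in the next hunk) starts outside the hunk, so this cannot be confirmed here, but moving the check to the top keeps authorization ahead of all other work and matches the permission Javadoc this commit adds to BundleManagerLocal.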
@@ -761,7 +764,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
if (isInitialVersion) {
- checkCreateInitialBundleVersionAuthz(subject, initialBundleGroupId);
bundle = bundleManager.createBundle(subject, bundleName, bundleDescription,
bundleType.getId(),
initialBundleGroupId);
createdBundle = true;
@@ -1619,7 +1621,7 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
// filter by bundles that are viewable
if (!authorizationManager.hasGlobalPermission(subject, Permission.VIEW_BUNDLES))
{
-
generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE,
null,
+
generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE,
subject.getId());
}
@@ -1660,7 +1662,7 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
CriteriaQueryGenerator generator = new CriteriaQueryGenerator(subject,
criteria);
if (!authorizationManager.hasGlobalPermission(subject, Permission.VIEW_BUNDLES))
{
-
generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE,
null,
+
generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE,
subject.getId());
}
@@ -1720,7 +1722,7 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
// filter by bundles that are viewable
if (!authorizationManager.hasGlobalPermission(subject, Permission.VIEW_BUNDLES))
{
-
generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE,
null,
+
generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE,
subject.getId());
}
@@ -1735,8 +1737,8 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
CriteriaQueryGenerator generator = new CriteriaQueryGenerator(subject,
criteria);
if (!authorizationManager.hasGlobalPermission(subject, Permission.VIEW_BUNDLES))
{
-
generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE,
null,
- subject.getId());
+
generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE,
+ subject.getId(), null);
}
CriteriaQueryRunner<Bundle> queryRunner = new
CriteriaQueryRunner<Bundle>(criteria, generator, entityManager);
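Review bot: This call passes `null` as the explicit fragment to the three-argument `setAuthorizationBundleFragment` overload, and the `@@ -2012,8 +2020,8 @@` hunk does the same for BUNDLE_GROUP, while the other four converted call sites use the two-argument overload that supplies the "bundle"/"bundleGroup" default. In CriteriaQueryGenerator the three-argument overload hands the fragment straight to the private builder, so a null presumably ends up in the generated query or as an NPE rather than as the default. Unless a null fragment is intentionally different here, use the two-argument form: `generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE, subject.getId());`. The enclosing method starts outside the hunk.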
@@ -1781,7 +1783,7 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
generator.alterProjection(replacementSelectList);
if (!authorizationManager.hasGlobalPermission(subject, Permission.VIEW_BUNDLES))
{
-
generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE,
null,
+
generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE,
subject.getId());
}
@@ -1990,7 +1992,7 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
public void deleteBundleGroups(Subject subject, int[] bundleGroupIds) throws
Exception {
for (int bundleGroupId : bundleGroupIds) {
- BundleGroup bundleGroup = this.entityManager.find(BundleGroup.class,
bundleGroupIds);
+ BundleGroup bundleGroup = this.entityManager.find(BundleGroup.class,
bundleGroupId);
if (null == bundleGroup) {
return;
}
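Review bot: The `return` on a null lookup at the bottom of this hunk abandons the rest of `bundleGroupIds` as soon as one id is unknown, so later ids are silently left undeleted; the fix in this hunk (looking up `bundleGroupId` instead of the whole array) is what makes that path reachable per id. If unknown ids are meant to be skipped, `continue;` keeps the loop going; if they are errors, throwing IllegalArgumentException would match the RoleManagerBean methods in this commit. The method body continues beyond the hunk.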
@@ -1999,6 +2001,12 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
for (Bundle b : bundleGroup.getBundles()) {
bundleGroup.removeBundle(b);
}
+
+ // remove from any roles
+ for (Role r : bundleGroup.getRoles()) {
+ bundleGroup.removeRole(r);
+ }
+
bundleGroup = entityManager.merge(bundleGroup);
// now remove the bundle group
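Review bot: The new loop calls `bundleGroup.removeRole(r)` while iterating `bundleGroup.getRoles()`; if `getRoles()` returns the live association collection and `removeRole` mutates it, this throws ConcurrentModificationException (the same pattern already exists for `getBundles()` two lines above). Iterating a snapshot avoids it: `for (Role r : new ArrayList<Role>(bundleGroup.getRoles())) {`. Whether `removeRole` also clears the role's side of the association is not visible here; if it does not, the Role entities keep a stale reference until reloaded. The method body continues outside the hunk.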
@@ -2012,8 +2020,8 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
// filter by bundle groups that are viewable
if (!authorizationManager.hasGlobalPermission(subject,
Permission.MANAGE_BUNDLE_GROUPS)) {
-
generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE_GROUP,
- null, subject.getId());
+
generator.setAuthorizationBundleFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE_GROUP,
+ subject.getId(), null);
}
CriteriaQueryRunner<BundleGroup> queryRunner = new
CriteriaQueryRunner<BundleGroup>(criteria, generator,
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerLocal.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerLocal.java
index 01ca620..f96d356 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerLocal.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerLocal.java
@@ -68,9 +68,12 @@ public interface BundleManagerLocal extends BundleManagerRemote {
/**
* Internal use only, and test entry point.
- * </p>
- * This method performs NO AUTHZ!
- * </p>
+ * <pre>
+ * Required Permissions (same as createInitialBundleVersionXxx): Either:
+ * - Global.CREATE_BUNDLES and Global.VIEW_BUNDLES
+ * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG
+ * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG
+ * </pre>
* @param subject user that must have proper permissions
* @param name not null or empty
* @param description optional long description of the bundle
@@ -87,9 +90,12 @@ public interface BundleManagerLocal extends BundleManagerRemote {
* Convenience method that combines {@link #createBundle(Subject, String, int)} and
{@link #createBundleVersion(Subject, int, String, String, String)}.
* This will first check to see if a bundle with the given type/name exists - if it
doesn't, it will be created. If it does, it will be reused.
* This will then create the bundle version that will be associated with the bundle
that was created or found.
- * </p>
- * This method performs NO AUTHZ!
- * </p>
+ * <pre>
+ * Required Permissions (same as createInitialBundleVersionXxx): Either:
+ * - Global.CREATE_BUNDLES and Global.VIEW_BUNDLES
+ * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG
+ * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG
+ * </pre>
* @param subject user that must have proper permissions
* @param bundleName name of the bundle to use (if not found, it will be created)
* @param bundleDescription optional long description of the bundle
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java
index 0a1060d..3692b78 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java
@@ -124,10 +124,9 @@ public final class CriteriaQueryGenerator {
} else if (type == AuthorizationTokenType.GROUP) {
defaultFragment = "group";
setAuthorizationResourceFragment(type, defaultFragment, subjectId);
- } else if (type == AuthorizationTokenType.BUNDLE) {
- setAuthorizationBundleFragment(subjectId);
- } else if (type == AuthorizationTokenType.BUNDLE_GROUP) {
- setAuthorizationBundleGroupFragment(subjectId);
+ } else {
+ throw new IllegalArgumentException(this.getClass().getSimpleName()
+ + " does not yet support generating resource queries for '"
+ type + "' token types");
}
}
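Review bot: Dropping the BUNDLE and BUNDLE_GROUP branches turns a previously working call into a runtime IllegalArgumentException for any caller this commit did not migrate; the BundleManagerBean sites are converted, but whether other callers pass bundle token types to `setAuthorizationResourceFragment` is not visible in this diff, so a repository-wide search before merging is warranted. A comment on the new `else` would also help the next reader: `// bundle token types must go through setAuthorizationBundleFragment`. The enclosing method starts outside the hunk.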
@@ -237,10 +236,31 @@ public final class CriteriaQueryGenerator {
return customAuthzFragment;
}
- public void setAuthorizationBundleFragment(int subjectId) {
+ public void setAuthorizationBundleFragment(AuthorizationTokenType type, int
subjectId) {
+ if (type == AuthorizationTokenType.BUNDLE) {
+ setAuthorizationBundleFragment(type, subjectId, "bundle");
+ } else if (type == AuthorizationTokenType.BUNDLE_GROUP) {
+ setAuthorizationBundleFragment(type, subjectId, "bundleGroup");
+ } else {
+ throw new IllegalArgumentException(this.getClass().getSimpleName()
+ + " does not yet support generating bundle queries for '" +
type + "' token types");
+ }
+ }
+
+ public void setAuthorizationBundleFragment(AuthorizationTokenType type, int
subjectId, String fragment) {
+ if (type == AuthorizationTokenType.BUNDLE) {
+ setAuthorizationBundleFragment(subjectId, fragment);
+ } else if (type == AuthorizationTokenType.BUNDLE_GROUP) {
+ setAuthorizationBundleGroupFragment(subjectId, fragment);
+ } else {
+ throw new IllegalArgumentException(this.getClass().getSimpleName()
+ + " does not yet support generating bundle queries for '" +
type + "' token types");
+ }
+ }
+
+ private void setAuthorizationBundleFragment(int subjectId, String fragment) {
this.authorizationSubjectId = subjectId;
- String fragment = "bundle";
String customAuthzFragment = "" //
+ "( %aliasWithFragment%.id IN ( SELECT %innerAlias%.id " + NL //
+ " FROM %alias% innerAlias " + NL //
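Review bot: The public three-argument `setAuthorizationBundleFragment` accepts any `fragment`, including null, and passes it straight to the private builders, whose JPQL template (visible at the end of the hunk) is what the fragment is evidently substituted into; the BundleManagerBean hunks `@@ -1735,8 +1737,8 @@` and `@@ -2012,8 +2020,8 @@` already call it with null. Defaulting a null fragment before the dispatch, `if (fragment == null) { fragment = (type == AuthorizationTokenType.BUNDLE) ? "bundle" : "bundleGroup"; }`, closes that gap and lets the two-argument overload become a single delegating call. Because the fragment is spliced into a query string rather than bound as a parameter, say so on the public overload: `* @param fragment alias fragment substituted into the authz JPQL template; must be a trusted constant, never caller-supplied input`.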
@@ -271,8 +291,9 @@ public final class CriteriaQueryGenerator {
}
}
- public void setAuthorizationBundleGroupFragment(int subjectId) {
- String fragment = "bundleGroup";
+ private void setAuthorizationBundleGroupFragment(int subjectId, String fragment) {
+ this.authorizationSubjectId = subjectId;
+
String customAuthzFragment = "" //
+ "( %aliasWithFragment%.id IN ( SELECT %innerAlias%.id " + NL //
+ " FROM %alias% innerAlias " + NL //