.classpath
| 4
modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/auth/test/SubjectManagerBeanTest.java
| 174 ++++++++--
2 files changed, 158 insertions(+), 20 deletions(-)
New commits:
commit 3bb788b5b3d472e1500df7b4bec304814a45bcac
Author: Thomas Segismont <tsegismo(a)redhat.com>
Date: Thu Feb 28 18:38:03 2013 +0100
Better coverage of SubjectManagerBean following criteria API changes
diff --git a/.classpath b/.classpath
index f6ced85..1a0df52 100644
--- a/.classpath
+++ b/.classpath
@@ -218,7 +218,7 @@
<classpathentry exported="true" kind="var"
path="M2_REPO/log4j/log4j/1.2.14/log4j-1.2.14.jar"/>
<classpathentry exported="true" kind="var"
path="M2_REPO/tomcat/tomcat-jk/4.1.31/tomcat-jk-4.1.31.jar"/>
<classpathentry exported="true" kind="var"
path="M2_REPO/jdom/jdom/1.0/jdom-1.0.jar"/>
- <classpathentry exported="true" kind="var"
path="M2_REPO/commons-collections/commons-collections/3.2/commons-collections-3.2.jar"/>
+ <classpathentry exported="true" kind="var"
path="M2_REPO/commons-collections/commons-collections/3.2/commons-collections-3.2.jar"
sourcepath="/M2_REPO/commons-collections/commons-collections/3.2/commons-collections-3.2-sources.jar"/>
<classpathentry exported="true" kind="var"
path="M2_REPO/javax/persistence/persistence-api/1.0/persistence-api-1.0.jar"
sourcepath="/M2_REPO/javax/persistence/persistence-api/1.0/persistence-api-1.0-sources.jar"/>
<classpathentry exported="true" kind="var"
path="M2_REPO/jboss/jboss-jmx/4.2.3.GA/jboss-jmx-4.2.3.GA.jar"/>
<classpathentry exported="true" kind="var"
path="M2_REPO/tomcat/catalina/5.5.20/catalina-5.5.20.jar"/>
@@ -344,7 +344,7 @@
<classpathentry exported="true" kind="var"
path="M2_REPO/javax/enterprise/cdi-api/1.0-SP4/cdi-api-1.0-SP4.jar"
sourcepath="M2_REPO/javax/enterprise/cdi-api/1.0-SP4/cdi-api-1.0-SP4-sources.jar"/>
<classpathentry exported="true" kind="var"
path="M2_REPO/javax/inject/javax.inject/1/javax.inject-1.jar"
sourcepath="M2_REPO/javax/inject/javax.inject/1/javax.inject-1-sources.jar"/>
<classpathentry exported="true" kind="var"
path="M2_REPO/org/mozilla/rhino/1.7R4/rhino-1.7R4.jar"/>
- <classpathentry exported="true" kind="var"
path="M2_REPO/org/picketbox/picketbox/4.0.7.Final/picketbox-4.0.7.Final.jar"/>
+ <classpathentry exported="true" kind="var"
path="M2_REPO/org/picketbox/picketbox/4.0.7.Final/picketbox-4.0.7.Final.jar"
sourcepath="/M2_REPO/org/picketbox/picketbox/4.0.7.Final/picketbox-4.0.7.Final-sources.jar"/>
<classpathentry exported="true" kind="var"
path="M2_REPO/org/python/jython-standalone/2.5.2/jython-standalone-2.5.2.jar"/>
<classpathentry exported="true" kind="var"
path="M2_REPO/com/wordnik/swagger-annotations_2.9.1/1.1.1-SNAPSHOT/swagger-annotations_2.9.1-1.1.1-20121031.024335-6.jar"/>
<classpathentry exported="true" kind="var"
path="M2_REPO/joda-time/joda-time/2.1/joda-time-2.1.jar"/>
diff --git
a/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/auth/test/SubjectManagerBeanTest.java
b/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/auth/test/SubjectManagerBeanTest.java
index fe7691d..4b17dc5 100644
---
a/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/auth/test/SubjectManagerBeanTest.java
+++
b/modules/enterprise/server/itests-2/src/test/java/org/rhq/enterprise/server/auth/test/SubjectManagerBeanTest.java
@@ -25,11 +25,14 @@ import java.util.List;
import java.util.Set;
import java.util.UUID;
+import javax.ejb.EJBException;
import javax.persistence.EntityManager;
import javax.security.auth.login.LoginException;
import javax.transaction.NotSupportedException;
import javax.transaction.SystemException;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.testng.annotations.Test;
import org.rhq.core.domain.auth.Subject;
@@ -48,6 +51,7 @@ import org.rhq.enterprise.server.authz.AuthorizationManagerLocal;
import org.rhq.enterprise.server.authz.PermissionException;
import org.rhq.enterprise.server.authz.RoleManagerLocal;
import org.rhq.enterprise.server.test.AbstractEJB3Test;
+import org.rhq.enterprise.server.test.TransactionCallback;
import org.rhq.enterprise.server.util.LookupUtil;
import org.rhq.enterprise.server.util.SessionTestHelper;
@@ -57,18 +61,27 @@ import org.rhq.enterprise.server.util.SessionTestHelper;
@Test
public class SubjectManagerBeanTest extends AbstractEJB3Test {
+ private static final Log LOG = LogFactory.getLog(SubjectManagerBeanTest.class);
+
+ private static final String RHQADMIN = "rhqadmin";
+
+ private static final String ITEST_USER = "smb_itest_user";
+
private SubjectManagerLocal subjectManager;
private AuthorizationManagerLocal authorizationManager;
private RoleManagerLocal roleManager;
- /**
- * Prepares things for the entire test class.
- */
@Override
protected void beforeMethod() {
subjectManager = LookupUtil.getSubjectManager();
authorizationManager = LookupUtil.getAuthorizationManager();
roleManager = LookupUtil.getRoleManager();
+ createITestSubject();
+ }
+
+ private Subject createITestSubject() {
+ Subject subjectToCreate = new Subject(ITEST_USER, true, false);
+ return subjectManager.createSubject(subjectManager.getOverlord(),
subjectToCreate, ITEST_USER);
}
/**
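Review bot: beforeMethod calls createITestSubject() without first removing a leftover ITEST_USER, so if an earlier test aborted before afterMethod ran (or a stale row exists from another run), createSubject will presumably fail and take every test in the class with it; calling `deleteITestSubject();` immediately before `createITestSubject();` makes the fixture self-healing. The value returned by createITestSubject() is discarded in beforeMethod, so the helper could be `void`, and it deserves a one-line comment that the third createSubject argument (apparently the initial password) is deliberately set equal to the username because the account only lives for one test method. beforeMethod and createITestSubject both end inside this hunk; afterMethod starts in the next one.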
@@ -76,11 +89,14 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
*/
@Override
protected void afterMethod() {
+ deleteITestSubject();
+
// create a list of all users we know our tests have used
List<String> usernames = new ArrayList<String>();
usernames.add("admin");
- usernames.add("rhqadmin");
+ usernames.add(RHQADMIN);
usernames.add("new_user");
+ usernames.add(ITEST_USER);
SessionManager session_manager = SessionManager.getInstance();
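Review bot: deleteITestSubject() runs at the top of afterMethod, so an exception from deleteSubjects would propagate before the session cleanup that follows and leave the sessions of the listed users, including the ITEST_USER sessions opened by the new tests, alive in SessionManager. Moving the call after the session cleanup, or catching its failure and reporting it through LOG so the method can continue, keeps the two cleanups independent of each other. afterMethod's body continues past the end of this hunk.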
@@ -95,6 +111,13 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
}
}
+ private void deleteITestSubject() {
+ Subject subject = subjectManager.getSubjectByName(ITEST_USER);
+ if (subject != null) {
+ subjectManager.deleteSubjects(subjectManager.getOverlord(), new int[] {
subject.getId() });
+ }
+ }
+
/**
* Tests persisting and retrieving user configuration.
*
@@ -173,7 +196,7 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
getTransactionManager().begin();
try {
superuser = subjectManager.getOverlord();
- rhqadmin = subjectManager.getSubjectByName("rhqadmin");
+ rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
rhqadmin = createSession(rhqadmin);
try {
@@ -214,7 +237,7 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
try {
superuser = subjectManager.getOverlord();
superuser = createSession(superuser);
- rhqadmin = subjectManager.getSubjectByName("rhqadmin");
+ rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
rhqadmin = createSession(rhqadmin);
try {
@@ -268,9 +291,9 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
assert
authorizationManager.getExplicitGlobalPermissions(superuser).containsAll(all_global_perms);
// get the rhqadmin subject
- Subject rhqadmin = subjectManager.getSubjectByName("rhqadmin");
+ Subject rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
assert rhqadmin.getId() == 2;
- assert rhqadmin.getName().equals("rhqadmin");
+ assert rhqadmin.getName().equals(RHQADMIN);
assert
authorizationManager.getExplicitGlobalPermissions(rhqadmin).containsAll(all_global_perms);
rhqadmin = createSession(rhqadmin); // our test needs to ensure the rhqadmin user
has a session
@@ -286,7 +309,7 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
SubjectManagerLocal subjectManager = LookupUtil.getSubjectManager();
Subject subject = null;
try {
- subject = subjectManager.loginUnauthenticated("rhqadmin");
+ subject = subjectManager.loginUnauthenticated(RHQADMIN);
} catch (Exception e) {
assert false : "There must be at least rhqadmin user";
}
@@ -441,30 +464,30 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
getTransactionManager().begin();
try {
- Subject subject1 =
subjectManager.loginUnauthenticated("rhqadmin");
+ Subject subject1 = subjectManager.loginUnauthenticated(RHQADMIN);
int session1 = subject1.getSessionId();
Thread.sleep(500); // just wait a bit
- Subject subject2 =
subjectManager.loginUnauthenticated("rhqadmin");
+ Subject subject2 = subjectManager.loginUnauthenticated(RHQADMIN);
int session2 = subject2.getSessionId();
assert session1 != session2 : "The same sessionId should never be
assigned when logging in twice";
assert subject1.equals(subject2);
- Subject s = subjectManager.getSubjectByNameAndSessionId("rhqadmin",
subject1.getSessionId());
+ Subject s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN,
subject1.getSessionId());
assert s.getSessionId() == session1;
- s = subjectManager.getSubjectByNameAndSessionId("rhqadmin",
subject2.getSessionId());
+ s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN,
subject2.getSessionId());
assert s.getSessionId() == session2;
subjectManager.logout(session1);
try {
- s = subjectManager.getSubjectByNameAndSessionId("rhqadmin",
subject1.getSessionId());
+ s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN,
subject1.getSessionId());
assert false : "Session should be invalid";
} catch (SessionNotFoundException ok) {
}
- s = subjectManager.getSubjectByNameAndSessionId("rhqadmin",
subject2.getSessionId());
+ s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN,
subject2.getSessionId());
assert s.getSessionId() == session2;
// this should ne a no-op, no exception
@@ -472,7 +495,7 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
subjectManager.logout(session2);
try {
- s = subjectManager.getSubjectByNameAndSessionId("rhqadmin",
subject2.getSessionId());
+ s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN,
subject2.getSessionId());
fail("Session should be invalid");
} catch (SessionNotFoundException e) {
// expected
@@ -521,7 +544,7 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
try {
Subject overlord = subjectManager.getOverlord();
- Subject rhqadmin = subjectManager.getSubjectByName("rhqadmin");
+ Subject rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
Role roleWithViewUsersPerm = new Role("role" + UUID.randomUUID());
roleWithViewUsersPerm.addPermission(Permission.VIEW_USERS);
@@ -552,7 +575,7 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
try {
Subject overlord = subjectManager.getOverlord();
- Subject rhqadmin = subjectManager.getSubjectByName("rhqadmin");
+ Subject rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
rhqadmin = subjectManager.loginUnauthenticated(rhqadmin.getName());
Subject anotherSubject = new Subject("subject" + UUID.randomUUID(),
true, false);
@@ -618,4 +641,119 @@ public class SubjectManagerBeanTest extends AbstractEJB3Test {
}
}
+ public void subjectCannotUpdateAnotherSubjectWithoutPermission() throws
LoginException {
+ executeInTransaction(new TransactionCallback() {
+
+ @Override
+ public void execute() throws Exception {
+ Subject fakeSubject = new Subject("fakeUser", true, false);
+ Subject itestSubject = subjectManager.loginUnauthenticated(ITEST_USER);
+ try {
+ subjectManager.updateSubject(itestSubject, fakeSubject,
"newPassword");
+ fail("Subject without permission should not be able to update
another subject");
+ } catch (PermissionException e) {
+ assertTrue(e.getMessage().contains("do not have permission to
update user"));
+ }
+ }
+ });
+ }
+
+ public void nobodyCanDisableASystemSubject() {
+ executeInTransaction(new TransactionCallback() {
+
+ @Override
+ public void execute() throws Exception {
+ Subject rhqAdminSubject = subjectManager.getSubjectByName(RHQADMIN);
+ try {
+ Subject changedSubject = new Subject(rhqAdminSubject.getName(),
false, rhqAdminSubject.getFsystem());
+ changedSubject.setId(rhqAdminSubject.getId());
+ subjectManager.updateSubject(subjectManager.getOverlord(),
changedSubject, "newPassword");
+ fail("Nobody should be able to disable a system subject");
+ } catch (PermissionException e) {
+ assertTrue(e.getMessage().startsWith("You cannot disable the
system user"));
+ }
+ }
+ });
+ }
+
+ public void nobodyCanChangeASubjectName() {
+ executeInTransaction(new TransactionCallback() {
+
+ @Override
+ public void execute() throws Exception {
+ Subject itestSubject = subjectManager.getSubjectByName(ITEST_USER);
+ Subject changedSubject = new Subject("pipo",
itestSubject.getFactive(), itestSubject.getFsystem());
+ changedSubject.setId(itestSubject.getId());
+ try {
+ subjectManager.updateSubject(subjectManager.getOverlord(),
changedSubject, "newPassword");
+ fail("Nobody should be able to change a subject name");
+ } catch (EJBException e) {
+ Exception cause = e.getCausedByException();
+ assertEquals(IllegalArgumentException.class, cause.getClass());
+ assertTrue(cause.getMessage().equals("You cannot change a
user's username."));
+ }
+ }
+ });
+ }
+
+ public void nobodyCanChangeAnUnknowSubject() {
+ executeInTransaction(new TransactionCallback() {
+
+ @Override
+ public void execute() throws Exception {
+ try {
+ Subject fakeSubject = new Subject("fakeUser", true,
false);
+ subjectManager.updateSubject(subjectManager.getOverlord(),
fakeSubject, "newPassword");
+ fail("Nobody should be able to change an unknown
subject");
+ } catch (EJBException e) {
+ Exception cause = e.getCausedByException();
+ assertEquals(IllegalArgumentException.class, cause.getClass());
+ assertTrue(cause.getMessage().startsWith("No user exists with
id"));
+ }
+ }
+ });
+ }
+
+ public void subjectCanUpdateItself() {
+ executeInTransaction(new TransactionCallback() {
+
+ @Override
+ public void execute() throws Exception {
+ Subject itestSubject = subjectManager.loginUnauthenticated(ITEST_USER);
+ Subject changedSubject = new Subject(itestSubject.getName(),
itestSubject.getFactive(),
+ itestSubject.getFsystem());
+ changedSubject.setId(itestSubject.getId());
+ changedSubject.setEmailAddress("pipo(a)molo.com");
+ try {
+ changedSubject = subjectManager.updateSubject(itestSubject,
changedSubject, "newPassword");
+ assertEquals("pipo(a)molo.com",
changedSubject.getEmailAddress());
+ } catch (Exception e) {
+ LOG.error(e);
+ fail("Subject should be able to update itself");
+ }
+ }
+ });
+ }
+
+ public void subjectWhitoutManageSecurityPermissionCannotUpdateItsRoles() throws
LoginException {
+ executeInTransaction(new TransactionCallback() {
+
+ @Override
+ public void execute() throws Exception {
+ Subject itestSubject = subjectManager.loginUnauthenticated(ITEST_USER);
+ final PageList<Role> allRoles =
roleManager.findRoles(PageControl.getUnlimitedInstance());
+ Subject changedSubject = new Subject(itestSubject.getName(),
itestSubject.getFactive(),
+ itestSubject.getFsystem());
+ changedSubject.setId(itestSubject.getId());
+ changedSubject.getRoles().addAll(allRoles);
+ try {
+ subjectManager.updateSubject(itestSubject, changedSubject,
"newPassword");
+ fail("Subject whitout " + Permission.MANAGE_SECURITY
+ + " permission should not be able to update its
roles");
+ } catch (PermissionException e) {
+ assertTrue(e.getMessage().contains("is not authorized
for"));
+ }
+ }
+ });
+ }
}
\ No newline at end of file
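Review bot: In subjectCanUpdateItself the `catch (Exception e)` around updateSubject logs the exception and then fails with a generic message, so the test report loses the real cause; since `execute()` already declares `throws Exception`, the try/catch can be dropped and the two statements `changedSubject = subjectManager.updateSubject(itestSubject, changedSubject, "newPassword");` and `assertEquals("pipo(a)molo.com", changedSubject.getEmailAddress());` left to propagate on their own. That test also changes the ITEST_USER password to "newPassword", which is presumably undone by executeInTransaction rolling back, but a short comment saying so would save the next reader from checking whether afterMethod's cleanup still works. In nobodyCanChangeASubjectName, `assertTrue(cause.getMessage().equals("You cannot change a user's username."))` reads better and reports the actual message on failure as `assertEquals("You cannot change a user's username.", cause.getMessage())`, and the method names nobodyCanChangeAnUnknowSubject and subjectWhitoutManageSecurityPermissionCannotUpdateItsRoles carry typos (Unknown, Without) that also appear in the latter's failure message.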