diff --git a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
index 00062f3e24..620d1e6193 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
@@ -19,8 +19,6 @@
 package org.apache.ranger.biz;
-import java.io.File;
-import java.io.IOException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Date;
@@ -68,8 +66,6 @@
 import org.apache.ranger.view.*;
 import org.apache.ranger.view.VXTrxLogV2.AttributeChangeInfo;
 import org.apache.ranger.view.VXTrxLogV2.ObjectChangeInfo;
-import com.fasterxml.jackson.core.JsonGenerationException;
-import com.fasterxml.jackson.databind.JsonMappingException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -165,53 +161,6 @@ public void init() {
 logger.info("<== AssetMgr.init()");
 }
- public File getXResourceFile(Long id, String fileType) {
- VXResource xResource = xResourceService.readResource(id);
- if (xResource == null) {
- throw this.restErrorUtil.createRESTException(
- "serverMsg.datasourceIdEmpty" + "id " + id,
- MessageEnums.DATA_NOT_FOUND, id, "dataSourceId",
- "DataSource not found with " + "id " + id);
- }
-
- return getXResourceFile(xResource, fileType);
- }
-
- public File getXResourceFile(VXResource xResource, String fileType) {
- File file = null;
- try {
- if (fileType != null) {
- if ("json".equalsIgnoreCase(fileType)) {
- file = jsonUtil.writeJsonToFile(xResource,
- xResource.getName());
- } else {
- throw restErrorUtil.createRESTException(
- "Please send the supported filetype.",
- MessageEnums.INVALID_INPUT_DATA);
- }
- } else {
- throw restErrorUtil
- .createRESTException(
- "Please send the file format in which you want to export.",
- MessageEnums.DATA_NOT_FOUND);
- }
- } catch (JsonGenerationException e) {
- throw this.restErrorUtil.createRESTException(
- "serverMsg.jsonGeneration" + " : " + e.getMessage(),
- MessageEnums.ERROR_SYSTEM);
- } catch (JsonMappingException e) {
- throw this.restErrorUtil.createRESTException(
- "serverMsg.jsonMapping" + " : " + e.getMessage(),
- MessageEnums.ERROR_SYSTEM);
- } catch (IOException e) {
- throw this.restErrorUtil.createRESTException(
- "serverMsg.ioException" + " : " + e.getMessage(),
- MessageEnums.ERROR_SYSTEM);
- }
-
- return file;
- }
-
 public String getLatestRepoPolicy(VXAsset xAsset, List xResourceList,
 Long updatedTime, X509Certificate[] certchain, boolean httpEnabled,
 String epoch, String ipAddress, boolean isSecure, String count, String agentId) {
@@ -1396,6 +1345,9 @@ public VXUgsyncAuditInfoList getUgsyncAudits(SearchCriteria searchCriteria) {
 }
 public VXUgsyncAuditInfoList getUgsyncAuditsBySyncSource(String syncSource) {
+ if (!msBizUtil.hasModuleAccess(RangerConstants.MODULE_AUDIT)) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the "+RangerConstants.MODULE_AUDIT+" module.", true);
+ }
 if(syncSource!=null && !syncSource.trim().isEmpty()){
 return xUgsyncAuditInfoService.searchXUgsyncAuditInfoBySyncSource(syncSource);
 }else{
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index c934fdd7ca..0dee877343 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
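Review bot: The new module guard in `getUgsyncAuditsBySyncSource` is the only authorization check visible on the ugsync-audit read path, and the sibling `getUgsyncAudits(SearchCriteria)` — whose closing brace is the first context line of this hunk — is not touched; unless its body (outside the hunk) already calls `msBizUtil.hasModuleAccess(RangerConstants.MODULE_AUDIT)`, two entry points to the same data will enforce different rules. A one-line Javadoc on the new method, `/** Requires Audit-module access; any other caller receives HTTP 403 before the lookup runs. */`, would record the contract for the next maintainer. The 403 text is built by concatenating `RangerConstants.MODULE_AUDIT`, a constant rather than caller input, so the concatenation itself is harmless.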
@@ -5067,62 +5067,62 @@ public int compare(RangerPolicy c1, RangerPolicy c2) {
 // fetch policies maintained for the roles and groups belonging to the group
 String groupName = searchFilter.getParam("group");
- if (!StringUtils.isEmpty(groupName)) {
- Set groupNames = daoMgr.getXXGroupGroup().findGroupNamesByGroupName(groupName);
- groupNames.add(RangerConstants.GROUP_PUBLIC);
- groupNames.add(groupName);
- Set processedSvcIdsForGroup = new HashSet<>();
- Set processedGroupsName = new HashSet<>();
- List xPolList2;
- for (String grpName : groupNames) {
- searchFilter.setParam("group", grpName);
- xPolList2 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList);
- if (!CollectionUtils.isEmpty(xPolList2)) {
- for (XXPolicy xPol2 : xPolList2) {
- if(xPol2!=null){
- if (!processedPolicies.contains(xPol2.getId())) {
- if (!processedSvcIdsForGroup.contains(xPol2.getService())
- || !processedGroupsName.contains(groupName)) {
- loadRangerPolicies(xPol2.getService(), processedSvcIdsForGroup, policyMap, searchFilter);
- processedGroupsName.add(groupName);
- }
- if (policyMap.containsKey(xPol2.getId())) {
- policyList.add(policyMap.get(xPol2.getId()));
- processedPolicies.add(xPol2.getId());
- }
+ if (StringUtils.isBlank(groupName)) {
+ groupName = RangerConstants.GROUP_PUBLIC;
+ }
+ Set groupNames = daoMgr.getXXGroupGroup().findGroupNamesByGroupName(groupName);
+ groupNames.add(groupName);
+ Set processedSvcIdsForGroup = new HashSet<>();
+ Set processedGroupsName = new HashSet<>();
+ List xPolList2;
+ for (String grpName : groupNames) {
+ searchFilter.setParam("group", grpName);
+ xPolList2 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList);
+ if (!CollectionUtils.isEmpty(xPolList2)) {
+ for (XXPolicy xPol2 : xPolList2) {
+ if(xPol2!=null){
+ if (!processedPolicies.contains(xPol2.getId())) {
+ if (!processedSvcIdsForGroup.contains(xPol2.getService())
+ || !processedGroupsName.contains(groupName)) {
+ loadRangerPolicies(xPol2.getService(), processedSvcIdsForGroup, policyMap, searchFilter);
+ processedGroupsName.add(groupName);
+ }
+ if (policyMap.containsKey(xPol2.getId())) {
+ policyList.add(policyMap.get(xPol2.getId()));
+ processedPolicies.add(xPol2.getId());
 }
 }
 }
 }
 }
+ }
- searchFilter.removeParam("group");
- XXGroup xxGroup = daoMgr.getXXGroup().findByGroupName(groupName);
- if (xxGroup != null) {
- Set allContainedRoles = new HashSet<>();
- List xxRoles = daoMgr.getXXRole().findByGroupId(xxGroup.getId());
- for (XXRole xxRole : xxRoles) {
- getContainingRoles(xxRole.getId(), allContainedRoles);
- }
- Set roleNames = getRoleNames(allContainedRoles);
- Set processedRoleName = new HashSet<>();
- List xPolList3;
- for (String roleName : roleNames) {
- searchFilter.setParam("role", roleName);
- xPolList3 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList);
- if (!CollectionUtils.isEmpty(xPolList3)) {
- for (XXPolicy xPol3 : xPolList3) {
- if (xPol3 != null) {
- if (!processedPolicies.contains(xPol3.getId())) {
- if (!processedSvcIdsForRole.contains(xPol3.getService())
- || !processedRoleName.contains(roleName)) {
- loadRangerPolicies(xPol3.getService(), processedSvcIdsForRole, policyMap, searchFilter);
- processedRoleName.add(roleName);
- }
- if (policyMap.containsKey(xPol3.getId())) {
- policyList.add(policyMap.get(xPol3.getId()));
- processedPolicies.add(xPol3.getId());
- }
+ searchFilter.removeParam("group");
+ XXGroup xxGroup = daoMgr.getXXGroup().findByGroupName(groupName);
+ if (xxGroup != null) {
+ Set allContainedRoles = new HashSet<>();
+ List xxRoles = daoMgr.getXXRole().findByGroupId(xxGroup.getId());
+ for (XXRole xxRole : xxRoles) {
+ getContainingRoles(xxRole.getId(), allContainedRoles);
+ }
+ Set roleNames = getRoleNames(allContainedRoles);
+ Set processedRoleName = new HashSet<>();
+ List xPolList3;
+ for (String roleName : roleNames) {
+ searchFilter.setParam("role", roleName);
+ xPolList3 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList);
+ if (!CollectionUtils.isEmpty(xPolList3)) {
+ for (XXPolicy xPol3 : xPolList3) {
+ if (xPol3 != null) {
+ if (!processedPolicies.contains(xPol3.getId())) {
+ if (!processedSvcIdsForRole.contains(xPol3.getService())
+ || !processedRoleName.contains(roleName)) {
+ loadRangerPolicies(xPol3.getService(), processedSvcIdsForRole, policyMap, searchFilter);
+ processedRoleName.add(roleName);
+ }
+ if (policyMap.containsKey(xPol3.getId())) {
+ policyList.add(policyMap.get(xPol3.getId()));
+ processedPolicies.add(xPol3.getId());
 }
 }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 0e723d9c4b..07119dee39 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -259,6 +259,10 @@ public XXPortalUser updateUser(VXPortalUser userProfile) {
 userProfile.setPublicScreenName(gjUser.getLoginId());
 }
+ if (rangerBizUtil.isKeyAdmin() && userProfile.getStatus() != gjUser.getStatus()) {
+ throw restErrorUtil.createRESTException("Status update is not permitted to logged in user.", MessageEnums.INVALID_INPUT_DATA);
+ }
+
 // userRoleList
 updateRoles(userProfile.getId(), userProfile.getUserRoleList());
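Review bot: The rewritten group block changes which policies a named group search returns: the old code always added `RangerConstants.GROUP_PUBLIC` to `groupNames`, while the new code substitutes the public group only when `groupName` is blank, so policies granted to the public group no longer appear when a specific group is requested. If that narrowing is intended it deserves a comment on the `if (StringUtils.isBlank(groupName))` line; if not, restore `groupNames.add(RangerConstants.GROUP_PUBLIC);` after the `findGroupNamesByGroupName` call. The block still relies on `daoMgr.getXXGroupGroup()` although this commit removes the group-group DAO, entity, service and management methods from `XUserMgr` and `XUserMgrBase`, so confirm the DAO is meant to survive here. The enclosing method begins and ends outside the hunk.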
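Review bot: `userProfile.getStatus() != gjUser.getStatus()` in the new `updateUser` guard is only correct if both getters return a primitive; should either return a boxed `Integer`, `!=` compares references and the check will both let equal values through and reject unchanged ones — `!Objects.equals(userProfile.getStatus(), gjUser.getStatus())` behaves correctly in either case. The rule is keyed on `rangerBizUtil.isKeyAdmin()`, so a non-admin, non-key-admin caller that reaches this point is not subject to it; if the intent is "only sys admins may change another account's status", the positive form `!rangerBizUtil.isAdmin()` says so directly. The rest of `updateUser` is outside the hunk.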
@@ -338,17 +342,10 @@ public void setUserRoles(Long userId, List vStringRolesList) {
 /**
 * @param pwdChange
- * @return
- */
- public VXResponse changePassword(VXPasswordChange pwdChange) {
-
- VXResponse ret = new VXResponse();
-
- // First let's get the XXPortalUser for the current logged in user
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- XXPortalUser gjUserCurrent = daoManager.getXXPortalUser().findByLoginId(currentUserLoginId);
- checkAccessForUpdate(gjUserCurrent);
-
+ * @return
+ */
+ public VXResponse changePassword(VXPasswordChange pwdChange) {
+ VXResponse ret = new VXResponse();
 // Get the user of whom we want to change the password
 XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(pwdChange.getLoginId());
 if (gjUser == null) {
@@ -362,8 +359,8 @@ public VXResponse changePassword(VXPasswordChange pwdChange) {
 vXResponse.setMsgDesc("SECURITY:changePassword().Ranger External Users cannot change password. LoginId=" + pwdChange.getLoginId());
 throw restErrorUtil.generateRESTException(vXResponse);
 }
-
- String currentPassword = gjUser.getPassword();
+ checkAccess(gjUser);
+ String currentPassword = gjUser.getPassword();
 //check current password and provided old password is same or not
 if (this.isFipsEnabled) {
 if (!isPasswordValid(pwdChange.getLoginId(), currentPassword, pwdChange.getOldPassword())) {
@@ -436,8 +433,7 @@ private void updateOldPasswords(XXPortalUser gjUser, List oldPasswords)
 * @return
 */
 public VXPortalUser changeEmailAddress(XXPortalUser gjUser, VXPasswordChange changeEmail) {
- checkAccessForUpdate(gjUser);
- rangerBizUtil.blockAuditorRoleUser();
+ checkAccess(gjUser);
 if (StringUtils.isEmpty(changeEmail.getEmailAddress())) {
 changeEmail.setEmailAddress(null);
 }
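Review bot: In `changePassword` the authorization check now runs after the target lookup and after the external-user rejection: the hunk at -338 removes `checkAccessForUpdate(gjUserCurrent)` from the top of the method and the hunk at -362 adds `checkAccess(gjUser)` only after the `SECURITY:changePassword().Ranger External Users cannot change password` response, so a caller who is not permitted to act on the target still receives a distinct answer for a missing login (the `gjUser == null` branch) and for an external account before the 403 is reached. That ordering lets an unprivileged caller learn account existence and type. Move `checkAccess(gjUser);` to immediately after the `if (gjUser == null)` block so the decision precedes any target-specific message, or return the same 403 in all three cases. The `gjUser == null` branch and the remainder of the method are outside the hunks.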
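Review bot: `changeEmailAddress` drops `rangerBizUtil.blockAuditorRoleUser()` together with `checkAccessForUpdate`, and the replacement `checkAccess(gjUser)` (rewritten later in this commit) delegates to `hasAccessToGetUserInfo`, which returns true for an auditor-role caller viewing users of its own tier; an auditor can therefore now change another user's e-mail address where the explicit block used to refuse it. If auditors remain read-only, keep `rangerBizUtil.blockAuditorRoleUser();` on the line after `checkAccess(gjUser);`. A read-oriented visibility check is a weak guard for a write path in general, so the same question applies to every former `checkAccessForUpdate` caller.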
@@ -625,33 +621,24 @@ protected void gjUserToUserProfile(XXPortalUser user, VXPortalUser userProfile)
 }
 userProfile.setId(user.getId());
- List xUserPermissions = daoManager
- .getXXUserPermission().findByUserPermissionIdAndIsAllowed(
- userProfile.getId());
- List xxGroupPermissions = daoManager
- .getXXGroupPermission().findbyVXPortalUserId(
- userProfile.getId());
-
- List groupPermissions = new ArrayList();
- List vxUserPermissions = new ArrayList();
- for (XXGroupPermission xxGroupPermission : xxGroupPermissions) {
- VXGroupPermission groupPermission = xGroupPermissionService
- .populateViewBean(xxGroupPermission);
- groupPermission.setModuleName(daoManager.getXXModuleDef()
- .findByModuleId(groupPermission.getModuleId())
- .getModule());
- groupPermissions.add(groupPermission);
- }
- for (XXUserPermission xUserPermission : xUserPermissions) {
- VXUserPermission vXUserPermission = xUserPermissionService
- .populateViewBean(xUserPermission);
- vXUserPermission.setModuleName(daoManager.getXXModuleDef()
- .findByModuleId(vXUserPermission.getModuleId())
- .getModule());
- vxUserPermissions.add(vXUserPermission);
+ if (sess.isUserAdmin() || sess.getXXPortalUser().getId().equals(user.getId())) {
+ List xUserPermissions = daoManager.getXXUserPermission().findByUserPermissionIdAndIsAllowed(userProfile.getId());
+ List xxGroupPermissions = daoManager.getXXGroupPermission().findbyVXPortalUserId(userProfile.getId());
+ List groupPermissions = new ArrayList();
+ List vxUserPermissions = new ArrayList();
+ for (XXGroupPermission xxGroupPermission : xxGroupPermissions) {
+ VXGroupPermission groupPermission = xGroupPermissionService.populateViewBean(xxGroupPermission);
+ groupPermission.setModuleName(daoManager.getXXModuleDef().findByModuleId(groupPermission.getModuleId()).getModule());
+ groupPermissions.add(groupPermission);
+ }
+ for (XXUserPermission xUserPermission : xUserPermissions) {
+ VXUserPermission vXUserPermission = xUserPermissionService.populateViewBean(xUserPermission);
+ vXUserPermission.setModuleName(daoManager.getXXModuleDef().findByModuleId(vXUserPermission.getModuleId()).getModule());
+ vxUserPermissions.add(vXUserPermission);
+ }
+ userProfile.setGroupPermissions(groupPermissions);
+ userProfile.setUserPermList(vxUserPermissions);
 }
- userProfile.setGroupPermissions(groupPermissions);
- userProfile.setUserPermList(vxUserPermissions);
 userProfile.setFirstName(user.getFirstName());
 userProfile.setLastName(user.getLastName());
 userProfile.setPublicScreenName(user.getPublicScreenName());
@@ -765,14 +752,20 @@ public VXPortalUserList searchUsers(SearchCriteria searchCriteria) {
 @SuppressWarnings("rawtypes")
 List resultList = query.getResultList();
 // Iterate over the result list and create the return list
+ int adminCount = 0;
 for (Object object : resultList) {
 XXPortalUser gjUser = (XXPortalUser) object;
 VXPortalUser userProfile = new VXPortalUser();
 gjUserToUserProfile(gjUser, userProfile);
- objectList.add(userProfile);
+ if (rangerBizUtil.isKeyAdmin() && (userProfile.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) || userProfile.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR))) {
+ adminCount++;
+ continue;
+ } else {
+ objectList.add(userProfile);
+ }
 }
- returnList.setResultSize(resultSize);
+ returnList.setResultSize(resultSize-adminCount);
 returnList.setPageSize(query.getMaxResults());
 returnList.setSortBy(sortBy);
 returnList.setSortType(querySortType);
@@ -1007,9 +1000,7 @@ public XXPortalUserRole addUserRole(Long userId, String userRole) {
 public void checkAccess(Long userId) {
 XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userId);
 if (gjUser == null) {
- throw restErrorUtil
- .create403RESTException("serverMsg.userMgrWrongUser: "
- + userId);
+ throw restErrorUtil.create403RESTException("serverMsg.userMgrWrongUser: " + userId);
 }
 checkAccess(gjUser);
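Review bot: `sess` is dereferenced unconditionally in the new `if (sess.isUserAdmin() || sess.getXXPortalUser().getId().equals(user.getId()))`; its declaration is outside the hunk, and the `checkAccess` code this same commit deletes treated a null session as possible (`sess != null ? ... : "Not Logged In"`), so a null guard is needed unless the earlier part of `gjUserToUserProfile` already rejects an absent session. When the condition is false, `setGroupPermissions` and `setUserPermList` are never called, so callers now see null where the old code always produced lists; `else { userProfile.setGroupPermissions(new ArrayList()); userProfile.setUserPermList(new ArrayList()); }` keeps the response shape stable. Note too that key admins are no longer in the allowed set (the removed `checkAccess` accepted `sess.isKeyAdmin()`), which may or may not be intended.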
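Review bot: Filtering admin accounts out of `resultList` after the query and reporting `resultSize-adminCount` breaks paging for key-admin callers: `resultSize` is computed outside the hunk (it appears to be a total across pages), whereas `adminCount` counts only rows on the current page, so the reported size is wrong whenever excluded accounts fall on other pages and each page comes back short. The exclusion belongs in the query, or the count must be recomputed from the filtered set. Stylistically the `else` after `continue;` is redundant — `if (...) { adminCount++; continue; } objectList.add(userProfile);` reads the same — and `userProfile.getUserRoleList()` is dereferenced twice with no null check; `gjUserToUserProfile` presumably populates it, but a local `List roles = userProfile.getUserRoleList();` with a guard would make that explicit.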
@@ -1021,58 +1012,14 @@ public void checkAccess(Long userId) {
 */
 public void checkAccess(XXPortalUser gjUser) {
 if (gjUser == null) {
- throw restErrorUtil
- .create403RESTException("serverMsg.userMgrWrongUser");
+ throw restErrorUtil.create403RESTException("serverMsg.userMgrWrongUser");
 }
- UserSessionBase sess = ContextUtil.getCurrentUserSession();
- if (sess != null) {
-
- // Admin
- if (sess.isUserAdmin() || sess.isKeyAdmin()) {
- return;
- }
-
- // Self
- if (sess.getXXPortalUser().getId().equals(gjUser.getId())) {
- return;
- }
-
- }
- throw restErrorUtil.create403RESTException("User "
- + " access denied. loggedInUser="
- + (sess != null ? sess.getXXPortalUser().getId()
- : "Not Logged In") + ", accessing user="
- + gjUser.getId());
-
- }
-
- public void checkAccessForUpdate(XXPortalUser gjUser) {
- if (gjUser == null) {
- throw restErrorUtil
- .create403RESTException("serverMsg.userMgrWrongUser");
- }
- UserSessionBase sess = ContextUtil.getCurrentUserSession();
- if (sess != null) {
-
- // Admin
- if (sess.isUserAdmin()) {
- return;
- }
-
- // Self
- if (sess.getXXPortalUser().getId().equals(gjUser.getId())) {
- return;
- }
-
+ VXPortalUser requestedVXUser = getUserProfileByLoginId(gjUser.getLoginId());
+ if (requestedVXUser !=null && CollectionUtils.isNotEmpty(requestedVXUser.getUserRoleList()) && hasAccessToGetUserInfo(requestedVXUser)) {
+ return;
 }
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN);
- vXResponse.setMsgDesc("User "
- + " access denied. loggedInUser="
- + (sess != null ? sess.getXXPortalUser().getId()
- : "Not Logged In") + ", accessing user="
- + gjUser.getId());
- throw restErrorUtil.generateRESTException(vXResponse);
+ logger.info("Logged-In user is not allowed to access requested user data.");
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true);
 }
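Review bot: The rewritten `checkAccess` swaps the admin-or-self rule for `hasAccessToGetUserInfo`, which (per the new helper at the end of this file) grants access only when the logged-in profile has exactly one role, and the `CollectionUtils.isNotEmpty` precondition denies any target with an empty role list; a caller holding two roles is now refused every `checkAccess`-guarded operation, including on their own account. Confirm that single-role accounts are an invariant, or drop the `size() == 1` requirement. The denial log also lost the identifiers the old message carried; `logger.info("Access denied: loggedInUser={}, requestedUser={}", ContextUtil.getCurrentUserLoginId(), gjUser.getLoginId());` preserves the forensic trail without exposing anything to the client. `checkAccessForUpdate`, removed here, admitted only sys admins and self, so its former callers now accept a wider set of principals than before.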
@@ -1460,4 +1407,27 @@ private String encodeString(String text, String salt, String algorithm) {
 throw restErrorUtil.createRESTException("algorithm `" + algorithm + "' not supported");
 }
 }
+
+ private boolean hasAccessToGetUserInfo(VXPortalUser requestedVXUser) {
+ UserSessionBase userSession = ContextUtil.getCurrentUserSession();
+ if (userSession != null && userSession.getLoginId() != null) {
+ VXPortalUser loggedInVXUser = getUserProfileByLoginId(userSession.getLoginId());
+ if (loggedInVXUser != null && loggedInVXUser.getUserRoleList().size() == 1) {
+ if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {
+ return requestedVXUser.getId().equals(loggedInVXUser.getId()) ? true : false;
+ } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN) || loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
+ if (requestedVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN) || requestedVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) || requestedVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {
+ return true;
+ }
+ } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) || loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR)) {
+ if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) && "rangerusersync".equalsIgnoreCase(userSession.getLoginId())) {
+ return true;
+ } else if (requestedVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) || requestedVXUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || requestedVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
 }
\ No newline at end of file
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
index 2fde68de11..038402fd00 100644
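Review bot: `hasAccessToGetUserInfo` is duplicated almost verbatim in `XUserMgr.hasAccessToGetUserInfo` (rewritten in this same commit), differing only in the `VXPortalUser`/`VXUser` parameter type; two copies of the authorization matrix will drift, so the role-to-role rule should live in one place — a static helper taking the two role lists and the login id — that both call. In this copy `loggedInVXUser.getUserRoleList().size()` is read with no null check although the caller guards only the requested user's list, and the `"rangerusersync"` literal repeats the one in `XUserMgr.checkAccessRoles` (compared there with `equals`, here with `equalsIgnoreCase`), so a shared constant and one comparison would keep the special-case account consistent. `return requestedVXUser.getId().equals(loggedInVXUser.getId()) ? true : false;` is simply `return requestedVXUser.getId().equals(loggedInVXUser.getId());`. The file also ends without a trailing newline.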
--- a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
@@ -52,35 +52,35 @@ public class XAuditMgr extends XAuditMgrBase {
 RangerBizUtil rangerBizUtil;
 public VXTrxLog getXTrxLog(Long id) {
- checkAdminAccess();
+ checkAllAdminsAccess();
 return super.getXTrxLog(id);
 }
 public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) {
 checkAdminAccess();
- rangerBizUtil.blockAuditorRoleUser();
+ rangerBizUtil.blockAuditorRoleUser();
 return super.createXTrxLog(vXTrxLog);
 }
 public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) {
 checkAdminAccess();
- rangerBizUtil.blockAuditorRoleUser();
+ rangerBizUtil.blockAuditorRoleUser();
 return super.updateXTrxLog(vXTrxLog);
 }
 public void deleteXTrxLog(Long id, boolean force) {
 checkAdminAccess();
- rangerBizUtil.blockAuditorRoleUser();
+ rangerBizUtil.blockAuditorRoleUser();
 super.deleteXTrxLog(id, force);
 }
 public VXTrxLogList searchXTrxLogs(SearchCriteria searchCriteria) {
- checkAdminAccess();
+ checkAllAdminsAccess();
 return super.searchXTrxLogs(searchCriteria);
 }
 public VXLong getXTrxLogSearchCount(SearchCriteria searchCriteria) {
- checkAdminAccess();
+ checkAllAdminsAccess();
 return super.getXTrxLogSearchCount(searchCriteria);
 }
@@ -144,4 +144,12 @@ public VXLong getXAccessAuditSearchCount(SearchCriteria searchCriteria) {
 }
 }
+ private boolean checkAllAdminsAccess(){
+ if (rangerBizUtil.isAdmin() || rangerBizUtil.isKeyAdmin() || rangerBizUtil.isAuditAdmin() || rangerBizUtil.isAuditKeyAdmin()){
+ return true;
+ } else {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User doesn't have permissions to perform this action", true);
+ }
+ }
+
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java
index c53db99f3b..02b2e59a3f 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java
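Review bot: `checkAllAdminsAccess` is declared `boolean` but every call site (`getXTrxLog`, `searchXTrxLogs`, `getXTrxLogSearchCount`) discards the result and relies on the throw, so `return true` carries no information; declare it `private void checkAllAdminsAccess()` with a single `if (!(rangerBizUtil.isAdmin() || rangerBizUtil.isKeyAdmin() || rangerBizUtil.isAuditAdmin() || rangerBizUtil.isAuditKeyAdmin())) { throw ...; }`, matching how `checkAdminAccess()` is used in the same class. The method name and 403 text should also say what is being granted — read access to transaction logs for sys/key admins and both auditor roles — since the write paths in the first hunk keep the stricter `checkAdminAccess()` plus `blockAuditorRoleUser()`; a Javadoc line such as `/** Read-only audit access: sys/key admins and their auditors; 403 otherwise. Write paths use checkAdminAccess. */` records that asymmetry as deliberate. The three `blockAuditorRoleUser()` lines in the first hunk change only whitespace.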
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java
@@ -19,12 +19,15 @@
 package org.apache.ranger.biz;
+import java.util.List;
+import java.util.stream.Collectors;
+
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.RESTErrorUtil;
 import org.apache.ranger.common.SearchCriteria;
 import org.apache.ranger.plugin.store.PList;
-import org.apache.ranger.service.XAccessAuditService;
 import org.apache.ranger.service.RangerTrxLogV2Service;
+import org.apache.ranger.service.XAccessAuditService;
 import org.apache.ranger.view.VXAccessAudit;
 import org.apache.ranger.view.VXAccessAuditList;
 import org.apache.ranger.view.VXLong;
@@ -33,9 +36,6 @@
 import org.apache.ranger.view.VXTrxLogV2;
 import org.springframework.beans.factory.annotation.Autowired;
-import java.util.List;
-import java.util.stream.Collectors;
-
 public class XAuditMgrBase {
 @Autowired
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 5ba6c14b90..cec829361f 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -58,7 +58,6 @@
 import org.apache.ranger.db.XXAuditMapDao;
 import org.apache.ranger.db.XXAuthSessionDao;
 import org.apache.ranger.db.XXGroupDao;
-import org.apache.ranger.db.XXGroupGroupDao;
 import org.apache.ranger.db.XXGroupPermissionDao;
 import org.apache.ranger.db.XXGroupUserDao;
 import org.apache.ranger.db.XXPermMapDao;
@@ -70,7 +69,6 @@
 import org.apache.ranger.db.XXUserPermissionDao;
 import org.apache.ranger.entity.XXAuditMap;
 import org.apache.ranger.entity.XXGroup;
-import org.apache.ranger.entity.XXGroupGroup;
 import org.apache.ranger.entity.XXGroupUser;
 import org.apache.ranger.entity.XXPermMap;
 import org.apache.ranger.entity.XXPolicy;
@@ -162,9 +160,15 @@ public class XUserMgr extends XUserMgrBase {
 static final Logger logger = LoggerFactory.getLogger(XUserMgr.class);
 static final Set roleAssignmentUpdatedUsers = new HashSet<>();
+ static final String MSG_DATA_ACCESS_DENY = "Logged-In user is not allowed to access requested user data";
+
 public VXUser getXUserByUserName(String userName) {
 VXUser vXUser=null;
 vXUser=xUserService.getXUserByUserName(userName);
+ if(vXUser != null && !hasAccessToGetUserInfo(vXUser)) {
+ logger.info(MSG_DATA_ACCESS_DENY);
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, MSG_DATA_ACCESS_DENY, true);
+ }
 if(vXUser!=null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)){
 vXUser=getMaskedVXUser(vXUser);
 }
@@ -381,7 +385,7 @@ public VXUser updateXUser(VXUser vXUser) {
 throw restErrorUtil.createRESTException("Please provide a valid first name.", MessageEnums.INVALID_INPUT_DATA);
 }
- checkAccess(vXUser.getName());
+ checkAccess(vXUser);
 xaBizUtil.blockAuditorRoleUser();
 VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser
 .getName());
@@ -792,11 +796,9 @@ public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) {
 public VXUser getXUser(Long id) {
 VXUser vXUser=null;
 vXUser=xUserService.readResourceWithOutLogin(id);
- if(vXUser != null){
- if(!hasAccessToGetUserInfo(vXUser)){
- logger.info("Logged-In user is not allowed to access requested user data.");
- throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.");
- }
+ if(vXUser != null && !hasAccessToGetUserInfo(vXUser)){
+ logger.info(MSG_DATA_ACCESS_DENY);
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, MSG_DATA_ACCESS_DENY, true);
 }
 if(vXUser!=null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)){
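Review bot: In `getXUserByUserName` the new 403 is raised only when `vXUser != null`, while a lookup that returns null falls through to the masking branch and the rest of the method (outside the hunk); if that remainder reports not-found, a caller who is not allowed to view the target gets a different answer for an existing login (403) than for a missing one, which lets unprivileged callers probe which user names exist. The `getXUser(Long id)` hunk in this file has the same shape. Returning the same 403 for both outcomes, or deferring the denial until after uniform not-found handling, closes that oracle. `MSG_DATA_ACCESS_DENY` is package-visible like the `logger` field; make it `private` unless another class is meant to reuse it.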
@@ -808,17 +810,20 @@ public VXUser getXUser(Long id) {
 private boolean hasAccessToGetUserInfo(VXUser requestedVXUser) {
 UserSessionBase userSession = ContextUtil.getCurrentUserSession();
 if (userSession != null && userSession.getLoginId() != null) {
- VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession
- .getLoginId());
- if (loggedInVXUser != null) {
- if (loggedInVXUser.getUserRoleList().size() == 1
- && loggedInVXUser.getUserRoleList().contains(
- RangerConstants.ROLE_USER)) {
-
+ VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId());
+ if (requestedVXUser != null && CollectionUtils.isNotEmpty(requestedVXUser.getUserRoleList()) && loggedInVXUser != null && loggedInVXUser.getUserRoleList().size() == 1) {
+ if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {
 return requestedVXUser.getId().equals(loggedInVXUser.getId()) ? true : false;
-
- }else{
- return true;
+ } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN) || loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
+ if (requestedVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN) || requestedVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) || requestedVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {
+ return true;
+ }
+ } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) || loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR)) {
+ if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) && "rangerusersync".equalsIgnoreCase(userSession.getLoginId())) {
+ return true;
+ } else if (requestedVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) || requestedVXUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || requestedVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {
+ return true;
+ }
 }
 }
 }
@@ -846,7 +851,7 @@ public VXGroup getXGroup(Long id) {
 .findGroupIdListByUserId(loggedInVXUser.getId());
 if (!listGroupId.contains(id)) {
- logger.info("Logged-In user is not allowed to access requested user data.");
+ logger.info(MSG_DATA_ACCESS_DENY);
 throw restErrorUtil
 .create403RESTException("Logged-In user is not allowed to access requested group data.");
 }
@@ -1037,24 +1042,6 @@ public void deleteXGroupUser(Long id, boolean force) {
 super.deleteXGroupUser(id, force);
 }
- public VXGroupGroup createXGroupGroup(VXGroupGroup vXGroupGroup){
- checkAdminAccess();
- xaBizUtil.blockAuditorRoleUser();
- return super.createXGroupGroup(vXGroupGroup);
- }
-
- public VXGroupGroup updateXGroupGroup(VXGroupGroup vXGroupGroup) {
- checkAdminAccess();
- xaBizUtil.blockAuditorRoleUser();
- return super.updateXGroupGroup(vXGroupGroup);
- }
-
- public void deleteXGroupGroup(Long id, boolean force) {
- checkAdminAccess();
- xaBizUtil.blockAuditorRoleUser();
- super.deleteXGroupGroup(id, force);
- }
-
 public void deleteXPermMap(Long id, boolean force) {
 xaBizUtil.blockAuditorRoleUser();
 if (force) {
@@ -1374,12 +1361,11 @@ public void checkAdminAccess() {
 }
 }
- public void checkAccess(String loginID) {
+ public void checkAccess(VXUser vxUser) {
 UserSessionBase session = ContextUtil.getCurrentUserSession();
 if (session != null) {
- if (!session.isUserAdmin() && !session.isKeyAdmin() && !session.getLoginId().equalsIgnoreCase(loginID)) {
- throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In")
- + " ,isn't permitted to perform the action.");
+ if (!hasAccessToGetUserInfo(vxUser)) {
+ throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In") + " ,isn't permitted to perform the action.");
 }
 } else {
 VXResponse vXResponse = new VXResponse();
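Review bot: `checkAccess(VXUser vxUser)` now passes a possibly null `vxUser` into `hasAccessToGetUserInfo`, which returns false for a null request, so callers that hand it a raw lookup result — `getUserRolesByName` and `createOrUpdateXUsers` later in this diff call `checkAccess(vXUser)` with a value that can be null — answer "Operation denied" for a missing user instead of the invalid-input error `updateXUser` gives; decide whether an absent target is a 403 or a 400 and handle it explicitly before the call. The `(session != null ? ... : "Not Logged In")` ternary on the rewritten throw line sits inside `if (session != null)`, so its else branch is unreachable and `session.getXXPortalUser().getId()` alone is enough. The method has also widened from self-or-admin to the role matrix in `hasAccessToGetUserInfo`, so a key admin now passes `checkAccess` for plain users on write paths such as `updateXUser` — confirm that is intended rather than a side effect of reusing a read-visibility rule.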
@@ -1482,37 +1468,14 @@ public void checkAccessRoles(List stringRolesList) {
 UserSessionBase session = ContextUtil.getCurrentUserSession();
 if (session != null && stringRolesList != null) {
 if (!session.isUserAdmin() && !session.isKeyAdmin()) {
- throw restErrorUtil.create403RESTException("Permission"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
+ throw restErrorUtil.create403RESTException("Permission denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In") + " ,isn't permitted to perform the action.");
 } else {
- if (!"rangerusersync".equals(session.getXXPortalUser()
- .getLoginId())) {// new logic for rangerusersync user
- if (session.isUserAdmin()
- && stringRolesList
- .contains(RangerConstants.ROLE_KEY_ADMIN)) {
- throw restErrorUtil.create403RESTException("Permission"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser()
- .getId() : "")
- + " isn't permitted to perform the action.");
+ if (!"rangerusersync".equals(session.getXXPortalUser().getLoginId())) {// new logic for rangerusersync user
+ if (session.isUserAdmin() && (stringRolesList.contains(RangerConstants.ROLE_KEY_ADMIN) || stringRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR))) {
+ throw restErrorUtil.create403RESTException("Permission denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "") + " isn't permitted to perform the action.");
+ } else if (session.isKeyAdmin() && (stringRolesList.contains(RangerConstants.ROLE_SYS_ADMIN) || stringRolesList.contains(RangerConstants.ROLE_ADMIN_AUDITOR))) {
+ throw restErrorUtil.create403RESTException("Permission denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "") + " isn't permitted to perform the action.");
 }
- if (session.isKeyAdmin()
- && stringRolesList
- .contains(RangerConstants.ROLE_SYS_ADMIN)) {
- throw restErrorUtil.create403RESTException("Permission"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser()
- .getId() : "")
- + " isn't permitted to perform the action.");
- }
- } else {
- logger.info("LoggedInUser="
- + (session != null ? session.getXXPortalUser()
- .getId() : "")
- + " is permitted to perform the action.");
 }
 }
 } else {
@@ -1531,8 +1494,8 @@ public VXStringList setUserRolesByExternalID(Long userId, List vString
 roleListNewProfile.add(vXString.getValue());
 }
 }
- checkAccessRoles(roleListNewProfile);
 VXUser vXUser=getXUser(userId);
+ checkAccessRoles(roleListNewProfile);
 List portalUserRoleList =null;
 if(vXUser!=null && roleListNewProfile.size()>0){
 VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName());
@@ -1557,9 +1520,10 @@ public VXStringList setUserRolesByName(String userName, List vStringRo
 roleListNewProfile.add(vXString.getValue());
 }
 }
+ VXUser vXUser=getXUserByUserName(userName);
 checkAccessRoles(roleListNewProfile);
- if(userName!=null && roleListNewProfile.size()>0){
- VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(userName);
+ if(vXUser!=null && roleListNewProfile.size()>0){
+ VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName());
 if(oldUserProfile!=null){
 denySelfRoleChange(oldUserProfile.getLoginId());
 updateUserRolesPermissions(oldUserProfile,roleListNewProfile);
@@ -1579,7 +1543,7 @@ public VXStringList getUserRolesByExternalID(Long userId) {
 if(vXUser==null){
 throw restErrorUtil.createRESTException("Please provide a valid ID", MessageEnums.INVALID_INPUT_DATA);
 }
- checkAccess(vXUser.getName());
+ checkAccess(vXUser);
 List portalUserRoleList =null;
 VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName());
 if(oldUserProfile!=null){
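Review bot: The removed `else { logger.info("LoggedInUser=" ... " is permitted to perform the action."); }` was the only record that the `rangerusersync` bypass fired; since that account may assign any role, keep an audit line for it, e.g. `logger.info("Role assignment by rangerusersync user, roles={}", stringRolesList);`, rather than skipping the checks silently. The `"rangerusersync"` literal is compared with `equals` here and with `equalsIgnoreCase` in the new `hasAccessToGetUserInfo`, so the two paths disagree on case; one shared constant and one comparison would fix that. The three rewritten 403 messages differ only in the fallback id and a comma, so a small helper that builds the message would remove the repetition, and the `(session != null ? ...)` ternaries are redundant inside `if (session != null && stringRolesList != null)`. In the `setUserRolesByName` hunk the new `getXUserByUserName(userName)` call can return a masked copy (`getMaskedVXUser`) when the caller lacks the user-groups module, so confirm `vXUser.getName()` survives masking before it is passed to `getUserProfileByLoginId`.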
@@ -1593,7 +1557,8 @@ public VXStringList getUserRolesByExternalID(Long userId) { public VXStringList getUserRolesByName(String userName) { VXPortalUser vXPortalUser=null; if(userName!=null && !userName.trim().isEmpty()){ - checkAccess(userName); + VXUser vXUser=xUserService.getXUserByUserName(userName); + checkAccess(vXUser); vXPortalUser = userMgr.getUserProfileByLoginId(userName); if(vXPortalUser!=null && vXPortalUser.getUserRoleList()!=null){ List portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(vXPortalUser.getId()); @@ -2090,9 +2055,6 @@ public void deleteXGroup(Long id, boolean force) { XXGroupPermissionDao xXGroupPermissionDao=daoManager.getXXGroupPermission(); List xXGroupPermissions=xXGroupPermissionDao.findByGroupId(id); - XXGroupGroupDao xXGroupGroupDao = daoManager.getXXGroupGroup(); - List xXGroupGroups = xXGroupGroupDao.findByGroupId(id); - XXPolicyDao xXPolicyDao = daoManager.getXXPolicy(); List xXPolicyList = xXPolicyDao.findByGroupId(id); logger.warn("Deleting GROUP : "+vXGroup.getName()); @@ -2131,17 +2093,6 @@ public void deleteXGroup(Long id, boolean force) { xXAuditMapDao.remove(vXAuditMap.getId()); } } - //delete XXGroupGroupDao records of group-group mapping - for (XXGroupGroup xXGroupGroup : xXGroupGroups) { - if(xXGroupGroup!=null){ - XXGroup xXGroupParent=xXGroupDao.getById(xXGroupGroup.getParentGroupId()); - XXGroup xXGroupChild=xXGroupDao.getById(xXGroupGroup.getGroupId()); - if(xXGroupParent!=null && xXGroupChild!=null){ - logger.warn("Removing group '" + xXGroupChild.getName() + "' from group '" + xXGroupParent.getName() + "'"); - } - xXGroupGroupDao.remove(xXGroupGroup.getId()); - } - } //delete XXPolicyItemGroupPerm records of group for (XXPolicy xXPolicy : xXPolicyList) { RangerPolicy rangerPolicy = policyService.getPopulatedViewObject(xXPolicy); 
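Review bot: `xUserService.getXUserByUserName(userName)` can return null for an unknown name, and that null is passed straight into `checkAccess(vXUser)` before the method continues with `userMgr.getUserProfileByLoginId(userName)`; unless checkAccess rejects a null argument (it is not visible here), a name that exists as a portal user but not as an XUser would skip the per-user check and still have its roles returned. Guard it explicitly, mirroring the id variant in getUserRolesByExternalID: `if (vXUser == null) { throw restErrorUtil.createRESTException("Please provide a valid username", MessageEnums.INVALID_INPUT_DATA); }` before the checkAccess call. getUserRolesByName continues outside the hunk.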
@@ -2235,9 +2186,6 @@ public void deleteXGroup(Long id, boolean force) { if(hasReferences==false && vXAuditMapList.getListSize()>0){ hasReferences=true; } - if(hasReferences==false && CollectionUtils.isNotEmpty(xXGroupGroups)){ - hasReferences=true; - } if(hasReferences==false && CollectionUtils.isNotEmpty(xXGroupPermissions)){ hasReferences=true; } @@ -2780,7 +2728,7 @@ public int createOrUpdateXUsers(VXUserList users) { continue; } - checkAccess(userName); + checkAccess(vXUser); TransactionTemplate txTemplate = new TransactionTemplate(txManager); txTemplate.setPropagationBehavior(TransactionDefinition.PROPAGATION_REQUIRES_NEW); try { diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgrBase.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgrBase.java index 54e6d373ae..5f95ef733d 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgrBase.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgrBase.java @@ -23,7 +23,6 @@ import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.service.XAuditMapService; -import org.apache.ranger.service.XGroupGroupService; import org.apache.ranger.service.XGroupPermissionService; import org.apache.ranger.service.XGroupService; import org.apache.ranger.service.XGroupUserService; @@ -34,8 +33,6 @@ import org.apache.ranger.view.VXAuditMap; import org.apache.ranger.view.VXAuditMapList; import org.apache.ranger.view.VXGroup; -import org.apache.ranger.view.VXGroupGroup; -import org.apache.ranger.view.VXGroupGroupList; import org.apache.ranger.view.VXGroupList; import org.apache.ranger.view.VXGroupPermissionList; import org.apache.ranger.view.VXGroupUser; @@ -63,9 +60,6 @@ public class XUserMgrBase { @Autowired XGroupUserService xGroupUserService; - @Autowired - XGroupGroupService xGroupGroupService; - @Autowired XPermMapService xPermMapService; 
@@ -179,39 +173,6 @@ public VXLong getXGroupUserSearchCount(SearchCriteria searchCriteria) { xGroupUserService.searchFields); } - public VXGroupGroup getXGroupGroup(Long id){ - return (VXGroupGroup)xGroupGroupService.readResource(id); - } - - public VXGroupGroup createXGroupGroup(VXGroupGroup vXGroupGroup){ - vXGroupGroup = (VXGroupGroup)xGroupGroupService.createResource(vXGroupGroup); - return vXGroupGroup; - } - - public VXGroupGroup updateXGroupGroup(VXGroupGroup vXGroupGroup) { - vXGroupGroup = (VXGroupGroup)xGroupGroupService.updateResource(vXGroupGroup); - return vXGroupGroup; - } - - public void deleteXGroupGroup(Long id, boolean force) { - if (force) { - xGroupGroupService.deleteResource(id); - } else { - throw restErrorUtil.createRESTException( - "serverMsg.modelMgrBaseDeleteModel", - MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); - } - } - - public VXGroupGroupList searchXGroupGroups(SearchCriteria searchCriteria) { - return xGroupGroupService.searchXGroupGroups(searchCriteria); - } - - public VXLong getXGroupGroupSearchCount(SearchCriteria searchCriteria) { - return xGroupGroupService.getSearchCount(searchCriteria, - xGroupGroupService.searchFields); - } - public VXPermMap getXPermMap(Long id){ return (VXPermMap)xPermMapService.readResource(id); } diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java index 93672662df..21af0636de 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java @@ -19,8 +19,6 @@ package org.apache.ranger.rest; -import java.io.File; -import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.HashMap; import java.util.List; 
@@ -39,14 +37,9 @@ import javax.ws.rs.Produces; import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.Context; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.Response; - -import org.apache.commons.lang.StringUtils; import org.apache.ranger.admin.client.datatype.RESTResponse; import org.apache.ranger.biz.AssetMgr; import org.apache.ranger.biz.RangerBizUtil; -import org.apache.ranger.common.PropertiesUtil; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.RangerSearchUtil; import org.apache.ranger.common.SearchCriteria; @@ -61,7 +54,6 @@ import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.SearchFilter; -import org.apache.ranger.plugin.util.ServicePolicies; import org.apache.ranger.security.context.RangerAPIList; import org.apache.ranger.service.XAccessAuditService; import org.apache.ranger.service.XAssetService; @@ -251,7 +243,6 @@ public VXAssetList searchXAssets(@Context HttpServletRequest request) { if(services != null) { List assets = new ArrayList(); - for(RangerService service : services) { VXAsset asset = serviceUtil.toVXAsset(service); @@ -261,6 +252,8 @@ public VXAssetList searchXAssets(@Context HttpServletRequest request) { } ret.setVXAssets(assets); + ret.setTotalCount(assets.size()); + ret.setResultSize(assets.size()); } if(logger.isDebugEnabled()) { @@ -388,7 +381,6 @@ public VXResource updateXResource(VXResource vXResource , @PathParam("id") Long @DELETE @Path("/resources/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") @RangerAnnotationClassName(class_name = VXResource.class) public void deleteXResource(@PathParam("id") Long id, @Context HttpServletRequest request) { 
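Review bot: Dropping `@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")` from the DELETE `/resources/{id}` endpoint leaves no authorization visible at the REST layer for a destructive operation; the method body is outside the hunk, so I cannot see whether assetMgr or serviceREST enforces an equivalent check further down. If the intent is to let non-sysadmin service admins delete their own policies, the body should carry an explicit guard such as the `bizUtil.isAdmin()` check used by the TagREST hunks in this commit (AssetREST already imports RangerBizUtil), otherwise the annotation should stay. In either case a comment on the method stating where the delete authorization happens would stop this reading as an accidental downgrade.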
@@ -419,7 +411,6 @@ public VXResourceList searchXResources(@Context HttpServletRequest request) { if(policies != null) { List resources = new ArrayList(); - for(RangerPolicy policy : policies) { RangerService service = serviceREST.getServiceByName(policy.getService()); @@ -431,6 +422,8 @@ public VXResourceList searchXResources(@Context HttpServletRequest request) { } ret.setVXResources(resources); + ret.setTotalCount(resources.size()); + ret.setResultSize(resources.size()); } if(logger.isDebugEnabled()) { 
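Review bot: `ret.setTotalCount(resources.size())` reports the number of policies converted in this call, not the number of matching policies; if serviceREST applied paging or a result limit before this loop (not visible here), totalCount equals the page size and clients computing page counts stop after the first page. If no paging is applied upstream the line is fine, but a comment such as `// no server-side paging here: totalCount == resultSize` would record that assumption, and the same applies to the matching lines added to searchXAssets. searchXResources begins outside the hunk.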
@@ -540,78 +533,6 @@ public VXLong countXCredentialStores(@Context HttpServletRequest request) { return assetMgr.getXCredentialStoreSearchCount(searchCriteria); } - @GET - @Path("/resource/{id}") - @Produces({ "application/json" }) - public Response getXResourceFile(@Context HttpServletRequest request, - @PathParam("id") Long id) { - String fileType = searchUtil.extractString(request, - new SearchCriteria(), "fileType", "File type", - StringUtil.VALIDATION_TEXT); - - VXResource resource = getXResource(id); - - - Response response=null; - if(resource!=null && StringUtils.isNotEmpty(fileType)){ - File file = null; - file=assetMgr.getXResourceFile(resource, fileType); - if(file!=null){ - response=Response.ok(file, MediaType.APPLICATION_OCTET_STREAM).header("Content-Disposition","attachment;filename=" + file.getName()).build(); - file=null; - } - } - return response; - } - - @GET - @Path("/policyList/{repository}") - @Produces({ "application/json" }) - @Encoded - public String getResourceJSON(@Context HttpServletRequest request, - @PathParam("repository") String repository) { - - String epoch = request.getParameter("epoch"); - X509Certificate[] certchain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); - String ipAddress = request.getHeader("X-FORWARDED-FOR"); - boolean isSecure = request.isSecure(); - String policyCount = request.getParameter("policyCount"); - String agentId = request.getParameter("agentId"); - Long lastKnowPolicyVersion = Long.valueOf(-1); - String capabilityVector = "0"; - - if (ipAddress == null) { - ipAddress = request.getRemoteAddr(); - } - - boolean httpEnabled = PropertiesUtil.getBooleanProperty("ranger.service.http.enabled",true); - - ServicePolicies servicePolicies = null; - - try { - servicePolicies = serviceREST.getServicePoliciesIfUpdated(repository, lastKnowPolicyVersion, 0L, agentId, "", "", false, capabilityVector, request); - } catch(Exception excp) { - logger.error("failed to retrieve policies for 
repository " + repository, excp); - } - - RangerService service = serviceUtil.getServiceByName(repository); - List policies = servicePolicies != null ? servicePolicies.getPolicies() : null; - long policyUpdTime = (servicePolicies != null && servicePolicies.getPolicyUpdateTime() != null) ? servicePolicies.getPolicyUpdateTime().getTime() : 0l; - VXAsset vAsset = serviceUtil.toVXAsset(service); - List vResourceList = new ArrayList(); - - if(policies != null) { - for(RangerPolicy policy : policies) { - vResourceList.add(serviceUtil.toVXResource(policy, service)); - } - } - - String file = assetMgr.getLatestRepoPolicy(vAsset, vResourceList, policyUpdTime, - certchain, httpEnabled, epoch, ipAddress, isSecure, policyCount, agentId); - - return file; - } - @GET @Path("/exportAudit") @Produces({ "application/json" }) diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java index 7be7127cb9..d8e30b516a 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java @@ -374,6 +374,7 @@ public RangerRoleList getAllRoles(@Context HttpServletRequest request) { } SearchFilter filter = searchUtil.getSearchFilter(request, roleService.sortFields); try { + ensureAdminAccess(null, null); roleStore.getRoles(filter,ret); } catch(WebApplicationException excp) { throw excp; diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 6fc6a3c1ce..ce3a957666 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
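Review bot: The new `ensureAdminAccess(null, null);` runs after `searchUtil.getSearchFilter(request, roleService.sortFields)` has already parsed caller-supplied parameters, so an unauthorized caller can still drive the filter parser and observe any validation errors it raises. Moving the call above the `SearchFilter filter = ...` line authorizes first and keeps the try block for store errors only; the visible `catch(WebApplicationException excp) { throw excp; }` would rethrow the 403 either way. getAllRoles starts outside the hunk.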
@@ -621,6 +621,7 @@ public List getPoliciesForResource(@PathParam("serviceDefName") St if (policyAdmin != null) { ret = policyAdmin.getMatchingPolicies(new RangerAccessResourceImpl(resource)); + ret = applyAdminAccessFilter(ret); } } @@ -674,7 +675,7 @@ private String validateResourcePoliciesRequest(String serviceDefName, String ser LOG.error("Invalid service-name:[" + serviceName + "]"); } if (service == null || !StringUtils.equals(service.getType(), serviceDefName)) { - ret = "Invalid service-name:[" + serviceName + "] or service-name is not of service-type:[" + serviceDefName + "]"; + ret = "Invalid service-name:[" + serviceName + "] or service-type:[" + serviceDefName + "]"; } else { services.add(service); ret = StringUtils.EMPTY; @@ -3509,7 +3510,11 @@ public VXString getPolicyVersionList(@PathParam("policyId") Long policyId) { @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FOR_VERSION_NO + "\")") public RangerPolicy getPolicyForVersionNumber(@PathParam("policyId") Long policyId, @PathParam("versionNo") int versionNo) { - return svcStore.getPolicyForVersionNumber(policyId, versionNo); + RangerPolicy policy = svcStore.getPolicyForVersionNumber(policyId, versionNo); + if (policy != null) { + ensureAdminAndAuditAccess(policy); + } + return policy; } @GET @@ -4135,7 +4140,7 @@ private void validateGrantor(String grantor) { VXUser vxUser = null; if (grantor != null) { try { - vxUser = userMgr.getXUserByUserName(grantor); + vxUser = xUserService.getXUserByUserName(grantor); if (vxUser == null) { throw restErrorUtil.createGrantRevokeRESTException("Grantor user " + grantor + " doesn't exist"); } 
@@ -4149,7 +4154,7 @@ private void validateGrantees(Set grantees) { VXUser vxUser = null; for (String userName : grantees) { try { - vxUser = userMgr.getXUserByUserName(userName); + vxUser = xUserService.getXUserByUserName(userName); if (vxUser == null) { throw restErrorUtil.createGrantRevokeRESTException("Grantee user " + userName + " doesn't exist"); } @@ -4471,6 +4476,10 @@ public RangerPolicy getPolicyByName(String serviceName, String policyName, Strin if (dbPolicy != null) { ret = policyService.getPopulatedViewObject(dbPolicy); } + + if (ret != null) { + ensureAdminAndAuditAccess(ret); + } } if (LOG.isDebugEnabled()) { diff --git a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java index 2adf0b0a27..6675d71a6d 100755 --- a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java @@ -409,12 +409,16 @@ public PList getTagDefs(@Context HttpServletRequest request) { @GET @Path(TagRESTConstants.TAGTYPES_RESOURCE) @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public List getTagTypes() { if(LOG.isDebugEnabled()) { LOG.debug("==> TagREST.getTagTypes()"); } + // check for ADMIN access + if (!bizUtil.isAdmin()) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User don't have permission to perform this action", true); + } + List ret = null; try { @@ -638,12 +642,16 @@ public List getTagsByType(@PathParam("type") String type) { @GET @Path(TagRESTConstants.TAGS_RESOURCE) @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public List getAllTags() { if(LOG.isDebugEnabled()) { LOG.debug("==> TagREST.getAllTags()"); } + // check for ADMIN access + if (!bizUtil.isAdmin()) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User don't have permission to perform this action", true); + } + List ret; try { 
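Review bot: The error text `"User don't have permission to perform this action"` is ungrammatical and is returned verbatim to API clients; use `"User doesn't have permission to perform this action"` (the same literal is repeated in getAllTags and getAllServiceResources). Replacing `@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")` with a `bizUtil.isAdmin()` check also changes who passes if isAdmin() accepts more than ROLE_SYS_ADMIN (its definition is not in the diff), so confirm the two are equivalent or document the intended widening in a comment above the check. The check now runs after the debug log rather than before method entry, which is harmless, and it assumes HttpServletResponse is already imported in TagREST.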
@@ -1042,12 +1050,16 @@ public RangerServiceResource getServiceResourceByResource(@PathParam("serviceNam @GET @Path(TagRESTConstants.RESOURCES_RESOURCE) @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public List getAllServiceResources() { if(LOG.isDebugEnabled()) { LOG.debug("==> TagREST.getAllServiceResources()"); } + // check for ADMIN access + if (!bizUtil.isAdmin()) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User don't have permission to perform this action", true); + } + List ret; try { diff --git a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java index c6557b11c1..4708b86387 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java @@ -323,7 +323,6 @@ public VXResponse changePassword(@PathParam("userId") Long userId, throw restErrorUtil.createRESTException("serverMsg.userRestUser",MessageEnums.DATA_NOT_FOUND, null, null, changePassword.getLoginId()); } - userManager.checkAccessForUpdate(gjUser); changePassword.setId(gjUser.getId()); VXResponse ret = userManager.changePassword(changePassword); return ret; @@ -358,7 +357,6 @@ public VXPortalUser changeEmailAddress(@PathParam("userId") Long userId, throw restErrorUtil.createRESTException("serverMsg.userRestUser",MessageEnums.DATA_NOT_FOUND, null, null, changeEmail.getLoginId()); } - userManager.checkAccessForUpdate(gjUser); changeEmail.setId(gjUser.getId()); VXPortalUser ret = userManager.changeEmailAddress(gjUser, changeEmail); return ret; diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java index 0a3c524b5f..bd71c00b28 100755 --- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 
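Review bot: Removing `userManager.checkAccessForUpdate(gjUser);` from changePassword and changeEmailAddress deletes the only visible authorization between resolving `gjUser` and performing the update; unless userManager.changePassword and changeEmailAddress now enforce the same ownership/admin check internally (not shown in this diff), any authenticated caller could change another user's password or email by id. If the check did move into the manager, a one-line comment at the call site, `// access check is performed inside userManager.changePassword`, would make that explicit; if it did not, the call must stay. Both methods start outside their hunks.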
@@ -60,6 +60,7 @@ import org.apache.ranger.common.annotation.RangerAnnotationClassName; import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.entity.XXGroup; import org.apache.ranger.entity.XXService; import org.apache.ranger.entity.XXServiceDef; import org.apache.ranger.plugin.model.RangerPluginInfo; @@ -71,7 +72,6 @@ import org.apache.ranger.security.context.RangerAPIList; import org.apache.ranger.service.AuthSessionService; import org.apache.ranger.service.XAuditMapService; -import org.apache.ranger.service.XGroupGroupService; import org.apache.ranger.service.XGroupPermissionService; import org.apache.ranger.service.XGroupService; import org.apache.ranger.service.XGroupUserService; @@ -129,9 +129,6 @@ public class XUserREST { @Autowired XGroupUserService xGroupUserService; - @Autowired - XGroupGroupService xGroupGroupService; - @Autowired XPermMapService xPermMapService; @@ -146,16 +143,16 @@ public class XUserREST { @Autowired SessionMgr sessionMgr; - + @Autowired AuthSessionService authSessionService; @Autowired RangerBizUtil bizUtil; - + @Autowired XResourceService xResourceService; - + @Autowired StringUtil stringUtil; 
@@ -423,12 +420,23 @@ else if ((searchCriteria.getParamList().containsKey("name")) && userName!= null UserSessionBase userSession = ContextUtil.getCurrentUserSession(); if (userSession != null && userSession.getLoginId() != null) { - VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession - .getLoginId()); - if (loggedInVXUser != null) { - if (loggedInVXUser.getUserRoleList().size() == 1 - && loggedInVXUser.getUserRoleList().contains( - RangerConstants.ROLE_USER)) { + VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); + if (loggedInVXUser != null && loggedInVXUser.getUserRoleList().size() == 1) { + if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) || loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR)) { + boolean hasRole = false; + hasRole = !userRolesList.contains(RangerConstants.ROLE_SYS_ADMIN) ? userRolesList.add(RangerConstants.ROLE_SYS_ADMIN) : hasRole; + hasRole = !userRolesList.contains(RangerConstants.ROLE_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_ADMIN_AUDITOR) : hasRole; + hasRole = !userRolesList.contains(RangerConstants.ROLE_USER) ? userRolesList.add(RangerConstants.ROLE_USER) : hasRole; + if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) && "rangerusersync".equalsIgnoreCase(userSession.getLoginId())) { + hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN) : hasRole; + hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole; + } + } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN) || loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) { + boolean hasRole = false; + hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN) ? 
userRolesList.add(RangerConstants.ROLE_KEY_ADMIN) : hasRole; + hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole; + hasRole = !userRolesList.contains(RangerConstants.ROLE_USER) ? userRolesList.add(RangerConstants.ROLE_USER) : hasRole; + } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) { logger.info("Logged-In user having user role will be able to fetch his own user details."); if (!searchCriteria.getParamList().containsKey("name")) { searchCriteria.addParam("name", loggedInVXUser.getName()); @@ -545,6 +553,9 @@ public VXGroupUser getXGroupUser(@PathParam("id") Long id) { @Produces({ "application/json" }) @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) { + if (vXGroupUser == null || StringUtils.isBlank(vXGroupUser.getName()) || vXGroupUser.getUserId() == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "Group name or UserId is empty or null", true); + } return xUserMgr.createXGroupUser(vXGroupUser); } @@ -553,6 +564,9 @@ public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) { @Consumes({ "application/json" }) @Produces({ "application/json" }) public VXGroupUser updateXGroupUser(VXGroupUser vXGroupUser) { + if (vXGroupUser == null || StringUtils.isBlank(vXGroupUser.getName()) || vXGroupUser.getUserId() == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "Group name or UserId is empty or null", true); + } return xUserMgr.updateXGroupUser(vXGroupUser); } 
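Review bot: The `hasRole = !userRolesList.contains(X) ? userRolesList.add(X) : hasRole;` pattern, repeated nine times, writes a variable that is never read afterwards and hides a side-effecting conditional inside a ternary; each line reads better as `if (!userRolesList.contains(RangerConstants.ROLE_SYS_ADMIN)) { userRolesList.add(RangerConstants.ROLE_SYS_ADMIN); }`, or the group as calls to a small private `addIfAbsent(userRolesList, role)` helper. The `"rangerusersync"` login is compared as a literal here and in checkAccessRoles; a shared constant would keep the two exemptions in step. Because the filtering only applies when `getUserRoleList().size() == 1`, a user holding ROLE_USER plus any second role reaches none of the branches and gets the unfiltered search, which is worth a comment if intentional. searchXUsers starts outside the hunk.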
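Review bot: The new argument validation is welcome, but updateXGroupUser still shows no `@PreAuthorize` between `@Produces` and its signature, where createXGroupUser directly above carries `@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")`; unless xUserMgr.updateXGroupUser authorizes internally or an annotation sits above `@Consumes` (outside the hunk), a non-admin can still modify group membership through PUT. Add `@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")` to the update endpoint or document where its check lives. The body of updateXGroupUser is fully visible, but its leading annotations begin outside the hunk.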
@@ -608,69 +622,6 @@ public VXLong countXGroupUsers(@Context HttpServletRequest request) { return xUserMgr.getXGroupUserSearchCount(searchCriteria); } - // Handle XGroupGroup - @GET - @Path("/groupgroups/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_GROUP + "\")") - public VXGroupGroup getXGroupGroup(@PathParam("id") Long id) { - return xUserMgr.getXGroupGroup(id); - } - - @POST - @Path("/groupgroups") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXGroupGroup createXGroupGroup(VXGroupGroup vXGroupGroup) { - return xUserMgr.createXGroupGroup(vXGroupGroup); - } - - @PUT - @Path("/groupgroups") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXGroupGroup updateXGroupGroup(VXGroupGroup vXGroupGroup) { - return xUserMgr.updateXGroupGroup(vXGroupGroup); - } - - @DELETE - @Path("/groupgroups/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @RangerAnnotationClassName(class_name = VXGroupGroup.class) - public void deleteXGroupGroup(@PathParam("id") Long id, - @Context HttpServletRequest request) { - boolean force = false; - xUserMgr.deleteXGroupGroup(id, force); - } - - /** - * Implements the traditional search functionalities for XGroupGroups - * - * @param request - * @return - */ - @GET - @Path("/groupgroups") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_GROUPS + "\")") - public VXGroupGroupList searchXGroupGroups( - @Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xGroupGroupService.sortFields); - return xUserMgr.searchXGroupGroups(searchCriteria); - } - - @GET - @Path("/groupgroups/count") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_GROUPS + "\")") - public 
VXLong countXGroupGroups(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xGroupGroupService.sortFields); - - return xUserMgr.getXGroupGroupSearchCount(searchCriteria); - } - // Handle XPermMap @GET @Path("/permmaps/{id}") @@ -865,7 +816,25 @@ public VXUser getXUserByUserName(@Context HttpServletRequest request, @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_BY_GROUP_NAME + "\")") public VXGroup getXGroupByGroupName(@Context HttpServletRequest request, @PathParam("groupName") String groupName) { - return xGroupService.getGroupByGroupName(groupName); + VXGroup vXGroup = xGroupService.getGroupByGroupName(groupName); + UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + if (userSession != null && userSession.getLoginId() != null && userSession.getUserRoleList().contains(RangerConstants.ROLE_USER)) { + VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); + boolean isMatch = false; + if (loggedInVXUser != null && vXGroup != null) { + List userGroups = xGroupService.getGroupsByUserId(loggedInVXUser.getId()); + for (XXGroup xXGroup: userGroups) { + if (xXGroup != null && StringUtils.equals(xXGroup.getName(), vXGroup.getName())) { + isMatch = true; + break; + } + } + } + if (!isMatch) { + vXGroup = null; + } + } + return vXGroup; } @DELETE diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java index 83a82c86c9..acfce5f0a1 100755 --- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java +++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java 
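Review bot: The restriction keys on `userSession.getUserRoleList().contains(RangerConstants.ROLE_USER)`, so a session carrying ROLE_USER alongside an admin role is filtered like a plain user, while searchXUsers in this same commit only restricts sessions with exactly one role; the two should agree. Using the session's own predicates, `if (userSession != null && !userSession.isUserAdmin() && !userSession.isKeyAdmin())`, would express the intent without depending on role-list shape, with auditor roles added if they are meant to see all groups. Returning `null` for a non-member makes a group the caller is not in indistinguishable from one that does not exist, which is a reasonable privacy choice but deserves a comment, e.g. `// non-member: hide the group's existence from non-admin callers`. The class continues outside the hunk.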
@@ -160,12 +160,6 @@ public class RangerAPIList { public static final String SEARCH_X_GROUP_USERS = "XUserREST.searchXGroupUsers"; public static final String GET_X_GROUP_USERS_BY_GROUP_NAME = "XUserREST.getXGroupUsersByGroupName"; public static final String COUNT_X_GROUP_USERS = "XUserREST.countXGroupUsers"; - public static final String GET_X_GROUP_GROUP = "XUserREST.getXGroupGroup"; - public static final String CREATE_X_GROUP_GROUP = "XUserREST.createXGroupGroup"; - public static final String UPDATE_X_GROUP_GROUP = "XUserREST.updateXGroupGroup"; - public static final String DELETE_X_GROUP_GROUP = "XUserREST.deleteXGroupGroup"; - public static final String SEARCH_X_GROUP_GROUPS = "XUserREST.searchXGroupGroups"; - public static final String COUNT_X_GROUP_GROUPS = "XUserREST.countXGroupGroups"; public static final String GET_X_PERM_MAP = "XUserREST.getXPermMap"; public static final String CREATE_X_PERM_MAP = "XUserREST.createXPermMap"; public static final String UPDATE_X_PERM_MAP = "XUserREST.updateXPermMap"; diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java index 37ccc0785e..cbfcabf6e3 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java +++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java @@ -104,7 +104,6 @@ private void mapReportsWithAPIs() { apiAssociatedWithReports.add(RangerAPIList.SEARCH_USERS); apiAssociatedWithReports.add(RangerAPIList.COUNT_X_AUDIT_MAPS); - apiAssociatedWithReports.add(RangerAPIList.COUNT_X_GROUP_GROUPS); apiAssociatedWithReports.add(RangerAPIList.COUNT_X_GROUPS); apiAssociatedWithReports.add(RangerAPIList.COUNT_X_GROUP_USERS); apiAssociatedWithReports.add(RangerAPIList.COUNT_X_PERM_MAPS); 
@@ -112,7 +111,6 @@ private void mapReportsWithAPIs() { apiAssociatedWithReports.add(RangerAPIList.GET_X_AUDIT_MAP); apiAssociatedWithReports.add(RangerAPIList.GET_X_GROUP); apiAssociatedWithReports.add(RangerAPIList.GET_X_GROUP_BY_GROUP_NAME); - apiAssociatedWithReports.add(RangerAPIList.GET_X_GROUP_GROUP); apiAssociatedWithReports.add(RangerAPIList.GET_X_GROUP_USER); apiAssociatedWithReports.add(RangerAPIList.GET_X_GROUP_USERS); apiAssociatedWithReports.add(RangerAPIList.GET_X_PERM_MAP); @@ -120,7 +118,6 @@ private void mapReportsWithAPIs() { apiAssociatedWithReports.add(RangerAPIList.GET_X_USER_BY_USER_NAME); apiAssociatedWithReports.add(RangerAPIList.GET_X_USER_GROUPS); apiAssociatedWithReports.add(RangerAPIList.SEARCH_X_AUDIT_MAPS); - apiAssociatedWithReports.add(RangerAPIList.SEARCH_X_GROUP_GROUPS); apiAssociatedWithReports.add(RangerAPIList.SEARCH_X_GROUPS); apiAssociatedWithReports.add(RangerAPIList.SEARCH_X_GROUP_USERS); apiAssociatedWithReports.add(RangerAPIList.SEARCH_X_PERM_MAPS); @@ -173,7 +170,6 @@ private void mapTagBasedPoliciesWithAPIs() { apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_USERS); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_X_AUDIT_MAPS); - apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_X_GROUP_GROUPS); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_X_GROUPS); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_X_GROUP_USERS); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_X_PERM_MAPS); 
@@ -185,7 +181,6 @@ private void mapTagBasedPoliciesWithAPIs() { apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_AUDIT_MAP); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_GROUP); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_GROUP_BY_GROUP_NAME); - apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_GROUP_GROUP); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_GROUP_USER); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_GROUP_USERS); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_PERM_MAP); @@ -196,7 +191,6 @@ private void mapTagBasedPoliciesWithAPIs() { apiAssociatedWithTagBasedPolicy.add(RangerAPIList.MODIFY_USER_ACTIVE_STATUS); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.MODIFY_USER_VISIBILITY); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_X_AUDIT_MAPS); - apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_X_GROUP_GROUPS); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_X_GROUPS); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_X_GROUP_USERS); apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_X_PERM_MAPS); @@ -310,7 +304,6 @@ private void mapUGWithAPIs() { apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_USERS); apiAssociatedWithUserAndGroups.add(RangerAPIList.COUNT_X_AUDIT_MAPS); - apiAssociatedWithUserAndGroups.add(RangerAPIList.COUNT_X_GROUP_GROUPS); apiAssociatedWithUserAndGroups.add(RangerAPIList.COUNT_X_GROUPS); apiAssociatedWithUserAndGroups.add(RangerAPIList.COUNT_X_GROUP_USERS); apiAssociatedWithUserAndGroups.add(RangerAPIList.COUNT_X_PERM_MAPS); 
@@ -322,7 +315,6 @@ private void mapUGWithAPIs() { apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_AUDIT_MAP); apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_GROUP); apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_GROUP_BY_GROUP_NAME); - apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_GROUP_GROUP); apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_GROUP_USER); apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_GROUP_USERS); apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_PERM_MAP); @@ -333,7 +325,6 @@ private void mapUGWithAPIs() { apiAssociatedWithUserAndGroups.add(RangerAPIList.MODIFY_USER_ACTIVE_STATUS); apiAssociatedWithUserAndGroups.add(RangerAPIList.MODIFY_USER_VISIBILITY); apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_X_AUDIT_MAPS); - apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_X_GROUP_GROUPS); apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_X_GROUPS); apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_X_GROUP_USERS); apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_X_PERM_MAPS); @@ -389,7 +380,6 @@ private void mapAuditWithAPIs() { apiAssociatedWithAudit.add(RangerAPIList.SEARCH_USERS); apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_AUDIT_MAPS); - apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_GROUP_GROUPS); apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_GROUPS); apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_GROUP_USERS); apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_PERM_MAPS); @@ -397,7 +387,6 @@ private void mapAuditWithAPIs() { apiAssociatedWithAudit.add(RangerAPIList.GET_X_AUDIT_MAP); apiAssociatedWithAudit.add(RangerAPIList.GET_X_GROUP); apiAssociatedWithAudit.add(RangerAPIList.GET_X_GROUP_BY_GROUP_NAME); - apiAssociatedWithAudit.add(RangerAPIList.GET_X_GROUP_GROUP); apiAssociatedWithAudit.add(RangerAPIList.GET_X_GROUP_USER); apiAssociatedWithAudit.add(RangerAPIList.GET_X_GROUP_USERS); apiAssociatedWithAudit.add(RangerAPIList.GET_X_PERM_MAP); 
@@ -405,7 +394,6 @@ private void mapAuditWithAPIs() { apiAssociatedWithAudit.add(RangerAPIList.GET_X_USER_BY_USER_NAME); apiAssociatedWithAudit.add(RangerAPIList.GET_X_USER_GROUPS); apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_AUDIT_MAPS); - apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_GROUP_GROUPS); apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_GROUPS); apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_GROUP_USERS); apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_PERM_MAPS); @@ -473,7 +461,6 @@ private void mapResourceBasedPoliciesWithAPIs() { apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_USERS); apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_X_AUDIT_MAPS); - apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_X_GROUP_GROUPS); apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_X_GROUPS); apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_X_GROUP_USERS); apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_X_PERM_MAPS); @@ -485,7 +472,6 @@ private void mapResourceBasedPoliciesWithAPIs() { apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_AUDIT_MAP); apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_GROUP); apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_GROUP_BY_GROUP_NAME); - apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_GROUP_GROUP); apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_GROUP_USER); apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_GROUP_USERS); apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_PERM_MAP); 
@@ -496,7 +482,6 @@ private void mapResourceBasedPoliciesWithAPIs() { apiAssociatedWithRBPolicies.add(RangerAPIList.MODIFY_USER_ACTIVE_STATUS); apiAssociatedWithRBPolicies.add(RangerAPIList.MODIFY_USER_VISIBILITY); apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_X_AUDIT_MAPS); - apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_X_GROUP_GROUPS); apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_X_GROUPS); apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_X_GROUP_USERS); apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_X_PERM_MAPS); diff --git a/security-admin/src/main/java/org/apache/ranger/service/XGroupService.java b/security-admin/src/main/java/org/apache/ranger/service/XGroupService.java index 98ee626120..46484e706a 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XGroupService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XGroupService.java @@ -168,4 +168,8 @@ public Map getXXGroupIdNameMap() { public Long getAllGroupCount() { return daoManager.getXXGroup().getAllCount(); } + + public List getGroupsByUserId(Long userId) { + return daoManager.getXXGroup().findByUserId(userId); + } } diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java b/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java index 942d53e917..6a4f533cd9 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java @@ -134,6 +134,8 @@ public VXUgsyncAuditInfoList searchXUgsyncAuditInfoBySyncSource(String syncSourc } returnList.setVxUgsyncAuditInfoList(xUgsyncAuditInfoList); + returnList.setTotalCount(xUgsyncAuditInfoList.size()); + returnList.setResultSize(xUgsyncAuditInfoList.size()); return returnList; } 
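Review bot: getGroupsByUserId is added without Javadoc and simply returns what `daoManager.getXXGroup().findByUserId(userId)` yields, so whether a null or unknown userId produces an empty list or null is left to the DAO and is not stated at the service boundary. Suggested doc: `/** Returns the group entities (presumably XXGroup) the given portal user belongs to; delegates to XXGroupDao.findByUserId, whose null/unknown-id contract applies. */`. The raw `List` return type may be a rendering artefact with the generic argument stripped; if it is really raw, a typed `List<XXGroup>` would match the rest of the service and avoid an unchecked use in callers.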
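Review bot: `setTotalCount` is populated from `xUgsyncAuditInfoList.size()`, which is the size of the list being returned; if searchXUgsyncAuditInfoBySyncSource applies a start index or page size, that is the page size rather than the number of matching records, and clients that paginate on totalCount will stop after the first page. If the query is not paginated the two values are legitimately equal, and a comment saying so, `// unpaginated query: total count equals the returned result size`, would stop the next reader from flagging it. The enclosing method starts outside the hunk, so whether paging is applied cannot be confirmed from here.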
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java index 2b4ba0d153..671b80de54 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java @@ -25,12 +25,14 @@ import java.util.HashSet; import java.util.List; import java.util.Map; +import java.util.Set; import org.apache.commons.collections.ListUtils; import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.GUIDUtil; import org.apache.ranger.common.JSONUtil; import org.apache.ranger.common.RESTErrorUtil; +import org.apache.ranger.common.RangerConstants; import org.apache.ranger.common.RangerFactory; import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.StringUtil; @@ -69,6 +71,7 @@ import org.apache.ranger.view.RangerPolicyList; import org.apache.ranger.view.RangerServiceDefList; import org.apache.ranger.view.RangerServiceList; +import org.apache.ranger.view.VXGroup; import org.apache.ranger.view.VXGroupList; import org.apache.ranger.view.VXString; import org.apache.ranger.view.VXUser; @@ -167,6 +170,15 @@ public class TestServiceDBStore { @Rule public ExpectedException thrown = ExpectedException.none(); + private VXGroup vxGroup() { + VXGroup vXGroup = new VXGroup(); + vXGroup.setId(Id); + vXGroup.setDescription("group test working"); + vXGroup.setName(RangerConstants.GROUP_PUBLIC); + vXGroup.setIsVisible(1); + return vXGroup; + } + public void setup() { RangerSecurityContext context = new RangerSecurityContext(); context.setUserSession(new UserSessionBase()); 
@@ -1999,6 +2011,25 @@ public void test30getPolicies() throws Exception { policyListObj.setSortType("1"); policyListObj.setStartIndex(0); policyListObj.setTotalCount(10); + + Set groupNames = new HashSet(){{add(RangerConstants.GROUP_PUBLIC);}}; + XXGroupGroupDao xXGroupGroupDao = Mockito.mock(XXGroupGroupDao.class); + Mockito.when(daoManager.getXXGroupGroup()).thenReturn(xXGroupGroupDao); + XXGroupDao xxGroupDao = Mockito.mock(XXGroupDao.class); + XXRoleDao xxRoleDao = Mockito.mock(XXRoleDao.class); + VXGroup vxGroup = vxGroup(); + XXGroup xxGroup = new XXGroup(); + xxGroup.setId(vxGroup.getId()); + xxGroup.setName(vxGroup.getName()); + xxGroup.setDescription(vxGroup.getDescription()); + xxGroup.setIsVisible(vxGroup.getIsVisible()); + Mockito.when(daoManager.getXXGroup()).thenReturn(xxGroupDao); + Mockito.when(xxGroupDao.findByGroupName(vxGroup.getName())).thenReturn(xxGroup); + Mockito.when(xXGroupGroupDao.findGroupNamesByGroupName(Mockito.anyString())).thenReturn(groupNames); + List xxRoles = new ArrayList(); + Mockito.when(daoManager.getXXGroup()).thenReturn(xxGroupDao); + Mockito.when(daoManager.getXXRole()).thenReturn(xxRoleDao); + Mockito.when(xxRoleDao.findByGroupId(xxGroup.getId())).thenReturn(xxRoles); List dbRangerPolicy = serviceDBStore.getPolicies(filter); Assert.assertNotNull(dbRangerPolicy); 
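Review bot: The same nineteen-line block of group/role stubs is pasted into test30getPolicies and again into test31getPaginatedPolicies, test36getPaginatedServicePolicies and test37getPaginatedServicePolicies, and within each copy `Mockito.when(daoManager.getXXGroup()).thenReturn(xxGroupDao)` is stubbed twice while `new HashSet(){{add(...);}}` creates an anonymous subclass for a one-element raw set. Since the file already gained a `vxGroup()` factory, the block belongs in a sibling helper that each test calls once; a sketch follows. The raw `Set`/`List` declarations may be a rendering artefact, but if they are really raw, typed declarations would remove the unchecked warnings these tests compile with.
```java
/** Stubs the group and role lookups the policy queries perform for the public group; returns the stubbed XXGroup. */
private XXGroup stubPublicGroupLookups() {
    VXGroup vxGroup = vxGroup();
    XXGroup xxGroup = new XXGroup();
    xxGroup.setId(vxGroup.getId());
    xxGroup.setName(vxGroup.getName());
    xxGroup.setDescription(vxGroup.getDescription());
    xxGroup.setIsVisible(vxGroup.getIsVisible());

    Set<String> groupNames = new HashSet<>();
    groupNames.add(RangerConstants.GROUP_PUBLIC);

    XXGroupGroupDao xXGroupGroupDao = Mockito.mock(XXGroupGroupDao.class);
    XXGroupDao xxGroupDao = Mockito.mock(XXGroupDao.class);
    XXRoleDao xxRoleDao = Mockito.mock(XXRoleDao.class);
    Mockito.when(daoManager.getXXGroupGroup()).thenReturn(xXGroupGroupDao);
    Mockito.when(daoManager.getXXGroup()).thenReturn(xxGroupDao);
    Mockito.when(daoManager.getXXRole()).thenReturn(xxRoleDao);
    Mockito.when(xxGroupDao.findByGroupName(vxGroup.getName())).thenReturn(xxGroup);
    Mockito.when(xXGroupGroupDao.findGroupNamesByGroupName(Mockito.anyString())).thenReturn(groupNames);
    Mockito.when(xxRoleDao.findByGroupId(xxGroup.getId())).thenReturn(new ArrayList<>());
    return xxGroup;
}

// … unchanged: test30getPolicies up to policyListObj.setTotalCount(10); …
    stubPublicGroupLookups();
    List dbRangerPolicy = serviceDBStore.getPolicies(filter);
// … unchanged: assertions …
```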
@@ -2017,6 +2048,25 @@ public void test31getPaginatedPolicies() throws Exception { policyListObj.setSortType("1"); policyListObj.setStartIndex(0); policyListObj.setTotalCount(10); + + Set groupNames = new HashSet(){{add(RangerConstants.GROUP_PUBLIC);}}; + XXGroupGroupDao xXGroupGroupDao = Mockito.mock(XXGroupGroupDao.class); + Mockito.when(daoManager.getXXGroupGroup()).thenReturn(xXGroupGroupDao); + XXGroupDao xxGroupDao = Mockito.mock(XXGroupDao.class); + XXRoleDao xxRoleDao = Mockito.mock(XXRoleDao.class); + VXGroup vxGroup = vxGroup(); + XXGroup xxGroup = new XXGroup(); + xxGroup.setId(vxGroup.getId()); + xxGroup.setName(vxGroup.getName()); + xxGroup.setDescription(vxGroup.getDescription()); + xxGroup.setIsVisible(vxGroup.getIsVisible()); + Mockito.when(daoManager.getXXGroup()).thenReturn(xxGroupDao); + Mockito.when(xxGroupDao.findByGroupName(vxGroup.getName())).thenReturn(xxGroup); + Mockito.when(xXGroupGroupDao.findGroupNamesByGroupName(Mockito.anyString())).thenReturn(groupNames); + List xxRoles = new ArrayList(); + Mockito.when(daoManager.getXXGroup()).thenReturn(xxGroupDao); + Mockito.when(daoManager.getXXRole()).thenReturn(xxRoleDao); + Mockito.when(xxRoleDao.findByGroupId(xxGroup.getId())).thenReturn(xxRoles); PList dbRangerPolicyList = serviceDBStore .getPaginatedPolicies(filter); 
@@ -2113,6 +2163,25 @@ public void test36getPaginatedServicePolicies() throws Exception { SearchFilter filter = new SearchFilter(); filter.setParam(SearchFilter.POLICY_NAME, "policyName"); filter.setParam(SearchFilter.SERVICE_NAME, "serviceName"); + + Set groupNames = new HashSet(){{add(RangerConstants.GROUP_PUBLIC);}}; + XXGroupGroupDao xXGroupGroupDao = Mockito.mock(XXGroupGroupDao.class); + Mockito.when(daoManager.getXXGroupGroup()).thenReturn(xXGroupGroupDao); + XXGroupDao xxGroupDao = Mockito.mock(XXGroupDao.class); + XXRoleDao xxRoleDao = Mockito.mock(XXRoleDao.class); + VXGroup vxGroup = vxGroup(); + XXGroup xxGroup = new XXGroup(); + xxGroup.setId(vxGroup.getId()); + xxGroup.setName(vxGroup.getName()); + xxGroup.setDescription(vxGroup.getDescription()); + xxGroup.setIsVisible(vxGroup.getIsVisible()); + Mockito.when(daoManager.getXXGroup()).thenReturn(xxGroupDao); + Mockito.when(xxGroupDao.findByGroupName(vxGroup.getName())).thenReturn(xxGroup); + Mockito.when(xXGroupGroupDao.findGroupNamesByGroupName(Mockito.anyString())).thenReturn(groupNames); + List xxRoles = new ArrayList(); + Mockito.when(daoManager.getXXGroup()).thenReturn(xxGroupDao); + Mockito.when(daoManager.getXXRole()).thenReturn(xxRoleDao); + Mockito.when(xxRoleDao.findByGroupId(xxGroup.getId())).thenReturn(xxRoles); PList dbRangerPolicyList = serviceDBStore .getPaginatedServicePolicies(serviceName, filter); 
@@ -2132,6 +2201,25 @@ public void test37getPaginatedServicePolicies() throws Exception { Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao); Mockito.when(xServiceDao.getById(Id)).thenReturn(xService); + Set groupNames = new HashSet(){{add(RangerConstants.GROUP_PUBLIC);}}; + XXGroupGroupDao xXGroupGroupDao = Mockito.mock(XXGroupGroupDao.class); + Mockito.when(daoManager.getXXGroupGroup()).thenReturn(xXGroupGroupDao); + XXGroupDao xxGroupDao = Mockito.mock(XXGroupDao.class); + XXRoleDao xxRoleDao = Mockito.mock(XXRoleDao.class); + VXGroup vxGroup = vxGroup(); + XXGroup xxGroup = new XXGroup(); + xxGroup.setId(vxGroup.getId()); + xxGroup.setName(vxGroup.getName()); + xxGroup.setDescription(vxGroup.getDescription()); + xxGroup.setIsVisible(vxGroup.getIsVisible()); + Mockito.when(daoManager.getXXGroup()).thenReturn(xxGroupDao); + Mockito.when(xxGroupDao.findByGroupName(vxGroup.getName())).thenReturn(xxGroup); + Mockito.when(xXGroupGroupDao.findGroupNamesByGroupName(Mockito.anyString())).thenReturn(groupNames); + List xxRoles = new ArrayList(); + Mockito.when(daoManager.getXXGroup()).thenReturn(xxGroupDao); + Mockito.when(daoManager.getXXRole()).thenReturn(xxRoleDao); + Mockito.when(xxRoleDao.findByGroupId(xxGroup.getId())).thenReturn(xxRoles); + //PList dbRangerPolicyList = serviceDBStore.getPaginatedServicePolicies(rangerService.getId(), filter); } @@ -2325,7 +2413,6 @@ public void test44getMetricByTypePolicies() throws Exception { String type = "policies"; RangerServiceList svcList = new RangerServiceList(); svcList.setTotalCount(10l); - Mockito.when(svcService.searchRangerServices(Mockito.any(SearchFilter.class))).thenReturn(svcList); serviceDBStore.getMetricByType(ServiceDBStore.METRIC_TYPE.getMetricTypeByName(type)); } diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java index 29f2ce802b..cdf265b2d9 100644 
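Review bot: The stubs added to test37getPaginatedServicePolicies are never exercised, because the only call in the method, `//PList dbRangerPolicyList = serviceDBStore.getPaginatedServicePolicies(rangerService.getId(), filter);`, stays commented out and the test still asserts nothing. Either restore the call with an assertion on the returned list, or drop the stubs; if the test runner uses strict Mockito stubs, the unused stubbings may themselves fail the test. The enclosing method starts outside the hunk.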
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java @@ -313,10 +313,24 @@ public void test03ChangePasswordAsAdmin() { Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); Mockito.when(userDao.findByLoginId(Mockito.nullable(String.class))).thenReturn(user); - Mockito.when(stringUtil.equals(Mockito.anyString(), Mockito.nullable(String.class))).thenReturn(true); - Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); - Mockito.when(stringUtil.validatePassword(Mockito.anyString(), Mockito.any(String[].class))).thenReturn(true); + XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao); + List xPortalUserRoleList = new ArrayList(); + XXPortalUserRole XXPortalUserRole = new XXPortalUserRole(); + XXPortalUserRole.setId(userId); + XXPortalUserRole.setUserId(userId); + XXPortalUserRole.setUserRole("ROLE_USER"); + xPortalUserRoleList.add(XXPortalUserRole); + XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class); + XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class); + Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao); + Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao); + XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(roleDao); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); + thrown.expect(WebApplicationException.class); + VXResponse dbVXResponse = userMgr.changePassword(pwdChange); Assert.assertNotNull(dbVXResponse); Assert.assertEquals(userProfile.getStatus(),dbVXResponse.getStatusCode()); 
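Review bot: `thrown.expect(WebApplicationException.class)` now precedes `userMgr.changePassword(pwdChange)`, so the `Assert.assertNotNull`/`Assert.assertEquals` lines after the call can never execute and test03ChangePasswordAsAdmin no longer checks the response it appears to check; the same pattern is introduced in test06ChangeEmailAddressAsAdmin, test14UpdateUserWithPass, test20checkAccess, test21getUserProfile, test23setUserRoles, test27UpdateUser, test28UpdateUser and test31checkAccess. If the 403 is the intended outcome, delete the unreachable assertions and name the test for the rejection; if the success path was meant, the stub on `restErrorUtil.createRESTException` should not throw. Matching the stub on the exact text `"Logged-In user is not allowed to access requested user data"` also couples the test to the message: any wording change makes the mock return null, and the production `throw` (presumably of the created exception, as elsewhere in this codebase) then surfaces as a NullPointerException instead of the expected type. `Mockito.eq(HttpServletResponse.SC_FORBIDDEN), Mockito.anyString(), Mockito.eq(true)` keeps the test pinned to the status code, which is the property that matters.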
@@ -369,6 +383,25 @@ public void test04ChangePasswordAsKeyAdmin() { Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); Mockito.when(stringUtil.validatePassword(Mockito.anyString(), Mockito.any(String[].class))).thenReturn(true); + XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao); + List xPortalUserRoleList = new ArrayList(); + XXPortalUserRole XXPortalUserRole = new XXPortalUserRole(); + XXPortalUserRole.setId(userId); + XXPortalUserRole.setUserId(userId); + XXPortalUserRole.setUserRole("ROLE_USER"); + xPortalUserRoleList.add(XXPortalUserRole); + XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(roleDao); + Mockito.when(roleDao.findByParentId(Mockito.anyLong())).thenReturn(xPortalUserRoleList); + XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class); + XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class); + Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao); + List xUserPermissionsList = new ArrayList(); + List xGroupPermissionList = new ArrayList(); + Mockito.when(xUserPermissionDao.findByUserPermissionIdAndIsAllowed(userProfile.getId())).thenReturn(xUserPermissionsList); + Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao); + Mockito.when(xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())).thenReturn(xGroupPermissionList); VXResponse dbVXResponse = userMgr.changePassword(pwdChange); Assert.assertNotNull(dbVXResponse); Assert.assertEquals(userProfile.getStatus(),dbVXResponse.getStatusCode()); 
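Review bot: In test04ChangePasswordAsKeyAdmin the mock `xPortalUserRoleDao` is stubbed into `daoManager.getXXPortalUserRole()` and then immediately replaced by a second mock `roleDao` with the same stub, so the first mock and its stub line are dead; test05ChangePasswordAsUser repeats this, and test03ChangePasswordAsAdmin above builds `xPortalUserRoleList` without wiring it to any DAO at all. One mock per DAO, declared once and stubbed once, would make it clear which role list the code under test actually sees. The declaration `XXPortalUserRole XXPortalUserRole = new XXPortalUserRole();` shadows the class name with the variable, which compiles but makes every later `XXPortalUserRole.setId(...)` read like a static call; `XXPortalUserRole userRole = new XXPortalUserRole();` avoids that.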
@@ -398,6 +431,26 @@ public void test05ChangePasswordAsUser() { Mockito.when(stringUtil.equals(Mockito.anyString(), Mockito.nullable(String.class))).thenReturn(true); Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); Mockito.when(stringUtil.validatePassword(Mockito.anyString(), Mockito.any(String[].class))).thenReturn(true); + Mockito.when(userDao.findByLoginId(Mockito.anyString())).thenReturn(user); + XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao); + List xPortalUserRoleList = new ArrayList(); + XXPortalUserRole XXPortalUserRole = new XXPortalUserRole(); + XXPortalUserRole.setId(userId); + XXPortalUserRole.setUserId(userId); + XXPortalUserRole.setUserRole("ROLE_USER"); + xPortalUserRoleList.add(XXPortalUserRole); + XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class); + XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class); + Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao); + List xUserPermissionsList = new ArrayList(); + List xGroupPermissionList = new ArrayList(); + Mockito.when(xUserPermissionDao.findByUserPermissionIdAndIsAllowed(userProfile.getId())).thenReturn(xUserPermissionsList); + Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao); + Mockito.when(xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())).thenReturn(xGroupPermissionList); + XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(roleDao); + Mockito.when(roleDao.findByParentId(Mockito.anyLong())).thenReturn(xPortalUserRoleList); VXResponse dbVXResponse = userMgr.changePassword(pwdChange); Assert.assertNotNull(dbVXResponse); 
@@ -415,7 +468,16 @@ public void test06ChangeEmailAddressAsAdmin() { XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class); XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class); XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class); - XXModuleDef xModuleDef = Mockito.mock(XXModuleDef.class); + + XXModuleDef xModuleDef = new XXModuleDef(); + xModuleDef.setUpdatedByUserId(userId); + xModuleDef.setAddedByUserId(userId); + xModuleDef.setCreateTime(new Date()); + xModuleDef.setId(userId); + xModuleDef.setModule("Policy manager"); + xModuleDef.setUpdateTime(new Date()); + xModuleDef.setUrl("/policy manager"); + VXPortalUser userProfile = userProfile(); XXPortalUser user = new XXPortalUser(); @@ -482,11 +544,8 @@ public void test06ChangeEmailAddressAsAdmin() { groupPermission.setOwner("admin"); Mockito.when(stringUtil.validateEmail(Mockito.anyString())).thenReturn(true); - Mockito.when(stringUtil.equals(Mockito.anyString(), Mockito.anyString())).thenReturn(true); - Mockito.when(stringUtil.normalizeEmail(Mockito.anyString())).thenReturn(changeEmail.getEmailAddress()); Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(roleDao); - Mockito.when(userDao.update(user)).thenReturn(user); Mockito.when(roleDao.findByParentId(Mockito.anyLong())).thenReturn(list); Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao); Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao); 
@@ -496,7 +555,28 @@ public void test06ChangeEmailAddressAsAdmin() { Mockito.when(xUserPermissionService.populateViewBean(xUserPermissionObj)).thenReturn(userPermission); Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())).thenReturn(xModuleDef); - Mockito.doNothing().when(rangerBizUtil).blockAuditorRoleUser(); + + Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); + Mockito.when(userDao.findByLoginId(Mockito.anyString())).thenReturn(user); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); + Mockito.when(userDao.findByLoginId(Mockito.anyString())).thenReturn(user); + XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao); + List xPortalUserRoleList = new ArrayList(); + XXPortalUserRole.setId(userId); + XXPortalUserRole.setUserId(userId); + XXPortalUserRole.setUserRole("ROLE_USER"); + xPortalUserRoleList.add(XXPortalUserRole); + Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao); + Mockito.when(xUserPermissionDao.findByUserPermissionIdAndIsAllowed(userProfile.getId())).thenReturn(xUserPermissionsList); + Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao); + Mockito.when(xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())).thenReturn(xGroupPermissionList); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(roleDao); + Mockito.when(roleDao.findByParentId(Mockito.anyLong())).thenReturn(xPortalUserRoleList); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); + Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())).thenReturn(xModuleDef); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); + 
thrown.expect(WebApplicationException.class); VXPortalUser dbVXPortalUser = userMgr.changeEmailAddress(user,changeEmail); Assert.assertNotNull(dbVXPortalUser); Assert.assertEquals(userId, dbVXPortalUser.getId()); @@ -521,10 +601,6 @@ public void test07ChangeEmailAddressAsKeyAdmin() { setupKeyAdmin(); XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class); - XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class); - XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class); - XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class); - XXModuleDef xModuleDef = Mockito.mock(XXModuleDef.class); VXPortalUser userProfile = userProfile(); XXPortalUser userKeyAdmin = new XXPortalUser(); 
@@ -596,15 +672,30 @@ public void test07ChangeEmailAddressAsKeyAdmin() { Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(roleDao); Mockito.when(roleDao.findByParentId(Mockito.anyLong())).thenReturn(list); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); + Mockito.when(userDao.findByLoginId(Mockito.anyString())).thenReturn(userKeyAdmin); + XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao); + List xPortalUserRoleList = new ArrayList(); + XXPortalUserRole.setId(userId); + XXPortalUserRole.setUserId(userId); + XXPortalUserRole.setUserRole("ROLE_USER"); + xPortalUserRoleList.add(XXPortalUserRole); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(roleDao); + Mockito.when(roleDao.findByParentId(Mockito.anyLong())).thenReturn(xPortalUserRoleList); + XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class); + XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class); Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao); - Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao); Mockito.when(xUserPermissionDao.findByUserPermissionIdAndIsAllowed(userProfile.getId())).thenReturn(xUserPermissionsList); + Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao); Mockito.when(xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())).thenReturn(xGroupPermissionList); Mockito.when(xGroupPermissionService.populateViewBean(xGroupPermissionObj)).thenReturn(groupPermission); Mockito.when(xUserPermissionService.populateViewBean(xUserPermissionObj)).thenReturn(userPermission); + XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class); + XXModuleDef xModuleDef = new XXModuleDef(); + xModuleDef.setModule("Users/Groups"); 
Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); - Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())).thenReturn(xModuleDef); - Mockito.doNothing().when(rangerBizUtil).blockAuditorRoleUser(); + Mockito.when(xModuleDefDao.findByModuleId(groupPermission.getModuleId())).thenReturn(xModuleDef); VXPortalUser dbVXPortalUser = userMgr.changeEmailAddress(userKeyAdmin,changeEmail); Assert.assertNotNull(dbVXPortalUser); Assert.assertEquals(userId, dbVXPortalUser.getId()); @@ -613,7 +704,6 @@ public void test07ChangeEmailAddressAsKeyAdmin() { Assert.assertEquals(changeEmail.getEmailAddress(),dbVXPortalUser.getEmailAddress()); } - @Test public void test08ChangeEmailAddressAsUser() { setupUser(); 
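Review bot: The second hunk drops the `@Test` annotation from test08ChangeEmailAddressAsUser, which silently disables the test while the following hunk still adds a block of stubs to its body that will never run. If the test is broken by the new access-check behaviour, `@Ignore("reason")` keeps it visible in reports and records why; if it is obsolete, remove the method rather than leaving un-annotated dead code. In the first hunk, `Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao)` is again overridden by the `roleDao` stub a few lines later, and the variable named `XXPortalUserRole` is mutated without a declaration inside the hunk, so it is presumably declared earlier in test07 outside this view.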
@@ -702,7 +792,23 @@ public void test08ChangeEmailAddressAsUser() { Mockito.when(xUserPermissionService.populateViewBean(xUserPermissionObj)).thenReturn(userPermission); Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())).thenReturn(xModuleDef); - Mockito.doNothing().when(rangerBizUtil).blockAuditorRoleUser(); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); + Mockito.when(userDao.findByLoginId(Mockito.anyString())).thenReturn(user); + XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao); + List xPortalUserRoleList = new ArrayList(); + XXPortalUserRole.setId(userId); + XXPortalUserRole.setUserId(userId); + XXPortalUserRole.setUserRole("ROLE_USER"); + xPortalUserRoleList.add(XXPortalUserRole); + Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao); + Mockito.when(xUserPermissionDao.findByUserPermissionIdAndIsAllowed(userProfile.getId())).thenReturn(xUserPermissionsList); + Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao); + Mockito.when(xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())).thenReturn(xGroupPermissionList); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(roleDao); + Mockito.when(roleDao.findByParentId(Mockito.anyLong())).thenReturn(xPortalUserRoleList); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); + Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())).thenReturn(xModuleDef); VXPortalUser dbVXPortalUser = userMgr.changeEmailAddress(user,changeEmail); Assert.assertNotNull(dbVXPortalUser); Assert.assertEquals(userId, dbVXPortalUser.getId()); 
@@ -934,10 +1040,8 @@ public void test14UpdateUserWithPass() { user.setPassword(encryptedPwd); Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); Mockito.when(userDao.getById(userProfile.getId())).thenReturn(user); - Mockito.when(stringUtil.validateEmail(Mockito.anyString())).thenReturn(true); - Mockito.doNothing().when(rangerBizUtil).blockAuditorRoleUser(); - Mockito.when(stringUtil.validatePassword(Mockito.anyString(), Mockito.any(String[].class))).thenReturn(true); - Mockito.when(userDao.update(user)).thenReturn(user); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); + thrown.expect(WebApplicationException.class); XXPortalUser dbXXPortalUser = userMgr.updateUserWithPass(userProfile); Assert.assertNotNull(dbXXPortalUser); Assert.assertEquals(userId, dbXXPortalUser.getId()); @@ -1174,6 +1278,8 @@ public void test20checkAccess() { XXPortalUser xPortalUser = Mockito.mock(XXPortalUser.class); Mockito.when(daoManager.getXXPortalUser()).thenReturn(xPortalUserDao); Mockito.when(xPortalUserDao.getById(userId)).thenReturn(xPortalUser); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); + thrown.expect(WebApplicationException.class); userMgr.checkAccess(userId); Mockito.when(xPortalUserDao.getById(userId)).thenReturn(null); 
@@ -1187,10 +1293,6 @@ public void test21getUserProfile() { setup(); XXPortalUserDao xPortalUserDao = Mockito.mock(XXPortalUserDao.class); XXPortalUser xPortalUser = Mockito.mock(XXPortalUser.class); - XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class); - XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class); - - XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class); List xPortalUserRoleList = new ArrayList(); XXPortalUserRole XXPortalUserRole = new XXPortalUserRole(); @@ -1224,10 +1326,8 @@ public void test21getUserProfile() { Mockito.when(daoManager.getXXPortalUser()).thenReturn(xPortalUserDao); Mockito.when(xPortalUserDao.getById(userId)).thenReturn(null); - Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao); - Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao); - - Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); + thrown.expect(WebApplicationException.class); VXPortalUser dbVXPortalUser = userMgr.getUserProfile(userId); Mockito.when(xPortalUserDao.getById(userId)).thenReturn(xPortalUser); dbVXPortalUser = userMgr.getUserProfile(userId); 
@@ -1275,12 +1375,7 @@ public void test22getUserProfileByLoginId() { @Test public void test23setUserRoles() { setup(); - XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class); XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); - XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class); - XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class); - XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class); - VXPortalUser userProfile = userProfile(); XXPortalUser user = new XXPortalUser(); user.setEmailAddress(userProfile.getEmailAddress()); 
@@ -1354,21 +1449,10 @@ public void test23setUserRoles() { userPermission.setUserId(userId); userPermission.setUserName("xyz"); userPermission.setOwner("admin"); - - Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao); Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); Mockito.when(userDao.getById(userId)).thenReturn(user); - Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao); - Mockito.when(xUserPermissionDao.findByUserPermissionIdAndIsAllowed(userProfile.getId())).thenReturn(xUserPermissionsList); - Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao); - Mockito.when(xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())).thenReturn(xGroupPermissionList); - Mockito.when(xGroupPermissionService.populateViewBean(xGroupPermissionObj)).thenReturn(groupPermission); - Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); - Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())).thenReturn(xModuleDef); - Mockito.when(xUserPermissionService.populateViewBean(xUserPermissionObj)).thenReturn(userPermission); - Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); - Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())).thenReturn(xModuleDef); - Mockito.doNothing().when(rangerBizUtil).blockAuditorRoleUser(); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); + thrown.expect(WebApplicationException.class); userMgr.checkAccess(userId); userMgr.setUserRoles(userId, vStringRolesList); 
@@ -1496,9 +1580,8 @@ public void test27UpdateUser() { user.setPassword(encryptedPwd); Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); Mockito.when(userDao.getById(userProfile.getId())).thenReturn(user); - Mockito.when(stringUtil.validateEmail(Mockito.anyString())).thenReturn(true); - - Mockito.doNothing().when(rangerBizUtil).blockAuditorRoleUser(); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); + thrown.expect(WebApplicationException.class); XXPortalUser dbXXPortalUser = userMgr.updateUser(userProfile); Assert.assertNotNull(dbXXPortalUser); Assert.assertEquals(userId, dbXXPortalUser.getId()); @@ -1536,9 +1619,8 @@ public void test28UpdateUser() { user.setFirstName("null"); user.setLastName("null"); Mockito.when(userDao.getById(userProfile.getId())).thenReturn(user); - Mockito.when(stringUtil.validateEmail(Mockito.anyString())).thenReturn(true); - Mockito.doNothing().when(rangerBizUtil).blockAuditorRoleUser(); - Mockito.when(userDao.findByEmailAddress(Mockito.anyString())).thenReturn(user); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); + thrown.expect(WebApplicationException.class); dbXXPortalUser = userMgr.updateUser(userProfile); Assert.assertNotNull(dbXXPortalUser); Assert.assertEquals(userId, dbXXPortalUser.getId()); 
@@ -1661,7 +1743,11 @@ public void test30getRolesByLoginId() {
 @Test
 public void test31checkAccess() {
 setup();
+ XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class);
+ Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
 XXPortalUser xPortalUser = Mockito.mock(XXPortalUser.class);
+ Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException());
+ thrown.expect(WebApplicationException.class);
 userMgr.checkAccess(xPortalUser);
 destroySession();
 VXPortalUser userProfile = userProfile();
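Review bot: `destroySession()`, `VXPortalUser userProfile = userProfile()` and whatever follows below the hunk are unreachable once `userMgr.checkAccess(xPortalUser)` throws the expected exception, so the second scenario test31 used to set up (no session) is no longer exercised. `xPortalUser` is a bare Mockito mock with no stubbed getters, so its id is presumably null when `checkAccess` compares it against the session; if that is what triggers the 403, the test is asserting a null-id artefact rather than a real access decision — worth a one-line comment, e.g. `// unstubbed mock: id is null, so checkAccess must refuse it`. test31's body continues past the hunk.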
@@ -1691,31 +1777,10 @@ public void test32checkAdminAccess() {
 userMgr.checkAdminAccess();
 }
- @Test
- public void test33checkAccessForUpdate() {
- setup();
- XXPortalUser xPortalUser = Mockito.mock(XXPortalUser.class);
- userMgr.checkAccessForUpdate(xPortalUser);
-
- destroySession();
- xPortalUser.setId(userId);
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN);
- vXResponse.setMsgDesc("User access denied. loggedInUser=Not Logged In , accessing user="+ xPortalUser.getId());
- Mockito.when(restErrorUtil.generateRESTException((VXResponse) Mockito.any())).thenThrow(new WebApplicationException());
- thrown.expect(WebApplicationException.class);
- userMgr.checkAccessForUpdate(xPortalUser);
- xPortalUser = null;
- Mockito.when(restErrorUtil.create403RESTException("serverMsg.userMgrWrongUser")).thenThrow(new WebApplicationException());
- thrown.expect(WebApplicationException.class);
- userMgr.checkAccessForUpdate(xPortalUser);
- }
-
 @Test
 public void test34updateRoleForExternalUsers() {
 setupRangerUserSyncUser();
 XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class);
- XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class);
 XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class);
 Collection existingRoleList = new ArrayList();
 existingRoleList.add(RangerConstants.ROLE_USER);
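Review bot: Deleting test33checkAccessForUpdate removes the only visible coverage of the denied paths of `checkAccessForUpdate` (the SC_FORBIDDEN response with no session and the `serverMsg.userMgrWrongUser` case for a null user); whether the production method was removed in the same change is not visible here. If `checkAccessForUpdate` still exists, keep a minimal test that stubs the rejection the way the other updated tests do and ends with `userMgr.checkAccessForUpdate(xPortalUser);` as its last statement, so an accidental widening of that check is caught.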
@@ -1749,13 +1814,11 @@ public void test34updateRoleForExternalUsers() {
 xUserPermissionObj.setUserId(userId);
 xUserPermissionsList.add(xUserPermissionObj);
 Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
- Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(roleDao);
- Mockito.when(roleDao.findByUserId(userId)).thenReturn(list);
 Mockito.when(userDao.getById(userProfile.getId())).thenReturn(user);
- Mockito.when(stringUtil.validateEmail(Mockito.anyString())).thenReturn(true);
- Mockito.doNothing().when(rangerBizUtil).blockAuditorRoleUser();
 Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao);
 Mockito.when(xUserPermissionDao.findByUserPermissionId(userProfile.getId())).thenReturn(xUserPermissionsList);
+ Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException());
+ thrown.expect(WebApplicationException.class);
 VXPortalUser dbVXPortalUser = userMgr.updateRoleForExternalUsers(reqRoleList,existingRoleList,userProfile);
 Assert.assertNotNull(dbVXPortalUser);
 Assert.assertEquals(userId, dbVXPortalUser.getId());
@@ -1822,13 +1885,12 @@ public void test36UpdateUser() {
 user.setLoginId(userProfile.getLoginId());
 userProfile.setFirstName("User");
 userProfile.setLastName("User");
- Mockito.when(stringUtil.validateEmail(Mockito.anyString())).thenReturn(true);
 String encryptedPwd = userMgr.encrypt(userProfile.getLoginId(),userProfile.getPassword());
 user.setPassword(encryptedPwd);
 Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
 Mockito.when(userDao.getById(userProfile.getId())).thenReturn(user);
- Mockito.doNothing().when(rangerBizUtil).blockAuditorRoleUser();
- Mockito.when(stringUtil.toCamelCaseAllWords(Mockito.anyString())).thenReturn(userProfile.getFirstName());
+ Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException());
+ thrown.expect(WebApplicationException.class);
 XXPortalUser dbXXPortalUser = userMgr.updateUser(userProfile);
 Assert.assertNotNull(dbXXPortalUser);
 Mockito.when(stringUtil.isEmpty(Mockito.anyString())).thenReturn(true);
@@ -1970,7 +2032,7 @@ public void test45ChangePassword() {
 invalidpwdChange.setOldPassword("invalidOldPassword");
 invalidpwdChange.setEmailAddress(userProfile.getEmailAddress());
 invalidpwdChange.setUpdPassword(userProfile.getPassword());
- Mockito.when(restErrorUtil.createRESTException("serverMsg.userMgrOldPassword",MessageEnums.INVALID_INPUT_DATA, null, null, invalidpwdChange.getLoginId())).thenThrow(new WebApplicationException());
+ Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException());
 thrown.expect(WebApplicationException.class);
 userMgr.changePassword(invalidpwdChange);
 }
@@ -1980,8 +2042,8 @@ public void test46ChangePassword() {
 destroySession();
 setupUser();
 VXPortalUser userProfile = userProfile();
- XXPortalUser user2 = new XXPortalUser();
- user2.setId(userId);
+ XXPortalUser gjUser = new XXPortalUser();
+ gjUser.setId(userId);
 VXPasswordChange invalidpwdChange = new VXPasswordChange();
 invalidpwdChange.setId(userProfile.getId());
 invalidpwdChange.setLoginId(userProfile.getLoginId()+1);
@@ -1991,10 +2053,9 @@ public void test46ChangePassword() {
 XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class);
 Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
- Mockito.when(userDao.findByLoginId(userProfile.getLoginId())).thenReturn(user2);
- Mockito.when(userDao.findByLoginId(invalidpwdChange.getLoginId())).thenReturn(null);
+ Mockito.when(userDao.findByLoginId(invalidpwdChange.getLoginId())).thenReturn(gjUser);
- Mockito.when(restErrorUtil.createRESTException("serverMsg.userMgrInvalidUser",MessageEnums.DATA_NOT_FOUND, null, null, invalidpwdChange.getLoginId())).thenThrow(new WebApplicationException());
+ Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException());
 thrown.expect(WebApplicationException.class);
 userMgr.changePassword(invalidpwdChange);
 }
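Review bot: `gjUser` is an opaque name (initials?) for what used to be `user2`; the object now stands for the account that `invalidpwdChange.getLoginId()` resolves to, so `targetUser` or `otherUser` would say what it is, e.g. `XXPortalUser targetUser = new XXPortalUser();`. With `findByLoginId` now returning a user for the `loginId+1` value, the "unknown login id" scenario this test was written for (`serverMsg.userMgrInvalidUser`, DATA_NOT_FOUND) has no visible coverage left in the file; either rename the test to match its new forbidden-path purpose or keep a second test for the not-found branch.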
@@ -2024,6 +2085,26 @@ public void test47ChangePasswordAsUser() {
 Mockito.when(stringUtil.equals(Mockito.anyString(), Mockito.nullable(String.class))).thenReturn(true);
 Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
 Mockito.when(stringUtil.validatePassword(Mockito.anyString(), Mockito.any(String[].class))).thenReturn(true);
+ Mockito.when(userDao.findByLoginId(Mockito.anyString())).thenReturn(user);
+ XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class);
+ Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao);
+ List xPortalUserRoleList = new ArrayList();
+ XXPortalUserRole XXPortalUserRole = new XXPortalUserRole();
+ XXPortalUserRole.setId(userId);
+ XXPortalUserRole.setUserId(userId);
+ XXPortalUserRole.setUserRole("ROLE_USER");
+ xPortalUserRoleList.add(XXPortalUserRole);
+ XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class);
+ XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class);
+ Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao);
+ List xUserPermissionsList = new ArrayList();
+ List xGroupPermissionList = new ArrayList();
+ Mockito.when(xUserPermissionDao.findByUserPermissionIdAndIsAllowed(userProfile.getId())).thenReturn(xUserPermissionsList);
+ Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao);
+ Mockito.when(xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())).thenReturn(xGroupPermissionList);
+ XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class);
+ Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(roleDao);
+ Mockito.when(roleDao.findByParentId(Mockito.anyLong())).thenReturn(xPortalUserRoleList);
 Mockito.when(restErrorUtil.createRESTException("serverMsg.userMgrOldPassword",MessageEnums.INVALID_INPUT_DATA, user.getId(), "password", user.toString())).thenThrow(new WebApplicationException());
 thrown.expect(WebApplicationException.class);
userMgr.changePassword(pwdChange); 
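Review bot: `XXPortalUserRole XXPortalUserRole = new XXPortalUserRole();` names the local after its own type, which shadows the class for the rest of the method and makes the next three `XXPortalUserRole.setX(...)` lines read like static calls; rename it `xPortalUserRole`. `daoManager.getXXPortalUserRole()` is stubbed twice in this hunk — first with `xPortalUserRoleDao`, then with `roleDao` — so the first mock and its stubbing are dead and should be dropped. test48ChangePasswordAsUser in the next hunk repeats these twenty lines verbatim; a private helper such as `stubRolesAndPermissionsFor(userProfile, user)` would keep the two in step and make it clear that only the `validatePassword` stub differs between them. test47's body starts above the hunk.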
@@ -2053,6 +2134,26 @@ public void test48ChangePasswordAsUser() {
 Mockito.when(stringUtil.equals(Mockito.anyString(), Mockito.nullable(String.class))).thenReturn(true);
 Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
 Mockito.when(stringUtil.validatePassword(Mockito.anyString(), Mockito.any(String[].class))).thenReturn(false);
+ Mockito.when(userDao.findByLoginId(Mockito.anyString())).thenReturn(user);
+ XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class);
+ Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao);
+ List xPortalUserRoleList = new ArrayList();
+ XXPortalUserRole XXPortalUserRole = new XXPortalUserRole();
+ XXPortalUserRole.setId(userId);
+ XXPortalUserRole.setUserId(userId);
+ XXPortalUserRole.setUserRole("ROLE_USER");
+ xPortalUserRoleList.add(XXPortalUserRole);
+ XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class);
+ XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class);
+ Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao);
+ List xUserPermissionsList = new ArrayList();
+ List xGroupPermissionList = new ArrayList();
+ Mockito.when(xUserPermissionDao.findByUserPermissionIdAndIsAllowed(userProfile.getId())).thenReturn(xUserPermissionsList);
+ Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao);
+ Mockito.when(xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())).thenReturn(xGroupPermissionList);
+ XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class);
+ Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(roleDao);
+ Mockito.when(roleDao.findByParentId(Mockito.anyLong())).thenReturn(xPortalUserRoleList);
 Mockito.when(restErrorUtil.createRESTException("serverMsg.userMgrNewPassword",MessageEnums.INVALID_PASSWORD, null, null, pwdChange.getLoginId())).thenThrow(new WebApplicationException());
 thrown.expect(WebApplicationException.class);
 userMgr.changePassword(pwdChange);
@@ -2139,10 +2240,7 @@ public void test51UpdateUserWithPass() {
 user.setPassword(encryptedPwd);
 Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
 Mockito.when(userDao.getById(userProfile.getId())).thenReturn(user);
- Mockito.when(stringUtil.validateEmail(Mockito.anyString())).thenReturn(true);
- Mockito.doNothing().when(rangerBizUtil).blockAuditorRoleUser();
- Mockito.when(stringUtil.validatePassword(Mockito.anyString(), Mockito.any(String[].class))).thenReturn(false);
- Mockito.when(restErrorUtil.createRESTException("serverMsg.userMgrNewPassword", MessageEnums.INVALID_PASSWORD, null, null, user.getId().toString())).thenThrow(new WebApplicationException());
+ Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException());
 thrown.expect(WebApplicationException.class);
 userMgr.updateUserWithPass(userProfile);
 }
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
index de342e994c..647891ef36 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
@@ -107,7 +107,6 @@
 import org.apache.ranger.view.VXAuditMap;
 import org.apache.ranger.view.VXAuditMapList;
 import org.apache.ranger.view.VXGroup;
-import org.apache.ranger.view.VXGroupGroup;
 import org.apache.ranger.view.VXGroupList;
 import org.apache.ranger.view.VXGroupPermission;
 import org.apache.ranger.view.VXGroupUser;
@@ -418,15 +417,6 @@ private VXGroupUser vxGroupUser(){
 return vxGroupUser;
 }
- private VXGroupGroup vxGroupGroup(){
- VXGroupGroup vXGroupGroup = new VXGroupGroup();
- vXGroupGroup.setId(userId);
- vXGroupGroup.setName("group user test");
- vXGroupGroup.setOwner("Admin");
- vXGroupGroup.setUpdatedBy("User");
- return vXGroupGroup;
- }
-
 private XXGroupGroup xxGroupGroup(){
 XXGroupGroup xXGroupGroup = new XXGroupGroup();
 xXGroupGroup.setId(userId);
@@ -643,7 +633,8 @@ public void test01CreateXUser() {
 loggedInUser.setName("testuser");
 loggedInUser.setUserRoleList(loggedInUserRole);
 Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(loggedInUser);
-
+ Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException());
+ thrown.expect(WebApplicationException.class);
 VXUser dbvxUser = xUserMgr.getXUser(userId);
 Mockito.verify(userMgr).createDefaultAccountUser((VXPortalUser) Mockito.any());
 Assert.assertNotNull(dbvxUser);
@@ -785,6 +776,13 @@ public void test05UpdateXUser() {
 VXUserPermission vXUserPermission = vxUserPermission();
 Mockito.when(xUserPermissionService.createResource((VXUserPermission) Mockito.any())).thenReturn(vXUserPermission);
 Mockito.when(sessionMgr.getActiveUserSessionsForPortalUserId(userId)).thenReturn(userSessions);
+ VXUser loggedInUser = vxUser();
+ List loggedInUserRole = new ArrayList();
+ loggedInUserRole.add(RangerConstants.ROLE_SYS_ADMIN);
+ loggedInUser.setId(8L);
+ loggedInUser.setName("testuser");
+ loggedInUser.setUserRoleList(loggedInUserRole);
+ Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(loggedInUser);
 VXUser dbvxUser = xUserMgr.updateXUser(vxUser);
 Assert.assertNotNull(dbvxUser);
 Assert.assertEquals(dbvxUser.getId(), vxUser.getId());
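Review bot: In test01CreateXUser the `Mockito.verify(userMgr).createDefaultAccountUser(...)` and `Assert.assertNotNull(dbvxUser)` lines after the new `thrown.expect` can never execute, so the test stops verifying that a default account user is created and only checks that `getXUser(userId)` is refused — yet the session stubbed three lines above carries ROLE_SYS_ADMIN, and why an admin is refused is not visible here. If an admin should be allowed, the 403 stub and `thrown.expect` should go and the original assertions be restored; if a forbidden case is intended, move it to its own test whose last statement is the `getXUser` call. test01's body starts above the hunk.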
@@ -1117,8 +1115,6 @@ public void test20DeleteXGroup() {
 List xXGroupGroups = new ArrayList();
 XXGroupGroup xXGroupGroup = xxGroupGroup();
 xXGroupGroups.add(xXGroupGroup);
- Mockito.when(daoManager.getXXGroupGroup()).thenReturn(xXGroupGroupDao);
- Mockito.when(xXGroupGroupDao.findByGroupId(userId)).thenReturn(xXGroupGroups);
 XXGroupPermissionDao xXGroupPermissionDao= Mockito.mock(XXGroupPermissionDao.class);
 Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xXGroupPermissionDao);
 List xXGroupPermissions=new ArrayList();
@@ -1678,9 +1674,7 @@ public void test36getGroupsForUser() {
 @Test
 public void test37setUserRolesByExternalID() {
 setup();
- XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class);
 VXUser vXUser = vxUser();
- VXPortalUser userProfile = userProfile();
 List vStringRolesList = new ArrayList();
 VXString vXStringObj = new VXString();
 vXStringObj.setValue("ROLE_USER");
@@ -1700,10 +1694,7 @@ public void test37setUserRolesByExternalID() {
 List groupPermList = new ArrayList();
 VXGroupPermission groupPermission = vxGroupPermission();
 groupPermList.add(groupPermission);
- Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao);
- Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn(xPortalUserRoleList);
 Mockito.when(xUserMgr.getXUser(userId)).thenReturn(vXUser);
- Mockito.when(userMgr.getUserProfileByLoginId(vXUser.getName())).thenReturn(userProfile);
 List permissionList = new ArrayList();
 permissionList.add(RangerConstants.MODULE_USER_GROUPS);
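Review bot: With both `getXXGroupGroup()` stubs removed from test20DeleteXGroup, the `xXGroupGroups` list built on the first three context lines is no longer consumed by anything in the hunk, and the `xXGroupGroupDao` mock it was wired to (declared above the hunk, not visible) presumably is not either; delete that setup rather than leave fixtures suggesting group-to-group membership is still consulted in `deleteXGroup`. The same leftover list and mock appear in test95DeleteXGroup (the two hunks near the end of this file).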
@@ -1715,11 +1706,9 @@ public void test37setUserRolesByExternalID() {
 loggedInUser.setName("testuser");
 loggedInUser.setUserRoleList(loggedInUserRole);
 Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(loggedInUser);
-
- XXModuleDefDao mockxxModuleDefDao = Mockito.mock(XXModuleDefDao.class);
- Mockito.when(daoManager.getXXModuleDef()).thenReturn(mockxxModuleDefDao);
- Mockito.when(mockxxModuleDefDao.findAccessibleModulesByUserId(8L, 8L)).thenReturn(permissionList);
-
+
+ Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException());
+ thrown.expect(WebApplicationException.class);
 VXStringList vXStringList = xUserMgr.setUserRolesByExternalID(userId,vStringRolesList);
 Assert.assertNotNull(vXStringList);
 }
@@ -1749,7 +1738,6 @@ public void test38setUserRolesByExternalID() {
 VXGroupPermission groupPermission = vxGroupPermission();
 groupPermList.add(groupPermission);
 Mockito.when(xUserMgr.getXUser(userId)).thenReturn(vXUser);
- Mockito.when(userMgr.getUserProfileByLoginId(vXUser.getName())).thenReturn(null);
 List permissionList = new ArrayList();
 permissionList.add(RangerConstants.MODULE_USER_GROUPS);
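Review bot: `Assert.assertNotNull(vXStringList)` is unreachable once `thrown.expect` is armed and the SC_FORBIDDEN stub throws out of `setUserRolesByExternalID`, so test37 now only checks that the `testuser`/ROLE_SYS_ADMIN session stubbed above is refused, and the authorized path of assigning roles by external id has no visible coverage left. test38 (next hunk), test42 and test43 (further down) follow the same pattern, and in test42/test43 the follow-on `Please provide a valid ID` / `User ID doesn't exist.` stubs and calls become dead too. The `permissionList` built in the preceding hunk is now unused here since the `findAccessibleModulesByUserId` stub was dropped; remove it or restore a positive test that consumes it.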
@@ -1761,12 +1749,8 @@ public void test38setUserRolesByExternalID() {
 loggedInUser.setName("testuser");
 loggedInUser.setUserRoleList(loggedInUserRole);
 Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(loggedInUser);
-
- XXModuleDefDao mockxxModuleDefDao = Mockito.mock(XXModuleDefDao.class);
- Mockito.when(daoManager.getXXModuleDef()).thenReturn(mockxxModuleDefDao);
- Mockito.when(mockxxModuleDefDao.findAccessibleModulesByUserId(8L, 8L)).thenReturn(permissionList);
-
- Mockito.when(restErrorUtil.createRESTException("User ID doesn't exist.",MessageEnums.INVALID_INPUT_DATA)).thenThrow(new WebApplicationException());
+
+ Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException());
 thrown.expect(WebApplicationException.class);
 xUserMgr.setUserRolesByExternalID(userId, vStringRolesList);
 }
@@ -1806,7 +1790,6 @@ public void test39setUserRolesByExternalID() {
 public void test40setUserRolesByName() {
 destroySession();
 setup();
- XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class);
 VXPortalUser userProfile = userProfile();
 List vStringRolesList = new ArrayList();
 VXString vXStringObj = new VXString();
@@ -1827,13 +1810,10 @@ public void test40setUserRolesByName() {
 List groupPermList = new ArrayList();
 VXGroupPermission groupPermission = vxGroupPermission();
 groupPermList.add(groupPermission);
- Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao);
- Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn(xPortalUserRoleList);
- Mockito.when(userMgr.getUserProfileByLoginId(userProfile.getLoginId())).thenReturn(userProfile);
- VXStringList vXStringList = xUserMgr.setUserRolesByName(userProfile.getLoginId(), vStringRolesList);
- Assert.assertNotNull(vXStringList);
 Mockito.when(restErrorUtil.createRESTException("Login ID doesn't exist.",MessageEnums.INVALID_INPUT_DATA)).thenThrow(new WebApplicationException());
 thrown.expect(WebApplicationException.class);
+ VXStringList vXStringList = xUserMgr.setUserRolesByName(userProfile.getLoginId(), vStringRolesList);
+ Assert.assertNotNull(vXStringList);
 xUserMgr.setUserRolesByName(null, vStringRolesList);
 }
@@ -1841,7 +1821,6 @@ public void test40setUserRolesByName() {
 public void test41setUserRolesByName() {
 destroySession();
 setup();
- XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class);
 VXPortalUser userProfile = userProfile();
 List vStringRolesList = new ArrayList();
 VXString vXStringObj = new VXString();
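Review bot: Moving `thrown.expect(WebApplicationException.class)` ahead of the first `setUserRolesByName(userProfile.getLoginId(), …)` call makes test40 pass as soon as any WebApplicationException escapes that call, so `Assert.assertNotNull(vXStringList)` and the `setUserRolesByName(null, …)` call that the `Login ID doesn't exist.` stub was written for are never reached. With the `getUserProfileByLoginId` stub removed, the first call presumably raises that same error itself, which means the test no longer distinguishes a valid login id from a null one. Keep the positive call before the stub and `thrown.expect` (as the old ordering did), or split the null case into its own test. test41setUserRolesByName (next hunk) has the identical structure.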
@@ -1862,13 +1841,10 @@ public void test41setUserRolesByName() {
 List groupPermList = new ArrayList();
 VXGroupPermission groupPermission = vxGroupPermission();
 groupPermList.add(groupPermission);
- Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao);
- Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn(xPortalUserRoleList);
- Mockito.when(userMgr.getUserProfileByLoginId(userProfile.getLoginId())).thenReturn(userProfile);
- VXStringList vXStringList = xUserMgr.setUserRolesByName(userProfile.getLoginId(), vStringRolesList);
- Assert.assertNotNull(vXStringList);
 Mockito.when(restErrorUtil.createRESTException("Login ID doesn't exist.",MessageEnums.INVALID_INPUT_DATA)).thenThrow(new WebApplicationException());
 thrown.expect(WebApplicationException.class);
+ VXStringList vXStringList = xUserMgr.setUserRolesByName(userProfile.getLoginId(), vStringRolesList);
+ Assert.assertNotNull(vXStringList);
 xUserMgr.setUserRolesByName(null, vStringRolesList);
 }
@@ -1876,9 +1852,7 @@ public void test41setUserRolesByName() {
 public void test42getUserRolesByExternalID() {
 destroySession();
 setup();
- XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class);
 VXUser vXUser = vxUser();
- VXPortalUser userProfile = userProfile();
 List vStringRolesList = new ArrayList();
 VXString vXStringObj = new VXString();
 vXStringObj.setValue("ROLE_USER");
@@ -1898,10 +1872,7 @@ public void test42getUserRolesByExternalID() {
 List groupPermList = new ArrayList();
 VXGroupPermission groupPermission = vxGroupPermission();
 groupPermList.add(groupPermission);
- Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao);
- Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn(xPortalUserRoleList);
 Mockito.when(xUserMgr.getXUser(userId)).thenReturn(vXUser);
- Mockito.when(userMgr.getUserProfileByLoginId(vXUser.getName())).thenReturn(userProfile);
 List permissionList = new ArrayList();
 permissionList.add(RangerConstants.MODULE_USER_GROUPS);
@@ -1913,11 +1884,8 @@ public void test42getUserRolesByExternalID() {
 loggedInUser.setName("testuser");
 loggedInUser.setUserRoleList(loggedInUserRole);
 Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(loggedInUser);
-
- XXModuleDefDao mockxxModuleDefDao = Mockito.mock(XXModuleDefDao.class);
- Mockito.when(daoManager.getXXModuleDef()).thenReturn(mockxxModuleDefDao);
- Mockito.when(mockxxModuleDefDao.findAccessibleModulesByUserId(8L, 8L)).thenReturn(permissionList);
-
+ Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException());
+ thrown.expect(WebApplicationException.class);
 VXStringList vXStringList = xUserMgr.getUserRolesByExternalID(userId);
 Assert.assertNotNull(vXStringList);
 Mockito.when(restErrorUtil.createRESTException("Please provide a valid ID",MessageEnums.INVALID_INPUT_DATA)).thenThrow(new WebApplicationException());
@@ -1930,9 +1898,7 @@ public void test42getUserRolesByExternalID() {
 public void test43getUserRolesByExternalID() {
 destroySession();
 setup();
- XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class);
 VXUser vXUser = vxUser();
- VXPortalUser userProfile = userProfile();
 List vStringRolesList = new ArrayList();
 VXString vXStringObj = new VXString();
 vXStringObj.setValue("ROLE_USER");
@@ -1952,10 +1918,7 @@ public void test43getUserRolesByExternalID() {
 List groupPermList = new ArrayList();
 VXGroupPermission groupPermission = vxGroupPermission();
 groupPermList.add(groupPermission);
- Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao);
- Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn(xPortalUserRoleList);
 Mockito.when(xUserMgr.getXUser(userId)).thenReturn(vXUser);
- Mockito.when(userMgr.getUserProfileByLoginId(vXUser.getName())).thenReturn(userProfile);
 List permissionList = new ArrayList();
 permissionList.add(RangerConstants.MODULE_USER_GROUPS);
@@ -1967,11 +1930,8 @@ public void test43getUserRolesByExternalID() {
 loggedInUser.setName("testuser");
 loggedInUser.setUserRoleList(loggedInUserRole);
 Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(loggedInUser);
-
- XXModuleDefDao mockxxModuleDefDao = Mockito.mock(XXModuleDefDao.class);
- Mockito.when(daoManager.getXXModuleDef()).thenReturn(mockxxModuleDefDao);
- Mockito.when(mockxxModuleDefDao.findAccessibleModulesByUserId(8L, 8L)).thenReturn(permissionList);
-
+ Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException());
+ thrown.expect(WebApplicationException.class);
 VXStringList vXStringList = xUserMgr.getUserRolesByExternalID(userId);
 Assert.assertNotNull(vXStringList);
 Mockito.when(restErrorUtil.createRESTException("User ID doesn't exist.",MessageEnums.INVALID_INPUT_DATA)).thenThrow(new WebApplicationException());
@@ -2011,6 +1971,15 @@ public void test44getUserRolesByName() {
 Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao);
 Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn(xPortalUserRoleList);
 Mockito.when(userMgr.getUserProfileByLoginId(userProfile.getLoginId())).thenReturn(userProfile);
+ VXUser loggedInUser = vxUser();
+ List loggedInUserRole = new ArrayList();
+ loggedInUserRole.add(RangerConstants.ROLE_SYS_ADMIN);
+ loggedInUser.setId(8L);
+ loggedInUser.setName("admin");
+ loggedInUser.setUserRoleList(loggedInUserRole);
+ Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(loggedInUser);
+ VXUser testuser = vxUser();
+ Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(testuser);
 VXStringList vXStringList = xUserMgr.getUserRolesByName(userProfile.getLoginId());
 Assert.assertNotNull(vXStringList);
 Mockito.when(restErrorUtil.createRESTException("Please provide a valid userName",MessageEnums.INVALID_INPUT_DATA)).thenThrow(new WebApplicationException());
@@ -2050,6 +2019,15 @@ public void test45getUserRolesByName() {
 Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao);
 Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn(xPortalUserRoleList);
 Mockito.when(userMgr.getUserProfileByLoginId(userProfile.getLoginId())).thenReturn(userProfile);
+ VXUser loggedInUser = vxUser();
+ List loggedInUserRole = new ArrayList();
+ loggedInUserRole.add(RangerConstants.ROLE_SYS_ADMIN);
+ loggedInUser.setId(8L);
+ loggedInUser.setName("admin");
+ loggedInUser.setUserRoleList(loggedInUserRole);
+ Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(loggedInUser);
+ VXUser testuser = vxUser();
+ Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(testuser);
 VXStringList vXStringList = xUserMgr.getUserRolesByName(userProfile.getLoginId());
 Assert.assertNotNull(vXStringList);
 Mockito.when(restErrorUtil.createRESTException("Please provide a valid userName",MessageEnums.INVALID_INPUT_DATA)).thenThrow(new WebApplicationException());
@@ -2077,10 +2055,6 @@ public void test47searchXUsers() {
 testSearchCriteria.addParam("name", userName);
 Mockito.when(xUserService.getXUserByUserName(userName)).thenReturn(vxUser);
 Mockito.when(xUserService.searchXUsers(testSearchCriteria)).thenReturn(vXUserListSort);
- VXGroupUserList vxGroupUserList = vxGroupUserList();
- Mockito.when(xGroupUserService.searchXGroupUsers((SearchCriteria) Mockito.any())).thenReturn(vxGroupUserList);
- VXGroup group = vxGroup();
- Mockito.when(xGroupService.readResource(Mockito.anyLong())).thenReturn(group);
 VXUserList dbVXUserList = xUserMgr.searchXUsers(testSearchCriteria);
 Assert.assertNotNull(dbVXUserList);
 testSearchCriteria.addParam("isvisible", "true");
@@ -2373,45 +2347,6 @@ public void test55updateXGroupUser() {
 Mockito.verify(xGroupUserService).updateResource((VXGroupUser) Mockito.any());
 }
- @Test
- public void test56createXGroupGroup() {
- setup();
- VXUser vxUser = vxUser();
- vxUser.setUserSource(RangerCommonEnums.USER_EXTERNAL);
- VXGroupGroup vXGroupGroup = vxGroupGroup();
- Mockito.when(xGroupGroupService.createResource((VXGroupGroup) Mockito.any())).thenReturn(vXGroupGroup);
- VXGroupGroup dbvXGroupGroup = xUserMgr.createXGroupGroup(vXGroupGroup);
- Assert.assertNotNull(dbvXGroupGroup);
- Assert.assertEquals(dbvXGroupGroup.getId(), vXGroupGroup.getId());
- Assert.assertEquals(dbvXGroupGroup.getName(), vXGroupGroup.getName());
- Mockito.verify(xGroupGroupService).createResource((VXGroupGroup) Mockito.any());
- }
-
- @Test
- public void test57updateXGroupGroup() {
- setup();
- VXUser vxUser = vxUser();
- vxUser.setUserSource(RangerCommonEnums.USER_EXTERNAL);
- VXGroupGroup vXGroupGroup = vxGroupGroup();
- Mockito.when(xGroupGroupService.updateResource((VXGroupGroup) Mockito.any())).thenReturn(vXGroupGroup);
- VXGroupGroup dbvXGroupGroup = xUserMgr.updateXGroupGroup(vXGroupGroup);
- Assert.assertNotNull(dbvXGroupGroup);
- Assert.assertEquals(dbvXGroupGroup.getId(), vXGroupGroup.getId());
- Assert.assertEquals(dbvXGroupGroup.getName(), vXGroupGroup.getName());
- Mockito.verify(xGroupGroupService).updateResource((VXGroupGroup) Mockito.any());
- }
-
- @Test
- public void test58deleteXGroupGroup() {
- setup();
- VXUser vxUser = vxUser();
- vxUser.setUserSource(RangerCommonEnums.USER_EXTERNAL);
- VXGroupGroup vXGroupGroup = vxGroupGroup();
- Mockito.when(xGroupGroupService.deleteResource((Long) Mockito.any())).thenReturn(true);
- xUserMgr.deleteXGroupGroup(vXGroupGroup.getId(),true);
- Mockito.verify(xGroupGroupService).deleteResource((Long) Mockito.any());
- }
-
 @Test
 public void test59deleteXGroupUser() {
 setup();
@@ -2477,10 +2412,6 @@ public void test63searchXUsers_Cases() {
 testSearchCriteria.addParam("name", userName);
 Mockito.when(xUserService.getXUserByUserName(userName)).thenReturn(vxUser);
 Mockito.when(xUserService.searchXUsers(testSearchCriteria)).thenReturn(vXUserListSort);
- VXGroupUserList vxGroupUserList = vxGroupUserList();
- Mockito.when(xGroupUserService.searchXGroupUsers((SearchCriteria) Mockito.any())).thenReturn(vxGroupUserList);
- VXGroup vXGroup = vxGroup();
- Mockito.when(xGroupService.readResource(Mockito.anyLong())).thenReturn(vXGroup);
 VXUserList dbVXUserList = xUserMgr.searchXUsers(testSearchCriteria);
 Assert.assertNotNull(dbVXUserList);
 testSearchCriteria.addParam("isvisible", "true");
@@ -2647,6 +2578,13 @@ public void test72UpdateXUser() {
 UserSessionBase userSession = Mockito.mock(UserSessionBase.class);
 Set userSessions = new HashSet();
 userSessions.add(userSession);
+ VXUser loggedInUser = vxUser();
+ List loggedInUserRole = new ArrayList();
+ loggedInUserRole.add(RangerConstants.ROLE_SYS_ADMIN);
+ loggedInUser.setId(8L);
+ loggedInUser.setName("testuser");
+ loggedInUser.setUserRoleList(loggedInUserRole);
+ Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(loggedInUser);
 VXUser dbvxUser = xUserMgr.updateXUser(vxUser);
 Assert.assertNotNull(dbvxUser);
 Assert.assertEquals(dbvxUser.getId(), vxUser.getId());
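Review bot: In test72UpdateXUser the session user is named `"testuser"` but stubbed under `getXUserByUserName("admin")`, so the fixture describes one identity and answers for another; test44/test45 above use `"admin"` for both, and test05UpdateXUser (earlier hunk) has the same mismatch. Use `loggedInUser.setName("admin");` here and in test05, or extract the seven-line block into a helper such as `stubLoggedInAdmin()` since it is now copied into at least five tests in this file.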
@@ -2777,18 +2715,25 @@ public void test77updateUserRolesPermissions() {
 public void test78checkAccess() {
 destroySession();
 setupUser();
+ VXUser vxUser = vxUser();
 Mockito.when(restErrorUtil.create403RESTException(Mockito.anyString())).thenThrow(new WebApplicationException());
 thrown.expect(WebApplicationException.class);
- xUserMgr.checkAccess("testuser2");
+ xUserMgr.checkAccess(vxUser);
 }
 @Test
 public void test79checkAccess() {
 destroySession();
+ VXUser vxUser = vxUser();
+ VXUser loggedInUser = vxUser();
+ List loggedInUserRole = new ArrayList();
+ loggedInUserRole.add(RangerConstants.ROLE_SYS_ADMIN);
+ loggedInUser.setId(8L);
+ loggedInUser.setName("admin");
+ loggedInUser.setUserRoleList(loggedInUserRole);
 Mockito.when(restErrorUtil.generateRESTException((VXResponse)Mockito.any())).thenThrow(new WebApplicationException());
 thrown.expect(WebApplicationException.class);
- VXPortalUser vXPortalUser = userProfile();
- xUserMgr.checkAccess(vXPortalUser.getLoginId());
+ xUserMgr.checkAccess(vxUser);
 }
 @Test
@@ -3133,8 +3078,6 @@ public void test95DeleteXGroup() {
 vXAuditMaps.add(vXAuditMap);
 XXGroupGroupDao xXGroupGroupDao = Mockito.mock(XXGroupGroupDao.class);
 List xXGroupGroups = new ArrayList();
- Mockito.when(daoManager.getXXGroupGroup()).thenReturn(xXGroupGroupDao);
- Mockito.when(xXGroupGroupDao.findByGroupId(userId)).thenReturn(xXGroupGroups);
 XXGroupPermissionDao xXGroupPermissionDao= Mockito.mock(XXGroupPermissionDao.class);
 Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xXGroupPermissionDao);
 List xXGroupPermissions=new ArrayList();
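Review bot: In test79checkAccess the `loggedInUser` built with ROLE_SYS_ADMIN is never handed to any mock (there is no `Mockito.when(xUserService.getXUserByUserName(...))` for it), so those six lines are dead setup and the test still exercises only the no-session path after `destroySession()`; drop them or wire them up. In test78 the stub kept is `create403RESTException(Mockito.anyString())`, while every other updated test in this file expects the refusal through `createRESTException(SC_FORBIDDEN, ...)`; it is worth confirming that `checkAccess(VXUser)` really still goes through `create403RESTException`, because if it does not, the stub never fires and the test fails with a different exception rather than the expected one.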
@@ -3174,9 +3117,7 @@ public void test95DeleteXGroup() { Mockito.when(xAuditMapService.searchXAuditMaps((SearchCriteria) Mockito.any())).thenReturn(new VXAuditMapList()); XXGroupGroup xXGroupGroup = xxGroupGroup(); xXGroupGroups.add(xXGroupGroup); - Mockito.when(xXGroupGroupDao.findByGroupId(userId)).thenReturn(xXGroupGroups); xUserMgr.deleteXGroup(vXGroup.getId(), force); - Mockito.when(xXGroupGroupDao.findByGroupId(userId)).thenReturn(new ArrayList()); XXGroupPermission xGroupPermissionObj = xxGroupPermission(); xXGroupPermissions.add(xGroupPermissionObj); Mockito.when(xXGroupPermissionDao.findByGroupId(vXGroup.getId())).thenReturn(xXGroupPermissions); @@ -3396,7 +3337,7 @@ public void test101getAdminUserDetailsWithUserHavingUSER_ROLE() { vxUser.setUserSource(RangerCommonEnums.USER_UNIX); Mockito.when(xUserService.readResourceWithOutLogin(5L)).thenReturn(vxUser); Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(loggedInUser); - Mockito.when(restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.")).thenThrow(new WebApplicationException()); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); thrown.expect(WebApplicationException.class); xUserMgr.getXUser(5L); } 
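Review bot: The new stub in test101 matches `createRESTException` on the exact message text, so any rewording of "Logged-In user is not allowed to access requested user data" in XUserMgr silently leaves the mock returning null and the test fails for a reason unrelated to the authorization decision it is meant to pin. Matching on the status code keeps the test about access control: `Mockito.when(restErrorUtil.createRESTException(Mockito.eq(HttpServletResponse.SC_FORBIDDEN), Mockito.anyString(), Mockito.anyBoolean())).thenThrow(new WebApplicationException());`. The identical stub is repeated in test102 through test105, so a small private helper such as `expectForbidden()` would keep them in step. The meaning of the trailing `true` argument is not visible here; a named local would make the intent readable.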
@@ -3431,7 +3372,7 @@ public void test102getKeyAdminUserDetailsWithUserHavingUSER_ROLE() { vxUser.setUserSource(RangerCommonEnums.USER_UNIX); Mockito.when(xUserService.readResourceWithOutLogin(5L)).thenReturn(vxUser); Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(loggedInUser); - Mockito.when(restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.")).thenThrow(new WebApplicationException()); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); thrown.expect(WebApplicationException.class); xUserMgr.getXUser(5L); } @@ -3466,7 +3407,7 @@ public void test103getAdminAuditorUserDetailsWithUserHavingUSER_ROLE() { vxUser.setUserSource(RangerCommonEnums.USER_UNIX); Mockito.when(xUserService.readResourceWithOutLogin(5L)).thenReturn(vxUser); Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(loggedInUser); - Mockito.when(restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.")).thenThrow(new WebApplicationException()); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); thrown.expect(WebApplicationException.class); xUserMgr.getXUser(5L); } 
@@ -3501,7 +3442,7 @@ public void test104getKeyAdminAuditorUserDetailsWithUserHavingUSER_ROLE() { vxUser.setUserSource(RangerCommonEnums.USER_UNIX); Mockito.when(xUserService.readResourceWithOutLogin(5L)).thenReturn(vxUser); Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(loggedInUser); - Mockito.when(restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.")).thenThrow(new WebApplicationException()); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); thrown.expect(WebApplicationException.class); xUserMgr.getXUser(5L); } @@ -3546,7 +3487,7 @@ public void test105getUserDetailsOfItsOwn() { Assert.assertNotNull(expectedVXUser); Assert.assertEquals(expectedVXUser.getName(), vxUser.getName()); destroySession(); - Mockito.when(restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.")).thenThrow(new WebApplicationException()); + Mockito.when(restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true)).thenThrow(new WebApplicationException()); thrown.expect(WebApplicationException.class); xUserMgr.getXUser(8L); } 
@@ -3863,6 +3804,14 @@ public void test111CreateOrUpdateXUsers() { Mockito.when(xUserPermissionDao.findByModuleIdAndPortalUserId(null, null)).thenReturn(xUserPermissionObj); Mockito.when(xUserPermissionService.populateViewBean(xUserPermissionObj)).thenReturn(userPermission); Mockito.when(xUserPermissionService.updateResource((VXUserPermission) Mockito.any())).thenReturn(userPermission); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(xXPortalUserDao); + VXUser loggedInUser = vxUser(); + List loggedInUserRole = new ArrayList(); + loggedInUserRole.add(RangerConstants.ROLE_SYS_ADMIN); + loggedInUser.setId(8L); + loggedInUser.setName("testuser"); + loggedInUser.setUserRoleList(loggedInUserRole); + Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(loggedInUser); int createdOrUpdatedUserCount = xUserMgr.createOrUpdateXUsers(users); Assert.assertEquals(createdOrUpdatedUserCount, 1); } @@ -3923,6 +3872,14 @@ public void test112CreateOrUpdateXUsers() { Mockito.when(xUserService.createResource((VXUser) Mockito.any())).thenReturn(vXUser); Mockito.when(xUserPermissionService.populateViewBean(xUserPermissionObj)).thenReturn(userPermission); Mockito.when(xUserPermissionService.updateResource((VXUserPermission) Mockito.any())).thenReturn(userPermission); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); + VXUser loggedInUser = vxUser(); + List loggedInUserRole = new ArrayList(); + loggedInUserRole.add(RangerConstants.ROLE_SYS_ADMIN); + loggedInUser.setId(8L); + loggedInUser.setName("testuser"); + loggedInUser.setUserRoleList(loggedInUserRole); + Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(loggedInUser); xUserMgr.createOrUpdateXUsers(users); vXUser.setPassword("*****"); 
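Review bot: The eight added lines in test111CreateOrUpdateXUsers duplicate the logged-in-admin fixture that test72, test112 and test113 also paste in, and in every copy the stub is keyed on `"admin"` while the returned user is named `"testuser"`, so a name-based self-check in createOrUpdateXUsers would be exercised with inconsistent data. A single helper that takes the name removes both the repetition and the mismatch; the stub then becomes `Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(sysAdminUser("admin"));`. As in the other hunks, only the admin-allowed path is covered — a non-admin caller invoking createOrUpdateXUsers has no test. The body of test111 starts before this hunk.
```java
/** Logged-in caller holding ROLE_SYS_ADMIN, as XUserMgr resolves it through xUserService.getXUserByUserName(). */
private VXUser sysAdminUser(String name) {
    VXUser user = vxUser();
    List<String> roles = new ArrayList<>();
    roles.add(RangerConstants.ROLE_SYS_ADMIN);
    user.setId(8L);
    user.setName(name);
    user.setUserRoleList(roles);
    return user;
}
// … unchanged: existing DAO/service stubs in test111CreateOrUpdateXUsers …
Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(sysAdminUser("admin"));
```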
@@ -3974,6 +3931,13 @@ public void test113CreateOrUpdateXUsers() { xUserPermissionObj.setUserId(userId); xUserPermissionsList.add(xUserPermissionObj); Mockito.when(xUserPermissionDao.findByUserPermissionId(vXPortalUser.getId())).thenReturn(xUserPermissionsList); + VXUser loggedInUser = vxUser(); + List loggedInUserRole = new ArrayList(); + loggedInUserRole.add(RangerConstants.ROLE_SYS_ADMIN); + loggedInUser.setId(8L); + loggedInUser.setName("testuser"); + loggedInUser.setUserRoleList(loggedInUserRole); + Mockito.when(xUserService.getXUserByUserName("admin")).thenReturn(loggedInUser); xUserMgr.createOrUpdateXUsers(users); vXUserList.clear(); vXUser.setUserSource(RangerCommonEnums.USER_APP); diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java index fa14d93f91..20e9bc2e12 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java @@ -18,8 +18,6 @@ import static org.junit.Assert.fail; -import java.io.File; -import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; import java.util.Date; @@ -29,8 +27,6 @@ import javax.servlet.http.HttpServletRequest; import javax.ws.rs.WebApplicationException; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.Response; import org.apache.commons.lang.StringUtils; import org.apache.ranger.admin.client.datatype.RESTResponse; 
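Review bot: test113CreateOrUpdateXUsers adds the admin fixture but, unlike the parallel additions to test111 and test112, no `Mockito.when(daoManager.getXXPortalUser()).thenReturn(...)` stub; if createOrUpdateXUsers reaches that DAO on this path it will get Mockito's default null and fail with a NullPointerException rather than an assertion. If the stub is already set up earlier in the method (its body starts before this hunk) this is fine, otherwise add it next to the fixture. The seven fixture lines are the third verbatim copy in this file; a shared helper would avoid drift between the copies.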
@@ -51,17 +47,9 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.model.RangerService; -import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef; -import org.apache.ranger.plugin.model.RangerServiceDef.RangerContextEnricherDef; -import org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumDef; -import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef; -import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; -import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef; import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.SearchFilter; -import org.apache.ranger.plugin.util.ServicePolicies; import org.apache.ranger.service.XAccessAuditService; import org.apache.ranger.service.XAssetService; import org.apache.ranger.service.XCredentialStoreService; 
@@ -256,47 +244,6 @@ private RangerPolicy rangerPolicy(Long id) { return policy; } - private RangerServiceDef rangerServiceDef() { - List configs = new ArrayList(); - List resources = new ArrayList(); - List accessTypes = new ArrayList(); - List policyConditions = new ArrayList(); - List contextEnrichers = new ArrayList(); - List enums = new ArrayList(); - - RangerServiceDef rangerServiceDef = new RangerServiceDef(); - rangerServiceDef.setId(Id); - rangerServiceDef.setImplClass("RangerServiceHdfs"); - rangerServiceDef.setLabel("HDFS Repository"); - rangerServiceDef.setDescription("HDFS Repository"); - rangerServiceDef.setRbKeyDescription(null); - rangerServiceDef.setUpdatedBy("Admin"); - rangerServiceDef.setUpdateTime(new Date()); - rangerServiceDef.setConfigs(configs); - rangerServiceDef.setResources(resources); - rangerServiceDef.setAccessTypes(accessTypes); - rangerServiceDef.setPolicyConditions(policyConditions); - rangerServiceDef.setContextEnrichers(contextEnrichers); - rangerServiceDef.setEnums(enums); - - return rangerServiceDef; - } - - private ServicePolicies servicePolicies() { - RangerPolicy rangerPolicy = rangerPolicy(Id); - RangerServiceDef rangerServiceDef = rangerServiceDef(); - ServicePolicies servicePolicies = new ServicePolicies(); - List policies = new ArrayList(); - policies.add(rangerPolicy); - servicePolicies.setServiceId(Id); - servicePolicies.setServiceName("Hdfs_1"); - servicePolicies.setPolicyVersion(1L); - servicePolicies.setPolicyUpdateTime(new Date()); - servicePolicies.setServiceDef(rangerServiceDef); - servicePolicies.setPolicies(policies); - return servicePolicies; - } - private VXPolicy vXPolicy(RangerPolicy policy, RangerService service) { VXPolicy ret = new VXPolicy(); ret.setPolicyName(StringUtils.trim(policy.getName())); 
@@ -639,73 +586,6 @@ public void testCountXCredentialStores() { Mockito.verify(assetMgr).getXCredentialStoreSearchCount(searchCriteria); } - @Test - public void testGetXResourceFile() { - File file = new File("testGetXResource"); - Response expectedResponse = Response.ok(file, MediaType.APPLICATION_OCTET_STREAM) - .header("Content-Disposition", "attachment;filename=" + file.getName()).build(); - VXResource vxResource = vxResource(Id); - Mockito.when( - searchUtil.extractString((HttpServletRequest) Mockito.any(), (SearchCriteria) Mockito.any(), - (String) Mockito.any(), (String) Mockito.any(), (String) Mockito.any())) - .thenReturn("json"); - Mockito.when(assetREST.getXResource(Id)).thenReturn(vxResource); - Mockito.when(assetMgr.getXResourceFile(vxResource, "json")).thenReturn(file); - Response reponse = assetREST.getXResourceFile(request, Id); - Assert.assertEquals(expectedResponse.getStatus(), reponse.getStatus()); - Mockito.verify(assetMgr).getXResourceFile(vxResource, "json"); - Mockito.verify(searchUtil).extractString((HttpServletRequest) Mockito.any(), - (SearchCriteria) Mockito.any(), (String) Mockito.any(), (String) Mockito.any(), - (String) Mockito.any()); - } - - @Test - public void testGetResourceJSON() { - RangerService rangerService = rangerService(Id); - String file = "testGetResourceJSON"; - VXAsset vXAsset = vXAsset(Id); - Date date = new Date(); - String strdt = date.toString(); - X509Certificate[] certchain = new X509Certificate[1]; - certchain[0] = Mockito.mock(X509Certificate.class); - ServicePolicies servicePolicies = servicePolicies(); - RangerPolicy rangerPolicy = rangerPolicy(Id); - List policies = new ArrayList(); - policies.add(rangerPolicy); - Mockito.when(request.getParameter("epoch")).thenReturn(strdt); - Mockito.when(request.getAttribute("javax.servlet.request.X509Certificate")).thenReturn(certchain); - Mockito.when(request.getHeader("X-FORWARDED-FOR")).thenReturn("valid"); - Mockito.when(request.isSecure()).thenReturn(true); - 
Mockito.when(request.getParameter("policyCount")).thenReturn("4"); - Mockito.when(request.getParameter("agentId")).thenReturn("12"); - // Mockito.when(PropertiesUtil.getBooleanProperty("ranger.service.http.enabled",true)).thenReturn(true); - try { - Mockito.when(serviceREST.getServicePoliciesIfUpdated(Mockito.anyString(), Mockito.anyLong(), - Mockito.anyLong(), Mockito.anyString(), Mockito.anyString() , Mockito.anyString() , Mockito.anyBoolean(), Mockito.anyString(), (HttpServletRequest) Mockito.any())) - .thenReturn(servicePolicies); - } catch (Exception e) { - fail("test failed due to: " + e.getMessage()); - } - Mockito.when(serviceUtil.getServiceByName("hdfs_dev")).thenReturn(rangerService); - Mockito.when(serviceUtil.toVXAsset(rangerService)).thenReturn(vXAsset); - Mockito.when(assetMgr.getLatestRepoPolicy((VXAsset) Mockito.any(), Mockito.anyList(), Mockito.anyLong(), - (X509Certificate[]) Mockito.any(), Mockito.anyBoolean(), Mockito.anyString(), Mockito.anyString(), - Mockito.anyBoolean(), Mockito.anyString(), Mockito.anyString())).thenReturn(file); - String actualFile = assetREST.getResourceJSON(request, "hdfs_dev"); - Assert.assertEquals(file, actualFile); - Mockito.verify(serviceUtil).getServiceByName("hdfs_dev"); - Mockito.verify(serviceUtil).toVXAsset(rangerService); - Mockito.verify(request).getParameter("epoch"); - Mockito.verify(request).getAttribute("javax.servlet.request.X509Certificate"); - Mockito.verify(request).getHeader("X-FORWARDED-FOR"); - Mockito.verify(request).isSecure(); - Mockito.verify(request).getParameter("policyCount"); - Mockito.verify(request).getParameter("agentId"); - Mockito.verify(assetMgr).getLatestRepoPolicy((VXAsset) Mockito.any(), Mockito.anyList(), - Mockito.anyLong(), (X509Certificate[]) Mockito.any(), Mockito.anyBoolean(), Mockito.anyString(), - Mockito.anyString(), Mockito.anyBoolean(), Mockito.anyString(), Mockito.anyString()); - } - @Test public void testSearchXPolicyExportAudits() { SearchCriteria searchCriteria = new 
SearchCriteria(); diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestRoleREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestRoleREST.java index 3978fab1b1..175af395f5 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestRoleREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestRoleREST.java @@ -238,6 +238,7 @@ public void test7GetAllRoles(){ RangerRoleList rangerRoleList = new RangerRoleList(); Mockito.when(searchUtil.getSearchFilter(Mockito.any(HttpServletRequest.class), eq(roleService.sortFields))). thenReturn(Mockito.mock(SearchFilter.class)); + Mockito.when(bizUtil.isUserRangerAdmin(Mockito.anyString())).thenReturn(true); RangerRoleList returnedRangerRoleList = roleRest.getAllRoles(Mockito.mock(HttpServletRequest.class)); Assert.assertNotNull(returnedRangerRoleList); Assert.assertEquals(returnedRangerRoleList.getListSize(), rangerRoleList.getListSize()); diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java index 40de07150a..15011a34ac 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java @@ -1285,10 +1285,9 @@ public void test32getPolicyVersionList() throws Exception { @Test public void test33getPolicyForVersionNumber() throws Exception { RangerPolicy rangerPolicy = rangerPolicy(); - Mockito.when(svcStore.getPolicyForVersionNumber(Id, 1)).thenReturn( - rangerPolicy); - RangerPolicy dbRangerPolicy = serviceREST.getPolicyForVersionNumber(Id, - 1); + Mockito.when(svcStore.getPolicyForVersionNumber(Id, 1)).thenReturn(rangerPolicy); + Mockito.when(bizUtil.isAdmin()).thenReturn(true); + RangerPolicy dbRangerPolicy = serviceREST.getPolicyForVersionNumber(Id, 1); Assert.assertNotNull(dbRangerPolicy); Mockito.verify(svcStore).getPolicyForVersionNumber(Id, 1); } 
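Review bot: test7GetAllRoles stubs `bizUtil.isUserRangerAdmin(Mockito.anyString())` to true, so the access check the commit evidently adds to getAllRoles is only exercised in the permitted direction; there is no test where it returns false, which is the case the check exists for. Add a companion test that stubs `Mockito.when(bizUtil.isUserRangerAdmin(Mockito.anyString())).thenReturn(false);` and asserts whatever getAllRoles is meant to do for a non-admin — a rejection via restErrorUtil or a filtered list — since the intended outcome cannot be read from this hunk. The same applies to the `bizUtil.isAdmin()` stub added to test33getPolicyForVersionNumber on this line.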
@@ -2290,7 +2289,7 @@ public void test63getServices() throws Exception{ } public void mockValidateGrantRevokeRequest(){ - Mockito.when(userMgr.getXUserByUserName(Mockito.anyString())).thenReturn(Mockito.mock(VXUser.class)); + Mockito.when(xUserService.getXUserByUserName(Mockito.anyString())).thenReturn(Mockito.mock(VXUser.class)); Mockito.when(userMgr.getGroupByGroupName(Mockito.anyString())).thenReturn(Mockito.mock(VXGroup.class)); Mockito.when(daoManager.getXXRole().findByRoleName(Mockito.anyString())).thenReturn(Mockito.mock(XXRole.class)); } @@ -2779,6 +2778,7 @@ public void test80GetPolicyByNameAndServiceNameWithZoneName() throws Exception { Mockito.when(daoManager.getXXPolicy()).thenReturn(xXPolicyDao); Mockito.when(daoManager.getXXPolicy().findPolicy(policyName,serviceName,zoneName)).thenReturn(xxPolicy); Mockito.when(policyService.getPopulatedViewObject(xxPolicy)).thenReturn(rangerPolicy); + Mockito.when(bizUtil.isAdmin()).thenReturn(true); RangerPolicy dbRangerPolicy = serviceREST.getPolicyByName(serviceName, policyName, zoneName); Assert.assertNotNull(dbRangerPolicy); Assert.assertEquals(dbRangerPolicy, rangerPolicy); @@ -2797,6 +2797,7 @@ public void test81GetPolicyByNameAndServiceNameWithZoneNameIsNull() throws Excep Mockito.when(daoManager.getXXPolicy()).thenReturn(xXPolicyDao); Mockito.when(daoManager.getXXPolicy().findPolicy(policyName,serviceName,null)).thenReturn(xxPolicy); Mockito.when(policyService.getPopulatedViewObject(xxPolicy)).thenReturn(rangerPolicy); + Mockito.when(bizUtil.isAdmin()).thenReturn(true); RangerPolicy dbRangerPolicy = serviceREST.getPolicyByName(serviceName, policyName, null); Assert.assertNotNull(dbRangerPolicy); Assert.assertEquals(dbRangerPolicy, rangerPolicy); diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestTagREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestTagREST.java index 7165a304da..34122dd799 100755 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestTagREST.java 
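Review bot: mockValidateGrantRevokeRequest now answers `xUserService.getXUserByUserName(Mockito.anyString())` with a mock VXUser for every name, so every test built on this helper sees a known user and the branch of the validation it stands in for that presumably rejects a grant or revoke naming an unknown user is never exercised. The same blanket stubbing applies to groups and roles on the next two lines. An override in one test returning null for a sentinel name — e.g. `Mockito.when(xUserService.getXUserByUserName("no-such-user")).thenReturn(null);` — followed by `thrown.expect(WebApplicationException.class)` would cover the deny side. The `bizUtil.isAdmin()` stubs added to test80 and test81 on this line likewise cover only the admin-permitted path.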
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestTagREST.java @@ -499,10 +499,12 @@ public void test15getAllTagDefs() { @Test public void test16getTagTypes(){ + boolean isAdmin = true; List ret = new ArrayList(); ret.add(name); try { + Mockito.when(bizUtil.isAdmin()).thenReturn(isAdmin); Mockito.when(tagStore.getTagTypes()).thenReturn(ret); } catch (Exception e) { } @@ -760,6 +762,7 @@ public void test25getTagsByType() { @Test public void test26getAllTags() { + boolean isAdmin = true; List ret = new ArrayList(); RangerTag rangerTag = new RangerTag(); rangerTag.setId(id); @@ -767,6 +770,7 @@ public void test26getAllTags() { ret.add(rangerTag); try { + Mockito.when(bizUtil.isAdmin()).thenReturn(isAdmin); Mockito.when(tagStore.getTags((SearchFilter)Mockito.any())).thenReturn(ret); } catch (Exception e) { } @@ -784,9 +788,10 @@ public void test26getAllTags() { @Test public void test60getAllTags() { + boolean isAdmin = true; List ret = new ArrayList(); - try { + Mockito.when(bizUtil.isAdmin()).thenReturn(isAdmin); Mockito.when(tagStore.getTags((SearchFilter)Mockito.any())).thenReturn(ret); } catch (Exception e) { } @@ -1118,6 +1123,7 @@ public void test36getServiceResourceByServiceAndResourceSignature() { @Test public void test37getAllServiceResources() { + boolean isAdmin = true; List ret = new ArrayList(); RangerServiceResource rangerServiceResource = new RangerServiceResource(); rangerServiceResource.setId(id); @@ -1125,6 +1131,7 @@ public void test37getAllServiceResources() { ret.add(rangerServiceResource); try { + Mockito.when(bizUtil.isAdmin()).thenReturn(isAdmin); Mockito.when(tagStore.getServiceResources((SearchFilter)Mockito.any())).thenReturn(ret); } catch (Exception e) { } diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestUserREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestUserREST.java index cb2ccc47c8..4af1769763 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestUserREST.java 
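Review bot: In test16getTagTypes, test26getAllTags, test60getAllTags and test37getAllServiceResources the new `boolean isAdmin = true;` local exists only to feed one `thenReturn`, and no test sets it to false, so the admin gate the commit adds to these tag-enumeration endpoints is never shown to refuse anyone. Either inline it as `Mockito.when(bizUtil.isAdmin()).thenReturn(true);` or keep the local and add the negative case, asserting the outcome TagREST is meant to give a non-admin, which this hunk does not reveal. The new stubs also sit inside the pre-existing `try { … } catch (Exception e) { }`, so a stubbing failure would be swallowed and surface later as an unrelated null; if `isAdmin()` declares no checked exception, placing the `when(...)` before the `try` avoids that.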
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestUserREST.java @@ -401,7 +401,7 @@ public void test16ChangePassword() { Mockito.verify(daoManager).getXXPortalUser(); Mockito.verify(xxPortalUserDao).getById(userId); - Mockito.verify(userManager).checkAccessForUpdate(xxPUser); + Mockito.verify(userManager).checkAccess(xxPUser); Mockito.verify(userManager).changePassword(vxPasswordChange); } @@ -440,7 +440,7 @@ public void test18ChangeEmailAddress() { Mockito.verify(daoManager).getXXPortalUser(); Mockito.verify(xxPortalUserDao).getById(userId); - Mockito.verify(userManager).checkAccessForUpdate(xxPUser); + Mockito.verify(userManager).checkAccess(xxPUser); Mockito.verify(userManager).changeEmailAddress(xxPUser, changeEmail); } diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java index 74744e6cff..5b478489cf 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java @@ -59,8 +59,6 @@ import org.apache.ranger.view.VXAuthSession; import org.apache.ranger.view.VXAuthSessionList; import org.apache.ranger.view.VXGroup; -import org.apache.ranger.view.VXGroupGroup; -import org.apache.ranger.view.VXGroupGroupList; import org.apache.ranger.view.VXGroupList; import org.apache.ranger.view.VXGroupPermission; import org.apache.ranger.view.VXGroupPermissionList; @@ -147,8 +145,6 @@ public class TestXUserREST { @Mock VXGroupUser vXGroupUser; @Mock XGroupUserService xGroupUserService; @Mock VXGroupUserList vXGroupUserList; - @Mock VXGroupGroup vXGroupGroup; - @Mock VXGroupGroupList vXGroupGroupList; @Mock XGroupGroupService xGroupGroupService; @Mock VXPermMap vXPermMap; @Mock RESTErrorUtil restErrorUtil; 
@@ -647,92 +643,6 @@ public void test31countXGroupUserst() { assertEquals(testvxLong.getClass(),vXLong.getClass()); } @Test - public void test32getXGroupGroup() { - VXGroupGroup compareTestVXGroup=createVXGroupGroup(); - - Mockito.when(xUserMgr.getXGroupGroup(id)).thenReturn(compareTestVXGroup); - VXGroupGroup retVxGroup= xUserRest.getXGroupGroup(id); - - assertNotNull(retVxGroup); - assertEquals(compareTestVXGroup.getClass(),retVxGroup.getClass()); - assertEquals(compareTestVXGroup.getId(),retVxGroup.getId()); - Mockito.verify(xUserMgr).getXGroupGroup(id); - } @Test - public void test33createXGroupGroup() { - VXGroupGroup compareTestVXGroup=createVXGroupGroup(); - - Mockito.when(xUserMgr.createXGroupGroup(compareTestVXGroup)).thenReturn(compareTestVXGroup); - VXGroupGroup retVxGroup= xUserRest.createXGroupGroup(compareTestVXGroup); - - assertNotNull(retVxGroup); - assertEquals(compareTestVXGroup.getClass(),retVxGroup.getClass()); - assertEquals(compareTestVXGroup.getId(),retVxGroup.getId()); - Mockito.verify(xUserMgr).createXGroupGroup(compareTestVXGroup); - } - @Test - public void test34updateXGroupGroup() { - VXGroupGroup compareTestVXGroup=createVXGroupGroup(); - - Mockito.when(xUserMgr.updateXGroupGroup(compareTestVXGroup)).thenReturn(compareTestVXGroup); - VXGroupGroup retVxGroup= xUserRest.updateXGroupGroup(compareTestVXGroup); - - assertNotNull(retVxGroup); - assertEquals(compareTestVXGroup.getClass(),retVxGroup.getClass()); - assertEquals(compareTestVXGroup.getId(),retVxGroup.getId()); - Mockito.verify(xUserMgr).updateXGroupGroup(compareTestVXGroup); - } - @Test - public void test35deleteXGroupGroup() { - boolean forceDelete = false; - - Mockito.doNothing().when(xUserMgr).deleteXGroupGroup(id, forceDelete); - xUserRest.deleteXGroupGroup(id,request); - Mockito.verify(xUserMgr).deleteXGroupGroup(id,forceDelete); - } - @SuppressWarnings("unchecked") - @Test - public void test36searchXGroupGroups() { - VXGroupGroupList testvXGroupGroupList=new 
VXGroupGroupList(); - VXGroupGroup testVXGroup=createVXGroupGroup(); - List testVXGroupGroups= new ArrayList(); - testVXGroupGroups.add(testVXGroup); - testvXGroupGroupList.setVXGroupGroups(testVXGroupGroups); - - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - SearchCriteria testSearchCriteria=createsearchCriteria(); - - Mockito.when(searchUtil.extractCommonCriterias((HttpServletRequest)Mockito.any() ,(List)Mockito.any())).thenReturn(testSearchCriteria); - - Mockito.when(xUserMgr.searchXGroupGroups(testSearchCriteria)).thenReturn(testvXGroupGroupList); - VXGroupGroupList outputvXGroupGroupList=xUserRest.searchXGroupGroups(request); - - Mockito.verify(xUserMgr).searchXGroupGroups(testSearchCriteria); - Mockito.verify(searchUtil).extractCommonCriterias((HttpServletRequest)Mockito.any() ,(List)Mockito.any()); - - assertNotNull(outputvXGroupGroupList); - assertEquals(outputvXGroupGroupList.getClass(),testvXGroupGroupList.getClass()); - assertEquals(outputvXGroupGroupList.getResultSize(),testvXGroupGroupList.getResultSize()); - } - @SuppressWarnings("unchecked") - @Test - public void test37countXGroupGroups() { - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - SearchCriteria testSearchCriteria=createsearchCriteria(); - - Mockito.when(searchUtil.extractCommonCriterias((HttpServletRequest)Mockito.any() ,(List)Mockito.any())).thenReturn(testSearchCriteria); - - vXLong.setValue(1); - - Mockito.when(xUserMgr.getXGroupGroupSearchCount(testSearchCriteria)).thenReturn(vXLong); - VXLong testvxLong=xUserRest.countXGroupGroups(request); - Mockito.verify(xUserMgr).getXGroupGroupSearchCount(testSearchCriteria); - Mockito.verify(searchUtil).extractCommonCriterias((HttpServletRequest)Mockito.any() ,(List)Mockito.any()); - - assertNotNull(testvxLong); - assertEquals(testvxLong.getClass(),vXLong.getClass()); - assertEquals(testvxLong.getValue(),vXLong.getValue()); - } - @Test public void test38getXPermMapVXResourceNull() throws Exception{ 
VXPermMap permMap = testcreateXPermMap(); @@ -2181,17 +2091,7 @@ private VXGroupUser createVXGroupUser(){ testVXGroupUser.setUserId(id); return testVXGroupUser; } - private VXGroupGroup createVXGroupGroup() { - VXGroupGroup testVXGroupGroup= new VXGroupGroup(); - testVXGroupGroup.setName("testGroup"); - testVXGroupGroup.setCreateDate(new Date()); - testVXGroupGroup.setUpdateDate(new Date()); - testVXGroupGroup.setUpdatedBy("Admin"); - testVXGroupGroup.setOwner("Admin"); - testVXGroupGroup.setId(id); - testVXGroupGroup.setParentGroupId(id); - return testVXGroupGroup; - } + private VXPermMap testcreateXPermMap(){ VXPermMap testVXPermMap= new VXPermMap(); testVXPermMap.setCreateDate(new Date());