refactor RbacGrantControllerAcceptanceTest introducing fixture classes for better readability
This commit is contained in:
parent
8a62d9802e
commit
eebe2d40a6
@ -2,6 +2,7 @@ package net.hostsharing.hsadminng.rbac.rbacgrant;
|
|||||||
|
|
||||||
import io.restassured.RestAssured;
|
import io.restassured.RestAssured;
|
||||||
import io.restassured.http.ContentType;
|
import io.restassured.http.ContentType;
|
||||||
|
import io.restassured.response.ValidatableResponse;
|
||||||
import net.hostsharing.hsadminng.Accepts;
|
import net.hostsharing.hsadminng.Accepts;
|
||||||
import net.hostsharing.hsadminng.HsadminNgApplication;
|
import net.hostsharing.hsadminng.HsadminNgApplication;
|
||||||
import net.hostsharing.hsadminng.context.Context;
|
import net.hostsharing.hsadminng.context.Context;
|
||||||
@ -64,40 +65,23 @@ class RbacGrantControllerAcceptanceTest {
|
|||||||
void packageAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
|
void packageAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
|
||||||
|
|
||||||
// given
|
// given
|
||||||
final var givenNewUserName = "test-user-" + RandomStringUtils.randomAlphabetic(8) + "@example.com";
|
final var givenNewUser = createRBacUser();
|
||||||
final var givenCurrentUserPackageAdmin = "aaa00@aaa.example.com";
|
final var givenRoleToGrant = "package#aaa00.admin";
|
||||||
final var givenAssumedRole = "package#aaa00.admin";
|
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant);
|
||||||
final var givenOwnPackageAdminRole = "package#aaa00.admin";
|
final var givenOwnPackageAdminRole =
|
||||||
|
findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole);
|
||||||
|
|
||||||
// when
|
// when
|
||||||
RestAssured // @formatter:off
|
givenCurrentUserAsPackageAdmin
|
||||||
.given()
|
.grantsRole(givenOwnPackageAdminRole).assumed()
|
||||||
.header("current-user", givenCurrentUserPackageAdmin)
|
.toUser(givenNewUser);
|
||||||
.header("assumed-roles", givenAssumedRole)
|
|
||||||
.contentType(ContentType.JSON)
|
|
||||||
.body("""
|
|
||||||
{
|
|
||||||
"assumed": true,
|
|
||||||
"grantedRoleUuid": "%s",
|
|
||||||
"granteeUserUuid": "%s"
|
|
||||||
}
|
|
||||||
""".formatted(
|
|
||||||
findRbacRoleByName(givenOwnPackageAdminRole).getUuid().toString(),
|
|
||||||
createRBacUser(givenNewUserName).getUuid().toString())
|
|
||||||
)
|
|
||||||
.port(port)
|
|
||||||
.when()
|
|
||||||
.post("http://localhost/api/rbac-grants")
|
|
||||||
.then().assertThat()
|
|
||||||
.statusCode(201);
|
|
||||||
// @formatter:on
|
|
||||||
|
|
||||||
// then
|
// then
|
||||||
assertThat(findAllGrantsOfUser(givenCurrentUserPackageAdmin))
|
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
|
||||||
.extracting(RbacGrantEntity::toDisplay)
|
.extracting(RbacGrantEntity::toDisplay)
|
||||||
.contains("{ grant assumed role " + givenOwnPackageAdminRole +
|
.contains("{ grant assumed role " + givenOwnPackageAdminRole.getRoleName() +
|
||||||
" to user " + givenNewUserName +
|
" to user " + givenNewUser.getName() +
|
||||||
" by role " + givenAssumedRole + " }");
|
" by role " + givenRoleToGrant + " }");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -105,40 +89,24 @@ class RbacGrantControllerAcceptanceTest {
|
|||||||
void packageAdmin_canNotGrantAlienPackageAdminRole_toArbitraryUser() {
|
void packageAdmin_canNotGrantAlienPackageAdminRole_toArbitraryUser() {
|
||||||
|
|
||||||
// given
|
// given
|
||||||
final var givenNewUserName = "test-user-" + RandomStringUtils.randomAlphabetic(8) + "@example.com";
|
final var givenNewUser = createRBacUser();
|
||||||
final var givenCurrentUserPackageAdmin = "aaa00@aaa.example.com";
|
final var givenRoleToGrant = "package#aaa00.admin";
|
||||||
final var givenAssumedRole = "package#aaa00.admin";
|
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant);
|
||||||
final var givenAlienPackageAdminRole = "package#aab00.admin";
|
final var givenAlienPackageAdminRole = findRbacRoleByName("package#aab00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
RestAssured // @formatter:off
|
final var result = givenCurrentUserAsPackageAdmin
|
||||||
.given()
|
.grantsRole(givenAlienPackageAdminRole).assumed()
|
||||||
.header("current-user", givenCurrentUserPackageAdmin)
|
.toUser(givenNewUser);
|
||||||
.header("assumed-roles", givenAssumedRole)
|
|
||||||
.contentType(ContentType.JSON)
|
// then
|
||||||
.body("""
|
result.assertThat()
|
||||||
{
|
|
||||||
"assumed": true,
|
|
||||||
"grantedRoleUuid": "%s",
|
|
||||||
"granteeUserUuid": "%s"
|
|
||||||
}
|
|
||||||
""".formatted(
|
|
||||||
findRbacRoleByName(givenAlienPackageAdminRole).getUuid().toString(),
|
|
||||||
createRBacUser(givenNewUserName).getUuid().toString())
|
|
||||||
)
|
|
||||||
.port(port)
|
|
||||||
.when()
|
|
||||||
.post("http://localhost/api/rbac-grants")
|
|
||||||
.then().assertThat()
|
|
||||||
.body("message", containsString("Access to granted role"))
|
.body("message", containsString("Access to granted role"))
|
||||||
.body("message", containsString("forbidden for {package#aaa00.admin}"))
|
.body("message", containsString("forbidden for {package#aaa00.admin}"))
|
||||||
.statusCode(403);
|
.statusCode(403);
|
||||||
// @formatter:on
|
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
|
||||||
|
|
||||||
// then
|
|
||||||
assertThat(findAllGrantsOfUser(givenCurrentUserPackageAdmin))
|
|
||||||
.extracting(RbacGrantEntity::getGranteeUserName)
|
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||||
.doesNotContain(givenNewUserName);
|
.doesNotContain(givenNewUser.getName());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -148,24 +116,87 @@ class RbacGrantControllerAcceptanceTest {
|
|||||||
@Test
|
@Test
|
||||||
@Accepts({ "GRT:D(Delete)" })
|
@Accepts({ "GRT:D(Delete)" })
|
||||||
@Transactional(propagation = Propagation.NEVER)
|
@Transactional(propagation = Propagation.NEVER)
|
||||||
void packageAdmin_canRevokePackageAdminRole_grantedByPackageAdmin_toArbitraryUser() {
|
void packageAdmin_canRevokePackageAdminRole_grantedByPackageAdmin_fromArbitraryUser() {
|
||||||
|
|
||||||
// given
|
// given
|
||||||
final var givenNewUserName = "test-user-" + RandomStringUtils.randomAlphabetic(8) + "@example.com";
|
final var givenArbitraryUser = createRBacUser();
|
||||||
final var givenNewUserNameUuid = createRBacUser(givenNewUserName).getUuid();
|
final var givenRoleToGrant = "package#aaa00.admin";
|
||||||
final var givenCurrentUserPackageAdmin = "aaa00@aaa.example.com";
|
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant);
|
||||||
final var givenAssumedRole = "package#aaa00.admin";
|
final var givenOwnPackageAdminRole = findRbacRoleByName("package#aaa00.admin");
|
||||||
final var givenOwnPackageAdminRole = "package#aaa00.admin";
|
|
||||||
final var givenOwnPackageAdminRoleUuid = findRbacRoleByName(givenOwnPackageAdminRole).getUuid();
|
|
||||||
final var expectedGrant = "{ grant assumed role " + givenOwnPackageAdminRole +
|
|
||||||
" to user " + givenNewUserName +
|
|
||||||
" by role " + givenAssumedRole + " }";
|
|
||||||
|
|
||||||
// and given a grant
|
// and given an existing grant
|
||||||
RestAssured // @formatter:off
|
assumeCreated(givenCurrentUserAsPackageAdmin
|
||||||
|
.grantsRole(givenOwnPackageAdminRole).assumed()
|
||||||
|
.toUser(givenArbitraryUser));
|
||||||
|
assumeGrantExists(
|
||||||
|
givenCurrentUserAsPackageAdmin,
|
||||||
|
"{ grant assumed role %s to user %s by role %s }".formatted(
|
||||||
|
givenOwnPackageAdminRole.getRoleName(),
|
||||||
|
givenArbitraryUser.getName(),
|
||||||
|
givenCurrentUserAsPackageAdmin.assumedRole));
|
||||||
|
|
||||||
|
// when
|
||||||
|
final var revokeResponse = givenCurrentUserAsPackageAdmin
|
||||||
|
.revokesRole(givenOwnPackageAdminRole)
|
||||||
|
.fromUser(givenArbitraryUser);
|
||||||
|
|
||||||
|
// then
|
||||||
|
assertRevoked(revokeResponse);
|
||||||
|
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
|
||||||
|
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||||
|
.doesNotContain(givenArbitraryUser.getName());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private void assumeCreated(final ValidatableResponse response) {
|
||||||
|
assumeThat(response.extract().response().statusCode()).isEqualTo(201);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void assertRevoked(final ValidatableResponse revokeResponse) {
|
||||||
|
revokeResponse.assertThat().statusCode(204);
|
||||||
|
}
|
||||||
|
|
||||||
|
class Subject {
|
||||||
|
|
||||||
|
final String currentUser;
|
||||||
|
final String assumedRole;
|
||||||
|
|
||||||
|
public Subject(final String currentUser, final String assumedRole) {
|
||||||
|
this.currentUser = currentUser;
|
||||||
|
this.assumedRole = assumedRole;
|
||||||
|
}
|
||||||
|
|
||||||
|
GrantFixture grantsRole(final RbacRoleEntity givenOwnPackageAdminRole) {
|
||||||
|
return new GrantFixture(givenOwnPackageAdminRole);
|
||||||
|
}
|
||||||
|
|
||||||
|
RevokeFixture revokesRole(final RbacRoleEntity givenOwnPackageAdminRole) {
|
||||||
|
return new RevokeFixture(givenOwnPackageAdminRole);
|
||||||
|
}
|
||||||
|
|
||||||
|
class GrantFixture {
|
||||||
|
|
||||||
|
private Subject grantingSubject = Subject.this;
|
||||||
|
private final RbacRoleEntity grantedRole;
|
||||||
|
private boolean assumed;
|
||||||
|
private RbacUserEntity granteeUser;
|
||||||
|
|
||||||
|
public GrantFixture(final RbacRoleEntity roleToGrant) {
|
||||||
|
this.grantedRole = roleToGrant;
|
||||||
|
}
|
||||||
|
|
||||||
|
GrantFixture assumed() {
|
||||||
|
this.assumed = true;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
ValidatableResponse toUser(final RbacUserEntity granteeUser) {
|
||||||
|
this.granteeUser = granteeUser;
|
||||||
|
|
||||||
|
return RestAssured // @formatter:ff
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", givenCurrentUserPackageAdmin)
|
.header("current-user", grantingSubject.currentUser)
|
||||||
.header("assumed-roles", givenAssumedRole)
|
.header("assumed-roles", grantingSubject.assumedRole)
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.body("""
|
.body("""
|
||||||
{
|
{
|
||||||
@ -174,23 +205,34 @@ class RbacGrantControllerAcceptanceTest {
|
|||||||
"granteeUserUuid": "%s"
|
"granteeUserUuid": "%s"
|
||||||
}
|
}
|
||||||
""".formatted(
|
""".formatted(
|
||||||
givenOwnPackageAdminRoleUuid.toString(),
|
grantedRole.getUuid(),
|
||||||
givenNewUserNameUuid.toString())
|
granteeUser.getUuid())
|
||||||
)
|
)
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.post("http://localhost/api/rbac-grants")
|
.post("http://localhost/api/rbac-grants")
|
||||||
.then().assertThat()
|
.then(); // @formatter:on
|
||||||
.statusCode(201); // @formatter:on
|
}
|
||||||
assumeThat(findAllGrantsOfUser(givenCurrentUserPackageAdmin))
|
}
|
||||||
.extracting(RbacGrantEntity::toDisplay)
|
|
||||||
.contains(expectedGrant);
|
|
||||||
|
|
||||||
// when
|
class RevokeFixture {
|
||||||
RestAssured // @formatter:off
|
|
||||||
|
private Subject currentSubject = Subject.this;
|
||||||
|
private final RbacRoleEntity grantedRole;
|
||||||
|
private boolean assumed;
|
||||||
|
private RbacUserEntity granteeUser;
|
||||||
|
|
||||||
|
public RevokeFixture(final RbacRoleEntity roleToGrant) {
|
||||||
|
this.grantedRole = roleToGrant;
|
||||||
|
}
|
||||||
|
|
||||||
|
ValidatableResponse fromUser(final RbacUserEntity granteeUser) {
|
||||||
|
this.granteeUser = granteeUser;
|
||||||
|
|
||||||
|
return RestAssured // @formatter:ff
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", givenCurrentUserPackageAdmin)
|
.header("current-user", currentSubject.currentUser)
|
||||||
.header("assumed-roles", givenAssumedRole)
|
.header("assumed-roles", currentSubject.assumedRole)
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.body("""
|
.body("""
|
||||||
{
|
{
|
||||||
@ -199,36 +241,37 @@ class RbacGrantControllerAcceptanceTest {
|
|||||||
"granteeUserUuid": "%s"
|
"granteeUserUuid": "%s"
|
||||||
}
|
}
|
||||||
""".formatted(
|
""".formatted(
|
||||||
givenOwnPackageAdminRoleUuid.toString(),
|
grantedRole.getUuid(),
|
||||||
givenNewUserNameUuid.toString())
|
granteeUser.getUuid())
|
||||||
)
|
)
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.delete("http://localhost/api/rbac-grants/%s/%s".formatted(
|
.delete("http://localhost/api/rbac-grants/%s/%s".formatted(
|
||||||
givenOwnPackageAdminRoleUuid, givenNewUserNameUuid
|
grantedRole.getUuid(), granteeUser.getUuid()
|
||||||
))
|
))
|
||||||
.then().assertThat()
|
.then(); // @formatter:on
|
||||||
.statusCode(204); // @formatter:on
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// then
|
private void assumeGrantExists(final Subject grantingSubject, final String expectedGrant) {
|
||||||
assertThat(findAllGrantsOfUser(givenCurrentUserPackageAdmin))
|
assumeThat(findAllGrantsOf(grantingSubject))
|
||||||
.extracting(RbacGrantEntity::toDisplay)
|
.extracting(RbacGrantEntity::toDisplay)
|
||||||
.doesNotContain("{ grant assumed role " + givenOwnPackageAdminRole +
|
.contains(expectedGrant);
|
||||||
" to user " + givenNewUserName +
|
|
||||||
" by role " + givenAssumedRole + " }");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
List<RbacGrantEntity> findAllGrantsOfUser(final String userName) {
|
List<RbacGrantEntity> findAllGrantsOf(final Subject grantingSubject) {
|
||||||
return jpaAttempt.transacted(() -> {
|
return jpaAttempt.transacted(() -> {
|
||||||
context.setCurrentUser(userName);
|
context.setCurrentUser(grantingSubject.currentUser);
|
||||||
return rbacGrantRepository.findAll();
|
return rbacGrantRepository.findAll();
|
||||||
}).returnedValue();
|
}).returnedValue();
|
||||||
}
|
}
|
||||||
|
|
||||||
RbacUserEntity createRBacUser(final String userName) {
|
RbacUserEntity createRBacUser() {
|
||||||
return jpaAttempt.transacted(() ->
|
return jpaAttempt.transacted(() ->
|
||||||
rbacUserRepository.create(new RbacUserEntity(UUID.randomUUID(), userName))
|
rbacUserRepository.create(new RbacUserEntity(
|
||||||
|
UUID.randomUUID(),
|
||||||
|
"test-user-" + RandomStringUtils.randomAlphabetic(8) + "@example.com"))
|
||||||
).returnedValue();
|
).returnedValue();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
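Review bot: The negative check in packageAdmin_canNotGrantAlienPackageAdminRole_toArbitraryUser, `assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin)) ... .doesNotContain(givenNewUser.getName())`, runs as the restricted subject itself, because findAllGrantsOf only does `context.setCurrentUser(grantingSubject.currentUser)` before `rbacGrantRepository.findAll()`; if grant visibility is row-level filtered by the current user, as the RBAC design suggests, a grant of package#aab00.admin that was wrongly persisted would be invisible to aaa00@aaa.example.com and the assertion would still pass, so only the 403 is really proven. I would additionally verify the absence as a subject that is guaranteed to see such a grant (the grantee, or a global admin if the fixture data has one), e.g. `assertThat(findAllGrantsOf(new Subject(givenNewUser.getName(), null)))` followed by the same extracting/doesNotContain chain, which is safe because findAllGrantsOf never reads assumedRole. Separately, the `assumed` field of GrantFixture and RevokeFixture is never read: the visible `.formatted(grantedRole.getUuid(), granteeUser.getUuid())` fills only two placeholders, so the `"assumed"` JSON value is presumably still the hard-coded literal of the old body and `.assumed()` is a no-op; either format the flag into the body or drop it so the DSL does not suggest a choice it does not make. The middle of both fixtures' JSON templates lies between hunks and is not visible here.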