org.sonatype.nexus.security.role.Role Java Examples

The following examples show how to use org.sonatype.nexus.security.role.Role.
Example #1
Source File: AuthorizationManagerTest.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Checks that the authorization manager lists exactly the three roles this test expects and
 * that "role3" exposes the expected id, name, description and privilege ids.
 */
@Test
public void testListRoles() throws Exception {
  Set<Role> listed = this.getAuthorizationManager().listRoles();
  Map<String, Role> byId = this.toRoleMap(listed);

  for (String expectedId : new String[] {"role1", "role2", "role3"}) {
    Assert.assertTrue(byId.containsKey(expectedId));
  }
  // The exact count keeps an unexpected extra role from passing unnoticed.
  Assert.assertEquals(3, listed.size());

  Role third = byId.get("role3");
  Assert.assertEquals("role3", third.getRoleId());
  Assert.assertEquals("RoleThree", third.getName());
  Assert.assertEquals("Role Three", third.getDescription());

  // Membership plus exact size pins the privilege set to {"1", "4"}.
  Assert.assertTrue(third.getPrivileges().contains("1"));
  Assert.assertTrue(third.getPrivileges().contains("4"));
  Assert.assertEquals(2, third.getPrivileges().size());
}
 
Example #2
Source File: RoleApiResourceTest.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Checks that {@code getRoles("default")} returns both roles of the "default" source.
 * The stub hands them back as (role2, role1) while the assertions expect id1 first, so the
 * resource under test is expected to order its response.
 */
@Test
public void testGetRoles() throws Exception {
  List<String> firstChildren = Arrays.asList("role1", "role2");
  List<String> firstPrivileges = Arrays.asList("priv1", "priv2");
  List<String> secondChildren = Arrays.asList("role2", "role3");
  List<String> secondPrivileges = Arrays.asList("priv2", "priv3");

  Role first = createRole("default", "id1", "role1", "role1", firstChildren, firstPrivileges);
  Role second = createRole("default", "id2", "role2", "role2", secondChildren, secondPrivileges);

  // LinkedHashSet keeps the deliberately reversed insertion order.
  when(securitySystem.listRoles("default")).thenReturn(new LinkedHashSet<>(Arrays.asList(second, first)));

  List<RoleXOResponse> response = underTest.getRoles("default");

  assertThat(response.size(), is(2));
  assertApiRole(response.get(0), "default", "id1", "role1", "role1", firstChildren, firstPrivileges);
  assertApiRole(response.get(1), "default", "id2", "role2", "role2", secondChildren, secondPrivileges);
}
 
Example #3
Source File: RoleApiResourceTest.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Checks that {@code create} returns the role handed back by the authorization manager,
 * including its source, child role and privilege.
 */
@Test
public void testCreateRole() throws Exception {
  // Canned result of the mocked addRole call: a writable role in the "default" source.
  Role stored = new Role();
  stored.setSource("default");
  stored.setRoleId("roleId");
  stored.setName("roleName");
  stored.setDescription("description");
  stored.setRoles(Collections.singleton("childRole"));
  stored.setPrivileges(Collections.singleton("priv"));
  stored.setReadOnly(false);
  when(authorizationManager.addRole(any())).thenReturn(stored);

  RoleXORequest request = createApiRole("roleId", "roleName", "description", Collections.singleton("childRole"),
      Collections.singleton("priv"));

  RoleXOResponse response = underTest.create(request);

  assertApiRole(response, "default", "roleId", "roleName", "description", Collections.singleton("childRole"),
      Collections.singleton("priv"));
}
 
Example #4
Source File: RoleApiResourceTest.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Checks that {@code update} passes a role to the authorization manager that keeps the
 * existing id and source but carries the name, description, child roles and privileges
 * from the request.
 */
@Test
public void testUpdateRole() {
  Role existing = createRole("default", "id1", "role1", "role1", Arrays.asList("role1", "role2"),
      Arrays.asList("priv1", "priv2"));
  when(authorizationManager.getRole("id1")).thenReturn(existing);

  RoleXORequest request = createApiRole("id1", "role2", "role2", Arrays.asList("role3", "role4"),
      Arrays.asList("priv3", "priv4"));
  underTest.update("id1", request);

  // Capture what was actually written so the replaced role/privilege sets can be inspected.
  ArgumentCaptor<Role> written = ArgumentCaptor.forClass(Role.class);
  verify(authorizationManager).updateRole(written.capture());

  Role updated = written.getValue();
  assertRole(updated, "default", "id1", "role2", "role2", Arrays.asList("role3", "role4"),
      Arrays.asList("priv3", "priv4"));
}
 
Example #5
Source File: RoleApiResourceTest.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Checks that an update rejected by the authorization manager with
 * {@code ReadonlyRoleException} surfaces as an HTTP 400 JSON response with the
 * "internal role" message, rather than succeeding.
 */
@Test
public void testUpdateRole_readOnly() {
  Role existing = createRole("default", "id", "name", "description", Collections.singleton("role1"),
      Collections.singleton("priv1"));

  when(authorizationManager.getRole("id")).thenReturn(existing);
  // The backend refuses the write for this role.
  when(authorizationManager.updateRole(existing)).thenThrow(ReadonlyRoleException.class);

  RoleXORequest request = createApiRole("id", "name", "description", Collections.singleton("role1"),
      Collections.singleton("priv1"));

  WebApplicationMessageException rejection = null;
  try {
    underTest.update("id", request);
  }
  catch (WebApplicationMessageException e) {
    rejection = e;
  }

  // A silent success here would mean a read-only role was modified.
  if (rejection == null) {
    fail("exception should have been thrown for internal role");
  }

  assertThat(rejection.getResponse().getStatus(), is(400));
  assertThat(rejection.getResponse().getMediaType(), is(MediaType.APPLICATION_JSON_TYPE));
  assertThat(rejection.getResponse().getEntity().toString(),
      is("\"Role 'id' is internal and cannot be modified or deleted.\""));
}
 
Example #6
Source File: RoleApiResourceTest.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Builds a {@code Role} fixture with the given source, id, name and description, adding
 * every entry of {@code roles} as a child role and every entry of {@code privileges} as a
 * privilege.
 */
private Role createRole(final String source,
                        final String id,
                        final String name,
                        final String description,
                        final Collection<String> roles,
                        final Collection<String> privileges)
{
  final Role fixture = new Role();
  fixture.setRoleId(id);
  fixture.setName(name);
  fixture.setDescription(description);
  fixture.setSource(source);

  for (String childRoleId : roles) {
    fixture.addRole(childRoleId);
  }
  for (String privilegeId : privileges) {
    fixture.addPrivilege(privilegeId);
  }

  return fixture;
}
 
Example #7
Source File: SecurityRule.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
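/**
 * Creates a role from role ids and privilege names by resolving each of them through
 * {@code getRole} / {@code getPrivilege} and delegating to the list-based overload.
 *
 * @param name           name of the role to create
 * @param roleIds        ids of the roles to nest; every id must resolve
 * @param privilegeNames names of the privileges to grant; every name must resolve
 * @return the role produced by the list-based {@code createRole} overload
 * @throws IllegalStateException if any privilege name or role id resolves to {@code null};
 *                               failing here avoids creating a role with fewer grants than
 *                               the caller asked for
 */
public Role createRole(final String name, final String[] roleIds, final String[] privilegeNames) {
  List<Privilege> privileges =
      Arrays.stream(privilegeNames).map(this::getPrivilege).filter(Objects::nonNull).collect(Collectors.toList());

  if (privileges.size() != privilegeNames.length) {
    // Arrays.toString: formatting the array directly would print its identity hash, not the names.
    throw new IllegalStateException(
        String.format("Missing privileges names: %s privileges: %s", Arrays.toString(privilegeNames), privileges));
  }

  List<Role> roles = Arrays.stream(roleIds).map(this::getRole).filter(Objects::nonNull).collect(Collectors.toList());

  if (roles.size() != roleIds.length) {
    // The previous message used ${...} placeholders, which Java does not interpolate, and
    // described the missing roles as privileges.
    throw new IllegalStateException(
        String.format("Missing roles ids: %s roles: %s", Arrays.toString(roleIds), roles));
  }

  return createRole(name, roles, privileges);
}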
 
Example #8
Source File: RoleApiResourceTest.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Asserts that {@code role} has the given source, id, name and description, and that its
 * child roles and privileges match the expected collections regardless of order. Empty
 * expectations are asserted with {@code empty()}.
 */
private void assertRole(final Role role,
                        final String source,
                        final String id,
                        final String name,
                        final String description,
                        final Collection<String> roles,
                        final Collection<String> privileges)
{
  assertThat(role.getSource(), is(source));
  assertThat(role.getRoleId(), is(id));
  assertThat(role.getName(), is(name));
  assertThat(role.getDescription(), is(description));

  if (!roles.isEmpty()) {
    String[] expectedRoles = roles.toArray(new String[0]);
    assertThat(role.getRoles(), containsInAnyOrder(expectedRoles));
  }
  else {
    assertThat(role.getRoles(), empty());
  }

  if (!privileges.isEmpty()) {
    String[] expectedPrivileges = privileges.toArray(new String[0]);
    assertThat(role.getPrivileges(), containsInAnyOrder(expectedPrivileges));
  }
  else {
    assertThat(role.getPrivileges(), empty());
  }
}
 
Example #9
Source File: DefaultRoleHealthCheck.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Reports whether the Default Role Realm is consistently configured.
 *
 * <p>Healthy when the realm is disabled, or when it is enabled and its configured role id
 * exists among the roles of {@code DEFAULT_SOURCE}. Unhealthy when the realm is enabled
 * without a role, or with a role id that no listed role carries.
 */
@Override
protected Result check() throws Exception {
  boolean realmEnabled = realmManager.isRealmEnabled(DefaultRoleRealm.NAME);
  if (!realmEnabled) {
    return Result.healthy("Default Role Realm not in use.");
  }

  if (defaultRoleRealm.getRole() == null) {
    return Result.unhealthy("Default Role Realm is enabled but not configured.");
  }

  // A configured role id that matches nothing is reported so the dangling reference is visible.
  boolean roleExists = securitySystem.listRoles(DEFAULT_SOURCE).stream()
      .anyMatch(role -> role.getRoleId().equals(defaultRoleRealm.getRole()));

  if (roleExists) {
    return Result.healthy("Default Role Realm configured to use role %s.", defaultRoleRealm.getRole());
  }

  return Result
      .unhealthy("Default Role Realm configured to use role %s which doesn't exist.", defaultRoleRealm.getRole());
}
 
Example #10
Source File: MockAuthorizationManagerB.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Returns two fixed roles, "test-role1" and "test-role2", each tagged with this manager's
 * source and holding a read and a delete privilege.
 */
@Override
public Set<Role> listRoles() {
  Role first = new Role();
  first.setRoleId("test-role1");
  first.setName("Role 1");
  first.setSource(this.getSource());
  first.addPrivilege("from-role1:read");
  first.addPrivilege("from-role1:delete");

  Role second = new Role();
  second.setRoleId("test-role2");
  second.setName("Role 2");
  second.setSource(this.getSource());
  second.addPrivilege("from-role2:read");
  second.addPrivilege("from-role2:delete");

  Set<Role> result = new HashSet<>();
  result.add(first);
  result.add(second);
  return result;
}
 
Example #11
Source File: KeycloakMapper.java    From nexus3-keycloak-plugin with Apache License 2.0 6 votes vote down vote up
/**
 * Maps Keycloak role and group representations to Nexus roles, preserving encounter order.
 *
 * <p>Every {@code RoleRepresentation} yields a prefixed role; when {@code forCompatible} is
 * set, a client role additionally yields a compatible role first. Every
 * {@code GroupRepresentation} yields a group role. Null or empty lists and elements of any
 * other type are skipped.
 *
 * NOTE(review): if getClientRole() returns a boxed Boolean, a null value would throw on
 * unboxing here; confirm against the Keycloak representation class.
 */
private static Set<Role> toRoles(String source, String sourceCode, List<?>[] lists, boolean forCompatible) {
    Set<Role> mapped = new LinkedHashSet<>();

    for (List<?> candidates : lists) {
        if (candidates != null && !candidates.isEmpty()) {
            for (Object item : candidates) {
                if (item instanceof RoleRepresentation) {
                    RoleRepresentation keycloakRole = (RoleRepresentation) item;
                    if (forCompatible && keycloakRole.getClientRole()) {
                        mapped.add(toCompatibleRole(source, keycloakRole));
                    }
                    mapped.add(toRole(source, sourceCode, keycloakRole));
                } else if (item instanceof GroupRepresentation) {
                    GroupRepresentation keycloakGroup = (GroupRepresentation) item;
                    mapped.add(toRole(source, sourceCode, keycloakGroup));
                }
            }
        }
    }

    return mapped;
}
 
Example #12
Source File: RoleApiResourceTest.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Checks that {@code getRoles(null)} returns roles from every source: the stub for the
 * no-argument {@code listRoles()} supplies one role from "default" and one from "another",
 * and both are expected in the response with their own source, id1 first.
 */
@Test
public void testGetRoles_allSources() throws Exception {
  List<String> firstChildren = Arrays.asList("role1", "role2");
  List<String> firstPrivileges = Arrays.asList("priv1", "priv2");
  List<String> secondChildren = Arrays.asList("role2", "role3");
  List<String> secondPrivileges = Arrays.asList("priv2", "priv3");

  Role fromDefault = createRole("default", "id1", "role1", "role1", firstChildren, firstPrivileges);
  Role fromAnother = createRole("another", "id2", "role2", "role2", secondChildren, secondPrivileges);

  // Returned in reverse of the order the assertions expect.
  when(securitySystem.listRoles()).thenReturn(new LinkedHashSet<>(Arrays.asList(fromAnother, fromDefault)));

  List<RoleXOResponse> response = underTest.getRoles(null);

  assertThat(response.size(), is(2));
  assertApiRole(response.get(0), "default", "id1", "role1", "role1", firstChildren, firstPrivileges);
  assertApiRole(response.get(1), "another", "id2", "role2", "role2", secondChildren, secondPrivileges);
}
 
Example #13
Source File: AuthorizationManagerImpl.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Converts an API-level {@code Role} into a configuration {@code CRole}.
 *
 * <p>Id, version, name, description and the read-only flag are copied as-is. Privileges and
 * child roles are copied into new hash sets, with a null collection becoming an empty set,
 * so the configuration record does not share a collection instance with the caller's role.
 * The role's source is not carried over.
 */
private CRole convert(final Role source) {
  CRole converted = configuration.newRole();
  converted.setId(source.getRoleId());
  converted.setVersion(source.getVersion());
  converted.setName(source.getName());
  converted.setDescription(source.getDescription());
  converted.setReadOnly(source.isReadOnly());

  if (source.getPrivileges() == null) {
    converted.setPrivileges(Sets.<String>newHashSet());
  }
  else {
    converted.setPrivileges(Sets.newHashSet(source.getPrivileges()));
  }

  if (source.getRoles() == null) {
    converted.setRoles(Sets.<String>newHashSet());
  }
  else {
    converted.setRoles(Sets.newHashSet(source.getRoles()));
  }

  return converted;
}
 
Example #14
Source File: KeycloakMapper.java    From nexus3-keycloak-plugin with Apache License 2.0 6 votes vote down vote up
/**
 * Maps a Keycloak group to a read-only Nexus role whose id and name are
 * {@code REALM_GROUP_PREFIX:[sourceCode:]groupPath}.
 *
 * NOTE(review): the id is colon-delimited and the group path is embedded as-is; confirm
 * that code parsing these ids tolerates a ':' inside the path.
 *
 * @return the mapped role, or {@code null} when {@code representation} is {@code null}
 */
public static Role toRole(String source, String sourceCode, GroupRepresentation representation) {
    if (representation == null) {
        return null;
    }

    String sourceSegment = sourceCode == null ? "" : sourceCode + ":";
    String roleName = String.format("%s:%s%s", REALM_GROUP_PREFIX, sourceSegment, representation.getPath());

    Role mapped = new Role();
    mapped.setSource(source);
    // Marked read-only: the role is derived from Keycloak rather than defined in Nexus.
    mapped.setReadOnly(true);
    mapped.setRoleId(roleName);
    mapped.setName(roleName);
    return mapped;
}
 
Example #15
Source File: KeycloakMapper.java    From nexus3-keycloak-plugin with Apache License 2.0 6 votes vote down vote up
/**
 * Maps a Keycloak role to a read-only Nexus role whose id and name are
 * {@code prefix:[sourceCode:]roleName}, where the prefix is {@code CLIENT_ROLE_PREFIX} for
 * client roles and {@code REALM_ROLE_PREFIX} otherwise. A non-empty Keycloak description is
 * carried over, prefixed the same way.
 *
 * NOTE(review): if getClientRole() returns a boxed Boolean, a null value would throw on
 * unboxing below; confirm against the Keycloak representation class.
 *
 * @return the mapped role, or {@code null} when {@code representation} is {@code null}
 */
public static Role toRole(String source, String sourceCode, RoleRepresentation representation) {
    if (representation == null) {
        return null;
    }

    String prefix;
    if (representation.getClientRole()) {
        prefix = CLIENT_ROLE_PREFIX;
    } else {
        prefix = REALM_ROLE_PREFIX;
    }

    String sourceSegment = sourceCode == null ? "" : sourceCode + ":";
    String roleName = String.format("%s:%s%s", prefix, sourceSegment, representation.getName());

    Role mapped = new Role();
    // The composed name serves as both the Nexus role id and the role name.
    mapped.setRoleId(roleName);
    mapped.setName(roleName);

    String description = representation.getDescription();
    if (description != null && !description.isEmpty()) {
        mapped.setDescription(String.format("%s: %s", prefix, description));
    }

    // Marked read-only: the role is derived from Keycloak rather than defined in Nexus.
    mapped.setReadOnly(true);
    mapped.setSource(source);
    return mapped;
}
 
Example #16
Source File: AuthorizationManagerTest.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Checks that a role added through the authorization manager can be read back from the
 * configuration manager with the same id, name, description and exactly the two privileges
 * it was given.
 */
@Test
public void testAddRole() throws Exception {
  Role added = new Role();
  added.setRoleId("new-role");
  added.setName("new-name");
  added.setDescription("new-description");
  added.addPrivilege("2");
  added.addPrivilege("4");

  this.getAuthorizationManager().addRole(added);

  // Read the stored record directly instead of going back through the manager.
  CRole stored = this.getConfigurationManager().readRole(added.getRoleId());

  Assert.assertEquals(added.getRoleId(), stored.getId());
  Assert.assertEquals(added.getName(), stored.getName());
  Assert.assertEquals(added.getDescription(), stored.getDescription());

  // Membership plus exact size: no privilege beyond the two requested was stored.
  Assert.assertTrue(stored.getPrivileges().contains("2"));
  Assert.assertTrue(stored.getPrivileges().contains("4"));
  Assert.assertEquals(2, stored.getPrivileges().size());
}
 
Example #17
Source File: AuthorizationManagerTest.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Checks that updating "role2" with a new name, description and a single-privilege set is
 * reflected in the stored configuration, and that the stored privilege set is replaced
 * rather than merged (exactly one privilege remains).
 */
@Test
public void testUpdateRole() throws Exception {
  AuthorizationManager manager = this.getAuthorizationManager();

  Role edited = manager.getRole("role2");
  edited.setName("new name");
  edited.setDescription("new description");

  Set<String> onlyPrivilege = new HashSet<>();
  onlyPrivilege.add("2");
  edited.setPrivileges(onlyPrivilege);

  manager.updateRole(edited);

  CRole stored = this.getConfigurationManager().readRole(edited.getRoleId());

  Assert.assertEquals(edited.getRoleId(), stored.getId());
  Assert.assertEquals(edited.getName(), stored.getName());
  Assert.assertEquals(edited.getDescription(), stored.getDescription());

  // The size check is what shows that privileges held before the update are gone.
  Assert.assertTrue(stored.getPrivileges().contains("2"));
  Assert.assertEquals(1, stored.getPrivileges().size());
}
 
Example #18
Source File: NexusKeycloakClient.java    From nexus3-keycloak-plugin with Apache License 2.0 6 votes vote down vote up
/**
 * Resolves a colon-delimited Nexus role id against Keycloak.
 *
 * <p>The first segment (when there are at least two) is the role type, the second (when
 * there are at least three) is the source code, and the last is the name. Ids whose source
 * code does not match this client's are answered with {@code null}. Group-prefixed ids are
 * looked up as realm groups, realm-role-prefixed ids as realm roles, and every other id,
 * including one with no prefix at all, as a role of the configured client.
 *
 * NOTE(review): only the first, second and last segments are used, so a name that itself
 * contains ':' is reduced to its final segment; confirm that is acceptable.
 * NOTE(review): a null roleId throws on split(); confirm callers never pass null.
 */
public Role findRoleByRoleId(String roleId) {
    String[] segments = roleId.split(":");
    int segmentCount = segments.length;

    String roleType = null;
    if (segmentCount > 1) {
        roleType = segments[0];
    }
    String roleSourceCode = null;
    if (segmentCount > 2) {
        roleSourceCode = segments[1];
    }
    String roleName = segments[segmentCount - 1];

    // Concatenation renders null as "null", so an absent source code on both sides compares
    // equal; a literal "null" segment would compare equal to an absent one as well.
    boolean sameSource = (roleSourceCode + "").equals(getSourceCode() + "");
    if (!sameSource) {
        return null;
    }

    if (KeycloakMapper.REALM_GROUP_PREFIX.equals(roleType)) {
        GroupRepresentation group = this.keycloakAdminClient.getRealmGroupByGroupPath(roleName);
        return KeycloakMapper.toRole(getSource(), getSourceCode(), group);
    }

    RoleRepresentation role;
    if (KeycloakMapper.REALM_ROLE_PREFIX.equals(roleType)) {
        role = this.keycloakAdminClient.getRealmRoleByRoleName(roleName);
    } else {
        // Fallback for every remaining type: look the name up among the configured client's roles.
        String client = this.keycloakAdminClient.getConfig().getResource();
        role = this.keycloakAdminClient.getRealmClientRoleByRoleName(client, roleName);
    }

    return KeycloakMapper.toRole(getSource(), getSourceCode(), role);
}
 
Example #19
Source File: RoleAuditor.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Records an audit entry for a role event when recording is active.
 *
 * <p>The entry uses the role id as context and stores the role's id, name, source, child
 * roles and privileges as attributes, so a change to what a role grants is visible in the
 * audit record itself.
 */
@Subscribe
@AllowConcurrentEvents
public void on(final RoleEvent event) {
  if (!isRecording()) {
    return;
  }

  Role subject = event.getRole();

  AuditData entry = new AuditData();
  entry.setDomain(DOMAIN);
  entry.setType(type(event.getClass()));
  entry.setContext(subject.getRoleId());

  Map<String, Object> details = entry.getAttributes();
  details.put("id", subject.getRoleId());
  details.put("name", subject.getName());
  details.put("source", subject.getSource());
  details.put("roles", string(subject.getRoles()));
  details.put("privileges", string(subject.getPrivileges()));

  record(entry);
}
Example #20
Source File: UserApiResourceTest.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Prepares the resource under test with a mocked security system: a temporary work
 * directory for the admin password file manager, one known user, a read-only "LDAP" user
 * manager, a writable default user manager and a single "nx-admin" role in the default
 * source.
 */
@Before
public void setup() throws Exception {
  when(applicationDirectories.getWorkDirectory()).thenReturn(util.createTempDir());
  adminPasswordFileManager = new AdminPasswordFileManagerImpl(applicationDirectories);
  underTest = new UserApiResource(securitySystem, adminPasswordFileManager);

  final User user = createUser();
  // Two-argument lookup: ("jdoe", "LDAP") is reported as not found, anything else yields the fixture user.
  when(securitySystem.getUser(any(), any())).thenAnswer(i -> {
    if ("jdoe".equals(i.getArguments()[0]) && "LDAP".equals(i.getArguments()[1])) {
      throw new UserNotFoundException((String) i.getArguments()[0]);
    }
    return user;
  });
  when(securitySystem.getUser(user.getUserId())).thenReturn(user);

  // The "LDAP" source is stubbed as not supporting writes.
  UserManager ldap = mock(UserManager.class);
  when(ldap.supportsWrite()).thenReturn(false);
  when(securitySystem.getUserManager("LDAP")).thenReturn(ldap);

  when(securitySystem.getUserManager(UserManager.DEFAULT_SOURCE)).thenReturn(userManager);
  // Only "nx-admin" is listed for the default source; the remaining constructor arguments
  // are null apart from one boolean set to true (its meaning is not visible here).
  when(securitySystem.listRoles(UserManager.DEFAULT_SOURCE))
      .thenReturn(Collections.singleton(new Role("nx-admin", null, null, null, true, null, null)));
  when(userManager.supportsWrite()).thenReturn(true);
}
 
Example #21
Source File: DefaultSecuritySystemTest.java    From nexus-public with Eclipse Public License 1.0 6 votes vote down vote up
/**
 * Checks that listing roles for "sourceB" returns that source's two roles and that
 * "test-role1" carries its name and both of its privileges.
 */
@Test
public void testAuthorizationManager() throws Exception {
  Set<Role> sourceBRoles = this.getSecuritySystem().listRoles("sourceB");
  Assert.assertEquals(2, sourceBRoles.size());

  // Index by role id so individual roles can be asserted on.
  Map<String, Role> byId = new HashMap<>();
  sourceBRoles.forEach(listed -> byId.put(listed.getRoleId(), listed));

  Assert.assertTrue(byId.containsKey("test-role1"));
  Assert.assertTrue(byId.containsKey("test-role2"));

  Role first = byId.get("test-role1");
  Assert.assertEquals("Role 1", first.getName());
  Assert.assertTrue(first.getPrivileges().contains("from-role1:read"));
  Assert.assertTrue(first.getPrivileges().contains("from-role1:delete"));
}
 
Example #22
Source File: AuthorizationManagerTest.java    From nexus-public with Eclipse Public License 1.0 5 votes vote down vote up
/**
 * Checks that "role1" can be fetched by id and exposes the expected id, name, description
 * and exactly the privileges "1" and "2".
 */
@Test
public void testGetRole() throws Exception {
  Role fetched = this.getAuthorizationManager().getRole("role1");

  Assert.assertEquals("role1", fetched.getRoleId());
  Assert.assertEquals("RoleOne", fetched.getName());
  Assert.assertEquals("Role One", fetched.getDescription());

  // Membership plus exact size pins the privilege set to {"1", "2"}.
  for (String expectedPrivilege : new String[] {"1", "2"}) {
    Assert.assertTrue(fetched.getPrivileges().contains(expectedPrivilege));
  }
  Assert.assertEquals(2, fetched.getPrivileges().size());
}
 
Example #23
Source File: SelectorManagerImpl.java    From nexus-public with Eclipse Public License 1.0 5 votes vote down vote up
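/**
 * Appends the role identified by {@code roleId}, followed by all roles nested beneath it,
 * to {@code roles}. Role ids that cannot be resolved are logged at debug level and skipped.
 *
 * <p>The traversal stops descending when a role id reappears on the current path, so a
 * role hierarchy that loops back on itself ends the walk instead of recursing until the
 * stack overflows. Roles reachable by several distinct paths are still added once per path,
 * as before.
 *
 * @param roleId               id of the role to start from
 * @param authorizationManager manager used to resolve role ids
 * @param roles                list that receives the resolved roles
 */
private void getRoles(final String roleId, final AuthorizationManager authorizationManager, final List<Role> roles)
{
  collectRolesOnPath(roleId, authorizationManager, roles, new java.util.HashSet<>());
}

/**
 * Recursive worker for {@code getRoles}; {@code path} holds the role ids between the
 * starting role and the one currently being visited.
 */
private void collectRolesOnPath(final String roleId,
                                final AuthorizationManager authorizationManager,
                                final List<Role> roles,
                                final java.util.Set<String> path)
{
  if (!path.add(roleId)) {
    // Already being expanded further up the call chain: descending again would never end.
    log.debug("Role hierarchy loops back to roleId={}, not descending again", roleId);
    return;
  }
  try {
    Role role = authorizationManager.getRole(roleId);
    roles.add(role);
    role.getRoles().forEach(nestedRoleId -> collectRolesOnPath(nestedRoleId, authorizationManager, roles, path));
  }
  catch (NoSuchRoleException e) {
    log.debug("Unable to find role for roleId={}, continue searching for roles", roleId, e);
  }
  finally {
    // Leaving this branch: the id may legitimately appear again on a sibling path.
    path.remove(roleId);
  }
}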
 
Example #24
Source File: AuthorizationManagerTest.java    From nexus-public with Eclipse Public License 1.0 5 votes vote down vote up
/**
 * Indexes the given roles by role id. If two roles share an id, the one iterated last wins.
 */
private Map<String, Role> toRoleMap(Set<Role> roles) {
  Map<String, Role> byId = new HashMap<>();
  roles.forEach(candidate -> byId.put(candidate.getRoleId(), candidate));
  return byId;
}
 
Example #25
Source File: AdditionalRoleSecuritySystemTest.java    From nexus-public with Eclipse Public License 1.0 5 votes vote down vote up
/**
 * Returns the ids of all roles listed by the looked-up {@code AuthorizationManager}.
 */
private Set<String> getRoles() throws Exception {
  Set<String> roleIds = new HashSet<>();
  lookup(AuthorizationManager.class).listRoles().forEach(listed -> roleIds.add(listed.getRoleId()));
  return roleIds;
}
 
Example #26
Source File: AuthorizationManagerImpl.java    From nexus-public with Eclipse Public License 1.0 5 votes vote down vote up
/**
 * Deletes the role with the given id from the configuration, posts a
 * {@code RoleDeletedEvent} carrying the role as it was before deletion, and fires the
 * authorization-changed notification.
 *
 * @throws NoSuchRoleException declared by this method; presumably raised when the id does
 *                             not resolve (confirm against getRole / deleteRole)
 */
@Override
public void deleteRole(final String roleId) throws NoSuchRoleException {
  // Fetched before the delete so the event can still describe the removed role.
  final Role removed = getRole(roleId);
  configuration.deleteRole(roleId);

  eventManager.post(new RoleDeletedEvent(removed));

  // Tell listeners that the authorization configuration changed.
  fireAuthorizationChangedEvent();
}
 
Example #27
Source File: AuthorizationManagerImpl.java    From nexus-public with Eclipse Public License 1.0 5 votes vote down vote up
/**
 * Persists a new role, posts a {@code RoleCreatedEvent} and fires the authorization-changed
 * notification.
 *
 * NOTE(review): the event carries the caller's {@code role} while the return value is
 * rebuilt from the persisted record, whose id may have changed; confirm that event
 * consumers do not need the persisted id.
 *
 * @return the role as converted back from the persisted configuration record
 */
@Override
public Role addRole(final Role role) {
  // Keep the configuration record: createRole may change its id, and the result is built from it.
  final CRole persisted = convert(role);
  configuration.createRole(persisted);

  eventManager.post(new RoleCreatedEvent(role));

  // Tell listeners that the authorization configuration changed.
  fireAuthorizationChangedEvent();

  return convert(persisted);
}
 
Example #28
Source File: AuthorizationManagerImpl.java    From nexus-public with Eclipse Public License 1.0 5 votes vote down vote up
/**
 * Converts a configuration {@code CRole} into an API-level {@code Role} tagged with this
 * manager's {@code SOURCE}. Privileges and child roles are copied into new hash sets, so
 * the returned role does not share those collections with the configuration record.
 *
 * NOTE(review): unlike the Role-to-CRole direction there is no null check on the two
 * collections; confirm CRole never returns null for them.
 */
private Role convert(final CRole source) {
  final Role converted = new Role();
  converted.setSource(SOURCE);
  converted.setRoleId(source.getId());
  converted.setVersion(source.getVersion());
  converted.setName(source.getName());
  converted.setDescription(source.getDescription());
  converted.setReadOnly(source.isReadOnly());
  converted.setRoles(Sets.newHashSet(source.getRoles()));
  converted.setPrivileges(Sets.newHashSet(source.getPrivileges()));
  return converted;
}
 
Example #29
Source File: DefaultSecuritySystem.java    From nexus-public with Eclipse Public License 1.0 5 votes vote down vote up
/**
 * Lists the roles of one source, or of all sources when {@code sourceId} equals
 * {@code ALL_ROLES_KEY} ignoring case.
 *
 * @throws NoSuchAuthorizationManagerException declared by this method; presumably raised
 *         when no authorization manager is registered for {@code sourceId}
 */
@Override
public Set<Role> listRoles(String sourceId) throws NoSuchAuthorizationManagerException {
  boolean allSources = ALL_ROLES_KEY.equalsIgnoreCase(sourceId);
  if (!allSources) {
    return getAuthorizationManager(sourceId).listRoles();
  }
  return listRoles();
}
 
Example #30
Source File: DefaultSecuritySystem.java    From nexus-public with Eclipse Public License 1.0 5 votes vote down vote up
/**
 * Returns the union of the roles listed by every registered authorization manager. A
 * manager that returns {@code null} contributes nothing.
 */
@Override
public Set<Role> listRoles() {
  Set<Role> combined = new HashSet<>();
  for (AuthorizationManager manager : authorizationManagers.values()) {
    Set<Role> listed = manager.listRoles();
    if (listed == null) {
      continue;
    }
    combined.addAll(listed);
  }
  return combined;
}