Repository: nifi-registry Updated Branches: refs/heads/master 2460c84bd -> 287cc41fb
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-framework/src/test/groovy/org/apache/nifi/registry/service/AuthorizationServiceSpec.groovy ---------------------------------------------------------------------- diff --git a/nifi-registry-framework/src/test/groovy/org/apache/nifi/registry/service/AuthorizationServiceSpec.groovy b/nifi-registry-framework/src/test/groovy/org/apache/nifi/registry/service/AuthorizationServiceSpec.groovy index a7fa5eb..ead72d4 100644 --- a/nifi-registry-framework/src/test/groovy/org/apache/nifi/registry/service/AuthorizationServiceSpec.groovy +++ b/nifi-registry-framework/src/test/groovy/org/apache/nifi/registry/service/AuthorizationServiceSpec.groovy @@ -16,6 +16,10 @@ */ package org.apache.nifi.registry.service +import org.apache.nifi.registry.authorization.AccessPolicy +import org.apache.nifi.registry.authorization.User +import org.apache.nifi.registry.authorization.UserGroup +import org.apache.nifi.registry.bucket.Bucket import org.apache.nifi.registry.security.authorization.AccessPolicy as AuthAccessPolicy import org.apache.nifi.registry.security.authorization.AuthorizableLookup import org.apache.nifi.registry.security.authorization.ConfigurableAccessPolicyProvider @@ -27,10 +31,6 @@ import org.apache.nifi.registry.security.authorization.User as AuthUser import org.apache.nifi.registry.security.authorization.exception.AccessDeniedException import org.apache.nifi.registry.security.authorization.resource.Authorizable import org.apache.nifi.registry.security.authorization.resource.ResourceType -import org.apache.nifi.registry.bucket.Bucket -import org.apache.nifi.registry.model.authorization.AccessPolicy -import org.apache.nifi.registry.model.authorization.User -import org.apache.nifi.registry.model.authorization.UserGroup import spock.lang.Specification class AuthorizationServiceSpec extends Specification { 
@@ -536,15 +536,14 @@ class AuthorizationServiceSpec extends Specification { then: resources != null - resources.size() == 7 + resources.size() == 6 def sortedResources = resources.sort{it.identifier} sortedResources[0].identifier == "/buckets" sortedResources[1].identifier == "/buckets/b1" sortedResources[2].identifier == "/buckets/b2" sortedResources[3].identifier == "/policies" sortedResources[4].identifier == "/proxy" - sortedResources[5].identifier == "/resources" - sortedResources[6].identifier == "/tenants" + sortedResources[5].identifier == "/tenants" } @@ -581,7 +580,6 @@ class AuthorizationServiceSpec extends Specification { authorizableLookup.getAuthorizableByResource("/buckets/b2") >> denied authorizableLookup.getAuthorizableByResource("/policies") >> authorized authorizableLookup.getAuthorizableByResource("/proxy") >> denied - authorizableLookup.getAuthorizableByResource("/resources") >> authorized authorizableLookup.getAuthorizableByResource("/tenants") >> authorized @@ -590,13 +588,12 @@ class AuthorizationServiceSpec extends Specification { then: resources != null - resources.size() == 5 + resources.size() == 4 def sortedResources = resources.sort{it.identifier} sortedResources[0].identifier == "/buckets" sortedResources[1].identifier == "/buckets/b1" sortedResources[2].identifier == "/policies" - sortedResources[3].identifier == "/resources" - sortedResources[4].identifier == "/tenants" + sortedResources[3].identifier == "/tenants" when: @@ -611,12 +608,4 @@ class AuthorizationServiceSpec extends Specification { } - - - - - - - - } http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/NiFiRegistryResourceConfig.java ---------------------------------------------------------------------- 
diff --git a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/NiFiRegistryResourceConfig.java b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/NiFiRegistryResourceConfig.java index 2fe9fcd..118fc9f 100644 --- a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/NiFiRegistryResourceConfig.java +++ b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/NiFiRegistryResourceConfig.java @@ -16,13 +16,12 @@ */ package org.apache.nifi.registry.web; -import org.apache.nifi.registry.web.api.AccessPolicyResource; import org.apache.nifi.registry.web.api.AccessResource; import org.apache.nifi.registry.web.api.BucketFlowResource; import org.apache.nifi.registry.web.api.BucketResource; import org.apache.nifi.registry.web.api.FlowResource; import org.apache.nifi.registry.web.api.ItemResource; -import org.apache.nifi.registry.web.api.ResourceResource; +import org.apache.nifi.registry.web.api.AccessPolicyResource; import org.apache.nifi.registry.web.api.TenantResource; import org.glassfish.jersey.server.ResourceConfig; import org.glassfish.jersey.server.ServerProperties; @@ -63,7 +62,6 @@ public class NiFiRegistryResourceConfig extends ResourceConfig { register(BucketFlowResource.class); register(FlowResource.class); register(ItemResource.class); - register(ResourceResource.class); register(TenantResource.class); // include bean validation errors in response http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessPolicyResource.java ---------------------------------------------------------------------- diff --git a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessPolicyResource.java b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessPolicyResource.java index 2c96d70..50474d3 100644 --- a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessPolicyResource.java 
+++ b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessPolicyResource.java @@ -34,13 +34,14 @@ import io.swagger.annotations.ApiOperation; import io.swagger.annotations.ApiParam; import io.swagger.annotations.ApiResponse; import io.swagger.annotations.ApiResponses; +import org.apache.nifi.registry.authorization.Resource; import org.apache.nifi.registry.security.authorization.Authorizer; import org.apache.nifi.registry.security.authorization.AuthorizerCapabilityDetection; import org.apache.nifi.registry.security.authorization.RequestAction; import org.apache.nifi.registry.security.authorization.resource.Authorizable; import org.apache.nifi.registry.security.authorization.user.NiFiUserUtils; -import org.apache.nifi.registry.model.authorization.AccessPolicy; -import org.apache.nifi.registry.model.authorization.AccessPolicySummary; +import org.apache.nifi.registry.authorization.AccessPolicy; +import org.apache.nifi.registry.authorization.AccessPolicySummary; import org.apache.nifi.registry.service.AuthorizationService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -304,6 +305,31 @@ public class AccessPolicyResource extends AuthorizableApplicationResource { return generateOkResponse(deletedPolicy).build(); } + /** + * Gets the available resources that support access/authorization policies. + * + * @return A resourcesEntity. + */ + @GET + @Path("/resources") + @Consumes(MediaType.WILDCARD) + @Produces(MediaType.APPLICATION_JSON) + @ApiOperation( + value = "Gets the available resources that support access/authorization policies", + response = Resource.class, + responseContainer = "List" + ) + @ApiResponses({ + @ApiResponse(code = 401, message = HttpStatusMessages.MESSAGE_401), + @ApiResponse(code = 403, message = HttpStatusMessages.MESSAGE_403) }) + public Response getResources() { + authorizeAccess(RequestAction.READ); + + final List<Resource> resources = authorizationService.getResources(); + + return generateOkResponse(resources).build(); + } + private void verifyAuthorizerIsManaged() { if (!AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)) { http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessResource.java ---------------------------------------------------------------------- diff --git a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessResource.java b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessResource.java index 187f976..d232c4a 100644 --- a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessResource.java +++ b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessResource.java 
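Review bot: The relocated `getResources()` gates on `authorizeAccess(RequestAction.READ)`, whereas the deleted `ResourceResource` authorized against `lookup.getResourcesAuthorizable()`. `authorizeAccess` is defined outside this hunk, so presumably the listing now requires READ on the access-policies resource rather than on `/resources`. That changes who may enumerate the authorizable resources, and the Javadoc and `@ApiOperation` should say so, for example `* Requires READ access to the policies resource; the former /resources policy no longer applies.` The `@return A resourcesEntity.` line is also inaccurate, since the method returns a list of `Resource`. It is worth confirming that stored policies still naming `/resources` are handled on upgrade, as nothing in this commit shows that.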
@@ -23,7 +23,7 @@ import io.swagger.annotations.ApiResponse; import io.swagger.annotations.ApiResponses; import org.apache.commons.lang3.StringUtils; import org.apache.nifi.registry.exception.AdministrationException; -import org.apache.nifi.registry.model.authorization.CurrentUser; +import org.apache.nifi.registry.authorization.CurrentUser; import org.apache.nifi.registry.properties.NiFiRegistryProperties; import org.apache.nifi.registry.security.authentication.AuthenticationRequest; import org.apache.nifi.registry.security.authentication.AuthenticationResponse; http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AuthorizableApplicationResource.java ---------------------------------------------------------------------- diff --git a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AuthorizableApplicationResource.java b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AuthorizableApplicationResource.java index 1e6602e..1d75104 100644 --- a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AuthorizableApplicationResource.java +++ b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AuthorizableApplicationResource.java 
@@ -22,7 +22,7 @@ import org.apache.nifi.registry.security.authorization.resource.Authorizable; import org.apache.nifi.registry.security.authorization.resource.ResourceType; import org.apache.nifi.registry.security.authorization.user.NiFiUserUtils; import org.apache.nifi.registry.bucket.BucketItem; -import org.apache.nifi.registry.model.authorization.Resource; +import org.apache.nifi.registry.authorization.Resource; import org.apache.nifi.registry.service.AuthorizationService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/ResourceResource.java ---------------------------------------------------------------------- diff --git a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/ResourceResource.java b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/ResourceResource.java deleted file mode 100644 index 119b71f..0000000 --- a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/ResourceResource.java +++ /dev/null 
@@ -1,90 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.registry.web.api; - -import io.swagger.annotations.Api; -import io.swagger.annotations.ApiOperation; -import io.swagger.annotations.ApiResponse; -import io.swagger.annotations.ApiResponses; -import org.apache.nifi.registry.model.authorization.Resource; -import org.apache.nifi.registry.security.authorization.Authorizer; -import org.apache.nifi.registry.security.authorization.RequestAction; -import org.apache.nifi.registry.security.authorization.resource.Authorizable; -import org.apache.nifi.registry.security.authorization.user.NiFiUserUtils; -import org.apache.nifi.registry.service.AuthorizationService; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Component; - -import javax.ws.rs.Consumes; -import javax.ws.rs.GET; -import javax.ws.rs.Path; -import javax.ws.rs.Produces; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.Response; -import java.util.List; - -/** - * RESTful endpoint for retrieving system diagnostics. 
- */ -@Component -@Path("/resources") -@Api( - value = "/resources", - description = "Provides the resources in this NiFi that can have access/authorization policies." -) -public class ResourceResource extends AuthorizableApplicationResource { - - private static final Logger logger = LoggerFactory.getLogger(ResourceResource.class); - - @Autowired - public ResourceResource(AuthorizationService authorizationService, Authorizer authorizer) { - super(authorizer, authorizationService); - } - - /** - * Gets the available resources that support access/authorization policies. - * - * @return A resourcesEntity. - */ - @GET - @Consumes(MediaType.WILDCARD) - @Produces(MediaType.APPLICATION_JSON) - @ApiOperation( - value = "Gets the available resources that support access/authorization policies", - response = Resource.class, - responseContainer = "List" - ) - @ApiResponses({ - @ApiResponse(code = 401, message = HttpStatusMessages.MESSAGE_401), - @ApiResponse(code = 403, message = HttpStatusMessages.MESSAGE_403) }) - public Response getResources() { - authorizeResource(); - - final List<Resource> resources = authorizationService.getResources(); - - return generateOkResponse(resources).build(); - } - - private void authorizeResource() { - authorizationService.authorizeAccess(lookup -> { - final Authorizable resource = lookup.getResourcesAuthorizable(); - resource.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser()); - }); - } -} http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/TenantResource.java ---------------------------------------------------------------------- diff --git a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/TenantResource.java b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/TenantResource.java index 3d088d7..d9cb66a 100644 
--- a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/TenantResource.java +++ b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/TenantResource.java @@ -27,8 +27,8 @@ import org.apache.nifi.registry.security.authorization.AuthorizerCapabilityDetec import org.apache.nifi.registry.security.authorization.RequestAction; import org.apache.nifi.registry.security.authorization.resource.Authorizable; import org.apache.nifi.registry.security.authorization.user.NiFiUserUtils; -import org.apache.nifi.registry.model.authorization.User; -import org.apache.nifi.registry.model.authorization.UserGroup; +import org.apache.nifi.registry.authorization.User; +import org.apache.nifi.registry.authorization.UserGroup; import org.apache.nifi.registry.service.AuthorizationService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/PermissionsService.java ---------------------------------------------------------------------- diff --git a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/PermissionsService.java b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/PermissionsService.java index f3ecb11..1e00ee1 100644 --- a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/PermissionsService.java +++ b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/PermissionsService.java 
@@ -18,13 +18,21 @@ package org.apache.nifi.registry.web.security; import org.apache.nifi.registry.bucket.Bucket; import org.apache.nifi.registry.bucket.BucketItem; -import org.apache.nifi.registry.model.authorization.Permissions; +import org.apache.nifi.registry.authorization.Permissions; import org.apache.nifi.registry.security.authorization.AuthorizableLookup; import org.apache.nifi.registry.security.authorization.resource.Authorizable; import org.apache.nifi.registry.service.AuthorizationService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; +/** + * This is a class that Resource classes can utilized to populate fields + * on model objects returned by the {@link org.apache.nifi.registry.service.RegistryService} + * before returning them to a client. + * + * The fields cannot be populated by the RegistryService because they require + * the {@link AuthorizationService}, which RegistryService does not depend on. + */ @Service public class PermissionsService { http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureFileIT.java ---------------------------------------------------------------------- diff --git a/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureFileIT.java b/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureFileIT.java index e3e0f21..0ffdb0d 100644 --- a/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureFileIT.java +++ b/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureFileIT.java 
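Review bot: The new class Javadoc on `PermissionsService` has a typo, "can utilized". Its two paragraphs will also render as one, because the blank comment line between them carries no `<p>`. Suggested first line: `* This is a class that Resource classes can utilize to populate fields`, and `* <p>` on the line before "The fields cannot be populated by the RegistryService".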
@@ -17,6 +17,10 @@ package org.apache.nifi.registry.web.api; import org.apache.nifi.registry.NiFiRegistryTestApiApplication; +import org.apache.nifi.registry.authorization.ResourcePermissions; +import org.apache.nifi.registry.authorization.Tenant; +import org.apache.nifi.registry.authorization.User; +import org.apache.nifi.registry.authorization.UserGroup; import org.junit.Test; import org.junit.runner.RunWith; import org.skyscreamer.jsonassert.JSONAssert; @@ -25,9 +29,12 @@ import org.springframework.context.annotation.Import; import org.springframework.test.context.jdbc.Sql; import org.springframework.test.context.junit4.SpringRunner; +import javax.ws.rs.client.Entity; +import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; /** * Deploy the Web API Application using an embedded Jetty Server for local integration testing, with the follow characteristics: 
@@ -53,11 +60,12 @@ public class SecureFileIT extends IntegrationTestBase { String expectedJson = "{" + "\"identity\":\"CN=user1, OU=nifi\"," + "\"anonymous\":false," + - "\"administrationPermissions\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + - "\"bucketsPermissions\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + - "\"tenantsPermissions\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + - "\"policiesPermissions\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + - "\"resourcesPermissions\":{\"canRead\":true}" + + "\"resourcePermissions\":{" + + "\"anyTopLevelResource\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"buckets\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"tenants\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"policies\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"proxy\":{\"canRead\":false,\"canWrite\":true,\"canDelete\":false}}" + "}"; // When: the /access endpoint is queried @@ -78,15 +86,14 @@ public class SecureFileIT extends IntegrationTestBase { // Given: an empty registry returns these resources String expected = "[" + "{\"identifier\":\"/policies\",\"name\":\"Access Policies\"}," + - "{\"identifier\":\"/tenants\",\"name\":\"Tenant\"}," + + "{\"identifier\":\"/tenants\",\"name\":\"Tenants\"}," + "{\"identifier\":\"/proxy\",\"name\":\"Proxy User Requests\"}," + - "{\"identifier\":\"/resources\",\"name\":\"Resources\"}," + "{\"identifier\":\"/buckets\",\"name\":\"Buckets\"}" + "]"; // When: the /resources endpoint is queried final String resourcesJson = client - .target(createURL("resources")) + .target(createURL("/policies/resources")) .request() .get(String.class); 
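Review bot: In the `@@ -78,15 +86,14 @@` hunk the request becomes `createURL("/policies/resources")` with a leading slash, while the other calls added to this file pass relative paths such as `createURL("tenants/users")`. `createURL` is not shown here; if it joins base and path with a slash, this request goes to `//policies/resources`, so `.target(createURL("policies/resources"))` would be consistent with the rest. The comment above it still reads `// When: the /resources endpoint is queried` and should name `/policies/resources`.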
@@ -94,4 +101,70 @@ public class SecureFileIT extends IntegrationTestBase { JSONAssert.assertEquals(expected, resourcesJson, false); } + @Test + public void testCreateUser() throws Exception { + + // Given: the server has been configured with FileUserGroupProvider, which is configurable, + // and: the initial admin client wants to create a tenant + Tenant tenant = new Tenant(); + tenant.setIdentity("New User"); + + // When: the POST /tenants/users endpoint is accessed + final Response createUserResponse = client + .target(createURL("tenants/users")) + .request() + .post(Entity.entity(tenant, MediaType.APPLICATION_JSON_TYPE), Response.class); + + // Then: "201 created" is returned with the expected user + assertEquals(201, createUserResponse.getStatus()); + User actualUser = createUserResponse.readEntity(User.class); + assertNotNull(actualUser.getIdentifier()); + try { + assertEquals(tenant.getIdentity(), actualUser.getIdentity()); + assertEquals(true, actualUser.getConfigurable()); + assertEquals(0, actualUser.getUserGroups().size()); + assertEquals(0, actualUser.getAccessPolicies().size()); + assertEquals(new ResourcePermissions(), actualUser.getResourcePermissions()); + } finally { + // cleanup user for other tests + client.target(createURL("tenants/users/" + actualUser.getIdentifier())) + .request() + .delete(); + } + + } + + @Test + public void testCreateUserGroup() throws Exception { + + // Given: the server has been configured with FileUserGroupProvider, which is configurable, + // and: the initial admin client wants to create a tenant + Tenant tenant = new Tenant(); + tenant.setIdentity("New Group"); + + // When: the POST /tenants/user-groups endpoint is used + final Response createUserGroupResponse = client + .target(createURL("tenants/user-groups")) + .request() + .post(Entity.entity(tenant, MediaType.APPLICATION_JSON_TYPE), Response.class); + + // Then: 201 created is returned with the expected group + assertEquals(201, 
createUserGroupResponse.getStatus()); + UserGroup actualUserGroup = createUserGroupResponse.readEntity(UserGroup.class); + assertNotNull(actualUserGroup.getIdentifier()); + try { + assertEquals(tenant.getIdentity(), actualUserGroup.getIdentity()); + assertEquals(true, actualUserGroup.getConfigurable()); + assertEquals(0, actualUserGroup.getUsers().size()); + assertEquals(0, actualUserGroup.getAccessPolicies().size()); + assertEquals(new ResourcePermissions(), actualUserGroup.getResourcePermissions()); + } finally { + // cleanup user for other tests + client.target(createURL("tenants/user-groups/" + actualUserGroup.getIdentifier())) + .request() + .delete(); + } + + } + } http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureKerberosIT.java ---------------------------------------------------------------------- diff --git a/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureKerberosIT.java b/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureKerberosIT.java index e610a38..8d8ea97 100644 --- a/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureKerberosIT.java +++ b/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureKerberosIT.java 
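Review bot: The `finally` blocks in `testCreateUser` and `testCreateUserGroup` discard the result of the cleanup `.delete()`, so a failed cleanup is silent and the created tenant can leak into later tests that share this server. Capture the response, check it for a success status and close it. The comment in `testCreateUserGroup` is copied from the user test and should read `// cleanup user group for other tests`. Both tests cover only the initial-admin path. If this IT has a second client identity available (not visible here), a companion case asserting 403 for a caller without write access to `/tenants` would pin the authorization check on these POST endpoints as well.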
@@ -190,11 +190,12 @@ public class SecureKerberosIT extends IntegrationTestBase { String expectedJson = "{" + "\"identity\":\"kerberosUser@LOCALHOST\"," + "\"anonymous\":false," + - "\"administrationPermissions\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + - "\"bucketsPermissions\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + - "\"tenantsPermissions\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + - "\"policiesPermissions\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + - "\"resourcesPermissions\":{\"canRead\":true}" + + "\"resourcePermissions\":{" + + "\"anyTopLevelResource\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"buckets\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"tenants\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"policies\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"proxy\":{\"canRead\":false,\"canWrite\":true,\"canDelete\":false}}" + "}"; // When: the /access endpoint is queried using a JWT for the kerberos user http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureLdapIT.java ---------------------------------------------------------------------- diff --git a/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureLdapIT.java b/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureLdapIT.java index 416e50d..3ee4d83 100644 --- a/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureLdapIT.java +++ b/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureLdapIT.java 
@@ -20,11 +20,11 @@ import org.apache.commons.lang3.StringUtils; import org.apache.nifi.registry.SecureLdapTestApiApplication; import org.apache.nifi.registry.bucket.Bucket; import org.apache.nifi.registry.extension.ExtensionManager; -import org.apache.nifi.registry.model.authorization.AccessPolicy; -import org.apache.nifi.registry.model.authorization.AccessPolicySummary; -import org.apache.nifi.registry.model.authorization.CurrentUser; -import org.apache.nifi.registry.model.authorization.Permissions; -import org.apache.nifi.registry.model.authorization.Tenant; +import org.apache.nifi.registry.authorization.AccessPolicy; +import org.apache.nifi.registry.authorization.AccessPolicySummary; +import org.apache.nifi.registry.authorization.CurrentUser; +import org.apache.nifi.registry.authorization.Permissions; +import org.apache.nifi.registry.authorization.Tenant; import org.apache.nifi.registry.properties.NiFiRegistryProperties; import org.apache.nifi.registry.security.authorization.Authorizer; import org.apache.nifi.registry.security.authorization.AuthorizerFactory; 
@@ -235,11 +235,12 @@ public class SecureLdapIT extends IntegrationTestBase { String expectedJson = "{" + "\"identity\":\"nifiadmin\"," + "\"anonymous\":false," + - "\"administrationPermissions\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + - "\"bucketsPermissions\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + - "\"tenantsPermissions\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + - "\"policiesPermissions\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + - "\"resourcesPermissions\":{\"canRead\":true}" + + "\"resourcePermissions\":{" + + "\"anyTopLevelResource\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"buckets\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"tenants\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"policies\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"proxy\":{\"canRead\":false,\"canWrite\":true,\"canDelete\":false}}" + "}"; // When: the /access endpoint is queried using a JWT for the nifiadmin LDAP user 
@@ -261,7 +262,13 @@ public class SecureLdapIT extends IntegrationTestBase { // Given: the client and server have been configured correctly for LDAP authentication String expectedJson = "[" + - "{\"identity\":\"nifiadmin\",\"userGroups\":[],\"configurable\":false}," + + "{\"identity\":\"nifiadmin\",\"userGroups\":[],\"configurable\":false," + + "\"resourcePermissions\":{" + + "\"anyTopLevelResource\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"buckets\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"tenants\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"policies\":{\"canRead\":true,\"canWrite\":true,\"canDelete\":true}," + + "\"proxy\":{\"canRead\":false,\"canWrite\":true,\"canDelete\":false}}}," + "{\"identity\":\"euler\",\"userGroups\":[{\"identity\":\"mathematicians\"}],\"accessPolicies\":[],\"configurable\":false}," + "{\"identity\":\"euclid\",\"userGroups\":[{\"identity\":\"mathematicians\"}],\"accessPolicies\":[],\"configurable\":false}," + "{\"identity\":\"boyle\",\"userGroups\":[{\"identity\":\"chemists\"}],\"accessPolicies\":[],\"configurable\":false}," + 
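Review bot: Only the `nifiadmin` entry gains an expected `resourcePermissions` object; the `euler`, `euclid` and `boyle` entries pin nothing about permissions. The comparison itself is outside this hunk. If it is lenient, as in the `JSONAssert.assertEquals(expected, resourcesJson, false)` call in `SecureFileIT`, extra fields in the response are ignored, so an unprivileged LDAP user returned with non-empty permissions would still pass. Consider asserting the non-admin users' permissions explicitly, either in the expected JSON or on deserialized `User` objects.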
@@ -378,12 +385,10 @@ public class SecureLdapIT extends IntegrationTestBase { .get(CurrentUser.class); // Then: 200 OK is returned indicating user has access to no top-level resources - assertEquals(new Permissions(), currentUser.getAdministrationPermissions()); - assertEquals(new Permissions(), currentUser.getBucketsPermissions()); - assertEquals(new Permissions(), currentUser.getTenantsPermissions()); - assertEquals(new Permissions(), currentUser.getPoliciesPermissions()); - assertEquals(new Permissions(), currentUser.getResourcesPermissions()); - + assertEquals(new Permissions(), currentUser.getResourcePermissions().getBuckets()); + assertEquals(new Permissions(), currentUser.getResourcePermissions().getTenants()); + assertEquals(new Permissions(), currentUser.getResourcePermissions().getPolicies()); + assertEquals(new Permissions(), currentUser.getResourcePermissions().getProxy()); // When: nifiadmin creates a bucket final Bucket bucket = new Bucket(); http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureNiFiRegistryClientIT.java ---------------------------------------------------------------------- diff --git a/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureNiFiRegistryClientIT.java b/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureNiFiRegistryClientIT.java index 3abd276..06186f3 100644 --- a/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureNiFiRegistryClientIT.java +++ b/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/SecureNiFiRegistryClientIT.java 
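Review bot: The rewritten assertions leave the aggregate permission unchecked. The old block asserted `getAdministrationPermissions()`, which appears to be replaced by `anyTopLevelResource` in the expected JSON elsewhere in this commit, but the new block covers only buckets, tenants, policies and proxy. Add `assertEquals(new Permissions(), currentUser.getResourcePermissions().getAnyTopLevelResource());` so that a regression reporting aggregate access for a user with no top-level access fails here. The test method starts and ends outside this hunk.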
@@ -17,6 +17,7 @@ package org.apache.nifi.registry.web.api; import org.apache.nifi.registry.NiFiRegistryTestApiApplication; +import org.apache.nifi.registry.authorization.Permissions; import org.apache.nifi.registry.bucket.Bucket; import org.apache.nifi.registry.client.BucketClient; import org.apache.nifi.registry.client.FlowClient; @@ -30,7 +31,7 @@ import org.apache.nifi.registry.flow.VersionedFlow; import org.apache.nifi.registry.flow.VersionedFlowSnapshot; import org.apache.nifi.registry.flow.VersionedFlowSnapshotMetadata; import org.apache.nifi.registry.flow.VersionedProcessGroup; -import org.apache.nifi.registry.model.authorization.CurrentUser; +import org.apache.nifi.registry.authorization.CurrentUser; import org.junit.After; import org.junit.Assert; import org.junit.Before; 
@@ -86,9 +87,16 @@ public class SecureNiFiRegistryClientIT extends IntegrationTestBase { @Test public void testGetAccessStatus() throws IOException, NiFiRegistryException { final UserClient userClient = client.getUserClient(); - final CurrentUser status = userClient.getAccessStatus(); - Assert.assertEquals("CN=user1, OU=nifi", status.getIdentity()); - Assert.assertFalse(status.isAnonymous()); + final CurrentUser currentUser = userClient.getAccessStatus(); + Assert.assertEquals("CN=user1, OU=nifi", currentUser.getIdentity()); + Assert.assertFalse(currentUser.isAnonymous()); + Assert.assertNotNull(currentUser.getResourcePermissions()); + Permissions fullAccess = new Permissions().withCanRead(true).withCanWrite(true).withCanDelete(true); + Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getAnyTopLevelResource()); + Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getBuckets()); + Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getTenants()); + Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getPolicies()); + Assert.assertEquals(new Permissions().withCanWrite(true), currentUser.getResourcePermissions().getProxy()); } @Test http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/UnsecuredNiFiRegistryClientIT.java ---------------------------------------------------------------------- diff --git a/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/UnsecuredNiFiRegistryClientIT.java b/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/UnsecuredNiFiRegistryClientIT.java index 5265acb..184a54d 100644 --- a/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/UnsecuredNiFiRegistryClientIT.java +++ b/nifi-registry-web-api/src/test/java/org/apache/nifi/registry/web/api/UnsecuredNiFiRegistryClientIT.java 
@@ -16,6 +16,7 @@ */ package org.apache.nifi.registry.web.api; +import org.apache.nifi.registry.authorization.Permissions; import org.apache.nifi.registry.bucket.Bucket; import org.apache.nifi.registry.bucket.BucketItem; import org.apache.nifi.registry.client.BucketClient; @@ -33,7 +34,7 @@ import org.apache.nifi.registry.flow.VersionedFlowSnapshot; import org.apache.nifi.registry.flow.VersionedFlowSnapshotMetadata; import org.apache.nifi.registry.flow.VersionedProcessGroup; import org.apache.nifi.registry.flow.VersionedProcessor; -import org.apache.nifi.registry.model.authorization.CurrentUser; +import org.apache.nifi.registry.authorization.CurrentUser; import org.apache.nifi.registry.params.SortOrder; import org.apache.nifi.registry.params.SortParameter; import org.junit.After; @@ -90,9 +91,16 @@ public class UnsecuredNiFiRegistryClientIT extends UnsecuredITBase { @Test public void testGetAccessStatus() throws IOException, NiFiRegistryException { final UserClient userClient = client.getUserClient(); - final CurrentUser status = userClient.getAccessStatus(); - Assert.assertEquals("anonymous", status.getIdentity()); - Assert.assertTrue(status.isAnonymous()); + final CurrentUser currentUser = userClient.getAccessStatus(); + Assert.assertEquals("anonymous", currentUser.getIdentity()); + Assert.assertTrue(currentUser.isAnonymous()); + Assert.assertNotNull(currentUser.getResourcePermissions()); + Permissions fullAccess = new Permissions().withCanRead(true).withCanWrite(true).withCanDelete(true); + Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getAnyTopLevelResource()); + Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getBuckets()); + Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getTenants()); + Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getPolicies()); + Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getProxy()); } @Test
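Review bot: The new assertions in `testGetAccessStatus` (the `@@ -90,9 +91,16 @@` hunk) pin that the anonymous identity is reported with read, write and delete on every resource, including `getProxy()`, with no comment saying why. The secured variant of this test expects proxy to be write-only, so the difference deserves a line of explanation. Presumably it follows from no authorizer being enforced in the unsecured setup; if so, add something like `// unsecured mode: authorization is not enforced, so every permission is reported as granted` above the `fullAccess` declaration.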
