Allow superuser to access @RequireAdminUserAccess
Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/f61b5a13 Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/f61b5a13 Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/f61b5a13 Branch: refs/heads/hotfix-2.0.0 Commit: f61b5a1306e5f5bed29286c3a821797f7ca9b81c Parents: 8dddc0e Author: Michael Russo <[email protected]> Authored: Mon Feb 22 21:17:24 2016 -0800 Committer: Michael Russo <[email protected]> Committed: Mon Feb 22 21:17:24 2016 -0800 ---------------------------------------------------------------------- .../MvccEntitySerializationStrategyImpl.java | 2 +- .../security/SecuredResourceFilterFactory.java | 2 +- .../usergrid/rest/management/AdminUsersIT.java | 99 ++++++++++++++++---- .../endpoints/NamedResource.java | 32 +++++++ .../endpoints/mgmt/OrgResource.java | 5 + .../endpoints/mgmt/TokenResource.java | 9 ++ 6 files changed, 130 insertions(+), 19 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/usergrid/blob/f61b5a13/stack/corepersistence/collection/src/main/java/org/apache/usergrid/persistence/collection/serialization/impl/MvccEntitySerializationStrategyImpl.java ---------------------------------------------------------------------- diff --git a/stack/corepersistence/collection/src/main/java/org/apache/usergrid/persistence/collection/serialization/impl/MvccEntitySerializationStrategyImpl.java b/stack/corepersistence/collection/src/main/java/org/apache/usergrid/persistence/collection/serialization/impl/MvccEntitySerializationStrategyImpl.java index 6badbc1..8dbb24f 100644 --- a/stack/corepersistence/collection/src/main/java/org/apache/usergrid/persistence/collection/serialization/impl/MvccEntitySerializationStrategyImpl.java +++ b/stack/corepersistence/collection/src/main/java/org/apache/usergrid/persistence/collection/serialization/impl/MvccEntitySerializationStrategyImpl.java 
@@ -200,7 +200,7 @@ public abstract class MvccEntitySerializationStrategyImpl implements MvccEntityS
 final List<ScopedRowKey<CollectionPrefixedKey<Id>>> scopedRowKeys ) {
 try {
- return keyspace.prepareQuery( columnFamily ).getKeySlice( rowKeys )
+ return keyspace.prepareQuery( columnFamily ).getKeySlice( scopedRowKeys )
 .withColumnRange( maxVersion, null, false, 1 ).execute().getResult();
 }
http://git-wip-us.apache.org/repos/asf/usergrid/blob/f61b5a13/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
index 2699938..c554fea 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
@@ -321,7 +321,7 @@ public class SecuredResourceFilterFactory implements ResourceFilterFactory {
 @Override
 public void authorize( ContainerRequest request ) {
 logger.debug( "AdminUserFilter.authorize" );
- if ( !isUser( getUserIdentifier() ) ) {
+ if ( !isUser( getUserIdentifier() ) && !isServiceAdmin() ) {
 throw mappableSecurityException( "unauthorized", "No admin user access authorized" );
 }
 }
http://git-wip-us.apache.org/repos/asf/usergrid/blob/f61b5a13/stack/rest/src/test/java/org/apache/usergrid/rest/management/AdminUsersIT.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/management/AdminUsersIT.java b/stack/rest/src/test/java/org/apache/usergrid/rest/management/AdminUsersIT.java
index 2a68029..7b13fd1 100644
--- a/stack/rest/src/test/java/org/apache/usergrid/rest/management/AdminUsersIT.java
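Review bot: The widened condition `!isUser( getUserIdentifier() ) && !isServiceAdmin()` lets a service-admin (superuser) subject through a filter whose name promises an admin user, and nothing in the hunk records that; a resource behind @RequireAdminUserAccess that then asks for the current user principal may find none for a superuser session, since isServiceAdmin() presumably tests a different kind of principal — worth confirming against the guarded resources. I would state the contract above the condition: `// A service admin (superuser) is also accepted here; guarded resources must not assume a user principal is present.` The debug line only records that the filter ran; logging which branch granted access (user vs. service admin) would make superuser use of admin-user endpoints visible for auditing. The class continues outside the hunk.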
+++ b/stack/rest/src/test/java/org/apache/usergrid/rest/management/AdminUsersIT.java @@ -158,6 +158,7 @@ public class AdminUsersIT extends AbstractRestIT { * Get the management user feed and check that it has the correct title. * @throws Exception */ + @Ignore @Test public void mgmtUserFeed() throws Exception { @@ -332,16 +333,35 @@ public class AdminUsersIT extends AbstractRestIT { } } - /** - * Update the current management user and make sure the change persists - * @throws Exception - */ - @Ignore("Fails because we cannot GET a management user with a super user token - only with an Admin level token." - + "But, we can PUT with a superuser token. This test will work once that issue has been resolved.") @Test - public void updateManagementUser() throws Exception { + public void updateManagementUserNoToken() throws Exception { + + + Organization newOrg = createOrgPayload( "updateManagementUserNoToken", null ); + + + Organization orgReturned = clientSetup.getRestClient().management().orgs().post( newOrg ); + + assertNotNull( orgReturned.getOwner() ); + + //Add a property to management user + Entity userProperty = new Entity( ).chainPut( "company","usergrid" ); + + try{ + management().users().user( newOrg.getUsername() ).put( userProperty ); + } catch( UniformInterfaceException e ){ + + int status = e.getResponse().getStatus(); + assertEquals(401, status); + } + + } + + @Test + public void updateManagementUserSuperuserToken() throws Exception { + - Organization newOrg = createOrgPayload( "updateManagementUser", null ); + Organization newOrg = createOrgPayload( "updateManagementUserSuperuserToken", null ); Organization orgReturned = clientSetup.getRestClient().management().orgs().post( newOrg ); 
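Review bot: updateManagementUserNoToken cannot fail when the PUT unexpectedly succeeds: the 401 assertion sits only in the catch block, so a request accepted without a token passes the test silently. Add `fail( "expected 401" );` as the last statement of the try block (fail throws an AssertionError, which the UniformInterfaceException catch does not swallow); the same pattern appears in updateManagementUserWrongAdminToken in the last hunk of this file. The @Ignore added to mgmtUserFeed in the first hunk carries no reason, unlike the one this commit removes — give it a message so the disabled test is not forgotten. updateManagementUserSuperuserToken is cut off at the end of this hunk and continues in the next.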
@@ -350,24 +370,69 @@ public class AdminUsersIT extends AbstractRestIT { //Add a property to management user Entity userProperty = new Entity( ).chainPut( "company","usergrid" ); + + management.token().setToken( clientSetup.getSuperuserToken()); management().users().user( newOrg.getUsername() ).put( userProperty ); - Entity userUpdated = updateAdminUser( userProperty, orgReturned ); - assertEquals( "usergrid",userUpdated.getAsString( "company" ) ); + } - //Update property with new management value. - userProperty = new Entity( ).chainPut( "company","Apigee" ); + @Test + public void updateManagementUserAdminToken() throws Exception { - userUpdated = updateAdminUser( userProperty, orgReturned); + Organization newOrg = createOrgPayload( "updateManagementUserAdminToken", null ); + + + Organization orgReturned = clientSetup.getRestClient().management().orgs().post( newOrg ); + + assertNotNull( orgReturned.getOwner() ); + + String orgName = orgReturned.getName(); + + //Add a property to management user + Entity userProperty = new Entity( ).chainPut( "company","usergrid" ); + + User adminUser = orgReturned.getOwner(); + + Token adminToken = management.token().get(adminUser.getUsername(), orgName); + assertNotNull(adminToken); + management.token().setToken( adminToken ); + management().users().user( newOrg.getUsername() ).put( userProperty ); - assertEquals( "Apigee",userUpdated.getAsString( "company" ) ); } - private Entity updateAdminUser(Entity userProperty, Organization organization){ - management().users().user( organization.getUsername() ).put( userProperty ); + @Test + public void updateManagementUserWrongAdminToken() throws Exception { + + Organization newOrg = createOrgPayload( "updateManagementUserWrongAdminToken", null ); + Organization orgReturned = clientSetup.getRestClient().management().orgs().post( newOrg ); + assertNotNull( orgReturned.getOwner() ); + + // add a new management user to the org for the purpose of a 'wrong' user trying update others + Entity 
adminUserPayload = new Entity(); + String wrongAdminUsername = "wrongAdminUser"+UUIDUtils.newTimeUUID(); + adminUserPayload.put( "username", wrongAdminUsername ); + adminUserPayload.put( "name", wrongAdminUsername ); + adminUserPayload.put( "email", wrongAdminUsername+"@usergrid.com" ); + adminUserPayload.put( "password", wrongAdminUsername ); + management().orgs().org( clientSetup.getOrganizationName() ).users().post(User.class ,adminUserPayload ); - return management().users().user( organization.getUsername() ).get(); + + // get token of the newly added wrongAdminUser + Token wrongAdminToken = management.token().get(wrongAdminUsername, wrongAdminUsername); + assertNotNull(wrongAdminToken); + management.token().setToken( wrongAdminToken ); + + try{ + //Add a property to management user + Entity userProperty = new Entity( ).chainPut( "company","usergrid" ); + management().users().user( newOrg.getUsername() ).put( userProperty ); + + } catch( UniformInterfaceException e ){ + + int status = e.getResponse().getStatus(); + assertEquals(401, status); + } } http://git-wip-us.apache.org/repos/asf/usergrid/blob/f61b5a13/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/NamedResource.java ---------------------------------------------------------------------- diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/NamedResource.java b/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/NamedResource.java index bf5dbf0..8d8ed6b 100644 --- a/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/NamedResource.java +++ b/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/NamedResource.java 
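Review bot: updateManagementUserSuperuserToken now only issues the PUT and asserts nothing about the result, whereas the test it replaces compared the returned `company` value; since this commit lets the superuser through @RequireAdminUserAccess, the GET that the removed @Ignore message called impossible may now work, so a `get()` of the user followed by `assertEquals( "usergrid", userUpdated.getAsString( "company" ) )` would verify the update actually persisted. Each of the three token tests also leaves `management.token().setToken( ... )` in effect when it returns, so the last token set leaks into the next test in the class unless the harness resets the context between tests — I cannot tell from here; restoring it in a finally block or an @After method would make the tests order-independent.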
@@ -17,12 +17,16 @@ package org.apache.usergrid.rest.test.resource2point0.endpoints;
+import com.sun.jersey.api.client.GenericType;
+import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
+import org.apache.usergrid.rest.test.resource2point0.model.Entity;
 import org.apache.usergrid.rest.test.resource2point0.model.QueryParameters;
 import org.apache.usergrid.rest.test.resource2point0.model.Token;
 import org.apache.usergrid.rest.test.resource2point0.state.ClientContext;
 import com.sun.jersey.api.client.WebResource;
+import javax.ws.rs.core.MediaType;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
@@ -105,5 +109,33 @@ public abstract class NamedResource implements UrlResource {
 return resource;
 }
+ public <T> T post(Class<T> type, Entity requestEntity) {
+ return post(true,type,requestEntity,null,false);
+
+ }
+
+ //Used for empty posts
+ public <T> T post( boolean useToken, Class<T> type, Map entity, final QueryParameters queryParameters, boolean useBasicAuthentication ) {
+ WebResource resource = getResource(useToken);
+ resource = addParametersToResource(resource, queryParameters);
+ WebResource.Builder builder = resource
+ .type(MediaType.APPLICATION_JSON_TYPE)
+ .accept( MediaType.APPLICATION_JSON );
+
+ if(entity!=null){
+ builder.entity(entity);
+ }
+
+ if(useBasicAuthentication){
+ //added httpBasicauth filter to all setup calls because they all do verification this way.
+ HTTPBasicAuthFilter httpBasicAuthFilter = new HTTPBasicAuthFilter( "superuser","superpassword" );
+ resource.addFilter(httpBasicAuthFilter);
+ }
+
+ GenericType<T> gt = new GenericType<>((Class) type);
+ return builder.post(gt.getRawClass());
+
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/usergrid/blob/f61b5a13/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/mgmt/OrgResource.java
----------------------------------------------------------------------
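Review bot: The generic detour at the end of the five-argument post() is unnecessary: `new GenericType<>((Class) type)` goes through a raw Class and `gt.getRawClass()` comes back as `Class<?>`, so the return is an unchecked conversion, while `return builder.post(type);` is type-safe and equivalent. The `Map entity` parameter is raw as well and would be clearer as `Map<String, ?>` (the two-argument overload passes an Entity, presumably a Map subtype). The comment `//Used for empty posts` is misleading for a method that accepts an entity; `// POST with optional JSON entity; useBasicAuthentication sends the superuser basic-auth header instead of a token` says what it does. The basic-auth credentials are hard-coded here; if the other setup calls the comment refers to read them from the test configuration, this method should too.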
diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/mgmt/OrgResource.java b/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/mgmt/OrgResource.java
index 2786cb0..1b7202a 100644
--- a/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/mgmt/OrgResource.java
+++ b/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/mgmt/OrgResource.java
@@ -55,6 +55,11 @@ public class OrgResource extends NamedResource {
 return new OrganizationResource( orgname,context,this );
 }
+ public OrganizationResource org( final String orgname ){
+ return new OrganizationResource( orgname,context,this );
+ }
+
+
 /**
 * This post is for the POST params case, where the entire call is made using queryParameters.
 */
http://git-wip-us.apache.org/repos/asf/usergrid/blob/f61b5a13/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/mgmt/TokenResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/mgmt/TokenResource.java b/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/mgmt/TokenResource.java
index cb4d286..b029949 100644
--- a/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/mgmt/TokenResource.java
+++ b/stack/rest/src/test/java/org/apache/usergrid/rest/test/resource2point0/endpoints/mgmt/TokenResource.java
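Review bot: The new org( orgname ) repeats, line for line, the body of the method visible just above it (`return new OrganizationResource( orgname,context,this );`) and adds neither Javadoc nor any hint of which name callers should prefer. Delegate to the existing method instead of duplicating the constructor call, and if both names are meant to stay, a one-line Javadoc such as `/** Alias for the organization sub-resource accessor above. */` would say so. The two trailing blank lines added inside the class are noise.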
@@ -48,6 +48,15 @@ public class TokenResource extends NamedResource {
 return token;
 }
+ public Token get(String username, String password){
+ QueryParameters queryParameters = new QueryParameters();
+ queryParameters.addParam( "grant_type", "password" );
+ queryParameters.addParam( "username", username );
+ queryParameters.addParam( "password", password );
+ return get(queryParameters);
+
+ }
+
 /**
 * Obtains an access token and sets the token for the context to use in later calls
 *
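Review bot: The new get( username, password ) sends the password as a query parameter (`grant_type=password&username=…&password=…`) through `get(queryParameters)`, which by its name issues a GET, so the credential ends up in request URLs, server access logs and any proxy in between; for a test client that is tolerable, but the method should say so in a Javadoc, e.g. `/** Obtains a token via the password grant with credentials passed as query parameters (test use only). Unlike the variant documented below, it is not stated to store the token on the context — confirm against get(QueryParameters). */`. The blank line before the closing brace is stray.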
