From 81a6dc563869193d1918a903401069ffdc776c12 Mon Sep 17 00:00:00 2001 From: Leopold Cramer Date: Mon, 20 Oct 2025 11:52:18 +0200 Subject: [PATCH 1/5] allow keycloak groups in RBAC for easier user handling --- .../common/config/CsmPlatformProperties.kt | 3 ++ .../com/cosmotech/common/rbac/CsmRbac.kt | 47 +++++++++++++++---- .../cosmotech/common/utils/SecurityUtils.kt | 8 ++++ .../com/cosmotech/common/rbac/CsmRbacTests.kt | 46 +++++++++++------- 4 files changed, 76 insertions(+), 28 deletions(-) diff --git a/common/src/main/kotlin/com/cosmotech/common/config/CsmPlatformProperties.kt b/common/src/main/kotlin/com/cosmotech/common/config/CsmPlatformProperties.kt index 01b71cf87..da3747c8f 100644 --- a/common/src/main/kotlin/com/cosmotech/common/config/CsmPlatformProperties.kt +++ b/common/src/main/kotlin/com/cosmotech/common/config/CsmPlatformProperties.kt @@ -73,6 +73,9 @@ data class CsmPlatformProperties( /** The JWT Claim where the mail information is stored */ val mailJwtClaim: String = "preferred_username", + /** The JWT Claim where the groups information are stored */ + val groupJwtClaim: String = "user_groups", + /** The JWT Claim where the roles information is stored */ val rolesJwtClaim: String = "roles", diff --git a/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt b/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt index c52e95a46..df18cdcad 100644 --- a/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt +++ b/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt @@ -8,6 +8,7 @@ import com.cosmotech.common.exceptions.CsmClientException import com.cosmotech.common.exceptions.CsmResourceNotFoundException import com.cosmotech.common.rbac.model.RbacAccessControl import com.cosmotech.common.rbac.model.RbacSecurity +import com.cosmotech.common.utils.getCurrentAccountGroups import com.cosmotech.common.utils.getCurrentAccountIdentifier import org.slf4j.Logger import org.slf4j.LoggerFactory 
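Review bot: The new `groupJwtClaim` property makes every value of that claim an ACL principal, yet its KDoc says nothing about the form those values must take, and the default `"user_groups"` is not a claim an identity provider emits on its own — it has to come from a group-membership mapper, and depending on that mapper's settings the values may be full paths such as `/org/team` rather than bare names, which would then never match the ids administrators put in ACLs. That trust boundary belongs in the comment so deployers configure the mapper to match. Suggested KDoc: `/** The JWT claim holding the caller's group memberships. Each value is matched against the ids in a resource's access control list, so the identity provider must emit it in exactly the form used in ACLs. */`. The existing wording "groups information are stored" should also read `group information is stored`.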
@@ -71,7 +72,9 @@ open class CsmRbac( var userIsAdminOrHasPermission = this.isAdmin(rbacSecurity, rolesDefinition) if (!userIsAdminOrHasPermission) { val user = getCurrentAccountIdentifier(this.csmPlatformProperties) - userIsAdminOrHasPermission = this.verifyRbac(rbacSecurity, permission, rolesDefinition, user) + val groups = getCurrentAccountGroups(this.csmPlatformProperties) + userIsAdminOrHasPermission = + this.verifyRbac(rbacSecurity, permission, rolesDefinition, user, groups) } return userIsAdminOrHasPermission } @@ -173,19 +176,31 @@ open class CsmRbac( var isAdmin = this.isAdminToken(rbacSecurity) if (!isAdmin) { val user = getCurrentAccountIdentifier(this.csmPlatformProperties) - isAdmin = this.verifyAdminRole(rbacSecurity, user, rolesDefinition) + val groups = getCurrentAccountGroups(this.csmPlatformProperties) + isAdmin = this.verifyAdminRole(rbacSecurity, user, groups, rolesDefinition) } return isAdmin } internal fun verifyAdminRole( rbacSecurity: RbacSecurity, - user: String, + user: String?, + groups: List?, rolesDefinition: RolesDefinition ): Boolean { logger.debug("RBAC ${rbacSecurity.id} - Verifying if $user has default admin rbac role") - val isAdmin = this.getUserRole(rbacSecurity, user) == this.getAdminRole(rolesDefinition) - logger.debug("RBAC ${rbacSecurity.id} - $user has default admin rbac role: $isAdmin") + var isAdmin = false + groups?.forEach { + if (this.getUserRole(rbacSecurity, it) == this.getAdminRole(rolesDefinition)) { + isAdmin = true + } + } + if (user != null) { + if (this.getUserRole(rbacSecurity, user) == this.getAdminRole(rolesDefinition)) { + isAdmin = true + } + } + logger.debug("RBAC ${rbacSecurity.id} - $user have default admin rbac role: $isAdmin") return isAdmin } 
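Review bot: The new `groups` parameter is inserted in a different position in each signature: `verifyAdminRole(rbacSecurity, user, groups, rolesDefinition)` in the second hunk versus `verifyRbac(rbacSecurity, permission, rolesDefinition, user, groups)` in the first, so the two `internal` helpers take the same trailing data in opposite orders. Since both are `internal` and every call site is in this patch, aligning them now is cheap: `internal fun verifyAdminRole(rbacSecurity: RbacSecurity, rolesDefinition: RolesDefinition, user: String, groups: List<String>)` and `isAdmin = this.verifyAdminRole(rbacSecurity, rolesDefinition, user, groups)`. The debug line `$user have default admin rbac role` should read `has`.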
@@ -193,11 +208,22 @@ open class CsmRbac( rbacSecurity: RbacSecurity, permission: String, rolesDefinition: RolesDefinition, - user: String + user: String?, + groups: List? ): Boolean { logger.debug("RBAC ${rbacSecurity.id} - Verifying $user has permission in ACL: $permission") - val isAuthorized = - this.verifyPermissionFromRole(permission, getUserRole(rbacSecurity, user), rolesDefinition) + var isAuthorized = false + groups?.forEach { + if (this.verifyPermissionFromRole( + permission, getUserRole(rbacSecurity, it), rolesDefinition)) { + isAuthorized = true + } + } + if (user != null) { + if (this.verifyPermissionFromRole( + permission, getUserRole(rbacSecurity, user), rolesDefinition)) + isAuthorized = true + } logger.debug("RBAC ${rbacSecurity.id} - $user has permission $permission in ACL: $isAuthorized") return isAuthorized } @@ -219,10 +245,11 @@ open class CsmRbac( rbacSecurity: RbacSecurity, permission: String, rolesDefinition: RolesDefinition, - user: String + user: String?, + groups: List? ): Boolean { return (this.verifyDefault(rbacSecurity, permission, rolesDefinition) || - this.verifyUser(rbacSecurity, permission, rolesDefinition, user)) + this.verifyUser(rbacSecurity, permission, rolesDefinition, user, groups)) } internal fun verifyPermissionFromRole( diff --git a/common/src/main/kotlin/com/cosmotech/common/utils/SecurityUtils.kt b/common/src/main/kotlin/com/cosmotech/common/utils/SecurityUtils.kt index cf0074236..e75fc3a85 100644 --- a/common/src/main/kotlin/com/cosmotech/common/utils/SecurityUtils.kt +++ b/common/src/main/kotlin/com/cosmotech/common/utils/SecurityUtils.kt 
@@ -55,6 +55,14 @@ fun getCurrentAccountIdentifier(configuration: CsmPlatformProperties): String { } } +fun getCurrentAccountGroups(configuration: CsmPlatformProperties): List? { + val authentication = getCurrentAuthentication() + val jwt = (authentication as JwtAuthenticationToken).token.tokenValue + val jwtClaimsSet = JWTParser.parse(jwt).jwtClaimsSet + return jwtClaimsSet.getListClaim(configuration.authorization.groupJwtClaim).toList() + as List? +} + fun getCurrentAuthenticatedRoles(configuration: CsmPlatformProperties): List { return (getValueFromAuthenticatedToken(configuration) { try { diff --git a/common/src/test/kotlin/com/cosmotech/common/rbac/CsmRbacTests.kt b/common/src/test/kotlin/com/cosmotech/common/rbac/CsmRbacTests.kt index 8674d6a33..5f2ac874f 100644 --- a/common/src/test/kotlin/com/cosmotech/common/rbac/CsmRbacTests.kt +++ b/common/src/test/kotlin/com/cosmotech/common/rbac/CsmRbacTests.kt @@ -265,17 +265,18 @@ class CsmRbacTests { @Test fun `verify permission read for user writer OK`() { - assertTrue(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_READER)) + assertTrue(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_READER, emptyList())) } @Test fun `verify permission write for user writer KO`() { - assertFalse(rbac.verifyUser(rbacSecurity, PERM_WRITE, rolesDefinition, USER_READER)) + assertFalse( + rbac.verifyUser(rbacSecurity, PERM_WRITE, rolesDefinition, USER_READER, emptyList())) } @Test fun `verify permission read for user none KO`() { - assertFalse(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NONE)) + assertFalse(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NONE, emptyList())) } @Test 
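Review bot: `getCurrentAccountGroups` reaches into the security context with a hard cast, `(authentication as JwtAuthenticationToken).token.tokenValue`, and re-parses the raw token with `JWTParser`, whereas the sibling helper visible in the hunk's context, `getCurrentAuthenticatedRoles`, goes through `getValueFromAuthenticatedToken(configuration) { try { … } }`. Any authentication that is not a `JwtAuthenticationToken` therefore turns into a `ClassCastException` (a 500) here instead of whatever the shared helper does, and the claim-reading logic now exists in two forms. If `getValueFromAuthenticatedToken` already exposes the parsed claims (its body is outside the hunk), the new function should be written on top of it; otherwise at least guard the cast, e.g. `val jwt = (getCurrentAuthentication() as? JwtAuthenticationToken)?.token ?: return emptyList()`.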
@@ -291,13 +292,15 @@ class CsmRbacTests { @Test fun `add new reader user and verify read permission OK`() { rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) - assertTrue(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER)) + assertTrue( + rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `add new reader user and verify write permission KO`() { rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) - assertFalse(rbac.verifyUser(rbacSecurity, PERM_WRITE, rolesDefinition, USER_NEW_READER)) + assertFalse( + rbac.verifyUser(rbacSecurity, PERM_WRITE, rolesDefinition, USER_NEW_READER, emptyList())) } @Test @@ -326,7 +329,8 @@ class CsmRbacTests { val rbacSecurity = rbac.addUserRole( parentRbacSecurity, rbacSecurity, USER_IN_PARENT, USER_READER_ROLE, rolesDefinition) - assertTrue(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_IN_PARENT)) + assertTrue( + rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_IN_PARENT, emptyList())) } @Test @@ -336,7 +340,7 @@ class CsmRbacTests { val rbacSecurity = rbac.addUserRole( parentRbacSecurity, rbacSecurity, USER_NOTIN, USER_READER_ROLE, rolesDefinition) - assertTrue(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NOTIN)) + assertTrue(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NOTIN, emptyList())) } @Test @@ -345,7 +349,8 @@ class CsmRbacTests { rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) rbac.removeUser(rbacSecurity, USER_NEW_READER, rolesDefinition) - assertFalse(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER)) + assertFalse( + rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) } @Test 
@@ -354,7 +359,8 @@ class CsmRbacTests { rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) rbac.removeUser(rbacSecurity, USER_NEW_READER, rolesDefinition) - assertTrue(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER)) + assertTrue( + rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) } @Test 
@@ -363,36 +369,39 @@ class CsmRbacTests { rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) rbac.removeUser(rbacSecurity, USER_NEW_READER, rolesDefinition) - assertTrue(rbac.verifyUser(rbacSecurity, PERM_ADMIN, rolesDefinition, USER_NEW_READER)) + assertTrue( + rbac.verifyUser(rbacSecurity, PERM_ADMIN, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `update existing new user and verify write permission OK`() { rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_WRITER_ROLE, rolesDefinition) - assertTrue(rbac.verifyUser(rbacSecurity, PERM_WRITE, rolesDefinition, USER_NEW_READER)) + assertTrue( + rbac.verifyUser(rbacSecurity, PERM_WRITE, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `update existing new user and verify read permission OK`() { rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) - assertTrue(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER)) + assertTrue( + rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `user with no roles has default read permission`() { - assertTrue(rbac.verifyRbac(rbacSecurity, PERM_READ, rolesDefinition, USER_NONE)) + assertTrue(rbac.verifyRbac(rbacSecurity, PERM_READ, rolesDefinition, USER_NONE, emptyList())) } @Test fun `update default security to no roles and verify read OK for reader user`() { rbac.setDefault(rbacSecurity, USER_READER_ROLE, rolesDefinition) - assertTrue(rbac.verifyRbac(rbacSecurity, PERM_READ, rolesDefinition, USER_READER)) + assertTrue(rbac.verifyRbac(rbacSecurity, PERM_READ, rolesDefinition, USER_READER, emptyList())) } @Test fun `update default security to writer role and verify write OK for reader user`() { rbac.setDefault(rbacSecurity, USER_WRITER_ROLE, rolesDefinition) - assertTrue(rbac.verifyRbac(rbacSecurity, PERM_WRITE, rolesDefinition, USER_READER)) + assertTrue(rbac.verifyRbac(rbacSecurity, PERM_WRITE, rolesDefinition, USER_READER, 
emptyList())) } @Test @@ -529,14 +538,14 @@ class CsmRbacTests { fun `user has admin role`() { every { getCurrentAuthenticatedRoles(csmPlatformProperties) } returns listOf(ROLE_ORGANIZATION_USER) - assertTrue(rbac.verifyAdminRole(rbacSecurity, USER_ADMIN, rolesDefinition)) + assertTrue(rbac.verifyAdminRole(rbacSecurity, USER_ADMIN, emptyList(), rolesDefinition)) } @Test fun `user has not admin role`() { every { getCurrentAuthenticatedRoles(csmPlatformProperties) } returns listOf(ROLE_ORGANIZATION_USER) - assertFalse(rbac.verifyAdminRole(rbacSecurity, USER_READER, rolesDefinition)) + assertFalse(rbac.verifyAdminRole(rbacSecurity, USER_READER, emptyList(), rolesDefinition)) } @Test @@ -969,7 +978,8 @@ class CsmRbacTests { listOf(ROLE_ORGANIZATION_USER) every { getCurrentAccountIdentifier(csmPlatformProperties) } returns APP_REG_ID assertTrue( - rbac.verifyRbac(rbacSecurity, PERMISSION_READ, getCommonRolesDefinition(), APP_REG_ID)) + rbac.verifyRbac( + rbacSecurity, PERMISSION_READ, getCommonRolesDefinition(), APP_REG_ID, emptyList())) } @Test From 6d3257c5752223e692a7846f8ff232afeb8b5609 Mon Sep 17 00:00:00 2001 From: Leopold Cramer Date: Wed, 22 Oct 2025 17:26:18 +0200 Subject: [PATCH 2/5] remove optional from newly added groups to avoid null values --- .../main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt | 12 ++++++------ .../com/cosmotech/common/utils/SecurityUtils.kt | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt b/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt index df18cdcad..e5314a40d 100644 --- a/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt +++ b/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt 
@@ -208,18 +208,18 @@ open class CsmRbac( rbacSecurity: RbacSecurity, permission: String, rolesDefinition: RolesDefinition, - user: String?, - groups: List? + user: String, + groups: List ): Boolean { logger.debug("RBAC ${rbacSecurity.id} - Verifying $user has permission in ACL: $permission") var isAuthorized = false - groups?.forEach { + groups.forEach { if (this.verifyPermissionFromRole( permission, getUserRole(rbacSecurity, it), rolesDefinition)) { isAuthorized = true } } - if (user != null) { + if (user.isNotEmpty()) { if (this.verifyPermissionFromRole( permission, getUserRole(rbacSecurity, user), rolesDefinition)) isAuthorized = true @@ -245,8 +245,8 @@ open class CsmRbac( rbacSecurity: RbacSecurity, permission: String, rolesDefinition: RolesDefinition, - user: String?, - groups: List? + user: String, + groups: List ): Boolean { return (this.verifyDefault(rbacSecurity, permission, rolesDefinition) || this.verifyUser(rbacSecurity, permission, rolesDefinition, user, groups)) diff --git a/common/src/main/kotlin/com/cosmotech/common/utils/SecurityUtils.kt b/common/src/main/kotlin/com/cosmotech/common/utils/SecurityUtils.kt index e75fc3a85..6fa00bee5 100644 --- a/common/src/main/kotlin/com/cosmotech/common/utils/SecurityUtils.kt +++ b/common/src/main/kotlin/com/cosmotech/common/utils/SecurityUtils.kt @@ -55,12 +55,12 @@ fun getCurrentAccountIdentifier(configuration: CsmPlatformProperties): String { } } -fun getCurrentAccountGroups(configuration: CsmPlatformProperties): List? { +fun getCurrentAccountGroups(configuration: CsmPlatformProperties): List { val authentication = getCurrentAuthentication() val jwt = (authentication as JwtAuthenticationToken).token.tokenValue val jwtClaimsSet = JWTParser.parse(jwt).jwtClaimsSet return jwtClaimsSet.getListClaim(configuration.authorization.groupJwtClaim).toList() - as List? + as List } fun getCurrentAuthenticatedRoles(configuration: CsmPlatformProperties): List { 
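Review bot: Dropping the `?` from the return type of `getCurrentAccountGroups` does not remove the null: Nimbus' `getListClaim` returns null when the claim is absent from the token, so `.toList()` on that result throws a `NullPointerException` before the `as List` cast is reached, and every `check()` for a token without the group claim (a client-credentials token, or a tenant whose mapper is not configured) becomes a 500 rather than "no groups". The unchecked cast also admits non-string elements. Replace the last two lines with `return jwtClaimsSet.getStringListClaim(configuration.authorization.groupJwtClaim) ?: emptyList()`, which returns `List<String>`, validates element types, and treats a missing claim as an empty membership list. `getStringListClaim` throws `ParseException` when the claim is present but not a string array; that case should map to an authentication failure, not an unhandled exception.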
From 59ab262c3cb246de31346c2c9261f4530134b317 Mon Sep 17 00:00:00 2001 From: Leopold Cramer Date: Tue, 28 Oct 2025 11:09:56 +0100 Subject: [PATCH 3/5] feat: add PR feedbacks + fix broken tests + add new edge case tests for keycloak groups --- .../com/cosmotech/common/rbac/CsmRbac.kt | 160 +++++++++--------- .../com/cosmotech/common/rbac/CsmRbacTests.kt | 128 +++++++++----- .../service/DatasetServiceIntegrationTest.kt | 3 + .../dataset/service/DatasetServiceRBACTest.kt | 43 ++--- .../dataset/service/DatasetServiceImpl.kt | 11 +- .../OrganizationServiceIntegrationTest.kt | 6 + .../service/OrganizationServiceRBACTest.kt | 25 +-- .../service/OrganizationServiceImpl.kt | 10 +- .../service/OrganizationServiceImplTests.kt | 10 +- .../run/service/RunServiceIntegrationTest.kt | 3 + .../service/RunnerServiceIntegrationTest.kt | 5 +- .../runner/service/RunnerServiceRBACTest.kt | 149 ++++++++-------- .../cosmotech/runner/service/RunnerService.kt | 8 +- .../service/SolutionServiceIntegrationTest.kt | 3 + .../service/SolutionServiceRBACTest.kt | 85 +++++----- .../solution/service/SolutionServiceImpl.kt | 10 +- .../WorkspaceServiceIntegrationTest.kt | 3 + .../service/WorkspaceServiceRBACTest.kt | 75 ++++---- .../workspace/service/WorkspaceServiceImpl.kt | 12 +- .../service/WorkspaceServiceImplTests.kt | 4 + 20 files changed, 420 insertions(+), 333 deletions(-) diff --git a/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt b/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt index e5314a40d..cd16aaa36 100644 --- a/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt +++ b/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt 
@@ -30,19 +30,20 @@ open class CsmRbac( val accessControls = mutableListOf() objectSecurity.accessControlList.forEach { if (accessControls.contains(it.id)) { - throw IllegalArgumentException("User ${it.id} is referenced multiple times in the security") + throw IllegalArgumentException( + "Entity ${it.id} is referenced multiple times in the security") } accessControls.add(it.id) } // Make sure we have at least one admin if (!objectSecurity.accessControlList.any { it.role == ROLE_ADMIN }) { - val currentUserId = getCurrentAccountIdentifier(csmPlatformProperties) - val currentUserACL = objectSecurity.accessControlList.find { it.id == currentUserId } - if (currentUserACL != null) { - currentUserACL.role = ROLE_ADMIN + val currentEntityId = getCurrentAccountIdentifier(csmPlatformProperties) + val currentEntityACL = objectSecurity.accessControlList.find { it.id == currentEntityId } + if (currentEntityACL != null) { + currentEntityACL.role = ROLE_ADMIN } else { - objectSecurity.accessControlList.add(RbacAccessControl(currentUserId, ROLE_ADMIN)) + objectSecurity.accessControlList.add(RbacAccessControl(currentEntityId, ROLE_ADMIN)) } } @@ -56,7 +57,7 @@ open class CsmRbac( ) { if (!this.check(rbacSecurity, permission, rolesDefinition)) throw CsmAccessForbiddenException( - "RBAC ${rbacSecurity.id} - User does not have permission $permission") + "RBAC ${rbacSecurity.id} - Entity does not have permission $permission") } fun check( 
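Review bot: The duplicate-entry guard in the first hunk compares ids exactly, `accessControls.contains(it.id)`, while the lookups that grant roles elsewhere in this patch compare `it.id.lowercase()`, so an ACL holding both `Admin@x` and `admin@x` passes validation and then resolves to whichever entry happens to be first. With group names now sharing this id space the collision surface grows. Make the validator use the same key as the lookups: `val accessControls = mutableSetOf<String>()` and `if (!accessControls.add(it.id.lowercase())) throw IllegalArgumentException("Entity ${it.id} is referenced multiple times in the security")`. The enclosing function starts before this hunk.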
@@ -64,19 +65,19 @@ open class CsmRbac( permission: String, rolesDefinition: RolesDefinition = getCommonRolesDefinition() ): Boolean { - logger.info("RBAC ${rbacSecurity.id} - Verifying permission $permission for user") + logger.info("RBAC ${rbacSecurity.id} - Verifying permission $permission for entity") if (!this.csmPlatformProperties.rbac.enabled) { logger.debug("RBAC ${rbacSecurity.id} - RBAC check not enabled") return true } - var userIsAdminOrHasPermission = this.isAdmin(rbacSecurity, rolesDefinition) - if (!userIsAdminOrHasPermission) { - val user = getCurrentAccountIdentifier(this.csmPlatformProperties) + var entityIsAdminOrHasPermission = this.isAdmin(rbacSecurity, rolesDefinition) + if (!entityIsAdminOrHasPermission) { + val entity = getCurrentAccountIdentifier(this.csmPlatformProperties) val groups = getCurrentAccountGroups(this.csmPlatformProperties) - userIsAdminOrHasPermission = - this.verifyRbac(rbacSecurity, permission, rolesDefinition, user, groups) + entityIsAdminOrHasPermission = + this.verifyRbac(rbacSecurity, permission, rolesDefinition, entity, groups) } - return userIsAdminOrHasPermission + return entityIsAdminOrHasPermission } fun setDefault( 
@@ -92,33 +93,35 @@ open class CsmRbac( return rbacSecurity } - fun addUserRole( + fun addEntityRole( parentRbacSecurity: RbacSecurity, rbacSecurity: RbacSecurity, - userId: String, + entityId: String, role: String, rolesDefinition: RolesDefinition = getCommonRolesDefinition() ): RbacSecurity { if (!isAdmin(rbacSecurity, rolesDefinition)) { - this.checkUserExists( + this.checkEntityExists( parentRbacSecurity, - userId, - "User $userId not found in parent ${parentRbacSecurity.id} component") + entityId, + "Entity $entityId not found in parent ${parentRbacSecurity.id} component") } - return setUserRole(rbacSecurity, userId, role, rolesDefinition) + return setEntityRole(rbacSecurity, entityId, role, rolesDefinition) } - fun setUserRole( + fun setEntityRole( rbacSecurity: RbacSecurity, - userId: String, + entityId: String, role: String, rolesDefinition: RolesDefinition = getCommonRolesDefinition() ): RbacSecurity { - logger.info("RBAC ${rbacSecurity.id} - Setting user $userId roles") + logger.info("RBAC ${rbacSecurity.id} - Setting entity $entityId roles") this.verifyRoleOrThrow(rbacSecurity, role, rolesDefinition) val currentACLRole = - rbacSecurity.accessControlList.firstOrNull { it.id.lowercase() == userId.lowercase() }?.role + rbacSecurity.accessControlList + .firstOrNull { it.id.lowercase() == entityId.lowercase() } + ?.role val adminRole = this.getAdminRole(rolesDefinition) if (currentACLRole == adminRole && role != adminRole && 
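Review bot: `addEntityRole` and `setEntityRole` are public API and now accept either a user identifier or a group name as `entityId`, but nothing in the hunk documents that both live in one ACL namespace and are indistinguishable once stored, nor that the non-admin path of `addEntityRole` only checks the parent ACL for that same id. A KDoc on `setEntityRole` should state that `entityId` is either the value of the configured mail/application-id claim or one value of the groups claim, that the two kinds share a single id space in the ACL (a group named like a user id resolves to the same entry), and that the lookup of an existing entry is case-insensitive. A one-line `@param entityId` on `addEntityRole` pointing to that KDoc would cover the other entry point.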
@@ -127,48 +130,48 @@ open class CsmRbac( "RBAC ${rbacSecurity.id} - It is forbidden to unset the last administrator") } val accessList = rbacSecurity.accessControlList - val userAccess = accessList.find { it.id == userId } - if (userAccess == null) { - accessList.add(RbacAccessControl(userId, role)) + val entityAccess = accessList.find { it.id == entityId } + if (entityAccess == null) { + accessList.add(RbacAccessControl(entityId, role)) } else { - userAccess.role = role + entityAccess.role = role } return rbacSecurity } - fun getUsers(rbacSecurity: RbacSecurity): List { + fun getEntities(rbacSecurity: RbacSecurity): List { return (rbacSecurity.accessControlList.map { it.id }) } - fun getAccessControl(rbacSecurity: RbacSecurity, userId: String): RbacAccessControl { - return rbacSecurity.accessControlList.find { it.id == userId } + fun getAccessControl(rbacSecurity: RbacSecurity, entityId: String): RbacAccessControl { + return rbacSecurity.accessControlList.find { it.id == entityId } ?: throw CsmResourceNotFoundException( - "User $userId not found in ${rbacSecurity.id} component") + "Entity $entityId not found in ${rbacSecurity.id} component") } - fun checkUserExists( + fun checkEntityExists( rbacSecurity: RbacSecurity, - userId: String, - exceptionUserNotFoundMessage: String + entityId: String, + exceptionEntityNotFoundMessage: String ): RbacAccessControl { - return rbacSecurity.accessControlList.find { it.id == userId } - ?: throw CsmResourceNotFoundException(exceptionUserNotFoundMessage) + return rbacSecurity.accessControlList.find { it.id == entityId } + ?: throw CsmResourceNotFoundException(exceptionEntityNotFoundMessage) } - fun removeUser( + fun removeEntity( rbacSecurity: RbacSecurity, - userId: String, + entityId: String, rolesDefinition: RolesDefinition = getCommonRolesDefinition() ): RbacSecurity { - logger.info("RBAC ${rbacSecurity.id} - Removing user $userId from security") - checkUserExists(rbacSecurity, userId, "User $userId not found") - val role = 
this.getUserRole(rbacSecurity, userId) + logger.info("RBAC ${rbacSecurity.id} - Removing entity $entityId from security") + checkEntityExists(rbacSecurity, entityId, "Entity $entityId not found") + val role = this.getEntityRole(rbacSecurity, entityId) if (role == (this.getAdminRole(rolesDefinition)) && this.getAdminCount(rbacSecurity, rolesDefinition) == 1) { throw CsmAccessForbiddenException( "RBAC ${rbacSecurity.id} - It is forbidden to remove the last administrator") } - rbacSecurity.accessControlList.removeIf { it.id == userId } + rbacSecurity.accessControlList.removeIf { it.id == entityId } return rbacSecurity } 
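Review bot: `setEntityRole` decides whether it is demoting the last administrator with a case-insensitive lookup (`it.id.lowercase() == entityId.lowercase()`, just above this hunk), but then locates the entry to update with an exact match, `accessList.find { it.id == entityId }`, so calling it with an id that differs only in case from an existing entry appends a second entry instead of updating the first; `getEntityRole` takes the first case-insensitive match, so the newly granted role is silently shadowed by the old one. `removeEntity` has the same split: `checkEntityExists` and `removeIf` match exactly while `getEntityRole` does not. Use one rule, e.g. `val entityAccess = accessList.find { it.id.equals(entityId, ignoreCase = true) }` and `rbacSecurity.accessControlList.removeIf { it.id.equals(entityId, ignoreCase = true) }`. `setEntityRole` starts before this hunk.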
@@ -184,47 +187,46 @@ open class CsmRbac( internal fun verifyAdminRole( rbacSecurity: RbacSecurity, - user: String?, - groups: List?, + user: String, + groups: List, rolesDefinition: RolesDefinition ): Boolean { logger.debug("RBAC ${rbacSecurity.id} - Verifying if $user has default admin rbac role") - var isAdmin = false - groups?.forEach { - if (this.getUserRole(rbacSecurity, it) == this.getAdminRole(rolesDefinition)) { - isAdmin = true - } - } - if (user != null) { - if (this.getUserRole(rbacSecurity, user) == this.getAdminRole(rolesDefinition)) { - isAdmin = true - } - } - logger.debug("RBAC ${rbacSecurity.id} - $user have default admin rbac role: $isAdmin") + val isAdmin = + if (rbacSecurity.accessControlList.any() { it.id == user }) { + this.getEntityRole(rbacSecurity, user) == this.getAdminRole(rolesDefinition) + } else { + groups.any { + this.getEntityRole(rbacSecurity, it) == this.getAdminRole(rolesDefinition) + } || + this.getEntityRole(rbacSecurity, rbacSecurity.default) == + this.getAdminRole(rolesDefinition) + } + logger.debug("RBAC ${rbacSecurity.id} - $user has default admin rbac role: $isAdmin") return isAdmin } - internal fun verifyUser( + internal fun verifyEntity( rbacSecurity: RbacSecurity, permission: String, rolesDefinition: RolesDefinition, user: String, groups: List ): Boolean { - logger.debug("RBAC ${rbacSecurity.id} - Verifying $user has permission in ACL: $permission") - var isAuthorized = false - groups.forEach { - if (this.verifyPermissionFromRole( - permission, getUserRole(rbacSecurity, it), rolesDefinition)) { - isAuthorized = true - } - } - if (user.isNotEmpty()) { - if (this.verifyPermissionFromRole( - permission, getUserRole(rbacSecurity, user), rolesDefinition)) - isAuthorized = true - } - logger.debug("RBAC ${rbacSecurity.id} - $user has permission $permission in ACL: $isAuthorized") + logger.debug( + "RBAC ${rbacSecurity.id} - Verifying $user or one of $groups has permission in ACL: $permission") + val isAuthorized = + if 
(rbacSecurity.accessControlList.any() { it.id == user }) { + verifyPermissionFromRole(permission, getEntityRole(rbacSecurity, user), rolesDefinition) + } else { + groups.any { + verifyPermissionFromRole(permission, getEntityRole(rbacSecurity, it), rolesDefinition) + } || + verifyPermissionFromRole( + permission, getEntityRole(rbacSecurity, rbacSecurity.default), rolesDefinition) + } + logger.debug( + "RBAC ${rbacSecurity.id} - $user or one of $groups has permission $permission in ACL: $isAuthorized") return isAuthorized } @@ -249,7 +251,7 @@ open class CsmRbac( groups: List ): Boolean { return (this.verifyDefault(rbacSecurity, permission, rolesDefinition) || - this.verifyUser(rbacSecurity, permission, rolesDefinition, user, groups)) + this.verifyEntity(rbacSecurity, permission, rolesDefinition, user, groups)) } internal fun verifyPermissionFromRole( @@ -268,9 +270,9 @@ open class CsmRbac( return rolesDefinition[role] ?: listOf() } - internal fun getUserRole(rbacSecurity: RbacSecurity, user: String): String { + internal fun getEntityRole(rbacSecurity: RbacSecurity, entity: String): String { return rbacSecurity.accessControlList - .firstOrNull { it.id.lowercase() == user.lowercase() } + .firstOrNull { it.id.lowercase() == entity.lowercase() } ?.role ?: rbacSecurity.default } @@ -290,8 +292,8 @@ open class CsmRbac( throw CsmClientException("RBAC ${rbacSecurity.id} - Role $role does not exist") } - internal fun verifyPermission(permission: String, userPermissions: List): Boolean { - return userPermissions.contains(permission) + internal fun verifyPermission(permission: String, entityPermissions: List): Boolean { + return entityPermissions.contains(permission) } internal fun verifyPermissionFromRoles( 
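Review bot: The new precedence rule — an explicit entry for the user wins over group memberships — is keyed on a case-sensitive test, `accessControlList.any() { it.id == user }`, while the role it then reads comes from `getEntityRole`, which matches `it.id.lowercase()`. A user whose ACL entry differs in case from the token identifier is reported as "not in the ACL", falls through to the group branch, and can obtain admin from a group even though an administrator explicitly restricted that user; the same pattern is repeated in `verifyEntity`. Separately, the fallback `getEntityRole(rbacSecurity, rbacSecurity.default)` passes a role name where an entity id is expected; it only works because no ACL entry is normally named `none`/`reader`/`admin`, and `rbacSecurity.default` is what is meant. The default branch is also already covered by `verifyDefault` in `verifyRbac`, so it is redundant there. Rewritten decision logic for both functions (logging and signatures unchanged):
```kotlin
// … unchanged: verifyAdminRole signature and opening debug log …
  val adminRole = this.getAdminRole(rolesDefinition)
  // Same matching rule as getEntityRole: an explicit entry for the user, case-insensitively.
  val hasOwnEntry = rbacSecurity.accessControlList.any { it.id.equals(user, ignoreCase = true) }
  val isAdmin =
      if (hasOwnEntry) {
        this.getEntityRole(rbacSecurity, user) == adminRole
      } else {
        groups.any { this.getEntityRole(rbacSecurity, it) == adminRole } ||
            rbacSecurity.default == adminRole
      }
// … unchanged: closing debug log and return …

// … unchanged: verifyEntity signature and opening debug log …
  val hasOwnEntry = rbacSecurity.accessControlList.any { it.id.equals(user, ignoreCase = true) }
  val isAuthorized =
      if (hasOwnEntry) {
        verifyPermissionFromRole(permission, getEntityRole(rbacSecurity, user), rolesDefinition)
      } else {
        groups.any {
          verifyPermissionFromRole(permission, getEntityRole(rbacSecurity, it), rolesDefinition)
        } || verifyPermissionFromRole(permission, rbacSecurity.default, rolesDefinition)
      }
// … unchanged: closing debug log and return …
```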
@@ -303,9 +305,9 @@ open class CsmRbac( } internal fun isAdminToken(rbacSecurity: RbacSecurity): Boolean { - logger.debug("RBAC ${rbacSecurity.id} - Verifying if user has platform admin role in token") + logger.debug("RBAC ${rbacSecurity.id} - Verifying if entity has platform admin role in token") val isAdmin = csmAdmin.verifyCurrentRolesAdmin() - logger.debug("RBAC ${rbacSecurity.id} - user has platform admin role in token: $isAdmin") + logger.debug("RBAC ${rbacSecurity.id} - entity has platform admin role in token: $isAdmin") return isAdmin } diff --git a/common/src/test/kotlin/com/cosmotech/common/rbac/CsmRbacTests.kt b/common/src/test/kotlin/com/cosmotech/common/rbac/CsmRbacTests.kt index 5f2ac874f..f96ce0e8d 100644 --- a/common/src/test/kotlin/com/cosmotech/common/rbac/CsmRbacTests.kt +++ b/common/src/test/kotlin/com/cosmotech/common/rbac/CsmRbacTests.kt @@ -46,6 +46,12 @@ const val USER_ADMIN_2 = "usertestadmin2@cosmotech.com" const val USER_NOTIN = "usertestnotin@cosmotech.com" const val USER_MAIL_TOKEN = "john.doe@cosmotech.com" +const val GROUP_NONE = "group_none" +const val GROUP_READER = "group_reader" +const val GROUP_USER = "group_user" +const val GROUP_EDITOR = "group_editor" +const val GROUP_ADMIN = "group_admin" + const val USER_NEW_READER = "usertestnew@cosmotech.com" const val APP_REG_ID = "f6fbd519-9a53-4c6b-aabb-dfre52s16742" @@ -99,6 +105,7 @@ class CsmRbacTests { every { csmPlatformProperties.rbac.enabled } answers { true } every { csmPlatformProperties.authorization.rolesJwtClaim } answers { "roles" } every { csmPlatformProperties.authorization.mailJwtClaim } answers { "upn" } + every { csmPlatformProperties.authorization.groupJwtClaim } answers { "user_groups" } every { csmPlatformProperties.authorization.applicationIdJwtClaim } answers { "oid" } every { csmPlatformProperties.identityProvider } answers { DEFAULT_IDENTITY_PROVIDER } rolesDefinition = 
@@ -146,6 +153,8 @@ class CsmRbacTests { mockkStatic(::getCurrentAuthenticatedRoles) every { getCurrentAccountIdentifier(csmPlatformProperties) } returns USER_NOTIN + every { getCurrentAccountGroups(csmPlatformProperties) } returns + listOf(GROUP_NONE, GROUP_READER, GROUP_USER, GROUP_EDITOR, GROUP_ADMIN) } @Test @@ -255,28 +264,29 @@ class CsmRbacTests { @Test fun `find role for user from resource security`() { - assertEquals(ROLE_READER, rbac.getUserRole(rbacSecurity, USER_READER)) + assertEquals(ROLE_READER, rbac.getEntityRole(rbacSecurity, USER_READER)) } @Test fun `find roles for admin from resource security`() { - assertEquals(ROLE_ADMIN, rbac.getUserRole(rbacSecurity, USER_ADMIN)) + assertEquals(ROLE_ADMIN, rbac.getEntityRole(rbacSecurity, USER_ADMIN)) } @Test fun `verify permission read for user writer OK`() { - assertTrue(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_READER, emptyList())) + assertTrue( + rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_READER, emptyList())) } @Test fun `verify permission write for user writer KO`() { assertFalse( - rbac.verifyUser(rbacSecurity, PERM_WRITE, rolesDefinition, USER_READER, emptyList())) + rbac.verifyEntity(rbacSecurity, PERM_WRITE, rolesDefinition, USER_READER, emptyList())) } @Test fun `verify permission read for user none KO`() { - assertFalse(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NONE, emptyList())) + assertFalse(rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_NONE, emptyList())) } @Test 
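Review bot: The fixture now mocks `getCurrentAccountGroups` to return every group including `GROUP_ADMIN` for all tests, while the current account is mocked as `USER_NOTIN`, i.e. a user with no entry of its own — exactly the case where the new code consults group memberships. If the shared `rbacSecurity` fixture (set up outside this hunk) grants `GROUP_ADMIN` the admin role, every test that goes through `check()` or `isAdmin()` succeeds via the group path and the negative cases stop proving anything about user-level denial. Safer default: `every { getCurrentAccountGroups(csmPlatformProperties) } returns emptyList()` here, with the membership list overridden inside the new group-specific tests only.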
@@ -291,22 +301,22 @@ class CsmRbacTests { @Test fun `add new reader user and verify read permission OK`() { - rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) + rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) assertTrue( - rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `add new reader user and verify write permission KO`() { - rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) + rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) assertFalse( - rbac.verifyUser(rbacSecurity, PERM_WRITE, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyEntity(rbacSecurity, PERM_WRITE, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `adding a user with role none throws exception`() { assertThrows { - rbac.setUserRole(rbacSecurity, USER_NEW_READER, ROLE_NONE, rolesDefinition) + rbac.setEntityRole(rbacSecurity, USER_NEW_READER, ROLE_NONE, rolesDefinition) } } @@ -316,7 +326,7 @@ class CsmRbacTests { every { getCurrentAuthenticatedRoles(csmPlatformProperties) } returns listOf(ROLE_ORGANIZATION_USER) assertThrows { - rbac.addUserRole( + rbac.addEntityRole( parentRbacSecurity, rbacSecurity, USER_NOTIN, USER_READER_ROLE, rolesDefinition) } } @@ -327,10 +337,10 @@ class CsmRbacTests { every { getCurrentAuthenticatedRoles(csmPlatformProperties) } returns listOf(ROLE_ORGANIZATION_USER) val rbacSecurity = - rbac.addUserRole( + rbac.addEntityRole( parentRbacSecurity, rbacSecurity, USER_IN_PARENT, USER_READER_ROLE, rolesDefinition) assertTrue( - rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_IN_PARENT, emptyList())) + rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_IN_PARENT, emptyList())) } @Test 
@@ -338,53 +348,53 @@ class CsmRbacTests { every { getCurrentAuthenticatedRoles(csmPlatformProperties) } returns listOf(ROLE_PLATFORM_ADMIN) val rbacSecurity = - rbac.addUserRole( + rbac.addEntityRole( parentRbacSecurity, rbacSecurity, USER_NOTIN, USER_READER_ROLE, rolesDefinition) - assertTrue(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NOTIN, emptyList())) + assertTrue(rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_NOTIN, emptyList())) } @Test fun `remove new reader user and verify read permission KO with default none`() { rbacSecurity = RbacSecurity(COMPONENT_ID, ROLE_NONE, mutableListOf()) - rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) - rbac.removeUser(rbacSecurity, USER_NEW_READER, rolesDefinition) + rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) + rbac.removeEntity(rbacSecurity, USER_NEW_READER, rolesDefinition) assertFalse( - rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `remove new reader user and verify read permission OK with default reader`() { rbacSecurity = RbacSecurity(COMPONENT_ID, ROLE_READER, mutableListOf()) - rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) - rbac.removeUser(rbacSecurity, USER_NEW_READER, rolesDefinition) + rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) + rbac.removeEntity(rbacSecurity, USER_NEW_READER, rolesDefinition) assertTrue( - rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `remove new reader user and verify read permission OK with default admin`() { rbacSecurity = RbacSecurity(COMPONENT_ID, ROLE_ADMIN, mutableListOf()) - rbac.setUserRole(rbacSecurity, 
USER_NEW_READER, USER_READER_ROLE, rolesDefinition) - rbac.removeUser(rbacSecurity, USER_NEW_READER, rolesDefinition) + rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) + rbac.removeEntity(rbacSecurity, USER_NEW_READER, rolesDefinition) assertTrue( - rbac.verifyUser(rbacSecurity, PERM_ADMIN, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyEntity(rbacSecurity, PERM_ADMIN, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `update existing new user and verify write permission OK`() { - rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_WRITER_ROLE, rolesDefinition) + rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_WRITER_ROLE, rolesDefinition) assertTrue( - rbac.verifyUser(rbacSecurity, PERM_WRITE, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyEntity(rbacSecurity, PERM_WRITE, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `update existing new user and verify read permission OK`() { - rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) + rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) assertTrue( - rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) } @Test 
@@ -578,37 +588,37 @@ class CsmRbacTests { @Test fun `get count of users with new admin role`() { - rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_ADMIN_ROLE, rolesDefinition) + rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_ADMIN_ROLE, rolesDefinition) assertEquals(2, rbac.getAdminCount(rbacSecurity, rolesDefinition)) } @Test fun `throw exception if last admin deleted`() { assertThrows { - rbac.removeUser(rbacSecurity, USER_ADMIN, rolesDefinition) + rbac.removeEntity(rbacSecurity, USER_ADMIN, rolesDefinition) } } @Test fun `throw exception if last admin from two is deleted`() { - rbac.setUserRole(rbacSecurity, USER_NEW_READER, USER_ADMIN_ROLE, rolesDefinition) - rbac.removeUser(rbacSecurity, USER_NEW_READER, rolesDefinition) + rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_ADMIN_ROLE, rolesDefinition) + rbac.removeEntity(rbacSecurity, USER_NEW_READER, rolesDefinition) assertThrows { - rbac.removeUser(rbacSecurity, USER_ADMIN, rolesDefinition) + rbac.removeEntity(rbacSecurity, USER_ADMIN, rolesDefinition) } } @Test fun `throw exception if last admin removed from setRole`() { assertThrows { - rbac.setUserRole(rbacSecurity, USER_ADMIN, USER_READER_ROLE, rolesDefinition) + rbac.setEntityRole(rbacSecurity, USER_ADMIN, USER_READER_ROLE, rolesDefinition) } } @Test fun `throw exception if role does not exist with setRole`() { assertThrows { - rbac.setUserRole(rbacSecurity, USER_READER, ROLE_NOTIN, rolesDefinition) + rbac.setEntityRole(rbacSecurity, USER_READER, ROLE_NOTIN, rolesDefinition) } } @@ -616,7 +626,7 @@ class CsmRbacTests { fun `get user list`() { assertEquals( listOf(USER_WRITER, USER_READER, USER_NONE, USER_ADMIN, USER_MAIL_TOKEN, APP_REG_ID), - rbac.getUsers(rbacSecurity)) + rbac.getEntities(rbacSecurity)) } @Test 
@@ -688,7 +698,7 @@ class CsmRbacTests { val customRolePermissions = listOf(PERMISSION_READ, customPermission) definition.permissions.put(customRole, customRolePermissions) val rbacTest = CsmRbac(csmPlatformProperties, admin) - rbacTest.setUserRole(rbacSecurity, USER_NEW_READER, customRole, definition) + rbacTest.setEntityRole(rbacSecurity, USER_NEW_READER, customRole, definition) every { getCurrentAuthenticatedRoles(csmPlatformProperties) } returns listOf(ROLE_ORGANIZATION_USER) every { getCurrentAccountIdentifier(csmPlatformProperties) } returns USER_NEW_READER @@ -700,7 +710,7 @@ class CsmRbacTests { fun `can add resource id and resource security in a second step`() { val definition = getCommonRolesDefinition() val rbacTest = CsmRbac(csmPlatformProperties, admin) - rbacTest.setUserRole(rbacSecurity, USER_READER, ROLE_VIEWER, definition) + rbacTest.setEntityRole(rbacSecurity, USER_READER, ROLE_VIEWER, definition) every { getCurrentAuthenticatedRoles(csmPlatformProperties) } returns listOf(ROLE_ORGANIZATION_USER) every { getCurrentAccountIdentifier(csmPlatformProperties) } returns USER_READER @@ -720,7 +730,7 @@ class CsmRbacTests { mutableListOf( RbacAccessControl(id = "test.user@test.com", role = ROLE_ADMIN))) val newUserId = "whatever.user@test.com" - rbac.setUserRole(rbacDefinition, newUserId, role, getCommonRolesDefinition()) + rbac.setEntityRole(rbacDefinition, newUserId, role, getCommonRolesDefinition()) assertTrue(rbacDefinition.accessControlList.size == 2) assertTrue( rbacDefinition.accessControlList.contains( 
@@ -743,14 +753,14 @@ class CsmRbacTests { if (shouldThrows) { val assertThrows = assertThrows { - rbac.setUserRole(rbacDefinition, userId, role, getCommonRolesDefinition()) + rbac.setEntityRole(rbacDefinition, userId, role, getCommonRolesDefinition()) } assertEquals( "RBAC ${rbacDefinition.id} - It is forbidden to unset the last administrator", assertThrows.message) } else { assertDoesNotThrow { - rbac.setUserRole(rbacDefinition, userId, role, getCommonRolesDefinition()) + rbac.setEntityRole(rbacDefinition, userId, role, getCommonRolesDefinition()) assertTrue(rbacDefinition.accessControlList.size == 1) assertTrue( rbacDefinition.accessControlList.contains( @@ -774,7 +784,7 @@ class CsmRbacTests { mutableListOf(RbacAccessControl(id = userId, role = ROLE_ADMIN))) val assertThrows = assertThrows { - rbac.removeUser(rbacDefinition, userId, getCommonRolesDefinition()) + rbac.removeEntity(rbacDefinition, userId, getCommonRolesDefinition()) } assertEquals( "RBAC ${rbacDefinition.id} - It is forbidden to remove the last administrator", @@ -797,7 +807,7 @@ class CsmRbacTests { RbacAccessControl(id = USER_ADMIN, role = ROLE_ADMIN), RbacAccessControl(id = userId, role = role))) assertDoesNotThrow { - rbac.removeUser(rbacDefinition, userId, getCommonRolesDefinition()) + rbac.removeEntity(rbacDefinition, userId, getCommonRolesDefinition()) assertTrue(rbacDefinition.accessControlList.size == 1) assertTrue( rbacDefinition.accessControlList.contains( @@ -928,7 +938,7 @@ class CsmRbacTests { @Test fun `when removing throw 404 if user not exists`() { - assertThrows { rbac.removeUser(rbacSecurity, USER_NOTIN) } + assertThrows { rbac.removeEntity(rbacSecurity, USER_NOTIN) } } @Test 
@@ -1031,4 +1041,34 @@ class CsmRbacTests { RbacAccessControl(USER_NOTIN, ROLE_ADMIN))), security) } + + @Test + fun `user with multiple group permissions use the highest one`() { + every { getCurrentAuthenticatedRoles(csmPlatformProperties) } returns + listOf(ROLE_ORGANIZATION_USER) + rbacSecurity = + RbacSecurity( + COMPONENT_ID, + ROLE_NONE, + mutableListOf( + RbacAccessControl(GROUP_ADMIN, ROLE_ADMIN), + RbacAccessControl(GROUP_EDITOR, ROLE_EDITOR), + RbacAccessControl(GROUP_READER, ROLE_READER), + RbacAccessControl(GROUP_NONE, ROLE_NONE))) + assertTrue(rbac.check(rbacSecurity, PERMISSION_WRITE_SECURITY, getCommonRolesDefinition())) + } + + @Test + fun `user with both groups and mail permissions use the more precise one`() { + every { getCurrentAuthenticatedRoles(csmPlatformProperties) } returns + listOf(ROLE_ORGANIZATION_USER) + rbacSecurity = + RbacSecurity( + COMPONENT_ID, + ROLE_NONE, + mutableListOf( + RbacAccessControl(GROUP_EDITOR, ROLE_EDITOR), + RbacAccessControl(USER_NOTIN, ROLE_NONE))) + assertFalse(rbac.check(rbacSecurity, PERMISSION_READ, getCommonRolesDefinition())) + } } diff --git a/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt b/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt index 086f8eb72..200f64b1d 100644 --- a/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt +++ b/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt 
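Review bot: The precedence test only pairs the explicit `RbacAccessControl(USER_NOTIN, ROLE_NONE)` with a non-admin group, so it does not pin whether an explicit user ROLE_NONE also wins over a group that grants ROLE_ADMIN; if admin status is resolved on a separate path before the per-entity role lookup, that case could behave differently from what the test name promises. Add a sibling test with `RbacAccessControl(GROUP_ADMIN, ROLE_ADMIN)` in place of GROUP_EDITOR and `assertFalse(rbac.check(rbacSecurity, PERMISSION_READ, getCommonRolesDefinition()))`. The first test would likewise benefit from a negative counterpart (drop the GROUP_ADMIN entry, expect PERMISSION_WRITE_SECURITY denied) so that "highest one" is demonstrated rather than merely "an admin group grants". Both tests depend on the group list stubbed in setUp outside this hunk; stubbing it locally would make the intent explicit.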
@@ -11,6 +11,7 @@ import com.cosmotech.common.rbac.ROLE_EDITOR import com.cosmotech.common.rbac.ROLE_NONE import com.cosmotech.common.rbac.ROLE_USER import com.cosmotech.common.tests.CsmTestBase +import com.cosmotech.common.utils.getCurrentAccountGroups import com.cosmotech.common.utils.getCurrentAccountIdentifier import com.cosmotech.common.utils.getCurrentAuthenticatedRoles import com.cosmotech.common.utils.getCurrentAuthenticatedUserName @@ -95,6 +96,7 @@ class DatasetServiceIntegrationTest() : CsmTestBase() { val UNALLOWED_MIME_TYPE_SOURCE_FILE_NAME = "wrong_mimetype.yaml" val INVENTORY_SOURCE_FILE_NAME = "product_inventory.csv" val WRONG_ORIGINAL_FILE_NAME = "../../wrong_name_pattern.csv" + val defaultGroup = listOf("myTestGroup") private val logger = LoggerFactory.getLogger(DatasetServiceIntegrationTest::class.java) @@ -119,6 +121,7 @@ class DatasetServiceIntegrationTest() : CsmTestBase() { fun setUp() { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER + every { getCurrentAccountGroups(any()) } returns defaultGroup every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf("user") diff --git a/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt b/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt index 615f9bb65..35c86f876 100644 --- a/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt +++ b/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt 
@@ -16,6 +16,7 @@ import com.cosmotech.common.rbac.ROLE_NONE import com.cosmotech.common.rbac.ROLE_USER import com.cosmotech.common.rbac.ROLE_VIEWER import com.cosmotech.common.tests.CsmTestBase +import com.cosmotech.common.utils.getCurrentAccountGroups import com.cosmotech.common.utils.getCurrentAccountIdentifier import com.cosmotech.common.utils.getCurrentAuthenticatedRoles import com.cosmotech.common.utils.getCurrentAuthenticatedUserName @@ -85,6 +86,7 @@ class DatasetServiceRBACTest : CsmTestBase() { val CONNECTED_ADMIN_USER = "test.admin@cosmotech.com" val CONNECTED_DEFAULT_USER = "test.user@cosmotech.com" val CUSTOMER_SOURCE_FILE_NAME = "customers.csv" + val defaultGroup = listOf("myTestGroup") private val logger = LoggerFactory.getLogger(DatasetServiceIntegrationTest::class.java) @@ -110,6 +112,7 @@ class DatasetServiceRBACTest : CsmTestBase() { fun setUp() { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER + every { getCurrentAccountGroups(any()) } returns defaultGroup every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf("user") @@ -180,7 +183,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, datasetCreated.id) } assertEquals( - "RBAC ${datasetCreated.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetCreated.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -228,7 +231,7 @@ class DatasetServiceRBACTest : CsmTestBase() { DatasetAccessControl("NewUser", role)) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { 
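Review bot: `every { getCurrentAccountGroups(any()) } returns defaultGroup` gives the caller a single group, `myTestGroup`, that no access-control fixture visible in this hunk references, so the parameterized RBAC cases below still grant roles only through user ids and the new group-based resolution is never reached at the service level. At least one case should grant the role via `DatasetAccessControl("myTestGroup", role)` instead of the connected user and run the same expectations. The setUp method continues outside the hunk, so a fixture there may already do this; worth checking before merging.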
@@ -272,7 +275,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, listOf(), null, null) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -317,7 +320,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, datasetSaved.id) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_DELETE", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_DELETE", exception.message) } else { assertDoesNotThrow { @@ -365,7 +368,7 @@ class DatasetServiceRBACTest : CsmTestBase() { CONNECTED_DEFAULT_USER) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -424,7 +427,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, dataset, mockMultipartFiles) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_CREATE_CHILDREN", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_CREATE_CHILDREN", exception.message) } else { assertDoesNotThrow { @@ -473,7 +476,7 @@ class DatasetServiceRBACTest : CsmTestBase() { CONNECTED_DEFAULT_USER) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { 
@@ -521,7 +524,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, datasetSaved.id) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -565,7 +568,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, null, null) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -631,7 +634,7 @@ class DatasetServiceRBACTest : CsmTestBase() { arrayOf()) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -685,7 +688,7 @@ class DatasetServiceRBACTest : CsmTestBase() { null) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -739,7 +742,7 @@ class DatasetServiceRBACTest : CsmTestBase() { DatasetRole(role)) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -791,7 +794,7 @@ class DatasetServiceRBACTest : CsmTestBase() { DatasetRole(role)) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { 
@@ -855,7 +858,7 @@ class DatasetServiceRBACTest : CsmTestBase() { makeDatasetPartCreateRequest()) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -922,7 +925,7 @@ class DatasetServiceRBACTest : CsmTestBase() { datasetSaved.parts[0].id) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -988,7 +991,7 @@ class DatasetServiceRBACTest : CsmTestBase() { datasetSaved.parts[0].id) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1054,7 +1057,7 @@ class DatasetServiceRBACTest : CsmTestBase() { datasetSaved.parts[0].id) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1117,7 +1120,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, datasetSaved.id, null, null) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1182,7 +1185,7 @@ class DatasetServiceRBACTest : CsmTestBase() { makeDatasetPartUpdateRequest()) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { 
@@ -1251,7 +1254,7 @@ class DatasetServiceRBACTest : CsmTestBase() { makeDatasetPartUpdateRequest()) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { diff --git a/dataset/src/main/kotlin/com/cosmotech/dataset/service/DatasetServiceImpl.kt b/dataset/src/main/kotlin/com/cosmotech/dataset/service/DatasetServiceImpl.kt index 0719624b3..23c1cdd87 100644 --- a/dataset/src/main/kotlin/com/cosmotech/dataset/service/DatasetServiceImpl.kt +++ b/dataset/src/main/kotlin/com/cosmotech/dataset/service/DatasetServiceImpl.kt @@ -121,7 +121,7 @@ class DatasetServiceImpl( require(!users.contains(datasetAccessControl.id)) { "User is already in this Dataset security" } val rbacSecurity = - csmRbac.setUserRole( + csmRbac.setEntityRole( dataset.security.toGenericSecurity(datasetId), datasetAccessControl.id, datasetAccessControl.role) @@ -227,7 +227,7 @@ class DatasetServiceImpl( val dataset = getVerifiedDataset(organizationId, workspaceId, datasetId, PERMISSION_READ_SECURITY) - return csmRbac.getUsers(dataset.security.toGenericSecurity(datasetId)) + return csmRbac.getEntities(dataset.security.toGenericSecurity(datasetId)) } override fun listDatasets( @@ -285,7 +285,8 @@ class DatasetServiceImpl( val dataset = getVerifiedDataset(organizationId, workspaceId, datasetId, PERMISSION_WRITE_SECURITY) - val rbacSecurity = csmRbac.removeUser(dataset.security.toGenericSecurity(datasetId), identityId) + val rbacSecurity = + csmRbac.removeEntity(dataset.security.toGenericSecurity(datasetId), identityId) dataset.security = rbacSecurity.toResourceSecurity() save(dataset) } 
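Review bot: `require(!users.contains(datasetAccessControl.id)) { "User is already in this Dataset security" }` keeps a user-only wording and local name although the id may now be a Keycloak group; the RBAC permission messages in this commit were reworded to "Entity", so this one should follow, e.g. `"Identity is already in this Dataset security"`. Relatedly, the listing method now returns `csmRbac.getEntities(...)`, so group names and user identifiers come back mixed in one `List<String>` that callers cannot tell apart; a KDoc line stating that group identifiers are included would avoid surprises for API consumers. The enclosing methods begin outside the hunks.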
@@ -373,12 +374,12 @@ class DatasetServiceImpl( val dataset = getVerifiedDataset(organizationId, workspaceId, datasetId, PERMISSION_WRITE_SECURITY) - csmRbac.checkUserExists( + csmRbac.checkEntityExists( dataset.security.toGenericSecurity(datasetId), identityId, "User '$identityId' not found in dataset $datasetId") val rbacSecurity = - csmRbac.setUserRole( + csmRbac.setEntityRole( dataset.security.toGenericSecurity(datasetId), identityId, datasetRole.role) dataset.security = rbacSecurity.toResourceSecurity() save(dataset) diff --git a/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceIntegrationTest.kt b/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceIntegrationTest.kt index a1189a00c..e021c7e97 100644 --- a/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceIntegrationTest.kt +++ b/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceIntegrationTest.kt @@ -23,6 +23,7 @@ import com.cosmotech.common.rbac.ROLE_VIEWER import com.cosmotech.common.security.ROLE_ORGANIZATION_USER import com.cosmotech.common.security.ROLE_PLATFORM_ADMIN import com.cosmotech.common.tests.CsmTestBase +import com.cosmotech.common.utils.getCurrentAccountGroups import com.cosmotech.common.utils.getCurrentAccountIdentifier import com.cosmotech.common.utils.getCurrentAuthenticatedRoles import com.cosmotech.common.utils.getCurrentAuthenticatedUserName @@ -84,6 +85,7 @@ class OrganizationServiceIntegrationTest : CsmTestBase() { var startTime: Long = 0 val defaultName = "my.account-tester@cosmotech.com" + val defaultGroup = listOf("myTestGroup") @BeforeAll fun globalSetup() { 
@@ -94,6 +96,7 @@ class OrganizationServiceIntegrationTest : CsmTestBase() { fun setUp() { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns defaultName + every { getCurrentAccountGroups(any()) } returns defaultGroup every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "my.account-tester" every { getCurrentAuthenticatedRoles(any()) } returns listOf() rediSearchIndexer.createIndexFor(Organization::class.java) @@ -2229,6 +2232,7 @@ class OrganizationServiceIntegrationTest : CsmTestBase() { mockkStatic(::getCurrentAuthentication) every { getCurrentAuthentication() } returns mockk() every { getCurrentAccountIdentifier(any()) } returns TEST_USER_ID + every { getCurrentAccountGroups(any()) } returns defaultGroup every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf(ROLE_ORGANIZATION_USER) } @@ -2238,6 +2242,7 @@ class OrganizationServiceIntegrationTest : CsmTestBase() { mockkStatic(::getCurrentAuthentication) every { getCurrentAuthentication() } returns mockk() every { getCurrentAccountIdentifier(any()) } returns TEST_ADMIN_USER_ID + every { getCurrentAccountGroups(any()) } returns defaultGroup every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.admin" every { getCurrentAuthenticatedRoles(any()) } returns listOf(ROLE_PLATFORM_ADMIN) } @@ -2245,6 +2250,7 @@ class OrganizationServiceIntegrationTest : CsmTestBase() { /** Run a test with different Organization.User */ private fun runAsDifferentOrganizationUser() { every { getCurrentAccountIdentifier(any()) } returns OTHER_TEST_USER_ID + every { getCurrentAccountGroups(any()) } returns defaultGroup every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.other.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf(ROLE_ORGANIZATION_USER) } 
diff --git a/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceRBACTest.kt b/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceRBACTest.kt index f21a53040..53d10320e 100644 --- a/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceRBACTest.kt +++ b/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceRBACTest.kt @@ -16,6 +16,7 @@ import com.cosmotech.common.rbac.ROLE_USER import com.cosmotech.common.rbac.ROLE_VALIDATOR import com.cosmotech.common.rbac.ROLE_VIEWER import com.cosmotech.common.tests.CsmTestBase +import com.cosmotech.common.utils.getCurrentAccountGroups import com.cosmotech.common.utils.getCurrentAccountIdentifier import com.cosmotech.common.utils.getCurrentAuthenticatedRoles import com.cosmotech.common.utils.getCurrentAuthenticatedUserName @@ -54,6 +55,7 @@ import org.springframework.test.context.junit4.SpringRunner class OrganizationServiceRBACTest : CsmTestBase() { val CONNECTED_ADMIN_USER = "test.admin@cosmotech.com" val TEST_USER_MAIL = "testuser@mail.fr" + val defaultGroup = listOf("myTestGroup") // NEEDED: recreate indexes in redis @Autowired lateinit var rediSearchIndexer: RediSearchIndexer @@ -69,6 +71,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { fun setUp() { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns TEST_USER_MAIL + every { getCurrentAccountGroups(any()) } returns defaultGroup every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "my.account-tester" every { getCurrentAuthenticatedRoles(any()) } returns listOf() rediSearchIndexer.createIndexFor(Organization::class.java) 
@@ -117,7 +120,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organizationApiService.getOrganization(organization.id) } assertEquals( - "RBAC ${organization.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organization.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { organizationApiService.getOrganization(organization.id) } @@ -147,7 +150,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organizationApiService.deleteOrganization(organization.id) } assertEquals( - "RBAC ${organization.id} - User does not have permission $PERMISSION_DELETE", + "RBAC ${organization.id} - Entity does not have permission $PERMISSION_DELETE", exception.message) } else { assertDoesNotThrow { organizationApiService.deleteOrganization(organization.id) } @@ -178,7 +181,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organization.id, OrganizationUpdateRequest("name")) } assertEquals( - "RBAC ${organization.id} - User does not have permission $PERMISSION_WRITE", + "RBAC ${organization.id} - Entity does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -211,7 +214,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organizationApiService.getOrganizationPermissions(organization.id, role) } assertEquals( - "RBAC ${organization.id} - User does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${organization.id} - Entity does not have permission $PERMISSION_READ_SECURITY", exception.message) } else assertDoesNotThrow { @@ -242,7 +245,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organizationApiService.getOrganizationSecurity(organization.id) } assertEquals( - "RBAC ${organization.id} - User does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${organization.id} - Entity does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { 
@@ -275,7 +278,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organization.id, OrganizationRole(role)) } assertEquals( - "RBAC ${organization.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${organization.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -309,7 +312,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organization.id, OrganizationAccessControl("id", role)) } assertEquals( - "RBAC ${organization.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${organization.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -343,7 +346,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organization.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${organization.id} - User does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${organization.id} - Entity does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -377,7 +380,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organization.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${organization.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${organization.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -411,7 +414,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organization.id, TEST_USER_MAIL, OrganizationRole(role)) } assertEquals( - "RBAC ${organization.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${organization.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { 
@@ -444,7 +447,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organizationApiService.listOrganizationSecurityUsers(organization.id) } assertEquals( - "RBAC ${organization.id} - User does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${organization.id} - Entity does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { diff --git a/organization/src/main/kotlin/com/cosmotech/organization/service/OrganizationServiceImpl.kt b/organization/src/main/kotlin/com/cosmotech/organization/service/OrganizationServiceImpl.kt index b131912f7..55cef6800 100644 --- a/organization/src/main/kotlin/com/cosmotech/organization/service/OrganizationServiceImpl.kt +++ b/organization/src/main/kotlin/com/cosmotech/organization/service/OrganizationServiceImpl.kt @@ -184,7 +184,7 @@ class OrganizationServiceImpl( } val rbacSecurity = - csmRbac.setUserRole( + csmRbac.setEntityRole( organization.security.toGenericSecurity(organizationId), organizationAccessControl.id, organizationAccessControl.role) @@ -202,12 +202,12 @@ class OrganizationServiceImpl( organizationRole: OrganizationRole ): OrganizationAccessControl { val organization = getVerifiedOrganization(organizationId, PERMISSION_WRITE_SECURITY) - csmRbac.checkUserExists( + csmRbac.checkEntityExists( organization.security.toGenericSecurity(organizationId), identityId, "User '$identityId' not found in organization $organizationId") val rbacSecurity = - csmRbac.setUserRole( + csmRbac.setEntityRole( organization.security.toGenericSecurity(organizationId), identityId, organizationRole.role) 
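Review bot: The not-found message passed to `checkEntityExists`, `"User '$identityId' not found in organization $organizationId"`, still assumes the identity is a user, while `identityId` can now be a group name. Since the RBAC permission errors in this commit were reworded to "Entity", align this one as well, e.g. `"Identity '$identityId' not found in organization $organizationId"`. The enclosing method begins before the hunk.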
@@ -222,14 +222,14 @@ class OrganizationServiceImpl( override fun deleteOrganizationAccessControl(organizationId: String, identityId: String) { val organization = getVerifiedOrganization(organizationId, PERMISSION_WRITE_SECURITY) val rbacSecurity = - csmRbac.removeUser(organization.security.toGenericSecurity(organizationId), identityId) + csmRbac.removeEntity(organization.security.toGenericSecurity(organizationId), identityId) organization.security = rbacSecurity.toResourceSecurity() save(organization) } override fun listOrganizationSecurityUsers(organizationId: String): List { val organization = getVerifiedOrganization(organizationId, PERMISSION_READ_SECURITY) - return csmRbac.getUsers(organization.security.toGenericSecurity(organizationId)) + return csmRbac.getEntities(organization.security.toGenericSecurity(organizationId)) } override fun getVerifiedOrganization( diff --git a/organization/src/test/kotlin/com/cosmotech/organization/service/OrganizationServiceImplTests.kt b/organization/src/test/kotlin/com/cosmotech/organization/service/OrganizationServiceImplTests.kt index 1127e900a..8bec4350a 100644 --- a/organization/src/test/kotlin/com/cosmotech/organization/service/OrganizationServiceImplTests.kt +++ b/organization/src/test/kotlin/com/cosmotech/organization/service/OrganizationServiceImplTests.kt @@ -16,6 +16,7 @@ import com.cosmotech.common.rbac.ROLE_VALIDATOR import com.cosmotech.common.rbac.ROLE_VIEWER import com.cosmotech.common.rbac.model.RbacAccessControl import com.cosmotech.common.rbac.model.RbacSecurity +import com.cosmotech.common.utils.getCurrentAccountGroups import com.cosmotech.common.utils.getCurrentAccountIdentifier import com.cosmotech.common.utils.getCurrentAuthenticatedRoles import com.cosmotech.common.utils.getCurrentAuthenticatedUserName 
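Review bot: `listOrganizationSecurityUsers` now returns `csmRbac.getEntities(...)`, so the response mixes Keycloak group names with user identifiers while the method name and return type still say "users". Unless the API contract is updated elsewhere, add a KDoc note on the method such as `/** Returns every identity in the ACL, including group names; callers cannot distinguish them from user ids. */`, or expose the identity kind alongside the id. `deleteOrganizationAccessControl` is fully visible in this hunk; `getVerifiedOrganization` starts at its end and is not reviewable here.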
@@ -50,6 +51,8 @@ const val USER_ID = "bob@mycompany.com" @ExtendWith(MockKExtension::class) class OrganizationServiceImplTests { + val defaultGroup = listOf("myTestGroup") + @Suppress("unused") @MockK private var eventPublisher: CsmEventPublisher = mockk(relaxed = true) @Suppress("unused") @@ -67,6 +70,7 @@ class OrganizationServiceImplTests { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns USER_ID + every { getCurrentAccountGroups(any()) } returns defaultGroup every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "my.account-tester" every { getCurrentAuthenticatedRoles(any()) } returns listOf() @@ -85,8 +89,8 @@ class OrganizationServiceImplTests { val rbacAccessControl = RbacAccessControl(USER_ID, ROLE_ADMIN) every { organizationRepository.findByIdOrNull(any()) } returns organization every { csmRbac.verify(any(), any()) } returns Unit - every { csmRbac.checkUserExists(any(), any(), any()) } returns rbacAccessControl - every { csmRbac.setUserRole(any(), any(), any()) } returns rbacSecurity + every { csmRbac.checkEntityExists(any(), any(), any()) } returns rbacAccessControl + every { csmRbac.setEntityRole(any(), any(), any()) } returns rbacSecurity assertEquals(organization.security.default, rbacSecurity.default) assertEquals( @@ -108,7 +112,7 @@ class OrganizationServiceImplTests { val organization = getMockOrganization() every { organizationRepository.findByIdOrNull(any()) } returns organization every { csmRbac.verify(any(), any()) } returns Unit - every { csmRbac.checkUserExists(any(), any(), any()) } throws + every { csmRbac.checkEntityExists(any(), any(), any()) } throws mockk() val organizationRole = OrganizationRole(role = ROLE_VIEWER) assertThrows { diff --git a/run/src/integrationTest/kotlin/com/cosmotech/run/service/RunServiceIntegrationTest.kt b/run/src/integrationTest/kotlin/com/cosmotech/run/service/RunServiceIntegrationTest.kt index b987b7383..7c20921ac 100644 
--- a/run/src/integrationTest/kotlin/com/cosmotech/run/service/RunServiceIntegrationTest.kt +++ b/run/src/integrationTest/kotlin/com/cosmotech/run/service/RunServiceIntegrationTest.kt @@ -8,6 +8,7 @@ import com.cosmotech.common.events.RunStart import com.cosmotech.common.rbac.ROLE_ADMIN import com.cosmotech.common.rbac.ROLE_NONE import com.cosmotech.common.tests.CsmTestBase +import com.cosmotech.common.utils.getCurrentAccountGroups import com.cosmotech.common.utils.getCurrentAccountIdentifier import com.cosmotech.common.utils.getCurrentAuthenticatedRoles import com.cosmotech.common.utils.getCurrentAuthenticatedUserName @@ -81,6 +82,7 @@ class RunServiceIntegrationTest : CsmTestBase() { val CONNECTED_ADMIN_USER = "test.admin@cosmotech.com" val CONNECTED_READER_USER = "test.user@cosmotech.com" + val defaultGroup = listOf("myTestGroup") private val logger = LoggerFactory.getLogger(RunServiceIntegrationTest::class.java) @MockK(relaxed = true) private lateinit var containerFactory: RunContainerFactory @@ -113,6 +115,7 @@ class RunServiceIntegrationTest : CsmTestBase() { fun setUp() { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER + every { getCurrentAccountGroups(any()) } returns defaultGroup every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf("user") diff --git a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt index 4bb614b17..f820710f4 100644 --- a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt +++ b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt 
@@ -19,6 +19,7 @@ import com.cosmotech.common.rbac.ROLE_VIEWER import com.cosmotech.common.security.ROLE_ORGANIZATION_USER import com.cosmotech.common.security.ROLE_PLATFORM_ADMIN import com.cosmotech.common.tests.CsmTestBase +import com.cosmotech.common.utils.getCurrentAccountGroups import com.cosmotech.common.utils.getCurrentAccountIdentifier import com.cosmotech.common.utils.getCurrentAuthenticatedRoles import com.cosmotech.common.utils.getCurrentAuthenticatedUserName @@ -91,6 +92,7 @@ class RunnerServiceIntegrationTest : CsmTestBase() { val TEST_USER_MAIL = "fake@mail.fr" val CUSTOMERS_FILE_NAME = "customers.csv" val CUSTOMERS_5_LINES_FILE_NAME = "customers_5_lines.csv" + val defaultGroup = listOf("myTestGroup") private val logger = LoggerFactory.getLogger(RunnerServiceIntegrationTest::class.java) private val defaultName = "my.account-tester@cosmotech.com" @@ -142,6 +144,7 @@ class RunnerServiceIntegrationTest : CsmTestBase() { every { containerRegistryService.getImageLabel(any(), any(), any()) } returns null mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER + every { getCurrentAccountGroups(any()) } returns defaultGroup every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf(ROLE_ORGANIZATION_USER) @@ -929,7 +932,7 @@ class RunnerServiceIntegrationTest : CsmTestBase() { datasetApiService.getDatasetAccessControl( organizationSaved.id, workspaceSaved.id, retrievedDataset.id, "id") } - assertEquals("User id not found in ${retrievedDataset.id} component", exception.message) + assertEquals("Entity id not found in ${retrievedDataset.id} component", exception.message) } @Test diff --git a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt index b85e3a3f7..4b3ba7b6d 100644 
--- a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt +++ b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt @@ -18,6 +18,7 @@ import com.cosmotech.common.rbac.ROLE_USER import com.cosmotech.common.rbac.ROLE_VALIDATOR import com.cosmotech.common.rbac.ROLE_VIEWER import com.cosmotech.common.tests.CsmTestBase +import com.cosmotech.common.utils.getCurrentAccountGroups import com.cosmotech.common.utils.getCurrentAccountIdentifier import com.cosmotech.common.utils.getCurrentAuthenticatedRoles import com.cosmotech.common.utils.getCurrentAuthenticatedUserName @@ -82,6 +83,7 @@ class RunnerServiceRBACTest : CsmTestBase() { val CONNECTED_ADMIN_USER = "test.admin@cosmotech.com" val TEST_USER_MAIL = "testuser@mail.fr" + val defaultGroup = listOf("myTestGroup") @Autowired lateinit var rediSearchIndexer: RediSearchIndexer @Autowired lateinit var organizationApiService: OrganizationApiServiceInterface @@ -97,6 +99,7 @@ class RunnerServiceRBACTest : CsmTestBase() { fun setUp() { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER + every { getCurrentAccountGroups(any()) } returns defaultGroup every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf() @@ -157,7 +160,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, null, null) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
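Review bot: The new `every { getCurrentAccountGroups(any()) } returns defaultGroup` mock puts the caller in `myTestGroup` for every test in this class, but nothing in the visible hunks ever grants `myTestGroup` a role, so the group path this patch introduces — in particular a group holding `ROLE_ADMIN` — appears to be unexercised here. A test that assigns `ROLE_ADMIN` (and separately `ROLE_NONE`) to `myTestGroup` while the user's own entry is absent, and asserts the expected grant or denial, would pin the new behaviour; a case with an empty groups list would cover the default path. The expected-message edits in the remaining hunks of this file only rename `User` to `Entity` and add no such coverage.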
@@ -209,7 +212,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, null, null) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -262,7 +265,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, null, null) } assertEquals( - "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -316,7 +319,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, null, null) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -368,7 +371,7 @@ class RunnerServiceRBACTest : CsmTestBase() { runnerApiService.createRunner(organizationSaved.id, workspaceSaved.id, runner) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -422,11 +425,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE || role == ROLE_VALIDATOR) { assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } } else { 
@@ -480,7 +483,7 @@ class RunnerServiceRBACTest : CsmTestBase() { runnerApiService.createRunner(organizationSaved.id, workspaceSaved.id, runner) } assertEquals( - "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -534,11 +537,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_VALIDATOR || role == ROLE_NONE) { assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_CREATE_CHILDREN", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_CREATE_CHILDREN", exception.message) } } else { @@ -593,7 +596,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -649,7 +652,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -705,7 +708,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -761,7 +764,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -816,7 +819,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -871,7 +874,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -927,7 +930,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -983,7 +986,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -1039,7 +1042,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1094,11 +1097,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE) { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_DELETE", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_DELETE", exception.message) } } else { @@ -1157,7 +1160,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerUpdateRequest(datasetList = mutableListOf(datasetSaved.id))) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1219,7 +1222,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerUpdateRequest(datasetList = mutableListOf(datasetSaved.id))) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1281,7 +1284,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerUpdateRequest(datasetList = mutableListOf(datasetSaved.id))) } assertEquals( - "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -1343,7 +1346,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerUpdateRequest(datasetList = mutableListOf(datasetSaved.id))) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1405,11 +1408,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE) { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_WRITE", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_WRITE", exception.message) } } else { @@ -1468,7 +1471,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id, role) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1524,7 +1527,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id, role) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1580,7 +1583,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id, role) } assertEquals( - "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -1636,7 +1639,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id, role) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1692,11 +1695,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE) { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", exception.message) } } else { @@ -1752,7 +1755,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1808,7 +1811,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1864,7 +1867,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -1920,7 +1923,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1976,11 +1979,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE) { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", exception.message) } } else { @@ -2039,7 +2042,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerRole(ROLE_ADMIN)) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -2101,7 +2104,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerRole(ROLE_ADMIN)) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -2163,7 +2166,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerRole(ROLE_ADMIN)) } assertEquals( - "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -2225,7 +2228,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerRole(ROLE_ADMIN)) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -2287,11 +2290,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE) { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } } else { @@ -2353,7 +2356,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerAccessControl("id", ROLE_ADMIN)) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -2538,7 +2541,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerAccessControl("id", ROLE_ADMIN)) } assertEquals( - "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -2600,7 +2603,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerAccessControl("id", ROLE_ADMIN)) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -2662,11 +2665,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE) { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } } else { @@ -2725,7 +2728,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -2781,7 +2784,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -2837,7 +2840,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -2893,7 +2896,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -2949,11 +2952,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE) { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", exception.message) } } else { @@ -3009,7 +3012,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -3110,7 +3113,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -3166,7 +3169,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -3222,11 +3225,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE) { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } } else { @@ -3286,7 +3289,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerRole(ROLE_VIEWER)) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -3350,7 +3353,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerRole(ROLE_VIEWER)) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -3414,7 +3417,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerRole(ROLE_VIEWER)) } assertEquals( - "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -3478,7 +3481,7 @@ class RunnerServiceRBACTest : CsmTestBase() { RunnerRole(ROLE_VIEWER)) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -3542,11 +3545,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE) { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } } else { @@ -3606,7 +3609,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -3662,7 +3665,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -3718,7 +3721,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -3774,7 +3777,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -3830,11 +3833,11 @@ class RunnerServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ_SECURITY",
+ "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY",
 exception.message)
 }
 } else {
diff --git a/runner/src/main/kotlin/com/cosmotech/runner/service/RunnerService.kt b/runner/src/main/kotlin/com/cosmotech/runner/service/RunnerService.kt
index 57bcaa534..a792525a0 100644
--- a/runner/src/main/kotlin/com/cosmotech/runner/service/RunnerService.kt
+++ b/runner/src/main/kotlin/com/cosmotech/runner/service/RunnerService.kt
@@ -681,7 +681,7 @@ class RunnerService(
 // create a rbacSecurity object from runner Rbac by adding user with id and role in
 // runnerAccessControl
 val rbacSecurity =
- csmRbac.setUserRole(
+ csmRbac.setEntityRole(
 this.runner.getRbac(),
 runnerAccessControl.id,
 runnerAccessControl.role,
@@ -709,14 +709,14 @@ class RunnerService(
 fun deleteAccessControlFor(userId: String) {
 // create a rbacSecurity object from runner Rbac by removing user
- val rbacSecurity = csmRbac.removeUser(this.getRbacSecurity(), userId, this.roleDefinition)
+ val rbacSecurity = csmRbac.removeEntity(this.getRbacSecurity(), userId, this.roleDefinition)
 this.setRbacSecurity(rbacSecurity)
 this.removeAccessControlToDatasetParameter(userId)
 }
 fun checkUserExists(userId: String) {
- csmRbac.checkUserExists(
+ csmRbac.checkEntityExists(
 runner.getRbac(), userId, "User '$userId' not found in runner ${runner.id}")
 }
@@ -862,7 +862,7 @@ class RunnerService(
 }
 fun getUsers(): List {
- return csmRbac.getUsers(this.getRbacSecurity())
+ return csmRbac.getEntities(this.getRbacSecurity())
 }
 fun setDefaultSecurity(role: String) {
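Review bot: `getUsers()` in the `@@ -862` hunk now returns `csmRbac.getEntities(...)`, i.e. every identifier holding a role on the runner, which after this change can be a group name as well as a user id (CsmRbac resolves roles for group names the same way it does for the account id), yet the method name, the `userId` parameters of `deleteAccessControlFor`/`checkUserExists`, the comment `// create a rbacSecurity object from runner Rbac by removing user` and the message `"User '$userId' not found in runner ${runner.id}"` in the `@@ -709` hunk still say "user". A caller that treats each returned or passed id as an account (for lookup, notification, or the cascade `this.removeAccessControlToDatasetParameter(userId)`, if that helper expects an account id) will mishandle group entries, and the same naming survives in SolutionServiceImpl's `checkEntityExists(...)` message `"User '$identityId' not found in solution $solutionId"` and in `listSolutionSecurityUsers`, which also returns `getEntities(...)`. I would add a KDoc on `getUsers`: `/** Returns every entity id granted a role on this runner — user identifiers and group names alike; callers must not assume each entry is a user account. */` and align the not-found text with the new permission messages, `"Entity '$userId' not found in runner ${runner.id}"`. The enclosing `RunnerService` class and the function containing the `@@ -681` hunk start outside the hunk.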
diff --git a/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceIntegrationTest.kt b/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceIntegrationTest.kt
index 0072e6a54..c83d45814 100644
--- a/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceIntegrationTest.kt
+++ b/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceIntegrationTest.kt
@@ -13,6 +13,7 @@ import com.cosmotech.common.rbac.ROLE_USER
 import com.cosmotech.common.rbac.ROLE_VIEWER
 import com.cosmotech.common.security.ROLE_PLATFORM_ADMIN
 import com.cosmotech.common.tests.CsmTestBase
+import com.cosmotech.common.utils.getCurrentAccountGroups
 import com.cosmotech.common.utils.getCurrentAccountIdentifier
 import com.cosmotech.common.utils.getCurrentAuthenticatedRoles
 import com.cosmotech.common.utils.getCurrentAuthenticatedUserName
@@ -64,6 +65,7 @@ class SolutionServiceIntegrationTest : CsmTestBase() {
 private val logger = LoggerFactory.getLogger(SolutionServiceIntegrationTest::class.java)
 val fileName = "test_solution_file.txt"
+ val defaultGroup = listOf("myTestGroup")
 @Autowired lateinit var rediSearchIndexer: RediSearchIndexer
 @Autowired lateinit var organizationApiService: OrganizationApiServiceInterface
@@ -87,6 +89,7 @@ class SolutionServiceIntegrationTest : CsmTestBase() {
 solutionApiService, "containerRegistryService", containerRegistryService)
 every { containerRegistryService.getImageLabel(any(), any(), any()) } returns null
 every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
+ every { getCurrentAccountGroups(any()) } returns defaultGroup
 every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user"
 every { getCurrentAuthenticatedRoles(any()) } returns listOf("user")
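Review bot: The stub `every { getCurrentAccountGroups(any()) } returns defaultGroup` in the `@@ -87` hunk makes every caller in this class a member of `"myTestGroup"`, but none of the visible hunks grant a role to that group, so the new group branch of the RBAC check (a role resolved from a group name rather than from the account id) is, as far as this diff shows, never exercised; the identical stub and `val defaultGroup = listOf("myTestGroup")` are repeated in SolutionServiceRBACTest, WorkspaceServiceIntegrationTest and WorkspaceServiceRBACTest. Add at least one test that assigns a role to `defaultGroup.first()` on a resource and asserts that a caller whose account id holds no role obtains exactly that role, and one asserting that an empty group list (`returns emptyList()`) still denies. Since the value and the `mockkStatic` setup are the same in all four classes, hoisting `defaultGroup` and the stub into `CsmTestBase` would keep a later change to the claim handling covered in one place. The enclosing `setUp` begins before the hunk.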
diff --git a/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt b/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt
index 0041a37f0..d0cb30dd4 100644
--- a/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt
+++ b/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt
@@ -18,6 +18,7 @@ import com.cosmotech.common.rbac.ROLE_USER
 import com.cosmotech.common.rbac.ROLE_VIEWER
 import com.cosmotech.common.tests.CsmTestBase
 import com.cosmotech.common.utils.ResourceScanner
+import com.cosmotech.common.utils.getCurrentAccountGroups
 import com.cosmotech.common.utils.getCurrentAccountIdentifier
 import com.cosmotech.common.utils.getCurrentAuthenticatedRoles
 import com.cosmotech.common.utils.getCurrentAuthenticatedUserName
@@ -60,6 +61,7 @@ import org.springframework.test.util.ReflectionTestUtils
 class SolutionServiceRBACTest : CsmTestBase() {
 val TEST_USER_MAIL = "testuser@mail.fr"
+ val defaultGroup = listOf("myTestGroup")
 @Autowired lateinit var rediSearchIndexer: RediSearchIndexer
@@ -88,6 +90,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService, "containerRegistryService", containerRegistryService)
 every { containerRegistryService.getImageLabel(any(), any(), any()) } returns null
 every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
+ every { getCurrentAccountGroups(any()) } returns defaultGroup
 every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user"
 every { getCurrentAuthenticatedRoles(any()) } returns listOf("user")
@@ -121,7 +124,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService.getSolution(organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -158,7 +161,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService.getSolution(organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -194,7 +197,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService.listSolutions(organizationSaved.id, null, null)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -230,7 +233,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_CREATE_CHILDREN",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_CREATE_CHILDREN",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -266,7 +269,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService.deleteSolution(organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -304,7 +307,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_DELETE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_DELETE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -345,7 +348,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, solutionUpdateRequest)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -388,7 +391,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -428,7 +431,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 SolutionAccessControl("user", ROLE_USER))
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -471,7 +474,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -511,7 +514,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, TEST_USER_MAIL)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -550,7 +553,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ_SECURITY",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -588,7 +591,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -627,7 +630,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ_SECURITY",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -665,7 +668,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, TEST_USER_MAIL)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -704,7 +707,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -745,7 +748,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 SolutionRole(ROLE_USER))
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -789,7 +792,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 SolutionRole(ROLE_USER))
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -830,7 +833,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "runTemplate")
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -869,7 +872,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "runTemplate")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -909,7 +912,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "runTemplate", runTemplate)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -950,7 +953,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "runTemplate", runTemplate)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -988,7 +991,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService.getSolutionSecurity(organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1026,7 +1029,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ_SECURITY",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1065,7 +1068,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, SolutionRole(ROLE_VIEWER))
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1105,7 +1108,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1144,7 +1147,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1182,7 +1185,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "parameter")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1224,7 +1227,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, parameterToCreate)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1265,7 +1268,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "parameter", parameterToUpdate)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1304,7 +1307,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "parameter")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1343,7 +1346,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1382,7 +1385,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "group")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1423,7 +1426,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, parameterGroupToCreate)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1465,7 +1468,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "group", parameterGroupToUpdate)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1504,7 +1507,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "group")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1542,7 +1545,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService.listRunTemplates(organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1580,7 +1583,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "runTemplate")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1621,7 +1624,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, runTemplateToCreate)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1665,7 +1668,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 runTemplateToUpdate)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1704,7 +1707,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "runTemplate")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
diff --git a/solution/src/main/kotlin/com/cosmotech/solution/service/SolutionServiceImpl.kt b/solution/src/main/kotlin/com/cosmotech/solution/service/SolutionServiceImpl.kt
index 579304f29..13dcb4a7c 100644
--- a/solution/src/main/kotlin/com/cosmotech/solution/service/SolutionServiceImpl.kt
+++ b/solution/src/main/kotlin/com/cosmotech/solution/service/SolutionServiceImpl.kt
@@ -357,7 +357,7 @@ class SolutionServiceImpl(
 }
 val rbacSecurity =
- csmRbac.addUserRole(
+ csmRbac.addEntityRole(
 organization.security.toGenericSecurity(organizationId),
 solution.security.toGenericSecurity(solutionId),
 solutionAccessControl.id,
@@ -551,12 +551,12 @@ class SolutionServiceImpl(
 solutionRole: SolutionRole
 ): SolutionAccessControl {
 val solution = getVerifiedSolution(organizationId, solutionId, PERMISSION_WRITE_SECURITY)
- csmRbac.checkUserExists(
+ csmRbac.checkEntityExists(
 solution.security.toGenericSecurity(solutionId),
 identityId,
 "User '$identityId' not found in solution $solutionId")
 val rbacSecurity =
- csmRbac.setUserRole(
+ csmRbac.setEntityRole(
 solution.security.toGenericSecurity(solutionId), identityId, solutionRole.role)
 solution.security = rbacSecurity.toResourceSecurity()
 save(solution)
@@ -572,14 +572,14 @@ class SolutionServiceImpl(
 ) {
 val solution = getVerifiedSolution(organizationId, solutionId, PERMISSION_WRITE_SECURITY)
 val rbacSecurity =
- csmRbac.removeUser(solution.security.toGenericSecurity(solutionId), identityId)
+ csmRbac.removeEntity(solution.security.toGenericSecurity(solutionId), identityId)
 solution.security = rbacSecurity.toResourceSecurity()
 save(solution)
 }
 override fun listSolutionSecurityUsers(organizationId: String, solutionId: String): List {
 val solution = getVerifiedSolution(organizationId, solutionId, PERMISSION_READ_SECURITY)
- return csmRbac.getUsers(solution.security.toGenericSecurity(solutionId))
+ return csmRbac.getEntities(solution.security.toGenericSecurity(solutionId))
 }
 override fun getVerifiedSolution(
diff --git a/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceIntegrationTest.kt b/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceIntegrationTest.kt
index f1e9df573..01cacd4a7 100644
--- a/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceIntegrationTest.kt
+++ b/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceIntegrationTest.kt
@@ -7,6 +7,7 @@ import com.cosmotech.common.exceptions.CsmAccessForbiddenException
 import com.cosmotech.common.exceptions.CsmResourceNotFoundException
 import com.cosmotech.common.rbac.*
 import com.cosmotech.common.tests.CsmTestBase
+import com.cosmotech.common.utils.getCurrentAccountGroups
 import com.cosmotech.common.utils.getCurrentAccountIdentifier
 import com.cosmotech.common.utils.getCurrentAuthenticatedRoles
 import com.cosmotech.common.utils.getCurrentAuthenticatedUserName
@@ -60,6 +61,7 @@ class WorkspaceServiceIntegrationTest : CsmTestBase() {
 val CONNECTED_ADMIN_USER = "test.admin@cosmotech.com"
 val CONNECTED_DEFAULT_USER = "test.user@cosmotech.com"
 val fileName = "test_workspace_file.txt"
+ val defaultGroup = listOf("myTestGroup")
 private val logger = LoggerFactory.getLogger(WorkspaceServiceIntegrationTest::class.java)
 @Autowired lateinit var rediSearchIndexer: RediSearchIndexer
@@ -86,6 +88,7 @@ class WorkspaceServiceIntegrationTest : CsmTestBase() {
 fun setUp() {
 mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt")
 every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
+ every { getCurrentAccountGroups(any()) } returns defaultGroup
 every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user"
 every { getCurrentAuthenticatedRoles(any()) } returns listOf("user")
diff --git a/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceRBACTest.kt b/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceRBACTest.kt
index 04c7319fa..8b91d5d3f 100644
--- a/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceRBACTest.kt
+++ b/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceRBACTest.kt
@@ -18,6 +18,7 @@ import com.cosmotech.common.rbac.ROLE_USER
 import com.cosmotech.common.rbac.ROLE_VIEWER
 import com.cosmotech.common.tests.CsmTestBase
 import com.cosmotech.common.utils.ResourceScanner
+import com.cosmotech.common.utils.getCurrentAccountGroups
 import com.cosmotech.common.utils.getCurrentAccountIdentifier
 import com.cosmotech.common.utils.getCurrentAuthenticatedRoles
 import com.cosmotech.common.utils.getCurrentAuthenticatedUserName
@@ -72,6 +73,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 val TEST_USER_MAIL = "testuser@mail.fr"
 val CONNECTED_ADMIN_USER = "test.admin@cosmotech.com"
+ val defaultGroup = listOf("myTestGroup")
 @RelaxedMockK private lateinit var resource: MultipartFile
@@ -96,6 +98,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 ReflectionTestUtils.setField(workspaceApiService, "s3Template", s3Template)
 every { containerRegistryService.getImageLabel(any(), any(), any()) } returns null
 every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
+ every { getCurrentAccountGroups(any()) } returns defaultGroup
 every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user"
 every { getCurrentAuthenticatedRoles(any()) } returns listOf()
@@ -139,7 +142,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 workspaceApiService.listWorkspaces(organizationSaved.id, null, null)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -189,11 +192,11 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_CREATE_CHILDREN",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_CREATE_CHILDREN",
 exception.message)
 }
 } else {
@@ -245,11 +248,11 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 }
 } else {
@@ -291,7 +294,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 workspaceApiService.getWorkspace(organizationSaved.id, workspaceSaved.id)
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -335,7 +338,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 workspaceApiService.deleteWorkspace(organizationSaved.id, workspaceSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -376,7 +379,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 workspaceApiService.deleteWorkspace(organizationSaved.id, workspaceSaved.id)
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_DELETE",
+ "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_DELETE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -423,7 +426,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 WorkspaceUpdateRequest(key = "key", "new name"))
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -470,7 +473,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 WorkspaceUpdateRequest("key", "new name"))
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -518,7 +521,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -560,7 +563,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id)
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -611,7 +614,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, resource, true, "")
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -660,7 +663,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, resource, true, "")
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -706,7 +709,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -748,7 +751,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id)
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -793,7 +796,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, "")
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -836,7 +839,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, "")
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -882,7 +885,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, "")
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -925,7 +928,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, "")
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE",
+ "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -971,7 +974,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, ROLE_USER)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1014,7 +1017,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, ROLE_USER)
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ_SECURITY",
+ "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1060,7 +1063,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1102,7 +1105,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -1147,7 +1150,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, WorkspaceRole(ROLE_USER)) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1190,7 +1193,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, WorkspaceRole(ROLE_USER)) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -1238,7 +1241,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { WorkspaceAccessControl("id", ROLE_USER)) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -1285,7 +1288,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { WorkspaceAccessControl("id", ROLE_USER)) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -1333,7 +1336,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1376,7 +1379,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -1422,7 +1425,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1465,7 +1468,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { 
@@ -1514,7 +1517,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { WorkspaceRole(ROLE_ADMIN)) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1563,7 +1566,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { WorkspaceRole(ROLE_ADMIN)) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -1612,7 +1615,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1655,7 +1658,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { diff --git a/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt b/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt index aa0aa72b6..3d5fb730b 100644 --- a/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt +++ b/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt 
@@ -433,12 +433,12 @@ internal class WorkspaceServiceImpl( ): WorkspaceAccessControl { val organization = organizationService.getVerifiedOrganization(organizationId) val workspace = getVerifiedWorkspace(organizationId, workspaceId, PERMISSION_WRITE_SECURITY) - val users = csmRbac.getUsers(workspace.security.toGenericSecurity(workspaceId)) + val users = csmRbac.getEntities(workspace.security.toGenericSecurity(workspaceId)) require(!users.contains(workspaceAccessControl.id)) { "User is already in this Workspace security" } val rbacSecurity = - csmRbac.addUserRole( + csmRbac.addEntityRole( organization.security.toGenericSecurity(organizationId), workspace.security.toGenericSecurity(workspaceId), workspaceAccessControl.id, @@ -458,12 +458,12 @@ internal class WorkspaceServiceImpl( workspaceRole: WorkspaceRole ): WorkspaceAccessControl { val workspace = getVerifiedWorkspace(organizationId, workspaceId, PERMISSION_WRITE_SECURITY) - csmRbac.checkUserExists( + csmRbac.checkEntityExists( workspace.security.toGenericSecurity(workspaceId), identityId, "User '$identityId' not found in workspace $workspaceId") val rbacSecurity = - csmRbac.setUserRole( + csmRbac.setEntityRole( workspace.security.toGenericSecurity(workspaceId), identityId, workspaceRole.role) workspace.security = rbacSecurity.toResourceSecurity() save(workspace) @@ -479,7 +479,7 @@ internal class WorkspaceServiceImpl( ) { val workspace = getVerifiedWorkspace(organizationId, workspaceId, PERMISSION_WRITE_SECURITY) val rbacSecurity = - csmRbac.removeUser(workspace.security.toGenericSecurity(workspaceId), identityId) + csmRbac.removeEntity(workspace.security.toGenericSecurity(workspaceId), identityId) workspace.security = rbacSecurity.toResourceSecurity() save(workspace) } 
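Review bot: The local in the first hunk still reads `val users = csmRbac.getEntities(workspace.security.toGenericSecurity(workspaceId))` although the renamed call now returns entities, which per this patch series can be groups as well as users; the name no longer describes what the list holds. Renaming it, `val entities = csmRbac.getEntities(workspace.security.toGenericSecurity(workspaceId))` and `require(!entities.contains(workspaceAccessControl.id)) { ... }`, keeps the call site consistent with the API it calls. The `require` message "User is already in this Workspace security" and the `checkEntityExists` message in the second hunk likewise say "User" for an id that may be a group; whether to reword them is a product decision, since they are user-facing strings that tests may pin. The enclosing functions begin outside these hunks.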
@@ -489,7 +489,7 @@ internal class WorkspaceServiceImpl( workspaceId: String ): List { val workspace = getVerifiedWorkspace(organizationId, workspaceId, PERMISSION_READ_SECURITY) - return csmRbac.getUsers(workspace.security.toGenericSecurity(workspaceId)) + return csmRbac.getEntities(workspace.security.toGenericSecurity(workspaceId)) } fun updateSecurityVisibility(workspace: Workspace): Workspace { diff --git a/workspace/src/test/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImplTests.kt b/workspace/src/test/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImplTests.kt index 932a125f1..d7637308c 100644 --- a/workspace/src/test/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImplTests.kt +++ b/workspace/src/test/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImplTests.kt @@ -17,6 +17,7 @@ import com.cosmotech.common.rbac.ROLE_USER import com.cosmotech.common.rbac.ROLE_VALIDATOR import com.cosmotech.common.rbac.ROLE_VIEWER import com.cosmotech.common.utils.ResourceScanner +import com.cosmotech.common.utils.getCurrentAccountGroups import com.cosmotech.common.utils.getCurrentAccountIdentifier import com.cosmotech.common.utils.getCurrentAuthenticatedRoles import com.cosmotech.common.utils.getCurrentAuthenticatedUserName @@ -80,6 +81,8 @@ const val S3_BUCKET_NAME = "test-bucket" @Suppress("LargeClass") class WorkspaceServiceImplTests { + val defaultGroup = listOf("myTestGroup") + @MockK private lateinit var solutionService: SolutionApiServiceInterface @RelaxedMockK private lateinit var organizationService: OrganizationApiServiceInterface 
@@ -112,6 +115,7 @@ class WorkspaceServiceImplTests { fun beforeEach() { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns CONNECTED_DEFAULT_USER + every { getCurrentAccountGroups(any()) } returns defaultGroup every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "my.account-tester" every { getCurrentAuthenticatedRoles(any()) } returns listOf() From 66ee7c9550c1898ac4a78b79d3f9e3ffec17084c Mon Sep 17 00:00:00 2001 From: Leopold Cramer Date: Wed, 29 Oct 2025 15:24:41 +0100 Subject: [PATCH 4/5] restore some naming for clarity --- .../com/cosmotech/common/rbac/CsmRbac.kt | 22 ++- .../com/cosmotech/common/rbac/CsmRbacTests.kt | 25 ++- .../dataset/service/DatasetServiceRBACTest.kt | 40 ++--- .../service/OrganizationServiceRBACTest.kt | 22 +-- .../runner/service/RunnerServiceRBACTest.kt | 146 +++++++++--------- .../service/SolutionServiceRBACTest.kt | 82 +++++----- .../service/WorkspaceServiceRBACTest.kt | 72 ++++----- 7 files changed, 203 insertions(+), 206 deletions(-) diff --git a/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt b/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt index cd16aaa36..faabed4b0 100644 --- a/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt +++ b/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt 
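Review bot: `every { getCurrentAccountGroups(any()) } returns defaultGroup` stubs a non-empty group claim for every test in this class, so no test here exercises the path of a token that carries no groups claim, which is the common case for callers that are not in any Keycloak group. At least one test should override the stub, `every { getCurrentAccountGroups(any()) } returns emptyList()`, and assert that access is still decided by the user entry alone. The fixture itself, declared in the previous hunk (`@@ -80,6`), is a public `val` on the test class; `private val defaultGroup = listOf("myTestGroup")` is enough.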
@@ -38,12 +38,12 @@ open class CsmRbac( // Make sure we have at least one admin if (!objectSecurity.accessControlList.any { it.role == ROLE_ADMIN }) { - val currentEntityId = getCurrentAccountIdentifier(csmPlatformProperties) - val currentEntityACL = objectSecurity.accessControlList.find { it.id == currentEntityId } - if (currentEntityACL != null) { - currentEntityACL.role = ROLE_ADMIN + val currentUserId = getCurrentAccountIdentifier(csmPlatformProperties) + val currentUserACL = objectSecurity.accessControlList.find { it.id == currentUserId } + if (currentUserACL != null) { + currentUserACL.role = ROLE_ADMIN } else { - objectSecurity.accessControlList.add(RbacAccessControl(currentEntityId, ROLE_ADMIN)) + objectSecurity.accessControlList.add(RbacAccessControl(currentUserId, ROLE_ADMIN)) } } @@ -57,7 +57,7 @@ open class CsmRbac( ) { if (!this.check(rbacSecurity, permission, rolesDefinition)) throw CsmAccessForbiddenException( - "RBAC ${rbacSecurity.id} - Entity does not have permission $permission") + "RBAC ${rbacSecurity.id} - User does not have permission $permission") } fun check( @@ -206,15 +206,14 @@ open class CsmRbac( return isAdmin } - internal fun verifyEntity( + internal fun verifyUser( rbacSecurity: RbacSecurity, permission: String, rolesDefinition: RolesDefinition, user: String, groups: List ): Boolean { - logger.debug( - "RBAC ${rbacSecurity.id} - Verifying $user or one of $groups has permission in ACL: $permission") + logger.debug("RBAC ${rbacSecurity.id} - Verifying $user has permission in ACL: $permission") val isAuthorized = if (rbacSecurity.accessControlList.any() { it.id == user }) { verifyPermissionFromRole(permission, getEntityRole(rbacSecurity, user), rolesDefinition) 
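Review bot: In the `@@ -206,15` hunk the restored trace `logger.debug("RBAC ${rbacSecurity.id} - Verifying $user has permission in ACL: $permission")` drops `groups` from the message, yet `verifyUser` still takes the `groups` parameter (and presumably still evaluates it in the part of the body that lies between this hunk and the next), so a permission granted through a group entry is logged as if it came from the user's own ACL entry. That is exactly the detail an investigator needs when reconstructing why an access was allowed; keep the groups in the line, e.g. `"RBAC ${rbacSecurity.id} - Verifying $user (groups: $groups) has permission in ACL: $permission"`, and in the matching result line in the `@@ -225,8` hunk. Minor style: `rbacSecurity.accessControlList.any() { it.id == user }` carries an empty parenthesis pair before the trailing lambda; `any { it.id == user }` is the idiomatic form. The body of `verifyUser` continues outside this hunk.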
@@ -225,8 +224,7 @@ open class CsmRbac( verifyPermissionFromRole( permission, getEntityRole(rbacSecurity, rbacSecurity.default), rolesDefinition) } - logger.debug( - "RBAC ${rbacSecurity.id} - $user or one of $groups has permission $permission in ACL: $isAuthorized") + logger.debug("RBAC ${rbacSecurity.id} - $user has permission $permission in ACL: $isAuthorized") return isAuthorized } @@ -251,7 +249,7 @@ open class CsmRbac( groups: List ): Boolean { return (this.verifyDefault(rbacSecurity, permission, rolesDefinition) || - this.verifyEntity(rbacSecurity, permission, rolesDefinition, user, groups)) + this.verifyUser(rbacSecurity, permission, rolesDefinition, user, groups)) } internal fun verifyPermissionFromRole( diff --git a/common/src/test/kotlin/com/cosmotech/common/rbac/CsmRbacTests.kt b/common/src/test/kotlin/com/cosmotech/common/rbac/CsmRbacTests.kt index f96ce0e8d..e50268e89 100644 --- a/common/src/test/kotlin/com/cosmotech/common/rbac/CsmRbacTests.kt +++ b/common/src/test/kotlin/com/cosmotech/common/rbac/CsmRbacTests.kt @@ -274,19 +274,18 @@ class CsmRbacTests { @Test fun `verify permission read for user writer OK`() { - assertTrue( - rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_READER, emptyList())) + assertTrue(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_READER, emptyList())) } @Test fun `verify permission write for user writer KO`() { assertFalse( - rbac.verifyEntity(rbacSecurity, PERM_WRITE, rolesDefinition, USER_READER, emptyList())) + rbac.verifyUser(rbacSecurity, PERM_WRITE, rolesDefinition, USER_READER, emptyList())) } @Test fun `verify permission read for user none KO`() { - assertFalse(rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_NONE, emptyList())) + assertFalse(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NONE, emptyList())) } @Test 
@@ -303,14 +302,14 @@ class CsmRbacTests { fun `add new reader user and verify read permission OK`() { rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) assertTrue( - rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `add new reader user and verify write permission KO`() { rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) assertFalse( - rbac.verifyEntity(rbacSecurity, PERM_WRITE, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyUser(rbacSecurity, PERM_WRITE, rolesDefinition, USER_NEW_READER, emptyList())) } @Test @@ -340,7 +339,7 @@ class CsmRbacTests { rbac.addEntityRole( parentRbacSecurity, rbacSecurity, USER_IN_PARENT, USER_READER_ROLE, rolesDefinition) assertTrue( - rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_IN_PARENT, emptyList())) + rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_IN_PARENT, emptyList())) } @Test @@ -350,7 +349,7 @@ class CsmRbacTests { val rbacSecurity = rbac.addEntityRole( parentRbacSecurity, rbacSecurity, USER_NOTIN, USER_READER_ROLE, rolesDefinition) - assertTrue(rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_NOTIN, emptyList())) + assertTrue(rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NOTIN, emptyList())) } @Test @@ -360,7 +359,7 @@ class CsmRbacTests { rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) rbac.removeEntity(rbacSecurity, USER_NEW_READER, rolesDefinition) assertFalse( - rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) } @Test 
@@ -370,7 +369,7 @@ class CsmRbacTests { rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) rbac.removeEntity(rbacSecurity, USER_NEW_READER, rolesDefinition) assertTrue( - rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) } @Test @@ -380,21 +379,21 @@ class CsmRbacTests { rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) rbac.removeEntity(rbacSecurity, USER_NEW_READER, rolesDefinition) assertTrue( - rbac.verifyEntity(rbacSecurity, PERM_ADMIN, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyUser(rbacSecurity, PERM_ADMIN, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `update existing new user and verify write permission OK`() { rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_WRITER_ROLE, rolesDefinition) assertTrue( - rbac.verifyEntity(rbacSecurity, PERM_WRITE, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyUser(rbacSecurity, PERM_WRITE, rolesDefinition, USER_NEW_READER, emptyList())) } @Test fun `update existing new user and verify read permission OK`() { rbac.setEntityRole(rbacSecurity, USER_NEW_READER, USER_READER_ROLE, rolesDefinition) assertTrue( - rbac.verifyEntity(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) + rbac.verifyUser(rbacSecurity, PERM_READ, rolesDefinition, USER_NEW_READER, emptyList())) } @Test diff --git a/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt b/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt index 35c86f876..da0bf923a 100644 --- a/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt +++ b/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt 
@@ -183,7 +183,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, datasetCreated.id) } assertEquals( - "RBAC ${datasetCreated.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${datasetCreated.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -231,7 +231,7 @@ class DatasetServiceRBACTest : CsmTestBase() { DatasetAccessControl("NewUser", role)) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -275,7 +275,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, listOf(), null, null) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -320,7 +320,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, datasetSaved.id) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_DELETE", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_DELETE", exception.message) } else { assertDoesNotThrow { @@ -368,7 +368,7 @@ class DatasetServiceRBACTest : CsmTestBase() { CONNECTED_DEFAULT_USER) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { 
@@ -427,7 +427,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, dataset, mockMultipartFiles) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_CREATE_CHILDREN", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_CREATE_CHILDREN", exception.message) } else { assertDoesNotThrow { @@ -476,7 +476,7 @@ class DatasetServiceRBACTest : CsmTestBase() { CONNECTED_DEFAULT_USER) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -524,7 +524,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, datasetSaved.id) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -568,7 +568,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, null, null) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -634,7 +634,7 @@ class DatasetServiceRBACTest : CsmTestBase() { arrayOf()) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { 
@@ -688,7 +688,7 @@ class DatasetServiceRBACTest : CsmTestBase() { null) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -742,7 +742,7 @@ class DatasetServiceRBACTest : CsmTestBase() { DatasetRole(role)) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -794,7 +794,7 @@ class DatasetServiceRBACTest : CsmTestBase() { DatasetRole(role)) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -858,7 +858,7 @@ class DatasetServiceRBACTest : CsmTestBase() { makeDatasetPartCreateRequest()) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -925,7 +925,7 @@ class DatasetServiceRBACTest : CsmTestBase() { datasetSaved.parts[0].id) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -991,7 +991,7 @@ class DatasetServiceRBACTest : CsmTestBase() { datasetSaved.parts[0].id) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -1057,7 +1057,7 @@ class DatasetServiceRBACTest : CsmTestBase() { datasetSaved.parts[0].id) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1120,7 +1120,7 @@ class DatasetServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, datasetSaved.id, null, null) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1185,7 +1185,7 @@ class DatasetServiceRBACTest : CsmTestBase() { makeDatasetPartUpdateRequest()) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -1254,7 +1254,7 @@ class DatasetServiceRBACTest : CsmTestBase() { makeDatasetPartUpdateRequest()) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { diff --git a/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceRBACTest.kt b/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceRBACTest.kt index 53d10320e..2013358d4 100644 --- a/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceRBACTest.kt +++ b/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceRBACTest.kt 
@@ -120,7 +120,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organizationApiService.getOrganization(organization.id) } assertEquals( - "RBAC ${organization.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organization.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { organizationApiService.getOrganization(organization.id) } @@ -150,7 +150,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organizationApiService.deleteOrganization(organization.id) } assertEquals( - "RBAC ${organization.id} - Entity does not have permission $PERMISSION_DELETE", + "RBAC ${organization.id} - User does not have permission $PERMISSION_DELETE", exception.message) } else { assertDoesNotThrow { organizationApiService.deleteOrganization(organization.id) } @@ -181,7 +181,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organization.id, OrganizationUpdateRequest("name")) } assertEquals( - "RBAC ${organization.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${organization.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -214,7 +214,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organizationApiService.getOrganizationPermissions(organization.id, role) } assertEquals( - "RBAC ${organization.id} - Entity does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${organization.id} - User does not have permission $PERMISSION_READ_SECURITY", exception.message) } else assertDoesNotThrow { @@ -245,7 +245,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organizationApiService.getOrganizationSecurity(organization.id) } assertEquals( - "RBAC ${organization.id} - Entity does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${organization.id} - User does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { 
@@ -278,7 +278,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organization.id, OrganizationRole(role)) } assertEquals( - "RBAC ${organization.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${organization.id} - User does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -312,7 +312,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organization.id, OrganizationAccessControl("id", role)) } assertEquals( - "RBAC ${organization.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${organization.id} - User does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -346,7 +346,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organization.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${organization.id} - Entity does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${organization.id} - User does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -380,7 +380,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organization.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${organization.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${organization.id} - User does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -414,7 +414,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organization.id, TEST_USER_MAIL, OrganizationRole(role)) } assertEquals( - "RBAC ${organization.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${organization.id} - User does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { 
@@ -447,7 +447,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { organizationApiService.listOrganizationSecurityUsers(organization.id) } assertEquals( - "RBAC ${organization.id} - Entity does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${organization.id} - User does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { diff --git a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt index 4b3ba7b6d..4d3aaafbc 100644 --- a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt +++ b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt @@ -160,7 +160,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, null, null) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -212,7 +212,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, null, null) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -265,7 +265,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, null, null) } assertEquals( - "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -319,7 +319,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, null, null) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -371,7 +371,7 @@ class RunnerServiceRBACTest : CsmTestBase() { runnerApiService.createRunner(organizationSaved.id, workspaceSaved.id, runner) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -425,11 +425,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE || role == ROLE_VALIDATOR) { assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } } else { @@ -483,7 +483,7 @@ class RunnerServiceRBACTest : CsmTestBase() { runnerApiService.createRunner(organizationSaved.id, workspaceSaved.id, runner) } assertEquals( - "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
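Review bot: In the `@@ -425,11` hunk both branches of `if (role == ROLE_NONE || role == ROLE_VALIDATOR)` assert the identical message `"RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ"`, so the role split is dead code and the test cannot detect a regression in which permission the other roles are denied on. The `@@ -537,11` hunk below shows the intended shape, with one permission for the NONE/VALIDATOR roles and a different one for the rest; either assert the permission actually expected for the remaining roles or collapse the two branches into a single `assertEquals`. The enclosing test function starts and ends outside the hunk.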
@@ -537,11 +537,11 @@ class RunnerServiceRBACTest : CsmTestBase() { } if (role == ROLE_VALIDATOR || role == ROLE_NONE) { assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_CREATE_CHILDREN", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_CREATE_CHILDREN", exception.message) } } else { @@ -596,7 +596,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -652,7 +652,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -708,7 +708,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -764,7 +764,7 @@ class RunnerServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, runnerSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -819,7 +819,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -874,7 +874,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -930,7 +930,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -986,7 +986,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1042,7 +1042,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1097,11 +1097,11 @@ class RunnerServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_DELETE",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_DELETE",
 exception.message)
 }
 } else {
@@ -1160,7 +1160,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerUpdateRequest(datasetList = mutableListOf(datasetSaved.id)))
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1222,7 +1222,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerUpdateRequest(datasetList = mutableListOf(datasetSaved.id)))
 }
 assertEquals(
- "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1284,7 +1284,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerUpdateRequest(datasetList = mutableListOf(datasetSaved.id)))
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1346,7 +1346,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerUpdateRequest(datasetList = mutableListOf(datasetSaved.id)))
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1408,11 +1408,11 @@ class RunnerServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_WRITE",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_WRITE",
 exception.message)
 }
 } else {
@@ -1471,7 +1471,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id, role)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1527,7 +1527,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id, role)
 }
 assertEquals(
- "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1583,7 +1583,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id, role)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1639,7 +1639,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id, role)
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1695,11 +1695,11 @@ class RunnerServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ_SECURITY",
 exception.message)
 }
 } else {
@@ -1755,7 +1755,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1811,7 +1811,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1867,7 +1867,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1923,7 +1923,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1979,11 +1979,11 @@ class RunnerServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ_SECURITY",
 exception.message)
 }
 } else {
@@ -2042,7 +2042,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerRole(ROLE_ADMIN))
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -2104,7 +2104,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerRole(ROLE_ADMIN))
 }
 assertEquals(
- "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -2166,7 +2166,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerRole(ROLE_ADMIN))
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -2228,7 +2228,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerRole(ROLE_ADMIN))
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -2290,11 +2290,11 @@ class RunnerServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY",
 exception.message)
 }
 } else {
@@ -2356,7 +2356,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerAccessControl("id", ROLE_ADMIN))
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -2541,7 +2541,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerAccessControl("id", ROLE_ADMIN))
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -2603,7 +2603,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerAccessControl("id", ROLE_ADMIN))
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -2665,11 +2665,11 @@ class RunnerServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY",
 exception.message)
 }
 } else {
@@ -2728,7 +2728,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -2784,7 +2784,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL)
 }
 assertEquals(
- "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -2840,7 +2840,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -2896,7 +2896,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL)
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -2952,11 +2952,11 @@ class RunnerServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ_SECURITY",
 exception.message)
 }
 } else {
@@ -3012,7 +3012,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -3113,7 +3113,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL)
 }
 assertEquals(
- "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -3169,7 +3169,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id, TEST_USER_MAIL)
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -3225,11 +3225,11 @@ class RunnerServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY",
 exception.message)
 }
 } else {
@@ -3289,7 +3289,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerRole(ROLE_VIEWER))
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -3353,7 +3353,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerRole(ROLE_VIEWER))
 }
 assertEquals(
- "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -3417,7 +3417,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerRole(ROLE_VIEWER))
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -3481,7 +3481,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 RunnerRole(ROLE_VIEWER))
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -3545,11 +3545,11 @@ class RunnerServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY",
 exception.message)
 }
 } else {
@@ -3609,7 +3609,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -3665,7 +3665,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${datasetSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${datasetSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -3721,7 +3721,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -3777,7 +3777,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 organizationSaved.id, workspaceSaved.id, runnerSaved.id)
 }
 assertEquals(
- "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -3833,11 +3833,11 @@ class RunnerServiceRBACTest : CsmTestBase() {
 }
 if (role == ROLE_NONE) {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertEquals(
- "RBAC ${runnerSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY",
+ "RBAC ${runnerSaved.id} - User does not have permission $PERMISSION_READ_SECURITY",
 exception.message)
 }
 } else {
diff --git a/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt b/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt
index d0cb30dd4..d8f221c93 100644
--- a/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt
+++ b/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt
@@ -124,7 +124,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService.getSolution(organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -161,7 +161,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService.getSolution(organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -197,7 +197,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService.listSolutions(organizationSaved.id, null, null)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -233,7 +233,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_CREATE_CHILDREN",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_CREATE_CHILDREN",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -269,7 +269,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService.deleteSolution(organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -307,7 +307,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_DELETE",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_DELETE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -348,7 +348,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, solutionUpdateRequest)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -391,7 +391,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -431,7 +431,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 SolutionAccessControl("user", ROLE_USER))
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -474,7 +474,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -514,7 +514,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, TEST_USER_MAIL)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -553,7 +553,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -591,7 +591,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -630,7 +630,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -668,7 +668,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, TEST_USER_MAIL)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -707,7 +707,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -748,7 +748,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 SolutionRole(ROLE_USER))
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -792,7 +792,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 SolutionRole(ROLE_USER))
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -833,7 +833,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "runTemplate")
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -872,7 +872,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "runTemplate")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -912,7 +912,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "runTemplate", runTemplate)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -953,7 +953,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "runTemplate", runTemplate)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -991,7 +991,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService.getSolutionSecurity(organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1029,7 +1029,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1068,7 +1068,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, SolutionRole(ROLE_VIEWER))
 }
 assertEquals(
- "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1108,7 +1108,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 }
 
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1147,7 +1147,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1185,7 +1185,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "parameter")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1227,7 +1227,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, parameterToCreate)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1268,7 +1268,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "parameter", parameterToUpdate)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1307,7 +1307,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "parameter")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1346,7 +1346,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1385,7 +1385,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "group")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1426,7 +1426,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, parameterGroupToCreate)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1468,7 +1468,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "group", parameterGroupToUpdate)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1507,7 +1507,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "group")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1545,7 +1545,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 solutionApiService.listRunTemplates(organizationSaved.id, solutionSaved.id)
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1583,7 +1583,7 @@ class SolutionServiceRBACTest : CsmTestBase() {
 organizationSaved.id, solutionSaved.id, "runTemplate")
 }
 assertEquals(
- "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_READ",
+ "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_READ",
 exception.message)
 } else {
 assertDoesNotThrow {
@@ -1624,7 +1624,7 @@ class SolutionServiceRBACTest : CsmTestBase() { organizationSaved.id, solutionSaved.id, runTemplateToCreate) } assertEquals( - "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -1668,7 +1668,7 @@ class SolutionServiceRBACTest : CsmTestBase() { runTemplateToUpdate) } assertEquals( - "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -1707,7 +1707,7 @@ class SolutionServiceRBACTest : CsmTestBase() { organizationSaved.id, solutionSaved.id, "runTemplate") } assertEquals( - "RBAC ${solutionSaved.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${solutionSaved.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { diff --git a/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceRBACTest.kt b/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceRBACTest.kt index 8b91d5d3f..9ab893d54 100644 --- a/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceRBACTest.kt +++ b/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceRBACTest.kt @@ -142,7 +142,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { workspaceApiService.listWorkspaces(organizationSaved.id, null, null) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -192,11 +192,11 @@ class WorkspaceServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE) { assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_CREATE_CHILDREN", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_CREATE_CHILDREN", exception.message) } } else { @@ -248,11 +248,11 @@ class WorkspaceServiceRBACTest : CsmTestBase() { } if (role == ROLE_NONE) { assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } } else { @@ -294,7 +294,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { workspaceApiService.getWorkspace(organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -338,7 +338,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { workspaceApiService.deleteWorkspace(organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -379,7 +379,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { workspaceApiService.deleteWorkspace(organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_DELETE", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_DELETE", exception.message) } else { assertDoesNotThrow { @@ -426,7 +426,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { WorkspaceUpdateRequest(key = "key", "new name")) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -473,7 +473,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { WorkspaceUpdateRequest("key", "new name")) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -521,7 +521,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -563,7 +563,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -614,7 +614,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, resource, true, "") } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -663,7 +663,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, resource, true, "") } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -709,7 +709,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -751,7 +751,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -796,7 +796,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, "") } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -839,7 +839,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, "") } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -885,7 +885,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, "") } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -928,7 +928,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, "") } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE", exception.message) } else { assertDoesNotThrow { @@ -974,7 +974,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, ROLE_USER) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1017,7 +1017,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, ROLE_USER) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { 
@@ -1063,7 +1063,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1105,7 +1105,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -1150,7 +1150,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, WorkspaceRole(ROLE_USER)) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1193,7 +1193,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, WorkspaceRole(ROLE_USER)) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -1241,7 +1241,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { WorkspaceAccessControl("id", ROLE_USER)) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { 
@@ -1288,7 +1288,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { WorkspaceAccessControl("id", ROLE_USER)) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -1336,7 +1336,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1379,7 +1379,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -1425,7 +1425,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1468,7 +1468,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id, TEST_USER_MAIL) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { 
@@ -1517,7 +1517,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { WorkspaceRole(ROLE_ADMIN)) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1566,7 +1566,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { WorkspaceRole(ROLE_ADMIN)) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_WRITE_SECURITY", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_WRITE_SECURITY", exception.message) } else { assertDoesNotThrow { @@ -1615,7 +1615,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${organizationSaved.id} - Entity does not have permission $PERMISSION_READ", + "RBAC ${organizationSaved.id} - User does not have permission $PERMISSION_READ", exception.message) } else { assertDoesNotThrow { @@ -1658,7 +1658,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { organizationSaved.id, workspaceSaved.id) } assertEquals( - "RBAC ${workspaceSaved.id} - Entity does not have permission $PERMISSION_READ_SECURITY", + "RBAC ${workspaceSaved.id} - User does not have permission $PERMISSION_READ_SECURITY", exception.message) } else { assertDoesNotThrow { From 339021f242bf1b0c083759287e0ce12675a10cbf Mon Sep 17 00:00:00 2001 
From: Leopold Cramer
Date: Mon, 3 Nov 2025 16:55:08 +0100
Subject: [PATCH 5/5] apply corrections from pull request feedbacks
---
 .../common/config/CsmPlatformProperties.kt | 2 +-
 .../kotlin/com/cosmotech/common/rbac/CsmRbac.kt | 8 ++------
 .../com/cosmotech/common/utils/SecurityUtils.kt | 13 ++++++++-----
 .../service/DatasetServiceIntegrationTest.kt | 3 +--
 .../dataset/service/DatasetServiceRBACTest.kt | 3 +--
 .../service/OrganizationServiceRBACTest.kt | 3 +--
 .../service/OrganizationServiceImplTests.kt | 4 +---
 .../run/service/RunServiceIntegrationTest.kt | 3 +--
 .../runner/service/RunnerServiceIntegrationTest.kt | 3 +--
 .../runner/service/RunnerServiceRBACTest.kt | 3 +--
 .../service/SolutionServiceIntegrationTest.kt | 3 +--
 .../solution/service/SolutionServiceRBACTest.kt | 4 ++--
 .../service/WorkspaceServiceIntegrationTest.kt | 3 +--
 .../workspace/service/WorkspaceServiceRBACTest.kt | 3 +--
 .../workspace/service/WorkspaceServiceImplTests.kt | 4 +---
 15 files changed, 24 insertions(+), 38 deletions(-)
diff --git a/common/src/main/kotlin/com/cosmotech/common/config/CsmPlatformProperties.kt b/common/src/main/kotlin/com/cosmotech/common/config/CsmPlatformProperties.kt
index da3747c8f..0d4df9db5 100644
--- a/common/src/main/kotlin/com/cosmotech/common/config/CsmPlatformProperties.kt
+++ b/common/src/main/kotlin/com/cosmotech/common/config/CsmPlatformProperties.kt
@@ -74,7 +74,7 @@ data class CsmPlatformProperties(
 val mailJwtClaim: String = "preferred_username",
 
 /** The JWT Claim where the groups information are stored */
- val groupJwtClaim: String = "user_groups",
+ val groupJwtClaim: String = "groups",
 
 /** The JWT Claim where the roles information is stored */
 val rolesJwtClaim: String = "roles",
diff --git a/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt b/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt
index faabed4b0..107d5c18e 100644
--- a/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt
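Review bot: The KDoc on the new `groupJwtClaim` property says only where the groups are stored, not what shape the value must have or how it is matched; since the ACL lookup in this patch's CsmRbac hunk passes each claim entry straight to `getEntityRole`, the identifiers written into an access control list have to be spelled exactly as the identity provider emits them. Keycloak's Group Membership mapper emits full paths such as `/team-a` unless its "Full group path" option is turned off, which is the first thing an operator will trip over when a group grant silently does not apply. Suggested KDoc: `/** The JWT claim holding the caller's group memberships, expected to be an array of strings; each value is compared verbatim with RBAC access-control identifiers. */`.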
+++ b/common/src/main/kotlin/com/cosmotech/common/rbac/CsmRbac.kt
@@ -198,9 +198,7 @@ open class CsmRbac(
 } else {
 groups.any {
 this.getEntityRole(rbacSecurity, it) == this.getAdminRole(rolesDefinition)
- } ||
- this.getEntityRole(rbacSecurity, rbacSecurity.default) ==
- this.getAdminRole(rolesDefinition)
+ } || rbacSecurity.default == this.getAdminRole(rolesDefinition)
 }
 logger.debug("RBAC ${rbacSecurity.id} - $user has default admin rbac role: $isAdmin")
 return isAdmin
@@ -220,9 +218,7 @@ open class CsmRbac(
 } else {
 groups.any {
 verifyPermissionFromRole(permission, getEntityRole(rbacSecurity, it), rolesDefinition)
- } ||
- verifyPermissionFromRole(
- permission, getEntityRole(rbacSecurity, rbacSecurity.default), rolesDefinition)
+ } || verifyPermissionFromRole(permission, rbacSecurity.default, rolesDefinition)
 }
 logger.debug("RBAC ${rbacSecurity.id} - $user has permission $permission in ACL: $isAuthorized")
 return isAuthorized
diff --git a/common/src/main/kotlin/com/cosmotech/common/utils/SecurityUtils.kt b/common/src/main/kotlin/com/cosmotech/common/utils/SecurityUtils.kt
index 6fa00bee5..626d397bc 100644
--- a/common/src/main/kotlin/com/cosmotech/common/utils/SecurityUtils.kt
+++ b/common/src/main/kotlin/com/cosmotech/common/utils/SecurityUtils.kt
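Review bot: The debug line `logger.debug("RBAC ${rbacSecurity.id} - $user has default admin rbac role: $isAdmin")` at the end of the first hunk, and the matching `has permission` line in the second hunk at -220, still report only `$user`, although the `else` branch now reaches its result through any entry of `groups` or through `rbacSecurity.default`. When an unexpected grant has to be traced back, which group or whether the resource default carried the decision is the one fact the log no longer shows. Capturing it is a small change: `val adminGroup = groups.firstOrNull { this.getEntityRole(rbacSecurity, it) == this.getAdminRole(rolesDefinition) }`, then `adminGroup != null || rbacSecurity.default == this.getAdminRole(rolesDefinition)` as the branch value, and `$adminGroup` appended to the debug message (same shape for the permission check). Both enclosing functions begin outside the hunk, so the `if` branch and the `user`/`groups` null handling could not be checked here.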
@@ -56,11 +56,14 @@ fun getCurrentAccountIdentifier(configuration: CsmPlatformProperties): String {
 }
 
 fun getCurrentAccountGroups(configuration: CsmPlatformProperties): List {
- val authentication = getCurrentAuthentication()
- val jwt = (authentication as JwtAuthenticationToken).token.tokenValue
- val jwtClaimsSet = JWTParser.parse(jwt).jwtClaimsSet
- return jwtClaimsSet.getListClaim(configuration.authorization.groupJwtClaim).toList()
- as List
+ return (getValueFromAuthenticatedToken(configuration) {
+ try {
+ val jwt = JWTParser.parse(it)
+ jwt.jwtClaimsSet.getStringListClaim(configuration.authorization.groupJwtClaim)
+ } catch (e: ParseException) {
+ JSONObjectUtils.parse(it)[configuration.authorization.groupJwtClaim] as List
+ }
+ } ?: emptyList())
 }
 
 fun getCurrentAuthenticatedRoles(configuration: CsmPlatformProperties): List {
diff --git a/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt b/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt
index 200f64b1d..f8be664d0 100644
--- a/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt
+++ b/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt
@@ -96,7 +96,6 @@ class DatasetServiceIntegrationTest() : CsmTestBase() {
 val UNALLOWED_MIME_TYPE_SOURCE_FILE_NAME = "wrong_mimetype.yaml"
 val INVENTORY_SOURCE_FILE_NAME = "product_inventory.csv"
 val WRONG_ORIGINAL_FILE_NAME = "../../wrong_name_pattern.csv"
- val defaultGroup = listOf("myTestGroup")
 
 private val logger = LoggerFactory.getLogger(DatasetServiceIntegrationTest::class.java)
 
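Review bot: The fallback `JSONObjectUtils.parse(it)[configuration.authorization.groupJwtClaim] as List` is an unchecked cast on a value that may be absent or of another JSON type, so a token without the groups claim throws at the cast instead of reaching the `?: emptyList()` the new code provides for the JWT path; `as? List<String>`, or `(… as? List<*>)?.filterIsInstance<String>()` to also drop non-string members, lets the elvis apply to both paths. The catch also fires when `getStringListClaim` rejects a claim whose members are not all strings (nimbus raises `ParseException` there, worth confirming), in which case a compact JWT is re-parsed as a JSON object and that second `ParseException` escapes uncaught; narrowing the try to `JWTParser.parse(it)` keeps the two failure modes apart. Both branches read claims from the raw token string without any signature check, which is acceptable only if `getValueFromAuthenticatedToken` never hands out a token the authentication filter has not already validated — that helper is outside the hunk, so it could not be verified here. The `e` parameter is unused.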
@@ -121,7 +120,7 @@ class DatasetServiceIntegrationTest() : CsmTestBase() {
 fun setUp() {
 mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt")
 every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
- every { getCurrentAccountGroups(any()) } returns defaultGroup
+ every { getCurrentAccountGroups(any()) } returns listOf("myTestGroup")
 every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user"
 every { getCurrentAuthenticatedRoles(any()) } returns listOf("user")
 
diff --git a/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt b/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt
index da0bf923a..3252f3725 100644
--- a/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt
+++ b/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt
@@ -86,7 +86,6 @@ class DatasetServiceRBACTest : CsmTestBase() {
 val CONNECTED_ADMIN_USER = "test.admin@cosmotech.com"
 val CONNECTED_DEFAULT_USER = "test.user@cosmotech.com"
 val CUSTOMER_SOURCE_FILE_NAME = "customers.csv"
- val defaultGroup = listOf("myTestGroup")
 
 private val logger = LoggerFactory.getLogger(DatasetServiceIntegrationTest::class.java)
 
@@ -112,7 +111,7 @@ class DatasetServiceRBACTest : CsmTestBase() {
 fun setUp() {
 mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt")
 every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
- every { getCurrentAccountGroups(any()) } returns defaultGroup
+ every { getCurrentAccountGroups(any()) } returns listOf("myTestGroup")
 every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user"
 every { getCurrentAuthenticatedRoles(any()) } returns listOf("user")
 
diff --git a/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceRBACTest.kt b/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceRBACTest.kt index 2013358d4..7924b6462 100644 --- a/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceRBACTest.kt +++ b/organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceRBACTest.kt @@ -55,7 +55,6 @@ import org.springframework.test.context.junit4.SpringRunner class OrganizationServiceRBACTest : CsmTestBase() { val CONNECTED_ADMIN_USER = "test.admin@cosmotech.com" val TEST_USER_MAIL = "testuser@mail.fr" - val defaultGroup = listOf("myTestGroup") // NEEDED: recreate indexes in redis @Autowired lateinit var rediSearchIndexer: RediSearchIndexer @@ -71,7 +70,7 @@ class OrganizationServiceRBACTest : CsmTestBase() { fun setUp() { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns TEST_USER_MAIL - every { getCurrentAccountGroups(any()) } returns defaultGroup + every { getCurrentAccountGroups(any()) } returns listOf("myTestGroup") every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "my.account-tester" every { getCurrentAuthenticatedRoles(any()) } returns listOf() rediSearchIndexer.createIndexFor(Organization::class.java) diff --git a/organization/src/test/kotlin/com/cosmotech/organization/service/OrganizationServiceImplTests.kt b/organization/src/test/kotlin/com/cosmotech/organization/service/OrganizationServiceImplTests.kt index 8bec4350a..152d8a497 100644 --- a/organization/src/test/kotlin/com/cosmotech/organization/service/OrganizationServiceImplTests.kt +++ b/organization/src/test/kotlin/com/cosmotech/organization/service/OrganizationServiceImplTests.kt 
@@ -51,8 +51,6 @@ const val USER_ID = "bob@mycompany.com" @ExtendWith(MockKExtension::class) class OrganizationServiceImplTests { - val defaultGroup = listOf("myTestGroup") - @Suppress("unused") @MockK private var eventPublisher: CsmEventPublisher = mockk(relaxed = true) @Suppress("unused") @@ -70,7 +68,7 @@ class OrganizationServiceImplTests { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns USER_ID - every { getCurrentAccountGroups(any()) } returns defaultGroup + every { getCurrentAccountGroups(any()) } returns listOf("myTestGroup") every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "my.account-tester" every { getCurrentAuthenticatedRoles(any()) } returns listOf() diff --git a/run/src/integrationTest/kotlin/com/cosmotech/run/service/RunServiceIntegrationTest.kt b/run/src/integrationTest/kotlin/com/cosmotech/run/service/RunServiceIntegrationTest.kt index 7c20921ac..2dec54c9e 100644 --- a/run/src/integrationTest/kotlin/com/cosmotech/run/service/RunServiceIntegrationTest.kt +++ b/run/src/integrationTest/kotlin/com/cosmotech/run/service/RunServiceIntegrationTest.kt @@ -82,7 +82,6 @@ class RunServiceIntegrationTest : CsmTestBase() { val CONNECTED_ADMIN_USER = "test.admin@cosmotech.com" val CONNECTED_READER_USER = "test.user@cosmotech.com" - val defaultGroup = listOf("myTestGroup") private val logger = LoggerFactory.getLogger(RunServiceIntegrationTest::class.java) @MockK(relaxed = true) private lateinit var containerFactory: RunContainerFactory 
@@ -115,7 +114,7 @@ class RunServiceIntegrationTest : CsmTestBase() { fun setUp() { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER - every { getCurrentAccountGroups(any()) } returns defaultGroup + every { getCurrentAccountGroups(any()) } returns listOf("myTestGroup") every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf("user") diff --git a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt index f820710f4..6d848416a 100644 --- a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt +++ b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt @@ -92,7 +92,6 @@ class RunnerServiceIntegrationTest : CsmTestBase() { val TEST_USER_MAIL = "fake@mail.fr" val CUSTOMERS_FILE_NAME = "customers.csv" val CUSTOMERS_5_LINES_FILE_NAME = "customers_5_lines.csv" - val defaultGroup = listOf("myTestGroup") private val logger = LoggerFactory.getLogger(RunnerServiceIntegrationTest::class.java) private val defaultName = "my.account-tester@cosmotech.com" @@ -144,7 +143,7 @@ class RunnerServiceIntegrationTest : CsmTestBase() { every { containerRegistryService.getImageLabel(any(), any(), any()) } returns null mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER - every { getCurrentAccountGroups(any()) } returns defaultGroup + every { getCurrentAccountGroups(any()) } returns listOf("myTestGroup") every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf(ROLE_ORGANIZATION_USER) 
diff --git a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt
index 4d3aaafbc..52c0e839d 100644
--- a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt
+++ b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt
@@ -83,7 +83,6 @@ class RunnerServiceRBACTest : CsmTestBase() {
 
 val CONNECTED_ADMIN_USER = "test.admin@cosmotech.com"
 val TEST_USER_MAIL = "testuser@mail.fr"
- val defaultGroup = listOf("myTestGroup")
 
 @Autowired lateinit var rediSearchIndexer: RediSearchIndexer
 @Autowired lateinit var organizationApiService: OrganizationApiServiceInterface
@@ -99,7 +98,7 @@ class RunnerServiceRBACTest : CsmTestBase() {
 fun setUp() {
 mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt")
 every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
- every { getCurrentAccountGroups(any()) } returns defaultGroup
+ every { getCurrentAccountGroups(any()) } returns listOf("myTestGroup")
 every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user"
 every { getCurrentAuthenticatedRoles(any()) } returns listOf()
 
diff --git a/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceIntegrationTest.kt b/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceIntegrationTest.kt
index c83d45814..b0aa8ea51 100644
--- a/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceIntegrationTest.kt
+++ b/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceIntegrationTest.kt
@@ -65,7 +65,6 @@ class SolutionServiceIntegrationTest : CsmTestBase() { private val logger = LoggerFactory.getLogger(SolutionServiceIntegrationTest::class.java) val fileName = "test_solution_file.txt" - val defaultGroup = listOf("myTestGroup") @Autowired lateinit var rediSearchIndexer: RediSearchIndexer @Autowired lateinit var organizationApiService: OrganizationApiServiceInterface @@ -89,7 +88,7 @@ class SolutionServiceIntegrationTest : CsmTestBase() { solutionApiService, "containerRegistryService", containerRegistryService) every { containerRegistryService.getImageLabel(any(), any(), any()) } returns null every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER - every { getCurrentAccountGroups(any()) } returns defaultGroup + every { getCurrentAccountGroups(any()) } returns listOf("myTestGroup") every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf("user") diff --git a/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt b/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt index d8f221c93..4bc84925e 100644 --- a/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt +++ b/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt @@ -61,7 +61,6 @@ import org.springframework.test.util.ReflectionTestUtils class SolutionServiceRBACTest : CsmTestBase() { val TEST_USER_MAIL = "testuser@mail.fr" - val defaultGroup = listOf("myTestGroup") @Autowired lateinit var rediSearchIndexer: RediSearchIndexer 
@@ -90,7 +89,8 @@ class SolutionServiceRBACTest : CsmTestBase() { solutionApiService, "containerRegistryService", containerRegistryService) every { containerRegistryService.getImageLabel(any(), any(), any()) } returns null every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER - every { getCurrentAccountGroups(any()) } returns defaultGroup + every { getCurrentAccountGroups(any()) } returns listOf("myTestGroup") + every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf("user") diff --git a/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceIntegrationTest.kt b/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceIntegrationTest.kt index 01cacd4a7..50515266b 100644 --- a/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceIntegrationTest.kt +++ b/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceIntegrationTest.kt @@ -61,7 +61,6 @@ class WorkspaceServiceIntegrationTest : CsmTestBase() { val CONNECTED_ADMIN_USER = "test.admin@cosmotech.com" val CONNECTED_DEFAULT_USER = "test.user@cosmotech.com" val fileName = "test_workspace_file.txt" - val defaultGroup = listOf("myTestGroup") private val logger = LoggerFactory.getLogger(WorkspaceServiceIntegrationTest::class.java) @Autowired lateinit var rediSearchIndexer: RediSearchIndexer @@ -88,7 +87,7 @@ class WorkspaceServiceIntegrationTest : CsmTestBase() { fun setUp() { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER - every { getCurrentAccountGroups(any()) } returns defaultGroup + every { getCurrentAccountGroups(any()) } returns listOf("myTestGroup") every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf("user") 
diff --git a/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceRBACTest.kt b/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceRBACTest.kt index 9ab893d54..313e7e569 100644 --- a/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceRBACTest.kt +++ b/workspace/src/integrationTest/kotlin/com/cosmotech/workspace/service/WorkspaceServiceRBACTest.kt @@ -73,7 +73,6 @@ class WorkspaceServiceRBACTest : CsmTestBase() { val TEST_USER_MAIL = "testuser@mail.fr" val CONNECTED_ADMIN_USER = "test.admin@cosmotech.com" - val defaultGroup = listOf("myTestGroup") @RelaxedMockK private lateinit var resource: MultipartFile @@ -98,7 +97,7 @@ class WorkspaceServiceRBACTest : CsmTestBase() { ReflectionTestUtils.setField(workspaceApiService, "s3Template", s3Template) every { containerRegistryService.getImageLabel(any(), any(), any()) } returns null every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER - every { getCurrentAccountGroups(any()) } returns defaultGroup + every { getCurrentAccountGroups(any()) } returns listOf("myTestGroup") every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "test.user" every { getCurrentAuthenticatedRoles(any()) } returns listOf() diff --git a/workspace/src/test/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImplTests.kt b/workspace/src/test/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImplTests.kt index d7637308c..4e644b252 100644 --- a/workspace/src/test/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImplTests.kt +++ b/workspace/src/test/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImplTests.kt 
@@ -81,8 +81,6 @@ const val S3_BUCKET_NAME = "test-bucket" @Suppress("LargeClass") class WorkspaceServiceImplTests { - val defaultGroup = listOf("myTestGroup") - @MockK private lateinit var solutionService: SolutionApiServiceInterface @RelaxedMockK private lateinit var organizationService: OrganizationApiServiceInterface @@ -115,7 +113,7 @@ class WorkspaceServiceImplTests { fun beforeEach() { mockkStatic("com.cosmotech.common.utils.SecurityUtilsKt") every { getCurrentAccountIdentifier(any()) } returns CONNECTED_DEFAULT_USER - every { getCurrentAccountGroups(any()) } returns defaultGroup + every { getCurrentAccountGroups(any()) } returns listOf("myTestGroup") every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "my.account-tester" every { getCurrentAuthenticatedRoles(any()) } returns listOf()