#1059 add unit and integration tests for RBAC checks using user-access details

Author: challamani-ms

calm-hub/keycloak-dev/device-code-flow-v2.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
-CLIENT_ID="calm-hub-device-flow"
-SCOPE="architectures:all architectures:read"
+CLIENT_ID="calm-hub-admin-app"
+SCOPE="namespace:admin"
 DEVICE_AUTH_ENDPOINT="https://localhost:9443/realms/calm-hub-realm/protocol/openid-connect/auth/device"
 DEVICE_AUTH_RESPONSE=$(curl --insecure -X POST \
   -H "Content-Type: application/x-www-form-urlencoded" \
@@ -54,11 +54,17 @@ poll_token() {
 #Start token polling
 poll_token
 
-echo -e "\nPress enter to get patterns"
+echo -e "\nPress enter to create a sample user-access details associated to finos"
 read
 if [[ -n $ACCESS_TOKEN ]]; then
-  curl --insecure -v "https://localhost:8443/calm/namespaces/finos/patterns" \
+  curl -X POST --insecure -v "https://localhost:8443/calm/namespaces/finos/user-access" \
     -H "Content-Type: application/json" \
-    -H "Authorization: Bearer $ACCESS_TOKEN"
+    -H "Authorization: Bearer $ACCESS_TOKEN" \
+    -d '{ "namespace": "finos", "resourceType": "namespaces", "permission": "read", "username": "demo" }'
+
+  echo -e "\nPress enter to get list of user-access details"
+  read
+  curl --insecure -v "https://localhost:8443/calm/namespaces/finos/user-access" \
+      -H "Content-Type: application/json" \
+      -H "Authorization: Bearer $ACCESS_TOKEN"
 fi
-#Reference: https://github.com/keycloak/keycloak-community/blob/main/design/oauth2-device-authorization-grant.md

calm-hub/keycloak-dev/device-code-flow.sh

@@ -10,9 +10,6 @@ DEVICE_AUTH_RESPONSE=$(curl -X POST \
   -d "client_id=$CLIENT_ID" -d "scope=$SCOPE" \
   $DEVICE_AUTH_ENDPOINT)
 
-
-#M467095uma
-
 # Extract values from the device auth response.
 DEVICE_CODE=$(echo "$DEVICE_AUTH_RESPONSE" | jq -r '.device_code')
 USER_CODE=$(echo "$DEVICE_AUTH_RESPONSE" | jq -r '.user_code')

calm-hub/keycloak-dev/device_code_flow_entraid.sh

@@ -45,9 +45,9 @@ if (db.counters.countDocuments({ _id: "flowStoreCounter" }) === 1) {
 if (db.counters.countDocuments({ _id: "userAccessStoreCounter" }) === 1) {
     db.counters.insertOne({
         _id: "userAccessStoreCounter",
-        sequence_value: 1
+        sequence_value: 4
     });
-    print("Initialized userAccessStoreCounter with sequence_value 1");
+    print("Initialized userAccessStoreCounter with sequence_value 4");
 } else {
     print("userAccessStoreCounter already exists, no initialization needed");
 }
@@ -2672,21 +2672,21 @@ db.architectures.insertMany([
 
 db.userAccess.insertMany([
     {
-        "id": NumberInt(1),
+        "userAccessId": NumberInt(1),
         "username": "demo_admin",
         "permission": "write",
         "namespace": "finos",
         "resourceType": "all"
     },
     {
-        "id": NumberInt(2),
+        "userAccessId": NumberInt(2),
         "username": "demo_admin",
         "permission": "write",
         "namespace": "workshop",
         "resourceType": "patterns"
     },
     {
-        "id": NumberInt(3),
+        "userAccessId": NumberInt(3),
         "username": "demo_admin",
         "permission": "write",
         "namespace": "traderx",

calm-hub/mongo/init-mongo.js

@@ -37,9 +37,11 @@ public static void counterSetup(MongoDatabase database) {
             Document patternStoreCounter = new Document("_id", "patternStoreCounter").append("sequence_value", 0);
             Document architectureStoreCounter = new Document("_id", "architectureStoreCounter").append("sequence_value", 0);
             Document adrStoreCounter = new Document("_id", "adrStoreCounter").append("sequence_value", 0);
+            Document userAccessStoreCounter = new Document("_id", "userAccessStoreCounter").append("sequence_value", 0);
             database.getCollection("counters").insertOne(patternStoreCounter);
             database.getCollection("counters").insertOne(architectureStoreCounter);
             database.getCollection("counters").insertOne(adrStoreCounter);
+            database.getCollection("counters").insertOne(userAccessStoreCounter);
         }
     }
 }

calm-hub/src/integration-test/java/integration/MongoSetup.java

@@ -7,6 +7,7 @@
 import io.quarkus.test.junit.TestProfile;
 import org.bson.Document;
 import org.eclipse.microprofile.config.ConfigProvider;
+import org.finos.calm.domain.UserAccess;
 import org.finos.calm.security.CalmHubScopes;
 import org.junit.jupiter.api.*;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -48,6 +49,17 @@ void setupPatterns() {
                         new Document("namespace", "finos").append("patterns", new ArrayList<>())
                 );
             }
+
+            if (!database.listCollectionNames().into(new ArrayList<>()).contains("userAccess")) {
+                database.createCollection("userAccess");
+                Document document = new Document("username", "test-user")
+                        .append("namespace", "finos")
+                        .append("permission", UserAccess.Permission.read.name())
+                        .append("resourceType", UserAccess.ResourceType.patterns.name())
+                        .append("userAccessId", 101);
+
+                database.getCollection("userAccess").insertOne(document);
+            }
             counterSetup(database);
             namespaceSetup(database);
         }
@@ -58,7 +70,7 @@ void setupPatterns() {
     void end_to_end_get_patterns_with_valid_scopes() {
         String authServerUrl = ConfigProvider.getConfig().getValue("quarkus.oidc.auth-server-url", String.class);
         logger.info("authServerUrl {}", authServerUrl);
-        String accessToken = getAccessToken(authServerUrl, CalmHubScopes.ARCHITECTURES_READ);
+        String accessToken = generateAccessTokenWithPasswordGrantType(authServerUrl, CalmHubScopes.ARCHITECTURES_READ);
         given()
                 .auth().oauth2(accessToken)
                 .when().get("/calm/namespaces/finos/patterns")
@@ -67,7 +79,7 @@ void end_to_end_get_patterns_with_valid_scopes() {
                 .body("values", empty());
     }
 
-    private String getAccessToken(String authServerUrl, String scope) {
+    private String generateAccessTokenWithClientCredentialGrant(String authServerUrl, String scope) {
         String accessToken = given()
                 .auth()
                 .preemptive()
@@ -83,12 +95,31 @@ private String getAccessToken(String authServerUrl, String scope) {
         return accessToken;
     }
 
+    //This is not recommended from production, this password grant type is using to embedded preferred_username in jwt token to perform RBAC checks.
+    private String generateAccessTokenWithPasswordGrantType(String authServerUrl, String scope) {
+        String accessToken = given()
+                .auth()
+                .preemptive()
+                .basic("calm-hub-client-app", "calm-hub-client-app-secret")
+                .formParam("grant_type", "password")
+                .formParam("username", "test-user")
+                .formParam("password", "changeme")
+                .formParam("scope", scope)
+                .when()
+                .post(authServerUrl.concat("/protocol/openid-connect/token"))
+                .then()
+                .statusCode(200)
+                .extract()
+                .path("access_token");
+        return accessToken;
+    }
+
     @Test
     @Order(2)
     void end_to_end_forbidden_create_pattern_when_matching_scopes_notfound() {
         String authServerUrl = ConfigProvider.getConfig().getValue("quarkus.oidc.auth-server-url", String.class);
         logger.info("authServerUrl {}", authServerUrl);
-        String accessToken = getAccessToken(authServerUrl, CalmHubScopes.ARCHITECTURES_READ);
+        String accessToken = generateAccessTokenWithClientCredentialGrant(authServerUrl, CalmHubScopes.ARCHITECTURES_READ);
 
         given()
                 .auth().oauth2(accessToken)
@@ -118,7 +149,7 @@ void end_to_end_unauthorize_create_pattern_request_with_no_access_token() {
     void end_to_end_get_namespaces_with_valid_access_token(String scope) {
         String authServerUrl = ConfigProvider.getConfig().getValue("quarkus.oidc.auth-server-url", String.class);
         logger.info("authServerUrl {}", authServerUrl);
-        String accessToken = getAccessToken(authServerUrl, scope);
+        String accessToken = generateAccessTokenWithClientCredentialGrant(authServerUrl, scope);
         given()
                 .auth().oauth2(accessToken)
                 .when().get("/calm/namespaces")
@@ -132,7 +163,7 @@ void end_to_end_get_namespaces_with_valid_access_token(String scope) {
     void end_to_end_forbidden_get_namespaces_when_matching_scopes_notfound() {
         String authServerUrl = ConfigProvider.getConfig().getValue("quarkus.oidc.auth-server-url", String.class);
         logger.info("authServerUrl {}", authServerUrl);
-        String accessToken = getAccessToken(authServerUrl, "deny:all");
+        String accessToken = generateAccessTokenWithClientCredentialGrant(authServerUrl, "deny:all");
         given()
                 .auth().oauth2(accessToken)
                 .when().get("/calm/namespaces")

calm-hub/src/integration-test/java/integration/PermittedScopesIntegration.java

@@ -31,7 +31,7 @@ public enum ResourceType {
     private Permission permission;
     private String namespace;
     private ResourceType resourceType;
-    private int id;
+    private int userAccessId;
 
     @JsonDeserialize(using = LocalDateTimeDeserializer.class)
     @JsonSerialize(using = LocalDateTimeSerializer.class)
@@ -41,12 +41,12 @@ public enum ResourceType {
     @JsonSerialize(using = LocalDateTimeSerializer.class)
     private LocalDateTime updateDateTime;
 
-    public UserAccess(String username, Permission permission, String namespace, ResourceType resourceType, int id) {
+    public UserAccess(String username, Permission permission, String namespace, ResourceType resourceType, int userAccessId) {
         this.username = username;
         this.permission = permission;
         this.namespace = namespace;
         this.resourceType = resourceType;
-        this.id = id;
+        this.userAccessId = userAccessId;
     }
 
     public UserAccess(String username, Permission permission, String namespace, ResourceType resourceType) {
@@ -66,7 +66,7 @@ public static class UserAccessBuilder {
         private Permission permission;
         private String namespace;
         private ResourceType resourceType;
-        private int id;
+        private int userAccessId;
 
         public UserAccessBuilder setUsername(String username) {
             this.username = username;
@@ -88,13 +88,13 @@ public UserAccessBuilder setResourceType(ResourceType resourceType) {
             return this;
         }
 
-        public UserAccessBuilder setId(int id) {
-            this.id = id;
+        public UserAccessBuilder setUserAccessId(int userAccessId) {
+            this.userAccessId = userAccessId;
             return this;
         }
 
         public UserAccess build(){
-            return new UserAccess(username, permission, namespace, resourceType, id);
+            return new UserAccess(username, permission, namespace, resourceType, userAccessId);
         }
     }
 
@@ -114,8 +114,8 @@ public ResourceType getResourceType() {
         return resourceType;
     }
 
-    public int getId() {
-        return id;
+    public int getUserAccessId() {
+        return userAccessId;
     }
 
     public LocalDateTime getCreationDateTime() {
@@ -141,7 +141,7 @@ public boolean equals(Object o) {
 
         UserAccess that = (UserAccess) o;
 
-        if (id != that.id) return false;
+        if (userAccessId != that.userAccessId) return false;
         if (!Objects.equals(username, that.username)) return false;
         if (!Objects.equals(permission, that.permission)) return false;
         if (!Objects.equals(namespace, that.namespace)) return false;
@@ -150,7 +150,7 @@ public boolean equals(Object o) {
 
     @Override
     public int hashCode() {
-        return Objects.hash(username, permission, namespace, resourceType, id);
+        return Objects.hash(username, permission, namespace, resourceType, userAccessId);
     }
 
     @Override
@@ -160,7 +160,7 @@ public String toString() {
                 ", permission='" + permission + '\'' +
                 ", namespace='" + namespace + '\'' +
                 ", resourceType='" + resourceType + '\'' +
-                ", id=" + id +
+                ", userAccessId=" + userAccessId +
                 '}';
     }
 
@@ -180,7 +180,7 @@ public void setResourceType(ResourceType resourceType) {
         this.resourceType = resourceType;
     }
 
-    public void setId(int id) {
-        this.id = id;
+    public void setUserAccessId(int userAccessId) {
+        this.userAccessId = userAccessId;
     }
 }