Merge pull request #20 from rbkmoney/ft/JAVA-103

Add checking rights in org-manager controllers
2024-11-06 00:15:23 +00:00 · 2021-03-05 15:09:15 +03:00 · 2021-03-05 15:09:15 +03:00 · 24c75fee6c
commit 24c75fee6c
parent 2ad7308bd8 3c9c0997ea
17 changed files with 483 additions and 21 deletions
--- a/src/main/java/com/rbkmoney/orgmanager/config/BouncerConfig.java
+++ b/src/main/java/com/rbkmoney/orgmanager/config/BouncerConfig.java
@ -0,0 +1,24 @@
+package com.rbkmoney.orgmanager.config;
+
+import com.rbkmoney.bouncer.decisions.ArbiterSrv;
+import com.rbkmoney.woody.thrift.impl.http.THClientBuilder;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.Resource;
+
+import java.io.IOException;
+
+@Configuration
+public class BouncerConfig {
+
+    @Bean
+    public ArbiterSrv.Iface bouncerClient(@Value("${bouncer.url}") Resource resource,
+                                          @Value("${bouncer.networkTimeout}") int networkTimeout) throws IOException {
+        return new THClientBuilder()
+                .withNetworkTimeout(networkTimeout)
+                .withAddress(resource.getURI())
+                .build(ArbiterSrv.Iface.class);
+    }
+
+}
--- a/src/main/java/com/rbkmoney/orgmanager/config/properties/AccessProperties.java
+++ b/src/main/java/com/rbkmoney/orgmanager/config/properties/AccessProperties.java
@ -0,0 +1,14 @@
+package com.rbkmoney.orgmanager.config.properties;
+
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@ConfigurationProperties(prefix = "access-check")
+@Data
+public class AccessProperties {
+
+    private Boolean enabled;
+
+}
--- a/src/main/java/com/rbkmoney/orgmanager/config/properties/BouncerProperties.java
+++ b/src/main/java/com/rbkmoney/orgmanager/config/properties/BouncerProperties.java
@ -13,5 +13,6 @@ public class BouncerProperties {
    private String deploymentId;
    private String authMethod;
    private String realm;
+    private String ruleSetId;

 }
--- a/src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java
+++ b/src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java
@ -4,6 +4,7 @@ import com.rbkmoney.orgmanager.service.InvitationService;
 import com.rbkmoney.orgmanager.service.KeycloakService;
 import com.rbkmoney.orgmanager.service.OrganizationRoleService;
 import com.rbkmoney.orgmanager.service.OrganizationService;
+import com.rbkmoney.orgmanager.service.ResourceAccessService;
 import com.rbkmoney.swag.organizations.api.OrgsApi;
 import com.rbkmoney.swag.organizations.model.InlineObject;
 import com.rbkmoney.swag.organizations.model.InlineObject1;
@ -36,41 +37,43 @@ public class OrgsController implements OrgsApi {
    private final InvitationService invitationService;
    private final OrganizationRoleService organizationRoleService;
    private final KeycloakService keycloakService;
+    private final ResourceAccessService resourceAccessService;

-    // TODO при создании организации можем использовать для проверки его id?
    @Override
    public ResponseEntity<Organization> createOrg(
            String xRequestID,
            Organization organization,
            String xIdempotencyKey) {
-        log.info("Create organization: requestId={}, idempontencyKey={}, organization={}", xRequestID, xIdempotencyKey, organization);
+        log.info("Create organization: requestId={}, idempontencyKey={}, organization={}", xRequestID, xIdempotencyKey,
+                organization);
+        resourceAccessService.checkRights();
        AccessToken accessToken = keycloakService.getAccessToken();
        return organizationService.create(accessToken.getSubject(), organization, xIdempotencyKey);
    }

-    // TODO organization в контекст
    @Override
    public ResponseEntity<Organization> getOrg(
            String xRequestID,
            String orgId) {
        log.info("Get organization: requestId={}, orgId={}", xRequestID, orgId);
+        resourceAccessService.checkOrganizationRights(orgId);
        return organizationService.get(orgId);
    }

-    // TODO organization и user в контекст
    @Override
    public ResponseEntity<Member> getOrgMember(
            String xRequestID,
            String orgId,
            String userId) {
        log.info("Get organization member: requestId={}, orgId={}, userId={}", xRequestID, orgId, userId);
+        resourceAccessService.checkMemberRights(orgId, userId);
        return organizationService.getMember(userId);
    }

-    // TODO organization  контекст
    @Override
    public ResponseEntity<MemberOrgListResult> listOrgMembers(String xRequestID, String orgId) {
        log.info("List organization members: requestId={}, orgId={}", xRequestID, orgId);
+        resourceAccessService.checkOrganizationRights(orgId);
        return organizationService.listMembers(orgId);
    }

@ -97,6 +100,7 @@ public class OrgsController implements OrgsApi {
    @Override
    public ResponseEntity<InvitationListResult> listInvitations(String xRequestID, String orgId, InvitationStatusName status) {
        log.info("List invitations: requestId={}, orgId={}, status={}", xRequestID, orgId, status);
+        resourceAccessService.checkOrganizationRights(orgId);
        return invitationService.list(orgId, status);
    }

@ -118,16 +122,16 @@ public class OrgsController implements OrgsApi {
        return organizationRoleService.get(orgId, roleId);
    }

-    // TODO organization в контекст
    @Override
    public ResponseEntity<RoleAvailableListResult> listOrgRoles(String xRequestID, String orgId) {
        log.info("List organization roles: requestId={}, orgId={}", xRequestID, orgId);
+        resourceAccessService.checkOrganizationRights(orgId);
        return organizationRoleService.list(orgId);
    }

-    // TODO organization в контекст
    @Override
    public ResponseEntity<Organization> patchOrg(String xRequestID, String orgId, InlineObject inlineObject) {
+        resourceAccessService.checkOrganizationRights(orgId);
        return organizationService.modify(orgId, inlineObject.getName());
    }

@ -142,13 +146,13 @@ public class OrgsController implements OrgsApi {
        return organizationService.assignMemberRole(orgId, userId, body);
    }

-    // TODO organization и user в контекст
    @Override
    public ResponseEntity<Void> expelOrgMember(
            String xRequestID,
            String orgId,
            String userId) {
        log.info("Expel member organization: requestId={}, orgId={}, userId={}", xRequestID, orgId, userId);
+        resourceAccessService.checkMemberRights(orgId, userId);
        return organizationService.expelOrgMember(orgId, userId);
    }

--- a/src/main/java/com/rbkmoney/orgmanager/controller/UserController.java
+++ b/src/main/java/com/rbkmoney/orgmanager/controller/UserController.java
@ -3,6 +3,7 @@ package com.rbkmoney.orgmanager.controller;
 import com.rbkmoney.orgmanager.entity.OrganizationEntityPageable;
 import com.rbkmoney.orgmanager.service.KeycloakService;
 import com.rbkmoney.orgmanager.service.OrganizationService;
+import com.rbkmoney.orgmanager.service.ResourceAccessService;
 import com.rbkmoney.swag.organizations.api.UserApi;
 import com.rbkmoney.swag.organizations.model.OrganizationJoinRequest;
 import com.rbkmoney.swag.organizations.model.OrganizationMembership;
@ -20,24 +21,25 @@ public class UserController implements UserApi {

    private final OrganizationService organizationService;
    private final KeycloakService keycloakService;
+    private final ResourceAccessService resourceAccessService;

-    // TODO organization и текущий user в контекст
    @Override
    public ResponseEntity<Void> cancelOrgMembership(
            String xRequestID,
            String orgId) {
-        AccessToken accessToken = keycloakService.getAccessToken();
        log.info("Cancel org membership: orgId={}", orgId);
+        resourceAccessService.checkOrganizationRights(orgId);
+        AccessToken accessToken = keycloakService.getAccessToken();
        return organizationService.cancelOrgMembership(orgId, accessToken.getSubject(), accessToken.getEmail());
    }

-    // TODO organization и текущий user в контекст
    @Override
    public ResponseEntity<OrganizationMembership> inquireOrgMembership(
            String xRequestID,
            String orgId) {
-        AccessToken accessToken = keycloakService.getAccessToken();
        log.info("Inquire org membership: orgId={}", orgId);
+        resourceAccessService.checkOrganizationRights(orgId);
+        AccessToken accessToken = keycloakService.getAccessToken();
        return organizationService.getMembership(orgId, accessToken.getSubject(), accessToken.getEmail());
    }

--- a/src/main/java/com/rbkmoney/orgmanager/exception/AccessDeniedException.java
+++ b/src/main/java/com/rbkmoney/orgmanager/exception/AccessDeniedException.java
@ -0,0 +1,8 @@
+package com.rbkmoney.orgmanager.exception;
+
+public class AccessDeniedException extends RuntimeException {
+
+    public AccessDeniedException(String message) {
+        super(message);
+    }
+}
--- a/src/main/java/com/rbkmoney/orgmanager/exception/BouncerException.java
+++ b/src/main/java/com/rbkmoney/orgmanager/exception/BouncerException.java
@ -0,0 +1,8 @@
+package com.rbkmoney.orgmanager.exception;
+
+public class BouncerException extends RuntimeException {
+
+    public BouncerException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
--- a/src/main/java/com/rbkmoney/orgmanager/exception/RestExceptionHandler.java
+++ b/src/main/java/com/rbkmoney/orgmanager/exception/RestExceptionHandler.java
@ -0,0 +1,20 @@
+package com.rbkmoney.orgmanager.exception;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.context.request.WebRequest;
+import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;
+
+@ControllerAdvice
+public class RestExceptionHandler extends ResponseEntityExceptionHandler {
+
+    @ExceptionHandler(value = {AccessDeniedException.class})
+    protected ResponseEntity<Object> handleAccessDeniedException(AccessDeniedException ex, WebRequest request) {
+        return ResponseEntity
+                .status(HttpStatus.FORBIDDEN)
+                .build();
+    }
+
+}
--- a/src/main/java/com/rbkmoney/orgmanager/service/BouncerService.java
+++ b/src/main/java/com/rbkmoney/orgmanager/service/BouncerService.java
@ -0,0 +1,8 @@
+package com.rbkmoney.orgmanager.service;
+
+import com.rbkmoney.orgmanager.service.dto.BouncerContextDto;
+
+public interface BouncerService {
+
+    boolean havePrivileges(BouncerContextDto bouncerContext);
+}
--- a/src/main/java/com/rbkmoney/orgmanager/service/BouncerServiceImpl.java
+++ b/src/main/java/com/rbkmoney/orgmanager/service/BouncerServiceImpl.java
@ -0,0 +1,36 @@
+package com.rbkmoney.orgmanager.service;
+
+import com.rbkmoney.bouncer.decisions.ArbiterSrv;
+import com.rbkmoney.bouncer.decisions.Context;
+import com.rbkmoney.bouncer.decisions.Judgement;
+import com.rbkmoney.bouncer.decisions.Resolution;
+import com.rbkmoney.orgmanagement.UserNotFound;
+import com.rbkmoney.orgmanager.config.properties.BouncerProperties;
+import com.rbkmoney.orgmanager.exception.BouncerException;
+import com.rbkmoney.orgmanager.service.dto.BouncerContextDto;
+import lombok.RequiredArgsConstructor;
+import org.apache.thrift.TException;
+import org.springframework.stereotype.Service;
+
+@Service
+@RequiredArgsConstructor
+public class BouncerServiceImpl implements BouncerService {
+
+    private final BouncerContextFactory bouncerContextFactory;
+    private final ArbiterSrv.Iface bouncerClient;
+    private final BouncerProperties bouncerProperties;
+
+    @Override
+    public boolean havePrivileges(BouncerContextDto bouncerContext) {
+        try {
+            Context context = bouncerContextFactory.buildContext(bouncerContext);
+            Judgement judge = bouncerClient.judge(bouncerProperties.getRuleSetId(), context);
+            Resolution resolution = judge.getResolution();
+            return resolution.isSetAllowed();
+        } catch (UserNotFound e) {
+            throw new BouncerException("Error while build bouncer context", e);
+        } catch (TException e) {
+            throw new BouncerException("Error while call bouncer", e);
+        }
+    }
+}
--- a/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java
+++ b/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java
@ -0,0 +1,11 @@
+package com.rbkmoney.orgmanager.service;
+
+public interface ResourceAccessService {
+
+    void checkRights();
+
+    void checkOrganizationRights(String orgId);
+
+    void checkMemberRights(String orgId, String memberId);
+
+}
--- a/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java
+++ b/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java
@ -0,0 +1,70 @@
+package com.rbkmoney.orgmanager.service;
+
+import com.rbkmoney.orgmanager.config.properties.AccessProperties;
+import com.rbkmoney.orgmanager.exception.AccessDeniedException;
+import com.rbkmoney.orgmanager.service.dto.BouncerContextDto;
+import com.rbkmoney.orgmanager.util.StackUtils;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Service;
+
+@Slf4j
+@Service
+@RequiredArgsConstructor
+public class ResourceAccessServiceImpl implements ResourceAccessService {
+
+    private final AccessProperties accessProperties;
+    private final BouncerService bouncerService;
+
+    @Override
+    public void checkRights() {
+        if (!accessProperties.getEnabled()) {
+            return;
+        }
+        String callerMethodName = StackUtils.getCallerMethodName();
+        BouncerContextDto bouncerContext = BouncerContextDto.builder()
+                .operationName(callerMethodName)
+                .build();
+        log.info("Check the user's rights to perform the operation {}", callerMethodName);
+        if (!bouncerService.havePrivileges(bouncerContext)) {
+            throw new AccessDeniedException(
+                    String.format("No rights to perform %s", callerMethodName));
+        }
+    }
+
+    @Override
+    public void checkOrganizationRights(String orgId) {
+        if (!accessProperties.getEnabled()) {
+            return;
+        }
+        String callerMethodName = StackUtils.getCallerMethodName();
+        BouncerContextDto bouncerContext = BouncerContextDto.builder()
+                .operationName(callerMethodName)
+                .organizationId(orgId)
+                .build();
+        log.info("Check the user's rights to perform the operation {} in organization {}", callerMethodName, orgId);
+        if (!bouncerService.havePrivileges(bouncerContext)) {
+            throw new AccessDeniedException(
+                    String.format("No rights to perform %s in %s", callerMethodName, orgId));
+        }
+    }
+
+    @Override
+    public void checkMemberRights(String orgId, String memberId) {
+        if (!accessProperties.getEnabled()) {
+            return;
+        }
+        String callerMethodName = StackUtils.getCallerMethodName();
+        BouncerContextDto bouncerContext = BouncerContextDto.builder()
+                .operationName(callerMethodName)
+                .organizationId(orgId)
+                .memberId(memberId)
+                .build();
+        log.info("Check the user's rights to perform the operation {} in organization {} with member {}",
+                callerMethodName, orgId, memberId);
+        if (!bouncerService.havePrivileges(bouncerContext)) {
+            throw new AccessDeniedException(
+                    String.format("No rights to perform %s in %s with %s", callerMethodName, orgId, memberId));
+        }
+    }
+}
--- a/src/main/java/com/rbkmoney/orgmanager/util/StackUtils.java
+++ b/src/main/java/com/rbkmoney/orgmanager/util/StackUtils.java
@ -0,0 +1,20 @@
+package com.rbkmoney.orgmanager.util;
+
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+
+import java.util.Optional;
+
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public class StackUtils {
+
+    public static String getCallerMethodName() {
+        Optional<StackWalker.StackFrame> callerFrame = StackWalker.getInstance()
+                .walk(s -> s.skip(2).findFirst());
+        if (callerFrame.isEmpty()) {
+            throw new RuntimeException("Can't get caller method name");
+        }
+        return callerFrame.get().getMethodName();
+    }
+
+}
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@ -70,7 +70,13 @@ dashboard:
  url: https://dashboard.rbk.money/organizations/accept-invitation/

 bouncer:
+  url: http://localhost:8022/change_it
+  networkTimeout: 10000
  context-fragment-id: orgmgmt
  deployment-id: production
  auth-method: SessionToken
  realm: external
+  rule-set-id: change_it
+
+access-check:
+  enabled: false
--- a/src/test/java/com/rbkmoney/orgmanager/controller/OrgsControllerTest.java
+++ b/src/test/java/com/rbkmoney/orgmanager/controller/OrgsControllerTest.java
@ -3,20 +3,17 @@ package com.rbkmoney.orgmanager.controller;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.rbkmoney.orgmanager.OrgManagerApplication;
 import com.rbkmoney.orgmanager.entity.MemberEntity;
-import com.rbkmoney.orgmanager.entity.MemberRoleEntity;
 import com.rbkmoney.orgmanager.entity.OrganizationEntity;
+import com.rbkmoney.orgmanager.exception.AccessDeniedException;
 import com.rbkmoney.orgmanager.repository.InvitationRepositoryTest;
 import com.rbkmoney.orgmanager.repository.MemberRepository;
 import com.rbkmoney.orgmanager.repository.OrganizationRepository;
 import com.rbkmoney.orgmanager.service.OrganizationService;
+import com.rbkmoney.orgmanager.service.ResourceAccessService;
 import com.rbkmoney.orgmanager.util.TestData;
 import com.rbkmoney.swag.organizations.model.InvitationRequest;
-import com.rbkmoney.swag.organizations.model.Invitee;
-import com.rbkmoney.swag.organizations.model.InviteeContact;
 import com.rbkmoney.swag.organizations.model.MemberRole;
-import com.rbkmoney.swag.organizations.model.MemberRoleScope;
 import com.rbkmoney.swag.organizations.model.OrganizationMembership;
-import com.rbkmoney.swag.organizations.model.ResourceScopeId;
 import com.rbkmoney.swag.organizations.model.RoleId;
 import org.junit.Assert;
 import org.junit.Before;
@ -32,14 +29,11 @@ import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;

-import java.time.LocalDateTime;
-import java.util.HashMap;
-import java.util.Map;
 import java.util.Optional;
-import java.util.Set;

 import static org.hamcrest.core.Is.is;
 import static org.hamcrest.core.IsAnything.anything;
+import static org.mockito.Mockito.doThrow;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
@ -81,6 +75,9 @@ public class OrgsControllerTest extends AbstractControllerTest {
    @SpyBean
    private OrganizationService organizationService;

+    @SpyBean
+    private ResourceAccessService resourceAccessService;
+
    @Before
    public void setUp() throws Exception {
        keycloakOpenIdStub.givenStub();
@ -88,6 +85,18 @@ public class OrgsControllerTest extends AbstractControllerTest {
        organizationRepository.save(organizationEntity);
    }

+    @Test
+    public void expelOrgMemberWithoutAccess() throws Exception {
+        doThrow(new AccessDeniedException("Access denied")).when(resourceAccessService)
+                .checkMemberRights(ORGANIZATION_ID, MEMBER_ID);
+
+        mockMvc.perform(delete(String.format("/orgs/%s/members/%s", ORGANIZATION_ID, MEMBER_ID))
+                .contentType("application/json")
+                .header("Authorization", "Bearer " + generateRBKadminJwt())
+                .header("X-Request-ID", "testRequestId"))
+                .andExpect(status().isForbidden());
+    }
+
    @Test
    public void assignMemberRoleTest() throws Exception {
        MemberRole memberRole = TestData.buildMemberRole();
--- a/src/test/java/com/rbkmoney/orgmanager/service/BouncerServiceImplTest.java
+++ b/src/test/java/com/rbkmoney/orgmanager/service/BouncerServiceImplTest.java
@ -0,0 +1,100 @@
+package com.rbkmoney.orgmanager.service;
+
+import com.rbkmoney.bouncer.decisions.ArbiterSrv;
+import com.rbkmoney.bouncer.decisions.Context;
+import com.rbkmoney.bouncer.decisions.Judgement;
+import com.rbkmoney.bouncer.decisions.Resolution;
+import com.rbkmoney.bouncer.decisions.ResolutionAllowed;
+import com.rbkmoney.bouncer.decisions.ResolutionRestricted;
+import com.rbkmoney.bouncer.decisions.RulesetNotFound;
+import com.rbkmoney.orgmanagement.UserNotFound;
+import com.rbkmoney.orgmanager.TestObjectFactory;
+import com.rbkmoney.orgmanager.config.properties.BouncerProperties;
+import com.rbkmoney.orgmanager.exception.BouncerException;
+import com.rbkmoney.orgmanager.service.dto.BouncerContextDto;
+import org.apache.thrift.TException;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(SpringExtension.class)
+class BouncerServiceImplTest {
+
+    @Mock
+    private ArbiterSrv.Iface bouncerClient;
+
+    @Mock
+    private BouncerContextFactory bouncerContextFactory;
+
+    private BouncerService bouncerService;
+
+
+    @BeforeEach
+    void setUp() {
+        BouncerProperties bouncerProperties = new BouncerProperties();
+        bouncerProperties.setRuleSetId(TestObjectFactory.randomString());
+        bouncerService = new BouncerServiceImpl(bouncerContextFactory, bouncerClient, bouncerProperties);
+    }
+
+    @Test
+    void havePrivilegesWithIncorrectBuildContext() throws TException {
+        BouncerContextDto bouncerContext = TestObjectFactory.testBouncerContextDto();
+        when(bouncerContextFactory.buildContext(bouncerContext)).thenThrow(new UserNotFound());
+
+        var exception = assertThrows(BouncerException.class, () -> bouncerService.havePrivileges(bouncerContext));
+
+        assertThat(exception.getMessage(), containsString("Error while build bouncer context"));
+    }
+
+    @Test
+    void havePrivilegesWithIncorrectBouncerCall() throws TException {
+        BouncerContextDto bouncerContext = TestObjectFactory.testBouncerContextDto();
+        when(bouncerContextFactory.buildContext(bouncerContext)).thenReturn(new Context());
+        when(bouncerClient.judge(anyString(), any(Context.class))).thenThrow(new RulesetNotFound());
+
+        var exception = assertThrows(BouncerException.class, () -> bouncerService.havePrivileges(bouncerContext));
+
+        assertThat(exception.getMessage(), containsString("Error while call bouncer"));
+    }
+
+    @Test
+    void havePrivilegesWithRestrictedResolution() throws TException {
+        BouncerContextDto bouncerContext = TestObjectFactory.testBouncerContextDto();
+        when(bouncerContextFactory.buildContext(bouncerContext)).thenReturn(new Context());
+        Judgement judgement = new Judgement();
+        Resolution resolution = new Resolution();
+        resolution.setRestricted(new ResolutionRestricted());
+        judgement.setResolution(resolution);
+        when(bouncerClient.judge(anyString(), any(Context.class))).thenReturn(judgement);
+
+        boolean result = bouncerService.havePrivileges(bouncerContext);
+
+        assertFalse(result);
+    }
+
+    @Test
+    void havePrivilegesWithAllowedResolution() throws TException {
+        BouncerContextDto bouncerContext = TestObjectFactory.testBouncerContextDto();
+        when(bouncerContextFactory.buildContext(bouncerContext)).thenReturn(new Context());
+        Judgement judgement = new Judgement();
+        Resolution resolution = new Resolution();
+        resolution.setAllowed(new ResolutionAllowed());
+        judgement.setResolution(resolution);
+        when(bouncerClient.judge(anyString(), any(Context.class))).thenReturn(judgement);
+
+        boolean result = bouncerService.havePrivileges(bouncerContext);
+
+        assertTrue(result);
+    }
+}
--- a/src/test/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImplTest.java
+++ b/src/test/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImplTest.java
@ -0,0 +1,121 @@
+package com.rbkmoney.orgmanager.service;
+
+import com.rbkmoney.orgmanager.TestObjectFactory;
+import com.rbkmoney.orgmanager.config.properties.AccessProperties;
+import com.rbkmoney.orgmanager.exception.AccessDeniedException;
+import com.rbkmoney.orgmanager.service.dto.BouncerContextDto;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.stringContainsInOrder;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(SpringExtension.class)
+class ResourceAccessServiceImplTest {
+
+    private AccessProperties accessProperties;
+    @Mock
+    private BouncerService bouncerService;
+
+    private ResourceAccessService resourceAccessService;
+
+    @BeforeEach
+    void setUp() {
+        accessProperties = new AccessProperties();
+        accessProperties.setEnabled(true);
+        resourceAccessService = new ResourceAccessServiceImpl(accessProperties, bouncerService);
+    }
+
+    @Test
+    void checkNotEnabled() {
+        accessProperties.setEnabled(false);
+
+        assertDoesNotThrow(() -> resourceAccessService.checkRights());
+
+        verify(bouncerService, times(0)).havePrivileges(any(BouncerContextDto.class));
+    }
+
+    @Test
+    void checkRightsWithoutAccess() {
+        when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(false);
+
+        var exception = assertThrows(AccessDeniedException.class, () -> resourceAccessService.checkRights());
+
+        assertThat(exception.getMessage(), containsString("No rights to perform"));
+    }
+
+    @Test
+    void checkRightsSuccess() {
+        when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(true);
+        assertDoesNotThrow(() -> resourceAccessService.checkRights());
+    }
+
+    @Test
+    void checkOrganizationNotEnabled() {
+        accessProperties.setEnabled(false);
+        var orgId = "test";
+
+        assertDoesNotThrow(() -> resourceAccessService.checkOrganizationRights(orgId));
+
+        verify(bouncerService, times(0)).havePrivileges(any(BouncerContextDto.class));
+    }
+
+    @Test
+    void checkOrganizationRightsWithoutAccess() {
+        String orgId = TestObjectFactory.randomString();
+        when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(false);
+
+        var exception = assertThrows(AccessDeniedException.class,
+                () -> resourceAccessService.checkOrganizationRights(orgId));
+
+        assertThat(exception.getMessage(), stringContainsInOrder("No rights to perform", orgId));
+    }
+
+    @Test
+    void checkOrganizationRightsSuccess() {
+        when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(true);
+        assertDoesNotThrow(() -> resourceAccessService.checkOrganizationRights(anyString()));
+    }
+
+    @Test
+    void checkMemberNotEnabled() {
+        accessProperties.setEnabled(false);
+        var orgId = "test";
+        var memberId = "test";
+
+        assertDoesNotThrow(() -> resourceAccessService.checkMemberRights(orgId, memberId));
+
+        verify(bouncerService, times(0)).havePrivileges(any(BouncerContextDto.class));
+    }
+
+    @Test
+    void checkMemberRightsWithoutAccess() {
+        String orgId = TestObjectFactory.randomString();
+        String memberId = TestObjectFactory.randomString();
+        when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(false);
+
+        var exception = assertThrows(AccessDeniedException.class,
+                () -> resourceAccessService.checkMemberRights(orgId, memberId));
+
+        assertThat(exception.getMessage(), stringContainsInOrder("No rights to perform", orgId, memberId));
+    }
+
+    @Test
+    void checkMemberRightsSuccess() {
+        String orgId = TestObjectFactory.randomString();
+        String memberId = TestObjectFactory.randomString();
+        when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(true);
+        assertDoesNotThrow(() -> resourceAccessService.checkMemberRights(orgId, memberId));
+    }
+}