valitydev/org-manager
14
0
Fork 0
mirror of https://github.com/valitydev/org-manager.git synced 2024-11-06 08:25:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix after review

Browse Source
This commit is contained in:
ggmaleva 2021-03-04 16:54:34 +03:00
parent a454a09f7b
commit 69f37c1fa4
16 changed files with 265 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/main/java/com/rbkmoney/orgmanager/config/properties/AccessProperties.java Normal file
View File

@ -0,0 +1,14 @@
package com.rbkmoney.orgmanager.config.properties;
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;
@Configuration
@ConfigurationProperties(prefix = "access-check")
@Data
public class AccessProperties {
private Boolean enabled;
}

2
src/main/java/com/rbkmoney/orgmanager/config/properties/BouncerProperties.java
View File

@ -9,10 +9,10 @@ import org.springframework.context.annotation.Configuration;
@Data
public class BouncerProperties {
private Boolean enabled;
private String contextFragmentId;
private String deploymentId;
private String authMethod;
private String realm;
private String ruleSetId;
}

53
src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java
View File

@ -4,7 +4,7 @@ import com.rbkmoney.orgmanager.service.InvitationService;
import com.rbkmoney.orgmanager.service.KeycloakService;
import com.rbkmoney.orgmanager.service.OrganizationRoleService;
import com.rbkmoney.orgmanager.service.OrganizationService;
import com.rbkmoney.orgmanager.service.RightService;
import com.rbkmoney.orgmanager.service.ResourceAccessService;
import com.rbkmoney.swag.organizations.api.OrgsApi;
import com.rbkmoney.swag.organizations.model.InlineObject;
import com.rbkmoney.swag.organizations.model.InlineObject1;
@ -22,7 +22,6 @@ import com.rbkmoney.swag.organizations.model.RoleId;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.keycloak.representations.AccessToken;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RestController;
@ -38,7 +37,7 @@ public class OrgsController implements OrgsApi {
private final InvitationService invitationService;
private final OrganizationRoleService organizationRoleService;
private final KeycloakService keycloakService;
private final RightService rightService;
private final ResourceAccessService resourceAccessService;
@Override
public ResponseEntity<Organization> createOrg(
@ -47,11 +46,7 @@ public class OrgsController implements OrgsApi {
String xIdempotencyKey) {
log.info("Create organization: requestId={}, idempontencyKey={}, organization={}", xRequestID, xIdempotencyKey,
organization);
if (!rightService.haveRights()) {
return ResponseEntity
.status(HttpStatus.FORBIDDEN)
.build();
}
resourceAccessService.checkRights();
AccessToken accessToken = keycloakService.getAccessToken();
return organizationService.create(accessToken.getSubject(), organization, xIdempotencyKey);
}
@ -61,11 +56,7 @@ public class OrgsController implements OrgsApi {
String xRequestID,
String orgId) {
log.info("Get organization: requestId={}, orgId={}", xRequestID, orgId);
if (!rightService.haveOrganizationRights(orgId)) {
return ResponseEntity
.status(HttpStatus.FORBIDDEN)
.build();
}
resourceAccessService.checkOrganizationRights(orgId);
return organizationService.get(orgId);
}
@ -75,22 +66,14 @@ public class OrgsController implements OrgsApi {
String orgId,
String userId) {
log.info("Get organization member: requestId={}, orgId={}, userId={}", xRequestID, orgId, userId);
if (!rightService.haveMemberRights(orgId, userId)) {
return ResponseEntity
.status(HttpStatus.FORBIDDEN)
.build();
}
resourceAccessService.checkMemberRights(orgId, userId);
return organizationService.getMember(userId);
}
@Override
public ResponseEntity<MemberOrgListResult> listOrgMembers(String xRequestID, String orgId) {
log.info("List organization members: requestId={}, orgId={}", xRequestID, orgId);
if (!rightService.haveOrganizationRights(orgId)) {
return ResponseEntity
.status(HttpStatus.FORBIDDEN)
.build();
}
resourceAccessService.checkOrganizationRights(orgId);
return organizationService.listMembers(orgId);
}
@ -117,11 +100,7 @@ public class OrgsController implements OrgsApi {
@Override
public ResponseEntity<InvitationListResult> listInvitations(String xRequestID, String orgId, InvitationStatusName status) {
log.info("List invitations: requestId={}, orgId={}, status={}", xRequestID, orgId, status);
if (!rightService.haveOrganizationRights(orgId)) {
return ResponseEntity
.status(HttpStatus.FORBIDDEN)
.build();
}
resourceAccessService.checkOrganizationRights(orgId);
return invitationService.list(orgId, status);
}
@ -146,21 +125,13 @@ public class OrgsController implements OrgsApi {
@Override
public ResponseEntity<RoleAvailableListResult> listOrgRoles(String xRequestID, String orgId) {
log.info("List organization roles: requestId={}, orgId={}", xRequestID, orgId);
if (!rightService.haveOrganizationRights(orgId)) {
return ResponseEntity
.status(HttpStatus.FORBIDDEN)
.build();
}
resourceAccessService.checkOrganizationRights(orgId);
return organizationRoleService.list(orgId);
}
@Override
public ResponseEntity<Organization> patchOrg(String xRequestID, String orgId, InlineObject inlineObject) {
if (!rightService.haveOrganizationRights(orgId)) {
return ResponseEntity
.status(HttpStatus.FORBIDDEN)
.build();
}
resourceAccessService.checkOrganizationRights(orgId);
return organizationService.modify(orgId, inlineObject.getName());
}
@ -181,11 +152,7 @@ public class OrgsController implements OrgsApi {
String orgId,
String userId) {
log.info("Expel member organization: requestId={}, orgId={}, userId={}", xRequestID, orgId, userId);
if (!rightService.haveMemberRights(orgId, userId)) {
return ResponseEntity
.status(HttpStatus.FORBIDDEN)
.build();
}
resourceAccessService.checkMemberRights(orgId, userId);
return organizationService.expelOrgMember(orgId, userId);
}

17
src/main/java/com/rbkmoney/orgmanager/controller/UserController.java
View File

@ -3,7 +3,7 @@ package com.rbkmoney.orgmanager.controller;
import com.rbkmoney.orgmanager.entity.OrganizationEntityPageable;
import com.rbkmoney.orgmanager.service.KeycloakService;
import com.rbkmoney.orgmanager.service.OrganizationService;
import com.rbkmoney.orgmanager.service.RightService;
import com.rbkmoney.orgmanager.service.ResourceAccessService;
import com.rbkmoney.swag.organizations.api.UserApi;
import com.rbkmoney.swag.organizations.model.OrganizationJoinRequest;
import com.rbkmoney.swag.organizations.model.OrganizationMembership;
@ -11,7 +11,6 @@ import com.rbkmoney.swag.organizations.model.OrganizationSearchResult;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.keycloak.representations.AccessToken;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RestController;
@ -22,18 +21,14 @@ public class UserController implements UserApi {
private final OrganizationService organizationService;
private final KeycloakService keycloakService;
private final RightService rightService;
private final ResourceAccessService resourceAccessService;
@Override
public ResponseEntity<Void> cancelOrgMembership(
String xRequestID,
String orgId) {
log.info("Cancel org membership: orgId={}", orgId);
if (!rightService.haveOrganizationRights(orgId)) {
return ResponseEntity
.status(HttpStatus.FORBIDDEN)
.build();
}
resourceAccessService.checkOrganizationRights(orgId);
AccessToken accessToken = keycloakService.getAccessToken();
return organizationService.cancelOrgMembership(orgId, accessToken.getSubject(), accessToken.getEmail());
}
@ -43,11 +38,7 @@ public class UserController implements UserApi {
String xRequestID,
String orgId) {
log.info("Inquire org membership: orgId={}", orgId);
if (!rightService.haveOrganizationRights(orgId)) {
return ResponseEntity
.status(HttpStatus.FORBIDDEN)
.build();
}
resourceAccessService.checkOrganizationRights(orgId);
AccessToken accessToken = keycloakService.getAccessToken();
return organizationService.getMembership(orgId, accessToken.getSubject(), accessToken.getEmail());
}

8
src/main/java/com/rbkmoney/orgmanager/exception/AccessDeniedException.java Normal file
View File

@ -0,0 +1,8 @@
package com.rbkmoney.orgmanager.exception;
public class AccessDeniedException extends RuntimeException {
public AccessDeniedException(String message) {
super(message);
}
}

8
src/main/java/com/rbkmoney/orgmanager/exception/BouncerException.java Normal file
View File

@ -0,0 +1,8 @@
package com.rbkmoney.orgmanager.exception;
public class BouncerException extends RuntimeException {
public BouncerException(String message, Throwable cause) {
super(message, cause);
}
}

21
src/main/java/com/rbkmoney/orgmanager/exception/RestExceptionHandler.java Normal file
View File

@ -0,0 +1,21 @@
package com.rbkmoney.orgmanager.exception;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.context.request.WebRequest;
import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;
@ControllerAdvice
public class RestExceptionHandler extends ResponseEntityExceptionHandler {
@ExceptionHandler(value = {AccessDeniedException.class})
protected ResponseEntity<Object> handleAccessDeniedException(AccessDeniedException ex, WebRequest request) {
// TODO возможно выдавать сообщение с ошибкой?
return ResponseEntity
.status(HttpStatus.FORBIDDEN)
.build();
}
}

17
src/main/java/com/rbkmoney/orgmanager/service/BouncerServiceImpl.java
View File

@ -4,7 +4,9 @@ import com.rbkmoney.bouncer.decisions.ArbiterSrv;
import com.rbkmoney.bouncer.decisions.Context;
import com.rbkmoney.bouncer.decisions.Judgement;
import com.rbkmoney.bouncer.decisions.Resolution;
import com.rbkmoney.orgmanagement.UserNotFound;
import com.rbkmoney.orgmanager.config.properties.BouncerProperties;
import com.rbkmoney.orgmanager.exception.BouncerException;
import com.rbkmoney.orgmanager.service.dto.BouncerContextDto;
import lombok.RequiredArgsConstructor;
import org.apache.thrift.TException;
@ -20,22 +22,15 @@ public class BouncerServiceImpl implements BouncerService {
@Override
public boolean havePrivileges(BouncerContextDto bouncerContext) {
if (!bouncerProperties.getEnabled()) {
return true;
}
return passJudgement(bouncerContext);
}
private boolean passJudgement(BouncerContextDto bouncerContext) {
try {
Context context = bouncerContextFactory.buildContext(bouncerContext);
// TODO откуда брать ruleSetId ?
Judgement judge = bouncerClient.judge("ruleSetId", context);
Judgement judge = bouncerClient.judge(bouncerProperties.getRuleSetId(), context);
Resolution resolution = judge.getResolution();
return resolution.isSetAllowed();
} catch (UserNotFound e) {
throw new BouncerException("Error while build bouncer context", e);
} catch (TException e) {
// TODO что делаем при исключении?
return false;
throw new BouncerException("Error while call bouncer", e);
}
}
}

11
src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java Normal file
View File

@ -0,0 +1,11 @@
package com.rbkmoney.orgmanager.service;
public interface ResourceAccessService {
void checkRights();
void checkOrganizationRights(String orgId);
void checkMemberRights(String orgId, String memberId);
}

35
src/main/java/com/rbkmoney/orgmanager/service/RightServiceImpl.java → src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java
View File

@ -1,5 +1,7 @@
package com.rbkmoney.orgmanager.service;
import com.rbkmoney.orgmanager.config.properties.AccessProperties;
import com.rbkmoney.orgmanager.exception.AccessDeniedException;
import com.rbkmoney.orgmanager.service.dto.BouncerContextDto;
import com.rbkmoney.orgmanager.util.StackUtils;
import lombok.RequiredArgsConstructor;
@ -9,33 +11,49 @@ import org.springframework.stereotype.Service;
@Slf4j
@Service
@RequiredArgsConstructor
public class RightServiceImpl implements RightService {
public class ResourceAccessServiceImpl implements ResourceAccessService {
private final AccessProperties accessProperties;
private final BouncerService bouncerService;
@Override
public boolean haveRights() {
public void checkRights() {
if (!accessProperties.getEnabled()) {
return;
}
String callerMethodName = StackUtils.getCallerMethodName();
BouncerContextDto bouncerContext = BouncerContextDto.builder()
.operationName(callerMethodName)
.build();
log.info("Check the user's rights to perform the operation {}", callerMethodName);
return bouncerService.havePrivileges(bouncerContext);
if (!bouncerService.havePrivileges(bouncerContext)) {
throw new AccessDeniedException(
String.format("No rights to perform %s", callerMethodName));
}
}
@Override
public boolean haveOrganizationRights(String orgId) {
public void checkOrganizationRights(String orgId) {
if (!accessProperties.getEnabled()) {
return;
}
String callerMethodName = StackUtils.getCallerMethodName();
BouncerContextDto bouncerContext = BouncerContextDto.builder()
.operationName(callerMethodName)
.organizationId(orgId)
.build();
log.info("Check the user's rights to perform the operation {} in organization {}", callerMethodName, orgId);
return bouncerService.havePrivileges(bouncerContext);
if (!bouncerService.havePrivileges(bouncerContext)) {
throw new AccessDeniedException(
String.format("No rights to perform %s in %s", callerMethodName, orgId));
}
}
@Override
public boolean haveMemberRights(String orgId, String memberId) {
public void checkMemberRights(String orgId, String memberId) {
if (!accessProperties.getEnabled()) {
return;
}
String callerMethodName = StackUtils.getCallerMethodName();
BouncerContextDto bouncerContext = BouncerContextDto.builder()
.operationName(callerMethodName)
@ -44,6 +62,9 @@ public class RightServiceImpl implements RightService {
.build();
log.info("Check the user's rights to perform the operation {} in organization {} with member {}",
callerMethodName, orgId, memberId);
return bouncerService.havePrivileges(bouncerContext);
if (!bouncerService.havePrivileges(bouncerContext)) {
throw new AccessDeniedException(
String.format("No rights to perform %s in %s with %s", callerMethodName, orgId, memberId));
}
}
}

11
src/main/java/com/rbkmoney/orgmanager/service/RightService.java
View File

@ -1,11 +0,0 @@
package com.rbkmoney.orgmanager.service;
public interface RightService {
boolean haveRights();
boolean haveOrganizationRights(String orgId);
boolean haveMemberRights(String orgId, String memberId);
}

4
src/main/java/com/rbkmoney/orgmanager/util/StackUtils.java
View File

@ -8,13 +8,11 @@ import java.util.Optional;
@NoArgsConstructor(access = AccessLevel.PRIVATE)
public class StackUtils {
private static final String CALLER_NOT_EXIST = "Caller method doesn't exist";
public static String getCallerMethodName() {
Optional<StackWalker.StackFrame> callerFrame = StackWalker.getInstance()
.walk(s -> s.skip(2).findFirst());
if (callerFrame.isEmpty()) {
return CALLER_NOT_EXIST;
throw new RuntimeException("Can't get caller method name");
}
return callerFrame.get().getMethodName();
}

5
src/main/resources/application.yml
View File

@ -72,8 +72,11 @@ dashboard:
bouncer:
url: http://localhost:8022/change_it
networkTimeout: 10000
enabled: false
context-fragment-id: orgmgmt
deployment-id: production
auth-method: SessionToken
realm: external
rule-set-id: change_it
access-check:
enabled: false

27
src/test/java/com/rbkmoney/orgmanager/controller/OrgsControllerTest.java
View File

@ -3,20 +3,17 @@ package com.rbkmoney.orgmanager.controller;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.rbkmoney.orgmanager.OrgManagerApplication;
import com.rbkmoney.orgmanager.entity.MemberEntity;
import com.rbkmoney.orgmanager.entity.MemberRoleEntity;
import com.rbkmoney.orgmanager.entity.OrganizationEntity;
import com.rbkmoney.orgmanager.exception.AccessDeniedException;
import com.rbkmoney.orgmanager.repository.InvitationRepositoryTest;
import com.rbkmoney.orgmanager.repository.MemberRepository;
import com.rbkmoney.orgmanager.repository.OrganizationRepository;
import com.rbkmoney.orgmanager.service.OrganizationService;
import com.rbkmoney.orgmanager.service.ResourceAccessService;
import com.rbkmoney.orgmanager.util.TestData;
import com.rbkmoney.swag.organizations.model.InvitationRequest;
import com.rbkmoney.swag.organizations.model.Invitee;
import com.rbkmoney.swag.organizations.model.InviteeContact;
import com.rbkmoney.swag.organizations.model.MemberRole;
import com.rbkmoney.swag.organizations.model.MemberRoleScope;
import com.rbkmoney.swag.organizations.model.OrganizationMembership;
import com.rbkmoney.swag.organizations.model.ResourceScopeId;
import com.rbkmoney.swag.organizations.model.RoleId;
import org.junit.Assert;
import org.junit.Before;
@ -32,14 +29,11 @@ import org.springframework.test.context.TestPropertySource;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import java.time.LocalDateTime;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import static org.hamcrest.core.Is.is;
import static org.hamcrest.core.IsAnything.anything;
import static org.mockito.Mockito.doThrow;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
@ -81,6 +75,9 @@ public class OrgsControllerTest extends AbstractControllerTest {
@SpyBean
private OrganizationService organizationService;
@SpyBean
private ResourceAccessService resourceAccessService;
@Before
public void setUp() throws Exception {
keycloakOpenIdStub.givenStub();
@ -88,6 +85,18 @@ public class OrgsControllerTest extends AbstractControllerTest {
organizationRepository.save(organizationEntity);
}
@Test
public void expelOrgMemberWithoutAccess() throws Exception {
doThrow(new AccessDeniedException("Access denied")).when(resourceAccessService)
.checkMemberRights(ORGANIZATION_ID, MEMBER_ID);
mockMvc.perform(delete(String.format("/orgs/%s/members/%s", ORGANIZATION_ID, MEMBER_ID))
.contentType("application/json")
.header("Authorization", "Bearer " + generateRBKadminJwt())
.header("X-Request-ID", "testRequestId"))
.andExpect(status().isForbidden());
}
@Test
public void assignMemberRoleTest() throws Exception {
MemberRole memberRole = TestData.buildMemberRole();

28
src/test/java/com/rbkmoney/orgmanager/service/BouncerServiceImplTest.java
View File

@ -10,6 +10,7 @@ import com.rbkmoney.bouncer.decisions.RulesetNotFound;
import com.rbkmoney.orgmanagement.UserNotFound;
import com.rbkmoney.orgmanager.TestObjectFactory;
import com.rbkmoney.orgmanager.config.properties.BouncerProperties;
import com.rbkmoney.orgmanager.exception.BouncerException;
import com.rbkmoney.orgmanager.service.dto.BouncerContextDto;
import org.apache.thrift.TException;
import org.junit.jupiter.api.BeforeEach;
@ -18,7 +19,10 @@ import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
@ -33,36 +37,24 @@ class BouncerServiceImplTest {
@Mock
private BouncerContextFactory bouncerContextFactory;
private BouncerProperties bouncerProperties;
private BouncerService bouncerService;
@BeforeEach
void setUp() {
bouncerProperties = new BouncerProperties();
bouncerProperties.setEnabled(Boolean.TRUE);
BouncerProperties bouncerProperties = new BouncerProperties();
bouncerProperties.setRuleSetId(TestObjectFactory.randomString());
bouncerService = new BouncerServiceImpl(bouncerContextFactory, bouncerClient, bouncerProperties);
}
@Test
void havePrivilegesWithNotEnabledBouncer() {
bouncerProperties.setEnabled(Boolean.FALSE);
BouncerContextDto bouncerContext = TestObjectFactory.testBouncerContextDto();
boolean result = bouncerService.havePrivileges(bouncerContext);
assertTrue(result);
}
@Test
void havePrivilegesWithIncorrectBuildContext() throws TException {
BouncerContextDto bouncerContext = TestObjectFactory.testBouncerContextDto();
when(bouncerContextFactory.buildContext(bouncerContext)).thenThrow(new UserNotFound());
boolean result = bouncerService.havePrivileges(bouncerContext);
var exception = assertThrows(BouncerException.class, () -> bouncerService.havePrivileges(bouncerContext));
assertFalse(result);
assertThat(exception.getMessage(), containsString("Error while build bouncer context"));
}
@Test
@ -71,9 +63,9 @@ class BouncerServiceImplTest {
when(bouncerContextFactory.buildContext(bouncerContext)).thenReturn(new Context());
when(bouncerClient.judge(anyString(), any(Context.class))).thenThrow(new RulesetNotFound());
boolean result = bouncerService.havePrivileges(bouncerContext);
var exception = assertThrows(BouncerException.class, () -> bouncerService.havePrivileges(bouncerContext));
assertFalse(result);
assertThat(exception.getMessage(), containsString("Error while call bouncer"));
}
@Test

121
src/test/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImplTest.java Normal file
View File

@ -0,0 +1,121 @@
package com.rbkmoney.orgmanager.service;
import com.rbkmoney.orgmanager.TestObjectFactory;
import com.rbkmoney.orgmanager.config.properties.AccessProperties;
import com.rbkmoney.orgmanager.exception.AccessDeniedException;
import com.rbkmoney.orgmanager.service.dto.BouncerContextDto;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.stringContainsInOrder;
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
@ExtendWith(SpringExtension.class)
class ResourceAccessServiceImplTest {
private AccessProperties accessProperties;
@Mock
private BouncerService bouncerService;
private ResourceAccessService resourceAccessService;
@BeforeEach
void setUp() {
accessProperties = new AccessProperties();
accessProperties.setEnabled(true);
resourceAccessService = new ResourceAccessServiceImpl(accessProperties, bouncerService);
}
@Test
void checkNotEnabled() {
accessProperties.setEnabled(false);
assertDoesNotThrow(() -> resourceAccessService.checkRights());
verify(bouncerService, times(0)).havePrivileges(any(BouncerContextDto.class));
}
@Test
void checkRightsWithoutAccess() {
when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(false);
var exception = assertThrows(AccessDeniedException.class, () -> resourceAccessService.checkRights());
assertThat(exception.getMessage(), containsString("No rights to perform"));
}
@Test
void checkRightsSuccess() {
when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(true);
assertDoesNotThrow(() -> resourceAccessService.checkRights());
}
@Test
void checkOrganizationNotEnabled() {
accessProperties.setEnabled(false);
var orgId = "test";
assertDoesNotThrow(() -> resourceAccessService.checkOrganizationRights(orgId));
verify(bouncerService, times(0)).havePrivileges(any(BouncerContextDto.class));
}
@Test
void checkOrganizationRightsWithoutAccess() {
String orgId = TestObjectFactory.randomString();
when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(false);
var exception = assertThrows(AccessDeniedException.class,
() -> resourceAccessService.checkOrganizationRights(orgId));
assertThat(exception.getMessage(), stringContainsInOrder("No rights to perform", orgId));
}
@Test
void checkOrganizationRightsSuccess() {
when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(true);
assertDoesNotThrow(() -> resourceAccessService.checkOrganizationRights(anyString()));
}
@Test
void checkMemberNotEnabled() {
accessProperties.setEnabled(false);
var orgId = "test";
var memberId = "test";
assertDoesNotThrow(() -> resourceAccessService.checkMemberRights(orgId, memberId));
verify(bouncerService, times(0)).havePrivileges(any(BouncerContextDto.class));
}
@Test
void checkMemberRightsWithoutAccess() {
String orgId = TestObjectFactory.randomString();
String memberId = TestObjectFactory.randomString();
when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(false);
var exception = assertThrows(AccessDeniedException.class,
() -> resourceAccessService.checkMemberRights(orgId, memberId));
assertThat(exception.getMessage(), stringContainsInOrder("No rights to perform", orgId, memberId));
}
@Test
void checkMemberRightsSuccess() {
String orgId = TestObjectFactory.randomString();
String memberId = TestObjectFactory.randomString();
when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(true);
assertDoesNotThrow(() -> resourceAccessService.checkMemberRights(orgId, memberId));
}
}