Added authorization checks for BrokerService's JSON RPC methods #11092
Conversation
sleshchenko
added
status/code-review
sleshchenko
force-pushed
the
brokerServiceFilter
branch
from
8c5c0d5 to
c244984
Compare
...e/che/multiuser/permission/workspace/infra/kubernetes/BrokerServicePermissionFilterTest.java
Outdated
Show resolved
Hide resolved
|
|
||
| @AfterMethod | ||
| public void tearDown() { | ||
| EnvironmentContext.reset(); |
There was a problem hiding this comment.
I would add operations that would throw some custom exception when unexpected permissions check is executed in tests. This would ensure that there are no similar bugs in the code and tests at the same time. WDYT?
There was a problem hiding this comment.
Makes sense. I'll do it.
There was a problem hiding this comment.
I'll try to implement what you suggested but it fails
...
public class BrokerServicePermissionFilterTest {
...
@BeforeMethod
public void setUp() {
EnvironmentContext.getCurrent().setSubject(subject);
when(subject.hasPermission(any(), any(), any())).thenThrow(new IllegalArgumentException());
permissionFilter = new BrokerServicePermissionFilter();
}
...
@Test(
dataProvider = "coveredMethods",
expectedExceptions = ForbiddenException.class,
expectedExceptionsMessageRegExp =
"User doesn't have the required permissions to the specified workspace")
public void shouldThrowExceptionIfUserDoesNotHaveRunPermission(String method) throws Exception {
// !!!!!!!!!!!!!!!!
// java.lang.IllegalArgumentException is thrown here
// given
when(subject.hasPermission(eq(WorkspaceDomain.DOMAIN_ID), eq("ws123"), eq(WorkspaceDomain.RUN)))
.thenReturn(false);
// when
permissionFilter.doAccept(
method, DtoFactory.newDto(BrokerResultEvent.class).withWorkspaceId("ws123"));
}
...
}So, looks like mockito make invocation method on defining new method behavior
when(subject.hasPermission(eq(WorkspaceDomain.DOMAIN_ID), eq("ws123"), eq(WorkspaceDomain.RUN)))
.thenReturn(false);
And java.lang.IllegalArgumentException is thrown since there is defined behavior for any values of parameters.
If you know how to implement it in another simple way - I'll be happy to do it.
| @@ -305,7 +305,9 @@ private void configureMultiUserMode( | |||
| if (OpenShiftInfrastructure.NAME.equals(infrastructure) | |||
| || KubernetesInfrastructure.NAME.equals(infrastructure)) { | |||
| install(new ReplicationModule(persistenceProperties)); | |||
|
|
|||
| bind( | |||
There was a problem hiding this comment.
Can you elaborate why this is specific to the infra implementation?
There was a problem hiding this comment.
Because BrokerService is kubernetes specific component that is bound only for Kubernetes and OpenShift infrastructures. Does it make sense?
There was a problem hiding this comment.
yes, not sure it should be really specific to the k8s in general, but I'm fine with that for the time being
|
ci-test |
|
ci-test build report: |
|
Maven build is failed because of build error in |
|
ci-test |
|
ci-test build report: |
sleshchenko
force-pushed
the
brokerServiceFilter
branch
from
d4f3327 to
34ab3e0
Compare
benoitf
removed
the
status/code-review
What does this PR do?
Adds authorization checks for BrokerService's JSON RPC methods. Only user who has
runpermission is allowed to callbroker/resultandbroker/statusChangedworkspace related methods.What issues does this PR fix or reference?
#11080
Release Notes
N/A
Docs PR
N/A