package io.jenkins.plugins.casc.permissions;
import static io.jenkins.plugins.casc.permissions.Action.APPLY_NEW_CONFIGURATION;
import static io.jenkins.plugins.casc.permissions.Action.VIEW_CONFIGURATION;
import static java.lang.String.format;
import static java.net.HttpURLConnection.HTTP_FORBIDDEN;
import static java.net.HttpURLConnection.HTTP_OK;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.not;
import static org.junit.jupiter.api.Assertions.assertEquals;
import com.google.common.collect.ImmutableMap;
import java.util.Map;
import jenkins.model.Jenkins;
import org.hamcrest.Matchers;
import org.htmlunit.html.HtmlPage;
import org.junit.jupiter.api.Test;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.JenkinsRule.WebClient;
import org.jvnet.hudson.test.MockAuthorizationStrategy;
import org.jvnet.hudson.test.junit.jupiter.WithJenkins;
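@WithJenkins
class PermissionsTest {

    /** Relative path of the Jenkins management page (where the CasC tile is rendered). */
    private static final String RELATIVE_PATH_MANAGE_PAGE = "manage";

    /** Relative path of the Configuration as Code management page. */
    private static final String RELATIVE_PATH_CASC_PAGE = "configuration-as-code";

    /** Button labels under which the "apply" action may be rendered on the CasC page. */
    private static final String APPLY_LABEL_SETUP = "Setup configuration";

    private static final String APPLY_LABEL_APPLY = "Apply configuration";

    /**
     * A user holding only {@code Jenkins.READ} must be denied (403) both the CasC page and the
     * management page it is reached from.
     */
    @Test
    void checkPermissionsForReader(JenkinsRule j) throws Exception {
        final String reader = "reader";
        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
        j.jenkins.setAuthorizationStrategy(
                new MockAuthorizationStrategy().grant(Jenkins.READ).everywhere().to(reader));
        // Failing status codes are asserted explicitly below, so do not let the client throw on them.
        JenkinsRule.WebClient webClient = j.createWebClient().withThrowExceptionOnFailingStatusCode(false);
        webClient.login(reader);
        assertCannotAccessPage(webClient, RELATIVE_PATH_CASC_PAGE);
        assertCannotAccessPage(webClient, RELATIVE_PATH_MANAGE_PAGE);
    }

    /**
     * A user holding {@code Jenkins.SYSTEM_READ} may view the configuration but must not be offered
     * the action that applies a new one.
     */
    @Test
    void checkPermissionsForSystemReader(JenkinsRule j) throws Exception {
        final String systemReader = "systemReader";
        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
                .grant(Jenkins.READ)
                .everywhere()
                .to(systemReader)
                .grant(Jenkins.SYSTEM_READ)
                .everywhere()
                .to(systemReader));
        JenkinsRule.WebClient webClient = j.createWebClient().withThrowExceptionOnFailingStatusCode(false);
        assertUserPermissions(
                webClient,
                systemReader,
                ImmutableMap.<Action, Boolean>builder()
                        .put(VIEW_CONFIGURATION, true)
                        .put(APPLY_NEW_CONFIGURATION, false)
                        .build());
    }

    /**
     * A user holding {@code Jenkins.MANAGE} must reach the management page, see the CasC tile and
     * open the CasC page. No per-action expectation is asserted for this role: the empty map only
     * checks page access and tile visibility.
     */
    @Test
    void checkPermissionsForManager(JenkinsRule j) throws Exception {
        final String manager = "manager";
        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
                .grant(Jenkins.READ)
                .everywhere()
                .to(manager)
                .grant(Jenkins.MANAGE)
                .everywhere()
                .to(manager));
        JenkinsRule.WebClient webClient = j.createWebClient().withThrowExceptionOnFailingStatusCode(false);
        assertUserPermissions(
                webClient, manager, ImmutableMap.<Action, Boolean>builder().build());
    }

    /** An administrator may both view the configuration and apply a new one. */
    @Test
    void checkPermissionsForAdmin(JenkinsRule j) throws Exception {
        final String admin = "admin";
        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
                .grant(Jenkins.ADMINISTER)
                .everywhere()
                .to(admin));
        JenkinsRule.WebClient webClient = j.createWebClient().withThrowExceptionOnFailingStatusCode(false);
        assertUserPermissions(
                webClient,
                admin,
                ImmutableMap.<Action, Boolean>builder()
                        .put(VIEW_CONFIGURATION, true)
                        .put(APPLY_NEW_CONFIGURATION, true)
                        .build());
    }

    /**
     * Logs {@code user} in, checks that the CasC tile is shown on the management page and that the
     * CasC page itself answers 200, then asserts each action in {@code allowedActions} is shown
     * ({@code true}) or hidden ({@code false}) on that page.
     *
     * @param webClient client configured not to throw on failing status codes
     * @param user user name to log in as
     * @param allowedActions expected visibility per action; an empty map asserts no action at all
     * @throws Exception if the login or page fetch fails
     */
    private void assertUserPermissions(WebClient webClient, String user, Map<Action, Boolean> allowedActions)
            throws Exception {
        webClient.login(user);
        assertCascTileShows(webClient);
        HtmlPage cascPage = assertCanAccessPage(webClient, RELATIVE_PATH_CASC_PAGE);
        allowedActions.forEach((action, isAllowed) -> assertActionAvailable(cascPage, action, isAllowed));
    }

    /**
     * Fetches {@code relativePath} and asserts the response status is 200.
     *
     * @return the fetched page, for further content assertions
     * @throws Exception if the page fetch fails
     */
    private HtmlPage assertCanAccessPage(WebClient webClient, String relativePath) throws Exception {
        HtmlPage page = webClient.goTo(relativePath);
        assertEquals(HTTP_OK, page.getWebResponse().getStatusCode());
        return page;
    }

    /**
     * Fetches {@code relativePath} and asserts the response status is exactly 403; any other status
     * (including a redirect to login) is reported as a failure.
     *
     * @throws Exception if the page fetch fails
     */
    private void assertCannotAccessPage(WebClient webClient, String relativePath) throws Exception {
        final HtmlPage page = webClient.goTo(relativePath);
        final int statusCode = page.getWebResponse().getStatusCode();
        assertThat(format("Page %s should not be accessible", relativePath), statusCode, is(HTTP_FORBIDDEN));
    }

    /**
     * Asserts the management page is reachable (200) and that its body contains the CasC tile text.
     *
     * @throws Exception if the page fetch fails
     */
    private void assertCascTileShows(WebClient webClient) throws Exception {
        HtmlPage managePage = assertCanAccessPage(webClient, RELATIVE_PATH_MANAGE_PAGE);
        final String pageContent = managePage.getWebResponse().getContentAsString();
        assertThat(
                "The user should have access to the CasC tile in management page",
                pageContent,
                containsString("Configuration as Code"));
    }

    /**
     * Asserts whether {@code action} is rendered on {@code page}.
     *
     * <p>{@link Action#APPLY_NEW_CONFIGURATION} can be rendered under either of two labels, so the
     * positive check accepts either one. The negative check must therefore reject both labels as
     * well as {@code action.buttonText}; checking only {@code buttonText} would let a denied user
     * pass while the page still offers the action under the other label.
     *
     * @param page the already-fetched CasC page
     * @param action the action whose button is looked for
     * @param shouldContain {@code true} if the button must be present, {@code false} if it must be absent
     */
    private void assertActionAvailable(HtmlPage page, Action action, boolean shouldContain) {
        String responseContent = page.getWebResponse().getContentAsString();
        if (action == APPLY_NEW_CONFIGURATION) {
            if (shouldContain) {
                assertThat(
                        format("Action %s should be available", action.name()),
                        responseContent,
                        Matchers.anyOf(containsString(APPLY_LABEL_SETUP), containsString(APPLY_LABEL_APPLY)));
            } else {
                assertThat(
                        format("Action %s should not be available", action.name()),
                        responseContent,
                        not(Matchers.anyOf(
                                containsString(APPLY_LABEL_SETUP),
                                containsString(APPLY_LABEL_APPLY),
                                containsString(action.buttonText))));
            }
        } else if (shouldContain) {
            assertThat(
                    format("Action %s should be available", action.name()),
                    responseContent,
                    containsString(action.buttonText));
        } else {
            assertThat(
                    format("Action %s should not be available", action.name()),
                    responseContent,
                    not(containsString(action.buttonText)));
        }
    }
}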