/*
* RHQ Management Platform
* Copyright (C) 2005-2014 Red Hat, Inc.
* All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
package org.rhq.enterprise.server.auth.test;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import javax.ejb.EJBException;
import javax.persistence.EntityManager;
import javax.security.auth.login.LoginException;
import javax.transaction.NotSupportedException;
import javax.transaction.SystemException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.rhq.core.domain.auth.Subject;
import org.rhq.core.domain.authz.Permission;
import org.rhq.core.domain.authz.Role;
import org.rhq.core.domain.configuration.Configuration;
import org.rhq.core.domain.configuration.PropertySimple;
import org.rhq.core.domain.criteria.SubjectCriteria;
import org.rhq.core.domain.search.SavedSearch;
import org.rhq.core.domain.search.SearchSubsystem;
import org.rhq.core.domain.util.PageControl;
import org.rhq.core.domain.util.PageList;
import org.rhq.core.domain.util.PageOrdering;
import org.rhq.enterprise.server.auth.SessionManager;
import org.rhq.enterprise.server.auth.SessionNotFoundException;
import org.rhq.enterprise.server.auth.SubjectManagerLocal;
import org.rhq.enterprise.server.authz.AuthorizationManagerLocal;
import org.rhq.enterprise.server.authz.PermissionException;
import org.rhq.enterprise.server.authz.RoleManagerLocal;
import org.rhq.enterprise.server.search.SavedSearchManagerLocal;
import org.rhq.enterprise.server.test.AbstractEJB3Test;
import org.rhq.enterprise.server.test.TransactionCallback;
import org.rhq.enterprise.server.util.LookupUtil;
import org.rhq.enterprise.server.util.SessionTestHelper;
import org.testng.annotations.Test;
/**
* Tests the subject manager.
*/
@Test
public class SubjectManagerBeanTest extends AbstractEJB3Test {
private static final Log LOG = LogFactory.getLog(SubjectManagerBeanTest.class);
private static final String RHQADMIN = "rhqadmin";
private static final String ITEST_USER = "smb_itest_user";
private SubjectManagerLocal subjectManager;
private AuthorizationManagerLocal authorizationManager;
private RoleManagerLocal roleManager;
private SavedSearchManagerLocal savedSearchManager;
@Override
protected void beforeMethod() {
subjectManager = LookupUtil.getSubjectManager();
authorizationManager = LookupUtil.getAuthorizationManager();
roleManager = LookupUtil.getRoleManager();
savedSearchManager = LookupUtil.getSavedSearchManager();
createITestSubject();
}
private Subject createITestSubject() {
Subject subjectToCreate = new Subject(ITEST_USER, true, false);
return subjectManager.createSubject(subjectManager.getOverlord(), subjectToCreate, ITEST_USER);
}
/**
* This runs after each test method. It clears out all sessions.
*/
@Override
protected void afterMethod() {
deleteITestSubject();
// create a list of all users we know our tests have used
List<String> usernames = new ArrayList<String>();
usernames.add("admin");
usernames.add(RHQADMIN);
usernames.add("new_user");
usernames.add(ITEST_USER);
SessionManager session_manager = SessionManager.getInstance();
// clean out all users' sessions (a user can have more than one session)
while (usernames.size() > 0) {
try {
String doomed_user = usernames.get(0);
session_manager.invalidate(doomed_user);
} finally {
usernames.remove(0);
}
}
}
private void deleteITestSubject() {
Subject subject = subjectManager.getSubjectByName(ITEST_USER);
if (subject != null) {
subjectManager.deleteSubjects(subjectManager.getOverlord(), new int[] { subject.getId() });
}
}
/**
* Tests persisting and retrieving user configuration.
*
* @throws Exception
*/
public void testUserConfiguration() throws Exception {
Subject superuser;
getTransactionManager().begin();
try {
superuser = subjectManager.getOverlord();
// create the user
Subject new_user = new Subject("dummy-user", true, false);
new_user = subjectManager.createSubject(superuser, new_user);
assert new_user.getUserConfiguration() == null : "There should not be any configuration yet";
// set and persist an empty configuration
Configuration config = new Configuration();
new_user.setUserConfiguration(config);
assert new_user.getUserConfiguration() != null : "An empty configuration should have been set";
assert new_user.getUserConfiguration().getProperties().size() == 0 : "An empty config should have been set";
assert new_user.getUserConfiguration().getId() == 0 : "Configuration wasn't persisted - should not have an ID";
new_user = subjectManager.updateSubject(superuser, new_user); // let superuser change it
config = new_user.getUserConfiguration();
assert config != null : "An empty configuration should have been persisted";
assert config.getProperties().size() == 0 : "An empty config should have been persisted";
assert config.getId() != 0 : "Configuration was persisted - should have an ID";
// set and persist a non-empty configuration
config.put(new PropertySimple("firstname", "firstvalue"));
config.put(new PropertySimple("secondname", "secondvalue"));
assert new_user.getUserConfiguration() != null : "A full configuration should have been set";
assert new_user.getUserConfiguration().getProperties().size() == 2 : "A full config should have been set";
new_user = createSession(new_user);
new_user = subjectManager.updateSubject(new_user, new_user); // let the user itself change it
config = new_user.getUserConfiguration();
assert config != null : "A full configuration should have been persisted";
assert config.getProperties().size() == 2 : "A full config should have been persisted";
assert config.getId() != 0 : "Configuration was persisted - should have an ID";
assert config.getSimple("firstname").getStringValue().equals("firstvalue") : "Configuration wasn't persisted properly";
assert config.getSimple("secondname").getStringValue().equals("secondvalue") : "Configuration wasn't persisted properly!";
// let's try the load method to make sure it can eagerly load the configuration
Subject loaded = subjectManager.loadUserConfiguration(new_user.getId());
config = loaded.getUserConfiguration();
assert config != null : "A full configuration should have been persisted";
assert config.getProperties().size() == 2 : "A full config should have been persisted";
assert config.getId() != 0 : "Configuration was persisted - should have an ID";
assert config.getSimple("firstname").getStringValue().equals("firstvalue") : "Configuration wasn't persisted properly";
assert config.getSimple("secondname").getStringValue().equals("secondvalue") : "Configuration wasn't persisted properly!";
// set and persist a null configuration
new_user.setUserConfiguration(null);
assert new_user.getUserConfiguration() == null : "There should not be any configuration anymore";
new_user = subjectManager.updateSubject(superuser, new_user); // let superuser change it
assert new_user.getUserConfiguration() == null : "An empty configuration should have been persisted";
} finally {
getTransactionManager().rollback();
}
}
/**
* Makes sure you cannot disable super users.
*
* @throws Exception
*/
public void testTryToDisableSuperUsers() throws Exception {
Subject superuser;
Subject rhqadmin;
getTransactionManager().begin();
try {
superuser = subjectManager.getOverlord();
rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
rhqadmin = createSession(rhqadmin);
try {
superuser.setFactive(false);
subjectManager.updateSubject(rhqadmin, superuser);
assert false : "You should not be able to disable the superuser";
} catch (PermissionException se) {
superuser.setFactive(true);
}
} finally {
getTransactionManager().rollback();
}
getTransactionManager().begin();
try {
try {
rhqadmin.setFactive(false);
subjectManager.updateSubject(superuser, rhqadmin);
assert false : "You should not be able to delete the rhqadmin user";
} catch (PermissionException se) {
rhqadmin.setFactive(true);
}
} finally {
getTransactionManager().rollback();
}
}
/**
* Makes sure you cannot delete the super users.
*
* @throws Exception
*/
public void testTryToDeleteSuperUsers() throws Exception {
Subject superuser;
Subject rhqadmin;
getTransactionManager().begin();
try {
superuser = subjectManager.getOverlord();
superuser = createSession(superuser);
rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
rhqadmin = createSession(rhqadmin);
try {
subjectManager.deleteUsers(superuser, new int[] { rhqadmin.getId() });
assert false : "You should not be able to delete the rhqadmin user";
} catch (PermissionException se) {
}
} finally {
getTransactionManager().rollback();
}
getTransactionManager().begin();
try {
try {
subjectManager.deleteUsers(rhqadmin, new int[] { superuser.getId() });
assert false : "You should not be able to delete the superuser";
} catch (PermissionException se) {
}
} finally {
getTransactionManager().rollback();
}
// but you should be allowed to change the rhqadmin's principal password
getTransactionManager().begin();
try {
subjectManager.changePassword(rhqadmin, rhqadmin.getName(), "change-me");
} finally {
getTransactionManager().rollback();
}
}
/**
* Tests CRUD on subjects.
*
* @throws Exception
*/
public void testSubjects() throws Exception {
Subject new_user = null;
getTransactionManager().begin();
List<Permission> all_global_perms = new ArrayList<Permission>();
all_global_perms.add(Permission.MANAGE_SECURITY);
all_global_perms.add(Permission.MANAGE_INVENTORY);
all_global_perms.add(Permission.MANAGE_SETTINGS);
// get the system super subject
Subject superuser = subjectManager.getSubjectById(1);
assert superuser.getId() == 1;
assert superuser.getName().equals("admin");
assert authorizationManager.getExplicitGlobalPermissions(superuser).containsAll(all_global_perms);
// get the rhqadmin subject
Subject rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
assert rhqadmin.getId() == 2;
assert rhqadmin.getName().equals(RHQADMIN);
assert authorizationManager.getExplicitGlobalPermissions(rhqadmin).containsAll(all_global_perms);
rhqadmin = createSession(rhqadmin); // our test needs to ensure the rhqadmin user has a session
// check the subjects that do and do not have principals
Collection<String> all_users_with_principals = subjectManager.findAllUsersWithPrincipals();
assert !all_users_with_principals.contains(superuser.getName());
assert all_users_with_principals.contains(rhqadmin.getName());
assert !subjectManager.isUserWithPrincipal(superuser.getName());
assert subjectManager.isUserWithPrincipal(rhqadmin.getName());
// get all subjects, whether or not they have a principal
SubjectManagerLocal subjectManager = LookupUtil.getSubjectManager();
Subject subject = null;
try {
subject = subjectManager.loginUnauthenticated(RHQADMIN);
} catch (Exception e) {
assert false : "There must be at least rhqadmin user";
}
SubjectCriteria c = new SubjectCriteria();
c.addFilterFsystem(false);
c.addSortName(PageOrdering.ASC);
PageList<Subject> all_subjects = subjectManager.findSubjectsByCriteria(subject, c);
assert all_subjects.size() >= 1 : "There must be at least rhqadmin user";
assert !all_subjects.contains(superuser) : "The superuser should not have been returned in the list";
assert all_subjects.contains(rhqadmin) : "Missing user [" + rhqadmin + "] from: " + all_subjects;
// create, modify then delete the user
new_user = new Subject();
new_user.setFsystem(false);
new_user.setFactive(true);
new_user.setName("dummy-user");
new_user.setFirstName("my-firstname");
new_user.setLastName("my-lastname");
new_user.setEmailAddress("email@address.com");
new_user.setPhoneNumber("1-800-555-1212");
new_user.setSmsAddress("sms address");
new_user.setDepartment("my-department");
new_user = subjectManager.createSubject(rhqadmin, new_user);
new_user = createSession(new_user);
assert !subjectManager.isUserWithPrincipal(new_user.getName());
subjectManager.createPrincipal(subjectManager.getOverlord(), new_user.getName(), "my-password");
assert subjectManager.isUserWithPrincipal(new_user.getName());
// make sure it was persisted and you can actually login with it
assert new_user.getId() != 0;
Subject login_new_user = subjectManager.loginUnauthenticated(new_user.getName());
assert login_new_user.equals(new_user);
new_user = login_new_user; // login_new_user was given a new session ID
subjectManager.changePassword(new_user, new_user.getName(), "my-new-password");
subjectManager.changePassword(rhqadmin, new_user.getName(), "my-new-password"); // see that rhqadmin can change it too
getTransactionManager().commit();
getTransactionManager().begin();
try {
subjectManager.changePassword(new_user, rhqadmin.getName(), "not-allowed");
assert false : "The new user does not have permission to change another's password";
} catch (PermissionException se) {
} finally {
// PermissionException causes a rollback, let's start a new tx
getTransactionManager().rollback();
}
getTransactionManager().begin();
// this new user has no roles - therefore, no global permissions
assert authorizationManager.getExplicitGlobalPermissions(new_user).size() == 0;
try {
subjectManager.deleteUsers(new_user, new int[] { new_user.getId() });
assert false : "The new user should not have had the permission to delete itself";
} catch (PermissionException e) {
} finally {
// PermissionException causes a rollback, let's start a new tx
getTransactionManager().rollback();
}
getTransactionManager().begin();
// delete the new user
assert subjectManager.getSubjectByName(new_user.getName()).equals(new_user);
assert subjectManager.isUserWithPrincipal(new_user.getName());
subjectManager.deleteUsers(rhqadmin, new int[] { new_user.getId() });
assert subjectManager.getSubjectByName(new_user.getName()) == null;
assert !subjectManager.isUserWithPrincipal(new_user.getName());
getTransactionManager().commit();
}
/**
* Tests finding Subjects with Roles.
* @throws SystemException
* @throws NotSupportedException
*/
public void testFindSubjectsWithRoles() throws NotSupportedException, SystemException {
getTransactionManager().begin();
EntityManager entityMgr = getEntityManager();
SubjectManagerLocal subjectManager = LookupUtil.getSubjectManager();
RoleManagerLocal roleManager = LookupUtil.getRoleManager();
Subject overlord = subjectManager.getOverlord();
try {
//create new subject
Subject subject = SessionTestHelper.createNewSubject(entityMgr, "testSubject");
//create new role for subject
Role roleWithSubject = SessionTestHelper.createNewRoleForSubject(entityMgr, subject, "role with subject");
roleWithSubject.addPermission(Permission.VIEW_RESOURCE);
Role newRole = new Role("role without subject");
Role roleWithoutSubject = roleManager.createRole(overlord, newRole);
//exercise findAvailableSubjectsForRole
Integer[] pendingSubjectIds = new Integer[0];
PageList<Subject> subjects = subjectManager.findAvailableSubjectsForRole(subjectManager.getOverlord(),
roleWithoutSubject.getId(), pendingSubjectIds, PageControl.getUnlimitedInstance());
assert subjects.size() > 0 : "Unable to locate subject(s) available for role with id '"
+ roleWithSubject.getId() + "'.";//Should be at least one.
// boolean located = false;
Subject locatedSubject = null;
for (Subject s : subjects) {
if (s.getName().equals(subject.getName())) {
locatedSubject = s;
}
}
assert locatedSubject != null : "Unable to located subject with name '" + subject.getName() + "'.";
assert locatedSubject.getId() == subject.getId() : "Subject id does not match expected subject identifier '"
+ subject.getId() + "'";//should match.
} finally {
getTransactionManager().rollback();
}
}
/**
* Tests getting a super user subject.
*
* @throws Exception
*/
public void testGetSuperUser() throws Exception {
getTransactionManager().begin();
try {
Subject superuser1 = subjectManager.getOverlord();
assert superuser1.getId() == 1;
Subject superuser2 = subjectManager.getOverlord();
assert superuser2.getId() == 1;
assert superuser1.equals(superuser2);
// that second call should have used the same session since not enough time elapsed to expire the session
assert superuser1.getSessionId().equals(superuser2.getSessionId());
} finally {
getTransactionManager().rollback();
}
}
/**
* Tests logging in and out when not requiring passwords.
*
* @throws Exception
*/
public void testLoginUnauthenticated() throws Exception {
getTransactionManager().begin();
try {
Subject subject1 = subjectManager.loginUnauthenticated(RHQADMIN);
int session1 = subject1.getSessionId();
Thread.sleep(500); // just wait a bit
Subject subject2 = subjectManager.loginUnauthenticated(RHQADMIN);
int session2 = subject2.getSessionId();
assert session1 != session2 : "The same sessionId should never be assigned when logging in twice";
assert subject1.equals(subject2);
Subject s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN, subject1.getSessionId());
assert s.getSessionId() == session1;
s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN, subject2.getSessionId());
assert s.getSessionId() == session2;
subjectManager.logout(session1);
try {
s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN, subject1.getSessionId());
assert false : "Session should be invalid";
} catch (SessionNotFoundException ok) {
}
s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN, subject2.getSessionId());
assert s.getSessionId() == session2;
// this should ne a no-op, no exception
subjectManager.logout(session1);
subjectManager.logout(session2);
try {
s = subjectManager.getSubjectByNameAndSessionId(RHQADMIN, subject2.getSessionId());
fail("Session should be invalid");
} catch (SessionNotFoundException e) {
// expected
}
try {
subjectManager.loginUnauthenticated("rhqadminX");
assert false : "Should not have logged in - provided a bad username";
} catch (LoginException ok) {
}
} finally {
getTransactionManager().rollback();
}
}
public void testDeleteUser() throws Exception {
getTransactionManager().begin();
try {
Subject overlord = subjectManager.getOverlord();
Subject new_user = new Subject("dummy-user", true, false);
new_user = subjectManager.createSubject(overlord, new_user);
Role new_role = new Role("dummy-role");
RoleManagerLocal roleManager = LookupUtil.getRoleManager();
new_role = roleManager.createRole(overlord, new_role);
// new_user.addRole(new_role);
int[] subjectIds = new int[] { new_user.getId() };
roleManager.addSubjectsToRole(overlord, new_role.getId(), subjectIds);
assert new_role.getSubjects().contains(new_user) : "New_role does not contain new_user";
int count = new_role.getSubjects().size();
subjectManager.deleteUsers(overlord, subjectIds);
assert new_role.getSubjects().size() == count - 1 : "User was not deleted from new_role";
} finally {
getTransactionManager().rollback();
}
}
public void testViewUsersPermission_subjectWithViewUsersRoleCanViewOtherUsers() throws Exception {
getTransactionManager().begin();
try {
Subject overlord = subjectManager.getOverlord();
Subject rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
Role roleWithViewUsersPerm = new Role("role" + UUID.randomUUID());
roleWithViewUsersPerm.addPermission(Permission.VIEW_USERS);
roleWithViewUsersPerm = roleManager.createRole(overlord, roleWithViewUsersPerm);
Subject subjectWithViewUsersRole = new Subject("subject" + UUID.randomUUID(), true, false);
subjectWithViewUsersRole.addRole(roleWithViewUsersPerm);
subjectWithViewUsersRole = subjectManager.createSubject(overlord, subjectWithViewUsersRole, "password");
subjectWithViewUsersRole = subjectManager.loginUnauthenticated(subjectWithViewUsersRole.getName());
Subject anotherSubject = new Subject("subject" + UUID.randomUUID(), true, false);
anotherSubject = subjectManager.createSubject(overlord, anotherSubject, "password");
PageList<Subject> subjects = subjectManager.findSubjectsByCriteria(subjectWithViewUsersRole,
new SubjectCriteria());
Set<Subject> subjectSet = new HashSet<Subject>(subjects);
assertTrue(subjectSet.contains(subjectWithViewUsersRole));
assertTrue(subjectSet.contains(anotherSubject));
assertTrue(subjectSet.contains(rhqadmin));
} finally {
getTransactionManager().rollback();
}
}
public void testViewUsersPermission_rhqadminCanViewOtherUsers() throws Exception {
getTransactionManager().begin();
try {
Subject overlord = subjectManager.getOverlord();
Subject rhqadmin = subjectManager.getSubjectByName(RHQADMIN);
rhqadmin = subjectManager.loginUnauthenticated(rhqadmin.getName());
Subject anotherSubject = new Subject("subject" + UUID.randomUUID(), true, false);
anotherSubject = subjectManager.createSubject(overlord, anotherSubject, "password");
PageList<Subject> subjects = subjectManager.findSubjectsByCriteria(rhqadmin, new SubjectCriteria());
Set<Subject> subjectSet = new HashSet<Subject>(subjects);
assertTrue(subjectSet.contains(anotherSubject));
assertTrue(subjectSet.contains(rhqadmin));
} finally {
getTransactionManager().rollback();
}
}
public void testViewUsersPermission_subjectWithNonViewUsersRoleCannotViewOtherUsers() throws Exception {
getTransactionManager().begin();
try {
Subject overlord = subjectManager.getOverlord();
Role roleWithoutViewUsersPerm = new Role("role" + UUID.randomUUID());
roleWithoutViewUsersPerm = roleManager.createRole(overlord, roleWithoutViewUsersPerm);
Subject subjectWithNonViewUsersRole = new Subject("subject" + UUID.randomUUID(), true, false);
subjectWithNonViewUsersRole.addRole(roleWithoutViewUsersPerm);
subjectWithNonViewUsersRole = subjectManager.createSubject(overlord, subjectWithNonViewUsersRole,
"password");
subjectWithNonViewUsersRole = subjectManager.loginUnauthenticated(subjectWithNonViewUsersRole.getName());
Subject anotherSubject = new Subject("subject" + UUID.randomUUID(), true, false);
anotherSubject = subjectManager.createSubject(overlord, anotherSubject, "password");
PageList<Subject> subjects = subjectManager.findSubjectsByCriteria(subjectWithNonViewUsersRole,
new SubjectCriteria());
Set<Subject> subjectSet = new HashSet<Subject>(subjects);
assertEquals(1, subjectSet.size());
assertTrue(subjectSet.contains(subjectWithNonViewUsersRole));
} finally {
getTransactionManager().rollback();
}
}
public void testViewUsersPermission_subjectWithNoRolesCannotViewOtherUsers() throws Exception {
getTransactionManager().begin();
try {
Subject overlord = subjectManager.getOverlord();
Subject subjectWithNoRoles = new Subject("subject" + UUID.randomUUID(), true, false);
subjectWithNoRoles = subjectManager.createSubject(overlord, subjectWithNoRoles, "password");
subjectWithNoRoles = subjectManager.loginUnauthenticated(subjectWithNoRoles.getName());
Subject anotherSubject = new Subject("subject" + UUID.randomUUID(), true, false);
anotherSubject = subjectManager.createSubject(overlord, anotherSubject, "password");
PageList<Subject> subjects = subjectManager.findSubjectsByCriteria(subjectWithNoRoles,
new SubjectCriteria());
Set<Subject> subjectSet = new HashSet<Subject>(subjects);
assertEquals(1, subjectSet.size());
assertTrue(subjectSet.contains(subjectWithNoRoles));
} finally {
getTransactionManager().rollback();
}
}
public void testSubjectWithNoRolesCannotLoginIfItIsDisabled() throws Exception {
getTransactionManager().begin();
try {
Subject overlord = subjectManager.getOverlord();
final String name = "subject" + UUID.randomUUID();
final String password = "password";
Subject subjectWithNoRoles = new Subject(name, true, false);
subjectWithNoRoles = subjectManager.createSubject(overlord, subjectWithNoRoles, password);
subjectManager.loginLocal(name, password);
fail("Exception should be thrown when logging in without any roles if it is disabled, but wasn't.");
} catch (LoginException ex) {
assertTrue(true);
} finally {
getTransactionManager().rollback();
}
}
public void subjectCannotUpdateAnotherSubjectWithoutPermission() throws LoginException {
executeInTransaction(new TransactionCallback() {
@Override
public void execute() throws Exception {
Subject fakeSubject = new Subject("fakeUser", true, false);
Subject itestSubject = subjectManager.loginUnauthenticated(ITEST_USER);
try {
subjectManager.updateSubject(itestSubject, fakeSubject, "newPassword");
fail("Subject without permission should not be able to update another subject");
} catch (PermissionException e) {
assertTrue(e.getMessage().contains("do not have permission to update user"));
}
}
});
}
public void nobodyCanDisableASystemSubject() {
executeInTransaction(new TransactionCallback() {
@Override
public void execute() throws Exception {
Subject rhqAdminSubject = subjectManager.getSubjectByName(RHQADMIN);
try {
Subject changedSubject = new Subject(rhqAdminSubject.getName(), false, rhqAdminSubject.getFsystem());
changedSubject.setId(rhqAdminSubject.getId());
subjectManager.updateSubject(subjectManager.getOverlord(), changedSubject, "newPassword");
fail("Nobody should be able to disable a system subject");
} catch (PermissionException e) {
assertTrue(e.getMessage().startsWith("You cannot disable the system user"));
}
}
});
}
public void nobodyCanChangeASubjectName() {
executeInTransaction(new TransactionCallback() {
@Override
public void execute() throws Exception {
Subject itestSubject = subjectManager.getSubjectByName(ITEST_USER);
Subject changedSubject = new Subject("pipo", itestSubject.getFactive(), itestSubject.getFsystem());
changedSubject.setId(itestSubject.getId());
try {
subjectManager.updateSubject(subjectManager.getOverlord(), changedSubject, "newPassword");
fail("Nobody should be able to change a subject name");
} catch (EJBException e) {
Exception cause = e.getCausedByException();
assertEquals(IllegalArgumentException.class, cause.getClass());
assertTrue(cause.getMessage().equals("You cannot change a user's username."));
}
}
});
}
public void nobodyCanChangeAnUnknowSubject() {
executeInTransaction(new TransactionCallback() {
@Override
public void execute() throws Exception {
try {
Subject fakeSubject = new Subject("fakeUser", true, false);
subjectManager.updateSubject(subjectManager.getOverlord(), fakeSubject, "newPassword");
fail("Nobody should be able to change an unknown subject");
} catch (EJBException e) {
Exception cause = e.getCausedByException();
assertEquals(IllegalArgumentException.class, cause.getClass());
assertTrue(cause.getMessage().startsWith("No user exists with id"));
}
}
});
}
public void subjectCanUpdateItself() {
executeInTransaction(new TransactionCallback() {
@Override
public void execute() throws Exception {
Subject itestSubject = subjectManager.loginUnauthenticated(ITEST_USER);
Subject changedSubject = new Subject(itestSubject.getName(), itestSubject.getFactive(),
itestSubject.getFsystem());
changedSubject.setId(itestSubject.getId());
changedSubject.setEmailAddress("pipo@molo.com");
try {
changedSubject = subjectManager.updateSubject(itestSubject, changedSubject, "newPassword");
assertEquals("pipo@molo.com", changedSubject.getEmailAddress());
} catch (Exception e) {
LOG.error(e);
fail("Subject should be able to update itself");
}
}
});
}
public void subjectWhitoutManageSecurityPermissionCannotUpdateItsRoles() throws LoginException {
executeInTransaction(new TransactionCallback() {
@Override
public void execute() throws Exception {
Subject itestSubject = subjectManager.loginUnauthenticated(ITEST_USER);
final PageList<Role> allRoles = roleManager.findRoles(PageControl.getUnlimitedInstance());
Subject changedSubject = new Subject(itestSubject.getName(), itestSubject.getFactive(),
itestSubject.getFsystem());
changedSubject.setId(itestSubject.getId());
changedSubject.getRoles().addAll(allRoles);
try {
subjectManager.updateSubject(itestSubject, changedSubject, "newPassword");
fail("Subject whitout " + Permission.MANAGE_SECURITY
+ " permission should not be able to update its roles");
} catch (PermissionException e) {
assertTrue(e.getMessage().contains("is not authorized for"));
}
}
});
}
public void shouldBeAbleToDeleteASubjectWhoOwnsASavedSearch() {
// See https://bugzilla.redhat.com/show_bug.cgi?id=952652
SavedSearch savedSearch = new SavedSearch(SearchSubsystem.GROUP, "fake saved search", "pipo", subjectManager.getSubjectByName(ITEST_USER));
Integer savedSearchId = savedSearchManager.createSavedSearch(subjectManager.getOverlord(), savedSearch);
boolean subjectDeleted = false;
try {
deleteITestSubject();
subjectDeleted = true;
} catch (Exception e) {
LOG.error("Failed to delete a subject who owns a saved search", e);
fail("Failed to delete a subject who owns a saved search");
} finally {
// This is only necessary if we failed to delete subject
if (!subjectDeleted) {
savedSearchManager.deleteSavedSearch(subjectManager.getOverlord(), savedSearchId);
}
}
}
}