/*
* JBoss, Home of Professional Open Source.
* Copyright 2013, Red Hat, Inc., and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.as.test.integration.domain.rbac;
import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ATTRIBUTES;
import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OPERATIONS;
import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.READ_CHILDREN_RESOURCES_OPERATION;
import static org.jboss.as.test.integration.management.util.ModelUtil.createOpNode;
import org.jboss.as.controller.access.management.AccessConstraintKey;
import org.jboss.as.controller.access.management.ApplicationTypeAccessConstraintDefinition;
import org.jboss.as.controller.access.management.SensitiveTargetAccessConstraintDefinition;
import org.jboss.as.controller.client.ModelControllerClient;
import org.jboss.as.controller.client.helpers.domain.DomainClient;
import org.jboss.as.controller.descriptions.ModelDescriptionConstants;
import org.jboss.as.test.integration.domain.suites.SimpleRbacProviderTestSuite;
import org.jboss.as.test.integration.management.rbac.Outcome;
import org.jboss.as.test.integration.management.rbac.RbacUtil;
import org.jboss.dmr.ModelNode;
import org.jboss.dmr.Property;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
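/**
 * Verifies, against a running domain, where each known access constraint is reported as being applied.
 *
 * <p>For every entry in {@link #EXPECTED_DEFS} the test reads the {@code applies-to} children of the
 * constraint's classification resource and checks that the constraint is used at resource, attribute
 * and/or operation level exactly as the entry declares.
 *
 * <p>Coverage limits worth knowing when relying on this test as an RBAC regression guard:
 * <ul>
 * <li>Only "at least one" is checked per level. A sensitive attribute or operation that silently loses
 * its constraint is not detected as long as some other attribute or operation still carries it.</li>
 * <li>Constraints whose entries are commented out in {@link #EXPECTED_DEFS} are not checked at all.</li>
 * <li>{@link #configureRoles(ModelNode, String[])} is a no-op, so no role-specific permit/deny
 * behaviour is exercised here.</li>
 * </ul>
 *
 * @author Brian Stansberry (c) 2013 Red Hat Inc.
 */
public class AccessConstraintUtilizationTestCase extends AbstractRbacTestCase {

    /**
     * Starts the domain used by this test class and records its master configuration.
     *
     * @throws Exception if the domain cannot be started
     */
    @BeforeClass
    public static void setupDomain() throws Exception {
        // Launch the domain
        testSupport = SimpleRbacProviderTestSuite.createSupport(AccessConstraintUtilizationTestCase.class.getSimpleName());
        masterClientConfig = testSupport.getDomainMasterConfiguration();
        // The returned client was never used here. The call itself is retained because it is not
        // visible from this file whether obtaining the client during setup has a needed side effect.
        testSupport.getDomainMasterLifecycleUtil().getDomainClient();
    }

    /**
     * Drops the reference to the test support and stops the domain.
     *
     * @throws Exception if stopping the domain fails
     */
    @AfterClass
    public static void tearDownDomain() throws Exception {
        testSupport = null;
        SimpleRbacProviderTestSuite.stopSupport();
    }

    /**
     * Expectation for a single access constraint.
     *
     * <p>The test case works by reading the child resources of type 'applies-to' from the classifications
     * representation in the model; this class indicates what the specified constraint is expected to
     * actually apply to, i.e. whether it is used at resource level, against specific attributes or
     * operations, or a combination of these.
     *
     * <p>Note: although a constraint applied at resource level does apply to all attributes, operations and
     * children of that resource, 'applies-to' only shows where it is actually applied.
     */
    private static class ExpectedDef {
        private final AccessConstraintKey key;
        private final boolean expectResource;
        private final boolean expectAttributes;
        private final boolean expectOps;

        /**
         * Creates an expectation.
         *
         * @param key the {@link AccessConstraintKey} key that is to be tested.
         * @param expectResource is it expected that this access constraint is applied to at least one resource?
         * @param expectAttributes is it expected that this access constraint is applied to at least one attribute?
         * @param expectOps is it expected that this access constraint is applied to at least one operation?
         */
        private ExpectedDef(AccessConstraintKey key, boolean expectResource, boolean expectAttributes, boolean expectOps) {
            this.key = key;
            this.expectResource = expectResource;
            this.expectAttributes = expectAttributes;
            this.expectOps = expectOps;
        }
    }

    /** Address template: constraint type, "core" or the subsystem name, classification name. */
    private static final String ADDR_FORMAT =
            "core-service=management/access=authorization/constraint=%s/type=%s/classification=%s";

    /**
     * Constraints checked by {@link #testConstraintUtilization()}. Entries left commented out are
     * not verified by this test; their comments record why (not applicable in a domain, server
     * only, or not part of core).
     */
    private static final ExpectedDef[] EXPECTED_DEFS = {
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.ACCESS_CONTROL.getKey(), true, true, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.CREDENTIAL.getKey(), false, true, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.EXTENSIONS.getKey(), true, false, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.MANAGEMENT_INTERFACES.getKey(), true, true, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.MODULE_LOADING.getKey(), true, false, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.PATCHING.getKey(), true, false, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.READ_WHOLE_CONFIG.getKey(), false, false, true),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.SECURITY_DOMAIN.getKey(), true, false, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.SECURITY_DOMAIN_REF.getKey(), false, true, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.SECURITY_REALM.getKey(), true, false, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.SECURITY_REALM_REF.getKey(), false, true, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.SECURITY_VAULT.getKey(), true, false, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.SERVER_SSL.getKey(), true, false, false),
        /* N/A in domain
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.SERVICE_CONTAINER.getKey(), true, false, false),
        */
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.SOCKET_BINDING_REF.getKey(), false, true, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.SOCKET_CONFIG.getKey(), true, true, true),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.SNAPSHOTS.getKey(), false, false, true),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.SYSTEM_PROPERTY.getKey(), true, true, true),
        // A few subsystem ones
        //this is not part of core
        //new ExpectedDef(getSensKey(UndertowExtension.SUBSYSTEM_NAME, "web-access-log"), true, false, false),
        //new ExpectedDef(getSensKey(DataSourcesExtension.SUBSYSTEM_NAME, "data-source-security"), false, true, false),
        //new ExpectedDef(getSensKey(ResourceAdaptersExtension.SUBSYSTEM_NAME, "resource-adapter-security"), false, true, false),
        /* server only
        new ExpectedDef(getSensKey(JdrReportExtension.SUBSYSTEM_NAME, "jdr"), false, false, true),
        */
        //new ExpectedDef(getSensKey(MessagingExtension.SUBSYSTEM_NAME, "messaging-management"), false, true, false),
        /* N/A on standalone */
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.DOMAIN_CONTROLLER.getKey(), false, true, true),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.DOMAIN_NAMES.getKey(), false, true, false),
        new ExpectedDef(SensitiveTargetAccessConstraintDefinition.JVM.getKey(), false, true, true),
        /* */
        new ExpectedDef(ApplicationTypeAccessConstraintDefinition.DEPLOYMENT.getKey(), true, false, true),
        /* not part of core
        new ExpectedDef(getAppKey(DataSourcesExtension.SUBSYSTEM_NAME, "data-source"), true, false, false),
        new ExpectedDef(getAppKey(DataSourcesExtension.SUBSYSTEM_NAME, "xa-data-source"), true, false, false),
        new ExpectedDef(getAppKey(DataSourcesExtension.SUBSYSTEM_NAME, "jdbc-driver"), true, false, false),
        new ExpectedDef(getAppKey(MessagingExtension.SUBSYSTEM_NAME, "queue"), true, false, false),
        new ExpectedDef(getAppKey(MessagingExtension.SUBSYSTEM_NAME, "jms-queue"), true, false, false),
        new ExpectedDef(getAppKey(MessagingExtension.SUBSYSTEM_NAME, "jms-topic"), true, false, false)
        */
    };

    /**
     * Reads the {@code applies-to} children of every expected constraint and checks the levels
     * (resource, attributes, operations) at which the constraint is reported as applied.
     *
     * @throws Exception if a management operation cannot be executed
     */
    @Test
    public void testConstraintUtilization() throws Exception {
        ModelControllerClient client = testSupport.getDomainMasterLifecycleUtil().getDomainClient();
        for (ExpectedDef expectedDef : EXPECTED_DEFS) {
            AccessConstraintKey acdKey = expectedDef.key;
            String acdType = acdKey.isCore() ? "core" : acdKey.getSubsystemName();
            String path = String.format(ADDR_FORMAT, acdKey.getType(), acdType, acdKey.getName());
            ModelNode op = createOpNode(path, READ_CHILDREN_RESOURCES_OPERATION);
            op.get(ModelDescriptionConstants.CHILD_TYPE).set(ModelDescriptionConstants.APPLIES_TO);
            System.out.println("Testing " + acdKey);
            ModelNode result = RbacUtil.executeOperation(client, op, Outcome.SUCCESS).get(ModelDescriptionConstants.RESULT);
            Assert.assertTrue(acdKey + " result is defined", result.isDefined());
            // NOTE(review): asInt() is presumably the number of applies-to children here -- confirm
            // against ModelNode semantics for this node type.
            Assert.assertTrue(acdKey + " result has content", result.asInt() > 0);

            boolean foundResource = false;
            boolean foundAttr = false;
            boolean foundOps = false;
            for (Property prop : result.asPropertyList()) {
                ModelNode pathResult = prop.getValue();
                // Per applies-to entry: any level the constraint is reported at must be an expected
                // one, so an unexpected kind of use fails immediately with the offending address.
                if (pathResult.get(ModelDescriptionConstants.ENTIRE_RESOURCE).asBoolean()) {
                    Assert.assertTrue(acdKey + " -- " + prop.getName() + " resource", expectedDef.expectResource);
                    foundResource = true;
                }
                ModelNode attrs = pathResult.get(ATTRIBUTES);
                if (attrs.isDefined() && attrs.asInt() > 0) {
                    Assert.assertTrue(acdKey + " -- " + prop.getName() + " attributes = " + attrs.asString(), expectedDef.expectAttributes);
                    foundAttr = true;
                }
                ModelNode ops = pathResult.get(OPERATIONS);
                if (ops.isDefined() && ops.asInt() > 0) {
                    Assert.assertTrue(acdKey + " -- " + prop.getName() + " operations = " + ops.asString(), expectedDef.expectOps);
                    foundOps = true;
                }
            }

            // Across all entries: each expected level must have been seen at least once. This does
            // not pin which addresses, attributes or operations carry the constraint, so removing the
            // constraint from one of several protected items is not caught here.
            Assert.assertEquals(acdKey + " -- resource", expectedDef.expectResource, foundResource);
            Assert.assertEquals(acdKey + " -- attributes", expectedDef.expectAttributes, foundAttr);
            Assert.assertEquals(acdKey + " -- operations", expectedDef.expectOps, foundOps);
        }
    }

    /**
     * Builds the key of a non-core application-type constraint. Currently referenced only by the
     * commented-out entries of {@link #EXPECTED_DEFS}.
     *
     * @param subsystemName name of the subsystem that defines the constraint
     * @param name the constraint name
     * @return the key
     */
    private static AccessConstraintKey getAppKey(String subsystemName, String name) {
        return new AccessConstraintKey(ModelDescriptionConstants.APPLICATION_CLASSIFICATION, false, subsystemName, name);
    }

    /**
     * Builds the key of a non-core sensitivity constraint. Currently referenced only by the
     * commented-out entries of {@link #EXPECTED_DEFS}.
     *
     * @param subsystemName name of the subsystem that defines the constraint
     * @param name the constraint name
     * @return the key
     */
    private static AccessConstraintKey getSensKey(String subsystemName, String name) {
        return new AccessConstraintKey(ModelDescriptionConstants.SENSITIVITY_CLASSIFICATION, false, subsystemName, name);
    }

    /**
     * Intentionally does nothing: this test does not attach roles to the operations it runs.
     *
     * @param op the operation that would receive the roles
     * @param roles the roles that would be applied
     */
    @Override
    protected void configureRoles(ModelNode op, String[] roles) {
        // no-op
    }
}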