CheckAccessIT.java example

Explorer
gerrit-master
// Copyright (C) 2017 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package com.google.gerrit.acceptance.rest.account;

import static com.google.common.truth.Truth.assertThat;
import static org.junit.Assert.fail;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.gerrit.acceptance.AbstractDaemonTest;
import com.google.gerrit.acceptance.TestAccount;
import com.google.gerrit.common.data.Permission;
import com.google.gerrit.extensions.api.config.AccessCheckInfo;
import com.google.gerrit.extensions.api.config.AccessCheckInput;
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.reviewdb.client.AccountGroup;
import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.server.group.SystemGroupBackend;
import java.util.List;
import java.util.Map;
import org.junit.Before;
import org.junit.Test;

public class CheckAccessIT extends AbstractDaemonTest {

  private Project.NameKey normalProject;
  private Project.NameKey secretProject;
  private Project.NameKey secretRefProject;
  private TestAccount privilegedUser;
  private AccountGroup privilegedGroup;

  @Before
  public void setUp() throws Exception {
    normalProject = createProject("normal");
    secretProject = createProject("secret");
    secretRefProject = createProject("secretRef");
    privilegedGroup = groupCache.get(new AccountGroup.NameKey(createGroup("privilegedGroup")));

    privilegedUser = accounts.create("privilegedUser", "snowden@nsa.gov", "Ed Snowden");
    gApi.groups().id(privilegedGroup.getGroupUUID().get()).addMembers(privilegedUser.username);

    assertThat(gApi.groups().id(privilegedGroup.getGroupUUID().get()).members().get(0).email)
        .contains("snowden");

    // deny(secretProject, Permission.READ, SystemGroupBackend.REGISTERED_USERS, "refs/*");
    grant(Permission.READ, secretProject, "refs/*", false, privilegedGroup.getGroupUUID());
    block(Permission.READ, SystemGroupBackend.REGISTERED_USERS, "refs/*", secretProject);

    // deny/grant/block arg ordering is screwy.
    deny(secretRefProject, Permission.READ, SystemGroupBackend.ANONYMOUS_USERS, "refs/*");
    grant(
        Permission.READ,
        secretRefProject,
        "refs/heads/secret/*",
        false,
        privilegedGroup.getGroupUUID());
    block(
        Permission.READ,
        SystemGroupBackend.REGISTERED_USERS,
        "refs/heads/secret/*",
        secretRefProject);
    grant(
        Permission.READ,
        secretRefProject,
        "refs/heads/*",
        false,
        SystemGroupBackend.REGISTERED_USERS);
  }

  @Test
  public void invalidInputs() {
    List<AccessCheckInput> inputs =
        ImmutableList.of(
            new AccessCheckInput(),
            new AccessCheckInput(user.email, null, null),
            new AccessCheckInput(null, normalProject.toString(), null),
            new AccessCheckInput("doesnotexist@invalid.com", normalProject.toString(), null));
    for (AccessCheckInput input : inputs) {
      try {
        gApi.config().server().checkAccess(input);
        fail(String.format("want RestApiException for %s", newGson().toJson(input)));
      } catch (RestApiException e) {

      }
    }
  }

  @Test
  public void accessible() {
    Map<AccessCheckInput, Integer> inputs =
        ImmutableMap.of(
            new AccessCheckInput(user.email, normalProject.get(), null), 200,
            new AccessCheckInput(user.email, secretProject.get(), null), 403,
            new AccessCheckInput(user.email, "nonexistent", null), 404,
            new AccessCheckInput(privilegedUser.email, normalProject.get(), null), 200,
            new AccessCheckInput(privilegedUser.email, secretProject.get(), null), 200);

    for (Map.Entry<AccessCheckInput, Integer> entry : inputs.entrySet()) {
      String in = newGson().toJson(entry.getKey());
      AccessCheckInfo info = null;

      try {
        info = gApi.config().server().checkAccess(entry.getKey());
      } catch (RestApiException e) {
        fail(String.format("check.check(%s): exception %s", in, e));
      }

      int want = entry.getValue();
      if (want != info.status) {
        fail(String.format("check.access(%s) = %d, want %d", in, info.status, want));
      }

      switch (want) {
        case 403:
          assertThat(info.message).contains("cannot see");
          break;
        case 404:
          assertThat(info.message).contains("does not exist");
          break;
        case 200:
          assertThat(info.message).isNull();
          break;
        default:
          fail(String.format("unknown code %d", want));
      }
    }
  }
}