From: rlevas@apache.org To: commits@ambari.apache.org Message-Id: <9afd19a72a2949cc9b124e8cec3d686d@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: ambari git commit: AMBARI-14197. Enforce granular role-based access control for Views functions (rlevas) Date: Thu, 10 Dec 2015 18:08:14 +0000 (UTC) Repository: ambari Updated Branches: refs/heads/trunk 5ed67a090 -> 1c218dc74 AMBARI-14197. Enforce granular role-based access control for Views functions (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/1c218dc7 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/1c218dc7 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/1c218dc7 Branch: refs/heads/trunk Commit: 1c218dc749e4b7687b52cbbd7ef7ef5f471aa886 Parents: 5ed67a0 Author: Robert Levas Authored: Thu Dec 10 13:07:55 2015 -0500 Committer: Robert Levas Committed: Thu Dec 10 13:08:04 2015 -0500 ---------------------------------------------------------------------- .../api/services/ViewInstanceService.java | 52 ++++++------------ .../internal/ViewInstanceResourceProvider.java | 15 +++-- .../internal/ViewPrivilegeResourceProvider.java | 8 +++ .../internal/ViewResourceProvider.java | 16 ++++-- .../AmbariAuthorizationFilter.java | 31 +---------- .../authorization/AuthorizationHelper.java | 20 +++++++ .../apache/ambari/server/view/ViewRegistry.java | 42 +++++++------- .../ViewInstanceResourceProviderTest.java | 41 +++++++++++++- .../security/TestAuthenticationFactory.java | 45 ++++++++++++++- .../AmbariAuthorizationFilterTest.java | 49 ++++++----------- .../ambari/server/view/ViewRegistryTest.java | 58 ++++++++------------ 11 files changed, 212 insertions(+), 165 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/api/services/ViewInstanceService.java 
---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/api/services/ViewInstanceService.java b/ambari-server/src/main/java/org/apache/ambari/server/api/services/ViewInstanceService.java index 05c5079..1eea8db 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/api/services/ViewInstanceService.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/api/services/ViewInstanceService.java @@ -1,4 +1,4 @@ -/** +/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information @@ -21,6 +21,7 @@ package org.apache.ambari.server.api.services; import org.apache.ambari.server.api.resources.ResourceInstance; import org.apache.ambari.server.controller.spi.Resource; import org.apache.ambari.server.orm.entities.ViewInstanceEntity; +import org.apache.ambari.server.security.authorization.AuthorizationException; import org.apache.ambari.server.view.ViewRegistry; import javax.ws.rs.DELETE; @@ -68,7 +69,7 @@ public class ViewInstanceService extends BaseService { */ public ViewInstanceService(String viewName, String version) { this.viewName = viewName; - this.version = version; + this.version = version; viewRegistry = ViewRegistry.getInstance(); } @@ -90,11 +91,8 @@ public class ViewInstanceService extends BaseService { @Path("{instanceName}") @Produces("text/plain") public Response getService(String body, @Context HttpHeaders headers, @Context UriInfo ui, - @PathParam("instanceName") String instanceName) { - - hasPermission(Request.Type.GET, instanceName); - return handleRequest(headers, body, ui, Request.Type.GET, - createResource(viewName, version, instanceName)); + @PathParam("instanceName") String instanceName) throws AuthorizationException { + return handleRequest(headers, body, ui, Request.Type.GET, createResource(viewName, version, instanceName)); } /** 
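Review bot: The `hasPermission(Request.Type.GET, instanceName)` call removed from `getService` was the only authorization check visible in this handler, and the same removal repeats in `getServices`, `createService`, `createServices`, `updateService`, `updateServices` and `deleteService` in the following hunks, so enforcement now depends entirely on the resource provider reached through `handleRequest`. The Javadoc above each handler should say so and document the new checked exception, for example `@throws AuthorizationException if the authenticated user is not authorized to perform the operation`. How an `AuthorizationException` thrown from a JAX-RS method becomes a 403 response is not visible in this diff, so it is worth confirming that it does not surface as a 500. The handlers' Javadoc blocks start outside the hunks.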
@@ -108,11 +106,8 @@ public class ViewInstanceService extends BaseService { */ @GET @Produces("text/plain") - public Response getServices(String body, @Context HttpHeaders headers, @Context UriInfo ui) { - - hasPermission(Request.Type.GET, null); - return handleRequest(headers, body, ui, Request.Type.GET, - createResource(viewName, version, null)); + public Response getServices(String body, @Context HttpHeaders headers, @Context UriInfo ui) throws AuthorizationException { + return handleRequest(headers, body, ui, Request.Type.GET, createResource(viewName, version, null)); } /** @@ -130,10 +125,8 @@ public class ViewInstanceService extends BaseService { @Path("{instanceName}") @Produces("text/plain") public Response createService(String body, @Context HttpHeaders headers, @Context UriInfo ui, - @PathParam("instanceName") String instanceName) { - hasPermission(Request.Type.POST, instanceName); - return handleRequest(headers, body, ui, Request.Type.POST, - createResource(viewName, version, instanceName)); + @PathParam("instanceName") String instanceName) throws AuthorizationException { + return handleRequest(headers, body, ui, Request.Type.POST, createResource(viewName, version, instanceName)); } /** @@ -148,11 +141,8 @@ public class ViewInstanceService extends BaseService { */ @POST @Produces("text/plain") - public Response createServices(String body, @Context HttpHeaders headers, @Context UriInfo ui) { - - hasPermission(Request.Type.POST, null); - return handleRequest(headers, body, ui, Request.Type.POST, - createResource(viewName, version, null)); + public Response createServices(String body, @Context HttpHeaders headers, @Context UriInfo ui) throws AuthorizationException { + return handleRequest(headers, body, ui, Request.Type.POST, createResource(viewName, version, null)); } /** 
@@ -170,10 +160,8 @@ public class ViewInstanceService extends BaseService { @Path("{instanceName}") @Produces("text/plain") public Response updateService(String body, @Context HttpHeaders headers, @Context UriInfo ui, - @PathParam("instanceName") String instanceName) { - - hasPermission(Request.Type.PUT, instanceName); - return handleRequest(headers, body, ui, Request.Type.PUT, createResource(viewName, version, instanceName)); + @PathParam("instanceName") String instanceName) throws AuthorizationException { + return handleRequest(headers, body, ui, Request.Type.PUT, createResource(viewName, version, instanceName)); } /** @@ -188,10 +176,8 @@ public class ViewInstanceService extends BaseService { */ @PUT @Produces("text/plain") - public Response updateServices(String body, @Context HttpHeaders headers, @Context UriInfo ui) { - - hasPermission(Request.Type.PUT, null); - return handleRequest(headers, body, ui, Request.Type.PUT, createResource(viewName, version, null)); + public Response updateServices(String body, @Context HttpHeaders headers, @Context UriInfo ui) throws AuthorizationException { + return handleRequest(headers, body, ui, Request.Type.PUT, createResource(viewName, version, null)); } /** @@ -208,10 +194,8 @@ public class ViewInstanceService extends BaseService { @Path("{instanceName}") @Produces("text/plain") public Response deleteService(@Context HttpHeaders headers, @Context UriInfo ui, - @PathParam("instanceName") String instanceName) { - - hasPermission(Request.Type.DELETE, instanceName); - return handleRequest(headers, null, ui, Request.Type.DELETE, createResource(viewName, version, instanceName)); + @PathParam("instanceName") String instanceName) throws AuthorizationException { + return handleRequest(headers, null, ui, Request.Type.DELETE, createResource(viewName, version, instanceName)); } /** 
@@ -269,7 +253,7 @@ public class ViewInstanceService extends BaseService { * @return a view instance resource */ private ResourceInstance createResource(String viewName, String viewVersion, String instanceName) { - Map mapIds = new HashMap(); + Map mapIds = new HashMap(); mapIds.put(Resource.Type.View, viewName); mapIds.put(Resource.Type.ViewVersion, viewVersion); mapIds.put(Resource.Type.ViewInstance, instanceName); http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProvider.java index 71d0826..750a347 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProvider.java @@ -34,6 +34,7 @@ import org.apache.ambari.server.controller.utilities.PropertyHelper; import org.apache.ambari.server.orm.entities.ViewEntity; import org.apache.ambari.server.orm.entities.ViewInstanceDataEntity; import org.apache.ambari.server.orm.entities.ViewInstanceEntity; +import org.apache.ambari.server.security.authorization.RoleAuthorization; import org.apache.ambari.server.view.ViewRegistry; import org.apache.ambari.server.view.validation.InstanceValidationResultImpl; import org.apache.ambari.server.view.validation.ValidationException; @@ -41,6 +42,7 @@ import org.apache.ambari.server.view.validation.ValidationResultImpl; import org.apache.ambari.view.validation.Validator; import java.util.Collections; +import java.util.EnumSet; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; 
@@ -50,7 +52,7 @@ import java.util.Set; /** * Resource provider for view instances. */ -public class ViewInstanceResourceProvider extends AbstractResourceProvider { +public class ViewInstanceResourceProvider extends AbstractAuthorizedResourceProvider { /** * View instance property id constants. @@ -118,13 +120,18 @@ public class ViewInstanceResourceProvider extends AbstractResourceProvider { */ public ViewInstanceResourceProvider() { super(propertyIds, keyPropertyIds); + + EnumSet requiredAuthorizations = EnumSet.of(RoleAuthorization.AMBARI_MANAGE_VIEWS); + setRequiredCreateAuthorizations(requiredAuthorizations); + setRequiredDeleteAuthorizations(requiredAuthorizations); + setRequiredUpdateAuthorizations(requiredAuthorizations); } // ----- ResourceProvider -------------------------------------------------- @Override - public RequestStatus createResources(Request request) + protected RequestStatus createResourcesAuthorized(Request request) throws SystemException, UnsupportedPropertyException, ResourceAlreadyExistsException, NoSuchParentResourceException { for (Map properties : request.getProperties()) { @@ -176,7 +183,7 @@ public class ViewInstanceResourceProvider extends AbstractResourceProvider { } @Override - public RequestStatus updateResources(Request request, Predicate predicate) + protected RequestStatus updateResourcesAuthorized(Request request, Predicate predicate) throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException { Iterator> iterator = request.getProperties().iterator(); 
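Review bot: The constructor in the `@@ -118,13 +120,18 @@` hunk sets required authorizations for create, delete and update but not for get, while `ViewPrivilegeResourceProvider` in this same commit also calls `setRequiredGetAuthorizations`. Because `ViewInstanceService` no longer calls `hasPermission` for GET requests, read access to view instances is decided only by `getResources`, which is outside the hunks; if the omission is intentional, a comment such as `// Reads are not gated here; getResources decides which instances the caller may see.` would record that. The one `EnumSet` instance is also handed to all three setters, and if they store the reference rather than a copy, a later change to one set would change the others; passing `EnumSet.copyOf(requiredAuthorizations)` to each setter avoids that. The `ViewResourceProvider` constructor later in the diff has the same shape.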
@@ -191,7 +198,7 @@ public class ViewInstanceResourceProvider extends AbstractResourceProvider { } @Override - public RequestStatus deleteResources(Predicate predicate) + protected RequestStatus deleteResourcesAuthorized(Predicate predicate) throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException { modifyResources(getDeleteCommand(predicate)); http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java index a1a9c46..e5bd224 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProvider.java @@ -18,6 +18,7 @@ package org.apache.ambari.server.controller.internal; import java.util.Collections; +import java.util.EnumSet; import java.util.HashMap; import java.util.HashSet; import java.util.Map; @@ -34,6 +35,7 @@ import org.apache.ambari.server.orm.entities.UserEntity; import org.apache.ambari.server.orm.entities.ViewEntity; import org.apache.ambari.server.orm.entities.ViewInstanceEntity; import org.apache.ambari.server.security.authorization.ResourceType; +import org.apache.ambari.server.security.authorization.RoleAuthorization; import org.apache.ambari.server.view.ViewRegistry; /** 
@@ -88,6 +90,12 @@ public class ViewPrivilegeResourceProvider extends PrivilegeResourceProvider requiredAuthorizations = EnumSet.of(RoleAuthorization.AMBARI_MANAGE_VIEWS); + setRequiredCreateAuthorizations(requiredAuthorizations); + setRequiredDeleteAuthorizations(requiredAuthorizations); + setRequiredGetAuthorizations(requiredAuthorizations); + setRequiredUpdateAuthorizations(requiredAuthorizations); } http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewResourceProvider.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewResourceProvider.java index bc92a91..ee01927 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ViewResourceProvider.java @@ -28,9 +28,11 @@ import org.apache.ambari.server.controller.spi.ResourceAlreadyExistsException; import org.apache.ambari.server.controller.spi.SystemException; import org.apache.ambari.server.controller.spi.UnsupportedPropertyException; import org.apache.ambari.server.orm.entities.ViewEntity; +import org.apache.ambari.server.security.authorization.RoleAuthorization; import org.apache.ambari.server.view.ViewRegistry; import java.util.Collections; +import java.util.EnumSet; import java.util.HashMap; import java.util.HashSet; import java.util.Map; @@ -39,7 +41,7 @@ import java.util.Set; /** * Resource provider for view instances. */ -public class ViewResourceProvider extends AbstractResourceProvider { +public class ViewResourceProvider extends AbstractAuthorizedResourceProvider { /** * View property id constants. 
@@ -71,13 +73,18 @@ public class ViewResourceProvider extends AbstractResourceProvider { */ public ViewResourceProvider() { super(propertyIds, keyPropertyIds); + + EnumSet requiredAuthorizations = EnumSet.of(RoleAuthorization.AMBARI_MANAGE_VIEWS); + setRequiredCreateAuthorizations(requiredAuthorizations); + setRequiredDeleteAuthorizations(requiredAuthorizations); + setRequiredUpdateAuthorizations(requiredAuthorizations); } // ----- ResourceProvider -------------------------------------------------- @Override - public RequestStatus createResources(Request request) + protected RequestStatus createResourcesAuthorized(Request request) throws SystemException, UnsupportedPropertyException, ResourceAlreadyExistsException, NoSuchParentResourceException { throw new UnsupportedOperationException("Not yet supported."); @@ -112,17 +119,18 @@ public class ViewResourceProvider extends AbstractResourceProvider { } } } + return resources; } @Override - public RequestStatus updateResources(Request request, Predicate predicate) + protected RequestStatus updateResourcesAuthorized(Request request, Predicate predicate) throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException { throw new UnsupportedOperationException("Not yet supported."); } @Override - public RequestStatus deleteResources(Predicate predicate) + protected RequestStatus deleteResourcesAuthorized(Predicate predicate) throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException { throw new UnsupportedOperationException("Not yet supported."); } http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java index 5146cca..d817ad7 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java @@ -20,7 +20,6 @@ package org.apache.ambari.server.security.authorization; import java.io.IOException; import java.security.Principal; -import java.util.regex.Matcher; import java.util.regex.Pattern; import javax.servlet.Filter; @@ -36,7 +35,6 @@ import com.google.inject.Inject; import org.apache.ambari.server.configuration.Configuration; import org.apache.ambari.server.orm.entities.PermissionEntity; import org.apache.ambari.server.orm.entities.PrivilegeEntity; -import org.apache.ambari.server.orm.entities.ViewInstanceEntity.ViewInstanceVersionDTO; import org.apache.ambari.server.security.authorization.internal.InternalAuthenticationToken; import org.apache.ambari.server.view.ViewRegistry; import org.apache.commons.lang.StringUtils; @@ -191,17 +189,9 @@ public class AmbariAuthorizationFilter implements Filter { } } - if (!authorized && requestURI.matches(VIEWS_CONTEXT_PATH_PATTERN)) { - final ViewInstanceVersionDTO dto = parseViewInstanceInfo(requestURI); - authorized = getViewRegistry().checkPermission(dto.getViewName(), dto.getVersion(), dto.getInstanceName(), true); - } - - // allow GET for everything except /views, /api/v1/users, /api/v1/groups, /api/v1/ldap_sync_events if (!authorized && (!httpRequest.getMethod().equals("GET") - || requestURI.matches(VIEWS_CONTEXT_ALL_PATTERN) - || requestURI.matches(API_GROUPS_ALL_PATTERN) || requestURI.matches(API_LDAP_SYNC_EVENTS_ALL_PATTERN))) { httpResponse.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\""); 
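Review bot: The `@@ -191,17 +189,9 @@` hunk removes the `checkPermission` call for `VIEWS_CONTEXT_PATH_PATTERN` and drops both `VIEWS_CONTEXT_ALL_PATTERN` and `API_GROUPS_ALL_PATTERN` from the URIs for which a GET is refused, so the filter no longer rejects those requests itself. For the views paths, the later `@@ -264,6 +254,8 @@` hunk adds `API_VIEWS_ALL_PATTERN` and `VIEWS_CONTEXT_PATH_PATTERN` to a pattern list whose enclosing method is outside the hunk, which presumably defers the decision to downstream code; nothing in this diff shows an equivalent downstream check for `/api/v1/groups`, and that change is not mentioned in the commit message. The removed comment was the only description of the GET exceptions, so the remaining condition should get an updated one, for example `// allow GET for everything except /api/v1/ldap_sync_events; views are authorized downstream`. A filter test asserting that an unprivileged user is still refused on a view context path and on the groups API would pin the intended behaviour.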
@@ -264,6 +254,8 @@ public class AmbariAuthorizationFilter implements Filter { requestURI.matches(API_CLUSTER_SERVICES_ALL_PATTERN) || requestURI.matches(API_CLUSTERS_PATTERN) || requestURI.matches(API_STACK_VERSIONS_PATTERN) || + requestURI.matches(API_VIEWS_ALL_PATTERN) || + requestURI.matches(VIEWS_CONTEXT_PATH_PATTERN) || requestURI.matches(API_WIDGET_LAYOUTS_PATTERN) || requestURI.matches(API_HOSTS_ALL_PATTERN) || requestURI.matches(API_HOSTS_ALL) || @@ -296,25 +288,6 @@ public class AmbariAuthorizationFilter implements Filter { return value == null || value.length() == 0 ? defaultValue : value; } - /** - * Parses context path into view name, version and instance name - * - * @param contextPath the context path - * @return null if context path doesn't match correct pattern - */ - static ViewInstanceVersionDTO parseViewInstanceInfo(String contextPath) { - final Pattern pattern = Pattern.compile(VIEWS_CONTEXT_PATH_PATTERN); - final Matcher matcher = pattern.matcher(contextPath); - if (!matcher.matches()) { - return null; - } else { - final String viewName = matcher.group(1); - final String version = matcher.group(2); - final String instanceName = matcher.group(3); - return new ViewInstanceVersionDTO(viewName, version, instanceName); - } - } - SecurityContext getSecurityContext() { return SecurityContextHolder.getContext(); } http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java index 1b3e6f4..565c487 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java 
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java @@ -215,6 +215,26 @@ public class AuthorizationHelper { * * @param resourceType a resource type being acted upon * @param resourceId the resource id (relative to the resource type) being acted upon + * @param requiredAuthorization the required authorization + * @throws AuthorizationException if authorization is not granted + * @see #isAuthorized(ResourceType, Long, Set) + */ + public static void verifyAuthorization(ResourceType resourceType, + Long resourceId, + RoleAuthorization requiredAuthorization) + throws AuthorizationException { + verifyAuthorization(resourceType, resourceId, EnumSet.of(requiredAuthorization)); + } + + /** + * Determines if the authenticated user (from application's security context) is authorized to + * perform an operation on the the specific resource by matching the authenticated user's + * authorizations with one from the provided set of authorizations. + *

+ * If not authorized, an {@link AuthorizationException} will be thrown. + * + * @param resourceType a resource type being acted upon + * @param resourceId the resource id (relative to the resource type) being acted upon * @param requiredAuthorizations a set of requirements for which one match will allow authorization * @throws AuthorizationException if authorization is not granted * @see #isAuthorized(ResourceType, Long, Set) http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java index 895e987..8c6c2a7 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java @@ -63,7 +63,9 @@ import org.apache.ambari.server.orm.entities.ViewInstanceEntity; import org.apache.ambari.server.orm.entities.ViewParameterEntity; import org.apache.ambari.server.orm.entities.ViewResourceEntity; import org.apache.ambari.server.security.SecurityHelper; -import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority; +import org.apache.ambari.server.security.authorization.AuthorizationHelper; +import org.apache.ambari.server.security.authorization.ResourceType; +import org.apache.ambari.server.security.authorization.RoleAuthorization; import org.apache.ambari.server.state.Clusters; import org.apache.ambari.server.state.StackId; import org.apache.ambari.server.state.stack.OsFamily; 
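Review bot: The Javadoc added for the single-authorization `verifyAuthorization` overload points to `@see #isAuthorized(ResourceType, Long, Set)`, which is the set-based variant; `@see #isAuthorized(ResourceType, Long, RoleAuthorization)` matches the overload this method mirrors (that signature is called from `ViewRegistry.checkAuthorization` in this commit). The re-added description also reads `on the the specific resource`, which should be `on the specific resource`. `EnumSet.of(requiredAuthorization)` throws a `NullPointerException` on a null argument, so the `@param` text should state that `requiredAuthorization` must not be null. The start of the first Javadoc block is outside the hunk.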
@@ -91,7 +93,6 @@ import org.apache.ambari.view.events.Event; import org.apache.ambari.view.events.Listener; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.springframework.security.core.GrantedAuthority; import javax.inject.Inject; import javax.inject.Provider; 
@@ -1394,29 +1395,24 @@ public class ViewRegistry { // check that the current user is authorized to access the given view instance resource private boolean checkAuthorization(ResourceEntity resourceEntity) { - for (GrantedAuthority grantedAuthority : securityHelper.getCurrentAuthorities()) { - if (grantedAuthority instanceof AmbariGrantedAuthority) { - - AmbariGrantedAuthority authority = (AmbariGrantedAuthority) grantedAuthority; - PrivilegeEntity privilegeEntity = authority.getPrivilegeEntity(); - Integer permissionId = privilegeEntity.getPermission().getId(); - - // admin has full access - if (permissionId.equals(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION)) { - return true; - } - if (resourceEntity != null) { - // VIEW.USER for the given view instance resource. - if (privilegeEntity.getResource().equals(resourceEntity)) { - if (permissionId.equals(PermissionEntity.VIEW_USER_PERMISSION)) { - return true; - } - } - } + Long resourceId = null; + + // Get the relevant resource id from the ResourceEntity. Essentially, this will need to be + // the resource's Id, but for now it needs to be the resource type Id due to the existing architecture + // of the authorization (admin*) tables. + if(resourceEntity != null) { + ResourceTypeEntity resourceType = resourceEntity.getResourceType(); + + if(resourceType != null) { + Integer resourceTypeId = resourceType.getId(); + if (resourceTypeId != null) + resourceId = resourceTypeId.longValue(); } } - // TODO : should we log this? - return false; + + return (resourceId == null) + ? AuthorizationHelper.isAuthorized(ResourceType.AMBARI, null, RoleAuthorization.AMBARI_MANAGE_VIEWS) + : AuthorizationHelper.isAuthorized(ResourceType.VIEW, resourceId, RoleAuthorization.VIEW_USE); } // fire the onDeploy event. 
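Review bot: `checkAuthorization` now passes the resource type id, not the resource's own id, to `AuthorizationHelper.isAuthorized(ResourceType.VIEW, resourceId, RoleAuthorization.VIEW_USE)`, whereas the removed code compared `privilegeEntity.getResource()` with the specific `resourceEntity`. If two view instances share a resource type, a `VIEW_USE` grant on one instance may now authorize access to the other; the new comment acknowledges the limitation, but it should carry a tracked `TODO` and a test with two instances of one view. The removed `// TODO : should we log this?` is dropped without a replacement, so a denied check leaves no trace in this method. The unbraced `if (resourceTypeId != null)` should be written as `if (resourceTypeId != null) { resourceId = resourceTypeId.longValue(); }`.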
http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProviderTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProviderTest.java index 1af7264..4b6700d 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProviderTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewInstanceResourceProviderTest.java @@ -26,13 +26,18 @@ import org.apache.ambari.server.controller.utilities.PropertyHelper; import org.apache.ambari.server.orm.entities.ViewEntity; import org.apache.ambari.server.orm.entities.ViewInstanceDataEntity; import org.apache.ambari.server.orm.entities.ViewInstanceEntity; +import org.apache.ambari.server.security.TestAuthenticationFactory; +import org.apache.ambari.server.security.authorization.AuthorizationException; import org.apache.ambari.server.view.ViewRegistry; import org.apache.ambari.server.view.configuration.ViewConfig; import org.apache.ambari.view.ViewDefinition; import org.easymock.Capture; +import org.junit.After; import org.junit.Assert; import org.junit.Before; import org.junit.Test; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContextHolder; import java.util.Collections; import java.util.HashMap; @@ -57,6 +62,11 @@ public class ViewInstanceResourceProviderTest { reset(singleton); } + @After + public void clearAuthentication() { + SecurityContextHolder.getContext().setAuthentication(null); + } + @Test public void testToResource() throws Exception { ViewInstanceResourceProvider provider = new ViewInstanceResourceProvider(); 
@@ -108,7 +118,16 @@ public class ViewInstanceResourceProviderTest { } @Test - public void testCreateResources() throws Exception { + public void testCreateResourcesAsAdministrator() throws Exception { + testCreateResources(TestAuthenticationFactory.createAdministrator()); + } + + @Test(expected = AuthorizationException.class) + public void testCreateResourcesAsClusterAdministrator() throws Exception { + testCreateResources(TestAuthenticationFactory.createClusterAdministrator()); + } + + private void testCreateResources(Authentication authentication) throws Exception { ViewInstanceResourceProvider provider = new ViewInstanceResourceProvider(); Set> properties = new HashSet>(); @@ -156,6 +175,8 @@ public class ViewInstanceResourceProviderTest { replay(singleton); + SecurityContextHolder.getContext().setAuthentication(authentication); + // as admin provider.createResources(PropertyHelper.getCreateRequest(properties, null)); assertEquals(viewInstanceEntity, instanceEntityCapture.getValue()); @@ -204,6 +225,8 @@ public class ViewInstanceResourceProviderTest { replay(singleton); + SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator()); + try { provider.createResources(PropertyHelper.getCreateRequest(properties, null)); fail("Expected ResourceAlreadyExistsException."); @@ -243,6 +266,8 @@ public class ViewInstanceResourceProviderTest { replay(singleton); + SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator()); + try { provider.createResources(PropertyHelper.getCreateRequest(properties, null)); fail("Expected IllegalStateException."); @@ -280,6 +305,8 @@ public class ViewInstanceResourceProviderTest { replay(singleton); + SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator()); + provider.updateResources(PropertyHelper.getCreateRequest(properties, null), predicate); Assert.assertNull(viewInstanceEntity.getIcon()); 
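Review bot: The update path gets no negative test: the `@@ -280,6 +305,8 @@` hunk only sets `TestAuthenticationFactory.createAdministrator()` before `provider.updateResources(...)`, while create and delete each gain an `AsClusterAdministrator` case expecting `AuthorizationException`. Adding a matching `testUpdateResourcesAsClusterAdministrator` annotated `@Test(expected = AuthorizationException.class)` would cover the third authorization set in the `ViewInstanceResourceProvider` constructor. The `// as admin` comment in the shared `testCreateResources(Authentication)` helper is not accurate for every caller, since the helper is also run as a cluster administrator.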
@@ -288,7 +315,16 @@ public class ViewInstanceResourceProviderTest { } @Test - public void testDeleteResources_viewNotLoaded() throws Exception { + public void testDeleteResourcesAsAdministrator() throws Exception { + testDeleteResources(TestAuthenticationFactory.createAdministrator()); + } + + @Test(expected = AuthorizationException.class) + public void testDeleteResourcesAsClusterAdministrator() throws Exception { + testDeleteResources(TestAuthenticationFactory.createClusterAdministrator()); + } + + private void testDeleteResources(Authentication authentication) throws Exception { ViewInstanceResourceProvider provider = new ViewInstanceResourceProvider(); PredicateBuilder predicateBuilder = new PredicateBuilder(); @@ -307,6 +343,7 @@ public class ViewInstanceResourceProviderTest { replay(singleton); + SecurityContextHolder.getContext().setAuthentication(authentication); provider.deleteResources(predicate); verify(singleton); http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java index 8abe757..692133f 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java 
@@ -76,6 +76,14 @@ public class TestAuthenticationFactory { return new TestAuthorization(name, Collections.singleton(createClusterUserGrantedAuthority())); } + public static Authentication createViewUser(Long viewResourceId) { + return createViewUser("viewUser", viewResourceId); + } + + public static Authentication createViewUser(String name, Long viewResourceId) { + return new TestAuthorization(name, Collections.singleton(createViewUserGrantedAuthority(viewResourceId))); + } + private static GrantedAuthority createAdministratorGrantedAuthority() { return new AmbariGrantedAuthority(createAdministratorPrivilegeEntity()); } @@ -96,6 +104,10 @@ public class TestAuthenticationFactory { return new AmbariGrantedAuthority(createClusterUserPrivilegeEntity()); } + private static GrantedAuthority createViewUserGrantedAuthority(Long resourceId) { + return new AmbariGrantedAuthority(createViewUserPrivilegeEntity(resourceId)); + } + private static PrivilegeEntity createAdministratorPrivilegeEntity() { PrivilegeEntity privilegeEntity = new PrivilegeEntity(); privilegeEntity.setResource(createAmbariResourceEntity()); @@ -131,6 +143,13 @@ public class TestAuthenticationFactory { return privilegeEntity; } + private static PrivilegeEntity createViewUserPrivilegeEntity(Long resourceId) { + PrivilegeEntity privilegeEntity = new PrivilegeEntity(); + privilegeEntity.setResource(createViewResourceEntity(resourceId)); + privilegeEntity.setPermission(createViewUserPermission()); + return privilegeEntity; + } + private static PermissionEntity createAdministratorPermission() { PermissionEntity permissionEntity = new PermissionEntity(); permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.AMBARI)); 
@@ -251,6 +270,15 @@ public class TestAuthenticationFactory { return permissionEntity; } + private static PermissionEntity createViewUserPermission() { + PermissionEntity permissionEntity = new PermissionEntity(); + permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER)); + permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of( + RoleAuthorization.VIEW_USE + ))); + return permissionEntity; + } + private static ResourceEntity createAmbariResourceEntity() { ResourceEntity resourceEntity = new ResourceEntity(); resourceEntity.setId(null); @@ -265,10 +293,23 @@ public class TestAuthenticationFactory { return resourceEntity; } + private static ResourceEntity createViewResourceEntity(Long resourceId) { + ResourceEntity resourceEntity = new ResourceEntity(); + resourceEntity.setId(resourceId); + if(resourceId != null) { + resourceEntity.setResourceType(createResourceTypeEntity(ResourceType.VIEW.name(), resourceId.intValue())); + } + return resourceEntity; + } + private static ResourceTypeEntity createResourceTypeEntity(ResourceType resourceType) { + return createResourceTypeEntity(resourceType.name(), resourceType.getId()); + } + + private static ResourceTypeEntity createResourceTypeEntity(String resourceName, Integer resourceId) { ResourceTypeEntity resourceTypeEntity = new ResourceTypeEntity(); - resourceTypeEntity.setId(resourceType.getId()); - resourceTypeEntity.setName(resourceType.name()); + resourceTypeEntity.setId(resourceId.intValue()); + resourceTypeEntity.setName(resourceName); return resourceTypeEntity; } http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java ---------------------------------------------------------------------- 
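Review bot: `createViewUserPermission()` builds the view-user permission with `ResourceType.CLUSTER`, while the resource it is attached to in `createViewResourceEntity` is typed `ResourceType.VIEW`; this looks like a copy from the cluster-user factory. If the authorization check compares the permission's resource type, a fixture that disagrees with itself can make a test pass or fail for the wrong reason. Unless the mismatch is deliberate, use `permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.VIEW));`, and if it is deliberate, say why in a comment.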
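Review bot: `createViewResourceEntity` in the `@@ -265,10 +293,23 @@` hunk passes `resourceId.intValue()` as the resource type id, so the view instance's id and the id of its type are the same number in every fixture, and tests built on it cannot catch a check that confuses the two. I would keep them separate with `resourceEntity.setResourceType(createResourceTypeEntity(ResourceType.VIEW));`. With a null `resourceId` the entity is returned with no resource type at all, and the new `createResourceTypeEntity(String, Integer)` overload unboxes its `Integer` without a null check; both need either a guard or a comment stating what a null id is meant to represent. The second parameter of that overload is a type id, so `resourceTypeId` would be a clearer name than `resourceId`.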
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
index 03a7442..4cab770 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
@@ -202,7 +202,7 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/api/v1/clusters/cluster", "GET", true);
 urlTests.put("/api/v1/clusters/cluster", "POST", true);
 urlTests.put("/api/v1/views", "GET", true);
- urlTests.put("/api/v1/views", "POST", false);
+ urlTests.put("/api/v1/views", "POST", true);
 urlTests.put("/api/v1/persist/SomeValue", "GET", true);
 urlTests.put("/api/v1/persist/SomeValue", "POST", false);
 urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", true);
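Review bot: With these expectations flipped to `true`, this test no longer shows the filter refusing a `POST` to `/api/v1/views` or any `/views/...` context path for the identities it covers, including the `/views/DeniedView/AnotherVersion/AnotherInstance` entries in the `@@ -213`, `@@ -246`, `@@ -281` and `@@ -312` hunks. That is consistent with the check moving out of the filter, but the denial then has to be pinned where it now lives: the visible tests cover create and delete through `ViewInstanceResourceProvider` and `ViewRegistry.includeDefinition`, and none of them requests a view instance's context path as a user who lacks `VIEW_USE` on it. I would add that negative case at the new enforcement point, and a short comment above these `urlTests` entries saying that `true` means "not blocked by the filter" rather than "authorized". The enclosing test methods start outside the hunks, so which role each map belongs to is not visible here.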
@@ -213,10 +213,10 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", true);
 urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", true);
 urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", true);
- urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", false);
- urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", false);
- urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", false);
- urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", false);
+ urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", true);
+ urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", true);
+ urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", true);
+ urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", true);
 urlTests.put("/api/v1/users/user1", "GET", true);
 urlTests.put("/api/v1/users/user1", "POST", true);
 urlTests.put("/api/v1/users/user2", "GET", true);
@@ -235,7 +235,7 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/api/v1/clusters/cluster", "GET", true);
 urlTests.put("/api/v1/clusters/cluster", "POST", true);
 urlTests.put("/api/v1/views", "GET", true);
- urlTests.put("/api/v1/views", "POST", false);
+ urlTests.put("/api/v1/views", "POST", true);
 urlTests.put("/api/v1/persist/SomeValue", "GET", true);
 urlTests.put("/api/v1/persist/SomeValue", "POST", true);
 urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", true);
@@ -246,10 +246,10 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", true);
 urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", true);
 urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", true);
- urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", false);
- urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", false);
- urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", false);
- urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", false);
+ urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", true);
+ urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", true);
+ urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", true);
+ urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", true);
 urlTests.put("/api/v1/users/user1", "GET", true);
 urlTests.put("/api/v1/users/user1", "POST", true);
 urlTests.put("/api/v1/users/user2", "GET", true);
@@ -281,8 +281,8 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", true);
 urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", true);
 urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", true);
- urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", false);
- urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", false);
+ urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", true);
+ urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", true);
 urlTests.put("/api/v1/users/user1", "GET", true);
 urlTests.put("/api/v1/users/user1", "POST", true);
 urlTests.put("/api/v1/users/user2", "GET", true);
@@ -301,7 +301,7 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/api/v1/clusters/cluster", "GET", true);
 urlTests.put("/api/v1/clusters/cluster", "POST", true);
 urlTests.put("/api/v1/views", "GET", true);
- urlTests.put("/api/v1/views", "POST", false);
+ urlTests.put("/api/v1/views", "POST", true);
 urlTests.put("/api/v1/persist/SomeValue", "GET", true);
 urlTests.put("/api/v1/persist/SomeValue", "POST", false);
 urlTests.put("/api/v1/clusters/c1/credentials/ambari.credential", "POST", true);
@@ -312,10 +312,10 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "PUT", true);
 urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "GET", true);
 urlTests.put("/api/v1/clusters/c1/credentials/cluster.credential", "DELETE", true);
- urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", false);
- urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", false);
- urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", false);
- urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", false);
+ urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "GET", true);
+ urlTests.put("/views/AllowedView/SomeVersion/SomeInstance", "POST", true);
+ urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "GET", true);
+ urlTests.put("/views/DeniedView/AnotherVersion/AnotherInstance", "POST", true);
 urlTests.put("/api/v1/users/user1", "GET", true);
 urlTests.put("/api/v1/users/user1", "POST", true);
 urlTests.put("/api/v1/users/user2", "GET", true);
@@ -444,19 +444,4 @@ public class AmbariAuthorizationFilterTest { } } } - - @Test - public void testParseViewContextPath() throws Exception { - final String[] pathesToTest = { - AmbariAuthorizationFilter.VIEWS_CONTEXT_PATH_PREFIX + "MY_VIEW/1.0.0/INSTANCE1", - AmbariAuthorizationFilter.VIEWS_CONTEXT_PATH_PREFIX + "MY_VIEW/1.0.0/INSTANCE1/index.html", - AmbariAuthorizationFilter.VIEWS_CONTEXT_PATH_PREFIX + "MY_VIEW/1.0.0/INSTANCE1/api/test" - }; - for (String contextPath: pathesToTest) { - final ViewInstanceVersionDTO dto = AmbariAuthorizationFilter.parseViewInstanceInfo(contextPath); - Assert.assertEquals("INSTANCE1", dto.getInstanceName()); - Assert.assertEquals("MY_VIEW", dto.getViewName()); - Assert.assertEquals("1.0.0", dto.getVersion()); - } - } } http://git-wip-us.apache.org/repos/asf/ambari/blob/1c218dc7/ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java b/ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java index f94cb25..c47cfa4 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java @@ -77,6 +77,7 @@ import org.apache.ambari.server.orm.entities.ViewInstanceDataEntity; import org.apache.ambari.server.orm.entities.ViewInstanceEntity; import org.apache.ambari.server.orm.entities.ViewInstanceEntityTest; import org.apache.ambari.server.security.SecurityHelper; +import org.apache.ambari.server.security.TestAuthenticationFactory; import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority; import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.Clusters; 
@@ -98,10 +99,12 @@ import org.apache.ambari.view.validation.ValidationResult; import org.apache.ambari.view.validation.Validator; import org.easymock.Capture; import org.easymock.EasyMock; +import org.junit.After; import org.junit.Assert; import org.junit.Before; import org.junit.Test; import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.context.SecurityContextHolder; /** * ViewRegistry tests. @@ -227,6 +230,11 @@ public class ViewRegistryTest { clusters); } + @After + public void clearAuthentication() { + SecurityContextHolder.getContext().setAuthentication(null); + } + @Test public void testReadViewArchives() throws Exception { testReadViewArchives(false, false); @@ -1236,24 +1244,14 @@ public class ViewRegistryTest { public void testIncludeDefinitionForAdmin() { ViewRegistry registry = ViewRegistry.getInstance(); ViewEntity viewEntity = createNiceMock(ViewEntity.class); - AmbariGrantedAuthority adminAuthority = createNiceMock(AmbariGrantedAuthority.class); - PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class); - PermissionEntity permissionEntity = createNiceMock(PermissionEntity.class); - - Collection authorities = new ArrayList(); - authorities.add(adminAuthority); - securityHelper.getCurrentAuthorities(); - EasyMock.expectLastCall().andReturn(authorities); - expect(adminAuthority.getPrivilegeEntity()).andReturn(privilegeEntity); - expect(privilegeEntity.getPermission()).andReturn(permissionEntity); - expect(permissionEntity.getId()).andReturn(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION); + replay(configuration); - replay(securityHelper, adminAuthority, privilegeEntity, permissionEntity, configuration); + SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createAdministrator()); Assert.assertTrue(registry.includeDefinition(viewEntity)); - verify(securityHelper, adminAuthority, privilegeEntity, permissionEntity, configuration); + verify(configuration); } @Test 
@@ -1261,19 +1259,15 @@ public class ViewRegistryTest { ViewRegistry registry = ViewRegistry.getInstance(); ViewEntity viewEntity = createNiceMock(ViewEntity.class); - Collection authorities = new ArrayList(); + expect(viewEntity.getInstances()).andReturn(Collections.emptyList()).anyTimes(); - Collection instances = new ArrayList(); + replay(viewEntity, configuration); - securityHelper.getCurrentAuthorities(); - EasyMock.expectLastCall().andReturn(authorities); - expect(viewEntity.getInstances()).andReturn(instances); - - replay(securityHelper, viewEntity, configuration); + SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createViewUser(1L)); Assert.assertFalse(registry.includeDefinition(viewEntity)); - verify(securityHelper, viewEntity, configuration); + verify(viewEntity, configuration); } @Test 
@@ -1282,29 +1276,23 @@ public class ViewRegistryTest { ViewEntity viewEntity = createNiceMock(ViewEntity.class); ViewInstanceEntity instanceEntity = createNiceMock(ViewInstanceEntity.class); ResourceEntity resourceEntity = createNiceMock(ResourceEntity.class); - AmbariGrantedAuthority viewUseAuthority = createNiceMock(AmbariGrantedAuthority.class); - PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class); - PermissionEntity permissionEntity = createNiceMock(PermissionEntity.class); - - Collection authorities = new ArrayList(); - authorities.add(viewUseAuthority); + ResourceTypeEntity resourceTypeEntity = createNiceMock(ResourceTypeEntity.class); Collection instances = new ArrayList(); instances.add(instanceEntity); expect(viewEntity.getInstances()).andReturn(instances); expect(instanceEntity.getResource()).andReturn(resourceEntity); - expect(viewUseAuthority.getPrivilegeEntity()).andReturn(privilegeEntity).anyTimes(); - expect(privilegeEntity.getPermission()).andReturn(permissionEntity).anyTimes(); - expect(privilegeEntity.getResource()).andReturn(resourceEntity).anyTimes(); - expect(permissionEntity.getId()).andReturn(PermissionEntity.VIEW_USER_PERMISSION).anyTimes(); - securityHelper.getCurrentAuthorities(); - EasyMock.expectLastCall().andReturn(authorities).anyTimes(); - replay(securityHelper, viewEntity, instanceEntity, viewUseAuthority, privilegeEntity, permissionEntity, configuration); + expect(resourceEntity.getResourceType()).andReturn(resourceTypeEntity).anyTimes(); + expect(resourceTypeEntity.getId()).andReturn(1).anyTimes(); + + replay(viewEntity, instanceEntity, resourceEntity, resourceTypeEntity, configuration); + + SecurityContextHolder.getContext().setAuthentication(TestAuthenticationFactory.createViewUser(resourceEntity.getResourceType().getId().longValue())); Assert.assertTrue(registry.includeDefinition(viewEntity)); - verify(securityHelper, viewEntity, instanceEntity, viewUseAuthority, privilegeEntity, permissionEntity, 
configuration); + verify(viewEntity, instanceEntity, resourceEntity, resourceTypeEntity, configuration); } @Test
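Review bot: The view-user identity in the `@@ -1282,29 +1276,23 @@` hunk is built from `resourceEntity.getResourceType().getId()`, a resource type id, while `resourceEntity.getId()` is left unstubbed on a nice mock, so the test never ties the granted privilege to this instance's own resource id. As written it would presumably still pass if `includeDefinition` accepted any `VIEW_USE` grant, whichever instance it was issued for. I would stub the id, e.g. `expect(resourceEntity.getId()).andReturn(2L).anyTimes();` (sample value), pass that same literal to `createViewUser`, and add a sibling test whose user holds `VIEW_USE` on a different id and asserts `assertFalse(registry.includeDefinition(viewEntity))`; this may also require `createViewResourceEntity` to stop reusing the resource id as the type id. Using a literal also avoids calling the mock after `replay(...)` just to build the fixture.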