author | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-04-15 09:49:24 +0200 |
---|---|---|
committer | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-04-15 10:16:26 +0200 |
commit | d0fe8b84ed98bf6cb294af8edda1f7d0bcd03e89 (patch) | |
tree | aec3dafb5b56d5ca8c5c1aff4977db645c844ffb /controller-server | |
parent | 21815a3df707eb798009ce96b2b2e52a64f22903 (diff) |
Replace Roles with static factories in Role
Diffstat (limited to 'controller-server')
9 files changed, 48 insertions, 68 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java index 8e397366203..15cdf034ca0 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java @@ -17,7 +17,6 @@ import com.yahoo.vespa.hosted.controller.Controller; import com.yahoo.vespa.hosted.controller.TenantController; import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory; import com.yahoo.vespa.hosted.controller.api.role.Role; -import com.yahoo.vespa.hosted.controller.api.role.Roles; import com.yahoo.vespa.hosted.controller.athenz.ApplicationAction; import com.yahoo.vespa.hosted.controller.athenz.impl.AthenzFacade; import com.yahoo.vespa.hosted.controller.api.role.SecurityContext; @@ -44,14 +43,12 @@ public class AthenzRoleFilter extends CorsRequestFilterBase { // TODO: No need f private final AthenzFacade athenz; private final TenantController tenants; - private final Roles roles; @Inject public AthenzRoleFilter(CorsFilterConfig config, AthenzClientFactory athenzClientFactory, Controller controller) { super(Set.copyOf(config.allowedUrls())); this.athenz = new AthenzFacade(athenzClientFactory); this.tenants = controller.tenants(); - this.roles = new Roles(controller.system()); } @Override 
@@ -80,18 +77,18 @@ public class AthenzRoleFilter extends CorsRequestFilterBase { // TODO: No need f AthenzIdentity identity = principal.getIdentity(); if (athenz.hasHostedOperatorAccess(identity)) - return Set.of(roles.hostedOperator()); + return Set.of(Role.hostedOperator()); if (tenant.isPresent() && isTenantAdmin(identity, tenant.get())) - return Set.of(roles.athenzTenantAdmin(tenant.get().name())); + return Set.of(Role.athenzTenantAdmin(tenant.get().name())); if (identity.getDomain().equals(SCREWDRIVER_DOMAIN) && application.isPresent() && tenant.isPresent()) // NOTE: Only fine-grained deploy authorization for Athenz tenants if ( tenant.get().type() != Tenant.Type.athenz || hasDeployerAccess(identity, ((AthenzTenant) tenant.get()).domain(), application.get())) - return Set.of(roles.tenantPipeline(tenant.get().name(), application.get())); + return Set.of(Role.tenantPipeline(tenant.get().name(), application.get())); - return Set.of(roles.everyone()); + return Set.of(Role.everyone()); } private boolean isTenantAdmin(AthenzIdentity identity, Tenant tenant) { diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java index 42e35663ef0..80855676139 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java 
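Review bot: In the AthenzRoleFilter role-mapping hunk, the two stacked `if` statements that end in `return Set.of(Role.tenantPipeline(...))` have no braces, and the `tenant.get().type() != Tenant.Type.athenz` arm grants the pipeline role on the `SCREWDRIVER_DOMAIN` match alone, without the `hasDeployerAccess` call. The existing NOTE suggests this is intended, but role-mapping code should state it outright: brace both levels and extend the comment, e.g. `// Non-Athenz tenants: no per-application deployer check exists, so the domain match alone yields tenantPipeline.` Since `Role` instances are no longer created from `controller.system()`, also confirm that nothing downstream relied on a role being bound to a system; that cannot be seen from this hunk. The enclosing method starts above the hunk.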
@@ -13,10 +13,8 @@ import com.yahoo.vespa.hosted.controller.Controller; import com.yahoo.vespa.hosted.controller.api.role.Action; import com.yahoo.vespa.hosted.controller.api.role.Enforcer; import com.yahoo.vespa.hosted.controller.api.role.Role; -import com.yahoo.vespa.hosted.controller.api.role.Roles; import com.yahoo.vespa.hosted.controller.api.role.SecurityContext; -import java.security.Principal; import java.util.Optional; import java.util.Set; import java.util.logging.Logger; @@ -30,7 +28,6 @@ public class ControllerAuthorizationFilter extends CorsRequestFilterBase { private static final Logger log = Logger.getLogger(ControllerAuthorizationFilter.class.getName()); - private final Roles roles; private final Enforcer enforcer; @Inject @@ -42,7 +39,6 @@ public class ControllerAuthorizationFilter extends CorsRequestFilterBase { ControllerAuthorizationFilter(SystemName system, Set<String> allowedUrls) { super(allowedUrls); - this.roles = new Roles(system); this.enforcer = new Enforcer(system); } @@ -57,7 +53,7 @@ public class ControllerAuthorizationFilter extends CorsRequestFilterBase { Action action = Action.from(HttpRequest.Method.valueOf(request.getMethod())); // Avoid expensive look-ups when request is always legal. - if (roles.everyone().allows(action, request.getUri(), enforcer)) + if (Role.everyone().allows(action, request.getUri(), enforcer)) return Optional.empty(); Set<Role> roles = securityContext.get().roles(); diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java index b8c904a80f6..c11bdc38c5d 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiHandler.java 
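Review bot: In ControllerAuthorizationFilter, the fast path `if (Role.everyone().allows(action, request.getUri(), enforcer)) return Optional.empty();` lets the request through before any `SecurityContext` is read, and after this change the system-specific part of that decision lives only in `enforcer` (built from `system` in the constructor). The comment above it should say so, for example `// Fast path: allowed for everyone in this system (policy comes from the system-bound enforcer), so no SecurityContext is needed.` Separately, `HttpRequest.Method.valueOf(request.getMethod())` throws for a method name outside the enum; the handling is outside this hunk, so confirm that case ends in a rejection rather than an unhandled error. The enclosing method starts and ends outside the hunk.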
@@ -18,7 +18,6 @@ import com.yahoo.vespa.hosted.controller.api.integration.user.UserManagement; import com.yahoo.vespa.hosted.controller.api.integration.user.UserRoles; import com.yahoo.vespa.hosted.controller.api.role.Role; import com.yahoo.vespa.hosted.controller.api.role.RoleDefinition; -import com.yahoo.vespa.hosted.controller.api.role.Roles; import com.yahoo.vespa.hosted.controller.restapi.ErrorResponse; import com.yahoo.vespa.hosted.controller.restapi.MessageResponse; import com.yahoo.vespa.hosted.controller.restapi.SlimeJsonResponse; @@ -50,9 +49,9 @@ public class UserApiHandler extends LoggingRequestHandler { private final UserManagement users; @Inject - public UserApiHandler(Context parentCtx, Roles roles, UserManagement users) { + public UserApiHandler(Context parentCtx, UserManagement users) { super(parentCtx); - this.roles = new UserRoles(roles); + this.roles = new UserRoles(); this.users = users; } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java index 008be2fd276..7e0bb42c712 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java @@ -10,7 +10,6 @@ import com.yahoo.vespa.hosted.controller.api.integration.user.UserManagement; import com.yahoo.vespa.hosted.controller.api.integration.user.UserRoles; import com.yahoo.vespa.hosted.controller.api.role.ApplicationRole; import com.yahoo.vespa.hosted.controller.api.role.Role; -import com.yahoo.vespa.hosted.controller.api.role.Roles; import com.yahoo.vespa.hosted.controller.api.role.TenantRole; import com.yahoo.vespa.hosted.controller.tenant.CloudTenant; import com.yahoo.vespa.hosted.controller.tenant.Tenant; 
@@ -25,15 +24,13 @@ public class CloudAccessControl implements AccessControl { private final Marketplace marketplace; private final UserManagement userManagement; - private final Roles roles; private final UserRoles userRoles; @Inject - public CloudAccessControl(Marketplace marketplace, UserManagement userManagement, Roles roles) { + public CloudAccessControl(Marketplace marketplace, UserManagement userManagement) { this.marketplace = marketplace; this.userManagement = userManagement; - this.roles = roles; - this.userRoles = new UserRoles(roles); + this.userRoles = new UserRoles(); } @Override @@ -43,7 +40,7 @@ public class CloudAccessControl implements AccessControl { for (Role role : userRoles.tenantRoles(spec.tenant())) userManagement.createRole(role); - userManagement.addUsers(roles.tenantOwner(spec.tenant()), List.of(new UserId(credentials.user().getName()))); + userManagement.addUsers(Role.tenantOwner(spec.tenant()), List.of(new UserId(credentials.user().getName()))); return tenant; } @@ -65,7 +62,7 @@ public class CloudAccessControl implements AccessControl { public void createApplication(ApplicationId id, Credentials credentials) { for (Role role : userRoles.applicationRoles(id.tenant(), id.application())) userManagement.createRole(role); - userManagement.addUsers(roles.applicationAdmin(id.tenant(), id.application()), List.of(new UserId(credentials.user().getName()))); + userManagement.addUsers(Role.applicationAdmin(id.tenant(), id.application()), List.of(new UserId(credentials.user().getName()))); } @Override diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerCloudTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerCloudTest.java index 95477758deb..4f068451d24 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerCloudTest.java 
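Review bot: In CloudAccessControl, the hunk at `@@ -43,7 +40,7 @@` runs the `userManagement.createRole(role)` loop and then `userManagement.addUsers(Role.tenantOwner(spec.tenant()), ...)` as independent calls with no failure handling visible, so a failure in `addUsers` would leave the tenant's roles created with no owner assigned. The `createApplication` hunk at `@@ -65,7 +62,7 @@` has the same shape with `Role.applicationAdmin(...)`. At minimum, document it where the owner is assigned: `// NOTE: not atomic with createRole above; a failure here leaves the roles without an owner/admin.` The owner is identified by `credentials.user().getName()`, so it is also worth confirming upstream that this name is the verified, stable identifier for the caller. Both methods start outside their hunks.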
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerCloudTest.java @@ -3,7 +3,6 @@ package com.yahoo.vespa.hosted.controller.restapi; import com.yahoo.application.container.handler.Request; import com.yahoo.config.provision.SystemName; import com.yahoo.vespa.hosted.controller.api.role.Role; -import com.yahoo.vespa.hosted.controller.api.role.Roles; import com.yahoo.vespa.hosted.controller.api.role.SecurityContext; import java.nio.charset.StandardCharsets; @@ -64,7 +63,7 @@ public class ControllerContainerCloudTest extends ControllerContainerTest { private final Request.Method method; private byte[] data = new byte[0]; private Principal user = () -> "user@test"; - private Set<Role> roles = Set.of(new Roles(system()).everyone()); + private Set<Role> roles = Set.of(Role.everyone()); private RequestBuilder(String path, Request.Method method) { this.path = path; diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java index 6abfa7fa72d..4cb0d509531 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java @@ -96,7 +96,6 @@ public class ControllerContainerTest { " <component id='com.yahoo.vespa.hosted.controller.integration.ApplicationStoreMock'/>\n" + " <component id='com.yahoo.vespa.hosted.controller.api.integration.stubs.MockTesterCloud'/>\n" + " <component id='com.yahoo.vespa.hosted.controller.api.integration.stubs.MockMailer'/>\n" + - " <component id='com.yahoo.vespa.hosted.controller.api.role.Roles'/>\n" + " <handler id='com.yahoo.vespa.hosted.controller.restapi.deployment.DeploymentApiHandler'>\n" + " <binding>http://*/deployment/v1/*</binding>\n" + " </handler>\n" + 
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java index b48cb4bff50..e36a02f387c 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java @@ -10,7 +10,7 @@ import com.yahoo.vespa.athenz.api.AthenzUser; import com.yahoo.vespa.hosted.controller.ControllerTester; import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId; import com.yahoo.vespa.hosted.controller.api.identifiers.ScrewdriverId; -import com.yahoo.vespa.hosted.controller.api.role.Roles; +import com.yahoo.vespa.hosted.controller.api.role.Role; import com.yahoo.vespa.hosted.controller.athenz.ApplicationAction; import com.yahoo.vespa.hosted.controller.athenz.HostedAthenzIdentities; import com.yahoo.vespa.hosted.controller.athenz.mock.AthenzClientFactoryMock; 
@@ -66,55 +66,53 @@ public class AthenzRoleFilterTest { @Test public void testTranslations() { - Roles roles = new Roles(tester.controller().system()); - // Hosted operators are always members of the hostedOperator role. - assertEquals(Set.of(roles.hostedOperator()), + assertEquals(Set.of(Role.hostedOperator()), filter.roles(HOSTED_OPERATOR, NO_CONTEXT_PATH)); - assertEquals(Set.of(roles.hostedOperator()), + assertEquals(Set.of(Role.hostedOperator()), filter.roles(HOSTED_OPERATOR, TENANT_CONTEXT_PATH)); - assertEquals(Set.of(roles.hostedOperator()), + assertEquals(Set.of(Role.hostedOperator()), filter.roles(HOSTED_OPERATOR, APPLICATION_CONTEXT_PATH)); // Tenant admins are members of the athenzTenantAdmin role within their tenant subtree. - assertEquals(Set.of(roles.everyone()), + assertEquals(Set.of(Role.everyone()), filter.roles(TENANT_PIPELINE, NO_CONTEXT_PATH)); - assertEquals(Set.of(roles.athenzTenantAdmin(TENANT)), + assertEquals(Set.of(Role.athenzTenantAdmin(TENANT)), filter.roles(TENANT_ADMIN, TENANT_CONTEXT_PATH)); - assertEquals(Set.of(roles.athenzTenantAdmin(TENANT)), + assertEquals(Set.of(Role.athenzTenantAdmin(TENANT)), filter.roles(TENANT_ADMIN, APPLICATION_CONTEXT_PATH)); - assertEquals(Set.of(roles.everyone()), + assertEquals(Set.of(Role.everyone()), filter.roles(TENANT_ADMIN, TENANT2_CONTEXT_PATH)); - assertEquals(Set.of(roles.everyone()), + assertEquals(Set.of(Role.everyone()), filter.roles(TENANT_ADMIN, APPLICATION2_CONTEXT_PATH)); // Build services are members of the tenantPipeline role within their application subtree. 
- assertEquals(Set.of(roles.everyone()), + assertEquals(Set.of(Role.everyone()), filter.roles(TENANT_PIPELINE, NO_CONTEXT_PATH)); - assertEquals(Set.of(roles.everyone()), + assertEquals(Set.of(Role.everyone()), filter.roles(TENANT_PIPELINE, TENANT_CONTEXT_PATH)); - assertEquals(Set.of(roles.tenantPipeline(TENANT, APPLICATION)), + assertEquals(Set.of(Role.tenantPipeline(TENANT, APPLICATION)), filter.roles(TENANT_PIPELINE, APPLICATION_CONTEXT_PATH)); - assertEquals(Set.of(roles.everyone()), + assertEquals(Set.of(Role.everyone()), filter.roles(TENANT_PIPELINE, APPLICATION2_CONTEXT_PATH)); // Unprivileged users are just members of the everyone role. - assertEquals(Set.of(roles.everyone()), + assertEquals(Set.of(Role.everyone()), filter.roles(USER, NO_CONTEXT_PATH)); - assertEquals(Set.of(roles.everyone()), + assertEquals(Set.of(Role.everyone()), filter.roles(USER, TENANT_CONTEXT_PATH)); - assertEquals(Set.of(roles.everyone()), + assertEquals(Set.of(Role.everyone()), filter.roles(USER, APPLICATION_CONTEXT_PATH)); } diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java index 105e10eefd2..f2b0039750e 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilterTest.java 
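Review bot: In AthenzRoleFilterTest, under the comment `// Tenant admins are members of the athenzTenantAdmin role within their tenant subtree.`, the first assertion calls `filter.roles(TENANT_PIPELINE, NO_CONTEXT_PATH)`. That repeats the first assertion of the build-services group and leaves `TENANT_ADMIN` with `NO_CONTEXT_PATH` unchecked. It looks like a copy-paste slip carried over from the old side; the call should read `filter.roles(TENANT_ADMIN, NO_CONTEXT_PATH));`. The build-services group also shows no case for a non-Athenz tenant, the branch of the filter that skips the deployer-access check, so that path appears untested here.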
@@ -7,7 +7,7 @@ import com.yahoo.config.provision.SystemName; import com.yahoo.jdisc.http.HttpRequest.Method; import com.yahoo.jdisc.http.filter.DiscFilterRequest; import com.yahoo.vespa.hosted.controller.ControllerTester; -import com.yahoo.vespa.hosted.controller.api.role.Roles; +import com.yahoo.vespa.hosted.controller.api.role.Role; import com.yahoo.vespa.hosted.controller.api.role.SecurityContext; import com.yahoo.vespa.hosted.controller.restapi.ApplicationRequestToDiscFilterRequestWrapper; import org.junit.Test; @@ -34,8 +34,7 @@ public class ControllerAuthorizationFilterTest { @Test public void operator() { ControllerTester tester = new ControllerTester(); - Roles roles = new Roles(tester.controller().system()); - SecurityContext securityContext = new SecurityContext(() -> "operator", Set.of(roles.hostedOperator())); + SecurityContext securityContext = new SecurityContext(() -> "operator", Set.of(Role.hostedOperator())); ControllerAuthorizationFilter filter = createFilter(tester); assertIsAllowed(invokeFilter(filter, createRequest(Method.POST, "/zone/v2/path", securityContext))); @@ -46,8 +45,7 @@ public class ControllerAuthorizationFilterTest { @Test public void unprivileged() { ControllerTester tester = new ControllerTester(); - Roles roles = new Roles(tester.controller().system()); - SecurityContext securityContext = new SecurityContext(() -> "user", Set.of(roles.everyone())); + SecurityContext securityContext = new SecurityContext(() -> "user", Set.of(Role.everyone())); ControllerAuthorizationFilter filter = createFilter(tester); assertIsForbidden(invokeFilter(filter, createRequest(Method.POST, "/zone/v2/path", securityContext))); 
@@ -59,8 +57,7 @@ public class ControllerAuthorizationFilterTest { public void unprivilegedInPublic() { ControllerTester tester = new ControllerTester(); tester.zoneRegistry().setSystemName(SystemName.Public); - Roles roles = new Roles(tester.controller().system()); - SecurityContext securityContext = new SecurityContext(() -> "user", Set.of(roles.everyone())); + SecurityContext securityContext = new SecurityContext(() -> "user", Set.of(Role.everyone())); ControllerAuthorizationFilter filter = createFilter(tester); assertIsForbidden(invokeFilter(filter, createRequest(Method.POST, "/zone/v2/path", securityContext))); diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java index 3a78e9fc262..59f63f0472a 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/user/UserApiTest.java @@ -4,7 +4,6 @@ import com.yahoo.config.provision.ApplicationId; import com.yahoo.config.provision.SystemName; import com.yahoo.config.provision.TenantName; import com.yahoo.vespa.hosted.controller.api.role.Role; -import com.yahoo.vespa.hosted.controller.api.role.Roles; import com.yahoo.vespa.hosted.controller.restapi.ContainerTester; import com.yahoo.vespa.hosted.controller.restapi.ControllerContainerCloudTest; import org.junit.Test; 
@@ -28,8 +27,7 @@ public class UserApiTest extends ControllerContainerCloudTest { public void testUserManagement() { ContainerTester tester = new ContainerTester(container, responseFiles); assertEquals(SystemName.Public, tester.controller().system()); - Roles roles = new Roles(tester.controller().system()); - Set<Role> operator = Set.of(roles.hostedOperator()); + Set<Role> operator = Set.of(Role.hostedOperator()); ApplicationId id = ApplicationId.from("my-tenant", "my-app", "default"); 
@@ -70,80 +68,80 @@ public class UserApiTest extends ControllerContainerCloudTest { // POST a hosted operator role is not allowed. tester.assertResponse(request("/user/v1/tenant/my-tenant", POST) - .roles(Set.of(roles.tenantOwner(id.tenant()))) + .roles(Set.of(Role.tenantOwner(id.tenant()))) .data("{\"user\":\"evil@evil\",\"roleName\":\"hostedOperator\"}"), "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Malformed or illegal role name 'hostedOperator'.\"}", 400); // POST a tenant operator is available to the tenant owner. tester.assertResponse(request("/user/v1/tenant/my-tenant", POST) - .roles(Set.of(roles.tenantOwner(id.tenant()))) + .roles(Set.of(Role.tenantOwner(id.tenant()))) .data("{\"user\":\"operator@tenant\",\"roleName\":\"tenantOperator\"}"), "{\"message\":\"user 'operator@tenant' is now a member of role 'tenantOperator' of 'my-tenant'\"}"); // POST a tenant admin is not available to a tenant operator. tester.assertResponse(request("/user/v1/tenant/my-tenant", POST) - .roles(Set.of(roles.tenantOperator(id.tenant()))) + .roles(Set.of(Role.tenantOperator(id.tenant()))) .data("{\"user\":\"admin@tenant\",\"roleName\":\"tenantAdmin\"}"), accessDenied, 403); // POST an application admin for a non-existent application fails. tester.assertResponse(request("/user/v1/tenant/my-tenant/application/my-app", POST) - .roles(Set.of(roles.tenantOwner(TenantName.from("my-tenant")))) + .roles(Set.of(Role.tenantOwner(TenantName.from("my-tenant")))) .data("{\"user\":\"admin@app\",\"roleName\":\"applicationAdmin\"}"), "{\"error-code\":\"INTERNAL_SERVER_ERROR\",\"message\":\"NullPointerException\"}", 500); // POST an application is allowed for a tenant operator. 
tester.assertResponse(request("/application/v4/tenant/my-tenant/application/my-app", POST) .user("operator@tenant") - .roles(Set.of(roles.tenantOperator(id.tenant()))), + .roles(Set.of(Role.tenantOperator(id.tenant()))), new File("application-created.json")); // POST an application is not allowed under a different tenant. tester.assertResponse(request("/application/v4/tenant/other-tenant/application/my-app", POST) - .roles(Set.of(roles.tenantOperator(id.tenant()))), + .roles(Set.of(Role.tenantOperator(id.tenant()))), accessDenied, 403); // POST an application role is allowed for a tenant admin. tester.assertResponse(request("/user/v1/tenant/my-tenant/application/my-app", POST) - .roles(Set.of(roles.tenantAdmin(id.tenant()))) + .roles(Set.of(Role.tenantAdmin(id.tenant()))) .data("{\"user\":\"reader@app\",\"roleName\":\"applicationReader\"}"), "{\"message\":\"user 'reader@app' is now a member of role 'applicationReader' of 'my-app' owned by 'my-tenant'\"}"); // POST a tenant role is not allowed to an application. tester.assertResponse(request("/user/v1/tenant/my-tenant/application/my-app", POST) - .roles(Set.of(roles.hostedOperator())) + .roles(Set.of(Role.hostedOperator())) .data("{\"user\":\"reader@app\",\"roleName\":\"tenantOperator\"}"), "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Malformed or illegal role name 'tenantOperator'.\"}", 400); // GET tenant role information is available to application readers. tester.assertResponse(request("/user/v1/tenant/my-tenant") - .roles(Set.of(roles.applicationReader(id.tenant(), id.application()))), + .roles(Set.of(Role.applicationReader(id.tenant(), id.application()))), new File("tenant-roles.json")); // GET application role information is available to tenant operators. 
tester.assertResponse(request("/user/v1/tenant/my-tenant/application/my-app") - .roles(Set.of(roles.tenantOperator(id.tenant()))), + .roles(Set.of(Role.tenantOperator(id.tenant()))), new File("application-roles.json")); // GET application role information is available also under the /api prefix. tester.assertResponse(request("/api/user/v1/tenant/my-tenant/application/my-app") - .roles(Set.of(roles.tenantOperator(id.tenant()))), + .roles(Set.of(Role.tenantOperator(id.tenant()))), new File("application-roles.json")); // DELETE an application role is allowed for an application admin. tester.assertResponse(request("/user/v1/tenant/my-tenant/application/my-app", DELETE) - .roles(Set.of(roles.applicationAdmin(id.tenant(), id.application()))) + .roles(Set.of(Role.applicationAdmin(id.tenant(), id.application()))) .data("{\"user\":\"operator@tenant\",\"roleName\":\"applicationAdmin\"}"), "{\"message\":\"user 'operator@tenant' is no longer a member of role 'applicationAdmin' of 'my-app' owned by 'my-tenant'\"}"); // DELETE an application is available to application admins. tester.assertResponse(request("/application/v4/tenant/my-tenant/application/my-app", DELETE) - .roles(Set.of(roles.applicationAdmin(id.tenant(), id.application()))), + .roles(Set.of(Role.applicationAdmin(id.tenant(), id.application()))), ""); // DELETE a tenant role is available to tenant admins. tester.assertResponse(request("/user/v1/tenant/my-tenant", DELETE) - .roles(Set.of(roles.tenantAdmin(id.tenant()))) + .roles(Set.of(Role.tenantAdmin(id.tenant()))) .data("{\"user\":\"operator@tenant\",\"roleName\":\"tenantOperator\"}"), "{\"message\":\"user 'operator@tenant' is no longer a member of role 'tenantOperator' of 'my-tenant'\"}"); 
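Review bot: In UserApiTest, the case `// POST an application admin for a non-existent application fails.` pins `INTERNAL_SERVER_ERROR` with the message `NullPointerException` and status 500 as the expected response, which turns an unhandled null dereference in the handler into API contract. A missing application is a client error; the handler should check for it and answer with a 4xx and a message naming the application, and the assertion should follow. Until that is done, mark the expectation so it is not mistaken for intended behaviour: `// TODO: should be a 4xx; the 500 exposes an unhandled NullPointerException.` The test method starts in an earlier hunk and continues past this one.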
@@ -155,7 +153,7 @@ public class UserApiTest extends ControllerContainerCloudTest { // DELETE the tenant is available to the tenant owner. tester.assertResponse(request("/application/v4/tenant/my-tenant", DELETE) - .roles(Set.of(roles.tenantOwner(id.tenant()))), + .roles(Set.of(Role.tenantOwner(id.tenant()))), new File("tenant-without-applications.json")); } |