SSDM-5019 : Project Authorization - Step 1.1 (project predicates and...

SSDM-5019 : Project Authorization - Step 1.1 (project predicates and validators) - more tests and bugfixes SVN: 38112

SSDM-5019 : Project Authorization - Step 1.1 (project predicates and...
d545b539 · pkupczyk · e13d75f2 · d545b539 · d545b539 · d545b539
Commit d545b539 authored 7 years ago by pkupczyk
--- a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/ProjectAuthorizationEnabled.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/ProjectAuthorizationEnabled.java
@@ -147,20 +147,50 @@ public class ProjectAuthorizationEnabled<O> implements IProjectAuthorization<O>
    {
        for (IRole role : roles)
        {
-            IProject roleProject = role.getProject();
+            if (hasAccess(role, project))
-            if (roleProject == null)
-            {
-                continue;
-            } else if (areNotNullAndEqual(project.getId(), roleProject.getId()))
            {
                return true;
-            } else if (areNotNullAndEqual(project.getPermId(), roleProject.getPermId()))
+            }
+        }
+        return false;
+    }
+    private boolean hasAccess(IRole role, IProject project)
+    {
+        IProject roleProject = role.getProject();
+        if (roleProject == null)
+        {
+            return false;
+        }
+        boolean idNN = areNotNull(project.getId(), roleProject.getId());
+        boolean permIdNN = areNotNull(project.getPermId(), roleProject.getPermId());
+        boolean identifierNN = areNotNull(project.getIdentifier(), roleProject.getIdentifier());
+        boolean idEqual = areEqual(project.getId(), roleProject.getId());
+        boolean permIdEqual = areEqual(project.getPermId(), roleProject.getPermId());
+        boolean identifierEqual = areEqual(project.getIdentifier(), roleProject.getIdentifier());
+        if (idNN && permIdNN)
+        {
+            return idEqual && permIdEqual;
+        } else
+        {
+            if (idNN)
            {
-                return true;
+                return idEqual;
-            } else if (areNotNullAndEqual(project.getIdentifier(), roleProject.getIdentifier()))
+            }
+            if (permIdNN)
            {
-                return true;
+                return permIdEqual;
+            }
+            if (identifierNN)
+            {
+                return identifierEqual;
            }
        }
@@ -247,14 +277,9 @@ public class ProjectAuthorizationEnabled<O> implements IProjectAuthorization<O>
        }
    }
-    private static boolean areNotNullAndEqual(Object o1, Object o2)
+    private static boolean areNotNull(Object o1, Object o2)
    {
-        if (o1 == null || o2 == null)
+        return o1 != null && o2 != null;
-        {
-            return false;
-        }
-        return o1.equals(o2);
    }
 }
--- a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/ProjectAuthorizationTest.java
+++ b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/ProjectAuthorizationTest.java
+package ch.systemsx.cisd.openbis.generic.server.authorization.project;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import org.jmock.Expectations;
+import org.jmock.Mockery;
+import org.testng.Assert;
+import org.testng.annotations.AfterMethod;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+import ch.systemsx.cisd.openbis.generic.server.authorization.IAuthorizationDataProvider;
+import ch.systemsx.cisd.openbis.generic.server.authorization.TestAuthorizationConfig;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.data.object.IObject;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.data.object.Object;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.data.project.IProject;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.data.role.IRole;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.object.IObjectsProvider;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.role.IRolesProvider;
+public class ProjectAuthorizationTest extends Assert
+{
+    private static final String PROJECT_PROVIDER = "projectProvider";
+    private static final String ORIGINAL_OBJECT_A = "A";
+    private static final String ORIGINAL_OBJECT_B = "B";
+    private static final IProject PROJECT_X = new TestProject(1L, "permIdX", "identifierX");
+    private static final IProject PROJECT_Y = new TestProject(2L, "permIdY", "identifierY");
+    private static final IProject PROJECT_OTHER = new TestProject(3L, "permIdOther", "identifierOther");
+    private static final IRole ROLE_WITHOUT_PROJECT = new TestRole(null);
+    private static final IRole ROLE_WITH_PROJECT_X = new TestRole(PROJECT_X);
+    private static final IRole ROLE_WITH_PROJECT_Y = new TestRole(PROJECT_Y);
+    private static final IRole ROLE_WITH_OTHER_PROJECT = new TestRole(PROJECT_OTHER);
+    private Mockery context;
+    private IAuthorizationDataProvider dataProvider;
+    private IObjectsProvider<String> objectsProvider;
+    private IRolesProvider rolesProvider;
+    @SuppressWarnings("unchecked")
+    @BeforeMethod
+    public void setUp()
+    {
+        context = new Mockery();
+        dataProvider = context.mock(IAuthorizationDataProvider.class);
+        objectsProvider = context.mock(IObjectsProvider.class);
+        rolesProvider = context.mock(IRolesProvider.class);
+    }
+    @AfterMethod
+    public void tearDown()
+    {
+        context.assertIsSatisfied();
+    }
+    @Test
+    public void testDisabled()
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(false)));
+                    allowing(objectsProvider).getOriginalObjects();
+                    will(returnValue(Arrays.asList(ORIGINAL_OBJECT_A, ORIGINAL_OBJECT_B)));
+                }
+            });
+        assertResults(Arrays.<String> asList(), Arrays.asList(ORIGINAL_OBJECT_A, ORIGINAL_OBJECT_B));
+    }
+    @Test
+    public void testEnabledWithNullObjects()
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(true)));
+                    allowing(objectsProvider).getObjects(dataProvider);
+                    will(returnValue(null));
+                    allowing(rolesProvider).getRoles(dataProvider);
+                    will(returnValue(Arrays.asList(ROLE_WITH_PROJECT_X, ROLE_WITH_PROJECT_Y)));
+                }
+            });
+        assertResults(Arrays.<String> asList(), Arrays.<String> asList());
+    }
+    @Test
+    public void testEnabledWithEmptyObjects()
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(true)));
+                    allowing(objectsProvider).getObjects(dataProvider);
+                    will(returnValue(Arrays.asList()));
+                    allowing(rolesProvider).getRoles(dataProvider);
+                    will(returnValue(Arrays.asList(ROLE_WITH_PROJECT_X, ROLE_WITH_PROJECT_Y)));
+                }
+            });
+        assertResults(Arrays.<String> asList(), Arrays.<String> asList());
+    }
+    @Test
+    public void testEnabledWithNullRoles()
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(true)));
+                    IObject<String> objectA = new Object<String>(ORIGINAL_OBJECT_A, PROJECT_X);
+                    IObject<String> objectB = new Object<String>(ORIGINAL_OBJECT_B, PROJECT_Y);
+                    allowing(objectsProvider).getObjects(dataProvider);
+                    will(returnValue(Arrays.asList(objectA, objectB)));
+                    allowing(rolesProvider).getRoles(dataProvider);
+                    will(returnValue(null));
+                }
+            });
+        assertResults(Arrays.<String> asList(), Arrays.<String> asList(ORIGINAL_OBJECT_A, ORIGINAL_OBJECT_B));
+    }
+    @Test
+    public void testEnabledWithEmptyRoles()
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(true)));
+                    IObject<String> objectA = new Object<String>(ORIGINAL_OBJECT_A, PROJECT_X);
+                    IObject<String> objectB = new Object<String>(ORIGINAL_OBJECT_B, PROJECT_Y);
+                    allowing(objectsProvider).getObjects(dataProvider);
+                    will(returnValue(Arrays.asList(objectA, objectB)));
+                    allowing(rolesProvider).getRoles(dataProvider);
+                    will(returnValue(Arrays.asList()));
+                }
+            });
+        assertResults(Arrays.<String> asList(), Arrays.<String> asList(ORIGINAL_OBJECT_A, ORIGINAL_OBJECT_B));
+    }
+    @Test
+    public void testEnabledWithObjectWithoutProject()
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(true)));
+                    IObject<String> objectWithoutProject = new Object<String>(ORIGINAL_OBJECT_A, null);
+                    allowing(objectsProvider).getObjects(dataProvider);
+                    will(returnValue(Arrays.asList(objectWithoutProject)));
+                    allowing(rolesProvider).getRoles(dataProvider);
+                    will(returnValue(Arrays.asList(ROLE_WITH_PROJECT_X, ROLE_WITH_PROJECT_Y)));
+                }
+            });
+        assertResults(Arrays.<String> asList(), Arrays.<String> asList(ORIGINAL_OBJECT_A));
+    }
+    @Test
+    public void testEnabledWithObjectWithOtherProject()
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(true)));
+                    IObject<String> objectWithOtherProject = new Object<String>(ORIGINAL_OBJECT_A, PROJECT_OTHER);
+                    allowing(objectsProvider).getObjects(dataProvider);
+                    will(returnValue(Arrays.asList(objectWithOtherProject)));
+                    allowing(rolesProvider).getRoles(dataProvider);
+                    will(returnValue(Arrays.asList(ROLE_WITH_PROJECT_X, ROLE_WITH_PROJECT_Y)));
+                }
+            });
+        assertResults(Arrays.<String> asList(), Arrays.<String> asList(ORIGINAL_OBJECT_A));
+    }
+    @Test
+    public void testEnabledWithRoleWithoutProject()
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(true)));
+                    IObject<String> objectA = new Object<String>(ORIGINAL_OBJECT_A, PROJECT_X);
+                    IObject<String> objectB = new Object<String>(ORIGINAL_OBJECT_B, PROJECT_Y);
+                    allowing(objectsProvider).getObjects(dataProvider);
+                    will(returnValue(Arrays.asList(objectA, objectB)));
+                    allowing(rolesProvider).getRoles(dataProvider);
+                    will(returnValue(Arrays.asList(ROLE_WITHOUT_PROJECT)));
+                }
+            });
+        assertResults(Arrays.<String> asList(), Arrays.<String> asList(ORIGINAL_OBJECT_A, ORIGINAL_OBJECT_B));
+    }
+    @Test
+    public void testEnabledWithRoleWithOtherProject()
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(true)));
+                    IObject<String> objectA = new Object<String>(ORIGINAL_OBJECT_A, PROJECT_X);
+                    IObject<String> objectB = new Object<String>(ORIGINAL_OBJECT_B, PROJECT_Y);
+                    allowing(objectsProvider).getObjects(dataProvider);
+                    will(returnValue(Arrays.asList(objectA, objectB)));
+                    allowing(rolesProvider).getRoles(dataProvider);
+                    will(returnValue(Arrays.asList(ROLE_WITH_OTHER_PROJECT)));
+                }
+            });
+        assertResults(Arrays.<String> asList(), Arrays.<String> asList(ORIGINAL_OBJECT_A, ORIGINAL_OBJECT_B));
+    }
+    @Test(dataProvider = PROJECT_PROVIDER)
+    public void testEnabledWithProjectMatching(final IProject objectProject, final IProject roleProject, boolean matching)
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(true)));
+                    IObject<String> objectWithProjectWithId = new Object<String>(ORIGINAL_OBJECT_A, objectProject);
+                    allowing(objectsProvider).getObjects(dataProvider);
+                    will(returnValue(Arrays.asList(objectWithProjectWithId)));
+                    allowing(rolesProvider).getRoles(dataProvider);
+                    will(returnValue(Arrays.asList(new TestRole(roleProject))));
+                }
+            });
+        if (matching)
+        {
+            assertResults(Arrays.<String> asList(ORIGINAL_OBJECT_A), Arrays.<String> asList());
+        } else
+        {
+            assertResults(Arrays.<String> asList(), Arrays.<String> asList(ORIGINAL_OBJECT_A));
+        }
+    }
+    @Test
+    public void testEnabledWithAccessToAllObjects()
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(true)));
+                    IObject<String> objectA = new Object<String>(ORIGINAL_OBJECT_A, PROJECT_X);
+                    IObject<String> objectB = new Object<String>(ORIGINAL_OBJECT_B, PROJECT_Y);
+                    allowing(objectsProvider).getObjects(dataProvider);
+                    will(returnValue(Arrays.asList(objectA, objectB)));
+                    allowing(rolesProvider).getRoles(dataProvider);
+                    will(returnValue(Arrays.asList(ROLE_WITH_PROJECT_X, ROLE_WITH_PROJECT_Y)));
+                }
+            });
+        assertResults(Arrays.<String> asList(ORIGINAL_OBJECT_A, ORIGINAL_OBJECT_B), Arrays.<String> asList());
+    }
+    @Test
+    public void testEnabledWithAccessToSomeObjects()
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(true)));
+                    IObject<String> objectA = new Object<String>(ORIGINAL_OBJECT_A, PROJECT_X);
+                    IObject<String> objectB = new Object<String>(ORIGINAL_OBJECT_B, PROJECT_Y);
+                    allowing(objectsProvider).getObjects(dataProvider);
+                    will(returnValue(Arrays.asList(objectA, objectB)));
+                    allowing(rolesProvider).getRoles(dataProvider);
+                    will(returnValue(Arrays.asList(ROLE_WITH_PROJECT_X)));
+                }
+            });
+        assertResults(Arrays.<String> asList(ORIGINAL_OBJECT_A), Arrays.<String> asList(ORIGINAL_OBJECT_B));
+    }
+    @Test
+    public void testEnabledWithAccessToZeroObjects()
+    {
+        context.checking(new Expectations()
+            {
+                {
+                    allowing(dataProvider).getAuthorizationConfig();
+                    will(returnValue(new TestAuthorizationConfig(true)));
+                    IObject<String> objectA = new Object<String>(ORIGINAL_OBJECT_A, PROJECT_X);
+                    IObject<String> objectB = new Object<String>(ORIGINAL_OBJECT_B, PROJECT_Y);
+                    allowing(objectsProvider).getObjects(dataProvider);
+                    will(returnValue(Arrays.asList(objectA, objectB)));
+                    allowing(rolesProvider).getRoles(dataProvider);
+                    will(returnValue(Arrays.asList()));
+                }
+            });
+        assertResults(Arrays.<String> asList(), Arrays.<String> asList(ORIGINAL_OBJECT_A, ORIGINAL_OBJECT_B));
+    }
+    private void assertResults(List<String> expectedWithAccess, List<String> expectedWithoutAccess)
+    {
+        IProjectAuthorization<String> pa = new ProjectAuthorizationBuilder<String>()
+                .withData(dataProvider)
+                .withObjects(objectsProvider)
+                .withRoles(rolesProvider).build();
+        Collection<String> withAccess = pa.getObjectsWithAccess();
+        assertEquals(withAccess, expectedWithAccess);
+        Collection<String> withoutAccess = pa.getObjectsWithoutAccess();
+        assertEquals(withoutAccess, expectedWithoutAccess);
+    }
+    @DataProvider(name = PROJECT_PROVIDER)
+    protected java.lang.Object[][] provideProjects()
+    {
+        return new java.lang.Object[][] {
+                // ALL nulls
+                { new TestProject(null, null, null), new TestProject(null, null, null), false },
+                // ALL same
+                { new TestProject(1L, "p", "i"), new TestProject(1L, "p", "i"), true },
+                // ALL different
+                { new TestProject(1L, "p1", "i1"), new TestProject(2L, "p2", "i2"), false },
+                // ID same
+                { new TestProject(1L, null, null), new TestProject(1L, null, null), true },
+                // ID different
+                { new TestProject(1L, null, null), new TestProject(2L, null, null), false },
+                // PERM_ID same
+                { new TestProject(null, "p", null), new TestProject(null, "p", null), true },
+                // PERM_ID different
+                { new TestProject(null, "p1", null), new TestProject(null, "p2", null), false },
+                // IDENTIFIER same
+                { new TestProject(null, null, "i"), new TestProject(null, null, "i"), true },
+                // IDENTIFIER different
+                { new TestProject(null, null, "i1"), new TestProject(null, null, "i2"), false },
+                // ID same, PERM_ID same
+                { new TestProject(1L, "p", null), new TestProject(1L, "p", null), true },
+                // ID same, PERM_ID different - weird situation
+                { new TestProject(1L, "p1", null), new TestProject(1L, "p2", null), false },
+                // ID different, PERM_ID same - weird situation
+                { new TestProject(1L, "p", null), new TestProject(2L, "p", null), false },
+                // ID same, IDENTIFIER same
+                { new TestProject(1L, null, "i"), new TestProject(1L, null, "i"), true },
+                // ID same, IDENTIFIER different
+                { new TestProject(1L, null, "i1"), new TestProject(1L, null, "i2"), true },
+                // ID different, IDENTIFIER same
+                { new TestProject(1L, null, "i"), new TestProject(2L, null, "i"), false },
+                // PERM_ID same, IDENTIFIER same
+                { new TestProject(null, "p", "i"), new TestProject(null, "p", "i"), true },
+                // PERM_ID same, IDENTIFIER different
+                { new TestProject(null, "p", "i1"), new TestProject(null, "p", "i2"), true },
+                // PERM_ID different, IDENTIFIER same
+                { new TestProject(null, "p1", "i"), new TestProject(null, "p2", "i"), false },
+        };
+    }
+}
--- a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/TestProject.java
+++ b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/TestProject.java
+/*
+ * Copyright 2017 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package ch.systemsx.cisd.openbis.generic.server.authorization.project;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.data.project.IProject;
+/**
+ * @author pkupczyk
+ */
+public class TestProject implements IProject
+{
+    private Long id;
+    private String permId;
+    private String identifier;
+    public TestProject(Long id, String permId, String identifier)
+    {
+        this.id = id;
+        this.permId = permId;
+        this.identifier = identifier;
+    }
+    @Override
+    public Long getId()
+    {
+        return id;
+    }
+    @Override
+    public String getPermId()
+    {
+        return permId;
+    }
+    @Override
+    public String getIdentifier()
+    {
+        return identifier;
+    }
+    @Override
+    public String toString()
+    {
+        return "TestProject[id: " + id + ", permId: " + permId + ", identifier: " + identifier + "]";
+    }
+}
--- a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/TestRole.java
+++ b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/TestRole.java
+/*
+ * Copyright 2017 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package ch.systemsx.cisd.openbis.generic.server.authorization.project;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.data.project.IProject;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.data.role.IRole;
+/**
+ * @author pkupczyk
+ */
+public class TestRole implements IRole
+{
+    private IProject project;
+    public TestRole(IProject project)
+    {
+        this.project = project;
+    }
+    @Override
+    public IProject getProject()
+    {
+        return project;
+    }
+}