Git Plugin Config: Create fine-grained configuration permissions.

No more hard-coded isAdmin() checks. Also adds more tests.
2025-11-09 15:05:44 +01:00 · 2018-08-01 16:21:05 +02:00
parent 86af96bd83
commit aed70d3544
10 changed files with 114 additions and 56 deletions
--- a/scm-plugins/scm-git-plugin/src/test/java/sonia/scm/api/v2/resources/GitConfigDtoToGitConfigMapperTest.java
+++ b/scm-plugins/scm-git-plugin/src/test/java/sonia/scm/api/v2/resources/GitConfigDtoToGitConfigMapperTest.java
@@ -9,6 +9,7 @@ import sonia.scm.repository.GitConfig;
 import java.io.File;

 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;

@RunWith(MockitoJUnitRunner.class)
 public class GitConfigDtoToGitConfigMapperTest {
@@ -22,7 +23,7 @@ public class GitConfigDtoToGitConfigMapperTest {
    GitConfig config = mapper.map(dto);
    assertEquals("express", config.getGcExpression());
    assertEquals("repository/directory", config.getRepositoryDirectory().getPath());
-    assertEquals(false, config.isDisabled());
+    assertFalse(config.isDisabled());
  }

  private GitConfigDto createDefaultDto() {
--- a/scm-plugins/scm-git-plugin/src/test/java/sonia/scm/api/v2/resources/GitConfigResourceTest.java
+++ b/scm-plugins/scm-git-plugin/src/test/java/sonia/scm/api/v2/resources/GitConfigResourceTest.java
@@ -11,6 +11,7 @@ import org.jboss.resteasy.mock.MockHttpResponse;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;
 import org.junit.runner.RunWith;
 import org.mockito.Answers;
 import org.mockito.InjectMocks;
@@ -18,6 +19,7 @@ import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
 import sonia.scm.repository.GitConfig;
 import sonia.scm.repository.GitRepositoryHandler;
+import sonia.scm.web.GitVndMediaType;

 import javax.servlet.http.HttpServletResponse;
 import java.io.File;
@@ -27,12 +29,12 @@ import java.net.URISyntaxException;

 import static junit.framework.TestCase.assertTrue;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.mockito.Mockito.when;

@SubjectAware(
-  username = "trillian",
-  password = "secret",
-  configuration = "classpath:sonia/scm/repository/shiro.ini"
+  configuration = "classpath:sonia/scm/configuration/shiro.ini",
+  password = "secret"
 )
@RunWith(MockitoJUnitRunner.class)
 public class GitConfigResourceTest {
@@ -40,6 +42,9 @@ public class GitConfigResourceTest {
  @Rule
  public ShiroRule shiro = new ShiroRule();

+  @Rule
+  public ExpectedException thrown = ExpectedException.none();
+
  private Dispatcher dispatcher = MockDispatcherFactory.createDispatcher();

  private final URI baseUri = URI.create("/");
@@ -66,10 +71,10 @@ public class GitConfigResourceTest {
  }

  @Test
+  @SubjectAware(username = "readWrite")
  public void shouldGetGitConfig() throws URISyntaxException, IOException {
-    MockHttpRequest request = MockHttpRequest.get("/" + GitConfigResource.GIT_CONFIG_PATH_V2);
-    MockHttpResponse response = new MockHttpResponse();
-    dispatcher.invoke(request, response);
+    MockHttpResponse response = get();
+
    assertEquals(HttpServletResponse.SC_OK, response.getStatus());

    String responseString = response.getContentAsString();
@@ -82,7 +87,55 @@ public class GitConfigResourceTest {
    assertTrue(responseString.contains("\"update\":{\"href\":\"/v2/config/git"));
  }

-  // TODO update & negative tests
+  @Test
+  @SubjectAware(username = "readOnly")
+  public void shouldGetGitConfigWithoutUpdateLink() throws URISyntaxException {
+    MockHttpResponse response = get();
+
+    assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+
+    assertFalse(response.getContentAsString().contains("\"update\":{\"href\":\"/v2/config/git"));
+  }
+
+  @Test
+  @SubjectAware(username = "writeOnly")
+  public void shouldGetConfigOnlyWhenAuthorized() throws URISyntaxException {
+    thrown.expectMessage("Subject does not have permission [configuration:read:git]");
+
+    get();
+  }
+
+  @Test
+  @SubjectAware(username = "writeOnly")
+  public void shouldUpdateConfig() throws URISyntaxException {
+    MockHttpResponse response = put();
+    assertEquals(HttpServletResponse.SC_NO_CONTENT, response.getStatus());
+  }
+
+  @Test
+  @SubjectAware(username = "readOnly")
+  public void shouldUpdateConfigOnlyWhenAuthorized() throws URISyntaxException, IOException {
+    thrown.expectMessage("Subject does not have permission [configuration:write:git]");
+
+    put();
+  }
+
+  private MockHttpResponse get() throws URISyntaxException {
+    MockHttpRequest request = MockHttpRequest.get("/" + GitConfigResource.GIT_CONFIG_PATH_V2);
+    MockHttpResponse response = new MockHttpResponse();
+    dispatcher.invoke(request, response);
+    return response;
+  }
+
+  private MockHttpResponse put() throws URISyntaxException {
+    MockHttpRequest request = MockHttpRequest.put("/" + GitConfigResource.GIT_CONFIG_PATH_V2)
+                                             .contentType(GitVndMediaType.GIT_CONFIG)
+                                             .content("{\"disabled\":true}".getBytes());
+
+    MockHttpResponse response = new MockHttpResponse();
+    dispatcher.invoke(request, response);
+    return response;
+  }

  private GitConfig createConfiguration() {
    GitConfig config = new GitConfig();
--- a/scm-plugins/scm-git-plugin/src/test/java/sonia/scm/api/v2/resources/GitConfigToGitConfigDtoMapperTest.java
+++ b/scm-plugins/scm-git-plugin/src/test/java/sonia/scm/api/v2/resources/GitConfigToGitConfigDtoMapperTest.java
@@ -13,7 +13,6 @@ import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
 import sonia.scm.repository.GitConfig;
-import sonia.scm.security.Role;

 import java.io.File;
 import java.net.URI;
@@ -56,7 +55,7 @@ public class GitConfigToGitConfigDtoMapperTest {
  public void shouldMapFields() {
    GitConfig config = createConfiguration();

-    when(subject.hasRole(Role.ADMIN)).thenReturn(true);
+    when(subject.isPermitted("configuration:write:git")).thenReturn(true);
    GitConfigDto dto = mapper.map(config);

    assertEquals("express", dto.getGcExpression());
@@ -66,6 +65,17 @@ public class GitConfigToGitConfigDtoMapperTest {
    assertEquals(expectedBaseUri.toString(), dto.getLinks().getLinkBy("update").get().getHref());
  }

+  @Test
+  public void shouldMapFieldsWithoutUpdate() {
+    GitConfig config = createConfiguration();
+
+    when(subject.isPermitted("configuration:write:git")).thenReturn(false);
+    GitConfigDto dto = mapper.map(config);
+
+    assertEquals(expectedBaseUri.toString(), dto.getLinks().getLinkBy("self").get().getHref());
+    assertFalse(dto.getLinks().hasLink("update"));
+  }
+
  private GitConfig createConfiguration() {
    GitConfig config = new GitConfig();
    config.setDisabled(false);
--- a/scm-plugins/scm-git-plugin/src/test/resources/sonia/scm/configuration/shiro.ini
+++ b/scm-plugins/scm-git-plugin/src/test/resources/sonia/scm/configuration/shiro.ini
@@ -0,0 +1,9 @@
+[users]
+readOnly = secret, reader
+writeOnly = secret, writer
+readWrite = secret, readerWriter
+
+[roles]
+reader = configuration:read:git
+writer = configuration:write:git
+readerWriter = configuration:*:git
--- a/scm-plugins/scm-git-plugin/src/test/resources/sonia/scm/repository/shiro.ini
+++ b/scm-plugins/scm-git-plugin/src/test/resources/sonia/scm/repository/shiro.ini
@@ -1,11 +0,0 @@
-[users]
-trillian = secret, admin
-dent = secret, creator, heartOfGold, puzzle42
-unpriv = secret
-crato = secret, creator
-
-[roles]
-admin = *
-creator = repository:create
-heartOfGold = "repository:read,modify,delete:hof"
-puzzle42 = "repository:read,write:p42"