From c003fa9f7648ee31a963171683c29f6d6313c646 Mon Sep 17 00:00:00 2001 From: Teryk Bellahsene Date: Fri, 31 Jul 2015 11:15:27 +0200 Subject: [PATCH] SONAR-6481 SONAR-6484 SONAR-4475 do not remove the last admin user or group permission --- .../server/permission/PermissionService.java | 18 +- .../permission/ws/RemoveUserAction.java | 4 +- .../step/ApplyPermissionsStepTest.java | 2 +- .../qualityprofile/ws/ProjectsActionTest.java | 4 +- .../usergroups/ws/DeleteActionTest.java | 2 +- .../server/view/index/ViewIndexerTest.java | 2 +- .../db/permission/PermissionRepository.java | 4 +- .../main/java/org/sonar/db/user/RoleDao.java | 8 +- .../java/org/sonar/db/user/RoleMapper.java | 1 + .../org/sonar/db/user/RoleMapper.xml | 24 +++ .../java/org/sonar/db/user/RoleDaoTest.java | 164 ++++++++++++------ 11 files changed, 171 insertions(+), 62 deletions(-) diff --git a/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionService.java b/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionService.java index 001a00d7507..2389efba4ec 100644 --- a/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionService.java +++ b/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionService.java @@ -63,7 +63,7 @@ public class PermissionService { private final ComponentFinder componentFinder; public PermissionService(DbClient dbClient, PermissionRepository permissionRepository, PermissionFinder finder, - IssueAuthorizationIndexer issueAuthorizationIndexer, UserSession userSession, ComponentFinder componentFinder) { + IssueAuthorizationIndexer issueAuthorizationIndexer, UserSession userSession, ComponentFinder componentFinder) { this.dbClient = dbClient; this.permissionRepository = permissionRepository; this.finder = finder; @@ -206,6 +206,7 @@ public class PermissionService { if (Operation.ADD == operation) { permissionRepository.insertGroupPermission(componentId, targetedGroup, permissionChange.permission(), session); } else { + checkAdminUsersExistOutsideTheRemovedGroup(session, permissionChange, targetedGroup); permissionRepository.deleteGroupPermission(componentId, targetedGroup, permissionChange.permission(), session); } return true; @@ -224,12 +225,27 @@ public class PermissionService { if (Operation.ADD == operation) { permissionRepository.insertUserPermission(componentId, targetedUser, permissionChange.permission(), session); } else { + checkOtherAdminUsersExist(session, permissionChange); permissionRepository.deleteUserPermission(componentId, targetedUser, permissionChange.permission(), session); } return true; } + private void checkOtherAdminUsersExist(DbSession session, PermissionChange permissionChange) { + if (GlobalPermissions.SYSTEM_ADMIN.equals(permissionChange.permission()) + && dbClient.roleDao().countUserPermissions(session, permissionChange.permission(), null) <= 1) { + throw new BadRequestException(String.format("Last user with '%s' permission. Permission cannot be removed.", GlobalPermissions.SYSTEM_ADMIN)); + } + } + + private void checkAdminUsersExistOutsideTheRemovedGroup(DbSession session, PermissionChange permissionChange, Long groupIdToExclude) { + if (GlobalPermissions.SYSTEM_ADMIN.equals(permissionChange.permission()) + && dbClient.roleDao().countUserPermissions(session, permissionChange.permission(), groupIdToExclude) <= 0) { + throw new BadRequestException(String.format("Last group with '%s' permission. Permission cannot be removed.", GlobalPermissions.SYSTEM_ADMIN)); + } + } + private Long getTargetedUser(DbSession session, String userLogin) { UserDto user = dbClient.userDao().selectActiveUserByLogin(session, userLogin); badRequestIfNullResult(user, OBJECT_TYPE_USER, userLogin); diff --git a/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java b/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java index 87d4ff5f566..708fecc0c95 100644 --- a/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java +++ b/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java @@ -24,8 +24,8 @@ import org.sonar.api.server.ws.Request; import org.sonar.api.server.ws.Response; import org.sonar.api.server.ws.WebService; import org.sonar.core.permission.GlobalPermissions; -import org.sonar.server.permission.PermissionService; import org.sonar.server.permission.PermissionChange; +import org.sonar.server.permission.PermissionService; public class RemoveUserAction implements PermissionsWsAction { @@ -42,7 +42,7 @@ public class RemoveUserAction implements PermissionsWsAction { @Override public void define(WebService.NewController context) { WebService.NewAction action = context.createAction(ACTION) - .setDescription("Remove permission to a user.
Requires 'Administer System' permission.") + .setDescription("Remove permission from a user.
Requires 'Administer System' permission.") .setSince("5.2") .setPost(true) .setHandler(this); diff --git a/server/sonar-server/src/test/java/org/sonar/server/computation/step/ApplyPermissionsStepTest.java b/server/sonar-server/src/test/java/org/sonar/server/computation/step/ApplyPermissionsStepTest.java index 6e730589b4d..780421e168b 100644 --- a/server/sonar-server/src/test/java/org/sonar/server/computation/step/ApplyPermissionsStepTest.java +++ b/server/sonar-server/src/test/java/org/sonar/server/computation/step/ApplyPermissionsStepTest.java @@ -134,7 +134,7 @@ public class ApplyPermissionsStepTest extends BaseStepTest { ComponentDto projectDto = ComponentTesting.newProjectDto(PROJECT_UUID).setKey(PROJECT_KEY).setAuthorizationUpdatedAt(authorizationUpdatedAt); dbClient.componentDao().insert(dbSession, projectDto); // Permissions are already set on the project - dbClient.roleDao().insertGroupRole(new GroupRoleDto().setRole(UserRole.USER).setGroupId(null).setResourceId(projectDto.getId()), dbSession); + dbClient.roleDao().insertGroupRole(dbSession, new GroupRoleDto().setRole(UserRole.USER).setGroupId(null).setResourceId(projectDto.getId())); dbSession.commit(); diff --git a/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/ProjectsActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/ProjectsActionTest.java index a254c97e6a7..c0cddb928cd 100644 --- a/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/ProjectsActionTest.java +++ b/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/ProjectsActionTest.java @@ -117,7 +117,7 @@ public class ProjectsActionTest { dbClient.componentDao().insert(session, project1, project2); // user only sees project1 - roleDao.insertUserRole(new UserRoleDto().setUserId(userId).setResourceId(project1.getId()).setRole(UserRole.USER), session); + roleDao.insertUserRole(session, new UserRoleDto().setUserId(userId).setResourceId(project1.getId()).setRole(UserRole.USER)); associateProjectsWithProfile(session, xooP1, project1, project2); @@ -231,7 +231,7 @@ public class ProjectsActionTest { private void addBrowsePermissionToAnyone(DbSession session, ComponentDto... projects) { for (ComponentDto project : projects) { - roleDao.insertGroupRole(new GroupRoleDto().setGroupId(null).setResourceId(project.getId()).setRole(UserRole.USER), session); + roleDao.insertGroupRole(session, new GroupRoleDto().setGroupId(null).setResourceId(project.getId()).setRole(UserRole.USER)); } } diff --git a/server/sonar-server/src/test/java/org/sonar/server/usergroups/ws/DeleteActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/usergroups/ws/DeleteActionTest.java index 68365e85afb..5465772752e 100644 --- a/server/sonar-server/src/test/java/org/sonar/server/usergroups/ws/DeleteActionTest.java +++ b/server/sonar-server/src/test/java/org/sonar/server/usergroups/ws/DeleteActionTest.java @@ -125,7 +125,7 @@ public class DeleteActionTest { @Test public void delete_with_permissions() throws Exception { GroupDto group = groupDao.insert(session, new GroupDto().setName("to-delete")); - roleDao.insertGroupRole(new GroupRoleDto().setGroupId(group.getId()).setResourceId(42L).setRole(UserRole.ADMIN), session); + roleDao.insertGroupRole(session, new GroupRoleDto().setGroupId(group.getId()).setResourceId(42L).setRole(UserRole.ADMIN)); session.commit(); loginAsAdmin(); diff --git a/server/sonar-server/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java b/server/sonar-server/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java index c989b76e8c8..75e86390690 100644 --- a/server/sonar-server/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java +++ b/server/sonar-server/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java @@ -213,7 +213,7 @@ public class ViewIndexerTest { ComponentDto project = ComponentTesting.newProjectDto(); ComponentDto file = ComponentTesting.newFileDto(project); dbClient.componentDao().insert(dbSession, project, file); - dbClient.roleDao().insertGroupRole(new GroupRoleDto().setRole(UserRole.USER).setGroupId(null).setResourceId(project.getId()), dbSession); + dbClient.roleDao().insertGroupRole(dbSession, new GroupRoleDto().setRole(UserRole.USER).setGroupId(null).setResourceId(project.getId())); IssueDto issue = IssueTesting.newDto(rule, file, project); dbClient.issueDao().insert(dbSession, issue); diff --git a/sonar-db/src/main/java/org/sonar/db/permission/PermissionRepository.java b/sonar-db/src/main/java/org/sonar/db/permission/PermissionRepository.java index aeaaceb1bf6..f34ce6cc9f8 100644 --- a/sonar-db/src/main/java/org/sonar/db/permission/PermissionRepository.java +++ b/sonar-db/src/main/java/org/sonar/db/permission/PermissionRepository.java @@ -65,7 +65,7 @@ public class PermissionRepository { if (updateProjectAuthorizationDate) { updateProjectAuthorizationDate(session, resourceId); } - dbClient.roleDao().insertUserRole(userRoleDto, session); + dbClient.roleDao().insertUserRole(session, userRoleDto); } public void insertUserPermission(@Nullable Long resourceId, Long userId, String permission, DbSession session) { @@ -87,7 +87,7 @@ public class PermissionRepository { .setGroupId(groupId) .setResourceId(resourceId); updateProjectAuthorizationDate(session, resourceId); - dbClient.roleDao().insertGroupRole(groupRole, session); + dbClient.roleDao().insertGroupRole(session, groupRole); } public void insertGroupPermission(@Nullable Long resourceId, @Nullable Long groupId, String permission, DbSession session) { diff --git a/sonar-db/src/main/java/org/sonar/db/user/RoleDao.java b/sonar-db/src/main/java/org/sonar/db/user/RoleDao.java index 5833798adb6..a2cd68cffc4 100644 --- a/sonar-db/src/main/java/org/sonar/db/user/RoleDao.java +++ b/sonar-db/src/main/java/org/sonar/db/user/RoleDao.java @@ -37,11 +37,11 @@ public class RoleDao implements Dao { return session.getMapper(RoleMapper.class).selectGroupPermissions(groupName, resourceId, DefaultGroups.isAnyone(groupName)); } - public void insertGroupRole(GroupRoleDto groupRole, SqlSession session) { + public void insertGroupRole(DbSession session, GroupRoleDto groupRole) { mapper(session).insertGroupRole(groupRole); } - public void insertUserRole(UserRoleDto userRole, SqlSession session) { + public void insertUserRole(DbSession session, UserRoleDto userRole) { mapper(session).insertUserRole(userRole); } @@ -77,6 +77,10 @@ public class RoleDao implements Dao { return countResourceGroupRoles(session, componentId) + countResourceUserRoles(session, componentId); } + public int countUserPermissions(DbSession session, String permission, @Nullable Long allGroupsExceptThisGroupId) { + return mapper(session).countUsersWithPermission(permission, allGroupsExceptThisGroupId); + } + public void removeAllPermissions(DbSession session, Long resourceId) { deleteGroupRolesByResourceId(session, resourceId); deleteUserRolesByResourceId(session, resourceId); diff --git a/sonar-db/src/main/java/org/sonar/db/user/RoleMapper.java b/sonar-db/src/main/java/org/sonar/db/user/RoleMapper.java index f26b59874bf..0667a4672c7 100644 --- a/sonar-db/src/main/java/org/sonar/db/user/RoleMapper.java +++ b/sonar-db/src/main/java/org/sonar/db/user/RoleMapper.java @@ -56,4 +56,5 @@ public interface RoleMapper { void deleteGroupRolesByGroupId(long groupId); + int countUsersWithPermission(@Param("permission") String permission, @Nullable @Param("groupId") Long groupId); } diff --git a/sonar-db/src/main/resources/org/sonar/db/user/RoleMapper.xml b/sonar-db/src/main/resources/org/sonar/db/user/RoleMapper.xml index 41303206013..d1f70ebd133 100644 --- a/sonar-db/src/main/resources/org/sonar/db/user/RoleMapper.xml +++ b/sonar-db/src/main/resources/org/sonar/db/user/RoleMapper.xml @@ -112,6 +112,30 @@ FROM group_roles WHERE resource_id=#{id} + + delete from group_roles where group_id=#{id} diff --git a/sonar-db/src/test/java/org/sonar/db/user/RoleDaoTest.java b/sonar-db/src/test/java/org/sonar/db/user/RoleDaoTest.java index 9c1af133dca..28bd8251c06 100644 --- a/sonar-db/src/test/java/org/sonar/db/user/RoleDaoTest.java +++ b/sonar-db/src/test/java/org/sonar/db/user/RoleDaoTest.java @@ -27,6 +27,7 @@ import org.sonar.api.security.DefaultGroups; import org.sonar.api.utils.System2; import org.sonar.api.web.UserRole; import org.sonar.core.permission.GlobalPermissions; +import org.sonar.db.DbClient; import org.sonar.db.DbTester; import org.sonar.test.DbTests; @@ -36,127 +37,190 @@ import static org.assertj.core.api.Assertions.assertThat; public class RoleDaoTest { @Rule - public DbTester dbTester = DbTester.create(System2.INSTANCE); + public DbTester db = DbTester.create(System2.INSTANCE); - RoleDao underTest = dbTester.getDbClient().roleDao(); + RoleDao underTest = db.getDbClient().roleDao(); @Test public void retrieve_global_user_permissions() { - dbTester.prepareDbUnit(getClass(), "globalUserPermissions.xml"); + db.prepareDbUnit(getClass(), "globalUserPermissions.xml"); - assertThat(underTest.selectUserPermissions(dbTester.getSession(), "admin_user", null)).containsOnly(GlobalPermissions.SYSTEM_ADMIN, GlobalPermissions.QUALITY_PROFILE_ADMIN); - assertThat(underTest.selectUserPermissions(dbTester.getSession(), "profile_admin_user", null)).containsOnly(GlobalPermissions.QUALITY_PROFILE_ADMIN); + assertThat(underTest.selectUserPermissions(db.getSession(), "admin_user", null)).containsOnly(GlobalPermissions.SYSTEM_ADMIN, GlobalPermissions.QUALITY_PROFILE_ADMIN); + assertThat(underTest.selectUserPermissions(db.getSession(), "profile_admin_user", null)).containsOnly(GlobalPermissions.QUALITY_PROFILE_ADMIN); } @Test public void retrieve_resource_user_permissions() { - dbTester.prepareDbUnit(getClass(), "resourceUserPermissions.xml"); + db.prepareDbUnit(getClass(), "resourceUserPermissions.xml"); - assertThat(underTest.selectUserPermissions(dbTester.getSession(), "admin_user", 1L)).containsOnly(UserRole.ADMIN, UserRole.USER); - assertThat(underTest.selectUserPermissions(dbTester.getSession(), "browse_admin_user", 1L)).containsOnly(UserRole.USER); + assertThat(underTest.selectUserPermissions(db.getSession(), "admin_user", 1L)).containsOnly(UserRole.ADMIN, UserRole.USER); + assertThat(underTest.selectUserPermissions(db.getSession(), "browse_admin_user", 1L)).containsOnly(UserRole.USER); } @Test public void retrieve_global_group_permissions() { - dbTester.prepareDbUnit(getClass(), "globalGroupPermissions.xml"); + db.prepareDbUnit(getClass(), "globalGroupPermissions.xml"); - assertThat(underTest.selectGroupPermissions(dbTester.getSession(), "sonar-administrators", null)).containsOnly(GlobalPermissions.SYSTEM_ADMIN, GlobalPermissions.QUALITY_PROFILE_ADMIN, + assertThat(underTest.selectGroupPermissions(db.getSession(), "sonar-administrators", null)).containsOnly(GlobalPermissions.SYSTEM_ADMIN, + GlobalPermissions.QUALITY_PROFILE_ADMIN, GlobalPermissions.DASHBOARD_SHARING); - assertThat(underTest.selectGroupPermissions(dbTester.getSession(), "sonar-users", null)).containsOnly(GlobalPermissions.DASHBOARD_SHARING); - assertThat(underTest.selectGroupPermissions(dbTester.getSession(), DefaultGroups.ANYONE, null)).containsOnly(GlobalPermissions.PREVIEW_EXECUTION, GlobalPermissions.SCAN_EXECUTION); - assertThat(underTest.selectGroupPermissions(dbTester.getSession(), "anyone", null)).containsOnly(GlobalPermissions.PREVIEW_EXECUTION, GlobalPermissions.SCAN_EXECUTION); - assertThat(underTest.selectGroupPermissions(dbTester.getSession(), "AnYoNe", null)).containsOnly(GlobalPermissions.PREVIEW_EXECUTION, GlobalPermissions.SCAN_EXECUTION); + assertThat(underTest.selectGroupPermissions(db.getSession(), "sonar-users", null)).containsOnly(GlobalPermissions.DASHBOARD_SHARING); + assertThat(underTest.selectGroupPermissions(db.getSession(), DefaultGroups.ANYONE, null)).containsOnly(GlobalPermissions.PREVIEW_EXECUTION, + GlobalPermissions.SCAN_EXECUTION); + assertThat(underTest.selectGroupPermissions(db.getSession(), "anyone", null)).containsOnly(GlobalPermissions.PREVIEW_EXECUTION, GlobalPermissions.SCAN_EXECUTION); + assertThat(underTest.selectGroupPermissions(db.getSession(), "AnYoNe", null)).containsOnly(GlobalPermissions.PREVIEW_EXECUTION, GlobalPermissions.SCAN_EXECUTION); } @Test public void retrieve_resource_group_permissions() { - dbTester.prepareDbUnit(getClass(), "resourceGroupPermissions.xml"); + db.prepareDbUnit(getClass(), "resourceGroupPermissions.xml"); - assertThat(underTest.selectGroupPermissions(dbTester.getSession(), "sonar-administrators", 1L)).containsOnly(UserRole.ADMIN, UserRole.CODEVIEWER); - assertThat(underTest.selectGroupPermissions(dbTester.getSession(), "sonar-users", 1L)).containsOnly(UserRole.CODEVIEWER); + assertThat(underTest.selectGroupPermissions(db.getSession(), "sonar-administrators", 1L)).containsOnly(UserRole.ADMIN, UserRole.CODEVIEWER); + assertThat(underTest.selectGroupPermissions(db.getSession(), "sonar-users", 1L)).containsOnly(UserRole.CODEVIEWER); } @Test public void delete_global_user_permission() { - dbTester.prepareDbUnit(getClass(), "globalUserPermissions.xml"); + db.prepareDbUnit(getClass(), "globalUserPermissions.xml"); UserRoleDto userRoleToDelete = new UserRoleDto().setUserId(200L).setRole(GlobalPermissions.QUALITY_PROFILE_ADMIN); - underTest.deleteUserRole(userRoleToDelete, dbTester.getSession()); - dbTester.getSession().commit(); + underTest.deleteUserRole(userRoleToDelete, db.getSession()); + db.getSession().commit(); - dbTester.assertDbUnit(getClass(), "globalUserPermissions-result.xml", "user_roles"); + db.assertDbUnit(getClass(), "globalUserPermissions-result.xml", "user_roles"); } @Test public void delete_resource_user_permission() { - dbTester.prepareDbUnit(getClass(), "resourceUserPermissions.xml"); + db.prepareDbUnit(getClass(), "resourceUserPermissions.xml"); UserRoleDto userRoleToDelete = new UserRoleDto().setUserId(200L).setRole(UserRole.USER).setResourceId(1L); - underTest.deleteUserRole(userRoleToDelete, dbTester.getSession()); - dbTester.getSession().commit(); + underTest.deleteUserRole(userRoleToDelete, db.getSession()); + db.getSession().commit(); - dbTester.assertDbUnit(getClass(), "resourceUserPermissions-result.xml", "user_roles"); + db.assertDbUnit(getClass(), "resourceUserPermissions-result.xml", "user_roles"); } @Test public void delete_global_group_permission() { - dbTester.prepareDbUnit(getClass(), "globalGroupPermissions.xml"); + db.prepareDbUnit(getClass(), "globalGroupPermissions.xml"); GroupRoleDto groupRoleToDelete = new GroupRoleDto().setGroupId(100L).setRole(GlobalPermissions.QUALITY_PROFILE_ADMIN); - underTest.deleteGroupRole(groupRoleToDelete, dbTester.getSession()); - dbTester.getSession().commit(); + underTest.deleteGroupRole(groupRoleToDelete, db.getSession()); + db.getSession().commit(); - dbTester.assertDbUnit(getClass(), "globalGroupPermissions-result.xml", "group_roles"); + db.assertDbUnit(getClass(), "globalGroupPermissions-result.xml", "group_roles"); } @Test public void delete_resource_group_permission() { - dbTester.prepareDbUnit(getClass(), "resourceGroupPermissions.xml"); + db.prepareDbUnit(getClass(), "resourceGroupPermissions.xml"); GroupRoleDto groupRoleToDelete = new GroupRoleDto().setGroupId(100L).setRole(UserRole.CODEVIEWER).setResourceId(1L); - underTest.deleteGroupRole(groupRoleToDelete, dbTester.getSession()); - dbTester.getSession().commit(); + underTest.deleteGroupRole(groupRoleToDelete, db.getSession()); + db.getSession().commit(); - dbTester.assertDbUnit(getClass(), "resourceGroupPermissions-result.xml", "group_roles"); + db.assertDbUnit(getClass(), "resourceGroupPermissions-result.xml", "group_roles"); } @Test public void delete_all_group_permissions_by_group_id() { - dbTester.prepareDbUnit(getClass(), "deleteGroupPermissionsByGroupId.xml"); + db.prepareDbUnit(getClass(), "deleteGroupPermissionsByGroupId.xml"); - underTest.deleteGroupRolesByGroupId(dbTester.getSession(), 100L); - dbTester.getSession().commit(); + underTest.deleteGroupRolesByGroupId(db.getSession(), 100L); + db.getSession().commit(); - dbTester.assertDbUnit(getClass(), "deleteGroupPermissionsByGroupId-result.xml", "group_roles"); + db.assertDbUnit(getClass(), "deleteGroupPermissionsByGroupId-result.xml", "group_roles"); } @Test public void should_count_component_permissions() { - dbTester.prepareDbUnit(getClass(), "should_count_component_permissions.xml"); + db.prepareDbUnit(getClass(), "should_count_component_permissions.xml"); - assertThat(underTest.countComponentPermissions(dbTester.getSession(), 123L)).isEqualTo(2); + assertThat(underTest.countComponentPermissions(db.getSession(), 123L)).isEqualTo(2); } @Test public void should_remove_all_permissions() { - dbTester.prepareDbUnit(getClass(), "should_remove_all_permissions.xml"); + db.prepareDbUnit(getClass(), "should_remove_all_permissions.xml"); - assertThat(underTest.selectGroupPermissions(dbTester.getSession(), "devs", 123L)).hasSize(1); - assertThat(underTest.selectGroupPermissions(dbTester.getSession(), "other", 123L)).isEmpty(); - assertThat(underTest.selectUserPermissions(dbTester.getSession(), "dave.loper", 123L)).hasSize(1); - assertThat(underTest.selectUserPermissions(dbTester.getSession(), "other.user", 123L)).isEmpty(); + assertThat(underTest.selectGroupPermissions(db.getSession(), "devs", 123L)).hasSize(1); + assertThat(underTest.selectGroupPermissions(db.getSession(), "other", 123L)).isEmpty(); + assertThat(underTest.selectUserPermissions(db.getSession(), "dave.loper", 123L)).hasSize(1); + assertThat(underTest.selectUserPermissions(db.getSession(), "other.user", 123L)).isEmpty(); - underTest.removeAllPermissions(dbTester.getSession(), 123L); - dbTester.getSession().commit(); + underTest.removeAllPermissions(db.getSession(), 123L); + db.getSession().commit(); - dbTester.assertDbUnitTable(getClass(), "should_remove_all_permissions-result.xml", "group_roles", "group_id", "resource_id", "role"); - dbTester.assertDbUnitTable(getClass(), "should_remove_all_permissions-result.xml", "user_roles", "user_id", "resource_id", "role"); + db.assertDbUnitTable(getClass(), "should_remove_all_permissions-result.xml", "group_roles", "group_id", "resource_id", "role"); + db.assertDbUnitTable(getClass(), "should_remove_all_permissions-result.xml", "user_roles", "user_id", "resource_id", "role"); - assertThat(underTest.selectGroupPermissions(dbTester.getSession(), "devs", 123L)).isEmpty(); - assertThat(underTest.selectUserPermissions(dbTester.getSession(), "dave.loper", 123L)).isEmpty(); + assertThat(underTest.selectGroupPermissions(db.getSession(), "devs", 123L)).isEmpty(); + assertThat(underTest.selectUserPermissions(db.getSession(), "dave.loper", 123L)).isEmpty(); + } + + @Test + public void count_users_with_one_specific_permission() { + DbClient dbClient = db.getDbClient(); + UserDto user = dbClient.userDao().insert(db.getSession(), new UserDto().setActive(true)); + dbClient.roleDao().insertUserRole(db.getSession(), new UserRoleDto() + .setUserId(user.getId()) + .setResourceId(123L) + .setRole(GlobalPermissions.SYSTEM_ADMIN)); + dbClient.roleDao().insertUserRole(db.getSession(), new UserRoleDto() + .setUserId(user.getId()) + .setRole(GlobalPermissions.SYSTEM_ADMIN)); + dbClient.roleDao().insertUserRole(db.getSession(), new UserRoleDto() + .setUserId(user.getId()) + .setRole(GlobalPermissions.SCAN_EXECUTION)); + + int result = underTest.countUserPermissions(db.getSession(), GlobalPermissions.SYSTEM_ADMIN, null); + + assertThat(result).isEqualTo(1); + } + + @Test + public void count_users_with_one_permission_when_the_last_one_is_in_a_group() { + DbClient dbClient = db.getDbClient(); + + UserDto user = dbClient.userDao().insert(db.getSession(), new UserDto().setActive(true)); + GroupDto group = dbClient.groupDao().insert(db.getSession(), new GroupDto()); + dbClient.userGroupDao().insert(db.getSession(), new UserGroupDto() + .setGroupId(group.getId()) + .setUserId(user.getId())); + dbClient.roleDao().insertGroupRole(db.getSession(), new GroupRoleDto() + .setGroupId(group.getId()) + .setRole(GlobalPermissions.SYSTEM_ADMIN)); + + int resultWithoutExcludingGroup = underTest.countUserPermissions(db.getSession(), GlobalPermissions.SYSTEM_ADMIN, null); + int resultWithGroupExclusion = underTest.countUserPermissions(db.getSession(), GlobalPermissions.SYSTEM_ADMIN, group.getId()); + + assertThat(resultWithoutExcludingGroup).isEqualTo(1); + assertThat(resultWithGroupExclusion).isEqualTo(0); + } + + @Test + public void count_user_twice_when_user_and_group_permission() { + DbClient dbClient = db.getDbClient(); + + UserDto user = dbClient.userDao().insert(db.getSession(), new UserDto().setActive(true)); + GroupDto group = dbClient.groupDao().insert(db.getSession(), new GroupDto()); + dbClient.userGroupDao().insert(db.getSession(), new UserGroupDto() + .setGroupId(group.getId()) + .setUserId(user.getId())); + dbClient.roleDao().insertGroupRole(db.getSession(), new GroupRoleDto() + .setGroupId(group.getId()) + .setRole(GlobalPermissions.SYSTEM_ADMIN)); + dbClient.roleDao().insertUserRole(db.getSession(), new UserRoleDto() + .setUserId(user.getId()) + .setRole(GlobalPermissions.SYSTEM_ADMIN)); + + int result = underTest.countUserPermissions(db.getSession(), GlobalPermissions.SYSTEM_ADMIN, null); + + assertThat(result).isEqualTo(2); } } -- 2.39.5