mirrors
/
sonarqube
镜像来自 https://github.com/SonarSource/sonarqube.git
關注 1
收藏 0
複製 0
程式碼 問題 0 版本發佈 237 Wiki 活動
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
35008 提交
59 分支
目錄樹: 12639b9a55
分支列表 標籤
${ item.name }
建立分支 ${ searchTerm }
從 '12639b9a55'
${ noResults }
sonarqube/server/sonar-webserver-webapi/src/it/java/org/sonar/server/permission/ws/UsersActionIT.java

UsersActionIT.java 15KB
原始文件 Blame 歷史記錄

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2023 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.permission.ws;

  21. 

  22. import java.util.Set;

  23. import org.junit.Test;

  24. import org.sonar.api.resources.Qualifiers;

  25. import org.sonar.api.resources.ResourceTypes;

  26. import org.sonar.api.server.ws.WebService.Param;

  27. import org.sonar.api.server.ws.WebService.SelectionMode;

  28. import org.sonar.api.web.UserRole;

  29. import org.sonar.db.component.BranchDto;

  30. import org.sonar.db.component.ComponentDto;

  31. import org.sonar.db.component.ProjectData;

  32. import org.sonar.db.component.ResourceTypesRule;

  33. import org.sonar.db.permission.GlobalPermission;

  34. import org.sonar.db.project.ProjectDto;

  35. import org.sonar.db.user.UserDto;

  36. import org.sonar.server.common.avatar.AvatarResolverImpl;

  37. import org.sonar.server.exceptions.BadRequestException;

  38. import org.sonar.server.exceptions.ForbiddenException;

  39. import org.sonar.server.exceptions.NotFoundException;

  40. import org.sonar.server.exceptions.UnauthorizedException;

  41. import org.sonar.server.management.ManagedInstanceService;

  42. import org.sonar.server.permission.PermissionService;

  43. import org.sonar.server.permission.PermissionServiceImpl;

  44. import org.sonar.server.permission.RequestValidator;

  45. 

  46. import static java.util.function.Function.identity;

  47. import static java.util.stream.Collectors.toMap;

  48. import static org.apache.commons.lang.StringUtils.countMatches;

  49. import static org.assertj.core.api.Assertions.assertThat;

  50. import static org.assertj.core.api.Assertions.assertThatThrownBy;

  51. import static org.mockito.ArgumentMatchers.any;

  52. import static org.mockito.Mockito.mock;

  53. import static org.mockito.Mockito.when;

  54. import static org.sonar.api.server.ws.WebService.Param.PAGE;

  55. import static org.sonar.api.server.ws.WebService.Param.PAGE_SIZE;

  56. import static org.sonar.api.server.ws.WebService.Param.TEXT_QUERY;

  57. import static org.sonar.db.user.UserTesting.newUserDto;

  58. import static org.sonar.test.JsonAssert.assertJson;

  59. import static org.sonarqube.ws.client.permission.PermissionsWsParameters.PARAM_PERMISSION;

  60. import static org.sonarqube.ws.client.permission.PermissionsWsParameters.PARAM_PROJECT_ID;

  61. import static org.sonarqube.ws.client.permission.PermissionsWsParameters.PARAM_PROJECT_KEY;

  62. import static org.sonarqube.ws.client.permission.PermissionsWsParameters.PARAM_USER_LOGIN;

  63. 

  64. public class UsersActionIT extends BasePermissionWsIT<UsersAction> {

  65. 

  66.   private final ResourceTypes resourceTypes = new ResourceTypesRule().setRootQualifiers(Qualifiers.PROJECT);

  67.   private final PermissionService permissionService = new PermissionServiceImpl(resourceTypes);

  68.   private final WsParameters wsParameters = new WsParameters(permissionService);

  69.   private final RequestValidator requestValidator = new RequestValidator(permissionService);

  70.   private final ManagedInstanceService managedInstanceService = mock(ManagedInstanceService.class);

  71. 

  72.   @Override

  73.   protected UsersAction buildWsAction() {

  74.     return new UsersAction(db.getDbClient(), userSession, newPermissionWsSupport(), new AvatarResolverImpl(), wsParameters, requestValidator, managedInstanceService);

  75.   }

  76. 

  77.   @Test

  78.   public void search_for_users_with_response_example() {

  79.     UserDto user1 = db.users().insertUser(newUserDto().setLogin("admin").setName("Administrator").setEmail("admin@admin.com"));

  80.     UserDto user2 = db.users().insertUser(newUserDto().setLogin("adam.west").setName("Adam West").setEmail("adamwest@adamwest.com"));

  81.     UserDto user3 = db.users().insertUser(newUserDto().setLogin("george.orwell").setName("George Orwell").setEmail("george.orwell@1984.net"));

  82.     db.users().insertGlobalPermissionOnUser(user1, GlobalPermission.ADMINISTER_QUALITY_PROFILES);

  83.     db.users().insertGlobalPermissionOnUser(user1, GlobalPermission.ADMINISTER);

  84.     db.users().insertGlobalPermissionOnUser(user1, GlobalPermission.ADMINISTER_QUALITY_GATES);

  85.     db.users().insertGlobalPermissionOnUser(user3, GlobalPermission.SCAN);

  86.     mockUsersAsManaged(user3.getUuid());

  87. 

  88.     loginAsAdmin();

  89.     String result = newRequest().execute().getInput();

  90. 

  91.     assertJson(result).withStrictArrayOrder().isSimilarTo(getClass().getResource("users-example.json"));

  92.   }

  93. 

  94.   @Test

  95.   public void search_for_users_with_one_permission() {

  96.     insertUsersHavingGlobalPermissions();

  97. 

  98.     loginAsAdmin();

  99.     String result = newRequest().setParam("permission", "scan").execute().getInput();

  100. 

  101.     assertJson(result).withStrictArrayOrder().isSimilarTo(getClass().getResource("UsersActionIT/users.json"));

  102.   }

  103. 

  104.   @Test

  105.   public void search_for_users_with_permission_on_project() {

  106.     // User has permission on project

  107.     ProjectDto project = db.components().insertPrivateProject().getProjectDto();

  108.     UserDto user = db.users().insertUser(newUserDto());

  109.     db.users().insertProjectPermissionOnUser(user, UserRole.ISSUE_ADMIN, project);

  110. 

  111.     // User has permission on another project

  112.     ProjectDto anotherProject = db.components().insertPrivateProject().getProjectDto();

  113.     UserDto userHavePermissionOnAnotherProject = db.users().insertUser(newUserDto());

  114.     db.users().insertProjectPermissionOnUser(userHavePermissionOnAnotherProject, UserRole.ISSUE_ADMIN, anotherProject);

  115. 

  116.     // User has no permission

  117.     UserDto withoutPermission = db.users().insertUser(newUserDto());

  118. 

  119.     userSession.logIn().addProjectPermission(GlobalPermission.ADMINISTER.getKey(), project);

  120.     String result = newRequest()

  121.       .setParam(PARAM_PERMISSION, UserRole.ISSUE_ADMIN)

  122.       .setParam(PARAM_PROJECT_ID, project.getUuid())

  123.       .execute()

  124.       .getInput();

  125. 

  126.     assertThat(result).contains(user.getLogin())

  127.       .doesNotContain(userHavePermissionOnAnotherProject.getLogin())

  128.       .doesNotContain(withoutPermission.getLogin());

  129.   }

  130. 

  131.   @Test

  132.   public void search_also_for_users_without_permission_when_filtering_name() {

  133.     // User with permission on project

  134.     ProjectDto project = db.components().insertPrivateProject().getProjectDto();

  135.     UserDto user = db.users().insertUser(newUserDto("with-permission-login", "with-permission-name", "with-permission-email"));

  136.     db.users().insertProjectPermissionOnUser(user, UserRole.ISSUE_ADMIN, project);

  137. 

  138.     // User without permission

  139.     UserDto withoutPermission = db.users().insertUser(newUserDto("without-permission-login", "without-permission-name", "without-permission-email"));

  140.     UserDto anotherUser = db.users().insertUser(newUserDto("another-user", "another-user", "another-user"));

  141. 

  142.     loginAsAdmin();

  143.     String result = newRequest()

  144.       .setParam(PARAM_PROJECT_ID, project.getUuid())

  145.       .setParam(TEXT_QUERY, "with")

  146.       .execute()

  147.       .getInput();

  148. 

  149.     assertThat(result).contains(user.getLogin(), withoutPermission.getLogin()).doesNotContain(anotherUser.getLogin());

  150.   }

  151. 

  152.   @Test

  153.   public void search_also_for_users_without_permission_when_filtering_email() {

  154.     // User with permission on project

  155.     ProjectDto project = db.components().insertPrivateProject().getProjectDto();

  156.     UserDto user = db.users().insertUser(newUserDto("with-permission-login", "with-permission-name", "with-permission-email"));

  157.     db.users().insertProjectPermissionOnUser(user, UserRole.ISSUE_ADMIN, project);

  158. 

  159.     // User without permission

  160.     UserDto withoutPermission = db.users().insertUser(newUserDto("without-permission-login", "without-permission-name", "without-permission-email"));

  161.     UserDto anotherUser = db.users().insertUser(newUserDto("another-user", "another-user", "another-user"));

  162. 

  163.     loginAsAdmin();

  164.     String result = newRequest().setParam(PARAM_PROJECT_ID, project.getUuid()).setParam(TEXT_QUERY, "email").execute().getInput();

  165. 

  166.     assertThat(result).contains(user.getLogin(), withoutPermission.getLogin()).doesNotContain(anotherUser.getLogin());

  167.   }

  168. 

  169.   @Test

  170.   public void search_also_for_users_without_permission_when_filtering_login() {

  171.     // User with permission on project

  172.     ProjectDto project = db.components().insertPrivateProject().getProjectDto();

  173.     UserDto user = db.users().insertUser(newUserDto("with-permission-login", "with-permission-name", "with-permission-email"));

  174.     db.users().insertProjectPermissionOnUser(user, UserRole.ISSUE_ADMIN, project);

  175. 

  176.     // User without permission

  177.     UserDto withoutPermission = db.users().insertUser(newUserDto("without-permission-login", "without-permission-name", "without-permission-email"));

  178.     UserDto anotherUser = db.users().insertUser(newUserDto("another-user", "another-user", "another-user"));

  179. 

  180.     loginAsAdmin();

  181.     String result = newRequest().setParam(PARAM_PROJECT_ID, project.getUuid()).setParam(TEXT_QUERY, "login").execute().getInput();

  182. 

  183.     assertThat(result).contains(user.getLogin(), withoutPermission.getLogin()).doesNotContain(anotherUser.getLogin());

  184.   }

  185. 

  186.   @Test

  187.   public void search_for_users_with_query_as_a_parameter() {

  188.     insertUsersHavingGlobalPermissions();

  189. 

  190.     loginAsAdmin();

  191.     String result = newRequest()

  192.       .setParam("permission", "scan")

  193.       .setParam(TEXT_QUERY, "ame-1")

  194.       .execute()

  195.       .getInput();

  196. 

  197.     assertThat(result).contains("login-1")

  198.       .doesNotContain("login-2")

  199.       .doesNotContain("login-3");

  200.   }

  201. 

  202.   @Test

  203.   public void search_for_users_with_select_as_a_parameter() {

  204.     insertUsersHavingGlobalPermissions();

  205. 

  206.     loginAsAdmin();

  207.     String result = newRequest()

  208.       .execute()

  209.       .getInput();

  210. 

  211.     assertThat(result).contains("login-1", "login-2", "login-3");

  212.   }

  213. 

  214.   @Test

  215.   public void search_for_users_is_paginated() {

  216.     for (int i = 9; i >= 0; i--) {

  217.       UserDto user = db.users().insertUser(newUserDto().setName("user-" + i));

  218.       db.users().insertGlobalPermissionOnUser(user, GlobalPermission.ADMINISTER);

  219.       db.users().insertGlobalPermissionOnUser(user, GlobalPermission.ADMINISTER_QUALITY_GATES);

  220.     }

  221.     loginAsAdmin();

  222. 

  223.     assertJson(newRequest().setParam(PAGE, "1").setParam(PAGE_SIZE, "2").execute().getInput()).withStrictArrayOrder().isSimilarTo("{\n" +

  224.       "  \"paging\": {\n" +

  225.       "    \"pageIndex\": 1,\n" +

  226.       "    \"pageSize\": 2,\n" +

  227.       "    \"total\": 10\n" +

  228.       "  },\n" +

  229.       "  \"users\": [\n" +

  230.       "    {\n" +

  231.       "      \"name\": \"user-0\"\n" +

  232.       "    },\n" +

  233.       "    {\n" +

  234.       "      \"name\": \"user-1\"\n" +

  235.       "    }\n" +

  236.       "  ]\n" +

  237.       "}");

  238.     assertJson(newRequest().setParam(PAGE, "3").setParam(PAGE_SIZE, "4").execute().getInput()).withStrictArrayOrder().isSimilarTo("{\n" +

  239.       "  \"paging\": {\n" +

  240.       "    \"pageIndex\": 3,\n" +

  241.       "    \"pageSize\": 4,\n" +

  242.       "    \"total\": 10\n" +

  243.       "  },\n" +

  244.       "  \"users\": [\n" +

  245.       "    {\n" +

  246.       "      \"name\": \"user-8\"\n" +

  247.       "    },\n" +

  248.       "    {\n" +

  249.       "      \"name\": \"user-9\"\n" +

  250.       "    }\n" +

  251.       "  ]\n" +

  252.       "}");

  253.   }

  254. 

  255.   @Test

  256.   public void return_more_than_20_permissions() {

  257.     loginAsAdmin();

  258.     for (int i = 0; i < 30; i++) {

  259.       UserDto user = db.users().insertUser(newUserDto().setLogin("user-" + i));

  260.       db.users().insertGlobalPermissionOnUser(user, GlobalPermission.SCAN);

  261.       db.users().insertGlobalPermissionOnUser(user, GlobalPermission.PROVISION_PROJECTS);

  262.     }

  263. 

  264.     String result = newRequest()

  265.       .setParam(PAGE_SIZE, "100")

  266.       .execute()

  267.       .getInput();

  268. 

  269.     assertThat(countMatches(result, "scan")).isEqualTo(30);

  270.   }

  271. 

  272.   @Test

  273.   public void fail_if_project_permission_without_project() {

  274.     loginAsAdmin();

  275. 

  276.     assertThatThrownBy(() -> {

  277.       newRequest()

  278.         .setParam(PARAM_PERMISSION, UserRole.ISSUE_ADMIN)

  279.         .setParam(Param.SELECTED, SelectionMode.ALL.value())

  280.         .execute();

  281.     })

  282.       .isInstanceOf(BadRequestException.class);

  283.   }

  284. 

  285.   @Test

  286.   public void fail_if_insufficient_privileges() {

  287.     userSession.logIn("login");

  288. 

  289.     assertThatThrownBy(() -> {

  290.       newRequest()

  291.         .setParam("permission", GlobalPermission.ADMINISTER.getKey())

  292.         .execute();

  293.     })

  294.       .isInstanceOf(ForbiddenException.class);

  295.   }

  296. 

  297.   @Test

  298.   public void fail_if_not_logged_in() {

  299.     userSession.anonymous();

  300. 

  301.     assertThatThrownBy(() -> {

  302.       newRequest()

  303.         .setParam("permission", GlobalPermission.ADMINISTER.getKey())

  304.         .execute();

  305.     })

  306.       .isInstanceOf(UnauthorizedException.class);

  307.   }

  308. 

  309.   @Test

  310.   public void fail_if_project_uuid_and_project_key_are_provided() {

  311.     ComponentDto project = db.components().insertPrivateProject().getMainBranchComponent();

  312.     loginAsAdmin();

  313. 

  314.     assertThatThrownBy(() -> newRequest()

  315.       .setParam(PARAM_PERMISSION, GlobalPermission.ADMINISTER.getKey())

  316.       .setParam(PARAM_PROJECT_ID, project.uuid())

  317.       .setParam(PARAM_PROJECT_KEY, project.getKey())

  318.       .execute())

  319.       .isInstanceOf(BadRequestException.class)

  320.       .hasMessage("Project id or project key can be provided, not both.");

  321.   }

  322. 

  323.   @Test

  324.   public void fail_if_search_query_is_too_short() {

  325.     loginAsAdmin();

  326. 

  327.     assertThatThrownBy(() -> newRequest().setParam(TEXT_QUERY, "ab").execute())

  328.       .isInstanceOf(IllegalArgumentException.class)

  329.       .hasMessage("'q' length (2) is shorter than the minimum authorized (3)");

  330.   }

  331. 

  332.   @Test

  333.   public void fail_when_using_branch_uuid() {

  334.     UserDto user = db.users().insertUser(newUserDto());

  335.     ProjectData project = db.components().insertPublicProject();

  336.     BranchDto branch = db.components().insertProjectBranch(project.getProjectDto());

  337.     db.users().insertProjectPermissionOnUser(user, UserRole.ISSUE_ADMIN, project.getProjectDto());

  338.     userSession.logIn().addProjectPermission(UserRole.ADMIN, project.getProjectDto());

  339. 

  340.     assertThatThrownBy(() -> {

  341.       newRequest()

  342.         .setParam(PARAM_PROJECT_ID, branch.getUuid())

  343.         .setParam(PARAM_USER_LOGIN, user.getLogin())

  344.         .setParam(PARAM_PERMISSION, GlobalPermission.ADMINISTER.getKey())

  345.         .execute();

  346.     })

  347.       .isInstanceOf(NotFoundException.class)

  348.       .hasMessage("Entity not found");

  349.   }

  350. 

  351.   private void insertUsersHavingGlobalPermissions() {

  352.     UserDto user1 = db.users().insertUser(newUserDto("login-1", "name-1", "email-1"));

  353.     UserDto user2 = db.users().insertUser(newUserDto("login-2", "name-2", "email-2"));

  354.     UserDto user3 = db.users().insertUser(newUserDto("login-3", "name-3", "email-3"));

  355.     db.users().insertGlobalPermissionOnUser(user1, GlobalPermission.SCAN);

  356.     db.users().insertGlobalPermissionOnUser(user2, GlobalPermission.SCAN);

  357.     db.users().insertGlobalPermissionOnUser(user3, GlobalPermission.ADMINISTER);

  358.     mockUsersAsManaged(user1.getUuid());

  359.   }

  360. 

  361.   private void mockUsersAsManaged(String... userUuids) {

  362.     when(managedInstanceService.getUserUuidToManaged(any(), any())).thenAnswer(invocation ->

  363.       {

  364.         Set<?> allUsersUuids = invocation.getArgument(1, Set.class);

  365.         return allUsersUuids.stream()

  366.           .map(userUuid -> (String) userUuid)

  367.           .collect(toMap(identity(), userUuid -> Set.of(userUuids).contains(userUuid)));

  368.       }

  369.     );

  370.   }

  371. }