mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
34710 Commits
59 Branches
Tree: b0ab2c391e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b0ab2c391e'
${ noResults }
sonarqube/server/sonar-webserver-webapi/src/it/java/org/sonar/server/permission/ws/UsersActionIT.java

UsersActionIT.java 15KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2023 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.permission.ws;

  21. 

  22. import java.util.Set;

  23. import org.junit.Test;

  24. import org.sonar.api.resources.Qualifiers;

  25. import org.sonar.api.resources.ResourceTypes;

  26. import org.sonar.api.server.ws.WebService.Param;

  27. import org.sonar.api.server.ws.WebService.SelectionMode;

  28. import org.sonar.api.web.UserRole;

  29. import org.sonar.db.component.ComponentDto;

  30. import org.sonar.db.component.ResourceTypesRule;

  31. import org.sonar.db.permission.GlobalPermission;

  32. import org.sonar.db.project.ProjectDto;

  33. import org.sonar.db.user.UserDto;

  34. import org.sonar.server.exceptions.BadRequestException;

  35. import org.sonar.server.exceptions.ForbiddenException;

  36. import org.sonar.server.exceptions.NotFoundException;

  37. import org.sonar.server.exceptions.UnauthorizedException;

  38. import org.sonar.server.common.avatar.AvatarResolverImpl;

  39. import org.sonar.server.management.ManagedInstanceService;

  40. import org.sonar.server.permission.PermissionService;

  41. import org.sonar.server.permission.PermissionServiceImpl;

  42. import org.sonar.server.permission.RequestValidator;

  43. 

  44. import static java.util.function.Function.identity;

  45. import static java.util.stream.Collectors.toMap;

  46. import static org.apache.commons.lang.StringUtils.countMatches;

  47. import static org.assertj.core.api.Assertions.assertThat;

  48. import static org.assertj.core.api.Assertions.assertThatThrownBy;

  49. import static org.mockito.ArgumentMatchers.any;

  50. import static org.mockito.Mockito.mock;

  51. import static org.mockito.Mockito.when;

  52. import static org.sonar.api.server.ws.WebService.Param.PAGE;

  53. import static org.sonar.api.server.ws.WebService.Param.PAGE_SIZE;

  54. import static org.sonar.api.server.ws.WebService.Param.TEXT_QUERY;

  55. import static org.sonar.db.user.UserTesting.newUserDto;

  56. import static org.sonar.test.JsonAssert.assertJson;

  57. import static org.sonarqube.ws.client.permission.PermissionsWsParameters.PARAM_PERMISSION;

  58. import static org.sonarqube.ws.client.permission.PermissionsWsParameters.PARAM_PROJECT_ID;

  59. import static org.sonarqube.ws.client.permission.PermissionsWsParameters.PARAM_PROJECT_KEY;

  60. import static org.sonarqube.ws.client.permission.PermissionsWsParameters.PARAM_USER_LOGIN;

  61. 

  62. public class UsersActionIT extends BasePermissionWsIT<UsersAction> {

  63. 

  64.   private final ResourceTypes resourceTypes = new ResourceTypesRule().setRootQualifiers(Qualifiers.PROJECT);

  65.   private final PermissionService permissionService = new PermissionServiceImpl(resourceTypes);

  66.   private final WsParameters wsParameters = new WsParameters(permissionService);

  67.   private final RequestValidator requestValidator = new RequestValidator(permissionService);

  68.   private final ManagedInstanceService managedInstanceService = mock(ManagedInstanceService.class);

  69. 

  70.   @Override

  71.   protected UsersAction buildWsAction() {

  72.     return new UsersAction(db.getDbClient(), userSession, newPermissionWsSupport(), new AvatarResolverImpl(), wsParameters, requestValidator, managedInstanceService);

  73.   }

  74. 

  75.   @Test

  76.   public void search_for_users_with_response_example() {

  77.     UserDto user1 = db.users().insertUser(newUserDto().setLogin("admin").setName("Administrator").setEmail("admin@admin.com"));

  78.     UserDto user2 = db.users().insertUser(newUserDto().setLogin("adam.west").setName("Adam West").setEmail("adamwest@adamwest.com"));

  79.     UserDto user3 = db.users().insertUser(newUserDto().setLogin("george.orwell").setName("George Orwell").setEmail("george.orwell@1984.net"));

  80.     db.users().insertGlobalPermissionOnUser(user1, GlobalPermission.ADMINISTER_QUALITY_PROFILES);

  81.     db.users().insertGlobalPermissionOnUser(user1, GlobalPermission.ADMINISTER);

  82.     db.users().insertGlobalPermissionOnUser(user1, GlobalPermission.ADMINISTER_QUALITY_GATES);

  83.     db.users().insertGlobalPermissionOnUser(user3, GlobalPermission.SCAN);

  84.     mockUsersAsManaged(user3.getUuid());

  85. 

  86.     loginAsAdmin();

  87.     String result = newRequest().execute().getInput();

  88. 

  89.     assertJson(result).withStrictArrayOrder().isSimilarTo(getClass().getResource("users-example.json"));

  90.   }

  91. 

  92.   @Test

  93.   public void search_for_users_with_one_permission() {

  94.     insertUsersHavingGlobalPermissions();

  95. 

  96.     loginAsAdmin();

  97.     String result = newRequest().setParam("permission", "scan").execute().getInput();

  98. 

  99.     assertJson(result).withStrictArrayOrder().isSimilarTo(getClass().getResource("UsersActionIT/users.json"));

  100.   }

  101. 

  102.   @Test

  103.   public void search_for_users_with_permission_on_project() {

  104.     // User has permission on project

  105.     ProjectDto project = db.components().insertPrivateProject().getProjectDto();

  106.     UserDto user = db.users().insertUser(newUserDto());

  107.     db.users().insertProjectPermissionOnUser(user, UserRole.ISSUE_ADMIN, project);

  108. 

  109.     // User has permission on another project

  110.     ProjectDto anotherProject = db.components().insertPrivateProject().getProjectDto();

  111.     UserDto userHavePermissionOnAnotherProject = db.users().insertUser(newUserDto());

  112.     db.users().insertProjectPermissionOnUser(userHavePermissionOnAnotherProject, UserRole.ISSUE_ADMIN, anotherProject);

  113. 

  114.     // User has no permission

  115.     UserDto withoutPermission = db.users().insertUser(newUserDto());

  116. 

  117.     userSession.logIn().addProjectPermission(GlobalPermission.ADMINISTER.getKey(), project);

  118.     String result = newRequest()

  119.       .setParam(PARAM_PERMISSION, UserRole.ISSUE_ADMIN)

  120.       .setParam(PARAM_PROJECT_ID, project.getUuid())

  121.       .execute()

  122.       .getInput();

  123. 

  124.     assertThat(result).contains(user.getLogin())

  125.       .doesNotContain(userHavePermissionOnAnotherProject.getLogin())

  126.       .doesNotContain(withoutPermission.getLogin());

  127.   }

  128. 

  129.   @Test

  130.   public void search_also_for_users_without_permission_when_filtering_name() {

  131.     // User with permission on project

  132.     ProjectDto project = db.components().insertPrivateProject().getProjectDto();

  133.     UserDto user = db.users().insertUser(newUserDto("with-permission-login", "with-permission-name", "with-permission-email"));

  134.     db.users().insertProjectPermissionOnUser(user, UserRole.ISSUE_ADMIN, project);

  135. 

  136.     // User without permission

  137.     UserDto withoutPermission = db.users().insertUser(newUserDto("without-permission-login", "without-permission-name", "without-permission-email"));

  138.     UserDto anotherUser = db.users().insertUser(newUserDto("another-user", "another-user", "another-user"));

  139. 

  140.     loginAsAdmin();

  141.     String result = newRequest()

  142.       .setParam(PARAM_PROJECT_ID, project.getUuid())

  143.       .setParam(TEXT_QUERY, "with")

  144.       .execute()

  145.       .getInput();

  146. 

  147.     assertThat(result).contains(user.getLogin(), withoutPermission.getLogin()).doesNotContain(anotherUser.getLogin());

  148.   }

  149. 

  150.   @Test

  151.   public void search_also_for_users_without_permission_when_filtering_email() {

  152.     // User with permission on project

  153.     ProjectDto project = db.components().insertPrivateProject().getProjectDto();

  154.     UserDto user = db.users().insertUser(newUserDto("with-permission-login", "with-permission-name", "with-permission-email"));

  155.     db.users().insertProjectPermissionOnUser(user, UserRole.ISSUE_ADMIN, project);

  156. 

  157.     // User without permission

  158.     UserDto withoutPermission = db.users().insertUser(newUserDto("without-permission-login", "without-permission-name", "without-permission-email"));

  159.     UserDto anotherUser = db.users().insertUser(newUserDto("another-user", "another-user", "another-user"));

  160. 

  161.     loginAsAdmin();

  162.     String result = newRequest().setParam(PARAM_PROJECT_ID, project.getUuid()).setParam(TEXT_QUERY, "email").execute().getInput();

  163. 

  164.     assertThat(result).contains(user.getLogin(), withoutPermission.getLogin()).doesNotContain(anotherUser.getLogin());

  165.   }

  166. 

  167.   @Test

  168.   public void search_also_for_users_without_permission_when_filtering_login() {

  169.     // User with permission on project

  170.     ProjectDto project = db.components().insertPrivateProject().getProjectDto();

  171.     UserDto user = db.users().insertUser(newUserDto("with-permission-login", "with-permission-name", "with-permission-email"));

  172.     db.users().insertProjectPermissionOnUser(user, UserRole.ISSUE_ADMIN, project);

  173. 

  174.     // User without permission

  175.     UserDto withoutPermission = db.users().insertUser(newUserDto("without-permission-login", "without-permission-name", "without-permission-email"));

  176.     UserDto anotherUser = db.users().insertUser(newUserDto("another-user", "another-user", "another-user"));

  177. 

  178.     loginAsAdmin();

  179.     String result = newRequest().setParam(PARAM_PROJECT_ID, project.getUuid()).setParam(TEXT_QUERY, "login").execute().getInput();

  180. 

  181.     assertThat(result).contains(user.getLogin(), withoutPermission.getLogin()).doesNotContain(anotherUser.getLogin());

  182.   }

  183. 

  184.   @Test

  185.   public void search_for_users_with_query_as_a_parameter() {

  186.     insertUsersHavingGlobalPermissions();

  187. 

  188.     loginAsAdmin();

  189.     String result = newRequest()

  190.       .setParam("permission", "scan")

  191.       .setParam(TEXT_QUERY, "ame-1")

  192.       .execute()

  193.       .getInput();

  194. 

  195.     assertThat(result).contains("login-1")

  196.       .doesNotContain("login-2")

  197.       .doesNotContain("login-3");

  198.   }

  199. 

  200.   @Test

  201.   public void search_for_users_with_select_as_a_parameter() {

  202.     insertUsersHavingGlobalPermissions();

  203. 

  204.     loginAsAdmin();

  205.     String result = newRequest()

  206.       .execute()

  207.       .getInput();

  208. 

  209.     assertThat(result).contains("login-1", "login-2", "login-3");

  210.   }

  211. 

  212.   @Test

  213.   public void search_for_users_is_paginated() {

  214.     for (int i = 9; i >= 0; i--) {

  215.       UserDto user = db.users().insertUser(newUserDto().setName("user-" + i));

  216.       db.users().insertGlobalPermissionOnUser(user, GlobalPermission.ADMINISTER);

  217.       db.users().insertGlobalPermissionOnUser(user, GlobalPermission.ADMINISTER_QUALITY_GATES);

  218.     }

  219.     loginAsAdmin();

  220. 

  221.     assertJson(newRequest().setParam(PAGE, "1").setParam(PAGE_SIZE, "2").execute().getInput()).withStrictArrayOrder().isSimilarTo("{\n" +

  222.       "  \"paging\": {\n" +

  223.       "    \"pageIndex\": 1,\n" +

  224.       "    \"pageSize\": 2,\n" +

  225.       "    \"total\": 10\n" +

  226.       "  },\n" +

  227.       "  \"users\": [\n" +

  228.       "    {\n" +

  229.       "      \"name\": \"user-0\"\n" +

  230.       "    },\n" +

  231.       "    {\n" +

  232.       "      \"name\": \"user-1\"\n" +

  233.       "    }\n" +

  234.       "  ]\n" +

  235.       "}");

  236.     assertJson(newRequest().setParam(PAGE, "3").setParam(PAGE_SIZE, "4").execute().getInput()).withStrictArrayOrder().isSimilarTo("{\n" +

  237.       "  \"paging\": {\n" +

  238.       "    \"pageIndex\": 3,\n" +

  239.       "    \"pageSize\": 4,\n" +

  240.       "    \"total\": 10\n" +

  241.       "  },\n" +

  242.       "  \"users\": [\n" +

  243.       "    {\n" +

  244.       "      \"name\": \"user-8\"\n" +

  245.       "    },\n" +

  246.       "    {\n" +

  247.       "      \"name\": \"user-9\"\n" +

  248.       "    }\n" +

  249.       "  ]\n" +

  250.       "}");

  251.   }

  252. 

  253.   @Test

  254.   public void return_more_than_20_permissions() {

  255.     loginAsAdmin();

  256.     for (int i = 0; i < 30; i++) {

  257.       UserDto user = db.users().insertUser(newUserDto().setLogin("user-" + i));

  258.       db.users().insertGlobalPermissionOnUser(user, GlobalPermission.SCAN);

  259.       db.users().insertGlobalPermissionOnUser(user, GlobalPermission.PROVISION_PROJECTS);

  260.     }

  261. 

  262.     String result = newRequest()

  263.       .setParam(PAGE_SIZE, "100")

  264.       .execute()

  265.       .getInput();

  266. 

  267.     assertThat(countMatches(result, "scan")).isEqualTo(30);

  268.   }

  269. 

  270.   @Test

  271.   public void fail_if_project_permission_without_project() {

  272.     loginAsAdmin();

  273. 

  274.     assertThatThrownBy(() -> {

  275.       newRequest()

  276.         .setParam(PARAM_PERMISSION, UserRole.ISSUE_ADMIN)

  277.         .setParam(Param.SELECTED, SelectionMode.ALL.value())

  278.         .execute();

  279.     })

  280.       .isInstanceOf(BadRequestException.class);

  281.   }

  282. 

  283.   @Test

  284.   public void fail_if_insufficient_privileges() {

  285.     userSession.logIn("login");

  286. 

  287.     assertThatThrownBy(() -> {

  288.       newRequest()

  289.         .setParam("permission", GlobalPermission.ADMINISTER.getKey())

  290.         .execute();

  291.     })

  292.       .isInstanceOf(ForbiddenException.class);

  293.   }

  294. 

  295.   @Test

  296.   public void fail_if_not_logged_in() {

  297.     userSession.anonymous();

  298. 

  299.     assertThatThrownBy(() -> {

  300.       newRequest()

  301.         .setParam("permission", GlobalPermission.ADMINISTER.getKey())

  302.         .execute();

  303.     })

  304.       .isInstanceOf(UnauthorizedException.class);

  305.   }

  306. 

  307.   @Test

  308.   public void fail_if_project_uuid_and_project_key_are_provided() {

  309.     ComponentDto project = db.components().insertPrivateProject().getMainBranchComponent();

  310.     loginAsAdmin();

  311. 

  312.     assertThatThrownBy(() -> newRequest()

  313.       .setParam(PARAM_PERMISSION, GlobalPermission.ADMINISTER.getKey())

  314.       .setParam(PARAM_PROJECT_ID, project.uuid())

  315.       .setParam(PARAM_PROJECT_KEY, project.getKey())

  316.       .execute())

  317.       .isInstanceOf(BadRequestException.class)

  318.       .hasMessage("Project id or project key can be provided, not both.");

  319.   }

  320. 

  321.   @Test

  322.   public void fail_if_search_query_is_too_short() {

  323.     loginAsAdmin();

  324. 

  325.     assertThatThrownBy(() -> newRequest().setParam(TEXT_QUERY, "ab").execute())

  326.       .isInstanceOf(IllegalArgumentException.class)

  327.       .hasMessage("'q' length (2) is shorter than the minimum authorized (3)");

  328.   }

  329. 

  330.   @Test

  331.   public void fail_when_using_branch_uuid() {

  332.     UserDto user = db.users().insertUser(newUserDto());

  333.     ComponentDto project = db.components().insertPublicProject().getMainBranchComponent();

  334.     ComponentDto branch = db.components().insertProjectBranch(project);

  335.     db.users().insertProjectPermissionOnUser(user, UserRole.ISSUE_ADMIN, project);

  336.     userSession.logIn().addProjectPermission(UserRole.ADMIN, project);

  337. 

  338.     assertThatThrownBy(() -> {

  339.       newRequest()

  340.         .setParam(PARAM_PROJECT_ID, branch.uuid())

  341.         .setParam(PARAM_USER_LOGIN, user.getLogin())

  342.         .setParam(PARAM_PERMISSION, GlobalPermission.ADMINISTER.getKey())

  343.         .execute();

  344.     })

  345.       .isInstanceOf(NotFoundException.class)

  346.       .hasMessage("Entity not found");

  347.   }

  348. 

  349.   private void insertUsersHavingGlobalPermissions() {

  350.     UserDto user1 = db.users().insertUser(newUserDto("login-1", "name-1", "email-1"));

  351.     UserDto user2 = db.users().insertUser(newUserDto("login-2", "name-2", "email-2"));

  352.     UserDto user3 = db.users().insertUser(newUserDto("login-3", "name-3", "email-3"));

  353.     db.users().insertGlobalPermissionOnUser(user1, GlobalPermission.SCAN);

  354.     db.users().insertGlobalPermissionOnUser(user2, GlobalPermission.SCAN);

  355.     db.users().insertGlobalPermissionOnUser(user3, GlobalPermission.ADMINISTER);

  356.     mockUsersAsManaged(user1.getUuid());

  357.   }

  358. 

  359.   private void mockUsersAsManaged(String... userUuids) {

  360.     when(managedInstanceService.getUserUuidToManaged(any(), any())).thenAnswer(invocation ->

  361.       {

  362.         Set<?> allUsersUuids = invocation.getArgument(1, Set.class);

  363.         return allUsersUuids.stream()

  364.           .map(userUuid -> (String) userUuid)

  365.           .collect(toMap(identity(), userUuid -> Set.of(userUuids).contains(userUuid)));

  366.       }

  367.     );

  368.   }

  369. }