TSK-1029: Test and fix privilege for runasadmin is only temporary

2020-01-21 16:59:57 +01:00 · 2020-01-21 16:59:57 +01:00 · 0262121041
parent 1d15f5102f
commit 0262121041
3 changed files with 24 additions and 6 deletions
--- a/lib/taskana-core/src/main/java/pro/taskana/security/CurrentUserContext.java
+++ b/lib/taskana-core/src/main/java/pro/taskana/security/CurrentUserContext.java
@ -8,6 +8,7 @@ import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.acl.Group;
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.function.Supplier;
@ -94,12 +95,14 @@ public final class CurrentUserContext {
      // dont add authorisation if none is available.
      return supplier.get();
    }
-    Set<Principal> principals = subject.getPrincipals();
-    Set<Object> privateCredentials = subject.getPrivateCredentials();
-    Set<Object> publicCredentials = subject.getPublicCredentials();

-    principals.add(new GroupPrincipal("admin"));
-    Subject subject1 = new Subject(true, principals, privateCredentials, publicCredentials);
+    Set<Principal> principalsCopy = new HashSet<>(subject.getPrincipals());
+    Set<Object> privateCredentialsCopy = new HashSet<>(subject.getPrivateCredentials());
+    Set<Object> publicCredentialsCopy = new HashSet<>(subject.getPublicCredentials());
+
+    principalsCopy.add(new GroupPrincipal("admin"));
+    Subject subject1 =
+        new Subject(true, principalsCopy, privateCredentialsCopy, publicCredentialsCopy);

    return Subject.doAs(subject1, (PrivilegedAction<T>) supplier::get);
  }
--- a/lib/taskana-core/src/test/java/acceptance/security/TaskEngineAccTest.java
+++ b/lib/taskana-core/src/test/java/acceptance/security/TaskEngineAccTest.java
@ -10,6 +10,7 @@ import org.junit.jupiter.api.extension.ExtendWith;

 import pro.taskana.TaskanaRole;
 import pro.taskana.exceptions.NotAuthorizedException;
+import pro.taskana.security.CurrentUserContext;
 import pro.taskana.security.JaasExtension;
 import pro.taskana.security.WithAccessId;

@ -30,6 +31,20 @@ class TaskEngineAccTest extends AbstractAccTest {
        () -> taskanaEngine.checkRoleMembership(TaskanaRole.BUSINESS_ADMIN));
  }

+  @WithAccessId(
+      userName = "user_1_1",
+      groupNames = {"businessadmin"})
+  @Test
+  void testRunAsAdminIsOnlyTemporary() {
+    assertTrue(taskanaEngine.isUserInRole(TaskanaRole.BUSINESS_ADMIN));
+    assertFalse(taskanaEngine.isUserInRole(TaskanaRole.ADMIN));
+    CurrentUserContext.runAsAdmin(() -> {
+      assertTrue(taskanaEngine.isUserInRole(TaskanaRole.ADMIN));
+      return true;
+    });
+    assertFalse(taskanaEngine.isUserInRole(TaskanaRole.ADMIN));
+  }
+
  @WithAccessId(userName = "user_1_1") // , groupNames = {"businessadmin"})
  @Test
  void testUser() throws NotAuthorizedException {
--- a/rest/taskana-rest-spring/src/test/java/pro/taskana/rest/WorkbasketControllerIntTest.java
+++ b/rest/taskana-rest-spring/src/test/java/pro/taskana/rest/WorkbasketControllerIntTest.java
@ -114,7 +114,7 @@ class WorkbasketControllerIntTest {
   * restrictions.
   */
  @Test
-  void testDeleteWorkbasketPermissionWithBusinessAdmin() {
+  void testDeleteWorkbasketAsBusinessAdminWithoutExplicitReadPermission() {

    String workbasketID = "WBI:100000000000000000000000000000000005";