From 026212104163f38f10a57099d90318c2f5e2a979 Mon Sep 17 00:00:00 2001 From: Benjamin Eckstein <13351939+benjamineckstein@users.noreply.github.com> Date: Tue, 21 Jan 2020 16:59:57 +0100 Subject: [PATCH] TSK-1029: Test and fix privilege for runasadmin is only temporary --- .../pro/taskana/security/CurrentUserContext.java | 13 ++++++++----- .../acceptance/security/TaskEngineAccTest.java | 15 +++++++++++++++ .../taskana/rest/WorkbasketControllerIntTest.java | 2 +- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/lib/taskana-core/src/main/java/pro/taskana/security/CurrentUserContext.java b/lib/taskana-core/src/main/java/pro/taskana/security/CurrentUserContext.java index d8ce906ec..af70379ba 100644 --- a/lib/taskana-core/src/main/java/pro/taskana/security/CurrentUserContext.java +++ b/lib/taskana-core/src/main/java/pro/taskana/security/CurrentUserContext.java @@ -8,6 +8,7 @@ import java.security.Principal; import java.security.PrivilegedAction; import java.security.acl.Group; import java.util.ArrayList; +import java.util.HashSet; import java.util.List; import java.util.Set; import java.util.function.Supplier; @@ -94,12 +95,14 @@ public final class CurrentUserContext { // dont add authorisation if none is available. return supplier.get(); } - Set principals = subject.getPrincipals(); - Set privateCredentials = subject.getPrivateCredentials(); - Set publicCredentials = subject.getPublicCredentials(); - principals.add(new GroupPrincipal("admin")); - Subject subject1 = new Subject(true, principals, privateCredentials, publicCredentials); + Set principalsCopy = new HashSet<>(subject.getPrincipals()); + Set privateCredentialsCopy = new HashSet<>(subject.getPrivateCredentials()); + Set publicCredentialsCopy = new HashSet<>(subject.getPublicCredentials()); + + principalsCopy.add(new GroupPrincipal("admin")); + Subject subject1 = + new Subject(true, principalsCopy, privateCredentialsCopy, publicCredentialsCopy); return Subject.doAs(subject1, (PrivilegedAction) supplier::get); } diff --git a/lib/taskana-core/src/test/java/acceptance/security/TaskEngineAccTest.java b/lib/taskana-core/src/test/java/acceptance/security/TaskEngineAccTest.java index 5f379c728..fc0af4cda 100644 --- a/lib/taskana-core/src/test/java/acceptance/security/TaskEngineAccTest.java +++ b/lib/taskana-core/src/test/java/acceptance/security/TaskEngineAccTest.java @@ -10,6 +10,7 @@ import org.junit.jupiter.api.extension.ExtendWith; import pro.taskana.TaskanaRole; import pro.taskana.exceptions.NotAuthorizedException; +import pro.taskana.security.CurrentUserContext; import pro.taskana.security.JaasExtension; import pro.taskana.security.WithAccessId; @@ -30,6 +31,20 @@ class TaskEngineAccTest extends AbstractAccTest { () -> taskanaEngine.checkRoleMembership(TaskanaRole.BUSINESS_ADMIN)); } + @WithAccessId( + userName = "user_1_1", + groupNames = {"businessadmin"}) + @Test + void testRunAsAdminIsOnlyTemporary() { + assertTrue(taskanaEngine.isUserInRole(TaskanaRole.BUSINESS_ADMIN)); + assertFalse(taskanaEngine.isUserInRole(TaskanaRole.ADMIN)); + CurrentUserContext.runAsAdmin(() -> { + assertTrue(taskanaEngine.isUserInRole(TaskanaRole.ADMIN)); + return true; + }); + assertFalse(taskanaEngine.isUserInRole(TaskanaRole.ADMIN)); + } + @WithAccessId(userName = "user_1_1") // , groupNames = {"businessadmin"}) @Test void testUser() throws NotAuthorizedException { diff --git a/rest/taskana-rest-spring/src/test/java/pro/taskana/rest/WorkbasketControllerIntTest.java b/rest/taskana-rest-spring/src/test/java/pro/taskana/rest/WorkbasketControllerIntTest.java index b91df98b8..dde0b1153 100644 --- a/rest/taskana-rest-spring/src/test/java/pro/taskana/rest/WorkbasketControllerIntTest.java +++ b/rest/taskana-rest-spring/src/test/java/pro/taskana/rest/WorkbasketControllerIntTest.java @@ -114,7 +114,7 @@ class WorkbasketControllerIntTest { * restrictions. */ @Test - void testDeleteWorkbasketPermissionWithBusinessAdmin() { + void testDeleteWorkbasketAsBusinessAdminWithoutExplicitReadPermission() { String workbasketID = "WBI:100000000000000000000000000000000005";