TSK-1196: improved accessId check before deleting all user access items

This commit is contained in:
holgerhagen 2020-06-24 11:59:42 +02:00
parent 6f225ebc28
commit 8760bdceb3
3 changed files with 69 additions and 15 deletions


@ -75,7 +75,7 @@ public class LdapClient {
accessIds.add(groupByDn);
}
} else {
accessIds.addAll(searchUsersByName(name));
accessIds.addAll(searchUsersByNameOrAccessId(name));
accessIds.addAll(searchGroupsByName(name));
}
sortListOfAccessIdResources(accessIds);
@ -90,9 +90,9 @@ public class LdapClient {
return result;
}
public List<AccessIdRepresentationModel> searchUsersByName(final String name)
public List<AccessIdRepresentationModel> searchUsersByNameOrAccessId(final String name)
throws InvalidArgumentException {
LOGGER.debug("entry to searchUsersByName(name = {}).", name);
LOGGER.debug("entry to searchUsersByNameOrAccessId(name = {}).", name);
isInitOrFail();
testMinSearchForLength(name);
@ -116,7 +116,31 @@ public class LdapClient {
SearchControls.SUBTREE_SCOPE,
userAttributesToReturn,
new UserContextMapper());
LOGGER.debug("exit from searchUsersByName. Retrieved the following users: {}.", accessIds);
LOGGER.debug(
"exit from searchUsersByNameOrAccessId. Retrieved the following users: {}.", accessIds);
return accessIds;
}
public List<AccessIdRepresentationModel> getUsersByAccessId(final String accessId) {
LOGGER.debug("entry to searchUsersByAccessId(name = {}).", accessId);
isInitOrFail();
final AndFilter andFilter = new AndFilter();
andFilter.and(new EqualsFilter(getUserSearchFilterName(), getUserSearchFilterValue()));
andFilter.and(new EqualsFilter(getUserIdAttribute(), accessId));
String[] userAttributesToReturn = {
getUserFirstnameAttribute(), getUserLastnameAttribute(), getUserIdAttribute()
};
final List<AccessIdRepresentationModel> accessIds =
ldapTemplate.search(
getUserSearchBase(),
andFilter.encode(),
SearchControls.SUBTREE_SCOPE,
userAttributesToReturn,
new UserContextMapper());
LOGGER.debug("exit from searchUsersByAccessId. Retrieved the following users: {}.", accessIds);
return accessIds;
}
@ -260,8 +284,8 @@ public class LdapClient {
return LdapSettings.TASKANA_LDAP_GROUPS_OF_USER.getValueFromEnv(env);
}
public boolean isGroup(String accessId) {
return accessId.contains(getGroupSearchBase());
public boolean isUser(String accessId) {
return !getUsersByAccessId(accessId).isEmpty();
}
boolean nameIsDn(String name) {
@ -293,9 +317,8 @@ public class LdapClient {
String[] getLookUpGoupAttributesToReturn() {
if (CN.equals(getGroupNameAttribute())) {
return new String[] {CN};
} else {
return new String[] {getGroupNameAttribute(), CN};
}
return new String[] {getGroupNameAttribute(), CN};
}
@PostConstruct
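Review bot: The debug messages inside the new `getUsersByAccessId` method name a method `searchUsersByAccessId` that does not exist, so log traces will not point at the code that emitted them; change them to `LOGGER.debug("entry to getUsersByAccessId(accessId = {}).", accessId);` and `LOGGER.debug("exit from getUsersByAccessId. Retrieved the following users: {}.", accessIds);`. Since `isUser` now gates the bulk delete on this lookup, the method deserves a Javadoc stating that it is an exact `EqualsFilter` match on the configured user id attribute (the filter encodes the value, so the request parameter is not spliced into the LDAP filter string) rather than the substring search used by `searchUsersByNameOrAccessId`, and that whether the comparison is case-sensitive depends on the directory's matching rule for that attribute. Unlike the search methods it deliberately skips `testMinSearchForLength`, which is fine for an exact lookup but worth stating in a one-line comment so nobody "fixes" it later.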


@ -115,7 +115,7 @@ public class WorkbasketAccessItemController extends AbstractPagingController {
@RequestParam("access-id") String accessId)
throws NotAuthorizedException, InvalidArgumentException {
LOGGER.debug("Entry to removeWorkbasketAccessItems(access-id= {})", accessId);
if (!ldapClient.isGroup(accessId)) {
if (ldapClient.isUser(accessId)) {
List<WorkbasketAccessItem> workbasketAccessItemList =
workbasketService.createWorkbasketAccessItemQuery().accessIdIn(accessId).list();
@ -125,8 +125,7 @@ public class WorkbasketAccessItemController extends AbstractPagingController {
} else {
throw new InvalidArgumentException(
String.format(
"%s corresponding to a group, not a user. "
+ "You just can remove access items for a user",
"AccessId '%s' is not a user. " + "You can remove all access items for users only.",
accessId));
}
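Review bot: The new `if (ldapClient.isUser(accessId))` guard makes the endpoint refuse to delete access items for any access id that is no longer resolvable in LDAP, so items belonging to a user removed from the directory can no longer be cleaned up here and the caller receives a misleading "is not a user" error; if that is intended, the Javadoc of `removeWorkbasketAccessItems` should say so, otherwise a fallback such as rejecting only ids that resolve to a group should be considered. The guard also turns the 400 response into an oracle for whether an access id exists in the directory, which is acceptable only if the method really is restricted to administrators by whatever raises the declared `NotAuthorizedException` outside this hunk — worth confirming. Minor: the message literal is split mid-sentence by `+`; `"AccessId '%s' is not a user. You can remove all access items for users only."` reads as a single literal. The body of `removeWorkbasketAccessItems` starts and ends outside the hunk.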


@ -120,9 +120,9 @@ class WorkbasketAccessItemControllerIntTest {
}
@Test
void testRemoveWorkbasketAccessItemsOfUser() {
void should_deleteAllAccessItemForUser_ifValidAccessIdOfUserIsSupplied() {
String parameters = "?access-id=user-1-1";
String parameters = "?access-id=teamlead-2";
ResponseEntity<Void> response =
template.exchange(
restHelper.toUrl(Mapping.URL_WORKBASKET_ACCESS_ITEMS) + parameters,
@ -134,8 +134,40 @@ class WorkbasketAccessItemControllerIntTest {
}
@Test
void testGetBadRequestIfTryingToDeleteAccessItemsForGroup() {
String parameters = "?access-id=cn=monitor-users,cn=groups,OU=Test,O=TASKANA";
void should_returnBadRequest_ifAccessIdIsSubStringOfUser() {
String parameters = "?access-id=user-1";
ThrowingCallable httpCall =
() ->
template.exchange(
restHelper.toUrl(Mapping.URL_WORKBASKET_ACCESS_ITEMS) + parameters,
HttpMethod.DELETE,
restHelper.defaultRequest(),
ParameterizedTypeReference.forType(Void.class));
assertThatThrownBy(httpCall)
.isInstanceOf(HttpClientErrorException.class)
.extracting(ex -> ((HttpClientErrorException) ex).getStatusCode())
.isEqualTo(HttpStatus.BAD_REQUEST);
}
@Test
void should_returnBadRequest_ifAccessIdIsGroup() {
String parameters = "?access-id=cn=monitor-users,cn=groups,ou=test,o=taskana";
ThrowingCallable httpCall =
() ->
template.exchange(
restHelper.toUrl(Mapping.URL_WORKBASKET_ACCESS_ITEMS) + parameters,
HttpMethod.DELETE,
restHelper.defaultRequest(),
ParameterizedTypeReference.forType(Void.class));
assertThatThrownBy(httpCall)
.isInstanceOf(HttpClientErrorException.class)
.extracting(ex -> ((HttpClientErrorException) ex).getStatusCode())
.isEqualTo(HttpStatus.BAD_REQUEST);
}
@Test
void should_returnBadRequest_ifAccessIdIsOrganizationalGroup() {
String parameters = "?access-id=cn=organisationseinheit ksc,cn=organisation,ou=test,o=taskana";
ThrowingCallable httpCall =
() ->
template.exchange(