Repository: brooklyn-server Updated Branches: refs/heads/master 06f68e134 -> 3b746e3ec
Add actions to SEE_ALL_SERVER_INFO entitlement group Groovy console and reloading Brookyln properties. Project: http://git-wip-us.apache.org/repos/asf/brooklyn-server/repo Commit: http://git-wip-us.apache.org/repos/asf/brooklyn-server/commit/4ff1e1ae Tree: http://git-wip-us.apache.org/repos/asf/brooklyn-server/tree/4ff1e1ae Diff: http://git-wip-us.apache.org/repos/asf/brooklyn-server/diff/4ff1e1ae Branch: refs/heads/master Commit: 4ff1e1ae999147ae087e2adcec821ad0dbe3fc88 Parents: 27dacc3 Author: Sam Corbett <sam.corb...@cloudsoftcorp.com> Authored: Thu Apr 7 15:54:47 2016 +0100 Committer: Sam Corbett <sam.corb...@cloudsoftcorp.com> Committed: Mon Apr 11 15:47:00 2016 +0100 ---------------------------------------------------------------------- .../brooklyn/rest/resources/ScriptResource.java | 6 +++ .../brooklyn/rest/resources/ServerResource.java | 6 ++- .../entitlement/ScriptApiEntitlementsTest.java | 56 ++++++++++++++++++++ .../entitlement/ServerApiEntitlementsTest.java | 24 +++++++++ 4 files changed, 91 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/4ff1e1ae/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ScriptResource.java ---------------------------------------------------------------------- diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ScriptResource.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ScriptResource.java index 77989c3..7b558b6 100644 --- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ScriptResource.java +++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ScriptResource.java 
@@ -18,8 +18,10 @@ */ package org.apache.brooklyn.rest.resources; +import org.apache.brooklyn.core.mgmt.entitlement.Entitlements; import org.apache.brooklyn.rest.api.ScriptApi; import org.apache.brooklyn.rest.domain.ScriptExecutionSummary; +import org.apache.brooklyn.rest.util.WebResourceUtils; import org.apache.brooklyn.util.stream.ThreadLocalPrintStream; import org.apache.brooklyn.util.stream.ThreadLocalPrintStream.OutputCapturingContext; @@ -45,6 +47,10 @@ public class ScriptResource extends AbstractBrooklynRestResource implements Scri @SuppressWarnings("rawtypes") @Override public ScriptExecutionSummary groovy(HttpServletRequest request, String script) { + if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ALL_SERVER_INFO, null)) { + throw WebResourceUtils.forbidden("User '%s' is not authorized for this operation", Entitlements.getEntitlementContext().user()); + } + log.info("Web REST executing user-supplied script"); if (log.isDebugEnabled()) { log.debug("Web REST user-supplied script contents:\n"+script); http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/4ff1e1ae/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java ---------------------------------------------------------------------- diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java index 0b99fc8..7be07de 100644 --- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java +++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java 
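Review bot: The guard added at the top of `groovy()` authorizes execution of a caller-supplied script with `Entitlements.SEE_ALL_SERVER_INFO`, an entitlement whose name describes read access, and the ServerResource hunk reuses it for `reloadBrooklynProperties()`. An entitlement manager that grants SEE_ALL_SERVER_INFO to an observer-style role would then also let that role run scripts and reload configuration, which the name gives no hint of. If a dedicated entitlement class is out of scope for this commit, record the coupling at the check, e.g. `// NOTE: SEE_ALL_SERVER_INFO also gates script execution; grant it only to fully trusted users`. The context line `log.info("Web REST executing user-supplied script")` does not name the caller; including `Entitlements.getEntitlementContext().user()` in that message would make each execution attributable in the log. The body of `groovy()` continues past the end of the hunk.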
@@ -96,7 +96,11 @@ public class ServerResource extends AbstractBrooklynRestResource implements Serv @Override public void reloadBrooklynProperties() { - brooklyn().reloadBrooklynProperties(); + if (Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ALL_SERVER_INFO, null)) { + brooklyn().reloadBrooklynProperties(); + } else { + throw WebResourceUtils.forbidden("User '%s' is not authorized for this operation", Entitlements.getEntitlementContext().user()); + } } private boolean isMaster() { http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/4ff1e1ae/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ScriptApiEntitlementsTest.java ---------------------------------------------------------------------- diff --git a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ScriptApiEntitlementsTest.java b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ScriptApiEntitlementsTest.java new file mode 100644 index 0000000..5f6498a --- /dev/null +++ b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ScriptApiEntitlementsTest.java 
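Review bot: The check in `reloadBrooklynProperties()` is written as an if/else with the permitted call in the first branch, whereas the same check in `ScriptResource.groovy()` in this commit is a guard clause that throws first. Using the guard form here too keeps the deny path at the top, so later additions to the method cannot end up outside the entitled branch: start with `if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ALL_SERVER_INFO, null)) {`, throw the same `WebResourceUtils.forbidden(...)` inside it, and leave `brooklyn().reloadBrooklynProperties();` unindented after the block. Both resources also dereference `Entitlements.getEntitlementContext()` while building the message. If that context can be absent for a request (not visible in this diff), the caller would get a NullPointerException instead of the intended 403, so it is worth confirming that the lookup of the user name tolerates a missing context.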
@@ -0,0 +1,56 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.brooklyn.rest.entitlement; + +import static org.testng.Assert.assertEquals; + +import java.net.URI; +import java.util.Map; + +import org.apache.brooklyn.util.http.HttpTool; +import org.apache.brooklyn.util.http.HttpToolResponse; +import org.testng.annotations.Test; + +import com.google.common.collect.ImmutableMap; +import com.google.gson.Gson; + +public class ScriptApiEntitlementsTest extends AbstractRestApiEntitlementsTest { + + @Test(groups = "Integration") + public void testGroovy() throws Exception { + String script = "1 + 1"; + HttpToolResponse rootRepsonse = httpPost("myRoot", "/v1/script/groovy", script.getBytes()); + assertHealthyStatusCode(rootRepsonse); + Map groovyOutput = new Gson().fromJson(rootRepsonse.getContentAsString(), Map.class); + assertEquals(groovyOutput.get("result"), "2"); + assertForbiddenPost("myUser", "/v1/script/groovy", script.getBytes()); + assertForbiddenPost("myReadonly", "/v1/script/groovy", script.getBytes()); + assertForbiddenPost("myMinimal", "/v1/script/groovy", script.getBytes()); + assertForbiddenPost("unrecognisedUser", "/v1/script/groovy", script.getBytes()); + } + + @Override + 
protected HttpToolResponse httpPost(String user, String path, byte[] body) throws Exception { + final ImmutableMap<String, String> headers = ImmutableMap.of( + "Content-Type", "application/text"); + final URI uri = URI.create(getBaseUriRest()).resolve(path); + return HttpTool.httpPost(newClient(user), uri, headers, body); + } +} http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/4ff1e1ae/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ServerApiEntitlementsTest.java ---------------------------------------------------------------------- diff --git a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ServerApiEntitlementsTest.java b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ServerApiEntitlementsTest.java index afa42cb..ca53976 100644 --- a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ServerApiEntitlementsTest.java +++ b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ServerApiEntitlementsTest.java @@ -18,6 +18,7 @@ */ package org.apache.brooklyn.rest.entitlement; +import org.apache.brooklyn.core.mgmt.entitlement.Entitlements; import org.testng.annotations.Test; @Test(singleThreaded = true) 
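Review bot: `script.getBytes()` in `testGroovy()` encodes with the platform default charset at each of its five call sites. Computing `byte[] body = script.getBytes(StandardCharsets.UTF_8);` once (with an import of `java.nio.charset.StandardCharsets`) and passing `body` makes the request identical on every build machine. The local `rootRepsonse` is misspelled and should read `rootResponse`. `Map groovyOutput` is a raw type; `Map<?, ?> groovyOutput` avoids the unchecked warning without changing the assertion.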
@@ -27,8 +28,31 @@ public class ServerApiEntitlementsTest extends AbstractRestApiEntitlementsTest { public void testGetHealthy() throws Exception { String path = "/v1/server/up"; assertPermitted("myRoot", path); + assertPermitted("myUser", path); assertForbidden("myReadonly", path); assertForbidden("myMinimal", path); assertForbidden("unrecognisedUser", path); } + + @Test(groups = "Integration") + public void testReloadProperties() throws Exception { + String resource = "/v1/server/properties/reload"; + assertPermittedPost("myRoot", resource, null); + assertForbiddenPost("myUser", resource, null); + assertForbiddenPost("myReadonly", resource, null); + assertForbiddenPost("myMinimal", resource, null); + assertForbiddenPost("unrecognisedUser", resource, null); + } + + @Test(groups = "Integration") + public void testGetConfig() throws Exception { + // Property set in test setup. + String path = "/v1/server/config/" + Entitlements.GLOBAL_ENTITLEMENT_MANAGER.getName(); + assertPermitted("myRoot", path); + assertForbidden("myUser", path); + assertForbidden("myReadonly", path); + assertForbidden("myMinimal", path); + assertForbidden("unrecognisedUser", path); + } + }
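Review bot: `testGetHealthy()` gains `assertPermitted("myUser", path)` for `/v1/server/up`, but the only main-code change to ServerResource in this commit is in `reloadBrooklynProperties()`, so the new assertion pins existing behaviour without saying why `myUser` passes while `myReadonly` is forbidden. A short comment above each assertion group naming the entitlement that gates the endpoint would make the expected access matrix reviewable. The comment `// Property set in test setup.` in `testGetConfig()` would be easier to follow if it named the setup method it relies on, which is outside this hunk. `testReloadProperties()` calls its local `resource` while the two neighbouring tests use `path`; `String path = "/v1/server/properties/reload";` keeps the three consistent.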