diff --git a/profiles/killbill/src/test/java/org/killbill/billing/jaxrs/TestSecurity.java b/profiles/killbill/src/test/java/org/killbill/billing/jaxrs/TestSecurity.java
index fe40922..47e92ac 100644
--- a/profiles/killbill/src/test/java/org/killbill/billing/jaxrs/TestSecurity.java
+++ b/profiles/killbill/src/test/java/org/killbill/billing/jaxrs/TestSecurity.java
@@ -22,11 +22,13 @@ import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
+import java.util.UUID;
import javax.annotation.Nullable;
import javax.ws.rs.core.Response.Status;
import org.killbill.billing.client.KillBillClientException;
+import org.killbill.billing.client.RequestOptions;
import org.killbill.billing.client.model.Permissions;
import org.killbill.billing.client.model.RoleDefinition;
import org.killbill.billing.client.model.UserRoles;
@@ -85,6 +87,17 @@ public class TestSecurity extends TestJaxrsBase {
}
@Test(groups = "slow")
+ public void testDynamicUserRolesNoPermissions() throws Exception {
+ final String username = UUID.randomUUID().toString();
+ final String password = UUID.randomUUID().toString();
+ final String role = UUID.randomUUID().toString();
+ testDynamicUserRolesInternal(username, password, role, ImmutableList.of(""), false);
+
+ final Permissions permissions = killBillClient.getPermissions(RequestOptions.builder().withUser(username).withPassword(password).build());
+ Assert.assertEquals(permissions.size(), 0);
+ }
+
+ @Test(groups = "slow")
public void testUserPermission() throws KillBillClientException {
final String roleDefinition = "notEnoughToAddUserAndRoles";
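Review bot: testDynamicUserRolesNoPermissions shows that the new user's permission list is empty, but not that the empty list is enforced, which is the property that matters for a zero-permission role. After `Assert.assertEquals(permissions.size(), 0);` consider one more assertion that a call requiring a permission, issued with the same `RequestOptions.builder().withUser(username).withPassword(password).build()` options, fails with a KillBillClientException whose status is compared against the `Status` value the existing tests in this class expect for a denied call (UNAUTHORIZED or FORBIDDEN, whichever the class already uses). `Assert.assertTrue(permissions.isEmpty())` also reads more directly than comparing the size to 0. The enclosing class continues outside the hunk.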
diff --git a/util/src/main/java/org/killbill/billing/util/security/api/DefaultSecurityApi.java b/util/src/main/java/org/killbill/billing/util/security/api/DefaultSecurityApi.java
index 22edced..70ed26c 100644
--- a/util/src/main/java/org/killbill/billing/util/security/api/DefaultSecurityApi.java
+++ b/util/src/main/java/org/killbill/billing/util/security/api/DefaultSecurityApi.java
@@ -52,6 +52,9 @@ import org.killbill.billing.util.security.shiro.realm.KillBillJdbcRealm;
import com.google.common.base.Function;
import com.google.common.base.Functions;
import com.google.common.base.Predicate;
+import com.google.common.base.Predicates;
+import com.google.common.base.Strings;
+import com.google.common.collect.Collections2;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
@@ -214,12 +217,20 @@ public class DefaultSecurityApi implements SecurityApi {
}));
}
- private List<String> sanitizeAndValidatePermissions(final List<String> permissions) throws SecurityApiException {
-
- if (permissions == null || permissions.isEmpty()) {
- throw new SecurityApiException(ErrorCode.SECURITY_INVALID_PERMISSIONS, "null");
+ private List<String> sanitizeAndValidatePermissions(final List<String> permissionsRaw) throws SecurityApiException {
+ if (permissionsRaw == null) {
+ return ImmutableList.<String>of();
}
+ final Collection<String> permissions = Collections2.<String>filter(Lists.<String, String>transform(permissionsRaw,
+ new Function<String, String>() {
+ @Override
+ public String apply(final String input) {
+ return Strings.emptyToNull(input);
+ }
+ }),
+ Predicates.<String>notNull());
+
final Map<String, Set<String>> groupToValues = new HashMap<String, Set<String>>();
for (final String curPerm : permissions) {
if ("*".equals(curPerm)) {
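Review bot: The filter in sanitizeAndValidatePermissions drops only exact empty strings, because `Strings.emptyToNull(input)` does not trim, so a whitespace-only entry such as `" "` passes through to the validation loop; whether it is then rejected as an unknown permission or stored verbatim depends on code past the end of the hunk. If blank entries are meant to be ignored like empty ones, have apply() return `input == null ? null : Strings.emptyToNull(input.trim());`. The new null guard also turns a null or empty permission list from an error into a valid zero-permission role, which is a contract change worth stating in a short comment above `if (permissionsRaw == null)` saying that a role may legitimately carry no permissions and that empty entries are silently discarded, so later readers do not reinstate the old rejection. The method body continues past the hunk.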
diff --git a/util/src/main/java/org/killbill/billing/util/security/shiro/dao/DefaultUserDao.java b/util/src/main/java/org/killbill/billing/util/security/shiro/dao/DefaultUserDao.java
index 26644fe..07c8737 100644
--- a/util/src/main/java/org/killbill/billing/util/security/shiro/dao/DefaultUserDao.java
+++ b/util/src/main/java/org/killbill/billing/util/security/shiro/dao/DefaultUserDao.java
@@ -70,12 +70,7 @@ public class DefaultUserDao implements UserDao {
@Override
public Void inTransaction(final Handle handle, final TransactionStatus status) throws Exception {
final UserRolesSqlDao userRolesSqlDao = handle.attach(UserRolesSqlDao.class);
- for (String role : roles) {
- final RolesPermissionsSqlDao rolesPermissionsSqlDao = handle.attach(RolesPermissionsSqlDao.class);
- final List<RolesPermissionsModelDao> currentRolePermissions = rolesPermissionsSqlDao.getByRoleName(role);
- if (currentRolePermissions.isEmpty()) {
- throw new SecurityApiException(ErrorCode.SECURITY_INVALID_ROLE, role);
- }
+ for (final String role : roles) {
userRolesSqlDao.create(new UserRolesModelDao(username, role, createdDate, createdBy));
}
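Review bot: Dropping the RolesPermissionsSqlDao.getByRoleName check inside the loop of inTransaction means a role name that was never defined (a typo, or a role deleted in the meantime) is now accepted silently instead of raising SECURITY_INVALID_ROLE, so a user can be bound to a role that grants nothing and no error surfaces to the caller. The check was presumably removed because a role defined with zero permissions has no rows returned by getByRoleName and so could not be told apart from an undefined role. If the schema offers no other way to distinguish the two, say so at the loop with `// no role-existence check: a zero-permission role yields no getByRoleName rows, so it cannot be distinguished from an undefined role here`, and consider logging at warn level when the lookup comes back empty so misconfigured assignments stay visible. inTransaction continues past the end of the hunk.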
diff --git a/util/src/test/java/org/killbill/billing/util/security/shiro/realm/TestKillBillJdbcRealm.java b/util/src/test/java/org/killbill/billing/util/security/shiro/realm/TestKillBillJdbcRealm.java
index 931e546..30f90af 100644
--- a/util/src/test/java/org/killbill/billing/util/security/shiro/realm/TestKillBillJdbcRealm.java
+++ b/util/src/test/java/org/killbill/billing/util/security/shiro/realm/TestKillBillJdbcRealm.java
@@ -1,6 +1,6 @@
/*
- * Copyright 2014-2015 Groupon, Inc
- * Copyright 2014-2015 The Billing Project, LLC
+ * Copyright 2014-2016 Groupon, Inc
+ * Copyright 2014-2016 The Billing Project, LLC
*
* The Billing Project licenses this file to you under the Apache License, version 2.0
* (the "License"); you may not use this file except in compliance with the
@@ -97,7 +97,6 @@ public class TestKillBillJdbcRealm extends UtilTestSuiteWithEmbeddedDB {
} catch (final AuthenticationException e) {
}
-
final AuthenticationToken newGoodToken = new UsernamePasswordToken(username, newPassword);
securityManager.login(subject, newGoodToken);
Assert.assertTrue(true);
@@ -115,9 +114,16 @@ public class TestKillBillJdbcRealm extends UtilTestSuiteWithEmbeddedDB {
}
@Test(groups = "slow")
+ public void testEmptyPermissions() throws SecurityApiException {
+ securityApi.addRoleDefinition("sanity1", null, callContext);
+ validateUserRoles(securityApi.getRoleDefinition("sanity1", callContext), ImmutableList.<String>of());
+
+ securityApi.addRoleDefinition("sanity2", ImmutableList.<String>of(), callContext);
+ validateUserRoles(securityApi.getRoleDefinition("sanity2", callContext), ImmutableList.<String>of());
+ }
+
+ @Test(groups = "slow")
public void testInvalidPermissions() {
- testInvalidPermissionScenario(null);
- testInvalidPermissionScenario(ImmutableList.<String>of());
testInvalidPermissionScenario(ImmutableList.of("foo"));
testInvalidPermissionScenario(ImmutableList.of("account:garbage"));
testInvalidPermissionScenario(ImmutableList.of("tag:delete_tag_definition", "account:hsgdsgdjsgd"));
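Review bot: testEmptyPermissions covers a null and an empty permission list but not a list containing an empty string, which is exactly the input TestSecurity.testDynamicUserRolesNoPermissions relies on being normalized away; adding `securityApi.addRoleDefinition("sanity3", ImmutableList.of(""), callContext);` followed by `validateUserRoles(securityApi.getRoleDefinition("sanity3", callContext), ImmutableList.<String>of());` would pin that normalization at the API level. A whitespace-only entry such as `" "` is covered by neither test, so the diff does not settle whether it is dropped, rejected, or stored verbatim; one case in testInvalidPermissionScenario or testEmptyPermissions would make the intended behavior explicit. testInvalidPermissions continues past the end of the hunk.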
@@ -162,7 +168,6 @@ public class TestKillBillJdbcRealm extends UtilTestSuiteWithEmbeddedDB {
securityApi.addRoleDefinition("newRestricted", ImmutableList.of("account:*", "invoice", "tag:delete_tag_definition"), callContext);
securityApi.updateUserRoles(username, ImmutableList.of("newRestricted"), callContext);
-
final Subject newSubject = securityManager.login(null, goodToken);
newSubject.checkPermission(Permission.ACCOUNT_CAN_CHARGE.toString());
newSubject.checkPermission(Permission.INVOICE_CAN_CREDIT.toString());