Merge pull request #7198 from deutschebank/db-contrib/7194-flag-to-di…

…sable-self-assignment-of-roles Db contrib/7194 flag to disable self assignment of roles
finos · Jan 17, 2025 · f5ffd13 · f5ffd13
2 parents ab05dd9 + 9816abb
commit f5ffd13
Show file tree

Hide file tree

Showing 2 changed files with 281 additions and 8 deletions.
diff --git a/...est/src/test/java/org/finos/waltz/integration_test/inmem/service/UserRoleServiceTest.java b/...est/src/test/java/org/finos/waltz/integration_test/inmem/service/UserRoleServiceTest.java
@@ -1,16 +1,25 @@
 package org.finos.waltz.integration_test.inmem.service;
 
+import org.finos.waltz.common.ListUtilities;
 import org.finos.waltz.common.SetUtilities;
 import org.finos.waltz.integration_test.inmem.BaseInMemoryIntegrationTest;
+import org.finos.waltz.model.bulk_upload.BulkUploadMode;
+import org.finos.waltz.model.settings.ImmutableSetting;
 import org.finos.waltz.model.user.ImmutableUpdateRolesCommand;
+import org.finos.waltz.model.user.SystemRole;
 import org.finos.waltz.model.user.User;
+import org.finos.waltz.schema.Tables;
+import org.finos.waltz.service.settings.SettingsService;
 import org.finos.waltz.service.user.UserRoleService;
+import org.finos.waltz.test_common.helpers.PersonHelper;
 import org.finos.waltz.test_common.helpers.UserHelper;
+import org.jooq.impl.DSL;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 
 import java.util.Set;
 
+import static java.lang.String.format;
 import static org.finos.waltz.common.SetUtilities.asSet;
 import static org.finos.waltz.test_common.helpers.NameHelper.mkName;
 import static org.junit.jupiter.api.Assertions.assertFalse;
@@ -26,6 +35,16 @@ public class UserRoleServiceTest extends BaseInMemoryIntegrationTest {
     @Autowired
     private UserRoleService svc;
 
+    @Autowired
+    private SettingsService settingsService;
+
+    @Autowired
+    private PersonHelper personHelper;
+
+    private static final String DISABLE_SELF_ROLE_MANAGEMENT_SETTINGS_KEY = "feature.user-roles.disable-self-role-mgmt";
+
+
+
     @Test
     public void userCanBeCreated() {
         String name = mkName("userCanBeCreated");
@@ -127,4 +146,224 @@ public void canFindAllUsersForAGivenRole() {
 
     }
 
+    @Test
+    public void cannotEditOwnRolesIfDSRMEnabled() {
+        deleteDSRMSetting();
+        // DSRM = Disable Self Role Management
+        String stem = "cannotEditOwnRolesIfDSRMEnabled";
+        String username = mkName(stem + "_user");
+        String randomRole = mkName(stem + "_random_role");
+
+        helper.createUser(username);
+        personHelper.createPerson(username);
+
+        svc.updateRoles(username, username, ImmutableUpdateRolesCommand.builder()
+                .addRoles(SystemRole.ADMIN.name())
+                .comment("cmnt")
+                .build());
+
+        helper.createRole(randomRole);
+
+        // creating the four-eye-check setting with true as value
+        settingsService.create(ImmutableSetting.builder()
+                .name(DISABLE_SELF_ROLE_MANAGEMENT_SETTINGS_KEY)
+                .description("desc")
+                .value("true")
+                .restricted(false)
+                .build());
+
+        try {
+            svc.updateRoles(username, username, ImmutableUpdateRolesCommand.builder()
+                    .addRoles(randomRole)
+                    .comment("should_not_add")
+                    .build());
+
+        } catch (IllegalArgumentException e) {
+            assertNotNull(e);
+        }
+    }
+
+    @Test
+    public void cannotBulkEditOwnRolesIfDSRMEnabled() {
+        deleteDSRMSetting();
+
+        String stem = "cannotBulkEditOwnRolesIfDSRMEnabled";
+        String username = mkName(stem + "_user");
+        String randomRole = mkName(stem + "_random_role");
+
+        String bulkUploadString = format("username, role, comment\n" +
+            "%s, %s, comment\n" +
+            "%s, %s, comment2",
+            username, randomRole, username + "2", randomRole);
+
+        String[] lines = bulkUploadString.split("\\R");
+
+        helper.createUser(username);
+        personHelper.createPerson(username);
+        helper.createUser(username + "2");
+        personHelper.createPerson(username + "2");
+
+        svc.updateRoles(username, username, ImmutableUpdateRolesCommand.builder()
+                .addRoles(SystemRole.ADMIN.name())
+                .comment("cmnt")
+                .build());
+
+        helper.createRole(randomRole);
+
+        // creating the four-eye-check setting with true as value
+        settingsService.create(ImmutableSetting.builder()
+                .name(DISABLE_SELF_ROLE_MANAGEMENT_SETTINGS_KEY)
+                .description("desc")
+                .value("true")
+                .restricted(false)
+                .build());
+
+
+        svc.bulkUpload(BulkUploadMode.ADD_ONLY, ListUtilities.asList(lines), username);
+        assertFalse(svc.hasRole(username, randomRole));
+        assertTrue(svc.hasRole(username + "2", randomRole));
+    }
+
+    @Test
+    public void canEditWithDSRMFlagOff() {
+        deleteDSRMSetting();
+
+        String stem = "canEditWithDSRMFlagOff";
+        String username = mkName(stem + "_user");
+        String randomRole = mkName(stem + "_random_role");
+
+        helper.createUser(username);
+        personHelper.createPerson(username);
+
+        svc.updateRoles(username, username, ImmutableUpdateRolesCommand.builder()
+                .addRoles(SystemRole.ADMIN.name())
+                .comment("cmnt")
+                .build());
+
+        helper.createRole(randomRole);
+
+        // creating the four-eye-check setting with true as value
+        settingsService.create(ImmutableSetting.builder()
+                .name(DISABLE_SELF_ROLE_MANAGEMENT_SETTINGS_KEY)
+                .description("desc")
+                .value("false")
+                .restricted(false)
+                .build());
+
+
+        svc.updateRoles(username, username, ImmutableUpdateRolesCommand.builder()
+                .addRoles(randomRole)
+                .comment("should_not_add")
+                .build());
+
+        svc.hasRole(username, randomRole);
+    }
+
+    @Test
+    public void canBulkEditWithDSRMFlagOff() {
+        deleteDSRMSetting();
+
+        String stem = "canBulkEditWithDSRMFlagOff";
+        String username = mkName(stem + "_user");
+        String randomRole = mkName(stem + "_random_role");
+
+        String bulkUploadString = format("username, role, comment\n" +
+                        "%s, %s, comment\n" +
+                        "%s, %s, comment2",
+                username, randomRole, username + "2", randomRole);
+
+        String[] lines = bulkUploadString.split("\\R");
+
+        helper.createUser(username);
+        personHelper.createPerson(username);
+        helper.createUser(username + "2");
+        personHelper.createPerson(username + "2");
+
+        svc.updateRoles(username, username, ImmutableUpdateRolesCommand.builder()
+                .addRoles(SystemRole.ADMIN.name())
+                .comment("cmnt")
+                .build());
+
+        helper.createRole(randomRole);
+
+        // creating the four-eye-check setting with true as value
+        settingsService.create(ImmutableSetting.builder()
+                .name(DISABLE_SELF_ROLE_MANAGEMENT_SETTINGS_KEY)
+                .description("desc")
+                .value("false")
+                .restricted(false)
+                .build());
+
+
+        svc.bulkUpload(BulkUploadMode.ADD_ONLY, ListUtilities.asList(lines), username);
+        assertTrue(svc.hasRole(username, randomRole));
+        assertTrue(svc.hasRole(username + "2", randomRole));
+    }
+
+    @Test
+    public void canEditWithNoDSRMFlag() {
+        deleteDSRMSetting();
+
+        String stem = "canEditWithDSRMFlagOff";
+        String username = mkName(stem + "_user");
+        String randomRole = mkName(stem + "_random_role");
+
+        helper.createUser(username);
+        personHelper.createPerson(username);
+
+        svc.updateRoles(username, username, ImmutableUpdateRolesCommand.builder()
+                .addRoles(SystemRole.ADMIN.name())
+                .comment("cmnt")
+                .build());
+
+        helper.createRole(randomRole);
+
+        svc.updateRoles(username, username, ImmutableUpdateRolesCommand.builder()
+                .addRoles(randomRole)
+                .comment("should_not_add")
+                .build());
+
+        svc.hasRole(username, randomRole);
+    }
+
+    @Test
+    public void canBulkEditWithNoDSRMFlag() {
+        deleteDSRMSetting();
+
+        String stem = "adminCanChangeOwnRolesAndOthersRolesInBulkIfNoDSRMSetting";
+        String username = mkName(stem + "_user");
+        String randomRole = mkName(stem + "_random_role");
+
+        String bulkUploadString = format("username, role, comment\n" +
+                        "%s, %s, comment\n" +
+                        "%s, %s, comment2",
+                username, randomRole, username + "2", randomRole);
+
+        String[] lines = bulkUploadString.split("\\R");
+
+        helper.createUser(username);
+        personHelper.createPerson(username);
+        helper.createUser(username + "2");
+        personHelper.createPerson(username + "2");
+
+        svc.updateRoles(username, username, ImmutableUpdateRolesCommand.builder()
+                .addRoles(SystemRole.ADMIN.name())
+                .comment("cmnt")
+                .build());
+
+        helper.createRole(randomRole);
+
+        svc.bulkUpload(BulkUploadMode.ADD_ONLY, ListUtilities.asList(lines), username);
+        assertTrue(svc.hasRole(username, randomRole));
+        assertTrue(svc.hasRole(username + "2", randomRole));
+    }
+
+    private void deleteDSRMSetting() {
+        if(settingsService.getByName(DISABLE_SELF_ROLE_MANAGEMENT_SETTINGS_KEY) != null) {
+            this.getDsl().deleteFrom(Tables.SETTINGS)
+                    .where(Tables.SETTINGS.NAME.eq(DISABLE_SELF_ROLE_MANAGEMENT_SETTINGS_KEY))
+                    .execute();
+        }
+    }
+
 }