github.com/vmware/go-vcloud-director/v2@v2.24.0/govcd/access_control_catalog_test.go (about) 1 //go:build functional || catalog || ALL 2 3 /* 4 * Copyright 2020 VMware, Inc. All rights reserved. Licensed under the Apache v2 License. 5 */ 6 7 package govcd 8 9 import ( 10 "fmt" 11 "os" 12 13 . "gopkg.in/check.v1" 14 15 "github.com/vmware/go-vcloud-director/v2/types/v56" 16 ) 17 18 // catalogTenantContext defines whether we use tenant context during catalog tests. 19 // By default is off, unless variable VCD_CATALOG_TENANT_CONTEXT is set 20 var catalogTenantContext = os.Getenv("VCD_CATALOG_TENANT_CONTEXT") != "" 21 22 // GetId completes the implementation of interface accessControlType 23 func (catalog Catalog) GetId() string { 24 return catalog.Catalog.ID 25 } 26 27 // GetId completes the implementation of interface accessControlType 28 func (catalog AdminCatalog) GetId() string { 29 return catalog.AdminCatalog.ID 30 } 31 32 func (vcd *TestVCD) Test_AdminCatalogAccessControl(check *C) { 33 if vcd.config.VCD.Org == "" { 34 check.Skip("Test_AdminCatalogAccessControl: Org name not given.") 35 return 36 } 37 vcd.checkSkipWhenApiToken(check) 38 org, err := vcd.client.GetOrgByName(vcd.config.VCD.Org) 39 check.Assert(err, IsNil) 40 check.Assert(org, NotNil) 41 adminorg, err := vcd.client.GetAdminOrgByName(vcd.config.VCD.Org) 42 43 check.Assert(err, IsNil) 44 check.Assert(org, NotNil) 45 catalogName := "ac-admin-catalog" 46 // Create a new catalog 47 adminCatalog, err := adminorg.CreateCatalog(catalogName, catalogName) 48 check.Assert(err, IsNil) 49 check.Assert(adminCatalog, NotNil) 50 AddToCleanupList(catalogName, "catalog", vcd.config.VCD.Org, check.TestName()) 51 vcd.testCatalogAccessControl(adminorg, adminCatalog, check.TestName(), catalogName, check) 52 53 orgInfo, err := adminCatalog.getOrgInfo() 54 check.Assert(err, IsNil) 55 check.Assert(orgInfo.OrgId, Equals, extractUuid(adminorg.AdminOrg.ID)) 56 check.Assert(orgInfo.OrgName, Equals, adminorg.AdminOrg.Name) 57 58 err = adminCatalog.Delete(true, true) 59 check.Assert(err, IsNil) 60 } 61 62 func (vcd *TestVCD) Test_CatalogAccessControl(check *C) { 63 if vcd.config.VCD.Org == "" { 64 check.Skip("Test_CatalogAccessControl: Org name not given.") 65 return 66 } 67 vcd.checkSkipWhenApiToken(check) 68 org, err := vcd.client.GetOrgByName(vcd.config.VCD.Org) 69 check.Assert(err, IsNil) 70 check.Assert(org, NotNil) 71 adminorg, err := vcd.client.GetAdminOrgByName(vcd.config.VCD.Org) 72 73 check.Assert(err, IsNil) 74 check.Assert(org, NotNil) 75 catalogName := "ac-catalog" 76 // Create a new catalog 77 adminCatalog, err := adminorg.CreateCatalog(catalogName, catalogName) 78 check.Assert(err, IsNil) 79 check.Assert(adminCatalog, NotNil) 80 AddToCleanupList(catalogName, "catalog", vcd.config.VCD.Org, check.TestName()) 81 catalog, err := org.GetCatalogByName(catalogName, true) 82 check.Assert(err, IsNil) 83 vcd.testCatalogAccessControl(adminorg, catalog, check.TestName(), catalogName, check) 84 85 orgInfo, err := catalog.getOrgInfo() 86 check.Assert(err, IsNil) 87 check.Assert(orgInfo.OrgId, Equals, extractUuid(adminorg.AdminOrg.ID)) 88 check.Assert(orgInfo.OrgName, Equals, adminorg.AdminOrg.Name) 89 90 err = catalog.Delete(true, true) 91 check.Assert(err, IsNil) 92 } 93 94 func (vcd *TestVCD) testCatalogAccessControl(adminOrg *AdminOrg, catalog accessControlType, testName, catalogName string, check *C) { 95 96 var users = []struct { 97 name string 98 role string 99 user *OrgUser 100 }{ 101 {"ac-user1", OrgUserRoleVappAuthor, nil}, 102 {"ac-user2", OrgUserRoleOrganizationAdministrator, nil}, 103 {"ac-user3", OrgUserRoleCatalogAuthor, nil}, 104 } 105 106 orgName := "ac-testorg" 107 var newOrg *AdminOrg 108 var err error 109 if vcd.client.Client.IsSysAdmin { 110 111 // Create a new Org 112 task, err := CreateOrg(vcd.client, orgName, orgName, orgName, &types.OrgSettings{}, true) 113 check.Assert(err, IsNil) 114 err = task.WaitTaskCompletion() 115 check.Assert(err, IsNil) 116 newOrg, err = vcd.client.GetAdminOrgByName(orgName) 117 check.Assert(err, IsNil) 118 AddToCleanupList(orgName, "org", "", testName) 119 defer func() { 120 if testVerbose { 121 fmt.Printf("deleting %s\n", orgName) 122 } 123 err = newOrg.Disable() 124 check.Assert(err, IsNil) 125 err = newOrg.Delete(true, true) 126 check.Assert(err, IsNil) 127 }() 128 } 129 130 checkEmpty := func() { 131 settings, err := catalog.GetAccessControl(catalogTenantContext) 132 check.Assert(err, IsNil) 133 check.Assert(settings.IsSharedToEveryone, Equals, false) // There should not be a global sharing 134 check.Assert(settings.AccessSettings, IsNil) // There should not be any explicit sharing 135 } 136 137 // Create three users 138 for i := 0; i < len(users); i++ { 139 users[i].user, err = adminOrg.CreateUserSimple(OrgUserConfiguration{ 140 Name: users[i].name, Password: users[i].name, RoleName: users[i].role, IsEnabled: true, 141 }) 142 check.Assert(err, IsNil) 143 check.Assert(users[i].user, NotNil) 144 AddToCleanupList(users[i].name, "user", vcd.config.VCD.Org, testName) 145 } 146 defer func() { 147 for i := 0; i < len(users); i++ { 148 if testVerbose { 149 fmt.Printf("deleting %s\n", users[i].name) 150 } 151 err = users[i].user.Delete(false) 152 check.Assert(err, IsNil) 153 } 154 }() 155 checkEmpty() 156 //globalSettings := types.ControlAccessParams{ 157 // IsSharedToEveryone: true, 158 // EveryoneAccessLevel: addrOf(types.ControlAccessReadWrite), 159 // AccessSettings: nil, 160 //} 161 //err = testAccessControl(catalogName+" catalog global", catalog, globalSettings, globalSettings, true, check) 162 //check.Assert(err, IsNil) 163 164 // Set control access to one user 165 oneUserSettings := types.ControlAccessParams{ 166 IsSharedToEveryone: false, 167 EveryoneAccessLevel: nil, 168 AccessSettings: &types.AccessSettingList{ 169 AccessSetting: []*types.AccessSetting{ 170 { 171 Subject: &types.LocalSubject{ 172 HREF: users[0].user.User.Href, 173 Name: users[0].user.User.Name, 174 Type: users[0].user.User.Type, 175 }, 176 ExternalSubject: nil, 177 AccessLevel: types.ControlAccessReadWrite, 178 }, 179 }, 180 }, 181 } 182 err = testAccessControl(catalogName+" catalog one user", catalog, oneUserSettings, oneUserSettings, true, catalogTenantContext, check) 183 check.Assert(err, IsNil) 184 185 // Check that vapp.GetAccessControl and vdc.GetVappAccessControl return the same data 186 controlAccess, err := catalog.GetAccessControl(catalogTenantContext) 187 check.Assert(err, IsNil) 188 orgControlAccessByName, err := adminOrg.GetCatalogAccessControl(catalogName, catalogTenantContext) 189 check.Assert(err, IsNil) 190 check.Assert(controlAccess, DeepEquals, orgControlAccessByName) 191 192 orgControlAccessById, err := adminOrg.GetCatalogAccessControl(catalog.GetId(), catalogTenantContext) 193 check.Assert(err, IsNil) 194 check.Assert(controlAccess, DeepEquals, orgControlAccessById) 195 196 // Set control access to two users 197 twoUserSettings := types.ControlAccessParams{ 198 IsSharedToEveryone: false, 199 EveryoneAccessLevel: nil, 200 AccessSettings: &types.AccessSettingList{ 201 AccessSetting: []*types.AccessSetting{ 202 { 203 Subject: &types.LocalSubject{ 204 HREF: users[0].user.User.Href, 205 //Name: users[0].user.User.Name, // Pass info without name for one of the subjects 206 Type: users[0].user.User.Type, 207 }, 208 ExternalSubject: nil, 209 AccessLevel: types.ControlAccessReadOnly, 210 }, 211 { 212 Subject: &types.LocalSubject{ 213 HREF: users[1].user.User.Href, 214 Name: users[1].user.User.Name, 215 Type: users[1].user.User.Type, 216 }, 217 ExternalSubject: nil, 218 AccessLevel: types.ControlAccessFullControl, 219 }, 220 }, 221 }, 222 } 223 err = testAccessControl(catalogName+" catalog two users", catalog, twoUserSettings, twoUserSettings, true, catalogTenantContext, check) 224 check.Assert(err, IsNil) 225 226 // Check removal of sharing setting 227 err = catalog.RemoveAccessControl(catalogTenantContext) 228 check.Assert(err, IsNil) 229 checkEmpty() 230 231 // Set control access to three users 232 threeUserSettings := types.ControlAccessParams{ 233 IsSharedToEveryone: false, 234 EveryoneAccessLevel: nil, 235 AccessSettings: &types.AccessSettingList{ 236 AccessSetting: []*types.AccessSetting{ 237 { 238 Subject: &types.LocalSubject{ 239 HREF: users[0].user.User.Href, 240 Name: users[0].user.User.Name, 241 Type: users[0].user.User.Type, 242 }, 243 ExternalSubject: nil, 244 AccessLevel: types.ControlAccessReadOnly, 245 }, 246 { 247 Subject: &types.LocalSubject{ 248 HREF: users[1].user.User.Href, 249 //Name: users[1].user.User.Name,// Pass info without name for one of the subjects 250 Type: users[1].user.User.Type, 251 }, 252 ExternalSubject: nil, 253 AccessLevel: types.ControlAccessFullControl, 254 }, 255 { 256 Subject: &types.LocalSubject{ 257 HREF: users[2].user.User.Href, 258 Name: users[2].user.User.Name, 259 Type: users[2].user.User.Type, 260 }, 261 ExternalSubject: nil, 262 AccessLevel: types.ControlAccessReadWrite, 263 }, 264 }, 265 }, 266 } 267 err = testAccessControl(catalogName+" catalog three users", catalog, threeUserSettings, threeUserSettings, true, catalogTenantContext, check) 268 check.Assert(err, IsNil) 269 270 if vcd.client.Client.IsSysAdmin && newOrg != nil { 271 272 // Set control access to three users and an org 273 threeUserOrgSettings := types.ControlAccessParams{ 274 IsSharedToEveryone: false, 275 EveryoneAccessLevel: nil, 276 AccessSettings: &types.AccessSettingList{ 277 AccessSetting: []*types.AccessSetting{ 278 { 279 Subject: &types.LocalSubject{ 280 HREF: users[0].user.User.Href, 281 Name: users[0].user.User.Name, 282 Type: users[0].user.User.Type, 283 }, 284 ExternalSubject: nil, 285 AccessLevel: types.ControlAccessReadOnly, 286 }, 287 { 288 Subject: &types.LocalSubject{ 289 HREF: users[1].user.User.Href, 290 //Name: users[1].user.User.Name,// Pass info without name for one of the subjects 291 Type: users[1].user.User.Type, 292 }, 293 ExternalSubject: nil, 294 AccessLevel: types.ControlAccessFullControl, 295 }, 296 { 297 Subject: &types.LocalSubject{ 298 HREF: users[2].user.User.Href, 299 Name: users[2].user.User.Name, 300 Type: users[2].user.User.Type, 301 }, 302 ExternalSubject: nil, 303 AccessLevel: types.ControlAccessReadWrite, 304 }, 305 { 306 Subject: &types.LocalSubject{ 307 HREF: newOrg.AdminOrg.HREF, 308 Name: newOrg.AdminOrg.Name, 309 Type: newOrg.AdminOrg.Type, 310 }, 311 ExternalSubject: nil, 312 AccessLevel: types.ControlAccessReadOnly, 313 }, 314 }, 315 }, 316 } 317 err = testAccessControl(catalogName+" catalog three users and org", catalog, threeUserOrgSettings, threeUserOrgSettings, true, catalogTenantContext, check) 318 check.Assert(err, IsNil) 319 320 err = catalog.RemoveAccessControl(catalogTenantContext) 321 check.Assert(err, IsNil) 322 checkEmpty() 323 324 // Set control access to two org 325 twoOrgsSettings := types.ControlAccessParams{ 326 IsSharedToEveryone: false, 327 EveryoneAccessLevel: nil, 328 AccessSettings: &types.AccessSettingList{ 329 AccessSetting: []*types.AccessSetting{ 330 { 331 Subject: &types.LocalSubject{ 332 HREF: adminOrg.AdminOrg.HREF, 333 Name: adminOrg.AdminOrg.Name, 334 Type: adminOrg.AdminOrg.Type, 335 }, 336 ExternalSubject: nil, 337 AccessLevel: types.ControlAccessFullControl, 338 }, 339 { 340 Subject: &types.LocalSubject{ 341 HREF: newOrg.AdminOrg.HREF, 342 Name: newOrg.AdminOrg.Name, 343 Type: newOrg.AdminOrg.Type, 344 }, 345 ExternalSubject: nil, 346 AccessLevel: types.ControlAccessReadOnly, 347 }, 348 }, 349 }, 350 } 351 err = testAccessControl(catalogName+" catalog two org", catalog, twoOrgsSettings, twoOrgsSettings, true, catalogTenantContext, check) 352 check.Assert(err, IsNil) 353 catalogs, err := vcd.client.Client.QueryCatalogRecords(catalogName, TenantContext{newOrg.AdminOrg.ID, newOrg.AdminOrg.Name}) 354 check.Assert(err, IsNil) 355 check.Assert(len(catalogs), Equals, 1) 356 foundCatalog, err := vcd.client.Client.GetAdminCatalogByHref(catalogs[0].HREF) 357 check.Assert(err, IsNil) 358 check.Assert(foundCatalog.AdminCatalog.ID, Equals, catalog.GetId()) 359 } 360 361 // Set empty settings explicitly 362 emptySettings := types.ControlAccessParams{ 363 IsSharedToEveryone: false, 364 } 365 err = testAccessControl(catalogName+" catalog empty", catalog, emptySettings, emptySettings, false, catalogTenantContext, check) 366 check.Assert(err, IsNil) 367 368 checkEmpty() 369 370 }