header/src/main/java/org/zstack/header/identity
test/src/test/groovy/org/zstack/test/unittest/identity Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -12,6 +12,7 @@ public void permissions() {
1212 .name ("identity" )
1313 .adminOnlyAPIs (
1414 APICreateAccountMsg .class ,
15+ APIQueryAccountMsg .class ,
1516 APIShareResourceMsg .class ,
1617 APIRevokeResourceSharingMsg .class ,
1718 APIUpdateQuotaMsg .class ,
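Review bot: The added `APIQueryAccountMsg.class` entry is the only read-only query among the visible `adminOnlyAPIs` entries (the others create, share, revoke or update), and nothing at the call site records why it is there, so a later cleanup could drop it back under the wildcard. A one-line comment above it would keep the intent, for example `// admin-only: otherwise matched by the wildcard normalAPIs pattern and readable by normal accounts`. The list continues outside the hunk, so it is worth confirming whether other account query messages in this package are still reachable the same way. If normal accounts relied on this query to read their own account record, that path now needs an alternative; the hunk does not show one.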
Original file line number Diff line number Diff line change 1+ package org .zstack .test .unittest .identity ;
2+
3+ import org .junit .Assert ;
4+ import org .junit .Before ;
5+ import org .junit .Test ;
6+ import org .zstack .header .identity .APIQueryAccountMsg ;
7+ import org .zstack .header .identity .RBACInfo ;
8+ import org .zstack .header .identity .rbac .RBAC ;
9+
10+ public class TestAPIQueryAccountMsgRBACCase {
11+
12+ @ Before
13+ public void setUp () {
14+ RBAC .permissions .clear ();
15+ }
16+
17+ @ Test
18+ public void testAPIQueryAccountMsgIsAdminOnly () {
19+ RBACInfo rbacInfo = new RBACInfo ();
20+ rbacInfo .permissions ();
21+
22+ boolean isAdminOnly = RBAC .isAdminOnlyAPI (APIQueryAccountMsg .class .getName ());
23+ Assert .assertTrue (
24+ "APIQueryAccountMsg should be admin-only to prevent privilege escalation, " +
25+ "but it is currently accessible to normal IAM users via the wildcard normalAPIs pattern" ,
26+ isAdminOnly
27+ );
28+ }
29+
30+ @ Test
31+ public void testAPIQueryAccountMsgNotInNormalAPIs () {
32+ RBACInfo rbacInfo = new RBACInfo ();
33+ rbacInfo .permissions ();
34+
35+ String apiName = APIQueryAccountMsg .class .getName ();
36+ boolean isInNormalOnly = RBAC .permissions .stream ()
37+ .anyMatch (p -> p .getNormalAPIs ().contains (apiName ) && !p .getAdminOnlyAPIs ().contains (apiName ));
38+ Assert .assertFalse (
39+ "APIQueryAccountMsg should NOT be accessible as a normal API" ,
40+ isInNormalOnly
41+ );
42+ }
43+ }
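Review bot: `testAPIQueryAccountMsgNotInNormalAPIs` probably cannot fail for the bug it names. The first test's message says normal users reached the API through a wildcard `normalAPIs` pattern, and if that list stores the pattern string rather than expanded class names, `getNormalAPIs().contains(apiName)` is false both before and after the fix. Asserting the positive side would pin the change instead, e.g. `Assert.assertTrue(RBAC.permissions.stream().anyMatch(p -> p.getAdminOnlyAPIs().contains(apiName)));`, or the test can be dropped in favour of the `isAdminOnlyAPI` check. Separately, `setUp` clears the static `RBAC.permissions` and nothing restores it, so tests sharing the JVM may afterwards see only the identity permissions; saving the list in `@Before` and restoring it in an `@After` method would avoid that.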