Fixed Tests and bug for no Admin Users

Signed-off-by: Thomas Schauer-Koeckeis <[email protected]>
DependencyTrack · nscuro · Sep 24, 2024 · Aug 23, 2024 · Aug 27, 2024 · Aug 27, 2024
commit e663e7e70969f206a288ccd441a663d5c5a9e0f2
diff --git a/src/main/java/org/dependencytrack/resources/v1/ProjectResource.java b/src/main/java/org/dependencytrack/resources/v1/ProjectResource.java
@@ -69,6 +69,7 @@
 import java.util.Collection;
 import java.util.List;
 import java.util.Set;
+import java.util.UUID;
 import java.util.function.BiConsumer;
 import java.util.function.Function;
 
@@ -324,19 +325,20 @@ public Response createProject(Project jsonProject) {
             }
             boolean required = qm.isEnabled(ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED);
             boolean isAdmin = qm.hasAccessManagementPermission(principal);
-            if (required && choosenTeams.size() == 0) {
+            if (required && choosenTeams.isEmpty()) {
                 return Response.status(422)
                         .entity("You need to specify at least one team to which the project should belong").build();
             }
             List<Team> visibleTeams = isAdmin ? qm.getTeams() : userTeams;
+            List<UUID> visibleUuids = visibleTeams.isEmpty() ? new ArrayList<UUID>(): visibleTeams.stream().map(Team::getUuid).toList();
             jsonProject.setAccessTeams(new ArrayList<Team>());
             for (Team choosenTeam : choosenTeams) {
-                Team ormTeam = qm.getObjectByUuid(Team.class, choosenTeam.getUuid());
-                if (!visibleTeams.contains(ormTeam)) {
+                if (!visibleUuids.contains(choosenTeam.getUuid())) {
                     return isAdmin ? Response.status(404).entity("This team does not exist!").build()
                             : Response.status(403)
                                     .entity("You don't have the permission to assign this team to a project.").build();
                 }
+                Team ormTeam = qm.getObjectByUuid(Team.class, choosenTeam.getUuid());
                 jsonProject.addAccessTeam(ormTeam);
             }
             if (!qm.doesProjectExist(StringUtils.trimToNull(jsonProject.getName()), StringUtils.trimToNull(jsonProject.getVersion()))) {

diff --git a/src/test/java/org/dependencytrack/resources/v1/ProjectResourceTest.java b/src/test/java/org/dependencytrack/resources/v1/ProjectResourceTest.java
@@ -20,8 +20,12 @@
 
 import alpine.common.util.UuidUtil;
 import alpine.event.framework.EventService;
+import alpine.model.IConfigProperty;
+import alpine.model.ManagedUser;
 import alpine.model.IConfigProperty.PropertyType;
 import alpine.model.Team;
+import alpine.model.Permission;
+import alpine.server.auth.JsonWebToken;
 import alpine.server.filters.ApiFilter;
 import alpine.server.filters.AuthenticationFilter;
 import jakarta.json.Json;
@@ -51,6 +55,7 @@
 import org.dependencytrack.model.ServiceComponent;
 import org.dependencytrack.model.Tag;
 import org.dependencytrack.model.Vulnerability;
+import org.dependencytrack.persistence.DefaultObjectGenerator;
 import org.dependencytrack.tasks.CloneProjectTask;
 import org.dependencytrack.tasks.scanners.AnalyzerIdentity;
 import org.glassfish.jersey.client.HttpUrlConnectorProvider;
@@ -76,6 +81,8 @@
 import static org.hamcrest.Matchers.equalTo;
 
 public class ProjectResourceTest extends ResourceTest {
+    private ManagedUser testUser;
+    private String jwt;
 
     @ClassRule
     public static JerseyTestRule jersey = new JerseyTestRule(
@@ -90,6 +97,23 @@ public void after() throws Exception {
         super.after();
     }
 
+    public void getUserToken(boolean isAdmin) {
+        testUser = qm.createManagedUser("testuser", TEST_USER_PASSWORD_HASH);
+        jwt = new JsonWebToken().createToken(testUser);
+        qm.addUserToTeam(testUser, team);
+        final var generator = new DefaultObjectGenerator();
+        generator.loadDefaultPermissions();
+        List<Permission> permissionsList = new ArrayList<Permission>();
+        final Permission permission = qm.getPermission("PORTFOLIO_MANAGEMENT");
+        permissionsList.add(permission);
+        testUser.setPermissions(permissionsList);
+        if (isAdmin) {
+            final Permission adminPermission = qm.getPermission("ACCESS_MANAGEMENT");
+            permissionsList.add(adminPermission);
+            testUser.setPermissions(permissionsList);
+        }
+    }
+
     @Test
     public void getProjectsDefaultRequestTest() {
         for (int i=0; i<1000; i++) {
@@ -483,6 +507,102 @@ public void createProjectEmptyTest() {
         Assert.assertEquals(400, response.getStatus(), 0);
     }
 
+    @Test
+    public void createProjectWithExistingTeamRequiredTest() {
+        getUserToken(false);
+        Team AllowedTeam = qm.createTeam("AllowedTeam", false);
+        Project project = new Project();
+        project.setName("ProjectWithExistingTeamRequired");
+        qm.addUserToTeam(testUser, AllowedTeam);
+        qm.createConfigProperty("access-management", "acl.enabled", "true", IConfigProperty.PropertyType.BOOLEAN, "");
+        final JsonObject jsonTeam = Json.createObjectBuilder().add("uuid", AllowedTeam.getUuid().toString()).build();
+        final JsonObjectBuilder requestBodyBuilder = Json.createObjectBuilder()
+                .add("name", project.getName()).add("classifier", "CONTAINER").addNull("parent").add("active", true)
+                .add("accessTeams", Json.createArrayBuilder().add(jsonTeam).build());
+        Response response = jersey.target(V1_PROJECT)
+                .request()
+                .header("Authorization", "Bearer " + jwt)
+                .put(Entity.json(requestBodyBuilder.build().toString()));
+        Assert.assertEquals(201, response.getStatus(), 0);
+    }
+
+    @Test
+    public void createProjectWithoutExistingTeamRequiredTest() {
+        getUserToken(false);
+        Project project = new Project();
+        project.setName("ProjectWithoutExistingTeamRequired");
+        project.setAccessTeams(new ArrayList<Team>());
+        qm.createConfigProperty("access-management", "acl.enabled", "true", IConfigProperty.PropertyType.BOOLEAN, "");
+        Response response = jersey.target(V1_PROJECT)
+                .request()
+                .header("Authorization", "Bearer " + jwt)
+                .put(Entity.entity(project, MediaType.APPLICATION_JSON));
+        Assert.assertEquals(422, response.getStatus(), 0);
+    }
+
+    @Test
+    public void createProjectWithNotAllowedExistingTeamTest() {
+        getUserToken(false);
+        Team notAllowedTeam = qm.createTeam("NotAllowedTeam", false);
+        Project project = new Project();
+        project.setName("ProjectWithNotAllowedExistingTeam");
+        project.addAccessTeam(notAllowedTeam);
+        qm.createConfigProperty("access-management", "acl.enabled", "true", IConfigProperty.PropertyType.BOOLEAN, "");
+        Response response = jersey.target(V1_PROJECT)
+                .request()
+                .header("Authorization", "Bearer " + jwt)
+                .put(Entity.entity(project, MediaType.APPLICATION_JSON));
+        Assert.assertEquals(403, response.getStatus(), 0);
+    }
+
+    @Test
+    public void createProjectWithNotAllowedExistingTeamAdminTest() {
+        getUserToken(true);
+        Team notAllowedTeam = qm.createTeam("NotAllowedTeam", false);
+        Project project = new Project();
+        project.setName("ProjectWithNotAllowedExistingTeam");
+        project.addAccessTeam(notAllowedTeam);
+        qm.createConfigProperty("access-management", "acl.enabled", "true", IConfigProperty.PropertyType.BOOLEAN, "");
+        Response response = jersey.target(V1_PROJECT)
+                .request()
+                .header("Authorization", "Bearer " + jwt)
+                .put(Entity.entity(project, MediaType.APPLICATION_JSON));
+        Assert.assertEquals(201, response.getStatus(), 0);
+    }
+
+    @Test
+    public void createProjectWithNotExistingTeamNoAdminTest() {
+        getUserToken(false);
+        Team notAllowedTeam = new Team();
+        notAllowedTeam.setUuid(new UUID(1, 1));
+        notAllowedTeam.setName("NotAllowedTeam");
+        Project project = new Project();
+        project.addAccessTeam(notAllowedTeam);
+        project.setName("ProjectWithNotAllowedExistingTeam");
+        qm.createConfigProperty("access-management", "acl.enabled", "true", IConfigProperty.PropertyType.BOOLEAN, "");
+        Response response = jersey.target(V1_PROJECT)
+                .request()
+                .header("Authorization", "Bearer " + jwt)
+                .put(Entity.entity(project, MediaType.APPLICATION_JSON));
+        Assert.assertEquals(403, response.getStatus(), 0);
+    }
+
+    @Test
+    public void createProjectWithNotExistingTeamTest() {
+        getUserToken(true);
+        Team notAllowedTeam = new Team();
+        notAllowedTeam.setUuid(new UUID(1, 1));
+        notAllowedTeam.setName("NotAllowedTeam");
+        Project project = new Project();
+        project.addAccessTeam(notAllowedTeam);
+        project.setName("ProjectWithNotExistingTeam");
+        Response response = jersey.target(V1_PROJECT)
+                .request()
+                .header("Authorization", "Bearer " + jwt)
+                .put(Entity.entity(project, MediaType.APPLICATION_JSON));
+        Assert.assertEquals(404, response.getStatus(), 0);
+    }
+
     @Test
     public void updateProjectTest() {
         Project project = qm.createProject("ABC", null, "1.0", null, null, null, true, false);