Support limited scope authkeys.
When checking if identity is authorized for an operation, check the allowed rights associated with the key and reject authentication appropriately.
Add Identity type.
Move Privilege class to common.
Make Privilege an enumeration and add CRUD and ALL sets.
Modify authenticate directive to provide an identity.
Use Identity instead of WhiskAuth in router.
Use Identity in entitlement check instead of Subject.
Add test for activation only key confirming lack of CRUD rights.
Consolidated RejectRequest error messages to a new singelton.
Refactored Authentication traits to be Promise-less. (Adopted from @markusthoemmes.)
diff --git a/tests/src/limits/ThrottleTests.scala b/tests/src/limits/ThrottleTests.scala
index ac020ff..47ca75f 100644
--- a/tests/src/limits/ThrottleTests.scala
+++ b/tests/src/limits/ThrottleTests.scala
@@ -28,6 +28,9 @@
import org.scalatest.concurrent.ScalaFutures
import org.scalatest.junit.JUnitRunner
+import spray.json._
+import spray.json.DefaultJsonProtocol._
+
import common.TestHelpers
import common.TestUtils
import common.TestUtils._
@@ -35,9 +38,8 @@
import common.WskActorSystem
import common.WskProps
import common.WskTestHelpers
-import spray.json._
-import spray.json.DefaultJsonProtocol._
import common.WhiskProperties
+import whisk.http.Messages._
@RunWith(classOf[JUnitRunner])
class ThrottleTests
@@ -59,9 +61,6 @@
val maximumFiringsPerMinute = WhiskProperties.getProperty("limits.triggers.fires.perMinute").toInt
val maximumConcurrentInvokes = WhiskProperties.getProperty("limits.actions.invokes.concurrent").toInt
- val rateMessage = "Too many requests from user"
- val concurrencyMessage = "The user has sent too many requests in a given amount of time."
-
/**
* Extracts the number of throttled results from a sequence of <code>RunResult</code>
*
@@ -140,7 +139,7 @@
val afterInvokes = Instant.now
waitForActivations(results.par)
- throttledActivations(results, rateMessage) should be > 0
+ throttledActivations(results, tooManyRequests) should be > 0
val alreadyWaited = durationBetween(afterInvokes, Instant.now)
settleThrottles(alreadyWaited)
@@ -160,7 +159,7 @@
val afterFirings = Instant.now
waitForActivations(results.par)
- throttledActivations(results, rateMessage) should be > 0
+ throttledActivations(results, tooManyRequests) should be > 0
val alreadyWaited = durationBetween(afterFirings, Instant.now)
settleThrottles(alreadyWaited)
@@ -200,7 +199,7 @@
val combinedResults = slowResults ++ fastResults ++ endResults
waitForActivations(combinedResults.par)
- throttledActivations(combinedResults, concurrencyMessage) should be > 0
+ throttledActivations(combinedResults, tooManyConcurrentRequests) should be > 0
val alreadyWaited = durationBetween(afterInvokes, Instant.now)
settleThrottles(alreadyWaited)
diff --git a/tests/src/whisk/core/admin/WskAdminTests.scala b/tests/src/whisk/core/admin/WskAdminTests.scala
index 09d3f43..43e433f 100644
--- a/tests/src/whisk/core/admin/WskAdminTests.scala
+++ b/tests/src/whisk/core/admin/WskAdminTests.scala
@@ -56,8 +56,8 @@
wskadmin.cli(Seq("user", "whois", authkey)).stdout.trim should be(subject)
wskadmin.cli(Seq("user", "delete", subject)).stdout should include("Subject deleted")
- val recreate = wskadmin.cli(Seq("user", "create", subject, "-u", auth.compact))
- wskadmin.cli(Seq("user", "get", subject)).stdout.trim should be(auth.compact)
+ val recreate = wskadmin.cli(Seq("user", "create", subject, "-u", auth.authkey.compact))
+ wskadmin.cli(Seq("user", "get", subject)).stdout.trim should be(auth.authkey.compact)
wskadmin.cli(Seq("user", "delete", subject)).stdout should include("Subject deleted")
}
diff --git a/tests/src/whisk/core/container/test/ContainerPoolTests.scala b/tests/src/whisk/core/container/test/ContainerPoolTests.scala
index d809051..9a2a50d 100644
--- a/tests/src/whisk/core/container/test/ContainerPoolTests.scala
+++ b/tests/src/whisk/core/container/test/ContainerPoolTests.scala
@@ -39,9 +39,7 @@
import whisk.core.entity.EntityName
import whisk.core.entity.Exec
import whisk.core.entity.EntityPath
-import whisk.core.entity.Subject
import whisk.core.entity.WhiskAction
-import whisk.core.entity.WhiskAuth
import whisk.core.entity.WhiskAuthStore
import whisk.core.entity.WhiskEntityStore
import scala.language.postfixOps
@@ -220,7 +218,7 @@
}
private val defaultNamespace = EntityPath("container pool test")
- private val defaultAuth = WhiskAuth(Subject(), AuthKey()) // XXXXXX test this with a real uuid/key
+ private val defaultAuth = AuthKey()
/*
* Create an action with the given name that print hello_N payload !
diff --git a/tests/src/whisk/core/controller/test/ActionsApiTests.scala b/tests/src/whisk/core/controller/test/ActionsApiTests.scala
index 1371905..ab1ab0e 100644
--- a/tests/src/whisk/core/controller/test/ActionsApiTests.scala
+++ b/tests/src/whisk/core/controller/test/ActionsApiTests.scala
@@ -81,7 +81,7 @@
/** Actions API tests */
behavior of "Actions API"
- val creds = WhiskAuth(Subject(), AuthKey())
+ val creds = WhiskAuth(Subject(), AuthKey()).toIdentity
val namespace = EntityPath(creds.subject())
val collectionPath = s"/${EntityPath.DEFAULT}/${collection.path}"
def aname = MakeName.next("action_tests")
@@ -137,7 +137,7 @@
}
// it should "reject list action with explicit namespace not owned by subject" in {
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Get(s"/$namespace/${collection.path}") ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
@@ -173,7 +173,7 @@
}
// it should "reject get action by name in explicit namespace not owned by subject" in
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Get(s"/$namespace/${collection.path}/${action.name}") ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
@@ -202,7 +202,7 @@
put(entityStore, action)
// it should "reject delete action by name not owned by subject" in
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Get(s"/$namespace/${collection.path}/${action.name}") ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
@@ -436,7 +436,7 @@
val content = WhiskActionPut(Some(action.exec), Some(action.parameters))
// it should "reject put action in namespace not owned by subject" in
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Put(s"/$namespace/${collection.path}/${action.name}", content) ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
@@ -564,7 +564,7 @@
put(entityStore, action)
// it should "reject post to action in namespace not owned by subject"
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Post(s"/$namespace/${collection.path}/${action.name}", args) ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
diff --git a/tests/src/whisk/core/controller/test/ActivationsApiTests.scala b/tests/src/whisk/core/controller/test/ActivationsApiTests.scala
index 3304d3c..931768a 100644
--- a/tests/src/whisk/core/controller/test/ActivationsApiTests.scala
+++ b/tests/src/whisk/core/controller/test/ActivationsApiTests.scala
@@ -58,7 +58,7 @@
/** Activations API tests */
behavior of "Activations API"
- val creds = WhiskAuth(Subject(), AuthKey())
+ val creds = WhiskAuth(Subject(), AuthKey()).toIdentity
val namespace = EntityPath(creds.subject())
val collectionPath = s"/${EntityPath.DEFAULT}/${collection.path}"
def aname = MakeName.next("activations_tests")
diff --git a/tests/src/whisk/core/controller/test/AuthenticateTests.scala b/tests/src/whisk/core/controller/test/AuthenticateTests.scala
index b8fd6fa..3c61997 100644
--- a/tests/src/whisk/core/controller/test/AuthenticateTests.scala
+++ b/tests/src/whisk/core/controller/test/AuthenticateTests.scala
@@ -62,7 +62,7 @@
val creds = createTempCredentials._1
val pass = UserPass(creds.uuid(), creds.key())
val user = Await.result(validateCredentials(Some(pass)), dbOpTimeout)
- user.get should be(creds)
+ user.get should be(creds.toIdentity)
}
it should "authorize a known user from cache" in {
@@ -76,13 +76,13 @@
authStore.outputStream = printstream
try {
val user = Await.result(validateCredentials(Some(pass))(transid()), dbOpTimeout)
- user.get should be(creds)
+ user.get should be(creds.toIdentity)
stream.toString should include regex (s"serving from datastore: ${creds.uuid()}")
stream.reset()
// repeat query, should be served from cache
val cachedUser = Await.result(validateCredentials(Some(pass))(transid()), dbOpTimeout)
- cachedUser.get should be(creds)
+ cachedUser.get should be(creds.toIdentity)
stream.toString should include regex (s"serving from cache: ${creds.uuid()}")
stream.reset()
@@ -103,7 +103,7 @@
val refetchedUser = Await.result(validateCredentials(Some(newPass))(transid()), dbOpTimeout)
stream.toString should include regex (s"serving from cache: ${creds.uuid()}")
refetchedUser.isDefined should be(true)
- refetchedUser.get should be(newCreds)
+ refetchedUser.get should be(newCreds.toIdentity)
} finally {
authStore.outputStream = savedstream
stream.close()
diff --git a/tests/src/whisk/core/controller/test/AuthorizeTests.scala b/tests/src/whisk/core/controller/test/AuthorizeTests.scala
index ff8e567..ebd6fc3 100644
--- a/tests/src/whisk/core/controller/test/AuthorizeTests.scala
+++ b/tests/src/whisk/core/controller/test/AuthorizeTests.scala
@@ -32,6 +32,11 @@
import whisk.core.entitlement.Privilege.REJECT
import whisk.core.entitlement.Resource
import whisk.core.entity.Subject
+import whisk.core.entity.AuthKey
+import whisk.core.entitlement.Privilege
+import whisk.core.entity.EntityName
+import whisk.core.entity.Identity
+import whisk.core.entitlement.OperationNotAllowed
/**
* Tests authorization handler which guards resources.
@@ -51,14 +56,14 @@
behavior of "Authorize"
val requestTimeout = 1 second
- val someUser = Subject()
- val adminUser = Subject("admin")
- val guestUser = Subject("anonym")
+ val someUser = Subject().toIdentity(AuthKey())
+ val adminUser = Subject("admin").toIdentity(AuthKey())
+ val guestUser = Subject("anonym").toIdentity(AuthKey())
it should "authorize a user to only read from their collection" in {
implicit val tid = transid()
val collections = Seq(ACTIONS, RULES, TRIGGERS, PACKAGES, ACTIVATIONS, NAMESPACES)
- val resources = collections map { Resource(someUser.namespace, _, None) }
+ val resources = collections map { Resource(someUser.namespace.toPath, _, None) }
resources foreach { r =>
Await.result(entitlementService.check(someUser, READ, r), requestTimeout) should be(true)
Await.result(entitlementService.check(someUser, PUT, r), requestTimeout) should be(false)
@@ -71,7 +76,7 @@
it should "not authorize a user to list someone else's collection or access it by other other right" in {
implicit val tid = transid()
val collections = Seq(ACTIONS, RULES, TRIGGERS, PACKAGES, ACTIVATIONS, NAMESPACES)
- val resources = collections map { Resource(someUser.namespace, _, None) }
+ val resources = collections map { Resource(someUser.namespace.toPath, _, None) }
resources foreach { r =>
// it is permissible to list packages in any namespace (provided they are either owned by
// the subject requesting access or the packages are public); that is, the entitlement is more
@@ -89,7 +94,7 @@
implicit val tid = transid()
// packages are tested separately
val collections = Seq(ACTIONS, RULES, TRIGGERS)
- val resources = collections map { Resource(someUser.namespace, _, Some("xyz")) }
+ val resources = collections map { Resource(someUser.namespace.toPath, _, Some("xyz")) }
resources foreach { r =>
Await.result(entitlementService.check(someUser, READ, r), requestTimeout) should be(true)
Await.result(entitlementService.check(someUser, PUT, r), requestTimeout) should be(true)
@@ -98,10 +103,30 @@
}
}
+ it should "not authorize a user to CRUD an entity in a collection if authkey has no CRUD rights" in {
+ implicit val tid = transid()
+ val subject = Subject()
+ val someUser = Identity(subject, EntityName(subject()), AuthKey(), Set(Privilege.ACTIVATE))
+ val collections = Seq(ACTIONS, RULES, TRIGGERS)
+ val resources = collections map { Resource(someUser.namespace.toPath, _, Some("xyz")) }
+ resources foreach { r =>
+ an[OperationNotAllowed] should be thrownBy {
+ Await.result(entitlementService.check(someUser, READ, r), requestTimeout)
+ }
+ an[OperationNotAllowed] should be thrownBy {
+ Await.result(entitlementService.check(someUser, PUT, r), requestTimeout)
+ }
+ an[OperationNotAllowed] should be thrownBy {
+ Await.result(entitlementService.check(someUser, DELETE, r), requestTimeout)
+ }
+ Await.result(entitlementService.check(someUser, ACTIVATE, r), requestTimeout) should be(true)
+ }
+ }
+
it should "not authorize a user to CRUD or activate an entity in a collection that does not support CRUD or activate" in {
implicit val tid = transid()
val collections = Seq(NAMESPACES, ACTIVATIONS)
- val resources = collections map { Resource(someUser.namespace, _, Some("xyz")) }
+ val resources = collections map { Resource(someUser.namespace.toPath, _, Some("xyz")) }
resources foreach { r =>
Await.result(entitlementService.check(someUser, READ, r), requestTimeout) should be(true)
Await.result(entitlementService.check(someUser, PUT, r), requestTimeout) should be(false)
@@ -113,7 +138,7 @@
it should "not authorize a user to CRUD or activate an entity in someone else's collection" in {
implicit val tid = transid()
val collections = Seq(ACTIONS, RULES, TRIGGERS, PACKAGES)
- val resources = collections map { Resource(someUser.namespace, _, Some("xyz")) }
+ val resources = collections map { Resource(someUser.namespace.toPath, _, Some("xyz")) }
resources foreach { r =>
Await.result(entitlementService.check(guestUser, READ, r), requestTimeout) should be(false)
Await.result(entitlementService.check(guestUser, PUT, r), requestTimeout) should be(false)
@@ -125,7 +150,7 @@
it should "authorize a user to list, create/update/delete a package" in {
implicit val tid = transid()
val collections = Seq(PACKAGES)
- val resources = collections map { Resource(someUser.namespace, _, Some("xyz")) }
+ val resources = collections map { Resource(someUser.namespace.toPath, _, Some("xyz")) }
resources foreach { r =>
a[RejectRequest] should be thrownBy {
// read should fail because the lookup for the package will fail
@@ -141,27 +166,27 @@
it should "grant access to entire collection to another user" in {
implicit val tid = transid()
- val all = Resource(someUser.namespace, ACTIONS, None)
- val one = Resource(someUser.namespace, ACTIONS, Some("xyz"))
+ val all = Resource(someUser.namespace.toPath, ACTIONS, None)
+ val one = Resource(someUser.namespace.toPath, ACTIONS, Some("xyz"))
Await.result(entitlementService.check(adminUser, READ, all), requestTimeout) should not be (true)
Await.result(entitlementService.check(adminUser, READ, one), requestTimeout) should not be (true)
- Await.result(entitlementService.grant(adminUser, READ, all), requestTimeout) // granted
+ Await.result(entitlementService.grant(adminUser.subject, READ, all), requestTimeout) // granted
Await.result(entitlementService.check(adminUser, READ, all), requestTimeout) should be(true)
Await.result(entitlementService.check(adminUser, READ, one), requestTimeout) should be(true)
- Await.result(entitlementService.revoke(adminUser, READ, all), requestTimeout) // revoked
+ Await.result(entitlementService.revoke(adminUser.subject, READ, all), requestTimeout) // revoked
}
it should "grant access to specific resource to a user" in {
implicit val tid = transid()
- val all = Resource(someUser.namespace, ACTIONS, None)
- val one = Resource(someUser.namespace, ACTIONS, Some("xyz"))
+ val all = Resource(someUser.namespace.toPath, ACTIONS, None)
+ val one = Resource(someUser.namespace.toPath, ACTIONS, Some("xyz"))
Await.result(entitlementService.check(adminUser, READ, all), requestTimeout) should not be (true)
Await.result(entitlementService.check(adminUser, READ, one), requestTimeout) should not be (true)
Await.result(entitlementService.check(adminUser, DELETE, one), requestTimeout) should not be (true)
- Await.result(entitlementService.grant(adminUser, READ, one), requestTimeout) // granted
+ Await.result(entitlementService.grant(adminUser.subject, READ, one), requestTimeout) // granted
Await.result(entitlementService.check(adminUser, READ, all), requestTimeout) should not be (true)
Await.result(entitlementService.check(adminUser, READ, one), requestTimeout) should be(true)
Await.result(entitlementService.check(adminUser, DELETE, one), requestTimeout) should not be (true)
- Await.result(entitlementService.revoke(adminUser, READ, one), requestTimeout) // revoked
+ Await.result(entitlementService.revoke(adminUser.subject, READ, one), requestTimeout) // revoked
}
}
diff --git a/tests/src/whisk/core/controller/test/NamespacesApiTests.scala b/tests/src/whisk/core/controller/test/NamespacesApiTests.scala
index bc444a6..e56dc41 100644
--- a/tests/src/whisk/core/controller/test/NamespacesApiTests.scala
+++ b/tests/src/whisk/core/controller/test/NamespacesApiTests.scala
@@ -53,7 +53,7 @@
behavior of "Namespaces API"
val collectionPath = s"/${collection.path}"
- val creds = WhiskAuth(Subject(), AuthKey())
+ val creds = WhiskAuth(Subject(), AuthKey()).toIdentity
val namespace = EntityPath(creds.subject())
it should "list namespaces for subject" in {
diff --git a/tests/src/whisk/core/controller/test/PackageActionsApiTests.scala b/tests/src/whisk/core/controller/test/PackageActionsApiTests.scala
index e3b3333..366776f 100644
--- a/tests/src/whisk/core/controller/test/PackageActionsApiTests.scala
+++ b/tests/src/whisk/core/controller/test/PackageActionsApiTests.scala
@@ -67,7 +67,7 @@
/** Package Actions API tests */
behavior of "Package Actions API"
- val creds = WhiskAuth(Subject(), AuthKey())
+ val creds = WhiskAuth(Subject(), AuthKey()).toIdentity
val namespace = EntityPath(creds.subject())
val collectionPath = s"/${EntityPath.DEFAULT}/${collection.path}"
def aname = MakeName.next("package_action_tests")
@@ -188,7 +188,7 @@
it should "reject put action in package owned by different subject" in {
implicit val tid = transid()
- val provider = WhiskPackage(Subject().namespace, aname, publish = true)
+ val provider = WhiskPackage(EntityPath(Subject()()), aname, publish = true)
val content = WhiskActionPut(Some(Exec.js("??")))
put(entityStore, provider)
Put(s"/${provider.namespace}/${collection.path}/${provider.name}/$aname", content) ~> sealRoute(routes(creds)) ~> check {
@@ -205,7 +205,7 @@
put(entityStore, action)
// it should "reject delete action in package owned by different subject" in {
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Delete(s"/${provider.namespace}/${collection.path}/${provider.name}/${action.name}") ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
@@ -266,7 +266,7 @@
it should "get action in package binding with public package" in {
implicit val tid = transid()
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
val provider = WhiskPackage(namespace, aname, None, publish = true)
val binding = WhiskPackage(EntityPath(auser.subject()), aname, provider.bind, Parameters("b", "B"))
val action = WhiskAction(provider.path, aname, Exec.js("??"))
@@ -284,7 +284,7 @@
it should "get action in package binding with public package with overriding parameters" in {
implicit val tid = transid()
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
val provider = WhiskPackage(namespace, aname, None, Parameters("p", "P"), publish = true)
val binding = WhiskPackage(EntityPath(auser.subject()), aname, provider.bind, Parameters("b", "B"))
val action = WhiskAction(provider.path, aname, Exec.js("??"), Parameters("a", "A") ++ Parameters("b", "b"))
@@ -304,7 +304,7 @@
// check on either one or both of the binding and package
ignore should "get action in package binding with explicit entitlement grant" in {
implicit val tid = transid()
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
val provider = WhiskPackage(namespace, aname, None, Parameters("p", "P"), publish = false)
val binding = WhiskPackage(EntityPath(auser.subject()), aname, provider.bind, Parameters("b", "B"))
val action = WhiskAction(provider.path, aname, Exec.js("??"), Parameters("a", "A"))
@@ -343,7 +343,7 @@
it should "reject get action in package binding that does not exist" in {
implicit val tid = transid()
val name = aname
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
val provider = WhiskPackage(namespace, aname, None, Parameters("p", "P"), publish = true)
val binding = WhiskPackage(EntityPath(auser.subject()), aname, provider.bind, Parameters("b", "B"))
val action = WhiskAction(provider.path, aname, Exec.js("??"), Parameters("a", "A"))
@@ -357,7 +357,7 @@
it should "reject get action in package binding with package that does not exist" in {
implicit val tid = transid()
val name = aname
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
val provider = WhiskPackage(namespace, aname, None, Parameters("p", "P"), publish = true)
val binding = WhiskPackage(EntityPath(auser.subject()), aname, provider.bind, Parameters("b", "B"))
val action = WhiskAction(provider.path, aname, Exec.js("??"), Parameters("a", "A"))
@@ -371,7 +371,7 @@
it should "reject get non-existing action in package binding" in {
implicit val tid = transid()
val name = aname
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
val provider = WhiskPackage(namespace, aname, None, Parameters("p", "P"), publish = true)
val binding = WhiskPackage(EntityPath(auser.subject()), aname, provider.bind, Parameters("b", "B"))
val action = WhiskAction(provider.path, aname, Exec.js("??"), Parameters("a", "A"))
@@ -384,7 +384,7 @@
it should "reject get action in package binding with private package" in {
implicit val tid = transid()
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
val provider = WhiskPackage(namespace, aname, None, Parameters("p", "P"), publish = false)
val binding = WhiskPackage(EntityPath(auser.subject()), aname, provider.bind, Parameters("b", "B"))
val action = WhiskAction(provider.path, aname, Exec.js("??"), Parameters("a", "A"))
@@ -413,7 +413,7 @@
it should "allow non-owner to invoke an action in public package" in {
implicit val tid = transid()
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
val provider = WhiskPackage(namespace, aname, publish = true)
val action = WhiskAction(provider.path, aname, Exec.js("??"))
val content = JsObject("xxx" -> "yyy".toJson)
@@ -428,7 +428,7 @@
it should "invoke action in package binding with public package" in {
implicit val tid = transid()
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
val provider = WhiskPackage(namespace, aname, publish = true)
val reference = WhiskPackage(EntityPath(auser.subject()), aname, provider.bind)
val action = WhiskAction(provider.path, aname, Exec.js("??"))
@@ -447,7 +447,7 @@
// check on either one or both of the binding and package
ignore should "invoke action in package binding with explicit entitlement grant even if package is not public" in {
implicit val tid = transid()
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
val provider = WhiskPackage(namespace, aname, publish = false)
val reference = WhiskPackage(EntityPath(auser.subject()), aname, provider.bind)
val action = WhiskAction(provider.path, aname, Exec.js("??"))
@@ -466,7 +466,7 @@
it should "reject non-owner invoking an action in private package" in {
implicit val tid = transid()
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
val provider = WhiskPackage(namespace, aname, publish = false)
val action = WhiskAction(provider.path, aname, Exec.js("??"))
val content = JsObject("xxx" -> "yyy".toJson)
@@ -502,7 +502,7 @@
it should "reject invoke action in package binding with private package" in {
implicit val tid = transid()
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
val provider = WhiskPackage(namespace, aname, publish = false)
val reference = WhiskPackage(EntityPath(auser.subject()), aname, provider.bind)
val action = WhiskAction(provider.path, aname, Exec.js("??"))
diff --git a/tests/src/whisk/core/controller/test/PackagesApiTests.scala b/tests/src/whisk/core/controller/test/PackagesApiTests.scala
index ab96857..9d29228 100644
--- a/tests/src/whisk/core/controller/test/PackagesApiTests.scala
+++ b/tests/src/whisk/core/controller/test/PackagesApiTests.scala
@@ -65,7 +65,7 @@
/** Packages API tests */
behavior of "Packages API"
- val creds = WhiskAuth(Subject(), AuthKey())
+ val creds = WhiskAuth(Subject(), AuthKey()).toIdentity
val namespace = EntityPath(creds.subject())
val collectionPath = s"/${EntityPath.DEFAULT}/${collection.path}"
def aname = MakeName.next("packages_tests")
@@ -99,7 +99,7 @@
}
}
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Get(s"/$namespace/${collection.path}") ~> sealRoute(routes(auser)) ~> check {
val response = responseAs[List[JsObject]]
response should be(List()) // cannot list packages that are private in another namespace
@@ -131,7 +131,7 @@
expected forall { p => (response contains p.summaryAsJson) } should be(true)
}
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Get(s"/$namespace/${collection.path}") ~> sealRoute(routes(auser)) ~> check {
status should be(OK)
val response = responseAs[List[JsObject]]
@@ -213,7 +213,7 @@
Get(s"$collectionPath?public=true") ~> sealRoute(routes(creds)) ~> check {
status should be(OK)
val response = responseAs[List[JsObject]]
- val expected = providers filter { _.namespace == creds.subject.namespace }
+ val expected = providers filter { _.namespace == creds.namespace.toPath }
response.length should be >= (expected.length)
expected forall { p => (response contains p.summaryAsJson) && p.binding == None } should be(true)
}
@@ -273,7 +273,7 @@
put(entityStore, feed)
// it should "reject get private package from other subject" in {
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Get(s"/$namespace/${collection.path}/${provider.name}") ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
@@ -297,7 +297,7 @@
put(entityStore, feed)
// it should "reject get package reference from other subject" in {
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Get(s"/$namespace/${collection.path}/${reference.name}") ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
@@ -334,7 +334,7 @@
put(entityStore, provider)
// it should "reject create package reference in some other namespace" in {
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Put(s"/$namespace/${collection.path}/${reference.name}", content) ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
@@ -434,7 +434,7 @@
put(entityStore, provider)
// it should "reject update package owned by different user" in {
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Put(s"/$namespace/${collection.path}/${provider.name}?overwrite=true", content) ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
@@ -457,7 +457,7 @@
put(entityStore, reference)
// it should "reject update package reference owned by different user"
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Put(s"/$namespace/${collection.path}/${reference.name}?overwrite=true", content) ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
@@ -504,7 +504,7 @@
put(entityStore, provider)
// it should "reject deleting package owned by different user" in {
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Get(s"/$namespace/${collection.path}/${provider.name}") ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
@@ -523,7 +523,7 @@
put(entityStore, reference)
// it should "reject deleting package reference owned by different user" in {
- val auser = WhiskAuth(Subject(), AuthKey())
+ val auser = WhiskAuth(Subject(), AuthKey()).toIdentity
Get(s"/$namespace/${collection.path}/${reference.name}") ~> sealRoute(routes(auser)) ~> check {
status should be(Forbidden)
}
diff --git a/tests/src/whisk/core/controller/test/RulesApiTests.scala b/tests/src/whisk/core/controller/test/RulesApiTests.scala
index bca466a..043d4ea 100644
--- a/tests/src/whisk/core/controller/test/RulesApiTests.scala
+++ b/tests/src/whisk/core/controller/test/RulesApiTests.scala
@@ -71,7 +71,7 @@
/** Rules API tests */
behavior of "Rules API"
- val creds = WhiskAuth(Subject(), AuthKey())
+ val creds = WhiskAuth(Subject(), AuthKey()).toIdentity
val namespace = EntityPath(creds.subject())
def aname = MakeName.next("rules_tests")
val collectionPath = s"/${EntityPath.DEFAULT}/${collection.path}"
diff --git a/tests/src/whisk/core/controller/test/TriggersApiTests.scala b/tests/src/whisk/core/controller/test/TriggersApiTests.scala
index c88ce82..2603e17 100644
--- a/tests/src/whisk/core/controller/test/TriggersApiTests.scala
+++ b/tests/src/whisk/core/controller/test/TriggersApiTests.scala
@@ -70,7 +70,7 @@
/** Triggers API tests */
behavior of "Triggers API"
- val creds = WhiskAuth(Subject(), AuthKey())
+ val creds = WhiskAuth(Subject(), AuthKey()).toIdentity
val namespace = EntityPath(creds.subject())
val collectionPath = s"/${EntityPath.DEFAULT}/${collection.path}"
def aname = MakeName.next("triggers_tests")
diff --git a/tests/src/whisk/core/dispatcher/test/DispatcherTests.scala b/tests/src/whisk/core/dispatcher/test/DispatcherTests.scala
index e7182f0..7c96f3e 100644
--- a/tests/src/whisk/core/dispatcher/test/DispatcherTests.scala
+++ b/tests/src/whisk/core/dispatcher/test/DispatcherTests.scala
@@ -45,6 +45,7 @@
import whisk.core.entity.EntityPath
import whisk.core.entity.FullyQualifiedEntityName
import whisk.common.Logging
+import whisk.core.entity.AuthKey
@RunWith(classOf[JUnitRunner])
class DispatcherTests extends FlatSpec with Matchers with WskActorSystem {
@@ -64,8 +65,9 @@
def sendMessage(connector: TestConnector, count: Int) = {
val content = JsObject("payload" -> JsNumber(count))
val subject = Subject()
+ val authkey = AuthKey()
val path = FullyQualifiedEntityName(EntityPath("test"), EntityName(s"count-$count"), None)
- val msg = Message(TransactionId.testing, path, subject, ActivationId(), subject.namespace, Some(content))
+ val msg = Message(TransactionId.testing, path, subject, authkey, ActivationId(), EntityPath(subject()), Some(content))
connector.send(msg)
}
