diff --git a/db/tables.sql b/db/tables.sql
index fc7129a..6d10694 100644
--- a/db/tables.sql
+++ b/db/tables.sql
@@ -1,3 +1,5 @@
+-- vim: set ts=8
+
 -- All tables, keys, indexes, and constraints for authz_umichlib in MariaDB.
 CREATE TABLE aa_user(
 userid VARCHAR(64) NOT NULL,
@@ -22,7 +24,7 @@ CREATE TABLE aa_user(
 lastModifiedTime TIMESTAMP NOT NULL,
 lastModifiedBy VARCHAR(64) NOT NULL,
 dlpsExpiryTime DATETIME,
- dlpsDeleted CHAR(1) NOT NULL,
+ dlpsDeleted CHAR(1) NOT NULL,
 PRIMARY KEY (userid)
 );
@@ -32,7 +34,7 @@ CREATE TABLE aa_user_grp(
 manager INT,
 lastModifiedTime TIMESTAMP NOT NULL,
 lastModifiedBy VARCHAR(64) NOT NULL,
- dlpsDeleted CHAR(1) NOT NULL,
+ dlpsDeleted CHAR(1) NOT NULL,
 PRIMARY KEY (uniqueIdentifier)
 );
@@ -42,7 +44,7 @@ CREATE TABLE aa_inst(
 manager INT,
 lastModifiedTime TIMESTAMP NOT NULL,
 lastModifiedBy VARCHAR(64) NOT NULL,
- dlpsDeleted CHAR(1) NOT NULL,
+ dlpsDeleted CHAR(1) NOT NULL,
 PRIMARY KEY (uniqueIdentifier)
 );
@@ -51,7 +53,7 @@ CREATE TABLE aa_is_member_of_inst(
 inst INT NOT NULL,
 lastModifiedTime TIMESTAMP NOT NULL,
 lastModifiedBy VARCHAR(64) NOT NULL,
- dlpsDeleted CHAR(1) NOT NULL,
+ dlpsDeleted CHAR(1) NOT NULL,
 PRIMARY KEY (userid, inst)
 );
@@ -60,7 +62,7 @@ CREATE TABLE aa_is_member_of_grp(
 user_grp INT NOT NULL,
 lastModifiedTime TIMESTAMP NOT NULL,
 lastModifiedBy VARCHAR(64) NOT NULL,
- dlpsDeleted CHAR(1) NOT NULL,
+ dlpsDeleted CHAR(1) NOT NULL,
 PRIMARY KEY (userid, user_grp)
 );
@@ -72,11 +74,11 @@ CREATE TABLE aa_coll(
 dlpsSource VARCHAR(128) NOT NULL,
 dlpsAuthenMethod VARCHAR(3) NOT NULL,
 dlpsAuthzType CHAR(1) NOT NULL,
- dlpsPartlyPublic CHAR(1) NOT NULL,
+ dlpsPartlyPublic CHAR(1) NOT NULL,
 manager INT,
 lastModifiedTime TIMESTAMP NOT NULL,
 lastModifiedBy VARCHAR(64) NOT NULL,
- dlpsDeleted CHAR(1) NOT NULL,
+ dlpsDeleted CHAR(1) NOT NULL,
 PRIMARY KEY (uniqueIdentifier)
 );
@@ -86,7 +88,7 @@ CREATE TABLE aa_coll_obj(
 coll VARCHAR(32) NOT NULL,
 lastModifiedTime TIMESTAMP NOT NULL,
 lastModifiedBy VARCHAR(64) NOT NULL,
- dlpsDeleted CHAR(1) NOT NULL,
+ dlpsDeleted CHAR(1) NOT NULL,
 PRIMARY KEY (dlpsServer, dlpsPath, coll)
 );
@@ -101,7 +103,7 @@ CREATE TABLE aa_network(
 inst INT,
 lastModifiedTime TIMESTAMP NOT NULL,
 lastModifiedBy VARCHAR(64) NOT NULL,
- dlpsDeleted CHAR(1) NOT NULL,
+ dlpsDeleted CHAR(1) NOT NULL,
 PRIMARY KEY (uniqueIdentifier)
 );
@@ -114,7 +116,7 @@ CREATE TABLE aa_may_access(
 lastModifiedTime TIMESTAMP NOT NULL,
 lastModifiedBy VARCHAR(64) NOT NULL,
 dlpsExpiryTime TIMESTAMP,
- dlpsDeleted CHAR(1) NOT NULL,
+ dlpsDeleted CHAR(1) NOT NULL,
 PRIMARY KEY (uniqueIdentifier)
 );
@@ -163,4 +165,3 @@ ALTER TABLE aa_network ADD CONSTRAINT network_dlpsDeleted
 ALTER TABLE aa_may_access ADD CONSTRAINT may_access_dlpsDeleted
 CHECK (dlpsDeleted IN ('t', 'f'));
-
diff --git a/db/test-fixture.sql b/db/test-fixture.sql
index f40a2e4..7d56164 100644
--- a/db/test-fixture.sql
+++ b/db/test-fixture.sql
@@ -96,6 +96,38 @@ INSERT INTO aa_may_access VALUES(
 NULL, NULL, NULL, @test_inst_id, 'lauth-by-username', CURRENT_TIMESTAMP, 'root', NULL, 'f'
 );
+
+---------- setup for user allowed via group membership ----------
+INSERT INTO aa_user VALUES(
+ 'lauth-group-member',NULL,'Lauth',NULL,'Test-group-mem','lauth-group-member',
+ NULL, -- org unit
+ 'Library auth system test user - this user is a group member',
+ 'Ann Arbor','MI','48109-119',NULL,NULL,'Staff',NULL,
+ '!none', -- umich id, !none
+ '@umich.edu', -- password, @umich.edu MAY signify SSO
+ 0,NULL,
+ CURRENT_TIMESTAMP,'root', -- modified
+ NULL, -- expiry
+ 'f'
+);
+
+INSERT INTO aa_user_grp VALUES(
+ 9999, -- uniqueIdentifier
+ 'Library auth system test group', -- commonName
+ 0, -- manager
+ CURRENT_TIMESTAMP, 'root', -- modified
+ 'f' -- deleted
+);
+
+INSERT INTO aa_is_member_of_grp VALUES(
+ 'lauth-group-member', 9999, CURRENT_TIMESTAMP, 'root', 'f'
+);
+
+INSERT INTO aa_may_access VALUES(
+ NULL,
+ NULL, 9999, NULL, 'lauth-by-username', CURRENT_TIMESTAMP, 'root', NULL, 'f'
+);
+
 -----------------------------------------------------------------------------
 -- Individual grant to the by-username collection
diff --git a/test-site/htpasswd b/test-site/htpasswd
index 7791301..999a274 100644
--- a/test-site/htpasswd
+++ b/test-site/htpasswd
@@ -1,3 +1,4 @@
 lauth-allowed:$apr1$p.sxKRK5$KgXJ3DmjWUAjPWDT.MXgD0
 lauth-denied:$apr1$QGNY5c50$KYz8u1TVMyKtPJqQnjRTM1
 lauth-inst-member:$apr1$OlwhNzKS$pAko/dHzrwwLhirtsMyDb/
+lauth-group-member:$apr1$hb0MeJ4P$6/scL5/84n6YOXqSbmzBo.
diff --git a/test/restrictions/group_member_spec.rb b/test/restrictions/group_member_spec.rb
new file mode 100644
index 0000000..cbe6c19
--- /dev/null
+++ b/test/restrictions/group_member_spec.rb
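Review bot: The four new INSERT statements in the fixture hunk give no column list, so what each positional value means (which slot 9999 fills in aa_may_access, which column of aa_user receives '@umich.edu') depends on the column order in db/tables.sql and breaks silently when a column is added. For the membership row every column name is visible in this diff, so it can be written as `INSERT INTO aa_is_member_of_grp (userid, user_grp, lastModifiedTime, lastModifiedBy, dlpsDeleted) VALUES ('lauth-group-member', 9999, CURRENT_TIMESTAMP, 'root', 'f');`, and the other three should get the same treatment. The group id 9999 is also hard-coded, whereas the institution fixture just above appears to carry its id in the session variable @test_inst_id; unless the spec needs a fixed id, capturing it the same way keeps the two fixtures consistent. The value in the password slot is annotated only as "MAY signify SSO"; stating the exact convention the authentication code applies to it would let a reader tell whether it is a sentinel or a credential.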
@@ -0,0 +1,19 @@
+require "base64"
+
+RSpec.describe "Access to resources restricted to named group member" do
+ include BasicAuth
+
+ context "when logged in as a group member" do
+ it "is allowed" do
+ response = website.get("/restricted-by-username/") do |req|
+ req.headers["Authorization"] = basic_auth_group_member
+ end
+
+ expect(response.status).to eq HttpCodes::OK
+ end
+ end
+
+ def website
+ @website ||= Faraday.new(TestSite::URL)
+ end
+end
diff --git a/test/support/auth_users.rb b/test/support/auth_users.rb
index 168455b..a9fa7ea 100644
--- a/test/support/auth_users.rb
+++ b/test/support/auth_users.rb
@@ -14,4 +14,8 @@ def another_good_user
 def inst_user
 "lauth-inst-member"
 end
+
+ def group_user
+ "lauth-group-member"
+ end
 end
diff --git a/test/support/basic_auth.rb b/test/support/basic_auth.rb
index 4658648..622b7d0 100644
--- a/test/support/basic_auth.rb
+++ b/test/support/basic_auth.rb
@@ -2,14 +2,22 @@ module BasicAuth
 include AuthUsers
 def basic_auth_bad_user
- "Basic #{Base64.urlsafe_encode64("#{bad_user}:lauth-denied")}"
+ basic_auth_for(bad_user)
 end
 def basic_auth_good_user
- "Basic #{Base64.urlsafe_encode64("#{good_user}:lauth-allowed")}"
+ basic_auth_for(good_user)
 end
 def basic_auth_inst_member
- "Basic #{Base64.urlsafe_encode64("#{inst_user}:lauth-inst-member")}"
+ basic_auth_for(inst_user)
+ end
+
+ def basic_auth_group_member
+ basic_auth_for(group_user)
+ end
+
+ def basic_auth_for(user)
+ "Basic #{Base64.urlsafe_encode64("#{user}:#{user}")}"
 end
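Review bot: The new spec in test/restrictions/group_member_spec.rb asserts only the positive path, that a group member gets HttpCodes::OK from /restricted-by-username/, so it would pass just as well if the resource were not group-restricted at all; a second context that authenticates with `basic_auth_bad_user` (or any account with no row in aa_is_member_of_grp) and expects the denial status the other restriction specs use is what shows the membership check is the thing granting access. `require "base64"` at the top of the file is unused here, since Base64 is only called in test/support/basic_auth.rb, which is where the require belongs. The `website` helper wrapping `Faraday.new(TestSite::URL)` presumably repeats what the sibling spec files define; if so it could move into a shared support module next to BasicAuth.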
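Review bot: `basic_auth_for` in test/support/basic_auth.rb encodes the credential with `Base64.urlsafe_encode64`, but HTTP Basic uses the standard base64 alphabet; the URL-safe variant emits `-` and `_` where standard encoding would emit `+` and `/`, so any user:password byte sequence that hits those characters is decoded wrongly by the server and fails in a way that looks like an authorization bug. Whether the fixture names here happen to avoid those characters is beside the point now that every spec goes through this one helper, so it should read `"Basic #{Base64.strict_encode64("#{user}:#{user}")}"`. The refactor also bakes in the convention that each test account's password equals its username, which the hashes in test-site/htpasswd cannot confirm at a glance; a comment above the method, `# Every account in test-site/htpasswd uses its username as its password.`, saves the next reader cross-checking three files. The BasicAuth module header is above the hunk.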