Skip to content

update IT for add namespace field to policy entry #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
thjaeckle merged 3 commits into from
Mar 30, 2026
Merged

update IT for add namespace field to policy entry #24

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3354b92
update IT for add ns field to policy entry
hu-ahmed Mar 23, 2026
b2846ac
update IT for add ns field to policy entry
hu-ahmed Mar 13, 2026
bd939d0
add ITs for namespace-scoped policy entries
thjaeckle Mar 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
241 changes: 241 additions & 0 deletions .../test/java/org/eclipse/ditto/testing/system/things/authorization/PolicyEnforcementIT.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.HashSet;
import java.util.concurrent.TimeUnit;

Expand Down Expand Up @@ -157,6 +159,159 @@ public void getThingWithoutGrantedRead() {
.fire();
}

@Test
public void getThingWithNamespaceScopedPolicyEntry() {
final PolicyId policyId =
PolicyId.of(idGenerator().withPrefixedRandomName("getThingWithNamespaceScopedPolicyEntry"));
final Policy policy = createPolicyRootAndNamespaceScopedAccess(policyId, defaultClientSubjectId,
client2SubjectId, "com.acme", "READ");
final ThingId allowedThingId = ThingId.of("com.acme", idGenerator().withRandomName());
final ThingId deniedThingId = ThingId.of("other.ns", idGenerator().withRandomName());

putPolicy(policy)
.expectingHttpStatus(HttpStatus.CREATED)
.fire();

putThing(API_V_2, Thing.newBuilder().setId(allowedThingId).setPolicyId(policyId).build(), JsonSchemaVersion.V_2)
.expectingHttpStatus(CREATED)
.fire();

putThing(API_V_2, Thing.newBuilder().setId(deniedThingId).setPolicyId(policyId).build(), JsonSchemaVersion.V_2)
.expectingHttpStatus(CREATED)
.fire();

getThing(API_V_2, allowedThingId)
.withConfiguredAuth(serviceEnv.getTestingContext2())
.expectingHttpStatus(HttpStatus.OK)
.fire();

getThing(API_V_2, deniedThingId)
.withConfiguredAuth(serviceEnv.getTestingContext2())
.expectingHttpStatus(HttpStatus.NOT_FOUND)
.fire();
}

@Test
public void getThingWithExactNamespaceOnlyScopedPolicyEntry() {
final PolicyId policyId =
PolicyId.of(idGenerator().withPrefixedRandomName("exactNamespaceOnly"));
final Policy policy = createPolicyRootAndNamespaceScopedAccessWithPatterns(policyId,
defaultClientSubjectId, client2SubjectId, "READ",
Arrays.asList("com.acme"));
final ThingId exactMatchThingId = ThingId.of("com.acme", idGenerator().withRandomName());
final ThingId nestedThingId = ThingId.of("com.acme.vehicles", idGenerator().withRandomName());
final ThingId otherThingId = ThingId.of("other.ns", idGenerator().withRandomName());

putPolicy(policy)
.expectingHttpStatus(HttpStatus.CREATED)
.fire();

putThing(API_V_2, Thing.newBuilder().setId(exactMatchThingId).setPolicyId(policyId).build(),
JsonSchemaVersion.V_2)
.expectingHttpStatus(CREATED)
.fire();

putThing(API_V_2, Thing.newBuilder().setId(nestedThingId).setPolicyId(policyId).build(),
JsonSchemaVersion.V_2)
.expectingHttpStatus(CREATED)
.fire();

putThing(API_V_2, Thing.newBuilder().setId(otherThingId).setPolicyId(policyId).build(),
JsonSchemaVersion.V_2)
.expectingHttpStatus(CREATED)
.fire();

// exact match: com.acme matches
getThing(API_V_2, exactMatchThingId)
.withConfiguredAuth(serviceEnv.getTestingContext2())
.expectingHttpStatus(HttpStatus.OK)
.fire();

// nested namespace: com.acme.vehicles does NOT match exact-only pattern "com.acme"
getThing(API_V_2, nestedThingId)
.withConfiguredAuth(serviceEnv.getTestingContext2())
.expectingHttpStatus(HttpStatus.NOT_FOUND)
.fire();

// other namespace: not matched
getThing(API_V_2, otherThingId)
.withConfiguredAuth(serviceEnv.getTestingContext2())
.expectingHttpStatus(HttpStatus.NOT_FOUND)
.fire();
}

@Test
public void getThingWithWildcardNamespaceOnlyScopedPolicyEntry() {
final PolicyId policyId =
PolicyId.of(idGenerator().withPrefixedRandomName("wildcardNamespaceOnly"));
final Policy policy = createPolicyRootAndNamespaceScopedAccessWithPatterns(policyId,
defaultClientSubjectId, client2SubjectId, "READ",
Arrays.asList("com.acme.*"));
final ThingId exactThingId = ThingId.of("com.acme", idGenerator().withRandomName());
final ThingId nestedThingId = ThingId.of("com.acme.vehicles", idGenerator().withRandomName());

putPolicy(policy)
.expectingHttpStatus(HttpStatus.CREATED)
.fire();

putThing(API_V_2, Thing.newBuilder().setId(exactThingId).setPolicyId(policyId).build(),
JsonSchemaVersion.V_2)
.expectingHttpStatus(CREATED)
.fire();

putThing(API_V_2, Thing.newBuilder().setId(nestedThingId).setPolicyId(policyId).build(),
JsonSchemaVersion.V_2)
.expectingHttpStatus(CREATED)
.fire();

// wildcard "com.acme.*" does NOT match exact namespace "com.acme"
getThing(API_V_2, exactThingId)
.withConfiguredAuth(serviceEnv.getTestingContext2())
.expectingHttpStatus(HttpStatus.NOT_FOUND)
.fire();

// wildcard "com.acme.*" matches nested "com.acme.vehicles"
getThing(API_V_2, nestedThingId)
.withConfiguredAuth(serviceEnv.getTestingContext2())
.expectingHttpStatus(HttpStatus.OK)
.fire();
}

@Test
public void getThingWithoutNamespaceScopePolicyEntryIsGlobal() {
final PolicyId policyId =
PolicyId.of(idGenerator().withPrefixedRandomName("noNamespaceScope"));
final Policy policy = createPolicyRootAndAdditionalAccess(policyId,
defaultClientSubjectId, client2SubjectId, "READ");
final ThingId thingId1 = ThingId.of("com.acme", idGenerator().withRandomName());
final ThingId thingId2 = ThingId.of("other.ns", idGenerator().withRandomName());

putPolicy(policy)
.expectingHttpStatus(HttpStatus.CREATED)
.fire();

putThing(API_V_2, Thing.newBuilder().setId(thingId1).setPolicyId(policyId).build(),
JsonSchemaVersion.V_2)
.expectingHttpStatus(CREATED)
.fire();

putThing(API_V_2, Thing.newBuilder().setId(thingId2).setPolicyId(policyId).build(),
JsonSchemaVersion.V_2)
.expectingHttpStatus(CREATED)
.fire();

// without namespace scope, entry applies to all namespaces
getThing(API_V_2, thingId1)
.withConfiguredAuth(serviceEnv.getTestingContext2())
.expectingHttpStatus(HttpStatus.OK)
.fire();

getThing(API_V_2, thingId2)
.withConfiguredAuth(serviceEnv.getTestingContext2())
.expectingHttpStatus(HttpStatus.OK)
.fire();
}

@Test
public void postThingAlterPolicyForReadAccess() {
final ThingId thingId = ThingId.of(idGenerator().withRandomName());
Expand Down Expand Up @@ -931,6 +1086,92 @@ private static Policy createPolicyRootAndAdditionalAccessWithRevoke(final Policy
return PoliciesModelFactory.newPolicy(policyId, entry1, entry2);
}

private static Policy createPolicyRootAndNamespaceScopedAccess(final PolicyId policyId,
final SubjectId rootUser,
final SubjectId additionalUser,
final String namespace,
final String additionalGrantedPermission) {

final EffectedPermissions permissionsAll =
EffectedPermissions.newInstance(collect("READ", "WRITE"), Permissions.none());
final EffectedPermissions permissionsAdditional = EffectedPermissions.newInstance(
Permissions.newInstance("READ", additionalGrantedPermission), Permissions.none());
final PolicyEntry rootEntry = PoliciesModelFactory.newPolicyEntry(
Label.of("rootUser"),
Subjects.newInstance(PoliciesModelFactory.newSubject(rootUser, SubjectType.GENERATED)),
PoliciesModelFactory.newResources(
Resource.newInstance(ResourceKey.newInstance("policy:"), permissionsAll),
Resource.newInstance(ResourceKey.newInstance("thing:"), permissionsAll)));

final PolicyEntry scopedEntry = PoliciesModelFactory.newPolicyEntry(
Label.of("namespaceScopedUser"),
Subjects.newInstance(
PoliciesModelFactory.newSubject(additionalUser, ARBITRARY_SUBJECT_TYPE)),
PoliciesModelFactory.newResources(
Resource.newInstance(ResourceKey.newInstance("thing:"), permissionsAdditional)),
Arrays.asList(namespace, namespace + ".*"),
org.eclipse.ditto.policies.model.ImportableType.IMPLICIT,
Collections.emptySet());

return PoliciesModelFactory.newPolicy(policyId, rootEntry, scopedEntry);
}

private static Policy createPolicyRootAndNamespaceScopedAccessWithPatterns(final PolicyId policyId,
final SubjectId rootUser,
final SubjectId additionalUser,
final String additionalGrantedPermission,
final List<String> namespacePatterns) {

final EffectedPermissions permissionsAll =
EffectedPermissions.newInstance(collect("READ", "WRITE"), Permissions.none());
final EffectedPermissions permissionsAdditional = EffectedPermissions.newInstance(
Permissions.newInstance("READ", additionalGrantedPermission), Permissions.none());
final PolicyEntry rootEntry = PoliciesModelFactory.newPolicyEntry(
Label.of("rootUser"),
Subjects.newInstance(PoliciesModelFactory.newSubject(rootUser, SubjectType.GENERATED)),
PoliciesModelFactory.newResources(
Resource.newInstance(ResourceKey.newInstance("policy:"), permissionsAll),
Resource.newInstance(ResourceKey.newInstance("thing:"), permissionsAll)));

final PolicyEntry scopedEntry = PoliciesModelFactory.newPolicyEntry(
Label.of("namespaceScopedUser"),
Subjects.newInstance(
PoliciesModelFactory.newSubject(additionalUser, ARBITRARY_SUBJECT_TYPE)),
PoliciesModelFactory.newResources(
Resource.newInstance(ResourceKey.newInstance("thing:"), permissionsAdditional)),
namespacePatterns,
org.eclipse.ditto.policies.model.ImportableType.IMPLICIT,
Collections.emptySet());

return PoliciesModelFactory.newPolicy(policyId, rootEntry, scopedEntry);
}

private static Policy createPolicyRootAndAdditionalAccess(final PolicyId policyId,
final SubjectId rootUser,
final SubjectId additionalUser,
final String additionalGrantedPermission) {

final EffectedPermissions permissionsAll =
EffectedPermissions.newInstance(collect("READ", "WRITE"), Permissions.none());
final EffectedPermissions permissionsAdditional = EffectedPermissions.newInstance(
Permissions.newInstance("READ", additionalGrantedPermission), Permissions.none());
final PolicyEntry rootEntry = PoliciesModelFactory.newPolicyEntry(
Label.of("rootUser"),
Subjects.newInstance(PoliciesModelFactory.newSubject(rootUser, SubjectType.GENERATED)),
PoliciesModelFactory.newResources(
Resource.newInstance(ResourceKey.newInstance("policy:"), permissionsAll),
Resource.newInstance(ResourceKey.newInstance("thing:"), permissionsAll)));

final PolicyEntry additionalEntry = PoliciesModelFactory.newPolicyEntry(
Label.of("additionalUser"),
Subjects.newInstance(
PoliciesModelFactory.newSubject(additionalUser, ARBITRARY_SUBJECT_TYPE)),
PoliciesModelFactory.newResources(
Resource.newInstance(ResourceKey.newInstance("thing:"), permissionsAdditional)));

return PoliciesModelFactory.newPolicy(policyId, rootEntry, additionalEntry);
}

private static Policy createDefaultPolicy(final SubjectId user, final PolicyId policyId) {
return createDefaultPolicy(user, policyId, Label.of("DEFAULT"));
}
Expand Down
Loading