pentaho · smmribeiro · Apr 10, 2024 · Apr 9, 2024 · Mar 18, 2024 · Apr 10, 2024
@@ -20,7 +20,10 @@
 
 package org.pentaho.platform.engine.services.solution;
 
+import org.pentaho.commons.util.repository.exception.PermissionDeniedException;
+import org.pentaho.platform.api.engine.IAuthorizationPolicy;
 import org.pentaho.platform.api.repository.IContentItem;
+import org.pentaho.platform.engine.core.system.PentahoSystem;
 import org.pentaho.platform.engine.services.messages.Messages;
 import org.pentaho.platform.util.UUIDUtil;
 
@@ -30,9 +33,15 @@
 public abstract class SimpleContentGenerator extends BaseContentGenerator {
 
   private static final long serialVersionUID = -8882315618256741737L;
+  private static final String REPOSITORY_CREATE_ACTION = "org.pentaho.repository.create";
 
   @Override
   public void createContent() throws Exception {
+
+    if ( !PentahoSystem.get( IAuthorizationPolicy.class ).isAllowed( REPOSITORY_CREATE_ACTION ) ) {
+      throw new PermissionDeniedException();
+    }
+
     OutputStream out = null;
     if ( outputHandler == null ) {
       error( Messages.getInstance().getErrorString( "SimpleContentGenerator.ERROR_0001_NO_OUTPUT_HANDLER" ) ); //$NON-NLS-1$

@@ -22,6 +22,8 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.pentaho.commons.util.repository.exception.PermissionDeniedException;
+import org.pentaho.platform.api.engine.IAuthorizationPolicy;
 import org.pentaho.platform.api.engine.IContentGenerator;
 import org.pentaho.platform.api.engine.IOutputHandler;
 import org.pentaho.platform.api.engine.IParameterProvider;
@@ -86,6 +88,8 @@ public class GeneratorStreamingOutput {
 
   private static final boolean MIMETYPE_MUTABLE = true;
 
+  private static final String REPOSITORY_CREATE_ACTION = "org.pentaho.repository.create";
+
   /**
    * Invokes a content generator to produce some content either in the context of a repository file, or in the form of a
    * direct service call (no repository file in view).
@@ -176,6 +180,11 @@ public void write( OutputStream output, MimeTypeCallback callback ) throws IOExc
   }
 
   protected void generateContent( OutputStream outputStream, final MimeTypeCallback callback ) throws Exception {
+
+    if ( !PentahoSystem.get( IAuthorizationPolicy.class ).isAllowed( REPOSITORY_CREATE_ACTION ) ) {
+      throw new PermissionDeniedException();
+    }
+
     try {
       httpServletResponse.setCharacterEncoding( LocaleHelper.getSystemEncoding() );
     } catch ( Throwable t ) {

@@ -49,12 +49,15 @@
 import org.codehaus.enunciate.Facet;
 import org.codehaus.enunciate.jaxrs.ResponseCode;
 import org.codehaus.enunciate.jaxrs.StatusCodes;
+import org.pentaho.commons.util.repository.exception.PermissionDeniedException;
+import org.pentaho.platform.api.engine.IAuthorizationPolicy;
 import org.pentaho.platform.api.repository2.unified.UnifiedRepositoryException;
 import org.pentaho.platform.api.scheduler2.IJobTrigger;
 import org.pentaho.platform.api.scheduler2.Job;
 import org.pentaho.platform.api.scheduler2.Job.JobState;
 import org.pentaho.platform.api.scheduler2.SchedulerException;
 import org.pentaho.platform.api.repository2.unified.webservices.RepositoryFileDto;
+import org.pentaho.platform.engine.core.system.PentahoSystem;
 import org.pentaho.platform.web.http.api.resources.proxies.BlockStatusProxy;
 import org.pentaho.platform.web.http.api.resources.services.SchedulerService;
 import org.pentaho.platform.web.http.messages.Messages;
@@ -525,9 +528,15 @@ public List<Job> getJobs( @DefaultValue ( "false" ) @QueryParam ( "asCronString"
     } )
   public List<Job> getAllJobs() {
     try {
-      return schedulerService.getJobs();
+      if ( PentahoSystem.get( IAuthorizationPolicy.class ).isAllowed( "org.pentaho.scheduler.manage" ) ) {
+        return schedulerService.getJobs();
+      } else {
+        throw new PermissionDeniedException();
+      }
     } catch ( SchedulerException e ) {
       throw new RuntimeException( e );
+    } catch ( PermissionDeniedException e ) {
+      throw new RuntimeException( e );
     }
   }
 
@@ -1071,7 +1080,15 @@ public List<Job> getJobs() {
       @ResponseCode ( code = 200, condition = "Successfully retrieved blockout jobs." ),
     } )
   public List<Job> getBlockoutJobs() {
-    return schedulerService.getBlockOutJobs();
+    try {
+      if ( PentahoSystem.get( IAuthorizationPolicy.class ).isAllowed( "org.pentaho.scheduler.manage" ) ) {
+        return schedulerService.getBlockOutJobs();
+      } else {
+        throw new PermissionDeniedException();
+      }
+    } catch ( PermissionDeniedException e ) {
+      throw new RuntimeException( e );
+    }
   }
 
 

@@ -72,6 +72,7 @@
 import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.eq;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.mockStatic;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.nullable;
 import static org.mockito.Mockito.spy;
@@ -88,6 +89,8 @@ public class SolutionImportHandlerTest {
   private IUnifiedRepository repository;
   private IRoleAuthorizationPolicyRoleBindingDao roleAuthorizationPolicyRoleBindingDao;
   private IPlatformMimeResolver mockMimeResolver;
+  private static MockedStatic<PentahoSystem> pentahoSystem;
+  IAuthorizationPolicy policy = mock( IAuthorizationPolicy.class );
 
   @Before
   public void setUp() throws Exception {
@@ -496,6 +499,8 @@ public void testImportSchedules() throws Exception {
       when( iSchedulerMock.getStatus() ).thenReturn( mock( IScheduler.SchedulerStatus.class ) );
       pentahoSessionHolderMockedStatic.when( PentahoSessionHolder::getSession )
         .thenReturn( mock( IPentahoSession.class ) );
+      pentahoSystemMockedStatic.when( () -> PentahoSystem.get( eq( IAuthorizationPolicy.class ) ) ).thenReturn( policy );
+      when( policy.isAllowed( anyString() ) ).thenReturn( true );
 
       importHandler.importSchedules( schedules );
 
@@ -527,6 +532,8 @@ public void testImportSchedules_FailsToCreateSchedule() throws Exception {
       when( iSchedulerMock.getStatus() ).thenReturn( mock( IScheduler.SchedulerStatus.class ) );
       pentahoSessionHolderMockedStatic.when( PentahoSessionHolder::getSession )
         .thenReturn( mock( IPentahoSession.class ) );
+      pentahoSystemMockedStatic.when( () -> PentahoSystem.get( eq( IAuthorizationPolicy.class ) ) ).thenReturn( policy );
+      when( policy.isAllowed( anyString() ) ).thenReturn( true );
 
       importHandler.importSchedules( schedules );
       Assert.assertEquals( 0, ImportSession.getSession().getImportedScheduleJobIds().size() );
@@ -535,6 +542,7 @@ public void testImportSchedules_FailsToCreateSchedule() throws Exception {
 
   @Test
   public void testImportSchedules_FailsToCreateScheduleWithSpace() throws Exception {
+
     List<JobScheduleRequest> schedules = new ArrayList<>();
     JobScheduleRequest scheduleRequest = spy( new JobScheduleRequest() );
     scheduleRequest.setInputFile( "/home/admin/scheduled Transform.ktr" );
@@ -563,6 +571,9 @@ public void testImportSchedules_FailsToCreateScheduleWithSpace() throws Exceptio
         .thenReturn( iSchedulerMock );
       when( iSchedulerMock.getStatus() ).thenReturn( mock( IScheduler.SchedulerStatus.class ) );
       pentahoSessionHolderMockedStatic.when( PentahoSessionHolder::getSession ).thenReturn( mock( IPentahoSession.class ) );
+      pentahoSystemMockedStatic.when( () -> PentahoSystem.get( eq( IAuthorizationPolicy.class ) ) ).thenReturn( policy );
+      when( policy.isAllowed( anyString() ) ).thenReturn( true );
+
       importHandler.importSchedules( schedules );
       verify( importHandler, times( 2 ) ).createSchedulerJob(
         any( SchedulerResource.class ), any( JobScheduleRequest.class ) );
@@ -604,6 +615,8 @@ public void testImportSchedules_FailsToCreateScheduleWithSpaceOnWindows() throws
       when( iSchedulerMock.getStatus() ).thenReturn( mock( IScheduler.SchedulerStatus.class ) );
       pentahoSessionHolderMockedStatic.when( PentahoSessionHolder::getSession )
         .thenReturn( mock( IPentahoSession.class ) );
+      pentahoSystemMockedStatic.when( () -> PentahoSystem.get( eq( IAuthorizationPolicy.class ) ) ).thenReturn( policy );
+      when( policy.isAllowed( anyString() ) ).thenReturn( true );
 
       importHandler.importSchedules( schedules );
       verify( importHandler, times( 2 ) )

@@ -24,6 +24,11 @@
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.mockStatic;
+import static org.mockito.Mockito.when;
 
 import java.io.ByteArrayOutputStream;
 import java.util.ArrayList;
@@ -34,12 +39,14 @@
 import org.apache.axis2.description.TransportInDescription;
 import org.apache.axis2.description.TransportOutDescription;
 import org.apache.axis2.engine.AxisConfiguration;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.*;
+import org.mockito.MockedStatic;
+import org.pentaho.platform.api.engine.IAuthorizationPolicy;
 import org.pentaho.platform.api.engine.IOutputHandler;
 import org.pentaho.platform.api.engine.IParameterProvider;
 import org.pentaho.platform.engine.core.output.SimpleOutputHandler;
 import org.pentaho.platform.engine.core.solution.SimpleParameterProvider;
+import org.pentaho.platform.engine.core.system.PentahoSystem;
 import org.pentaho.platform.engine.core.system.StandaloneSession;
 import org.pentaho.platform.plugin.services.pluginmgr.servicemgr.AxisWebServiceManager;
 import org.pentaho.platform.util.web.SimpleUrlFactory;
@@ -60,6 +67,8 @@ public class AxisServiceExecutorTest {
 
   private ByteArrayOutputStream out;
   private AxisServiceExecutor contentGenerator;
+  private static MockedStatic<PentahoSystem> pentahoSystem;
+
 
   @Before
   public void setUp() throws Exception {
@@ -99,6 +108,16 @@ public void setUp() throws Exception {
 
     assertNotNull( "contentGenerator is null", contentGenerator );
     assertNotNull( "Logger is null", contentGenerator.getLogger() );
+
+    pentahoSystem = mockStatic( PentahoSystem.class );
+    IAuthorizationPolicy policy = mock( IAuthorizationPolicy.class );
+    pentahoSystem.when( () -> PentahoSystem.get( eq( IAuthorizationPolicy.class ) ) ).thenReturn( policy );
+    when( policy.isAllowed( anyString() ) ).thenReturn( true );
+  }
+
+  @After
+  public void cleanUp() {
+    pentahoSystem.close();
   }
 
   @Test

@@ -20,13 +20,17 @@
 
 package org.pentaho.platform.web.http.api.resources;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.hamcrest.core.IsInstanceOf;
+import org.junit.*;
+import org.junit.rules.ExpectedException;
+import org.mockito.MockedStatic;
+import org.pentaho.commons.util.repository.exception.PermissionDeniedException;
+import org.pentaho.platform.api.engine.IAuthorizationPolicy;
 import org.pentaho.platform.api.repository2.unified.UnifiedRepositoryException;
 import org.pentaho.platform.api.scheduler2.IJobTrigger;
 import org.pentaho.platform.api.scheduler2.Job;
 import org.pentaho.platform.api.scheduler2.SchedulerException;
+import org.pentaho.platform.engine.core.system.PentahoSystem;
 import org.pentaho.platform.web.http.api.resources.proxies.BlockStatusProxy;
 import org.pentaho.platform.web.http.api.resources.services.SchedulerService;
 
@@ -45,16 +49,25 @@
 public class SchedulerResourceTest {
 
   SchedulerResource schedulerResource;
+  private static MockedStatic<PentahoSystem> pentahoSystem;
+  IAuthorizationPolicy policy = mock( IAuthorizationPolicy.class );
 
   @Before
   public void setUp() {
     schedulerResource = spy( new SchedulerResource() );
     schedulerResource.schedulerService = mock( SchedulerService.class );
+
+    pentahoSystem = mockStatic( PentahoSystem.class );
+
+    pentahoSystem.when( () -> PentahoSystem.get( eq( IAuthorizationPolicy.class ) ) ).thenReturn( policy );
+    when( policy.isAllowed( anyString() ) ).thenReturn( true );
   }
 
   @After
   public void tearDown() {
     schedulerResource = null;
+
+    pentahoSystem.close();
   }
 
   @Test
@@ -920,4 +933,27 @@ private void assertUpdateJob( JobScheduleRequest request, Response.Status expect
     assertEquals( expectedStatus.getStatusCode(), response.getStatus() );
     assertEquals( expectedResponse, response.getEntity() );
   }
+  @Rule
+  public ExpectedException exceptionRule = ExpectedException.none();
+  @Test
+  public void testGetAllJobsNoPermission() {
+    when( policy.isAllowed( anyString() ) ).thenReturn( false );
+
+    exceptionRule.expect( RuntimeException.class );
+    exceptionRule.expectCause( IsInstanceOf.instanceOf( PermissionDeniedException.class) );
+
+    schedulerResource.getAllJobs();
+  }
+
+  @Test
+  public void testGetBlockoutJobsNoPermission() {
+
+    when( policy.isAllowed( anyString() ) ).thenReturn( false );
+
+    exceptionRule.expect( RuntimeException.class );
+    exceptionRule.expectCause( IsInstanceOf.instanceOf( PermissionDeniedException.class) );
+
+    schedulerResource.getBlockoutJobs();
+  }
+
 }
@@ -21,10 +21,13 @@
 package org.pentaho.test.platform.plugin.services.webservices;
 
 import org.junit.Test;
+import org.mockito.MockedStatic;
+import org.pentaho.platform.api.engine.IAuthorizationPolicy;
 import org.pentaho.platform.api.engine.IOutputHandler;
 import org.pentaho.platform.api.engine.IParameterProvider;
 import org.pentaho.platform.engine.core.output.SimpleOutputHandler;
 import org.pentaho.platform.engine.core.solution.SimpleParameterProvider;
+import org.pentaho.platform.engine.core.system.PentahoSystem;
 import org.pentaho.platform.engine.core.system.StandaloneSession;
 import org.pentaho.platform.plugin.services.pluginmgr.servicemgr.AxisWebServiceManager;
 import org.pentaho.platform.plugin.services.webservices.content.AxisServiceWsdlGenerator;
@@ -38,6 +41,11 @@
 import java.util.Map;
 
 import static org.junit.Assert.*;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.mockStatic;
+import static org.mockito.Mockito.when;
 
 public class AxisServiceWsdlGeneratorTest {
 
@@ -50,6 +58,12 @@ public void testBadInit2() throws Exception {
 
   @Test
   public void testBadInit3() throws Exception {
+
+    MockedStatic<PentahoSystem>  pentahoSystem = mockStatic( PentahoSystem.class );
+    IAuthorizationPolicy policy = mock( IAuthorizationPolicy.class );
+    pentahoSystem.when( () -> PentahoSystem.get( eq( IAuthorizationPolicy.class ) ) ).thenReturn( policy );
+    when( policy.isAllowed( anyString() ) ).thenReturn( true );
+
     StandaloneSession session = new StandaloneSession( "test" ); //$NON-NLS-1$
 
     AxisServiceWsdlGenerator contentGenerator = new AxisServiceWsdlGenerator();

@@ -25,10 +25,13 @@
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+import org.mockito.MockedStatic;
+import org.pentaho.platform.api.engine.IAuthorizationPolicy;
 import org.pentaho.platform.api.engine.IOutputHandler;
 import org.pentaho.platform.api.engine.IParameterProvider;
 import org.pentaho.platform.engine.core.output.SimpleOutputHandler;
 import org.pentaho.platform.engine.core.solution.SimpleParameterProvider;
+import org.pentaho.platform.engine.core.system.PentahoSystem;
 import org.pentaho.platform.engine.core.system.StandaloneSession;
 import org.pentaho.platform.plugin.services.pluginmgr.servicemgr.AxisWebServiceManager;
 import org.pentaho.platform.plugin.services.webservices.content.AxisServiceWsdlGenerator;
@@ -43,6 +46,11 @@
 
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.mockStatic;
+import static org.mockito.Mockito.when;
 
 public class WsdlPageTest {
 
@@ -53,6 +61,7 @@ public class WsdlPageTest {
 
   private ByteArrayOutputStream out;
   private AxisServiceWsdlGenerator contentGenerator;
+  private static MockedStatic<PentahoSystem> pentahoSystem;
 
   @Before
   public void setUp() {
@@ -77,12 +86,19 @@ public void setUp() {
     contentGenerator.setMessagesList( new ArrayList<String>() );
     contentGenerator.setSession( session );
     contentGenerator.setUrlFactory( new SimpleUrlFactory( BASE_URL + "?" ) );
+
+    pentahoSystem = mockStatic( PentahoSystem.class );
+    IAuthorizationPolicy policy = mock( IAuthorizationPolicy.class );
+    pentahoSystem.when( () -> PentahoSystem.get( eq( IAuthorizationPolicy.class ) ) ).thenReturn( policy );
+    when( policy.isAllowed( anyString() ) ).thenReturn( true );
   }
 
   @After
   public void tearDown() {
     AxisWebServiceManager.currentAxisConfiguration = beforeTestCfg;
     AxisWebServiceManager.currentAxisConfigContext = beforeTestCtx;
+
+    pentahoSystem.close();
   }