--- /dev/null
+set testid@aaf.att.com <pass>
+set testunused@aaf.att.com <pass>
+set XX@NS <pass>
+set bogus boguspass
+#delay 10
+set NFR 0
+as testid@aaf.att.com
+# TC_Role1.10.0.POS Validate NS ok
+ns list name com.test.TC_Role1.@[user.name]
+** Expect 200 **
+
+List Namespaces by Name[com.test.TC_Role1.@[THE_USER]]
+--------------------------------------------------------------------------------
+ *** Namespace Not Found ***
+
+# TC_Role1.10.1.POS Create Namespace with valid IDs and Responsible Parties
+ns create com.test.TC_Role1.@[user.name] @[user.name] testid@aaf.att.com
+** Expect 201 **
+Created Namespace
+
+# TC_Role1.10.10.POS Create role to assign mechid perm to
+role create com.test.TC_Role1.@[user.name].cred_admin
+** Expect 201 **
+Created Role
+
+as XX@NS
+# TC_Role1.10.11.POS Assign role to mechid perm
+perm grant com.att.aaf.mechid com.att create com.test.TC_Role1.@[user.name].cred_admin
+** Expect 201 **
+Granted Permission [com.att.aaf.mechid|com.att|create] to Role [com.test.TC_Role1.@[THE_USER].cred_admin]
+
+as testid@aaf.att.com
+# TC_Role1.10.12.POS Assign user for creating creds
+user role add testid@aaf.att.com com.test.TC_Role1.@[user.name].cred_admin
+** Expect 201 **
+Added Role [com.test.TC_Role1.@[THE_USER].cred_admin] to User [testid@aaf.att.com]
+
+# TC_Role1.20.1.POS List Data on non-Empty NS
+ns list name com.test.TC_Role1.@[user.name]
+** Expect 200 **
+
+List Namespaces by Name[com.test.TC_Role1.@[THE_USER]]
+--------------------------------------------------------------------------------
+com.test.TC_Role1.@[THE_USER]
+ Administrators
+ testid@aaf.att.com
+ Responsible Parties
+ @[THE_USER]@csp.att.com
+ Roles
+ com.test.TC_Role1.@[THE_USER].admin
+ com.test.TC_Role1.@[THE_USER].cred_admin
+ com.test.TC_Role1.@[THE_USER].owner
+ Permissions
+ com.test.TC_Role1.@[THE_USER].access * *
+ com.test.TC_Role1.@[THE_USER].access * read
+
+# TC_Role1.20.2.POS Add Roles
+role create com.test.TC_Role1.@[user.name].r.A
+** Expect 201 **
+Created Role
+
+role create com.test.TC_Role1.@[user.name].r.B
+** Expect 201 **
+Created Role
+
+# TC_Role1.20.3.POS List Data on non-Empty NS
+ns list name com.test.TC_Role1.@[user.name]
+** Expect 200 **
+
+List Namespaces by Name[com.test.TC_Role1.@[THE_USER]]
+--------------------------------------------------------------------------------
+com.test.TC_Role1.@[THE_USER]
+ Administrators
+ testid@aaf.att.com
+ Responsible Parties
+ @[THE_USER]@csp.att.com
+ Roles
+ com.test.TC_Role1.@[THE_USER].admin
+ com.test.TC_Role1.@[THE_USER].cred_admin
+ com.test.TC_Role1.@[THE_USER].owner
+ com.test.TC_Role1.@[THE_USER].r.A
+ com.test.TC_Role1.@[THE_USER].r.B
+ Permissions
+ com.test.TC_Role1.@[THE_USER].access * *
+ com.test.TC_Role1.@[THE_USER].access * read
+
+# TC_Role1.20.4.NEG Don't write over Role
+role create com.test.TC_Role1.@[user.name].r.A
+** Expect 409 **
+Failed [SVC1409]: Conflict Already Exists - Role [com.test.TC_Role1.@[THE_USER].r.A] already exists
+
+# TC_Role1.20.5.NEG Don't allow non-user to create
+as bogus
+role create com.test.TC_Role1.@[user.name].r.No
+** Expect 401 **
+Failed with code 401, Unauthorized
+
+# TC_Role1.20.6.NEG Don't allow non-user to create without Approval
+as testunused@aaf.att.com
+role create com.test.TC_Role1.@[user.name].r.No
+** Expect 403 **
+Failed [SVC1403]: Forbidden - [testunused@aaf.att.com] may not write Role [com.test.TC_Role1.@[THE_USER].r.No]
+
+# TC_Role1.20.10.NEG Non-admins can't change description
+as testunused@aaf.att.com
+role describe com.test.TC_Role1.@[user.name].r.A Description A
+** Expect 403 **
+Failed [SVC1403]: Forbidden - You do not have approval to change com.test.TC_Role1.@[THE_USER].r.A
+
+# TC_Role1.20.11.NEG Role must exist to change description
+as testid@aaf.att.com
+role describe com.test.TC_Role1.@[user.name].r.C Description C
+** Expect 404 **
+Failed [SVC1404]: Not Found - Role [com.test.TC_Role1.@[THE_USER].r.C] does not exist
+
+# TC_Role1.20.12.POS Admin can change description
+role describe com.test.TC_Role1.@[user.name].r.A Description A
+** Expect 200 **
+Description added to role
+
+# TC_Role1.30.1.POS List Data on non-Empty NS
+as testid@aaf.att.com
+ns list name com.test.TC_Role1.@[user.name]
+** Expect 200 **
+
+List Namespaces by Name[com.test.TC_Role1.@[THE_USER]]
+--------------------------------------------------------------------------------
+com.test.TC_Role1.@[THE_USER]
+ Administrators
+ testid@aaf.att.com
+ Responsible Parties
+ @[THE_USER]@csp.att.com
+ Roles
+ com.test.TC_Role1.@[THE_USER].admin
+ com.test.TC_Role1.@[THE_USER].cred_admin
+ com.test.TC_Role1.@[THE_USER].owner
+ com.test.TC_Role1.@[THE_USER].r.A
+ com.test.TC_Role1.@[THE_USER].r.B
+ Permissions
+ com.test.TC_Role1.@[THE_USER].access * *
+ com.test.TC_Role1.@[THE_USER].access * read
+
+# TC_Role1.30.2.POS Create Sub-ns when Roles that exist
+ns create com.test.TC_Role1.@[user.name].r @[user.name] testid@aaf.att.com
+** Expect 201 **
+Created Namespace
+
+# TC_Role1.30.3.POS List Data on NS with sub-roles
+ns list name com.test.TC_Role1.@[user.name]
+** Expect 200 **
+
+List Namespaces by Name[com.test.TC_Role1.@[THE_USER]]
+--------------------------------------------------------------------------------
+com.test.TC_Role1.@[THE_USER]
+ Administrators
+ testid@aaf.att.com
+ Responsible Parties
+ @[THE_USER]@csp.att.com
+ Roles
+ com.test.TC_Role1.@[THE_USER].admin
+ com.test.TC_Role1.@[THE_USER].cred_admin
+ com.test.TC_Role1.@[THE_USER].owner
+ Permissions
+ com.test.TC_Role1.@[THE_USER].access * *
+ com.test.TC_Role1.@[THE_USER].access * read
+
+ns list name com.test.TC_Role1.@[user.name].r
+** Expect 200 **
+
+List Namespaces by Name[com.test.TC_Role1.@[THE_USER].r]
+--------------------------------------------------------------------------------
+com.test.TC_Role1.@[THE_USER].r
+ Administrators
+ testid@aaf.att.com
+ Responsible Parties
+ @[THE_USER]@csp.att.com
+ Roles
+ com.test.TC_Role1.@[THE_USER].r.A
+ com.test.TC_Role1.@[THE_USER].r.B
+ com.test.TC_Role1.@[THE_USER].r.admin
+ com.test.TC_Role1.@[THE_USER].r.owner
+ Permissions
+ com.test.TC_Role1.@[THE_USER].r.access * *
+ com.test.TC_Role1.@[THE_USER].r.access * read
+
+# TC_Role1.40.01.POS List Data on non-Empty NS
+role list role com.test.TC_Role1.@[user.name].r.A
+** Expect 200 **
+
+List Roles for Role[com.test.TC_Role1.@[THE_USER].r.A]
+--------------------------------------------------------------------------------
+ROLE Name
+ PERM Type Instance Action
+--------------------------------------------------------------------------------
+com.test.TC_Role1.@[THE_USER].r.A
+
+# TC_Role1.40.20.POS Create a Perm, and add to Role
+perm create com.test.TC_Role1.@[user.name].samplePerm1 some.long(involved).text SELECT com.test.TC_Role1.@[user.name].r.A
+** Expect 201 **
+Created Permission
+Granted Permission [com.test.TC_Role1.@[THE_USER].samplePerm1|some.long(involved).text|SELECT] to Role [com.test.TC_Role1.@[THE_USER].r.A]
+
+# TC_Role1.40.25.POS List
+role list role com.test.TC_Role1.@[user.name].r.A
+** Expect 200 **
+
+List Roles for Role[com.test.TC_Role1.@[THE_USER].r.A]
+--------------------------------------------------------------------------------
+ROLE Name
+ PERM Type Instance Action
+--------------------------------------------------------------------------------
+com.test.TC_Role1.@[THE_USER].r.A
+ com.test.TC_Role1.@[THE_USER].samplePerm1 some.long(involved).text SELECT
+
+# TC_Role1.40.30.POS Create a Perm
+perm create com.test.TC_Role1.@[user.name].samplePerm1 some.other_long(less.involved).text lower_case
+** Expect 201 **
+Created Permission
+
+# TC_Role1.40.32.POS Separately Grant Perm
+perm grant com.test.TC_Role1.@[user.name].samplePerm1 some.other_long(less.involved).text lower_case com.test.TC_Role1.@[user.name].r.A
+** Expect 201 **
+Granted Permission [com.test.TC_Role1.@[THE_USER].samplePerm1|some.other_long(less.involved).text|lower_case] to Role [com.test.TC_Role1.@[THE_USER].r.A]
+
+# TC_Role1.40.35.POS List
+role list role com.test.TC_Role1.@[user.name].r.A
+** Expect 200 **
+
+List Roles for Role[com.test.TC_Role1.@[THE_USER].r.A]
+--------------------------------------------------------------------------------
+ROLE Name
+ PERM Type Instance Action
+--------------------------------------------------------------------------------
+com.test.TC_Role1.@[THE_USER].r.A
+ com.test.TC_Role1.@[THE_USER].samplePerm1 some.long(involved).text SELECT
+ com.test.TC_Role1.@[THE_USER].samplePerm1 some.other_long(less.involved).text lower_case
+
+# TC_Role1.50.1.POS Create user to attach to role
+user cred add m00001@@[user.name].TC_Role1.test.com password123
+** Expect 201 **
+Added Credential [m00001@@[THE_USER].TC_Role1.test.com]
+
+# TC_Role1.50.2.POS Create new role
+role create com.test.TC_Role1.@[user.name].r.C
+** Expect 201 **
+Created Role
+
+# TC_Role1.50.3.POS Attach user to role
+user role add m00001@@[user.name].TC_Role1.test.com com.test.TC_Role1.@[user.name].r.C
+** Expect 201 **
+Added Role [com.test.TC_Role1.@[THE_USER].r.C] to User [m00001@@[THE_USER].TC_Role1.test.com]
+
+# TC_Role1.50.4.POS Create permission and attach to role
+perm create com.test.TC_Role1.@[user.name].p.C myInstance myAction com.test.TC_Role1.@[user.name].r.C
+** Expect 201 **
+Created Permission
+Granted Permission [com.test.TC_Role1.@[THE_USER].p.C|myInstance|myAction] to Role [com.test.TC_Role1.@[THE_USER].r.C]
+
+# TC_Role1.50.20.NEG Delete role with permission and user attached should fail
+role delete com.test.TC_Role1.@[user.name].r.C
+** Expect 424 **
+Failed [SVC1424]: Failed Dependency - Role [com.test.TC_Role1.@[THE_USER].r.C] cannot be deleted as it is used by 1 or more Users.
+
+# TC_Role1.50.21.POS Force delete role should work
+set force true
+set force=true role delete com.test.TC_Role1.@[user.name].r.C
+** Expect 200 **
+Deleted Role
+
+# TC_Role1.50.30.POS List Data on non-Empty NS
+ns list name com.test.TC_Role1.@[user.name]
+** Expect 200 **
+
+List Namespaces by Name[com.test.TC_Role1.@[THE_USER]]
+--------------------------------------------------------------------------------
+com.test.TC_Role1.@[THE_USER]
+ Administrators
+ testid@aaf.att.com
+ Responsible Parties
+ @[THE_USER]@csp.att.com
+ Roles
+ com.test.TC_Role1.@[THE_USER].admin
+ com.test.TC_Role1.@[THE_USER].cred_admin
+ com.test.TC_Role1.@[THE_USER].owner
+ Permissions
+ com.test.TC_Role1.@[THE_USER].access * *
+ com.test.TC_Role1.@[THE_USER].access * read
+ com.test.TC_Role1.@[THE_USER].p.C myInstance myAction
+ com.test.TC_Role1.@[THE_USER].samplePerm1 some.long(involved).text SELECT
+ com.test.TC_Role1.@[THE_USER].samplePerm1 some.other_long(less.involved).text lower_case
+ Credentials
+ m00001@@[THE_USER].TC_Role1.test.com
+
+# Need to let DB catch up on deletes
+sleep 0
+as testid@aaf.att.com
+# TC_Role1.99.05.POS Remove Permissions from "40_reports"
+set force true
+set force=true perm delete com.test.TC_Role1.@[user.name].samplePerm1 some.long(involved).text SELECT
+** Expect 200,404 **
+Deleted Permission
+
+set force true
+set force=true perm delete com.test.TC_Role1.@[user.name].samplePerm1 some.other_long(less.involved).text lower_case
+** Expect 200,404 **
+Deleted Permission
+
+# TC_Role1.99.10.POS Namespace Admin can delete Namepace defined Roles
+force role delete com.test.TC_Role1.@[user.name].r.A
+** Expect 200,404 **
+Deleted Role
+
+force role delete com.test.TC_Role1.@[user.name].r.B
+** Expect 200,404 **
+Deleted Role
+
+force role delete com.test.TC_Role1.@[user.name].r.C
+** Expect 200,404 **
+Failed [SVC3404]: Not Found - Role [com.test.TC_Role1.@[THE_USER].r.C] does not exist
+
+# TC_Role1.99.15.POS Remove ability to create creds
+user role del testid@aaf.att.com com.test.TC_Role1.@[user.name].cred_admin
+** Expect 200,404 **
+Removed Role [com.test.TC_Role1.@[THE_USER].cred_admin] from User [testid@aaf.att.com]
+
+as XX@NS
+perm ungrant com.att.aaf.mechid com.att create com.test.TC_Role1.@[user.name].cred_admin
+** Expect 200,404 **
+UnGranted Permission [com.att.aaf.mechid|com.att|create] from Role [com.test.TC_Role1.@[THE_USER].cred_admin]
+
+as testid@aaf.att.com
+role delete com.test.TC_Role1.@[user.name].cred_admin
+** Expect 200,404 **
+Deleted Role
+
+# TC_Role1.99.20.POS Namespace Admin can delete permissions and credentials
+perm delete com.test.TC_Role1.@[user.name].p.C myInstance myAction
+** Expect 200,404 **
+Deleted Permission
+
+set force true
+user cred del m00001@@[user.name].TC_Role1.test.com
+** Expect 200,404 **
+Deleted Credential [m00001@@[THE_USER].TC_Role1.test.com]
+
+# TC_Role1.99.90.POS Namespace Admin can delete Namespace
+force ns delete com.test.TC_Role1.@[user.name].r
+** Expect 200,404 **
+Deleted Namespace
+
+force ns delete com.test.TC_Role1.@[user.name]
+** Expect 200,404 **
+Deleted Namespace
+
+# TC_Role1.99.99.POS List to prove clean Namespaces
+ns list name com.test.TC_Role1.@[user.name].r
+** Expect 200,404 **
+
+List Namespaces by Name[com.test.TC_Role1.@[THE_USER].r]
+--------------------------------------------------------------------------------
+ *** Namespace Not Found ***
+
+ns list name com.test.TC_Role1.@[user.name]
+** Expect 200,404 **
+
+List Namespaces by Name[com.test.TC_Role1.@[THE_USER]]
+--------------------------------------------------------------------------------
+ *** Namespace Not Found ***
+
Code Review / aaf / authz.git / blobdiff