eric-maynard commented on code in PR #1353:
URL: https://github.com/apache/polaris/pull/1353#discussion_r2038934219
##########
quarkus/service/src/test/java/org/apache/polaris/service/quarkus/admin/ManagementServiceTest.java:
##########
@@ -158,4 +173,150 @@ public void
testUpdateCatalogWithDisallowedStorageConfig() {
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("Unsupported storage type: FILE");
}
+
+ private PolarisMetaStoreManager setupMetaStoreManager() {
+ MetaStoreManagerFactory metaStoreManagerFactory =
services.metaStoreManagerFactory();
+ RealmContext realmContext = services.realmContext();
+ return metaStoreManagerFactory.getOrCreateMetaStoreManager(realmContext);
+ }
+
+ private PolarisCallContext setupCallContext(PolarisMetaStoreManager
metaStoreManager) {
+ MetaStoreManagerFactory metaStoreManagerFactory =
services.metaStoreManagerFactory();
+ RealmContext realmContext = services.realmContext();
+ return new PolarisCallContext(
+ metaStoreManagerFactory.getOrCreateSessionSupplier(realmContext).get(),
+ services.polarisDiagnostics());
+ }
+
+ private PolarisAdminService setupPolarisAdminService(
+ PolarisMetaStoreManager metaStoreManager, PolarisCallContext
callContext) {
+ RealmContext realmContext = services.realmContext();
+ return new PolarisAdminService(
+ CallContext.of(realmContext, callContext),
+ services.entityManagerFactory().getOrCreateEntityManager(realmContext),
+ metaStoreManager,
+ new SecurityContext() {
+ @Override
+ public Principal getUserPrincipal() {
+ return new AuthenticatedPolarisPrincipal(
+ new PrincipalEntity.Builder().setName("root").build(),
Set.of("service_admin"));
+ }
+
+ @Override
+ public boolean isUserInRole(String role) {
+ return true;
+ }
+
+ @Override
+ public boolean isSecure() {
+ return false;
+ }
+
+ @Override
+ public String getAuthenticationScheme() {
+ return "";
+ }
+ },
+ new PolarisAuthorizerImpl(new DefaultConfigurationStore(Map.of())));
+ }
+
+ private PrincipalEntity createPrincipal(
+ PolarisMetaStoreManager metaStoreManager,
+ PolarisCallContext callContext,
+ String name,
+ boolean isFederated) {
+ return new PrincipalEntity.Builder()
+ .setFederated(isFederated)
+ .setName(name)
+ .setCreateTimestamp(Instant.now().toEpochMilli())
+ .setId(metaStoreManager.generateNewEntityId(callContext).getId())
+ .build();
+ }
+
+ private PrincipalRoleEntity createRole(
+ PolarisMetaStoreManager metaStoreManager,
+ PolarisCallContext callContext,
+ String name,
+ boolean isFederated) {
+ return new PrincipalRoleEntity.Builder()
+ .setId(metaStoreManager.generateNewEntityId(callContext).getId())
+ .setName(name)
+ .setFederated(isFederated)
+ .setProperties(Map.of())
+ .setCreateTimestamp(Instant.now().toEpochMilli())
+ .setLastUpdateTimestamp(Instant.now().toEpochMilli())
+ .build();
+ }
+
+ @Test
+ public void testCannotAddFederatedPrincipalToNonFederatedRole() {
+ PolarisMetaStoreManager metaStoreManager = setupMetaStoreManager();
+ PolarisCallContext callContext = setupCallContext(metaStoreManager);
+ PolarisAdminService polarisAdminService =
+ setupPolarisAdminService(metaStoreManager, callContext);
+
+ PrincipalEntity federatedPrincipal =
+ createPrincipal(metaStoreManager, callContext, "federated_id", true);
+ metaStoreManager.createPrincipal(callContext, federatedPrincipal);
+
+ PrincipalRoleEntity nonFederatedRole =
+ createRole(metaStoreManager, callContext, "non_federated_role", false);
+ EntityResult result =
+ metaStoreManager.createEntityIfNotExists(callContext, null,
nonFederatedRole);
+ assertThat(result.isSuccess()).isTrue();
+
+ assertThatThrownBy(
+ () ->
+ polarisAdminService.assignPrincipalRole(
+ federatedPrincipal.getName(), nonFederatedRole.getName()))
+ .isInstanceOf(ValidationException.class);
+ }
+
+ @Test
+ public void testCannotAddNonFederatedPrincipalToFederatedRole() {
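Review bot: In `testCannotAddFederatedPrincipalToNonFederatedRole` the result of `metaStoreManager.createPrincipal(callContext, federatedPrincipal)` is discarded, and the final assertion checks only `isInstanceOf(ValidationException.class)`. The role creation just below it is verified with `result.isSuccess()`, so the two setup steps are not held to the same standard. If the principal is not persisted, or `assignPrincipalRole` raises `ValidationException` for some other reason (not visible here), the test would still pass without exercising the federated/non-federated boundary it is meant to guard. I would assert the setup step, e.g. `assertThat(metaStoreManager.createPrincipal(callContext, federatedPrincipal).isSuccess()).isTrue();` (assuming that result exposes `isSuccess()` as `EntityResult` does), and add a `.hasMessageContaining(...)` check with the text of the federation rejection. The quoted hunk stops at the signature of `testCannotAddNonFederatedPrincipalToFederatedRole`, so whether the same applies there cannot be seen from here.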
Review Comment:
It could make sense to use a parameterized test here. IIUC there is
basically a table like the following:
| Principal Type | Principal Role Type | Can Attach |
| ------------- | ------------- | -- |
| Non-Federated | Non-Federated | Yes |
| Non-Federated | Federated | No |
| Federated | Non-Federated | No |
| Federated | Federated | No |