Make the superuser flag bypass TLD access checks
The --superuser flag in the nomulus command-line tool should bypass the check on whether the passed-in registrar client ID has access to the TLD in question, but currently it does not. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=158974462
parent
3a02e6fb11
commit
580c41f2d6
26 changed files with 223 additions and 38 deletions
|
@ -89,9 +89,9 @@ public final class ClaimsCheckFlow implements Flow {
|
||||||
String tld = domainName.parent().toString();
|
String tld = domainName.parent().toString();
|
||||||
// Only validate access to a TLD the first time it is encountered.
|
// Only validate access to a TLD the first time it is encountered.
|
||||||
if (seenTlds.add(tld)) {
|
if (seenTlds.add(tld)) {
|
||||||
checkAllowedAccessToTld(clientId, tld);
|
|
||||||
Registry registry = Registry.get(tld);
|
|
||||||
if (!isSuperuser) {
|
if (!isSuperuser) {
|
||||||
|
checkAllowedAccessToTld(clientId, tld);
|
||||||
|
Registry registry = Registry.get(tld);
|
||||||
DateTime now = clock.nowUtc();
|
DateTime now = clock.nowUtc();
|
||||||
verifyNotInPredelegation(registry, now);
|
verifyNotInPredelegation(registry, now);
|
||||||
if (registry.getTldState(now) == TldState.SUNRISE) {
|
if (registry.getTldState(now) == TldState.SUNRISE) {
|
||||||
|
|
|
@ -203,7 +203,10 @@ public final class DomainApplicationCreateFlow implements TransactionalFlow {
|
||||||
InternetDomainName domainName = validateDomainName(targetId);
|
InternetDomainName domainName = validateDomainName(targetId);
|
||||||
String idnTableName = validateDomainNameWithIdnTables(domainName);
|
String idnTableName = validateDomainNameWithIdnTables(domainName);
|
||||||
String tld = domainName.parent().toString();
|
String tld = domainName.parent().toString();
|
||||||
checkAllowedAccessToTld(clientId, tld);
|
if (!isSuperuser) {
|
||||||
|
// Access to the TLD should be checked before the subsequent checks as it is a greater concern
|
||||||
|
checkAllowedAccessToTld(clientId, tld);
|
||||||
|
}
|
||||||
Registry registry = Registry.get(tld);
|
Registry registry = Registry.get(tld);
|
||||||
FeesAndCredits feesAndCredits =
|
FeesAndCredits feesAndCredits =
|
||||||
pricingLogic.getCreatePrice(registry, targetId, now, command.getPeriod().getValue());
|
pricingLogic.getCreatePrice(registry, targetId, now, command.getPeriod().getValue());
|
||||||
|
|
|
@ -88,8 +88,8 @@ public final class DomainApplicationDeleteFlow implements TransactionalFlow {
|
||||||
verifyApplicationDomainMatchesTargetId(existingApplication, targetId);
|
verifyApplicationDomainMatchesTargetId(existingApplication, targetId);
|
||||||
verifyOptionalAuthInfo(authInfo, existingApplication);
|
verifyOptionalAuthInfo(authInfo, existingApplication);
|
||||||
String tld = existingApplication.getTld();
|
String tld = existingApplication.getTld();
|
||||||
checkAllowedAccessToTld(clientId, tld);
|
|
||||||
if (!isSuperuser) {
|
if (!isSuperuser) {
|
||||||
|
checkAllowedAccessToTld(clientId, tld);
|
||||||
Registry registry = Registry.get(tld);
|
Registry registry = Registry.get(tld);
|
||||||
verifyRegistryStateAllowsLaunchFlows(registry, now);
|
verifyRegistryStateAllowsLaunchFlows(registry, now);
|
||||||
verifyLaunchPhaseMatchesRegistryPhase(
|
verifyLaunchPhaseMatchesRegistryPhase(
|
||||||
|
|
|
@ -174,13 +174,13 @@ public class DomainApplicationUpdateFlow implements TransactionalFlow {
|
||||||
DomainApplication existingApplication, Update command, DateTime now) throws EppException {
|
DomainApplication existingApplication, Update command, DateTime now) throws EppException {
|
||||||
AddRemove add = command.getInnerAdd();
|
AddRemove add = command.getInnerAdd();
|
||||||
AddRemove remove = command.getInnerRemove();
|
AddRemove remove = command.getInnerRemove();
|
||||||
|
String tld = existingApplication.getTld();
|
||||||
if (!isSuperuser) {
|
if (!isSuperuser) {
|
||||||
verifyResourceOwnership(clientId, existingApplication);
|
verifyResourceOwnership(clientId, existingApplication);
|
||||||
verifyClientUpdateNotProhibited(command, existingApplication);
|
verifyClientUpdateNotProhibited(command, existingApplication);
|
||||||
verifyAllStatusesAreClientSettable(union(add.getStatusValues(), remove.getStatusValues()));
|
verifyAllStatusesAreClientSettable(union(add.getStatusValues(), remove.getStatusValues()));
|
||||||
|
checkAllowedAccessToTld(clientId, tld);
|
||||||
}
|
}
|
||||||
String tld = existingApplication.getTld();
|
|
||||||
checkAllowedAccessToTld(clientId, tld);
|
|
||||||
if (UPDATE_DISALLOWED_APPLICATION_STATUSES
|
if (UPDATE_DISALLOWED_APPLICATION_STATUSES
|
||||||
.contains(existingApplication.getApplicationStatus())) {
|
.contains(existingApplication.getApplicationStatus())) {
|
||||||
throw new ApplicationStatusProhibitsUpdateException(
|
throw new ApplicationStatusProhibitsUpdateException(
|
||||||
|
|
|
@ -136,11 +136,10 @@ public final class DomainCheckFlow implements Flow {
|
||||||
// This validation is moderately expensive, so cache the results.
|
// This validation is moderately expensive, so cache the results.
|
||||||
domains.put(targetId, domainName);
|
domains.put(targetId, domainName);
|
||||||
String tld = domainName.parent().toString();
|
String tld = domainName.parent().toString();
|
||||||
if (seenTlds.add(tld)) {
|
boolean tldFirstTimeSeen = seenTlds.add(tld);
|
||||||
|
if (tldFirstTimeSeen && !isSuperuser) {
|
||||||
checkAllowedAccessToTld(clientId, tld);
|
checkAllowedAccessToTld(clientId, tld);
|
||||||
if (!isSuperuser) {
|
verifyNotInPredelegation(Registry.get(tld), now);
|
||||||
verifyNotInPredelegation(Registry.get(tld), now);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ImmutableMap<String, InternetDomainName> domainNames = domains.build();
|
ImmutableMap<String, InternetDomainName> domainNames = domains.build();
|
||||||
|
|
|
@ -211,8 +211,8 @@ public final class DomainDeleteFlow implements TransactionalFlow {
|
||||||
if (!isSuperuser) {
|
if (!isSuperuser) {
|
||||||
verifyResourceOwnership(clientId, existingDomain);
|
verifyResourceOwnership(clientId, existingDomain);
|
||||||
verifyNotInPredelegation(registry, now);
|
verifyNotInPredelegation(registry, now);
|
||||||
|
checkAllowedAccessToTld(clientId, registry.getTld().toString());
|
||||||
}
|
}
|
||||||
checkAllowedAccessToTld(clientId, registry.getTld().toString());
|
|
||||||
if (!existingDomain.getSubordinateHosts().isEmpty()) {
|
if (!existingDomain.getSubordinateHosts().isEmpty()) {
|
||||||
throw new DomainToDeleteHasHostsException();
|
throw new DomainToDeleteHasHostsException();
|
||||||
}
|
}
|
||||||
|
|
|
@ -219,8 +219,8 @@ public final class DomainRenewFlow implements TransactionalFlow {
|
||||||
verifyNoDisallowedStatuses(existingDomain, RENEW_DISALLOWED_STATUSES);
|
verifyNoDisallowedStatuses(existingDomain, RENEW_DISALLOWED_STATUSES);
|
||||||
if (!isSuperuser) {
|
if (!isSuperuser) {
|
||||||
verifyResourceOwnership(clientId, existingDomain);
|
verifyResourceOwnership(clientId, existingDomain);
|
||||||
|
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
||||||
}
|
}
|
||||||
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
|
||||||
verifyUnitIsYears(command.getPeriod());
|
verifyUnitIsYears(command.getPeriod());
|
||||||
// If the date they specify doesn't match the expiration, fail. (This is an idempotence check).
|
// If the date they specify doesn't match the expiration, fail. (This is an idempotence check).
|
||||||
if (!command.getCurrentExpirationDate().equals(
|
if (!command.getCurrentExpirationDate().equals(
|
||||||
|
|
|
@ -188,6 +188,7 @@ public final class DomainRestoreRequestFlow implements TransactionalFlow {
|
||||||
verifyResourceOwnership(clientId, existingDomain);
|
verifyResourceOwnership(clientId, existingDomain);
|
||||||
verifyNotReserved(InternetDomainName.from(targetId), false);
|
verifyNotReserved(InternetDomainName.from(targetId), false);
|
||||||
verifyPremiumNameIsNotBlocked(targetId, now, clientId);
|
verifyPremiumNameIsNotBlocked(targetId, now, clientId);
|
||||||
|
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
||||||
}
|
}
|
||||||
// No other changes can be specified on a restore request.
|
// No other changes can be specified on a restore request.
|
||||||
if (!command.noChangesPresent()) {
|
if (!command.noChangesPresent()) {
|
||||||
|
@ -197,7 +198,6 @@ public final class DomainRestoreRequestFlow implements TransactionalFlow {
|
||||||
if (!existingDomain.getGracePeriodStatuses().contains(GracePeriodStatus.REDEMPTION)) {
|
if (!existingDomain.getGracePeriodStatuses().contains(GracePeriodStatus.REDEMPTION)) {
|
||||||
throw new DomainNotEligibleForRestoreException();
|
throw new DomainNotEligibleForRestoreException();
|
||||||
}
|
}
|
||||||
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
|
||||||
validateFeeChallenge(targetId, existingDomain.getTld(), now, feeUpdate, feesAndCredits);
|
validateFeeChallenge(targetId, existingDomain.getTld(), now, feeUpdate, feesAndCredits);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -36,6 +36,7 @@ import com.googlecode.objectify.Key;
|
||||||
import google.registry.flows.EppException;
|
import google.registry.flows.EppException;
|
||||||
import google.registry.flows.ExtensionManager;
|
import google.registry.flows.ExtensionManager;
|
||||||
import google.registry.flows.FlowModule.ClientId;
|
import google.registry.flows.FlowModule.ClientId;
|
||||||
|
import google.registry.flows.FlowModule.Superuser;
|
||||||
import google.registry.flows.FlowModule.TargetId;
|
import google.registry.flows.FlowModule.TargetId;
|
||||||
import google.registry.flows.TransactionalFlow;
|
import google.registry.flows.TransactionalFlow;
|
||||||
import google.registry.flows.annotations.ReportingSpec;
|
import google.registry.flows.annotations.ReportingSpec;
|
||||||
|
@ -83,6 +84,7 @@ public final class DomainTransferApproveFlow implements TransactionalFlow {
|
||||||
@Inject Optional<AuthInfo> authInfo;
|
@Inject Optional<AuthInfo> authInfo;
|
||||||
@Inject @ClientId String clientId;
|
@Inject @ClientId String clientId;
|
||||||
@Inject @TargetId String targetId;
|
@Inject @TargetId String targetId;
|
||||||
|
@Inject @Superuser boolean isSuperuser;
|
||||||
@Inject HistoryEntry.Builder historyBuilder;
|
@Inject HistoryEntry.Builder historyBuilder;
|
||||||
@Inject EppResponse.Builder responseBuilder;
|
@Inject EppResponse.Builder responseBuilder;
|
||||||
@Inject DomainTransferApproveFlow() {}
|
@Inject DomainTransferApproveFlow() {}
|
||||||
|
@ -102,7 +104,9 @@ public final class DomainTransferApproveFlow implements TransactionalFlow {
|
||||||
verifyHasPendingTransfer(existingDomain);
|
verifyHasPendingTransfer(existingDomain);
|
||||||
verifyResourceOwnership(clientId, existingDomain);
|
verifyResourceOwnership(clientId, existingDomain);
|
||||||
String tld = existingDomain.getTld();
|
String tld = existingDomain.getTld();
|
||||||
checkAllowedAccessToTld(clientId, tld);
|
if (!isSuperuser) {
|
||||||
|
checkAllowedAccessToTld(clientId, tld);
|
||||||
|
}
|
||||||
TransferData transferData = existingDomain.getTransferData();
|
TransferData transferData = existingDomain.getTransferData();
|
||||||
String gainingClientId = transferData.getGainingClientId();
|
String gainingClientId = transferData.getGainingClientId();
|
||||||
HistoryEntry historyEntry = historyBuilder
|
HistoryEntry historyEntry = historyBuilder
|
||||||
|
|
|
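Review bot: The new `if (!isSuperuser)` guard in DomainTransferApproveFlow covers only `checkAllowedAccessToTld(clientId, tld)`, while `verifyResourceOwnership(clientId, existingDomain)` two statements above it stays unconditional. DomainUpdateFlow and DomainDeleteFlow in this commit keep the ownership check inside the superuser guard, so the flows now differ in how much a superuser may skip. If that is intended, say so at the guard so a later change does not widen it by analogy, e.g. `// Superusers skip only the TLD access check; ownership is still verified above.` The same applies to `verifyTransferInitiator` in DomainTransferCancelFlow and `verifyResourceOwnership` in DomainTransferRejectFlow. The enclosing method starts and ends outside the hunk.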
@ -32,6 +32,7 @@ import com.googlecode.objectify.Key;
|
||||||
import google.registry.flows.EppException;
|
import google.registry.flows.EppException;
|
||||||
import google.registry.flows.ExtensionManager;
|
import google.registry.flows.ExtensionManager;
|
||||||
import google.registry.flows.FlowModule.ClientId;
|
import google.registry.flows.FlowModule.ClientId;
|
||||||
|
import google.registry.flows.FlowModule.Superuser;
|
||||||
import google.registry.flows.FlowModule.TargetId;
|
import google.registry.flows.FlowModule.TargetId;
|
||||||
import google.registry.flows.TransactionalFlow;
|
import google.registry.flows.TransactionalFlow;
|
||||||
import google.registry.flows.annotations.ReportingSpec;
|
import google.registry.flows.annotations.ReportingSpec;
|
||||||
|
@ -71,6 +72,7 @@ public final class DomainTransferCancelFlow implements TransactionalFlow {
|
||||||
@Inject Optional<AuthInfo> authInfo;
|
@Inject Optional<AuthInfo> authInfo;
|
||||||
@Inject @ClientId String clientId;
|
@Inject @ClientId String clientId;
|
||||||
@Inject @TargetId String targetId;
|
@Inject @TargetId String targetId;
|
||||||
|
@Inject @Superuser boolean isSuperuser;
|
||||||
@Inject HistoryEntry.Builder historyBuilder;
|
@Inject HistoryEntry.Builder historyBuilder;
|
||||||
@Inject EppResponse.Builder responseBuilder;
|
@Inject EppResponse.Builder responseBuilder;
|
||||||
@Inject DomainTransferCancelFlow() {}
|
@Inject DomainTransferCancelFlow() {}
|
||||||
|
@ -85,7 +87,9 @@ public final class DomainTransferCancelFlow implements TransactionalFlow {
|
||||||
verifyOptionalAuthInfo(authInfo, existingDomain);
|
verifyOptionalAuthInfo(authInfo, existingDomain);
|
||||||
verifyHasPendingTransfer(existingDomain);
|
verifyHasPendingTransfer(existingDomain);
|
||||||
verifyTransferInitiator(clientId, existingDomain);
|
verifyTransferInitiator(clientId, existingDomain);
|
||||||
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
if (!isSuperuser) {
|
||||||
|
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
||||||
|
}
|
||||||
HistoryEntry historyEntry = historyBuilder
|
HistoryEntry historyEntry = historyBuilder
|
||||||
.setType(HistoryEntry.Type.DOMAIN_TRANSFER_CANCEL)
|
.setType(HistoryEntry.Type.DOMAIN_TRANSFER_CANCEL)
|
||||||
.setOtherClientId(existingDomain.getTransferData().getLosingClientId())
|
.setOtherClientId(existingDomain.getTransferData().getLosingClientId())
|
||||||
|
|
|
@ -32,6 +32,7 @@ import com.googlecode.objectify.Key;
|
||||||
import google.registry.flows.EppException;
|
import google.registry.flows.EppException;
|
||||||
import google.registry.flows.ExtensionManager;
|
import google.registry.flows.ExtensionManager;
|
||||||
import google.registry.flows.FlowModule.ClientId;
|
import google.registry.flows.FlowModule.ClientId;
|
||||||
|
import google.registry.flows.FlowModule.Superuser;
|
||||||
import google.registry.flows.FlowModule.TargetId;
|
import google.registry.flows.FlowModule.TargetId;
|
||||||
import google.registry.flows.TransactionalFlow;
|
import google.registry.flows.TransactionalFlow;
|
||||||
import google.registry.flows.annotations.ReportingSpec;
|
import google.registry.flows.annotations.ReportingSpec;
|
||||||
|
@ -71,6 +72,7 @@ public final class DomainTransferRejectFlow implements TransactionalFlow {
|
||||||
@Inject Optional<AuthInfo> authInfo;
|
@Inject Optional<AuthInfo> authInfo;
|
||||||
@Inject @ClientId String clientId;
|
@Inject @ClientId String clientId;
|
||||||
@Inject @TargetId String targetId;
|
@Inject @TargetId String targetId;
|
||||||
|
@Inject @Superuser boolean isSuperuser;
|
||||||
@Inject HistoryEntry.Builder historyBuilder;
|
@Inject HistoryEntry.Builder historyBuilder;
|
||||||
@Inject EppResponse.Builder responseBuilder;
|
@Inject EppResponse.Builder responseBuilder;
|
||||||
@Inject DomainTransferRejectFlow() {}
|
@Inject DomainTransferRejectFlow() {}
|
||||||
|
@ -91,7 +93,9 @@ public final class DomainTransferRejectFlow implements TransactionalFlow {
|
||||||
verifyOptionalAuthInfo(authInfo, existingDomain);
|
verifyOptionalAuthInfo(authInfo, existingDomain);
|
||||||
verifyHasPendingTransfer(existingDomain);
|
verifyHasPendingTransfer(existingDomain);
|
||||||
verifyResourceOwnership(clientId, existingDomain);
|
verifyResourceOwnership(clientId, existingDomain);
|
||||||
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
if (!isSuperuser) {
|
||||||
|
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
||||||
|
}
|
||||||
DomainResource newDomain =
|
DomainResource newDomain =
|
||||||
denyPendingTransfer(existingDomain, TransferStatus.CLIENT_REJECTED, now);
|
denyPendingTransfer(existingDomain, TransferStatus.CLIENT_REJECTED, now);
|
||||||
ofy().save().<ImmutableObject>entities(
|
ofy().save().<ImmutableObject>entities(
|
||||||
|
|
|
@ -217,9 +217,9 @@ public final class DomainTransferRequestFlow implements TransactionalFlow {
|
||||||
if (gainingClientId.equals(existingDomain.getCurrentSponsorClientId())) {
|
if (gainingClientId.equals(existingDomain.getCurrentSponsorClientId())) {
|
||||||
throw new ObjectAlreadySponsoredException();
|
throw new ObjectAlreadySponsoredException();
|
||||||
}
|
}
|
||||||
checkAllowedAccessToTld(gainingClientId, existingDomain.getTld());
|
|
||||||
verifyTransferPeriodIsOneYear(period);
|
verifyTransferPeriodIsOneYear(period);
|
||||||
if (!isSuperuser) {
|
if (!isSuperuser) {
|
||||||
|
checkAllowedAccessToTld(gainingClientId, existingDomain.getTld());
|
||||||
verifyPremiumNameIsNotBlocked(targetId, now, gainingClientId);
|
verifyPremiumNameIsNotBlocked(targetId, now, gainingClientId);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
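Review bot: For non-superusers, `checkAllowedAccessToTld(gainingClientId, existingDomain.getTld())` now runs after `verifyTransferPeriodIsOneYear(period)`, so a registrar with no access to the TLD gets a period-validation error before the authorization error. The comment this commit adds in DomainApplicationCreateFlow says TLD access should be checked before the subsequent checks. To keep that order here, leave the call where it was and wrap it in its own guard, `if (!isSuperuser) { checkAllowedAccessToTld(gainingClientId, existingDomain.getTld()); }`, ahead of the period check. The enclosing method starts outside the hunk.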
@ -212,14 +212,14 @@ public final class DomainUpdateFlow implements TransactionalFlow {
|
||||||
verifyOptionalAuthInfo(authInfo, existingDomain);
|
verifyOptionalAuthInfo(authInfo, existingDomain);
|
||||||
AddRemove add = command.getInnerAdd();
|
AddRemove add = command.getInnerAdd();
|
||||||
AddRemove remove = command.getInnerRemove();
|
AddRemove remove = command.getInnerRemove();
|
||||||
|
String tld = existingDomain.getTld();
|
||||||
if (!isSuperuser) {
|
if (!isSuperuser) {
|
||||||
verifyResourceOwnership(clientId, existingDomain);
|
verifyResourceOwnership(clientId, existingDomain);
|
||||||
verifyClientUpdateNotProhibited(command, existingDomain);
|
verifyClientUpdateNotProhibited(command, existingDomain);
|
||||||
verifyAllStatusesAreClientSettable(union(add.getStatusValues(), remove.getStatusValues()));
|
verifyAllStatusesAreClientSettable(union(add.getStatusValues(), remove.getStatusValues()));
|
||||||
|
checkAllowedAccessToTld(clientId, tld);
|
||||||
}
|
}
|
||||||
String tld = existingDomain.getTld();
|
|
||||||
Registry registry = Registry.get(tld);
|
Registry registry = Registry.get(tld);
|
||||||
checkAllowedAccessToTld(clientId, tld);
|
|
||||||
FeeTransformCommandExtension feeUpdate =
|
FeeTransformCommandExtension feeUpdate =
|
||||||
eppInput.getSingleExtension(FeeUpdateCommandExtension.class);
|
eppInput.getSingleExtension(FeeUpdateCommandExtension.class);
|
||||||
// If the fee extension is present, validate it (even if the cost is zero, to check for price
|
// If the fee extension is present, validate it (even if the cost is zero, to check for price
|
||||||
|
|
|
@ -31,7 +31,6 @@ import google.registry.model.domain.DomainResource;
|
||||||
import google.registry.model.registrar.Registrar;
|
import google.registry.model.registrar.Registrar;
|
||||||
import google.registry.model.registry.Registry;
|
import google.registry.model.registry.Registry;
|
||||||
import google.registry.model.registry.Registry.TldState;
|
import google.registry.model.registry.Registry.TldState;
|
||||||
import google.registry.testing.DatastoreHelper;
|
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
|
||||||
|
@ -81,7 +80,6 @@ public class ClaimsCheckFlowTest extends ResourceFlowTestCase<ClaimsCheckFlow, D
|
||||||
doSuccessfulTest("domain_check_claims_response.xml");
|
doSuccessfulTest("domain_check_claims_response.xml");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSuccess_multipleTlds() throws Exception {
|
public void testSuccess_multipleTlds() throws Exception {
|
||||||
setEppInput("domain_check_claims_multiple_tlds.xml");
|
setEppInput("domain_check_claims_multiple_tlds.xml");
|
||||||
|
@ -115,7 +113,7 @@ public class ClaimsCheckFlowTest extends ResourceFlowTestCase<ClaimsCheckFlow, D
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||||
DatastoreHelper.persistResource(
|
persistResource(
|
||||||
Registrar.loadByClientId("TheRegistrar")
|
Registrar.loadByClientId("TheRegistrar")
|
||||||
.asBuilder()
|
.asBuilder()
|
||||||
.setAllowedTlds(ImmutableSet.<String>of())
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
@ -124,6 +122,22 @@ public class ClaimsCheckFlowTest extends ResourceFlowTestCase<ClaimsCheckFlow, D
|
||||||
runFlow();
|
runFlow();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
|
persistClaimsList(
|
||||||
|
ImmutableMap.of("example2", "2013041500/2/6/9/rJ1NrDO92vDsAzf7EQzgjX4R0000000001"));
|
||||||
|
persistResource(
|
||||||
|
Registrar.loadByClientId("TheRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
|
assertTransactionalFlow(false);
|
||||||
|
assertNoHistory(); // Checks don't create a history event.
|
||||||
|
assertNoBillingEvents(); // Checks are always free.
|
||||||
|
runFlowAssertResponse(
|
||||||
|
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_check_claims_response.xml"));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testFailure_predelgation() throws Exception {
|
public void testFailure_predelgation() throws Exception {
|
||||||
createTld("tld", TldState.PREDELEGATION);
|
createTld("tld", TldState.PREDELEGATION);
|
||||||
|
|
|
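Review bot: In the added `testSuccess_superuserNotAuthorizedForTld`, `assertNoHistory()` and `assertNoBillingEvents()` are called before `runFlowAssertResponse(...)`, so they appear to check state from before the superuser flow executes. If the test is meant to show that a superuser claims check leaves no history entry or billing event, repeat both assertions after the `runFlowAssertResponse(CommitMode.LIVE, UserPrivileges.SUPERUSER, ...)` call. If the calls only mirror an existing helper in this class, a short comment saying so would help.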
@ -1131,6 +1131,17 @@ public class DomainApplicationCreateFlowTest
|
||||||
runSuperuserFlow("domain_create_sunrush_response.xml");
|
runSuperuserFlow("domain_create_sunrush_response.xml");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
|
DatastoreHelper.persistResource(Registrar.loadByClientId("TheRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
|
persistContactsAndHosts();
|
||||||
|
clock.advanceOneMilli();
|
||||||
|
runSuperuserFlow("domain_create_sunrise_encoded_signed_mark_response.xml");
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSuccess_superuserSunrush() throws Exception {
|
public void testSuccess_superuserSunrush() throws Exception {
|
||||||
createTld("tld", TldState.SUNRUSH);
|
createTld("tld", TldState.SUNRUSH);
|
||||||
|
|
|
@ -150,6 +150,16 @@ public class DomainApplicationDeleteFlowTest
|
||||||
runFlow();
|
runFlow();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||||
|
sessionMetadata.setClientId("NewRegistrar");
|
||||||
|
persistResource(
|
||||||
|
newDomainApplication("example.tld").asBuilder().setRepoId("1-TLD").build());
|
||||||
|
clock.advanceOneMilli();
|
||||||
|
runFlowAssertResponse(
|
||||||
|
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_delete_response.xml"));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||||
persistResource(
|
persistResource(
|
||||||
|
@ -162,12 +172,16 @@ public class DomainApplicationDeleteFlowTest
|
||||||
thrown.expect(NotAuthorizedForTldException.class);
|
thrown.expect(NotAuthorizedForTldException.class);
|
||||||
runFlow();
|
runFlow();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
sessionMetadata.setClientId("NewRegistrar");
|
|
||||||
persistResource(
|
persistResource(
|
||||||
newDomainApplication("example.tld").asBuilder().setRepoId("1-TLD").build());
|
newDomainApplication("example.tld").asBuilder().setRepoId("1-TLD").build());
|
||||||
|
persistResource(
|
||||||
|
Registrar.loadByClientId("TheRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
clock.advanceOneMilli();
|
clock.advanceOneMilli();
|
||||||
runFlowAssertResponse(
|
runFlowAssertResponse(
|
||||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_delete_response.xml"));
|
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_delete_response.xml"));
|
||||||
|
|
|
@ -562,6 +562,16 @@ public class DomainApplicationUpdateFlowTest
|
||||||
runFlow();
|
runFlow();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||||
|
sessionMetadata.setClientId("NewRegistrar");
|
||||||
|
persistReferencedEntities();
|
||||||
|
persistApplication();
|
||||||
|
clock.advanceOneMilli();
|
||||||
|
runFlowAssertResponse(
|
||||||
|
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_update_response.xml"));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||||
persistResource(
|
persistResource(
|
||||||
|
@ -574,10 +584,14 @@ public class DomainApplicationUpdateFlowTest
|
||||||
thrown.expect(NotAuthorizedForTldException.class);
|
thrown.expect(NotAuthorizedForTldException.class);
|
||||||
runFlow();
|
runFlow();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
sessionMetadata.setClientId("NewRegistrar");
|
persistResource(
|
||||||
|
Registrar.loadByClientId("TheRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
persistReferencedEntities();
|
persistReferencedEntities();
|
||||||
persistApplication();
|
persistApplication();
|
||||||
clock.advanceOneMilli();
|
clock.advanceOneMilli();
|
||||||
|
|
|
@ -294,6 +294,18 @@ public class DomainCheckFlowTest
|
||||||
runFlow();
|
runFlow();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
|
persistActiveDomain("example2.tld");
|
||||||
|
DatastoreHelper.persistResource(
|
||||||
|
Registrar.loadByClientId("TheRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
|
runFlowAssertResponse(
|
||||||
|
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_check_one_tld_response.xml"));
|
||||||
|
}
|
||||||
|
|
||||||
private void doFailingBadLabelTest(String label, Class<? extends Exception> expectedException)
|
private void doFailingBadLabelTest(String label, Class<? extends Exception> expectedException)
|
||||||
throws Exception {
|
throws Exception {
|
||||||
setEppInput("domain_check_template.xml", ImmutableMap.of("LABEL", label));
|
setEppInput("domain_check_template.xml", ImmutableMap.of("LABEL", label));
|
||||||
|
|
|
@ -678,6 +678,15 @@ public class DomainDeleteFlowTest extends ResourceFlowTestCase<DomainDeleteFlow,
|
||||||
runFlow();
|
runFlow();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||||
|
sessionMetadata.setClientId("NewRegistrar");
|
||||||
|
setupSuccessfulTest();
|
||||||
|
clock.advanceOneMilli();
|
||||||
|
runFlowAssertResponse(
|
||||||
|
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_delete_response_pending.xml"));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||||
setupSuccessfulTest();
|
setupSuccessfulTest();
|
||||||
|
@ -691,9 +700,13 @@ public class DomainDeleteFlowTest extends ResourceFlowTestCase<DomainDeleteFlow,
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
sessionMetadata.setClientId("NewRegistrar");
|
|
||||||
setupSuccessfulTest();
|
setupSuccessfulTest();
|
||||||
|
persistResource(
|
||||||
|
Registrar.loadByClientId("TheRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
clock.advanceOneMilli();
|
clock.advanceOneMilli();
|
||||||
runFlowAssertResponse(
|
runFlowAssertResponse(
|
||||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_delete_response_pending.xml"));
|
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_delete_response_pending.xml"));
|
||||||
|
|
|
@ -611,6 +611,14 @@ public class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, D
|
||||||
runFlow();
|
runFlow();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||||
|
sessionMetadata.setClientId("NewRegistrar");
|
||||||
|
persistDomain();
|
||||||
|
runFlowAssertResponse(
|
||||||
|
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_renew_response.xml"));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||||
persistResource(
|
persistResource(
|
||||||
|
@ -624,8 +632,12 @@ public class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, D
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
sessionMetadata.setClientId("NewRegistrar");
|
persistResource(
|
||||||
|
Registrar.loadByClientId("TheRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
persistDomain();
|
persistDomain();
|
||||||
runFlowAssertResponse(
|
runFlowAssertResponse(
|
||||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_renew_response.xml"));
|
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_renew_response.xml"));
|
||||||
|
|
|
@ -494,6 +494,14 @@ public class DomainRestoreRequestFlowTest extends
|
||||||
runFlow();
|
runFlow();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||||
|
sessionMetadata.setClientId("NewRegistrar");
|
||||||
|
persistPendingDeleteDomain();
|
||||||
|
thrown.expect(ResourceNotOwnedException.class);
|
||||||
|
runFlowAssertResponse(readFile("domain_update_response.xml"));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||||
persistResource(
|
persistResource(
|
||||||
|
@ -507,11 +515,17 @@ public class DomainRestoreRequestFlowTest extends
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
sessionMetadata.setClientId("NewRegistrar");
|
persistResource(
|
||||||
|
Registrar.loadByClientId("TheRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
persistPendingDeleteDomain();
|
persistPendingDeleteDomain();
|
||||||
thrown.expect(ResourceNotOwnedException.class);
|
runFlowAssertResponse(
|
||||||
runFlowAssertResponse(readFile("domain_update_response.xml"));
|
CommitMode.LIVE,
|
||||||
|
UserPrivileges.SUPERUSER,
|
||||||
|
readFile("domain_update_response.xml"));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
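Review bot: `testSuccess_superuserUnauthorizedClient`, as it lands in the first hunk of this file, is named as a superuser success case but expects `ResourceNotOwnedException` and calls `runFlowAssertResponse(readFile("domain_update_response.xml"))` without `UserPrivileges.SUPERUSER`, so as far as the hunk shows it never exercises the superuser path. The body appears to be carried over unchanged from its old position, but since this commit is about what superuser may bypass, the test should state which behaviour is intended. If restore requests deliberately keep the ownership check for superusers, rename it to something like `testFailure_unauthorizedClient`; otherwise run it with `CommitMode.LIVE, UserPrivileges.SUPERUSER` and drop the `thrown.expect(...)` line.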
||||||
|
|
|
@ -423,6 +423,19 @@ public class DomainTransferApproveFlowTest
|
||||||
doSuccessfulTest("tld", "domain_transfer_approve.xml", "domain_transfer_approve_response.xml");
|
doSuccessfulTest("tld", "domain_transfer_approve.xml", "domain_transfer_approve_response.xml");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
|
persistResource(
|
||||||
|
Registrar.loadByClientId("TheRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
|
runFlowAssertResponse(
|
||||||
|
CommitMode.LIVE,
|
||||||
|
UserPrivileges.SUPERUSER,
|
||||||
|
readFile("domain_transfer_approve_response.xml"));
|
||||||
|
}
|
||||||
|
|
||||||
// NB: No need to test pending delete status since pending transfers will get cancelled upon
|
// NB: No need to test pending delete status since pending transfers will get cancelled upon
|
||||||
// entering pending delete phase. So it's already handled in that test case.
|
// entering pending delete phase. So it's already handled in that test case.
|
||||||
|
|
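Review bot: The new `testSuccess_superuserNotAuthorizedForTld` empties the allowed-TLD set of `"TheRegistrar"`, but nothing in the hunk shows that this is the registrar the flow runs as, and the test would pass trivially if it is not. A one-line comment would pin the intent, for example `// TheRegistrar is the session client; without SUPERUSER this setup fails the TLD access check.`, adjusted to whatever the fixture actually logs in as. The same applies to the tests added in DomainTransferCancelFlowTest (which clears `"NewRegistrar"`) and DomainTransferRejectFlowTest (which clears `"TheRegistrar"`).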
||||||
|
|
|
@ -299,6 +299,20 @@ public class DomainTransferCancelFlowTest
|
||||||
doSuccessfulTest("domain_transfer_cancel.xml", "domain_transfer_cancel_response.xml");
|
doSuccessfulTest("domain_transfer_cancel.xml", "domain_transfer_cancel_response.xml");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
|
persistResource(
|
||||||
|
Registrar.loadByClientId("NewRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
|
clock.advanceOneMilli();
|
||||||
|
runFlowAssertResponse(
|
||||||
|
CommitMode.LIVE,
|
||||||
|
UserPrivileges.SUPERUSER,
|
||||||
|
readFile("domain_transfer_cancel_response.xml"));
|
||||||
|
}
|
||||||
|
|
||||||
// NB: No need to test pending delete status since pending transfers will get cancelled upon
|
// NB: No need to test pending delete status since pending transfers will get cancelled upon
|
||||||
// entering pending delete phase. So it's already handled in that test case.
|
// entering pending delete phase. So it's already handled in that test case.
|
||||||
|
|
||||||
|
|
|
@ -166,6 +166,19 @@ public class DomainTransferRejectFlowTest
|
||||||
doSuccessfulTest("domain_transfer_reject.xml", "domain_transfer_reject_response.xml");
|
doSuccessfulTest("domain_transfer_reject.xml", "domain_transfer_reject_response.xml");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
|
persistResource(
|
||||||
|
Registrar.loadByClientId("TheRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
|
runFlowAssertResponse(
|
||||||
|
CommitMode.LIVE,
|
||||||
|
UserPrivileges.SUPERUSER,
|
||||||
|
readFile("domain_transfer_reject_response.xml"));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testFailure_badContactPassword() throws Exception {
|
public void testFailure_badContactPassword() throws Exception {
|
||||||
// Change the contact's password so it does not match the password in the file.
|
// Change the contact's password so it does not match the password in the file.
|
||||||
|
|
|
@ -571,6 +571,19 @@ public class DomainTransferRequestFlowTest
|
||||||
doSuccessfulTest("domain_transfer_request.xml", "domain_transfer_request_response.xml");
|
doSuccessfulTest("domain_transfer_request.xml", "domain_transfer_request_response.xml");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
|
setupDomain("example", "tld");
|
||||||
|
persistResource(
|
||||||
|
Registrar.loadByClientId("NewRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
|
clock.advanceOneMilli();
|
||||||
|
// We don't verify the results; just check that the flow doesn't fail.
|
||||||
|
runTest("domain_transfer_request.xml", UserPrivileges.SUPERUSER);
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSuccess_autorenewGraceActive_onlyAtTransferRequestTime() throws Exception {
|
public void testSuccess_autorenewGraceActive_onlyAtTransferRequestTime() throws Exception {
|
||||||
setupDomain("example", "tld");
|
setupDomain("example", "tld");
|
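Review bot: `testSuccess_superuserNotAuthorizedForTld` here only checks that `runTest("domain_transfer_request.xml", UserPrivileges.SUPERUSER)` does not throw, whereas the sibling tests in this commit compare the response against a file. For a path that skips an access check, the outcome is worth pinning, so that a flow which returns without creating the transfer is caught. If `runTest` does no more than load the input and run the flow (its body is outside the hunk), the call could become `runFlowAssertResponse(CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_transfer_request_response.xml"));` once the input is set; otherwise add an assertion on the resulting transfer state.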
||||||
|
|
|
@ -961,6 +961,16 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
|
||||||
runFlow();
|
runFlow();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||||
|
sessionMetadata.setClientId("NewRegistrar");
|
||||||
|
persistReferencedEntities();
|
||||||
|
persistDomain();
|
||||||
|
clock.advanceOneMilli();
|
||||||
|
runFlowAssertResponse(
|
||||||
|
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_update_response.xml"));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||||
persistResource(
|
persistResource(
|
||||||
|
@ -975,8 +985,12 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||||
sessionMetadata.setClientId("NewRegistrar");
|
persistResource(
|
||||||
|
Registrar.loadByClientId("TheRegistrar")
|
||||||
|
.asBuilder()
|
||||||
|
.setAllowedTlds(ImmutableSet.<String>of())
|
||||||
|
.build());
|
||||||
persistReferencedEntities();
|
persistReferencedEntities();
|
||||||
persistDomain();
|
persistDomain();
|
||||||
clock.advanceOneMilli();
|
clock.advanceOneMilli();
|
||||||
|
|