mirror of
https://github.com/google/nomulus.git
synced 2025-05-13 07:57:13 +02:00
Make the superuser flag bypass TLD access checks
The --superuser command in the nomulus command-line tool should be bypassing checks on whether the passed-in registrar client ID has access to the TLD in question, but currently it is not. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=158974462
This commit is contained in:
Ben McIlwain
parent
3a02e6fb11
commit
580c41f2d6
26 changed files with 223 additions and 38 deletions
|
|
@ -89,9 +89,9 @@ public final class ClaimsCheckFlow implements Flow {
|
|||
String tld = domainName.parent().toString();
|
||||
// Only validate access to a TLD the first time it is encountered.
|
||||
if (seenTlds.add(tld)) {
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
Registry registry = Registry.get(tld);
|
||||
if (!isSuperuser) {
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
Registry registry = Registry.get(tld);
|
||||
DateTime now = clock.nowUtc();
|
||||
verifyNotInPredelegation(registry, now);
|
||||
if (registry.getTldState(now) == TldState.SUNRISE) {
|
||||
|
|
|
|||
|
|
@ -203,7 +203,10 @@ public final class DomainApplicationCreateFlow implements TransactionalFlow {
|
|||
InternetDomainName domainName = validateDomainName(targetId);
|
||||
String idnTableName = validateDomainNameWithIdnTables(domainName);
|
||||
String tld = domainName.parent().toString();
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
if (!isSuperuser) {
|
||||
// Access to the TLD should be checked before the subsequent checks as it is a greater concern
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
}
|
||||
Registry registry = Registry.get(tld);
|
||||
FeesAndCredits feesAndCredits =
|
||||
pricingLogic.getCreatePrice(registry, targetId, now, command.getPeriod().getValue());
|
||||
|
|
|
|||
|
|
@ -88,8 +88,8 @@ public final class DomainApplicationDeleteFlow implements TransactionalFlow {
|
|||
verifyApplicationDomainMatchesTargetId(existingApplication, targetId);
|
||||
verifyOptionalAuthInfo(authInfo, existingApplication);
|
||||
String tld = existingApplication.getTld();
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
if (!isSuperuser) {
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
Registry registry = Registry.get(tld);
|
||||
verifyRegistryStateAllowsLaunchFlows(registry, now);
|
||||
verifyLaunchPhaseMatchesRegistryPhase(
|
||||
|
|
|
|||
|
|
@ -174,13 +174,13 @@ public class DomainApplicationUpdateFlow implements TransactionalFlow {
|
|||
DomainApplication existingApplication, Update command, DateTime now) throws EppException {
|
||||
AddRemove add = command.getInnerAdd();
|
||||
AddRemove remove = command.getInnerRemove();
|
||||
String tld = existingApplication.getTld();
|
||||
if (!isSuperuser) {
|
||||
verifyResourceOwnership(clientId, existingApplication);
|
||||
verifyClientUpdateNotProhibited(command, existingApplication);
|
||||
verifyAllStatusesAreClientSettable(union(add.getStatusValues(), remove.getStatusValues()));
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
}
|
||||
String tld = existingApplication.getTld();
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
if (UPDATE_DISALLOWED_APPLICATION_STATUSES
|
||||
.contains(existingApplication.getApplicationStatus())) {
|
||||
throw new ApplicationStatusProhibitsUpdateException(
|
||||
|
|
|
|||
|
|
@ -136,11 +136,10 @@ public final class DomainCheckFlow implements Flow {
|
|||
// This validation is moderately expensive, so cache the results.
|
||||
domains.put(targetId, domainName);
|
||||
String tld = domainName.parent().toString();
|
||||
if (seenTlds.add(tld)) {
|
||||
boolean tldFirstTimeSeen = seenTlds.add(tld);
|
||||
if (tldFirstTimeSeen && !isSuperuser) {
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
if (!isSuperuser) {
|
||||
verifyNotInPredelegation(Registry.get(tld), now);
|
||||
}
|
||||
verifyNotInPredelegation(Registry.get(tld), now);
|
||||
}
|
||||
}
|
||||
ImmutableMap<String, InternetDomainName> domainNames = domains.build();
|
||||
|
|
|
|||
|
|
@ -211,8 +211,8 @@ public final class DomainDeleteFlow implements TransactionalFlow {
|
|||
if (!isSuperuser) {
|
||||
verifyResourceOwnership(clientId, existingDomain);
|
||||
verifyNotInPredelegation(registry, now);
|
||||
checkAllowedAccessToTld(clientId, registry.getTld().toString());
|
||||
}
|
||||
checkAllowedAccessToTld(clientId, registry.getTld().toString());
|
||||
if (!existingDomain.getSubordinateHosts().isEmpty()) {
|
||||
throw new DomainToDeleteHasHostsException();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -219,8 +219,8 @@ public final class DomainRenewFlow implements TransactionalFlow {
|
|||
verifyNoDisallowedStatuses(existingDomain, RENEW_DISALLOWED_STATUSES);
|
||||
if (!isSuperuser) {
|
||||
verifyResourceOwnership(clientId, existingDomain);
|
||||
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
||||
}
|
||||
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
||||
verifyUnitIsYears(command.getPeriod());
|
||||
// If the date they specify doesn't match the expiration, fail. (This is an idempotence check).
|
||||
if (!command.getCurrentExpirationDate().equals(
|
||||
|
|
|
|||
|
|
@ -188,6 +188,7 @@ public final class DomainRestoreRequestFlow implements TransactionalFlow {
|
|||
verifyResourceOwnership(clientId, existingDomain);
|
||||
verifyNotReserved(InternetDomainName.from(targetId), false);
|
||||
verifyPremiumNameIsNotBlocked(targetId, now, clientId);
|
||||
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
||||
}
|
||||
// No other changes can be specified on a restore request.
|
||||
if (!command.noChangesPresent()) {
|
||||
|
|
@ -197,7 +198,6 @@ public final class DomainRestoreRequestFlow implements TransactionalFlow {
|
|||
if (!existingDomain.getGracePeriodStatuses().contains(GracePeriodStatus.REDEMPTION)) {
|
||||
throw new DomainNotEligibleForRestoreException();
|
||||
}
|
||||
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
||||
validateFeeChallenge(targetId, existingDomain.getTld(), now, feeUpdate, feesAndCredits);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -36,6 +36,7 @@ import com.googlecode.objectify.Key;
|
|||
import google.registry.flows.EppException;
|
||||
import google.registry.flows.ExtensionManager;
|
||||
import google.registry.flows.FlowModule.ClientId;
|
||||
import google.registry.flows.FlowModule.Superuser;
|
||||
import google.registry.flows.FlowModule.TargetId;
|
||||
import google.registry.flows.TransactionalFlow;
|
||||
import google.registry.flows.annotations.ReportingSpec;
|
||||
|
|
@ -83,6 +84,7 @@ public final class DomainTransferApproveFlow implements TransactionalFlow {
|
|||
@Inject Optional<AuthInfo> authInfo;
|
||||
@Inject @ClientId String clientId;
|
||||
@Inject @TargetId String targetId;
|
||||
@Inject @Superuser boolean isSuperuser;
|
||||
@Inject HistoryEntry.Builder historyBuilder;
|
||||
@Inject EppResponse.Builder responseBuilder;
|
||||
@Inject DomainTransferApproveFlow() {}
|
||||
|
|
@ -102,7 +104,9 @@ public final class DomainTransferApproveFlow implements TransactionalFlow {
|
|||
verifyHasPendingTransfer(existingDomain);
|
||||
verifyResourceOwnership(clientId, existingDomain);
|
||||
String tld = existingDomain.getTld();
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
if (!isSuperuser) {
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
}
|
||||
TransferData transferData = existingDomain.getTransferData();
|
||||
String gainingClientId = transferData.getGainingClientId();
|
||||
HistoryEntry historyEntry = historyBuilder
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@ import com.googlecode.objectify.Key;
|
|||
import google.registry.flows.EppException;
|
||||
import google.registry.flows.ExtensionManager;
|
||||
import google.registry.flows.FlowModule.ClientId;
|
||||
import google.registry.flows.FlowModule.Superuser;
|
||||
import google.registry.flows.FlowModule.TargetId;
|
||||
import google.registry.flows.TransactionalFlow;
|
||||
import google.registry.flows.annotations.ReportingSpec;
|
||||
|
|
@ -71,6 +72,7 @@ public final class DomainTransferCancelFlow implements TransactionalFlow {
|
|||
@Inject Optional<AuthInfo> authInfo;
|
||||
@Inject @ClientId String clientId;
|
||||
@Inject @TargetId String targetId;
|
||||
@Inject @Superuser boolean isSuperuser;
|
||||
@Inject HistoryEntry.Builder historyBuilder;
|
||||
@Inject EppResponse.Builder responseBuilder;
|
||||
@Inject DomainTransferCancelFlow() {}
|
||||
|
|
@ -85,7 +87,9 @@ public final class DomainTransferCancelFlow implements TransactionalFlow {
|
|||
verifyOptionalAuthInfo(authInfo, existingDomain);
|
||||
verifyHasPendingTransfer(existingDomain);
|
||||
verifyTransferInitiator(clientId, existingDomain);
|
||||
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
||||
if (!isSuperuser) {
|
||||
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
||||
}
|
||||
HistoryEntry historyEntry = historyBuilder
|
||||
.setType(HistoryEntry.Type.DOMAIN_TRANSFER_CANCEL)
|
||||
.setOtherClientId(existingDomain.getTransferData().getLosingClientId())
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@ import com.googlecode.objectify.Key;
|
|||
import google.registry.flows.EppException;
|
||||
import google.registry.flows.ExtensionManager;
|
||||
import google.registry.flows.FlowModule.ClientId;
|
||||
import google.registry.flows.FlowModule.Superuser;
|
||||
import google.registry.flows.FlowModule.TargetId;
|
||||
import google.registry.flows.TransactionalFlow;
|
||||
import google.registry.flows.annotations.ReportingSpec;
|
||||
|
|
@ -71,6 +72,7 @@ public final class DomainTransferRejectFlow implements TransactionalFlow {
|
|||
@Inject Optional<AuthInfo> authInfo;
|
||||
@Inject @ClientId String clientId;
|
||||
@Inject @TargetId String targetId;
|
||||
@Inject @Superuser boolean isSuperuser;
|
||||
@Inject HistoryEntry.Builder historyBuilder;
|
||||
@Inject EppResponse.Builder responseBuilder;
|
||||
@Inject DomainTransferRejectFlow() {}
|
||||
|
|
@ -91,7 +93,9 @@ public final class DomainTransferRejectFlow implements TransactionalFlow {
|
|||
verifyOptionalAuthInfo(authInfo, existingDomain);
|
||||
verifyHasPendingTransfer(existingDomain);
|
||||
verifyResourceOwnership(clientId, existingDomain);
|
||||
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
||||
if (!isSuperuser) {
|
||||
checkAllowedAccessToTld(clientId, existingDomain.getTld());
|
||||
}
|
||||
DomainResource newDomain =
|
||||
denyPendingTransfer(existingDomain, TransferStatus.CLIENT_REJECTED, now);
|
||||
ofy().save().<ImmutableObject>entities(
|
||||
|
|
|
|||
|
|
@ -217,9 +217,9 @@ public final class DomainTransferRequestFlow implements TransactionalFlow {
|
|||
if (gainingClientId.equals(existingDomain.getCurrentSponsorClientId())) {
|
||||
throw new ObjectAlreadySponsoredException();
|
||||
}
|
||||
checkAllowedAccessToTld(gainingClientId, existingDomain.getTld());
|
||||
verifyTransferPeriodIsOneYear(period);
|
||||
if (!isSuperuser) {
|
||||
checkAllowedAccessToTld(gainingClientId, existingDomain.getTld());
|
||||
verifyPremiumNameIsNotBlocked(targetId, now, gainingClientId);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -212,14 +212,14 @@ public final class DomainUpdateFlow implements TransactionalFlow {
|
|||
verifyOptionalAuthInfo(authInfo, existingDomain);
|
||||
AddRemove add = command.getInnerAdd();
|
||||
AddRemove remove = command.getInnerRemove();
|
||||
String tld = existingDomain.getTld();
|
||||
if (!isSuperuser) {
|
||||
verifyResourceOwnership(clientId, existingDomain);
|
||||
verifyClientUpdateNotProhibited(command, existingDomain);
|
||||
verifyAllStatusesAreClientSettable(union(add.getStatusValues(), remove.getStatusValues()));
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
}
|
||||
String tld = existingDomain.getTld();
|
||||
Registry registry = Registry.get(tld);
|
||||
checkAllowedAccessToTld(clientId, tld);
|
||||
FeeTransformCommandExtension feeUpdate =
|
||||
eppInput.getSingleExtension(FeeUpdateCommandExtension.class);
|
||||
// If the fee extension is present, validate it (even if the cost is zero, to check for price
|
||||
|
|
|
|||
|
|
@ -31,7 +31,6 @@ import google.registry.model.domain.DomainResource;
|
|||
import google.registry.model.registrar.Registrar;
|
||||
import google.registry.model.registry.Registry;
|
||||
import google.registry.model.registry.Registry.TldState;
|
||||
import google.registry.testing.DatastoreHelper;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
||||
|
|
@ -81,7 +80,6 @@ public class ClaimsCheckFlowTest extends ResourceFlowTestCase<ClaimsCheckFlow, D
|
|||
doSuccessfulTest("domain_check_claims_response.xml");
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void testSuccess_multipleTlds() throws Exception {
|
||||
setEppInput("domain_check_claims_multiple_tlds.xml");
|
||||
|
|
@ -115,7 +113,7 @@ public class ClaimsCheckFlowTest extends ResourceFlowTestCase<ClaimsCheckFlow, D
|
|||
|
||||
@Test
|
||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||
DatastoreHelper.persistResource(
|
||||
persistResource(
|
||||
Registrar.loadByClientId("TheRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
|
|
@ -124,6 +122,22 @@ public class ClaimsCheckFlowTest extends ResourceFlowTestCase<ClaimsCheckFlow, D
|
|||
runFlow();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
persistClaimsList(
|
||||
ImmutableMap.of("example2", "2013041500/2/6/9/rJ1NrDO92vDsAzf7EQzgjX4R0000000001"));
|
||||
persistResource(
|
||||
Registrar.loadByClientId("TheRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
assertTransactionalFlow(false);
|
||||
assertNoHistory(); // Checks don't create a history event.
|
||||
assertNoBillingEvents(); // Checks are always free.
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_check_claims_response.xml"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_predelgation() throws Exception {
|
||||
createTld("tld", TldState.PREDELEGATION);
|
||||
|
|
|
|||
|
|
@ -1131,6 +1131,17 @@ public class DomainApplicationCreateFlowTest
|
|||
runSuperuserFlow("domain_create_sunrush_response.xml");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
DatastoreHelper.persistResource(Registrar.loadByClientId("TheRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
persistContactsAndHosts();
|
||||
clock.advanceOneMilli();
|
||||
runSuperuserFlow("domain_create_sunrise_encoded_signed_mark_response.xml");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserSunrush() throws Exception {
|
||||
createTld("tld", TldState.SUNRUSH);
|
||||
|
|
|
|||
|
|
@ -150,6 +150,16 @@ public class DomainApplicationDeleteFlowTest
|
|||
runFlow();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||
sessionMetadata.setClientId("NewRegistrar");
|
||||
persistResource(
|
||||
newDomainApplication("example.tld").asBuilder().setRepoId("1-TLD").build());
|
||||
clock.advanceOneMilli();
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_delete_response.xml"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
|
|
@ -162,12 +172,16 @@ public class DomainApplicationDeleteFlowTest
|
|||
thrown.expect(NotAuthorizedForTldException.class);
|
||||
runFlow();
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||
sessionMetadata.setClientId("NewRegistrar");
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
newDomainApplication("example.tld").asBuilder().setRepoId("1-TLD").build());
|
||||
persistResource(
|
||||
Registrar.loadByClientId("TheRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
clock.advanceOneMilli();
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_delete_response.xml"));
|
||||
|
|
|
|||
|
|
@ -562,6 +562,16 @@ public class DomainApplicationUpdateFlowTest
|
|||
runFlow();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||
sessionMetadata.setClientId("NewRegistrar");
|
||||
persistReferencedEntities();
|
||||
persistApplication();
|
||||
clock.advanceOneMilli();
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_update_response.xml"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
|
|
@ -574,10 +584,14 @@ public class DomainApplicationUpdateFlowTest
|
|||
thrown.expect(NotAuthorizedForTldException.class);
|
||||
runFlow();
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||
sessionMetadata.setClientId("NewRegistrar");
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
Registrar.loadByClientId("TheRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
persistReferencedEntities();
|
||||
persistApplication();
|
||||
clock.advanceOneMilli();
|
||||
|
|
|
|||
|
|
@ -294,6 +294,18 @@ public class DomainCheckFlowTest
|
|||
runFlow();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
persistActiveDomain("example2.tld");
|
||||
DatastoreHelper.persistResource(
|
||||
Registrar.loadByClientId("TheRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_check_one_tld_response.xml"));
|
||||
}
|
||||
|
||||
private void doFailingBadLabelTest(String label, Class<? extends Exception> expectedException)
|
||||
throws Exception {
|
||||
setEppInput("domain_check_template.xml", ImmutableMap.of("LABEL", label));
|
||||
|
|
|
|||
|
|
@ -678,6 +678,15 @@ public class DomainDeleteFlowTest extends ResourceFlowTestCase<DomainDeleteFlow,
|
|||
runFlow();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||
sessionMetadata.setClientId("NewRegistrar");
|
||||
setupSuccessfulTest();
|
||||
clock.advanceOneMilli();
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_delete_response_pending.xml"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||
setupSuccessfulTest();
|
||||
|
|
@ -691,9 +700,13 @@ public class DomainDeleteFlowTest extends ResourceFlowTestCase<DomainDeleteFlow,
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||
sessionMetadata.setClientId("NewRegistrar");
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
setupSuccessfulTest();
|
||||
persistResource(
|
||||
Registrar.loadByClientId("TheRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
clock.advanceOneMilli();
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_delete_response_pending.xml"));
|
||||
|
|
|
|||
|
|
@ -611,6 +611,14 @@ public class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, D
|
|||
runFlow();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||
sessionMetadata.setClientId("NewRegistrar");
|
||||
persistDomain();
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_renew_response.xml"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
|
|
@ -624,8 +632,12 @@ public class DomainRenewFlowTest extends ResourceFlowTestCase<DomainRenewFlow, D
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||
sessionMetadata.setClientId("NewRegistrar");
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
Registrar.loadByClientId("TheRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
persistDomain();
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_renew_response.xml"));
|
||||
|
|
|
|||
|
|
@ -494,6 +494,14 @@ public class DomainRestoreRequestFlowTest extends
|
|||
runFlow();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||
sessionMetadata.setClientId("NewRegistrar");
|
||||
persistPendingDeleteDomain();
|
||||
thrown.expect(ResourceNotOwnedException.class);
|
||||
runFlowAssertResponse(readFile("domain_update_response.xml"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
|
|
@ -507,11 +515,17 @@ public class DomainRestoreRequestFlowTest extends
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||
sessionMetadata.setClientId("NewRegistrar");
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
Registrar.loadByClientId("TheRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
persistPendingDeleteDomain();
|
||||
thrown.expect(ResourceNotOwnedException.class);
|
||||
runFlowAssertResponse(readFile("domain_update_response.xml"));
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE,
|
||||
UserPrivileges.SUPERUSER,
|
||||
readFile("domain_update_response.xml"));
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
|
|||
|
|
@ -423,6 +423,19 @@ public class DomainTransferApproveFlowTest
|
|||
doSuccessfulTest("tld", "domain_transfer_approve.xml", "domain_transfer_approve_response.xml");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
Registrar.loadByClientId("TheRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE,
|
||||
UserPrivileges.SUPERUSER,
|
||||
readFile("domain_transfer_approve_response.xml"));
|
||||
}
|
||||
|
||||
// NB: No need to test pending delete status since pending transfers will get cancelled upon
|
||||
// entering pending delete phase. So it's already handled in that test case.
|
||||
|
||||
|
|
|
|||
|
|
@ -299,6 +299,20 @@ public class DomainTransferCancelFlowTest
|
|||
doSuccessfulTest("domain_transfer_cancel.xml", "domain_transfer_cancel_response.xml");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
Registrar.loadByClientId("NewRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
clock.advanceOneMilli();
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE,
|
||||
UserPrivileges.SUPERUSER,
|
||||
readFile("domain_transfer_cancel_response.xml"));
|
||||
}
|
||||
|
||||
// NB: No need to test pending delete status since pending transfers will get cancelled upon
|
||||
// entering pending delete phase. So it's already handled in that test case.
|
||||
|
||||
|
|
|
|||
|
|
@ -166,6 +166,19 @@ public class DomainTransferRejectFlowTest
|
|||
doSuccessfulTest("domain_transfer_reject.xml", "domain_transfer_reject_response.xml");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
Registrar.loadByClientId("TheRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE,
|
||||
UserPrivileges.SUPERUSER,
|
||||
readFile("domain_transfer_reject_response.xml"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_badContactPassword() throws Exception {
|
||||
// Change the contact's password so it does not match the password in the file.
|
||||
|
|
|
|||
|
|
@ -571,6 +571,19 @@ public class DomainTransferRequestFlowTest
|
|||
doSuccessfulTest("domain_transfer_request.xml", "domain_transfer_request_response.xml");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
setupDomain("example", "tld");
|
||||
persistResource(
|
||||
Registrar.loadByClientId("NewRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
clock.advanceOneMilli();
|
||||
// We don't verify the results; just check that the flow doesn't fail.
|
||||
runTest("domain_transfer_request.xml", UserPrivileges.SUPERUSER);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_autorenewGraceActive_onlyAtTransferRequestTime() throws Exception {
|
||||
setupDomain("example", "tld");
|
||||
|
|
|
|||
|
|
@ -961,6 +961,16 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
|
|||
runFlow();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||
sessionMetadata.setClientId("NewRegistrar");
|
||||
persistReferencedEntities();
|
||||
persistDomain();
|
||||
clock.advanceOneMilli();
|
||||
runFlowAssertResponse(
|
||||
CommitMode.LIVE, UserPrivileges.SUPERUSER, readFile("domain_update_response.xml"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailure_notAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
|
|
@ -975,8 +985,12 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testSuccess_superuserUnauthorizedClient() throws Exception {
|
||||
sessionMetadata.setClientId("NewRegistrar");
|
||||
public void testSuccess_superuserNotAuthorizedForTld() throws Exception {
|
||||
persistResource(
|
||||
Registrar.loadByClientId("TheRegistrar")
|
||||
.asBuilder()
|
||||
.setAllowedTlds(ImmutableSet.<String>of())
|
||||
.build());
|
||||
persistReferencedEntities();
|
||||
persistDomain();
|
||||
clock.advanceOneMilli();
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue