diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java index 09a880e923..62fd795c80 100755 --- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java @@ -111,6 +111,8 @@ import javax.ws.rs.core.Response; import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; import java.util.Collections; import java.util.HashMap; import java.util.List; @@ -407,13 +409,7 @@ public void deleteXUser(@PathParam("id") Long id, @Context HttpServletRequest re @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USERS + "\")") public VXUserList searchXUsers(@Context HttpServletRequest request, @QueryParam("syncSource") String syncSource, @QueryParam("userRole") String userRole) { - String userRoleParamName = RangerConstants.ROLE_USER; SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xUserService.sortFields); - String userName = null; - - if (request.getUserPrincipal() != null) { - userName = request.getUserPrincipal().getName(); - } searchUtil.extractString(request, searchCriteria, "name", "User name", null); searchUtil.extractString(request, searchCriteria, "emailAddress", "Email Address", null); 
@@ -426,40 +422,47 @@ public VXUserList searchXUsers(@Context HttpServletRequest request, @QueryParam( searchUtil.extractRoleString(request, searchCriteria, "userRole", "Role", null); searchUtil.extractString(request, searchCriteria, "syncSource", "Sync Source", null); - if (CollectionUtils.isNotEmpty(userRolesList) && CollectionUtils.size(userRolesList) == 1 && userRolesList.get(0).equalsIgnoreCase(userRoleParamName)) { - if (!(searchCriteria.getParamList().containsKey("name"))) { - searchCriteria.addParam("name", userName); - } else if ((searchCriteria.getParamList().containsKey("name")) && userName != null && userName.contains((String) searchCriteria.getParamList().get("name"))) { - searchCriteria.addParam("name", userName); - } - } - UserSessionBase userSession = ContextUtil.getCurrentUserSession(); if (userSession != null && userSession.getLoginId() != null) { VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); if (loggedInVXUser != null && loggedInVXUser.getUserRoleList().size() == 1) { - if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) || loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR)) { - boolean hasRole = false; - - hasRole = !userRolesList.contains(RangerConstants.ROLE_SYS_ADMIN) ? userRolesList.add(RangerConstants.ROLE_SYS_ADMIN) : hasRole; - hasRole = !userRolesList.contains(RangerConstants.ROLE_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_ADMIN_AUDITOR) : hasRole; - hasRole = !userRolesList.contains(RangerConstants.ROLE_USER) ? userRolesList.add(RangerConstants.ROLE_USER) : hasRole; - - if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) && "rangerusersync".equalsIgnoreCase(userSession.getLoginId())) { - hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN) : hasRole; - hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? 
userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole; + Collection roles = loggedInVXUser.getUserRoleList(); + List allowedSysAdminRoles = Arrays.asList(RangerConstants.ROLE_SYS_ADMIN, RangerConstants.ROLE_ADMIN_AUDITOR, RangerConstants.ROLE_USER); + List allowedKeyAdminRoles = Arrays.asList(RangerConstants.ROLE_KEY_ADMIN, RangerConstants.ROLE_KEY_ADMIN_AUDITOR, RangerConstants.ROLE_USER); + + if (roles.contains(RangerConstants.ROLE_SYS_ADMIN) || roles.contains(RangerConstants.ROLE_ADMIN_AUDITOR)) { + boolean isSysAdmin = roles.contains(RangerConstants.ROLE_SYS_ADMIN); + boolean isRangerUserSync = "rangerusersync".equalsIgnoreCase(userSession.getLoginId()); + + if (CollectionUtils.isNotEmpty(userRolesList)) { + boolean hasDisallowedRole = userRolesList.stream().anyMatch(role -> !allowedSysAdminRoles.contains(role)); + if (isSysAdmin && !isRangerUserSync && hasDisallowedRole) { + logger.warn("Access denied: SYS_ADMIN [{}] tried to access KEY_ADMIN users: {}", userSession.getLoginId(), userRolesList); + throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data."); + } + } else { + userRolesList.addAll(allowedSysAdminRoles); + if (isSysAdmin && isRangerUserSync) { + userRolesList.addAll(allowedKeyAdminRoles); + } } - } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN) || loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) { - boolean hasRole = false; - - hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN) : hasRole; - hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole; - hasRole = !userRolesList.contains(RangerConstants.ROLE_USER) ? 
userRolesList.add(RangerConstants.ROLE_USER) : hasRole; - } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) { - if ((CollectionUtils.isNotEmpty(userRolesList) && (userRolesList.size() != 1 || !userRolesList.contains(RangerConstants.ROLE_USER))) - || (userRole != null && !RangerConstants.ROLE_USER.equals(userRole))) { + } else if (roles.contains(RangerConstants.ROLE_KEY_ADMIN) || roles.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) { + if (CollectionUtils.isNotEmpty(userRolesList)) { + boolean hasDisallowedRole = userRolesList.stream().anyMatch(role -> !allowedKeyAdminRoles.contains(role)); + if (hasDisallowedRole) { + logger.warn("Access denied: KEY_ADMIN [{}] tried to access SYS_ADMIN users: {}", userSession.getLoginId(), userRolesList); + throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data."); + } + } else { + userRolesList.addAll(allowedKeyAdminRoles); + } + } else if (roles.contains(RangerConstants.ROLE_USER)) { + boolean invalidRoles = CollectionUtils.isNotEmpty(userRolesList) && (userRolesList.size() != 1 || !userRolesList.contains(RangerConstants.ROLE_USER)); + boolean invalidUserRole = userRole != null && !RangerConstants.ROLE_USER.equals(userRole); + + if (invalidRoles || invalidUserRole) { throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data."); } @@ -469,7 +472,7 @@ public VXUserList searchXUsers(@Context HttpServletRequest request, @QueryParam( throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data."); } - if (loggedInVXUser != null && !xUserMgr.hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) { + if (!xUserMgr.hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) { loggedInVXUser = xUserMgr.getMaskedVXUser(loggedInVXUser); } 
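Review bot: In the SYS_ADMIN/ADMIN_AUDITOR branch the 403 fires only when `isSysAdmin && !isRangerUserSync && hasDisallowedRole`, so a caller holding only ROLE_ADMIN_AUDITOR who sends a non-empty `userRoleList` containing ROLE_KEY_ADMIN or ROLE_KEY_ADMIN_AUDITOR is not rejected, and the list reaches the search unchanged (unless something outside this hunk filters it). If only the `rangerusersync` sys-admin is meant to cross that boundary, the guard should read `if (hasDisallowedRole && !(isSysAdmin && isRangerUserSync)) {`. Both admin branches also validate only `userRoleList`. The single-valued `userRole` query parameter is checked in the ROLE_USER branch (`invalidUserRole`) but not here, so confirm that the value taken by `extractRoleString` cannot be used to request the other admin family. The `logger.warn` text names KEY_ADMIN or SYS_ADMIN users even when the rejected value is some other string, and it writes the request-supplied list verbatim, so a neutral message with sanitised values would be safer. searchXUsers starts and ends outside this hunk.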
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java
index efef8506fd..0c4a314d84 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java
@@ -1537,43 +1537,45 @@ public void test112deleteUsersByUserNameNull() { @Test public void test113ErrorWhenRoleUserIsTryingToFetchAnotherUserDetails() { destroySession(); - Assertions.assertThrows(Throwable.class, () -> { - String userLoginID = "testuser"; - Long userId = 8L; - - RangerSecurityContext context = new RangerSecurityContext(); - context.setUserSession(new UserSessionBase()); - RangerContextHolder.setSecurityContext(context); - UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); - currentUserSession.setUserAdmin(false); - XXPortalUser xXPortalUser = new XXPortalUser(); - xXPortalUser.setLoginId(userLoginID); - xXPortalUser.setId(userId); - currentUserSession.setXXPortalUser(xXPortalUser); - - VXUser loggedInUser = createVXUser(); - List loggedInUserRole = new ArrayList(); - loggedInUserRole.add(RangerConstants.ROLE_USER); - loggedInUser.setId(8L); - loggedInUser.setName("testuser"); - loggedInUser.setUserRoleList(loggedInUserRole); - - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - SearchCriteria testSearchCriteria = createsearchCriteria(); - testSearchCriteria.addParam("name", "admin"); - - Mockito.when(searchUtil.extractCommonCriterias(Mockito.any(), Mockito.any())).thenReturn(testSearchCriteria); - - Mockito.when(searchUtil.extractCommonCriterias(request, xUserService.sortFields)).thenReturn(testSearchCriteria); - Mockito.when(searchUtil.extractString(request, testSearchCriteria, "emailAddress", "Email Address", null)).thenReturn(""); - Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "userSource", "User Source")).thenReturn(1); - Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "isVisible", "User Visibility")).thenReturn(1); - Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "status", "User Status")).thenReturn(1); - Mockito.when(searchUtil.extractStringList(request, testSearchCriteria, "userRoleList", "User Role List", "userRoleList", null, 
null)).thenReturn(new ArrayList()); - Mockito.when(searchUtil.extractRoleString(request, testSearchCriteria, "userRole", "Role", null)).thenReturn(""); - Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(loggedInUser); - Mockito.when(restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.")).thenThrow(new WebApplicationException()); - //thrown.expect(WebApplicationException.class); + String userLoginID = "testuser"; + Long userId = 8L; + + RangerSecurityContext context = new RangerSecurityContext(); + context.setUserSession(new UserSessionBase()); + RangerContextHolder.setSecurityContext(context); + UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + currentUserSession.setUserAdmin(false); + XXPortalUser xXPortalUser = new XXPortalUser(); + xXPortalUser.setLoginId(userLoginID); + xXPortalUser.setId(userId); + currentUserSession.setXXPortalUser(xXPortalUser); + + VXUser loggedInUser = createVXUser(); + List loggedInUserRole = new ArrayList(); + loggedInUserRole.add(RangerConstants.ROLE_USER); + loggedInUser.setId(8L); + loggedInUser.setName("testuser"); + loggedInUser.setUserRoleList(loggedInUserRole); + + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + SearchCriteria testSearchCriteria = createsearchCriteria(); + testSearchCriteria.addParam("name", "admin"); + + Mockito.when(searchUtil.extractCommonCriterias(Mockito.any(), Mockito.any())).thenReturn(testSearchCriteria); + + Mockito.when(searchUtil.extractCommonCriterias(request, xUserService.sortFields)).thenReturn(testSearchCriteria); + Mockito.when(searchUtil.extractString(request, testSearchCriteria, "name", "User name", null)).thenReturn(""); + Mockito.when(searchUtil.extractString(request, testSearchCriteria, "emailAddress", "Email Address", null)).thenReturn(""); + Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "userSource", "User Source")).thenReturn(1); + 
Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "isVisible", "User Visibility")).thenReturn(1); + Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "status", "User Status")).thenReturn(1); + Mockito.when(searchUtil.extractStringList(request, testSearchCriteria, "userRoleList", "User Role List", "userRoleList", null, null)).thenReturn(new ArrayList()); + Mockito.when(searchUtil.extractRoleString(request, testSearchCriteria, "userRole", "Role", null)).thenReturn(""); + Mockito.when(searchUtil.extractString(request, testSearchCriteria, "syncSource", "Sync Source", null)).thenReturn(""); + Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(loggedInUser); + Mockito.when(restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.")).thenThrow(new WebApplicationException()); + + Assertions.assertThrows(WebApplicationException.class, () -> { xUserRest.searchXUsers(request, null, null); }); } 
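Review bot: The stub `thenThrow(new WebApplicationException())` carries no status, so `assertThrows(WebApplicationException.class, ...)` in test113 proves only that some WebApplicationException escaped, not that the 403 path was the one taken. Adding `Mockito.verify(restErrorUtil).create403RESTException("Logged-In user is not allowed to access requested user data.");` after the assertion would pin the denial to the intended call. Narrowing from `Throwable.class` and moving the setup out of the lambda is otherwise an improvement, since a failure in the setup no longer satisfies the assertion.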
@@ -1582,56 +1584,56 @@ public void test113ErrorWhenRoleUserIsTryingToFetchAnotherUserDetails() { @Test public void test114RoleUserWillGetOnlyHisOwnUserDetails() { destroySession(); - Assertions.assertThrows(Throwable.class, () -> { - String userLoginID = "testuser"; - Long userId = 8L; - - RangerSecurityContext context = new RangerSecurityContext(); - context.setUserSession(new UserSessionBase()); - RangerContextHolder.setSecurityContext(context); - UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); - currentUserSession.setUserAdmin(false); - XXPortalUser xXPortalUser = new XXPortalUser(); - xXPortalUser.setLoginId(userLoginID); - xXPortalUser.setId(userId); - currentUserSession.setXXPortalUser(xXPortalUser); - - VXUser loggedInUser = createVXUser(); - List loggedInUserRole = new ArrayList(); - loggedInUserRole.add(RangerConstants.ROLE_USER); - loggedInUser.setId(8L); - loggedInUser.setName("testuser"); - loggedInUser.setUserRoleList(loggedInUserRole); - - VXUserList expecteUserList = new VXUserList(); - VXUser expectedUser = new VXUser(); - expectedUser.setId(8L); - expectedUser.setName("testuser"); - List userList = new ArrayList(); - userList.add(expectedUser); - expecteUserList.setVXUsers(userList); - - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - SearchCriteria testSearchCriteria = createsearchCriteria(); - - Mockito.when(searchUtil.extractCommonCriterias(Mockito.any(), Mockito.any())).thenReturn(testSearchCriteria); - - Mockito.when(searchUtil.extractCommonCriterias(request, xUserService.sortFields)).thenReturn(testSearchCriteria); - Mockito.when(searchUtil.extractString(request, testSearchCriteria, "emailAddress", "Email Address", null)).thenReturn(""); - Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "userSource", "User Source")).thenReturn(1); - Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "isVisible", "User Visibility")).thenReturn(1); - 
Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "status", "User Status")).thenReturn(1); - Mockito.when(searchUtil.extractStringList(request, testSearchCriteria, "userRoleList", "User Role List", "userRoleList", null, null)).thenReturn(new ArrayList()); - Mockito.when(searchUtil.extractRoleString(request, testSearchCriteria, "userRole", "Role", null)).thenReturn(""); - Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(loggedInUser); - Mockito.when(xUserMgr.searchXUsers(testSearchCriteria)).thenReturn(expecteUserList); - - VXUserList gotVXUserList = xUserRest.searchXUsers(request, null, null); - - Assertions.assertEquals(gotVXUserList.getList().size(), 1); - Assertions.assertEquals(gotVXUserList.getList().get(0).getId(), expectedUser.getId()); - Assertions.assertEquals(gotVXUserList.getList().get(0).getName(), expectedUser.getName()); - }); + String userLoginID = "testuser"; + Long userId = 8L; + + RangerSecurityContext context = new RangerSecurityContext(); + context.setUserSession(new UserSessionBase()); + RangerContextHolder.setSecurityContext(context); + UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + currentUserSession.setUserAdmin(false); + XXPortalUser xXPortalUser = new XXPortalUser(); + xXPortalUser.setLoginId(userLoginID); + xXPortalUser.setId(userId); + currentUserSession.setXXPortalUser(xXPortalUser); + + VXUser loggedInUser = createVXUser(); + List loggedInUserRole = new ArrayList(); + loggedInUserRole.add(RangerConstants.ROLE_USER); + loggedInUser.setId(8L); + loggedInUser.setName("testuser"); + loggedInUser.setUserRoleList(loggedInUserRole); + + VXUserList expecteUserList = new VXUserList(); + VXUser expectedUser = new VXUser(); + expectedUser.setId(8L); + expectedUser.setName("testuser"); + List userList = new ArrayList(); + userList.add(expectedUser); + expecteUserList.setVXUsers(userList); + + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + SearchCriteria 
testSearchCriteria = createsearchCriteria(); + + Mockito.when(searchUtil.extractCommonCriterias(Mockito.any(), Mockito.any())).thenReturn(testSearchCriteria); + + Mockito.when(searchUtil.extractCommonCriterias(request, xUserService.sortFields)).thenReturn(testSearchCriteria); + Mockito.when(searchUtil.extractString(request, testSearchCriteria, "name", "User name", null)).thenReturn(""); + Mockito.when(searchUtil.extractString(request, testSearchCriteria, "emailAddress", "Email Address", null)).thenReturn(""); + Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "userSource", "User Source")).thenReturn(1); + Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "isVisible", "User Visibility")).thenReturn(1); + Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "status", "User Status")).thenReturn(1); + Mockito.when(searchUtil.extractStringList(request, testSearchCriteria, "userRoleList", "User Role List", "userRoleList", null, null)).thenReturn(new ArrayList()); + Mockito.when(searchUtil.extractRoleString(request, testSearchCriteria, "userRole", "Role", null)).thenReturn(""); + Mockito.when(searchUtil.extractString(request, testSearchCriteria, "syncSource", "Sync Source", null)).thenReturn(""); + Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(loggedInUser); + Mockito.when(xUserMgr.hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)).thenReturn(true); + + VXUserList gotVXUserList = xUserRest.searchXUsers(request, null, null); + + Assertions.assertEquals(gotVXUserList.getList().size(), 1); + Assertions.assertEquals(gotVXUserList.getList().get(0).getId(), expectedUser.getId()); + Assertions.assertEquals(gotVXUserList.getList().get(0).getName(), expectedUser.getName()); } @Test 
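Review bot: In test114 the `xUserMgr.searchXUsers` stub was removed but `expecteUserList` and `userList` are still built, so they are now dead setup. The size and id assertions depend on whatever list searchXUsers assembles for a ROLE_USER caller, which is not visible in this hunk. The only stub for `hasAccessToModule` returns `true`, so the `getMaskedVXUser` path, whose null guard this commit removes in XUserREST, is never exercised. A second case with `thenReturn(false)` and a stubbed `getMaskedVXUser` would cover it. The `assertEquals` calls pass the actual value first; JUnit's order is expected then actual, e.g. `Assertions.assertEquals(1, gotVXUserList.getList().size());`.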
@@ -2351,6 +2353,102 @@ public void test164modifyUserVisibilityWithEmptyMap() { Mockito.verify(xUserMgr).modifyUserVisibility(visibilityMap); } + @SuppressWarnings({ "unchecked", "static-access" }) + @Test + public void test165AdminUserWillHaveAdminAuditorAndUserRoles() { + // reset session + destroySession(); + String adminLoginId = "adminuser"; + Long adminUserId = 10L; + RangerSecurityContext context = new RangerSecurityContext(); + context.setUserSession(new UserSessionBase()); + RangerContextHolder.setSecurityContext(context); + UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + currentUserSession.setUserAdmin(false); + XXPortalUser xXPortalUser = new XXPortalUser(); + xXPortalUser.setLoginId(adminLoginId); + xXPortalUser.setId(adminUserId); + currentUserSession.setXXPortalUser(xXPortalUser); + + VXUser loggedInUser = new VXUser(); + List roles = new ArrayList(); + roles.add(RangerConstants.ROLE_SYS_ADMIN); + loggedInUser.setId(adminUserId); + loggedInUser.setName(adminLoginId); + loggedInUser.setUserRoleList(roles); + + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + SearchCriteria testSearchCriteria = createsearchCriteria(); + Mockito.when(searchUtil.extractCommonCriterias(Mockito.any(), Mockito.any())).thenReturn(testSearchCriteria); + Mockito.when(searchUtil.extractString(request, testSearchCriteria, "name", "User name", null)).thenReturn(""); + Mockito.when(searchUtil.extractString(request, testSearchCriteria, "emailAddress", "Email Address", null)).thenReturn(""); + Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "userSource", "User Source")).thenReturn(1); + Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "isVisible", "User Visibility")).thenReturn(1); + Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "status", "User Status")).thenReturn(1); + List userRoleListParam = new ArrayList(); + Mockito.when(searchUtil.extractStringList(request, testSearchCriteria, 
"userRoleList", "User Role List", "userRoleList", null, null)).thenReturn(userRoleListParam); + Mockito.when(searchUtil.extractRoleString(request, testSearchCriteria, "userRole", "Role", null)).thenReturn(""); + Mockito.when(searchUtil.extractString(request, testSearchCriteria, "syncSource", "Sync Source", null)).thenReturn(null); + + Mockito.when(xUserService.getXUserByUserName(adminLoginId)).thenReturn(loggedInUser); + Mockito.when(xUserMgr.searchXUsers(testSearchCriteria)).thenReturn(new VXUserList()); + + VXUserList result = xUserRest.searchXUsers(request, null, null); + Assertions.assertNotNull(result); + // verify roles augmented for admin + Assertions.assertTrue(userRoleListParam.contains(RangerConstants.ROLE_SYS_ADMIN)); + Assertions.assertTrue(userRoleListParam.contains(RangerConstants.ROLE_ADMIN_AUDITOR)); + Assertions.assertTrue(userRoleListParam.contains(RangerConstants.ROLE_USER)); + } + + @SuppressWarnings({ "unchecked", "static-access" }) + @Test + public void test166KeyAdminUserWillHaveKeyAdminAuditorAndUserRoles() { + // reset session + destroySession(); + String keyAdminLoginId = "keyadminuser"; + Long keyAdminUserId = 11L; + RangerSecurityContext context = new RangerSecurityContext(); + context.setUserSession(new UserSessionBase()); + RangerContextHolder.setSecurityContext(context); + UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + currentUserSession.setUserAdmin(false); + XXPortalUser xXPortalUser = new XXPortalUser(); + xXPortalUser.setLoginId(keyAdminLoginId); + xXPortalUser.setId(keyAdminUserId); + currentUserSession.setXXPortalUser(xXPortalUser); + + VXUser loggedInUser = new VXUser(); + List roles = new ArrayList(); + roles.add(RangerConstants.ROLE_KEY_ADMIN); + loggedInUser.setId(keyAdminUserId); + loggedInUser.setName(keyAdminLoginId); + loggedInUser.setUserRoleList(roles); + + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + SearchCriteria testSearchCriteria = createsearchCriteria(); + 
Mockito.when(searchUtil.extractCommonCriterias(Mockito.any(), Mockito.any())).thenReturn(testSearchCriteria); + Mockito.when(searchUtil.extractString(request, testSearchCriteria, "name", "User name", null)).thenReturn(""); + Mockito.when(searchUtil.extractString(request, testSearchCriteria, "emailAddress", "Email Address", null)).thenReturn(""); + Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "userSource", "User Source")).thenReturn(1); + Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "isVisible", "User Visibility")).thenReturn(1); + Mockito.when(searchUtil.extractInt(request, testSearchCriteria, "status", "User Status")).thenReturn(1); + List userRoleListParam = new ArrayList(); + Mockito.when(searchUtil.extractStringList(request, testSearchCriteria, "userRoleList", "User Role List", "userRoleList", null, null)).thenReturn(userRoleListParam); + Mockito.when(searchUtil.extractRoleString(request, testSearchCriteria, "userRole", "Role", null)).thenReturn(""); + Mockito.when(searchUtil.extractString(request, testSearchCriteria, "syncSource", "Sync Source", null)).thenReturn(null); + + Mockito.when(xUserService.getXUserByUserName(keyAdminLoginId)).thenReturn(loggedInUser); + Mockito.when(xUserMgr.searchXUsers(testSearchCriteria)).thenReturn(new VXUserList()); + + VXUserList result = xUserRest.searchXUsers(request, null, null); + Assertions.assertNotNull(result); + // verify roles augmented for keyadmin + Assertions.assertTrue(userRoleListParam.contains(RangerConstants.ROLE_KEY_ADMIN)); + Assertions.assertTrue(userRoleListParam.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)); + Assertions.assertTrue(userRoleListParam.contains(RangerConstants.ROLE_USER)); + } + @AfterEach public void destroySession() { RangerSecurityContext context = new RangerSecurityContext();
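Review bot: test165 and test166 exercise only the empty-`userRoleList` default path, so none of the new deny branches added to searchXUsers is covered by a test. The missing cases are a SYS_ADMIN caller requesting ROLE_KEY_ADMIN (expect 403), a KEY_ADMIN caller requesting ROLE_SYS_ADMIN (expect 403), the exempt `rangerusersync` login, and a caller holding only ROLE_ADMIN_AUDITOR. The two methods also repeat about thirty lines of session and mock setup; a private helper taking the login id and role would let each access-control case be stated in a few lines.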