From e74bbd3dc9ede540383b84e5e29273b94e2d973d Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Tue, 3 Mar 2026 17:13:59 -0800 Subject: [PATCH 1/3] Expand "See Audit Log Events" test (#2899) --- src/org/labkey/test/tests/AuditLogTest.java | 52 ++++++++++++++------- 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/src/org/labkey/test/tests/AuditLogTest.java b/src/org/labkey/test/tests/AuditLogTest.java index 0ea179d032..6ea185d06e 100644 --- a/src/org/labkey/test/tests/AuditLogTest.java +++ b/src/org/labkey/test/tests/AuditLogTest.java @@ -47,6 +47,7 @@ import org.labkey.test.util.Log4jUtils; import org.labkey.test.util.PermissionsHelper; import org.labkey.test.util.PortalHelper; +import org.labkey.test.util.SearchHelper; import org.labkey.test.util.UIUserHelper; import java.io.BufferedReader; @@ -64,11 +65,11 @@ import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; +import static org.labkey.test.util.PasswordUtil.getUsername; import static org.labkey.test.util.PermissionsHelper.AUTHOR_ROLE; import static org.labkey.test.util.PermissionsHelper.EDITOR_ROLE; import static org.labkey.test.util.PermissionsHelper.FOLDER_ADMIN_ROLE; import static org.labkey.test.util.PermissionsHelper.PROJECT_ADMIN_ROLE; -import static org.labkey.test.util.PasswordUtil.getUsername; @Category({Daily.class, Hosting.class}) @BaseWebDriverTest.ClassTimeout(minutes = 9) 
@@ -79,21 +80,18 @@ public class AuditLogTest extends BaseWebDriverTest public static final String QUERY_UPDATE_EVENT = "Query update events"; public static final String PROJECT_AUDIT_EVENT = "Project and Folder events"; public static final String ASSAY_AUDIT_EVENT = "Link to Study events"; + public static final String COMMENT_COLUMN = "Comment"; private static final String AUDIT_TEST_USER = "audit_user1@auditlog.test"; private static final String AUDIT_TEST_USER2 = "audit_user2@auditlog.test"; private static final String AUDIT_TEST_USER3 = "audit_user3@auditlog.test"; - private static final String AUDIT_SECURITY_GROUP = "Testers"; - private static final String AUDIT_TEST_PROJECT = "AuditVerifyTest"; private static final String AUDIT_DETAILED_TEST_PROJECT = "AuditDetailedLogTest"; private static final String AUDIT_TEST_SUBFOLDER = "AuditVerifyTest_Subfolder"; private static final String AUDIT_PROPERTY_EVENTS_PROJECT = "AuditDomainPropertyEvents"; - - final String DOMAIN_PROPERTY_LOG_NAME = "Domain property events"; - - public static final String COMMENT_COLUMN = "Comment"; + private static final String DOMAIN_PROPERTY_LOG_NAME = "Domain property events"; + private static final String SEARCH_TERM = "doesn't matter"; private final ApiPermissionsHelper permissionsHelper = new ApiPermissionsHelper(this); private final AuditLogHelper _auditLogHelper = new AuditLogHelper(this); 
@@ -377,19 +375,37 @@ protected void canSeeAuditLogTest() createUserWithPermissions(AUDIT_TEST_USER, AUDIT_TEST_PROJECT, EDITOR_ROLE); createUserWithPermissions(AUDIT_TEST_USER2, AUDIT_TEST_PROJECT, PROJECT_ADMIN_ROLE); + // Do a search to ensure an audit entry in /home + clickProject("Home"); + new SearchHelper(this).searchFor(SEARCH_TERM); + goToProjectHome(); + // signed in as an admin so we should see rows here - verifyAuditQueries(true); + verifyAuditQueries(true, getProjectName()); // signed in as an editor should not show any rows for audit query links impersonate(AUDIT_TEST_USER); - verifyAuditQueries(false); + verifyAuditQueries(false, getProjectName()); + verifyAuditQueries(false, "Home"); + stopImpersonating(); + + // Grant the "See Audit Log Events" folder role to our audit user in the project and verify we see audit + // information in this project but not /Home. We pass the fully qualified classnames in the next few calls to + // disambiguate the root role from the folder role. 
+ permissionsHelper.addMemberToRole(AUDIT_TEST_USER, "org.labkey.api.security.roles.CanSeeAuditLogFolderRole", PermissionsHelper.MemberType.user, getProjectName()); + impersonate(AUDIT_TEST_USER); + verifyAuditQueries(true, getProjectName()); + verifyAuditQueries(false, "Home"); stopImpersonating(); + permissionsHelper.removeUserRoleAssignment(AUDIT_TEST_USER, "org.labkey.api.security.roles.CanSeeAuditLogFolderRole", getProjectName()); - // now grant CanSeeAuditLog permission to our audit user and verify - // we see audit information - permissionsHelper.setSiteRoleUserPermissions(AUDIT_TEST_USER, "See Audit Log Events"); + // Grant the "See Audit Log Events" root role to our audit user and verify we see audit information in this + // project and in /Home + permissionsHelper.setSiteRoleUserPermissions(AUDIT_TEST_USER, "org.labkey.api.security.roles.CanSeeAuditLogRole"); impersonate(AUDIT_TEST_USER); - verifyAuditQueries(true); + verifyAuditQueries(true, getProjectName()); + ExecuteQueryPage.beginAt(this, "Home", "auditLog", "SearchAuditEvent"); + verifyAuditQueryEvent(this, "Query", SEARCH_TERM, 1); // cleanup stopImpersonating(); @@ -482,7 +498,7 @@ public void testDetailedQueryUpdateAuditLog() throws IOException, CommandExcepti //then create model (which has detailed audit log level) InsertRowsCommand insertCmd2 = new InsertRowsCommand("vehicle", "models"); rowMap = new HashMap<>(); - rowMap.put("manufacturerId", resp1.getRows().get(0).get("rowid")); + rowMap.put("manufacturerId", resp1.getRows().getFirst().get("rowid")); rowMap.put("name", "Soul"); insertCmd2.addRow(rowMap); insertCmd2.execute(cn, AUDIT_DETAILED_TEST_PROJECT); 
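Review bot: In the `@@ -377` hunk the search seeded in /Home is asserted only in the positive site-role case, so the two `verifyAuditQueries(false, "Home")` calls do not show that the seeded row is hidden from a user without the site role. Per its own hunk later in this patch, `verifyAuditQueries` opens only `ContainerAuditEvent` and `GroupAuditEvent`, and those may show "No data to show." in /Home for reasons unrelated to permissions. After each negative Home call I would add `ExecuteQueryPage.beginAt(this, "Home", "auditLog", "SearchAuditEvent");` followed by `assertTextPresent("No data to show.");`. canSeeAuditLogTest starts and ends outside this hunk.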
@@ -535,17 +551,17 @@ protected void verifyListAuditLogQueries(Visibility v) verifyAuditQueryEvent(this, "List", "Child List", 1, canSeeChild(v)); } - protected void verifyAuditQueries(boolean canSeeAuditLog) + protected void verifyAuditQueries(boolean canSeeAuditLog, String containerPath) { - ExecuteQueryPage.beginAt(this, getProjectName(), "auditLog", "ContainerAuditEvent"); + ExecuteQueryPage.beginAt(this, containerPath, "auditLog", "ContainerAuditEvent"); if (canSeeAuditLog) verifyAuditQueryEvent(this, COMMENT_COLUMN, AUDIT_TEST_PROJECT + " was created", 1); else assertTextPresent("No data to show."); - ExecuteQueryPage.beginAt(this, getProjectName(), "auditLog", "GroupAuditEvent"); + ExecuteQueryPage.beginAt(this, containerPath, "auditLog", "GroupAuditEvent"); if (canSeeAuditLog) - verifyAuditQueryEvent(this, COMMENT_COLUMN, "The user " + AUDIT_TEST_USER + " was assigned to the security role Editor.", 1); + verifyAuditQueryEvent(this, COMMENT_COLUMN, "The user " + AUDIT_TEST_USER + " was assigned to the security role Editor.", 4); else assertTextPresent("No data to show."); } From db338dae2fe7627c95060c5964fab0dcf521a16d Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Wed, 4 Mar 2026 09:05:27 -0800 Subject: [PATCH 2/3] Disambiguate site vs. folder see audit events roles --- src/org/labkey/test/tests/AbstractAssayTest.java | 5 +++-- src/org/labkey/test/tests/AuditLogTest.java | 8 +++++--- src/org/labkey/test/util/PermissionsHelper.java | 5 +++++ 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/src/org/labkey/test/tests/AbstractAssayTest.java b/src/org/labkey/test/tests/AbstractAssayTest.java index 58a7a0fcb0..9ac92692d0 100644 --- a/src/org/labkey/test/tests/AbstractAssayTest.java +++ b/src/org/labkey/test/tests/AbstractAssayTest.java 
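Review bot: With `containerPath` now a parameter, the `canSeeAuditLog == true` branch still expects `AUDIT_TEST_PROJECT + " was created"` and the Editor assignment of `AUDIT_TEST_USER`, so it is only meaningful for the test project; a call such as `verifyAuditQueries(true, "Home")` would fail for reasons unrelated to permissions. A short Javadoc stating that the positive branch assumes `containerPath` is the AuditVerifyTest project, while the negative branch works for any container, would prevent that misuse. The last argument changing from `1` to `4` is also unexplained; if it is the number of rows searched, a comment such as `// the folder-role grant and revoke in canSeeAuditLogTest add newer group events above this row` would record why.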
@@ -36,6 +36,7 @@ import static org.labkey.test.params.FieldDefinition.DOMAIN_TRICKY_CHARACTERS; import static org.labkey.test.util.PermissionsHelper.EDITOR_ROLE; import static org.labkey.test.util.PermissionsHelper.READER_ROLE; +import static org.labkey.test.util.PermissionsHelper.SEE_AUDIT_LOG_SITE_ROLE; /** * @deprecated TODO: Move shared functionality to a Helper class @@ -209,8 +210,8 @@ protected void setupEnvironment() //add a PI user to that group permissionsHelper.addUserToProjGroup(TEST_ASSAY_USR_PI1, getProjectName(), TEST_ASSAY_GRP_PIS); - // give the PI user "CanSeeAuditLog" permission - permissionsHelper.setSiteRoleUserPermissions(TEST_ASSAY_USR_PI1, "See Audit Log Events"); + // give the PI user site "CanSeeAuditLog" permission + permissionsHelper.setSiteRoleUserPermissions(TEST_ASSAY_USR_PI1, SEE_AUDIT_LOG_SITE_ROLE); //add a lab tech user to the Users group permissionsHelper.addUserToProjGroup(TEST_ASSAY_USR_TECH1, getProjectName(), TEST_ASSAY_GRP_USERS); diff --git a/src/org/labkey/test/tests/AuditLogTest.java b/src/org/labkey/test/tests/AuditLogTest.java index 6ea185d06e..00853b70ac 100644 --- a/src/org/labkey/test/tests/AuditLogTest.java +++ b/src/org/labkey/test/tests/AuditLogTest.java @@ -70,6 +70,8 @@ import static org.labkey.test.util.PermissionsHelper.EDITOR_ROLE; import static org.labkey.test.util.PermissionsHelper.FOLDER_ADMIN_ROLE; import static org.labkey.test.util.PermissionsHelper.PROJECT_ADMIN_ROLE; +import static org.labkey.test.util.PermissionsHelper.SEE_AUDIT_LOG_FOLDER_ROLE; +import static org.labkey.test.util.PermissionsHelper.SEE_AUDIT_LOG_SITE_ROLE; @Category({Daily.class, Hosting.class}) @BaseWebDriverTest.ClassTimeout(minutes = 9) 
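Review bot: In the `@@ -209` hunk the PI user still receives the site-wide role, which makes audit events from every container visible to that account. Now that a folder-scoped role exists, consider `permissionsHelper.addMemberToRole(TEST_ASSAY_USR_PI1, SEE_AUDIT_LOG_FOLDER_ROLE, PermissionsHelper.MemberType.user, getProjectName());` (with the matching static import) if the assay tests only read audit events inside this project; that keeps the fixture least-privileged and exercises the narrower role. If site scope is genuinely required, a comment naming the check that needs it would help. setupEnvironment continues outside the hunk.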
@@ -392,16 +394,16 @@ protected void canSeeAuditLogTest() // Grant the "See Audit Log Events" folder role to our audit user in the project and verify we see audit // information in this project but not /Home. We pass the fully qualified classnames in the next few calls to // disambiguate the root role from the folder role. - permissionsHelper.addMemberToRole(AUDIT_TEST_USER, "org.labkey.api.security.roles.CanSeeAuditLogFolderRole", PermissionsHelper.MemberType.user, getProjectName()); + permissionsHelper.addMemberToRole(AUDIT_TEST_USER, SEE_AUDIT_LOG_FOLDER_ROLE, PermissionsHelper.MemberType.user, getProjectName()); impersonate(AUDIT_TEST_USER); verifyAuditQueries(true, getProjectName()); verifyAuditQueries(false, "Home"); stopImpersonating(); - permissionsHelper.removeUserRoleAssignment(AUDIT_TEST_USER, "org.labkey.api.security.roles.CanSeeAuditLogFolderRole", getProjectName()); + permissionsHelper.removeUserRoleAssignment(AUDIT_TEST_USER, SEE_AUDIT_LOG_FOLDER_ROLE, getProjectName()); // Grant the "See Audit Log Events" root role to our audit user and verify we see audit information in this // project and in /Home - permissionsHelper.setSiteRoleUserPermissions(AUDIT_TEST_USER, "org.labkey.api.security.roles.CanSeeAuditLogRole"); + permissionsHelper.setSiteRoleUserPermissions(AUDIT_TEST_USER, SEE_AUDIT_LOG_SITE_ROLE); impersonate(AUDIT_TEST_USER); verifyAuditQueries(true, getProjectName()); ExecuteQueryPage.beginAt(this, "Home", "auditLog", "SearchAuditEvent"); diff --git a/src/org/labkey/test/util/PermissionsHelper.java b/src/org/labkey/test/util/PermissionsHelper.java index cf1ba40fa0..004d585c85 100644 --- a/src/org/labkey/test/util/PermissionsHelper.java +++ b/src/org/labkey/test/util/PermissionsHelper.java 
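Review bot: Nothing checks that `removeUserRoleAssignment(AUDIT_TEST_USER, SEE_AUDIT_LOG_FOLDER_ROLE, getProjectName())` actually took effect, because the next step grants the site role and would mask a revoke that silently failed. Adding `impersonate(AUDIT_TEST_USER); verifyAuditQueries(false, getProjectName()); stopImpersonating();` right after the removal would cover the revocation path. The comment above still says fully qualified class names are passed "in the next few calls"; with the constants in place it could read `// The site and folder roles share a friendly name, so use the PermissionsHelper constants`. canSeeAuditLogTest starts and ends outside the hunk.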
@@ -47,6 +47,11 @@ public abstract class PermissionsHelper public static final String AUTHOR_ROLE = "Author"; public static final String SUBMITTER_ROLE = "Submitter"; + // These two roles have the same friendly name; disambiguate using their fully qualified class names + public static final String SEE_AUDIT_LOG_SITE_ROLE = "org.labkey.api.security.roles.CanSeeAuditLogRole"; + public static final String SEE_AUDIT_LOG_FOLDER_ROLE = "org.labkey.api.security.roles.CanSeeAuditLogFolderRole"; + + // Should "See Audit Log" roles be added here? public static final Set AUDIT_LOG_VIEWER_ROLES = Set.of(SITE_ADMIN_ROLE, APP_ADMIN_ROLE, PROJECT_ADMIN_ROLE, FOLDER_ADMIN_ROLE); public static boolean canSeeAuditLogs(String roleName) From d0e33a3a0871dcdf11ea0a28dbea40466649aee6 Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Wed, 4 Mar 2026 09:07:10 -0800 Subject: [PATCH 3/3] Comment --- src/org/labkey/test/util/PermissionsHelper.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/org/labkey/test/util/PermissionsHelper.java b/src/org/labkey/test/util/PermissionsHelper.java index 004d585c85..8a4bc85741 100644 --- a/src/org/labkey/test/util/PermissionsHelper.java +++ b/src/org/labkey/test/util/PermissionsHelper.java @@ -51,7 +51,7 @@ public abstract class PermissionsHelper public static final String SEE_AUDIT_LOG_SITE_ROLE = "org.labkey.api.security.roles.CanSeeAuditLogRole"; public static final String SEE_AUDIT_LOG_FOLDER_ROLE = "org.labkey.api.security.roles.CanSeeAuditLogFolderRole"; - // Should "See Audit Log" roles be added here? + // TODO: Should "See Audit Log" roles be added here? public static final Set AUDIT_LOG_VIEWER_ROLES = Set.of(SITE_ADMIN_ROLE, APP_ADMIN_ROLE, PROJECT_ADMIN_ROLE, FOLDER_ADMIN_ROLE); public static boolean canSeeAuditLogs(String roleName)
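Review bot: `AUDIT_LOG_VIEWER_ROLES` still lists only the four admin roles, so `canSeeAuditLogs(roleName)` presumably returns false for both new constants even though those roles exist to grant audit visibility; its body is outside the hunk, so this is inferred from the set alone. Tests that derive the expected visibility from that helper would then expect no rows for a user who can in fact read the log. Until the TODO from patch 3/3 is resolved, a comment stating that the exclusion is deliberate would help, e.g. `// Excludes the SEE_AUDIT_LOG_* roles: they are identified by class name, not by friendly name` (assuming the admin constants are friendly names like `AUTHOR_ROLE`).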