[SYNCOPE-1856] - Added test

fit/core-reference/src/test/java/org/apache/syncope/fit/core/RealmITCase.java

@@ -22,6 +22,7 @@
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 
@@ -40,17 +41,22 @@
 import org.apache.syncope.common.lib.policy.DefaultAccountRuleConf;
 import org.apache.syncope.common.lib.policy.DefaultAttrReleasePolicyConf;
 import org.apache.syncope.common.lib.policy.DefaultAuthPolicyConf;
+import org.apache.syncope.common.lib.request.UserCR;
 import org.apache.syncope.common.lib.to.ImplementationTO;
 import org.apache.syncope.common.lib.to.PagedResult;
 import org.apache.syncope.common.lib.to.ProvisioningResult;
 import org.apache.syncope.common.lib.to.RealmTO;
+import org.apache.syncope.common.lib.to.RoleTO;
+import org.apache.syncope.common.lib.to.UserTO;
 import org.apache.syncope.common.lib.types.ClientExceptionType;
 import org.apache.syncope.common.lib.types.ExecStatus;
+import org.apache.syncope.common.lib.types.IdRepoEntitlement;
 import org.apache.syncope.common.lib.types.IdRepoImplementationType;
 import org.apache.syncope.common.lib.types.ImplementationEngine;
 import org.apache.syncope.common.lib.types.PolicyType;
 import org.apache.syncope.common.rest.api.RESTHeaders;
 import org.apache.syncope.common.rest.api.beans.RealmQuery;
+import org.apache.syncope.common.rest.api.service.RealmService;
 import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
 import org.apache.syncope.fit.AbstractITCase;
 import org.junit.jupiter.api.Test;
@@ -401,4 +407,49 @@ public void issueSYNCOPE1472() {
 
         assertFalse(realmTO.getResources().contains("resource-ldap-orgunit"), "Should not contain removed resources");
     }
+
+        @Test
+    public void issueSYNCOPE1856() {
+        // CREATE ROLE
+        RoleTO roleTO = new RoleTO();
+        roleTO.getEntitlements()
+                .addAll(List.of(IdRepoEntitlement.REALM_SEARCH, IdRepoEntitlement.REALM_CREATE,
+                        IdRepoEntitlement.REALM_UPDATE, IdRepoEntitlement.REALM_DELETE));
+        roleTO.getRealms().add("/even");
+        roleTO.setKey("REALM_ADMIN");
+        Response roleResponse = ROLE_SERVICE.create(roleTO);
+        assertEquals(Response.Status.CREATED.getStatusCode(), roleResponse.getStatusInfo().getStatusCode());
+
+        // CREATE REALM MANAGER
+        UserCR userCR = UserITCase.getUniqueSample("[email protected]");
+        userCR.setUsername("manager");
+        userCR.setRealm("/even");
+        userCR.getRoles().add(roleTO.getKey());
+        UserTO manager = createUser(userCR).getEntity();
+
+        RealmService managerRealmService = CLIENT_FACTORY.create(manager.getUsername(), "password123")
+                .getService(RealmService.class);
+
+        // MANAGER CANNOT CREATE REALM CHILD OF /
+        RealmTO realmTO = new RealmTO();
+        realmTO.setName("child");
+        assertThrows(SyncopeClientException.class, () -> managerRealmService.create("/", realmTO));
+
+        Response response = REALM_SERVICE.create("/", realmTO);
+        assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatusInfo().getStatusCode());
+        RealmTO childRealm = REALM_SERVICE.search(new RealmQuery.Builder().base("/").keyword("child").build())
+                .getResult()
+                .get(0);
+
+        // MANAGER CANNOT UPDATE /child
+        assertThrows(SyncopeClientException.class, () -> managerRealmService.update(childRealm));
+
+        // MANAGER CANNOT DELETE /child
+        assertThrows(SyncopeClientException.class, () -> managerRealmService.delete(childRealm.getFullPath()));
+
+        //CLEAN
+        deleteUser(manager.getKey());
+        ROLE_SERVICE.delete("REALM_ADMIN");
+        REALM_SERVICE.delete("/child");
+    }
 }