component-test/src/main/java/org/apache/fineract/cn/anubis/TestAnubisTenantPermissions.java - fineract-cn-anubis - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.fineract.cn.anubis;

 import org.apache.fineract.cn.anubis.api.v1.domain.AllowedOperation;
 import org.apache.fineract.cn.anubis.example.noinitialize.UserContext;
 import org.apache.fineract.cn.anubis.test.v1.TenantApplicationSecurityEnvironmentTestRule;
 import org.apache.fineract.cn.api.context.AutoSeshat;
 import org.apache.fineract.cn.api.context.AutoUserContext;
 import org.apache.fineract.cn.api.util.InvalidTokenException;
 import org.apache.fineract.cn.api.util.NotFoundException;
 import org.apache.fineract.cn.lang.AutoTenantContext;
 import org.apache.fineract.cn.test.env.TestEnvironment;
 import org.junit.Assert;
 import org.junit.Rule;
 import org.junit.Test;

 /**
  * @author Myrle Krantz
  */
 public class TestAnubisTenantPermissions extends AbstractNoInitializeTest {
   private static final String DUMMY_URI = "/dummy";
   private static final String DESIGNATOR_URI = "/parameterized/{useridentifier}/with/*/parameters";
   private static final String USER_NAME = "Meryre";

   @Rule
   public final TenantApplicationSecurityEnvironmentTestRule tenantApplicationSecurityEnvironment = new TenantApplicationSecurityEnvironmentTestRule(testEnvironment);

   @Test
   public void readPermissionShouldWorkToRead()
   {
     try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.READ))
     {
       example.getDummy();
     }
   }

   @Test(expected = NotFoundException.class)
   public void readPermissionShouldNotWorkToWrite()
   {
     try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.READ))
     {
       example.createDummy();
     }
   }

   @Test(expected = NotFoundException.class)
   public void readPermissionShouldNotWorkToDelete()
   {
     try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.READ))
     {
       example.deleteDummy();
     }
   }

   @Test
   public void changePermissionShouldWorkToWrite()
   {
     try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.CHANGE))
     {
       example.createDummy();
     }
   }

   @Test(expected = NotFoundException.class)
   public void changePermissionShouldNotWorkToRead()
   {
     try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.CHANGE))
     {
       example.getDummy();
     }
   }

   @Test(expected = NotFoundException.class)
   public void changePermissionShouldNotWorkToDelete()
   {
     try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.CHANGE))
     {
       example.deleteDummy();
     }
   }

   @Test
   public void deletePermissionShouldWorkToDelete()
   {
     try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.DELETE))
     {
       example.deleteDummy();
     }
   }

   @Test(expected = NotFoundException.class)
   public void deletePermissionShouldNotWorkToRead()
   {
     try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.DELETE))
     {
       example.getDummy();
     }
   }

   @Test(expected = NotFoundException.class)
   public void deletePermissionShouldNotWorkToChange()
   {
     try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.DELETE))
     {
       example.createDummy();
     }
   }

   @Test(expected = InvalidTokenException.class)
   public void tokenForWrongTenantShouldNotWork()
   {
     final String permissionToken;
     try (final AutoTenantContext ignored = TestEnvironment.createRandomTenantContext()) {
       permissionToken = tenantApplicationSecurityEnvironment.getPermissionToken(USER_NAME, DUMMY_URI, AllowedOperation.READ);
     }

     try (final AutoUserContext ignored = new AutoUserContext(USER_NAME, permissionToken))
     {
       example.getDummy();
     }
   }

   @Test(expected = InvalidTokenException.class)
   public void expiredTokenShouldNotWork() throws InterruptedException {
     final String permissionToken;
     try (final AutoTenantContext ignored = TestEnvironment.createRandomTenantContext()) {
       permissionToken = tenantApplicationSecurityEnvironment.getPermissionToken(USER_NAME, DUMMY_URI, AllowedOperation.READ);
     }

     Thread.sleep(150);

     try (final AutoUserContext ignored = new AutoUserContext(USER_NAME, permissionToken))
     {
       example.getDummy();
     }
   }

   @Test(expected = InvalidTokenException.class)
   public void tokenForWrongUserShouldNotWork() throws InterruptedException {
     final String permissionToken = tenantApplicationSecurityEnvironment.getPermissionToken(USER_NAME, DUMMY_URI, AllowedOperation.READ);

     try (final AutoUserContext ignored = new AutoUserContext("Menna", permissionToken))
     {
       example.getDummy();
     }
   }

   @Test(expected = NotFoundException.class)
   public void requestForAnotherUsersInformationWhenYoureOnlyPermittedToAccessOwnShouldNotWork()
   {
     try (final AutoUserContext ignored = setPermissionContext(DESIGNATOR_URI, AllowedOperation.READ))
     {
       example.parameterized("wrong_user_name", "silly_parameter");
     }
   }

   @Test
   public void requestYourOwnInformationWhenYoureOnlyPermittedToAccessOwnShouldWork()
   {
     try (final AutoUserContext ignored = setPermissionContext(DESIGNATOR_URI, AllowedOperation.READ))
     {
       final String ret = example.parameterized(USER_NAME, "silly_parameter");
       Assert.assertEquals(ret, USER_NAME+"silly_parameter"+42);
     }
   }

   @Test
   public void tenantTokenForSystemEndpointShouldNotWorkRegardlessOfPermissions()
   {
     try (final AutoSeshat ignored = new AutoSeshat(tenantApplicationSecurityEnvironment.systemToken()))
     {
       example.callSystemEndpoint();
     }
     catch (final InvalidTokenException e)
     {
       Assert.fail("call to system endpoint with system token should succeed.");
     }

     try (final AutoUserContext ignored = setPermissionContext("/systemendpoint", AllowedOperation.CHANGE))
     {
       example.callSystemEndpoint();
     }
   }

   @Test
   public void userNameShouldBeCorrectlySetInUserContext()
   {
     try (final AutoUserContext ignored = setPermissionContext("/usercontext", AllowedOperation.READ))
     {
       final UserContext context = example.getUserContext();
       Assert.assertEquals(USER_NAME, context.getUserIdentifier());
     }
   }

   private AutoUserContext setPermissionContext(final String uri, final AllowedOperation allowedOperation)
   {
     final String permissionToken = tenantApplicationSecurityEnvironment.getPermissionToken(USER_NAME, uri, allowedOperation);

     return new AutoUserContext(USER_NAME, permissionToken);
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.fineract.cn.anubis;

	import org.apache.fineract.cn.anubis.api.v1.domain.AllowedOperation;
	import org.apache.fineract.cn.anubis.example.noinitialize.UserContext;
	import org.apache.fineract.cn.anubis.test.v1.TenantApplicationSecurityEnvironmentTestRule;
	import org.apache.fineract.cn.api.context.AutoSeshat;
	import org.apache.fineract.cn.api.context.AutoUserContext;
	import org.apache.fineract.cn.api.util.InvalidTokenException;
	import org.apache.fineract.cn.api.util.NotFoundException;
	import org.apache.fineract.cn.lang.AutoTenantContext;
	import org.apache.fineract.cn.test.env.TestEnvironment;
	import org.junit.Assert;
	import org.junit.Rule;
	import org.junit.Test;

	/**
	* @author Myrle Krantz
	*/
	public class TestAnubisTenantPermissions extends AbstractNoInitializeTest {
	private static final String DUMMY_URI = "/dummy";
	private static final String DESIGNATOR_URI = "/parameterized/{useridentifier}/with/*/parameters";
	private static final String USER_NAME = "Meryre";

	@Rule
	public final TenantApplicationSecurityEnvironmentTestRule tenantApplicationSecurityEnvironment = new TenantApplicationSecurityEnvironmentTestRule(testEnvironment);

	@Test
	public void readPermissionShouldWorkToRead()
	{
	try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.READ))
	{
	example.getDummy();
	}
	}

	@Test(expected = NotFoundException.class)
	public void readPermissionShouldNotWorkToWrite()
	{
	try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.READ))
	{
	example.createDummy();
	}
	}

	@Test(expected = NotFoundException.class)
	public void readPermissionShouldNotWorkToDelete()
	{
	try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.READ))
	{
	example.deleteDummy();
	}
	}

	@Test
	public void changePermissionShouldWorkToWrite()
	{
	try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.CHANGE))
	{
	example.createDummy();
	}
	}

	@Test(expected = NotFoundException.class)
	public void changePermissionShouldNotWorkToRead()
	{
	try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.CHANGE))
	{
	example.getDummy();
	}
	}

	@Test(expected = NotFoundException.class)
	public void changePermissionShouldNotWorkToDelete()
	{
	try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.CHANGE))
	{
	example.deleteDummy();
	}
	}

	@Test
	public void deletePermissionShouldWorkToDelete()
	{
	try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.DELETE))
	{
	example.deleteDummy();
	}
	}

	@Test(expected = NotFoundException.class)
	public void deletePermissionShouldNotWorkToRead()
	{
	try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.DELETE))
	{
	example.getDummy();
	}
	}

	@Test(expected = NotFoundException.class)
	public void deletePermissionShouldNotWorkToChange()
	{
	try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.DELETE))
	{
	example.createDummy();
	}
	}

	@Test(expected = InvalidTokenException.class)
	public void tokenForWrongTenantShouldNotWork()
	{
	final String permissionToken;
	try (final AutoTenantContext ignored = TestEnvironment.createRandomTenantContext()) {
	permissionToken = tenantApplicationSecurityEnvironment.getPermissionToken(USER_NAME, DUMMY_URI, AllowedOperation.READ);
	}

	try (final AutoUserContext ignored = new AutoUserContext(USER_NAME, permissionToken))
	{
	example.getDummy();
	}
	}

	@Test(expected = InvalidTokenException.class)
	public void expiredTokenShouldNotWork() throws InterruptedException {
	final String permissionToken;
	try (final AutoTenantContext ignored = TestEnvironment.createRandomTenantContext()) {
	permissionToken = tenantApplicationSecurityEnvironment.getPermissionToken(USER_NAME, DUMMY_URI, AllowedOperation.READ);
	}

	Thread.sleep(150);

	try (final AutoUserContext ignored = new AutoUserContext(USER_NAME, permissionToken))
	{
	example.getDummy();
	}
	}

	@Test(expected = InvalidTokenException.class)
	public void tokenForWrongUserShouldNotWork() throws InterruptedException {
	final String permissionToken = tenantApplicationSecurityEnvironment.getPermissionToken(USER_NAME, DUMMY_URI, AllowedOperation.READ);

	try (final AutoUserContext ignored = new AutoUserContext("Menna", permissionToken))
	{
	example.getDummy();
	}
	}

	@Test(expected = NotFoundException.class)
	public void requestForAnotherUsersInformationWhenYoureOnlyPermittedToAccessOwnShouldNotWork()
	{
	try (final AutoUserContext ignored = setPermissionContext(DESIGNATOR_URI, AllowedOperation.READ))
	{
	example.parameterized("wrong_user_name", "silly_parameter");
	}
	}

	@Test
	public void requestYourOwnInformationWhenYoureOnlyPermittedToAccessOwnShouldWork()
	{
	try (final AutoUserContext ignored = setPermissionContext(DESIGNATOR_URI, AllowedOperation.READ))
	{
	final String ret = example.parameterized(USER_NAME, "silly_parameter");
	Assert.assertEquals(ret, USER_NAME+"silly_parameter"+42);
	}
	}

	@Test
	public void tenantTokenForSystemEndpointShouldNotWorkRegardlessOfPermissions()
	{
	try (final AutoSeshat ignored = new AutoSeshat(tenantApplicationSecurityEnvironment.systemToken()))
	{
	example.callSystemEndpoint();
	}
	catch (final InvalidTokenException e)
	{
	Assert.fail("call to system endpoint with system token should succeed.");
	}

	try (final AutoUserContext ignored = setPermissionContext("/systemendpoint", AllowedOperation.CHANGE))
	{
	example.callSystemEndpoint();
	}
	}

	@Test
	public void userNameShouldBeCorrectlySetInUserContext()
	{
	try (final AutoUserContext ignored = setPermissionContext("/usercontext", AllowedOperation.READ))
	{
	final UserContext context = example.getUserContext();
	Assert.assertEquals(USER_NAME, context.getUserIdentifier());
	}
	}

	private AutoUserContext setPermissionContext(final String uri, final AllowedOperation allowedOperation)
	{
	final String permissionToken = tenantApplicationSecurityEnvironment.getPermissionToken(USER_NAME, uri, allowedOperation);

	return new AutoUserContext(USER_NAME, permissionToken);
	}
	}