/*
* Copyright 2017 The Mifos Initiative.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.mifos.anubis;
import io.mifos.anubis.api.v1.domain.AllowedOperation;
import io.mifos.anubis.example.noinitialize.UserContext;
import io.mifos.anubis.test.v1.TenantApplicationSecurityEnvironmentTestRule;
import io.mifos.core.api.context.AutoSeshat;
import io.mifos.core.api.context.AutoUserContext;
import io.mifos.core.api.util.InvalidTokenException;
import io.mifos.core.api.util.NotFoundException;
import io.mifos.core.lang.AutoTenantContext;
import io.mifos.core.test.env.TestEnvironment;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
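/**
 * Permission tests for tenant user tokens and system tokens.
 *
 * <p>Positive cases (READ may read, CHANGE may write, DELETE may delete) only expect the
 * call to return. Negative cases expect {@link NotFoundException}, which is how the
 * example service reports a call the presented token does not permit (see the
 * {@code expected} attributes below). A token minted for another tenant, an expired
 * token, and a token presented under a different user name are expected to be
 * rejected with {@link InvalidTokenException}.
 *
 * @author Myrle Krantz
 */
public class TestAnubisTenantPermissions extends AbstractNoInitializeTest {
  private static final String DUMMY_URI = "/dummy";
  // Permission URI with a user-identifier placeholder: a token for it is only good for the
  // caller's own identifier (see the two "...PermittedToAccessOwn..." tests).
  private static final String DESIGNATOR_URI = "/parameterized/{useridentifier}/with/*/parameters";
  private static final String USER_NAME = "Meryre";

  @Rule
  public final TenantApplicationSecurityEnvironmentTestRule tenantApplicationSecurityEnvironment
      = new TenantApplicationSecurityEnvironmentTestRule(testEnvironment);

  @Test
  public void readPermissionShouldWorkToRead() {
    try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.READ)) {
      example.getDummy();
    }
  }

  @Test(expected = NotFoundException.class)
  public void readPermissionShouldNotWorkToWrite() {
    try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.READ)) {
      example.createDummy();
    }
  }

  @Test(expected = NotFoundException.class)
  public void readPermissionShouldNotWorkToDelete() {
    try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.READ)) {
      example.deleteDummy();
    }
  }

  @Test
  public void changePermissionShouldWorkToWrite() {
    try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.CHANGE)) {
      example.createDummy();
    }
  }

  @Test(expected = NotFoundException.class)
  public void changePermissionShouldNotWorkToRead() {
    try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.CHANGE)) {
      example.getDummy();
    }
  }

  @Test(expected = NotFoundException.class)
  public void changePermissionShouldNotWorkToDelete() {
    try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.CHANGE)) {
      example.deleteDummy();
    }
  }

  @Test
  public void deletePermissionShouldWorkToDelete() {
    try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.DELETE)) {
      example.deleteDummy();
    }
  }

  @Test(expected = NotFoundException.class)
  public void deletePermissionShouldNotWorkToRead() {
    try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.DELETE)) {
      example.getDummy();
    }
  }

  @Test(expected = NotFoundException.class)
  public void deletePermissionShouldNotWorkToChange() {
    try (final AutoUserContext ignored = setPermissionContext(DUMMY_URI, AllowedOperation.DELETE)) {
      example.createDummy();
    }
  }

  /** A token minted under some other tenant must be rejected when used under this tenant. */
  @Test(expected = InvalidTokenException.class)
  public void tokenForWrongTenantShouldNotWork() {
    final String permissionToken;
    try (final AutoTenantContext ignored = TestEnvironment.createRandomTenantContext()) {
      permissionToken = tenantApplicationSecurityEnvironment.getPermissionToken(USER_NAME, DUMMY_URI, AllowedOperation.READ);
    }
    try (final AutoUserContext ignored = new AutoUserContext(USER_NAME, permissionToken)) {
      example.getDummy();
    }
  }

  /**
   * A token that has outlived its validity must be rejected.
   *
   * <p>The 150 ms pause presumes the test environment issues very short-lived tokens;
   * the TTL itself is configured outside this class.
   */
  @Test(expected = InvalidTokenException.class)
  public void expiredTokenShouldNotWork() throws InterruptedException {
    final String permissionToken;
    // NOTE(review): the token is minted under a random tenant, exactly as in
    // tokenForWrongTenantShouldNotWork, so this test would also pass on the tenant
    // mismatch alone and does not isolate expiry. Minting under the current tenant
    // (as tokenForWrongUserShouldNotWork does) would make it a genuine expiry test —
    // left unchanged here because the configured TTL is not visible in this file.
    try (final AutoTenantContext ignored = TestEnvironment.createRandomTenantContext()) {
      permissionToken = tenantApplicationSecurityEnvironment.getPermissionToken(USER_NAME, DUMMY_URI, AllowedOperation.READ);
    }
    Thread.sleep(150);
    try (final AutoUserContext ignored = new AutoUserContext(USER_NAME, permissionToken)) {
      example.getDummy();
    }
  }

  /** A token issued to one user must not be usable under another user name. */
  @Test(expected = InvalidTokenException.class)
  public void tokenForWrongUserShouldNotWork() throws InterruptedException {
    final String permissionToken = tenantApplicationSecurityEnvironment.getPermissionToken(USER_NAME, DUMMY_URI, AllowedOperation.READ);
    try (final AutoUserContext ignored = new AutoUserContext("Menna", permissionToken)) {
      example.getDummy();
    }
  }

  @Test(expected = NotFoundException.class)
  public void requestForAnotherUsersInformationWhenYoureOnlyPermittedToAccessOwnShouldNotWork() {
    try (final AutoUserContext ignored = setPermissionContext(DESIGNATOR_URI, AllowedOperation.READ)) {
      example.parameterized("wrong_user_name", "silly_parameter");
    }
  }

  @Test
  public void requestYourOwnInformationWhenYoureOnlyPermittedToAccessOwnShouldWork() {
    try (final AutoUserContext ignored = setPermissionContext(DESIGNATOR_URI, AllowedOperation.READ)) {
      final String ret = example.parameterized(USER_NAME, "silly_parameter");
      // JUnit's assertEquals takes (expected, actual); keeping that order makes the failure message read correctly.
      Assert.assertEquals(USER_NAME + "silly_parameter" + 42, ret);
    }
  }

  /**
   * A system token must reach the system endpoint, and a tenant user token must not,
   * even when that token carries CHANGE permission on the endpoint's URI.
   */
  @Test
  public void tenantTokenForSystemEndpointShouldNotWorkRegardlessOfPermissions() {
    try (final AutoSeshat ignored = new AutoSeshat(tenantApplicationSecurityEnvironment.systemToken())) {
      example.callSystemEndpoint();
    }
    catch (final InvalidTokenException e) {
      Assert.fail("call to system endpoint with system token should succeed.");
    }

    // The negative half must actively fail if the call goes through; without the
    // Assert.fail below an accepted tenant token would let this test pass silently.
    try (final AutoUserContext ignored = setPermissionContext("/systemendpoint", AllowedOperation.CHANGE)) {
      example.callSystemEndpoint();
      Assert.fail("call to system endpoint with a tenant token should be rejected regardless of permissions.");
    }
    catch (final InvalidTokenException | NotFoundException expected) {
      // Rejected as required. Which of the two the service raises for this case is not
      // visible here — narrow the catch once confirmed.
    }
  }

  @Test
  public void userNameShouldBeCorrectlySetInUserContext() {
    try (final AutoUserContext ignored = setPermissionContext("/usercontext", AllowedOperation.READ)) {
      final UserContext context = example.getUserContext();
      Assert.assertEquals(USER_NAME, context.getUserIdentifier());
    }
  }

  /**
   * Mints a permission token for {@link #USER_NAME} on the given URI and operation and
   * installs it as the current user context.
   *
   * @param uri the permission URI the token is scoped to
   * @param allowedOperation the operation the token permits on that URI
   * @return the user context to be closed by the caller (try-with-resources)
   */
  private AutoUserContext setPermissionContext(final String uri, final AllowedOperation allowedOperation) {
    final String permissionToken = tenantApplicationSecurityEnvironment.getPermissionToken(USER_NAME, uri, allowedOperation);
    return new AutoUserContext(USER_NAME, permissionToken);
  }
}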