This is an automated email from the ASF dual-hosted git repository. martin_s pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/archiva-redback-core.git
commit b2a150fc5b619a9c70ac50b722a5ecb4437b6585
Author: Martin Stockhammer <[email protected]>
AuthorDate: Wed Sep 30 21:13:52 2020 +0200
Adding permission tests for v2 API
---
.../redback/rest/api/services/v2/UserService.java | 5 +-
.../rest/services/v2/NativeUserServiceTest.java | 110 ++++++++++++++++++++-
2 files changed, 112 insertions(+), 3 deletions(-)
diff --git a/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/v2/UserService.java b/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/v2/UserService.java
index ee83204..e87d77d 100644
--- a/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/v2/UserService.java
+++ b/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/v2/UserService.java
@@ -433,10 +433,11 @@ public interface UserService
 @Path( "{userId}/operations" )
 @GET
 @Produces( { MediaType.APPLICATION_JSON } )
- @RedbackAuthorization( permissions = RedbackRoleConstants.USER_MANAGEMENT_USER_LIST_OPERATION )
+ @RedbackAuthorization( permissions = RedbackRoleConstants.USER_MANAGEMENT_USER_VIEW_OPERATION,
+ resource = "{userId}")
 @io.swagger.v3.oas.annotations.Operation( summary = "Returns a list of privileged operations assigned to the given user.",
 security = {
- @SecurityRequirement( name = RedbackRoleConstants.USER_MANAGEMENT_USER_LIST_OPERATION )
+ @SecurityRequirement( name = RedbackRoleConstants.USER_MANAGEMENT_USER_VIEW_OPERATION )
 },
 responses = {
 @ApiResponse( responseCode = "200",
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/v2/NativeUserServiceTest.java b/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/v2/NativeUserServiceTest.java
index da3c666..09e051b 100644
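Review bot: The switch to `resource = "{userId}"` makes this a resource-scoped check, but nothing in the OpenAPI annotation tells an API consumer that a caller without the global view permission is only accepted for their own userId; the `@SecurityRequirement` name alone reads like a flat permission. I would add a `description` to the `@Operation`, e.g. `description = "Requires the user-view permission, either globally or for the given userId (a user may read their own operations)."`. The sibling `{userId}/permissions` endpoint is exercised with the same self/other expectations by the tests in this commit, so it presumably carries the identical `@RedbackAuthorization` — it is outside this hunk, worth confirming. The annotated method continues past the end of the hunk.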
--- a/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/v2/NativeUserServiceTest.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/v2/NativeUserServiceTest.java
@@ -19,6 +19,8 @@ package org.apache.archiva.redback.rest.services.v2;
 */
 
 import io.restassured.response.Response;
+import org.apache.archiva.redback.rest.api.model.Operation;
+import org.apache.archiva.redback.rest.api.model.Permission;
 import org.apache.archiva.redback.rest.api.model.v2.User;
 import org.apache.archiva.redback.rest.services.mock.EmailMessage;
 import org.junit.jupiter.api.AfterAll;
@@ -1099,9 +1101,83 @@ public class NativeUserServiceTest extends AbstractNativeRestServices
 Response response = given( ).spec( getRequestSpec( token ) ).contentType( JSON )
 .when( )
 .get( "aragorn/permissions" )
+ .then( ).statusCode( 200 ).extract( ).response( );
+ List<Permission> result = response.getBody( ).jsonPath( ).getList( "", Permission.class );
+ assertNotNull( result );
+ assertEquals( 2, result.size( ) );
+ assertTrue( result.stream( ).anyMatch( permission -> permission.getName( ).equals( "Edit User Data by Username" ) ) );
+ assertTrue( result.stream( ).anyMatch( permission -> permission.getName( ).equals( "View User Data by Username" ) ) );
+ }
+ finally
+ {
+ given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON )
+ .delete( "aragorn" )
+ .then( ).statusCode( 200 );
+ }
+ }
+
+ @Test
+ void getUserPermissionsInvalidPermission( )
+ {
+ String adminToken = getAdminToken( );
+ Map<String, Object> jsonAsMap = new HashMap<>( );
+ jsonAsMap.put( "user_id", "aragorn" );
+ jsonAsMap.put( "email", "[email protected]" );
+ jsonAsMap.put( "fullName", "Aragorn King of Gondor" );
+ jsonAsMap.put( "validated", true );
+ jsonAsMap.put( "password", "pAssw0rD" );
+ given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON )
+ .body( jsonAsMap )
+ .when( )
+ .post( )
+ .then( ).statusCode( 201 );
+ try
+ {
+
+ String token = getUserToken( "aragorn", "pAssw0rD" );
+ given( ).spec( getRequestSpec( token ) ).contentType( JSON )
+ .when( )
+ .get( "admin/permissions" )
+ .then( ).statusCode( 403 );
+ }
+ finally
+ {
+ given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON )
+ .delete( "aragorn" )
+ .then( ).statusCode( 200 );
+ }
+ }
+
+ @Test
+ void getUserOperations( )
+ {
+ String adminToken = getAdminToken( );
+ Map<String, Object> jsonAsMap = new HashMap<>( );
+ jsonAsMap.put( "user_id", "aragorn" );
+ jsonAsMap.put( "email", "[email protected]" );
+ jsonAsMap.put( "fullName", "Aragorn King of Gondor" );
+ jsonAsMap.put( "validated", true );
+ jsonAsMap.put( "password", "pAssw0rD" );
+ given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON )
+ .body( jsonAsMap )
+ .when( )
+ .post( )
+ .then( ).statusCode( 201 );
+ try
+ {
+
+ String token = getUserToken( "aragorn", "pAssw0rD" );
+ Response response = given( ).spec( getRequestSpec( token ) ).contentType( JSON )
+ .when( )
+ .get( "aragorn/operations" )
 .prettyPeek( )
 .then( ).statusCode( 200 ).extract( ).response( );
- assertEquals( 2, response.getBody( ).jsonPath( ).getList( "" ).size( ) );
+ List<Operation> result = response.getBody( ).jsonPath( ).getList( "", Operation.class );
+ assertNotNull( result );
+ assertEquals( 2, result.size( ) );
+ assertTrue( result.stream( ).anyMatch( operation -> operation.getName( ).equals( "user-management-user-edit" ) ) );
+ assertTrue( result.stream( ).anyMatch( operation -> operation.getName( ).equals( "user-management-user-view" ) ) );
+ }
@@ -1113,4 +1189,36 @@ public class NativeUserServiceTest extends AbstractNativeRestServices
 }
 }
+ @Test
+ void getUserOperationsInvalidPermission( )
+ {
+ String adminToken = getAdminToken( );
+ Map<String, Object> jsonAsMap = new HashMap<>( );
+ jsonAsMap.put( "user_id", "aragorn" );
+ jsonAsMap.put( "email", "[email protected]" );
+ jsonAsMap.put( "fullName", "Aragorn King of Gondor" );
+ jsonAsMap.put( "validated", true );
+ jsonAsMap.put( "password", "pAssw0rD" );
+ given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON )
+ .body( jsonAsMap )
+ .when( )
+ .post( )
+ .then( ).statusCode( 201 );
+ try
+ {
+
+ String token = getUserToken( "aragorn", "pAssw0rD" );
+ given( ).spec( getRequestSpec( token ) ).contentType( JSON )
+ .when( )
+ .get( "admin/operations" )
+ .prettyPeek( )
+ .then( ).statusCode( 403 );
+ }
+ finally
+ {
+ given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON )
+ .delete( "aragorn" )
+ .then( ).statusCode( 200 );
+ }
+ }
 }
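Review bot: `getUserPermissionsInvalidPermission` only probes a target that exists (`admin/permissions`), so the tests do not pin whether the resource-scoped check runs before the user lookup; if a missing userId answered 404 instead of 403, any authenticated low-privilege account could enumerate valid user ids. I would add a second request in the same try block, `.get( "doesnotexist/permissions" ).then( ).statusCode( 403 );`, and the same for `/operations`. The user-creation preamble (five `jsonAsMap.put` calls plus the POST) is now repeated verbatim in three new tests; a private helper such as `createAragorn( adminToken )` would keep the fixture in one place. The hunk opens inside an existing test whose signature is above the hunk, and the hunk's trailing context lines appear to have been cut off in this listing.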
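Review bot: `getUserOperationsInvalidPermission` covers the deny path for a plain user, but after the `UserService` annotation change to `resource = "{userId}"` there is no positive test that a caller holding the view permission globally can still read another user's operations — a regression in the resource matching would lock admins out without any test failing. Adding `given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON ).when( ).get( "aragorn/operations" ).then( ).statusCode( 200 );` inside the try block would pin that. The `.prettyPeek( )` on the 403 request dumps the full response to stdout on every run; it is harmless for an error body but is debug noise in a permission test.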
