Apache
/
archiva-redback-core
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Adding permission tests for v2 API

This commit is contained in:
Martin Stockhammer 2020-09-30 21:13:52 +02:00
parent f1f69feaa7
commit b2a150fc5b
2 changed files with 112 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/v2/UserService.java
View File

@ -433,10 +433,11 @@ public interface UserService
@Path( "{userId}/operations" )
@GET
@Produces( { MediaType.APPLICATION_JSON } )
@RedbackAuthorization( permissions = RedbackRoleConstants.USER_MANAGEMENT_USER_LIST_OPERATION )
@RedbackAuthorization( permissions = RedbackRoleConstants.USER_MANAGEMENT_USER_VIEW_OPERATION,
resource = "{userId}")
@io.swagger.v3.oas.annotations.Operation( summary = "Returns a list of privileged operations assigned to the given user.",
security = {
@SecurityRequirement( name = RedbackRoleConstants.USER_MANAGEMENT_USER_LIST_OPERATION )
@SecurityRequirement( name = RedbackRoleConstants.USER_MANAGEMENT_USER_VIEW_OPERATION )
},
responses = {
@ApiResponse( responseCode = "200",

110
redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/v2/NativeUserServiceTest.java
View File

@ -19,6 +19,8 @@ package org.apache.archiva.redback.rest.services.v2;
*/
import io.restassured.response.Response;
import org.apache.archiva.redback.rest.api.model.Operation;
import org.apache.archiva.redback.rest.api.model.Permission;
import org.apache.archiva.redback.rest.api.model.v2.User;
import org.apache.archiva.redback.rest.services.mock.EmailMessage;
import org.junit.jupiter.api.AfterAll;
@ -1099,9 +1101,83 @@ public class NativeUserServiceTest extends AbstractNativeRestServices
Response response = given( ).spec( getRequestSpec( token ) ).contentType( JSON )
.when( )
.get( "aragorn/permissions" )
.then( ).statusCode( 200 ).extract( ).response( );
List<Permission> result = response.getBody( ).jsonPath( ).getList( "", Permission.class );
assertNotNull( result );
assertEquals( 2, result.size( ) );
assertTrue( result.stream( ).anyMatch( permission -> permission.getName( ).equals( "Edit User Data by Username" ) ) );
assertTrue( result.stream( ).anyMatch( permission -> permission.getName( ).equals( "View User Data by Username" ) ) );
}
finally
{
given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON )
.delete( "aragorn" )
.then( ).statusCode( 200 );
}
}
@Test
void getUserPermissionsInvalidPermission( )
{
String adminToken = getAdminToken( );
Map<String, Object> jsonAsMap = new HashMap<>( );
jsonAsMap.put( "user_id", "aragorn" );
jsonAsMap.put( "email", "aragorn@lordoftherings.org" );
jsonAsMap.put( "fullName", "Aragorn King of Gondor" );
jsonAsMap.put( "validated", true );
jsonAsMap.put( "password", "pAssw0rD" );
given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON )
.body( jsonAsMap )
.when( )
.post( )
.then( ).statusCode( 201 );
try
{
String token = getUserToken( "aragorn", "pAssw0rD" );
given( ).spec( getRequestSpec( token ) ).contentType( JSON )
.when( )
.get( "admin/permissions" )
.then( ).statusCode( 403 );
}
finally
{
given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON )
.delete( "aragorn" )
.then( ).statusCode( 200 );
}
}
@Test
void getUserOperations( )
{
String adminToken = getAdminToken( );
Map<String, Object> jsonAsMap = new HashMap<>( );
jsonAsMap.put( "user_id", "aragorn" );
jsonAsMap.put( "email", "aragorn@lordoftherings.org" );
jsonAsMap.put( "fullName", "Aragorn King of Gondor" );
jsonAsMap.put( "validated", true );
jsonAsMap.put( "password", "pAssw0rD" );
given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON )
.body( jsonAsMap )
.when( )
.post( )
.then( ).statusCode( 201 );
try
{
String token = getUserToken( "aragorn", "pAssw0rD" );
Response response = given( ).spec( getRequestSpec( token ) ).contentType( JSON )
.when( )
.get( "aragorn/operations" )
.prettyPeek( )
.then( ).statusCode( 200 ).extract( ).response( );
assertEquals( 2, response.getBody( ).jsonPath( ).getList( "" ).size( ) );
List<Operation> result = response.getBody( ).jsonPath( ).getList( "", Operation.class );
assertNotNull( result );
assertEquals( 2, result.size( ) );
assertTrue( result.stream( ).anyMatch( operation -> operation.getName( ).equals( "user-management-user-edit" ) ) );
assertTrue( result.stream( ).anyMatch( operation -> operation.getName( ).equals( "user-management-user-view" ) ) );
}
@ -1113,4 +1189,36 @@ public class NativeUserServiceTest extends AbstractNativeRestServices
}
}
@Test
void getUserOperationsInvalidPermission( )
{
String adminToken = getAdminToken( );
Map<String, Object> jsonAsMap = new HashMap<>( );
jsonAsMap.put( "user_id", "aragorn" );
jsonAsMap.put( "email", "aragorn@lordoftherings.org" );
jsonAsMap.put( "fullName", "Aragorn King of Gondor" );
jsonAsMap.put( "validated", true );
jsonAsMap.put( "password", "pAssw0rD" );
given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON )
.body( jsonAsMap )
.when( )
.post( )
.then( ).statusCode( 201 );
try
{
String token = getUserToken( "aragorn", "pAssw0rD" );
given( ).spec( getRequestSpec( token ) ).contentType( JSON )
.when( )
.get( "admin/operations" )
.prettyPeek( )
.then( ).statusCode( 403 );
}
finally
{
given( ).spec( getRequestSpec( adminToken ) ).contentType( JSON )
.delete( "aragorn" )
.then( ).statusCode( 200 );
}
}
}