From a5947342411fb69f1ab0029c0882e1b24dac6428 Mon Sep 17 00:00:00 2001
From: Thomas Becker
Date: Thu, 19 Jan 2012 11:13:22 +0100
Subject: [PATCH] 369048: more test cases for ConstraintSecurityHandler
Signed-off-by: Greg Wilkins
---
 .../jetty/security/DataConstraintsTest.java | 280 +++++++++++++++++-
 1 file changed, 269 insertions(+), 11 deletions(-)
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java
index 8b3ab580418..38a2bb0eb7c 100644
--- a/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java
@@ -23,12 +23,15 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.eclipse.jetty.http.HttpMethods;
 import org.eclipse.jetty.http.HttpSchemes;
 import org.eclipse.jetty.io.EndPoint;
+import org.eclipse.jetty.security.authentication.BasicAuthenticator;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.LocalConnector;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.server.handler.AbstractHandler;
 import org.eclipse.jetty.server.handler.ContextHandler;
 import org.eclipse.jetty.server.session.SessionHandler;
@@ -53,6 +56,7 @@ public class DataConstraintsTest
 {
 _server = new Server();
 _connector = new LocalConnector();
+ _connector.setMaxIdleTime(300000);
 _connector.setIntegralPort(9998);
 _connector.setIntegralScheme("FTP");
 _connector.setConfidentialPort(9999);
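Review bot: `_connector.setMaxIdleTime(300000);` in the @@ -53 hunk adds an unexplained magic number to the fixture; nothing visible here says why a LocalConnector in a unit test needs a five-minute idle timeout, so the next reader has to guess. A one-line comment would settle it, e.g. `_connector.setMaxIdleTime(300000); // 5 min idle timeout so the local connector does not drop the exchange mid-test (confirm intent)`. If the same value is used by sibling tests, a named constant would keep them in step. The enclosing setup method starts before and ends after this hunk.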
@@ -89,7 +93,7 @@ public class DataConstraintsTest
 _security = new ConstraintSecurityHandler();
 _session.setHandler(_security);
-
+
 _security.setHandler(new AbstractHandler()
 {
 public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response)
 throws IOException, ServletException
@@ -98,7 +102,7 @@ public class DataConstraintsTest
 response.sendError(404);
 }
 });
-
+
 }
 @After
@@ -121,14 +125,14 @@ public class DataConstraintsTest
 ConstraintMapping mapping0 = new ConstraintMapping();
 mapping0.setPathSpec("/integral/*");
 mapping0.setConstraint(constraint0);
-
+
 _security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
 {
 mapping0
 }));
-
+
 _server.start();
-
+
 String response;
 response = _connector.getResponses("GET /ctx/some/thing HTTP/1.0\r\n\r\n");
 assertThat(response, containsString("HTTP/1.1 404 Not Found"));
@@ -137,12 +141,12 @@ public class DataConstraintsTest
 assertThat(response, containsString("HTTP/1.1 302 Found"));
 assertThat(response, containsString("Location: FTP://"));
 assertThat(response, containsString(":9998"));
-
+
 response = _connectorS.getResponses("GET /ctx/integral/info HTTP/1.0\r\n\r\n");
 assertThat(response, containsString("HTTP/1.1 404 Not Found"));
 }
-
+
 @Test
 public void testConfidential() throws Exception
 {
@@ -153,14 +157,14 @@ public class DataConstraintsTest
 ConstraintMapping mapping0 = new ConstraintMapping();
 mapping0.setPathSpec("/confid/*");
 mapping0.setConstraint(constraint0);
-
+
 _security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
 {
 mapping0
 }));
-
+
 _server.start();
-
+
 String response;
 response = _connector.getResponses("GET /ctx/some/thing HTTP/1.0\r\n\r\n");
 assertThat(response, containsString("HTTP/1.1 404 Not Found"));
@@ -169,10 +173,264 @@ public class DataConstraintsTest
 assertThat(response, containsString("HTTP/1.1 302 Found"));
 assertThat(response, containsString("Location: SPDY://"));
 assertThat(response, containsString(":9999"));
-
+
 response = _connectorS.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
 assertThat(response, containsString("HTTP/1.1 404 Not Found"));
 }
+ @Test
+ public void testConfidentialWithNoRolesSetAndNoMethodRestriction() throws Exception
+ {
+ Constraint constraint0 = new Constraint();
+ constraint0.setName("confid");
+ constraint0.setDataConstraint(Constraint.DC_CONFIDENTIAL);
+ ConstraintMapping mapping0 = new ConstraintMapping();
+ mapping0.setPathSpec("/confid/*");
+ mapping0.setConstraint(constraint0);
+
+ _security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
+ {
+ mapping0
+ }));
+
+ _server.start();
+
+ String response;
+
+ response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 302 Found"));
+
+ response = _connectorS.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ }
+
+ @Test
+ public void testConfidentialWithNoRolesSetAndMethodRestriction() throws Exception
+ {
+ Constraint constraint0 = new Constraint();
+ constraint0.setName("confid");
+ constraint0.setDataConstraint(Constraint.DC_CONFIDENTIAL);
+ ConstraintMapping mapping0 = new ConstraintMapping();
+ mapping0.setPathSpec("/confid/*");
+ mapping0.setMethod(HttpMethods.POST);
+ mapping0.setConstraint(constraint0);
+
+ _security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
+ {
+ mapping0
+ }));
+
+ _server.start();
+
+ String response;
+
+ response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ response = _connectorS.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ response = _connector.getResponses("POST /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 302 Found"));
+
+ response = _connectorS.getResponses("POST /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ }
+ @Test
+ public void testConfidentialWithRolesSetAndMethodRestriction() throws Exception
+ {
+ Constraint constraint0 = new Constraint();
+ constraint0.setRoles(new String[] { "admin" } );
+ constraint0.setName("confid");
+ constraint0.setDataConstraint(Constraint.DC_CONFIDENTIAL);
+ ConstraintMapping mapping0 = new ConstraintMapping();
+ mapping0.setPathSpec("/confid/*");
+ mapping0.setMethod(HttpMethods.POST);
+ mapping0.setConstraint(constraint0);
+
+ _security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
+ {
+ mapping0
+ }));
+
+ _server.start();
+
+ String response;
+
+ response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ response = _connectorS.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ response = _connector.getResponses("POST /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 302 Found"));
+
+ response = _connectorS.getResponses("POST /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ }
+
+ @Test
+ public void testConfidentialWithRolesSetAndMethodRestrictionAndAuthenticationRequired() throws Exception
+ {
+ Constraint constraint0 = new Constraint();
+ constraint0.setRoles(new String[] { "admin" } );
+ constraint0.setAuthenticate(true);
+ constraint0.setName("confid");
+ constraint0.setDataConstraint(Constraint.DC_CONFIDENTIAL);
+ ConstraintMapping mapping0 = new ConstraintMapping();
+ mapping0.setPathSpec("/confid/*");
+ mapping0.setMethod(HttpMethods.POST);
+ mapping0.setConstraint(constraint0);
+
+ _security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
+ {
+ mapping0
+ }));
+ DefaultIdentityService identityService = new DefaultIdentityService();
+ _security.setLoginService(new CustomLoginService(identityService));
+ _security.setIdentityService(identityService);
+ _security.setAuthenticator(new BasicAuthenticator());
+ _server.start();
+
+ String response;
+
+ response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ response = _connectorS.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ response = _connector.getResponses("POST /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 302 Found"));
+
+ response = _connectorS.getResponses("POST /ctx/confid/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 401 Unauthorized"));
+
+ response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ response = _connector.getResponses("POST /ctx/confid/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 302 Found"));
+
+ response = _connectorS.getResponses("POST /ctx/confid/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ }
+
+ @Test
+ public void testRestrictedWithoutAuthenticator() throws Exception
+ {
+ Constraint constraint0 = new Constraint();
+ constraint0.setAuthenticate(true);
+ constraint0.setRoles(new String[] { "admin" } );
+ constraint0.setName("restricted");
+ ConstraintMapping mapping0 = new ConstraintMapping();
+ mapping0.setPathSpec("/restricted/*");
+ mapping0.setMethod("GET");
+ mapping0.setConstraint(constraint0);
+
+ _security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
+ {
+ mapping0
+ }));
+ _server.start();
+
+ String response;
+
+ response = _connector.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 403 Forbidden"));
+
+ response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 403 Forbidden"));
+
+ response = _connector.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 403 Forbidden"));
+
+ response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 403 Forbidden"));
+
+ }
+
+ @Test
+ public void testRestricted() throws Exception
+ {
+ Constraint constraint0 = new Constraint();
+ constraint0.setAuthenticate(true);
+ constraint0.setRoles(new String[] { "admin" } );
+ constraint0.setName("restricted");
+ ConstraintMapping mapping0 = new ConstraintMapping();
+ mapping0.setPathSpec("/restricted/*");
+ mapping0.setMethod("GET");
+ mapping0.setConstraint(constraint0);
+
+ _security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
+ {
+ mapping0
+ }));
+ DefaultIdentityService identityService = new DefaultIdentityService();
+ _security.setLoginService(new CustomLoginService(identityService));
+ _security.setIdentityService(identityService);
+ _security.setAuthenticator(new BasicAuthenticator());
+ _server.start();
+
+ String response;
+
+ response = _connector.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 401 Unauthorized"));
+
+ response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n\r\n");
+ assertThat(response, containsString("HTTP/1.1 401 Unauthorized"));
+
+ response = _connector.getResponses("GET /ctx/restricted/info HTTP/1.0\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\n\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\n\n");
+ assertThat(response, containsString("HTTP/1.1 404 Not Found"));
+
+ }
+
+ private class CustomLoginService implements LoginService{
+ private IdentityService identityService;
+
+ public CustomLoginService(IdentityService identityService)
+ {
+ this.identityService = identityService;
+ }
+ public String getName()
+ {
+ return "name";
+ }
+
+ public UserIdentity login(String username, Object credentials)
+ {
+ if("admin".equals(username) && "password".equals(credentials))
+ return new DefaultUserIdentity(null,null,new String[] { "admin" } );
+ return null;
+ }
+
+ public boolean validate(UserIdentity user)
+ {
+ return false;
+ }
+
+ public IdentityService getIdentityService()
+ {
+ return identityService;
+ }
+
+ public void setIdentityService(IdentityService service)
+ {
+ }
+
+ public void logout(UserIdentity user)
+ {
+ }
+
+ }
+
 }
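Review bot: In testRestrictedWithoutAuthenticator the last two requests are built as `"GET /ctx/restricted/info HTTP/1.0\r\n Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n"`; the space after `\r\n` most likely makes the `Authorization` line a folded continuation of the preceding line rather than a header field of its own, so the server sees no Authorization header and those two cases merely repeat the two unauthenticated ones above them. The 403 assertions still pass because no authenticator is configured, but the test then does not show that presented credentials are ignored without one; dropping the space, `"GET /ctx/restricted/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n"` for both connectors, restores the fixture the method name promises. The two authenticated requests in testRestricted use bare `\n` line endings while every other request in the file uses `\r\n`; the parser evidently tolerates both, but the `\r\n` form is the one the rest of the file relies on and would keep the two methods comparable. In CustomLoginService the always-false `validate` and the empty `setIdentityService` and `logout` bodies deserve a short comment marking them as deliberate no-ops for this stub, e.g. `// test stub: sessions are never re-validated`, and `identityService` can be `final` since only the constructor assigns it.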