nl.surfnet.coin.selfservice.interceptor.AuthorityScopeInterceptorTest.java Source code

Java tutorial

  1. HOME
  2. Java
  3. nl.surfnet.coin.selfservice.interceptor.AuthorityScopeInterceptorTest.java

Introduction

Here is the source code for nl.surfnet.coin.selfservice.interceptor.AuthorityScopeInterceptorTest.java

Source

/*
 * Copyright 2012 SURFnet bv, The Netherlands
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package nl.surfnet.coin.selfservice.interceptor;

import static nl.surfnet.coin.selfservice.control.BaseController.SERVICE_APPLY_ALLOWED;
import static nl.surfnet.coin.selfservice.control.BaseController.TOKEN_CHECK;
import static nl.surfnet.coin.selfservice.domain.CoinAuthority.Authority.ROLE_DASHBOARD_ADMIN;
import static org.junit.Assert.*;

import java.util.Map;

import org.junit.Before;
import org.junit.Test;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

import nl.surfnet.coin.csa.Csa;
import nl.surfnet.coin.csa.model.Service;
import nl.surfnet.coin.selfservice.control.BaseController;
import nl.surfnet.coin.selfservice.domain.CoinAuthority;
import nl.surfnet.coin.selfservice.domain.CoinAuthority.Authority;
import nl.surfnet.coin.selfservice.domain.CoinUser;
import nl.surfnet.spring.security.opensaml.SAMLAuthenticationToken;

/**
 * AuthorityScopeInterceptorTest.java
 * 
 */
public class AuthorityScopeInterceptorTest {

    @InjectMocks
    private AuthorityScopeInterceptor interceptor;

    @Mock
    private Csa csa;

    @Before
    public void setUp() throws Exception {
        interceptor = new AuthorityScopeInterceptor();
        MockitoAnnotations.initMocks(this);
    }

    @Test
    public void test_power_user_may_see_technical_mail_address() throws Exception {
        ModelAndView modelAndView = new ModelAndView();

        CoinUser user = coinUser(ROLE_DASHBOARD_ADMIN);
        SecurityContextHolder.getContext()
                .setAuthentication(new SAMLAuthenticationToken(user, "", user.getAuthorities()));
        Service sp = buildService();
        modelAndView.addObject(BaseController.SERVICE, sp);

        interceptor.postHandle(new MockHttpServletRequest(), null, null, modelAndView);

        String technicalSupportMail = sp.getSupportMail();
        assertNotNull(technicalSupportMail);

        // also allowed
        Map<String, Object> model = modelAndView.getModel();
        assertTrue((Boolean) model.get(SERVICE_APPLY_ALLOWED));

    }

    @Test
    public void token_session_does_not_equal_request_param_token() throws Exception {
        ModelAndView modelAndView = buildSecurityContext(ROLE_DASHBOARD_ADMIN);

        MockHttpServletRequest request = new MockHttpServletRequest();
        interceptor.postHandle(request, null, null, modelAndView);

        // first check if the token is generated and stored in session and modelMap
        String token = (String) modelAndView.getModelMap().get(TOKEN_CHECK);
        assertNotNull(token);

        String sessionToken = (String) request.getSession(false).getAttribute(TOKEN_CHECK);
        assertNotNull(token);
        assertEquals(token, sessionToken);

        // now check if the prehandle checks the token if the method is a POST
        request = new MockHttpServletRequest();
        request.setMethod(RequestMethod.POST.name());
        try {
            interceptor.preHandle(request, null, null);
            fail("Expected security exception");
        } catch (Exception e) {
        }

        // now check if the prehandle checks the token if the method is a POST
        request = new MockHttpServletRequest();
        request.addParameter(TOKEN_CHECK, sessionToken);
        request.getSession().setAttribute(TOKEN_CHECK, sessionToken);
        request.setMethod(RequestMethod.POST.name());

        assertTrue(interceptor.preHandle(request, null, null));

    }

    private CoinUser coinUser(Authority... authorities) {
        CoinUser coinUser = new CoinUser();
        for (Authority authority : authorities) {
            coinUser.addAuthority(new CoinAuthority(authority));
        }
        return coinUser;
    }

    private Service buildService() {
        Service service = new Service(1L, "", "", "", false, null, "http://mock-idp");
        service.setSupportMail("somesupportmail");
        service.setAvailableForEndUser(true);
        return service;
    }

    private ModelAndView buildSecurityContext(Authority... roles) {
        CoinUser user = coinUser(roles);
        SecurityContextHolder.getContext()
                .setAuthentication(new SAMLAuthenticationToken(user, "", user.getAuthorities()));
        return new ModelAndView();
    }

}