From fea14a860ebc0c7d1dd95069f85e59aa662f9aba Mon Sep 17 00:00:00 2001 From: jensp Date: Fri, 10 Jun 2016 09:35:27 +0000 Subject: [PATCH] CCM NG: ccm-shortcuts: Secured methods for creating, saving and deleting Shortcuts with the appropriate annoations from ccm-core/org.libreccm.security. Tests for ShortcutManager extended to check if the authorization check works as intented. git-svn-id: https://svn.libreccm.org/ccm/ccm_ng@4149 8810af33-2d31-482b-a856-94f89814c4df --- .../libreccm/shortcuts/ShortcutManager.java | 7 +- .../shortcuts/ShortcutRepository.java | 15 ++ .../shortcuts/ShortcutManagerTest.java | 181 +++++++++++++----- .../src/test/resources/configs/shiro.ini | 10 + .../shortcuts/ShortcutManagerTest/data.xml | 35 ++++ .../src/test/resources/test-beans.xml | 11 ++ ccm-shortcuts/src/test/resources/test-web.xml | 14 ++ 7 files changed, 221 insertions(+), 52 deletions(-) create mode 100644 ccm-shortcuts/src/test/resources/configs/shiro.ini create mode 100644 ccm-shortcuts/src/test/resources/test-beans.xml diff --git a/ccm-shortcuts/src/main/java/org/libreccm/shortcuts/ShortcutManager.java b/ccm-shortcuts/src/main/java/org/libreccm/shortcuts/ShortcutManager.java index dfe8ad1a9..a07974ea8 100644 --- a/ccm-shortcuts/src/main/java/org/libreccm/shortcuts/ShortcutManager.java +++ b/ccm-shortcuts/src/main/java/org/libreccm/shortcuts/ShortcutManager.java @@ -18,8 +18,9 @@ */ package org.libreccm.shortcuts; -import java.net.URI; -import java.net.URL; + +import org.libreccm.security.AuthorizationRequired; +import org.libreccm.security.RequiresPrivilege; import javax.enterprise.context.RequestScoped; import javax.inject.Inject; 
@@ -46,6 +47,8 @@ public class ShortcutManager { * @param redirect The URL to which the Shortcut redirects. Can't be null. * @return the new Shortcut */ + @AuthorizationRequired + @RequiresPrivilege(ShortcutsConstants.SHORTSCUT_MANAGE_PRIVILEGE) public Shortcut createShortcut(final String url, final String redirect) { if (url == null || url.trim().isEmpty()) { throw new IllegalArgumentException( diff --git a/ccm-shortcuts/src/main/java/org/libreccm/shortcuts/ShortcutRepository.java b/ccm-shortcuts/src/main/java/org/libreccm/shortcuts/ShortcutRepository.java index b9314fb53..8fd287d19 100644 --- a/ccm-shortcuts/src/main/java/org/libreccm/shortcuts/ShortcutRepository.java +++ b/ccm-shortcuts/src/main/java/org/libreccm/shortcuts/ShortcutRepository.java @@ -19,6 +19,8 @@ package org.libreccm.shortcuts; import org.libreccm.core.AbstractEntityRepository; +import org.libreccm.security.AuthorizationRequired; +import org.libreccm.security.RequiresPrivilege; import java.util.List; import java.util.Optional; @@ -78,4 +80,17 @@ public class ShortcutRepository extends AbstractEntityRepository return query.getResultList(); } + @Override + @AuthorizationRequired + @RequiresPrivilege(ShortcutsConstants.SHORTSCUT_MANAGE_PRIVILEGE) + public void save(final Shortcut shortcut) { + super.save(shortcut); + } + + @Override + @AuthorizationRequired + @RequiresPrivilege(ShortcutsConstants.SHORTSCUT_MANAGE_PRIVILEGE) + public void delete(final Shortcut shortcut) { + super.delete(shortcut); + } } diff --git a/ccm-shortcuts/src/test/java/org/libreccm/shortcuts/ShortcutManagerTest.java b/ccm-shortcuts/src/test/java/org/libreccm/shortcuts/ShortcutManagerTest.java index ed4b5d7a6..13f11253c 100644 --- a/ccm-shortcuts/src/test/java/org/libreccm/shortcuts/ShortcutManagerTest.java +++ b/ccm-shortcuts/src/test/java/org/libreccm/shortcuts/ShortcutManagerTest.java 
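Review bot: The Javadoc of createShortcut (whose body continues past the hunk) still documents only the parameters and the return value, although the method is now guarded; add `@throws org.apache.shiro.authz.UnauthorizedException if the current subject lacks {@link ShortcutsConstants#SHORTSCUT_MANAGE_PRIVILEGE}` so callers learn about the new failure mode that the tests in this commit expect. The check appears to be interceptor-based (test-beans.xml enables org.libreccm.security.AuthorizationInterceptor), so it fires only when createShortcut is invoked through the CDI proxy; a call from another method of ShortcutManager would bypass it, which is worth stating in the class Javadoc if other methods of this class, not visible here, also mutate shortcuts.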
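Review bot: The two new overrides of save and delete carry no Javadoc even though their sole purpose is to attach the privilege check; a reader of the repository cannot tell why the superclass methods are re-declared. Put `/** {@inheritDoc} Requires {@link ShortcutsConstants#SHORTSCUT_MANAGE_PRIVILEGE}; an unauthorized subject gets an UnauthorizedException. */` on both. Whether AbstractEntityRepository exposes further mutating entry points (overloaded or bulk save/delete variants) is not visible here; if it does, they stay unguarded and should receive the same annotations, otherwise the check can be sidestepped by calling the unannotated variant.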
@@ -18,17 +18,19 @@ */ package org.libreccm.shortcuts; +import org.apache.shiro.authc.UsernamePasswordToken; +import org.apache.shiro.authz.UnauthorizedException; +import org.apache.shiro.subject.Subject; + import java.io.File; -import java.net.MalformedURLException; -import java.net.URI; -import java.net.URISyntaxException; -import java.net.URL; import java.util.ArrayList; import java.util.List; import java.util.stream.IntStream; + import javax.inject.Inject; import javax.persistence.EntityManager; import javax.persistence.PersistenceContext; + import org.jboss.arquillian.container.test.api.Deployment; import org.jboss.arquillian.container.test.api.ShouldThrowException; import org.jboss.arquillian.junit.Arquillian; @@ -40,7 +42,6 @@ import org.jboss.arquillian.persistence.UsingDataSet; import org.jboss.arquillian.transaction.api.annotation.TransactionMode; import org.jboss.arquillian.transaction.api.annotation.Transactional; import org.jboss.shrinkwrap.api.ShrinkWrap; -import org.jboss.shrinkwrap.api.asset.EmptyAsset; import org.jboss.shrinkwrap.api.spec.WebArchive; import org.jboss.shrinkwrap.resolver.api.maven.Maven; import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage; @@ -53,6 +54,7 @@ import org.junit.BeforeClass; import org.junit.Test; import org.junit.experimental.categories.Category; import org.junit.runner.RunWith; +import org.libreccm.security.Shiro; import org.libreccm.tests.categories.IntegrationTest; import static org.hamcrest.CoreMatchers.*; @@ -72,6 +74,12 @@ public class ShortcutManagerTest { @Inject private ShortcutManager shortcutManager; + @Inject + private Shiro shiro; + + @Inject + private Subject subject; + @PersistenceContext private EntityManager entityManager; 
@@ -97,21 +105,21 @@ public class ShortcutManagerTest { @Deployment public static WebArchive createDeployment() { final PomEquippedResolveStage pom = Maven - .resolver() - .loadPomFromFile("pom.xml"); + .resolver() + .loadPomFromFile("pom.xml"); final PomEquippedResolveStage dependencies = pom - .importCompileAndRuntimeDependencies(); + .importCompileAndRuntimeDependencies(); dependencies.addDependency(MavenDependencies.createDependency( - "org.libreccm:ccm-core", ScopeType.RUNTIME, false)); + "org.libreccm:ccm-core", ScopeType.RUNTIME, false)); dependencies.addDependency(MavenDependencies.createDependency( - "org.libreccm:ccm-testutils", ScopeType.RUNTIME, false)); + "org.libreccm:ccm-testutils", ScopeType.RUNTIME, false)); dependencies.addDependency(MavenDependencies.createDependency( - "net.sf.saxon:Saxon-HE", ScopeType.RUNTIME, false)); + "net.sf.saxon:Saxon-HE", ScopeType.RUNTIME, false)); dependencies.addDependency(MavenDependencies.createDependency( - "org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-impl-maven", - ScopeType.RUNTIME, false)); - final File[] libsWithCcmCore = dependencies.resolve().withTransitivity(). - asFile(); + "org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-impl-maven", + ScopeType.RUNTIME, false)); + final File[] libsWithCcmCore = dependencies.resolve().withTransitivity() + .asFile(); final List libsList = new ArrayList<>(libsWithCcmCore.length - 1); IntStream.range(0, libsWithCcmCore.length).forEach(i -> { 
@@ -128,26 +136,29 @@ public class ShortcutManagerTest { } return ShrinkWrap.create( - WebArchive.class, - "LibreCCM-org.libreccm.shortcuts.ShortcutTest-web.war") - .addPackage(org.libreccm.categorization.Categorization.class - .getPackage()) - .addPackage(org.libreccm.configuration.Configuration.class - .getPackage()) - .addPackage(org.libreccm.core.CcmCore.class.getPackage()) - .addPackage(org.libreccm.jpa.EntityManagerProducer.class - .getPackage()) - .addPackage(org.libreccm.l10n.LocalizedString.class - .getPackage()) - .addPackage(org.libreccm.security.Permission.class.getPackage()) - .addPackage(org.libreccm.shortcuts.Shortcuts.class.getPackage()) - .addPackage(org.libreccm.web.CcmApplication.class.getPackage()) - .addPackage(org.libreccm.workflow.Workflow.class.getPackage()) - .addAsLibraries(libs) - .addAsResource("test-persistence.xml", - "META-INF/persistence.xml") - .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml") - .addAsWebInfResource(EmptyAsset.INSTANCE, "WEB-INF/beans.xml"); + WebArchive.class, + "LibreCCM-org.libreccm.shortcuts.ShortcutTest-web.war") + .addPackage(org.libreccm.categorization.Categorization.class + .getPackage()) + .addPackage(org.libreccm.cdi.utils.CdiUtil.class.getPackage()) + .addPackage(org.libreccm.configuration.Configuration.class + .getPackage()) + .addPackage(org.libreccm.core.CcmCore.class.getPackage()) + .addPackage(org.libreccm.jpa.EntityManagerProducer.class + .getPackage()) + .addPackage(org.libreccm.l10n.LocalizedString.class + .getPackage()) + .addPackage(org.libreccm.security.Permission.class.getPackage()) + .addPackage(org.libreccm.shortcuts.Shortcuts.class.getPackage()) + .addPackage(org.libreccm.web.CcmApplication.class.getPackage()) + .addPackage(org.libreccm.workflow.Workflow.class.getPackage()) + .addClass(com.arsdigita.kernel.KernelConfig.class) + .addAsLibraries(libs) + .addAsResource("configs/shiro.ini", "shiro.ini") + .addAsResource("test-persistence.xml", + "META-INF/persistence.xml") + 
.addAsWebInfResource("test-web.xml", "web.xml") + .addAsResource("test-beans.xml", "META-INF/beans.xml"); } @Test 
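Review bot: The security-related additions to the archive (the org.libreccm.cdi.utils package, KernelConfig, shiro.ini and the beans.xml that enables the interceptor) are unexplained, and a reader has to cross-reference test-beans.xml and test-web.xml to see why they are there; a comment above the ShrinkWrap.create call such as `// shiro.ini, the ShiroFilter in test-web.xml and the AuthorizationInterceptor enabled in test-beans.xml are needed for the @AuthorizationRequired checks under test` would make that explicit. The change from "WEB-INF/web.xml" to "web.xml" in addAsWebInfResource looks like a fix, since that method already prefixes WEB-INF/; `setWebXML("test-web.xml")` states the intent directly. For the same reason `addAsWebInfResource("test-beans.xml", "beans.xml")` would be the more conventional location than WEB-INF/classes/META-INF/beans.xml, although CDI accepts both.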
@@ -164,59 +175,129 @@ public class ShortcutManagerTest { @Test @UsingDataSet( - "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") + "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") @ShouldMatchDataSet( - value = "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml", - excludeColumns = {"shortcut_id"}) + value = "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml", + excludeColumns = {"shortcut_id"}) @InSequence(100) - public void createShortcutStringParams() { + public void createShortcutBySystemUser() { + final Subject systemUser = shiro.getSystemUser(); + systemUser.execute(() -> { + shortcutManager.createShortcut("datenschutz", + "/ccm/navigation/privacy"); + + return null; + }); + + } + + @Test + @UsingDataSet( + "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") + @ShouldMatchDataSet( + value = "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml", + excludeColumns = {"shortcut_id"}) + @InSequence(110) + public void createShortcutByAuthorizedUser() { + final UsernamePasswordToken token = new UsernamePasswordToken( + "john.doe@example.org", "foo123"); + token.setRememberMe(true); + subject.login(token); + + shortcutManager.createShortcut("datenschutz", + "/ccm/navigation/privacy"); + + subject.logout(); + } + + @Test(expected = UnauthorizedException.class) + @UsingDataSet( + "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") + @ShouldThrowException(UnauthorizedException.class) + @InSequence(120) + public void createShortcutByUnAuthorizedUser() { shortcutManager.createShortcut("datenschutz", "/ccm/navigation/privacy"); } @Test(expected = IllegalArgumentException.class) @UsingDataSet( - "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") + "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") @ShouldThrowException(IllegalArgumentException.class) - @InSequence(110) - public void createShortcutStringParamsNullUrlKey() { + @InSequence(130) + public void 
createShortcutNullUrlKey() { + final UsernamePasswordToken token = new UsernamePasswordToken( + "john.doe@example.org", "foo123"); + token.setRememberMe(true); + subject.login(token); + shortcutManager.createShortcut(null, "http://www.example.org"); + + subject.logout(); } @Test(expected = IllegalArgumentException.class) @UsingDataSet( - "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") + "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") @ShouldThrowException(IllegalArgumentException.class) @InSequence(120) - public void createShortcutStringParamsNullRedirect() { + public void createShortcutNullRedirect() { + final UsernamePasswordToken token = new UsernamePasswordToken( + "john.doe@example.org", "foo123"); + token.setRememberMe(true); + subject.login(token); + shortcutManager.createShortcut("example", null); + + subject.logout(); } @Test(expected = IllegalArgumentException.class) @UsingDataSet( - "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") + "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") @ShouldThrowException(IllegalArgumentException.class) @InSequence(140) - public void createShortcutStringParamsEmptyUrlKey() { + public void createShortcutEmptyUrlKey() { + final UsernamePasswordToken token = new UsernamePasswordToken( + "john.doe@example.org", "foo123"); + token.setRememberMe(true); + subject.login(token); + shortcutManager.createShortcut(" ", "http://www.example.org"); + + subject.logout(); } @Test(expected = IllegalArgumentException.class) @UsingDataSet( - "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") + "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") @ShouldThrowException(IllegalArgumentException.class) @InSequence(150) - public void createShortcutStringParamsEmptyRedirect() { + public void createShortcutEmptyRedirect() { + final UsernamePasswordToken token = new UsernamePasswordToken( + "john.doe@example.org", "foo123"); + token.setRememberMe(true); + 
subject.login(token); + shortcutManager.createShortcut("example", " "); + + subject.logout(); } @Test(expected = IllegalArgumentException.class) @UsingDataSet( - "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") + "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml") @ShouldThrowException(IllegalArgumentException.class) @InSequence(160) - public void createShortcutStringParamsEmptyParams() { + public void createShortcutEmptyParams() { + final UsernamePasswordToken token = new UsernamePasswordToken( + "john.doe@example.org", "foo123"); + token.setRememberMe(true); + subject.login(token); + shortcutManager.createShortcut("", ""); + + subject.logout(); } // @Test diff --git a/ccm-shortcuts/src/test/resources/configs/shiro.ini b/ccm-shortcuts/src/test/resources/configs/shiro.ini new file mode 100644 index 000000000..f313a39e8 --- /dev/null +++ b/ccm-shortcuts/src/test/resources/configs/shiro.ini @@ -0,0 +1,10 @@ +[main] + +passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher +passwordService = org.apache.shiro.authc.credential.DefaultPasswordService +passwordMatcher.passwordService = $passwordService + +ccmRealm = org.libreccm.security.CcmShiroRealm +ccmRealm.credentialsMatcher = $passwordMatcher + +securityManager.realms = $ccmRealm \ No newline at end of file diff --git a/ccm-shortcuts/src/test/resources/datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml b/ccm-shortcuts/src/test/resources/datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml index 420534b49..c9384f3af 100644 --- a/ccm-shortcuts/src/test/resources/datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml +++ b/ccm-shortcuts/src/test/resources/datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml @@ -1,5 +1,40 @@ + + + + + + + + + + + + + diff --git a/ccm-shortcuts/src/test/resources/test-beans.xml b/ccm-shortcuts/src/test/resources/test-beans.xml new file mode 100644 index 000000000..d45765d18 --- /dev/null 
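Review bot: In every test that declares `@Test(expected = IllegalArgumentException.class)` (createShortcutNullUrlKey through createShortcutEmptyParams) the `subject.logout()` after the createShortcut call is unreachable on the intended path, because the exception is thrown first, so the subject stays logged in after the test; the login/logout pair belongs in try/finally, ideally in one helper that also removes the six copies of the hard-coded credentials. `@InSequence(120)` is now used twice (createShortcutByUnAuthorizedUser and createShortcutNullRedirect) while the neighbouring tests were renumbered, so the ordering is ambiguous. createShortcutByUnAuthorizedUser exercises only an anonymous subject; no visible test logs in an authenticated user without the manage privilege, which is the case the interceptor most needs to reject — the dataset contents are not readable here, so this may need a second fixture user. `token.setRememberMe(true)` is not needed for any assertion and could carry identity across tests, so I would drop it.
```java
    // … unchanged: createShortcutBySystemUser …

    /** Runs action as the fixture user john.doe and always logs out afterwards. */
    private void runAsJohnDoe(final Runnable action) {
        subject.login(new UsernamePasswordToken("john.doe@example.org", "foo123"));
        try {
            action.run();
        } finally {
            subject.logout();
        }
    }

    public void createShortcutNullUrlKey() {
        runAsJohnDoe(() -> shortcutManager.createShortcut(
            null, "http://www.example.org"));
    }
    // … unchanged: the remaining createShortcut* tests use runAsJohnDoe the same way …
```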
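Review bot: shiro.ini defines only the realm and the password matcher and has no `[urls]` section, so the ShiroFilter mapped to `/*` in test-web.xml enforces no path-level rules; that is acceptable for an in-container test but should be stated in the file, e.g. `# test fixture only: no [urls] section, authorization is exercised through AuthorizationInterceptor`. DefaultPasswordService only matches credentials stored in Shiro's hashed format, and the password column of the john.doe row in data.xml is not readable in this diff, so confirm that the fixture and the matcher agree. The file also lacks a trailing newline.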
+++ b/ccm-shortcuts/src/test/resources/test-beans.xml @@ -0,0 +1,11 @@ + + + + org.libreccm.security.AuthorizationInterceptor + + + diff --git a/ccm-shortcuts/src/test/resources/test-web.xml b/ccm-shortcuts/src/test/resources/test-web.xml index 219ae2cfa..32efc46a8 100644 --- a/ccm-shortcuts/src/test/resources/test-web.xml +++ b/ccm-shortcuts/src/test/resources/test-web.xml @@ -6,4 +6,18 @@ version="3.0"> LibreCCM Shortcuts Test + + + ShiroFilter + org.apache.shiro.web.servlet.ShiroFilter + + + + ShiroFilter + /* + + + + org.apache.shiro.web.env.EnvironmentLoaderListener +
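Review bot: Enabling org.libreccm.security.AuthorizationInterceptor in this test-only beans.xml is what gives `@AuthorizationRequired` on ShortcutManager and ShortcutRepository any effect; whether the module's production beans.xml (not part of this commit) enables it too, or the interceptor is activated globally from ccm-core, cannot be seen here and is worth confirming, because otherwise the annotations are silently ignored at runtime. A one-line XML comment above the interceptor entry saying that it mirrors the production configuration would make that dependency visible to the next reader.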