CCM NG: ccm-shortcuts: Secured methods for creating, saving and deleting Shortcuts with the appropriate annoations from ccm-core/org.libreccm.security. Tests for ShortcutManager extended to check if the authorization check works as intented.

git-svn-id: https://svn.libreccm.org/ccm/ccm_ng@4149 8810af33-2d31-482b-a856-94f89814c4df
2016-06-10 09:35:27 +00:00 · 2016-06-10 09:35:27 +00:00 · fea14a860e
parent e7f4e49a15
commit fea14a860e
7 changed files with 221 additions and 52 deletions
--- a/ccm-shortcuts/src/main/java/org/libreccm/shortcuts/ShortcutManager.java
+++ b/ccm-shortcuts/src/main/java/org/libreccm/shortcuts/ShortcutManager.java
@ -18,8 +18,9 @@
 */
 package org.libreccm.shortcuts;

-import java.net.URI;
-import java.net.URL;
+
+import org.libreccm.security.AuthorizationRequired;
+import org.libreccm.security.RequiresPrivilege;

 import javax.enterprise.context.RequestScoped;
 import javax.inject.Inject;
@ -46,6 +47,8 @@ public class ShortcutManager {
     * @param redirect The URL to which the Shortcut redirects. Can't be null.
     * @return the new Shortcut
     */
+    @AuthorizationRequired
+    @RequiresPrivilege(ShortcutsConstants.SHORTSCUT_MANAGE_PRIVILEGE)
    public Shortcut createShortcut(final String url, final String redirect) {
        if (url == null || url.trim().isEmpty()) {
            throw new IllegalArgumentException(
--- a/ccm-shortcuts/src/main/java/org/libreccm/shortcuts/ShortcutRepository.java
+++ b/ccm-shortcuts/src/main/java/org/libreccm/shortcuts/ShortcutRepository.java
@ -19,6 +19,8 @@
 package org.libreccm.shortcuts;

 import org.libreccm.core.AbstractEntityRepository;
+import org.libreccm.security.AuthorizationRequired;
+import org.libreccm.security.RequiresPrivilege;

 import java.util.List;
 import java.util.Optional;
@ -78,4 +80,17 @@ public class ShortcutRepository extends AbstractEntityRepository<Long, Shortcut>
        return query.getResultList();
    }

+    @Override
+    @AuthorizationRequired
+    @RequiresPrivilege(ShortcutsConstants.SHORTSCUT_MANAGE_PRIVILEGE)
+    public void save(final Shortcut shortcut) {
+        super.save(shortcut);
+    }
+    
+    @Override
+    @AuthorizationRequired
+    @RequiresPrivilege(ShortcutsConstants.SHORTSCUT_MANAGE_PRIVILEGE)
+    public void delete(final Shortcut shortcut) {
+        super.delete(shortcut);
+    }
 }
--- a/ccm-shortcuts/src/test/java/org/libreccm/shortcuts/ShortcutManagerTest.java
+++ b/ccm-shortcuts/src/test/java/org/libreccm/shortcuts/ShortcutManagerTest.java
@ -18,17 +18,19 @@
 */
 package org.libreccm.shortcuts;

+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authz.UnauthorizedException;
+import org.apache.shiro.subject.Subject;
+
 import java.io.File;
-import java.net.MalformedURLException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.stream.IntStream;
+
 import javax.inject.Inject;
 import javax.persistence.EntityManager;
 import javax.persistence.PersistenceContext;
+
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.arquillian.container.test.api.ShouldThrowException;
 import org.jboss.arquillian.junit.Arquillian;
@ -40,7 +42,6 @@ import org.jboss.arquillian.persistence.UsingDataSet;
 import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
 import org.jboss.arquillian.transaction.api.annotation.Transactional;
 import org.jboss.shrinkwrap.api.ShrinkWrap;
-import org.jboss.shrinkwrap.api.asset.EmptyAsset;
 import org.jboss.shrinkwrap.api.spec.WebArchive;
 import org.jboss.shrinkwrap.resolver.api.maven.Maven;
 import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
@ -53,6 +54,7 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
+import org.libreccm.security.Shiro;
 import org.libreccm.tests.categories.IntegrationTest;

 import static org.hamcrest.CoreMatchers.*;
@ -72,6 +74,12 @@ public class ShortcutManagerTest {
    @Inject
    private ShortcutManager shortcutManager;

+    @Inject
+    private Shiro shiro;
+
+    @Inject
+    private Subject subject;
+
    @PersistenceContext
    private EntityManager entityManager;

@ -97,21 +105,21 @@ public class ShortcutManagerTest {
    @Deployment
    public static WebArchive createDeployment() {
        final PomEquippedResolveStage pom = Maven
-                .resolver()
-                .loadPomFromFile("pom.xml");
+            .resolver()
+            .loadPomFromFile("pom.xml");
        final PomEquippedResolveStage dependencies = pom
-                .importCompileAndRuntimeDependencies();
+            .importCompileAndRuntimeDependencies();
        dependencies.addDependency(MavenDependencies.createDependency(
-                "org.libreccm:ccm-core", ScopeType.RUNTIME, false));
+            "org.libreccm:ccm-core", ScopeType.RUNTIME, false));
        dependencies.addDependency(MavenDependencies.createDependency(
-                "org.libreccm:ccm-testutils", ScopeType.RUNTIME, false));
+            "org.libreccm:ccm-testutils", ScopeType.RUNTIME, false));
        dependencies.addDependency(MavenDependencies.createDependency(
-                "net.sf.saxon:Saxon-HE", ScopeType.RUNTIME, false));
+            "net.sf.saxon:Saxon-HE", ScopeType.RUNTIME, false));
        dependencies.addDependency(MavenDependencies.createDependency(
-                "org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-impl-maven",
-                ScopeType.RUNTIME, false));
-        final File[] libsWithCcmCore = dependencies.resolve().withTransitivity().
-                asFile();
+            "org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-impl-maven",
+            ScopeType.RUNTIME, false));
+        final File[] libsWithCcmCore = dependencies.resolve().withTransitivity()
+            .asFile();

        final List<File> libsList = new ArrayList<>(libsWithCcmCore.length - 1);
        IntStream.range(0, libsWithCcmCore.length).forEach(i -> {
@ -128,26 +136,29 @@ public class ShortcutManagerTest {
        }

        return ShrinkWrap.create(
-                WebArchive.class,
-                "LibreCCM-org.libreccm.shortcuts.ShortcutTest-web.war")
-                .addPackage(org.libreccm.categorization.Categorization.class
-                        .getPackage())
-                .addPackage(org.libreccm.configuration.Configuration.class
-                        .getPackage())
-                .addPackage(org.libreccm.core.CcmCore.class.getPackage())
-                .addPackage(org.libreccm.jpa.EntityManagerProducer.class
-                        .getPackage())
-                .addPackage(org.libreccm.l10n.LocalizedString.class
-                        .getPackage())
-                .addPackage(org.libreccm.security.Permission.class.getPackage())
-                .addPackage(org.libreccm.shortcuts.Shortcuts.class.getPackage())
-                .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
-                .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
-                .addAsLibraries(libs)
-                .addAsResource("test-persistence.xml",
-                               "META-INF/persistence.xml")
-                .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml")
-                .addAsWebInfResource(EmptyAsset.INSTANCE, "WEB-INF/beans.xml");
+            WebArchive.class,
+            "LibreCCM-org.libreccm.shortcuts.ShortcutTest-web.war")
+            .addPackage(org.libreccm.categorization.Categorization.class
+                .getPackage())
+            .addPackage(org.libreccm.cdi.utils.CdiUtil.class.getPackage())
+            .addPackage(org.libreccm.configuration.Configuration.class
+                .getPackage())
+            .addPackage(org.libreccm.core.CcmCore.class.getPackage())
+            .addPackage(org.libreccm.jpa.EntityManagerProducer.class
+                .getPackage())
+            .addPackage(org.libreccm.l10n.LocalizedString.class
+                .getPackage())
+            .addPackage(org.libreccm.security.Permission.class.getPackage())
+            .addPackage(org.libreccm.shortcuts.Shortcuts.class.getPackage())
+            .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
+            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
+            .addClass(com.arsdigita.kernel.KernelConfig.class)
+            .addAsLibraries(libs)
+            .addAsResource("configs/shiro.ini", "shiro.ini")
+            .addAsResource("test-persistence.xml",
+                           "META-INF/persistence.xml")
+            .addAsWebInfResource("test-web.xml", "web.xml")
+            .addAsResource("test-beans.xml", "META-INF/beans.xml");
    }

    @Test
@ -164,59 +175,129 @@ public class ShortcutManagerTest {

    @Test
    @UsingDataSet(
-            "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
+        "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
    @ShouldMatchDataSet(
-            value = "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml",
-            excludeColumns = {"shortcut_id"})
+        value = "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml",
+        excludeColumns = {"shortcut_id"})
    @InSequence(100)
-    public void createShortcutStringParams() {
+    public void createShortcutBySystemUser() {
+        final Subject systemUser = shiro.getSystemUser();
+        systemUser.execute(() -> {
+            shortcutManager.createShortcut("datenschutz",
+                                           "/ccm/navigation/privacy");
+
+            return null;
+        });
+
+    }
+
+    @Test
+    @UsingDataSet(
+        "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml",
+        excludeColumns = {"shortcut_id"})
+    @InSequence(110)
+    public void createShortcutByAuthorizedUser() {
+        final UsernamePasswordToken token = new UsernamePasswordToken(
+            "john.doe@example.org", "foo123");
+        token.setRememberMe(true);
+        subject.login(token);
+
+        shortcutManager.createShortcut("datenschutz",
+                                       "/ccm/navigation/privacy");
+
+        subject.logout();
+    }
+
+    @Test(expected = UnauthorizedException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
+    @ShouldThrowException(UnauthorizedException.class)
+    @InSequence(120)
+    public void createShortcutByUnAuthorizedUser() {
        shortcutManager.createShortcut("datenschutz",
                                       "/ccm/navigation/privacy");
    }

    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet(
-            "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
+        "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
-    @InSequence(110)
-    public void createShortcutStringParamsNullUrlKey() {
+    @InSequence(130)
+    public void createShortcutNullUrlKey() {
+        final UsernamePasswordToken token = new UsernamePasswordToken(
+            "john.doe@example.org", "foo123");
+        token.setRememberMe(true);
+        subject.login(token);
+
        shortcutManager.createShortcut(null, "http://www.example.org");
+
+        subject.logout();
    }

    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet(
-            "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
+        "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(120)
-    public void createShortcutStringParamsNullRedirect() {
+    public void createShortcutNullRedirect() {
+        final UsernamePasswordToken token = new UsernamePasswordToken(
+            "john.doe@example.org", "foo123");
+        token.setRememberMe(true);
+        subject.login(token);
+
        shortcutManager.createShortcut("example", null);
+
+        subject.logout();
    }

    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet(
-            "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
+        "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(140)
-    public void createShortcutStringParamsEmptyUrlKey() {
+    public void createShortcutEmptyUrlKey() {
+        final UsernamePasswordToken token = new UsernamePasswordToken(
+            "john.doe@example.org", "foo123");
+        token.setRememberMe(true);
+        subject.login(token);
+
        shortcutManager.createShortcut("  ", "http://www.example.org");
+
+        subject.logout();
    }

    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet(
-            "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
+        "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(150)
-    public void createShortcutStringParamsEmptyRedirect() {
+    public void createShortcutEmptyRedirect() {
+        final UsernamePasswordToken token = new UsernamePasswordToken(
+            "john.doe@example.org", "foo123");
+        token.setRememberMe(true);
+        subject.login(token);
+
        shortcutManager.createShortcut("example", " ");
+
+        subject.logout();
    }

    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet(
-            "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
+        "datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(160)
-    public void createShortcutStringParamsEmptyParams() {
+    public void createShortcutEmptyParams() {
+        final UsernamePasswordToken token = new UsernamePasswordToken(
+            "john.doe@example.org", "foo123");
+        token.setRememberMe(true);
+        subject.login(token);
+
        shortcutManager.createShortcut("", "");
+
+        subject.logout();
    }

 //    @Test
--- a/ccm-shortcuts/src/test/resources/configs/shiro.ini
+++ b/ccm-shortcuts/src/test/resources/configs/shiro.ini
@ -0,0 +1,10 @@
+[main]
+
+passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
+passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
+passwordMatcher.passwordService = $passwordService
+
+ccmRealm = org.libreccm.security.CcmShiroRealm
+ccmRealm.credentialsMatcher = $passwordMatcher
+
+securityManager.realms = $ccmRealm
--- a/ccm-shortcuts/src/test/resources/datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml
+++ b/ccm-shortcuts/src/test/resources/datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml
@ -1,5 +1,40 @@
 <?xml version="1.0" encoding="utf-8"?>
 <dataset>
+    <ccm_core.parties party_id="-100"
+                      name="public-user" />
+    <ccm_core.parties party_id="-110"
+                      name="jdoe" />
+    
+    <ccm_core.users party_id="-100" 
+                    given_name="public"
+                    family_name="user"
+                    email_address="public-user@localhost"
+                    banned="false"
+                    bouncing="false"
+                    verified="true"
+                    password_reset_required="false" />
+    <!-- Password is foo123 -->
+    <ccm_core.users party_id="-110" 
+                    given_name="John"
+                    family_name="Doe"
+                    email_address="john.doe@example.org"
+                    password="$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q=="
+                    banned="false"
+                    bouncing="false"
+                    verified="true"
+                    password_reset_required="false" />
+    
+    <ccm_core.ccm_roles role_id="-200"
+                        name="shortcuts-manager"/>
+    
+    <ccm_core.role_memberships membership_id="-300" 
+                               role_id="-200" 
+                               member_id="-110" />
+    
+    <ccm_core.permissions permission_id="-400"
+                           granted_privilege="manage_shortcuts"
+                           grantee_id="-200" />
+    
    <ccm_shortcuts.shortcuts shortcut_id="-10"
                             url_key="mitglieder"
                             redirect="/ccm/navigation/members" />
--- a/ccm-shortcuts/src/test/resources/test-beans.xml
+++ b/ccm-shortcuts/src/test/resources/test-beans.xml
@ -0,0 +1,11 @@
+<beans xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee 
+                           http://xmlns.jcp.org/xml/ns/javaee/beans_1_1.xsd"
+       bean-discovery-mode="annotated">
+       
+        <interceptors>
+            <class>org.libreccm.security.AuthorizationInterceptor</class>
+        </interceptors>
+    
+</beans>
--- a/ccm-shortcuts/src/test/resources/test-web.xml
+++ b/ccm-shortcuts/src/test/resources/test-web.xml
@ -6,4 +6,18 @@
         version="3.0">
    
    <display-name>LibreCCM Shortcuts Test</display-name>
+    
+    <filter>
+        <filter-name>ShiroFilter</filter-name>
+        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>ShiroFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <listener>
+        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
+    </listener>
 </web-app>