2 * Copyright (C) 2009 EDIT
3 * European Distributed Institute of Taxonomy
4 * http://www.e-taxonomy.eu
6 * The contents of this file are subject to the Mozilla Public License Version 1.1
7 * See LICENSE.TXT at the top of this package for the full license terms.
10 package eu
.etaxonomy
.cdm
.api
.service
;
13 import java
.io
.FileNotFoundException
;
14 import java
.util
.ArrayList
;
15 import java
.util
.List
;
18 import org
.apache
.log4j
.Logger
;
19 import org
.junit
.Assert
;
20 import org
.junit
.Test
;
21 import org
.springframework
.security
.access
.AccessDeniedException
;
22 import org
.springframework
.security
.authentication
.AuthenticationManager
;
23 import org
.springframework
.security
.core
.Authentication
;
24 import org
.springframework
.security
.core
.GrantedAuthority
;
25 import org
.springframework
.security
.core
.context
.SecurityContext
;
26 import org
.springframework
.security
.core
.context
.SecurityContextHolder
;
27 import org
.unitils
.dbunit
.annotation
.DataSet
;
28 import org
.unitils
.spring
.annotation
.SpringBeanByType
;
30 import eu
.etaxonomy
.cdm
.database
.PermissionDeniedException
;
31 import eu
.etaxonomy
.cdm
.model
.common
.GrantedAuthorityImpl
;
32 import eu
.etaxonomy
.cdm
.model
.common
.Group
;
33 import eu
.etaxonomy
.cdm
.model
.common
.User
;
34 import eu
.etaxonomy
.cdm
.persistence
.hibernate
.permission
.Role
;
38 * @author a.kohlbecker
42 @DataSet(value
="SecurityTest.xml")
43 public class UserAndGroupServiceImplTest
extends AbstractSecurityTestBase
{
45 protected static final Logger logger
= Logger
.getLogger(UserAndGroupServiceImplTest
.class);
48 private AuthenticationManager authenticationManager
;
51 private IUserService userService
;
54 private IGroupService groupService
;
57 private IGrantedAuthorityService grantedAuthorityService
;
60 private ITaxonService taxonService
;
63 private Authentication authentication
;
67 public void testCreateUser() {
70 authentication
= authenticationManager
.authenticate(tokenForAdmin
);
71 SecurityContext context
= SecurityContextHolder
.getContext();
72 context
.setAuthentication(authentication
);
76 userService
.createUser(User
.NewInstance("new user 1", "00000"));
81 authentication
= authenticationManager
.authenticate(tokenForTaxonEditor
);
82 context
= SecurityContextHolder
.getContext();
83 context
.setAuthentication(authentication
);
86 userService
.createUser(User
.NewInstance("new user 2", "00000"));
89 Assert
.assertEquals("Access is denied", e
.getMessage());
95 public void testUpdateUser(){
97 // TaxonEditor should be able to change its own email address
98 authentication
= authenticationManager
.authenticate(tokenForTaxonEditor
);
99 SecurityContext context
= SecurityContextHolder
.getContext();
100 context
.setAuthentication(authentication
);
102 User user
= userService
.find(TAXON_EDITOR_UUID
);
103 user
.setEmailAddress("test@bgbm.org");
107 userService.updateUser(user);
108 }catch (Exception e){
109 Assert.fail("the user TaxonEditor should be able to change its own email address");
113 authentication
= authenticationManager
.authenticate(tokenForUserManager
);
114 context
= SecurityContextHolder
.getContext();
115 context
.setAuthentication(authentication
);
117 user
.setEmailAddress("user@bgbm.org");
120 userService
.updateUser(user
);
121 }catch (Exception e
){
122 Assert
.fail("the user UserManager should be able to change others email addresses");
125 authentication
= authenticationManager
.authenticate(tokenForPartEditor
);
126 context
= SecurityContextHolder
.getContext();
127 context
.setAuthentication(authentication
);
130 userService
.updateUser(user
);
131 Assert
.fail("the user PartEditor should NOT be able to change others email addresses");
132 }catch (Exception e
){
133 Assert
.assertEquals("Access is denied", e
.getMessage());
139 public void testChangePassword(){
141 // the user TaxonEditor should be able to change its own password
142 authentication
= authenticationManager
.authenticate(tokenForTaxonEditor
);
143 SecurityContext context
= SecurityContextHolder
.getContext();
144 context
.setAuthentication(authentication
);
146 userService
.changePasswordForUser(tokenForTaxonEditor
.getName(), "newPassword");
148 Exception exception
= null;
149 // the user TaxonEditor should NOT be able to change others passwords
151 userService
.changePasswordForUser(tokenForAdmin
.getName(), "newPassword");
152 commitAndStartNewTransaction(null);
153 } catch (AccessDeniedException e
){
154 logger
.debug("Expected failure of evaluation.", e
);
156 } catch (RuntimeException e
){
157 exception
= findThrowableOfTypeIn(PermissionDeniedException
.class, e
);
158 logger
.debug("Expected failure of evaluation.", exception
);
160 // needed in case saveOrUpdate was interrupted by the RuntimeException
161 // commitAndStartNewTransaction() would raise an UnexpectedRollbackException
163 startNewTransaction();
165 Assert
.assertNotNull("must fail here!", exception
);
167 // the user User manager should be able to change others passwords
168 authentication
= authenticationManager
.authenticate(tokenForUserManager
);
169 context
= SecurityContextHolder
.getContext();
170 context
.setAuthentication(authentication
);
171 userService
.changePasswordForUser(tokenForAdmin
.getName(), "newPassword");
176 public void testCreateGroup(){
178 authentication
= authenticationManager
.authenticate(tokenForUserManager
);
179 SecurityContext context
= SecurityContextHolder
.getContext();
180 context
.setAuthentication(authentication
);
183 List
<GrantedAuthority
> authorityList
= new ArrayList
<GrantedAuthority
>();
184 GrantedAuthorityImpl rolePublishAthotrity
= GrantedAuthorityImpl
.NewInstance();
185 rolePublishAthotrity
.setAuthority(Role
.ROLE_PUBLISH
.toString()); // testing if creating a Role from string is working
186 authorityList
.add(rolePublishAthotrity
);
188 String publishersGroupName
= "publishers";
190 groupService
.createGroup(publishersGroupName
, authorityList
);
192 commitAndStartNewTransaction(null);
194 List
<GrantedAuthority
> groupAuthorities
= groupService
.findGroupAuthorities(publishersGroupName
);
196 Assert
.assertEquals(Role
.ROLE_PUBLISH
.toString(), groupAuthorities
.get(0).getAuthority());
201 public void testRefreshUser(){
203 String newGroupName
= "new_publishers";
205 // -----------------------------------------------------------------
206 // authenticate as TaxonEditor to load the user for the first time and to let cache it in the session
207 authentication
= authenticationManager
.authenticate(tokenForTaxonEditor
);
208 SecurityContext context
= SecurityContextHolder
.getContext();
209 context
.setAuthentication(authentication
);
211 User user
= (User
) authentication
.getPrincipal();
213 // check that everything is clean
214 for(GrantedAuthority authority
: user
.getAuthorities()){
215 if(authority
.equals(Role
.ROLE_PUBLISH
)){
216 Assert
.fail("an authority '" + Role
.ROLE_PUBLISH
+ "' must not yet exists");
219 for(Group group
: user
.getGroups()){
220 if(group
.getName().equals(newGroupName
)){
221 Assert
.fail("the group '" + newGroupName
+ "' must not yet exists");
225 // -----------------------------------------------------------------
226 // authenticate as UserManager to be able to add the role ROLE_PUBLISH in various ways
227 authentication
= authenticationManager
.authenticate(tokenForUserManager
);
228 context
= SecurityContextHolder
.getContext();
229 context
.setAuthentication(authentication
);
231 // create an entity of ROLE_PUBLISH and save it to the database
232 grantedAuthorityService
.save(Role
.ROLE_PUBLISH
.asNewGrantedAuthority());
233 commitAndStartNewTransaction(null);
234 GrantedAuthorityImpl rolePublish
= grantedAuthorityService
.load(Role
.ROLE_PUBLISH
.getUuid());
236 user
= userService
.load(TAXON_EDITOR_UUID
);
238 // 1. add to the users GrantedAuthorities
239 // TODO is there any other way to do this?
240 Set
<GrantedAuthority
> grantedAuthorities
= user
.getGrantedAuthorities();
241 grantedAuthorities
.add(rolePublish
);
242 user
.setGrantedAuthorities(grantedAuthorities
);
243 userService
.saveOrUpdate(user
);
245 commitAndStartNewTransaction(null);
247 // 2. add to existing group
248 Group group_special_editor
= groupService
.load(GROUP_SPECIAL_EDITOR_UUID
);
249 String groupSpecialEditor_Name
= group_special_editor
.getName();
250 rolePublish
= grantedAuthorityService
.load(Role
.ROLE_PUBLISH
.getUuid());
251 group_special_editor
.addGrantedAuthority(rolePublish
);
252 groupService
.saveOrUpdate(group_special_editor
);
254 commitAndStartNewTransaction(null);
256 // 3. add in new group
257 Group groupNewPublishers
= Group
.NewInstance(newGroupName
);
258 rolePublish
= grantedAuthorityService
.load(Role
.ROLE_PUBLISH
.getUuid());
259 groupNewPublishers
.addGrantedAuthority(rolePublish
);
260 groupService
.saveOrUpdate(groupNewPublishers
);
261 groupService
.addUserToGroup(user
.getUsername(), newGroupName
);
263 commitAndStartNewTransaction(null);
265 // -----------------------------------------------------------------
266 // again authenticate as TaxonEditor
267 authentication
= authenticationManager
.authenticate(tokenForTaxonEditor
);
268 context
= SecurityContextHolder
.getContext();
269 context
.setAuthentication(authentication
);
271 // and check if everything is updated
272 user
= (User
) authentication
.getPrincipal();
274 // 1. check users authorities for the role
275 boolean newAuthorityFound
= false;
276 for(GrantedAuthority authority
: user
.getAuthorities()){
277 if(authority
.equals(Role
.ROLE_PUBLISH
)){
278 newAuthorityFound
= true;
282 Assert
.assertTrue("the new authority '" + Role
.ROLE_PUBLISH
+ "' is missing", newAuthorityFound
);
284 // 2. check for role in existing group
285 boolean newAuthorityFoundInExistingGroup
= false;
286 for(Group group
: user
.getGroups()){
287 if(group
.getUuid().equals(GROUP_SPECIAL_EDITOR_UUID
)){
288 for(GrantedAuthority authority
: group
.getGrantedAuthorities()){
289 if(authority
.equals(Role
.ROLE_PUBLISH
)){
290 newAuthorityFoundInExistingGroup
= true;
294 if(newAuthorityFoundInExistingGroup
){
299 Assert
.assertTrue("the new authority '" + Role
.ROLE_PUBLISH
+ "' is missing in existing group", newAuthorityFoundInExistingGroup
);
301 // 3. check new group
302 boolean newGroupFound
= false;
303 for(Group group
: user
.getGroups()){
304 if(group
.getName().equals(newGroupName
)){
305 newGroupFound
= true;
309 Assert
.assertTrue("the new group '" + newGroupName
+ "' is missing", newGroupFound
);
311 // ==================================================================
312 // again authenticate as UserManager to be able to add the role ROLE_PUBLISH in various ways
313 authentication
= authenticationManager
.authenticate(tokenForUserManager
);
314 context
= SecurityContextHolder
.getContext();
315 context
.setAuthentication(authentication
);
317 groupService
.removeUserFromGroup(user
.getUsername(), groupSpecialEditor_Name
);
319 commitAndStartNewTransaction(null);
321 // -----------------------------------------------------------------
322 // again authenticate as TaxonEditor
323 authentication
= authenticationManager
.authenticate(tokenForTaxonEditor
);
324 context
= SecurityContextHolder
.getContext();
325 context
.setAuthentication(authentication
);
327 // and check if the group has been removed from the user
328 user
= (User
) authentication
.getPrincipal();
330 for(Group group
: user
.getGroups()){
331 if(group
.getName().equals(groupSpecialEditor_Name
)){
332 Assert
.fail("The user TaxonEditor should no longer be member of this group");
341 * @see eu.etaxonomy.cdm.test.integration.CdmIntegrationTest#createTestData()
344 public void createTestDataSet() throws FileNotFoundException
{
345 // TODO Auto-generated method stub