Source Code of org.sonatype.security.realms.XmlAuthenticatingRealmTest

/*
 * Sonatype Nexus (TM) Open Source Version
 * Copyright (c) 2007-2014 Sonatype, Inc.
 * All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
 *
 * This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
 * which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
 *
 * Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
 * of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
 * Eclipse Foundation. All other trademarks are the property of their respective owners.
 */
package org.sonatype.security.realms;

import java.io.File;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

import org.sonatype.configuration.validation.InvalidConfigurationException;
import org.sonatype.security.model.CPrivilege;
import org.sonatype.security.model.CProperty;
import org.sonatype.security.model.CRole;
import org.sonatype.security.model.CUser;
import org.sonatype.security.realms.tools.DefaultConfigurationManager;
import org.sonatype.security.usermanagement.PasswordGenerator;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.realm.Realm;
import org.eclipse.sisu.launch.InjectedTestCase;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.is;

public class XmlAuthenticatingRealmTest
    extends InjectedTestCase
{
  private final String SECURITY_FILE_PATH = getBasedir() + "/target/jsecurity/security.xml";

  private final String SECURITY_CONFIGURATION_FILE_PATH = getBasedir() + "/target/jsecurity/security-configuration.xml";

  private File configFile = new File(SECURITY_FILE_PATH);

  private XmlAuthenticatingRealm realm;

  private DefaultConfigurationManager configurationManager;

  private PasswordGenerator passwordGenerator;

  private PasswordService passwordService;

  private CUser testUser;

  @Override
  public void configure(Properties properties) {
    properties.put("security-xml-file", SECURITY_FILE_PATH);
    properties.put("application-conf", SECURITY_CONFIGURATION_FILE_PATH);
    super.configure(properties);
  }

  @Override
  protected void setUp()
      throws Exception
  {
    super.setUp();

    realm = (XmlAuthenticatingRealm) lookup(Realm.class, "XmlAuthenticatingRealm");

    configurationManager = lookup(DefaultConfigurationManager.class);

    configurationManager.clearCache();

    passwordGenerator = lookup(PasswordGenerator.class, "default");
    passwordService = lookup(PasswordService.class, "default");

    configFile.delete();
  }

  public void testSuccessfulAuthentication()
      throws Exception
  {
    buildTestAuthenticationConfig(CUser.STATUS_ACTIVE);

    UsernamePasswordToken upToken = new UsernamePasswordToken("username", "password");

    AuthenticationInfo ai = realm.getAuthenticationInfo(upToken);

    String password = new String((char[]) ai.getCredentials());

    assertThat(this.passwordService.passwordsMatch("password", password), is(true));
  }

  public void testCreateWithPassowrd()
      throws Exception
  {
    buildTestAuthenticationConfig(CUser.STATUS_ACTIVE);

    String clearPassword = "default-password";
    String username = "testCreateWithPassowrdEmailUserId";

    CUser user = new CUser();
    user.setEmail("testCreateWithPassowrdEmail@somewhere");
    user.setFirstName("testCreateWithPassowrdEmail");
    user.setLastName("testCreateWithPassowrdEmail");
    user.setStatus(CUser.STATUS_ACTIVE);
    user.setId(username);

    Set<String> roles = new HashSet<String>();
    roles.add("role");

    configurationManager.createUser(user, clearPassword, roles);

    UsernamePasswordToken upToken = new UsernamePasswordToken("testCreateWithPassowrdEmailUserId", clearPassword);

    AuthenticationInfo ai = realm.getAuthenticationInfo(upToken);

    String password = new String((char[]) ai.getCredentials());

    assertThat(this.passwordService.passwordsMatch(clearPassword, password), is(true));
  }

  public void testFailedAuthentication()
      throws Exception
  {
    buildTestAuthenticationConfig(CUser.STATUS_ACTIVE);

    UsernamePasswordToken upToken = new UsernamePasswordToken("username", "badpassword");

    try {
      realm.getAuthenticationInfo(upToken);

      fail("Authentication should have failed");
    }
    catch (AuthenticationException e) {
      // good
    }
  }

  public void testDisabledAuthentication()
      throws Exception
  {
    buildTestAuthenticationConfig(CUser.STATUS_DISABLED);

    UsernamePasswordToken upToken = new UsernamePasswordToken("username", "password");

    try {
      realm.getAuthenticationInfo(upToken);

      fail("Authentication should have failed");
    }
    catch (AuthenticationException e) {
      // good
    }
  }

  public void testDetectLegacyUser()
      throws Exception
  {
    String password = "password";
    String username = "username";
    buildLegacyTestAuthenticationConfig(password);

    UsernamePasswordToken upToken = new UsernamePasswordToken(username, password);
    AuthenticationInfo ai = realm.getAuthenticationInfo(upToken);
    CUser updatedUser = this.configurationManager.readUser(username);
    String hash = new String((char[]) ai.getCredentials());

    assertThat(this.passwordService.passwordsMatch(password, hash), is(true));
    assertThat(this.passwordService.passwordsMatch(password, updatedUser.getPassword()), is(true));
  }

  private void buildTestAuthenticationConfig(String status)
      throws InvalidConfigurationException
  {
    buildTestAuthenticationConfig(status, this.hashPassword("password"));
  }

  private void buildTestAuthenticationConfig(String status, String hash)
      throws InvalidConfigurationException
  {
    CPrivilege priv = new CPrivilege();
    priv.setId("priv");
    priv.setName("name");
    priv.setDescription("desc");
    priv.setType("method");

    CProperty prop = new CProperty();
    prop.setKey("method");
    prop.setValue("read");
    priv.addProperty(prop);

    prop = new CProperty();
    prop.setKey("permission");
    prop.setValue("somevalue");
    priv.addProperty(prop);

    configurationManager.createPrivilege(priv);

    CRole role = new CRole();
    role.setName("name");
    role.setId("role");
    role.setDescription("desc");
    role.setSessionTimeout(50);
    role.addPrivilege("priv");

    configurationManager.createRole(role);

    testUser = new CUser();
    testUser.setEmail("dummyemail@somewhere");
    testUser.setFirstName("dummyFirstName");
    testUser.setLastName("dummyLastName");
    testUser.setStatus(status);
    testUser.setId("username");
    testUser.setPassword(hash);

    Set<String> roles = new HashSet<String>();
    roles.add("role");

    configurationManager.createUser(testUser, roles);
    configurationManager.save();
  }

  private void buildLegacyTestAuthenticationConfig(String password)
      throws InvalidConfigurationException
  {
    buildTestAuthenticationConfig(CUser.STATUS_ACTIVE, this.legacyHashPassword(password));
  }

  private String hashPassword(String password) {
    return this.passwordService.encryptPassword(password);
  }

  private String legacyHashPassword(String password) {
    return this.passwordGenerator.hashPassword(password);
  }
}