Package org.sonatype.security.realms

Source Code of org.sonatype.security.realms.XmlAuthorizingRealmTest

/*
* Sonatype Nexus (TM) Open Source Version
* Copyright (c) 2007-2014 Sonatype, Inc.
* All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
*
* This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
* which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
*
* Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
* of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
* Eclipse Foundation. All other trademarks are the property of their respective owners.
*/
package org.sonatype.security.realms;

import java.io.File;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

import org.sonatype.configuration.validation.InvalidConfigurationException;
import org.sonatype.security.AbstractSecurityTestCase;
import org.sonatype.security.model.CPrivilege;
import org.sonatype.security.model.CProperty;
import org.sonatype.security.model.CRole;
import org.sonatype.security.model.CUser;
import org.sonatype.security.realms.privileges.application.ApplicationPrivilegeDescriptor;
import org.sonatype.security.realms.privileges.application.ApplicationPrivilegeMethodPropertyDescriptor;
import org.sonatype.security.realms.privileges.application.ApplicationPrivilegePermissionPropertyDescriptor;
import org.sonatype.security.realms.tools.DefaultConfigurationManager;
import org.sonatype.security.usermanagement.UserStatus;

import junit.framework.Assert;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.SimplePrincipalCollection;

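/**
 * Checks role and permission resolution in {@link XmlAuthorizingRealm} against a security
 * configuration that each test writes from scratch.
 *
 * <p>The fixture is one user holding one role, which holds one application privilege:
 * permission {@code app:config} with method {@code read}. Every test asserts that exactly
 * {@code app:config:read} is granted and that the other methods on {@code app:config}, and every
 * method on the unrelated {@code app:ui} permission, are denied.
 *
 * <p>Only authorization is exercised ({@code hasRole} / {@code isPermitted}); nothing in this class
 * authenticates, so the fixture password is a throwaway value.
 */
public class XmlAuthorizingRealmTest
    extends AbstractSecurityTestCase
{

  /** Methods probed on each permission; only {@link #GRANTED_METHOD} is expected to be permitted. */
  private static final String[] CRUD_METHODS = {"read", "create", "update", "delete"};

  /** The single method granted by the fixture privilege. */
  private static final String GRANTED_METHOD = "read";

  /** Permission prefix the fixture privilege is bound to. */
  private static final String GRANTED_PERMISSION = "app:config";

  /** Permission prefix that no fixture privilege covers; used as the negative control. */
  private static final String UNGRANTED_PERMISSION = "app:ui";

  /** Id of the fixture role assigned to the fixture user. */
  private static final String ROLE_ID = "role";

  private final String SECURITY_CONFIG_FILE_PATH = getBasedir() + "/target/security/security.xml";

  private final File configFile = new File(SECURITY_CONFIG_FILE_PATH);

  private XmlAuthorizingRealm realm;

  private DefaultConfigurationManager configurationManager;

  /**
   * Points the security configuration at {@link #SECURITY_CONFIG_FILE_PATH} by setting
   * {@code PLEXUS_SECURITY_XML_FILE} before delegating to the superclass.
   */
  @Override
  public void configure(Properties properties) {
    properties.put(PLEXUS_SECURITY_XML_FILE, SECURITY_CONFIG_FILE_PATH);
    super.configure(properties);
  }

  /**
   * Looks up the realm and configuration manager, clears the manager's cache and removes any
   * security.xml left behind by an earlier test.
   *
   * @throws Exception if the superclass set-up or a component lookup fails
   */
  @Override
  protected void setUp()
      throws Exception
  {
    super.setUp();

    realm = (XmlAuthorizingRealm) lookup(Realm.class, "XmlAuthorizingRealm");
    realm.setRolePermissionResolver(this.lookup(RolePermissionResolver.class));

    configurationManager = lookup(DefaultConfigurationManager.class);

    configurationManager.clearCache();

    // A leftover file would let users, roles or privileges from a previous test leak into this
    // one, so a failed delete is reported instead of being ignored. A missing file is the normal
    // first-run case and is not an error.
    if (configFile.exists()) {
      Assert.assertTrue("could not delete stale security configuration " + configFile, configFile.delete());
    }
  }

  /**
   * The default fixture user ({@code username}) gets the fixture role and only
   * {@code app:config:read}.
   *
   * @throws Exception if the fixture configuration cannot be created
   */
  public void testAuthorization()
      throws Exception
  {
    buildTestAuthorizationConfig();

    // NOTE(review): an older comment here said this call failed with an NPE because the realm's
    // configuration was not initialized; the assertions below expect it to succeed, so that
    // remark looks stale.
    SimplePrincipalCollection principal = new SimplePrincipalCollection("username", realm.getName());

    assertOnlyConfigReadGranted(principal);
  }

  /**
   * The user is stored as {@code ABcd}; both the exact-case principal and the lower-cased
   * {@code abcd} are expected to receive the same role and the same single permission.
   *
   * <p>Despite the method name, this pins case-<em>insensitive</em> user-id lookup during
   * authorization. NOTE(review): that is only safe if ids differing solely by case can never be
   * stored as separate accounts, because they would resolve to the same grants; confirm that user
   * creation enforces this, it is not checked here.
   *
   * @throws Exception if the fixture configuration cannot be created
   */
  public void testCaseSensitiveAuthorization()
      throws Exception
  {
    buildTestAuthorizationConfig("ABcd");

    assertOnlyConfigReadGranted(new SimplePrincipalCollection("ABcd", realm.getName()));
    assertOnlyConfigReadGranted(new SimplePrincipalCollection("abcd", realm.getName()));
  }

  /**
   * Asserts least privilege for the fixture: the role is present, {@code app:config:read} is the
   * only permitted {@code app:config} method, and nothing on {@code app:ui} is permitted.
   */
  private void assertOnlyConfigReadGranted(SimplePrincipalCollection principal) {
    Assert.assertTrue("expected role '" + ROLE_ID + "' for " + principal, realm.hasRole(principal, ROLE_ID));

    // Granted permission: exactly one method may pass.
    for (String method : CRUD_METHODS) {
      String permission = GRANTED_PERMISSION + ":" + method;
      Assert.assertEquals(permission + " for " + principal, GRANTED_METHOD.equals(method),
          realm.isPermitted(principal, new WildcardPermission(permission)));
    }

    // Unrelated permission: every method, including the one granted elsewhere, must be denied.
    for (String method : CRUD_METHODS) {
      String permission = UNGRANTED_PERMISSION + ":" + method;
      Assert.assertFalse(permission + " must be denied for " + principal,
          realm.isPermitted(principal, new WildcardPermission(permission)));
    }
  }

  /**
   * Writes the fixture configuration for the default user id {@code username}.
   *
   * @throws InvalidConfigurationException if the configuration manager rejects a fixture entity
   */
  private void buildTestAuthorizationConfig()
      throws InvalidConfigurationException
  {
    buildTestAuthorizationConfig("username");
  }

  /**
   * Creates the privilege, the role and the user through the configuration manager and saves the
   * result.
   *
   * @param userId id stored for the fixture user, exactly as given
   * @throws InvalidConfigurationException if the configuration manager rejects a fixture entity
   */
  private void buildTestAuthorizationConfig(String userId)
      throws InvalidConfigurationException
  {
    // Privilege: permission app:config restricted to the read method.
    CProperty permissionProp = new CProperty();
    permissionProp.setKey(ApplicationPrivilegePermissionPropertyDescriptor.ID);
    permissionProp.setValue(GRANTED_PERMISSION);

    CProperty methodProp = new CProperty();
    methodProp.setKey(ApplicationPrivilegeMethodPropertyDescriptor.ID);
    methodProp.setValue(GRANTED_METHOD);

    CPrivilege priv = new CPrivilege();
    priv.setId("priv");
    priv.setName("somepriv");
    priv.setType(ApplicationPrivilegeDescriptor.TYPE);
    priv.setDescription("somedescription");
    priv.addProperty(permissionProp);
    priv.addProperty(methodProp);

    configurationManager.createPrivilege(priv);

    // Role: carries only that privilege.
    CRole role = new CRole();
    role.setId(ROLE_ID);
    role.setName("somerole");
    role.setDescription("somedescription");
    role.setSessionTimeout(60);
    role.addPrivilege(priv.getId());

    configurationManager.createRole(role);

    // User: active, assigned only that role. The password is fixture data; no test here logs in.
    CUser user = new CUser();
    user.setEmail("dummyemail@foo");
    user.setFirstName("dummyFirstName");
    user.setLastName("dummyLastName");
    user.setStatus(UserStatus.active.toString());
    user.setId(userId);
    user.setPassword("password");

    Set<String> roles = new HashSet<String>();
    roles.add(role.getId());

    configurationManager.createUser(user, roles);

    configurationManager.save();
  }

}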