1 package de.dlr.shepard.auth.permission.services;
2
3 import static org.junit.jupiter.api.Assertions.assertEquals;
4 import static org.junit.jupiter.api.Assertions.assertFalse;
5 import static org.junit.jupiter.api.Assertions.assertTrue;
6 import static org.mockito.Mockito.when;
7
8 import de.dlr.shepard.BaseTestCase;
9 import de.dlr.shepard.auth.permission.daos.PermissionsDAO;
10 import de.dlr.shepard.auth.permission.model.Permissions;
11 import de.dlr.shepard.auth.permission.model.Roles;
12 import de.dlr.shepard.auth.security.PermissionLastSeenCache;
13 import de.dlr.shepard.auth.users.entities.User;
14 import de.dlr.shepard.auth.users.entities.UserGroup;
15 import de.dlr.shepard.auth.users.services.UserGroupService;
16 import de.dlr.shepard.common.neo4j.entities.BasicEntity;
17 import de.dlr.shepard.common.util.AccessType;
18 import de.dlr.shepard.common.util.Constants;
19 import de.dlr.shepard.common.util.PermissionType;
20 import de.dlr.shepard.context.collection.entities.Collection;
21 import de.dlr.shepard.context.collection.services.DataObjectService;
22 import de.dlr.shepard.context.labJournal.services.LabJournalEntryService;
23 import jakarta.ws.rs.container.ContainerRequestContext;
24 import jakarta.ws.rs.core.PathSegment;
25 import jakarta.ws.rs.core.UriInfo;
26 import java.net.URI;
27 import java.net.URISyntaxException;
28 import java.util.ArrayList;
29 import java.util.List;
30 import java.util.Optional;
31 import org.junit.jupiter.api.BeforeEach;
32 import org.junit.jupiter.api.Test;
33 import org.mockito.InjectMocks;
34 import org.mockito.Mock;
35
36
37 public class PermissionsServiceSecondTest extends BaseTestCase {
38
39 @Mock
40 UriInfo uriInfo;
41
42 @Mock
43 private PathSegment rootSeg;
44
45 @Mock
46 private PathSegment idSeg;
47
48 @Mock
49 private PathSegment pathSeg;
50
51 @Mock
52 private PathSegment thirdSegment;
53
54 @Mock
55 private PermissionsDAO permissionsDAO;
56
57 @Mock
58 private UserGroupService userGroupService;
59
60 @Mock
61 private DataObjectService dataObjectService;
62
63 @Mock
64 private LabJournalEntryService labJournalEntryService;
65
66 @Mock
67 private PermissionLastSeenCache permissionLastSeenCache;
68
69 @InjectMocks
70 private PermissionsService permissionsService;
71
72 @Mock
73 ContainerRequestContext request;
74
75 @BeforeEach
76 public void setUpRequestContext() throws URISyntaxException {
77 URI uri = new URI("http://my.url/test/200/sub");
78 when(uriInfo.getAbsolutePath()).thenReturn(uri);
79 when(rootSeg.getPath()).thenReturn(Constants.COLLECTIONS);
80 when(idSeg.getPath()).thenReturn("123");
81 when(pathSeg.getPath()).thenReturn(Constants.DATA_OBJECTS);
82 when(uriInfo.getPathSegments()).thenReturn(List.of(rootSeg, idSeg, pathSeg));
83 when(request.getUriInfo()).thenReturn(uriInfo);
84 }
85
86 @Test
87 public void isAllowedTest_NoId() {
88 when(uriInfo.getPathSegments()).thenReturn(List.of(rootSeg));
89 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
90 assertTrue(actual);
91 }
92
93 @Test
94 public void isAllowedTest_EmptyId() {
95 when(idSeg.getPath()).thenReturn("");
96
97 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
98 assertTrue(actual);
99 }
100
101 @Test
102 public void isAllowedTest_NonNumericId() {
103 when(idSeg.getPath()).thenReturn("abc");
104
105 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
106 assertFalse(actual);
107 }
108
109 @Test
110 public void isAllowedTest_GetUsers() {
111 when(rootSeg.getPath()).thenReturn(Constants.USERS);
112 when(idSeg.getPath()).thenReturn("abc");
113 when(uriInfo.getPathSegments()).thenReturn(List.of(rootSeg, idSeg));
114 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
115 assertTrue(actual);
116 }
117
118 @Test
119 public void isAllowedTest_EditUsers() {
120 when(rootSeg.getPath()).thenReturn(Constants.USERS);
121 when(idSeg.getPath()).thenReturn("abc");
122 when(uriInfo.getPathSegments()).thenReturn(List.of(rootSeg, idSeg));
123 var actual = permissionsService.isAllowed(request, AccessType.Write, "principal");
124 assertTrue(actual);
125 }
126
127 @Test
128 public void isAllowedTest_SearchUsers() {
129 when(rootSeg.getPath()).thenReturn(Constants.SEARCH);
130 when(idSeg.getPath()).thenReturn(Constants.USERS);
131 when(uriInfo.getPathSegments()).thenReturn(List.of(rootSeg, idSeg));
132 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
133 assertTrue(actual);
134 }
135
136 @Test
137 public void isNotAllowedTest_SearchUsersWrongPath() {
138 when(rootSeg.getPath()).thenReturn(Constants.SEARCH);
139 when(idSeg.getPath()).thenReturn(Constants.USERS);
140 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
141 assertFalse(actual);
142 }
143
144 @Test
145 public void isNotAllowedTest_SearchUsersThreeSegments() {
146 when(rootSeg.getPath()).thenReturn(Constants.SEARCH);
147 when(idSeg.getPath()).thenReturn(Constants.USERS);
148 when(thirdSegment.getPath()).thenReturn("bla");
149 when(uriInfo.getPathSegments()).thenReturn(List.of(rootSeg, idSeg, thirdSegment));
150 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
151 assertFalse(actual);
152 }
153
154 @Test
155 public void isAllowedTest_ManageYourself() {
156 when(rootSeg.getPath()).thenReturn(Constants.USERS);
157 when(idSeg.getPath()).thenReturn("principal");
158
159 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
160 assertTrue(actual);
161 }
162
163 @Test
164 public void isAllowedTest_ManageOther() {
165 when(rootSeg.getPath()).thenReturn(Constants.USERS);
166 when(idSeg.getPath()).thenReturn("different");
167
168 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
169 assertTrue(actual);
170 }
171
172 @Test
173 public void isAllowedTest_NoUsername() {
174 var perms = new Permissions() {
175 {
176 setOwner(new User("principal"));
177 }
178 };
179 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
180
181 var actual = permissionsService.isAllowed(request, AccessType.Read, "");
182 assertFalse(actual);
183 }
184
185 @Test
186 public void isAllowedTest_NoPermissions() {
187 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(null);
188
189 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
190 assertTrue(actual);
191 }
192
193 @Test
194 public void isAllowedTest_IsOwner() {
195 var perms = new Permissions() {
196 {
197 setOwner(new User("principal"));
198 }
199 };
200 when(pathSeg.getPath()).thenReturn(Constants.PERMISSIONS);
201 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
202
203 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
204 assertTrue(actual);
205 }
206
207 @Test
208 public void isAllowedTest_DifferentOwner() {
209 var perms = new Permissions() {
210 {
211 setOwner(new User("different"));
212 }
213 };
214 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
215
216 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
217 assertFalse(actual);
218 }
219
220 @Test
221 public void isAllowedTest_Manager() {
222 var perms = new Permissions() {
223 {
224 setManager(List.of(new User("principal")));
225 }
226 };
227 when(pathSeg.getPath()).thenReturn(Constants.PERMISSIONS);
228 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
229
230 var actual = permissionsService.isAllowed(request, AccessType.Manage, "principal");
231 assertTrue(actual);
232 }
233
234 @Test
235 public void isAllowedTest_NoManager() {
236 var perms = new Permissions();
237 when(pathSeg.getPath()).thenReturn(Constants.PERMISSIONS);
238 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
239
240 var actual = permissionsService.isAllowed(request, AccessType.Manage, "principal");
241 assertFalse(actual);
242 }
243
244 @Test
245 public void isAllowedTest_Reader() {
246 var perms = new Permissions() {
247 {
248 setReader(List.of(new User("principal")));
249 }
250 };
251 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
252
253 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
254 assertTrue(actual);
255 }
256
257 @Test
258 public void isAllowedTest_NoReader() {
259 var perms = new Permissions();
260 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
261
262 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
263 assertFalse(actual);
264 }
265
266 @Test
267 public void isAllowedTest_Writer() {
268 var perms = new Permissions() {
269 {
270 setWriter(List.of(new User("principal")));
271 }
272 };
273 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
274
275 var actual = permissionsService.isAllowed(request, AccessType.Write, "principal");
276 assertTrue(actual);
277 }
278
279 @Test
280 public void isAllowedTest_WriterGroup() {
281 UserGroup writerGroup = new UserGroup();
282 writerGroup.setId(35L);
283 User writer = new User("principal");
284 ArrayList<User> users = new ArrayList<>();
285 users.add(writer);
286 writerGroup.setUsers(users);
287 ArrayList<UserGroup> writerGroups = new ArrayList<>();
288 writerGroups.add(writerGroup);
289 var perms = new Permissions() {
290 {
291 setWriterGroups(writerGroups);
292 }
293 };
294 when(userGroupService.getUserGroupOptional(35L)).thenReturn(Optional.of(writerGroup));
295 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
296
297 assertTrue(permissionsService.isAccessTypeAllowedForUser(123, AccessType.Write, "principal"));
298 }
299
300 @Test
301 public void isNotAllowedTest_WriterGroup() {
302 UserGroup writerGroup = new UserGroup();
303 writerGroup.setId(35L);
304 User writer = new User("principal");
305 ArrayList<User> users = new ArrayList<>();
306 users.add(writer);
307 writerGroup.setUsers(users);
308 ArrayList<UserGroup> writerGroups = new ArrayList<>();
309 writerGroups.add(writerGroup);
310 var perms = new Permissions() {
311 {
312 setWriterGroups(writerGroups);
313 }
314 };
315 when(userGroupService.getUserGroup(35L)).thenReturn(writerGroup);
316 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
317 assertFalse(permissionsService.isAccessTypeAllowedForUser(123, AccessType.Write, "Heinz"));
318 }
319
320 @Test
321 public void isAllowedTest_ReaderGroup() {
322 UserGroup readerGroup = new UserGroup();
323 readerGroup.setId(35L);
324 User reader = new User("principal");
325 ArrayList<User> users = new ArrayList<>();
326 users.add(reader);
327 readerGroup.setUsers(users);
328 ArrayList<UserGroup> readerGroups = new ArrayList<>();
329 readerGroups.add(readerGroup);
330 var perms = new Permissions() {
331 {
332 setReaderGroups(readerGroups);
333 }
334 };
335 when(userGroupService.getUserGroupOptional(35L)).thenReturn(Optional.of(readerGroup));
336 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
337 assertTrue(permissionsService.isAccessTypeAllowedForUser(123, AccessType.Read, "principal"));
338 }
339
340 @Test
341 public void isNotAllowedTest_ReaderGroup() {
342 UserGroup readerGroup = new UserGroup();
343 readerGroup.setId(35L);
344 User reader = new User("principal");
345 ArrayList<User> users = new ArrayList<>();
346 users.add(reader);
347 readerGroup.setUsers(users);
348 ArrayList<UserGroup> readerGroups = new ArrayList<>();
349 readerGroups.add(readerGroup);
350 var perms = new Permissions() {
351 {
352 setReaderGroups(readerGroups);
353 }
354 };
355 when(userGroupService.getUserGroup(35L)).thenReturn(readerGroup);
356 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
357 assertFalse(permissionsService.isAccessTypeAllowedForUser(123, AccessType.Read, "AKP"));
358 }
359
360 @Test
361 public void isAllowedTest_NoWriter() {
362 var perms = new Permissions();
363 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
364
365 var actual = permissionsService.isAllowed(request, AccessType.Write, "principal");
366 assertFalse(actual);
367 }
368
369 @Test
370 public void isAllowedTest_TypePrivate() {
371 var perms = new Permissions() {
372 {
373 setPermissionType(PermissionType.Private);
374 }
375 };
376 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
377
378 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
379 assertFalse(actual);
380 }
381
382 @Test
383 public void isAllowedTest_TypeReadable() {
384 var perms = new Permissions() {
385 {
386 setPermissionType(PermissionType.PublicReadable);
387 }
388 };
389 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
390
391 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
392 assertTrue(actual);
393 }
394
395 @Test
396 public void isAllowedTest_TypeReadableWrite() {
397 var perms = new Permissions() {
398 {
399 setPermissionType(PermissionType.PublicReadable);
400 }
401 };
402 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
403
404 var actual = permissionsService.isAllowed(request, AccessType.Write, "principal");
405 assertFalse(actual);
406 }
407
408 @Test
409 public void isAllowedTest_TypePublic() {
410 var perms = new Permissions() {
411 {
412 setPermissionType(PermissionType.Public);
413 }
414 };
415 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
416
417 var actual = permissionsService.isAllowed(request, AccessType.Read, "principal");
418 assertTrue(actual);
419 }
420
421 @Test
422 public void isAllowedTest_TypePublicWrite() {
423 var perms = new Permissions() {
424 {
425 setPermissionType(PermissionType.Public);
426 }
427 };
428 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
429
430 var actual = permissionsService.isAllowed(request, AccessType.Write, "principal");
431 assertTrue(actual);
432 }
433
434 @Test
435 public void isAllowedTest_InvalidAccessType() {
436 var perms = new Permissions() {
437 {
438 setPermissionType(PermissionType.Public);
439 }
440 };
441 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
442
443 var actual = permissionsService.isAllowed(request, AccessType.None, "principal");
444 assertFalse(actual);
445 }
446
447 @Test
448 public void getRolesTest() {
449 var perms = new Permissions() {
450 {
451 setPermissionType(PermissionType.Public);
452 }
453 };
454 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(perms);
455
456 var expected = new Roles(false, false, true, true);
457 var actual = permissionsService.getUserRolesOnEntity(123, "bob");
458 assertEquals(expected, actual);
459 }
460
461 @Test
462 public void getRolesTest_null() {
463 when(permissionsDAO.findByEntityNeo4jId(123)).thenReturn(null);
464
465 var expected = new Roles(false, true, true, true);
466 var actual = permissionsService.getUserRolesOnEntity(123, "bob");
467 assertEquals(expected, actual);
468 }
469
470 @Test
471 public void isAccessTypeAllowedForUser_UserHasReadPermissionsTriesToRead_success() {
472 User user = new User("testuser");
473 var collection = new Collection(2L);
474 collection.setShepardId(4L);
475 ArrayList<BasicEntity> colList = new ArrayList<BasicEntity>();
476 colList.add(collection);
477 var existing = new Permissions(1L);
478 existing.setEntities(colList);
479 existing.setReader(List.of(user));
480
481 when(permissionsDAO.findByEntityNeo4jId(collection.getShepardId())).thenReturn(existing);
482
483 var actual = permissionsService.isAccessTypeAllowedForUser(
484 collection.getShepardId(),
485 AccessType.Read,
486 user.getUsername()
487 );
488 assertTrue(actual);
489 }
490
491 @Test
492 public void isAccessTypeAllowedForUser_UserHasWritePermissionsTriesToRead_success() {
493 User user = new User("testuser");
494 var collection = new Collection(2L);
495 collection.setShepardId(4L);
496 ArrayList<BasicEntity> colList = new ArrayList<BasicEntity>();
497 colList.add(collection);
498 var existing = new Permissions(1L);
499 existing.setEntities(colList);
500 existing.setWriter(List.of(user));
501
502 when(permissionsDAO.findByEntityNeo4jId(collection.getShepardId())).thenReturn(existing);
503
504 var actual = permissionsService.isAccessTypeAllowedForUser(
505 collection.getShepardId(),
506 AccessType.Read,
507 user.getUsername()
508 );
509 assertTrue(actual);
510 }
511
512 @Test
513 public void isAccessTypeAllowedForUser_UserHasReadPermissionsTriesToWrite_forbid() {
514 User user = new User("testuser");
515 var collection = new Collection(2L);
516 collection.setShepardId(4L);
517 ArrayList<BasicEntity> colList = new ArrayList<BasicEntity>();
518 colList.add(collection);
519 var existing = new Permissions(1L);
520 existing.setEntities(colList);
521 existing.setReader(List.of(user));
522
523 when(permissionsDAO.findByEntityNeo4jId(collection.getShepardId())).thenReturn(existing);
524
525 var actual = permissionsService.isAccessTypeAllowedForUser(
526 collection.getShepardId(),
527 AccessType.Write,
528 user.getUsername()
529 );
530 assertFalse(actual);
531 }
532
533 @Test
534 public void isAccessTypeAllowedForUser_UserHasManagePermissionsTriesToRead_success() {
535 User user = new User("testuser");
536 var collection = new Collection(2L);
537 collection.setShepardId(4L);
538 ArrayList<BasicEntity> colList = new ArrayList<BasicEntity>();
539 colList.add(collection);
540 var existing = new Permissions(1L);
541 existing.setEntities(colList);
542 existing.setManager(List.of(user));
543
544 when(permissionsDAO.findByEntityNeo4jId(collection.getShepardId())).thenReturn(existing);
545
546 var actual = permissionsService.isAccessTypeAllowedForUser(
547 collection.getShepardId(),
548 AccessType.Read,
549 user.getUsername()
550 );
551 assertTrue(actual);
552 }
553
554 @Test
555 public void isAccessTypeAllowedForUser_UserIsOwnerTriesToWrite_success() {
556 User user = new User("testuser");
557 var collection = new Collection(2L);
558 collection.setShepardId(4L);
559 ArrayList<BasicEntity> colList = new ArrayList<BasicEntity>();
560 colList.add(collection);
561 var existing = new Permissions(1L);
562 existing.setEntities(colList);
563 existing.setOwner(user);
564
565 when(permissionsDAO.findByEntityNeo4jId(collection.getShepardId())).thenReturn(existing);
566
567 var actual = permissionsService.isAccessTypeAllowedForUser(
568 collection.getShepardId(),
569 AccessType.Write,
570 user.getUsername()
571 );
572 assertTrue(actual);
573 }
574
575 @Test
576 public void isAccessTypeAllowedForUser_UserHasNoPermissionsTriesToRead_forbid() {
577 User user = new User("testuser");
578 var collection = new Collection(2L);
579 collection.setShepardId(4L);
580 ArrayList<BasicEntity> colList = new ArrayList<BasicEntity>();
581 colList.add(collection);
582 var existing = new Permissions(1L);
583 existing.setEntities(colList);
584
585 when(permissionsDAO.findByEntityNeo4jId(collection.getShepardId())).thenReturn(existing);
586
587 var actual = permissionsService.isAccessTypeAllowedForUser(
588 collection.getShepardId(),
589 AccessType.Read,
590 user.getUsername()
591 );
592 assertFalse(actual);
593 }
594 }