ApiKeyIT xref

View Javadoc
1   package de.dlr.shepard.integrationtests;
2   
3   import static io.restassured.RestAssured.given;
4   import static org.assertj.core.api.Assertions.assertThat;
5   
6   import de.dlr.shepard.ErrorResponse;
7   import de.dlr.shepard.auth.apikey.io.ApiKeyIO;
8   import de.dlr.shepard.auth.apikey.io.ApiKeyWithJWTIO;
9   import de.dlr.shepard.common.util.Constants;
10  import io.quarkus.test.junit.QuarkusIntegrationTest;
11  import io.restassured.builder.RequestSpecBuilder;
12  import io.restassured.http.ContentType;
13  import java.util.UUID;
14  import org.junit.jupiter.api.BeforeAll;
15  import org.junit.jupiter.api.MethodOrderer;
16  import org.junit.jupiter.api.Order;
17  import org.junit.jupiter.api.Test;
18  import org.junit.jupiter.api.TestMethodOrder;
19  
20  @QuarkusIntegrationTest
21  @TestMethodOrder(MethodOrderer.OrderAnnotation.class)
22  public class ApiKeyIT extends BaseTestCaseIT {
23  
24    private static String apiKeyURL;
25    private static ApiKeyIO apikey;
26  
27    @BeforeAll
28    public static void setUp() {
29      apiKeyURL = "/%s/%s/%s".formatted(Constants.USERS, nameOfDefaultUser, Constants.APIKEYS);
30    }
31  
32    @Test
33    @Order(1)
34    public void createApiKey_createNewKey_success() {
35      var toCreate = new ApiKeyIO();
36      toCreate.setName("ApiKeyDummy");
37  
38      var actual = given()
39        .spec(requestSpecOfDefaultUser)
40        .body(toCreate)
41        .when()
42        .post(apiKeyURL)
43        .then()
44        .statusCode(201)
45        .extract()
46        .as(ApiKeyWithJWTIO.class);
47      apikey = new ApiKeyIO() {
48        {
49          setBelongsTo(actual.getBelongsTo());
50          setCreatedAt(actual.getCreatedAt());
51          setName(actual.getName());
52          setUid(actual.getUid());
53        }
54      };
55  
56      assertThat(actual.getUid()).isNotNull();
57      assertThat(actual.getCreatedAt()).isNotNull();
58      assertThat(actual.getBelongsTo()).isEqualTo(nameOfDefaultUser);
59      assertThat(actual.getName()).isEqualTo("ApiKeyDummy");
60      assertThat(actual.getJwt()).isNotNull();
61  
62      var newSpec = new RequestSpecBuilder()
63        .setContentType(ContentType.JSON)
64        .addHeader("X-API-KEY", actual.getJwt())
65        .build();
66      given().spec(newSpec).when().get(apiKeyURL).then().statusCode(200);
67    }
68  
69    @Test
70    @Order(2)
71    public void getApiKey_getExistingKey_success() {
72      var actual = given()
73        .spec(requestSpecOfDefaultUser)
74        .when()
75        .get(apiKeyURL + "/" + apikey.getUid())
76        .then()
77        .statusCode(200)
78        .extract()
79        .as(ApiKeyIO.class);
80      assertThat(actual).isEqualTo(apikey);
81    }
82  
83    @Test
84    @Order(3)
85    public void getApiKey_getNonExistingKey_notFound() {
86      ErrorResponse response = given()
87        .spec(requestSpecOfDefaultUser)
88        .when()
89        .get(apiKeyURL + "/" + UUID.randomUUID())
90        .then()
91        .statusCode(404)
92        .extract()
93        .as(ErrorResponse.class);
94      assertThat(response.getMessage()).isEqualTo("ID ERROR - ApiKey does not exist");
95    }
96  
97    @Test
98    @Order(4)
99    public void getApiKey_getByKeyUuidOfOtherUser_notFound() {
100     ErrorResponse response = given()
101       .spec(requestSpecOfDefaultUser)
102       .when()
103       .get(apiKeyURL + "/" + otherUser.getApiKey().getUid())
104       .then()
105       .statusCode(403)
106       .extract()
107       .as(ErrorResponse.class);
108     assertThat(response.getMessage()).isEqualTo("You do not have permissions for this ApiKey.");
109   }
110 
111   @Test
112   @Order(5)
113   public void getApiKey_getKeyOfOtherUser_Forbidden() {
114     ErrorResponse response = given()
115       .spec(requestSpecOfDefaultUser)
116       .when()
117       .get(
118         "/%s/%s/%s/%s".formatted(
119             Constants.USERS,
120             otherUser.getUser().getUsername(),
121             Constants.APIKEYS,
122             otherUser.getApiKey().getUid()
123           )
124       )
125       .then()
126       .statusCode(403)
127       .extract()
128       .as(ErrorResponse.class);
129     assertThat(response.getMessage()).isEqualTo("The requested action is forbidden by the permission policies");
130   }
131 
132   @Test
133   @Order(6)
134   public void getApiKey_getNonExistingKeyOfOtherUser_Forbidden() {
135     ErrorResponse response = given()
136       .spec(requestSpecOfDefaultUser)
137       .when()
138       .get(
139         "/%s/%s/%s/%s".formatted(
140             Constants.USERS,
141             otherUser.getUser().getUsername(),
142             Constants.APIKEYS,
143             UUID.randomUUID()
144           )
145       )
146       .then()
147       .statusCode(403)
148       .extract()
149       .as(ErrorResponse.class);
150     assertThat(response.getMessage()).isEqualTo("The requested action is forbidden by the permission policies");
151   }
152 
153   @Test
154   @Order(7)
155   public void getApiKey_getAllKeys_existingKeyReturned() {
156     var actual = given()
157       .spec(requestSpecOfDefaultUser)
158       .when()
159       .get(apiKeyURL)
160       .then()
161       .statusCode(200)
162       .extract()
163       .as(ApiKeyIO[].class);
164     assertThat(actual).contains(apikey);
165   }
166 
167   @Test
168   @Order(8)
169   public void deleteApiKey_deleteExistingKey_success() {
170     given().spec(requestSpecOfDefaultUser).when().delete(apiKeyURL + "/" + apikey.getUid()).then().statusCode(204);
171     given().spec(requestSpecOfDefaultUser).when().get(apiKeyURL + "/" + apikey.getUid()).then().statusCode(404);
172   }
173 
174   @Test
175   @Order(9)
176   public void deleteApiKey_deleteNonExistingKey_notFound() {
177     given().spec(requestSpecOfDefaultUser).when().delete(apiKeyURL + "/" + UUID.randomUUID()).then().statusCode(404);
178   }
179 
180   @Test
181   @Order(10)
182   public void deleteApiKey_deleteKeyOfOtherUser_Forbidden() {
183     ErrorResponse response = given()
184       .spec(requestSpecOfDefaultUser)
185       .when()
186       .delete(
187         "/%s/%s/%s/%s".formatted(
188             Constants.USERS,
189             otherUser.getUser().getUsername(),
190             Constants.APIKEYS,
191             UUID.randomUUID()
192           )
193       )
194       .then()
195       .statusCode(403)
196       .extract()
197       .as(ErrorResponse.class);
198     assertThat(response.getMessage()).isEqualTo("The requested action is forbidden by the permission policies");
199   }
200 
201   @Test
202   @Order(11)
203   public void deleteApiKey_deleteNonexistingKeyOfOtherUser_Forbidden() {
204     ErrorResponse response = given()
205       .spec(requestSpecOfDefaultUser)
206       .when()
207       .delete(
208         "/%s/%s/%s/%s".formatted(
209             Constants.USERS,
210             otherUser.getUser().getUsername(),
211             Constants.APIKEYS,
212             otherUser.getApiKey().getUid()
213           )
214       )
215       .then()
216       .statusCode(403)
217       .extract()
218       .as(ErrorResponse.class);
219     assertThat(response.getMessage()).isEqualTo("The requested action is forbidden by the permission policies");
220   }
221 }