ApiKeyIT xref

View Javadoc
1   package de.dlr.shepard.integrationtests;
2   
3   import static io.restassured.RestAssured.given;
4   import static org.assertj.core.api.Assertions.assertThat;
5   
6   import de.dlr.shepard.ErrorResponse;
7   import de.dlr.shepard.auth.apikey.io.ApiKeyIO;
8   import de.dlr.shepard.auth.apikey.io.ApiKeyWithJWTIO;
9   import de.dlr.shepard.common.util.Constants;
10  import io.quarkus.test.junit.QuarkusIntegrationTest;
11  import io.restassured.builder.RequestSpecBuilder;
12  import io.restassured.http.ContentType;
13  import java.util.UUID;
14  import org.junit.jupiter.api.BeforeAll;
15  import org.junit.jupiter.api.MethodOrderer;
16  import org.junit.jupiter.api.Order;
17  import org.junit.jupiter.api.Test;
18  import org.junit.jupiter.api.TestMethodOrder;
19  
20  @QuarkusIntegrationTest
21  @TestMethodOrder(MethodOrderer.OrderAnnotation.class)
22  public class ApiKeyIT extends BaseTestCaseIT {
23  
24    private static String apiKeyURL;
25    private static ApiKeyIO apikey;
26  
27    @BeforeAll
28    public static void setUp() {
29      apiKeyURL = String.format("/%s/%s/%s", Constants.USERS, nameOfDefaultUser, Constants.APIKEYS);
30    }
31  
32    @Test
33    @Order(1)
34    public void createApiKey_createNewKey_success() {
35      var toCreate = new ApiKeyIO();
36      toCreate.setName("ApiKeyDummy");
37  
38      var actual = given()
39        .spec(requestSpecOfDefaultUser)
40        .body(toCreate)
41        .when()
42        .post(apiKeyURL)
43        .then()
44        .statusCode(201)
45        .extract()
46        .as(ApiKeyWithJWTIO.class);
47      apikey = new ApiKeyIO() {
48        {
49          setBelongsTo(actual.getBelongsTo());
50          setCreatedAt(actual.getCreatedAt());
51          setName(actual.getName());
52          setUid(actual.getUid());
53        }
54      };
55  
56      assertThat(actual.getUid()).isNotNull();
57      assertThat(actual.getCreatedAt()).isNotNull();
58      assertThat(actual.getBelongsTo()).isEqualTo(nameOfDefaultUser);
59      assertThat(actual.getName()).isEqualTo("ApiKeyDummy");
60      assertThat(actual.getJwt()).isNotNull();
61  
62      var newSpec = new RequestSpecBuilder()
63        .setContentType(ContentType.JSON)
64        .addHeader("X-API-KEY", actual.getJwt())
65        .build();
66      given().spec(newSpec).when().get(apiKeyURL).then().statusCode(200);
67    }
68  
69    @Test
70    @Order(2)
71    public void getApiKey_getExistingKey_success() {
72      var actual = given()
73        .spec(requestSpecOfDefaultUser)
74        .when()
75        .get(apiKeyURL + "/" + apikey.getUid())
76        .then()
77        .statusCode(200)
78        .extract()
79        .as(ApiKeyIO.class);
80      assertThat(actual).isEqualTo(apikey);
81    }
82  
83    @Test
84    @Order(3)
85    public void getApiKey_getNonExistingKey_notFound() {
86      ErrorResponse response = given()
87        .spec(requestSpecOfDefaultUser)
88        .when()
89        .get(apiKeyURL + "/" + UUID.randomUUID())
90        .then()
91        .statusCode(404)
92        .extract()
93        .as(ErrorResponse.class);
94      assertThat(response.getMessage()).isEqualTo("ID ERROR - ApiKey does not exist");
95    }
96  
97    @Test
98    @Order(4)
99    public void getApiKey_getByKeyUuidOfOtherUser_notFound() {
100     ErrorResponse response = given()
101       .spec(requestSpecOfDefaultUser)
102       .when()
103       .get(apiKeyURL + "/" + otherUser.getApiKey().getUid())
104       .then()
105       .statusCode(403)
106       .extract()
107       .as(ErrorResponse.class);
108     assertThat(response.getMessage()).isEqualTo("You do not have permissions for this ApiKey.");
109   }
110 
111   @Test
112   @Order(5)
113   public void getApiKey_getKeyOfOtherUser_Forbidden() {
114     ErrorResponse response = given()
115       .spec(requestSpecOfDefaultUser)
116       .when()
117       .get(
118         String.format(
119           "/%s/%s/%s/%s",
120           Constants.USERS,
121           otherUser.getUser().getUsername(),
122           Constants.APIKEYS,
123           otherUser.getApiKey().getUid()
124         )
125       )
126       .then()
127       .statusCode(403)
128       .extract()
129       .as(ErrorResponse.class);
130     assertThat(response.getMessage()).isEqualTo("The requested action is forbidden by the permission policies");
131   }
132 
133   @Test
134   @Order(6)
135   public void getApiKey_getNonExistingKeyOfOtherUser_Forbidden() {
136     ErrorResponse response = given()
137       .spec(requestSpecOfDefaultUser)
138       .when()
139       .get(
140         String.format(
141           "/%s/%s/%s/%s",
142           Constants.USERS,
143           otherUser.getUser().getUsername(),
144           Constants.APIKEYS,
145           UUID.randomUUID()
146         )
147       )
148       .then()
149       .statusCode(403)
150       .extract()
151       .as(ErrorResponse.class);
152     assertThat(response.getMessage()).isEqualTo("The requested action is forbidden by the permission policies");
153   }
154 
155   @Test
156   @Order(7)
157   public void getApiKey_getAllKeys_existingKeyReturned() {
158     var actual = given()
159       .spec(requestSpecOfDefaultUser)
160       .when()
161       .get(apiKeyURL)
162       .then()
163       .statusCode(200)
164       .extract()
165       .as(ApiKeyIO[].class);
166     assertThat(actual).contains(apikey);
167   }
168 
169   @Test
170   @Order(8)
171   public void deleteApiKey_deleteExistingKey_success() {
172     given().spec(requestSpecOfDefaultUser).when().delete(apiKeyURL + "/" + apikey.getUid()).then().statusCode(204);
173     given().spec(requestSpecOfDefaultUser).when().get(apiKeyURL + "/" + apikey.getUid()).then().statusCode(404);
174   }
175 
176   @Test
177   @Order(9)
178   public void deleteApiKey_deleteNonExistingKey_notFound() {
179     given().spec(requestSpecOfDefaultUser).when().delete(apiKeyURL + "/" + UUID.randomUUID()).then().statusCode(404);
180   }
181 
182   @Test
183   @Order(10)
184   public void deleteApiKey_deleteKeyOfOtherUser_Forbidden() {
185     ErrorResponse response = given()
186       .spec(requestSpecOfDefaultUser)
187       .when()
188       .delete(
189         String.format(
190           "/%s/%s/%s/%s",
191           Constants.USERS,
192           otherUser.getUser().getUsername(),
193           Constants.APIKEYS,
194           UUID.randomUUID()
195         )
196       )
197       .then()
198       .statusCode(403)
199       .extract()
200       .as(ErrorResponse.class);
201     assertThat(response.getMessage()).isEqualTo("The requested action is forbidden by the permission policies");
202   }
203 
204   @Test
205   @Order(11)
206   public void deleteApiKey_deleteNonexistingKeyOfOtherUser_Forbidden() {
207     ErrorResponse response = given()
208       .spec(requestSpecOfDefaultUser)
209       .when()
210       .delete(
211         String.format(
212           "/%s/%s/%s/%s",
213           Constants.USERS,
214           otherUser.getUser().getUsername(),
215           Constants.APIKEYS,
216           otherUser.getApiKey().getUid()
217         )
218       )
219       .then()
220       .statusCode(403)
221       .extract()
222       .as(ErrorResponse.class);
223     assertThat(response.getMessage()).isEqualTo("The requested action is forbidden by the permission policies");
224   }
225 }