
JSonDeserializerWithAccessFilter with working access rights validation

This commit is contained in:
Michael Hoennig
2019-04-23 08:31:26 +02:00
parent bb0fb4aa78
commit 63bd602397
10 changed files with 198 additions and 45 deletions


@@ -1,14 +1,12 @@
package org.hostsharing.hsadminng.service.accessfilter;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.annotation.JsonTypeId;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.ObjectCodec;
import com.fasterxml.jackson.core.TreeNode;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.lang3.NotImplementedException;
import org.apache.commons.lang3.tuple.ImmutablePair;
import org.hostsharing.hsadminng.service.dto.CustomerDTO;
import org.hostsharing.hsadminng.web.rest.errors.BadRequestAlertException;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
@@ -22,9 +20,8 @@ import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.catchThrowable;
import static org.hostsharing.hsadminng.service.accessfilter.MockSecurityContext.givenLoginUserWithRole;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
@SuppressWarnings("ALL")
public class JSonDeserializerWithAccessFilterUnitTest {
@Rule
@@ -40,7 +37,7 @@ public class JSonDeserializerWithAccessFilterUnitTest {
public TreeNode treeNode;
@Before
public void init() throws IOException {
public void init() {
givenLoginUserWithRole(Role.ANY_CUSTOMER_USER);
given(jsonParser.getCodec()).willReturn(codec);
@@ -82,21 +79,81 @@ public class JSonDeserializerWithAccessFilterUnitTest {
assertThat(actualDto.openLongField).isEqualTo(1234L);
}
// --- fixture code below ---
@Test
public void shouldDeserializeStringFieldIfRequiredRoleIsCoveredByUser() throws IOException {
// given
givenLoginUserWithRole(Role.FINANCIAL_CONTACT);
givenJSonTree(asJSon(ImmutablePair.of("restrictedField", "Restricted String Value")));
private String asJSon(final ImmutablePair<String, ? extends Object>... properties) {
// when
GivenDto actualDto = new JSonDeserializerWithAccessFilter<>(jsonParser, null, GivenDto.class).deserialize();
// then
assertThat(actualDto.restrictedField).isEqualTo("Restricted String Value");
}
@Test
public void shouldInitializeFieldIfRequiredRoleIsNotCoveredByUser() throws IOException {
// given
givenLoginUserWithRole(Role.ANY_CUSTOMER_USER);
givenJSonTree(asJSon(ImmutablePair.of("restrictedField", "Restricted String Value")));
// when
Throwable exception = catchThrowable(() -> new JSonDeserializerWithAccessFilter<>(jsonParser, null, GivenDto.class).deserialize());
// then
assertThat(exception).isInstanceOfSatisfying(BadRequestAlertException.class, badRequestAlertException -> {
assertThat(badRequestAlertException.getParam()).isEqualTo("GivenDto.restrictedField");
assertThat(badRequestAlertException.getErrorKey()).isEqualTo("initializationProhibited");
});
}
@Test
public void shouldUpdateFieldIfRequiredRoleIsNotCoveredByUser() throws IOException {
// given
givenLoginUserWithRole(Role.ANY_CUSTOMER_USER);
givenJSonTree(asJSon(
ImmutablePair.of("id", 1234L),
ImmutablePair.of("restrictedField", "Restricted String Value")));
// when
Throwable exception = catchThrowable(() -> new JSonDeserializerWithAccessFilter<>(jsonParser, null, GivenDto.class).deserialize());
// then
assertThat(exception).isInstanceOfSatisfying(BadRequestAlertException.class, badRequestAlertException -> {
assertThat(badRequestAlertException.getParam()).isEqualTo("GivenDto.restrictedField");
assertThat(badRequestAlertException.getErrorKey()).isEqualTo("updateProhibited");
});
}
@Test
public void should() throws IOException {
// given
givenJSonTree(asJSon(ImmutablePair.of("restrictedField", "Restricted String Value")));
// when
Throwable exception = catchThrowable(() -> new JSonDeserializerWithAccessFilter<>(jsonParser, null, GivenDtoWithMultipleSelfId.class).deserialize());
// then
assertThat(exception).isInstanceOf(AssertionError.class).hasMessageContaining("xx");
}
// --- only fixture code below ---
@SafeVarargs
private final String asJSon(final ImmutablePair<String, Object>... properties) {
final StringBuilder json = new StringBuilder();
for ( ImmutablePair<String, ? extends Object> prop: properties ) {
for (ImmutablePair<String, Object> prop : properties) {
json.append(inQuotes(prop.left));
json.append(": ");
if ( prop.right instanceof Number ) {
if (prop.right instanceof Number) {
json.append(prop.right);
} else {
json.append(inQuotes(prop.right));
}
json.append(",\n");
}
return "{\n" + json.substring(0, json.length()-2) + "\n}";
return "{\n" + json.substring(0, json.length() - 2) + "\n}";
}
private void givenJSonTree(String givenJSon) throws IOException {
@@ -108,16 +165,34 @@ public class JSonDeserializerWithAccessFilterUnitTest {
}
public static class GivenDto {
@AccessFor(update = {Role.TECHNICAL_CONTACT, Role.FINANCIAL_CONTACT})
@SelfId
@AccessFor(read = Role.ANY_CUSTOMER_USER)
Long id;
@AccessFor(init = {Role.TECHNICAL_CONTACT, Role.FINANCIAL_CONTACT}, update = {Role.TECHNICAL_CONTACT, Role.FINANCIAL_CONTACT})
String restrictedField;
@AccessFor(update = Role.ANYBODY)
@AccessFor(init = Role.ANYBODY, update = Role.ANYBODY)
String openStringField;
@AccessFor(update = Role.ANYBODY)
@AccessFor(init = Role.ANYBODY, update = Role.ANYBODY)
Integer openIntegerField;
@AccessFor(update = Role.ANYBODY)
@AccessFor(init = Role.ANYBODY, update = Role.ANYBODY)
Long openLongField;
}
public static class GivenDtoWithMultipleSelfId {
@SelfId
@AccessFor(read = Role.ANY_CUSTOMER_USER)
Long id;
@SelfId
@AccessFor(read = Role.ANY_CUSTOMER_USER)
Long id2;
}
}
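Review bot: The test `should()` in the hunk at `@@ -82,21 +79,81 @@` is left with a placeholder name and a placeholder assertion, `hasMessageContaining("xx")`, so it documents nothing about the multiple-`@SelfId` case it exercises and passes only if the deserializer's message happens to contain "xx"; rename it along the lines of `shouldRejectDtoWithMultipleSelfIdFields` and assert the message fragment the implementation actually emits (that class is not in this diff, so I cannot quote it). In the same hunk, `shouldInitializeFieldIfRequiredRoleIsNotCoveredByUser` and `shouldUpdateFieldIfRequiredRoleIsNotCoveredByUser` expect the `initializationProhibited` and `updateProhibited` errors, so their names state the opposite of what they verify; `shouldNotInitializeField…` and `shouldNotUpdateField…` would read correctly. As far as this hunk shows, the allowed-update path is never exercised (a JSON tree with `id` plus a role that covers `restrictedField`, e.g. FINANCIAL_CONTACT), so a filter that rejected every update of `restrictedField` regardless of role would still pass this suite; a positive counterpart to the `updateProhibited` test would close that gap.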