JSonDeserializerWithAccessFilter with working access rights validation
@@ -1,14 +1,12 @@
|
||||
package org.hostsharing.hsadminng.service.accessfilter;
|
||||
|
||||
import com.fasterxml.jackson.core.JsonGenerator;
|
||||
import com.fasterxml.jackson.annotation.JsonTypeId;
|
||||
import com.fasterxml.jackson.core.JsonParser;
|
||||
import com.fasterxml.jackson.core.ObjectCodec;
|
||||
import com.fasterxml.jackson.core.TreeNode;
|
||||
import com.fasterxml.jackson.databind.JsonNode;
|
||||
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||
import org.apache.commons.lang3.NotImplementedException;
|
||||
import org.apache.commons.lang3.tuple.ImmutablePair;
|
||||
import org.hostsharing.hsadminng.service.dto.CustomerDTO;
|
||||
import org.hostsharing.hsadminng.web.rest.errors.BadRequestAlertException;
|
||||
import org.junit.Before;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
@@ -22,9 +20,8 @@ import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.catchThrowable;
|
||||
import static org.hostsharing.hsadminng.service.accessfilter.MockSecurityContext.givenLoginUserWithRole;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.never;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
@SuppressWarnings("ALL")
|
||||
public class JSonDeserializerWithAccessFilterUnitTest {
|
||||
|
||||
@Rule
|
||||
@@ -40,7 +37,7 @@ public class JSonDeserializerWithAccessFilterUnitTest {
|
||||
public TreeNode treeNode;
|
||||
|
||||
@Before
|
||||
public void init() throws IOException {
|
||||
public void init() {
|
||||
givenLoginUserWithRole(Role.ANY_CUSTOMER_USER);
|
||||
|
||||
given(jsonParser.getCodec()).willReturn(codec);
|
||||
@@ -82,21 +79,81 @@ public class JSonDeserializerWithAccessFilterUnitTest {
|
||||
assertThat(actualDto.openLongField).isEqualTo(1234L);
|
||||
}
|
||||
|
||||
// --- fixture code below ---
|
||||
@Test
|
||||
public void shouldDeserializeStringFieldIfRequiredRoleIsCoveredByUser() throws IOException {
|
||||
// given
|
||||
givenLoginUserWithRole(Role.FINANCIAL_CONTACT);
|
||||
givenJSonTree(asJSon(ImmutablePair.of("restrictedField", "Restricted String Value")));
|
||||
|
||||
private String asJSon(final ImmutablePair<String, ? extends Object>... properties) {
|
||||
// when
|
||||
GivenDto actualDto = new JSonDeserializerWithAccessFilter<>(jsonParser, null, GivenDto.class).deserialize();
|
||||
|
||||
// then
|
||||
assertThat(actualDto.restrictedField).isEqualTo("Restricted String Value");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldInitializeFieldIfRequiredRoleIsNotCoveredByUser() throws IOException {
|
||||
// given
|
||||
givenLoginUserWithRole(Role.ANY_CUSTOMER_USER);
|
||||
givenJSonTree(asJSon(ImmutablePair.of("restrictedField", "Restricted String Value")));
|
||||
|
||||
// when
|
||||
Throwable exception = catchThrowable(() -> new JSonDeserializerWithAccessFilter<>(jsonParser, null, GivenDto.class).deserialize());
|
||||
|
||||
// then
|
||||
assertThat(exception).isInstanceOfSatisfying(BadRequestAlertException.class, badRequestAlertException -> {
|
||||
assertThat(badRequestAlertException.getParam()).isEqualTo("GivenDto.restrictedField");
|
||||
assertThat(badRequestAlertException.getErrorKey()).isEqualTo("initializationProhibited");
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldUpdateFieldIfRequiredRoleIsNotCoveredByUser() throws IOException {
|
||||
// given
|
||||
givenLoginUserWithRole(Role.ANY_CUSTOMER_USER);
|
||||
givenJSonTree(asJSon(
|
||||
ImmutablePair.of("id", 1234L),
|
||||
ImmutablePair.of("restrictedField", "Restricted String Value")));
|
||||
|
||||
// when
|
||||
Throwable exception = catchThrowable(() -> new JSonDeserializerWithAccessFilter<>(jsonParser, null, GivenDto.class).deserialize());
|
||||
|
||||
// then
|
||||
assertThat(exception).isInstanceOfSatisfying(BadRequestAlertException.class, badRequestAlertException -> {
|
||||
assertThat(badRequestAlertException.getParam()).isEqualTo("GivenDto.restrictedField");
|
||||
assertThat(badRequestAlertException.getErrorKey()).isEqualTo("updateProhibited");
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
public void should() throws IOException {
|
||||
// given
|
||||
givenJSonTree(asJSon(ImmutablePair.of("restrictedField", "Restricted String Value")));
|
||||
|
||||
// when
|
||||
Throwable exception = catchThrowable(() -> new JSonDeserializerWithAccessFilter<>(jsonParser, null, GivenDtoWithMultipleSelfId.class).deserialize());
|
||||
|
||||
// then
|
||||
assertThat(exception).isInstanceOf(AssertionError.class).hasMessageContaining("xx");
|
||||
}
|
||||
|
||||
// --- only fixture code below ---
|
||||
|
||||
@SafeVarargs
|
||||
private final String asJSon(final ImmutablePair<String, Object>... properties) {
|
||||
final StringBuilder json = new StringBuilder();
|
||||
for ( ImmutablePair<String, ? extends Object> prop: properties ) {
|
||||
for (ImmutablePair<String, Object> prop : properties) {
|
||||
json.append(inQuotes(prop.left));
|
||||
json.append(": ");
|
||||
if ( prop.right instanceof Number ) {
|
||||
if (prop.right instanceof Number) {
|
||||
json.append(prop.right);
|
||||
} else {
|
||||
json.append(inQuotes(prop.right));
|
||||
}
|
||||
json.append(",\n");
|
||||
}
|
||||
return "{\n" + json.substring(0, json.length()-2) + "\n}";
|
||||
return "{\n" + json.substring(0, json.length() - 2) + "\n}";
|
||||
}
|
||||
|
||||
private void givenJSonTree(String givenJSon) throws IOException {
|
||||
@@ -108,16 +165,34 @@ public class JSonDeserializerWithAccessFilterUnitTest {
|
||||
}
|
||||
|
||||
public static class GivenDto {
|
||||
@AccessFor(update = {Role.TECHNICAL_CONTACT, Role.FINANCIAL_CONTACT})
|
||||
|
||||
@SelfId
|
||||
@AccessFor(read = Role.ANY_CUSTOMER_USER)
|
||||
Long id;
|
||||
|
||||
@AccessFor(init = {Role.TECHNICAL_CONTACT, Role.FINANCIAL_CONTACT}, update = {Role.TECHNICAL_CONTACT, Role.FINANCIAL_CONTACT})
|
||||
String restrictedField;
|
||||
|
||||
@AccessFor(update = Role.ANYBODY)
|
||||
@AccessFor(init = Role.ANYBODY, update = Role.ANYBODY)
|
||||
String openStringField;
|
||||
|
||||
@AccessFor(update = Role.ANYBODY)
|
||||
@AccessFor(init = Role.ANYBODY, update = Role.ANYBODY)
|
||||
Integer openIntegerField;
|
||||
|
||||
@AccessFor(update = Role.ANYBODY)
|
||||
@AccessFor(init = Role.ANYBODY, update = Role.ANYBODY)
|
||||
Long openLongField;
|
||||
}
|
||||
|
||||
|
||||
public static class GivenDtoWithMultipleSelfId {
|
||||
|
||||
@SelfId
|
||||
@AccessFor(read = Role.ANY_CUSTOMER_USER)
|
||||
Long id;
|
||||
|
||||
@SelfId
|
||||
@AccessFor(read = Role.ANY_CUSTOMER_USER)
|
||||
Long id2;
|
||||
|
||||
}
|
||||
}
|
||||
|
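Review bot: The new test `should()` near the end of the fourth hunk is a placeholder: its name says nothing about the case under test and it asserts `hasMessageContaining("xx")`, which cannot be the message the deserializer reports for a DTO carrying two @SelfId fields. Rename it, e.g. `public void shouldRejectDtoWithMultipleSelfIdFields() throws IOException {`, and assert on the real message fragment (`hasMessageContaining("<actual message fragment>")`), or mark it `@Ignore` until the check exists, so the suite does not encode a dummy expectation for a configuration error that the access filter must reject deterministically. The two negative tests `shouldInitializeFieldIfRequiredRoleIsNotCoveredByUser` and `shouldUpdateFieldIfRequiredRoleIsNotCoveredByUser` read as if they expected success while they assert a BadRequestAlertException; names such as `shouldRejectInitializationIfRequiredRoleIsNotCoveredByUser` and `shouldRejectUpdateIfRequiredRoleIsNotCoveredByUser` would match the behavior they pin. Whether an AssertionError is the intended outcome for the multiple-@SelfId case cannot be confirmed from this hunk, since the deserializer itself is not part of this diff.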