From e38c73c0f5ebf3f48b127bea2c15ae4a7019d0b6 Mon Sep 17 00:00:00 2001
From: Enrico Vianello
Date: Fri, 31 Jan 2025 23:09:27 +0100
Subject: [PATCH] Add SecurityExpressions tests
---
 .../util/IamSecurityExpressionsTests.java | 98 +++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 iam-login-service/src/test/java/it/infn/mw/iam/test/util/IamSecurityExpressionsTests.java
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/util/IamSecurityExpressionsTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/util/IamSecurityExpressionsTests.java
new file mode 100644
index 000000000..d53159c4e
--- /dev/null
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/util/IamSecurityExpressionsTests.java
@@ -0,0 +1,98 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.test.util;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import org.junit.After;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import it.infn.mw.iam.IamLoginService;
+import it.infn.mw.iam.api.account.AccountUtils;
+import it.infn.mw.iam.api.requests.GroupRequestUtils;
+import it.infn.mw.iam.api.requests.model.GroupRequestDto;
+import it.infn.mw.iam.core.expression.IamSecurityExpressionMethods;
+import it.infn.mw.iam.core.userinfo.OAuth2AuthenticationScopeResolver;
+import it.infn.mw.iam.persistence.repository.IamGroupRequestRepository;
+import it.infn.mw.iam.test.api.requests.GroupRequestsTestUtils;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(classes = {IamLoginService.class}, webEnvironment = WebEnvironment.MOCK)
+public class IamSecurityExpressionsTests extends GroupRequestsTestUtils {
+
+ @Autowired
+ private AccountUtils accountUtils;
+
+ @Autowired
+ private GroupRequestUtils groupRequestUtils;
+
+ @Autowired
+ private OAuth2AuthenticationScopeResolver scopeResolver;
+
+ @Autowired
+ private IamGroupRequestRepository repo;
+
+ @After
+ public void destroy() {
+ repo.deleteAll();
+ }
+
+ private IamSecurityExpressionMethods getMethods() {
+ Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+ return new IamSecurityExpressionMethods(authentication, accountUtils, groupRequestUtils, scopeResolver);
+ }
+
+ @Test
+ @WithMockUser(roles = { "ADMIN", "USER" }, username = TEST_ADMIN)
+ public void testIsAdmin() {
+ assertTrue(getMethods().isAdmin());
+ assertTrue(getMethods().isUser(TEST_ADMIN_UUID));
+ assertFalse(getMethods().isUser(TEST_USERUUID));
+ GroupRequestDto request = savePendingGroupRequest(TEST_USERNAME, TEST_001_GROUPNAME);
+ assertTrue(getMethods().canAccessGroupRequest(request.getUuid()));
+ assertTrue(getMethods().canManageGroupRequest(request.getUuid()));
+ assertTrue(getMethods().userCanDeleteGroupRequest(request.getUuid()));
+ }
+
+ @Test
+ @WithMockUser(roles = { "USER" }, username = TEST_USERNAME)
+ public void testIsNotAdmin() {
+ assertFalse(getMethods().isAdmin());
+ assertTrue(getMethods().isUser(TEST_USERUUID));
+ assertFalse(getMethods().isUser(TEST_ADMIN_UUID));
+ GroupRequestDto request = savePendingGroupRequest(TEST_USERNAME, TEST_001_GROUPNAME);
+ assertTrue(getMethods().canAccessGroupRequest(request.getUuid()));
+ assertFalse(getMethods().canManageGroupRequest(request.getUuid()));
+ assertTrue(getMethods().userCanDeleteGroupRequest(request.getUuid()));
+ GroupRequestDto approved = saveApprovedGroupRequest(TEST_USERNAME, TEST_001_GROUPNAME);
+ assertTrue(getMethods().canAccessGroupRequest(approved.getUuid()));
+ assertFalse(getMethods().canManageGroupRequest(approved.getUuid()));
+ assertFalse(getMethods().userCanDeleteGroupRequest(approved.getUuid()));
+ GroupRequestDto notMine = savePendingGroupRequest(TEST_100_USERNAME, TEST_001_GROUPNAME);
+ assertFalse(getMethods().canAccessGroupRequest(notMine.getUuid()));
+ assertFalse(getMethods().canManageGroupRequest(notMine.getUuid()));
+ assertFalse(getMethods().userCanDeleteGroupRequest(notMine.getUuid()));
+ }
+}
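Review bot: Both tests run under `@WithMockUser`, so nothing in this file pins how `IamSecurityExpressionMethods` behaves when the security context holds no authentication or when a request UUID matches no stored request, and for authorization helpers those deny-by-default paths are the ones most worth locking down. `getMethods()` hands whatever `SecurityContextHolder` returns straight to the constructor, so a test without the annotation would exercise the null-authentication case, and a line such as `assertFalse(getMethods().canManageGroupRequest("unknown-uuid-placeholder"));` in `testIsNotAdmin` would cover the unknown-id case (whether the implementation returns false or throws is not visible in this patch, so assert whichever is intended). `scopeResolver` is injected but no test authenticates with an OAuth token, so any scope-dependent branch, if one exists, is presumably left untested. `testIsAdmin` also checks only a pending request, which leaves the approved-request delete rule asserted for the plain user alone.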