34 package fr.paris.lutece.portal.web.features;
35
36 import java.math.BigInteger;
37 import java.security.SecureRandom;
38 import java.util.Random;
39
40 import org.springframework.mock.web.MockHttpServletRequest;
41
42 import fr.paris.lutece.portal.business.right.Right;
43 import fr.paris.lutece.portal.business.right.RightHome;
44 import fr.paris.lutece.portal.business.user.AdminUser;
45 import fr.paris.lutece.portal.business.user.AdminUserHome;
46 import fr.paris.lutece.portal.service.admin.AccessDeniedException;
47 import fr.paris.lutece.portal.service.security.SecurityTokenService;
48 import fr.paris.lutece.test.LuteceTestCase;
49
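/**
 * Tests for the user assignment and un-assignment actions of {@link RightJspBean}.
 *
 * <p>
 * Both actions change which rights an admin user holds, so they are expected to accept a request only
 * when it carries the security token issued by {@link SecurityTokenService} for the
 * {@code admin/features/assign_users_right.html} action. Each action is exercised three ways: with a
 * valid token (the change is applied), with a tampered token and with no token at all (an
 * {@link AccessDeniedException} is expected and the user's rights must be unchanged).
 * </p>
 *
 * <p>
 * NOTE(review): only a token altered by one appended character and a missing token are covered. A token
 * issued for a different action, or a token submitted a second time, is not exercised by this class.
 * </p>
 */
public class RightJspBeanTest extends LuteceTestCase
{
    private static final String ADMIN_LOGIN = "admin";
    private static final String PARAMETER_ID_RIGHT = "id_right";
    private static final String PARAMETER_ID_USER = "id_user";
    private static final String PARAMETER_AVAILABLE_USERS = "available_users_list";
    private static final String PARAMETER_ANCHOR = "anchor";
    // Action name the token is issued for; used by both the assign and the un-assign tests.
    private static final String TEMPLATE_ASSIGN_USERS = "admin/features/assign_users_right.html";

    // Throw-away right created for each test and deleted again in tearDown.
    private Right right;
    private RightJspBean bean;

    /**
     * Creates a level 0 right with a random id and a fresh bean.
     *
     * @throws Exception
     *             if the parent set-up fails
     */
    @Override
    protected void setUp( ) throws Exception
    {
        super.setUp( );
        right = new Right( );
        right.setId( getRandomName( ) );
        right.setLevel( 0 );
        RightHome.create( right );
        bean = new RightJspBean( );
    }

    /**
     * Deletes the right created by {@link #setUp()}.
     *
     * @throws Exception
     *             if the parent tear-down fails
     */
    @Override
    protected void tearDown( ) throws Exception
    {
        try
        {
            RightHome.remove( right.getId( ) );
        }
        finally
        {
            // The parent tear-down must run even when removing the right fails.
            super.tearDown( );
        }
    }

    /**
     * A request with a valid token assigns the right to the selected user.
     *
     * @throws AccessDeniedException
     *             if the bean rejects the request, which fails the test
     */
    public void testDoAssignUsers( ) throws AccessDeniedException
    {
        AdminUser user = findAdmin( );
        MockHttpServletRequest request = newAssignRequest( user );
        request.setParameter( SecurityTokenService.PARAMETER_TOKEN, issueToken( request ) );

        assertFalse( hasRight( user ) );
        try
        {
            bean.doAssignUsers( request );
            assertTrue( hasRight( user ) );
        }
        finally
        {
            // Do not leave the test right attached to the shared admin account.
            AdminUserHome.removeRightForUser( user.getUserId( ), right.getId( ) );
        }
    }

    /**
     * A request whose token was altered is rejected and assigns nothing.
     *
     * @throws AccessDeniedException
     *             never expected to propagate; the rejection is caught and checked
     */
    public void testDoAssignUsersInvalidToken( ) throws AccessDeniedException
    {
        AdminUser user = findAdmin( );
        MockHttpServletRequest request = newAssignRequest( user );
        request.setParameter( SecurityTokenService.PARAMETER_TOKEN, issueToken( request ) + "b" );

        assertFalse( hasRight( user ) );
        try
        {
            bean.doAssignUsers( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException e )
        {
            // Rejection alone is not enough: the right must not have been granted before the check.
            assertFalse( hasRight( user ) );
        }
        finally
        {
            // If the token check regresses, the right was granted; remove it so other tests stay clean.
            AdminUserHome.removeRightForUser( user.getUserId( ), right.getId( ) );
        }
    }

    /**
     * A request without any token is rejected and assigns nothing.
     *
     * @throws AccessDeniedException
     *             never expected to propagate; the rejection is caught and checked
     */
    public void testDoAssignUsersNoToken( ) throws AccessDeniedException
    {
        AdminUser user = findAdmin( );
        MockHttpServletRequest request = newAssignRequest( user );

        assertFalse( hasRight( user ) );
        try
        {
            bean.doAssignUsers( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException e )
        {
            assertFalse( hasRight( user ) );
        }
        finally
        {
            AdminUserHome.removeRightForUser( user.getUserId( ), right.getId( ) );
        }
    }

    /**
     * A request with a valid token removes the right from the user.
     *
     * @throws AccessDeniedException
     *             if the bean rejects the request, which fails the test
     */
    public void testDoUnAssignUser( ) throws AccessDeniedException
    {
        AdminUser user = findAdmin( );
        AdminUserHome.createRightForUser( user.getUserId( ), right.getId( ) );
        try
        {
            MockHttpServletRequest request = newUnAssignRequest( user );
            request.setParameter( SecurityTokenService.PARAMETER_TOKEN, issueToken( request ) );

            assertTrue( hasRight( user ) );
            bean.doUnAssignUser( request );
            assertFalse( hasRight( user ) );
        }
        finally
        {
            AdminUserHome.removeRightForUser( user.getUserId( ), right.getId( ) );
        }
    }

    /**
     * A request whose token was altered is rejected and the user keeps the right.
     *
     * @throws AccessDeniedException
     *             never expected to propagate; the rejection is caught and checked
     */
    public void testDoUnAssignUserInvalidToken( ) throws AccessDeniedException
    {
        AdminUser user = findAdmin( );
        AdminUserHome.createRightForUser( user.getUserId( ), right.getId( ) );
        try
        {
            MockHttpServletRequest request = newUnAssignRequest( user );
            request.setParameter( SecurityTokenService.PARAMETER_TOKEN, issueToken( request ) + "b" );

            assertTrue( hasRight( user ) );
            bean.doUnAssignUser( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException e )
        {
            // The rejected request must not have revoked the right.
            assertTrue( hasRight( user ) );
        }
        finally
        {
            AdminUserHome.removeRightForUser( user.getUserId( ), right.getId( ) );
        }
    }

    /**
     * A request without any token is rejected and the user keeps the right.
     *
     * @throws AccessDeniedException
     *             never expected to propagate; the rejection is caught and checked
     */
    public void testDoUnAssignUserNoToken( ) throws AccessDeniedException
    {
        AdminUser user = findAdmin( );
        AdminUserHome.createRightForUser( user.getUserId( ), right.getId( ) );
        try
        {
            MockHttpServletRequest request = newUnAssignRequest( user );

            assertTrue( hasRight( user ) );
            bean.doUnAssignUser( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException e )
        {
            assertTrue( hasRight( user ) );
        }
        finally
        {
            AdminUserHome.removeRightForUser( user.getUserId( ), right.getId( ) );
        }
    }

    /**
     * Looks up the account the tests act on and fails with a clear message when it is missing.
     *
     * @return the admin user with login {@code admin}
     */
    private AdminUser findAdmin( )
    {
        AdminUser user = AdminUserHome.findUserByLogin( ADMIN_LOGIN );
        assertNotNull( "No admin user with login '" + ADMIN_LOGIN + "' was found", user );
        return user;
    }

    /**
     * Tells whether the user currently holds the test right.
     *
     * @param user
     *            the user to check
     * @return {@code true} if the test right is among the user's rights
     */
    private boolean hasRight( AdminUser user )
    {
        return AdminUserHome.getRightsListForUser( user.getUserId( ) ).keySet( ).contains( right.getId( ) );
    }

    /**
     * Builds the assignment request for the test right and the given user, without a token.
     *
     * @param user
     *            the user to assign
     * @return the request
     */
    private MockHttpServletRequest newAssignRequest( AdminUser user )
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_ID_RIGHT, right.getId( ) );
        request.setParameter( PARAMETER_AVAILABLE_USERS, Integer.toString( user.getUserId( ) ) );
        return request;
    }

    /**
     * Builds the un-assignment request for the test right and the given user, without a token.
     *
     * @param user
     *            the user to un-assign
     * @return the request
     */
    private MockHttpServletRequest newUnAssignRequest( AdminUser user )
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_ID_RIGHT, right.getId( ) );
        request.setParameter( PARAMETER_ID_USER, Integer.toString( user.getUserId( ) ) );
        request.setParameter( PARAMETER_ANCHOR, "anchor" );
        return request;
    }

    /**
     * Asks the token service for a token bound to the given request and the assign-users action.
     *
     * @param request
     *            the request the token is issued for
     * @return the token value
     */
    private String issueToken( MockHttpServletRequest request )
    {
        return SecurityTokenService.getInstance( ).getToken( request, TEMPLATE_ASSIGN_USERS );
    }

    /**
     * Generates an id for the test right from 128 random bits, so it cannot clash with an existing right.
     *
     * @return {@code "junit"} followed by the random value in base 36
     */
    private String getRandomName( )
    {
        Random rand = new SecureRandom( );
        BigInteger bigInt = new BigInteger( 128, rand );
        return "junit" + bigInt.toString( 36 );
    }
}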