34 package fr.paris.lutece.portal.web.rbac;
36 import java.math.BigInteger;
37 import java.security.SecureRandom;
38 import java.util.Collection;
39 import java.util.Random;
41 import org.apache.commons.lang3.StringUtils;
42 import org.springframework.mock.web.MockHttpServletRequest;
44 import fr.paris.lutece.portal.business.page.Page;
45 import fr.paris.lutece.portal.business.rbac.RBACRole;
46 import fr.paris.lutece.portal.business.rbac.RBACRoleHome;
47 import fr.paris.lutece.portal.business.rbac.RBAC;
48 import fr.paris.lutece.portal.business.rbac.RBACHome;
49 import fr.paris.lutece.portal.business.user.AdminUser;
50 import fr.paris.lutece.portal.business.user.AdminUserHome;
51 import fr.paris.lutece.portal.service.admin.AccessDeniedException;
52 import fr.paris.lutece.portal.service.message.AdminMessage;
53 import fr.paris.lutece.portal.service.message.AdminMessageService;
54 import fr.paris.lutece.portal.service.security.SecurityTokenService;
55 import fr.paris.lutece.test.LuteceTestCase;
56 import fr.paris.lutece.test.Utils;
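/**
 * Tests of {@link RoleManagementJspBean}.
 * <p>
 * Every state-changing action of the bean is exercised three times: with the
 * CSRF token that {@link SecurityTokenService} issues for that action, with a
 * tampered token (the valid token plus one trailing character), and with no
 * token at all. The last two must be refused with {@link AccessDeniedException}
 * before anything is written; each test asserts that by re-reading the
 * persisted state inside the {@code catch} block. The confirmation pages are
 * checked to carry the token in the confirmation message, so that the
 * follow-up action link is guarded as well.
 * <p>
 * Roles and controls created by a test get a random, unique key and are
 * removed again in a {@code finally} block, so a failing test does not leak
 * state into the next one.
 */
public class RoleManagementJspBeanTest extends LuteceTestCase
{
    // Request parameter names read by the bean under test.
    private static final String PARAMETER_ROLE_KEY = "role_key";
    private static final String PARAMETER_RBAC_ID = "rbac_id";
    private static final String PARAMETER_ROLE_DESCRIPTION = "role_description";
    private static final String PARAMETER_ROLE_KEY_PREVIOUS = "role_key_previous";
    private static final String PARAMETER_AVAILABLE_USERS_LIST = "available_users_list";
    private static final String PARAMETER_ID_USER = "id_user";
    private static final String PARAMETER_ANCHOR = "anchor";
    private static final String PARAMETER_SELECT_RESOURCES = "select_resources";
    private static final String PARAMETER_SELECT_PERMISSIONS = "select_permissions";
    private static final String PARAMETER_RESOURCE_TYPE = "resource_type";

    // Action identifiers the CSRF token is bound to; they must match what the bean verifies against.
    private static final String TEMPLATE_CREATE_ROLE = "admin/rbac/create_role.html";
    private static final String TEMPLATE_VIEW_ROLE_DESCRIPTION = "admin/rbac/view_role_description.html";
    private static final String TEMPLATE_SELECT_PERMISSIONS = "admin/rbac/select_permissions.html";
    private static final String JSP_DO_REMOVE_ROLE = "jsp/admin/rbac/DoRemoveRole.jsp";
    private static final String JSP_DO_REMOVE_CONTROL_FROM_ROLE = "jsp/admin/rbac/DoRemoveControlFromRole.jsp";
    private static final String JSP_ASSIGN_USERS_ROLE = "AssignUsersRole.jsp";

    // Appended to a valid token to obtain one that must be rejected.
    private static final String TOKEN_TAMPER_SUFFIX = "b";
    // Appended to a role description by the modify tests.
    private static final String DESCRIPTION_SUFFIX = "_mod";
    private static final String VALUE_ALL = "all";
    private static final String WILDCARD = "*";
    private static final String ADMIN_LOGIN = "admin";
    private static final String RANDOM_NAME_PREFIX = "junit";

    // One generator for the whole class; SecureRandom so keys cannot collide across parallel runs.
    private static final Random RANDOM = new SecureRandom( );

    /**
     * The role list page renders for a user that holds the manage-roles right.
     *
     * @throws AccessDeniedException
     *             not expected
     */
    public void testGetManageRoles( ) throws AccessDeniedException
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        Utils.registerAdminUserWithRigth( request, new AdminUser( ), RoleManagementJspBean.RIGHT_MANAGE_ROLES );

        RoleManagementJspBean instance = new RoleManagementJspBean( );
        instance.init( request, RoleManagementJspBean.RIGHT_MANAGE_ROLES );
        assertTrue( StringUtils.isNotEmpty( instance.getManageRoles( request ) ) );
    }

    /**
     * The role creation form renders for a user that holds the manage-roles right.
     *
     * @throws AccessDeniedException
     *             not expected
     */
    public void testGetCreateRole( ) throws AccessDeniedException
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        Utils.registerAdminUserWithRigth( request, new AdminUser( ), RoleManagementJspBean.RIGHT_MANAGE_ROLES );

        RoleManagementJspBean instance = new RoleManagementJspBean( );
        instance.init( request, RoleManagementJspBean.RIGHT_MANAGE_ROLES );
        assertTrue( StringUtils.isNotEmpty( instance.getCreateRole( request ) ) );
    }

    /**
     * A creation request carrying the token for the create-role action persists the role.
     *
     * @throws AccessDeniedException
     *             not expected
     */
    public void testDoCreateRole( ) throws AccessDeniedException
    {
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        final String strRoleKey = getRandomName( );
        MockHttpServletRequest request = newCreateRoleRequest( strRoleKey );
        setValidToken( request, TEMPLATE_CREATE_ROLE );
        try
        {
            assertFalse( RBACRoleHome.checkExistRole( strRoleKey ) );
            bean.doCreateRole( request );
            assertTrue( RBACRoleHome.checkExistRole( strRoleKey ) );
        }
        finally
        {
            RBACRoleHome.remove( strRoleKey );
        }
    }

    /**
     * A creation request with a tampered token is refused and no role is written.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoCreateRoleInvalidToken( ) throws AccessDeniedException
    {
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        final String strRoleKey = getRandomName( );
        MockHttpServletRequest request = newCreateRoleRequest( strRoleKey );
        setTamperedToken( request, TEMPLATE_CREATE_ROLE );
        try
        {
            assertFalse( RBACRoleHome.checkExistRole( strRoleKey ) );
            bean.doCreateRole( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertFalse( RBACRoleHome.checkExistRole( strRoleKey ) );
        }
        finally
        {
            RBACRoleHome.remove( strRoleKey );
        }
    }

    /**
     * A creation request without any token is refused and no role is written.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoCreateRoleNoToken( ) throws AccessDeniedException
    {
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        final String strRoleKey = getRandomName( );
        MockHttpServletRequest request = newCreateRoleRequest( strRoleKey );
        try
        {
            assertFalse( RBACRoleHome.checkExistRole( strRoleKey ) );
            bean.doCreateRole( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertFalse( RBACRoleHome.checkExistRole( strRoleKey ) );
        }
        finally
        {
            RBACRoleHome.remove( strRoleKey );
        }
    }

    /**
     * Placeholder: the modify-role form is not covered yet.
     *
     * @throws AccessDeniedException
     *             not expected
     */
    public void testGetModifyRole( ) throws AccessDeniedException
    {
        // TODO: render the modify form with a registered admin user and assert on the output.
    }

    /**
     * A modification request carrying the token for the role description view updates the description.
     *
     * @throws AccessDeniedException
     *             not expected
     */
    public void testDoModifyRole( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = newModifyRoleRequest( role );
        setValidToken( request, TEMPLATE_VIEW_ROLE_DESCRIPTION );
        try
        {
            assertStoredDescription( role, role.getDescription( ) );
            bean.doModifyRole( request );
            assertStoredDescription( role, role.getDescription( ) + DESCRIPTION_SUFFIX );
        }
        finally
        {
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * A modification request with a tampered token is refused and the description is untouched.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoModifyRoleInvalidToken( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = newModifyRoleRequest( role );
        setTamperedToken( request, TEMPLATE_VIEW_ROLE_DESCRIPTION );
        try
        {
            assertStoredDescription( role, role.getDescription( ) );
            bean.doModifyRole( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertStoredDescription( role, role.getDescription( ) );
        }
        finally
        {
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * A modification request without any token is refused and the description is untouched.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoModifyRoleNoToken( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = newModifyRoleRequest( role );
        try
        {
            assertStoredDescription( role, role.getDescription( ) );
            bean.doModifyRole( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertStoredDescription( role, role.getDescription( ) );
        }
        finally
        {
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * The remove-role confirmation message carries a token, so the confirmed action is itself guarded.
     *
     * @throws AccessDeniedException
     *             not expected
     */
    public void testDoConfirmRemoveRole( ) throws AccessDeniedException
    {
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_ROLE_KEY, "role" );
        bean.doConfirmRemoveRole( request );
        AdminMessage message = AdminMessageService.getMessage( request );
        assertNotNull( message );
        assertTrue( message.getRequestParameters( ).containsKey( SecurityTokenService.PARAMETER_TOKEN ) );
    }

    /**
     * A removal request carrying the token for the remove-role JSP deletes the role.
     *
     * @throws AccessDeniedException
     *             not expected
     */
    public void testDoRemoveRole( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_ROLE_KEY, role.getKey( ) );
        setValidToken( request, JSP_DO_REMOVE_ROLE );
        try
        {
            assertTrue( RBACRoleHome.checkExistRole( role.getKey( ) ) );
            bean.doRemoveRole( request );
            assertFalse( RBACRoleHome.checkExistRole( role.getKey( ) ) );
        }
        finally
        {
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * A removal request with a tampered token is refused and the role survives.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoRemoveRoleInvalidToken( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_ROLE_KEY, role.getKey( ) );
        setTamperedToken( request, JSP_DO_REMOVE_ROLE );
        try
        {
            assertTrue( RBACRoleHome.checkExistRole( role.getKey( ) ) );
            bean.doRemoveRole( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertTrue( RBACRoleHome.checkExistRole( role.getKey( ) ) );
        }
        finally
        {
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * A removal request without any token is refused and the role survives.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoRemoveRoleNoToken( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_ROLE_KEY, role.getKey( ) );
        try
        {
            assertTrue( RBACRoleHome.checkExistRole( role.getKey( ) ) );
            bean.doRemoveRole( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertTrue( RBACRoleHome.checkExistRole( role.getKey( ) ) );
        }
        finally
        {
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * Placeholder: the role description view is not covered yet.
     *
     * @throws AccessDeniedException
     *             not expected
     */
    public void testgetViewRoleDescription( ) throws AccessDeniedException
    {
        // TODO: render the description view with a registered admin user and assert on the output.
    }

    /**
     * The remove-control confirmation message carries a token, so the confirmed action is itself guarded.
     */
    public void testDoConfirmRemoveControlFromRole( )
    {
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_RBAC_ID, "1" );
        bean.doConfirmRemoveControlFromRole( request );
        AdminMessage message = AdminMessageService.getMessage( request );
        assertNotNull( message );
        assertTrue( message.getRequestParameters( ).containsKey( SecurityTokenService.PARAMETER_TOKEN ) );
    }

    /**
     * A request carrying the token for the remove-control JSP detaches the control from the role.
     *
     * @throws AccessDeniedException
     *             not expected
     */
    public void testDoRemoveControlFromRole( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        RBAC control = createWildcardControl( role.getKey( ) );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_RBAC_ID, Integer.toString( control.getRBACId( ) ) );
        setValidToken( request, JSP_DO_REMOVE_CONTROL_FROM_ROLE );
        try
        {
            assertTrue( roleHasControl( role.getKey( ), control.getRBACId( ) ) );
            bean.doRemoveControlFromRole( request );
            assertFalse( roleHasControl( role.getKey( ), control.getRBACId( ) ) );
        }
        finally
        {
            RBACHome.remove( control.getRBACId( ) );
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * A remove-control request with a tampered token is refused and the control stays attached.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoRemoveControlFromRoleInvalidToken( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        RBAC control = createWildcardControl( role.getKey( ) );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_RBAC_ID, Integer.toString( control.getRBACId( ) ) );
        setTamperedToken( request, JSP_DO_REMOVE_CONTROL_FROM_ROLE );
        try
        {
            assertTrue( roleHasControl( role.getKey( ), control.getRBACId( ) ) );
            bean.doRemoveControlFromRole( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertTrue( roleHasControl( role.getKey( ), control.getRBACId( ) ) );
        }
        finally
        {
            RBACHome.remove( control.getRBACId( ) );
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * A remove-control request without any token is refused and the control stays attached.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoRemoveControlFromRoleNoToken( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        RBAC control = createWildcardControl( role.getKey( ) );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_RBAC_ID, Integer.toString( control.getRBACId( ) ) );
        try
        {
            assertTrue( roleHasControl( role.getKey( ), control.getRBACId( ) ) );
            bean.doRemoveControlFromRole( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertTrue( roleHasControl( role.getKey( ), control.getRBACId( ) ) );
        }
        finally
        {
            RBACHome.remove( control.getRBACId( ) );
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * An assignment request carrying the token for the assign-users JSP grants the role to every listed user.
     *
     * @throws AccessDeniedException
     *             not expected
     */
    public void testDoAssignUsers( ) throws AccessDeniedException
    {
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        setValidToken( request, JSP_ASSIGN_USERS_ROLE );
        addAllUsersToRequest( request );
        RBACRole role = createRandomRole( );
        request.setParameter( PARAMETER_ROLE_KEY, role.getKey( ) );
        try
        {
            bean.doAssignUsers( request );
            for ( AdminUser user : AdminUserHome.findUserList( ) )
            {
                assertTrue( AdminUserHome.hasRole( user, role.getKey( ) ) );
            }
        }
        finally
        {
            removeRoleFromAllUsers( role.getKey( ) );
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * An assignment request with a tampered token is refused and no user gains the role.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoAssignUsersInvalidToken( ) throws AccessDeniedException
    {
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        setTamperedToken( request, JSP_ASSIGN_USERS_ROLE );
        addAllUsersToRequest( request );
        RBACRole role = createRandomRole( );
        request.setParameter( PARAMETER_ROLE_KEY, role.getKey( ) );
        try
        {
            bean.doAssignUsers( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertNoUserHasRole( role.getKey( ) );
        }
        finally
        {
            removeRoleFromAllUsers( role.getKey( ) );
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * An assignment request without any token is refused and no user gains the role.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoAssignUsersNoToken( ) throws AccessDeniedException
    {
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        addAllUsersToRequest( request );
        RBACRole role = createRandomRole( );
        request.setParameter( PARAMETER_ROLE_KEY, role.getKey( ) );
        try
        {
            bean.doAssignUsers( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertNoUserHasRole( role.getKey( ) );
        }
        finally
        {
            removeRoleFromAllUsers( role.getKey( ) );
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * A permission selection carrying the token for the select-permissions template creates one
     * wildcard control on the page resource type.
     *
     * @throws AccessDeniedException
     *             not expected
     */
    public void testDoSelectPermissions( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = newSelectPermissionsRequest( role );
        setValidToken( request, TEMPLATE_SELECT_PERMISSIONS );
        try
        {
            assertTrue( RBACHome.findResourcesByCode( role.getKey( ) ).isEmpty( ) );
            bean.doSelectPermissions( request );
            Collection<RBAC> controls = RBACHome.findResourcesByCode( role.getKey( ) );
            assertEquals( 1, controls.size( ) );
            RBAC control = controls.iterator( ).next( );
            assertEquals( Page.RESOURCE_TYPE, control.getResourceTypeKey( ) );
            assertEquals( RBAC.WILDCARD_RESOURCES_ID, control.getResourceId( ) );
            assertEquals( RBAC.WILDCARD_PERMISSIONS_KEY, control.getPermissionKey( ) );
        }
        finally
        {
            RBACHome.removeForRoleKey( role.getKey( ) );
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * A permission selection with a tampered token is refused and no control is created.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoSelectPermissionsInvalidToken( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = newSelectPermissionsRequest( role );
        setTamperedToken( request, TEMPLATE_SELECT_PERMISSIONS );
        try
        {
            assertTrue( RBACHome.findResourcesByCode( role.getKey( ) ).isEmpty( ) );
            bean.doSelectPermissions( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertTrue( RBACHome.findResourcesByCode( role.getKey( ) ).isEmpty( ) );
        }
        finally
        {
            RBACHome.removeForRoleKey( role.getKey( ) );
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * A permission selection without any token is refused and no control is created.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoSelectPermissionsNoToken( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = newSelectPermissionsRequest( role );
        try
        {
            assertTrue( RBACHome.findResourcesByCode( role.getKey( ) ).isEmpty( ) );
            bean.doSelectPermissions( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertTrue( RBACHome.findResourcesByCode( role.getKey( ) ).isEmpty( ) );
        }
        finally
        {
            RBACHome.removeForRoleKey( role.getKey( ) );
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * An un-assignment request carrying the token for the assign-users JSP revokes the role from the user.
     *
     * @throws AccessDeniedException
     *             not expected
     */
    public void testDoUnAssignUser( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        AdminUser user = AdminUserHome.findUserByLogin( ADMIN_LOGIN );
        int nUserId = user.getUserId( );
        AdminUserHome.createRoleForUser( nUserId, role.getKey( ) );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = newUnAssignUserRequest( role, nUserId );
        setValidToken( request, JSP_ASSIGN_USERS_ROLE );
        try
        {
            assertTrue( AdminUserHome.hasRole( user, role.getKey( ) ) );
            bean.doUnAssignUser( request );
            assertFalse( AdminUserHome.hasRole( user, role.getKey( ) ) );
        }
        finally
        {
            AdminUserHome.removeRoleForUser( nUserId, role.getKey( ) );
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * An un-assignment request with a tampered token is refused and the user keeps the role.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoUnAssignUserInvalidToken( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        AdminUser user = AdminUserHome.findUserByLogin( ADMIN_LOGIN );
        int nUserId = user.getUserId( );
        AdminUserHome.createRoleForUser( nUserId, role.getKey( ) );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = newUnAssignUserRequest( role, nUserId );
        setTamperedToken( request, JSP_ASSIGN_USERS_ROLE );
        try
        {
            assertTrue( AdminUserHome.hasRole( user, role.getKey( ) ) );
            bean.doUnAssignUser( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertTrue( AdminUserHome.hasRole( user, role.getKey( ) ) );
        }
        finally
        {
            AdminUserHome.removeRoleForUser( nUserId, role.getKey( ) );
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    /**
     * An un-assignment request without any token is refused and the user keeps the role.
     *
     * @throws AccessDeniedException
     *             not expected outside the guarded call
     */
    public void testDoUnAssignUserNoToken( ) throws AccessDeniedException
    {
        RBACRole role = createRandomRole( );
        AdminUser user = AdminUserHome.findUserByLogin( ADMIN_LOGIN );
        int nUserId = user.getUserId( );
        AdminUserHome.createRoleForUser( nUserId, role.getKey( ) );
        RoleManagementJspBean bean = new RoleManagementJspBean( );
        MockHttpServletRequest request = newUnAssignUserRequest( role, nUserId );
        try
        {
            assertTrue( AdminUserHome.hasRole( user, role.getKey( ) ) );
            bean.doUnAssignUser( request );
            fail( "Should have thrown" );
        }
        catch( AccessDeniedException expected )
        {
            assertTrue( AdminUserHome.hasRole( user, role.getKey( ) ) );
        }
        finally
        {
            AdminUserHome.removeRoleForUser( nUserId, role.getKey( ) );
            RBACRoleHome.remove( role.getKey( ) );
        }
    }

    // ---- fixtures -----------------------------------------------------------------------------

    /**
     * Sets the token {@link SecurityTokenService} issues for {@code strAction} on the request.
     *
     * @param request
     *            the request under construction
     * @param strAction
     *            the action the token is bound to
     */
    private static void setValidToken( MockHttpServletRequest request, String strAction )
    {
        request.setParameter( SecurityTokenService.PARAMETER_TOKEN, SecurityTokenService.getInstance( ).getToken( request, strAction ) );
    }

    /**
     * Sets a token that is one character longer than the valid one, which the bean must reject.
     *
     * @param request
     *            the request under construction
     * @param strAction
     *            the action the genuine token is bound to
     */
    private static void setTamperedToken( MockHttpServletRequest request, String strAction )
    {
        request.setParameter( SecurityTokenService.PARAMETER_TOKEN,
                SecurityTokenService.getInstance( ).getToken( request, strAction ) + TOKEN_TAMPER_SUFFIX );
    }

    /**
     * Creates and persists a role whose key and description are the same random name.
     *
     * @return the persisted role
     */
    private RBACRole createRandomRole( )
    {
        RBACRole role = new RBACRole( );
        role.setKey( getRandomName( ) );
        role.setDescription( role.getKey( ) );
        RBACRoleHome.create( role );
        return role;
    }

    /**
     * Creates and persists a control granting every permission on every resource of every type to a role.
     *
     * @param strRoleKey
     *            the role the control belongs to
     * @return the persisted control, with its generated id
     */
    private static RBAC createWildcardControl( String strRoleKey )
    {
        RBAC control = new RBAC( );
        control.setRoleKey( strRoleKey );
        control.setResourceId( WILDCARD );
        control.setPermissionKey( WILDCARD );
        control.setResourceTypeKey( WILDCARD );
        RBACHome.create( control );
        return control;
    }

    /**
     * Tells whether the role currently holds the control with the given id.
     *
     * @param strRoleKey
     *            the role to inspect
     * @param nRbacId
     *            the control id to look for
     * @return {@code true} if one of the role's controls has that id
     */
    private static boolean roleHasControl( String strRoleKey, int nRbacId )
    {
        for ( RBAC control : RBACHome.findResourcesByCode( strRoleKey ) )
        {
            if ( control.getRBACId( ) == nRbacId )
            {
                return true;
            }
        }
        return false;
    }

    /**
     * Asserts the description stored for the role equals the expected one.
     *
     * @param role
     *            the role whose persisted copy is re-read
     * @param strExpected
     *            the expected description
     */
    private static void assertStoredDescription( RBACRole role, String strExpected )
    {
        RBACRole stored = RBACRoleHome.findByPrimaryKey( role.getKey( ) );
        assertEquals( strExpected, stored.getDescription( ) );
    }

    /**
     * Asserts that no admin user holds the role.
     *
     * @param strRoleKey
     *            the role key
     */
    private static void assertNoUserHasRole( String strRoleKey )
    {
        for ( AdminUser user : AdminUserHome.findUserList( ) )
        {
            assertFalse( AdminUserHome.hasRole( user, strRoleKey ) );
        }
    }

    /**
     * Adds every admin user id to the assignment list parameter of the request.
     *
     * @param request
     *            the request under construction
     */
    private static void addAllUsersToRequest( MockHttpServletRequest request )
    {
        for ( AdminUser user : AdminUserHome.findUserList( ) )
        {
            request.addParameter( PARAMETER_AVAILABLE_USERS_LIST, Integer.toString( user.getUserId( ) ) );
        }
    }

    /**
     * Revokes the role from every admin user; used for cleanup so the role can be removed.
     *
     * @param strRoleKey
     *            the role key
     */
    private static void removeRoleFromAllUsers( String strRoleKey )
    {
        for ( AdminUser user : AdminUserHome.findUserList( ) )
        {
            AdminUserHome.removeRoleForUser( user.getUserId( ), strRoleKey );
        }
    }

    /**
     * Builds a create-role request (token not set).
     *
     * @param strRoleKey
     *            key and description of the role to create
     * @return the request
     */
    private static MockHttpServletRequest newCreateRoleRequest( String strRoleKey )
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_ROLE_KEY, strRoleKey );
        request.setParameter( PARAMETER_ROLE_DESCRIPTION, strRoleKey );
        return request;
    }

    /**
     * Builds a modify-role request that keeps the key and appends a suffix to the description (token not set).
     *
     * @param role
     *            the role to modify
     * @return the request
     */
    private static MockHttpServletRequest newModifyRoleRequest( RBACRole role )
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_ROLE_KEY, role.getKey( ) );
        request.setParameter( PARAMETER_ROLE_KEY_PREVIOUS, role.getKey( ) );
        request.setParameter( PARAMETER_ROLE_DESCRIPTION, role.getKey( ) + DESCRIPTION_SUFFIX );
        return request;
    }

    /**
     * Builds a select-permissions request granting all permissions on all page resources (token not set).
     *
     * @param role
     *            the role receiving the permissions
     * @return the request
     */
    private static MockHttpServletRequest newSelectPermissionsRequest( RBACRole role )
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_ROLE_KEY, role.getKey( ) );
        request.setParameter( PARAMETER_SELECT_RESOURCES, VALUE_ALL );
        request.setParameter( PARAMETER_SELECT_PERMISSIONS, VALUE_ALL );
        request.setParameter( PARAMETER_RESOURCE_TYPE, Page.RESOURCE_TYPE );
        return request;
    }

    /**
     * Builds an un-assign-user request (token not set).
     *
     * @param role
     *            the role to revoke
     * @param nUserId
     *            the user losing the role
     * @return the request
     */
    private static MockHttpServletRequest newUnAssignUserRequest( RBACRole role, int nUserId )
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( PARAMETER_ROLE_KEY, role.getKey( ) );
        request.setParameter( PARAMETER_ID_USER, Integer.toString( nUserId ) );
        request.setParameter( PARAMETER_ANCHOR, PARAMETER_ANCHOR );
        return request;
    }

    /**
     * Returns a fresh, practically unique role key so concurrent or repeated runs never reuse one.
     *
     * @return a key of the form {@code junit} followed by 128 random bits in base 36
     */
    private String getRandomName( )
    {
        BigInteger bigInt = new BigInteger( 128, RANDOM );
        return RANDOM_NAME_PREFIX + bigInt.toString( 36 );
    }
}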