1   /*
2    * Copyright (c) 2015, Mairie de Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.portal.web.user;
35  
36  import java.security.SecureRandom;
37  import java.util.HashMap;
38  import java.util.Locale;
39  import java.util.Map;
40  
41  import org.springframework.mock.web.MockHttpServletRequest;
42  
43  import fr.paris.lutece.portal.business.right.Right;
44  import fr.paris.lutece.portal.business.user.AdminUser;
45  import fr.paris.lutece.portal.business.user.AdminUserHome;
46  import fr.paris.lutece.portal.business.user.authentication.LuteceDefaultAdminUser;
47  import fr.paris.lutece.portal.service.admin.AccessDeniedException;
48  import fr.paris.lutece.portal.service.admin.AdminAuthenticationService;
49  import fr.paris.lutece.portal.service.admin.AdminUserService;
50  import fr.paris.lutece.portal.service.admin.PasswordResetException;
51  import fr.paris.lutece.portal.service.i18n.I18nService;
52  import fr.paris.lutece.portal.service.message.AdminMessage;
53  import fr.paris.lutece.portal.service.message.AdminMessageService;
54  import fr.paris.lutece.portal.service.security.UserNotSignedException;
55  import fr.paris.lutece.portal.service.spring.SpringContextService;
56  import fr.paris.lutece.portal.web.constants.Messages;
57  import fr.paris.lutece.test.LuteceTestCase;
58  import fr.paris.lutece.util.password.IPasswordFactory;
59  
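/**
 * Integration tests for {@link AdminUserJspBean} user creation, modification and the
 * "advanced security parameters" switch.
 * <p>
 * The tests run against the Lutece test database and rely on its fixture accounts: the login
 * {@code admin} (a level-0 administrator that is allowed to create and modify users), the login
 * {@code lutece} (an account that must be refused), and the user with primary key 1 whose
 * password is {@code adminadmin} (presumably the same {@code admin} account — not verified here).
 * Every user created by a test is removed again in a {@code finally} block so that a failing
 * assertion does not leave rows behind.
 */
public class AdminUserJspBeanTest extends LuteceTestCase
{
    /** Right the bean must be initialised with before a user management action. */
    private static final String RIGHT_USERS_MANAGEMENT = "CORE_USERS_MANAGEMENT";

    /** Login of the fixture administrator that is allowed to create and modify users. */
    private static final String ADMIN_LOGIN = "admin";

    /** Login of a fixture account that is not allowed to modify the user created by the tests. */
    private static final String LUTECE_LOGIN = "lutece";

    /** Email domain appended to the generated user names. */
    private static final String EMAIL_DOMAIN = "@lutece.fr";

    /** i18n key reported when the two password fields do not match (or one is missing). */
    private static final String MSG_DIFFERENT_PASSWORDS = "portal.users.message.differentsPassword";

    /** i18n key reported when the requested access code already belongs to another user. */
    private static final String MSG_ACCESS_CODE_USED = "portal.users.message.user.accessCodeAlreadyUsed";

    /** i18n key reported when the requested email already belongs to another user. */
    private static final String MSG_EMAIL_USED = "portal.users.message.user.accessEmailUsed";

    /**
     * Drives {@link AdminUserJspBean#doCreateAdminUser} from an empty request up to a successful
     * creation, checking the admin message produced at each step:
     * <ol>
     * <li>each identity field (access code, last name, first name, email) is mandatory and a
     * whitespace-only email counts as missing;</li>
     * <li>the access code and the email must not already be used by the fixture administrator;</li>
     * <li>a level-1 actor holding {@value #RIGHT_USERS_MANAGEMENT} asking for a level-0 user is
     * refused with {@link Messages#USER_ACCESS_DENIED};</li>
     * <li>with the administrator registered, the passwords are mandatory, must both be present and
     * must match;</li>
     * <li>a complete request yields no message and the persisted password checks against the
     * cleartext that was submitted.</li>
     * </ol>
     * The created user is removed in the {@code finally} block whether or not the test passed.
     *
     * @throws PasswordResetException propagated from the bean
     * @throws AccessDeniedException propagated from {@link AdminUserJspBean#init} or the bean
     * @throws UserNotSignedException propagated from the authentication service
     */
    public void testDoCreateAdminUser(  ) throws PasswordResetException, AccessDeniedException, UserNotSignedException
    {
        AdminUserJspBean bean = new AdminUserJspBean( );
        MockHttpServletRequest request = new MockHttpServletRequest( );
        bean.doCreateAdminUser( request );
        assertAdminMessage( request, Messages.MANDATORY_FIELDS );

        // a fresh name per run so a row left over by an earlier failed run cannot collide
        String randomUserName = "User_" + new SecureRandom( ).nextLong( );
        String randomEmail = randomUserName + EMAIL_DOMAIN;
        try
        {
            // identity fields are supplied one at a time; each request is still incomplete
            request = new MockHttpServletRequest( );
            request.addParameter( "access_code", randomUserName );
            bean.doCreateAdminUser( request );
            assertAdminMessage( request, Messages.MANDATORY_FIELDS );

            request = new MockHttpServletRequest( );
            request.addParameter( "access_code", randomUserName );
            request.addParameter( "last_name", randomUserName );
            bean.doCreateAdminUser( request );
            assertAdminMessage( request, Messages.MANDATORY_FIELDS );

            request = new MockHttpServletRequest( );
            request.addParameter( "access_code", randomUserName );
            request.addParameter( "last_name", randomUserName );
            request.addParameter( "first_name", randomUserName );
            bean.doCreateAdminUser( request );
            assertAdminMessage( request, Messages.MANDATORY_FIELDS );

            // a whitespace-only email must be treated as absent
            request = new MockHttpServletRequest( );
            addIdentity( request, randomUserName, randomUserName, randomUserName, "   " );
            bean.doCreateAdminUser( request );
            assertAdminMessage( request, Messages.MANDATORY_FIELDS );

            // uniqueness checks against the fixture administrator's access code and email
            request = new MockHttpServletRequest( );
            addIdentity( request, ADMIN_LOGIN, randomUserName, randomUserName, randomEmail );
            bean.doCreateAdminUser( request );
            assertAdminMessage( request, MSG_ACCESS_CODE_USED );

            request = new MockHttpServletRequest( );
            addIdentity( request, randomUserName, randomUserName, randomUserName, ADMIN_LOGIN + EMAIL_DOMAIN );
            bean.doCreateAdminUser( request );
            assertAdminMessage( request, MSG_EMAIL_USED );

            // a level-1 actor that holds the right asks for a level-0 user and must be refused
            request = new MockHttpServletRequest( );
            addIdentity( request, randomUserName, randomUserName, randomUserName, randomEmail );
            request.addParameter( "user_level", "0" );
            request.getSession( true ).setAttribute( "lutece_admin_user", getLevel1AdminUserWithUsersManagementRight( ) );
            bean.init( request, RIGHT_USERS_MANAGEMENT );
            bean.doCreateAdminUser( request );
            assertAdminMessage( request, Messages.USER_ACCESS_DENIED );

            // from here on the caller is the fixture administrator; the passwords are still missing
            request = new MockHttpServletRequest( );
            addIdentity( request, randomUserName, randomUserName, randomUserName, randomEmail );
            request.addParameter( "user_level", "0" );
            registerAs( request, ADMIN_LOGIN );
            bean.init( request, RIGHT_USERS_MANAGEMENT );
            bean.doCreateAdminUser( request );
            assertAdminMessage( request, Messages.MANDATORY_FIELDS );

            // first password alone
            request = new MockHttpServletRequest( );
            addIdentity( request, randomUserName, randomUserName, randomUserName, randomEmail );
            request.addParameter( "user_level", "0" );
            request.addParameter( "first_password", randomUserName );
            registerAs( request, ADMIN_LOGIN );
            bean.init( request, RIGHT_USERS_MANAGEMENT );
            bean.doCreateAdminUser( request );
            assertAdminMessage( request, MSG_DIFFERENT_PASSWORDS );

            // both passwords present but different (mirrors the same case in testDoModifyAdminUser;
            // the previous version of this test ran the "first password alone" case twice instead)
            request = new MockHttpServletRequest( );
            addIdentity( request, randomUserName, randomUserName, randomUserName, randomEmail );
            request.addParameter( "user_level", "0" );
            request.addParameter( "first_password", randomUserName );
            request.addParameter( "second_password", randomUserName + "diff" );
            registerAs( request, ADMIN_LOGIN );
            bean.init( request, RIGHT_USERS_MANAGEMENT );
            bean.doCreateAdminUser( request );
            assertAdminMessage( request, MSG_DIFFERENT_PASSWORDS );

            // complete request: no message, the user exists and its stored password verifies
            request = new MockHttpServletRequest( );
            addIdentity( request, randomUserName, randomUserName, randomUserName, randomEmail );
            request.addParameter( "user_level", "0" );
            request.addParameter( "first_password", randomUserName );
            request.addParameter( "second_password", randomUserName );
            request.addParameter( "status", Integer.toString( AdminUser.ACTIVE_CODE ) ); // NPE if absent
            request.addParameter( "language", "fr" ); // NPE if absent
            registerAs( request, ADMIN_LOGIN );
            bean.init( request, RIGHT_USERS_MANAGEMENT );
            bean.doCreateAdminUser( request );
            assertNull( AdminMessageService.getMessage( request ) );
            AdminUser createdUser = AdminUserHome.findUserByLogin( randomUserName );
            assertNotNull( createdUser );
            LuteceDefaultAdminUser createdUserWithPassword = AdminUserHome.findLuteceDefaultAdminUserByPrimaryKey( createdUser.getUserId( ) );
            assertNotNull( createdUserWithPassword );
            assertTrue( createdUserWithPassword.getPassword( ).check( randomUserName ) );
        } finally
        {
            // the user only exists if the last step succeeded
            AdminUser user = AdminUserHome.findUserByLogin( randomUserName );
            if ( user != null )
            {
                AdminUserHome.remove( user.getUserId( ) );
            }
        }
    }

    /**
     * Builds a transient (not persisted) level-1 user that holds {@value #RIGHT_USERS_MANAGEMENT},
     * used as the session user for the access-denied case of {@link #testDoCreateAdminUser}.
     *
     * @return the user, never {@code null}
     */
    private AdminUser getLevel1AdminUserWithUsersManagementRight( )
    {
        AdminUser user = new AdminUser( );
        user.setUserLevel( 1 );
        Map<String, Right> rights = new HashMap<String, Right>( 1 );
        rights.put( RIGHT_USERS_MANAGEMENT, new Right( ) );
        user.setRights( rights );
        return user;
    }

    /**
     * Drives {@link AdminUserJspBean#doModifyAdminUser} on a freshly created user:
     * <ol>
     * <li>the {@code lutece} fixture account must be refused with {@link AccessDeniedException}
     * before any field validation runs;</li>
     * <li>as the administrator, the same mandatory-field, uniqueness and password checks as in
     * {@link #testDoCreateAdminUser} apply (a lone second password, a lone first password and two
     * different passwords are each rejected);</li>
     * <li>a complete request yields no message and every submitted field, including the new
     * password, is persisted.</li>
     * </ol>
     * The user is removed in the {@code finally} block whether or not the test passed.
     *
     * @throws AccessDeniedException propagated from the bean
     * @throws UserNotSignedException propagated from the authentication service
     */
    public void testDoModifyAdminUser(  ) throws AccessDeniedException, UserNotSignedException
    {
        AdminUser userToModify = getUserToModify( );
        try
        {
            AdminUserJspBean bean = new AdminUserJspBean( );
            int nIdUser = userToModify.getUserId( );

            // access control comes first: the lutece account must not get as far as validation
            MockHttpServletRequest request = modifyRequestAs( LUTECE_LOGIN, nIdUser );
            try
            {
                bean.doModifyAdminUser( request );
                fail( "Should not be able to modify a user with a lower level" );
            } catch ( AccessDeniedException ignored )
            {
                // expected: the refusal is the behaviour under test
            }

            request = modifyRequestAs( ADMIN_LOGIN, nIdUser );
            bean.doModifyAdminUser( request );
            assertAdminMessage( request, Messages.MANDATORY_FIELDS );

            final String modifiedName = userToModify.getAccessCode( ) + "_mod";
            final String modifiedEmail = modifiedName + EMAIL_DOMAIN;

            // identity fields are supplied one at a time; each request is still incomplete
            request = modifyRequestAs( ADMIN_LOGIN, nIdUser );
            request.addParameter( "access_code", modifiedName );
            bean.doModifyAdminUser( request );
            assertAdminMessage( request, Messages.MANDATORY_FIELDS );

            request = modifyRequestAs( ADMIN_LOGIN, nIdUser );
            request.addParameter( "access_code", modifiedName );
            request.addParameter( "last_name", modifiedName );
            bean.doModifyAdminUser( request );
            assertAdminMessage( request, Messages.MANDATORY_FIELDS );

            request = modifyRequestAs( ADMIN_LOGIN, nIdUser );
            request.addParameter( "access_code", modifiedName );
            request.addParameter( "last_name", modifiedName );
            request.addParameter( "first_name", modifiedName );
            bean.doModifyAdminUser( request );
            assertAdminMessage( request, Messages.MANDATORY_FIELDS );

            // a whitespace-only email must be treated as absent
            request = modifyRequestAs( ADMIN_LOGIN, nIdUser );
            addIdentity( request, modifiedName, modifiedName, modifiedName, "  " );
            bean.doModifyAdminUser( request );
            assertAdminMessage( request, Messages.MANDATORY_FIELDS );

            // uniqueness checks against the fixture administrator's access code and email
            request = modifyRequestAs( ADMIN_LOGIN, nIdUser );
            addIdentity( request, ADMIN_LOGIN, modifiedName, modifiedName, modifiedEmail );
            bean.doModifyAdminUser( request );
            assertAdminMessage( request, MSG_ACCESS_CODE_USED );

            request = modifyRequestAs( ADMIN_LOGIN, nIdUser );
            addIdentity( request, modifiedName, modifiedName, modifiedName, ADMIN_LOGIN + EMAIL_DOMAIN );
            bean.doModifyAdminUser( request );
            assertAdminMessage( request, MSG_EMAIL_USED );

            // second password alone
            request = modifyRequestAs( ADMIN_LOGIN, nIdUser );
            addIdentity( request, modifiedName, modifiedName, modifiedName, modifiedEmail );
            request.addParameter( "second_password", modifiedName );
            bean.doModifyAdminUser( request );
            assertAdminMessage( request, MSG_DIFFERENT_PASSWORDS );

            // first password alone
            request = modifyRequestAs( ADMIN_LOGIN, nIdUser );
            addIdentity( request, modifiedName, modifiedName, modifiedName, modifiedEmail );
            request.addParameter( "first_password", modifiedName );
            bean.doModifyAdminUser( request );
            assertAdminMessage( request, MSG_DIFFERENT_PASSWORDS );

            // both passwords present but different
            request = modifyRequestAs( ADMIN_LOGIN, nIdUser );
            addIdentity( request, modifiedName, modifiedName, modifiedName, modifiedEmail );
            request.addParameter( "first_password", modifiedName );
            request.addParameter( "second_password", modifiedName + "diff" );
            bean.doModifyAdminUser( request );
            assertAdminMessage( request, MSG_DIFFERENT_PASSWORDS );

            // complete request: no message and every field, password included, is persisted
            request = modifyRequestAs( ADMIN_LOGIN, nIdUser );
            addIdentity( request, modifiedName, modifiedName, modifiedName, modifiedEmail );
            request.addParameter( "first_password", modifiedName );
            request.addParameter( "second_password", modifiedName );
            request.addParameter( "status", Integer.toString( AdminUser.ACTIVE_CODE ) ); // NPE if absent
            request.addParameter( "language", "fr" ); // NPE if absent
            bean.doModifyAdminUser( request );
            assertNull( AdminMessageService.getMessage( request ) );
            LuteceDefaultAdminUser modifiedUser = AdminUserHome.findLuteceDefaultAdminUserByPrimaryKey( nIdUser );
            assertNotNull( modifiedUser );
            assertEquals( modifiedName, modifiedUser.getAccessCode( ) );
            assertEquals( modifiedName, modifiedUser.getLastName( ) );
            assertEquals( modifiedName, modifiedUser.getFirstName( ) );
            assertEquals( modifiedEmail, modifiedUser.getEmail( ) );
            assertTrue( modifiedUser.getPassword( ).check( modifiedName ) );
        } finally
        {
            AdminUserHome.remove( userToModify.getUserId( ) );
        }
    }

    /**
     * Creates and persists a level-0, active user with a random login and a fixed test password,
     * then reloads it from the database.
     *
     * @return the persisted user as read back by {@link AdminUserHome#findByPrimaryKey}
     */
    private AdminUser getUserToModify( )
    {
        String randomName = "User_" + new SecureRandom( ).nextLong( );
        LuteceDefaultAdminUser user = new LuteceDefaultAdminUser( );
        user.setAccessCode( randomName );
        user.setFirstName( randomName );
        user.setLastName( randomName );
        user.setEmail( randomName + EMAIL_DOMAIN );
        user.setUserLevel( 0 );
        user.setStatus( AdminUser.ACTIVE_CODE );
        // the password goes through the configured factory so it is stored in the same form as in production
        IPasswordFactory passwordFactory = SpringContextService.getBean( IPasswordFactory.BEAN_NAME );
        user.setPassword( passwordFactory.getPasswordFromCleartext( "PASSWORD" ) );
        AdminUserHome.create( user );
        return AdminUserHome.findByPrimaryKey( user.getUserId( ) );
    }

    /**
     * Checks that enabling the advanced security parameters leaves the stored password of user 1
     * verifiable with its fixture cleartext, before and after the switch.
     * <p>
     * The datastore flag is only switched back off when this test turned it on, so a developer
     * environment that already had it enabled is left as found.
     */
    // FIXME : this only tests that passwords are unchanged
    public void testDoUseAdvancedSecurityParameters(  )
    {
        boolean bAlreadyEnabled = AdminUserService.getBooleanSecurityParameter( AdminUserService.DSKEY_USE_ADVANCED_SECURITY_PARAMETERS );
        AdminUserJspBean bean = new AdminUserJspBean( );
        try
        {
            LuteceDefaultAdminUser admin = AdminUserHome.findLuteceDefaultAdminUserByPrimaryKey( 1 );
            assertTrue( admin.getPassword( ).check( "adminadmin" ) );
            bean.doUseAdvancedSecurityParameters( new MockHttpServletRequest( ) );
            admin = AdminUserHome.findLuteceDefaultAdminUserByPrimaryKey( 1 );
            assertTrue( admin.getPassword( ).check( "adminadmin" ) );
        } finally
        {
            if ( !bAlreadyEnabled )
            {
                bean.doRemoveAdvancedSecurityParameters( new MockHttpServletRequest( ) );
            }
        }
    }

    /**
     * Asserts that the bean left an admin message on the request whose French text is the
     * localisation of {@code strMessageKey}.
     *
     * @param request the request the bean was invoked with
     * @param strMessageKey the expected i18n key
     */
    private void assertAdminMessage( MockHttpServletRequest request, String strMessageKey )
    {
        AdminMessage message = AdminMessageService.getMessage( request );
        assertNotNull( message );
        assertEquals( I18nService.getLocalizedString( strMessageKey, Locale.FRENCH ), message.getText( Locale.FRENCH ) );
    }

    /**
     * Adds the four identity parameters the create/modify actions validate.
     *
     * @param request the request to fill
     * @param strAccessCode value of {@code access_code}
     * @param strLastName value of {@code last_name}
     * @param strFirstName value of {@code first_name}
     * @param strEmail value of {@code email}
     */
    private void addIdentity( MockHttpServletRequest request, String strAccessCode, String strLastName, String strFirstName, String strEmail )
    {
        request.addParameter( "access_code", strAccessCode );
        request.addParameter( "last_name", strLastName );
        request.addParameter( "first_name", strFirstName );
        request.addParameter( "email", strEmail );
    }

    /**
     * Registers the fixture account {@code strLogin} as the authenticated admin user of the request.
     *
     * @param request the request whose session receives the user
     * @param strLogin login of an existing fixture account
     * @throws AccessDeniedException propagated from the authentication service
     * @throws UserNotSignedException propagated from the authentication service
     */
    private void registerAs( MockHttpServletRequest request, String strLogin ) throws AccessDeniedException, UserNotSignedException
    {
        AdminAuthenticationService.getInstance( ).registerUser( request, AdminUserHome.findUserByLogin( strLogin ) );
    }

    /**
     * Builds a request for a modification of user {@code nIdUser}, authenticated as {@code strLogin}.
     *
     * @param strLogin login of the fixture account performing the modification
     * @param nIdUser primary key of the user to modify
     * @return a request carrying the session user and the {@code id_user} parameter
     * @throws AccessDeniedException propagated from the authentication service
     * @throws UserNotSignedException propagated from the authentication service
     */
    private MockHttpServletRequest modifyRequestAs( String strLogin, int nIdUser ) throws AccessDeniedException, UserNotSignedException
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        registerAs( request, strLogin );
        request.addParameter( "id_user", Integer.toString( nIdUser ) );
        return request;
    }
}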
418 }