/*
* Copyright. This file is part of swigg-security.
*
* swigg-security is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
 * swigg-security is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with swigg-security. If not, see <http://www.gnu.org/licenses/>.
*/
package net.swigg.security.example;
import net.swigg.security.authentication.AuthenticationConfig;
import net.swigg.security.authentication.BCryptCredentialsMatcher;
import net.swigg.security.authorization.AuthorizationConfig;
import net.swigg.security.authorization.DATPermission;
import net.swigg.security.authorization.PermissionFetcher;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.Subject;
import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.transaction.annotation.Transactional;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import java.util.Collection;
import static net.swigg.security.authorization.TargetIdentity.ANY;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
/**
 * Spring-wired integration test of the Shiro realm assembled by {@link SecurityTest.Config}:
 * logs in as accounts whose passwords are stored as bcrypt hashes and checks how roles and
 * domain/action/target permissions resolve for an admin and for a plain member.
 *
 * @author Dustin Sweigart <dustin@swigg.net>
 */
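@ContextConfiguration(classes = {SecurityTest.Config.class})
@RunWith(SpringJUnit4ClassRunner.class)
public class SecurityTest {
    @Autowired
    AccountRepository accountRepository;

    @PersistenceContext
    EntityManager entityManager;

    /**
     * Resets the state that is shared between test methods.
     *
     * <p>Shiro binds the {@link Subject} returned by {@link SecurityUtils#getSubject()} to the
     * current thread, so a test that logs in and never logs out would leave the next test on the
     * same thread already authenticated. Log out first, then drop the accounts.
     */
    @After
    public void tearDown() throws Exception {
        SecurityUtils.getSubject().logout();
        accountRepository.clear();
    }

    /**
     * Authenticates against the configured realm and checks role and permission resolution for an
     * administrator ("kermit") and a plain member ("fozzy").
     *
     * <p>The fixture persists four permissions: {@code *:*:*} for admins, {@code account:read:*}
     * for members, {@code account:create} for guests, and an {@code account:delete} permission
     * scoped to fozzy's own account. Each grant is paired with the negative assertion a reviewer
     * wants to see (fozzy may delete his own account but not kermit's).
     */
    @Test
    @Transactional
    public void testPermissions() throws Exception {
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        Role adminRole = new Role("admin");
        Role memberRole = new Role("member");
        Role guestRole = new Role("guest");

        // Accounts are stored with bcrypt hashes; the realm's BCryptCredentialsMatcher has to
        // verify the clear-text password carried by the token against them.
        Account kermit = new Account(1, "kermit", passwordEncoder.encode("kermit1"), adminRole, memberRole);
        Account fozzy = new Account(2, "fozzy", passwordEncoder.encode("fozzy1"), memberRole);
        accountRepository.addAccount(kermit, fozzy);

        // Permissions under test (DATPermission: presumably domain:action:target — see the
        // "account:read:*" / "account:delete:account-2" strings in the comments below).
        entityManager.persist(new DATPermission(adminRole, "*:*:*"));             // admin role can do anything
        entityManager.persist(new DATPermission(memberRole, "account:read:*"));   // members can read any account
        entityManager.persist(new DATPermission(guestRole, "account:create"));    // guests can create an account (no guest account is exercised here)
        entityManager.persist(new DATPermission(fozzy, "account:delete").setTargets(fozzy)); // fozzy can delete his own account only

        // --- kermit: admin + member ---
        Subject subject = loginAs("kermit", "kermit1");
        assertTrue(subject.hasRole(adminRole.getPrincipalIdentity()));
        assertTrue(subject.hasRole(memberRole.getPrincipalIdentity()));
        assertFalse(subject.hasRole(guestRole.getPrincipalIdentity()));

        // "*:*:*" covers every domain, action and target, with or without an explicit target.
        assertTrue(subject.isPermitted(new AccountPermission().create()));
        assertTrue(subject.isPermitted(new AccountPermission().read()));
        assertTrue(subject.isPermitted(new AccountPermission().delete()));
        assertTrue(subject.isPermitted(new AccountPermission(ANY).create()));
        assertTrue(subject.isPermitted(new AccountPermission(ANY).read()));
        assertTrue(subject.isPermitted(new AccountPermission(ANY).delete()));

        // Own account.
        assertTrue(subject.isPermitted(new AccountPermission(kermit).create())); // meaningless, but admins can do anything
        assertTrue(subject.isPermitted(new AccountPermission(kermit).read()));
        assertTrue(subject.isPermitted(new AccountPermission(kermit).delete()));

        // Someone else's account.
        assertTrue(subject.isPermitted(new AccountPermission(fozzy).create())); // meaningless, but admins can do anything
        assertTrue(subject.isPermitted(new AccountPermission(fozzy).read()));
        assertTrue(subject.isPermitted(new AccountPermission(fozzy).delete()));

        // --- fozzy: member only ---
        subject = loginAs("fozzy", "fozzy1");
        assertFalse(subject.hasRole(adminRole.getPrincipalIdentity()));
        assertTrue(subject.hasRole(memberRole.getPrincipalIdentity()));
        assertFalse(subject.hasRole(guestRole.getPrincipalIdentity()));

        // Without a target only the member's "account:read:*" applies.
        assertFalse(subject.isPermitted(new AccountPermission().create()));     // nothing implies "account:create"
        assertTrue(subject.isPermitted(new AccountPermission().read()));        // member implies "account:read:*"
        assertFalse(subject.isPermitted(new AccountPermission().delete()));     // nothing implies "account:delete"
        assertFalse(subject.isPermitted(new AccountPermission(ANY).create()));  // nothing implies "account:create:*"
        assertTrue(subject.isPermitted(new AccountPermission(ANY).read()));     // member implies "account:read:*"
        assertFalse(subject.isPermitted(new AccountPermission(ANY).delete()));  // nothing implies "account:delete:*"

        // Own account: the targeted delete permission applies to account-2.
        assertFalse(subject.isPermitted(new AccountPermission(fozzy).create())); // meaningless, but nothing implies "account:create:account-2"
        assertTrue(subject.isPermitted(new AccountPermission(fozzy).read()));    // member implies "account:read:*"
        assertTrue(subject.isPermitted(new AccountPermission(fozzy).delete()));  // targeted grant: "account:delete:account-2"

        // Someone else's account: the wildcard read still applies, the targeted delete must not.
        assertFalse(subject.isPermitted(new AccountPermission(kermit).create())); // nothing implies "account:create:account-1"
        assertTrue(subject.isPermitted(new AccountPermission(kermit).read()));    // member implies "account:read:*"
        assertFalse(subject.isPermitted(new AccountPermission(kermit).delete())); // nothing implies "account:delete:account-1"
    }

    /**
     * A wrong password must be rejected by the realm and must leave the thread-bound subject
     * unauthenticated with no roles. Without this negative case the positive logins above would
     * also pass against a credentials matcher that accepts anything.
     */
    @Test
    @Transactional
    public void testWrongPasswordIsRejected() throws Exception {
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        Role memberRole = new Role("member");
        Account kermit = new Account(1, "kermit", passwordEncoder.encode("kermit1"), memberRole);
        Account fozzy = new Account(2, "fozzy", passwordEncoder.encode("fozzy1"), memberRole);
        accountRepository.addAccount(kermit, fozzy);

        Subject subject = SecurityUtils.getSubject();
        subject.logout();
        boolean rejected = false;
        try {
            // kermit's valid password presented for fozzy: must be checked against fozzy's hash, not any hash
            subject.login(new UsernamePasswordToken("fozzy", "kermit1"));
        } catch (AuthenticationException e) {
            rejected = true;
        }
        assertTrue("login with a wrong password must throw AuthenticationException", rejected);
        assertFalse(subject.isAuthenticated());
        assertFalse(subject.hasRole(memberRole.getPrincipalIdentity()));
    }

    /**
     * Logs out whoever is currently bound to this thread, then logs in as {@code username}.
     * Logging out first keeps one test's principals from bleeding into the next login.
     */
    private static Subject loginAs(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        subject.logout();
        subject.login(new UsernamePasswordToken(username, password));
        return subject;
    }

    /**
     * Test wiring: excludes Spring Security's auto-configuration so Shiro is the only security
     * layer, imports the library's authentication and authorization configs, and exposes a single
     * realm backed by the in-memory {@link AccountRepository}.
     */
    @Configuration
    @EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class})
    @Import({AuthorizationConfig.class, AuthenticationConfig.class})
    public static class Config {
        @Bean
        public ExampleRealm securityTestAuthorizingRealm(BCryptCredentialsMatcher credentialsMatcher, PermissionFetcher permissionFetcher, AccountRepository accountRepository) {
            return new ExampleRealm(credentialsMatcher, permissionFetcher, accountRepository);
        }

        /**
         * Builds the security manager over all realm beans and registers it in Shiro's static
         * holder, which is what {@link SecurityUtils#getSubject()} in the tests resolves against.
         * Process-wide static state is acceptable here only because this is a test context.
         */
        @Bean
        public org.apache.shiro.mgt.SecurityManager securityManager(Collection<Realm> realms) {
            org.apache.shiro.mgt.SecurityManager securityManager = new DefaultSecurityManager(realms);
            SecurityUtils.setSecurityManager(securityManager);
            return securityManager;
        }

        @Bean
        public AccountRepository accountRepository() {
            return new AccountRepository();
        }
    }
}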