Add tests for logging unauthorized operations

neo4j · Sep 12, 2016 · 70b5788 · 70b5788
1 parent f6b0406
commit 70b5788
Showing 1 changed file with 38 additions and 1 deletion.
diff --git a/...ty/src/test/java/org/neo4j/server/security/enterprise/auth/AuthProceduresLoggingTest.java b/...ty/src/test/java/org/neo4j/server/security/enterprise/auth/AuthProceduresLoggingTest.java
@@ -42,6 +42,7 @@
 
 import static org.neo4j.logging.AssertableLogProvider.inLog;
 import static org.neo4j.server.security.enterprise.auth.AuthProcedures.PERMISSION_DENIED;
+import static org.neo4j.server.security.enterprise.auth.PredefinedRolesBuilder.ADMIN;
 import static org.neo4j.server.security.enterprise.auth.PredefinedRolesBuilder.ARCHITECT;
 import static org.neo4j.server.security.enterprise.auth.PredefinedRolesBuilder.READER;
 
@@ -119,6 +120,15 @@ public void shouldLogCreatingUserWithBadPassword() throws Throwable
                 error( "[admin]: tried to create user `%s`: %s", "mats", "A password cannot be empty." ) );
     }
 
+    @Test
+    public void shouldLogUnauthorizedCreatingUser() throws Throwable
+    {
+        authProcedures.authSubject = matsSubject;
+        catchAuthorizationViolation( () -> authProcedures.createUser( "andres", "", true ) );
+
+        log.assertExactly( error( "[mats]: tried to create user `%s`: %s", "andres", PERMISSION_DENIED ) );
+    }
+
     @Test
     public void shouldLogDeletingUser() throws Throwable
     {
@@ -138,6 +148,15 @@ public void shouldLogDeletingNonExistentUser() throws Throwable
         log.assertExactly( error( "[admin]: tried to delete user `%s`: %s", "andres", "User 'andres' does not exist." ) );
     }
 
+    @Test
+    public void shouldLogUnauthorizedDeleteUser() throws Throwable
+    {
+        authProcedures.authSubject = matsSubject;
+        catchAuthorizationViolation( () -> authProcedures.deleteUser( ADMIN ) );
+
+        log.assertExactly( error( "[mats]: tried to delete user `%s`: %s", ADMIN, PERMISSION_DENIED ) );
+    }
+
     @Test
     public void shouldLogAddingRoleToUser() throws Throwable
     {
@@ -160,6 +179,15 @@ public void shouldLogFailureToAddRoleToUser() throws Throwable
                 error( "[admin]: tried to add role `%s` to user `%s`: %s", "null", "mats", "Role 'null' does not exist." ) );
     }
 
+    @Test
+    public void shouldLogUnauthorizedAddingRole() throws Throwable
+    {
+        authProcedures.authSubject = matsSubject;
+        catchAuthorizationViolation( () -> authProcedures.addRoleToUser( ADMIN, "mats" ) );
+
+        log.assertExactly( error( "[mats]: tried to add role `%s` to user `%s`: %s", ADMIN, "mats", PERMISSION_DENIED ) );
+    }
+
     @Test
     public void shouldLogRemovalOfRoleFromUser() throws Throwable
     {
@@ -194,6 +222,15 @@ public void shouldLogFailureToRemoveRoleFromUser() throws Throwable
         );
     }
 
+    @Test
+    public void shouldLogUnauthorizedRemovingRole() throws Throwable
+    {
+        authProcedures.authSubject = matsSubject;
+        catchAuthorizationViolation( () -> authProcedures.removeRoleFromUser( ADMIN, ADMIN ) );
+
+        log.assertExactly( error( "[mats]: tried to remove role `%s` from user `%s`: %s", ADMIN, ADMIN, PERMISSION_DENIED ) );
+    }
+
     @Test
     public void shouldLogPasswordChanges() throws IOException, InvalidArgumentsException
     {
@@ -253,7 +290,7 @@ public void shouldLogFailureToChangeOwnPassword() throws Throwable
     }
 
     @Test
-    public void shouldLogUnauthorizedFailureToChangePassword() throws Throwable
+    public void shouldLogUnauthorizedChangePassword() throws Throwable
     {
         // Given
         authProcedures.createUser( "andres", "neo4j", true );