From 4111b57b57e02e927ace616e084db221a4cfdc04 Mon Sep 17 00:00:00 2001 From: Aaron Coburn Date: Fri, 23 Feb 2018 17:15:09 -0500 Subject: [PATCH 1/2] Add authN/authZ tests Resolves #48 --- .../app/TrellisAuthenticationTest.java | 1307 +++++++++++++++++ .../src/test/resources/trellis-config.yml | 2 +- trellis-app/src/test/resources/users.auth | 1 + .../java/org/trellisldp/http/WebAcFilter.java | 4 + 4 files changed, 1313 insertions(+), 1 deletion(-) create mode 100644 trellis-app/src/test/java/org/trellisldp/app/TrellisAuthenticationTest.java diff --git a/trellis-app/src/test/java/org/trellisldp/app/TrellisAuthenticationTest.java b/trellis-app/src/test/java/org/trellisldp/app/TrellisAuthenticationTest.java new file mode 100644 index 000000000..9e1e0f42c --- /dev/null +++ b/trellis-app/src/test/java/org/trellisldp/app/TrellisAuthenticationTest.java @@ -0,0 +1,1307 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.trellisldp.app; + +import static io.dropwizard.testing.ConfigOverride.config; +import static io.dropwizard.testing.ResourceHelpers.resourceFilePath; +import static java.nio.charset.StandardCharsets.UTF_8; +import static java.util.stream.Collectors.toList; +import static javax.ws.rs.client.Entity.entity; +import static javax.ws.rs.core.HttpHeaders.AUTHORIZATION; +import static javax.ws.rs.core.HttpHeaders.LINK; +import static javax.ws.rs.core.Link.fromUri; +import static javax.ws.rs.core.Response.Status.FORBIDDEN; +import static javax.ws.rs.core.Response.Status.Family.SUCCESSFUL; +import static javax.ws.rs.core.Response.Status.NOT_FOUND; +import static javax.ws.rs.core.Response.Status.UNAUTHORIZED; +import static javax.ws.rs.core.Response.Status.fromStatusCode; +import static org.apache.commons.codec.binary.Base64.encodeBase64String; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.trellisldp.http.domain.RdfMediaType.APPLICATION_SPARQL_UPDATE; +import static org.trellisldp.http.domain.RdfMediaType.TEXT_TURTLE; + +import io.dropwizard.client.JerseyClientBuilder; +import io.dropwizard.testing.DropwizardTestSupport; +import io.jsonwebtoken.Jwts; +import io.jsonwebtoken.SignatureAlgorithm; + +import java.util.List; + +import javax.ws.rs.client.Client; +import javax.ws.rs.client.WebTarget; +import javax.ws.rs.core.Link; +import javax.ws.rs.core.Response; + +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; +import org.junit.platform.runner.JUnitPlatform; +import org.junit.runner.RunWith; +import org.trellisldp.app.config.TrellisConfiguration; +import org.trellisldp.vocabulary.LDP; +import org.trellisldp.vocabulary.Trellis; + +/** + * Authorization tests + * + * @author acoburn + */ +@RunWith(JUnitPlatform.class) +public class TrellisAuthenticationTest { + + //TODO -- add group tests + // -- add tests for acl:default + + private static final String JWT_SECRET = "secret"; + + private static final DropwizardTestSupport APP + = new DropwizardTestSupport(TrellisApplication.class, + resourceFilePath("trellis-config.yml"), + config("auth.basic.usersFile", resourceFilePath("users.auth")), + config("binaries", resourceFilePath("data") + "/binaries"), + config("mementos", resourceFilePath("data") + "/mementos"), + config("namespaces", resourceFilePath("data/namespaces.json"))); + + private static Client client; + private static String baseURL; + private static String container; + private static String publicContainer, publicContainerAcl, publicContainerChild; + private static String protectedContainer, protectedContainerAcl, protectedContainerChild; + private static String privateContainer, privateContainerAcl, privateContainerChild; + + @BeforeAll + public static void setUp() { + APP.before(); + client = new JerseyClientBuilder(APP.getEnvironment()).build("test client"); + client.property("jersey.config.client.connectTimeout", 5000); + client.property("jersey.config.client.readTimeout", 5000); + baseURL = "http://localhost:" + APP.getLocalPort() + "/"; + + final String jwt = "Bearer " + Jwts.builder().claim("webid", + Trellis.AdministratorAgent.getIRIString()) + .signWith(SignatureAlgorithm.HS512, JWT_SECRET.getBytes(UTF_8)) + .compact(); + + final String containerContent + = "PREFIX skos: \n" + + "PREFIX dc: \n\n" + + "<> skos:prefLabel \"Basic Container\"@eng ; " + + " dc:description \"This is a simple Basic Container for testing.\"@eng ."; + + // POST an LDP-BC + try (final Response res = target().request() + .header(LINK, fromUri(LDP.BasicContainer.getIRIString()).rel("type").build()) + .header(AUTHORIZATION, jwt).post(entity(containerContent, TEXT_TURTLE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + container = res.getLocation().toString(); + } + + // POST a public container + try (final Response res = target(container).request() + .header(LINK, fromUri(LDP.BasicContainer.getIRIString()).rel("type").build()) + .header(AUTHORIZATION, jwt).post(entity(containerContent, TEXT_TURTLE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + publicContainer = res.getLocation().toString(); + } + + // Add a child to the public container + try (final Response res = target(publicContainer).request().header(AUTHORIZATION, jwt) + .post(entity("", TEXT_TURTLE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + publicContainerChild = res.getLocation().toString(); + publicContainerAcl = getLinks(res).stream().filter(link -> link.getRel().equals("acl")) + .map(link -> link.getUri().toString()).findFirst().orElse(""); + } + + final String publicAcl = "PREFIX acl: \n" + + "PREFIX foaf: \n\n" + + "INSERT DATA { \n" + + "[acl:accessTo <" + publicContainer + ">; acl:mode acl:Read; acl:agentClass foaf:Agent ] }; \n" + + "PREFIX acl: \n\n" + + "INSERT DATA { [acl:accessTo <" + publicContainer + ">; acl:mode acl:Read, acl:Write; " + + " acl:agentClass acl:AuthenticatedAgent ] }"; + + // Add an ACL for the public container + try (final Response res = target(publicContainerAcl).request().header(AUTHORIZATION, jwt).method("PATCH", + entity(publicAcl, APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + + // POST a protected container + try (final Response res = target(container).request() + .header(LINK, fromUri(LDP.BasicContainer.getIRIString()).rel("type").build()) + .header(AUTHORIZATION, jwt).post(entity(containerContent, TEXT_TURTLE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + protectedContainer = res.getLocation().toString(); + } + + // Add a child to the protected container + try (final Response res = target(protectedContainer).request().header(AUTHORIZATION, jwt) + .post(entity("", TEXT_TURTLE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + protectedContainerChild = res.getLocation().toString(); + protectedContainerAcl = getLinks(res).stream().filter(link -> link.getRel().equals("acl")) + .map(link -> link.getUri().toString()).findFirst().orElse(""); + } + + final String protectedAcl = "PREFIX acl: \n\n" + + "INSERT DATA { \n" + + "[acl:accessTo <" + protectedContainer + ">; acl:mode acl:Read, acl:Write; " + + " acl:agent ] }"; + + // Add an ACL for the protected container + try (final Response res = target(protectedContainerAcl).request().header(AUTHORIZATION, jwt).method("PATCH", + entity(protectedAcl, APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + + // POST a private container + try (final Response res = target(container).request() + .header(LINK, fromUri(LDP.BasicContainer.getIRIString()).rel("type").build()) + .header(AUTHORIZATION, jwt).post(entity(containerContent, TEXT_TURTLE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + privateContainer = res.getLocation().toString(); + } + + // Add a child to the private container + try (final Response res = target(privateContainer).request().header(AUTHORIZATION, jwt) + .post(entity("", TEXT_TURTLE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + privateContainerChild = res.getLocation().toString(); + privateContainerAcl = getLinks(res).stream().filter(link -> link.getRel().equals("acl")) + .map(link -> link.getUri().toString()).findFirst().orElse(""); + } + + final String privateAcl = "PREFIX acl: \n\n" + + "INSERT DATA { " + + "[acl:accessTo <" + privateContainer + ">; acl:mode acl:Read, acl:Write; " + + " acl:agent ] }"; + + // Add an ACL for the private container + try (final Response res = target(privateContainerAcl).request().header(AUTHORIZATION, jwt).method("PATCH", + entity(privateAcl, APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @AfterAll + public static void tearDown() { + APP.after(); + } + + @Test + public void testPublicLinkHeader() { + assertEquals(publicContainer + "?ext=acl", publicContainerAcl); + } + + @Test + public void testProtectedLinkHeader() { + assertEquals(protectedContainer + "?ext=acl", protectedContainerAcl); + } + + @Test + public void testPrivateLinkHeader() { + assertEquals(privateContainer + "?ext=acl", privateContainerAcl); + } + + @Nested + @DisplayName("Jwt Administrator tests") + public class JwtAdministratorTests { + + private final String jwt = "Bearer " + Jwts.builder().claim("webid", + Trellis.AdministratorAgent.getIRIString()) + .signWith(SignatureAlgorithm.HS512, JWT_SECRET.getBytes(UTF_8)) + .compact(); + + @Test + @DisplayName("Verify that an administrator can read a public resource") + public void testAdminCanReadPublicResource() { + try (final Response res = target(publicContainer).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can read the child of a public resource") + public void testAdminCanReadPublicResourceChild() { + try (final Response res = target(publicContainerChild).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can write to a public resource") + public void testAdminCanWritePublicResource() { + try (final Response res = target(publicContainer).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can write to the child of a public resource") + public void testAdminCanWritePublicResourceChild() { + try (final Response res = target(publicContainerChild).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can control a public resource") + public void testAdminCanControlPublicResource() { + try (final Response res = target(publicContainerAcl).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can control the child of a public resource") + public void testAdminCanControlPublicResourceChild() { + try (final Response res = target(publicContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(NOT_FOUND, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an administrator can read a protected resource") + public void testAdminCanReadProtectedResource() { + try (final Response res = target(protectedContainer).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can read the child of a protected resource") + public void testAdminCanReadProtectedResourceChild() { + try (final Response res = target(protectedContainerChild).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can write to a protected resource") + public void testAdminCanWriteProtectedResource() { + try (final Response res = target(protectedContainer).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can write to the child of a protected resource") + public void testAdminCanWriteProtectedResourceChild() { + try (final Response res = target(protectedContainerChild).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can control a protected resource") + public void testAdminCanControlProtectedResource() { + try (final Response res = target(protectedContainerAcl).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can control the child of a protected resource") + public void testAdminCanControlProtectedResourceChild() { + try (final Response res = target(protectedContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(NOT_FOUND, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an administrator can read a private resource") + public void testAdminCanReadPrivateResource() { + try (final Response res = target(privateContainer).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can read the child of a private resource") + public void testAdminCanReadPrivateResourceChild() { + try (final Response res = target(privateContainerChild).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can write to a private resource") + public void testAdminCanWritePrivateResource() { + try (final Response res = target(privateContainer).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can write to the child of a private resource") + public void testAdminCanWritePrivateResourceChild() { + try (final Response res = target(privateContainerChild).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can control a private resource") + public void testAdminCanControlPrivateResource() { + try (final Response res = target(privateContainerAcl).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can control the child of a private resource") + public void testAdminCanControlPrivateResourceChild() { + try (final Response res = target(privateContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(NOT_FOUND, fromStatusCode(res.getStatus())); + } + } + } + + @Nested + @DisplayName("Basic Auth User tests") + public class BasicAuthUserTests { + + private final String auth = "Basic " + encodeBase64String("acoburn:secret".getBytes()); + + @Test + @DisplayName("Verify that a user can read a public resource") + public void testUserCanReadPublicResource() { + try (final Response res = target(publicContainer).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can read the child of a public resource") + public void testUserCanReadPublicResourceChild() { + try (final Response res = target(publicContainerChild).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to a public resource") + public void testUserCanWritePublicResource() { + try (final Response res = target(publicContainer).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to the child of a public resource") + public void testUserCanWritePublicResourceChild() { + try (final Response res = target(publicContainerChild).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user cannot control a public resource") + public void testUserCanControlPublicResource() { + try (final Response res = target(publicContainer + "?ext=acl").request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control the child of a public resource") + public void testUserCanControlPublicResourceChild() { + try (final Response res = target(publicContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user can read a protected resource") + public void testUserCanReadProtectedResource() { + try (final Response res = target(protectedContainer).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can read the child of a protected resource") + public void testUserCanReadProtectedResourceChild() { + try (final Response res = target(protectedContainerChild).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to a protected resource") + public void testUserCanWriteProtectedResource() { + try (final Response res = target(protectedContainer).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to the child of a protected resource") + public void testUserCanWriteProtectedResourceChild() { + try (final Response res = target(protectedContainerChild).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can control a protected resource") + public void testUserCanControlProtectedResource() { + try (final Response res = target(protectedContainerAcl).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user can control a protected resource") + public void testUserCanControlProtectedResourceChild() { + try (final Response res = target(protectedContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot read a private resource") + public void testUserCanReadPrivateResource() { + try (final Response res = target(privateContainer).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot read the child of a private resource") + public void testUserCanReadPrivateResourceChild() { + try (final Response res = target(privateContainerChild).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot write to a private resource") + public void testUserCanWritePrivateResource() { + try (final Response res = target(privateContainer).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot write to the child of a private resource") + public void testUserCanWritePrivateResourceChild() { + try (final Response res = target(privateContainerChild).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control a private resource") + public void testUserCanControlPrivateResource() { + try (final Response res = target(privateContainer + "?ext=acl").request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control the child of a private resource") + public void testUserCanControlPrivateResourceChild() { + try (final Response res = target(privateContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + } + + @Nested + @DisplayName("Jwt User tests") + public class JwtUserTests { + + private final String jwt = "Bearer " + Jwts.builder() + .claim("webid", "https://people.apache.org/~acoburn/#i") + .signWith(SignatureAlgorithm.HS512, JWT_SECRET.getBytes(UTF_8)) + .compact(); + + @Test + @DisplayName("Verify that a user can read a public resource") + public void testUserCanReadPublicResource() { + try (final Response res = target(publicContainer).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can read the child of a public resource") + public void testUserCanReadPublicResourceChild() { + try (final Response res = target(publicContainerChild).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to a public resource") + public void testUserCanWritePublicResource() { + try (final Response res = target(publicContainer).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to the child of a public resource") + public void testUserCanWritePublicResourceChild() { + try (final Response res = target(publicContainerChild).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user cannot control a public resource") + public void testUserCanControlPublicResource() { + try (final Response res = target(publicContainerAcl).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control the child of a public resource") + public void testUserCanControlPublicResourceChild() { + try (final Response res = target(publicContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user can read a protected resource") + public void testUserCanReadProtectedResource() { + try (final Response res = target(protectedContainer).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can read the child of a protected resource") + public void testUserCanReadProtectedResourceChild() { + try (final Response res = target(protectedContainerChild).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to a protected resource") + public void testUserCanWriteProtectedResource() { + try (final Response res = target(protectedContainer).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to the child of a protected resource") + public void testUserCanWriteProtectedResourceChile() { + try (final Response res = target(protectedContainerChild).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can control a protected resource") + public void testUserCanControlProtectedResource() { + try (final Response res = target(protectedContainerAcl).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user can control the child of a protected resource") + public void testUserCanControlProtectedResourceChild() { + try (final Response res = target(protectedContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot read a private resource") + public void testUserCanReadPrivateResource() { + try (final Response res = target(privateContainer).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot read the child of a private resource") + public void testUserCanReadPrivateResourceChile() { + try (final Response res = target(privateContainerChild).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot write to a private resource") + public void testUserCanWritePrivateResource() { + try (final Response res = target(privateContainer).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot write to the child of a private resource") + public void testUserCanWritePrivateResourceChild() { + try (final Response res = target(privateContainerChild).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control a private resource") + public void testUserCanControlPrivateResource() { + try (final Response res = target(privateContainerAcl).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control the child of a private resource") + public void testUserCanControlPrivateResourceChild() { + try (final Response res = target(privateContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + } + + @Nested + @DisplayName("Basic Auth other user tests") + public class BasicAuthOtherUserTests { + + private final String auth = "Basic " + encodeBase64String("user:password".getBytes(UTF_8)); + + @Test + @DisplayName("Verify that a user can read a public resource") + public void testUserCanReadPublicResource() { + try (final Response res = target(publicContainer).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can read the child of a public resource") + public void testUserCanReadPublicResourceChile() { + try (final Response res = target(publicContainerChild).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to a public resource") + public void testUserCanWritePublicResource() { + try (final Response res = target(publicContainer).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to the child of a public resource") + public void testUserCanWritePublicResourceChild() { + try (final Response res = target(publicContainerChild).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user cannot control a public resource") + public void testUserCanControlPublicResource() { + try (final Response res = target(publicContainer + "?ext=acl").request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control the child of a public resource") + public void testUserCanControlPublicResourceChild() { + try (final Response res = target(publicContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot read a protected resource") + public void testUserCanReadProtectedResource() { + try (final Response res = target(protectedContainer).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot read the child of a protected resource") + public void testUserCanReadProtectedResourceChild() { + try (final Response res = target(protectedContainerChild).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot write to a protected resource") + public void testUserCanWriteProtectedResource() { + try (final Response res = target(protectedContainer).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot write to the child of a protected resource") + public void testUserCanWriteProtectedResourceChild() { + try (final Response res = target(protectedContainerChild).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control a protected resource") + public void testUserCanControlProtectedResource() { + try (final Response res = target(protectedContainerAcl).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control the child of a protected resource") + public void testUserCanControlProtectedResourceChild() { + try (final Response res = target(protectedContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot read a private resource") + public void testUserCanReadPrivateResource() { + try (final Response res = target(privateContainer).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot read the child of a private resource") + public void testUserCanReadPrivateResourceChild() { + try (final Response res = target(privateContainerChild).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot write to a private resource") + public void testUserCanWritePrivateResource() { + try (final Response res = target(privateContainer).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot write to the child of a private resource") + public void testUserCanWritePrivateResourceChild() { + try (final Response res = target(privateContainerChild).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control a private resource") + public void testUserCanControlPrivateResource() { + try (final Response res = target(privateContainerAcl).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control the child of a private resource") + public void testUserCanControlPrivateResourceChild() { + try (final Response res = target(privateContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + } + + @Nested + @DisplayName("Jwt Other user tests") + public class JwtOtherUserTests { + + private final String jwt = "Bearer " + Jwts.builder() + .claim("webid", "http://example.org/user") + .signWith(SignatureAlgorithm.HS512, JWT_SECRET.getBytes(UTF_8)) + .compact(); + + @Test + @DisplayName("Verify that a user can read a public resource") + public void testUserCanReadPublicResource() { + try (final Response res = target(publicContainer).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can read the child of a public resource") + public void testUserCanReadPublicResourceChild() { + try (final Response res = target(publicContainerChild).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to a public resource") + public void testUserCanWritePublicResource() { + try (final Response res = target(publicContainer).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to the child of a public resource") + public void testUserCanWritePublicResourceChild() { + try (final Response res = target(publicContainerChild).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user cannot control a public resource") + public void testUserCanControlPublicResource() { + try (final Response res = target(publicContainer + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control the child of a public resource") + public void testUserCanControlPublicResourceChild() { + try (final Response res = target(publicContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot read a protected resource") + public void testUserCanReadProtectedResource() { + try (final Response res = target(protectedContainer).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot read the child of a protected resource") + public void testUserCanReadProtectedResourceChild() { + try (final Response res = target(protectedContainerChild).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot write to a protected resource") + public void testUserCanWriteProtectedResource() { + try (final Response res = target(protectedContainer).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot write to the child of a protected resource") + public void testUserCanWriteProtectedResourceChild() { + try (final Response res = target(protectedContainerChild).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control a protected resource") + public void testUserCanControlProtectedResource() { + try (final Response res = target(protectedContainer + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control the child of a protected resource") + public void testUserCanControlProtectedResourceChild() { + try (final Response res = target(protectedContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot read a private resource") + public void testUserCanReadPrivateResource() { + try (final Response res = target(privateContainer).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot read the child of a private resource") + public void testUserCanReadPrivateResourceChild() { + try (final Response res = target(privateContainerChild).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot write to a private resource") + public void testUserCanWritePrivateResource() { + try (final Response res = target(privateContainer).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot write to the child of a private resource") + public void testUserCanWritePrivateResourceChild() { + try (final Response res = target(privateContainerChild).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control a private resource") + public void testUserCanControlPrivateResource() { + try (final Response res = target(privateContainerAcl).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user cannot control the child of a private resource") + public void testUserCanControlPrivateResourceChild() { + try (final Response res = target(privateContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + } + + @Nested + @DisplayName("Anonymous tests") + public class AnonymousTests { + + @Test + @DisplayName("Verify that an anonymous user can read a public resource") + public void testCanReadPublicResource() { + try (final Response res = target(publicContainer).request().get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an anonymous user can read the child of a public resource") + public void testCanReadPublicResourceChild() { + try (final Response res = target(publicContainerChild).request().get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot write to a public resource") + public void testCanWritePublicResource() { + try (final Response res = target(publicContainer).request().method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot write to the child of a public resource") + public void testCanWritePublicResourceChild() { + try (final Response res = target(publicContainerChild).request().method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot control a public resource") + public void testCanControlPublicResource() { + try (final Response res = target(publicContainerAcl).request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot control the child of a public resource") + public void testCanControlPublicResourceChild() { + try (final Response res = target(publicContainerChild + "?ext=acl").request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot read a protected resource") + public void testCanReadProtectedResource() { + try (final Response res = target(protectedContainer).request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot read the child of a protected resource") + public void testCanReadProtectedResourceChild() { + try (final Response res = target(protectedContainerChild).request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot write to a protected resource") + public void testCanWriteProtectedResource() { + try (final Response res = target(protectedContainer).request().method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot write to the child of a protected resource") + public void testCanWriteProtectedResourceChild() { + try (final Response res = target(protectedContainerChild).request().method("PATCH", + entity("INSERT { <> \"Bar\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot control a protected resource") + public void testCanControlProtectedResource() { + try (final Response res = target(protectedContainerAcl).request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot control the child of a protected resource") + public void testCanControlProtectedResourceChild() { + try (final Response res = target(protectedContainerChild + "?ext=acl").request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot read a private resource") + public void testCanReadPrivateResource() { + try (final Response res = target(privateContainer).request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot read the child of a private resource") + public void testCanReadPrivateResourceChild() { + try (final Response res = target(privateContainerChild).request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot write to a private resource") + public void testCanWritePrivateResource() { + try (final Response res = target(privateContainer).request().method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot write to the child of a private resource") + public void testCanWritePrivateResourceChild() { + try (final Response res = target(privateContainerChild).request().method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot control a private resource") + public void testCanControlPrivateResource() { + try (final Response res = target(privateContainerAcl).request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user cannot control the child of a private resource") + public void testCanControlPrivateResourceChild() { + try (final Response res = target(privateContainerChild + "?ext=acl").request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + } + + private static WebTarget target() { + return target(baseURL); + } + + private static WebTarget target(final String url) { + return client.target(url); + } + + private static List getLinks(final Response res) { + // Jersey's client doesn't parse complex link headers correctly + return res.getStringHeaders().get(LINK).stream().map(Link::valueOf).collect(toList()); + } +} diff --git a/trellis-app/src/test/resources/trellis-config.yml b/trellis-app/src/test/resources/trellis-config.yml index b1e07b10c..a8a353ea7 100644 --- a/trellis-app/src/test/resources/trellis-config.yml +++ b/trellis-app/src/test/resources/trellis-config.yml @@ -33,7 +33,7 @@ auth: base64Encoded: false key: secret basic: - enabled: false + enabled: true cors: enabled: true diff --git a/trellis-app/src/test/resources/users.auth b/trellis-app/src/test/resources/users.auth index 653f9e49b..727bb8f81 100644 --- a/trellis-app/src/test/resources/users.auth +++ b/trellis-app/src/test/resources/users.auth @@ -1,3 +1,4 @@ # A comment other : pass acoburn : secret : https://people.apache.org/~acoburn/#i +user : password : http://example.com/user diff --git a/trellis-http/src/main/java/org/trellisldp/http/WebAcFilter.java b/trellis-http/src/main/java/org/trellisldp/http/WebAcFilter.java index 49dd95a17..5ad90328f 100644 --- a/trellis-http/src/main/java/org/trellisldp/http/WebAcFilter.java +++ b/trellis-http/src/main/java/org/trellisldp/http/WebAcFilter.java @@ -129,6 +129,7 @@ private void verifyCanAppend(final Set modes, final Session session, final } throw new ForbiddenException(); } + LOGGER.debug("User: {} can append to {}", session.getAgent(), path); } private void verifyCanControl(final Set modes, final Session session, final String path) { @@ -140,6 +141,7 @@ private void verifyCanControl(final Set modes, final Session session, final } throw new ForbiddenException(); } + LOGGER.debug("User: {} can control {}", session.getAgent(), path); } private void verifyCanWrite(final Set modes, final Session session, final String path) { @@ -151,6 +153,7 @@ private void verifyCanWrite(final Set modes, final Session session, final S } throw new ForbiddenException(); } + LOGGER.debug("User: {} can write to {}", session.getAgent(), path); } private void verifyCanRead(final Set modes, final Session session, final String path) { @@ -162,5 +165,6 @@ private void verifyCanRead(final Set modes, final Session session, final St } throw new ForbiddenException(); } + LOGGER.debug("User: {} can read {}", session.getAgent(), path); } } From 85de957e110686ab65248869a2b211a8ffb7c739 Mon Sep 17 00:00:00 2001 From: Aaron Coburn Date: Mon, 26 Feb 2018 09:36:21 -0500 Subject: [PATCH 2/2] Add tests group acl:agentGroup --- .../app/TrellisAuthenticationTest.java | 400 +++++++++++++++++- trellis-app/src/test/resources/users.auth | 2 +- 2 files changed, 398 insertions(+), 4 deletions(-) diff --git a/trellis-app/src/test/java/org/trellisldp/app/TrellisAuthenticationTest.java b/trellis-app/src/test/java/org/trellisldp/app/TrellisAuthenticationTest.java index 9e1e0f42c..43d9c5538 100644 --- a/trellis-app/src/test/java/org/trellisldp/app/TrellisAuthenticationTest.java +++ b/trellis-app/src/test/java/org/trellisldp/app/TrellisAuthenticationTest.java @@ -62,8 +62,7 @@ @RunWith(JUnitPlatform.class) public class TrellisAuthenticationTest { - //TODO -- add group tests - // -- add tests for acl:default + //TODO -- add tests for acl:default private static final String JWT_SECRET = "secret"; @@ -81,6 +80,8 @@ public class TrellisAuthenticationTest { private static String publicContainer, publicContainerAcl, publicContainerChild; private static String protectedContainer, protectedContainerAcl, protectedContainerChild; private static String privateContainer, privateContainerAcl, privateContainerChild; + private static String groupContainer, groupContainerAcl, groupContainerChild; + private static String groupResource; @BeforeAll public static void setUp() { @@ -195,6 +196,57 @@ public static void setUp() { entity(privateAcl, APPLICATION_SPARQL_UPDATE))) { assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); } + + final String groupContent + = "@prefix acl: .\n" + + "@prefix vcard: .\n" + + "<> a acl:GroupListing.\n" + + "<#Developers> a vcard:Group;\n" + + " vcard:hasUID ;\n" + + " vcard:hasMember ;\n" + + " vcard:hasMember .\n" + + "<#Management> a vcard:Group;\n" + + " vcard:hasUID ;\n" + + " vcard:hasMember ."; + + // POST a group listing + try (final Response res = target(container).request() + .header(AUTHORIZATION, jwt).post(entity(groupContent, TEXT_TURTLE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + groupResource = res.getLocation().toString(); + } + + // POST a group-controlled container + try (final Response res = target(container).request() + .header(LINK, fromUri(LDP.BasicContainer.getIRIString()).rel("type").build()) + .header(AUTHORIZATION, jwt).post(entity(containerContent, TEXT_TURTLE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + groupContainer = res.getLocation().toString(); + } + + // Add a child to the group container + try (final Response res = target(groupContainer).request().header(AUTHORIZATION, jwt) + .post(entity("", TEXT_TURTLE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + groupContainerChild = res.getLocation().toString(); + groupContainerAcl = getLinks(res).stream().filter(link -> link.getRel().equals("acl")) + .map(link -> link.getUri().toString()).findFirst().orElse(""); + } + + final String groupAcl = "PREFIX acl: \n\n" + + "INSERT DATA { " + + "[acl:accessTo <" + groupContainer + ">; acl:mode acl:Read, acl:Write; " + + " acl:agentGroup <" + groupResource + "#Developers> ] };\n" + + "PREFIX acl: \n\n" + + "INSERT DATA { " + + "[acl:accessTo <" + groupContainer + ">; acl:mode acl:Read; " + + " acl:agentGroup <" + groupResource + "#Management> ] }"; + + // Add an ACL for the private container + try (final Response res = target(groupContainerAcl).request().header(AUTHORIZATION, jwt).method("PATCH", + entity(groupAcl, APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } } @AfterAll @@ -399,6 +451,64 @@ public void testAdminCanControlPrivateResourceChild() { assertEquals(NOT_FOUND, fromStatusCode(res.getStatus())); } } + + @Test + @DisplayName("Verify that an administrator can read a group-controlled resource") + public void testAdminCanReadGroupResource() { + try (final Response res = target(groupContainer).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can read the child of a group-controlled resource") + public void testAdminCanReadGroupResourceChild() { + try (final Response res = target(groupContainerChild).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can write to a group-controlled resource") + public void testAdminCanWriteGroupResource() { + try (final Response res = target(groupContainer).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can write to the child of a group-controlled resource") + public void testAdminCanWriteGroupResourceChild() { + try (final Response res = target(groupContainerChild).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can control a group-controlled resource") + public void testAdminCanControlGroupResource() { + try (final Response res = target(groupContainerAcl).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that an administrator can control the child of a group-controlled resource") + public void testAdminCanControlGroupResourceChild() { + try (final Response res = target(groupContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(NOT_FOUND, fromStatusCode(res.getStatus())); + } + } } @Nested @@ -580,6 +690,64 @@ public void testUserCanControlPrivateResourceChild() { assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); } } + + @Test + @DisplayName("Verify that a user can read a group-controlled resource") + public void testCanReadGroupResource() { + try (final Response res = target(groupContainer).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can read the child of a group-controlled resource") + public void testCanReadGroupResourceChild() { + try (final Response res = target(groupContainerChild).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to a group-controlled resource") + public void testCanWriteGroupResource() { + try (final Response res = target(groupContainer).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to the child of a group-controlled resource") + public void testCanWriteGroupResourceChild() { + try (final Response res = target(groupContainerChild).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can control a group-controlled resource") + public void testCanControlGroupResource() { + try (final Response res = target(groupContainerAcl).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user can control the child of a group-controlled resource") + public void testCanControlGroupResourceChild() { + try (final Response res = target(groupContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } } @Nested @@ -764,6 +932,64 @@ public void testUserCanControlPrivateResourceChild() { assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); } } + + @Test + @DisplayName("Verify that a user can read a group-controlled resource") + public void testCanReadGroupResource() { + try (final Response res = target(groupContainer).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can read the child of a group-controlled resource") + public void testCanReadGroupResourceChild() { + try (final Response res = target(groupContainerChild).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to a group-controlled resource") + public void testCanWriteGroupResource() { + try (final Response res = target(groupContainer).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to the child of a group-controlled resource") + public void testCanWriteGroupResourceChild() { + try (final Response res = target(groupContainerChild).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can control a group-controlled resource") + public void testCanControlGroupResource() { + try (final Response res = target(groupContainerAcl).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user can control the child of a group-controlled resource") + public void testCanControlGroupResourceChild() { + try (final Response res = target(groupContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } } @Nested @@ -945,6 +1171,64 @@ public void testUserCanControlPrivateResourceChild() { assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); } } + + @Test + @DisplayName("Verify that a user can read a group-controlled resource") + public void testCanReadGroupResource() { + try (final Response res = target(groupContainer).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can read the child of a group-controlled resource") + public void testCanReadGroupResourceChild() { + try (final Response res = target(groupContainerChild).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to a group-controlled resource") + public void testCanWriteGroupResource() { + try (final Response res = target(groupContainer).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user can write to the child of a group-controlled resource") + public void testCanWriteGroupResourceChild() { + try (final Response res = target(groupContainerChild).request() + .header(AUTHORIZATION, auth).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user can control a group-controlled resource") + public void testCanControlGroupResource() { + try (final Response res = target(groupContainerAcl).request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user can control the child of a group-controlled resource") + public void testCanControlGroupResourceChild() { + try (final Response res = target(groupContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, auth).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } } @Nested @@ -952,7 +1236,7 @@ public void testUserCanControlPrivateResourceChild() { public class JwtOtherUserTests { private final String jwt = "Bearer " + Jwts.builder() - .claim("webid", "http://example.org/user") + .claim("webid", "https://madison.example.com/profile/#me") .signWith(SignatureAlgorithm.HS512, JWT_SECRET.getBytes(UTF_8)) .compact(); @@ -1129,6 +1413,64 @@ public void testUserCanControlPrivateResourceChild() { assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); } } + + @Test + @DisplayName("Verify that a user can read a group-controlled resource") + public void testCanReadGroupResource() { + try (final Response res = target(groupContainer).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can read the child of a group-controlled resource") + public void testCanReadGroupResourceChild() { + try (final Response res = target(groupContainerChild).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(SUCCESSFUL, res.getStatusInfo().getFamily()); + } + } + + @Test + @DisplayName("Verify that a user can write to a group-controlled resource") + public void testCanWriteGroupResource() { + try (final Response res = target(groupContainer).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user can write to the child of a group-controlled resource") + public void testCanWriteGroupResourceChild() { + try (final Response res = target(groupContainerChild).request() + .header(AUTHORIZATION, jwt).method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user can control a group-controlled resource") + public void testCanControlGroupResource() { + try (final Response res = target(groupContainerAcl).request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that a user can control the child of a group-controlled resource") + public void testCanControlGroupResourceChild() { + try (final Response res = target(groupContainerChild + "?ext=acl").request() + .header(AUTHORIZATION, jwt).get()) { + assertEquals(FORBIDDEN, fromStatusCode(res.getStatus())); + } + } } @Nested @@ -1290,6 +1632,58 @@ public void testCanControlPrivateResourceChild() { assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); } } + + @Test + @DisplayName("Verify that an anonymous user can read a group-controlled resource") + public void testCanReadGroupResource() { + try (final Response res = target(groupContainer).request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user can read the child of a group-controlled resource") + public void testCanReadGroupResourceChild() { + try (final Response res = target(groupContainerChild).request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user can write to a group-controlled resource") + public void testCanWriteGroupResource() { + try (final Response res = target(groupContainer).request().method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user can write to the child of a group-controlled resource") + public void testCanWriteGroupResourceChild() { + try (final Response res = target(groupContainerChild).request().method("PATCH", + entity("INSERT { <> \"Foo\" } WHERE {}", + APPLICATION_SPARQL_UPDATE))) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user can control a group-controlled resource") + public void testCanControlGroupResource() { + try (final Response res = target(groupContainerAcl).request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } + + @Test + @DisplayName("Verify that an anonymous user can control the child of a group-controlled resource") + public void testCanControlGroupResourceChild() { + try (final Response res = target(groupContainerChild + "?ext=acl").request().get()) { + assertEquals(UNAUTHORIZED, fromStatusCode(res.getStatus())); + } + } } private static WebTarget target() { diff --git a/trellis-app/src/test/resources/users.auth b/trellis-app/src/test/resources/users.auth index 727bb8f81..198422439 100644 --- a/trellis-app/src/test/resources/users.auth +++ b/trellis-app/src/test/resources/users.auth @@ -1,4 +1,4 @@ # A comment other : pass acoburn : secret : https://people.apache.org/~acoburn/#i -user : password : http://example.com/user +user : password : https://madison.example.com/profile/#me