2023-12-16 19:55:34 +01:00
|
|
|
package com.commafeed.integration;
|
|
|
|
|
|
2024-08-12 13:10:35 +02:00
|
|
|
import java.net.HttpCookie;
|
|
|
|
|
import java.util.List;
|
|
|
|
|
import java.util.stream.Collectors;
|
2023-12-16 19:55:34 +01:00
|
|
|
|
2024-08-07 08:10:14 +02:00
|
|
|
import org.apache.hc.core5.http.HttpStatus;
|
2023-12-16 19:55:34 +01:00
|
|
|
import org.junit.jupiter.api.Assertions;
|
|
|
|
|
import org.junit.jupiter.api.Test;
|
|
|
|
|
|
2024-08-16 14:02:49 +02:00
|
|
|
import com.commafeed.ExceptionMappers.UnauthorizedResponse;
|
2023-12-16 19:55:34 +01:00
|
|
|
import com.commafeed.frontend.model.Entries;
|
|
|
|
|
import com.commafeed.frontend.model.UserModel;
|
2024-08-07 08:10:14 +02:00
|
|
|
import com.commafeed.frontend.model.request.MarkRequest;
|
2023-12-16 19:55:34 +01:00
|
|
|
import com.commafeed.frontend.model.request.ProfileModificationRequest;
|
|
|
|
|
import com.commafeed.frontend.model.request.SubscribeRequest;
|
|
|
|
|
|
2024-08-07 08:10:14 +02:00
|
|
|
import io.quarkus.test.junit.QuarkusTest;
|
2024-08-14 16:00:47 +02:00
|
|
|
import io.restassured.RestAssured;
|
2023-12-17 14:11:15 +01:00
|
|
|
import jakarta.ws.rs.core.HttpHeaders;
|
2024-08-14 16:00:47 +02:00
|
|
|
import jakarta.ws.rs.core.MediaType;
|
2023-12-17 14:11:15 +01:00
|
|
|
|
2024-08-07 08:10:14 +02:00
|
|
|
@QuarkusTest
|
2023-12-16 19:55:34 +01:00
|
|
|
class SecurityIT extends BaseIT {
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
void notLoggedIn() {
|
2024-08-16 14:02:49 +02:00
|
|
|
UnauthorizedResponse info = RestAssured.given()
|
|
|
|
|
.get("rest/user/profile")
|
|
|
|
|
.then()
|
|
|
|
|
.statusCode(HttpStatus.SC_UNAUTHORIZED)
|
|
|
|
|
.extract()
|
|
|
|
|
.as(UnauthorizedResponse.class);
|
|
|
|
|
Assertions.assertTrue(info.allowRegistrations());
|
2023-12-16 19:55:34 +01:00
|
|
|
}
|
|
|
|
|
|
2024-08-12 13:10:35 +02:00
|
|
|
@Test
|
|
|
|
|
void formLogin() {
|
|
|
|
|
List<HttpCookie> cookies = login();
|
2024-08-14 16:00:47 +02:00
|
|
|
cookies.forEach(c -> Assertions.assertTrue(c.getMaxAge() > 0));
|
2024-08-12 13:10:35 +02:00
|
|
|
|
2024-08-14 16:00:47 +02:00
|
|
|
RestAssured.given()
|
2024-08-12 13:10:35 +02:00
|
|
|
.header(HttpHeaders.COOKIE, cookies.stream().map(HttpCookie::toString).collect(Collectors.joining(";")))
|
2024-08-14 16:00:47 +02:00
|
|
|
.get("rest/user/profile")
|
|
|
|
|
.then()
|
|
|
|
|
.statusCode(HttpStatus.SC_OK);
|
2024-08-12 13:10:35 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
void basicAuthLogin() {
|
2024-08-14 16:00:47 +02:00
|
|
|
RestAssured.given().auth().preemptive().basic("admin", "admin").get("rest/user/profile").then().statusCode(HttpStatus.SC_OK);
|
2024-08-12 13:10:35 +02:00
|
|
|
}
|
|
|
|
|
|
2023-12-16 19:55:34 +01:00
|
|
|
@Test
|
|
|
|
|
void wrongPassword() {
|
2024-08-14 16:00:47 +02:00
|
|
|
RestAssured.given()
|
|
|
|
|
.auth()
|
|
|
|
|
.preemptive()
|
|
|
|
|
.basic("admin", "wrong-password")
|
|
|
|
|
.get("rest/user/profile")
|
|
|
|
|
.then()
|
|
|
|
|
.statusCode(HttpStatus.SC_UNAUTHORIZED);
|
2023-12-16 19:55:34 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
void missingRole() {
|
2024-08-14 16:00:47 +02:00
|
|
|
RestAssured.given().auth().preemptive().basic("demo", "demo").get("rest/admin/metrics").then().statusCode(HttpStatus.SC_FORBIDDEN);
|
2023-12-16 19:55:34 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
void apiKey() {
|
|
|
|
|
// create api key
|
|
|
|
|
ProfileModificationRequest req = new ProfileModificationRequest();
|
|
|
|
|
req.setCurrentPassword("admin");
|
|
|
|
|
req.setNewApiKey(true);
|
2024-08-14 16:00:47 +02:00
|
|
|
RestAssured.given()
|
|
|
|
|
.auth()
|
|
|
|
|
.preemptive()
|
|
|
|
|
.basic("admin", "admin")
|
|
|
|
|
.body(req)
|
|
|
|
|
.contentType(MediaType.APPLICATION_JSON)
|
|
|
|
|
.post("rest/user/profile")
|
|
|
|
|
.then()
|
|
|
|
|
.statusCode(HttpStatus.SC_OK);
|
2023-12-16 19:55:34 +01:00
|
|
|
|
|
|
|
|
// fetch api key
|
2024-08-14 16:00:47 +02:00
|
|
|
String apiKey = RestAssured.given()
|
|
|
|
|
.auth()
|
|
|
|
|
.preemptive()
|
|
|
|
|
.basic("admin", "admin")
|
|
|
|
|
.get("rest/user/profile")
|
|
|
|
|
.then()
|
|
|
|
|
.statusCode(HttpStatus.SC_OK)
|
|
|
|
|
.extract()
|
|
|
|
|
.as(UserModel.class)
|
2023-12-16 19:55:34 +01:00
|
|
|
.getApiKey();
|
|
|
|
|
|
|
|
|
|
// subscribe to a feed
|
|
|
|
|
SubscribeRequest subscribeRequest = new SubscribeRequest();
|
|
|
|
|
subscribeRequest.setUrl(getFeedUrl());
|
|
|
|
|
subscribeRequest.setTitle("my title for this feed");
|
2024-08-14 16:00:47 +02:00
|
|
|
long subscriptionId = RestAssured.given()
|
|
|
|
|
.auth()
|
|
|
|
|
.preemptive()
|
|
|
|
|
.basic("admin", "admin")
|
|
|
|
|
.body(subscribeRequest)
|
|
|
|
|
.contentType(MediaType.APPLICATION_JSON)
|
|
|
|
|
.post("rest/feed/subscribe")
|
|
|
|
|
.then()
|
|
|
|
|
.statusCode(HttpStatus.SC_OK)
|
|
|
|
|
.extract()
|
|
|
|
|
.as(Long.class);
|
2023-12-16 19:55:34 +01:00
|
|
|
|
|
|
|
|
// get entries with api key
|
2024-08-14 16:00:47 +02:00
|
|
|
Entries entries = RestAssured.given()
|
2023-12-16 19:55:34 +01:00
|
|
|
.queryParam("id", subscriptionId)
|
|
|
|
|
.queryParam("readType", "unread")
|
|
|
|
|
.queryParam("apiKey", apiKey)
|
2024-08-14 16:00:47 +02:00
|
|
|
.get("rest/feed/entries")
|
|
|
|
|
.then()
|
|
|
|
|
.statusCode(HttpStatus.SC_OK)
|
|
|
|
|
.extract()
|
|
|
|
|
.as(Entries.class);
|
2023-12-16 19:55:34 +01:00
|
|
|
Assertions.assertEquals("my title for this feed", entries.getName());
|
2024-08-07 08:10:14 +02:00
|
|
|
|
|
|
|
|
// mark entry as read and expect it won't work because it's not a GET request
|
|
|
|
|
MarkRequest markRequest = new MarkRequest();
|
|
|
|
|
markRequest.setId("1");
|
|
|
|
|
markRequest.setRead(true);
|
2024-08-14 16:00:47 +02:00
|
|
|
RestAssured.given()
|
|
|
|
|
.body(markRequest)
|
|
|
|
|
.contentType(MediaType.APPLICATION_JSON)
|
2024-08-07 08:10:14 +02:00
|
|
|
.queryParam("apiKey", apiKey)
|
2024-08-14 16:00:47 +02:00
|
|
|
.post("rest/entry/mark")
|
|
|
|
|
.then()
|
|
|
|
|
.statusCode(HttpStatus.SC_UNAUTHORIZED);
|
2023-12-16 19:55:34 +01:00
|
|
|
}
|
|
|
|
|
}
|
