package com.commafeed.integration;
import java.net.HttpCookie;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.stream.Collectors;

import org.apache.hc.core5.http.HttpStatus;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

import com.commafeed.frontend.model.Entries;
import com.commafeed.frontend.model.UserModel;
import com.commafeed.frontend.model.request.MarkRequest;
import com.commafeed.frontend.model.request.ProfileModificationRequest;
import com.commafeed.frontend.model.request.SubscribeRequest;

import io.quarkus.test.junit.QuarkusTest;
import jakarta.ws.rs.client.Entity;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
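/**
 * Integration tests for the authentication and authorization boundary of the REST API: anonymous access,
 * form login (cookie session), HTTP Basic authentication, role enforcement and API-key access.
 * <p>
 * Credentials used here ({@code admin}, {@code demo}) are the test fixtures provided by {@link BaseIT}.
 */
@QuarkusTest
class SecurityIT extends BaseIT {

    /** An anonymous request to a protected resource is rejected with 401, not served and not redirected. */
    @Test
    void notLoggedIn() {
        try (Response response = getClient().target(getApiBaseUrl() + "user/profile").request().get()) {
            Assertions.assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatus());
        }
    }

    /**
     * A form login yields cookies that grant access to a protected resource. Every cookie must report a
     * positive max-age, i.e. an explicit lifetime rather than the "unspecified" value ({@code -1}) of a
     * plain browser-session cookie.
     */
    @Test
    void formLogin() {
        List<HttpCookie> cookies = login();
        // Guard against a vacuous test: with no cookies the forEach below would assert nothing.
        Assertions.assertFalse(cookies.isEmpty(), "login() returned no cookies");

        try (Response response = getClient().target(getApiBaseUrl() + "user/profile")
                .request()
                .header(HttpHeaders.COOKIE, cookieHeader(cookies))
                .get()) {
            Assertions.assertEquals(HttpStatus.SC_OK, response.getStatus());
            cookies.forEach(c -> Assertions.assertTrue(c.getMaxAge() > 0));
        }
    }

    /** HTTP Basic credentials of a valid account are accepted on a protected resource. */
    @Test
    void basicAuthLogin() {
        try (Response response = getClient().target(getApiBaseUrl() + "user/profile")
                .request()
                .header(HttpHeaders.AUTHORIZATION, basicAuth("admin", "admin"))
                .get()) {
            Assertions.assertEquals(HttpStatus.SC_OK, response.getStatus());
        }
    }

    /** HTTP Basic credentials with a wrong password are rejected with 401 (not 403, not 200). */
    @Test
    void wrongPassword() {
        try (Response response = getClient().target(getApiBaseUrl() + "user/profile")
                .request()
                .header(HttpHeaders.AUTHORIZATION, basicAuth("admin", "wrong-password"))
                .get()) {
            Assertions.assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatus());
        }
    }

    /**
     * A correctly authenticated user that lacks the role required by an admin resource gets 403:
     * authenticated, but not authorized.
     */
    @Test
    void missingRole() {
        try (Response response = getClient().target(getApiBaseUrl() + "admin/metrics")
                .request()
                .header(HttpHeaders.AUTHORIZATION, basicAuth("demo", "demo"))
                .get()) {
            Assertions.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatus());
        }
    }

    /**
     * An API key generated through the profile endpoint grants read access (GET) to the user's feed data
     * when passed as the {@code apiKey} query parameter, but is refused on a state-changing (POST) request,
     * which must still be rejected as unauthenticated.
     */
    @Test
    void apiKey() {
        String auth = basicAuth("admin", "admin");

        // create api key
        ProfileModificationRequest req = new ProfileModificationRequest();
        req.setCurrentPassword("admin");
        req.setNewApiKey(true);
        try (Response createResponse = getClient().target(getApiBaseUrl() + "user/profile")
                .request()
                .header(HttpHeaders.AUTHORIZATION, auth)
                .post(Entity.json(req))) {
            // Fail here with the status code rather than later with an opaque null api key.
            Assertions.assertEquals(Response.Status.Family.SUCCESSFUL, createResponse.getStatusInfo().getFamily());
        }

        // fetch api key
        String apiKey = getClient().target(getApiBaseUrl() + "user/profile")
                .request()
                .header(HttpHeaders.AUTHORIZATION, auth)
                .get(UserModel.class)
                .getApiKey();
        Assertions.assertNotNull(apiKey, "profile does not expose the newly generated api key");

        // subscribe to a feed
        SubscribeRequest subscribeRequest = new SubscribeRequest();
        subscribeRequest.setUrl(getFeedUrl());
        subscribeRequest.setTitle("my title for this feed");
        long subscriptionId = getClient().target(getApiBaseUrl() + "feed/subscribe")
                .request()
                .header(HttpHeaders.AUTHORIZATION, auth)
                .post(Entity.json(subscribeRequest), Long.class);

        // get entries with api key
        Entries entries = getClient().target(getApiBaseUrl() + "feed/entries")
                .queryParam("id", subscriptionId)
                .queryParam("readType", "unread")
                .queryParam("apiKey", apiKey)
                .request()
                .get(Entries.class);
        Assertions.assertEquals("my title for this feed", entries.getName());

        // mark entry as read and expect it won't work because it's not a GET request
        MarkRequest markRequest = new MarkRequest();
        markRequest.setId("1");
        markRequest.setRead(true);
        try (Response markResponse = getClient().target(getApiBaseUrl() + "entry/mark")
                .queryParam("apiKey", apiKey)
                .request()
                .post(Entity.json(markRequest))) {
            Assertions.assertEquals(HttpStatus.SC_UNAUTHORIZED, markResponse.getStatus());
        }
    }

    /**
     * Builds an HTTP Basic {@code Authorization} header value for the given credentials.
     *
     * @param username account name
     * @param password account password
     * @return {@code "Basic "} followed by the base64 encoding of {@code username:password}
     */
    private static String basicAuth(String username, String password) {
        String credentials = username + ":" + password;
        // Encode with an explicit charset instead of the platform default (pre-18 that default varies by host).
        return "Basic " + Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Serializes the cookies obtained from a login into a single {@code Cookie} request header value.
     *
     * @param cookies cookies to send back to the server
     * @return the cookies joined with {@code ";"}
     */
    private static String cookieHeader(List<HttpCookie> cookies) {
        return cookies.stream().map(HttpCookie::toString).collect(Collectors.joining(";"));
    }
}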