mirror of
https://github.com/st-tu-dresden-praktikum/swt23w23
synced 2024-07-19 21:04:36 +02:00
Make inventory authorization tests more complete
This commit is contained in:
parent
0eb3276dde
commit
c5f6b18cd3
|
@ -16,12 +16,18 @@
|
|||
*/
|
||||
package catering.inventory;
|
||||
|
||||
import static catering.inventory.InventoryControllerIntegrationTests.PermissionResult.FORBIDDEN;
|
||||
import static catering.inventory.InventoryControllerIntegrationTests.PermissionResult.LOGIN;
|
||||
import static catering.inventory.InventoryControllerIntegrationTests.PermissionResult.OK;
|
||||
import static catering.inventory.InventoryControllerIntegrationTests.PermissionResult.OVERVIEW;
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.tuple;
|
||||
import static org.hamcrest.CoreMatchers.containsString;
|
||||
import static org.hamcrest.CoreMatchers.endsWith;
|
||||
import static org.hamcrest.CoreMatchers.not;
|
||||
import static org.salespointframework.core.Currencies.EURO;
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.anonymous;
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
|
||||
|
@ -47,8 +53,10 @@ import org.springframework.http.HttpHeaders;
|
|||
import org.springframework.security.test.context.support.WithMockUser;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.ResultActions;
|
||||
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
|
||||
|
||||
import catering.catalog.Consumable;
|
||||
import catering.catalog.Rentable;
|
||||
import catering.order.OrderType;
|
||||
|
||||
@AutoConfigureMockMvc
|
||||
|
@ -206,6 +214,43 @@ class InventoryControllerIntegrationTests {
|
|||
.andExpect(content().string(containsString("Ungültiger Name")));
|
||||
}
|
||||
|
||||
/*
|
||||
* Tests for authorization
|
||||
*/
|
||||
|
||||
static enum PermissionResult {
|
||||
/**
|
||||
* The result is an HTTP 403 (Forbidden) error code
|
||||
*/
|
||||
FORBIDDEN,
|
||||
/**
|
||||
* The result is a redirect to the login page
|
||||
*/
|
||||
LOGIN,
|
||||
/**
|
||||
* The result is an HTTP 200 (Ok) status code
|
||||
*/
|
||||
OK,
|
||||
/**
|
||||
* The result is a redirect to the inventory overview page
|
||||
*/
|
||||
OVERVIEW;
|
||||
|
||||
@FunctionalInterface
|
||||
public interface PermissionChecker {
|
||||
ResultActions check(ResultActions resultActions) throws Exception;
|
||||
}
|
||||
|
||||
PermissionChecker toChecker() {
|
||||
return switch (this) {
|
||||
case FORBIDDEN -> ra -> ra.andExpect(status().isForbidden());
|
||||
case LOGIN -> InventoryControllerIntegrationTests::assertRedirectsToLogin;
|
||||
case OK -> ra -> ra.andExpect(status().isOk());
|
||||
case OVERVIEW -> ra -> ra.andExpect(redirectedUrl("/inventory"));
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper function for asserting that protected endpoints are not accessible by
|
||||
* unauthentificated users.
|
||||
|
@ -215,7 +260,7 @@ class InventoryControllerIntegrationTests {
|
|||
* @return the {@link ResultActions} given as a parameter to perform more
|
||||
* matching on
|
||||
*/
|
||||
ResultActions assertRedirectsToLogin(ResultActions resultActions) throws Exception {
|
||||
static ResultActions assertRedirectsToLogin(ResultActions resultActions) throws Exception {
|
||||
// Spring security uses the full URL to redirect to login,
|
||||
// so we can’t use redirectedUrl("/login") in this case.
|
||||
return resultActions
|
||||
|
@ -223,36 +268,60 @@ class InventoryControllerIntegrationTests {
|
|||
.andExpect(header().string(HttpHeaders.LOCATION, endsWith("/login")));
|
||||
}
|
||||
|
||||
@Test
|
||||
void disallowUnauthorizedList() throws Exception {
|
||||
assertRedirectsToLogin(mvc.perform(get("/inventory")));
|
||||
ResultActions requestAsAnonymous(MockHttpServletRequestBuilder requestBuilder) throws Exception {
|
||||
return mvc.perform(requestBuilder.with(anonymous()));
|
||||
}
|
||||
|
||||
ResultActions requestAsCustomer(MockHttpServletRequestBuilder requestBuilder) throws Exception {
|
||||
return mvc.perform(requestBuilder.with(user("unprivileged").roles("CUSTOMER")));
|
||||
}
|
||||
|
||||
ResultActions requestAsAdministrator(MockHttpServletRequestBuilder requestBuilder) throws Exception {
|
||||
return mvc.perform(requestBuilder.with(user("admin").roles("ADMIN")));
|
||||
}
|
||||
|
||||
void checkPermissions(MockHttpServletRequestBuilder requestBuilder, PermissionResult anonymous,
|
||||
PermissionResult customer, PermissionResult administrator) throws Exception {
|
||||
anonymous.toChecker().check(requestAsAnonymous(requestBuilder));
|
||||
customer.toChecker().check(requestAsCustomer(requestBuilder));
|
||||
administrator.toChecker().check(requestAsAdministrator(requestBuilder));
|
||||
}
|
||||
|
||||
@Test
|
||||
void disallowUnauthorizedEditPage() throws Exception {
|
||||
assertRedirectsToLogin(
|
||||
mvc.perform(get("/inventory/edit/" + anyPid).queryParam("type", Consumable.class.getSimpleName())));
|
||||
void checkPermissionsForList() throws Exception {
|
||||
checkPermissions(get("/inventory"), LOGIN, FORBIDDEN, OK);
|
||||
}
|
||||
|
||||
@Test
|
||||
void disallowUnauthorizedEdit() throws Exception {
|
||||
assertRedirectsToLogin(
|
||||
mvc.perform(post("/inventory/edit/" + anyPid).queryParam("type", Consumable.class.getSimpleName())));
|
||||
void checkPermissionsForEditPage() throws Exception {
|
||||
for (Class<? extends Product> type : Set.of(Consumable.class, Rentable.class)) {
|
||||
checkPermissions(get("/inventory/edit/" + anyPid).queryParam("type", type.getSimpleName()),
|
||||
LOGIN, FORBIDDEN, OK);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void disallowUnauthorizedAddPage() throws Exception {
|
||||
assertRedirectsToLogin(mvc.perform(get("/inventory/add").queryParam("type", Consumable.class.getSimpleName())));
|
||||
void checkPermissionsForEdit() throws Exception {
|
||||
for (Class<? extends Product> type : Set.of(Consumable.class, Rentable.class)) {
|
||||
checkPermissions(post("/inventory/edit/" + anyPid).queryParam("type", type.getSimpleName()),
|
||||
LOGIN, FORBIDDEN, OK);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void disallowUnauthorizedAdd() throws Exception {
|
||||
assertRedirectsToLogin(
|
||||
mvc.perform(post("/inventory/add").queryParam("type", Consumable.class.getSimpleName())));
|
||||
void checkPermissionsForAddPage() throws Exception {
|
||||
checkPermissions(get("/inventory/add").queryParam("type", Consumable.class.getSimpleName()), LOGIN, FORBIDDEN,
|
||||
OK);
|
||||
}
|
||||
|
||||
@Test
|
||||
void disallowUnauthorizedDelete() throws Exception {
|
||||
assertRedirectsToLogin(mvc.perform(get("/inventory/delete/" + anyPid)));
|
||||
void checkPermissionsForAdd() throws Exception {
|
||||
checkPermissions(post("/inventory/add").queryParam("type", Consumable.class.getSimpleName()), LOGIN, FORBIDDEN,
|
||||
OK);
|
||||
}
|
||||
|
||||
@Test
|
||||
void checkPermissionsForDelete() throws Exception {
|
||||
checkPermissions(get("/inventory/delete/" + anyPid), LOGIN, FORBIDDEN, OVERVIEW);
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue