Add AccessControlServiceTest

LEDfan · LEDfan · commit 5823e5b30e43 · 2021-10-15T12:09:19.000+02:00
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/AccessControlService.java b/src/main/java/eu/openanalytics/containerproxy/service/AccessControlService.java
@@ -29,32 +29,51 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Service;
 
-import javax.inject.Inject;
-
 @Service
 public class AccessControlService {
 
-    @Lazy
-    @Inject
-    private IAuthenticationBackend authBackend;
-
-    @Inject
-    private UserService userService;
+    private final IAuthenticationBackend authBackend;
+    private final UserService userService;
+    private final IProxySpecProvider specProvider;
 
-    @Inject
-    private IProxySpecProvider specProvider;
+    public AccessControlService(@Lazy IAuthenticationBackend authBackend, UserService userService, IProxySpecProvider specProvider) {
+        this.authBackend = authBackend;
+        this.userService = userService;
+        this.specProvider = specProvider;
+    }
 
     public boolean canAccess(Authentication auth, String specId) {
         return canAccess(auth, specProvider.getSpec(specId));
     }
 
     public boolean canAccess(Authentication auth, ProxySpec spec) {
+        Optional<String> sessionId = getSessionId();
+        if (!sessionId.isPresent()) {
+            return checkAccess(auth, spec);
+        }
+        // we got a sessionId -> use the cache
+        return authorizationCache.computeIfAbsent(
+                Pair.of(sessionId.get(), spec.getId()),
+                (k) -> checkAccess(auth, spec));
+    }
+
+    /**
+     * @return the sessionId if the RequestContext is present
+     */
+    private Optional<String> getSessionId() {
+        return Optional
+                .ofNullable(RequestContextHolder.getRequestAttributes())
+                .map(RequestAttributes::getSessionId);
+    }
+
+    private boolean checkAccess(Authentication auth, ProxySpec spec) {
         if (auth == null || spec == null) {
             return false;
         }
 
-        if (auth instanceof AnonymousAuthenticationToken && !authBackend.hasAuthorization()) {
-            return true;
+        if (auth instanceof AnonymousAuthenticationToken) {
+            // if anonymous -> only allow access if we the backend has no authorization enabled
+            return !authBackend.hasAuthorization();
         }
 
         if (specHasNoAccessControl(spec.getAccessControl())) {
diff --git a/src/test/java/eu/openanalytics/containerproxy/test/auth/AccessControlServiceTest.java b/src/test/java/eu/openanalytics/containerproxy/test/auth/AccessControlServiceTest.java
@@ -0,0 +1,168 @@
+package eu.openanalytics.containerproxy.test.auth;
+
+import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
+import eu.openanalytics.containerproxy.model.spec.ProxyAccessControl;
+import eu.openanalytics.containerproxy.model.spec.ProxySpec;
+import eu.openanalytics.containerproxy.service.AccessControlService;
+import eu.openanalytics.containerproxy.service.UserService;
+import eu.openanalytics.containerproxy.spec.IProxySpecProvider;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.core.Authentication;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class AccessControlServiceTest {
+
+    private final IAuthenticationBackend authBackend;
+    private final UserService userService;
+    private final IProxySpecProvider specProvider;
+    private final AccessControlService accessControlService;
+
+    public AccessControlServiceTest() {
+        authBackend = mock(IAuthenticationBackend.class);
+        userService = mock(UserService.class);
+        specProvider = mock(IProxySpecProvider.class);
+        accessControlService = new AccessControlService(authBackend, userService, specProvider);
+    }
+
+    @Test
+    public void authOrSpecIsNull() {
+        Authentication auth = mock(Authentication.class);
+        Authentication nullAuth = null;
+        ProxySpec nullSpec = null;
+
+        Assertions.assertFalse(accessControlService.canAccess(nullAuth, createProxySpec(null)));
+        Assertions.assertFalse(accessControlService.canAccess(auth, nullSpec));
+        Assertions.assertFalse(accessControlService.canAccess(nullAuth, nullSpec));
+    }
+
+    @Test
+    public void usingSpecId() {
+        when(authBackend.hasAuthorization()).thenReturn(true);
+        ProxyAccessControl proxyAccessControl = new ProxyAccessControl();
+        when(specProvider.getSpec("myId")).thenReturn(createProxySpec(proxyAccessControl));
+
+        Authentication auth = mock(Authentication.class);
+
+        Assertions.assertTrue(accessControlService.canAccess(auth, "myId"));
+    }
+
+    @Test
+    public void specHasNoAccessControlTest() {
+        when(authBackend.hasAuthorization()).thenReturn(true);
+        Authentication auth = mock(Authentication.class);
+        ProxyAccessControl proxyAccessControl = new ProxyAccessControl();
+
+        Assertions.assertTrue(accessControlService.canAccess(auth, createProxySpec(proxyAccessControl)));
+    }
+
+    @Test
+    public void specHasNullAccessControlTest() {
+        when(authBackend.hasAuthorization()).thenReturn(true);
+        Authentication auth = mock(Authentication.class);
+
+        Assertions.assertTrue(accessControlService.canAccess(auth, createProxySpec(null)));
+    }
+
+    @Test
+    public void anonymousAccessTest() {
+        when(authBackend.hasAuthorization()).thenReturn(false);
+
+        ProxyAccessControl proxyAccessControl = new ProxyAccessControl();
+        proxyAccessControl.setGroups(new String[]{"myGroup"});
+
+        // when anonymous -> has access
+        Authentication anonymousAuth = mock(AnonymousAuthenticationToken.class);
+        Assertions.assertTrue(accessControlService.canAccess(anonymousAuth, createProxySpec(proxyAccessControl)));
+
+        // when not-anonymous -> has no access
+        Authentication auth = mock(Authentication.class);
+        Assertions.assertFalse(accessControlService.canAccess(auth, createProxySpec(proxyAccessControl)));
+
+        // when spec has no Access Control -> has access
+        Assertions.assertTrue(accessControlService.canAccess(anonymousAuth, createProxySpec(null)));
+    }
+
+    @Test
+    public void hasGroupAccessTest() {
+        when(authBackend.hasAuthorization()).thenReturn(true);
+        ProxyAccessControl proxyAccessControl = new ProxyAccessControl();
+        proxyAccessControl.setGroups(new String[]{"myGroup1", "myGroupAbc", "xxy"});
+
+        // user is not part of any group -> no access
+        Authentication auth1 = mock(Authentication.class);
+        Assertions.assertFalse(accessControlService.canAccess(auth1, createProxySpec(proxyAccessControl)));
+
+        // user is part of group, but not the correct group -> no access
+        when(userService.isMember(auth1, "myGroup1")).thenReturn(false);
+        Assertions.assertFalse(accessControlService.canAccess(auth1, createProxySpec(proxyAccessControl)));
+
+        // user is part of the correct -> hass access
+        Authentication auth2 = mock(Authentication.class);
+        when(userService.isMember(auth2, "myGroup1")).thenReturn(true);
+        Assertions.assertTrue(accessControlService.canAccess(auth2, createProxySpec(proxyAccessControl)));
+    }
+
+    @Test
+    public void hasUserAccessTest() {
+        when(authBackend.hasAuthorization()).thenReturn(true);
+        ProxyAccessControl proxyAccessControl = new ProxyAccessControl();
+        proxyAccessControl.setUsers(new String[]{"myUser1", "myUser2"});
+
+        // user is not part of the user access list -> no access
+        Authentication auth1 = mock(Authentication.class);
+        when(auth1.getName()).thenReturn("Bart");
+        Assertions.assertFalse(accessControlService.canAccess(auth1, createProxySpec(proxyAccessControl)));
+
+        // user is part of the user access list -> hass access
+        Authentication auth2 = mock(Authentication.class);
+        when(auth2.getName()).thenReturn("myUser1");
+        when(userService.isMember(auth2, "myGroup1")).thenReturn(true);
+        Assertions.assertTrue(accessControlService.canAccess(auth2, createProxySpec(proxyAccessControl)));
+    }
+
+    @Test
+    public void combinationOfGroupAndUserTest() {
+        when(authBackend.hasAuthorization()).thenReturn(true);
+        ProxyAccessControl proxyAccessControl = new ProxyAccessControl();
+        proxyAccessControl.setUsers(new String[]{"myUser1", "myUser2"});
+        proxyAccessControl.setGroups(new String[]{"myGroup1", "myGroupAbc", "xxy"});
+
+        // user is not part of any group and not on the user access list -> no access
+        Authentication auth1 = mock(Authentication.class);
+        when(auth1.getName()).thenReturn("Bart");
+        Assertions.assertFalse(accessControlService.canAccess(auth1, createProxySpec(proxyAccessControl)));
+
+        // user is not part of any group, but it is on the user access list -> has access
+        Authentication auth2 = mock(Authentication.class);
+        when(auth2.getName()).thenReturn("myUser1");
+        Assertions.assertTrue(accessControlService.canAccess(auth2, createProxySpec(proxyAccessControl)));
+
+        // user is part of group and not on the user access list -> has access
+        Authentication auth3 = mock(Authentication.class);
+        when(auth3.getName()).thenReturn("Bart");
+        when(userService.isMember(auth3, "myGroup1")).thenReturn(false);
+        when(userService.isMember(auth3, "myGroupAbc")).thenReturn(true);
+        when(userService.isMember(auth3, "xxy")).thenReturn(false);
+        Assertions.assertTrue(accessControlService.canAccess(auth3, createProxySpec(proxyAccessControl)));
+
+        // user is part of group and also on the user access list -> has access
+        Authentication auth4 = mock(Authentication.class);
+        when(auth4.getName()).thenReturn("myUser1");
+        when(userService.isMember(auth4, "myGroup1")).thenReturn(false);
+        when(userService.isMember(auth4, "myGroupAbc")).thenReturn(true);
+        when(userService.isMember(auth4, "xxy")).thenReturn(false);
+        Assertions.assertTrue(accessControlService.canAccess(auth4, createProxySpec(proxyAccessControl)));
+    }
+
+    private ProxySpec createProxySpec(ProxyAccessControl proxyAccessControl) {
+        ProxySpec proxySpec = new ProxySpec();
+        proxySpec.setId("myId");
+        proxySpec.setAccessControl(proxyAccessControl);
+        return proxySpec;
+    }
+
+}
