Ref #33886: validate access-expression for none auth

LEDfan · LEDfan · commit bd0ccd6dcd88 · 2025-05-08T08:54:19.000+02:00
diff --git a/src/test/java/eu/openanalytics/containerproxy/test/auth/AccessControlServiceTest.java b/src/test/java/eu/openanalytics/containerproxy/test/auth/AccessControlServiceTest.java
@@ -105,16 +105,27 @@ public void anonymousAccessTest() {
         AccessControl proxyAccessControl = new AccessControl();
         proxyAccessControl.setGroups(new String[]{"myGroup"});
 
-        // when anonymous -> has access
+        // when anonymous -> has no access
         Authentication anonymousAuth = mock(AnonymousAuthenticationToken.class);
-        Assertions.assertTrue(accessControlService.canAccess(anonymousAuth, createProxySpec(proxyAccessControl)));
+        Assertions.assertFalse(accessControlService.canAccess(anonymousAuth, createProxySpec(proxyAccessControl)));
 
         // when not-anonymous -> has no access
         Authentication auth = mock(Authentication.class);
         Assertions.assertFalse(accessControlService.canAccess(auth, createProxySpec(proxyAccessControl)));
 
         // when spec has no Access Control -> has access
         Assertions.assertTrue(accessControlService.canAccess(anonymousAuth, createProxySpec(null)));
+
+        proxyAccessControl = new AccessControl();
+        proxyAccessControl.setExpression("#{false}");
+
+        // when spec has 'false' expression -> has no access
+        Assertions.assertFalse(accessControlService.canAccess(anonymousAuth, createProxySpec(proxyAccessControl)));
+
+        proxyAccessControl.setExpression("#{true}");
+
+        // when spec has 'true' expression -> has access
+        Assertions.assertTrue(accessControlService.canAccess(anonymousAuth, createProxySpec(proxyAccessControl)));
     }
 
     @Test
