JBPAPP6-1061 extend EJB JACC policy module tests

kwart · kwart · commit 3ce94fd3af92 · 2012-12-05T14:09:28.000+01:00
diff --git a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/common/Utils.java b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/common/Utils.java
@@ -21,13 +21,9 @@
  */
 package org.jboss.as.test.integration.security.common;
 
-import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OP;
-import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OP_ADDR;
-import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.REMOVE;
-import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SUBSYSTEM;
+import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.*;
 import static org.jboss.as.security.Constants.SECURITY_DOMAIN;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.*;
 
 import java.io.File;
 import java.io.FileOutputStream;
@@ -642,4 +638,29 @@ public static Asset getJBossWebXmlAsset(final String securityDomain) {
         sb.append("\n</jboss-web>");
         return new StringAsset(sb.toString());
     }
+
+    /**
+     * Creates content of users.properties and/or roles.properties files for given array of role names.
+     * <p>
+     * For instance if you provide 2 roles - "role1", "role2" then the result will be:
+     * 
+     * <pre>
+     * role1=role1
+     * role2=role2
+     * </pre>
+     * 
+     * If you use it as users.properties and roles.properties, then <code>roleName == userName == password</code>
+     * 
+     * @param roles role names (used also as user names and passwords)
+     * @return not-<code>null</code> content of users.properties and/or roles.properties
+     */
+    public static String createUsersFromRoles(String... roles) {
+        final StringBuilder sb = new StringBuilder();
+        if (roles != null) {
+            for (String role : roles) {
+                sb.append(role).append("=").append(role).append("\n");
+            }
+        }
+        return sb.toString();
+    }
 }
diff --git a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/jacc/JACCAuthzPropagationTestCase.java b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/jacc/JACCAuthzPropagationTestCase.java
@@ -0,0 +1,202 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.as.test.integration.security.jacc;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.MalformedURLException;
+import java.net.URISyntaxException;
+import java.net.URL;
+
+import org.apache.http.client.ClientProtocolException;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.RunAsClient;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.test.api.ArquillianResource;
+import org.jboss.as.arquillian.api.ServerSetup;
+import org.jboss.as.arquillian.api.ServerSetupTask;
+import org.jboss.as.security.Constants;
+import org.jboss.as.test.integration.security.common.AbstractSecurityDomainsServerSetupTask;
+import org.jboss.as.test.integration.security.common.Utils;
+import org.jboss.as.test.integration.security.common.config.SecurityDomain;
+import org.jboss.as.test.integration.security.common.config.SecurityModule;
+import org.jboss.as.test.integration.security.jacc.propagation.BridgeBean;
+import org.jboss.as.test.integration.security.jacc.propagation.Manage;
+import org.jboss.as.test.integration.security.jacc.propagation.PropagationTestServlet;
+import org.jboss.as.test.integration.security.jacc.propagation.TargetBean;
+import org.jboss.as.test.integration.security.loginmodules.UsersRolesLoginModuleTestCase;
+import org.jboss.logging.Logger;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * Tests, which checks run-as identity handling in EJB JACC authorization module.
+ * 
+ * @author Josef Cacek
+ */
+@RunWith(Arquillian.class)
+@ServerSetup({ JACCAuthzPropagationTestCase.SecurityDomainsSetup.class })
+@RunAsClient
+public class JACCAuthzPropagationTestCase {
+
+    private static final Logger LOGGER = Logger.getLogger(JACCAuthzPropagationTestCase.class);
+
+    private static final String TEST_NAME = Manage.TEST_NAME;
+
+    // Public methods --------------------------------------------------------
+
+    /**
+     * Creates {@link WebArchive} deployment.
+     */
+    @Deployment(name = "war")
+    public static WebArchive warDeployment() {
+        LOGGER.info("Start WAR deployment");
+        final WebArchive war = ShrinkWrap.create(WebArchive.class, TEST_NAME + ".war");
+        war.addClasses(PropagationTestServlet.class, Manage.class, BridgeBean.class, TargetBean.class);
+        final StringAsset usersRolesAsset = new StringAsset(Utils.createUsersFromRoles(Manage.ROLES_ALL));
+        war.addAsResource(usersRolesAsset, "users.properties");
+        war.addAsResource(usersRolesAsset, "roles.properties");
+
+        war.addAsWebInfResource(UsersRolesLoginModuleTestCase.class.getPackage(), "web-basic-authn.xml", "web.xml");
+        war.addAsWebInfResource(Utils.getJBossWebXmlAsset(TEST_NAME), "jboss-web.xml");
+        war.addAsWebInfResource(Utils.getJBossEjb3XmlAsset(TEST_NAME), "jboss-ejb3.xml");
+        LOGGER.info(war.toString(true));
+        return war;
+
+    }
+
+    /**
+     * Tests direct permissions (RolesAllowed).
+     * 
+     * @param webAppURL
+     * @throws Exception
+     */
+    @Test
+    public void testTarget(@ArquillianResource URL webAppURL) throws Exception {
+        assertAccessAllowed(webAppURL, Manage.BEAN_NAME_TARGET, PropagationTestServlet.METHOD_NAME_ADMIN, Manage.ROLE_ADMIN);
+        assertAccessAllowed(webAppURL, Manage.BEAN_NAME_TARGET, PropagationTestServlet.METHOD_NAME_MANAGE, Manage.ROLE_MANAGER);
+        assertAccessAllowed(webAppURL, Manage.BEAN_NAME_TARGET, PropagationTestServlet.METHOD_NAME_WORK, Manage.ROLE_ADMIN);
+
+        assertAccessDenied(webAppURL, Manage.BEAN_NAME_TARGET, PropagationTestServlet.METHOD_NAME_ADMIN, Manage.ROLE_MANAGER);
+    }
+
+    /**
+     * Tests run-as permissions.
+     * 
+     * @param webAppURL
+     * @throws Exception
+     */
+    @Test
+    @Ignore("JBPAPP6-1686")
+    public void testBridge(@ArquillianResource URL webAppURL) throws Exception {
+        assertAccessAllowed(webAppURL, Manage.BEAN_NAME_BRIDGE, PropagationTestServlet.METHOD_NAME_MANAGE, Manage.ROLE_ADMIN);
+        assertAccessAllowed(webAppURL, Manage.BEAN_NAME_BRIDGE, PropagationTestServlet.METHOD_NAME_MANAGE, Manage.ROLE_MANAGER);
+        assertAccessAllowed(webAppURL, Manage.BEAN_NAME_BRIDGE, PropagationTestServlet.METHOD_NAME_MANAGE, Manage.ROLE_USER);
+        assertAccessAllowed(webAppURL, Manage.BEAN_NAME_BRIDGE, PropagationTestServlet.METHOD_NAME_WORK, Manage.ROLE_USER);
+
+        assertAccessDenied(webAppURL, Manage.BEAN_NAME_BRIDGE, PropagationTestServlet.METHOD_NAME_ADMIN, Manage.ROLE_ADMIN);
+        assertAccessDenied(webAppURL, Manage.BEAN_NAME_BRIDGE, PropagationTestServlet.METHOD_NAME_ADMIN, Manage.ROLE_MANAGER);
+    }
+
+    // Private methods -------------------------------------------------------
+
+    /**
+     * Asserts the access to the given method in the given bean is allowed for given role.
+     * 
+     * @param webAppURL
+     * @param beanName
+     * @param methodName
+     * @param roleName
+     * @throws ClientProtocolException
+     * @throws IOException
+     * @throws URISyntaxException
+     */
+    private void assertAccessAllowed(URL webAppURL, String beanName, String methodName, String roleName)
+            throws ClientProtocolException, IOException, URISyntaxException {
+        final URL testUrl = getTestURL(webAppURL, beanName, methodName);
+        assertEquals("Access of role " + roleName + " to " + methodName + " method in " + beanName + " should be allowed.",
+                Manage.RESULT, Utils.makeCallWithBasicAuthn(testUrl, roleName, roleName, 200));
+    }
+
+    /**
+     * Asserts the access to the given method in the given bean is denied for given role.
+     * 
+     * @param webAppURL
+     * @param beanName
+     * @param methodName
+     * @param roleName
+     * @throws ClientProtocolException
+     * @throws IOException
+     * @throws URISyntaxException
+     */
+    private void assertAccessDenied(URL webAppURL, String beanName, String methodName, String roleName)
+            throws ClientProtocolException, IOException, URISyntaxException {
+        final URL testUrl = getTestURL(webAppURL, beanName, methodName);
+        assertEquals("Access of role " + roleName + " to " + methodName + " method in " + beanName + " should be denied.",
+                PropagationTestServlet.RESULT_EJB_ACCESS_EXCEPTION,
+                Utils.makeCallWithBasicAuthn(testUrl, roleName, roleName, 200));
+    }
+
+    /**
+     * Creates URL of the test application with the given values of request parameters.
+     * 
+     * @param webAppURL
+     * @param beanName
+     * @param method
+     * @return
+     * @throws MalformedURLException
+     * @throws UnsupportedEncodingException
+     */
+    private URL getTestURL(URL webAppURL, String beanName, String method) throws MalformedURLException,
+            UnsupportedEncodingException {
+        return new URL(webAppURL.toExternalForm() + PropagationTestServlet.SERVLET_PATH.substring(1) + "?" //
+                + PropagationTestServlet.PARAM_BEAN_NAME + "=" + beanName + "&" // 
+                + PropagationTestServlet.PARAM_METHOD_NAME + "=" + method);
+    }
+
+    // Embedded classes ------------------------------------------------------
+
+    /**
+     * A {@link ServerSetupTask} instance which creates security domains for this test case.
+     * 
+     * @author Josef Cacek
+     */
+    static class SecurityDomainsSetup extends AbstractSecurityDomainsServerSetupTask {
+        /**
+         * @see org.jboss.as.test.integration.security.common.AbstractSecurityDomainsServerSetupTask#getSecurityDomains()
+         */
+        @Override
+        protected SecurityDomain[] getSecurityDomains() {
+            return new SecurityDomain[] { new SecurityDomain.Builder().name(TEST_NAME)
+                    .loginModules(new SecurityModule.Builder().name("UsersRoles").flag(Constants.REQUIRED).build()) //
+                    .authorizationModules(new SecurityModule.Builder().name("JACC").flag(Constants.REQUIRED).build()) //
+                    .cacheType("default") //
+                    .build() };
+        }
+    }
+}
diff --git a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/jacc/propagation/BridgeBean.java b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/jacc/propagation/BridgeBean.java
@@ -0,0 +1,60 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.as.test.integration.security.jacc.propagation;
+
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.RolesAllowed;
+import javax.annotation.security.RunAs;
+import javax.ejb.EJB;
+import javax.ejb.Stateless;
+
+/**
+ * Implementation of {@link Manage} interface which has injected {@link TargetBean} EJB and calls it's methods as
+ * {@link Manage#ROLE_MANAGER} role (using {@link javax.annotation.security.RunAs} annotation). This class is protected, it
+ * allows access to all test roles. Methods of this class are not protected.
+ * 
+ * @author Josef Cacek
+ */
+@Stateless(name = Manage.BEAN_NAME_BRIDGE)
+@DeclareRoles({ Manage.ROLE_ADMIN, Manage.ROLE_MANAGER, Manage.ROLE_USER })
+@RunAs(Manage.ROLE_MANAGER)
+@RolesAllowed({ Manage.ROLE_ADMIN, Manage.ROLE_MANAGER, Manage.ROLE_USER })
+public class BridgeBean implements Manage {
+
+    @EJB(beanName = Manage.BEAN_NAME_TARGET)
+    private Manage targetBean = null;
+
+    // Public methods --------------------------------------------------------
+
+    public String admin() {
+        return targetBean.admin();
+    }
+
+    public String manage() {
+        return targetBean.manage();
+    }
+
+    public String work() {
+        return targetBean.work();
+    }
+
+}
diff --git a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/jacc/propagation/Manage.java b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/jacc/propagation/Manage.java
@@ -0,0 +1,52 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.as.test.integration.security.jacc.propagation;
+
+/**
+ * Interface used for testing authorization propagation in the JACC policy module.
+ * 
+ * @author Josef Cacek
+ */
+public interface Manage {
+
+    String TEST_NAME = "jacc-propagation-test";
+
+    String ROLE_ADMIN = "Admin";
+    String ROLE_MANAGER = "Manager";
+    String ROLE_USER = "User";
+
+    /** All test roles */
+    String[] ROLES_ALL = { ROLE_ADMIN, ROLE_MANAGER, ROLE_USER };
+
+    String BEAN_NAME_TARGET = "TargetBean";
+    String BEAN_NAME_BRIDGE = "BridgeBean";
+
+    /** Default result of methods defined in this interface. */
+    String RESULT = "OK";
+
+    String admin();
+
+    String manage();
+
+    String work();
+
+}
diff --git a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/jacc/propagation/PropagationTestServlet.java b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/jacc/propagation/PropagationTestServlet.java
diff --git a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/jacc/propagation/TargetBean.java b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/jacc/propagation/TargetBean.java
