ext/entity-filtering/src/test/java/org/glassfish/jersey/message/filtering/SecurityEntityProcessorTest.java

/*
 * Copyright (c) 2013, 2018 Oracle and/or its affiliates. All rights reserved.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v. 2.0, which is available at
 * http://www.eclipse.org/legal/epl-2.0.
 *
 * This Source Code may also be made available under the following Secondary
 * Licenses when the conditions for such availability set forth in the
 * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
 * version 2 with the GNU Classpath Exception, which is available at
 * https://www.gnu.org/software/classpath/license.html.
 *
 * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
 */

package org.glassfish.jersey.message.filtering;

import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.stream.Collectors;

import org.glassfish.jersey.message.filtering.spi.EntityGraph;
import org.glassfish.jersey.message.filtering.spi.EntityProcessor;
import org.glassfish.jersey.message.filtering.spi.EntityProcessorContext;
import org.glassfish.jersey.message.filtering.spi.FilteringHelper;
import org.glassfish.jersey.message.filtering.spi.ScopeProvider;

import org.junit.Before;
import org.junit.Test;
import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.MatcherAssert.assertThat;

/**
 * {@link org.glassfish.jersey.message.filtering.SecurityEntityProcessor} unit tests.
 *
 * @author Michal Gajdos
 */
@SuppressWarnings("JavaDoc")
public class SecurityEntityProcessorTest {

    private SecurityEntityProcessor processor;

    @Before
    public void setUp() throws Exception {
        processor = new SecurityEntityProcessor();
    }

    @Test
    public void testProcessPermitAllClass() throws Exception {
        final EntityGraph actual = new EntityGraphImpl(PermitAllEntity.class);

        final EntityGraph expected = new EntityGraphImpl(PermitAllEntity.class);
        expected.addFilteringScopes(FilteringHelper.getDefaultFilteringScope());

        for (final boolean forWriter : new boolean[] {true, false}) {
            final EntityProcessor.Result result = testProcessClass(PermitAllEntity.class, actual, forWriter);

            assertThat(result, equalTo(EntityProcessor.Result.APPLY));
            assertThat(actual, equalTo(expected));
        }
    }

    @Test
    public void testProcessDenyAllClass() throws Exception {
        final EntityGraph actual = new EntityGraphImpl(DenyAllEntity.class);
        final EntityGraph expected = new EntityGraphImpl(DenyAllEntity.class);

        for (final boolean forWriter : new boolean[] {true, false}) {
            final EntityProcessor.Result result = testProcessClass(DenyAllEntity.class, actual, forWriter);

            assertThat(result, equalTo(EntityProcessor.Result.ROLLBACK));
            assertThat(actual, equalTo(expected));
        }
    }

    @Test
    public void testProcessRolesAllowedClass() throws Exception {
        final EntityGraph actual = new EntityGraphImpl(RolesAllowedEntity.class);

        final EntityGraph expected = new EntityGraphImpl(RolesAllowedEntity.class);
        expected.addFilteringScopes(
                Arrays.asList(
                        SecurityHelper.getRolesAllowedScope("manager"), SecurityHelper.getRolesAllowedScope("client"))
                      .stream()
                      .collect(Collectors.toSet()));

        for (final boolean forWriter : new boolean[] {true, false}) {
            final EntityProcessor.Result result = testProcessClass(RolesAllowedEntity.class, actual, forWriter);

            assertThat(result, equalTo(EntityProcessor.Result.APPLY));
            assertThat(actual, equalTo(expected));
        }
    }

    private EntityProcessor.Result testProcessClass(final Class<?> clazz, final EntityGraph graph, final boolean forWriter)
            throws Exception {

        final EntityProcessorContext context = new EntityProcessorContextImpl(
                forWriter ? EntityProcessorContext.Type.CLASS_WRITER : EntityProcessorContext.Type.CLASS_READER,
                clazz, graph);

        return processor.process(context);
    }

    @Test
    public void testProcessPermitAllProperties() throws Exception {
        final EntityGraph actual = new EntityGraphImpl(PermitAllEntity.class);

        final EntityGraph expected = new EntityGraphImpl(PermitAllEntity.class);
        expected.addField("field", ScopeProvider.DEFAULT_SCOPE);

        for (final boolean forWriter : new boolean[] {true, false}) {
            final EntityProcessor.Result result = testProcessProperty(PermitAllEntity.class, actual, forWriter);

            assertThat(result, equalTo(EntityProcessor.Result.APPLY));
            assertThat(actual, equalTo(expected));
        }
    }

    @Test
    public void testProcessDenyAllProperties() throws Exception {
        final EntityGraph actual = new EntityGraphImpl(DenyAllEntity.class);
        final EntityGraph expected = new EntityGraphImpl(DenyAllEntity.class);

        for (final boolean forWriter : new boolean[] {true, false}) {
            final EntityProcessor.Result result = testProcessProperty(DenyAllEntity.class, actual, forWriter);

            assertThat(result, equalTo(EntityProcessor.Result.ROLLBACK));
            assertThat(actual, equalTo(expected));
        }
    }

    @Test
    public void testProcessRolesAllowedProperties() throws Exception {
        final EntityGraph actual = new EntityGraphImpl(RolesAllowedEntity.class);
        final EntityGraph expected = new EntityGraphImpl(RolesAllowedEntity.class);

        for (final boolean forWriter : new boolean[] {true, false}) {
            final EntityProcessor.Result result = testProcessProperty(RolesAllowedEntity.class, actual, forWriter);

            if (forWriter) {
                expected.addField("field", SecurityHelper.getRolesAllowedScope("manager"));
            } else {
                expected.addField("field", SecurityHelper.getRolesAllowedScope("client"));
            }

            assertThat(result, equalTo(EntityProcessor.Result.APPLY));
            assertThat(actual, equalTo(expected));
        }
    }

    private EntityProcessor.Result testProcessProperty(final Class<?> clazz, final EntityGraph graph, final boolean forWriter)
            throws Exception {

        final Field field = clazz.getDeclaredField("field");
        final Method method = forWriter ? clazz.getMethod("getField") : clazz.getMethod("setField", String.class);

        final EntityProcessorContext context = new EntityProcessorContextImpl(
                forWriter ? EntityProcessorContext.Type.PROPERTY_WRITER : EntityProcessorContext.Type.PROPERTY_WRITER,
                field, method, graph);

        return processor.process(context);
    }

    @Test
    public void testProcessPermitAllAccessors() throws Exception {
        final EntityGraph actual = new EntityGraphImpl(PermitAllEntity.class);
        actual.addFilteringScopes(FilteringHelper.getDefaultFilteringScope());

        final EntityGraph expected = new EntityGraphImpl(PermitAllEntity.class);
        expected.addFilteringScopes(FilteringHelper.getDefaultFilteringScope());
        expected.addSubgraph("subgraph", SubEntity.class, ScopeProvider.DEFAULT_SCOPE);

        for (final boolean forWriter : new boolean[] {true, false}) {
            final EntityProcessor.Result result = testProcessAccessor(PermitAllEntity.class, actual, forWriter);

            assertThat(result, equalTo(EntityProcessor.Result.APPLY));
            assertThat(actual, equalTo(expected));
        }
    }

    @Test
    public void testProcessDenyAllAccessors() throws Exception {
        final EntityGraph actual = new EntityGraphImpl(DenyAllEntity.class);
        final EntityGraph expected = new EntityGraphImpl(DenyAllEntity.class);

        for (final boolean forWriter : new boolean[] {true, false}) {
            final EntityProcessor.Result result = testProcessAccessor(DenyAllEntity.class, actual, forWriter);

            assertThat(result, equalTo(EntityProcessor.Result.ROLLBACK));
            assertThat(actual, equalTo(expected));
        }
    }

    @Test
    public void testProcessRolesAllowedAccessor() throws Exception {
        final EntityGraph actual = new EntityGraphImpl(RolesAllowedEntity.class);
        final EntityGraph expected = new EntityGraphImpl(RolesAllowedEntity.class);

        for (final boolean forWriter : new boolean[] {true, false}) {
            final EntityProcessor.Result result = testProcessAccessor(RolesAllowedEntity.class, actual, forWriter);

            if (forWriter) {
                expected.addSubgraph("subgraph", SubEntity.class, SecurityHelper.getRolesAllowedScope("manager"));
            } else {
                expected.addSubgraph("subgraph", SubEntity.class, SecurityHelper.getRolesAllowedScope("client"));
            }

            assertThat(result, equalTo(EntityProcessor.Result.APPLY));
            assertThat(actual, equalTo(expected));
        }
    }

    private EntityProcessor.Result testProcessAccessor(final Class<?> clazz, final EntityGraph graph, final boolean forWriter)
            throws Exception {

        final Method method = forWriter ? clazz.getMethod("getSubgraph") : clazz.getMethod("setSubgraph", SubEntity.class);

        final EntityProcessorContext context = new EntityProcessorContextImpl(
                forWriter ? EntityProcessorContext.Type.PROPERTY_WRITER : EntityProcessorContext.Type.PROPERTY_WRITER,
                method, graph);

        return processor.process(context);
    }
}