ReAuthenticationFilterTest.java example

Explorer
gocd-master
/*
 * Copyright 2017 ThoughtWorks, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.thoughtworks.go.server.security;


import com.thoughtworks.go.util.SystemEnvironment;
import com.thoughtworks.go.util.TimeProvider;
import org.joda.time.DateTimeUtils;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.TestingAuthenticationToken;
import org.springframework.security.userdetails.User;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.*;

@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = {
        "classpath:WEB-INF/applicationContext-global.xml",
        "classpath:WEB-INF/applicationContext-dataLocalAccess.xml",
        "classpath:WEB-INF/applicationContext-acegi-security.xml"
})
public class ReAuthenticationFilterTest {
    private SystemEnvironment systemEnvironment;
    private ReAuthenticationFilter filter;
    private HttpSession session;
    private HttpServletRequest request;
    private HttpServletResponse response;
    private FilterChain filterChain;
    private TimeProvider timeProvider;

    @Before
    public void setUp() throws Exception {
        timeProvider = mock(TimeProvider.class);
        session = mock(HttpSession.class);
        request = mock(HttpServletRequest.class);
        response = mock(HttpServletResponse.class);
        filterChain = mock(FilterChain.class);
        systemEnvironment = mock(SystemEnvironment.class);
        filter = new ReAuthenticationFilter(systemEnvironment, timeProvider);

        stub(request.getSession()).toReturn(session);
        stub(session.getId()).toReturn("session_id");
    }

    @Test
    public void shouldContinueWithChainAndReturnIfReAuthenticationIsDisabled() throws IOException, ServletException {
        when(systemEnvironment.isReAuthenticationEnabled()).thenReturn(false);

        filter.doFilterHttp(request, response, filterChain);

        verify(filterChain).doFilter(request, response);
        verifyNoMoreInteractions(filterChain);
    }

    @Test
    public void shouldContinueWithChainAndReturnIfNotAuthenticated() throws IOException, ServletException {
        when(systemEnvironment.isReAuthenticationEnabled()).thenReturn(true);

        filter.doFilterHttp(request, response, filterChain);

        verify(filterChain).doFilter(request, response);
        verifyNoMoreInteractions(filterChain);
    }

    @Test
    public void shouldContinueWithChainAndReturnForAuthenticatedSessionWithoutLastAuthenticationTimeStamp() throws IOException, ServletException {
        long currentTimeMillis = DateTimeUtils.currentTimeMillis();
        Authentication authentication = setupAuthentication();

        when(systemEnvironment.isReAuthenticationEnabled()).thenReturn(true);
        when(timeProvider.currentTimeMillis()).thenReturn(currentTimeMillis);

        filter.doFilterHttp(request, response, filterChain);

        verify(session).setAttribute(ReAuthenticationFilter.LAST_REAUTHENICATION_CHECK_TIME, currentTimeMillis);
        verify(filterChain).doFilter(request, response);
        verifyNoMoreInteractions(filterChain);
        assertTrue(authentication.isAuthenticated());
    }

    @Test
    public void shouldReAuthenticateIfReAuthTimeIntervalHasElapsed() throws IOException, ServletException {
        long currentTimeMillis = DateTimeUtils.currentTimeMillis();
        long minuteBack = DateTimeUtils.currentTimeMillis() - 60000;
        Authentication authentication = setupAuthentication();

        when(timeProvider.currentTimeMillis()).thenReturn(currentTimeMillis);
        when(systemEnvironment.isReAuthenticationEnabled()).thenReturn(true);
        when(systemEnvironment.getReAuthenticationTimeInterval()).thenReturn(55000L);
        when(session.getAttribute(ReAuthenticationFilter.LAST_REAUTHENICATION_CHECK_TIME)).thenReturn(minuteBack);

        filter.doFilterHttp(request, response, filterChain);

        verify(session).setAttribute(ReAuthenticationFilter.LAST_REAUTHENICATION_CHECK_TIME, currentTimeMillis);
        verify(filterChain).doFilter(request, response);
        verifyNoMoreInteractions(filterChain);
        assertFalse(authentication.isAuthenticated());
    }

    private Authentication setupAuthentication() {
        GrantedAuthority[] authorities = {};
        Authentication authentication = new TestingAuthenticationToken(new User("user", "password", true, true,true, true, authorities), null, authorities);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        authentication.setAuthenticated(true);

        return authentication;
    }
}