/**
* Copyright (c) 2013-2016, The SeedStack authors <http://seedstack.org>
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
package org.seedstack.seed.security.internal.realms;
import org.junit.Before;
import org.junit.Test;
import org.seedstack.seed.security.AuthenticationInfo;
import org.seedstack.seed.security.AuthenticationToken;
import org.seedstack.seed.security.IncorrectCredentialsException;
import org.seedstack.seed.security.RoleMapping;
import org.seedstack.seed.security.RolePermissionResolver;
import org.seedstack.seed.security.UnsupportedTokenException;
import org.seedstack.seed.security.X509CertificateToken;
import org.seedstack.seed.security.principals.PrincipalProvider;
import org.seedstack.seed.security.principals.Principals;
import org.seedstack.seed.security.principals.X509CertificatePrincipalProvider;
import javax.security.auth.x500.X500Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Set;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
/**
 * Unit tests for {@link X509CertificateRealm}.
 *
 * <p>Every certificate used here is a Mockito mock, so these tests cover principal
 * extraction (UID from the subject DN, chain exposed as a principal) and role derivation
 * (issuer CN) only. No signature, validity-period or chain-of-trust check is exercised;
 * the realm is assumed to receive a chain that was already validated upstream (presumably
 * by the TLS layer) — confirm against the realm implementation before relying on that.
 */
public class X509CertificateRealmTest {

    private X509CertificateRealm underTest;
    private X509Certificate x509Certificate;
    private RoleMapping roleMapping;
    private RolePermissionResolver rolePermissionResolver;

    /** Wires a fresh realm with mocked collaborators before every test. */
    @Before
    public void before() {
        x509Certificate = mock(X509Certificate.class);
        roleMapping = mock(RoleMapping.class);
        rolePermissionResolver = mock(RolePermissionResolver.class);

        underTest = new X509CertificateRealm();
        underTest.setRolePermissionResolver(rolePermissionResolver);
        underTest.setRoleMapping(roleMapping);
    }

    /** Whatever is injected through the setters must be readable back through the getters. */
    @Test
    public void getters_should_return_attributes() {
        assertThat(underTest.getRolePermissionResolver()).isEqualTo(rolePermissionResolver);
        assertThat(underTest.getRoleMapping()).isEqualTo(roleMapping);
    }

    /**
     * With a UID attribute in the subject DN, that UID becomes the identity principal and the
     * presented chain is additionally exposed as an {@code X509Certificate[]} principal.
     */
    @Test
    public void getAuthenticationInfo_should_return_authentication_info() {
        String expectedUid = "a123456";
        X500Principal subject = new X500Principal("CN=John Doe, OU=SI, O=PSA, UID=" + expectedUid + ", C=foo");
        when(x509Certificate.getSubjectX500Principal()).thenReturn(subject);
        X509Certificate[] chain = { x509Certificate };

        AuthenticationInfo info = underTest.getAuthenticationInfo(new X509CertificateToken(chain));

        assertThat(info.getIdentityPrincipal().getPrincipal()).isEqualTo(expectedUid);
        PrincipalProvider<X509Certificate[]> chainPrincipal =
                Principals.getOnePrincipalByType(info.getOtherPrincipals(), X509Certificate[].class);
        assertThat(chainPrincipal.getPrincipal()[0]).isEqualTo(x509Certificate);
    }

    /** Any token type other than {@link X509CertificateToken} must be rejected outright. */
    @Test(expected = UnsupportedTokenException.class)
    public void getAuthenticationInfo_should_throw_exception_if_unsupported_token() {
        AuthenticationToken foreignToken = mock(AuthenticationToken.class);
        underTest.getAuthenticationInfo(foreignToken);
    }

    /**
     * A token carrying no chain at all must fail authentication.
     *
     * <p>NOTE(review): despite the name, only a {@code null} chain is covered; a zero-length
     * array is not exercised here and is worth a separate case.
     */
    @Test(expected = IncorrectCredentialsException.class)
    public void getAuthenticationInfo_should_throw_exception_if_token_empty() {
        underTest.getAuthenticationInfo(new X509CertificateToken(null));
    }

    /**
     * Without a UID attribute there is no string identity to extract, so the realm uses the
     * certificate chain itself as the identity principal.
     */
    @Test
    public void getAuthenticationInfo_no_uid() {
        X500Principal subjectWithoutUid = new X500Principal("CN=John Doe, OU=SI, O=PSA");
        when(x509Certificate.getSubjectX500Principal()).thenReturn(subjectWithoutUid);
        AuthenticationToken token = new X509CertificateToken(new X509Certificate[] { x509Certificate });

        AuthenticationInfo info = underTest.getAuthenticationInfo(token);
        Object identity = info.getIdentityPrincipal().getPrincipal();

        X509Certificate[] identityChain = (X509Certificate[]) identity;
        assertThat(identityChain[0]).isEqualTo(x509Certificate);
    }

    /**
     * Realm roles are the issuer CNs of the certificates in the chain: two certificates from
     * two distinct issuers yield exactly those two roles, regardless of the identity principal
     * passed alongside.
     *
     * <p>Security note: keying roles on the issuer CN is only as strong as the chain validation
     * performed before the token reaches the realm; with mocked certificates none of that is
     * tested here.
     */
    @Test
    public void getRealmRoles_should_return_roles() {
        String issuerCn1 = "foobar";
        String issuerCn2 = "barfoo";
        when(x509Certificate.getIssuerX500Principal())
                .thenReturn(new X500Principal("CN=" + issuerCn1 + ", OU=ou, o=PSA"));
        X509Certificate secondCertificate = mock(X509Certificate.class);
        when(secondCertificate.getIssuerX500Principal())
                .thenReturn(new X500Principal("CN=" + issuerCn2 + ", OU=ou, o=PSA"));

        X509Certificate[] chain = { x509Certificate, secondCertificate };
        Collection<PrincipalProvider<?>> principals = new ArrayList<>();
        principals.add(new X509CertificatePrincipalProvider(chain));

        Set<String> roles = underTest.getRealmRoles(Principals.identityPrincipal("uid"), principals);

        assertThat(roles).containsOnly(issuerCn1, issuerCn2);
    }
}