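/* (c) 2017 Open Source Geospatial Foundation - all rights reserved
 * This code is licensed under the GPL 2.0 license, available at the root
 * application directory.
 */
package org.geoserver.rest.security;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotEquals;

import java.io.IOException;
import java.text.MessageFormat;

import org.custommonkey.xmlunit.XMLUnit;
import org.custommonkey.xmlunit.XpathEngine;
import org.geoserver.data.test.SystemTestData;
import org.geoserver.rest.RestBaseController;
import org.geoserver.security.GeoServerUserGroupService;
import org.geoserver.security.GeoServerUserGroupStore;
import org.geoserver.security.impl.GeoServerUser;
import org.geoserver.security.validation.PasswordPolicyException;
import org.geoserver.security.xml.XMLUserGroupService;
import org.geoserver.test.GeoServerSystemTestSupport;
import org.junit.Test;
import org.springframework.http.HttpStatus;

/**
 * Test for {@link UserPasswordController}, the REST endpoint through which an
 * authenticated user changes their own password.
 *
 * <p>The request document used here carries only the new password (the
 * {@link UserPasswordController#UP_NEW_PW} element). None of these tests sends or
 * checks a current-password element, so whether the controller verifies the caller's
 * existing password before accepting a new one is not covered by this class.
 *
 * @author Emanuele Tajariol <etj at geo-solutions.it>
 */
public class UserPasswordControllerTest extends GeoServerSystemTestSupport {

    /** Endpoint under test. */
    static final String UP_URI = RestBaseController.ROOT_PATH + "/security/self/password";

    /** Test account created on demand in {@link #onSetUp(SystemTestData)}. */
    static final String USERNAME = "restuser";

    /** Known-good password the account is reset to before every authenticated test. */
    static final String USERPW = "restpassword";

    protected static XpathEngine xp;

    /**
     * Well-formed change-password document; {@code {0}} is the new password.
     * Note that {@link MessageFormat} treats single quotes as escape characters, so a
     * new password containing {@code '} would not be rendered verbatim by this template.
     */
    static final String xmlTemplate =
            "<" + UserPasswordController.XML_ROOT_ELEM + ">"
                    + "<" + UserPasswordController.UP_NEW_PW + ">{0}</" + UserPasswordController.UP_NEW_PW + ">"
                    + "</" + UserPasswordController.XML_ROOT_ELEM + ">";

    /** Document with the right root element but an unexpected child; must be rejected. */
    static final String xmlBadTemplate =
            "<" + UserPasswordController.XML_ROOT_ELEM + ">"
                    + "<not_the_right_element>{0}</not_the_right_element>"
                    + "</" + UserPasswordController.XML_ROOT_ELEM + ">";

    @Override
    protected void onSetUp(SystemTestData testData) throws Exception {
        super.onSetUp(testData);

        // Create the test user once; later runs in the same JVM reuse it.
        GeoServerUserGroupService service = userGroupService();
        if (service.getUserByUsername(USERNAME) == null) {
            GeoServerUser user = service.createUserObject(USERNAME, USERPW, true);
            GeoServerUserGroupStore store = service.createStore();
            store.addUser(user);
            store.store();
            service.load();
        }
        xp = XMLUnit.newXpathEngine();
    }

    /** Loads the default XML user/group service that holds the test account. */
    private GeoServerUserGroupService userGroupService() throws IOException {
        return getSecurityManager().loadUserGroupService(XMLUserGroupService.DEFAULT_NAME);
    }

    /** Sends the given XML body with a PUT to {@link #UP_URI} and returns the HTTP status code. */
    private int putPassword(String body) throws Exception {
        return putAsServletResponse(UP_URI, body, "text/xml").getStatus();
    }

    /**
     * Restores the test account's password to {@link #USERPW} so that tests which change
     * it (see {@link #checkUpdatedPassword()}) do not affect the ones that follow.
     *
     * <p>The raw password is handed to the user object; encoding it before persisting is
     * the responsibility of the store, not of this test.
     */
    public void resetUserPassword() throws IOException, PasswordPolicyException {
        GeoServerUserGroupService service = userGroupService();
        GeoServerUser user = service.getUserByUsername(USERNAME);
        user.setPassword(USERPW);

        GeoServerUserGroupStore store = service.createStore();
        store.updateUser(user);
        store.store();
        service.load();
    }

    /** Resets the account password and authenticates as the test user. */
    public void login() throws Exception {
        resetUserPassword();
        login(USERNAME, USERPW, "ROLE_AUTHENTICATED");
    }

    @Test
    public void testGetAsAuthorized() throws Exception {
        login();
        assertEquals(
                HttpStatus.METHOD_NOT_ALLOWED.value(),
                getAsServletResponse(UP_URI).getStatus());
    }

    @Test
    public void testGetAsNotAuthorized() throws Exception {
        logout();
        assertEquals(
                HttpStatus.METHOD_NOT_ALLOWED.value(),
                getAsServletResponse(UP_URI).getStatus());
    }

    /** An anonymous caller must not be able to set a password; the endpoint answers 405. */
    @Test
    public void testPutUnauthorized() throws Exception {
        logout();
        String body = MessageFormat.format(xmlTemplate, "new01");
        assertEquals(HttpStatus.METHOD_NOT_ALLOWED.value(), putPassword(body));
    }

    /** A blank new password is rejected with 400. */
    @Test
    public void testPutInvalidNewPassword() throws Exception {
        login();
        String body = MessageFormat.format(xmlTemplate, " ");
        assertEquals(HttpStatus.BAD_REQUEST.value(), putPassword(body));
    }

    /** A document that does not carry the expected element is rejected with 400. */
    @Test
    public void testPutInvalidElement() throws Exception {
        login();
        String body = MessageFormat.format(xmlBadTemplate, "newpw42");
        assertEquals(HttpStatus.BAD_REQUEST.value(), putPassword(body));
    }

    @Test
    public void testPutAsXML() throws Exception {
        login();
        String body = MessageFormat.format(xmlTemplate, "pw01");
        assertEquals(HttpStatus.OK.value(), putPassword(body));
    }

    /**
     * Two successive password changes must each alter the value persisted in the user
     * service. Only inequality of the stored values is asserted here; this test does not
     * check that the stored value is not the cleartext, nor that the new password actually
     * authenticates, since {@code getPassword()} returns whatever encoding the configured
     * store applies.
     */
    @Test
    public void checkUpdatedPassword() throws Exception {
        GeoServerUserGroupService service = userGroupService();
        login();

        // Capture the persisted (store-encoded) value before any change.
        String originalPw = service.getUserByUsername(USERNAME).getPassword();

        assertEquals(HttpStatus.OK.value(), putPassword(MessageFormat.format(xmlTemplate, "pw01")));

        // Reload from the store so the comparison sees what was persisted, not a cached object.
        service.load();
        String pw1 = service.getUserByUsername(USERNAME).getPassword();
        assertNotEquals(originalPw, pw1);

        assertEquals(HttpStatus.OK.value(), putPassword(MessageFormat.format(xmlTemplate, "pw02")));

        service.load();
        String pw2 = service.getUserByUsername(USERNAME).getPassword();
        assertNotEquals(originalPw, pw2);
        assertNotEquals(pw1, pw2);
    }
}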