SecureLinkTest.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.wicket.security;

import java.util.HashMap;
import java.util.Map;

import org.apache.wicket.Page;
import org.apache.wicket.extensions.markup.html.tabs.ITab;
import org.apache.wicket.markup.html.pages.AccessDeniedPage;
import org.apache.wicket.protocol.http.WebRequestCycle;
import org.apache.wicket.request.target.component.BookmarkablePageRequestTarget;
import org.apache.wicket.security.actions.WaspAction;
import org.apache.wicket.security.checks.LinkSecurityCheck;
import org.apache.wicket.security.components.ISecurePage;
import org.apache.wicket.security.components.SecureComponentHelper;
import org.apache.wicket.security.components.markup.html.links.SecurePageLink;
import org.apache.wicket.security.pages.insecure.SecureComponentPage;
import org.apache.wicket.security.pages.secure.HomePage;
import org.apache.wicket.security.pages.secure.PageA;
import org.apache.wicket.util.tester.FormTester;
import org.apache.wicket.util.tester.TagTester;

/**
 * Test links
 * 
 * @author marrink
 */
public class SecureLinkTest extends WaspAbstractTestBase
{

	/**
	 * Test a link that will allow people to replace panels / containers much like the
	 * {@link ITab} from extensions
	 */
	public void testContainerLink()
	{
		// change to default behavior of ClassAuthorizationStrategy
		setSecureClass(ISecurePage.class);
		setUp();
		// continueto originaldestination does not work if there is no url
		// available, so we need to fake one here(testing only hack)
		mock.setupRequestAndResponse();
		WebRequestCycle cycle = mock.createRequestCycle();
		String url1 =
			cycle.urlFor(new BookmarkablePageRequestTarget(SecureComponentPage.class, null))
				.toString();
		// the expected url is the base test
		mock.getServletRequest().setURL("/WaspAbstractTestBase$1/WaspAbstractTestBase$1/" + url1);
		mock.processRequestCycle();
		mock.assertRenderedPage(getLoginPage());
		FormTester form = mock.newFormTester("signInPanel:signInForm");
		form.setValue("username", "test");
		form.setValue("password", "test");
		form.submit();
		mock.assertRenderedPage(SecureComponentPage.class);
		mock.assertVisible("replaceMe");
		mock.assertInvisible("link"); // no enable action on
		// webmarkupcontainer
		// need to arrange enable rights for webmarkupcontainer
		Map<String, WaspAction> authorized = new HashMap<String, WaspAction>();
		authorized.put(SecureComponentHelper
			.alias(SecureComponentPage.MyReplacementContainer.class), application
			.getActionFactory().getAction("access render enable"));
		login(authorized);
		mock.startPage(mock.getLastRenderedPage());
		mock.assertRenderedPage(SecureComponentPage.class);
		mock.assertVisible("replaceMe");
		mock.assertVisible("link");
		TagTester tag = mock.getTagByWicketId("replaceMe");
		assertEquals("span", tag.getName());
		mock.clickLink("link", false);
		mock.assertRenderedPage(SecureComponentPage.class);
		mock.assertVisible("replaceMe");
		mock.assertInvisible("link");
		tag = mock.getTagByWicketId("replaceMe");
		assertEquals("div", tag.getName());

	}

	/**
	 * Test visibility and clickability of a secure link.
	 */
	public void testLink()
	{
		// step zero, login and you will not see the PageA link (it has no
		// authorization, the default render check
		// will prevent it from rendering
		doLogin();
		mock.assertInvisible("link");
		mock.assertVisible("sorry");
		// step one, show the secure home page without a link to PageA
		Page lastPage = mock.getLastRenderedPage();
		SecurePageLink< ? > link = (SecurePageLink< ? >) lastPage.get("link");
		LinkSecurityCheck linkcheck =
			((LinkSecurityCheck) link.getSecurityCheck()).setUseAlternativeRenderCheck(true);
		// step two, show the secure home page with a not clickable link to
		// PageA (e.g. not a href)
		Map<String, WaspAction> authorized = new HashMap<String, WaspAction>();
		authorized.put(SecureComponentHelper.alias(link), application.getActionFactory().getAction(
			"access render"));
		login(authorized);
		mock.startPage(lastPage);
		mock.assertRenderedPage(getHomePage());
		assertSame(lastPage, mock.getLastRenderedPage());
		mock.assertInvisible("sorry");
		mock.assertVisible("link");
		TagTester tag = mock.getTagByWicketId("link");
		assertNull(tag.getAttribute("href"));
		assertNull(tag.getAttribute("onclick"));
		// step three, show the secure home page with a clickable link to PageA
		authorized.clear();
		authorized.put(SecureComponentHelper.alias(HomePage.class), application.getActionFactory()
			.getAction("access render enable"));
		authorized.put(SecureComponentHelper.alias(PageA.class), application.getActionFactory()
			.getAction("render enable"));
		login(authorized);
		Page page = mock.getLastRenderedPage();
		mock.startPage(page);
		tag = mock.getTagByWicketId("link");
		assertNotNull(tag.getAttribute("href"));
		logoff(authorized);
		authorized.clear();
		// step four, show the secure home page with a clickable link and click
		// the link that is not enabled.
		linkcheck.setUseAlternativeRenderCheck(false);
		authorized.put(SecureComponentHelper.alias(HomePage.class), application.getActionFactory()
			.getAction("access render enable"));
		authorized.put(SecureComponentHelper.alias(PageA.class), application.getActionFactory()
			.getAction("access render"));
		login(authorized);
		mock.setupRequestAndResponse();
		mock.processRequestCycle();
		mock.assertRenderedPage(getHomePage());
		mock.assertInvisible("sorry");
		mock.assertVisible("link");
		mock.assertDisabled("link");
		// step five, add enable rights and click the link again.
		authorized.put(SecureComponentHelper.alias(PageA.class), application.getActionFactory()
			.getAction("access render enable"));
		// Note that normally access is implied by render, just not in this
		// simple
		// testcase
		login(authorized);
		mock.startPage(getHomePage());
		mock.clickLink("link", false);
		mock.assertRenderedPage(PageA.class);
	}

}