EjbXACMLAuthorizationModuleTestCase.java

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2012, Red Hat, Inc., and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.jboss.as.test.integration.security.xacml;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;

import java.io.IOException;
import java.util.concurrent.Callable;

import javax.ejb.EJB;
import javax.ejb.EJBAccessException;

import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.as.arquillian.api.ServerSetup;
import org.jboss.as.arquillian.api.ServerSetupTask;
import org.jboss.as.test.integration.security.common.AbstractSecurityDomainsServerSetupTask;
import org.jboss.as.test.integration.security.common.config.SecurityDomain;
import org.jboss.as.test.integration.security.common.config.SecurityModule;
import org.jboss.as.test.integration.security.common.ejb3.Hello;
import org.jboss.as.test.integration.security.common.ejb3.HelloBean;
import org.jboss.as.test.shared.integration.ejb.security.Util;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.asset.StringAsset;
import org.jboss.shrinkwrap.api.spec.JavaArchive;
import org.junit.Test;
import org.junit.runner.RunWith;

/**
 * Arquillian JUnit testcase for testing XACML based authorization of EJBs.
 *
 * @author Josef Cacek
 */
@RunWith(Arquillian.class)
@ServerSetup({EjbXACMLAuthorizationModuleTestCase.SecurityDomainsSetup.class})
public class EjbXACMLAuthorizationModuleTestCase {

    @EJB(mappedName = "java:global/test-custom-xacml/HelloBean")
    private Hello hello;

    // Public methods --------------------------------------------------------

    /**
     * Creates {@link JavaArchive} for testing the {@link CustomXACMLAuthorizationModule}.
     *
     * @return
     * @throws IOException
     * @throws IllegalArgumentException
     */
    @Deployment
    public static JavaArchive deploymentCustomXACMLAuthz() throws IllegalArgumentException, IOException {
        return createJar("test-custom-xacml.jar", SecurityDomain.DEFAULT_NAME);
    }

    /**
     * Tests secured EJB call for unauthenticated user.
     *
     * @throws Exception
     */
    @Test
    public void testNotAuthn() throws Exception {
        try {
            hello.sayHelloWorld();
            fail("Access to sayHelloWorld() should be denied if not authenticated.");
        } catch (EJBAccessException e) {
            //OK
        }
    }

    /**
     * Test secured EJB call for authenticated and authorized user.
     *
     * @throws Exception
     */
    @Test
    public void testAuthz() throws Exception {
        final Callable<Void> callable = () -> {
            assertEquals(HelloBean.HELLO_WORLD, hello.sayHelloWorld());
            return null;
        };
        Util.switchIdentitySCF("jduke", "theduke", callable);
    }

    /**
     * Test secured EJB call for authenticated but not authorized authorized user.
     *
     * @throws Exception
     */
    @Test
    public void testNotAuthz() throws Exception {
        final Callable<Void> callable = () -> {
            hello.sayHelloWorld();
            fail("Access to sayHelloWorld() should be denied for JohnDoe.");
            return null;
        };
        try {
            Util.switchIdentitySCF("JohnDoe", "jdoe", callable);
        } catch (EJBAccessException e) {
            //OK - expected
        }
    }

    /**
     * Tests unauthenticated call followed by the authentication and second call to the same instance.
     *
     * @throws Exception
     */
    @Test
    public void testAuthenticationCache() throws Exception {
        try {
            hello.sayHelloWorld();
            fail("Access to sayHello() should be denied if not authenticated.");
        } catch (EJBAccessException e) {
            //OK
        }
        final Callable<Void> callable = () -> {
            assertEquals(HelloBean.HELLO_WORLD, hello.sayHelloWorld());
            return null;
        };
        Util.switchIdentitySCF("jduke", "theduke", callable);
    }

    // Private methods -------------------------------------------------------

    /**
     * Creates JAR with the EJB for the test deployment.
     *
     * @param archiveName
     * @param securityDomainName
     * @return
     */
    private static JavaArchive createJar(final String archiveName, final String securityDomainName) {
        final JavaArchive jar = ShrinkWrap
                .create(JavaArchive.class, archiveName)
                .addClasses(HelloBean.class, Hello.class, CustomXACMLAuthorizationModule.class, Util.class)
                .addAsResource(new StringAsset("jduke=theduke\nJohnDoe=jdoe"), "users.properties")
                .addAsResource(new StringAsset("jduke=TestRole,TestRole2\nJohnDoe=TestRole"), "roles.properties")
                .addAsResource(EjbXACMLAuthorizationModuleTestCase.class.getPackage(),
                        XACMLTestUtils.TESTOBJECTS_CONFIG + "/jbossxacml-config.xml", "jbossxacml-config.xml")
                .addAsResource(EjbXACMLAuthorizationModuleTestCase.class.getPackage(),
                        XACMLTestUtils.TESTOBJECTS_POLICIES + "/ejb-xacml-policy.xml", "xacml-policy.xml")
                .addAsManifestResource(EjbXACMLAuthorizationModuleTestCase.class.getPackage(),
                        XACMLTestUtils.TESTOBJECTS_CONFIG + "/jboss-ejb3.xml", "jboss-ejb3.xml");
        XACMLTestUtils.addJBossDeploymentStructureToArchive(jar);
        jar.addClasses(AbstractSecurityDomainsServerSetupTask.class);
        return jar;
    }

    // Embedded classes ------------------------------------------------------

    /**
     * A {@link ServerSetupTask} instance which creates security domains for this test case.
     *
     * @author Josef Cacek
     */
    static class SecurityDomainsSetup extends AbstractSecurityDomainsServerSetupTask {

        /**
         * Returns SecurityDomains configuration for this testcase.
         *
         * @see org.jboss.as.test.integration.security.common.AbstractSecurityDomainsServerSetupTask#getSecurityDomains()
         */
        @Override
        protected SecurityDomain[] getSecurityDomains() {
            final SecurityDomain sd = new SecurityDomain.Builder()
                    .name(SecurityDomain.DEFAULT_NAME)
                    .loginModules(new SecurityModule.Builder().name("UsersRoles").build())
                    .authorizationModules(
                            new SecurityModule.Builder().name(CustomXACMLAuthorizationModule.class.getName()).build()) //
                    .build();
            return new SecurityDomain[]{sd};
        }
    }
}