/*
* JBoss, Home of Professional Open Source.
* Copyright 2015, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.as.test.integration.web.security.runas;
import static java.net.HttpURLConnection.HTTP_OK;
import static org.jboss.as.test.integration.web.security.runas.CallProtectedEjbServlet.DESTROY_METHOD_NOT_PASS;
import static org.jboss.as.test.integration.web.security.runas.CallProtectedEjbServlet.DESTROY_METHOD_PASS;
import static org.jboss.as.test.integration.web.security.runas.CallProtectedEjbServlet.DOGET_METHOD_NOT_PASS;
import static org.jboss.as.test.integration.web.security.runas.CallProtectedEjbServlet.DOGET_METHOD_PASS;
import static org.jboss.as.test.integration.web.security.runas.CallProtectedEjbServlet.INIT_METHOD_NOT_PASS;
import static org.jboss.as.test.integration.web.security.runas.CallProtectedEjbServlet.INIT_METHOD_PASS;
import static org.junit.Assert.assertTrue;
import java.io.BufferedReader;
import java.io.File;
import java.io.FilePermission;
import java.io.FileReader;
import java.io.IOException;
import java.net.URL;
import org.apache.commons.io.FileUtils;
import org.jboss.arquillian.container.test.api.Deployer;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.OperateOnDeployment;
import org.jboss.arquillian.container.test.api.RunAsClient;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.arquillian.junit.InSequence;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.jboss.as.arquillian.container.ManagementClient;
import org.jboss.as.test.integration.security.common.Utils;
import org.jboss.as.test.shared.ServerReload;
import org.jboss.as.test.shared.integration.ejb.security.PermissionUtils;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Test;
import org.junit.runner.RunWith;
/**
* Test case for RunAs in Servlet. It tests secured EJB invocation in HttpServlet init(), doGet() and destroy() methods.
*
* @author olukas
*/
@RunWith(Arquillian.class)
@RunAsClient
public class ServletRunAsTestCase {
private static final String DEPLOYMENT = "deployment";
private static String correctRoleResult;
private static String incorrectRoleResult;
private static final File WORK_DIR = new File("ServletRunAsTestCase-" + System.currentTimeMillis());
private static final File CORRECT_ROLE_AND_STOP_SERVER = new File(WORK_DIR, "correctRoleAndStopServer.log");
private static final File INCORRECT_ROLE_AND_STOP_SERVER = new File(WORK_DIR, "incorrectRoleAndStopServer.log");
private static final File CORRECT_ROLE_AND_UNDEPLOY = new File(WORK_DIR, "correctRoleAndUndeploy.log");
private static final File INCORRECT_ROLE_AND_UNDEPLOY = new File(WORK_DIR, "incorrectRoleAndUndeploy.log");
@ArquillianResource
private ManagementClient managementClient;
@ArquillianResource
Deployer deployer;
@Test
@InSequence(Integer.MIN_VALUE)
public void initialize() throws Exception {
deployer.deploy(DEPLOYMENT);
WORK_DIR.mkdirs();
}
/**
* Access Servlet which uses RunAs with correct role needed for secured EJB invocation.
* <p>
* This method will run init() and doGet() method and stores results.
*
* @param url
* @throws Exception
*/
@Test
@InSequence(1)
@OperateOnDeployment(DEPLOYMENT)
public void runServletWithCorrectRole(@ArquillianResource URL url) throws Exception {
final URL servletUrl = new URL(url.toExternalForm() + RunAsAdminServlet.SERVLET_PATH.substring(1) + "?"
+ Utils.encodeQueryParam(CallProtectedEjbServlet.FILE_PARAM, CORRECT_ROLE_AND_UNDEPLOY.getAbsolutePath()));
correctRoleResult = Utils.makeCall(servletUrl.toURI(), HTTP_OK);
}
/**
* Check whether Servlet which uses RunAs with correct role needed for secured EJB invocation can correctly invoked that EJB
* method in HttpServlet.init() method.
*
* @throws Exception
*/
@Test
@InSequence(2)
public void checkInitMethodWithCorrectRole() throws Exception {
assertTrue("EJB invocation failed in init() method of Servlet which uses RunAs with correct role.",
correctRoleResult.contains(INIT_METHOD_PASS + HelloBean.HELLO));
}
/**
* Check whether Servlet which uses RunAs with correct role needed for secured EJB invocation can correctly invoked that EJB
* method in HttpServlet.doGet() method.
*
* @throws Exception
*/
@Test
@InSequence(3)
public void checkDoGetMethodWithCorrectRole() throws Exception {
assertTrue("EJB invocation failed in doGet() method of Servlet which uses RunAs with correct role.",
correctRoleResult.contains(DOGET_METHOD_PASS + HelloBean.HELLO));
}
/**
* Access Servlet which uses RunAs with different role than in needed for secured EJB invocation.
* <p>
* This method will run init() and doGet() method and stores results.
*
* @param url
* @throws Exception
*/
@Test
@InSequence(4)
@OperateOnDeployment(DEPLOYMENT)
public void runServletWithIncorrectRole(@ArquillianResource URL url) throws Exception {
final URL servletUrl = new URL(url.toExternalForm() + RunAsUserServlet.SERVLET_PATH.substring(1) + "?"
+ Utils.encodeQueryParam(CallProtectedEjbServlet.FILE_PARAM, INCORRECT_ROLE_AND_UNDEPLOY.getAbsolutePath()));
incorrectRoleResult = Utils.makeCall(servletUrl.toURI(), HTTP_OK);
}
/**
* Check whether Servlet which uses RunAs with different role than in needed for secured EJB invocation cannot correctly
* invoked that EJB method in HttpServlet.init() method.
*
* @throws Exception
*/
@Test
@InSequence(5)
public void checkInitMethodWithIncorrectRole() throws Exception {
assertTrue("EJB invocation did not failed in init() method of Servlet which uses RunAs with incorrect role.",
incorrectRoleResult.contains(INIT_METHOD_NOT_PASS));
}
/**
* Check whether Servlet which uses RunAs with different role than in needed for secured EJB invocation cannot correctly
* invoked that EJB method in HttpServlet.doGet() method.
*
* @throws Exception
*/
@Test
@InSequence(6)
public void checkDoGetMethodWithIncorrectRole() throws Exception {
assertTrue("EJB invocation did not failed in doGet() method of Servlet which uses RunAs with incorrect role.",
incorrectRoleResult.contains(DOGET_METHOD_NOT_PASS));
}
/**
* Stop server for invoking HttpServlet.destroy() method during undeploying.
*
* @throws Exception
*/
@Test
@InSequence(7)
public void runDestroyMethodInUndeploying() throws Exception {
deployer.undeploy(DEPLOYMENT);
}
/**
* Check whether Servlet which uses RunAs with correct role needed for secured EJB invocation can correctly invoked that EJB
* method in HttpServlet.destroy() method during undeploying application.
*
* @throws Exception
*/
@Test
@InSequence(8)
public void checkDestroyInUndeployingMethodWithCorrectRole() throws Exception {
assertTrue("EJB invocation failed in destroy() method of Servlet which uses RunAs with correct role during undeploying.",
readFirstLineOfFile(CORRECT_ROLE_AND_UNDEPLOY).contains(DESTROY_METHOD_PASS + HelloBean.HELLO));
}
/**
* Check whether Servlet which uses RunAs with different role than in needed for secured EJB invocation cannot correctly
* invoked that EJB method in HttpServlet.destroy() method during undeploying application.
*
* @throws Exception
*/
@Test
@InSequence(9)
public void checkDestroyInUndeployingMethodWithIncorrectRole() throws Exception {
assertTrue("EJB invocation did not failed in destroy() method of Servlet which uses RunAs with incorrect role during "
+ "undeploying.",
readFirstLineOfFile(INCORRECT_ROLE_AND_UNDEPLOY).contains(DESTROY_METHOD_NOT_PASS));
}
/**
* Restart server for invoking HttpServlet.destroy() method during stopping server. It also hit Servlet for initialization
* of Servlet before server is restarted.
*
* @param url
* @throws Exception
*/
@Test
@InSequence(10)
@OperateOnDeployment(DEPLOYMENT)
public void runDestroyMethodInStopServer(@ArquillianResource URL url) throws Exception {
deployer.deploy(DEPLOYMENT);
URL servletUrl = new URL(url.toExternalForm() + RunAsAdminServlet.SERVLET_PATH.substring(1) + "?"
+ Utils.encodeQueryParam(CallProtectedEjbServlet.FILE_PARAM, CORRECT_ROLE_AND_STOP_SERVER.getAbsolutePath()));
Utils.makeCall(servletUrl.toURI(), HTTP_OK);
servletUrl = new URL(url.toExternalForm() + RunAsUserServlet.SERVLET_PATH.substring(1) + "?"
+ Utils.encodeQueryParam(CallProtectedEjbServlet.FILE_PARAM, INCORRECT_ROLE_AND_STOP_SERVER.getAbsolutePath()));
Utils.makeCall(servletUrl.toURI(), HTTP_OK);
ServerReload.executeReloadAndWaitForCompletion(managementClient.getControllerClient(), 50000);
}
/**
* Check whether Servlet which uses RunAs with correct role needed for secured EJB invocation can correctly invoked that EJB
* method in HttpServlet.destroy() method during stopping server.
*
* @throws Exception
*/
@Test
@InSequence(11)
public void checkDestroyMethodInStopServerWithCorrectRole() throws Exception {
assertTrue("EJB invocation failed in destroy() method of Servlet which uses RunAs with correct role during stopping "
+ "server.",
readFirstLineOfFile(CORRECT_ROLE_AND_STOP_SERVER).contains(DESTROY_METHOD_PASS + HelloBean.HELLO));
}
/**
* Check whether Servlet which uses RunAs with different role than in needed for secured EJB invocation cannot correctly
* invoked that EJB method in HttpServlet.destroy() method during stopping server.
*
* @throws Exception
*/
@Test
@InSequence(12)
public void checkDestroyMethodInStopServerWithIncorrectRole() throws Exception {
assertTrue("EJB invocation did not failed in destroy() method of Servlet which uses RunAs with incorrect role "
+ "during stopping server.",
readFirstLineOfFile(INCORRECT_ROLE_AND_STOP_SERVER).contains(DESTROY_METHOD_NOT_PASS));
}
@Test
@InSequence(Integer.MAX_VALUE)
public void finish() throws Exception {
deployer.undeploy(DEPLOYMENT);
FileUtils.deleteQuietly(WORK_DIR);
}
@Deployment(name = DEPLOYMENT, managed = false, testable = false)
public static WebArchive deployment() throws Exception {
WebArchive war = ShrinkWrap.create(WebArchive.class, "servlet-runas.war");
war.addClasses(CallProtectedEjbServlet.class, RunAsAdminServlet.class, RunAsUserServlet.class, Hello.class,
HelloBean.class);
war.addAsWebResource(PermissionUtils.createPermissionsXmlAsset(new FilePermission(WORK_DIR.getAbsolutePath() + "/*", "read,write")), "META-INF/permissions.xml");
return war;
}
private String readFirstLineOfFile(File file) throws IOException {
try (BufferedReader br = new BufferedReader(new FileReader(file))) {
return br.readLine();
}
}
}