security hardening #12
+78
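--- /dev/null
+++ b/PATH_NOT_SHOWN/AuthenticatedUserResolverTest.java
@@ -0,0 +1,78 @@
+package de.zendric.app.xpensely_Server.security;
+
+import de.zendric.app.xpensely_server.model.AppUser;
+import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
+import de.zendric.app.xpensely_server.services.UserService;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.springframework.web.server.ResponseStatusException;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.*;
+
+class AuthenticatedUserResolverTest {
+
+UserService userService;
+AuthenticatedUserResolver resolver;
+
+@BeforeEach
+void setUp() {
+userService = mock(UserService.class);
+resolver = new AuthenticatedUserResolver(userService);
+}
+
+@Test
+void resolveCurrentUser_validJwt_returnsAppUser() {
+Jwt jwt = Jwt.withTokenValue("token")
+.header("alg", "RS256")
+.subject("google-id-123")
+.build();
+JwtAuthenticationToken auth = new JwtAuthenticationToken(jwt);
+
+AppUser user = new AppUser();
+user.setId(1L);
+user.setGoogleId("google-id-123");
+when(userService.getUserByGoogleId("google-id-123")).thenReturn(user);
+
+AppUser result = resolver.resolveCurrentUser(auth);
+assertEquals(user, result);
+}
+
+@Test
+void resolveCurrentUser_userNotFound_throws403() {
+Jwt jwt = Jwt.withTokenValue("token")
+.header("alg", "RS256")
+.subject("unknown-id")
+.build();
+JwtAuthenticationToken auth = new JwtAuthenticationToken(jwt);
+when(userService.getUserByGoogleId("unknown-id")).thenReturn(null);
+
+ResponseStatusException ex = assertThrows(ResponseStatusException.class,
+() -> resolver.resolveCurrentUser(auth));
+assertEquals(HttpStatus.FORBIDDEN, ex.getStatusCode());
+}
+
+@Test
+void resolveCurrentUser_userServiceThrows_throws403() {
+Jwt jwt = Jwt.withTokenValue("token")
+.header("alg", "RS256")
+.subject("gone-id")
+.build();
+JwtAuthenticationToken auth = new JwtAuthenticationToken(jwt);
+when(userService.getUserByGoogleId("gone-id")).thenThrow(new IllegalArgumentException("not found"));
+
+ResponseStatusException ex = assertThrows(ResponseStatusException.class,
+() -> resolver.resolveCurrentUser(auth));
+assertEquals(HttpStatus.FORBIDDEN, ex.getStatusCode());
+}
+
+@Test
+void resolveCurrentUser_nullAuthentication_throws403() {
+ResponseStatusException ex = assertThrows(ResponseStatusException.class,
+() -> resolver.resolveCurrentUser(null));
+assertEquals(HttpStatus.FORBIDDEN, ex.getStatusCode());
+}
+}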
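Review bot: The package declaration on the first line, `de.zendric.app.xpensely_Server.security`, differs in case from every import (`de.zendric.app.xpensely_server.*`), so this test is compiled into a different package from the class it exercises; Java package names are case-sensitive, and the mismatch will also bite on case-sensitive filesystems where the directory name must agree. It should read `package de.zendric.app.xpensely_server.security;`. The 403 tests pin only the status code; for a hardening change they should also pin the mock interactions, e.g. `verify(userService).getUserByGoogleId("unknown-id");` in the not-found case and `verifyNoInteractions(userService);` in the null-authentication case, so a future regression that skips the lookup or consults the service before the null check is caught. Two denied paths are still untested and would round out the coverage: an `Authentication` that is not a `JwtAuthenticationToken`, and a `Jwt` built without a subject, both presumably expected to produce the same FORBIDDEN result — confirm against the resolver.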