From b9f1a200fa37a85fb604a477c9b777a99b30299b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Pfeuffer?=
Date: Wed, 13 Jun 2018 14:07:43 +0200
Subject: [PATCH] Test roles
---
 .../api/v2/resources/GroupSubResource.java | 48 +++++++++++++----
 .../api/v2/resources/GroupV2ResourceTest.java | 53 ++++++++++++++++++-
 .../api/v2/resources/UserV2ResourceTest.java | 19 +++++--
 3 files changed, 106 insertions(+), 14 deletions(-)
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupSubResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupSubResource.java
index 6de603ffd1..393b545742 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupSubResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupSubResource.java
@@ -1,6 +1,11 @@
 package sonia.scm.api.v2.resources;
+import org.apache.shiro.SecurityUtils;
+import sonia.scm.api.rest.resources.AbstractManagerResource;
 import sonia.scm.group.Group;
+import sonia.scm.group.GroupException;
+import sonia.scm.group.GroupManager;
+import sonia.scm.security.Role;
 import sonia.scm.web.VndMediaType;
 import javax.inject.Inject;
@@ -11,31 +16,39 @@ import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.Context;
+import javax.ws.rs.core.GenericEntity;
 import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
-import java.util.stream.IntStream;
-import java.util.stream.StreamSupport;
-
-import static java.util.stream.Collectors.toList;
+import java.util.Collection;
 @Produces(VndMediaType.GROUP)
-public class GroupSubResource {
+public class GroupSubResource extends AbstractManagerResource {
 private final Group2GroupDtoMapper groupToGroupDtoMapper;
 @Inject
- public GroupSubResource(Group2GroupDtoMapper groupToGroupDtoMapper) {
+ public GroupSubResource(GroupManager manager, Group2GroupDtoMapper groupToGroupDtoMapper) {
+ super(manager);
 this.groupToGroupDtoMapper = groupToGroupDtoMapper;
 }
 @Path("")
 @GET
 public Response get(@Context Request request, @Context UriInfo uriInfo, @PathParam("id") String id) {
- Group group = new Group("admin", "admin");
- group.setCreationDate(System.currentTimeMillis());
- group.setMembers(IntStream.range(1, 10).mapToObj(n -> "user" + n).collect(toList()));
- return Response.ok(groupToGroupDtoMapper.groupToGroupDto(group, uriInfo)).build();
+ if (SecurityUtils.getSubject().hasRole(Role.ADMIN))
+ {
+ Group group = manager.get(id);
+ if (group == null) {
+ return Response.status(Response.Status.NOT_FOUND).build();
+ }
+ GroupDto groupDto = groupToGroupDtoMapper.groupToGroupDto(group, uriInfo);
+ return Response.ok(groupDto).build();
+ }
+ else
+ {
+ return Response.status(Response.Status.FORBIDDEN).build();
+ }
 }
 @Path("")
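Review bot: The admin check in `get` is written inline as an if/else wrapped around the whole body, so every handler in this class has to repeat it by hand; `update`, visible as context in the next hunk, still only throws, and nothing here makes the check the default once it is implemented. A guard clause at the top, `if (!SecurityUtils.getSubject().hasRole(Role.ADMIN)) { return Response.status(Response.Status.FORBIDDEN).build(); }`, puts the deny path first and un-nests the lookup while keeping the current ordering, in which a non-admin gets 403 before `manager.get(id)` runs and so cannot tell existing groups from missing ones. The new block also mixes next-line braces with the same-line brace on `if (group == null) {`, so one style should be picked. An unauthenticated subject presumably lands in the 403 branch as well; whether that should be 401 depends on filters outside this hunk.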
@@ -49,4 +62,19 @@ public class GroupSubResource {
 public Response update(@PathParam("id") String id) {
 throw new RuntimeException();
 }
+
+ @Override
+ protected GenericEntity> createGenericEntity(Collection items) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ protected String getId(Group item) {
+ return item.getName();
+ }
+
+ @Override
+ protected String getPathPart() {
+ throw new UnsupportedOperationException();
+ }
 }
diff --git a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/GroupV2ResourceTest.java b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/GroupV2ResourceTest.java
index b59b077ad9..b42a4a4403 100644
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/GroupV2ResourceTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/GroupV2ResourceTest.java
@@ -18,13 +18,17 @@ import sonia.scm.group.GroupException;
 import sonia.scm.group.GroupManager;
 import sonia.scm.web.VndMediaType;
+import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.util.Collections;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.doNothing;
+import static org.mockito.Mockito.when;
 import static org.mockito.MockitoAnnotations.initMocks;
 @SubjectAware(
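Review bot: In GroupSubResource, `createGenericEntity` and `getPathPart` are overridden only to throw `UnsupportedOperationException`, which suggests the class extends `AbstractManagerResource` just to obtain the `manager` field. The base class is outside this diff, so it is worth confirming that none of its inherited methods are reachable as resource methods on this sub-resource: any that are would either hit these throwing stubs or run without the explicit `Role.ADMIN` check that `get` performs in the previous hunk, unless the base class enforces its own. If only the manager is needed, a `private final GroupManager manager;` field avoids inheriting that surface; otherwise each stub deserves a comment such as `// not used by the v2 sub-resource; only get(...) is exposed`.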
@@ -53,13 +57,60 @@ public class GroupV2ResourceTest {
 initMocks(this);
 doNothing().when(groupManager).create(groupCaptor.capture());
+ Group group = new Group();
+ group.setName("admin");
+ group.setCreationDate(0L);
+ group.setMembers(Collections.singletonList("user"));
+ when(groupManager.get("admin")).thenReturn(group);
+
 GroupCollectionResource groupCollectionResource = new GroupCollectionResource(groupManager, dtoToGroupMapper, groupToDtoMapper);
- GroupSubResource groupSubResource = new GroupSubResource(groupToDtoMapper);
+ GroupSubResource groupSubResource = new GroupSubResource(groupManager, groupToDtoMapper);
 GroupV2Resource groupV2Resource = new GroupV2Resource(groupCollectionResource, groupSubResource);
 dispatcher.getRegistry().addSingletonResource(groupV2Resource);
 }
+ @Test
+ public void shouldGetNotFoundForNotExistentGroup() throws URISyntaxException {
+ MockHttpRequest request = MockHttpRequest.get("/" + GroupV2Resource.GROUPS_PATH_V2 + "nosuchgroup");
+ MockHttpResponse response = new MockHttpResponse();
+
+ dispatcher.invoke(request, response);
+
+ assertEquals(HttpServletResponse.SC_NOT_FOUND, response.getStatus());
+ }
+
+ @Test
+ @SubjectAware(username = "unpriv")
+ public void shouldGetNotAuthorizedForWrongUser() throws URISyntaxException {
+ MockHttpRequest request = MockHttpRequest.get("/" + GroupV2Resource.GROUPS_PATH_V2 + "admin");
+ MockHttpResponse response = new MockHttpResponse();
+
+ dispatcher.invoke(request, response);
+
+ assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
+ }
+
+ @Test
+ public void shouldGetGroup() throws URISyntaxException {
+ Group group = new Group();
+ group.setName("admin");
+ group.setCreationDate(0L);
+ group.setMembers(Collections.singletonList("user"));
+ when(groupManager.get("admin")).thenReturn(group);
+
+ MockHttpRequest request = MockHttpRequest.get("/" + GroupV2Resource.GROUPS_PATH_V2 + "admin");
+ MockHttpResponse response = new MockHttpResponse();
+
+ dispatcher.invoke(request, response);
+
+ assertEquals(HttpServletResponse.SC_OK, response.getStatus());
+ assertTrue(response.getContentAsString().contains("\"name\":\"admin\""));
+ assertTrue(response.getContentAsString().contains("\"self\":{\"href\":\"/v2/groups/admin\"}"));
+ assertTrue(response.getContentAsString().contains("\"delete\":{\"href\":\"/v2/groups/admin\"}"));
+ assertTrue(response.getContentAsString().contains("\"name\":\"user\""));
+ }
+
 @Test
 public void shouldCreateNewGroupWithMembers() throws URISyntaxException, IOException {
 URL url = Resources.getResource("sonia/scm/api/v2/group-test-create.json");
diff --git a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserV2ResourceTest.java b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserV2ResourceTest.java
index 25a86facd5..86c3fceab0 100644
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserV2ResourceTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserV2ResourceTest.java
@@ -62,7 +62,9 @@ public class UserV2ResourceTest {
 @Before
 public void prepareEnvironment() throws IOException, UserException {
 initMocks(this);
- when(userManager.getPage(any(), eq(0), eq(10))).thenReturn(new PageResult<>(Collections.singletonList(createDummyUser()), true));
+ User dummyUser = createDummyUser();
+ when(userManager.getPage(any(), eq(0), eq(10))).thenReturn(new PageResult<>(Collections.singletonList(dummyUser), true));
+ when(userManager.get("Neo")).thenReturn(dummyUser);
 doNothing().when(userManager).create(userCaptor.capture());
 UserCollectionResource userCollectionResource = new UserCollectionResource(userManager, dtoToUserMapper, userToDtoMapper);
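Review bot: The new tests in GroupV2ResourceTest do not pin the order of the two checks in `GroupSubResource.get`. `shouldGetNotFoundForNotExistentGroup` runs as the class-level subject (presumably an admin) and `shouldGetNotAuthorizedForWrongUser` asks for a group that exists, so a later change that looks the group up before checking the role would still pass both while letting `unpriv` distinguish existing from missing groups. A further test that requests `GroupV2Resource.GROUPS_PATH_V2 + "nosuchgroup"` under `@SubjectAware(username = "unpriv")` and asserts `HttpServletResponse.SC_FORBIDDEN` would close that gap. `shouldGetGroup` also repeats the `Group` stubbing that the setup method in this same hunk already installs for `"admin"`, so those five lines can be dropped.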
@@ -74,7 +76,7 @@ public class UserV2ResourceTest {
 @Test
 public void shouldCreateFullResponseForAdmin() throws URISyntaxException {
- MockHttpRequest request = MockHttpRequest.get("/" + UserV2Resource.USERS_PATH_V2);
+ MockHttpRequest request = MockHttpRequest.get("/" + UserV2Resource.USERS_PATH_V2 + "Neo");
 MockHttpResponse response = new MockHttpResponse();
 dispatcher.invoke(request, response);
@@ -88,7 +90,7 @@ public class UserV2ResourceTest {
 @Test
 @SubjectAware(username = "unpriv")
- public void shouldCreateLimitedResponseForAdmin() throws URISyntaxException {
+ public void shouldCreateLimitedResponseForSimpleUser() throws URISyntaxException {
 MockHttpRequest request = MockHttpRequest.get("/" + UserV2Resource.USERS_PATH_V2);
 MockHttpResponse response = new MockHttpResponse();
@@ -101,6 +103,17 @@ public class UserV2ResourceTest {
 assertFalse(response.getContentAsString().contains("\"delete\":{\"href\":\"/v2/users/Neo\"}"));
 }
+ @Test
+ @SubjectAware(username = "unpriv")
+ public void shouldNotGetSingleUserForSimpleUser() throws URISyntaxException {
+ MockHttpRequest request = MockHttpRequest.get("/" + UserV2Resource.USERS_PATH_V2 + "Neo");
+ MockHttpResponse response = new MockHttpResponse();
+
+ dispatcher.invoke(request, response);
+
+ assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
+ }
+
 @Test
 public void shouldCreateNewUserWithEncryptedPassword() throws URISyntaxException, IOException {
 URL url = Resources.getResource("sonia/scm/api/v2/user-test-create.json");
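Review bot: In the first hunk here, `shouldCreateFullResponseForAdmin` now requests `UserV2Resource.USERS_PATH_V2 + "Neo"` instead of the collection, so within what this diff shows no test still asserts the admin view of the user collection; only the limited view for `unpriv` remains covered, by `shouldCreateLimitedResponseForSimpleUser`. Unless a test outside these hunks covers it, keeping the collection request in its own admin test next to the new single-user one would retain both authorization outcomes for both endpoints. The assertions of `shouldCreateFullResponseForAdmin` lie outside the hunk, so whether they still match a single-user body cannot be checked from here.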