Let integration tests use links from HAL and test brute force links

2025-11-07 22:15:45 +01:00 · 2018-08-22 12:20:09 +02:00
parent 585d37feed
commit 02f4801b58
2 changed files with 50 additions and 13 deletions
--- a/scm-it/src/test/java/sonia/scm/it/PermissionsITCase.java
+++ b/scm-it/src/test/java/sonia/scm/it/PermissionsITCase.java
@@ -50,10 +50,12 @@ import java.util.List;
 import java.util.Objects;

 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
 import static sonia.scm.it.RepositoryUtil.addAndCommitRandomFile;
 import static sonia.scm.it.RestUtil.given;
 import static sonia.scm.it.ScmTypes.availableScmTypes;
-import static sonia.scm.it.TestData.callUserPermissions;
+import static sonia.scm.it.TestData.USER_SCM_ADMIN;
+import static sonia.scm.it.TestData.callRepository;

@RunWith(Parameterized.class)
 public class PermissionsITCase {
@@ -94,15 +96,35 @@ public class PermissionsITCase {
  }

  @Test
-  public void readUserShouldSeePermissions() {
-    List<Object> userPermissions = TestData.getUserPermissions(USER_READ, USER_PASS, repositoryType);
-    assertEquals(userPermissions.size(), createdPermissions);
+  public void readUserShouldNotSeePermissions() {
+    assertNull(callRepository(USER_WRITE, USER_PASS, repositoryType, HttpStatus.SC_OK)
+      .extract()
+      .body().jsonPath().getString("_links.permissions.href"));
  }

  @Test
-  public void writeUserShouldSeePermissions() {
-    List<Object> userPermissions = TestData.getUserPermissions(USER_WRITE, USER_PASS, repositoryType);
-    assertEquals(userPermissions.size(), createdPermissions);
+  public void readUserShouldNotSeeBruteForcePermissions() {
+    given(VndMediaType.PERMISSION, USER_READ, USER_PASS)
+      .when()
+      .get(TestData.getDefaultPermissionUrl(USER_SCM_ADMIN, USER_SCM_ADMIN, repositoryType))
+      .then()
+      .statusCode(HttpStatus.SC_FORBIDDEN);
+  }
+
+  @Test
+  public void writeUserShouldNotSeePermissions() {
+    assertNull(callRepository(USER_WRITE, USER_PASS, repositoryType, HttpStatus.SC_OK)
+      .extract()
+      .body().jsonPath().getString("_links.permissions.href"));
+  }
+
+  @Test
+  public void writeUserShouldNotSeeBruteForcePermissions() {
+    given(VndMediaType.PERMISSION, USER_WRITE, USER_PASS)
+      .when()
+      .get(TestData.getDefaultPermissionUrl(USER_SCM_ADMIN, USER_SCM_ADMIN, repositoryType))
+      .then()
+      .statusCode(HttpStatus.SC_FORBIDDEN);
  }

  @Test
@@ -112,8 +134,17 @@ public class PermissionsITCase {
  }

  @Test
-  public void otherUserShouldNotSeePermissions() {
-    callUserPermissions(USER_OTHER, USER_PASS, repositoryType, HttpStatus.SC_FORBIDDEN);
+  public void otherUserShouldNotSeeRepository() {
+    callRepository(USER_OTHER, USER_PASS, repositoryType, HttpStatus.SC_FORBIDDEN);
+  }
+
+  @Test
+  public void otherUserShouldNotSeeBruteForcePermissions() {
+    given(VndMediaType.PERMISSION, USER_OTHER, USER_PASS)
+      .when()
+      .get(TestData.getDefaultPermissionUrl(USER_SCM_ADMIN, USER_SCM_ADMIN, repositoryType))
+      .then()
+      .statusCode(HttpStatus.SC_FORBIDDEN);
  }

  @Test
--- a/scm-it/src/test/java/sonia/scm/it/TestData.java
+++ b/scm-it/src/test/java/sonia/scm/it/TestData.java
@@ -72,7 +72,7 @@ public class TestData {
        "\t\"groupPermission\": false\n" +
        "\t\n" +
        "}")
-      .post(TestData.getDefaultPermissionUrl(repositoryType))
+      .post(TestData.getDefaultPermissionUrl(USER_SCM_ADMIN, USER_SCM_ADMIN, repositoryType))
      .then()
      .statusCode(HttpStatus.SC_CREATED)
    ;
@@ -87,7 +87,7 @@ public class TestData {
  public static ValidatableResponse callUserPermissions(String username, String password, String repositoryType, int expectedStatusCode) {
    return given(VndMediaType.PERMISSION, username, password)
      .when()
-      .get(TestData.getDefaultPermissionUrl(repositoryType))
+      .get(TestData.getDefaultPermissionUrl(username, password, repositoryType))
      .then()
      .statusCode(expectedStatusCode);
  }
@@ -102,8 +102,14 @@ public class TestData {
      .statusCode(expectedStatusCode);
  }

-  public static String getDefaultPermissionUrl(String repositoryType) {
-    return getDefaultRepositoryUrl(repositoryType) + "/permissions/";
+  public static String getDefaultPermissionUrl(String username, String password, String repositoryType) {
+    return given(VndMediaType.REPOSITORY, username, password)
+      .when()
+      .get(getDefaultRepositoryUrl(repositoryType))
+      .then()
+      .statusCode(HttpStatus.SC_OK)
+      .extract()
+      .body().jsonPath().getString("_links.permissions.href");
  }