From 2bc9a2d70f17b1cbcea5238ec49c51ccae12b7f7 Mon Sep 17 00:00:00 2001
From: Mohamed Karray
Date: Mon, 1 Oct 2018 12:20:17 +0200
Subject: [PATCH] add unit tests for the user and group name validation
---
 .../scm/api/v2/ValidationConstraints.java | 6 ++--
 .../v2/resources/GroupRootResourceTest.java | 26 ++++++++++++++++
 .../resources/PermissionRootResourceTest.java | 30 +++++++++++++++++++
 .../v2/resources/UserRootResourceTest.java | 26 ++++++++++++++++
 4 files changed, 85 insertions(+), 3 deletions(-)
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/ValidationConstraints.java b/scm-webapp/src/main/java/sonia/scm/api/v2/ValidationConstraints.java
index 50dfd72bfb..b98af3aa80 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/ValidationConstraints.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/ValidationConstraints.java
@@ -5,10 +5,10 @@ public final class ValidationConstraints {
 private ValidationConstraints() {}
 /**
- * A user or group name should not start with the @ character
+ * A user or group name should not start with @ or a whitespace
 * and it not contains whitespaces
- * the characters: . - _ are allowed
+ * and the characters: . - _ @ are allowed
 */
- public static final String USER_GROUP_PATTERN = "^[^@][A-z0-9\\.\\-_]|([A-z0-9\\.\\-_]*[A-z0-9\\.\\-_])?$";
+ public static final String USER_GROUP_PATTERN = "^[^@\\s][A-z0-9\\.\\-_@]+$";
 }
diff --git a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/GroupRootResourceTest.java b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/GroupRootResourceTest.java
index f662542ff7..c4fded9bb7 100644
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/GroupRootResourceTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/GroupRootResourceTest.java
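Review bot: In ValidationConstraints.java the new `USER_GROUP_PATTERN` still accepts characters the Javadoc does not list: the range `A-z` also covers `[`, `\`, `]`, `^` and the backtick, and the first position `[^@\\s]` admits anything that is not `@` or whitespace (for example `/` or `<`). An allow-list for both positions closes that, e.g. `"^[A-Za-z0-9\\.\\-_][A-Za-z0-9\\.\\-_@]*$"`; keep `+` instead of `*` if the current two-character minimum is intended. The Javadoc line "and it not contains whitespaces" would read better as "and must not contain whitespace".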
@@ -224,6 +224,32 @@ public class GroupRootResourceTest {
 assertEquals("user1", createdGroup.getMembers().get(0));
 }
+ @Test
+ public void shouldGet400OnCreatingNewGroupWithNotAllowedCharacters() throws URISyntaxException {
+ // the @ character at the begin of the name is not allowed
+ String groupJson = "{ \"name\": \"@grpname\", \"type\": \"admin\" }";
+ MockHttpRequest request = MockHttpRequest
+ .post("/" + GroupRootResource.GROUPS_PATH_V2)
+ .contentType(VndMediaType.GROUP)
+ .content(groupJson.getBytes());
+ MockHttpResponse response = new MockHttpResponse();
+
+ dispatcher.invoke(request, response);
+
+ assertEquals(400, response.getStatus());
+
+ // the whitespace at the begin opf the name is not allowed
+ groupJson = "{ \"name\": \" grpname\", \"type\": \"admin\" }";
+ request = MockHttpRequest
+ .post("/" + GroupRootResource.GROUPS_PATH_V2)
+ .contentType(VndMediaType.GROUP)
+ .content(groupJson.getBytes());
+
+ dispatcher.invoke(request, response);
+
+ assertEquals(400, response.getStatus());
+ }
+
 @Test
 public void shouldFailForMissingContent() throws URISyntaxException {
 MockHttpRequest request = MockHttpRequest
diff --git a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/PermissionRootResourceTest.java b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/PermissionRootResourceTest.java
index 563e9bdbc0..635d994763 100644
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/PermissionRootResourceTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/PermissionRootResourceTest.java
@@ -48,6 +48,7 @@ import java.util.stream.Stream;
 import static de.otto.edison.hal.Link.link;
 import static de.otto.edison.hal.Links.linkingTo;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
 import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 import static org.mockito.Matchers.any;
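Review bot: In GroupRootResourceTest the second request is dispatched into the same `MockHttpResponse` that already holds the 400 from the first one, so the second `assertEquals(400, response.getStatus())` can pass without the leading-whitespace name ever being rejected if the dispatcher leaves the status untouched. Add `response = new MockHttpResponse();` before the second `dispatcher.invoke(request, response);`, as the PermissionRootResourceTest hunk already does; the UserRootResourceTest hunk has the same reuse. Splitting the two cases into separate test methods would also keep a failure in the first from hiding the second.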
@@ -233,6 +234,35 @@ public class PermissionRootResourceTest extends RepositoryTestBase {
 );
 }
+
+ @Test
+ public void shouldGet400OnCreatingNewPermissionWithNotAllowedCharacters() throws URISyntaxException {
+ // the @ character at the begin of the name is not allowed
+ createUserWithRepository("user");
+ String permissionJson = "{ \"name\": \"@permission\", \"type\": \"OWNER\" }";
+ MockHttpRequest request = MockHttpRequest
+ .post("/" + RepositoryRootResource.REPOSITORIES_PATH_V2 + PATH_OF_ALL_PERMISSIONS)
+ .content(permissionJson.getBytes())
+ .contentType(VndMediaType.PERMISSION);
+ MockHttpResponse response = new MockHttpResponse();
+
+ dispatcher.invoke(request, response);
+
+ assertEquals(400, response.getStatus());
+
+ // the whitespace at the begin opf the name is not allowed
+ permissionJson = "{ \"name\": \" permission\", \"type\": \"OWNER\" }";
+ request = MockHttpRequest
+ .post("/" + RepositoryRootResource.REPOSITORIES_PATH_V2 + PATH_OF_ALL_PERMISSIONS)
+ .content(permissionJson.getBytes())
+ .contentType(VndMediaType.PERMISSION);
+ response = new MockHttpResponse();
+
+ dispatcher.invoke(request, response);
+
+ assertEquals(400, response.getStatus());
+ }
+
 @Test
 public void shouldGetCreatedPermissions() throws URISyntaxException {
 createUserWithRepositoryAndPermissions(TEST_PERMISSIONS, PERMISSION_WRITE);
diff --git a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserRootResourceTest.java b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserRootResourceTest.java
index 065a33313f..6ab1dc6aeb 100644
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserRootResourceTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserRootResourceTest.java
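Review bot: The new test in PermissionRootResourceTest, like the ones added for groups and users, only checks a leading `@` and a leading space, so most of the pattern stays unpinned. Nothing asserts that whitespace or another disallowed character inside a name yields 400, nor that a name with an interior `@` is accepted, which is the behaviour this commit newly allows. I would add those cases next to the existing two, for example a body with `\"name\": \"per mission\"` expecting 400. The typo `opf` in the second comment can be fixed at the same time.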
@@ -98,6 +98,32 @@ public class UserRootResourceTest {
 assertTrue(response.getContentAsString().contains("\"delete\":{\"href\":\"/v2/users/Neo\"}"));
 }
+ @Test
+ public void shouldGet400OnCreatingNewUserWithNotAllowedCharacters() throws URISyntaxException {
+ // the @ character at the begin of the name is not allowed
+ String userJson = "{ \"name\": \"@user\", \"type\": \"db\" }";
+ MockHttpRequest request = MockHttpRequest
+ .post("/" + UserRootResource.USERS_PATH_V2)
+ .contentType(VndMediaType.USER)
+ .content(userJson.getBytes());
+ MockHttpResponse response = new MockHttpResponse();
+
+ dispatcher.invoke(request, response);
+
+ assertEquals(400, response.getStatus());
+
+ // the whitespace at the begin opf the name is not allowed
+ userJson = "{ \"name\": \" user\", \"type\": \"db\" }";
+ request = MockHttpRequest
+ .post("/" + UserRootResource.USERS_PATH_V2)
+ .contentType(VndMediaType.USER)
+ .content(userJson.getBytes());
+
+ dispatcher.invoke(request, response);
+
+ assertEquals(400, response.getStatus());
+ }
+
 @Test
 @SubjectAware(username = "unpriv")
 public void shouldCreateLimitedResponseForSimpleUser() throws URISyntaxException {