Add tests for the Change Password Endpoints

scm-webapp/src/test/java/sonia/scm/api/v2/resources/DispatcherMock.java

@@ -16,6 +16,7 @@ public class DispatcherMock {
     dispatcher.getProviderFactory().registerProvider(ConcurrentModificationExceptionMapper.class);
     dispatcher.getProviderFactory().registerProvider(InternalRepositoryExceptionMapper.class);
     dispatcher.getProviderFactory().registerProvider(ChangePasswordNotAllowedExceptionMapper.class);
+    dispatcher.getProviderFactory().registerProvider(InvalidPasswordExceptionMapper.class);
     return dispatcher;
   }
 }

scm-webapp/src/test/java/sonia/scm/api/v2/resources/MeResourceTest.java

@@ -2,8 +2,8 @@ package sonia.scm.api.v2.resources;
 
 import com.github.sdorra.shiro.ShiroRule;
 import com.github.sdorra.shiro.SubjectAware;
+import org.apache.shiro.authc.credential.PasswordService;
 import org.jboss.resteasy.core.Dispatcher;
-import org.jboss.resteasy.mock.MockDispatcherFactory;
 import org.jboss.resteasy.mock.MockHttpRequest;
 import org.jboss.resteasy.mock.MockHttpResponse;
 import org.junit.Before;
@@ -23,11 +23,17 @@ import java.net.URISyntaxException;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.doNothing;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.mockito.MockitoAnnotations.initMocks;
+import static sonia.scm.api.v2.resources.DispatcherMock.createDispatcher;
 
 @SubjectAware(
+  username = "trillian",
+  password = "secret",
   configuration = "classpath:sonia/scm/repository/shiro.ini"
 )
 public class MeResourceTest {
@@ -35,8 +41,7 @@ public class MeResourceTest {
   @Rule
   public ShiroRule shiro = new ShiroRule();
 
-  private Dispatcher dispatcher = MockDispatcherFactory.createDispatcher();
-
+  private Dispatcher dispatcher;
 
   private final ResourceLinks resourceLinks = ResourceLinksMock.createMock(URI.create("/"));
   @Mock
@@ -48,21 +53,27 @@ public class MeResourceTest {
   private UserManager userManager;
 
   @InjectMocks
-  private UserToUserDtoMapperImpl userToDtoMapper;
+  private MeToUserDtoMapperImpl userToDtoMapper;
 
   private ArgumentCaptor<User> userCaptor = ArgumentCaptor.forClass(User.class);
 
+  @Mock
+  private PasswordService passwordService;
+  private User originalUser;
+
   @Before
   public void prepareEnvironment() throws Exception {
     initMocks(this);
-    createDummyUser("trillian");
+    originalUser = createDummyUser("trillian");
     when(userManager.create(userCaptor.capture())).thenAnswer(invocation -> invocation.getArguments()[0]);
     doNothing().when(userManager).modify(userCaptor.capture());
     doNothing().when(userManager).delete(userCaptor.capture());
+    when(userManager.isTypeDefault(userCaptor.capture())).thenCallRealMethod();
+    when(userManager.getUserTypeChecker()).thenCallRealMethod();
     when(userManager.getDefaultType()).thenReturn("xml");
     userToDtoMapper.setResourceLinks(resourceLinks);
-    MeResource meResource = new MeResource(userToDtoMapper, userManager);
-    dispatcher.getRegistry().addSingletonResource(meResource);
+    MeResource meResource = new MeResource(userToDtoMapper, userManager, passwordService);
+    dispatcher = createDispatcher(meResource);
     when(uriInfo.getBaseUri()).thenReturn(URI.create("/"));
     when(uriInfoStore.get()).thenReturn(uriInfo);
   }
@@ -79,13 +90,77 @@ public class MeResourceTest {
     assertEquals(HttpServletResponse.SC_OK, response.getStatus());
     assertTrue(response.getContentAsString().contains("\"name\":\"trillian\""));
     assertTrue(response.getContentAsString().contains("\"password\":null"));
-    assertTrue(response.getContentAsString().contains("\"self\":{\"href\":\"/v2/users/trillian\"}"));
+    assertTrue(response.getContentAsString().contains("\"self\":{\"href\":\"/v2/me/\"}"));
     assertTrue(response.getContentAsString().contains("\"delete\":{\"href\":\"/v2/users/trillian\"}"));
   }
 
+  @Test
+  @SubjectAware(username = "trillian", password = "secret")
+  public void shouldEncryptPasswordBeforeChanging() throws Exception {
+    String newPassword = "pwd123";
+    String encryptedNewPassword = "encrypted123";
+    String oldPassword = "notEncriptedSecret";
+    String content = String.format("{ \"oldPassword\": \"%s\" , \"newPassword\": \"%s\" }", oldPassword, newPassword);
+    MockHttpRequest request = MockHttpRequest
+      .put("/" + MeResource.ME_PATH_V2 + "password")
+      .contentType(VndMediaType.PASSWORD_CHANGE)
+      .content(content.getBytes());
+    MockHttpResponse response = new MockHttpResponse();
+    when(passwordService.encryptPassword(eq(newPassword))).thenReturn(encryptedNewPassword);
+    when(passwordService.encryptPassword(eq(oldPassword))).thenReturn("secret");
+
+    dispatcher.invoke(request, response);
+
+    assertEquals(HttpServletResponse.SC_NO_CONTENT, response.getStatus());
+    verify(userManager).modify(any(User.class));
+    User updatedUser = userCaptor.getValue();
+    assertEquals(encryptedNewPassword, updatedUser.getPassword());
+  }
+
+  @Test
+  @SubjectAware(username = "trillian", password = "secret")
+  public void shouldGet400OnChangePasswordOfUserWithNonDefaultType() throws Exception {
+    originalUser.setType("not an xml type");
+    String newPassword = "pwd123";
+    String oldPassword = "notEncriptedSecret";
+    String content = String.format("{ \"oldPassword\": \"%s\" , \"newPassword\": \"%s\" }", oldPassword, newPassword);
+    MockHttpRequest request = MockHttpRequest
+      .put("/" + MeResource.ME_PATH_V2 + "password")
+      .contentType(VndMediaType.PASSWORD_CHANGE)
+      .content(content.getBytes());
+    MockHttpResponse response = new MockHttpResponse();
+    when(passwordService.encryptPassword(newPassword)).thenReturn("encrypted123");
+    when(passwordService.encryptPassword(eq(oldPassword))).thenReturn("secret");
+
+    dispatcher.invoke(request, response);
+
+    assertEquals(HttpServletResponse.SC_BAD_REQUEST, response.getStatus());
+  }
+
+  @Test
+  @SubjectAware(username = "trillian", password = "secret")
+  public void shouldGet401OnChangePasswordIfOldPasswordDoesNotMatchOriginalPassword() throws Exception {
+    String newPassword = "pwd123";
+    String oldPassword = "notEncriptedSecret";
+    String content = String.format("{ \"oldPassword\": \"%s\" , \"newPassword\": \"%s\" }", oldPassword, newPassword);
+    MockHttpRequest request = MockHttpRequest
+      .put("/" + MeResource.ME_PATH_V2 + "password")
+      .contentType(VndMediaType.PASSWORD_CHANGE)
+      .content(content.getBytes());
+    MockHttpResponse response = new MockHttpResponse();
+    when(passwordService.encryptPassword(newPassword)).thenReturn("encrypted123");
+    when(passwordService.encryptPassword(eq(oldPassword))).thenReturn("differentThanSecret");
+
+    dispatcher.invoke(request, response);
+
+    assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getStatus());
+  }
+
+
   private User createDummyUser(String name) {
     User user = new User();
     user.setName(name);
+    user.setType("xml");
     user.setPassword("secret");
     user.setCreationDate(System.currentTimeMillis());
     when(userManager.get(name)).thenReturn(user);

scm-webapp/src/test/java/sonia/scm/api/v2/resources/MeToUserDtoMapperTest.java

@@ -0,0 +1,135 @@
+package sonia.scm.api.v2.resources;
+
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.subject.support.SubjectThreadState;
+import org.apache.shiro.util.ThreadContext;
+import org.apache.shiro.util.ThreadState;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import sonia.scm.user.User;
+import sonia.scm.user.UserManager;
+
+import java.net.URI;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.mockito.MockitoAnnotations.initMocks;
+
+public class MeToUserDtoMapperTest {
+
+  private final URI baseUri = URI.create("http://example.com/base/");
+  @SuppressWarnings("unused") // Is injected
+  private final ResourceLinks resourceLinks = ResourceLinksMock.createMock(baseUri);
+
+  @Mock
+  private UserManager userManager;
+
+  @InjectMocks
+  private MeToUserDtoMapperImpl mapper;
+
+  private final Subject subject = mock(Subject.class);
+  private final ThreadState subjectThreadState = new SubjectThreadState(subject);
+
+  private URI expectedBaseUri;
+  private URI expectedUserBaseUri;
+
+  @Before
+  public void init() {
+    initMocks(this);
+    when(userManager.getDefaultType()).thenReturn("xml");
+    expectedBaseUri = baseUri.resolve(MeResource.ME_PATH_V2 + "/");
+    expectedUserBaseUri = baseUri.resolve(UserRootResource.USERS_PATH_V2 + "/");
+    subjectThreadState.bind();
+    ThreadContext.bind(subject);
+  }
+
+  @After
+  public void unbindSubject() {
+    ThreadContext.unbindSubject();
+  }
+
+  @Test
+  public void shouldMapTheUpdateLink() {
+    User user = createDefaultUser();
+    when(subject.isPermitted("user:modify:abc")).thenReturn(true);
+
+    UserDto userDto = mapper.map(user);
+    assertEquals("expected update link", expectedUserBaseUri.resolve("abc").toString(), userDto.getLinks().getLinkBy("update").get().getHref());
+
+    when(subject.isPermitted("user:modify:abc")).thenReturn(false);
+    userDto = mapper.map(user);
+    assertFalse("expected no update link", userDto.getLinks().getLinkBy("update").isPresent());
+  }
+
+  @Test
+  public void shouldMapTheSelfLink() {
+    User user = createDefaultUser();
+    when(subject.isPermitted("user:modify:abc")).thenReturn(true);
+
+    UserDto userDto = mapper.map(user);
+    assertEquals("expected self link", expectedBaseUri.toString(), userDto.getLinks().getLinkBy("self").get().getHref());
+
+  }
+
+  @Test
+  public void shouldMapTheDeleteLink() {
+    User user = createDefaultUser();
+    when(subject.isPermitted("user:delete:abc")).thenReturn(true);
+
+    UserDto userDto = mapper.map(user);
+    assertEquals("expected update link", expectedUserBaseUri.resolve("abc").toString(), userDto.getLinks().getLinkBy("delete").get().getHref());
+
+    when(subject.isPermitted("user:delete:abc")).thenReturn(false);
+    userDto = mapper.map(user);
+    assertFalse("expected no delete link", userDto.getLinks().getLinkBy("delete").isPresent());
+  }
+
+  @Test
+  public void shouldGetPasswordLinkOnlyForDefaultUserType() {
+    User user = createDefaultUser();
+    when(subject.isPermitted("user:modify:abc")).thenReturn(true);
+    when(userManager.isTypeDefault(eq(user))).thenReturn(true);
+
+    UserDto userDto = mapper.map(user);
+
+    assertEquals("expected password link with modify permission", expectedBaseUri.resolve("password").toString(), userDto.getLinks().getLinkBy("password").get().getHref());
+
+    when(subject.isPermitted("user:modify:abc")).thenReturn(false);
+    userDto = mapper.map(user);
+    assertEquals("expected password link on mission modify permission", expectedBaseUri.resolve("password").toString(), userDto.getLinks().getLinkBy("password").get().getHref());
+
+    when(userManager.isTypeDefault(eq(user))).thenReturn(false);
+
+    userDto = mapper.map(user);
+
+    assertFalse("expected no password link", userDto.getLinks().getLinkBy("password").isPresent());
+  }
+
+
+  @Test
+  public void shouldGetEmptyPasswordProperty() {
+    User user = createDefaultUser();
+    user.setPassword("myHighSecurePassword");
+    when(subject.isPermitted("user:modify:abc")).thenReturn(true);
+
+    UserDto userDto = mapper.map(user);
+
+    assertThat(userDto.getPassword()).as("hide password for the me resource").isBlank();
+  }
+
+  private User createDefaultUser() {
+    User user = new User();
+    user.setName("abc");
+    user.setCreationDate(1L);
+    return user;
+  }
+
+
+}

scm-webapp/src/test/java/sonia/scm/api/v2/resources/ResourceLinksMock.java

@@ -13,7 +13,9 @@ public class ResourceLinksMock {
     UriInfo uriInfo = mock(UriInfo.class);
     when(uriInfo.getBaseUri()).thenReturn(baseUri);
 
-    when(resourceLinks.user()).thenReturn(new ResourceLinks.UserLinks(uriInfo));
+    ResourceLinks.UserLinks userLinks = new ResourceLinks.UserLinks(uriInfo);
+    when(resourceLinks.user()).thenReturn(userLinks);
+    when(resourceLinks.me()).thenReturn(new ResourceLinks.MeLinks(uriInfo,userLinks));
     when(resourceLinks.userCollection()).thenReturn(new ResourceLinks.UserCollectionLinks(uriInfo));
     when(resourceLinks.group()).thenReturn(new ResourceLinks.GroupLinks(uriInfo));
     when(resourceLinks.groupCollection()).thenReturn(new ResourceLinks.GroupCollectionLinks(uriInfo));

scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserRootResourceTest.java

@@ -68,6 +68,8 @@ public class UserRootResourceTest {
     initMocks(this);
     originalUser = createDummyUser("Neo");
     when(userManager.create(userCaptor.capture())).thenAnswer(invocation -> invocation.getArguments()[0]);
+    when(userManager.isTypeDefault(userCaptor.capture())).thenCallRealMethod();
+    when(userManager.getUserTypeChecker()).thenCallRealMethod();
     doNothing().when(userManager).modify(userCaptor.capture());
     doNothing().when(userManager).delete(userCaptor.capture());
     when(userManager.getDefaultType()).thenReturn("xml");
@@ -114,7 +116,7 @@ public class UserRootResourceTest {
   @Test
   public void shouldEncryptPasswordBeforeChanging() throws Exception {
     String newPassword = "pwd123";
-    String content = MessageFormat.format("'{'\"newPassword\": \"{0}\"'}'", newPassword);
+    String content = String.format("{\"newPassword\": \"%s\"}", newPassword);
     MockHttpRequest request = MockHttpRequest
       .put("/" + UserRootResource.USERS_PATH_V2 + "Neo/password")
       .contentType(VndMediaType.PASSWORD_CHANGE)
@@ -134,7 +136,7 @@ public class UserRootResourceTest {
   public void shouldGet400OnChangePasswordOfUserWithNonDefaultType() throws Exception {
     originalUser.setType("not an xml type");
     String newPassword = "pwd123";
-    String content = MessageFormat.format("'{'\"newPassword\": \"{0}\"'}'", newPassword);
+    String content = String.format("{\"newPassword\": \"%s\"}", newPassword);
     MockHttpRequest request = MockHttpRequest
       .put("/" + UserRootResource.USERS_PATH_V2 + "Neo/password")
       .contentType(VndMediaType.PASSWORD_CHANGE)

scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserToUserDtoMapperTest.java

@@ -18,6 +18,7 @@ import java.time.Instant;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import static org.mockito.MockitoAnnotations.initMocks;
@@ -67,12 +68,17 @@ public class UserToUserDtoMapperTest {
   public void shouldGetPasswordLinkOnlyForDefaultUserType() {
     User user = createDefaultUser();
     when(subject.isPermitted("user:modify:abc")).thenReturn(true);
-    user.setType("xml");
+    when(userManager.isTypeDefault(eq(user))).thenReturn(true);
 
     UserDto userDto = mapper.map(user);
 
-    assertEquals("expected password link", expectedBaseUri.resolve("abc/password").toString(), userDto.getLinks().getLinkBy("password").get().getHref());
-    user.setType("db");
+    assertEquals("expected password link with modify permission", expectedBaseUri.resolve("abc/password").toString(), userDto.getLinks().getLinkBy("password").get().getHref());
+
+    when(subject.isPermitted("user:modify:abc")).thenReturn(false);
+    userDto = mapper.map(user);
+    assertEquals("expected password link on mission modify permission", expectedBaseUri.resolve("abc/password").toString(), userDto.getLinks().getLinkBy("password").get().getHref());
+
+    when(userManager.isTypeDefault(eq(user))).thenReturn(false);
 
     userDto = mapper.map(user);