Merge

scm-webapp/src/test/java/sonia/scm/api/v2/resources/BrowserResultToBrowserResultDtoMapperTest.java

@@ -4,6 +4,7 @@ import org.apache.shiro.subject.Subject;
 import org.apache.shiro.subject.support.SubjectThreadState;
 import org.apache.shiro.util.ThreadContext;
 import org.apache.shiro.util.ThreadState;
+import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.InjectMocks;
@@ -61,6 +62,11 @@ public class BrowserResultToBrowserResultDtoMapperTest {
     fileObject2.setDirectory(true);
   }
 
+  @After
+  public void unbind() {
+    ThreadContext.unbindSubject();
+  }
+
   @Test
   public void shouldMapAttributesCorrectly() {
     BrowserResult browserResult = createBrowserResult();

scm-webapp/src/test/java/sonia/scm/api/v2/resources/ConfigResourceTest.java

@@ -3,6 +3,7 @@ package sonia.scm.api.v2.resources;
 import com.github.sdorra.shiro.ShiroRule;
 import com.github.sdorra.shiro.SubjectAware;
 import com.google.common.io.Resources;
+import org.apache.shiro.util.ThreadContext;
 import org.jboss.resteasy.core.Dispatcher;
 import org.jboss.resteasy.mock.MockDispatcherFactory;
 import org.jboss.resteasy.mock.MockHttpRequest;
@@ -21,7 +22,9 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
 
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 import static org.mockito.MockitoAnnotations.initMocks;
 
 @SubjectAware(
@@ -47,6 +50,13 @@ public class ConfigResourceTest {
   @InjectMocks
   private ScmConfigurationToConfigDtoMapperImpl configToDtoMapper;
 
+  public ConfigResourceTest() {
+      // cleanup state that might have been left by other tests
+      ThreadContext.unbindSecurityManager();
+      ThreadContext.unbindSubject();
+      ThreadContext.remove();
+  }
+
   @Before
   public void prepareEnvironment() {
     initMocks(this);

scm-webapp/src/test/java/sonia/scm/api/v2/resources/FileObjectToFileObjectDtoMapperTest.java

@@ -4,6 +4,7 @@ import org.apache.shiro.subject.Subject;
 import org.apache.shiro.subject.support.SubjectThreadState;
 import org.apache.shiro.util.ThreadContext;
 import org.apache.shiro.util.ThreadState;
+import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -40,6 +41,10 @@ public class FileObjectToFileObjectDtoMapperTest {
     ThreadContext.bind(subject);
   }
 
+  @After
+  public void unbind() {
+    ThreadContext.unbindSubject();
+  }
 
   @Test
   public void shouldMapAttributesCorrectly() {

scm-webapp/src/test/java/sonia/scm/api/v2/resources/PermissionRootResourceTest.java

@@ -0,0 +1,460 @@
+package sonia.scm.api.v2.resources;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.github.sdorra.shiro.ShiroRule;
+import com.github.sdorra.shiro.SubjectAware;
+import com.google.common.collect.ImmutableList;
+import de.otto.edison.hal.HalRepresentation;
+import lombok.ToString;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.shiro.authz.AuthorizationException;
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.subject.support.SubjectThreadState;
+import org.apache.shiro.util.ThreadContext;
+import org.apache.shiro.util.ThreadState;
+import org.assertj.core.util.Lists;
+import org.jboss.resteasy.core.Dispatcher;
+import org.jboss.resteasy.mock.MockDispatcherFactory;
+import org.jboss.resteasy.mock.MockHttpRequest;
+import org.jboss.resteasy.mock.MockHttpResponse;
+import org.jboss.resteasy.spi.HttpRequest;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.DynamicTest;
+import org.junit.jupiter.api.TestFactory;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import sonia.scm.api.rest.AuthorizationExceptionMapper;
+import sonia.scm.repository.NamespaceAndName;
+import sonia.scm.repository.Permission;
+import sonia.scm.repository.PermissionType;
+import sonia.scm.repository.Repository;
+import sonia.scm.repository.RepositoryManager;
+import sonia.scm.web.VndMediaType;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.function.Consumer;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import static de.otto.edison.hal.Link.link;
+import static de.otto.edison.hal.Links.linkingTo;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.Assert.fail;
+import static org.junit.jupiter.api.DynamicTest.dynamicTest;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.mockito.MockitoAnnotations.initMocks;
+
+@Slf4j
+@SubjectAware(
+  username = "trillian",
+  password = "secret",
+  configuration = "classpath:sonia/scm/repository/shiro.ini"
+)
+public class PermissionRootResourceTest {
+  private static final String REPOSITORY_NAMESPACE = "repo_namespace";
+  private static final String REPOSITORY_NAME = "repo";
+  private static final String PERMISSION_WRITE = "repository:permissionWrite:" + REPOSITORY_NAME;
+  private static final String PERMISSION_READ = "repository:permissionRead:" + REPOSITORY_NAME;
+  private static final String PERMISSION_OWNER = "repository:modify:" + REPOSITORY_NAME;
+
+  private static final String PERMISSION_NAME = "perm";
+  private static final String PATH_OF_ALL_PERMISSIONS = REPOSITORY_NAMESPACE + "/" + REPOSITORY_NAME + "/permissions/";
+  private static final String PATH_OF_ONE_PERMISSION = PATH_OF_ALL_PERMISSIONS + PERMISSION_NAME;
+  private static final String PERMISSION_TEST_PAYLOAD = "{ \"name\" : \"permission_name\", \"type\" : \"READ\"  }";
+  private static final ArrayList<Permission> TEST_PERMISSIONS = Lists
+    .newArrayList(
+      new Permission("user_write", PermissionType.WRITE, false),
+      new Permission("user_read", PermissionType.READ, false),
+      new Permission("user_owner", PermissionType.OWNER, false),
+      new Permission("group_read", PermissionType.READ, true),
+      new Permission("group_write", PermissionType.WRITE, true),
+      new Permission("group_owner", PermissionType.OWNER, true)
+    );
+  private final ExpectedRequest requestGETAllPermissions = new ExpectedRequest()
+    .description("GET all permissions")
+    .method("GET")
+    .path(PATH_OF_ALL_PERMISSIONS);
+  private final ExpectedRequest requestPOSTPermission = new ExpectedRequest()
+    .description("create new permission")
+    .method("POST")
+    .content(PERMISSION_TEST_PAYLOAD)
+    .path(PATH_OF_ALL_PERMISSIONS);
+  private final ExpectedRequest requestGETPermission = new ExpectedRequest()
+    .description("GET permission")
+    .method("GET")
+    .path(PATH_OF_ONE_PERMISSION);
+  private final ExpectedRequest requestDELETEPermission = new ExpectedRequest()
+    .description("delete permission")
+    .method("DELETE")
+    .path(PATH_OF_ONE_PERMISSION);
+  private final ExpectedRequest requestPUTPermission = new ExpectedRequest()
+    .description("update permission")
+    .method("PUT")
+    .content(PERMISSION_TEST_PAYLOAD)
+    .path(PATH_OF_ONE_PERMISSION);
+
+  private final Dispatcher dispatcher = MockDispatcherFactory.createDispatcher();
+
+  @Rule
+  public ShiroRule shiro = new ShiroRule();
+
+  @Mock
+  private RepositoryManager repositoryManager;
+
+  private final URI baseUri = URI.create("/");
+  private final ResourceLinks resourceLinks = ResourceLinksMock.createMock(baseUri);
+
+  @InjectMocks
+  private PermissionToPermissionDtoMapperImpl permissionToPermissionDtoMapper;
+
+  @InjectMocks
+  private PermissionDtoToPermissionMapperImpl permissionDtoToPermissionMapper;
+
+  private PermissionCollectionToDtoMapper permissionCollectionToDtoMapper;
+
+  private PermissionRootResource permissionRootResource;
+
+  private final Subject subject = mock(Subject.class);
+  private final ThreadState subjectThreadState = new SubjectThreadState(subject);
+
+  @BeforeEach
+  @Before
+  public void prepareEnvironment() {
+    initMocks(this);
+    permissionCollectionToDtoMapper = new PermissionCollectionToDtoMapper(permissionToPermissionDtoMapper, resourceLinks);
+    permissionRootResource = new PermissionRootResource(permissionDtoToPermissionMapper, permissionToPermissionDtoMapper, permissionCollectionToDtoMapper, resourceLinks, repositoryManager);
+    RepositoryRootResource repositoryRootResource = new RepositoryRootResource(MockProvider
+      .of(new RepositoryResource(null, null, null, null, null, null, null, null, MockProvider.of(permissionRootResource))), null);
+    subjectThreadState.bind();
+    ThreadContext.bind(subject);
+    dispatcher.getRegistry().addSingletonResource(repositoryRootResource);
+    dispatcher.getProviderFactory().registerProvider(RepositoryNotFoundExceptionMapper.class);
+    dispatcher.getProviderFactory().registerProvider(PermissionNotFoundExceptionMapper.class);
+    dispatcher.getProviderFactory().registerProvider(PermissionAlreadyExistsExceptionMapper.class);
+    dispatcher.getProviderFactory().registerProvider(AuthorizationExceptionMapper.class);
+  }
+
+  @After
+  public void unbind() {
+    ThreadContext.unbindSubject();
+  }
+
+  @TestFactory
+  @DisplayName("test endpoints on missing repository")
+  Stream<DynamicTest> missedRepositoryTestFactory() {
+    return createDynamicTestsToAssertResponses(
+      requestGETAllPermissions.expectedResponseStatus(404),
+      requestGETPermission.expectedResponseStatus(404),
+      requestPOSTPermission.expectedResponseStatus(404),
+      requestDELETEPermission.expectedResponseStatus(404),
+      requestPUTPermission.expectedResponseStatus(404));
+  }
+
+  @TestFactory
+  @DisplayName("test endpoints on missing permissions and user is Admin")
+  Stream<DynamicTest> missedPermissionTestFactory() {
+    Repository mockRepository = mock(Repository.class);
+    when(mockRepository.getId()).thenReturn(REPOSITORY_NAME);
+    when(mockRepository.getNamespace()).thenReturn(REPOSITORY_NAMESPACE);
+    when(mockRepository.getName()).thenReturn(REPOSITORY_NAME);
+    when(repositoryManager.get(any(NamespaceAndName.class))).thenReturn(mockRepository);
+    return createDynamicTestsToAssertResponses(
+      requestGETPermission.expectedResponseStatus(404),
+      requestPOSTPermission.expectedResponseStatus(201),
+      requestGETAllPermissions.expectedResponseStatus(200),
+      requestDELETEPermission.expectedResponseStatus(204),
+      requestPUTPermission.expectedResponseStatus(404));
+  }
+
+  @TestFactory
+  @DisplayName("test endpoints on missing permissions and user is not Admin")
+  Stream<DynamicTest> missedPermissionUserForbiddenTestFactory() {
+    Repository mockRepository = mock(Repository.class);
+    when(mockRepository.getId()).thenReturn(REPOSITORY_NAME);
+    when(mockRepository.getNamespace()).thenReturn(REPOSITORY_NAMESPACE);
+    when(mockRepository.getName()).thenReturn(REPOSITORY_NAME);
+    doThrow(AuthorizationException.class).when(repositoryManager).get(any(NamespaceAndName.class));
+    return createDynamicTestsToAssertResponses(
+      requestGETPermission.expectedResponseStatus(403),
+      requestPOSTPermission.expectedResponseStatus(403),
+      requestGETAllPermissions.expectedResponseStatus(403),
+      requestDELETEPermission.expectedResponseStatus(403),
+      requestPUTPermission.expectedResponseStatus(403));
+  }
+
+  @Test
+  public void userWithPermissionWritePermissionShouldGetAllPermissionsWithCreateAndUpdateLinks() throws URISyntaxException {
+    createUserWithRepositoryAndPermissions(TEST_PERMISSIONS, PERMISSION_WRITE);
+    assertGettingExpectedPermissions(ImmutableList.copyOf(TEST_PERMISSIONS), PERMISSION_WRITE);
+  }
+
+  @Test
+  public void userWithPermissionReadPermissionShouldGetAllPermissionsWithoutCreateAndUpdateLinks() throws URISyntaxException {
+    createUserWithRepositoryAndPermissions(TEST_PERMISSIONS, PERMISSION_READ);
+    assertGettingExpectedPermissions(ImmutableList.copyOf(TEST_PERMISSIONS), PERMISSION_READ);
+  }
+
+  @Test
+  public void shouldGetAllPermissions() throws URISyntaxException {
+    createUserWithRepositoryAndPermissions(TEST_PERMISSIONS, PERMISSION_READ);
+    assertGettingExpectedPermissions(ImmutableList.copyOf(TEST_PERMISSIONS), PERMISSION_READ);
+  }
+
+  @Test
+  public void shouldGetPermissionByName() throws URISyntaxException {
+    createUserWithRepositoryAndPermissions(TEST_PERMISSIONS, PERMISSION_READ);
+    Permission expectedPermission = TEST_PERMISSIONS.get(0);
+    assertExpectedRequest(requestGETPermission
+      .expectedResponseStatus(200)
+      .path(PATH_OF_ALL_PERMISSIONS + expectedPermission.getName())
+      .responseValidator((response) -> {
+        String body = response.getContentAsString();
+        ObjectMapper mapper = new ObjectMapper();
+        try {
+          PermissionDto actualPermissionDto = mapper.readValue(body, PermissionDto.class);
+          assertThat(actualPermissionDto)
+            .as("response payload match permission object model")
+            .isEqualToComparingFieldByFieldRecursively(getExpectedPermissionDto(expectedPermission, PERMISSION_READ))
+          ;
+        } catch (IOException e) {
+          fail();
+        }
+      })
+    );
+  }
+
+  @Test
+  public void shouldGetCreatedPermissions() throws URISyntaxException {
+    createUserWithRepositoryAndPermissions(TEST_PERMISSIONS, PERMISSION_WRITE);
+    Permission newPermission = new Permission("new_group_perm", PermissionType.WRITE, true);
+    ArrayList<Permission> permissions = Lists.newArrayList(TEST_PERMISSIONS);
+    permissions.add(newPermission);
+    ImmutableList<Permission> expectedPermissions = ImmutableList.copyOf(permissions);
+    assertExpectedRequest(requestPOSTPermission
+      .content("{\"name\" : \"" + newPermission.getName() + "\" , \"type\" : \"WRITE\" , \"groupPermission\" : true}")
+      .expectedResponseStatus(201)
+      .responseValidator(response -> assertThat(response.getContentAsString())
+        .as("POST response has no body")
+        .isBlank())
+    );
+    assertGettingExpectedPermissions(expectedPermissions, PERMISSION_WRITE);
+  }
+
+  @Test
+  public void shouldNotAddExistingPermission() throws URISyntaxException {
+    createUserWithRepositoryAndPermissions(TEST_PERMISSIONS, PERMISSION_WRITE);
+    Permission newPermission = TEST_PERMISSIONS.get(0);
+    assertExpectedRequest(requestPOSTPermission
+      .content("{\"name\" : \"" + newPermission.getName() + "\" , \"type\" : \"WRITE\" , \"groupPermission\" : true}")
+      .expectedResponseStatus(409)
+    );
+  }
+
+  @Test
+  public void shouldGetUpdatedPermissions() throws URISyntaxException {
+    createUserWithRepositoryAndPermissions(TEST_PERMISSIONS, PERMISSION_WRITE);
+    Permission modifiedPermission = TEST_PERMISSIONS.get(0);
+    // modify the type to owner
+    modifiedPermission.setType(PermissionType.OWNER);
+    ImmutableList<Permission> expectedPermissions = ImmutableList.copyOf(TEST_PERMISSIONS);
+    assertExpectedRequest(requestPUTPermission
+      .content("{\"name\" : \"" + modifiedPermission.getName() + "\" , \"type\" : \"OWNER\" , \"groupPermission\" : false}")
+      .path(PATH_OF_ALL_PERMISSIONS + modifiedPermission.getName())
+      .expectedResponseStatus(204)
+      .responseValidator(response -> assertThat(response.getContentAsString())
+        .as("PUT response has no body")
+        .isBlank())
+    );
+    assertGettingExpectedPermissions(expectedPermissions, PERMISSION_WRITE);
+  }
+
+
+  @Test
+  public void shouldDeletePermissions() throws URISyntaxException {
+    createUserWithRepositoryAndPermissions(TEST_PERMISSIONS, PERMISSION_OWNER);
+    Permission deletedPermission = TEST_PERMISSIONS.get(0);
+    ImmutableList<Permission> expectedPermissions = ImmutableList.copyOf(TEST_PERMISSIONS.subList(1, TEST_PERMISSIONS.size()));
+    assertExpectedRequest(requestDELETEPermission
+      .path(PATH_OF_ALL_PERMISSIONS + deletedPermission.getName())
+      .expectedResponseStatus(204)
+      .responseValidator(response -> assertThat(response.getContentAsString())
+        .as("DELETE response has no body")
+        .isBlank())
+    );
+    assertGettingExpectedPermissions(expectedPermissions, PERMISSION_READ);
+  }
+
+  @Test
+  public void deletingNotExistingPermissionShouldProcess() throws URISyntaxException {
+    createUserWithRepositoryAndPermissions(TEST_PERMISSIONS, PERMISSION_OWNER);
+    Permission deletedPermission = TEST_PERMISSIONS.get(0);
+    ImmutableList<Permission> expectedPermissions = ImmutableList.copyOf(TEST_PERMISSIONS.subList(1, TEST_PERMISSIONS.size()));
+    assertExpectedRequest(requestDELETEPermission
+      .path(PATH_OF_ALL_PERMISSIONS + deletedPermission.getName())
+      .expectedResponseStatus(204)
+      .responseValidator(response -> assertThat(response.getContentAsString())
+        .as("DELETE response has no body")
+        .isBlank())
+    );
+    assertGettingExpectedPermissions(expectedPermissions, PERMISSION_READ);
+    assertExpectedRequest(requestDELETEPermission
+      .path(PATH_OF_ALL_PERMISSIONS + deletedPermission.getName())
+      .expectedResponseStatus(204)
+      .responseValidator(response -> assertThat(response.getContentAsString())
+        .as("DELETE response has no body")
+        .isBlank())
+    );
+    assertGettingExpectedPermissions(expectedPermissions, PERMISSION_READ);
+  }
+
+  private void assertGettingExpectedPermissions(ImmutableList<Permission> expectedPermissions, String userPermission) throws URISyntaxException {
+    assertExpectedRequest(requestGETAllPermissions
+      .expectedResponseStatus(200)
+      .responseValidator((response) -> {
+        String body = response.getContentAsString();
+        ObjectMapper mapper = new ObjectMapper();
+        try {
+          HalRepresentation halRepresentation = mapper.readValue(body, HalRepresentation.class);
+          List<HalRepresentation> actualPermissionDtos = halRepresentation.getEmbedded().getItemsBy("permissions", HalRepresentation.class);
+          List<PermissionDto> permissionDtoStream = actualPermissionDtos.stream()
+            .map(hal -> {
+              PermissionDto result = new PermissionDto();
+              result.setName(hal.getAttribute("name").asText());
+              result.setType(hal.getAttribute("type").asText());
+              result.setGroupPermission(hal.getAttribute("groupPermission").asBoolean());
+              result.add(hal.getLinks());
+              return result;
+            }).collect(Collectors.toList());
+          assertThat(permissionDtoStream)
+            .as("response payload match permission object models")
+            .hasSize(expectedPermissions.size())
+            .usingRecursiveFieldByFieldElementComparator()
+            .containsExactlyInAnyOrder(getExpectedPermissionDtos(Lists.newArrayList(expectedPermissions), userPermission))
+          ;
+        } catch (IOException e) {
+          fail();
+        }
+      })
+    );
+  }
+
+  private PermissionDto[] getExpectedPermissionDtos(ArrayList<Permission> permissions, String userPermission) {
+    return permissions
+      .stream()
+      .map(p -> getExpectedPermissionDto(p, userPermission))
+      .toArray(PermissionDto[]::new);
+  }
+
+  private PermissionDto getExpectedPermissionDto(Permission permission, String userPermission) {
+    PermissionDto result = new PermissionDto();
+    result.setName(permission.getName());
+    result.setGroupPermission(permission.isGroupPermission());
+    result.setType(permission.getType().name());
+    String permissionHref = "/" + RepositoryRootResource.REPOSITORIES_PATH_V2 + PATH_OF_ALL_PERMISSIONS + permission.getName();
+    if (PERMISSION_READ.equals(userPermission)) {
+      result.add(linkingTo()
+        .self(permissionHref)
+        .build());
+    } else {
+      result.add(linkingTo()
+        .self(permissionHref)
+        .single(link("update", permissionHref))
+        .single(link("delete", permissionHref))
+        .build());
+    }
+    return result;
+  }
+
+  private Repository createUserWithRepository(String userPermission) {
+    Repository mockRepository = mock(Repository.class);
+    when(mockRepository.getId()).thenReturn(REPOSITORY_NAME);
+    when(mockRepository.getNamespace()).thenReturn(REPOSITORY_NAMESPACE);
+    when(mockRepository.getName()).thenReturn(REPOSITORY_NAME);
+    when(repositoryManager.get(any(NamespaceAndName.class))).thenReturn(mockRepository);
+    when(subject.isPermitted(userPermission != null ? eq(userPermission) : any(String.class))).thenReturn(true);
+    return mockRepository;
+  }
+
+  private void createUserWithRepositoryAndPermissions(ArrayList<Permission> permissions, String userPermission) {
+    when(createUserWithRepository(userPermission).getPermissions()).thenReturn(permissions);
+  }
+
+  private Stream<DynamicTest> createDynamicTestsToAssertResponses(ExpectedRequest... expectedRequests) {
+    return Stream.of(expectedRequests)
+      .map(entry -> dynamicTest("the endpoint " + entry.description + " should return the status code " + entry.expectedResponseStatus, () -> assertExpectedRequest(entry)));
+  }
+
+  private MockHttpResponse assertExpectedRequest(ExpectedRequest entry) throws URISyntaxException {
+    MockHttpResponse response = new MockHttpResponse();
+    HttpRequest request = null;
+    request = MockHttpRequest
+      .create(entry.method, "/" + RepositoryRootResource.REPOSITORIES_PATH_V2 + entry.path)
+      .content(entry.content)
+      .contentType(VndMediaType.PERMISSION);
+    dispatcher.invoke(request, response);
+    log.info("Test the Request :{}", entry);
+    assertThat(response.getStatus())
+      .as("assert status code")
+      .isEqualTo(entry.expectedResponseStatus);
+    if (entry.responseValidator != null) {
+      entry.responseValidator.accept(response);
+    }
+    return response;
+  }
+
+  @ToString
+  public class ExpectedRequest {
+    private String description;
+    private String method;
+    private String path;
+    private int expectedResponseStatus;
+    private byte[] content = new byte[]{};
+    private Consumer<MockHttpResponse> responseValidator;
+
+    public ExpectedRequest description(String description) {
+      this.description = description;
+      return this;
+    }
+
+    public ExpectedRequest method(String method) {
+      this.method = method;
+      return this;
+    }
+
+    public ExpectedRequest path(String path) {
+      this.path = path;
+      return this;
+    }
+
+    public ExpectedRequest content(String content) {
+      if (content != null) {
+        this.content = content.getBytes();
+      }
+      return this;
+    }
+
+    public ExpectedRequest expectedResponseStatus(int expectedResponseStatus) {
+      this.expectedResponseStatus = expectedResponseStatus;
+      return this;
+    }
+
+    public ExpectedRequest responseValidator(Consumer<MockHttpResponse> responseValidator) {
+      this.responseValidator = responseValidator;
+      return this;
+    }
+  }
+
+}

scm-webapp/src/test/java/sonia/scm/api/v2/resources/RepositoryRootResourceTest.java

@@ -11,10 +11,13 @@ import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.mockito.Answers;
+import org.mockito.ArgumentCaptor;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import sonia.scm.PageResult;
 import sonia.scm.repository.NamespaceAndName;
+import sonia.scm.repository.Permission;
+import sonia.scm.repository.PermissionType;
 import sonia.scm.repository.Repository;
 import sonia.scm.repository.RepositoryException;
 import sonia.scm.repository.RepositoryIsNotArchivedException;
@@ -35,10 +38,13 @@ import static javax.servlet.http.HttpServletResponse.SC_NO_CONTENT;
 import static javax.servlet.http.HttpServletResponse.SC_OK;
 import static javax.servlet.http.HttpServletResponse.SC_PRECONDITION_FAILED;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentCaptor.forClass;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyObject;
 import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.doNothing;
 import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
@@ -240,6 +246,28 @@ public class RepositoryRootResourceTest {
     verify(repositoryManager).create(any(Repository.class));
   }
 
+  @Test
+  public void shouldNotOverwriteExistingPermissionsOnUpdate() throws Exception {
+    Repository existingRepository = mockRepository("space", "repo");
+    existingRepository.setPermissions(singletonList(new Permission("user", PermissionType.READ)));
+
+    URL url = Resources.getResource("sonia/scm/api/v2/repository-test-update.json");
+    byte[] repository = Resources.toByteArray(url);
+
+    ArgumentCaptor<Repository> modifiedRepositoryCaptor = forClass(Repository.class);
+    doNothing().when(repositoryManager).modify(modifiedRepositoryCaptor.capture());
+
+    MockHttpRequest request = MockHttpRequest
+      .put("/" + RepositoryRootResource.REPOSITORIES_PATH_V2 + "space/repo")
+      .contentType(VndMediaType.REPOSITORY)
+      .content(repository);
+    MockHttpResponse response = new MockHttpResponse();
+
+    dispatcher.invoke(request, response);
+
+    assertFalse(modifiedRepositoryCaptor.getValue().getPermissions().isEmpty());
+  }
+
   private PageResult<Repository> createSingletonPageResult(Repository repository) {
     return new PageResult<>(singletonList(repository), 0);
   }

scm-webapp/src/test/java/sonia/scm/api/v2/resources/ResourceLinksMock.java

@@ -23,7 +23,7 @@ public class ResourceLinksMock {
     when(resourceLinks.branchCollection()).thenReturn(new ResourceLinks.BranchCollectionLinks(uriInfo));
     when(resourceLinks.changeset()).thenReturn(new ResourceLinks.ChangesetLinks(uriInfo));
     when(resourceLinks.source()).thenReturn(new ResourceLinks.SourceLinks(uriInfo));
-    when(resourceLinks.permissionCollection()).thenReturn(new ResourceLinks.PermissionCollectionLinks(uriInfo));
+    when(resourceLinks.permission()).thenReturn(new ResourceLinks.PermissionLinks(uriInfo));
     when(resourceLinks.config()).thenReturn(new ResourceLinks.ConfigLinks(uriInfo));
     when(resourceLinks.branch()).thenReturn(new ResourceLinks.BranchLinks(uriInfo));
     when(resourceLinks.repositoryType()).thenReturn(new ResourceLinks.RepositoryTypeLinks(uriInfo));

scm-webapp/src/test/java/sonia/scm/it/IntegrationTestUtil.java

@@ -120,15 +120,15 @@ public final class IntegrationTestUtil
     }
   }
 
-  public static Collection<String> createRepositoryTypeParameters() {
-    Collection<String> params = new ArrayList<>();
+  public static Collection<String[]> createRepositoryTypeParameters() {
+    Collection<String[]> params = new ArrayList<>();
 
-    params.add("git");
-    params.add("svn" );
+    params.add(new String[]{"git"});
+    params.add(new String[]{"svn"});
 
     if (IOUtil.search("hg") != null)
     {
-      params.add("hg");
+      params.add(new String[]{"hg"});
     }
 
     return params;

scm-webapp/src/test/java/sonia/scm/it/RepositoryArchiveITCase.java

@@ -81,7 +81,7 @@ public class RepositoryArchiveITCase
   //~--- methods --------------------------------------------------------------
 
   @Parameterized.Parameters(name = "{0}")
-  public static Collection<String> createParameters() {
+  public static Collection<String[]> createParameters() {
     return IntegrationTestUtil.createRepositoryTypeParameters();
   }
 

scm-webapp/src/test/java/sonia/scm/it/RepositoryHookITCase.java

@@ -208,7 +208,7 @@ public class RepositoryHookITCase extends AbstractAdminITCaseBase
    * @return repository types test parameter
    */
   @Parameters(name = "{0}")
-  public static Collection<String> createParameters()
+  public static Collection<String[]> createParameters()
   {
     return IntegrationTestUtil.createRepositoryTypeParameters();
   }

scm-webapp/src/test/java/sonia/scm/security/DefaultAuthorizationCollectorTest.java

@@ -40,15 +40,12 @@ import org.apache.shiro.authz.SimpleAuthorizationInfo;
 import org.apache.shiro.subject.SimplePrincipalCollection;
 import org.apache.shiro.subject.Subject;
 import org.hamcrest.Matchers;
-import org.junit.Test;
 import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
-import static org.mockito.Mockito.*;
-import static org.hamcrest.Matchers.*;
-import static org.junit.Assert.*;
-import org.junit.Rule;
 import org.mockito.junit.MockitoJUnitRunner;
 import sonia.scm.cache.Cache;
 import sonia.scm.cache.CacheManager;
@@ -60,6 +57,16 @@ import sonia.scm.repository.RepositoryTestData;
 import sonia.scm.user.User;
 import sonia.scm.user.UserTestData;
 
+import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.hasSize;
+import static org.hamcrest.Matchers.nullValue;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertThat;
+import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.anyObject;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
 /**
  * Unit tests for {@link AuthorizationCollector}.
  * 
@@ -200,7 +207,7 @@ public class DefaultAuthorizationCollectorTest {
     AuthorizationInfo authInfo = collector.collect();
     assertThat(authInfo.getRoles(), Matchers.containsInAnyOrder(Role.USER));
     assertThat(authInfo.getObjectPermissions(), nullValue());
-    assertThat(authInfo.getStringPermissions(), containsInAnyOrder("repository:read:one", "repository:read,write:two"));
+    assertThat(authInfo.getStringPermissions(), containsInAnyOrder("repository:read,pull:one", "repository:read,pull,push:two"));
   }
   
   /**