View Javadoc
1   /*
2    * MIT License
3    *
4    * Copyright (c) 2010-2024 The Waffle Project Contributors: https://github.com/Waffle/waffle/graphs/contributors
5    *
6    * Permission is hereby granted, free of charge, to any person obtaining a copy
7    * of this software and associated documentation files (the "Software"), to deal
8    * in the Software without restriction, including without limitation the rights
9    * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10   * copies of the Software, and to permit persons to whom the Software is
11   * furnished to do so, subject to the following conditions:
12   *
13   * The above copyright notice and this permission notice shall be included in all
14   * copies or substantial portions of the Software.
15   *
16   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17   * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19   * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20   * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21   * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22   * SOFTWARE.
23   */
24  package waffle.spring;
25  
26  import java.io.IOException;
27  import java.nio.charset.StandardCharsets;
28  import java.util.ArrayList;
29  import java.util.Base64;
30  import java.util.Collection;
31  import java.util.Collections;
32  import java.util.List;
33  
34  import javax.servlet.ServletException;
35  
36  import org.junit.jupiter.api.AfterEach;
37  import org.junit.jupiter.api.Assertions;
38  import org.junit.jupiter.api.BeforeEach;
39  import org.junit.jupiter.api.Test;
40  import org.springframework.context.ApplicationContext;
41  import org.springframework.context.support.AbstractApplicationContext;
42  import org.springframework.context.support.ClassPathXmlApplicationContext;
43  import org.springframework.security.core.Authentication;
44  import org.springframework.security.core.GrantedAuthority;
45  import org.springframework.security.core.context.SecurityContextHolder;
46  
47  import waffle.mock.http.SimpleFilterChain;
48  import waffle.mock.http.SimpleHttpRequest;
49  import waffle.mock.http.SimpleHttpResponse;
50  import waffle.servlet.spi.BasicSecurityFilterProvider;
51  import waffle.servlet.spi.NegotiateSecurityFilterProvider;
52  import waffle.servlet.spi.SecurityFilterProviderCollection;
53  import waffle.windows.auth.PrincipalFormat;
54  import waffle.windows.auth.impl.WindowsAccountImpl;
55  
56  /**
57   * The Class NegotiateSecurityFilterTest.
58   */
59  class NegotiateSecurityFilterTest {
60  
61      /** The filter. */
62      private NegotiateSecurityFilter filter;
63  
64      /** The ctx. */
65      private ApplicationContext ctx;
66  
67      /**
68       * Sets the up.
69       */
70      @BeforeEach
71      void setUp() {
72          final String[] configFiles = new String[] { "springTestFilterBeans.xml" };
73          this.ctx = new ClassPathXmlApplicationContext(configFiles);
74          SecurityContextHolder.getContext().setAuthentication(null);
75          this.filter = (NegotiateSecurityFilter) this.ctx.getBean("waffleNegotiateSecurityFilter");
76      }
77  
78      /**
79       * Shut down.
80       */
81      @AfterEach
82      void shutDown() {
83          ((AbstractApplicationContext) this.ctx).close();
84      }
85  
86      /**
87       * Test filter.
88       */
89      @Test
90      void testFilter() {
91          Assertions.assertFalse(this.filter.isAllowGuestLogin());
92          Assertions.assertEquals(PrincipalFormat.FQN, this.filter.getPrincipalFormat());
93          Assertions.assertEquals(PrincipalFormat.BOTH, this.filter.getRoleFormat());
94          Assertions.assertNull(this.filter.getFilterConfig());
95          Assertions.assertNotNull(this.filter.getProvider());
96      }
97  
98      /**
99       * Test provider.
100      *
101      * @throws ClassNotFoundException
102      *             the class not found exception
103      */
104     @Test
105     void testProvider() throws ClassNotFoundException {
106         final SecurityFilterProviderCollection provider = this.filter.getProvider();
107         Assertions.assertEquals(2, provider.size());
108         Assertions.assertTrue(provider.getByClassName(
109                 "waffle.servlet.spi.BasicSecurityFilterProvider") instanceof BasicSecurityFilterProvider);
110         Assertions.assertTrue(provider.getByClassName(
111                 "waffle.servlet.spi.NegotiateSecurityFilterProvider") instanceof NegotiateSecurityFilterProvider);
112     }
113 
114     /**
115      * Test no challenge get.
116      *
117      * @throws IOException
118      *             Signals that an I/O exception has occurred.
119      * @throws ServletException
120      *             the servlet exception
121      */
122     @Test
123     void testNoChallengeGET() throws IOException, ServletException {
124         final SimpleHttpRequest request = new SimpleHttpRequest();
125         request.setMethod("GET");
126         final SimpleHttpResponse response = new SimpleHttpResponse();
127         final SimpleFilterChain chain = new SimpleFilterChain();
128         this.filter.doFilter(request, response, chain);
129         // unlike servlet filters, it's a passthrough
130         Assertions.assertEquals(500, response.getStatus());
131     }
132 
133     /**
134      * Test negotiate.
135      *
136      * @throws IOException
137      *             Signals that an I/O exception has occurred.
138      * @throws ServletException
139      *             the servlet exception
140      */
141     @Test
142     void testNegotiate() throws IOException, ServletException {
143         final String securityPackage = "Negotiate";
144         final SimpleFilterChain filterChain = new SimpleFilterChain();
145         final SimpleHttpRequest request = new SimpleHttpRequest();
146 
147         final String clientToken = Base64.getEncoder()
148                 .encodeToString(WindowsAccountImpl.getCurrentUsername().getBytes(StandardCharsets.UTF_8));
149         request.addHeader("Authorization", securityPackage + " " + clientToken);
150 
151         final SimpleHttpResponse response = new SimpleHttpResponse();
152         this.filter.doFilter(request, response, filterChain);
153 
154         final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
155         Assertions.assertNotNull(auth);
156         final Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
157         Assertions.assertNotNull(authorities);
158         Assertions.assertEquals(3, authorities.size());
159 
160         final List<String> list = new ArrayList<>();
161         for (final GrantedAuthority grantedAuthority : authorities) {
162             list.add(grantedAuthority.getAuthority());
163         }
164         Collections.sort(list);
165         Assertions.assertEquals("ROLE_EVERYONE", list.get(0));
166         Assertions.assertEquals("ROLE_USER", list.get(1));
167         Assertions.assertEquals("ROLE_USERS", list.get(2));
168         Assertions.assertEquals(0, response.getHeaderNamesSize());
169     }
170 
171     /**
172      * Test unsupported security package passthrough.
173      *
174      * @throws IOException
175      *             Signals that an I/O exception has occurred.
176      * @throws ServletException
177      *             the servlet exception
178      */
179     @Test
180     void testUnsupportedSecurityPackagePassthrough() throws IOException, ServletException {
181         final SimpleFilterChain filterChain = new SimpleFilterChain();
182         final SimpleHttpRequest request = new SimpleHttpRequest();
183         request.addHeader("Authorization", "Unsupported challenge");
184         final SimpleHttpResponse response = new SimpleHttpResponse();
185         this.filter.doFilter(request, response, filterChain);
186         // the filter should ignore authorization for an unsupported security package, ie. not return a 401
187         Assertions.assertEquals(500, response.getStatus());
188     }
189 
190     /**
191      * Test guest is disabled.
192      *
193      * @throws IOException
194      *             Signals that an I/O exception has occurred.
195      * @throws ServletException
196      *             the servlet exception
197      */
198     @Test
199     void testGuestIsDisabled() throws IOException, ServletException {
200         final String securityPackage = "Negotiate";
201         final SimpleFilterChain filterChain = new SimpleFilterChain();
202         final SimpleHttpRequest request = new SimpleHttpRequest();
203 
204         final String clientToken = Base64.getEncoder().encodeToString("Guest".getBytes(StandardCharsets.UTF_8));
205         request.addHeader("Authorization", securityPackage + " " + clientToken);
206 
207         final SimpleHttpResponse response = new SimpleHttpResponse();
208         this.filter.doFilter(request, response, filterChain);
209 
210         Assertions.assertEquals(401, response.getStatus());
211         Assertions.assertNull(SecurityContextHolder.getContext().getAuthentication());
212     }
213 
214     /**
215      * Test after properties set.
216      *
217      * @throws ServletException
218      *             the servlet exception
219      */
220     @Test
221     void testAfterPropertiesSet() throws ServletException {
222         this.filter.setProvider(null);
223         Assertions.assertThrows(ServletException.class, () -> {
224             this.filter.afterPropertiesSet();
225         });
226     }
227 
228 }